From sle-security-updates at lists.suse.com Tue Jun 1 06:19:24 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 1 Jun 2021 08:19:24 +0200 (CEST)
Subject: SUSE-CU-2021:228-1: Security update of suse/sle15
Message-ID: <20210601061924.5D10DB46EA0@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:228-1
Container Tags : suse/sle15:15.0 , suse/sle15:15.0.4.22.402
Container Release : 4.22.402
Severity : moderate
Type : security
References : 1177976 1183933 1186114 CVE-2021-22876 CVE-2021-22898
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1809-1
Released: Mon May 31 16:24:59 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1177976,1183933,1186114,CVE-2021-22876,CVE-2021-22898

This update for curl fixes the following issues:

- CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976).
- Allow partial chain verification (jsc#SLE-17956).

From sle-security-updates at lists.suse.com Tue Jun 1 06:35:09 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 1 Jun 2021 08:35:09 +0200 (CEST)
Subject: SUSE-CU-2021:229-1: Security update of suse/sle15
Message-ID: <20210601063509.C8FEFB46EA0@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:229-1
Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.461
Container Release : 6.2.461
Severity : moderate
Type : security
References : 1177976 1183933 1186114 CVE-2021-22876 CVE-2021-22898
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1809-1
Released: Mon May 31 16:24:59 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1177976,1183933,1186114,CVE-2021-22876,CVE-2021-22898

This update for curl fixes the following issues:

- CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976).
- Allow partial chain verification (jsc#SLE-17956).

From sle-security-updates at lists.suse.com Tue Jun 1 06:35:27 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 1 Jun 2021 08:35:27 +0200 (CEST)
Subject: SUSE-CU-2021:230-1: Security update of suse/sles/15.2/virt-api
Message-ID: <20210601063527.D3166B46E9F@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sles/15.2/virt-api
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:230-1
Container Tags : suse/sles/15.2/virt-api:0.38.1 , suse/sles/15.2/virt-api:0.38.1.5.8.43
Container Release : 5.8.43
Severity : important
Type : security
References : 1078466 1084671 1104902 1141597 1146705 1154935 1161276 1165502 1167471 1169006 1171883 1172442 1173422 1173582 1174232 1174436 1174593 1174942 1175458 1175514 1175519 1175623 1176201 1176513 1176800 1177458 1177490 1177490 1177510 1177858 1178219 1178346 1178386 1178387 1178512 1178554 1178727 1178775 1178775 1178823 1178825 1178909 1179363 1179398 1179399 1179431 1179491 1179503 1179515 1179593 1179694 1179721 1179824 1180020 1180038 1180073 1180083 1180138 1180225 1180596 1180603 1180603 1180836 1180885 1181011 1181358 1181443 1181505 1181831 1182117 1182279 1182328 1182331 1182333 1182362 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182791 1182899 1182959 1183064 1183094 1183370 1183371 1183749 1183791 1183797 1183852 1183933 1183934 1184358 1184435 1184614 1184690 1185163 1185408 1185408 1185409 1185409 1185410 1185410 1185438 1185562 1185698 1186114 CVE-2019-25013 CVE-2020-11080 CVE-2020-1971 CVE-2020-25692 CVE-2020-25709 CVE-2020-25710 CVE-2020-27618 CVE-2020-28196 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-8025 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2021-22876 CVE-2021-22890 CVE-2021-22898 CVE-2021-23840 CVE-2021-23841
CVE-2021-24031 CVE-2021-24032 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3326 CVE-2021-3449 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517 CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537
-----------------------------------------------------------------

The container suse/sles/15.2/virt-api was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1989-1
Released: Tue Jul 21 17:58:58 2020
Summary: Recommended update to SLES-releases
Type: recommended
Severity: important
References: 1173582

This update of SLES-release provides the following fix:

- Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released: Tue Nov 3 12:14:03 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800

This update for systemd fixes the following issues:

- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471)
- cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released: Wed Nov 11 12:25:32 2020
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 1174232

This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released: Thu Nov 12 16:07:37 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1178387,CVE-2020-25692

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released: Thu Nov 19 09:29:32 2020
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3381-1
Released: Thu Nov 19 10:53:38 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1177458,1177490,1177510

This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)
- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)
- mount: don't propagate errors from mount_setup_unit() further up
- Rely on the new build option --disable-remote for journal_remote
  This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.
- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package
- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)
  These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.
- Make use of %{_unitdir} and %{_sysusersdir}
- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3462-1
Released: Fri Nov 20 13:14:35 2020
Summary: Recommended update for pam and sudo
Type: recommended
Severity: moderate
References: 1174593,1177858,1178727

This update for pam and sudo fixes the following issue:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3620-1
Released: Thu Dec 3 17:03:55 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References:

This update for pam fixes the following issues:

- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)
  - Check whether the password contains a substring of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=`

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3626-1
Released: Fri Dec 4 13:51:46 2020
Summary: Recommended update for audit
Type: recommended
Severity: moderate
References: 1179515

This update for audit fixes the following issues:

- Enable Aarch64 processor support.
  (bsc#1179515)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3703-1
Released: Mon Dec 7 20:17:32 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1179431

This update for aaa_base fixes the following issue:

- Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3721-1
Released: Wed Dec 9 13:36:46 2020
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1179491,CVE-2020-1971

This update for openssl-1_1 fixes the following issues:

- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3735-1
Released: Wed Dec 9 18:19:24 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286

This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OCSP verification in the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3809-1
Released: Tue Dec 15 13:46:05 2020
Summary: Recommended update for glib2
Type: recommended
Severity: moderate
References: 1178346

This update for glib2 fixes the following issues:

Update from version 2.62.5 to version 2.62.6:

- Support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)
- Fix SOCKS5 username/password authentication.
- Updated translations.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3853-1
Released: Wed Dec 16 12:27:27 2020
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825

This update for util-linux fixes the following issue:

- Do not trigger the automatic close of CDROM. (bsc#1084671)
- Try to automatically configure broken serial lines. (bsc#1175514)
- Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514)
- Build with `libudev` support to support non-root users. (bsc#1169006)
- Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to `CIFS` with mount -a. (bsc#1174942)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3942-1
Released: Tue Dec 29 12:22:01 2020
Summary: Recommended update for libidn2
Type: recommended
Severity: moderate
References: 1180138

This update for libidn2 fixes the following issues:

- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3943-1
Released: Tue Dec 29 12:24:45 2020
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1178823

This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)

* key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released: Thu Jan 14 12:26:15 2021
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:197-1
Released: Fri Jan 22 15:17:42 2021
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1171883,CVE-2020-8025

This update for permissions fixes the following issues:

- Update to version 20181224:
  * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released: Tue Jan 26 14:00:51 2021
Summary: Recommended update for keyutils
Type: recommended
Severity: moderate
References: 1180603

This update for keyutils fixes the following issues:

- Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released: Wed Jan 27 12:15:33 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225

This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved
  the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released: Mon Feb 1 15:06:45 2021
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1178775,1180885

This update for systemd fixes the following issues:

- Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)
- Fix for an issue when container start causes interference in other containers. (bsc#1178775)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released: Wed Feb 3 12:52:34 2021
Summary: Recommended update for gmp
Type: recommended
Severity: moderate
References: 1180603

This update for gmp fixes the following issues:

- correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released: Mon Feb 8 13:16:07 2021
Summary: Optional update for pam
Type: optional
Severity: low
References:

This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to be installed - it doesn't fix any bugs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released: Fri Feb 26 19:53:43 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326

This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released: Mon Mar 8 16:45:27 2021
Summary: Security update for openldap2
Type: security
Severity: important
References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212

This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:754-1
Released: Tue Mar 9 17:10:49 2021
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841

This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
- Fixed unresolved error codes in FIPS (bsc#1182959).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:778-1
Released: Fri Mar 12 17:42:25 2021
Summary: Security update for glib2
Type: security
Severity: important
References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219

This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released: Mon Mar 15 11:19:23 2021
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1176201

This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released: Tue Mar 23 10:00:49 2021
Summary: Recommended update for filesystem
Type: recommended
Severity: moderate
References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094

This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one.
  (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:930-1
Released: Wed Mar 24 12:09:23 2021
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1172442,1181358,CVE-2020-11080

This update for nghttp2 fixes the following issues:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released: Wed Mar 24 14:31:34 2021
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032

This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:955-1
Released: Thu Mar 25 16:11:48 2021
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1183852,CVE-2021-3449

This update for openssl-1_1 fixes the security issue:

* CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue.
  [bsc#1183852]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1004-1
Released: Thu Apr 1 15:07:09 2021
Summary: Recommended update for libcap
Type: recommended
Severity: moderate
References: 1180073

This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1006-1
Released: Thu Apr 1 17:44:57 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890

This update for curl fixes the following issues:

- CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934)
- CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1141-1
Released: Mon Apr 12 13:13:36 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1182791

This update for openldap2 fixes the following issues:

- Improved the proxy connection timeout options to prune connections properly (bsc#1182791)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1206-1
Released: Thu Apr 15 15:15:09 2021
Summary: Recommended update for kubevirt
Type: recommended
Severity: moderate
References: 1183749

This update for kubevirt fixes the following issues:

- updated kubevirt to version 0.38.1

This update provides a lot of bug fixes and smaller changes. Please refer to this package's rpm changelog to get a full list of all changes.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1286-1
Released: Tue Apr 20 20:10:21 2021
Summary: Recommended update for SLES-release
Type: recommended
Severity: moderate
References: 1180836

This recommended update for SLES-release provides the following fix:

- Revert the problematic changes previously released and make sure the version is high enough to obsolete the package on containers and images. (bsc#1180836)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1296-1
Released: Wed Apr 21 14:09:28 2021
Summary: Optional update for e2fsprogs
Type: optional
Severity: low
References: 1183791

This update for e2fsprogs fixes the following issues:

- Fixed an issue when building e2fsprogs (bsc#1183791)

This patch does not fix any user visible issues and is therefore optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1297-1
Released: Wed Apr 21 14:10:10 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1178219

This update for systemd fixes the following issues:

- Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1407-1
Released: Wed Apr 28 15:49:02 2021
Summary: Recommended update for libcap
Type: recommended
Severity: important
References: 1184690

This update for libcap fixes the following issues:

- Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'.
  (bsc#1184690)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1466-1
Released: Tue May 4 08:30:57 2021
Summary: Security update for permissions
Type: security
Severity: important
References: 1182899

This update for permissions fixes the following issues:

- etc/permissions: remove unnecessary entries (bsc#1182899)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1523-1
Released: Wed May 5 18:24:20 2021
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518

This update for libxml2 fixes the following issues:

- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1527-1
Released: Thu May 6 08:58:53 2021
Summary: Recommended update for bash
Type: recommended
Severity: important
References: 1183064

This update for bash fixes the following issues:

- Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1528-1
Released: Thu May 6 15:31:23 2021
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1161276

This update for openssl-1_1 fixes the following issues:

- Do not list disapproved cipher algorithms while in 'FIPS' mode.
  (bsc#1161276)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1543-1
Released: Fri May 7 15:16:32 2021
Summary: Recommended update for patterns-microos
Type: recommended
Severity: moderate
References: 1184435

This update for patterns-microos provides the following fix:

- Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1565-1
Released: Tue May 11 14:20:04 2021
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1185163

This update for krb5 fixes the following issues:

- Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163);

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1592-1
Released: Wed May 12 13:47:41 2021
Summary: Optional update for sed
Type: optional
Severity: low
References: 1183797

This update for sed fixes the following issues:

- Fixed a building issue with glibc-2.31 (bsc#1183797).

This patch is optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1612-1
Released: Fri May 14 17:09:39 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1184614

This update for openldap2 fixes the following issue:

- Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3.
(bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1647-1 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Type: security Severity: important References: 1185438,CVE-2021-3520 This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1654-1 Released: Wed May 19 16:43:36 2021 Summary: Security update for libxml2 Type: security Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 This update for libxml2 fixes the following issues: - CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1762-1 Released: Wed May 26 12:30:01 2021 Summary: Security update for curl Type: security Severity: moderate References: 1186114,CVE-2021-22898 This update for curl fixes the following issues: - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Allow partial chain verification [jsc#SLE-17956] * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. * Set FLAG_TRUSTED_FIRST unconditionally. * Do not check partial chains with CRL check. From sle-security-updates at lists.suse.com Tue Jun 1 06:35:44 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 1 Jun 2021 08:35:44 +0200 (CEST) Subject: SUSE-CU-2021:231-1: Security update of suse/sles/15.2/virt-controller Message-ID: <20210601063544.5956AB46E9F@westernhagen.suse.de> SUSE Container Update Advisory: suse/sles/15.2/virt-controller ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:231-1 Container Tags : suse/sles/15.2/virt-controller:0.38.1 , suse/sles/15.2/virt-controller:0.38.1.5.8.43 Container Release : 5.8.43 Severity : important Type : security References : 1078466 1084671 1104902 1141597 1146705 1154935 1161276 1165502 1167471 1169006 1171883 1172442 1173422 1173582 1174232 1174436 1174593 1174942 1175458 1175514 1175519 1175623 1176201 1176513 1176800 1177458 1177490 1177490 1177510 1177858 1178219 1178346 1178386 1178387 1178512 1178554 1178727 1178775 1178775 1178823 1178825 1178909 1179363 1179398 1179399 1179431 1179491 1179503 1179515 1179593 1179694 1179721 1179824 1180020 1180038 1180073 1180083 1180138 1180225 1180596 1180603 1180603 1180836 1180885 1181011 1181358 1181443 1181505 1181831 1182117 
1182279 1182328 1182331 1182333 1182362 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182791 1182899 1182959 1183064 1183094 1183370 1183371 1183749 1183791 1183797 1183852 1183933 1183934 1184358 1184435 1184614 1184690 1185163 1185408 1185408 1185409 1185409 1185410 1185410 1185438 1185562 1185698 1186114 CVE-2019-25013 CVE-2020-11080 CVE-2020-1971 CVE-2020-25692 CVE-2020-25709 CVE-2020-25710 CVE-2020-27618 CVE-2020-28196 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-8025 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2021-22876 CVE-2021-22890 CVE-2021-22898 CVE-2021-23840 CVE-2021-23841 CVE-2021-24031 CVE-2021-24032 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3326 CVE-2021-3449 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517 CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 ----------------------------------------------------------------- The container suse/sles/15.2/virt-controller was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1989-1 Released: Tue Jul 21 17:58:58 2020 Summary: Recommended update to SLES-releases Type: recommended Severity: important References: 1173582 This update of SLES-release provides the following fix: - Obsolete Leap 15.2 as well to allow migration from Leap to SLE. 
(bsc#1173582) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3138-1 Released: Tue Nov 3 12:14:03 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800 This update for systemd fixes the following issues: - seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422) - test-seccomp: log function names - test-seccomp: add log messages when skipping tests - basic/virt: Detect PowerVM hypervisor (bsc#1176800) - fs-util: suppress world-writable warnings if we read /dev/null - udevadm: rename option '--log-priority' into '--log-level' - udev: rename kernel option 'log_priority' into 'log_level' - fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513) - Fix memory protection default (bsc#1167471) - cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935) - Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3290-1 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1174232 This update for findutils fixes the following issues: - Do not unconditionally use leaf optimization for NFS. (bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1178387,CVE-2020-25692 This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3377-1 Released: Thu Nov 19 09:29:32 2020 Summary: Security update for krb5 Type: security Severity: moderate References: 1178512,CVE-2020-28196 This update for krb5 fixes the following security issue: - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3381-1 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1177458,1177490,1177510 This update for systemd fixes the following issues: - build-sys: optionally disable support of journal over the network (bsc#1177458) - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510) - mount: don't propagate errors from mount_setup_unit() further up - Rely on the new build option --disable-remote for journal_remote This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled. - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package - Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458) These files were incorrectly packaged in the main package when systemd-journal_remote was disabled. - Make use of %{_unitdir} and %{_sysusersdir} - Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3462-1 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Type: recommended Severity: moderate References: 1174593,1177858,1178727 This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. 
(bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3620-1 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=` ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3626-1 Released: Fri Dec 4 13:51:46 2020 Summary: Recommended update for audit Type: recommended Severity: moderate References: 1179515 This update for audit fixes the following issues: - Enable Aarch64 processor support. (bsc#1179515) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3703-1 Released: Mon Dec 7 20:17:32 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1179431 This update for aaa_base fixes the following issue: - Avoid semicolon within (t)csh login script on S/390. (bsc#1179431) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3721-1 Released: Wed Dec 9 13:36:46 2020 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1179491,CVE-2020-1971 This update for openssl-1_1 fixes the following issues: - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3735-1 Released: Wed Dec 9 18:19:24 2020 Summary: Security update for curl Type: security Severity: moderate References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286 This update for curl fixes the following issues: - CVE-2020-8286: Fixed improper OCSP verification in the client side (bsc#1179593). - CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399). - CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3809-1 Released: Tue Dec 15 13:46:05 2020 Summary: Recommended update for glib2 Type: recommended Severity: moderate References: 1178346 This update for glib2 fixes the following issues: Update from version 2.62.5 to version 2.62.6: - Support for slim format of timezone. (bsc#1178346) - Fix DST incorrect end day when using slim format. (bsc#1178346) - Fix SOCKS5 username/password authentication. - Updated translations. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3853-1 Released: Wed Dec 16 12:27:27 2020 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825 This update for util-linux fixes the following issue: - Do not trigger the automatic close of CDROM. (bsc#1084671) - Try to automatically configure broken serial lines. (bsc#1175514) - Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514) - Build with `libudev` support to support non-root users. (bsc#1169006) - Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825) - Fix warning on mounts to `CIFS` with mount -a. 
(bsc#1174942) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3942-1 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Type: recommended Severity: moderate References: 1180138 This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3943-1 Released: Tue Dec 29 12:24:45 2020 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1178823 This update for libxml2 fixes the following issues: Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823) * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). * This fix uses a hash table to avoid the quadratic behaviour. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:129-1 Released: Thu Jan 14 12:26:15 2021 Summary: Security update for openldap2 Type: security Severity: moderate References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909). - CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909). Non-security issue fixed: - Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. 
(bsc#1179503) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:197-1 Released: Fri Jan 22 15:17:42 2021 Summary: Security update for permissions Type: security Severity: moderate References: 1171883,CVE-2020-8025 This update for permissions fixes the following issues: - Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:220-1 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate References: 1180603 This update for keyutils fixes the following issues: - Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:233-1 Released: Wed Jan 27 12:15:33 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225 This update for systemd fixes the following issues: - Added a timestamp to the output of the busctl monitor command (bsc#1180225) - Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824) - Improved the caching of cgroups member mask (bsc#1175458) - Fixed the dependency definition of sound.target (bsc#1179363) - Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436) - time-util: treat /etc/localtime missing as UTC (bsc#1141597) - Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:265-1 Released: Mon Feb 1 15:06:45 2021 Summary: Recommended update for systemd Type: recommended Severity: important References: 1178775,1180885 This update for systemd 
fixes the following issues: - Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998) - Fix for an issue when container start causes interference in other containers. (bsc#1178775) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:293-1 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Type: recommended Severity: moderate References: 1180603 This update for gmp fixes the following issues: - correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:339-1 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Type: optional Severity: low References: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:653-1 Released: Fri Feb 26 19:53:43 2021 Summary: Security update for glibc Type: security Severity: important References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326 This update for glibc fixes the following issues: - Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973) - x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) - iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2021:723-1 Released: Mon Mar 8 16:45:27 2021 Summary: Security update for openldap2 Type: security Severity: important References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 This update for openldap2 fixes the following issues: - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). 
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:754-1 Released: Tue Mar 9 17:10:49 2021 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841 This update for openssl-1_1 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) - Fixed unresolved error codes in FIPS (bsc#1182959). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:778-1 Released: Fri Mar 12 17:42:25 2021 Summary: Security update for glib2 Type: security Severity: important References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219 This update for glib2 fixes the following issues: - CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328) - CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. 
(bsc#1182362) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:786-1 Released: Mon Mar 15 11:19:23 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1176201 This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:924-1 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 This update for filesystem fixes the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) - Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. 
(bsc#1180083) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:930-1 Released: Wed Mar 24 12:09:23 2021 Summary: Security update for nghttp2 Type: security Severity: important References: 1172442,1181358,CVE-2020-11080 This update for nghttp2 fixes the following issues: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:948-1 Released: Wed Mar 24 14:31:34 2021 Summary: Security update for zstd Type: security Severity: moderate References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032 This update for zstd fixes the following issues: - CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371). - CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:955-1 Released: Thu Mar 25 16:11:48 2021 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1183852,CVE-2021-3449 This update for openssl-1_1 fixes the security issue: * CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. 
[bsc#1183852] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1004-1 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Type: recommended Severity: moderate References: 1180073 This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1006-1 Released: Thu Apr 1 17:44:57 2021 Summary: Security update for curl Type: security Severity: moderate References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890 This update for curl fixes the following issues: - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934) - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1141-1 Released: Mon Apr 12 13:13:36 2021 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1182791 This update for openldap2 fixes the following issues: - Improved the proxy connection timeout options to prune connections properly (bsc#1182791) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1206-1 Released: Thu Apr 15 15:15:09 2021 Summary: Recommended update for kubevirt Type: recommended Severity: moderate References: 1183749 This update for kubevirt fixes the following issues: - updated kubevirt to version 0.38.1 This update provides a lot of bug fixes and smaller changes. Please refer to this package's rpm changelog to get a full list of all changes. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1286-1 Released: Tue Apr 20 20:10:21 2021 Summary: Recommended update for SLES-release Type: recommended Severity: moderate References: 1180836 This recommended update for SLES-release provides the following fix: - Revert the problematic changes previously released and make sure the version is high enough to obsolete the package on containers and images. (bsc#1180836) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1296-1 Released: Wed Apr 21 14:09:28 2021 Summary: Optional update for e2fsprogs Type: optional Severity: low References: 1183791 This update for e2fsprogs fixes the following issues: - Fixed an issue when building e2fsprogs (bsc#1183791) This patch does not fix any user visible issues and is therefore optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1297-1 Released: Wed Apr 21 14:10:10 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1178219 This update for systemd fixes the following issues: - Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1407-1 Released: Wed Apr 28 15:49:02 2021 Summary: Recommended update for libcap Type: recommended Severity: important References: 1184690 This update for libcap fixes the following issues: - Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. 
(bsc#1184690) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1466-1 Released: Tue May 4 08:30:57 2021 Summary: Security update for permissions Type: security Severity: important References: 1182899 This update for permissions fixes the following issues: - etc/permissions: remove unnecessary entries (bsc#1182899) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1523-1 Released: Wed May 5 18:24:20 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518 This update for libxml2 fixes the following issues: - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1527-1 Released: Thu May 6 08:58:53 2021 Summary: Recommended update for bash Type: recommended Severity: important References: 1183064 This update for bash fixes the following issues: - Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1528-1 Released: Thu May 6 15:31:23 2021 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1161276 This update for openssl-1_1 fixes the following issues: - Do not list disapproved cipher algorithms while in 'FIPS' mode. 
(bsc#1161276) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1543-1 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Type: recommended Severity: moderate References: 1184435 This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1565-1 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1185163 This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1592-1 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Type: optional Severity: low References: 1183797 This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1612-1 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. 
(bsc#1184614)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1643-1
Released: Wed May 19 13:51:48 2021
Summary: Recommended update for pam
Type: recommended
Severity: important
References: 1181443,1184358,1185562

This update for pam fixes the following issues:
- Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1647-1
Released: Wed May 19 13:59:12 2021
Summary: Security update for lz4
Type: security
Severity: important
References: 1185438,CVE-2021-3520

This update for lz4 fixes the following issues:
- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1654-1
Released: Wed May 19 16:43:36 2021
Summary: Security update for libxml2
Type: security
Severity: important
References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537

This update for libxml2 fixes the following issues:
- CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1762-1
Released: Wed May 26 12:30:01 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1186114,CVE-2021-22898

This update for curl fixes the following issues:
- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Allow partial chain verification [jsc#SLE-17956]
  * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain.
  * Set FLAG_TRUSTED_FIRST unconditionally.
  * Do not check partial chains with CRL check.

From sle-security-updates at lists.suse.com Tue Jun 1 06:36:03 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 1 Jun 2021 08:36:03 +0200 (CEST)
Subject: SUSE-CU-2021:232-1: Security update of suse/sles/15.2/virt-handler
Message-ID: <20210601063603.94681B46E9F@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sles/15.2/virt-handler
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:232-1
Container Tags : suse/sles/15.2/virt-handler:0.38.1 , suse/sles/15.2/virt-handler:0.38.1.5.8.45
Container Release : 5.8.45
Severity : important
Type : security
-----------------------------------------------------------------

The container suse/sles/15.2/virt-handler was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2170-1
Released: Mon Oct 8 10:31:14 2018
Summary: Recommended update for python3
Type: recommended
Severity: moderate
References: 1107030

This update for python3 fixes the following issues:
- Add -fwrapv to OPTS, which is default for python3 for bugs which are caused by avoiding it. (bsc#1107030)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2485-1
Released: Fri Oct 26 12:38:01 2018
Summary: Recommended update for kmod
Type: recommended
Severity: moderate
References: 1112928

This update for kmod provides the following fixes:
- Allow 'modprobe -c' print the status of 'allow_unsupported_modules' option. (bsc#1112928)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2620-1
Released: Thu Nov 8 17:57:34 2018
Summary: Security update for libxkbcommon
Type: security
Severity: low
References: 1105832,CVE-2018-15853,CVE-2018-15854,CVE-2018-15855,CVE-2018-15856,CVE-2018-15857,CVE-2018-15858,CVE-2018-15859,CVE-2018-15861,CVE-2018-15862,CVE-2018-15863,CVE-2018-15864

This update for libxkbcommon to version 0.8.2 fixes the following issues:
- Fix a few NULL-dereferences, out-of-bounds access and undefined behavior in the XKB text format parser.
- CVE-2018-15853: Endless recursion could have been used by local attackers to crash xkbcommon users by supplying a crafted keymap file that triggers boolean negation (bsc#1105832).
- CVE-2018-15854: Unchecked NULL pointer usage could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because geometry tokens were desupported incorrectly (bsc#1105832).
- CVE-2018-15855: Unchecked NULL pointer usage could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because the XkbFile for an xkb_geometry section was mishandled (bsc#1105832).
- CVE-2018-15856: An infinite loop when reaching EOL unexpectedly could be used by local attackers to cause a denial of service during parsing of crafted keymap files (bsc#1105832).
- CVE-2018-15857: An invalid free in ExprAppendMultiKeysymList could have been used by local attackers to crash xkbcommon keymap parsers or possibly have unspecified other impact by supplying a crafted keymap file (bsc#1105832).
- CVE-2018-15858: Unchecked NULL pointer usage when handling invalid aliases in CopyKeyAliasesToKeymap could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file (bsc#1105832).
- CVE-2018-15859: Unchecked NULL pointer usage when parsing invalid atoms in ExprResolveLhs could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because lookup failures are mishandled (bsc#1105832).
- CVE-2018-15861: Unchecked NULL pointer usage in ExprResolveLhs could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file that triggers an xkb_intern_atom failure (bsc#1105832).
- CVE-2018-15862: Unchecked NULL pointer usage in LookupModMask could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with invalid virtual modifiers (bsc#1105832).
- CVE-2018-15863: Unchecked NULL pointer usage in ResolveStateAndPredicate could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with a no-op modmask expression (bsc#1105832).
- CVE-2018-15864: Unchecked NULL pointer usage in resolve_keysym could have been used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because a map access attempt can occur for a map that was never created (bsc#1105832).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:170-1
Released: Fri Jan 25 13:43:29 2019
Summary: Recommended update for kmod
Type: recommended
Severity: moderate
References: 1118629

This update for kmod fixes the following issues:
- Fixes module dependency file corruption on parallel invocation (bsc#1118629).
- Allows 'modprobe -c' to print the status of 'allow_unsupported_modules' option.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:215-1
Released: Thu Jan 31 15:59:57 2019
Summary: Security update for python3
Type: security
Severity: important
References: 1120644,1122191,CVE-2018-20406,CVE-2019-5010

This update for python3 fixes the following issues:

Security issue fixed:
- CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191)
- CVE-2018-20406: Fixed an integer overflow via a large LONG_BINPUT (bsc#1120644)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:464-1
Released: Fri Feb 22 09:43:52 2019
Summary: Recommended update for xkeyboard-config
Type: recommended
Severity: moderate
References: 1123784

This update for xkeyboard-config fixes the following issues:
- Fixes missing mappings for evdev keys KEY_RFKILL and KEY_WWAN.
(bsc#1123784)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:966-1
Released: Wed Apr 17 12:20:13 2019
Summary: Recommended update for python-rpm-macros
Type: recommended
Severity: moderate
References: 1128323

This update for python-rpm-macros fixes the following issues:

The Python RPM macros were updated to version 20190408.32abece, fixing bugs (bsc#1128323)
* Add missing $ expansion on the pytest call
* Rewrite pytest and pytest_arch into Lua macros with multiple arguments.
* We should preserve existing PYTHONPATH.
* Add --ignore to pytest calls to ignore build directories.
* Actually make pytest into function to capture arguments as well
* Add pytest definitions.
* Use upstream-recommended %{_rpmconfigdir}/macros.d directory for the rpm macros.
* Fix an issue with epoch printing having too many \
* add epoch while printing 'Provides:'
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:971-1
Released: Wed Apr 17 14:43:26 2019
Summary: Security update for python3
Type: security
Severity: important
References: 1129346,CVE-2019-9636

This update for python3 fixes the following issues:

Security issue fixed:
- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1160-1
Released: Mon May 6 14:24:31 2019
Summary: Recommended update for sg3_utils
Type: recommended
Severity: moderate
References: 1005063,1069384,1131482,1133418,840054

This update for sg3_utils fixes the following issues:
- Update to version 1.44~763+19.1ed0757:
  * rescan-scsi-bus.sh: use LUN wildcard in idlist (bsc#1069384)
  * 40-usb-blacklist.rules: use ID_SCSI_INQUIRY (bsc#840054, bsc#1131482)
  * Changed versioning scheme (svn r763, pre-release of upstream 1.44, plus 16 SUSE patches, SUSE git commit b2fedfa)
  * 59-fc-wwpn-id.rules: fix rule syntax (bsc#1133418)
- Spec file: add fc_wwpn_id to generate by-path links for fibrechannel (bsc#1005063)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1352-1
Released: Fri May 24 14:41:44 2019
Summary: Security update for python3
Type: security
Severity: moderate
References: 1130840,1133452,CVE-2019-9947

This update for python3 to version 3.6.8 fixes the following issues:

Security issue fixed:
- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840).

Non-security issue fixed:
- Fixed broken debuginfo packages by switching off LTO and PGO optimization (bsc#1133452).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2050-1
Released: Tue Aug 6 09:42:37 2019
Summary: Security update for python3
Type: security
Severity: important
References: 1094814,1138459,1141853,CVE-2018-20852,CVE-2019-10160

This update for python3 fixes the following issues:

Security issue fixed:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be sent to the wrong server because of incorrect domain validation (bsc#1141853).

Non-security issue fixed:
- Fixed an issue where the SIGINT signal was ignored or not handled (bsc#1094814).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2517-1
Released: Wed Oct 2 10:49:20 2019
Summary: Security update for libseccomp
Type: security
Severity: moderate
References: 1082318,1128828,1142614,CVE-2019-9893

This update for libseccomp fixes the following issues:

Security issues fixed:
- CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828)

libseccomp was updated to new upstream release 2.4.1:
- Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks.

libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893):
- Update the syscall table for Linux v5.0-rc5
- Added support for the SCMP_ACT_KILL_PROCESS action
- Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
- Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
- Added support for the parisc and parisc64 architectures
- Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
- Return -EDOM on an endian mismatch when adding an architecture to a filter
- Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
- Fix PFC generation when a syscall is prioritized, but no rule exists
- Numerous fixes to the seccomp-bpf filter generation code
- Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
- Numerous tests added to the included test suite, coverage now at ~92%
- Update our Travis CI configuration to use Ubuntu 16.04
- Numerous documentation fixes and updates

libseccomp was updated to release 2.3.3:
- Updated the syscall table for Linux v4.15-rc7
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2802-1
Released: Tue Oct 29 11:39:05 2019
Summary: Security update for python3
Type: security
Severity: moderate
References: 1149121,1149792,1149955,1151490,1153238,CVE-2019-16056,CVE-2019-16935,PM-1350,SLE-9426

This update for python3 to 3.6.9 fixes the following issues:

Security issues fixed:
- CVE-2019-16056: Fixed a parser issue in the email module. (bsc#1149955)
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).

Non-security issues fixed:
- Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490)
- Improved locale handling by implementing PEP 538.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3018-1
Released: Wed Nov 20 12:48:21 2019
Summary: Recommended update for xkeyboard-config
Type: recommended
Severity: moderate
References: 1153774

This update for xkeyboard-config fixes the following issues:
- Fix capslock in Old Hungarian layout (bsc#1153774)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:114-1
Released: Thu Jan 16 10:11:52 2020
Summary: Security update for python3
Type: security
Severity: important
References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947

This update for python3 to version 3.6.10 fixes the following issues:
- CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507).
- CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955).
- CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:340-1
Released: Thu Feb 6 13:03:56 2020
Summary: Recommended update for python-rpm-macros
Type: recommended
Severity: moderate
References: 1161770

This update for python-rpm-macros fixes the following issues:
- Add macros related to the Python dist metadata dependency generator. (bsc#1161770)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:467-1
Released: Tue Feb 25 12:00:39 2020
Summary: Security update for python3
Type: security
Severity: moderate
References: 1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492

This update for python3 fixes the following issues:

Security issues fixed:
- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).

Non-security issue fixed:
- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:777-1
Released: Tue Mar 24 18:07:52 2020
Summary: Recommended update for python3
Type: recommended
Severity: moderate
References: 1165894

This update for python3 fixes the following issue:
- Rename idle icons to idle3 in order to not conflict with python2 variant of the package (bsc#1165894)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1342-1
Released: Tue May 19 13:27:31 2020
Summary: Recommended update for python3
Type: recommended
Severity: moderate
References: 1149955,1165894,CVE-2019-16056

This update for python3 fixes the following issues:
- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1370-1
Released: Thu May 21 19:06:00 2020
Summary: Recommended update for systemd-presets-branding-SLE
Type: recommended
Severity: moderate
References: 1171656

This update for systemd-presets-branding-SLE fixes the following issues:

Cleanup of outdated autostart services (bsc#1171656):
- Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE.
- Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this.
- Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE which is not foreseeable.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1492-1
Released: Wed May 27 18:32:41 2020
Summary: Recommended update for python-rpm-macros
Type: recommended
Severity: moderate
References: 1171561

This update for python-rpm-macros fixes the following issue:
- Update to version 20200207.5feb6c1 (bsc#1171561)
  * Do not write .pyc files for tests
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1822-1
Released: Thu Jul 2 11:30:42 2020
Summary: Security update for python3
Type: security
Severity: important
References: 1173274,CVE-2020-14422

This update for python3 fixes the following issues:
- CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface could have led to denial of service (bsc#1173274).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1989-1
Released: Tue Jul 21 17:58:58 2020
Summary: Recommended update to SLES-releases
Type: recommended
Severity: important
References: 1173582

This update of SLES-release provides the following fix:
- Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2015-1
Released: Thu Jul 23 09:21:24 2020
Summary: Security update for qemu
Type: security
Severity: important
References: 1172383,1172384,1172386,1172495,1172710,CVE-2020-10761,CVE-2020-13361,CVE-2020-13362,CVE-2020-13659,CVE-2020-13800

This update for qemu to version 4.2.1 fixes the following issues:
- CVE-2020-10761: Fixed a denial of service in Network Block Device (nbd) support infrastructure (bsc#1172710).
- CVE-2020-13800: Fixed a denial of service possibility in ati-vga emulation (bsc#1172495).
- CVE-2020-13659: Fixed a null pointer dereference possibility in MegaRAID SAS 8708EM2 emulation (bsc#1172386).
- CVE-2020-13362: Fixed an OOB access possibility in MegaRAID SAS 8708EM2 emulation (bsc#1172383).
- CVE-2020-13361: Fixed an OOB access possibility in ES1370 audio device emulation (bsc#1172384).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2277-1
Released: Wed Aug 19 13:24:03 2020
Summary: Security update for python3
Type: security
Severity: moderate
References: 1174091,CVE-2019-20907

This update for python3 fixes the following issues:
- bsc#1174091, CVE-2019-20907: avoiding possible infinite loop in specifically crafted tarball.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2638-1
Released: Tue Sep 15 15:41:32 2020
Summary: Recommended update for cryptsetup
Type: recommended
Severity: moderate
References: 1165580

This update for cryptsetup fixes the following issues:

Update from version 2.0.5 to version 2.0.6. (jsc#SLE-5911, bsc#1165580)
- Fix support of larger metadata areas in *LUKS2* header. This release properly supports all specified metadata areas, as documented in *LUKS2* format description. Currently, only default metadata area size is used (in format or convert). Later cryptsetup versions will allow increasing this metadata area size.
- If *AEAD* (authenticated encryption) is used, cryptsetup now tries to check if the requested *AEAD* algorithm with specified key size is available in kernel crypto API. This change avoids formatting a device that cannot be later activated. For this function, the kernel must be compiled with the *CONFIG_CRYPTO_USER_API_AEAD* option enabled. Note that kernel user crypto API options (*CONFIG_CRYPTO_USER_API* and *CONFIG_CRYPTO_USER_API_SKCIPHER*) are already mandatory for LUKS2.
- Fix setting of integrity no-journal flag. Now you can store this flag to metadata using *\--persistent* option.
- Fix cryptsetup-reencrypt to not keep temporary reencryption headers if interrupted during initial password prompt.
- Adds early check to plain and LUKS2 formats to disallow device format if device size is not aligned to requested sector size. Previously it was possible, and the device was rejected to activate by kernel later.
- Fix checking of hash algorithms availability for *PBKDF* early. Previously *LUKS2* format allowed non-existent hash algorithm with invalid keyslot preventing the device from activation.
- Allow Adiantum cipher construction (a non-authenticated length-preserving fast encryption scheme), so it can be used both for data encryption and keyslot encryption in *LUKS1/2* devices.
  For benchmark, use:
    # cryptsetup benchmark -c xchacha12,aes-adiantum
    # cryptsetup benchmark -c xchacha20,aes-adiantum
  For LUKS format:
    # cryptsetup luksFormat -c xchacha20,aes-adiantum-plain64 -s 256
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2877-1
Released: Wed Oct 7 14:43:20 2020
Summary: Security update for qemu
Type: security
Severity: important
References: 1174386,1174641,1174863,1175370,1175441,1176494,CVE-2020-14364,CVE-2020-15863,CVE-2020-16092,CVE-2020-24352

This update for qemu fixes the following issues:
- CVE-2020-14364: Fixed an OOB access while processing USB packets (bsc#1175441,bsc#1176494).
- CVE-2020-16092: Fixed a denial of service in packet processing of various emulated NICs (bsc#1174641).
- CVE-2020-15863: Fixed a buffer overflow in the XGMAC device (bsc#1174386).
- CVE-2020-24352: Fixed an out-of-bounds read/write in ati-vga device emulation in ati_2d_blt (bsc#1175370).
- Allow to IPL secure guests with -no-reboot (bsc#1174863)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2890-1
Released: Mon Oct 12 11:07:00 2020
Summary: Recommended update for multipath-tools
Type: recommended
Severity: important
References: 1125043,1139837,1161923,1165786,1172157,1172429,1173060,1173064,1176644,1176670

This update for multipath-tools fixes the following issues:
- Fixed an issue where mapping two WWID's to the same multipath led to a data corruption (bsc#1172429)
- Improved logging of some failure cases (bsc#1173060, bsc#1173064)
- Limited the PRIN allocation length to 8192 bytes (bsc#1165786)
- Added '-e' option to enable foreign libraries (bsc#1139837)
- Fixed an issue when handling synthetic uevents (bsc#1161923)
- Fix handling of hardware properties for maps without paths (bsc#1176644)
- Fixed an issue where all paths were dropped from a storage array (bsc#1125043)
- Fixed handling of incompletely initialized udev devices (bsc#1172157)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3138-1
Released: Tue Nov 3 12:14:03 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800

This update for systemd fixes the following issues:
- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)
- test-seccomp: log function names
- test-seccomp: add log messages when skipping tests
- basic/virt: Detect PowerVM hypervisor (bsc#1176800)
- fs-util: suppress world-writable warnings if we read /dev/null
- udevadm: rename option '--log-priority' into '--log-level'
- udev: rename kernel option 'log_priority' into 'log_level'
- fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)
- Fix memory protection default (bsc#1167471)
- cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)
- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3290-1
Released: Wed Nov 11 12:25:32 2020
Summary: Recommended update for findutils
Type: recommended
Severity: moderate
References: 1174232

This update for findutils fixes the following issues:
- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)
  NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3313-1
Released: Thu Nov 12 16:07:37 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1178387,CVE-2020-25692

This update for openldap2 fixes the following issues:
- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3377-1
Released: Thu Nov 19 09:29:32 2020
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:
- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3381-1 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1177458,1177490,1177510 This update for systemd fixes the following issues: - build-sys: optionally disable support of journal over the network (bsc#1177458) - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510) - mount: don't propagate errors from mount_setup_unit() further up - Rely on the new build option --disable-remote for journal_remote This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled. - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package - Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458) These files were incorrectly packaged in the main package when systemd-journal_remote was disabled. - Make use of %{_unitdir} and %{_sysusersdir} - Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3420-1 Released: Thu Nov 19 13:40:55 2020 Summary: Recommended update for multipath-tools Type: recommended Severity: moderate References: 1162896,1178354 This update for multipath-tools fixes the following issues: - Avoid reading files extensions other than '.conf' from config dir. (bsc#1162896) - Fix wrong usage of '%service_del_preun -n' macro in spec file. 
(bsc#1178354) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3462-1 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Type: recommended Severity: moderate References: 1174593,1177858,1178727 This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3551-1 Released: Fri Nov 27 14:54:37 2020 Summary: Security update for libssh2_org Type: security Severity: moderate References: 1130103,1178083,CVE-2019-17498,CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863 This update for libssh2_org fixes the following issues: - Version update to 1.9.0: [bsc#1178083, jsc#SLE-16922] Enhancements and bugfixes: * adds ECDSA keys and host key support when using OpenSSL * adds ED25519 key and host key support when using OpenSSL 1.1.1 * adds OpenSSH style key file reading * adds AES CTR mode support when using WinCNG * adds PEM passphrase protected file support for Libgcrypt and WinCNG * adds SHA256 hostkey fingerprint * adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path() * adds explicit zeroing of sensitive data in memory * adds additional bounds checks to network buffer reads * adds the ability to use the server default permissions when creating sftp directories * adds support for building with OpenSSL no engine flag * adds support for building with LibreSSL * increased sftp packet size to 256k * fixed 
oversized packet handling in sftp * fixed building with OpenSSL 1.1 * fixed a possible crash if sftp stat gets an unexpected response * fixed incorrect parsing of the KEX preference string value * fixed conditional RSA and AES-CTR support * fixed a small memory leak during the key exchange process * fixed a possible memory leak of the ssh banner string * fixed various small memory leaks in the backends * fixed possible out of bounds read when parsing public keys from the server * fixed possible out of bounds read when parsing invalid PEM files * no longer null terminates the scp remote exec command * now handle errors when diffie hellman key pair generation fails * improved building instructions * improved unit tests - Version update to 1.8.2: [bsc#1130103] Bug fixes: * Fixed the misapplied userauth patch that broke 1.8.1 * moved the MAX size declarations from the public header ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3593-1 Released: Wed Dec 2 10:33:49 2020 Summary: Security update for python3 Type: security Severity: important References: 1176262,1179193,CVE-2019-20916 This update for python3 fixes the following issues: Update to 3.6.12 (bsc#1179193), including: - Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3620-1 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of the user's name of at least `` characters length in some form. 
This is enabled by the new parameter `usersubstr=` ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3626-1 Released: Fri Dec 4 13:51:46 2020 Summary: Recommended update for audit Type: recommended Severity: moderate References: 1179515 This update for audit fixes the following issues: - Enable Aarch64 processor support. (bsc#1179515) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3703-1 Released: Mon Dec 7 20:17:32 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1179431 This update for aaa_base fixes the following issue: - Avoid semicolon within (t)csh login script on S/390. (bsc#1179431) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3721-1 Released: Wed Dec 9 13:36:46 2020 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1179491,CVE-2020-1971 This update for openssl-1_1 fixes the following issues: - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3735-1 Released: Wed Dec 9 18:19:24 2020 Summary: Security update for curl Type: security Severity: moderate References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286 This update for curl fixes the following issues: - CVE-2020-8286: Fixed improper OCSP verification in the client side (bsc#1179593). - CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399). - CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3791-1 Released: Mon Dec 14 17:39:19 2020 Summary: Recommended update for gzip Type: recommended Severity: moderate References: This update for gzip fixes the following issue: - Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775) Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3809-1 Released: Tue Dec 15 13:46:05 2020 Summary: Recommended update for glib2 Type: recommended Severity: moderate References: 1178346 This update for glib2 fixes the following issues: Update from version 2.62.5 to version 2.62.6: - Support for slim format of timezone. (bsc#1178346) - Fix DST incorrect end day when using slim format. (bsc#1178346) - Fix SOCKS5 username/password authentication. - Updated translations. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3853-1 Released: Wed Dec 16 12:27:27 2020 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825 This update for util-linux fixes the following issue: - Do not trigger the automatic close of CDROM. (bsc#1084671) - Try to automatically configure broken serial lines. (bsc#1175514) - Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514) - Build with `libudev` support to support non-root users. (bsc#1169006) - Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825) - Fix warning on mounts to `CIFS` with mount -a. 
(bsc#1174942) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3930-1 Released: Wed Dec 23 18:19:39 2020 Summary: Security update for python3 Type: security Severity: important References: 1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630,CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492 This update for python3 fixes the following issues: - Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. - Change setuptools and pip version numbers according to new wheels - Handful of changes to make python36 compatible with SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738) - add triplets for mips-r6 and riscv - RISC-V needs CTYPES_PASS_BY_REF_HACK Update to 3.6.12 (bsc#1179193) * Ensure python3.dll is loaded from correct locations when Python is embedded * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address). * Prevent http header injection by rejecting control characters in http.client.putrequest(…). * Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing. * Avoid infinite loop when reading specially crafted TAR files using the tarfile module - This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091). Update to 3.6.11: - Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. - Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause an InvalidURL to be raised. 
(bsc#1155094) - CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3942-1 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Type: recommended Severity: moderate References: 1180138 This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3943-1 Released: Tue Dec 29 12:24:45 2020 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1178823 This update for libxml2 fixes the following issues: Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823) * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). * This fix uses a hash table to avoid the quadratic behaviour. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3946-1 Released: Tue Dec 29 17:39:54 2020 Summary: Recommended update for python3 Type: recommended Severity: important References: 1180377 This update for python3 fixes the following issues: - A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3, which caused regressions in several applications. 
(bsc#1180377) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:6-1 Released: Mon Jan 4 07:05:06 2021 Summary: Recommended update for libdlm Type: recommended Severity: moderate References: 1098449,1144793,1168771,1177533,1177658 This update for libdlm fixes the following issues: - Rework libdlm3 require with a shared library version tag instead so it propagates to all consuming packages.(bsc#1177658, bsc#1098449) - Add support for type 'uint64_t' to corosync ringid. (bsc#1168771) - Include some fixes/enhancements for dlm_controld. (bsc#1144793) - Fixed an issue where /boot logical volume was accidentally unmounted. (bsc#1177533) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:129-1 Released: Thu Jan 14 12:26:15 2021 Summary: Security update for openldap2 Type: security Severity: moderate References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909). - CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909). Non-security issue fixed: - Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:152-1 Released: Fri Jan 15 17:04:47 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1179691,1179738 This update for lvm2 fixes the following issues: - Fix for lvm2 to use udev as external device by default. (bsc#1179691) - Fixed an issue in configuration for an item that is commented out by default. 
(bsc#1179738) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:174-1 Released: Wed Jan 20 07:55:23 2021 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1172695 This update for gnutls fixes the following issue: - Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:197-1 Released: Fri Jan 22 15:17:42 2021 Summary: Security update for permissions Type: security Severity: moderate References: 1171883,CVE-2020-8025 This update for permissions fixes the following issues: - Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:220-1 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate References: 1180603 This update for keyutils fixes the following issues: - Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:233-1 Released: Wed Jan 27 12:15:33 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225 This update for systemd fixes the following issues: - Added a timestamp to the output of the busctl monitor command (bsc#1180225) - Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824) - Improved the caching of cgroups member mask (bsc#1175458) - Fixed the dependency definition of sound.target (bsc#1179363) - Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436) - time-util: treat /etc/localtime 
missing as UTC (bsc#1141597) - Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:265-1 Released: Mon Feb 1 15:06:45 2021 Summary: Recommended update for systemd Type: recommended Severity: important References: 1178775,1180885 This update for systemd fixes the following issues: - Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998) - Fix for an issue when container start causes interference in other containers. (bsc#1178775) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:278-1 Released: Tue Feb 2 09:43:08 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1181319 This update for lvm2 fixes the following issues: - Backport 'lvmlockd' to adopt orphan locks feature. (bsc#1181319) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:293-1 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Type: recommended Severity: moderate References: 1180603 This update for gmp fixes the following issues: - correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:302-1 Released: Thu Feb 4 13:18:35 2021 Summary: Recommended update for lvm2 Type: recommended Severity: important References: 1179691 This update for lvm2 fixes the following issues: - lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691). 
If this behavior is still wanted, please change this manually in the lvm.conf ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:339-1 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Type: optional Severity: low References: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:521-1 Released: Fri Feb 19 11:00:33 2021 Summary: Security update for qemu Type: security Severity: important References: 1178049,1178565,1179717,1179719,1180523,1181639,1181933,1182137,CVE-2020-11947,CVE-2021-20181,CVE-2021-20203,CVE-2021-20221 This update for qemu fixes the following issues: - Fixed potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137) - Fixed out-of-bound access in iscsi (CVE-2020-11947 bsc#1180523) - Fixed out-of-bound access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639) - Fixed out-of-bound access in ARM interrupt handling (CVE-2021-20221 bsc#1181933) - Fixed vfio-pci device on s390 enters error state (bsc#1179717 bsc#1179719) - Fixed 'Failed to try-restart qemu-ga@.service' error while updating the qemu-guest-agent. (bsc#1178565) - Apply fixes to qemu scsi passthrough with respect to timeout and error conditions, including using more correct status codes. 
Add more qemu tracing which helped track down these issues (bsc#1178049) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:529-1 Released: Fri Feb 19 14:53:47 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177 This update for python3 fixes the following issues: - CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126). - Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:653-1 Released: Fri Feb 26 19:53:43 2021 Summary: Security update for glibc Type: security Severity: important References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326 This update for glibc fixes the following issues: - Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973) - x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) - iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:723-1 Released: Mon Mar 8 16:45:27 2021 Summary: Security update for openldap2 Type: security Severity: important References: 
1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 This update for openldap2 fixes the following issues: - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). - bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:754-1 Released: Tue Mar 9 17:10:49 2021 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841 This update for openssl-1_1 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) - Fixed unresolved error codes in FIPS (bsc#1182959). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:778-1 Released: Fri Mar 12 17:42:25 2021 Summary: Security update for glib2 Type: security Severity: important References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219 This update for glib2 fixes the following issues: - CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328) - CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:786-1 Released: Mon Mar 15 11:19:23 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1176201 This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:924-1 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 This update for filesystem fixes the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. 
(bsc#1181011) - Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:926-1 Released: Tue Mar 23 13:20:24 2021 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate References: 1083473,1112500,1115408,1165780,1183012 This update for systemd-presets-common-SUSE fixes the following issues: - Add default user preset containing: - enable `pulseaudio.socket` (bsc#1083473) - enable `pipewire.socket` (bsc#1183012) - enable `pipewire-pulse.socket` (bsc#1183012) - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23) - Changes to the default preset: - enable `btrfsmaintenance-refresh.path`. - disable `btrfsmaintenance-refresh.service`. - enable `dnf-makecache.timer`. - enable `ignition-firstboot-complete.service`. - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500) - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408) - remove enable `updatedb.timer` - Avoid needless refresh on boot. 
(bsc#1165780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:930-1 Released: Wed Mar 24 12:09:23 2021 Summary: Security update for nghttp2 Type: security Severity: important References: 1172442,1181358,CVE-2020-11080 This update for nghttp2 fixes the following issues: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:935-1 Released: Wed Mar 24 12:19:10 2021 Summary: Security update for gnutls Type: security Severity: important References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232 This update for gnutls fixes the following issues: - CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456). - CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:947-1 Released: Wed Mar 24 14:30:58 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1182379,CVE-2021-23336 This update for python3 fixes the following issues: - python36 was updated to 3.6.13 - CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:948-1 Released: Wed Mar 24 14:31:34 2021 Summary: Security update for zstd Type: security Severity: moderate References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032 This update for zstd fixes the following issues: - CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371). - CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:955-1 Released: Thu Mar 25 16:11:48 2021 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1183852,CVE-2021-3449 This update for openssl-1_1 fixes the security issue: * CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. [bsc#1183852] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1004-1 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Type: recommended Severity: moderate References: 1180073 This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1006-1 Released: Thu Apr 1 17:44:57 2021 Summary: Security update for curl Type: security Severity: moderate References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890 This update for curl fixes the following issues: - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934) - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1018-1 Released: Tue Apr 6 14:29:13 2021 Summary: Recommended update for gzip Type: recommended Severity: moderate References: 1180713 This update for gzip fixes the following issues: - Fixes an issue when 'gzexe' counts the lines to skip wrong. 
(bsc#1180713) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1141-1 Released: Mon Apr 12 13:13:36 2021 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1182791 This update for openldap2 fixes the following issues: - Improved the proxy connection timeout options to prune connections properly (bsc#1182791) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1206-1 Released: Thu Apr 15 15:15:09 2021 Summary: Recommended update for kubevirt Type: recommended Severity: moderate References: 1183749 This update for kubevirt fixes the following issues: - updated kubevirt to version 0.38.1 This update provides a lot of bug fixes and smaller changes. Please refer to this package's rpm changelog to get a full list of all changes. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1235-1 Released: Fri Apr 16 08:12:09 2021 Summary: Recommended update for numactl Type: recommended Severity: moderate References: 1133098,1181571,1183796,955334,976199 This update for numactl fixes the following issues: - Enabled LTO (bsc#1133098) - Dropped the dependency from perl - it was no longer in use - Included sys/sysmacros.h to fix an issue when building this package from source (bsc#1181571, bsc#1183796) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1243-1 Released: Fri Apr 16 14:45:04 2021 Summary: Security update for qemu Type: security Severity: important References: 1172385,1173612,1176673,1176682,1176684,1178174,1178400,1178934,1179466,1179467,1179468,1179686,1181108,1182425,1182577,1182968,1184064,CVE-2020-12829,CVE-2020-15469,CVE-2020-25084,CVE-2020-25624,CVE-2020-25625,CVE-2020-25723,CVE-2020-27616,CVE-2020-27617,CVE-2020-27821,CVE-2020-28916,CVE-2020-29129,CVE-2020-29130,CVE-2020-29443,CVE-2021-20257,CVE-2021-3416 This update for qemu fixes the following issues: - 
CVE-2020-12829: Fix OOB access in sm501 device emulation (bsc#1172385) - CVE-2020-25723: Fix use-after-free in usb xhci packet handling (bsc#1178934) - CVE-2020-25084: Fix use-after-free in usb ehci packet handling (bsc#1176673) - CVE-2020-25625: Fix infinite loop (DoS) in usb hcd-ohci emulation (bsc#1176684) - CVE-2020-25624: Fix OOB access in usb hcd-ohci emulation (bsc#1176682) - CVE-2020-27617: Fix guest triggerable assert in shared network handling code (bsc#1178174) - CVE-2020-28916: Fix infinite loop (DoS) in e1000e device emulation (bsc#1179468) - CVE-2020-29443: Fix OOB access in atapi emulation (bsc#1181108) - CVE-2020-27821: Fix heap overflow in MSIx emulation (bsc#1179686) - CVE-2020-15469: Fix null pointer deref. (DoS) in mmio ops (bsc#1173612) - CVE-2021-20257: Fix infinite loop (DoS) in e1000 device emulation (bsc#1182577) - CVE-2021-3416: Fix OOB access (stack overflow) in rtl8139 NIC emulation (bsc#1182968) - CVE-2021-3416: Fix OOB access (stack overflow) in other NIC emulations (bsc#1182968) - CVE-2020-27616: Fix OOB access in ati-vga emulation (bsc#1178400) - CVE-2020-29129: Fix OOB access in SLIRP ARP/NCSI packet processing (bsc#1179466, CVE-2020-29130, bsc#1179467) - Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425) - Add split-provides through forsplits/13 to cover updates of SLE15-SP2 to SLE15-SP3, and openSUSE equivalents (bsc#1184064) - Added a few more usability improvements for our git packaging workflow ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1286-1 Released: Tue Apr 20 20:10:21 2021 Summary: Recommended update for SLES-release Type: recommended Severity: moderate References: 1180836 This recommended update for SLES-release provides the following fix: - Revert the problematic changes previously released and make sure the version is high enough to obsolete the package on containers and images. 
(bsc#1180836) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1289-1 Released: Wed Apr 21 14:02:46 2021 Summary: Recommended update for gzip Type: recommended Severity: moderate References: 1177047 This update for gzip fixes the following issues: - Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1295-1 Released: Wed Apr 21 14:08:19 2021 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate References: 1184136 This update for systemd-presets-common-SUSE fixes the following issues: - Enabled hcn-init.service for HNV on POWER (bsc#1184136) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1296-1 Released: Wed Apr 21 14:09:28 2021 Summary: Optional update for e2fsprogs Type: optional Severity: low References: 1183791 This update for e2fsprogs fixes the following issues: - Fixed an issue when building e2fsprogs (bsc#1183791) This patch does not fix any user visible issues and is therefore optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1297-1 Released: Wed Apr 21 14:10:10 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1178219 This update for systemd fixes the following issues: - Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1407-1 Released: Wed Apr 28 15:49:02 2021 Summary: Recommended update for libcap Type: recommended Severity: important References: 1184690 This update for libcap fixes the following issues: - Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. 
(bsc#1184690) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1412-1 Released: Wed Apr 28 17:09:28 2021 Summary: Security update for libnettle Type: security Severity: important References: 1184401,CVE-2021-20305 This update for libnettle fixes the following issues: - CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1449-1 Released: Fri Apr 30 08:08:25 2021 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1165780 This update for systemd-presets-branding-SLE fixes the following issues: - Don't enable 'btrfsmaintenance-refresh.service', 'btrfsmaintenance' is managed by systemd-presets-common-SUSE instead. (bsc#1165780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1466-1 Released: Tue May 4 08:30:57 2021 Summary: Security update for permissions Type: security Severity: important References: 1182899 This update for permissions fixes the following issues: - etc/permissions: remove unnecessary entries (bsc#1182899) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1481-1 Released: Tue May 4 14:18:32 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1178680 This update for lvm2 fixes the following issues: - Add metadata-based autoactivation property for volume group and logical volume. 
(bsc#1178680) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1523-1 Released: Wed May 5 18:24:20 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518 This update for libxml2 fixes the following issues: - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1527-1 Released: Thu May 6 08:58:53 2021 Summary: Recommended update for bash Type: recommended Severity: important References: 1183064 This update for bash fixes the following issues: - Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1528-1 Released: Thu May 6 15:31:23 2021 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1161276 This update for openssl-1_1 fixes the following issues: - Do not list disapproved cipher algorithms while in 'FIPS' mode. (bsc#1161276) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1543-1 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Type: recommended Severity: moderate References: 1184435 This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. 
(bsc#1184435) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1557-1 Released: Tue May 11 09:50:00 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1183374,CVE-2021-3426 This update for python3 fixes the following issues: - CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1565-1 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1185163 This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1582-1 Released: Wed May 12 13:40:03 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1184687,1185190 This update for lvm2 fixes the following issues: - Honor 'lvm.conf' parameter event_activation=0 on 'pvscan --cache -aay'. (bsc#1185190) - Fixed an issue when LVM can't be disabled on boot. (bsc#1184687) - Update patch for avoiding apply warning messages. (bsc#1012973) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1589-1 Released: Wed May 12 13:45:15 2021 Summary: Recommended update for numactl Type: recommended Severity: low References: This update for numactl fixes the following issues: - Added bug fixes to enable support for 32 bit systems (jsc#SLE-17217) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1592-1 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Type: optional Severity: low References: 1183797 This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1612-1 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1647-1 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Type: security Severity: important References: 1185438,CVE-2021-3520 This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1654-1 Released: Wed May 19 16:43:36 2021 Summary: Security update for libxml2 Type: security Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 This update for libxml2 fixes the following issues: - CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1762-1 Released: Wed May 26 12:30:01 2021 Summary: Security update for curl Type: security Severity: moderate References: 1186114,CVE-2021-22898 This update for curl fixes the following issues: - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Allow partial chain verification [jsc#SLE-17956] * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. * Set FLAG_TRUSTED_FIRST unconditionally. * Do not check partial chains with CRL check. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1773-1 Released: Wed May 26 17:22:21 2021 Summary: Recommended update for python3 Type: recommended Severity: low References: This update for python3 fixes the following issues: - Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block. 
From sle-security-updates at lists.suse.com Tue Jun 1 06:36:28 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 1 Jun 2021 08:36:28 +0200 (CEST) Subject: SUSE-CU-2021:233-1: Security update of suse/sles/15.2/virt-launcher Message-ID: <20210601063628.435F0B46EA0@westernhagen.suse.de> SUSE Container Update Advisory: suse/sles/15.2/virt-launcher ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:233-1 Container Tags : suse/sles/15.2/virt-launcher:0.38.1 , suse/sles/15.2/virt-launcher:0.38.1.5.8.40 Container Release : 5.8.40 Severity : important Type : security References : ----------------------------------------------------------------- The container suse/sles/15.2/virt-launcher was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1989-1 Released: Tue Jul 21 17:58:58 2020 Summary: Recommended update to SLES-releases Type: recommended Severity: important References: 1173582 This update of SLES-release provides the following fix: - Obsolete Leap 15.2 as well to allow migration from Leap to SLE.
(bsc#1173582) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3049-1 Released: Tue Oct 27 16:08:27 2020 Summary: Security update for xen Type: security Severity: important References: 1177409,1177412,1177413,1177414,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673 This update for xen fixes the following issues: - bsc#1177409 - VUL-0: CVE-2020-27673: xen: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286) - bsc#1177412 - VUL-0: CVE-2020-27672: xen: Race condition in Xen mapping code (XSA-345) - bsc#1177413 - VUL-0: CVE-2020-27671: xen: undue deferral of IOMMU TLB flushes (XSA-346) - bsc#1177414 - VUL-0: CVE-2020-27670: xen: unsafe AMD IOMMU page table updates (XSA-347) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3070-1 Released: Wed Oct 28 11:47:28 2020 Summary: Security update for spice Type: security Severity: moderate References: 1177158,CVE-2020-14355 This update for spice fixes the following issues: - CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC image decoding (bsc#1177158). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3138-1 Released: Tue Nov 3 12:14:03 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800 This update for systemd fixes the following issues: - seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422) - test-seccomp: log function names - test-seccomp: add log messages when skipping tests - basic/virt: Detect PowerVM hypervisor (bsc#1176800) - fs-util: suppress world-writable warnings if we read /dev/null - udevadm: rename option '--log-priority' into '--log-level' - udev: rename kernel option 'log_priority' into 'log_level' - fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513) - Fix memory protection default (bsc#1167471) - cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935) - Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3264-1 Released: Tue Nov 10 09:50:29 2020 Summary: Security update for zeromq Type: security Severity: moderate References: 1176116,1176256,1176257,1176258,1176259,CVE-2020-15166 This update for zeromq fixes the following issues: - CVE-2020-15166: Fixed the possibility of unauthenticated clients causing a denial-of-service (bsc#1176116). 
- Fixed a heap overflow when receiving malformed ZMTP v1 packets (bsc#1176256) - Fixed a memory leak in client induced by malicious server(s) without CURVE/ZAP (bsc#1176257) - Fixed memory leak when processing PUB messages with metadata (bsc#1176259) - Fixed a stack overflow in PUB/XPUB subscription store (bsc#1176258) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3290-1 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1174232 This update for findutils fixes the following issues: - Do not unconditionally use leaf optimization for NFS. (bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3307-1 Released: Thu Nov 12 14:17:55 2020 Summary: Recommended update for rdma-core Type: recommended Severity: moderate References: 1177699 This update for rdma-core fixes the following issue: - Move rxe_cfg to libibverbs-utils. (bsc#1177699) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1178387,CVE-2020-25692 This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3377-1 Released: Thu Nov 19 09:29:32 2020 Summary: Security update for krb5 Type: security Severity: moderate References: 1178512,CVE-2020-28196 This update for krb5 fixes the following security issue: - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3381-1 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1177458,1177490,1177510 This update for systemd fixes the following issues: - build-sys: optionally disable support of journal over the network (bsc#1177458) - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510) - mount: don't propagate errors from mount_setup_unit() further up - Rely on the new build option --disable-remote for journal_remote This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled. - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package - Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458) These files were incorrectly packaged in the main package when systemd-journal_remote was disabled. - Make use of %{_unitdir} and %{_sysusersdir} - Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3382-1 Released: Thu Nov 19 11:03:01 2020 Summary: Recommended update for dmidecode Type: recommended Severity: moderate References: 1174257 This update for dmidecode fixes the following issues: - Add partial support for SMBIOS 3.4.0. (bsc#1174257) - Skip details of uninstalled memory modules. 
(bsc#1174257) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3412-1 Released: Thu Nov 19 12:44:57 2020 Summary: Security update for xen Type: security Severity: important References: 1027519,1177950,1178591,CVE-2020-28368 This update for xen fixes the following issues: Security issue fixed: - CVE-2020-28368: Fixed the Intel RAPL sidechannel attack, aka PLATYPUS attack, aka XSA-351 (bsc#1178591). Non-security issues fixed: - Updated to Xen 4.13.2 bug fix release (bsc#1027519). - Fixed a panic during MSI cleanup on AMD hardware (bsc#1027519). - Adjusted help for --max_iters, default is 5 (bsc#1177950). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3420-1 Released: Thu Nov 19 13:40:55 2020 Summary: Recommended update for multipath-tools Type: recommended Severity: moderate References: 1162896,1178354 This update for multipath-tools fixes the following issues: - Avoid reading files extensions other than '.conf' from config dir. (bsc#1162896) - Fix wrong usage of '%service_del_preun -n' macro in spec file. (bsc#1178354) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3462-1 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Type: recommended Severity: moderate References: 1174593,1177858,1178727 This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. 
(bsc#1174593) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3468-1 Released: Fri Nov 20 15:11:00 2020 Summary: Recommended update for brltty Type: recommended Severity: moderate References: 1177656 This update for brltty fixes the following issues: - Add coreutils and util-linux to post requires to fix package installation. (bsc#1177656) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3473-1 Released: Fri Nov 20 19:08:33 2020 Summary: Security update for ceph Type: security Severity: moderate References: 1163764,1170200,1170498,1173079,1174466,1174529,1174644,1175120,1175161,1175169,1176451,1176499,1176638,1177078,1177151,1177319,1177344,1177450,1177643,1177676,1177843,1177933,1178073,1178531,CVE-2020-25660 This update for ceph fixes the following issues: - CVE-2020-25660: Bring back CEPHX_V2 authorizer challenges (bsc#1177843). - Added --container-init feature (bsc#1177319, bsc#1163764) - Made journald as the logdriver again (bsc#1177933) - Fixes a condition check for copy_tree, copy_files, and move_files in cephadm (bsc#1177676) - Fixed a bug where device_health_metrics pool gets created even without any OSDs in the cluster (bsc#1173079) - Log cephadm output /var/log/ceph/cephadm.log (bsc#1174644) - Fixed a bug where the orchestrator didn't come up anymore after the deletion of OSDs (bsc#1176499) - Fixed a bug where cephadm fails to deploy all OSDs and gets stuck (bsc#1177450) - python-common will no longer skip unavailable disks (bsc#1177151) - Added snap-schedule module (jsc#SES-704) - Updated the SES7 downstream branding (bsc#1175120, bsc#1175161, bsc#1175169, bsc#1170498) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2020:3481-1 Released: Mon Nov 23 11:17:09 2020 Summary: Optional update for vim Type: optional Severity: low References: 1166602,1173256,1174564,1176549 This update for vim doesn't fix any user visible issues and it 
is optional to install. - Introduce vim-small package with reduced requirements for small installations (bsc#1166602). - Stop owning /etc/vimrc so the old, distro provided config actually gets removed. - Own some dirs in vim-data-common so installation of vim-small doesn't leave not owned directories. (bsc#1173256) - Add vi as slave to update-alternatives so that every package has a matching 'vi' symlink. (bsc#1174564, bsc#1176549) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3551-1 Released: Fri Nov 27 14:54:37 2020 Summary: Security update for libssh2_org Type: security Severity: moderate References: 1130103,1178083,CVE-2019-17498,CVE-2019-3855,CVE-2019-3856,CVE-2019-3857,CVE-2019-3858,CVE-2019-3859,CVE-2019-3860,CVE-2019-3861,CVE-2019-3862,CVE-2019-3863 This update for libssh2_org fixes the following issues: - Version update to 1.9.0: [bsc#1178083, jsc#SLE-16922] Enhancements and bugfixes: * adds ECDSA keys and host key support when using OpenSSL * adds ED25519 key and host key support when using OpenSSL 1.1.1 * adds OpenSSH style key file reading * adds AES CTR mode support when using WinCNG * adds PEM passphrase protected file support for Libgcrypt and WinCNG * adds SHA256 hostkey fingerprint * adds libssh2_agent_get_identity_path() and libssh2_agent_set_identity_path() * adds explicit zeroing of sensitive data in memory * adds additional bounds checks to network buffer reads * adds the ability to use the server default permissions when creating sftp directories * adds support for building with OpenSSL no engine flag * adds support for building with LibreSSL * increased sftp packet size to 256k * fixed oversized packet handling in sftp * fixed building with OpenSSL 1.1 * fixed a possible crash if sftp stat gets an unexpected response * fixed incorrect parsing of the KEX preference string value * fixed conditional RSA and AES-CTR support * fixed a small memory leak during the key exchange process * fixed a possible 
memory leak of the ssh banner string * fixed various small memory leaks in the backends * fixed possible out of bounds read when parsing public keys from the server * fixed possible out of bounds read when parsing invalid PEM files * no longer null terminates the scp remote exec command * now handle errors when diffie hellman key pair generation fails * improved building instructions * improved unit tests - Version update to 1.8.2: [bsc#1130103] Bug fixes: * Fixed the misapplied userauth patch that broke 1.8.1 * moved the MAX size declarations from the public header ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3581-1 Released: Tue Dec 1 14:40:22 2020 Summary: Recommended update for libusb-1_0 Type: recommended Severity: moderate References: 1178376 This update for libusb-1_0 fixes the following issues: - Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3593-1 Released: Wed Dec 2 10:33:49 2020 Summary: Security update for python3 Type: security Severity: important References: 1176262,1179193,CVE-2019-20916 This update for python3 fixes the following issues: Update to 3.6.12 (bsc#1179193), including: - Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3615-1 Released: Thu Dec 3 10:02:02 2020 Summary: Security update for xen Type: security Severity: important References: 1177409,1177412,1177413,1177414,1178591,1178963,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368 This update for xen fixes the following issues: - bsc#1178963 - VUL-0: xen: stack corruption from XSA-346 change (XSA-355) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3620-1 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended 
update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=` ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3626-1 Released: Fri Dec 4 13:51:46 2020 Summary: Recommended update for audit Type: recommended Severity: moderate References: 1179515 This update for audit fixes the following issues: - Enable Aarch64 processor support. (bsc#1179515) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3703-1 Released: Mon Dec 7 20:17:32 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1179431 This update for aaa_base fixes the following issue: - Avoid semicolon within (t)csh login script on S/390. (bsc#1179431) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3721-1 Released: Wed Dec 9 13:36:46 2020 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1179491,CVE-2020-1971 This update for openssl-1_1 fixes the following issues: - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3735-1 Released: Wed Dec 9 18:19:24 2020 Summary: Security update for curl Type: security Severity: moderate References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286 This update for curl fixes the following issues: - CVE-2020-8286: Fixed improper OCSP verification in the client side (bsc#1179593). - CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399). 
- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3741-1 Released: Thu Dec 10 09:32:43 2020 Summary: Recommended update for ceph Type: recommended Severity: moderate References: 1179452,1179526 This update for ceph fixes the following issues: - Fixed an issue when reading a large 'RGW' object takes too long and can cause data loss. (bsc#1179526) - Fixed a build issue caused by missing nautilus module named 'six'. (bsc#1179452) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3773-1 Released: Mon Dec 14 11:12:18 2020 Summary: Recommended update for cdrtools and schily-libs Type: recommended Severity: moderate References: 1178692 This update for cdrtools and schily-libs fixes the following issues: cdrtools: - Initialize memory that created the partition table instead of writing random bytes to it. (bsc#1178692) schily-libs: - Initialize memory that created the partition table instead of writing random bytes to it. (bsc#1178692) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3791-1 Released: Mon Dec 14 17:39:19 2020 Summary: Recommended update for gzip Type: recommended Severity: moderate References: This update for gzip fixes the following issue: - Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775) Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3809-1 Released: Tue Dec 15 13:46:05 2020 Summary: Recommended update for glib2 Type: recommended Severity: moderate References: 1178346 This update for glib2 fixes the following issues: Update from version 2.62.5 to version 2.62.6: - Support for slim format of timezone. 
(bsc#1178346) - Fix DST incorrect end day when using slim format. (bsc#1178346) - Fix SOCKS5 username/password authentication. - Updated translations. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3853-1 Released: Wed Dec 16 12:27:27 2020 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825 This update for util-linux fixes the following issue: - Do not trigger the automatic close of CDROM. (bsc#1084671) - Try to automatically configure broken serial lines. (bsc#1175514) - Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514) - Build with `libudev` support to support non-root users. (bsc#1169006) - Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825) - Fix warning on mounts to `CIFS` with mount -a. (bsc#1174942) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3884-1 Released: Fri Dec 18 16:47:58 2020 Summary: Security update for ovmf Type: security Severity: moderate References: 1177789,CVE-2019-14584 This update for ovmf fixes the following issues: - CVE-2019-14584: Fixed a null dereference in AuthenticodeVerify() (bsc#1177789). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3895-1 Released: Mon Dec 21 12:56:25 2020 Summary: Security update for ceph Type: security Severity: important References: 1178860,1179016,1179802,1180107,1180155,CVE-2020-27781 This update for ceph fixes the following issues: Security issue fixed: - CVE-2020-27781: Fixed a privilege escalation via the ceph_volume_client Python interface (bsc#1180155, bsc#1179802). 
Non-security issues fixed: - Update to 15.2.8-80-g1f4b6229ca: + Rebase on tip of upstream 'octopus' branch, SHA1 bdf3eebcd22d7d0b3dd4d5501bee5bac354d5b55 * upstream Octopus v15.2.8 release, see https://ceph.io/releases/v15-2-8-octopus-released/ - Update to 15.2.7-776-g343cd10fe5: + Rebase on tip of upstream 'octopus' branch, SHA1 1b8a634fdcd94dfb3ba650793fb1b6d09af65e05 * (bsc#1178860) mgr/dashboard: Disable TLS 1.0 and 1.1 + (bsc#1179016) rpm: require smartmontools on SUSE + (bsc#1180107) ceph-volume: pass --filter-for-batch from drive-group subcommand ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3915-1 Released: Tue Dec 22 14:16:27 2020 Summary: Security update for xen Type: security Severity: moderate References: 1027519,1176782,1179496,1179498,1179501,1179502,1179506,1179514,1179516,CVE-2020-29480,CVE-2020-29481,CVE-2020-29483,CVE-2020-29484,CVE-2020-29566,CVE-2020-29570,CVE-2020-29571 This update for xen fixes the following issues: - CVE-2020-29480: Fixed an issue which could have allowed leak of non-sensitive data to administrator guests (bsc#117949 XSA-115). - CVE-2020-29481: Fixed an issue which could have allowed new domains to inherit existing node permissions (bsc#1179498 XSA-322). - CVE-2020-29483: Fixed an issue where guests could disturb domain cleanup (bsc#1179502 XSA-325). - CVE-2020-29484: Fixed an issue where guests could crash xenstored via watches (bsc#1179501 XSA-324). - CVE-2020-29566: Fixed an undue recursion in x86 HVM context switch code (bsc#1179506 XSA-348). - CVE-2020-29570: Fixed an issue where FIFO event channels control block related ordering (bsc#1179514 XSA-358). - CVE-2020-29571: Fixed an issue where FIFO event channels control structure ordering (bsc#1179516 XSA-359). - Fixed an issue where dump-core shows missing nr_pages during core (bsc#1176782). 
- Multiple other bugs (bsc#1027519) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3930-1 Released: Wed Dec 23 18:19:39 2020 Summary: Security update for python3 Type: security Severity: important References: 1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630,CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492 This update for python3 fixes the following issues: - Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. - Change setuptools and pip version numbers according to new wheels - Handful of changes to make python36 compatible with SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738) - add triplets for mips-r6 and riscv - RISC-V needs CTYPES_PASS_BY_REF_HACK Update to 3.6.12 (bsc#1179193) * Ensure python3.dll is loaded from correct locations when Python is embedded * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address). * Prevent http header injection by rejecting control characters in http.client.putrequest(...). * Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing. * Avoid infinite loop when reading specially crafted TAR files using the tarfile module - This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091). Update to 3.6.11: - Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks. - Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause an InvalidURL to be raised. 
(bsc#1155094) - CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3942-1 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Type: recommended Severity: moderate References: 1180138 This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3943-1 Released: Tue Dec 29 12:24:45 2020 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1178823 This update for libxml2 fixes the following issues: Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823) * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). * This fix uses a hash table to avoid the quadratic behaviour. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3946-1 Released: Tue Dec 29 17:39:54 2020 Summary: Recommended update for python3 Type: recommended Severity: important References: 1180377 This update for python3 fixes the following issues: - A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3, which caused regressions in several applications. 
(bsc#1180377) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:6-1 Released: Mon Jan 4 07:05:06 2021 Summary: Recommended update for libdlm Type: recommended Severity: moderate References: 1098449,1144793,1168771,1177533,1177658 This update for libdlm fixes the following issues: - Rework libdlm3 require with a shared library version tag instead so it propagates to all consuming packages.(bsc#1177658, bsc#1098449) - Add support for type 'uint64_t' to corosync ringid. (bsc#1168771) - Include some fixes/enhancements for dlm_controld. (bsc#1144793) - Fixed an issue where /boot logical volume was accidentally unmounted. (bsc#1177533) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:10-1 Released: Mon Jan 4 10:01:52 2021 Summary: Recommended update for dmidecode Type: recommended Severity: moderate References: 1174257 This update for dmidecode fixes the following issue: - Two missing commas in the data arrays cause 'OUT OF SPEC' messages during the index resolution. 
(bnc#1174257) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:127-1 Released: Thu Jan 14 10:30:23 2021 Summary: Security update for open-iscsi Type: security Severity: important References: 1179440,1179908 This update for open-iscsi fixes the following issues: - Updated to upstream version 2.1.3 as 2.1.3-suse, for bsc#1179908, including: * uip: check for TCP urgent pointer past end of frame * uip: check for u8 overflow when processing TCP options * uip: check for header length underflow during checksum calculation * fwparam_ppc: Fix memory leak in fwparam_ppc.c * iscsiuio: Remove unused macro IFNAMSIZ defined in iscsid_ipc.c * fwparam_ppc: Fix illegal memory access in fwparam_ppc.c * sysfs: Verify parameter of sysfs_device_get() * fwparam_ppc: Fix NULL pointer dereference in find_devtree() * open-iscsi: Clean user_param list when process exit * iscsi_net_util: Fix NULL pointer dereference in find_vlan_dev() * open-iscsi: Fix NULL pointer dereference in mgmt_ipc_read_req() * open-iscsi: Fix invalid pointer dereference in find_initiator() * iscsiuio: Fix invalid parameter when call fstat() * iscsi-iname: Verify open() return value before calling read() * iscsi_sysfs: Fix NULL pointer dereference in iscsi_sysfs_read_iface - Updated to latest upstream, including: * iscsiadm: Optimize the verification of mode parameters * iscsid: Poll timeout value to 1 minute for iscsid * iscsiadm: fix host stats mode coredump * iscsid: fix logging level when starting and shutting down daemon * Updated iscsiadm man page. * Fix memory leak in sysfs_get_str * libopeniscsiusr: Compare with max int instead of max long - Systemd unit files should not depend on network.target (bsc#1179440). 
- Updated to latest upstream, including async login ability: * Implement login 'no_wait' for iscsiadm NODE mode * iscsiadm buffer overflow regression when discovering many targets at once * iscsid: Check Invalid Session id for stop connection * Add ability to attempt target logins asynchronously - %service_del_postun_without_restart is now available on SLE More accurately it's been introduced in SLE12-SP2+ and SLE15+ ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:129-1 Released: Thu Jan 14 12:26:15 2021 Summary: Security update for openldap2 Type: security Severity: moderate References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909). - CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909). Non-security issue fixed: - Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:152-1 Released: Fri Jan 15 17:04:47 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1179691,1179738 This update for lvm2 fixes the following issues: - Fix for lvm2 to use udev as external device by default. (bsc#1179691) - Fixed an issue in configuration for an item that is commented out by default. 
(bsc#1179738) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:163-1 Released: Tue Jan 19 12:11:10 2021 Summary: Security update for dnsmasq Type: security Severity: important References: 1176076,1177077,CVE-2020-25681,CVE-2020-25682,CVE-2020-25683,CVE-2020-25684,CVE-2020-25685,CVE-2020-25686,CVE-2020-25687 This update for dnsmasq fixes the following issues: - bsc#1177077: Fixed DNSpooq vulnerabilities - CVE-2020-25684, CVE-2020-25685, CVE-2020-25686: Fixed multiple Cache Poisoning attacks. - CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687: Fixed multiple potential Heap-based overflows when DNSSEC is enabled. - Retry query to other servers on receipt of SERVFAIL rcode (bsc#1176076) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:174-1 Released: Wed Jan 20 07:55:23 2021 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1172695 This update for gnutls fixes the following issue: - Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:197-1 Released: Fri Jan 22 15:17:42 2021 Summary: Security update for permissions Type: security Severity: moderate References: 1171883,CVE-2020-8025 This update for permissions fixes the following issues: - Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:220-1 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate References: 1180603 This update for keyutils fixes the following issues: - Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------------------------------- Advisory 
ID: SUSE-RU-2021:233-1 Released: Wed Jan 27 12:15:33 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225 This update for systemd fixes the following issues: - Added a timestamp to the output of the busctl monitor command (bsc#1180225) - Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824) - Improved the caching of cgroups member mask (bsc#1175458) - Fixed the dependency definition of sound.target (bsc#1179363) - Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436) - time-util: treat /etc/localtime missing as UTC (bsc#1141597) - Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:265-1 Released: Mon Feb 1 15:06:45 2021 Summary: Recommended update for systemd Type: recommended Severity: important References: 1178775,1180885 This update for systemd fixes the following issues: - Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998) - Fix for an issue when container start causes interference in other containers. (bsc#1178775) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:278-1 Released: Tue Feb 2 09:43:08 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1181319 This update for lvm2 fixes the following issues: - Backport 'lvmlockd' to adopt orphan locks feature. 
(bsc#1181319) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:293-1 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Type: recommended Severity: moderate References: 1180603 This update for gmp fixes the following issues: - correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:302-1 Released: Thu Feb 4 13:18:35 2021 Summary: Recommended update for lvm2 Type: recommended Severity: important References: 1179691 This update for lvm2 fixes the following issues: - lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691). If this behavior is still wanted, please change this manually in the lvm.conf ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:339-1 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Type: optional Severity: low References: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:419-1 Released: Wed Feb 10 12:03:33 2021 Summary: Recommended update for open-iscsi Type: recommended Severity: moderate References: 1181313 This update for open-iscsi fixes the following issues: - Fixes a segfault when exiting from iscsiadm (bsc#1181313) - Fix for several memory leaks in iscsiadm - Fix for a crash when function iscsi_rec_update_param() is invoked ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:521-1 Released: Fri Feb 19 11:00:33 2021 Summary: Security update for qemu Type: security Severity: important References: 1178049,1178565,1179717,1179719,1180523,1181639,1181933,1182137,CVE-2020-11947,CVE-2021-20181,CVE-2021-20203,CVE-2021-20221 This update for qemu fixes the following issues: - Fixed potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137) - Fixed out-of-bound access in iscsi (CVE-2020-11947 bsc#1180523) - Fixed out-of-bound access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639) - Fixed out-of-bound access in ARM interrupt handling (CVE-2021-20221 bsc#1181933) - Fixed vfio-pci device on s390 enters error state (bsc#1179717 bsc#1179719) - Fixed 'Failed to try-restart qemu-ga@.service' error while updating the qemu-guest-agent. (bsc#1178565) - Apply fixes to qemu scsi passthrough with respect to timeout and error conditions, including using more correct status codes. Add more qemu tracing which helped track down these issues (bsc#1178049) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:529-1 Released: Fri Feb 19 14:53:47 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177 This update for python3 fixes the following issues: - CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126). 
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:653-1 Released: Fri Feb 26 19:53:43 2021 Summary: Security update for glibc Type: security Severity: important References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326 This update for glibc fixes the following issues: - Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973) - x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) - iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:723-1 Released: Mon Mar 8 16:45:27 2021 Summary: Security update for openldap2 Type: security Severity: important References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 This update for openldap2 fixes the following issues: - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. 
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). - bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:754-1 Released: Tue Mar 9 17:10:49 2021 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841 This update for openssl-1_1 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) - Fixed unresolved error codes in FIPS (bsc#1182959). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:761-1 Released: Wed Mar 10 12:26:54 2021 Summary: Recommended update for libX11 Type: recommended Severity: moderate References: 1181963 This update for libX11 fixes the following issues: - Fixes a race condition in 'libX11' that causes various applications to crash randomly. (bsc#1181963) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:778-1 Released: Fri Mar 12 17:42:25 2021 Summary: Security update for glib2 Type: security Severity: important References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219 This update for glib2 fixes the following issues: - CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328) - CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:786-1 Released: Mon Mar 15 11:19:23 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1176201 This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:924-1 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 This update for filesystem fixes the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) - Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. 
(bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:926-1 Released: Tue Mar 23 13:20:24 2021 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate References: 1083473,1112500,1115408,1165780,1183012 This update for systemd-presets-common-SUSE fixes the following issues: - Add default user preset containing: - enable `pulseaudio.socket` (bsc#1083473) - enable `pipewire.socket` (bsc#1183012) - enable `pipewire-pulse.socket` (bsc#1183012) - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23) - Changes to the default preset: - enable `btrfsmaintenance-refresh.path`. - disable `btrfsmaintenance-refresh.service`. - enable `dnf-makecache.timer`. - enable `ignition-firstboot-complete.service`. - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500) - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408) - remove enable `updatedb.timer` - Avoid needless refresh on boot. 
(bsc#1165780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:930-1 Released: Wed Mar 24 12:09:23 2021 Summary: Security update for nghttp2 Type: security Severity: important References: 1172442,1181358,CVE-2020-11080 This update for nghttp2 fixes the following issues: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:935-1 Released: Wed Mar 24 12:19:10 2021 Summary: Security update for gnutls Type: security Severity: important References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232 This update for gnutls fixes the following issues: - CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456). - CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:947-1 Released: Wed Mar 24 14:30:58 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1182379,CVE-2021-23336 This update for python3 fixes the following issues: - python36 was updated to 3.6.13 - CVE-2021-23336: Fixed a potential web cache poisoning through the use of a semicolon as a query string separator in query parameters (bsc#1182379). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:948-1 Released: Wed Mar 24 14:31:34 2021 Summary: Security update for zstd Type: security Severity: moderate References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032 This update for zstd fixes the following issues: - CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371). - CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:952-1 Released: Thu Mar 25 14:36:56 2021 Summary: Recommended update for libunwind Type: recommended Severity: moderate References: 1160876,1171549 This update for libunwind fixes the following issues: - Update to version 1.5.0. (jsc#ECO-3395) - Enable s390x for building. (jsc#ECO-3395) - Fix compilation with 'fno-common'. (bsc#1171549) - Fix build with 'GCC-10'. (bsc#1160876) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:955-1 Released: Thu Mar 25 16:11:48 2021 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1183852,CVE-2021-3449 This update for openssl-1_1 fixes the security issue: * CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. [bsc#1183852] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:972-1 Released: Mon Mar 29 19:31:03 2021 Summary: Security update for ovmf Type: security Severity: moderate References: 1183578,1183579,CVE-2021-28210,CVE-2021-28211 This update for ovmf fixes the following issues: - CVE-2021-28211: ovmf: edk2: possible heap corruption with LzmaUefiDecompressGetInfo (bsc#1183578) - CVE-2021-28210: ovmf: unlimited FV recursion, round 2 (bsc#1183579) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:991-1 Released: Wed Mar 31 13:28:37 2021 Summary: Recommended update for vim Type: recommended Severity: moderate References: 1182324 This update for vim provides the following fixes: - Install SUSE vimrc in /usr. 
(bsc#1182324) - Source correct suse.vimrc file. (bsc#1182324) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1004-1 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Type: recommended Severity: moderate References: 1180073 This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1006-1 Released: Thu Apr 1 17:44:57 2021 Summary: Security update for curl Type: security Severity: moderate References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890 This update for curl fixes the following issues: - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934) - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1018-1 Released: Tue Apr 6 14:29:13 2021 Summary: Recommended update for gzip Type: recommended Severity: moderate References: 1180713 This update for gzip fixes the following issues: - Fixes an issue where 'gzexe' miscounts the lines to skip. (bsc#1180713) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1028-1 Released: Tue Apr 6 17:54:37 2021 Summary: Security update for xen Type: security Severity: important References: 1027519,1177204,1179148,1180690,1181254,1181989,1182576,1183072,CVE-2021-28687,CVE-2021-3308 This update for xen fixes the following issues: - CVE-2021-3308: VUL-0: xen: IRQ vector leak on x86 (bsc#1181254, XSA-360) - CVE-2021-28687: HVM soft-reset crashes toolstack (bsc#1183072, XSA-368) - L3: conring size for XEN HV's with huge memory too small. 
Initial Xen logs cut (bsc#1177204) - L3: XEN domU crashed on resume when using the xl unpause command (bsc#1182576) - L3: xen: no needsreboot flag set (bsc#1180690) - kdump of HVM fails, soft-reset not handled by libxl (bsc#1179148) - openQA job causes libvirtd to dump core when running kdump inside domain (bsc#1181989) - Upstream bug fixes (bsc#1027519) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1108-1 Released: Thu Apr 8 11:48:47 2021 Summary: Security update for ceph Type: security Severity: moderate References: 1172926,1176390,1176489,1176679,1176828,1177360,1177857,1178837,1178860,1178905,1178932,1179569,1179997,1182766,CVE-2020-25678,CVE-2020-27839 This update for ceph fixes the following issues: - ceph was updated to 15.2.9 - cephadm: fix 'inspect' and 'pull' (bsc#1182766) - CVE-2020-27839: mgr/dashboard: Use secure cookies to store JWT Token (bsc#1179997) - CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905) - mgr/orchestrator: Sort 'ceph orch device ls' by host (bsc#1172926) - mgr/dashboard: enable different URL for users of browser to Grafana (bsc#1176390, bsc#1176679) - mgr/cephadm: lock multithreaded access to OSDRemovalQueue (bsc#1176489) - cephadm: command_unit: call systemctl with verbose=True (bsc#1176828) - cephadm: silence 'Failed to evict container' log msg (bsc#1177360) - mgr/cephadm: upgrade: fail gracefully, if daemon redeploy fails (bsc#1177857) - rgw: cls/user: set from_index for reset stats calls (bsc#1178837) - mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860) - cephadm: reference the last local image by digest (bsc#1178932, bsc#1179569) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1141-1 Released: Mon Apr 12 13:13:36 2021 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1182791 This update for openldap2 fixes the following issues: - Improved the proxy connection timeout 
options to prune connections properly (bsc#1182791) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1206-1 Released: Thu Apr 15 15:15:09 2021 Summary: Recommended update for kubevirt Type: recommended Severity: moderate References: 1183749 This update for kubevirt fixes the following issues: - updated kubevirt to version 0.38.1 This update provides a lot of bug fixes and smaller changes. Please refer to this package's rpm changelog to get a full list of all changes. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1235-1 Released: Fri Apr 16 08:12:09 2021 Summary: Recommended update for numactl Type: recommended Severity: moderate References: 1133098,1181571,1183796,955334,976199 This update for numactl fixes the following issues: - Enabled LTO (bsc#1133098) - Dropped the dependency from perl - it was no longer in use - Included sys/sysmacros.h to fix an issue when building this package from source (bsc#1181571, bsc#1183796) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1243-1 Released: Fri Apr 16 14:45:04 2021 Summary: Security update for qemu Type: security Severity: important References: 1172385,1173612,1176673,1176682,1176684,1178174,1178400,1178934,1179466,1179467,1179468,1179686,1181108,1182425,1182577,1182968,1184064,CVE-2020-12829,CVE-2020-15469,CVE-2020-25084,CVE-2020-25624,CVE-2020-25625,CVE-2020-25723,CVE-2020-27616,CVE-2020-27617,CVE-2020-27821,CVE-2020-28916,CVE-2020-29129,CVE-2020-29130,CVE-2020-29443,CVE-2021-20257,CVE-2021-3416 This update for qemu fixes the following issues: - CVE-2020-12829: Fix OOB access in sm501 device emulation (bsc#1172385) - CVE-2020-25723: Fix use-after-free in usb xhci packet handling (bsc#1178934) - CVE-2020-25084: Fix use-after-free in usb ehci packet handling (bsc#1176673) - CVE-2020-25625: Fix infinite loop (DoS) in usb hcd-ohci emulation (bsc#1176684) - CVE-2020-25624: Fix OOB access 
in usb hcd-ohci emulation (bsc#1176682) - CVE-2020-27617: Fix guest triggerable assert in shared network handling code (bsc#1178174) - CVE-2020-28916: Fix infinite loop (DoS) in e1000e device emulation (bsc#1179468) - CVE-2020-29443: Fix OOB access in atapi emulation (bsc#1181108) - CVE-2020-27821: Fix heap overflow in MSIx emulation (bsc#1179686) - CVE-2020-15469: Fix null pointer deref. (DoS) in mmio ops (bsc#1173612) - CVE-2021-20257: Fix infinite loop (DoS) in e1000 device emulation (bsc#1182577) - CVE-2021-3416: Fix OOB access (stack overflow) in rtl8139 NIC emulation (bsc#1182968) - CVE-2021-3416: Fix OOB access (stack overflow) in other NIC emulations (bsc#1182968) - CVE-2020-27616: Fix OOB access in ati-vga emulation (bsc#1178400) - CVE-2020-29129: Fix OOB access in SLIRP ARP/NCSI packet processing (bsc#1179466, CVE-2020-29130, bsc#1179467) - Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425) - Add split-provides through forsplits/13 to cover updates of SLE15-SP2 to SLE15-SP3, and openSUSE equivalents (bsc#1184064) - Added a few more usability improvements for our git packaging workflow ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1286-1 Released: Tue Apr 20 20:10:21 2021 Summary: Recommended update for SLES-release Type: recommended Severity: moderate References: 1180836 This recommended update for SLES-release provides the following fix: - Revert the problematic changes previously released and make sure the version is high enough to obsolete the package on containers and images. 
(bsc#1180836) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1289-1 Released: Wed Apr 21 14:02:46 2021 Summary: Recommended update for gzip Type: recommended Severity: moderate References: 1177047 This update for gzip fixes the following issues: - Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1295-1 Released: Wed Apr 21 14:08:19 2021 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate References: 1184136 This update for systemd-presets-common-SUSE fixes the following issues: - Enabled hcn-init.service for HNV on POWER (bsc#1184136) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1296-1 Released: Wed Apr 21 14:09:28 2021 Summary: Optional update for e2fsprogs Type: optional Severity: low References: 1183791 This update for e2fsprogs fixes the following issues: - Fixed an issue when building e2fsprogs (bsc#1183791) This patch does not fix any user visible issues and is therefore optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1297-1 Released: Wed Apr 21 14:10:10 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1178219 This update for systemd fixes the following issues: - Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1407-1 Released: Wed Apr 28 15:49:02 2021 Summary: Recommended update for libcap Type: recommended Severity: important References: 1184690 This update for libcap fixes the following issues: - Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. 
(bsc#1184690) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1412-1 Released: Wed Apr 28 17:09:28 2021 Summary: Security update for libnettle Type: security Severity: important References: 1184401,CVE-2021-20305 This update for libnettle fixes the following issues: - CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1449-1 Released: Fri Apr 30 08:08:25 2021 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1165780 This update for systemd-presets-branding-SLE fixes the following issues: - Don't enable 'btrfsmaintenance-refresh.service', 'btrfsmaintenance' is managed by systemd-presets-common-SUSE instead. (bsc#1165780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1466-1 Released: Tue May 4 08:30:57 2021 Summary: Security update for permissions Type: security Severity: important References: 1182899 This update for permissions fixes the following issues: - etc/permissions: remove unnecessary entries (bsc#1182899) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1474-1 Released: Tue May 4 08:59:01 2021 Summary: Security update for ceph Type: security Severity: important References: 1183074,1183899,1184231,CVE-2021-20288 This update for ceph fixes the following issues: - ceph was updated to 15.2.11-83-g8a15f484c2: * CVE-2021-20288: Fixed unauthorized global_id reuse (bsc#1183074). * disk gets replaced with no rocksdb/wal (bsc#1184231). * BlueStore handles huge(>4GB) writes from RocksDB to BlueFS poorly, potentially causing data corruption (bsc#1183899). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1479-1 Released: Tue May 4 14:11:33 2021 Summary: Recommended update for ebtables Type: recommended Severity: important References: 1182824 This update for ebtables fixes the following issue: - Lock properly when on `NFS` shares and the `--concurrent` flag is used in a non standard order. (bsc#1182824) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1481-1 Released: Tue May 4 14:18:32 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1178680 This update for lvm2 fixes the following issues: - Add metadata-based autoactivation property for volume group and logical volume. (bsc#1178680) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1517-1 Released: Wed May 5 17:43:54 2021 Summary: Recommended update for open-iscsi Type: recommended Severity: moderate References: 1179908,1183421,CVE-2020-13987,CVE-2020-13988,CVE-2020-17437,CVE-2020-17438 This update for open-iscsi fixes the following issues: - Enabled asynchronous logins for iscsi.service (bsc#1183421) - Fixed a login issue when target is delayed ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1523-1 Released: Wed May 5 18:24:20 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518 This update for libxml2 fixes the following issues: - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1527-1 Released: Thu May 6 08:58:53 2021 Summary: Recommended update for bash Type: recommended Severity: important References: 1183064 This update for bash fixes the following issues: - Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1528-1 Released: Thu May 6 15:31:23 2021 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1161276 This update for openssl-1_1 fixes the following issues: - Do not list disapproved cipher algorithms while in 'FIPS' mode. (bsc#1161276) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1543-1 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Type: recommended Severity: moderate References: 1184435 This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1557-1 Released: Tue May 11 09:50:00 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1183374,CVE-2021-3426 This update for python3 fixes the following issues: - CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1565-1 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1185163 This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files. 
(bsc#1185163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1582-1 Released: Wed May 12 13:40:03 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1184687,1185190 This update for lvm2 fixes the following issues: - Honor 'lvm.conf' parameter event_activation=0 on 'pvscan --cache -aay'. (bsc#1185190) - Fixed an issue when LVM can't be disabled on boot. (bsc#1184687) - Update patch for avoiding apply warning messages. (bsc#1012973) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1589-1 Released: Wed May 12 13:45:15 2021 Summary: Recommended update for numactl Type: recommended Severity: low References: This update for numactl fixes the following issues: - Added bug fixes to enable support for 32 bit systems (jsc#SLE-17217) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1592-1 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Type: optional Severity: low References: 1183797 This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1598-1 Released: Thu May 13 13:14:33 2021 Summary: Security update for dtc Type: security Severity: low References: 1184122 This update for dtc fixes the following issues: - make all packaged binaries PIE-executables (bsc#1184122). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1612-1 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. 
(bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1647-1 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Type: security Severity: important References: 1185438,CVE-2021-3520 This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1654-1 Released: Wed May 19 16:43:36 2021 Summary: Security update for libxml2 Type: security Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 This update for libxml2 fixes the following issues: - CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1655-1 Released: Wed May 19 16:44:33 2021 Summary: Security update for fribidi Type: security Severity: important References: 1156260,CVE-2019-18397 This update for fribidi fixes the following issues: Security issues fixed: - CVE-2019-18397: Avoid buffer overflow. (bsc#1156260) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1669-1 Released: Thu May 20 11:10:44 2021 Summary: Recommended update for nfs-utils Type: recommended Severity: moderate References: 1181540,1181651,1183194,1185170 This update for nfs-utils fixes the following issues: - The '/var/run' is long deprecated - switch all relevant paths to '/run'. (bsc#1185170) - Improve logging of authentication (bsc#1181540) - Add man page of the 'nconnect mount'. (bsc#1181651) - Fixed an issue when HANA crashed due to inaccessible/hanging NFS mount. (bsc#1183194) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1675-1 Released: Thu May 20 15:00:23 2021 Summary: Recommended update for snappy Type: recommended Severity: moderate References: 1080040,1184507 This update for snappy fixes the following issues: Update from version 1.1.3 to 1.1.8 - Small performance improvements. - Removed `snappy::string` alias for `std::string`. - Improved `CMake` configuration. - Improved packages descriptions. - Fix RPM groups. - Aarch64 fixes - PPC speedups - PIE improvements - Fix license install. (bsc#1080040) - Fix a 1% performance regression when snappy is used in PIE executable. - Improve compression performance by 5%. - Improve decompression performance by 20%. - Use better download URL. - Fix a build issue for tensorflow2. 
(bsc#1184507) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1762-1 Released: Wed May 26 12:30:01 2021 Summary: Security update for curl Type: security Severity: moderate References: 1186114,CVE-2021-22898 This update for curl fixes the following issues: - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Allow partial chain verification [jsc#SLE-17956] * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. * Set FLAG_TRUSTED_FIRST unconditionally. * Do not check partial chains with CRL check. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1765-1 Released: Wed May 26 12:36:38 2021 Summary: Security update for libX11 Type: security Severity: moderate References: 1182506,CVE-2021-31535 This update for libX11 fixes the following issues: - CVE-2021-31535: Fixed missing request length checks in libX11 (bsc#1182506). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1773-1 Released: Wed May 26 17:22:21 2021 Summary: Recommended update for python3 Type: recommended Severity: low References: This update for python3 fixes the following issues: - Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1794-1 Released: Thu May 27 19:25:29 2021 Summary: Recommended update for radvd Type: recommended Severity: moderate References: 1185066 This update for radvd fixes the following issues: - replace '/var/run' with '/run' in '/usr/lib/tmpfiles.d/radvd.conf' (bsc#1185066) From sle-security-updates at lists.suse.com Tue Jun 1 06:36:57 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 1 Jun 2021 08:36:57 +0200 (CEST) Subject: SUSE-CU-2021:235-1: Security update of suse/sles/15.2/virt-operator Message-ID: <20210601063657.46B13B46E9F@westernhagen.suse.de> SUSE Container Update Advisory: suse/sles/15.2/virt-operator ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:235-1 Container Tags : suse/sles/15.2/virt-operator:0.38.1 , suse/sles/15.2/virt-operator:0.38.1.5.8.43 Container Release : 5.8.43 Severity : important Type : security References : 1078466 1084671 1104902 1141597 1146705 1154935 1161276 1165502 1167471 1169006 1171883 1172442 1173422 1173582 1174232 1174436 1174593 1174942 1175458 1175514 1175519 1175623 1176201 1176513 1176800 1177458 1177490 1177490 1177510 1177858 1178219 1178346 1178386 1178387 1178512 1178554 1178727 1178775 1178775 1178823 1178825 1178909 1179363 1179398 1179399 1179431 1179491 1179503 1179515 1179593 1179694 1179721 1179824 1180020 1180038 1180073 1180083 1180138 1180225 1180596 1180603 1180603 1180836 1180885 1181011 1181358 1181443 1181505 1181831 1182117 1182279 1182328 1182331 1182333 1182362 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182791 1182899 1182959 1183064 1183094 1183370 1183371 1183749 1183791 1183797 1183852 1183933 1183934 1184358 1184435 1184614 1184690 1185163 1185408 1185408 1185409 1185409 1185410 1185410 1185438 1185562 1185698 1186114 CVE-2019-25013 CVE-2020-11080 CVE-2020-1971 
CVE-2020-25692 CVE-2020-25709 CVE-2020-25710 CVE-2020-27618 CVE-2020-28196 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-8025 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2021-22876 CVE-2021-22890 CVE-2021-22898 CVE-2021-23840 CVE-2021-23841 CVE-2021-24031 CVE-2021-24032 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3326 CVE-2021-3449 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517 CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 ----------------------------------------------------------------- The container suse/sles/15.2/virt-operator was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1989-1 Released: Tue Jul 21 17:58:58 2020 Summary: Recommended update to SLES-releases Type: recommended Severity: important References: 1173582 This update of SLES-release provides the following fix: - Obsolete Leap 15.2 as well to allow migration from Leap to SLE. 
(bsc#1173582) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3138-1 Released: Tue Nov 3 12:14:03 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800 This update for systemd fixes the following issues: - seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422) - test-seccomp: log function names - test-seccomp: add log messages when skipping tests - basic/virt: Detect PowerVM hypervisor (bsc#1176800) - fs-util: suppress world-writable warnings if we read /dev/null - udevadm: rename option '--log-priority' into '--log-level' - udev: rename kernel option 'log_priority' into 'log_level' - fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513) - Fix memory protection default (bsc#1167471) - cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935) - Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3290-1 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1174232 This update for findutils fixes the following issues: - Do not unconditionally use leaf optimization for NFS. (bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1178387,CVE-2020-25692 This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3377-1 Released: Thu Nov 19 09:29:32 2020 Summary: Security update for krb5 Type: security Severity: moderate References: 1178512,CVE-2020-28196 This update for krb5 fixes the following security issue: - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3381-1 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1177458,1177490,1177510 This update for systemd fixes the following issues: - build-sys: optionally disable support of journal over the network (bsc#1177458) - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510) - mount: don't propagate errors from mount_setup_unit() further up - Rely on the new build option --disable-remote for journal_remote This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled. - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package - Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458) These files were incorrectly packaged in the main package when systemd-journal_remote was disabled. - Make use of %{_unitdir} and %{_sysusersdir} - Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3462-1 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Type: recommended Severity: moderate References: 1174593,1177858,1178727 This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. 
(bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3620-1 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=` ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3626-1 Released: Fri Dec 4 13:51:46 2020 Summary: Recommended update for audit Type: recommended Severity: moderate References: 1179515 This update for audit fixes the following issues: - Enable Aarch64 processor support. (bsc#1179515) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3703-1 Released: Mon Dec 7 20:17:32 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1179431 This update for aaa_base fixes the following issue: - Avoid semicolon within (t)csh login script on S/390. (bsc#1179431) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3721-1 Released: Wed Dec 9 13:36:46 2020 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1179491,CVE-2020-1971 This update for openssl-1_1 fixes the following issues: - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3735-1 Released: Wed Dec 9 18:19:24 2020 Summary: Security update for curl Type: security Severity: moderate References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286 This update for curl fixes the following issues: - CVE-2020-8286: Fixed improper OCSP verification in the client side (bsc#1179593). - CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399). - CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3809-1 Released: Tue Dec 15 13:46:05 2020 Summary: Recommended update for glib2 Type: recommended Severity: moderate References: 1178346 This update for glib2 fixes the following issues: Update from version 2.62.5 to version 2.62.6: - Support for slim format of timezone. (bsc#1178346) - Fix DST incorrect end day when using slim format. (bsc#1178346) - Fix SOCKS5 username/password authentication. - Updated translations. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3853-1 Released: Wed Dec 16 12:27:27 2020 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825 This update for util-linux fixes the following issue: - Do not trigger the automatic close of CDROM. (bsc#1084671) - Try to automatically configure broken serial lines. (bsc#1175514) - Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514) - Build with `libudev` support to support non-root users. (bsc#1169006) - Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825) - Fix warning on mounts to `CIFS` with mount -a. 
(bsc#1174942) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3942-1 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Type: recommended Severity: moderate References: 1180138 This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3943-1 Released: Tue Dec 29 12:24:45 2020 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1178823 This update for libxml2 fixes the following issues: Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823) * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). * This fix uses a hash table to avoid the quadratic behaviour. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:129-1 Released: Thu Jan 14 12:26:15 2021 Summary: Security update for openldap2 Type: security Severity: moderate References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909). - CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909). Non-security issue fixed: - Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. 
(bsc#1179503) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:197-1 Released: Fri Jan 22 15:17:42 2021 Summary: Security update for permissions Type: security Severity: moderate References: 1171883,CVE-2020-8025 This update for permissions fixes the following issues: - Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:220-1 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate References: 1180603 This update for keyutils fixes the following issues: - Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:233-1 Released: Wed Jan 27 12:15:33 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225 This update for systemd fixes the following issues: - Added a timestamp to the output of the busctl monitor command (bsc#1180225) - Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824) - Improved the caching of cgroups member mask (bsc#1175458) - Fixed the dependency definition of sound.target (bsc#1179363) - Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436) - time-util: treat /etc/localtime missing as UTC (bsc#1141597) - Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:265-1 Released: Mon Feb 1 15:06:45 2021 Summary: Recommended update for systemd Type: recommended Severity: important References: 1178775,1180885 This update for systemd 
fixes the following issues: - Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998) - Fix for an issue when container start causes interference in other containers. (bsc#1178775) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:293-1 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Type: recommended Severity: moderate References: 1180603 This update for gmp fixes the following issues: - correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:339-1 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Type: optional Severity: low References: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:653-1 Released: Fri Feb 26 19:53:43 2021 Summary: Security update for glibc Type: security Severity: important References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326 This update for glibc fixes the following issues: - Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973) - x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) - iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2021:723-1 Released: Mon Mar 8 16:45:27 2021 Summary: Security update for openldap2 Type: security Severity: important References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 This update for openldap2 fixes the following issues: - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). 
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:754-1 Released: Tue Mar 9 17:10:49 2021 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841 This update for openssl-1_1 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) - Fixed unresolved error codes in FIPS (bsc#1182959). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:778-1 Released: Fri Mar 12 17:42:25 2021 Summary: Security update for glib2 Type: security Severity: important References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219 This update for glib2 fixes the following issues: - CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328) - CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. 
(bsc#1182362) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:786-1 Released: Mon Mar 15 11:19:23 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1176201 This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:924-1 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 This update for filesystem fixes the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) - Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. 
(bsc#1180083) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:930-1 Released: Wed Mar 24 12:09:23 2021 Summary: Security update for nghttp2 Type: security Severity: important References: 1172442,1181358,CVE-2020-11080 This update for nghttp2 fixes the following issues: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:948-1 Released: Wed Mar 24 14:31:34 2021 Summary: Security update for zstd Type: security Severity: moderate References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032 This update for zstd fixes the following issues: - CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371). - CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:955-1 Released: Thu Mar 25 16:11:48 2021 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1183852,CVE-2021-3449 This update for openssl-1_1 fixes the security issue: * CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. 
[bsc#1183852] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1004-1 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Type: recommended Severity: moderate References: 1180073 This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1006-1 Released: Thu Apr 1 17:44:57 2021 Summary: Security update for curl Type: security Severity: moderate References: 1183933,1183934,CVE-2021-22876,CVE-2021-22890 This update for curl fixes the following issues: - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934) - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1141-1 Released: Mon Apr 12 13:13:36 2021 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1182791 This update for openldap2 fixes the following issues: - Improved the proxy connection timeout options to prune connections properly (bsc#1182791) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1206-1 Released: Thu Apr 15 15:15:09 2021 Summary: Recommended update for kubevirt Type: recommended Severity: moderate References: 1183749 This update for kubevirt fixes the following issues: - updated kubevirt to version 0.38.1 This update provides a lot of bug fixes and smaller changes. Please refer to this package's rpm changelog to get a full list of all changes. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1286-1 Released: Tue Apr 20 20:10:21 2021 Summary: Recommended update for SLES-release Type: recommended Severity: moderate References: 1180836 This recommended update for SLES-release provides the following fix: - Revert the problematic changes previously released and make sure the version is high enough to obsolete the package on containers and images. (bsc#1180836) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1296-1 Released: Wed Apr 21 14:09:28 2021 Summary: Optional update for e2fsprogs Type: optional Severity: low References: 1183791 This update for e2fsprogs fixes the following issues: - Fixed an issue when building e2fsprogs (bsc#1183791) This patch does not fix any user visible issues and is therefore optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1297-1 Released: Wed Apr 21 14:10:10 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1178219 This update for systemd fixes the following issues: - Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1407-1 Released: Wed Apr 28 15:49:02 2021 Summary: Recommended update for libcap Type: recommended Severity: important References: 1184690 This update for libcap fixes the following issues: - Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. 
(bsc#1184690) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1466-1 Released: Tue May 4 08:30:57 2021 Summary: Security update for permissions Type: security Severity: important References: 1182899 This update for permissions fixes the following issues: - etc/permissions: remove unnecessary entries (bsc#1182899) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1523-1 Released: Wed May 5 18:24:20 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518 This update for libxml2 fixes the following issues: - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1527-1 Released: Thu May 6 08:58:53 2021 Summary: Recommended update for bash Type: recommended Severity: important References: 1183064 This update for bash fixes the following issues: - Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1528-1 Released: Thu May 6 15:31:23 2021 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1161276 This update for openssl-1_1 fixes the following issues: - Do not list disapproved cipher algorithms while in 'FIPS' mode. 
(bsc#1161276) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1543-1 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Type: recommended Severity: moderate References: 1184435 This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1565-1 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1185163 This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163); ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1592-1 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Type: optional Severity: low References: 1183797 This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1612-1 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. 
(bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1647-1 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Type: security Severity: important References: 1185438,CVE-2021-3520 This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1654-1 Released: Wed May 19 16:43:36 2021 Summary: Security update for libxml2 Type: security Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 This update for libxml2 fixes the following issues: - CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1762-1 Released: Wed May 26 12:30:01 2021 Summary: Security update for curl Type: security Severity: moderate References: 1186114,CVE-2021-22898 This update for curl fixes the following issues: - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Allow partial chain verification [jsc#SLE-17956] * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. * Set FLAG_TRUSTED_FIRST unconditionally. * Do not check partial chains with CRL check. From sle-security-updates at lists.suse.com Tue Jun 1 13:16:22 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 1 Jun 2021 15:16:22 +0200 (CEST) Subject: SUSE-SU-2021:1819-1: important: Security update for gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly Message-ID: <20210601131622.1DFB1FD14@maintenance.suse.de> SUSE Security Update: Security update for gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1819-1 Rating: important References: #1181255 SLE-13843 Cross-References: CVE-2021-3185 CVSS scores: CVE-2021-3185 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3185 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Workstation Extension 15-SP3 SUSE Linux Enterprise Workstation Extension 15-SP2 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 SUSE 
Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability, contains one feature is now available. Description: This update for gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly fixes the following issues: gstreamer was updated to version 1.16.3 (bsc#1181255): - delay creation of threadpools - bin: Fix `deep-element-removed` log message - buffer: fix meta sequence number fallback on rpi - bufferlist: foreach: always remove as parent if buffer is changed - bus: Make setting/replacing/clearing the sync handler thread-safe - elementfactory: Fix missing features in case a feature moves to another filename - element: When removing a ghost pad also unset its target - meta: intern registered impl string - registry: Use a toolchain-specific registry file on Windows - systemclock: Invalid internal time calculation causes non-increasing clock time on Windows - value: don't write to `const char *` - value: Fix segfault comparing empty GValueArrays - Revert floating enforcing - aggregator: fix iteration direction in skip_buffers - sparsefile: fix possible crash when seeking - baseparse: cache fix - baseparse: fix memory leak when subclass skips whole input buffer - baseparse: Set the private duration before posting a duration-changed message - basetransform: allow not passthrough if generate_output is implemented - identity: Fix a minor leak using meta_str - queue: protect against lost wakeups for iterm_del condition - queue2: Avoid races when posting buffering messages - queue2: Fix missing/dropped buffering messages at startup - identity: Unblock condition variable on FLUSH_START - check: Use `g_thread_yield()` instead of `g_usleep(1)` - tests: use cpu_family for arch checks - gst-launch: Follow up to missing `s/g_print/gst_print/g` - gst-inspect: Add define guard for 
`g_log_writer_supports_color()` - gst-launch: go back down to `GST_STATE_NULL` in one step. - device-monitor: list hidden providers before listing devices - autotools build fixes for GNU make 4.3 gstreamer-plugins-good was updated to version 1.16.3 (bsc#1181255): - deinterlace: on-the-fly renegotiation - flacenc: Pass audio info from set_format() to query_total_samples() explicitly - flacparse: fix broken reordering of flac metadata - jack: Use jack_free(3) to release ports - jpegdec: check buffer size before dereferencing - pulse: fix discovery of newly added devices - qtdemux fuzzing fixes - qtdemux: Add 'mp3 ' fourcc that VLC seems to produce now - qtdemux: Specify REDIRECT information in error message - rtpbin: fix shutdown crash in rtpbin - rtpsession: rename RTCP thread - rtpvp8pay, rtpvp9pay: fix caps leak in set_caps() - rtpjpegdepay: outputs framed jpeg - rtpjitterbuffer: Properly free internal packets queue in finalize() - rtspsrc: Don't return TRUE for unhandled query - rtspsrc: Avoid stack overflow recursing waiting for response - rtspsrc: Use the correct type for storing the max-rtcp-rtp-time-diff property - rtspsrc: Error out when failing to receive message response - rtspsrc: Fix for segmentation fault when handling set/get_parameter requests - speex: Fix crash on Windows caused by cross-CRT issue - speexdec: Crash when stopping the pipeline - splitmuxsrc: Properly stop the loop if no part reader is present - use gst_element_class_set_metadata when passing dynamic strings - v4l2videodec: Increase internal bitstream pool size - v4l2: fix crash when handling unsupported video format - videocrop: allow properties to be animated by GstController - videomixer: Don't leak peer caps - vp8enc/vp8enc: set 1 for the default value of VP8E_SET_STATIC_THRESHOLD - wavenc: Fix writing of the channel mask with >2 channels gstreamer-plugins-bad was updated to version 1.16.3 (bsc#1181255): - amcvideodec: fix sync meta copying not taking a reference - 
audiobuffersplit: Perform discont tracking on running time - audiobuffersplit: Specify in the template caps that only interleaved audio is supported - audiobuffersplit: Unset DISCONT flag if not discontinuous - autoconvert: Fix lock-less exchange or free condition - autoconvert: fix compiler warnings with g_atomic on recent GLib versions - avfvideosrc: element requests camera permissions even with capture-screen property is true - codecparsers: h264parser: guard against ref_pic_markings overflow - dtlsconnection: Avoid segmentation fault when no srtp capabilities are negotiated - dtls/connection: fix EOF handling with openssl 1.1.1e - fdkaacdec: add support for mpegversion=2 - hls: Check nettle version to ensure AES128 support - ipcpipeline: Rework compiler checks - interlace: Increment phase_index before checking if we're at the end of the phase - lv2: Make it build with -fno-common - h264parser: Do not allocate too large size of memory for registered user data SEI - ladspa: fix unbounded integer properties - modplug: avoid division by zero - msdkdec: Fix GstMsdkContext leak - msdkenc: fix leaks on windows - musepackdec: Don't fail all queries if no sample rate is known yet - openslessink: Allow openslessink to handle 48kHz streams. - opencv: allow compilation against 4.2.x - proxysink: event_function needs to handle the event when it is disconnected from proxysrc - vulkan: Drop use of VK_RESULT_BEGIN_RANGE - wasapi: added missing lock release in case of error in gst_wasapi_xxx_reset - wasapi: Fix possible deadlock while downwards state change - waylandsink: Clear window when pipeline is stopped - webrtc: Support non-trickle ICE candidates in the SDP - webrtc: Unmap all non-binary buffers received via the datachannel - meson: build with neon 0.31 - Drop upstream fixed patch: gstreamer-h264parser-fix-overflow.patch - h264parser: guard against ref_pic_markings overflow (bsc#1181255 CVE-2021-3185) - Disable the kate/libtiger plugin. 
Kate streams for karaoke are not used anymore, and the source tarball for libtiger is no longer available upstream. (jsc#SLE-13843) gstreamer-plugins-ugly was updated to version 1.16.3 (bsc#1181255): + x264enc: corrected em_data value in CEA-708 CC SEI message gstreamer-plugins-base was updated to version 1.16.3 (bsc#1181255): - audioaggregator: Check all downstream allowed caps structures if they support the upstream rate - audioaggregator: Fix negotiation with downstream if there is no peer yet - audioencoder: fix segment event leak - discoverer: Fix caps handling in `pad-added` signal handler - discoverer: Start discovering next URI from right thread - fft: Update our kiss fft version, fixes thread-safety and concurrency issues and misc other things - gl: numerous memory fixes (use-after-free, leaks, missing NULL-ify) - gl/display/egl: ensure debug category is initialized - gstglwindow_x11: fix resize - pbutils: Add latest H.264 level values - rtpbuffer: fix header extension length validation - video: Fix NV12_64Z32 number of component - video-format: RGB16/15 are not 16 bit per component but only 5.333 and 5 - video: fix top/bottom field flags - videodecoder: don't copy interlace-mode from reference state - appsrc/appsink: Make setting/replacing callbacks thread-safe - compositor: Fix checkerboard filling for BGRx/RGBx and UYVY/YUY2/YVYU - decodebin3: only force streams-selected seqnum after a select-streams - glupload: Fix fallback from direct dmabuf to dmabuf upload method - glvideomixer: perform `_get_highest_precision()` on the GL thread - libvisual: use `gst_element_class_set_metadata()` when passing dynamic strings - oggstream: Workaround for broken PAR in VP8 BOS - subparse: accept WebVTT timestamps without an hour component - playbin: Handle error message with redirection indication - textrender: Fix AYUV output. 
- typefind: Consider MPEG-PS PSM to be a PES type - uridecodebin3: default to non-0 buffer-size and buffer-duration, otherwise it could potentially cause big memory allocations over time - videoaggregator: Don't configure NULL chroma-site/colorimetry - videorate/videoscale/audioresample: Ensure that the caps returned from... - build: Replace bashisms in configure for Wayland and GLES3 Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1819=1 - SUSE Linux Enterprise Workstation Extension 15-SP3: zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-1819=1 - SUSE Linux Enterprise Workstation Extension 15-SP2: zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-1819=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-1819=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-1819=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1819=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1819=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1819=1 Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): gstreamer-1.16.3-3.3.1 gstreamer-debuginfo-1.16.3-3.3.1 gstreamer-debugsource-1.16.3-3.3.1 gstreamer-plugins-base-1.16.3-4.3.1 gstreamer-plugins-base-debuginfo-1.16.3-4.3.1 gstreamer-plugins-base-debugsource-1.16.3-4.3.1 libgstallocators-1_0-0-1.16.3-4.3.1 libgstallocators-1_0-0-debuginfo-1.16.3-4.3.1 libgstapp-1_0-0-1.16.3-4.3.1 libgstapp-1_0-0-debuginfo-1.16.3-4.3.1 
libgstaudio-1_0-0-1.16.3-4.3.1 libgstaudio-1_0-0-debuginfo-1.16.3-4.3.1 libgstgl-1_0-0-1.16.3-4.3.1 libgstgl-1_0-0-debuginfo-1.16.3-4.3.1 libgstpbutils-1_0-0-1.16.3-4.3.1 libgstpbutils-1_0-0-debuginfo-1.16.3-4.3.1 libgstreamer-1_0-0-1.16.3-3.3.1 libgstreamer-1_0-0-debuginfo-1.16.3-3.3.1 libgstriff-1_0-0-1.16.3-4.3.1 libgstriff-1_0-0-debuginfo-1.16.3-4.3.1 libgsttag-1_0-0-1.16.3-4.3.1 libgsttag-1_0-0-debuginfo-1.16.3-4.3.1 libgstvideo-1_0-0-1.16.3-4.3.1 libgstvideo-1_0-0-debuginfo-1.16.3-4.3.1 - SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64): gstreamer-plugins-ugly-1.16.3-3.3.1 gstreamer-plugins-ugly-debuginfo-1.16.3-3.3.1 gstreamer-plugins-ugly-debugsource-1.16.3-3.3.1 - SUSE Linux Enterprise Workstation Extension 15-SP3 (noarch): gstreamer-plugins-ugly-lang-1.16.3-3.3.1 - SUSE Linux Enterprise Workstation Extension 15-SP2 (noarch): gstreamer-plugins-ugly-lang-1.16.3-3.3.1 - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64): gstreamer-plugins-ugly-1.16.3-3.3.1 gstreamer-plugins-ugly-debuginfo-1.16.3-3.3.1 gstreamer-plugins-ugly-debugsource-1.16.3-3.3.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (x86_64): gstreamer-32bit-1.16.3-3.3.1 gstreamer-32bit-debuginfo-1.16.3-3.3.1 gstreamer-debugsource-1.16.3-3.3.1 gstreamer-plugins-base-32bit-debuginfo-1.16.3-4.3.1 gstreamer-plugins-base-debugsource-1.16.3-4.3.1 libgstaudio-1_0-0-32bit-1.16.3-4.3.1 libgstaudio-1_0-0-32bit-debuginfo-1.16.3-4.3.1 libgstreamer-1_0-0-32bit-1.16.3-3.3.1 libgstreamer-1_0-0-32bit-debuginfo-1.16.3-3.3.1 libgsttag-1_0-0-32bit-1.16.3-4.3.1 libgsttag-1_0-0-32bit-debuginfo-1.16.3-4.3.1 libgstvideo-1_0-0-32bit-1.16.3-4.3.1 libgstvideo-1_0-0-32bit-debuginfo-1.16.3-4.3.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (x86_64): gstreamer-32bit-1.16.3-3.3.1 gstreamer-32bit-debuginfo-1.16.3-3.3.1 gstreamer-debugsource-1.16.3-3.3.1 gstreamer-plugins-base-32bit-debuginfo-1.16.3-4.3.1 gstreamer-plugins-base-debugsource-1.16.3-4.3.1 
libgstaudio-1_0-0-32bit-1.16.3-4.3.1 libgstaudio-1_0-0-32bit-debuginfo-1.16.3-4.3.1 libgstreamer-1_0-0-32bit-1.16.3-3.3.1 libgstreamer-1_0-0-32bit-debuginfo-1.16.3-3.3.1 libgsttag-1_0-0-32bit-1.16.3-4.3.1 libgsttag-1_0-0-32bit-debuginfo-1.16.3-4.3.1 libgstvideo-1_0-0-32bit-1.16.3-4.3.1 libgstvideo-1_0-0-32bit-debuginfo-1.16.3-4.3.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): gstreamer-debuginfo-1.16.3-3.3.1 gstreamer-debugsource-1.16.3-3.3.1 gstreamer-devel-1.16.3-3.3.1 gstreamer-plugins-bad-1.16.3-4.4.1 gstreamer-plugins-bad-chromaprint-1.16.3-4.4.1 gstreamer-plugins-bad-chromaprint-debuginfo-1.16.3-4.4.1 gstreamer-plugins-bad-debuginfo-1.16.3-4.4.1 gstreamer-plugins-bad-debugsource-1.16.3-4.4.1 gstreamer-plugins-bad-devel-1.16.3-4.4.1 gstreamer-plugins-base-debuginfo-1.16.3-4.3.1 gstreamer-plugins-base-debugsource-1.16.3-4.3.1 gstreamer-plugins-base-devel-1.16.3-4.3.1 gstreamer-utils-1.16.3-3.3.1 gstreamer-utils-debuginfo-1.16.3-3.3.1 libgstadaptivedemux-1_0-0-1.16.3-4.4.1 libgstadaptivedemux-1_0-0-debuginfo-1.16.3-4.4.1 libgstbadaudio-1_0-0-1.16.3-4.4.1 libgstbadaudio-1_0-0-debuginfo-1.16.3-4.4.1 libgstbasecamerabinsrc-1_0-0-1.16.3-4.4.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.16.3-4.4.1 libgstcodecparsers-1_0-0-1.16.3-4.4.1 libgstcodecparsers-1_0-0-debuginfo-1.16.3-4.4.1 libgstinsertbin-1_0-0-1.16.3-4.4.1 libgstinsertbin-1_0-0-debuginfo-1.16.3-4.4.1 libgstisoff-1_0-0-1.16.3-4.4.1 libgstisoff-1_0-0-debuginfo-1.16.3-4.4.1 libgstmpegts-1_0-0-1.16.3-4.4.1 libgstmpegts-1_0-0-debuginfo-1.16.3-4.4.1 libgstplayer-1_0-0-1.16.3-4.4.1 libgstplayer-1_0-0-debuginfo-1.16.3-4.4.1 libgstsctp-1_0-0-1.16.3-4.4.1 libgstsctp-1_0-0-debuginfo-1.16.3-4.4.1 libgsturidownloader-1_0-0-1.16.3-4.4.1 libgsturidownloader-1_0-0-debuginfo-1.16.3-4.4.1 libgstwayland-1_0-0-1.16.3-4.4.1 libgstwayland-1_0-0-debuginfo-1.16.3-4.4.1 libgstwebrtc-1_0-0-1.16.3-4.4.1 libgstwebrtc-1_0-0-debuginfo-1.16.3-4.4.1 typelib-1_0-GstAllocators-1_0-1.16.3-4.3.1 
typelib-1_0-GstApp-1_0-1.16.3-4.3.1 typelib-1_0-GstAudio-1_0-1.16.3-4.3.1 typelib-1_0-GstGL-1_0-1.16.3-4.3.1 typelib-1_0-GstInsertBin-1_0-1.16.3-4.4.1 typelib-1_0-GstMpegts-1_0-1.16.3-4.4.1 typelib-1_0-GstPbutils-1_0-1.16.3-4.3.1 typelib-1_0-GstPlayer-1_0-1.16.3-4.4.1 typelib-1_0-GstRtp-1_0-1.16.3-4.3.1 typelib-1_0-GstRtsp-1_0-1.16.3-4.3.1 typelib-1_0-GstSdp-1_0-1.16.3-4.3.1 typelib-1_0-GstTag-1_0-1.16.3-4.3.1 typelib-1_0-GstVideo-1_0-1.16.3-4.3.1 typelib-1_0-GstWebRTC-1_0-1.16.3-4.4.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (noarch): gstreamer-plugins-bad-lang-1.16.3-4.4.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): gstreamer-1.16.3-3.3.1 gstreamer-debuginfo-1.16.3-3.3.1 gstreamer-debugsource-1.16.3-3.3.1 gstreamer-devel-1.16.3-3.3.1 gstreamer-plugins-base-1.16.3-4.3.1 gstreamer-plugins-base-debuginfo-1.16.3-4.3.1 gstreamer-plugins-base-debugsource-1.16.3-4.3.1 gstreamer-plugins-base-devel-1.16.3-4.3.1 gstreamer-plugins-good-1.16.3-3.3.1 gstreamer-plugins-good-debuginfo-1.16.3-3.3.1 gstreamer-plugins-good-debugsource-1.16.3-3.3.1 gstreamer-utils-1.16.3-3.3.1 gstreamer-utils-debuginfo-1.16.3-3.3.1 libgstallocators-1_0-0-1.16.3-4.3.1 libgstallocators-1_0-0-debuginfo-1.16.3-4.3.1 libgstapp-1_0-0-1.16.3-4.3.1 libgstapp-1_0-0-debuginfo-1.16.3-4.3.1 libgstaudio-1_0-0-1.16.3-4.3.1 libgstaudio-1_0-0-debuginfo-1.16.3-4.3.1 libgstfft-1_0-0-1.16.3-4.3.1 libgstfft-1_0-0-debuginfo-1.16.3-4.3.1 libgstgl-1_0-0-1.16.3-4.3.1 libgstgl-1_0-0-debuginfo-1.16.3-4.3.1 libgstpbutils-1_0-0-1.16.3-4.3.1 libgstpbutils-1_0-0-debuginfo-1.16.3-4.3.1 libgstreamer-1_0-0-1.16.3-3.3.1 libgstreamer-1_0-0-debuginfo-1.16.3-3.3.1 libgstriff-1_0-0-1.16.3-4.3.1 libgstriff-1_0-0-debuginfo-1.16.3-4.3.1 libgstrtp-1_0-0-1.16.3-4.3.1 libgstrtp-1_0-0-debuginfo-1.16.3-4.3.1 libgstrtsp-1_0-0-1.16.3-4.3.1 libgstrtsp-1_0-0-debuginfo-1.16.3-4.3.1 libgstsdp-1_0-0-1.16.3-4.3.1 libgstsdp-1_0-0-debuginfo-1.16.3-4.3.1 libgsttag-1_0-0-1.16.3-4.3.1 
libgsttag-1_0-0-debuginfo-1.16.3-4.3.1 libgstvideo-1_0-0-1.16.3-4.3.1 libgstvideo-1_0-0-debuginfo-1.16.3-4.3.1 typelib-1_0-Gst-1_0-1.16.3-3.3.1 typelib-1_0-GstAllocators-1_0-1.16.3-4.3.1 typelib-1_0-GstApp-1_0-1.16.3-4.3.1 typelib-1_0-GstAudio-1_0-1.16.3-4.3.1 typelib-1_0-GstGL-1_0-1.16.3-4.3.1 typelib-1_0-GstPbutils-1_0-1.16.3-4.3.1 typelib-1_0-GstRtp-1_0-1.16.3-4.3.1 typelib-1_0-GstRtsp-1_0-1.16.3-4.3.1 typelib-1_0-GstSdp-1_0-1.16.3-4.3.1 typelib-1_0-GstTag-1_0-1.16.3-4.3.1 typelib-1_0-GstVideo-1_0-1.16.3-4.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch): gstreamer-lang-1.16.3-3.3.1 gstreamer-plugins-base-lang-1.16.3-4.3.1 gstreamer-plugins-good-lang-1.16.3-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): gstreamer-1.16.3-3.3.1 gstreamer-debuginfo-1.16.3-3.3.1 gstreamer-debugsource-1.16.3-3.3.1 gstreamer-plugins-bad-debuginfo-1.16.3-4.4.1 gstreamer-plugins-bad-debugsource-1.16.3-4.4.1 gstreamer-plugins-base-1.16.3-4.3.1 gstreamer-plugins-base-debuginfo-1.16.3-4.3.1 gstreamer-plugins-base-debugsource-1.16.3-4.3.1 gstreamer-plugins-good-1.16.3-3.3.1 gstreamer-plugins-good-debuginfo-1.16.3-3.3.1 gstreamer-plugins-good-debugsource-1.16.3-3.3.1 libgstallocators-1_0-0-1.16.3-4.3.1 libgstallocators-1_0-0-debuginfo-1.16.3-4.3.1 libgstapp-1_0-0-1.16.3-4.3.1 libgstapp-1_0-0-debuginfo-1.16.3-4.3.1 libgstaudio-1_0-0-1.16.3-4.3.1 libgstaudio-1_0-0-debuginfo-1.16.3-4.3.1 libgstfft-1_0-0-1.16.3-4.3.1 libgstfft-1_0-0-debuginfo-1.16.3-4.3.1 libgstgl-1_0-0-1.16.3-4.3.1 libgstgl-1_0-0-debuginfo-1.16.3-4.3.1 libgstpbutils-1_0-0-1.16.3-4.3.1 libgstpbutils-1_0-0-debuginfo-1.16.3-4.3.1 libgstphotography-1_0-0-1.16.3-4.4.1 libgstphotography-1_0-0-debuginfo-1.16.3-4.4.1 libgstreamer-1_0-0-1.16.3-3.3.1 libgstreamer-1_0-0-debuginfo-1.16.3-3.3.1 libgstriff-1_0-0-1.16.3-4.3.1 libgstriff-1_0-0-debuginfo-1.16.3-4.3.1 libgstrtp-1_0-0-1.16.3-4.3.1 libgstrtp-1_0-0-debuginfo-1.16.3-4.3.1 libgstrtsp-1_0-0-1.16.3-4.3.1 
      libgstrtsp-1_0-0-debuginfo-1.16.3-4.3.1
      libgstsdp-1_0-0-1.16.3-4.3.1
      libgstsdp-1_0-0-debuginfo-1.16.3-4.3.1
      libgsttag-1_0-0-1.16.3-4.3.1
      libgsttag-1_0-0-debuginfo-1.16.3-4.3.1
      libgstvideo-1_0-0-1.16.3-4.3.1
      libgstvideo-1_0-0-debuginfo-1.16.3-4.3.1
      typelib-1_0-Gst-1_0-1.16.3-3.3.1

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
      gstreamer-lang-1.16.3-3.3.1
      gstreamer-plugins-base-lang-1.16.3-4.3.1
      gstreamer-plugins-good-lang-1.16.3-3.3.1

References:

https://www.suse.com/security/cve/CVE-2021-3185.html
https://bugzilla.suse.com/1181255

From sle-security-updates at lists.suse.com Tue Jun 1 16:18:08 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 1 Jun 2021 18:18:08 +0200 (CEST)
Subject: SUSE-SU-2021:14740-1: important: Security update for dhcp
Message-ID: <20210601161808.E81A9FD14@maintenance.suse.de>

SUSE Security Update: Security update for dhcp
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:14740-1
Rating: important
References: #1186382
Cross-References: CVE-2021-25217
CVSS scores:
      CVE-2021-25217 (SUSE): 7.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Affected Products:
      SUSE Linux Enterprise Server 11-SP4-LTSS
      SUSE Linux Enterprise Point of Sale 11-SP3
      SUSE Linux Enterprise Debuginfo 11-SP4
      SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for dhcp fixes the following issues:

- CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-dhcp-14740=1
- SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-dhcp-14740=1
- SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-dhcp-14740=1
- SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-dhcp-14740=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
      dhcp-4.2.4.P2-0.28.12.1
      dhcp-client-4.2.4.P2-0.28.12.1
      dhcp-relay-4.2.4.P2-0.28.12.1
      dhcp-server-4.2.4.P2-0.28.12.1

- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
      dhcp-4.2.4.P2-0.28.12.1
      dhcp-client-4.2.4.P2-0.28.12.1
      dhcp-relay-4.2.4.P2-0.28.12.1
      dhcp-server-4.2.4.P2-0.28.12.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
      dhcp-debuginfo-4.2.4.P2-0.28.12.1
      dhcp-debugsource-4.2.4.P2-0.28.12.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
      dhcp-debuginfo-4.2.4.P2-0.28.12.1
      dhcp-debugsource-4.2.4.P2-0.28.12.1

References:

https://www.suse.com/security/cve/CVE-2021-25217.html
https://bugzilla.suse.com/1186382

From sle-security-updates at lists.suse.com Tue Jun 1 16:20:14 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 1 Jun 2021 18:20:14 +0200 (CEST)
Subject: SUSE-SU-2021:1822-1: important: Security update for dhcp
Message-ID: <20210601162014.82EE2FD14@maintenance.suse.de>

SUSE Security Update: Security update for dhcp
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1822-1
Rating: important
References: #1186382
Cross-References: CVE-2021-25217
CVSS scores:
      CVE-2021-25217 (SUSE): 7.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Affected Products:
      SUSE OpenStack Cloud Crowbar 9
      SUSE OpenStack Cloud Crowbar 8
      SUSE OpenStack Cloud 9
      SUSE OpenStack Cloud 8
      SUSE Linux Enterprise Software Development Kit 12-SP5
      SUSE Linux Enterprise Server for SAP 12-SP4
      SUSE Linux Enterprise Server for SAP 12-SP3
      SUSE Linux Enterprise Server 12-SP5
      SUSE Linux Enterprise Server 12-SP4-LTSS
      SUSE Linux Enterprise Server 12-SP3-LTSS
      SUSE Linux Enterprise Server 12-SP3-BCL
      SUSE Linux Enterprise Server 12-SP2-BCL
      HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for dhcp fixes the following issues:

- CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1822=1
- SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1822=1
- SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1822=1
- SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1822=1
- SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1822=1
- SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1822=1
- SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1822=1
- SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1822=1
- SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1822=1
- SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1822=1
- SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1822=1
- SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1822=1
- HPE Helion
Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1822=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): dhcp-4.3.3-10.22.1 dhcp-client-4.3.3-10.22.1 dhcp-client-debuginfo-4.3.3-10.22.1 dhcp-debuginfo-4.3.3-10.22.1 dhcp-debugsource-4.3.3-10.22.1 dhcp-relay-4.3.3-10.22.1 dhcp-relay-debuginfo-4.3.3-10.22.1 dhcp-server-4.3.3-10.22.1 dhcp-server-debuginfo-4.3.3-10.22.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): dhcp-4.3.3-10.22.1 dhcp-client-4.3.3-10.22.1 dhcp-client-debuginfo-4.3.3-10.22.1 dhcp-debuginfo-4.3.3-10.22.1 dhcp-debugsource-4.3.3-10.22.1 dhcp-relay-4.3.3-10.22.1 dhcp-relay-debuginfo-4.3.3-10.22.1 dhcp-server-4.3.3-10.22.1 dhcp-server-debuginfo-4.3.3-10.22.1 - SUSE OpenStack Cloud 9 (x86_64): dhcp-4.3.3-10.22.1 dhcp-client-4.3.3-10.22.1 dhcp-client-debuginfo-4.3.3-10.22.1 dhcp-debuginfo-4.3.3-10.22.1 dhcp-debugsource-4.3.3-10.22.1 dhcp-relay-4.3.3-10.22.1 dhcp-relay-debuginfo-4.3.3-10.22.1 dhcp-server-4.3.3-10.22.1 dhcp-server-debuginfo-4.3.3-10.22.1 - SUSE OpenStack Cloud 8 (x86_64): dhcp-4.3.3-10.22.1 dhcp-client-4.3.3-10.22.1 dhcp-client-debuginfo-4.3.3-10.22.1 dhcp-debuginfo-4.3.3-10.22.1 dhcp-debugsource-4.3.3-10.22.1 dhcp-relay-4.3.3-10.22.1 dhcp-relay-debuginfo-4.3.3-10.22.1 dhcp-server-4.3.3-10.22.1 dhcp-server-debuginfo-4.3.3-10.22.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): dhcp-debuginfo-4.3.3-10.22.1 dhcp-debugsource-4.3.3-10.22.1 dhcp-devel-4.3.3-10.22.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): dhcp-4.3.3-10.22.1 dhcp-client-4.3.3-10.22.1 dhcp-client-debuginfo-4.3.3-10.22.1 dhcp-debuginfo-4.3.3-10.22.1 dhcp-debugsource-4.3.3-10.22.1 dhcp-relay-4.3.3-10.22.1 dhcp-relay-debuginfo-4.3.3-10.22.1 dhcp-server-4.3.3-10.22.1 dhcp-server-debuginfo-4.3.3-10.22.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): dhcp-4.3.3-10.22.1 dhcp-client-4.3.3-10.22.1 dhcp-client-debuginfo-4.3.3-10.22.1 dhcp-debuginfo-4.3.3-10.22.1 dhcp-debugsource-4.3.3-10.22.1 
dhcp-relay-4.3.3-10.22.1 dhcp-relay-debuginfo-4.3.3-10.22.1 dhcp-server-4.3.3-10.22.1 dhcp-server-debuginfo-4.3.3-10.22.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): dhcp-4.3.3-10.22.1 dhcp-client-4.3.3-10.22.1 dhcp-client-debuginfo-4.3.3-10.22.1 dhcp-debuginfo-4.3.3-10.22.1 dhcp-debugsource-4.3.3-10.22.1 dhcp-relay-4.3.3-10.22.1 dhcp-relay-debuginfo-4.3.3-10.22.1 dhcp-server-4.3.3-10.22.1 dhcp-server-debuginfo-4.3.3-10.22.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): dhcp-4.3.3-10.22.1 dhcp-client-4.3.3-10.22.1 dhcp-client-debuginfo-4.3.3-10.22.1 dhcp-debuginfo-4.3.3-10.22.1 dhcp-debugsource-4.3.3-10.22.1 dhcp-relay-4.3.3-10.22.1 dhcp-relay-debuginfo-4.3.3-10.22.1 dhcp-server-4.3.3-10.22.1 dhcp-server-debuginfo-4.3.3-10.22.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): dhcp-4.3.3-10.22.1 dhcp-client-4.3.3-10.22.1 dhcp-client-debuginfo-4.3.3-10.22.1 dhcp-debuginfo-4.3.3-10.22.1 dhcp-debugsource-4.3.3-10.22.1 dhcp-relay-4.3.3-10.22.1 dhcp-relay-debuginfo-4.3.3-10.22.1 dhcp-server-4.3.3-10.22.1 dhcp-server-debuginfo-4.3.3-10.22.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): dhcp-4.3.3-10.22.1 dhcp-client-4.3.3-10.22.1 dhcp-client-debuginfo-4.3.3-10.22.1 dhcp-debuginfo-4.3.3-10.22.1 dhcp-debugsource-4.3.3-10.22.1 dhcp-relay-4.3.3-10.22.1 dhcp-relay-debuginfo-4.3.3-10.22.1 dhcp-server-4.3.3-10.22.1 dhcp-server-debuginfo-4.3.3-10.22.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): dhcp-4.3.3-10.22.1 dhcp-client-4.3.3-10.22.1 dhcp-client-debuginfo-4.3.3-10.22.1 dhcp-debuginfo-4.3.3-10.22.1 dhcp-debugsource-4.3.3-10.22.1 dhcp-relay-4.3.3-10.22.1 dhcp-relay-debuginfo-4.3.3-10.22.1 dhcp-server-4.3.3-10.22.1 dhcp-server-debuginfo-4.3.3-10.22.1 - HPE Helion Openstack 8 (x86_64): dhcp-4.3.3-10.22.1 dhcp-client-4.3.3-10.22.1 dhcp-client-debuginfo-4.3.3-10.22.1 dhcp-debuginfo-4.3.3-10.22.1 dhcp-debugsource-4.3.3-10.22.1 dhcp-relay-4.3.3-10.22.1 dhcp-relay-debuginfo-4.3.3-10.22.1 
      dhcp-server-4.3.3-10.22.1
      dhcp-server-debuginfo-4.3.3-10.22.1

References:

https://www.suse.com/security/cve/CVE-2021-25217.html
https://bugzilla.suse.com/1186382

From sle-security-updates at lists.suse.com Tue Jun 1 16:21:20 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 1 Jun 2021 18:21:20 +0200 (CEST)
Subject: SUSE-SU-2021:1824-1: important: Security update for shim
Message-ID: <20210601162120.F1C8AFD14@maintenance.suse.de>

SUSE Security Update: Security update for shim
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1824-1
Rating: important
References: #1182057
Affected Products:
      SUSE Linux Enterprise Server for SAP 15
      SUSE Linux Enterprise High Performance Computing 15-LTSS
      SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for shim fixes the following issues:

- Update to the unified shim binary for SBAT support (bsc#1182057)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1824=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1824=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1824=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (x86_64):
      shim-15.4-7.19.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):
      shim-15.4-7.19.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):
      shim-15.4-7.19.1

References:

https://bugzilla.suse.com/1182057

From sle-security-updates at lists.suse.com Tue Jun 1 19:16:48 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 1 Jun 2021 21:16:48 +0200 (CEST)
Subject: SUSE-SU-2021:1826-1: important: Security update for bind
Message-ID: <20210601191648.D84BFFD14@maintenance.suse.de>

SUSE Security Update: Security update for bind
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1826-1
Rating: important
References: #1183453 #1185073
Cross-References: CVE-2021-25214 CVE-2021-25215
CVSS scores:
      CVE-2021-25214 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
      CVE-2021-25214 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
      CVE-2021-25215 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
      CVE-2021-25215 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
      SUSE Linux Enterprise Module for Server Applications 15-SP3
      SUSE Linux Enterprise Module for Basesystem 15-SP3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for bind fixes the following issues:

- CVE-2021-25214: Fixed a broken inbound incremental zone update (IXFR) which could have caused named to terminate unexpectedly (bsc#1185345).
- CVE-2021-25215: Fixed an assertion check which could have failed while answering queries for DNAME records that required the DNAME to be processed to resolve itself (bsc#1185345).
- Switched from /var/run to /run (bsc#1185073)
- Hardening: Compiled binary with PIE flags to make it position independent

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-1826=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1826=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
      bind-9.16.6-22.7.1
      bind-chrootenv-9.16.6-22.7.1
      bind-debuginfo-9.16.6-22.7.1
      bind-debugsource-9.16.6-22.7.1

- SUSE Linux Enterprise Module for Server Applications 15-SP3 (noarch):
      bind-doc-9.16.6-22.7.1

- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
      bind-debuginfo-9.16.6-22.7.1
      bind-debugsource-9.16.6-22.7.1
      bind-devel-9.16.6-22.7.1
      bind-utils-9.16.6-22.7.1
      bind-utils-debuginfo-9.16.6-22.7.1
      libbind9-1600-9.16.6-22.7.1
      libbind9-1600-debuginfo-9.16.6-22.7.1
      libdns1605-9.16.6-22.7.1
      libdns1605-debuginfo-9.16.6-22.7.1
      libirs-devel-9.16.6-22.7.1
      libirs1601-9.16.6-22.7.1
      libirs1601-debuginfo-9.16.6-22.7.1
      libisc1606-9.16.6-22.7.1
      libisc1606-debuginfo-9.16.6-22.7.1
      libisccc1600-9.16.6-22.7.1
      libisccc1600-debuginfo-9.16.6-22.7.1
      libisccfg1600-9.16.6-22.7.1
      libisccfg1600-debuginfo-9.16.6-22.7.1
      libns1604-9.16.6-22.7.1
      libns1604-debuginfo-9.16.6-22.7.1

- SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
      python3-bind-9.16.6-22.7.1

References:

https://www.suse.com/security/cve/CVE-2021-25214.html
https://www.suse.com/security/cve/CVE-2021-25215.html
https://bugzilla.suse.com/1183453
https://bugzilla.suse.com/1185073

From sle-security-updates at lists.suse.com Tue Jun 1 19:19:01 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 1 Jun 2021 21:19:01 +0200 (CEST)
Subject: SUSE-SU-2021:1825-1: important: Security update for lz4
Message-ID: <20210601191901.6A096FD14@maintenance.suse.de>

SUSE Security Update: Security update for lz4
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1825-1
Rating: important
References: #1185438
Cross-References: CVE-2021-3520
Affected Products:
      SUSE Linux Enterprise Module for Basesystem 15-SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for lz4 fixes the following issues:

- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1825=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
      liblz4-1-1.9.2-3.3.1
      liblz4-1-debuginfo-1.9.2-3.3.1
      liblz4-devel-1.9.2-3.3.1
      lz4-1.9.2-3.3.1
      lz4-debuginfo-1.9.2-3.3.1
      lz4-debugsource-1.9.2-3.3.1

- SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):
      liblz4-1-32bit-1.9.2-3.3.1
      liblz4-1-32bit-debuginfo-1.9.2-3.3.1

References:

https://www.suse.com/security/cve/CVE-2021-3520.html
https://bugzilla.suse.com/1185438

From sle-security-updates at lists.suse.com Wed Jun 2 16:17:00 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 2 Jun 2021 18:17:00 +0200 (CEST)
Subject: SUSE-SU-2021:1829-1: important: Security update for qemu
Message-ID: <20210602161700.A8ABDFD84@maintenance.suse.de>

SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1829-1
Rating: important
References: #1031692 #1094725 #1126455 #1149813 #1163019 #1172380 #1172382 #1175534 #1178935 #1179477 #1181933 #1182846 #1182975
Cross-References: CVE-2019-15890 CVE-2019-8934 CVE-2020-10756 CVE-2020-13754 CVE-2020-14364 CVE-2020-25723 CVE-2020-29130 CVE-2020-8608 CVE-2021-20221 CVE-2021-20257 CVE-2021-3419
CVSS scores:
      CVE-2019-15890 (SUSE): 5.8 CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
      CVE-2019-8934 (NVD) : 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
      CVE-2019-8934 (SUSE): 4 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
      CVE-2020-10756 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
      CVE-2020-10756 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
      CVE-2020-13754 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
      CVE-2020-13754 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L
      CVE-2020-14364 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
      CVE-2020-14364 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
      CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
      CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
      CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
      CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
      CVE-2020-8608 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
      CVE-2020-8608 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H
      CVE-2021-20221 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
      CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
      CVE-2021-3419 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:
      SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

An update that solves 11 vulnerabilities and has two fixes is now available.

Description:

This update for qemu fixes the following issues:

- Fix OOB access during mmio operations (CVE-2020-13754, bsc#1172382)
- Fix sPAPR emulator leaks the host hardware identity (CVE-2019-8934, bsc#1126455)
- Fix out-of-bounds read information disclosure in icmp6_send_echoreply (CVE-2020-10756, bsc#1172380)
- Fix out-of-bound heap buffer access via an interrupt ID field (CVE-2021-20221, bsc#1181933)
- For the record, these issues are fixed in this package already. Most are alternate references to previously mentioned issues: (CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019, CVE-2020-14364, bsc#1175534, CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477, CVE-2021-20257, bsc#1182846, CVE-2021-3419, bsc#1182975, bsc#1031692, bsc#1094725)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1829=1

Package List:

- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
      qemu-ipxe-1.0.0-41.65.1
      qemu-seabios-1.9.1_0_gb3ef39f-41.65.1
      qemu-sgabios-8-41.65.1
      qemu-vgabios-1.9.1_0_gb3ef39f-41.65.1

- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
      qemu-2.6.2-41.65.1
      qemu-block-curl-2.6.2-41.65.1
      qemu-block-curl-debuginfo-2.6.2-41.65.1
      qemu-block-rbd-2.6.2-41.65.1
      qemu-block-rbd-debuginfo-2.6.2-41.65.1
      qemu-block-ssh-2.6.2-41.65.1
      qemu-block-ssh-debuginfo-2.6.2-41.65.1
      qemu-debugsource-2.6.2-41.65.1
      qemu-guest-agent-2.6.2-41.65.1
      qemu-guest-agent-debuginfo-2.6.2-41.65.1
      qemu-kvm-2.6.2-41.65.1
      qemu-lang-2.6.2-41.65.1
      qemu-tools-2.6.2-41.65.1
      qemu-tools-debuginfo-2.6.2-41.65.1
      qemu-x86-2.6.2-41.65.1
      qemu-x86-debuginfo-2.6.2-41.65.1

References:

https://www.suse.com/security/cve/CVE-2019-15890.html
https://www.suse.com/security/cve/CVE-2019-8934.html
https://www.suse.com/security/cve/CVE-2020-10756.html
https://www.suse.com/security/cve/CVE-2020-13754.html
https://www.suse.com/security/cve/CVE-2020-14364.html
https://www.suse.com/security/cve/CVE-2020-25723.html
https://www.suse.com/security/cve/CVE-2020-29130.html
https://www.suse.com/security/cve/CVE-2020-8608.html
https://www.suse.com/security/cve/CVE-2021-20221.html
https://www.suse.com/security/cve/CVE-2021-20257.html
https://www.suse.com/security/cve/CVE-2021-3419.html
https://bugzilla.suse.com/1031692
https://bugzilla.suse.com/1094725
https://bugzilla.suse.com/1126455
https://bugzilla.suse.com/1149813
https://bugzilla.suse.com/1163019
https://bugzilla.suse.com/1172380
https://bugzilla.suse.com/1172382
https://bugzilla.suse.com/1175534
https://bugzilla.suse.com/1178935
https://bugzilla.suse.com/1179477
https://bugzilla.suse.com/1181933
https://bugzilla.suse.com/1182846
https://bugzilla.suse.com/1182975

From sle-security-updates at lists.suse.com Wed Jun 2 16:19:10 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 2 Jun 2021 18:19:10 +0200 (CEST)
Subject: SUSE-SU-2021:1830-1: critical: Security update for libwebp
Message-ID: <20210602161910.AB081FF1D@maintenance.suse.de>

SUSE Security Update: Security update for libwebp
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1830-1
Rating: critical
References: #1185652 #1185654 #1185673 #1185674 #1185685 #1185686 #1185690 #1185691 #1186247
Cross-References: CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332
CVSS scores:
      CVE-2018-25009 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
      CVE-2018-25009 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
      CVE-2018-25010 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
      CVE-2018-25010 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
      CVE-2018-25011 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
      CVE-2018-25011 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
      CVE-2018-25012 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
      CVE-2018-25012 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
      CVE-2018-25013 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
      CVE-2020-36329 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
      CVE-2020-36329 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
      CVE-2020-36330 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
      CVE-2020-36330 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
      CVE-2020-36331 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
      CVE-2020-36331 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
      CVE-2020-36332 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
      CVE-2020-36332 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
      SUSE OpenStack Cloud Crowbar 9
      SUSE OpenStack Cloud Crowbar 8
      SUSE OpenStack Cloud 9
      SUSE OpenStack Cloud 8
      SUSE OpenStack Cloud 7
      SUSE Linux Enterprise Software Development Kit 12-SP5
      SUSE Linux Enterprise Server for SAP 12-SP4
      SUSE Linux Enterprise Server for SAP 12-SP3
      SUSE Linux Enterprise Server 12-SP5
      SUSE Linux Enterprise Server 12-SP4-LTSS
      SUSE Linux Enterprise Server 12-SP3-LTSS
      SUSE Linux Enterprise Server 12-SP3-BCL
      SUSE Linux Enterprise Server 12-SP2-BCL
      HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes 9 vulnerabilities is now available.

Description:

This update for libwebp fixes the following issues:

- CVE-2018-25010: Fixed heap-based buffer overflow in ApplyFilter() (bsc#1185685).
- CVE-2020-36330: Fixed heap-based buffer overflow in ChunkVerifyAndAssign() (bsc#1185691).
- CVE-2020-36332: Fixed extreme memory allocation when reading a file (bsc#1185674).
- CVE-2020-36329: Fixed use-after-free in EmitFancyRGB() (bsc#1185652).
- CVE-2018-25012: Fixed heap-based buffer overflow in GetLE24() (bsc#1185690).
- CVE-2018-25013: Fixed heap-based buffer overflow in ShiftBytes() (bsc#1185654).
- CVE-2020-36331: Fixed heap-based buffer overflow in ChunkAssignData() (bsc#1185686).
- CVE-2018-25009: Fixed heap-based buffer overflow in GetLE16() (bsc#1185673).
- CVE-2018-25011: Fixed fail on multiple image chunks (bsc#1186247).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1830=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1830=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1830=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1830=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2021-1830=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1830=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1830=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1830=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1830=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1830=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1830=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1830=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1830=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1830=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): libwebp-debugsource-0.4.3-4.7.1 libwebp5-0.4.3-4.7.1 libwebp5-32bit-0.4.3-4.7.1 libwebp5-debuginfo-0.4.3-4.7.1 libwebp5-debuginfo-32bit-0.4.3-4.7.1 libwebpdemux1-0.4.3-4.7.1 libwebpdemux1-debuginfo-0.4.3-4.7.1 libwebpmux1-0.4.3-4.7.1 libwebpmux1-debuginfo-0.4.3-4.7.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): libwebp-debugsource-0.4.3-4.7.1 libwebp5-0.4.3-4.7.1 libwebp5-32bit-0.4.3-4.7.1 libwebp5-debuginfo-0.4.3-4.7.1 libwebp5-debuginfo-32bit-0.4.3-4.7.1 libwebpdemux1-0.4.3-4.7.1 libwebpdemux1-debuginfo-0.4.3-4.7.1 libwebpmux1-0.4.3-4.7.1 
libwebpmux1-debuginfo-0.4.3-4.7.1 - SUSE OpenStack Cloud 9 (x86_64): libwebp-debugsource-0.4.3-4.7.1 libwebp5-0.4.3-4.7.1 libwebp5-32bit-0.4.3-4.7.1 libwebp5-debuginfo-0.4.3-4.7.1 libwebp5-debuginfo-32bit-0.4.3-4.7.1 libwebpdemux1-0.4.3-4.7.1 libwebpdemux1-debuginfo-0.4.3-4.7.1 libwebpmux1-0.4.3-4.7.1 libwebpmux1-debuginfo-0.4.3-4.7.1 - SUSE OpenStack Cloud 8 (x86_64): libwebp-debugsource-0.4.3-4.7.1 libwebp5-0.4.3-4.7.1 libwebp5-32bit-0.4.3-4.7.1 libwebp5-debuginfo-0.4.3-4.7.1 libwebp5-debuginfo-32bit-0.4.3-4.7.1 libwebpdemux1-0.4.3-4.7.1 libwebpdemux1-debuginfo-0.4.3-4.7.1 libwebpmux1-0.4.3-4.7.1 libwebpmux1-debuginfo-0.4.3-4.7.1 - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64): libwebp-debugsource-0.4.3-4.7.1 libwebpmux1-0.4.3-4.7.1 libwebpmux1-debuginfo-0.4.3-4.7.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libwebp-debugsource-0.4.3-4.7.1 libwebp-devel-0.4.3-4.7.1 libwebpdecoder1-0.4.3-4.7.1 libwebpdecoder1-debuginfo-0.4.3-4.7.1 libwebpmux1-0.4.3-4.7.1 libwebpmux1-debuginfo-0.4.3-4.7.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): libwebp-debugsource-0.4.3-4.7.1 libwebp5-0.4.3-4.7.1 libwebp5-debuginfo-0.4.3-4.7.1 libwebpdemux1-0.4.3-4.7.1 libwebpdemux1-debuginfo-0.4.3-4.7.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64): libwebp5-32bit-0.4.3-4.7.1 libwebp5-debuginfo-32bit-0.4.3-4.7.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libwebp-debugsource-0.4.3-4.7.1 libwebp5-0.4.3-4.7.1 libwebp5-debuginfo-0.4.3-4.7.1 libwebpdemux1-0.4.3-4.7.1 libwebpdemux1-debuginfo-0.4.3-4.7.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libwebp5-32bit-0.4.3-4.7.1 libwebp5-debuginfo-32bit-0.4.3-4.7.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libwebp-debugsource-0.4.3-4.7.1 libwebp5-0.4.3-4.7.1 libwebp5-debuginfo-0.4.3-4.7.1 libwebpdemux1-0.4.3-4.7.1 libwebpdemux1-debuginfo-0.4.3-4.7.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): 
libwebp5-32bit-0.4.3-4.7.1 libwebp5-debuginfo-32bit-0.4.3-4.7.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): libwebp-debugsource-0.4.3-4.7.1 libwebp5-0.4.3-4.7.1 libwebp5-debuginfo-0.4.3-4.7.1 libwebpdemux1-0.4.3-4.7.1 libwebpdemux1-debuginfo-0.4.3-4.7.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64): libwebp5-32bit-0.4.3-4.7.1 libwebp5-debuginfo-32bit-0.4.3-4.7.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libwebp-debugsource-0.4.3-4.7.1 libwebp5-0.4.3-4.7.1 libwebp5-debuginfo-0.4.3-4.7.1 libwebpdemux1-0.4.3-4.7.1 libwebpdemux1-debuginfo-0.4.3-4.7.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libwebp5-32bit-0.4.3-4.7.1 libwebp5-debuginfo-32bit-0.4.3-4.7.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libwebp-debugsource-0.4.3-4.7.1 libwebp5-0.4.3-4.7.1 libwebp5-32bit-0.4.3-4.7.1 libwebp5-debuginfo-0.4.3-4.7.1 libwebp5-debuginfo-32bit-0.4.3-4.7.1 libwebpdemux1-0.4.3-4.7.1 libwebpdemux1-debuginfo-0.4.3-4.7.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libwebp-debugsource-0.4.3-4.7.1 libwebp5-0.4.3-4.7.1 libwebp5-32bit-0.4.3-4.7.1 libwebp5-debuginfo-0.4.3-4.7.1 libwebp5-debuginfo-32bit-0.4.3-4.7.1 libwebpdemux1-0.4.3-4.7.1 libwebpdemux1-debuginfo-0.4.3-4.7.1 - HPE Helion Openstack 8 (x86_64): libwebp-debugsource-0.4.3-4.7.1 libwebp5-0.4.3-4.7.1 libwebp5-32bit-0.4.3-4.7.1 libwebp5-debuginfo-0.4.3-4.7.1 libwebp5-debuginfo-32bit-0.4.3-4.7.1 libwebpdemux1-0.4.3-4.7.1 libwebpdemux1-debuginfo-0.4.3-4.7.1 libwebpmux1-0.4.3-4.7.1 libwebpmux1-debuginfo-0.4.3-4.7.1 References: https://www.suse.com/security/cve/CVE-2018-25009.html https://www.suse.com/security/cve/CVE-2018-25010.html https://www.suse.com/security/cve/CVE-2018-25011.html https://www.suse.com/security/cve/CVE-2018-25012.html https://www.suse.com/security/cve/CVE-2018-25013.html https://www.suse.com/security/cve/CVE-2020-36329.html https://www.suse.com/security/cve/CVE-2020-36330.html 
https://www.suse.com/security/cve/CVE-2020-36331.html https://www.suse.com/security/cve/CVE-2020-36332.html https://bugzilla.suse.com/1185652 https://bugzilla.suse.com/1185654 https://bugzilla.suse.com/1185673 https://bugzilla.suse.com/1185674 https://bugzilla.suse.com/1185685 https://bugzilla.suse.com/1185686 https://bugzilla.suse.com/1185690 https://bugzilla.suse.com/1185691 https://bugzilla.suse.com/1186247 From sle-security-updates at lists.suse.com Wed Jun 2 19:15:50 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 2 Jun 2021 21:15:50 +0200 (CEST) Subject: SUSE-SU-2021:1840-1: important: Security update for xstream Message-ID: <20210602191550.9BA03FD07@maintenance.suse.de> SUSE Security Update: Security update for xstream ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1840-1 Rating: important References: #1184372 #1184373 #1184374 #1184375 #1184376 #1184377 #1184378 #1184379 #1184380 #1184796 #1184797 Cross-References: CVE-2021-21341 CVE-2021-21342 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350 CVE-2021-21351 CVSS scores: CVE-2021-21341 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-21341 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-21342 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2021-21342 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2021-21343 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2021-21343 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2021-21344 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-21344 (SUSE): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2021-21345 (NVD) : 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-21345 (SUSE): 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-21346 (NVD) : 9.8 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-21346 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-21347 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-21347 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-21348 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-21348 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-21349 (NVD) : 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2021-21349 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-21350 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-21350 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-21351 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2021-21351 (SUSE): 8 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for SUSE Manager Server 4.1 SUSE Linux Enterprise Module for Development Tools 15-SP3 SUSE Linux Enterprise Module for Development Tools 15-SP2 ______________________________________________________________________________ An update that fixes 11 vulnerabilities is now available. 
Description: This update for xstream fixes the following issues: - Upgrade to 1.4.16 - CVE-2021-21351: remote attacker to load and execute arbitrary code (bsc#1184796) - CVE-2021-21349: SSRF can lead to a remote attacker to request data from internal resources (bsc#1184797) - CVE-2021-21350: arbitrary code execution (bsc#1184380) - CVE-2021-21348: remote attacker could cause denial of service by consuming maximum CPU time (bsc#1184374) - CVE-2021-21347: remote attacker to load and execute arbitrary code from a remote host (bsc#1184378) - CVE-2021-21344: remote attacker could load and execute arbitrary code from a remote host (bsc#1184375) - CVE-2021-21342: server-side forgery (bsc#1184379) - CVE-2021-21341: remote attacker could cause a denial of service by allocating 100% CPU time (bsc#1184377) - CVE-2021-21346: remote attacker could load and execute arbitrary code (bsc#1184373) - CVE-2021-21345: remote attacker with sufficient rights could execute commands (bsc#1184372) - CVE-2021-21343: replace or inject objects, that result in the deletion of files on the local host (bsc#1184376) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SUSE Manager Server 4.1: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-1840=1 - SUSE Linux Enterprise Module for Development Tools 15-SP3: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-1840=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-1840=1 Package List: - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch): xstream-1.4.16-3.8.1 - SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch): xstream-1.4.16-3.8.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch): xstream-1.4.16-3.8.1 References: https://www.suse.com/security/cve/CVE-2021-21341.html https://www.suse.com/security/cve/CVE-2021-21342.html https://www.suse.com/security/cve/CVE-2021-21343.html https://www.suse.com/security/cve/CVE-2021-21344.html https://www.suse.com/security/cve/CVE-2021-21345.html https://www.suse.com/security/cve/CVE-2021-21346.html https://www.suse.com/security/cve/CVE-2021-21347.html https://www.suse.com/security/cve/CVE-2021-21348.html https://www.suse.com/security/cve/CVE-2021-21349.html https://www.suse.com/security/cve/CVE-2021-21350.html https://www.suse.com/security/cve/CVE-2021-21351.html https://bugzilla.suse.com/1184372 https://bugzilla.suse.com/1184373 https://bugzilla.suse.com/1184374 https://bugzilla.suse.com/1184375 https://bugzilla.suse.com/1184376 https://bugzilla.suse.com/1184377 https://bugzilla.suse.com/1184378 https://bugzilla.suse.com/1184379 https://bugzilla.suse.com/1184380 https://bugzilla.suse.com/1184796 https://bugzilla.suse.com/1184797 From sle-security-updates at lists.suse.com Wed Jun 2 19:17:42 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 2 Jun 2021 21:17:42 +0200 (CEST) Subject: SUSE-SU-2021:1839-1: important: Security update for nginx 
Message-ID: <20210602191742.2132EFD07@maintenance.suse.de> SUSE Security Update: Security update for nginx ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1839-1 Rating: important References: #1186126 Cross-References: CVE-2021-23017 CVSS scores: CVE-2021-23017 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for nginx fixes the following issues: - CVE-2021-23017: nginx DNS resolver off-by-one heap write (bsc#1186126) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1839=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1839=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1839=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1839=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1839=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1839=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1839=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1839=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1839=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): nginx-1.16.1-6.13.1 nginx-debuginfo-1.16.1-6.13.1 nginx-debugsource-1.16.1-6.13.1 - SUSE Manager Server 4.0 (noarch): nginx-source-1.16.1-6.13.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): nginx-1.16.1-6.13.1 nginx-debuginfo-1.16.1-6.13.1 nginx-debugsource-1.16.1-6.13.1 - SUSE Manager Retail Branch Server 4.0 (noarch): nginx-source-1.16.1-6.13.1 - SUSE Manager Proxy 4.0 (noarch): nginx-source-1.16.1-6.13.1 - SUSE Manager Proxy 4.0 (x86_64): nginx-1.16.1-6.13.1 nginx-debuginfo-1.16.1-6.13.1 nginx-debugsource-1.16.1-6.13.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): nginx-1.16.1-6.13.1 nginx-debuginfo-1.16.1-6.13.1 nginx-debugsource-1.16.1-6.13.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): nginx-source-1.16.1-6.13.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): nginx-1.16.1-6.13.1 nginx-debuginfo-1.16.1-6.13.1 nginx-debugsource-1.16.1-6.13.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): nginx-source-1.16.1-6.13.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): nginx-1.16.1-6.13.1 nginx-debuginfo-1.16.1-6.13.1 nginx-debugsource-1.16.1-6.13.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): nginx-source-1.16.1-6.13.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): nginx-1.16.1-6.13.1 nginx-debuginfo-1.16.1-6.13.1 nginx-debugsource-1.16.1-6.13.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): nginx-source-1.16.1-6.13.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): nginx-1.16.1-6.13.1 nginx-debuginfo-1.16.1-6.13.1 nginx-debugsource-1.16.1-6.13.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): nginx-source-1.16.1-6.13.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): nginx-1.16.1-6.13.1 nginx-debuginfo-1.16.1-6.13.1 nginx-debugsource-1.16.1-6.13.1 - SUSE Enterprise Storage 6 (noarch): nginx-source-1.16.1-6.13.1 - 
SUSE CaaS Platform 4.0 (noarch): nginx-source-1.16.1-6.13.1 - SUSE CaaS Platform 4.0 (x86_64): nginx-1.16.1-6.13.1 nginx-debuginfo-1.16.1-6.13.1 nginx-debugsource-1.16.1-6.13.1 References: https://www.suse.com/security/cve/CVE-2021-23017.html https://bugzilla.suse.com/1186126 From sle-security-updates at lists.suse.com Wed Jun 2 19:18:57 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 2 Jun 2021 21:18:57 +0200 (CEST) Subject: SUSE-SU-2021:1841-1: important: Security update for dhcp Message-ID: <20210602191857.2B1E7FD07@maintenance.suse.de> SUSE Security Update: Security update for dhcp ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1841-1 Rating: important References: #1186382 Cross-References: CVE-2021-25217 CVSS scores: CVE-2021-25217 (SUSE): 7.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Server Applications 15-SP3 SUSE Linux Enterprise Module for Server Applications 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for dhcp fixes the following issues: - CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1841=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1841=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1841=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1841=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1841=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1841=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1841=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1841=1 - SUSE Linux Enterprise Module for Server Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-1841=1 - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-1841=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1841=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1841=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1841=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch 
SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1841=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1841=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1841=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1841=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 dhcp-server-debuginfo-4.3.6.P1-6.11.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 dhcp-server-debuginfo-4.3.6.P1-6.11.1 - SUSE Manager Proxy 4.0 (x86_64): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 dhcp-server-debuginfo-4.3.6.P1-6.11.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 
dhcp-server-debuginfo-4.3.6.P1-6.11.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 dhcp-server-debuginfo-4.3.6.P1-6.11.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 dhcp-server-debuginfo-4.3.6.P1-6.11.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 dhcp-server-debuginfo-4.3.6.P1-6.11.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 dhcp-server-debuginfo-4.3.6.P1-6.11.1 - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64): dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 dhcp-server-debuginfo-4.3.6.P1-6.11.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 
dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 dhcp-server-debuginfo-4.3.6.P1-6.11.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 dhcp-server-debuginfo-4.3.6.P1-6.11.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 dhcp-server-debuginfo-4.3.6.P1-6.11.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 dhcp-server-debuginfo-4.3.6.P1-6.11.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 
dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 dhcp-server-debuginfo-4.3.6.P1-6.11.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 dhcp-server-debuginfo-4.3.6.P1-6.11.1 - SUSE CaaS Platform 4.0 (x86_64): dhcp-4.3.6.P1-6.11.1 dhcp-client-4.3.6.P1-6.11.1 dhcp-client-debuginfo-4.3.6.P1-6.11.1 dhcp-debuginfo-4.3.6.P1-6.11.1 dhcp-debugsource-4.3.6.P1-6.11.1 dhcp-devel-4.3.6.P1-6.11.1 dhcp-relay-4.3.6.P1-6.11.1 dhcp-relay-debuginfo-4.3.6.P1-6.11.1 dhcp-server-4.3.6.P1-6.11.1 dhcp-server-debuginfo-4.3.6.P1-6.11.1 References: https://www.suse.com/security/cve/CVE-2021-25217.html https://bugzilla.suse.com/1186382 From sle-security-updates at lists.suse.com Wed Jun 2 19:20:10 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 2 Jun 2021 21:20:10 +0200 (CEST) Subject: SUSE-SU-2021:1834-1: important: Security update for ceph Message-ID: <20210602192010.76B9AFD07@maintenance.suse.de> SUSE Security Update: Security update for ceph ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1834-1 Rating: important References: #1185619 #1186020 #1186021 Cross-References: CVE-2021-3509 CVE-2021-3524 CVE-2021-3531 CVSS scores: CVE-2021-3509 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-3524 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-3524 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-3531 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-3531 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE MicroOS 5.0 SUSE 
Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Enterprise Storage 7 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for ceph fixes the following issues: - Update to 15.2.12-83-g528da226523: - (CVE-2021-3509) fix cookie injection issue (bsc#1186021) - (CVE-2021-3531) RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name (bsc#1186020) - (CVE-2021-3524) sanitize \r in s3 CORSConfiguration's ExposeHeader (bsc#1185619) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1834=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1834=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1834=1 - SUSE Enterprise Storage 7: zypper in -t patch SUSE-Storage-7-2021-1834=1 Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): librados2-15.2.12.83+g528da226523-3.25.1 librados2-debuginfo-15.2.12.83+g528da226523-3.25.1 librbd1-15.2.12.83+g528da226523-3.25.1 librbd1-debuginfo-15.2.12.83+g528da226523-3.25.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): ceph-common-15.2.12.83+g528da226523-3.25.1 ceph-common-debuginfo-15.2.12.83+g528da226523-3.25.1 ceph-debugsource-15.2.12.83+g528da226523-3.25.1 libcephfs-devel-15.2.12.83+g528da226523-3.25.1 libcephfs2-15.2.12.83+g528da226523-3.25.1 libcephfs2-debuginfo-15.2.12.83+g528da226523-3.25.1 librados-devel-15.2.12.83+g528da226523-3.25.1 librados-devel-debuginfo-15.2.12.83+g528da226523-3.25.1 librados2-15.2.12.83+g528da226523-3.25.1 librados2-debuginfo-15.2.12.83+g528da226523-3.25.1 
libradospp-devel-15.2.12.83+g528da226523-3.25.1 librbd-devel-15.2.12.83+g528da226523-3.25.1 librbd1-15.2.12.83+g528da226523-3.25.1 librbd1-debuginfo-15.2.12.83+g528da226523-3.25.1 librgw-devel-15.2.12.83+g528da226523-3.25.1 librgw2-15.2.12.83+g528da226523-3.25.1 librgw2-debuginfo-15.2.12.83+g528da226523-3.25.1 python3-ceph-argparse-15.2.12.83+g528da226523-3.25.1 python3-ceph-common-15.2.12.83+g528da226523-3.25.1 python3-cephfs-15.2.12.83+g528da226523-3.25.1 python3-cephfs-debuginfo-15.2.12.83+g528da226523-3.25.1 python3-rados-15.2.12.83+g528da226523-3.25.1 python3-rados-debuginfo-15.2.12.83+g528da226523-3.25.1 python3-rbd-15.2.12.83+g528da226523-3.25.1 python3-rbd-debuginfo-15.2.12.83+g528da226523-3.25.1 python3-rgw-15.2.12.83+g528da226523-3.25.1 python3-rgw-debuginfo-15.2.12.83+g528da226523-3.25.1 rados-objclass-devel-15.2.12.83+g528da226523-3.25.1 rbd-nbd-15.2.12.83+g528da226523-3.25.1 rbd-nbd-debuginfo-15.2.12.83+g528da226523-3.25.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): ceph-common-15.2.12.83+g528da226523-3.25.1 ceph-common-debuginfo-15.2.12.83+g528da226523-3.25.1 ceph-debugsource-15.2.12.83+g528da226523-3.25.1 libcephfs-devel-15.2.12.83+g528da226523-3.25.1 libcephfs2-15.2.12.83+g528da226523-3.25.1 libcephfs2-debuginfo-15.2.12.83+g528da226523-3.25.1 librados-devel-15.2.12.83+g528da226523-3.25.1 librados-devel-debuginfo-15.2.12.83+g528da226523-3.25.1 librados2-15.2.12.83+g528da226523-3.25.1 librados2-debuginfo-15.2.12.83+g528da226523-3.25.1 libradospp-devel-15.2.12.83+g528da226523-3.25.1 librbd-devel-15.2.12.83+g528da226523-3.25.1 librbd1-15.2.12.83+g528da226523-3.25.1 librbd1-debuginfo-15.2.12.83+g528da226523-3.25.1 librgw-devel-15.2.12.83+g528da226523-3.25.1 librgw2-15.2.12.83+g528da226523-3.25.1 librgw2-debuginfo-15.2.12.83+g528da226523-3.25.1 python3-ceph-argparse-15.2.12.83+g528da226523-3.25.1 python3-ceph-common-15.2.12.83+g528da226523-3.25.1 python3-cephfs-15.2.12.83+g528da226523-3.25.1 
python3-cephfs-debuginfo-15.2.12.83+g528da226523-3.25.1 python3-rados-15.2.12.83+g528da226523-3.25.1 python3-rados-debuginfo-15.2.12.83+g528da226523-3.25.1 python3-rbd-15.2.12.83+g528da226523-3.25.1 python3-rbd-debuginfo-15.2.12.83+g528da226523-3.25.1 python3-rgw-15.2.12.83+g528da226523-3.25.1 python3-rgw-debuginfo-15.2.12.83+g528da226523-3.25.1 rados-objclass-devel-15.2.12.83+g528da226523-3.25.1 rbd-nbd-15.2.12.83+g528da226523-3.25.1 rbd-nbd-debuginfo-15.2.12.83+g528da226523-3.25.1 - SUSE Enterprise Storage 7 (aarch64 x86_64): ceph-base-15.2.12.83+g528da226523-3.25.1 ceph-base-debuginfo-15.2.12.83+g528da226523-3.25.1 ceph-common-15.2.12.83+g528da226523-3.25.1 ceph-common-debuginfo-15.2.12.83+g528da226523-3.25.1 ceph-debugsource-15.2.12.83+g528da226523-3.25.1 libcephfs2-15.2.12.83+g528da226523-3.25.1 libcephfs2-debuginfo-15.2.12.83+g528da226523-3.25.1 librados2-15.2.12.83+g528da226523-3.25.1 librados2-debuginfo-15.2.12.83+g528da226523-3.25.1 librbd1-15.2.12.83+g528da226523-3.25.1 librbd1-debuginfo-15.2.12.83+g528da226523-3.25.1 librgw2-15.2.12.83+g528da226523-3.25.1 librgw2-debuginfo-15.2.12.83+g528da226523-3.25.1 python3-ceph-argparse-15.2.12.83+g528da226523-3.25.1 python3-ceph-common-15.2.12.83+g528da226523-3.25.1 python3-cephfs-15.2.12.83+g528da226523-3.25.1 python3-cephfs-debuginfo-15.2.12.83+g528da226523-3.25.1 python3-rados-15.2.12.83+g528da226523-3.25.1 python3-rados-debuginfo-15.2.12.83+g528da226523-3.25.1 python3-rbd-15.2.12.83+g528da226523-3.25.1 python3-rbd-debuginfo-15.2.12.83+g528da226523-3.25.1 python3-rgw-15.2.12.83+g528da226523-3.25.1 python3-rgw-debuginfo-15.2.12.83+g528da226523-3.25.1 rbd-nbd-15.2.12.83+g528da226523-3.25.1 rbd-nbd-debuginfo-15.2.12.83+g528da226523-3.25.1 - SUSE Enterprise Storage 7 (noarch): cephadm-15.2.12.83+g528da226523-3.25.1 References: https://www.suse.com/security/cve/CVE-2021-3509.html https://www.suse.com/security/cve/CVE-2021-3524.html https://www.suse.com/security/cve/CVE-2021-3531.html https://bugzilla.suse.com/1185619 
https://bugzilla.suse.com/1186020 https://bugzilla.suse.com/1186021 From sle-security-updates at lists.suse.com Wed Jun 2 19:22:41 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 2 Jun 2021 21:22:41 +0200 (CEST) Subject: SUSE-SU-2021:1837-1: important: Security update for qemu Message-ID: <20210602192241.2436AFD07@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1837-1 Rating: important References: #1149813 #1163019 #1172380 #1175534 #1176681 #1178683 #1178935 #1179477 #1179484 #1179725 #1182846 #1182975 #1186290 Cross-References: CVE-2019-15890 CVE-2020-10756 CVE-2020-14364 CVE-2020-25085 CVE-2020-25707 CVE-2020-25723 CVE-2020-29129 CVE-2020-29130 CVE-2020-8608 CVE-2021-20257 CVE-2021-3419 CVSS scores: CVE-2019-15890 (SUSE): 5.8 CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2020-10756 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2020-10756 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2020-14364 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-14364 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25085 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25085 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25707 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-29129 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29129 (SUSE): 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-8608 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-8608 (SUSE): 7 
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-3419 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that solves 11 vulnerabilities and has two fixes is now available. Description: This update for qemu fixes the following issues: - Fix out-of-bounds access issue while doing multi block SDMA (CVE-2020-25085, bsc#1176681) - Fix out-of-bounds read information disclosure in icmp6_send_echoreply (CVE-2020-10756, bsc#1172380) - QEMU BIOS fails to read stage2 loader on s390x (bsc#1186290) - Change dependency from CONFIG_VFIO back to CONFIG_LINUX (bsc#1179725) - For the record, these issues are fixed in this package already. Most are alternate references to previously mentioned issues: (CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019, CVE-2020-14364, bsc#1175534, CVE-2020-25707, bsc#1178683, CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477, CVE-2020-29129, bsc#1179484, CVE-2021-20257, bsc#1182846, CVE-2021-3419, bsc#1182975) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1837=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): qemu-3.1.1.1-51.1 qemu-audio-alsa-3.1.1.1-51.1 qemu-audio-alsa-debuginfo-3.1.1.1-51.1 qemu-audio-oss-3.1.1.1-51.1 qemu-audio-oss-debuginfo-3.1.1.1-51.1 qemu-audio-pa-3.1.1.1-51.1 qemu-audio-pa-debuginfo-3.1.1.1-51.1 qemu-audio-sdl-3.1.1.1-51.1 qemu-audio-sdl-debuginfo-3.1.1.1-51.1 qemu-block-curl-3.1.1.1-51.1 qemu-block-curl-debuginfo-3.1.1.1-51.1 qemu-block-iscsi-3.1.1.1-51.1 qemu-block-iscsi-debuginfo-3.1.1.1-51.1 qemu-block-ssh-3.1.1.1-51.1 qemu-block-ssh-debuginfo-3.1.1.1-51.1 qemu-debugsource-3.1.1.1-51.1 qemu-guest-agent-3.1.1.1-51.1 qemu-guest-agent-debuginfo-3.1.1.1-51.1 qemu-lang-3.1.1.1-51.1 qemu-tools-3.1.1.1-51.1 qemu-tools-debuginfo-3.1.1.1-51.1 qemu-ui-curses-3.1.1.1-51.1 qemu-ui-curses-debuginfo-3.1.1.1-51.1 qemu-ui-gtk-3.1.1.1-51.1 qemu-ui-gtk-debuginfo-3.1.1.1-51.1 qemu-ui-sdl-3.1.1.1-51.1 qemu-ui-sdl-debuginfo-3.1.1.1-51.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 x86_64): qemu-block-rbd-3.1.1.1-51.1 qemu-block-rbd-debuginfo-3.1.1.1-51.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): qemu-kvm-3.1.1.1-51.1 - SUSE Linux Enterprise Server 12-SP5 (ppc64le): qemu-ppc-3.1.1.1-51.1 qemu-ppc-debuginfo-3.1.1.1-51.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64): qemu-arm-3.1.1.1-51.1 qemu-arm-debuginfo-3.1.1.1-51.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): qemu-ipxe-1.0.0+-51.1 qemu-seabios-1.12.0_0_ga698c89-51.1 qemu-sgabios-8-51.1 qemu-vgabios-1.12.0_0_ga698c89-51.1 - SUSE Linux Enterprise Server 12-SP5 (x86_64): qemu-x86-3.1.1.1-51.1 - SUSE Linux Enterprise Server 12-SP5 (s390x): qemu-s390-3.1.1.1-51.1 qemu-s390-debuginfo-3.1.1.1-51.1 References: https://www.suse.com/security/cve/CVE-2019-15890.html https://www.suse.com/security/cve/CVE-2020-10756.html 
https://www.suse.com/security/cve/CVE-2020-14364.html https://www.suse.com/security/cve/CVE-2020-25085.html https://www.suse.com/security/cve/CVE-2020-25707.html https://www.suse.com/security/cve/CVE-2020-25723.html https://www.suse.com/security/cve/CVE-2020-29129.html https://www.suse.com/security/cve/CVE-2020-29130.html https://www.suse.com/security/cve/CVE-2020-8608.html https://www.suse.com/security/cve/CVE-2021-20257.html https://www.suse.com/security/cve/CVE-2021-3419.html https://bugzilla.suse.com/1149813 https://bugzilla.suse.com/1163019 https://bugzilla.suse.com/1172380 https://bugzilla.suse.com/1175534 https://bugzilla.suse.com/1176681 https://bugzilla.suse.com/1178683 https://bugzilla.suse.com/1178935 https://bugzilla.suse.com/1179477 https://bugzilla.suse.com/1179484 https://bugzilla.suse.com/1179725 https://bugzilla.suse.com/1182846 https://bugzilla.suse.com/1182975 https://bugzilla.suse.com/1186290 From sle-security-updates at lists.suse.com Wed Jun 2 19:27:27 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 2 Jun 2021 21:27:27 +0200 (CEST) Subject: SUSE-SU-2021:1838-1: important: Security update for squid Message-ID: <20210602192728.00741FD07@maintenance.suse.de> SUSE Security Update: Security update for squid ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1838-1 Rating: important References: #1171164 #1171569 #1183436 #1185916 #1185918 #1185919 #1185921 #1185923 Cross-References: CVE-2020-25097 CVE-2021-28651 CVE-2021-28652 CVE-2021-28662 CVE-2021-31806 CVSS scores: CVE-2020-25097 (NVD) : 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2020-25097 (SUSE): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2021-28651 (SUSE): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H CVE-2021-28652 (SUSE): 6.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2021-28662 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-31806 
(SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has three fixes is now available. Description: This update for squid fixes the following issues: - update to 4.15: - CVE-2021-28652: Broken cache manager URL parsing (bsc#1185918) - CVE-2021-28651: Memory leak in RFC 2169 response parsing (bsc#1185921) - CVE-2021-28662: Limit HeaderLookupTable_t::lookup() to BadHdr and specific IDs (bsc#1185919) - CVE-2021-31806: Handle more Range requests (bsc#1185916) - CVE-2020-25097: HTTP Request Smuggling vulnerability (bsc#1183436) - Handle more partial responses (bsc#1185923) - fix previous change to reinstate permissions macros, because the wrong path has been used (bsc#1171569). - use libexecdir instead of libdir to conform to recent changes in Factory (bsc#1171164). - Reinstate permissions macros for pinger binary, because the permissions package is also responsible for setting up the cap_net_raw capability, currently a fresh squid install doesn't get a capability bit at all (bsc#1171569). - Change pinger and basic_pam_auth helper to use standard permissions. pinger uses cap_net_raw=ep instead (bsc#1171569) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1838=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): squid-4.15-4.18.1 squid-debuginfo-4.15-4.18.1 squid-debugsource-4.15-4.18.1 References: https://www.suse.com/security/cve/CVE-2020-25097.html https://www.suse.com/security/cve/CVE-2021-28651.html https://www.suse.com/security/cve/CVE-2021-28652.html https://www.suse.com/security/cve/CVE-2021-28662.html https://www.suse.com/security/cve/CVE-2021-31806.html https://bugzilla.suse.com/1171164 https://bugzilla.suse.com/1171569 https://bugzilla.suse.com/1183436 https://bugzilla.suse.com/1185916 https://bugzilla.suse.com/1185918 https://bugzilla.suse.com/1185919 https://bugzilla.suse.com/1185921 https://bugzilla.suse.com/1185923 From sle-security-updates at lists.suse.com Wed Jun 2 19:31:01 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 2 Jun 2021 21:31:01 +0200 (CEST) Subject: SUSE-SU-2021:1835-1: important: Security update for ceph Message-ID: <20210602193101.BA839FD07@maintenance.suse.de> SUSE Security Update: Security update for ceph ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1835-1 Rating: important References: #1185619 #1186020 #1186021 Cross-References: CVE-2021-3509 CVE-2021-3524 CVE-2021-3531 CVSS scores: CVE-2021-3509 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-3524 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-3524 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-3531 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-3531 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux 
Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for ceph fixes the following issues: - Update to 15.2.12-83-g528da226523: - (CVE-2021-3509) fix cookie injection issue (bsc#1186021) - (CVE-2021-3531) RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name (bsc#1186020) - (CVE-2021-3524) sanitize \r in s3 CORSConfiguration's ExposeHeader (bsc#1185619) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1835=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1835=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1835=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1835=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1835=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1835=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1835=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1835=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1835=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. 
It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): ceph-common-14.2.21.403+g69ab6ea274d-3.63.1 ceph-common-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 ceph-debugsource-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs-devel-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados2-14.2.21.403+g69ab6ea274d-3.63.1 librados2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 libradospp-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librgw-devel-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-ceph-argparse-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 rados-objclass-devel-14.2.21.403+g69ab6ea274d-3.63.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): ceph-common-14.2.21.403+g69ab6ea274d-3.63.1 ceph-common-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 ceph-debugsource-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs-devel-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados2-14.2.21.403+g69ab6ea274d-3.63.1 
librados2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 libradospp-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librgw-devel-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-ceph-argparse-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 rados-objclass-devel-14.2.21.403+g69ab6ea274d-3.63.1 - SUSE Manager Proxy 4.0 (x86_64): ceph-common-14.2.21.403+g69ab6ea274d-3.63.1 ceph-common-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 ceph-debugsource-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs-devel-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados2-14.2.21.403+g69ab6ea274d-3.63.1 librados2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 libradospp-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librgw-devel-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-ceph-argparse-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 
python3-rbd-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 rados-objclass-devel-14.2.21.403+g69ab6ea274d-3.63.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): ceph-common-14.2.21.403+g69ab6ea274d-3.63.1 ceph-common-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 ceph-debugsource-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs-devel-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados2-14.2.21.403+g69ab6ea274d-3.63.1 librados2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 libradospp-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librgw-devel-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-ceph-argparse-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 rados-objclass-devel-14.2.21.403+g69ab6ea274d-3.63.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): ceph-common-14.2.21.403+g69ab6ea274d-3.63.1 ceph-common-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 ceph-debugsource-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs-devel-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 
librados-devel-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados2-14.2.21.403+g69ab6ea274d-3.63.1 librados2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 libradospp-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librgw-devel-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-ceph-argparse-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 rados-objclass-devel-14.2.21.403+g69ab6ea274d-3.63.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): ceph-common-14.2.21.403+g69ab6ea274d-3.63.1 ceph-common-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 ceph-debugsource-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs-devel-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados2-14.2.21.403+g69ab6ea274d-3.63.1 librados2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 libradospp-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librgw-devel-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-ceph-argparse-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-14.2.21.403+g69ab6ea274d-3.63.1 
python3-cephfs-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 rados-objclass-devel-14.2.21.403+g69ab6ea274d-3.63.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): ceph-common-14.2.21.403+g69ab6ea274d-3.63.1 ceph-common-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 ceph-debugsource-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs-devel-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados2-14.2.21.403+g69ab6ea274d-3.63.1 librados2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 libradospp-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librgw-devel-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-ceph-argparse-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 rados-objclass-devel-14.2.21.403+g69ab6ea274d-3.63.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): ceph-common-14.2.21.403+g69ab6ea274d-3.63.1 ceph-common-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 
ceph-debugsource-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs-devel-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados2-14.2.21.403+g69ab6ea274d-3.63.1 librados2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 libradospp-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librgw-devel-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-ceph-argparse-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 rados-objclass-devel-14.2.21.403+g69ab6ea274d-3.63.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): ceph-14.2.21.403+g69ab6ea274d-3.63.1 ceph-base-14.2.21.403+g69ab6ea274d-3.63.1 ceph-base-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 ceph-common-14.2.21.403+g69ab6ea274d-3.63.1 ceph-common-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 ceph-debugsource-14.2.21.403+g69ab6ea274d-3.63.1 ceph-fuse-14.2.21.403+g69ab6ea274d-3.63.1 ceph-fuse-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 ceph-mds-14.2.21.403+g69ab6ea274d-3.63.1 ceph-mds-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 ceph-mgr-14.2.21.403+g69ab6ea274d-3.63.1 ceph-mgr-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 ceph-mon-14.2.21.403+g69ab6ea274d-3.63.1 ceph-mon-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 ceph-osd-14.2.21.403+g69ab6ea274d-3.63.1 
ceph-osd-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 ceph-radosgw-14.2.21.403+g69ab6ea274d-3.63.1 ceph-radosgw-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 cephfs-shell-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs-devel-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados2-14.2.21.403+g69ab6ea274d-3.63.1 librados2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 libradospp-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librgw-devel-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-ceph-argparse-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 rados-objclass-devel-14.2.21.403+g69ab6ea274d-3.63.1 rbd-fuse-14.2.21.403+g69ab6ea274d-3.63.1 rbd-fuse-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 rbd-mirror-14.2.21.403+g69ab6ea274d-3.63.1 rbd-mirror-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 rbd-nbd-14.2.21.403+g69ab6ea274d-3.63.1 rbd-nbd-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 - SUSE Enterprise Storage 6 (noarch): ceph-grafana-dashboards-14.2.21.403+g69ab6ea274d-3.63.1 ceph-mgr-dashboard-14.2.21.403+g69ab6ea274d-3.63.1 ceph-mgr-diskprediction-local-14.2.21.403+g69ab6ea274d-3.63.1 ceph-mgr-rook-14.2.21.403+g69ab6ea274d-3.63.1 ceph-prometheus-alerts-14.2.21.403+g69ab6ea274d-3.63.1 - SUSE CaaS Platform 4.0 (x86_64): 
ceph-common-14.2.21.403+g69ab6ea274d-3.63.1 ceph-common-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 ceph-debugsource-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs-devel-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-14.2.21.403+g69ab6ea274d-3.63.1 libcephfs2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-14.2.21.403+g69ab6ea274d-3.63.1 librados-devel-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librados2-14.2.21.403+g69ab6ea274d-3.63.1 librados2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 libradospp-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd-devel-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-14.2.21.403+g69ab6ea274d-3.63.1 librbd1-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 librgw-devel-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-14.2.21.403+g69ab6ea274d-3.63.1 librgw2-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-ceph-argparse-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-14.2.21.403+g69ab6ea274d-3.63.1 python3-cephfs-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-14.2.21.403+g69ab6ea274d-3.63.1 python3-rados-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-14.2.21.403+g69ab6ea274d-3.63.1 python3-rbd-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-14.2.21.403+g69ab6ea274d-3.63.1 python3-rgw-debuginfo-14.2.21.403+g69ab6ea274d-3.63.1 rados-objclass-devel-14.2.21.403+g69ab6ea274d-3.63.1 References: https://www.suse.com/security/cve/CVE-2021-3509.html https://www.suse.com/security/cve/CVE-2021-3524.html https://www.suse.com/security/cve/CVE-2021-3531.html https://bugzilla.suse.com/1185619 https://bugzilla.suse.com/1186020 https://bugzilla.suse.com/1186021 From sle-security-updates at lists.suse.com Thu Jun 3 06:02:46 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 3 Jun 2021 08:02:46 +0200 (CEST) Subject: SUSE-CU-2021:236-1: Security update of ses/6/cephcsi/cephcsi Message-ID: <20210603060246.65F1AB46F22@westernhagen.suse.de> SUSE Container Update Advisory: ses/6/cephcsi/cephcsi 
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:236-1
Container Tags : ses/6/cephcsi/cephcsi:1.2.0.0 , ses/6/cephcsi/cephcsi:1.2.0.0.1.5.430 , ses/6/cephcsi/cephcsi:latest
Container Release : 1.5.430
Severity : important
Type : security
References : 1050625 1078466 1080040 1083473 1112500 1115408 1125671 1140565 1141597 1145463
1146705 1154393 1160876 1165780 1165780 1167939 1171549 1171998 1172442 1174016
1174436 1174466 1174514 1175289 1175458 1175519 1176201 1176262 1176784 1176785
1177200 1177238 1177275 1177427 1177460 1177460 1177490 1177533 1177583 1177976
1178016 1178168 1178216 1178219 1178235 1178386 1178407 1178657 1178775 1178775
1178837 1178860 1178905 1178909 1178910 1178966 1179083 1179222 1179326 1179363
1179503 1179691 1179691 1179694 1179721 1179738 1179756 1179816 1179824 1179847
1179909 1179997 1180020 1180038 1180073 1180077 1180083 1180118 1180225 1180594
1180596 1180603 1180603 1180603 1180663 1180684 1180685 1180686 1180687 1180721
1180851 1180885 1181011 1181090 1181126 1181183 1181328 1181358 1181378 1181443
1181505 1181540 1181618 1181622 1181651 1181665 1181831 1181874 1181976 1182053
1182117 1182279 1182328 1182331 1182333 1182362 1182379 1182408 1182411 1182412
1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182471 1182629 1182791
1182936 1183012 1183064 1183074 1183094 1183194 1183370 1183371 1183374 1183456
1183457 1183487 1183600 1183628 1183791 1183797 1183933 1183936 1183942 1184136
1184358 1184401 1184435 1184507 1184614 1184690 1184997 1185163 1185170 1185239
1185408 1185408 1185409 1185409 1185410 1185410 1185417 1185438 1185562 1185619
1185698 1186020 1186021 1186114
CVE-2017-9271 CVE-2019-20916 CVE-2019-25013 CVE-2020-11078 CVE-2020-11080
CVE-2020-14343 CVE-2020-25659 CVE-2020-25678 CVE-2020-25709 CVE-2020-25710
CVE-2020-27618 CVE-2020-27839 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221
CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226
CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2021-20231
CVE-2021-20232 CVE-2021-20288 CVE-2021-20305 CVE-2021-21240 CVE-2021-22876
CVE-2021-22898 CVE-2021-23239 CVE-2021-23240 CVE-2021-23336 CVE-2021-23840
CVE-2021-23841 CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987
CVE-2021-24031 CVE-2021-24032 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219
CVE-2021-3156 CVE-2021-3156 CVE-2021-3177 CVE-2021-3326 CVE-2021-3426
CVE-2021-3509 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517
CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3524 CVE-2021-3531
CVE-2021-3537
-----------------------------------------------------------------

The container ses/6/cephcsi/cephcsi was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:79-1
Released: Tue Jan 12 10:49:34 2021
Summary: Recommended update for gcc7
Type: recommended
Severity: moderate
References: 1167939
This update for gcc7 fixes the following issues:

- Amend the gcc7 aarch64 atomics for glibc namespace violation with getauxval. [bsc#1167939]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released: Thu Jan 14 12:26:15 2021
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710
This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection.
(bsc#1179503)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:179-1
Released: Wed Jan 20 13:38:51 2021
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460
This update for timezone fixes the following issues:

- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released: Tue Jan 26 14:00:51 2021
Summary: Recommended update for keyutils
Type: recommended
Severity: moderate
References: 1180603
This update for keyutils fixes the following issues:

- Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:227-1
Released: Tue Jan 26 19:22:14 2021
Summary: Security update for sudo
Type: security
Severity: important
References: 1180684,1180685,1180687,1181090,CVE-2021-23239,CVE-2021-23240,CVE-2021-3156
This update for sudo fixes the following issues:

- A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges [bsc#1181090,CVE-2021-3156]
- It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit` [bsc#1180684,CVE-2021-23239]
- A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685, CVE-2021-23240]
- It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released: Wed Jan 27 12:15:33 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225
This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released: Mon Feb 1 15:06:45 2021
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1178775,1180885
This update for systemd fixes the following issues:

- Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)
- Fix for an issue when container start causes interference in other containers. (bsc#1178775)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:266-1
Released: Mon Feb 1 21:02:37 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1177533,1179326,1179691,1179738
This update for lvm2 fixes the following issues:

- Fixes an issue when boot logical volume gets unmounted during patching. (bsc#1177533)
- Fix for lvm2 to use 'external_device_info_source='udev'' by default. (bsc#1179691)
- Fixed an issue in configuration for an item that is commented out by default.
(bsc#1179738)
- Fixed an issue where major performance issues occurred on the system after storage migration. (bsc#1179326)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released: Wed Feb 3 12:52:34 2021
Summary: Recommended update for gmp
Type: recommended
Severity: moderate
References: 1180603
This update for gmp fixes the following issues:

- correct license statements of packages (library itself is not GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:301-1
Released: Thu Feb 4 08:46:27 2021
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460
This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:304-1
Released: Thu Feb 4 13:19:43 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: important
References: 1179691
This update for lvm2 fixes the following issues:

- lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691).
  If this behavior is still wanted, please change this manually in the lvm.conf.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:307-1
Released: Fri Feb 5 05:30:34 2021
Summary: Recommended update for libselinux
Type: recommended
Severity: low
References: 1180603
This update for libselinux fixes the following issues:

- Corrected the license to public domain (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released: Mon Feb 8 13:16:07 2021
Summary: Optional update for pam
Type: optional
Severity: low
References:
This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to be installed - it doesn't fix any bugs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released: Fri Feb 19 14:53:47 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177
This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:580-1
Released: Wed Feb 24 11:16:42 2021
Summary: Optional update for python-cffi
Type: optional
Severity: low
References: 1182471
This update for python-cffi fixes the following issues:

- Restored compatibility with Python 2.7 update (bsc#1182471)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:596-1
Released: Thu Feb 25 10:26:30 2021
Summary: Recommended update for gcc7
Type: recommended
Severity: moderate
References: 1181618
This update for gcc7 fixes the following issues:

- Fixed webkit2gtk3 build (bsc#1181618)
- Change GCC exception licenses to SPDX format
- Remove include-fixed/pthread.h

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released: Fri Feb 26 19:53:43 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released: Mon Mar 8 16:45:27 2021
Summary: Security update for openldap2
Type: security
Severity: important
References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:753-1
Released: Tue Mar 9 17:09:57 2021
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1182331,1182333,CVE-2021-23840,CVE-2021-23841
This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released: Mon Mar 15 11:19:23 2021
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1176201
This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:890-1
Released: Fri Mar 19 15:51:41 2021
Summary: Security update for glib2
Type: security
Severity: important
References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219
This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores it in a guint; this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter, which sometimes leads to an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released: Tue Mar 23 10:00:49 2021
Summary: Recommended update for filesystem
Type: recommended
Severity: moderate
References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094
This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade.
(rh#1548403) (bsc#1146705)
- Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to clean up '/tmp' regularly, as required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:926-1
Released: Tue Mar 23 13:20:24 2021
Summary: Recommended update for systemd-presets-common-SUSE
Type: recommended
Severity: moderate
References: 1083473,1112500,1115408,1165780,1183012
This update for systemd-presets-common-SUSE fixes the following issues:

- Add default user preset containing:
  - enable `pulseaudio.socket` (bsc#1083473)
  - enable `pipewire.socket` (bsc#1183012)
  - enable `pipewire-pulse.socket` (bsc#1183012)
  - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23)
- Changes to the default preset:
  - enable `btrfsmaintenance-refresh.path`.
  - disable `btrfsmaintenance-refresh.service`.
  - enable `dnf-makecache.timer`.
  - enable `ignition-firstboot-complete.service`.
  - enable logwatch.timer and avoid having logwatch out of sync with logrotate. (bsc#1112500)
  - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408)
  - remove enable `updatedb.timer`
- Avoid needless refresh on boot.
(bsc#1165780)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:931-1
Released: Wed Mar 24 12:10:41 2021
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1172442,1181358,CVE-2020-11080
This update for nghttp2 fixes the following issues:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:934-1
Released: Wed Mar 24 12:18:21 2021
Summary: Security update for gnutls
Type: security
Severity: important
References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232
This update for gnutls fixes the following issues:

- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:947-1
Released: Wed Mar 24 14:30:58 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1182379,CVE-2021-23336
This update for python3 fixes the following issues:

- python36 was updated to 3.6.13
- CVE-2021-23336: Fixed a potential web cache poisoning caused by the use of a semicolon as a query string separator (bsc#1182379).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released: Wed Mar 24 14:31:34 2021
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032
This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access a world-readable destination file (bsc#1183370).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:952-1
Released: Thu Mar 25 14:36:56 2021
Summary: Recommended update for libunwind
Type: recommended
Severity: moderate
References: 1160876,1171549
This update for libunwind fixes the following issues:

- Update to version 1.5.0. (jsc#ECO-3395)
- Enable s390x for building. (jsc#ECO-3395)
- Fix compilation with 'fno-common'. (bsc#1171549)
- Fix build with 'GCC-10'. (bsc#1160876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:953-1
Released: Thu Mar 25 14:37:26 2021
Summary: Recommended update for psmisc
Type: recommended
Severity: moderate
References: 1178407
This update for psmisc fixes the following issues:

- Fix for 'fuser' when it does not show open kvm storage image files such as 'qcow2' files. (bsc#1178407)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:956-1
Released: Thu Mar 25 19:19:04 2021
Summary: Security update for libzypp, zypper
Type: security
Severity: moderate
References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629,CVE-2017-9271
This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.43:

- doc: give more details about creating versioned package locks (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)
- Prefer /run over /var/run.

Update libzypp to 17.25.8:

- Try to provide a mounted /proc in --root installs (bsc#1181328)
  Some systemd tools require /proc to be mounted and fail if it's not there.
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names (bsc#1179847)
  This allows the RH and SUSE patch category names to be used synonymously: (recommended = bugfix) and (optional = feature = enhancement).
- Add missing includes for GCC 11 compatibility.
- Fix %posttrans script execution (fixes #265)
  The scripts are executable. No need to call them through 'sh -c'.
- Commit: Fix rpmdb compat symlink in case rpm got removed.
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use.
- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere.
(bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:985-1
Released: Tue Mar 30 14:42:46 2021
Summary: Recommended update for the Azure SDK and CLI
Type: recommended
Severity: moderate
References: 1125671,1140565,1154393,1174514,1175289,1176784,1176785,1178168,CVE-2020-14343,CVE-2020-25659
This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit). (bsc#1176784, jsc#ECO=3105)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1004-1
Released: Thu Apr 1 15:07:09 2021
Summary: Recommended update for libcap
Type: recommended
Severity: moderate
References: 1180073
This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1007-1
Released: Thu Apr 1 17:47:20 2021
Summary: Security update for MozillaFirefox
Type: security
Severity: important
References: 1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987
This update for MozillaFirefox fixes the following issues:

- Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
  * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
  * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
  * CVE-2021-23984: Malicious extensions could have spoofed popup information
  * CVE-2021-23987: Memory safety bugs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1141-1
Released: Mon Apr 12 13:13:36 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1182791
This update for openldap2 fixes the following issues:

- Improved the proxy connection timeout options to prune connections properly (bsc#1182791)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1169-1
Released: Tue Apr 13 15:01:42 2021
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1181976
This update for procps fixes the following issues:

- Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1275-1
Released: Tue Apr 20 14:31:26 2021
Summary: Security update for sudo
Type: security
Severity: important
References: 1183936,CVE-2021-3156
This update for sudo fixes the following issues:

- L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1295-1
Released: Wed Apr 21 14:08:19 2021
Summary: Recommended update for systemd-presets-common-SUSE
Type: recommended
Severity: moderate
References: 1184136
This update for systemd-presets-common-SUSE fixes the following issues:

- Enabled hcn-init.service for HNV on POWER (bsc#1184136)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1296-1
Released: Wed Apr 21 14:09:28 2021
Summary: Optional update for e2fsprogs
Type: optional
Severity: low
References: 1183791
This update for e2fsprogs fixes the following issues:

- Fixed an issue when building e2fsprogs (bsc#1183791)

This patch does not fix any user visible issues and is therefore optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1297-1
Released: Wed Apr 21 14:10:10 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1178219
This update for systemd fixes the following issues:

- Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1407-1
Released: Wed Apr 28 15:49:02 2021
Summary: Recommended update for libcap
Type: recommended
Severity: important
References: 1184690
This update for libcap fixes the following issues:

- Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1412-1
Released: Wed Apr 28 17:09:28 2021
Summary: Security update for libnettle
Type: security
Severity: important
References: 1184401,CVE-2021-20305
This update for libnettle fixes the following issues:

- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1449-1
Released: Fri Apr 30 08:08:25 2021
Summary: Recommended update for systemd-presets-branding-SLE
Type: recommended
Severity: moderate
References: 1165780
This update for systemd-presets-branding-SLE fixes the following issues:

- Don't enable 'btrfsmaintenance-refresh.service', 'btrfsmaintenance' is managed by systemd-presets-common-SUSE instead.
(bsc#1165780)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1472-1
Released: Tue May 4 08:56:37 2021
Summary: Security update for ceph, deepsea
Type: security
Severity: important
References: 1145463,1174466,1177200,1178016,1178216,1178235,1178657,1178837,1178860,1178905,1179997,1180118,1180594,1181183,1181378,1181665,1183074,1183487,1183600,CVE-2020-25678,CVE-2020-27839,CVE-2021-20288
This update for ceph, deepsea fixes the following issues:

- ceph was updated to 14.2.20-402-g6aa76c6815:
  * CVE-2021-20288: Fixed unauthorized global_id reuse (bsc#1183074).
  * CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905).
  * CVE-2020-27839: Use secure cookies to store JWT Token (bsc#1179997).
  * mgr/dashboard: prometheus alerting: add some leeway for package drops and errors (bsc#1145463)
  * mon: have 'mon stat' output json as well (bsc#1174466)
  * rpm: ceph-mgr-dashboard recommends python3-saml on SUSE (bsc#1177200)
  * mgr/dashboard: Display a warning message in Dashboard when debug mode is enabled (bsc#1178235)
  * rgw: cls/user: set from_index for reset stats calls (bsc#1178837)
  * mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860)
  * bluestore: provide a different name for fallback allocator (bsc#1180118)
  * test/run-cli-tests: use cram from github (bsc#1181378)
  * mgr/dashboard: fix 'Python2 Cookie module import fails on Python3' (bsc#1183487)
  * common: make ms_bind_msgr2 default to 'false' (bsc#1180594)
- deepsea was updated to 0.9.35
  * osd: add method to zap simple osds (bsc#1178657, bsc#1178216)
  * upgrade to cephadm: fix Drive Group generation (bsc#1181665)
  * Rework config change detection to handle global.conf correctly (bsc#1181183)
  * Use -i to pass credentials to `ceph dashboard` commands (bsc#1183600)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1523-1
Released: Wed May 5 18:24:20 2021
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
This update for libxml2 fixes the following issues:

- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1527-1
Released: Thu May 6 08:58:53 2021
Summary: Recommended update for bash
Type: recommended
Severity: important
References: 1183064
This update for bash fixes the following issues:

- Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1543-1
Released: Fri May 7 15:16:32 2021
Summary: Recommended update for patterns-microos
Type: recommended
Severity: moderate
References: 1184435
This update for patterns-microos provides the following fix:

- Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1549-1
Released: Mon May 10 13:48:00 2021
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1185417
This update for procps fixes the following issues:

- Support up to 2048 CPUs as well.
(bsc#1185417) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1557-1 Released: Tue May 11 09:50:00 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1183374,CVE-2021-3426 This update for python3 fixes the following issues: - CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1565-1 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1185163 This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163); ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1592-1 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Type: optional Severity: low References: 1183797 This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1602-1 Released: Thu May 13 16:35:19 2021 Summary: Recommended update for libsolv, libzypp Type: recommended Severity: moderate References: 1180851,1181874,1182936,1183628,1184997,1185239 This update for libsolv and libzypp fixes the following issues: libsolv: Upgrade from version 0.7.17 to version 0.7.19 - Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned. - Fix memory leaks in error cases - Fix error handling in `solv_xfopen_fd()` - Fix regex code on win32 - fixed memory leak in choice rule generation - `repo_add_conda`: add a flag to skip version 2 packages. libzypp: Upgrade from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. 
(bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1612-1 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1647-1 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Type: security Severity: important References: 1185438,CVE-2021-3520 This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1654-1
Released: Wed May 19 16:43:36 2021
Summary: Security update for libxml2
Type: security
Severity: important
References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537

This update for libxml2 fixes the following issues:

- CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1669-1
Released: Thu May 20 11:10:44 2021
Summary: Recommended update for nfs-utils
Type: recommended
Severity: moderate
References: 1181540,1181651,1183194,1185170

This update for nfs-utils fixes the following issues:

- The '/var/run' is long deprecated - switch all relevant paths to '/run'. (bsc#1185170)
- Improve logging of authentication (bsc#1181540)
- Add man page of the 'nconnect mount'. (bsc#1181651)
- Fixed an issue when HANA crashed due to inaccessible/hanging NFS mount. (bsc#1183194)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1675-1
Released: Thu May 20 15:00:23 2021
Summary: Recommended update for snappy
Type: recommended
Severity: moderate
References: 1080040,1184507

This update for snappy fixes the following issues:

Update from version 1.1.3 to 1.1.8

- Small performance improvements.
- Removed `snappy::string` alias for `std::string`.
- Improved `CMake` configuration.
- Improved packages descriptions.
- Fix RPM groups.
- Aarch64 fixes
- PPC speedups
- PIE improvements
- Fix license install. (bsc#1080040)
- Fix a 1% performance regression when snappy is used in PIE executable.
- Improve compression performance by 5%.
- Improve decompression performance by 20%.
- Use better download URL.
- Fix a build issue for tensorflow2. (bsc#1184507)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1769-1
Released: Wed May 26 14:00:17 2021
Summary: Security update for ceph
Type: security
Severity: important
References: 1185619,1186020,1186021,CVE-2021-3509,CVE-2021-3524,CVE-2021-3531

This update for ceph fixes the following issues:

- Update to 15.2.12-83-g528da226523:
  - (CVE-2021-3509) fix cookie injection issue (bsc#1186021)
  - (CVE-2021-3531) RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name (bsc#1186020)
  - (CVE-2021-3524) sanitize \r in s3 CORSConfiguration's ExposeHeader (bsc#1185619)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1773-1
Released: Wed May 26 17:22:21 2021
Summary: Recommended update for python3
Type: recommended
Severity: low
References:

This update for python3 fixes the following issues:

- Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1806-1
Released: Mon May 31 16:23:04 2021
Summary: Security update for python-httplib2
Type: security
Severity: moderate
References: 1171998,1182053,CVE-2020-11078,CVE-2021-21240

This update for python-httplib2 fixes the following issues:

- Update to version 0.19.0 (bsc#1182053).
- CVE-2021-21240: Fixed regular expression denial of service via malicious header (bsc#1182053).
- CVE-2020-11078: Fixed unescaped part of uri where an attacker could change request headers and body (bsc#1182053).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1809-1
Released: Mon May 31 16:24:59 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1177976,1183933,1186114,CVE-2021-22876,CVE-2021-22898

This update for curl fixes the following issues:

- CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976).
- Allow partial chain verification (jsc#SLE-17956).

From sle-security-updates at lists.suse.com Thu Jun 3 06:05:23 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 3 Jun 2021 08:05:23 +0200 (CEST)
Subject: SUSE-CU-2021:237-1: Security update of ses/6/ceph/ceph
Message-ID: <20210603060523.5AF48B46F22@westernhagen.suse.de>

SUSE Container Update Advisory: ses/6/ceph/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:237-1
Container Tags : ses/6/ceph/ceph:14.2.21.403 , ses/6/ceph/ceph:14.2.21.403.1.5.426 , ses/6/ceph/ceph:latest
Container Release : 1.5.426
Severity : important
Type : security
References : 1050625 1078466 1080040 1083473 1112500 1115408 1125671 1140565 1141597 1145463 1146705 1154393 1160876 1165780 1165780 1167939 1171549 1171998 1172442 1174016 1174436 1174466 1174514 1175289 1175458 1175519 1176201 1176262 1176784 1176785 1177200 1177238 1177275 1177427 1177460 1177460 1177490 1177533 1177583 1177976 1178016 1178168 1178216 1178219 1178235 1178386 1178407 1178657 1178775 1178775 1178837 1178860 1178905 1178909 1178910 1178966 1179083 1179222 1179326 1179363 1179503 1179691 1179691 1179694 1179721 1179738 1179756 1179816 1179824 1179847 1179909 1179997 1180020 1180038 1180073 1180077 1180083 1180118 1180225 1180594 1180596 1180603 1180603 1180603 1180663 1180684 1180685 1180686
 1180687 1180721 1180851 1180885 1181011 1181090 1181126 1181183 1181328 1181358 1181378 1181443 1181505 1181540 1181618 1181622 1181651 1181665 1181831 1181874 1181976 1182053 1182117 1182279 1182328 1182331 1182333 1182362 1182379 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182471 1182629 1182791 1182936 1183012 1183064 1183074 1183094 1183194 1183370 1183371 1183374 1183456 1183457 1183487 1183600 1183628 1183791 1183797 1183933 1183936 1183942 1184136 1184358 1184401 1184435 1184507 1184614 1184690 1184997 1185163 1185170 1185239 1185408 1185408 1185409 1185409 1185410 1185410 1185417 1185438 1185562 1185619 1185698 1186020 1186021 1186114
 CVE-2017-9271 CVE-2019-20916 CVE-2019-25013 CVE-2020-11078 CVE-2020-11080 CVE-2020-14343 CVE-2020-25659 CVE-2020-25678 CVE-2020-25709 CVE-2020-25710 CVE-2020-27618 CVE-2020-27839 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2021-20231 CVE-2021-20232 CVE-2021-20288 CVE-2021-20305 CVE-2021-21240 CVE-2021-22876 CVE-2021-22898 CVE-2021-23239 CVE-2021-23240 CVE-2021-23336 CVE-2021-23840 CVE-2021-23841 CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987 CVE-2021-24031 CVE-2021-24032 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3156 CVE-2021-3156 CVE-2021-3177 CVE-2021-3326 CVE-2021-3426 CVE-2021-3509 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517 CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3524 CVE-2021-3531 CVE-2021-3537
-----------------------------------------------------------------

The container ses/6/ceph/ceph was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:79-1
Released: Tue Jan 12 10:49:34 2021
Summary: Recommended update for gcc7
Type: recommended
Severity: moderate
References: 1167939

This update for gcc7 fixes the following issues:

- Amend the gcc7 aarch64 atomics for glibc namespace violation with getauxval. [bsc#1167939]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released: Thu Jan 14 12:26:15 2021
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:179-1
Released: Wed Jan 20 13:38:51 2021
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460

This update for timezone fixes the following issues:

- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released: Tue Jan 26 14:00:51 2021
Summary: Recommended update for keyutils
Type: recommended
Severity: moderate
References: 1180603

This update for keyutils fixes the following issues:

- Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:227-1
Released: Tue Jan 26 19:22:14 2021
Summary: Security update for sudo
Type: security
Severity: important
References: 1180684,1180685,1180687,1181090,CVE-2021-23239,CVE-2021-23240,CVE-2021-3156

This update for sudo fixes the following issues:

- A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges [bsc#1181090,CVE-2021-3156]
- It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit` [bsc#1180684,CVE-2021-23239]
- A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685, CVE-2021-23240]
- It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released: Wed Jan 27 12:15:33 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225

This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released: Mon Feb 1 15:06:45 2021
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1178775,1180885

This update for systemd fixes the following issues:

- Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)
- Fix for an issue when container start causes interference in other containers. (bsc#1178775)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:266-1
Released: Mon Feb 1 21:02:37 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1177533,1179326,1179691,1179738

This update for lvm2 fixes the following issue:

- Fixes an issue when boot logical volume gets unmounted during patching. (bsc#1177533)
- Fix for lvm2 to use 'external_device_info_source='udev'' by default. (bsc#1179691)
- Fixed an issue in configuration for an item that is commented out by default. (bsc#1179738)
- Fixed an issue when after storage migration major performance issues occurred on the system. (bsc#1179326)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released: Wed Feb 3 12:52:34 2021
Summary: Recommended update for gmp
Type: recommended
Severity: moderate
References: 1180603

This update for gmp fixes the following issues:

- correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:301-1
Released: Thu Feb 4 08:46:27 2021
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460

This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:304-1
Released: Thu Feb 4 13:19:43 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: important
References: 1179691

This update for lvm2 fixes the following issues:

- lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691).
  If this behavior is still wanted, please change this manually in the lvm.conf

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:307-1
Released: Fri Feb 5 05:30:34 2021
Summary: Recommended update for libselinux
Type: recommended
Severity: low
References: 1180603

This update for libselinux fixes the following issues:

- Corrected the license to public domain (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released: Mon Feb 8 13:16:07 2021
Summary: Optional update for pam
Type: optional
Severity: low
References:

This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to be installed - it doesn't fix any bugs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released: Fri Feb 19 14:53:47 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177

This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:580-1
Released: Wed Feb 24 11:16:42 2021
Summary: Optional update for python-cffi
Type: optional
Severity: low
References: 1182471

This update for python-cffi fixes the following issues:

- Restored compatibility with Python 2.7 update (bsc#1182471)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:596-1
Released: Thu Feb 25 10:26:30 2021
Summary: Recommended update for gcc7
Type: recommended
Severity: moderate
References: 1181618

This update for gcc7 fixes the following issues:

- Fixed webkit2gtk3 build (bsc#1181618)
- Change GCC exception licenses to SPDX format
- Remove include-fixed/pthread.h

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released: Fri Feb 26 19:53:43 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326

This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released: Mon Mar 8 16:45:27 2021
Summary: Security update for openldap2
Type: security
Severity: important
References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212

This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:753-1
Released: Tue Mar 9 17:09:57 2021
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1182331,1182333,CVE-2021-23840,CVE-2021-23841

This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released: Mon Mar 15 11:19:23 2021
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1176201

This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:890-1
Released: Fri Mar 19 15:51:41 2021
Summary: Security update for glib2
Type: security
Severity: important
References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219

This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released: Tue Mar 23 10:00:49 2021
Summary: Recommended update for filesystem
Type: recommended
Severity: moderate
References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094

This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:926-1
Released: Tue Mar 23 13:20:24 2021
Summary: Recommended update for systemd-presets-common-SUSE
Type: recommended
Severity: moderate
References: 1083473,1112500,1115408,1165780,1183012

This update for systemd-presets-common-SUSE fixes the following issues:

- Add default user preset containing:
  - enable `pulseaudio.socket` (bsc#1083473)
  - enable `pipewire.socket` (bsc#1183012)
  - enable `pipewire-pulse.socket` (bsc#1183012)
  - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23)
- Changes to the default preset:
  - enable `btrfsmaintenance-refresh.path`.
  - disable `btrfsmaintenance-refresh.service`.
  - enable `dnf-makecache.timer`.
  - enable `ignition-firstboot-complete.service`.
  - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500)
  - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408)
  - remove enable `updatedb.timer`
- Avoid needless refresh on boot. (bsc#1165780)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:931-1
Released: Wed Mar 24 12:10:41 2021
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1172442,1181358,CVE-2020-11080

This update for nghttp2 fixes the following issues:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:934-1
Released: Wed Mar 24 12:18:21 2021
Summary: Security update for gnutls
Type: security
Severity: important
References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232

This update for gnutls fixes the following issues:

- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:947-1
Released: Wed Mar 24 14:30:58 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1182379,CVE-2021-23336

This update for python3 fixes the following issues:

- python36 was updated to 3.6.13
- CVE-2021-23336: Fixed a potential web cache poisoning via the use of a semicolon as a query string separator in query parameters (bsc#1182379).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released: Wed Mar 24 14:31:34 2021
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032

This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:952-1
Released: Thu Mar 25 14:36:56 2021
Summary: Recommended update for libunwind
Type: recommended
Severity: moderate
References: 1160876,1171549

This update for libunwind fixes the following issues:

- Update to version 1.5.0. (jsc#ECO-3395)
- Enable s390x for building. (jsc#ECO-3395)
- Fix compilation with 'fno-common'. (bsc#1171549)
- Fix build with 'GCC-10'. (bsc#1160876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:953-1
Released: Thu Mar 25 14:37:26 2021
Summary: Recommended update for psmisc
Type: recommended
Severity: moderate
References: 1178407

This update for psmisc fixes the following issues:

- Fix for 'fuser' when it does not show open kvm storage image files such as 'qcow2' files. (bsc#1178407)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:956-1
Released: Thu Mar 25 19:19:04 2021
Summary: Security update for libzypp, zypper
Type: security
Severity: moderate
References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629,CVE-2017-9271

This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.43:

- doc: give more details about creating versioned package locks (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)
- Prefer /run over /var/run.

Update libzypp to 17.25.8:

- Try to provide a mounted /proc in --root installs (bsc#1181328)
  Some systemd tools require /proc to be mounted and fail if it's not there.
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names (bsc#1179847)
  This allows to use the RH and SUSE patch category names synonymously: (recommended = bugfix) and (optional = feature = enhancement).
- Add missing includes for GCC 11 compatibility.
- Fix %posttrans script execution (fixes #265)
  The scripts are executable. No need to call them through 'sh -c'.
- Commit: Fix rpmdb compat symlink in case rpm got removed.
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use.
- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:985-1
Released: Tue Mar 30 14:42:46 2021
Summary: Recommended update for the Azure SDK and CLI
Type: recommended
Severity: moderate
References: 1125671,1140565,1154393,1174514,1175289,1176784,1176785,1178168,CVE-2020-14343,CVE-2020-25659

This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit). (bsc#1176784, jsc#ECO=3105)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1004-1
Released: Thu Apr 1 15:07:09 2021
Summary: Recommended update for libcap
Type: recommended
Severity: moderate
References: 1180073

This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1007-1
Released: Thu Apr 1 17:47:20 2021
Summary: Security update for MozillaFirefox
Type: security
Severity: important
References: 1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987

This update for MozillaFirefox fixes the following issues:

- Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
  * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
  * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
  * CVE-2021-23984: Malicious extensions could have spoofed popup information
  * CVE-2021-23987: Memory safety bugs
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1141-1 Released: Mon Apr 12 13:13:36 2021 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1182791 This update for openldap2 fixes the following issues: - Improved the proxy connection timeout options to prune connections properly (bsc#1182791) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1169-1 Released: Tue Apr 13 15:01:42 2021 Summary: Recommended update for procps Type: recommended Severity: low References: 1181976 This update for procps fixes the following issues: - Corrected a statement in the man page about processor pinning via taskset (bsc#1181976) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1275-1 Released: Tue Apr 20 14:31:26 2021 Summary: Security update for sudo Type: security Severity: important References: 1183936,CVE-2021-3156 This update for sudo fixes the following issues: - L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1295-1 Released: Wed Apr 21 14:08:19 2021 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate References: 1184136 This update for systemd-presets-common-SUSE fixes the following issues: - Enabled hcn-init.service for HNV on POWER (bsc#1184136) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1296-1 Released: Wed Apr 21 14:09:28 2021 Summary: Optional update for e2fsprogs Type: optional Severity: low References: 1183791 This update for e2fsprogs fixes the following issues: - Fixed an issue when building e2fsprogs (bsc#1183791) This patch does not fix any user visible issues and is therefore optional to install. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1297-1 Released: Wed Apr 21 14:10:10 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1178219 This update for systemd fixes the following issues: - Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1407-1 Released: Wed Apr 28 15:49:02 2021 Summary: Recommended update for libcap Type: recommended Severity: important References: 1184690 This update for libcap fixes the following issues: - Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1412-1 Released: Wed Apr 28 17:09:28 2021 Summary: Security update for libnettle Type: security Severity: important References: 1184401,CVE-2021-20305 This update for libnettle fixes the following issues: - CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1449-1 Released: Fri Apr 30 08:08:25 2021 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1165780 This update for systemd-presets-branding-SLE fixes the following issues: - Don't enable 'btrfsmaintenance-refresh.service', 'btrfsmaintenance' is managed by systemd-presets-common-SUSE instead. 
(bsc#1165780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1472-1 Released: Tue May 4 08:56:37 2021 Summary: Security update for ceph, deepsea Type: security Severity: important References: 1145463,1174466,1177200,1178016,1178216,1178235,1178657,1178837,1178860,1178905,1179997,1180118,1180594,1181183,1181378,1181665,1183074,1183487,1183600,CVE-2020-25678,CVE-2020-27839,CVE-2021-20288 This update for ceph, deepsea fixes the following issues: - ceph was updated to 14.2.20-402-g6aa76c6815: * CVE-2021-20288: Fixed unauthorized global_id reuse (bsc#1183074). * CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905). * CVE-2020-27839: Use secure cookies to store JWT Token (bsc#1179997). * mgr/dashboard: prometheus alerting: add some leeway for package drops and errors (bsc#1145463) * mon: have 'mon stat' output json as well (bsc#1174466) * rpm: ceph-mgr-dashboard recommends python3-saml on SUSE (bsc#1177200) * mgr/dashboard: Display a warning message in Dashboard when debug mode is enabled (bsc#1178235) * rgw: cls/user: set from_index for reset stats calls (bsc#1178837) * mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860) * bluestore: provide a different name for fallback allocator (bsc#1180118) * test/run-cli-tests: use cram from github (bsc#1181378) * mgr/dashboard: fix 'Python2 Cookie module import fails on Python3' (bsc#1183487) * common: make ms_bind_msgr2 default to 'false' (bsc#1180594) - deepsea was updated to 0.9.35 * osd: add method to zap simple osds (bsc#1178657, bsc#1178216) * upgrade to cephadm: fix Drive Group generation (bsc#1181665) * Rework config change detection to handle global.conf correctly (bsc#1181183) * Use -i to pass credentials to `ceph dashboard` commands (bsc#1183600) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1523-1 Released: Wed May 5 18:24:20 2021 Summary: Security update for libxml2 Type: security Severity: moderate
References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518 This update for libxml2 fixes the following issues: - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1527-1 Released: Thu May 6 08:58:53 2021 Summary: Recommended update for bash Type: recommended Severity: important References: 1183064 This update for bash fixes the following issues: - Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1543-1 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Type: recommended Severity: moderate References: 1184435 This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1549-1 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1185417 This update for procps fixes the following issues: - Support up to 2048 CPU as well. 
(bsc#1185417) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1557-1 Released: Tue May 11 09:50:00 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1183374,CVE-2021-3426 This update for python3 fixes the following issues: - CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1565-1 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1185163 This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163); ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1592-1 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Type: optional Severity: low References: 1183797 This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1602-1 Released: Thu May 13 16:35:19 2021 Summary: Recommended update for libsolv, libzypp Type: recommended Severity: moderate References: 1180851,1181874,1182936,1183628,1184997,1185239 This update for libsolv and libzypp fixes the following issues: libsolv: Upgrade from version 0.7.17 to version 0.7.19 - Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned. - Fix memory leaks in error cases - Fix error handling in `solv_xfopen_fd()` - Fix regex code on win32 - fixed memory leak in choice rule generation - `repo_add_conda`: add a flag to skip version 2 packages. libzypp: Upgrade from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. 
(bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1612-1 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1647-1 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Type: security Severity: important References: 1185438,CVE-2021-3520 This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1654-1 Released: Wed May 19 16:43:36 2021 Summary: Security update for libxml2 Type: security Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 This update for libxml2 fixes the following issues: - CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1669-1 Released: Thu May 20 11:10:44 2021 Summary: Recommended update for nfs-utils Type: recommended Severity: moderate References: 1181540,1181651,1183194,1185170 This update for nfs-utils fixes the following issues: - The '/var/run' is long deprecated - switch all relevant paths to '/run'. (bsc#1185170) - Improve logging of authentication (bsc#1181540) - Add man page of the 'nconnect mount'. (bsc#1181651) - Fixed an issue when HANA crashed due to inaccessible/hanging NFS mount. (bsc#1183194) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1675-1 Released: Thu May 20 15:00:23 2021 Summary: Recommended update for snappy Type: recommended Severity: moderate References: 1080040,1184507 This update for snappy fixes the following issues: Update from version 1.1.3 to 1.1.8 - Small performance improvements. - Removed `snappy::string` alias for `std::string`. - Improved `CMake` configuration. - Improved packages descriptions. - Fix RPM groups. - Aarch64 fixes - PPC speedups - PIE improvements - Fix license install. (bsc#1080040) - Fix a 1% performance regression when snappy is used in PIE executable. 
- Improve compression performance by 5%. - Improve decompression performance by 20%. - Use better download URL. - Fix a build issue for tensorflow2. (bsc#1184507) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1769-1 Released: Wed May 26 14:00:17 2021 Summary: Security update for ceph Type: security Severity: important References: 1185619,1186020,1186021,CVE-2021-3509,CVE-2021-3524,CVE-2021-3531 This update for ceph fixes the following issues: - Update to 15.2.12-83-g528da226523: - (CVE-2021-3509) fix cookie injection issue (bsc#1186021) - (CVE-2021-3531) RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name (bsc#1186020) - (CVE-2021-3524) sanitize \r in s3 CORSConfiguration's ExposeHeader (bsc#1185619) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1773-1 Released: Wed May 26 17:22:21 2021 Summary: Recommended update for python3 Type: recommended Severity: low References: This update for python3 fixes the following issues: - Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1806-1 Released: Mon May 31 16:23:04 2021 Summary: Security update for python-httplib2 Type: security Severity: moderate References: 1171998,1182053,CVE-2020-11078,CVE-2021-21240 This update for python-httplib2 fixes the following issues: - Update to version 0.19.0 (bsc#1182053). - CVE-2021-21240: Fixed regular expression denial of service via malicious header (bsc#1182053). - CVE-2020-11078: Fixed unescaped part of uri where an attacker could change request headers and body (bsc#1182053).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1809-1 Released: Mon May 31 16:24:59 2021 Summary: Security update for curl Type: security Severity: moderate References: 1177976,1183933,1186114,CVE-2021-22876,CVE-2021-22898 This update for curl fixes the following issues: - CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933). - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976). - Allow partial chain verification (jsc#SLE-17956).
From sle-security-updates at lists.suse.com Thu Jun 3 06:08:00 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 3 Jun 2021 08:08:00 +0200 (CEST) Subject: SUSE-CU-2021:238-1: Security update of ses/6/rook/ceph Message-ID: <20210603060800.B7E7BB46F22@westernhagen.suse.de> SUSE Container Update Advisory: ses/6/rook/ceph ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:238-1 Container Tags : ses/6/rook/ceph:1.1.1.0 , ses/6/rook/ceph:1.1.1.0.1.5.424 , ses/6/rook/ceph:latest Container Release : 1.5.424 Severity : important Type : security References : 1050625 1078466 1080040 1083473 1112500 1115408 1125671 1140565 1141597 1145463 1146705 1154393 1160876 1165780 1165780 1167939 1171549 1171998 1172442 1174016 1174436 1174466 1174514 1175289 1175458 1175519 1176201 1176262 1176784 1176785 1177200 1177238 1177275 1177427 1177460 1177460 1177490 1177533 1177583 1177976 1178016 1178168 1178216 1178219 1178235 1178386 1178407 1178657 1178775 1178775 1178837 1178860 1178905 1178909 1178910 1178966 1179083 1179222 1179326 1179363 1179503 1179691 1179691 1179694 1179721 1179738 1179756 1179816 1179824 1179847 1179909 1179997 1180020 1180038 1180073 1180077 1180083 1180118 1180225 1180594 1180596 1180603 1180603 1180603 1180663 1180684 1180685 1180686 1180687
1180721 1180851 1180885 1181011 1181090 1181126 1181183 1181328 1181358 1181378 1181443 1181505 1181540 1181618 1181622 1181651 1181665 1181831 1181874 1181976 1182053 1182117 1182279 1182328 1182331 1182333 1182362 1182379 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182471 1182629 1182791 1182936 1183012 1183064 1183074 1183094 1183194 1183370 1183371 1183374 1183456 1183457 1183487 1183600 1183628 1183791 1183797 1183933 1183936 1183942 1184136 1184358 1184401 1184435 1184507 1184614 1184690 1184997 1185163 1185170 1185239 1185408 1185408 1185409 1185409 1185410 1185410 1185417 1185438 1185562 1185619 1185698 1186020 1186021 1186114 CVE-2017-9271 CVE-2019-20916 CVE-2019-25013 CVE-2020-11078 CVE-2020-11080 CVE-2020-14343 CVE-2020-25659 CVE-2020-25678 CVE-2020-25709 CVE-2020-25710 CVE-2020-27618 CVE-2020-27839 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2021-20231 CVE-2021-20232 CVE-2021-20288 CVE-2021-20305 CVE-2021-21240 CVE-2021-22876 CVE-2021-22898 CVE-2021-23239 CVE-2021-23240 CVE-2021-23336 CVE-2021-23840 CVE-2021-23841 CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987 CVE-2021-24031 CVE-2021-24032 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3156 CVE-2021-3156 CVE-2021-3177 CVE-2021-3326 CVE-2021-3426 CVE-2021-3509 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517 CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3524 CVE-2021-3531 CVE-2021-3537 ----------------------------------------------------------------- The container ses/6/rook/ceph was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:79-1 Released: Tue Jan 12 10:49:34 2021 Summary: Recommended update for gcc7 Type: recommended Severity: moderate References: 1167939 This update for gcc7 fixes the following issues: - Amend the gcc7 aarch64 atomics for glibc namespace violation with getauxval. [bsc#1167939] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:129-1 Released: Thu Jan 14 12:26:15 2021 Summary: Security update for openldap2 Type: security Severity: moderate References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909). - CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909). Non-security issue fixed: - Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:179-1 Released: Wed Jan 20 13:38:51 2021 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: - timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug. - timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:220-1 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate References: 1180603 This update for keyutils fixes the following issues: - Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:227-1 Released: Tue Jan 26 19:22:14 2021 Summary: Security update for sudo Type: security Severity: important References: 1180684,1180685,1180687,1181090,CVE-2021-23239,CVE-2021-23240,CVE-2021-3156 This update for sudo fixes the following issues: - A Heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges [bsc#1181090,CVE-2021-3156] - It was possible for a user to test for the existence of a directory due to a Race Condition in `sudoedit` [bsc#1180684,CVE-2021-23239] - A Possible Symlink Attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685, CVE-2021-23240] - It was possible for a User to enable Debug Settings not Intended for them [bsc#1180687] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:233-1 Released: Wed Jan 27 12:15:33 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225 This update for systemd fixes the following issues: - Added a timestamp to the output of the busctl monitor command (bsc#1180225) - Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824) - Improved the caching of cgroups member mask (bsc#1175458) - Fixed the dependency definition of sound.target (bsc#1179363) - Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436) -
time-util: treat /etc/localtime missing as UTC (bsc#1141597) - Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:265-1 Released: Mon Feb 1 15:06:45 2021 Summary: Recommended update for systemd Type: recommended Severity: important References: 1178775,1180885 This update for systemd fixes the following issues: - Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998) - Fix for an issue when container start causes interference in other containers. (bsc#1178775) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:266-1 Released: Mon Feb 1 21:02:37 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1177533,1179326,1179691,1179738 This update for lvm2 fixes the following issues: - Fixes an issue when boot logical volume gets unmounted during patching. (bsc#1177533) - Fix for lvm2 to use 'external_device_info_source='udev'' by default. (bsc#1179691) - Fixed an issue in configuration for an item that is commented out by default. (bsc#1179738) - Fixed an issue when after storage migration major performance issues occurred on the system.
(bsc#1179326) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:293-1 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Type: recommended Severity: moderate References: 1180603 This update for gmp fixes the following issues: - correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:301-1 Released: Thu Feb 4 08:46:27 2021 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: - timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:304-1 Released: Thu Feb 4 13:19:43 2021 Summary: Recommended update for lvm2 Type: recommended Severity: important References: 1179691 This update for lvm2 fixes the following issues: - lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691).
If this behavior is still wanted, please change this manually in the lvm.conf ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:307-1 Released: Fri Feb 5 05:30:34 2021 Summary: Recommended update for libselinux Type: recommended Severity: low References: 1180603 This update for libselinux fixes the following issues: - Corrected the license to public domain (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:339-1 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Type: optional Severity: low References: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:529-1 Released: Fri Feb 19 14:53:47 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177 This update for python3 fixes the following issues: - CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126). - Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686). 
----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:580-1 Released: Wed Feb 24 11:16:42 2021 Summary: Optional update for python-cffi Type: optional Severity: low References: 1182471 This update for python-cffi fixes the following issues: - Restored compatibility with Python 2.7 update (bsc#1182471) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:596-1 Released: Thu Feb 25 10:26:30 2021 Summary: Recommended update for gcc7 Type: recommended Severity: moderate References: 1181618 This update for gcc7 fixes the following issues: - Fixed webkit2gtk3 build (bsc#1181618) - Change GCC exception licenses to SPDX format - Remove include-fixed/pthread.h ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:653-1 Released: Fri Feb 26 19:53:43 2021 Summary: Security update for glibc Type: security Severity: important References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326 This update for glibc fixes the following issues: - Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973) - x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) - iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:723-1 Released: Mon Mar 8 16:45:27 2021 Summary: Security update for openldap2 Type: security Severity: important References: 
1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 This update for openldap2 fixes the following issues: - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). - bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:753-1 Released: Tue Mar 9 17:09:57 2021 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1182331,1182333,CVE-2021-23840,CVE-2021-23841 This update for openssl-1_1 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:786-1 Released: Mon Mar 15 11:19:23 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1176201 This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:890-1 Released: Fri Mar 19 15:51:41 2021 Summary: Security update for glib2 Type: security Severity: important References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219 This update for glib2 fixes the following issues: - CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328) - CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:924-1 Released: Tue Mar 23 10:00:49 2021 Summary: Recommended update for filesystem Type: recommended Severity: moderate References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094 This update for filesystem fixes the following issues: - Remove duplicate line due to merge error - Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) - Fixed an issue causing a failure during installation/upgrade.
(rh#1548403) (bsc#1146705) - Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466) - Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519) This update for systemd fixes the following issues: - Fix for a possible memory leak. (bsc#1180020) - Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596) - Fixed an issue when starting a container conflicts with another one. (bsc#1178775) - Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831) - Don't use shell redirections when calling a rpm macro. (bsc#1183094) - 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:926-1 Released: Tue Mar 23 13:20:24 2021 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate References: 1083473,1112500,1115408,1165780,1183012 This update for systemd-presets-common-SUSE fixes the following issues: - Add default user preset containing: - enable `pulseaudio.socket` (bsc#1083473) - enable `pipewire.socket` (bsc#1183012) - enable `pipewire-pulse.socket` (bsc#1183012) - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23) - Changes to the default preset: - enable `btrfsmaintenance-refresh.path`. - disable `btrfsmaintenance-refresh.service`. - enable `dnf-makecache.timer`. - enable `ignition-firstboot-complete.service`. - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500) - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408) - remove enable `updatedb.timer` - Avoid needless refresh on boot. 
(bsc#1165780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:931-1 Released: Wed Mar 24 12:10:41 2021 Summary: Security update for nghttp2 Type: security Severity: important References: 1172442,1181358,CVE-2020-11080 This update for nghttp2 fixes the following issues: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:934-1 Released: Wed Mar 24 12:18:21 2021 Summary: Security update for gnutls Type: security Severity: important References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232 This update for gnutls fixes the following issues: - CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456). - CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:947-1 Released: Wed Mar 24 14:30:58 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1182379,CVE-2021-23336 This update for python3 fixes the following issues: - python36 was updated to 3.6.13 - CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:948-1 Released: Wed Mar 24 14:31:34 2021 Summary: Security update for zstd Type: security Severity: moderate References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032 This update for zstd fixes the following issues: - CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371). - CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:952-1 Released: Thu Mar 25 14:36:56 2021 Summary: Recommended update for libunwind Type: recommended Severity: moderate References: 1160876,1171549 This update for libunwind fixes the following issues: - Update to version 1.5.0. (jsc#ECO-3395) - Enable s390x for building. (jsc#ECO-3395) - Fix compilation with 'fno-common'. (bsc#1171549) - Fix build with 'GCC-10'. (bsc#1160876) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:953-1 Released: Thu Mar 25 14:37:26 2021 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: 1178407 This update for psmisc fixes the following issues: - Fix for 'fuser' when it does not show open kvm storage image files such as 'qcow2' files. (bsc#1178407) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:956-1 Released: Thu Mar 25 19:19:04 2021 Summary: Security update for libzypp, zypper Type: security Severity: moderate References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629,CVE-2017-9271 This update for libzypp, zypper fixes the following issues: Update zypper to version 1.14.43: - doc: give more details about creating versioned package locks (bsc#1181622) - man: Document synonymously used patch categories (bsc#1179847) - Fix source-download commands help (bsc#1180663) - man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816) - Extend apt packagemap (fixes #366) - --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077) - Prefer /run over /var/run. Update libzypp to 17.25.8: - Try to provide a mounted /proc in --root installs (bsc#1181328) Some systemd tools require /proc to be mounted and fail if it's not there.
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629) - Patch: Identify well-known category names (bsc#1179847) This allows to use the RH and SUSE patch category names synonymously: (recommended = bugfix) and (optional = feature = enhancement). - Add missing includes for GCC 11 compatibility. - Fix %posttrans script execution (fixes #265) The scripts are executable. No need to call them through 'sh -c'. - Commit: Fix rpmdb compat symlink in case rpm got removed. - Repo: Allow multiple baseurls specified on one line (fixes #285) - Regex: Fix memory leak and undefined behavior. - Add rpm buildrequires for test suite (fixes #279) - Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use. - CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583) - RepoManager: Force refresh if repo url has changed (bsc#1174016) - RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966) - RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427). - RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere.
(bsc#1178910) - Fixed update of gpg keys with elongated expire date (bsc#1179222) - needreboot: remove udev from the list (bsc#1179083) - Fix lsof monitoring (bsc#1179909) - Rephrase solver problem descriptions (jsc#SLE-8482) - Adapt to changed gpg2/libgpgme behavior (bsc#1180721) - Multicurl backend breaks with unknown filesize (fixes #277) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:985-1 Released: Tue Mar 30 14:42:46 2021 Summary: Recommended update for the Azure SDK and CLI Type: recommended Severity: moderate References: 1125671,1140565,1154393,1174514,1175289,1176784,1176785,1178168,CVE-2020-14343,CVE-2020-25659 This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit). (bsc#1176784, jsc#ECO=3105) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1004-1 Released: Thu Apr 1 15:07:09 2021 Summary: Recommended update for libcap Type: recommended Severity: moderate References: 1180073 This update for libcap fixes the following issues: - Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460) - Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1007-1 Released: Thu Apr 1 17:47:20 2021 Summary: Security update for MozillaFirefox Type: security Severity: important References: 1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987 This update for MozillaFirefox fixes the following issues: - Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942) * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage * CVE-2021-23984: Malicious extensions could have spoofed popup information * CVE-2021-23987: Memory safety bugs
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1141-1 Released: Mon Apr 12 13:13:36 2021 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1182791 This update for openldap2 fixes the following issues: - Improved the proxy connection timeout options to prune connections properly (bsc#1182791) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1169-1 Released: Tue Apr 13 15:01:42 2021 Summary: Recommended update for procps Type: recommended Severity: low References: 1181976 This update for procps fixes the following issues: - Corrected a statement in the man page about processor pinning via taskset (bsc#1181976) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1275-1 Released: Tue Apr 20 14:31:26 2021 Summary: Security update for sudo Type: security Severity: important References: 1183936,CVE-2021-3156 This update for sudo fixes the following issues: - L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1295-1 Released: Wed Apr 21 14:08:19 2021 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate References: 1184136 This update for systemd-presets-common-SUSE fixes the following issues: - Enabled hcn-init.service for HNV on POWER (bsc#1184136) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1296-1 Released: Wed Apr 21 14:09:28 2021 Summary: Optional update for e2fsprogs Type: optional Severity: low References: 1183791 This update for e2fsprogs fixes the following issues: - Fixed an issue when building e2fsprogs (bsc#1183791) This patch does not fix any user visible issues and is therefore optional to install. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1297-1 Released: Wed Apr 21 14:10:10 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1178219 This update for systemd fixes the following issues: - Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1407-1 Released: Wed Apr 28 15:49:02 2021 Summary: Recommended update for libcap Type: recommended Severity: important References: 1184690 This update for libcap fixes the following issues: - Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1412-1 Released: Wed Apr 28 17:09:28 2021 Summary: Security update for libnettle Type: security Severity: important References: 1184401,CVE-2021-20305 This update for libnettle fixes the following issues: - CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1449-1 Released: Fri Apr 30 08:08:25 2021 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1165780 This update for systemd-presets-branding-SLE fixes the following issues: - Don't enable 'btrfsmaintenance-refresh.service', 'btrfsmaintenance' is managed by systemd-presets-common-SUSE instead. 
(bsc#1165780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1472-1 Released: Tue May 4 08:56:37 2021 Summary: Security update for ceph, deepsea Type: security Severity: important References: 1145463,1174466,1177200,1178016,1178216,1178235,1178657,1178837,1178860,1178905,1179997,1180118,1180594,1181183,1181378,1181665,1183074,1183487,1183600,CVE-2020-25678,CVE-2020-27839,CVE-2021-20288 This update for ceph, deepsea fixes the following issues: - ceph was updated to 14.2.20-402-g6aa76c6815: * CVE-2021-20288: Fixed unauthorized global_id reuse (bsc#1183074). * CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905). * CVE-2020-27839: Use secure cookies to store JWT Token (bsc#1179997). * mgr/dashboard: prometheus alerting: add some leeway for package drops and errors (bsc#1145463) * mon: have 'mon stat' output json as well (bsc#1174466) * rpm: ceph-mgr-dashboard recommends python3-saml on SUSE (bsc#1177200) * mgr/dashboard: Display a warning message in Dashboard when debug mode is enabled (bsc#1178235) * rgw: cls/user: set from_index for reset stats calls (bsc#1178837) * mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860) * bluestore: provide a different name for fallback allocator (bsc#1180118) * test/run-cli-tests: use cram from github (bsc#1181378) * mgr/dashboard: fix 'Python2 Cookie module import fails on Python3' (bsc#1183487) * common: make ms_bind_msgr2 default to 'false' (bsc#1180594) - deepsea was updated to 0.9.35 * osd: add method to zap simple osds (bsc#1178657, bsc#1178216) * upgrade to cephadm: fix Drive Group generation (bsc#1181665) * Rework config change detection to handle global.conf correctly (bsc#1181183) * Use -i to pass credentials to `ceph dashboard` commands (bsc#1183600) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1523-1 Released: Wed May 5 18:24:20 2021 Summary: Security update for libxml2 Type: security Severity: moderate
References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518 This update for libxml2 fixes the following issues: - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1527-1 Released: Thu May 6 08:58:53 2021 Summary: Recommended update for bash Type: recommended Severity: important References: 1183064 This update for bash fixes the following issues: - Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1543-1 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Type: recommended Severity: moderate References: 1184435 This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1549-1 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1185417 This update for procps fixes the following issues: - Support up to 2048 CPU as well. 
(bsc#1185417) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1557-1 Released: Tue May 11 09:50:00 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1183374,CVE-2021-3426 This update for python3 fixes the following issues: - CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1565-1 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1185163 This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163); ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1592-1 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Type: optional Severity: low References: 1183797 This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1602-1 Released: Thu May 13 16:35:19 2021 Summary: Recommended update for libsolv, libzypp Type: recommended Severity: moderate References: 1180851,1181874,1182936,1183628,1184997,1185239 This update for libsolv and libzypp fixes the following issues: libsolv: Upgrade from version 0.7.17 to version 0.7.19 - Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned. - Fix memory leaks in error cases - Fix error handling in `solv_xfopen_fd()` - Fix regex code on win32 - fixed memory leak in choice rule generation - `repo_add_conda`: add a flag to skip version 2 packages. libzypp: Upgrade from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. 
(bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1612-1 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1647-1 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Type: security Severity: important References: 1185438,CVE-2021-3520 This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1654-1 Released: Wed May 19 16:43:36 2021 Summary: Security update for libxml2 Type: security Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 This update for libxml2 fixes the following issues: - CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1669-1 Released: Thu May 20 11:10:44 2021 Summary: Recommended update for nfs-utils Type: recommended Severity: moderate References: 1181540,1181651,1183194,1185170 This update for nfs-utils fixes the following issues: - The '/var/run' is long deprecated - switch all relevant paths to '/run'. (bsc#1185170) - Improve logging of authentication (bsc#1181540) - Add man page of the 'nconnect mount'. (bsc#1181651) - Fixed an issue when HANA crashed due to inaccessible/hanging NFS mount. (bsc#1183194) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1675-1 Released: Thu May 20 15:00:23 2021 Summary: Recommended update for snappy Type: recommended Severity: moderate References: 1080040,1184507 This update for snappy fixes the following issues: Update from version 1.1.3 to 1.1.8 - Small performance improvements. - Removed `snappy::string` alias for `std::string`. - Improved `CMake` configuration. - Improved packages descriptions. - Fix RPM groups. - Aarch64 fixes - PPC speedups - PIE improvements - Fix license install. (bsc#1080040) - Fix a 1% performance regression when snappy is used in PIE executable. 
- Improve compression performance by 5%. - Improve decompression performance by 20%. - Use better download URL. - Fix a build issue for tensorflow2. (bsc#1184507) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1769-1 Released: Wed May 26 14:00:17 2021 Summary: Security update for ceph Type: security Severity: important References: 1185619,1186020,1186021,CVE-2021-3509,CVE-2021-3524,CVE-2021-3531 This update for ceph fixes the following issues: - Update to 15.2.12-83-g528da226523: - (CVE-2021-3509) fix cookie injection issue (bsc#1186021) - (CVE-2021-3531) RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name (bsc#1186020) - (CVE-2021-3524) sanitize \r in s3 CORSConfiguration's ExposeHeader (bsc#1185619) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1773-1 Released: Wed May 26 17:22:21 2021 Summary: Recommended update for python3 Type: recommended Severity: low References: This update for python3 fixes the following issues: - Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1806-1 Released: Mon May 31 16:23:04 2021 Summary: Security update for python-httplib2 Type: security Severity: moderate References: 1171998,1182053,CVE-2020-11078,CVE-2021-21240 This update for python-httplib2 fixes the following issues: - Update to version 0.19.0 (bsc#1182053). - CVE-2021-21240: Fixed regular expression denial of service via malicious header (bsc#1182053). - CVE-2020-11078: Fixed unescaped part of uri where an attacker could change request headers and body (bsc#1182053).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1809-1 Released: Mon May 31 16:24:59 2021 Summary: Security update for curl Type: security Severity: moderate References: 1177976,1183933,1186114,CVE-2021-22876,CVE-2021-22898 This update for curl fixes the following issues: - CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933). - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976). - Allow partial chain verification (jsc#SLE-17956). From sle-security-updates at lists.suse.com Thu Jun 3 06:10:47 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 3 Jun 2021 08:10:47 +0200 (CEST) Subject: SUSE-CU-2021:239-1: Security update of ses/7/cephcsi/cephcsi Message-ID: <20210603061047.B24B3B46F22@westernhagen.suse.de> SUSE Container Update Advisory: ses/7/cephcsi/cephcsi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:239-1 Container Tags : ses/7/cephcsi/cephcsi:3.2.1 , ses/7/cephcsi/cephcsi:3.2.1.0.3.400 , ses/7/cephcsi/cephcsi:latest , ses/7/cephcsi/cephcsi:sle15.2.octopus , ses/7/cephcsi/cephcsi:v3.2.1 , ses/7/cephcsi/cephcsi:v3.2.1.0 Container Release : 3.400 Severity : important Type : security References : 1080040 1115550 1161276 1165780 1171998 1174162 1178680 1180851 1181443 1181540 1181651 1181874 1182053 1182611 1182899 1182936 1183064 1183074 1183194 1183374 1183628 1183797 1183899 1184231 1184358 1184401 1184435 1184507 1184614 1184687 1184690 1184997 1185163 1185170 1185190 1185239 1185408 1185408 1185409 1185409 1185410 1185410 1185417 1185438 1185562 1185619 1185698 1186020 1186021 1186114 CVE-2020-11078 CVE-2021-20288 CVE-2021-20305 CVE-2021-21240 CVE-2021-22898 CVE-2021-3426 CVE-2021-3509 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517 CVE-2021-3518 CVE-2021-3518 
CVE-2021-3520 CVE-2021-3524 CVE-2021-3531 CVE-2021-3537 ----------------------------------------------------------------- The container ses/7/cephcsi/cephcsi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1407-1 Released: Wed Apr 28 15:49:02 2021 Summary: Recommended update for libcap Type: recommended Severity: important References: 1184690 This update for libcap fixes the following issues: - Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1412-1 Released: Wed Apr 28 17:09:28 2021 Summary: Security update for libnettle Type: security Severity: important References: 1184401,CVE-2021-20305 This update for libnettle fixes the following issues: - CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1426-1 Released: Thu Apr 29 06:23:13 2021 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: This update for libsolv fixes the following issues: - Fix rare segfault in resolve_jobrules() that could happen if new rules are learnt. - Fix a couple of memory leaks in error cases. - Fix error handling in solv_xfopen_fd() - Fixed 'regex' code on win32. - Fixed memory leak in choice rule generation ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1449-1 Released: Fri Apr 30 08:08:25 2021 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1165780 This update for systemd-presets-branding-SLE fixes the following issues: - Don't enable 'btrfsmaintenance-refresh.service', 'btrfsmaintenance' is managed by systemd-presets-common-SUSE instead. 
(bsc#1165780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1466-1 Released: Tue May 4 08:30:57 2021 Summary: Security update for permissions Type: security Severity: important References: 1182899 This update for permissions fixes the following issues: - etc/permissions: remove unnecessary entries (bsc#1182899) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1475-1 Released: Tue May 4 08:59:27 2021 Summary: Security update for ceph Type: security Severity: important References: 1183074,1183899,1184231,CVE-2021-20288 This update for ceph fixes the following issues: - ceph was updated to 15.2.11-83-g8a15f484c2: * CVE-2021-20288: Fixed unauthorized global_id reuse (bsc#1183074). * disk gets replaced with no rocksdb/wal (bsc#1184231). * BlueStore handles huge(>4GB) writes from RocksDB to BlueFS poorly, potentially causing data corruption (bsc#1183899). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1481-1 Released: Tue May 4 14:18:32 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1178680 This update for lvm2 fixes the following issues: - Add metadata-based autoactivation property for volume group and logical volume. (bsc#1178680) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1521-1 Released: Wed May 5 17:52:55 2021 Summary: Recommended update for ceph-iscsi Type: recommended Severity: moderate References: 1182611 This update for ceph-iscsi fixes the following issues: - Fix for the gateway when it fails to start using SSL.
(bsc#1182611) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1523-1 Released: Wed May 5 18:24:20 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518 This update for libxml2 fixes the following issues: - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1527-1 Released: Thu May 6 08:58:53 2021 Summary: Recommended update for bash Type: recommended Severity: important References: 1183064 This update for bash fixes the following issues: - Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1528-1 Released: Thu May 6 15:31:23 2021 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1161276 This update for openssl-1_1 fixes the following issues: - Do not list disapproved cipher algorithms while in 'FIPS' mode. (bsc#1161276) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1543-1 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Type: recommended Severity: moderate References: 1184435 This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. 
(bsc#1184435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1544-1 Released: Fri May 7 16:34:41 2021 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1180851,1181874,1182936,1183628,1184997,1185239 This update for libzypp fixes the following issues: Upgrade from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1549-1 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1185417 This update for procps fixes the following issues: - Support up to 2048 CPU as well. (bsc#1185417) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1557-1 Released: Tue May 11 09:50:00 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1183374,CVE-2021-3426 This update for python3 fixes the following issues: - CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1565-1 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1185163 This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files. 
(bsc#1185163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1582-1 Released: Wed May 12 13:40:03 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1184687,1185190 This update for lvm2 fixes the following issues: - Honor 'lvm.conf' parameter event_activation=0 on 'pvscan --cache -aay'. (bsc#1185190) - Fixed an issue when LVM can't be disabled on boot. (bsc#1184687) - Update patch for avoiding apply warning messages. (bsc#1012973) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1592-1 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Type: optional Severity: low References: 1183797 This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1612-1 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. 
(bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1647-1 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Type: security Severity: important References: 1185438,CVE-2021-3520 This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1654-1 Released: Wed May 19 16:43:36 2021 Summary: Security update for libxml2 Type: security Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 This update for libxml2 fixes the following issues: - CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1669-1 Released: Thu May 20 11:10:44 2021 Summary: Recommended update for nfs-utils Type: recommended Severity: moderate References: 1181540,1181651,1183194,1185170 This update for nfs-utils fixes the following issues: - The '/var/run' is long deprecated - switch all relevant paths to '/run'. (bsc#1185170) - Improve logging of authentication (bsc#1181540) - Add man page of the 'nconnect mount'. (bsc#1181651) - Fixed an issue when HANA crashed due to inaccessible/hanging NFS mount. 
(bsc#1183194) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1675-1 Released: Thu May 20 15:00:23 2021 Summary: Recommended update for snappy Type: recommended Severity: moderate References: 1080040,1184507 This update for snappy fixes the following issues: Update from version 1.1.3 to 1.1.8 - Small performance improvements. - Removed `snappy::string` alias for `std::string`. - Improved `CMake` configuration. - Improved packages descriptions. - Fix RPM groups. - Aarch64 fixes - PPC speedups - PIE improvements - Fix license install. (bsc#1080040) - Fix a 1% performance regression when snappy is used in PIE executable. - Improve compression performance by 5%. - Improve decompression performance by 20%. - Use better download URL. - Fix a build issue for tensorflow2. (bsc#1184507) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1762-1 Released: Wed May 26 12:30:01 2021 Summary: Security update for curl Type: security Severity: moderate References: 1186114,CVE-2021-22898 This update for curl fixes the following issues: - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Allow partial chain verification [jsc#SLE-17956] * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. * Set FLAG_TRUSTED_FIRST unconditionally. * Do not check partial chains with CRL check. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1773-1 Released: Wed May 26 17:22:21 2021 Summary: Recommended update for python3 Type: recommended Severity: low References: This update for python3 fixes the following issues: - Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1777-1 Released: Thu May 27 11:20:53 2021 Summary: Security update for ceph Type: security Severity: important References: 1185619,1186020,1186021,CVE-2021-3509,CVE-2021-3524,CVE-2021-3531 This update for ceph fixes the following issues: - Update to 15.2.12-83-g528da226523: - (CVE-2021-3509) fix cookie injection issue (bsc#1186021) - (CVE-2021-3531) RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name (bsc#1186020) - (CVE-2021-3524) sanitize \r in s3 CORSConfiguration's ExposeHeader (bsc#1185619) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1801-1 Released: Mon May 31 07:36:01 2021 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1115550,1174162 This update for openssh fixes the following issues: - Fixed a race condition leading to a sshd termination of multichannel sessions with non-root users (bsc#1115550, bsc#1174162). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1806-1 Released: Mon May 31 16:23:04 2021 Summary: Security update for python-httplib2 Type: security Severity: moderate References: 1171998,1182053,CVE-2020-11078,CVE-2021-21240 This update for python-httplib2 fixes the following issues: - Update to version 0.19.0 (bsc#1182053). - CVE-2021-21240: Fixed regular expression denial of service via malicious header (bsc#1182053). 
- CVE-2020-11078: Fixed unescaped part of uri where an attacker could change request headers and body (bsc#1182053). From sle-security-updates at lists.suse.com Thu Jun 3 06:13:53 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 3 Jun 2021 08:13:53 +0200 (CEST) Subject: SUSE-CU-2021:240-1: Security update of ses/7/ceph/ceph Message-ID: <20210603061353.52AA2B46F22@westernhagen.suse.de> SUSE Container Update Advisory: ses/7/ceph/ceph ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:240-1 Container Tags : ses/7/ceph/ceph:15.2.12.83 , ses/7/ceph/ceph:15.2.12.83.4.214 , ses/7/ceph/ceph:latest , ses/7/ceph/ceph:sle15.2.octopus Container Release : 4.214 Severity : important Type : security References : 1080040 1115550 1161276 1171998 1174162 1180851 1181443 1181540 1181651 1181874 1182053 1182936 1183064 1183194 1183374 1183628 1183797 1184358 1184399 1184435 1184507 1184614 1184687 1184997 1185163 1185170 1185190 1185239 1185277 1185363 1185363 1185408 1185409 1185410 1185417 1185438 1185562 1185619 1185698 1186020 1186021 1186114 CVE-2020-11078 CVE-2021-21240 CVE-2021-22898 CVE-2021-3426 CVE-2021-3509 CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 CVE-2021-3520 CVE-2021-3524 CVE-2021-3531 CVE-2021-3537 ----------------------------------------------------------------- The container ses/7/ceph/ceph was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1527-1 Released: Thu May 6 08:58:53 2021 Summary: Recommended update for bash Type: recommended Severity: important References: 1183064 This update for bash fixes the following issues: - Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. 
(bsc#1183064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1528-1 Released: Thu May 6 15:31:23 2021 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1161276 This update for openssl-1_1 fixes the following issues: - Do not list disapproved cipher algorithms while in 'FIPS' mode. (bsc#1161276) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1543-1 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Type: recommended Severity: moderate References: 1184435 This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1544-1 Released: Fri May 7 16:34:41 2021 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1180851,1181874,1182936,1183628,1184997,1185239 This update for libzypp fixes the following issues: Upgrade from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1549-1 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1185417 This update for procps fixes the following issues: - Support up to 2048 CPU as well. 
(bsc#1185417) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1552-1 Released: Mon May 10 19:15:13 2021 Summary: Recommended update for strongswan Type: recommended Severity: moderate References: 1185363 This update for strongswan fixes the following issues: - Added support for AES CCM aead algorithms to openssl plugin (bsc#1185363) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1557-1 Released: Tue May 11 09:50:00 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1183374,CVE-2021-3426 This update for python3 fixes the following issues: - CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1565-1 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1185163 This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1582-1 Released: Wed May 12 13:40:03 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1184687,1185190 This update for lvm2 fixes the following issues: - Honor 'lvm.conf' parameter event_activation=0 on 'pvscan --cache -aay'. (bsc#1185190) - Fixed an issue when LVM can't be disabled on boot. (bsc#1184687) - Update patch for avoiding apply warning messages. (bsc#1012973) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1592-1 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Type: optional Severity: low References: 1183797 This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1600-1 Released: Thu May 13 16:34:08 2021 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1185277 This update for dracut fixes the following issue: Update to version 049.1+suse.188.gbf445638: - Do not resolve symbolic links before `instmod`. (bsc#1185277) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1612-1 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1640-1 Released: Wed May 19 13:47:50 2021 Summary: Recommended update for strongswan Type: recommended Severity: moderate References: 1185363 This update for strongswan fixes the following issues: - FIPS: Replace AEAD AES CCM patch with upstream variant (bsc#1185363) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. 
(bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1647-1 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Type: security Severity: important References: 1185438,CVE-2021-3520 This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1654-1 Released: Wed May 19 16:43:36 2021 Summary: Security update for libxml2 Type: security Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 This update for libxml2 fixes the following issues: - CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1669-1 Released: Thu May 20 11:10:44 2021 Summary: Recommended update for nfs-utils Type: recommended Severity: moderate References: 1181540,1181651,1183194,1185170 This update for nfs-utils fixes the following issues: - The '/var/run' is long deprecated - switch all relevant paths to '/run'. (bsc#1185170) - Improve logging of authentication (bsc#1181540) - Add man page of the 'nconnect mount'. (bsc#1181651) - Fixed an issue when HANA crashed due to inaccessible/hanging NFS mount. 
(bsc#1183194) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1675-1 Released: Thu May 20 15:00:23 2021 Summary: Recommended update for snappy Type: recommended Severity: moderate References: 1080040,1184507 This update for snappy fixes the following issues: Update from version 1.1.3 to 1.1.8 - Small performance improvements. - Removed `snappy::string` alias for `std::string`. - Improved `CMake` configuration. - Improved packages descriptions. - Fix RPM groups. - Aarch64 fixes - PPC speedups - PIE improvements - Fix license install. (bsc#1080040) - Fix a 1% performance regression when snappy is used in PIE executable. - Improve compression performance by 5%. - Improve decompression performance by 20%. - Use better download URL. - Fix a build issue for tensorflow2. (bsc#1184507) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1677-1 Released: Thu May 20 15:29:32 2021 Summary: Recommended update for purge-kernels-service Type: recommended Severity: low References: 1184399 This update for purge-kernels-service fixes the following issues: - Add 'ZYPP_LOCK_TIMEOUT=-1' to keep waiting for the lock to avoid possible conflict with other background services using zypper. (bsc#1184399) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1762-1 Released: Wed May 26 12:30:01 2021 Summary: Security update for curl Type: security Severity: moderate References: 1186114,CVE-2021-22898 This update for curl fixes the following issues: - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Allow partial chain verification [jsc#SLE-17956] * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. * Set FLAG_TRUSTED_FIRST unconditionally. 
* Do not check partial chains with CRL check. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1773-1 Released: Wed May 26 17:22:21 2021 Summary: Recommended update for python3 Type: recommended Severity: low References: This update for python3 fixes the following issues: - Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1777-1 Released: Thu May 27 11:20:53 2021 Summary: Security update for ceph Type: security Severity: important References: 1185619,1186020,1186021,CVE-2021-3509,CVE-2021-3524,CVE-2021-3531 This update for ceph fixes the following issues: - Update to 15.2.12-83-g528da226523: - (CVE-2021-3509) fix cookie injection issue (bsc#1186021) - (CVE-2021-3531) RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name (bsc#1186020) - (CVE-2021-3524) sanitize \r in s3 CORSConfiguration's ExposeHeader (bsc#1185619) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1801-1 Released: Mon May 31 07:36:01 2021 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1115550,1174162 This update for openssh fixes the following issues: - Fixed a race condition leading to a sshd termination of multichannel sessions with non-root users (bsc#1115550, bsc#1174162). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1806-1 Released: Mon May 31 16:23:04 2021 Summary: Security update for python-httplib2 Type: security Severity: moderate References: 1171998,1182053,CVE-2020-11078,CVE-2021-21240 This update for python-httplib2 fixes the following issues: - Update to version 0.19.0 (bsc#1182053). - CVE-2021-21240: Fixed regular expression denial of service via malicious header (bsc#1182053). 
- CVE-2020-11078: Fixed unescaped part of uri where an attacker could change request headers and body (bsc#1182053). From sle-security-updates at lists.suse.com Thu Jun 3 06:16:59 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 3 Jun 2021 08:16:59 +0200 (CEST) Subject: SUSE-CU-2021:241-1: Security update of ses/7/rook/ceph Message-ID: <20210603061659.E98CEB46F22@westernhagen.suse.de> SUSE Container Update Advisory: ses/7/rook/ceph ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:241-1 Container Tags : ses/7/rook/ceph:1.5.10 , ses/7/rook/ceph:1.5.10.4 , ses/7/rook/ceph:1.5.10.4.1.1630 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus Container Release : 1.1630 Severity : important Type : security References : 1080040 1115550 1161276 1171998 1174162 1180851 1181443 1181540 1181651 1181874 1182053 1182936 1183064 1183194 1183374 1183628 1183797 1184358 1184435 1184507 1184614 1184687 1184997 1185163 1185170 1185190 1185239 1185408 1185409 1185410 1185417 1185438 1185562 1185619 1185698 1186020 1186021 1186114 CVE-2020-11078 CVE-2021-21240 CVE-2021-22898 CVE-2021-3426 CVE-2021-3509 CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 CVE-2021-3520 CVE-2021-3524 CVE-2021-3531 CVE-2021-3537 ----------------------------------------------------------------- The container ses/7/rook/ceph was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1527-1 Released: Thu May 6 08:58:53 2021 Summary: Recommended update for bash Type: recommended Severity: important References: 1183064 This update for bash fixes the following issues: - Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. 
(bsc#1183064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1528-1 Released: Thu May 6 15:31:23 2021 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1161276 This update for openssl-1_1 fixes the following issues: - Do not list disapproved cipher algorithms while in 'FIPS' mode. (bsc#1161276) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1543-1 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Type: recommended Severity: moderate References: 1184435 This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1544-1 Released: Fri May 7 16:34:41 2021 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1180851,1181874,1182936,1183628,1184997,1185239 This update for libzypp fixes the following issues: Upgrade from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1549-1 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1185417 This update for procps fixes the following issues: - Support up to 2048 CPU as well. 
(bsc#1185417) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1557-1 Released: Tue May 11 09:50:00 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1183374,CVE-2021-3426 This update for python3 fixes the following issues: - CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1565-1 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1185163 This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1582-1 Released: Wed May 12 13:40:03 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1184687,1185190 This update for lvm2 fixes the following issues: - Honor 'lvm.conf' parameter event_activation=0 on 'pvscan --cache -aay'. (bsc#1185190) - Fixed an issue when LVM can't be disabled on boot. (bsc#1184687) - Update patch for avoiding apply warning messages. (bsc#1012973) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1592-1 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Type: optional Severity: low References: 1183797 This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1612-1 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. 
(bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1647-1 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Type: security Severity: important References: 1185438,CVE-2021-3520 This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1654-1 Released: Wed May 19 16:43:36 2021 Summary: Security update for libxml2 Type: security Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 This update for libxml2 fixes the following issues: - CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1669-1 Released: Thu May 20 11:10:44 2021 Summary: Recommended update for nfs-utils Type: recommended Severity: moderate References: 1181540,1181651,1183194,1185170 This update for nfs-utils fixes the following issues: - The '/var/run' is long deprecated - switch all relevant paths to '/run'. (bsc#1185170) - Improve logging of authentication (bsc#1181540) - Add man page of the 'nconnect mount'. (bsc#1181651) - Fixed an issue when HANA crashed due to inaccessible/hanging NFS mount. (bsc#1183194) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1675-1 Released: Thu May 20 15:00:23 2021 Summary: Recommended update for snappy Type: recommended Severity: moderate References: 1080040,1184507 This update for snappy fixes the following issues: Update from version 1.1.3 to 1.1.8 - Small performance improvements. - Removed `snappy::string` alias for `std::string`. - Improved `CMake` configuration. - Improved packages descriptions. - Fix RPM groups. - Aarch64 fixes - PPC speedups - PIE improvements - Fix license install. (bsc#1080040) - Fix a 1% performance regression when snappy is used in PIE executable. - Improve compression performance by 5%. - Improve decompression performance by 20%. - Use better download URL. - Fix a build issue for tensorflow2. (bsc#1184507) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1762-1 Released: Wed May 26 12:30:01 2021 Summary: Security update for curl Type: security Severity: moderate References: 1186114,CVE-2021-22898 This update for curl fixes the following issues: - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Allow partial chain verification [jsc#SLE-17956] * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. 
This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. * Set FLAG_TRUSTED_FIRST unconditionally. * Do not check partial chains with CRL check. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1773-1 Released: Wed May 26 17:22:21 2021 Summary: Recommended update for python3 Type: recommended Severity: low References: This update for python3 fixes the following issues: - Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1777-1 Released: Thu May 27 11:20:53 2021 Summary: Security update for ceph Type: security Severity: important References: 1185619,1186020,1186021,CVE-2021-3509,CVE-2021-3524,CVE-2021-3531 This update for ceph fixes the following issues: - Update to 15.2.12-83-g528da226523: - (CVE-2021-3509) fix cookie injection issue (bsc#1186021) - (CVE-2021-3531) RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name (bsc#1186020) - (CVE-2021-3524) sanitize \r in s3 CORSConfiguration's ExposeHeader (bsc#1185619) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1801-1 Released: Mon May 31 07:36:01 2021 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1115550,1174162 This update for openssh fixes the following issues: - Fixed a race condition leading to a sshd termination of multichannel sessions with non-root users (bsc#1115550, bsc#1174162). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1806-1 Released: Mon May 31 16:23:04 2021 Summary: Security update for python-httplib2 Type: security Severity: moderate References: 1171998,1182053,CVE-2020-11078,CVE-2021-21240 This update for python-httplib2 fixes the following issues: - Update to version 0.19.0 (bsc#1182053). - CVE-2021-21240: Fixed regular expression denial of service via malicious header (bsc#1182053). - CVE-2020-11078: Fixed unescaped part of uri where an attacker could change request headers and body (bsc#1182053). From sle-security-updates at lists.suse.com Thu Jun 3 19:18:14 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 3 Jun 2021 21:18:14 +0200 (CEST) Subject: SUSE-SU-2021:1845-1: important: Security update for avahi Message-ID: <20210603191814.5478DFD07@maintenance.suse.de> SUSE Security Update: Security update for avahi ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1845-1 Rating: important References: #1180827 #1184521 Cross-References: CVE-2021-26720 CVE-2021-3468 CVSS scores: CVE-2021-26720 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-26720 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3468 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for avahi fixes the following issues: - CVE-2021-3468: avoid infinite loop by handling HUP event in client_work (bsc#1184521). 
- CVE-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827) - Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d. - Add sudo to requires: used to drop privileges. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1845=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1845=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1845=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1845=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): avahi-0.6.32-5.13.1 avahi-autoipd-0.6.32-5.13.1 avahi-autoipd-debuginfo-0.6.32-5.13.1 avahi-compat-howl-devel-0.6.32-5.13.1 avahi-compat-mDNSResponder-devel-0.6.32-5.13.1 avahi-debuginfo-0.6.32-5.13.1 avahi-debugsource-0.6.32-5.13.1 avahi-glib2-debugsource-0.6.32-5.13.1 avahi-utils-0.6.32-5.13.1 avahi-utils-debuginfo-0.6.32-5.13.1 avahi-utils-gtk-0.6.32-5.13.1 avahi-utils-gtk-debuginfo-0.6.32-5.13.1 libavahi-client3-0.6.32-5.13.1 libavahi-client3-debuginfo-0.6.32-5.13.1 libavahi-common3-0.6.32-5.13.1 libavahi-common3-debuginfo-0.6.32-5.13.1 libavahi-core7-0.6.32-5.13.1 libavahi-core7-debuginfo-0.6.32-5.13.1 libavahi-devel-0.6.32-5.13.1 libavahi-glib-devel-0.6.32-5.13.1 libavahi-glib1-0.6.32-5.13.1 libavahi-glib1-debuginfo-0.6.32-5.13.1 libavahi-gobject-devel-0.6.32-5.13.1 libavahi-gobject0-0.6.32-5.13.1 libavahi-gobject0-debuginfo-0.6.32-5.13.1 libavahi-ui-gtk3-0-0.6.32-5.13.1 libavahi-ui-gtk3-0-debuginfo-0.6.32-5.13.1 libavahi-ui0-0.6.32-5.13.1 libavahi-ui0-debuginfo-0.6.32-5.13.1 libdns_sd-0.6.32-5.13.1 
libdns_sd-debuginfo-0.6.32-5.13.1 libhowl0-0.6.32-5.13.1 libhowl0-debuginfo-0.6.32-5.13.1 typelib-1_0-Avahi-0_6-0.6.32-5.13.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): avahi-lang-0.6.32-5.13.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): avahi-32bit-debuginfo-0.6.32-5.13.1 libavahi-client3-32bit-0.6.32-5.13.1 libavahi-client3-32bit-debuginfo-0.6.32-5.13.1 libavahi-common3-32bit-0.6.32-5.13.1 libavahi-common3-32bit-debuginfo-0.6.32-5.13.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): avahi-0.6.32-5.13.1 avahi-autoipd-0.6.32-5.13.1 avahi-autoipd-debuginfo-0.6.32-5.13.1 avahi-compat-howl-devel-0.6.32-5.13.1 avahi-compat-mDNSResponder-devel-0.6.32-5.13.1 avahi-debuginfo-0.6.32-5.13.1 avahi-debugsource-0.6.32-5.13.1 avahi-glib2-debugsource-0.6.32-5.13.1 avahi-utils-0.6.32-5.13.1 avahi-utils-debuginfo-0.6.32-5.13.1 avahi-utils-gtk-0.6.32-5.13.1 avahi-utils-gtk-debuginfo-0.6.32-5.13.1 libavahi-client3-0.6.32-5.13.1 libavahi-client3-debuginfo-0.6.32-5.13.1 libavahi-common3-0.6.32-5.13.1 libavahi-common3-debuginfo-0.6.32-5.13.1 libavahi-core7-0.6.32-5.13.1 libavahi-core7-debuginfo-0.6.32-5.13.1 libavahi-devel-0.6.32-5.13.1 libavahi-glib-devel-0.6.32-5.13.1 libavahi-glib1-0.6.32-5.13.1 libavahi-glib1-debuginfo-0.6.32-5.13.1 libavahi-gobject-devel-0.6.32-5.13.1 libavahi-gobject0-0.6.32-5.13.1 libavahi-gobject0-debuginfo-0.6.32-5.13.1 libavahi-ui-gtk3-0-0.6.32-5.13.1 libavahi-ui-gtk3-0-debuginfo-0.6.32-5.13.1 libavahi-ui0-0.6.32-5.13.1 libavahi-ui0-debuginfo-0.6.32-5.13.1 libdns_sd-0.6.32-5.13.1 libdns_sd-debuginfo-0.6.32-5.13.1 libhowl0-0.6.32-5.13.1 libhowl0-debuginfo-0.6.32-5.13.1 typelib-1_0-Avahi-0_6-0.6.32-5.13.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): avahi-lang-0.6.32-5.13.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): avahi-0.6.32-5.13.1 avahi-autoipd-0.6.32-5.13.1 avahi-autoipd-debuginfo-0.6.32-5.13.1 avahi-compat-howl-devel-0.6.32-5.13.1 avahi-compat-mDNSResponder-devel-0.6.32-5.13.1 
avahi-debuginfo-0.6.32-5.13.1 avahi-debugsource-0.6.32-5.13.1 avahi-glib2-debugsource-0.6.32-5.13.1 avahi-utils-0.6.32-5.13.1 avahi-utils-debuginfo-0.6.32-5.13.1 avahi-utils-gtk-0.6.32-5.13.1 avahi-utils-gtk-debuginfo-0.6.32-5.13.1 libavahi-client3-0.6.32-5.13.1 libavahi-client3-debuginfo-0.6.32-5.13.1 libavahi-common3-0.6.32-5.13.1 libavahi-common3-debuginfo-0.6.32-5.13.1 libavahi-core7-0.6.32-5.13.1 libavahi-core7-debuginfo-0.6.32-5.13.1 libavahi-devel-0.6.32-5.13.1 libavahi-glib-devel-0.6.32-5.13.1 libavahi-glib1-0.6.32-5.13.1 libavahi-glib1-debuginfo-0.6.32-5.13.1 libavahi-gobject-devel-0.6.32-5.13.1 libavahi-gobject0-0.6.32-5.13.1 libavahi-gobject0-debuginfo-0.6.32-5.13.1 libavahi-ui-gtk3-0-0.6.32-5.13.1 libavahi-ui-gtk3-0-debuginfo-0.6.32-5.13.1 libavahi-ui0-0.6.32-5.13.1 libavahi-ui0-debuginfo-0.6.32-5.13.1 libdns_sd-0.6.32-5.13.1 libdns_sd-debuginfo-0.6.32-5.13.1 libhowl0-0.6.32-5.13.1 libhowl0-debuginfo-0.6.32-5.13.1 typelib-1_0-Avahi-0_6-0.6.32-5.13.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): avahi-32bit-debuginfo-0.6.32-5.13.1 libavahi-client3-32bit-0.6.32-5.13.1 libavahi-client3-32bit-debuginfo-0.6.32-5.13.1 libavahi-common3-32bit-0.6.32-5.13.1 libavahi-common3-32bit-debuginfo-0.6.32-5.13.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): avahi-lang-0.6.32-5.13.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): avahi-0.6.32-5.13.1 avahi-autoipd-0.6.32-5.13.1 avahi-autoipd-debuginfo-0.6.32-5.13.1 avahi-compat-howl-devel-0.6.32-5.13.1 avahi-compat-mDNSResponder-devel-0.6.32-5.13.1 avahi-debuginfo-0.6.32-5.13.1 avahi-debugsource-0.6.32-5.13.1 avahi-glib2-debugsource-0.6.32-5.13.1 avahi-utils-0.6.32-5.13.1 avahi-utils-debuginfo-0.6.32-5.13.1 avahi-utils-gtk-0.6.32-5.13.1 avahi-utils-gtk-debuginfo-0.6.32-5.13.1 libavahi-client3-0.6.32-5.13.1 libavahi-client3-debuginfo-0.6.32-5.13.1 libavahi-common3-0.6.32-5.13.1 libavahi-common3-debuginfo-0.6.32-5.13.1 libavahi-core7-0.6.32-5.13.1 
libavahi-core7-debuginfo-0.6.32-5.13.1 libavahi-devel-0.6.32-5.13.1 libavahi-glib-devel-0.6.32-5.13.1 libavahi-glib1-0.6.32-5.13.1 libavahi-glib1-debuginfo-0.6.32-5.13.1 libavahi-gobject-devel-0.6.32-5.13.1 libavahi-gobject0-0.6.32-5.13.1 libavahi-gobject0-debuginfo-0.6.32-5.13.1 libavahi-ui-gtk3-0-0.6.32-5.13.1 libavahi-ui-gtk3-0-debuginfo-0.6.32-5.13.1 libavahi-ui0-0.6.32-5.13.1 libavahi-ui0-debuginfo-0.6.32-5.13.1 libdns_sd-0.6.32-5.13.1 libdns_sd-debuginfo-0.6.32-5.13.1 libhowl0-0.6.32-5.13.1 libhowl0-debuginfo-0.6.32-5.13.1 typelib-1_0-Avahi-0_6-0.6.32-5.13.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): avahi-32bit-debuginfo-0.6.32-5.13.1 libavahi-client3-32bit-0.6.32-5.13.1 libavahi-client3-32bit-debuginfo-0.6.32-5.13.1 libavahi-common3-32bit-0.6.32-5.13.1 libavahi-common3-32bit-debuginfo-0.6.32-5.13.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): avahi-lang-0.6.32-5.13.1 References: https://www.suse.com/security/cve/CVE-2021-26720.html https://www.suse.com/security/cve/CVE-2021-3468.html https://bugzilla.suse.com/1180827 https://bugzilla.suse.com/1184521 From sle-security-updates at lists.suse.com Thu Jun 3 19:20:28 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 3 Jun 2021 21:20:28 +0200 (CEST) Subject: SUSE-SU-2021:1844-1: important: Security update for polkit Message-ID: <20210603192028.482C5FD07@maintenance.suse.de> SUSE Security Update: Security update for polkit ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1844-1 Rating: important References: #1186497 Cross-References: CVE-2021-3560 CVSS scores: CVE-2021-3560 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 
15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for polkit fixes the following issues: - CVE-2021-3560: Fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1844=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1844=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1844=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1844=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1844=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1844=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1844=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1844=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1844=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch 
SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1844=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1844=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1844=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1844=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): libpolkit0-0.114-3.12.1 libpolkit0-debuginfo-0.114-3.12.1 polkit-0.114-3.12.1 polkit-debuginfo-0.114-3.12.1 polkit-debugsource-0.114-3.12.1 polkit-devel-0.114-3.12.1 polkit-devel-debuginfo-0.114-3.12.1 typelib-1_0-Polkit-1_0-0.114-3.12.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): libpolkit0-0.114-3.12.1 libpolkit0-debuginfo-0.114-3.12.1 polkit-0.114-3.12.1 polkit-debuginfo-0.114-3.12.1 polkit-debugsource-0.114-3.12.1 polkit-devel-0.114-3.12.1 polkit-devel-debuginfo-0.114-3.12.1 typelib-1_0-Polkit-1_0-0.114-3.12.1 - SUSE Manager Proxy 4.0 (x86_64): libpolkit0-0.114-3.12.1 libpolkit0-debuginfo-0.114-3.12.1 polkit-0.114-3.12.1 polkit-debuginfo-0.114-3.12.1 polkit-debugsource-0.114-3.12.1 polkit-devel-0.114-3.12.1 polkit-devel-debuginfo-0.114-3.12.1 typelib-1_0-Polkit-1_0-0.114-3.12.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): libpolkit0-0.114-3.12.1 libpolkit0-debuginfo-0.114-3.12.1 polkit-0.114-3.12.1 polkit-debuginfo-0.114-3.12.1 polkit-debugsource-0.114-3.12.1 polkit-devel-0.114-3.12.1 polkit-devel-debuginfo-0.114-3.12.1 typelib-1_0-Polkit-1_0-0.114-3.12.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libpolkit0-0.114-3.12.1 libpolkit0-debuginfo-0.114-3.12.1 polkit-0.114-3.12.1 polkit-debuginfo-0.114-3.12.1 polkit-debugsource-0.114-3.12.1 polkit-devel-0.114-3.12.1 polkit-devel-debuginfo-0.114-3.12.1 
typelib-1_0-Polkit-1_0-0.114-3.12.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): libpolkit0-0.114-3.12.1 libpolkit0-debuginfo-0.114-3.12.1 polkit-0.114-3.12.1 polkit-debuginfo-0.114-3.12.1 polkit-debugsource-0.114-3.12.1 polkit-devel-0.114-3.12.1 polkit-devel-debuginfo-0.114-3.12.1 typelib-1_0-Polkit-1_0-0.114-3.12.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): libpolkit0-0.114-3.12.1 libpolkit0-debuginfo-0.114-3.12.1 polkit-0.114-3.12.1 polkit-debuginfo-0.114-3.12.1 polkit-debugsource-0.114-3.12.1 polkit-devel-0.114-3.12.1 polkit-devel-debuginfo-0.114-3.12.1 typelib-1_0-Polkit-1_0-0.114-3.12.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libpolkit0-0.114-3.12.1 libpolkit0-debuginfo-0.114-3.12.1 polkit-0.114-3.12.1 polkit-debuginfo-0.114-3.12.1 polkit-debugsource-0.114-3.12.1 polkit-devel-0.114-3.12.1 polkit-devel-debuginfo-0.114-3.12.1 typelib-1_0-Polkit-1_0-0.114-3.12.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): libpolkit0-0.114-3.12.1 libpolkit0-debuginfo-0.114-3.12.1 polkit-0.114-3.12.1 polkit-debuginfo-0.114-3.12.1 polkit-debugsource-0.114-3.12.1 polkit-devel-0.114-3.12.1 polkit-devel-debuginfo-0.114-3.12.1 typelib-1_0-Polkit-1_0-0.114-3.12.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): libpolkit0-0.114-3.12.1 libpolkit0-debuginfo-0.114-3.12.1 polkit-0.114-3.12.1 polkit-debuginfo-0.114-3.12.1 polkit-debugsource-0.114-3.12.1 polkit-devel-0.114-3.12.1 polkit-devel-debuginfo-0.114-3.12.1 typelib-1_0-Polkit-1_0-0.114-3.12.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libpolkit0-0.114-3.12.1 libpolkit0-debuginfo-0.114-3.12.1 polkit-0.114-3.12.1 polkit-debuginfo-0.114-3.12.1 polkit-debugsource-0.114-3.12.1 polkit-devel-0.114-3.12.1 polkit-devel-debuginfo-0.114-3.12.1 typelib-1_0-Polkit-1_0-0.114-3.12.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libpolkit0-0.114-3.12.1 
libpolkit0-debuginfo-0.114-3.12.1 polkit-0.114-3.12.1 polkit-debuginfo-0.114-3.12.1 polkit-debugsource-0.114-3.12.1 polkit-devel-0.114-3.12.1 polkit-devel-debuginfo-0.114-3.12.1 typelib-1_0-Polkit-1_0-0.114-3.12.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): libpolkit0-0.114-3.12.1 libpolkit0-debuginfo-0.114-3.12.1 polkit-0.114-3.12.1 polkit-debuginfo-0.114-3.12.1 polkit-debugsource-0.114-3.12.1 polkit-devel-0.114-3.12.1 polkit-devel-debuginfo-0.114-3.12.1 typelib-1_0-Polkit-1_0-0.114-3.12.1 - SUSE CaaS Platform 4.0 (x86_64): libpolkit0-0.114-3.12.1 libpolkit0-debuginfo-0.114-3.12.1 polkit-0.114-3.12.1 polkit-debuginfo-0.114-3.12.1 polkit-debugsource-0.114-3.12.1 polkit-devel-0.114-3.12.1 polkit-devel-debuginfo-0.114-3.12.1 typelib-1_0-Polkit-1_0-0.114-3.12.1 References: https://www.suse.com/security/cve/CVE-2021-3560.html https://bugzilla.suse.com/1186497 From sle-security-updates at lists.suse.com Thu Jun 3 19:21:42 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 3 Jun 2021 21:21:42 +0200 (CEST) Subject: SUSE-SU-2021:1842-1: important: Security update for polkit Message-ID: <20210603192142.CFB74FD07@maintenance.suse.de> SUSE Security Update: Security update for polkit ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1842-1 Rating: important References: #1186497 Cross-References: CVE-2021-3560 CVSS scores: CVE-2021-3560 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE 
Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for polkit fixes the following issues: - CVE-2021-3560: Fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1842=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1842=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1842=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1842=1 - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2021-1842=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1842=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1842=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1842=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1842=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1842=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1842=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1842=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1842=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1842=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): libpolkit0-0.113-5.21.1 
libpolkit0-debuginfo-0.113-5.21.1 polkit-0.113-5.21.1 polkit-debuginfo-0.113-5.21.1 polkit-debugsource-0.113-5.21.1 typelib-1_0-Polkit-1_0-0.113-5.21.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): libpolkit0-0.113-5.21.1 libpolkit0-debuginfo-0.113-5.21.1 polkit-0.113-5.21.1 polkit-debuginfo-0.113-5.21.1 polkit-debugsource-0.113-5.21.1 typelib-1_0-Polkit-1_0-0.113-5.21.1 - SUSE OpenStack Cloud 9 (x86_64): libpolkit0-0.113-5.21.1 libpolkit0-debuginfo-0.113-5.21.1 polkit-0.113-5.21.1 polkit-debuginfo-0.113-5.21.1 polkit-debugsource-0.113-5.21.1 typelib-1_0-Polkit-1_0-0.113-5.21.1 - SUSE OpenStack Cloud 8 (x86_64): libpolkit0-0.113-5.21.1 libpolkit0-debuginfo-0.113-5.21.1 polkit-0.113-5.21.1 polkit-debuginfo-0.113-5.21.1 polkit-debugsource-0.113-5.21.1 typelib-1_0-Polkit-1_0-0.113-5.21.1 - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): libpolkit0-32bit-0.113-5.21.1 libpolkit0-debuginfo-32bit-0.113-5.21.1 polkit-debugsource-0.113-5.21.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): polkit-debuginfo-0.113-5.21.1 polkit-debugsource-0.113-5.21.1 polkit-devel-0.113-5.21.1 polkit-devel-debuginfo-0.113-5.21.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): libpolkit0-0.113-5.21.1 libpolkit0-debuginfo-0.113-5.21.1 polkit-0.113-5.21.1 polkit-debuginfo-0.113-5.21.1 polkit-debugsource-0.113-5.21.1 typelib-1_0-Polkit-1_0-0.113-5.21.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libpolkit0-0.113-5.21.1 libpolkit0-debuginfo-0.113-5.21.1 polkit-0.113-5.21.1 polkit-debuginfo-0.113-5.21.1 polkit-debugsource-0.113-5.21.1 typelib-1_0-Polkit-1_0-0.113-5.21.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libpolkit0-0.113-5.21.1 libpolkit0-debuginfo-0.113-5.21.1 polkit-0.113-5.21.1 polkit-debuginfo-0.113-5.21.1 polkit-debugsource-0.113-5.21.1 typelib-1_0-Polkit-1_0-0.113-5.21.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): libpolkit0-0.113-5.21.1 
libpolkit0-debuginfo-0.113-5.21.1 polkit-0.113-5.21.1 polkit-debuginfo-0.113-5.21.1 polkit-debugsource-0.113-5.21.1 typelib-1_0-Polkit-1_0-0.113-5.21.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libpolkit0-0.113-5.21.1 libpolkit0-debuginfo-0.113-5.21.1 polkit-0.113-5.21.1 polkit-debuginfo-0.113-5.21.1 polkit-debugsource-0.113-5.21.1 typelib-1_0-Polkit-1_0-0.113-5.21.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libpolkit0-0.113-5.21.1 libpolkit0-debuginfo-0.113-5.21.1 polkit-0.113-5.21.1 polkit-debuginfo-0.113-5.21.1 polkit-debugsource-0.113-5.21.1 typelib-1_0-Polkit-1_0-0.113-5.21.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libpolkit0-0.113-5.21.1 libpolkit0-debuginfo-0.113-5.21.1 polkit-0.113-5.21.1 polkit-debuginfo-0.113-5.21.1 polkit-debugsource-0.113-5.21.1 typelib-1_0-Polkit-1_0-0.113-5.21.1 - HPE Helion Openstack 8 (x86_64): libpolkit0-0.113-5.21.1 libpolkit0-debuginfo-0.113-5.21.1 polkit-0.113-5.21.1 polkit-debuginfo-0.113-5.21.1 polkit-debugsource-0.113-5.21.1 typelib-1_0-Polkit-1_0-0.113-5.21.1 References: https://www.suse.com/security/cve/CVE-2021-3560.html https://bugzilla.suse.com/1186497 From sle-security-updates at lists.suse.com Thu Jun 3 19:22:52 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 3 Jun 2021 21:22:52 +0200 (CEST) Subject: SUSE-SU-2021:1843-1: important: Security update for polkit Message-ID: <20210603192252.30F75FD07@maintenance.suse.de> SUSE Security Update: Security update for polkit ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1843-1 Rating: important References: #1186497 Cross-References: CVE-2021-3560 CVSS scores: CVE-2021-3560 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 
______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for polkit fixes the following issues: - CVE-2021-3560: Fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1843=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1843=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1843=1 Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): libpolkit0-0.116-3.3.1 libpolkit0-debuginfo-0.116-3.3.1 polkit-0.116-3.3.1 polkit-debuginfo-0.116-3.3.1 polkit-debugsource-0.116-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): libpolkit0-0.116-3.3.1 libpolkit0-debuginfo-0.116-3.3.1 polkit-0.116-3.3.1 polkit-debuginfo-0.116-3.3.1 polkit-debugsource-0.116-3.3.1 polkit-devel-0.116-3.3.1 polkit-devel-debuginfo-0.116-3.3.1 typelib-1_0-Polkit-1_0-0.116-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libpolkit0-0.116-3.3.1 libpolkit0-debuginfo-0.116-3.3.1 polkit-0.116-3.3.1 polkit-debuginfo-0.116-3.3.1 polkit-debugsource-0.116-3.3.1 polkit-devel-0.116-3.3.1 polkit-devel-debuginfo-0.116-3.3.1 typelib-1_0-Polkit-1_0-0.116-3.3.1 References: https://www.suse.com/security/cve/CVE-2021-3560.html https://bugzilla.suse.com/1186497 From sle-security-updates at lists.suse.com Thu Jun 3 19:23:58 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 3 Jun 2021 21:23:58 +0200 (CEST) Subject: SUSE-SU-2021:1494-2: important: Security 
update for avahi Message-ID: <20210603192358.DE766FD07@maintenance.suse.de> SUSE Security Update: Security update for avahi ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1494-2 Rating: important References: #1184521 Cross-References: CVE-2021-3468 CVSS scores: CVE-2021-3468 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for avahi fixes the following issues: - CVE-2021-3468: avoid infinite loop by handling HUP event in client_work (bsc#1184521). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1494=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1494=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1494=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1494=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1494=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1494=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1494=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1494=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1494=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1494=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1494=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): avahi-0.6.32-32.15.1 avahi-debuginfo-0.6.32-32.15.1 avahi-debuginfo-32bit-0.6.32-32.15.1 avahi-debugsource-0.6.32-32.15.1 avahi-glib2-debugsource-0.6.32-32.15.1 avahi-utils-0.6.32-32.15.1 avahi-utils-debuginfo-0.6.32-32.15.1 libavahi-client3-0.6.32-32.15.1 libavahi-client3-32bit-0.6.32-32.15.1 libavahi-client3-debuginfo-0.6.32-32.15.1 libavahi-client3-debuginfo-32bit-0.6.32-32.15.1 libavahi-common3-0.6.32-32.15.1 libavahi-common3-32bit-0.6.32-32.15.1 libavahi-common3-debuginfo-0.6.32-32.15.1 libavahi-common3-debuginfo-32bit-0.6.32-32.15.1 libavahi-core7-0.6.32-32.15.1 libavahi-core7-debuginfo-0.6.32-32.15.1 libavahi-glib1-0.6.32-32.15.1 libavahi-glib1-32bit-0.6.32-32.15.1 libavahi-glib1-debuginfo-0.6.32-32.15.1 libavahi-glib1-debuginfo-32bit-0.6.32-32.15.1 libdns_sd-0.6.32-32.15.1 libdns_sd-32bit-0.6.32-32.15.1 
libdns_sd-debuginfo-0.6.32-32.15.1 libdns_sd-debuginfo-32bit-0.6.32-32.15.1 - SUSE OpenStack Cloud Crowbar 9 (noarch): avahi-lang-0.6.32-32.15.1 - SUSE OpenStack Cloud Crowbar 8 (noarch): avahi-lang-0.6.32-32.15.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): avahi-0.6.32-32.15.1 avahi-debuginfo-0.6.32-32.15.1 avahi-debuginfo-32bit-0.6.32-32.15.1 avahi-debugsource-0.6.32-32.15.1 avahi-glib2-debugsource-0.6.32-32.15.1 avahi-utils-0.6.32-32.15.1 avahi-utils-debuginfo-0.6.32-32.15.1 libavahi-client3-0.6.32-32.15.1 libavahi-client3-32bit-0.6.32-32.15.1 libavahi-client3-debuginfo-0.6.32-32.15.1 libavahi-client3-debuginfo-32bit-0.6.32-32.15.1 libavahi-common3-0.6.32-32.15.1 libavahi-common3-32bit-0.6.32-32.15.1 libavahi-common3-debuginfo-0.6.32-32.15.1 libavahi-common3-debuginfo-32bit-0.6.32-32.15.1 libavahi-core7-0.6.32-32.15.1 libavahi-core7-debuginfo-0.6.32-32.15.1 libavahi-glib1-0.6.32-32.15.1 libavahi-glib1-32bit-0.6.32-32.15.1 libavahi-glib1-debuginfo-0.6.32-32.15.1 libavahi-glib1-debuginfo-32bit-0.6.32-32.15.1 libdns_sd-0.6.32-32.15.1 libdns_sd-32bit-0.6.32-32.15.1 libdns_sd-debuginfo-0.6.32-32.15.1 libdns_sd-debuginfo-32bit-0.6.32-32.15.1 - SUSE OpenStack Cloud 9 (noarch): avahi-lang-0.6.32-32.15.1 - SUSE OpenStack Cloud 9 (x86_64): avahi-0.6.32-32.15.1 avahi-debuginfo-0.6.32-32.15.1 avahi-debuginfo-32bit-0.6.32-32.15.1 avahi-debugsource-0.6.32-32.15.1 avahi-glib2-debugsource-0.6.32-32.15.1 avahi-utils-0.6.32-32.15.1 avahi-utils-debuginfo-0.6.32-32.15.1 libavahi-client3-0.6.32-32.15.1 libavahi-client3-32bit-0.6.32-32.15.1 libavahi-client3-debuginfo-0.6.32-32.15.1 libavahi-client3-debuginfo-32bit-0.6.32-32.15.1 libavahi-common3-0.6.32-32.15.1 libavahi-common3-32bit-0.6.32-32.15.1 libavahi-common3-debuginfo-0.6.32-32.15.1 libavahi-common3-debuginfo-32bit-0.6.32-32.15.1 libavahi-core7-0.6.32-32.15.1 libavahi-core7-debuginfo-0.6.32-32.15.1 libavahi-glib1-0.6.32-32.15.1 libavahi-glib1-32bit-0.6.32-32.15.1 libavahi-glib1-debuginfo-0.6.32-32.15.1 
libavahi-glib1-debuginfo-32bit-0.6.32-32.15.1 libdns_sd-0.6.32-32.15.1 libdns_sd-32bit-0.6.32-32.15.1 libdns_sd-debuginfo-0.6.32-32.15.1 libdns_sd-debuginfo-32bit-0.6.32-32.15.1 - SUSE OpenStack Cloud 8 (x86_64): avahi-0.6.32-32.15.1 avahi-debuginfo-0.6.32-32.15.1 avahi-debuginfo-32bit-0.6.32-32.15.1 avahi-debugsource-0.6.32-32.15.1 avahi-glib2-debugsource-0.6.32-32.15.1 avahi-utils-0.6.32-32.15.1 avahi-utils-debuginfo-0.6.32-32.15.1 libavahi-client3-0.6.32-32.15.1 libavahi-client3-32bit-0.6.32-32.15.1 libavahi-client3-debuginfo-0.6.32-32.15.1 libavahi-client3-debuginfo-32bit-0.6.32-32.15.1 libavahi-common3-0.6.32-32.15.1 libavahi-common3-32bit-0.6.32-32.15.1 libavahi-common3-debuginfo-0.6.32-32.15.1 libavahi-common3-debuginfo-32bit-0.6.32-32.15.1 libavahi-core7-0.6.32-32.15.1 libavahi-core7-debuginfo-0.6.32-32.15.1 libavahi-glib1-0.6.32-32.15.1 libavahi-glib1-32bit-0.6.32-32.15.1 libavahi-glib1-debuginfo-0.6.32-32.15.1 libavahi-glib1-debuginfo-32bit-0.6.32-32.15.1 libdns_sd-0.6.32-32.15.1 libdns_sd-32bit-0.6.32-32.15.1 libdns_sd-debuginfo-0.6.32-32.15.1 libdns_sd-debuginfo-32bit-0.6.32-32.15.1 - SUSE OpenStack Cloud 8 (noarch): avahi-lang-0.6.32-32.15.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): avahi-0.6.32-32.15.1 avahi-debuginfo-0.6.32-32.15.1 avahi-debugsource-0.6.32-32.15.1 avahi-glib2-debugsource-0.6.32-32.15.1 avahi-utils-0.6.32-32.15.1 avahi-utils-debuginfo-0.6.32-32.15.1 libavahi-client3-0.6.32-32.15.1 libavahi-client3-debuginfo-0.6.32-32.15.1 libavahi-common3-0.6.32-32.15.1 libavahi-common3-debuginfo-0.6.32-32.15.1 libavahi-core7-0.6.32-32.15.1 libavahi-core7-debuginfo-0.6.32-32.15.1 libavahi-glib1-0.6.32-32.15.1 libavahi-glib1-debuginfo-0.6.32-32.15.1 libdns_sd-0.6.32-32.15.1 libdns_sd-debuginfo-0.6.32-32.15.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64): avahi-debuginfo-32bit-0.6.32-32.15.1 libavahi-client3-32bit-0.6.32-32.15.1 libavahi-client3-debuginfo-32bit-0.6.32-32.15.1 libavahi-common3-32bit-0.6.32-32.15.1 
libavahi-common3-debuginfo-32bit-0.6.32-32.15.1 libavahi-glib1-32bit-0.6.32-32.15.1 libavahi-glib1-debuginfo-32bit-0.6.32-32.15.1 libdns_sd-32bit-0.6.32-32.15.1 libdns_sd-debuginfo-32bit-0.6.32-32.15.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): avahi-lang-0.6.32-32.15.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): avahi-0.6.32-32.15.1 avahi-debuginfo-0.6.32-32.15.1 avahi-debugsource-0.6.32-32.15.1 avahi-glib2-debugsource-0.6.32-32.15.1 avahi-utils-0.6.32-32.15.1 avahi-utils-debuginfo-0.6.32-32.15.1 libavahi-client3-0.6.32-32.15.1 libavahi-client3-debuginfo-0.6.32-32.15.1 libavahi-common3-0.6.32-32.15.1 libavahi-common3-debuginfo-0.6.32-32.15.1 libavahi-core7-0.6.32-32.15.1 libavahi-core7-debuginfo-0.6.32-32.15.1 libavahi-glib1-0.6.32-32.15.1 libavahi-glib1-debuginfo-0.6.32-32.15.1 libdns_sd-0.6.32-32.15.1 libdns_sd-debuginfo-0.6.32-32.15.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): avahi-lang-0.6.32-32.15.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): avahi-debuginfo-32bit-0.6.32-32.15.1 libavahi-client3-32bit-0.6.32-32.15.1 libavahi-client3-debuginfo-32bit-0.6.32-32.15.1 libavahi-common3-32bit-0.6.32-32.15.1 libavahi-common3-debuginfo-32bit-0.6.32-32.15.1 libavahi-glib1-32bit-0.6.32-32.15.1 libavahi-glib1-debuginfo-32bit-0.6.32-32.15.1 libdns_sd-32bit-0.6.32-32.15.1 libdns_sd-debuginfo-32bit-0.6.32-32.15.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): avahi-0.6.32-32.15.1 avahi-debuginfo-0.6.32-32.15.1 avahi-debugsource-0.6.32-32.15.1 avahi-glib2-debugsource-0.6.32-32.15.1 avahi-utils-0.6.32-32.15.1 avahi-utils-debuginfo-0.6.32-32.15.1 libavahi-client3-0.6.32-32.15.1 libavahi-client3-debuginfo-0.6.32-32.15.1 libavahi-common3-0.6.32-32.15.1 libavahi-common3-debuginfo-0.6.32-32.15.1 libavahi-core7-0.6.32-32.15.1 libavahi-core7-debuginfo-0.6.32-32.15.1 libavahi-glib1-0.6.32-32.15.1 libavahi-glib1-debuginfo-0.6.32-32.15.1 libdns_sd-0.6.32-32.15.1 libdns_sd-debuginfo-0.6.32-32.15.1 - 
SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64): avahi-debuginfo-32bit-0.6.32-32.15.1 libavahi-client3-32bit-0.6.32-32.15.1 libavahi-client3-debuginfo-32bit-0.6.32-32.15.1 libavahi-common3-32bit-0.6.32-32.15.1 libavahi-common3-debuginfo-32bit-0.6.32-32.15.1 libavahi-glib1-32bit-0.6.32-32.15.1 libavahi-glib1-debuginfo-32bit-0.6.32-32.15.1 libdns_sd-32bit-0.6.32-32.15.1 libdns_sd-debuginfo-32bit-0.6.32-32.15.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch): avahi-lang-0.6.32-32.15.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): avahi-0.6.32-32.15.1 avahi-debuginfo-0.6.32-32.15.1 avahi-debugsource-0.6.32-32.15.1 avahi-glib2-debugsource-0.6.32-32.15.1 avahi-utils-0.6.32-32.15.1 avahi-utils-debuginfo-0.6.32-32.15.1 libavahi-client3-0.6.32-32.15.1 libavahi-client3-debuginfo-0.6.32-32.15.1 libavahi-common3-0.6.32-32.15.1 libavahi-common3-debuginfo-0.6.32-32.15.1 libavahi-core7-0.6.32-32.15.1 libavahi-core7-debuginfo-0.6.32-32.15.1 libavahi-glib1-0.6.32-32.15.1 libavahi-glib1-debuginfo-0.6.32-32.15.1 libdns_sd-0.6.32-32.15.1 libdns_sd-debuginfo-0.6.32-32.15.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): avahi-debuginfo-32bit-0.6.32-32.15.1 libavahi-client3-32bit-0.6.32-32.15.1 libavahi-client3-debuginfo-32bit-0.6.32-32.15.1 libavahi-common3-32bit-0.6.32-32.15.1 libavahi-common3-debuginfo-32bit-0.6.32-32.15.1 libavahi-glib1-32bit-0.6.32-32.15.1 libavahi-glib1-debuginfo-32bit-0.6.32-32.15.1 libdns_sd-32bit-0.6.32-32.15.1 libdns_sd-debuginfo-32bit-0.6.32-32.15.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): avahi-lang-0.6.32-32.15.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): avahi-lang-0.6.32-32.15.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): avahi-0.6.32-32.15.1 avahi-debuginfo-0.6.32-32.15.1 avahi-debuginfo-32bit-0.6.32-32.15.1 avahi-debugsource-0.6.32-32.15.1 avahi-glib2-debugsource-0.6.32-32.15.1 avahi-utils-0.6.32-32.15.1 avahi-utils-debuginfo-0.6.32-32.15.1 libavahi-client3-0.6.32-32.15.1 
libavahi-client3-32bit-0.6.32-32.15.1 libavahi-client3-debuginfo-0.6.32-32.15.1 libavahi-client3-debuginfo-32bit-0.6.32-32.15.1 libavahi-common3-0.6.32-32.15.1 libavahi-common3-32bit-0.6.32-32.15.1 libavahi-common3-debuginfo-0.6.32-32.15.1 libavahi-common3-debuginfo-32bit-0.6.32-32.15.1 libavahi-core7-0.6.32-32.15.1 libavahi-core7-debuginfo-0.6.32-32.15.1 libavahi-glib1-0.6.32-32.15.1 libavahi-glib1-32bit-0.6.32-32.15.1 libavahi-glib1-debuginfo-0.6.32-32.15.1 libavahi-glib1-debuginfo-32bit-0.6.32-32.15.1 libdns_sd-0.6.32-32.15.1 libdns_sd-32bit-0.6.32-32.15.1 libdns_sd-debuginfo-0.6.32-32.15.1 libdns_sd-debuginfo-32bit-0.6.32-32.15.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): avahi-lang-0.6.32-32.15.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): avahi-0.6.32-32.15.1 avahi-debuginfo-0.6.32-32.15.1 avahi-debuginfo-32bit-0.6.32-32.15.1 avahi-debugsource-0.6.32-32.15.1 avahi-glib2-debugsource-0.6.32-32.15.1 avahi-utils-0.6.32-32.15.1 avahi-utils-debuginfo-0.6.32-32.15.1 libavahi-client3-0.6.32-32.15.1 libavahi-client3-32bit-0.6.32-32.15.1 libavahi-client3-debuginfo-0.6.32-32.15.1 libavahi-client3-debuginfo-32bit-0.6.32-32.15.1 libavahi-common3-0.6.32-32.15.1 libavahi-common3-32bit-0.6.32-32.15.1 libavahi-common3-debuginfo-0.6.32-32.15.1 libavahi-common3-debuginfo-32bit-0.6.32-32.15.1 libavahi-core7-0.6.32-32.15.1 libavahi-core7-debuginfo-0.6.32-32.15.1 libavahi-glib1-0.6.32-32.15.1 libavahi-glib1-32bit-0.6.32-32.15.1 libavahi-glib1-debuginfo-0.6.32-32.15.1 libavahi-glib1-debuginfo-32bit-0.6.32-32.15.1 libdns_sd-0.6.32-32.15.1 libdns_sd-32bit-0.6.32-32.15.1 libdns_sd-debuginfo-0.6.32-32.15.1 libdns_sd-debuginfo-32bit-0.6.32-32.15.1 - HPE Helion Openstack 8 (x86_64): avahi-0.6.32-32.15.1 avahi-debuginfo-0.6.32-32.15.1 avahi-debuginfo-32bit-0.6.32-32.15.1 avahi-debugsource-0.6.32-32.15.1 avahi-glib2-debugsource-0.6.32-32.15.1 avahi-utils-0.6.32-32.15.1 avahi-utils-debuginfo-0.6.32-32.15.1 libavahi-client3-0.6.32-32.15.1 
libavahi-client3-32bit-0.6.32-32.15.1 libavahi-client3-debuginfo-0.6.32-32.15.1 libavahi-client3-debuginfo-32bit-0.6.32-32.15.1 libavahi-common3-0.6.32-32.15.1 libavahi-common3-32bit-0.6.32-32.15.1 libavahi-common3-debuginfo-0.6.32-32.15.1 libavahi-common3-debuginfo-32bit-0.6.32-32.15.1 libavahi-core7-0.6.32-32.15.1 libavahi-core7-debuginfo-0.6.32-32.15.1 libavahi-glib1-0.6.32-32.15.1 libavahi-glib1-32bit-0.6.32-32.15.1 libavahi-glib1-debuginfo-0.6.32-32.15.1 libavahi-glib1-debuginfo-32bit-0.6.32-32.15.1 libdns_sd-0.6.32-32.15.1 libdns_sd-32bit-0.6.32-32.15.1 libdns_sd-debuginfo-0.6.32-32.15.1 libdns_sd-debuginfo-32bit-0.6.32-32.15.1 - HPE Helion Openstack 8 (noarch): avahi-lang-0.6.32-32.15.1 References: https://www.suse.com/security/cve/CVE-2021-3468.html https://bugzilla.suse.com/1184521 From sle-security-updates at lists.suse.com Fri Jun 4 10:17:01 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 4 Jun 2021 12:17:01 +0200 (CEST) Subject: SUSE-SU-2021:1855-1: important: Security update for slurm Message-ID: <20210604101701.19F8FFD14@maintenance.suse.de> SUSE Security Update: Security update for slurm ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1855-1 Rating: important References: #1186024 Cross-References: CVE-2021-31215 CVSS scores: CVE-2021-31215 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-31215 (SUSE): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Affected Products: SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes one vulnerability is now available. 

Description:

   This update for slurm fixes the following issues:

   - CVE-2021-31215: remote code execution as SlurmUser because of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling (bsc#1186024)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1855=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1855=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1855=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1855=1

Package List:

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
      libslurm32-17.11.13-6.37.1
      libslurm32-debuginfo-17.11.13-6.37.1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
      libslurm32-17.11.13-6.37.1
      libslurm32-debuginfo-17.11.13-6.37.1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
      libpmi0-17.11.13-6.37.1
      libpmi0-debuginfo-17.11.13-6.37.1
      libslurm32-17.11.13-6.37.1
      libslurm32-debuginfo-17.11.13-6.37.1
      perl-slurm-17.11.13-6.37.1
      perl-slurm-debuginfo-17.11.13-6.37.1
      slurm-17.11.13-6.37.1
      slurm-auth-none-17.11.13-6.37.1
      slurm-auth-none-debuginfo-17.11.13-6.37.1
      slurm-config-17.11.13-6.37.1
      slurm-debuginfo-17.11.13-6.37.1
      slurm-debugsource-17.11.13-6.37.1
      slurm-devel-17.11.13-6.37.1
      slurm-doc-17.11.13-6.37.1
      slurm-lua-17.11.13-6.37.1
      slurm-lua-debuginfo-17.11.13-6.37.1
      slurm-munge-17.11.13-6.37.1
      slurm-munge-debuginfo-17.11.13-6.37.1
      slurm-node-17.11.13-6.37.1
      slurm-node-debuginfo-17.11.13-6.37.1
      slurm-pam_slurm-17.11.13-6.37.1
      slurm-pam_slurm-debuginfo-17.11.13-6.37.1
slurm-plugins-17.11.13-6.37.1 slurm-plugins-debuginfo-17.11.13-6.37.1 slurm-slurmdbd-17.11.13-6.37.1 slurm-slurmdbd-debuginfo-17.11.13-6.37.1 slurm-sql-17.11.13-6.37.1 slurm-sql-debuginfo-17.11.13-6.37.1 slurm-torque-17.11.13-6.37.1 slurm-torque-debuginfo-17.11.13-6.37.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libpmi0-17.11.13-6.37.1 libpmi0-debuginfo-17.11.13-6.37.1 libslurm32-17.11.13-6.37.1 libslurm32-debuginfo-17.11.13-6.37.1 perl-slurm-17.11.13-6.37.1 perl-slurm-debuginfo-17.11.13-6.37.1 slurm-17.11.13-6.37.1 slurm-auth-none-17.11.13-6.37.1 slurm-auth-none-debuginfo-17.11.13-6.37.1 slurm-config-17.11.13-6.37.1 slurm-debuginfo-17.11.13-6.37.1 slurm-debugsource-17.11.13-6.37.1 slurm-devel-17.11.13-6.37.1 slurm-doc-17.11.13-6.37.1 slurm-lua-17.11.13-6.37.1 slurm-lua-debuginfo-17.11.13-6.37.1 slurm-munge-17.11.13-6.37.1 slurm-munge-debuginfo-17.11.13-6.37.1 slurm-node-17.11.13-6.37.1 slurm-node-debuginfo-17.11.13-6.37.1 slurm-pam_slurm-17.11.13-6.37.1 slurm-pam_slurm-debuginfo-17.11.13-6.37.1 slurm-plugins-17.11.13-6.37.1 slurm-plugins-debuginfo-17.11.13-6.37.1 slurm-slurmdbd-17.11.13-6.37.1 slurm-slurmdbd-debuginfo-17.11.13-6.37.1 slurm-sql-17.11.13-6.37.1 slurm-sql-debuginfo-17.11.13-6.37.1 slurm-torque-17.11.13-6.37.1 slurm-torque-debuginfo-17.11.13-6.37.1 References: https://www.suse.com/security/cve/CVE-2021-31215.html https://bugzilla.suse.com/1186024 From sle-security-updates at lists.suse.com Fri Jun 4 10:22:39 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 4 Jun 2021 12:22:39 +0200 (CEST) Subject: SUSE-SU-2021:1859-1: moderate: Security update for python-py Message-ID: <20210604102239.DA4F6FD14@maintenance.suse.de> SUSE Security Update: Security update for python-py ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1859-1 Rating: moderate References: #1179805 #1184505 Cross-References: CVE-2020-29651 CVSS 
scores:
                    CVE-2020-29651 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-29651 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Python2 15-SP3
                    SUSE Linux Enterprise Module for Python2 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for python-py fixes the following issues:

   - CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.0:
      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1859=1
   - SUSE Linux Enterprise Module for Python2 15-SP3:
      zypper in -t patch SUSE-SLE-Module-Python2-15-SP3-2021-1859=1
   - SUSE Linux Enterprise Module for Python2 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2021-1859=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP3:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1859=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1859=1

Package List:

   - SUSE MicroOS 5.0 (noarch):
      python3-py-1.8.1-5.6.1
   - SUSE Linux Enterprise Module for Python2 15-SP3 (noarch):
      python2-py-1.8.1-5.6.1
   - SUSE Linux Enterprise Module for Python2 15-SP2 (noarch):
      python2-py-1.8.1-5.6.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
      python3-py-1.8.1-5.6.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
      python3-py-1.8.1-5.6.1

References:

   https://www.suse.com/security/cve/CVE-2020-29651.html
   https://bugzilla.suse.com/1179805
   https://bugzilla.suse.com/1184505

From sle-security-updates at lists.suse.com Fri Jun 4 10:25:06 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 4 Jun 2021 12:25:06 +0200 (CEST)
Subject: SUSE-SU-2021:1857-1: important: Security update for djvulibre
Message-ID: <20210604102506.D4DDDFD14@maintenance.suse.de>

   SUSE Security Update: Security update for djvulibre
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1857-1
Rating:             important
References:         #1186253
Cross-References:   CVE-2021-3500
CVSS scores:
                    CVE-2021-3500 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for djvulibre fixes the following issues:

   - CVE-2021-3500: Stack overflow in function DJVU:DjVuDocument:get_djvu_file() via crafted djvu file (bsc#1186253)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1857=1
   - SUSE Manager Retail Branch Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1857=1
   - SUSE Manager Proxy 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1857=1
   - SUSE Linux Enterprise Server for SAP 15-SP1:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1857=1
   - SUSE Linux Enterprise Server for SAP 15:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1857=1
   - SUSE Linux Enterprise Server 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1857=1
   - SUSE Linux Enterprise Server 15-SP1-BCL:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1857=1
   - SUSE Linux Enterprise Server 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1857=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1857=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1857=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1857=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1857=1
   - SUSE Enterprise Storage 6:
      zypper in -t patch SUSE-Storage-6-2021-1857=1
   - SUSE CaaS Platform 4.0:
      To install this update, use the SUSE CaaS Platform 'skuba' tool. It
      will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.

Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): djvulibre-debuginfo-3.5.27-3.14.1 djvulibre-debugsource-3.5.27-3.14.1 libdjvulibre-devel-3.5.27-3.14.1 libdjvulibre21-3.5.27-3.14.1 libdjvulibre21-debuginfo-3.5.27-3.14.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): djvulibre-debuginfo-3.5.27-3.14.1 djvulibre-debugsource-3.5.27-3.14.1 libdjvulibre-devel-3.5.27-3.14.1 libdjvulibre21-3.5.27-3.14.1 libdjvulibre21-debuginfo-3.5.27-3.14.1 - SUSE Manager Proxy 4.0 (x86_64): djvulibre-debuginfo-3.5.27-3.14.1 djvulibre-debugsource-3.5.27-3.14.1 libdjvulibre-devel-3.5.27-3.14.1 libdjvulibre21-3.5.27-3.14.1 libdjvulibre21-debuginfo-3.5.27-3.14.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): djvulibre-debuginfo-3.5.27-3.14.1 djvulibre-debugsource-3.5.27-3.14.1 libdjvulibre-devel-3.5.27-3.14.1 libdjvulibre21-3.5.27-3.14.1 libdjvulibre21-debuginfo-3.5.27-3.14.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): djvulibre-debuginfo-3.5.27-3.14.1 djvulibre-debugsource-3.5.27-3.14.1 libdjvulibre-devel-3.5.27-3.14.1 libdjvulibre21-3.5.27-3.14.1 libdjvulibre21-debuginfo-3.5.27-3.14.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): djvulibre-debuginfo-3.5.27-3.14.1 djvulibre-debugsource-3.5.27-3.14.1 libdjvulibre-devel-3.5.27-3.14.1 libdjvulibre21-3.5.27-3.14.1 libdjvulibre21-debuginfo-3.5.27-3.14.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): djvulibre-debuginfo-3.5.27-3.14.1 djvulibre-debugsource-3.5.27-3.14.1 libdjvulibre-devel-3.5.27-3.14.1 libdjvulibre21-3.5.27-3.14.1 libdjvulibre21-debuginfo-3.5.27-3.14.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): djvulibre-debuginfo-3.5.27-3.14.1 djvulibre-debugsource-3.5.27-3.14.1 libdjvulibre-devel-3.5.27-3.14.1 libdjvulibre21-3.5.27-3.14.1 libdjvulibre21-debuginfo-3.5.27-3.14.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): djvulibre-debuginfo-3.5.27-3.14.1 djvulibre-debugsource-3.5.27-3.14.1 
libdjvulibre-devel-3.5.27-3.14.1 libdjvulibre21-3.5.27-3.14.1 libdjvulibre21-debuginfo-3.5.27-3.14.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): djvulibre-debuginfo-3.5.27-3.14.1 djvulibre-debugsource-3.5.27-3.14.1 libdjvulibre-devel-3.5.27-3.14.1 libdjvulibre21-3.5.27-3.14.1 libdjvulibre21-debuginfo-3.5.27-3.14.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): djvulibre-debuginfo-3.5.27-3.14.1 djvulibre-debugsource-3.5.27-3.14.1 libdjvulibre-devel-3.5.27-3.14.1 libdjvulibre21-3.5.27-3.14.1 libdjvulibre21-debuginfo-3.5.27-3.14.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): djvulibre-debuginfo-3.5.27-3.14.1 djvulibre-debugsource-3.5.27-3.14.1 libdjvulibre-devel-3.5.27-3.14.1 libdjvulibre21-3.5.27-3.14.1 libdjvulibre21-debuginfo-3.5.27-3.14.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): djvulibre-debuginfo-3.5.27-3.14.1 djvulibre-debugsource-3.5.27-3.14.1 libdjvulibre-devel-3.5.27-3.14.1 libdjvulibre21-3.5.27-3.14.1 libdjvulibre21-debuginfo-3.5.27-3.14.1 - SUSE CaaS Platform 4.0 (x86_64): djvulibre-debuginfo-3.5.27-3.14.1 djvulibre-debugsource-3.5.27-3.14.1 libdjvulibre-devel-3.5.27-3.14.1 libdjvulibre21-3.5.27-3.14.1 libdjvulibre21-debuginfo-3.5.27-3.14.1 References: https://www.suse.com/security/cve/CVE-2021-3500.html https://bugzilla.suse.com/1186253 From sle-security-updates at lists.suse.com Fri Jun 4 10:27:26 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 4 Jun 2021 12:27:26 +0200 (CEST) Subject: SUSE-SU-2021:1854-1: moderate: Security update for MozillaThunderbird Message-ID: <20210604102726.9E792FD14@maintenance.suse.de> SUSE Security Update: Security update for MozillaThunderbird ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1854-1 Rating: moderate References: #1185086 #1185633 #1186198 #1186199 Cross-References: CVE-2021-29950 CVE-2021-29951 
CVE-2021-29956 CVE-2021-29957
CVSS scores:
                    CVE-2021-29950 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-29951 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
                    CVE-2021-29956 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-29957 (SUSE): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP3
                    SUSE Linux Enterprise Workstation Extension 15-SP2
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for MozillaThunderbird fixes the following issues:

   - Mozilla Thunderbird 78.10.2
   - CVE-2021-29957: Fixed partial protection of inline OpenPGP message not indicated (bsc#1186198).
   - CVE-2021-29956: Fixed Thunderbird stored OpenPGP secret keys without master password protection (bsc#1186199).
   - CVE-2021-29951: Fixed Thunderbird Maintenance Service could have been started or stopped by domain users (bsc#1185633).
   - CVE-2021-29950: Fixed logic issue potentially leaves key material unlocked (bsc#1185086).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP3:
      zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-1854=1
   - SUSE Linux Enterprise Workstation Extension 15-SP2:
      zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-1854=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):
      MozillaThunderbird-78.10.2-8.27.1
      MozillaThunderbird-debuginfo-78.10.2-8.27.1
      MozillaThunderbird-debugsource-78.10.2-8.27.1
      MozillaThunderbird-translations-common-78.10.2-8.27.1
      MozillaThunderbird-translations-other-78.10.2-8.27.1
   - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):
      MozillaThunderbird-78.10.2-8.27.1
      MozillaThunderbird-debuginfo-78.10.2-8.27.1
      MozillaThunderbird-debugsource-78.10.2-8.27.1
      MozillaThunderbird-translations-common-78.10.2-8.27.1
      MozillaThunderbird-translations-other-78.10.2-8.27.1

References:

   https://www.suse.com/security/cve/CVE-2021-29950.html
   https://www.suse.com/security/cve/CVE-2021-29951.html
   https://www.suse.com/security/cve/CVE-2021-29956.html
   https://www.suse.com/security/cve/CVE-2021-29957.html
   https://bugzilla.suse.com/1185086
   https://bugzilla.suse.com/1185633
   https://bugzilla.suse.com/1186198
   https://bugzilla.suse.com/1186199

From sle-security-updates at lists.suse.com Fri Jun 4 10:28:49 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 4 Jun 2021 12:28:49 +0200 (CEST)
Subject: SUSE-SU-2021:1858-1: moderate: Security update for csync2
Message-ID: <20210604102849.420C8FD14@maintenance.suse.de>

   SUSE Security Update: Security update for csync2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1858-1
Rating:             moderate
References:         #1147137 #1147139
Cross-References:   CVE-2019-15522 CVE-2019-15523
CVSS scores:
                    CVE-2019-15522 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2019-15522 (SUSE): 3.5 CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
                    CVE-2019-15523 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2019-15523 (SUSE): 2.6 CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected Products:
                    SUSE Linux Enterprise High Availability 15-SP2
                    SUSE Linux Enterprise High Availability 15-SP1
                    SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for csync2 fixes the following issues:

   - CVE-2019-15522: Fixed an issue where daemon fails to enforce TLS (bsc#1147137)
   - CVE-2019-15523: Fixed an incorrect TLS handshake error handling (bsc#1147139)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 15-SP2:
      zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2021-1858=1
   - SUSE Linux Enterprise High Availability 15-SP1:
      zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2021-1858=1
   - SUSE Linux Enterprise High Availability 15:
      zypper in -t patch SUSE-SLE-Product-HA-15-2021-1858=1

Package List:

   - SUSE Linux Enterprise High Availability 15-SP2 (aarch64 ppc64le s390x x86_64):
      csync2-2.0+git.1461714863.10636a4-4.6.1
      csync2-debuginfo-2.0+git.1461714863.10636a4-4.6.1
      csync2-debugsource-2.0+git.1461714863.10636a4-4.6.1
   - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):
      csync2-2.0+git.1461714863.10636a4-4.6.1
      csync2-debuginfo-2.0+git.1461714863.10636a4-4.6.1
      csync2-debugsource-2.0+git.1461714863.10636a4-4.6.1
   - SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64):
      csync2-2.0+git.1461714863.10636a4-4.6.1
      csync2-debuginfo-2.0+git.1461714863.10636a4-4.6.1
      csync2-debugsource-2.0+git.1461714863.10636a4-4.6.1

References:

   https://www.suse.com/security/cve/CVE-2019-15522.html
   https://www.suse.com/security/cve/CVE-2019-15523.html
   https://bugzilla.suse.com/1147137
   https://bugzilla.suse.com/1147139

From sle-security-updates at lists.suse.com Fri Jun 4 10:33:24 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 4 Jun 2021 12:33:24 +0200 (CEST)
Subject: SUSE-SU-2021:1856-1: important: Security update for slurm_18_08
Message-ID: <20210604103324.46EB6FD14@maintenance.suse.de>

   SUSE Security Update: Security update for slurm_18_08
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1856-1
Rating:             important
References:         #1186024
Cross-References:   CVE-2021-31215
CVSS scores:
                    CVE-2021-31215 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-31215 (SUSE): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Affected Products:
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for slurm_18_08 fixes the following issues:

   - CVE-2021-31215: remote code execution as SlurmUser because of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling (bsc#1186024)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1856=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1856=1 Package List: - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libpmi0_18_08-18.08.9-1.14.1 libpmi0_18_08-debuginfo-18.08.9-1.14.1 libslurm33-18.08.9-1.14.1 libslurm33-debuginfo-18.08.9-1.14.1 perl-slurm_18_08-18.08.9-1.14.1 perl-slurm_18_08-debuginfo-18.08.9-1.14.1 slurm_18_08-18.08.9-1.14.1 slurm_18_08-auth-none-18.08.9-1.14.1 slurm_18_08-auth-none-debuginfo-18.08.9-1.14.1 slurm_18_08-config-18.08.9-1.14.1 slurm_18_08-debuginfo-18.08.9-1.14.1 slurm_18_08-debugsource-18.08.9-1.14.1 slurm_18_08-devel-18.08.9-1.14.1 slurm_18_08-doc-18.08.9-1.14.1 slurm_18_08-lua-18.08.9-1.14.1 slurm_18_08-lua-debuginfo-18.08.9-1.14.1 slurm_18_08-munge-18.08.9-1.14.1 slurm_18_08-munge-debuginfo-18.08.9-1.14.1 slurm_18_08-node-18.08.9-1.14.1 slurm_18_08-node-debuginfo-18.08.9-1.14.1 slurm_18_08-pam_slurm-18.08.9-1.14.1 slurm_18_08-pam_slurm-debuginfo-18.08.9-1.14.1 slurm_18_08-plugins-18.08.9-1.14.1 slurm_18_08-plugins-debuginfo-18.08.9-1.14.1 slurm_18_08-slurmdbd-18.08.9-1.14.1 slurm_18_08-slurmdbd-debuginfo-18.08.9-1.14.1 slurm_18_08-sql-18.08.9-1.14.1 slurm_18_08-sql-debuginfo-18.08.9-1.14.1 slurm_18_08-torque-18.08.9-1.14.1 slurm_18_08-torque-debuginfo-18.08.9-1.14.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libpmi0_18_08-18.08.9-1.14.1 libpmi0_18_08-debuginfo-18.08.9-1.14.1 libslurm33-18.08.9-1.14.1 libslurm33-debuginfo-18.08.9-1.14.1 perl-slurm_18_08-18.08.9-1.14.1 perl-slurm_18_08-debuginfo-18.08.9-1.14.1 slurm_18_08-18.08.9-1.14.1 slurm_18_08-auth-none-18.08.9-1.14.1 slurm_18_08-auth-none-debuginfo-18.08.9-1.14.1 slurm_18_08-config-18.08.9-1.14.1 slurm_18_08-debuginfo-18.08.9-1.14.1 slurm_18_08-debugsource-18.08.9-1.14.1 
slurm_18_08-devel-18.08.9-1.14.1 slurm_18_08-doc-18.08.9-1.14.1 slurm_18_08-lua-18.08.9-1.14.1 slurm_18_08-lua-debuginfo-18.08.9-1.14.1 slurm_18_08-munge-18.08.9-1.14.1 slurm_18_08-munge-debuginfo-18.08.9-1.14.1 slurm_18_08-node-18.08.9-1.14.1 slurm_18_08-node-debuginfo-18.08.9-1.14.1 slurm_18_08-pam_slurm-18.08.9-1.14.1 slurm_18_08-pam_slurm-debuginfo-18.08.9-1.14.1 slurm_18_08-plugins-18.08.9-1.14.1 slurm_18_08-plugins-debuginfo-18.08.9-1.14.1 slurm_18_08-slurmdbd-18.08.9-1.14.1 slurm_18_08-slurmdbd-debuginfo-18.08.9-1.14.1 slurm_18_08-sql-18.08.9-1.14.1 slurm_18_08-sql-debuginfo-18.08.9-1.14.1 slurm_18_08-torque-18.08.9-1.14.1 slurm_18_08-torque-debuginfo-18.08.9-1.14.1 References: https://www.suse.com/security/cve/CVE-2021-31215.html https://bugzilla.suse.com/1186024 From sle-security-updates at lists.suse.com Fri Jun 4 10:34:42 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 4 Jun 2021 12:34:42 +0200 (CEST) Subject: SUSE-SU-2021:1860-1: critical: Security update for libwebp Message-ID: <20210604103442.76212FD14@maintenance.suse.de> SUSE Security Update: Security update for libwebp ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1860-1 Rating: critical References: #1185652 #1185654 #1185673 #1185674 #1185685 #1185686 #1185688 #1185690 #1185691 #1186247 Cross-References: CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332 CVSS scores: CVE-2018-25009 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2018-25009 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2018-25010 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2018-25010 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2018-25011 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-25011 (SUSE): 9.8 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-25012 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2018-25012 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2018-25013 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2020-36328 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-36328 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-36329 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-36329 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2020-36330 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2020-36330 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-36331 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2020-36331 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2020-36332 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-36332 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Workstation Extension 15-SP3 SUSE Linux Enterprise Workstation Extension 15-SP2 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes 10 vulnerabilities is now available. 

Description:

This update for libwebp fixes the following issues:

- CVE-2018-25010: Fixed heap-based buffer overflow in ApplyFilter() (bsc#1185685).
- CVE-2020-36330: Fixed heap-based buffer overflow in ChunkVerifyAndAssign() (bsc#1185691).
- CVE-2020-36332: Fixed extreme memory allocation when reading a file (bsc#1185674).
- CVE-2020-36329: Fixed use-after-free in EmitFancyRGB() (bsc#1185652).
- CVE-2018-25012: Fixed heap-based buffer overflow in GetLE24() (bsc#1185690).
- CVE-2020-36328: Fixed heap-based buffer overflow in WebPDecode*Into functions (bsc#1185688).
- CVE-2018-25013: Fixed heap-based buffer overflow in ShiftBytes() (bsc#1185654).
- CVE-2020-36331: Fixed heap-based buffer overflow in ChunkAssignData() (bsc#1185686).
- CVE-2018-25009: Fixed heap-based buffer overflow in GetLE16() (bsc#1185673).
- CVE-2018-25011: Fixed fail on multiple image chunks (bsc#1186247).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1860=1

   - SUSE Manager Retail Branch Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1860=1

   - SUSE Manager Proxy 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1860=1

   - SUSE Linux Enterprise Workstation Extension 15-SP3:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-1860=1

   - SUSE Linux Enterprise Workstation Extension 15-SP2:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-1860=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1860=1

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1860=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1860=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1860=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1860=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-1860=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-1860=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1860=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1860=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1860=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1860=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-1860=1

   - SUSE CaaS
Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp-devel-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 libwebpdecoder2-0.5.0-3.5.1 libwebpdecoder2-debuginfo-0.5.0-3.5.1 libwebpdemux2-0.5.0-3.5.1 libwebpdemux2-debuginfo-0.5.0-3.5.1 libwebpextras0-0.5.0-3.5.1 libwebpextras0-debuginfo-0.5.0-3.5.1 libwebpmux2-0.5.0-3.5.1 libwebpmux2-debuginfo-0.5.0-3.5.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp-devel-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 libwebpdecoder2-0.5.0-3.5.1 libwebpdecoder2-debuginfo-0.5.0-3.5.1 libwebpdemux2-0.5.0-3.5.1 libwebpdemux2-debuginfo-0.5.0-3.5.1 libwebpextras0-0.5.0-3.5.1 libwebpextras0-debuginfo-0.5.0-3.5.1 libwebpmux2-0.5.0-3.5.1 libwebpmux2-debuginfo-0.5.0-3.5.1 - SUSE Manager Proxy 4.0 (x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp-devel-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 libwebpdecoder2-0.5.0-3.5.1 libwebpdecoder2-debuginfo-0.5.0-3.5.1 libwebpdemux2-0.5.0-3.5.1 libwebpdemux2-debuginfo-0.5.0-3.5.1 libwebpextras0-0.5.0-3.5.1 libwebpextras0-debuginfo-0.5.0-3.5.1 libwebpmux2-0.5.0-3.5.1 libwebpmux2-debuginfo-0.5.0-3.5.1 - SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp-devel-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 libwebpdecoder2-0.5.0-3.5.1 libwebpdecoder2-debuginfo-0.5.0-3.5.1 libwebpdemux2-0.5.0-3.5.1 
libwebpdemux2-debuginfo-0.5.0-3.5.1 libwebpextras0-0.5.0-3.5.1 libwebpextras0-debuginfo-0.5.0-3.5.1 libwebpmux2-0.5.0-3.5.1 libwebpmux2-debuginfo-0.5.0-3.5.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp-devel-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 libwebpdecoder2-0.5.0-3.5.1 libwebpdecoder2-debuginfo-0.5.0-3.5.1 libwebpdemux2-0.5.0-3.5.1 libwebpdemux2-debuginfo-0.5.0-3.5.1 libwebpextras0-0.5.0-3.5.1 libwebpextras0-debuginfo-0.5.0-3.5.1 libwebpmux2-0.5.0-3.5.1 libwebpmux2-debuginfo-0.5.0-3.5.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp-devel-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 libwebpdecoder2-0.5.0-3.5.1 libwebpdecoder2-debuginfo-0.5.0-3.5.1 libwebpdemux2-0.5.0-3.5.1 libwebpdemux2-debuginfo-0.5.0-3.5.1 libwebpextras0-0.5.0-3.5.1 libwebpextras0-debuginfo-0.5.0-3.5.1 libwebpmux2-0.5.0-3.5.1 libwebpmux2-debuginfo-0.5.0-3.5.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp-devel-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 libwebpdecoder2-0.5.0-3.5.1 libwebpdecoder2-debuginfo-0.5.0-3.5.1 libwebpdemux2-0.5.0-3.5.1 libwebpdemux2-debuginfo-0.5.0-3.5.1 libwebpextras0-0.5.0-3.5.1 libwebpextras0-debuginfo-0.5.0-3.5.1 libwebpmux2-0.5.0-3.5.1 libwebpmux2-debuginfo-0.5.0-3.5.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libwebp-debugsource-0.5.0-3.5.1 libwebp-devel-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 libwebpdecoder2-0.5.0-3.5.1 libwebpdecoder2-debuginfo-0.5.0-3.5.1 libwebpdemux2-0.5.0-3.5.1 libwebpdemux2-debuginfo-0.5.0-3.5.1 libwebpextras0-0.5.0-3.5.1 libwebpextras0-debuginfo-0.5.0-3.5.1 libwebpmux2-0.5.0-3.5.1 libwebpmux2-debuginfo-0.5.0-3.5.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp6-32bit-0.5.0-3.5.1 
libwebp6-32bit-debuginfo-0.5.0-3.5.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp6-32bit-0.5.0-3.5.1 libwebp6-32bit-debuginfo-0.5.0-3.5.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp-devel-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 libwebpdecoder2-0.5.0-3.5.1 libwebpdecoder2-debuginfo-0.5.0-3.5.1 libwebpdemux2-0.5.0-3.5.1 libwebpdemux2-debuginfo-0.5.0-3.5.1 libwebpextras0-0.5.0-3.5.1 libwebpextras0-debuginfo-0.5.0-3.5.1 libwebpmux2-0.5.0-3.5.1 libwebpmux2-debuginfo-0.5.0-3.5.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp-devel-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 libwebpdecoder2-0.5.0-3.5.1 libwebpdecoder2-debuginfo-0.5.0-3.5.1 libwebpdemux2-0.5.0-3.5.1 libwebpdemux2-debuginfo-0.5.0-3.5.1 libwebpextras0-0.5.0-3.5.1 libwebpextras0-debuginfo-0.5.0-3.5.1 libwebpmux2-0.5.0-3.5.1 libwebpmux2-debuginfo-0.5.0-3.5.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp-devel-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 libwebpdecoder2-0.5.0-3.5.1 libwebpdecoder2-debuginfo-0.5.0-3.5.1 libwebpdemux2-0.5.0-3.5.1 libwebpdemux2-debuginfo-0.5.0-3.5.1 libwebpextras0-0.5.0-3.5.1 libwebpextras0-debuginfo-0.5.0-3.5.1 libwebpmux2-0.5.0-3.5.1 libwebpmux2-debuginfo-0.5.0-3.5.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp-devel-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 libwebpdecoder2-0.5.0-3.5.1 libwebpdecoder2-debuginfo-0.5.0-3.5.1 libwebpdemux2-0.5.0-3.5.1 libwebpdemux2-debuginfo-0.5.0-3.5.1 libwebpextras0-0.5.0-3.5.1 libwebpextras0-debuginfo-0.5.0-3.5.1 libwebpmux2-0.5.0-3.5.1 libwebpmux2-debuginfo-0.5.0-3.5.1 - SUSE Enterprise Storage 6 
(aarch64 x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp-devel-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 libwebpdecoder2-0.5.0-3.5.1 libwebpdecoder2-debuginfo-0.5.0-3.5.1 libwebpdemux2-0.5.0-3.5.1 libwebpdemux2-debuginfo-0.5.0-3.5.1 libwebpextras0-0.5.0-3.5.1 libwebpextras0-debuginfo-0.5.0-3.5.1 libwebpmux2-0.5.0-3.5.1 libwebpmux2-debuginfo-0.5.0-3.5.1 - SUSE CaaS Platform 4.0 (x86_64): libwebp-debugsource-0.5.0-3.5.1 libwebp-devel-0.5.0-3.5.1 libwebp6-0.5.0-3.5.1 libwebp6-debuginfo-0.5.0-3.5.1 libwebpdecoder2-0.5.0-3.5.1 libwebpdecoder2-debuginfo-0.5.0-3.5.1 libwebpdemux2-0.5.0-3.5.1 libwebpdemux2-debuginfo-0.5.0-3.5.1 libwebpextras0-0.5.0-3.5.1 libwebpextras0-debuginfo-0.5.0-3.5.1 libwebpmux2-0.5.0-3.5.1 libwebpmux2-debuginfo-0.5.0-3.5.1 References: https://www.suse.com/security/cve/CVE-2018-25009.html https://www.suse.com/security/cve/CVE-2018-25010.html https://www.suse.com/security/cve/CVE-2018-25011.html https://www.suse.com/security/cve/CVE-2018-25012.html https://www.suse.com/security/cve/CVE-2018-25013.html https://www.suse.com/security/cve/CVE-2020-36328.html https://www.suse.com/security/cve/CVE-2020-36329.html https://www.suse.com/security/cve/CVE-2020-36330.html https://www.suse.com/security/cve/CVE-2020-36331.html https://www.suse.com/security/cve/CVE-2020-36332.html https://bugzilla.suse.com/1185652 https://bugzilla.suse.com/1185654 https://bugzilla.suse.com/1185673 https://bugzilla.suse.com/1185674 https://bugzilla.suse.com/1185685 https://bugzilla.suse.com/1185686 https://bugzilla.suse.com/1185688 https://bugzilla.suse.com/1185690 https://bugzilla.suse.com/1185691 https://bugzilla.suse.com/1186247 From sle-security-updates at lists.suse.com Fri Jun 4 13:19:52 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 4 Jun 2021 15:19:52 +0200 (CEST) Subject: SUSE-SU-2021:1493-2: moderate: Security update for avahi Message-ID: <20210604131952.E2A17FD14@maintenance.suse.de> SUSE 
Security Update: Security update for avahi
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1493-2
Rating:             moderate
References:         #1184521
Cross-References:   CVE-2021-3468
CVSS scores:
                    CVE-2021-3468 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for avahi fixes the following issues:

- CVE-2021-3468: avoid infinite loop by handling HUP event in client_work (bsc#1184521).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1493=1

   - SUSE Manager Retail Branch Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1493=1

   - SUSE Manager Proxy 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1493=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1493=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1493=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1493=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1493=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1493=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-1493=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): avahi-0.7-3.9.1 avahi-autoipd-0.7-3.9.1 avahi-autoipd-debuginfo-0.7-3.9.1 avahi-compat-howl-devel-0.7-3.9.1 avahi-compat-mDNSResponder-devel-0.7-3.9.1 avahi-debuginfo-0.7-3.9.1 avahi-debugsource-0.7-3.9.1 avahi-glib2-debugsource-0.7-3.9.1 avahi-utils-0.7-3.9.1 avahi-utils-debuginfo-0.7-3.9.1 avahi-utils-gtk-0.7-3.9.1 avahi-utils-gtk-debuginfo-0.7-3.9.1 libavahi-client3-0.7-3.9.1 libavahi-client3-debuginfo-0.7-3.9.1 libavahi-common3-0.7-3.9.1 libavahi-common3-debuginfo-0.7-3.9.1 libavahi-core7-0.7-3.9.1 libavahi-core7-debuginfo-0.7-3.9.1 libavahi-devel-0.7-3.9.1 libavahi-glib-devel-0.7-3.9.1 libavahi-glib1-0.7-3.9.1 libavahi-glib1-debuginfo-0.7-3.9.1 libavahi-gobject-devel-0.7-3.9.1 libavahi-gobject0-0.7-3.9.1 libavahi-gobject0-debuginfo-0.7-3.9.1 libavahi-ui-gtk3-0-0.7-3.9.1 libavahi-ui-gtk3-0-debuginfo-0.7-3.9.1 libavahi-ui0-0.7-3.9.1 libavahi-ui0-debuginfo-0.7-3.9.1 libdns_sd-0.7-3.9.1 libdns_sd-debuginfo-0.7-3.9.1 libhowl0-0.7-3.9.1 libhowl0-debuginfo-0.7-3.9.1 typelib-1_0-Avahi-0_6-0.7-3.9.1 - SUSE Manager Server 4.0 (x86_64): avahi-32bit-debuginfo-0.7-3.9.1 libavahi-client3-32bit-0.7-3.9.1 libavahi-client3-32bit-debuginfo-0.7-3.9.1 libavahi-common3-32bit-0.7-3.9.1 libavahi-common3-32bit-debuginfo-0.7-3.9.1 - SUSE Manager Server 4.0 (noarch): avahi-lang-0.7-3.9.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): avahi-0.7-3.9.1 avahi-32bit-debuginfo-0.7-3.9.1 avahi-autoipd-0.7-3.9.1 avahi-autoipd-debuginfo-0.7-3.9.1 avahi-compat-howl-devel-0.7-3.9.1 avahi-compat-mDNSResponder-devel-0.7-3.9.1 avahi-debuginfo-0.7-3.9.1 avahi-debugsource-0.7-3.9.1 avahi-glib2-debugsource-0.7-3.9.1 avahi-utils-0.7-3.9.1 avahi-utils-debuginfo-0.7-3.9.1 avahi-utils-gtk-0.7-3.9.1 avahi-utils-gtk-debuginfo-0.7-3.9.1 libavahi-client3-0.7-3.9.1 libavahi-client3-32bit-0.7-3.9.1 libavahi-client3-32bit-debuginfo-0.7-3.9.1 libavahi-client3-debuginfo-0.7-3.9.1 libavahi-common3-0.7-3.9.1 libavahi-common3-32bit-0.7-3.9.1 
libavahi-common3-32bit-debuginfo-0.7-3.9.1 libavahi-common3-debuginfo-0.7-3.9.1 libavahi-core7-0.7-3.9.1 libavahi-core7-debuginfo-0.7-3.9.1 libavahi-devel-0.7-3.9.1 libavahi-glib-devel-0.7-3.9.1 libavahi-glib1-0.7-3.9.1 libavahi-glib1-debuginfo-0.7-3.9.1 libavahi-gobject-devel-0.7-3.9.1 libavahi-gobject0-0.7-3.9.1 libavahi-gobject0-debuginfo-0.7-3.9.1 libavahi-ui-gtk3-0-0.7-3.9.1 libavahi-ui-gtk3-0-debuginfo-0.7-3.9.1 libavahi-ui0-0.7-3.9.1 libavahi-ui0-debuginfo-0.7-3.9.1 libdns_sd-0.7-3.9.1 libdns_sd-debuginfo-0.7-3.9.1 libhowl0-0.7-3.9.1 libhowl0-debuginfo-0.7-3.9.1 typelib-1_0-Avahi-0_6-0.7-3.9.1 - SUSE Manager Retail Branch Server 4.0 (noarch): avahi-lang-0.7-3.9.1 - SUSE Manager Proxy 4.0 (x86_64): avahi-0.7-3.9.1 avahi-32bit-debuginfo-0.7-3.9.1 avahi-autoipd-0.7-3.9.1 avahi-autoipd-debuginfo-0.7-3.9.1 avahi-compat-howl-devel-0.7-3.9.1 avahi-compat-mDNSResponder-devel-0.7-3.9.1 avahi-debuginfo-0.7-3.9.1 avahi-debugsource-0.7-3.9.1 avahi-glib2-debugsource-0.7-3.9.1 avahi-utils-0.7-3.9.1 avahi-utils-debuginfo-0.7-3.9.1 avahi-utils-gtk-0.7-3.9.1 avahi-utils-gtk-debuginfo-0.7-3.9.1 libavahi-client3-0.7-3.9.1 libavahi-client3-32bit-0.7-3.9.1 libavahi-client3-32bit-debuginfo-0.7-3.9.1 libavahi-client3-debuginfo-0.7-3.9.1 libavahi-common3-0.7-3.9.1 libavahi-common3-32bit-0.7-3.9.1 libavahi-common3-32bit-debuginfo-0.7-3.9.1 libavahi-common3-debuginfo-0.7-3.9.1 libavahi-core7-0.7-3.9.1 libavahi-core7-debuginfo-0.7-3.9.1 libavahi-devel-0.7-3.9.1 libavahi-glib-devel-0.7-3.9.1 libavahi-glib1-0.7-3.9.1 libavahi-glib1-debuginfo-0.7-3.9.1 libavahi-gobject-devel-0.7-3.9.1 libavahi-gobject0-0.7-3.9.1 libavahi-gobject0-debuginfo-0.7-3.9.1 libavahi-ui-gtk3-0-0.7-3.9.1 libavahi-ui-gtk3-0-debuginfo-0.7-3.9.1 libavahi-ui0-0.7-3.9.1 libavahi-ui0-debuginfo-0.7-3.9.1 libdns_sd-0.7-3.9.1 libdns_sd-debuginfo-0.7-3.9.1 libhowl0-0.7-3.9.1 libhowl0-debuginfo-0.7-3.9.1 typelib-1_0-Avahi-0_6-0.7-3.9.1 - SUSE Manager Proxy 4.0 (noarch): avahi-lang-0.7-3.9.1 - SUSE Linux Enterprise Server for 
SAP 15-SP1 (ppc64le x86_64): avahi-0.7-3.9.1 avahi-autoipd-0.7-3.9.1 avahi-autoipd-debuginfo-0.7-3.9.1 avahi-compat-howl-devel-0.7-3.9.1 avahi-compat-mDNSResponder-devel-0.7-3.9.1 avahi-debuginfo-0.7-3.9.1 avahi-debugsource-0.7-3.9.1 avahi-glib2-debugsource-0.7-3.9.1 avahi-utils-0.7-3.9.1 avahi-utils-debuginfo-0.7-3.9.1 avahi-utils-gtk-0.7-3.9.1 avahi-utils-gtk-debuginfo-0.7-3.9.1 libavahi-client3-0.7-3.9.1 libavahi-client3-debuginfo-0.7-3.9.1 libavahi-common3-0.7-3.9.1 libavahi-common3-debuginfo-0.7-3.9.1 libavahi-core7-0.7-3.9.1 libavahi-core7-debuginfo-0.7-3.9.1 libavahi-devel-0.7-3.9.1 libavahi-glib-devel-0.7-3.9.1 libavahi-glib1-0.7-3.9.1 libavahi-glib1-debuginfo-0.7-3.9.1 libavahi-gobject-devel-0.7-3.9.1 libavahi-gobject0-0.7-3.9.1 libavahi-gobject0-debuginfo-0.7-3.9.1 libavahi-ui-gtk3-0-0.7-3.9.1 libavahi-ui-gtk3-0-debuginfo-0.7-3.9.1 libavahi-ui0-0.7-3.9.1 libavahi-ui0-debuginfo-0.7-3.9.1 libdns_sd-0.7-3.9.1 libdns_sd-debuginfo-0.7-3.9.1 libhowl0-0.7-3.9.1 libhowl0-debuginfo-0.7-3.9.1 typelib-1_0-Avahi-0_6-0.7-3.9.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): avahi-lang-0.7-3.9.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64): avahi-32bit-debuginfo-0.7-3.9.1 libavahi-client3-32bit-0.7-3.9.1 libavahi-client3-32bit-debuginfo-0.7-3.9.1 libavahi-common3-32bit-0.7-3.9.1 libavahi-common3-32bit-debuginfo-0.7-3.9.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): avahi-0.7-3.9.1 avahi-autoipd-0.7-3.9.1 avahi-autoipd-debuginfo-0.7-3.9.1 avahi-compat-howl-devel-0.7-3.9.1 avahi-compat-mDNSResponder-devel-0.7-3.9.1 avahi-debuginfo-0.7-3.9.1 avahi-debugsource-0.7-3.9.1 avahi-glib2-debugsource-0.7-3.9.1 avahi-utils-0.7-3.9.1 avahi-utils-debuginfo-0.7-3.9.1 avahi-utils-gtk-0.7-3.9.1 avahi-utils-gtk-debuginfo-0.7-3.9.1 libavahi-client3-0.7-3.9.1 libavahi-client3-debuginfo-0.7-3.9.1 libavahi-common3-0.7-3.9.1 libavahi-common3-debuginfo-0.7-3.9.1 libavahi-core7-0.7-3.9.1 libavahi-core7-debuginfo-0.7-3.9.1 libavahi-devel-0.7-3.9.1 
libavahi-glib-devel-0.7-3.9.1 libavahi-glib1-0.7-3.9.1 libavahi-glib1-debuginfo-0.7-3.9.1 libavahi-gobject-devel-0.7-3.9.1 libavahi-gobject0-0.7-3.9.1 libavahi-gobject0-debuginfo-0.7-3.9.1 libavahi-ui-gtk3-0-0.7-3.9.1 libavahi-ui-gtk3-0-debuginfo-0.7-3.9.1 libavahi-ui0-0.7-3.9.1 libavahi-ui0-debuginfo-0.7-3.9.1 libdns_sd-0.7-3.9.1 libdns_sd-debuginfo-0.7-3.9.1 libhowl0-0.7-3.9.1 libhowl0-debuginfo-0.7-3.9.1 typelib-1_0-Avahi-0_6-0.7-3.9.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): avahi-lang-0.7-3.9.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64): avahi-32bit-debuginfo-0.7-3.9.1 libavahi-client3-32bit-0.7-3.9.1 libavahi-client3-32bit-debuginfo-0.7-3.9.1 libavahi-common3-32bit-0.7-3.9.1 libavahi-common3-32bit-debuginfo-0.7-3.9.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): avahi-0.7-3.9.1 avahi-32bit-debuginfo-0.7-3.9.1 avahi-autoipd-0.7-3.9.1 avahi-autoipd-debuginfo-0.7-3.9.1 avahi-compat-howl-devel-0.7-3.9.1 avahi-compat-mDNSResponder-devel-0.7-3.9.1 avahi-debuginfo-0.7-3.9.1 avahi-debugsource-0.7-3.9.1 avahi-glib2-debugsource-0.7-3.9.1 avahi-utils-0.7-3.9.1 avahi-utils-debuginfo-0.7-3.9.1 avahi-utils-gtk-0.7-3.9.1 avahi-utils-gtk-debuginfo-0.7-3.9.1 libavahi-client3-0.7-3.9.1 libavahi-client3-32bit-0.7-3.9.1 libavahi-client3-32bit-debuginfo-0.7-3.9.1 libavahi-client3-debuginfo-0.7-3.9.1 libavahi-common3-0.7-3.9.1 libavahi-common3-32bit-0.7-3.9.1 libavahi-common3-32bit-debuginfo-0.7-3.9.1 libavahi-common3-debuginfo-0.7-3.9.1 libavahi-core7-0.7-3.9.1 libavahi-core7-debuginfo-0.7-3.9.1 libavahi-devel-0.7-3.9.1 libavahi-glib-devel-0.7-3.9.1 libavahi-glib1-0.7-3.9.1 libavahi-glib1-debuginfo-0.7-3.9.1 libavahi-gobject-devel-0.7-3.9.1 libavahi-gobject0-0.7-3.9.1 libavahi-gobject0-debuginfo-0.7-3.9.1 libavahi-ui-gtk3-0-0.7-3.9.1 libavahi-ui-gtk3-0-debuginfo-0.7-3.9.1 libavahi-ui0-0.7-3.9.1 libavahi-ui0-debuginfo-0.7-3.9.1 libdns_sd-0.7-3.9.1 libdns_sd-debuginfo-0.7-3.9.1 libhowl0-0.7-3.9.1 libhowl0-debuginfo-0.7-3.9.1 
typelib-1_0-Avahi-0_6-0.7-3.9.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): avahi-lang-0.7-3.9.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): avahi-0.7-3.9.1 avahi-autoipd-0.7-3.9.1 avahi-autoipd-debuginfo-0.7-3.9.1 avahi-compat-howl-devel-0.7-3.9.1 avahi-compat-mDNSResponder-devel-0.7-3.9.1 avahi-debuginfo-0.7-3.9.1 avahi-debugsource-0.7-3.9.1 avahi-glib2-debugsource-0.7-3.9.1 avahi-utils-0.7-3.9.1 avahi-utils-debuginfo-0.7-3.9.1 avahi-utils-gtk-0.7-3.9.1 avahi-utils-gtk-debuginfo-0.7-3.9.1 libavahi-client3-0.7-3.9.1 libavahi-client3-debuginfo-0.7-3.9.1 libavahi-common3-0.7-3.9.1 libavahi-common3-debuginfo-0.7-3.9.1 libavahi-core7-0.7-3.9.1 libavahi-core7-debuginfo-0.7-3.9.1 libavahi-devel-0.7-3.9.1 libavahi-glib-devel-0.7-3.9.1 libavahi-glib1-0.7-3.9.1 libavahi-glib1-debuginfo-0.7-3.9.1 libavahi-gobject-devel-0.7-3.9.1 libavahi-gobject0-0.7-3.9.1 libavahi-gobject0-debuginfo-0.7-3.9.1 libavahi-ui-gtk3-0-0.7-3.9.1 libavahi-ui-gtk3-0-debuginfo-0.7-3.9.1 libavahi-ui0-0.7-3.9.1 libavahi-ui0-debuginfo-0.7-3.9.1 libdns_sd-0.7-3.9.1 libdns_sd-debuginfo-0.7-3.9.1 libhowl0-0.7-3.9.1 libhowl0-debuginfo-0.7-3.9.1 typelib-1_0-Avahi-0_6-0.7-3.9.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): avahi-lang-0.7-3.9.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64): avahi-32bit-debuginfo-0.7-3.9.1 libavahi-client3-32bit-0.7-3.9.1 libavahi-client3-32bit-debuginfo-0.7-3.9.1 libavahi-common3-32bit-0.7-3.9.1 libavahi-common3-32bit-debuginfo-0.7-3.9.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): avahi-0.7-3.9.1 avahi-autoipd-0.7-3.9.1 avahi-autoipd-debuginfo-0.7-3.9.1 avahi-compat-howl-devel-0.7-3.9.1 avahi-compat-mDNSResponder-devel-0.7-3.9.1 avahi-debuginfo-0.7-3.9.1 avahi-debugsource-0.7-3.9.1 avahi-glib2-debugsource-0.7-3.9.1 avahi-utils-0.7-3.9.1 avahi-utils-debuginfo-0.7-3.9.1 avahi-utils-gtk-0.7-3.9.1 avahi-utils-gtk-debuginfo-0.7-3.9.1 
libavahi-client3-0.7-3.9.1 libavahi-client3-debuginfo-0.7-3.9.1 libavahi-common3-0.7-3.9.1 libavahi-common3-debuginfo-0.7-3.9.1 libavahi-core7-0.7-3.9.1 libavahi-core7-debuginfo-0.7-3.9.1 libavahi-devel-0.7-3.9.1 libavahi-glib-devel-0.7-3.9.1 libavahi-glib1-0.7-3.9.1 libavahi-glib1-debuginfo-0.7-3.9.1 libavahi-gobject-devel-0.7-3.9.1 libavahi-gobject0-0.7-3.9.1 libavahi-gobject0-debuginfo-0.7-3.9.1 libavahi-ui-gtk3-0-0.7-3.9.1 libavahi-ui-gtk3-0-debuginfo-0.7-3.9.1 libavahi-ui0-0.7-3.9.1 libavahi-ui0-debuginfo-0.7-3.9.1 libdns_sd-0.7-3.9.1 libdns_sd-debuginfo-0.7-3.9.1 libhowl0-0.7-3.9.1 libhowl0-debuginfo-0.7-3.9.1 typelib-1_0-Avahi-0_6-0.7-3.9.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): avahi-lang-0.7-3.9.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64): avahi-32bit-debuginfo-0.7-3.9.1 libavahi-client3-32bit-0.7-3.9.1 libavahi-client3-32bit-debuginfo-0.7-3.9.1 libavahi-common3-32bit-0.7-3.9.1 libavahi-common3-32bit-debuginfo-0.7-3.9.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): avahi-0.7-3.9.1 avahi-autoipd-0.7-3.9.1 avahi-autoipd-debuginfo-0.7-3.9.1 avahi-compat-howl-devel-0.7-3.9.1 avahi-compat-mDNSResponder-devel-0.7-3.9.1 avahi-debuginfo-0.7-3.9.1 avahi-debugsource-0.7-3.9.1 avahi-glib2-debugsource-0.7-3.9.1 avahi-utils-0.7-3.9.1 avahi-utils-debuginfo-0.7-3.9.1 avahi-utils-gtk-0.7-3.9.1 avahi-utils-gtk-debuginfo-0.7-3.9.1 libavahi-client3-0.7-3.9.1 libavahi-client3-debuginfo-0.7-3.9.1 libavahi-common3-0.7-3.9.1 libavahi-common3-debuginfo-0.7-3.9.1 libavahi-core7-0.7-3.9.1 libavahi-core7-debuginfo-0.7-3.9.1 libavahi-devel-0.7-3.9.1 libavahi-glib-devel-0.7-3.9.1 libavahi-glib1-0.7-3.9.1 libavahi-glib1-debuginfo-0.7-3.9.1 libavahi-gobject-devel-0.7-3.9.1 libavahi-gobject0-0.7-3.9.1 libavahi-gobject0-debuginfo-0.7-3.9.1 libavahi-ui-gtk3-0-0.7-3.9.1 libavahi-ui-gtk3-0-debuginfo-0.7-3.9.1 libavahi-ui0-0.7-3.9.1 libavahi-ui0-debuginfo-0.7-3.9.1 libdns_sd-0.7-3.9.1 libdns_sd-debuginfo-0.7-3.9.1 
libhowl0-0.7-3.9.1 libhowl0-debuginfo-0.7-3.9.1 typelib-1_0-Avahi-0_6-0.7-3.9.1 - SUSE Enterprise Storage 6 (x86_64): avahi-32bit-debuginfo-0.7-3.9.1 libavahi-client3-32bit-0.7-3.9.1 libavahi-client3-32bit-debuginfo-0.7-3.9.1 libavahi-common3-32bit-0.7-3.9.1 libavahi-common3-32bit-debuginfo-0.7-3.9.1 - SUSE Enterprise Storage 6 (noarch): avahi-lang-0.7-3.9.1 - SUSE CaaS Platform 4.0 (x86_64): avahi-0.7-3.9.1 avahi-32bit-debuginfo-0.7-3.9.1 avahi-autoipd-0.7-3.9.1 avahi-autoipd-debuginfo-0.7-3.9.1 avahi-compat-howl-devel-0.7-3.9.1 avahi-compat-mDNSResponder-devel-0.7-3.9.1 avahi-debuginfo-0.7-3.9.1 avahi-debugsource-0.7-3.9.1 avahi-glib2-debugsource-0.7-3.9.1 avahi-utils-0.7-3.9.1 avahi-utils-debuginfo-0.7-3.9.1 avahi-utils-gtk-0.7-3.9.1 avahi-utils-gtk-debuginfo-0.7-3.9.1 libavahi-client3-0.7-3.9.1 libavahi-client3-32bit-0.7-3.9.1 libavahi-client3-32bit-debuginfo-0.7-3.9.1 libavahi-client3-debuginfo-0.7-3.9.1 libavahi-common3-0.7-3.9.1 libavahi-common3-32bit-0.7-3.9.1 libavahi-common3-32bit-debuginfo-0.7-3.9.1 libavahi-common3-debuginfo-0.7-3.9.1 libavahi-core7-0.7-3.9.1 libavahi-core7-debuginfo-0.7-3.9.1 libavahi-devel-0.7-3.9.1 libavahi-glib-devel-0.7-3.9.1 libavahi-glib1-0.7-3.9.1 libavahi-glib1-debuginfo-0.7-3.9.1 libavahi-gobject-devel-0.7-3.9.1 libavahi-gobject0-0.7-3.9.1 libavahi-gobject0-debuginfo-0.7-3.9.1 libavahi-ui-gtk3-0-0.7-3.9.1 libavahi-ui-gtk3-0-debuginfo-0.7-3.9.1 libavahi-ui0-0.7-3.9.1 libavahi-ui0-debuginfo-0.7-3.9.1 libdns_sd-0.7-3.9.1 libdns_sd-debuginfo-0.7-3.9.1 libhowl0-0.7-3.9.1 libhowl0-debuginfo-0.7-3.9.1 typelib-1_0-Avahi-0_6-0.7-3.9.1 - SUSE CaaS Platform 4.0 (noarch): avahi-lang-0.7-3.9.1 References: https://www.suse.com/security/cve/CVE-2021-3468.html https://bugzilla.suse.com/1184521 From sle-security-updates at lists.suse.com Fri Jun 4 13:21:06 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 4 Jun 2021 15:21:06 +0200 (CEST) Subject: SUSE-SU-2021:1863-1: important: Security 
update for umoci
Message-ID: <20210604132106.AB7D9FD14@maintenance.suse.de>

SUSE Security Update: Security update for umoci
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1863-1
Rating:             important
References:         #1184147
Cross-References:   CVE-2021-29136
CVSS scores:
                    CVE-2021-29136 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-29136 (SUSE): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Module for Containers 15-SP3
                    SUSE Linux Enterprise Module for Containers 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for umoci fixes the following issues:

- Update to v0.4.7 (bsc#1184147).
- CVE-2021-29136: Fixed overwriting of host files via malicious layer (bsc#1184147).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1863=1

   - SUSE Manager Retail Branch Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1863=1

   - SUSE Manager Proxy 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1863=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1863=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1863=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1863=1

   - SUSE Linux Enterprise Module for Containers 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Containers-15-SP3-2021-1863=1

   - SUSE Linux Enterprise Module for Containers 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Containers-15-SP2-2021-1863=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1863=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1863=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-1863=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):

      umoci-0.4.7-3.12.1

   - SUSE Manager Retail Branch Server 4.0 (x86_64):

      umoci-0.4.7-3.12.1

   - SUSE Manager Proxy 4.0 (x86_64):

      umoci-0.4.7-3.12.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

      umoci-0.4.7-3.12.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

      umoci-0.4.7-3.12.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

      umoci-0.4.7-3.12.1

   - SUSE Linux Enterprise Module for Containers 15-SP3 (aarch64 ppc64le s390x x86_64):

      umoci-0.4.7-3.12.1

   - SUSE Linux Enterprise Module for Containers 15-SP2 (aarch64 ppc64le s390x x86_64):

      umoci-0.4.7-3.12.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):

      umoci-0.4.7-3.12.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):

      umoci-0.4.7-3.12.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      umoci-0.4.7-3.12.1

   - SUSE CaaS Platform 4.0 (x86_64):

      umoci-0.4.7-3.12.1

References:

   https://www.suse.com/security/cve/CVE-2021-29136.html
   https://bugzilla.suse.com/1184147

From sle-security-updates at lists.suse.com Fri Jun 4 16:16:52 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 4 Jun 2021 18:16:52 +0200 (CEST)
Subject: SUSE-SU-2021:1865-1: important: Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3)
Message-ID: <20210604161652.1C2FDFD14@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1865-1
Rating:             important
References:         #1184710 #1184952 #1186235
Cross-References:   CVE-2020-36322 CVE-2021-29154
CVSS scores:
                    CVE-2020-36322 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
                    CVE-2021-29154 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-29154 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server 12-SP3-LTSS
______________________________________________________________________________

An update that solves two vulnerabilities and has one errata is now available.

Description:

This update for the Linux Kernel 4.4.180-94_130 fixes several issues.

The following security issues were fixed:

- Fix a kernel warning during sysfs read (bsc#1186235)
- CVE-2020-36322: An issue was discovered in the FUSE filesystem implementation in the Linux kernel aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: BPF JIT compilers in the Linux kernel have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c (bsc#1184710)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1864=1 SUSE-SLE-SAP-12-SP3-2021-1865=1 SUSE-SLE-SAP-12-SP3-2021-1866=1 SUSE-SLE-SAP-12-SP3-2021-1867=1 SUSE-SLE-SAP-12-SP3-2021-1868=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1864=1 SUSE-SLE-SERVER-12-SP3-2021-1865=1 SUSE-SLE-SERVER-12-SP3-2021-1866=1 SUSE-SLE-SERVER-12-SP3-2021-1867=1 SUSE-SLE-SERVER-12-SP3-2021-1868=1

Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      kgraft-patch-4_4_180-94_121-default-10-2.2
      kgraft-patch-4_4_180-94_121-default-debuginfo-10-2.2
      kgraft-patch-4_4_180-94_124-default-10-2.2
      kgraft-patch-4_4_180-94_124-default-debuginfo-10-2.2
      kgraft-patch-4_4_180-94_127-default-10-2.2
      kgraft-patch-4_4_180-94_127-default-debuginfo-10-2.2
      kgraft-patch-4_4_180-94_130-default-9-2.2
      kgraft-patch-4_4_180-94_130-default-debuginfo-9-2.2
      kgraft-patch-4_4_180-94_135-default-7-2.2
      kgraft-patch-4_4_180-94_135-default-debuginfo-7-2.2

   - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64):

      kgraft-patch-4_4_180-94_121-default-10-2.2
      kgraft-patch-4_4_180-94_121-default-debuginfo-10-2.2
      kgraft-patch-4_4_180-94_124-default-10-2.2
      kgraft-patch-4_4_180-94_124-default-debuginfo-10-2.2
      kgraft-patch-4_4_180-94_127-default-10-2.2
      kgraft-patch-4_4_180-94_127-default-debuginfo-10-2.2
      kgraft-patch-4_4_180-94_130-default-9-2.2
      kgraft-patch-4_4_180-94_130-default-debuginfo-9-2.2
      kgraft-patch-4_4_180-94_135-default-7-2.2
      kgraft-patch-4_4_180-94_135-default-debuginfo-7-2.2

References:

   https://www.suse.com/security/cve/CVE-2020-36322.html
   https://www.suse.com/security/cve/CVE-2021-29154.html
   https://bugzilla.suse.com/1184710
   https://bugzilla.suse.com/1184952
   https://bugzilla.suse.com/1186235

From sle-security-updates at lists.suse.com Fri Jun 4 16:19:24 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date:
Fri, 4 Jun 2021 18:19:24 +0200 (CEST)
Subject: SUSE-SU-2021:1870-1: important: Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3)
Message-ID: <20210604161924.47348FD14@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3)
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1870-1
Rating: important
References: #1184710 #1184952
Cross-References: CVE-2020-36322 CVE-2021-29154
CVSS scores:
CVE-2020-36322 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVE-2021-29154 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-29154 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
SUSE Linux Enterprise Server for SAP 12-SP3
SUSE Linux Enterprise Server 12-SP3-LTSS
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for the Linux Kernel 4.4.180-94_138 fixes several issues.

The following security issues were fixed:

- CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, which could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952).
- CVE-2021-29154: Fixed BPF JIT compilers that allowed arbitrary code execution within the kernel context (bsc#1184710)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1869=1 SUSE-SLE-SAP-12-SP3-2021-1870=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1869=1 SUSE-SLE-SERVER-12-SP3-2021-1870=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_180-94_138-default-5-2.2 kgraft-patch-4_4_180-94_138-default-debuginfo-5-2.2 kgraft-patch-4_4_180-94_141-default-4-2.2 kgraft-patch-4_4_180-94_141-default-debuginfo-4-2.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_180-94_138-default-5-2.2 kgraft-patch-4_4_180-94_138-default-debuginfo-5-2.2 kgraft-patch-4_4_180-94_141-default-4-2.2 kgraft-patch-4_4_180-94_141-default-debuginfo-4-2.2 References: https://www.suse.com/security/cve/CVE-2020-36322.html https://www.suse.com/security/cve/CVE-2021-29154.html https://bugzilla.suse.com/1184710 https://bugzilla.suse.com/1184952 From sle-security-updates at lists.suse.com Mon Jun 7 10:17:00 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 7 Jun 2021 12:17:00 +0200 (CEST) Subject: SUSE-SU-2021:1873-1: important: Security update for gstreamer-plugins-bad Message-ID: <20210607101700.57FEFFD07@maintenance.suse.de> SUSE Security Update: Security update for gstreamer-plugins-bad ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1873-1 Rating: important References: #1181255 Cross-References: CVE-2021-3185 CVSS scores: CVE-2021-3185 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3185 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Server 12-SP2-BCL ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for gstreamer-plugins-bad fixes the following issues: - CVE-2021-3185: Fixed buffer overflow in gst_h264_slice_parse_dec_ref_pic_marking (bsc#1181255). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1873=1 Package List: - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libgstegl-1_0-0-1.2.4-3.7.1 libgstegl-1_0-0-debuginfo-1.2.4-3.7.1 References: https://www.suse.com/security/cve/CVE-2021-3185.html https://bugzilla.suse.com/1181255 From sle-security-updates at lists.suse.com Mon Jun 7 16:17:03 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 7 Jun 2021 18:17:03 +0200 (CEST) Subject: SUSE-SU-2021:1875-1: important: Security update for gstreamer-plugins-bad Message-ID: <20210607161703.09BA7FD07@maintenance.suse.de> SUSE Security Update: Security update for gstreamer-plugins-bad ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1875-1 Rating: important References: #1181255 Cross-References: CVE-2021-3185 CVSS scores: CVE-2021-3185 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3185 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 
______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for gstreamer-plugins-bad fixes the following issues: - CVE-2021-3185: Fixed buffer overflow in gst_h264_slice_parse_dec_ref_pic_marking (bsc#1181255). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1875=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1875=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1875=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1875=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1875=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1875=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1875=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1875=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1875=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1875=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1875=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1875=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1875=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (noarch): gstreamer-plugins-bad-lang-1.8.3-18.3.5 - SUSE OpenStack Cloud Crowbar 9 (x86_64): gstreamer-plugins-bad-1.8.3-18.3.5 gstreamer-plugins-bad-debuginfo-1.8.3-18.3.5 
gstreamer-plugins-bad-debugsource-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadaudio-1_0-0-1.8.3-18.3.5 libgstbadaudio-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadbase-1_0-0-1.8.3-18.3.5 libgstbadbase-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadvideo-1_0-0-1.8.3-18.3.5 libgstbadvideo-1_0-0-debuginfo-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-debuginfo-1.8.3-18.3.5 libgstcodecparsers-1_0-0-1.8.3-18.3.5 libgstcodecparsers-1_0-0-debuginfo-1.8.3-18.3.5 libgstgl-1_0-0-1.8.3-18.3.5 libgstgl-1_0-0-debuginfo-1.8.3-18.3.5 libgstmpegts-1_0-0-1.8.3-18.3.5 libgstmpegts-1_0-0-debuginfo-1.8.3-18.3.5 libgstphotography-1_0-0-1.8.3-18.3.5 libgstphotography-1_0-0-debuginfo-1.8.3-18.3.5 libgsturidownloader-1_0-0-1.8.3-18.3.5 libgsturidownloader-1_0-0-debuginfo-1.8.3-18.3.5 - SUSE OpenStack Cloud Crowbar 8 (noarch): gstreamer-plugins-bad-lang-1.8.3-18.3.5 - SUSE OpenStack Cloud Crowbar 8 (x86_64): gstreamer-plugins-bad-1.8.3-18.3.5 gstreamer-plugins-bad-debuginfo-1.8.3-18.3.5 gstreamer-plugins-bad-debugsource-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadaudio-1_0-0-1.8.3-18.3.5 libgstbadaudio-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadbase-1_0-0-1.8.3-18.3.5 libgstbadbase-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadvideo-1_0-0-1.8.3-18.3.5 libgstbadvideo-1_0-0-debuginfo-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-debuginfo-1.8.3-18.3.5 libgstcodecparsers-1_0-0-1.8.3-18.3.5 libgstcodecparsers-1_0-0-debuginfo-1.8.3-18.3.5 libgstgl-1_0-0-1.8.3-18.3.5 libgstgl-1_0-0-debuginfo-1.8.3-18.3.5 libgstmpegts-1_0-0-1.8.3-18.3.5 libgstmpegts-1_0-0-debuginfo-1.8.3-18.3.5 libgstphotography-1_0-0-1.8.3-18.3.5 libgstphotography-1_0-0-debuginfo-1.8.3-18.3.5 libgsturidownloader-1_0-0-1.8.3-18.3.5 libgsturidownloader-1_0-0-debuginfo-1.8.3-18.3.5 - SUSE OpenStack Cloud 9 (x86_64): gstreamer-plugins-bad-1.8.3-18.3.5 
gstreamer-plugins-bad-debuginfo-1.8.3-18.3.5 gstreamer-plugins-bad-debugsource-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadaudio-1_0-0-1.8.3-18.3.5 libgstbadaudio-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadbase-1_0-0-1.8.3-18.3.5 libgstbadbase-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadvideo-1_0-0-1.8.3-18.3.5 libgstbadvideo-1_0-0-debuginfo-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-debuginfo-1.8.3-18.3.5 libgstcodecparsers-1_0-0-1.8.3-18.3.5 libgstcodecparsers-1_0-0-debuginfo-1.8.3-18.3.5 libgstgl-1_0-0-1.8.3-18.3.5 libgstgl-1_0-0-debuginfo-1.8.3-18.3.5 libgstmpegts-1_0-0-1.8.3-18.3.5 libgstmpegts-1_0-0-debuginfo-1.8.3-18.3.5 libgstphotography-1_0-0-1.8.3-18.3.5 libgstphotography-1_0-0-debuginfo-1.8.3-18.3.5 libgsturidownloader-1_0-0-1.8.3-18.3.5 libgsturidownloader-1_0-0-debuginfo-1.8.3-18.3.5 - SUSE OpenStack Cloud 9 (noarch): gstreamer-plugins-bad-lang-1.8.3-18.3.5 - SUSE OpenStack Cloud 8 (x86_64): gstreamer-plugins-bad-1.8.3-18.3.5 gstreamer-plugins-bad-debuginfo-1.8.3-18.3.5 gstreamer-plugins-bad-debugsource-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadaudio-1_0-0-1.8.3-18.3.5 libgstbadaudio-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadbase-1_0-0-1.8.3-18.3.5 libgstbadbase-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadvideo-1_0-0-1.8.3-18.3.5 libgstbadvideo-1_0-0-debuginfo-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-debuginfo-1.8.3-18.3.5 libgstcodecparsers-1_0-0-1.8.3-18.3.5 libgstcodecparsers-1_0-0-debuginfo-1.8.3-18.3.5 libgstgl-1_0-0-1.8.3-18.3.5 libgstgl-1_0-0-debuginfo-1.8.3-18.3.5 libgstmpegts-1_0-0-1.8.3-18.3.5 libgstmpegts-1_0-0-debuginfo-1.8.3-18.3.5 libgstphotography-1_0-0-1.8.3-18.3.5 libgstphotography-1_0-0-debuginfo-1.8.3-18.3.5 libgsturidownloader-1_0-0-1.8.3-18.3.5 libgsturidownloader-1_0-0-debuginfo-1.8.3-18.3.5 - SUSE OpenStack Cloud 8 (noarch): 
gstreamer-plugins-bad-lang-1.8.3-18.3.5 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): gstreamer-plugins-bad-debuginfo-1.8.3-18.3.5 gstreamer-plugins-bad-debugsource-1.8.3-18.3.5 gstreamer-plugins-bad-devel-1.8.3-18.3.5 libgstinsertbin-1_0-0-1.8.3-18.3.5 libgstinsertbin-1_0-0-debuginfo-1.8.3-18.3.5 libgsturidownloader-1_0-0-1.8.3-18.3.5 libgsturidownloader-1_0-0-debuginfo-1.8.3-18.3.5 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): gstreamer-plugins-bad-1.8.3-18.3.5 gstreamer-plugins-bad-debuginfo-1.8.3-18.3.5 gstreamer-plugins-bad-debugsource-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadaudio-1_0-0-1.8.3-18.3.5 libgstbadaudio-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadbase-1_0-0-1.8.3-18.3.5 libgstbadbase-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadvideo-1_0-0-1.8.3-18.3.5 libgstbadvideo-1_0-0-debuginfo-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-debuginfo-1.8.3-18.3.5 libgstcodecparsers-1_0-0-1.8.3-18.3.5 libgstcodecparsers-1_0-0-debuginfo-1.8.3-18.3.5 libgstgl-1_0-0-1.8.3-18.3.5 libgstgl-1_0-0-debuginfo-1.8.3-18.3.5 libgstmpegts-1_0-0-1.8.3-18.3.5 libgstmpegts-1_0-0-debuginfo-1.8.3-18.3.5 libgstphotography-1_0-0-1.8.3-18.3.5 libgstphotography-1_0-0-debuginfo-1.8.3-18.3.5 libgsturidownloader-1_0-0-1.8.3-18.3.5 libgsturidownloader-1_0-0-debuginfo-1.8.3-18.3.5 - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): gstreamer-plugins-bad-lang-1.8.3-18.3.5 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): gstreamer-plugins-bad-1.8.3-18.3.5 gstreamer-plugins-bad-debuginfo-1.8.3-18.3.5 gstreamer-plugins-bad-debugsource-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadaudio-1_0-0-1.8.3-18.3.5 libgstbadaudio-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadbase-1_0-0-1.8.3-18.3.5 libgstbadbase-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadvideo-1_0-0-1.8.3-18.3.5 
libgstbadvideo-1_0-0-debuginfo-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-debuginfo-1.8.3-18.3.5 libgstcodecparsers-1_0-0-1.8.3-18.3.5 libgstcodecparsers-1_0-0-debuginfo-1.8.3-18.3.5 libgstgl-1_0-0-1.8.3-18.3.5 libgstgl-1_0-0-debuginfo-1.8.3-18.3.5 libgstmpegts-1_0-0-1.8.3-18.3.5 libgstmpegts-1_0-0-debuginfo-1.8.3-18.3.5 libgstphotography-1_0-0-1.8.3-18.3.5 libgstphotography-1_0-0-debuginfo-1.8.3-18.3.5 libgsturidownloader-1_0-0-1.8.3-18.3.5 libgsturidownloader-1_0-0-debuginfo-1.8.3-18.3.5 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): gstreamer-plugins-bad-lang-1.8.3-18.3.5 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): gstreamer-plugins-bad-1.8.3-18.3.5 gstreamer-plugins-bad-debuginfo-1.8.3-18.3.5 gstreamer-plugins-bad-debugsource-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadaudio-1_0-0-1.8.3-18.3.5 libgstbadaudio-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadbase-1_0-0-1.8.3-18.3.5 libgstbadbase-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadvideo-1_0-0-1.8.3-18.3.5 libgstbadvideo-1_0-0-debuginfo-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-debuginfo-1.8.3-18.3.5 libgstcodecparsers-1_0-0-1.8.3-18.3.5 libgstcodecparsers-1_0-0-debuginfo-1.8.3-18.3.5 libgstgl-1_0-0-1.8.3-18.3.5 libgstgl-1_0-0-debuginfo-1.8.3-18.3.5 libgstmpegts-1_0-0-1.8.3-18.3.5 libgstmpegts-1_0-0-debuginfo-1.8.3-18.3.5 libgstphotography-1_0-0-1.8.3-18.3.5 libgstphotography-1_0-0-debuginfo-1.8.3-18.3.5 libgsturidownloader-1_0-0-1.8.3-18.3.5 libgsturidownloader-1_0-0-debuginfo-1.8.3-18.3.5 - SUSE Linux Enterprise Server 12-SP5 (noarch): gstreamer-plugins-bad-lang-1.8.3-18.3.5 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): gstreamer-plugins-bad-1.8.3-18.3.5 gstreamer-plugins-bad-debuginfo-1.8.3-18.3.5 gstreamer-plugins-bad-debugsource-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-1.8.3-18.3.5 
libgstadaptivedemux-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadaudio-1_0-0-1.8.3-18.3.5 libgstbadaudio-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadbase-1_0-0-1.8.3-18.3.5 libgstbadbase-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadvideo-1_0-0-1.8.3-18.3.5 libgstbadvideo-1_0-0-debuginfo-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-debuginfo-1.8.3-18.3.5 libgstcodecparsers-1_0-0-1.8.3-18.3.5 libgstcodecparsers-1_0-0-debuginfo-1.8.3-18.3.5 libgstgl-1_0-0-1.8.3-18.3.5 libgstgl-1_0-0-debuginfo-1.8.3-18.3.5 libgstmpegts-1_0-0-1.8.3-18.3.5 libgstmpegts-1_0-0-debuginfo-1.8.3-18.3.5 libgstphotography-1_0-0-1.8.3-18.3.5 libgstphotography-1_0-0-debuginfo-1.8.3-18.3.5 libgsturidownloader-1_0-0-1.8.3-18.3.5 libgsturidownloader-1_0-0-debuginfo-1.8.3-18.3.5 - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch): gstreamer-plugins-bad-lang-1.8.3-18.3.5 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): gstreamer-plugins-bad-1.8.3-18.3.5 gstreamer-plugins-bad-debuginfo-1.8.3-18.3.5 gstreamer-plugins-bad-debugsource-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadaudio-1_0-0-1.8.3-18.3.5 libgstbadaudio-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadbase-1_0-0-1.8.3-18.3.5 libgstbadbase-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadvideo-1_0-0-1.8.3-18.3.5 libgstbadvideo-1_0-0-debuginfo-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-debuginfo-1.8.3-18.3.5 libgstcodecparsers-1_0-0-1.8.3-18.3.5 libgstcodecparsers-1_0-0-debuginfo-1.8.3-18.3.5 libgstgl-1_0-0-1.8.3-18.3.5 libgstgl-1_0-0-debuginfo-1.8.3-18.3.5 libgstmpegts-1_0-0-1.8.3-18.3.5 libgstmpegts-1_0-0-debuginfo-1.8.3-18.3.5 libgstphotography-1_0-0-1.8.3-18.3.5 libgstphotography-1_0-0-debuginfo-1.8.3-18.3.5 libgsturidownloader-1_0-0-1.8.3-18.3.5 libgsturidownloader-1_0-0-debuginfo-1.8.3-18.3.5 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): gstreamer-plugins-bad-lang-1.8.3-18.3.5 - SUSE Linux Enterprise 
Server 12-SP3-BCL (x86_64): gstreamer-plugins-bad-1.8.3-18.3.5 gstreamer-plugins-bad-debuginfo-1.8.3-18.3.5 gstreamer-plugins-bad-debugsource-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadaudio-1_0-0-1.8.3-18.3.5 libgstbadaudio-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadbase-1_0-0-1.8.3-18.3.5 libgstbadbase-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadvideo-1_0-0-1.8.3-18.3.5 libgstbadvideo-1_0-0-debuginfo-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-debuginfo-1.8.3-18.3.5 libgstcodecparsers-1_0-0-1.8.3-18.3.5 libgstcodecparsers-1_0-0-debuginfo-1.8.3-18.3.5 libgstgl-1_0-0-1.8.3-18.3.5 libgstgl-1_0-0-debuginfo-1.8.3-18.3.5 libgstmpegts-1_0-0-1.8.3-18.3.5 libgstmpegts-1_0-0-debuginfo-1.8.3-18.3.5 libgstphotography-1_0-0-1.8.3-18.3.5 libgstphotography-1_0-0-debuginfo-1.8.3-18.3.5 libgsturidownloader-1_0-0-1.8.3-18.3.5 libgsturidownloader-1_0-0-debuginfo-1.8.3-18.3.5 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): gstreamer-plugins-bad-lang-1.8.3-18.3.5 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): gstreamer-plugins-bad-1.8.3-18.3.5 gstreamer-plugins-bad-debuginfo-1.8.3-18.3.5 gstreamer-plugins-bad-debugsource-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadaudio-1_0-0-1.8.3-18.3.5 libgstbadaudio-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadbase-1_0-0-1.8.3-18.3.5 libgstbadbase-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadvideo-1_0-0-1.8.3-18.3.5 libgstbadvideo-1_0-0-debuginfo-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-debuginfo-1.8.3-18.3.5 libgstcodecparsers-1_0-0-1.8.3-18.3.5 libgstcodecparsers-1_0-0-debuginfo-1.8.3-18.3.5 libgstgl-1_0-0-1.8.3-18.3.5 libgstgl-1_0-0-debuginfo-1.8.3-18.3.5 libgstmpegts-1_0-0-1.8.3-18.3.5 libgstmpegts-1_0-0-debuginfo-1.8.3-18.3.5 libgstphotography-1_0-0-1.8.3-18.3.5 libgstphotography-1_0-0-debuginfo-1.8.3-18.3.5 
libgsturidownloader-1_0-0-1.8.3-18.3.5 libgsturidownloader-1_0-0-debuginfo-1.8.3-18.3.5 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): gstreamer-plugins-bad-lang-1.8.3-18.3.5 - HPE Helion Openstack 8 (x86_64): gstreamer-plugins-bad-1.8.3-18.3.5 gstreamer-plugins-bad-debuginfo-1.8.3-18.3.5 gstreamer-plugins-bad-debugsource-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-1.8.3-18.3.5 libgstadaptivedemux-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadaudio-1_0-0-1.8.3-18.3.5 libgstbadaudio-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadbase-1_0-0-1.8.3-18.3.5 libgstbadbase-1_0-0-debuginfo-1.8.3-18.3.5 libgstbadvideo-1_0-0-1.8.3-18.3.5 libgstbadvideo-1_0-0-debuginfo-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-1.8.3-18.3.5 libgstbasecamerabinsrc-1_0-0-debuginfo-1.8.3-18.3.5 libgstcodecparsers-1_0-0-1.8.3-18.3.5 libgstcodecparsers-1_0-0-debuginfo-1.8.3-18.3.5 libgstgl-1_0-0-1.8.3-18.3.5 libgstgl-1_0-0-debuginfo-1.8.3-18.3.5 libgstmpegts-1_0-0-1.8.3-18.3.5 libgstmpegts-1_0-0-debuginfo-1.8.3-18.3.5 libgstphotography-1_0-0-1.8.3-18.3.5 libgstphotography-1_0-0-debuginfo-1.8.3-18.3.5 libgsturidownloader-1_0-0-1.8.3-18.3.5 libgsturidownloader-1_0-0-debuginfo-1.8.3-18.3.5 - HPE Helion Openstack 8 (noarch): gstreamer-plugins-bad-lang-1.8.3-18.3.5 References: https://www.suse.com/security/cve/CVE-2021-3185.html https://bugzilla.suse.com/1181255 From sle-security-updates at lists.suse.com Mon Jun 7 16:19:28 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 7 Jun 2021 18:19:28 +0200 (CEST) Subject: SUSE-SU-2021:1876-1: important: Security update for snakeyaml Message-ID: <20210607161928.13D2CFD07@maintenance.suse.de> SUSE Security Update: Security update for snakeyaml ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1876-1 Rating: important References: #1159488 #1186088 Cross-References: CVE-2017-18640 CVSS scores: CVE-2017-18640 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 
CVE-2017-18640 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Module for SUSE Manager Server 4.2 SUSE Linux Enterprise Module for Development Tools 15-SP3 SUSE Linux Enterprise Module for Development Tools 15-SP2 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for snakeyaml fixes the following issues: - Upgrade to 1.28 - CVE-2017-18640: The Alias feature allows entity expansion during a load operation (bsc#1159488, bsc#1186088) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SUSE Manager Server 4.2: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2021-1876=1 - SUSE Linux Enterprise Module for Development Tools 15-SP3: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-1876=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-1876=1 Package List: - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch): snakeyaml-1.28-3.5.1 - SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch): snakeyaml-1.28-3.5.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch): snakeyaml-1.28-3.5.1 References: https://www.suse.com/security/cve/CVE-2017-18640.html https://bugzilla.suse.com/1159488 https://bugzilla.suse.com/1186088 From sle-security-updates at lists.suse.com Tue Jun 8 10:17:06 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 8 Jun 2021 12:17:06 +0200 (CEST) Subject: SUSE-SU-2021:1878-1: moderate: Security update for 389-ds Message-ID: <20210608101706.59BA0FD07@maintenance.suse.de> SUSE Security Update: Security 
update for 389-ds ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1878-1 Rating: moderate References: #1185356 Cross-References: CVE-2021-3514 CVSS scores: CVE-2021-3514 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for 389-ds fixes the following issues: - CVE-2021-3514: Fixed a sync_repl NULL pointer dereference in sync_create_state_control() (bsc#1185356) 389-ds was updated to version 1.4.3.23~git0.f53d0132b: Bump version to 1.4.3.23: * Issue 4725 - [RFE] DS - Update the password policy to support a Temporary Password Rules (#4727) * Issue 4759 - Fix coverity issue (#4760) * Issue 4656 - Fix cherry pick error around replication enabling * Issue 4701 - RFE - Exclude attributes from retro changelog (#4723) (#4746) * Issue 4742 - UI - should always use LDAPI path when calling CLI * Issue 4667 - incorrect accounting of readers in vattr rwlock (#4732) * Issue 4711 - SIGSEV with sync_repl (#4738) * Issue 4649 - fix testcase importing ContentSyncPlugin * Issue 2736 - Warnings from automatic shebang munging macro * Issue 2736 - https://github.com/389ds/389-ds-base/issues/2736 * Issue 4706 - negative wtime in access log for CMP operations Bump version to 1.4.3.22: * Issue 4671 - UI - Fix browser crashes * lib389 - Add ContentSyncPlugin class * Issue 4656 - lib389 - fix cherry pick error * Issue 4229 - Fix Rust linking * Issue 4658 - monitor - connection start date is incorrect * Issue 2621 - lib389 - backport ds_supports_new_changelog() * Issue 4656 - Make replication CLI backwards compatible with role name change * Issue 4656 - Remove problematic language from UI/CLI/lib389 * Issue 4459 - lib389 - Default paths should use dse.ldif if the server is down * Issue 4663 
- CLI - unable to add objectclass/attribute without x-origin Bump version to 1.4.3.21: * Issue 4169 - UI - updates on the tuning page are not reflected in the UI * Issue 4588 - BUG - unable to compile without xcrypt (#4589) * Issue 4513 - Fix replication CI test failures (#4557) * Issue 4646 - CLI/UI - revise DNA plugin management * Issue 4644 - Large updates can reset the CLcache to the beginning of the changelog (#4647) * Issue 4649 - crash in sync_repl when a MODRDN create a cenotaph (#4652) * Issue 4615 - log message when psearch first exceeds max threads per conn Bump version to 1.4.3.20: * Issue 4324 - Some architectures the cache line size file does not exist * Issue 4593 - RFE - Print help when nsSSLPersonalitySSL is not found (#4614) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-1878=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): 389-ds-1.4.3.23~git0.f53d0132b-3.15.1 389-ds-debuginfo-1.4.3.23~git0.f53d0132b-3.15.1 389-ds-debugsource-1.4.3.23~git0.f53d0132b-3.15.1 389-ds-devel-1.4.3.23~git0.f53d0132b-3.15.1 lib389-1.4.3.23~git0.f53d0132b-3.15.1 libsvrcore0-1.4.3.23~git0.f53d0132b-3.15.1 libsvrcore0-debuginfo-1.4.3.23~git0.f53d0132b-3.15.1 References: https://www.suse.com/security/cve/CVE-2021-3514.html https://bugzilla.suse.com/1185356 From sle-security-updates at lists.suse.com Tue Jun 8 13:17:43 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 8 Jun 2021 15:17:43 +0200 (CEST) Subject: SUSE-SU-2021:1880-1: important: Security update for shim Message-ID: <20210608131743.9CCADFD14@maintenance.suse.de> SUSE Security Update: Security update for shim 
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1880-1
Rating: important
References: #1182057 #1185464
Affected Products:
SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for shim fixes the following issues:

- Update to the unified shim binary for SBAT support (bsc#1182057)
- shim-install: Always assume "removable" for Azure to avoid the endless reset loop (bsc#1185464).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1880=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (x86_64):

  shim-15.4-25.16.1

References:

https://bugzilla.suse.com/1182057
https://bugzilla.suse.com/1185464

From sle-security-updates at lists.suse.com Tue Jun 8 16:18:13 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 8 Jun 2021 18:18:13 +0200 (CEST)
Subject: SUSE-SU-2021:1891-1: important: Security update for the Linux Kernel
Message-ID: <20210608161813.810BAFD07@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1891-1
Rating: important
References: #1176081 #1180846 #1183947 #1184611 #1184675 #1185642
  #1185677 #1185680 #1185724 #1185859 #1185860 #1185862
  #1185863 #1185898 #1185899 #1185901 #1185938 #1185950
  #1185987 #1186060 #1186061 #1186062 #1186111 #1186285
  #1186390 #1186484 #1186498
Cross-References: CVE-2020-24586 CVE-2020-24587 CVE-2020-26139
  CVE-2020-26141 CVE-2020-26145 CVE-2020-26147
  CVE-2021-23133 CVE-2021-23134 CVE-2021-32399 CVE-2021-33034
  CVE-2021-33200 CVE-2021-3491
CVSS scores:
CVE-2020-24586 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2020-24586 (SUSE): 4.7 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CVE-2020-24587 (NVD) : 2.6 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2020-24587 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE-2020-26139 (NVD) : 5.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-26139 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2020-26141 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE-2020-26145 (SUSE): 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE-2020-26147 (NVD) : 5.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
CVE-2021-23133 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-23133 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-33200 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-3491 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
SUSE OpenStack Cloud Crowbar 9
SUSE OpenStack Cloud 9
SUSE Linux Enterprise Server for SAP 12-SP4
SUSE Linux Enterprise Server 12-SP4-LTSS
SUSE Linux Enterprise Live Patching 12-SP4
SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 15 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values. (bsc#1186111)
- CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
- CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
- CVE-2021-23133: Fixed a race condition in SCTP sockets, which could lead to privilege escalation from the context of a network service or an unprivileged process. (bnc#1184675)
- CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
- CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
- CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
- CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)

The following non-security bugs were fixed:

- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185724).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185724).
- af_packet: fix the tx skb protocol in raw sockets with ETH_P_ALL (bsc#1176081).
- ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043).
- ibmvfc: Handle move login failure (bsc#1185938 ltc#192043).
- ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).
- kABI: Fix kABI after modifying struct __call_single_data (bsc#1180846).
- kabi: preserve struct header_ops after bsc#1176081 fix (bsc#1176081).
- kernel/smp: Provide CSD lock timeout diagnostics (bsc#1180846).
- kernel/smp: add boot parameter for controlling CSD lock debugging (bsc#1180846).
- kernel/smp: add more data to CSD lock debugging (bsc#1180846).
- kernel/smp: make csdlock timeout depend on boot parameter (bsc#1180846).
- kernel/smp: prepare more CSD lock debugging (bsc#1180846).
- md/raid1: properly indicate failure when ending a failed write request (bsc#1185680).
- net/ethernet: Add parse_protocol header_ops support (bsc#1176081).
- net/mlx5e: Remove the wrong assumption about transport offset (bsc#1176081).
- net/mlx5e: Trust kernel regarding transport offset (bsc#1176081).
- net/packet: Ask driver for protocol if not provided by user (bsc#1176081).
- net/packet: Remove redundant skb->protocol set (bsc#1176081).
- net: Do not set transport offset to invalid value (bsc#1176081).
- net: Introduce parse_protocol header_ops callback (bsc#1176081).
- netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950).
- netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950).
- netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950).
- netfilter: conntrack: tcp: only close if RST matches exact sequence (bsc#1183947 bsc#1185950).
- s390/entry: save the caller of psw_idle (bsc#1185677).
- smp: Add source and destination CPUs to __call_single_data (bsc#1180846).
- video: hyperv_fb: Add ratelimit on error message (bsc#1185724).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1891=1
- SUSE OpenStack Cloud 9:
  zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1891=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1891=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1891=1
- SUSE Linux Enterprise Live Patching 12-SP4:
  zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2021-1891=1
- SUSE Linux Enterprise High Availability 12-SP4:
  zypper in -t patch SUSE-SLE-HA-12-SP4-2021-1891=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  kernel-default-4.12.14-95.77.1
  kernel-default-base-4.12.14-95.77.1
  kernel-default-base-debuginfo-4.12.14-95.77.1
  kernel-default-debuginfo-4.12.14-95.77.1
  kernel-default-debugsource-4.12.14-95.77.1
  kernel-default-devel-4.12.14-95.77.1
  kernel-default-devel-debuginfo-4.12.14-95.77.1
  kernel-syms-4.12.14-95.77.1
- SUSE OpenStack Cloud Crowbar 9 (noarch):
  kernel-devel-4.12.14-95.77.1
  kernel-macros-4.12.14-95.77.1
  kernel-source-4.12.14-95.77.1
- SUSE OpenStack Cloud 9 (x86_64):
  kernel-default-4.12.14-95.77.1
  kernel-default-base-4.12.14-95.77.1
  kernel-default-base-debuginfo-4.12.14-95.77.1
  kernel-default-debuginfo-4.12.14-95.77.1
  kernel-default-debugsource-4.12.14-95.77.1
  kernel-default-devel-4.12.14-95.77.1
  kernel-default-devel-debuginfo-4.12.14-95.77.1
  kernel-syms-4.12.14-95.77.1
- SUSE OpenStack Cloud 9 (noarch):
  kernel-devel-4.12.14-95.77.1
  kernel-macros-4.12.14-95.77.1
  kernel-source-4.12.14-95.77.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
  kernel-default-4.12.14-95.77.1
  kernel-default-base-4.12.14-95.77.1
  kernel-default-base-debuginfo-4.12.14-95.77.1
  kernel-default-debuginfo-4.12.14-95.77.1
  kernel-default-debugsource-4.12.14-95.77.1
  kernel-default-devel-4.12.14-95.77.1
  kernel-syms-4.12.14-95.77.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):
  kernel-default-devel-debuginfo-4.12.14-95.77.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):
  kernel-devel-4.12.14-95.77.1
  kernel-macros-4.12.14-95.77.1
  kernel-source-4.12.14-95.77.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
  kernel-default-4.12.14-95.77.1
  kernel-default-base-4.12.14-95.77.1
  kernel-default-base-debuginfo-4.12.14-95.77.1
  kernel-default-debuginfo-4.12.14-95.77.1
  kernel-default-debugsource-4.12.14-95.77.1
  kernel-default-devel-4.12.14-95.77.1
  kernel-syms-4.12.14-95.77.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (x86_64):
  kernel-default-devel-debuginfo-4.12.14-95.77.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):
  kernel-devel-4.12.14-95.77.1
  kernel-macros-4.12.14-95.77.1
  kernel-source-4.12.14-95.77.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (s390x):
  kernel-default-man-4.12.14-95.77.1
- SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64):
  kernel-default-kgraft-4.12.14-95.77.1
  kernel-default-kgraft-devel-4.12.14-95.77.1
  kgraft-patch-4_12_14-95_77-default-1-6.3.1
- SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64):
  cluster-md-kmp-default-4.12.14-95.77.1
  cluster-md-kmp-default-debuginfo-4.12.14-95.77.1
  dlm-kmp-default-4.12.14-95.77.1
  dlm-kmp-default-debuginfo-4.12.14-95.77.1
  gfs2-kmp-default-4.12.14-95.77.1
  gfs2-kmp-default-debuginfo-4.12.14-95.77.1
  kernel-default-debuginfo-4.12.14-95.77.1
  kernel-default-debugsource-4.12.14-95.77.1
  ocfs2-kmp-default-4.12.14-95.77.1
  ocfs2-kmp-default-debuginfo-4.12.14-95.77.1

References:

https://www.suse.com/security/cve/CVE-2020-24586.html
https://www.suse.com/security/cve/CVE-2020-24587.html
https://www.suse.com/security/cve/CVE-2020-26139.html
https://www.suse.com/security/cve/CVE-2020-26141.html
https://www.suse.com/security/cve/CVE-2020-26145.html
https://www.suse.com/security/cve/CVE-2020-26147.html
https://www.suse.com/security/cve/CVE-2021-23133.html
https://www.suse.com/security/cve/CVE-2021-23134.html
https://www.suse.com/security/cve/CVE-2021-32399.html
https://www.suse.com/security/cve/CVE-2021-33034.html
https://www.suse.com/security/cve/CVE-2021-33200.html
https://www.suse.com/security/cve/CVE-2021-3491.html
https://bugzilla.suse.com/1176081
https://bugzilla.suse.com/1180846
https://bugzilla.suse.com/1183947
https://bugzilla.suse.com/1184611
https://bugzilla.suse.com/1184675
https://bugzilla.suse.com/1185642
https://bugzilla.suse.com/1185677
https://bugzilla.suse.com/1185680
https://bugzilla.suse.com/1185724
https://bugzilla.suse.com/1185859
https://bugzilla.suse.com/1185860
https://bugzilla.suse.com/1185862
https://bugzilla.suse.com/1185863
https://bugzilla.suse.com/1185898
https://bugzilla.suse.com/1185899
https://bugzilla.suse.com/1185901
https://bugzilla.suse.com/1185938
https://bugzilla.suse.com/1185950
https://bugzilla.suse.com/1185987
https://bugzilla.suse.com/1186060
https://bugzilla.suse.com/1186061
https://bugzilla.suse.com/1186062
https://bugzilla.suse.com/1186111
https://bugzilla.suse.com/1186285
https://bugzilla.suse.com/1186390
https://bugzilla.suse.com/1186484
https://bugzilla.suse.com/1186498

From sle-security-updates at lists.suse.com Tue Jun 8 16:22:48 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 8 Jun 2021 18:22:48 +0200 (CEST)
Subject: SUSE-SU-2021:1890-1: important: Security update for the Linux Kernel
Message-ID: <20210608162248.C41D1FD07@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1890-1
Rating: important
References: #1087082 #1133021 #1152457 #1152489 #1155518 #1156395 #1164648 #1177666 #1178378 #1178418 #1178612 #1179519 #1179825 #1179827 #1179851 #1182257 #1182378 #1182999 #1183346 #1183868 #1183873 #1183932 #1183947 #1183976 #1184081 #1184082 #1184259 #1184611 #1184855 #1185428 #1185495 #1185497 #1185589 #1185606 #1185642 #1185645
#1185677 #1185680 #1185703 #1185725 #1185758 #1185859 #1185860 #1185861 #1185862 #1185863 #1185898 #1185899 #1185911 #1185938 #1185950 #1185982 #1185987 #1185988 #1186060 #1186061 #1186062 #1186111 #1186285 #1186320 #1186390 #1186416 #1186439 #1186441 #1186451 #1186460 #1186479 #1186484 #1186498 #1186501 #1186573 #1186681
Cross-References: CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2021-23134 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVE-2021-3491
CVSS scores:
  CVE-2020-24586 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  CVE-2020-24586 (SUSE): 4.7 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
  CVE-2020-24587 (NVD) : 2.6 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
  CVE-2020-24587 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  CVE-2020-24588 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
  CVE-2020-24588 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  CVE-2020-26139 (NVD) : 5.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2020-26139 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  CVE-2020-26141 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  CVE-2020-26145 (SUSE): 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  CVE-2020-26147 (NVD) : 5.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
  CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
  CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-33200 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-3491 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  SUSE MicroOS 5.0
  SUSE Linux Enterprise Workstation Extension 15-SP2
  SUSE Linux Enterprise Module for Live Patching 15-SP2
  SUSE Linux Enterprise Module for Legacy Software 15-SP2
  SUSE Linux Enterprise Module for Development Tools 15-SP2
  SUSE Linux Enterprise Module for Basesystem 15-SP2
  SUSE Linux Enterprise High Availability 15-SP2
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 60 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values. (bsc#1186111)
- CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
- CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
- CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
- CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
- CVE-2020-24588: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (bnc#1185861)
- CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
- CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)

The following non-security bugs were fixed:

- ACPI / hotplug / PCI: Fix reference count leak in enable_slot() (git-fixes).
- ACPI: GTDT: Do not corrupt interrupt mappings on watchdow probe failure (git-fixes).
- ACPI: custom_method: fix a possible memory leak (git-fixes).
- ACPI: custom_method: fix potential use-after-free issue (git-fixes).
- ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro (git-fixes).
- ALSA: bebob: enable to deliver MIDI messages for multiple ports (git-fixes).
- ALSA: dice: fix stream format at middle sampling rate for Alesis iO 26 (git-fixes).
- ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency (git-fixes).
- ALSA: firewire-lib: fix calculation for size of IR context payload (git-fixes).
- ALSA: firewire-lib: fix check for the size of isochronous packet payload (git-fixes).
- ALSA: hda/conexant: Re-order CX5066 quirk table entries (git-fixes).
- ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is unreachable (git-fixes).
- ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293 (git-fixes).
- ALSA: hda/realtek: Headphone volume is controlled by Front mixer (git-fixes).
- ALSA: hda/realtek: reset eapd coeff to default value for alc287 (git-fixes).
- ALSA: hda: fixup headset for ASUS GU502 laptop (git-fixes).
- ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP (git-fixes).
- ALSA: hdsp: do not disable if not enabled (git-fixes).
- ALSA: hdspm: do not disable if not enabled (git-fixes).
- ALSA: intel8x0: Do not update period unless prepared (git-fixes).
- ALSA: line6: Fix racy initialization of LINE6 MIDI (git-fixes).
- ALSA: rme9652: do not disable if not enabled (git-fixes).
- ALSA: usb-audio: Validate MS endpoint descriptors (git-fixes).
- ALSA: usb-audio: fix control-request direction (git-fixes).
- ALSA: usb-audio: scarlett2: Fix device hang with ehci-pci (git-fixes).
- ALSA: usb-audio: scarlett2: Improve driver startup messages (git-fixes).
- ALSA: usb-audio: scarlett2: snd_scarlett_gen2_controls_create() can be static (git-fixes).
- ARM64: vdso32: Install vdso32 from vdso_install (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet (git-fixes).
- ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF (git-fixes).
- ASoC: cs35l33: fix an error code in probe() (git-fixes).
- ASoC: cs42l42: Regmap must use_single_read/write (git-fixes).
- ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() (git-fixes).
- ASoC: rsnd: core: Check convert rate in rsnd_hw_params (git-fixes).
- ASoC: rt286: Generalize support for ALC3263 codec (git-fixes).
- ASoC: rt286: Make RT286_SET_GPIO_* readable and writable (git-fixes).
- Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS (git-fixes).
- Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes).
- Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default (git-fixes).
- Bluetooth: check for zapped sk before connecting (git-fixes).
- Bluetooth: initialize skb_queue_head at l2cap_chan_create() (git-fixes).
- Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2 VM (git-fixes).
- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725).
- Drivers: hv: vmbus: Use after free in __vmbus_open() (git-fixes).
- Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices (git-fixes).
- Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state (git-fixes).
- KVM: s390: fix guarded storage control register handling (bsc#1133021).
- Move upstreamed media fixes into sorted section
- NFC: nci: fix memory leak in nci_allocate_device (git-fixes).
- PCI/RCEC: Fix RCiEP device to RCEC association (git-fixes).
- PCI: Allow VPD access for QLogic ISP2722 (git-fixes).
- PCI: PM: Do not read power state in pci_enable_device_flags() (git-fixes).
- PCI: Release OF node in pci_scan_device()'s error path (git-fixes).
- PCI: endpoint: Fix missing destroy_workqueue() (git-fixes).
- PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() (git-fixes).
- PCI: thunder: Fix compile testing (git-fixes).
- PM / devfreq: Use more accurate returned new_freq as resume_freq (git-fixes).
- RDMA/addr: create addr_wq with WQ_MEM_RECLAIM flag (bsc#1183346).
- RDMA/core: create ib_cm with WQ_MEM_RECLAIM flag (bsc#1183346).
- RDMA/hns: Delete redundant abnormal interrupt status (git-fixes).
- RDMA/hns: Delete redundant condition judgment related to eq (git-fixes).
- RDMA/qedr: Fix error return code in qedr_iw_connect() (jsc#SLE-8215).
- RDMA/srpt: Fix error return code in srpt_cm_req_recv() (git-fixes).
- Revert "arm64: vdso: Fix compilation with clang older than 8" (git-fixes).
- Revert "gdrom: fix a memory leak bug" (git-fixes).
- Revert "i3c master: fix missing destroy_workqueue() on error in i3c_master_register" (git-fixes).
- Revert "leds: lp5523: fix a missing check of return value of lp55xx_read" (git-fixes).
- Revert 337f13046ff0 ("futex: Allow FUTEX_CLOCK_REALTIME with FUTEX_WAIT op") (git-fixes).
- SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428).
- SUNRPC: More fixes for backlog congestion (bsc#1185428).
- USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet (git-fixes).
- USB: Add reset-resume quirk for WD19's Realtek Hub (git-fixes).
- USB: serial: pl2303: add support for PL2303HXN (bsc#1186320).
- USB: serial: pl2303: fix line-speed handling on newer chips (bsc#1186320).
- USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check (git-fixes).
- USB: trancevibrator: fix control-request direction (git-fixes).
- amdgpu: avoid incorrect %hu format string (git-fixes).
- arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory (git-fixes).
- arm64: Add missing ISB after invalidating TLB in __primary_switch (git-fixes).
- arm64: avoid -Woverride-init warning (git-fixes).
- arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL (git-fixes).
- arm64: kdump: update ppos when reading elfcorehdr (git-fixes).
- arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails (git-fixes).
- arm64: link with -z norelro for LLD or aarch64-elf (git-fixes).
- arm64: link with -z norelro regardless of CONFIG_RELOCATABLE (git-fixes).
- arm64: ptrace: Fix seccomp of traced syscall -1 (NO_SYSCALL) (git-fixes).
- arm64: ptrace: Use NO_SYSCALL instead of -1 in syscall_trace_enter() (git-fixes).
- arm64: vdso32: make vdso32 install conditional (git-fixes).
- arm: mm: use __pfn_to_section() to get mem_section (git-fixes).
- ata: ahci: Disable SXS for Hisilicon Kunpeng920 (git-fixes).
- blk-iocost: ioc_pd_free() shouldn't assume irq disabled (git-fixes).
- blk-mq: Swap two calls in blk_mq_exit_queue() (git-fixes).
- block/genhd: use atomic_t for disk_event->block (bsc#1185497).
- block: Fix three kernel-doc warnings (git-fixes).
- block: fix get_max_io_size() (git-fixes).
- bnxt_en: Fix RX consumer index logic in the error path (git-fixes).
- bnxt_en: fix ternary sign extension bug in bnxt_show_temp() (git-fixes).
- bpf: Fix leakage of uninitialized bpf stack under speculation (bsc#1155518).
- bpf: Fix masking negation logic upon negative dst register (bsc#1155518).
- btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441).
- btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439).
- cdc-wdm: untangle a circular dependency between callback and softint (git-fixes).
- cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom (git-fixes).
- cdrom: gdrom: initialize global variable at init time (git-fixes).
- ceph: do not clobber i_snap_caps on non-I_NEW inode (bsc#1186501).
- ceph: fix inode leak on getattr error in __fh_to_dentry (bsc#1186501).
- ceph: fix up error handling with snapdirs (bsc#1186501).
- ceph: only check pool permissions for regular files (bsc#1186501).
- cfg80211: scan: drop entry from hidden_list on overflow (git-fixes).
- clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return (git-fixes).
- cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758).
- crypto: api - check for ERR pointers in crypto_destroy_tfm() (git-fixes).
- crypto: mips/poly1305 - enable for all MIPS processors (git-fixes).
- crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (git-fixes).
- crypto: qat - Fix a double free in adf_create_ring (git-fixes).
- crypto: qat - do not release uninitialized resources (git-fixes).
- crypto: qat - fix error path in adf_isr_resource_alloc() (git-fixes).
- crypto: qat - fix unmap invalid dma address (git-fixes).
- crypto: stm32/cryp - Fix PM reference leak on stm32-cryp.c (git-fixes).
- crypto: stm32/hash - Fix PM reference leak on stm32-hash.c (git-fixes).
- cxgb4: Fix unintentional sign extension issues (git-fixes).
- dm: avoid filesystem lookup in dm_get_dev_t() (git-fixes).
- dmaengine: dw-edma: Fix crash on loading/unloading driver (git-fixes).
- docs: kernel-parameters: Add gpio_mockup_named_lines (git-fixes).
- docs: kernel-parameters: Move gpio-mockup for alphabetic order (git-fixes).
- drivers: hv: Fix whitespace errors (bsc#1185725).
- drm/amd/display: Fix UBSAN warning for not a valid value for type '_Bool' (git-fixes).
- drm/amd/display: Fix two cursor duplication when using overlay (git-fixes).
- drm/amd/display: Force vsync flip when reconfiguring MPCC (git-fixes).
- drm/amd/display: Reject non-zero src_y and src_x for video planes (git-fixes).
- drm/amd/display: fix dml prefetch validation (git-fixes).
- drm/amd/display: fixed divide by zero kernel crash during dsc enablement (git-fixes).
- drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f (git-fixes).
- drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang (git-fixes).
- drm/amdgpu: fix NULL pointer dereference (git-fixes).
- drm/amdgpu: mask the xgmi number of hops reported from psp to kfd (git-fixes).
- drm/amdkfd: Fix cat debugfs hang_hws file causes system crash bug (git-fixes).
- drm/i915: Avoid div-by-zero on gen2 (git-fixes).
- drm/meson: fix shutdown crash when component not probed (git-fixes).
- drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal (git-fixes).
- drm/msm/mdp5: Do not multiply vclk line count by 100 (git-fixes).
- drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected (git-fixes).
- drm/radeon: Avoid power table parsing memory leaks (git-fixes).
- drm/radeon: Fix off-by-one power_state index heap overwrite (git-fixes).
- drm/vkms: fix misuse of WARN_ON (git-fixes).
- drm: Added orientation quirk for OneGX1 Pro (git-fixes).
- ethernet:enic: Fix a use after free bug in enic_hard_start_xmit (git-fixes).
- extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged (git-fixes).
- extcon: arizona: Fix various races on driver unbind (git-fixes).
- fbdev: zero-fill colormap in fbcmap.c (git-fixes).
- firmware: arm_scpi: Prevent the ternary sign expansion bug (git-fixes).
- fs/epoll: restore waking from ep_done_scan() (bsc#1183868).
- ftrace: Handle commands when closing set_ftrace_filter file (git-fixes).
- futex: Change utime parameter to be 'const ... *' (git-fixes).
- futex: Do not apply time namespace adjustment on FUTEX_LOCK_PI (bsc#1164648).
- futex: Get rid of the val2 conditional dance (git-fixes).
- futex: Make syscall entry points less convoluted (git-fixes).
- genirq/irqdomain: Do not try to free an interrupt that has no (git-fixes)
- genirq: Disable interrupts for force threaded handlers (git-fixes)
- genirq: Reduce irqdebug cacheline bouncing (bsc#1185703 ltc#192641).
- gpio: xilinx: Correct kernel doc for xgpio_probe() (git-fixes).
- gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 (git-fixes).
- hrtimer: Update softirq_expires_next correctly after (git-fixes)
- hwmon: (occ) Fix poll rate limiting (git-fixes).
- i2c: Add I2C_AQ_NO_REP_START adapter quirk (git-fixes).
- i2c: bail out early when RDWR parameters are wrong (git-fixes).
- i2c: i801: Do not generate an interrupt on bus reset (git-fixes).
- i2c: s3c2410: fix possible NULL pointer deref on read message after write (git-fixes).
- i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E (git-fixes).
- i40e: Fix PHY type identifiers for 2.5G and 5G adapters (git-fixes).
- i40e: Fix use-after-free in i40e_client_subtask() (git-fixes).
- i40e: fix broken XDP support (git-fixes).
- i40e: fix the restart auto-negotiation after FEC modified (git-fixes).
- ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043).
- ibmvfc: Handle move login failure (bsc#1185938 ltc#192043).
- ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).
- ibmvnic: remove default label from to_string switch (bsc#1152457 ltc#174432 git-fixes).
- ics932s401: fix broken handling of errors when word reading fails (git-fixes).
- iio: adc: ad7124: Fix missbalanced regulator enable / disable on error (git-fixes).
- iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers (git-fixes).
- iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp() (git-fixes).
- iio: adc: ad7793: Add missing error code in ad7793_setup() (git-fixes).
- iio: gyro: fxas21002c: balance runtime power in error path (git-fixes).
- iio: gyro: mpu3050: Fix reported temperature value (git-fixes).
- iio: proximity: pulsedlight: Fix rumtime PM imbalance on error (git-fixes).
- iio: tsl2583: Fix division by a zero lux_val (git-fixes).
- intel_th: Consistency and off-by-one fix (git-fixes).
- iommu/amd: Add support for map/unmap_resource (jsc#ECO-3482).
- ipc/mqueue, msg, sem: Avoid relying on a stack reference past its expiry (bsc#1185988).
- ipmi/watchdog: Stop watchdog timer when the current action is 'none' (bsc#1184855).
- kernel-docs.spec.in: Build using an utf-8 locale. Sphinx cannot handle UTF-8 input in non-UTF-8 locale.
- leds: lp5523: check return value of lp5xx_read and jump to cleanup code (git-fixes).
- lpfc: Decouple port_template and vport_template (bsc#185032).
- mac80211: clear the beacon's CRC after channel switch (git-fixes).
- md-cluster: fix use-after-free issue when removing rdev (bsc#1184082).
- md/raid1: properly indicate failure when ending a failed write request (bsc#1185680).
- md: do not flush workqueue unconditionally in md_open (bsc#1184081).
- md: factor out a mddev_find_locked helper from mddev_find (bsc#1184081).
- md: md_open returns -EBUSY when entering racing area (bsc#1184081).
- md: split mddev_find (bsc#1184081).
- media: adv7604: fix possible use-after-free in adv76xx_remove() (git-fixes).
- media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB (git-fixes).
- media: dvb-usb: fix memory leak in dvb_usb_adapter_init (git-fixes).
- media: em28xx: fix memory leak (git-fixes).
- media: gspca/sq905.c: fix uninitialized variable (git-fixes).
- media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() (git-fixes).
- media: i2c: adv7842: fix possible use-after-free in adv7842_remove() (git-fixes).
- media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove() (git-fixes).
- media: imx: capture: Return -EPIPE from __capture_legacy_try_fmt() (git-fixes).
- media: ite-cir: check for receive overflow (git-fixes).
- media: media/saa7164: fix saa7164_encoder_register() memory leak bugs (git-fixes).
- media: platform: sti: Fix runtime PM imbalance in regs_show (git-fixes).
- media: tc358743: fix possible use-after-free in tc358743_remove() (git-fixes).
- mfd: arizona: Fix rumtime PM imbalance on error (git-fixes).
- misc/uss720: fix memory leak in uss720_probe (git-fixes).
- mlxsw: spectrum_mr: Update egress RIF list before route's action (git-fixes).
- mm: memcontrol: fix cpuhotplug statistics flushing (bsc#1185606).
- mmc: block: Update ext_csd.cache_ctrl if it was written (git-fixes).
- mmc: core: Do a power cycle when the CMD11 fails (git-fixes).
- mmc: core: Set read only for SD cards with permanent write protect bit (git-fixes).
- mmc: sdhci-pci-gli: increase 1.8V regulator wait (git-fixes).
- mmc: sdhci-pci: Add PCI IDs for Intel LKF (git-fixes).
- mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers (git-fixes).
- mmc: sdhci: Check for reset prior to DMA address unmap (git-fixes).
- net, xdp: Update pkt_type if generic XDP changes unicast MAC (git-fixes).
- net: enetc: fix link error again (git-fixes).
- net: hns3: Fix for geneve tx checksum bug (git-fixes).
- net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() (git-fixes).
- net: hns3: clear unnecessary reset request in hclge_reset_rebuild (git-fixes).
- net: hns3: disable phy loopback setting in hclge_mac_start_phy (git-fixes).
- net: hns3: fix for vxlan gpe tx checksum bug (git-fixes).
- net: hns3: fix incorrect configuration for igu_egu_hw_err (git-fixes).
- net: hns3: initialize the message content in hclge_get_link_mode() (git-fixes).
- net: hns3: use netif_tx_disable to stop the transmit queue (git-fixes).
- net: thunderx: Fix unintentional sign extension issue (git-fixes).
- net: usb: fix memory leak in smsc75xx_bind (git-fixes).
- netdevice: Add missing IFF_PHONY_HEADROOM self-definition (git-fixes).
- netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950).
- netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950).
- netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950).
- nvme-core: add cancel tagset helpers (bsc#1183976).
- nvme-fabrics: decode host pathing error for connect (bsc#1179827).
- nvme-fc: check sgl supported by target (bsc#1179827).
- nvme-fc: clear q_live at beginning of association teardown (bsc#1186479).
- nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted (bsc#1184259).
- nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange() (bsc#1184259).
- nvme-fc: short-circuit reconnect retries (bsc#1179827).
- nvme-multipath: fix double initialization of ANA state (bsc#1178612, bsc#1184259).
- nvme-multipath: reset bdev to ns head when failover (bsc#178378 bsc#1182999).
- nvme-pci: Remove tag from process cq (git-fixes).
- nvme-pci: Remove two-pass completions (git-fixes).
- nvme-pci: Simplify nvme_poll_irqdisable (git-fixes).
- nvme-pci: align io queue count with allocted nvme_queue in (git-fixes).
- nvme-pci: avoid race between nvme_reap_pending_cqes() and nvme_poll() (git-fixes).
- nvme-pci: dma read memory barrier for completions (git-fixes).
- nvme-pci: fix "slimmer CQ head update" (git-fixes).
- nvme-pci: make sure write/poll_queues less or equal then cpu (git-fixes).
- nvme-pci: remove last_sq_tail (git-fixes).
- nvme-pci: remove volatile cqes (git-fixes).
- nvme-pci: slimmer CQ head update (git-fixes).
- nvme-pci: use simple suspend when a HMB is enabled (git-fixes).
- nvme-tcp: Fix possible race of io_work and direct send (git-fixes).
- nvme-tcp: Fix warning with CONFIG_DEBUG_PREEMPT (git-fixes).
- nvme-tcp: add clean action for failed reconnection (bsc#1183976).
- nvme-tcp: fix kconfig dependency warning when !CRYPTO (git-fixes).
- nvme-tcp: fix misuse of __smp_processor_id with preemption (git-fixes).
- nvme-tcp: fix possible hang waiting for icresp response (bsc#1179519).
- nvme-tcp: use cancel tagset helper for tear down (bsc#1183976).
- nvme: Fix NULL dereference for pci nvme controllers (bsc#1182378).
- nvme: add 'kato' sysfs attribute (bsc#1179825).
- nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() (bsc#1184259).
- nvme: define constants for identification values (git-fixes).
- nvme: do not intialize hwmon for discovery controllers (bsc#1184259).
- nvme: do not intialize hwmon for discovery controllers (git-fixes).
- nvme: document nvme controller states (git-fixes).
- nvme: explicitly update mpath disk capacity on revalidation (git-fixes).
- nvme: expose reconnect_delay and ctrl_loss_tmo via sysfs (bsc#1182378).
- nvme: fix controller instance leak (git-fixes).
- nvme: fix deadlock in disconnect during scan_work and/or ana_work (git-fixes).
- nvme: fix possible deadlock when I/O is blocked (git-fixes).
- nvme: remove superfluous else in nvme_ctrl_loss_tmo_store (bsc#1182378).
- nvme: retrigger ANA log update if group descriptor isn't found (git-fixes)
- nvme: sanitize KATO setting (bsc#1179825).
- nvme: simplify error logic in nvme_validate_ns() (bsc#1184259).
- nvmet: fix a memory leak (git-fixes).
- nvmet: seset ns->file when open fails (bsc#1183873).
- nvmet: use new ana_log_size instead the old one (bsc#1184259).
- nxp-i2c: restore includes for kABI (bsc#1185589).
- nxp-nci: add NXP1002 id (bsc#1185589).
- phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() (git-fixes).
- pinctrl: ingenic: Improve unreachable code generation (git-fixes).
- pinctrl: samsung: use 'int' for register masks in Exynos (git-fixes).
- platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue (git-fixes).
- platform/x86: intel_pmc_core: Do not use global pmcdev in quirks (git-fixes).
- platform/x86: thinkpad_acpi: Correct thermal sensor allocation (git-fixes).
- posix-timers: Preserve return value in clock_adjtime32() (git-fixes)
- power: supply: Use IRQF_ONESHOT (git-fixes).
- power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() (git-fixes).
- power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() (git-fixes).
- powerpc/64s: Fix crashes when toggling entry flush barrier (bsc#1177666 git-fixes).
- powerpc/64s: Fix crashes when toggling stf barrier (bsc#1087082 git-fixes).
- qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth (git-fixes).
- rtc: pcf2127: handle timestamp interrupts (bsc#1185495).
- s390/dasd: fix hanging DASD driver unbind (bsc#1183932 LTC#192153).
- s390/entry: save the caller of psw_idle (bsc#1185677).
- s390/kdump: fix out-of-memory with PCI (bsc#1182257 LTC#191375).
- sched/eas: Do not update misfit status if the task is pinned (git-fixes)
- sched/fair: Avoid stale CPU util_est value for schedutil in (git-fixes)
- sched/fair: Fix unfairness caused by missing load decay (git-fixes)
- scripts/git_sort/git_sort.py: add bpf git repo
- scsi: core: Run queue in case of I/O resource contention failure (bsc#1186416).
- scsi: fnic: Kill 'exclude_id' argument to fnic_cleanup_io() (bsc#1179851).
- scsi: libfc: Avoid invoking response handler twice if ep is already completed (bsc#1186573).
- scsi: lpfc: Add a option to enable interlocked ABTS before job completion (bsc#1186451).
- scsi: lpfc: Add ndlp kref accounting for resume RPI path (bsc#1186451).
- scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology (bsc#1186451).
- scsi: lpfc: Fix Node recovery when driver is handling simultaneous PLOGIs (bsc#1186451).
- scsi: lpfc: Fix bad memory access during VPD DUMP mailbox command (bsc#1186451).
- scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs (bsc#1186451).
- scsi: lpfc: Fix node handling for Fabric Controller and Domain Controller (bsc#1186451).
- scsi: lpfc: Fix non-optimized ERSP handling (bsc#1186451).
- scsi: lpfc: Fix unreleased RPIs when NPIV ports are created (bsc#1186451).
- scsi: lpfc: Ignore GID-FT response that may be received after a link flip (bsc#1186451).
- scsi: lpfc: Reregister FPIN types if ELS_RDF is received from fabric controller (bsc#1186451).
- scsi: lpfc: Update lpfc version to 12.8.0.10 (bsc#1186451).
- sctp: delay auto_asconf init until binding the first addr (<cover.1620748346.git.mkubecek at suse.cz>).
- serial: core: fix suspicious security_locked_down() call (git-fixes).
- serial: core: return early on unsupported ioctls (git-fixes).
- serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (git-fixes).
- serial: stm32: fix incorrect characters on console (git-fixes).
- serial: stm32: fix tx_empty condition (git-fixes).
- serial: tegra: Fix a mask operation that is always true (git-fixes).
- smc: disallow TCP_ULP in smc_setsockopt() (git-fixes).
- spi: ath79: always call chipselect function (git-fixes).
- spi: ath79: remove spi-master setup and cleanup assignment (git-fixes).
- spi: dln2: Fix reference leak to master (git-fixes).
- spi: omap-100k: Fix reference leak to master (git-fixes).
- spi: qup: fix PM reference leak in spi_qup_remove() (git-fixes).
- spi: spi-fsl-dspi: Fix a resource leak in an error handling path (git-fixes).
- staging: emxx_udc: fix loop in _nbu2ss_nuke() (git-fixes).
- staging: iio: cdc: ad7746: avoid overwrite of num_channels (git-fixes).
- tcp: fix to update snd_wl1 in bulk receiver fast path (<cover.1620748346.git.mkubecek at suse.cz>).
- thermal/drivers/ti-soc-thermal/bandgap Remove unused variable 'val' (git-fixes).
- thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (git-fixes).
- tracing: Map all PIDs to command lines (git-fixes).
- tty: amiserial: fix TIOCSSERIAL permission check (git-fixes).
- tty: fix memory leak in vc_deallocate (git-fixes).
- tty: moxa: fix TIOCSSERIAL jiffies conversions (git-fixes).
- tty: moxa: fix TIOCSSERIAL permission check (git-fixes).
- uio: uio_hv_generic: use devm_kzalloc() for private data alloc (git-fixes).
- uio_hv_generic: Fix a memory leak in error handling paths (git-fixes).
- uio_hv_generic: Fix another memory leak in error handling paths (git-fixes).
- uio_hv_generic: add missed sysfs_remove_bin_file (git-fixes).
- usb: core: hub: Fix PM reference leak in usb_port_resume() (git-fixes).
- usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes).
- usb: dwc2: Fix gadget DMA unmap direction (git-fixes).
- usb: dwc3: gadget: Enable suspend events (git-fixes).
- usb: dwc3: gadget: Return success always for kick transfer in ep queue (git-fixes).
- usb: dwc3: omap: improve extcon initialization (git-fixes).
- usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield (git-fixes).
- usb: fotg210-hcd: Fix an error message (git-fixes).
- usb: gadget/function/f_fs string table fix for multiple languages (git-fixes).
- usb: gadget: dummy_hcd: fix gpf in gadget_setup (git-fixes).
- usb: gadget: f_uac1: validate input parameters (git-fixes).
- usb: gadget: f_uac2: validate input parameters (git-fixes).
- usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() (git-fixes).
- usb: gadget: uvc: add bInterval checking for HS mode (git-fixes).
- usb: musb: fix PM reference leak in musb_irq_work() (git-fixes).
- usb: sl811-hcd: improve misleading indentation (git-fixes).
- usb: webcam: Invalid size of Processing Unit Descriptor (git-fixes).
- usb: xhci: Fix port minor revision (git-fixes).
- usb: xhci: Increase timeout for HC halt (git-fixes).
- vgacon: Record video mode changes with VT_RESIZEX (git-fixes).
- video: hyperv_fb: Add ratelimit on error message (bsc#1185725).
- vrf: fix a comment about loopback device (git-fixes).
- watchdog/softlockup: Remove obsolete check of last reported task (bsc#1185982).
- watchdog/softlockup: report the overall time of softlockups (bsc#1185982).
- watchdog: explicitly update timestamp when reporting softlockup (bsc#1185982).
- watchdog: rename __touch_watchdog() to a better descriptive name (bsc#1185982).
- whitespace cleanup
- wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join (git-fixes).
- wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt (git-fixes).
- workqueue: Minor follow-ups to the rescuer destruction change (bsc#1185911).
- workqueue: more destroy_workqueue() fixes (bsc#1185911).
- x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is supported (bsc#1152489).
- xhci: Do not use GFP_KERNEL in (potentially) atomic context (git-fixes).
- xhci: check control context is valid before dereferencing it (git-fixes).
- xhci: fix potential array out of bounds with several interrupters (git-fixes).
- xsk: Respect device's headroom and tailroom on generic xmit path (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.0:
    zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1890=1
- SUSE Linux Enterprise Workstation Extension 15-SP2:
    zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-1890=1
- SUSE Linux Enterprise Module for Live Patching 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-1890=1
- SUSE Linux Enterprise Module for Legacy Software 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2021-1890=1
- SUSE Linux Enterprise Module for Development Tools 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-1890=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1890=1
- SUSE Linux Enterprise High Availability 15-SP2:
    zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2021-1890=1

Package List:

- SUSE MicroOS 5.0 (aarch64 x86_64):
    kernel-default-5.3.18-24.67.3
    kernel-default-base-5.3.18-24.67.3.9.30.2
    kernel-default-debuginfo-5.3.18-24.67.3
    kernel-default-debugsource-5.3.18-24.67.3
- SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):
    kernel-default-debuginfo-5.3.18-24.67.3
    kernel-default-debugsource-5.3.18-24.67.3
    kernel-default-extra-5.3.18-24.67.3
    kernel-default-extra-debuginfo-5.3.18-24.67.3
    kernel-preempt-extra-5.3.18-24.67.4
    kernel-preempt-extra-debuginfo-5.3.18-24.67.4
- SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64):
    kernel-default-debuginfo-5.3.18-24.67.3
    kernel-default-debugsource-5.3.18-24.67.3
    kernel-default-livepatch-5.3.18-24.67.3
    kernel-default-livepatch-devel-5.3.18-24.67.3
    kernel-livepatch-5_3_18-24_67-default-1-5.3.2
    kernel-livepatch-5_3_18-24_67-default-debuginfo-1-5.3.2
    kernel-livepatch-SLE15-SP2_Update_14-debugsource-1-5.3.2
- SUSE Linux Enterprise Module for Legacy Software 15-SP2 (aarch64 ppc64le s390x x86_64):
    kernel-default-debuginfo-5.3.18-24.67.3
    kernel-default-debugsource-5.3.18-24.67.3
    reiserfs-kmp-default-5.3.18-24.67.3
    reiserfs-kmp-default-debuginfo-5.3.18-24.67.3
- SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):
    kernel-obs-build-5.3.18-24.67.2
    kernel-obs-build-debugsource-5.3.18-24.67.2
    kernel-syms-5.3.18-24.67.1
- SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64):
    kernel-preempt-debuginfo-5.3.18-24.67.4
    kernel-preempt-debugsource-5.3.18-24.67.4
    kernel-preempt-devel-5.3.18-24.67.4
    kernel-preempt-devel-debuginfo-5.3.18-24.67.4
- SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch):
    kernel-docs-5.3.18-24.67.3
    kernel-source-5.3.18-24.67.2
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
    kernel-default-5.3.18-24.67.3
    kernel-default-base-5.3.18-24.67.3.9.30.2
    kernel-default-debuginfo-5.3.18-24.67.3
    kernel-default-debugsource-5.3.18-24.67.3
    kernel-default-devel-5.3.18-24.67.3
    kernel-default-devel-debuginfo-5.3.18-24.67.3
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 x86_64):
    kernel-preempt-5.3.18-24.67.4
    kernel-preempt-debuginfo-5.3.18-24.67.4
    kernel-preempt-debugsource-5.3.18-24.67.4
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
    kernel-devel-5.3.18-24.67.2
    kernel-macros-5.3.18-24.67.2
- SUSE Linux Enterprise High Availability 15-SP2 (aarch64 ppc64le s390x x86_64):
    cluster-md-kmp-default-5.3.18-24.67.3
    cluster-md-kmp-default-debuginfo-5.3.18-24.67.3
    dlm-kmp-default-5.3.18-24.67.3
    dlm-kmp-default-debuginfo-5.3.18-24.67.3
    gfs2-kmp-default-5.3.18-24.67.3
    gfs2-kmp-default-debuginfo-5.3.18-24.67.3
    kernel-default-debuginfo-5.3.18-24.67.3
    kernel-default-debugsource-5.3.18-24.67.3
    ocfs2-kmp-default-5.3.18-24.67.3
    ocfs2-kmp-default-debuginfo-5.3.18-24.67.3

References:

    https://www.suse.com/security/cve/CVE-2020-24586.html
    https://www.suse.com/security/cve/CVE-2020-24587.html
    https://www.suse.com/security/cve/CVE-2020-24588.html
    https://www.suse.com/security/cve/CVE-2020-26139.html
    https://www.suse.com/security/cve/CVE-2020-26141.html
    https://www.suse.com/security/cve/CVE-2020-26145.html
    https://www.suse.com/security/cve/CVE-2020-26147.html
    https://www.suse.com/security/cve/CVE-2021-23134.html
    https://www.suse.com/security/cve/CVE-2021-32399.html
    https://www.suse.com/security/cve/CVE-2021-33034.html
    https://www.suse.com/security/cve/CVE-2021-33200.html
    https://www.suse.com/security/cve/CVE-2021-3491.html
    https://bugzilla.suse.com/1087082
    https://bugzilla.suse.com/1133021
    https://bugzilla.suse.com/1152457
    https://bugzilla.suse.com/1152489
    https://bugzilla.suse.com/1155518
    https://bugzilla.suse.com/1156395
    https://bugzilla.suse.com/1164648
    https://bugzilla.suse.com/1177666
    https://bugzilla.suse.com/1178378
    https://bugzilla.suse.com/1178418
    https://bugzilla.suse.com/1178612
    https://bugzilla.suse.com/1179519
    https://bugzilla.suse.com/1179825
    https://bugzilla.suse.com/1179827
    https://bugzilla.suse.com/1179851
    https://bugzilla.suse.com/1182257
    https://bugzilla.suse.com/1182378
    https://bugzilla.suse.com/1182999
    https://bugzilla.suse.com/1183346
    https://bugzilla.suse.com/1183868
    https://bugzilla.suse.com/1183873
    https://bugzilla.suse.com/1183932
    https://bugzilla.suse.com/1183947
    https://bugzilla.suse.com/1183976
    https://bugzilla.suse.com/1184081
    https://bugzilla.suse.com/1184082
    https://bugzilla.suse.com/1184259
    https://bugzilla.suse.com/1184611
    https://bugzilla.suse.com/1184855
    https://bugzilla.suse.com/1185428
    https://bugzilla.suse.com/1185495
    https://bugzilla.suse.com/1185497
    https://bugzilla.suse.com/1185589
    https://bugzilla.suse.com/1185606
    https://bugzilla.suse.com/1185642
    https://bugzilla.suse.com/1185645
    https://bugzilla.suse.com/1185677
    https://bugzilla.suse.com/1185680
    https://bugzilla.suse.com/1185703
    https://bugzilla.suse.com/1185725
    https://bugzilla.suse.com/1185758
    https://bugzilla.suse.com/1185859
    https://bugzilla.suse.com/1185860
    https://bugzilla.suse.com/1185861
    https://bugzilla.suse.com/1185862
    https://bugzilla.suse.com/1185863
    https://bugzilla.suse.com/1185898
    https://bugzilla.suse.com/1185899
    https://bugzilla.suse.com/1185911
    https://bugzilla.suse.com/1185938
    https://bugzilla.suse.com/1185950
    https://bugzilla.suse.com/1185982
    https://bugzilla.suse.com/1185987
    https://bugzilla.suse.com/1185988
    https://bugzilla.suse.com/1186060
    https://bugzilla.suse.com/1186061
    https://bugzilla.suse.com/1186062
    https://bugzilla.suse.com/1186111
    https://bugzilla.suse.com/1186285
    https://bugzilla.suse.com/1186320
    https://bugzilla.suse.com/1186390
    https://bugzilla.suse.com/1186416
    https://bugzilla.suse.com/1186439
    https://bugzilla.suse.com/1186441
    https://bugzilla.suse.com/1186451
    https://bugzilla.suse.com/1186460
    https://bugzilla.suse.com/1186479
    https://bugzilla.suse.com/1186484
    https://bugzilla.suse.com/1186498
    https://bugzilla.suse.com/1186501
    https://bugzilla.suse.com/1186573
    https://bugzilla.suse.com/1186681

From sle-security-updates at lists.suse.com Tue Jun 8 16:35:00 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 8 Jun 2021 18:35:00 +0200 (CEST)
Subject: SUSE-SU-2021:1884-1: important: Security update for MozillaFirefox
Message-ID: <20210608163500.D763FFD07@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________
Announcement ID:    SUSE-SU-2021:1884-1
Rating:             important
References:         #1185633 #1186696
Cross-References:   CVE-2021-29951 CVE-2021-29964 CVE-2021-29967
CVSS scores:
    CVE-2021-29951 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Affected Products:
    SUSE Linux Enterprise Module for Desktop Applications 15-SP3
    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for MozillaFirefox fixes the following issues:

Firefox Extended Support Release 78.11.0 ESR (bsc#1186696)

* CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29967: Memory safety bugs fixed in Firefox

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-1884=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1884=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
    MozillaFirefox-78.11.0-8.43.1
    MozillaFirefox-debuginfo-78.11.0-8.43.1
    MozillaFirefox-debugsource-78.11.0-8.43.1
    MozillaFirefox-translations-common-78.11.0-8.43.1
    MozillaFirefox-translations-other-78.11.0-8.43.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le x86_64):
    MozillaFirefox-devel-78.11.0-8.43.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
    MozillaFirefox-78.11.0-8.43.1
    MozillaFirefox-debuginfo-78.11.0-8.43.1
    MozillaFirefox-debugsource-78.11.0-8.43.1
    MozillaFirefox-devel-78.11.0-8.43.1
    MozillaFirefox-translations-common-78.11.0-8.43.1
    MozillaFirefox-translations-other-78.11.0-8.43.1

References:

    https://www.suse.com/security/cve/CVE-2021-29951.html
    https://www.suse.com/security/cve/CVE-2021-29964.html
    https://www.suse.com/security/cve/CVE-2021-29967.html
    https://bugzilla.suse.com/1185633
    https://bugzilla.suse.com/1186696

From sle-security-updates at lists.suse.com Tue Jun 8 16:36:28 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 8 Jun 2021 18:36:28 +0200 (CEST)
Subject: SUSE-SU-2021:1893-1: important: Security update for qemu
Message-ID: <20210608163628.B8F84FD07@maintenance.suse.de>

SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1893-1
Rating:             important
References:         #1149813 #1163019 #1172380 #1175534 #1176681 #1178683
                    #1178935 #1179477 #1179484 #1182846 #1182975 #1183979
                    #1186290 SLE-17785
Cross-References:   CVE-2019-15890 CVE-2020-10756 CVE-2020-14364 CVE-2020-25085
                    CVE-2020-25707 CVE-2020-25723 CVE-2020-29129 CVE-2020-29130
                    CVE-2020-8608 CVE-2021-20257 CVE-2021-3419
CVSS scores:
    CVE-2019-15890 (SUSE): 5.8 CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
    CVE-2020-10756 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
    CVE-2020-10756 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
    CVE-2020-14364 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
    CVE-2020-14364 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
    CVE-2020-25085 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
    CVE-2020-25085 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
    CVE-2020-25707 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
    CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
    CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
    CVE-2020-29129 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    CVE-2020-29129 (SUSE): 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
    CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    CVE-2020-8608 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
    CVE-2020-8608 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H
    CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
    CVE-2021-3419 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products:
    SUSE MicroOS 5.0
    SUSE Linux Enterprise Module for Server Applications 15-SP2
    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that solves 11 vulnerabilities, contains one feature and has two fixes is now available.

Description:

This update for qemu fixes the following issues:

- CVE-2020-25085: Fix out-of-bounds access issue while doing multi block SDMA (bsc#1176681)
- CVE-2020-10756: Fix out-of-bounds read information disclosure in icmp6_send_echoreply (bsc#1172380)
- Fix issue where s390 guest fails to find zipl boot menu index (bsc#1183979)
- QEMU BIOS fails to read stage2 loader on s390x (bsc#1186290)
- Host CPU microcode revision will be visible inside VMs when the proper CPU-model is used (jsc#SLE-17785):
- For the record, these issues are fixed in this package already. Most are alternate references to previously mentioned issues: (CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019, CVE-2020-14364, bsc#1175534, CVE-2020-25707, bsc#1178683, CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477, CVE-2020-29129, bsc#1179484, CVE-2021-20257, bsc#1182846, CVE-2021-3419, bsc#1182975)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.0:
    zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1893=1
- SUSE Linux Enterprise Module for Server Applications 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-1893=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1893=1

Package List:

- SUSE MicroOS 5.0 (aarch64 x86_64):
    qemu-4.2.1-11.19.2
    qemu-debuginfo-4.2.1-11.19.2
    qemu-debugsource-4.2.1-11.19.2
    qemu-tools-4.2.1-11.19.2
    qemu-tools-debuginfo-4.2.1-11.19.2
- SUSE MicroOS 5.0 (aarch64):
    qemu-arm-4.2.1-11.19.2
    qemu-arm-debuginfo-4.2.1-11.19.2
- SUSE MicroOS 5.0 (x86_64):
    qemu-x86-4.2.1-11.19.2
    qemu-x86-debuginfo-4.2.1-11.19.2
- SUSE MicroOS 5.0 (noarch):
    qemu-ipxe-1.0.0+-11.19.2
    qemu-seabios-1.12.1+-11.19.2
    qemu-sgabios-8-11.19.2
    qemu-vgabios-1.12.1+-11.19.2
- SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
    qemu-4.2.1-11.19.2
    qemu-block-curl-4.2.1-11.19.2
    qemu-block-curl-debuginfo-4.2.1-11.19.2
    qemu-block-iscsi-4.2.1-11.19.2
    qemu-block-iscsi-debuginfo-4.2.1-11.19.2
    qemu-block-rbd-4.2.1-11.19.2
    qemu-block-rbd-debuginfo-4.2.1-11.19.2
    qemu-block-ssh-4.2.1-11.19.2
    qemu-block-ssh-debuginfo-4.2.1-11.19.2
    qemu-debuginfo-4.2.1-11.19.2
    qemu-debugsource-4.2.1-11.19.2
    qemu-guest-agent-4.2.1-11.19.2
    qemu-guest-agent-debuginfo-4.2.1-11.19.2
    qemu-lang-4.2.1-11.19.2
    qemu-ui-spice-app-4.2.1-11.19.2
    qemu-ui-spice-app-debuginfo-4.2.1-11.19.2
- SUSE Linux Enterprise Module for Server Applications 15-SP2 (s390x x86_64):
    qemu-kvm-4.2.1-11.19.2
- SUSE Linux Enterprise Module for Server Applications 15-SP2 (ppc64le):
    qemu-ppc-4.2.1-11.19.2
    qemu-ppc-debuginfo-4.2.1-11.19.2
- SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64):
    qemu-arm-4.2.1-11.19.2
    qemu-arm-debuginfo-4.2.1-11.19.2
- SUSE Linux Enterprise Module for Server Applications 15-SP2 (x86_64):
    qemu-audio-alsa-4.2.1-11.19.2
    qemu-audio-alsa-debuginfo-4.2.1-11.19.2
    qemu-audio-pa-4.2.1-11.19.2
    qemu-audio-pa-debuginfo-4.2.1-11.19.2
    qemu-ui-curses-4.2.1-11.19.2
    qemu-ui-curses-debuginfo-4.2.1-11.19.2
    qemu-ui-gtk-4.2.1-11.19.2
    qemu-ui-gtk-debuginfo-4.2.1-11.19.2
    qemu-x86-4.2.1-11.19.2
    qemu-x86-debuginfo-4.2.1-11.19.2
- SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch):
    qemu-ipxe-1.0.0+-11.19.2
    qemu-microvm-4.2.1-11.19.2
    qemu-seabios-1.12.1+-11.19.2
    qemu-sgabios-8-11.19.2
    qemu-vgabios-1.12.1+-11.19.2
- SUSE Linux Enterprise Module for Server Applications 15-SP2 (s390x):
    qemu-s390-4.2.1-11.19.2
    qemu-s390-debuginfo-4.2.1-11.19.2
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
    qemu-debuginfo-4.2.1-11.19.2
    qemu-debugsource-4.2.1-11.19.2
    qemu-tools-4.2.1-11.19.2
    qemu-tools-debuginfo-4.2.1-11.19.2

References:

    https://www.suse.com/security/cve/CVE-2019-15890.html
    https://www.suse.com/security/cve/CVE-2020-10756.html
    https://www.suse.com/security/cve/CVE-2020-14364.html
    https://www.suse.com/security/cve/CVE-2020-25085.html
    https://www.suse.com/security/cve/CVE-2020-25707.html
    https://www.suse.com/security/cve/CVE-2020-25723.html
    https://www.suse.com/security/cve/CVE-2020-29129.html
    https://www.suse.com/security/cve/CVE-2020-29130.html
    https://www.suse.com/security/cve/CVE-2020-8608.html
    https://www.suse.com/security/cve/CVE-2021-20257.html
    https://www.suse.com/security/cve/CVE-2021-3419.html
    https://bugzilla.suse.com/1149813
    https://bugzilla.suse.com/1163019
    https://bugzilla.suse.com/1172380
    https://bugzilla.suse.com/1175534
    https://bugzilla.suse.com/1176681
    https://bugzilla.suse.com/1178683
    https://bugzilla.suse.com/1178935
    https://bugzilla.suse.com/1179477
    https://bugzilla.suse.com/1179484
    https://bugzilla.suse.com/1182846
    https://bugzilla.suse.com/1182975
    https://bugzilla.suse.com/1183979
    https://bugzilla.suse.com/1186290

From sle-security-updates at lists.suse.com Tue Jun 8 16:39:24 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 8 Jun 2021 18:39:24 +0200 (CEST)
Subject: SUSE-SU-2021:1888-1: important: Security update for the Linux Kernel
Message-ID: <20210608163924.1B723FD07@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1888-1
Rating:             important
References:         #1087082 #1133021 #1152457 #1155518 #1156395 #1164648
                    #1177666 #1178378 #1178418 #1178612 #1179519 #1179825
                    #1179827 #1179851 #1182999 #1183346 #1183868 #1183873
                    #1183947 #1184081 #1184082 #1184611 #1185428 #1185495
                    #1185497 #1185589 #1185606 #1185645 #1185680 #1185703
                    #1185725 #1185758 #1185859 #1185860 #1185862 #1185899
                    #1185911 #1185938 #1185988 #1186061 #1186062 #1186285
                    #1186320 #1186390 #1186416 #1186439 #1186441 #1186451
                    #1186460 #1186479 #1186484 #1186501 #1186573 #1186681
Cross-References:   CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-26139
                    CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2021-23134
                    CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVE-2021-3491
CVSS scores:
    CVE-2020-24586 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
    CVE-2020-24586 (SUSE): 4.7 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
    CVE-2020-24587 (NVD) : 2.6 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
    CVE-2020-24587 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
    CVE-2020-24588 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
    CVE-2020-24588 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    CVE-2020-26139 (NVD) : 5.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2020-26139 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    CVE-2020-26141 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
    CVE-2020-26145 (SUSE): 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    CVE-2020-26147 (NVD) : 5.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
    CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
    CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
    CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    CVE-2021-33200 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE-2021-3491 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
    SUSE Linux Enterprise Module for Public Cloud 15-SP2
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 42 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP2 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values. (bsc#1186111)
- CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
- CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
- CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
- CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
- CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
- CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)
- CVE-2020-24588: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (bnc#1185861)

The following non-security bugs were fixed:

- ACPI / hotplug / PCI: Fix reference count leak in enable_slot() (git-fixes).
- ACPI: GTDT: Do not corrupt interrupt mappings on watchdow probe failure (git-fixes).
- ACPI: custom_method: fix a possible memory leak (git-fixes).
- ACPI: custom_method: fix potential use-after-free issue (git-fixes).
- ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro (git-fixes).
- ALSA: bebob: enable to deliver MIDI messages for multiple ports (git-fixes).
- ALSA: dice: fix stream format at middle sampling rate for Alesis iO 26 (git-fixes).
- ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency (git-fixes).
- ALSA: firewire-lib: fix calculation for size of IR context payload (git-fixes).
- ALSA: firewire-lib: fix check for the size of isochronous packet payload (git-fixes).
- ALSA: hda/conexant: Re-order CX5066 quirk table entries (git-fixes).
- ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is unreachable (git-fixes).
- ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293 (git-fixes).
- ALSA: hda/realtek: Headphone volume is controlled by Front mixer (git-fixes).
- ALSA: hda/realtek: reset eapd coeff to default value for alc287 (git-fixes).
- ALSA: hda: fixup headset for ASUS GU502 laptop (git-fixes).
- ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP (git-fixes).
- ALSA: hdsp: do not disable if not enabled (git-fixes).
- ALSA: hdspm: do not disable if not enabled (git-fixes).
- ALSA: intel8x0: Do not update period unless prepared (git-fixes).
- ALSA: line6: Fix racy initialization of LINE6 MIDI (git-fixes).
- ALSA: rme9652: do not disable if not enabled (git-fixes).
- ALSA: usb-audio: Validate MS endpoint descriptors (git-fixes).
- ALSA: usb-audio: fix control-request direction (git-fixes).
- ALSA: usb-audio: scarlett2: Fix device hang with ehci-pci (git-fixes).
- ALSA: usb-audio: scarlett2: Improve driver startup messages (git-fixes).
- ALSA: usb-audio: scarlett2: snd_scarlett_gen2_controls_create() can be static (git-fixes).
- ARM64: vdso32: Install vdso32 from vdso_install (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet (git-fixes).
- ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF (git-fixes).
- ASoC: cs35l33: fix an error code in probe() (git-fixes).
- ASoC: cs42l42: Regmap must use_single_read/write (git-fixes).
- ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() (git-fixes).
- ASoC: rsnd: core: Check convert rate in rsnd_hw_params (git-fixes).
- ASoC: rt286: Generalize support for ALC3263 codec (git-fixes).
- ASoC: rt286: Make RT286_SET_GPIO_* readable and writable (git-fixes).
- Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS (git-fixes).
- Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes).
- Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default (git-fixes).
- Bluetooth: check for zapped sk before connecting (git-fixes).
- Bluetooth: initialize skb_queue_head at l2cap_chan_create() (git-fixes).
- Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2 VM (git-fixes).
- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725).
- Drivers: hv: vmbus: Use after free in __vmbus_open() (git-fixes).
- Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices (git-fixes).
- Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state (git-fixes).
- KVM: s390: fix guarded storage control register handling (bsc#1133021).
- Move upstreamed media fixes into sorted section
- NFC: nci: fix memory leak in nci_allocate_device (git-fixes).
- PCI/RCEC: Fix RCiEP device to RCEC association (git-fixes).
- PCI: Allow VPD access for QLogic ISP2722 (git-fixes).
- PCI: PM: Do not read power state in pci_enable_device_flags() (git-fixes).
- PCI: Release OF node in pci_scan_device()'s error path (git-fixes).
- PCI: endpoint: Fix missing destroy_workqueue() (git-fixes).
- PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() (git-fixes).
- PCI: thunder: Fix compile testing (git-fixes).
- PM / devfreq: Use more accurate returned new_freq as resume_freq (git-fixes).
- RDMA/addr: create addr_wq with WQ_MEM_RECLAIM flag (bsc#1183346).
- RDMA/core: create ib_cm with WQ_MEM_RECLAIM flag (bsc#1183346).
- RDMA/hns: Delete redundant abnormal interrupt status (git-fixes).
- RDMA/hns: Delete redundant condition judgment related to eq (git-fixes).
- RDMA/qedr: Fix error return code in qedr_iw_connect() (jsc#SLE-8215).
- RDMA/srpt: Fix error return code in srpt_cm_req_recv() (git-fixes).
- Revert "arm64: vdso: Fix compilation with clang older than 8" (git-fixes).
- Revert "gdrom: fix a memory leak bug" (git-fixes).
- Revert "i3c master: fix missing destroy_workqueue() on error in i3c_master_register" (git-fixes).
- Revert "leds: lp5523: fix a missing check of return value of lp55xx_read" (git-fixes).
- Revert 337f13046ff0 ("futex: Allow FUTEX_CLOCK_REALTIME with FUTEX_WAIT op") (git-fixes).
- SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428).
- SUNRPC: More fixes for backlog congestion (bsc#1185428).
- USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet (git-fixes).
- USB: Add reset-resume quirk for WD19's Realtek Hub (git-fixes).
- USB: serial: pl2303: add support for PL2303HXN (bsc#1186320).
- USB: serial: pl2303: fix line-speed handling on newer chips (bsc#1186320).
- USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check (git-fixes).
- USB: trancevibrator: fix control-request direction (git-fixes).
- amdgpu: avoid incorrect %hu format string (git-fixes).
- arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory (git-fixes).
- arm64: Add missing ISB after invalidating TLB in __primary_switch (git-fixes).
- arm64: avoid -Woverride-init warning (git-fixes).
- arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL (git-fixes).
- arm64: kdump: update ppos when reading elfcorehdr (git-fixes).
- arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails (git-fixes).
- arm64: link with -z norelro for LLD or aarch64-elf (git-fixes).
- arm64: link with -z norelro regardless of CONFIG_RELOCATABLE (git-fixes).
- arm64: ptrace: Fix seccomp of traced syscall -1 (NO_SYSCALL) (git-fixes).
- arm64: ptrace: Use NO_SYSCALL instead of -1 in syscall_trace_enter() (git-fixes).
- arm64: vdso32: make vdso32 install conditional (git-fixes).
- arm: mm: use __pfn_to_section() to get mem_section (git-fixes).
- ata: ahci: Disable SXS for Hisilicon Kunpeng920 (git-fixes).
- blk-iocost: ioc_pd_free() shouldn't assume irq disabled (git-fixes).
- blk-mq: Swap two calls in blk_mq_exit_queue() (git-fixes).
- block/genhd: use atomic_t for disk_event->block (bsc#1185497).
- block: Fix three kernel-doc warnings (git-fixes).
- block: fix get_max_io_size() (git-fixes).
- bnxt_en: Fix RX consumer index logic in the error path (git-fixes).
- bnxt_en: fix ternary sign extension bug in bnxt_show_temp() (git-fixes).
- bpf: Fix leakage of uninitialized bpf stack under speculation (bsc#1155518).
- bpf: Fix masking negation logic upon negative dst register (bsc#1155518).
- btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441).
- btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439).
- cdc-wdm: untangle a circular dependency between callback and softint (git-fixes).
- cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom (git-fixes).
- cdrom: gdrom: initialize global variable at init time (git-fixes).
- ceph: do not clobber i_snap_caps on non-I_NEW inode (bsc#1186501).
- ceph: fix inode leak on getattr error in __fh_to_dentry (bsc#1186501).
- ceph: fix up error handling with snapdirs (bsc#1186501).
- ceph: only check pool permissions for regular files (bsc#1186501).
- cfg80211: scan: drop entry from hidden_list on overflow (git-fixes).
- clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return (git-fixes).
- cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758).
- crypto: api - check for ERR pointers in crypto_destroy_tfm() (git-fixes).
- crypto: mips/poly1305 - enable for all MIPS processors (git-fixes).
- crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (git-fixes).
- crypto: qat - Fix a double free in adf_create_ring (git-fixes).
- crypto: qat - do not release uninitialized resources (git-fixes).
- crypto: qat - fix error path in adf_isr_resource_alloc() (git-fixes).
- crypto: qat - fix unmap invalid dma address (git-fixes).
- crypto: stm32/cryp - Fix PM reference leak on stm32-cryp.c (git-fixes).
- crypto: stm32/hash - Fix PM reference leak on stm32-hash.c (git-fixes).
- cxgb4: Fix unintentional sign extension issues (git-fixes).
- dm: avoid filesystem lookup in dm_get_dev_t() (git-fixes).
- dmaengine: dw-edma: Fix crash on loading/unloading driver (git-fixes).
- docs: kernel-parameters: Add gpio_mockup_named_lines (git-fixes).
- docs: kernel-parameters: Move gpio-mockup for alphabetic order (git-fixes).
- drivers: hv: Fix whitespace errors (bsc#1185725).
- drm/amd/display: Fix UBSAN warning for not a valid value for type '_Bool' (git-fixes).
- drm/amd/display: Fix two cursor duplication when using overlay (git-fixes).
- drm/amd/display: Force vsync flip when reconfiguring MPCC (git-fixes).
- drm/amd/display: Reject non-zero src_y and src_x for video planes (git-fixes).
- drm/amd/display: fix dml prefetch validation (git-fixes).
- drm/amd/display: fixed divide by zero kernel crash during dsc enablement (git-fixes).
- drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f (git-fixes).
- drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang (git-fixes).
- drm/amdgpu: fix NULL pointer dereference (git-fixes).
- drm/amdgpu: mask the xgmi number of hops reported from psp to kfd (git-fixes).
- drm/amdkfd: Fix cat debugfs hang_hws file causes system crash bug (git-fixes).
- drm/i915: Avoid div-by-zero on gen2 (git-fixes).
- drm/meson: fix shutdown crash when component not probed (git-fixes).
- drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal (git-fixes).
- drm/msm/mdp5: Do not multiply vclk line count by 100 (git-fixes).
- drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected (git-fixes).
- drm/radeon: Avoid power table parsing memory leaks (git-fixes).
- drm/radeon: Fix off-by-one power_state index heap overwrite (git-fixes).
- drm/vkms: fix misuse of WARN_ON (git-fixes).
- drm: Added orientation quirk for OneGX1 Pro (git-fixes).
- ethernet:enic: Fix a use after free bug in enic_hard_start_xmit (git-fixes).
- extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged (git-fixes).
- extcon: arizona: Fix various races on driver unbind (git-fixes).
- fbdev: zero-fill colormap in fbcmap.c (git-fixes).
- firmware: arm_scpi: Prevent the ternary sign expansion bug (git-fixes).
- fs/epoll: restore waking from ep_done_scan() (bsc#1183868).
- ftrace: Handle commands when closing set_ftrace_filter file (git-fixes).
- futex: Change utime parameter to be 'const ... *' (git-fixes).
- futex: Do not apply time namespace adjustment on FUTEX_LOCK_PI (bsc#1164648).
- futex: Get rid of the val2 conditional dance (git-fixes).
- futex: Make syscall entry points less convoluted (git-fixes).
- genirq/irqdomain: Do not try to free an interrupt that has no (git-fixes)
- genirq: Disable interrupts for force threaded handlers (git-fixes)
- genirq: Reduce irqdebug cacheline bouncing (bsc#1185703 ltc#192641).
- gpio: xilinx: Correct kernel doc for xgpio_probe() (git-fixes).
- gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 (git-fixes).
- hrtimer: Update softirq_expires_next correctly after (git-fixes)
- hwmon: (occ) Fix poll rate limiting (git-fixes).
- i2c: Add I2C_AQ_NO_REP_START adapter quirk (git-fixes).
- i2c: bail out early when RDWR parameters are wrong (git-fixes).
- i2c: i801: Do not generate an interrupt on bus reset (git-fixes).
- i2c: s3c2410: fix possible NULL pointer deref on read message after write (git-fixes).
- i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E (git-fixes).
- i40e: Fix PHY type identifiers for 2.5G and 5G adapters (git-fixes).
- i40e: Fix use-after-free in i40e_client_subtask() (git-fixes).
- i40e: fix broken XDP support (git-fixes).
- i40e: fix the restart auto-negotiation after FEC modified (git-fixes).
- ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043).
- ibmvfc: Handle move login failure (bsc#1185938 ltc#192043).
- ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).
- ibmvnic: remove default label from to_string switch (bsc#1152457 ltc#174432 git-fixes).
- ics932s401: fix broken handling of errors when word reading fails (git-fixes).
- iio: adc: ad7124: Fix missbalanced regulator enable / disable on error (git-fixes).
- iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers (git-fixes).
- iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp() (git-fixes).
- iio: adc: ad7793: Add missing error code in ad7793_setup() (git-fixes).
- iio: gyro: fxas21002c: balance runtime power in error path (git-fixes).
- iio: gyro: mpu3050: Fix reported temperature value (git-fixes).
- iio: proximity: pulsedlight: Fix rumtime PM imbalance on error (git-fixes).
- iio: tsl2583: Fix division by a zero lux_val (git-fixes).
- intel_th: Consistency and off-by-one fix (git-fixes).
- iommu/amd: Add support for map/unmap_resource (jsc#ECO-3482).
- ipc/mqueue, msg, sem: Avoid relying on a stack reference past its expiry (bsc#1185988).
- ipmi/watchdog: Stop watchdog timer when the current action is 'none' (bsc#1184855).
- kernel-docs.spec.in: Build using an utf-8 locale. Sphinx cannot handle UTF-8 input in non-UTF-8 locale.
- leds: lp5523: check return value of lp5xx_read and jump to cleanup code (git-fixes).
- lpfc: Decouple port_template and vport_template (bsc#185032).
- mac80211: clear the beacon's CRC after channel switch (git-fixes).
- md-cluster: fix use-after-free issue when removing rdev (bsc#1184082).
- md/raid1: properly indicate failure when ending a failed write request (bsc#1185680).
- md: do not flush workqueue unconditionally in md_open (bsc#1184081).
- md: factor out a mddev_find_locked helper from mddev_find (bsc#1184081).
- md: md_open returns -EBUSY when entering racing area (bsc#1184081).
- md: split mddev_find (bsc#1184081).
- media: adv7604: fix possible use-after-free in adv76xx_remove() (git-fixes).
- media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB (git-fixes).
- media: dvb-usb: fix memory leak in dvb_usb_adapter_init (git-fixes).
- media: em28xx: fix memory leak (git-fixes).
- media: gspca/sq905.c: fix uninitialized variable (git-fixes).
- media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() (git-fixes).
- media: i2c: adv7842: fix possible use-after-free in adv7842_remove() (git-fixes).
- media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove() (git-fixes).
- media: imx: capture: Return -EPIPE from __capture_legacy_try_fmt() (git-fixes).
- media: ite-cir: check for receive overflow (git-fixes).
- media: media/saa7164: fix saa7164_encoder_register() memory leak bugs (git-fixes).
- media: platform: sti: Fix runtime PM imbalance in regs_show (git-fixes).
- media: tc358743: fix possible use-after-free in tc358743_remove() (git-fixes).
- mfd: arizona: Fix rumtime PM imbalance on error (git-fixes).
- misc/uss720: fix memory leak in uss720_probe (git-fixes).
- mlxsw: spectrum_mr: Update egress RIF list before route's action (git-fixes).
- mm: memcontrol: fix cpuhotplug statistics flushing (bsc#1185606).
- mmc: block: Update ext_csd.cache_ctrl if it was written (git-fixes).
- mmc: core: Do a power cycle when the CMD11 fails (git-fixes).
- mmc: core: Set read only for SD cards with permanent write protect bit (git-fixes).
- mmc: sdhci-pci-gli: increase 1.8V regulator wait (git-fixes).
- mmc: sdhci-pci: Add PCI IDs for Intel LKF (git-fixes).
- mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers (git-fixes).
- mmc: sdhci: Check for reset prior to DMA address unmap (git-fixes).
- net, xdp: Update pkt_type if generic XDP changes unicast MAC (git-fixes).
- net: enetc: fix link error again (git-fixes).
- net: hns3: Fix for geneve tx checksum bug (git-fixes).
- net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() (git-fixes).
- net: hns3: clear unnecessary reset request in hclge_reset_rebuild (git-fixes).
- net: hns3: disable phy loopback setting in hclge_mac_start_phy (git-fixes).
- net: hns3: fix for vxlan gpe tx checksum bug (git-fixes).
- net: hns3: fix incorrect configuration for igu_egu_hw_err (git-fixes).
- net: hns3: initialize the message content in hclge_get_link_mode() (git-fixes).
- net: hns3: use netif_tx_disable to stop the transmit queue (git-fixes).
- net: thunderx: Fix unintentional sign extension issue (git-fixes).
- net: usb: fix memory leak in smsc75xx_bind (git-fixes).
- netdevice: Add missing IFF_PHONY_HEADROOM self-definition (git-fixes).
- netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950).
- netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950).
- netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950).
- nvme-core: add cancel tagset helpers (bsc#1183976).
- nvme-fabrics: decode host pathing error for connect (bsc#1179827).
- nvme-fc: check sgl supported by target (bsc#1179827).
- nvme-fc: clear q_live at beginning of association teardown (bsc#1186479).
- nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted (bsc#1184259).
- nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange() (bsc#1184259).
- nvme-fc: short-circuit reconnect retries (bsc#1179827).
- nvme-multipath: fix double initialization of ANA state (bsc#1178612, bsc#1184259).
- nvme-multipath: reset bdev to ns head when failover (bsc#178378 bsc#1182999).
- nvme-pci: Remove tag from process cq (git-fixes).
- nvme-pci: Remove two-pass completions (git-fixes).
- nvme-pci: Simplify nvme_poll_irqdisable (git-fixes).
- nvme-pci: align io queue count with allocted nvme_queue in (git-fixes).
- nvme-pci: avoid race between nvme_reap_pending_cqes() and nvme_poll() (git-fixes).
- nvme-pci: dma read memory barrier for completions (git-fixes).
- nvme-pci: fix "slimmer CQ head update" (git-fixes).
- nvme-pci: make sure write/poll_queues less or equal then cpu (git-fixes).
- nvme-pci: remove last_sq_tail (git-fixes).
- nvme-pci: remove volatile cqes (git-fixes).
- nvme-pci: slimmer CQ head update (git-fixes).
- nvme-pci: use simple suspend when a HMB is enabled (git-fixes).
- nvme-tcp: Fix possible race of io_work and direct send (git-fixes).
- nvme-tcp: Fix warning with CONFIG_DEBUG_PREEMPT (git-fixes).
- nvme-tcp: add clean action for failed reconnection (bsc#1183976).
- nvme-tcp: fix kconfig dependency warning when !CRYPTO (git-fixes).
- nvme-tcp: fix misuse of __smp_processor_id with preemption (git-fixes).
- nvme-tcp: fix possible hang waiting for icresp response (bsc#1179519).
- nvme-tcp: use cancel tagset helper for tear down (bsc#1183976).
- nvme: Fix NULL dereference for pci nvme controllers (bsc#1182378).
- nvme: add 'kato' sysfs attribute (bsc#1179825).
- nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() (bsc#1184259).
- nvme: define constants for identification values (git-fixes).
- nvme: do not intialize hwmon for discovery controllers (bsc#1184259).
- nvme: do not intialize hwmon for discovery controllers (git-fixes).
- nvme: document nvme controller states (git-fixes).
- nvme: explicitly update mpath disk capacity on revalidation (git-fixes).
- nvme: expose reconnect_delay and ctrl_loss_tmo via sysfs (bsc#1182378).
- nvme: fix controller instance leak (git-fixes).
- nvme: fix deadlock in disconnect during scan_work and/or ana_work (git-fixes).
- nvme: fix possible deadlock when I/O is blocked (git-fixes).
- nvme: remove superfluous else in nvme_ctrl_loss_tmo_store (bsc#1182378).
- nvme: retrigger ANA log update if group descriptor isn't found (git-fixes)
- nvme: sanitize KATO setting (bsc#1179825).
- nvme: simplify error logic in nvme_validate_ns() (bsc#1184259).
- nvmet: fix a memory leak (git-fixes).
- nvmet: seset ns->file when open fails (bsc#1183873).
- nvmet: use new ana_log_size instead the old one (bsc#1184259).
- nxp-i2c: restore includes for kABI (bsc#1185589).
- nxp-nci: add NXP1002 id (bsc#1185589).
- phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() (git-fixes).
- pinctrl: ingenic: Improve unreachable code generation (git-fixes).
- pinctrl: samsung: use 'int' for register masks in Exynos (git-fixes).
- platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue (git-fixes).
- platform/x86: intel_pmc_core: Do not use global pmcdev in quirks (git-fixes).
- platform/x86: thinkpad_acpi: Correct thermal sensor allocation (git-fixes).
- posix-timers: Preserve return value in clock_adjtime32() (git-fixes)
- power: supply: Use IRQF_ONESHOT (git-fixes).
- power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() (git-fixes).
- power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() (git-fixes).
- powerpc/64s: Fix crashes when toggling entry flush barrier (bsc#1177666 git-fixes).
- powerpc/64s: Fix crashes when toggling stf barrier (bsc#1087082 git-fixes).
- qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth (git-fixes).
- rtc: pcf2127: handle timestamp interrupts (bsc#1185495).
- s390/dasd: fix hanging DASD driver unbind (bsc#1183932 LTC#192153).
- s390/entry: save the caller of psw_idle (bsc#1185677).
- s390/kdump: fix out-of-memory with PCI (bsc#1182257 LTC#191375).
- sched/eas: Do not update misfit status if the task is pinned (git-fixes)
- sched/fair: Avoid stale CPU util_est value for schedutil in (git-fixes)
- sched/fair: Fix unfairness caused by missing load decay (git-fixes)
- scripts/git_sort/git_sort.py: Update nvme repositories
- scripts/git_sort/git_sort.py: add bpf git repo
- scsi: core: Run queue in case of I/O resource contention failure (bsc#1186416).
- scsi: fnic: Kill 'exclude_id' argument to fnic_cleanup_io() (bsc#1179851).
- scsi: libfc: Avoid invoking response handler twice if ep is already completed (bsc#1186573).
- scsi: lpfc: Add a option to enable interlocked ABTS before job completion (bsc#1186451).
- scsi: lpfc: Add ndlp kref accounting for resume RPI path (bsc#1186451).
- scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology (bsc#1186451).
- scsi: lpfc: Fix Node recovery when driver is handling simultaneous PLOGIs (bsc#1186451).
- scsi: lpfc: Fix bad memory access during VPD DUMP mailbox command (bsc#1186451).
- scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs (bsc#1186451).
- scsi: lpfc: Fix node handling for Fabric Controller and Domain Controller (bsc#1186451).
- scsi: lpfc: Fix non-optimized ERSP handling (bsc#1186451).
- scsi: lpfc: Fix unreleased RPIs when NPIV ports are created (bsc#1186451).
- scsi: lpfc: Ignore GID-FT response that may be received after a link flip (bsc#1186451).
- scsi: lpfc: Reregister FPIN types if ELS_RDF is received from fabric controller (bsc#1186451).
- scsi: lpfc: Update lpfc version to 12.8.0.10 (bsc#1186451).
- sctp: delay auto_asconf init until binding the first addr (<cover.1620748346.git.mkubecek at suse.cz>).
- serial: core: fix suspicious security_locked_down() call (git-fixes).
- serial: core: return early on unsupported ioctls (git-fixes).
- serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (git-fixes).
- serial: stm32: fix incorrect characters on console (git-fixes).
- serial: stm32: fix tx_empty condition (git-fixes).
- serial: tegra: Fix a mask operation that is always true (git-fixes).
- smc: disallow TCP_ULP in smc_setsockopt() (git-fixes).
- spi: ath79: always call chipselect function (git-fixes).
- spi: ath79: remove spi-master setup and cleanup assignment (git-fixes).
- spi: dln2: Fix reference leak to master (git-fixes).
- spi: omap-100k: Fix reference leak to master (git-fixes).
- spi: qup: fix PM reference leak in spi_qup_remove() (git-fixes).
- spi: spi-fsl-dspi: Fix a resource leak in an error handling path (git-fixes).
- staging: emxx_udc: fix loop in _nbu2ss_nuke() (git-fixes).
- staging: iio: cdc: ad7746: avoid overwrite of num_channels (git-fixes).
- tcp: fix to update snd_wl1 in bulk receiver fast path (<cover.1620748346.git.mkubecek at suse.cz>).
- thermal/drivers/ti-soc-thermal/bandgap Remove unused variable 'val' (git-fixes).
- thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (git-fixes).
- tracing: Map all PIDs to command lines (git-fixes).
- tty: amiserial: fix TIOCSSERIAL permission check (git-fixes).
- tty: fix memory leak in vc_deallocate (git-fixes).
- tty: moxa: fix TIOCSSERIAL jiffies conversions (git-fixes).
- tty: moxa: fix TIOCSSERIAL permission check (git-fixes).
- uio: uio_hv_generic: use devm_kzalloc() for private data alloc (git-fixes).
- uio_hv_generic: Fix a memory leak in error handling paths (git-fixes).
- uio_hv_generic: Fix another memory leak in error handling paths (git-fixes).
- uio_hv_generic: add missed sysfs_remove_bin_file (git-fixes).
- usb: core: hub: Fix PM reference leak in usb_port_resume() (git-fixes).
- usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes).
- usb: dwc2: Fix gadget DMA unmap direction (git-fixes).
- usb: dwc3: gadget: Enable suspend events (git-fixes).
- usb: dwc3: gadget: Return success always for kick transfer in ep queue (git-fixes).
- usb: dwc3: omap: improve extcon initialization (git-fixes).
- usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield (git-fixes).
- usb: fotg210-hcd: Fix an error message (git-fixes).
- usb: gadget/function/f_fs string table fix for multiple languages (git-fixes).
- usb: gadget: dummy_hcd: fix gpf in gadget_setup (git-fixes).
- usb: gadget: f_uac1: validate input parameters (git-fixes).
- usb: gadget: f_uac2: validate input parameters (git-fixes).
- usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() (git-fixes).
- usb: gadget: uvc: add bInterval checking for HS mode (git-fixes).
- usb: musb: fix PM reference leak in musb_irq_work() (git-fixes).
- usb: sl811-hcd: improve misleading indentation (git-fixes).
- usb: webcam: Invalid size of Processing Unit Descriptor (git-fixes).
- usb: xhci: Fix port minor revision (git-fixes).
- usb: xhci: Increase timeout for HC halt (git-fixes).
- vgacon: Record video mode changes with VT_RESIZEX (git-fixes).
- video: hyperv_fb: Add ratelimit on error message (bsc#1185725).
- vrf: fix a comment about loopback device (git-fixes).
- watchdog/softlockup: Remove obsolete check of last reported task (bsc#1185982).
- watchdog/softlockup: report the overall time of softlockups (bsc#1185982).
- watchdog: explicitly update timestamp when reporting softlockup (bsc#1185982).
- watchdog: rename __touch_watchdog() to a better descriptive name (bsc#1185982).
- whitespace cleanup
- wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join (git-fixes).
- wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt (git-fixes).
- workqueue: Minor follow-ups to the rescuer destruction change (bsc#1185911).
- workqueue: more destroy_workqueue() fixes (bsc#1185911).
- x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is supported (bsc#1152489).
- xhci: Do not use GFP_KERNEL in (potentially) atomic context (git-fixes).
- xhci: check control context is valid before dereferencing it (git-fixes).
- xhci: fix potential array out of bounds with several interrupters (git-fixes).
- xsk: Respect device's headroom and tailroom on generic xmit path (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Public Cloud 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2021-1888=1

Package List:

- SUSE Linux Enterprise Module for Public Cloud 15-SP2 (noarch):
  kernel-devel-azure-5.3.18-18.50.2
  kernel-source-azure-5.3.18-18.50.2
- SUSE Linux Enterprise Module for Public Cloud 15-SP2 (x86_64):
  kernel-azure-5.3.18-18.50.2
  kernel-azure-debuginfo-5.3.18-18.50.2
  kernel-azure-debugsource-5.3.18-18.50.2
  kernel-azure-devel-5.3.18-18.50.2
  kernel-azure-devel-debuginfo-5.3.18-18.50.2
  kernel-syms-azure-5.3.18-18.50.1

References:

https://www.suse.com/security/cve/CVE-2020-24586.html
https://www.suse.com/security/cve/CVE-2020-24587.html
https://www.suse.com/security/cve/CVE-2020-24588.html
https://www.suse.com/security/cve/CVE-2020-26139.html
https://www.suse.com/security/cve/CVE-2020-26141.html
https://www.suse.com/security/cve/CVE-2020-26145.html
https://www.suse.com/security/cve/CVE-2020-26147.html
https://www.suse.com/security/cve/CVE-2021-23134.html
https://www.suse.com/security/cve/CVE-2021-32399.html
https://www.suse.com/security/cve/CVE-2021-33034.html
https://www.suse.com/security/cve/CVE-2021-33200.html
https://www.suse.com/security/cve/CVE-2021-3491.html
https://bugzilla.suse.com/1087082
https://bugzilla.suse.com/1133021
https://bugzilla.suse.com/1152457
https://bugzilla.suse.com/1155518
https://bugzilla.suse.com/1156395
https://bugzilla.suse.com/1164648
https://bugzilla.suse.com/1177666
https://bugzilla.suse.com/1178378
https://bugzilla.suse.com/1178418
https://bugzilla.suse.com/1178612
https://bugzilla.suse.com/1179519
https://bugzilla.suse.com/1179825
https://bugzilla.suse.com/1179827
https://bugzilla.suse.com/1179851
https://bugzilla.suse.com/1182999
https://bugzilla.suse.com/1183346
https://bugzilla.suse.com/1183868
https://bugzilla.suse.com/1183873
https://bugzilla.suse.com/1183947
https://bugzilla.suse.com/1184081
https://bugzilla.suse.com/1184082
https://bugzilla.suse.com/1184611
https://bugzilla.suse.com/1185428
https://bugzilla.suse.com/1185495
https://bugzilla.suse.com/1185497
https://bugzilla.suse.com/1185589
https://bugzilla.suse.com/1185606
https://bugzilla.suse.com/1185645
https://bugzilla.suse.com/1185680
https://bugzilla.suse.com/1185703
https://bugzilla.suse.com/1185725
https://bugzilla.suse.com/1185758
https://bugzilla.suse.com/1185859
https://bugzilla.suse.com/1185860
https://bugzilla.suse.com/1185862
https://bugzilla.suse.com/1185899
https://bugzilla.suse.com/1185911
https://bugzilla.suse.com/1185938
https://bugzilla.suse.com/1185988
https://bugzilla.suse.com/1186061
https://bugzilla.suse.com/1186062
https://bugzilla.suse.com/1186285
https://bugzilla.suse.com/1186320
https://bugzilla.suse.com/1186390
https://bugzilla.suse.com/1186416
https://bugzilla.suse.com/1186439
https://bugzilla.suse.com/1186441
https://bugzilla.suse.com/1186451
https://bugzilla.suse.com/1186460
https://bugzilla.suse.com/1186479
https://bugzilla.suse.com/1186484
https://bugzilla.suse.com/1186501
https://bugzilla.suse.com/1186573
https://bugzilla.suse.com/1186681

From sle-security-updates at lists.suse.com Tue Jun 8 16:48:43 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 8 Jun 2021 18:48:43 +0200 (CEST)
Subject: SUSE-SU-2021:1892-1: important: Security update for libX11
Message-ID: <20210608164843.1971DFD07@maintenance.suse.de>

SUSE Security Update: Security update for libX11
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1892-1
Rating: important
References: #1186643
Cross-References: CVE-2021-31535
CVSS scores:
  CVE-2021-31535 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE
Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libX11 fixes the following issues: - Regression in the fix for CVE-2021-31535, causing segfaults for xforms applications like fdesign (bsc#1186643) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1892=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1892=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1892=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1892=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1892=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1892=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1892=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1892=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1892=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1892=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1892=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1892=1 - HPE Helion Openstack 8: zypper in -t patch 
HPE-Helion-OpenStack-8-2021-1892=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (noarch): libX11-data-1.6.2-12.21.1 - SUSE OpenStack Cloud Crowbar 9 (x86_64): libX11-6-1.6.2-12.21.1 libX11-6-32bit-1.6.2-12.21.1 libX11-6-debuginfo-1.6.2-12.21.1 libX11-6-debuginfo-32bit-1.6.2-12.21.1 libX11-debugsource-1.6.2-12.21.1 libX11-xcb1-1.6.2-12.21.1 libX11-xcb1-32bit-1.6.2-12.21.1 libX11-xcb1-debuginfo-1.6.2-12.21.1 libX11-xcb1-debuginfo-32bit-1.6.2-12.21.1 - SUSE OpenStack Cloud Crowbar 8 (noarch): libX11-data-1.6.2-12.21.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): libX11-6-1.6.2-12.21.1 libX11-6-32bit-1.6.2-12.21.1 libX11-6-debuginfo-1.6.2-12.21.1 libX11-6-debuginfo-32bit-1.6.2-12.21.1 libX11-debugsource-1.6.2-12.21.1 libX11-xcb1-1.6.2-12.21.1 libX11-xcb1-32bit-1.6.2-12.21.1 libX11-xcb1-debuginfo-1.6.2-12.21.1 libX11-xcb1-debuginfo-32bit-1.6.2-12.21.1 - SUSE OpenStack Cloud 9 (x86_64): libX11-6-1.6.2-12.21.1 libX11-6-32bit-1.6.2-12.21.1 libX11-6-debuginfo-1.6.2-12.21.1 libX11-6-debuginfo-32bit-1.6.2-12.21.1 libX11-debugsource-1.6.2-12.21.1 libX11-xcb1-1.6.2-12.21.1 libX11-xcb1-32bit-1.6.2-12.21.1 libX11-xcb1-debuginfo-1.6.2-12.21.1 libX11-xcb1-debuginfo-32bit-1.6.2-12.21.1 - SUSE OpenStack Cloud 9 (noarch): libX11-data-1.6.2-12.21.1 - SUSE OpenStack Cloud 8 (x86_64): libX11-6-1.6.2-12.21.1 libX11-6-32bit-1.6.2-12.21.1 libX11-6-debuginfo-1.6.2-12.21.1 libX11-6-debuginfo-32bit-1.6.2-12.21.1 libX11-debugsource-1.6.2-12.21.1 libX11-xcb1-1.6.2-12.21.1 libX11-xcb1-32bit-1.6.2-12.21.1 libX11-xcb1-debuginfo-1.6.2-12.21.1 libX11-xcb1-debuginfo-32bit-1.6.2-12.21.1 - SUSE OpenStack Cloud 8 (noarch): libX11-data-1.6.2-12.21.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libX11-debugsource-1.6.2-12.21.1 libX11-devel-1.6.2-12.21.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): libX11-6-1.6.2-12.21.1 libX11-6-debuginfo-1.6.2-12.21.1 libX11-debugsource-1.6.2-12.21.1 libX11-xcb1-1.6.2-12.21.1 libX11-xcb1-debuginfo-1.6.2-12.21.1 
- SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): libX11-data-1.6.2-12.21.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64): libX11-6-32bit-1.6.2-12.21.1 libX11-6-debuginfo-32bit-1.6.2-12.21.1 libX11-xcb1-32bit-1.6.2-12.21.1 libX11-xcb1-debuginfo-32bit-1.6.2-12.21.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libX11-6-1.6.2-12.21.1 libX11-6-debuginfo-1.6.2-12.21.1 libX11-debugsource-1.6.2-12.21.1 libX11-xcb1-1.6.2-12.21.1 libX11-xcb1-debuginfo-1.6.2-12.21.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libX11-6-32bit-1.6.2-12.21.1 libX11-6-debuginfo-32bit-1.6.2-12.21.1 libX11-xcb1-32bit-1.6.2-12.21.1 libX11-xcb1-debuginfo-32bit-1.6.2-12.21.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): libX11-data-1.6.2-12.21.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libX11-6-1.6.2-12.21.1 libX11-6-debuginfo-1.6.2-12.21.1 libX11-debugsource-1.6.2-12.21.1 libX11-xcb1-1.6.2-12.21.1 libX11-xcb1-debuginfo-1.6.2-12.21.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libX11-6-32bit-1.6.2-12.21.1 libX11-6-debuginfo-32bit-1.6.2-12.21.1 libX11-xcb1-32bit-1.6.2-12.21.1 libX11-xcb1-debuginfo-32bit-1.6.2-12.21.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): libX11-data-1.6.2-12.21.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): libX11-6-1.6.2-12.21.1 libX11-6-debuginfo-1.6.2-12.21.1 libX11-debugsource-1.6.2-12.21.1 libX11-xcb1-1.6.2-12.21.1 libX11-xcb1-debuginfo-1.6.2-12.21.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64): libX11-6-32bit-1.6.2-12.21.1 libX11-6-debuginfo-32bit-1.6.2-12.21.1 libX11-xcb1-32bit-1.6.2-12.21.1 libX11-xcb1-debuginfo-32bit-1.6.2-12.21.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch): libX11-data-1.6.2-12.21.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libX11-6-1.6.2-12.21.1 libX11-6-debuginfo-1.6.2-12.21.1 libX11-debugsource-1.6.2-12.21.1 libX11-xcb1-1.6.2-12.21.1 libX11-xcb1-debuginfo-1.6.2-12.21.1 - 
SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libX11-6-32bit-1.6.2-12.21.1 libX11-6-debuginfo-32bit-1.6.2-12.21.1 libX11-xcb1-32bit-1.6.2-12.21.1 libX11-xcb1-debuginfo-32bit-1.6.2-12.21.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): libX11-data-1.6.2-12.21.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): libX11-data-1.6.2-12.21.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libX11-6-1.6.2-12.21.1 libX11-6-32bit-1.6.2-12.21.1 libX11-6-debuginfo-1.6.2-12.21.1 libX11-6-debuginfo-32bit-1.6.2-12.21.1 libX11-debugsource-1.6.2-12.21.1 libX11-xcb1-1.6.2-12.21.1 libX11-xcb1-32bit-1.6.2-12.21.1 libX11-xcb1-debuginfo-1.6.2-12.21.1 libX11-xcb1-debuginfo-32bit-1.6.2-12.21.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): libX11-data-1.6.2-12.21.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libX11-6-1.6.2-12.21.1 libX11-6-32bit-1.6.2-12.21.1 libX11-6-debuginfo-1.6.2-12.21.1 libX11-6-debuginfo-32bit-1.6.2-12.21.1 libX11-debugsource-1.6.2-12.21.1 libX11-xcb1-1.6.2-12.21.1 libX11-xcb1-32bit-1.6.2-12.21.1 libX11-xcb1-debuginfo-1.6.2-12.21.1 libX11-xcb1-debuginfo-32bit-1.6.2-12.21.1 - HPE Helion Openstack 8 (x86_64): libX11-6-1.6.2-12.21.1 libX11-6-32bit-1.6.2-12.21.1 libX11-6-debuginfo-1.6.2-12.21.1 libX11-6-debuginfo-32bit-1.6.2-12.21.1 libX11-debugsource-1.6.2-12.21.1 libX11-xcb1-1.6.2-12.21.1 libX11-xcb1-32bit-1.6.2-12.21.1 libX11-xcb1-debuginfo-1.6.2-12.21.1 libX11-xcb1-debuginfo-32bit-1.6.2-12.21.1 - HPE Helion Openstack 8 (noarch): libX11-data-1.6.2-12.21.1 References: https://www.suse.com/security/cve/CVE-2021-31535.html https://bugzilla.suse.com/1186643 From sle-security-updates at lists.suse.com Tue Jun 8 16:50:01 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 8 Jun 2021 18:50:01 +0200 (CEST) Subject: SUSE-SU-2021:14743-1: moderate: Security update for MozillaFirefox Message-ID: <20210608165001.9F768FD07@maintenance.suse.de> SUSE Security Update: Security update for 
MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14743-1 Rating: moderate References: #1185633 #1186696 Cross-References: CVE-2021-29951 CVE-2021-29964 CVE-2021-29967 CVSS scores: CVE-2021-29951 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for MozillaFirefox fixes the following issues: Firefox Extended Support Release 78.11.0 ESR (bsc#1186696) * CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message * CVE-2021-29967: Memory safety bugs fixed in Firefox Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-MozillaFirefox-14743=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-MozillaFirefox-14743=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64): MozillaFirefox-78.11.0-78.131.1 MozillaFirefox-translations-common-78.11.0-78.131.1 MozillaFirefox-translations-other-78.11.0-78.131.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64): MozillaFirefox-debuginfo-78.11.0-78.131.1 References: https://www.suse.com/security/cve/CVE-2021-29951.html https://www.suse.com/security/cve/CVE-2021-29964.html https://www.suse.com/security/cve/CVE-2021-29967.html https://bugzilla.suse.com/1185633 https://bugzilla.suse.com/1186696 From sle-security-updates at lists.suse.com Tue Jun 8 16:51:28 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 8 Jun 2021 18:51:28 +0200 (CEST) Subject: SUSE-SU-2021:1886-1: important: 
Security update for MozillaFirefox Message-ID: <20210608165128.92913FD07@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1886-1 Rating: important References: #1185633 #1186696 Cross-References: CVE-2021-29951 CVE-2021-29964 CVE-2021-29967 CVSS scores: CVE-2021-29951 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for MozillaFirefox fixes the following issues: Firefox Extended Support Release 78.11.0 ESR (bsc#1186696) * CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message * CVE-2021-29967: Memory safety bugs fixed in Firefox Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1886=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1886=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1886=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1886=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1886=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1886=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1886=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1886=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1886=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1886=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1886=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1886=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1886=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): MozillaFirefox-78.11.0-112.62.1 MozillaFirefox-debuginfo-78.11.0-112.62.1 MozillaFirefox-debugsource-78.11.0-112.62.1 MozillaFirefox-devel-78.11.0-112.62.1 MozillaFirefox-translations-common-78.11.0-112.62.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): MozillaFirefox-78.11.0-112.62.1 MozillaFirefox-debuginfo-78.11.0-112.62.1 MozillaFirefox-debugsource-78.11.0-112.62.1 MozillaFirefox-devel-78.11.0-112.62.1 MozillaFirefox-translations-common-78.11.0-112.62.1 - SUSE OpenStack Cloud 9 (x86_64): MozillaFirefox-78.11.0-112.62.1 MozillaFirefox-debuginfo-78.11.0-112.62.1 MozillaFirefox-debugsource-78.11.0-112.62.1 
MozillaFirefox-devel-78.11.0-112.62.1 MozillaFirefox-translations-common-78.11.0-112.62.1 - SUSE OpenStack Cloud 8 (x86_64): MozillaFirefox-78.11.0-112.62.1 MozillaFirefox-debuginfo-78.11.0-112.62.1 MozillaFirefox-debugsource-78.11.0-112.62.1 MozillaFirefox-devel-78.11.0-112.62.1 MozillaFirefox-translations-common-78.11.0-112.62.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): MozillaFirefox-debuginfo-78.11.0-112.62.1 MozillaFirefox-debugsource-78.11.0-112.62.1 MozillaFirefox-devel-78.11.0-112.62.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): MozillaFirefox-78.11.0-112.62.1 MozillaFirefox-debuginfo-78.11.0-112.62.1 MozillaFirefox-debugsource-78.11.0-112.62.1 MozillaFirefox-devel-78.11.0-112.62.1 MozillaFirefox-translations-common-78.11.0-112.62.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): MozillaFirefox-78.11.0-112.62.1 MozillaFirefox-debuginfo-78.11.0-112.62.1 MozillaFirefox-debugsource-78.11.0-112.62.1 MozillaFirefox-devel-78.11.0-112.62.1 MozillaFirefox-translations-common-78.11.0-112.62.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): MozillaFirefox-78.11.0-112.62.1 MozillaFirefox-debuginfo-78.11.0-112.62.1 MozillaFirefox-debugsource-78.11.0-112.62.1 MozillaFirefox-devel-78.11.0-112.62.1 MozillaFirefox-translations-common-78.11.0-112.62.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): MozillaFirefox-78.11.0-112.62.1 MozillaFirefox-debuginfo-78.11.0-112.62.1 MozillaFirefox-debugsource-78.11.0-112.62.1 MozillaFirefox-devel-78.11.0-112.62.1 MozillaFirefox-translations-common-78.11.0-112.62.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): MozillaFirefox-78.11.0-112.62.1 MozillaFirefox-debuginfo-78.11.0-112.62.1 MozillaFirefox-debugsource-78.11.0-112.62.1 MozillaFirefox-devel-78.11.0-112.62.1 MozillaFirefox-translations-common-78.11.0-112.62.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): 
MozillaFirefox-78.11.0-112.62.1 MozillaFirefox-debuginfo-78.11.0-112.62.1 MozillaFirefox-debugsource-78.11.0-112.62.1 MozillaFirefox-devel-78.11.0-112.62.1 MozillaFirefox-translations-common-78.11.0-112.62.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): MozillaFirefox-78.11.0-112.62.1 MozillaFirefox-debuginfo-78.11.0-112.62.1 MozillaFirefox-debugsource-78.11.0-112.62.1 MozillaFirefox-devel-78.11.0-112.62.1 MozillaFirefox-translations-common-78.11.0-112.62.1 - HPE Helion Openstack 8 (x86_64): MozillaFirefox-78.11.0-112.62.1 MozillaFirefox-debuginfo-78.11.0-112.62.1 MozillaFirefox-debugsource-78.11.0-112.62.1 MozillaFirefox-devel-78.11.0-112.62.1 MozillaFirefox-translations-common-78.11.0-112.62.1 References: https://www.suse.com/security/cve/CVE-2021-29951.html https://www.suse.com/security/cve/CVE-2021-29964.html https://www.suse.com/security/cve/CVE-2021-29967.html https://bugzilla.suse.com/1185633 https://bugzilla.suse.com/1186696 From sle-security-updates at lists.suse.com Tue Jun 8 16:53:02 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 8 Jun 2021 18:53:02 +0200 (CEST) Subject: SUSE-SU-2021:1894-1: important: Security update for qemu Message-ID: <20210608165302.E5027FD07@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1894-1 Rating: important References: #1094725 #1149813 #1163019 #1172380 #1172382 #1175534 #1178683 #1178935 #1179477 #1181933 #1182846 #1182975 Cross-References: CVE-2019-15890 CVE-2020-10756 CVE-2020-13754 CVE-2020-14364 CVE-2020-25707 CVE-2020-25723 CVE-2020-29130 CVE-2020-8608 CVE-2021-20221 CVE-2021-20257 CVE-2021-3419 CVSS scores: CVE-2019-15890 (SUSE): 5.8 CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2020-10756 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2020-10756 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 
CVE-2020-13754 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-13754 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L CVE-2020-14364 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-14364 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25707 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-8608 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-8608 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H CVE-2021-20221 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2021-20221 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-3419 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves 11 vulnerabilities and has one errata is now available. Description: This update for qemu fixes the following issues: - Fix OOB access during mmio operations (CVE-2020-13754, bsc#1172382) - Fix out-of-bounds read information disclosure in icmp6_send_echoreply (CVE-2020-10756, bsc#1172380) - Fix out-of-bound heap buffer access via an interrupt ID field (CVE-2021-20221, bsc#1181933) - For the record, these issues are fixed in this package already. 
Most are alternate references to previously mentioned issues: (CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019, CVE-2020-14364, bsc#1175534, CVE-2020-25707, bsc#1178683, CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477, CVE-2021-20257, bsc#1182846, CVE-2021-3419, bsc#1182975, bsc#1094725) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1894=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1894=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1894=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1894=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1894=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1894=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): qemu-2.9.1-6.50.1 qemu-block-curl-2.9.1-6.50.1 qemu-block-curl-debuginfo-2.9.1-6.50.1 qemu-block-iscsi-2.9.1-6.50.1 qemu-block-iscsi-debuginfo-2.9.1-6.50.1 qemu-block-rbd-2.9.1-6.50.1 qemu-block-rbd-debuginfo-2.9.1-6.50.1 qemu-block-ssh-2.9.1-6.50.1 qemu-block-ssh-debuginfo-2.9.1-6.50.1 qemu-debugsource-2.9.1-6.50.1 qemu-guest-agent-2.9.1-6.50.1 qemu-guest-agent-debuginfo-2.9.1-6.50.1 qemu-kvm-2.9.1-6.50.1 qemu-lang-2.9.1-6.50.1 qemu-tools-2.9.1-6.50.1 qemu-tools-debuginfo-2.9.1-6.50.1 qemu-x86-2.9.1-6.50.1 qemu-x86-debuginfo-2.9.1-6.50.1 - SUSE OpenStack Cloud Crowbar 8 (noarch): qemu-ipxe-1.0.0+-6.50.1 qemu-seabios-1.10.2_0_g5f4c7b1-6.50.1 qemu-sgabios-8-6.50.1 qemu-vgabios-1.10.2_0_g5f4c7b1-6.50.1 - SUSE OpenStack Cloud 8 (x86_64): qemu-2.9.1-6.50.1 qemu-block-curl-2.9.1-6.50.1 qemu-block-curl-debuginfo-2.9.1-6.50.1 qemu-block-iscsi-2.9.1-6.50.1 
qemu-block-iscsi-debuginfo-2.9.1-6.50.1 qemu-block-rbd-2.9.1-6.50.1 qemu-block-rbd-debuginfo-2.9.1-6.50.1 qemu-block-ssh-2.9.1-6.50.1 qemu-block-ssh-debuginfo-2.9.1-6.50.1 qemu-debugsource-2.9.1-6.50.1 qemu-guest-agent-2.9.1-6.50.1 qemu-guest-agent-debuginfo-2.9.1-6.50.1 qemu-kvm-2.9.1-6.50.1 qemu-lang-2.9.1-6.50.1 qemu-tools-2.9.1-6.50.1 qemu-tools-debuginfo-2.9.1-6.50.1 qemu-x86-2.9.1-6.50.1 qemu-x86-debuginfo-2.9.1-6.50.1 - SUSE OpenStack Cloud 8 (noarch): qemu-ipxe-1.0.0+-6.50.1 qemu-seabios-1.10.2_0_g5f4c7b1-6.50.1 qemu-sgabios-8-6.50.1 qemu-vgabios-1.10.2_0_g5f4c7b1-6.50.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): qemu-2.9.1-6.50.1 qemu-block-curl-2.9.1-6.50.1 qemu-block-curl-debuginfo-2.9.1-6.50.1 qemu-block-iscsi-2.9.1-6.50.1 qemu-block-iscsi-debuginfo-2.9.1-6.50.1 qemu-block-ssh-2.9.1-6.50.1 qemu-block-ssh-debuginfo-2.9.1-6.50.1 qemu-debugsource-2.9.1-6.50.1 qemu-guest-agent-2.9.1-6.50.1 qemu-guest-agent-debuginfo-2.9.1-6.50.1 qemu-lang-2.9.1-6.50.1 qemu-tools-2.9.1-6.50.1 qemu-tools-debuginfo-2.9.1-6.50.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le): qemu-ppc-2.9.1-6.50.1 qemu-ppc-debuginfo-2.9.1-6.50.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): qemu-ipxe-1.0.0+-6.50.1 qemu-seabios-1.10.2_0_g5f4c7b1-6.50.1 qemu-sgabios-8-6.50.1 qemu-vgabios-1.10.2_0_g5f4c7b1-6.50.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): qemu-block-rbd-2.9.1-6.50.1 qemu-block-rbd-debuginfo-2.9.1-6.50.1 qemu-kvm-2.9.1-6.50.1 qemu-x86-2.9.1-6.50.1 qemu-x86-debuginfo-2.9.1-6.50.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): qemu-2.9.1-6.50.1 qemu-block-curl-2.9.1-6.50.1 qemu-block-curl-debuginfo-2.9.1-6.50.1 qemu-block-iscsi-2.9.1-6.50.1 qemu-block-iscsi-debuginfo-2.9.1-6.50.1 qemu-block-ssh-2.9.1-6.50.1 qemu-block-ssh-debuginfo-2.9.1-6.50.1 qemu-debugsource-2.9.1-6.50.1 qemu-guest-agent-2.9.1-6.50.1 qemu-guest-agent-debuginfo-2.9.1-6.50.1 qemu-lang-2.9.1-6.50.1 qemu-tools-2.9.1-6.50.1 
qemu-tools-debuginfo-2.9.1-6.50.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 x86_64): qemu-block-rbd-2.9.1-6.50.1 qemu-block-rbd-debuginfo-2.9.1-6.50.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): qemu-kvm-2.9.1-6.50.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le): qemu-ppc-2.9.1-6.50.1 qemu-ppc-debuginfo-2.9.1-6.50.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64): qemu-arm-2.9.1-6.50.1 qemu-arm-debuginfo-2.9.1-6.50.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64): qemu-x86-2.9.1-6.50.1 qemu-x86-debuginfo-2.9.1-6.50.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): qemu-ipxe-1.0.0+-6.50.1 qemu-seabios-1.10.2_0_g5f4c7b1-6.50.1 qemu-sgabios-8-6.50.1 qemu-vgabios-1.10.2_0_g5f4c7b1-6.50.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x): qemu-s390-2.9.1-6.50.1 qemu-s390-debuginfo-2.9.1-6.50.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): qemu-2.9.1-6.50.1 qemu-block-curl-2.9.1-6.50.1 qemu-block-curl-debuginfo-2.9.1-6.50.1 qemu-block-iscsi-2.9.1-6.50.1 qemu-block-iscsi-debuginfo-2.9.1-6.50.1 qemu-block-rbd-2.9.1-6.50.1 qemu-block-rbd-debuginfo-2.9.1-6.50.1 qemu-block-ssh-2.9.1-6.50.1 qemu-block-ssh-debuginfo-2.9.1-6.50.1 qemu-debugsource-2.9.1-6.50.1 qemu-guest-agent-2.9.1-6.50.1 qemu-guest-agent-debuginfo-2.9.1-6.50.1 qemu-kvm-2.9.1-6.50.1 qemu-lang-2.9.1-6.50.1 qemu-tools-2.9.1-6.50.1 qemu-tools-debuginfo-2.9.1-6.50.1 qemu-x86-2.9.1-6.50.1 qemu-x86-debuginfo-2.9.1-6.50.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): qemu-ipxe-1.0.0+-6.50.1 qemu-seabios-1.10.2_0_g5f4c7b1-6.50.1 qemu-sgabios-8-6.50.1 qemu-vgabios-1.10.2_0_g5f4c7b1-6.50.1 - HPE Helion Openstack 8 (noarch): qemu-ipxe-1.0.0+-6.50.1 qemu-seabios-1.10.2_0_g5f4c7b1-6.50.1 qemu-sgabios-8-6.50.1 qemu-vgabios-1.10.2_0_g5f4c7b1-6.50.1 - HPE Helion Openstack 8 (x86_64): qemu-2.9.1-6.50.1 qemu-block-curl-2.9.1-6.50.1 qemu-block-curl-debuginfo-2.9.1-6.50.1 qemu-block-iscsi-2.9.1-6.50.1 qemu-block-iscsi-debuginfo-2.9.1-6.50.1 qemu-block-rbd-2.9.1-6.50.1 
qemu-block-rbd-debuginfo-2.9.1-6.50.1 qemu-block-ssh-2.9.1-6.50.1 qemu-block-ssh-debuginfo-2.9.1-6.50.1 qemu-debugsource-2.9.1-6.50.1 qemu-guest-agent-2.9.1-6.50.1 qemu-guest-agent-debuginfo-2.9.1-6.50.1 qemu-kvm-2.9.1-6.50.1 qemu-lang-2.9.1-6.50.1 qemu-tools-2.9.1-6.50.1 qemu-tools-debuginfo-2.9.1-6.50.1 qemu-x86-2.9.1-6.50.1 qemu-x86-debuginfo-2.9.1-6.50.1 References: https://www.suse.com/security/cve/CVE-2019-15890.html https://www.suse.com/security/cve/CVE-2020-10756.html https://www.suse.com/security/cve/CVE-2020-13754.html https://www.suse.com/security/cve/CVE-2020-14364.html https://www.suse.com/security/cve/CVE-2020-25707.html https://www.suse.com/security/cve/CVE-2020-25723.html https://www.suse.com/security/cve/CVE-2020-29130.html https://www.suse.com/security/cve/CVE-2020-8608.html https://www.suse.com/security/cve/CVE-2021-20221.html https://www.suse.com/security/cve/CVE-2021-20257.html https://www.suse.com/security/cve/CVE-2021-3419.html https://bugzilla.suse.com/1094725 https://bugzilla.suse.com/1149813 https://bugzilla.suse.com/1163019 https://bugzilla.suse.com/1172380 https://bugzilla.suse.com/1172382 https://bugzilla.suse.com/1175534 https://bugzilla.suse.com/1178683 https://bugzilla.suse.com/1178935 https://bugzilla.suse.com/1179477 https://bugzilla.suse.com/1181933 https://bugzilla.suse.com/1182846 https://bugzilla.suse.com/1182975 From sle-security-updates at lists.suse.com Tue Jun 8 16:55:37 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 8 Jun 2021 18:55:37 +0200 (CEST) Subject: SUSE-SU-2021:1887-1: important: Security update for the Linux Kernel Message-ID: <20210608165537.1A9D5FD07@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1887-1 Rating: important References: #1064802 #1066129 #1087082 #1101816 #1103992 #1104427 #1104745 #1109837 #1112374 
#1113431 #1126390 #1133021 #1152457 #1174682 #1176081 #1177666 #1180552 #1181383 #1182256 #1183738 #1183754 #1183947 #1184040 #1184081 #1184082 #1184611 #1184675 #1184855 #1185428 #1185481 #1185642 #1185680 #1185703 #1185724 #1185758 #1185859 #1185860 #1185863 #1185898 #1185899 #1185906 #1185938 #1186060 #1186062 #1186285 #1186416 #1186439 #1186441 #1186460 #1186484 Cross-References: CVE-2020-24586 CVE-2020-24587 CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2021-23133 CVE-2021-23134 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVE-2021-3491 CVSS scores: CVE-2020-24586 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-24586 (SUSE): 4.7 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N CVE-2020-24587 (NVD) : 2.6 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-24587 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26139 (NVD) : 5.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-26139 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-26141 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26145 (SUSE): 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26147 (NVD) : 5.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N CVE-2021-23133 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23133 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33200 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3491 (SUSE): 7.4 
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 38 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values. (bsc#1186111)
- CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
- CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
- CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key.
  An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
- CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
- CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
- CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)
- CVE-2021-23133: Fixed a race condition in SCTP sockets, which could lead to privilege escalation from the context of a network service or an unprivileged process. (bnc#1184675)

The following non-security bugs were fixed:

- ACPI / hotplug / PCI: Fix reference count leak in enable_slot() (git-fixes). - ACPI: CPPC: Replace cppc_attr with kobj_attribute (git-fixes). - ACPI: GTDT: Do not corrupt interrupt mappings on watchdow probe failure (git-fixes). - ACPI: custom_method: fix a possible memory leak (git-fixes). - ACPI: custom_method: fix potential use-after-free issue (git-fixes). - ACPICA: Enable sleep button on ACPI legacy wake (bsc#1181383). - ALSA: aloop: Fix initialization of controls (git-fixes).
- ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro (git-fixes). - ALSA: core: remove redundant spin_lock pair in snd_card_disconnect (git-fixes). - ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer (git-fixes). - ALSA: hda/conexant: Re-order CX5066 quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Sony quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC882 Acer quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries (git-fixes). - ALSA: hda/realtek: Remove redundant entry for ALC861 Haier/Uniwill devices (git-fixes). - ALSA: hda/realtek: reset eapd coeff to default value for alc287 (git-fixes). - ALSA: hdsp: do not disable if not enabled (git-fixes). - ALSA: hdspm: do not disable if not enabled (git-fixes). - ALSA: line6: Fix racy initialization of LINE6 MIDI (git-fixes). - ALSA: rme9652: do not disable if not enabled (git-fixes). - ALSA: sb: Fix two use after free in snd_sb_qsound_build (git-fixes). - ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX (git-fixes). - ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls (git-fixes). - ALSA: usb: midi: do not return -ENOMEM when usb_urb_ep_type_check fails (git-fixes). - ARM: footbridge: fix PCI interrupt mapping (git-fixes). - ASoC: cs35l33: fix an error code in probe() (git-fixes). - ASoC: cs42l42: Regmap must use_single_read/write (git-fixes). - ASoC: fsl_esai: Fix TDM slot setup for I2S mode (git-fixes). - ASoC: intel: atom: Stop advertising non working S24LE support (git-fixes). - ASoC: rt286: Generalize support for ALC3263 codec (git-fixes). - ASoC: rt286: Make RT286_SET_GPIO_* readable and writable (git-fixes). - ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled for some chips (git-fixes). - Avoid potentially erroneos RST drop (bsc#1183947). 
- Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes). - Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default (git-fixes). - Bluetooth: initialize skb_queue_head at l2cap_chan_create() (git-fixes). - Do not drop out of segments RST if tcp_be_liberal is set (bsc#1183947). - Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185724). - Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185724). - Drivers: hv: vmbus: Use after free in __vmbus_open() (git-fixes). - EDAC/amd64: Gather hardware information early (bsc#1180552). - EDAC/amd64: Make struct amd64_family_type global (bsc#1180552). - EDAC/amd64: Save max number of controllers to family type (bsc#1180552). - HID: alps: fix error return code in alps_input_configured() (git-fixes). - HID: plantronics: Workaround for double volume key presses (git-fixes). - HID: wacom: Assign boolean values to a bool variable (git-fixes). - HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices (git-fixes). - Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices (git-fixes). - Input: i8042 - fix Pegatron C15B ID entry (git-fixes). - Input: nspire-keypad - enable interrupts only when opened (git-fixes). - Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state (git-fixes). - KVM: s390: fix guarded storage control register handling (bsc#1133021). - NFC: fix possible resource leak (git-fixes). - NFC: fix resource leak when target index is invalid (git-fixes). - NFC: nci: fix memory leak in nci_allocate_device (git-fixes). - NFSv4: Replace closed stateids with the "invalid special stateid" (bsc#1185481). - PCI: PM: Do not read power state in pci_enable_device_flags() (git-fixes). - PCI: Release OF node in pci_scan_device()'s error path (git-fixes). - RDMA/hns: Delete redundant condition judgment related to eq (bsc#1104427). - RDMA/srpt: Fix error return code in srpt_cm_req_recv() (bsc#1103992). 
- SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428). - SUNRPC: More fixes for backlog congestion (bsc#1185428). - USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet (git-fixes). - USB: Add reset-resume quirk for WD19's Realtek Hub (git-fixes). - USB: serial: fix return value for unsupported ioctls (git-fixes). - USB: serial: usb_wwan: fix unprivileged TIOCCSERIAL (git-fixes). - USB: trancevibrator: fix control-request direction (git-fixes). - af_packet: fix the tx skb protocol in raw sockets with ETH_P_ALL (bsc#1176081). - ata: libahci_platform: fix IRQ check (git-fixes). - ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices (git-fixes). - backlight: journada720: Fix Wmisleading-indentation warning (git-fixes). - batman-adv: Do not always reallocate the fragmentation skb head (git-fixes). - bluetooth: eliminate the potential race condition when removing the HCI controller (git-fixes). - bnxt_en: Fix PCI AER error recovery flow (git-fixes). - bnxt_en: fix ternary sign extension bug in bnxt_show_temp() (bsc#1104745). - bpf: Fix masking negation logic upon negative dst register (git-fixes). - btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441). - btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439). - bus: qcom: Put child node before return (git-fixes). - cfg80211: remove WARN_ON() in cfg80211_sme_connect (git-fixes). - cfg80211: scan: drop entry from hidden_list on overflow (git-fixes). - clk: exynos7: Mark aclk_fsys1_200 as critical (git-fixes). - clk: fix invalid usage of list cursor in register (git-fixes). - clk: fix invalid usage of list cursor in unregister (git-fixes). - clk: mvebu: armada-37xx-periph: Fix switching CPU freq from 250 Mhz to 1 GHz (git-fixes). - clk: mvebu: armada-37xx-periph: Fix workaround for switching from L1 to L0 (git-fixes). 
- clk: mvebu: armada-37xx-periph: remove .set_parent method for CPU PM clock (git-fixes). - clk: socfpga: fix iomem pointer cast on 64-bit (git-fixes). - clk: uniphier: Fix potential infinite loop (git-fixes). - cpufreq: Add NULL checks to show() and store() methods of cpufreq (bsc#1184040). - cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown (bsc#1184040). - cpufreq: Kconfig: fix documentation links (git-fixes). - cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758). - crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (git-fixes). - crypto: qat - Fix a double free in adf_create_ring (git-fixes). - crypto: qat - do not release uninitialized resources (git-fixes). - crypto: qat - fix error path in adf_isr_resource_alloc() (git-fixes). - cxgb4: Fix unintentional sign extension issues (bsc#1064802 bsc#1066129). - dm: fix redundant IO accounting for bios that need splitting (bsc#1183738). - dmaengine: dw: Make it dependent to HAS_IOMEM (git-fixes). - docs: kernel-parameters: Add gpio_mockup_named_lines (git-fixes). - docs: kernel-parameters: Move gpio-mockup for alphabetic order (git-fixes). - drivers: net: fix memory leak in atusb_probe (git-fixes). - drivers: net: fix memory leak in peak_usb_create_dev (git-fixes). - drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f (git-fixes). - drm/amdgpu: fix NULL pointer dereference (git-fixes). - drm/amdkfd: fix build error with AMD_IOMMU_V2=m (git-fixes). - drm/i915/gvt: Fix error code in intel_gvt_init_device() (git-fixes). - drm/imx: imx-ldb: fix out of bounds array access warning (git-fixes). - drm/meson: fix shutdown crash when component not probed (git-fixes). - drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal (git-fixes). - drm/omap: fix misleading indentation in pixinc() (git-fixes). - drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected (git-fixes). 
- drm/radeon: Fix off-by-one power_state index heap overwrite (git-fixes). - drm/radeon: fix copy of uninitialized variable back to userspace (git-fixes). - e1000e: Fix duplicate include guard (git-fixes). - e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 (git-fixes). - e1000e: add rtnl_lock() to e1000_reset_task (git-fixes). - ethernet:enic: Fix a use after free bug in enic_hard_start_xmit (bsc#1113431). - extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged (git-fixes). - fbdev: zero-fill colormap in fbcmap.c (git-fixes). - ftrace: Handle commands when closing set_ftrace_filter file (git-fixes). - genirq: Reduce irqdebug cacheline bouncing (bsc#1185703 ltc#192641). - gianfar: Handle error code at MAC address change (git-fixes). - gpio: xilinx: Correct kernel doc for xgpio_probe() (git-fixes). - gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 (git-fixes). - i2c: cadence: add IRQ check (git-fixes). - i2c: emev2: add IRQ check (git-fixes). - i2c: i801: Do not generate an interrupt on bus reset (git-fixes). - i2c: i801: Do not generate an interrupt on bus reset (git-fixes). - i2c: jz4780: add IRQ check (git-fixes). - i2c: s3c2410: fix possible NULL pointer deref on read message after write (git-fixes). - i2c: sh7760: add IRQ check (git-fixes). - i2c: sh7760: fix IRQ error path (git-fixes). - i40e: Added Asym_Pause to supported link modes (git-fixes). - i40e: Fix PHY type identifiers for 2.5G and 5G adapters (jsc#SLE-4797). - i40e: Fix sparse errors in i40e_txrx.c (git-fixes). - i40e: Fix use-after-free in i40e_client_subtask() (bsc#1101816 ). - i40e: fix broken XDP support (git-fixes). - i40e: fix the panic when running bpf in xdpdrv mode (git-fixes). - i40e: fix the restart auto-negotiation after FEC modified (jsc#SLE-4797). - ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043). - ibmvfc: Handle move login failure (bsc#1185938 ltc#192043). 
- ibmvfc: Reinit target retries (bsc#1185938 ltc#192043). - ibmvnic: remove default label from to_string switch (bsc#1152457 ltc#174432 git-fixes). - igb: Fix duplicate include guard (git-fixes). - igb: check timestamp validity (git-fixes). - iio: adc: ad7793: Add missing error code in ad7793_setup() (git-fixes). - iio: gyro: mpu3050: Fix reported temperature value (git-fixes). - iio: proximity: pulsedlight: Fix rumtime PM imbalance on error (git-fixes). - iio: tsl2583: Fix division by a zero lux_val (git-fixes). - intel_th: Consistency and off-by-one fix (git-fixes). - ipmi/watchdog: Stop watchdog timer when the current action is 'none' (bsc#1184855). - ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() (git-fixes). - kABI: powerpc/64: add back start_tb and accum_tb to thread_struct. - kabi: preserve struct header_ops after bsc#1176081 fix (bsc#1176081). - leds: lp5523: check return value of lp5xx_read and jump to cleanup code (git-fixes). - liquidio: Fix unintented sign extension of a left shift of a u16 (git-fixes). - mac80211: bail out if cipher schemes are invalid (git-fixes). - mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN (git-fixes). - mac80211: clear the beacon's CRC after channel switch (git-fixes). - macvlan: macvlan_count_rx() needs to be aware of preemption (git-fixes). - md-cluster: fix use-after-free issue when removing rdev (bsc#1184082). - md/raid1: properly indicate failure when ending a failed write request (bsc#1185680). - md: do not flush workqueue unconditionally in md_open (bsc#1184081). - md: factor out a mddev_find_locked helper from mddev_find (bsc#1184081). - md: md_open returns -EBUSY when entering racing area (bsc#1184081). - md: split mddev_find (bsc#1184081). - media: adv7604: fix possible use-after-free in adv76xx_remove() (git-fixes). - media: dvb-usb: fix memory leak in dvb_usb_adapter_init (git-fixes). - media: dvbdev: Fix memory leak in dvb_media_device_free() (git-fixes). 
- media: em28xx: fix memory leak (git-fixes). - media: gspca/sq905.c: fix uninitialized variable (git-fixes). - media: i2c: adv7842: fix possible use-after-free in adv7842_remove() (git-fixes). - media: ite-cir: check for receive overflow (git-fixes). - media: m88rs6000t: avoid potential out-of-bounds reads on arrays (git-fixes). - media: media/saa7164: fix saa7164_encoder_register() memory leak bugs (git-fixes). - media: omap4iss: return error code when omap4iss_get() failed (git-fixes). - mfd: lpc_sch: Partially revert "Add support for Intel Quark X1000" (git-fixes). - mfd: stm32-timers: Avoid clearing auto reload register (git-fixes). - misc/uss720: fix memory leak in uss720_probe (git-fixes). - misc: lis3lv02d: Fix false-positive WARN on various HP models (git-fixes). - misc: vmw_vmci: explicitly initialize vmci_datagram payload (git-fixes). - misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct (git-fixes). - mlxsw: spectrum_mr: Update egress RIF list before route's action (bsc#1112374). - mm: mempolicy: fix potential pte_unmap_unlock pte error (bsc#1185906). - mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified (bsc#1185906). - mmc: block: Update ext_csd.cache_ctrl if it was written (git-fixes). - mmc: core: Correct descriptions in mmc_of_parse() (git-fixes). - mmc: core: Do a power cycle when the CMD11 fails (git-fixes). - mmc: core: Set read only for SD cards with permanent write protect bit (git-fixes). - mmc: mmc_spi: Drop unused NO_IRQ definition (git-fixes). - mt7601u: fix always true expression (git-fixes). - mtd: require write permissions for locking and badblock ioctls (git-fixes). - net, xdp: Update pkt_type if generic XDP changes unicast MAC (bsc#1109837). - net/ethernet: Add parse_protocol header_ops support (bsc#1176081). - net/mlx4_en: update moderation when config reset (git-fixes). - net/mlx5e: Fix error path for ethtool set-priv-flag (git-fixes). 
- net/mlx5e: Remove the wrong assumption about transport offset (bsc#1176081). - net/mlx5e: Trust kernel regarding transport offset (bsc#1176081). - net/packet: Ask driver for protocol if not provided by user (bsc#1176081). - net/packet: Remove redundant skb->protocol set (bsc#1176081). - net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template (git-fixes). - net: Do not set transport offset to invalid value (bsc#1176081). - net: Introduce parse_protocol header_ops callback (bsc#1176081). - net: enic: Cure the enic api locking trainwreck (git-fixes). - net: hns3: Fix for geneve tx checksum bug (bsc#1104353 ). - net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() (bsc#1104353). - net: hns3: disable phy loopback setting in hclge_mac_start_phy (bsc#1104353). - net: hns3: fix for vxlan gpe tx checksum bug (bsc#1104353 ). - net: hns3: fix incorrect configuration for igu_egu_hw_err (bsc#1104353). - net: hns3: initialize the message content in hclge_get_link_mode() (bsc#1126390). - net: hns3: use netif_tx_disable to stop the transmit queue (bsc#1104353). - net: phy: intel-xway: enable integrated led functions (git-fixes). - net: qed: RDMA personality shouldn't fail VF load (git-fixes). - net: thunderx: Fix unintentional sign extension issue (git-fixes). - net: usb: fix memory leak in smsc75xx_bind (git-fixes). - netdevice: Add missing IFF_PHONY_HEADROOM self-definition (git-fixes). - netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950). - netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950). - netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950). - netfilter: conntrack: tcp: only close if RST matches exact sequence (bsc#1183947 bsc#1185950). - nfc: pn533: prevent potential memory corruption (git-fixes). - nvme-fc: clear q_live at beginning of association teardown (git-fixes). 
- nvme-loop: Introduce no merge flag for biovec (bsc#1174682). - pata_arasan_cf: fix IRQ check (git-fixes). - pata_ipx4xx_cf: fix IRQ check (git-fixes). - pcnet32: Use pci_resource_len to validate PCI resource (git-fixes). - phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y, unconditionally (git-fixes). - phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() (git-fixes). - pinctrl: core: Fix kernel doc string for pin_get_name() (git-fixes). - pinctrl: lewisburg: Update number of pins in community (git-fixes). - pinctrl: samsung: use 'int' for register masks in Exynos (git-fixes). - platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue (git-fixes). - platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards with critclk_systems DMI table (git-fixes). - platform/x86: thinkpad_acpi: Correct thermal sensor allocation (git-fixes). - power: supply: Use IRQF_ONESHOT (git-fixes). - power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() (git-fixes). - power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() (git-fixes). - powerpc/64: remove start_tb and accum_tb from thread_struct (bsc#1186487 ltc#177613). - powerpc/64s: Fix crashes when toggling entry flush barrier (bsc#1177666 git-fixes). - powerpc/64s: Fix crashes when toggling stf barrier (bsc#1087082 git-fixes). - powerpc/pseries: lparcfg calculate PURR on demand (bsc#1186487 ltc#177613). - regulator: bd9571mwv: Fix AVS and DVFS voltage range (git-fixes). - rsxx: remove extraneous 'const' qualifier (git-fixes). - rtc: ds1307: Fix wday settings for rx8130 (git-fixes). - rtlwifi: 8821ae: upgrade PHY and RF parameters (git-fixes). - s390/dasd: fix hanging DASD driver unbind (bsc#1183754 LTC#192081). - s390/dasd: fix hanging IO request during DASD driver unbind (bsc#1183754 LTC#192081). - s390/entry: save the caller of psw_idle (bsc#1185677). - s390/kdump: fix out-of-memory with PCI (bsc#1182256 LTC#191375). 
- sata_mv: add IRQ checks (git-fixes). - scsi: core: Run queue in case of I/O resource contention failure (bsc#1186416). - scsi: libfc: Avoid invoking response handler twice if ep is already completed (bsc#1186573). - scsi: lpfc: Add a option to enable interlocked ABTS before job completion (bsc#1186452). - scsi: lpfc: Add ndlp kref accounting for resume RPI path (bsc#1186452). - scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology (bsc#1186452). - scsi: lpfc: Fix Node recovery when driver is handling simultaneous PLOGIs (bsc#1186452). - scsi: lpfc: Fix bad memory access during VPD DUMP mailbox command (bsc#1186452). - scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs (bsc#1186452). - scsi: lpfc: Fix node handling for Fabric Controller and Domain Controller (bsc#1186452). - scsi: lpfc: Fix non-optimized ERSP handling (bsc#1186452). - scsi: lpfc: Fix unreleased RPIs when NPIV ports are created (bsc#1186452). - scsi: lpfc: Ignore GID-FT response that may be received after a link flip (bsc#1186452). - scsi: lpfc: Reregister FPIN types if ELS_RDF is received from fabric controller (bsc#1186452). - scsi: lpfc: Update lpfc version to 12.8.0.10 (bsc#1186452). - scsi: qla2xxx: Prevent PRLI in target mode (git-fixes). - serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (git-fixes). - serial: stm32: fix incorrect characters on console (git-fixes). - smc: disallow TCP_ULP in smc_setsockopt() (bsc#1109837). - soc: qcom: mdt_loader: Validate that p_filesz < p_memsz (git-fixes). - spi: dln2: Fix reference leak to master (git-fixes). - spi: omap-100k: Fix reference leak to master (git-fixes). - spi: spi-ti-qspi: Free DMA resources (git-fixes). - staging: emxx_udc: fix loop in _nbu2ss_nuke() (git-fixes). - staging: iio: cdc: ad7746: avoid overwrite of num_channels (git-fixes). - staging: rtl8192u: Fix potential infinite loop (git-fixes). - tcp: fix to update snd_wl1 in bulk receiver fast path (bsc#1185827). 
- thermal/drivers/ti-soc-thermal/bandgap Remove unused variable 'val' (git-fixes). - thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (git-fixes). - tpm: fix error return code in tpm2_get_cc_attrs_tbl() (git-fixes). - tracing: Map all PIDs to command lines (git-fixes). - uio: uio_hv_generic: use devm_kzalloc() for private data alloc (git-fixes). - uio_hv_generic: Fix a memory leak in error handling paths (git-fixes). - uio_hv_generic: Fix another memory leak in error handling paths (git-fixes). - uio_hv_generic: add missed sysfs_remove_bin_file (git-fixes). - usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes). - usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes). - usb: dwc3: gadget: Fix START_TRANSFER link state check (git-fixes). - usb: dwc3: omap: improve extcon initialization (git-fixes). - usb: fotg210-hcd: Fix an error message (git-fixes). - usb: sl811-hcd: improve misleading indentation (git-fixes). - usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS (git-fixes). - usb: xhci: Fix port minor revision (git-fixes). - usb: xhci: Increase timeout for HC halt (git-fixes). - usb: xhci: Increase timeout for HC halt (git-fixes). - vgacon: Record video mode changes with VT_RESIZEX (git-fixes). - video: hyperv_fb: Add ratelimit on error message (bsc#1185724). - vsock/vmci: log once the failed queue pair allocation (git-fixes). - wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join (git-fixes). - wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt (git-fixes). - xhci: Do not use GFP_KERNEL in (potentially) atomic context (git-fixes). - xsk: Respect device's headroom and tailroom on generic xmit path (bsc#1109837). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1887=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (x86_64):

  kernel-azure-4.12.14-16.59.1
  kernel-azure-base-4.12.14-16.59.1
  kernel-azure-base-debuginfo-4.12.14-16.59.1
  kernel-azure-debuginfo-4.12.14-16.59.1
  kernel-azure-debugsource-4.12.14-16.59.1
  kernel-azure-devel-4.12.14-16.59.1
  kernel-syms-azure-4.12.14-16.59.1

- SUSE Linux Enterprise Server 12-SP5 (noarch):

  kernel-devel-azure-4.12.14-16.59.1
  kernel-source-azure-4.12.14-16.59.1

References:

https://www.suse.com/security/cve/CVE-2020-24586.html
https://www.suse.com/security/cve/CVE-2020-24587.html
https://www.suse.com/security/cve/CVE-2020-26139.html
https://www.suse.com/security/cve/CVE-2020-26141.html
https://www.suse.com/security/cve/CVE-2020-26145.html
https://www.suse.com/security/cve/CVE-2020-26147.html
https://www.suse.com/security/cve/CVE-2021-23133.html
https://www.suse.com/security/cve/CVE-2021-23134.html
https://www.suse.com/security/cve/CVE-2021-32399.html
https://www.suse.com/security/cve/CVE-2021-33034.html
https://www.suse.com/security/cve/CVE-2021-33200.html
https://www.suse.com/security/cve/CVE-2021-3491.html
https://bugzilla.suse.com/1064802
https://bugzilla.suse.com/1066129
https://bugzilla.suse.com/1087082
https://bugzilla.suse.com/1101816
https://bugzilla.suse.com/1103992
https://bugzilla.suse.com/1104427
https://bugzilla.suse.com/1104745
https://bugzilla.suse.com/1109837
https://bugzilla.suse.com/1112374
https://bugzilla.suse.com/1113431
https://bugzilla.suse.com/1126390
https://bugzilla.suse.com/1133021
https://bugzilla.suse.com/1152457
https://bugzilla.suse.com/1174682
https://bugzilla.suse.com/1176081
https://bugzilla.suse.com/1177666
https://bugzilla.suse.com/1180552
https://bugzilla.suse.com/1181383
https://bugzilla.suse.com/1182256
https://bugzilla.suse.com/1183738
https://bugzilla.suse.com/1183754
https://bugzilla.suse.com/1183947
https://bugzilla.suse.com/1184040
https://bugzilla.suse.com/1184081
https://bugzilla.suse.com/1184082
https://bugzilla.suse.com/1184611
https://bugzilla.suse.com/1184675
https://bugzilla.suse.com/1184855
https://bugzilla.suse.com/1185428
https://bugzilla.suse.com/1185481
https://bugzilla.suse.com/1185642
https://bugzilla.suse.com/1185680
https://bugzilla.suse.com/1185703
https://bugzilla.suse.com/1185724
https://bugzilla.suse.com/1185758
https://bugzilla.suse.com/1185859
https://bugzilla.suse.com/1185860
https://bugzilla.suse.com/1185863
https://bugzilla.suse.com/1185898
https://bugzilla.suse.com/1185899
https://bugzilla.suse.com/1185906
https://bugzilla.suse.com/1185938
https://bugzilla.suse.com/1186060
https://bugzilla.suse.com/1186062
https://bugzilla.suse.com/1186285
https://bugzilla.suse.com/1186416
https://bugzilla.suse.com/1186439
https://bugzilla.suse.com/1186441
https://bugzilla.suse.com/1186460
https://bugzilla.suse.com/1186484

From sle-security-updates at lists.suse.com Tue Jun 8 17:03:25 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 8 Jun 2021 19:03:25 +0200 (CEST)
Subject: SUSE-SU-2021:1889-1: important: Security update for the Linux Kernel
Message-ID: <20210608170325.0CC60FD07@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1889-1
Rating: important
References: #1087082 #1133021 #1152457 #1152489 #1155518 #1156395 #1162702 #1164648 #1176564 #1177666 #1178418 #1178612 #1179827 #1179851 #1182378 #1182999 #1183346 #1183868 #1183873 #1183932 #1183947 #1184081 #1184082 #1184611 #1184855 #1185428 #1185497 #1185589 #1185606 #1185645 #1185677 #1185680 #1185696 #1185703 #1185725 #1185758 #1185859 #1185861 #1185863 #1185898 #1185899 #1185911 #1185938 #1185987 #1185988 #1186061 #1186285 #1186320 #1186439 #1186441 #1186460 #1186498 #1186501 #1186573
Cross-References:
CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2021-23134 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVE-2021-3491
CVSS scores:
CVE-2020-24586 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2020-24586 (SUSE): 4.7 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
CVE-2020-24587 (NVD) : 2.6 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE-2020-24587 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE-2020-24588 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2020-24588 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-26139 (NVD) : 5.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-26139 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2020-26141 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE-2020-26145 (SUSE): 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE-2020-26147 (NVD) : 5.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-33200 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-3491 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products: SUSE Linux Enterprise Module for Realtime 15-SP2
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 42 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP2 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values. (bsc#1186111)
- CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
- CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
- CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
- CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext.
  This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
- CVE-2020-24588: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (bnc#1185861)
- CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
- CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)

The following non-security bugs were fixed:

- ACPI / hotplug / PCI: Fix reference count leak in enable_slot() (git-fixes). - ACPI: GTDT: Do not corrupt interrupt mappings on watchdow probe failure (git-fixes). - ACPI: custom_method: fix a possible memory leak (git-fixes). - ACPI: custom_method: fix potential use-after-free issue (git-fixes). - ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro (git-fixes). - ALSA: bebob: enable to deliver MIDI messages for multiple ports (git-fixes). - ALSA: dice: fix stream format at middle sampling rate for Alesis iO 26 (git-fixes).
- ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency (git-fixes). - ALSA: firewire-lib: fix calculation for size of IR context payload (git-fixes). - ALSA: firewire-lib: fix check for the size of isochronous packet payload (git-fixes). - ALSA: hda/conexant: Re-order CX5066 quirk table entries (git-fixes). - ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is unreachable (git-fixes). - ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293 (git-fixes). - ALSA: hda/realtek: Headphone volume is controlled by Front mixer (git-fixes). - ALSA: hda/realtek: reset eapd coeff to default value for alc287 (git-fixes). - ALSA: hda: fixup headset for ASUS GU502 laptop (git-fixes). - ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP (git-fixes). - ALSA: hdsp: do not disable if not enabled (git-fixes). - ALSA: hdspm: do not disable if not enabled (git-fixes). - ALSA: intel8x0: Do not update period unless prepared (git-fixes). - ALSA: line6: Fix racy initialization of LINE6 MIDI (git-fixes). - ALSA: rme9652: do not disable if not enabled (git-fixes). - ALSA: usb-audio: Validate MS endpoint descriptors (git-fixes). - ALSA: usb-audio: fix control-request direction (git-fixes). - ALSA: usb-audio: scarlett2: Fix device hang with ehci-pci (git-fixes). - ALSA: usb-audio: scarlett2: Improve driver startup messages (git-fixes). - ALSA: usb-audio: scarlett2: snd_scarlett_gen2_controls_create() can be static (git-fixes). - ARM64: vdso32: Install vdso32 from vdso_install (git-fixes). - ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet (git-fixes). - ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF (git-fixes). - ASoC: cs35l33: fix an error code in probe() (git-fixes). - ASoC: cs42l42: Regmap must use_single_read/write (git-fixes). - ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() (git-fixes). - ASoC: rsnd: core: Check convert rate in rsnd_hw_params (git-fixes). 
- ASoC: rt286: Generalize support for ALC3263 codec (git-fixes). - ASoC: rt286: Make RT286_SET_GPIO_* readable and writable (git-fixes). - Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS (git-fixes). - Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes). - Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default (git-fixes). - Bluetooth: check for zapped sk before connecting (git-fixes). - Bluetooth: initialize skb_queue_head at l2cap_chan_create() (git-fixes). - Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2 VM (git-fixes). - Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725). - Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725). - Drivers: hv: vmbus: Use after free in __vmbus_open() (git-fixes). - Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices (git-fixes). - Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state (git-fixes). - KVM: s390: fix guarded storage control register handling (bsc#1133021). - Move upstreamed media fixes into sorted section - NFC: nci: fix memory leak in nci_allocate_device (git-fixes). - PCI/RCEC: Fix RCiEP device to RCEC association (git-fixes). - PCI: Allow VPD access for QLogic ISP2722 (git-fixes). - PCI: PM: Do not read power state in pci_enable_device_flags() (git-fixes). - PCI: Release OF node in pci_scan_device()'s error path (git-fixes). - PCI: endpoint: Fix missing destroy_workqueue() (git-fixes). - PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() (git-fixes). - PCI: thunder: Fix compile testing (git-fixes). - PM / devfreq: Use more accurate returned new_freq as resume_freq (git-fixes). - RDMA/addr: create addr_wq with WQ_MEM_RECLAIM flag (bsc#1183346). - RDMA/core: create ib_cm with WQ_MEM_RECLAIM flag (bsc#1183346). - RDMA/hns: Delete redundant abnormal interrupt status (git-fixes). - RDMA/hns: Delete redundant condition judgment related to eq (git-fixes). 
- RDMA/qedr: Fix error return code in qedr_iw_connect() (jsc#SLE-8215). - RDMA/srpt: Fix error return code in srpt_cm_req_recv() (git-fixes). - SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428). - SUNRPC: More fixes for backlog congestion (bsc#1185428). - USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet (git-fixes). - USB: Add reset-resume quirk for WD19's Realtek Hub (git-fixes). - USB: serial: pl2303: add support for PL2303HXN (bsc#1186320). - USB: serial: pl2303: fix line-speed handling on newer chips (bsc#1186320). - USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check (git-fixes). - USB: trancevibrator: fix control-request direction (git-fixes). - amdgpu: avoid incorrect %hu format string (git-fixes). - arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory (git-fixes). - arm64: Add missing ISB after invalidating TLB in __primary_switch (git-fixes). - arm64: avoid -Woverride-init warning (git-fixes). - arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL (git-fixes). - arm64: kdump: update ppos when reading elfcorehdr (git-fixes). - arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails (git-fixes). - arm64: link with -z norelro for LLD or aarch64-elf (git-fixes). - arm64: link with -z norelro regardless of CONFIG_RELOCATABLE (git-fixes). - arm64: ptrace: Fix seccomp of traced syscall -1 (NO_SYSCALL) (git-fixes). - arm64: ptrace: Use NO_SYSCALL instead of -1 in syscall_trace_enter() (git-fixes). - arm64: vdso32: make vdso32 install conditional (git-fixes). - arm: mm: use __pfn_to_section() to get mem_section (git-fixes). - ata: ahci: Disable SXS for Hisilicon Kunpeng920 (git-fixes). - blk-iocost: ioc_pd_free() shouldn't assume irq disabled (git-fixes). - blk-mq: Swap two calls in blk_mq_exit_queue() (git-fixes). - block/genhd: use atomic_t for disk_event->block (bsc#1185497). - block: Fix three kernel-doc warnings (git-fixes). - block: fix get_max_io_size() (git-fixes). 
- bnxt_en: Fix RX consumer index logic in the error path (git-fixes). - bnxt_en: fix ternary sign extension bug in bnxt_show_temp() (git-fixes). - bpf: Fix leakage of uninitialized bpf stack under speculation (bsc#1155518). - bpf: Fix masking negation logic upon negative dst register (bsc#1155518). - btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441). - btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439). - cdc-wdm: untangle a circular dependency between callback and softint (git-fixes). - cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom (git-fixes). - cdrom: gdrom: initialize global variable at init time (git-fixes). - ceph: do not clobber i_snap_caps on non-I_NEW inode (bsc#1186501). - ceph: fix inode leak on getattr error in __fh_to_dentry (bsc#1186501). - ceph: fix up error handling with snapdirs (bsc#1186501). - ceph: only check pool permissions for regular files (bsc#1186501). - cfg80211: scan: drop entry from hidden_list on overflow (git-fixes). - clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return (git-fixes). - cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758). - crypto: api - check for ERR pointers in crypto_destroy_tfm() (git-fixes). - crypto: mips/poly1305 - enable for all MIPS processors (git-fixes). - crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (git-fixes). - crypto: qat - Fix a double free in adf_create_ring (git-fixes). - crypto: qat - do not release uninitialized resources (git-fixes). - crypto: qat - fix error path in adf_isr_resource_alloc() (git-fixes). - crypto: qat - fix unmap invalid dma address (git-fixes). - crypto: stm32/cryp - Fix PM reference leak on stm32-cryp.c (git-fixes). - crypto: stm32/hash - Fix PM reference leak on stm32-hash.c (git-fixes). - cxgb4: Fix unintentional sign extension issues (git-fixes). - dm: avoid filesystem lookup in dm_get_dev_t() (git-fixes). 
- dmaengine: dw-edma: Fix crash on loading/unloading driver (git-fixes). - docs: kernel-parameters: Add gpio_mockup_named_lines (git-fixes). - docs: kernel-parameters: Move gpio-mockup for alphabetic order (git-fixes). - drivers: hv: Fix whitespace errors (bsc#1185725). - drm/amd/display: Fix UBSAN warning for not a valid value for type '_Bool' (git-fixes). - drm/amd/display: Fix two cursor duplication when using overlay (git-fixes). - drm/amd/display: Force vsync flip when reconfiguring MPCC (git-fixes). - drm/amd/display: Reject non-zero src_y and src_x for video planes (git-fixes). - drm/amd/display: fix dml prefetch validation (git-fixes). - drm/amd/display: fixed divide by zero kernel crash during dsc enablement (git-fixes). - drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f (git-fixes). - drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang (git-fixes). - drm/amdgpu: fix NULL pointer dereference (git-fixes). - drm/amdgpu: mask the xgmi number of hops reported from psp to kfd (git-fixes). - drm/amdkfd: Fix cat debugfs hang_hws file causes system crash bug (git-fixes). - drm/i915: Avoid div-by-zero on gen2 (git-fixes). - drm/meson: fix shutdown crash when component not probed (git-fixes). - drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal (git-fixes). - drm/msm/mdp5: Do not multiply vclk line count by 100 (git-fixes). - drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected (git-fixes). - drm/radeon: Avoid power table parsing memory leaks (git-fixes). - drm/radeon: Fix off-by-one power_state index heap overwrite (git-fixes). - drm/vkms: fix misuse of WARN_ON (git-fixes). - drm: Added orientation quirk for OneGX1 Pro (git-fixes). - ethernet:enic: Fix a use after free bug in enic_hard_start_xmit (git-fixes). - extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged (git-fixes). - extcon: arizona: Fix various races on driver unbind (git-fixes). 
- fbdev: zero-fill colormap in fbcmap.c (git-fixes). - firmware: arm_scpi: Prevent the ternary sign expansion bug (git-fixes). - fs/epoll: restore waking from ep_done_scan() (bsc#1183868). - ftrace: Handle commands when closing set_ftrace_filter file (git-fixes). - futex: Change utime parameter to be 'const ... *' (git-fixes). - futex: Do not apply time namespace adjustment on FUTEX_LOCK_PI (bsc#1164648). - futex: Get rid of the val2 conditional dance (git-fixes). - futex: Make syscall entry points less convoluted (git-fixes). - genirq/irqdomain: Do not try to free an interrupt that has no (git-fixes) - genirq: Disable interrupts for force threaded handlers (git-fixes) - genirq: Reduce irqdebug cacheline bouncing (bsc#1185703 ltc#192641). - gpio: xilinx: Correct kernel doc for xgpio_probe() (git-fixes). - gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 (git-fixes). - hrtimer: Update softirq_expires_next correctly after (git-fixes) - hwmon: (occ) Fix poll rate limiting (git-fixes). - i2c: Add I2C_AQ_NO_REP_START adapter quirk (git-fixes). - i2c: bail out early when RDWR parameters are wrong (git-fixes). - i2c: i801: Do not generate an interrupt on bus reset (git-fixes). - i2c: s3c2410: fix possible NULL pointer deref on read message after write (git-fixes). - i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E (git-fixes). - i40e: Fix PHY type identifiers for 2.5G and 5G adapters (git-fixes). - i40e: Fix use-after-free in i40e_client_subtask() (git-fixes). - i40e: fix broken XDP support (git-fixes). - i40e: fix the restart auto-negotiation after FEC modified (git-fixes). - ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043). - ibmvfc: Handle move login failure (bsc#1185938 ltc#192043). - ibmvfc: Reinit target retries (bsc#1185938 ltc#192043). - ibmvnic: remove default label from to_string switch (bsc#1152457 ltc#174432 git-fixes). - ics932s401: fix broken handling of errors when word reading fails (git-fixes). 
- iio: adc: ad7124: Fix missbalanced regulator enable / disable on error (git-fixes). - iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers (git-fixes). - iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp() (git-fixes). - iio: adc: ad7793: Add missing error code in ad7793_setup() (git-fixes). - iio: gyro: fxas21002c: balance runtime power in error path (git-fixes). - iio: gyro: mpu3050: Fix reported temperature value (git-fixes). - iio: proximity: pulsedlight: Fix rumtime PM imbalance on error (git-fixes). - iio: tsl2583: Fix division by a zero lux_val (git-fixes). - intel_th: Consistency and off-by-one fix (git-fixes). - iommu/amd: Add support for map/unmap_resource (jsc#ECO-3482). - ipc/mqueue, msg, sem: Avoid relying on a stack reference past its expiry (bsc#1185988). - ipmi/watchdog: Stop watchdog timer when the current action is 'none' (bsc#1184855). - kernel-docs.spec.in: Build using an utf-8 locale. Sphinx cannot handle UTF-8 input in non-UTF-8 locale. - leds: lp5523: check return value of lp5xx_read and jump to cleanup code (git-fixes). - locking/seqlock: Tweak DEFINE_SEQLOCK() kernel doc (bsc#1176564 bsc#1162702). - lpfc: Decouple port_template and vport_template (bsc#185032). - mac80211: clear the beacon's CRC after channel switch (git-fixes). - md-cluster: fix use-after-free issue when removing rdev (bsc#1184082). - md/raid1: properly indicate failure when ending a failed write request (bsc#1185680). - md: do not flush workqueue unconditionally in md_open (bsc#1184081). - md: factor out a mddev_find_locked helper from mddev_find (bsc#1184081). - md: md_open returns -EBUSY when entering racing area (bsc#1184081). - md: split mddev_find (bsc#1184081). - media: adv7604: fix possible use-after-free in adv76xx_remove() (git-fixes). - media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB (git-fixes). - media: dvb-usb: fix memory leak in dvb_usb_adapter_init (git-fixes). 
- media: em28xx: fix memory leak (git-fixes). - media: gspca/sq905.c: fix uninitialized variable (git-fixes). - media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() (git-fixes). - media: i2c: adv7842: fix possible use-after-free in adv7842_remove() (git-fixes). - media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove() (git-fixes). - media: imx: capture: Return -EPIPE from __capture_legacy_try_fmt() (git-fixes). - media: ite-cir: check for receive overflow (git-fixes). - media: media/saa7164: fix saa7164_encoder_register() memory leak bugs (git-fixes). - media: platform: sti: Fix runtime PM imbalance in regs_show (git-fixes). - media: tc358743: fix possible use-after-free in tc358743_remove() (git-fixes). - mfd: arizona: Fix rumtime PM imbalance on error (git-fixes). - misc/uss720: fix memory leak in uss720_probe (git-fixes). - mlxsw: spectrum_mr: Update egress RIF list before route's action (git-fixes). - mm: memcontrol: fix cpuhotplug statistics flushing (bsc#1185606). - mmc: block: Update ext_csd.cache_ctrl if it was written (git-fixes). - mmc: core: Do a power cycle when the CMD11 fails (git-fixes). - mmc: core: Set read only for SD cards with permanent write protect bit (git-fixes). - mmc: sdhci-pci-gli: increase 1.8V regulator wait (git-fixes). - mmc: sdhci-pci: Add PCI IDs for Intel LKF (git-fixes). - mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers (git-fixes). - mmc: sdhci: Check for reset prior to DMA address unmap (git-fixes). - net, xdp: Update pkt_type if generic XDP changes unicast MAC (git-fixes). - net: enetc: fix link error again (git-fixes). - net: hns3: Fix for geneve tx checksum bug (git-fixes). - net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() (git-fixes). - net: hns3: clear unnecessary reset request in hclge_reset_rebuild (git-fixes). - net: hns3: disable phy loopback setting in hclge_mac_start_phy (git-fixes). 
- net: hns3: fix for vxlan gpe tx checksum bug (git-fixes). - net: hns3: fix incorrect configuration for igu_egu_hw_err (git-fixes). - net: hns3: initialize the message content in hclge_get_link_mode() (git-fixes). - net: hns3: use netif_tx_disable to stop the transmit queue (git-fixes). - net: thunderx: Fix unintentional sign extension issue (git-fixes). - net: usb: fix memory leak in smsc75xx_bind (git-fixes). - net: xfrm: Localize sequence counter per network namespace (bsc#1185696). - net: xfrm: Use sequence counter with associated spinlock (bsc#1185696). - netdevice: Add missing IFF_PHONY_HEADROOM self-definition (git-fixes). - netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950). - netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950). - netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950). - nvme-core: add cancel tagset helpers (bsc#1183976). - nvme-fabrics: decode host pathing error for connect (bsc#1179827). - nvme-fc: check sgl supported by target (bsc#1179827). - nvme-fc: clear q_live at beginning of association teardown (bsc#1186479). - nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted (bsc#1184259). - nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange() (bsc#1184259). - nvme-fc: short-circuit reconnect retries (bsc#1179827). - nvme-multipath: fix double initialization of ANA state (bsc#1178612, bsc#1184259). - nvme-multipath: reset bdev to ns head when failover (bsc#178378 bsc#1182999). - nvme-pci: Remove tag from process cq (git-fixes). - nvme-pci: Remove two-pass completions (git-fixes). - nvme-pci: Simplify nvme_poll_irqdisable (git-fixes). - nvme-pci: align io queue count with allocted nvme_queue in (git-fixes). - nvme-pci: avoid race between nvme_reap_pending_cqes() and nvme_poll() (git-fixes). - nvme-pci: dma read memory barrier for completions (git-fixes). - nvme-pci: fix "slimmer CQ head update" (git-fixes). 
- nvme-pci: make sure write/poll_queues less or equal then cpu (git-fixes). - nvme-pci: remove last_sq_tail (git-fixes). - nvme-pci: remove volatile cqes (git-fixes). - nvme-pci: slimmer CQ head update (git-fixes). - nvme-pci: use simple suspend when a HMB is enabled (git-fixes). - nvme-tcp: Fix possible race of io_work and direct send (git-fixes). - nvme-tcp: Fix warning with CONFIG_DEBUG_PREEMPT (git-fixes). - nvme-tcp: add clean action for failed reconnection (bsc#1183976). - nvme-tcp: fix kconfig dependency warning when !CRYPTO (git-fixes). - nvme-tcp: fix misuse of __smp_processor_id with preemption (git-fixes). - nvme-tcp: fix possible hang waiting for icresp response (bsc#1179519). - nvme-tcp: use cancel tagset helper for tear down (bsc#1183976). - nvme: Fix NULL dereference for pci nvme controllers (bsc#1182378). - nvme: add 'kato' sysfs attribute (bsc#1179825). - nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() (bsc#1184259). - nvme: define constants for identification values (git-fixes). - nvme: do not intialize hwmon for discovery controllers (bsc#1184259). - nvme: do not intialize hwmon for discovery controllers (git-fixes). - nvme: document nvme controller states (git-fixes). - nvme: explicitly update mpath disk capacity on revalidation (git-fixes). - nvme: expose reconnect_delay and ctrl_loss_tmo via sysfs (bsc#1182378). - nvme: fix controller instance leak (git-fixes). - nvme: fix deadlock in disconnect during scan_work and/or ana_work (git-fixes). - nvme: fix possible deadlock when I/O is blocked (git-fixes). - nvme: remove superfluous else in nvme_ctrl_loss_tmo_store (bsc#1182378). - nvme: retrigger ANA log update if group descriptor isn't found (git-fixes) - nvme: sanitize KATO setting (bsc#1179825). - nvme: simplify error logic in nvme_validate_ns() (bsc#1184259). - nvmet: fix a memory leak (git-fixes). - nvmet: seset ns->file when open fails (bsc#1183873). - nvmet: use new ana_log_size instead the old one (bsc#1184259). 
- nxp-i2c: restore includes for kABI (bsc#1185589). - nxp-nci: add NXP1002 id (bsc#1185589). - phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() (git-fixes). - pinctrl: ingenic: Improve unreachable code generation (git-fixes). - pinctrl: samsung: use 'int' for register masks in Exynos (git-fixes). - platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue (git-fixes). - platform/x86: intel_pmc_core: Do not use global pmcdev in quirks (git-fixes). - platform/x86: thinkpad_acpi: Correct thermal sensor allocation (git-fixes). - posix-timers: Preserve return value in clock_adjtime32() (git-fixes) - power: supply: Use IRQF_ONESHOT (git-fixes). - power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() (git-fixes). - power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() (git-fixes). - powerpc/64s: Fix crashes when toggling entry flush barrier (bsc#1177666 git-fixes). - powerpc/64s: Fix crashes when toggling stf barrier (bsc#1087082 git-fixes). - qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth (git-fixes). - rtc: pcf2127: handle timestamp interrupts (bsc#1185495). - s390/dasd: fix hanging DASD driver unbind (bsc#1183932 LTC#192153). - s390/entry: save the caller of psw_idle (bsc#1185677). - s390/kdump: fix out-of-memory with PCI (bsc#1182257 LTC#191375). - sched/eas: Do not update misfit status if the task is pinned (git-fixes) - sched/fair: Avoid stale CPU util_est value for schedutil in (git-fixes) - sched/fair: Fix unfairness caused by missing load decay (git-fixes) - scripts/git_sort/git_sort.py: add bpf git repo - scsi: core: Run queue in case of I/O resource contention failure (bsc#1186416). - scsi: fnic: Kill 'exclude_id' argument to fnic_cleanup_io() (bsc#1179851). - scsi: libfc: Avoid invoking response handler twice if ep is already completed (bsc#1186573). - scsi: lpfc: Add a option to enable interlocked ABTS before job completion (bsc#1186451). 
- scsi: lpfc: Add ndlp kref accounting for resume RPI path (bsc#1186451). - scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology (bsc#1186451). - scsi: lpfc: Fix Node recovery when driver is handling simultaneous PLOGIs (bsc#1186451). - scsi: lpfc: Fix bad memory access during VPD DUMP mailbox command (bsc#1186451). - scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs (bsc#1186451). - scsi: lpfc: Fix node handling for Fabric Controller and Domain Controller (bsc#1186451). - scsi: lpfc: Fix non-optimized ERSP handling (bsc#1186451). - scsi: lpfc: Fix unreleased RPIs when NPIV ports are created (bsc#1186451). - scsi: lpfc: Ignore GID-FT response that may be received after a link flip (bsc#1186451). - scsi: lpfc: Reregister FPIN types if ELS_RDF is received from fabric controller (bsc#1186451). - scsi: lpfc: Update lpfc version to 12.8.0.10 (bsc#1186451). - sctp: delay auto_asconf init until binding the first addr - seqlock,lockdep: Fix seqcount_latch_init() (bsc#1176564 bsc#1162702). - serial: core: fix suspicious security_locked_down() call (git-fixes). - serial: core: return early on unsupported ioctls (git-fixes). - serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (git-fixes). - serial: stm32: fix incorrect characters on console (git-fixes). - serial: stm32: fix tx_empty condition (git-fixes). - serial: tegra: Fix a mask operation that is always true (git-fixes). - smc: disallow TCP_ULP in smc_setsockopt() (git-fixes). - spi: ath79: always call chipselect function (git-fixes). - spi: ath79: remove spi-master setup and cleanup assignment (git-fixes). - spi: dln2: Fix reference leak to master (git-fixes). - spi: omap-100k: Fix reference leak to master (git-fixes). - spi: qup: fix PM reference leak in spi_qup_remove() (git-fixes). - spi: spi-fsl-dspi: Fix a resource leak in an error handling path (git-fixes). - staging: emxx_udc: fix loop in _nbu2ss_nuke() (git-fixes). 
- staging: iio: cdc: ad7746: avoid overwrite of num_channels (git-fixes). - tcp: fix to update snd_wl1 in bulk receiver fast path - thermal/drivers/ti-soc-thermal/bandgap Remove unused variable 'val' (git-fixes). - thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (git-fixes). - tracing: Map all PIDs to command lines (git-fixes). - tty: amiserial: fix TIOCSSERIAL permission check (git-fixes). - tty: fix memory leak in vc_deallocate (git-fixes). - tty: moxa: fix TIOCSSERIAL jiffies conversions (git-fixes). - tty: moxa: fix TIOCSSERIAL permission check (git-fixes). - uio: uio_hv_generic: use devm_kzalloc() for private data alloc (git-fixes). - uio_hv_generic: Fix a memory leak in error handling paths (git-fixes). - uio_hv_generic: Fix another memory leak in error handling paths (git-fixes). - uio_hv_generic: add missed sysfs_remove_bin_file (git-fixes). - usb: core: hub: Fix PM reference leak in usb_port_resume() (git-fixes). - usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes). - usb: dwc2: Fix gadget DMA unmap direction (git-fixes). - usb: dwc3: gadget: Enable suspend events (git-fixes). - usb: dwc3: gadget: Return success always for kick transfer in ep queue (git-fixes). - usb: dwc3: omap: improve extcon initialization (git-fixes). - usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield (git-fixes). - usb: fotg210-hcd: Fix an error message (git-fixes). - usb: gadget/function/f_fs string table fix for multiple languages (git-fixes). - usb: gadget: dummy_hcd: fix gpf in gadget_setup (git-fixes). - usb: gadget: f_uac1: validate input parameters (git-fixes). - usb: gadget: f_uac2: validate input parameters (git-fixes). - usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() (git-fixes). - usb: gadget: uvc: add bInterval checking for HS mode (git-fixes). - usb: musb: fix PM reference leak in musb_irq_work() (git-fixes). - usb: sl811-hcd: improve misleading indentation (git-fixes). 
- usb: webcam: Invalid size of Processing Unit Descriptor (git-fixes). - usb: xhci: Fix port minor revision (git-fixes). - usb: xhci: Increase timeout for HC halt (git-fixes). - vgacon: Record video mode changes with VT_RESIZEX (git-fixes). - video: hyperv_fb: Add ratelimit on error message (bsc#1185725). - vrf: fix a comment about loopback device (git-fixes). - watchdog/softlockup: Remove obsolete check of last reported task (bsc#1185982). - watchdog/softlockup: report the overall time of softlockups (bsc#1185982). - watchdog: explicitly update timestamp when reporting softlockup (bsc#1185982). - watchdog: rename __touch_watchdog() to a better descriptive name (bsc#1185982). - whitespace cleanup - wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join (git-fixes). - wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt (git-fixes). - workqueue: Minor follow-ups to the rescuer destruction change (bsc#1185911). - workqueue: more destroy_workqueue() fixes (bsc#1185911). - x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is supported (bsc#1152489). - xhci: Do not use GFP_KERNEL in (potentially) atomic context (git-fixes). - xhci: check control context is valid before dereferencing it (git-fixes). - xhci: fix potential array out of bounds with several interrupters (git-fixes). - xsk: Respect device's headroom and tailroom on generic xmit path (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Realtime 15-SP2: zypper in -t patch SUSE-SLE-Module-RT-15-SP2-2021-1889=1 Package List: - SUSE Linux Enterprise Module for Realtime 15-SP2 (x86_64): cluster-md-kmp-rt-5.3.18-39.1 cluster-md-kmp-rt-debuginfo-5.3.18-39.1 dlm-kmp-rt-5.3.18-39.1 dlm-kmp-rt-debuginfo-5.3.18-39.1 gfs2-kmp-rt-5.3.18-39.1 gfs2-kmp-rt-debuginfo-5.3.18-39.1 kernel-rt-5.3.18-39.1 kernel-rt-debuginfo-5.3.18-39.1 kernel-rt-debugsource-5.3.18-39.1 kernel-rt-devel-5.3.18-39.1 kernel-rt-devel-debuginfo-5.3.18-39.1 kernel-rt_debug-5.3.18-39.1 kernel-rt_debug-debuginfo-5.3.18-39.1 kernel-rt_debug-debugsource-5.3.18-39.1 kernel-rt_debug-devel-5.3.18-39.1 kernel-rt_debug-devel-debuginfo-5.3.18-39.1 kernel-syms-rt-5.3.18-39.1 ocfs2-kmp-rt-5.3.18-39.1 ocfs2-kmp-rt-debuginfo-5.3.18-39.1 - SUSE Linux Enterprise Module for Realtime 15-SP2 (noarch): kernel-devel-rt-5.3.18-39.1 kernel-source-rt-5.3.18-39.1 References: https://www.suse.com/security/cve/CVE-2020-24586.html https://www.suse.com/security/cve/CVE-2020-24587.html https://www.suse.com/security/cve/CVE-2020-24588.html https://www.suse.com/security/cve/CVE-2020-26139.html https://www.suse.com/security/cve/CVE-2020-26141.html https://www.suse.com/security/cve/CVE-2020-26145.html https://www.suse.com/security/cve/CVE-2020-26147.html https://www.suse.com/security/cve/CVE-2021-23134.html https://www.suse.com/security/cve/CVE-2021-32399.html https://www.suse.com/security/cve/CVE-2021-33034.html https://www.suse.com/security/cve/CVE-2021-33200.html https://www.suse.com/security/cve/CVE-2021-3491.html https://bugzilla.suse.com/1087082 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1152457 https://bugzilla.suse.com/1152489 https://bugzilla.suse.com/1155518 https://bugzilla.suse.com/1156395 https://bugzilla.suse.com/1162702 https://bugzilla.suse.com/1164648 https://bugzilla.suse.com/1176564 https://bugzilla.suse.com/1177666 
https://bugzilla.suse.com/1178418 https://bugzilla.suse.com/1178612 https://bugzilla.suse.com/1179827 https://bugzilla.suse.com/1179851 https://bugzilla.suse.com/1182378 https://bugzilla.suse.com/1182999 https://bugzilla.suse.com/1183346 https://bugzilla.suse.com/1183868 https://bugzilla.suse.com/1183873 https://bugzilla.suse.com/1183932 https://bugzilla.suse.com/1183947 https://bugzilla.suse.com/1184081 https://bugzilla.suse.com/1184082 https://bugzilla.suse.com/1184611 https://bugzilla.suse.com/1184855 https://bugzilla.suse.com/1185428 https://bugzilla.suse.com/1185497 https://bugzilla.suse.com/1185589 https://bugzilla.suse.com/1185606 https://bugzilla.suse.com/1185645 https://bugzilla.suse.com/1185677 https://bugzilla.suse.com/1185680 https://bugzilla.suse.com/1185696 https://bugzilla.suse.com/1185703 https://bugzilla.suse.com/1185725 https://bugzilla.suse.com/1185758 https://bugzilla.suse.com/1185859 https://bugzilla.suse.com/1185861 https://bugzilla.suse.com/1185863 https://bugzilla.suse.com/1185898 https://bugzilla.suse.com/1185899 https://bugzilla.suse.com/1185911 https://bugzilla.suse.com/1185938 https://bugzilla.suse.com/1185987 https://bugzilla.suse.com/1185988 https://bugzilla.suse.com/1186061 https://bugzilla.suse.com/1186285 https://bugzilla.suse.com/1186320 https://bugzilla.suse.com/1186439 https://bugzilla.suse.com/1186441 https://bugzilla.suse.com/1186460 https://bugzilla.suse.com/1186498 https://bugzilla.suse.com/1186501 https://bugzilla.suse.com/1186573 From sle-security-updates at lists.suse.com Tue Jun 8 17:11:54 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 8 Jun 2021 19:11:54 +0200 (CEST) Subject: SUSE-SU-2021:1885-1: important: Security update for runc Message-ID: <20210608171154.B89F0FD07@maintenance.suse.de> SUSE Security Update: Security update for runc ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1885-1 Rating: important 
References: #1185405 Cross-References: CVE-2021-30465 CVSS scores: CVE-2021-30465 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-30465 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Containers 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for runc fixes the following issues: - CVE-2021-30465: Fixed a symlink-exchange attack (bsc#1185405). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Containers 12: zypper in -t patch SUSE-SLE-Module-Containers-12-2021-1885=1 Package List: - SUSE Linux Enterprise Module for Containers 12 (ppc64le s390x x86_64): runc-1.0.0~rc93-16.11.1 runc-debuginfo-1.0.0~rc93-16.11.1 References: https://www.suse.com/security/cve/CVE-2021-30465.html https://bugzilla.suse.com/1185405 From sle-security-updates at lists.suse.com Tue Jun 8 17:13:19 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 8 Jun 2021 19:13:19 +0200 (CEST) Subject: SUSE-SU-2021:1896-1: moderate: Security update for pam_radius Message-ID: <20210608171319.1031CFD07@maintenance.suse.de> SUSE Security Update: Security update for pam_radius ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1896-1 Rating: moderate References: #1163933 Cross-References: CVE-2015-9542 CVSS scores: CVE-2015-9542 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-9542 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise 
Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Server Applications 15-SP3 SUSE Linux Enterprise Module for Server Applications 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for pam_radius fixes the following issues: - CVE-2015-9542: pam_radius: buffer overflow in password field (bsc#1163933) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1896=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1896=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1896=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1896=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1896=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1896=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1896=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1896=1 - SUSE Linux Enterprise Module for Server Applications 15-SP3: zypper in -t patch 
SUSE-SLE-Module-Server-Applications-15-SP3-2021-1896=1 - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-1896=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1896=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1896=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1896=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1896=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1896=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 pam_radius-debugsource-1.4.0-3.3.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 pam_radius-debugsource-1.4.0-3.3.1 - SUSE Manager Proxy 4.0 (x86_64): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 pam_radius-debugsource-1.4.0-3.3.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 pam_radius-debugsource-1.4.0-3.3.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 pam_radius-debugsource-1.4.0-3.3.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 pam_radius-debugsource-1.4.0-3.3.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 
pam_radius-debugsource-1.4.0-3.3.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 pam_radius-debugsource-1.4.0-3.3.1 - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 pam_radius-debugsource-1.4.0-3.3.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 pam_radius-debugsource-1.4.0-3.3.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 pam_radius-debugsource-1.4.0-3.3.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 pam_radius-debugsource-1.4.0-3.3.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 pam_radius-debugsource-1.4.0-3.3.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 pam_radius-debugsource-1.4.0-3.3.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 pam_radius-debugsource-1.4.0-3.3.1 - SUSE CaaS Platform 4.0 (x86_64): pam_radius-1.4.0-3.3.1 pam_radius-debuginfo-1.4.0-3.3.1 pam_radius-debugsource-1.4.0-3.3.1 References: https://www.suse.com/security/cve/CVE-2015-9542.html https://bugzilla.suse.com/1163933 From sle-security-updates at lists.suse.com Tue Jun 8 17:14:46 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 8 Jun 2021 19:14:46 +0200 (CEST) Subject: SUSE-SU-2021:1895-1: important: Security update for qemu Message-ID: <20210608171446.BEEF0FD07@maintenance.suse.de> SUSE Security Update: Security update for qemu 
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1895-1
Rating: important
References: #1149813 #1163019 #1172380 #1172382 #1175534 #1178683 #1178935 #1179477 #1179484 #1182846 #1182975
Cross-References: CVE-2019-15890 CVE-2020-10756 CVE-2020-13754 CVE-2020-14364 CVE-2020-25707 CVE-2020-25723 CVE-2020-29129 CVE-2020-29130 CVE-2020-8608 CVE-2021-20257 CVE-2021-3419
CVSS scores:
  CVE-2019-15890 (SUSE): 5.8 CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
  CVE-2020-10756 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  CVE-2020-10756 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  CVE-2020-13754 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  CVE-2020-13754 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L
  CVE-2020-14364 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
  CVE-2020-14364 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
  CVE-2020-25707 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
  CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
  CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
  CVE-2020-29129 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  CVE-2020-29129 (SUSE): 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
  CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  CVE-2020-8608 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
  CVE-2020-8608 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H
  CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
  CVE-2021-3419 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes 11 vulnerabilities is now available.

Description:

This update for qemu fixes the following issues:

- Fix OOB access during mmio operations (CVE-2020-13754, bsc#1172382)
- Fix out-of-bounds read information disclosure in icmp6_send_echoreply (CVE-2020-10756, bsc#1172380)
- For the record, these issues are fixed in this package already. Most are alternate references to previously mentioned issues: (CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019, CVE-2020-14364, bsc#1175534, CVE-2020-25707, bsc#1178683, CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477, CVE-2020-29129, bsc#1179484, CVE-2021-20257, bsc#1182846, CVE-2021-3419, bsc#1182975)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1895=1

- SUSE Linux Enterprise Server 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1895=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1895=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1895=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): qemu-2.11.2-9.46.1 qemu-block-curl-2.11.2-9.46.1 qemu-block-curl-debuginfo-2.11.2-9.46.1 qemu-block-iscsi-2.11.2-9.46.1 qemu-block-iscsi-debuginfo-2.11.2-9.46.1 qemu-block-rbd-2.11.2-9.46.1 qemu-block-rbd-debuginfo-2.11.2-9.46.1 qemu-block-ssh-2.11.2-9.46.1 qemu-block-ssh-debuginfo-2.11.2-9.46.1 qemu-debuginfo-2.11.2-9.46.1 qemu-debugsource-2.11.2-9.46.1 qemu-guest-agent-2.11.2-9.46.1 qemu-guest-agent-debuginfo-2.11.2-9.46.1 qemu-lang-2.11.2-9.46.1 qemu-tools-2.11.2-9.46.1 qemu-tools-debuginfo-2.11.2-9.46.1
- SUSE Linux
Enterprise Server for SAP 15 (ppc64le): qemu-ppc-2.11.2-9.46.1 qemu-ppc-debuginfo-2.11.2-9.46.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): qemu-kvm-2.11.2-9.46.1 qemu-x86-2.11.2-9.46.1 qemu-x86-debuginfo-2.11.2-9.46.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): qemu-ipxe-1.0.0+-9.46.1 qemu-seabios-1.11.0_0_g63451fc-9.46.1 qemu-sgabios-8-9.46.1 qemu-vgabios-1.11.0_0_g63451fc-9.46.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): qemu-2.11.2-9.46.1 qemu-block-curl-2.11.2-9.46.1 qemu-block-curl-debuginfo-2.11.2-9.46.1 qemu-block-iscsi-2.11.2-9.46.1 qemu-block-iscsi-debuginfo-2.11.2-9.46.1 qemu-block-rbd-2.11.2-9.46.1 qemu-block-rbd-debuginfo-2.11.2-9.46.1 qemu-block-ssh-2.11.2-9.46.1 qemu-block-ssh-debuginfo-2.11.2-9.46.1 qemu-debuginfo-2.11.2-9.46.1 qemu-debugsource-2.11.2-9.46.1 qemu-guest-agent-2.11.2-9.46.1 qemu-guest-agent-debuginfo-2.11.2-9.46.1 qemu-lang-2.11.2-9.46.1 qemu-tools-2.11.2-9.46.1 qemu-tools-debuginfo-2.11.2-9.46.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64): qemu-arm-2.11.2-9.46.1 qemu-arm-debuginfo-2.11.2-9.46.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): qemu-ipxe-1.0.0+-9.46.1 qemu-vgabios-1.11.0_0_g63451fc-9.46.1 - SUSE Linux Enterprise Server 15-LTSS (s390x): qemu-kvm-2.11.2-9.46.1 qemu-s390-2.11.2-9.46.1 qemu-s390-debuginfo-2.11.2-9.46.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): qemu-2.11.2-9.46.1 qemu-block-curl-2.11.2-9.46.1 qemu-block-curl-debuginfo-2.11.2-9.46.1 qemu-block-iscsi-2.11.2-9.46.1 qemu-block-iscsi-debuginfo-2.11.2-9.46.1 qemu-block-rbd-2.11.2-9.46.1 qemu-block-rbd-debuginfo-2.11.2-9.46.1 qemu-block-ssh-2.11.2-9.46.1 qemu-block-ssh-debuginfo-2.11.2-9.46.1 qemu-debuginfo-2.11.2-9.46.1 qemu-debugsource-2.11.2-9.46.1 qemu-guest-agent-2.11.2-9.46.1 qemu-guest-agent-debuginfo-2.11.2-9.46.1 qemu-lang-2.11.2-9.46.1 qemu-tools-2.11.2-9.46.1 qemu-tools-debuginfo-2.11.2-9.46.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64): qemu-arm-2.11.2-9.46.1 
qemu-arm-debuginfo-2.11.2-9.46.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): qemu-ipxe-1.0.0+-9.46.1 qemu-seabios-1.11.0_0_g63451fc-9.46.1 qemu-sgabios-8-9.46.1 qemu-vgabios-1.11.0_0_g63451fc-9.46.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): qemu-kvm-2.11.2-9.46.1 qemu-x86-2.11.2-9.46.1 qemu-x86-debuginfo-2.11.2-9.46.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): qemu-2.11.2-9.46.1 qemu-block-curl-2.11.2-9.46.1 qemu-block-curl-debuginfo-2.11.2-9.46.1 qemu-block-iscsi-2.11.2-9.46.1 qemu-block-iscsi-debuginfo-2.11.2-9.46.1 qemu-block-rbd-2.11.2-9.46.1 qemu-block-rbd-debuginfo-2.11.2-9.46.1 qemu-block-ssh-2.11.2-9.46.1 qemu-block-ssh-debuginfo-2.11.2-9.46.1 qemu-debuginfo-2.11.2-9.46.1 qemu-debugsource-2.11.2-9.46.1 qemu-guest-agent-2.11.2-9.46.1 qemu-guest-agent-debuginfo-2.11.2-9.46.1 qemu-lang-2.11.2-9.46.1 qemu-tools-2.11.2-9.46.1 qemu-tools-debuginfo-2.11.2-9.46.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64): qemu-arm-2.11.2-9.46.1 qemu-arm-debuginfo-2.11.2-9.46.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): qemu-kvm-2.11.2-9.46.1 qemu-x86-2.11.2-9.46.1 qemu-x86-debuginfo-2.11.2-9.46.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): qemu-ipxe-1.0.0+-9.46.1 qemu-seabios-1.11.0_0_g63451fc-9.46.1 qemu-sgabios-8-9.46.1 qemu-vgabios-1.11.0_0_g63451fc-9.46.1 References: https://www.suse.com/security/cve/CVE-2019-15890.html https://www.suse.com/security/cve/CVE-2020-10756.html https://www.suse.com/security/cve/CVE-2020-13754.html https://www.suse.com/security/cve/CVE-2020-14364.html https://www.suse.com/security/cve/CVE-2020-25707.html https://www.suse.com/security/cve/CVE-2020-25723.html https://www.suse.com/security/cve/CVE-2020-29129.html https://www.suse.com/security/cve/CVE-2020-29130.html https://www.suse.com/security/cve/CVE-2020-8608.html https://www.suse.com/security/cve/CVE-2021-20257.html 
https://www.suse.com/security/cve/CVE-2021-3419.html https://bugzilla.suse.com/1149813 https://bugzilla.suse.com/1163019 https://bugzilla.suse.com/1172380 https://bugzilla.suse.com/1172382 https://bugzilla.suse.com/1175534 https://bugzilla.suse.com/1178683 https://bugzilla.suse.com/1178935 https://bugzilla.suse.com/1179477 https://bugzilla.suse.com/1179484 https://bugzilla.suse.com/1182846 https://bugzilla.suse.com/1182975

From sle-security-updates at lists.suse.com Tue Jun 8 17:17:23 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 8 Jun 2021 19:17:23 +0200 (CEST)
Subject: SUSE-SU-2021:1897-1: important: Security update for libX11
Message-ID: <20210608171723.6B03FFD07@maintenance.suse.de>

SUSE Security Update: Security update for libX11
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1897-1
Rating: important
References: #1186643
Cross-References: CVE-2021-31535
CVSS scores:
  CVE-2021-31535 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  SUSE MicroOS 5.0
  SUSE Manager Server 4.0
  SUSE Manager Retail Branch Server 4.0
  SUSE Manager Proxy 4.0
  SUSE Linux Enterprise Server for SAP 15-SP1
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-SP1-LTSS
  SUSE Linux Enterprise Server 15-SP1-BCL
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise Module for Basesystem 15-SP3
  SUSE Linux Enterprise Module for Basesystem 15-SP2
  SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
  SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
  SUSE Enterprise Storage 6
  SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.
Description: This update for libX11 fixes the following issues: - Regression in the fix for CVE-2021-31535, causing segfaults for xforms applications like fdesign (bsc#1186643) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1897=1 - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1897=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1897=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1897=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1897=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1897=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1897=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1897=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1897=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1897=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1897=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1897=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1897=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1897=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch 
SUSE-SLE-Product-HPC-15-2021-1897=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1897=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): libX11-6-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE MicroOS 5.0 (noarch): libX11-data-1.6.5-3.21.1 - SUSE Manager Server 4.0 (ppc64le s390x x86_64): libX11-6-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE Manager Server 4.0 (x86_64): libX11-6-32bit-1.6.5-3.21.1 libX11-6-32bit-debuginfo-1.6.5-3.21.1 libX11-xcb1-32bit-1.6.5-3.21.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.21.1 - SUSE Manager Server 4.0 (noarch): libX11-data-1.6.5-3.21.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): libX11-6-1.6.5-3.21.1 libX11-6-32bit-1.6.5-3.21.1 libX11-6-32bit-debuginfo-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-32bit-1.6.5-3.21.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE Manager Retail Branch Server 4.0 (noarch): libX11-data-1.6.5-3.21.1 - SUSE Manager Proxy 4.0 (noarch): libX11-data-1.6.5-3.21.1 - SUSE Manager Proxy 4.0 (x86_64): libX11-6-1.6.5-3.21.1 libX11-6-32bit-1.6.5-3.21.1 libX11-6-32bit-debuginfo-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-32bit-1.6.5-3.21.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): libX11-6-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 
libX11-debugsource-1.6.5-3.21.1 libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): libX11-data-1.6.5-3.21.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64): libX11-6-32bit-1.6.5-3.21.1 libX11-6-32bit-debuginfo-1.6.5-3.21.1 libX11-xcb1-32bit-1.6.5-3.21.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libX11-6-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): libX11-data-1.6.5-3.21.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libX11-6-32bit-1.6.5-3.21.1 libX11-6-32bit-debuginfo-1.6.5-3.21.1 libX11-xcb1-32bit-1.6.5-3.21.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): libX11-6-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64): libX11-6-32bit-1.6.5-3.21.1 libX11-6-32bit-debuginfo-1.6.5-3.21.1 libX11-xcb1-32bit-1.6.5-3.21.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): libX11-data-1.6.5-3.21.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): libX11-data-1.6.5-3.21.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): libX11-6-1.6.5-3.21.1 libX11-6-32bit-1.6.5-3.21.1 libX11-6-32bit-debuginfo-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-32bit-1.6.5-3.21.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libX11-6-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 
libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): libX11-data-1.6.5-3.21.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): libX11-6-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch): libX11-data-1.6.5-3.21.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64): libX11-6-32bit-1.6.5-3.21.1 libX11-6-32bit-debuginfo-1.6.5-3.21.1 libX11-xcb1-32bit-1.6.5-3.21.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libX11-6-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): libX11-6-32bit-1.6.5-3.21.1 libX11-6-32bit-debuginfo-1.6.5-3.21.1 libX11-xcb1-32bit-1.6.5-3.21.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): libX11-data-1.6.5-3.21.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): libX11-6-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): libX11-data-1.6.5-3.21.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64): libX11-6-32bit-1.6.5-3.21.1 libX11-6-32bit-debuginfo-1.6.5-3.21.1 libX11-xcb1-32bit-1.6.5-3.21.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): libX11-6-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 
libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): libX11-data-1.6.5-3.21.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64): libX11-6-32bit-1.6.5-3.21.1 libX11-6-32bit-debuginfo-1.6.5-3.21.1 libX11-xcb1-32bit-1.6.5-3.21.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libX11-6-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): libX11-data-1.6.5-3.21.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libX11-6-32bit-1.6.5-3.21.1 libX11-6-32bit-debuginfo-1.6.5-3.21.1 libX11-xcb1-32bit-1.6.5-3.21.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libX11-6-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): libX11-data-1.6.5-3.21.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libX11-6-32bit-1.6.5-3.21.1 libX11-6-32bit-debuginfo-1.6.5-3.21.1 libX11-xcb1-32bit-1.6.5-3.21.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.21.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): libX11-6-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1 - SUSE Enterprise Storage 6 (noarch): libX11-data-1.6.5-3.21.1 - SUSE Enterprise Storage 6 (x86_64): libX11-6-32bit-1.6.5-3.21.1 libX11-6-32bit-debuginfo-1.6.5-3.21.1 libX11-xcb1-32bit-1.6.5-3.21.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.21.1 - SUSE CaaS Platform 4.0 (x86_64): 
libX11-6-1.6.5-3.21.1 libX11-6-32bit-1.6.5-3.21.1 libX11-6-32bit-debuginfo-1.6.5-3.21.1 libX11-6-debuginfo-1.6.5-3.21.1 libX11-debugsource-1.6.5-3.21.1 libX11-devel-1.6.5-3.21.1 libX11-xcb1-1.6.5-3.21.1 libX11-xcb1-32bit-1.6.5-3.21.1 libX11-xcb1-32bit-debuginfo-1.6.5-3.21.1 libX11-xcb1-debuginfo-1.6.5-3.21.1
- SUSE CaaS Platform 4.0 (noarch): libX11-data-1.6.5-3.21.1

References:

https://www.suse.com/security/cve/CVE-2021-31535.html
https://bugzilla.suse.com/1186643

From sle-security-updates at lists.suse.com Tue Jun 8 22:18:14 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 9 Jun 2021 00:18:14 +0200 (CEST)
Subject: SUSE-SU-2021:1904-1: important: Security update for gstreamer-plugins-bad
Message-ID: <20210608221814.2EB2EFD07@maintenance.suse.de>

SUSE Security Update: Security update for gstreamer-plugins-bad
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1904-1
Rating: important
References: #1181255
Cross-References: CVE-2021-3185
CVSS scores:
  CVE-2021-3185 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-3185 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected Products:
  SUSE Manager Server 4.0
  SUSE Manager Retail Branch Server 4.0
  SUSE Manager Proxy 4.0
  SUSE Linux Enterprise Server for SAP 15-SP1
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-SP1-LTSS
  SUSE Linux Enterprise Server 15-SP1-BCL
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
  SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
  SUSE Enterprise Storage 6
  SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.
Description:

This update for gstreamer-plugins-bad fixes the following issues:

- CVE-2021-3185: h264parser: guard against ref_pic_markings overflow (bsc#1181255)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:

  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1904=1

- SUSE Manager Retail Branch Server 4.0:

  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1904=1

- SUSE Manager Proxy 4.0:

  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1904=1

- SUSE Linux Enterprise Server for SAP 15-SP1:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1904=1

- SUSE Linux Enterprise Server for SAP 15:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1904=1

- SUSE Linux Enterprise Server 15-SP1-LTSS:

  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1904=1

- SUSE Linux Enterprise Server 15-SP1-BCL:

  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1904=1

- SUSE Linux Enterprise Server 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1904=1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1904=1

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1904=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1904=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1904=1

- SUSE Enterprise Storage 6:

  zypper in -t patch SUSE-Storage-6-2021-1904=1

- SUSE CaaS Platform 4.0:

  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): gstreamer-plugins-bad-1.12.5-3.6.1 gstreamer-plugins-bad-debuginfo-1.12.5-3.6.1 gstreamer-plugins-bad-debugsource-1.12.5-3.6.1 gstreamer-plugins-bad-devel-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadallocators-1_0-0-1.12.5-3.6.1 libgstbadallocators-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadaudio-1_0-0-1.12.5-3.6.1 libgstbadaudio-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadbase-1_0-0-1.12.5-3.6.1 libgstbadbase-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadvideo-1_0-0-1.12.5-3.6.1 libgstbadvideo-1_0-0-debuginfo-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.12.5-3.6.1 libgstcodecparsers-1_0-0-1.12.5-3.6.1 libgstcodecparsers-1_0-0-debuginfo-1.12.5-3.6.1 libgstgl-1_0-0-1.12.5-3.6.1 libgstgl-1_0-0-debuginfo-1.12.5-3.6.1 libgstinsertbin-1_0-0-1.12.5-3.6.1 libgstinsertbin-1_0-0-debuginfo-1.12.5-3.6.1 libgstmpegts-1_0-0-1.12.5-3.6.1 libgstmpegts-1_0-0-debuginfo-1.12.5-3.6.1 libgstphotography-1_0-0-1.12.5-3.6.1 libgstphotography-1_0-0-debuginfo-1.12.5-3.6.1 libgstplayer-1_0-0-1.12.5-3.6.1 libgstplayer-1_0-0-debuginfo-1.12.5-3.6.1 libgsturidownloader-1_0-0-1.12.5-3.6.1 libgsturidownloader-1_0-0-debuginfo-1.12.5-3.6.1 libgstwayland-1_0-0-1.12.5-3.6.1 libgstwayland-1_0-0-debuginfo-1.12.5-3.6.1 typelib-1_0-GstBadAllocators-1_0-1.12.5-3.6.1 typelib-1_0-GstGL-1_0-1.12.5-3.6.1 typelib-1_0-GstInsertBin-1_0-1.12.5-3.6.1 typelib-1_0-GstMpegts-1_0-1.12.5-3.6.1 typelib-1_0-GstPlayer-1_0-1.12.5-3.6.1 - SUSE Manager Server 4.0 (noarch): gstreamer-plugins-bad-lang-1.12.5-3.6.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): gstreamer-plugins-bad-1.12.5-3.6.1 gstreamer-plugins-bad-debuginfo-1.12.5-3.6.1 gstreamer-plugins-bad-debugsource-1.12.5-3.6.1 gstreamer-plugins-bad-devel-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadallocators-1_0-0-1.12.5-3.6.1 
libgstbadallocators-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadaudio-1_0-0-1.12.5-3.6.1 libgstbadaudio-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadbase-1_0-0-1.12.5-3.6.1 libgstbadbase-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadvideo-1_0-0-1.12.5-3.6.1 libgstbadvideo-1_0-0-debuginfo-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.12.5-3.6.1 libgstcodecparsers-1_0-0-1.12.5-3.6.1 libgstcodecparsers-1_0-0-debuginfo-1.12.5-3.6.1 libgstgl-1_0-0-1.12.5-3.6.1 libgstgl-1_0-0-debuginfo-1.12.5-3.6.1 libgstinsertbin-1_0-0-1.12.5-3.6.1 libgstinsertbin-1_0-0-debuginfo-1.12.5-3.6.1 libgstmpegts-1_0-0-1.12.5-3.6.1 libgstmpegts-1_0-0-debuginfo-1.12.5-3.6.1 libgstphotography-1_0-0-1.12.5-3.6.1 libgstphotography-1_0-0-debuginfo-1.12.5-3.6.1 libgstplayer-1_0-0-1.12.5-3.6.1 libgstplayer-1_0-0-debuginfo-1.12.5-3.6.1 libgsturidownloader-1_0-0-1.12.5-3.6.1 libgsturidownloader-1_0-0-debuginfo-1.12.5-3.6.1 libgstwayland-1_0-0-1.12.5-3.6.1 libgstwayland-1_0-0-debuginfo-1.12.5-3.6.1 typelib-1_0-GstBadAllocators-1_0-1.12.5-3.6.1 typelib-1_0-GstGL-1_0-1.12.5-3.6.1 typelib-1_0-GstInsertBin-1_0-1.12.5-3.6.1 typelib-1_0-GstMpegts-1_0-1.12.5-3.6.1 typelib-1_0-GstPlayer-1_0-1.12.5-3.6.1 - SUSE Manager Retail Branch Server 4.0 (noarch): gstreamer-plugins-bad-lang-1.12.5-3.6.1 - SUSE Manager Proxy 4.0 (noarch): gstreamer-plugins-bad-lang-1.12.5-3.6.1 - SUSE Manager Proxy 4.0 (x86_64): gstreamer-plugins-bad-1.12.5-3.6.1 gstreamer-plugins-bad-debuginfo-1.12.5-3.6.1 gstreamer-plugins-bad-debugsource-1.12.5-3.6.1 gstreamer-plugins-bad-devel-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadallocators-1_0-0-1.12.5-3.6.1 libgstbadallocators-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadaudio-1_0-0-1.12.5-3.6.1 libgstbadaudio-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadbase-1_0-0-1.12.5-3.6.1 libgstbadbase-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadvideo-1_0-0-1.12.5-3.6.1 libgstbadvideo-1_0-0-debuginfo-1.12.5-3.6.1 
libgstbasecamerabinsrc-1_0-0-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.12.5-3.6.1 libgstcodecparsers-1_0-0-1.12.5-3.6.1 libgstcodecparsers-1_0-0-debuginfo-1.12.5-3.6.1 libgstgl-1_0-0-1.12.5-3.6.1 libgstgl-1_0-0-debuginfo-1.12.5-3.6.1 libgstinsertbin-1_0-0-1.12.5-3.6.1 libgstinsertbin-1_0-0-debuginfo-1.12.5-3.6.1 libgstmpegts-1_0-0-1.12.5-3.6.1 libgstmpegts-1_0-0-debuginfo-1.12.5-3.6.1 libgstphotography-1_0-0-1.12.5-3.6.1 libgstphotography-1_0-0-debuginfo-1.12.5-3.6.1 libgstplayer-1_0-0-1.12.5-3.6.1 libgstplayer-1_0-0-debuginfo-1.12.5-3.6.1 libgsturidownloader-1_0-0-1.12.5-3.6.1 libgsturidownloader-1_0-0-debuginfo-1.12.5-3.6.1 libgstwayland-1_0-0-1.12.5-3.6.1 libgstwayland-1_0-0-debuginfo-1.12.5-3.6.1 typelib-1_0-GstBadAllocators-1_0-1.12.5-3.6.1 typelib-1_0-GstGL-1_0-1.12.5-3.6.1 typelib-1_0-GstInsertBin-1_0-1.12.5-3.6.1 typelib-1_0-GstMpegts-1_0-1.12.5-3.6.1 typelib-1_0-GstPlayer-1_0-1.12.5-3.6.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): gstreamer-plugins-bad-1.12.5-3.6.1 gstreamer-plugins-bad-debuginfo-1.12.5-3.6.1 gstreamer-plugins-bad-debugsource-1.12.5-3.6.1 gstreamer-plugins-bad-devel-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadallocators-1_0-0-1.12.5-3.6.1 libgstbadallocators-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadaudio-1_0-0-1.12.5-3.6.1 libgstbadaudio-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadbase-1_0-0-1.12.5-3.6.1 libgstbadbase-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadvideo-1_0-0-1.12.5-3.6.1 libgstbadvideo-1_0-0-debuginfo-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.12.5-3.6.1 libgstcodecparsers-1_0-0-1.12.5-3.6.1 libgstcodecparsers-1_0-0-debuginfo-1.12.5-3.6.1 libgstgl-1_0-0-1.12.5-3.6.1 libgstgl-1_0-0-debuginfo-1.12.5-3.6.1 libgstinsertbin-1_0-0-1.12.5-3.6.1 libgstinsertbin-1_0-0-debuginfo-1.12.5-3.6.1 libgstmpegts-1_0-0-1.12.5-3.6.1 libgstmpegts-1_0-0-debuginfo-1.12.5-3.6.1 libgstphotography-1_0-0-1.12.5-3.6.1 
libgstphotography-1_0-0-debuginfo-1.12.5-3.6.1 libgstplayer-1_0-0-1.12.5-3.6.1 libgstplayer-1_0-0-debuginfo-1.12.5-3.6.1 libgsturidownloader-1_0-0-1.12.5-3.6.1 libgsturidownloader-1_0-0-debuginfo-1.12.5-3.6.1 libgstwayland-1_0-0-1.12.5-3.6.1 libgstwayland-1_0-0-debuginfo-1.12.5-3.6.1 typelib-1_0-GstBadAllocators-1_0-1.12.5-3.6.1 typelib-1_0-GstGL-1_0-1.12.5-3.6.1 typelib-1_0-GstInsertBin-1_0-1.12.5-3.6.1 typelib-1_0-GstMpegts-1_0-1.12.5-3.6.1 typelib-1_0-GstPlayer-1_0-1.12.5-3.6.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): gstreamer-plugins-bad-lang-1.12.5-3.6.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): gstreamer-plugins-bad-1.12.5-3.6.1 gstreamer-plugins-bad-debuginfo-1.12.5-3.6.1 gstreamer-plugins-bad-debugsource-1.12.5-3.6.1 gstreamer-plugins-bad-devel-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadallocators-1_0-0-1.12.5-3.6.1 libgstbadallocators-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadaudio-1_0-0-1.12.5-3.6.1 libgstbadaudio-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadbase-1_0-0-1.12.5-3.6.1 libgstbadbase-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadvideo-1_0-0-1.12.5-3.6.1 libgstbadvideo-1_0-0-debuginfo-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.12.5-3.6.1 libgstcodecparsers-1_0-0-1.12.5-3.6.1 libgstcodecparsers-1_0-0-debuginfo-1.12.5-3.6.1 libgstgl-1_0-0-1.12.5-3.6.1 libgstgl-1_0-0-debuginfo-1.12.5-3.6.1 libgstinsertbin-1_0-0-1.12.5-3.6.1 libgstinsertbin-1_0-0-debuginfo-1.12.5-3.6.1 libgstmpegts-1_0-0-1.12.5-3.6.1 libgstmpegts-1_0-0-debuginfo-1.12.5-3.6.1 libgstphotography-1_0-0-1.12.5-3.6.1 libgstphotography-1_0-0-debuginfo-1.12.5-3.6.1 libgstplayer-1_0-0-1.12.5-3.6.1 libgstplayer-1_0-0-debuginfo-1.12.5-3.6.1 libgsturidownloader-1_0-0-1.12.5-3.6.1 libgsturidownloader-1_0-0-debuginfo-1.12.5-3.6.1 libgstwayland-1_0-0-1.12.5-3.6.1 libgstwayland-1_0-0-debuginfo-1.12.5-3.6.1 typelib-1_0-GstBadAllocators-1_0-1.12.5-3.6.1 
typelib-1_0-GstGL-1_0-1.12.5-3.6.1 typelib-1_0-GstInsertBin-1_0-1.12.5-3.6.1 typelib-1_0-GstMpegts-1_0-1.12.5-3.6.1 typelib-1_0-GstPlayer-1_0-1.12.5-3.6.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): gstreamer-plugins-bad-lang-1.12.5-3.6.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): gstreamer-plugins-bad-1.12.5-3.6.1 gstreamer-plugins-bad-debuginfo-1.12.5-3.6.1 gstreamer-plugins-bad-debugsource-1.12.5-3.6.1 gstreamer-plugins-bad-devel-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadallocators-1_0-0-1.12.5-3.6.1 libgstbadallocators-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadaudio-1_0-0-1.12.5-3.6.1 libgstbadaudio-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadbase-1_0-0-1.12.5-3.6.1 libgstbadbase-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadvideo-1_0-0-1.12.5-3.6.1 libgstbadvideo-1_0-0-debuginfo-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.12.5-3.6.1 libgstcodecparsers-1_0-0-1.12.5-3.6.1 libgstcodecparsers-1_0-0-debuginfo-1.12.5-3.6.1 libgstgl-1_0-0-1.12.5-3.6.1 libgstgl-1_0-0-debuginfo-1.12.5-3.6.1 libgstinsertbin-1_0-0-1.12.5-3.6.1 libgstinsertbin-1_0-0-debuginfo-1.12.5-3.6.1 libgstmpegts-1_0-0-1.12.5-3.6.1 libgstmpegts-1_0-0-debuginfo-1.12.5-3.6.1 libgstphotography-1_0-0-1.12.5-3.6.1 libgstphotography-1_0-0-debuginfo-1.12.5-3.6.1 libgstplayer-1_0-0-1.12.5-3.6.1 libgstplayer-1_0-0-debuginfo-1.12.5-3.6.1 libgsturidownloader-1_0-0-1.12.5-3.6.1 libgsturidownloader-1_0-0-debuginfo-1.12.5-3.6.1 libgstwayland-1_0-0-1.12.5-3.6.1 libgstwayland-1_0-0-debuginfo-1.12.5-3.6.1 typelib-1_0-GstBadAllocators-1_0-1.12.5-3.6.1 typelib-1_0-GstGL-1_0-1.12.5-3.6.1 typelib-1_0-GstInsertBin-1_0-1.12.5-3.6.1 typelib-1_0-GstMpegts-1_0-1.12.5-3.6.1 typelib-1_0-GstPlayer-1_0-1.12.5-3.6.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): gstreamer-plugins-bad-lang-1.12.5-3.6.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): 
gstreamer-plugins-bad-lang-1.12.5-3.6.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): gstreamer-plugins-bad-1.12.5-3.6.1 gstreamer-plugins-bad-debuginfo-1.12.5-3.6.1 gstreamer-plugins-bad-debugsource-1.12.5-3.6.1 gstreamer-plugins-bad-devel-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadallocators-1_0-0-1.12.5-3.6.1 libgstbadallocators-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadaudio-1_0-0-1.12.5-3.6.1 libgstbadaudio-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadbase-1_0-0-1.12.5-3.6.1 libgstbadbase-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadvideo-1_0-0-1.12.5-3.6.1 libgstbadvideo-1_0-0-debuginfo-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.12.5-3.6.1 libgstcodecparsers-1_0-0-1.12.5-3.6.1 libgstcodecparsers-1_0-0-debuginfo-1.12.5-3.6.1 libgstgl-1_0-0-1.12.5-3.6.1 libgstgl-1_0-0-debuginfo-1.12.5-3.6.1 libgstinsertbin-1_0-0-1.12.5-3.6.1 libgstinsertbin-1_0-0-debuginfo-1.12.5-3.6.1 libgstmpegts-1_0-0-1.12.5-3.6.1 libgstmpegts-1_0-0-debuginfo-1.12.5-3.6.1 libgstphotography-1_0-0-1.12.5-3.6.1 libgstphotography-1_0-0-debuginfo-1.12.5-3.6.1 libgstplayer-1_0-0-1.12.5-3.6.1 libgstplayer-1_0-0-debuginfo-1.12.5-3.6.1 libgsturidownloader-1_0-0-1.12.5-3.6.1 libgsturidownloader-1_0-0-debuginfo-1.12.5-3.6.1 libgstwayland-1_0-0-1.12.5-3.6.1 libgstwayland-1_0-0-debuginfo-1.12.5-3.6.1 typelib-1_0-GstBadAllocators-1_0-1.12.5-3.6.1 typelib-1_0-GstGL-1_0-1.12.5-3.6.1 typelib-1_0-GstInsertBin-1_0-1.12.5-3.6.1 typelib-1_0-GstMpegts-1_0-1.12.5-3.6.1 typelib-1_0-GstPlayer-1_0-1.12.5-3.6.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): gstreamer-plugins-bad-1.12.5-3.6.1 gstreamer-plugins-bad-debuginfo-1.12.5-3.6.1 gstreamer-plugins-bad-debugsource-1.12.5-3.6.1 gstreamer-plugins-bad-devel-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadallocators-1_0-0-1.12.5-3.6.1 libgstbadallocators-1_0-0-debuginfo-1.12.5-3.6.1 
libgstbadaudio-1_0-0-1.12.5-3.6.1 libgstbadaudio-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadbase-1_0-0-1.12.5-3.6.1 libgstbadbase-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadvideo-1_0-0-1.12.5-3.6.1 libgstbadvideo-1_0-0-debuginfo-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.12.5-3.6.1 libgstcodecparsers-1_0-0-1.12.5-3.6.1 libgstcodecparsers-1_0-0-debuginfo-1.12.5-3.6.1 libgstgl-1_0-0-1.12.5-3.6.1 libgstgl-1_0-0-debuginfo-1.12.5-3.6.1 libgstinsertbin-1_0-0-1.12.5-3.6.1 libgstinsertbin-1_0-0-debuginfo-1.12.5-3.6.1 libgstmpegts-1_0-0-1.12.5-3.6.1 libgstmpegts-1_0-0-debuginfo-1.12.5-3.6.1 libgstphotography-1_0-0-1.12.5-3.6.1 libgstphotography-1_0-0-debuginfo-1.12.5-3.6.1 libgstplayer-1_0-0-1.12.5-3.6.1 libgstplayer-1_0-0-debuginfo-1.12.5-3.6.1 libgsturidownloader-1_0-0-1.12.5-3.6.1 libgsturidownloader-1_0-0-debuginfo-1.12.5-3.6.1 libgstwayland-1_0-0-1.12.5-3.6.1 libgstwayland-1_0-0-debuginfo-1.12.5-3.6.1 typelib-1_0-GstBadAllocators-1_0-1.12.5-3.6.1 typelib-1_0-GstGL-1_0-1.12.5-3.6.1 typelib-1_0-GstInsertBin-1_0-1.12.5-3.6.1 typelib-1_0-GstMpegts-1_0-1.12.5-3.6.1 typelib-1_0-GstPlayer-1_0-1.12.5-3.6.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): gstreamer-plugins-bad-lang-1.12.5-3.6.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): gstreamer-plugins-bad-1.12.5-3.6.1 gstreamer-plugins-bad-debuginfo-1.12.5-3.6.1 gstreamer-plugins-bad-debugsource-1.12.5-3.6.1 gstreamer-plugins-bad-devel-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadallocators-1_0-0-1.12.5-3.6.1 libgstbadallocators-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadaudio-1_0-0-1.12.5-3.6.1 libgstbadaudio-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadbase-1_0-0-1.12.5-3.6.1 libgstbadbase-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadvideo-1_0-0-1.12.5-3.6.1 libgstbadvideo-1_0-0-debuginfo-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.12.5-3.6.1 
libgstcodecparsers-1_0-0-1.12.5-3.6.1 libgstcodecparsers-1_0-0-debuginfo-1.12.5-3.6.1 libgstgl-1_0-0-1.12.5-3.6.1 libgstgl-1_0-0-debuginfo-1.12.5-3.6.1 libgstinsertbin-1_0-0-1.12.5-3.6.1 libgstinsertbin-1_0-0-debuginfo-1.12.5-3.6.1 libgstmpegts-1_0-0-1.12.5-3.6.1 libgstmpegts-1_0-0-debuginfo-1.12.5-3.6.1 libgstphotography-1_0-0-1.12.5-3.6.1 libgstphotography-1_0-0-debuginfo-1.12.5-3.6.1 libgstplayer-1_0-0-1.12.5-3.6.1 libgstplayer-1_0-0-debuginfo-1.12.5-3.6.1 libgsturidownloader-1_0-0-1.12.5-3.6.1 libgsturidownloader-1_0-0-debuginfo-1.12.5-3.6.1 libgstwayland-1_0-0-1.12.5-3.6.1 libgstwayland-1_0-0-debuginfo-1.12.5-3.6.1 typelib-1_0-GstBadAllocators-1_0-1.12.5-3.6.1 typelib-1_0-GstGL-1_0-1.12.5-3.6.1 typelib-1_0-GstInsertBin-1_0-1.12.5-3.6.1 typelib-1_0-GstMpegts-1_0-1.12.5-3.6.1 typelib-1_0-GstPlayer-1_0-1.12.5-3.6.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): gstreamer-plugins-bad-lang-1.12.5-3.6.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): gstreamer-plugins-bad-1.12.5-3.6.1 gstreamer-plugins-bad-debuginfo-1.12.5-3.6.1 gstreamer-plugins-bad-debugsource-1.12.5-3.6.1 gstreamer-plugins-bad-devel-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadallocators-1_0-0-1.12.5-3.6.1 libgstbadallocators-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadaudio-1_0-0-1.12.5-3.6.1 libgstbadaudio-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadbase-1_0-0-1.12.5-3.6.1 libgstbadbase-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadvideo-1_0-0-1.12.5-3.6.1 libgstbadvideo-1_0-0-debuginfo-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.12.5-3.6.1 libgstcodecparsers-1_0-0-1.12.5-3.6.1 libgstcodecparsers-1_0-0-debuginfo-1.12.5-3.6.1 libgstgl-1_0-0-1.12.5-3.6.1 libgstgl-1_0-0-debuginfo-1.12.5-3.6.1 libgstinsertbin-1_0-0-1.12.5-3.6.1 libgstinsertbin-1_0-0-debuginfo-1.12.5-3.6.1 libgstmpegts-1_0-0-1.12.5-3.6.1 libgstmpegts-1_0-0-debuginfo-1.12.5-3.6.1 
libgstphotography-1_0-0-1.12.5-3.6.1 libgstphotography-1_0-0-debuginfo-1.12.5-3.6.1 libgstplayer-1_0-0-1.12.5-3.6.1 libgstplayer-1_0-0-debuginfo-1.12.5-3.6.1 libgsturidownloader-1_0-0-1.12.5-3.6.1 libgsturidownloader-1_0-0-debuginfo-1.12.5-3.6.1 libgstwayland-1_0-0-1.12.5-3.6.1 libgstwayland-1_0-0-debuginfo-1.12.5-3.6.1 typelib-1_0-GstBadAllocators-1_0-1.12.5-3.6.1 typelib-1_0-GstGL-1_0-1.12.5-3.6.1 typelib-1_0-GstInsertBin-1_0-1.12.5-3.6.1 typelib-1_0-GstMpegts-1_0-1.12.5-3.6.1 typelib-1_0-GstPlayer-1_0-1.12.5-3.6.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): gstreamer-plugins-bad-lang-1.12.5-3.6.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): gstreamer-plugins-bad-1.12.5-3.6.1 gstreamer-plugins-bad-debuginfo-1.12.5-3.6.1 gstreamer-plugins-bad-debugsource-1.12.5-3.6.1 gstreamer-plugins-bad-devel-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadallocators-1_0-0-1.12.5-3.6.1 libgstbadallocators-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadaudio-1_0-0-1.12.5-3.6.1 libgstbadaudio-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadbase-1_0-0-1.12.5-3.6.1 libgstbadbase-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadvideo-1_0-0-1.12.5-3.6.1 libgstbadvideo-1_0-0-debuginfo-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.12.5-3.6.1 libgstcodecparsers-1_0-0-1.12.5-3.6.1 libgstcodecparsers-1_0-0-debuginfo-1.12.5-3.6.1 libgstgl-1_0-0-1.12.5-3.6.1 libgstgl-1_0-0-debuginfo-1.12.5-3.6.1 libgstinsertbin-1_0-0-1.12.5-3.6.1 libgstinsertbin-1_0-0-debuginfo-1.12.5-3.6.1 libgstmpegts-1_0-0-1.12.5-3.6.1 libgstmpegts-1_0-0-debuginfo-1.12.5-3.6.1 libgstphotography-1_0-0-1.12.5-3.6.1 libgstphotography-1_0-0-debuginfo-1.12.5-3.6.1 libgstplayer-1_0-0-1.12.5-3.6.1 libgstplayer-1_0-0-debuginfo-1.12.5-3.6.1 libgsturidownloader-1_0-0-1.12.5-3.6.1 libgsturidownloader-1_0-0-debuginfo-1.12.5-3.6.1 libgstwayland-1_0-0-1.12.5-3.6.1 
libgstwayland-1_0-0-debuginfo-1.12.5-3.6.1 typelib-1_0-GstBadAllocators-1_0-1.12.5-3.6.1 typelib-1_0-GstGL-1_0-1.12.5-3.6.1 typelib-1_0-GstInsertBin-1_0-1.12.5-3.6.1 typelib-1_0-GstMpegts-1_0-1.12.5-3.6.1 typelib-1_0-GstPlayer-1_0-1.12.5-3.6.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): gstreamer-plugins-bad-lang-1.12.5-3.6.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): gstreamer-plugins-bad-1.12.5-3.6.1 gstreamer-plugins-bad-debuginfo-1.12.5-3.6.1 gstreamer-plugins-bad-debugsource-1.12.5-3.6.1 gstreamer-plugins-bad-devel-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadallocators-1_0-0-1.12.5-3.6.1 libgstbadallocators-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadaudio-1_0-0-1.12.5-3.6.1 libgstbadaudio-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadbase-1_0-0-1.12.5-3.6.1 libgstbadbase-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadvideo-1_0-0-1.12.5-3.6.1 libgstbadvideo-1_0-0-debuginfo-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.12.5-3.6.1 libgstcodecparsers-1_0-0-1.12.5-3.6.1 libgstcodecparsers-1_0-0-debuginfo-1.12.5-3.6.1 libgstgl-1_0-0-1.12.5-3.6.1 libgstgl-1_0-0-debuginfo-1.12.5-3.6.1 libgstinsertbin-1_0-0-1.12.5-3.6.1 libgstinsertbin-1_0-0-debuginfo-1.12.5-3.6.1 libgstmpegts-1_0-0-1.12.5-3.6.1 libgstmpegts-1_0-0-debuginfo-1.12.5-3.6.1 libgstphotography-1_0-0-1.12.5-3.6.1 libgstphotography-1_0-0-debuginfo-1.12.5-3.6.1 libgstplayer-1_0-0-1.12.5-3.6.1 libgstplayer-1_0-0-debuginfo-1.12.5-3.6.1 libgsturidownloader-1_0-0-1.12.5-3.6.1 libgsturidownloader-1_0-0-debuginfo-1.12.5-3.6.1 libgstwayland-1_0-0-1.12.5-3.6.1 libgstwayland-1_0-0-debuginfo-1.12.5-3.6.1 typelib-1_0-GstBadAllocators-1_0-1.12.5-3.6.1 typelib-1_0-GstGL-1_0-1.12.5-3.6.1 typelib-1_0-GstInsertBin-1_0-1.12.5-3.6.1 typelib-1_0-GstMpegts-1_0-1.12.5-3.6.1 typelib-1_0-GstPlayer-1_0-1.12.5-3.6.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): 
gstreamer-plugins-bad-lang-1.12.5-3.6.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): gstreamer-plugins-bad-1.12.5-3.6.1 gstreamer-plugins-bad-debuginfo-1.12.5-3.6.1 gstreamer-plugins-bad-debugsource-1.12.5-3.6.1 gstreamer-plugins-bad-devel-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadallocators-1_0-0-1.12.5-3.6.1 libgstbadallocators-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadaudio-1_0-0-1.12.5-3.6.1 libgstbadaudio-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadbase-1_0-0-1.12.5-3.6.1 libgstbadbase-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadvideo-1_0-0-1.12.5-3.6.1 libgstbadvideo-1_0-0-debuginfo-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.12.5-3.6.1 libgstcodecparsers-1_0-0-1.12.5-3.6.1 libgstcodecparsers-1_0-0-debuginfo-1.12.5-3.6.1 libgstgl-1_0-0-1.12.5-3.6.1 libgstgl-1_0-0-debuginfo-1.12.5-3.6.1 libgstinsertbin-1_0-0-1.12.5-3.6.1 libgstinsertbin-1_0-0-debuginfo-1.12.5-3.6.1 libgstmpegts-1_0-0-1.12.5-3.6.1 libgstmpegts-1_0-0-debuginfo-1.12.5-3.6.1 libgstphotography-1_0-0-1.12.5-3.6.1 libgstphotography-1_0-0-debuginfo-1.12.5-3.6.1 libgstplayer-1_0-0-1.12.5-3.6.1 libgstplayer-1_0-0-debuginfo-1.12.5-3.6.1 libgsturidownloader-1_0-0-1.12.5-3.6.1 libgsturidownloader-1_0-0-debuginfo-1.12.5-3.6.1 libgstwayland-1_0-0-1.12.5-3.6.1 libgstwayland-1_0-0-debuginfo-1.12.5-3.6.1 typelib-1_0-GstBadAllocators-1_0-1.12.5-3.6.1 typelib-1_0-GstGL-1_0-1.12.5-3.6.1 typelib-1_0-GstInsertBin-1_0-1.12.5-3.6.1 typelib-1_0-GstMpegts-1_0-1.12.5-3.6.1 typelib-1_0-GstPlayer-1_0-1.12.5-3.6.1 - SUSE Enterprise Storage 6 (noarch): gstreamer-plugins-bad-lang-1.12.5-3.6.1 - SUSE CaaS Platform 4.0 (x86_64): gstreamer-plugins-bad-1.12.5-3.6.1 gstreamer-plugins-bad-debuginfo-1.12.5-3.6.1 gstreamer-plugins-bad-debugsource-1.12.5-3.6.1 gstreamer-plugins-bad-devel-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-1.12.5-3.6.1 libgstadaptivedemux-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadallocators-1_0-0-1.12.5-3.6.1 
libgstbadallocators-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadaudio-1_0-0-1.12.5-3.6.1 libgstbadaudio-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadbase-1_0-0-1.12.5-3.6.1 libgstbadbase-1_0-0-debuginfo-1.12.5-3.6.1 libgstbadvideo-1_0-0-1.12.5-3.6.1 libgstbadvideo-1_0-0-debuginfo-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-1.12.5-3.6.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.12.5-3.6.1 libgstcodecparsers-1_0-0-1.12.5-3.6.1 libgstcodecparsers-1_0-0-debuginfo-1.12.5-3.6.1 libgstgl-1_0-0-1.12.5-3.6.1 libgstgl-1_0-0-debuginfo-1.12.5-3.6.1 libgstinsertbin-1_0-0-1.12.5-3.6.1 libgstinsertbin-1_0-0-debuginfo-1.12.5-3.6.1 libgstmpegts-1_0-0-1.12.5-3.6.1 libgstmpegts-1_0-0-debuginfo-1.12.5-3.6.1 libgstphotography-1_0-0-1.12.5-3.6.1 libgstphotography-1_0-0-debuginfo-1.12.5-3.6.1 libgstplayer-1_0-0-1.12.5-3.6.1 libgstplayer-1_0-0-debuginfo-1.12.5-3.6.1 libgsturidownloader-1_0-0-1.12.5-3.6.1 libgsturidownloader-1_0-0-debuginfo-1.12.5-3.6.1 libgstwayland-1_0-0-1.12.5-3.6.1 libgstwayland-1_0-0-debuginfo-1.12.5-3.6.1 typelib-1_0-GstBadAllocators-1_0-1.12.5-3.6.1 typelib-1_0-GstGL-1_0-1.12.5-3.6.1 typelib-1_0-GstInsertBin-1_0-1.12.5-3.6.1 typelib-1_0-GstMpegts-1_0-1.12.5-3.6.1 typelib-1_0-GstPlayer-1_0-1.12.5-3.6.1 - SUSE CaaS Platform 4.0 (noarch): gstreamer-plugins-bad-lang-1.12.5-3.6.1 References: https://www.suse.com/security/cve/CVE-2021-3185.html https://bugzilla.suse.com/1181255 From sle-security-updates at lists.suse.com Tue Jun 8 22:19:37 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 9 Jun 2021 00:19:37 +0200 (CEST) Subject: SUSE-SU-2021:1900-1: important: Security update for apache2-mod_auth_openidc Message-ID: <20210608221937.DE215FD07@maintenance.suse.de> SUSE Security Update: Security update for apache2-mod_auth_openidc ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1900-1 Rating: important References: #1186291 Cross-References: CVE-2021-20718 CVSS scores: 
CVE-2021-20718 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-20718 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud 9 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for apache2-mod_auth_openidc fixes the following issues: - CVE-2021-20718: Fixed possible remote denial-of-service (DoS) via unspecified vectors (bsc#1186291). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1900=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1900=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1900=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1900=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1900=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): apache2-mod_auth_openidc-2.4.0-3.14.1 apache2-mod_auth_openidc-debuginfo-2.4.0-3.14.1 apache2-mod_auth_openidc-debugsource-2.4.0-3.14.1 - SUSE OpenStack Cloud 9 (x86_64): apache2-mod_auth_openidc-2.4.0-3.14.1 apache2-mod_auth_openidc-debuginfo-2.4.0-3.14.1 apache2-mod_auth_openidc-debugsource-2.4.0-3.14.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): apache2-mod_auth_openidc-2.4.0-3.14.1 apache2-mod_auth_openidc-debuginfo-2.4.0-3.14.1 apache2-mod_auth_openidc-debugsource-2.4.0-3.14.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): 
apache2-mod_auth_openidc-2.4.0-3.14.1 apache2-mod_auth_openidc-debuginfo-2.4.0-3.14.1 apache2-mod_auth_openidc-debugsource-2.4.0-3.14.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): apache2-mod_auth_openidc-2.4.0-3.14.1 apache2-mod_auth_openidc-debuginfo-2.4.0-3.14.1 apache2-mod_auth_openidc-debugsource-2.4.0-3.14.1 References: https://www.suse.com/security/cve/CVE-2021-20718.html https://bugzilla.suse.com/1186291 From sle-security-updates at lists.suse.com Tue Jun 8 22:20:56 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 9 Jun 2021 00:20:56 +0200 (CEST) Subject: SUSE-SU-2021:1901-1: important: Security update for spice Message-ID: <20210608222056.23BBCFD07@maintenance.suse.de> SUSE Security Update: Security update for spice ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1901-1 Rating: important References: #1177158 #1181686 Cross-References: CVE-2020-14355 CVE-2021-20201 CVSS scores: CVE-2020-14355 (NVD) : 6.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-14355 (SUSE): 6.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2021-20201 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-20201 (SUSE): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. 
Description: This update for spice fixes the following issues: - CVE-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686) - CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC decoding code (bsc#1177158) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1901=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1901=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1901=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1901=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libspice-server-devel-0.14.0-4.9.1 libspice-server1-0.14.0-4.9.1 libspice-server1-debuginfo-0.14.0-4.9.1 spice-debugsource-0.14.0-4.9.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libspice-server-devel-0.14.0-4.9.1 libspice-server1-0.14.0-4.9.1 libspice-server1-debuginfo-0.14.0-4.9.1 spice-debugsource-0.14.0-4.9.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libspice-server-devel-0.14.0-4.9.1 libspice-server1-0.14.0-4.9.1 libspice-server1-debuginfo-0.14.0-4.9.1 spice-debugsource-0.14.0-4.9.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libspice-server-devel-0.14.0-4.9.1 libspice-server1-0.14.0-4.9.1 libspice-server1-debuginfo-0.14.0-4.9.1 spice-debugsource-0.14.0-4.9.1 References: https://www.suse.com/security/cve/CVE-2020-14355.html https://www.suse.com/security/cve/CVE-2021-20201.html https://bugzilla.suse.com/1177158 https://bugzilla.suse.com/1181686 From sle-security-updates at lists.suse.com Tue Jun 8 22:22:20 2021 From: 
sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 9 Jun 2021 00:22:20 +0200 (CEST) Subject: SUSE-SU-2021:1906-1: important: Security update for spice Message-ID: <20210608222220.35F69FD07@maintenance.suse.de> SUSE Security Update: Security update for spice ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1906-1 Rating: important References: #1181686 Cross-References: CVE-2021-20201 CVSS scores: CVE-2021-20201 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-20201 (SUSE): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for spice fixes the following issues: - CVE-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1906=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1906=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1906=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1906=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1906=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1906=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1906=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1906=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1906=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1906=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1906=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1906=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): libspice-server1-0.12.8-18.1 libspice-server1-debuginfo-0.12.8-18.1 spice-debugsource-0.12.8-18.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): libspice-server1-0.12.8-18.1 libspice-server1-debuginfo-0.12.8-18.1 spice-debugsource-0.12.8-18.1 - SUSE OpenStack Cloud 9 (x86_64): libspice-server1-0.12.8-18.1 libspice-server1-debuginfo-0.12.8-18.1 spice-debugsource-0.12.8-18.1 - SUSE OpenStack Cloud 8 (x86_64): libspice-server1-0.12.8-18.1 libspice-server1-debuginfo-0.12.8-18.1 spice-debugsource-0.12.8-18.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libspice-server-devel-0.12.8-18.1 spice-debugsource-0.12.8-18.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): 
libspice-server1-0.12.8-18.1 libspice-server1-debuginfo-0.12.8-18.1 spice-debugsource-0.12.8-18.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libspice-server1-0.12.8-18.1 libspice-server1-debuginfo-0.12.8-18.1 spice-debugsource-0.12.8-18.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libspice-server1-0.12.8-18.1 libspice-server1-debuginfo-0.12.8-18.1 spice-debugsource-0.12.8-18.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): libspice-server1-0.12.8-18.1 libspice-server1-debuginfo-0.12.8-18.1 spice-debugsource-0.12.8-18.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libspice-server1-0.12.8-18.1 libspice-server1-debuginfo-0.12.8-18.1 spice-debugsource-0.12.8-18.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libspice-server1-0.12.8-18.1 libspice-server1-debuginfo-0.12.8-18.1 spice-debugsource-0.12.8-18.1 - HPE Helion Openstack 8 (x86_64): libspice-server1-0.12.8-18.1 libspice-server1-debuginfo-0.12.8-18.1 spice-debugsource-0.12.8-18.1 References: https://www.suse.com/security/cve/CVE-2021-20201.html https://bugzilla.suse.com/1181686 From sle-security-updates at lists.suse.com Tue Jun 8 22:23:45 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 9 Jun 2021 00:23:45 +0200 (CEST) Subject: SUSE-SU-2021:1899-1: important: Security update for the Linux Kernel Message-ID: <20210608222345.B01ACFD07@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1899-1 Rating: important References: #1064802 #1066129 #1087082 #1101816 #1103992 #1104353 #1104427 #1104745 #1109837 #1113431 #1126390 #1133021 #1152457 #1174682 #1176081 #1177666 #1180552 #1181383 #1182256 #1183738 #1183947 #1184081 #1184082 #1184611 #1184855 #1185428 #1185481 #1185680 #1185703 #1185724 #1185758 #1185827 #1185901 
#1185906 #1185938 #1186060 #1186111 #1186390 #1186416 #1186439 #1186441 #1186452 #1186460 #1186498 Cross-References: CVE-2020-24586 CVE-2020-24587 CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2021-23133 CVE-2021-23134 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVE-2021-3491 CVSS scores: CVE-2020-24586 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-24586 (SUSE): 4.7 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N CVE-2020-24587 (NVD) : 2.6 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-24587 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26139 (NVD) : 5.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-26139 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-26141 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26145 (SUSE): 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26147 (NVD) : 5.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N CVE-2021-23133 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23133 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33200 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3491 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Real Time Extension 12-SP5 ______________________________________________________________________________ An update that solves 12 vulnerabilities and has 32 fixes is now available. 
Description:

The SUSE Linux Enterprise 12 SP5 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values. (bsc#1186111)
- CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
- CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
- CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
- CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
- CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
- CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)
- CVE-2021-23133: Fixed a race condition in SCTP sockets, which could lead to privilege escalation from the context of a network service or an unprivileged process. (bnc#1184675)

The following non-security bugs were fixed:

- ACPI: CPPC: Replace cppc_attr with kobj_attribute (git-fixes).
- ACPICA: Enable sleep button on ACPI legacy wake (bsc#1181383).
- ALSA: aloop: Fix initialization of controls (git-fixes).
- ALSA: core: remove redundant spin_lock pair in snd_card_disconnect (git-fixes).
- ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls (git-fixes).
- ALSA: usb: midi: do not return -ENOMEM when usb_urb_ep_type_check fails (git-fixes).
- ARM: footbridge: fix PCI interrupt mapping (git-fixes).
- ASoC: fsl_esai: Fix TDM slot setup for I2S mode (git-fixes).
- ASoC: intel: atom: Stop advertising non working S24LE support (git-fixes).
- ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled for some chips (git-fixes).
- Avoid potentially erroneos RST drop (bsc#1183947).
- Do not drop out of segments RST if tcp_be_liberal is set (bsc#1183947).
- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185724). - Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185724). - Drivers: hv: vmbus: Use after free in __vmbus_open() (git-fixes). - EDAC/amd64: Gather hardware information early (bsc#1180552). - EDAC/amd64: Make struct amd64_family_type global (bsc#1180552). - EDAC/amd64: Save max number of controllers to family type (bsc#1180552). - HID: alps: fix error return code in alps_input_configured() (git-fixes). - HID: plantronics: Workaround for double volume key presses (git-fixes). - HID: wacom: Assign boolean values to a bool variable (git-fixes). - HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices (git-fixes). - Input: i8042 - fix Pegatron C15B ID entry (git-fixes). - Input: nspire-keypad - enable interrupts only when opened (git-fixes). - KVM: s390: fix guarded storage control register handling (bsc#1133021). - NFSv4: Replace closed stateids with the "invalid special stateid" (bsc#1185481). - PCI: Release OF node in pci_scan_device()'s error path (git-fixes). - RDMA/hns: Delete redundant condition judgment related to eq (bsc#1104427). - RDMA/srpt: Fix error return code in srpt_cm_req_recv() (bsc#1103992). - SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428). - USB: serial: fix return value for unsupported ioctls (git-fixes). - USB: serial: usb_wwan: fix unprivileged TIOCCSERIAL (git-fixes). - af_packet: fix the tx skb protocol in raw sockets with ETH_P_ALL (bsc#1176081). - ata: libahci_platform: fix IRQ check (git-fixes). - ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices (git-fixes). - backlight: journada720: Fix Wmisleading-indentation warning (git-fixes). - batman-adv: Do not always reallocate the fragmentation skb head (git-fixes). - bluetooth: eliminate the potential race condition when removing the HCI controller (git-fixes). - bnxt_en: fix ternary sign extension bug in bnxt_show_temp() (bsc#1104745). 
- bpf: Fix masking negation logic upon negative dst register (git-fixes). - btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441). - btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439). - bus: qcom: Put child node before return (git-fixes). - cfg80211: remove WARN_ON() in cfg80211_sme_connect (git-fixes). - clk: exynos7: Mark aclk_fsys1_200 as critical (git-fixes). - clk: fix invalid usage of list cursor in register (git-fixes). - clk: fix invalid usage of list cursor in unregister (git-fixes). - clk: mvebu: armada-37xx-periph: Fix switching CPU freq from 250 Mhz to 1 GHz (git-fixes). - clk: mvebu: armada-37xx-periph: Fix workaround for switching from L1 to L0 (git-fixes). - clk: mvebu: armada-37xx-periph: remove .set_parent method for CPU PM clock (git-fixes). - clk: socfpga: fix iomem pointer cast on 64-bit (git-fixes). - clk: uniphier: Fix potential infinite loop (git-fixes). - cpufreq: Kconfig: fix documentation links (git-fixes). - cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758). - crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (git-fixes). - crypto: qat - Fix a double free in adf_create_ring (git-fixes). - crypto: qat - do not release uninitialized resources (git-fixes). - crypto: qat - fix error path in adf_isr_resource_alloc() (git-fixes). - cxgb4: Fix unintentional sign extension issues (bsc#1064802 bsc#1066129). - dm: fix redundant IO accounting for bios that need splitting (bsc#1183738). - dmaengine: dw: Make it dependent to HAS_IOMEM (git-fixes). - docs: kernel-parameters: Add gpio_mockup_named_lines (git-fixes). - docs: kernel-parameters: Move gpio-mockup for alphabetic order (git-fixes). - drivers: net: fix memory leak in atusb_probe (git-fixes). - drivers: net: fix memory leak in peak_usb_create_dev (git-fixes). - drm/amdkfd: fix build error with AMD_IOMMU_V2=m (git-fixes). 
- drm/i915/gvt: Fix error code in intel_gvt_init_device() (git-fixes). - drm/imx: imx-ldb: fix out of bounds array access warning (git-fixes). - drm/omap: fix misleading indentation in pixinc() (git-fixes). - drm/radeon: fix copy of uninitialized variable back to userspace (git-fixes). - e1000e: Fix duplicate include guard (git-fixes). - e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 (git-fixes). - e1000e: add rtnl_lock() to e1000_reset_task (git-fixes). - ethernet:enic: Fix a use after free bug in enic_hard_start_xmit (bsc#1113431). - ftrace: Handle commands when closing set_ftrace_filter file (git-fixes). - genirq: Reduce irqdebug cacheline bouncing (bsc#1185703 ltc#192641). - gianfar: Handle error code at MAC address change (git-fixes). - i2c: cadence: add IRQ check (git-fixes). - i2c: emev2: add IRQ check (git-fixes). - i2c: jz4780: add IRQ check (git-fixes). - i40e: Added Asym_Pause to supported link modes (git-fixes). - i40e: Fix PHY type identifiers for 2.5G and 5G adapters (jsc#SLE-4797). - i40e: Fix sparse errors in i40e_txrx.c (git-fixes). - i40e: Fix use-after-free in i40e_client_subtask() (bsc#1101816 ). - i40e: fix broken XDP support (git-fixes). - i40e: fix the panic when running bpf in xdpdrv mode (git-fixes). - i40e: fix the restart auto-negotiation after FEC modified (jsc#SLE-4797). - ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043). - ibmvfc: Handle move login failure (bsc#1185938 ltc#192043). - ibmvfc: Reinit target retries (bsc#1185938 ltc#192043). - ibmvnic: remove default label from to_string switch (bsc#1152457 ltc#174432 git-fixes). - igb: Fix duplicate include guard (git-fixes). - igb: check timestamp validity (git-fixes). - ipmi/watchdog: Stop watchdog timer when the current action is 'none' (bsc#1184855). - ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() (git-fixes). - kABI: powerpc/64: add back start_tb and accum_tb to thread_struct. 
- kabi: preserve struct header_ops after bsc#1176081 fix (bsc#1176081). - liquidio: Fix unintented sign extension of a left shift of a u16 (git-fixes). - mac80211: bail out if cipher schemes are invalid (git-fixes). - mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN (git-fixes). - macvlan: macvlan_count_rx() needs to be aware of preemption (git-fixes). - md-cluster: fix use-after-free issue when removing rdev (bsc#1184082). - md/raid1: properly indicate failure when ending a failed write request (bsc#1185680). - md: do not flush workqueue unconditionally in md_open (bsc#1184081). - md: factor out a mddev_find_locked helper from mddev_find (bsc#1184081). - md: md_open returns -EBUSY when entering racing area (bsc#1184081). - md: split mddev_find (bsc#1184081). - media: dvbdev: Fix memory leak in dvb_media_device_free() (git-fixes). - media: m88rs6000t: avoid potential out-of-bounds reads on arrays (git-fixes). - media: omap4iss: return error code when omap4iss_get() failed (git-fixes). - mfd: lpc_sch: Partially revert "Add support for Intel Quark X1000" (git-fixes). - mfd: stm32-timers: Avoid clearing auto reload register (git-fixes). - misc: lis3lv02d: Fix false-positive WARN on various HP models (git-fixes). - misc: vmw_vmci: explicitly initialize vmci_datagram payload (git-fixes). - misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct (git-fixes). - mlxsw: spectrum_mr: Update egress RIF list before route's action (bsc#1112374). - mm: mempolicy: fix potential pte_unmap_unlock pte error (bsc#1185906). - mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified (bsc#1185906). - mmc: core: Correct descriptions in mmc_of_parse() (git-fixes). - mmc: mmc_spi: Drop unused NO_IRQ definition (git-fixes). - mt7601u: fix always true expression (git-fixes). - mtd: require write permissions for locking and badblock ioctls (git-fixes). - net, xdp: Update pkt_type if generic XDP changes unicast MAC (bsc#1109837). 
- net/ethernet: Add parse_protocol header_ops support (bsc#1176081). - net/mlx4_en: update moderation when config reset (git-fixes). - net/mlx5e: Fix error path for ethtool set-priv-flag (git-fixes). - net/mlx5e: Remove the wrong assumption about transport offset (bsc#1176081). - net/mlx5e: Trust kernel regarding transport offset (bsc#1176081). - net/packet: Ask driver for protocol if not provided by user (bsc#1176081). - net/packet: Remove redundant skb->protocol set (bsc#1176081). - net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template (git-fixes). - net: Do not set transport offset to invalid value (bsc#1176081). - net: Introduce parse_protocol header_ops callback (bsc#1176081). - net: hns3: Fix for geneve tx checksum bug (bsc#1104353 ). - net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() (bsc#1104353). - net: hns3: disable phy loopback setting in hclge_mac_start_phy (bsc#1104353). - net: hns3: fix for vxlan gpe tx checksum bug (bsc#1104353 ). - net: hns3: fix incorrect configuration for igu_egu_hw_err (bsc#1104353). - net: hns3: initialize the message content in hclge_get_link_mode() (bsc#1126390). - net: hns3: use netif_tx_disable to stop the transmit queue (bsc#1104353). - net: thunderx: Fix unintentional sign extension issue (git-fixes). - netdevice: Add missing IFF_PHONY_HEADROOM self-definition (git-fixes). - netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950). - netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950). - netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950). - netfilter: conntrack: tcp: only close if RST matches exact sequence (bsc#1183947 bsc#1185950). - nfc: pn533: prevent potential memory corruption (git-fixes). - nvme-fc: clear q_live at beginning of association teardown (git-fixes). - nvme-loop: Introduce no merge flag for biovec (bsc#1174682). - pata_arasan_cf: fix IRQ check (git-fixes). 
- pata_ipx4xx_cf: fix IRQ check (git-fixes). - pcnet32: Use pci_resource_len to validate PCI resource (git-fixes). - phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y, unconditionally (git-fixes). - pinctrl: core: Fix kernel doc string for pin_get_name() (git-fixes). - pinctrl: lewisburg: Update number of pins in community (git-fixes). - platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards with critclk_systems DMI table (git-fixes). - powerpc/64: remove start_tb and accum_tb from thread_struct (bsc#1186487 ltc#177613). - powerpc/64s: Fix crashes when toggling entry flush barrier (bsc#1177666 git-fixes). - powerpc/64s: Fix crashes when toggling stf barrier (bsc#1087082 git-fixes). - powerpc/pseries: lparcfg calculate PURR on demand (bsc#1186487 ltc#177613). - regulator: bd9571mwv: Fix AVS and DVFS voltage range (git-fixes). - rsxx: remove extraneous 'const' qualifier (git-fixes). - rtc: ds1307: Fix wday settings for rx8130 (git-fixes). - rtlwifi: 8821ae: upgrade PHY and RF parameters (git-fixes). - s390/dasd: fix hanging DASD driver unbind (bsc#1183754 LTC#192081). - s390/dasd: fix hanging IO request during DASD driver unbind (bsc#1183754 LTC#192081). - s390/entry: save the caller of psw_idle (bsc#1185677). - s390/kdump: fix out-of-memory with PCI (bsc#1182256 LTC#191375). - sata_mv: add IRQ checks (git-fixes). - scsi: core: Run queue in case of I/O resource contention failure (bsc#1186416). - scsi: libfc: Avoid invoking response handler twice if ep is already completed (bsc#1186573). - scsi: lpfc: Add a option to enable interlocked ABTS before job completion (bsc#1186452). - scsi: lpfc: Add ndlp kref accounting for resume RPI path (bsc#1186452). - scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology (bsc#1186452). - scsi: lpfc: Fix Node recovery when driver is handling simultaneous PLOGIs (bsc#1186452). - scsi: lpfc: Fix bad memory access during VPD DUMP mailbox command (bsc#1186452). 
- scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs (bsc#1186452). - scsi: lpfc: Fix node handling for Fabric Controller and Domain Controller (bsc#1186452). - scsi: lpfc: Fix non-optimized ERSP handling (bsc#1186452). - scsi: lpfc: Fix unreleased RPIs when NPIV ports are created (bsc#1186452). - scsi: lpfc: Ignore GID-FT response that may be received after a link flip (bsc#1186452). - scsi: lpfc: Reregister FPIN types if ELS_RDF is received from fabric controller (bsc#1186452). - scsi: lpfc: Update lpfc version to 12.8.0.10 (bsc#1186452). - scsi: qla2xxx: Prevent PRLI in target mode (git-fixes). - smc: disallow TCP_ULP in smc_setsockopt() (bsc#1109837). - soc: qcom: mdt_loader: Validate that p_filesz < p_memsz (git-fixes). - spi: spi-ti-qspi: Free DMA resources (git-fixes). - staging: rtl8192u: Fix potential infinite loop (git-fixes). - tcp: fix to update snd_wl1 in bulk receiver fast path (bsc#1185827). - thermal/drivers/ti-soc-thermal/bandgap Remove unused variable 'val' (git-fixes). - tracing: Map all PIDs to command lines (git-fixes). - uio: uio_hv_generic: use devm_kzalloc() for private data alloc (git-fixes). - uio_hv_generic: Fix a memory leak in error handling paths (git-fixes). - uio_hv_generic: Fix another memory leak in error handling paths (git-fixes). - uio_hv_generic: add missed sysfs_remove_bin_file (git-fixes). - usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes). - usb: dwc3: gadget: Fix START_TRANSFER link state check (git-fixes). - usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS (git-fixes). - usb: xhci: Increase timeout for HC halt (git-fixes). - video: hyperv_fb: Add ratelimit on error message (bsc#1185724). - xhci: Do not use GFP_KERNEL in (potentially) atomic context (git-fixes). - xsk: Respect device's headroom and tailroom on generic xmit path (bsc#1109837). Special Instructions and Notes: Please reboot the system after installing this update. 
Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Real Time Extension 12-SP5:

  zypper in -t patch SUSE-SLE-RT-12-SP5-2021-1899=1

Package List:

- SUSE Linux Enterprise Real Time Extension 12-SP5 (noarch):
  kernel-devel-rt-4.12.14-10.46.1
  kernel-source-rt-4.12.14-10.46.1

- SUSE Linux Enterprise Real Time Extension 12-SP5 (x86_64):
  cluster-md-kmp-rt-4.12.14-10.46.1
  cluster-md-kmp-rt-debuginfo-4.12.14-10.46.1
  dlm-kmp-rt-4.12.14-10.46.1
  dlm-kmp-rt-debuginfo-4.12.14-10.46.1
  gfs2-kmp-rt-4.12.14-10.46.1
  gfs2-kmp-rt-debuginfo-4.12.14-10.46.1
  kernel-rt-4.12.14-10.46.1
  kernel-rt-base-4.12.14-10.46.1
  kernel-rt-base-debuginfo-4.12.14-10.46.1
  kernel-rt-debuginfo-4.12.14-10.46.1
  kernel-rt-debugsource-4.12.14-10.46.1
  kernel-rt-devel-4.12.14-10.46.1
  kernel-rt-devel-debuginfo-4.12.14-10.46.1
  kernel-rt_debug-4.12.14-10.46.1
  kernel-rt_debug-debuginfo-4.12.14-10.46.1
  kernel-rt_debug-debugsource-4.12.14-10.46.1
  kernel-rt_debug-devel-4.12.14-10.46.1
  kernel-rt_debug-devel-debuginfo-4.12.14-10.46.1
  kernel-syms-rt-4.12.14-10.46.1
  ocfs2-kmp-rt-4.12.14-10.46.1
  ocfs2-kmp-rt-debuginfo-4.12.14-10.46.1

References:
  https://www.suse.com/security/cve/CVE-2020-24586.html
  https://www.suse.com/security/cve/CVE-2020-24587.html
  https://www.suse.com/security/cve/CVE-2020-26139.html
  https://www.suse.com/security/cve/CVE-2020-26141.html
  https://www.suse.com/security/cve/CVE-2020-26145.html
  https://www.suse.com/security/cve/CVE-2020-26147.html
  https://www.suse.com/security/cve/CVE-2021-23133.html
  https://www.suse.com/security/cve/CVE-2021-23134.html
  https://www.suse.com/security/cve/CVE-2021-32399.html
  https://www.suse.com/security/cve/CVE-2021-33034.html
  https://www.suse.com/security/cve/CVE-2021-33200.html
  https://www.suse.com/security/cve/CVE-2021-3491.html
  https://bugzilla.suse.com/1064802
  https://bugzilla.suse.com/1066129
https://bugzilla.suse.com/1087082 https://bugzilla.suse.com/1101816 https://bugzilla.suse.com/1103992 https://bugzilla.suse.com/1104353 https://bugzilla.suse.com/1104427 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1113431 https://bugzilla.suse.com/1126390 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1152457 https://bugzilla.suse.com/1174682 https://bugzilla.suse.com/1176081 https://bugzilla.suse.com/1177666 https://bugzilla.suse.com/1180552 https://bugzilla.suse.com/1181383 https://bugzilla.suse.com/1182256 https://bugzilla.suse.com/1183738 https://bugzilla.suse.com/1183947 https://bugzilla.suse.com/1184081 https://bugzilla.suse.com/1184082 https://bugzilla.suse.com/1184611 https://bugzilla.suse.com/1184855 https://bugzilla.suse.com/1185428 https://bugzilla.suse.com/1185481 https://bugzilla.suse.com/1185680 https://bugzilla.suse.com/1185703 https://bugzilla.suse.com/1185724 https://bugzilla.suse.com/1185758 https://bugzilla.suse.com/1185827 https://bugzilla.suse.com/1185901 https://bugzilla.suse.com/1185906 https://bugzilla.suse.com/1185938 https://bugzilla.suse.com/1186060 https://bugzilla.suse.com/1186111 https://bugzilla.suse.com/1186390 https://bugzilla.suse.com/1186416 https://bugzilla.suse.com/1186439 https://bugzilla.suse.com/1186441 https://bugzilla.suse.com/1186452 https://bugzilla.suse.com/1186460 https://bugzilla.suse.com/1186498 From sle-security-updates at lists.suse.com Tue Jun 8 22:30:25 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 9 Jun 2021 00:30:25 +0200 (CEST) Subject: SUSE-SU-2021:14744-1: important: Security update for spice Message-ID: <20210608223025.F405EFD07@maintenance.suse.de> SUSE Security Update: Security update for spice ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14744-1 Rating: important References: #1177158 #1181686 #982386 Cross-References: 
CVE-2016-2150 CVE-2020-14355 CVE-2021-20201
CVSS scores:
  CVE-2016-2150 (NVD) : 7.1 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  CVE-2016-2150 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  CVE-2020-14355 (NVD) : 6.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
  CVE-2020-14355 (SUSE): 6.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
  CVE-2021-20201 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  CVE-2021-20201 (SUSE): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Affected Products:
  SUSE Linux Enterprise Server 11-SP4-LTSS
  SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for spice fixes the following issues:

- CVE-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686)
- CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC decoding code (bsc#1177158)
- CVE-2016-2150: Fixed a guest escape using crafted primary surface parameters (bsc#982386)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:

  zypper in -t patch slessp4-spice-14744=1

- SUSE Linux Enterprise Debuginfo 11-SP4:

  zypper in -t patch dbgsp4-spice-14744=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 x86_64):
  libspice-server1-0.12.4-21.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):
  spice-debuginfo-0.12.4-21.1
  spice-debugsource-0.12.4-21.1

References:
  https://www.suse.com/security/cve/CVE-2016-2150.html
  https://www.suse.com/security/cve/CVE-2020-14355.html
  https://www.suse.com/security/cve/CVE-2021-20201.html
  https://bugzilla.suse.com/1177158
  https://bugzilla.suse.com/1181686
  https://bugzilla.suse.com/982386

From sle-security-updates at lists.suse.com Tue Jun 8 22:31:51 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 9 Jun 2021 00:31:51 +0200 (CEST)
Subject: SUSE-SU-2021:1905-1: important: Security update for spice-gtk
Message-ID: <20210608223151.45AAAFD07@maintenance.suse.de>

SUSE Security Update: Security update for spice-gtk
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1905-1
Rating: important
References: #1177158
Cross-References: CVE-2020-14355
CVSS scores:
  CVE-2020-14355 (NVD) : 6.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
  CVE-2020-14355 (SUSE): 6.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Affected Products:
  SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for spice-gtk fixes the following issues:

- CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC decoding code (bsc#1177158)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1905=1 Package List: - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libspice-client-glib-2_0-8-0.31-9.13.1 libspice-client-glib-2_0-8-debuginfo-0.31-9.13.1 libspice-client-glib-helper-0.31-9.13.1 libspice-client-glib-helper-debuginfo-0.31-9.13.1 libspice-client-gtk-2_0-4-0.31-9.13.1 libspice-client-gtk-2_0-4-debuginfo-0.31-9.13.1 libspice-client-gtk-3_0-4-0.31-9.13.1 libspice-client-gtk-3_0-4-debuginfo-0.31-9.13.1 libspice-controller0-0.31-9.13.1 libspice-controller0-debuginfo-0.31-9.13.1 spice-gtk-debuginfo-0.31-9.13.1 spice-gtk-debugsource-0.31-9.13.1 typelib-1_0-SpiceClientGlib-2_0-0.31-9.13.1 typelib-1_0-SpiceClientGtk-3_0-0.31-9.13.1 References: https://www.suse.com/security/cve/CVE-2020-14355.html https://bugzilla.suse.com/1177158 From sle-security-updates at lists.suse.com Tue Jun 8 22:33:00 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 9 Jun 2021 00:33:00 +0200 (CEST) Subject: SUSE-SU-2021:1902-1: important: Security update for spice Message-ID: <20210608223300.C6655FD07@maintenance.suse.de> SUSE Security Update: Security update for spice ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1902-1 Rating: important References: #1177158 #1181686 Cross-References: CVE-2020-14355 CVE-2021-20201 CVSS scores: CVE-2020-14355 (NVD) : 6.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-14355 (SUSE): 6.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2021-20201 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-20201 (SUSE): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Server 12-SP2-BCL ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. 
Description: This update for spice fixes the following issues: - CVE-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686) - CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC decoding code (bsc#1177158) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1902=1 Package List: - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libspice-server1-0.12.7-10.12.1 libspice-server1-debuginfo-0.12.7-10.12.1 spice-debugsource-0.12.7-10.12.1 References: https://www.suse.com/security/cve/CVE-2020-14355.html https://www.suse.com/security/cve/CVE-2021-20201.html https://bugzilla.suse.com/1177158 https://bugzilla.suse.com/1181686 From sle-security-updates at lists.suse.com Wed Jun 9 13:17:38 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 9 Jun 2021 15:17:38 +0200 (CEST) Subject: SUSE-SU-2021:1911-1: important: Security update for spice-gtk Message-ID: <20210609131738.B942EFD07@maintenance.suse.de> SUSE Security Update: Security update for spice-gtk ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1911-1 Rating: important References: #1177158 Cross-References: CVE-2020-14355 CVSS scores: CVE-2020-14355 (NVD) : 6.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-14355 (SUSE): 6.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for spice-gtk fixes the following issues: - CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC decoding code (bsc#1177158) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1911=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1911=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1911=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1911=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libspice-client-glib-2_0-8-0.34-3.6.1 libspice-client-glib-2_0-8-debuginfo-0.34-3.6.1 libspice-client-glib-helper-0.34-3.6.1 libspice-client-glib-helper-debuginfo-0.34-3.6.1 libspice-client-gtk-3_0-5-0.34-3.6.1 libspice-client-gtk-3_0-5-debuginfo-0.34-3.6.1 libspice-controller0-0.34-3.6.1 libspice-controller0-debuginfo-0.34-3.6.1 spice-gtk-debuginfo-0.34-3.6.1 spice-gtk-debugsource-0.34-3.6.1 spice-gtk-devel-0.34-3.6.1 typelib-1_0-SpiceClientGlib-2_0-0.34-3.6.1 typelib-1_0-SpiceClientGtk-3_0-0.34-3.6.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libspice-client-glib-2_0-8-0.34-3.6.1 libspice-client-glib-2_0-8-debuginfo-0.34-3.6.1 libspice-client-glib-helper-0.34-3.6.1 libspice-client-glib-helper-debuginfo-0.34-3.6.1 libspice-client-gtk-3_0-5-0.34-3.6.1 libspice-client-gtk-3_0-5-debuginfo-0.34-3.6.1 libspice-controller0-0.34-3.6.1 libspice-controller0-debuginfo-0.34-3.6.1 spice-gtk-debuginfo-0.34-3.6.1 spice-gtk-debugsource-0.34-3.6.1 spice-gtk-devel-0.34-3.6.1 typelib-1_0-SpiceClientGlib-2_0-0.34-3.6.1 typelib-1_0-SpiceClientGtk-3_0-0.34-3.6.1 - SUSE Linux Enterprise High Performance 
Computing 15-LTSS (aarch64 x86_64):

      libspice-client-glib-2_0-8-0.34-3.6.1
      libspice-client-glib-2_0-8-debuginfo-0.34-3.6.1
      libspice-client-glib-helper-0.34-3.6.1
      libspice-client-glib-helper-debuginfo-0.34-3.6.1
      libspice-client-gtk-3_0-5-0.34-3.6.1
      libspice-client-gtk-3_0-5-debuginfo-0.34-3.6.1
      libspice-controller0-0.34-3.6.1
      libspice-controller0-debuginfo-0.34-3.6.1
      spice-gtk-debuginfo-0.34-3.6.1
      spice-gtk-debugsource-0.34-3.6.1
      spice-gtk-devel-0.34-3.6.1
      typelib-1_0-SpiceClientGlib-2_0-0.34-3.6.1
      typelib-1_0-SpiceClientGtk-3_0-0.34-3.6.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      libspice-client-glib-2_0-8-0.34-3.6.1
      libspice-client-glib-2_0-8-debuginfo-0.34-3.6.1
      libspice-client-glib-helper-0.34-3.6.1
      libspice-client-glib-helper-debuginfo-0.34-3.6.1
      libspice-client-gtk-3_0-5-0.34-3.6.1
      libspice-client-gtk-3_0-5-debuginfo-0.34-3.6.1
      libspice-controller0-0.34-3.6.1
      libspice-controller0-debuginfo-0.34-3.6.1
      spice-gtk-debuginfo-0.34-3.6.1
      spice-gtk-debugsource-0.34-3.6.1
      spice-gtk-devel-0.34-3.6.1
      typelib-1_0-SpiceClientGlib-2_0-0.34-3.6.1
      typelib-1_0-SpiceClientGtk-3_0-0.34-3.6.1

References:

   https://www.suse.com/security/cve/CVE-2020-14355.html
   https://bugzilla.suse.com/1177158

From sle-security-updates at lists.suse.com Wed Jun 9 16:17:32 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 9 Jun 2021 18:17:32 +0200 (CEST)
Subject: SUSE-SU-2021:1917-1: moderate: Security update for libxml2
Message-ID: <20210609161732.289E1FD07@maintenance.suse.de>

SUSE Security Update: Security update for libxml2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1917-1
Rating:             moderate
References:         #1186015
Cross-References:   CVE-2021-3541
CVSS scores:
                    CVE-2021-3541 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Python2 15-SP3
                    SUSE Linux Enterprise Module for Python2 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libxml2 fixes the following issues:

- CVE-2021-3541: Fixed an exponential entity expansion attack that bypasses all existing protection mechanisms. (bsc#1186015)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1917=1

   - SUSE Linux Enterprise Module for Python2 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Python2-15-SP3-2021-1917=1

   - SUSE Linux Enterprise Module for Python2 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2021-1917=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1917=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1917=1

Package List:

   - SUSE MicroOS 5.0 (aarch64 x86_64):

      libxml2-2-2.9.7-3.37.1
      libxml2-2-debuginfo-2.9.7-3.37.1
      libxml2-debugsource-2.9.7-3.37.1
      libxml2-tools-2.9.7-3.37.1
      libxml2-tools-debuginfo-2.9.7-3.37.1

   - SUSE Linux Enterprise Module for Python2 15-SP3 (aarch64 ppc64le s390x x86_64):

      python-libxml2-python-debugsource-2.9.7-3.37.1
      python2-libxml2-python-2.9.7-3.37.1
      python2-libxml2-python-debuginfo-2.9.7-3.37.1

   - SUSE Linux Enterprise Module for Python2 15-SP2 (aarch64 ppc64le s390x x86_64):

      python-libxml2-python-debugsource-2.9.7-3.37.1
      python2-libxml2-python-2.9.7-3.37.1
      python2-libxml2-python-debuginfo-2.9.7-3.37.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      libxml2-2-2.9.7-3.37.1
      libxml2-2-debuginfo-2.9.7-3.37.1
      libxml2-debugsource-2.9.7-3.37.1
      libxml2-devel-2.9.7-3.37.1
      libxml2-tools-2.9.7-3.37.1
      libxml2-tools-debuginfo-2.9.7-3.37.1
      python-libxml2-python-debugsource-2.9.7-3.37.1
      python3-libxml2-python-2.9.7-3.37.1
      python3-libxml2-python-debuginfo-2.9.7-3.37.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):

      libxml2-2-32bit-2.9.7-3.37.1
      libxml2-2-32bit-debuginfo-2.9.7-3.37.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      libxml2-2-2.9.7-3.37.1
      libxml2-2-debuginfo-2.9.7-3.37.1
      libxml2-debugsource-2.9.7-3.37.1
      libxml2-devel-2.9.7-3.37.1
      libxml2-tools-2.9.7-3.37.1
      libxml2-tools-debuginfo-2.9.7-3.37.1
      python-libxml2-python-debugsource-2.9.7-3.37.1
      python3-libxml2-python-2.9.7-3.37.1
      python3-libxml2-python-debuginfo-2.9.7-3.37.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):

      libxml2-2-32bit-2.9.7-3.37.1
      libxml2-2-32bit-debuginfo-2.9.7-3.37.1

References:

   https://www.suse.com/security/cve/CVE-2021-3541.html
   https://bugzilla.suse.com/1186015

From sle-security-updates at lists.suse.com Wed Jun 9 16:18:44 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 9 Jun 2021 18:18:44 +0200 (CEST)
Subject: SUSE-SU-2021:1915-1: important: Security update for the Linux Kernel
Message-ID: <20210609161844.ADA36FD07@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1915-1
Rating:             important
References:         #1043990 #1055117 #1065729 #1152457 #1152489 #1155518
                    #1156395 #1167260 #1167574 #1168838 #1174416 #1174426
                    #1175995 #1178089 #1179243 #1179851 #1180846 #1181161
                    #1182613 #1183063 #1183203 #1183289 #1184208 #1184209
                    #1184436 #1184485 #1184514 #1184585 #1184650 #1184724
                    #1184728 #1184730 #1184731 #1184736 #1184737 #1184738
                    #1184740 #1184741 #1184742 #1184760 #1184811 #1184893
                    #1184934 #1184942 #1184957 #1184969 #1184984 #1185041
                    #1185113 #1185233 #1185244 #1185269 #1185365 #1185454
                    #1185472 #1185491 #1185549 #1185586 #1185587
Cross-References:   CVE-2021-29155 CVE-2021-29650
CVSS scores:
                    CVE-2021-29155 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-29155 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-29650 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-29650 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Realtime 15-SP3
______________________________________________________________________________

An update that solves two vulnerabilities and has 57 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP2 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-29650: Fixed an issue with the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
- CVE-2021-29155: Fixed an issue that was discovered in kernel/bpf/verifier.c that performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation was not correctly accounted for when restricting subsequent operations (bnc#1184942).

The following non-security bugs were fixed:

- ACPI: CPPC: Replace cppc_attr with kobj_attribute (git-fixes).
- ALSA: core: remove redundant spin_lock pair in snd_card_disconnect (git-fixes).
- ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer (git-fixes).
- ALSA: hda/cirrus: Add error handling into CS8409 I2C functions (git-fixes).
- ALSA: hda/cirrus: Add Headphone and Headset MIC Volume Control (git-fixes).
- ALSA: hda/cirrus: Add jack detect interrupt support from CS42L42 companion codec (git-fixes).
- ALSA: hda/cirrus: Add support for CS8409 HDA bridge and CS42L42 companion codec (git-fixes).
- ALSA: hda/cirrus: Cleanup patch_cirrus.c code (git-fixes).
- ALSA: hda/cirrus: Fix CS42L42 Headset Mic volume control name (git-fixes).
- ALSA: hda/cirrus: Make CS8409 driver more generic by using fixups (git-fixes).
- ALSA: hda/cirrus: Set Initial DMIC volume for Bullseye to -26 dB (git-fixes).
- ALSA: hda/cirrus: Use CS8409 filter to fix abnormal sounds on Bullseye (git-fixes).
- ALSA: hda/realtek: Add quirk for Intel Clevo PCx0Dx (git-fixes).
- ALSA: hda/realtek: fix mic boost on Intel NUC 8 (git-fixes).
- ALSA: hda/realtek: fix static noise on ALC285 Lenovo laptops (git-fixes).
- ALSA: hda/realtek: GA503 use same quirks as GA401 (git-fixes).
- ALSA: hda/realtek - Headset Mic issue on HP platform (git-fixes).
- ALSA: hda/realtek: Remove redundant entry for ALC861 Haier/Uniwill devices (git-fixes).
- ALSA: hda/realtek: Re-order ALC269 Acer quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC269 ASUS quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC269 Dell quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC269 HP quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC269 Sony quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC662 quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC882 Acer quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC882 Clevo quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order remaining ALC269 quirk table entries (git-fixes).
- ALSA: sb: Fix two use after free in snd_sb_qsound_build (git-fixes).
- ALSA: usb-audio: Add DJM450 to Pioneer format quirk (git-fixes).
- ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls (git-fixes).
- ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX (git-fixes).
- ALSA: usb-audio: Configure Pioneer DJM-850 samplerate (git-fixes).
- ALSA: usb-audio: DJM-750: ensure format is set (git-fixes).
- ALSA: usb-audio: Explicitly set up the clock selector (git-fixes).
- ALSA: usb-audio: Fix implicit sync clearance at stopping stream (git-fixes).
- ALSA: usb-audio: Fix Pioneer DJM devices URB_CONTROL request direction to set samplerate (git-fixes).
- ALSA: usb: midi: do not return -ENOMEM when usb_urb_ep_type_check fails (git-fixes).
- arm: dts: add imx7d pcf2127 fix to blacklist
- ASoC: ak5558: correct reset polarity (git-fixes).
- ASoC: ak5558: Fix s/show/slow/ typo (git-fixes).
- ASoC: Intel: kbl_da7219_max98927: Fix kabylake_ssp_fixup function (git-fixes).
- ASoC: samsung: tm2_wm5110: check of of_parse return value (git-fixes).
- ASoC: simple-card: fix possible uninitialized single_cpu local variable (git-fixes).
- ASoC: SOF: Intel: HDA: fix core status verification (git-fixes).
- ASoC: SOF: Intel: hda: remove unnecessary parentheses (git-fixes).
- ata: libahci_platform: fix IRQ check (git-fixes).
- ath10k: Fix ath10k_wmi_tlv_op_pull_peer_stats_info() unlock without lock (git-fixes).
- ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices (git-fixes).
- backlight: journada720: Fix Wmisleading-indentation warning (git-fixes).
- blkcg: fix memleak for iolatency (git-fixes).
- block, bfq: set next_rq to waker_bfqq->next_rq in waker injection (bsc#1168838).
- block: recalculate segment count for multi-segment discards correctly (bsc#1184724).
- block: rsxx: select CONFIG_CRC32 (git-fixes).
- bluetooth: eliminate the potential race condition when removing the HCI controller (git-fixes).
- bnxt_en: reverse order of TX disable and carrier off (git-fixes).
- bpf: Fix verifier jsgt branch analysis on max bound (bsc#1155518).
- bpf, libbpf: Only create rx and tx XDP rings when necessary (bsc#1155518).
- bpf, samples: Fix possible hang in xdpsock with multiple threads (bsc#1155518).
- bpf, sockmap: Fix sk->prot unhash op reset (bsc#1155518).
- bsg: free the request before return error code (git-fixes).
- btrfs: fix qgroup data rsv leak caused by falloc failure (bsc#1185549).
- btrfs: fix race between swap file activation and snapshot creation (bsc#1185587).
- btrfs: fix race between writes to swap files and scrub (bsc#1185586).
- btrfs: track qgroup released data in own variable in insert_prealloc_file_extent (bsc#1185549).
- bus: qcom: Put child node before return (git-fixes).
- cfg80211: remove WARN_ON() in cfg80211_sme_connect (git-fixes).
- clk: exynos7: Mark aclk_fsys1_200 as critical (git-fixes).
- clk: mvebu: armada-37xx-periph: Fix switching CPU freq from 250 Mhz to 1 GHz (git-fixes).
- clk: mvebu: armada-37xx-periph: Fix workaround for switching from L1 to L0 (git-fixes).
- clk: mvebu: armada-37xx-periph: remove .set_parent method for CPU PM clock (git-fixes).
- clk: qcom: a53-pll: Add missing MODULE_DEVICE_TABLE (git-fixes).
- clk: uniphier: Fix potential infinite loop (git-fixes).
- clk: zynqmp: move zynqmp_pll_set_mode out of round_rate callback (git-fixes).
- coresight: etm4x: Fix issues on trcseqevr access (git-fixes).
- coresight: etm4x: Fix save and restore of TRCVMIDCCTLR1 register (git-fixes).
- coresight: tmc-etr: Fix barrier packet insertion for perf buffer (git-fixes).
- cpufreq: armada-37xx: Fix determining base CPU frequency (git-fixes).
- cpufreq: armada-37xx: Fix driver cleanup when registration failed (git-fixes).
- cpufreq: armada-37xx: Fix setting TBG parent for load levels (git-fixes).
- cpufreq: armada-37xx: Fix the AVS value for load L1 (git-fixes).
- cpufreq: Kconfig: fix documentation links (git-fixes).
- crypto: arm/curve25519 - Move '.fpu' after '.arch' (git-fixes).
- crypto: rng - fix crypto_rng_reset() refcounting when !CRYPTO_STATS (git-fixes).
- cxgb4: avoid collecting SGE_QBASE regs during traffic (git-fixes).
- cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (git-fixes).
- dmaengine: dw: Make it dependent to HAS_IOMEM (git-fixes).
- dm: eliminate potential source of excessive kernel log noise (git-fixes).
- dm era: Fix bitset memory leaks (git-fixes).
- dm era: only resize metadata in preresume (git-fixes).
- dm era: Recover committed writeset after crash (git-fixes).
- dm era: Reinitialize bitset cache before digesting a new writeset (git-fixes).
- dm era: Use correct value size in equality function of writeset tree (git-fixes).
- dm era: Verify the data block size hasn't changed (git-fixes).
- dm: fix bug with RCU locking in dm_blk_report_zones (git-fixes).
- dm integrity: fix error reporting in bitmap mode after creation (git-fixes).
- dm ioctl: fix error return code in target_message (git-fixes).
- dm mpath: fix racey management of PG initialization (git-fixes).
- dm mpath: switch paths in dm_blk_ioctl() code path (bsc#1167574, bsc#1175995, bsc#1184485).
- dm raid: fix discard limits for raid1 (git-fixes).
- dm: remove invalid sparse __acquires and __releases annotations (git-fixes).
- dm writecache: fix the maximum number of arguments (git-fixes).
- dm writecache: handle DAX to partitions on persistent memory correctly (git-fixes).
- dm writecache: remove BUG() and fail gracefully instead (git-fixes).
- dm zoned: select CONFIG_CRC32 (git-fixes).
- dpaa_eth: copy timestamp fields to new skb in A-050385 workaround (git-fixes).
- dpaa_eth: fix the RX headroom size alignment (git-fixes).
- dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom (git-fixes).
- dpaa_eth: Use random MAC address when none is given (bsc#1184811).
- drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' (git-fixes).
- drm/amdkfd: fix build error with AMD_IOMMU_V2=m (git-fixes).
- drm/ast: Add 25MHz refclk support (bsc#1174416).
- drm/ast: Add support for 1152x864 mode (bsc#1174416).
- drm/ast: Add support for AIP200 (bsc#1174416).
- drm/ast: AST2500 fixups (bsc#1174416).
- drm/ast: Correct mode table for AST2500 precatch (bsc#1174416).
- drm/ast: Disable screen on register init (bsc#1174416).
- drm/ast: Disable VGA decoding while driver is active (bsc#1174416).
- drm/ast: drm/ast: Fix boot address for AST2500 (bsc#1174416).
- drm/ast: Fix P2A config detection (bsc#1174416).
- drm/ast: Fix register access in non-P2A mode for DP501 (bsc#1174416).
- drm/ast: Keep MISC fields when enabling VGA (bsc#1174416).
- drm/i915/gvt: Fix error code in intel_gvt_init_device() (git-fixes).
- drm/imx: imx-ldb: fix out of bounds array access warning (git-fixes).
- drm/msm: Fix a5xx/a6xx timestamps (git-fixes).
- drm/omap: fix misleading indentation in pixinc() (git-fixes).
- drm/radeon: fix copy of uninitialized variable back to userspace (git-fixes).
- drm/tegra: dc: Do not set PLL clock to 0Hz (git-fixes).
- e1000e: add rtnl_lock() to e1000_reset_task (git-fixes).
- e1000e: Fix duplicate include guard (git-fixes).
- e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 (git-fixes).
- enetc: Let the hardware auto-advance the taprio base-time of 0 (git-fixes).
- enetc: Workaround for MDIO register access issue (git-fixes).
- ethernet/netronome/nfp: Fix a use after free in nfp_bpf_ctrl_msg_rx (git-fixes).
- ext4: do not try to set xattr into ea_inode if value is empty (bsc#1184730).
- ext4: find old entry again if failed to rename whiteout (bsc#1184742).
- ext4: fix potential error in ext4_do_update_inode (bsc#1184731).
- ext4: fix potential htree index checksum corruption (bsc#1184728).
- firmware: qcom-scm: Fix QCOM_SCM configuration (git-fixes).
- fnic: use scsi_host_busy_iter() to traverse commands (bsc#1179851).
- fotg210-udc: Complete OUT requests on short packets (git-fixes).
- fotg210-udc: Do not DMA more than the buffer can take (git-fixes).
- fotg210-udc: Fix DMA on EP0 for length > max packet size (git-fixes).
- fotg210-udc: Fix EP0 IN requests bigger than two packets (git-fixes).
- fotg210-udc: Mask GRP2 interrupts we do not handle (git-fixes).
- fotg210-udc: Remove a dubious condition leading to fotg210_done (git-fixes).
- fs: direct-io: fix missing sdio->boundary (bsc#1184736).
- fs/jfs: fix potential integer overflow on shift of a int (bsc#1184741).
- fsl/fman: reuse set_mac_address() in dtsec init() (bsc#1184811).
- fsl/fman: tolerate missing MAC address in device tree (bsc#1184811).
- gpio: omap: Save and restore sysconfig (git-fixes).
- gpio: sysfs: Obey valid_mask (git-fixes).
- HID: alps: fix error return code in alps_input_configured() (git-fixes).
- HID: google: add don USB id (git-fixes).
- HID: plantronics: Workaround for double volume key presses (git-fixes).
- HID: wacom: Assign boolean values to a bool variable (git-fixes).
- HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices (git-fixes).
- i2c: cadence: add IRQ check (git-fixes).
- i2c: emev2: add IRQ check (git-fixes).
- i2c: img-scb: fix reference leak when pm_runtime_get_sync fails (git-fixes).
- i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails (git-fixes).
- i2c: jz4780: add IRQ check (git-fixes).
- i2c: omap: fix reference leak when pm_runtime_get_sync fails (git-fixes).
- i2c: sh7760: add IRQ check (git-fixes).
- i2c: sh7760: fix IRQ error path (git-fixes).
- i2c: sprd: fix reference leak when pm_runtime_get_sync fails (git-fixes).
- i40e: Added Asym_Pause to supported link modes (git-fixes).
- i40e: Add zero-initialization of AQ command structures (git-fixes).
- i40e: Fix addition of RX filters after enabling FW LLDP agent (git-fixes).
- i40e: Fix add TC filter for IPv6 (git-fixes).
- i40e: Fix display statistics for veb_tc (git-fixes).
- i40e: Fix endianness conversions (git-fixes).
- i40e: Fix flow for IPv6 next header (extension header) (git-fixes).
- i40e: Fix kernel oops when i40e driver removes VF's (git-fixes).
- i40e: Fix overwriting flow control settings during driver loading (git-fixes).
- i40e: Fix sparse errors in i40e_txrx.c (git-fixes).
- i40e: Fix sparse warning: missing error code 'err' (git-fixes).
- i40e: fix the panic when running bpf in xdpdrv mode (git-fixes).
- ibmvnic: avoid calling napi_disable() twice (bsc#1065729).
- ibmvnic: clean up the remaining debugfs data structures (bsc#1065729).
- ibmvnic: correctly use dev_consume/free_skb_irq (jsc#SLE-17268 jsc#SLE-17043 bsc#1179243 ltc#189290 git-fixes).
- ibmvnic: improve failover sysfs entry (bsc#1043990 ltc#155681 git-fixes).
- ibmvnic: print adapter state as a string (bsc#1152457 ltc#174432 git-fixes).
- ibmvnic: print reset reason as a string (bsc#1152457 ltc#174432 git-fixes).
- ibmvnic: queue reset work in system_long_wq (bsc#1152457 ltc#174432 git-fixes).
- ibmvnic: remove duplicate napi_schedule call in do_reset function (bsc#1065729).
- ibmvnic: remove duplicate napi_schedule call in open function (bsc#1065729).
- ice: Account for port VLAN in VF max packet size calculation (git-fixes).
- ice: Cleanup fltr list in case of allocation issues (git-fixes).
- ice: Fix for dereference of NULL pointer (git-fixes).
- ice: Increase control queue timeout (git-fixes).
- ice: prevent ice_open and ice_stop during reset (git-fixes).
- igb: check timestamp validity (git-fixes).
- igb: Fix duplicate include guard (git-fixes).
- igc: Fix Pause Frame Advertising (git-fixes).
- igc: Fix Supported Pause Frame Link Setting (git-fixes).
- igc: reinit_locked() should be called with rtnl_lock (git-fixes).
- iio:accel:adis16201: Fix wrong axis assignment that prevents loading (git-fixes).
- ima: Free IMA measurement buffer after kexec syscall (git-fixes).
- Input: i8042 - fix Pegatron C15B ID entry (git-fixes).
- Input: nspire-keypad - enable interrupts only when opened (git-fixes).
- Input: s6sy761 - fix coordinate read bit shift (git-fixes).
- interconnect: core: fix error return code of icc_link_destroy() (git-fixes).
- iopoll: introduce read_poll_timeout macro (git-fixes).
- iommu/vt-d: Use device numa domain if RHSA is missing (bsc#1184585).
- ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() (git-fixes).
- irqchip: Add support for Layerscape external interrupt lines (bsc#1185233).
- irqchip/ls-extirq: add IRQCHIP_SKIP_SET_WAKE to the irqchip flags (bsc#1185233).
- irqchip/ls-extirq: Add LS1043A, LS1088A external interrupt support (bsc#1185233).
- isofs: release buffer head before return (bsc#1182613).
- ixgbe: fail to create xfrm offload of IPsec tunnel mode SA (git-fixes).
- jffs2: fix use after free in jffs2_sum_write_data() (bsc#1184740).
- kABI: cover up change in struct kvm_arch (bsc#1184969).
- kABI: Fix kABI caused by fixes for bsc#1174426 (bsc#1174426).
- kABI: powerpc/pseries: Add shutdown() to vio_driver and vio_bus (bsc#1184209 ltc#190917).
- kernel/smp: make csdlock timeout depend on boot parameter (bsc#1180846).
- KVM: kvmclock: Fix vCPUs > 64 can't be online/hotpluged (bsc#1152489).
- KVM: PPC: Book3S HV P9: Restore host CTRL SPR after guest exit (bsc#1156395).
- KVM: PPC: Make the VMX instruction emulation routines static (bsc#1156395).
- libnvdimm/label: Return -ENXIO for no slot in __blk_label_update (bsc#1185269).
- libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels (bsc#1185269).
- libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC (bsc#1184969 git-fixes).
- libnvdimm/security: ensure sysfs poll thread woke up and fetch updated attr (git-fixes).
- liquidio: Fix unintented sign extension of a left shift of a u16 (git-fixes).
- locking/qrwlock: Fix ordering in queued_write_lock_slowpath() (bsc#1185041).
- mac80211: bail out if cipher schemes are invalid (git-fixes).
- mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN (git-fixes).
- macvlan: macvlan_count_rx() needs to be aware of preemption (git-fixes).
- media: dvbdev: Fix memory leak in dvb_media_device_free() (git-fixes).
- media: m88rs6000t: avoid potential out-of-bounds reads on arrays (git-fixes).
- media: mantis: remove orphan mantis_core.c (git-fixes).
- media: omap4iss: return error code when omap4iss_get() failed (git-fixes).
- media: platform: sunxi: sun6i-csi: fix error return code of sun6i_video_start_streaming() (git-fixes).
- media: staging/intel-ipu3: Fix memory leak in imu_fmt (git-fixes).
- media: staging/intel-ipu3: Fix race condition during set_fmt (git-fixes).
- media: staging/intel-ipu3: Fix set_fmt error handling (git-fixes).
- media: v4l2-ctrls.c: fix race condition in hdl->requests list (git-fixes).
- memory: gpmc: fix out of bounds read and dereference on gpmc_cs[] (git-fixes).
- memory: pl353: fix mask of ECC page_size config register (git-fixes).
- mfd: lpc_sch: Partially revert "Add support for Intel Quark X1000" (git-fixes).
- mfd: stm32-timers: Avoid clearing auto reload register (git-fixes).
- misc: lis3lv02d: Fix false-positive WARN on various HP models (git-fixes).
- misc: vmw_vmci: explicitly initialize vmci_datagram payload (git-fixes).
- misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct (git-fixes).
- mmc: core: Correct descriptions in mmc_of_parse() (git-fixes).
- mmc: cqhci: Add cqhci_deactivate() (git-fixes).
- mmc: mmc_spi: Drop unused NO_IRQ definition (git-fixes).
- mmc: sdhci-of-arasan: Add missed checks for devm_clk_register() (git-fixes).
- mmc: sdhci-of-dwcmshc: fix rpmb access (git-fixes).
- mmc: sdhci-of-dwcmshc: implement specific set_uhs_signaling (git-fixes).
- mmc: sdhci-of-esdhc: make sure delay chain locked for HS400 (git-fixes).
- mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes).
- mmc: sdhci-pci: Fix SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers (git-fixes).
- mmc: sdhci: Use Auto CMD Auto Select only when v4_mode is true (git-fixes).
- mmc: uniphier-sd: Fix an error handling path in uniphier_sd_probe() (git-fixes).
- mmc: uniphier-sd: Fix a resource leak in the remove function (git-fixes).
- mm/rmap: fix potential pte_unmap on an not mapped pte (git-fixes).
- Move upstreamed i915 fix into sorted section
- mt7601u: fix always true expression (git-fixes).
- mtd: Handle possible -EPROBE_DEFER from parse_mtd_partitions() (git-fixes).
- mtd: rawnand: brcmnand: fix OOB R/W with Hamming ECC (git-fixes).
- mtd: rawnand: fsmc: Fix error code in fsmc_nand_probe() (git-fixes).
- mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init (git-fixes).
- mtd: rawnand: qcom: Return actual error code instead of -ENODEV (git-fixes).
- mtd: require write permissions for locking and badblock ioctls (git-fixes).
- mtd: spinand: core: add missing MODULE_DEVICE_TABLE() (git-fixes).
- mtd: spi-nor: Rename "n25q512a" to "mt25qu512a (n25q512a)" (bsc#1167260).
- mtd: spi-nor: Split mt25qu512a (n25q512a) entry into two (bsc#1167260).
- nbd: fix a block_device refcount leak in nbd_release (git-fixes).
- net: atlantic: fix out of range usage of active_vlans array (git-fixes).
- net: atlantic: fix potential error handling (git-fixes).
- net: atlantic: fix use after free kasan warn (git-fixes).
- net: dsa: felix: implement port flushing on .phylink_mac_link_down (git-fixes).
- net: enetc: remove bogus write to SIRXIDR from enetc_setup_rxbdr (git-fixes).
- net: enetc: take the MDIO lock only once per NAPI poll cycle (git-fixes).
- net: geneve: check skb is large enough for IPv4/IPv6 header (git-fixes).
- net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb (git-fixes).
- net: hns3: clear VF down state bit before request link status (git-fixes).
- net: hns3: fix bug when calculating the TCAM table info (git-fixes).
- net: hns3: fix query vlan mask value error for flow director (git-fixes).
- net: hns3: Remove un-necessary 'else-if' in the hclge_reset_event() (git-fixes).
- net: ll_temac: Add more error handling of dma_map_single() calls (git-fixes).
- net: ll_temac: Fix race condition causing TX hang (git-fixes).
- net: ll_temac: Fix RX buffer descriptor handling on GFP_ATOMIC pressure (git-fixes).
- net: ll_temac: Handle DMA halt condition caused by buffer underrun (git-fixes).
- net/mlx4_core: Add missed mlx4_free_cmd_mailbox() (git-fixes).
- net/mlx5: Do not request more than supported EQs (git-fixes).
- net/mlx5e: Do not match on Geneve options in case option masks are all zero (git-fixes).
- net/mlx5e: Fix error path for ethtool set-priv-flag (git-fixes).
- net/mlx5e: Fix ethtool indication of connector type (git-fixes).
- net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta (jsc#SLE-8464).
- net:nfc:digital: Fix a double free in digital_tg_recv_dep_req (git-fixes).
- net: phy: intel-xway: enable integrated led functions (git-fixes).
- net: phy: marvell: fix m88e1011_set_downshift (git-fixes).
- net: phy: marvell: fix m88e1111_set_downshift (git-fixes).
- net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template (git-fixes).
- net: smc911x: Adjust indentation in smc911x_phy_configure (git-fixes).
- net: stmmac: fix missing IFF_MULTICAST check in dwmac4_set_filter (git-fixes).
- net: stmmac: xgmac: fix missing IFF_MULTICAST checki in dwxgmac2_set_filter (git-fixes).
- net: tulip: Adjust indentation in {dmfe, uli526x}_init_module (git-fixes).
- nfc: pn533: prevent potential memory corruption (git-fixes).
- nfp: flower: ignore duplicate merge hints from FW (git-fixes).
- node: fix device cleanups in error handling code (git-fixes).
- null_blk: fix passing of REQ_FUA flag in null_handle_rq (git-fixes).
- nvme-fabrics: reject I/O to offline device (bsc#1181161).
- nvme-tcp: fix possible hang when failing to set io queues (bsc#1181161).
- ocfs2: fix a use after free on error (bsc#1184738).
- pata_arasan_cf: fix IRQ check (git-fixes).
- pata_ipx4xx_cf: fix IRQ check (git-fixes).
- PCI/AER: Add pcie_walk_rcec() to RCEC AER handling (bsc#1174426).
- PCI/AER: Add RCEC AER error injection support (bsc#1174426).
- PCI/AER: Clear AER status from Root Port when resetting Downstream Port (bsc#1174426).
- PCI/AER: Specify the type of Port that was reset (bsc#1174426).
- PCI/AER: Use "aer" variable for capability offset (bsc#1174426).
- PCI/AER: Write AER Capability only when we control it (bsc#1174426).
- PCI: designware-ep: Fix the Header Type check (git-fixes).
- PCI/ERR: Add pcie_link_rcec() to associate RCiEPs (bsc#1174426).
- PCI/ERR: Add pci_walk_bridge() to pcie_do_recovery() (bsc#1174426).
- PCI/ERR: Avoid negated conditional for clarity (bsc#1174426).
- PCI/ERR: Bind RCEC devices to the Root Port driver (bsc#1174426).
- PCI/ERR: Cache RCEC EA Capability offset in pci_init_capabilities() (bsc#1174426).
- PCI/ERR: Clear AER status only when we control AER (bsc#1174426).
- PCI/ERR: Clear PCIe Device Status errors only if OS owns AER (bsc#1174426).
- PCI/ERR: Clear status of the reporting device (bsc#1174426).
- PCI/ERR: Recover from RCEC AER errors (bsc#1174426).
- PCI/ERR: Recover from RCiEP AER errors (bsc#1174426).
- PCI/ERR: Rename reset_link() to reset_subordinates() (bsc#1174426).
- PCI/ERR: Retain status from error notification (bsc#1174426).
- PCI/ERR: Simplify by computing pci_pcie_type() once (bsc#1174426).
- PCI/ERR: Simplify by using pci_upstream_bridge() (bsc#1174426).
- PCI/ERR: Use "bridge" for clarity in pcie_do_recovery() (bsc#1174426).
- PCI/PME: Add pcie_walk_rcec() to RCEC PME handling (bsc#1174426).
- PCI/portdrv: Report reset for frozen channel (bsc#1174426).
- PCI: tegra: Fix ASPM-L1SS advertisement disable code (git-fixes).
- PCI: tegra: Move "dbi" accesses to post common DWC initialization (git-fixes).
- phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y, unconditionally (git-fixes).
- pinctrl: core: Fix kernel doc string for pin_get_name() (git-fixes).
- pinctrl: Ingenic: Add missing pins to the JZ4770 MAC MII group (git-fixes).
- platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards with critclk_systems DMI table (git-fixes).
- PM: runtime: Add documentation for pm_runtime_resume_and_get() (git-fixes).
- powerepc/book3s64/hash: Align start/end address correctly with bolt mapping (bsc#1184957).
- powerpc/64s: Fix pte update for kernel memory on radix (bsc#1055117 git-fixes).
- powerpc/asm-offsets: GPR14 is not needed either (bsc#1065729).
- powerpc/eeh: Fix EEH handling for hugepages in ioremap space (bsc#1156395).
- powerpc/fadump: Mark fadump_calculate_reserve_size as __init (bsc#1065729).
- powerpc/mm: Add cond_resched() while removing hpte mappings (bsc#1183289 ltc#191637).
- powerpc/papr_scm: Fix build error due to wrong printf specifier (bsc#1184969).
- powerpc/papr_scm: Implement support for H_SCM_FLUSH hcall (bsc#1184969).
- powerpc/perf: Fix PMU constraint check for EBB events (bsc#1065729).
- powerpc/prom: Mark identical_pvr_fixup as __init (bsc#1065729).
- powerpc/pseries: Add shutdown() to vio_driver and vio_bus (bsc#1184209 ltc#190917).
- powerpc/time: Enable sched clock for irqtime (bsc#1156395).
- regmap: set debugfs_name to NULL after it is freed (git-fixes).
- regulator: Avoid a double 'of_node_get' in 'regulator_of_get_init_node()' (git-fixes).
- reintroduce cqhci_suspend for kABI (git-fixes).
- reiserfs: update reiserfs_xattrs_initialized() condition (bsc#1184737).
- rpm/constraints.in: bump disk space to 45GB on riscv64
- rpm/kernel-obs-build.spec.in: Include essiv with dm-crypt (boo#1183063).
- rpm/macros.kernel-source: fix KMP failure in %install (bsc#1185244)
- rpm/mkspec: Use tilde instead of dot for version string with rc (bsc#1184650)
- rsi: Use resume_noirq for SDIO (git-fixes).
- rsxx: remove extraneous 'const' qualifier (git-fixes).
- rtc: ds1307: Fix wday settings for rx8130 (git-fixes).
- rtc: fsl-ftm-alarm: add MODULE_TABLE() (bsc#1185454).
- rtc: fsl-ftm-alarm: avoid struct rtc_time conversions (bsc#1185454).
- rtc: fsl-ftm-alarm: enable acpi support (bsc#1185454).
- rtc: fsl-ftm-alarm: fix freeze(s2idle) failed to wake (bsc#1185454).
- rtc: fsl-ftm-alarm: report alarm to core (bsc#1185454).
- rtc: fsl-ftm-alarm: switch to ktime_get_real_seconds (bsc#1185454).
- rtc: fsl-ftm-alarm: switch to rtc_time64_to_tm/rtc_tm_to_time64 (bsc#1185454).
- rtc: fsl-ftm-alarm: update acpi device id (bsc#1185454).
- rtc: pcf2127: add alarm support (bsc#1185233).
- rtc: pcf2127: add pca2129 device id (bsc#1185233).
- rtc: pcf2127: add tamper detection support (bsc#1185233).
- rtc: pcf2127: add watchdog feature support (bsc#1185233).
- rtc: pcf2127: bugfix: watchdog build dependency (bsc#1185233).
- rtc: pcf2127: cleanup register and bit defines (bsc#1185233).
- rtc: pcf2127: convert to devm_rtc_allocate_device (bsc#1185233).
- rtc: pcf2127: fix a bug when not specify interrupts property (bsc#1185233).
- rtc: pcf2127: fix alarm handling (bsc#1185233).
- rtc: pcf2127: fix pcf2127_nvmem_read/write() returns (bsc#1185233).
- rtc: pcf2127: handle boot-enabled watchdog feature (bsc#1185233).
- rtc: pcf2127: let the core handle rtc range (bsc#1185233).
- rtc: pcf2127: move watchdog initialisation to a separate function (bsc#1185233).
- rtc: pcf2127: only use watchdog when explicitly available (bsc#1185233).
- rtc: pcf2127: properly set flag WD_CD for rtc chips(pcf2129, pca2129) (bsc#1185233).
- rtc: pcf2127: remove unnecessary #ifdef (bsc#1185233).
- rtc: pcf2127: set regmap max_register (bsc#1185233).
- rtc: pcf2127: watchdog: handle nowayout feature (bsc#1185233).
- rtlwifi: 8821ae: upgrade PHY and RF parameters (git-fixes).
- rtw88: Fix array overrun in rtw_get_tx_power_params() (git-fixes).
- sata_mv: add IRQ checks (git-fixes).
- scsi: block: Fix a race in the runtime power management code (git-fixes).
- scsi: core: add scsi_host_busy_iter() (bsc#1179851).
- scsi: core: Only return started requests from scsi_host_find_tag() (bsc#1179851). - scsi: lpfc: Copyright updates for 12.8.0.9 patches (bsc#1185472). - scsi: lpfc: Eliminate use of LPFC_DRIVER_NAME in lpfc_attr.c (bsc#1185472). - scsi: lpfc: Fix a bunch of kernel-doc issues (bsc#1185472). - scsi: lpfc: Fix a bunch of kernel-doc misdemeanours (bsc#1185472). - scsi: lpfc: Fix a bunch of misnamed functions (bsc#1185472). - scsi: lpfc: Fix a few incorrectly named functions (bsc#1185472). - scsi: lpfc: Fix a typo (bsc#1185472). - scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO response (bsc#1185472). - scsi: lpfc: Fix DMA virtual address ptr assignment in bsg (bsc#1185365). - scsi: lpfc: Fix error handling for mailboxes completed in MBX_POLL mode (bsc#1185472). - scsi: lpfc: Fix formatting and misspelling issues (bsc#1185472). - scsi: lpfc: Fix gcc -Wstringop-overread warning (bsc#1185472). - scsi: lpfc: Fix illegal memory access on Abort IOCBs (bsc#1183203). - scsi: lpfc: Fix incorrectly documented function lpfc_debugfs_commonxripools_data() (bsc#1185472). - scsi: lpfc: Fix incorrect naming of __lpfc_update_fcf_record() (bsc#1185472). - scsi: lpfc: Fix kernel-doc formatting issue (bsc#1185472). - scsi: lpfc: Fix lack of device removal on port swaps with PRLIs (bsc#1185472). - scsi: lpfc: Fix lpfc_hdw_queue attribute being ignored (bsc#1185472). - scsi: lpfc: Fix missing FDMI registrations after Mgmt Svc login (bsc#1185472). - scsi: lpfc: Fix NMI crash during rmmod due to circular hbalock dependency (bsc#1185472). - scsi: lpfc: Fix reference counting errors in lpfc_cmpl_els_rsp() (bsc#1185472). - scsi: lpfc: Fix rmmod crash due to bad ring pointers to abort_iotag (bsc#1185472). - scsi: lpfc: Fix silent memory allocation failure in lpfc_sli4_bsg_link_diag_test() (bsc#1185472). - scsi: lpfc: Fix some error codes in debugfs (bsc#1185472). - scsi: lpfc: Fix use-after-free on unused nodes after port swap (bsc#1185472). 
- scsi: lpfc: Fix various trivial errors in comments and log messages (bsc#1185472). - scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic (bsc#1185472). - scsi: lpfc: Standardize discovery object logging format (bsc#1185472). - scsi: lpfc: Update lpfc version to 12.8.0.9 (bsc#1185472). - scsi: qla2xxx: Add error counters to debugfs node (bsc#1185491). - scsi: qla2xxx: Add H:C:T info in the log message for fc ports (bsc#1185491). - scsi: qla2xxx: Always check the return value of qla24xx_get_isp_stats() (bsc#1185491). - scsi: qla2xxx: Assign boolean values to a bool variable (bsc#1185491). - scsi: qla2xxx: Check kzalloc() return value (bsc#1185491). - scsi: qla2xxx: Consolidate zio threshold setting for both FCP & NVMe (bsc#1185491). - scsi: qla2xxx: Constify struct qla_tgt_func_tmpl (bsc#1185491). - scsi: qla2xxx: Do logout even if fabric scan retries got exhausted (bsc#1185491). - scsi: qla2xxx: Enable NVMe CONF (BIT_7) when enabling SLER (bsc#1185491). - scsi: qla2xxx: fc_remote_port_chkready() returns a SCSI result value (bsc#1185491). - scsi: qla2xxx: Fix a couple of misdocumented functions (bsc#1185491). - scsi: qla2xxx: Fix a couple of misnamed functions (bsc#1185491). - scsi: qla2xxx: Fix broken #endif placement (bsc#1185491). - scsi: qla2xxx: Fix crash in PCIe error handling (bsc#1185491). - scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() (bsc#1185491). - scsi: qla2xxx: Fix endianness annotations (bsc#1185491). - scsi: qla2xxx: Fix incorrectly named function qla8044_check_temp() (bsc#1185491). - scsi: qla2xxx: Fix IOPS drop seen in some adapters (bsc#1185491). - scsi: qla2xxx: Fix mailbox Ch erroneous error (bsc#1185491). - scsi: qla2xxx: Fix mailbox recovery during PCIe error (bsc#1185491). - scsi: qla2xxx: Fix RISC RESET completion polling (bsc#1185491). - scsi: qla2xxx: Fix some incorrect formatting/spelling issues (bsc#1185491). - scsi: qla2xxx: Fix some memory corruption (bsc#1185491). - scsi: qla2xxx: Fix stuck session (bsc#1185491).
- scsi: qla2xxx: Fix use after free in bsg (bsc#1185491). - scsi: qla2xxx: Implementation to get and manage host, target stats and initiator port (bsc#1185491). - scsi: qla2xxx: Move some messages from debug to normal log level (bsc#1185491). - scsi: qla2xxx: Remove redundant NULL check (bsc#1185491). - scsi: qla2xxx: Remove unnecessary NULL check (bsc#1185491). - scsi: qla2xxx: Remove unneeded if-null-free check (bsc#1185491). - scsi: qla2xxx: Replace __qla2x00_marker()'s missing underscores (bsc#1185491). - scsi: qla2xxx: Reserve extra IRQ vectors (bsc#1184436). - scsi: qla2xxx: Reuse existing error handling path (bsc#1185491). - scsi: qla2xxx: Simplify if statement (bsc#1185491). - scsi: qla2xxx: Simplify qla8044_minidump_process_control() (bsc#1185491). - scsi: qla2xxx: Simplify the calculation of variables (bsc#1185491). - scsi: qla2xxx: Suppress Coverity complaints about dseg_r* (bsc#1185491). - scsi: qla2xxx: Update default AER debug mask (bsc#1185491). - scsi: qla2xxx: Update version to 10.02.00.105-k (bsc#1185491). - scsi: qla2xxx: Update version to 10.02.00.106-k (bsc#1185491). - scsi: qla2xxx: Use dma_pool_zalloc() (bsc#1185491). - scsi: qla2xxx: Wait for ABTS response on I/O timeouts for NVMe (bsc#1185491). - scsi: smartpqi: Correct driver removal with HBA disks (bsc#1178089). - scsi: smartpqi: Correct pqi_sas_smp_handler busy condition (bsc#1178089). - scsi: smartpqi: Update version to 1.2.16-012 (bsc#1178089). - selftests/powerpc: Add pkey helpers for rights (bsc#1184934 ltc#191460). - selftests/powerpc: Add test for execute-disabled pkeys (bsc#1184934 ltc#191460). - selftests/powerpc: Add test for pkey siginfo verification (bsc#1184934 ltc#191460). - selftests/powerpc: Add wrapper for gettid (bsc#1184934 ltc#191460). - selftests/powerpc: Fix exit status of pkey tests (bsc#1184934 ltc#191460). - selftests/powerpc: Fix L1D flushing tests for Power10 (bsc#1184934 ltc#191460). - selftests/powerpc: Fix pkey syscall redefinitions (bsc#1184934 ltc#191460). 
- selftests/powerpc: Move pkey helpers to headers (bsc#1184934 ltc#191460). - selftests/powerpc: refactor entry and rfi_flush tests (bsc#1184934 ltc#191460). - soc: aspeed: fix a ternary sign expansion bug (git-fixes). - soc: qcom: mdt_loader: Detect truncated read of segments (git-fixes). - soc: qcom: mdt_loader: Validate that p_filesz < p_memsz (git-fixes). - soundwire: bus: Fix device found flag correctly (git-fixes). - soundwire: stream: fix memory leak in stream config error path (git-fixes). - spi: fsl-dspi: fix NULL pointer dereference (bsc#1167260). - spi: fsl-dspi: fix use-after-free in remove path (bsc#1167260). - spi: fsl-dspi: fix wrong pointer in suspend/resume (bsc#1167260). - spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware() (git-fixes). - spi: Introduce dspi_slave_abort() function for NXP's dspi SPI driver (bsc#1167260). - spi: spi-fsl-dspi: Accelerate transfers using larger word size if possible (bsc#1167260). - spi: spi-fsl-dspi: Add comments around dspi_pop_tx and dspi_push_rx functions (bsc#1167260). - spi: spi-fsl-dspi: Adding shutdown hook (bsc#1167260). - spi: spi-fsl-dspi: Add support for LS1028A (bsc#1167260). - spi: spi-fsl-dspi: Always use the TCFQ devices in poll mode (bsc#1167260). - spi: spi-fsl-dspi: Avoid NULL pointer in dspi_slave_abort for non-DMA mode (bsc#1167260). - spi: spi-fsl-dspi: Avoid reading more data than written in EOQ mode (bsc#1167260). - spi: spi-fsl-dspi: Change usage pattern of SPI_MCR_* and SPI_CTAR_* macros (bsc#1167260). - spi: spi-fsl-dspi: Convert TCFQ users to XSPI FIFO mode (bsc#1167260). - spi: spi-fsl-dspi: Convert the instantiations that support it to DMA (bsc#1167260). - spi: spi-fsl-dspi: delete EOQ transfer mode (bsc#1167260). - spi: spi-fsl-dspi: Demistify magic value in SPI_SR_CLEAR (bsc#1167260). - spi: spi-fsl-dspi: Do not access reserved fields in SPI_MCR (bsc#1167260). - spi: spi-fsl-dspi: Do not mask off undefined bits (bsc#1167260).
- spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours (bsc#1167260). - spi: spi-fsl-dspi: Fix 16-bit word order in 32-bit XSPI mode (bsc#1167260). - spi: spi-fsl-dspi: Fix bits-per-word acceleration in DMA mode (bsc#1167260). - spi: spi-fsl-dspi: Fix code alignment (bsc#1167260). - spi: spi-fsl-dspi: fix DMA mapping (bsc#1167260). - spi: spi-fsl-dspi: Fix external abort on interrupt in resume or exit paths (bsc#1167260). - spi: spi-fsl-dspi: Fix interrupt-less DMA mode taking an XSPI code path (bsc#1167260). - spi: spi-fsl-dspi: Fix little endian access to PUSHR CMD and TXDATA (bsc#1167260). - spi: spi-fsl-dspi: Fix lockup if device is removed during SPI transfer (bsc#1167260). - spi: spi-fsl-dspi: Fix lockup if device is shutdown during SPI transfer (bsc#1167260). - spi: spi-fsl-dspi: fix native data copy (bsc#1167260). - spi: spi-fsl-dspi: Fix race condition in TCFQ/EOQ interrupt (bsc#1167260). - spi: spi-fsl-dspi: Fix typos (bsc#1167260). - spi: spi-fsl-dspi: Free DMA memory with matching function (bsc#1167260). - spi: spi-fsl-dspi: Implement .max_message_size method for EOQ mode (bsc#1167260). - spi: spi-fsl-dspi: Initialize completion before possible interrupt (bsc#1167260). - spi: spi-fsl-dspi: LS2080A and LX2160A support XSPI mode (bsc#1167260). - spi: spi-fsl-dspi: Make bus-num property optional (bsc#1167260). - spi: spi-fsl-dspi: Move dspi_interrupt above dspi_transfer_one_message (bsc#1167260). - spi: spi-fsl-dspi: Move invariant configs out of dspi_transfer_one_message (bsc#1167260). - spi: spi-fsl-dspi: Optimize dspi_setup_accel for lowest interrupt count (bsc#1167260). - spi: spi-fsl-dspi: Parameterize the FIFO size and DMA buffer size (bsc#1167260). - spi: spi-fsl-dspi: Protect against races on dspi->words_in_flight (bsc#1167260). - spi: spi-fsl-dspi: Reduce indentation in dspi_release_dma() (bsc#1167260). - spi: spi-fsl-dspi: Reduce indentation level in dspi_interrupt (bsc#1167260). - spi: spi-fsl-dspi: remove git-fixes Remove git-fixes. 
Prepare to update the driver. References: bsc#1167260 - spi: spi-fsl-dspi: Remove impossible to reach error check (bsc#1167260). - spi: spi-fsl-dspi: Remove pointless assignment of master->transfer to NULL (bsc#1167260). - spi: spi-fsl-dspi: Remove unused chip->void_write_data (bsc#1167260). - spi: spi-fsl-dspi: Remove unused defines and includes (bsc#1167260). - spi: spi-fsl-dspi: Remove unused initialization of 'ret' in dspi_probe (bsc#1167260). - spi: spi-fsl-dspi: Rename fifo_{read,write} and {tx,cmd}_fifo_write (bsc#1167260). - spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion (bsc#1167260). - spi: spi-fsl-dspi: Replace legacy spi_master names with spi_controller (bsc#1167260). - spi: spi-fsl-dspi: set ColdFire to DMA mode (bsc#1167260). - spi: spi-fsl-dspi: Simplify bytes_per_word gymnastics (bsc#1167260). - spi: spi-fsl-dspi: Take software timestamp in dspi_fifo_write (bsc#1167260). - spi: spi-fsl-dspi: Use BIT() and GENMASK() macros (bsc#1167260). - spi: spi-fsl-dspi: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1167260). - spi: spi-fsl-dspi: Use EOQ for last word in buffer even for XSPI mode (bsc#1167260). - spi: spi-fsl-dspi: Use poll mode in case the platform IRQ is missing (bsc#1167260). - spi: spi-fsl-dspi: Use reverse Christmas tree declaration order (bsc#1167260). - spi: spi-fsl-dspi: Use specific compatible strings for all SoC instantiations (bsc#1167260). - spi: spi-fsl-dspi: use XSPI mode instead of DMA for DPAA2 SoCs (bsc#1167260). - spi: spi-ti-qspi: Free DMA resources (git-fixes). - staging: fwserial: fix TIOCGSERIAL implementation (git-fixes). - staging: fwserial: fix TIOCSSERIAL implementation (git-fixes). - staging: fwserial: fix TIOCSSERIAL jiffies conversions (git-fixes). - staging: fwserial: fix TIOCSSERIAL permission check (git-fixes). - staging: rtl8192u: Fix potential infinite loop (git-fixes). - usb: CDC-ACM: fix poison/unpoison imbalance (bsc#1184984). 
- usb: CDC-ACM: fix poison/unpoison imbalance (git-fixes). - usb: cdc-acm: fix TIOCGSERIAL implementation (git-fixes). - usb: cdc-acm: fix unprivileged TIOCCSERIAL (git-fixes). - usb: dwc2: Fix hibernation between host and device modes (git-fixes). - usb: dwc2: Fix host mode hibernation exit with remote wakeup flow (git-fixes). - usb: dwc2: Fix session request interrupt handler (git-fixes). - usb: dwc3: gadget: Fix START_TRANSFER link state check (git-fixes). - usb: dwc3: keystone: use devm_platform_ioremap_resource() to simplify code (git-fixes). - usb: dwc3: meson-g12a: use devm_platform_ioremap_resource() to simplify code (git-fixes). - usb: dwc3: Switch to use device_property_count_u32() (git-fixes). - usb: gadget: aspeed: fix dma map failure (git-fixes). - usb: gadget: Fix double free of device descriptor pointers (git-fixes). - usb: gadget: pch_udc: Check for DMA mapping error (git-fixes). - usb: gadget: pch_udc: Check if driver is present before calling ->setup() (git-fixes). - usb: gadget: pch_udc: Move pch_udc_init() to satisfy kernel doc (git-fixes). - usb: gadget: pch_udc: Replace cpu_to_le32() by lower_32_bits() (git-fixes). - usb: gadget: pch_udc: Revert d3cb25a12138 completely (git-fixes). - usb: gadget: r8a66597: Add missing null check on return from platform_get_resource (git-fixes). - usb: gadget: udc: fix wrong pointer passed to IS_ERR() and PTR_ERR() (git-fixes). - usb: Remove dev_err() usage after platform_get_irq() (git-fixes). - usb: serial: ark3116: fix TIOCGSERIAL implementation (git-fixes). - usb: serial: f81232: fix TIOCGSERIAL implementation (git-fixes). - usb: serial: f81534: fix TIOCGSERIAL implementation (git-fixes). - usb: serial: fix return value for unsupported ioctls (git-fixes). - usb: serial: mos7720: fix TIOCGSERIAL implementation (git-fixes). - usb: serial: opticon: fix TIOCGSERIAL implementation (git-fixes). - usb: serial: quatech2: fix TIOCGSERIAL implementation (git-fixes). 
- usb: serial: ssu100: fix TIOCGSERIAL implementation (git-fixes). - usb: serial: usb_wwan: fix TIOCGSERIAL implementation (git-fixes). - usb: serial: usb_wwan: fix TIOCSSERIAL jiffies conversions (git-fixes). - usb: serial: usb_wwan: fix unprivileged TIOCCSERIAL (git-fixes). - usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS (git-fixes). - usb: typec: tcpm: Address incorrect values of tcpm psy for fixed supply (git-fixes). - usb: typec: tcpm: Honour pSnkStdby requirement during negotiation (git-fixes). - veth: Store queue_mapping independently of XDP prog presence (git-fixes). - vfio/pci: Add missing range check in vfio_pci_mmap (git-fixes). - virt_wifi: Return micros for BSS TSF values (git-fixes). - vxlan: move debug check after netdev unregister (git-fixes). - workqueue: Move the position of debug_work_activate() in __queue_work() (bsc#1184893). - x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access (bsc#1152489). - x86/insn: Add some Intel instructions to the opcode map (bsc#1184760). - x86/insn: Add some more Intel instructions to the opcode map (bsc#1184760). - x86/microcode: Check for offline CPUs before requesting new microcode (bsc#1152489). - x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd (bsc#1152489). - x86/platform/uv: Set section block size for hubless architectures (bsc#1152489). - x86/reboot: Force all cpus to exit VMX root if VMX is supported (bsc#1152489). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1915=1 - SUSE Linux Enterprise Module for Realtime 15-SP3: zypper in -t patch SUSE-SLE-Module-RT-15-SP3-2021-1915=1 Package List: - SUSE MicroOS 5.0 (x86_64): kernel-rt-5.3.18-8.10.1 kernel-rt-debuginfo-5.3.18-8.10.1 kernel-rt-debugsource-5.3.18-8.10.1 - SUSE Linux Enterprise Module for Realtime 15-SP3 (x86_64): cluster-md-kmp-rt-5.3.18-8.10.1 cluster-md-kmp-rt-debuginfo-5.3.18-8.10.1 dlm-kmp-rt-5.3.18-8.10.1 dlm-kmp-rt-debuginfo-5.3.18-8.10.1 gfs2-kmp-rt-5.3.18-8.10.1 gfs2-kmp-rt-debuginfo-5.3.18-8.10.1 kernel-rt-5.3.18-8.10.1 kernel-rt-debuginfo-5.3.18-8.10.1 kernel-rt-debugsource-5.3.18-8.10.1 kernel-rt-devel-5.3.18-8.10.1 kernel-rt-devel-debuginfo-5.3.18-8.10.1 kernel-rt_debug-debuginfo-5.3.18-8.10.1 kernel-rt_debug-debugsource-5.3.18-8.10.1 kernel-rt_debug-devel-5.3.18-8.10.1 kernel-rt_debug-devel-debuginfo-5.3.18-8.10.1 kernel-syms-rt-5.3.18-8.10.1 ocfs2-kmp-rt-5.3.18-8.10.1 ocfs2-kmp-rt-debuginfo-5.3.18-8.10.1 - SUSE Linux Enterprise Module for Realtime 15-SP3 (noarch): kernel-devel-rt-5.3.18-8.10.1 kernel-source-rt-5.3.18-8.10.1 References: https://www.suse.com/security/cve/CVE-2021-29155.html https://www.suse.com/security/cve/CVE-2021-29650.html https://bugzilla.suse.com/1043990 https://bugzilla.suse.com/1055117 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1152457 https://bugzilla.suse.com/1152489 https://bugzilla.suse.com/1155518 https://bugzilla.suse.com/1156395 https://bugzilla.suse.com/1167260 https://bugzilla.suse.com/1167574 https://bugzilla.suse.com/1168838 https://bugzilla.suse.com/1174416 https://bugzilla.suse.com/1174426 https://bugzilla.suse.com/1175995 https://bugzilla.suse.com/1178089 https://bugzilla.suse.com/1179243 https://bugzilla.suse.com/1179851 https://bugzilla.suse.com/1180846 https://bugzilla.suse.com/1181161 https://bugzilla.suse.com/1182613 https://bugzilla.suse.com/1183063 
https://bugzilla.suse.com/1183203 https://bugzilla.suse.com/1183289 https://bugzilla.suse.com/1184208 https://bugzilla.suse.com/1184209 https://bugzilla.suse.com/1184436 https://bugzilla.suse.com/1184485 https://bugzilla.suse.com/1184514 https://bugzilla.suse.com/1184585 https://bugzilla.suse.com/1184650 https://bugzilla.suse.com/1184724 https://bugzilla.suse.com/1184728 https://bugzilla.suse.com/1184730 https://bugzilla.suse.com/1184731 https://bugzilla.suse.com/1184736 https://bugzilla.suse.com/1184737 https://bugzilla.suse.com/1184738 https://bugzilla.suse.com/1184740 https://bugzilla.suse.com/1184741 https://bugzilla.suse.com/1184742 https://bugzilla.suse.com/1184760 https://bugzilla.suse.com/1184811 https://bugzilla.suse.com/1184893 https://bugzilla.suse.com/1184934 https://bugzilla.suse.com/1184942 https://bugzilla.suse.com/1184957 https://bugzilla.suse.com/1184969 https://bugzilla.suse.com/1184984 https://bugzilla.suse.com/1185041 https://bugzilla.suse.com/1185113 https://bugzilla.suse.com/1185233 https://bugzilla.suse.com/1185244 https://bugzilla.suse.com/1185269 https://bugzilla.suse.com/1185365 https://bugzilla.suse.com/1185454 https://bugzilla.suse.com/1185472 https://bugzilla.suse.com/1185491 https://bugzilla.suse.com/1185549 https://bugzilla.suse.com/1185586 https://bugzilla.suse.com/1185587
From sle-security-updates at lists.suse.com Wed Jun 9 16:27:29 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 9 Jun 2021 18:27:29 +0200 (CEST) Subject: SUSE-SU-2021:1918-1: important: Security update for qemu Message-ID: <20210609162729.71EF5FD07@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1918-1 Rating: important References: #1149813 #1163019 #1172380 #1175534 #1178683 #1178935 #1179477 #1179484 #1182846 #1182975 Cross-References: CVE-2019-15890 CVE-2020-10756 CVE-2020-14364
CVE-2020-25707 CVE-2020-25723 CVE-2020-29129 CVE-2020-29130 CVE-2020-8608 CVE-2021-20257 CVE-2021-3419 CVSS scores: CVE-2019-15890 (SUSE): 5.8 CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2020-10756 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2020-10756 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2020-14364 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-14364 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25707 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-29129 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29129 (SUSE): 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-8608 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-8608 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-3419 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Module for Server Applications 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes 10 vulnerabilities is now available. 
Description: This update for qemu fixes the following issues: - CVE-2020-10756: Fix out-of-bounds read information disclosure in icmp6_send_echoreply (bsc#1172380) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1918=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1918=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1918=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1918=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1918=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1918=1 - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-1918=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1918=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1918=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1918=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): qemu-3.1.1.1-9.27.2 qemu-block-curl-3.1.1.1-9.27.2 qemu-block-curl-debuginfo-3.1.1.1-9.27.2 qemu-block-iscsi-3.1.1.1-9.27.2 qemu-block-iscsi-debuginfo-3.1.1.1-9.27.2 qemu-block-rbd-3.1.1.1-9.27.2 qemu-block-rbd-debuginfo-3.1.1.1-9.27.2 qemu-block-ssh-3.1.1.1-9.27.2 qemu-block-ssh-debuginfo-3.1.1.1-9.27.2 qemu-debuginfo-3.1.1.1-9.27.2 qemu-debugsource-3.1.1.1-9.27.2 qemu-guest-agent-3.1.1.1-9.27.2 qemu-guest-agent-debuginfo-3.1.1.1-9.27.2 qemu-lang-3.1.1.1-9.27.2 qemu-tools-3.1.1.1-9.27.2 qemu-tools-debuginfo-3.1.1.1-9.27.2 - SUSE Manager Server 4.0 (s390x x86_64): qemu-kvm-3.1.1.1-9.27.2 - SUSE Manager Server 4.0 (ppc64le): qemu-ppc-3.1.1.1-9.27.2 qemu-ppc-debuginfo-3.1.1.1-9.27.2 - SUSE Manager Server 4.0 (noarch): qemu-ipxe-1.0.0+-9.27.2 qemu-seabios-1.12.0_0_ga698c89-9.27.2 qemu-sgabios-8-9.27.2 qemu-vgabios-1.12.0_0_ga698c89-9.27.2 - SUSE Manager Server 4.0 (x86_64): qemu-audio-alsa-3.1.1.1-9.27.2 qemu-audio-alsa-debuginfo-3.1.1.1-9.27.2 qemu-audio-oss-3.1.1.1-9.27.2 qemu-audio-oss-debuginfo-3.1.1.1-9.27.2 qemu-audio-pa-3.1.1.1-9.27.2 qemu-audio-pa-debuginfo-3.1.1.1-9.27.2 qemu-ui-curses-3.1.1.1-9.27.2 qemu-ui-curses-debuginfo-3.1.1.1-9.27.2 qemu-ui-gtk-3.1.1.1-9.27.2 qemu-ui-gtk-debuginfo-3.1.1.1-9.27.2 qemu-x86-3.1.1.1-9.27.2 qemu-x86-debuginfo-3.1.1.1-9.27.2 - SUSE Manager Server 4.0 (s390x): qemu-s390-3.1.1.1-9.27.2 qemu-s390-debuginfo-3.1.1.1-9.27.2 - SUSE Manager Retail Branch Server 4.0 (x86_64): qemu-3.1.1.1-9.27.2 qemu-audio-alsa-3.1.1.1-9.27.2 qemu-audio-alsa-debuginfo-3.1.1.1-9.27.2 qemu-audio-oss-3.1.1.1-9.27.2 qemu-audio-oss-debuginfo-3.1.1.1-9.27.2 qemu-audio-pa-3.1.1.1-9.27.2 qemu-audio-pa-debuginfo-3.1.1.1-9.27.2 qemu-block-curl-3.1.1.1-9.27.2 qemu-block-curl-debuginfo-3.1.1.1-9.27.2 qemu-block-iscsi-3.1.1.1-9.27.2 qemu-block-iscsi-debuginfo-3.1.1.1-9.27.2 qemu-block-rbd-3.1.1.1-9.27.2 qemu-block-rbd-debuginfo-3.1.1.1-9.27.2 qemu-block-ssh-3.1.1.1-9.27.2 
qemu-block-ssh-debuginfo-3.1.1.1-9.27.2 qemu-debuginfo-3.1.1.1-9.27.2 qemu-debugsource-3.1.1.1-9.27.2 qemu-guest-agent-3.1.1.1-9.27.2 qemu-guest-agent-debuginfo-3.1.1.1-9.27.2 qemu-kvm-3.1.1.1-9.27.2 qemu-lang-3.1.1.1-9.27.2 qemu-tools-3.1.1.1-9.27.2 qemu-tools-debuginfo-3.1.1.1-9.27.2 qemu-ui-curses-3.1.1.1-9.27.2 qemu-ui-curses-debuginfo-3.1.1.1-9.27.2 qemu-ui-gtk-3.1.1.1-9.27.2 qemu-ui-gtk-debuginfo-3.1.1.1-9.27.2 qemu-x86-3.1.1.1-9.27.2 qemu-x86-debuginfo-3.1.1.1-9.27.2 - SUSE Manager Retail Branch Server 4.0 (noarch): qemu-ipxe-1.0.0+-9.27.2 qemu-seabios-1.12.0_0_ga698c89-9.27.2 qemu-sgabios-8-9.27.2 qemu-vgabios-1.12.0_0_ga698c89-9.27.2 - SUSE Manager Proxy 4.0 (noarch): qemu-ipxe-1.0.0+-9.27.2 qemu-seabios-1.12.0_0_ga698c89-9.27.2 qemu-sgabios-8-9.27.2 qemu-vgabios-1.12.0_0_ga698c89-9.27.2 - SUSE Manager Proxy 4.0 (x86_64): qemu-3.1.1.1-9.27.2 qemu-audio-alsa-3.1.1.1-9.27.2 qemu-audio-alsa-debuginfo-3.1.1.1-9.27.2 qemu-audio-oss-3.1.1.1-9.27.2 qemu-audio-oss-debuginfo-3.1.1.1-9.27.2 qemu-audio-pa-3.1.1.1-9.27.2 qemu-audio-pa-debuginfo-3.1.1.1-9.27.2 qemu-block-curl-3.1.1.1-9.27.2 qemu-block-curl-debuginfo-3.1.1.1-9.27.2 qemu-block-iscsi-3.1.1.1-9.27.2 qemu-block-iscsi-debuginfo-3.1.1.1-9.27.2 qemu-block-rbd-3.1.1.1-9.27.2 qemu-block-rbd-debuginfo-3.1.1.1-9.27.2 qemu-block-ssh-3.1.1.1-9.27.2 qemu-block-ssh-debuginfo-3.1.1.1-9.27.2 qemu-debuginfo-3.1.1.1-9.27.2 qemu-debugsource-3.1.1.1-9.27.2 qemu-guest-agent-3.1.1.1-9.27.2 qemu-guest-agent-debuginfo-3.1.1.1-9.27.2 qemu-kvm-3.1.1.1-9.27.2 qemu-lang-3.1.1.1-9.27.2 qemu-tools-3.1.1.1-9.27.2 qemu-tools-debuginfo-3.1.1.1-9.27.2 qemu-ui-curses-3.1.1.1-9.27.2 qemu-ui-curses-debuginfo-3.1.1.1-9.27.2 qemu-ui-gtk-3.1.1.1-9.27.2 qemu-ui-gtk-debuginfo-3.1.1.1-9.27.2 qemu-x86-3.1.1.1-9.27.2 qemu-x86-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): qemu-3.1.1.1-9.27.2 qemu-block-curl-3.1.1.1-9.27.2 qemu-block-curl-debuginfo-3.1.1.1-9.27.2 qemu-block-iscsi-3.1.1.1-9.27.2 
qemu-block-iscsi-debuginfo-3.1.1.1-9.27.2 qemu-block-rbd-3.1.1.1-9.27.2 qemu-block-rbd-debuginfo-3.1.1.1-9.27.2 qemu-block-ssh-3.1.1.1-9.27.2 qemu-block-ssh-debuginfo-3.1.1.1-9.27.2 qemu-debuginfo-3.1.1.1-9.27.2 qemu-debugsource-3.1.1.1-9.27.2 qemu-guest-agent-3.1.1.1-9.27.2 qemu-guest-agent-debuginfo-3.1.1.1-9.27.2 qemu-lang-3.1.1.1-9.27.2 qemu-tools-3.1.1.1-9.27.2 qemu-tools-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le): qemu-ppc-3.1.1.1-9.27.2 qemu-ppc-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64): qemu-audio-alsa-3.1.1.1-9.27.2 qemu-audio-alsa-debuginfo-3.1.1.1-9.27.2 qemu-audio-oss-3.1.1.1-9.27.2 qemu-audio-oss-debuginfo-3.1.1.1-9.27.2 qemu-audio-pa-3.1.1.1-9.27.2 qemu-audio-pa-debuginfo-3.1.1.1-9.27.2 qemu-kvm-3.1.1.1-9.27.2 qemu-ui-curses-3.1.1.1-9.27.2 qemu-ui-curses-debuginfo-3.1.1.1-9.27.2 qemu-ui-gtk-3.1.1.1-9.27.2 qemu-ui-gtk-debuginfo-3.1.1.1-9.27.2 qemu-x86-3.1.1.1-9.27.2 qemu-x86-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): qemu-ipxe-1.0.0+-9.27.2 qemu-seabios-1.12.0_0_ga698c89-9.27.2 qemu-sgabios-8-9.27.2 qemu-vgabios-1.12.0_0_ga698c89-9.27.2 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): qemu-3.1.1.1-9.27.2 qemu-block-curl-3.1.1.1-9.27.2 qemu-block-curl-debuginfo-3.1.1.1-9.27.2 qemu-block-iscsi-3.1.1.1-9.27.2 qemu-block-iscsi-debuginfo-3.1.1.1-9.27.2 qemu-block-rbd-3.1.1.1-9.27.2 qemu-block-rbd-debuginfo-3.1.1.1-9.27.2 qemu-block-ssh-3.1.1.1-9.27.2 qemu-block-ssh-debuginfo-3.1.1.1-9.27.2 qemu-debuginfo-3.1.1.1-9.27.2 qemu-debugsource-3.1.1.1-9.27.2 qemu-guest-agent-3.1.1.1-9.27.2 qemu-guest-agent-debuginfo-3.1.1.1-9.27.2 qemu-lang-3.1.1.1-9.27.2 qemu-tools-3.1.1.1-9.27.2 qemu-tools-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise Server 15-SP1-LTSS (s390x x86_64): qemu-kvm-3.1.1.1-9.27.2 - SUSE Linux Enterprise Server 15-SP1-LTSS (ppc64le): qemu-ppc-3.1.1.1-9.27.2 qemu-ppc-debuginfo-3.1.1.1-9.27.2 - SUSE Linux 
Enterprise Server 15-SP1-LTSS (aarch64): qemu-arm-3.1.1.1-9.27.2 qemu-arm-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): qemu-ipxe-1.0.0+-9.27.2 qemu-seabios-1.12.0_0_ga698c89-9.27.2 qemu-sgabios-8-9.27.2 qemu-vgabios-1.12.0_0_ga698c89-9.27.2 - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64): qemu-audio-alsa-3.1.1.1-9.27.2 qemu-audio-alsa-debuginfo-3.1.1.1-9.27.2 qemu-audio-oss-3.1.1.1-9.27.2 qemu-audio-oss-debuginfo-3.1.1.1-9.27.2 qemu-audio-pa-3.1.1.1-9.27.2 qemu-audio-pa-debuginfo-3.1.1.1-9.27.2 qemu-ui-curses-3.1.1.1-9.27.2 qemu-ui-curses-debuginfo-3.1.1.1-9.27.2 qemu-ui-gtk-3.1.1.1-9.27.2 qemu-ui-gtk-debuginfo-3.1.1.1-9.27.2 qemu-x86-3.1.1.1-9.27.2 qemu-x86-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise Server 15-SP1-LTSS (s390x): qemu-s390-3.1.1.1-9.27.2 qemu-s390-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): qemu-ipxe-1.0.0+-9.27.2 qemu-seabios-1.12.0_0_ga698c89-9.27.2 qemu-sgabios-8-9.27.2 qemu-vgabios-1.12.0_0_ga698c89-9.27.2 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): qemu-3.1.1.1-9.27.2 qemu-audio-alsa-3.1.1.1-9.27.2 qemu-audio-alsa-debuginfo-3.1.1.1-9.27.2 qemu-audio-oss-3.1.1.1-9.27.2 qemu-audio-oss-debuginfo-3.1.1.1-9.27.2 qemu-audio-pa-3.1.1.1-9.27.2 qemu-audio-pa-debuginfo-3.1.1.1-9.27.2 qemu-block-curl-3.1.1.1-9.27.2 qemu-block-curl-debuginfo-3.1.1.1-9.27.2 qemu-block-iscsi-3.1.1.1-9.27.2 qemu-block-iscsi-debuginfo-3.1.1.1-9.27.2 qemu-block-rbd-3.1.1.1-9.27.2 qemu-block-rbd-debuginfo-3.1.1.1-9.27.2 qemu-block-ssh-3.1.1.1-9.27.2 qemu-block-ssh-debuginfo-3.1.1.1-9.27.2 qemu-debuginfo-3.1.1.1-9.27.2 qemu-debugsource-3.1.1.1-9.27.2 qemu-guest-agent-3.1.1.1-9.27.2 qemu-guest-agent-debuginfo-3.1.1.1-9.27.2 qemu-kvm-3.1.1.1-9.27.2 qemu-lang-3.1.1.1-9.27.2 qemu-tools-3.1.1.1-9.27.2 qemu-tools-debuginfo-3.1.1.1-9.27.2 qemu-ui-curses-3.1.1.1-9.27.2 qemu-ui-curses-debuginfo-3.1.1.1-9.27.2 qemu-ui-gtk-3.1.1.1-9.27.2 qemu-ui-gtk-debuginfo-3.1.1.1-9.27.2 qemu-x86-3.1.1.1-9.27.2 
qemu-x86-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (x86_64): qemu-audio-oss-3.1.1.1-9.27.2 qemu-audio-oss-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): qemu-3.1.1.1-9.27.2 qemu-block-curl-3.1.1.1-9.27.2 qemu-block-curl-debuginfo-3.1.1.1-9.27.2 qemu-block-iscsi-3.1.1.1-9.27.2 qemu-block-iscsi-debuginfo-3.1.1.1-9.27.2 qemu-block-rbd-3.1.1.1-9.27.2 qemu-block-rbd-debuginfo-3.1.1.1-9.27.2 qemu-block-ssh-3.1.1.1-9.27.2 qemu-block-ssh-debuginfo-3.1.1.1-9.27.2 qemu-debuginfo-3.1.1.1-9.27.2 qemu-debugsource-3.1.1.1-9.27.2 qemu-guest-agent-3.1.1.1-9.27.2 qemu-guest-agent-debuginfo-3.1.1.1-9.27.2 qemu-lang-3.1.1.1-9.27.2 qemu-tools-3.1.1.1-9.27.2 qemu-tools-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64): qemu-arm-3.1.1.1-9.27.2 qemu-arm-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): qemu-ipxe-1.0.0+-9.27.2 qemu-seabios-1.12.0_0_ga698c89-9.27.2 qemu-sgabios-8-9.27.2 qemu-vgabios-1.12.0_0_ga698c89-9.27.2 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64): qemu-audio-alsa-3.1.1.1-9.27.2 qemu-audio-alsa-debuginfo-3.1.1.1-9.27.2 qemu-audio-oss-3.1.1.1-9.27.2 qemu-audio-oss-debuginfo-3.1.1.1-9.27.2 qemu-audio-pa-3.1.1.1-9.27.2 qemu-audio-pa-debuginfo-3.1.1.1-9.27.2 qemu-kvm-3.1.1.1-9.27.2 qemu-ui-curses-3.1.1.1-9.27.2 qemu-ui-curses-debuginfo-3.1.1.1-9.27.2 qemu-ui-gtk-3.1.1.1-9.27.2 qemu-ui-gtk-debuginfo-3.1.1.1-9.27.2 qemu-x86-3.1.1.1-9.27.2 qemu-x86-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): qemu-3.1.1.1-9.27.2 qemu-block-curl-3.1.1.1-9.27.2 qemu-block-curl-debuginfo-3.1.1.1-9.27.2 qemu-block-iscsi-3.1.1.1-9.27.2 qemu-block-iscsi-debuginfo-3.1.1.1-9.27.2 qemu-block-rbd-3.1.1.1-9.27.2 qemu-block-rbd-debuginfo-3.1.1.1-9.27.2 qemu-block-ssh-3.1.1.1-9.27.2 qemu-block-ssh-debuginfo-3.1.1.1-9.27.2 
qemu-debuginfo-3.1.1.1-9.27.2 qemu-debugsource-3.1.1.1-9.27.2 qemu-guest-agent-3.1.1.1-9.27.2 qemu-guest-agent-debuginfo-3.1.1.1-9.27.2 qemu-lang-3.1.1.1-9.27.2 qemu-tools-3.1.1.1-9.27.2 qemu-tools-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64): qemu-arm-3.1.1.1-9.27.2 qemu-arm-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64): qemu-audio-alsa-3.1.1.1-9.27.2 qemu-audio-alsa-debuginfo-3.1.1.1-9.27.2 qemu-audio-oss-3.1.1.1-9.27.2 qemu-audio-oss-debuginfo-3.1.1.1-9.27.2 qemu-audio-pa-3.1.1.1-9.27.2 qemu-audio-pa-debuginfo-3.1.1.1-9.27.2 qemu-kvm-3.1.1.1-9.27.2 qemu-ui-curses-3.1.1.1-9.27.2 qemu-ui-curses-debuginfo-3.1.1.1-9.27.2 qemu-ui-gtk-3.1.1.1-9.27.2 qemu-ui-gtk-debuginfo-3.1.1.1-9.27.2 qemu-x86-3.1.1.1-9.27.2 qemu-x86-debuginfo-3.1.1.1-9.27.2 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): qemu-ipxe-1.0.0+-9.27.2 qemu-seabios-1.12.0_0_ga698c89-9.27.2 qemu-sgabios-8-9.27.2 qemu-vgabios-1.12.0_0_ga698c89-9.27.2 - SUSE Enterprise Storage 6 (aarch64 x86_64): qemu-3.1.1.1-9.27.2 qemu-block-curl-3.1.1.1-9.27.2 qemu-block-curl-debuginfo-3.1.1.1-9.27.2 qemu-block-iscsi-3.1.1.1-9.27.2 qemu-block-iscsi-debuginfo-3.1.1.1-9.27.2 qemu-block-rbd-3.1.1.1-9.27.2 qemu-block-rbd-debuginfo-3.1.1.1-9.27.2 qemu-block-ssh-3.1.1.1-9.27.2 qemu-block-ssh-debuginfo-3.1.1.1-9.27.2 qemu-debuginfo-3.1.1.1-9.27.2 qemu-debugsource-3.1.1.1-9.27.2 qemu-guest-agent-3.1.1.1-9.27.2 qemu-guest-agent-debuginfo-3.1.1.1-9.27.2 qemu-lang-3.1.1.1-9.27.2 qemu-tools-3.1.1.1-9.27.2 qemu-tools-debuginfo-3.1.1.1-9.27.2 - SUSE Enterprise Storage 6 (aarch64): qemu-arm-3.1.1.1-9.27.2 qemu-arm-debuginfo-3.1.1.1-9.27.2 - SUSE Enterprise Storage 6 (noarch): qemu-ipxe-1.0.0+-9.27.2 qemu-seabios-1.12.0_0_ga698c89-9.27.2 qemu-sgabios-8-9.27.2 qemu-vgabios-1.12.0_0_ga698c89-9.27.2 - SUSE Enterprise Storage 6 (x86_64): qemu-audio-alsa-3.1.1.1-9.27.2 qemu-audio-alsa-debuginfo-3.1.1.1-9.27.2 
qemu-audio-oss-3.1.1.1-9.27.2 qemu-audio-oss-debuginfo-3.1.1.1-9.27.2 qemu-audio-pa-3.1.1.1-9.27.2 qemu-audio-pa-debuginfo-3.1.1.1-9.27.2 qemu-kvm-3.1.1.1-9.27.2 qemu-ui-curses-3.1.1.1-9.27.2 qemu-ui-curses-debuginfo-3.1.1.1-9.27.2 qemu-ui-gtk-3.1.1.1-9.27.2 qemu-ui-gtk-debuginfo-3.1.1.1-9.27.2 qemu-x86-3.1.1.1-9.27.2 qemu-x86-debuginfo-3.1.1.1-9.27.2 - SUSE CaaS Platform 4.0 (x86_64): qemu-3.1.1.1-9.27.2 qemu-audio-alsa-3.1.1.1-9.27.2 qemu-audio-alsa-debuginfo-3.1.1.1-9.27.2 qemu-audio-oss-3.1.1.1-9.27.2 qemu-audio-oss-debuginfo-3.1.1.1-9.27.2 qemu-audio-pa-3.1.1.1-9.27.2 qemu-audio-pa-debuginfo-3.1.1.1-9.27.2 qemu-block-curl-3.1.1.1-9.27.2 qemu-block-curl-debuginfo-3.1.1.1-9.27.2 qemu-block-iscsi-3.1.1.1-9.27.2 qemu-block-iscsi-debuginfo-3.1.1.1-9.27.2 qemu-block-rbd-3.1.1.1-9.27.2 qemu-block-rbd-debuginfo-3.1.1.1-9.27.2 qemu-block-ssh-3.1.1.1-9.27.2 qemu-block-ssh-debuginfo-3.1.1.1-9.27.2 qemu-debuginfo-3.1.1.1-9.27.2 qemu-debugsource-3.1.1.1-9.27.2 qemu-guest-agent-3.1.1.1-9.27.2 qemu-guest-agent-debuginfo-3.1.1.1-9.27.2 qemu-kvm-3.1.1.1-9.27.2 qemu-lang-3.1.1.1-9.27.2 qemu-tools-3.1.1.1-9.27.2 qemu-tools-debuginfo-3.1.1.1-9.27.2 qemu-ui-curses-3.1.1.1-9.27.2 qemu-ui-curses-debuginfo-3.1.1.1-9.27.2 qemu-ui-gtk-3.1.1.1-9.27.2 qemu-ui-gtk-debuginfo-3.1.1.1-9.27.2 qemu-x86-3.1.1.1-9.27.2 qemu-x86-debuginfo-3.1.1.1-9.27.2 - SUSE CaaS Platform 4.0 (noarch): qemu-ipxe-1.0.0+-9.27.2 qemu-seabios-1.12.0_0_ga698c89-9.27.2 qemu-sgabios-8-9.27.2 qemu-vgabios-1.12.0_0_ga698c89-9.27.2 References: https://www.suse.com/security/cve/CVE-2019-15890.html https://www.suse.com/security/cve/CVE-2020-10756.html https://www.suse.com/security/cve/CVE-2020-14364.html https://www.suse.com/security/cve/CVE-2020-25707.html https://www.suse.com/security/cve/CVE-2020-25723.html https://www.suse.com/security/cve/CVE-2020-29129.html https://www.suse.com/security/cve/CVE-2020-29130.html https://www.suse.com/security/cve/CVE-2020-8608.html https://www.suse.com/security/cve/CVE-2021-20257.html 
https://www.suse.com/security/cve/CVE-2021-3419.html https://bugzilla.suse.com/1149813 https://bugzilla.suse.com/1163019 https://bugzilla.suse.com/1172380 https://bugzilla.suse.com/1175534 https://bugzilla.suse.com/1178683 https://bugzilla.suse.com/1178935 https://bugzilla.suse.com/1179477 https://bugzilla.suse.com/1179484 https://bugzilla.suse.com/1182846 https://bugzilla.suse.com/1182975 From sle-security-updates at lists.suse.com Wed Jun 9 16:29:57 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 9 Jun 2021 18:29:57 +0200 (CEST) Subject: SUSE-SU-2021:1913-1: important: Security update for the Linux Kernel Message-ID: <20210609162957.3E4EEFD07@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1913-1 Rating: important References: #1064802 #1066129 #1087082 #1101816 #1103992 #1104353 #1104427 #1104745 #1109837 #1112374 #1113431 #1126390 #1133021 #1152457 #1174682 #1176081 #1177666 #1180552 #1181383 #1182256 #1183738 #1183754 #1183947 #1184040 #1184081 #1184082 #1184611 #1184675 #1184855 #1185428 #1185481 #1185642 #1185677 #1185680 #1185703 #1185724 #1185758 #1185827 #1185859 #1185860 #1185862 #1185863 #1185898 #1185899 #1185901 #1185906 #1185938 #1185950 #1185987 #1186060 #1186061 #1186062 #1186111 #1186285 #1186390 #1186416 #1186439 #1186441 #1186452 #1186460 #1186484 #1186487 #1186498 #1186573 Cross-References: CVE-2020-24586 CVE-2020-24587 CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2021-23133 CVE-2021-23134 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVE-2021-3491 CVSS scores: CVE-2020-24586 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-24586 (SUSE): 4.7 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N CVE-2020-24587 (NVD) : 2.6 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-24587 (SUSE): 4.2 
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26139 (NVD) : 5.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-26139 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-26141 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26145 (SUSE): 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26147 (NVD) : 5.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N CVE-2021-23133 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23133 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33200 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3491 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Live Patching 12-SP5 SUSE Linux Enterprise High Availability 12-SP5 ______________________________________________________________________________ An update that solves 12 vulnerabilities and has 52 fixes is now available. Description: The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484). 
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values. (bsc#1186111) - CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062) - CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060) - CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642). - CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611). - CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859). - CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862). - CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859). - CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. 
The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860) - CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987) - CVE-2021-23133: Fixed a race condition in SCTP sockets, which could lead to privilege escalation from the context of a network service or an unprivileged process. (bnc#1184675) The following non-security bugs were fixed: - ACPI / hotplug / PCI: Fix reference count leak in enable_slot() (git-fixes). - ACPI: CPPC: Replace cppc_attr with kobj_attribute (git-fixes). - ACPI: GTDT: Do not corrupt interrupt mappings on watchdow probe failure (git-fixes). - ACPI: custom_method: fix a possible memory leak (git-fixes). - ACPI: custom_method: fix potential use-after-free issue (git-fixes). - ACPICA: Enable sleep button on ACPI legacy wake (bsc#1181383). - ALSA: aloop: Fix initialization of controls (git-fixes). - ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro (git-fixes). - ALSA: core: remove redundant spin_lock pair in snd_card_disconnect (git-fixes). - ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer (git-fixes). - ALSA: hda/conexant: Re-order CX5066 quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Sony quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC882 Acer quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries (git-fixes). 
- ALSA: hda/realtek: Remove redundant entry for ALC861 Haier/Uniwill devices (git-fixes). - ALSA: hda/realtek: reset eapd coeff to default value for alc287 (git-fixes). - ALSA: hdsp: do not disable if not enabled (git-fixes). - ALSA: hdspm: do not disable if not enabled (git-fixes). - ALSA: line6: Fix racy initialization of LINE6 MIDI (git-fixes). - ALSA: rme9652: do not disable if not enabled (git-fixes). - ALSA: sb: Fix two use after free in snd_sb_qsound_build (git-fixes). - ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX (git-fixes). - ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls (git-fixes). - ALSA: usb: midi: do not return -ENOMEM when usb_urb_ep_type_check fails (git-fixes). - ARM: footbridge: fix PCI interrupt mapping (git-fixes). - ASoC: cs35l33: fix an error code in probe() (git-fixes). - ASoC: cs42l42: Regmap must use_single_read/write (git-fixes). - ASoC: fsl_esai: Fix TDM slot setup for I2S mode (git-fixes). - ASoC: intel: atom: Stop advertising non working S24LE support (git-fixes). - ASoC: rt286: Generalize support for ALC3263 codec (git-fixes). - ASoC: rt286: Make RT286_SET_GPIO_* readable and writable (git-fixes). - ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled for some chips (git-fixes). - Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes). - Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default (git-fixes). - Bluetooth: initialize skb_queue_head at l2cap_chan_create() (git-fixes). - Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185724). - Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185724). - Drivers: hv: vmbus: Use after free in __vmbus_open() (git-fixes). - EDAC/amd64: Gather hardware information early (bsc#1180552). - EDAC/amd64: Make struct amd64_family_type global (bsc#1180552). - EDAC/amd64: Save max number of controllers to family type (bsc#1180552). - HID: alps: fix error return code in alps_input_configured() (git-fixes). 
- HID: plantronics: Workaround for double volume key presses (git-fixes). - HID: wacom: Assign boolean values to a bool variable (git-fixes). - HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices (git-fixes). - Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices (git-fixes). - Input: i8042 - fix Pegatron C15B ID entry (git-fixes). - Input: nspire-keypad - enable interrupts only when opened (git-fixes). - Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state (git-fixes). - KVM: s390: fix guarded storage control register handling (bsc#1133021). - NFC: fix possible resource leak (git-fixes). - NFC: fix resource leak when target index is invalid (git-fixes). - NFC: nci: fix memory leak in nci_allocate_device (git-fixes). - NFSv4: Replace closed stateids with the "invalid special stateid" (bsc#1185481). - PCI: PM: Do not read power state in pci_enable_device_flags() (git-fixes). - PCI: Release OF node in pci_scan_device()'s error path (git-fixes). - RDMA/hns: Delete redundant condition judgment related to eq (bsc#1104427). - RDMA/srpt: Fix error return code in srpt_cm_req_recv() (bsc#1103992). - SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428). - SUNRPC: More fixes for backlog congestion (bsc#1185428). - USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet (git-fixes). - USB: Add reset-resume quirk for WD19's Realtek Hub (git-fixes). - USB: serial: fix return value for unsupported ioctls (git-fixes). - USB: serial: usb_wwan: fix unprivileged TIOCCSERIAL (git-fixes). - USB: trancevibrator: fix control-request direction (git-fixes). - af_packet: fix the tx skb protocol in raw sockets with ETH_P_ALL (bsc#1176081). - ata: libahci_platform: fix IRQ check (git-fixes). - ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices (git-fixes). - backlight: journada720: Fix Wmisleading-indentation warning (git-fixes). 
- batman-adv: Do not always reallocate the fragmentation skb head (git-fixes). - bluetooth: eliminate the potential race condition when removing the HCI controller (git-fixes). - bnxt_en: Fix PCI AER error recovery flow (git-fixes). - bnxt_en: fix ternary sign extension bug in bnxt_show_temp() (bsc#1104745). - bpf: Fix masking negation logic upon negative dst register (git-fixes). - btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441). - btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439). - bus: qcom: Put child node before return (git-fixes). - cfg80211: remove WARN_ON() in cfg80211_sme_connect (git-fixes). - cfg80211: scan: drop entry from hidden_list on overflow (git-fixes). - clk: exynos7: Mark aclk_fsys1_200 as critical (git-fixes). - clk: fix invalid usage of list cursor in register (git-fixes). - clk: fix invalid usage of list cursor in unregister (git-fixes). - clk: mvebu: armada-37xx-periph: Fix switching CPU freq from 250 Mhz to 1 GHz (git-fixes). - clk: mvebu: armada-37xx-periph: Fix workaround for switching from L1 to L0 (git-fixes). - clk: mvebu: armada-37xx-periph: remove .set_parent method for CPU PM clock (git-fixes). - clk: socfpga: fix iomem pointer cast on 64-bit (git-fixes). - clk: uniphier: Fix potential infinite loop (git-fixes). - cpufreq: Add NULL checks to show() and store() methods of cpufreq (bsc#1184040). - cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown (bsc#1184040). - cpufreq: Kconfig: fix documentation links (git-fixes). - cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758). - crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (git-fixes). - crypto: qat - Fix a double free in adf_create_ring (git-fixes). - crypto: qat - do not release uninitialized resources (git-fixes). - crypto: qat - fix error path in adf_isr_resource_alloc() (git-fixes). 
- cxgb4: Fix unintentional sign extension issues (bsc#1064802 bsc#1066129). - dm: fix redundant IO accounting for bios that need splitting (bsc#1183738). - dmaengine: dw: Make it dependent to HAS_IOMEM (git-fixes). - docs: kernel-parameters: Add gpio_mockup_named_lines (git-fixes). - docs: kernel-parameters: Move gpio-mockup for alphabetic order (git-fixes). - drivers: net: fix memory leak in atusb_probe (git-fixes). - drivers: net: fix memory leak in peak_usb_create_dev (git-fixes). - drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f (git-fixes). - drm/amdgpu: fix NULL pointer dereference (git-fixes). - drm/amdkfd: fix build error with AMD_IOMMU_V2=m (git-fixes). - drm/i915/gvt: Fix error code in intel_gvt_init_device() (git-fixes). - drm/imx: imx-ldb: fix out of bounds array access warning (git-fixes). - drm/meson: fix shutdown crash when component not probed (git-fixes). - drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal (git-fixes). - drm/omap: fix misleading indentation in pixinc() (git-fixes). - drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected (git-fixes). - drm/radeon: Fix off-by-one power_state index heap overwrite (git-fixes). - drm/radeon: fix copy of uninitialized variable back to userspace (git-fixes). - e1000e: Fix duplicate include guard (git-fixes). - e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 (git-fixes). - e1000e: add rtnl_lock() to e1000_reset_task (git-fixes). - ethernet:enic: Fix a use after free bug in enic_hard_start_xmit (bsc#1113431). - extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged (git-fixes). - fbdev: zero-fill colormap in fbcmap.c (git-fixes). - ftrace: Handle commands when closing set_ftrace_filter file (git-fixes). - genirq: Reduce irqdebug cacheline bouncing (bsc#1185703 ltc#192641). - gianfar: Handle error code at MAC address change (git-fixes). 
- gpio: xilinx: Correct kernel doc for xgpio_probe() (git-fixes). - gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 (git-fixes). - i2c: cadence: add IRQ check (git-fixes). - i2c: emev2: add IRQ check (git-fixes). - i2c: i801: Do not generate an interrupt on bus reset (git-fixes). - i2c: i801: Do not generate an interrupt on bus reset (git-fixes). - i2c: jz4780: add IRQ check (git-fixes). - i2c: s3c2410: fix possible NULL pointer deref on read message after write (git-fixes). - i2c: sh7760: add IRQ check (git-fixes). - i2c: sh7760: fix IRQ error path (git-fixes). - i40e: Added Asym_Pause to supported link modes (git-fixes). - i40e: Fix PHY type identifiers for 2.5G and 5G adapters (jsc#SLE-4797). - i40e: Fix sparse errors in i40e_txrx.c (git-fixes). - i40e: Fix use-after-free in i40e_client_subtask() (bsc#1101816 ). - i40e: fix broken XDP support (git-fixes). - i40e: fix the panic when running bpf in xdpdrv mode (git-fixes). - i40e: fix the restart auto-negotiation after FEC modified (jsc#SLE-4797). - ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043). - ibmvfc: Handle move login failure (bsc#1185938 ltc#192043). - ibmvfc: Reinit target retries (bsc#1185938 ltc#192043). - ibmvnic: remove default label from to_string switch (bsc#1152457 ltc#174432 git-fixes). - igb: Fix duplicate include guard (git-fixes). - igb: check timestamp validity (git-fixes). - iio: adc: ad7793: Add missing error code in ad7793_setup() (git-fixes). - iio: gyro: mpu3050: Fix reported temperature value (git-fixes). - iio: proximity: pulsedlight: Fix rumtime PM imbalance on error (git-fixes). - iio: tsl2583: Fix division by a zero lux_val (git-fixes). - intel_th: Consistency and off-by-one fix (git-fixes). - ipmi/watchdog: Stop watchdog timer when the current action is 'none' (bsc#1184855). - ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() (git-fixes). - kABI: powerpc/64: add back start_tb and accum_tb to thread_struct. 
- kabi: preserve struct header_ops after bsc#1176081 fix (bsc#1176081). - leds: lp5523: check return value of lp5xx_read and jump to cleanup code (git-fixes). - liquidio: Fix unintented sign extension of a left shift of a u16 (git-fixes). - mac80211: bail out if cipher schemes are invalid (git-fixes). - mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN (git-fixes). - mac80211: clear the beacon's CRC after channel switch (git-fixes). - macvlan: macvlan_count_rx() needs to be aware of preemption (git-fixes). - md-cluster: fix use-after-free issue when removing rdev (bsc#1184082). - md/raid1: properly indicate failure when ending a failed write request (bsc#1185680). - md: do not flush workqueue unconditionally in md_open (bsc#1184081). - md: factor out a mddev_find_locked helper from mddev_find (bsc#1184081). - md: md_open returns -EBUSY when entering racing area (bsc#1184081). - md: split mddev_find (bsc#1184081). - media: adv7604: fix possible use-after-free in adv76xx_remove() (git-fixes). - media: dvb-usb: fix memory leak in dvb_usb_adapter_init (git-fixes). - media: dvbdev: Fix memory leak in dvb_media_device_free() (git-fixes). - media: em28xx: fix memory leak (git-fixes). - media: gspca/sq905.c: fix uninitialized variable (git-fixes). - media: i2c: adv7842: fix possible use-after-free in adv7842_remove() (git-fixes). - media: ite-cir: check for receive overflow (git-fixes). - media: m88rs6000t: avoid potential out-of-bounds reads on arrays (git-fixes). - media: media/saa7164: fix saa7164_encoder_register() memory leak bugs (git-fixes). - media: omap4iss: return error code when omap4iss_get() failed (git-fixes). - mfd: lpc_sch: Partially revert "Add support for Intel Quark X1000" (git-fixes). - mfd: stm32-timers: Avoid clearing auto reload register (git-fixes). - misc/uss720: fix memory leak in uss720_probe (git-fixes). - misc: lis3lv02d: Fix false-positive WARN on various HP models (git-fixes). 
- misc: vmw_vmci: explicitly initialize vmci_datagram payload (git-fixes). - misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct (git-fixes). - mlxsw: spectrum_mr: Update egress RIF list before route's action (bsc#1112374). - mm: mempolicy: fix potential pte_unmap_unlock pte error (bsc#1185906). - mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified (bsc#1185906). - mmc: block: Update ext_csd.cache_ctrl if it was written (git-fixes). - mmc: core: Correct descriptions in mmc_of_parse() (git-fixes). - mmc: core: Do a power cycle when the CMD11 fails (git-fixes). - mmc: core: Set read only for SD cards with permanent write protect bit (git-fixes). - mmc: mmc_spi: Drop unused NO_IRQ definition (git-fixes). - mt7601u: fix always true expression (git-fixes). - mtd: require write permissions for locking and badblock ioctls (git-fixes). - net, xdp: Update pkt_type if generic XDP changes unicast MAC (bsc#1109837). - net/ethernet: Add parse_protocol header_ops support (bsc#1176081). - net/mlx4_en: update moderation when config reset (git-fixes). - net/mlx5e: Fix error path for ethtool set-priv-flag (git-fixes). - net/mlx5e: Remove the wrong assumption about transport offset (bsc#1176081). - net/mlx5e: Trust kernel regarding transport offset (bsc#1176081). - net/packet: Ask driver for protocol if not provided by user (bsc#1176081). - net/packet: Remove redundant skb->protocol set (bsc#1176081). - net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template (git-fixes). - net: Do not set transport offset to invalid value (bsc#1176081). - net: Introduce parse_protocol header_ops callback (bsc#1176081). - net: enic: Cure the enic api locking trainwreck (git-fixes). - net: hns3: Fix for geneve tx checksum bug (bsc#1104353 ). - net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() (bsc#1104353). - net: hns3: disable phy loopback setting in hclge_mac_start_phy (bsc#1104353). 
- net: hns3: fix for vxlan gpe tx checksum bug (bsc#1104353 ). - net: hns3: fix incorrect configuration for igu_egu_hw_err (bsc#1104353). - net: hns3: initialize the message content in hclge_get_link_mode() (bsc#1126390). - net: hns3: use netif_tx_disable to stop the transmit queue (bsc#1104353). - net: phy: intel-xway: enable integrated led functions (git-fixes). - net: qed: RDMA personality shouldn't fail VF load (git-fixes). - net: thunderx: Fix unintentional sign extension issue (git-fixes). - net: usb: fix memory leak in smsc75xx_bind (git-fixes). - netdevice: Add missing IFF_PHONY_HEADROOM self-definition (git-fixes). - netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950). - netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950). - netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950). - netfilter: conntrack: tcp: only close if RST matches exact sequence (bsc#1183947 bsc#1185950). - nfc: pn533: prevent potential memory corruption (git-fixes). - nvme-fc: clear q_live at beginning of association teardown (git-fixes). - nvme-loop: Introduce no merge flag for biovec (bsc#1174682). - pata_arasan_cf: fix IRQ check (git-fixes). - pata_ipx4xx_cf: fix IRQ check (git-fixes). - pcnet32: Use pci_resource_len to validate PCI resource (git-fixes). - phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y, unconditionally (git-fixes). - phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() (git-fixes). - pinctrl: core: Fix kernel doc string for pin_get_name() (git-fixes). - pinctrl: lewisburg: Update number of pins in community (git-fixes). - pinctrl: samsung: use 'int' for register masks in Exynos (git-fixes). - platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue (git-fixes). - platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards with critclk_systems DMI table (git-fixes). 
- platform/x86: thinkpad_acpi: Correct thermal sensor allocation (git-fixes). - power: supply: Use IRQF_ONESHOT (git-fixes). - power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() (git-fixes). - power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() (git-fixes). - powerpc/64: remove start_tb and accum_tb from thread_struct (bsc#1186487 ltc#177613). - powerpc/64s: Fix crashes when toggling entry flush barrier (bsc#1177666 git-fixes). - powerpc/64s: Fix crashes when toggling stf barrier (bsc#1087082 git-fixes). - powerpc/pseries: lparcfg calculate PURR on demand (bsc#1186487 ltc#177613). - regulator: bd9571mwv: Fix AVS and DVFS voltage range (git-fixes). - rsxx: remove extraneous 'const' qualifier (git-fixes). - rtc: ds1307: Fix wday settings for rx8130 (git-fixes). - rtlwifi: 8821ae: upgrade PHY and RF parameters (git-fixes). - s390/dasd: fix hanging DASD driver unbind (bsc#1183754 LTC#192081). - s390/dasd: fix hanging IO request during DASD driver unbind (bsc#1183754 LTC#192081). - s390/entry: save the caller of psw_idle (bsc#1185677). - s390/kdump: fix out-of-memory with PCI (bsc#1182256 LTC#191375). - sata_mv: add IRQ checks (git-fixes). - scsi: core: Run queue in case of I/O resource contention failure (bsc#1186416). - scsi: libfc: Avoid invoking response handler twice if ep is already completed (bsc#1186573). - scsi: lpfc: Add a option to enable interlocked ABTS before job completion (bsc#1186452). - scsi: lpfc: Add ndlp kref accounting for resume RPI path (bsc#1186452). - scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology (bsc#1186452). - scsi: lpfc: Fix Node recovery when driver is handling simultaneous PLOGIs (bsc#1186452). - scsi: lpfc: Fix bad memory access during VPD DUMP mailbox command (bsc#1186452). - scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs (bsc#1186452). 
- scsi: lpfc: Fix node handling for Fabric Controller and Domain Controller (bsc#1186452). - scsi: lpfc: Fix non-optimized ERSP handling (bsc#1186452). - scsi: lpfc: Fix unreleased RPIs when NPIV ports are created (bsc#1186452). - scsi: lpfc: Ignore GID-FT response that may be received after a link flip (bsc#1186452). - scsi: lpfc: Reregister FPIN types if ELS_RDF is received from fabric controller (bsc#1186452). - scsi: lpfc: Update lpfc version to 12.8.0.10 (bsc#1186452). - scsi: qla2xxx: Prevent PRLI in target mode (git-fixes). - serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (git-fixes). - serial: stm32: fix incorrect characters on console (git-fixes). - smc: disallow TCP_ULP in smc_setsockopt() (bsc#1109837). - soc: qcom: mdt_loader: Validate that p_filesz < p_memsz (git-fixes). - spi: dln2: Fix reference leak to master (git-fixes). - spi: omap-100k: Fix reference leak to master (git-fixes). - spi: spi-ti-qspi: Free DMA resources (git-fixes). - staging: emxx_udc: fix loop in _nbu2ss_nuke() (git-fixes). - staging: iio: cdc: ad7746: avoid overwrite of num_channels (git-fixes). - staging: rtl8192u: Fix potential infinite loop (git-fixes). - tcp: fix to update snd_wl1 in bulk receiver fast path (bsc#1185827). - thermal/drivers/ti-soc-thermal/bandgap Remove unused variable 'val' (git-fixes). - thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (git-fixes). - tpm: fix error return code in tpm2_get_cc_attrs_tbl() (git-fixes). - tracing: Map all PIDs to command lines (git-fixes). - uio: uio_hv_generic: use devm_kzalloc() for private data alloc (git-fixes). - uio_hv_generic: Fix a memory leak in error handling paths (git-fixes). - uio_hv_generic: Fix another memory leak in error handling paths (git-fixes). - uio_hv_generic: add missed sysfs_remove_bin_file (git-fixes). - usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes). - usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes). 
- usb: dwc3: gadget: Fix START_TRANSFER link state check (git-fixes). - usb: dwc3: omap: improve extcon initialization (git-fixes). - usb: fotg210-hcd: Fix an error message (git-fixes). - usb: sl811-hcd: improve misleading indentation (git-fixes). - usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS (git-fixes). - usb: xhci: Fix port minor revision (git-fixes). - usb: xhci: Increase timeout for HC halt (git-fixes). - usb: xhci: Increase timeout for HC halt (git-fixes). - vgacon: Record video mode changes with VT_RESIZEX (git-fixes). - video: hyperv_fb: Add ratelimit on error message (bsc#1185724). - vsock/vmci: log once the failed queue pair allocation (git-fixes). - wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join (git-fixes). - wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt (git-fixes). - xhci: Do not use GFP_KERNEL in (potentially) atomic context (git-fixes). - xsk: Respect device's headroom and tailroom on generic xmit path (bsc#1109837). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2021-1913=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1913=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1913=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-1913=1 - SUSE Linux Enterprise High Availability 12-SP5: zypper in -t patch SUSE-SLE-HA-12-SP5-2021-1913=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): kernel-default-debuginfo-4.12.14-122.74.1 kernel-default-debugsource-4.12.14-122.74.1 kernel-default-extra-4.12.14-122.74.1 kernel-default-extra-debuginfo-4.12.14-122.74.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.12.14-122.74.1 kernel-obs-build-debugsource-4.12.14-122.74.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): kernel-docs-4.12.14-122.74.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): kernel-default-4.12.14-122.74.1 kernel-default-base-4.12.14-122.74.1 kernel-default-base-debuginfo-4.12.14-122.74.1 kernel-default-debuginfo-4.12.14-122.74.1 kernel-default-debugsource-4.12.14-122.74.1 kernel-default-devel-4.12.14-122.74.1 kernel-syms-4.12.14-122.74.1 - SUSE Linux Enterprise Server 12-SP5 (x86_64): kernel-default-devel-debuginfo-4.12.14-122.74.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): kernel-devel-4.12.14-122.74.1 kernel-macros-4.12.14-122.74.1 kernel-source-4.12.14-122.74.1 - SUSE Linux Enterprise Server 12-SP5 (s390x): kernel-default-man-4.12.14-122.74.1 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kernel-default-debuginfo-4.12.14-122.74.1 kernel-default-debugsource-4.12.14-122.74.1 kernel-default-kgraft-4.12.14-122.74.1 kernel-default-kgraft-devel-4.12.14-122.74.1 
kgraft-patch-4_12_14-122_74-default-1-8.3.1 - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64): cluster-md-kmp-default-4.12.14-122.74.1 cluster-md-kmp-default-debuginfo-4.12.14-122.74.1 dlm-kmp-default-4.12.14-122.74.1 dlm-kmp-default-debuginfo-4.12.14-122.74.1 gfs2-kmp-default-4.12.14-122.74.1 gfs2-kmp-default-debuginfo-4.12.14-122.74.1 kernel-default-debuginfo-4.12.14-122.74.1 kernel-default-debugsource-4.12.14-122.74.1 ocfs2-kmp-default-4.12.14-122.74.1 ocfs2-kmp-default-debuginfo-4.12.14-122.74.1 References: https://www.suse.com/security/cve/CVE-2020-24586.html https://www.suse.com/security/cve/CVE-2020-24587.html https://www.suse.com/security/cve/CVE-2020-26139.html https://www.suse.com/security/cve/CVE-2020-26141.html https://www.suse.com/security/cve/CVE-2020-26145.html https://www.suse.com/security/cve/CVE-2020-26147.html https://www.suse.com/security/cve/CVE-2021-23133.html https://www.suse.com/security/cve/CVE-2021-23134.html https://www.suse.com/security/cve/CVE-2021-32399.html https://www.suse.com/security/cve/CVE-2021-33034.html https://www.suse.com/security/cve/CVE-2021-33200.html https://www.suse.com/security/cve/CVE-2021-3491.html https://bugzilla.suse.com/1064802 https://bugzilla.suse.com/1066129 https://bugzilla.suse.com/1087082 https://bugzilla.suse.com/1101816 https://bugzilla.suse.com/1103992 https://bugzilla.suse.com/1104353 https://bugzilla.suse.com/1104427 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1112374 https://bugzilla.suse.com/1113431 https://bugzilla.suse.com/1126390 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1152457 https://bugzilla.suse.com/1174682 https://bugzilla.suse.com/1176081 https://bugzilla.suse.com/1177666 https://bugzilla.suse.com/1180552 https://bugzilla.suse.com/1181383 https://bugzilla.suse.com/1182256 https://bugzilla.suse.com/1183738 https://bugzilla.suse.com/1183754 https://bugzilla.suse.com/1183947 
https://bugzilla.suse.com/1184040 https://bugzilla.suse.com/1184081 https://bugzilla.suse.com/1184082 https://bugzilla.suse.com/1184611 https://bugzilla.suse.com/1184675 https://bugzilla.suse.com/1184855 https://bugzilla.suse.com/1185428 https://bugzilla.suse.com/1185481 https://bugzilla.suse.com/1185642 https://bugzilla.suse.com/1185677 https://bugzilla.suse.com/1185680 https://bugzilla.suse.com/1185703 https://bugzilla.suse.com/1185724 https://bugzilla.suse.com/1185758 https://bugzilla.suse.com/1185827 https://bugzilla.suse.com/1185859 https://bugzilla.suse.com/1185860 https://bugzilla.suse.com/1185862 https://bugzilla.suse.com/1185863 https://bugzilla.suse.com/1185898 https://bugzilla.suse.com/1185899 https://bugzilla.suse.com/1185901 https://bugzilla.suse.com/1185906 https://bugzilla.suse.com/1185938 https://bugzilla.suse.com/1185950 https://bugzilla.suse.com/1185987 https://bugzilla.suse.com/1186060 https://bugzilla.suse.com/1186061 https://bugzilla.suse.com/1186062 https://bugzilla.suse.com/1186111 https://bugzilla.suse.com/1186285 https://bugzilla.suse.com/1186390 https://bugzilla.suse.com/1186416 https://bugzilla.suse.com/1186439 https://bugzilla.suse.com/1186441 https://bugzilla.suse.com/1186452 https://bugzilla.suse.com/1186460 https://bugzilla.suse.com/1186484 https://bugzilla.suse.com/1186487 https://bugzilla.suse.com/1186498 https://bugzilla.suse.com/1186573 From sle-security-updates at lists.suse.com Wed Jun 9 16:39:23 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 9 Jun 2021 18:39:23 +0200 (CEST) Subject: SUSE-SU-2021:1912-1: important: Security update for the Linux Kernel Message-ID: <20210609163923.62B6DFD14@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1912-1 Rating: important References: #1181161 #1183405 #1183738 #1183947 #1184611 #1184675 #1185642 
#1185680 #1185725 #1185859 #1185860 #1185862 #1185863 #1185898 #1185899 #1185901 #1185938 #1185950 #1185987 #1186060 #1186061 #1186062 #1186111 #1186285 #1186390 #1186484 #1186498 Cross-References: CVE-2020-24586 CVE-2020-24587 CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2021-23133 CVE-2021-23134 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVE-2021-3491 CVSS scores: CVE-2020-24586 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-24586 (SUSE): 4.7 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N CVE-2020-24587 (NVD) : 2.6 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-24587 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26139 (NVD) : 5.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-26139 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-26141 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26145 (SUSE): 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26147 (NVD) : 5.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N CVE-2021-23133 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23133 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33200 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3491 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server 
15-SP1-LTSS
SUSE Linux Enterprise Server 15-SP1-BCL
SUSE Linux Enterprise Module for Live Patching 15-SP1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
SUSE Linux Enterprise High Availability 15-SP1
SUSE Enterprise Storage 6
SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 15 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values. (bsc#1186111)
- CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
- CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
- CVE-2021-23133: Fixed a race condition in SCTP sockets, which could lead to privilege escalation from the context of a network service or an unprivileged process. (bnc#1184675)
- CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network.
  Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
- CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
- CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
- CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)

The following non-security bugs were fixed:

- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725).
- dm: fix redundant IO accounting for bios that need splitting (bsc#1183738).
- ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043).
- ibmvfc: Handle move login failure (bsc#1185938 ltc#192043).
- ibmvfc: Reinit target retries (bsc#1185938 ltc#192043). - kabi: Fix breakage in NVMe driver (bsc#1181161). - kabi: Fix nvmet error log definitions (bsc#1181161). - kabi: nvme: fix fast_io_fail_tmo (bsc#1181161). - md/raid1: properly indicate failure when ending a failed write request (bsc#1185680). - net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405) - netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950). - netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950). - netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950). - netfilter: conntrack: tcp: only close if RST matches exact sequence (bsc#1183947 bsc#1185950). - nvme-fabrics: allow to queue requests for live queues (bsc#1181161). - nvme-fabrics: do not check state NVME_CTRL_NEW for request acceptance (bsc#1181161). - nvme-fabrics: reject I/O to offline device (bsc#1181161). - nvme-pci: Sync queues on reset (bsc#1181161). - nvme-rdma: avoid race between time out and tear down (bsc#1181161). - nvme-rdma: avoid repeated request completion (bsc#1181161). - nvme-rdma: avoid request double completion for concurrent nvme_rdma_timeout (bsc#1181161). - nvme-rdma: fix controller reset hang during traffic (bsc#1181161). - nvme-rdma: fix possible hang when failing to set io queues (bsc#1181161). - nvme-rdma: fix timeout handler (bsc#1181161). - nvme-rdma: serialize controller teardown sequences (bsc#1181161). - nvme-tcp: avoid race between time out and tear down (bsc#1181161). - nvme-tcp: avoid repeated request completion (bsc#1181161). - nvme-tcp: avoid request double completion for concurrent nvme_tcp_timeout (bsc#1181161). - nvme-tcp: fix controller reset hang during traffic (bsc#1181161). - nvme-tcp: fix possible hang when failing to set io queues (bsc#1181161). - nvme-tcp: fix timeout handler (bsc#1181161). - nvme-tcp: serialize controller teardown sequences (bsc#1181161). 
- nvme: Restart request timers in resetting state (bsc#1181161). - nvme: add error log page slot definition (bsc#1181161). - nvme: include admin_q sync with nvme_sync_queues (bsc#1181161). - nvme: introduce "Command Aborted By host" status code (bsc#1181161). - nvme: introduce nvme_is_fabrics to check fabrics cmd (bsc#1181161). - nvme: introduce nvme_sync_io_queues (bsc#1181161). - nvme: make fabrics command run on a separate request queue (bsc#1181161). - nvme: prevent warning triggered by nvme_stop_keep_alive (bsc#1181161). - nvme: unlink head after removing last namespace (bsc#1181161). - nvmet: add error log support for fabrics-cmd (bsc#1181161). - nvmet: add error-log definitions (bsc#1181161). - video: hyperv_fb: Add ratelimit on error message (bsc#1185725). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1912=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1912=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1912=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1912=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1912=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1912=1 - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-1912=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1912=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1912=1 - SUSE Linux Enterprise High Availability 15-SP1: zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2021-1912=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1912=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): kernel-default-4.12.14-197.92.1 kernel-default-base-4.12.14-197.92.1 kernel-default-base-debuginfo-4.12.14-197.92.1 kernel-default-debuginfo-4.12.14-197.92.1 kernel-default-debugsource-4.12.14-197.92.1 kernel-default-devel-4.12.14-197.92.1 kernel-default-devel-debuginfo-4.12.14-197.92.1 kernel-obs-build-4.12.14-197.92.1 kernel-obs-build-debugsource-4.12.14-197.92.1 kernel-syms-4.12.14-197.92.1 reiserfs-kmp-default-4.12.14-197.92.1 reiserfs-kmp-default-debuginfo-4.12.14-197.92.1 - SUSE Manager Server 4.0 (noarch): kernel-devel-4.12.14-197.92.1 kernel-docs-4.12.14-197.92.1 kernel-macros-4.12.14-197.92.1 kernel-source-4.12.14-197.92.1 - SUSE Manager Server 4.0 (s390x): kernel-default-man-4.12.14-197.92.1 kernel-zfcpdump-debuginfo-4.12.14-197.92.1 kernel-zfcpdump-debugsource-4.12.14-197.92.1 - SUSE Manager Retail Branch Server 4.0 (noarch): kernel-devel-4.12.14-197.92.1 kernel-docs-4.12.14-197.92.1 kernel-macros-4.12.14-197.92.1 kernel-source-4.12.14-197.92.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): kernel-default-4.12.14-197.92.1 kernel-default-base-4.12.14-197.92.1 kernel-default-base-debuginfo-4.12.14-197.92.1 kernel-default-debuginfo-4.12.14-197.92.1 kernel-default-debugsource-4.12.14-197.92.1 kernel-default-devel-4.12.14-197.92.1 kernel-default-devel-debuginfo-4.12.14-197.92.1 kernel-obs-build-4.12.14-197.92.1 kernel-obs-build-debugsource-4.12.14-197.92.1 kernel-syms-4.12.14-197.92.1 reiserfs-kmp-default-4.12.14-197.92.1 reiserfs-kmp-default-debuginfo-4.12.14-197.92.1 - SUSE Manager Proxy 4.0 (x86_64): kernel-default-4.12.14-197.92.1 kernel-default-base-4.12.14-197.92.1 kernel-default-base-debuginfo-4.12.14-197.92.1 kernel-default-debuginfo-4.12.14-197.92.1 kernel-default-debugsource-4.12.14-197.92.1 kernel-default-devel-4.12.14-197.92.1 kernel-default-devel-debuginfo-4.12.14-197.92.1 kernel-obs-build-4.12.14-197.92.1 kernel-obs-build-debugsource-4.12.14-197.92.1 kernel-syms-4.12.14-197.92.1 
reiserfs-kmp-default-4.12.14-197.92.1 reiserfs-kmp-default-debuginfo-4.12.14-197.92.1 - SUSE Manager Proxy 4.0 (noarch): kernel-devel-4.12.14-197.92.1 kernel-docs-4.12.14-197.92.1 kernel-macros-4.12.14-197.92.1 kernel-source-4.12.14-197.92.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): kernel-default-4.12.14-197.92.1 kernel-default-base-4.12.14-197.92.1 kernel-default-base-debuginfo-4.12.14-197.92.1 kernel-default-debuginfo-4.12.14-197.92.1 kernel-default-debugsource-4.12.14-197.92.1 kernel-default-devel-4.12.14-197.92.1 kernel-default-devel-debuginfo-4.12.14-197.92.1 kernel-obs-build-4.12.14-197.92.1 kernel-obs-build-debugsource-4.12.14-197.92.1 kernel-syms-4.12.14-197.92.1 reiserfs-kmp-default-4.12.14-197.92.1 reiserfs-kmp-default-debuginfo-4.12.14-197.92.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): kernel-devel-4.12.14-197.92.1 kernel-docs-4.12.14-197.92.1 kernel-macros-4.12.14-197.92.1 kernel-source-4.12.14-197.92.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): kernel-default-4.12.14-197.92.1 kernel-default-base-4.12.14-197.92.1 kernel-default-base-debuginfo-4.12.14-197.92.1 kernel-default-debuginfo-4.12.14-197.92.1 kernel-default-debugsource-4.12.14-197.92.1 kernel-default-devel-4.12.14-197.92.1 kernel-default-devel-debuginfo-4.12.14-197.92.1 kernel-obs-build-4.12.14-197.92.1 kernel-obs-build-debugsource-4.12.14-197.92.1 kernel-syms-4.12.14-197.92.1 reiserfs-kmp-default-4.12.14-197.92.1 reiserfs-kmp-default-debuginfo-4.12.14-197.92.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): kernel-devel-4.12.14-197.92.1 kernel-docs-4.12.14-197.92.1 kernel-macros-4.12.14-197.92.1 kernel-source-4.12.14-197.92.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (s390x): kernel-default-man-4.12.14-197.92.1 kernel-zfcpdump-debuginfo-4.12.14-197.92.1 kernel-zfcpdump-debugsource-4.12.14-197.92.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): kernel-default-4.12.14-197.92.1 kernel-default-base-4.12.14-197.92.1 
kernel-default-base-debuginfo-4.12.14-197.92.1 kernel-default-debuginfo-4.12.14-197.92.1 kernel-default-debugsource-4.12.14-197.92.1 kernel-default-devel-4.12.14-197.92.1 kernel-default-devel-debuginfo-4.12.14-197.92.1 kernel-obs-build-4.12.14-197.92.1 kernel-obs-build-debugsource-4.12.14-197.92.1 kernel-syms-4.12.14-197.92.1 reiserfs-kmp-default-4.12.14-197.92.1 reiserfs-kmp-default-debuginfo-4.12.14-197.92.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): kernel-devel-4.12.14-197.92.1 kernel-docs-4.12.14-197.92.1 kernel-macros-4.12.14-197.92.1 kernel-source-4.12.14-197.92.1 - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-default-debuginfo-4.12.14-197.92.1 kernel-default-debugsource-4.12.14-197.92.1 kernel-default-livepatch-4.12.14-197.92.1 kernel-default-livepatch-devel-4.12.14-197.92.1 kernel-livepatch-4_12_14-197_92-default-1-3.3.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): kernel-default-4.12.14-197.92.1 kernel-default-base-4.12.14-197.92.1 kernel-default-base-debuginfo-4.12.14-197.92.1 kernel-default-debuginfo-4.12.14-197.92.1 kernel-default-debugsource-4.12.14-197.92.1 kernel-default-devel-4.12.14-197.92.1 kernel-default-devel-debuginfo-4.12.14-197.92.1 kernel-obs-build-4.12.14-197.92.1 kernel-obs-build-debugsource-4.12.14-197.92.1 kernel-syms-4.12.14-197.92.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): kernel-devel-4.12.14-197.92.1 kernel-docs-4.12.14-197.92.1 kernel-macros-4.12.14-197.92.1 kernel-source-4.12.14-197.92.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): kernel-default-4.12.14-197.92.1 kernel-default-base-4.12.14-197.92.1 kernel-default-base-debuginfo-4.12.14-197.92.1 kernel-default-debuginfo-4.12.14-197.92.1 kernel-default-debugsource-4.12.14-197.92.1 kernel-default-devel-4.12.14-197.92.1 kernel-default-devel-debuginfo-4.12.14-197.92.1 kernel-obs-build-4.12.14-197.92.1 
kernel-obs-build-debugsource-4.12.14-197.92.1 kernel-syms-4.12.14-197.92.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): kernel-devel-4.12.14-197.92.1 kernel-docs-4.12.14-197.92.1 kernel-macros-4.12.14-197.92.1 kernel-source-4.12.14-197.92.1 - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64): cluster-md-kmp-default-4.12.14-197.92.1 cluster-md-kmp-default-debuginfo-4.12.14-197.92.1 dlm-kmp-default-4.12.14-197.92.1 dlm-kmp-default-debuginfo-4.12.14-197.92.1 gfs2-kmp-default-4.12.14-197.92.1 gfs2-kmp-default-debuginfo-4.12.14-197.92.1 kernel-default-debuginfo-4.12.14-197.92.1 kernel-default-debugsource-4.12.14-197.92.1 ocfs2-kmp-default-4.12.14-197.92.1 ocfs2-kmp-default-debuginfo-4.12.14-197.92.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): kernel-default-4.12.14-197.92.1 kernel-default-base-4.12.14-197.92.1 kernel-default-base-debuginfo-4.12.14-197.92.1 kernel-default-debuginfo-4.12.14-197.92.1 kernel-default-debugsource-4.12.14-197.92.1 kernel-default-devel-4.12.14-197.92.1 kernel-default-devel-debuginfo-4.12.14-197.92.1 kernel-obs-build-4.12.14-197.92.1 kernel-obs-build-debugsource-4.12.14-197.92.1 kernel-syms-4.12.14-197.92.1 reiserfs-kmp-default-4.12.14-197.92.1 reiserfs-kmp-default-debuginfo-4.12.14-197.92.1 - SUSE Enterprise Storage 6 (noarch): kernel-devel-4.12.14-197.92.1 kernel-docs-4.12.14-197.92.1 kernel-macros-4.12.14-197.92.1 kernel-source-4.12.14-197.92.1 - SUSE CaaS Platform 4.0 (noarch): kernel-devel-4.12.14-197.92.1 kernel-docs-4.12.14-197.92.1 kernel-macros-4.12.14-197.92.1 kernel-source-4.12.14-197.92.1 - SUSE CaaS Platform 4.0 (x86_64): kernel-default-4.12.14-197.92.1 kernel-default-base-4.12.14-197.92.1 kernel-default-base-debuginfo-4.12.14-197.92.1 kernel-default-debuginfo-4.12.14-197.92.1 kernel-default-debugsource-4.12.14-197.92.1 kernel-default-devel-4.12.14-197.92.1 kernel-default-devel-debuginfo-4.12.14-197.92.1 kernel-obs-build-4.12.14-197.92.1 
kernel-obs-build-debugsource-4.12.14-197.92.1 kernel-syms-4.12.14-197.92.1 reiserfs-kmp-default-4.12.14-197.92.1 reiserfs-kmp-default-debuginfo-4.12.14-197.92.1 References: https://www.suse.com/security/cve/CVE-2020-24586.html https://www.suse.com/security/cve/CVE-2020-24587.html https://www.suse.com/security/cve/CVE-2020-26139.html https://www.suse.com/security/cve/CVE-2020-26141.html https://www.suse.com/security/cve/CVE-2020-26145.html https://www.suse.com/security/cve/CVE-2020-26147.html https://www.suse.com/security/cve/CVE-2021-23133.html https://www.suse.com/security/cve/CVE-2021-23134.html https://www.suse.com/security/cve/CVE-2021-32399.html https://www.suse.com/security/cve/CVE-2021-33034.html https://www.suse.com/security/cve/CVE-2021-33200.html https://www.suse.com/security/cve/CVE-2021-3491.html https://bugzilla.suse.com/1181161 https://bugzilla.suse.com/1183405 https://bugzilla.suse.com/1183738 https://bugzilla.suse.com/1183947 https://bugzilla.suse.com/1184611 https://bugzilla.suse.com/1184675 https://bugzilla.suse.com/1185642 https://bugzilla.suse.com/1185680 https://bugzilla.suse.com/1185725 https://bugzilla.suse.com/1185859 https://bugzilla.suse.com/1185860 https://bugzilla.suse.com/1185862 https://bugzilla.suse.com/1185863 https://bugzilla.suse.com/1185898 https://bugzilla.suse.com/1185899 https://bugzilla.suse.com/1185901 https://bugzilla.suse.com/1185938 https://bugzilla.suse.com/1185950 https://bugzilla.suse.com/1185987 https://bugzilla.suse.com/1186060 https://bugzilla.suse.com/1186061 https://bugzilla.suse.com/1186062 https://bugzilla.suse.com/1186111 https://bugzilla.suse.com/1186285 https://bugzilla.suse.com/1186390 https://bugzilla.suse.com/1186484 https://bugzilla.suse.com/1186498 From sle-security-updates at lists.suse.com Wed Jun 9 16:44:12 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 9 Jun 2021 18:44:12 +0200 (CEST) Subject: SUSE-SU-2021:1919-1: important: Security update for 
MozillaFirefox
Message-ID: <20210609164412.59FECFD14@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1919-1
Rating: important
References: #1185633 #1186696
Cross-References: CVE-2021-29951 CVE-2021-29964 CVE-2021-29967
CVSS scores:
  CVE-2021-29951 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Affected Products:
  SUSE Manager Server 4.0
  SUSE Manager Retail Branch Server 4.0
  SUSE Manager Proxy 4.0
  SUSE Linux Enterprise Server for SAP 15-SP1
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-SP1-LTSS
  SUSE Linux Enterprise Server 15-SP1-BCL
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
  SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
  SUSE Enterprise Storage 6
  SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for MozillaFirefox fixes the following issues:

Firefox Extended Support Release 78.11.0 ESR (bsc#1186696)

* CVE-2021-29964: Out of bounds-read when parsing a `WM_COPYDATA` message
* CVE-2021-29967: Memory safety bugs fixed in Firefox

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1919=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1919=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1919=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1919=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1919=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1919=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1919=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1919=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1919=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1919=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1919=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1919=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1919=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): MozillaFirefox-78.11.0-3.144.1 MozillaFirefox-debuginfo-78.11.0-3.144.1 MozillaFirefox-debugsource-78.11.0-3.144.1 MozillaFirefox-devel-78.11.0-3.144.1 MozillaFirefox-translations-common-78.11.0-3.144.1 MozillaFirefox-translations-other-78.11.0-3.144.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): MozillaFirefox-78.11.0-3.144.1 MozillaFirefox-debuginfo-78.11.0-3.144.1 MozillaFirefox-debugsource-78.11.0-3.144.1 MozillaFirefox-devel-78.11.0-3.144.1 MozillaFirefox-translations-common-78.11.0-3.144.1 MozillaFirefox-translations-other-78.11.0-3.144.1 - SUSE Manager Proxy 4.0 (x86_64): MozillaFirefox-78.11.0-3.144.1 MozillaFirefox-debuginfo-78.11.0-3.144.1 MozillaFirefox-debugsource-78.11.0-3.144.1 MozillaFirefox-devel-78.11.0-3.144.1 MozillaFirefox-translations-common-78.11.0-3.144.1 MozillaFirefox-translations-other-78.11.0-3.144.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): MozillaFirefox-78.11.0-3.144.1 MozillaFirefox-debuginfo-78.11.0-3.144.1 MozillaFirefox-debugsource-78.11.0-3.144.1 MozillaFirefox-devel-78.11.0-3.144.1 MozillaFirefox-translations-common-78.11.0-3.144.1 MozillaFirefox-translations-other-78.11.0-3.144.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): MozillaFirefox-78.11.0-3.144.1 MozillaFirefox-debuginfo-78.11.0-3.144.1 MozillaFirefox-debugsource-78.11.0-3.144.1 MozillaFirefox-devel-78.11.0-3.144.1 MozillaFirefox-translations-common-78.11.0-3.144.1 MozillaFirefox-translations-other-78.11.0-3.144.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): MozillaFirefox-78.11.0-3.144.1 MozillaFirefox-debuginfo-78.11.0-3.144.1 MozillaFirefox-debugsource-78.11.0-3.144.1 MozillaFirefox-devel-78.11.0-3.144.1 MozillaFirefox-translations-common-78.11.0-3.144.1 MozillaFirefox-translations-other-78.11.0-3.144.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): MozillaFirefox-78.11.0-3.144.1 MozillaFirefox-debuginfo-78.11.0-3.144.1 
MozillaFirefox-debugsource-78.11.0-3.144.1 MozillaFirefox-devel-78.11.0-3.144.1 MozillaFirefox-translations-common-78.11.0-3.144.1 MozillaFirefox-translations-other-78.11.0-3.144.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): MozillaFirefox-78.11.0-3.144.1 MozillaFirefox-debuginfo-78.11.0-3.144.1 MozillaFirefox-debugsource-78.11.0-3.144.1 MozillaFirefox-devel-78.11.0-3.144.1 MozillaFirefox-translations-common-78.11.0-3.144.1 MozillaFirefox-translations-other-78.11.0-3.144.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): MozillaFirefox-78.11.0-3.144.1 MozillaFirefox-debuginfo-78.11.0-3.144.1 MozillaFirefox-debugsource-78.11.0-3.144.1 MozillaFirefox-devel-78.11.0-3.144.1 MozillaFirefox-translations-common-78.11.0-3.144.1 MozillaFirefox-translations-other-78.11.0-3.144.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): MozillaFirefox-78.11.0-3.144.1 MozillaFirefox-debuginfo-78.11.0-3.144.1 MozillaFirefox-debugsource-78.11.0-3.144.1 MozillaFirefox-devel-78.11.0-3.144.1 MozillaFirefox-translations-common-78.11.0-3.144.1 MozillaFirefox-translations-other-78.11.0-3.144.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): MozillaFirefox-78.11.0-3.144.1 MozillaFirefox-debuginfo-78.11.0-3.144.1 MozillaFirefox-debugsource-78.11.0-3.144.1 MozillaFirefox-devel-78.11.0-3.144.1 MozillaFirefox-translations-common-78.11.0-3.144.1 MozillaFirefox-translations-other-78.11.0-3.144.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): MozillaFirefox-78.11.0-3.144.1 MozillaFirefox-debuginfo-78.11.0-3.144.1 MozillaFirefox-debugsource-78.11.0-3.144.1 MozillaFirefox-devel-78.11.0-3.144.1 MozillaFirefox-translations-common-78.11.0-3.144.1 MozillaFirefox-translations-other-78.11.0-3.144.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): MozillaFirefox-78.11.0-3.144.1 MozillaFirefox-debuginfo-78.11.0-3.144.1 MozillaFirefox-debugsource-78.11.0-3.144.1 
MozillaFirefox-devel-78.11.0-3.144.1 MozillaFirefox-translations-common-78.11.0-3.144.1 MozillaFirefox-translations-other-78.11.0-3.144.1 - SUSE CaaS Platform 4.0 (x86_64): MozillaFirefox-78.11.0-3.144.1 MozillaFirefox-debuginfo-78.11.0-3.144.1 MozillaFirefox-debugsource-78.11.0-3.144.1 MozillaFirefox-devel-78.11.0-3.144.1 MozillaFirefox-translations-common-78.11.0-3.144.1 MozillaFirefox-translations-other-78.11.0-3.144.1 References: https://www.suse.com/security/cve/CVE-2021-29951.html https://www.suse.com/security/cve/CVE-2021-29964.html https://www.suse.com/security/cve/CVE-2021-29967.html https://bugzilla.suse.com/1185633 https://bugzilla.suse.com/1186696 From sle-security-updates at lists.suse.com Wed Jun 9 16:45:46 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 9 Jun 2021 18:45:46 +0200 (CEST) Subject: SUSE-SU-2021:1914-1: moderate: Security update for libopenmpt Message-ID: <20210609164546.0DDF6FD14@maintenance.suse.de> SUSE Security Update: Security update for libopenmpt ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1914-1 Rating: moderate References: #1186663 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP3 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for libopenmpt fixes the following issues: Various bugfix and stability issues were fixed, some of those might have security impact. libopenmpt was updated to 0.3.28: * Fixed excessive memory consumption with malformed files in various formats. Changes in 0.3.27: * AMS: Avoid allocating excessive amount of memory for compressed song message in malformed files. * S3M: Some samples were imported with a too high sample rate if module was saved with Scream Tracker 3. 
Changes in 0.3.26: * DMF: Improve import of finetune effect with parameters larger than +/-15. Changes in 0.3.25: * AMS: An upper bound for uncompressed sample size is now established to avoid memory exhaustion from malformed files. * MO3: Avoid certain ModPlug hacks from being fixed up twice, which could lead to e.g. very narrow pan swing range for old OpenMPT IT files saved with a recent MO3 encoder version. * IMF: Instrument sample mapping was off by one octave, notable in the guitar part of Astaris by Karsten Koch. * PLM: Percentage offset (Mxx) was slightly off. Changes in 0.3.24: * PP20: The first few bytes of some files were not decompressed properly, making some files unplayable (depending on the original format). Changes in 0.3.23: * IT: Global volume slides with both nibbles set preferred the "slide up" nibble over the "slide down" nibble in old OpenMPT versions, unlike other slides. Such old files are now imported correctly again. * IT: Fixed an edge case where, if the filter hit full cutoff / no resonance on the first tick of a row where a new delayed note would be triggered, the filter would be disabled even though it should stay active. Fixes trace.it by maddie. * XM: Out-of-range arpeggio clamping behaviour broke in OpenMPT 1.23.05.00. The arpeggios in Binary World by Dakota now play correctly again. * S3M: Support old-style sample pre-amp value in very early S3M files. * S3M: Only force-enable fast slides for files ST 3.00. Previously, any S3M file made with an ST3 version older than 3.20 enabled them. * M15: Improve tracker detection heuristics to never assume SoundTracker 2.0 if there is a huge number of Dxx commands, as that is a definite hint that they should be treated as volume slides. Fixes Monty On The Run by Master Blaster. Changes in 0.3.22: * IT: Disable retrigger with short notes quirk for modules saved with Chibi Tracker, as it does not implement that quirk. 
* MOD: Fix early song ending due to ProTracker pattern jump quirk (EEx + Dxx on same row) if infinite looping is disabled. Fixes Haunted Tracks.mod by Triace. * MOD: Vibrato type "ramp down" was upside down. Changes in 0.3.21: * IT: Vibrato was too fast in Old Effects mode since libopenmpt 0.3. * XM: Treat 8bitbubsy's FT2 clone exactly like Fasttracker 2 with respect to compatibility and playback flags. For example, FT2 Pan Law was not applied. * DMF: Some files had a wrong tempo since libopenmpt 0.2.5705-beta15. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-1914=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1914=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64): libmodplug-devel-0.3.28-2.13.1 libmodplug1-0.3.28-2.13.1 libmodplug1-debuginfo-0.3.28-2.13.1 libopenmpt-debugsource-0.3.28-2.13.1 libopenmpt-devel-0.3.28-2.13.1 libopenmpt0-0.3.28-2.13.1 libopenmpt0-debuginfo-0.3.28-2.13.1 libopenmpt_modplug1-0.3.28-2.13.1 libopenmpt_modplug1-debuginfo-0.3.28-2.13.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): libmodplug-devel-0.3.28-2.13.1 libmodplug1-0.3.28-2.13.1 libmodplug1-debuginfo-0.3.28-2.13.1 libopenmpt-debugsource-0.3.28-2.13.1 libopenmpt-devel-0.3.28-2.13.1 libopenmpt0-0.3.28-2.13.1 libopenmpt0-debuginfo-0.3.28-2.13.1 libopenmpt_modplug1-0.3.28-2.13.1 libopenmpt_modplug1-debuginfo-0.3.28-2.13.1 References: https://bugzilla.suse.com/1186663 From sle-security-updates at lists.suse.com Thu Jun 10 10:23:53 2021 From: sle-security-updates at lists.suse.com (sle-security-updates 
at lists.suse.com) Date: Thu, 10 Jun 2021 12:23:53 +0200 (CEST) Subject: SUSE-SU-2021:1929-1: important: Security update for ucode-intel Message-ID: <20210610102353.BFD37FD07@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1929-1 Rating: important References: #1179833 #1179836 #1179837 #1179839 Cross-References: CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513 CVSS scores: CVE-2020-24489 (SUSE): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2020-24511 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2020-24512 (SUSE): 2.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N CVE-2020-24513 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for ucode-intel fixes the following issues: Updated to Intel CPU Microcode 20210608 release. - CVE-2020-24513: A domain bypass transient execution vulnerability was discovered on some Intel Atom processors that use a micro-architectural incident channel. 
(INTEL-SA-00465 bsc#1179833) See also: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00465.html - CVE-2020-24511: The IBRS feature to mitigate Spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (INTEL-SA-00464 bsc#1179836) See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html - CVE-2020-24512: Fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 INTEL-SA-00464) See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html - CVE-2020-24489: Fixed Intel VT-d device pass through potential local privilege escalation (INTEL-SA-00442 bsc#1179839) See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00442.html Other fixes: - Update for functional issues. Refer to [Third Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780) for details. - Update for functional issues. Refer to [Second Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details. - Update for functional issues. Refer to [Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details. - Update for functional issues. Refer to [Intel Xeon Processor D-1500, D-1500 NS and D-1600 NS Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-d-1500-specification-update.html) for details. - Update for functional issues. Refer to [Intel Xeon E7-8800 and E7-4800 v3 Processor Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e7-v3-spec-update.html) for details. - Update for functional issues. 
Refer to [Intel Xeon Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details. - Update for functional issues. Refer to [10th Gen Intel Core Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details. - Update for functional issues. Refer to [8th and 9th Gen Intel Core Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details. - Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details. - Update for functional issues. Refer to [6th Gen Intel Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details. - Update for functional issues. Refer to [Intel Xeon E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details. - Update for functional issues. Refer to [Intel Xeon E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details. 
- New platforms:

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CLX-SP | A0 | 06-55-05/b7 | | 03000010 | Xeon Scalable Gen2
| ICX-SP | C0 | 06-6a-05/87 | | 0c0002f0 | Xeon Scalable Gen3
| ICX-SP | D0 | 06-6a-06/87 | | 0d0002a0 | Xeon Scalable Gen3
| SNR | B0 | 06-86-04/01 | | 0b00000f | Atom P59xxB
| SNR | B1 | 06-86-05/01 | | 0b00000f | Atom P59xxB
| TGL | B1 | 06-8c-01/80 | | 00000088 | Core Gen11 Mobile
| TGL-R | C0 | 06-8c-02/c2 | | 00000016 | Core Gen11 Mobile
| TGL-H | R0 | 06-8d-01/c2 | | 0000002c | Core Gen11 Mobile
| EHL | B1 | 06-96-01/01 | | 00000011 | Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E
| JSL | A0/A1 | 06-9c-00/01 | | 0000001d | Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105
| RKL-S | B0 | 06-a7-01/02 | | 00000040 | Core Gen11

- Updated platforms:

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000044 | 00000046 | Core Gen4 X series; Xeon E5 v3
| HSX-EX | E0 | 06-3f-04/80 | 00000016 | 00000019 | Xeon E7 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| BDX-ML | B0/M0/R0 | 06-4f-01/ef | 0b000038 | 0b00003e | Xeon E5/E7 v4; Core i7-69xx/68xx
| SKX-SP | B1 | 06-55-03/97 | 01000159 | 0100015b | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04003006 | 04003102 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05003006 | 05003102 | Xeon Scalable Gen2
| CPX-SP | A1 | 06-55-0b/bf | 0700001e | 07002302 | Xeon Scalable Gen3
| BDX-DE | V2/V3 | 06-56-03/10 | 07000019 | 0700001b | Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
| BDX-DE | Y0 | 06-56-04/10 | 0f000017 | 0f000019 | Xeon D-1557/59/67/71/77/81/87
| BDX-NS | A0 | 06-56-05/10 | 0e00000f | 0e000012 | Xeon D-1513N/23/33/43/53
| APL | D0 | 06-5c-09/03 | 00000040 | 00000044 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 0000001e | 00000020 | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000e2 | 000000ea | Core Gen6; Xeon E3 v5
| DNV | B0 | 06-5f-01/01 | 0000002e | 00000034 | Atom C Series
| GLK | B0 | 06-7a-01/01 | 00000034 | 00000036 | Pentium Silver N/J5xxx, Celeron N/J4xxx
| GKL-R | R0 | 06-7a-08/01 | 00000018 | 0000001a | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 000000a0 | 000000a6 | Core Gen10 Mobile
| LKF | B2/B3 | 06-8a-01/10 | 00000028 | 0000002a | Core w/Hybrid Technology
| AML-Y22 | H0 | 06-8e-09/10 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000de | 000000ea | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000e0 | 000000ea | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000de | 000000ea | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000de | 000000ea | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000de | 000000ea | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000de | 000000ea | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000de | 000000ea | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000de | 000000ea | Core Gen9 Mobile
| CML-H | R1 | 06-a5-02/20 | 000000e0 | 000000ea | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | 000000e0 | 000000ea | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | 000000e0 | 000000ec | Core Gen10
| CML-U62 | A0 | 06-a6-00/80 | 000000e0 | 000000e8 | Core Gen10 Mobile
| CML-U62 V2 | K0 | 06-a6-01/80 | 000000e0 | 000000ea | Core Gen10 Mobile

Special Instructions and Notes: Please
reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1929=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (x86_64): ucode-intel-20210525-3.35.1 ucode-intel-debuginfo-20210525-3.35.1 ucode-intel-debugsource-20210525-3.35.1 References: https://www.suse.com/security/cve/CVE-2020-24489.html https://www.suse.com/security/cve/CVE-2020-24511.html https://www.suse.com/security/cve/CVE-2020-24512.html https://www.suse.com/security/cve/CVE-2020-24513.html https://bugzilla.suse.com/1179833 https://bugzilla.suse.com/1179836 https://bugzilla.suse.com/1179837 https://bugzilla.suse.com/1179839 From sle-security-updates at lists.suse.com Thu Jun 10 10:27:18 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 10 Jun 2021 12:27:18 +0200 (CEST) Subject: SUSE-SU-2021:1928-1: moderate: Security update for spice-gtk Message-ID: <20210610102718.7051DFD07@maintenance.suse.de> SUSE Security Update: Security update for spice-gtk ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1928-1 Rating: moderate References: #1177158 Cross-References: CVE-2020-14355 CVSS scores: CVE-2020-14355 (NVD) : 6.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-14355 (SUSE): 6.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Enterprise Storage 6 SUSE CaaS 
Platform 4.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for spice-gtk fixes the following issues: - CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC decoding code (bsc#1177158) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1928=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1928=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1928=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1928=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1928=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1928=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1928=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1928=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1928=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): libspice-client-glib-2_0-8-0.35-3.3.1 libspice-client-glib-2_0-8-debuginfo-0.35-3.3.1 libspice-client-glib-helper-0.35-3.3.1 libspice-client-glib-helper-debuginfo-0.35-3.3.1 libspice-client-gtk-3_0-5-0.35-3.3.1 libspice-client-gtk-3_0-5-debuginfo-0.35-3.3.1 spice-gtk-debuginfo-0.35-3.3.1 spice-gtk-debugsource-0.35-3.3.1 spice-gtk-devel-0.35-3.3.1 typelib-1_0-SpiceClientGlib-2_0-0.35-3.3.1 typelib-1_0-SpiceClientGtk-3_0-0.35-3.3.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): libspice-client-glib-2_0-8-0.35-3.3.1 libspice-client-glib-2_0-8-debuginfo-0.35-3.3.1 libspice-client-glib-helper-0.35-3.3.1 libspice-client-glib-helper-debuginfo-0.35-3.3.1 libspice-client-gtk-3_0-5-0.35-3.3.1 libspice-client-gtk-3_0-5-debuginfo-0.35-3.3.1 spice-gtk-debuginfo-0.35-3.3.1 spice-gtk-debugsource-0.35-3.3.1 spice-gtk-devel-0.35-3.3.1 typelib-1_0-SpiceClientGlib-2_0-0.35-3.3.1 typelib-1_0-SpiceClientGtk-3_0-0.35-3.3.1 - SUSE Manager Proxy 4.0 (x86_64): libspice-client-glib-2_0-8-0.35-3.3.1 libspice-client-glib-2_0-8-debuginfo-0.35-3.3.1 libspice-client-glib-helper-0.35-3.3.1 libspice-client-glib-helper-debuginfo-0.35-3.3.1 libspice-client-gtk-3_0-5-0.35-3.3.1 libspice-client-gtk-3_0-5-debuginfo-0.35-3.3.1 spice-gtk-debuginfo-0.35-3.3.1 spice-gtk-debugsource-0.35-3.3.1 spice-gtk-devel-0.35-3.3.1 typelib-1_0-SpiceClientGlib-2_0-0.35-3.3.1 typelib-1_0-SpiceClientGtk-3_0-0.35-3.3.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): libspice-client-glib-2_0-8-0.35-3.3.1 libspice-client-glib-2_0-8-debuginfo-0.35-3.3.1 libspice-client-glib-helper-0.35-3.3.1 libspice-client-glib-helper-debuginfo-0.35-3.3.1 libspice-client-gtk-3_0-5-0.35-3.3.1 libspice-client-gtk-3_0-5-debuginfo-0.35-3.3.1 spice-gtk-debuginfo-0.35-3.3.1 spice-gtk-debugsource-0.35-3.3.1 spice-gtk-devel-0.35-3.3.1 typelib-1_0-SpiceClientGlib-2_0-0.35-3.3.1 typelib-1_0-SpiceClientGtk-3_0-0.35-3.3.1 - SUSE Linux Enterprise Server 15-SP1-LTSS 
(aarch64 ppc64le s390x x86_64): libspice-client-glib-2_0-8-0.35-3.3.1 libspice-client-glib-2_0-8-debuginfo-0.35-3.3.1 libspice-client-glib-helper-0.35-3.3.1 libspice-client-glib-helper-debuginfo-0.35-3.3.1 libspice-client-gtk-3_0-5-0.35-3.3.1 libspice-client-gtk-3_0-5-debuginfo-0.35-3.3.1 spice-gtk-debuginfo-0.35-3.3.1 spice-gtk-debugsource-0.35-3.3.1 spice-gtk-devel-0.35-3.3.1 typelib-1_0-SpiceClientGlib-2_0-0.35-3.3.1 typelib-1_0-SpiceClientGtk-3_0-0.35-3.3.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): libspice-client-glib-2_0-8-0.35-3.3.1 libspice-client-glib-2_0-8-debuginfo-0.35-3.3.1 libspice-client-glib-helper-0.35-3.3.1 libspice-client-glib-helper-debuginfo-0.35-3.3.1 libspice-client-gtk-3_0-5-0.35-3.3.1 libspice-client-gtk-3_0-5-debuginfo-0.35-3.3.1 spice-gtk-debuginfo-0.35-3.3.1 spice-gtk-debugsource-0.35-3.3.1 spice-gtk-devel-0.35-3.3.1 typelib-1_0-SpiceClientGlib-2_0-0.35-3.3.1 typelib-1_0-SpiceClientGtk-3_0-0.35-3.3.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): libspice-client-glib-2_0-8-0.35-3.3.1 libspice-client-glib-2_0-8-debuginfo-0.35-3.3.1 libspice-client-glib-helper-0.35-3.3.1 libspice-client-glib-helper-debuginfo-0.35-3.3.1 libspice-client-gtk-3_0-5-0.35-3.3.1 libspice-client-gtk-3_0-5-debuginfo-0.35-3.3.1 spice-gtk-debuginfo-0.35-3.3.1 spice-gtk-debugsource-0.35-3.3.1 spice-gtk-devel-0.35-3.3.1 typelib-1_0-SpiceClientGlib-2_0-0.35-3.3.1 typelib-1_0-SpiceClientGtk-3_0-0.35-3.3.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): libspice-client-glib-2_0-8-0.35-3.3.1 libspice-client-glib-2_0-8-debuginfo-0.35-3.3.1 libspice-client-glib-helper-0.35-3.3.1 libspice-client-glib-helper-debuginfo-0.35-3.3.1 libspice-client-gtk-3_0-5-0.35-3.3.1 libspice-client-gtk-3_0-5-debuginfo-0.35-3.3.1 spice-gtk-debuginfo-0.35-3.3.1 spice-gtk-debugsource-0.35-3.3.1 spice-gtk-devel-0.35-3.3.1 typelib-1_0-SpiceClientGlib-2_0-0.35-3.3.1 typelib-1_0-SpiceClientGtk-3_0-0.35-3.3.1 - SUSE 
Enterprise Storage 6 (aarch64 x86_64): libspice-client-glib-2_0-8-0.35-3.3.1 libspice-client-glib-2_0-8-debuginfo-0.35-3.3.1 libspice-client-glib-helper-0.35-3.3.1 libspice-client-glib-helper-debuginfo-0.35-3.3.1 libspice-client-gtk-3_0-5-0.35-3.3.1 libspice-client-gtk-3_0-5-debuginfo-0.35-3.3.1 spice-gtk-debuginfo-0.35-3.3.1 spice-gtk-debugsource-0.35-3.3.1 spice-gtk-devel-0.35-3.3.1 typelib-1_0-SpiceClientGlib-2_0-0.35-3.3.1 typelib-1_0-SpiceClientGtk-3_0-0.35-3.3.1 - SUSE CaaS Platform 4.0 (x86_64): libspice-client-glib-2_0-8-0.35-3.3.1 libspice-client-glib-2_0-8-debuginfo-0.35-3.3.1 libspice-client-glib-helper-0.35-3.3.1 libspice-client-glib-helper-debuginfo-0.35-3.3.1 libspice-client-gtk-3_0-5-0.35-3.3.1 libspice-client-gtk-3_0-5-debuginfo-0.35-3.3.1 spice-gtk-debuginfo-0.35-3.3.1 spice-gtk-debugsource-0.35-3.3.1 spice-gtk-devel-0.35-3.3.1 typelib-1_0-SpiceClientGlib-2_0-0.35-3.3.1 typelib-1_0-SpiceClientGtk-3_0-0.35-3.3.1 References: https://www.suse.com/security/cve/CVE-2020-14355.html https://bugzilla.suse.com/1177158 From sle-security-updates at lists.suse.com Thu Jun 10 10:28:48 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 10 Jun 2021 12:28:48 +0200 (CEST) Subject: SUSE-SU-2021:1927-1: important: Security update for spice Message-ID: <20210610102848.7B3B4FD07@maintenance.suse.de> SUSE Security Update: Security update for spice ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1927-1 Rating: important References: #1181686 Cross-References: CVE-2021-20201 CVSS scores: CVE-2021-20201 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-20201 (SUSE): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Module for Server Applications 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for spice fixes the following issues: - CVE-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1927=1 - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-1927=1 Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): libspice-server1-0.14.2-3.6.1 libspice-server1-debuginfo-0.14.2-3.6.1 spice-debugsource-0.14.2-3.6.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): libspice-server-devel-0.14.2-3.6.1 libspice-server1-0.14.2-3.6.1 libspice-server1-debuginfo-0.14.2-3.6.1 spice-debugsource-0.14.2-3.6.1 References: https://www.suse.com/security/cve/CVE-2021-20201.html https://bugzilla.suse.com/1181686 From sle-security-updates at lists.suse.com Thu Jun 10 13:18:58 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 10 Jun 2021 15:18:58 +0200 (CEST) Subject: SUSE-SU-2021:1932-1: important: Security update for ucode-intel Message-ID: <20210610131858.84B38FD14@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1932-1 Rating: important References: #1179833 #1179836 #1179837 #1179839 Cross-References: CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513 CVSS scores: CVE-2020-24489 (SUSE): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2020-24511 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2020-24512 (SUSE): 2.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N CVE-2020-24513 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N 
Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for ucode-intel fixes the following issues: - Updated to Intel CPU Microcode 20210525 release. - CVE-2020-24513: A domain bypass transient execution vulnerability was discovered on some Intel Atom processors that use a micro-architectural incident channel. (INTEL-SA-00465 bsc#1179833) See also: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00465.html - CVE-2020-24511: The IBRS feature to mitigate Spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (INTEL-SA-00464 bsc#1179836) See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html - CVE-2020-24512: Fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 INTEL-SA-00464) See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html - CVE-2020-24489: Fixed Intel VT-d device pass through potential local privilege escalation (INTEL-SA-00442 bsc#1179839) See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00442.html Other fixes: - Update for functional issues. 
Refer to [Third Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780) for details. - Update for functional issues. Refer to [Second Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details. - Update for functional issues. Refer to [Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details. - Update for functional issues. Refer to [Intel Xeon Processor D-1500, D-1500 NS and D-1600 NS Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-d-1500-specification-update.html) for details. - Update for functional issues. Refer to [Intel Xeon E7-8800 and E7-4800 v3 Processor Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e7-v3-spec-update.html) for details. - Update for functional issues. Refer to [Intel Xeon Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details. - Update for functional issues. Refer to [10th Gen Intel Core Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details. - Update for functional issues. Refer to [8th and 9th Gen Intel Core Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details. - Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details. - Update for functional issues. 
Refer to [6th Gen Intel Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details. - Update for functional issues. Refer to [Intel Xeon E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details. - Update for functional issues. Refer to [Intel Xeon E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.

- New platforms:

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CLX-SP | A0 | 06-55-05/b7 | | 03000010 | Xeon Scalable Gen2
| ICX-SP | C0 | 06-6a-05/87 | | 0c0002f0 | Xeon Scalable Gen3
| ICX-SP | D0 | 06-6a-06/87 | | 0d0002a0 | Xeon Scalable Gen3
| SNR | B0 | 06-86-04/01 | | 0b00000f | Atom P59xxB
| SNR | B1 | 06-86-05/01 | | 0b00000f | Atom P59xxB
| TGL | B1 | 06-8c-01/80 | | 00000088 | Core Gen11 Mobile
| TGL-R | C0 | 06-8c-02/c2 | | 00000016 | Core Gen11 Mobile
| TGL-H | R0 | 06-8d-01/c2 | | 0000002c | Core Gen11 Mobile
| EHL | B1 | 06-96-01/01 | | 00000011 | Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E
| JSL | A0/A1 | 06-9c-00/01 | | 0000001d | Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105
| RKL-S | B0 | 06-a7-01/02 | | 00000040 | Core Gen11

- Updated platforms:

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000044 | 00000046 | Core Gen4 X series; Xeon E5 v3
| HSX-EX | E0 | 06-3f-04/80 | 00000016 | 00000019 | Xeon E7 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| BDX-ML | B0/M0/R0 | 06-4f-01/ef | 0b000038 | 0b00003e | Xeon E5/E7 v4; Core i7-69xx/68xx
| SKX-SP | B1 | 06-55-03/97 | 01000159 | 0100015b | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04003006 | 04003102 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05003006 | 05003102 | Xeon Scalable Gen2
| CPX-SP | A1 | 06-55-0b/bf | 0700001e | 07002302 | Xeon Scalable Gen3
| BDX-DE | V2/V3 | 06-56-03/10 | 07000019 | 0700001b | Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
| BDX-DE | Y0 | 06-56-04/10 | 0f000017 | 0f000019 | Xeon D-1557/59/67/71/77/81/87
| BDX-NS | A0 | 06-56-05/10 | 0e00000f | 0e000012 | Xeon D-1513N/23/33/43/53
| APL | D0 | 06-5c-09/03 | 00000040 | 00000044 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 0000001e | 00000020 | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000e2 | 000000ea | Core Gen6; Xeon E3 v5
| DNV | B0 | 06-5f-01/01 | 0000002e | 00000034 | Atom C Series
| GLK | B0 | 06-7a-01/01 | 00000034 | 00000036 | Pentium Silver N/J5xxx, Celeron N/J4xxx
| GKL-R | R0 | 06-7a-08/01 | 00000018 | 0000001a | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 000000a0 | 000000a6 | Core Gen10 Mobile
| LKF | B2/B3 | 06-8a-01/10 | 00000028 | 0000002a | Core w/Hybrid Technology
| AML-Y22 | H0 | 06-8e-09/10 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000de | 000000ea | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000e0 | 000000ea | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000de | 000000ea | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000de | 000000ea | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000de | 000000ea | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000de | 000000ea | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000de | 000000ea | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000de | 000000ea | Core Gen9 Mobile
| CML-H | R1 | 06-a5-02/20 | 000000e0 | 000000ea | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | 000000e0 | 000000ea | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | 000000e0 | 000000ec | Core Gen10
| CML-U62 | A0 | 06-a6-00/80 | 000000e0 | 000000e8 | Core Gen10 Mobile
| CML-U62 V2 | K0 | 06-a6-01/80 | 000000e0 | 000000ea | Core Gen10 Mobile

Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1932=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1932=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1932=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1932=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1932=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1932=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1932=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1932=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1932=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. 
    It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

- SUSE Manager Server 4.0 (x86_64):
    ucode-intel-20210525-3.203.1
- SUSE Manager Retail Branch Server 4.0 (x86_64):
    ucode-intel-20210525-3.203.1
- SUSE Manager Proxy 4.0 (x86_64):
    ucode-intel-20210525-3.203.1
- SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):
    ucode-intel-20210525-3.203.1
- SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):
    ucode-intel-20210525-3.203.1
- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
    ucode-intel-20210525-3.203.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):
    ucode-intel-20210525-3.203.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):
    ucode-intel-20210525-3.203.1
- SUSE Enterprise Storage 6 (x86_64):
    ucode-intel-20210525-3.203.1
- SUSE CaaS Platform 4.0 (x86_64):
    ucode-intel-20210525-3.203.1

References:

https://www.suse.com/security/cve/CVE-2020-24489.html
https://www.suse.com/security/cve/CVE-2020-24511.html
https://www.suse.com/security/cve/CVE-2020-24512.html
https://www.suse.com/security/cve/CVE-2020-24513.html
https://bugzilla.suse.com/1179833
https://bugzilla.suse.com/1179836
https://bugzilla.suse.com/1179837
https://bugzilla.suse.com/1179839

From sle-security-updates at lists.suse.com Thu Jun 10 13:22:16 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 10 Jun 2021 15:22:16 +0200 (CEST)
Subject: SUSE-SU-2021:1938-1: important: Security update for python-Pillow
Message-ID: <20210610132216.40AF2FD14@maintenance.suse.de>

SUSE Security Update: Security update for python-Pillow
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1938-1
Rating: important
References: #1180832 #1180834 #1183101 #1183102 #1183105 #1183107 #1183108 #1183110 #1185784 #1185785 #1185786 #1185803 #1185804 #1185805
Cross-References: CVE-2020-35653 CVE-2020-35655 CVE-2021-25287 CVE-2021-25288 CVE-2021-25290 CVE-2021-25292 CVE-2021-25293 CVE-2021-27921 CVE-2021-27922 CVE-2021-27923 CVE-2021-28675 CVE-2021-28676 CVE-2021-28677 CVE-2021-28678
CVSS scores:
    CVE-2020-35653 (NVD) : 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
    CVE-2020-35653 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
    CVE-2020-35655 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
    CVE-2020-35655 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
    CVE-2021-25288 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
    CVE-2021-25290 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-25292 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
    CVE-2021-25293 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-27921 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-27922 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-27923 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-28675 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-28677 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-28677 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-28678 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
    SUSE OpenStack Cloud Crowbar 9
    SUSE OpenStack Cloud 9
______________________________________________________________________________

An update that fixes 14 vulnerabilities is now available.

Description:

This update for python-Pillow fixes the following issues:

- CVE-2020-35655: Fixed a buffer over-read when decoding crafted SGI RLE image files (bsc#1180832).
- CVE-2021-25293: Fixed an out-of-bounds read in SGIRleDecode.c (bsc#1183102).
- CVE-2021-25290: Fixed a negative-offset memcpy with an invalid size in TiffDecode.c (bsc#1183105).
- CVE-2021-25292: Fixed a backtracking regex in the PDF parser that could be used for a DoS attack (bsc#1183101).
- CVE-2021-27921, CVE-2021-27922, CVE-2021-27923: Fixed improper reported size of a contained image (bsc#1183110, bsc#1183108, bsc#1183107).
- CVE-2020-35653: Fixed buffer over-read in PcxDecode when decoding a crafted PCX file (bsc#1180834).
- CVE-2021-25287: Fixed out-of-bounds read in J2kDecode in j2ku_graya_la (bsc#1185805).
- CVE-2021-25288: Fixed out-of-bounds read in J2kDecode in j2ku_gray_i (bsc#1185803).
- CVE-2021-28675: Fixed DoS in PsdImagePlugin (bsc#1185804).
- CVE-2021-28678: Fixed improper check in BlpImagePlugin (bsc#1185784).
- CVE-2021-28677: Fixed DoS in the open phase via a malicious EPS file (bsc#1185785).
- CVE-2021-28676: Fixed infinite loop in FliDecode.c (bsc#1185786).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1938=1
- SUSE OpenStack Cloud 9:
    zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1938=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
    python-Pillow-5.2.0-3.8.1
    python-Pillow-debuginfo-5.2.0-3.8.1
    python-Pillow-debugsource-5.2.0-3.8.1
- SUSE OpenStack Cloud 9 (x86_64):
    python-Pillow-5.2.0-3.8.1
    python-Pillow-debuginfo-5.2.0-3.8.1
    python-Pillow-debugsource-5.2.0-3.8.1

References:

https://www.suse.com/security/cve/CVE-2020-35653.html
https://www.suse.com/security/cve/CVE-2020-35655.html
https://www.suse.com/security/cve/CVE-2021-25287.html
https://www.suse.com/security/cve/CVE-2021-25288.html
https://www.suse.com/security/cve/CVE-2021-25290.html
https://www.suse.com/security/cve/CVE-2021-25292.html
https://www.suse.com/security/cve/CVE-2021-25293.html
https://www.suse.com/security/cve/CVE-2021-27921.html
https://www.suse.com/security/cve/CVE-2021-27922.html
https://www.suse.com/security/cve/CVE-2021-27923.html
https://www.suse.com/security/cve/CVE-2021-28675.html
https://www.suse.com/security/cve/CVE-2021-28676.html
https://www.suse.com/security/cve/CVE-2021-28677.html
https://www.suse.com/security/cve/CVE-2021-28678.html
https://bugzilla.suse.com/1180832
https://bugzilla.suse.com/1180834
https://bugzilla.suse.com/1183101
https://bugzilla.suse.com/1183102
https://bugzilla.suse.com/1183105
https://bugzilla.suse.com/1183107
https://bugzilla.suse.com/1183108
https://bugzilla.suse.com/1183110
https://bugzilla.suse.com/1185784
https://bugzilla.suse.com/1185785
https://bugzilla.suse.com/1185786
https://bugzilla.suse.com/1185803
https://bugzilla.suse.com/1185804
https://bugzilla.suse.com/1185805

From sle-security-updates at lists.suse.com Thu Jun 10 13:26:38 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 10 Jun 2021 15:26:38 +0200 (CEST)
Subject: SUSE-SU-2021:1939-1: important: Security update for python-Pillow
Message-ID: <20210610132638.88212FD14@maintenance.suse.de>

SUSE Security Update: Security update for python-Pillow
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1939-1
Rating: important
References: #1180834 #1183101 #1183105 #1183107 #1183108 #1185785 #1185786 #1185803 #1185804 #1185805
Cross-References: CVE-2020-35653 CVE-2021-25287 CVE-2021-25288 CVE-2021-25290 CVE-2021-25292 CVE-2021-27922 CVE-2021-27923 CVE-2021-28675 CVE-2021-28676 CVE-2021-28677
CVSS scores:
    CVE-2020-35653 (NVD) : 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
    CVE-2020-35653 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
    CVE-2021-25288 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
    CVE-2021-25290 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-25292 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
    CVE-2021-27922 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-27923 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-28675 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-28677 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-28677 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
    SUSE OpenStack Cloud Crowbar 8
    SUSE OpenStack Cloud 8
    HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes 10 vulnerabilities is now available.

Description:

This update for python-Pillow fixes the following issues:

- CVE-2021-25292: Fixed a backtracking regex in the PDF parser that could be used for a DoS attack (bsc#1183101).
- CVE-2021-25290: Fixed a negative-offset memcpy with an invalid size in TiffDecode.c (bsc#1183105).
- CVE-2021-27922, CVE-2021-27923: Fixed improper reported size of a contained image (bsc#1183108, bsc#1183107).
- CVE-2020-35653: Fixed buffer over-read in PcxDecode when decoding a crafted PCX file (bsc#1180834).
- CVE-2021-25287: Fixed out-of-bounds read in J2kDecode in j2ku_graya_la (bsc#1185805).
- CVE-2021-25288: Fixed out-of-bounds read in J2kDecode in j2ku_gray_i (bsc#1185803).
- CVE-2021-28675: Fixed DoS in PsdImagePlugin (bsc#1185804).
- CVE-2021-28677: Fixed DoS in the open phase via a malicious EPS file (bsc#1185785).
- CVE-2021-28676: Fixed infinite loop in FliDecode.c (bsc#1185786).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1939=1
- SUSE OpenStack Cloud 8:
    zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1939=1
- HPE Helion Openstack 8:
    zypper in -t patch HPE-Helion-OpenStack-8-2021-1939=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (x86_64):
    python-Pillow-4.2.1-3.14.1
    python-Pillow-debuginfo-4.2.1-3.14.1
    python-Pillow-debugsource-4.2.1-3.14.1
- SUSE OpenStack Cloud 8 (x86_64):
    python-Pillow-4.2.1-3.14.1
    python-Pillow-debuginfo-4.2.1-3.14.1
    python-Pillow-debugsource-4.2.1-3.14.1
- HPE Helion Openstack 8 (x86_64):
    python-Pillow-4.2.1-3.14.1
    python-Pillow-debuginfo-4.2.1-3.14.1
    python-Pillow-debugsource-4.2.1-3.14.1

References:

https://www.suse.com/security/cve/CVE-2020-35653.html
https://www.suse.com/security/cve/CVE-2021-25287.html
https://www.suse.com/security/cve/CVE-2021-25288.html
https://www.suse.com/security/cve/CVE-2021-25290.html
https://www.suse.com/security/cve/CVE-2021-25292.html
https://www.suse.com/security/cve/CVE-2021-27922.html
https://www.suse.com/security/cve/CVE-2021-27923.html
https://www.suse.com/security/cve/CVE-2021-28675.html
https://www.suse.com/security/cve/CVE-2021-28676.html
https://www.suse.com/security/cve/CVE-2021-28677.html
https://bugzilla.suse.com/1180834
https://bugzilla.suse.com/1183101
https://bugzilla.suse.com/1183105
https://bugzilla.suse.com/1183107
https://bugzilla.suse.com/1183108
https://bugzilla.suse.com/1185785
https://bugzilla.suse.com/1185786
https://bugzilla.suse.com/1185803
https://bugzilla.suse.com/1185804
https://bugzilla.suse.com/1185805

From sle-security-updates at lists.suse.com Thu Jun 10 13:30:12 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 10 Jun 2021 15:30:12 +0200 (CEST)
Subject: SUSE-SU-2021:1931-1: important: Security update for ucode-intel
Message-ID: <20210610133012.7842FFD14@maintenance.suse.de>

SUSE Security Update: Security update for ucode-intel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1931-1
Rating: important
References: #1179833 #1179836 #1179837 #1179839
Cross-References: CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513
CVSS scores:
    CVE-2020-24489 (SUSE): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    CVE-2020-24511 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
    CVE-2020-24512 (SUSE): 2.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
    CVE-2020-24513 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected Products:
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise High Performance Computing 15-LTSS
    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for ucode-intel fixes the following issues:

Updated to Intel CPU Microcode 20210608 release.

- CVE-2020-24513: A domain bypass transient execution vulnerability was discovered on some Intel Atom processors that use a micro-architectural incident channel. (INTEL-SA-00465 bsc#1179833)
  See also: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00465.html
- CVE-2020-24511: The IBRS feature to mitigate Spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (INTEL-SA-00464 bsc#1179836)
  See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html
- CVE-2020-24512: Fixed an issue where trivial data value cache-lines, such as all-zero value cache-lines, may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 INTEL-SA-00464)
  See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html
- CVE-2020-24489: Fixed a potential local privilege escalation in Intel VT-d device pass through (INTEL-SA-00442 bsc#1179839)
  See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00442.html

Other fixes:

- Update for functional issues. Refer to [Third Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780) for details.
- Update for functional issues. Refer to [Second Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel Xeon Processor D-1500, D-1500 NS and D-1600 NS Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-d-1500-specification-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E7-8800 and E7-4800 v3 Processor Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e7-v3-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel Core Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel Core Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel Xeon E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
- New platforms:

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CLX-SP | A0 | 06-55-05/b7 | | 03000010 | Xeon Scalable Gen2
| ICX-SP | C0 | 06-6a-05/87 | | 0c0002f0 | Xeon Scalable Gen3
| ICX-SP | D0 | 06-6a-06/87 | | 0d0002a0 | Xeon Scalable Gen3
| SNR | B0 | 06-86-04/01 | | 0b00000f | Atom P59xxB
| SNR | B1 | 06-86-05/01 | | 0b00000f | Atom P59xxB
| TGL | B1 | 06-8c-01/80 | | 00000088 | Core Gen11 Mobile
| TGL-R | C0 | 06-8c-02/c2 | | 00000016 | Core Gen11 Mobile
| TGL-H | R0 | 06-8d-01/c2 | | 0000002c | Core Gen11 Mobile
| EHL | B1 | 06-96-01/01 | | 00000011 | Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E
| JSL | A0/A1 | 06-9c-00/01 | | 0000001d | Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105
| RKL-S | B0 | 06-a7-01/02 | | 00000040 | Core Gen11

- Updated platforms:

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000044 | 00000046 | Core Gen4 X series; Xeon E5 v3
| HSX-EX | E0 | 06-3f-04/80 | 00000016 | 00000019 | Xeon E7 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| BDX-ML | B0/M0/R0 | 06-4f-01/ef | 0b000038 | 0b00003e | Xeon E5/E7 v4; Core i7-69xx/68xx
| SKX-SP | B1 | 06-55-03/97 | 01000159 | 0100015b | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04003006 | 04003102 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05003006 | 05003102 | Xeon Scalable Gen2
| CPX-SP | A1 | 06-55-0b/bf | 0700001e | 07002302 | Xeon Scalable Gen3
| BDX-DE | V2/V3 | 06-56-03/10 | 07000019 | 0700001b | Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
| BDX-DE | Y0 | 06-56-04/10 | 0f000017 | 0f000019 | Xeon D-1557/59/67/71/77/81/87
| BDX-NS | A0 | 06-56-05/10 | 0e00000f | 0e000012 | Xeon D-1513N/23/33/43/53
| APL | D0 | 06-5c-09/03 | 00000040 | 00000044 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 0000001e | 00000020 | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000e2 | 000000ea | Core Gen6; Xeon E3 v5
| DNV | B0 | 06-5f-01/01 | 0000002e | 00000034 | Atom C Series
| GLK | B0 | 06-7a-01/01 | 00000034 | 00000036 | Pentium Silver N/J5xxx, Celeron N/J4xxx
| GKL-R | R0 | 06-7a-08/01 | 00000018 | 0000001a | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 000000a0 | 000000a6 | Core Gen10 Mobile
| LKF | B2/B3 | 06-8a-01/10 | 00000028 | 0000002a | Core w/Hybrid Technology
| AML-Y22 | H0 | 06-8e-09/10 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000de | 000000ea | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000e0 | 000000ea | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000de | 000000ea | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000de | 000000ea | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000de | 000000ea | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000de | 000000ea | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000de | 000000ea | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000de | 000000ea | Core Gen9 Mobile
| CML-H | R1 | 06-a5-02/20 | 000000e0 | 000000ea | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | 000000e0 | 000000ea | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | 000000e0 | 000000ec | Core Gen10
| CML-U62 | A0 | 06-a6-00/80 | 000000e0 | 000000e8 | Core Gen10 Mobile
| CML-U62 V2 | K0 | 06-a6-01/80 | 000000e0 | 000000ea | Core Gen10 Mobile

Special Instructions and Notes:

Please
reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1931=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1931=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1931=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (x86_64):
    ucode-intel-20210525-3.67.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):
    ucode-intel-20210525-3.67.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):
    ucode-intel-20210525-3.67.1

References:

https://www.suse.com/security/cve/CVE-2020-24489.html
https://www.suse.com/security/cve/CVE-2020-24511.html
https://www.suse.com/security/cve/CVE-2020-24512.html
https://www.suse.com/security/cve/CVE-2020-24513.html
https://bugzilla.suse.com/1179833
https://bugzilla.suse.com/1179836
https://bugzilla.suse.com/1179837
https://bugzilla.suse.com/1179839

From sle-security-updates at lists.suse.com Thu Jun 10 13:33:07 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 10 Jun 2021 15:33:07 +0200 (CEST)
Subject: SUSE-SU-2021:1930-1: important: Security update for ucode-intel
Message-ID: <20210610133307.232EBFD14@maintenance.suse.de>

SUSE Security Update: Security update for ucode-intel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1930-1
Rating: important
References: #1179833 #1179836 #1179837 #1179839
Cross-References: CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513
CVSS scores:
    CVE-2020-24489 (SUSE): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    CVE-2020-24511 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
    CVE-2020-24512 (SUSE): 2.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
    CVE-2020-24513 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected Products:
    SUSE OpenStack Cloud Crowbar 9
    SUSE OpenStack Cloud Crowbar 8
    SUSE OpenStack Cloud 9
    SUSE OpenStack Cloud 8
    SUSE Linux Enterprise Server for SAP 12-SP4
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server 12-SP4-LTSS
    SUSE Linux Enterprise Server 12-SP3-LTSS
    SUSE Linux Enterprise Server 12-SP3-BCL
    SUSE Linux Enterprise Server 12-SP2-BCL
    HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for ucode-intel fixes the following issues:

Updated to Intel CPU Microcode 20210608 release.

- CVE-2020-24513: A domain bypass transient execution vulnerability was discovered on some Intel Atom processors that use a micro-architectural incident channel. (INTEL-SA-00465 bsc#1179833)
  See also: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00465.html
- CVE-2020-24511: The IBRS feature to mitigate Spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (INTEL-SA-00464 bsc#1179836)
  See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html
- CVE-2020-24512: Fixed an issue where trivial data value cache-lines, such as all-zero value cache-lines, may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 INTEL-SA-00464)
  See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html
- CVE-2020-24489: Fixed a potential local privilege escalation in Intel VT-d device pass through (INTEL-SA-00442 bsc#1179839)
  See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00442.html

Other fixes:

- Update for functional issues. Refer to [Third Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780) for details.
- Update for functional issues. Refer to [Second Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel Xeon Processor D-1500, D-1500 NS and D-1600 NS Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-d-1500-specification-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E7-8800 and E7-4800 v3 Processor Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e7-v3-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel Core Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel Core Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel Xeon E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
- New platforms:

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CLX-SP | A0 | 06-55-05/b7 | | 03000010 | Xeon Scalable Gen2
| ICX-SP | C0 | 06-6a-05/87 | | 0c0002f0 | Xeon Scalable Gen3
| ICX-SP | D0 | 06-6a-06/87 | | 0d0002a0 | Xeon Scalable Gen3
| SNR | B0 | 06-86-04/01 | | 0b00000f | Atom P59xxB
| SNR | B1 | 06-86-05/01 | | 0b00000f | Atom P59xxB
| TGL | B1 | 06-8c-01/80 | | 00000088 | Core Gen11 Mobile
| TGL-R | C0 | 06-8c-02/c2 | | 00000016 | Core Gen11 Mobile
| TGL-H | R0 | 06-8d-01/c2 | | 0000002c | Core Gen11 Mobile
| EHL | B1 | 06-96-01/01 | | 00000011 | Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E
| JSL | A0/A1 | 06-9c-00/01 | | 0000001d | Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105
| RKL-S | B0 | 06-a7-01/02 | | 00000040 | Core Gen11

- Updated platforms:

| Processor | Stepping | F-M-S/PI | Old Ver | New Ver | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000044 | 00000046 | Core Gen4 X series; Xeon E5 v3
| HSX-EX | E0 | 06-3f-04/80 | 00000016 | 00000019 | Xeon E7 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| BDX-ML | B0/M0/R0 | 06-4f-01/ef | 0b000038 | 0b00003e | Xeon E5/E7 v4; Core i7-69xx/68xx
| SKX-SP | B1 | 06-55-03/97 | 01000159 | 0100015b | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04003006 | 04003102 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05003006 | 05003102 | Xeon Scalable Gen2
| CPX-SP | A1 | 06-55-0b/bf | 0700001e | 07002302 | Xeon Scalable Gen3
| BDX-DE | V2/V3 | 06-56-03/10 | 07000019 | 0700001b | Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
| BDX-DE | Y0 | 06-56-04/10 | 0f000017 | 0f000019 | Xeon D-1557/59/67/71/77/81/87
| BDX-NS | A0 | 06-56-05/10 | 0e00000f | 0e000012 | Xeon D-1513N/23/33/43/53
| APL | D0 | 06-5c-09/03 | 00000040 | 00000044 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 0000001e | 00000020 | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000e2 | 000000ea | Core Gen6; Xeon E3 v5
| DNV | B0 | 06-5f-01/01 | 0000002e | 00000034 | Atom C Series
| GLK | B0 | 06-7a-01/01 | 00000034 | 00000036 | Pentium Silver N/J5xxx, Celeron N/J4xxx
| GKL-R | R0 | 06-7a-08/01 | 00000018 | 0000001a | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 000000a0 | 000000a6 | Core Gen10 Mobile
| LKF | B2/B3 | 06-8a-01/10 | 00000028 | 0000002a | Core w/Hybrid Technology
| AML-Y22 | H0 | 06-8e-09/10 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000de | 000000ea | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000e0 | 000000ea | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000de | 000000ea | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000de | 000000ea | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000de | 000000ea | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000de | 000000ea | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000de | 000000ea | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000de | 000000ea | Core Gen9 Mobile
| CML-H | R1 | 06-a5-02/20 | 000000e0 | 000000ea | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | 000000e0 | 000000ea | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | 000000e0 | 000000ec | Core Gen10
| CML-U62 | A0 | 06-a6-00/80 | 000000e0 | 000000e8 | Core Gen10 Mobile
| CML-U62 V2 | K0 | 06-a6-01/80 | 000000e0 | 000000ea | Core Gen10 Mobile

Special Instructions and Notes:

Please
reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1930=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1930=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1930=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1930=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1930=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1930=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1930=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1930=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1930=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1930=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1930=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): ucode-intel-20210525-13.90.1 ucode-intel-debuginfo-20210525-13.90.1 ucode-intel-debugsource-20210525-13.90.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): ucode-intel-20210525-13.90.1 ucode-intel-debuginfo-20210525-13.90.1 ucode-intel-debugsource-20210525-13.90.1 - SUSE OpenStack Cloud 9 (x86_64): ucode-intel-20210525-13.90.1 ucode-intel-debuginfo-20210525-13.90.1 ucode-intel-debugsource-20210525-13.90.1 - SUSE OpenStack Cloud 8 (x86_64): ucode-intel-20210525-13.90.1 ucode-intel-debuginfo-20210525-13.90.1 ucode-intel-debugsource-20210525-13.90.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64): ucode-intel-20210525-13.90.1 
ucode-intel-debuginfo-20210525-13.90.1 ucode-intel-debugsource-20210525-13.90.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): ucode-intel-20210525-13.90.1 ucode-intel-debuginfo-20210525-13.90.1 ucode-intel-debugsource-20210525-13.90.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (x86_64): ucode-intel-20210525-13.90.1 ucode-intel-debuginfo-20210525-13.90.1 ucode-intel-debugsource-20210525-13.90.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64): ucode-intel-20210525-13.90.1 ucode-intel-debuginfo-20210525-13.90.1 ucode-intel-debugsource-20210525-13.90.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): ucode-intel-20210525-13.90.1 ucode-intel-debuginfo-20210525-13.90.1 ucode-intel-debugsource-20210525-13.90.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): ucode-intel-20210525-13.90.1 ucode-intel-debuginfo-20210525-13.90.1 ucode-intel-debugsource-20210525-13.90.1 - HPE Helion Openstack 8 (x86_64): ucode-intel-20210525-13.90.1 ucode-intel-debuginfo-20210525-13.90.1 ucode-intel-debugsource-20210525-13.90.1 References: https://www.suse.com/security/cve/CVE-2020-24489.html https://www.suse.com/security/cve/CVE-2020-24511.html https://www.suse.com/security/cve/CVE-2020-24512.html https://www.suse.com/security/cve/CVE-2020-24513.html https://bugzilla.suse.com/1179833 https://bugzilla.suse.com/1179836 https://bugzilla.suse.com/1179837 https://bugzilla.suse.com/1179839 From sle-security-updates at lists.suse.com Thu Jun 10 13:36:07 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 10 Jun 2021 15:36:07 +0200 (CEST) Subject: SUSE-SU-2021:1943-1: important: Security update for caribou Message-ID: <20210610133607.65B43FD14@maintenance.suse.de> SUSE Security Update: Security update for caribou ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1943-1 Rating: important References: #1186617 Cross-References: CVE-2021-3567 CVSS scores: CVE-2021-3567 (SUSE): 
7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for caribou fixes the following issues: Security issue fixed: - CVE-2021-3567: Fixed a segfault when attempting to use shifted characters (bsc#1186617). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1943=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1943=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1943=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1943=1 - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2021-1943=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1943=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1943=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1943=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1943=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1943=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1943=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1943=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1943=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1943=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): caribou-common-0.4.21-8.3.1 caribou-debuginfo-0.4.21-8.3.1 caribou-debugsource-0.4.21-8.3.1 libcaribou0-0.4.21-8.3.1 libcaribou0-debuginfo-0.4.21-8.3.1 typelib-1_0-Caribou-1_0-0.4.21-8.3.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): caribou-common-0.4.21-8.3.1 caribou-debuginfo-0.4.21-8.3.1 caribou-debugsource-0.4.21-8.3.1 libcaribou0-0.4.21-8.3.1 libcaribou0-debuginfo-0.4.21-8.3.1 typelib-1_0-Caribou-1_0-0.4.21-8.3.1 - SUSE OpenStack Cloud 9 (x86_64): caribou-common-0.4.21-8.3.1 caribou-debuginfo-0.4.21-8.3.1 
caribou-debugsource-0.4.21-8.3.1 libcaribou0-0.4.21-8.3.1 libcaribou0-debuginfo-0.4.21-8.3.1 typelib-1_0-Caribou-1_0-0.4.21-8.3.1 - SUSE OpenStack Cloud 8 (x86_64): caribou-common-0.4.21-8.3.1 caribou-debuginfo-0.4.21-8.3.1 caribou-debugsource-0.4.21-8.3.1 libcaribou0-0.4.21-8.3.1 libcaribou0-debuginfo-0.4.21-8.3.1 typelib-1_0-Caribou-1_0-0.4.21-8.3.1 - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): caribou-0.4.21-8.3.1 caribou-debuginfo-0.4.21-8.3.1 caribou-debugsource-0.4.21-8.3.1 caribou-gtk-module-common-0.4.21-8.3.1 caribou-gtk2-module-0.4.21-8.3.1 caribou-gtk2-module-debuginfo-0.4.21-8.3.1 caribou-gtk3-module-0.4.21-8.3.1 caribou-gtk3-module-debuginfo-0.4.21-8.3.1 - SUSE Linux Enterprise Workstation Extension 12-SP5 (noarch): caribou-lang-0.4.21-8.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): caribou-debuginfo-0.4.21-8.3.1 caribou-debugsource-0.4.21-8.3.1 caribou-devel-0.4.21-8.3.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): caribou-common-0.4.21-8.3.1 caribou-debuginfo-0.4.21-8.3.1 caribou-debugsource-0.4.21-8.3.1 libcaribou0-0.4.21-8.3.1 libcaribou0-debuginfo-0.4.21-8.3.1 typelib-1_0-Caribou-1_0-0.4.21-8.3.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): caribou-common-0.4.21-8.3.1 caribou-debuginfo-0.4.21-8.3.1 caribou-debugsource-0.4.21-8.3.1 libcaribou0-0.4.21-8.3.1 libcaribou0-debuginfo-0.4.21-8.3.1 typelib-1_0-Caribou-1_0-0.4.21-8.3.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): caribou-common-0.4.21-8.3.1 caribou-debuginfo-0.4.21-8.3.1 caribou-debugsource-0.4.21-8.3.1 libcaribou0-0.4.21-8.3.1 libcaribou0-debuginfo-0.4.21-8.3.1 typelib-1_0-Caribou-1_0-0.4.21-8.3.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): caribou-common-0.4.21-8.3.1 caribou-debuginfo-0.4.21-8.3.1 caribou-debugsource-0.4.21-8.3.1 libcaribou0-0.4.21-8.3.1 libcaribou0-debuginfo-0.4.21-8.3.1 typelib-1_0-Caribou-1_0-0.4.21-8.3.1 - SUSE 
Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): caribou-common-0.4.21-8.3.1 caribou-debuginfo-0.4.21-8.3.1 caribou-debugsource-0.4.21-8.3.1 libcaribou0-0.4.21-8.3.1 libcaribou0-debuginfo-0.4.21-8.3.1 typelib-1_0-Caribou-1_0-0.4.21-8.3.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): caribou-common-0.4.21-8.3.1 caribou-debuginfo-0.4.21-8.3.1 caribou-debugsource-0.4.21-8.3.1 libcaribou0-0.4.21-8.3.1 libcaribou0-debuginfo-0.4.21-8.3.1 typelib-1_0-Caribou-1_0-0.4.21-8.3.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): caribou-common-0.4.21-8.3.1 caribou-debuginfo-0.4.21-8.3.1 caribou-debugsource-0.4.21-8.3.1 libcaribou0-0.4.21-8.3.1 libcaribou0-debuginfo-0.4.21-8.3.1 typelib-1_0-Caribou-1_0-0.4.21-8.3.1 - HPE Helion Openstack 8 (x86_64): caribou-common-0.4.21-8.3.1 caribou-debuginfo-0.4.21-8.3.1 caribou-debugsource-0.4.21-8.3.1 libcaribou0-0.4.21-8.3.1 libcaribou0-debuginfo-0.4.21-8.3.1 typelib-1_0-Caribou-1_0-0.4.21-8.3.1 References: https://www.suse.com/security/cve/CVE-2021-3567.html https://bugzilla.suse.com/1186617 From sle-security-updates at lists.suse.com Thu Jun 10 13:37:32 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 10 Jun 2021 15:37:32 +0200 (CEST) Subject: SUSE-SU-2021:1942-1: important: Security update for qemu Message-ID: <20210610133732.AB298FD14@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1942-1 Rating: important References: #1149813 #1163019 #1175144 #1175534 #1176681 #1178683 #1178935 #1179477 #1179484 #1179686 #1181103 #1182282 #1182425 #1182968 #1182975 #1183373 #1186290 Cross-References: CVE-2019-15890 CVE-2020-14364 CVE-2020-17380 CVE-2020-25085 CVE-2020-25707 CVE-2020-25723 CVE-2020-27821 CVE-2020-29129 CVE-2020-29130 CVE-2020-8608 CVE-2021-20263 CVE-2021-3409 CVE-2021-3416 CVE-2021-3419 CVSS scores: CVE-2019-15890 (SUSE): 5.8 
CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2020-14364 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-14364 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-17380 (NVD) : 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L CVE-2020-17380 (SUSE): 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L CVE-2020-25085 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25085 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25707 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-27821 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-27821 (SUSE): 5.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-29129 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29129 (SUSE): 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-8608 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-8608 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H CVE-2021-20263 (NVD) : 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2021-20263 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2021-3409 (NVD) : 5.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2021-3409 (SUSE): 5.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2021-3416 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2021-3416 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-3419 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP3 ______________________________________________________________________________ An update that solves 14 vulnerabilities 
and has three fixes is now available. Description: This update for qemu fixes the following issues: - Switch method of splitting off hw-s390x-virtio-gpu-ccw.so as a module to what was accepted upstream (bsc#1181103) - Fix OOB access in sdhci interface (CVE-2020-17380, bsc#1175144, CVE-2020-25085, bsc#1176681, CVE-2021-3409, bsc#1182282) - Fix potential privilege escalation in virtiofsd tool (CVE-2021-20263, bsc#1183373) - Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968) - Fix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686) - Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425) - QEMU BIOS fails to read stage2 loader on s390x (bsc#1186290) - For the record, these issues are fixed in this package already. Most are alternate references to previously mentioned issues: (CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019, CVE-2020-14364, bsc#1175534, CVE-2020-25707, bsc#1178683, CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477, CVE-2020-29129, bsc#1179484, CVE-2021-3419, bsc#1182975) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-1942=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1942=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64): qemu-5.2.0-17.1 qemu-block-curl-5.2.0-17.1 qemu-block-curl-debuginfo-5.2.0-17.1 qemu-block-iscsi-5.2.0-17.1 qemu-block-iscsi-debuginfo-5.2.0-17.1 qemu-block-rbd-5.2.0-17.1 qemu-block-rbd-debuginfo-5.2.0-17.1 qemu-block-ssh-5.2.0-17.1 qemu-block-ssh-debuginfo-5.2.0-17.1 qemu-chardev-baum-5.2.0-17.1 qemu-chardev-baum-debuginfo-5.2.0-17.1 qemu-debuginfo-5.2.0-17.1 qemu-debugsource-5.2.0-17.1 qemu-guest-agent-5.2.0-17.1 qemu-guest-agent-debuginfo-5.2.0-17.1 qemu-ksm-5.2.0-17.1 qemu-lang-5.2.0-17.1 qemu-ui-curses-5.2.0-17.1 qemu-ui-curses-debuginfo-5.2.0-17.1 - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le x86_64): qemu-audio-spice-5.2.0-17.1 qemu-audio-spice-debuginfo-5.2.0-17.1 qemu-chardev-spice-5.2.0-17.1 qemu-chardev-spice-debuginfo-5.2.0-17.1 qemu-hw-display-qxl-5.2.0-17.1 qemu-hw-display-qxl-debuginfo-5.2.0-17.1 qemu-hw-display-virtio-vga-5.2.0-17.1 qemu-hw-display-virtio-vga-debuginfo-5.2.0-17.1 qemu-hw-usb-redirect-5.2.0-17.1 qemu-hw-usb-redirect-debuginfo-5.2.0-17.1 qemu-ui-gtk-5.2.0-17.1 qemu-ui-gtk-debuginfo-5.2.0-17.1 qemu-ui-opengl-5.2.0-17.1 qemu-ui-opengl-debuginfo-5.2.0-17.1 qemu-ui-spice-app-5.2.0-17.1 qemu-ui-spice-app-debuginfo-5.2.0-17.1 qemu-ui-spice-core-5.2.0-17.1 qemu-ui-spice-core-debuginfo-5.2.0-17.1 - SUSE Linux Enterprise Module for Server Applications 15-SP3 (s390x x86_64): qemu-hw-display-virtio-gpu-5.2.0-17.1 qemu-hw-display-virtio-gpu-debuginfo-5.2.0-17.1 qemu-hw-display-virtio-gpu-pci-5.2.0-17.1 qemu-hw-display-virtio-gpu-pci-debuginfo-5.2.0-17.1 qemu-kvm-5.2.0-17.1 - SUSE Linux 
Enterprise Module for Server Applications 15-SP3 (ppc64le): qemu-ppc-5.2.0-17.1 qemu-ppc-debuginfo-5.2.0-17.1 - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64): qemu-arm-5.2.0-17.1 qemu-arm-debuginfo-5.2.0-17.1 - SUSE Linux Enterprise Module for Server Applications 15-SP3 (noarch): qemu-ipxe-1.0.0+-17.1 qemu-seabios-1.14.0_0_g155821a-17.1 qemu-sgabios-8-17.1 qemu-skiboot-5.2.0-17.1 qemu-vgabios-1.14.0_0_g155821a-17.1 - SUSE Linux Enterprise Module for Server Applications 15-SP3 (x86_64): qemu-audio-alsa-5.2.0-17.1 qemu-audio-alsa-debuginfo-5.2.0-17.1 qemu-audio-pa-5.2.0-17.1 qemu-audio-pa-debuginfo-5.2.0-17.1 qemu-x86-5.2.0-17.1 qemu-x86-debuginfo-5.2.0-17.1 - SUSE Linux Enterprise Module for Server Applications 15-SP3 (s390x): qemu-hw-s390x-virtio-gpu-ccw-5.2.0-17.1 qemu-hw-s390x-virtio-gpu-ccw-debuginfo-5.2.0-17.1 qemu-s390x-5.2.0-17.1 qemu-s390x-debuginfo-5.2.0-17.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): qemu-debuginfo-5.2.0-17.1 qemu-debugsource-5.2.0-17.1 qemu-tools-5.2.0-17.1 qemu-tools-debuginfo-5.2.0-17.1 References: https://www.suse.com/security/cve/CVE-2019-15890.html https://www.suse.com/security/cve/CVE-2020-14364.html https://www.suse.com/security/cve/CVE-2020-17380.html https://www.suse.com/security/cve/CVE-2020-25085.html https://www.suse.com/security/cve/CVE-2020-25707.html https://www.suse.com/security/cve/CVE-2020-25723.html https://www.suse.com/security/cve/CVE-2020-27821.html https://www.suse.com/security/cve/CVE-2020-29129.html https://www.suse.com/security/cve/CVE-2020-29130.html https://www.suse.com/security/cve/CVE-2020-8608.html https://www.suse.com/security/cve/CVE-2021-20263.html https://www.suse.com/security/cve/CVE-2021-3409.html https://www.suse.com/security/cve/CVE-2021-3416.html https://www.suse.com/security/cve/CVE-2021-3419.html https://bugzilla.suse.com/1149813 https://bugzilla.suse.com/1163019 https://bugzilla.suse.com/1175144 https://bugzilla.suse.com/1175534 
https://bugzilla.suse.com/1176681 https://bugzilla.suse.com/1178683 https://bugzilla.suse.com/1178935 https://bugzilla.suse.com/1179477 https://bugzilla.suse.com/1179484 https://bugzilla.suse.com/1179686 https://bugzilla.suse.com/1181103 https://bugzilla.suse.com/1182282 https://bugzilla.suse.com/1182425 https://bugzilla.suse.com/1182968 https://bugzilla.suse.com/1182975 https://bugzilla.suse.com/1183373 https://bugzilla.suse.com/1186290 From sle-security-updates at lists.suse.com Thu Jun 10 13:40:51 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 10 Jun 2021 15:40:51 +0200 (CEST) Subject: SUSE-SU-2021:1933-1: important: Security update for ucode-intel Message-ID: <20210610134051.9CFCAFD14@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1933-1 Rating: important References: #1179833 #1179836 #1179837 #1179839 Cross-References: CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513 CVSS scores: CVE-2020-24489 (SUSE): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2020-24511 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2020-24512 (SUSE): 2.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N CVE-2020-24513 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for ucode-intel fixes the following issues: Updated to Intel CPU Microcode 20210608 release. - CVE-2020-24513: A domain bypass transient execution vulnerability was discovered on some Intel Atom processors that use a micro-architectural incident channel. 
(INTEL-SA-00465 bsc#1179833) See also: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00465.html
- CVE-2020-24511: The IBRS feature to mitigate Spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (INTEL-SA-00464 bsc#1179836) See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html
- CVE-2020-24512: Fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 INTEL-SA-00464) See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00464.html
- CVE-2020-24489: Fixed Intel VT-d device pass through potential local privilege escalation (INTEL-SA-00442 bsc#1179839) See also https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00442.html

Other fixes:
- Update for functional issues. Refer to [Third Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/637780) for details.
- Update for functional issues. Refer to [Second Generation Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/338848) for details.
- Update for functional issues. Refer to [Intel Xeon Processor Scalable Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/613537) for details.
- Update for functional issues. Refer to [Intel Xeon Processor D-1500, D-1500 NS and D-1600 NS Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-d-1500-specification-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E7-8800 and E7-4800 v3 Processor Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e7-v3-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon Processor E5 v3 Product Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html?wapkw=processor+spec+update+e5) for details.
- Update for functional issues. Refer to [10th Gen Intel Core Processor Families Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/10th-gen-core-families-specification-update.html) for details.
- Update for functional issues. Refer to [8th and 9th Gen Intel Core Processor Family Spec Update](https://www.intel.com/content/www/us/en/products/docs/processors/core/8th-gen-core-spec-update.html) for details.
- Update for functional issues. Refer to [7th Gen and 8th Gen (U Quad-Core) Intel Processor Families Specification Update](https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-spec-update.html) for details.
- Update for functional issues. Refer to [6th Gen Intel Processor Family Specification Update](https://cdrdv2.intel.com/v1/dl/getContent/332689) for details.
- Update for functional issues. Refer to [Intel Xeon E3-1200 v6 Processor Family Specification Update](https://www.intel.com/content/www/us/en/processors/xeon/xeon-e3-1200v6-spec-update.html) for details.
- Update for functional issues. Refer to [Intel Xeon E-2100 and E-2200 Processor Family Specification Update](https://www.intel.com/content/www/us/en/products/docs/processors/xeon/xeon-e-2100-specification-update.html) for details.
- New platforms:

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| CLX-SP | A0 | 06-55-05/b7 | | 03000010 | Xeon Scalable Gen2
| ICX-SP | C0 | 06-6a-05/87 | | 0c0002f0 | Xeon Scalable Gen3
| ICX-SP | D0 | 06-6a-06/87 | | 0d0002a0 | Xeon Scalable Gen3
| SNR | B0 | 06-86-04/01 | | 0b00000f | Atom P59xxB
| SNR | B1 | 06-86-05/01 | | 0b00000f | Atom P59xxB
| TGL | B1 | 06-8c-01/80 | | 00000088 | Core Gen11 Mobile
| TGL-R | C0 | 06-8c-02/c2 | | 00000016 | Core Gen11 Mobile
| TGL-H | R0 | 06-8d-01/c2 | | 0000002c | Core Gen11 Mobile
| EHL | B1 | 06-96-01/01 | | 00000011 | Pentium J6426/N6415, Celeron J6412/J6413/N6210/N6211, Atom x6000E
| JSL | A0/A1 | 06-9c-00/01 | | 0000001d | Pentium N6000/N6005, Celeron N4500/N4505/N5100/N5105
| RKL-S | B0 | 06-a7-01/02 | | 00000040 | Core Gen11

- Updated platforms:

| Processor      | Stepping | F-M-S/PI    | Old Ver  | New Ver  | Products
|:---------------|:---------|:------------|:---------|:---------|:---------
| HSX-E/EP | Cx/M1 | 06-3f-02/6f | 00000044 | 00000046 | Core Gen4 X series; Xeon E5 v3
| HSX-EX | E0 | 06-3f-04/80 | 00000016 | 00000019 | Xeon E7 v3
| SKL-U/Y | D0 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| SKL-U23e | K1 | 06-4e-03/c0 | 000000e2 | 000000ea | Core Gen6 Mobile
| BDX-ML | B0/M0/R0 | 06-4f-01/ef | 0b000038 | 0b00003e | Xeon E5/E7 v4; Core i7-69xx/68xx
| SKX-SP | B1 | 06-55-03/97 | 01000159 | 0100015b | Xeon Scalable
| SKX-SP | H0/M0/U0 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon Scalable
| SKX-D | M1 | 06-55-04/b7 | 02006a0a | 02006b06 | Xeon D-21xx
| CLX-SP | B0 | 06-55-06/bf | 04003006 | 04003102 | Xeon Scalable Gen2
| CLX-SP | B1 | 06-55-07/bf | 05003006 | 05003102 | Xeon Scalable Gen2
| CPX-SP | A1 | 06-55-0b/bf | 0700001e | 07002302 | Xeon Scalable Gen3
| BDX-DE | V2/V3 | 06-56-03/10 | 07000019 | 0700001b | Xeon D-1518/19/21/27/28/31/33/37/41/48, Pentium D1507/08/09/17/19
| BDX-DE | Y0 | 06-56-04/10 | 0f000017 | 0f000019 | Xeon D-1557/59/67/71/77/81/87
| BDX-NS | A0 | 06-56-05/10 | 0e00000f | 0e000012 | Xeon D-1513N/23/33/43/53
| APL | D0 | 06-5c-09/03 | 00000040 | 00000044 | Pentium N/J4xxx, Celeron N/J3xxx, Atom x5/7-E39xx
| APL | E0 | 06-5c-0a/03 | 0000001e | 00000020 | Atom x5-E39xx
| SKL-H/S | R0/N0 | 06-5e-03/36 | 000000e2 | 000000ea | Core Gen6; Xeon E3 v5
| DNV | B0 | 06-5f-01/01 | 0000002e | 00000034 | Atom C Series
| GLK | B0 | 06-7a-01/01 | 00000034 | 00000036 | Pentium Silver N/J5xxx, Celeron N/J4xxx
| GKL-R | R0 | 06-7a-08/01 | 00000018 | 0000001a | Pentium J5040/N5030, Celeron J4125/J4025/N4020/N4120
| ICL-U/Y | D1 | 06-7e-05/80 | 000000a0 | 000000a6 | Core Gen10 Mobile
| LKF | B2/B3 | 06-8a-01/10 | 00000028 | 0000002a | Core w/Hybrid Technology
| AML-Y22 | H0 | 06-8e-09/10 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-U/Y | H0 | 06-8e-09/c0 | 000000de | 000000ea | Core Gen7 Mobile
| CFL-U43e | D0 | 06-8e-0a/c0 | 000000e0 | 000000ea | Core Gen8 Mobile
| WHL-U | W0 | 06-8e-0b/d0 | 000000de | 000000ea | Core Gen8 Mobile
| AML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| CML-Y42 | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen10 Mobile
| WHL-U | V0 | 06-8e-0c/94 | 000000de | 000000ea | Core Gen8 Mobile
| KBL-G/H/S/E3 | B0 | 06-9e-09/2a | 000000de | 000000ea | Core Gen7; Xeon E3 v6
| CFL-H/S/E3 | U0 | 06-9e-0a/22 | 000000de | 000000ea | Core Gen8 Desktop, Mobile, Xeon E
| CFL-S | B0 | 06-9e-0b/02 | 000000de | 000000ea | Core Gen8
| CFL-H/S | P0 | 06-9e-0c/22 | 000000de | 000000ea | Core Gen9
| CFL-H | R0 | 06-9e-0d/22 | 000000de | 000000ea | Core Gen9 Mobile
| CML-H | R1 | 06-a5-02/20 | 000000e0 | 000000ea | Core Gen10 Mobile
| CML-S62 | G1 | 06-a5-03/22 | 000000e0 | 000000ea | Core Gen10
| CML-S102 | Q0 | 06-a5-05/22 | 000000e0 | 000000ec | Core Gen10
| CML-U62 | A0 | 06-a6-00/80 | 000000e0 | 000000e8 | Core Gen10 Mobile
| CML-U62 V2 | K0 | 06-a6-01/80 | 000000e0 | 000000ea | Core Gen10 Mobile

Special Instructions and Notes: Please
reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1933=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1933=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1933=1 Package List: - SUSE MicroOS 5.0 (x86_64): ucode-intel-20210525-7.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64): ucode-intel-20210525-7.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): ucode-intel-20210525-7.1 References: https://www.suse.com/security/cve/CVE-2020-24489.html https://www.suse.com/security/cve/CVE-2020-24511.html https://www.suse.com/security/cve/CVE-2020-24512.html https://www.suse.com/security/cve/CVE-2020-24513.html https://bugzilla.suse.com/1179833 https://bugzilla.suse.com/1179836 https://bugzilla.suse.com/1179837 https://bugzilla.suse.com/1179839 From sle-security-updates at lists.suse.com Thu Jun 10 13:42:26 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 10 Jun 2021 15:42:26 +0200 (CEST) Subject: SUSE-SU-2021:1948-1: important: Security update for djvulibre Message-ID: <20210610134226.1EB91FD07@maintenance.suse.de> SUSE Security Update: Security update for djvulibre ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1948-1 Rating: important References: #1186253 Cross-References: CVE-2021-3500 CVSS scores: CVE-2021-3500 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 SUSE Linux Enterprise 
Module for Desktop Applications 15-SP3 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for djvulibre fixes the following issues: - CVE-2021-3500: Stack overflow in function DJVU:DjVuDocument:get_djvu_file() via crafted djvu file (bsc#1186253) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-1948=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-1948=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-1948=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1948=1 Package List: - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x x86_64): djvulibre-3.5.27-11.6.1 djvulibre-debuginfo-3.5.27-11.6.1 djvulibre-debugsource-3.5.27-11.6.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (aarch64 ppc64le s390x x86_64): djvulibre-3.5.27-11.6.1 djvulibre-debuginfo-3.5.27-11.6.1 djvulibre-debugsource-3.5.27-11.6.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64): djvulibre-debuginfo-3.5.27-11.6.1 djvulibre-debugsource-3.5.27-11.6.1 libdjvulibre-devel-3.5.27-11.6.1 libdjvulibre21-3.5.27-11.6.1 libdjvulibre21-debuginfo-3.5.27-11.6.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): djvulibre-debuginfo-3.5.27-11.6.1 
djvulibre-debugsource-3.5.27-11.6.1 libdjvulibre-devel-3.5.27-11.6.1 libdjvulibre21-3.5.27-11.6.1 libdjvulibre21-debuginfo-3.5.27-11.6.1 References: https://www.suse.com/security/cve/CVE-2021-3500.html https://bugzilla.suse.com/1186253 From sle-security-updates at lists.suse.com Thu Jun 10 13:44:41 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 10 Jun 2021 15:44:41 +0200 (CEST) Subject: SUSE-SU-2021:1940-1: important: Security update for python-Pillow Message-ID: <20210610134441.A9B59FD07@maintenance.suse.de> SUSE Security Update: Security update for python-Pillow ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1940-1 Rating: important References: #1180834 #1183105 #1183107 #1183108 #1185785 #1185786 #1185803 #1185804 #1185805 Cross-References: CVE-2020-35653 CVE-2021-25287 CVE-2021-25288 CVE-2021-25290 CVE-2021-27922 CVE-2021-27923 CVE-2021-28675 CVE-2021-28676 CVE-2021-28677 CVSS scores: CVE-2020-35653 (NVD) : 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H CVE-2020-35653 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVE-2021-25288 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVE-2021-25290 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-27922 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-27923 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28675 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28677 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28677 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud 7 ______________________________________________________________________________ An update that fixes 9 vulnerabilities is now available. 
Description: This update for python-Pillow fixes the following issues: - CVE-2021-25290: Fixed a negative-offset memcpy with an invalid size in TiffDecode.c (bsc#1183105). - CVE-2021-27922,CVE-2021-27923: Fixed improper reported size of a contained image (bsc#1183108,bsc#1183107) - CVE-2020-35653: Fixed buffer over-read in PcxDecode when decoding a crafted PCX file (bsc#1180834). - CVE-2021-25287: Fixed out-of-bounds read in J2kDecode in j2ku_graya_la (bsc#1185805). - CVE-2021-25288: Fixed out-of-bounds read in J2kDecode in j2ku_gray_i (bsc#1185803). - CVE-2021-28675: Fixed DoS in PsdImagePlugin (bsc#1185804). - CVE-2021-28677: Fixed DoS in the open phase via a malicious EPS file (bsc#1185785). - CVE-2021-28676: Fixed infinite loop in FliDecode.c (bsc#1185786). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2021-1940=1 Package List: - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64): python-Pillow-2.8.1-4.22.1 python-Pillow-debuginfo-2.8.1-4.22.1 python-Pillow-debugsource-2.8.1-4.22.1 References: https://www.suse.com/security/cve/CVE-2020-35653.html https://www.suse.com/security/cve/CVE-2021-25287.html https://www.suse.com/security/cve/CVE-2021-25288.html https://www.suse.com/security/cve/CVE-2021-25290.html https://www.suse.com/security/cve/CVE-2021-27922.html https://www.suse.com/security/cve/CVE-2021-27923.html https://www.suse.com/security/cve/CVE-2021-28675.html https://www.suse.com/security/cve/CVE-2021-28676.html https://www.suse.com/security/cve/CVE-2021-28677.html https://bugzilla.suse.com/1180834 https://bugzilla.suse.com/1183105 https://bugzilla.suse.com/1183107 https://bugzilla.suse.com/1183108 https://bugzilla.suse.com/1185785 https://bugzilla.suse.com/1185786 https://bugzilla.suse.com/1185803 https://bugzilla.suse.com/1185804 
https://bugzilla.suse.com/1185805 From sle-security-updates at lists.suse.com Thu Jun 10 13:46:54 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 10 Jun 2021 15:46:54 +0200 (CEST) Subject: SUSE-SU-2021:1947-1: important: Security update for qemu Message-ID: <20210610134654.03C71FD07@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1947-1 Rating: important References: #1149813 #1163019 #1172380 #1172382 #1175534 #1178683 #1178935 #1179477 #1179484 #1182846 #1182975 Cross-References: CVE-2019-15890 CVE-2020-10756 CVE-2020-13754 CVE-2020-14364 CVE-2020-25707 CVE-2020-25723 CVE-2020-29129 CVE-2020-29130 CVE-2020-8608 CVE-2021-20257 CVE-2021-3419 CVSS scores: CVE-2019-15890 (SUSE): 5.8 CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2020-10756 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2020-10756 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2020-13754 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-13754 (SUSE): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L CVE-2020-14364 (NVD) : 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-14364 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-25707 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2020-25723 (NVD) : 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-25723 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2020-29129 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29129 (SUSE): 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-29130 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-8608 (NVD) : 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-8608 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H 
CVE-2021-20257 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2021-3419 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud 9 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server 12-SP4-LTSS ______________________________________________________________________________ An update that fixes 11 vulnerabilities is now available. Description: This update for qemu fixes the following issues: - Fix OOB access during mmio operations (CVE-2020-13754, bsc#1172382) - Fix out-of-bounds read information disclosure in icmp6_send_echoreply (CVE-2020-10756, bsc#1172380) - For the record, these issues are fixed in this package already. Most are alternate references to previously mentioned issues: (CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019, CVE-2020-14364, bsc#1175534, CVE-2020-25707, bsc#1178683, CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477, CVE-2020-29129, bsc#1179484, CVE-2021-20257, bsc#1182846, CVE-2021-3419, bsc#1182975) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1947=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1947=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1947=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1947=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): qemu-2.11.2-5.32.1 qemu-block-curl-2.11.2-5.32.1 qemu-block-curl-debuginfo-2.11.2-5.32.1 qemu-block-iscsi-2.11.2-5.32.1 qemu-block-iscsi-debuginfo-2.11.2-5.32.1 qemu-block-rbd-2.11.2-5.32.1 qemu-block-rbd-debuginfo-2.11.2-5.32.1 qemu-block-ssh-2.11.2-5.32.1 qemu-block-ssh-debuginfo-2.11.2-5.32.1 qemu-debugsource-2.11.2-5.32.1 qemu-guest-agent-2.11.2-5.32.1 qemu-guest-agent-debuginfo-2.11.2-5.32.1 qemu-kvm-2.11.2-5.32.1 qemu-lang-2.11.2-5.32.1 qemu-tools-2.11.2-5.32.1 qemu-tools-debuginfo-2.11.2-5.32.1 qemu-x86-2.11.2-5.32.1 - SUSE OpenStack Cloud Crowbar 9 (noarch): qemu-ipxe-1.0.0+-5.32.1 qemu-seabios-1.11.0_0_g63451fc-5.32.1 qemu-sgabios-8-5.32.1 qemu-vgabios-1.11.0_0_g63451fc-5.32.1 - SUSE OpenStack Cloud 9 (noarch): qemu-ipxe-1.0.0+-5.32.1 qemu-seabios-1.11.0_0_g63451fc-5.32.1 qemu-sgabios-8-5.32.1 qemu-vgabios-1.11.0_0_g63451fc-5.32.1 - SUSE OpenStack Cloud 9 (x86_64): qemu-2.11.2-5.32.1 qemu-block-curl-2.11.2-5.32.1 qemu-block-curl-debuginfo-2.11.2-5.32.1 qemu-block-iscsi-2.11.2-5.32.1 qemu-block-iscsi-debuginfo-2.11.2-5.32.1 qemu-block-rbd-2.11.2-5.32.1 qemu-block-rbd-debuginfo-2.11.2-5.32.1 qemu-block-ssh-2.11.2-5.32.1 qemu-block-ssh-debuginfo-2.11.2-5.32.1 qemu-debugsource-2.11.2-5.32.1 qemu-guest-agent-2.11.2-5.32.1 qemu-guest-agent-debuginfo-2.11.2-5.32.1 qemu-kvm-2.11.2-5.32.1 qemu-lang-2.11.2-5.32.1 qemu-tools-2.11.2-5.32.1 qemu-tools-debuginfo-2.11.2-5.32.1 qemu-x86-2.11.2-5.32.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): qemu-2.11.2-5.32.1 
qemu-block-curl-2.11.2-5.32.1 qemu-block-curl-debuginfo-2.11.2-5.32.1 qemu-block-iscsi-2.11.2-5.32.1 qemu-block-iscsi-debuginfo-2.11.2-5.32.1 qemu-block-ssh-2.11.2-5.32.1 qemu-block-ssh-debuginfo-2.11.2-5.32.1 qemu-debugsource-2.11.2-5.32.1 qemu-guest-agent-2.11.2-5.32.1 qemu-guest-agent-debuginfo-2.11.2-5.32.1 qemu-lang-2.11.2-5.32.1 qemu-tools-2.11.2-5.32.1 qemu-tools-debuginfo-2.11.2-5.32.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le): qemu-ppc-2.11.2-5.32.1 qemu-ppc-debuginfo-2.11.2-5.32.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): qemu-ipxe-1.0.0+-5.32.1 qemu-seabios-1.11.0_0_g63451fc-5.32.1 qemu-sgabios-8-5.32.1 qemu-vgabios-1.11.0_0_g63451fc-5.32.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64): qemu-block-rbd-2.11.2-5.32.1 qemu-block-rbd-debuginfo-2.11.2-5.32.1 qemu-kvm-2.11.2-5.32.1 qemu-x86-2.11.2-5.32.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): qemu-2.11.2-5.32.1 qemu-block-curl-2.11.2-5.32.1 qemu-block-curl-debuginfo-2.11.2-5.32.1 qemu-block-iscsi-2.11.2-5.32.1 qemu-block-iscsi-debuginfo-2.11.2-5.32.1 qemu-block-ssh-2.11.2-5.32.1 qemu-block-ssh-debuginfo-2.11.2-5.32.1 qemu-debugsource-2.11.2-5.32.1 qemu-guest-agent-2.11.2-5.32.1 qemu-guest-agent-debuginfo-2.11.2-5.32.1 qemu-lang-2.11.2-5.32.1 qemu-tools-2.11.2-5.32.1 qemu-tools-debuginfo-2.11.2-5.32.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 x86_64): qemu-block-rbd-2.11.2-5.32.1 qemu-block-rbd-debuginfo-2.11.2-5.32.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64): qemu-kvm-2.11.2-5.32.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64): qemu-arm-2.11.2-5.32.1 qemu-arm-debuginfo-2.11.2-5.32.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (ppc64le): qemu-ppc-2.11.2-5.32.1 qemu-ppc-debuginfo-2.11.2-5.32.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (x86_64): qemu-x86-2.11.2-5.32.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch): qemu-ipxe-1.0.0+-5.32.1 qemu-seabios-1.11.0_0_g63451fc-5.32.1 qemu-sgabios-8-5.32.1 
qemu-vgabios-1.11.0_0_g63451fc-5.32.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x): qemu-s390-2.11.2-5.32.1 qemu-s390-debuginfo-2.11.2-5.32.1 References: https://www.suse.com/security/cve/CVE-2019-15890.html https://www.suse.com/security/cve/CVE-2020-10756.html https://www.suse.com/security/cve/CVE-2020-13754.html https://www.suse.com/security/cve/CVE-2020-14364.html https://www.suse.com/security/cve/CVE-2020-25707.html https://www.suse.com/security/cve/CVE-2020-25723.html https://www.suse.com/security/cve/CVE-2020-29129.html https://www.suse.com/security/cve/CVE-2020-29130.html https://www.suse.com/security/cve/CVE-2020-8608.html https://www.suse.com/security/cve/CVE-2021-20257.html https://www.suse.com/security/cve/CVE-2021-3419.html https://bugzilla.suse.com/1149813 https://bugzilla.suse.com/1163019 https://bugzilla.suse.com/1172380 https://bugzilla.suse.com/1172382 https://bugzilla.suse.com/1175534 https://bugzilla.suse.com/1178683 https://bugzilla.suse.com/1178935 https://bugzilla.suse.com/1179477 https://bugzilla.suse.com/1179484 https://bugzilla.suse.com/1182846 https://bugzilla.suse.com/1182975 From sle-security-updates at lists.suse.com Thu Jun 10 13:50:40 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 10 Jun 2021 15:50:40 +0200 (CEST) Subject: SUSE-SU-2021:1944-1: important: Security update for gstreamer-plugins-bad Message-ID: <20210610135040.4FA5AFD07@maintenance.suse.de> SUSE Security Update: Security update for gstreamer-plugins-bad ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1944-1 Rating: important References: #1181255 Cross-References: CVE-2021-3185 CVSS scores: CVE-2021-3185 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3185 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP3 SUSE Linux Enterprise Module for Basesystem 
15-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for gstreamer-plugins-bad fixes the following issues: - Update to version 1.16.3: - CVE-2021-3185: buffer overflow in gst_h264_slice_parse_dec_ref_pic_marking() (bsc#1181255) - amcvideodec: fix sync meta copying not taking a reference - audiobuffersplit: Perform discont tracking on running time - audiobuffersplit: Specify in the template caps that only interleaved audio is supported - audiobuffersplit: Unset DISCONT flag if not discontinuous - autoconvert: Fix lock-less exchange or free condition - autoconvert: fix compiler warnings with g_atomic on recent GLib versions - avfvideosrc: element requests camera permissions even with capture-screen property is true - codecparsers: h264parser: guard against ref_pic_markings overflow - dtlsconnection: Avoid segmentation fault when no srtp capabilities are negotiated - dtls/connection: fix EOF handling with openssl 1.1.1e - fdkaacdec: add support for mpegversion=2 - hls: Check nettle version to ensure AES128 support - ipcpipeline: Rework compiler checks - interlace: Increment phase_index before checking if we're at the end of the phase - h264parser: Do not allocate too large size of memory for registered user data SEI - ladspa: fix unbounded integer properties - modplug: avoid division by zero - msdkdec: Fix GstMsdkContext leak - msdkenc: fix leaks on windows - musepackdec: Don't fail all queries if no sample rate is known yet - openslessink: Allow openslessink to handle 48kHz streams. 
- opencv: allow compilation against 4.2.x - proxysink: event_function needs to handle the event when it is disconnected from proxysrc - vulkan: Drop use of VK_RESULT_BEGIN_RANGE - wasapi: added missing lock release in case of error in gst_wasapi_xxx_reset - wasapi: Fix possible deadlock while downwards state change - waylandsink: Clear window when pipeline is stopped - webrtc: Support non-trickle ICE candidates in the SDP - webrtc: Unmap all non-binary buffers received via the datachannel Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-1944=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1944=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64): gstreamer-plugins-bad-1.16.3-9.3.1 gstreamer-plugins-bad-chromaprint-1.16.3-9.3.1 gstreamer-plugins-bad-chromaprint-debuginfo-1.16.3-9.3.1 gstreamer-plugins-bad-debuginfo-1.16.3-9.3.1 gstreamer-plugins-bad-debugsource-1.16.3-9.3.1 gstreamer-plugins-bad-devel-1.16.3-9.3.1 libgstadaptivedemux-1_0-0-1.16.3-9.3.1 libgstadaptivedemux-1_0-0-debuginfo-1.16.3-9.3.1 libgstbadaudio-1_0-0-1.16.3-9.3.1 libgstbadaudio-1_0-0-debuginfo-1.16.3-9.3.1 libgstbasecamerabinsrc-1_0-0-1.16.3-9.3.1 libgstbasecamerabinsrc-1_0-0-debuginfo-1.16.3-9.3.1 libgstcodecparsers-1_0-0-1.16.3-9.3.1 libgstcodecparsers-1_0-0-debuginfo-1.16.3-9.3.1 libgstinsertbin-1_0-0-1.16.3-9.3.1 libgstinsertbin-1_0-0-debuginfo-1.16.3-9.3.1 libgstisoff-1_0-0-1.16.3-9.3.1 libgstisoff-1_0-0-debuginfo-1.16.3-9.3.1 libgstmpegts-1_0-0-1.16.3-9.3.1 libgstmpegts-1_0-0-debuginfo-1.16.3-9.3.1 libgstplayer-1_0-0-1.16.3-9.3.1 libgstplayer-1_0-0-debuginfo-1.16.3-9.3.1 
libgstsctp-1_0-0-1.16.3-9.3.1 libgstsctp-1_0-0-debuginfo-1.16.3-9.3.1 libgsturidownloader-1_0-0-1.16.3-9.3.1 libgsturidownloader-1_0-0-debuginfo-1.16.3-9.3.1 libgstwayland-1_0-0-1.16.3-9.3.1 libgstwayland-1_0-0-debuginfo-1.16.3-9.3.1 libgstwebrtc-1_0-0-1.16.3-9.3.1 libgstwebrtc-1_0-0-debuginfo-1.16.3-9.3.1 typelib-1_0-GstInsertBin-1_0-1.16.3-9.3.1 typelib-1_0-GstMpegts-1_0-1.16.3-9.3.1 typelib-1_0-GstPlayer-1_0-1.16.3-9.3.1 typelib-1_0-GstWebRTC-1_0-1.16.3-9.3.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (noarch): gstreamer-plugins-bad-lang-1.16.3-9.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): gstreamer-plugins-bad-debuginfo-1.16.3-9.3.1 gstreamer-plugins-bad-debugsource-1.16.3-9.3.1 libgstphotography-1_0-0-1.16.3-9.3.1 libgstphotography-1_0-0-debuginfo-1.16.3-9.3.1 References: https://www.suse.com/security/cve/CVE-2021-3185.html https://bugzilla.suse.com/1181255 From sle-security-updates at lists.suse.com Thu Jun 10 19:16:53 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 10 Jun 2021 21:16:53 +0200 (CEST) Subject: SUSE-SU-2021:1951-1: important: Security update for salt Message-ID: <20210610191653.18662FD07@maintenance.suse.de> SUSE Security Update: Security update for salt ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1951-1 Rating: important References: #1185281 #1186674 ECO-3212 SLE-18028 SLE-18033 Cross-References: CVE-2021-31607 CVSS scores: CVE-2021-31607 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Transactional Server 15-SP3 SUSE Linux Enterprise Module for Server Applications 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP3 ______________________________________________________________________________ An update that solves one 
vulnerability, contains three features and has one errata is now available. Description: This update for salt fixes the following issues: - Check if dpkgnotify is executable (bsc#1186674) - Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028) - Drop support for Python2. Obsoletes `python2-salt` package (jsc#SLE-18028) - Fix issue parsing errors in ansiblegate state module - Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607) - transactional_update: detect recursion in the executor - Add subpackage `salt-transactional-update` (jsc#SLE-18033) - Remove duplicate directories Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Transactional Server 15-SP3: zypper in -t patch SUSE-SLE-Module-Transactional-Server-15-SP3-2021-1951=1 - SUSE Linux Enterprise Module for Server Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-1951=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1951=1 Package List: - SUSE Linux Enterprise Module for Transactional Server 15-SP3 (aarch64 ppc64le s390x x86_64): salt-transactional-update-3002.2-8.41.8.1 - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64): salt-api-3002.2-8.41.8.1 salt-cloud-3002.2-8.41.8.1 salt-master-3002.2-8.41.8.1 salt-proxy-3002.2-8.41.8.1 salt-ssh-3002.2-8.41.8.1 salt-standalone-formulas-configuration-3002.2-8.41.8.1 salt-syndic-3002.2-8.41.8.1 - SUSE Linux Enterprise Module for Server Applications 15-SP3 (noarch): salt-fish-completion-3002.2-8.41.8.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): python3-salt-3002.2-8.41.8.1 salt-3002.2-8.41.8.1 salt-doc-3002.2-8.41.8.1 salt-minion-3002.2-8.41.8.1 - 
SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch): salt-bash-completion-3002.2-8.41.8.1 salt-zsh-completion-3002.2-8.41.8.1 References: https://www.suse.com/security/cve/CVE-2021-31607.html https://bugzilla.suse.com/1185281 https://bugzilla.suse.com/1186674 From sle-security-updates at lists.suse.com Thu Jun 10 19:20:40 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 10 Jun 2021 21:20:40 +0200 (CEST) Subject: SUSE-SU-2021:1952-1: moderate: Security update for csync2 Message-ID: <20210610192040.05EBAFD07@maintenance.suse.de> SUSE Security Update: Security update for csync2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1952-1 Rating: moderate References: #1147137 #1147139 Cross-References: CVE-2019-15522 CVE-2019-15523 CVSS scores: CVE-2019-15522 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-15522 (SUSE): 7.3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2019-15523 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2019-15523 (SUSE): 2.6 CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N Affected Products: SUSE Linux Enterprise High Availability 12-SP5 SUSE Linux Enterprise High Availability 12-SP4 SUSE Linux Enterprise High Availability 12-SP3 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for csync2 fixes the following issues: - CVE-2019-15522: Fixed an issue where daemon fails to enforce TLS (bsc#1147137) - CVE-2019-15523: Fixed an incorrect TLS handshake error handling (bsc#1147139) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise High Availability 12-SP5: zypper in -t patch SUSE-SLE-HA-12-SP5-2021-1952=1 - SUSE Linux Enterprise High Availability 12-SP4: zypper in -t patch SUSE-SLE-HA-12-SP4-2021-1952=1 - SUSE Linux Enterprise High Availability 12-SP3: zypper in -t patch SUSE-SLE-HA-12-SP3-2021-1952=1 Package List: - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64): csync2-2.0+git.1368794815.cf835a7-3.9.5 csync2-debuginfo-2.0+git.1368794815.cf835a7-3.9.5 csync2-debugsource-2.0+git.1368794815.cf835a7-3.9.5 - SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64): csync2-2.0+git.1368794815.cf835a7-3.9.5 csync2-debuginfo-2.0+git.1368794815.cf835a7-3.9.5 csync2-debugsource-2.0+git.1368794815.cf835a7-3.9.5 - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64): csync2-2.0+git.1368794815.cf835a7-3.9.5 csync2-debuginfo-2.0+git.1368794815.cf835a7-3.9.5 csync2-debugsource-2.0+git.1368794815.cf835a7-3.9.5 References: https://www.suse.com/security/cve/CVE-2019-15522.html https://www.suse.com/security/cve/CVE-2019-15523.html https://bugzilla.suse.com/1147137 https://bugzilla.suse.com/1147139 From sle-security-updates at lists.suse.com Fri Jun 11 13:18:29 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 11 Jun 2021 15:18:29 +0200 (CEST) Subject: SUSE-SU-2021:1954-1: important: Security update for containerd, docker, runc Message-ID: <20210611131829.D4546FD07@maintenance.suse.de> SUSE Security Update: Security update for containerd, docker, runc ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1954-1 Rating: important References: #1168481 #1175081 #1175821 #1181594 #1181641 #1181677 #1181730 #1181732 #1181749 #1182451 #1182476 #1182947 #1183024 #1183855 #1184768 #1184962 #1185405 Cross-References: CVE-2021-21284 CVE-2021-21285 CVE-2021-21334 CVE-2021-30465 
CVSS scores: CVE-2021-21284 (NVD) : 6.8 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N CVE-2021-21284 (SUSE): 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N CVE-2021-21285 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-21285 (SUSE): 5 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVE-2021-21334 (NVD) : 6.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2021-21334 (SUSE): 6.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2021-30465 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-30465 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE MicroOS 5.0 SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Containers 15-SP3 SUSE Linux Enterprise Module for Containers 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 7 SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that solves four vulnerabilities and has 13 fixes is now available. Description: This update for containerd, docker, runc fixes the following issues: Docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594) * Switch version to use -ce suffix rather than _ce to avoid confusing other tools (bsc#1182476). 
* CVE-2021-21284: Fixed a potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732) * CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730). * btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081) runc was updated to v1.0.0~rc93 (bsc#1182451, bsc#1175821 bsc#1184962). * Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821). * Fixed /dev/null is not available (bsc#1168481). * CVE-2021-30465: Fixed a symlink-exchange attack vulnerability (bsc#1185405). containerd was updated to v1.4.4 * CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397). * Handle a requirement from docker (bsc#1181594). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1954=1 - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1954=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1954=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1954=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1954=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1954=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1954=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1954=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1954=1 - SUSE Linux Enterprise Module for Containers 15-SP3: zypper in 
-t patch SUSE-SLE-Module-Containers-15-SP3-2021-1954=1 - SUSE Linux Enterprise Module for Containers 15-SP2: zypper in -t patch SUSE-SLE-Module-Containers-15-SP2-2021-1954=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1954=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1954=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1954=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1954=1 - SUSE Enterprise Storage 7: zypper in -t patch SUSE-Storage-7-2021-1954=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1954=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Manager Server 4.0 (ppc64le s390x x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Manager Server 4.0 (noarch): docker-bash-completion-20.10.6_ce-6.49.3 - SUSE Manager Retail Branch Server 4.0 (noarch): docker-bash-completion-20.10.6_ce-6.49.3 - SUSE Manager Retail Branch Server 4.0 (x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Manager Proxy 4.0 (x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Manager Proxy 4.0 (noarch): docker-bash-completion-20.10.6_ce-6.49.3 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): docker-bash-completion-20.10.6_ce-6.49.3 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Linux Enterprise Server for SAP 15 (noarch): docker-bash-completion-20.10.6_ce-6.49.3 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): docker-bash-completion-20.10.6_ce-6.49.3 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 
docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): docker-bash-completion-20.10.6_ce-6.49.3 - SUSE Linux Enterprise Server 15-LTSS (noarch): docker-bash-completion-20.10.6_ce-6.49.3 - SUSE Linux Enterprise Server 15-LTSS (s390x): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Linux Enterprise Module for Containers 15-SP3 (aarch64 ppc64le s390x x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Linux Enterprise Module for Containers 15-SP3 (noarch): docker-bash-completion-20.10.6_ce-6.49.3 docker-fish-completion-20.10.6_ce-6.49.3 - SUSE Linux Enterprise Module for Containers 15-SP2 (aarch64 ppc64le s390x x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Linux Enterprise Module for Containers 15-SP2 (noarch): docker-bash-completion-20.10.6_ce-6.49.3 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): docker-bash-completion-20.10.6_ce-6.49.3 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): docker-bash-completion-20.10.6_ce-6.49.3 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): docker-bash-completion-20.10.6_ce-6.49.3 - SUSE Linux Enterprise High Performance Computing 
15-LTSS (x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): docker-bash-completion-20.10.6_ce-6.49.3 - SUSE Enterprise Storage 7 (aarch64 x86_64): runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Enterprise Storage 6 (aarch64 x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 - SUSE Enterprise Storage 6 (noarch): docker-bash-completion-20.10.6_ce-6.49.3 - SUSE CaaS Platform 4.0 (noarch): docker-bash-completion-20.10.6_ce-6.49.3 - SUSE CaaS Platform 4.0 (x86_64): containerd-1.4.4-5.32.1 docker-20.10.6_ce-6.49.3 docker-debuginfo-20.10.6_ce-6.49.3 runc-1.0.0~rc93-1.14.2 runc-debuginfo-1.0.0~rc93-1.14.2 References: https://www.suse.com/security/cve/CVE-2021-21284.html https://www.suse.com/security/cve/CVE-2021-21285.html https://www.suse.com/security/cve/CVE-2021-21334.html https://www.suse.com/security/cve/CVE-2021-30465.html https://bugzilla.suse.com/1168481 https://bugzilla.suse.com/1175081 https://bugzilla.suse.com/1175821 https://bugzilla.suse.com/1181594 https://bugzilla.suse.com/1181641 https://bugzilla.suse.com/1181677 https://bugzilla.suse.com/1181730 https://bugzilla.suse.com/1181732 https://bugzilla.suse.com/1181749 https://bugzilla.suse.com/1182451 https://bugzilla.suse.com/1182476 https://bugzilla.suse.com/1182947 https://bugzilla.suse.com/1183024 https://bugzilla.suse.com/1183855 https://bugzilla.suse.com/1184768 https://bugzilla.suse.com/1184962 https://bugzilla.suse.com/1185405 From sle-security-updates at lists.suse.com Fri Jun 11 13:33:01 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at 
lists.suse.com) Date: Fri, 11 Jun 2021 15:33:01 +0200 (CEST) Subject: SUSE-IU-2021:537-1: Security update of suse-sles-15-sp2-chost-byos-v20210610-hvm-ssd-x86_64 Message-ID: <20210611133301.F0DF0B46F0D@westernhagen.suse.de> SUSE Image Update Advisory: suse-sles-15-sp2-chost-byos-v20210610-hvm-ssd-x86_64 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2021:537-1 Image Tags : suse-sles-15-sp2-chost-byos-v20210610-hvm-ssd-x86_64:20210610 Image Release : Severity : important Type : security References : 1021918 1029961 1043990 1055117 1065729 1080040 1087082 1089870 1106014 1115550 1133021 1152457 1152457 1152489 1152489 1153687 1155518 1156395 1156395 1162964 1164648 1167260 1168838 1168894 1169122 1169348 1170092 1170094 1170858 1174162 1174416 1174426 1176370 1177666 1178089 1178378 1178418 1178491 1178577 1178612 1178624 1178675 1179243 1179519 1179805 1179825 1179827 1179851 1179851 1180478 1180846 1180851 1180851 1181161 1181351 1181443 1181540 1181610 1181651 1181679 1181874 1181874 1181911 1182016 1182257 1182372 1182378 1182613 1182904 1182936 1182936 1182950 1182999 1183063 1183194 1183194 1183203 1183268 1183289 1183346 1183374 1183589 1183628 1183628 1183732 1183797 1183826 1183868 1183873 1183932 1183947 1183976 1184081 1184082 1184208 1184209 1184259 1184326 1184358 1184399 1184400 1184435 1184436 1184505 1184507 1184514 1184611 1184614 1184650 1184687 1184724 1184728 1184730 1184731 1184736 1184737 1184738 1184740 1184741 1184742 1184760 1184811 1184829 1184855 1184893 1184912 1184934 1184942 1184957 1184969 1184984 1184997 1184997 1184997 1185041 1185113 1185163 1185170 1185190 1185233 1185239 1185239 1185244 1185269 1185277 1185325 1185365 1185408 1185409 1185410 1185417 1185428 1185438 1185454 1185472 1185491 1185495 1185497 1185549 1185562 1185580 1185586 1185587 1185589 1185606 1185642 1185645 1185677 1185680 1185698 1185703 1185725 1185758 1185859 1185860 1185861 1185862 1185863 1185898 1185899 1185910 
1185911 1185938 1185950 1185982 1185987 1185988 1186015 1186060 1186061 1186062 1186111 1186114 1186285 1186320 1186382 1186390 1186416 1186439 1186441 1186451 1186460 1186479 1186484 1186498 1186501 1186573 1186673 1186681 CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2020-29651 CVE-2021-22898 CVE-2021-23134 CVE-2021-25217 CVE-2021-29155 CVE-2021-29650 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVE-2021-3426 CVE-2021-3491 CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 CVE-2021-3541 ----------------------------------------------------------------- The container suse-sles-15-sp2-chost-byos-v20210610-hvm-ssd-x86_64 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1543-1 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Type: recommended Severity: moderate References: 1184435 This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1544-1 Released: Fri May 7 16:34:41 2021 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1180851,1181874,1182936,1183628,1184997,1185239 This update for libzypp fixes the following issues: Upgrade from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. 
(bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1549-1
Released: Mon May 10 13:48:00 2021
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1185417

This update for procps fixes the following issues:

- Support up to 2048 CPU as well. (bsc#1185417)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1557-1
Released: Tue May 11 09:50:00 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1183374,CVE-2021-3426

This update for python3 fixes the following issues:

- CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1565-1
Released: Tue May 11 14:20:04 2021
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1185163

This update for krb5 fixes the following issues:

- Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163);

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1566-1
Released: Wed May 12 09:39:16 2021
Summary: Recommended update for chrony
Type: recommended
Severity: moderate
References: 1162964,1184400

This update for chrony fixes the following issues:

- Fix build with glibc-2.31 (bsc#1162964)
- Use /run instead of /var/run for PIDFile in chronyd.service (bsc#1184400)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1574-1
Released: Wed May 12 12:04:51 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1043990,1055117,1065729,1152457,1152489,1156395,1167260,1168838,1174416,1174426,1178089,1179243,1179851,1180846,1181161,1182613,1183063,1183203,1183289,1184208,1184209,1184436,1184514,1184650,1184724,1184728,1184730,1184731,1184736,1184737,1184738,1184740,1184741,1184742,1184760,1184811,1184893,1184934,1184942,1184957,1184969,1184984,1185041,1185113,1185233,1185244,1185269,1185365,1185454,1185472,1185491,1185549,1185586,1185587,CVE-2021-29155,CVE-2021-29650

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-29650: Fixed an issue with the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
- CVE-2021-29155: Fixed an issue that was discovered in kernel/bpf/verifier.c that performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation was not correctly accounted for when restricting subsequent operations (bnc#1184942).

The following non-security bugs were fixed: - ACPI: CPPC: Replace cppc_attr with kobj_attribute (git-fixes). - ALSA: core: remove redundant spin_lock pair in snd_card_disconnect (git-fixes). - ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer (git-fixes). - ALSA: hda/cirrus: Add error handling into CS8409 I2C functions (git-fixes). - ALSA: hda/cirrus: Add Headphone and Headset MIC Volume Control (git-fixes). - ALSA: hda/cirrus: Add jack detect interrupt support from CS42L42 companion codec (git-fixes). - ALSA: hda/cirrus: Add support for CS8409 HDA bridge and CS42L42 companion codec (git-fixes). - ALSA: hda/cirrus: Cleanup patch_cirrus.c code (git-fixes). - ALSA: hda/cirrus: Fix CS42L42 Headset Mic volume control name (git-fixes). - ALSA: hda/cirrus: Make CS8409 driver more generic by using fixups (git-fixes). - ALSA: hda/cirrus: Set Initial DMIC volume for Bullseye to -26 dB (git-fixes). - ALSA: hda/cirrus: Use CS8409 filter to fix abnormal sounds on Bullseye (git-fixes). - ALSA: hda/realtek: Add quirk for Intel Clevo PCx0Dx (git-fixes). - ALSA: hda/realtek: fix mic boost on Intel NUC 8 (git-fixes). - ALSA: hda/realtek: fix static noise on ALC285 Lenovo laptops (git-fixes). - ALSA: hda/realtek: GA503 use same quirks as GA401 (git-fixes). - ALSA: hda/realtek - Headset Mic issue on HP platform (git-fixes). - ALSA: hda/realtek: Remove redundant entry for ALC861 Haier/Uniwill devices (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Acer quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 ASUS quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Dell quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 HP quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Sony quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC662 quirk table entries (git-fixes). 
- ALSA: hda/realtek: Re-order ALC882 Acer quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC882 Clevo quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order remaining ALC269 quirk table entries (git-fixes). - ALSA: sb: Fix two use after free in snd_sb_qsound_build (git-fixes). - ALSA: usb-audio: Add DJM450 to Pioneer format quirk (git-fixes). - ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls (git-fixes). - ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX (git-fixes). - ALSA: usb-audio: Configure Pioneer DJM-850 samplerate (git-fixes). - ALSA: usb-audio: DJM-750: ensure format is set (git-fixes). - ALSA: usb-audio: Explicitly set up the clock selector (git-fixes). - ALSA: usb-audio: Fix implicit sync clearance at stopping stream (git-fixes). - ALSA: usb-audio: Fix Pioneer DJM devices URB_CONTROL request direction to set samplerate (git-fixes). - ALSA: usb: midi: do not return -ENOMEM when usb_urb_ep_type_check fails (git-fixes). - arm: dts: add imx7d pcf2127 fix to blacklist - ASoC: ak5558: correct reset polarity (git-fixes). - ASoC: ak5558: Fix s/show/slow/ typo (git-fixes). - ASoC: Intel: kbl_da7219_max98927: Fix kabylake_ssp_fixup function (git-fixes). - ASoC: samsung: tm2_wm5110: check of of_parse return value (git-fixes). - ASoC: simple-card: fix possible uninitialized single_cpu local variable (git-fixes). - ASoC: SOF: Intel: HDA: fix core status verification (git-fixes). - ASoC: SOF: Intel: hda: remove unnecessary parentheses (git-fixes). - ata: libahci_platform: fix IRQ check (git-fixes). - ath10k: Fix ath10k_wmi_tlv_op_pull_peer_stats_info() unlock without lock (git-fixes). - ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices (git-fixes). - backlight: journada720: Fix Wmisleading-indentation warning (git-fixes). - blkcg: fix memleak for iolatency (git-fixes). 
- block, bfq: set next_rq to waker_bfqq->next_rq in waker injection (bsc#1168838). - block: recalculate segment count for multi-segment discards correctly (bsc#1184724). - block: rsxx: select CONFIG_CRC32 (git-fixes). - bluetooth: eliminate the potential race condition when removing the HCI controller (git-fixes). - bnxt_en: reverse order of TX disable and carrier off (git-fixes). - bsg: free the request before return error code (git-fixes). - btrfs: fix qgroup data rsv leak caused by falloc failure (bsc#1185549). - btrfs: fix race between swap file activation and snapshot creation (bsc#1185587). - btrfs: fix race between writes to swap files and scrub (bsc#1185586). - btrfs: track qgroup released data in own variable in insert_prealloc_file_extent (bsc#1185549). - bus: qcom: Put child node before return (git-fixes). - cfg80211: remove WARN_ON() in cfg80211_sme_connect (git-fixes). - clk: exynos7: Mark aclk_fsys1_200 as critical (git-fixes). - clk: mvebu: armada-37xx-periph: Fix switching CPU freq from 250 Mhz to 1 GHz (git-fixes). - clk: mvebu: armada-37xx-periph: Fix workaround for switching from L1 to L0 (git-fixes). - clk: mvebu: armada-37xx-periph: remove .set_parent method for CPU PM clock (git-fixes). - clk: qcom: a53-pll: Add missing MODULE_DEVICE_TABLE (git-fixes). - clk: uniphier: Fix potential infinite loop (git-fixes). - clk: zynqmp: move zynqmp_pll_set_mode out of round_rate callback (git-fixes). - coresight: etm4x: Fix issues on trcseqevr access (git-fixes). - coresight: etm4x: Fix save and restore of TRCVMIDCCTLR1 register (git-fixes). - coresight: tmc-etr: Fix barrier packet insertion for perf buffer (git-fixes). - cpufreq: armada-37xx: Fix determining base CPU frequency (git-fixes). - cpufreq: armada-37xx: Fix driver cleanup when registration failed (git-fixes). - cpufreq: armada-37xx: Fix setting TBG parent for load levels (git-fixes). - cpufreq: armada-37xx: Fix the AVS value for load L1 (git-fixes). 
- cpufreq: Kconfig: fix documentation links (git-fixes). - crypto: arm/curve25519 - Move '.fpu' after '.arch' (git-fixes). - crypto: rng - fix crypto_rng_reset() refcounting when !CRYPTO_STATS (git-fixes). - cxgb4: avoid collecting SGE_QBASE regs during traffic (git-fixes). - cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (git-fixes). - dmaengine: dw: Make it dependent to HAS_IOMEM (git-fixes). - dm: eliminate potential source of excessive kernel log noise (git-fixes). - dm era: Fix bitset memory leaks (git-fixes). - dm era: only resize metadata in preresume (git-fixes). - dm era: Recover committed writeset after crash (git-fixes). - dm era: Reinitialize bitset cache before digesting a new writeset (git-fixes). - dm era: Use correct value size in equality function of writeset tree (git-fixes). - dm era: Verify the data block size hasn't changed (git-fixes). - dm: fix bug with RCU locking in dm_blk_report_zones (git-fixes). - dm integrity: fix error reporting in bitmap mode after creation (git-fixes). - dm ioctl: fix error return code in target_message (git-fixes). - dm mpath: fix racey management of PG initialization (git-fixes). - dm raid: fix discard limits for raid1 (git-fixes). - dm: remove invalid sparse __acquires and __releases annotations (git-fixes). - dm writecache: fix the maximum number of arguments (git-fixes). - dm writecache: handle DAX to partitions on persistent memory correctly (git-fixes). - dm writecache: remove BUG() and fail gracefully instead (git-fixes). - dm zoned: select CONFIG_CRC32 (git-fixes). - dpaa_eth: copy timestamp fields to new skb in A-050385 workaround (git-fixes). - dpaa_eth: fix the RX headroom size alignment (git-fixes). - dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom (git-fixes). - dpaa_eth: Use random MAC address when none is given (bsc#1184811). - drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' (git-fixes). 
- drm/amdkfd: fix build error with AMD_IOMMU_V2=m (git-fixes). - drm/ast: Add 25MHz refclk support (bsc#1174416). - drm/ast: Add support for 1152x864 mode (bsc#1174416). - drm/ast: Add support for AIP200 (bsc#1174416). - drm/ast: AST2500 fixups (bsc#1174416). - drm/ast: Correct mode table for AST2500 precatch (bsc#1174416). - drm/ast: Disable screen on register init (bsc#1174416). - drm/ast: Disable VGA decoding while driver is active (bsc#1174416). - drm/ast: drm/ast: Fix boot address for AST2500 (bsc#1174416). - drm/ast: Fix P2A config detection (bsc#1174416). - drm/ast: Fix register access in non-P2A mode for DP501 (bsc#1174416). - drm/ast: Keep MISC fields when enabling VGA (bsc#1174416). - drm/i915/gvt: Fix error code in intel_gvt_init_device() (git-fixes). - drm/imx: imx-ldb: fix out of bounds array access warning (git-fixes). - drm/msm: Fix a5xx/a6xx timestamps (git-fixes). - drm/omap: fix misleading indentation in pixinc() (git-fixes). - drm/radeon: fix copy of uninitialized variable back to userspace (git-fixes). - drm/tegra: dc: Do not set PLL clock to 0Hz (git-fixes). - e1000e: add rtnl_lock() to e1000_reset_task (git-fixes). - e1000e: Fix duplicate include guard (git-fixes). - e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 (git-fixes). - enetc: Let the hardware auto-advance the taprio base-time of 0 (git-fixes). - enetc: Workaround for MDIO register access issue (git-fixes). - ethernet/netronome/nfp: Fix a use after free in nfp_bpf_ctrl_msg_rx (git-fixes). - ext4: do not try to set xattr into ea_inode if value is empty (bsc#1184730). - ext4: find old entry again if failed to rename whiteout (bsc#1184742). - ext4: fix potential error in ext4_do_update_inode (bsc#1184731). - ext4: fix potential htree index checksum corruption (bsc#1184728). - firmware: qcom-scm: Fix QCOM_SCM configuration (git-fixes). - fnic: use scsi_host_busy_iter() to traverse commands (bsc#1179851). - fotg210-udc: Complete OUT requests on short packets (git-fixes). 
- fotg210-udc: Do not DMA more than the buffer can take (git-fixes). - fotg210-udc: Fix DMA on EP0 for length > max packet size (git-fixes). - fotg210-udc: Fix EP0 IN requests bigger than two packets (git-fixes). - fotg210-udc: Mask GRP2 interrupts we do not handle (git-fixes). - fotg210-udc: Remove a dubious condition leading to fotg210_done (git-fixes). - fs: direct-io: fix missing sdio->boundary (bsc#1184736). - fs/jfs: fix potential integer overflow on shift of a int (bsc#1184741). - fsl/fman: reuse set_mac_address() in dtsec init() (bsc#1184811). - fsl/fman: tolerate missing MAC address in device tree (bsc#1184811). - gpio: omap: Save and restore sysconfig (git-fixes). - gpio: sysfs: Obey valid_mask (git-fixes). - HID: alps: fix error return code in alps_input_configured() (git-fixes). - HID: google: add don USB id (git-fixes). - HID: plantronics: Workaround for double volume key presses (git-fixes). - HID: wacom: Assign boolean values to a bool variable (git-fixes). - HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices (git-fixes). - i2c: cadence: add IRQ check (git-fixes). - i2c: emev2: add IRQ check (git-fixes). - i2c: img-scb: fix reference leak when pm_runtime_get_sync fails (git-fixes). - i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails (git-fixes). - i2c: jz4780: add IRQ check (git-fixes). - i2c: omap: fix reference leak when pm_runtime_get_sync fails (git-fixes). - i2c: sh7760: add IRQ check (git-fixes). - i2c: sh7760: fix IRQ error path (git-fixes). - i2c: sprd: fix reference leak when pm_runtime_get_sync fails (git-fixes). - i40e: Added Asym_Pause to supported link modes (git-fixes). - i40e: Add zero-initialization of AQ command structures (git-fixes). - i40e: Fix addition of RX filters after enabling FW LLDP agent (git-fixes). - i40e: Fix add TC filter for IPv6 (git-fixes). - i40e: Fix display statistics for veb_tc (git-fixes). - i40e: Fix endianness conversions (git-fixes). 
- i40e: Fix flow for IPv6 next header (extension header) (git-fixes). - i40e: Fix kernel oops when i40e driver removes VF's (git-fixes). - i40e: Fix overwriting flow control settings during driver loading (git-fixes). - i40e: Fix sparse errors in i40e_txrx.c (git-fixes). - i40e: Fix sparse warning: missing error code 'err' (git-fixes). - i40e: fix the panic when running bpf in xdpdrv mode (git-fixes). - ibmvnic: avoid calling napi_disable() twice (bsc#1065729). - ibmvnic: clean up the remaining debugfs data structures (bsc#1065729). - ibmvnic: correctly use dev_consume/free_skb_irq (jsc#SLE-17268 jsc#SLE-17043 bsc#1179243 ltc#189290 git-fixes). - ibmvnic: improve failover sysfs entry (bsc#1043990 ltc#155681 git-fixes). - ibmvnic: print adapter state as a string (bsc#1152457 ltc#174432 git-fixes). - ibmvnic: print reset reason as a string (bsc#1152457 ltc#174432 git-fixes). - ibmvnic: queue reset work in system_long_wq (bsc#1152457 ltc#174432 git-fixes). - ibmvnic: remove duplicate napi_schedule call in do_reset function (bsc#1065729). - ibmvnic: remove duplicate napi_schedule call in open function (bsc#1065729). - ice: Account for port VLAN in VF max packet size calculation (git-fixes). - ice: Cleanup fltr list in case of allocation issues (git-fixes). - ice: Fix for dereference of NULL pointer (git-fixes). - ice: Increase control queue timeout (git-fixes). - ice: prevent ice_open and ice_stop during reset (git-fixes). - igb: check timestamp validity (git-fixes). - igb: Fix duplicate include guard (git-fixes). - igc: Fix Pause Frame Advertising (git-fixes). - igc: Fix Supported Pause Frame Link Setting (git-fixes). - igc: reinit_locked() should be called with rtnl_lock (git-fixes). - iio:accel:adis16201: Fix wrong axis assignment that prevents loading (git-fixes). - ima: Free IMA measurement buffer after kexec syscall (git-fixes). - Input: i8042 - fix Pegatron C15B ID entry (git-fixes). - Input: nspire-keypad - enable interrupts only when opened (git-fixes). 
- Input: s6sy761 - fix coordinate read bit shift (git-fixes). - interconnect: core: fix error return code of icc_link_destroy() (git-fixes). - iopoll: introduce read_poll_timeout macro (git-fixes). - ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() (git-fixes). - irqchip: Add support for Layerscape external interrupt lines (bsc#1185233). - irqchip/ls-extirq: add IRQCHIP_SKIP_SET_WAKE to the irqchip flags (bsc#1185233). - irqchip/ls-extirq: Add LS1043A, LS1088A external interrupt support (bsc#1185233). - isofs: release buffer head before return (bsc#1182613). - ixgbe: fail to create xfrm offload of IPsec tunnel mode SA (git-fixes). - jffs2: fix use after free in jffs2_sum_write_data() (bsc#1184740). - kABI: cover up change in struct kvm_arch (bsc#1184969). - kABI: Fix kABI caused by fixes for bsc#1174426 (bsc#1174426). - kABI: powerpc/pseries: Add shutdown() to vio_driver and vio_bus (bsc#1184209 ltc#190917). - kernel/smp: make csdlock timeout depend on boot parameter (bsc#1180846). - KVM: kvmclock: Fix vCPUs > 64 can't be online/hotpluged (bsc#1152489). - KVM: PPC: Book3S HV P9: Restore host CTRL SPR after guest exit (bsc#1156395). - KVM: PPC: Make the VMX instruction emulation routines static (bsc#1156395). - libnvdimm/label: Return -ENXIO for no slot in __blk_label_update (bsc#1185269). - libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels (bsc#1185269). - libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC (bsc#1184969 git-fixes). - libnvdimm/security: ensure sysfs poll thread woke up and fetch updated attr (git-fixes). - liquidio: Fix unintented sign extension of a left shift of a u16 (git-fixes). - locking/qrwlock: Fix ordering in queued_write_lock_slowpath() (bsc#1185041). - mac80211: bail out if cipher schemes are invalid (git-fixes). - mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN (git-fixes). - macvlan: macvlan_count_rx() needs to be aware of preemption (git-fixes). 
- media: dvbdev: Fix memory leak in dvb_media_device_free() (git-fixes). - media: m88rs6000t: avoid potential out-of-bounds reads on arrays (git-fixes). - media: mantis: remove orphan mantis_core.c (git-fixes). - media: omap4iss: return error code when omap4iss_get() failed (git-fixes). - media: platform: sunxi: sun6i-csi: fix error return code of sun6i_video_start_streaming() (git-fixes). - media: staging/intel-ipu3: Fix memory leak in imu_fmt (git-fixes). - media: staging/intel-ipu3: Fix race condition during set_fmt (git-fixes). - media: staging/intel-ipu3: Fix set_fmt error handling (git-fixes). - media: v4l2-ctrls.c: fix race condition in hdl->requests list (git-fixes). - memory: gpmc: fix out of bounds read and dereference on gpmc_cs[] (git-fixes). - memory: pl353: fix mask of ECC page_size config register (git-fixes). - mfd: lpc_sch: Partially revert 'Add support for Intel Quark X1000' (git-fixes). - mfd: stm32-timers: Avoid clearing auto reload register (git-fixes). - misc: lis3lv02d: Fix false-positive WARN on various HP models (git-fixes). - misc: vmw_vmci: explicitly initialize vmci_datagram payload (git-fixes). - misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct (git-fixes). - mmc: core: Correct descriptions in mmc_of_parse() (git-fixes). - mmc: cqhci: Add cqhci_deactivate() (git-fixes). - mmc: mmc_spi: Drop unused NO_IRQ definition (git-fixes). - mmc: sdhci-of-arasan: Add missed checks for devm_clk_register() (git-fixes). - mmc: sdhci-of-dwcmshc: fix rpmb access (git-fixes). - mmc: sdhci-of-dwcmshc: implement specific set_uhs_signaling (git-fixes). - mmc: sdhci-of-esdhc: make sure delay chain locked for HS400 (git-fixes). - mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes). - mmc: sdhci-pci: Fix SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers (git-fixes). - mmc: sdhci: Use Auto CMD Auto Select only when v4_mode is true (git-fixes). 
- mmc: uniphier-sd: Fix an error handling path in uniphier_sd_probe() (git-fixes). - mmc: uniphier-sd: Fix a resource leak in the remove function (git-fixes). - mm/rmap: fix potential pte_unmap on an not mapped pte (git-fixes). - Move upstreamed i915 fix into sorted section - mt7601u: fix always true expression (git-fixes). - mtd: Handle possible -EPROBE_DEFER from parse_mtd_partitions() (git-fixes). - mtd: rawnand: brcmnand: fix OOB R/W with Hamming ECC (git-fixes). - mtd: rawnand: fsmc: Fix error code in fsmc_nand_probe() (git-fixes). - mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init (git-fixes). - mtd: rawnand: qcom: Return actual error code instead of -ENODEV (git-fixes). - mtd: require write permissions for locking and badblock ioctls (git-fixes). - mtd: spinand: core: add missing MODULE_DEVICE_TABLE() (git-fixes). - mtd: spi-nor: Rename 'n25q512a' to 'mt25qu512a (n25q512a)' (bsc#1167260). - mtd: spi-nor: Split mt25qu512a (n25q512a) entry into two (bsc#1167260). - nbd: fix a block_device refcount leak in nbd_release (git-fixes). - net: atlantic: fix out of range usage of active_vlans array (git-fixes). - net: atlantic: fix potential error handling (git-fixes). - net: atlantic: fix use after free kasan warn (git-fixes). - net: dsa: felix: implement port flushing on .phylink_mac_link_down (git-fixes). - net: enetc: remove bogus write to SIRXIDR from enetc_setup_rxbdr (git-fixes). - net: enetc: take the MDIO lock only once per NAPI poll cycle (git-fixes). - net: geneve: check skb is large enough for IPv4/IPv6 header (git-fixes). - net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb (git-fixes). - net: hns3: clear VF down state bit before request link status (git-fixes). - net: hns3: fix bug when calculating the TCAM table info (git-fixes). - net: hns3: fix query vlan mask value error for flow director (git-fixes). - net: hns3: Remove un-necessary 'else-if' in the hclge_reset_event() (git-fixes). 
- net: ll_temac: Add more error handling of dma_map_single() calls (git-fixes). - net: ll_temac: Fix race condition causing TX hang (git-fixes). - net: ll_temac: Fix RX buffer descriptor handling on GFP_ATOMIC pressure (git-fixes). - net: ll_temac: Handle DMA halt condition caused by buffer underrun (git-fixes). - net/mlx4_core: Add missed mlx4_free_cmd_mailbox() (git-fixes). - net/mlx5: Do not request more than supported EQs (git-fixes). - net/mlx5e: Do not match on Geneve options in case option masks are all zero (git-fixes). - net/mlx5e: Fix error path for ethtool set-priv-flag (git-fixes). - net/mlx5e: Fix ethtool indication of connector type (git-fixes). - net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta (jsc#SLE-8464). - net:nfc:digital: Fix a double free in digital_tg_recv_dep_req (git-fixes). - net: phy: intel-xway: enable integrated led functions (git-fixes). - net: phy: marvell: fix m88e1011_set_downshift (git-fixes). - net: phy: marvell: fix m88e1111_set_downshift (git-fixes). - net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template (git-fixes). - net: smc911x: Adjust indentation in smc911x_phy_configure (git-fixes). - net: stmmac: fix missing IFF_MULTICAST check in dwmac4_set_filter (git-fixes). - net: stmmac: xgmac: fix missing IFF_MULTICAST checki in dwxgmac2_set_filter (git-fixes). - net: tulip: Adjust indentation in {dmfe, uli526x}_init_module (git-fixes). - nfc: pn533: prevent potential memory corruption (git-fixes). - nfp: flower: ignore duplicate merge hints from FW (git-fixes). - node: fix device cleanups in error handling code (git-fixes). - null_blk: fix passing of REQ_FUA flag in null_handle_rq (git-fixes). - nvme-fabrics: reject I/O to offline device (bsc#1181161). - nvme-tcp: fix possible hang when failing to set io queues (bsc#1181161). - ocfs2: fix a use after free on error (bsc#1184738). - pata_arasan_cf: fix IRQ check (git-fixes). - pata_ipx4xx_cf: fix IRQ check (git-fixes). 
- PCI/AER: Add pcie_walk_rcec() to RCEC AER handling (bsc#1174426). - PCI/AER: Add RCEC AER error injection support (bsc#1174426). - PCI/AER: Clear AER status from Root Port when resetting Downstream Port (bsc#1174426). - PCI/AER: Specify the type of Port that was reset (bsc#1174426). - PCI/AER: Use 'aer' variable for capability offset (bsc#1174426). - PCI/AER: Write AER Capability only when we control it (bsc#1174426). - PCI: designware-ep: Fix the Header Type check (git-fixes). - PCI/ERR: Add pcie_link_rcec() to associate RCiEPs (bsc#1174426). - PCI/ERR: Add pci_walk_bridge() to pcie_do_recovery() (bsc#1174426). - PCI/ERR: Avoid negated conditional for clarity (bsc#1174426). - PCI/ERR: Bind RCEC devices to the Root Port driver (bsc#1174426). - PCI/ERR: Cache RCEC EA Capability offset in pci_init_capabilities() (bsc#1174426). - PCI/ERR: Clear AER status only when we control AER (bsc#1174426). - PCI/ERR: Clear PCIe Device Status errors only if OS owns AER (bsc#1174426). - PCI/ERR: Clear status of the reporting device (bsc#1174426). - PCI/ERR: Recover from RCEC AER errors (bsc#1174426). - PCI/ERR: Recover from RCiEP AER errors (bsc#1174426). - PCI/ERR: Rename reset_link() to reset_subordinates() (bsc#1174426). - PCI/ERR: Retain status from error notification (bsc#1174426). - PCI/ERR: Simplify by computing pci_pcie_type() once (bsc#1174426). - PCI/ERR: Simplify by using pci_upstream_bridge() (bsc#1174426). - PCI/ERR: Use 'bridge' for clarity in pcie_do_recovery() (bsc#1174426). - PCI/PME: Add pcie_walk_rcec() to RCEC PME handling (bsc#1174426). - PCI/portdrv: Report reset for frozen channel (bsc#1174426). - PCI: tegra: Fix ASPM-L1SS advertisement disable code (git-fixes). - PCI: tegra: Move 'dbi' accesses to post common DWC initialization (git-fixes). - phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y, unconditionally (git-fixes). - pinctrl: core: Fix kernel doc string for pin_get_name() (git-fixes). 
- pinctrl: Ingenic: Add missing pins to the JZ4770 MAC MII group (git-fixes). - platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards with critclk_systems DMI table (git-fixes). - PM: runtime: Add documentation for pm_runtime_resume_and_get() (git-fixes). - powerepc/book3s64/hash: Align start/end address correctly with bolt mapping (bsc#1184957). - powerpc/64s: Fix pte update for kernel memory on radix (bsc#1055117 git-fixes). - powerpc/asm-offsets: GPR14 is not needed either (bsc#1065729). - powerpc/eeh: Fix EEH handling for hugepages in ioremap space (bsc#1156395). - powerpc/fadump: Mark fadump_calculate_reserve_size as __init (bsc#1065729). - powerpc/mm: Add cond_resched() while removing hpte mappings (bsc#1183289 ltc#191637). - powerpc/papr_scm: Fix build error due to wrong printf specifier (bsc#1184969). - powerpc/papr_scm: Implement support for H_SCM_FLUSH hcall (bsc#1184969). - powerpc/perf: Fix PMU constraint check for EBB events (bsc#1065729). - powerpc/prom: Mark identical_pvr_fixup as __init (bsc#1065729). - powerpc/pseries: Add shutdown() to vio_driver and vio_bus (bsc#1184209 ltc#190917). - powerpc/time: Enable sched clock for irqtime (bsc#1156395). - regmap: set debugfs_name to NULL after it is freed (git-fixes). - regulator: Avoid a double 'of_node_get' in 'regulator_of_get_init_node()' (git-fixes). - reintroduce cqhci_suspend for kABI (git-fixes). - reiserfs: update reiserfs_xattrs_initialized() condition (bsc#1184737). - rpm/constraints.in: bump disk space to 45GB on riscv64 - rpm/kernel-obs-build.spec.in: Include essiv with dm-crypt (boo#1183063). - rpm/macros.kernel-source: fix KMP failure in %install (bsc#1185244) - rpm/mkspec: Use tilde instead of dot for version string with rc (bsc#1184650) - rsi: Use resume_noirq for SDIO (git-fixes). - rsxx: remove extraneous 'const' qualifier (git-fixes). - rtc: ds1307: Fix wday settings for rx8130 (git-fixes). - rtc: fsl-ftm-alarm: add MODULE_TABLE() (bsc#1185454). 
- rtc: fsl-ftm-alarm: avoid struct rtc_time conversions (bsc#1185454). - rtc: fsl-ftm-alarm: enable acpi support (bsc#1185454). - rtc: fsl-ftm-alarm: fix freeze(s2idle) failed to wake (bsc#1185454). - rtc: fsl-ftm-alarm: report alarm to core (bsc#1185454). - rtc: fsl-ftm-alarm: switch to ktime_get_real_seconds (bsc#1185454). - rtc: fsl-ftm-alarm: switch to rtc_time64_to_tm/rtc_tm_to_time64 (bsc#1185454). - rtc: fsl-ftm-alarm: update acpi device id (bsc#1185454). - rtc: pcf2127: add alarm support (bsc#1185233). - rtc: pcf2127: add pca2129 device id (bsc#1185233). - rtc: pcf2127: add tamper detection support (bsc#1185233). - rtc: pcf2127: add watchdog feature support (bsc#1185233). - rtc: pcf2127: bugfix: watchdog build dependency (bsc#1185233). - rtc: pcf2127: cleanup register and bit defines (bsc#1185233). - rtc: pcf2127: convert to devm_rtc_allocate_device (bsc#1185233). - rtc: pcf2127: fix a bug when not specify interrupts property (bsc#1185233). - rtc: pcf2127: fix alarm handling (bsc#1185233). - rtc: pcf2127: fix pcf2127_nvmem_read/write() returns (bsc#1185233). - rtc: pcf2127: handle boot-enabled watchdog feature (bsc#1185233). - rtc: pcf2127: let the core handle rtc range (bsc#1185233). - rtc: pcf2127: move watchdog initialisation to a separate function (bsc#1185233). - rtc: pcf2127: only use watchdog when explicitly available (bsc#1185233). - rtc: pcf2127: properly set flag WD_CD for rtc chips(pcf2129, pca2129) (bsc#1185233). - rtc: pcf2127: remove unnecessary #ifdef (bsc#1185233). - rtc: pcf2127: set regmap max_register (bsc#1185233). - rtc: pcf2127: watchdog: handle nowayout feature (bsc#1185233). - rtlwifi: 8821ae: upgrade PHY and RF parameters (git-fixes). - rtw88: Fix array overrun in rtw_get_tx_power_params() (git-fixes). - sata_mv: add IRQ checks (git-fixes). - scsi: block: Fix a race in the runtime power management code (git-fixes). - scsi: core: add scsi_host_busy_iter() (bsc#1179851). 
- scsi: core: Only return started requests from scsi_host_find_tag() (bsc#1179851). - scsi: lpfc: Copyright updates for 12.8.0.9 patches (bsc#1185472). - scsi: lpfc: Eliminate use of LPFC_DRIVER_NAME in lpfc_attr.c (bsc#1185472). - scsi: lpfc: Fix a bunch of kernel-doc issues (bsc#1185472). - scsi: lpfc: Fix a bunch of kernel-doc misdemeanours (bsc#1185472). - scsi: lpfc: Fix a bunch of misnamed functions (bsc#1185472). - scsi: lpfc: Fix a few incorrectly named functions (bsc#1185472). - scsi: lpfc: Fix a typo (bsc#1185472). - scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO response (bsc#1185472). - scsi: lpfc: Fix DMA virtual address ptr assignment in bsg (bsc#1185365). - scsi: lpfc: Fix error handling for mailboxes completed in MBX_POLL mode (bsc#1185472). - scsi: lpfc: Fix formatting and misspelling issues (bsc#1185472). - scsi: lpfc: Fix gcc -Wstringop-overread warning (bsc#1185472). - scsi: lpfc: Fix illegal memory access on Abort IOCBs (bsc#1183203). - scsi: lpfc: Fix incorrectly documented function lpfc_debugfs_commonxripools_data() (bsc#1185472). - scsi: lpfc: Fix incorrect naming of __lpfc_update_fcf_record() (bsc#1185472). - scsi: lpfc: Fix kernel-doc formatting issue (bsc#1185472). - scsi: lpfc: Fix lack of device removal on port swaps with PRLIs (bsc#1185472). - scsi: lpfc: Fix lpfc_hdw_queue attribute being ignored (bsc#1185472). - scsi: lpfc: Fix missing FDMI registrations after Mgmt Svc login (bsc#1185472). - scsi: lpfc: Fix NMI crash during rmmod due to circular hbalock dependency (bsc#1185472). - scsi: lpfc: Fix reference counting errors in lpfc_cmpl_els_rsp() (bsc#1185472). - scsi: lpfc: Fix rmmod crash due to bad ring pointers to abort_iotag (bsc#1185472). - scsi: lpfc: Fix silent memory allocation failure in lpfc_sli4_bsg_link_diag_test() (bsc#1185472). - scsi: lpfc: Fix some error codes in debugfs (bsc#1185472). - scsi: lpfc: Fix use-after-free on unused nodes after port swap (bsc#1185472). 
- scsi: lpfc: Fix various trivial errors in comments and log messages (bsc#1185472). - scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic (bsc#1185472). - scsi: lpfc: Standardize discovery object logging format (bsc#1185472). - scsi: lpfc: Update lpfc version to 12.8.0.9 (bsc#1185472). - scsi: qla2xxx: Add error counters to debugfs node (bsc#1185491). - scsi: qla2xxx: Add H:C:T info in the log message for fc ports (bsc#1185491). - scsi: qla2xxx: Always check the return value of qla24xx_get_isp_stats() (bsc#1185491). - scsi: qla2xxx: Assign boolean values to a bool variable (bsc#1185491). - scsi: qla2xxx: Check kzalloc() return value (bsc#1185491). - scsi: qla2xxx: Consolidate zio threshold setting for both FCP NVMe (bsc#1185491). - scsi: qla2xxx: Constify struct qla_tgt_func_tmpl (bsc#1185491). - scsi: qla2xxx: Do logout even if fabric scan retries got exhausted (bsc#1185491). - scsi: qla2xxx: Enable NVMe CONF (BIT_7) when enabling SLER (bsc#1185491). - scsi: qla2xxx: fc_remote_port_chkready() returns a SCSI result value (bsc#1185491). - scsi: qla2xxx: Fix a couple of misdocumented functions (bsc#1185491). - scsi: qla2xxx: Fix a couple of misnamed functions (bsc#1185491). - scsi: qla2xxx: Fix broken #endif placement (bsc#1185491). - scsi: qla2xxx: Fix crash in PCIe error handling (bsc#1185491). - scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() (bsc#1185491). - scsi: qla2xxx: Fix endianness annotations (bsc#1185491). - scsi: qla2xxx: Fix incorrectly named function qla8044_check_temp() (bsc#1185491). - scsi: qla2xxx: Fix IOPS drop seen in some adapters (bsc#1185491). - scsi: qla2xxx: Fix mailbox Ch erroneous error (bsc#1185491). - scsi: qla2xxx: Fix mailbox recovery during PCIe error (bsc#1185491). - scsi: qla2xxx: Fix RISC RESET completion polling (bsc#1185491). - scsi: qla2xxx: Fix some incorrect formatting/spelling issues (bsc#1185491). - scsi: qla2xxx: Fix some memory corruption (bsc#1185491). - scsi: qla2xxx: Fix stuck session (bsc#1185491). 
- scsi: qla2xxx: Fix use after free in bsg (bsc#1185491). - scsi: qla2xxx: Implementation to get and manage host, target stats and initiator port (bsc#1185491). - scsi: qla2xxx: Move some messages from debug to normal log level (bsc#1185491). - scsi: qla2xxx: Remove redundant NULL check (bsc#1185491). - scsi: qla2xxx: Remove unnecessary NULL check (bsc#1185491). - scsi: qla2xxx: Remove unneeded if-null-free check (bsc#1185491). - scsi: qla2xxx: Replace __qla2x00_marker()'s missing underscores (bsc#1185491). - scsi: qla2xxx: Reserve extra IRQ vectors (bsc#1184436). - scsi: qla2xxx: Reuse existing error handling path (bsc#1185491). - scsi: qla2xxx: Simplify if statement (bsc#1185491). - scsi: qla2xxx: Simplify qla8044_minidump_process_control() (bsc#1185491). - scsi: qla2xxx: Simplify the calculation of variables (bsc#1185491). - scsi: qla2xxx: Suppress Coverity complaints about dseg_r* (bsc#1185491). - scsi: qla2xxx: Update default AER debug mask (bsc#1185491). - scsi: qla2xxx: Update version to 10.02.00.105-k (bsc#1185491). - scsi: qla2xxx: Update version to 10.02.00.106-k (bsc#1185491). - scsi: qla2xxx: Use dma_pool_zalloc() (bsc#1185491). - scsi: qla2xxx: Wait for ABTS response on I/O timeouts for NVMe (bsc#1185491). - scsi: smartpqi: Correct driver removal with HBA disks (bsc#1178089). - scsi: smartpqi: Correct pqi_sas_smp_handler busy condition (bsc#1178089). - scsi: smartpqi: Update version to 1.2.16-012 (bsc#1178089). - selftests/powerpc: Add pkey helpers for rights (bsc#1184934 ltc#191460). - selftests/powerpc: Add test for execute-disabled pkeys (bsc#1184934 ltc#191460). - selftests/powerpc: Add test for pkey siginfo verification (bsc#1184934 ltc#191460). - selftests/powerpc: Add wrapper for gettid (bsc#1184934 ltc#191460). - selftests/powerpc: Fix exit status of pkey tests (bsc#1184934 ltc#191460). - selftests/powerpc: Fix L1D flushing tests for Power10 (bsc#1184934 ltc#191460). - selftests/powerpc: Fix pkey syscall redefinitions (bsc#1184934 ltc#191460). 
- selftests/powerpc: Move pkey helpers to headers (bsc#1184934 ltc#191460). - selftests/powerpc: refactor entry and rfi_flush tests (bsc#1184934 ltc#191460). - soc: aspeed: fix a ternary sign expansion bug (git-fixes). - soc: qcom: mdt_loader: Detect truncated read of segments (git-fixes). - soc: qcom: mdt_loader: Validate that p_filesz p_memsz (git-fixes). - soundwire: bus: Fix device found flag correctly (git-fixes). - soundwire: stream: fix memory leak in stream config error path (git-fixes). - spi: fsl-dspi: fix NULL pointer dereference (bsc#1167260). - spi: fsl-dspi: fix use-after-free in remove path (bsc#1167260). - spi: fsl-dspi: fix wrong pointer in suspend/resume (bsc#1167260). - spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware() (git-fixes). - spi: Introduce dspi_slave_abort() function for NXP's dspi SPI driver (bsc#1167260). - spi: spi-fsl-dspi: Accelerate transfers using larger word size if possible (bsc#1167260). - spi: spi-fsl-dspi: Add comments around dspi_pop_tx and dspi_push_rx functions (bsc#1167260). - spi: spi-fsl-dspi: Adding shutdown hook (bsc#1167260). - spi: spi-fsl-dspi: Add support for LS1028A (bsc#1167260). - spi: spi-fsl-dspi: Always use the TCFQ devices in poll mode (bsc#1167260). - spi: spi-fsl-dspi: Avoid NULL pointer in dspi_slave_abort for non-DMA mode (bsc#1167260). - spi: spi-fsl-dspi: Avoid reading more data than written in EOQ mode (bsc#1167260). - spi: spi-fsl-dspi: Change usage pattern of SPI_MCR_* and SPI_CTAR_* macros (bsc#1167260). - spi: spi-fsl-dspi: Convert TCFQ users to XSPI FIFO mode (bsc#1167260). - spi: spi-fsl-dspi: Convert the instantiations that support it to DMA (bsc#1167260). - spi: spi-fsl-dspi: delete EOQ transfer mode (bsc#1167260). - spi: spi-fsl-dspi: Demistify magic value in SPI_SR_CLEAR (bsc#1167260). - spi: spi-fsl-dspi: Do not access reserved fields in SPI_MCR (bsc#1167260). - spi: spi-fsl-dspi: Do not mask off undefined bits (bsc#1167260). 
- spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours (bsc#1167260). - spi: spi-fsl-dspi: Fix 16-bit word order in 32-bit XSPI mode (bsc#1167260). - spi: spi-fsl-dspi: Fix bits-per-word acceleration in DMA mode (bsc#1167260). - spi: spi-fsl-dspi: Fix code alignment (bsc#1167260). - spi: spi-fsl-dspi: fix DMA mapping (bsc#1167260). - spi: spi-fsl-dspi: Fix external abort on interrupt in resume or exit paths (bsc#1167260). - spi: spi-fsl-dspi: Fix interrupt-less DMA mode taking an XSPI code path (bsc#1167260). - spi: spi-fsl-dspi: Fix little endian access to PUSHR CMD and TXDATA (bsc#1167260). - spi: spi-fsl-dspi: Fix lockup if device is removed during SPI transfer (bsc#1167260). - spi: spi-fsl-dspi: Fix lockup if device is shutdown during SPI transfer (bsc#1167260). - spi: spi-fsl-dspi: fix native data copy (bsc#1167260). - spi: spi-fsl-dspi: Fix race condition in TCFQ/EOQ interrupt (bsc#1167260). - spi: spi-fsl-dspi: Fix typos (bsc#1167260). - spi: spi-fsl-dspi: Free DMA memory with matching function (bsc#1167260). - spi: spi-fsl-dspi: Implement .max_message_size method for EOQ mode (bsc#1167260). - spi: spi-fsl-dspi: Initialize completion before possible interrupt (bsc#1167260). - spi: spi-fsl-dspi: LS2080A and LX2160A support XSPI mode (bsc#1167260). - spi: spi-fsl-dspi: Make bus-num property optional (bsc#1167260). - spi: spi-fsl-dspi: Move dspi_interrupt above dspi_transfer_one_message (bsc#1167260). - spi: spi-fsl-dspi: Move invariant configs out of dspi_transfer_one_message (bsc#1167260). - spi: spi-fsl-dspi: Optimize dspi_setup_accel for lowest interrupt count (bsc#1167260). - spi: spi-fsl-dspi: Parameterize the FIFO size and DMA buffer size (bsc#1167260). - spi: spi-fsl-dspi: Protect against races on dspi->words_in_flight (bsc#1167260). - spi: spi-fsl-dspi: Reduce indentation in dspi_release_dma() (bsc#1167260). - spi: spi-fsl-dspi: Reduce indentation level in dspi_interrupt (bsc#1167260). - spi: spi-fsl-dspi: remove git-fixes Remove git-fixes. 
Prepare to update the driver. References: bsc#1167260 - spi: spi-fsl-dspi: Remove impossible to reach error check (bsc#1167260). - spi: spi-fsl-dspi: Remove pointless assignment of master->transfer to NULL (bsc#1167260). - spi: spi-fsl-dspi: Remove unused chip->void_write_data (bsc#1167260). - spi: spi-fsl-dspi: Remove unused defines and includes (bsc#1167260). - spi: spi-fsl-dspi: Remove unused initialization of 'ret' in dspi_probe (bsc#1167260). - spi: spi-fsl-dspi: Rename fifo_{read,write} and {tx,cmd}_fifo_write (bsc#1167260). - spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion (bsc#1167260). - spi: spi-fsl-dspi: Replace legacy spi_master names with spi_controller (bsc#1167260). - spi: spi-fsl-dspi: set ColdFire to DMA mode (bsc#1167260). - spi: spi-fsl-dspi: Simplify bytes_per_word gymnastics (bsc#1167260). - spi: spi-fsl-dspi: Take software timestamp in dspi_fifo_write (bsc#1167260). - spi: spi-fsl-dspi: Use BIT() and GENMASK() macros (bsc#1167260). - spi: spi-fsl-dspi: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1167260). - spi: spi-fsl-dspi: Use EOQ for last word in buffer even for XSPI mode (bsc#1167260). - spi: spi-fsl-dspi: Use poll mode in case the platform IRQ is missing (bsc#1167260). - spi: spi-fsl-dspi: Use reverse Christmas tree declaration order (bsc#1167260). - spi: spi-fsl-dspi: Use specific compatible strings for all SoC instantiations (bsc#1167260). - spi: spi-fsl-dspi: use XSPI mode instead of DMA for DPAA2 SoCs (bsc#1167260). - spi: spi-ti-qspi: Free DMA resources (git-fixes). - staging: fwserial: fix TIOCGSERIAL implementation (git-fixes). - staging: fwserial: fix TIOCSSERIAL implementation (git-fixes). - staging: fwserial: fix TIOCSSERIAL jiffies conversions (git-fixes). - staging: fwserial: fix TIOCSSERIAL permission check (git-fixes). - staging: rtl8192u: Fix potential infinite loop (git-fixes). - usb: CDC-ACM: fix poison/unpoison imbalance (bsc#1184984). 
- usb: CDC-ACM: fix poison/unpoison imbalance (git-fixes). - usb: cdc-acm: fix TIOCGSERIAL implementation (git-fixes). - usb: cdc-acm: fix unprivileged TIOCCSERIAL (git-fixes). - usb: dwc2: Fix hibernation between host and device modes (git-fixes). - usb: dwc2: Fix host mode hibernation exit with remote wakeup flow (git-fixes). - usb: dwc2: Fix session request interrupt handler (git-fixes). - usb: dwc3: gadget: Fix START_TRANSFER link state check (git-fixes). - usb: dwc3: keystone: use devm_platform_ioremap_resource() to simplify code (git-fixes). - usb: dwc3: meson-g12a: use devm_platform_ioremap_resource() to simplify code (git-fixes). - usb: dwc3: Switch to use device_property_count_u32() (git-fixes). - usb: gadget: aspeed: fix dma map failure (git-fixes). - usb: gadget: Fix double free of device descriptor pointers (git-fixes). - usb: gadget: pch_udc: Check for DMA mapping error (git-fixes). - usb: gadget: pch_udc: Check if driver is present before calling ->setup() (git-fixes). - usb: gadget: pch_udc: Move pch_udc_init() to satisfy kernel doc (git-fixes). - usb: gadget: pch_udc: Replace cpu_to_le32() by lower_32_bits() (git-fixes). - usb: gadget: pch_udc: Revert d3cb25a12138 completely (git-fixes). - usb: gadget: r8a66597: Add missing null check on return from platform_get_resource (git-fixes). - usb: gadget: udc: fix wrong pointer passed to IS_ERR() and PTR_ERR() (git-fixes). - usb: Remove dev_err() usage after platform_get_irq() (git-fixes). - usb: serial: ark3116: fix TIOCGSERIAL implementation (git-fixes). - usb: serial: f81232: fix TIOCGSERIAL implementation (git-fixes). - usb: serial: f81534: fix TIOCGSERIAL implementation (git-fixes). - usb: serial: fix return value for unsupported ioctls (git-fixes). - usb: serial: mos7720: fix TIOCGSERIAL implementation (git-fixes). - usb: serial: opticon: fix TIOCGSERIAL implementation (git-fixes). - usb: serial: quatech2: fix TIOCGSERIAL implementation (git-fixes). 
- usb: serial: ssu100: fix TIOCGSERIAL implementation (git-fixes). - usb: serial: usb_wwan: fix TIOCGSERIAL implementation (git-fixes). - usb: serial: usb_wwan: fix TIOCSSERIAL jiffies conversions (git-fixes). - usb: serial: usb_wwan: fix unprivileged TIOCCSERIAL (git-fixes). - usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS (git-fixes). - usb: typec: tcpm: Address incorrect values of tcpm psy for fixed supply (git-fixes). - usb: typec: tcpm: Honour pSnkStdby requirement during negotiation (git-fixes). - veth: Store queue_mapping independently of XDP prog presence (git-fixes). - vfio/pci: Add missing range check in vfio_pci_mmap (git-fixes). - virt_wifi: Return micros for BSS TSF values (git-fixes). - vxlan: move debug check after netdev unregister (git-fixes). - workqueue: Move the position of debug_work_activate() in __queue_work() (bsc#1184893). - x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access (bsc#1152489). - x86/insn: Add some Intel instructions to the opcode map (bsc#1184760). - x86/insn: Add some more Intel instructions to the opcode map (bsc#1184760). - x86/microcode: Check for offline CPUs before requesting new microcode (bsc#1152489). - x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd (bsc#1152489). - x86/platform/uv: Set section block size for hubless architectures (bsc#1152489). - x86/reboot: Force all cpus to exit VMX root if VMX is supported (bsc#1152489). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1582-1 Released: Wed May 12 13:40:03 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1184687,1185190 This update for lvm2 fixes the following issues: - Honor 'lvm.conf' parameter event_activation=0 on 'pvscan --cache -aay'. (bsc#1185190) - Fixed an issue when LVM can't be disabled on boot. (bsc#1184687) - Update patch for avoiding apply warning messages.
(bsc#1012973) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1592-1 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Type: optional Severity: low References: 1183797 This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1600-1 Released: Thu May 13 16:34:08 2021 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1185277 This update for dracut fixes the following issue: Update to version 049.1+suse.188.gbf445638: - Do not resolve symbolic links before `instmod`. (bsc#1185277) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1612-1 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1636-1 Released: Wed May 19 13:33:56 2021 Summary: Recommended update for grub2 Type: security Severity: moderate References: 1185580 This update for grub2 fixes the following issues: - Fixed error with the shim_lock protocol that is not found on aarch64 (bsc#1185580). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1647-1 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Type: security Severity: important References: 1185438,CVE-2021-3520 This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1654-1 Released: Wed May 19 16:43:36 2021 Summary: Security update for libxml2 Type: security Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 This update for libxml2 fixes the following issues: - CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1669-1 Released: Thu May 20 11:10:44 2021 Summary: Recommended update for nfs-utils Type: recommended Severity: moderate References: 1181540,1181651,1183194,1185170 This update for nfs-utils fixes the following issues: - The '/var/run' is long deprecated - switch all relevant paths to '/run'. (bsc#1185170) - Improve logging of authentication (bsc#1181540) - Add man page of the 'nconnect mount'. (bsc#1181651) - Fixed an issue when HANA crashed due to inaccessible/hanging NFS mount. (bsc#1183194) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1672-1 Released: Thu May 20 13:44:41 2021 Summary: Recommended update for supportutils Type: recommended Severity: moderate References: 1021918,1089870,1168894,1169122,1169348,1170092,1170094,1170858,1176370,1178491,1180478,1181351,1181610,1181679,1181911,1182904,1182950,1183732,1183826,1184829,1184912 This update for supportutils fixes the following issues: - Collects rotated logs with different compression types (bsc#1180478) - Captures now IBM Power bootlist (jsc#SLE-15557) - Fixed some errors with supportutils in combination with the btrfs filesystem (bsc#1168894) - Fixed an issue with ntp.txt, when it contains large binary data (bsc#1169122) - Checks package signatures in rpm.txt (bsc#1021918) - Optimize find (bsc#1184912) - Using zypper --xmlout (bsc#1181351) - Error fix for sysfs.txt (bsc#1089870) - Added list-timers to systemd.txt (bsc#1169348) - Including nfs4 in search (bsc#1184829) - [powerpc] Collect dynamic_debug log files for ibmvNIC #98 (bsc#1183826) - Fixed mismatched taint flags (bsc#1178491) - Removed redundant fdisk code that can cause timeout issues (bsc#1181679) - Supportconfig processes -f without hanging (bsc#1182904) - Collect logs for power specific components (using iprconfig) pr#94 (bsc#1182950) - [powerpc] Collect logs for power specific components (HNV) pr#88 
(bsc#1181911) - Includes NVMe information with OPTION_NVME=1 in nvme.txt (bsc#1176370, SLE-15932) - No longer truncates boot log (bsc#1181610) - Collects rotated logs with different compression types (bsc#1180478) - Capture IBM Power bootlist (SLE-15557) - [powerpc] Collect logs for power specific components #72 (bscn#1176895) - Fixed btrfs errors (bsc#1168894) - Large ntp.txt with binary data (bsc#1169122) - Only include hostinfo details in /etc/motd (bsc#1170092) - Fixed CPU load average calculation (bsc#1170094) - Understands 3rd party packages on SLES or OpenSUSE (bsc#1170858) - Implement persistent host information across reboots (bsc#1183732) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1675-1 Released: Thu May 20 15:00:23 2021 Summary: Recommended update for snappy Type: recommended Severity: moderate References: 1080040,1184507 This update for snappy fixes the following issues: Update from version 1.1.3 to 1.1.8 - Small performance improvements. - Removed `snappy::string` alias for `std::string`. - Improved `CMake` configuration. - Improved packages descriptions. - Fix RPM groups. - Aarch64 fixes - PPC speedups - PIE improvements - Fix license install. (bsc#1080040) - Fix a 1% performance regression when snappy is used in PIE executable. - Improve compression performance by 5%. - Improve decompression performance by 20%. - Use better download URL. - Fix a build issue for tensorflow2. (bsc#1184507) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1762-1 Released: Wed May 26 12:30:01 2021 Summary: Security update for curl Type: security Severity: moderate References: 1186114,CVE-2021-22898 This update for curl fixes the following issues: - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Allow partial chain verification [jsc#SLE-17956] * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. * Set FLAG_TRUSTED_FIRST unconditionally. * Do not check partial chains with CRL check. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1773-1 Released: Wed May 26 17:22:21 2021 Summary: Recommended update for python3 Type: recommended Severity: low References: This update for python3 fixes the following issues: - Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1801-1 Released: Mon May 31 07:36:01 2021 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1115550,1174162 This update for openssh fixes the following issues: - Fixed a race condition leading to a sshd termination of multichannel sessions with non-root users (bsc#1115550, bsc#1174162). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1833-1 Released: Wed Jun 2 15:32:28 2021 Summary: Recommended update for zypper Type: recommended Severity: moderate References: 1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239 This update for zypper fixes the following issues: zypper was upgraded to 1.14.44: - man page: Recommend the needs-rebooting command to test whether a system reboot is suggested. - patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268) - Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687) - Protect against strict/relaxed user umask via sudo. 
(bsc#1183589) - xml summary: Add solvables repository alias. (bsc#1182372) libzypp was upgraded from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1841-1 Released: Wed Jun 2 16:30:17 2021 Summary: Security update for dhcp Type: security Severity: important References: 1186382,CVE-2021-25217 This update for dhcp fixes the following issues: - CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1846-1 Released: Fri Jun 4 08:46:37 2021 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1185910 This update for mozilla-nss fixes the following issue: - Provide some missing binaries from `mozilla-nss` not added in `SLE-Module-Basesystem_15-SP3`. (bsc#1185910) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1859-1 Released: Fri Jun 4 09:02:38 2021 Summary: Security update for python-py Type: security Severity: moderate References: 1179805,1184505,CVE-2020-29651 This update for python-py fixes the following issues: - CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1861-1 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Type: recommended Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1879-1 Released: Tue Jun 8 09:16:09 2021 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1184326,1184399,1184997,1185325 This update for libzypp, zypper fixes the following issues: libzypp was updated to 17.26.0: - Work around download.o.o broken https redirects. - Allow trusted repos to add additional signing keys (bsc#1184326) Repositories signed with a trusted gpg key may import additional package signing keys. This is needed if different keys were used to sign the packages shipped by the repository. - MediaCurl: Fix logging of redirects. - Use 15.3 resolver problem and solution texts on all distros. - $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the zypp lock (bsc#1184399) Helps boot time services like 'zypper purge-kernels' to wait for the zypp lock until other services using zypper have completed. - Fix purge-kernels is broken in Leap 15.3 (bsc#1185325) Leap 15.3 introduces a new kernel package called kernel-flavour-extra, which contain kmp's. Currently kmp's are detected by name '.*-kmp(-.*)?' but this does not work with those new packages.
  This patch fixes the problem by checking packages for kmod(*) and ksym(*) provides and only falls back to name checking if the package in question does not provide one of those.
- Introduce zypp-runpurge, a tool to run purge-kernels on testcases.

zypper was updated to 1.14.45:

- Fix service detection with cgroupv2 (bsc#1184997)
- Add hints to 'trust GPG key' prompt.
- Add report when receiving new package signing keys from a trusted repo (bsc#1184326)
- Added translation using Weblate (Kabyle)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1890-1
Released: Tue Jun 8 15:08:16 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1087082,1133021,1152457,1152489,1155518,1156395,1164648,1177666,1178378,1178418,1178612,1179519,1179825,1179827,1179851,1182257,1182378,1182999,1183346,1183868,1183873,1183932,1183947,1183976,1184081,1184082,1184259,1184611,1184855,1185428,1185495,1185497,1185589,1185606,1185642,1185645,1185677,1185680,1185703,1185725,1185758,1185859,1185860,1185861,1185862,1185863,1185898,1185899,1185911,1185938,1185950,1185982,1185987,1185988,1186060,1186061,1186062,1186111,1186285,1186320,1186390,1186416,1186439,1186441,1186451,1186460,1186479,1186484,1186498,1186501,1186573,1186681,CVE-2020-24586,CVE-2020-24587,CVE-2020-24588,CVE-2020-26139,CVE-2020-26141,CVE-2020-26145,CVE-2020-26147,CVE-2021-23134,CVE-2021-32399,CVE-2021-33034,CVE-2021-33200,CVE-2021-3491

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values.
(bsc#1186111)
- CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
- CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
- CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
- CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
- CVE-2020-24588: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated.
  Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (bnc#1185861)
- CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
- CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)

The following non-security bugs were fixed:

- ACPI / hotplug / PCI: Fix reference count leak in enable_slot() (git-fixes).
- ACPI: GTDT: Do not corrupt interrupt mappings on watchdow probe failure (git-fixes).
- ACPI: custom_method: fix a possible memory leak (git-fixes).
- ACPI: custom_method: fix potential use-after-free issue (git-fixes).
- ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro (git-fixes).
- ALSA: bebob: enable to deliver MIDI messages for multiple ports (git-fixes).
- ALSA: dice: fix stream format at middle sampling rate for Alesis iO 26 (git-fixes).
- ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency (git-fixes).
- ALSA: firewire-lib: fix calculation for size of IR context payload (git-fixes).
- ALSA: firewire-lib: fix check for the size of isochronous packet payload (git-fixes).
- ALSA: hda/conexant: Re-order CX5066 quirk table entries (git-fixes).
- ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is unreachable (git-fixes).
- ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293 (git-fixes).
- ALSA: hda/realtek: Headphone volume is controlled by Front mixer (git-fixes).
- ALSA: hda/realtek: reset eapd coeff to default value for alc287 (git-fixes).
- ALSA: hda: fixup headset for ASUS GU502 laptop (git-fixes).
- ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP (git-fixes).
- ALSA: hdsp: do not disable if not enabled (git-fixes).
- ALSA: hdspm: do not disable if not enabled (git-fixes).
- ALSA: intel8x0: Do not update period unless prepared (git-fixes).
- ALSA: line6: Fix racy initialization of LINE6 MIDI (git-fixes).
- ALSA: rme9652: do not disable if not enabled (git-fixes).
- ALSA: usb-audio: Validate MS endpoint descriptors (git-fixes).
- ALSA: usb-audio: fix control-request direction (git-fixes).
- ALSA: usb-audio: scarlett2: Fix device hang with ehci-pci (git-fixes).
- ALSA: usb-audio: scarlett2: Improve driver startup messages (git-fixes).
- ALSA: usb-audio: scarlett2: snd_scarlett_gen2_controls_create() can be static (git-fixes).
- ARM64: vdso32: Install vdso32 from vdso_install (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet (git-fixes).
- ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF (git-fixes).
- ASoC: cs35l33: fix an error code in probe() (git-fixes).
- ASoC: cs42l42: Regmap must use_single_read/write (git-fixes).
- ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() (git-fixes).
- ASoC: rsnd: core: Check convert rate in rsnd_hw_params (git-fixes).
- ASoC: rt286: Generalize support for ALC3263 codec (git-fixes).
- ASoC: rt286: Make RT286_SET_GPIO_* readable and writable (git-fixes).
- Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS (git-fixes).
- Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes).
- Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default (git-fixes).
- Bluetooth: check for zapped sk before connecting (git-fixes).
- Bluetooth: initialize skb_queue_head at l2cap_chan_create() (git-fixes).
- Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2 VM (git-fixes).
- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725).
- Drivers: hv: vmbus: Use after free in __vmbus_open() (git-fixes).
- Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices (git-fixes).
- Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state (git-fixes).
- KVM: s390: fix guarded storage control register handling (bsc#1133021).
- Move upstreamed media fixes into sorted section
- NFC: nci: fix memory leak in nci_allocate_device (git-fixes).
- PCI/RCEC: Fix RCiEP device to RCEC association (git-fixes).
- PCI: Allow VPD access for QLogic ISP2722 (git-fixes).
- PCI: PM: Do not read power state in pci_enable_device_flags() (git-fixes).
- PCI: Release OF node in pci_scan_device()'s error path (git-fixes).
- PCI: endpoint: Fix missing destroy_workqueue() (git-fixes).
- PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() (git-fixes).
- PCI: thunder: Fix compile testing (git-fixes).
- PM / devfreq: Use more accurate returned new_freq as resume_freq (git-fixes).
- RDMA/addr: create addr_wq with WQ_MEM_RECLAIM flag (bsc#1183346).
- RDMA/core: create ib_cm with WQ_MEM_RECLAIM flag (bsc#1183346).
- RDMA/hns: Delete redundant abnormal interrupt status (git-fixes).
- RDMA/hns: Delete redundant condition judgment related to eq (git-fixes).
- RDMA/qedr: Fix error return code in qedr_iw_connect() (jsc#SLE-8215).
- RDMA/srpt: Fix error return code in srpt_cm_req_recv() (git-fixes).
- Revert 'arm64: vdso: Fix compilation with clang older than 8' (git-fixes).
- Revert 'gdrom: fix a memory leak bug' (git-fixes).
- Revert 'i3c master: fix missing destroy_workqueue() on error in i3c_master_register' (git-fixes).
- Revert 'leds: lp5523: fix a missing check of return value of lp55xx_read' (git-fixes).
- Revert 337f13046ff0 ('futex: Allow FUTEX_CLOCK_REALTIME with FUTEX_WAIT op') (git-fixes).
- SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428).
- SUNRPC: More fixes for backlog congestion (bsc#1185428).
- USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet (git-fixes).
- USB: Add reset-resume quirk for WD19's Realtek Hub (git-fixes).
- USB: serial: pl2303: add support for PL2303HXN (bsc#1186320).
- USB: serial: pl2303: fix line-speed handling on newer chips (bsc#1186320).
- USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check (git-fixes).
- USB: trancevibrator: fix control-request direction (git-fixes).
- amdgpu: avoid incorrect %hu format string (git-fixes).
- arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory (git-fixes).
- arm64: Add missing ISB after invalidating TLB in __primary_switch (git-fixes).
- arm64: avoid -Woverride-init warning (git-fixes).
- arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL (git-fixes).
- arm64: kdump: update ppos when reading elfcorehdr (git-fixes).
- arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails (git-fixes).
- arm64: link with -z norelro for LLD or aarch64-elf (git-fixes).
- arm64: link with -z norelro regardless of CONFIG_RELOCATABLE (git-fixes).
- arm64: ptrace: Fix seccomp of traced syscall -1 (NO_SYSCALL) (git-fixes).
- arm64: ptrace: Use NO_SYSCALL instead of -1 in syscall_trace_enter() (git-fixes).
- arm64: vdso32: make vdso32 install conditional (git-fixes).
- arm: mm: use __pfn_to_section() to get mem_section (git-fixes).
- ata: ahci: Disable SXS for Hisilicon Kunpeng920 (git-fixes).
- blk-iocost: ioc_pd_free() shouldn't assume irq disabled (git-fixes).
- blk-mq: Swap two calls in blk_mq_exit_queue() (git-fixes).
- block/genhd: use atomic_t for disk_event->block (bsc#1185497).
- block: Fix three kernel-doc warnings (git-fixes).
- block: fix get_max_io_size() (git-fixes).
- bnxt_en: Fix RX consumer index logic in the error path (git-fixes).
- bnxt_en: fix ternary sign extension bug in bnxt_show_temp() (git-fixes).
- bpf: Fix leakage of uninitialized bpf stack under speculation (bsc#1155518).
- bpf: Fix masking negation logic upon negative dst register (bsc#1155518).
- btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441).
- btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439).
- cdc-wdm: untangle a circular dependency between callback and softint (git-fixes).
- cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom (git-fixes).
- cdrom: gdrom: initialize global variable at init time (git-fixes).
- ceph: do not clobber i_snap_caps on non-I_NEW inode (bsc#1186501).
- ceph: fix inode leak on getattr error in __fh_to_dentry (bsc#1186501).
- ceph: fix up error handling with snapdirs (bsc#1186501).
- ceph: only check pool permissions for regular files (bsc#1186501).
- cfg80211: scan: drop entry from hidden_list on overflow (git-fixes).
- clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return (git-fixes).
- cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758).
- crypto: api - check for ERR pointers in crypto_destroy_tfm() (git-fixes).
- crypto: mips/poly1305 - enable for all MIPS processors (git-fixes).
- crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (git-fixes).
- crypto: qat - Fix a double free in adf_create_ring (git-fixes).
- crypto: qat - do not release uninitialized resources (git-fixes).
- crypto: qat - fix error path in adf_isr_resource_alloc() (git-fixes).
- crypto: qat - fix unmap invalid dma address (git-fixes).
- crypto: stm32/cryp - Fix PM reference leak on stm32-cryp.c (git-fixes).
- crypto: stm32/hash - Fix PM reference leak on stm32-hash.c (git-fixes).
- cxgb4: Fix unintentional sign extension issues (git-fixes).
- dm: avoid filesystem lookup in dm_get_dev_t() (git-fixes).
- dmaengine: dw-edma: Fix crash on loading/unloading driver (git-fixes).
- docs: kernel-parameters: Add gpio_mockup_named_lines (git-fixes).
- docs: kernel-parameters: Move gpio-mockup for alphabetic order (git-fixes).
- drivers: hv: Fix whitespace errors (bsc#1185725).
- drm/amd/display: Fix UBSAN warning for not a valid value for type '_Bool' (git-fixes).
- drm/amd/display: Fix two cursor duplication when using overlay (git-fixes).
- drm/amd/display: Force vsync flip when reconfiguring MPCC (git-fixes).
- drm/amd/display: Reject non-zero src_y and src_x for video planes (git-fixes).
- drm/amd/display: fix dml prefetch validation (git-fixes).
- drm/amd/display: fixed divide by zero kernel crash during dsc enablement (git-fixes).
- drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f (git-fixes).
- drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang (git-fixes).
- drm/amdgpu: fix NULL pointer dereference (git-fixes).
- drm/amdgpu: mask the xgmi number of hops reported from psp to kfd (git-fixes).
- drm/amdkfd: Fix cat debugfs hang_hws file causes system crash bug (git-fixes).
- drm/i915: Avoid div-by-zero on gen2 (git-fixes).
- drm/meson: fix shutdown crash when component not probed (git-fixes).
- drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal (git-fixes).
- drm/msm/mdp5: Do not multiply vclk line count by 100 (git-fixes).
- drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected (git-fixes).
- drm/radeon: Avoid power table parsing memory leaks (git-fixes).
- drm/radeon: Fix off-by-one power_state index heap overwrite (git-fixes).
- drm/vkms: fix misuse of WARN_ON (git-fixes).
- drm: Added orientation quirk for OneGX1 Pro (git-fixes).
- ethernet:enic: Fix a use after free bug in enic_hard_start_xmit (git-fixes).
- extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged (git-fixes).
- extcon: arizona: Fix various races on driver unbind (git-fixes).
- fbdev: zero-fill colormap in fbcmap.c (git-fixes).
- firmware: arm_scpi: Prevent the ternary sign expansion bug (git-fixes).
- fs/epoll: restore waking from ep_done_scan() (bsc#1183868).
- ftrace: Handle commands when closing set_ftrace_filter file (git-fixes).
- futex: Change utime parameter to be 'const ... *' (git-fixes).
- futex: Do not apply time namespace adjustment on FUTEX_LOCK_PI (bsc#1164648).
- futex: Get rid of the val2 conditional dance (git-fixes).
- futex: Make syscall entry points less convoluted (git-fixes).
- genirq/irqdomain: Do not try to free an interrupt that has no (git-fixes)
- genirq: Disable interrupts for force threaded handlers (git-fixes)
- genirq: Reduce irqdebug cacheline bouncing (bsc#1185703 ltc#192641).
- gpio: xilinx: Correct kernel doc for xgpio_probe() (git-fixes).
- gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 (git-fixes).
- hrtimer: Update softirq_expires_next correctly after (git-fixes)
- hwmon: (occ) Fix poll rate limiting (git-fixes).
- i2c: Add I2C_AQ_NO_REP_START adapter quirk (git-fixes).
- i2c: bail out early when RDWR parameters are wrong (git-fixes).
- i2c: i801: Do not generate an interrupt on bus reset (git-fixes).
- i2c: s3c2410: fix possible NULL pointer deref on read message after write (git-fixes).
- i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E (git-fixes).
- i40e: Fix PHY type identifiers for 2.5G and 5G adapters (git-fixes).
- i40e: Fix use-after-free in i40e_client_subtask() (git-fixes).
- i40e: fix broken XDP support (git-fixes).
- i40e: fix the restart auto-negotiation after FEC modified (git-fixes).
- ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043).
- ibmvfc: Handle move login failure (bsc#1185938 ltc#192043).
- ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).
- ibmvnic: remove default label from to_string switch (bsc#1152457 ltc#174432 git-fixes).
- ics932s401: fix broken handling of errors when word reading fails (git-fixes).
- iio: adc: ad7124: Fix missbalanced regulator enable / disable on error (git-fixes).
- iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers (git-fixes).
- iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp() (git-fixes).
- iio: adc: ad7793: Add missing error code in ad7793_setup() (git-fixes).
- iio: gyro: fxas21002c: balance runtime power in error path (git-fixes).
- iio: gyro: mpu3050: Fix reported temperature value (git-fixes).
- iio: proximity: pulsedlight: Fix rumtime PM imbalance on error (git-fixes).
- iio: tsl2583: Fix division by a zero lux_val (git-fixes).
- intel_th: Consistency and off-by-one fix (git-fixes).
- iommu/amd: Add support for map/unmap_resource (jsc#ECO-3482).
- ipc/mqueue, msg, sem: Avoid relying on a stack reference past its expiry (bsc#1185988).
- ipmi/watchdog: Stop watchdog timer when the current action is 'none' (bsc#1184855).
- kernel-docs.spec.in: Build using an utf-8 locale. Sphinx cannot handle UTF-8 input in non-UTF-8 locale.
- leds: lp5523: check return value of lp5xx_read and jump to cleanup code (git-fixes).
- lpfc: Decouple port_template and vport_template (bsc#185032).
- mac80211: clear the beacon's CRC after channel switch (git-fixes).
- md-cluster: fix use-after-free issue when removing rdev (bsc#1184082).
- md/raid1: properly indicate failure when ending a failed write request (bsc#1185680).
- md: do not flush workqueue unconditionally in md_open (bsc#1184081).
- md: factor out a mddev_find_locked helper from mddev_find (bsc#1184081).
- md: md_open returns -EBUSY when entering racing area (bsc#1184081).
- md: split mddev_find (bsc#1184081).
- media: adv7604: fix possible use-after-free in adv76xx_remove() (git-fixes).
- media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB (git-fixes).
- media: dvb-usb: fix memory leak in dvb_usb_adapter_init (git-fixes).
- media: em28xx: fix memory leak (git-fixes).
- media: gspca/sq905.c: fix uninitialized variable (git-fixes).
- media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() (git-fixes).
- media: i2c: adv7842: fix possible use-after-free in adv7842_remove() (git-fixes).
- media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove() (git-fixes).
- media: imx: capture: Return -EPIPE from __capture_legacy_try_fmt() (git-fixes).
- media: ite-cir: check for receive overflow (git-fixes).
- media: media/saa7164: fix saa7164_encoder_register() memory leak bugs (git-fixes).
- media: platform: sti: Fix runtime PM imbalance in regs_show (git-fixes).
- media: tc358743: fix possible use-after-free in tc358743_remove() (git-fixes).
- mfd: arizona: Fix rumtime PM imbalance on error (git-fixes).
- misc/uss720: fix memory leak in uss720_probe (git-fixes).
- mlxsw: spectrum_mr: Update egress RIF list before route's action (git-fixes).
- mm: memcontrol: fix cpuhotplug statistics flushing (bsc#1185606).
- mmc: block: Update ext_csd.cache_ctrl if it was written (git-fixes).
- mmc: core: Do a power cycle when the CMD11 fails (git-fixes).
- mmc: core: Set read only for SD cards with permanent write protect bit (git-fixes).
- mmc: sdhci-pci-gli: increase 1.8V regulator wait (git-fixes).
- mmc: sdhci-pci: Add PCI IDs for Intel LKF (git-fixes).
- mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers (git-fixes).
- mmc: sdhci: Check for reset prior to DMA address unmap (git-fixes).
- net, xdp: Update pkt_type if generic XDP changes unicast MAC (git-fixes).
- net: enetc: fix link error again (git-fixes).
- net: hns3: Fix for geneve tx checksum bug (git-fixes).
- net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() (git-fixes).
- net: hns3: clear unnecessary reset request in hclge_reset_rebuild (git-fixes).
- net: hns3: disable phy loopback setting in hclge_mac_start_phy (git-fixes).
- net: hns3: fix for vxlan gpe tx checksum bug (git-fixes).
- net: hns3: fix incorrect configuration for igu_egu_hw_err (git-fixes).
- net: hns3: initialize the message content in hclge_get_link_mode() (git-fixes).
- net: hns3: use netif_tx_disable to stop the transmit queue (git-fixes).
- net: thunderx: Fix unintentional sign extension issue (git-fixes).
- net: usb: fix memory leak in smsc75xx_bind (git-fixes).
- netdevice: Add missing IFF_PHONY_HEADROOM self-definition (git-fixes).
- netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950).
- netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950).
- netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950).
- nvme-core: add cancel tagset helpers (bsc#1183976).
- nvme-fabrics: decode host pathing error for connect (bsc#1179827).
- nvme-fc: check sgl supported by target (bsc#1179827).
- nvme-fc: clear q_live at beginning of association teardown (bsc#1186479).
- nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted (bsc#1184259).
- nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange() (bsc#1184259).
- nvme-fc: short-circuit reconnect retries (bsc#1179827).
- nvme-multipath: fix double initialization of ANA state (bsc#1178612, bsc#1184259).
- nvme-multipath: reset bdev to ns head when failover (bsc#178378 bsc#1182999).
- nvme-pci: Remove tag from process cq (git-fixes).
- nvme-pci: Remove two-pass completions (git-fixes).
- nvme-pci: Simplify nvme_poll_irqdisable (git-fixes).
- nvme-pci: align io queue count with allocted nvme_queue in (git-fixes).
- nvme-pci: avoid race between nvme_reap_pending_cqes() and nvme_poll() (git-fixes).
- nvme-pci: dma read memory barrier for completions (git-fixes).
- nvme-pci: fix 'slimmer CQ head update' (git-fixes).
- nvme-pci: make sure write/poll_queues less or equal then cpu (git-fixes).
- nvme-pci: remove last_sq_tail (git-fixes).
- nvme-pci: remove volatile cqes (git-fixes).
- nvme-pci: slimmer CQ head update (git-fixes).
- nvme-pci: use simple suspend when a HMB is enabled (git-fixes).
- nvme-tcp: Fix possible race of io_work and direct send (git-fixes).
- nvme-tcp: Fix warning with CONFIG_DEBUG_PREEMPT (git-fixes).
- nvme-tcp: add clean action for failed reconnection (bsc#1183976).
- nvme-tcp: fix kconfig dependency warning when !CRYPTO (git-fixes).
- nvme-tcp: fix misuse of __smp_processor_id with preemption (git-fixes).
- nvme-tcp: fix possible hang waiting for icresp response (bsc#1179519).
- nvme-tcp: use cancel tagset helper for tear down (bsc#1183976).
- nvme: Fix NULL dereference for pci nvme controllers (bsc#1182378).
- nvme: add 'kato' sysfs attribute (bsc#1179825).
- nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() (bsc#1184259).
- nvme: define constants for identification values (git-fixes).
- nvme: do not intialize hwmon for discovery controllers (bsc#1184259).
- nvme: do not intialize hwmon for discovery controllers (git-fixes).
- nvme: document nvme controller states (git-fixes).
- nvme: explicitly update mpath disk capacity on revalidation (git-fixes).
- nvme: expose reconnect_delay and ctrl_loss_tmo via sysfs (bsc#1182378).
- nvme: fix controller instance leak (git-fixes).
- nvme: fix deadlock in disconnect during scan_work and/or ana_work (git-fixes).
- nvme: fix possible deadlock when I/O is blocked (git-fixes).
- nvme: remove superfluous else in nvme_ctrl_loss_tmo_store (bsc#1182378).
- nvme: retrigger ANA log update if group descriptor isn't found (git-fixes)
- nvme: sanitize KATO setting (bsc#1179825).
- nvme: simplify error logic in nvme_validate_ns() (bsc#1184259).
- nvmet: fix a memory leak (git-fixes).
- nvmet: seset ns->file when open fails (bsc#1183873).
- nvmet: use new ana_log_size instead the old one (bsc#1184259).
- nxp-i2c: restore includes for kABI (bsc#1185589).
- nxp-nci: add NXP1002 id (bsc#1185589).
- phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() (git-fixes).
- pinctrl: ingenic: Improve unreachable code generation (git-fixes).
- pinctrl: samsung: use 'int' for register masks in Exynos (git-fixes).
- platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue (git-fixes).
- platform/x86: intel_pmc_core: Do not use global pmcdev in quirks (git-fixes).
- platform/x86: thinkpad_acpi: Correct thermal sensor allocation (git-fixes).
- posix-timers: Preserve return value in clock_adjtime32() (git-fixes)
- power: supply: Use IRQF_ONESHOT (git-fixes).
- power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() (git-fixes).
- power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() (git-fixes).
- powerpc/64s: Fix crashes when toggling entry flush barrier (bsc#1177666 git-fixes).
- powerpc/64s: Fix crashes when toggling stf barrier (bsc#1087082 git-fixes).
- qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth (git-fixes).
- rtc: pcf2127: handle timestamp interrupts (bsc#1185495).
- s390/dasd: fix hanging DASD driver unbind (bsc#1183932 LTC#192153).
- s390/entry: save the caller of psw_idle (bsc#1185677).
- s390/kdump: fix out-of-memory with PCI (bsc#1182257 LTC#191375).
- sched/eas: Do not update misfit status if the task is pinned (git-fixes)
- sched/fair: Avoid stale CPU util_est value for schedutil in (git-fixes)
- sched/fair: Fix unfairness caused by missing load decay (git-fixes)
- scripts/git_sort/git_sort.py: add bpf git repo
- scsi: core: Run queue in case of I/O resource contention failure (bsc#1186416).
- scsi: fnic: Kill 'exclude_id' argument to fnic_cleanup_io() (bsc#1179851).
- scsi: libfc: Avoid invoking response handler twice if ep is already completed (bsc#1186573).
- scsi: lpfc: Add a option to enable interlocked ABTS before job completion (bsc#1186451).
- scsi: lpfc: Add ndlp kref accounting for resume RPI path (bsc#1186451).
- scsi: lpfc: Fix 'Unexpected timeout' error in direct attach topology (bsc#1186451).
- scsi: lpfc: Fix Node recovery when driver is handling simultaneous PLOGIs (bsc#1186451).
- scsi: lpfc: Fix bad memory access during VPD DUMP mailbox command (bsc#1186451).
- scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs (bsc#1186451).
- scsi: lpfc: Fix node handling for Fabric Controller and Domain Controller (bsc#1186451).
- scsi: lpfc: Fix non-optimized ERSP handling (bsc#1186451).
- scsi: lpfc: Fix unreleased RPIs when NPIV ports are created (bsc#1186451).
- scsi: lpfc: Ignore GID-FT response that may be received after a link flip (bsc#1186451).
- scsi: lpfc: Reregister FPIN types if ELS_RDF is received from fabric controller (bsc#1186451).
- scsi: lpfc: Update lpfc version to 12.8.0.10 (bsc#1186451).
- sctp: delay auto_asconf init until binding the first addr (<cover.1620748346.git.mkubecek at suse.cz>).
- serial: core: fix suspicious security_locked_down() call (git-fixes).
- serial: core: return early on unsupported ioctls (git-fixes).
- serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (git-fixes).
- serial: stm32: fix incorrect characters on console (git-fixes).
- serial: stm32: fix tx_empty condition (git-fixes).
- serial: tegra: Fix a mask operation that is always true (git-fixes).
- smc: disallow TCP_ULP in smc_setsockopt() (git-fixes).
- spi: ath79: always call chipselect function (git-fixes).
- spi: ath79: remove spi-master setup and cleanup assignment (git-fixes).
- spi: dln2: Fix reference leak to master (git-fixes).
- spi: omap-100k: Fix reference leak to master (git-fixes).
- spi: qup: fix PM reference leak in spi_qup_remove() (git-fixes).
- spi: spi-fsl-dspi: Fix a resource leak in an error handling path (git-fixes).
- staging: emxx_udc: fix loop in _nbu2ss_nuke() (git-fixes).
- staging: iio: cdc: ad7746: avoid overwrite of num_channels (git-fixes).
- tcp: fix to update snd_wl1 in bulk receiver fast path (<cover.1620748346.git.mkubecek at suse.cz>).
- thermal/drivers/ti-soc-thermal/bandgap Remove unused variable 'val' (git-fixes).
- thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (git-fixes).
- tracing: Map all PIDs to command lines (git-fixes).
- tty: amiserial: fix TIOCSSERIAL permission check (git-fixes).
- tty: fix memory leak in vc_deallocate (git-fixes).
- tty: moxa: fix TIOCSSERIAL jiffies conversions (git-fixes).
- tty: moxa: fix TIOCSSERIAL permission check (git-fixes).
- uio: uio_hv_generic: use devm_kzalloc() for private data alloc (git-fixes).
- uio_hv_generic: Fix a memory leak in error handling paths (git-fixes).
- uio_hv_generic: Fix another memory leak in error handling paths (git-fixes).
- uio_hv_generic: add missed sysfs_remove_bin_file (git-fixes).
- usb: core: hub: Fix PM reference leak in usb_port_resume() (git-fixes).
- usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes).
- usb: dwc2: Fix gadget DMA unmap direction (git-fixes).
- usb: dwc3: gadget: Enable suspend events (git-fixes).
- usb: dwc3: gadget: Return success always for kick transfer in ep queue (git-fixes).
- usb: dwc3: omap: improve extcon initialization (git-fixes).
- usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield (git-fixes).
- usb: fotg210-hcd: Fix an error message (git-fixes).
- usb: gadget/function/f_fs string table fix for multiple languages (git-fixes).
- usb: gadget: dummy_hcd: fix gpf in gadget_setup (git-fixes).
- usb: gadget: f_uac1: validate input parameters (git-fixes).
- usb: gadget: f_uac2: validate input parameters (git-fixes).
- usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() (git-fixes).
- usb: gadget: uvc: add bInterval checking for HS mode (git-fixes).
- usb: musb: fix PM reference leak in musb_irq_work() (git-fixes).
- usb: sl811-hcd: improve misleading indentation (git-fixes).
- usb: webcam: Invalid size of Processing Unit Descriptor (git-fixes).
- usb: xhci: Fix port minor revision (git-fixes).
- usb: xhci: Increase timeout for HC halt (git-fixes).
- vgacon: Record video mode changes with VT_RESIZEX (git-fixes).
- video: hyperv_fb: Add ratelimit on error message (bsc#1185725).
- vrf: fix a comment about loopback device (git-fixes).
- watchdog/softlockup: Remove obsolete check of last reported task (bsc#1185982).
- watchdog/softlockup: report the overall time of softlockups (bsc#1185982).
- watchdog: explicitly update timestamp when reporting softlockup (bsc#1185982).
- watchdog: rename __touch_watchdog() to a better descriptive name (bsc#1185982).
- whitespace cleanup
- wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join (git-fixes).
- wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt (git-fixes).
- workqueue: Minor follow-ups to the rescuer destruction change (bsc#1185911).
- workqueue: more destroy_workqueue() fixes (bsc#1185911).
- x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is supported (bsc#1152489).
- xhci: Do not use GFP_KERNEL in (potentially) atomic context (git-fixes).
- xhci: check control context is valid before dereferencing it (git-fixes).
- xhci: fix potential array out of bounds with several interrupters (git-fixes).
- xsk: Respect device's headroom and tailroom on generic xmit path (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1910-1
Released: Wed Jun 9 09:37:41 2021
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1186673

This update for openssh fixes the following issues:

- Further attempts to mitigate instances of secrets lingering in memory after a session exits to meet key zeroization requirements.
  (bsc#1186673)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1917-1
Released: Wed Jun 9 14:48:05 2021
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1186015,CVE-2021-3541

This update for libxml2 fixes the following issues:

- CVE-2021-3541: Fixed an exponential entity expansion attack that bypasses all existing protection mechanisms. (bsc#1186015)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1923-1
Released: Thu Jun 10 08:37:00 2021
Summary: Recommended update for nfs-utils
Type: recommended
Severity: important
References: 1183194

This update for nfs-utils fixes the following issues:

- Ensured thread safety when opening files over NFS to prevent a use-after-free issue (bsc#1183194)

From sle-security-updates at lists.suse.com Fri Jun 11 13:35:08 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 11 Jun 2021 15:35:08 +0200 (CEST)
Subject: SUSE-IU-2021:536-1: Security update of sles-15-sp2-chost-byos-v20210610
Message-ID: <20210611133508.DB2A5B46F0D@westernhagen.suse.de>

SUSE Image Update Advisory: sles-15-sp2-chost-byos-v20210610
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2021:536-1
Image Tags : sles-15-sp2-chost-byos-v20210610:20210610
Image Release :
Severity : important
Type : security
References : 1021918 1029961 1043990 1055117 1065729 1080040 1087082 1089870 1106014 1115550 1133021 1152457 1152457 1152489 1152489 1153687 1155518 1156395 1156395 1162964 1164648 1167260 1168838 1168894 1169122 1169348 1170092 1170094 1170858 1174162 1174416 1174426 1176370 1177315 1177666 1178089 1178378 1178418 1178491 1178577 1178612 1178624 1178675 1179243 1179519 1179825 1179827 1179851 1179851 1180478 1180846 1180851 1180851 1181161 1181351 1181443 1181540 1181610 1181651 1181679 1181874 1181874 1181911 1182016 1182057 1182257 1182372 1182378 1182613 1182904
1182936 1182936 1182950 1182999 1183063 1183194 1183194 1183203 1183268 1183289 1183346 1183374 1183589 1183628 1183628 1183732 1183797 1183826 1183868 1183873 1183932 1183947 1183976 1184081 1184082 1184208 1184209 1184259 1184326 1184358 1184399 1184400 1184435 1184436 1184507 1184514 1184611 1184614 1184650 1184687 1184724 1184728 1184730 1184731 1184736 1184737 1184738 1184740 1184741 1184742 1184760 1184811 1184829 1184855 1184893 1184912 1184934 1184942 1184957 1184969 1184984 1184997 1184997 1184997 1185041 1185113 1185163 1185170 1185190 1185233 1185239 1185239 1185244 1185269 1185277 1185325 1185365 1185408 1185409 1185410 1185417 1185428 1185438 1185454 1185464 1185464 1185464 1185472 1185491 1185495 1185497 1185549 1185562 1185580 1185586 1185587 1185589 1185606 1185642 1185645 1185677 1185680 1185698 1185703 1185725 1185758 1185848 1185849 1185859 1185860 1185861 1185862 1185863 1185898 1185899 1185910 1185911 1185938 1185950 1185961 1185961 1185982 1185987 1185988 1186015 1186060 1186061 1186062 1186111 1186114 1186285 1186320 1186390 1186416 1186439 1186441 1186451 1186460 1186479 1186484 1186498 1186501 1186573 1186673 1186681 CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2021-22898 CVE-2021-23134 CVE-2021-29155 CVE-2021-29650 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVE-2021-3426 CVE-2021-3491 CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 CVE-2021-3541 ----------------------------------------------------------------- The container sles-15-sp2-chost-byos-v20210610 was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1543-1
Released: Fri May 7 15:16:32 2021
Summary: Recommended update for patterns-microos
Type: recommended
Severity: moderate
References: 1184435

This update for patterns-microos provides the following fix:

- Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1544-1
Released: Fri May 7 16:34:41 2021
Summary: Recommended update for libzypp
Type: recommended
Severity: moderate
References: 1180851,1181874,1182936,1183628,1184997,1185239

This update for libzypp fixes the following issues:

Upgrade from version 17.25.8 to version 17.25.10

- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1549-1
Released: Mon May 10 13:48:00 2021
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1185417

This update for procps fixes the following issues:

- Support up to 2048 CPU as well.
  (bsc#1185417)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1557-1
Released: Tue May 11 09:50:00 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1183374,CVE-2021-3426

This update for python3 fixes the following issues:

- CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1564-1
Released: Tue May 11 13:29:55 2021
Summary: Security update for shim
Type: security
Severity: important
References: 1177315,1182057,1185464

This update for shim fixes the following issues:

- Update to the unified shim binary for SBAT support (bsc#1182057)
  + Merged EKU codesign check (bsc#1177315)
- shim-install: Always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1565-1
Released: Tue May 11 14:20:04 2021
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1185163

This update for krb5 fixes the following issues:

- Use '/run' instead of '/var/run' for daemon PID files.
  (bsc#1185163)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1566-1
Released: Wed May 12 09:39:16 2021
Summary: Recommended update for chrony
Type: recommended
Severity: moderate
References: 1162964,1184400

This update for chrony fixes the following issues:

- Fix build with glibc-2.31 (bsc#1162964)
- Use /run instead of /var/run for PIDFile in chronyd.service (bsc#1184400)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1574-1
Released: Wed May 12 12:04:51 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1043990,1055117,1065729,1152457,1152489,1156395,1167260,1168838,1174416,1174426,1178089,1179243,1179851,1180846,1181161,1182613,1183063,1183203,1183289,1184208,1184209,1184436,1184514,1184650,1184724,1184728,1184730,1184731,1184736,1184737,1184738,1184740,1184741,1184742,1184760,1184811,1184893,1184934,1184942,1184957,1184969,1184984,1185041,1185113,1185233,1185244,1185269,1185365,1185454,1185472,1185491,1185549,1185586,1185587,CVE-2021-29155,CVE-2021-29650

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-29650: Fixed an issue with the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
- CVE-2021-29155: Fixed an issue that was discovered in kernel/bpf/verifier.c that performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation was not correctly accounted for when restricting subsequent operations (bnc#1184942).

The following non-security bugs were fixed: - ACPI: CPPC: Replace cppc_attr with kobj_attribute (git-fixes). - ALSA: core: remove redundant spin_lock pair in snd_card_disconnect (git-fixes). - ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer (git-fixes). - ALSA: hda/cirrus: Add error handling into CS8409 I2C functions (git-fixes). - ALSA: hda/cirrus: Add Headphone and Headset MIC Volume Control (git-fixes). - ALSA: hda/cirrus: Add jack detect interrupt support from CS42L42 companion codec (git-fixes). - ALSA: hda/cirrus: Add support for CS8409 HDA bridge and CS42L42 companion codec (git-fixes). - ALSA: hda/cirrus: Cleanup patch_cirrus.c code (git-fixes). - ALSA: hda/cirrus: Fix CS42L42 Headset Mic volume control name (git-fixes). - ALSA: hda/cirrus: Make CS8409 driver more generic by using fixups (git-fixes). - ALSA: hda/cirrus: Set Initial DMIC volume for Bullseye to -26 dB (git-fixes). - ALSA: hda/cirrus: Use CS8409 filter to fix abnormal sounds on Bullseye (git-fixes). - ALSA: hda/realtek: Add quirk for Intel Clevo PCx0Dx (git-fixes). - ALSA: hda/realtek: fix mic boost on Intel NUC 8 (git-fixes). - ALSA: hda/realtek: fix static noise on ALC285 Lenovo laptops (git-fixes). - ALSA: hda/realtek: GA503 use same quirks as GA401 (git-fixes). - ALSA: hda/realtek - Headset Mic issue on HP platform (git-fixes). - ALSA: hda/realtek: Remove redundant entry for ALC861 Haier/Uniwill devices (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Acer quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 ASUS quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Dell quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 HP quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Sony quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC662 quirk table entries (git-fixes). 
- ALSA: hda/realtek: Re-order ALC882 Acer quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC882 Clevo quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order remaining ALC269 quirk table entries (git-fixes). - ALSA: sb: Fix two use after free in snd_sb_qsound_build (git-fixes). - ALSA: usb-audio: Add DJM450 to Pioneer format quirk (git-fixes). - ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls (git-fixes). - ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX (git-fixes). - ALSA: usb-audio: Configure Pioneer DJM-850 samplerate (git-fixes). - ALSA: usb-audio: DJM-750: ensure format is set (git-fixes). - ALSA: usb-audio: Explicitly set up the clock selector (git-fixes). - ALSA: usb-audio: Fix implicit sync clearance at stopping stream (git-fixes). - ALSA: usb-audio: Fix Pioneer DJM devices URB_CONTROL request direction to set samplerate (git-fixes). - ALSA: usb: midi: do not return -ENOMEM when usb_urb_ep_type_check fails (git-fixes). - arm: dts: add imx7d pcf2127 fix to blacklist - ASoC: ak5558: correct reset polarity (git-fixes). - ASoC: ak5558: Fix s/show/slow/ typo (git-fixes). - ASoC: Intel: kbl_da7219_max98927: Fix kabylake_ssp_fixup function (git-fixes). - ASoC: samsung: tm2_wm5110: check of of_parse return value (git-fixes). - ASoC: simple-card: fix possible uninitialized single_cpu local variable (git-fixes). - ASoC: SOF: Intel: HDA: fix core status verification (git-fixes). - ASoC: SOF: Intel: hda: remove unnecessary parentheses (git-fixes). - ata: libahci_platform: fix IRQ check (git-fixes). - ath10k: Fix ath10k_wmi_tlv_op_pull_peer_stats_info() unlock without lock (git-fixes). - ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices (git-fixes). - backlight: journada720: Fix Wmisleading-indentation warning (git-fixes). - blkcg: fix memleak for iolatency (git-fixes). 
- block, bfq: set next_rq to waker_bfqq->next_rq in waker injection (bsc#1168838). - block: recalculate segment count for multi-segment discards correctly (bsc#1184724). - block: rsxx: select CONFIG_CRC32 (git-fixes). - bluetooth: eliminate the potential race condition when removing the HCI controller (git-fixes). - bnxt_en: reverse order of TX disable and carrier off (git-fixes). - bsg: free the request before return error code (git-fixes). - btrfs: fix qgroup data rsv leak caused by falloc failure (bsc#1185549). - btrfs: fix race between swap file activation and snapshot creation (bsc#1185587). - btrfs: fix race between writes to swap files and scrub (bsc#1185586). - btrfs: track qgroup released data in own variable in insert_prealloc_file_extent (bsc#1185549). - bus: qcom: Put child node before return (git-fixes). - cfg80211: remove WARN_ON() in cfg80211_sme_connect (git-fixes). - clk: exynos7: Mark aclk_fsys1_200 as critical (git-fixes). - clk: mvebu: armada-37xx-periph: Fix switching CPU freq from 250 Mhz to 1 GHz (git-fixes). - clk: mvebu: armada-37xx-periph: Fix workaround for switching from L1 to L0 (git-fixes). - clk: mvebu: armada-37xx-periph: remove .set_parent method for CPU PM clock (git-fixes). - clk: qcom: a53-pll: Add missing MODULE_DEVICE_TABLE (git-fixes). - clk: uniphier: Fix potential infinite loop (git-fixes). - clk: zynqmp: move zynqmp_pll_set_mode out of round_rate callback (git-fixes). - coresight: etm4x: Fix issues on trcseqevr access (git-fixes). - coresight: etm4x: Fix save and restore of TRCVMIDCCTLR1 register (git-fixes). - coresight: tmc-etr: Fix barrier packet insertion for perf buffer (git-fixes). - cpufreq: armada-37xx: Fix determining base CPU frequency (git-fixes). - cpufreq: armada-37xx: Fix driver cleanup when registration failed (git-fixes). - cpufreq: armada-37xx: Fix setting TBG parent for load levels (git-fixes). - cpufreq: armada-37xx: Fix the AVS value for load L1 (git-fixes). 
- cpufreq: Kconfig: fix documentation links (git-fixes). - crypto: arm/curve25519 - Move '.fpu' after '.arch' (git-fixes). - crypto: rng - fix crypto_rng_reset() refcounting when !CRYPTO_STATS (git-fixes). - cxgb4: avoid collecting SGE_QBASE regs during traffic (git-fixes). - cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (git-fixes). - dmaengine: dw: Make it dependent to HAS_IOMEM (git-fixes). - dm: eliminate potential source of excessive kernel log noise (git-fixes). - dm era: Fix bitset memory leaks (git-fixes). - dm era: only resize metadata in preresume (git-fixes). - dm era: Recover committed writeset after crash (git-fixes). - dm era: Reinitialize bitset cache before digesting a new writeset (git-fixes). - dm era: Use correct value size in equality function of writeset tree (git-fixes). - dm era: Verify the data block size hasn't changed (git-fixes). - dm: fix bug with RCU locking in dm_blk_report_zones (git-fixes). - dm integrity: fix error reporting in bitmap mode after creation (git-fixes). - dm ioctl: fix error return code in target_message (git-fixes). - dm mpath: fix racey management of PG initialization (git-fixes). - dm raid: fix discard limits for raid1 (git-fixes). - dm: remove invalid sparse __acquires and __releases annotations (git-fixes). - dm writecache: fix the maximum number of arguments (git-fixes). - dm writecache: handle DAX to partitions on persistent memory correctly (git-fixes). - dm writecache: remove BUG() and fail gracefully instead (git-fixes). - dm zoned: select CONFIG_CRC32 (git-fixes). - dpaa_eth: copy timestamp fields to new skb in A-050385 workaround (git-fixes). - dpaa_eth: fix the RX headroom size alignment (git-fixes). - dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom (git-fixes). - dpaa_eth: Use random MAC address when none is given (bsc#1184811). - drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' (git-fixes). 
- drm/amdkfd: fix build error with AMD_IOMMU_V2=m (git-fixes). - drm/ast: Add 25MHz refclk support (bsc#1174416). - drm/ast: Add support for 1152x864 mode (bsc#1174416). - drm/ast: Add support for AIP200 (bsc#1174416). - drm/ast: AST2500 fixups (bsc#1174416). - drm/ast: Correct mode table for AST2500 precatch (bsc#1174416). - drm/ast: Disable screen on register init (bsc#1174416). - drm/ast: Disable VGA decoding while driver is active (bsc#1174416). - drm/ast: drm/ast: Fix boot address for AST2500 (bsc#1174416). - drm/ast: Fix P2A config detection (bsc#1174416). - drm/ast: Fix register access in non-P2A mode for DP501 (bsc#1174416). - drm/ast: Keep MISC fields when enabling VGA (bsc#1174416). - drm/i915/gvt: Fix error code in intel_gvt_init_device() (git-fixes). - drm/imx: imx-ldb: fix out of bounds array access warning (git-fixes). - drm/msm: Fix a5xx/a6xx timestamps (git-fixes). - drm/omap: fix misleading indentation in pixinc() (git-fixes). - drm/radeon: fix copy of uninitialized variable back to userspace (git-fixes). - drm/tegra: dc: Do not set PLL clock to 0Hz (git-fixes). - e1000e: add rtnl_lock() to e1000_reset_task (git-fixes). - e1000e: Fix duplicate include guard (git-fixes). - e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 (git-fixes). - enetc: Let the hardware auto-advance the taprio base-time of 0 (git-fixes). - enetc: Workaround for MDIO register access issue (git-fixes). - ethernet/netronome/nfp: Fix a use after free in nfp_bpf_ctrl_msg_rx (git-fixes). - ext4: do not try to set xattr into ea_inode if value is empty (bsc#1184730). - ext4: find old entry again if failed to rename whiteout (bsc#1184742). - ext4: fix potential error in ext4_do_update_inode (bsc#1184731). - ext4: fix potential htree index checksum corruption (bsc#1184728). - firmware: qcom-scm: Fix QCOM_SCM configuration (git-fixes). - fnic: use scsi_host_busy_iter() to traverse commands (bsc#1179851). - fotg210-udc: Complete OUT requests on short packets (git-fixes). 
- fotg210-udc: Do not DMA more than the buffer can take (git-fixes). - fotg210-udc: Fix DMA on EP0 for length > max packet size (git-fixes). - fotg210-udc: Fix EP0 IN requests bigger than two packets (git-fixes). - fotg210-udc: Mask GRP2 interrupts we do not handle (git-fixes). - fotg210-udc: Remove a dubious condition leading to fotg210_done (git-fixes). - fs: direct-io: fix missing sdio->boundary (bsc#1184736). - fs/jfs: fix potential integer overflow on shift of a int (bsc#1184741). - fsl/fman: reuse set_mac_address() in dtsec init() (bsc#1184811). - fsl/fman: tolerate missing MAC address in device tree (bsc#1184811). - gpio: omap: Save and restore sysconfig (git-fixes). - gpio: sysfs: Obey valid_mask (git-fixes). - HID: alps: fix error return code in alps_input_configured() (git-fixes). - HID: google: add don USB id (git-fixes). - HID: plantronics: Workaround for double volume key presses (git-fixes). - HID: wacom: Assign boolean values to a bool variable (git-fixes). - HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices (git-fixes). - i2c: cadence: add IRQ check (git-fixes). - i2c: emev2: add IRQ check (git-fixes). - i2c: img-scb: fix reference leak when pm_runtime_get_sync fails (git-fixes). - i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails (git-fixes). - i2c: jz4780: add IRQ check (git-fixes). - i2c: omap: fix reference leak when pm_runtime_get_sync fails (git-fixes). - i2c: sh7760: add IRQ check (git-fixes). - i2c: sh7760: fix IRQ error path (git-fixes). - i2c: sprd: fix reference leak when pm_runtime_get_sync fails (git-fixes). - i40e: Added Asym_Pause to supported link modes (git-fixes). - i40e: Add zero-initialization of AQ command structures (git-fixes). - i40e: Fix addition of RX filters after enabling FW LLDP agent (git-fixes). - i40e: Fix add TC filter for IPv6 (git-fixes). - i40e: Fix display statistics for veb_tc (git-fixes). - i40e: Fix endianness conversions (git-fixes). 
- i40e: Fix flow for IPv6 next header (extension header) (git-fixes). - i40e: Fix kernel oops when i40e driver removes VF's (git-fixes). - i40e: Fix overwriting flow control settings during driver loading (git-fixes). - i40e: Fix sparse errors in i40e_txrx.c (git-fixes). - i40e: Fix sparse warning: missing error code 'err' (git-fixes). - i40e: fix the panic when running bpf in xdpdrv mode (git-fixes). - ibmvnic: avoid calling napi_disable() twice (bsc#1065729). - ibmvnic: clean up the remaining debugfs data structures (bsc#1065729). - ibmvnic: correctly use dev_consume/free_skb_irq (jsc#SLE-17268 jsc#SLE-17043 bsc#1179243 ltc#189290 git-fixes). - ibmvnic: improve failover sysfs entry (bsc#1043990 ltc#155681 git-fixes). - ibmvnic: print adapter state as a string (bsc#1152457 ltc#174432 git-fixes). - ibmvnic: print reset reason as a string (bsc#1152457 ltc#174432 git-fixes). - ibmvnic: queue reset work in system_long_wq (bsc#1152457 ltc#174432 git-fixes). - ibmvnic: remove duplicate napi_schedule call in do_reset function (bsc#1065729). - ibmvnic: remove duplicate napi_schedule call in open function (bsc#1065729). - ice: Account for port VLAN in VF max packet size calculation (git-fixes). - ice: Cleanup fltr list in case of allocation issues (git-fixes). - ice: Fix for dereference of NULL pointer (git-fixes). - ice: Increase control queue timeout (git-fixes). - ice: prevent ice_open and ice_stop during reset (git-fixes). - igb: check timestamp validity (git-fixes). - igb: Fix duplicate include guard (git-fixes). - igc: Fix Pause Frame Advertising (git-fixes). - igc: Fix Supported Pause Frame Link Setting (git-fixes). - igc: reinit_locked() should be called with rtnl_lock (git-fixes). - iio:accel:adis16201: Fix wrong axis assignment that prevents loading (git-fixes). - ima: Free IMA measurement buffer after kexec syscall (git-fixes). - Input: i8042 - fix Pegatron C15B ID entry (git-fixes). - Input: nspire-keypad - enable interrupts only when opened (git-fixes). 
- Input: s6sy761 - fix coordinate read bit shift (git-fixes). - interconnect: core: fix error return code of icc_link_destroy() (git-fixes). - iopoll: introduce read_poll_timeout macro (git-fixes). - ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() (git-fixes). - irqchip: Add support for Layerscape external interrupt lines (bsc#1185233). - irqchip/ls-extirq: add IRQCHIP_SKIP_SET_WAKE to the irqchip flags (bsc#1185233). - irqchip/ls-extirq: Add LS1043A, LS1088A external interrupt support (bsc#1185233). - isofs: release buffer head before return (bsc#1182613). - ixgbe: fail to create xfrm offload of IPsec tunnel mode SA (git-fixes). - jffs2: fix use after free in jffs2_sum_write_data() (bsc#1184740). - kABI: cover up change in struct kvm_arch (bsc#1184969). - kABI: Fix kABI caused by fixes for bsc#1174426 (bsc#1174426). - kABI: powerpc/pseries: Add shutdown() to vio_driver and vio_bus (bsc#1184209 ltc#190917). - kernel/smp: make csdlock timeout depend on boot parameter (bsc#1180846). - KVM: kvmclock: Fix vCPUs > 64 can't be online/hotpluged (bsc#1152489). - KVM: PPC: Book3S HV P9: Restore host CTRL SPR after guest exit (bsc#1156395). - KVM: PPC: Make the VMX instruction emulation routines static (bsc#1156395). - libnvdimm/label: Return -ENXIO for no slot in __blk_label_update (bsc#1185269). - libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels (bsc#1185269). - libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC (bsc#1184969 git-fixes). - libnvdimm/security: ensure sysfs poll thread woke up and fetch updated attr (git-fixes). - liquidio: Fix unintented sign extension of a left shift of a u16 (git-fixes). - locking/qrwlock: Fix ordering in queued_write_lock_slowpath() (bsc#1185041). - mac80211: bail out if cipher schemes are invalid (git-fixes). - mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN (git-fixes). - macvlan: macvlan_count_rx() needs to be aware of preemption (git-fixes). 
- media: dvbdev: Fix memory leak in dvb_media_device_free() (git-fixes). - media: m88rs6000t: avoid potential out-of-bounds reads on arrays (git-fixes). - media: mantis: remove orphan mantis_core.c (git-fixes). - media: omap4iss: return error code when omap4iss_get() failed (git-fixes). - media: platform: sunxi: sun6i-csi: fix error return code of sun6i_video_start_streaming() (git-fixes). - media: staging/intel-ipu3: Fix memory leak in imu_fmt (git-fixes). - media: staging/intel-ipu3: Fix race condition during set_fmt (git-fixes). - media: staging/intel-ipu3: Fix set_fmt error handling (git-fixes). - media: v4l2-ctrls.c: fix race condition in hdl->requests list (git-fixes). - memory: gpmc: fix out of bounds read and dereference on gpmc_cs[] (git-fixes). - memory: pl353: fix mask of ECC page_size config register (git-fixes). - mfd: lpc_sch: Partially revert 'Add support for Intel Quark X1000' (git-fixes). - mfd: stm32-timers: Avoid clearing auto reload register (git-fixes). - misc: lis3lv02d: Fix false-positive WARN on various HP models (git-fixes). - misc: vmw_vmci: explicitly initialize vmci_datagram payload (git-fixes). - misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct (git-fixes). - mmc: core: Correct descriptions in mmc_of_parse() (git-fixes). - mmc: cqhci: Add cqhci_deactivate() (git-fixes). - mmc: mmc_spi: Drop unused NO_IRQ definition (git-fixes). - mmc: sdhci-of-arasan: Add missed checks for devm_clk_register() (git-fixes). - mmc: sdhci-of-dwcmshc: fix rpmb access (git-fixes). - mmc: sdhci-of-dwcmshc: implement specific set_uhs_signaling (git-fixes). - mmc: sdhci-of-esdhc: make sure delay chain locked for HS400 (git-fixes). - mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes). - mmc: sdhci-pci: Fix SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers (git-fixes). - mmc: sdhci: Use Auto CMD Auto Select only when v4_mode is true (git-fixes). 
- mmc: uniphier-sd: Fix an error handling path in uniphier_sd_probe() (git-fixes). - mmc: uniphier-sd: Fix a resource leak in the remove function (git-fixes). - mm/rmap: fix potential pte_unmap on an not mapped pte (git-fixes). - Move upstreamed i915 fix into sorted section - mt7601u: fix always true expression (git-fixes). - mtd: Handle possible -EPROBE_DEFER from parse_mtd_partitions() (git-fixes). - mtd: rawnand: brcmnand: fix OOB R/W with Hamming ECC (git-fixes). - mtd: rawnand: fsmc: Fix error code in fsmc_nand_probe() (git-fixes). - mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init (git-fixes). - mtd: rawnand: qcom: Return actual error code instead of -ENODEV (git-fixes). - mtd: require write permissions for locking and badblock ioctls (git-fixes). - mtd: spinand: core: add missing MODULE_DEVICE_TABLE() (git-fixes). - mtd: spi-nor: Rename 'n25q512a' to 'mt25qu512a (n25q512a)' (bsc#1167260). - mtd: spi-nor: Split mt25qu512a (n25q512a) entry into two (bsc#1167260). - nbd: fix a block_device refcount leak in nbd_release (git-fixes). - net: atlantic: fix out of range usage of active_vlans array (git-fixes). - net: atlantic: fix potential error handling (git-fixes). - net: atlantic: fix use after free kasan warn (git-fixes). - net: dsa: felix: implement port flushing on .phylink_mac_link_down (git-fixes). - net: enetc: remove bogus write to SIRXIDR from enetc_setup_rxbdr (git-fixes). - net: enetc: take the MDIO lock only once per NAPI poll cycle (git-fixes). - net: geneve: check skb is large enough for IPv4/IPv6 header (git-fixes). - net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb (git-fixes). - net: hns3: clear VF down state bit before request link status (git-fixes). - net: hns3: fix bug when calculating the TCAM table info (git-fixes). - net: hns3: fix query vlan mask value error for flow director (git-fixes). - net: hns3: Remove un-necessary 'else-if' in the hclge_reset_event() (git-fixes). 
- net: ll_temac: Add more error handling of dma_map_single() calls (git-fixes). - net: ll_temac: Fix race condition causing TX hang (git-fixes). - net: ll_temac: Fix RX buffer descriptor handling on GFP_ATOMIC pressure (git-fixes). - net: ll_temac: Handle DMA halt condition caused by buffer underrun (git-fixes). - net/mlx4_core: Add missed mlx4_free_cmd_mailbox() (git-fixes). - net/mlx5: Do not request more than supported EQs (git-fixes). - net/mlx5e: Do not match on Geneve options in case option masks are all zero (git-fixes). - net/mlx5e: Fix error path for ethtool set-priv-flag (git-fixes). - net/mlx5e: Fix ethtool indication of connector type (git-fixes). - net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta (jsc#SLE-8464). - net:nfc:digital: Fix a double free in digital_tg_recv_dep_req (git-fixes). - net: phy: intel-xway: enable integrated led functions (git-fixes). - net: phy: marvell: fix m88e1011_set_downshift (git-fixes). - net: phy: marvell: fix m88e1111_set_downshift (git-fixes). - net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template (git-fixes). - net: smc911x: Adjust indentation in smc911x_phy_configure (git-fixes). - net: stmmac: fix missing IFF_MULTICAST check in dwmac4_set_filter (git-fixes). - net: stmmac: xgmac: fix missing IFF_MULTICAST checki in dwxgmac2_set_filter (git-fixes). - net: tulip: Adjust indentation in {dmfe, uli526x}_init_module (git-fixes). - nfc: pn533: prevent potential memory corruption (git-fixes). - nfp: flower: ignore duplicate merge hints from FW (git-fixes). - node: fix device cleanups in error handling code (git-fixes). - null_blk: fix passing of REQ_FUA flag in null_handle_rq (git-fixes). - nvme-fabrics: reject I/O to offline device (bsc#1181161). - nvme-tcp: fix possible hang when failing to set io queues (bsc#1181161). - ocfs2: fix a use after free on error (bsc#1184738). - pata_arasan_cf: fix IRQ check (git-fixes). - pata_ipx4xx_cf: fix IRQ check (git-fixes). 
- PCI/AER: Add pcie_walk_rcec() to RCEC AER handling (bsc#1174426). - PCI/AER: Add RCEC AER error injection support (bsc#1174426). - PCI/AER: Clear AER status from Root Port when resetting Downstream Port (bsc#1174426). - PCI/AER: Specify the type of Port that was reset (bsc#1174426). - PCI/AER: Use 'aer' variable for capability offset (bsc#1174426). - PCI/AER: Write AER Capability only when we control it (bsc#1174426). - PCI: designware-ep: Fix the Header Type check (git-fixes). - PCI/ERR: Add pcie_link_rcec() to associate RCiEPs (bsc#1174426). - PCI/ERR: Add pci_walk_bridge() to pcie_do_recovery() (bsc#1174426). - PCI/ERR: Avoid negated conditional for clarity (bsc#1174426). - PCI/ERR: Bind RCEC devices to the Root Port driver (bsc#1174426). - PCI/ERR: Cache RCEC EA Capability offset in pci_init_capabilities() (bsc#1174426). - PCI/ERR: Clear AER status only when we control AER (bsc#1174426). - PCI/ERR: Clear PCIe Device Status errors only if OS owns AER (bsc#1174426). - PCI/ERR: Clear status of the reporting device (bsc#1174426). - PCI/ERR: Recover from RCEC AER errors (bsc#1174426). - PCI/ERR: Recover from RCiEP AER errors (bsc#1174426). - PCI/ERR: Rename reset_link() to reset_subordinates() (bsc#1174426). - PCI/ERR: Retain status from error notification (bsc#1174426). - PCI/ERR: Simplify by computing pci_pcie_type() once (bsc#1174426). - PCI/ERR: Simplify by using pci_upstream_bridge() (bsc#1174426). - PCI/ERR: Use 'bridge' for clarity in pcie_do_recovery() (bsc#1174426). - PCI/PME: Add pcie_walk_rcec() to RCEC PME handling (bsc#1174426). - PCI/portdrv: Report reset for frozen channel (bsc#1174426). - PCI: tegra: Fix ASPM-L1SS advertisement disable code (git-fixes). - PCI: tegra: Move 'dbi' accesses to post common DWC initialization (git-fixes). - phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y, unconditionally (git-fixes). - pinctrl: core: Fix kernel doc string for pin_get_name() (git-fixes). 
- pinctrl: Ingenic: Add missing pins to the JZ4770 MAC MII group (git-fixes).
- platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards with critclk_systems DMI table (git-fixes).
- PM: runtime: Add documentation for pm_runtime_resume_and_get() (git-fixes).
- powerepc/book3s64/hash: Align start/end address correctly with bolt mapping (bsc#1184957).
- powerpc/64s: Fix pte update for kernel memory on radix (bsc#1055117 git-fixes).
- powerpc/asm-offsets: GPR14 is not needed either (bsc#1065729).
- powerpc/eeh: Fix EEH handling for hugepages in ioremap space (bsc#1156395).
- powerpc/fadump: Mark fadump_calculate_reserve_size as __init (bsc#1065729).
- powerpc/mm: Add cond_resched() while removing hpte mappings (bsc#1183289 ltc#191637).
- powerpc/papr_scm: Fix build error due to wrong printf specifier (bsc#1184969).
- powerpc/papr_scm: Implement support for H_SCM_FLUSH hcall (bsc#1184969).
- powerpc/perf: Fix PMU constraint check for EBB events (bsc#1065729).
- powerpc/prom: Mark identical_pvr_fixup as __init (bsc#1065729).
- powerpc/pseries: Add shutdown() to vio_driver and vio_bus (bsc#1184209 ltc#190917).
- powerpc/time: Enable sched clock for irqtime (bsc#1156395).
- regmap: set debugfs_name to NULL after it is freed (git-fixes).
- regulator: Avoid a double 'of_node_get' in 'regulator_of_get_init_node()' (git-fixes).
- reintroduce cqhci_suspend for kABI (git-fixes).
- reiserfs: update reiserfs_xattrs_initialized() condition (bsc#1184737).
- rpm/constraints.in: bump disk space to 45GB on riscv64
- rpm/kernel-obs-build.spec.in: Include essiv with dm-crypt (boo#1183063).
- rpm/macros.kernel-source: fix KMP failure in %install (bsc#1185244)
- rpm/mkspec: Use tilde instead of dot for version string with rc (bsc#1184650)
- rsi: Use resume_noirq for SDIO (git-fixes).
- rsxx: remove extraneous 'const' qualifier (git-fixes).
- rtc: ds1307: Fix wday settings for rx8130 (git-fixes).
- rtc: fsl-ftm-alarm: add MODULE_TABLE() (bsc#1185454).
- rtc: fsl-ftm-alarm: avoid struct rtc_time conversions (bsc#1185454).
- rtc: fsl-ftm-alarm: enable acpi support (bsc#1185454).
- rtc: fsl-ftm-alarm: fix freeze(s2idle) failed to wake (bsc#1185454).
- rtc: fsl-ftm-alarm: report alarm to core (bsc#1185454).
- rtc: fsl-ftm-alarm: switch to ktime_get_real_seconds (bsc#1185454).
- rtc: fsl-ftm-alarm: switch to rtc_time64_to_tm/rtc_tm_to_time64 (bsc#1185454).
- rtc: fsl-ftm-alarm: update acpi device id (bsc#1185454).
- rtc: pcf2127: add alarm support (bsc#1185233).
- rtc: pcf2127: add pca2129 device id (bsc#1185233).
- rtc: pcf2127: add tamper detection support (bsc#1185233).
- rtc: pcf2127: add watchdog feature support (bsc#1185233).
- rtc: pcf2127: bugfix: watchdog build dependency (bsc#1185233).
- rtc: pcf2127: cleanup register and bit defines (bsc#1185233).
- rtc: pcf2127: convert to devm_rtc_allocate_device (bsc#1185233).
- rtc: pcf2127: fix a bug when not specify interrupts property (bsc#1185233).
- rtc: pcf2127: fix alarm handling (bsc#1185233).
- rtc: pcf2127: fix pcf2127_nvmem_read/write() returns (bsc#1185233).
- rtc: pcf2127: handle boot-enabled watchdog feature (bsc#1185233).
- rtc: pcf2127: let the core handle rtc range (bsc#1185233).
- rtc: pcf2127: move watchdog initialisation to a separate function (bsc#1185233).
- rtc: pcf2127: only use watchdog when explicitly available (bsc#1185233).
- rtc: pcf2127: properly set flag WD_CD for rtc chips(pcf2129, pca2129) (bsc#1185233).
- rtc: pcf2127: remove unnecessary #ifdef (bsc#1185233).
- rtc: pcf2127: set regmap max_register (bsc#1185233).
- rtc: pcf2127: watchdog: handle nowayout feature (bsc#1185233).
- rtlwifi: 8821ae: upgrade PHY and RF parameters (git-fixes).
- rtw88: Fix array overrun in rtw_get_tx_power_params() (git-fixes).
- sata_mv: add IRQ checks (git-fixes).
- scsi: block: Fix a race in the runtime power management code (git-fixes).
- scsi: core: add scsi_host_busy_iter() (bsc#1179851).
- scsi: core: Only return started requests from scsi_host_find_tag() (bsc#1179851).
- scsi: lpfc: Copyright updates for 12.8.0.9 patches (bsc#1185472).
- scsi: lpfc: Eliminate use of LPFC_DRIVER_NAME in lpfc_attr.c (bsc#1185472).
- scsi: lpfc: Fix a bunch of kernel-doc issues (bsc#1185472).
- scsi: lpfc: Fix a bunch of kernel-doc misdemeanours (bsc#1185472).
- scsi: lpfc: Fix a bunch of misnamed functions (bsc#1185472).
- scsi: lpfc: Fix a few incorrectly named functions (bsc#1185472).
- scsi: lpfc: Fix a typo (bsc#1185472).
- scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO response (bsc#1185472).
- scsi: lpfc: Fix DMA virtual address ptr assignment in bsg (bsc#1185365).
- scsi: lpfc: Fix error handling for mailboxes completed in MBX_POLL mode (bsc#1185472).
- scsi: lpfc: Fix formatting and misspelling issues (bsc#1185472).
- scsi: lpfc: Fix gcc -Wstringop-overread warning (bsc#1185472).
- scsi: lpfc: Fix illegal memory access on Abort IOCBs (bsc#1183203).
- scsi: lpfc: Fix incorrectly documented function lpfc_debugfs_commonxripools_data() (bsc#1185472).
- scsi: lpfc: Fix incorrect naming of __lpfc_update_fcf_record() (bsc#1185472).
- scsi: lpfc: Fix kernel-doc formatting issue (bsc#1185472).
- scsi: lpfc: Fix lack of device removal on port swaps with PRLIs (bsc#1185472).
- scsi: lpfc: Fix lpfc_hdw_queue attribute being ignored (bsc#1185472).
- scsi: lpfc: Fix missing FDMI registrations after Mgmt Svc login (bsc#1185472).
- scsi: lpfc: Fix NMI crash during rmmod due to circular hbalock dependency (bsc#1185472).
- scsi: lpfc: Fix reference counting errors in lpfc_cmpl_els_rsp() (bsc#1185472).
- scsi: lpfc: Fix rmmod crash due to bad ring pointers to abort_iotag (bsc#1185472).
- scsi: lpfc: Fix silent memory allocation failure in lpfc_sli4_bsg_link_diag_test() (bsc#1185472).
- scsi: lpfc: Fix some error codes in debugfs (bsc#1185472).
- scsi: lpfc: Fix use-after-free on unused nodes after port swap (bsc#1185472).
- scsi: lpfc: Fix various trivial errors in comments and log messages (bsc#1185472).
- scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic (bsc#1185472).
- scsi: lpfc: Standardize discovery object logging format (bsc#1185472).
- scsi: lpfc: Update lpfc version to 12.8.0.9 (bsc#1185472).
- scsi: qla2xxx: Add error counters to debugfs node (bsc#1185491).
- scsi: qla2xxx: Add H:C:T info in the log message for fc ports (bsc#1185491).
- scsi: qla2xxx: Always check the return value of qla24xx_get_isp_stats() (bsc#1185491).
- scsi: qla2xxx: Assign boolean values to a bool variable (bsc#1185491).
- scsi: qla2xxx: Check kzalloc() return value (bsc#1185491).
- scsi: qla2xxx: Consolidate zio threshold setting for both FCP NVMe (bsc#1185491).
- scsi: qla2xxx: Constify struct qla_tgt_func_tmpl (bsc#1185491).
- scsi: qla2xxx: Do logout even if fabric scan retries got exhausted (bsc#1185491).
- scsi: qla2xxx: Enable NVMe CONF (BIT_7) when enabling SLER (bsc#1185491).
- scsi: qla2xxx: fc_remote_port_chkready() returns a SCSI result value (bsc#1185491).
- scsi: qla2xxx: Fix a couple of misdocumented functions (bsc#1185491).
- scsi: qla2xxx: Fix a couple of misnamed functions (bsc#1185491).
- scsi: qla2xxx: Fix broken #endif placement (bsc#1185491).
- scsi: qla2xxx: Fix crash in PCIe error handling (bsc#1185491).
- scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() (bsc#1185491).
- scsi: qla2xxx: Fix endianness annotations (bsc#1185491).
- scsi: qla2xxx: Fix incorrectly named function qla8044_check_temp() (bsc#1185491).
- scsi: qla2xxx: Fix IOPS drop seen in some adapters (bsc#1185491).
- scsi: qla2xxx: Fix mailbox Ch erroneous error (bsc#1185491).
- scsi: qla2xxx: Fix mailbox recovery during PCIe error (bsc#1185491).
- scsi: qla2xxx: Fix RISC RESET completion polling (bsc#1185491).
- scsi: qla2xxx: Fix some incorrect formatting/spelling issues (bsc#1185491).
- scsi: qla2xxx: Fix some memory corruption (bsc#1185491).
- scsi: qla2xxx: Fix stuck session (bsc#1185491).
- scsi: qla2xxx: Fix use after free in bsg (bsc#1185491).
- scsi: qla2xxx: Implementation to get and manage host, target stats and initiator port (bsc#1185491).
- scsi: qla2xxx: Move some messages from debug to normal log level (bsc#1185491).
- scsi: qla2xxx: Remove redundant NULL check (bsc#1185491).
- scsi: qla2xxx: Remove unnecessary NULL check (bsc#1185491).
- scsi: qla2xxx: Remove unneeded if-null-free check (bsc#1185491).
- scsi: qla2xxx: Replace __qla2x00_marker()'s missing underscores (bsc#1185491).
- scsi: qla2xxx: Reserve extra IRQ vectors (bsc#1184436).
- scsi: qla2xxx: Reuse existing error handling path (bsc#1185491).
- scsi: qla2xxx: Simplify if statement (bsc#1185491).
- scsi: qla2xxx: Simplify qla8044_minidump_process_control() (bsc#1185491).
- scsi: qla2xxx: Simplify the calculation of variables (bsc#1185491).
- scsi: qla2xxx: Suppress Coverity complaints about dseg_r* (bsc#1185491).
- scsi: qla2xxx: Update default AER debug mask (bsc#1185491).
- scsi: qla2xxx: Update version to 10.02.00.105-k (bsc#1185491).
- scsi: qla2xxx: Update version to 10.02.00.106-k (bsc#1185491).
- scsi: qla2xxx: Use dma_pool_zalloc() (bsc#1185491).
- scsi: qla2xxx: Wait for ABTS response on I/O timeouts for NVMe (bsc#1185491).
- scsi: smartpqi: Correct driver removal with HBA disks (bsc#1178089).
- scsi: smartpqi: Correct pqi_sas_smp_handler busy condition (bsc#1178089).
- scsi: smartpqi: Update version to 1.2.16-012 (bsc#1178089).
- selftests/powerpc: Add pkey helpers for rights (bsc#1184934 ltc#191460).
- selftests/powerpc: Add test for execute-disabled pkeys (bsc#1184934 ltc#191460).
- selftests/powerpc: Add test for pkey siginfo verification (bsc#1184934 ltc#191460).
- selftests/powerpc: Add wrapper for gettid (bsc#1184934 ltc#191460).
- selftests/powerpc: Fix exit status of pkey tests (bsc#1184934 ltc#191460).
- selftests/powerpc: Fix L1D flushing tests for Power10 (bsc#1184934 ltc#191460).
- selftests/powerpc: Fix pkey syscall redefinitions (bsc#1184934 ltc#191460).
- selftests/powerpc: Move pkey helpers to headers (bsc#1184934 ltc#191460).
- selftests/powerpc: refactor entry and rfi_flush tests (bsc#1184934 ltc#191460).
- soc: aspeed: fix a ternary sign expansion bug (git-fixes).
- soc: qcom: mdt_loader: Detect truncated read of segments (git-fixes).
- soc: qcom: mdt_loader: Validate that p_filesz p_memsz (git-fixes).
- soundwire: bus: Fix device found flag correctly (git-fixes).
- soundwire: stream: fix memory leak in stream config error path (git-fixes).
- spi: fsl-dspi: fix NULL pointer dereference (bsc#1167260).
- spi: fsl-dspi: fix use-after-free in remove path (bsc#1167260).
- spi: fsl-dspi: fix wrong pointer in suspend/resume (bsc#1167260).
- spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware() (git-fixes).
- spi: Introduce dspi_slave_abort() function for NXP's dspi SPI driver (bsc#1167260).
- spi: spi-fsl-dspi: Accelerate transfers using larger word size if possible (bsc#1167260).
- spi: spi-fsl-dspi: Add comments around dspi_pop_tx and dspi_push_rx functions (bsc#1167260).
- spi: spi-fsl-dspi: Adding shutdown hook (bsc#1167260).
- spi: spi-fsl-dspi: Add support for LS1028A (bsc#1167260).
- spi: spi-fsl-dspi: Always use the TCFQ devices in poll mode (bsc#1167260).
- spi: spi-fsl-dspi: Avoid NULL pointer in dspi_slave_abort for non-DMA mode (bsc#1167260).
- spi: spi-fsl-dspi: Avoid reading more data than written in EOQ mode (bsc#1167260).
- spi: spi-fsl-dspi: Change usage pattern of SPI_MCR_* and SPI_CTAR_* macros (bsc#1167260).
- spi: spi-fsl-dspi: Convert TCFQ users to XSPI FIFO mode (bsc#1167260).
- spi: spi-fsl-dspi: Convert the instantiations that support it to DMA (bsc#1167260).
- spi: spi-fsl-dspi: delete EOQ transfer mode (bsc#1167260).
- spi: spi-fsl-dspi: Demistify magic value in SPI_SR_CLEAR (bsc#1167260).
- spi: spi-fsl-dspi: Do not access reserved fields in SPI_MCR (bsc#1167260).
- spi: spi-fsl-dspi: Do not mask off undefined bits (bsc#1167260).
- spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours (bsc#1167260).
- spi: spi-fsl-dspi: Fix 16-bit word order in 32-bit XSPI mode (bsc#1167260).
- spi: spi-fsl-dspi: Fix bits-per-word acceleration in DMA mode (bsc#1167260).
- spi: spi-fsl-dspi: Fix code alignment (bsc#1167260).
- spi: spi-fsl-dspi: fix DMA mapping (bsc#1167260).
- spi: spi-fsl-dspi: Fix external abort on interrupt in resume or exit paths (bsc#1167260).
- spi: spi-fsl-dspi: Fix interrupt-less DMA mode taking an XSPI code path (bsc#1167260).
- spi: spi-fsl-dspi: Fix little endian access to PUSHR CMD and TXDATA (bsc#1167260).
- spi: spi-fsl-dspi: Fix lockup if device is removed during SPI transfer (bsc#1167260).
- spi: spi-fsl-dspi: Fix lockup if device is shutdown during SPI transfer (bsc#1167260).
- spi: spi-fsl-dspi: fix native data copy (bsc#1167260).
- spi: spi-fsl-dspi: Fix race condition in TCFQ/EOQ interrupt (bsc#1167260).
- spi: spi-fsl-dspi: Fix typos (bsc#1167260).
- spi: spi-fsl-dspi: Free DMA memory with matching function (bsc#1167260).
- spi: spi-fsl-dspi: Implement .max_message_size method for EOQ mode (bsc#1167260).
- spi: spi-fsl-dspi: Initialize completion before possible interrupt (bsc#1167260).
- spi: spi-fsl-dspi: LS2080A and LX2160A support XSPI mode (bsc#1167260).
- spi: spi-fsl-dspi: Make bus-num property optional (bsc#1167260).
- spi: spi-fsl-dspi: Move dspi_interrupt above dspi_transfer_one_message (bsc#1167260).
- spi: spi-fsl-dspi: Move invariant configs out of dspi_transfer_one_message (bsc#1167260).
- spi: spi-fsl-dspi: Optimize dspi_setup_accel for lowest interrupt count (bsc#1167260).
- spi: spi-fsl-dspi: Parameterize the FIFO size and DMA buffer size (bsc#1167260).
- spi: spi-fsl-dspi: Protect against races on dspi->words_in_flight (bsc#1167260).
- spi: spi-fsl-dspi: Reduce indentation in dspi_release_dma() (bsc#1167260).
- spi: spi-fsl-dspi: Reduce indentation level in dspi_interrupt (bsc#1167260).
- spi: spi-fsl-dspi: remove git-fixes Remove git-fixes. Prepare to update the driver. References: bsc#1167260
- spi: spi-fsl-dspi: Remove impossible to reach error check (bsc#1167260).
- spi: spi-fsl-dspi: Remove pointless assignment of master->transfer to NULL (bsc#1167260).
- spi: spi-fsl-dspi: Remove unused chip->void_write_data (bsc#1167260).
- spi: spi-fsl-dspi: Remove unused defines and includes (bsc#1167260).
- spi: spi-fsl-dspi: Remove unused initialization of 'ret' in dspi_probe (bsc#1167260).
- spi: spi-fsl-dspi: Rename fifo_{read,write} and {tx,cmd}_fifo_write (bsc#1167260).
- spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion (bsc#1167260).
- spi: spi-fsl-dspi: Replace legacy spi_master names with spi_controller (bsc#1167260).
- spi: spi-fsl-dspi: set ColdFire to DMA mode (bsc#1167260).
- spi: spi-fsl-dspi: Simplify bytes_per_word gymnastics (bsc#1167260).
- spi: spi-fsl-dspi: Take software timestamp in dspi_fifo_write (bsc#1167260).
- spi: spi-fsl-dspi: Use BIT() and GENMASK() macros (bsc#1167260).
- spi: spi-fsl-dspi: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1167260).
- spi: spi-fsl-dspi: Use EOQ for last word in buffer even for XSPI mode (bsc#1167260).
- spi: spi-fsl-dspi: Use poll mode in case the platform IRQ is missing (bsc#1167260).
- spi: spi-fsl-dspi: Use reverse Christmas tree declaration order (bsc#1167260).
- spi: spi-fsl-dspi: Use specific compatible strings for all SoC instantiations (bsc#1167260).
- spi: spi-fsl-dspi: use XSPI mode instead of DMA for DPAA2 SoCs (bsc#1167260).
- spi: spi-ti-qspi: Free DMA resources (git-fixes).
- staging: fwserial: fix TIOCGSERIAL implementation (git-fixes).
- staging: fwserial: fix TIOCSSERIAL implementation (git-fixes).
- staging: fwserial: fix TIOCSSERIAL jiffies conversions (git-fixes).
- staging: fwserial: fix TIOCSSERIAL permission check (git-fixes).
- staging: rtl8192u: Fix potential infinite loop (git-fixes).
- usb: CDC-ACM: fix poison/unpoison imbalance (bsc#1184984).
- usb: CDC-ACM: fix poison/unpoison imbalance (git-fixes).
- usb: cdc-acm: fix TIOCGSERIAL implementation (git-fixes).
- usb: cdc-acm: fix unprivileged TIOCCSERIAL (git-fixes).
- usb: dwc2: Fix hibernation between host and device modes (git-fixes).
- usb: dwc2: Fix host mode hibernation exit with remote wakeup flow (git-fixes).
- usb: dwc2: Fix session request interrupt handler (git-fixes).
- usb: dwc3: gadget: Fix START_TRANSFER link state check (git-fixes).
- usb: dwc3: keystone: use devm_platform_ioremap_resource() to simplify code (git-fixes).
- usb: dwc3: meson-g12a: use devm_platform_ioremap_resource() to simplify code (git-fixes).
- usb: dwc3: Switch to use device_property_count_u32() (git-fixes).
- usb: gadget: aspeed: fix dma map failure (git-fixes).
- usb: gadget: Fix double free of device descriptor pointers (git-fixes).
- usb: gadget: pch_udc: Check for DMA mapping error (git-fixes).
- usb: gadget: pch_udc: Check if driver is present before calling ->setup() (git-fixes).
- usb: gadget: pch_udc: Move pch_udc_init() to satisfy kernel doc (git-fixes).
- usb: gadget: pch_udc: Replace cpu_to_le32() by lower_32_bits() (git-fixes).
- usb: gadget: pch_udc: Revert d3cb25a12138 completely (git-fixes).
- usb: gadget: r8a66597: Add missing null check on return from platform_get_resource (git-fixes).
- usb: gadget: udc: fix wrong pointer passed to IS_ERR() and PTR_ERR() (git-fixes).
- usb: Remove dev_err() usage after platform_get_irq() (git-fixes).
- usb: serial: ark3116: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: f81232: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: f81534: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: fix return value for unsupported ioctls (git-fixes).
- usb: serial: mos7720: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: opticon: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: quatech2: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: ssu100: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: usb_wwan: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: usb_wwan: fix TIOCSSERIAL jiffies conversions (git-fixes).
- usb: serial: usb_wwan: fix unprivileged TIOCCSERIAL (git-fixes).
- usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS (git-fixes).
- usb: typec: tcpm: Address incorrect values of tcpm psy for fixed supply (git-fixes).
- usb: typec: tcpm: Honour pSnkStdby requirement during negotiation (git-fixes).
- veth: Store queue_mapping independently of XDP prog presence (git-fixes).
- vfio/pci: Add missing range check in vfio_pci_mmap (git-fixes).
- virt_wifi: Return micros for BSS TSF values (git-fixes).
- vxlan: move debug check after netdev unregister (git-fixes).
- workqueue: Move the position of debug_work_activate() in __queue_work() (bsc#1184893).
- x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access (bsc#1152489).
- x86/insn: Add some Intel instructions to the opcode map (bsc#1184760).
- x86/insn: Add some more Intel instructions to the opcode map (bsc#1184760).
- x86/microcode: Check for offline CPUs before requesting new microcode (bsc#1152489).
- x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd (bsc#1152489).
- x86/platform/uv: Set section block size for hubless architectures (bsc#1152489).
- x86/reboot: Force all cpus to exit VMX root if VMX is supported (bsc#1152489).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1582-1
Released:    Wed May 12 13:40:03 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1184687,1185190

This update for lvm2 fixes the following issues:

- Honor 'lvm.conf' parameter event_activation=0 on 'pvscan --cache -aay'. (bsc#1185190)
- Fixed an issue when LVM can't be disabled on boot. (bsc#1184687)
- Update patch for avoiding apply warning messages. (bsc#1012973)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1592-1
Released:    Wed May 12 13:47:41 2021
Summary:     Optional update for sed
Type:        optional
Severity:    low
References:  1183797

This update for sed fixes the following issues:

- Fixed a building issue with glibc-2.31 (bsc#1183797).

This patch is optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1600-1
Released:    Thu May 13 16:34:08 2021
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1185277

This update for dracut fixes the following issue:

Update to version 049.1+suse.188.gbf445638:

- Do not resolve symbolic links before `instmod`. (bsc#1185277)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1612-1
Released:    Fri May 14 17:09:39 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1184614

This update for openldap2 fixes the following issue:

- Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1636-1
Released:    Wed May 19 13:33:56 2021
Summary:     Recommended update for grub2
Type:        security
Severity:    moderate
References:  1185580

This update for grub2 fixes the following issues:

- Fixed error with the shim_lock protocol that is not found on aarch64 (bsc#1185580).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1643-1
Released:    Wed May 19 13:51:48 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    important
References:  1181443,1184358,1185562

This update for pam fixes the following issues:

- Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1647-1
Released:    Wed May 19 13:59:12 2021
Summary:     Security update for lz4
Type:        security
Severity:    important
References:  1185438,CVE-2021-3520

This update for lz4 fixes the following issues:

- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1654-1
Released:    Wed May 19 16:43:36 2021
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537

This update for libxml2 fixes the following issues:

- CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1669-1
Released:    Thu May 20 11:10:44 2021
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1181540,1181651,1183194,1185170

This update for nfs-utils fixes the following issues:

- The '/var/run' is long deprecated - switch all relevant paths to '/run'. (bsc#1185170)
- Improve logging of authentication (bsc#1181540)
- Add man page of the 'nconnect mount'. (bsc#1181651)
- Fixed an issue when HANA crashed due to inaccessible/hanging NFS mount. (bsc#1183194)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1672-1
Released:    Thu May 20 13:44:41 2021
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    moderate
References:  1021918,1089870,1168894,1169122,1169348,1170092,1170094,1170858,1176370,1178491,1180478,1181351,1181610,1181679,1181911,1182904,1182950,1183732,1183826,1184829,1184912

This update for supportutils fixes the following issues:

- Collects rotated logs with different compression types (bsc#1180478)
- Captures now IBM Power bootlist (jsc#SLE-15557)
- Fixed some errors with supportutils in combination with the btrfs filesystem (bsc#1168894)
- Fixed an issue with ntp.txt, when it contains large binary data (bsc#1169122)
- Checks package signatures in rpm.txt (bsc#1021918)
- Optimize find (bsc#1184912)
- Using zypper --xmlout (bsc#1181351)
- Error fix for sysfs.txt (bsc#1089870)
- Added list-timers to systemd.txt (bsc#1169348)
- Including nfs4 in search (bsc#1184829)
- [powerpc] Collect dynamic_debug log files for ibmvNIC #98 (bsc#1183826)
- Fixed mismatched taint flags (bsc#1178491)
- Removed redundant fdisk code that can cause timeout issues (bsc#1181679)
- Supportconfig processes -f without hanging (bsc#1182904)
- Collect logs for power specific components (using iprconfig) pr#94 (bsc#1182950)
- [powerpc] Collect logs for power specific components (HNV) pr#88 (bsc#1181911)
- Includes NVMe information with OPTION_NVME=1 in nvme.txt (bsc#1176370, SLE-15932)
- No longer truncates boot log (bsc#1181610)
- Collects rotated logs with different compression types (bsc#1180478)
- Capture IBM Power bootlist (SLE-15557)
- [powerpc] Collect logs for power specific components #72 (bscn#1176895)
- Fixed btrfs errors (bsc#1168894)
- Large ntp.txt with binary data (bsc#1169122)
- Only include hostinfo details in /etc/motd (bsc#1170092)
- Fixed CPU load average calculation (bsc#1170094)
- Understands 3rd party packages on SLES or OpenSUSE (bsc#1170858)
- Implement persistent host information across reboots (bsc#1183732)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1675-1
Released:    Thu May 20 15:00:23 2021
Summary:     Recommended update for snappy
Type:        recommended
Severity:    moderate
References:  1080040,1184507

This update for snappy fixes the following issues:

Update from version 1.1.3 to 1.1.8

- Small performance improvements.
- Removed `snappy::string` alias for `std::string`.
- Improved `CMake` configuration.
- Improved packages descriptions.
- Fix RPM groups.
- Aarch64 fixes
- PPC speedups
- PIE improvements
- Fix license install. (bsc#1080040)
- Fix a 1% performance regression when snappy is used in PIE executable.
- Improve compression performance by 5%.
- Improve decompression performance by 20%.
- Use better download URL.
- Fix a build issue for tensorflow2. (bsc#1184507)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1700-1
Released:    Mon May 24 16:39:35 2021
Summary:     Recommended update for google-guest-agent, google-guest-oslogin, google-osconfig-agent
Type:        recommended
Severity:    moderate
References:  1185848,1185849

This update for google-guest-agent, google-guest-oslogin, google-osconfig-agent contains the following fixes:

- Update to version 20210414.00 (bsc#1185848, bsc#1185849)
  * start sshd (#106)
  * Add systemd-networkd.service restart dependency. (#104)
  * Update error message for handleHealthCheckRequest. (#105)

- Update to version 20210429.00 (bsc#1185848, bsc#1185849)
  * correct pagetoken in groupsforuser (#59)
  * resolve self groups last (#58)
  * support empty groups (#57)
  * no paginating to find groups (#56)
  * clear users vector (#55)
  * correct usage of pagetoken (#54)

- Update to version 20210506.00 (bsc#1185848, bsc#1185849)
  * Add more os policy assignment examples (#348)
  * e2e_tests: enable stable tests for OSPolicies (#347)
  * Align start and end task logs (#346)
  * ConfigTask: add additional info logs (#345)
  * e2e_tests: add validation tests (#344)
  * Config Task: make sure agent respects policy mode (#343)
  * update
  * e2e_tests: readd retries to OSPolicies
  * Set minWaitDuration as a string instead of object (#341)
  * e2e_tests: Fix a few SUSE tests (#339)
  * Remove pre-release flag from config (#340)
  * e2e_tests: fixup OSPolicy tests (#338)
  * e2e_tests: unlock mutex for CreatePolicies as soon as create finishes (#337)
  * e2e_tests: Don't retry failed OSPolicy tests, fix msi test (#336)
  * Examples for os policy assignments (#334)
  * e2e_tests: increase the deadline for OSPolicy tests and only start after a zone has been secured (#335)
  * Fix panic when installing MSI (#332)
  * e2e_tests: Add test cases of installing dbe, rpm and msi packages (#333)
  * e2e_tests: add more logging
  * e2e_tests: (#330)
  * e2e_test: Add timouts to OSPolicy tests so we don't wait forever (#329)
  * Create top level directories for gcloud and console for os policy assignment examples (#328)
  * e2e_tests: Move api from an internal directory (#327)
  * Make sure we use the same test name for reruns (#326)
  * Add CONFIG_V1 capability (#325)
  * e2e_tests: reduce size of instances, use pd-balanced, rerun failed tests once (#324)
  * Only report installed packages for dpkg (#322)
  * e2e_tests: fix windows package and repository tests (#323)
  * Add top level directories for os policy examples (#321)
  * e2e_tests: move to using inventory api for inventory reporting (#320)
  * e2e_tests: add ExecResource tests (#319)
  * ExecResource: make sure we set permissions correctly for downloaded files (#318)
  * Config task: only run post check on resources that have already been evaluated (#317)
  * e2e_test: reorganize OSPolicy tests to be per Resource type (#316)
  * Set custom user agent (#299)
  * e2e_tests: check InstanceOSPoliciesCompliance for each test case, add LocalPath FileResource test (#314)
  * PackageResource: make sure to run AptUpdate prior to package install (#315)
  * Fix bugs/add more logging for OSPolicies (#313)
  * Change metadata http client to ignore http proxies (#312)
  * e2e_test: add tests for FileResource (#311)
  * Add task_type context logging (#310)
  * Fix e2e_test typo (#309)
  * Fix e2e_tests (#308)
  * Disable OSPolicies by default since it is an unreleased feature (#307)
  * e2e_tests: Add more OSPolicies package and repo tests (#306)
  * Do not enforce repo_gpgcheck in guestpolicies (#305)
  * Gather inventory 3-5min after agent start (#303)
  * e2e_tests: add OSPolicies tests for package install (#302)
  * Add helpful error log if a service account is missing (#304)
  * OSPolicies: correct apt repo extension, remove yum/zypper gpgcheck override (#301)
  * Update cos library to parse new version of packages file (#300)
  * config_task: Rework config step logic (#296)
  * e2e_test: enable serial logs in cos to support ReportInventory test (#297)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1702-1
Released:    Tue May 25 09:53:56 2021
Summary:     Recommended update for shim
Type:        recommended
Severity:    moderate
References:  1185464,1185961

This update for shim fixes the following issues:

- shim-install: instead of assuming 'removable' for Azure, remove fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot to make \EFI\Boot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1762-1
Released:    Wed May 26 12:30:01 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1186114,CVE-2021-22898

This update for curl fixes the following issues:

- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Allow partial chain verification [jsc#SLE-17956]
  * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain.
  * Set FLAG_TRUSTED_FIRST unconditionally.
  * Do not check partial chains with CRL check.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1773-1
Released:    Wed May 26 17:22:21 2021
Summary:     Recommended update for python3
Type:        recommended
Severity:    low
References:

This update for python3 fixes the following issues:

- Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1801-1 Released: Mon May 31 07:36:01 2021 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1115550,1174162 This update for openssh fixes the following issues: - Fixed a race condition leading to a sshd termination of multichannel sessions with non-root users (bsc#1115550, bsc#1174162). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1833-1 Released: Wed Jun 2 15:32:28 2021 Summary: Recommended update for zypper Type: recommended Severity: moderate References: 1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239 This update for zypper fixes the following issues: zypper was upgraded to 1.14.44: - man page: Recommend the needs-rebooting command to test whether a system reboot is suggested. - patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268) - Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687) - Protect against strict/relaxed user umask via sudo. (bsc#1183589) - xml summary: Add solvables repository alias. (bsc#1182372) libzypp was upgraded from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1846-1 Released: Fri Jun 4 08:46:37 2021 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1185910 This update for mozilla-nss fixes the following issue: - Provide some missing binaries from `mozilla-nss` not added in `SLE-Module-Basesystem_15-SP3`. (bsc#1185910) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1861-1 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Type: recommended Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1879-1 Released: Tue Jun 8 09:16:09 2021 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1184326,1184399,1184997,1185325 This update for libzypp, zypper fixes the following issues: libzypp was updated to 17.26.0: - Work around download.o.o broken https redirects. - Allow trusted repos to add additional signing keys (bsc#1184326) Repositories signed with a trusted gpg key may import additional package signing keys. This is needed if different keys were used to sign the packages shipped by the repository. - MediaCurl: Fix logging of redirects. - Use 15.3 resolver problem and solution texts on all distros.
- $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the zypp lock (bsc#1184399) Helps boot time services like 'zypper purge-kernels' to wait for the zypp lock until other services using zypper have completed. - Fix purge-kernels is broken in Leap 15.3 (bsc#1185325) Leap 15.3 introduces a new kernel package called kernel-flavour-extra, which contains kmp's. Currently kmp's are detected by name '.*-kmp(-.*)?' but this does not work with those new packages. This patch fixes the problem by checking packages for kmod(*) and ksym(*) provides and only falls back to name checking if the package in question does not provide one of those. - Introduce zypp-runpurge, a tool to run purge-kernels on testcases. zypper was updated to 1.14.45: - Fix service detection with cgroupv2 (bsc#1184997) - Add hints to 'trust GPG key' prompt. - Add report when receiving new package signing keys from a trusted repo (bsc#1184326) - Added translation using Weblate (Kabyle) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1882-1 Released: Tue Jun 8 13:25:36 2021 Summary: Recommended update for shim Type: recommended Severity: moderate References: 1185464,1185961 This update for shim fixes the following issues: - shim-install: remove the unexpected residual 'removable' label for Azure (bsc#1185464, bsc#1185961) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1890-1 Released: Tue Jun 8 15:08:16 2021 Summary: Security update for the Linux Kernel Type: security Severity: important References:
1087082,1133021,1152457,1152489,1155518,1156395,1164648,1177666,1178378,1178418,1178612,1179519,1179825,1179827,1179851,1182257,1182378,1182999,1183346,1183868,1183873,1183932,1183947,1183976,1184081,1184082,1184259,1184611,1184855,1185428,1185495,1185497,1185589,1185606,1185642,1185645,1185677,1185680,1185703,1185725,1185758,1185859,1185860,1185861,1185862,1185863,1185898,1185899,1185911,1185938,1185950,1185982,1185987,1185988,1186060,1186061,1186062,1186111,1186285,1186320,1186390,1186416,1186439,1186441,1186451,1186460,1186479,1186484,1186498,1186501,1186573,1186681,CVE-2020-24586,CVE-2020-24587,CVE-2020-24588,CVE-2020-26139,CVE-2020-26141,CVE-2020-26145,CVE-2020-26147,CVE-2021-23134,CVE-2021-32399,CVE-2021-33034,CVE-2021-33200,CVE-2021-3491 The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484). - CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values. (bsc#1186111) - CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062) - CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060) - CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642). - CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859). - CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862). - CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859). - CVE-2020-24588: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (bnc#1185861) - CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. 
(bnc#1185860) - CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987) The following non-security bugs were fixed: - ACPI / hotplug / PCI: Fix reference count leak in enable_slot() (git-fixes). - ACPI: GTDT: Do not corrupt interrupt mappings on watchdow probe failure (git-fixes). - ACPI: custom_method: fix a possible memory leak (git-fixes). - ACPI: custom_method: fix potential use-after-free issue (git-fixes). - ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro (git-fixes). - ALSA: bebob: enable to deliver MIDI messages for multiple ports (git-fixes). - ALSA: dice: fix stream format at middle sampling rate for Alesis iO 26 (git-fixes). - ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency (git-fixes). - ALSA: firewire-lib: fix calculation for size of IR context payload (git-fixes). - ALSA: firewire-lib: fix check for the size of isochronous packet payload (git-fixes). - ALSA: hda/conexant: Re-order CX5066 quirk table entries (git-fixes). - ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is unreachable (git-fixes). - ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293 (git-fixes). - ALSA: hda/realtek: Headphone volume is controlled by Front mixer (git-fixes). - ALSA: hda/realtek: reset eapd coeff to default value for alc287 (git-fixes). - ALSA: hda: fixup headset for ASUS GU502 laptop (git-fixes). - ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP (git-fixes). - ALSA: hdsp: do not disable if not enabled (git-fixes). - ALSA: hdspm: do not disable if not enabled (git-fixes). - ALSA: intel8x0: Do not update period unless prepared (git-fixes). - ALSA: line6: Fix racy initialization of LINE6 MIDI (git-fixes). 
- ALSA: rme9652: do not disable if not enabled (git-fixes). - ALSA: usb-audio: Validate MS endpoint descriptors (git-fixes). - ALSA: usb-audio: fix control-request direction (git-fixes). - ALSA: usb-audio: scarlett2: Fix device hang with ehci-pci (git-fixes). - ALSA: usb-audio: scarlett2: Improve driver startup messages (git-fixes). - ALSA: usb-audio: scarlett2: snd_scarlett_gen2_controls_create() can be static (git-fixes). - ARM64: vdso32: Install vdso32 from vdso_install (git-fixes). - ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet (git-fixes). - ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF (git-fixes). - ASoC: cs35l33: fix an error code in probe() (git-fixes). - ASoC: cs42l42: Regmap must use_single_read/write (git-fixes). - ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() (git-fixes). - ASoC: rsnd: core: Check convert rate in rsnd_hw_params (git-fixes). - ASoC: rt286: Generalize support for ALC3263 codec (git-fixes). - ASoC: rt286: Make RT286_SET_GPIO_* readable and writable (git-fixes). - Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS (git-fixes). - Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes). - Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default (git-fixes). - Bluetooth: check for zapped sk before connecting (git-fixes). - Bluetooth: initialize skb_queue_head at l2cap_chan_create() (git-fixes). - Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2 VM (git-fixes). - Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725). - Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725). - Drivers: hv: vmbus: Use after free in __vmbus_open() (git-fixes). - Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices (git-fixes). - Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state (git-fixes). - KVM: s390: fix guarded storage control register handling (bsc#1133021). 
- Move upstreamed media fixes into sorted section - NFC: nci: fix memory leak in nci_allocate_device (git-fixes). - PCI/RCEC: Fix RCiEP device to RCEC association (git-fixes). - PCI: Allow VPD access for QLogic ISP2722 (git-fixes). - PCI: PM: Do not read power state in pci_enable_device_flags() (git-fixes). - PCI: Release OF node in pci_scan_device()'s error path (git-fixes). - PCI: endpoint: Fix missing destroy_workqueue() (git-fixes). - PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() (git-fixes). - PCI: thunder: Fix compile testing (git-fixes). - PM / devfreq: Use more accurate returned new_freq as resume_freq (git-fixes). - RDMA/addr: create addr_wq with WQ_MEM_RECLAIM flag (bsc#1183346). - RDMA/core: create ib_cm with WQ_MEM_RECLAIM flag (bsc#1183346). - RDMA/hns: Delete redundant abnormal interrupt status (git-fixes). - RDMA/hns: Delete redundant condition judgment related to eq (git-fixes). - RDMA/qedr: Fix error return code in qedr_iw_connect() (jsc#SLE-8215). - RDMA/srpt: Fix error return code in srpt_cm_req_recv() (git-fixes). - Revert 'arm64: vdso: Fix compilation with clang older than 8' (git-fixes). - Revert 'gdrom: fix a memory leak bug' (git-fixes). - Revert 'i3c master: fix missing destroy_workqueue() on error in i3c_master_register' (git-fixes). - Revert 'leds: lp5523: fix a missing check of return value of lp55xx_read' (git-fixes). - Revert 337f13046ff0 ('futex: Allow FUTEX_CLOCK_REALTIME with FUTEX_WAIT op') (git-fixes). - SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428). - SUNRPC: More fixes for backlog congestion (bsc#1185428). - USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet (git-fixes). - USB: Add reset-resume quirk for WD19's Realtek Hub (git-fixes). - USB: serial: pl2303: add support for PL2303HXN (bsc#1186320). - USB: serial: pl2303: fix line-speed handling on newer chips (bsc#1186320). - USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check (git-fixes). 
- USB: trancevibrator: fix control-request direction (git-fixes). - amdgpu: avoid incorrect %hu format string (git-fixes). - arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory (git-fixes). - arm64: Add missing ISB after invalidating TLB in __primary_switch (git-fixes). - arm64: avoid -Woverride-init warning (git-fixes). - arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL (git-fixes). - arm64: kdump: update ppos when reading elfcorehdr (git-fixes). - arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails (git-fixes). - arm64: link with -z norelro for LLD or aarch64-elf (git-fixes). - arm64: link with -z norelro regardless of CONFIG_RELOCATABLE (git-fixes). - arm64: ptrace: Fix seccomp of traced syscall -1 (NO_SYSCALL) (git-fixes). - arm64: ptrace: Use NO_SYSCALL instead of -1 in syscall_trace_enter() (git-fixes). - arm64: vdso32: make vdso32 install conditional (git-fixes). - arm: mm: use __pfn_to_section() to get mem_section (git-fixes). - ata: ahci: Disable SXS for Hisilicon Kunpeng920 (git-fixes). - blk-iocost: ioc_pd_free() shouldn't assume irq disabled (git-fixes). - blk-mq: Swap two calls in blk_mq_exit_queue() (git-fixes). - block/genhd: use atomic_t for disk_event->block (bsc#1185497). - block: Fix three kernel-doc warnings (git-fixes). - block: fix get_max_io_size() (git-fixes). - bnxt_en: Fix RX consumer index logic in the error path (git-fixes). - bnxt_en: fix ternary sign extension bug in bnxt_show_temp() (git-fixes). - bpf: Fix leakage of uninitialized bpf stack under speculation (bsc#1155518). - bpf: Fix masking negation logic upon negative dst register (bsc#1155518). - btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441). - btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439). - cdc-wdm: untangle a circular dependency between callback and softint (git-fixes). - cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom (git-fixes). 
- cdrom: gdrom: initialize global variable at init time (git-fixes). - ceph: do not clobber i_snap_caps on non-I_NEW inode (bsc#1186501). - ceph: fix inode leak on getattr error in __fh_to_dentry (bsc#1186501). - ceph: fix up error handling with snapdirs (bsc#1186501). - ceph: only check pool permissions for regular files (bsc#1186501). - cfg80211: scan: drop entry from hidden_list on overflow (git-fixes). - clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return (git-fixes). - cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758). - crypto: api - check for ERR pointers in crypto_destroy_tfm() (git-fixes). - crypto: mips/poly1305 - enable for all MIPS processors (git-fixes). - crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (git-fixes). - crypto: qat - Fix a double free in adf_create_ring (git-fixes). - crypto: qat - do not release uninitialized resources (git-fixes). - crypto: qat - fix error path in adf_isr_resource_alloc() (git-fixes). - crypto: qat - fix unmap invalid dma address (git-fixes). - crypto: stm32/cryp - Fix PM reference leak on stm32-cryp.c (git-fixes). - crypto: stm32/hash - Fix PM reference leak on stm32-hash.c (git-fixes). - cxgb4: Fix unintentional sign extension issues (git-fixes). - dm: avoid filesystem lookup in dm_get_dev_t() (git-fixes). - dmaengine: dw-edma: Fix crash on loading/unloading driver (git-fixes). - docs: kernel-parameters: Add gpio_mockup_named_lines (git-fixes). - docs: kernel-parameters: Move gpio-mockup for alphabetic order (git-fixes). - drivers: hv: Fix whitespace errors (bsc#1185725). - drm/amd/display: Fix UBSAN warning for not a valid value for type '_Bool' (git-fixes). - drm/amd/display: Fix two cursor duplication when using overlay (git-fixes). - drm/amd/display: Force vsync flip when reconfiguring MPCC (git-fixes). - drm/amd/display: Reject non-zero src_y and src_x for video planes (git-fixes). - drm/amd/display: fix dml prefetch validation (git-fixes). 
- drm/amd/display: fixed divide by zero kernel crash during dsc enablement (git-fixes). - drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f (git-fixes). - drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang (git-fixes). - drm/amdgpu: fix NULL pointer dereference (git-fixes). - drm/amdgpu: mask the xgmi number of hops reported from psp to kfd (git-fixes). - drm/amdkfd: Fix cat debugfs hang_hws file causes system crash bug (git-fixes). - drm/i915: Avoid div-by-zero on gen2 (git-fixes). - drm/meson: fix shutdown crash when component not probed (git-fixes). - drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal (git-fixes). - drm/msm/mdp5: Do not multiply vclk line count by 100 (git-fixes). - drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected (git-fixes). - drm/radeon: Avoid power table parsing memory leaks (git-fixes). - drm/radeon: Fix off-by-one power_state index heap overwrite (git-fixes). - drm/vkms: fix misuse of WARN_ON (git-fixes). - drm: Added orientation quirk for OneGX1 Pro (git-fixes). - ethernet:enic: Fix a use after free bug in enic_hard_start_xmit (git-fixes). - extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged (git-fixes). - extcon: arizona: Fix various races on driver unbind (git-fixes). - fbdev: zero-fill colormap in fbcmap.c (git-fixes). - firmware: arm_scpi: Prevent the ternary sign expansion bug (git-fixes). - fs/epoll: restore waking from ep_done_scan() (bsc#1183868). - ftrace: Handle commands when closing set_ftrace_filter file (git-fixes). - futex: Change utime parameter to be 'const ... *' (git-fixes). - futex: Do not apply time namespace adjustment on FUTEX_LOCK_PI (bsc#1164648). - futex: Get rid of the val2 conditional dance (git-fixes). - futex: Make syscall entry points less convoluted (git-fixes). 
- genirq/irqdomain: Do not try to free an interrupt that has no (git-fixes) - genirq: Disable interrupts for force threaded handlers (git-fixes) - genirq: Reduce irqdebug cacheline bouncing (bsc#1185703 ltc#192641). - gpio: xilinx: Correct kernel doc for xgpio_probe() (git-fixes). - gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 (git-fixes). - hrtimer: Update softirq_expires_next correctly after (git-fixes) - hwmon: (occ) Fix poll rate limiting (git-fixes). - i2c: Add I2C_AQ_NO_REP_START adapter quirk (git-fixes). - i2c: bail out early when RDWR parameters are wrong (git-fixes). - i2c: i801: Do not generate an interrupt on bus reset (git-fixes). - i2c: s3c2410: fix possible NULL pointer deref on read message after write (git-fixes). - i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E (git-fixes). - i40e: Fix PHY type identifiers for 2.5G and 5G adapters (git-fixes). - i40e: Fix use-after-free in i40e_client_subtask() (git-fixes). - i40e: fix broken XDP support (git-fixes). - i40e: fix the restart auto-negotiation after FEC modified (git-fixes). - ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043). - ibmvfc: Handle move login failure (bsc#1185938 ltc#192043). - ibmvfc: Reinit target retries (bsc#1185938 ltc#192043). - ibmvnic: remove default label from to_string switch (bsc#1152457 ltc#174432 git-fixes). - ics932s401: fix broken handling of errors when word reading fails (git-fixes). - iio: adc: ad7124: Fix missbalanced regulator enable / disable on error (git-fixes). - iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers (git-fixes). - iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp() (git-fixes). - iio: adc: ad7793: Add missing error code in ad7793_setup() (git-fixes). - iio: gyro: fxas21002c: balance runtime power in error path (git-fixes). - iio: gyro: mpu3050: Fix reported temperature value (git-fixes). 
- iio: proximity: pulsedlight: Fix rumtime PM imbalance on error (git-fixes). - iio: tsl2583: Fix division by a zero lux_val (git-fixes). - intel_th: Consistency and off-by-one fix (git-fixes). - iommu/amd: Add support for map/unmap_resource (jsc#ECO-3482). - ipc/mqueue, msg, sem: Avoid relying on a stack reference past its expiry (bsc#1185988). - ipmi/watchdog: Stop watchdog timer when the current action is 'none' (bsc#1184855). - kernel-docs.spec.in: Build using an utf-8 locale. Sphinx cannot handle UTF-8 input in non-UTF-8 locale. - leds: lp5523: check return value of lp5xx_read and jump to cleanup code (git-fixes). - lpfc: Decouple port_template and vport_template (bsc#185032). - mac80211: clear the beacon's CRC after channel switch (git-fixes). - md-cluster: fix use-after-free issue when removing rdev (bsc#1184082). - md/raid1: properly indicate failure when ending a failed write request (bsc#1185680). - md: do not flush workqueue unconditionally in md_open (bsc#1184081). - md: factor out a mddev_find_locked helper from mddev_find (bsc#1184081). - md: md_open returns -EBUSY when entering racing area (bsc#1184081). - md: split mddev_find (bsc#1184081). - media: adv7604: fix possible use-after-free in adv76xx_remove() (git-fixes). - media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB (git-fixes). - media: dvb-usb: fix memory leak in dvb_usb_adapter_init (git-fixes). - media: em28xx: fix memory leak (git-fixes). - media: gspca/sq905.c: fix uninitialized variable (git-fixes). - media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() (git-fixes). - media: i2c: adv7842: fix possible use-after-free in adv7842_remove() (git-fixes). - media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove() (git-fixes). - media: imx: capture: Return -EPIPE from __capture_legacy_try_fmt() (git-fixes). - media: ite-cir: check for receive overflow (git-fixes). 
- media: media/saa7164: fix saa7164_encoder_register() memory leak bugs (git-fixes). - media: platform: sti: Fix runtime PM imbalance in regs_show (git-fixes). - media: tc358743: fix possible use-after-free in tc358743_remove() (git-fixes). - mfd: arizona: Fix rumtime PM imbalance on error (git-fixes). - misc/uss720: fix memory leak in uss720_probe (git-fixes). - mlxsw: spectrum_mr: Update egress RIF list before route's action (git-fixes). - mm: memcontrol: fix cpuhotplug statistics flushing (bsc#1185606). - mmc: block: Update ext_csd.cache_ctrl if it was written (git-fixes). - mmc: core: Do a power cycle when the CMD11 fails (git-fixes). - mmc: core: Set read only for SD cards with permanent write protect bit (git-fixes). - mmc: sdhci-pci-gli: increase 1.8V regulator wait (git-fixes). - mmc: sdhci-pci: Add PCI IDs for Intel LKF (git-fixes). - mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers (git-fixes). - mmc: sdhci: Check for reset prior to DMA address unmap (git-fixes). - net, xdp: Update pkt_type if generic XDP changes unicast MAC (git-fixes). - net: enetc: fix link error again (git-fixes). - net: hns3: Fix for geneve tx checksum bug (git-fixes). - net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() (git-fixes). - net: hns3: clear unnecessary reset request in hclge_reset_rebuild (git-fixes). - net: hns3: disable phy loopback setting in hclge_mac_start_phy (git-fixes). - net: hns3: fix for vxlan gpe tx checksum bug (git-fixes). - net: hns3: fix incorrect configuration for igu_egu_hw_err (git-fixes). - net: hns3: initialize the message content in hclge_get_link_mode() (git-fixes). - net: hns3: use netif_tx_disable to stop the transmit queue (git-fixes). - net: thunderx: Fix unintentional sign extension issue (git-fixes). - net: usb: fix memory leak in smsc75xx_bind (git-fixes). - netdevice: Add missing IFF_PHONY_HEADROOM self-definition (git-fixes). 
- netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950). - netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950). - netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950). - nvme-core: add cancel tagset helpers (bsc#1183976). - nvme-fabrics: decode host pathing error for connect (bsc#1179827). - nvme-fc: check sgl supported by target (bsc#1179827). - nvme-fc: clear q_live at beginning of association teardown (bsc#1186479). - nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted (bsc#1184259). - nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange() (bsc#1184259). - nvme-fc: short-circuit reconnect retries (bsc#1179827). - nvme-multipath: fix double initialization of ANA state (bsc#1178612, bsc#1184259). - nvme-multipath: reset bdev to ns head when failover (bsc#178378 bsc#1182999). - nvme-pci: Remove tag from process cq (git-fixes). - nvme-pci: Remove two-pass completions (git-fixes). - nvme-pci: Simplify nvme_poll_irqdisable (git-fixes). - nvme-pci: align io queue count with allocted nvme_queue in (git-fixes). - nvme-pci: avoid race between nvme_reap_pending_cqes() and nvme_poll() (git-fixes). - nvme-pci: dma read memory barrier for completions (git-fixes). - nvme-pci: fix 'slimmer CQ head update' (git-fixes). - nvme-pci: make sure write/poll_queues less or equal then cpu (git-fixes). - nvme-pci: remove last_sq_tail (git-fixes). - nvme-pci: remove volatile cqes (git-fixes). - nvme-pci: slimmer CQ head update (git-fixes). - nvme-pci: use simple suspend when a HMB is enabled (git-fixes). - nvme-tcp: Fix possible race of io_work and direct send (git-fixes). - nvme-tcp: Fix warning with CONFIG_DEBUG_PREEMPT (git-fixes). - nvme-tcp: add clean action for failed reconnection (bsc#1183976). - nvme-tcp: fix kconfig dependency warning when !CRYPTO (git-fixes). - nvme-tcp: fix misuse of __smp_processor_id with preemption (git-fixes). 
- nvme-tcp: fix possible hang waiting for icresp response (bsc#1179519). - nvme-tcp: use cancel tagset helper for tear down (bsc#1183976). - nvme: Fix NULL dereference for pci nvme controllers (bsc#1182378). - nvme: add 'kato' sysfs attribute (bsc#1179825). - nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() (bsc#1184259). - nvme: define constants for identification values (git-fixes). - nvme: do not intialize hwmon for discovery controllers (bsc#1184259). - nvme: do not intialize hwmon for discovery controllers (git-fixes). - nvme: document nvme controller states (git-fixes). - nvme: explicitly update mpath disk capacity on revalidation (git-fixes). - nvme: expose reconnect_delay and ctrl_loss_tmo via sysfs (bsc#1182378). - nvme: fix controller instance leak (git-fixes). - nvme: fix deadlock in disconnect during scan_work and/or ana_work (git-fixes). - nvme: fix possible deadlock when I/O is blocked (git-fixes). - nvme: remove superfluous else in nvme_ctrl_loss_tmo_store (bsc#1182378). - nvme: retrigger ANA log update if group descriptor isn't found (git-fixes) - nvme: sanitize KATO setting (bsc#1179825). - nvme: simplify error logic in nvme_validate_ns() (bsc#1184259). - nvmet: fix a memory leak (git-fixes). - nvmet: seset ns->file when open fails (bsc#1183873). - nvmet: use new ana_log_size instead the old one (bsc#1184259). - nxp-i2c: restore includes for kABI (bsc#1185589). - nxp-nci: add NXP1002 id (bsc#1185589). - phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() (git-fixes). - pinctrl: ingenic: Improve unreachable code generation (git-fixes). - pinctrl: samsung: use 'int' for register masks in Exynos (git-fixes). - platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue (git-fixes). - platform/x86: intel_pmc_core: Do not use global pmcdev in quirks (git-fixes). - platform/x86: thinkpad_acpi: Correct thermal sensor allocation (git-fixes). 
- posix-timers: Preserve return value in clock_adjtime32() (git-fixes) - power: supply: Use IRQF_ONESHOT (git-fixes). - power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() (git-fixes). - power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() (git-fixes). - powerpc/64s: Fix crashes when toggling entry flush barrier (bsc#1177666 git-fixes). - powerpc/64s: Fix crashes when toggling stf barrier (bsc#1087082 git-fixes). - qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth (git-fixes). - rtc: pcf2127: handle timestamp interrupts (bsc#1185495). - s390/dasd: fix hanging DASD driver unbind (bsc#1183932 LTC#192153). - s390/entry: save the caller of psw_idle (bsc#1185677). - s390/kdump: fix out-of-memory with PCI (bsc#1182257 LTC#191375). - sched/eas: Do not update misfit status if the task is pinned (git-fixes) - sched/fair: Avoid stale CPU util_est value for schedutil in (git-fixes) - sched/fair: Fix unfairness caused by missing load decay (git-fixes) - scripts/git_sort/git_sort.py: add bpf git repo - scsi: core: Run queue in case of I/O resource contention failure (bsc#1186416). - scsi: fnic: Kill 'exclude_id' argument to fnic_cleanup_io() (bsc#1179851). - scsi: libfc: Avoid invoking response handler twice if ep is already completed (bsc#1186573). - scsi: lpfc: Add a option to enable interlocked ABTS before job completion (bsc#1186451). - scsi: lpfc: Add ndlp kref accounting for resume RPI path (bsc#1186451). - scsi: lpfc: Fix 'Unexpected timeout' error in direct attach topology (bsc#1186451). - scsi: lpfc: Fix Node recovery when driver is handling simultaneous PLOGIs (bsc#1186451). - scsi: lpfc: Fix bad memory access during VPD DUMP mailbox command (bsc#1186451). - scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs (bsc#1186451). - scsi: lpfc: Fix node handling for Fabric Controller and Domain Controller (bsc#1186451). 
- scsi: lpfc: Fix non-optimized ERSP handling (bsc#1186451). - scsi: lpfc: Fix unreleased RPIs when NPIV ports are created (bsc#1186451). - scsi: lpfc: Ignore GID-FT response that may be received after a link flip (bsc#1186451). - scsi: lpfc: Reregister FPIN types if ELS_RDF is received from fabric controller (bsc#1186451). - scsi: lpfc: Update lpfc version to 12.8.0.10 (bsc#1186451). - sctp: delay auto_asconf init until binding the first addr (<cover.1620748346.git.mkubecek at suse.cz>). - serial: core: fix suspicious security_locked_down() call (git-fixes). - serial: core: return early on unsupported ioctls (git-fixes). - serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (git-fixes). - serial: stm32: fix incorrect characters on console (git-fixes). - serial: stm32: fix tx_empty condition (git-fixes). - serial: tegra: Fix a mask operation that is always true (git-fixes). - smc: disallow TCP_ULP in smc_setsockopt() (git-fixes). - spi: ath79: always call chipselect function (git-fixes). - spi: ath79: remove spi-master setup and cleanup assignment (git-fixes). - spi: dln2: Fix reference leak to master (git-fixes). - spi: omap-100k: Fix reference leak to master (git-fixes). - spi: qup: fix PM reference leak in spi_qup_remove() (git-fixes). - spi: spi-fsl-dspi: Fix a resource leak in an error handling path (git-fixes). - staging: emxx_udc: fix loop in _nbu2ss_nuke() (git-fixes). - staging: iio: cdc: ad7746: avoid overwrite of num_channels (git-fixes). - tcp: fix to update snd_wl1 in bulk receiver fast path (<cover.1620748346.git.mkubecek at suse.cz>). - thermal/drivers/ti-soc-thermal/bandgap Remove unused variable 'val' (git-fixes). - thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (git-fixes). - tracing: Map all PIDs to command lines (git-fixes). - tty: amiserial: fix TIOCSSERIAL permission check (git-fixes). - tty: fix memory leak in vc_deallocate (git-fixes). - tty: moxa: fix TIOCSSERIAL jiffies conversions (git-fixes). 
- tty: moxa: fix TIOCSSERIAL permission check (git-fixes). - uio: uio_hv_generic: use devm_kzalloc() for private data alloc (git-fixes). - uio_hv_generic: Fix a memory leak in error handling paths (git-fixes). - uio_hv_generic: Fix another memory leak in error handling paths (git-fixes). - uio_hv_generic: add missed sysfs_remove_bin_file (git-fixes). - usb: core: hub: Fix PM reference leak in usb_port_resume() (git-fixes). - usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes). - usb: dwc2: Fix gadget DMA unmap direction (git-fixes). - usb: dwc3: gadget: Enable suspend events (git-fixes). - usb: dwc3: gadget: Return success always for kick transfer in ep queue (git-fixes). - usb: dwc3: omap: improve extcon initialization (git-fixes). - usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield (git-fixes). - usb: fotg210-hcd: Fix an error message (git-fixes). - usb: gadget/function/f_fs string table fix for multiple languages (git-fixes). - usb: gadget: dummy_hcd: fix gpf in gadget_setup (git-fixes). - usb: gadget: f_uac1: validate input parameters (git-fixes). - usb: gadget: f_uac2: validate input parameters (git-fixes). - usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() (git-fixes). - usb: gadget: uvc: add bInterval checking for HS mode (git-fixes). - usb: musb: fix PM reference leak in musb_irq_work() (git-fixes). - usb: sl811-hcd: improve misleading indentation (git-fixes). - usb: webcam: Invalid size of Processing Unit Descriptor (git-fixes). - usb: xhci: Fix port minor revision (git-fixes). - usb: xhci: Increase timeout for HC halt (git-fixes). - vgacon: Record video mode changes with VT_RESIZEX (git-fixes). - video: hyperv_fb: Add ratelimit on error message (bsc#1185725). - vrf: fix a comment about loopback device (git-fixes). - watchdog/softlockup: Remove obsolete check of last reported task (bsc#1185982). - watchdog/softlockup: report the overall time of softlockups (bsc#1185982). 
- watchdog: explicitly update timestamp when reporting softlockup (bsc#1185982). - watchdog: rename __touch_watchdog() to a better descriptive name (bsc#1185982). - whitespace cleanup - wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join (git-fixes). - wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt (git-fixes). - workqueue: Minor follow-ups to the rescuer destruction change (bsc#1185911). - workqueue: more destroy_workqueue() fixes (bsc#1185911). - x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is supported (bsc#1152489). - xhci: Do not use GFP_KERNEL in (potentially) atomic context (git-fixes). - xhci: check control context is valid before dereferencing it (git-fixes). - xhci: fix potential array out of bounds with several interrupters (git-fixes). - xsk: Respect device's headroom and tailroom on generic xmit path (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1910-1 Released: Wed Jun 9 09:37:41 2021 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1186673 This update for openssh fixes the following issues: - Further attempts to mitigate instances of secrets lingering in memory after a session exits to meet key zeroization requirements. (bsc#1186673) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1917-1 Released: Wed Jun 9 14:48:05 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1186015,CVE-2021-3541 This update for libxml2 fixes the following issues: - CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. 
(bsc#1186015) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1923-1 Released: Thu Jun 10 08:37:00 2021 Summary: Recommended update for nfs-utils Type: recommended Severity: important References: 1183194 This update for nfs-utils fixes the following issues: - Ensured thread safety when opening files over NFS to prevent a use-after-free issue (bsc#1183194) From sle-security-updates at lists.suse.com Fri Jun 11 16:17:16 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 11 Jun 2021 18:17:16 +0200 (CEST) Subject: SUSE-SU-2021:1957-1: moderate: Security update for libjpeg-turbo Message-ID: <20210611161716.9348EFD07@maintenance.suse.de> SUSE Security Update: Security update for libjpeg-turbo ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1957-1 Rating: moderate References: #1186764 Cross-References: CVE-2020-17541 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libjpeg-turbo fixes the following issues: - CVE-2020-17541: Fixed a stack-based buffer overflow in the "transform" component (bsc#1186764). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1957=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1957=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libjpeg62-devel-62.2.0-31.25.1 libjpeg8-devel-8.1.2-31.25.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libjpeg-turbo-1.5.3-31.25.1 libjpeg-turbo-debuginfo-1.5.3-31.25.1 libjpeg-turbo-debugsource-1.5.3-31.25.1 libjpeg62-62.2.0-31.25.1 libjpeg62-debuginfo-62.2.0-31.25.1 libjpeg62-turbo-1.5.3-31.25.1 libjpeg62-turbo-debugsource-1.5.3-31.25.1 libjpeg8-8.1.2-31.25.1 libjpeg8-debuginfo-8.1.2-31.25.1 libturbojpeg0-8.1.2-31.25.1 libturbojpeg0-debuginfo-8.1.2-31.25.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libjpeg62-32bit-62.2.0-31.25.1 libjpeg62-debuginfo-32bit-62.2.0-31.25.1 libjpeg8-32bit-8.1.2-31.25.1 libjpeg8-debuginfo-32bit-8.1.2-31.25.1 References: https://www.suse.com/security/cve/CVE-2020-17541.html https://bugzilla.suse.com/1186764 From sle-security-updates at lists.suse.com Fri Jun 11 16:18:34 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 11 Jun 2021 18:18:34 +0200 (CEST) Subject: SUSE-SU-2021:1956-1: important: Security update for spice Message-ID: <20210611161834.28511FD07@maintenance.suse.de> SUSE Security Update: Security update for spice ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1956-1 Rating: important References: #1177158 #1181686 Cross-References: CVE-2020-14355 CVE-2021-20201 CVSS scores: CVE-2020-14355 (NVD) : 6.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2020-14355 (SUSE): 6.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2021-20201 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-20201 (SUSE): 6.8 
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for spice fixes the following issues: - CVE-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686) - CVE-2020-14355: Fixed multiple buffer overflow vulnerabilities in QUIC decoding code (bsc#1177158) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1956=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1956=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1956=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1956=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1956=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1956=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1956=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1956=1 - SUSE Enterprise Storage 6: zypper in -t 
patch SUSE-Storage-6-2021-1956=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): libspice-server-devel-0.14.1-4.3.1 libspice-server1-0.14.1-4.3.1 libspice-server1-debuginfo-0.14.1-4.3.1 spice-debugsource-0.14.1-4.3.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): libspice-server-devel-0.14.1-4.3.1 libspice-server1-0.14.1-4.3.1 libspice-server1-debuginfo-0.14.1-4.3.1 spice-debugsource-0.14.1-4.3.1 - SUSE Manager Proxy 4.0 (x86_64): libspice-server-devel-0.14.1-4.3.1 libspice-server1-0.14.1-4.3.1 libspice-server1-debuginfo-0.14.1-4.3.1 spice-debugsource-0.14.1-4.3.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): libspice-server-devel-0.14.1-4.3.1 libspice-server1-0.14.1-4.3.1 libspice-server1-debuginfo-0.14.1-4.3.1 spice-debugsource-0.14.1-4.3.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): libspice-server-devel-0.14.1-4.3.1 libspice-server1-0.14.1-4.3.1 libspice-server1-debuginfo-0.14.1-4.3.1 spice-debugsource-0.14.1-4.3.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): libspice-server-devel-0.14.1-4.3.1 libspice-server1-0.14.1-4.3.1 libspice-server1-debuginfo-0.14.1-4.3.1 spice-debugsource-0.14.1-4.3.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): libspice-server-devel-0.14.1-4.3.1 libspice-server1-0.14.1-4.3.1 libspice-server1-debuginfo-0.14.1-4.3.1 spice-debugsource-0.14.1-4.3.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): libspice-server-devel-0.14.1-4.3.1 libspice-server1-0.14.1-4.3.1 libspice-server1-debuginfo-0.14.1-4.3.1 spice-debugsource-0.14.1-4.3.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): libspice-server-devel-0.14.1-4.3.1 libspice-server1-0.14.1-4.3.1 libspice-server1-debuginfo-0.14.1-4.3.1 
spice-debugsource-0.14.1-4.3.1 - SUSE CaaS Platform 4.0 (x86_64): libspice-server-devel-0.14.1-4.3.1 libspice-server1-0.14.1-4.3.1 libspice-server1-debuginfo-0.14.1-4.3.1 spice-debugsource-0.14.1-4.3.1 References: https://www.suse.com/security/cve/CVE-2020-14355.html https://www.suse.com/security/cve/CVE-2021-20201.html https://bugzilla.suse.com/1177158 https://bugzilla.suse.com/1181686 From sle-security-updates at lists.suse.com Fri Jun 11 16:20:00 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 11 Jun 2021 18:20:00 +0200 (CEST) Subject: SUSE-SU-2021:1963-1: moderate: Security update for crowbar-openstack, grafana, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store Message-ID: <20210611162000.AFD0BFD07@maintenance.suse.de> SUSE Security Update: Security update for crowbar-openstack, grafana, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1963-1 Rating: moderate References: #1044849 #1179805 #1181379 #1183803 #1184148 #1185623 #1186608 #1186611 SOC-11435 Cross-References: CVE-2017-11481 CVE-2017-11499 CVE-2019-25025 CVE-2020-29651 CVE-2021-27358 CVE-2021-28658 CVE-2021-31542 CVE-2021-3281 CVE-2021-33203 CVE-2021-33571 CVSS scores: CVE-2017-11481 (NVD) : 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2017-11481 (SUSE): 5.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVE-2017-11499 (NVD) : 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-11499 (SUSE): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-25025 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2019-25025 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-29651 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-29651 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-27358 (NVD) : 7.5 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-27358 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28658 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2021-28658 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2021-31542 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-31542 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-3281 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2021-3281 (SUSE): 6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H CVE-2021-33571 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE OpenStack Cloud 7 ______________________________________________________________________________ An update that fixes 10 vulnerabilities, contains one feature is now available. Description: This update for crowbar-openstack, grafana, kibana, monasca-installer, python-Django, python-py, rubygem-activerecord-session_store contains the following fixes: Security fixes included in this update: crowbar-openstack: - CVE-2016-8611: Added rate limiting for the '/images' API POST method (bsc#1005886). 
grafana:
- CVE-2021-27358: Fixed a denial of service via remote API call (bsc#1183803)

kibana:
- CVE-2017-11499: Fixed a vulnerability in nodejs, related to the HashTable implementation, which could cause a denial of service (bsc#1044849)
- CVE-2017-11481: Fixed a cross site scripting vulnerability via URL fields (bsc#1044849)

python-Django:
- CVE-2021-3281: Fixed a directory traversal via archive.extract() (bsc#1181379)
- CVE-2021-28658: Fixed a directory traversal via uploaded files (bsc#1184148)
- CVE-2021-31542: Fixed a directory traversal via uploaded files with suitably crafted file names (bsc#1185623)
- CVE-2021-33203: Fixed potential path-traversal via admindocs' TemplateDetailView (bsc#1186608)
- CVE-2021-33571: Tighten validator checks to not allow leading zeros in IPv4 addresses, which potentially leads to further attacks (bsc#1186611)

python-py:
- CVE-2020-29651: Fixed a denial of service via regular expressions (bsc#1179805)

rubygem-activerecord-session_store:
- CVE-2019-25025: Fixed a timing attack targeting the session id which could allow an attacker to hijack sessions (bsc#1183174)

Non-security fixes included in this update:

Changes in crowbar-openstack:
- Update to version 4.0+git.1616146720.44daffca0:
  * monasca: restart Kibana on update (bsc#1044849)

Changes in grafana_Update:
- Add CVE-2021-27358.patch (bsc#1183803, CVE-2021-27358)
  * Prevent unauthenticated remote attackers from causing a DoS through the snapshots API.

Changes in kibana_Update: - Ensure /etc/sysconfig/kibana is present - Update to Kibana 4.6.6 (bsc#1044849, CVE-2017-11499, ESA-2017-14, ESA-2017-16) * [4.6] ignore forked code for babel transpile build phase (#13483) * Allow more than match queries in custom filters (#8614) (#10857) * [state] don't make extra $location.replace() calls (#9954) * [optimizer] move to querystring-browser package for up-to-date api * [state/unhashUrl] use encode-uri-query to generate cleanly encoded urls * server: refactor log_interceptor to be more DRY (#9617) * server: downgrade ECANCELED logs to debug (#9616) * server: do not treat logged warnings as errors (#8746) (#9610) * [server/logger] downgrade EPIPE errors to debug level (#9023) * Add basepath when redirecting from a trailling slash (#9035) * [es/kibanaIndex] use unmapped_type rather than ignore_unmapped (#8968) * [server/shortUrl] validate urls before shortening them - Add CVE-2017-11481.patch (bsc#1044849, CVE-2017-11481) * This fixes an XSS vulnerability in URL fields - Remove %dir declaration from /opt/kibana/optimize to ensure no files owned by root end up in there - Exclude /opt/kibana/optimize from %fdupes - Restart service on upgrade - Do not copy LICENSE.txt and README.txt to /opt/kibana - Fix rpmlint warnings/errors - Switch to explicit patch application - Fix source URL - Fix logic for systemd/systemv detection Changes in monasca-installer_Update: - Add support-influxdb-1.2.patch (SOC-11435) Changes in python-Django_Update: - Fixed potential path-traversal via admindocs' TemplateDetailView.(bsc#1186608, CVE-2021-33203) - Prevented leading zeros in IPv4 addresses. (bsc#1186611, CVE-2021-33571) - Add delegate-os-path-filename-generation-to-storage.patch (bsc#1185623) * Needed for CVE-2021-31542.patch to apply - Tightened path & file name sanitation in file uploads. (bsc#1185623, CVE-2021-31542) - Fixed potential directory-traversal via uploaded files. 
(bsc#1184148, CVE-2021-28658) - Fixes a potential directory traversal when extracting archives. (bsc#1181379, CVE-2021-3281) Changes in python-py_Update: - Add CVE-2020-29651.patch (CVE-2020-29651, bsc#1179805) * svnwc: fix regular expression vulnerable to DoS in blame functionality - Ensure /usr/share/licenses exists Changes in rubygem-activerecord-session_store_Update: - added CVE-2019-25025.patch (CVE-2019-25025, bsc#1183174) * This requires CVE-2019-16782.patch to be included in rubygem-actionpack-4_2 to work correctly. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2021-1963=1 Package List: - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64): ruby2.1-rubygem-activerecord-session_store-0.1.2-3.4.2 - SUSE OpenStack Cloud 7 (x86_64): grafana-6.7.4-1.24.2 kibana-4.6.6-9.2 kibana-debuginfo-4.6.6-9.2 - SUSE OpenStack Cloud 7 (noarch): crowbar-openstack-4.0+git.1616146720.44daffca0-9.81.2 monasca-installer-20180608_12.47-16.2 python-Django-1.8.19-3.29.1 python-py-1.8.1-11.16.2 References: https://www.suse.com/security/cve/CVE-2017-11481.html https://www.suse.com/security/cve/CVE-2017-11499.html https://www.suse.com/security/cve/CVE-2019-25025.html https://www.suse.com/security/cve/CVE-2020-29651.html https://www.suse.com/security/cve/CVE-2021-27358.html https://www.suse.com/security/cve/CVE-2021-28658.html https://www.suse.com/security/cve/CVE-2021-31542.html https://www.suse.com/security/cve/CVE-2021-3281.html https://www.suse.com/security/cve/CVE-2021-33203.html https://www.suse.com/security/cve/CVE-2021-33571.html https://bugzilla.suse.com/1044849 https://bugzilla.suse.com/1179805 https://bugzilla.suse.com/1181379 https://bugzilla.suse.com/1183803 https://bugzilla.suse.com/1184148 https://bugzilla.suse.com/1185623 
https://bugzilla.suse.com/1186608 https://bugzilla.suse.com/1186611 From sle-security-updates at lists.suse.com Fri Jun 11 16:24:30 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 11 Jun 2021 18:24:30 +0200 (CEST) Subject: SUSE-SU-2021:1960-1: moderate: Security update for freeradius-server Message-ID: <20210611162430.7C4F3FD07@maintenance.suse.de> SUSE Security Update: Security update for freeradius-server ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1960-1 Rating: moderate References: #1184016 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for freeradius-server fixes the following issues: - Do not log passwords in logfiles (bsc#1184016) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1960=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1960=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1960=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1960=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1960=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1960=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1960=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1960=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1960=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1960=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): freeradius-server-3.0.15-2.20.1 freeradius-server-debuginfo-3.0.15-2.20.1 freeradius-server-debugsource-3.0.15-2.20.1 freeradius-server-doc-3.0.15-2.20.1 freeradius-server-krb5-3.0.15-2.20.1 freeradius-server-krb5-debuginfo-3.0.15-2.20.1 freeradius-server-ldap-3.0.15-2.20.1 freeradius-server-ldap-debuginfo-3.0.15-2.20.1 freeradius-server-libs-3.0.15-2.20.1 freeradius-server-libs-debuginfo-3.0.15-2.20.1 freeradius-server-mysql-3.0.15-2.20.1 freeradius-server-mysql-debuginfo-3.0.15-2.20.1 freeradius-server-perl-3.0.15-2.20.1 freeradius-server-perl-debuginfo-3.0.15-2.20.1 freeradius-server-postgresql-3.0.15-2.20.1 freeradius-server-postgresql-debuginfo-3.0.15-2.20.1 freeradius-server-python-3.0.15-2.20.1 freeradius-server-python-debuginfo-3.0.15-2.20.1 freeradius-server-sqlite-3.0.15-2.20.1 freeradius-server-sqlite-debuginfo-3.0.15-2.20.1 freeradius-server-utils-3.0.15-2.20.1 freeradius-server-utils-debuginfo-3.0.15-2.20.1 - SUSE 
OpenStack Cloud Crowbar 8 (x86_64): freeradius-server-3.0.15-2.20.1 freeradius-server-debuginfo-3.0.15-2.20.1 freeradius-server-debugsource-3.0.15-2.20.1 freeradius-server-doc-3.0.15-2.20.1 freeradius-server-krb5-3.0.15-2.20.1 freeradius-server-krb5-debuginfo-3.0.15-2.20.1 freeradius-server-ldap-3.0.15-2.20.1 freeradius-server-ldap-debuginfo-3.0.15-2.20.1 freeradius-server-libs-3.0.15-2.20.1 freeradius-server-libs-debuginfo-3.0.15-2.20.1 freeradius-server-mysql-3.0.15-2.20.1 freeradius-server-mysql-debuginfo-3.0.15-2.20.1 freeradius-server-perl-3.0.15-2.20.1 freeradius-server-perl-debuginfo-3.0.15-2.20.1 freeradius-server-postgresql-3.0.15-2.20.1 freeradius-server-postgresql-debuginfo-3.0.15-2.20.1 freeradius-server-python-3.0.15-2.20.1 freeradius-server-python-debuginfo-3.0.15-2.20.1 freeradius-server-sqlite-3.0.15-2.20.1 freeradius-server-sqlite-debuginfo-3.0.15-2.20.1 freeradius-server-utils-3.0.15-2.20.1 freeradius-server-utils-debuginfo-3.0.15-2.20.1 - SUSE OpenStack Cloud 9 (x86_64): freeradius-server-3.0.15-2.20.1 freeradius-server-debuginfo-3.0.15-2.20.1 freeradius-server-debugsource-3.0.15-2.20.1 freeradius-server-doc-3.0.15-2.20.1 freeradius-server-krb5-3.0.15-2.20.1 freeradius-server-krb5-debuginfo-3.0.15-2.20.1 freeradius-server-ldap-3.0.15-2.20.1 freeradius-server-ldap-debuginfo-3.0.15-2.20.1 freeradius-server-libs-3.0.15-2.20.1 freeradius-server-libs-debuginfo-3.0.15-2.20.1 freeradius-server-mysql-3.0.15-2.20.1 freeradius-server-mysql-debuginfo-3.0.15-2.20.1 freeradius-server-perl-3.0.15-2.20.1 freeradius-server-perl-debuginfo-3.0.15-2.20.1 freeradius-server-postgresql-3.0.15-2.20.1 freeradius-server-postgresql-debuginfo-3.0.15-2.20.1 freeradius-server-python-3.0.15-2.20.1 freeradius-server-python-debuginfo-3.0.15-2.20.1 freeradius-server-sqlite-3.0.15-2.20.1 freeradius-server-sqlite-debuginfo-3.0.15-2.20.1 freeradius-server-utils-3.0.15-2.20.1 freeradius-server-utils-debuginfo-3.0.15-2.20.1 - SUSE OpenStack Cloud 8 (x86_64): 
freeradius-server-3.0.15-2.20.1 freeradius-server-debuginfo-3.0.15-2.20.1 freeradius-server-debugsource-3.0.15-2.20.1 freeradius-server-doc-3.0.15-2.20.1 freeradius-server-krb5-3.0.15-2.20.1 freeradius-server-krb5-debuginfo-3.0.15-2.20.1 freeradius-server-ldap-3.0.15-2.20.1 freeradius-server-ldap-debuginfo-3.0.15-2.20.1 freeradius-server-libs-3.0.15-2.20.1 freeradius-server-libs-debuginfo-3.0.15-2.20.1 freeradius-server-mysql-3.0.15-2.20.1 freeradius-server-mysql-debuginfo-3.0.15-2.20.1 freeradius-server-perl-3.0.15-2.20.1 freeradius-server-perl-debuginfo-3.0.15-2.20.1 freeradius-server-postgresql-3.0.15-2.20.1 freeradius-server-postgresql-debuginfo-3.0.15-2.20.1 freeradius-server-python-3.0.15-2.20.1 freeradius-server-python-debuginfo-3.0.15-2.20.1 freeradius-server-sqlite-3.0.15-2.20.1 freeradius-server-sqlite-debuginfo-3.0.15-2.20.1 freeradius-server-utils-3.0.15-2.20.1 freeradius-server-utils-debuginfo-3.0.15-2.20.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): freeradius-server-3.0.15-2.20.1 freeradius-server-debuginfo-3.0.15-2.20.1 freeradius-server-debugsource-3.0.15-2.20.1 freeradius-server-doc-3.0.15-2.20.1 freeradius-server-krb5-3.0.15-2.20.1 freeradius-server-krb5-debuginfo-3.0.15-2.20.1 freeradius-server-ldap-3.0.15-2.20.1 freeradius-server-ldap-debuginfo-3.0.15-2.20.1 freeradius-server-libs-3.0.15-2.20.1 freeradius-server-libs-debuginfo-3.0.15-2.20.1 freeradius-server-mysql-3.0.15-2.20.1 freeradius-server-mysql-debuginfo-3.0.15-2.20.1 freeradius-server-perl-3.0.15-2.20.1 freeradius-server-perl-debuginfo-3.0.15-2.20.1 freeradius-server-postgresql-3.0.15-2.20.1 freeradius-server-postgresql-debuginfo-3.0.15-2.20.1 freeradius-server-python-3.0.15-2.20.1 freeradius-server-python-debuginfo-3.0.15-2.20.1 freeradius-server-sqlite-3.0.15-2.20.1 freeradius-server-sqlite-debuginfo-3.0.15-2.20.1 freeradius-server-utils-3.0.15-2.20.1 freeradius-server-utils-debuginfo-3.0.15-2.20.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): 
freeradius-server-3.0.15-2.20.1 freeradius-server-debuginfo-3.0.15-2.20.1 freeradius-server-debugsource-3.0.15-2.20.1 freeradius-server-doc-3.0.15-2.20.1 freeradius-server-krb5-3.0.15-2.20.1 freeradius-server-krb5-debuginfo-3.0.15-2.20.1 freeradius-server-ldap-3.0.15-2.20.1 freeradius-server-ldap-debuginfo-3.0.15-2.20.1 freeradius-server-libs-3.0.15-2.20.1 freeradius-server-libs-debuginfo-3.0.15-2.20.1 freeradius-server-mysql-3.0.15-2.20.1 freeradius-server-mysql-debuginfo-3.0.15-2.20.1 freeradius-server-perl-3.0.15-2.20.1 freeradius-server-perl-debuginfo-3.0.15-2.20.1 freeradius-server-postgresql-3.0.15-2.20.1 freeradius-server-postgresql-debuginfo-3.0.15-2.20.1 freeradius-server-python-3.0.15-2.20.1 freeradius-server-python-debuginfo-3.0.15-2.20.1 freeradius-server-sqlite-3.0.15-2.20.1 freeradius-server-sqlite-debuginfo-3.0.15-2.20.1 freeradius-server-utils-3.0.15-2.20.1 freeradius-server-utils-debuginfo-3.0.15-2.20.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): freeradius-server-3.0.15-2.20.1 freeradius-server-debuginfo-3.0.15-2.20.1 freeradius-server-debugsource-3.0.15-2.20.1 freeradius-server-doc-3.0.15-2.20.1 freeradius-server-krb5-3.0.15-2.20.1 freeradius-server-krb5-debuginfo-3.0.15-2.20.1 freeradius-server-ldap-3.0.15-2.20.1 freeradius-server-ldap-debuginfo-3.0.15-2.20.1 freeradius-server-libs-3.0.15-2.20.1 freeradius-server-libs-debuginfo-3.0.15-2.20.1 freeradius-server-mysql-3.0.15-2.20.1 freeradius-server-mysql-debuginfo-3.0.15-2.20.1 freeradius-server-perl-3.0.15-2.20.1 freeradius-server-perl-debuginfo-3.0.15-2.20.1 freeradius-server-postgresql-3.0.15-2.20.1 freeradius-server-postgresql-debuginfo-3.0.15-2.20.1 freeradius-server-python-3.0.15-2.20.1 freeradius-server-python-debuginfo-3.0.15-2.20.1 freeradius-server-sqlite-3.0.15-2.20.1 freeradius-server-sqlite-debuginfo-3.0.15-2.20.1 freeradius-server-utils-3.0.15-2.20.1 freeradius-server-utils-debuginfo-3.0.15-2.20.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 
ppc64le s390x x86_64): freeradius-server-3.0.15-2.20.1 freeradius-server-debuginfo-3.0.15-2.20.1 freeradius-server-debugsource-3.0.15-2.20.1 freeradius-server-doc-3.0.15-2.20.1 freeradius-server-krb5-3.0.15-2.20.1 freeradius-server-krb5-debuginfo-3.0.15-2.20.1 freeradius-server-ldap-3.0.15-2.20.1 freeradius-server-ldap-debuginfo-3.0.15-2.20.1 freeradius-server-libs-3.0.15-2.20.1 freeradius-server-libs-debuginfo-3.0.15-2.20.1 freeradius-server-mysql-3.0.15-2.20.1 freeradius-server-mysql-debuginfo-3.0.15-2.20.1 freeradius-server-perl-3.0.15-2.20.1 freeradius-server-perl-debuginfo-3.0.15-2.20.1 freeradius-server-postgresql-3.0.15-2.20.1 freeradius-server-postgresql-debuginfo-3.0.15-2.20.1 freeradius-server-python-3.0.15-2.20.1 freeradius-server-python-debuginfo-3.0.15-2.20.1 freeradius-server-sqlite-3.0.15-2.20.1 freeradius-server-sqlite-debuginfo-3.0.15-2.20.1 freeradius-server-utils-3.0.15-2.20.1 freeradius-server-utils-debuginfo-3.0.15-2.20.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): freeradius-server-3.0.15-2.20.1 freeradius-server-debuginfo-3.0.15-2.20.1 freeradius-server-debugsource-3.0.15-2.20.1 freeradius-server-doc-3.0.15-2.20.1 freeradius-server-krb5-3.0.15-2.20.1 freeradius-server-krb5-debuginfo-3.0.15-2.20.1 freeradius-server-ldap-3.0.15-2.20.1 freeradius-server-ldap-debuginfo-3.0.15-2.20.1 freeradius-server-libs-3.0.15-2.20.1 freeradius-server-libs-debuginfo-3.0.15-2.20.1 freeradius-server-mysql-3.0.15-2.20.1 freeradius-server-mysql-debuginfo-3.0.15-2.20.1 freeradius-server-perl-3.0.15-2.20.1 freeradius-server-perl-debuginfo-3.0.15-2.20.1 freeradius-server-postgresql-3.0.15-2.20.1 freeradius-server-postgresql-debuginfo-3.0.15-2.20.1 freeradius-server-python-3.0.15-2.20.1 freeradius-server-python-debuginfo-3.0.15-2.20.1 freeradius-server-sqlite-3.0.15-2.20.1 freeradius-server-sqlite-debuginfo-3.0.15-2.20.1 freeradius-server-utils-3.0.15-2.20.1 freeradius-server-utils-debuginfo-3.0.15-2.20.1 - HPE Helion Openstack 8 (x86_64): 
freeradius-server-3.0.15-2.20.1 freeradius-server-debuginfo-3.0.15-2.20.1 freeradius-server-debugsource-3.0.15-2.20.1 freeradius-server-doc-3.0.15-2.20.1 freeradius-server-krb5-3.0.15-2.20.1 freeradius-server-krb5-debuginfo-3.0.15-2.20.1 freeradius-server-ldap-3.0.15-2.20.1 freeradius-server-ldap-debuginfo-3.0.15-2.20.1 freeradius-server-libs-3.0.15-2.20.1 freeradius-server-libs-debuginfo-3.0.15-2.20.1 freeradius-server-mysql-3.0.15-2.20.1 freeradius-server-mysql-debuginfo-3.0.15-2.20.1 freeradius-server-perl-3.0.15-2.20.1 freeradius-server-perl-debuginfo-3.0.15-2.20.1 freeradius-server-postgresql-3.0.15-2.20.1 freeradius-server-postgresql-debuginfo-3.0.15-2.20.1 freeradius-server-python-3.0.15-2.20.1 freeradius-server-python-debuginfo-3.0.15-2.20.1 freeradius-server-sqlite-3.0.15-2.20.1 freeradius-server-sqlite-debuginfo-3.0.15-2.20.1 freeradius-server-utils-3.0.15-2.20.1 freeradius-server-utils-debuginfo-3.0.15-2.20.1 References: https://bugzilla.suse.com/1184016 From sle-security-updates at lists.suse.com Fri Jun 11 16:25:56 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 11 Jun 2021 18:25:56 +0200 (CEST) Subject: SUSE-SU-2021:1962-1: moderate: Security update for ardana-neutron, ardana-swift, cassandra, crowbar-openstack, grafana, kibana, openstack-dashboard, openstack-ironic, openstack-neutron, openstack-neutron-gbp, openstack-nova, python-Django1, python-py, python-pysaml2, python-xmlschema, rubygem-activerecord-session_store, venv-openstack-keystone Message-ID: <20210611162556.C730DFD07@maintenance.suse.de> SUSE Security Update: Security update for ardana-neutron, ardana-swift, cassandra, crowbar-openstack, grafana, kibana, openstack-dashboard, openstack-ironic, openstack-neutron, openstack-neutron-gbp, openstack-nova, python-Django1, python-py, python-pysaml2, python-xmlschema, rubygem-activerecord-session_store, venv-openstack-keystone 
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:1962-1
Rating:             moderate
References:         #1044849 #1048688 #1115960 #1148383 #1170657 #1171909
                    #1172409 #1172450 #1174583 #1178243 #1179805 #1181277
                    #1181278 #1181689 #1181690 #1182317 #1182433 #1183174
                    #1183803 #1184148 #1185623 #1186608 #1186611 SOC-10357
                    SOC-11453
Cross-References:   CVE-2017-11481 CVE-2017-11499 CVE-2018-18623 CVE-2018-18624
                    CVE-2018-18625 CVE-2018-19039 CVE-2019-15043 CVE-2019-25025
                    CVE-2020-10743 CVE-2020-11110 CVE-2020-12052 CVE-2020-13379
                    CVE-2020-17516 CVE-2020-24303 CVE-2020-29651 CVE-2021-21238
                    CVE-2021-21239 CVE-2021-23336 CVE-2021-27358 CVE-2021-28658
                    CVE-2021-31542 CVE-2021-33203 CVE-2021-33571
CVSS scores:
                    CVE-2017-11481 (NVD) : 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2017-11481 (SUSE): 5.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
                    CVE-2017-11499 (NVD) : 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2017-11499 (SUSE): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2018-18623 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2018-18623 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2018-18624 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2018-18624 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2018-18625 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2018-18625 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2018-19039 (NVD) : 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2018-19039 (SUSE): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2019-15043 (NVD) : 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-15043 (SUSE): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
                    CVE-2019-25025 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2019-25025 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-10743 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
                    CVE-2020-10743 (SUSE): 3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
                    CVE-2020-11110 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2020-11110 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2020-12052 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2020-12052 (SUSE): 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
                    CVE-2020-13379 (NVD) : 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
                    CVE-2020-13379 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-17516 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-17516 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-24303 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2020-24303 (SUSE): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
                    CVE-2020-29651 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-29651 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2021-21238 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
                    CVE-2021-21238 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
                    CVE-2021-21239 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
                    CVE-2021-21239 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
                    CVE-2021-23336 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
                    CVE-2021-23336 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
                    CVE-2021-27358 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-27358 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-28658 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-28658 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-31542 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-31542 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-33571 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
______________________________________________________________________________

An update that fixes 23 vulnerabilities and contains two features is now available.

Description:

This update for ardana-neutron, ardana-swift, cassandra, crowbar-openstack, grafana, kibana, openstack-dashboard, openstack-ironic, openstack-neutron, openstack-neutron-gbp, openstack-nova, python-Django1, python-py, python-pysaml2, python-xmlschema, rubygem-activerecord-session_store, venv-openstack-keystone contains the following fixes:

Security fixes included in this update:

cassandra:
- CVE-2020-17516: Fixed an issue where encryption between nodes was not enforced correctly for certain internode_encryption settings (bsc#1181689)

grafana:
- CVE-2018-18623, CVE-2018-18624, CVE-2018-18625: Fixed multiple cross site scripting vulnerabilities in the dashboard. (bsc#1172450)
- CVE-2021-27358: Fixed a denial of service via remote API call. (bsc#1183803)
- CVE-2019-15043: Fixed a denial of service by an unauthenticated user in the snapshot HTTP API (bsc#1148383)
- CVE-2020-13379: Fixed an information leak to unauthenticated users. (bsc#1172409)
- CVE-2020-12052: Fixed a cross site scripting vulnerability with the annotation popup (bsc#1170657)
- CVE-2018-19039: Fixed an issue where a privileged user could exfiltrate files (bsc#1115960)
- CVE-2020-11110: Fixed a stored cross site scripting vulnerability. (bsc#1174583)
- CVE-2020-24303: Fixed a cross site scripting vulnerability in a query alias for ElasticSearch datasources (bsc#1178243)

kibana:
- CVE-2017-11499: Fixed a vulnerability in nodejs, related to the HashTable implementation, which could cause a denial of service. (bsc#1044849)
- CVE-2017-11481: Fixed a cross site scripting vulnerability via URL fields. (bsc#1044849)
- CVE-2020-10743: Fixed a clickjacking issue because X-Frame-Options was not used by default. (bsc#1171909)

python-Django:
- CVE-2021-23336: Fixed a web cache poisoning via django.utils.http.limited_parse_qsl(). (bsc#1182433)
- CVE-2021-28658: Fixed a directory traversal via uploaded files. (bsc#1184148)
- CVE-2021-31542: Fixed a directory traversal via uploaded files with suitably crafted file names. (bsc#1185623)
- CVE-2021-33203: Fixed potential path-traversal via admindocs' TemplateDetailView. (bsc#1186608)
- CVE-2021-33571: Tighten validator checks to not allow leading zeros in IPv4 addresses, which potentially leads to further attacks. (bsc#1186611)

python-py:
- CVE-2020-29651: Fixed a denial of service via regular expressions. (bsc#1179805)

python-pysaml2:
- CVE-2021-21238: Fixed improper verification of cryptographic signatures for signed SAML documents. (bsc#1181277)
- CVE-2021-21239: Fixed improper verification of cryptographic signatures when using CryptoBackendXmlSec1(). (bsc#1181278)

rubygem-activerecord-session_store:
- CVE-2019-25025: Fixed a timing attack targeting the session id which could allow an attacker to hijack sessions. (bsc#1183174)

Non-security changes included in this update:

Changes in ardana-neutron:
- Update to version 9.0+git.1615223676.777f0b3:
  * Allow users to stop monitoring rootwrap daemon (bsc#1182317)

Changes in ardana-swift:
- Update to version 9.0+git.1618235096.90974ed:
  * Run swiftlm-scan in the UTC timezone (bsc#1181690)

Changes in cassandra:
- update to 3.11.10 (bsc#1181689, CVE-2020-17516)
  * Fix digest computation for queries with fetched but non queried columns (CASSANDRA-15962)
  * Reduce amount of allocations during batch statement execution (CASSANDRA-16201)
  * Update jflex-1.6.0.jar to match upstream (CASSANDRA-16393)
  * Fix DecimalDeserializer#toString OOM (CASSANDRA-14925)
  * Rate limit validation compactions using compaction_throughput_mb_per_sec (CASSANDRA-16161)
  * SASI's `max_compaction_flush_memory_in_mb` settings over 100GB revert to default of 1GB (CASSANDRA-16071)
  * Prevent unbounded number of pending flushing tasks (CASSANDRA-16261)
  * Improve empty hint file handling during startup (CASSANDRA-16162)
  * Allow empty string in collections with COPY FROM in cqlsh (CASSANDRA-16372)
  * Fix skipping on
pre-3.0 created compact storage sstables due to missing primary key liveness (CASSANDRA-16226) * Extend the exclusion of replica filtering protection to other indices instead of just SASI (CASSANDRA-16311) * Synchronize transaction logs for JBOD (CASSANDRA-16225) * Fix the counting of cells per partition (CASSANDRA-16259) * Fix serial read/non-applying CAS linearizability (CASSANDRA-12126) * Avoid potential NPE in JVMStabilityInspector (CASSANDRA-16294) * Improved check of num_tokens against the length of initial_token (CASSANDRA-14477) * Fix a race condition on ColumnFamilyStore and TableMetrics (CASSANDRA-16228) * Remove the SEPExecutor blocking behavior (CASSANDRA-16186) * Fix invalid cell value skipping when reading from disk (CASSANDRA-16223) * Prevent invoking enable/disable gossip when not in NORMAL (CASSANDRA-16146) * Wait for schema agreement when bootstrapping (CASSANDRA-15158) * Fix the histogram merge of the table metrics (CASSANDRA-16259) * Synchronize Keyspace instance store/clear (CASSANDRA-16210) * Fix ColumnFilter to avoid querying cells of unselected complex columns (CASSANDRA-15977) * Fix memory leak in CompressedChunkReader (CASSANDRA-15880) * Don't attempt value skipping with mixed version cluster (CASSANDRA-15833) * Avoid failing compactions with very large partitions (CASSANDRA-15164) * Make sure LCS handles duplicate sstable added/removed notifications correctly (CASSANDRA-14103) * Fix OOM when terminating repair session (CASSANDRA-15902) * Avoid marking shutting down nodes as up after receiving gossip shutdown message (CASSANDRA-16094) * Check SSTables for latest version before dropping compact storage (CASSANDRA-16063) * Handle unexpected columns due to schema races (CASSANDRA-15899) * Add flag to ignore unreplicated keyspaces during repair (CASSANDRA-15160) * Package tools/bin scripts as executable (CASSANDRA-16151) * Fixed a NullPointerException when calling nodetool enablethrift (CASSANDRA-16127) * Correctly interpret SASI's 
`max_compaction_flush_memory_in_mb` setting in megabytes not bytes (CASSANDRA-16071) * Fix short read protection for GROUP BY queries (CASSANDRA-15459) * Frozen RawTuple is not annotated with frozen in the toString method (CASSANDRA-15857) Merged from 3.0: * Use IF NOT EXISTS for index and UDT create statements in snapshot schema files (CASSANDRA-13935) * Fix gossip shutdown order (CASSANDRA-15816) * Remove broken 'defrag-on-read' optimization (CASSANDRA-15432) * Check for endpoint collision with hibernating nodes (CASSANDRA-14599) * Operational improvements and hardening for replica filtering protection (CASSANDRA-15907) * stop_paranoid disk failure policy is ignored on CorruptSSTableException after node is up (CASSANDRA-15191) * Forbid altering UDTs used in partition keys (CASSANDRA-15933) * Fix empty/null json string representation (CASSANDRA-15896) * 3.x fails to start if commit log has range tombstones from a column which is also deleted (CASSANDRA-15970) * Handle difference in timestamp precision between java8 and java11 in LogFIle.java (CASSANDRA-16050) Merged from 2.2: * Fix CQL parsing of collections when the column type is reversed (CASSANDRA-15814) * Only allow strings to be passed to JMX authentication (CASSANDRA-16077) * Fix cqlsh output when fetching all rows in batch mode (CASSANDRA-15905) * Upgrade Jackson to 2.9.10 (CASSANDRA-15867) * Fix CQL formatting of read command restrictions for slow query log (CASSANDRA-15503) * Allow sstableloader to use SSL on the native port (CASSANDRA-14904) * Backport CASSANDRA-12189: escape string literals (CASSANDRA-15948) * Avoid hinted handoff per-host throttle being arounded to 0 in large cluster (CASSANDRA-15859) * Avoid emitting empty range tombstones from RangeTombstoneList (CASSANDRA-15924) * Avoid thread starvation, and improve compare-and-swap performance, in the slab allocators (CASSANDRA-15922) * Add token to tombstone warning and error messages (CASSANDRA-15890) * Fixed range read concurrency factor 
computation and capped as 10 times tpc cores (CASSANDRA-15752) * Catch exception on bootstrap resume and init native transport (CASSANDRA-15863) * Fix replica-side filtering returning stale data with CL > ONE (CASSANDRA-8272, CASSANDRA-8273) * Fix duplicated row on 2.x upgrades when multi-rows range tombstones interact with collection ones (CASSANDRA-15805) * Rely on snapshotted session infos on StreamResultFuture.maybeComplete to avoid race conditions (CASSANDRA-15667) * EmptyType doesn't override writeValue so could attempt to write bytes when expected not to (CASSANDRA-15790) * Fix index queries on partition key columns when some partitions contains only static data (CASSANDRA-13666) * Avoid creating duplicate rows during major upgrades (CASSANDRA-15789) * liveDiskSpaceUsed and totalDiskSpaceUsed get corrupted if IndexSummaryRedistribution gets interrupted (CASSANDRA-15674) * Fix Debian init start/stop (CASSANDRA-15770) * Fix infinite loop on index query paging in tables with clustering (CASSANDRA-14242) * Fix chunk index overflow due to large sstable with small chunk length (CASSANDRA-15595) * Allow selecting static column only when querying static index (CASSANDRA-14242) * cqlsh return non-zero status when STDIN CQL fails (CASSANDRA-15623) * Don't skip sstables in slice queries based only on local min/max/deletion timestamp (CASSANDRA-15690) * Memtable memory allocations may deadlock (CASSANDRA-15367) * Run evictFromMembership in GossipStage (CASSANDRA-15592) * Fix nomenclature of allow and deny lists (CASSANDRA-15862) * Remove generated files from source artifact (CASSANDRA-15849) * Remove duplicated tools binaries from tarballs (CASSANDRA-15768) * Duplicate results with DISTINCT queries in mixed mode (CASSANDRA-15501) * Disable JMX rebinding (CASSANDRA-15653) * Fix writing of snapshot manifest when the table has table-backed secondary indexes (CASSANDRA-10968) * Fix parse error in cqlsh COPY FROM and formatting for map of blobs (CASSANDRA-15679) * Fix Commit 
log replays when static column clustering keys are collections (CASSANDRA-14365) * Fix Red Hat init script on newer systemd versions (CASSANDRA-15273) * Allow EXTRA_CLASSPATH to work on tar/source installations (CASSANDRA-15567) * Fix bad UDT sstable metadata serialization headers written by C* 3.0 on upgrade and in sstablescrub (CASSANDRA-15035) * Fix nodetool compactionstats showing extra pending task for TWCS - patch implemented (CASSANDRA-15409) * Fix SELECT JSON formatting for the "duration" type (CASSANDRA-15075) * Fix LegacyLayout to have same behavior as 2.x when handling unknown column names (CASSANDRA-15081) * Update nodetool help stop output (CASSANDRA-15401) * Run in-jvm upgrade dtests in circleci (CASSANDRA-15506) * Include updates to static column in mutation size calculations (CASSANDRA-15293) * Fix point-in-time recoevery ignoring timestamp of updates to static columns (CASSANDRA-15292) * GC logs are also put under $CASSANDRA_LOG_DIR (CASSANDRA-14306) * Fix sstabledump's position key value when partitions have multiple rows (CASSANDRA-14721) * Avoid over-scanning data directories in LogFile.verify() (CASSANDRA-15364) * Bump generations and document changes to system_distributed and system_traces in 3.0, 3.11 (CASSANDRA-15441) * Fix system_traces creation timestamp; optimise system keyspace upgrades (CASSANDRA-15398) * Fix various data directory prefix matching issues (CASSANDRA-13974) * Minimize clustering values in metadata collector (CASSANDRA-15400) * Avoid over-trimming of results in mixed mode clusters (CASSANDRA-15405) * validate value sizes in LegacyLayout (CASSANDRA-15373) * Ensure that tracing doesn't break connections in 3.x/4.0 mixed mode by default (CASSANDRA-15385) * Make sure index summary redistribution does not start when compactions are paused (CASSANDRA-15265) * Ensure legacy rows have primary key livenessinfo when they contain illegal cells (CASSANDRA-15365) * Fix race condition when setting bootstrap flags (CASSANDRA-14878) * Fix 
NativeLibrary.tryOpenDirectory callers for Windows (CASSANDRA-15426) * Fix SELECT JSON output for empty blobs (CASSANDRA-15435) * In-JVM DTest: Set correct internode message version for upgrade test (CASSANDRA-15371) * In-JVM DTest: Support NodeTool in dtest (CASSANDRA-15429) * Fix NativeLibrary.tryOpenDirectory callers for Windows (CASSANDRA-15426) * Fix SASI non-literal string comparisons (range operators) (CASSANDRA-15169) * Make sure user defined compaction transactions are always closed (CASSANDRA-15123) * Fix cassandra-env.sh to use $CASSANDRA_CONF to find cassandra-jaas.config (CASSANDRA-14305) * Fixed nodetool cfstats printing index name twice (CASSANDRA-14903) * Add flag to disable SASI indexes, and warnings on creation (CASSANDRA-14866) * Add ability to cap max negotiable protocol version (CASSANDRA-15193) * Gossip tokens on startup if available (CASSANDRA-15335) * Fix resource leak in CompressedSequentialWriter (CASSANDRA-15340) * Fix bad merge that reverted CASSANDRA-14993 (CASSANDRA-15289) * Fix LegacyLayout RangeTombstoneList IndexOutOfBoundsException when upgrading and RangeTombstone bounds are asymmetric (CASSANDRA-15172) * Fix NPE when using allocate_tokens_for_keyspace on new DC/rack (CASSANDRA-14952) * Filter sstables earlier when running cleanup (CASSANDRA-15100) * Use mean row count instead of mean column count for index selectivity calculation (CASSANDRA-15259) * Avoid updating unchanged gossip states (CASSANDRA-15097) * Prevent recreation of previously dropped columns with a different kind (CASSANDRA-14948) * Prevent client requests from blocking on executor task queue (CASSANDRA-15013) * Toughen up column drop/recreate type validations (CASSANDRA-15204) * LegacyLayout should handle paging states that cross a collection column (CASSANDRA-15201) * Prevent RuntimeException when username or password is empty/null (CASSANDRA-15198) * Multiget thrift query returns null records after digest mismatch (CASSANDRA-14812) * Skipping illegal legacy cells 
can break reverse iteration of indexed partitions (CASSANDRA-15178) * Handle paging states serialized with a different version than the session's (CASSANDRA-15176) * Throw IOE instead of asserting on unsupporter peer versions (CASSANDRA-15066) * Update token metadata when handling MOVING/REMOVING_TOKEN events (CASSANDRA-15120) * Add ability to customize cassandra log directory using $CASSANDRA_LOG_DIR (CASSANDRA-15090) * Skip cells with illegal column names when reading legacy sstables (CASSANDRA-15086) * Fix assorted gossip races and add related runtime checks (CASSANDRA-15059) * Fix mixed mode partition range scans with limit (CASSANDRA-15072) * cassandra-stress works with frozen collections: list and set (CASSANDRA-14907) * Fix handling FS errors on writing and reading flat files - LogTransaction and hints (CASSANDRA-15053) * Avoid double closing the iterator to avoid overcounting the number of requests (CASSANDRA-15058) * Improve `nodetool status -r` speed (CASSANDRA-14847) * Improve merkle tree size and time on heap (CASSANDRA-14096) * Add missing commands to nodetool_completion (CASSANDRA-14916) * Anti-compaction temporarily corrupts sstable state for readers (CASSANDRA-15004) * Catch non-IOException in FileUtils.close to make sure that all resources are closed (CASSANDRA-15225) * Handle exceptions during authentication/authorization (CASSANDRA-15041) * Support cross version messaging in in-jvm upgrade dtests (CASSANDRA-15078) * Fix index summary redistribution cancellation (CASSANDRA-15045) * Fixing invalid CQL in security documentation (CASSANDRA-15020) * Allow instance class loaders to be garbage collected for inJVM dtest (CASSANDRA-15170) * Add support for network topology and query tracing for inJVM dtest (CASSANDRA-15319) * Correct sstable sorting for garbagecollect and levelled compaction (CASSANDRA-14870) * Severe concurrency issues in STCS,DTCS,TWCS,TMD.Topology,TypeParser * Add a script to make running the cqlsh tests in cassandra repo easier 
(CASSANDRA-14951) * If SizeEstimatesRecorder misses a 'onDropTable' notification, the size_estimates table will never be cleared for that table. (CASSANDRA-14905) * Counters fail to increment in 2.1/2.2 to 3.X mixed version clusters (CASSANDRA-14958) * Streaming needs to synchronise access to LifecycleTransaction (CASSANDRA-14554) * Fix cassandra-stress write hang with default options (CASSANDRA-14616) * Differentiate between slices and RTs when decoding legacy bounds (CASSANDRA-14919) * Netty epoll IOExceptions caused by unclean client disconnects being logged at INFO (CASSANDRA-14909) * Unfiltered.isEmpty conflicts with Row extends AbstractCollection.isEmpty (CASSANDRA-14588) * RangeTombstoneList doesn't properly clean up mergeable or superseded rts in some cases (CASSANDRA-14894) * Fix handling of collection tombstones for dropped columns from legacy sstables (CASSANDRA-14912) * Throw exception if Columns serialized subset encode more columns than possible (CASSANDRA-14591) * Drop/add column name with different Kind can result in corruption (CASSANDRA-14843) * Fix missing rows when reading 2.1 SSTables with static columns in 3.0 (CASSANDRA-14873) * Move TWCS message 'No compaction necessary for bucket size' to Trace level (CASSANDRA-14884) * Sstable min/max metadata can cause data loss (CASSANDRA-14861) * Dropped columns can cause reverse sstable iteration to return prematurely (CASSANDRA-14838) * Legacy sstables with multi block range tombstones create invalid bound sequences (CASSANDRA-14823) * Expand range tombstone validation checks to multiple interim request stages (CASSANDRA-14824) * Reverse order reads can return incomplete results (CASSANDRA-14803) * Avoid calling iter.next() in a loop when notifying indexers about range tombstones (CASSANDRA-14794) * Fix purging semi-expired RT boundaries in reversed iterators (CASSANDRA-14672) * DESC order reads can fail to return the last Unfiltered in the partition (CASSANDRA-14766) * Fix corrupted collection 
deletions for dropped columns in 3.0 <-> 2.{1,2} messages (CASSANDRA-14568) * Fix corrupted static collection deletions in 3.0 <-> 2.{1,2} messages (CASSANDRA-14568) * Handle failures in parallelAllSSTableOperation (cleanup/upgradesstables/etc) (CASSANDRA-14657) * Improve TokenMetaData cache populating performance avoid long locking (CASSANDRA-14660) * Backport: Flush netty client messages immediately (not by default) (CASSANDRA-13651) * Fix static column order for SELECT * wildcard queries (CASSANDRA-14638) * sstableloader should use discovered broadcast address to connect intra-cluster (CASSANDRA-14522) * Fix reading columns with non-UTF names from schema (CASSANDRA-14468) * Don't enable client transports when bootstrap is pending (CASSANDRA-14525) * MigrationManager attempts to pull schema from different major version nodes (CASSANDRA-14928) * Fix incorrect cqlsh results when selecting same columns multiple times (CASSANDRA-13262) * Returns null instead of NaN or Infinity in JSON strings (CASSANDRA-14377) * Paged Range Slice queries with DISTINCT can drop rows from results (CASSANDRA-14956) Changes in crowbar-openstack: - Update to version 6.0+git.1616146717.a89ae0f4e: * monasca: restart Kibana on update (bsc#1044849) Changes in grafana - Add CVE-2021-27358.patch (bsc#1183803, CVE-2021-27358) * Prevent unauthenticated remote attackers from causing a DoS through the snapshots API. 
Changes in kibana:
- Ensure /etc/sysconfig/kibana is present
- Update to Kibana 4.6.6 (bsc#1044849, CVE-2017-11499, ESA-2017-14, ESA-2017-16)
  * [4.6] ignore forked code for babel transpile build phase (#13483)
  * Allow more than match queries in custom filters (#8614) (#10857)
  * [state] don't make extra $location.replace() calls (#9954)
  * [optimizer] move to querystring-browser package for up-to-date api
  * [state/unhashUrl] use encode-uri-query to generate cleanly encoded urls
  * server: refactor log_interceptor to be more DRY (#9617)
  * server: downgrade ECANCELED logs to debug (#9616)
  * server: do not treat logged warnings as errors (#8746) (#9610)
  * [server/logger] downgrade EPIPE errors to debug level (#9023)
  * Add basepath when redirecting from a trailing slash (#9035)
  * [es/kibanaIndex] use unmapped_type rather than ignore_unmapped (#8968)
  * [server/shortUrl] validate urls before shortening them
- Add CVE-2017-11481.patch (bsc#1044849, CVE-2017-11481)
  * This fixes an XSS vulnerability in URL fields
- Remove %dir declaration from /opt/kibana/optimize to ensure no files owned by root end up in there
- Exclude /opt/kibana/optimize from %fdupes
- Restart service on upgrade
- Do not copy LICENSE.txt and README.txt to /opt/kibana
- Fix rpmlint warnings/errors
- Switch to explicit patch application
- Fix source URL
- Fix logic for systemd/systemv detection
- Add 0001-Configurable-custom-response-headers-for-server.patch (bsc#1171909, CVE-2020-10743)
- Added kibana.yml symlink (bsc#1048688, FATE#323204)

Changes in openstack-dashboard:
- Update to version horizon-14.1.1.dev11:
  * Consume tempest-horizon from PyPI release

Changes in openstack-ironic:
- Update to version ironic-11.1.5.dev17:
  * Remove lower-constraints job

Changes in openstack-neutron:
- Update to version neutron-13.0.8.dev164:
  * Schedule networks to new segments if needed
- Update to version neutron-13.0.8.dev162:
  * Fix invalid JSON generated by quota details
- Update to version neutron-13.0.8.dev160:
  * Fix deletion of rfp interfaces when router is re-enabled
- Update to version neutron-13.0.8.dev159:
  * [OVS FW] Allow egress ICMPv6 only for known addresses
  * [OVS FW] Clean conntrack entries with mark == CT_MARK_INVALID
- Update to version neutron-13.0.8.dev155:
  * Fix removal of dvr-src mac flows when non-gateway port on router is deleted
- Update to version neutron-13.0.8.dev153:
  * Add some wait time between stopping and starting again ovsdb monitor
  * Workaround for TCP checksum issue with ovs-dpdk and veth pair
- Update to version neutron-13.0.8.dev149:
  * Fix wrong packet_type set for IPv6 GRE tunnels in OVS
- Update to version neutron-13.0.8.dev148:
  * Fix losses of ovs flows when ovs is restarted

Changes in openstack-neutron-gbp:
- Update to version group-based-policy-12.0.1.dev29:
  * gbp-validate: Tenant and resource level scoping
  2014.2.0rc1
- Update to version group-based-policy-12.0.1.dev27:
  * Import data_utils from the new location
- Update to version group-based-policy-12.0.1.dev26:
  * Add SNAT port's Mac Address to the host_snat_ips dictionary
- Update to version group-based-policy-12.0.1.dev25:
  * Add support for victoria
  2014.2.rc1
- Update to version group-based-policy-12.0.1.dev24:
  * Fix deletion of SVI networks
- Update to version group-based-policy-12.0.1.dev23:
  * Allow per-port qos configuration on dhcp port
  2014.2rc1
- Update to version group-based-policy-12.0.1.dev22:
  * Add connectivity parameter to driver
  * [AIM] Fix ERSPAN extension
  2014.2.rc1
- Update to version group-based-policy-12.0.1.dev19:
  * Fix exception with cleanup
  2014.2.0rc1
- Update to version group-based-policy-12.0.1.dev18:
  * Add workaround to get_subnets

Changes in openstack-nova:
- Update to version nova-18.3.1.dev82:
  * [stable-only] gate: Pin CEPH_RELEASE to nautilus in LM hook
  * Change default num_retries for glance to 3

Changes in python-Django1:
- Add CVE-2021-33203.patch (bsc#1186608, CVE-2021-33203)
  * Fixed potential path-traversal via admindocs' TemplateDetailView.
- Add CVE-2021-33571.patch (bsc#1186611, CVE-2021-33571)
  * Prevented leading zeros in IPv4 addresses.
- Add CVE-2021-31542.patch (bsc#1185623, CVE-2021-31542)
  * Fixed CVE-2021-31542 -- Tightened path and file name sanitation in file uploads.
- Add CVE-2021-28658.patch (bsc#1184148, CVE-2021-28658)
  * Fixed potential directory-traversal via uploaded files
- Add CVE-2021-23336.patch (bsc#1182433, CVE-2021-23336)
  * Fixed web cache poisoning via django.utils.http.limited_parse_qsl()

Changes in python-py:
- Add CVE-2020-29651.patch (bsc#1179805, CVE-2020-29651)
  * svnwc: fix regular expression vulnerable to DoS in blame functionality

Changes in python-pysaml2:
- Fix patches (SOC-11453)
  * 0005-Fix-CVE-2021-21238-SAML-XML-Signature-wrapping.patch
    - rename saml2.xml to saml2.samlxml to avoid overriding the xml module in the system module path
    - add missing __init__.py files
    - add missing saml2/data package to setup.py
  * 0007-Make-previous-commits-python2-compatible.patch so as not to
    - Adjust to saml2.xml to saml2.samlxml changes
    - Fix a few more syntax errors and Python2-isms.
- Fix CVE-2021-21238, bsc#1181277 with 0002-Strengthen-XSW-tests.patch, 0003-Fix-the-parser-to-not-break-on-ePTID-AttributeValues.patch, 0004-Add-xsd-schemas.patch, 0005-Fix-CVE-2021-21238-SAML-XML-Signature-wrapping.patch. This adds a dependency on python-xmlschema, which depends on python-elementpath, thus both need to be added for this to work. The used python-xmlschema needs to support the sandbox argument which was added in 1.2.0 and refined in 1.2.1, but that version doesn't support python2, so a patched version that does both is needed. Add 0007-Make-previous-commits-python2-compatible.patch to not add a dependency on reportlib_resources and make other changes python2 compatible. Fix CVE-2021-21239, bsc#1181278 with 0006-Fix-CVE-2021-21239-Restrict-the-key-data-that-xmlsec.patch

Changes in python-xmlschema:
- Add 3 patches to backport sandbox argument, which is needed by a security fix in python-pysaml2 and one patch to make backport python2 compatible.
- Upstream url changed
- Add rpmlintrc to make it work on Leap 42.3
- Update to 1.0.18:
  * Fix for *ModelVisitor.iter_unordered_content()*
  * Fixed default converter, AbderaConverter and JsonMLConverter for xs:anyType decode
  * Fixed validation tests with all converters
  * Added UnorderedConverter to validation tests
- Update to 1.0.17:
  * Enhancement of validation-only speed (~15%)
  * Added *is_valid()* and *iter_errors()* to module API
- Update to 1.0.16:
  * Improved XMLResource class for working with compressed files
  * Fix for validation with XSD wildcards and 'lax' process content
  * Fix ambiguous items validation for xs:choice and xs:sequence models
- Handle UnicodeDecodeErrors during build process
- Update to 1.0.15:
  * Improved XPath 2.0 bindings
  * Added logging for schema initialization and building (handled with argument loglevel)
  * Update encoding of collapsed contents with a new model based reordering method
  * Removed XLink namespace from meta-schema (loaded from a fallback location like XHTML)
  * Fixed half of failed W3C instance tests (remain 255 over 15344 tests)
- Initial commit, needed by pytest 5.1.2

Changes in python-elementpath:
- Update to 1.3.1:
  * Improved schema proxy
  * Improved XSD type matching using paths
  * Cached parent path for XPathContext (only Python 3)
  * Improve typed selection with TypedAttribute and TypedElement named-tuples
  * Add iter_results to XPathContext
  * Remove XMLSchemaProxy from package
  * Fix descendant shortcut operator '//'
  * Fix text() function
  * Fix typed select of '(name)' token
  * Fix 24-hour time for DateTime
- Skip test_hashing to fix 32bit builds
- Initial commit needed by python-xmlschema

Changes in rubygem-activerecord-session_store:
- added CVE-2019-25025.patch (CVE-2019-25025, bsc#1183174)
  * This requires CVE-2019-16782.patch to be included in rubygem-actionpack-4_2 to work correctly.

Changes in venv-openstack-keystone
- Add python-xmlschema and python-elementpath for new python-pysaml2 version.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:

  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1962=1

- SUSE OpenStack Cloud 9:

  zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1962=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (noarch):

  crowbar-openstack-6.0+git.1616146717.a89ae0f4e-3.34.4
  openstack-dashboard-14.1.1~dev11-3.24.6
  openstack-ironic-11.1.5~dev17-3.25.5
  openstack-ironic-api-11.1.5~dev17-3.25.5
  openstack-ironic-conductor-11.1.5~dev17-3.25.5
  openstack-neutron-13.0.8~dev164-3.37.4
  openstack-neutron-dhcp-agent-13.0.8~dev164-3.37.4
  openstack-neutron-gbp-12.0.1~dev29-3.25.3
  openstack-neutron-ha-tool-13.0.8~dev164-3.37.4
  openstack-neutron-l3-agent-13.0.8~dev164-3.37.4
  openstack-neutron-linuxbridge-agent-13.0.8~dev164-3.37.4
  openstack-neutron-macvtap-agent-13.0.8~dev164-3.37.4
  openstack-neutron-metadata-agent-13.0.8~dev164-3.37.4
  openstack-neutron-metering-agent-13.0.8~dev164-3.37.4
  openstack-neutron-openvswitch-agent-13.0.8~dev164-3.37.4
  openstack-neutron-server-13.0.8~dev164-3.37.4
  openstack-nova-18.3.1~dev82-3.37.6
  openstack-nova-api-18.3.1~dev82-3.37.6
  openstack-nova-cells-18.3.1~dev82-3.37.6
  openstack-nova-compute-18.3.1~dev82-3.37.6
  openstack-nova-conductor-18.3.1~dev82-3.37.6
  openstack-nova-console-18.3.1~dev82-3.37.6
  openstack-nova-novncproxy-18.3.1~dev82-3.37.6
  openstack-nova-placement-api-18.3.1~dev82-3.37.6
  openstack-nova-scheduler-18.3.1~dev82-3.37.6
  openstack-nova-serialproxy-18.3.1~dev82-3.37.6
  openstack-nova-vncproxy-18.3.1~dev82-3.37.6
  python-Django1-1.11.29-3.25.1
  python-elementpath-1.3.1-1.3.2
  python-horizon-14.1.1~dev11-3.24.6
  python-ironic-11.1.5~dev17-3.25.5
  python-neutron-13.0.8~dev164-3.37.4
  python-neutron-gbp-12.0.1~dev29-3.25.3
  python-nova-18.3.1~dev82-3.37.6
  python-openstack_auth-14.1.1~dev11-3.24.6
  python-py-1.5.4-3.3.2
python-pysaml2-4.5.0-4.6.2 python-xmlschema-1.0.18-1.3.2 - SUSE OpenStack Cloud Crowbar 9 (x86_64): cassandra-3.11.10-3.3.3 cassandra-debuginfo-3.11.10-3.3.3 cassandra-debugsource-3.11.10-3.3.3 cassandra-tools-3.11.10-3.3.3 grafana-6.7.4-3.23.2 grafana-debuginfo-6.7.4-3.23.2 kibana-4.6.6-4.9.2 kibana-debuginfo-4.6.6-4.9.2 ruby2.1-rubygem-activerecord-session_store-0.1.2-4.3.2 - SUSE OpenStack Cloud 9 (noarch): ardana-neutron-9.0+git.1615223676.777f0b3-3.25.2 ardana-swift-9.0+git.1618235096.90974ed-3.10.2 openstack-dashboard-14.1.1~dev11-3.24.6 openstack-ironic-11.1.5~dev17-3.25.5 openstack-ironic-api-11.1.5~dev17-3.25.5 openstack-ironic-conductor-11.1.5~dev17-3.25.5 openstack-neutron-13.0.8~dev164-3.37.4 openstack-neutron-dhcp-agent-13.0.8~dev164-3.37.4 openstack-neutron-gbp-12.0.1~dev29-3.25.3 openstack-neutron-ha-tool-13.0.8~dev164-3.37.4 openstack-neutron-l3-agent-13.0.8~dev164-3.37.4 openstack-neutron-linuxbridge-agent-13.0.8~dev164-3.37.4 openstack-neutron-macvtap-agent-13.0.8~dev164-3.37.4 openstack-neutron-metadata-agent-13.0.8~dev164-3.37.4 openstack-neutron-metering-agent-13.0.8~dev164-3.37.4 openstack-neutron-openvswitch-agent-13.0.8~dev164-3.37.4 openstack-neutron-server-13.0.8~dev164-3.37.4 openstack-nova-18.3.1~dev82-3.37.6 openstack-nova-api-18.3.1~dev82-3.37.6 openstack-nova-cells-18.3.1~dev82-3.37.6 openstack-nova-compute-18.3.1~dev82-3.37.6 openstack-nova-conductor-18.3.1~dev82-3.37.6 openstack-nova-console-18.3.1~dev82-3.37.6 openstack-nova-novncproxy-18.3.1~dev82-3.37.6 openstack-nova-placement-api-18.3.1~dev82-3.37.6 openstack-nova-scheduler-18.3.1~dev82-3.37.6 openstack-nova-serialproxy-18.3.1~dev82-3.37.6 openstack-nova-vncproxy-18.3.1~dev82-3.37.6 python-Django1-1.11.29-3.25.1 python-elementpath-1.3.1-1.3.2 python-horizon-14.1.1~dev11-3.24.6 python-ironic-11.1.5~dev17-3.25.5 python-neutron-13.0.8~dev164-3.37.4 python-neutron-gbp-12.0.1~dev29-3.25.3 python-nova-18.3.1~dev82-3.37.6 python-openstack_auth-14.1.1~dev11-3.24.6 python-py-1.5.4-3.3.2 
python-pysaml2-4.5.0-4.6.2 python-xmlschema-1.0.18-1.3.2 venv-openstack-barbican-x86_64-7.0.1~dev24-3.23.1 venv-openstack-cinder-x86_64-13.0.10~dev20-3.26.1 venv-openstack-designate-x86_64-7.0.2~dev2-3.23.1 venv-openstack-glance-x86_64-17.0.1~dev30-3.21.1 venv-openstack-heat-x86_64-11.0.4~dev4-3.23.1 venv-openstack-horizon-x86_64-14.1.1~dev11-4.27.3 venv-openstack-ironic-x86_64-11.1.5~dev17-4.21.2 venv-openstack-keystone-x86_64-14.2.1~dev4-3.24.3 venv-openstack-magnum-x86_64-7.2.1~dev1-4.23.1 venv-openstack-manila-x86_64-7.4.2~dev60-3.29.1 venv-openstack-monasca-ceilometer-x86_64-1.8.2~dev3-3.23.2 venv-openstack-monasca-x86_64-2.7.1~dev10-3.21.1 venv-openstack-neutron-x86_64-13.0.8~dev164-6.27.3 venv-openstack-nova-x86_64-18.3.1~dev82-3.27.3 venv-openstack-octavia-x86_64-3.2.3~dev7-4.23.1 venv-openstack-sahara-x86_64-9.0.2~dev15-3.23.1 venv-openstack-swift-x86_64-2.19.2~dev48-2.18.1 - SUSE OpenStack Cloud 9 (x86_64): cassandra-3.11.10-3.3.3 cassandra-debuginfo-3.11.10-3.3.3 cassandra-debugsource-3.11.10-3.3.3 cassandra-tools-3.11.10-3.3.3 grafana-6.7.4-3.23.2 grafana-debuginfo-6.7.4-3.23.2 kibana-4.6.6-4.9.2 kibana-debuginfo-4.6.6-4.9.2 References: https://www.suse.com/security/cve/CVE-2017-11481.html https://www.suse.com/security/cve/CVE-2017-11499.html https://www.suse.com/security/cve/CVE-2018-18623.html https://www.suse.com/security/cve/CVE-2018-18624.html https://www.suse.com/security/cve/CVE-2018-18625.html https://www.suse.com/security/cve/CVE-2018-19039.html https://www.suse.com/security/cve/CVE-2019-15043.html https://www.suse.com/security/cve/CVE-2019-25025.html https://www.suse.com/security/cve/CVE-2020-10743.html https://www.suse.com/security/cve/CVE-2020-11110.html https://www.suse.com/security/cve/CVE-2020-12052.html https://www.suse.com/security/cve/CVE-2020-13379.html https://www.suse.com/security/cve/CVE-2020-17516.html https://www.suse.com/security/cve/CVE-2020-24303.html https://www.suse.com/security/cve/CVE-2020-29651.html 
https://www.suse.com/security/cve/CVE-2021-21238.html https://www.suse.com/security/cve/CVE-2021-21239.html https://www.suse.com/security/cve/CVE-2021-23336.html https://www.suse.com/security/cve/CVE-2021-27358.html https://www.suse.com/security/cve/CVE-2021-28658.html https://www.suse.com/security/cve/CVE-2021-31542.html https://www.suse.com/security/cve/CVE-2021-33203.html https://www.suse.com/security/cve/CVE-2021-33571.html https://bugzilla.suse.com/1044849 https://bugzilla.suse.com/1048688 https://bugzilla.suse.com/1115960 https://bugzilla.suse.com/1148383 https://bugzilla.suse.com/1170657 https://bugzilla.suse.com/1171909 https://bugzilla.suse.com/1172409 https://bugzilla.suse.com/1172450 https://bugzilla.suse.com/1174583 https://bugzilla.suse.com/1178243 https://bugzilla.suse.com/1179805 https://bugzilla.suse.com/1181277 https://bugzilla.suse.com/1181278 https://bugzilla.suse.com/1181689 https://bugzilla.suse.com/1181690 https://bugzilla.suse.com/1182317 https://bugzilla.suse.com/1182433 https://bugzilla.suse.com/1183174 https://bugzilla.suse.com/1183803 https://bugzilla.suse.com/1184148 https://bugzilla.suse.com/1185623 https://bugzilla.suse.com/1186608 https://bugzilla.suse.com/1186611 From sle-security-updates at lists.suse.com Fri Jun 11 16:29:55 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 11 Jun 2021 18:29:55 +0200 (CEST) Subject: SUSE-SU-2021:1958-1: moderate: Security update for libjpeg-turbo Message-ID: <20210611162955.CC64BFD07@maintenance.suse.de> SUSE Security Update: Security update for libjpeg-turbo ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1958-1 Rating: moderate References: #1186764 Cross-References: CVE-2020-17541 Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 SUSE Linux Enterprise Module for Desktop 
Applications 15-SP3 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libjpeg-turbo fixes the following issues: - CVE-2020-17541: Fixed a stack-based buffer overflow in the "transform" component (bsc#1186764). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1958=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-1958=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-1958=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-1958=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-1958=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1958=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1958=1 Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): libjpeg8-8.1.2-5.18.1 libjpeg8-debuginfo-8.1.2-5.18.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x x86_64): libjpeg-turbo-1.5.3-5.18.1 libjpeg-turbo-debuginfo-1.5.3-5.18.1 libjpeg-turbo-debugsource-1.5.3-5.18.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (aarch64 ppc64le s390x x86_64): 
libjpeg-turbo-1.5.3-5.18.1 libjpeg-turbo-debuginfo-1.5.3-5.18.1 libjpeg-turbo-debugsource-1.5.3-5.18.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (x86_64): libjpeg8-32bit-8.1.2-5.18.1 libjpeg8-32bit-debuginfo-8.1.2-5.18.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (x86_64): libjpeg8-32bit-8.1.2-5.18.1 libjpeg8-32bit-debuginfo-8.1.2-5.18.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): libjpeg62-62.2.0-5.18.1 libjpeg62-debuginfo-62.2.0-5.18.1 libjpeg62-devel-62.2.0-5.18.1 libjpeg8-8.1.2-5.18.1 libjpeg8-debuginfo-8.1.2-5.18.1 libjpeg8-devel-8.1.2-5.18.1 libturbojpeg0-8.1.2-5.18.1 libturbojpeg0-debuginfo-8.1.2-5.18.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libjpeg62-62.2.0-5.18.1 libjpeg62-debuginfo-62.2.0-5.18.1 libjpeg62-devel-62.2.0-5.18.1 libjpeg8-8.1.2-5.18.1 libjpeg8-debuginfo-8.1.2-5.18.1 libjpeg8-devel-8.1.2-5.18.1 libturbojpeg0-8.1.2-5.18.1 libturbojpeg0-debuginfo-8.1.2-5.18.1 References: https://www.suse.com/security/cve/CVE-2020-17541.html https://bugzilla.suse.com/1186764 From sle-security-updates at lists.suse.com Fri Jun 11 16:31:22 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 11 Jun 2021 18:31:22 +0200 (CEST) Subject: SUSE-SU-2021:1961-1: important: Security update for squid Message-ID: <20210611163122.62C2EFD07@maintenance.suse.de> SUSE Security Update: Security update for squid ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1961-1 Rating: important References: #1171164 #1171569 #1183436 #1185916 #1185918 #1185919 #1185921 #1185923 Cross-References: CVE-2020-25097 CVE-2021-28651 CVE-2021-28652 CVE-2021-28662 CVE-2021-31806 CVSS scores: CVE-2020-25097 (NVD) : 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2020-25097 (SUSE): 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2021-28651 (NVD) : 7.5 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28651 (SUSE): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H CVE-2021-28652 (NVD) : 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2021-28652 (SUSE): 6.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H CVE-2021-28662 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-28662 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-31806 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-31806 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Server Applications 15-SP3 SUSE Linux Enterprise Module for Server Applications 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has three fixes is now available. 
Description: This update for squid fixes the following issues: - update to 4.15: - CVE-2021-28652: Broken cache manager URL parsing (bsc#1185918) - CVE-2021-28651: Memory leak in RFC 2169 response parsing (bsc#1185921) - CVE-2021-28662: Limit HeaderLookupTable_t::lookup() to BadHdr and specific IDs (bsc#1185919) - CVE-2021-31806: Handle more Range requests (bsc#1185916) - CVE-2020-25097: HTTP Request Smuggling vulnerability (bsc#1183436) - Handle more partial responses (bsc#1185923) - fix previous change to reinstate permissions macros, because the wrong path has been used (bsc#1171569). - use libexecdir instead of libdir to conform to recent changes in Factory (bsc#1171164). - Reinstate permissions macros for pinger binary, because the permissions package is also responsible for setting up the cap_net_raw capability, currently a fresh squid install doesn't get a capability bit at all (bsc#1171569). - Change pinger and basic_pam_auth helper to use standard permissions. pinger uses cap_net_raw=ep instead (bsc#1171569) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1961=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1961=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1961=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1961=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1961=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1961=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1961=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1961=1 - SUSE Linux Enterprise Module for Server Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-1961=1 - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-1961=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1961=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1961=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1961=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-1961=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1961=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 squid-debugsource-4.15-5.26.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 squid-debugsource-4.15-5.26.1 - SUSE Manager Proxy 4.0 (x86_64): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 squid-debugsource-4.15-5.26.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 squid-debugsource-4.15-5.26.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 squid-debugsource-4.15-5.26.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 squid-debugsource-4.15-5.26.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 squid-debugsource-4.15-5.26.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 squid-debugsource-4.15-5.26.1 - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 squid-debugsource-4.15-5.26.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 squid-debugsource-4.15-5.26.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 squid-debugsource-4.15-5.26.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 squid-debugsource-4.15-5.26.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 squid-debugsource-4.15-5.26.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 
squid-debugsource-4.15-5.26.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 squid-debugsource-4.15-5.26.1 - SUSE CaaS Platform 4.0 (x86_64): squid-4.15-5.26.1 squid-debuginfo-4.15-5.26.1 squid-debugsource-4.15-5.26.1 References: https://www.suse.com/security/cve/CVE-2020-25097.html https://www.suse.com/security/cve/CVE-2021-28651.html https://www.suse.com/security/cve/CVE-2021-28652.html https://www.suse.com/security/cve/CVE-2021-28662.html https://www.suse.com/security/cve/CVE-2021-31806.html https://bugzilla.suse.com/1171164 https://bugzilla.suse.com/1171569 https://bugzilla.suse.com/1183436 https://bugzilla.suse.com/1185916 https://bugzilla.suse.com/1185918 https://bugzilla.suse.com/1185919 https://bugzilla.suse.com/1185921 https://bugzilla.suse.com/1185923 From sle-security-updates at lists.suse.com Fri Jun 11 16:33:33 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 11 Jun 2021 18:33:33 +0200 (CEST) Subject: SUSE-SU-2021:1959-1: moderate: Security update for freeradius-server Message-ID: <20210611163333.7EC58FD17@maintenance.suse.de> SUSE Security Update: Security update for freeradius-server ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1959-1 Rating: moderate References: #1184016 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for freeradius-server fixes the following issues: - Fixed plaintext password entries in logfiles (bsc#1184016). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1959=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1959=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): freeradius-server-debuginfo-3.0.19-3.9.3 freeradius-server-debugsource-3.0.19-3.9.3 freeradius-server-devel-3.0.19-3.9.3 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): freeradius-server-3.0.19-3.9.3 freeradius-server-debuginfo-3.0.19-3.9.3 freeradius-server-debugsource-3.0.19-3.9.3 freeradius-server-doc-3.0.19-3.9.3 freeradius-server-krb5-3.0.19-3.9.3 freeradius-server-krb5-debuginfo-3.0.19-3.9.3 freeradius-server-ldap-3.0.19-3.9.3 freeradius-server-ldap-debuginfo-3.0.19-3.9.3 freeradius-server-libs-3.0.19-3.9.3 freeradius-server-libs-debuginfo-3.0.19-3.9.3 freeradius-server-mysql-3.0.19-3.9.3 freeradius-server-mysql-debuginfo-3.0.19-3.9.3 freeradius-server-perl-3.0.19-3.9.3 freeradius-server-perl-debuginfo-3.0.19-3.9.3 freeradius-server-postgresql-3.0.19-3.9.3 freeradius-server-postgresql-debuginfo-3.0.19-3.9.3 freeradius-server-python-3.0.19-3.9.3 freeradius-server-python-debuginfo-3.0.19-3.9.3 freeradius-server-sqlite-3.0.19-3.9.3 freeradius-server-sqlite-debuginfo-3.0.19-3.9.3 freeradius-server-utils-3.0.19-3.9.3 freeradius-server-utils-debuginfo-3.0.19-3.9.3 References: https://bugzilla.suse.com/1184016 From sle-security-updates at lists.suse.com Sun Jun 13 05:55:10 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sun, 13 Jun 2021 07:55:10 +0200 (CEST) Subject: SUSE-IU-2021:538-1: Security update of suse-sles-15-sp2-chost-byos-v20210610-gen2 Message-ID: <20210613055510.54698B46F0D@westernhagen.suse.de> SUSE Image Update Advisory: suse-sles-15-sp2-chost-byos-v20210610-gen2 
----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2021:538-1 Image Tags : suse-sles-15-sp2-chost-byos-v20210610-gen2:20210610 Image Release : Severity : important Type : security References : 1021918 1029961 1043990 1055117 1065729 1080040 1087082 1089870 1106014 1115550 1133021 1152457 1152457 1152489 1152489 1153687 1155518 1156395 1156395 1162964 1164648 1167260 1168838 1168894 1169122 1169348 1170092 1170094 1170858 1174162 1174416 1174426 1176370 1177315 1177666 1178089 1178378 1178418 1178491 1178577 1178612 1178624 1178675 1179243 1179519 1179805 1179825 1179827 1179851 1179851 1180478 1180846 1180851 1180851 1181161 1181351 1181443 1181540 1181610 1181651 1181679 1181874 1181874 1181911 1182016 1182057 1182257 1182372 1182378 1182613 1182904 1182936 1182936 1182950 1182999 1183063 1183194 1183194 1183203 1183268 1183289 1183346 1183374 1183589 1183628 1183628 1183732 1183797 1183826 1183868 1183873 1183932 1183947 1183976 1184081 1184082 1184208 1184209 1184259 1184326 1184358 1184399 1184400 1184435 1184436 1184505 1184507 1184514 1184611 1184614 1184650 1184687 1184724 1184728 1184730 1184731 1184736 1184737 1184738 1184740 1184741 1184742 1184760 1184811 1184829 1184855 1184893 1184912 1184934 1184942 1184957 1184969 1184984 1184997 1184997 1184997 1185041 1185113 1185163 1185170 1185190 1185233 1185239 1185239 1185244 1185269 1185277 1185325 1185365 1185408 1185409 1185410 1185417 1185428 1185438 1185454 1185464 1185464 1185464 1185472 1185491 1185495 1185497 1185549 1185562 1185580 1185586 1185587 1185589 1185606 1185642 1185645 1185677 1185680 1185698 1185703 1185725 1185758 1185859 1185860 1185861 1185862 1185863 1185898 1185899 1185910 1185911 1185938 1185950 1185961 1185961 1185982 1185987 1185988 1186015 1186060 1186061 1186062 1186111 1186114 1186285 1186320 1186382 1186390 1186416 1186439 1186441 1186451 1186460 1186479 1186484 1186498 1186501 1186573 1186673 1186681 CVE-2020-24586 CVE-2020-24587 
CVE-2020-24588 CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2020-29651 CVE-2021-22898 CVE-2021-23134 CVE-2021-25217 CVE-2021-29155 CVE-2021-29650 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVE-2021-3426 CVE-2021-3491 CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 CVE-2021-3541 ----------------------------------------------------------------- The container suse-sles-15-sp2-chost-byos-v20210610-gen2 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1543-1 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Type: recommended Severity: moderate References: 1184435 This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1544-1 Released: Fri May 7 16:34:41 2021 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1180851,1181874,1182936,1183628,1184997,1185239 This update for libzypp fixes the following issues: Upgrade from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1549-1 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1185417 This update for procps fixes the following issues: - Support up to 2048 CPU as well. (bsc#1185417) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1557-1 Released: Tue May 11 09:50:00 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1183374,CVE-2021-3426 This update for python3 fixes the following issues: - CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1564-1 Released: Tue May 11 13:29:55 2021 Summary: Security update for shim Type: security Severity: important References: 1177315,1182057,1185464 This update for shim fixes the following issues: - Update to the unified shim binary for SBAT support (bsc#1182057) + Merged EKU codesign check (bsc#1177315) - shim-install: Always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1565-1 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1185163 This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files. 
(bsc#1185163); ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1566-1 Released: Wed May 12 09:39:16 2021 Summary: Recommended update for chrony Type: recommended Severity: moderate References: 1162964,1184400 This update for chrony fixes the following issues: - Fix build with glibc-2.31 (bsc#1162964) - Use /run instead of /var/run for PIDFile in chronyd.service (bsc#1184400) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1574-1 Released: Wed May 12 12:04:51 2021 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1043990,1055117,1065729,1152457,1152489,1156395,1167260,1168838,1174416,1174426,1178089,1179243,1179851,1180846,1181161,1182613,1183063,1183203,1183289,1184208,1184209,1184436,1184514,1184650,1184724,1184728,1184730,1184731,1184736,1184737,1184738,1184740,1184741,1184742,1184760,1184811,1184893,1184934,1184942,1184957,1184969,1184984,1185041,1185113,1185233,1185244,1185269,1185365,1185454,1185472,1185491,1185549,1185586,1185587,CVE-2021-29155,CVE-2021-29650 The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2021-29650: Fixed an issue with the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208). - CVE-2021-29155: Fixed an issue that was discovered in kernel/bpf/verifier.c that performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation was not correctly accounted for when restricting subsequent operations (bnc#1184942). 
The following non-security bugs were fixed: - ACPI: CPPC: Replace cppc_attr with kobj_attribute (git-fixes). - ALSA: core: remove redundant spin_lock pair in snd_card_disconnect (git-fixes). - ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer (git-fixes). - ALSA: hda/cirrus: Add error handling into CS8409 I2C functions (git-fixes). - ALSA: hda/cirrus: Add Headphone and Headset MIC Volume Control (git-fixes). - ALSA: hda/cirrus: Add jack detect interrupt support from CS42L42 companion codec (git-fixes). - ALSA: hda/cirrus: Add support for CS8409 HDA bridge and CS42L42 companion codec (git-fixes). - ALSA: hda/cirrus: Cleanup patch_cirrus.c code (git-fixes). - ALSA: hda/cirrus: Fix CS42L42 Headset Mic volume control name (git-fixes). - ALSA: hda/cirrus: Make CS8409 driver more generic by using fixups (git-fixes). - ALSA: hda/cirrus: Set Initial DMIC volume for Bullseye to -26 dB (git-fixes). - ALSA: hda/cirrus: Use CS8409 filter to fix abnormal sounds on Bullseye (git-fixes). - ALSA: hda/realtek: Add quirk for Intel Clevo PCx0Dx (git-fixes). - ALSA: hda/realtek: fix mic boost on Intel NUC 8 (git-fixes). - ALSA: hda/realtek: fix static noise on ALC285 Lenovo laptops (git-fixes). - ALSA: hda/realtek: GA503 use same quirks as GA401 (git-fixes). - ALSA: hda/realtek - Headset Mic issue on HP platform (git-fixes). - ALSA: hda/realtek: Remove redundant entry for ALC861 Haier/Uniwill devices (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Acer quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 ASUS quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Dell quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 HP quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Sony quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC662 quirk table entries (git-fixes). 
- ALSA: hda/realtek: Re-order ALC882 Acer quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC882 Clevo quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order remaining ALC269 quirk table entries (git-fixes). - ALSA: sb: Fix two use after free in snd_sb_qsound_build (git-fixes). - ALSA: usb-audio: Add DJM450 to Pioneer format quirk (git-fixes). - ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls (git-fixes). - ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX (git-fixes). - ALSA: usb-audio: Configure Pioneer DJM-850 samplerate (git-fixes). - ALSA: usb-audio: DJM-750: ensure format is set (git-fixes). - ALSA: usb-audio: Explicitly set up the clock selector (git-fixes). - ALSA: usb-audio: Fix implicit sync clearance at stopping stream (git-fixes). - ALSA: usb-audio: Fix Pioneer DJM devices URB_CONTROL request direction to set samplerate (git-fixes). - ALSA: usb: midi: do not return -ENOMEM when usb_urb_ep_type_check fails (git-fixes). - arm: dts: add imx7d pcf2127 fix to blacklist - ASoC: ak5558: correct reset polarity (git-fixes). - ASoC: ak5558: Fix s/show/slow/ typo (git-fixes). - ASoC: Intel: kbl_da7219_max98927: Fix kabylake_ssp_fixup function (git-fixes). - ASoC: samsung: tm2_wm5110: check of of_parse return value (git-fixes). - ASoC: simple-card: fix possible uninitialized single_cpu local variable (git-fixes). - ASoC: SOF: Intel: HDA: fix core status verification (git-fixes). - ASoC: SOF: Intel: hda: remove unnecessary parentheses (git-fixes). - ata: libahci_platform: fix IRQ check (git-fixes). - ath10k: Fix ath10k_wmi_tlv_op_pull_peer_stats_info() unlock without lock (git-fixes). - ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices (git-fixes). - backlight: journada720: Fix Wmisleading-indentation warning (git-fixes). - blkcg: fix memleak for iolatency (git-fixes). 
- block, bfq: set next_rq to waker_bfqq->next_rq in waker injection (bsc#1168838). - block: recalculate segment count for multi-segment discards correctly (bsc#1184724). - block: rsxx: select CONFIG_CRC32 (git-fixes). - bluetooth: eliminate the potential race condition when removing the HCI controller (git-fixes). - bnxt_en: reverse order of TX disable and carrier off (git-fixes). - bsg: free the request before return error code (git-fixes). - btrfs: fix qgroup data rsv leak caused by falloc failure (bsc#1185549). - btrfs: fix race between swap file activation and snapshot creation (bsc#1185587). - btrfs: fix race between writes to swap files and scrub (bsc#1185586). - btrfs: track qgroup released data in own variable in insert_prealloc_file_extent (bsc#1185549). - bus: qcom: Put child node before return (git-fixes). - cfg80211: remove WARN_ON() in cfg80211_sme_connect (git-fixes). - clk: exynos7: Mark aclk_fsys1_200 as critical (git-fixes). - clk: mvebu: armada-37xx-periph: Fix switching CPU freq from 250 Mhz to 1 GHz (git-fixes). - clk: mvebu: armada-37xx-periph: Fix workaround for switching from L1 to L0 (git-fixes). - clk: mvebu: armada-37xx-periph: remove .set_parent method for CPU PM clock (git-fixes). - clk: qcom: a53-pll: Add missing MODULE_DEVICE_TABLE (git-fixes). - clk: uniphier: Fix potential infinite loop (git-fixes). - clk: zynqmp: move zynqmp_pll_set_mode out of round_rate callback (git-fixes). - coresight: etm4x: Fix issues on trcseqevr access (git-fixes). - coresight: etm4x: Fix save and restore of TRCVMIDCCTLR1 register (git-fixes). - coresight: tmc-etr: Fix barrier packet insertion for perf buffer (git-fixes). - cpufreq: armada-37xx: Fix determining base CPU frequency (git-fixes). - cpufreq: armada-37xx: Fix driver cleanup when registration failed (git-fixes). - cpufreq: armada-37xx: Fix setting TBG parent for load levels (git-fixes). - cpufreq: armada-37xx: Fix the AVS value for load L1 (git-fixes). 
- cpufreq: Kconfig: fix documentation links (git-fixes). - crypto: arm/curve25519 - Move '.fpu' after '.arch' (git-fixes). - crypto: rng - fix crypto_rng_reset() refcounting when !CRYPTO_STATS (git-fixes). - cxgb4: avoid collecting SGE_QBASE regs during traffic (git-fixes). - cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (git-fixes). - dmaengine: dw: Make it dependent to HAS_IOMEM (git-fixes). - dm: eliminate potential source of excessive kernel log noise (git-fixes). - dm era: Fix bitset memory leaks (git-fixes). - dm era: only resize metadata in preresume (git-fixes). - dm era: Recover committed writeset after crash (git-fixes). - dm era: Reinitialize bitset cache before digesting a new writeset (git-fixes). - dm era: Use correct value size in equality function of writeset tree (git-fixes). - dm era: Verify the data block size hasn't changed (git-fixes). - dm: fix bug with RCU locking in dm_blk_report_zones (git-fixes). - dm integrity: fix error reporting in bitmap mode after creation (git-fixes). - dm ioctl: fix error return code in target_message (git-fixes). - dm mpath: fix racey management of PG initialization (git-fixes). - dm raid: fix discard limits for raid1 (git-fixes). - dm: remove invalid sparse __acquires and __releases annotations (git-fixes). - dm writecache: fix the maximum number of arguments (git-fixes). - dm writecache: handle DAX to partitions on persistent memory correctly (git-fixes). - dm writecache: remove BUG() and fail gracefully instead (git-fixes). - dm zoned: select CONFIG_CRC32 (git-fixes). - dpaa_eth: copy timestamp fields to new skb in A-050385 workaround (git-fixes). - dpaa_eth: fix the RX headroom size alignment (git-fixes). - dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom (git-fixes). - dpaa_eth: Use random MAC address when none is given (bsc#1184811). - drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' (git-fixes). 
- drm/amdkfd: fix build error with AMD_IOMMU_V2=m (git-fixes). - drm/ast: Add 25MHz refclk support (bsc#1174416). - drm/ast: Add support for 1152x864 mode (bsc#1174416). - drm/ast: Add support for AIP200 (bsc#1174416). - drm/ast: AST2500 fixups (bsc#1174416). - drm/ast: Correct mode table for AST2500 precatch (bsc#1174416). - drm/ast: Disable screen on register init (bsc#1174416). - drm/ast: Disable VGA decoding while driver is active (bsc#1174416). - drm/ast: drm/ast: Fix boot address for AST2500 (bsc#1174416). - drm/ast: Fix P2A config detection (bsc#1174416). - drm/ast: Fix register access in non-P2A mode for DP501 (bsc#1174416). - drm/ast: Keep MISC fields when enabling VGA (bsc#1174416). - drm/i915/gvt: Fix error code in intel_gvt_init_device() (git-fixes). - drm/imx: imx-ldb: fix out of bounds array access warning (git-fixes). - drm/msm: Fix a5xx/a6xx timestamps (git-fixes). - drm/omap: fix misleading indentation in pixinc() (git-fixes). - drm/radeon: fix copy of uninitialized variable back to userspace (git-fixes). - drm/tegra: dc: Do not set PLL clock to 0Hz (git-fixes). - e1000e: add rtnl_lock() to e1000_reset_task (git-fixes). - e1000e: Fix duplicate include guard (git-fixes). - e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 (git-fixes). - enetc: Let the hardware auto-advance the taprio base-time of 0 (git-fixes). - enetc: Workaround for MDIO register access issue (git-fixes). - ethernet/netronome/nfp: Fix a use after free in nfp_bpf_ctrl_msg_rx (git-fixes). - ext4: do not try to set xattr into ea_inode if value is empty (bsc#1184730). - ext4: find old entry again if failed to rename whiteout (bsc#1184742). - ext4: fix potential error in ext4_do_update_inode (bsc#1184731). - ext4: fix potential htree index checksum corruption (bsc#1184728). - firmware: qcom-scm: Fix QCOM_SCM configuration (git-fixes). - fnic: use scsi_host_busy_iter() to traverse commands (bsc#1179851). - fotg210-udc: Complete OUT requests on short packets (git-fixes). 
- fotg210-udc: Do not DMA more than the buffer can take (git-fixes). - fotg210-udc: Fix DMA on EP0 for length > max packet size (git-fixes). - fotg210-udc: Fix EP0 IN requests bigger than two packets (git-fixes). - fotg210-udc: Mask GRP2 interrupts we do not handle (git-fixes). - fotg210-udc: Remove a dubious condition leading to fotg210_done (git-fixes). - fs: direct-io: fix missing sdio->boundary (bsc#1184736). - fs/jfs: fix potential integer overflow on shift of a int (bsc#1184741). - fsl/fman: reuse set_mac_address() in dtsec init() (bsc#1184811). - fsl/fman: tolerate missing MAC address in device tree (bsc#1184811). - gpio: omap: Save and restore sysconfig (git-fixes). - gpio: sysfs: Obey valid_mask (git-fixes). - HID: alps: fix error return code in alps_input_configured() (git-fixes). - HID: google: add don USB id (git-fixes). - HID: plantronics: Workaround for double volume key presses (git-fixes). - HID: wacom: Assign boolean values to a bool variable (git-fixes). - HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices (git-fixes). - i2c: cadence: add IRQ check (git-fixes). - i2c: emev2: add IRQ check (git-fixes). - i2c: img-scb: fix reference leak when pm_runtime_get_sync fails (git-fixes). - i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails (git-fixes). - i2c: jz4780: add IRQ check (git-fixes). - i2c: omap: fix reference leak when pm_runtime_get_sync fails (git-fixes). - i2c: sh7760: add IRQ check (git-fixes). - i2c: sh7760: fix IRQ error path (git-fixes). - i2c: sprd: fix reference leak when pm_runtime_get_sync fails (git-fixes). - i40e: Added Asym_Pause to supported link modes (git-fixes). - i40e: Add zero-initialization of AQ command structures (git-fixes). - i40e: Fix addition of RX filters after enabling FW LLDP agent (git-fixes). - i40e: Fix add TC filter for IPv6 (git-fixes). - i40e: Fix display statistics for veb_tc (git-fixes). - i40e: Fix endianness conversions (git-fixes). 
- i40e: Fix flow for IPv6 next header (extension header) (git-fixes). - i40e: Fix kernel oops when i40e driver removes VF's (git-fixes). - i40e: Fix overwriting flow control settings during driver loading (git-fixes). - i40e: Fix sparse errors in i40e_txrx.c (git-fixes). - i40e: Fix sparse warning: missing error code 'err' (git-fixes). - i40e: fix the panic when running bpf in xdpdrv mode (git-fixes). - ibmvnic: avoid calling napi_disable() twice (bsc#1065729). - ibmvnic: clean up the remaining debugfs data structures (bsc#1065729). - ibmvnic: correctly use dev_consume/free_skb_irq (jsc#SLE-17268 jsc#SLE-17043 bsc#1179243 ltc#189290 git-fixes). - ibmvnic: improve failover sysfs entry (bsc#1043990 ltc#155681 git-fixes). - ibmvnic: print adapter state as a string (bsc#1152457 ltc#174432 git-fixes). - ibmvnic: print reset reason as a string (bsc#1152457 ltc#174432 git-fixes). - ibmvnic: queue reset work in system_long_wq (bsc#1152457 ltc#174432 git-fixes). - ibmvnic: remove duplicate napi_schedule call in do_reset function (bsc#1065729). - ibmvnic: remove duplicate napi_schedule call in open function (bsc#1065729). - ice: Account for port VLAN in VF max packet size calculation (git-fixes). - ice: Cleanup fltr list in case of allocation issues (git-fixes). - ice: Fix for dereference of NULL pointer (git-fixes). - ice: Increase control queue timeout (git-fixes). - ice: prevent ice_open and ice_stop during reset (git-fixes). - igb: check timestamp validity (git-fixes). - igb: Fix duplicate include guard (git-fixes). - igc: Fix Pause Frame Advertising (git-fixes). - igc: Fix Supported Pause Frame Link Setting (git-fixes). - igc: reinit_locked() should be called with rtnl_lock (git-fixes). - iio:accel:adis16201: Fix wrong axis assignment that prevents loading (git-fixes). - ima: Free IMA measurement buffer after kexec syscall (git-fixes). - Input: i8042 - fix Pegatron C15B ID entry (git-fixes). - Input: nspire-keypad - enable interrupts only when opened (git-fixes). 
- Input: s6sy761 - fix coordinate read bit shift (git-fixes). - interconnect: core: fix error return code of icc_link_destroy() (git-fixes). - iopoll: introduce read_poll_timeout macro (git-fixes). - ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() (git-fixes). - irqchip: Add support for Layerscape external interrupt lines (bsc#1185233). - irqchip/ls-extirq: add IRQCHIP_SKIP_SET_WAKE to the irqchip flags (bsc#1185233). - irqchip/ls-extirq: Add LS1043A, LS1088A external interrupt support (bsc#1185233). - isofs: release buffer head before return (bsc#1182613). - ixgbe: fail to create xfrm offload of IPsec tunnel mode SA (git-fixes). - jffs2: fix use after free in jffs2_sum_write_data() (bsc#1184740). - kABI: cover up change in struct kvm_arch (bsc#1184969). - kABI: Fix kABI caused by fixes for bsc#1174426 (bsc#1174426). - kABI: powerpc/pseries: Add shutdown() to vio_driver and vio_bus (bsc#1184209 ltc#190917). - kernel/smp: make csdlock timeout depend on boot parameter (bsc#1180846). - KVM: kvmclock: Fix vCPUs > 64 can't be online/hotpluged (bsc#1152489). - KVM: PPC: Book3S HV P9: Restore host CTRL SPR after guest exit (bsc#1156395). - KVM: PPC: Make the VMX instruction emulation routines static (bsc#1156395). - libnvdimm/label: Return -ENXIO for no slot in __blk_label_update (bsc#1185269). - libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels (bsc#1185269). - libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC (bsc#1184969 git-fixes). - libnvdimm/security: ensure sysfs poll thread woke up and fetch updated attr (git-fixes). - liquidio: Fix unintented sign extension of a left shift of a u16 (git-fixes). - locking/qrwlock: Fix ordering in queued_write_lock_slowpath() (bsc#1185041). - mac80211: bail out if cipher schemes are invalid (git-fixes). - mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN (git-fixes). - macvlan: macvlan_count_rx() needs to be aware of preemption (git-fixes). 
- media: dvbdev: Fix memory leak in dvb_media_device_free() (git-fixes). - media: m88rs6000t: avoid potential out-of-bounds reads on arrays (git-fixes). - media: mantis: remove orphan mantis_core.c (git-fixes). - media: omap4iss: return error code when omap4iss_get() failed (git-fixes). - media: platform: sunxi: sun6i-csi: fix error return code of sun6i_video_start_streaming() (git-fixes). - media: staging/intel-ipu3: Fix memory leak in imu_fmt (git-fixes). - media: staging/intel-ipu3: Fix race condition during set_fmt (git-fixes). - media: staging/intel-ipu3: Fix set_fmt error handling (git-fixes). - media: v4l2-ctrls.c: fix race condition in hdl->requests list (git-fixes). - memory: gpmc: fix out of bounds read and dereference on gpmc_cs[] (git-fixes). - memory: pl353: fix mask of ECC page_size config register (git-fixes). - mfd: lpc_sch: Partially revert 'Add support for Intel Quark X1000' (git-fixes). - mfd: stm32-timers: Avoid clearing auto reload register (git-fixes). - misc: lis3lv02d: Fix false-positive WARN on various HP models (git-fixes). - misc: vmw_vmci: explicitly initialize vmci_datagram payload (git-fixes). - misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct (git-fixes). - mmc: core: Correct descriptions in mmc_of_parse() (git-fixes). - mmc: cqhci: Add cqhci_deactivate() (git-fixes). - mmc: mmc_spi: Drop unused NO_IRQ definition (git-fixes). - mmc: sdhci-of-arasan: Add missed checks for devm_clk_register() (git-fixes). - mmc: sdhci-of-dwcmshc: fix rpmb access (git-fixes). - mmc: sdhci-of-dwcmshc: implement specific set_uhs_signaling (git-fixes). - mmc: sdhci-of-esdhc: make sure delay chain locked for HS400 (git-fixes). - mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes). - mmc: sdhci-pci: Fix SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers (git-fixes). - mmc: sdhci: Use Auto CMD Auto Select only when v4_mode is true (git-fixes). 
- mmc: uniphier-sd: Fix an error handling path in uniphier_sd_probe() (git-fixes). - mmc: uniphier-sd: Fix a resource leak in the remove function (git-fixes). - mm/rmap: fix potential pte_unmap on an not mapped pte (git-fixes). - Move upstreamed i915 fix into sorted section - mt7601u: fix always true expression (git-fixes). - mtd: Handle possible -EPROBE_DEFER from parse_mtd_partitions() (git-fixes). - mtd: rawnand: brcmnand: fix OOB R/W with Hamming ECC (git-fixes). - mtd: rawnand: fsmc: Fix error code in fsmc_nand_probe() (git-fixes). - mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init (git-fixes). - mtd: rawnand: qcom: Return actual error code instead of -ENODEV (git-fixes). - mtd: require write permissions for locking and badblock ioctls (git-fixes). - mtd: spinand: core: add missing MODULE_DEVICE_TABLE() (git-fixes). - mtd: spi-nor: Rename 'n25q512a' to 'mt25qu512a (n25q512a)' (bsc#1167260). - mtd: spi-nor: Split mt25qu512a (n25q512a) entry into two (bsc#1167260). - nbd: fix a block_device refcount leak in nbd_release (git-fixes). - net: atlantic: fix out of range usage of active_vlans array (git-fixes). - net: atlantic: fix potential error handling (git-fixes). - net: atlantic: fix use after free kasan warn (git-fixes). - net: dsa: felix: implement port flushing on .phylink_mac_link_down (git-fixes). - net: enetc: remove bogus write to SIRXIDR from enetc_setup_rxbdr (git-fixes). - net: enetc: take the MDIO lock only once per NAPI poll cycle (git-fixes). - net: geneve: check skb is large enough for IPv4/IPv6 header (git-fixes). - net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb (git-fixes). - net: hns3: clear VF down state bit before request link status (git-fixes). - net: hns3: fix bug when calculating the TCAM table info (git-fixes). - net: hns3: fix query vlan mask value error for flow director (git-fixes). - net: hns3: Remove un-necessary 'else-if' in the hclge_reset_event() (git-fixes). 
- net: ll_temac: Add more error handling of dma_map_single() calls (git-fixes). - net: ll_temac: Fix race condition causing TX hang (git-fixes). - net: ll_temac: Fix RX buffer descriptor handling on GFP_ATOMIC pressure (git-fixes). - net: ll_temac: Handle DMA halt condition caused by buffer underrun (git-fixes). - net/mlx4_core: Add missed mlx4_free_cmd_mailbox() (git-fixes). - net/mlx5: Do not request more than supported EQs (git-fixes). - net/mlx5e: Do not match on Geneve options in case option masks are all zero (git-fixes). - net/mlx5e: Fix error path for ethtool set-priv-flag (git-fixes). - net/mlx5e: Fix ethtool indication of connector type (git-fixes). - net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta (jsc#SLE-8464). - net:nfc:digital: Fix a double free in digital_tg_recv_dep_req (git-fixes). - net: phy: intel-xway: enable integrated led functions (git-fixes). - net: phy: marvell: fix m88e1011_set_downshift (git-fixes). - net: phy: marvell: fix m88e1111_set_downshift (git-fixes). - net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template (git-fixes). - net: smc911x: Adjust indentation in smc911x_phy_configure (git-fixes). - net: stmmac: fix missing IFF_MULTICAST check in dwmac4_set_filter (git-fixes). - net: stmmac: xgmac: fix missing IFF_MULTICAST checki in dwxgmac2_set_filter (git-fixes). - net: tulip: Adjust indentation in {dmfe, uli526x}_init_module (git-fixes). - nfc: pn533: prevent potential memory corruption (git-fixes). - nfp: flower: ignore duplicate merge hints from FW (git-fixes). - node: fix device cleanups in error handling code (git-fixes). - null_blk: fix passing of REQ_FUA flag in null_handle_rq (git-fixes). - nvme-fabrics: reject I/O to offline device (bsc#1181161). - nvme-tcp: fix possible hang when failing to set io queues (bsc#1181161). - ocfs2: fix a use after free on error (bsc#1184738). - pata_arasan_cf: fix IRQ check (git-fixes). - pata_ipx4xx_cf: fix IRQ check (git-fixes). 
- PCI/AER: Add pcie_walk_rcec() to RCEC AER handling (bsc#1174426). - PCI/AER: Add RCEC AER error injection support (bsc#1174426). - PCI/AER: Clear AER status from Root Port when resetting Downstream Port (bsc#1174426). - PCI/AER: Specify the type of Port that was reset (bsc#1174426). - PCI/AER: Use 'aer' variable for capability offset (bsc#1174426). - PCI/AER: Write AER Capability only when we control it (bsc#1174426). - PCI: designware-ep: Fix the Header Type check (git-fixes). - PCI/ERR: Add pcie_link_rcec() to associate RCiEPs (bsc#1174426). - PCI/ERR: Add pci_walk_bridge() to pcie_do_recovery() (bsc#1174426). - PCI/ERR: Avoid negated conditional for clarity (bsc#1174426). - PCI/ERR: Bind RCEC devices to the Root Port driver (bsc#1174426). - PCI/ERR: Cache RCEC EA Capability offset in pci_init_capabilities() (bsc#1174426). - PCI/ERR: Clear AER status only when we control AER (bsc#1174426). - PCI/ERR: Clear PCIe Device Status errors only if OS owns AER (bsc#1174426). - PCI/ERR: Clear status of the reporting device (bsc#1174426). - PCI/ERR: Recover from RCEC AER errors (bsc#1174426). - PCI/ERR: Recover from RCiEP AER errors (bsc#1174426). - PCI/ERR: Rename reset_link() to reset_subordinates() (bsc#1174426). - PCI/ERR: Retain status from error notification (bsc#1174426). - PCI/ERR: Simplify by computing pci_pcie_type() once (bsc#1174426). - PCI/ERR: Simplify by using pci_upstream_bridge() (bsc#1174426). - PCI/ERR: Use 'bridge' for clarity in pcie_do_recovery() (bsc#1174426). - PCI/PME: Add pcie_walk_rcec() to RCEC PME handling (bsc#1174426). - PCI/portdrv: Report reset for frozen channel (bsc#1174426). - PCI: tegra: Fix ASPM-L1SS advertisement disable code (git-fixes). - PCI: tegra: Move 'dbi' accesses to post common DWC initialization (git-fixes). - phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y, unconditionally (git-fixes). - pinctrl: core: Fix kernel doc string for pin_get_name() (git-fixes). 
- pinctrl: Ingenic: Add missing pins to the JZ4770 MAC MII group (git-fixes). - platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards with critclk_systems DMI table (git-fixes). - PM: runtime: Add documentation for pm_runtime_resume_and_get() (git-fixes). - powerepc/book3s64/hash: Align start/end address correctly with bolt mapping (bsc#1184957). - powerpc/64s: Fix pte update for kernel memory on radix (bsc#1055117 git-fixes). - powerpc/asm-offsets: GPR14 is not needed either (bsc#1065729). - powerpc/eeh: Fix EEH handling for hugepages in ioremap space (bsc#1156395). - powerpc/fadump: Mark fadump_calculate_reserve_size as __init (bsc#1065729). - powerpc/mm: Add cond_resched() while removing hpte mappings (bsc#1183289 ltc#191637). - powerpc/papr_scm: Fix build error due to wrong printf specifier (bsc#1184969). - powerpc/papr_scm: Implement support for H_SCM_FLUSH hcall (bsc#1184969). - powerpc/perf: Fix PMU constraint check for EBB events (bsc#1065729). - powerpc/prom: Mark identical_pvr_fixup as __init (bsc#1065729). - powerpc/pseries: Add shutdown() to vio_driver and vio_bus (bsc#1184209 ltc#190917). - powerpc/time: Enable sched clock for irqtime (bsc#1156395). - regmap: set debugfs_name to NULL after it is freed (git-fixes). - regulator: Avoid a double 'of_node_get' in 'regulator_of_get_init_node()' (git-fixes). - reintroduce cqhci_suspend for kABI (git-fixes). - reiserfs: update reiserfs_xattrs_initialized() condition (bsc#1184737). - rpm/constraints.in: bump disk space to 45GB on riscv64 - rpm/kernel-obs-build.spec.in: Include essiv with dm-crypt (boo#1183063). - rpm/macros.kernel-source: fix KMP failure in %install (bsc#1185244) - rpm/mkspec: Use tilde instead of dot for version string with rc (bsc#1184650) - rsi: Use resume_noirq for SDIO (git-fixes). - rsxx: remove extraneous 'const' qualifier (git-fixes). - rtc: ds1307: Fix wday settings for rx8130 (git-fixes). - rtc: fsl-ftm-alarm: add MODULE_TABLE() (bsc#1185454). 
- rtc: fsl-ftm-alarm: avoid struct rtc_time conversions (bsc#1185454). - rtc: fsl-ftm-alarm: enable acpi support (bsc#1185454). - rtc: fsl-ftm-alarm: fix freeze(s2idle) failed to wake (bsc#1185454). - rtc: fsl-ftm-alarm: report alarm to core (bsc#1185454). - rtc: fsl-ftm-alarm: switch to ktime_get_real_seconds (bsc#1185454). - rtc: fsl-ftm-alarm: switch to rtc_time64_to_tm/rtc_tm_to_time64 (bsc#1185454). - rtc: fsl-ftm-alarm: update acpi device id (bsc#1185454). - rtc: pcf2127: add alarm support (bsc#1185233). - rtc: pcf2127: add pca2129 device id (bsc#1185233). - rtc: pcf2127: add tamper detection support (bsc#1185233). - rtc: pcf2127: add watchdog feature support (bsc#1185233). - rtc: pcf2127: bugfix: watchdog build dependency (bsc#1185233). - rtc: pcf2127: cleanup register and bit defines (bsc#1185233). - rtc: pcf2127: convert to devm_rtc_allocate_device (bsc#1185233). - rtc: pcf2127: fix a bug when not specify interrupts property (bsc#1185233). - rtc: pcf2127: fix alarm handling (bsc#1185233). - rtc: pcf2127: fix pcf2127_nvmem_read/write() returns (bsc#1185233). - rtc: pcf2127: handle boot-enabled watchdog feature (bsc#1185233). - rtc: pcf2127: let the core handle rtc range (bsc#1185233). - rtc: pcf2127: move watchdog initialisation to a separate function (bsc#1185233). - rtc: pcf2127: only use watchdog when explicitly available (bsc#1185233). - rtc: pcf2127: properly set flag WD_CD for rtc chips(pcf2129, pca2129) (bsc#1185233). - rtc: pcf2127: remove unnecessary #ifdef (bsc#1185233). - rtc: pcf2127: set regmap max_register (bsc#1185233). - rtc: pcf2127: watchdog: handle nowayout feature (bsc#1185233). - rtlwifi: 8821ae: upgrade PHY and RF parameters (git-fixes). - rtw88: Fix array overrun in rtw_get_tx_power_params() (git-fixes). - sata_mv: add IRQ checks (git-fixes). - scsi: block: Fix a race in the runtime power management code (git-fixes). - scsi: core: add scsi_host_busy_iter() (bsc#1179851). 
- scsi: core: Only return started requests from scsi_host_find_tag() (bsc#1179851). - scsi: lpfc: Copyright updates for 12.8.0.9 patches (bsc#1185472). - scsi: lpfc: Eliminate use of LPFC_DRIVER_NAME in lpfc_attr.c (bsc#1185472). - scsi: lpfc: Fix a bunch of kernel-doc issues (bsc#1185472). - scsi: lpfc: Fix a bunch of kernel-doc misdemeanours (bsc#1185472). - scsi: lpfc: Fix a bunch of misnamed functions (bsc#1185472). - scsi: lpfc: Fix a few incorrectly named functions (bsc#1185472). - scsi: lpfc: Fix a typo (bsc#1185472). - scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO response (bsc#1185472). - scsi: lpfc: Fix DMA virtual address ptr assignment in bsg (bsc#1185365). - scsi: lpfc: Fix error handling for mailboxes completed in MBX_POLL mode (bsc#1185472). - scsi: lpfc: Fix formatting and misspelling issues (bsc#1185472). - scsi: lpfc: Fix gcc -Wstringop-overread warning (bsc#1185472). - scsi: lpfc: Fix illegal memory access on Abort IOCBs (bsc#1183203). - scsi: lpfc: Fix incorrectly documented function lpfc_debugfs_commonxripools_data() (bsc#1185472). - scsi: lpfc: Fix incorrect naming of __lpfc_update_fcf_record() (bsc#1185472). - scsi: lpfc: Fix kernel-doc formatting issue (bsc#1185472). - scsi: lpfc: Fix lack of device removal on port swaps with PRLIs (bsc#1185472). - scsi: lpfc: Fix lpfc_hdw_queue attribute being ignored (bsc#1185472). - scsi: lpfc: Fix missing FDMI registrations after Mgmt Svc login (bsc#1185472). - scsi: lpfc: Fix NMI crash during rmmod due to circular hbalock dependency (bsc#1185472). - scsi: lpfc: Fix reference counting errors in lpfc_cmpl_els_rsp() (bsc#1185472). - scsi: lpfc: Fix rmmod crash due to bad ring pointers to abort_iotag (bsc#1185472). - scsi: lpfc: Fix silent memory allocation failure in lpfc_sli4_bsg_link_diag_test() (bsc#1185472). - scsi: lpfc: Fix some error codes in debugfs (bsc#1185472). - scsi: lpfc: Fix use-after-free on unused nodes after port swap (bsc#1185472). 
- scsi: lpfc: Fix various trivial errors in comments and log messages (bsc#1185472). - scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic (bsc#1185472). - scsi: lpfc: Standardize discovery object logging format (bsc#1185472). - scsi: lpfc: Update lpfc version to 12.8.0.9 (bsc#1185472). - scsi: qla2xxx: Add error counters to debugfs node (bsc#1185491). - scsi: qla2xxx: Add H:C:T info in the log message for fc ports (bsc#1185491). - scsi: qla2xxx: Always check the return value of qla24xx_get_isp_stats() (bsc#1185491). - scsi: qla2xxx: Assign boolean values to a bool variable (bsc#1185491). - scsi: qla2xxx: Check kzalloc() return value (bsc#1185491). - scsi: qla2xxx: Consolidate zio threshold setting for both FCP NVMe (bsc#1185491). - scsi: qla2xxx: Constify struct qla_tgt_func_tmpl (bsc#1185491). - scsi: qla2xxx: Do logout even if fabric scan retries got exhausted (bsc#1185491). - scsi: qla2xxx: Enable NVMe CONF (BIT_7) when enabling SLER (bsc#1185491). - scsi: qla2xxx: fc_remote_port_chkready() returns a SCSI result value (bsc#1185491). - scsi: qla2xxx: Fix a couple of misdocumented functions (bsc#1185491). - scsi: qla2xxx: Fix a couple of misnamed functions (bsc#1185491). - scsi: qla2xxx: Fix broken #endif placement (bsc#1185491). - scsi: qla2xxx: Fix crash in PCIe error handling (bsc#1185491). - scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() (bsc#1185491). - scsi: qla2xxx: Fix endianness annotations (bsc#1185491). - scsi: qla2xxx: Fix incorrectly named function qla8044_check_temp() (bsc#1185491). - scsi: qla2xxx: Fix IOPS drop seen in some adapters (bsc#1185491). - scsi: qla2xxx: Fix mailbox Ch erroneous error (bsc#1185491). - scsi: qla2xxx: Fix mailbox recovery during PCIe error (bsc#1185491). - scsi: qla2xxx: Fix RISC RESET completion polling (bsc#1185491). - scsi: qla2xxx: Fix some incorrect formatting/spelling issues (bsc#1185491). - scsi: qla2xxx: Fix some memory corruption (bsc#1185491). - scsi: qla2xxx: Fix stuck session (bsc#1185491). 
- scsi: qla2xxx: Fix use after free in bsg (bsc#1185491).
- scsi: qla2xxx: Implementation to get and manage host, target stats and initiator port (bsc#1185491).
- scsi: qla2xxx: Move some messages from debug to normal log level (bsc#1185491).
- scsi: qla2xxx: Remove redundant NULL check (bsc#1185491).
- scsi: qla2xxx: Remove unnecessary NULL check (bsc#1185491).
- scsi: qla2xxx: Remove unneeded if-null-free check (bsc#1185491).
- scsi: qla2xxx: Replace __qla2x00_marker()'s missing underscores (bsc#1185491).
- scsi: qla2xxx: Reserve extra IRQ vectors (bsc#1184436).
- scsi: qla2xxx: Reuse existing error handling path (bsc#1185491).
- scsi: qla2xxx: Simplify if statement (bsc#1185491).
- scsi: qla2xxx: Simplify qla8044_minidump_process_control() (bsc#1185491).
- scsi: qla2xxx: Simplify the calculation of variables (bsc#1185491).
- scsi: qla2xxx: Suppress Coverity complaints about dseg_r* (bsc#1185491).
- scsi: qla2xxx: Update default AER debug mask (bsc#1185491).
- scsi: qla2xxx: Update version to 10.02.00.105-k (bsc#1185491).
- scsi: qla2xxx: Update version to 10.02.00.106-k (bsc#1185491).
- scsi: qla2xxx: Use dma_pool_zalloc() (bsc#1185491).
- scsi: qla2xxx: Wait for ABTS response on I/O timeouts for NVMe (bsc#1185491).
- scsi: smartpqi: Correct driver removal with HBA disks (bsc#1178089).
- scsi: smartpqi: Correct pqi_sas_smp_handler busy condition (bsc#1178089).
- scsi: smartpqi: Update version to 1.2.16-012 (bsc#1178089).
- selftests/powerpc: Add pkey helpers for rights (bsc#1184934 ltc#191460).
- selftests/powerpc: Add test for execute-disabled pkeys (bsc#1184934 ltc#191460).
- selftests/powerpc: Add test for pkey siginfo verification (bsc#1184934 ltc#191460).
- selftests/powerpc: Add wrapper for gettid (bsc#1184934 ltc#191460).
- selftests/powerpc: Fix exit status of pkey tests (bsc#1184934 ltc#191460).
- selftests/powerpc: Fix L1D flushing tests for Power10 (bsc#1184934 ltc#191460).
- selftests/powerpc: Fix pkey syscall redefinitions (bsc#1184934 ltc#191460).
- selftests/powerpc: Move pkey helpers to headers (bsc#1184934 ltc#191460).
- selftests/powerpc: refactor entry and rfi_flush tests (bsc#1184934 ltc#191460).
- soc: aspeed: fix a ternary sign expansion bug (git-fixes).
- soc: qcom: mdt_loader: Detect truncated read of segments (git-fixes).
- soc: qcom: mdt_loader: Validate that p_filesz p_memsz (git-fixes).
- soundwire: bus: Fix device found flag correctly (git-fixes).
- soundwire: stream: fix memory leak in stream config error path (git-fixes).
- spi: fsl-dspi: fix NULL pointer dereference (bsc#1167260).
- spi: fsl-dspi: fix use-after-free in remove path (bsc#1167260).
- spi: fsl-dspi: fix wrong pointer in suspend/resume (bsc#1167260).
- spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware() (git-fixes).
- spi: Introduce dspi_slave_abort() function for NXP's dspi SPI driver (bsc#1167260).
- spi: spi-fsl-dspi: Accelerate transfers using larger word size if possible (bsc#1167260).
- spi: spi-fsl-dspi: Add comments around dspi_pop_tx and dspi_push_rx functions (bsc#1167260).
- spi: spi-fsl-dspi: Adding shutdown hook (bsc#1167260).
- spi: spi-fsl-dspi: Add support for LS1028A (bsc#1167260).
- spi: spi-fsl-dspi: Always use the TCFQ devices in poll mode (bsc#1167260).
- spi: spi-fsl-dspi: Avoid NULL pointer in dspi_slave_abort for non-DMA mode (bsc#1167260).
- spi: spi-fsl-dspi: Avoid reading more data than written in EOQ mode (bsc#1167260).
- spi: spi-fsl-dspi: Change usage pattern of SPI_MCR_* and SPI_CTAR_* macros (bsc#1167260).
- spi: spi-fsl-dspi: Convert TCFQ users to XSPI FIFO mode (bsc#1167260).
- spi: spi-fsl-dspi: Convert the instantiations that support it to DMA (bsc#1167260).
- spi: spi-fsl-dspi: delete EOQ transfer mode (bsc#1167260).
- spi: spi-fsl-dspi: Demistify magic value in SPI_SR_CLEAR (bsc#1167260).
- spi: spi-fsl-dspi: Do not access reserved fields in SPI_MCR (bsc#1167260).
- spi: spi-fsl-dspi: Do not mask off undefined bits (bsc#1167260).
- spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours (bsc#1167260).
- spi: spi-fsl-dspi: Fix 16-bit word order in 32-bit XSPI mode (bsc#1167260).
- spi: spi-fsl-dspi: Fix bits-per-word acceleration in DMA mode (bsc#1167260).
- spi: spi-fsl-dspi: Fix code alignment (bsc#1167260).
- spi: spi-fsl-dspi: fix DMA mapping (bsc#1167260).
- spi: spi-fsl-dspi: Fix external abort on interrupt in resume or exit paths (bsc#1167260).
- spi: spi-fsl-dspi: Fix interrupt-less DMA mode taking an XSPI code path (bsc#1167260).
- spi: spi-fsl-dspi: Fix little endian access to PUSHR CMD and TXDATA (bsc#1167260).
- spi: spi-fsl-dspi: Fix lockup if device is removed during SPI transfer (bsc#1167260).
- spi: spi-fsl-dspi: Fix lockup if device is shutdown during SPI transfer (bsc#1167260).
- spi: spi-fsl-dspi: fix native data copy (bsc#1167260).
- spi: spi-fsl-dspi: Fix race condition in TCFQ/EOQ interrupt (bsc#1167260).
- spi: spi-fsl-dspi: Fix typos (bsc#1167260).
- spi: spi-fsl-dspi: Free DMA memory with matching function (bsc#1167260).
- spi: spi-fsl-dspi: Implement .max_message_size method for EOQ mode (bsc#1167260).
- spi: spi-fsl-dspi: Initialize completion before possible interrupt (bsc#1167260).
- spi: spi-fsl-dspi: LS2080A and LX2160A support XSPI mode (bsc#1167260).
- spi: spi-fsl-dspi: Make bus-num property optional (bsc#1167260).
- spi: spi-fsl-dspi: Move dspi_interrupt above dspi_transfer_one_message (bsc#1167260).
- spi: spi-fsl-dspi: Move invariant configs out of dspi_transfer_one_message (bsc#1167260).
- spi: spi-fsl-dspi: Optimize dspi_setup_accel for lowest interrupt count (bsc#1167260).
- spi: spi-fsl-dspi: Parameterize the FIFO size and DMA buffer size (bsc#1167260).
- spi: spi-fsl-dspi: Protect against races on dspi->words_in_flight (bsc#1167260).
- spi: spi-fsl-dspi: Reduce indentation in dspi_release_dma() (bsc#1167260).
- spi: spi-fsl-dspi: Reduce indentation level in dspi_interrupt (bsc#1167260).
- spi: spi-fsl-dspi: remove git-fixes Remove git-fixes. Prepare to update the driver. References: bsc#1167260
- spi: spi-fsl-dspi: Remove impossible to reach error check (bsc#1167260).
- spi: spi-fsl-dspi: Remove pointless assignment of master->transfer to NULL (bsc#1167260).
- spi: spi-fsl-dspi: Remove unused chip->void_write_data (bsc#1167260).
- spi: spi-fsl-dspi: Remove unused defines and includes (bsc#1167260).
- spi: spi-fsl-dspi: Remove unused initialization of 'ret' in dspi_probe (bsc#1167260).
- spi: spi-fsl-dspi: Rename fifo_{read,write} and {tx,cmd}_fifo_write (bsc#1167260).
- spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion (bsc#1167260).
- spi: spi-fsl-dspi: Replace legacy spi_master names with spi_controller (bsc#1167260).
- spi: spi-fsl-dspi: set ColdFire to DMA mode (bsc#1167260).
- spi: spi-fsl-dspi: Simplify bytes_per_word gymnastics (bsc#1167260).
- spi: spi-fsl-dspi: Take software timestamp in dspi_fifo_write (bsc#1167260).
- spi: spi-fsl-dspi: Use BIT() and GENMASK() macros (bsc#1167260).
- spi: spi-fsl-dspi: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1167260).
- spi: spi-fsl-dspi: Use EOQ for last word in buffer even for XSPI mode (bsc#1167260).
- spi: spi-fsl-dspi: Use poll mode in case the platform IRQ is missing (bsc#1167260).
- spi: spi-fsl-dspi: Use reverse Christmas tree declaration order (bsc#1167260).
- spi: spi-fsl-dspi: Use specific compatible strings for all SoC instantiations (bsc#1167260).
- spi: spi-fsl-dspi: use XSPI mode instead of DMA for DPAA2 SoCs (bsc#1167260).
- spi: spi-ti-qspi: Free DMA resources (git-fixes).
- staging: fwserial: fix TIOCGSERIAL implementation (git-fixes).
- staging: fwserial: fix TIOCSSERIAL implementation (git-fixes).
- staging: fwserial: fix TIOCSSERIAL jiffies conversions (git-fixes).
- staging: fwserial: fix TIOCSSERIAL permission check (git-fixes).
- staging: rtl8192u: Fix potential infinite loop (git-fixes).
- usb: CDC-ACM: fix poison/unpoison imbalance (bsc#1184984).
- usb: CDC-ACM: fix poison/unpoison imbalance (git-fixes).
- usb: cdc-acm: fix TIOCGSERIAL implementation (git-fixes).
- usb: cdc-acm: fix unprivileged TIOCCSERIAL (git-fixes).
- usb: dwc2: Fix hibernation between host and device modes (git-fixes).
- usb: dwc2: Fix host mode hibernation exit with remote wakeup flow (git-fixes).
- usb: dwc2: Fix session request interrupt handler (git-fixes).
- usb: dwc3: gadget: Fix START_TRANSFER link state check (git-fixes).
- usb: dwc3: keystone: use devm_platform_ioremap_resource() to simplify code (git-fixes).
- usb: dwc3: meson-g12a: use devm_platform_ioremap_resource() to simplify code (git-fixes).
- usb: dwc3: Switch to use device_property_count_u32() (git-fixes).
- usb: gadget: aspeed: fix dma map failure (git-fixes).
- usb: gadget: Fix double free of device descriptor pointers (git-fixes).
- usb: gadget: pch_udc: Check for DMA mapping error (git-fixes).
- usb: gadget: pch_udc: Check if driver is present before calling ->setup() (git-fixes).
- usb: gadget: pch_udc: Move pch_udc_init() to satisfy kernel doc (git-fixes).
- usb: gadget: pch_udc: Replace cpu_to_le32() by lower_32_bits() (git-fixes).
- usb: gadget: pch_udc: Revert d3cb25a12138 completely (git-fixes).
- usb: gadget: r8a66597: Add missing null check on return from platform_get_resource (git-fixes).
- usb: gadget: udc: fix wrong pointer passed to IS_ERR() and PTR_ERR() (git-fixes).
- usb: Remove dev_err() usage after platform_get_irq() (git-fixes).
- usb: serial: ark3116: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: f81232: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: f81534: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: fix return value for unsupported ioctls (git-fixes).
- usb: serial: mos7720: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: opticon: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: quatech2: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: ssu100: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: usb_wwan: fix TIOCGSERIAL implementation (git-fixes).
- usb: serial: usb_wwan: fix TIOCSSERIAL jiffies conversions (git-fixes).
- usb: serial: usb_wwan: fix unprivileged TIOCCSERIAL (git-fixes).
- usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS (git-fixes).
- usb: typec: tcpm: Address incorrect values of tcpm psy for fixed supply (git-fixes).
- usb: typec: tcpm: Honour pSnkStdby requirement during negotiation (git-fixes).
- veth: Store queue_mapping independently of XDP prog presence (git-fixes).
- vfio/pci: Add missing range check in vfio_pci_mmap (git-fixes).
- virt_wifi: Return micros for BSS TSF values (git-fixes).
- vxlan: move debug check after netdev unregister (git-fixes).
- workqueue: Move the position of debug_work_activate() in __queue_work() (bsc#1184893).
- x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access (bsc#1152489).
- x86/insn: Add some Intel instructions to the opcode map (bsc#1184760).
- x86/insn: Add some more Intel instructions to the opcode map (bsc#1184760).
- x86/microcode: Check for offline CPUs before requesting new microcode (bsc#1152489).
- x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd (bsc#1152489).
- x86/platform/uv: Set section block size for hubless architectures (bsc#1152489).
- x86/reboot: Force all cpus to exit VMX root if VMX is supported (bsc#1152489).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1582-1
Released: Wed May 12 13:40:03 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1184687,1185190

This update for lvm2 fixes the following issues:

- Honor 'lvm.conf' parameter event_activation=0 on 'pvscan --cache -aay'. (bsc#1185190)
- Fixed an issue when LVM can't be disabled on boot. (bsc#1184687)
- Update patch for avoiding apply warning messages. (bsc#1012973)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1592-1
Released: Wed May 12 13:47:41 2021
Summary: Optional update for sed
Type: optional
Severity: low
References: 1183797

This update for sed fixes the following issues:

- Fixed a building issue with glibc-2.31 (bsc#1183797).

This patch is optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1600-1
Released: Thu May 13 16:34:08 2021
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1185277

This update for dracut fixes the following issue:

Update to version 049.1+suse.188.gbf445638:

- Do not resolve symbolic links before `instmod`. (bsc#1185277)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1612-1
Released: Fri May 14 17:09:39 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1184614

This update for openldap2 fixes the following issue:

- Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1636-1
Released: Wed May 19 13:33:56 2021
Summary: Recommended update for grub2
Type: security
Severity: moderate
References: 1185580

This update for grub2 fixes the following issues:

- Fixed error with the shim_lock protocol that is not found on aarch64 (bsc#1185580).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1643-1
Released: Wed May 19 13:51:48 2021
Summary: Recommended update for pam
Type: recommended
Severity: important
References: 1181443,1184358,1185562

This update for pam fixes the following issues:

- Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1647-1
Released: Wed May 19 13:59:12 2021
Summary: Security update for lz4
Type: security
Severity: important
References: 1185438,CVE-2021-3520

This update for lz4 fixes the following issues:

- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1654-1
Released: Wed May 19 16:43:36 2021
Summary: Security update for libxml2
Type: security
Severity: important
References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537

This update for libxml2 fixes the following issues:

- CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1669-1
Released: Thu May 20 11:10:44 2021
Summary: Recommended update for nfs-utils
Type: recommended
Severity: moderate
References: 1181540,1181651,1183194,1185170

This update for nfs-utils fixes the following issues:

- The '/var/run' is long deprecated - switch all relevant paths to '/run'. (bsc#1185170)
- Improve logging of authentication (bsc#1181540)
- Add man page of the 'nconnect mount'. (bsc#1181651)
- Fixed an issue when HANA crashed due to inaccessible/hanging NFS mount. (bsc#1183194)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1672-1
Released: Thu May 20 13:44:41 2021
Summary: Recommended update for supportutils
Type: recommended
Severity: moderate
References: 1021918,1089870,1168894,1169122,1169348,1170092,1170094,1170858,1176370,1178491,1180478,1181351,1181610,1181679,1181911,1182904,1182950,1183732,1183826,1184829,1184912

This update for supportutils fixes the following issues:

- Collects rotated logs with different compression types (bsc#1180478)
- Captures now IBM Power bootlist (jsc#SLE-15557)
- Fixed some errors with supportutils in combination with the btrfs filesystem (bsc#1168894)
- Fixed an issue with ntp.txt, when it contains large binary data (bsc#1169122)
- Checks package signatures in rpm.txt (bsc#1021918)
- Optimize find (bsc#1184912)
- Using zypper --xmlout (bsc#1181351)
- Error fix for sysfs.txt (bsc#1089870)
- Added list-timers to systemd.txt (bsc#1169348)
- Including nfs4 in search (bsc#1184829)
- [powerpc] Collect dynamic_debug log files for ibmvNIC #98 (bsc#1183826)
- Fixed mismatched taint flags (bsc#1178491)
- Removed redundant fdisk code that can cause timeout issues (bsc#1181679)
- Supportconfig processes -f without hanging (bsc#1182904)
- Collect logs for power specific components (using iprconfig) pr#94 (bsc#1182950)
- [powerpc] Collect logs for power specific components (HNV) pr#88 (bsc#1181911)
- Includes NVMe information with OPTION_NVME=1 in nvme.txt (bsc#1176370, SLE-15932)
- No longer truncates boot log (bsc#1181610)
- Collects rotated logs with different compression types (bsc#1180478)
- Capture IBM Power bootlist (SLE-15557)
- [powerpc] Collect logs for power specific components #72 (bscn#1176895)
- Fixed btrfs errors (bsc#1168894)
- Large ntp.txt with binary data (bsc#1169122)
- Only include hostinfo details in /etc/motd (bsc#1170092)
- Fixed CPU load average calculation (bsc#1170094)
- Understands 3rd party packages on SLES or OpenSUSE (bsc#1170858)
- Implement persistent host information across reboots (bsc#1183732)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1675-1
Released: Thu May 20 15:00:23 2021
Summary: Recommended update for snappy
Type: recommended
Severity: moderate
References: 1080040,1184507

This update for snappy fixes the following issues:

Update from version 1.1.3 to 1.1.8

- Small performance improvements.
- Removed `snappy::string` alias for `std::string`.
- Improved `CMake` configuration.
- Improved packages descriptions.
- Fix RPM groups.
- Aarch64 fixes
- PPC speedups
- PIE improvements
- Fix license install. (bsc#1080040)
- Fix a 1% performance regression when snappy is used in PIE executable.
- Improve compression performance by 5%.
- Improve decompression performance by 20%.
- Use better download URL.
- Fix a build issue for tensorflow2. (bsc#1184507)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1702-1
Released: Tue May 25 09:53:56 2021
Summary: Recommended update for shim
Type: recommended
Severity: moderate
References: 1185464,1185961

This update for shim fixes the following issues:

- shim-install: instead of assuming 'removable' for Azure, remove fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot to make \EFI\Boot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1762-1
Released: Wed May 26 12:30:01 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1186114,CVE-2021-22898

This update for curl fixes the following issues:

- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Allow partial chain verification [jsc#SLE-17956]
  * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain.
  * Set FLAG_TRUSTED_FIRST unconditionally.
  * Do not check partial chains with CRL check.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1773-1
Released: Wed May 26 17:22:21 2021
Summary: Recommended update for python3
Type: recommended
Severity: low
References:

This update for python3 fixes the following issues:

- Make sure to close the import_failed.map file after the exception has been raised in order to avoid ResourceWarnings when the failing import is part of a try...except block.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1801-1
Released: Mon May 31 07:36:01 2021
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1115550,1174162

This update for openssh fixes the following issues:

- Fixed a race condition leading to a sshd termination of multichannel sessions with non-root users (bsc#1115550, bsc#1174162).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1833-1
Released: Wed Jun 2 15:32:28 2021
Summary: Recommended update for zypper
Type: recommended
Severity: moderate
References: 1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239

This update for zypper fixes the following issues:

zypper was upgraded to 1.14.44:

- man page: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
- Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
- Protect against strict/relaxed user umask via sudo. (bsc#1183589)
- xml summary: Add solvables repository alias. (bsc#1182372)

libzypp was upgraded from version 17.25.8 to version 17.25.10

- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1841-1
Released: Wed Jun 2 16:30:17 2021
Summary: Security update for dhcp
Type: security
Severity: important
References: 1186382,CVE-2021-25217

This update for dhcp fixes the following issues:

- CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1846-1
Released: Fri Jun 4 08:46:37 2021
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1185910

This update for mozilla-nss fixes the following issue:

- Provide some missing binaries from `mozilla-nss` not added in `SLE-Module-Basesystem_15-SP3`. (bsc#1185910)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1859-1
Released: Fri Jun 4 09:02:38 2021
Summary: Security update for python-py
Type: security
Severity: moderate
References: 1179805,1184505,CVE-2020-29651

This update for python-py fixes the following issues:

- CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1861-1
Released: Fri Jun 4 09:59:40 2021
Summary: Recommended update for gcc10
Type: recommended
Severity: moderate
References: 1029961,1106014,1178577,1178624,1178675,1182016

This update for gcc10 fixes the following issues:

- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1879-1
Released: Tue Jun 8 09:16:09 2021
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: important
References: 1184326,1184399,1184997,1185325

This update for libzypp, zypper fixes the following issues:

libzypp was updated to 17.26.0:

- Work around download.o.o broken https redirects.
- Allow trusted repos to add additional signing keys (bsc#1184326)
  Repositories signed with a trusted gpg key may import additional package signing keys. This is needed if different keys were used to sign the packages shipped by the repository.
- MediaCurl: Fix logging of redirects.
- Use 15.3 resolver problem and solution texts on all distros.
- $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the zypp lock (bsc#1184399)
  Helps boot time services like 'zypper purge-kernels' to wait for the zypp lock until other services using zypper have completed.
- Fix purge-kernels is broken in Leap 15.3 (bsc#1185325)
  Leap 15.3 introduces a new kernel package called kernel-flavour-extra, which contains kmp's. Currently kmp's are detected by name '.*-kmp(-.*)?' but this does not work with those new packages. This patch fixes the problem by checking packages for kmod(*) and ksym(*) provides and only falls back to name checking if the package in question does not provide one of those.
- Introduce zypp-runpurge, a tool to run purge-kernels on testcases.

zypper was updated to 1.14.45:

- Fix service detection with cgroupv2 (bsc#1184997)
- Add hints to 'trust GPG key' prompt.
- Add report when receiving new package signing keys from a trusted repo (bsc#1184326)
- Added translation using Weblate (Kabyle)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1882-1
Released: Tue Jun 8 13:25:36 2021
Summary: Recommended update for shim
Type: recommended
Severity: moderate
References: 1185464,1185961

This update for shim fixes the following issues:

- shim-install: remove the unexpected residual 'removable' label for Azure (bsc#1185464, bsc#1185961)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1890-1
Released: Tue Jun 8 15:08:16 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1087082,1133021,1152457,1152489,1155518,1156395,1164648,1177666,1178378,1178418,1178612,1179519,1179825,1179827,1179851,1182257,1182378,1182999,1183346,1183868,1183873,1183932,1183947,1183976,1184081,1184082,1184259,1184611,1184855,1185428,1185495,1185497,1185589,1185606,1185642,1185645,1185677,1185680,1185703,1185725,1185758,1185859,1185860,1185861,1185862,1185863,1185898,1185899,1185911,1185938,1185950,1185982,1185987,1185988,1186060,1186061,1186062,1186111,1186285,1186320,1186390,1186416,1186439,1186441,1186451,1186460,1186479,1186484,1186498,1186501,1186573,1186681,CVE-2020-24586,CVE-2020-24587,CVE-2020-24588,CVE-2020-26139,CVE-2020-26141,CVE-2020-26145,CVE-2020-26147,CVE-2021-23134,CVE-2021-32399,CVE-2021-33034,CVE-2021-33200,CVE-2021-3491

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values. (bsc#1186111)
- CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
- CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
- CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
- CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
- CVE-2020-24588: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (bnc#1185861)
- CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
- CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)

The following non-security bugs were fixed:

- ACPI / hotplug / PCI: Fix reference count leak in enable_slot() (git-fixes).
- ACPI: GTDT: Do not corrupt interrupt mappings on watchdow probe failure (git-fixes).
- ACPI: custom_method: fix a possible memory leak (git-fixes).
- ACPI: custom_method: fix potential use-after-free issue (git-fixes).
- ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro (git-fixes).
- ALSA: bebob: enable to deliver MIDI messages for multiple ports (git-fixes).
- ALSA: dice: fix stream format at middle sampling rate for Alesis iO 26 (git-fixes).
- ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency (git-fixes).
- ALSA: firewire-lib: fix calculation for size of IR context payload (git-fixes).
- ALSA: firewire-lib: fix check for the size of isochronous packet payload (git-fixes).
- ALSA: hda/conexant: Re-order CX5066 quirk table entries (git-fixes).
- ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is unreachable (git-fixes).
- ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293 (git-fixes).
- ALSA: hda/realtek: Headphone volume is controlled by Front mixer (git-fixes). - ALSA: hda/realtek: reset eapd coeff to default value for alc287 (git-fixes). - ALSA: hda: fixup headset for ASUS GU502 laptop (git-fixes). - ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP (git-fixes). - ALSA: hdsp: do not disable if not enabled (git-fixes). - ALSA: hdspm: do not disable if not enabled (git-fixes). - ALSA: intel8x0: Do not update period unless prepared (git-fixes). - ALSA: line6: Fix racy initialization of LINE6 MIDI (git-fixes). - ALSA: rme9652: do not disable if not enabled (git-fixes). - ALSA: usb-audio: Validate MS endpoint descriptors (git-fixes). - ALSA: usb-audio: fix control-request direction (git-fixes). - ALSA: usb-audio: scarlett2: Fix device hang with ehci-pci (git-fixes). - ALSA: usb-audio: scarlett2: Improve driver startup messages (git-fixes). - ALSA: usb-audio: scarlett2: snd_scarlett_gen2_controls_create() can be static (git-fixes). - ARM64: vdso32: Install vdso32 from vdso_install (git-fixes). - ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet (git-fixes). - ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF (git-fixes). - ASoC: cs35l33: fix an error code in probe() (git-fixes). - ASoC: cs42l42: Regmap must use_single_read/write (git-fixes). - ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() (git-fixes). - ASoC: rsnd: core: Check convert rate in rsnd_hw_params (git-fixes). - ASoC: rt286: Generalize support for ALC3263 codec (git-fixes). - ASoC: rt286: Make RT286_SET_GPIO_* readable and writable (git-fixes). - Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS (git-fixes). - Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes). - Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default (git-fixes). - Bluetooth: check for zapped sk before connecting (git-fixes). - Bluetooth: initialize skb_queue_head at l2cap_chan_create() (git-fixes). 
- Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2 VM (git-fixes). - Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725). - Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725). - Drivers: hv: vmbus: Use after free in __vmbus_open() (git-fixes). - Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices (git-fixes). - Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state (git-fixes). - KVM: s390: fix guarded storage control register handling (bsc#1133021). - Move upstreamed media fixes into sorted section - NFC: nci: fix memory leak in nci_allocate_device (git-fixes). - PCI/RCEC: Fix RCiEP device to RCEC association (git-fixes). - PCI: Allow VPD access for QLogic ISP2722 (git-fixes). - PCI: PM: Do not read power state in pci_enable_device_flags() (git-fixes). - PCI: Release OF node in pci_scan_device()'s error path (git-fixes). - PCI: endpoint: Fix missing destroy_workqueue() (git-fixes). - PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() (git-fixes). - PCI: thunder: Fix compile testing (git-fixes). - PM / devfreq: Use more accurate returned new_freq as resume_freq (git-fixes). - RDMA/addr: create addr_wq with WQ_MEM_RECLAIM flag (bsc#1183346). - RDMA/core: create ib_cm with WQ_MEM_RECLAIM flag (bsc#1183346). - RDMA/hns: Delete redundant abnormal interrupt status (git-fixes). - RDMA/hns: Delete redundant condition judgment related to eq (git-fixes). - RDMA/qedr: Fix error return code in qedr_iw_connect() (jsc#SLE-8215). - RDMA/srpt: Fix error return code in srpt_cm_req_recv() (git-fixes). - Revert 'arm64: vdso: Fix compilation with clang older than 8' (git-fixes). - Revert 'gdrom: fix a memory leak bug' (git-fixes). - Revert 'i3c master: fix missing destroy_workqueue() on error in i3c_master_register' (git-fixes). - Revert 'leds: lp5523: fix a missing check of return value of lp55xx_read' (git-fixes). 
- Revert 337f13046ff0 ('futex: Allow FUTEX_CLOCK_REALTIME with FUTEX_WAIT op') (git-fixes). - SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428). - SUNRPC: More fixes for backlog congestion (bsc#1185428). - USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet (git-fixes). - USB: Add reset-resume quirk for WD19's Realtek Hub (git-fixes). - USB: serial: pl2303: add support for PL2303HXN (bsc#1186320). - USB: serial: pl2303: fix line-speed handling on newer chips (bsc#1186320). - USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check (git-fixes). - USB: trancevibrator: fix control-request direction (git-fixes). - amdgpu: avoid incorrect %hu format string (git-fixes). - arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory (git-fixes). - arm64: Add missing ISB after invalidating TLB in __primary_switch (git-fixes). - arm64: avoid -Woverride-init warning (git-fixes). - arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL (git-fixes). - arm64: kdump: update ppos when reading elfcorehdr (git-fixes). - arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails (git-fixes). - arm64: link with -z norelro for LLD or aarch64-elf (git-fixes). - arm64: link with -z norelro regardless of CONFIG_RELOCATABLE (git-fixes). - arm64: ptrace: Fix seccomp of traced syscall -1 (NO_SYSCALL) (git-fixes). - arm64: ptrace: Use NO_SYSCALL instead of -1 in syscall_trace_enter() (git-fixes). - arm64: vdso32: make vdso32 install conditional (git-fixes). - arm: mm: use __pfn_to_section() to get mem_section (git-fixes). - ata: ahci: Disable SXS for Hisilicon Kunpeng920 (git-fixes). - blk-iocost: ioc_pd_free() shouldn't assume irq disabled (git-fixes). - blk-mq: Swap two calls in blk_mq_exit_queue() (git-fixes). - block/genhd: use atomic_t for disk_event->block (bsc#1185497). - block: Fix three kernel-doc warnings (git-fixes). - block: fix get_max_io_size() (git-fixes). 
- bnxt_en: Fix RX consumer index logic in the error path (git-fixes).
- bnxt_en: fix ternary sign extension bug in bnxt_show_temp() (git-fixes).
- bpf: Fix leakage of uninitialized bpf stack under speculation (bsc#1155518).
- bpf: Fix masking negation logic upon negative dst register (bsc#1155518).
- btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441).
- btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439).
- cdc-wdm: untangle a circular dependency between callback and softint (git-fixes).
- cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom (git-fixes).
- cdrom: gdrom: initialize global variable at init time (git-fixes).
- ceph: do not clobber i_snap_caps on non-I_NEW inode (bsc#1186501).
- ceph: fix inode leak on getattr error in __fh_to_dentry (bsc#1186501).
- ceph: fix up error handling with snapdirs (bsc#1186501).
- ceph: only check pool permissions for regular files (bsc#1186501).
- cfg80211: scan: drop entry from hidden_list on overflow (git-fixes).
- clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return (git-fixes).
- cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758).
- crypto: api - check for ERR pointers in crypto_destroy_tfm() (git-fixes).
- crypto: mips/poly1305 - enable for all MIPS processors (git-fixes).
- crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (git-fixes).
- crypto: qat - Fix a double free in adf_create_ring (git-fixes).
- crypto: qat - do not release uninitialized resources (git-fixes).
- crypto: qat - fix error path in adf_isr_resource_alloc() (git-fixes).
- crypto: qat - fix unmap invalid dma address (git-fixes).
- crypto: stm32/cryp - Fix PM reference leak on stm32-cryp.c (git-fixes).
- crypto: stm32/hash - Fix PM reference leak on stm32-hash.c (git-fixes).
- cxgb4: Fix unintentional sign extension issues (git-fixes).
- dm: avoid filesystem lookup in dm_get_dev_t() (git-fixes).
- dmaengine: dw-edma: Fix crash on loading/unloading driver (git-fixes).
- docs: kernel-parameters: Add gpio_mockup_named_lines (git-fixes).
- docs: kernel-parameters: Move gpio-mockup for alphabetic order (git-fixes).
- drivers: hv: Fix whitespace errors (bsc#1185725).
- drm/amd/display: Fix UBSAN warning for not a valid value for type '_Bool' (git-fixes).
- drm/amd/display: Fix two cursor duplication when using overlay (git-fixes).
- drm/amd/display: Force vsync flip when reconfiguring MPCC (git-fixes).
- drm/amd/display: Reject non-zero src_y and src_x for video planes (git-fixes).
- drm/amd/display: fix dml prefetch validation (git-fixes).
- drm/amd/display: fixed divide by zero kernel crash during dsc enablement (git-fixes).
- drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f (git-fixes).
- drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang (git-fixes).
- drm/amdgpu: fix NULL pointer dereference (git-fixes).
- drm/amdgpu: mask the xgmi number of hops reported from psp to kfd (git-fixes).
- drm/amdkfd: Fix cat debugfs hang_hws file causes system crash bug (git-fixes).
- drm/i915: Avoid div-by-zero on gen2 (git-fixes).
- drm/meson: fix shutdown crash when component not probed (git-fixes).
- drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal (git-fixes).
- drm/msm/mdp5: Do not multiply vclk line count by 100 (git-fixes).
- drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected (git-fixes).
- drm/radeon: Avoid power table parsing memory leaks (git-fixes).
- drm/radeon: Fix off-by-one power_state index heap overwrite (git-fixes).
- drm/vkms: fix misuse of WARN_ON (git-fixes).
- drm: Added orientation quirk for OneGX1 Pro (git-fixes).
- ethernet:enic: Fix a use after free bug in enic_hard_start_xmit (git-fixes).
- extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged (git-fixes).
- extcon: arizona: Fix various races on driver unbind (git-fixes).
- fbdev: zero-fill colormap in fbcmap.c (git-fixes).
- firmware: arm_scpi: Prevent the ternary sign expansion bug (git-fixes).
- fs/epoll: restore waking from ep_done_scan() (bsc#1183868).
- ftrace: Handle commands when closing set_ftrace_filter file (git-fixes).
- futex: Change utime parameter to be 'const ... *' (git-fixes).
- futex: Do not apply time namespace adjustment on FUTEX_LOCK_PI (bsc#1164648).
- futex: Get rid of the val2 conditional dance (git-fixes).
- futex: Make syscall entry points less convoluted (git-fixes).
- genirq/irqdomain: Do not try to free an interrupt that has no (git-fixes)
- genirq: Disable interrupts for force threaded handlers (git-fixes)
- genirq: Reduce irqdebug cacheline bouncing (bsc#1185703 ltc#192641).
- gpio: xilinx: Correct kernel doc for xgpio_probe() (git-fixes).
- gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 (git-fixes).
- hrtimer: Update softirq_expires_next correctly after (git-fixes)
- hwmon: (occ) Fix poll rate limiting (git-fixes).
- i2c: Add I2C_AQ_NO_REP_START adapter quirk (git-fixes).
- i2c: bail out early when RDWR parameters are wrong (git-fixes).
- i2c: i801: Do not generate an interrupt on bus reset (git-fixes).
- i2c: s3c2410: fix possible NULL pointer deref on read message after write (git-fixes).
- i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E (git-fixes).
- i40e: Fix PHY type identifiers for 2.5G and 5G adapters (git-fixes).
- i40e: Fix use-after-free in i40e_client_subtask() (git-fixes).
- i40e: fix broken XDP support (git-fixes).
- i40e: fix the restart auto-negotiation after FEC modified (git-fixes).
- ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043).
- ibmvfc: Handle move login failure (bsc#1185938 ltc#192043).
- ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).
- ibmvnic: remove default label from to_string switch (bsc#1152457 ltc#174432 git-fixes).
- ics932s401: fix broken handling of errors when word reading fails (git-fixes).
- iio: adc: ad7124: Fix missbalanced regulator enable / disable on error (git-fixes).
- iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers (git-fixes).
- iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp() (git-fixes).
- iio: adc: ad7793: Add missing error code in ad7793_setup() (git-fixes).
- iio: gyro: fxas21002c: balance runtime power in error path (git-fixes).
- iio: gyro: mpu3050: Fix reported temperature value (git-fixes).
- iio: proximity: pulsedlight: Fix rumtime PM imbalance on error (git-fixes).
- iio: tsl2583: Fix division by a zero lux_val (git-fixes).
- intel_th: Consistency and off-by-one fix (git-fixes).
- iommu/amd: Add support for map/unmap_resource (jsc#ECO-3482).
- ipc/mqueue, msg, sem: Avoid relying on a stack reference past its expiry (bsc#1185988).
- ipmi/watchdog: Stop watchdog timer when the current action is 'none' (bsc#1184855).
- kernel-docs.spec.in: Build using an utf-8 locale. Sphinx cannot handle UTF-8 input in non-UTF-8 locale.
- leds: lp5523: check return value of lp5xx_read and jump to cleanup code (git-fixes).
- lpfc: Decouple port_template and vport_template (bsc#185032).
- mac80211: clear the beacon's CRC after channel switch (git-fixes).
- md-cluster: fix use-after-free issue when removing rdev (bsc#1184082).
- md/raid1: properly indicate failure when ending a failed write request (bsc#1185680).
- md: do not flush workqueue unconditionally in md_open (bsc#1184081).
- md: factor out a mddev_find_locked helper from mddev_find (bsc#1184081).
- md: md_open returns -EBUSY when entering racing area (bsc#1184081).
- md: split mddev_find (bsc#1184081).
- media: adv7604: fix possible use-after-free in adv76xx_remove() (git-fixes).
- media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB (git-fixes).
- media: dvb-usb: fix memory leak in dvb_usb_adapter_init (git-fixes).
- media: em28xx: fix memory leak (git-fixes).
- media: gspca/sq905.c: fix uninitialized variable (git-fixes).
- media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() (git-fixes).
- media: i2c: adv7842: fix possible use-after-free in adv7842_remove() (git-fixes).
- media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove() (git-fixes).
- media: imx: capture: Return -EPIPE from __capture_legacy_try_fmt() (git-fixes).
- media: ite-cir: check for receive overflow (git-fixes).
- media: media/saa7164: fix saa7164_encoder_register() memory leak bugs (git-fixes).
- media: platform: sti: Fix runtime PM imbalance in regs_show (git-fixes).
- media: tc358743: fix possible use-after-free in tc358743_remove() (git-fixes).
- mfd: arizona: Fix rumtime PM imbalance on error (git-fixes).
- misc/uss720: fix memory leak in uss720_probe (git-fixes).
- mlxsw: spectrum_mr: Update egress RIF list before route's action (git-fixes).
- mm: memcontrol: fix cpuhotplug statistics flushing (bsc#1185606).
- mmc: block: Update ext_csd.cache_ctrl if it was written (git-fixes).
- mmc: core: Do a power cycle when the CMD11 fails (git-fixes).
- mmc: core: Set read only for SD cards with permanent write protect bit (git-fixes).
- mmc: sdhci-pci-gli: increase 1.8V regulator wait (git-fixes).
- mmc: sdhci-pci: Add PCI IDs for Intel LKF (git-fixes).
- mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers (git-fixes).
- mmc: sdhci: Check for reset prior to DMA address unmap (git-fixes).
- net, xdp: Update pkt_type if generic XDP changes unicast MAC (git-fixes).
- net: enetc: fix link error again (git-fixes).
- net: hns3: Fix for geneve tx checksum bug (git-fixes).
- net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() (git-fixes).
- net: hns3: clear unnecessary reset request in hclge_reset_rebuild (git-fixes).
- net: hns3: disable phy loopback setting in hclge_mac_start_phy (git-fixes).
- net: hns3: fix for vxlan gpe tx checksum bug (git-fixes).
- net: hns3: fix incorrect configuration for igu_egu_hw_err (git-fixes).
- net: hns3: initialize the message content in hclge_get_link_mode() (git-fixes).
- net: hns3: use netif_tx_disable to stop the transmit queue (git-fixes).
- net: thunderx: Fix unintentional sign extension issue (git-fixes).
- net: usb: fix memory leak in smsc75xx_bind (git-fixes).
- netdevice: Add missing IFF_PHONY_HEADROOM self-definition (git-fixes).
- netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950).
- netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950).
- netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950).
- nvme-core: add cancel tagset helpers (bsc#1183976).
- nvme-fabrics: decode host pathing error for connect (bsc#1179827).
- nvme-fc: check sgl supported by target (bsc#1179827).
- nvme-fc: clear q_live at beginning of association teardown (bsc#1186479).
- nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted (bsc#1184259).
- nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange() (bsc#1184259).
- nvme-fc: short-circuit reconnect retries (bsc#1179827).
- nvme-multipath: fix double initialization of ANA state (bsc#1178612, bsc#1184259).
- nvme-multipath: reset bdev to ns head when failover (bsc#178378 bsc#1182999).
- nvme-pci: Remove tag from process cq (git-fixes).
- nvme-pci: Remove two-pass completions (git-fixes).
- nvme-pci: Simplify nvme_poll_irqdisable (git-fixes).
- nvme-pci: align io queue count with allocted nvme_queue in (git-fixes).
- nvme-pci: avoid race between nvme_reap_pending_cqes() and nvme_poll() (git-fixes).
- nvme-pci: dma read memory barrier for completions (git-fixes).
- nvme-pci: fix 'slimmer CQ head update' (git-fixes).
- nvme-pci: make sure write/poll_queues less or equal then cpu (git-fixes).
- nvme-pci: remove last_sq_tail (git-fixes).
- nvme-pci: remove volatile cqes (git-fixes).
- nvme-pci: slimmer CQ head update (git-fixes).
- nvme-pci: use simple suspend when a HMB is enabled (git-fixes).
- nvme-tcp: Fix possible race of io_work and direct send (git-fixes).
- nvme-tcp: Fix warning with CONFIG_DEBUG_PREEMPT (git-fixes).
- nvme-tcp: add clean action for failed reconnection (bsc#1183976).
- nvme-tcp: fix kconfig dependency warning when !CRYPTO (git-fixes).
- nvme-tcp: fix misuse of __smp_processor_id with preemption (git-fixes).
- nvme-tcp: fix possible hang waiting for icresp response (bsc#1179519).
- nvme-tcp: use cancel tagset helper for tear down (bsc#1183976).
- nvme: Fix NULL dereference for pci nvme controllers (bsc#1182378).
- nvme: add 'kato' sysfs attribute (bsc#1179825).
- nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() (bsc#1184259).
- nvme: define constants for identification values (git-fixes).
- nvme: do not intialize hwmon for discovery controllers (bsc#1184259).
- nvme: do not intialize hwmon for discovery controllers (git-fixes).
- nvme: document nvme controller states (git-fixes).
- nvme: explicitly update mpath disk capacity on revalidation (git-fixes).
- nvme: expose reconnect_delay and ctrl_loss_tmo via sysfs (bsc#1182378).
- nvme: fix controller instance leak (git-fixes).
- nvme: fix deadlock in disconnect during scan_work and/or ana_work (git-fixes).
- nvme: fix possible deadlock when I/O is blocked (git-fixes).
- nvme: remove superfluous else in nvme_ctrl_loss_tmo_store (bsc#1182378).
- nvme: retrigger ANA log update if group descriptor isn't found (git-fixes)
- nvme: sanitize KATO setting (bsc#1179825).
- nvme: simplify error logic in nvme_validate_ns() (bsc#1184259).
- nvmet: fix a memory leak (git-fixes).
- nvmet: seset ns->file when open fails (bsc#1183873).
- nvmet: use new ana_log_size instead the old one (bsc#1184259).
- nxp-i2c: restore includes for kABI (bsc#1185589).
- nxp-nci: add NXP1002 id (bsc#1185589).
- phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() (git-fixes).
- pinctrl: ingenic: Improve unreachable code generation (git-fixes).
- pinctrl: samsung: use 'int' for register masks in Exynos (git-fixes).
- platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue (git-fixes).
- platform/x86: intel_pmc_core: Do not use global pmcdev in quirks (git-fixes).
- platform/x86: thinkpad_acpi: Correct thermal sensor allocation (git-fixes).
- posix-timers: Preserve return value in clock_adjtime32() (git-fixes)
- power: supply: Use IRQF_ONESHOT (git-fixes).
- power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() (git-fixes).
- power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() (git-fixes).
- powerpc/64s: Fix crashes when toggling entry flush barrier (bsc#1177666 git-fixes).
- powerpc/64s: Fix crashes when toggling stf barrier (bsc#1087082 git-fixes).
- qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth (git-fixes).
- rtc: pcf2127: handle timestamp interrupts (bsc#1185495).
- s390/dasd: fix hanging DASD driver unbind (bsc#1183932 LTC#192153).
- s390/entry: save the caller of psw_idle (bsc#1185677).
- s390/kdump: fix out-of-memory with PCI (bsc#1182257 LTC#191375).
- sched/eas: Do not update misfit status if the task is pinned (git-fixes)
- sched/fair: Avoid stale CPU util_est value for schedutil in (git-fixes)
- sched/fair: Fix unfairness caused by missing load decay (git-fixes)
- scripts/git_sort/git_sort.py: add bpf git repo
- scsi: core: Run queue in case of I/O resource contention failure (bsc#1186416).
- scsi: fnic: Kill 'exclude_id' argument to fnic_cleanup_io() (bsc#1179851).
- scsi: libfc: Avoid invoking response handler twice if ep is already completed (bsc#1186573).
- scsi: lpfc: Add a option to enable interlocked ABTS before job completion (bsc#1186451).
- scsi: lpfc: Add ndlp kref accounting for resume RPI path (bsc#1186451).
- scsi: lpfc: Fix 'Unexpected timeout' error in direct attach topology (bsc#1186451).
- scsi: lpfc: Fix Node recovery when driver is handling simultaneous PLOGIs (bsc#1186451).
- scsi: lpfc: Fix bad memory access during VPD DUMP mailbox command (bsc#1186451).
- scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs (bsc#1186451).
- scsi: lpfc: Fix node handling for Fabric Controller and Domain Controller (bsc#1186451).
- scsi: lpfc: Fix non-optimized ERSP handling (bsc#1186451).
- scsi: lpfc: Fix unreleased RPIs when NPIV ports are created (bsc#1186451).
- scsi: lpfc: Ignore GID-FT response that may be received after a link flip (bsc#1186451).
- scsi: lpfc: Reregister FPIN types if ELS_RDF is received from fabric controller (bsc#1186451).
- scsi: lpfc: Update lpfc version to 12.8.0.10 (bsc#1186451).
- sctp: delay auto_asconf init until binding the first addr (<cover.1620748346.git.mkubecek at suse.cz>).
- serial: core: fix suspicious security_locked_down() call (git-fixes).
- serial: core: return early on unsupported ioctls (git-fixes).
- serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (git-fixes).
- serial: stm32: fix incorrect characters on console (git-fixes).
- serial: stm32: fix tx_empty condition (git-fixes).
- serial: tegra: Fix a mask operation that is always true (git-fixes).
- smc: disallow TCP_ULP in smc_setsockopt() (git-fixes).
- spi: ath79: always call chipselect function (git-fixes).
- spi: ath79: remove spi-master setup and cleanup assignment (git-fixes).
- spi: dln2: Fix reference leak to master (git-fixes).
- spi: omap-100k: Fix reference leak to master (git-fixes).
- spi: qup: fix PM reference leak in spi_qup_remove() (git-fixes).
- spi: spi-fsl-dspi: Fix a resource leak in an error handling path (git-fixes).
- staging: emxx_udc: fix loop in _nbu2ss_nuke() (git-fixes).
- staging: iio: cdc: ad7746: avoid overwrite of num_channels (git-fixes).
- tcp: fix to update snd_wl1 in bulk receiver fast path (<cover.1620748346.git.mkubecek at suse.cz>).
- thermal/drivers/ti-soc-thermal/bandgap Remove unused variable 'val' (git-fixes).
- thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (git-fixes).
- tracing: Map all PIDs to command lines (git-fixes).
- tty: amiserial: fix TIOCSSERIAL permission check (git-fixes).
- tty: fix memory leak in vc_deallocate (git-fixes).
- tty: moxa: fix TIOCSSERIAL jiffies conversions (git-fixes).
- tty: moxa: fix TIOCSSERIAL permission check (git-fixes).
- uio: uio_hv_generic: use devm_kzalloc() for private data alloc (git-fixes).
- uio_hv_generic: Fix a memory leak in error handling paths (git-fixes).
- uio_hv_generic: Fix another memory leak in error handling paths (git-fixes).
- uio_hv_generic: add missed sysfs_remove_bin_file (git-fixes).
- usb: core: hub: Fix PM reference leak in usb_port_resume() (git-fixes).
- usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes).
- usb: dwc2: Fix gadget DMA unmap direction (git-fixes).
- usb: dwc3: gadget: Enable suspend events (git-fixes).
- usb: dwc3: gadget: Return success always for kick transfer in ep queue (git-fixes).
- usb: dwc3: omap: improve extcon initialization (git-fixes).
- usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield (git-fixes).
- usb: fotg210-hcd: Fix an error message (git-fixes).
- usb: gadget/function/f_fs string table fix for multiple languages (git-fixes).
- usb: gadget: dummy_hcd: fix gpf in gadget_setup (git-fixes).
- usb: gadget: f_uac1: validate input parameters (git-fixes).
- usb: gadget: f_uac2: validate input parameters (git-fixes).
- usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() (git-fixes).
- usb: gadget: uvc: add bInterval checking for HS mode (git-fixes).
- usb: musb: fix PM reference leak in musb_irq_work() (git-fixes).
- usb: sl811-hcd: improve misleading indentation (git-fixes).
- usb: webcam: Invalid size of Processing Unit Descriptor (git-fixes).
- usb: xhci: Fix port minor revision (git-fixes).
- usb: xhci: Increase timeout for HC halt (git-fixes).
- vgacon: Record video mode changes with VT_RESIZEX (git-fixes).
- video: hyperv_fb: Add ratelimit on error message (bsc#1185725).
- vrf: fix a comment about loopback device (git-fixes).
- watchdog/softlockup: Remove obsolete check of last reported task (bsc#1185982).
- watchdog/softlockup: report the overall time of softlockups (bsc#1185982).
- watchdog: explicitly update timestamp when reporting softlockup (bsc#1185982).
- watchdog: rename __touch_watchdog() to a better descriptive name (bsc#1185982).
- whitespace cleanup
- wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join (git-fixes).
- wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt (git-fixes).
- workqueue: Minor follow-ups to the rescuer destruction change (bsc#1185911).
- workqueue: more destroy_workqueue() fixes (bsc#1185911).
- x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is supported (bsc#1152489).
- xhci: Do not use GFP_KERNEL in (potentially) atomic context (git-fixes).
- xhci: check control context is valid before dereferencing it (git-fixes).
- xhci: fix potential array out of bounds with several interrupters (git-fixes).
- xsk: Respect device's headroom and tailroom on generic xmit path (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1910-1
Released: Wed Jun 9 09:37:41 2021
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1186673

This update for openssh fixes the following issues:

- Further attempts to mitigate instances of secrets lingering in memory after a session exits to meet key zeroization requirements. (bsc#1186673)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1917-1
Released: Wed Jun 9 14:48:05 2021
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1186015,CVE-2021-3541

This update for libxml2 fixes the following issues:

- CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1923-1
Released: Thu Jun 10 08:37:00 2021
Summary: Recommended update for nfs-utils
Type: recommended
Severity: important
References: 1183194

This update for nfs-utils fixes the following issues:

- Ensured thread safety when opening files over NFS to prevent a use-after-free issue (bsc#1183194)

From sle-security-updates at lists.suse.com Mon Jun 14 06:03:44 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 14 Jun 2021 08:03:44 +0200 (CEST)
Subject: SUSE-CU-2021:245-1: Security update of ses/6/cephcsi/cephcsi
Message-ID: <20210614060344.D1DF8B46F0D@westernhagen.suse.de>

SUSE Container Update Advisory: ses/6/cephcsi/cephcsi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:245-1
Container Tags : ses/6/cephcsi/cephcsi:1.2.0.0 , ses/6/cephcsi/cephcsi:1.2.0.0.1.5.436 , ses/6/cephcsi/cephcsi:latest
Container Release : 1.5.436
Severity : important
Type : security
References : 1029961 1106014 1161268 1172308 1178577 1178624 1178675 1179805 1182016 1183194 1183760 1184505 1185049 1185910 1186015 CVE-2020-29651 CVE-2021-3541
-----------------------------------------------------------------

The container ses/6/cephcsi/cephcsi was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1846-1
Released: Fri Jun 4 08:46:37 2021
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1185910

This update for mozilla-nss fixes the following issue:

- Provide some missing binaries from `mozilla-nss` not added in `SLE-Module-Basesystem_15-SP3`. (bsc#1185910)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1859-1
Released: Fri Jun 4 09:02:38 2021
Summary: Security update for python-py
Type: security
Severity: moderate
References: 1179805,1184505,CVE-2020-29651

This update for python-py fixes the following issues:

- CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1861-1
Released: Fri Jun 4 09:59:40 2021
Summary: Recommended update for gcc10
Type: recommended
Severity: moderate
References: 1029961,1106014,1178577,1178624,1178675,1182016

This update for gcc10 fixes the following issues:

- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1917-1
Released: Wed Jun 9 14:48:05 2021
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1186015,CVE-2021-3541

This update for libxml2 fixes the following issues:

- CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1923-1
Released: Thu Jun 10 08:37:00 2021
Summary: Recommended update for nfs-utils
Type: recommended
Severity: important
References: 1183194

This update for nfs-utils fixes the following issues:

- Ensured thread safety when opening files over NFS to prevent a use-after-free issue (bsc#1183194)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1953-1
Released: Thu Jun 10 16:18:50 2021
Summary: Recommended update for gpg2
Type: recommended
Severity: moderate
References: 1161268,1172308

This update for gpg2 fixes the following issues:

- Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1967-1
Released: Mon Jun 14 06:49:40 2021
Summary: Recommended update for ceph
Type: recommended
Severity: important
References: 1183760,1185049

This update for ceph fixes the following issues:

- os/FileStore: don't propagate split/merge error to 'create'/'remove' (bsc#1183760)
- os/FileStore: fix to handle readdir error correctly (bsc#1185049)

From sle-security-updates at lists.suse.com Mon Jun 14 06:06:37 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 14 Jun 2021 08:06:37 +0200 (CEST)
Subject: SUSE-CU-2021:246-1: Security update of ses/6/ceph/ceph
Message-ID: <20210614060637.15F95B46F0D@westernhagen.suse.de>

SUSE Container Update Advisory: ses/6/ceph/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:246-1
Container Tags : ses/6/ceph/ceph:14.2.21.410 , ses/6/ceph/ceph:14.2.21.410.1.5.432 , ses/6/ceph/ceph:latest
Container Release : 1.5.432
Severity : important
Type : security
References : 1029961 1106014 1161268 1172308 1178577 1178624 1178675 1179805 1182016 1183194 1183760 1184505 1185049 1185910 1186015 CVE-2020-29651 CVE-2021-3541
-----------------------------------------------------------------

The container ses/6/ceph/ceph was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1846-1
Released: Fri Jun 4 08:46:37 2021
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1185910

This update for mozilla-nss fixes the following issue:

- Provide some missing binaries from `mozilla-nss` not added in `SLE-Module-Basesystem_15-SP3`. (bsc#1185910)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1859-1
Released: Fri Jun 4 09:02:38 2021
Summary: Security update for python-py
Type: security
Severity: moderate
References: 1179805,1184505,CVE-2020-29651

This update for python-py fixes the following issues:

- CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1861-1
Released: Fri Jun 4 09:59:40 2021
Summary: Recommended update for gcc10
Type: recommended
Severity: moderate
References: 1029961,1106014,1178577,1178624,1178675,1182016

This update for gcc10 fixes the following issues:

- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1917-1
Released: Wed Jun 9 14:48:05 2021
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1186015,CVE-2021-3541

This update for libxml2 fixes the following issues:

- CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1923-1
Released: Thu Jun 10 08:37:00 2021
Summary: Recommended update for nfs-utils
Type: recommended
Severity: important
References: 1183194

This update for nfs-utils fixes the following issues:

- Ensured thread safety when opening files over NFS to prevent a use-after-free issue (bsc#1183194)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1953-1
Released: Thu Jun 10 16:18:50 2021
Summary: Recommended update for gpg2
Type: recommended
Severity: moderate
References: 1161268,1172308

This update for gpg2 fixes the following issues:

- Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1967-1
Released: Mon Jun 14 06:49:40 2021
Summary: Recommended update for ceph
Type: recommended
Severity: important
References: 1183760,1185049

This update for ceph fixes the following issues:

- os/FileStore: don't propagate split/merge error to 'create'/'remove' (bsc#1183760)
- os/FileStore: fix to handle readdir error correctly (bsc#1185049)

From sle-security-updates at lists.suse.com Mon Jun 14 06:09:29 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 14 Jun 2021 08:09:29 +0200 (CEST)
Subject: SUSE-CU-2021:247-1: Security update of ses/6/rook/ceph
Message-ID: <20210614060929.EAB67B46F0D@westernhagen.suse.de>

SUSE Container Update Advisory: ses/6/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:247-1
Container Tags : ses/6/rook/ceph:1.1.1.0 , ses/6/rook/ceph:1.1.1.0.1.5.430 , ses/6/rook/ceph:latest
Container Release : 1.5.430
Severity : important
Type : security
References : 1029961 1106014 1161268 1172308 1178577 1178624 1178675 1179805 1182016 1183194 1183760 1184505 1185049 1185910 1186015 CVE-2020-29651 CVE-2021-3541
-----------------------------------------------------------------

The container ses/6/rook/ceph was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1846-1
Released: Fri Jun 4 08:46:37 2021
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1185910

This update for mozilla-nss fixes the following issue:

- Provide some missing binaries from `mozilla-nss` not added in `SLE-Module-Basesystem_15-SP3`. (bsc#1185910)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1859-1
Released: Fri Jun 4 09:02:38 2021
Summary: Security update for python-py
Type: security
Severity: moderate
References: 1179805,1184505,CVE-2020-29651

This update for python-py fixes the following issues:

- CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1861-1
Released: Fri Jun 4 09:59:40 2021
Summary: Recommended update for gcc10
Type: recommended
Severity: moderate
References: 1029961,1106014,1178577,1178624,1178675,1182016

This update for gcc10 fixes the following issues:

- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1917-1
Released: Wed Jun 9 14:48:05 2021
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1186015,CVE-2021-3541

This update for libxml2 fixes the following issues:

- CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1923-1
Released: Thu Jun 10 08:37:00 2021
Summary: Recommended update for nfs-utils
Type: recommended
Severity: important
References: 1183194

This update for nfs-utils fixes the following issues:

- Ensured thread safety when opening files over NFS to prevent a use-after-free issue (bsc#1183194)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1953-1
Released: Thu Jun 10 16:18:50 2021
Summary: Recommended update for gpg2
Type: recommended
Severity: moderate
References: 1161268,1172308

This update for gpg2 fixes the following issues:

- Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1967-1
Released: Mon Jun 14 06:49:40 2021
Summary: Recommended update for ceph
Type: recommended
Severity: important
References: 1183760,1185049

This update for ceph fixes the following issues:

- os/FileStore: don't propagate split/merge error to 'create'/'remove' (bsc#1183760)
- os/FileStore: fix to handle readdir error correctly (bsc#1185049)

From sle-security-updates at lists.suse.com Mon Jun 14 19:16:45 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 14 Jun 2021 21:16:45 +0200 (CEST)
Subject: SUSE-SU-2021:14747-1: important: Security update for xterm
Message-ID: <20210614191645.46D5CFD07@maintenance.suse.de>

SUSE Security Update: Security update for xterm
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:14747-1
Rating: important
References: #1182091
Cross-References: CVE-2021-27135
CVSS scores:
    CVE-2021-27135 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE-2021-27135 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
    SUSE Linux Enterprise Server 11-SP4-LTSS
    SUSE Linux Enterprise Point of Sale 11-SP3
    SUSE Linux Enterprise Debuginfo 11-SP4
    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for xterm fixes the following issues:

- CVE-2021-27135: Fixed buffer-overflow when clicking on selected utf8 text. (bsc#1182091)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:

    zypper in -t patch slessp4-xterm-14747=1

- SUSE Linux Enterprise Point of Sale 11-SP3:

    zypper in -t patch sleposp3-xterm-14747=1

- SUSE Linux Enterprise Debuginfo 11-SP4:

    zypper in -t patch dbgsp4-xterm-14747=1

- SUSE Linux Enterprise Debuginfo 11-SP3:

    zypper in -t patch dbgsp3-xterm-14747=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):

    xterm-238-3.3.1

- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

    xterm-238-3.3.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):

    xterm-debuginfo-238-3.3.1
    xterm-debugsource-238-3.3.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

    xterm-debuginfo-238-3.3.1
    xterm-debugsource-238-3.3.1

References:

    https://www.suse.com/security/cve/CVE-2021-27135.html
    https://bugzilla.suse.com/1182091

From sle-security-updates at lists.suse.com Mon Jun 14 19:17:57 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 14 Jun 2021 21:17:57 +0200 (CEST)
Subject: SUSE-SU-2021:1970-1: moderate: Security update for postgresql10
Message-ID: <20210614191757.E8165FD07@maintenance.suse.de>

SUSE Security Update: Security update for postgresql10
______________________________________________________________________________

Announcement ID:
SUSE-SU-2021:1970-1 Rating: moderate References: #1183168 #1185924 #1185925 Cross-References: CVE-2021-32027 CVE-2021-32028 CVSS scores: CVE-2021-32027 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32027 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2021-32028 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP2 SUSE Linux Enterprise Module for Legacy Software 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for postgresql10 fixes the following issues: - Upgrade to version 10.17: - CVE-2021-32027: Fixed integer overflows in array subscripting calculations (bsc#1185924). - CVE-2021-32028: Fixed mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE target lists (bsc#1185925). - Don't use %_stop_on_removal, because it was meant to be private and got removed from openSUSE. %_restart_on_update is also private, but still supported and needed for now (bsc#1183168). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-1970=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP3: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP3-2021-1970=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1970=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): postgresql10-contrib-10.17-8.35.1 postgresql10-contrib-debuginfo-10.17-8.35.1 postgresql10-debuginfo-10.17-8.35.1 postgresql10-debugsource-10.17-8.35.1 postgresql10-devel-10.17-8.35.1 postgresql10-devel-debuginfo-10.17-8.35.1 postgresql10-plperl-10.17-8.35.1 postgresql10-plperl-debuginfo-10.17-8.35.1 postgresql10-plpython-10.17-8.35.1 postgresql10-plpython-debuginfo-10.17-8.35.1 postgresql10-pltcl-10.17-8.35.1 postgresql10-pltcl-debuginfo-10.17-8.35.1 postgresql10-server-10.17-8.35.1 postgresql10-server-debuginfo-10.17-8.35.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch): postgresql10-docs-10.17-8.35.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP3 (aarch64 ppc64le s390x x86_64): postgresql10-10.17-8.35.1 postgresql10-contrib-10.17-8.35.1 postgresql10-contrib-debuginfo-10.17-8.35.1 postgresql10-debuginfo-10.17-8.35.1 postgresql10-debugsource-10.17-8.35.1 postgresql10-devel-10.17-8.35.1 postgresql10-devel-debuginfo-10.17-8.35.1 postgresql10-plperl-10.17-8.35.1 postgresql10-plperl-debuginfo-10.17-8.35.1 postgresql10-plpython-10.17-8.35.1 postgresql10-plpython-debuginfo-10.17-8.35.1 postgresql10-pltcl-10.17-8.35.1 postgresql10-pltcl-debuginfo-10.17-8.35.1 postgresql10-server-10.17-8.35.1 postgresql10-server-debuginfo-10.17-8.35.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): postgresql10-10.17-8.35.1 postgresql10-debuginfo-10.17-8.35.1 
postgresql10-debugsource-10.17-8.35.1 References: https://www.suse.com/security/cve/CVE-2021-32027.html https://www.suse.com/security/cve/CVE-2021-32028.html https://bugzilla.suse.com/1183168 https://bugzilla.suse.com/1185924 https://bugzilla.suse.com/1185925 From sle-security-updates at lists.suse.com Tue Jun 15 06:04:05 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 15 Jun 2021 08:04:05 +0200 (CEST) Subject: SUSE-CU-2021:248-1: Security update of ses/7/cephcsi/cephcsi Message-ID: <20210615060405.E065FB46F0D@westernhagen.suse.de> SUSE Container Update Advisory: ses/7/cephcsi/cephcsi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:248-1 Container Tags : ses/7/cephcsi/cephcsi:3.2.2 , ses/7/cephcsi/cephcsi:3.2.2.0.3.430 , ses/7/cephcsi/cephcsi:latest , ses/7/cephcsi/cephcsi:sle15.2.octopus , ses/7/cephcsi/cephcsi:v3.2.2 , ses/7/cephcsi/cephcsi:v3.2.2.0 Container Release : 3.430 Severity : important Type : security References : 1029961 1106014 1153687 1161268 1172308 1174526 1178577 1178624 1178675 1179805 1180851 1181874 1182016 1182372 1182936 1183074 1183194 1183268 1183589 1183628 1184326 1184399 1184505 1184997 1184997 1185239 1185325 1186015 1186642 1186642 1186673 CVE-2020-29651 CVE-2021-20288 CVE-2021-3541 ----------------------------------------------------------------- The container ses/7/cephcsi/cephcsi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1833-1 Released: Wed Jun 2 15:32:28 2021 Summary: Recommended update for zypper Type: recommended Severity: moderate References: 1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239 This update for zypper fixes the following issues: zypper was upgraded to 1.14.44: - man page: Recommend the needs-rebooting command to test whether a system reboot is suggested. 
- patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268) - Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687) - Protect against strict/relaxed user umask via sudo. (bsc#1183589) - xml summary: Add solvables repository alias. (bsc#1182372) libzypp was upgraded from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1859-1 Released: Fri Jun 4 09:02:38 2021 Summary: Security update for python-py Type: security Severity: moderate References: 1179805,1184505,CVE-2020-29651 This update for python-py fixes the following issues: - CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1861-1 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Type: recommended Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. 
(bsc#1106014) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1879-1 Released: Tue Jun 8 09:16:09 2021 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1184326,1184399,1184997,1185325 This update for libzypp, zypper fixes the following issues: libzypp was updated to 17.26.0: - Work around download.o.o broken https redirects. - Allow trusted repos to add additional signing keys (bsc#1184326) Repositories signed with a trusted gpg key may import additional package signing keys. This is needed if different keys were used to sign the packages shipped by the repository. - MediaCurl: Fix logging of redirects. - Use 15.3 resolver problem and solution texts on all distros. - $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the zypp lock (bsc#1184399) Helps boot time services like 'zypper purge-kernels' to wait for the zypp lock until other services using zypper have completed. - Fix purge-kernels is broken in Leap 15.3 (bsc#1185325) Leap 15.3 introduces a new kernel package called kernel-flavour-extra, which contains kmp's. Currently kmp's are detected by name '.*-kmp(-.*)?' but this does not work with those new packages. This patch fixes the problem by checking packages for kmod(*) and ksym(*) provides and only falls back to name checking if the package in question does not provide one of those. - Introduce zypp-runpurge, a tool to run purge-kernels on testcases. zypper was updated to 1.14.45: - Fix service detection with cgroupv2 (bsc#1184997) - Add hints to 'trust GPG key' prompt. 
- Add report when receiving new package signing keys from a trusted repo (bsc#1184326) - Added translation using Weblate (Kabyle) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1910-1 Released: Wed Jun 9 09:37:41 2021 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1186673 This update for openssh fixes the following issues: - Further attempts to mitigate instances of secrets lingering in memory after a session exits to meet key zeroization requirements. (bsc#1186673) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1917-1 Released: Wed Jun 9 14:48:05 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1186015,CVE-2021-3541 This update for libxml2 fixes the following issues: - CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1923-1 Released: Thu Jun 10 08:37:00 2021 Summary: Recommended update for nfs-utils Type: recommended Severity: important References: 1183194 This update for nfs-utils fixes the following issues: - Ensured thread safety when opening files over NFS to prevent a use-after-free issue (bsc#1183194) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1935-1 Released: Thu Jun 10 10:45:09 2021 Summary: Recommended update for gzip Type: recommended Severity: moderate References: 1186642 This update for gzip fixes the following issue: - gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. 
(bsc#1186642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1937-1 Released: Thu Jun 10 10:47:09 2021 Summary: Recommended update for nghttp2 Type: recommended Severity: moderate References: 1186642 This update for nghttp2 fixes the following issue: - The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1953-1 Released: Thu Jun 10 16:18:50 2021 Summary: Recommended update for gpg2 Type: recommended Severity: moderate References: 1161268,1172308 This update for gpg2 fixes the following issues: - Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1971-1 Released: Tue Jun 15 06:57:16 2021 Summary: Security update for ceph and ceph-csi Type: security Severity: important References: 1174526,1183074,CVE-2021-20288 This update for ceph and ceph-csi fixes the following issues: ceph: - updated ceph to upstream version 15.2.13: * mgr/dashboard: allow getting fresh inventory data from the orchestrator (bsc#1174526) The whole upstream changelog can be found here: https://ceph.io/releases/v15-2-13-octopus-released/ ceph-csi: - CVE-2021-20288: An authentication flaw was found in ceph in versions prior to 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (bsc#1183074) From sle-security-updates at lists.suse.com Tue Jun 15 06:05:27 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 15 Jun 2021 08:05:27 +0200 (CEST) Subject: SUSE-CU-2021:249-1: Security update of ses/7/ceph/grafana Message-ID: <20210615060527.60A3DB46F0C@westernhagen.suse.de> SUSE Container Update Advisory: ses/7/ceph/grafana ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:249-1 Container Tags : ses/7/ceph/grafana:7.3.1 , ses/7/ceph/grafana:7.3.1.3.492 , ses/7/ceph/grafana:latest , ses/7/ceph/grafana:sle15.2.octopus Container Release : 3.492 Severity : important Type : security References : 1029961 1106014 1153687 1161268 1161276 1172308 1174526 1178219 1178577 1178624 1178675 1180836 1180851 1180851 1181443 1181874 1181874 1181976 1182016 1182372 1182791 1182899 1182936 1182936 1183064 1183074 1183074 1183268 1183589 1183628 1183628 1183791 1183797 1183801 1183899 1184231 1184326 1184358 1184399 1184401 1184435 1184614 1184690 1184997 1184997 1184997 1185163 1185239 1185239 1185325 1185408 1185408 1185409 1185409 1185410 1185410 1185417 1185438 1185562 1185619 1185698 1186015 1186020 1186021 1186114 1186642 CVE-2021-20288 CVE-2021-20288 CVE-2021-20305 CVE-2021-22898 CVE-2021-3509 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517 CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3524 CVE-2021-3531 CVE-2021-3537 CVE-2021-3541 ----------------------------------------------------------------- The container ses/7/ceph/grafana was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1141-1 Released: Mon Apr 12 13:13:36 2021 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1182791 This update for openldap2 fixes the following issues: - Improved the proxy connection timeout options to prune connections properly (bsc#1182791) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1169-1 Released: Tue Apr 13 15:01:42 2021 Summary: Recommended update for procps Type: recommended Severity: low References: 1181976 This update for procps fixes the following issues: - Corrected a statement in the man page about processor pinning via taskset (bsc#1181976) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1286-1 Released: Tue Apr 20 20:10:21 2021 Summary: Recommended update for SLES-release Type: recommended Severity: moderate References: 1180836 This recommended update for SLES-release provides the following fix: - Revert the problematic changes previously released and make sure the version is high enough to obsolete the package on containers and images. (bsc#1180836) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1296-1 Released: Wed Apr 21 14:09:28 2021 Summary: Optional update for e2fsprogs Type: optional Severity: low References: 1183791 This update for e2fsprogs fixes the following issues: - Fixed an issue when building e2fsprogs (bsc#1183791) This patch does not fix any user visible issues and is therefore optional to install. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1297-1 Released: Wed Apr 21 14:10:10 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1178219 This update for systemd fixes the following issues: - Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted. ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1299-1 Released: Wed Apr 21 14:11:41 2021 Summary: Optional update for gpgme Type: optional Severity: low References: 1183801 This update for gpgme fixes the following issues: - Fixed a bug in test cases (bsc#1183801) This patch is optional to install and does not provide any user visible bug fixes. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1407-1 Released: Wed Apr 28 15:49:02 2021 Summary: Recommended update for libcap Type: recommended Severity: important References: 1184690 This update for libcap fixes the following issues: - Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1412-1 Released: Wed Apr 28 17:09:28 2021 Summary: Security update for libnettle Type: security Severity: important References: 1184401,CVE-2021-20305 This update for libnettle fixes the following issues: - CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1426-1 Released: Thu Apr 29 06:23:13 2021 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: This update for libsolv fixes the following issues: - Fix rare segfault in resolve_jobrules() that could happen if new rules are learnt. 
- Fix a couple of memory leaks in error cases. - Fix error handling in solv_xfopen_fd() - Fixed 'regex' code on win32. - Fixed memory leak in choice rule generation ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1466-1 Released: Tue May 4 08:30:57 2021 Summary: Security update for permissions Type: security Severity: important References: 1182899 This update for permissions fixes the following issues: - etc/permissions: remove unnecessary entries (bsc#1182899) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1475-1 Released: Tue May 4 08:59:27 2021 Summary: Security update for ceph Type: security Severity: important References: 1183074,1183899,1184231,CVE-2021-20288 This update for ceph fixes the following issues: - ceph was updated to 15.2.11-83-g8a15f484c2: * CVE-2021-20288: Fixed unauthorized global_id reuse (bsc#1183074). * disk gets replaced with no rocksdb/wal (bsc#1184231). * BlueStore handles huge(>4GB) writes from RocksDB to BlueFS poorly, potentially causing data corruption (bsc#1183899). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1523-1 Released: Wed May 5 18:24:20 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518 This update for libxml2 fixes the following issues: - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1527-1 Released: Thu May 6 08:58:53 2021 Summary: Recommended update for bash Type: recommended Severity: important References: 1183064 This update for bash fixes the following issues: - Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1528-1 Released: Thu May 6 15:31:23 2021 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1161276 This update for openssl-1_1 fixes the following issues: - Do not list disapproved cipher algorithms while in 'FIPS' mode. (bsc#1161276) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1543-1 Released: Fri May 7 15:16:32 2021 Summary: Recommended update for patterns-microos Type: recommended Severity: moderate References: 1184435 This update for patterns-microos provides the following fix: - Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1544-1 Released: Fri May 7 16:34:41 2021 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1180851,1181874,1182936,1183628,1184997,1185239 This update for libzypp fixes the following issues: Upgrade from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. 
(bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1549-1 Released: Mon May 10 13:48:00 2021 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1185417 This update for procps fixes the following issues: - Support up to 2048 CPU as well. (bsc#1185417) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1565-1 Released: Tue May 11 14:20:04 2021 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1185163 This update for krb5 fixes the following issues: - Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163); ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1592-1 Released: Wed May 12 13:47:41 2021 Summary: Optional update for sed Type: optional Severity: low References: 1183797 This update for sed fixes the following issues: - Fixed a building issue with glibc-2.31 (bsc#1183797). This patch is optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1612-1 Released: Fri May 14 17:09:39 2021 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1184614 This update for openldap2 fixes the following issue: - Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. 
(bsc#1184614) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1643-1 Released: Wed May 19 13:51:48 2021 Summary: Recommended update for pam Type: recommended Severity: important References: 1181443,1184358,1185562 This update for pam fixes the following issues: - Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443) - Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358) - In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1647-1 Released: Wed May 19 13:59:12 2021 Summary: Security update for lz4 Type: security Severity: important References: 1185438,CVE-2021-3520 This update for lz4 fixes the following issues: - CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1654-1 Released: Wed May 19 16:43:36 2021 Summary: Security update for libxml2 Type: security Severity: important References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537 This update for libxml2 fixes the following issues: - CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698) - CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408). - CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410). - CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1762-1 Released: Wed May 26 12:30:01 2021 Summary: Security update for curl Type: security Severity: moderate References: 1186114,CVE-2021-22898 This update for curl fixes the following issues: - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). - Allow partial chain verification [jsc#SLE-17956] * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. * Set FLAG_TRUSTED_FIRST unconditionally. * Do not check partial chains with CRL check. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1777-1 Released: Thu May 27 11:20:53 2021 Summary: Security update for ceph Type: security Severity: important References: 1185619,1186020,1186021,CVE-2021-3509,CVE-2021-3524,CVE-2021-3531 This update for ceph fixes the following issues: - Update to 15.2.12-83-g528da226523: - (CVE-2021-3509) fix cookie injection issue (bsc#1186021) - (CVE-2021-3531) RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name (bsc#1186020) - (CVE-2021-3524) sanitize \r in s3 CORSConfiguration's ExposeHeader (bsc#1185619) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1833-1 Released: Wed Jun 2 15:32:28 2021 Summary: Recommended update for zypper Type: recommended Severity: moderate References: 1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239 This update for zypper fixes the following issues: zypper was upgraded to 1.14.44: - man page: Recommend the needs-rebooting command to test whether a system reboot is suggested. - patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268) - Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. 
(bsc#1153687) - Protect against strict/relaxed user umask via sudo. (bsc#1183589) - xml summary: Add solvables repository alias. (bsc#1182372) libzypp was upgraded from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1861-1 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Type: recommended Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1879-1 Released: Tue Jun 8 09:16:09 2021 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1184326,1184399,1184997,1185325 This update for libzypp, zypper fixes the following issues: libzypp was updated to 17.26.0: - Work around download.o.o broken https redirects. - Allow trusted repos to add additional signing keys (bsc#1184326) Repositories signed with a trusted gpg key may import additional package signing keys. 
This is needed if different keys were used to sign the packages shipped by the repository. - MediaCurl: Fix logging of redirects. - Use 15.3 resolver problem and solution texts on all distros. - $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the zypp lock (bsc#1184399) Helps boot time services like 'zypper purge-kernels' to wait for the zypp lock until other services using zypper have completed. - Fix purge-kernels is broken in Leap 15.3 (bsc#1185325) Leap 15.3 introduces a new kernel package called kernel-flavour-extra, which contains kmp's. Currently kmp's are detected by name '.*-kmp(-.*)?' but this does not work with those new packages. This patch fixes the problem by checking packages for kmod(*) and ksym(*) provides and only falls back to name checking if the package in question does not provide one of those. - Introduce zypp-runpurge, a tool to run purge-kernels on testcases. zypper was updated to 1.14.45: - Fix service detection with cgroupv2 (bsc#1184997) - Add hints to 'trust GPG key' prompt. - Add report when receiving new package signing keys from a trusted repo (bsc#1184326) - Added translation using Weblate (Kabyle) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1917-1 Released: Wed Jun 9 14:48:05 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1186015,CVE-2021-3541 This update for libxml2 fixes the following issues: - CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms.
(bsc#1186015) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1937-1 Released: Thu Jun 10 10:47:09 2021 Summary: Recommended update for nghttp2 Type: recommended Severity: moderate References: 1186642 This update for nghttp2 fixes the following issue: - The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1953-1 Released: Thu Jun 10 16:18:50 2021 Summary: Recommended update for gpg2 Type: recommended Severity: moderate References: 1161268,1172308 This update for gpg2 fixes the following issues: - Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1971-1 Released: Tue Jun 15 06:57:16 2021 Summary: Security update for ceph and ceph-csi Type: security Severity: important References: 1174526,1183074,CVE-2021-20288 This update for ceph and ceph-csi fixes the following issues: ceph: - updated ceph to upstream version 15.2.13: * mgr/dashboard: allow getting fresh inventory data from the orchestrator (bsc#1174526) The whole upstream changelog can be found here: https://ceph.io/releases/v15-2-13-octopus-released/ ceph-csi: - CVE-2021-20288: An authentication flaw was found in ceph in versions prior to 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (bsc#1183074) From sle-security-updates at lists.suse.com Tue Jun 15 06:08:45 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 15 Jun 2021 08:08:45 +0200 (CEST) Subject: SUSE-CU-2021:250-1: Security update of ses/7/ceph/ceph Message-ID: <20210615060846.02147B46F0D@westernhagen.suse.de> SUSE Container Update Advisory: ses/7/ceph/ceph ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:250-1 Container Tags : ses/7/ceph/ceph:15.2.13.79 , ses/7/ceph/ceph:15.2.13.79.4.232 , ses/7/ceph/ceph:latest , ses/7/ceph/ceph:sle15.2.octopus Container Release : 4.232 Severity : important Type : security References : 1029961 1106014 1153687 1161268 1172308 1174526 1178577 1178624 1178675 1179805 1180851 1181874 1182016 1182372 1182936 1183074 1183194 1183268 1183589 1183628 1184326 1184399 1184505 1184997 1184997 1185239 1185325 1185910 1186015 1186642 1186642 1186642 1186673 CVE-2020-29651 CVE-2021-20288 CVE-2021-3541 ----------------------------------------------------------------- The container ses/7/ceph/ceph was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1833-1 Released: Wed Jun 2 15:32:28 2021 Summary: Recommended update for zypper Type: recommended Severity: moderate References: 1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239 This update for zypper fixes the following issues: zypper was upgraded to 1.14.44: - man page: Recommend the needs-rebooting command to test whether a system reboot is suggested. - patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268) - Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. 
(bsc#1153687) - Protect against strict/relaxed user umask via sudo. (bsc#1183589) - xml summary: Add solvables repository alias. (bsc#1182372) libzypp was upgraded from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1846-1 Released: Fri Jun 4 08:46:37 2021 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1185910 This update for mozilla-nss fixes the following issue: - Provide some missing binaries from `mozilla-nss` not added in `SLE-Module-Basesystem_15-SP3`. (bsc#1185910) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1859-1 Released: Fri Jun 4 09:02:38 2021 Summary: Security update for python-py Type: security Severity: moderate References: 1179805,1184505,CVE-2020-29651 This update for python-py fixes the following issues: - CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1861-1 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Type: recommended Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. 
(bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1879-1 Released: Tue Jun 8 09:16:09 2021 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1184326,1184399,1184997,1185325 This update for libzypp, zypper fixes the following issues: libzypp was updated to 17.26.0: - Work around download.o.o broken https redirects. - Allow trusted repos to add additional signing keys (bsc#1184326) Repositories signed with a trusted gpg key may import additional package signing keys. This is needed if different keys were used to sign the packages shipped by the repository. - MediaCurl: Fix logging of redirects. - Use 15.3 resolver problem and solution texts on all distros. - $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the zypp lock (bsc#1184399) Helps boot time services like 'zypper purge-kernels' to wait for the zypp lock until other services using zypper have completed. - Fix purge-kernels is broken in Leap 15.3 (bsc#1185325) Leap 15.3 introduces a new kernel package called kernel-flavour-extra, which contains kmp's. Currently kmp's are detected by name '.*-kmp(-.*)?' but this does not work with those new packages. This patch fixes the problem by checking packages for kmod(*) and ksym(*) provides and only falls back to name checking if the package in question does not provide one of those. - Introduce zypp-runpurge, a tool to run purge-kernels on testcases. zypper was updated to 1.14.45: - Fix service detection with cgroupv2 (bsc#1184997) - Add hints to 'trust GPG key' prompt.
- Add report when receiving new package signing keys from a trusted repo (bsc#1184326) - Added translation using Weblate (Kabyle) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1910-1 Released: Wed Jun 9 09:37:41 2021 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1186673 This update for openssh fixes the following issues: - Further attempts to mitigate instances of secrets lingering in memory after a session exits to meet key zeroization requirements. (bsc#1186673) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1917-1 Released: Wed Jun 9 14:48:05 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1186015,CVE-2021-3541 This update for libxml2 fixes the following issues: - CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1923-1 Released: Thu Jun 10 08:37:00 2021 Summary: Recommended update for nfs-utils Type: recommended Severity: important References: 1183194 This update for nfs-utils fixes the following issues: - Ensured thread safety when opening files over NFS to prevent a use-after-free issue (bsc#1183194) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1935-1 Released: Thu Jun 10 10:45:09 2021 Summary: Recommended update for gzip Type: recommended Severity: moderate References: 1186642 This update for gzip fixes the following issue: - gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. 
(bsc#1186642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1937-1 Released: Thu Jun 10 10:47:09 2021 Summary: Recommended update for nghttp2 Type: recommended Severity: moderate References: 1186642 This update for nghttp2 fixes the following issue: - The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1941-1 Released: Thu Jun 10 10:49:52 2021 Summary: Recommended update for sysconfig Type: recommended Severity: moderate References: 1186642 This update for sysconfig fixes the following issue: - sysconfig had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1953-1 Released: Thu Jun 10 16:18:50 2021 Summary: Recommended update for gpg2 Type: recommended Severity: moderate References: 1161268,1172308 This update for gpg2 fixes the following issues: - Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1971-1 Released: Tue Jun 15 06:57:16 2021 Summary: Security update for ceph and ceph-csi Type: security Severity: important References: 1174526,1183074,CVE-2021-20288 This update for ceph and ceph-csi fixes the following issues: ceph: - updated ceph to upstream version 15.2.13: * mgr/dashboard: allow getting fresh inventory data from the orchestrator (bsc#1174526) The whole upstream changelog can be found here: https://ceph.io/releases/v15-2-13-octopus-released/ ceph-csi: - CVE-2021-20288: An authentication flaw was found in ceph in versions prior to 14.2.20. 
When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (bsc#1183074) From sle-security-updates at lists.suse.com Tue Jun 15 06:12:06 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 15 Jun 2021 08:12:06 +0200 (CEST) Subject: SUSE-CU-2021:251-1: Security update of ses/7/rook/ceph Message-ID: <20210615061206.416ECB46F0D@westernhagen.suse.de> SUSE Container Update Advisory: ses/7/rook/ceph ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:251-1 Container Tags : ses/7/rook/ceph:1.5.10 , ses/7/rook/ceph:1.5.10.4 , ses/7/rook/ceph:1.5.10.4.1.1658 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus Container Release : 1.1658 Severity : important Type : security References : 1029961 1106014 1153687 1161268 1172308 1174526 1178577 1178624 1178675 1179805 1180851 1181874 1182016 1182372 1182936 1183074 1183194 1183268 1183589 1183628 1184326 1184399 1184505 1184997 1184997 1185239 1185325 1186015 1186642 1186642 1186673 CVE-2020-29651 CVE-2021-20288 CVE-2021-3541 ----------------------------------------------------------------- The container ses/7/rook/ceph was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1833-1 Released: Wed Jun 2 15:32:28 2021 Summary: Recommended update for zypper Type: recommended Severity: moderate References: 1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239 This update for zypper fixes the following issues: zypper was upgraded to 1.14.44: - man page: Recommend the needs-rebooting command to test whether a system reboot is suggested. - patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268) - Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687) - Protect against strict/relaxed user umask via sudo. (bsc#1183589) - xml summary: Add solvables repository alias. (bsc#1182372) libzypp was upgraded from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1859-1 Released: Fri Jun 4 09:02:38 2021 Summary: Security update for python-py Type: security Severity: moderate References: 1179805,1184505,CVE-2020-29651 This update for python-py fixes the following issues: - CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1861-1 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Type: recommended Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1879-1 Released: Tue Jun 8 09:16:09 2021 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1184326,1184399,1184997,1185325 This update for libzypp, zypper fixes the following issues: libzypp was updated to 17.26.0: - Work around download.o.o broken https redirects. - Allow trusted repos to add additional signing keys (bsc#1184326) Repositories signed with a trusted gpg key may import additional package signing keys. This is needed if different keys were used to sign the packages shipped by the repository. - MediaCurl: Fix logging of redirects. - Use 15.3 resolver problem and solution texts on all distros. - $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the zypp lock (bsc#1184399) Helps boot time services like 'zypper purge-kernels' to wait for the zypp lock until other services using zypper have completed. - Fix purge-kernels is broken in Leap 15.3 (bsc#1185325) Leap 15.3 introduces a new kernel package called kernel-flavour-extra, which contains kmp's. Currently kmp's are detected by name '.*-kmp(-.*)?' but this does not work with those new packages.
This patch fixes the problem by checking packages for kmod(*) and ksym(*) provides and only falls back to name checking if the package in question does not provide one of those. - Introduce zypp-runpurge, a tool to run purge-kernels on testcases. zypper was updated to 1.14.45: - Fix service detection with cgroupv2 (bsc#1184997) - Add hints to 'trust GPG key' prompt. - Add report when receiving new package signing keys from a trusted repo (bsc#1184326) - Added translation using Weblate (Kabyle) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1910-1 Released: Wed Jun 9 09:37:41 2021 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1186673 This update for openssh fixes the following issues: - Further attempts to mitigate instances of secrets lingering in memory after a session exits to meet key zeroization requirements. (bsc#1186673) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1917-1 Released: Wed Jun 9 14:48:05 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1186015,CVE-2021-3541 This update for libxml2 fixes the following issues: - CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. 
(bsc#1186015) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1923-1 Released: Thu Jun 10 08:37:00 2021 Summary: Recommended update for nfs-utils Type: recommended Severity: important References: 1183194 This update for nfs-utils fixes the following issues: - Ensured thread safety when opening files over NFS to prevent a use-after-free issue (bsc#1183194) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1935-1 Released: Thu Jun 10 10:45:09 2021 Summary: Recommended update for gzip Type: recommended Severity: moderate References: 1186642 This update for gzip fixes the following issue: - gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1937-1 Released: Thu Jun 10 10:47:09 2021 Summary: Recommended update for nghttp2 Type: recommended Severity: moderate References: 1186642 This update for nghttp2 fixes the following issue: - The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1953-1 Released: Thu Jun 10 16:18:50 2021 Summary: Recommended update for gpg2 Type: recommended Severity: moderate References: 1161268,1172308 This update for gpg2 fixes the following issues: - Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1971-1 Released: Tue Jun 15 06:57:16 2021 Summary: Security update for ceph and ceph-csi Type: security Severity: important References: 1174526,1183074,CVE-2021-20288 This update for ceph and ceph-csi fixes the following issues: ceph: - updated ceph to upstream version 15.2.13: * mgr/dashboard: allow getting fresh inventory data from the orchestrator (bsc#1174526) The whole upstream changelog can be found here: https://ceph.io/releases/v15-2-13-octopus-released/ ceph-csi: - CVE-2021-20288: An authentication flaw was found in ceph in versions prior to 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (bsc#1183074) From sle-security-updates at lists.suse.com Tue Jun 15 16:19:21 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 15 Jun 2021 18:19:21 +0200 (CEST) Subject: SUSE-SU-2021:1975-1: important: Security update for the Linux Kernel Message-ID: <20210615161921.81DDEFD84@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1975-1 Rating: important References: #1043990 #1047233 #1055117 #1065729 #1087082 #1113295 #1133021 #1152457 #1152472 #1152489 #1153274 #1154353 #1155518 #1156256 #1156395 #1159280 #1160634 #1164648 #1167260 #1167574 #1167773 #1168777 #1168838 #1169709 #1171295 #1173485 #1174416 #1174426 #1175995 #1176447 #1176774 #1177028 #1177326 #1177411 #1177437 #1177666 #1178089 #1178134 
#1178163 #1178181 #1178330 #1178378 #1178418 #1178612 #1179243 #1179454 #1179458 #1179519 #1179825 #1179827 #1179851 #1180100 #1180197 #1180814 #1180846 #1180980 #1181104 #1181161 #1181383 #1181507 #1181674 #1181862 #1182077 #1182257 #1182377 #1182378 #1182552 #1182574 #1182591 #1182613 #1182712 #1182713 #1182715 #1182716 #1182717 #1182999 #1183022 #1183048 #1183069 #1183077 #1183095 #1183120 #1183203 #1183249 #1183252 #1183277 #1183278 #1183279 #1183280 #1183281 #1183282 #1183283 #1183284 #1183285 #1183286 #1183287 #1183288 #1183289 #1183310 #1183311 #1183312 #1183313 #1183314 #1183315 #1183316 #1183317 #1183318 #1183319 #1183320 #1183321 #1183322 #1183323 #1183324 #1183325 #1183326 #1183346 #1183366 #1183369 #1183386 #1183405 #1183412 #1183427 #1183428 #1183445 #1183447 #1183491 #1183501 #1183509 #1183530 #1183534 #1183540 #1183593 #1183596 #1183598 #1183637 #1183646 #1183658 #1183662 #1183686 #1183692 #1183696 #1183750 #1183757 #1183775 #1183815 #1183843 #1183859 #1183868 #1183871 #1183873 #1183932 #1183947 #1183976 #1184074 #1184081 #1184082 #1184120 #1184167 #1184168 #1184170 #1184171 #1184176 #1184192 #1184193 #1184194 #1184196 #1184197 #1184198 #1184199 #1184208 #1184209 #1184211 #1184217 #1184218 #1184219 #1184220 #1184224 #1184259 #1184264 #1184386 #1184388 #1184391 #1184393 #1184436 #1184485 #1184509 #1184511 #1184512 #1184514 #1184583 #1184585 #1184611 #1184615 #1184650 #1184710 #1184724 #1184728 #1184730 #1184731 #1184736 #1184737 #1184738 #1184740 #1184741 #1184742 #1184760 #1184769 #1184811 #1184855 #1184893 #1184934 #1184942 #1184943 #1184952 #1184953 #1184955 #1184957 #1184969 #1184984 #1185010 #1185041 #1185110 #1185113 #1185233 #1185269 #1185365 #1185428 #1185454 #1185472 #1185491 #1185495 #1185497 #1185549 #1185550 #1185558 #1185573 #1185581 #1185586 #1185587 #1185589 #1185606 #1185640 #1185641 #1185642 #1185645 #1185670 #1185677 #1185680 #1185703 #1185725 #1185736 #1185758 #1185796 #1185840 #1185857 #1185859 #1185860 #1185861 #1185862 #1185863 
#1185898 #1185899 #1185911 #1185938 #1185950 #1185954 #1185980 #1185982 #1185987 #1185988 #1186009 #1186060 #1186061 #1186062 #1186111 #1186118 #1186219 #1186285 #1186320 #1186349 #1186352 #1186353 #1186354 #1186355 #1186356 #1186357 #1186390 #1186401 #1186408 #1186416 #1186439 #1186441 #1186451 #1186460 #1186467 #1186479 #1186484 #1186498 #1186501 #1186512 #1186573 #1186681 Cross-References: CVE-2019-18814 CVE-2019-19769 CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-25670 CVE-2020-25671 CVE-2020-25672 CVE-2020-25673 CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2020-27170 CVE-2020-27171 CVE-2020-27673 CVE-2020-27815 CVE-2020-35519 CVE-2020-36310 CVE-2020-36311 CVE-2020-36312 CVE-2020-36322 CVE-2021-20268 CVE-2021-23134 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-28038 CVE-2021-28375 CVE-2021-28660 CVE-2021-28688 CVE-2021-28950 CVE-2021-28952 CVE-2021-28964 CVE-2021-28971 CVE-2021-28972 CVE-2021-29154 CVE-2021-29155 CVE-2021-29264 CVE-2021-29265 CVE-2021-29647 CVE-2021-29650 CVE-2021-30002 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVE-2021-3428 CVE-2021-3444 CVE-2021-3483 CVE-2021-3489 CVE-2021-3490 CVE-2021-3491 CVSS scores: CVE-2019-18814 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-18814 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2019-19769 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2019-19769 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H CVE-2020-24586 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-24586 (SUSE): 4.7 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N CVE-2020-24587 (NVD) : 2.6 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-24587 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-24588 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2020-24588 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2020-25670 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25671 (NVD) : 
7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-25671 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25672 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-25672 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25673 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25673 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVE-2020-26139 (NVD) : 5.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-26139 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-26141 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26145 (SUSE): 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26147 (NVD) : 5.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N CVE-2020-27170 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-27170 (SUSE): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-27171 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2020-27171 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2020-27673 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-27673 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-27815 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-27815 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-35519 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-35519 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-36310 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-36310 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-36311 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-36311 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2020-36312 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-36312 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2020-36322 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H 
CVE-2021-20268 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-20268 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27363 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2021-27363 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27365 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27365 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28038 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28038 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28375 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28375 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-28660 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28660 (SUSE): 8 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-28688 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28688 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28950 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28952 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28964 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28971 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28972 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28972 (SUSE): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2021-29154 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29154 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29155 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-29155 (SUSE): 6.2 
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-29264 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-29265 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-29265 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-29647 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-29650 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-29650 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-30002 (NVD) : 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-30002 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33200 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3428 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2021-3444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3483 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3483 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H CVE-2021-3489 (NVD) : 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-3489 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3490 (NVD) : 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-3490 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3491 (NVD) : 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-3491 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP3 ______________________________________________________________________________ An update that 
solves 52 vulnerabilities and has 250 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP3 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values. (bsc#1186111)
- CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
- CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
- CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
- CVE-2020-24588: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (bnc#1185861)
- CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
- CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
- CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)
- CVE-2021-29650: Fixed an issue with the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
- CVE-2021-29155: Fixed an issue that was discovered in kernel/bpf/verifier.c that performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation was not correctly accounted for when restricting subsequent operations (bnc#1184942).
- CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0 leading to out of bounds read (bsc#1184170).
- CVE-2021-3428: Fixed an integer overflow in ext4_es_cache_extent (bsc#1173485).
- CVE-2021-29647: Fixed an issue in qrtr_recvmsg which could have allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bsc#1184192).
- CVE-2021-29265: Fixed an issue in usbip_sockfd_store which could have allowed attackers to cause a denial of service due to race conditions during an update of the local and shared status (bsc#1184167).
- CVE-2021-29264: Fixed an issue in the Freescale Gianfar Ethernet driver which could have allowed attackers to cause a system crash due to a calculation of negative fragment size (bsc#1184168).
- CVE-2021-28972: Fixed a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly (bsc#1184198).
- CVE-2021-28971: Fixed an issue in intel_pmu_drain_pebs_nhm which could have caused a system crash because the PEBS status in a PEBS record was mishandled (bsc#1184196).
- CVE-2021-28964: Fixed a race condition in get_old_root which could have allowed attackers to cause a denial of service (bsc#1184193).
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1183646).
- CVE-2021-28660: Fixed an out of bounds write in rtw_wx_set_scan (bsc#1183593).
- CVE-2021-28375: Fixed an issue in fastrpc_internal_invoke which did not prevent user applications from sending kernel RPC messages (bsc#1183596).
- CVE-2021-28038: Fixed an issue with the netback driver which was lacking necessary treatment of errors such as failed memory allocations (bsc#1183022).
- CVE-2021-27365: Fixed an issue where an unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bsc#1182715).
- CVE-2021-27364: Fixed an issue where an attacker could craft Netlink messages (bsc#1182717).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1182716).
- CVE-2020-35519: Fixed an out-of-bounds memory access in x25_bind (bsc#1183696).
- CVE-2020-27815: Fixed an issue in the JFS filesystem which could have allowed an attacker to execute code (bsc#1179454).
- CVE-2020-27171: Fixed an off-by-one error affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183775).
- CVE-2020-27170: Fixed potential side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183686).
- CVE-2019-19769: Fixed a use-after-free in the perf_trace_lock_acquire function (bsc#1159280).
- CVE-2019-18814: Fixed a use-after-free when aa_label_parse() fails in aa_audit_rule_init() (bsc#1156256).
- CVE-2021-3483: Fixed a use-after-free in nosy.c (bsc#1184393).
- CVE-2021-30002: Fixed a memory leak for large arguments in video_usercopy (bsc#1184120).
- CVE-2021-29154: Fixed incorrect computation of branch displacements, allowing arbitrary code execution (bsc#1184391).
- CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h due to a retry loop that was continually finding the same bad inode (bsc#1184194).
- CVE-2021-28952: Fixed a buffer overflow in the soundwire device driver, triggered when an unexpected port ID number is encountered (bnc#1184197).
- CVE-2021-20268: Fixed an out-of-bounds access flaw in the implementation of the eBPF code verifier. This flaw allowed a local user to crash the system or possibly escalate their privileges. (bnc#1183077)
- CVE-2020-27673: Fixed a vulnerability with xen, where guest OS users could cause a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411).
- CVE-2020-36312: Fixed a memory leak upon a kmalloc failure (bsc#1184509).
- CVE-2020-36311: Fixed a denial of service (soft lockup) by triggering destruction of a large SEV VM (bsc#1184511).
- CVE-2020-36310: Fixed infinite loop for certain nested page faults (bsc#1184512).
- CVE-2021-3489: Fixed an issue where the eBPF RINGBUF bpf_ringbuf_reserve did not check that the allocated size was smaller than the ringbuf size (bnc#1185640).
- CVE-2021-3490: Fixed an issue where the eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) did not update the 32-bit bounds (bnc#1185641 bnc#1185796).
- CVE-2020-36322: Fixed an issue in the FUSE filesystem implementation which could have caused a system crash (bsc#1184211).
- CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673: Fixed multiple bugs in NFC subsystem (bsc#1178181).

The following non-security bugs were fixed:

- ACPI / hotplug / PCI: Fix reference count leak in enable_slot() (git-fixes).
- ACPI / idle: override c-state latency when not in conformance with s0ix (bsc#1185840).
- ACPI: CPPC: Replace cppc_attr with kobj_attribute (git-fixes).
- ACPI: GTDT: Do not corrupt interrupt mappings on watchdow probe failure (git-fixes).
- ACPI: PM: Add ACPI ID of Alder Lake Fan (git-fixes).
- ACPI: PM: s2idle: Add AMD support to handle _DSM (bsc#1185840).
- ACPI: PM: s2idle: Add missing LPS0 functions for AMD (bsc#1185840).
- ACPI: PM: s2idle: Drop unused local variables and related code (bsc#1185840).
- ACPI: PM: s2idle: Move x86-specific code to the x86 directory (bsc#1185840).
- ACPI: custom_method: fix a possible memory leak (git-fixes).
- ACPI: custom_method: fix potential use-after-free issue (git-fixes).
- ACPI: processor: Fix CPU0 wakeup in acpi_idle_play_dead() (git-fixes).
- ACPI: processor: Fix build when CONFIG_ACPI_PROCESSOR=m (git-fixes).
- ACPI: scan: Rearrange memory allocation in acpi_device_add() (git-fixes).
- ACPI: video: Add DMI quirk for GIGABYTE GB-BXBT-2807 (git-fixes).
- ACPI: video: Add missing callback back for Sony VPCEH3U1E (git-fixes).
- ACPICA: Always create namespace nodes using acpi_ns_create_node() (git-fixes).
- ACPICA: Enable sleep button on ACPI legacy wake (bsc#1181383).
- ACPICA: Fix race in generic_serial_bus (I2C) and GPIO op_region parameter handling (git-fixes).
- ALSA: Convert strlcpy to strscpy when return value is unused (git-fixes).
- ALSA: aloop: Fix initialization of controls (git-fixes).
- ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro (git-fixes).
- ALSA: bebob: enable to deliver MIDI messages for multiple ports (git-fixes).
- ALSA: core: remove redundant spin_lock pair in snd_card_disconnect (git-fixes).
- ALSA: dice: fix null pointer dereference when node is disconnected (git-fixes).
- ALSA: dice: fix stream format at middle sampling rate for Alesis iO 26 (git-fixes).
- ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency (git-fixes).
- ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer (git-fixes).
- ALSA: firewire-lib: fix amdtp_packet tracepoints event for packet_index field (git-fixes).
- ALSA: firewire-lib: fix calculation for size of IR context payload (git-fixes).
- ALSA: firewire-lib: fix check for the size of isochronous packet payload (git-fixes).
- ALSA: hda/ca0132: Add Sound BlasterX AE-5 Plus support (git-fixes).
- ALSA: hda/cirrus: Add Headphone and Headset MIC Volume Control (git-fixes).
- ALSA: hda/cirrus: Add error handling into CS8409 I2C functions (git-fixes).
- ALSA: hda/cirrus: Add jack detect interrupt support from CS42L42 companion codec (git-fixes).
- ALSA: hda/cirrus: Add support for CS8409 HDA bridge and CS42L42 companion codec (git-fixes).
- ALSA: hda/cirrus: Cleanup patch_cirrus.c code (git-fixes).
- ALSA: hda/cirrus: Fix CS42L42 Headset Mic volume control name (git-fixes).
- ALSA: hda/cirrus: Make CS8409 driver more generic by using fixups (git-fixes).
- ALSA: hda/cirrus: Set Initial DMIC volume for Bullseye to -26 dB (git-fixes).
- ALSA: hda/cirrus: Use CS8409 filter to fix abnormal sounds on Bullseye (git-fixes).
- ALSA: hda/conexant: Add quirk for mute LED control on HP ZBook G5 (git-fixes).
- ALSA: hda/conexant: Apply quirk for another HP ZBook G5 model (git-fixes).
- ALSA: hda/conexant: Re-order CX5066 quirk table entries (git-fixes).
- ALSA: hda/conexant: Re-order CX5066 quirk table entries (git-fixes).
- ALSA: hda/hdmi: Cancel pending works before suspend (bsc#1182377).
- ALSA: hda/hdmi: Cancel pending works before suspend (git-fixes).
- ALSA: hda/hdmi: fix race in handling acomp ELD notification at resume (git-fixes).
- ALSA: hda/realtek - Headset Mic issue on HP platform (git-fixes).
- ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is unreachable (git-fixes).
- ALSA: hda/realtek: Add fixup for HP OMEN laptop (git-fixes).
- ALSA: hda/realtek: Add fixup for HP Spectre x360 15-df0xxx (git-fixes).
- ALSA: hda/realtek: Add quirk for Intel Clevo PCx0Dx (git-fixes).
- ALSA: hda/realtek: Add quirk for Lenovo Ideapad S740 (git-fixes).
- ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293 (git-fixes).
- ALSA: hda/realtek: Apply headset-mic quirks for Xiaomi Redmibook Air (git-fixes).
- ALSA: hda/realtek: Chain in pop reduction fixup for ThinkStation P340 (git-fixes).
- ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on EliteBook 845 G8 (git-fixes).
- ALSA: hda/realtek: Fix silent headphone output on ASUS UX430UA (git-fixes).
- ALSA: hda/realtek: Fix speaker amp on HP Envy AiO 32 (git-fixes).
- ALSA: hda/realtek: Fix speaker amp setup on Acer Aspire E1 (git-fixes).
- ALSA: hda/realtek: GA503 use same quirks as GA401 (git-fixes).
- ALSA: hda/realtek: Headphone volume is controlled by Front mixer (git-fixes).
- ALSA: hda/realtek: Re-order ALC269 ASUS quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC269 Acer quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC269 Dell quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC269 HP quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC269 Sony quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC662 quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC882 Acer quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC882 Clevo quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries (git-fixes).
- ALSA: hda/realtek: Re-order remaining ALC269 quirk table entries (git-fixes).
- ALSA: hda/realtek: Remove redundant entry for ALC861 Haier/Uniwill devices (git-fixes).
- ALSA: hda/realtek: apply pin quirk for XiaomiNotebook Pro (git-fixes).
- ALSA: hda/realtek: call alc_update_headset_mode() in hp_automute_hook (git-fixes).
- ALSA: hda/realtek: fix a determine_headset_type issue for a Dell AIO (git-fixes).
- ALSA: hda/realtek: fix mic boost on Intel NUC 8 (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Zbook Fury 15 G8 (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Zbook Fury 17 G8 (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Zbook G8 (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs for HP 440 G8 (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs for HP 640 G8 (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs for HP 840 G8 (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs for HP 850 G8 (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs for HP 855 G8 (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 445 G7 (git-fixes).
- ALSA: hda/realtek: fix static noise on ALC285 Lenovo laptops (git-fixes).
- ALSA: hda/realtek: reset eapd coeff to default value for alc287 (git-fixes).
- ALSA: hda/realtek: the bass speaker can't output sound on Yoga 9i (git-fixes).
- ALSA: hda: Add missing sanity checks in PM prepare/complete callbacks (git-fixes).
- ALSA: hda: Avoid spurious unsol event handling during S3/S4 (bsc#1182377).
- ALSA: hda: Avoid spurious unsol event handling during S3/S4 (git-fixes).
- ALSA: hda: Drop the BATCH workaround for AMD controllers (git-fixes).
- ALSA: hda: Flush pending unsolicited events before suspend (bsc#1182377).
- ALSA: hda: Re-add dropped snd_poewr_change_state() calls (git-fixes).
- ALSA: hda: fixup headset for ASUS GU502 laptop (git-fixes).
- ALSA: hda: fixup headset for ASUS GU502 laptop (git-fixes).
- ALSA: hda: generic: Fix the micmute led init state (git-fixes).
- ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP (git-fixes).
- ALSA: hda: ignore invalid NHLT table (git-fixes).
- ALSA: hdsp: do not disable if not enabled (git-fixes).
- ALSA: hdspm: do not disable if not enabled (git-fixes).
- ALSA: intel8x0: Do not update period unless prepared (git-fixes).
- ALSA: line6: Fix racy initialization of LINE6 MIDI (git-fixes).
- ALSA: rme9652: do not disable if not enabled (git-fixes).
- ALSA: sb: Fix two use after free in snd_sb_qsound_build (git-fixes).
- ALSA: usb-audio: Add DJM-450 to the quirks table (git-fixes).
- ALSA: usb-audio: Add DJM450 to Pioneer format quirk (git-fixes).
- ALSA: usb-audio: Add DJM450 to Pioneer format quirk (git-fixes).
- ALSA: usb-audio: Add DJM750 to Pioneer mixer quirk (git-fixes).
- ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX (git-fixes).
- ALSA: usb-audio: Add Pioneer DJM-850 to quirks-table (git-fixes).
- ALSA: usb-audio: Add dB range mapping for Sennheiser Communications Headset PC 8 (git-fixes).
- ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls (git-fixes).
- ALSA: usb-audio: Add implicit feeback support for the BOSS GT-1 (git-fixes).
- ALSA: usb-audio: Add support for Pioneer DJM-750 (git-fixes).
- ALSA: usb-audio: Add support for many Roland devices' implicit feedback quirks (git-fixes).
- ALSA: usb-audio: Apply implicit feedback mode for BOSS devices (git-fixes).
- ALSA: usb-audio: Apply sample rate quirk to Logitech Connect (git-fixes).
- ALSA: usb-audio: Carve out connector value checking into a helper (git-fixes).
- ALSA: usb-audio: Check connector value on resume (git-fixes).
- ALSA: usb-audio: Configure Pioneer DJM-850 samplerate (git-fixes).
- ALSA: usb-audio: Convert remaining strlcpy() to strscpy() (git-fixes).
- ALSA: usb-audio: Convert the last strlcpy() usage (git-fixes).
- ALSA: usb-audio: DJM-750: ensure format is set (git-fixes).
- ALSA: usb-audio: Declare Pioneer DJM-850 mixer controls (git-fixes).
- ALSA: usb-audio: Drop implicit fb quirk entries dubbed for capture (git-fixes).
- ALSA: usb-audio: Explicitly set up the clock selector (git-fixes).
- ALSA: usb-audio: Fix "RANGE setting not yet supported" errors (git-fixes).
- ALSA: usb-audio: Fix Pioneer DJM devices URB_CONTROL request direction to set samplerate (git-fixes).
- ALSA: usb-audio: Fix Pioneer DJM devices URB_CONTROL request direction to set samplerate (git-fixes).
- ALSA: usb-audio: Fix implicit sync clearance at stopping stream (git-fixes).
- ALSA: usb-audio: Fix potential out-of-bounce access in MIDI EP parser (git-fixes).
- ALSA: usb-audio: Fix unintentional sign extension issue (git-fixes).
- ALSA: usb-audio: Generic application of implicit fb to Roland/BOSS devices (git-fixes).
- ALSA: usb-audio: Re-apply implicit feedback mode to Pioneer devices (git-fixes).
- ALSA: usb-audio: Remove redundant assignment to len (git-fixes).
- ALSA: usb-audio: Skip probe of UA-101 devices (git-fixes).
- ALSA: usb-audio: Skip the clock selector inquiry for single connections (git-fixes).
- ALSA: usb-audio: Validate MS endpoint descriptors (git-fixes).
- ALSA: usb-audio: add mixer quirks for Pioneer DJM-900NXS2 (git-fixes).
- ALSA: usb-audio: fix NULL ptr dereference in usb_audio_probe (bsc#1182552).
- ALSA: usb-audio: fix Pioneer DJM-850 control label info (git-fixes).
- ALSA: usb-audio: fix control-request direction (git-fixes).
- ALSA: usb-audio: fix use after free in usb_audio_disconnect (bsc#1182552).
- ALSA: usb-audio: generate midi streaming substream names from jack names (git-fixes).
- ALSA: usb-audio: scarlett2: Fix device hang with ehci-pci (git-fixes).
- ALSA: usb-audio: scarlett2: Improve driver startup messages (git-fixes).
- ALSA: usb-audio: scarlett2: snd_scarlett_gen2_controls_create() can be static (git-fixes).
- ALSA: usb-audio: use usb headers rather than define structs locally (git-fixes).
- ALSA: usb: Use DIV_ROUND_UP() instead of open-coding it (git-fixes).
- ALSA: usb: midi: do not return -ENOMEM when usb_urb_ep_type_check fails (git-fixes).
- ARM64: vdso32: Install vdso32 from vdso_install (git-fixes).
- ASoC: Intel: Add DMI quirk table to soc_intel_is_byt_cr() (git-fixes).
- ASoC: Intel: boards: sof-wm8804: add check for PLL setting (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for ARCHOS Cesium 140 (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for the Acer One S1002 tablet (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for the Estar Beauty HD MID 7316R tablet (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for the Voyo Winpad A15 tablet (git-fixes).
- ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF (git-fixes).
- ASoC: Intel: bytcr_rt5640: Fix HP Pavilion x2 10-p0XX OVCD current threshold (git-fixes).
- ASoC: Intel: bytcr_rt5651: Add quirk for the Jumper EZpad 7 tablet (git-fixes).
- ASoC: Intel: kbl_da7219_max98927: Fix kabylake_ssp_fixup function (git-fixes).
- ASoC: Intel: sof_sdw: add quirk for HP Spectre x360 convertible (git-fixes).
- ASoC: Intel: sof_sdw: add quirk for new ADL-P Rvp (git-fixes).
- ASoC: Intel: sof_sdw: reorganize quirks by generation (git-fixes).
- ASoC: SOF: Intel: HDA: fix core status verification (git-fixes).
- ASoC: SOF: Intel: HDA: fix core status verification (git-fixes).
- ASoC: SOF: Intel: hda: remove unnecessary parentheses (git-fixes).
- ASoC: SOF: Intel: unregister DMIC device on probe error (git-fixes).
- ASoC: SOF: intel: fix wrong poll bits in dsp power down (git-fixes).
- ASoC: ak4458: Add MODULE_DEVICE_TABLE (git-fixes).
- ASoC: ak5558: Add MODULE_DEVICE_TABLE (git-fixes).
- ASoC: ak5558: Fix s/show/slow/ typo (git-fixes).
- ASoC: ak5558: correct reset polarity (git-fixes).
- ASoC: codecs: wcd934x: add a sanity check in set channel map (git-fixes).
- ASoC: cs35l33: fix an error code in probe() (git-fixes).
- ASoC: cs42l42: Always wait at least 3ms after reset (git-fixes).
- ASoC: cs42l42: Do not enable/disable regulator at Bias Level (git-fixes).
- ASoC: cs42l42: Fix Bitclock polarity inversion (git-fixes).
- ASoC: cs42l42: Fix channel width support (git-fixes).
- ASoC: cs42l42: Fix mixer volume control (git-fixes).
- ASoC: cs42l42: Regmap must use_single_read/write (git-fixes).
- ASoC: cygnus: fix for_each_child.cocci warnings (git-fixes).
- ASoC: es8316: Simplify adc_pga_gain_tlv table (git-fixes).
- ASoC: fsl_esai: Fix TDM slot setup for I2S mode (git-fixes).
- ASoC: fsl_ssi: Fix TDM slot setup for I2S mode (git-fixes).
- ASoC: intel: atom: Remove 44100 sample-rate from the media and deep-buffer DAI descriptions (git-fixes).
- ASoC: intel: atom: Stop advertising non working S24LE support (git-fixes).
- ASoC: max98373: Added 30ms turn on/off time delay (git-fixes).
- ASoC: max98373: Changed amp shutdown register as volatile (git-fixes).
- ASoC: qcom: lpass-cpu: Fix lpass dai ids parse (git-fixes).
- ASoC: qcom: sdm845: Fix array out of bounds access (git-fixes).
- ASoC: qcom: sdm845: Fix array out of range on rx slim channels (git-fixes).
- ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() (git-fixes).
- ASoC: rsnd: check all BUSIF status when error (git-fixes).
- ASoC: rsnd: core: Check convert rate in rsnd_hw_params (git-fixes).
- ASoC: rt1015: fix i2c communication error (git-fixes).
- ASoC: rt286: Generalize support for ALC3263 codec (git-fixes).
- ASoC: rt286: Make RT286_SET_GPIO_* readable and writable (git-fixes).
- ASoC: rt5640: Fix dac- and adc- vol-tlv values being off by a factor of 10 (git-fixes).
- ASoC: rt5651: Fix dac- and adc- vol-tlv values being off by a factor of 10 (git-fixes).
- ASoC: rt5659: Update MCLK rate in set_sysclk() (git-fixes).
- ASoC: rt5670: Add a quirk for the Dell Venue 10 Pro 5055 (git-fixes).
- ASoC: rt5670: Add emulated 'DAC1 Playback Switch' control (git-fixes).
- ASoC: rt5670: Remove 'HP Playback Switch' control (git-fixes).
- ASoC: rt5670: Remove 'OUT Channel Switch' control (git-fixes).
- ASoC: rt5670: Remove ADC vol-ctrl mute bits poking from Sto1 ADC mixer settings (git-fixes).
- ASoC: rt711: add snd_soc_component remove callback (git-fixes).
- ASoC: samsung: snow: remove useless test (git-fixes).
- ASoC: samsung: tm2_wm5110: check of of_parse return value (git-fixes).
- ASoC: sgtl5000: set DAP_AVC_CTRL register to correct default value on probe (git-fixes).
- ASoC: simple-card-utils: Do not handle device clock (git-fixes).
- ASoC: simple-card: fix possible uninitialized single_cpu local variable (git-fixes).
- ASoC: soc-core kABI workaround (git-fixes).
- ASoC: soc-core: Prevent warning if no DMI table is present (git-fixes).
- ASoC: sunxi: sun4i-codec: fill ASoC card owner (git-fixes).
- ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled for some chips (git-fixes).
- ASoC: wm8960: Remove bitclk relax condition in wm8960_configure_sysclk (git-fixes).
- Bluetooth: Fix incorrect status handling in LE PHY UPDATE event (git-fixes).
- Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data (git-fixes).
- Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS (git-fixes).
- Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes).
- Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default (git-fixes).
- Bluetooth: avoid deadlock between hci_dev->lock and socket lock (git-fixes).
- Bluetooth: btqca: Add valid le states quirk (git-fixes).
- Bluetooth: btusb: Enable quirk boolean flag for Mediatek Chip (git-fixes).
- Bluetooth: check for zapped sk before connecting (git-fixes).
- Bluetooth: hci_h5: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERY for btrtl (git-fixes).
- Bluetooth: initialize skb_queue_head at l2cap_chan_create() (git-fixes).
- Documentation/ABI: sysfs-platform-ideapad-laptop: update device attribute paths (git-fixes).
- Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2 VM (git-fixes).
- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725).
- Drivers: hv: vmbus: Use after free in __vmbus_open() (git-fixes).
- EDAC/amd64: Check for memory before fully initializing an instance (bsc#1183815).
- EDAC/amd64: Get rid of the ECC disabled long message (bsc#1183815).
- EDAC/amd64: Use cached data when checking for ECC (bsc#1183815).
- Goodix Fingerprint device is not a modem (git-fixes).
- HID: alps: fix error return code in alps_input_configured() (git-fixes).
- HID: google: add don USB id (git-fixes).
- HID: i2c-hid: Add I2C_HID_QUIRK_NO_IRQ_AFTER_RESET for ITE8568 EC on Voyo Winpad A15 (git-fixes).
- HID: mf: add support for 0079:1846 Mayflash/Dragonrise USB Gamecube Adapter (git-fixes).
- HID: plantronics: Workaround for double volume key presses (git-fixes).
- HID: wacom: Assign boolean values to a bool variable (git-fixes).
- HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices (git-fixes).
- HSI: Fix PM usage counter unbalance in ssi_hw_init (git-fixes).
- Hibernation: Fix Hibernate not blocked in Secure Boot with no EFI secret key
- IB/hfi1: Fix probe time panic when AIP is enabled with a buggy BIOS (jsc#SLE-13208).
- IB/hfi1: Rework AIP and VNIC dummy netdev usage (jsc#SLE-13208).
- Input: applespi - do not wait for responses to commands indefinitely (git-fixes).
- Input: elantech - fix protocol errors for some trackpoints in SMBus mode (git-fixes).
- Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices (git-fixes).
- Input: i8042 - fix Pegatron C15B ID entry (git-fixes).
- Input: nspire-keypad - enable interrupts only when opened (git-fixes).
- Input: s6sy761 - fix coordinate read bit shift (git-fixes).
- Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state (git-fixes).
- KEYS: trusted: Fix TPM reservation for seal/unseal (git-fixes).
- KEYS: trusted: Fix memory leak on object td (git-fixes).
- KVM x86: Extend AMD specific guest behavior to Hygon virtual CPUs (bsc#1183447).
- KVM: PPC: Book3S HV P9: Restore host CTRL SPR after guest exit (bsc#1156395).
- KVM: PPC: Make the VMX instruction emulation routines static (bsc#1156395).
- KVM: SVM: Clear the CR4 register on reset (bsc#1183252).
- KVM: kvmclock: Fix vCPUs > 64 can't be online/hotpluged (bsc#1152489).
- KVM: nVMX: Properly handle userspace interrupt window request (bsc#1183427).
- KVM: s390: fix guarded storage control register handling (bsc#1133021).
- KVM: x86: Add helpers to perform CPUID-based guest vendor check (bsc#1183445).
- KVM: x86: Allow guests to see MSR_IA32_TSX_CTRL even if tsx=off (bsc#1183287).
- KVM: x86: Allow guests to see MSR_IA32_TSX_CTRL even if tsx=off (bsc#1183323).
- KVM: x86: Expose XSAVEERPTR to the guest (jsc#SLE-13573).
- KVM: x86: Return -E2BIG when KVM_GET_SUPPORTED_CPUID hits max entries (bsc#1183428).
- KVM: x86: Set so called 'reserved CR3 bits in LM mask' at vCPU reset (bsc#1183288).
- KVM: x86: Set so called 'reserved CR3 bits in LM mask' at vCPU reset (bsc#1183324).
- KVM: x86: do not reset microcode version on INIT or RESET (bsc#1183412).
- KVM: x86: list MSR_IA32_UCODE_REV as an emulated MSR (bsc#1183369).
- NFC: nci: fix memory leak in nci_allocate_device (git-fixes).
- PCI/AER: Add RCEC AER error injection support (bsc#1174426).
- PCI/AER: Add pcie_walk_rcec() to RCEC AER handling (bsc#1174426).
- PCI/AER: Clear AER status from Root Port when resetting Downstream Port (bsc#1174426).
- PCI/AER: Specify the type of Port that was reset (bsc#1174426).
- PCI/AER: Use "aer" variable for capability offset (bsc#1174426).
- PCI/AER: Write AER Capability only when we control it (bsc#1174426).
- PCI/ERR: Add pci_walk_bridge() to pcie_do_recovery() (bsc#1174426).
- PCI/ERR: Add pcie_link_rcec() to associate RCiEPs (bsc#1174426).
- PCI/ERR: Avoid negated conditional for clarity (bsc#1174426).
- PCI/ERR: Bind RCEC devices to the Root Port driver (bsc#1174426).
- PCI/ERR: Bind RCEC devices to the Root Port driver (jsc#SLE-13736 jsc#SLE-14845).
- PCI/ERR: Cache RCEC EA Capability offset in pci_init_capabilities() (bsc#1174426).
- PCI/ERR: Clear AER status only when we control AER (bsc#1174426).
- PCI/ERR: Clear PCIe Device Status errors only if OS owns AER (bsc#1174426).
- PCI/ERR: Clear status of the reporting device (bsc#1174426).
- PCI/ERR: Recover from RCEC AER errors (bsc#1174426).
- PCI/ERR: Recover from RCiEP AER errors (bsc#1174426).
- PCI/ERR: Rename reset_link() to reset_subordinates() (bsc#1174426).
- PCI/ERR: Retain status from error notification (bsc#1174426).
- PCI/ERR: Simplify by computing pci_pcie_type() once (bsc#1174426).
- PCI/ERR: Simplify by using pci_upstream_bridge() (bsc#1174426).
- PCI/ERR: Use "bridge" for clarity in pcie_do_recovery() (bsc#1174426).
- PCI/PME: Add pcie_walk_rcec() to RCEC PME handling (bsc#1174426).
- PCI/RCEC: Fix RCiEP device to RCEC association (git-fixes).
- PCI/RCEC: Fix RCiEP device to RCEC association (jsc#SLE-13736 jsc#SLE-14845 git-fixes).
- PCI/portdrv: Report reset for frozen channel (bsc#1174426).
- PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse (git-fixes).
- PCI: Add function 1 DMA alias quirk for Marvell 9215 SATA controller (git-fixes).
- PCI: Allow VPD access for QLogic ISP2722 (git-fixes).
- PCI: Fix pci_register_io_range() memory leak (git-fixes).
- PCI: PM: Do not read power state in pci_enable_device_flags() (git-fixes).
- PCI: Release OF node in pci_scan_device()'s error path (git-fixes).
- PCI: designware-ep: Fix the Header Type check (git-fixes).
- PCI: dwc: Move iATU detection earlier (git-fixes).
- PCI: endpoint: Fix missing destroy_workqueue() (git-fixes).
- PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() (git-fixes).
- PCI: keystone: Let AM65 use the pci_ops defined in pcie-designware-host.c (git-fixes).
- PCI: mediatek: Add missing of_node_put() to fix reference leak (git-fixes).
- PCI: tegra: Fix ASPM-L1SS advertisement disable code (git-fixes).
- PCI: tegra: Move "dbi" accesses to post common DWC initialization (git-fixes).
- PCI: thunder: Fix compile testing (git-fixes).
- PCI: xgene-msi: Fix race in installing chained irq handler (git-fixes).
- PM / devfreq: Use more accurate returned new_freq as resume_freq (git-fixes).
- PM: EM: postpone creating the debugfs dir till fs_initcall (git-fixes).
- PM: runtime: Add documentation for pm_runtime_resume_and_get() (git-fixes).
- PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter (bsc#1183366).
- PM: runtime: Fix ordering in pm_runtime_get_suppliers() (git-fixes).
- PM: runtime: Fix ordering in pm_runtime_get_suppliers() (git-fixes).
- PM: runtime: Fix race getting/putting suppliers at probe (git-fixes).
- Platform: OLPC: Fix probe error handling (git-fixes).
- RAS/CEC: Correct ce_add_elem()'s returned values (bsc#1152489).
- RDMA/addr: create addr_wq with WQ_MEM_RECLAIM flag (bsc#1183346).
- RDMA/cm: Fix IRQ restore in ib_send_cm_sidr_rep (jsc#SLE-15176).
- RDMA/core: create ib_cm with WQ_MEM_RECLAIM flag (bsc#1183346).
- RDMA/hns: Delete redundant abnormal interrupt status (git-fixes).
- RDMA/hns: Delete redundant condition judgment related to eq (git-fixes).
- RDMA/mlx5: Fix drop packet rule in egress table (jsc#SLE-15175).
- RDMA/qedr: Fix error return code in qedr_iw_connect() (jsc#SLE-8215).
- RDMA/rtrs-clt: Close rtrs client conn before destroying rtrs clt session files (jsc#SLE-15176).
- RDMA/rtrs-clt: destroy sysfs after removing session from active list (jsc#SLE-15176).
- RDMA/srp: Fix support for unpopulated and unbalanced NUMA nodes (bsc#1169709)
- RDMA/srp: Fix support for unpopulated and unbalanced NUMA nodes (bsc#1169709)
- RDMA/srpt: Fix error return code in srpt_cm_req_recv() (git-fixes).
- Re-enable yenta socket driver for x86_64 (bsc#1186349)
- SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428).
- SUNRPC: More fixes for backlog congestion (bsc#1185428).
- USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet (git-fixes).
- USB: Add reset-resume quirk for WD19's Realtek Hub (git-fixes).
- USB: CDC-ACM: fix poison/unpoison imbalance (bsc#1184984).
- USB: CDC-ACM: fix poison/unpoison imbalance (git-fixes).
- USB: cdc-acm: downgrade message to debug (git-fixes).
- USB: cdc-acm: fix TIOCGSERIAL implementation (git-fixes).
- USB: cdc-acm: fix double free on probe failure (git-fixes).
- USB: cdc-acm: fix unprivileged TIOCCSERIAL (git-fixes).
- USB: cdc-acm: fix use-after-free after probe failure (git-fixes).
- USB: cdc-acm: untangle a circular dependency between callback and softint (git-fixes).
- USB: gadget: u_ether: Fix a configfs return code (git-fixes).
- USB: gadget: udc: fix wrong pointer passed to IS_ERR() and PTR_ERR() (git-fixes).
- USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem (git-fixes).
- USB: replace hardcode maximum usb string length by definition (git-fixes).
- USB: serial: ark3116: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: ch341: add new Product ID (git-fixes).
- USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter (git-fixes).
- USB: serial: cp210x: add some more GE USB IDs (git-fixes).
- USB: serial: f81232: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: f81534: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: fix return value for unsupported ioctls (git-fixes).
- USB: serial: io_edgeport: fix memory leak in edge_startup (git-fixes).
- USB: serial: mos7720: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: opticon: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: pl2303: add support for PL2303HXN (bsc#1186320).
- USB: serial: pl2303: fix line-speed handling on newer chips (bsc#1186320).
- USB: serial: quatech2: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: ssu100: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check (git-fixes).
- USB: serial: usb_wwan: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: usb_wwan: fix TIOCSSERIAL jiffies conversions (git-fixes).
- USB: serial: usb_wwan: fix unprivileged TIOCCSERIAL (git-fixes).
- USB: trancevibrator: fix control-request direction (git-fixes).
- USB: usblp: fix a hang in poll() if disconnected (git-fixes).
- Update config files. (bsc#1185010)
- amd/amdgpu: Disable VCN DPG mode for Picasso (git-fixes).
- amdgpu: avoid incorrect %hu format string (git-fixes).
- apparmor: Fix aa_label refcnt leak in policy_update (git-fixes).
- apparmor: check/put label on apparmor_sk_clone_security() (git-fixes).
- appletalk: Fix skb allocation size in loopback case (git-fixes).
- arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory (git-fixes).
- arm64: Add missing ISB after invalidating TLB in __primary_switch (git-fixes).
- arm64: avoid -Woverride-init warning (git-fixes).
- arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL (git-fixes).
- arm64: kdump: update ppos when reading elfcorehdr (git-fixes).
- arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails (git-fixes).
- arm64: link with -z norelro for LLD or aarch64-elf (git-fixes).
- arm64: link with -z norelro regardless of CONFIG_RELOCATABLE (git-fixes).
- arm64: make STACKPROTECTOR_PER_TASK configurable (bsc#1181862).
- arm64: ptrace: Fix seccomp of traced syscall -1 (NO_SYSCALL) (git-fixes).
- arm64: ptrace: Use NO_SYSCALL instead of -1 in syscall_trace_enter() (git-fixes).
- arm64: vdso32: make vdso32 install conditional (git-fixes).
- arm: mm: use __pfn_to_section() to get mem_section (git-fixes).
- ata: ahci: Disable SXS for Hisilicon Kunpeng920 (git-fixes).
- ata: libahci_platform: fix IRQ check (git-fixes).
- ath10k: Fix a use after free in ath10k_htc_send_bundle (git-fixes).
- ath10k: Fix ath10k_wmi_tlv_op_pull_peer_stats_info() unlock without lock (git-fixes).
- ath10k: fix wmi mgmt tx queue full due to race condition (git-fixes).
- ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr() (git-fixes).
- ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices (git-fixes).
- ath9k: fix transmitting to stations in dynamic SMPS mode (git-fixes).
- atl1c: fix error return code in atl1c_probe() (git-fixes).
- atl1e: fix error return code in atl1e_probe() (git-fixes).
- backlight: journada720: Fix Wmisleading-indentation warning (git-fixes).
- batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field (git-fixes).
- binfmt_misc: fix possible deadlock in bm_register_write (git-fixes).
- binfmt_misc: fix possible deadlock in bm_register_write (git-fixes).
- blk-iocost: ioc_pd_free() shouldn't assume irq disabled (git-fixes).
- blk-mq: Swap two calls in blk_mq_exit_queue() (git-fixes).
- blk-mq: plug request for shared sbitmap (jsc#SLE-15442 bsc#1180814 ltc#187461 git-fixes).
- blk-mq: set default elevator as deadline in case of hctx shared tagset (jsc#SLE-15442 bsc#1180814 ltc#187461 git-fixes).
- blkcg: fix memleak for iolatency (git-fixes).
- block, bfq: set next_rq to waker_bfqq->next_rq in waker injection (bsc#1168838).
- block/genhd: use atomic_t for disk_event->block (bsc#1185497).
- block: Fix three kernel-doc warnings (git-fixes).
- block: fix get_max_io_size() (git-fixes).
- block: recalculate segment count for multi-segment discards correctly (bsc#1184724).
- block: rsxx: fix error return code of rsxx_pci_probe() (git-fixes).
- block: rsxx: select CONFIG_CRC32 (git-fixes).
- bluetooth: eliminate the potential race condition when removing the HCI controller (git-fixes).
- bnxt_en: Fix RX consumer index logic in the error path (git-fixes).
- bnxt_en: Fix RX consumer index logic in the error path (git-fixes).
- bnxt_en: fix ternary sign extension bug in bnxt_show_temp() (git-fixes).
- bnxt_en: reliably allocate IRQ table on reset to avoid crash (jsc#SLE-8371 bsc#1153274).
- bnxt_en: reverse order of TX disable and carrier off (git-fixes).
- bpf, sockmap: Fix sk->prot unhash op reset (bsc#1155518).
- bpf,x64: Pad NOPs to make images converge more easily (bsc#1178163).
- bpf: Add sanity check for upper ptr_limit (bsc#1183686 bsc#1183775).
- bpf: Avoid warning when re-casting __bpf_call_base into __bpf_call_base_args (bsc#1155518).
- bpf: Declare __bpf_free_used_maps() unconditionally (bsc#1155518).
- bpf: Do not do bpf_cgroup_storage_set() for kuprobe/tp programs (bsc#1155518).
- bpf: Enforce that struct_ops programs be GPL-only (bsc#1177028).
- bpf: Fix 32 bit src register truncation on div/mod (bsc#1184170).
- bpf: Fix an unitialized value in bpf_iter (bsc#1177028).
- bpf: Fix leakage of uninitialized bpf stack under speculation (bsc#1155518).
- bpf: Fix masking negation logic upon negative dst register (bsc#1155518).
- bpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds (bsc#1177028).
- bpf: Fix verifier jsgt branch analysis on max bound (bsc#1155518).
- bpf: Refcount task stack in bpf_get_task_stack (bsc#1177028).
- bpf: Remove MTU check in __bpf_skb_max_len (bsc#1155518).
- bpf: Simplify alu_limit masking for pointer arithmetic (bsc#1183686 bsc#1183775).
- bpf: link: Refuse non-O_RDWR flags in BPF_OBJ_GET (bsc#1177028).
- bpf_lru_list: Read double-checked variable once without lock (bsc#1155518).
- brcmfmac: Add DMI nvram filename quirk for Predia Basic tablet (git-fixes).
- brcmfmac: Add DMI nvram filename quirk for Voyo winpad A15 tablet (git-fixes).
- brcmfmac: clear EAP/association status bits on linkdown events (git-fixes).
- bsg: free the request before return error code (git-fixes).
- btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root (bsc#1184217).
- btrfs: always pin deleted leaves when there are active tree mod log users (bsc#1184224).
- btrfs: fix exhaustion of the system chunk array due to concurrent allocations (bsc#1183386).
- btrfs: fix extent buffer leak on failure to copy root (bsc#1184218).
- btrfs: fix qgroup data rsv leak caused by falloc failure (bsc#1185549).
- btrfs: fix race between swap file activation and snapshot creation (bsc#1185587).
- btrfs: fix race between swap file activation and snapshot creation (bsc#1185587).
- btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441).
- btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441).
- btrfs: fix race between writes to swap files and scrub (bsc#1185586).
- btrfs: fix race between writes to swap files and scrub (bsc#1185586).
- btrfs: fix race when cloning extent buffer during rewind of an old root (bsc#1184193).
- btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439).
- btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439).
- btrfs: fix stale data exposure after cloning a hole with NO_HOLES enabled (bsc#1184220).
- btrfs: fix subvolume/snapshot deletion not triggered on mount (bsc#1184219).
- btrfs: track qgroup released data in own variable in insert_prealloc_file_extent (bsc#1185549).
- bus: fsl-mc: add the dpdbg device type (bsc#1185670).
- bus: fsl-mc: list more commands as accepted through the ioctl (bsc#1185670).
- bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD (git-fixes).
- bus: qcom: Put child node before return (git-fixes).
- bus: ti-sysc: Fix warning on unbind if reset is not deasserted (git-fixes).
- can: c_can: move runtime PM enable/disable to c_can_platform (git-fixes).
- can: c_can_pci: c_can_pci_remove(): fix use-after-free (git-fixes).
- can: flexcan: assert FRZ bit in flexcan_chip_freeze() (git-fixes).
- can: flexcan: enable RX FIFO after FRZ/HALT valid (git-fixes).
- can: flexcan: flexcan_chip_freeze(): fix chip freeze for missing bitrate (git-fixes).
- can: flexcan: invoke flexcan_chip_freeze() to enter freeze mode (git-fixes).
- can: m_can: m_can_do_rx_poll(): fix extraneous msg loss warning (git-fixes).
- can: peak_usb: Revert "can: peak_usb: add forgotten supported devices" (git-fixes).
- can: peak_usb: add forgotten supported devices (git-fixes).
- can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership (git-fixes).
- cdc-acm: fix BREAK rx code path adding necessary calls (git-fixes).
- cdc-wdm: untangle a circular dependency between callback and softint (git-fixes).
- cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom (git-fixes).
- cdrom: gdrom: initialize global variable at init time (git-fixes).
- ceph: do not clobber i_snap_caps on non-I_NEW inode (bsc#1186501).
- ceph: do not clobber i_snap_caps on non-I_NEW inode (bsc#1186501).
- ceph: fix inode leak on getattr error in __fh_to_dentry (bsc#1186501).
- ceph: fix inode leak on getattr error in __fh_to_dentry (bsc#1186501).
- ceph: fix up error handling with snapdirs (bsc#1186501).
- ceph: fix up error handling with snapdirs (bsc#1186501).
- ceph: only check pool permissions for regular files (bsc#1186501).
- ceph: only check pool permissions for regular files (bsc#1186501).
- cfg80211: remove WARN_ON() in cfg80211_sme_connect (git-fixes).
- cfg80211: scan: drop entry from hidden_list on overflow (git-fixes).
- ch_ktls: Fix kernel panic (jsc#SLE-15131).
- ch_ktls: do not send snd_una update to TCB in middle (jsc#SLE-15131).
- ch_ktls: fix device connection close (jsc#SLE-15131).
- ch_ktls: fix enum-conversion warning (jsc#SLE-15129).
- ch_ktls: tcb close causes tls connection failure (jsc#SLE-15131).
- cifs: New optype for session operations (bsc#1181507).
- cifs: Tracepoints and logs for tracing credit changes (bsc#1181507).
- cifs: change noisy error message to FYI (bsc#1181507).
- cifs: check pointer before freeing (bsc#1183534).
- cifs: do not send close in compound create+close requests (bsc#1181507).
- cifs: print MIDs in decimal notation (bsc#1181507).
- cifs: return proper error code in statfs(2) (bsc#1181507).
- cifs_debug: use %pd instead of messing with ->d_name (bsc#1181507).
- clk: exynos7: Mark aclk_fsys1_200 as critical (git-fixes).
- clk: fix invalid usage of list cursor in register (git-fixes).
- clk: fix invalid usage of list cursor in unregister (git-fixes).
- clk: mvebu: armada-37xx-periph: Fix switching CPU freq from 250 Mhz to 1 GHz (git-fixes).
- clk: mvebu: armada-37xx-periph: Fix workaround for switching from L1 to L0 (git-fixes).
- clk: mvebu: armada-37xx-periph: remove .set_parent method for CPU PM clock (git-fixes).
- clk: qcom: a53-pll: Add missing MODULE_DEVICE_TABLE (git-fixes).
- clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return (git-fixes).
- clk: socfpga: fix iomem pointer cast on 64-bit (git-fixes).
- clk: uniphier: Fix potential infinite loop (git-fixes).
- clk: zynqmp: move zynqmp_pll_set_mode out of round_rate callback (git-fixes).
- completion: Drop init_completion define (git-fixes).
- configfs: fix a use-after-free in __configfs_open_file (git-fixes).
- coresight: etm4x: Fix issues on trcseqevr access (git-fixes).
- coresight: etm4x: Fix save and restore of TRCVMIDCCTLR1 register (git-fixes).
- coresight: remove broken __exit annotations (git-fixes).
- coresight: tmc-etr: Fix barrier packet insertion for perf buffer (git-fixes).
- cpufreq: Kconfig: fix documentation links (git-fixes).
- cpufreq: armada-37xx: Fix determining base CPU frequency (git-fixes).
- cpufreq: armada-37xx: Fix driver cleanup when registration failed (git-fixes).
- cpufreq: armada-37xx: Fix setting TBG parent for load levels (git-fixes).
- cpufreq: armada-37xx: Fix the AVS value for load L1 (git-fixes).
- cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758).
- cpuidle/pseries: Fixup CEDE0 latency only for POWER10 onwards (bsc#1185550 ltc#192610).
- crypto: api - check for ERR pointers in crypto_destroy_tfm() (git-fixes).
- crypto: arm/curve25519 - Move '.fpu' after '.arch' (git-fixes).
- crypto: chelsio - Read rxchannel-id from firmware (git-fixes).
- crypto: mips/poly1305 - enable for all MIPS processors (git-fixes).
- crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (git-fixes).
- crypto: qat - Fix a double free in adf_create_ring (git-fixes).
- crypto: qat - do not release uninitialized resources (git-fixes).
- crypto: qat - fix error path in adf_isr_resource_alloc() (git-fixes).
- crypto: qat - fix unmap invalid dma address (git-fixes).
- crypto: rng - fix crypto_rng_reset() refcounting when !CRYPTO_STATS (git-fixes).
- crypto: stm32/cryp - Fix PM reference leak on stm32-cryp.c (git-fixes).
- crypto: stm32/hash - Fix PM reference leak on stm32-hash.c (git-fixes).
- crypto: tcrypt - avoid signed overflow in byte count (git-fixes).
- cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (git-fixes).
- cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (git-fixes).
- cxgb4: Fix unintentional sign extension issues (git-fixes).
- cxgb4: avoid collecting SGE_QBASE regs during traffic (git-fixes).
- dm era: Fix bitset memory leaks (git-fixes).
- dm era: Recover committed writeset after crash (git-fixes).
- dm era: Reinitialize bitset cache before digesting a new writeset (git-fixes).
- dm era: Update in-core bitset after committing the metadata (git-fixes).
- dm era: Use correct value size in equality function of writeset tree (git-fixes).
- dm era: Verify the data block size hasn't changed (git-fixes).
- dm era: only resize metadata in preresume (git-fixes).
- dm integrity: fix error reporting in bitmap mode after creation (git-fixes).
- dm ioctl: fix error return code in target_message (git-fixes).
- dm mpath: fix racey management of PG initialization (git-fixes).
- dm mpath: switch paths in dm_blk_ioctl() code path (bsc#1167574, bsc#1175995, bsc#1184485).
- dm raid: fix discard limits for raid1 (git-fixes).
- dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails (bsc#1185581).
- dm writecache: fix the maximum number of arguments (git-fixes).
- dm writecache: handle DAX to partitions on persistent memory correctly (git-fixes).
- dm writecache: remove BUG() and fail gracefully instead (git-fixes).
- dm zoned: select CONFIG_CRC32 (git-fixes).
- dm: avoid filesystem lookup in dm_get_dev_t() (git-fixes).
- dm: eliminate potential source of excessive kernel log noise (git-fixes).
- dm: fix bug with RCU locking in dm_blk_report_zones (git-fixes).
- dm: remove invalid sparse __acquires and __releases annotations (git-fixes).
- dmaengine: Fix a double free in dma_async_device_register (git-fixes).
- dmaengine: dw-edma: Fix crash on loading/unloading driver (git-fixes).
- dmaengine: dw: Make it dependent to HAS_IOMEM (git-fixes).
- dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback (git-fixes).
- dmaengine: idxd: Fix potential null dereference on pointer status (git-fixes).
- dmaengine: idxd: cleanup pci interrupt vector allocation management (git-fixes).
- dmaengine: idxd: clear MSIX permission entry on shutdown (git-fixes).
- dmaengine: idxd: fix cdev setup and free device lifetime issues (git-fixes).
- dmaengine: idxd: fix delta_rec and crc size field for completion record (git-fixes).
- dmaengine: idxd: fix dma device lifetime (git-fixes).
- dmaengine: idxd: fix opcap sysfs attribute output (git-fixes).
- dmaengine: idxd: fix wq cleanup of WQCFG registers (git-fixes).
- dmaengine: idxd: fix wq size store permission state (git-fixes).
- dmaengine: idxd: removal of pcim managed mmio mapping (git-fixes).
- docs: kernel-parameters: Add gpio_mockup_named_lines (git-fixes).
- docs: kernel-parameters: Move gpio-mockup for alphabetic order (git-fixes).
- dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom (git-fixes).
- dpaa_eth: Use random MAC address when none is given (bsc#1184811).
- dpaa_eth: copy timestamp fields to new skb in A-050385 workaround (git-fixes).
- dpaa_eth: fix the RX headroom size alignment (git-fixes).
- dpaa_eth: update the buffer layout for non-A050385 erratum scenarios (git-fixes).
- drivers: hv: Fix whitespace errors (bsc#1185725).
- drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' (git-fixes).
- drivers: video: fbcon: fix NULL dereference in fbcon_cursor() (git-fixes).
- drivers: video: fbcon: fix NULL dereference in fbcon_cursor() (git-fixes).
- drm/amd/display/dc/dce/dce_aux: Remove duplicate line causing 'field overwritten' issue (git-fixes).
- drm/amd/display: Check for DSC support instead of ASIC revision (git-fixes).
- drm/amd/display: Correct algorithm for reversed gamma (git-fixes).
- drm/amd/display: DCHUB underflow counter increasing in some scenarios (git-fixes).
- drm/amd/display: Do not optimize bandwidth before disabling planes (git-fixes).
- drm/amd/display: Fix UBSAN warning for not a valid value for type '_Bool' (git-fixes).
- drm/amd/display: Fix UBSAN: shift-out-of-bounds warning (git-fixes).
- drm/amd/display: Fix debugfs link_settings entry (git-fixes).
- drm/amd/display: Fix nested FPU context in dcn21_validate_bandwidth() (git-fixes).
- drm/amd/display: Fix off by one in hdmi_14_process_transaction() (git-fixes).
- drm/amd/display: Fix two cursor duplication when using overlay (git-fixes).
- drm/amd/display: Force vsync flip when reconfiguring MPCC (git-fixes).
- drm/amd/display: Guard against NULL pointer deref when get_i2c_info fails (git-fixes).
- drm/amd/display: Initialize attribute for hdcp_srm sysfs file (git-fixes).
- drm/amd/display: Reject non-zero src_y and src_x for video planes (git-fixes).
- drm/amd/display: Revert dram_clock_change_latency for DCN2.1 (git-fixes).
- drm/amd/display: Try YCbCr420 color when YCbCr444 fails (git-fixes).
- drm/amd/display: add handling for hdcp2 rx id list validation (git-fixes).
- drm/amd/display: changing sr exit latency (git-fixes).
- drm/amd/display: fix dml prefetch validation (git-fixes).
- drm/amd/display: fixed divide by zero kernel crash during dsc enablement (git-fixes).
- drm/amd/display: turn DPMS off on connector unplug (git-fixes).
- drm/amd/pm: fix workload mismatch on vega10 (git-fixes).
- drm/amd/powerplay: fix spelling mistake "smu_state_memroy_block" (bsc#1152489)
- drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f (git-fixes).
- drm/amdgpu/display/dm: add missing parameter documentation (git-fixes).
- drm/amdgpu/display: buffer INTERRUPT_LOW_IRQ_CONTEXT interrupt work (git-fixes).
- drm/amdgpu/display: remove redundant continue statement (git-fixes).
- drm/amdgpu/display: restore AUX_DPHY_TX_CONTROL for DCN2.x (git-fixes).
- drm/amdgpu/display: use GFP_ATOMIC in dcn21_validate_bandwidth_fp() (git-fixes).
- drm/amdgpu/swsmu: add interrupt work function (git-fixes).
- drm/amdgpu/swsmu: add interrupt work handler for smu11 parts (git-fixes).
- drm/amdgpu: Add additional Sienna Cichlid PCI ID (git-fixes).
- drm/amdgpu: Add check to prevent IH overflow (git-fixes).
- drm/amdgpu: Add mem sync flag for IB allocated by SA (git-fixes).
- drm/amdgpu: Fix GPU TLB update error when PAGE_SIZE > AMDGPU_PAGE_SIZE (git-fixes).
- drm/amdgpu: Fix some unload driver issues (git-fixes).
- drm/amdgpu: Init GFX10_ADDR_CONFIG for VCN v3 in DPG mode (git-fixes).
- drm/amdgpu: check alignment on CPU page for bo map (git-fixes).
- drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang (git-fixes).
- drm/amdgpu: fb BO should be ttm_bo_type_device (git-fixes).
- drm/amdgpu: fix NULL pointer dereference (git-fixes).
- drm/amdgpu: fix concurrent VM flushes on Vega/Navi v2 (git-fixes).
- drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings() (git-fixes).
- drm/amdgpu: fix parameter error of RREG32_PCIE() in amdgpu_regs_pcie (git-fixes).
- drm/amdgpu: mask the xgmi number of hops reported from psp to kfd (git-fixes).
- drm/amdgpu: remove unused variable from struct amdgpu_bo (git-fixes).
- drm/amdgpu: update gc golden setting for Navi12 (git-fixes).
- drm/amdgpu: update sdma golden setting for Navi12 (git-fixes).
- drm/amdkfd: Fix UBSAN shift-out-of-bounds warning (git-fixes).
- drm/amdkfd: Fix cat debugfs hang_hws file causes system crash bug (git-fixes).
- drm/amdkfd: Put ACPI table after using it (bsc#1152489)
  Backporting notes:
  * context changes
- drm/amdkfd: dqm fence memory corruption (git-fixes).
- drm/amdkfd: fix build error with AMD_IOMMU_V2=m (git-fixes).
- drm/ast: AST2500 fixups (bsc#1174416).
- drm/ast: AST2500 fixups (bsc#1174416).
- drm/ast: Add 25MHz refclk support (bsc#1174416).
- drm/ast: Add 25MHz refclk support (bsc#1174416).
- drm/ast: Add support for 1152x864 mode (bsc#1174416).
- drm/ast: Add support for 1152x864 mode (bsc#1174416).
- drm/ast: Add support for AIP200 (bsc#1174416).
- drm/ast: Add support for AIP200 (bsc#1174416).
- drm/ast: Correct mode table for AST2500 precatch (bsc#1174416).
- drm/ast: Correct mode table for AST2500 precatch (bsc#1174416).
- drm/ast: Disable VGA decoding while driver is active (bsc#1174416).
- drm/ast: Disable VGA decoding while driver is active (bsc#1174416).
- drm/ast: Disable screen on register init (bsc#1174416).
- drm/ast: Disable screen on register init (bsc#1174416).
- drm/ast: Fix P2A config detection (bsc#1174416).
- drm/ast: Fix P2A config detection (bsc#1174416).
- drm/ast: Fix invalid usage of AST_MAX_HWC_WIDTH in cursor atomic_check (git-fixes).
- drm/ast: Fix register access in non-P2A mode for DP501 (bsc#1174416).
- drm/ast: Fix register access in non-P2A mode for DP501 (bsc#1174416).
- drm/ast: Keep MISC fields when enabling VGA (bsc#1174416).
- drm/ast: Keep MISC fields when enabling VGA (bsc#1174416).
- drm/ast: drm/ast: Fix boot address for AST2500 (bsc#1174416).
- drm/ast: drm/ast: Fix boot address for AST2500 (bsc#1174416).
- drm/compat: Clear bounce structures (git-fixes).
- drm/dp_mst: Revise broadcast msg lct & lcr (git-fixes).
- drm/dp_mst: Set CLEAR_PAYLOAD_ID_TABLE as broadcast (git-fixes).
- drm/hisilicon: Fix use-after-free (git-fixes).
- drm/i915/display: fix compiler warning about array overrun (git-fixes).
- drm/i915/gt: Clear CACHE_MODE prior to clearing residuals (git-fixes).
- drm/i915/gt: Disable HiZ Raw Stall Optimization on broken gen7 (git-fixes).
- drm/i915/gvt: Fix error code in intel_gvt_init_device() (git-fixes).
- drm/i915/gvt: Set SNOOP for PAT3 on BXT/APL to workaround GPU BB hang (git-fixes).
- drm/i915/overlay: Fix active retire callback alignment (git-fixes).
- drm/i915/selftests: Fix some error codes (git-fixes).
- drm/i915: Avoid div-by-zero on gen2 (git-fixes).
- drm/i915: Fix ICL MG PHY vswing handling (git-fixes).
- drm/i915: Fix crash in auto_retire (git-fixes).
- drm/i915: Fix invalid access to ACPI _DSM objects (bsc#1184074).
- drm/i915: Hold onto an explicit ref to i915_vma_work.pinned (git-fixes).
- drm/i915: Read C0DRB3/C1DRB3 as 16 bits again (git-fixes).
- drm/i915: Wedge the GPU if command parser setup fails (git-fixes).
- drm/imx: imx-ldb: fix out of bounds array access warning (git-fixes).
- drm/ingenic: Fix non-OSD mode (git-fixes).
- drm/ingenic: Register devm action to cleanup encoders (git-fixes).
- drm/komeda: Fix bit check to import to value of proper type (git-fixes).
- drm/lima: fix reference leak in lima_pm_busy (git-fixes).
- drm/mcde/panel: Inverse misunderstood flag (git-fixes).
- drm/mediatek: Fix aal size config (bsc#1152489)
  Backporting notes:
  * replaced mtk_ddp_write() with writel()
- drm/meson: fix shutdown crash when component not probed (git-fixes).
- drm/msm/a5xx: Remove overwriting A5XX_PC_DBG_ECO_CNTL register (git-fixes).
- drm/msm/adreno: a5xx_power: Do not apply A540 lm_setup to other GPUs (git-fixes).
- drm/msm/gem: Add obj->lock wrappers (bsc#1152489)
  Backporting notes:
  * taken for 9b73bde39cf2 ("drm/msm: Fix use-after-free in msm_gem with carveout")
  * context changes
- drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal (git-fixes).
- drm/msm/mdp5: Do not multiply vclk line count by 100 (git-fixes).
- drm/msm: Fix WARN_ON() splat in _free_object() (bsc#1152489)
  Backporting notes:
  * context changes
- drm/msm: Fix a5xx/a6xx timestamps (git-fixes).
- drm/msm: Fix races managing the OOB state for timestamp vs (bsc#1152489)
  Backporting notes:
  * context changes
- drm/msm: Fix suspend/resume on i.MX5 (git-fixes).
- drm/msm: Fix use-after-free in msm_gem with carveout (bsc#1152489)
  Backporting notes:
  * context changes
- drm/msm: Ratelimit invalid-fence message (git-fixes).
- drm/msm: Set drvdata to NULL when msm_drm_init() fails (git-fixes).
- drm/msm: fix shutdown hook in case GPU components failed to bind (git-fixes).
- drm/nouveau/kms/nv50-: Get rid of bogus nouveau_conn_mode_valid() (git-fixes).
- drm/nouveau: bail out of nouveau_channel_new if channel init fails (bsc#1152489)
- drm/omap: fix misleading indentation in pixinc() (git-fixes).
- drm/panfrost: Clear MMU irqs before handling the fault (git-fixes).
- drm/panfrost: Do not corrupt the queue mutex on open/close (bsc#1152472)
  Backporting notes:
  * context changes
- drm/panfrost: Do not try to map pages that are already mapped (git-fixes).
- drm/panfrost: Fix job timeout handling (bsc#1152472)
  Backporting notes:
  * context changes
- drm/panfrost: Remove unused variables in panfrost_job_close() (bsc#1152472)
- drm/probe-helper: Check epoch counter in output_poll_execute() (git-fixes).
- drm/qxl: do not run release if qxl failed to init (git-fixes).
- drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected (git-fixes).
- drm/radeon: Avoid power table parsing memory leaks (git-fixes).
- drm/radeon: Fix a missing check bug in radeon_dp_mst_detect() (git-fixes).
- drm/radeon: Fix off-by-one power_state index heap overwrite (git-fixes).
- drm/radeon: fix AGP dependency (git-fixes).
- drm/radeon: fix copy of uninitialized variable back to userspace (git-fixes).
- drm/shmem-helper: Check for purged buffers in fault handler (git-fixes).
- drm/shmem-helper: Do not remove the offset in vm_area_struct pgoff (git-fixes).
- drm/shmem-helpers: vunmap: Do not put pages for dma-buf (git-fixes).
- drm/sun4i: tcon: fix inverted DCLK polarity (bsc#1152489)
  Backporting notes:
  * context changes
- drm/tegra: Fix reference leak when pm_runtime_get_sync() fails (git-fixes).
- drm/tegra: dc: Do not set PLL clock to 0Hz (git-fixes).
- drm/tegra: dc: Restore coupling of display controllers (git-fixes).
- drm/tegra: sor: Grab runtime PM reference across reset (git-fixes).
- drm/tilcdc: send vblank event when disabling crtc (git-fixes).
- drm/vc4: crtc: Reduce PV fifo threshold on hvs4 (git-fixes).
- drm/vc4: hdmi: Restore cec physical address on reconnect (bsc#1152472)
  Backporting notes:
  * context changes
  * change vc4_hdmi to vc4->hdmi
  * removed references to encoder->hdmi_monitor
- drm/vkms: fix misuse of WARN_ON (git-fixes).
- drm: Added orientation quirk for OneGX1 Pro (git-fixes).
- drm: meson_drv add shutdown function (git-fixes).
- drm: rcar-du: Fix PM reference leak in rcar_cmm_enable() (git-fixes).
- drm: rcar-du: Fix crash when using LVDS1 clock for CRTC (bsc#1152489)
  Backporting notes:
  * context changes
- drm: rcar-du: Fix leak of CMM platform device reference (git-fixes).
- drm: xlnx: zynqmp: fix a memset in zynqmp_dp_train() (git-fixes).
- e1000e: Fix duplicate include guard (git-fixes).
- e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 (git-fixes).
- e1000e: add rtnl_lock() to e1000_reset_task (git-fixes).
- efi: use 32-bit alignment for efi_guid_t literals (git-fixes).
- enetc: Fix reporting of h/w packet counters (git-fixes).
- enetc: Let the hardware auto-advance the taprio base-time of 0 (git-fixes).
- enetc: Workaround for MDIO register access issue (git-fixes).
- epoll: check for events when removing a timed out thread from the wait queue (git-fixes).
- ethernet/netronome/nfp: Fix a use after free in nfp_bpf_ctrl_msg_rx (git-fixes).
- ethernet: alx: fix order of calls on resume (git-fixes).
- ethernet:enic: Fix a use after free bug in enic_hard_start_xmit (git-fixes).
- ethtool: fix incorrect datatype in set_eee ops (bsc#1176447).
- ethtool: fix missing NLM_F_MULTI flag when dumping (bsc#1176447).
- ethtool: pause: make sure we init driver stats (jsc#SLE-15075).
- exec: Move would_dump into flush_old_exec (git-fixes).
- ext4: do not try to set xattr into ea_inode if value is empty (bsc#1184730).
- ext4: find old entry again if failed to rename whiteout (bsc#1184742).
- ext4: fix potential error in ext4_do_update_inode (bsc#1184731).
- ext4: fix potential htree index checksum corruption (bsc#1184728).
- extcon: Add stubs for extcon_register_notifier_all() functions (git-fixes).
- extcon: Fix error handling in extcon_dev_register (git-fixes).
- extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged (git-fixes).
- extcon: arizona: Fix various races on driver unbind (git-fixes).
- fbdev: zero-fill colormap in fbcmap.c (git-fixes).
- fbmem: add margin check to fb_check_caps() (git-fixes).
- firmware/efi: Fix a use after bug in efi_mem_reserve_persistent (git-fixes).
- firmware: arm_scpi: Prevent the ternary sign expansion bug (git-fixes).
- firmware: qcom-scm: Fix QCOM_SCM configuration (git-fixes).
- firmware: qcom_scm: Fix kernel-doc function names to match (git-fixes).
- firmware: qcom_scm: Make __qcom_scm_is_call_available() return bool (git-fixes).
- firmware: qcom_scm: Reduce locking section for __get_convention() (git-fixes).
- firmware: qcom_scm: Workaround lack of "is available" call on SC7180 (git-fixes).
- flow_dissector: fix byteorder of dissected ICMP ID (bsc#1154353).
- fnic: use scsi_host_busy_iter() to traverse commands (bsc#1179851).
- fotg210-udc: Complete OUT requests on short packets (git-fixes).
- fotg210-udc: Do not DMA more than the buffer can take (git-fixes).
- fotg210-udc: Fix DMA on EP0 for length > max packet size (git-fixes).
- fotg210-udc: Fix EP0 IN requests bigger than two packets (git-fixes).
- fotg210-udc: Mask GRP2 interrupts we do not handle (git-fixes).
- fotg210-udc: Remove a dubious condition leading to fotg210_done (git-fixes).
- fs/epoll: restore waking from ep_done_scan() (bsc#1183868).
- fs/jfs: fix potential integer overflow on shift of a int (bsc#1184741).
- fs: direct-io: fix missing sdio->boundary (bsc#1184736).
- fsl/fman: check dereferencing null pointer (git-fixes).
- fsl/fman: fix dereference null return value (git-fixes).
- fsl/fman: fix eth hash table allocation (git-fixes).
- fsl/fman: fix unreachable code (git-fixes).
- fsl/fman: reuse set_mac_address() in dtsec init() (bsc#1184811).
- fsl/fman: tolerate missing MAC address in device tree (bsc#1184811).
- fsl/fman: use 32-bit unsigned integer (git-fixes).
- ftrace/x86: Tell objtool to ignore nondeterministic ftrace stack layout (bsc#1177028).
- ftrace: Fix modify_ftrace_direct (bsc#1177028).
- ftrace: Handle commands when closing set_ftrace_filter file (git-fixes).
- fuse: fix bad inode (bsc#1184211).
- fuse: fix bad inode (bsc#1184211).
- fuse: fix live lock in fuse_iget() (bsc#1184211).
- fuse: fix live lock in fuse_iget() (bsc#1184211).
- fuse: fix write deadlock (bsc#1185573).
- fuse: verify write return (git-fixes).
- futex: Change utime parameter to be 'const ... *' (git-fixes).
- futex: Do not apply time namespace adjustment on FUTEX_LOCK_PI (bsc#1164648).
- futex: Get rid of the val2 conditional dance (git-fixes).
- futex: Make syscall entry points less convoluted (git-fixes).
- gcc-plugins: drop support for GCC <= 4.7 (bcs#1181862).
- gcc-plugins: make it possible to disable CONFIG_GCC_PLUGINS again (bcs#1181862).
- gcc-plugins: simplify GCC plugin-dev capability test (bsc#1181862).
- geneve: do not modify the shared tunnel info when PMTU triggers an ICMP reply (bsc#1176447).
- geneve: do not modify the shared tunnel info when PMTU triggers an ICMP reply (git-fixes).
- genirq/irqdomain: Do not try to free an interrupt that has no (git-fixes)
- genirq: Disable interrupts for force threaded handlers (git-fixes)
- genirq: Reduce irqdebug cacheline bouncing (bsc#1185703 ltc#192641).
- gianfar: Account for Tx PTP timestamp in the skb headroom (git-fixes).
- gianfar: Fix TX timestamping with a stacked DSA driver (git-fixes).
- gianfar: Handle error code at MAC address change (git-fixes).
- gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP (git-fixes).
- gpio: omap: Save and restore sysconfig (git-fixes).
- gpio: pca953x: Set IRQ type when handle Intel Galileo Gen 2 (git-fixes).
- gpio: sysfs: Obey valid_mask (git-fixes).
- gpio: xilinx: Correct kernel doc for xgpio_probe() (git-fixes).
- gpio: zynq: fix reference leak in zynq_gpio functions (git-fixes).
- gpiolib: Do not free if pin ranges are not defined (git-fixes).
- gpiolib: acpi: Add missing IRQF_ONESHOT (git-fixes).
- gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 (git-fixes).
- gpu/xen: Fix a use after free in xen_drm_drv_init (git-fixes).
- hrtimer: Update softirq_expires_next correctly after (git-fixes)
- hv_netvsc: Reset the RSC count if NVSP_STAT_FAIL in netvsc_receive() (git-fixes).
- hwmon: (ina3221) Fix PM usage counter unbalance in ina3221_write_enable (git-fixes).
- hwmon: (occ) Fix poll rate limiting (git-fixes).
- i2c: Add I2C_AQ_NO_REP_START adapter quirk (git-fixes).
- i2c: bail out early when RDWR parameters are wrong (git-fixes).
- i2c: cadence: add IRQ check (git-fixes).
- i2c: emev2: add IRQ check (git-fixes).
- i2c: i801: Do not generate an interrupt on bus reset (git-fixes).
- i2c: img-scb: fix reference leak when pm_runtime_get_sync fails (git-fixes).
- i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails (git-fixes).
- i2c: jz4780: add IRQ check (git-fixes).
- i2c: mlxbf: add IRQ check (git-fixes).
- i2c: omap: fix reference leak when pm_runtime_get_sync fails (git-fixes).
- i2c: rcar: faster irq code to minimize HW race condition (git-fixes).
- i2c: rcar: optimize cacheline to minimize HW race condition (git-fixes).
- i2c: s3c2410: fix possible NULL pointer deref on read message after write (git-fixes).
- i2c: sh7760: add IRQ check (git-fixes).
- i2c: sh7760: fix IRQ error path (git-fixes).
- i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E (git-fixes).
- i2c: sprd: fix reference leak when pm_runtime_get_sync fails (git-fixes).
- i2c: tegra: Add missing pm_runtime_put() (bsc#1184386).
- i2c: tegra: Check errors for both positive and negative values (bsc#1184386).
- i2c: tegra: Clean up and improve comments (bsc#1184386).
- i2c: tegra: Clean up printk messages (bsc#1184386).
- i2c: tegra: Clean up probe function (bsc#1184386).
- i2c: tegra: Clean up variable names (bsc#1184386).
- i2c: tegra: Clean up variable types (bsc#1184386).
- i2c: tegra: Clean up whitespaces, newlines and indentation (bsc#1184386).
- i2c: tegra: Create i2c_writesl_vi() to use with VI I2C for filling TX FIFO (bsc#1184386).
- i2c: tegra: Factor out error recovery from tegra_i2c_xfer_msg() (bsc#1184386).
- i2c: tegra: Factor out hardware initialization into separate function (bsc#1184386).
- i2c: tegra: Factor out packet header setup from tegra_i2c_xfer_msg() (bsc#1184386).
- i2c: tegra: Factor out register polling into separate function (bsc#1184386).
- i2c: tegra: Handle potential error of tegra_i2c_flush_fifos() (bsc#1184386).
- i2c: tegra: Improve driver module description (bsc#1184386).
- i2c: tegra: Improve formatting of variables (bsc#1184386).
- i2c: tegra: Initialize div-clk rate unconditionally (bsc#1184386).
- i2c: tegra: Make tegra_i2c_flush_fifos() usable in atomic transfer (bsc#1184386).
- i2c: tegra: Mask interrupt in tegra_i2c_issue_bus_clear() (bsc#1184386).
- i2c: tegra: Move out all device-tree parsing into tegra_i2c_parse_dt() (bsc#1184386).
- i2c: tegra: Remove "dma" variable from tegra_i2c_xfer_msg() (bsc#1184386).
- i2c: tegra: Remove error message used for devm_request_irq() failure (bsc#1184386).
- i2c: tegra: Remove i2c_dev.clk_divisor_non_hs_mode member (bsc#1184386).
- i2c: tegra: Remove likely/unlikely from the code (bsc#1184386).
- i2c: tegra: Remove outdated barrier() (bsc#1184386).
- i2c: tegra: Remove redundant check in tegra_i2c_issue_bus_clear() (bsc#1184386).
- i2c: tegra: Rename wait/poll functions (bsc#1184386).
- i2c: tegra: Reorder location of functions in the code (bsc#1184386).
- i2c: tegra: Runtime PM always available on Tegra (bsc#1184386).
- i2c: tegra: Use clk-bulk helpers (bsc#1184386).
- i2c: tegra: Use devm_platform_get_and_ioremap_resource() (bsc#1184386).
- i2c: tegra: Use platform_get_irq() (bsc#1184386).
- i2c: tegra: Use reset_control_reset() (bsc#1184386).
- i2c: tegra: Use threaded interrupt (bsc#1184386).
- i2c: tegra: Wait for config load atomically while in ISR (bsc#1184386).
- i40e: Add zero-initialization of AQ command structures (git-fixes).
- i40e: Added Asym_Pause to supported link modes (git-fixes).
- i40e: Fix PHY type identifiers for 2.5G and 5G adapters (git-fixes).
- i40e: Fix add TC filter for IPv6 (git-fixes).
- i40e: Fix addition of RX filters after enabling FW LLDP agent (git-fixes).
- i40e: Fix display statistics for veb_tc (git-fixes).
- i40e: Fix endianness conversions (git-fixes).
- i40e: Fix flow for IPv6 next header (extension header) (git-fixes).
- i40e: Fix kernel oops when i40e driver removes VF's (git-fixes).
- i40e: Fix overwriting flow control settings during driver loading (git-fixes).
- i40e: Fix parameters in aq_get_phy_register() (jsc#SLE-8025).
- i40e: Fix sparse error: 'vsi->netdev' could be null (jsc#SLE-8025).
- i40e: Fix sparse error: uninitialized symbol 'ring' (jsc#SLE-13701).
- i40e: Fix sparse errors in i40e_txrx.c (git-fixes).
- i40e: Fix sparse errors in i40e_txrx.c (git-fixes).
- i40e: Fix sparse warning: missing error code 'err' (git-fixes).
- i40e: Fix use-after-free in i40e_client_subtask() (git-fixes).
- i40e: fix broken XDP support (git-fixes).
- i40e: fix the panic when running bpf in xdpdrv mode (git-fixes).
- i40e: fix the restart auto-negotiation after FEC modified (git-fixes).
- i915/perf: Start hrtimer only if sampling the OA buffer (git-fixes).
- iavf: Fix incorrect adapter get in iavf_resume (git-fixes).
- iavf: use generic power management (git-fixes).
- ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043).
- ibmvfc: Handle move login failure (bsc#1185938 ltc#192043).
- ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).
- ibmvnic: add comments for spinlock_t definitions (bsc#1183871 ltc#192139).
- ibmvnic: avoid calling napi_disable() twice (bsc#1065729).
- ibmvnic: avoid multiple line dereference (bsc#1183871 ltc#192139).
- ibmvnic: clean up the remaining debugfs data structures (bsc#1065729).
- ibmvnic: correctly use dev_consume/free_skb_irq (jsc#SLE-17268 jsc#SLE-17043 bsc#1179243 ltc#189290 git-fixes).
- ibmvnic: fix block comments (bsc#1183871 ltc#192139).
- ibmvnic: fix braces (bsc#1183871 ltc#192139).
- ibmvnic: fix miscellaneous checks (bsc#1183871 ltc#192139).
- ibmvnic: improve failover sysfs entry (bsc#1043990 ltc#155681 git-fixes).
- ibmvnic: merge do_change_param_reset into do_reset (bsc#1183871 ltc#192139).
- ibmvnic: prefer 'unsigned long' over 'unsigned long int' (bsc#1183871 ltc#192139).
- ibmvnic: prefer strscpy over strlcpy (bsc#1183871 ltc#192139).
- ibmvnic: print adapter state as a string (bsc#1152457 ltc#174432 git-fixes).
- ibmvnic: print reset reason as a string (bsc#1152457 ltc#174432 git-fixes).
- ibmvnic: queue reset work in system_long_wq (bsc#1152457 ltc#174432 git-fixes).
- ibmvnic: remove default label from to_string switch (bsc#1152457 ltc#174432 git-fixes).
- ibmvnic: remove duplicate napi_schedule call in do_reset function (bsc#1065729).
- ibmvnic: remove duplicate napi_schedule call in open function (bsc#1065729).
- ibmvnic: remove unnecessary rmb() inside ibmvnic_poll (bsc#1183871 ltc#192139).
- ibmvnic: remove unused spinlock_t stats_lock definition (bsc#1183871 ltc#192139).
- ibmvnic: rework to ensure SCRQ entry reads are properly ordered (bsc#1183871 ltc#192139).
- ice: Account for port VLAN in VF max packet size calculation (git-fixes).
- ice: Account for port VLAN in VF max packet size calculation (git-fixes).
- ice: Cleanup fltr list in case of allocation issues (git-fixes).
- ice: Continue probe on link/PHY errors (jsc#SLE-12878).
- ice: Fix for dereference of NULL pointer (git-fixes).
- ice: Increase control queue timeout (git-fixes).
- ice: Use port number instead of PF ID for WoL (jsc#SLE-12878).
- ice: fix memory allocation call (jsc#SLE-12878).
- ice: fix memory leak if register_netdev_fails (git-fixes).
- ice: fix memory leak in ice_vsi_setup (git-fixes).
- ice: fix memory leak of aRFS after resuming from suspend (jsc#SLE-12878).
- ice: prevent ice_open and ice_stop during reset (git-fixes).
- ice: remove DCBNL_DEVRESET bit from PF state (jsc#SLE-7926).
- ics932s401: fix broken handling of errors when word reading fails (git-fixes).
- igb: Fix duplicate include guard (git-fixes).
- igb: XDP extack message on error (jsc#SLE-13536).
- igb: XDP xmit back fix error code (jsc#SLE-13536).
- igb: avoid premature Rx buffer reuse (jsc#SLE-13536).
- igb: avoid transmit queue timeout in xdp path (jsc#SLE-13536).
- igb: check timestamp validity (git-fixes).
- igb: skb add metasize for xdp (jsc#SLE-13536).
- igb: take VLAN double header into account (jsc#SLE-13536).
- igb: use xdp_do_flush (jsc#SLE-13536).
- igc: Fix Pause Frame Advertising (git-fixes).
- igc: Fix Supported Pause Frame Link Setting (git-fixes).
- igc: Fix igc_ptp_rx_pktstamp() (bsc#1160634).
- igc: Fix igc_ptp_rx_pktstamp() (bsc#1160634).
- igc: reinit_locked() should be called with rtnl_lock (git-fixes).
- igc: reinit_locked() should be called with rtnl_lock (git-fixes).
- iio: adc: ad7124: Fix missbalanced regulator enable / disable on error (git-fixes).
- iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers (git-fixes).
- iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp() (git-fixes).
- iio: adc: ad7793: Add missing error code in ad7793_setup() (git-fixes).
- iio: adc: ad7949: fix wrong ADC result due to incorrect bit mask (git-fixes).
- iio: adis16400: Fix an error code in adis16400_initial_setup() (git-fixes).
- iio: gyro: fxas21002c: balance runtime power in error path (git-fixes).
- iio: gyro: mpu3050: Fix error handling in mpu3050_trigger_handler (git-fixes).
- iio: gyro: mpu3050: Fix reported temperature value (git-fixes).
- iio: hid-sensor-humidity: Fix alignment issue of timestamp channel (git-fixes).
- iio: hid-sensor-prox: Fix scale not correct issue (git-fixes).
- iio: hid-sensor-temperature: Fix issues of timestamp channel (git-fixes).
- iio: proximity: pulsedlight: Fix rumtime PM imbalance on error (git-fixes).
- iio: tsl2583: Fix division by a zero lux_val (git-fixes).
- iio:accel:adis16201: Fix wrong axis assignment that prevents loading (git-fixes).
- iio:adc:qcom-spmi-vadc: add default scale to LR_MUX2_BAT_ID channel (git-fixes).
- ima: Free IMA measurement buffer after kexec syscall (git-fixes).
- include/linux/sched/mm.h: use rcu_dereference in in_vfork() (git-fixes).
- intel_th: Consistency and off-by-one fix (git-fixes).
- intel_th: pci: Add Alder Lake-M support (git-fixes).
- intel_th: pci: Add Rocket Lake CPU support (git-fixes).
- interconnect: core: fix error return code of icc_link_destroy() (git-fixes).
- iommu/amd: Add support for map/unmap_resource (jsc#ECO-3482).
- iommu/amd: Fix sleeping in atomic in increase_address_space() (bsc#1183277).
- iommu/amd: Fix sleeping in atomic in increase_address_space() (bsc#1183310).
- iommu/intel: Fix memleak in intel_irq_remapping_alloc (bsc#1183278).
- iommu/intel: Fix memleak in intel_irq_remapping_alloc (bsc#1183312).
- iommu/qcom: add missing put_device() call in qcom_iommu_of_xlate() (bsc#1183313).
- iommu/qcom: add missing put_device() call in qcom_iommu_of_xlate() (bsc#1183637).
- iommu/vt-d: Add get_domain_info() helper (bsc#1183279).
- iommu/vt-d: Avoid panic if iommu init fails in tboot system (bsc#1183280).
- iommu/vt-d: Avoid panic if iommu init fails in tboot system (bsc#1183315).
- iommu/vt-d: Correctly check addr alignment in qi_flush_dev_iotlb_pasid() (bsc#1183281).
- iommu/vt-d: Correctly check addr alignment in qi_flush_dev_iotlb_pasid() (bsc#1183316).
- iommu/vt-d: Do not use flush-queue when caching-mode is on (bsc#1183282).
- iommu/vt-d: Do not use flush-queue when caching-mode is on (bsc#1183317).
- iommu/vt-d: Fix general protection fault in aux_detach_device() (bsc#1183283).
- iommu/vt-d: Fix general protection fault in aux_detach_device() (bsc#1183318).
- iommu/vt-d: Fix ineffective devTLB invalidation for subdevices (bsc#1183284).
- iommu/vt-d: Fix ineffective devTLB invalidation for subdevices (bsc#1183319).
- iommu/vt-d: Fix status code for Allocate/Free PASID command (bsc#1183320).
- iommu/vt-d: Fix unaligned addresses for intel_flush_svm_range_dev() (bsc#1183285).
- iommu/vt-d: Fix unaligned addresses for intel_flush_svm_range_dev() (bsc#1183321).
- iommu/vt-d: Move intel_iommu info from struct intel_svm to struct intel_svm_dev (bsc#1183286).
- iommu/vt-d: Move intel_iommu info from struct intel_svm to struct intel_svm_dev (bsc#1183322).
- iommu/vt-d: Use device numa domain if RHSA is missing (bsc#1184585).
- iommu: Check dev->iommu in dev_iommu_priv_get() before dereferencing it (bsc#1183311).
- iommu: Switch gather->end to the inclusive end (bsc#1183314).
- ionic: linearize tso skb with too many frags (bsc#1167773).
- ionic: linearize tso skb with too many frags (bsc#1167773).
- iopoll: introduce read_poll_timeout macro (git-fixes).
- ipc/mqueue, msg, sem: Avoid relying on a stack reference past its expiry (bsc#1185988).
- ipmi/watchdog: Stop watchdog timer when the current action is 'none' (bsc#1184855).
- ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() (git-fixes).
- irqchip/ls-extirq: Add LS1043A, LS1088A external interrupt support (bsc#1184264).
- irqchip/ls-extirq: Add LS1043A, LS1088A external interrupt support (bsc#1185233).
- irqchip/ls-extirq: add IRQCHIP_SKIP_SET_WAKE to the irqchip flags (bsc#1184264).
- irqchip/ls-extirq: add IRQCHIP_SKIP_SET_WAKE to the irqchip flags (bsc#1185233).
- irqchip: Add support for Layerscape external interrupt lines (bsc#1185233).
- isofs: release buffer head before return (bsc#1182613).
- iwlwifi: add support for Qu with AX201 device (git-fixes).
- iwlwifi: pcie: make cfg vs. trans_cfg more robust (git-fixes).
- ixgbe: fail to create xfrm offload of IPsec tunnel mode SA (git-fixes).
- ixgbe: fix unbalanced device enable/disable in suspend/resume (jsc#SLE-13706).
- jffs2: fix use after free in jffs2_sum_write_data() (bsc#1184740).
- kABI: Fix kABI caused by fixes for bsc#1174426 (bsc#1174426).
- kABI: cover up change in struct kvm_arch (bsc#1184969).
- kABI: powerpc/pmem: Include pmem prototypes (bsc#1113295 git-fixes).
- kABI: powerpc/pseries: Add shutdown() to vio_driver and vio_bus (bsc#1184209 ltc#190917).
- kABI: repair after "nVMX: Properly handle userspace interrupt window request"
- kbuild: Fail if gold linker is detected (bcs#1181862).
- kbuild: add dummy toolchains to enable all cc-option etc. in Kconfig (bcs#1181862).
- kbuild: change *FLAGS_<basetarget>.o to take the path relative to $(obj) (bcs#1181862).
- kbuild: dummy-tools, fix inverted tests for gcc (bcs#1181862).
- kbuild: dummy-tools, support MPROFILE_KERNEL checks for ppc (bsc#1181862).
- kbuild: improve cc-option to clean up all temporary files (bsc#1178330).
- kbuild: include scripts/Makefile.* only when relevant CONFIG is enabled (bcs#1181862).
- kbuild: simplify GCC_PLUGINS enablement in dummy-tools/gcc (bcs#1181862).
- kbuild: stop filtering out $(GCC_PLUGINS_CFLAGS) from cc-option base (bcs#1181862).
- kbuild: use -S instead of -E for precise cc-option test in Kconfig (bsc#1178330).
- kconfig: introduce m32-flag and m64-flag (bcs#1181862).
- kernel-docs.spec.in: Build using an utf-8 locale. Sphinx cannot handle UTF-8 input in non-UTF-8 locale.
- kernel/smp: make csdlock timeout depend on boot parameter (bsc#1180846).
- kvm: svm: Update svm_xsaves_supported (jsc#SLE-13573).
- kvm: x86: Enumerate support for CLZERO instruction (jsc#SLE-13573).
- leds: lp5523: check return value of lp5xx_read and jump to cleanup code (git-fixes).
- lib/syscall: fix syscall registers retrieval on 32-bit platforms (git-fixes).
- libbpf: Add explicit padding to bpf_xdp_set_link_opts (bsc#1177028).
- libbpf: Add explicit padding to btf_dump_emit_type_decl_opts (bsc#1177028).
- libbpf: Clear map_info before each bpf_obj_get_info_by_fd (bsc#1155518).
- libbpf: Fix BTF dump of pointer-to-array-of-struct (bsc#1155518).
- libbpf: Fix INSTALL flag order (bsc#1155518).
- libbpf: Fix bail out from 'ringbuf_process_ring()' on error (bsc#1177028).
- libbpf: Fix error path in bpf_object__elf_init() (bsc#1177028).
- libbpf: Fix signed overflow in ringbuf_process_ring (bsc#1177028).
- libbpf: Initialize the bpf_seq_printf parameters array field by field (bsc#1177028).
- libbpf: Only create rx and tx XDP rings when necessary (bsc#1155518).
- libbpf: Use SOCK_CLOEXEC when opening the netlink socket (bsc#1155518).
- libnvdimm/label: Return -ENXIO for no slot in __blk_label_update (bsc#1185269).
- libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels (bsc#1185269).
- libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC (bsc#1184969 git-fixes).
- libnvdimm/security: ensure sysfs poll thread woke up and fetch updated attr (git-fixes).
- liquidio: Fix unintented sign extension of a left shift of a u16 (git-fixes).
- locking/mutex: Fix non debug version of mutex_lock_io_nested() (git-fixes).
- locking/qrwlock: Fix ordering in queued_write_lock_slowpath() (bsc#1185041).
- lpfc: Decouple port_template and vport_template (bsc#185032).
- mISDN: fix crash in fritzpci (git-fixes).
- mac80211: Allow HE operation to be longer than expected (git-fixes).
- mac80211: bail out if cipher schemes are invalid (git-fixes).
- mac80211: choose first enabled channel for monitor (git-fixes).
- mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN (git-fixes).
- mac80211: clear the beacon's CRC after channel switch (git-fixes).
- mac80211: fix TXQ AC confusion (git-fixes).
- mac80211: fix double free in ibss_leave (git-fixes).
- mac80211: fix rate mask reset (git-fixes).
- macvlan: macvlan_count_rx() needs to be aware of preemption (git-fixes).
- md-cluster: fix use-after-free issue when removing rdev (bsc#1184082).
- md/raid1: properly indicate failure when ending a failed write request (bsc#1185680).
- md: do not flush workqueue unconditionally in md_open (bsc#1184081).
- md: factor out a mddev_find_locked helper from mddev_find (bsc#1184081).
- md: md_open returns -EBUSY when entering racing area (bsc#1184081).
- md: split mddev_find (bsc#1184081).
- mdio: fix mdio-thunder.c dependency & build error (git-fixes).
- media: adv7604: fix possible use-after-free in adv76xx_remove() (git-fixes).
- media: cros-ec-cec: do not bail on device_init_wakeup failure (git-fixes).
- media: cx23885: add more quirks for reset DMA on some AMD IOMMU (git-fixes).
- media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB (git-fixes).
- media: dvb-usb: fix memory leak in dvb_usb_adapter_init (git-fixes).
- media: dvbdev: Fix memory leak in dvb_media_device_free() (git-fixes).
- media: em28xx: fix memory leak (git-fixes).
- media: gspca/sq905.c: fix uninitialized variable (git-fixes).
- media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() (git-fixes).
- media: i2c: adv7842: fix possible use-after-free in adv7842_remove() (git-fixes).
- media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove() (git-fixes).
- media: imx: capture: Return -EPIPE from __capture_legacy_try_fmt() (git-fixes).
- media: ite-cir: check for receive overflow (git-fixes).
- media: m88rs6000t: avoid potential out-of-bounds reads on arrays (git-fixes).
- media: mantis: remove orphan mantis_core.c (git-fixes).
- media: mceusb: sanity check for prescaler value (git-fixes).
- media: media/saa7164: fix saa7164_encoder_register() memory leak bugs (git-fixes).
- media: omap4iss: return error code when omap4iss_get() failed (git-fixes).
- media: platform: sti: Fix runtime PM imbalance in regs_show (git-fixes).
- media: platform: sunxi: sun6i-csi: fix error return code of sun6i_video_start_streaming() (git-fixes).
- media: rc: compile rc-cec.c into rc-core (git-fixes).
- media: saa7134: use sg_dma_len when building pgtable (git-fixes).
- media: saa7146: use sg_dma_len when building pgtable (git-fixes).
- media: staging/intel-ipu3: Fix memory leak in imu_fmt (git-fixes).
- media: staging/intel-ipu3: Fix race condition during set_fmt (git-fixes).
- media: staging/intel-ipu3: Fix set_fmt error handling (git-fixes).
- media: tc358743: fix possible use-after-free in tc358743_remove() (git-fixes).
- media: usbtv: Fix deadlock on suspend (git-fixes).
- media: uvcvideo: Allow entities with no pads (git-fixes).
- media: v4l2-ctrls.c: fix race condition in hdl->requests list (git-fixes).
- media: v4l2-ctrls.c: fix shift-out-of-bounds in std_validate (git-fixes).
- media: v4l: vsp1: Fix bru null pointer access (git-fixes).
- media: v4l: vsp1: Fix uif null pointer access (git-fixes).
- media: vicodec: add missing v4l2_ctrl_request_hdl_put() (git-fixes).
- memory: gpmc: fix out of bounds read and dereference on gpmc_cs[] (git-fixes).
- memory: mtk-smi: Fix PM usage counter unbalance in mtk_smi ops (bsc#1183325).
- memory: pl353: fix mask of ECC page_size config register (git-fixes).
- mfd: arizona: Fix rumtime PM imbalance on error (git-fixes).
- mfd: intel_pmt: Fix nuisance messages and handling of disabled capabilities (git-fixes).
- mfd: lpc_sch: Partially revert "Add support for Intel Quark X1000" (git-fixes).
- mfd: stm32-timers: Avoid clearing auto reload register (git-fixes).
- misc/pvpanic: Export module FDT device table (git-fixes).
- misc/uss720: fix memory leak in uss720_probe (git-fixes).
- misc: eeprom_93xx46: Add quirk to support Microchip 93LC46B eeprom (git-fixes).
- misc: fastrpc: restrict user apps from sending kernel RPC messages (git-fixes).
- misc: lis3lv02d: Fix false-positive WARN on various HP models (git-fixes).
- misc: vmw_vmci: explicitly initialize vmci_datagram payload (git-fixes).
- misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct (git-fixes).
- mlxsw: spectrum_mr: Update egress RIF list before route's action (git-fixes).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (bsc#1168777).
- mm/rmap: fix potential pte_unmap on an not mapped pte (git-fixes).
- mm: hugetlbfs: fix cannot migrate the fallocated HugeTLB page (git-fixes).
- mm: memcontrol: fix cpuhotplug statistics flushing (bsc#1185606).
- mmc: block: Update ext_csd.cache_ctrl if it was written (git-fixes).
- mmc: core: Correct descriptions in mmc_of_parse() (git-fixes).
- mmc: core: Do a power cycle when the CMD11 fails (git-fixes).
- mmc: core: Fix partition switch time for eMMC (git-fixes).
- mmc: core: Set read only for SD cards with permanent write protect bit (git-fixes).
- mmc: cqhci: Add cqhci_deactivate() (git-fixes).
- mmc: cqhci: Fix random crash when remove mmc module/card (git-fixes).
- mmc: mmc_spi: Drop unused NO_IRQ definition (git-fixes).
- mmc: mxs-mmc: Fix a resource leak in an error handling path in 'mxs_mmc_probe()' (git-fixes).
- mmc: sdhci-iproc: Cap min clock frequency on BCM2711 (bsc#1186009)
- mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711 (bsc#1186009)
- mmc: sdhci-of-arasan: Add missed checks for devm_clk_register() (git-fixes).
- mmc: sdhci-of-dwcmshc: fix rpmb access (git-fixes).
- mmc: sdhci-of-dwcmshc: implement specific set_uhs_signaling (git-fixes).
- mmc: sdhci-of-dwcmshc: set SDHCI_QUIRK2_PRESET_VALUE_BROKEN (git-fixes).
- mmc: sdhci-of-esdhc: make sure delay chain locked for HS400 (git-fixes).
- mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes).
- mmc: sdhci-pci-gli: increase 1.8V regulator wait (git-fixes).
- mmc: sdhci-pci: Add PCI IDs for Intel LKF (git-fixes).
- mmc: sdhci-pci: Fix SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers (git-fixes).
- mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers (git-fixes).
- mmc: sdhci: Check for reset prior to DMA address unmap (git-fixes).
- mmc: sdhci: Use Auto CMD Auto Select only when v4_mode is true (git-fixes).
- mmc: uniphier-sd: Fix a resource leak in the remove function (git-fixes).
- mmc: uniphier-sd: Fix an error handling path in uniphier_sd_probe() (git-fixes).
- mount: fix mounting of detached mounts onto targets that reside on shared mounts (git-fixes).
- mt7601u: fix always true expression (git-fixes).
- mt76: dma: do not report truncated frames to mac80211 (git-fixes).
- mt76: mt7615: fix entering driver-own state on mt7663 (git-fixes).
- mt76: mt7615: support loading EEPROM for MT7613BE (git-fixes).
- mt76: mt76x0: disable GTK offloading (git-fixes).
- mt76: mt7915: fix aggr len debugfs node (git-fixes).
- mt76: mt7915: fix txpower init for TSSI off chips (git-fixes).
- mtd: Handle possible -EPROBE_DEFER from parse_mtd_partitions() (git-fixes).
- mtd: rawnand: atmel: Update ecc_stats.corrected counter (git-fixes).
- mtd: rawnand: brcmnand: fix OOB R/W with Hamming ECC (git-fixes).
- mtd: rawnand: fsmc: Fix error code in fsmc_nand_probe() (git-fixes).
- mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init (git-fixes).
- mtd: rawnand: qcom: Return actual error code instead of -ENODEV (git-fixes).
- mtd: require write permissions for locking and badblock ioctls (git-fixes).
- mtd: spi-nor: Rename "n25q512a" to "mt25qu512a (n25q512a)" (bsc#1167260).
- mtd: spi-nor: Split mt25qu512a (n25q512a) entry into two (bsc#1167260).
- mtd: spinand: core: add missing MODULE_DEVICE_TABLE() (git-fixes).
- mwifiex: pcie: skip cancel_work_sync() on reset failure path (git-fixes).
- nbd: fix a block_device refcount leak in nbd_release (git-fixes).
- net, xdp: Update pkt_type if generic XDP changes unicast MAC (git-fixes).
- net/mlx4_core: Add missed mlx4_free_cmd_mailbox() (git-fixes).
- net/mlx4_en: update moderation when config reset (git-fixes).
- net/mlx5: Add back multicast stats for uplink representor (jsc#SLE-15172).
- net/mlx5: Delete extra dump stack that gives nothing (git-fixes).
- net/mlx5: Do not request more than supported EQs (git-fixes).
- net/mlx5: Fix PPLM register mapping (jsc#SLE-8464).
- net/mlx5: Fix bit-wise and with zero (jsc#SLE-15172).
- net/mlx5: Fix health error state handling (bsc#1186467).
- net/mlx5e: Allow to match on MPLS parameters only for MPLS over UDP (jsc#SLE-15172).
- net/mlx5e: Do not match on Geneve options in case option masks are all zero (git-fixes).
- net/mlx5e: E-switch, Fix rate calculation division (jsc#SLE-8464).
- net/mlx5e: Fix error path for ethtool set-priv-flag (git-fixes).
- net/mlx5e: Fix ethtool indication of connector type (git-fixes).
- net/mlx5e: Fix setting of RS FEC mode (jsc#SLE-15172).
- net/mlx5e: Offload tuple rewrite for non-CT flows (jsc#SLE-15172).
- net/mlx5e: RX, Mind the MPWQE gaps when calculating offsets (jsc#SLE-15172).
- net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta (jsc#SLE-8464).
- net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template (git-fixes).
- net/sched: act_ct: fix wild memory access when clearing fragments (bsc#1176447).
- net: arc_emac: Fix memleak in arc_mdio_probe (git-fixes).
- net: atheros: switch from 'pci_' to 'dma_' API (git-fixes).
- net: atlantic: fix out of range usage of active_vlans array (git-fixes).
- net: atlantic: fix potential error handling (git-fixes).
- net: atlantic: fix use after free kasan warn (git-fixes).
- net: b44: fix error return code in b44_init_one() (git-fixes).
- net: bonding: fix error return code of bond_neigh_init() (bsc#1154353).
- net: cdc-phonet: fix data-interface release on probe failure (git-fixes).
- net: cls_api: Fix uninitialised struct field bo->unlocked_driver_cb (bsc#1176447).
- net: dsa: felix: implement port flushing on .phylink_mac_link_down (git-fixes).
- net: dsa: rtl8366: Fix VLAN semantics (git-fixes).
- net: dsa: rtl8366: Fix VLAN set-up (git-fixes).
- net: dsa: rtl8366rb: Support all 4096 VLANs (git-fixes).
- net: enetc: allow hardware timestamping on TX queues with tc-etf enabled (git-fixes).
- net: enetc: do not disable VLAN filtering in IFF_PROMISC mode (git-fixes).
- net: enetc: fix link error again (git-fixes).
- net: enetc: remove bogus write to SIRXIDR from enetc_setup_rxbdr (git-fixes).
- net: enetc: take the MDIO lock only once per NAPI poll cycle (git-fixes).
- net: enic: Cure the enic api locking trainwreck (git-fixes).
- net: ethernet: aquantia: Fix wrong return value (git-fixes).
- net: ethernet: cavium: octeon_mgmt: use phy_start and phy_stop (git-fixes).
- net: ethernet: ibm: ibmvnic: Fix some kernel-doc misdemeanours (bsc#1183871 ltc#192139).
- net: ethernet: ti: cpsw: fix clean up of vlan mc entries for host port (git-fixes).
- net: ethernet: ti: cpsw: fix error return code in cpsw_probe() (git-fixes).
- net: fec: Fix PHY init after phy_reset_after_clk_enable() (git-fixes).
- net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() (git-fixes).
- net: fec: Fix reference count leak in fec series ops (git-fixes).
- net: gemini: Fix another missing clk_disable_unprepare() in probe (git-fixes).
- net: gemini: Fix missing free_netdev() in error path of gemini_ethernet_port_probe() (git-fixes).
- net: geneve: check skb is large enough for IPv4/IPv6 header (git-fixes).
- net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb (git-fixes).
- net: gianfar: Add of_node_put() before goto statement (git-fixes).
- net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device (git-fixes).
- net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling ether_setup (git-fixes).
- net: hns3: Fix for geneve tx checksum bug (git-fixes).
- net: hns3: Remove the left over redundant check & assignment (bsc#1154353).
- net: hns3: Remove un-necessary 'else-if' in the hclge_reset_event() (git-fixes).
- net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() (git-fixes).
- net: hns3: clear VF down state bit before request link status (git-fixes).
- net: hns3: clear unnecessary reset request in hclge_reset_rebuild (git-fixes).
- net: hns3: disable phy loopback setting in hclge_mac_start_phy (git-fixes).
- net: hns3: fix bug when calculating the TCAM table info (git-fixes).
- net: hns3: fix for vxlan gpe tx checksum bug (git-fixes).
- net: hns3: fix incorrect configuration for igu_egu_hw_err (git-fixes).
- net: hns3: fix query vlan mask value error for flow director (git-fixes).
- net: hns3: initialize the message content in hclge_get_link_mode() (git-fixes).
- net: hns3: use netif_tx_disable to stop the transmit queue (git-fixes).
- net: korina: cast KSEG0 address to pointer in kfree (git-fixes).
- net: korina: fix kfree of rx/tx descriptor array (git-fixes).
- net: lantiq: Wait for the GPHY firmware to be ready (git-fixes).
- net: ll_temac: Add more error handling of dma_map_single() calls (git-fixes).
- net: ll_temac: Fix RX buffer descriptor handling on GFP_ATOMIC pressure (git-fixes).
- net: ll_temac: Fix race condition causing TX hang (git-fixes).
- net: ll_temac: Handle DMA halt condition caused by buffer underrun (git-fixes).
- net: mvneta: fix double free of txq->buf (git-fixes).
- net: mvneta: make tx buffer array agnostic (git-fixes).
- net: pasemi: fix error return code in pasemi_mac_open() (git-fixes).
- net: phy: broadcom: Only advertise EEE for supported modes (git-fixes).
- net: phy: intel-xway: enable integrated led functions (git-fixes).
- net: phy: marvell: fix m88e1011_set_downshift (git-fixes).
- net: phy: marvell: fix m88e1111_set_downshift (git-fixes).
- net: qcom/emac: add missed clk_disable_unprepare in error path of emac_clks_phase1_init (git-fixes).
- net: qualcomm: rmnet: Fix incorrect receive packet handling during cleanup (git-fixes).
- net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405)
- net: smc911x: Adjust indentation in smc911x_phy_configure (git-fixes).
- net: spider_net: Fix the size used in a 'dma_free_coherent()' call (git-fixes).
- net: stmmac: Fix incorrect location to set real_num_rx|tx_queues (git-fixes).
- net: stmmac: Use rtnl_lock/unlock on netif_set_real_num_rx_queues() call (git-fixes).
- net: stmmac: fix missing IFF_MULTICAST check in dwmac4_set_filter (git-fixes).
- net: stmmac: removed enabling eee in EEE set callback (git-fixes).
- net: stmmac: use netif_tx_start|stop_all_queues() function (git-fixes).
- net: stmmac: xgmac: fix missing IFF_MULTICAST checki in dwxgmac2_set_filter (git-fixes).
- net: thunderx: Fix unintentional sign extension issue (git-fixes).
- net: tulip: Adjust indentation in {dmfe, uli526x}_init_module (git-fixes).
- net: usb: ax88179_178a: fix missing stop entry in driver_info (git-fixes).
- net: usb: fix memory leak in smsc75xx_bind (git-fixes).
- net: usb: qmi_wwan: allow qmimux add/del with master up (git-fixes).
- net: usb: qmi_wwan: support ZTE P685M modem (git-fixes).
- net: wan/lmc: unregister device when no matching device is found (git-fixes).
- net:nfc:digital: Fix a double free in digital_tg_recv_dep_req (git-fixes).
- netdevice: Add missing IFF_PHONY_HEADROOM self-definition (git-fixes).
- netdevsim: init u64 stats for 32bit hardware (git-fixes).
- netfilter: conntrack: Make global sysctls readonly in non-init netns (bsc#1176447).
- netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950).
- netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950).
- netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950).
- netfilter: flowtable: Make sure GC works periodically in idle system (bsc#1176447).
- netfilter: flowtable: fix NAT IPv6 offload mangling (bsc#1176447).
- netfilter: nftables: allow to update flowtable flags (bsc#1176447).
- netfilter: nftables: report EOPNOTSUPP on unsupported flowtable flags (bsc#1176447).
- netsec: restore phy power state after controller reset (bsc#1183757).
- nfc: pn533: prevent potential memory corruption (git-fixes).
- nfp: devlink: initialize the devlink port attribute "lanes" (bsc#1176447).
- nfp: flower: add ipv6 bit to pre_tunnel control message (bsc#1176447).
- nfp: flower: fix pre_tun mask id allocation (bsc#1154353).
- nfp: flower: ignore duplicate merge hints from FW (git-fixes).
- node: fix device cleanups in error handling code (git-fixes).
- null_blk: fix passing of REQ_FUA flag in null_handle_rq (git-fixes).
- nvme-core: add cancel tagset helpers (bsc#1183976).
- nvme-fabrics: decode host pathing error for connect (bsc#1179827).
- nvme-fabrics: fix kato initialization (bsc#1182591).
- nvme-fabrics: only reserve a single tag (bsc#1182077).
- nvme-fabrics: reject I/O to offline device (bsc#1181161).
- nvme-fc: check sgl supported by target (bsc#1179827).
- nvme-fc: clear q_live at beginning of association teardown (bsc#1186479).
- nvme-fc: fix racing controller reset and create association (bsc#1183048).
- nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted (bsc#1180197).
- nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted (bsc#1184259).
- nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange() (bsc#1180197).
- nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange() (bsc#1184259).
- nvme-fc: short-circuit reconnect retries (bsc#1179827).
- nvme-hwmon: Return error code when registration fails (bsc#1177326).
- nvme-hwmon: Return error code when registration fails (bsc#1177326).
- nvme-multipath: fix double initialization of ANA state (bsc#1178612, bsc#1184259).
- nvme-multipath: reset bdev to ns head when failover (bsc#178378 bsc#1182999).
- nvme-pci: Remove tag from process cq (git-fixes).
- nvme-pci: Remove two-pass completions (git-fixes).
- nvme-pci: Simplify nvme_poll_irqdisable (git-fixes).
- nvme-pci: align io queue count with allocted nvme_queue in (git-fixes).
- nvme-pci: avoid race between nvme_reap_pending_cqes() and nvme_poll() (git-fixes).
- nvme-pci: dma read memory barrier for completions (git-fixes).
- nvme-pci: fix "slimmer CQ head update" (git-fixes).
- nvme-pci: make sure write/poll_queues less or equal then cpu (git-fixes).
- nvme-pci: remove last_sq_tail (git-fixes).
- nvme-pci: remove volatile cqes (git-fixes).
- nvme-pci: slimmer CQ head update (git-fixes).
- nvme-pci: use simple suspend when a HMB is enabled (git-fixes).
- nvme-tcp: Fix possible race of io_work and direct send (git-fixes).
- nvme-tcp: Fix warning with CONFIG_DEBUG_PREEMPT (git-fixes).
- nvme-tcp: add clean action for failed reconnection (bsc#1183976).
- nvme-tcp: fix kconfig dependency warning when !CRYPTO (git-fixes).
- nvme-tcp: fix misuse of __smp_processor_id with preemption (git-fixes).
- nvme-tcp: fix possible hang waiting for icresp response (bsc#1179519).
- nvme-tcp: fix possible hang when failing to set io queues (bsc#1181161).
- nvme-tcp: use cancel tagset helper for tear down (bsc#1183976).
- nvme: Fix NULL dereference for pci nvme controllers (bsc#1182378).
- nvme: add 'kato' sysfs attribute (bsc#1179825).
- nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() (bsc#1180197).
- nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() (bsc#1184259).
- nvme: allocate the keep alive request using BLK_MQ_REQ_NOWAIT (bsc#1182077).
- nvme: call nvme_identify_ns as the first thing in nvme_alloc_ns_block (bsc#1180197).
- nvme: clean up the check for too large logic block sizes (bsc#1180197).
- nvme: define constants for identification values (git-fixes).
- nvme: do not intialize hwmon for discovery controllers (bsc#1184259).
- nvme: do not intialize hwmon for discovery controllers (git-fixes).
- nvme: document nvme controller states (git-fixes).
- nvme: explicitly update mpath disk capacity on revalidation (git-fixes).
- nvme: expose reconnect_delay and ctrl_loss_tmo via sysfs (bsc#1182378).
- nvme: factor out a nvme_configure_metadata helper (bsc#1180197).
- nvme: fix controller instance leak (git-fixes).
- nvme: fix deadlock in disconnect during scan_work and/or ana_work (git-fixes).
- nvme: fix initialization of the zone bitmaps (bsc#1180197).
- nvme: fix possible deadlock when I/O is blocked (git-fixes).
- nvme: freeze the queue over ->lba_shift updates (bsc#1180197).
- nvme: lift the check for an unallocated namespace into nvme_identify_ns (bsc#1180197).
- nvme: merge nvme_keep_alive into nvme_keep_alive_work (bsc#1182077).
- nvme: move nvme_validate_ns (bsc#1180197).
- nvme: opencode revalidate_disk in nvme_validate_ns (bsc#1180197).
- nvme: query namespace identifiers before adding the namespace (bsc#1180197).
- nvme: refactor nvme_validate_ns (bsc#1180197).
- nvme: remove nvme_identify_ns_list (bsc#1180197).
- nvme: remove nvme_update_formats (bsc#1180197).
- nvme: remove superfluous else in nvme_ctrl_loss_tmo_store (bsc#1182378).
- nvme: remove the 0 lba_shift check in nvme_update_ns_info (bsc#1180197).
- nvme: remove the disk argument to nvme_update_zone_info (bsc#1180197).
- nvme: rename __nvme_revalidate_disk (bsc#1180197).
- nvme: rename _nvme_revalidate_disk (bsc#1180197).
- nvme: rename nvme_validate_ns to nvme_validate_or_alloc_ns (bsc#1180197).
- nvme: retrigger ANA log update if group descriptor isn't found (git-fixes)
- nvme: return an error if nvme_set_queue_count() fails (bsc#1180197).
- nvme: revalidate zone bitmaps in nvme_update_ns_info (bsc#1180197).
- nvme: sanitize KATO setting (bsc#1179825).
- nvme: set the queue limits in nvme_update_ns_info (bsc#1180197).
- nvme: simplify error logic in nvme_validate_ns() (bsc#1180197).
- nvme: simplify error logic in nvme_validate_ns() (bsc#1184259).
- nvme: update the known admin effects (bsc#1180197).
- nvmet-rdma: Fix list_del corruption on queue establishment failure (bsc#1183501).
- nvmet: fix a memory leak (git-fixes).
- nvmet: seset ns->file when open fails (bsc#1183873).
- nvmet: use new ana_log_size instead the old one (bsc#1184259).
- nxp-i2c: restore includes for kABI (bsc#1185589).
- nxp-nci: add NXP1002 id (bsc#1185589).
- ocfs2: fix a use after free on error (bsc#1184738).
- ovl: fix dentry leak in ovl_get_redirect (bsc#1184176).
- ovl: fix out of date comment and unreachable code (bsc#1184176).
- ovl: fix regression with re-formatted lower squashfs (bsc#1184176).
- ovl: fix unneeded call to ovl_change_flags() (bsc#1184176).
- ovl: fix value of i_ino for lower hardlink corner case (bsc#1184176).
- ovl: initialize error in ovl_copy_xattr (bsc#1184176).
- ovl: relax WARN_ON() when decoding lower directory file handle (bsc#1184176).
- partitions/ibm: fix non-DASD devices (bsc#1185857 LTC#192526).
- pata_arasan_cf: fix IRQ check (git-fixes).
- pata_ipx4xx_cf: fix IRQ check (git-fixes).
- perf/amd/uncore: Fix sysfs type mismatch (bsc#1178134).
- phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y, unconditionally (git-fixes).
- phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() (git-fixes).
- pinctrl: Ingenic: Add missing pins to the JZ4770 MAC MII group (git-fixes).
- pinctrl: core: Fix kernel doc string for pin_get_name() (git-fixes).
- pinctrl: ingenic: Improve unreachable code generation (git-fixes).
- pinctrl: lewisburg: Update number of pins in community (git-fixes).
- pinctrl: qcom: spmi-gpio: fix warning about irq chip reusage (git-fixes).
- pinctrl: rockchip: fix restore error in resume (git-fixes).
- pinctrl: samsung: use 'int' for register masks in Exynos (git-fixes).
- platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue (git-fixes).
- platform/x86: acer-wmi: Add ACER_CAP_KBD_DOCK quirk for the Aspire Switch 10E SW3-016 (git-fixes).
- platform/x86: acer-wmi: Add ACER_CAP_SET_FUNCTION_MODE capability flag (git-fixes).
- platform/x86: acer-wmi: Add new force_caps module parameter (git-fixes).
- platform/x86: acer-wmi: Add support for SW_TABLET_MODE on Switch devices (git-fixes).
- platform/x86: acer-wmi: Cleanup ACER_CAP_FOO defines (git-fixes).
- platform/x86: acer-wmi: Cleanup accelerometer device handling (git-fixes).
- platform/x86: intel-hid: Support Lenovo ThinkPad X1 Tablet Gen 2 (git-fixes).
- platform/x86: intel-vbtn: Stop reporting SW_DOCK events (git-fixes).
- platform/x86: intel_int0002_vgpio: Only call enable_irq_wake() when using s2idle (git-fixes).
- platform/x86: intel_pmc_core: Do not use global pmcdev in quirks (git-fixes).
- platform/x86: intel_pmt_crashlog: Fix incorrect macros (git-fixes).
- platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards with critclk_systems DMI table (git-fixes).
- platform/x86: thinkpad_acpi: Allow the FnLock LED to change state (git-fixes).
- platform/x86: thinkpad_acpi: Correct thermal sensor allocation (git-fixes).
- posix-timers: Preserve return value in clock_adjtime32() (git-fixes)
- post.sh: Return an error when module update fails (bsc#1047233 bsc#1184388).
- power: supply: Use IRQF_ONESHOT (git-fixes).
- power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() (git-fixes).
- power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() (git-fixes).
- powerepc/book3s64/hash: Align start/end address correctly with bolt mapping (bsc#1184957).
- powerpc/64s/exception: Clean up a missed SRR specifier (jsc#SLE-9246 git-fixes).
- powerpc/64s: Fix crashes when toggling entry flush barrier (bsc#1177666 git-fixes).
- powerpc/64s: Fix crashes when toggling stf barrier (bsc#1087082 git-fixes).
- powerpc/64s: Fix instruction encoding for lis in ppc_function_entry() (bsc#1065729).
- powerpc/64s: Fix pte update for kernel memory on radix (bsc#1055117 git-fixes).
- powerpc/asm-offsets: GPR14 is not needed either (bsc#1065729).
- powerpc/book3s64/radix: Remove WARN_ON in destroy_context() (bsc#1183692 ltc#191963).
- powerpc/eeh: Fix EEH handling for hugepages in ioremap space (bsc#1156395).
- powerpc/fadump: Mark fadump_calculate_reserve_size as __init (bsc#1065729).
- powerpc/kexec_file: Use current CPU info while setting up FDT (bsc#1184615 ltc#189835).
- powerpc/kuap: Restore AMR after replaying soft interrupts (bsc#1156395).
- powerpc/mm: Add cond_resched() while removing hpte mappings (bsc#1183289 ltc#191637).
- powerpc/papr_scm: Fix build error due to wrong printf specifier (bsc#1184969).
- powerpc/papr_scm: Implement support for H_SCM_FLUSH hcall (bsc#1184969).
- powerpc/perf: Fix PMU constraint check for EBB events (bsc#1065729).
- powerpc/perf: Fix sampled instruction type for larx/stcx (jsc#SLE-13513).
- powerpc/perf: Fix the threshold event selection for memory events in power10 (jsc#SLE-13513).
- powerpc/pmem: Include pmem prototypes (bsc#1113295 git-fixes).
- powerpc/prom: Mark identical_pvr_fixup as __init (bsc#1065729).
- powerpc/pseries/mobility: handle premature return from H_JOIN (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922).
- powerpc/pseries/mobility: use struct for shared state (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922).
- powerpc/pseries/ras: Remove unused variable 'status' (bsc#1065729).
- powerpc/pseries: Add shutdown() to vio_driver and vio_bus (bsc#1184209 ltc#190917).
- powerpc/pseries: Do not trace hcall tracing wrapper (bsc#1185110 ltc#192091).
- powerpc/pseries: Fix hcall tracing recursion in pv queued spinlocks (bsc#1185110 ltc#192091).
- powerpc/pseries: use notrace hcall variant for H_CEDE idle (bsc#1185110 ltc#192091).
- powerpc/pseries: warn if recursing into the hcall tracing code (bsc#1185110 ltc#192091).
- powerpc/smp: Reintroduce cpu_core_mask (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
- powerpc/sstep: Check instruction validity against ISA version before emulation (bsc#1156395).
- powerpc/sstep: Check instruction validity against ISA version before emulation (bsc#1156395).
- powerpc/sstep: Fix darn emulation (bsc#1156395).
- powerpc/sstep: Fix incorrect return from analyze_instr() (bsc#1156395).
- powerpc/sstep: Fix load-store and update emulation (bsc#1156395).
- powerpc/time: Enable sched clock for irqtime (bsc#1156395).
- powerpc/uaccess: Avoid might_fault() when user access is enabled (bsc#1156395).
- powerpc/uaccess: Perform barrier_nospec() in KUAP allowance helpers (bsc#1156395).
- powerpc/uaccess: Simplify unsafe_put_user() implementation (bsc#1156395).
- powerpc/xive: Drop check on irq_data in xive_core_debug_show() (bsc#1177437 ltc#188522 jsc#SLE-13294 git-fixes).
- powerpc/xmon: Fix build failure for 8xx (jsc#SLE-12936 git-fixes).
- powerpc: Fix inverted SET_FULL_REGS bitop (jsc#SLE-9246 git-fixes).
- powerpc: Fix missing declaration ofable_kernel_vsx() (git-fixes).
- proc: fix lookup in /proc/net subdirectories after setns(2) (git-fixes).
- qlcnic: fix error return code in qlcnic_83xx_restart_hw() (git-fixes).
- qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth (git-fixes).
- qxl: Fix uninitialised struct field head.surface_id (git-fixes).
- r8169: do not advertise pause in jumbo mode (git-fixes).
- r8169: fix DMA being used after buffer free if WoL is enabled (git-fixes).
- r8169: tweak max read request size for newer chips also in jumbo mtu mode (git-fixes).
- regmap: set debugfs_name to NULL after it is freed (git-fixes).
- regulator: Avoid a double 'of_node_get' in 'regulator_of_get_init_node()' (git-fixes).
- regulator: bd9571mwv: Fix AVS and DVFS voltage range (git-fixes).
- reintroduce cqhci_suspend for kABI (git-fixes).
- reiserfs: update reiserfs_xattrs_initialized() condition (bsc#1184737).
- rsi: Fix TX EAPOL packet handling against iwlwifi AP (git-fixes).
- rsi: Move card interrupt handling to RX thread (git-fixes).
- rsi: Use resume_noirq for SDIO (git-fixes).
- rsxx: remove extraneous 'const' qualifier (git-fixes).
- rtc: ds1307: Fix wday settings for rx8130 (git-fixes).
- rtc: fsl-ftm-alarm: add MODULE_TABLE() (bsc#1185454).
- rtc: fsl-ftm-alarm: avoid struct rtc_time conversions (bsc#1185454).
- rtc: fsl-ftm-alarm: enable acpi support (bsc#1185454).
- rtc: fsl-ftm-alarm: fix freeze(s2idle) failed to wake (bsc#1185454).
- rtc: fsl-ftm-alarm: report alarm to core (bsc#1185454).
- rtc: fsl-ftm-alarm: switch to ktime_get_real_seconds (bsc#1185454).
- rtc: fsl-ftm-alarm: switch to rtc_time64_to_tm/rtc_tm_to_time64 (bsc#1185454).
- rtc: fsl-ftm-alarm: update acpi device id (bsc#1185454).
- rtc: pcf2127: add alarm support (bsc#1185233).
- rtc: pcf2127: add pca2129 device id (bsc#1185233).
- rtc: pcf2127: add tamper detection support (bsc#1185233).
- rtc: pcf2127: add watchdog feature support (bsc#1185233).
- rtc: pcf2127: bugfix: watchdog build dependency (bsc#1185233).
- rtc: pcf2127: cleanup register and bit defines (bsc#1185233).
- rtc: pcf2127: convert to devm_rtc_allocate_device (bsc#1185233).
- rtc: pcf2127: fix a bug when not specify interrupts property (bsc#1185233).
- rtc: pcf2127: fix alarm handling (bsc#1185233).
- rtc: pcf2127: fix pcf2127_nvmem_read/write() returns (bsc#1185233).
- rtc: pcf2127: handle boot-enabled watchdog feature (bsc#1185233).
- rtc: pcf2127: handle timestamp interrupts (bsc#1185495).
- rtc: pcf2127: let the core handle rtc range (bsc#1185233).
- rtc: pcf2127: move watchdog initialisation to a separate function (bsc#1185233).
- rtc: pcf2127: only use watchdog when explicitly available (bsc#1185233).
- rtc: pcf2127: properly set flag WD_CD for rtc chips(pcf2129, pca2129) (bsc#1185233).
- rtc: pcf2127: remove unnecessary #ifdef (bsc#1185233).
- rtc: pcf2127: set regmap max_register (bsc#1185233).
- rtc: pcf2127: watchdog: handle nowayout feature (bsc#1185233).
- rtlwifi: 8821ae: upgrade PHY and RF parameters (git-fixes).
- rtw88: Fix an error code in rtw_debugfs_set_rsvd_page() (git-fixes).
- rtw88: Fix array overrun in rtw_get_tx_power_params() (git-fixes).
- rtw88: coex: 8821c: correct antenna switch function (git-fixes).
- s390/cio: return -EFAULT if copy_to_user() fails (git-fixes).
- s390/cio: return -EFAULT if copy_to_user() fails (git-fixes).
- s390/crypto: return -EFAULT if copy_to_user() fails (git-fixes).
- s390/dasd: fix hanging DASD driver unbind (bsc#1183932 LTC#192153).
- s390/dasd: fix hanging IO request during DASD driver unbind (git-fixes).
- s390/entry: save the caller of psw_idle (bsc#1185677).
- s390/ipl: support NVMe IPL kernel parameters (bsc#1185980 LTC#192679).
- s390/kdump: fix out-of-memory with PCI (bsc#1182257 LTC#191375).
- s390/pci: fix leak of PCI device structure (git-fixes).
- s390/qeth: fix memory leak after failed TX Buffer allocation (git-fixes).
- s390/qeth: fix notification for pending buffers during teardown (git-fixes).
- s390/qeth: improve completion of pending TX buffers (git-fixes).
- s390/qeth: schedule TX NAPI on QAOB completion (git-fixes).
- s390/vtime: fix increased steal time accounting (bsc#1183859).
- s390/zcrypt: return EIO when msg retry limit reached (git-fixes).
- samples, bpf: Add missing munmap in xdpsock (bsc#1155518).
- samples/bpf: Fix possible hang in xdpsock with multiple threads (bsc#1155518).
- sata_mv: add IRQ checks (git-fixes).
- sched/eas: Do not update misfit status if the task is pinned (git-fixes)
- sched/fair: Avoid stale CPU util_est value for schedutil in (git-fixes)
- sched/fair: Fix shift-out-of-bounds in load_balance() (git fixes (sched)).
- sched/fair: Fix unfairness caused by missing load decay (git-fixes)
- scripts/git_sort/git_sort.py: add bpf git repo
- scsi: aacraid: Improve compat_ioctl handlers (bsc#1186352).
- scsi: block: Fix a race in the runtime power management code (git-fixes).
- scsi: core: Only return started requests from scsi_host_find_tag() (bsc#1179851).
- scsi: core: Run queue in case of I/O resource contention failure (bsc#1186416).
- scsi: core: add scsi_host_busy_iter() (bsc#1179851).
- scsi: fnic: Kill 'exclude_id' argument to fnic_cleanup_io() (bsc#1179851).
- scsi: fnic: Remove bogus ratelimit messages (bsc#1183249).
- scsi: libfc: Avoid invoking response handler twice if ep is already completed (bsc#1186573).
- scsi: lpfc: Add a option to enable interlocked ABTS before job completion (bsc#1186451).
- scsi: lpfc: Add ndlp kref accounting for resume RPI path (bsc#1186451).
- scsi: lpfc: Change wording of invalid pci reset log message (bsc#1182574).
- scsi: lpfc: Copyright updates for 12.8.0.9 patches (bsc#1185472).
- scsi: lpfc: Correct function header comments related to ndlp reference counting (bsc#1182574).
- scsi: lpfc: Eliminate use of LPFC_DRIVER_NAME in lpfc_attr.c (bsc#1185472).
- scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology (bsc#1186451).
- scsi: lpfc: Fix ADISC handling that never frees nodes (bsc#1182574).
- scsi: lpfc: Fix DMA virtual address ptr assignment in bsg (bsc#1185365).
- scsi: lpfc: Fix FLOGI failure due to accessing a freed node (bsc#1182574).
- scsi: lpfc: Fix NMI crash during rmmod due to circular hbalock dependency (bsc#1185472).
- scsi: lpfc: Fix Node recovery when driver is handling simultaneous PLOGIs (bsc#1186451).
- scsi: lpfc: Fix PLOGI ACC to be transmit after REG_LOGIN (bsc#1182574).
- scsi: lpfc: Fix a bunch of kernel-doc issues (bsc#1185472).
- scsi: lpfc: Fix a bunch of kernel-doc misdemeanours (bsc#1185472).
- scsi: lpfc: Fix a bunch of misnamed functions (bsc#1185472).
- scsi: lpfc: Fix a few incorrectly named functions (bsc#1185472).
- scsi: lpfc: Fix a typo (bsc#1185472).
- scsi: lpfc: Fix bad memory access during VPD DUMP mailbox command (bsc#1186451).
- scsi: lpfc: Fix crash caused by switch reboot (bsc#1182574).
- scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO response (bsc#1185472).
- scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs (bsc#1186451).
- scsi: lpfc: Fix dropped FLOGI during pt2pt discovery recovery (bsc#1182574).
- scsi: lpfc: Fix error handling for mailboxes completed in MBX_POLL mode (bsc#1185472).
- scsi: lpfc: Fix formatting and misspelling issues (bsc#1185472).
- scsi: lpfc: Fix gcc -Wstringop-overread warning (bsc#1185472).
- scsi: lpfc: Fix illegal memory access on Abort IOCBs (bsc#1183203).
- scsi: lpfc: Fix incorrect dbde assignment when building target abts wqe (bsc#1182574).
- scsi: lpfc: Fix incorrect naming of __lpfc_update_fcf_record() (bsc#1185472).
- scsi: lpfc: Fix incorrectly documented function lpfc_debugfs_commonxripools_data() (bsc#1185472).
- scsi: lpfc: Fix kernel-doc formatting issue (bsc#1185472).
- scsi: lpfc: Fix lack of device removal on port swaps with PRLIs (bsc#1185472).
- scsi: lpfc: Fix lpfc_els_retry() possible null pointer dereference (bsc#1182574).
- scsi: lpfc: Fix lpfc_hdw_queue attribute being ignored (bsc#1185472).
- scsi: lpfc: Fix missing FDMI registrations after Mgmt Svc login (bsc#1185472).
- scsi: lpfc: Fix node handling for Fabric Controller and Domain Controller (bsc#1186451).
- scsi: lpfc: Fix nodeinfo debugfs output (bsc#1182574).
- scsi: lpfc: Fix non-optimized ERSP handling (bsc#1186451).
- scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb() (bsc#1182574).
- scsi: lpfc: Fix pt2pt connection does not recover after LOGO (bsc#1182574).
- scsi: lpfc: Fix pt2pt state transition causing rmmod hang (bsc#1182574).
- scsi: lpfc: Fix reference counting errors in lpfc_cmpl_els_rsp() (bsc#1185472).
- scsi: lpfc: Fix reftag generation sizing errors (bsc#1182574).
- scsi: lpfc: Fix rmmod crash due to bad ring pointers to abort_iotag (bsc#1185472).
- scsi: lpfc: Fix silent memory allocation failure in lpfc_sli4_bsg_link_diag_test() (bsc#1185472).
- scsi: lpfc: Fix some error codes in debugfs (bsc#1185472).
- scsi: lpfc: Fix stale node accesses on stale RRQ request (bsc#1182574).
- scsi: lpfc: Fix status returned in lpfc_els_retry() error exit path (bsc#1182574).
- scsi: lpfc: Fix unnecessary null check in lpfc_release_scsi_buf (bsc#1182574).
- scsi: lpfc: Fix unreleased RPIs when NPIV ports are created (bsc#1186451).
- scsi: lpfc: Fix use after free in lpfc_els_free_iocb (bsc#1182574).
- scsi: lpfc: Fix use-after-free on unused nodes after port swap (bsc#1185472).
- scsi: lpfc: Fix various trivial errors in comments and log messages (bsc#1185472).
- scsi: lpfc: Fix vport indices in lpfc_find_vport_by_vpid() (bsc#1182574).
- scsi: lpfc: Ignore GID-FT response that may be received after a link flip (bsc#1186451).
- scsi: lpfc: Reduce LOG_TRACE_EVENT logging for vports (bsc#1182574).
- scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic (bsc#1185472).
- scsi: lpfc: Reregister FPIN types if ELS_RDF is received from fabric controller (bsc#1186451).
- scsi: lpfc: Standardize discovery object logging format (bsc#1185472).
- scsi: lpfc: Update copyrights for 12.8.0.7 and 12.8.0.8 changes (bsc#1182574).
- scsi: lpfc: Update lpfc version to 12.8.0.10 (bsc#1186451).
- scsi: lpfc: Update lpfc version to 12.8.0.8 (bsc#1182574).
- scsi: lpfc: Update lpfc version to 12.8.0.9 (bsc#1185472).
- scsi: mpt3sas: Only one vSES is present even when IOC has multi vSES (bsc#1185954).
- scsi: pm80xx: Do not sleep in atomic context (bsc#1186353).
- scsi: pm80xx: Fix chip initialization failure (bsc#1186354).
- scsi: pm80xx: Fix potential infinite loop (bsc#1186354).
- scsi: pm80xx: Increase timeout for pm80xx mpi_uninit_check() (bsc#1186355).
- scsi: qla2xxx: Add H:C:T info in the log message for fc ports (bsc#1185491).
- scsi: qla2xxx: Add error counters to debugfs node (bsc#1185491).
- scsi: qla2xxx: Always check the return value of qla24xx_get_isp_stats() (bsc#1185491).
- scsi: qla2xxx: Assign boolean values to a bool variable (bsc#1185491).
- scsi: qla2xxx: Check kzalloc() return value (bsc#1185491).
- scsi: qla2xxx: Consolidate zio threshold setting for both FCP & NVMe (bsc#1185491).
- scsi: qla2xxx: Constify struct qla_tgt_func_tmpl (bsc#1185491).
- scsi: qla2xxx: Do logout even if fabric scan retries got exhausted (bsc#1185491).
- scsi: qla2xxx: Enable NVMe CONF (BIT_7) when enabling SLER (bsc#1185491).
- scsi: qla2xxx: Fix IOPS drop seen in some adapters (bsc#1185491).
- scsi: qla2xxx: Fix RISC RESET completion polling (bsc#1185491).
- scsi: qla2xxx: Fix a couple of misdocumented functions (bsc#1185491).
- scsi: qla2xxx: Fix a couple of misnamed functions (bsc#1185491).
- scsi: qla2xxx: Fix broken #endif placement (bsc#1185491).
- scsi: qla2xxx: Fix crash in PCIe error handling (bsc#1185491).
- scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() (bsc#1185491).
- scsi: qla2xxx: Fix endianness annotations (bsc#1185491).
- scsi: qla2xxx: Fix incorrectly named function qla8044_check_temp() (bsc#1185491).
- scsi: qla2xxx: Fix mailbox Ch erroneous error (bsc#1185491).
- scsi: qla2xxx: Fix mailbox recovery during PCIe error (bsc#1185491).
- scsi: qla2xxx: Fix some incorrect formatting/spelling issues (bsc#1185491).
- scsi: qla2xxx: Fix some memory corruption (bsc#1185491).
- scsi: qla2xxx: Fix stuck session (bsc#1185491).
- scsi: qla2xxx: Fix use after free in bsg (bsc#1185491).
- scsi: qla2xxx: Implementation to get and manage host, target stats and initiator port (bsc#1185491).
- scsi: qla2xxx: Move some messages from debug to normal log level (bsc#1185491).
- scsi: qla2xxx: Remove redundant NULL check (bsc#1185491).
- scsi: qla2xxx: Remove unnecessary NULL check (bsc#1185491).
- scsi: qla2xxx: Remove unneeded if-null-free check (bsc#1185491).
- scsi: qla2xxx: Replace __qla2x00_marker()'s missing underscores (bsc#1185491).
- scsi: qla2xxx: Reserve extra IRQ vectors (bsc#1184436).
- scsi: qla2xxx: Reuse existing error handling path (bsc#1185491).
- scsi: qla2xxx: Simplify if statement (bsc#1185491).
- scsi: qla2xxx: Simplify qla8044_minidump_process_control() (bsc#1185491).
- scsi: qla2xxx: Simplify the calculation of variables (bsc#1185491).
- scsi: qla2xxx: Suppress Coverity complaints about dseg_r* (bsc#1185491).
- scsi: qla2xxx: Update default AER debug mask (bsc#1185491).
- scsi: qla2xxx: Update version to 10.02.00.105-k (bsc#1185491).
- scsi: qla2xxx: Update version to 10.02.00.106-k (bsc#1185491).
- scsi: qla2xxx: Use dma_pool_zalloc() (bsc#1185491).
- scsi: qla2xxx: Wait for ABTS response on I/O timeouts for NVMe (bsc#1185491).
- scsi: qla2xxx: fc_remote_port_chkready() returns a SCSI result value (bsc#1185491).
- scsi: smartpqi: Correct driver removal with HBA disks (bsc#1178089).
- scsi: smartpqi: Correct driver removal with HBA disks (bsc#1178089).
- scsi: smartpqi: Correct pqi_sas_smp_handler busy condition (bsc#1178089).
- scsi: smartpqi: Correct pqi_sas_smp_handler busy condition (bsc#1178089).
- scsi: smartpqi: Update version to 1.2.16-012 (bsc#1178089).
- scsi: smartpqi: Update version to 1.2.16-012 (bsc#1178089).
- scsi: target: pscsi: Avoid OOM in pscsi_map_sg() (bsc#1183843).
- scsi: target: pscsi: Clean up after failure in pscsi_map_sg() (bsc#1183843).
- scsi: target: tcmu: Fix use-after-free of se_cmd->priv (bsc#1186356).
- scsi: target: tcmu: Fix warning: 'page' may be used uninitialized (bsc#1186357).
- sctp: delay auto_asconf init until binding the first addr (<cover.1620748346.git.mkubecek at suse.cz>).
- security: keys: trusted: fix TPM2 authorizations (git-fixes).
- selftests/bpf: Fix BPF_CORE_READ_BITFIELD() macro (bsc#1177028).
- selftests/bpf: Fix the ASSERT_ERR_PTR macro (bsc#1177028).
- selftests/bpf: Mask bpf_csum_diff() return value to 16 bits in test_verifier (bsc#1155518).
- selftests/bpf: No need to drop the packet when there is no geneve opt (bsc#1155518).
- selftests/bpf: Re-generate vmlinux.h and BPF skeletons if bpftool changed (bsc#1177028).
- selftests/bpf: Set gopt opt_class to 0 if get tunnel opt failed (bsc#1155518).
- selftests/powerpc: Add pkey helpers for rights (bsc#1184934 ltc#191460).
- selftests/powerpc: Add test for execute-disabled pkeys (bsc#1184934 ltc#191460).
- selftests/powerpc: Add test for pkey siginfo verification (bsc#1184934 ltc#191460).
- selftests/powerpc: Add wrapper for gettid (bsc#1184934 ltc#191460).
- selftests/powerpc: Fix L1D flushing tests for Power10 (bsc#1184934 ltc#191460).
- selftests/powerpc: Fix exit status of pkey tests (bsc#1184934 ltc#191460).
- selftests/powerpc: Fix pkey syscall redefinitions (bsc#1184934 ltc#191460).
- selftests/powerpc: Move pkey helpers to headers (bsc#1184934 ltc#191460).
- selftests/powerpc: refactor entry and rfi_flush tests (bsc#1184934 ltc#191460).
- selftests: mlxsw: Remove a redundant if statement in tc_flower_scale test (bsc#1176774).
- selinux: Fix error return code in sel_ib_pkey_sid_slow() (git-fixes).
- selinux: fix error initialization in inode_doinit_with_dentry() (git-fixes).
- selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling (git-fixes).
- serial: core: fix suspicious security_locked_down() call (git-fixes).
- serial: core: return early on unsupported ioctls (git-fixes).
- serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (git-fixes).
- serial: stm32: fix incorrect characters on console (git-fixes).
- serial: stm32: fix tx_empty condition (git-fixes).
- serial: tegra: Fix a mask operation that is always true (git-fixes).
- smb3: Fix out-of-bounds bug in SMB2_negotiate() (bsc#1183540).
- smb3: add dynamic trace point to trace when credits obtained (bsc#1181507).
- smb3: fix crediting for compounding when only one request in flight (bsc#1181507).
- smc: disallow TCP_ULP in smc_setsockopt() (git-fixes).
- soc/fsl: qbman: fix conflicting alignment attributes (git-fixes).
- soc: aspeed: fix a ternary sign expansion bug (git-fixes).
- soc: fsl: qe: replace qe_io{read,write}* wrappers by generic io{read,write}* (git-fixes).
- soc: qcom: mdt_loader: Detect truncated read of segments (git-fixes).
- soc: qcom: mdt_loader: Validate that p_filesz < p_memsz (git-fixes).
- software node: Fix node registration (git-fixes).
- soundwire: bus: Fix device found flag correctly (git-fixes).
- soundwire: stream: fix memory leak in stream config error path (git-fixes).
- spi: Introduce dspi_slave_abort() function for NXP's dspi SPI driver (bsc#1167260).
- spi: ath79: always call chipselect function (git-fixes).
- spi: ath79: remove spi-master setup and cleanup assignment (git-fixes).
- spi: cadence: set cqspi to the driver_data field of struct device (git-fixes).
- spi: dln2: Fix reference leak to master (git-fixes).
- spi: fsl-dspi: fix NULL pointer dereference (bsc#1167260).
- spi: fsl-dspi: fix use-after-free in remove path (bsc#1167260).
- spi: fsl-dspi: fix wrong pointer in suspend/resume (bsc#1167260).
- spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware() (git-fixes).
- spi: omap-100k: Fix reference leak to master (git-fixes).
- spi: qup: fix PM reference leak in spi_qup_remove() (git-fixes).
- spi: spi-fsl-dspi: Accelerate transfers using larger word size if possible (bsc#1167260).
- spi: spi-fsl-dspi: Add comments around dspi_pop_tx and dspi_push_rx functions (bsc#1167260).
- spi: spi-fsl-dspi: Add support for LS1028A (bsc#1167260).
- spi: spi-fsl-dspi: Adding shutdown hook (bsc#1167260).
- spi: spi-fsl-dspi: Always use the TCFQ devices in poll mode (bsc#1167260).
- spi: spi-fsl-dspi: Avoid NULL pointer in dspi_slave_abort for non-DMA mode (bsc#1167260).
- spi: spi-fsl-dspi: Avoid reading more data than written in EOQ mode (bsc#1167260).
- spi: spi-fsl-dspi: Change usage pattern of SPI_MCR_* and SPI_CTAR_* macros (bsc#1167260).
- spi: spi-fsl-dspi: Convert TCFQ users to XSPI FIFO mode (bsc#1167260).
- spi: spi-fsl-dspi: Convert the instantiations that support it to DMA (bsc#1167260).
- spi: spi-fsl-dspi: Demistify magic value in SPI_SR_CLEAR (bsc#1167260).
- spi: spi-fsl-dspi: Do not access reserved fields in SPI_MCR (bsc#1167260).
- spi: spi-fsl-dspi: Do not mask off undefined bits (bsc#1167260).
- spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours (bsc#1167260).
- spi: spi-fsl-dspi: Fix 16-bit word order in 32-bit XSPI mode (bsc#1167260).
- spi: spi-fsl-dspi: Fix a resource leak in an error handling path (git-fixes).
- spi: spi-fsl-dspi: Fix bits-per-word acceleration in DMA mode (bsc#1167260).
- spi: spi-fsl-dspi: Fix code alignment (bsc#1167260).
- spi: spi-fsl-dspi: Fix external abort on interrupt in resume or exit paths (bsc#1167260).
- spi: spi-fsl-dspi: Fix interrupt-less DMA mode taking an XSPI code path (bsc#1167260).
- spi: spi-fsl-dspi: Fix little endian access to PUSHR CMD and TXDATA (bsc#1167260).
- spi: spi-fsl-dspi: Fix lockup if device is removed during SPI transfer (bsc#1167260).
- spi: spi-fsl-dspi: Fix lockup if device is shutdown during SPI transfer (bsc#1167260).
- spi: spi-fsl-dspi: Fix race condition in TCFQ/EOQ interrupt (bsc#1167260).
- spi: spi-fsl-dspi: Fix typos (bsc#1167260).
- spi: spi-fsl-dspi: Free DMA memory with matching function (bsc#1167260).
- spi: spi-fsl-dspi: Implement .max_message_size method for EOQ mode (bsc#1167260).
- spi: spi-fsl-dspi: Initialize completion before possible interrupt (bsc#1167260).
- spi: spi-fsl-dspi: LS2080A and LX2160A support XSPI mode (bsc#1167260).
- spi: spi-fsl-dspi: Make bus-num property optional (bsc#1167260).
- spi: spi-fsl-dspi: Move dspi_interrupt above dspi_transfer_one_message (bsc#1167260).
- spi: spi-fsl-dspi: Move invariant configs out of dspi_transfer_one_message (bsc#1167260).
- spi: spi-fsl-dspi: Optimize dspi_setup_accel for lowest interrupt count (bsc#1167260).
- spi: spi-fsl-dspi: Parameterize the FIFO size and DMA buffer size (bsc#1167260).
- spi: spi-fsl-dspi: Protect against races on dspi->words_in_flight (bsc#1167260).
- spi: spi-fsl-dspi: Reduce indentation in dspi_release_dma() (bsc#1167260).
- spi: spi-fsl-dspi: Reduce indentation level in dspi_interrupt (bsc#1167260).
- spi: spi-fsl-dspi: Remove impossible to reach error check (bsc#1167260).
- spi: spi-fsl-dspi: Remove pointless assignment of master->transfer to NULL (bsc#1167260).
- spi: spi-fsl-dspi: Remove unused chip->void_write_data (bsc#1167260).
- spi: spi-fsl-dspi: Remove unused defines and includes (bsc#1167260).
- spi: spi-fsl-dspi: Remove unused initialization of 'ret' in dspi_probe (bsc#1167260).
- spi: spi-fsl-dspi: Rename fifo_{read,write} and {tx,cmd}_fifo_write (bsc#1167260).
- spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion (bsc#1167260).
- spi: spi-fsl-dspi: Replace legacy spi_master names with spi_controller (bsc#1167260).
- spi: spi-fsl-dspi: Simplify bytes_per_word gymnastics (bsc#1167260).
- spi: spi-fsl-dspi: Take software timestamp in dspi_fifo_write (bsc#1167260).
- spi: spi-fsl-dspi: Use BIT() and GENMASK() macros (bsc#1167260).
- spi: spi-fsl-dspi: Use EOQ for last word in buffer even for XSPI mode (bsc#1167260).
- spi: spi-fsl-dspi: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1167260).
- spi: spi-fsl-dspi: Use poll mode in case the platform IRQ is missing (bsc#1167260).
- spi: spi-fsl-dspi: Use reverse Christmas tree declaration order (bsc#1167260).
- spi: spi-fsl-dspi: Use specific compatible strings for all SoC instantiations (bsc#1167260).
- spi: spi-fsl-dspi: delete EOQ transfer mode (bsc#1167260).
- spi: spi-fsl-dspi: fix DMA mapping (bsc#1167260).
- spi: spi-fsl-dspi: fix native data copy (bsc#1167260).
- spi: spi-fsl-dspi: remove git-fixes Remove git-fixes. Prepare to update the driver. References: bsc#1167260
- spi: spi-fsl-dspi: set ColdFire to DMA mode (bsc#1167260).
- spi: spi-fsl-dspi: use XSPI mode instead of DMA for DPAA2 SoCs (bsc#1167260).
- spi: spi-ti-qspi: Free DMA resources (git-fixes).
- spi: stm32: make spurious and overrun interrupts visible (git-fixes).
- squashfs: fix inode lookup sanity checks (bsc#1183750).
- squashfs: fix xattr id and id lookup sanity checks (bsc#1183750).
- staging: bcm2835-audio: Replace unsafe strcpy() with strscpy() (git-fixes).
- staging: comedi: addi_apci_1032: Fix endian problem for COS sample (git-fixes).
- staging: comedi: addi_apci_1500: Fix endian problem for command sample (git-fixes).
- staging: comedi: adv_pci1710: Fix endian problem for AI command data (git-fixes).
- staging: comedi: cb_pcidas64: fix request_irq() warn (git-fixes).
- staging: comedi: cb_pcidas: fix request_irq() warn (git-fixes).
- staging: comedi: das6402: Fix endian problem for AI command data (git-fixes).
- staging: comedi: das800: Fix endian problem for AI command data (git-fixes).
- staging: comedi: dmm32at: Fix endian problem for AI command data (git-fixes).
- staging: comedi: me4000: Fix endian problem for AI command data (git-fixes).
- staging: comedi: pcl711: Fix endian problem for AI command data (git-fixes).
- staging: comedi: pcl818: Fix endian problem for AI command data (git-fixes).
- staging: emxx_udc: fix loop in _nbu2ss_nuke() (git-fixes).
- staging: fwserial: Fix error handling in fwserial_create (git-fixes).
- staging: fwserial: fix TIOCGSERIAL implementation (git-fixes).
- staging: fwserial: fix TIOCSSERIAL implementation (git-fixes).
- staging: fwserial: fix TIOCSSERIAL jiffies conversions (git-fixes).
- staging: fwserial: fix TIOCSSERIAL permission check (git-fixes).
- staging: iio: cdc: ad7746: avoid overwrite of num_channels (git-fixes).
- staging: ks7010: prevent buffer overflow in ks_wlan_set_scan() (git-fixes).
- staging: most: sound: add sanity check for function argument (git-fixes).
- staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data() (git-fixes).
- staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan() (git-fixes).
- staging: rtl8192e: Change state information from u16 to u8 (git-fixes).
- staging: rtl8192e: Fix incorrect source in memcpy() (git-fixes).
- staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan (git-fixes).
- staging: rtl8192u: Fix potential infinite loop (git-fixes).
- staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan() (git-fixes).
- staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd (git-fixes).
- staging: rtl8712: unterminated string leads to read overflow (git-fixes).
- stop_machine: mark helpers __always_inline (git-fixes).
- supported.conf:
- supported.conf: add bsc1185010 dependency
- supported.conf: mark usb_otg_fsm as supported (bsc#1185010)
- tcp: fix to update snd_wl1 in bulk receiver fast path (<cover.1620748346.git.mkubecek at suse.cz>).
- tee: optee: remove need_resched() before cond_resched() (git-fixes).
- tee: optee: replace might_sleep with cond_resched (git-fixes).
- thermal/core: Add NULL pointer check before using cooling device stats (git-fixes).
- thermal/drivers/cpufreq_cooling: Update cpufreq_state only if state has changed (git-fixes).
- thermal/drivers/ti-soc-thermal/bandgap Remove unused variable 'val' (git-fixes).
- thermal: thermal_of: Fix error return code of thermal_of_populate_bind_params() (git-fixes).
- thunderbolt: Fix a leak in tb_retimer_add() (git-fixes).
- thunderbolt: Fix a leak in tb_retimer_add() (git-fixes).
- thunderbolt: Fix off by one in tb_port_find_retimer() (git-fixes).
- thunderbolt: Fix off by one in tb_port_find_retimer() (git-fixes).
- thunderbolt: Initialize HopID IDAs in tb_switch_alloc() (git-fixes).
- thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (git-fixes).
- tools/resolve_btfids: Fix build error with older host toolchains (bsc#1177028).
- tpm: acpi: Check eventlog signature before using it (git-fixes).
- tracing: Map all PIDs to command lines (git-fixes).
- tty: amiserial: fix TIOCSSERIAL permission check (git-fixes).
- tty: fix memory leak in vc_deallocate (git-fixes).
- tty: moxa: fix TIOCSSERIAL jiffies conversions (git-fixes).
- tty: moxa: fix TIOCSSERIAL permission check (git-fixes).
- tty: serial: lpuart: fix lpuart32_write usage (git-fixes).
- tty: serial: ucc_uart: replace qe_io{read,write}* wrappers by generic io{read,write}* (git-fixes).
- udlfb: Fix memory leak in dlfb_usb_probe (git-fixes).
- uio: uio_hv_generic: use devm_kzalloc() for private data alloc (git-fixes).
- uio_hv_generic: Fix a memory leak in error handling paths (git-fixes).
- uio_hv_generic: Fix another memory leak in error handling paths (git-fixes).
- uio_hv_generic: add missed sysfs_remove_bin_file (git-fixes).
- usb-storage: Add quirk to defeat Kindle's automatic unload (git-fixes).
- usb: Remove dev_err() usage after platform_get_irq() (git-fixes).
- usb: core: hub: Fix PM reference leak in usb_port_resume() (git-fixes).
- usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes).
- usb: dwc2: Fix HPRT0.PrtSusp bit setting for HiKey 960 board (git-fixes).
- usb: dwc2: Fix gadget DMA unmap direction (git-fixes).
- usb: dwc2: Fix hibernation between host and device modes (git-fixes).
- usb: dwc2: Fix host mode hibernation exit with remote wakeup flow (git-fixes).
- usb: dwc2: Fix session request interrupt handler (git-fixes).
- usb: dwc2: Prevent core suspend when port connection flag is 0 (git-fixes).
- usb: dwc3: Switch to use device_property_count_u32() (git-fixes).
- usb: dwc3: Update soft-reset wait polling rate (git-fixes).
- usb: dwc3: gadget: Enable suspend events (git-fixes).
- usb: dwc3: gadget: Fix START_TRANSFER link state check (git-fixes).
- usb: dwc3: gadget: Return success always for kick transfer in ep queue (git-fixes).
- usb: dwc3: keystone: use devm_platform_ioremap_resource() to simplify code (git-fixes).
- usb: dwc3: meson-g12a: use devm_platform_ioremap_resource() to simplify code (git-fixes).
- usb: dwc3: omap: improve extcon initialization (git-fixes).
- usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield (git-fixes).
- usb: dwc3: qcom: Add missing DWC3 OF node refcount decrement (git-fixes).
- usb: dwc3: qcom: Honor wakeup enabled/disabled state (git-fixes).
- usb: fotg210-hcd: Fix an error message (git-fixes).
- usb: gadget/function/f_fs string table fix for multiple languages (git-fixes).
- usb: gadget: Fix double free of device descriptor pointers (git-fixes).
- usb: gadget: aspeed: fix dma map failure (git-fixes).
- usb: gadget: configfs: Fix KASAN use-after-free (git-fixes).
- usb: gadget: dummy_hcd: fix gpf in gadget_setup (git-fixes).
- usb: gadget: f_uac1: stop playback on function disable (git-fixes).
- usb: gadget: f_uac1: validate input parameters (git-fixes).
- usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot (git-fixes).
- usb: gadget: f_uac2: validate input parameters (git-fixes).
- usb: gadget: pch_udc: Check for DMA mapping error (git-fixes).
- usb: gadget: pch_udc: Check if driver is present before calling ->setup() (git-fixes).
- usb: gadget: pch_udc: Move pch_udc_init() to satisfy kernel doc (git-fixes).
- usb: gadget: pch_udc: Replace cpu_to_le32() by lower_32_bits() (git-fixes).
- usb: gadget: pch_udc: Revert d3cb25a12138 completely (git-fixes).
- usb: gadget: r8a66597: Add missing null check on return from platform_get_resource (git-fixes).
- usb: gadget: udc: amd5536udc_pci fix null-ptr-dereference (git-fixes).
- usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() (git-fixes).
- usb: gadget: uvc: add bInterval checking for HS mode (git-fixes).
- usb: musb: Fix suspend with devices connected for a64 (git-fixes).
- usb: musb: fix PM reference leak in musb_irq_work() (git-fixes).
- usb: pci-quirks: disable D3cold on xhci suspend for s2idle on AMD Renoire (bsc#1185840).
- usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM (git-fixes).
- usb: roles: Call try_module_get() from usb_role_switch_find_by_fwnode() (git-fixes).
- usb: roles: Call try_module_get() from usb_role_switch_find_by_fwnode() (git-fixes).
- usb: sl811-hcd: improve misleading indentation (git-fixes).
- usb: typec: Remove vdo[3] part of tps6598x_rx_identity_reg struct (git-fixes).
- usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS (git-fixes).
- usb: typec: tcpm: Address incorrect values of tcpm psy for fixed supply (git-fixes).
- usb: typec: tcpm: Honour pSnkStdby requirement during negotiation (git-fixes).
- usb: typec: tcpm: Invoke power_supply_changed for tcpm-source-psy- (git-fixes).
- usb: typec: tcpm: Invoke power_supply_changed for tcpm-source-psy- (git-fixes).
- usb: typec: tps6598x: Fix return value check in tps6598x_probe() (git-fixes).
- usb: typec: tps6598x: Fix return value check in tps6598x_probe() (git-fixes).
- usb: typec: ucsi: Put fwnode in any case during ->probe() (git-fixes).
- usb: webcam: Invalid size of Processing Unit Descriptor (git-fixes).
- usb: xhci-mtk: fix broken streams issue on 0.96 xHCI (git-fixes).
- usb: xhci-mtk: improve bandwidth scheduling with TT (git-fixes).
- usb: xhci-mtk: remove or operator for setting schedule parameters (git-fixes).
- usb: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing (git-fixes).
- usb: xhci: Fix port minor revision (git-fixes).
- usb: xhci: Increase timeout for HC halt (git-fixes).
- usb: xhci: do not perform Soft Retry for some xHCI hosts (git-fixes).
- usbip: Fix incorrect double assignment to udc->ud.tcp_rx (git-fixes).
- usbip: fix stub_dev to check for stream socket (git-fixes).
- usbip: fix stub_dev usbip_sockfd_store() races leading to gpf (git-fixes).
- usbip: fix vhci_hcd attach_store() races leading to gpf (git-fixes).
- usbip: fix vhci_hcd to check for stream socket (git-fixes).
- usbip: fix vudc to check for stream socket (git-fixes).
- usbip: fix vudc usbip_sockfd_store races leading to gpf (git-fixes).
- usbip: tools: fix build error for multiple definition (git-fixes).
- usbip: vhci_hcd fix shift out-of-bounds in vhci_hub_control() (git-fixes).
- use __netdev_notify_peers in ibmvnic (bsc#1183871 ltc#192139).
- veth: Store queue_mapping independently of XDP prog presence (git-fixes).
- vfio-pci/zdev: fix possible segmentation fault issue (git-fixes).
- vfio/iommu_type1: Populate full dirty when detach non-pinned group (bsc#1183326).
- vfio/mdev: Do not allow a mdev_type to have a NULL parent pointer (git-fixes).
- vfio/mdev: Make to_mdev_device() into a static inline (git-fixes).
- vfio/pci: Add missing range check in vfio_pci_mmap (git-fixes).
- vfio/pci: Move VGA and VF initialization to functions (git-fixes).
- vfio/pci: Re-order vfio_pci_probe() (git-fixes).
- vgacon: Record video mode changes with VT_RESIZEX (git-fixes).
- video: fbdev: acornfb: remove free_unused_pages() (bsc#1152489)
- video: hyperv_fb: Add ratelimit on error message (bsc#1185725).
- video: hyperv_fb: Fix a double free in hvfb_probe (git-fixes).
- virt_wifi: Return micros for BSS TSF values (git-fixes).
- virtiofs: fix memory leak in virtio_fs_probe() (bsc#1185558).
- vrf: fix a comment about loopback device (git-fixes).
- vt/consolemap: do font sum unsigned (git-fixes).
- vxlan: do not modify the shared tunnel info when PMTU triggers an ICMP reply (bsc#1176447).
- vxlan: move debug check after netdev unregister (git-fixes).
- watchdog/softlockup: Remove obsolete check of last reported task (bsc#1185982).
- watchdog/softlockup: report the overall time of softlockups (bsc#1185982).
- watchdog: explicitly update timestamp when reporting softlockup (bsc#1185982).
- watchdog: rename __touch_watchdog() to a better descriptive name (bsc#1185982).
- whitespace cleanup
- wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join (git-fixes).
- wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt (git-fixes).
- wlcore: Fix command execute failure 19 for wl12xx (git-fixes).
- workqueue: Minor follow-ups to the rescuer destruction change (bsc#1185911).
- workqueue: Move the position of debug_work_activate() in __queue_work() (bsc#1184893).
- workqueue: more destroy_workqueue() fixes (bsc#1185911).
- x86,swiotlb: Adjust SWIOTLB bounce buffer size for SEV guests (bsc#1186219).
- x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is supported (bsc#1152489).
- x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access (bsc#1152489).
- x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task (bsc#1152489).
- x86/insn: Add some Intel instructions to the opcode map (bsc#1184760).
- x86/insn: Add some more Intel instructions to the opcode map (bsc#1184760).
- x86/ioapic: Ignore IRQ2 again (bsc#1152489).
- x86/mem_encrypt: Correct physical address calculation in __set_clr_pte_enc() (bsc#1152489).
- x86/microcode: Check for offline CPUs before requesting new microcode (bsc#1152489).
- x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd (bsc#1152489).
- x86/platform/uv: Set section block size for hubless architectures (bsc#1152489).
- x86/reboot: Force all cpus to exit VMX root if VMX is supported (bsc#1152489).
- x86/sev-es: Invalidate the GHCB after completing VMGEXIT (bsc#1178134).
- x86/sev-es: Move sev_es_put_ghcb() in prep for follow on patch (bsc#1178134).
- x86: Introduce TS_COMPAT_RESTART to fix get_nr_restart_syscall() (bsc#1152489).
- xen/events: avoid handling the same event on two cpus at the same time (git-fixes).
- xen/events: do not unmask an event channel when an eoi is pending (git-fixes).
- xen/events: reset affinity of 2-level event when tearing it down (git-fixes).
- xen/evtchn: Change irq_info lock to raw_spinlock_t (git-fixes).
- xfrm: Provide private skb extensions for segmented and hw offloaded ESP packets (bsc#1176447).
- xfs: group quota should return EDQUOT when prj quota enabled (bsc#1180980).
- xhci: Do not use GFP_KERNEL in (potentially) atomic context (git-fixes).
- xhci: Fix repeated xhci wake after suspend due to uncleared internal wake state (git-fixes).
- xhci: Improve detection of device initiated wake signal (git-fixes).
- xhci: check control context is valid before dereferencing it (git-fixes).
- xhci: fix potential array out of bounds with several interrupters (git-fixes).
- xsk: Respect device's headroom and tailroom on generic xmit path (git-fixes).
- xsk: Respect device's headroom and tailroom on generic xmit path (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Public Cloud 15-SP3:

  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2021-1975=1

Package List:

- SUSE Linux Enterprise Module for Public Cloud 15-SP3 (x86_64):

  kernel-azure-5.3.18-38.3.1
  kernel-azure-debuginfo-5.3.18-38.3.1
  kernel-azure-debugsource-5.3.18-38.3.1
  kernel-azure-devel-5.3.18-38.3.1
  kernel-azure-devel-debuginfo-5.3.18-38.3.1
  kernel-syms-azure-5.3.18-38.3.1

- SUSE Linux Enterprise Module for Public Cloud 15-SP3 (noarch):

  kernel-devel-azure-5.3.18-38.3.1
  kernel-source-azure-5.3.18-38.3.1

References:

https://www.suse.com/security/cve/CVE-2019-18814.html
https://www.suse.com/security/cve/CVE-2019-19769.html
https://www.suse.com/security/cve/CVE-2020-24586.html
https://www.suse.com/security/cve/CVE-2020-24587.html
https://www.suse.com/security/cve/CVE-2020-24588.html
https://www.suse.com/security/cve/CVE-2020-25670.html
https://www.suse.com/security/cve/CVE-2020-25671.html
https://www.suse.com/security/cve/CVE-2020-25672.html
https://www.suse.com/security/cve/CVE-2020-25673.html
https://www.suse.com/security/cve/CVE-2020-26139.html
https://www.suse.com/security/cve/CVE-2020-26141.html
https://www.suse.com/security/cve/CVE-2020-26145.html
https://www.suse.com/security/cve/CVE-2020-26147.html
https://www.suse.com/security/cve/CVE-2020-27170.html
https://www.suse.com/security/cve/CVE-2020-27171.html
https://www.suse.com/security/cve/CVE-2020-27673.html
https://www.suse.com/security/cve/CVE-2020-27815.html
https://www.suse.com/security/cve/CVE-2020-35519.html
https://www.suse.com/security/cve/CVE-2020-36310.html
https://www.suse.com/security/cve/CVE-2020-36311.html
https://www.suse.com/security/cve/CVE-2020-36312.html
https://www.suse.com/security/cve/CVE-2020-36322.html
https://www.suse.com/security/cve/CVE-2021-20268.html
https://www.suse.com/security/cve/CVE-2021-23134.html
https://www.suse.com/security/cve/CVE-2021-27363.html
https://www.suse.com/security/cve/CVE-2021-27364.html
https://www.suse.com/security/cve/CVE-2021-27365.html
https://www.suse.com/security/cve/CVE-2021-28038.html
https://www.suse.com/security/cve/CVE-2021-28375.html
https://www.suse.com/security/cve/CVE-2021-28660.html
https://www.suse.com/security/cve/CVE-2021-28688.html
https://www.suse.com/security/cve/CVE-2021-28950.html
https://www.suse.com/security/cve/CVE-2021-28952.html
https://www.suse.com/security/cve/CVE-2021-28964.html
https://www.suse.com/security/cve/CVE-2021-28971.html
https://www.suse.com/security/cve/CVE-2021-28972.html
https://www.suse.com/security/cve/CVE-2021-29154.html
https://www.suse.com/security/cve/CVE-2021-29155.html
https://www.suse.com/security/cve/CVE-2021-29264.html
https://www.suse.com/security/cve/CVE-2021-29265.html
https://www.suse.com/security/cve/CVE-2021-29647.html
https://www.suse.com/security/cve/CVE-2021-29650.html
https://www.suse.com/security/cve/CVE-2021-30002.html
https://www.suse.com/security/cve/CVE-2021-32399.html
https://www.suse.com/security/cve/CVE-2021-33034.html
https://www.suse.com/security/cve/CVE-2021-33200.html
https://www.suse.com/security/cve/CVE-2021-3428.html
https://www.suse.com/security/cve/CVE-2021-3444.html
https://www.suse.com/security/cve/CVE-2021-3483.html
https://www.suse.com/security/cve/CVE-2021-3489.html
https://www.suse.com/security/cve/CVE-2021-3490.html
https://www.suse.com/security/cve/CVE-2021-3491.html
https://bugzilla.suse.com/1043990
https://bugzilla.suse.com/1047233
https://bugzilla.suse.com/1055117
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1087082
https://bugzilla.suse.com/1113295
https://bugzilla.suse.com/1133021
https://bugzilla.suse.com/1152457
https://bugzilla.suse.com/1152472
https://bugzilla.suse.com/1152489
https://bugzilla.suse.com/1153274
https://bugzilla.suse.com/1154353
https://bugzilla.suse.com/1155518
https://bugzilla.suse.com/1156256
https://bugzilla.suse.com/1156395
https://bugzilla.suse.com/1159280
https://bugzilla.suse.com/1160634
https://bugzilla.suse.com/1164648
https://bugzilla.suse.com/1167260
https://bugzilla.suse.com/1167574
https://bugzilla.suse.com/1167773
https://bugzilla.suse.com/1168777
https://bugzilla.suse.com/1168838
https://bugzilla.suse.com/1169709
https://bugzilla.suse.com/1171295
https://bugzilla.suse.com/1173485
https://bugzilla.suse.com/1174416
https://bugzilla.suse.com/1174426
https://bugzilla.suse.com/1175995
https://bugzilla.suse.com/1176447
https://bugzilla.suse.com/1176774
https://bugzilla.suse.com/1177028
https://bugzilla.suse.com/1177326
https://bugzilla.suse.com/1177411
https://bugzilla.suse.com/1177437
https://bugzilla.suse.com/1177666
https://bugzilla.suse.com/1178089
https://bugzilla.suse.com/1178134
https://bugzilla.suse.com/1178163
https://bugzilla.suse.com/1178181
https://bugzilla.suse.com/1178330
https://bugzilla.suse.com/1178378
https://bugzilla.suse.com/1178418
https://bugzilla.suse.com/1178612
https://bugzilla.suse.com/1179243
https://bugzilla.suse.com/1179454
https://bugzilla.suse.com/1179458
https://bugzilla.suse.com/1179519
https://bugzilla.suse.com/1179825
https://bugzilla.suse.com/1179827
https://bugzilla.suse.com/1179851
https://bugzilla.suse.com/1180100
https://bugzilla.suse.com/1180197
https://bugzilla.suse.com/1180814
https://bugzilla.suse.com/1180846
https://bugzilla.suse.com/1180980
https://bugzilla.suse.com/1181104
https://bugzilla.suse.com/1181161
https://bugzilla.suse.com/1181383
https://bugzilla.suse.com/1181507
https://bugzilla.suse.com/1181674
https://bugzilla.suse.com/1181862
https://bugzilla.suse.com/1182077
https://bugzilla.suse.com/1182257
https://bugzilla.suse.com/1182377
https://bugzilla.suse.com/1182378
https://bugzilla.suse.com/1182552
https://bugzilla.suse.com/1182574
https://bugzilla.suse.com/1182591
https://bugzilla.suse.com/1182613
https://bugzilla.suse.com/1182712
https://bugzilla.suse.com/1182713
https://bugzilla.suse.com/1182715
https://bugzilla.suse.com/1182716
https://bugzilla.suse.com/1182717
https://bugzilla.suse.com/1182999
https://bugzilla.suse.com/1183022
https://bugzilla.suse.com/1183048
https://bugzilla.suse.com/1183069
https://bugzilla.suse.com/1183077
https://bugzilla.suse.com/1183095
https://bugzilla.suse.com/1183120
https://bugzilla.suse.com/1183203
https://bugzilla.suse.com/1183249
https://bugzilla.suse.com/1183252
https://bugzilla.suse.com/1183277
https://bugzilla.suse.com/1183278
https://bugzilla.suse.com/1183279
https://bugzilla.suse.com/1183280
https://bugzilla.suse.com/1183281
https://bugzilla.suse.com/1183282
https://bugzilla.suse.com/1183283
https://bugzilla.suse.com/1183284
https://bugzilla.suse.com/1183285
https://bugzilla.suse.com/1183286
https://bugzilla.suse.com/1183287
https://bugzilla.suse.com/1183288
https://bugzilla.suse.com/1183289
https://bugzilla.suse.com/1183310
https://bugzilla.suse.com/1183311
https://bugzilla.suse.com/1183312
https://bugzilla.suse.com/1183313
https://bugzilla.suse.com/1183314
https://bugzilla.suse.com/1183315
https://bugzilla.suse.com/1183316
https://bugzilla.suse.com/1183317
https://bugzilla.suse.com/1183318
https://bugzilla.suse.com/1183319
https://bugzilla.suse.com/1183320
https://bugzilla.suse.com/1183321
https://bugzilla.suse.com/1183322
https://bugzilla.suse.com/1183323
https://bugzilla.suse.com/1183324
https://bugzilla.suse.com/1183325
https://bugzilla.suse.com/1183326
https://bugzilla.suse.com/1183346
https://bugzilla.suse.com/1183366
https://bugzilla.suse.com/1183369
https://bugzilla.suse.com/1183386
https://bugzilla.suse.com/1183405
https://bugzilla.suse.com/1183412
https://bugzilla.suse.com/1183427
https://bugzilla.suse.com/1183428
https://bugzilla.suse.com/1183445
https://bugzilla.suse.com/1183447
https://bugzilla.suse.com/1183491
https://bugzilla.suse.com/1183501
https://bugzilla.suse.com/1183509
https://bugzilla.suse.com/1183530
https://bugzilla.suse.com/1183534
https://bugzilla.suse.com/1183540
https://bugzilla.suse.com/1183593
https://bugzilla.suse.com/1183596
https://bugzilla.suse.com/1183598
https://bugzilla.suse.com/1183637
https://bugzilla.suse.com/1183646
https://bugzilla.suse.com/1183658
https://bugzilla.suse.com/1183662
https://bugzilla.suse.com/1183686
https://bugzilla.suse.com/1183692
https://bugzilla.suse.com/1183696
https://bugzilla.suse.com/1183750
https://bugzilla.suse.com/1183757
https://bugzilla.suse.com/1183775
https://bugzilla.suse.com/1183815
https://bugzilla.suse.com/1183843
https://bugzilla.suse.com/1183859
https://bugzilla.suse.com/1183868
https://bugzilla.suse.com/1183871
https://bugzilla.suse.com/1183873
https://bugzilla.suse.com/1183932
https://bugzilla.suse.com/1183947
https://bugzilla.suse.com/1183976
https://bugzilla.suse.com/1184074
https://bugzilla.suse.com/1184081
https://bugzilla.suse.com/1184082
https://bugzilla.suse.com/1184120
https://bugzilla.suse.com/1184167
https://bugzilla.suse.com/1184168
https://bugzilla.suse.com/1184170
https://bugzilla.suse.com/1184171
https://bugzilla.suse.com/1184176
https://bugzilla.suse.com/1184192
https://bugzilla.suse.com/1184193
https://bugzilla.suse.com/1184194
https://bugzilla.suse.com/1184196
https://bugzilla.suse.com/1184197
https://bugzilla.suse.com/1184198
https://bugzilla.suse.com/1184199
https://bugzilla.suse.com/1184208
https://bugzilla.suse.com/1184209
https://bugzilla.suse.com/1184211
https://bugzilla.suse.com/1184217
https://bugzilla.suse.com/1184218
https://bugzilla.suse.com/1184219
https://bugzilla.suse.com/1184220
https://bugzilla.suse.com/1184224
https://bugzilla.suse.com/1184259
https://bugzilla.suse.com/1184264
https://bugzilla.suse.com/1184386
https://bugzilla.suse.com/1184388
https://bugzilla.suse.com/1184391
https://bugzilla.suse.com/1184393
https://bugzilla.suse.com/1184436
https://bugzilla.suse.com/1184485
https://bugzilla.suse.com/1184509
https://bugzilla.suse.com/1184511
https://bugzilla.suse.com/1184512
https://bugzilla.suse.com/1184514
https://bugzilla.suse.com/1184583
https://bugzilla.suse.com/1184585
https://bugzilla.suse.com/1184611
https://bugzilla.suse.com/1184615
https://bugzilla.suse.com/1184650
https://bugzilla.suse.com/1184710
https://bugzilla.suse.com/1184724
https://bugzilla.suse.com/1184728
https://bugzilla.suse.com/1184730
https://bugzilla.suse.com/1184731
https://bugzilla.suse.com/1184736
https://bugzilla.suse.com/1184737
https://bugzilla.suse.com/1184738
https://bugzilla.suse.com/1184740
https://bugzilla.suse.com/1184741
https://bugzilla.suse.com/1184742
https://bugzilla.suse.com/1184760
https://bugzilla.suse.com/1184769
https://bugzilla.suse.com/1184811
https://bugzilla.suse.com/1184855
https://bugzilla.suse.com/1184893
https://bugzilla.suse.com/1184934
https://bugzilla.suse.com/1184942
https://bugzilla.suse.com/1184943
https://bugzilla.suse.com/1184952
https://bugzilla.suse.com/1184953
https://bugzilla.suse.com/1184955
https://bugzilla.suse.com/1184957
https://bugzilla.suse.com/1184969
https://bugzilla.suse.com/1184984
https://bugzilla.suse.com/1185010
https://bugzilla.suse.com/1185041
https://bugzilla.suse.com/1185110
https://bugzilla.suse.com/1185113
https://bugzilla.suse.com/1185233
https://bugzilla.suse.com/1185269
https://bugzilla.suse.com/1185365
https://bugzilla.suse.com/1185428
https://bugzilla.suse.com/1185454
https://bugzilla.suse.com/1185472
https://bugzilla.suse.com/1185491
https://bugzilla.suse.com/1185495
https://bugzilla.suse.com/1185497
https://bugzilla.suse.com/1185549
https://bugzilla.suse.com/1185550
https://bugzilla.suse.com/1185558
https://bugzilla.suse.com/1185573
https://bugzilla.suse.com/1185581
https://bugzilla.suse.com/1185586
https://bugzilla.suse.com/1185587
https://bugzilla.suse.com/1185589
https://bugzilla.suse.com/1185606
https://bugzilla.suse.com/1185640
https://bugzilla.suse.com/1185641
https://bugzilla.suse.com/1185642
https://bugzilla.suse.com/1185645
https://bugzilla.suse.com/1185670
https://bugzilla.suse.com/1185677
https://bugzilla.suse.com/1185680
https://bugzilla.suse.com/1185703 https://bugzilla.suse.com/1185725 https://bugzilla.suse.com/1185736 https://bugzilla.suse.com/1185758 https://bugzilla.suse.com/1185796 https://bugzilla.suse.com/1185840 https://bugzilla.suse.com/1185857 https://bugzilla.suse.com/1185859 https://bugzilla.suse.com/1185860 https://bugzilla.suse.com/1185861 https://bugzilla.suse.com/1185862 https://bugzilla.suse.com/1185863 https://bugzilla.suse.com/1185898 https://bugzilla.suse.com/1185899 https://bugzilla.suse.com/1185911 https://bugzilla.suse.com/1185938 https://bugzilla.suse.com/1185950 https://bugzilla.suse.com/1185954 https://bugzilla.suse.com/1185980 https://bugzilla.suse.com/1185982 https://bugzilla.suse.com/1185987 https://bugzilla.suse.com/1185988 https://bugzilla.suse.com/1186009 https://bugzilla.suse.com/1186060 https://bugzilla.suse.com/1186061 https://bugzilla.suse.com/1186062 https://bugzilla.suse.com/1186111 https://bugzilla.suse.com/1186118 https://bugzilla.suse.com/1186219 https://bugzilla.suse.com/1186285 https://bugzilla.suse.com/1186320 https://bugzilla.suse.com/1186349 https://bugzilla.suse.com/1186352 https://bugzilla.suse.com/1186353 https://bugzilla.suse.com/1186354 https://bugzilla.suse.com/1186355 https://bugzilla.suse.com/1186356 https://bugzilla.suse.com/1186357 https://bugzilla.suse.com/1186390 https://bugzilla.suse.com/1186401 https://bugzilla.suse.com/1186408 https://bugzilla.suse.com/1186416 https://bugzilla.suse.com/1186439 https://bugzilla.suse.com/1186441 https://bugzilla.suse.com/1186451 https://bugzilla.suse.com/1186460 https://bugzilla.suse.com/1186467 https://bugzilla.suse.com/1186479 https://bugzilla.suse.com/1186484 https://bugzilla.suse.com/1186498 https://bugzilla.suse.com/1186501 https://bugzilla.suse.com/1186512 https://bugzilla.suse.com/1186573 https://bugzilla.suse.com/1186681 From sle-security-updates at lists.suse.com Tue Jun 15 16:56:26 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: 
Tue, 15 Jun 2021 18:56:26 +0200 (CEST)
Subject: SUSE-SU-2021:1979-1: important: Security update for snakeyaml
Message-ID: <20210615165626.9AC4DFD84@maintenance.suse.de>

SUSE Security Update: Security update for snakeyaml
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1979-1
Rating: important
References: #1159488 #1186088
Cross-References: CVE-2017-18640
CVSS scores:
  CVE-2017-18640 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2017-18640 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  SUSE Linux Enterprise Module for SUSE Manager Server 4.1
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for snakeyaml fixes the following issues:

- Upgrade to 1.28
- CVE-2017-18640: The Alias feature allows entity expansion during a load operation (bsc#1159488, bsc#1186088)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.1:

  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-1979=1

Package List:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):

  snakeyaml-1.28-12.3.1

References:

https://www.suse.com/security/cve/CVE-2017-18640.html
https://bugzilla.suse.com/1159488
https://bugzilla.suse.com/1186088

From sle-security-updates at lists.suse.com Tue Jun 15 17:02:36 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 15 Jun 2021 19:02:36 +0200 (CEST)
Subject: SUSE-SU-2021:14748-1: important: Security update for xorg-x11-libX11
Message-ID: <20210615170236.EE8B0FD84@maintenance.suse.de>

SUSE Security Update: Security update for xorg-x11-libX11
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:14748-1
Rating: important
References: #1186643
Cross-References: CVE-2021-31535
CVSS scores:
  CVE-2021-31535 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-31535 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  SUSE Linux Enterprise Server 11-SP4-LTSS
  SUSE Linux Enterprise Point of Sale 11-SP3
  SUSE Linux Enterprise Debuginfo 11-SP4
  SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for xorg-x11-libX11 fixes the following issues:

- Regression in the fix for CVE-2021-31535, causing segfaults for xforms applications like fdesign (bsc#1186643).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:

  zypper in -t patch slessp4-xorg-x11-libX11-14748=1

- SUSE Linux Enterprise Point of Sale 11-SP3:

  zypper in -t patch sleposp3-xorg-x11-libX11-14748=1

- SUSE Linux Enterprise Debuginfo 11-SP4:

  zypper in -t patch dbgsp4-xorg-x11-libX11-14748=1

- SUSE Linux Enterprise Debuginfo 11-SP3:

  zypper in -t patch dbgsp3-xorg-x11-libX11-14748=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):

  xorg-x11-libX11-7.4-5.11.72.27.1

- SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64):

  xorg-x11-libX11-32bit-7.4-5.11.72.27.1

- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

  xorg-x11-libX11-7.4-5.11.72.27.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):

  xorg-x11-libX11-debuginfo-7.4-5.11.72.27.1
  xorg-x11-libX11-debugsource-7.4-5.11.72.27.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

  xorg-x11-libX11-debuginfo-7.4-5.11.72.27.1
  xorg-x11-libX11-debugsource-7.4-5.11.72.27.1

References:

https://www.suse.com/security/cve/CVE-2021-31535.html
https://bugzilla.suse.com/1186643

From sle-security-updates at lists.suse.com Tue Jun 15 17:04:26 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 15 Jun 2021 19:04:26 +0200 (CEST)
Subject: SUSE-SU-2021:1977-1: important: Security update for the Linux Kernel
Message-ID: <20210615170426.15721FD84@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1977-1
Rating: important
References: #1055117 #1065729 #1087082 #1113295 #1133021 #1152457
  #1152472 #1152489 #1153274 #1154353 #1155518 #1156395
  #1160634 #1164648 #1167260 #1167574 #1167773 #1168777
  #1168838 #1169709 #1171295 #1173485 #1174416 #1174426
  #1175995 #1176447 #1176774 #1177028 #1177326 #1177666
  #1178089 #1178134 #1178163
#1178330 #1178378 #1178418 #1179243 #1179519 #1179825 #1179827 #1179851 #1180197 #1180814 #1180846 #1181104 #1181383 #1181507 #1181674 #1181862 #1182077 #1182257 #1182377 #1182552 #1182574 #1182613 #1182712 #1182715 #1182717 #1182999 #1183022 #1183069 #1183252 #1183277 #1183278 #1183279 #1183280 #1183281 #1183282 #1183283 #1183284 #1183285 #1183286 #1183287 #1183288 #1183289 #1183310 #1183311 #1183312 #1183313 #1183314 #1183315 #1183316 #1183317 #1183318 #1183319 #1183320 #1183321 #1183322 #1183323 #1183324 #1183326 #1183346 #1183366 #1183369 #1183386 #1183405 #1183412 #1183427 #1183428 #1183445 #1183447 #1183491 #1183501 #1183509 #1183530 #1183534 #1183540 #1183593 #1183596 #1183598 #1183637 #1183646 #1183658 #1183662 #1183686 #1183692 #1183750 #1183757 #1183775 #1183815 #1183868 #1183871 #1183873 #1183947 #1183976 #1184074 #1184081 #1184082 #1184120 #1184167 #1184168 #1184170 #1184171 #1184192 #1184193 #1184194 #1184196 #1184197 #1184198 #1184199 #1184208 #1184209 #1184211 #1184217 #1184218 #1184219 #1184220 #1184224 #1184264 #1184386 #1184388 #1184391 #1184393 #1184436 #1184485 #1184514 #1184585 #1184611 #1184615 #1184650 #1184710 #1184724 #1184728 #1184730 #1184731 #1184736 #1184737 #1184738 #1184740 #1184741 #1184742 #1184769 #1184811 #1184855 #1184934 #1184942 #1184943 #1184955 #1184969 #1184984 #1185010 #1185113 #1185233 #1185269 #1185428 #1185491 #1185495 #1185549 #1185550 #1185558 #1185573 #1185581 #1185586 #1185587 #1185606 #1185640 #1185641 #1185642 #1185645 #1185670 #1185680 #1185703 #1185725 #1185736 #1185758 #1185796 #1185840 #1185857 #1185898 #1185899 #1185911 #1185938 #1185950 #1185980 #1185988 #1186009 #1186061 #1186111 #1186118 #1186219 #1186285 #1186320 #1186349 #1186352 #1186353 #1186354 #1186355 #1186356 #1186357 #1186401 #1186408 #1186439 #1186441 #1186479 #1186484 #1186498 #1186501 #1186512 #1186681 Cross-References: CVE-2019-18814 CVE-2019-19769 CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-25670 CVE-2020-25671 CVE-2020-25672 
CVE-2020-25673 CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2020-27170 CVE-2020-27171 CVE-2020-27673 CVE-2020-27815 CVE-2020-35519 CVE-2020-36310 CVE-2020-36311 CVE-2020-36312 CVE-2020-36322 CVE-2021-20268 CVE-2021-23134 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-28038 CVE-2021-28375 CVE-2021-28660 CVE-2021-28688 CVE-2021-28950 CVE-2021-28952 CVE-2021-28964 CVE-2021-28971 CVE-2021-28972 CVE-2021-29154 CVE-2021-29155 CVE-2021-29264 CVE-2021-29265 CVE-2021-29647 CVE-2021-29650 CVE-2021-30002 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVE-2021-3428 CVE-2021-3444 CVE-2021-3483 CVE-2021-3489 CVE-2021-3490 CVE-2021-3491 CVSS scores: CVE-2019-18814 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-18814 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2019-19769 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2019-19769 (SUSE): 5.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H CVE-2020-24586 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-24586 (SUSE): 4.7 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N CVE-2020-24587 (NVD) : 2.6 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-24587 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-24588 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2020-24588 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2020-25670 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25671 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-25671 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25672 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-25672 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25673 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-25673 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVE-2020-26139 (NVD) : 5.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-26139 (SUSE): 4.3 
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-26141 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26145 (SUSE): 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26147 (NVD) : 5.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N CVE-2020-27170 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-27170 (SUSE): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-27171 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2020-27171 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2020-27673 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-27673 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-27815 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-27815 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-35519 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-35519 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-36310 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-36310 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-36311 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-36311 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2020-36312 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-36312 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2020-36322 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2021-20268 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-20268 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27363 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L CVE-2021-27363 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27364 
(SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2021-27365 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-27365 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28038 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28038 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28375 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28375 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-28660 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28660 (SUSE): 8 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-28688 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28688 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28950 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28952 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28964 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28971 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28972 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28972 (SUSE): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2021-29154 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29154 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29155 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-29155 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-29264 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-29265 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-29265 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-29647 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-29650 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-29650 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-30002 (NVD) : 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 
CVE-2021-30002 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33200 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3428 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2021-3444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3483 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3483 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H CVE-2021-3489 (NVD) : 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-3489 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3490 (NVD) : 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-3490 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3491 (NVD) : 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-3491 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP3 SUSE Linux Enterprise Module for Live Patching 15-SP3 SUSE Linux Enterprise Module for Legacy Software 15-SP3 SUSE Linux Enterprise Module for Development Tools 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise High Availability 15-SP3 ______________________________________________________________________________ An update that solves 52 vulnerabilities and has 187 fixes is now available. Description: The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes. 
The following security bugs were fixed:

- CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values. (bsc#1186111)
- CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
- CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
- CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
- CVE-2020-24588: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (bnc#1185861)
- CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
- CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
- CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)
- CVE-2021-29650: Fixed an issue with the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
- CVE-2021-29155: Fixed an issue that was discovered in kernel/bpf/verifier.c that performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation was not correctly accounted for when restricting subsequent operations (bnc#1184942).
- CVE-2021-3444: Fixed an issue with the bpf verifier which did not properly handle mod32 destination register truncation when the source register was known to be 0 leading to out of bounds read (bsc#1184170).
- CVE-2021-3428: Fixed an integer overflow in ext4_es_cache_extent (bsc#1173485).
- CVE-2021-29647: Fixed an issue in qrtr_recvmsg which could have allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bsc#1184192).
- CVE-2021-29265: Fixed an issue in usbip_sockfd_store which could have allowed attackers to cause a denial of service due to race conditions during an update of the local and shared status (bsc#1184167).
- CVE-2021-29264: Fixed an issue in the Freescale Gianfar Ethernet driver which could have allowed attackers to cause a system crash due to a calculation of negative fragment size (bsc#1184168).
- CVE-2021-28972: Fixed a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly (bsc#1184198).
- CVE-2021-28971: Fixed an issue in intel_pmu_drain_pebs_nhm which could have caused a system crash because the PEBS status in a PEBS record was mishandled (bsc#1184196).
- CVE-2021-28964: Fixed a race condition in get_old_root which could have allowed attackers to cause a denial of service (bsc#1184193).
- CVE-2021-28688: Fixed an issue introduced by XSA-365 (bsc#1183646).
- CVE-2021-28660: Fixed an out of bounds write in rtw_wx_set_scan (bsc#1183593).
- CVE-2021-28375: Fixed an issue in fastrpc_internal_invoke which did not prevent user applications from sending kernel RPC messages (bsc#1183596).
- CVE-2021-28038: Fixed an issue with the netback driver which was lacking necessary treatment of errors such as failed memory allocations (bsc#1183022).
- CVE-2021-27365: Fixed an issue where an unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bsc#1182715).
- CVE-2021-27364: Fixed an issue where an attacker could craft Netlink messages (bsc#1182717).
- CVE-2021-27363: Fixed a kernel pointer leak which could have been used to determine the address of the iscsi_transport structure (bsc#1182716).
- CVE-2020-35519: Fixed an out-of-bounds memory access in x25_bind (bsc#1183696).
- CVE-2020-27815: Fixed an issue in the JFS filesystem which could have allowed an attacker to execute code (bsc#1179454).
- CVE-2020-27171: Fixed an off-by-one error affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183775).
- CVE-2020-27170: Fixed potential side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bsc#1183686).
- CVE-2019-19769: Fixed a use-after-free in the perf_trace_lock_acquire function (bsc#1159280).
- CVE-2019-18814: Fixed a use-after-free when aa_label_parse() fails in aa_audit_rule_init() (bsc#1156256).
- CVE-2021-3483: Fixed a use-after-free in nosy.c (bsc#1184393).
- CVE-2021-30002: Fixed a memory leak for large arguments in video_usercopy (bsc#1184120).
- CVE-2021-29154: Fixed incorrect computation of branch displacements, allowing arbitrary code execution (bsc#1184391).
- CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h due to a retry loop that was continually finding the same bad inode (bsc#1184194).
- CVE-2021-28952: Fixed a buffer overflow in the soundwire device driver, triggered when an unexpected port ID number is encountered. (bnc#1184197).
- CVE-2021-20268: Fixed an out-of-bounds access flaw in the implementation of the eBPF code verifier. This flaw allowed a local user to crash the system or possibly escalate their privileges. (bnc#1183077)
- CVE-2020-27673: Fixed a vulnerability with xen, where guest OS users could cause a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411).
- CVE-2020-36312: Fixed a memory leak upon a kmalloc failure (bsc#1184509).
- CVE-2020-36311: Fixed a denial of service (soft lockup) by triggering destruction of a large SEV VM (bsc#1184511).
- CVE-2020-36310: Fixed infinite loop for certain nested page faults (bsc#1184512).
- CVE-2021-3489: Fixed an issue where the eBPF RINGBUF bpf_ringbuf_reserve did not check that the allocated size was smaller than the ringbuf size (bnc#1185640).
- CVE-2021-3490: Fixed an issue where the eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) did not update the 32-bit bounds (bnc#1185641 bnc#1185796).
- CVE-2020-36322: Fixed an issue in the FUSE filesystem implementation which could have caused a system crash (bsc#1184211).
- CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673: Fixed multiple bugs in NFC subsystem (bsc#1178181).

The following non-security bugs were fixed:

- ACPI / hotplug / PCI: Fix reference count leak in enable_slot() (git-fixes).
- ACPI / idle: override c-state latency when not in conformance with s0ix (bsc#1185840).
- ACPI: CPPC: Replace cppc_attr with kobj_attribute (git-fixes).
- ACPI: GTDT: Do not corrupt interrupt mappings on watchdow probe failure (git-fixes).
- ACPI: PM: Add ACPI ID of Alder Lake Fan (git-fixes).
- ACPI: PM: s2idle: Add AMD support to handle _DSM (bsc#1185840).
- ACPI: PM: s2idle: Add missing LPS0 functions for AMD (bsc#1185840).
- ACPI: PM: s2idle: Drop unused local variables and related code (bsc#1185840).
- ACPI: PM: s2idle: Move x86-specific code to the x86 directory (bsc#1185840).
- ACPI: custom_method: fix a possible memory leak (git-fixes).
- ACPI: custom_method: fix potential use-after-free issue (git-fixes).
- ACPI: processor: Fix CPU0 wakeup in acpi_idle_play_dead() (git-fixes).
- ACPI: processor: Fix build when CONFIG_ACPI_PROCESSOR=m (git-fixes). - ACPI: scan: Rearrange memory allocation in acpi_device_add() (git-fixes). - ACPI: video: Add DMI quirk for GIGABYTE GB-BXBT-2807 (git-fixes). - ACPI: video: Add missing callback back for Sony VPCEH3U1E (git-fixes). - ACPICA: Always create namespace nodes using acpi_ns_create_node() (git-fixes). - ACPICA: Enable sleep button on ACPI legacy wake (bsc#1181383). - ACPICA: Fix race in generic_serial_bus (I2C) and GPIO op_region parameter handling (git-fixes). - ALSA: Convert strlcpy to strscpy when return value is unused (git-fixes). - ALSA: aloop: Fix initialization of controls (git-fixes). - ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro (git-fixes). - ALSA: bebob: enable to deliver MIDI messages for multiple ports (git-fixes). - ALSA: core: remove redundant spin_lock pair in snd_card_disconnect (git-fixes). - ALSA: dice: fix null pointer dereference when node is disconnected (git-fixes). - ALSA: dice: fix stream format at middle sampling rate for Alesis iO 26 (git-fixes). - ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency (git-fixes). - ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer (git-fixes). - ALSA: firewire-lib: fix amdtp_packet tracepoints event for packet_index field (git-fixes). - ALSA: firewire-lib: fix calculation for size of IR context payload (git-fixes). - ALSA: firewire-lib: fix check for the size of isochronous packet payload (git-fixes). - ALSA: hda/ca0132: Add Sound BlasterX AE-5 Plus support (git-fixes). - ALSA: hda/cirrus: Add Headphone and Headset MIC Volume Control (git-fixes). - ALSA: hda/cirrus: Add error handling into CS8409 I2C functions (git-fixes). - ALSA: hda/cirrus: Add jack detect interrupt support from CS42L42 companion codec (git-fixes). - ALSA: hda/cirrus: Add support for CS8409 HDA bridge and CS42L42 companion codec (git-fixes). - ALSA: hda/cirrus: Cleanup patch_cirrus.c code (git-fixes). 
- ALSA: hda/cirrus: Fix CS42L42 Headset Mic volume control name (git-fixes). - ALSA: hda/cirrus: Make CS8409 driver more generic by using fixups (git-fixes). - ALSA: hda/cirrus: Set Initial DMIC volume for Bullseye to -26 dB (git-fixes). - ALSA: hda/cirrus: Use CS8409 filter to fix abnormal sounds on Bullseye (git-fixes). - ALSA: hda/conexant: Add quirk for mute LED control on HP ZBook G5 (git-fixes). - ALSA: hda/conexant: Apply quirk for another HP ZBook G5 model (git-fixes). - ALSA: hda/conexant: Re-order CX5066 quirk table entries (git-fixes). - ALSA: hda/conexant: Re-order CX5066 quirk table entries (git-fixes). - ALSA: hda/hdmi: Cancel pending works before suspend (bsc#1182377). - ALSA: hda/hdmi: Cancel pending works before suspend (git-fixes). - ALSA: hda/hdmi: fix race in handling acomp ELD notification at resume (git-fixes). - ALSA: hda/realtek - Headset Mic issue on HP platform (git-fixes). - ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is unreachable (git-fixes). - ALSA: hda/realtek: Add fixup for HP OMEN laptop (git-fixes). - ALSA: hda/realtek: Add fixup for HP Spectre x360 15-df0xxx (git-fixes). - ALSA: hda/realtek: Add quirk for Intel Clevo PCx0Dx (git-fixes). - ALSA: hda/realtek: Add quirk for Lenovo Ideapad S740 (git-fixes). - ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293 (git-fixes). - ALSA: hda/realtek: Apply headset-mic quirks for Xiaomi Redmibook Air (git-fixes). - ALSA: hda/realtek: Chain in pop reduction fixup for ThinkStation P340 (git-fixes). - ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on EliteBook 845 G8 (git-fixes). - ALSA: hda/realtek: Fix silent headphone output on ASUS UX430UA (git-fixes). - ALSA: hda/realtek: Fix speaker amp on HP Envy AiO 32 (git-fixes). - ALSA: hda/realtek: Fix speaker amp setup on Acer Aspire E1 (git-fixes). - ALSA: hda/realtek: GA503 use same quirks as GA401 (git-fixes). - ALSA: hda/realtek: Headphone volume is controlled by Front mixer (git-fixes). 
- ALSA: hda/realtek: Re-order ALC269 ASUS quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Acer quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Dell quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 HP quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC269 Sony quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC662 quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC882 Acer quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC882 Clevo quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries (git-fixes). - ALSA: hda/realtek: Re-order remaining ALC269 quirk table entries (git-fixes). - ALSA: hda/realtek: Remove redundant entry for ALC861 Haier/Uniwill devices (git-fixes). - ALSA: hda/realtek: apply pin quirk for XiaomiNotebook Pro (git-fixes). - ALSA: hda/realtek: call alc_update_headset_mode() in hp_automute_hook (git-fixes). - ALSA: hda/realtek: fix a determine_headset_type issue for a Dell AIO (git-fixes). - ALSA: hda/realtek: fix mic boost on Intel NUC 8 (git-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Zbook Fury 15 G8 (git-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Zbook Fury 17 G8 (git-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Zbook G8 (git-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs for HP 440 G8 (git-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs for HP 640 G8 (git-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs for HP 840 G8 (git-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs for HP 850 G8 (git-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs for HP 855 G8 (git-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 445 G7 (git-fixes). - ALSA: hda/realtek: fix static noise on ALC285 Lenovo laptops (git-fixes). 
- ALSA: hda/realtek: reset eapd coeff to default value for alc287 (git-fixes). - ALSA: hda/realtek: the bass speaker can't output sound on Yoga 9i (git-fixes). - ALSA: hda: Add missing sanity checks in PM prepare/complete callbacks (git-fixes). - ALSA: hda: Avoid spurious unsol event handling during S3/S4 (bsc#1182377). - ALSA: hda: Avoid spurious unsol event handling during S3/S4 (git-fixes). - ALSA: hda: Drop the BATCH workaround for AMD controllers (git-fixes). - ALSA: hda: Flush pending unsolicited events before suspend (bsc#1182377). - ALSA: hda: Re-add dropped snd_poewr_change_state() calls (git-fixes). - ALSA: hda: fixup headset for ASUS GU502 laptop (git-fixes). - ALSA: hda: fixup headset for ASUS GU502 laptop (git-fixes). - ALSA: hda: generic: Fix the micmute led init state (git-fixes). - ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP (git-fixes). - ALSA: hda: ignore invalid NHLT table (git-fixes). - ALSA: hdsp: do not disable if not enabled (git-fixes). - ALSA: hdspm: do not disable if not enabled (git-fixes). - ALSA: intel8x0: Do not update period unless prepared (git-fixes). - ALSA: line6: Fix racy initialization of LINE6 MIDI (git-fixes). - ALSA: rme9652: do not disable if not enabled (git-fixes). - ALSA: sb: Fix two use after free in snd_sb_qsound_build (git-fixes). - ALSA: usb-audio: Add DJM-450 to the quirks table (git-fixes). - ALSA: usb-audio: Add DJM450 to Pioneer format quirk (git-fixes). - ALSA: usb-audio: Add DJM450 to Pioneer format quirk (git-fixes). - ALSA: usb-audio: Add DJM750 to Pioneer mixer quirk (git-fixes). - ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX (git-fixes). - ALSA: usb-audio: Add Pioneer DJM-850 to quirks-table (git-fixes). - ALSA: usb-audio: Add dB range mapping for Sennheiser Communications Headset PC 8 (git-fixes). - ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls (git-fixes). - ALSA: usb-audio: Add implicit feeback support for the BOSS GT-1 (git-fixes). 
- ALSA: usb-audio: Add support for Pioneer DJM-750 (git-fixes).
- ALSA: usb-audio: Add support for many Roland devices' implicit feedback quirks (git-fixes).
- ALSA: usb-audio: Apply implicit feedback mode for BOSS devices (git-fixes).
- ALSA: usb-audio: Apply sample rate quirk to Logitech Connect (git-fixes).
- ALSA: usb-audio: Carve out connector value checking into a helper (git-fixes).
- ALSA: usb-audio: Check connector value on resume (git-fixes).
- ALSA: usb-audio: Configure Pioneer DJM-850 samplerate (git-fixes).
- ALSA: usb-audio: Convert remaining strlcpy() to strscpy() (git-fixes).
- ALSA: usb-audio: Convert the last strlcpy() usage (git-fixes).
- ALSA: usb-audio: DJM-750: ensure format is set (git-fixes).
- ALSA: usb-audio: Declare Pioneer DJM-850 mixer controls (git-fixes).
- ALSA: usb-audio: Drop implicit fb quirk entries dubbed for capture (git-fixes).
- ALSA: usb-audio: Explicitly set up the clock selector (git-fixes).
- ALSA: usb-audio: Fix "RANGE setting not yet supported" errors (git-fixes).
- ALSA: usb-audio: Fix Pioneer DJM devices URB_CONTROL request direction to set samplerate (git-fixes).
- ALSA: usb-audio: Fix Pioneer DJM devices URB_CONTROL request direction to set samplerate (git-fixes).
- ALSA: usb-audio: Fix implicit sync clearance at stopping stream (git-fixes).
- ALSA: usb-audio: Fix potential out-of-bounce access in MIDI EP parser (git-fixes).
- ALSA: usb-audio: Fix unintentional sign extension issue (git-fixes).
- ALSA: usb-audio: Generic application of implicit fb to Roland/BOSS devices (git-fixes).
- ALSA: usb-audio: Re-apply implicit feedback mode to Pioneer devices (git-fixes).
- ALSA: usb-audio: Remove redundant assignment to len (git-fixes).
- ALSA: usb-audio: Skip probe of UA-101 devices (git-fixes).
- ALSA: usb-audio: Skip the clock selector inquiry for single connections (git-fixes).
- ALSA: usb-audio: Validate MS endpoint descriptors (git-fixes).
- ALSA: usb-audio: add mixer quirks for Pioneer DJM-900NXS2 (git-fixes).
- ALSA: usb-audio: fix NULL ptr dereference in usb_audio_probe (bsc#1182552).
- ALSA: usb-audio: fix Pioneer DJM-850 control label info (git-fixes).
- ALSA: usb-audio: fix control-request direction (git-fixes).
- ALSA: usb-audio: fix use after free in usb_audio_disconnect (bsc#1182552).
- ALSA: usb-audio: generate midi streaming substream names from jack names (git-fixes).
- ALSA: usb-audio: scarlett2: Fix device hang with ehci-pci (git-fixes).
- ALSA: usb-audio: scarlett2: Improve driver startup messages (git-fixes).
- ALSA: usb-audio: scarlett2: snd_scarlett_gen2_controls_create() can be static (git-fixes).
- ALSA: usb-audio: use usb headers rather than define structs locally (git-fixes).
- ALSA: usb: Use DIV_ROUND_UP() instead of open-coding it (git-fixes).
- ALSA: usb: midi: do not return -ENOMEM when usb_urb_ep_type_check fails (git-fixes).
- ASoC: Intel: Add DMI quirk table to soc_intel_is_byt_cr() (git-fixes).
- ASoC: Intel: boards: sof-wm8804: add check for PLL setting (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for ARCHOS Cesium 140 (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for the Acer One S1002 tablet (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for the Estar Beauty HD MID 7316R tablet (git-fixes).
- ASoC: Intel: bytcr_rt5640: Add quirk for the Voyo Winpad A15 tablet (git-fixes).
- ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF (git-fixes).
- ASoC: Intel: bytcr_rt5640: Fix HP Pavilion x2 10-p0XX OVCD current threshold (git-fixes).
- ASoC: Intel: bytcr_rt5651: Add quirk for the Jumper EZpad 7 tablet (git-fixes).
- ASoC: Intel: kbl_da7219_max98927: Fix kabylake_ssp_fixup function (git-fixes).
- ASoC: Intel: sof_sdw: add quirk for HP Spectre x360 convertible (git-fixes).
- ASoC: Intel: sof_sdw: add quirk for new ADL-P Rvp (git-fixes).
- ASoC: Intel: sof_sdw: reorganize quirks by generation (git-fixes).
- ASoC: SOF: Intel: HDA: fix core status verification (git-fixes).
- ASoC: SOF: Intel: HDA: fix core status verification (git-fixes).
- ASoC: SOF: Intel: hda: remove unnecessary parentheses (git-fixes).
- ASoC: SOF: Intel: unregister DMIC device on probe error (git-fixes).
- ASoC: SOF: intel: fix wrong poll bits in dsp power down (git-fixes).
- ASoC: ak4458: Add MODULE_DEVICE_TABLE (git-fixes).
- ASoC: ak5558: Add MODULE_DEVICE_TABLE (git-fixes).
- ASoC: ak5558: Fix s/show/slow/ typo (git-fixes).
- ASoC: ak5558: correct reset polarity (git-fixes).
- ASoC: codecs: wcd934x: add a sanity check in set channel map (git-fixes).
- ASoC: cs35l33: fix an error code in probe() (git-fixes).
- ASoC: cs42l42: Always wait at least 3ms after reset (git-fixes).
- ASoC: cs42l42: Do not enable/disable regulator at Bias Level (git-fixes).
- ASoC: cs42l42: Fix Bitclock polarity inversion (git-fixes).
- ASoC: cs42l42: Fix channel width support (git-fixes).
- ASoC: cs42l42: Fix mixer volume control (git-fixes).
- ASoC: cs42l42: Regmap must use_single_read/write (git-fixes).
- ASoC: cygnus: fix for_each_child.cocci warnings (git-fixes).
- ASoC: es8316: Simplify adc_pga_gain_tlv table (git-fixes).
- ASoC: fsl_esai: Fix TDM slot setup for I2S mode (git-fixes).
- ASoC: fsl_ssi: Fix TDM slot setup for I2S mode (git-fixes).
- ASoC: intel: atom: Remove 44100 sample-rate from the media and deep-buffer DAI descriptions (git-fixes).
- ASoC: intel: atom: Stop advertising non working S24LE support (git-fixes).
- ASoC: max98373: Added 30ms turn on/off time delay (git-fixes).
- ASoC: max98373: Changed amp shutdown register as volatile (git-fixes).
- ASoC: qcom: lpass-cpu: Fix lpass dai ids parse (git-fixes).
- ASoC: qcom: sdm845: Fix array out of bounds access (git-fixes).
- ASoC: qcom: sdm845: Fix array out of range on rx slim channels (git-fixes).
- ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() (git-fixes).
- ASoC: rsnd: check all BUSIF status when error (git-fixes).
- ASoC: rsnd: core: Check convert rate in rsnd_hw_params (git-fixes).
- ASoC: rt1015: fix i2c communication error (git-fixes).
- ASoC: rt286: Generalize support for ALC3263 codec (git-fixes).
- ASoC: rt286: Make RT286_SET_GPIO_* readable and writable (git-fixes).
- ASoC: rt5640: Fix dac- and adc- vol-tlv values being off by a factor of 10 (git-fixes).
- ASoC: rt5651: Fix dac- and adc- vol-tlv values being off by a factor of 10 (git-fixes).
- ASoC: rt5659: Update MCLK rate in set_sysclk() (git-fixes).
- ASoC: rt5670: Add a quirk for the Dell Venue 10 Pro 5055 (git-fixes).
- ASoC: rt5670: Add emulated 'DAC1 Playback Switch' control (git-fixes).
- ASoC: rt5670: Remove 'HP Playback Switch' control (git-fixes).
- ASoC: rt5670: Remove 'OUT Channel Switch' control (git-fixes).
- ASoC: rt5670: Remove ADC vol-ctrl mute bits poking from Sto1 ADC mixer settings (git-fixes).
- ASoC: rt711: add snd_soc_component remove callback (git-fixes).
- ASoC: samsung: snow: remove useless test (git-fixes).
- ASoC: samsung: tm2_wm5110: check of of_parse return value (git-fixes).
- ASoC: sgtl5000: set DAP_AVC_CTRL register to correct default value on probe (git-fixes).
- ASoC: simple-card-utils: Do not handle device clock (git-fixes).
- ASoC: simple-card: fix possible uninitialized single_cpu local variable (git-fixes).
- ASoC: soc-core kABI workaround (git-fixes).
- ASoC: soc-core: Prevent warning if no DMI table is present (git-fixes).
- ASoC: sunxi: sun4i-codec: fill ASoC card owner (git-fixes).
- ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled for some chips (git-fixes).
- ASoC: wm8960: Remove bitclk relax condition in wm8960_configure_sysclk (git-fixes).
- Bluetooth: Fix incorrect status handling in LE PHY UPDATE event (git-fixes).
- Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data (git-fixes).
- Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS (git-fixes).
- Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes).
- Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default (git-fixes).
- Bluetooth: avoid deadlock between hci_dev->lock and socket lock (git-fixes).
- Bluetooth: btqca: Add valid le states quirk (git-fixes).
- Bluetooth: btusb: Enable quirk boolean flag for Mediatek Chip (git-fixes).
- Bluetooth: check for zapped sk before connecting (git-fixes).
- Bluetooth: hci_h5: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERY for btrtl (git-fixes).
- Bluetooth: initialize skb_queue_head at l2cap_chan_create() (git-fixes).
- Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2 VM (git-fixes).
- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725).
- Drivers: hv: vmbus: Use after free in __vmbus_open() (git-fixes).
- EDAC/amd64: Check for memory before fully initializing an instance (bsc#1183815).
- EDAC/amd64: Get rid of the ECC disabled long message (bsc#1183815).
- EDAC/amd64: Use cached data when checking for ECC (bsc#1183815).
- Goodix Fingerprint device is not a modem (git-fixes).
- HID: alps: fix error return code in alps_input_configured() (git-fixes).
- HID: google: add don USB id (git-fixes).
- HID: i2c-hid: Add I2C_HID_QUIRK_NO_IRQ_AFTER_RESET for ITE8568 EC on Voyo Winpad A15 (git-fixes).
- HID: mf: add support for 0079:1846 Mayflash/Dragonrise USB Gamecube Adapter (git-fixes).
- HID: plantronics: Workaround for double volume key presses (git-fixes).
- HID: wacom: Assign boolean values to a bool variable (git-fixes).
- HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices (git-fixes).
- HSI: Fix PM usage counter unbalance in ssi_hw_init (git-fixes).
- IB/hfi1: Fix probe time panic when AIP is enabled with a buggy BIOS (jsc#SLE-13208).
- IB/hfi1: Rework AIP and VNIC dummy netdev usage (jsc#SLE-13208).
- Input: applespi - do not wait for responses to commands indefinitely (git-fixes).
- Input: elantech - fix protocol errors for some trackpoints in SMBus mode (git-fixes).
- Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices (git-fixes).
- Input: i8042 - fix Pegatron C15B ID entry (git-fixes).
- Input: nspire-keypad - enable interrupts only when opened (git-fixes).
- Input: s6sy761 - fix coordinate read bit shift (git-fixes).
- Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state (git-fixes).
- KEYS: trusted: Fix TPM reservation for seal/unseal (git-fixes).
- KEYS: trusted: Fix memory leak on object td (git-fixes).
- KVM x86: Extend AMD specific guest behavior to Hygon virtual CPUs (bsc#1183447).
- KVM: PPC: Book3S HV P9: Restore host CTRL SPR after guest exit (bsc#1156395).
- KVM: PPC: Make the VMX instruction emulation routines static (bsc#1156395).
- KVM: SVM: Clear the CR4 register on reset (bsc#1183252).
- KVM: kvmclock: Fix vCPUs > 64 can't be online/hotpluged (bsc#1152489).
- KVM: nVMX: Properly handle userspace interrupt window request (bsc#1183427).
- KVM: s390: fix guarded storage control register handling (bsc#1133021).
- KVM: x86: Add helpers to perform CPUID-based guest vendor check (bsc#1183445).
- KVM: x86: Allow guests to see MSR_IA32_TSX_CTRL even if tsx=off (bsc#1183287).
- KVM: x86: Allow guests to see MSR_IA32_TSX_CTRL even if tsx=off (bsc#1183323).
- KVM: x86: Expose XSAVEERPTR to the guest (jsc#SLE-13573).
- KVM: x86: Return -E2BIG when KVM_GET_SUPPORTED_CPUID hits max entries (bsc#1183428).
- KVM: x86: Set so called 'reserved CR3 bits in LM mask' at vCPU reset (bsc#1183288).
- KVM: x86: Set so called 'reserved CR3 bits in LM mask' at vCPU reset (bsc#1183324).
- KVM: x86: do not reset microcode version on INIT or RESET (bsc#1183412).
- KVM: x86: list MSR_IA32_UCODE_REV as an emulated MSR (bsc#1183369).
- NFC: nci: fix memory leak in nci_allocate_device (git-fixes).
- PCI/AER: Add RCEC AER error injection support (bsc#1174426).
- PCI/AER: Add pcie_walk_rcec() to RCEC AER handling (bsc#1174426).
- PCI/AER: Clear AER status from Root Port when resetting Downstream Port (bsc#1174426).
- PCI/AER: Specify the type of Port that was reset (bsc#1174426).
- PCI/AER: Use "aer" variable for capability offset (bsc#1174426).
- PCI/AER: Write AER Capability only when we control it (bsc#1174426).
- PCI/ERR: Add pci_walk_bridge() to pcie_do_recovery() (bsc#1174426).
- PCI/ERR: Add pcie_link_rcec() to associate RCiEPs (bsc#1174426).
- PCI/ERR: Avoid negated conditional for clarity (bsc#1174426).
- PCI/ERR: Bind RCEC devices to the Root Port driver (bsc#1174426).
- PCI/ERR: Bind RCEC devices to the Root Port driver (jsc#SLE-13736 jsc#SLE-14845).
- PCI/ERR: Cache RCEC EA Capability offset in pci_init_capabilities() (bsc#1174426).
- PCI/ERR: Clear AER status only when we control AER (bsc#1174426).
- PCI/ERR: Clear PCIe Device Status errors only if OS owns AER (bsc#1174426).
- PCI/ERR: Clear status of the reporting device (bsc#1174426).
- PCI/ERR: Recover from RCEC AER errors (bsc#1174426).
- PCI/ERR: Recover from RCiEP AER errors (bsc#1174426).
- PCI/ERR: Rename reset_link() to reset_subordinates() (bsc#1174426).
- PCI/ERR: Retain status from error notification (bsc#1174426).
- PCI/ERR: Simplify by computing pci_pcie_type() once (bsc#1174426).
- PCI/ERR: Simplify by using pci_upstream_bridge() (bsc#1174426).
- PCI/ERR: Use "bridge" for clarity in pcie_do_recovery() (bsc#1174426).
- PCI/PME: Add pcie_walk_rcec() to RCEC PME handling (bsc#1174426).
- PCI/RCEC: Fix RCiEP device to RCEC association (git-fixes).
- PCI/RCEC: Fix RCiEP device to RCEC association (jsc#SLE-13736 jsc#SLE-14845 git-fixes).
- PCI/portdrv: Report reset for frozen channel (bsc#1174426).
- PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse (git-fixes).
- PCI: Add function 1 DMA alias quirk for Marvell 9215 SATA controller (git-fixes).
- PCI: Allow VPD access for QLogic ISP2722 (git-fixes).
- PCI: Fix pci_register_io_range() memory leak (git-fixes).
- PCI: PM: Do not read power state in pci_enable_device_flags() (git-fixes).
- PCI: Release OF node in pci_scan_device()'s error path (git-fixes).
- PCI: designware-ep: Fix the Header Type check (git-fixes).
- PCI: dwc: Move iATU detection earlier (git-fixes).
- PCI: endpoint: Fix missing destroy_workqueue() (git-fixes).
- PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() (git-fixes).
- PCI: keystone: Let AM65 use the pci_ops defined in pcie-designware-host.c (git-fixes).
- PCI: mediatek: Add missing of_node_put() to fix reference leak (git-fixes).
- PCI: tegra: Fix ASPM-L1SS advertisement disable code (git-fixes).
- PCI: tegra: Move "dbi" accesses to post common DWC initialization (git-fixes).
- PCI: thunder: Fix compile testing (git-fixes).
- PCI: xgene-msi: Fix race in installing chained irq handler (git-fixes).
- PM / devfreq: Use more accurate returned new_freq as resume_freq (git-fixes).
- PM: EM: postpone creating the debugfs dir till fs_initcall (git-fixes).
- PM: runtime: Add documentation for pm_runtime_resume_and_get() (git-fixes).
- PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter (bsc#1183366).
- PM: runtime: Fix ordering in pm_runtime_get_suppliers() (git-fixes).
- PM: runtime: Fix ordering in pm_runtime_get_suppliers() (git-fixes).
- PM: runtime: Fix race getting/putting suppliers at probe (git-fixes).
- Platform: OLPC: Fix probe error handling (git-fixes).
- RAS/CEC: Correct ce_add_elem()'s returned values (bsc#1152489).
- RDMA/addr: create addr_wq with WQ_MEM_RECLAIM flag (bsc#1183346).
- RDMA/cm: Fix IRQ restore in ib_send_cm_sidr_rep (jsc#SLE-15176).
- RDMA/core: create ib_cm with WQ_MEM_RECLAIM flag (bsc#1183346).
- RDMA/hns: Delete redundant abnormal interrupt status (git-fixes).
- RDMA/hns: Delete redundant condition judgment related to eq (git-fixes).
- RDMA/mlx5: Fix drop packet rule in egress table (jsc#SLE-15175).
- RDMA/qedr: Fix error return code in qedr_iw_connect() (jsc#SLE-8215).
- RDMA/rtrs-clt: Close rtrs client conn before destroying rtrs clt session files (jsc#SLE-15176).
- RDMA/rtrs-clt: destroy sysfs after removing session from active list (jsc#SLE-15176).
- RDMA/srp: Fix support for unpopulated and unbalanced NUMA nodes (bsc#1169709)
- RDMA/srp: Fix support for unpopulated and unbalanced NUMA nodes (bsc#1169709)
- RDMA/srpt: Fix error return code in srpt_cm_req_recv() (git-fixes).
- Re-enable yenta socket driver for x86_64 (bsc#1186349)
- SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428).
- USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet (git-fixes).
- USB: Add reset-resume quirk for WD19's Realtek Hub (git-fixes).
- USB: CDC-ACM: fix poison/unpoison imbalance (bsc#1184984).
- USB: CDC-ACM: fix poison/unpoison imbalance (git-fixes).
- USB: cdc-acm: downgrade message to debug (git-fixes).
- USB: cdc-acm: fix TIOCGSERIAL implementation (git-fixes).
- USB: cdc-acm: fix double free on probe failure (git-fixes).
- USB: cdc-acm: fix unprivileged TIOCCSERIAL (git-fixes).
- USB: cdc-acm: fix use-after-free after probe failure (git-fixes).
- USB: cdc-acm: untangle a circular dependency between callback and softint (git-fixes).
- USB: gadget: u_ether: Fix a configfs return code (git-fixes).
- USB: gadget: udc: fix wrong pointer passed to IS_ERR() and PTR_ERR() (git-fixes).
- USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem (git-fixes).
- USB: replace hardcode maximum usb string length by definition (git-fixes).
- USB: serial: ark3116: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: ch341: add new Product ID (git-fixes).
- USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter (git-fixes).
- USB: serial: cp210x: add some more GE USB IDs (git-fixes).
- USB: serial: f81232: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: f81534: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: fix return value for unsupported ioctls (git-fixes).
- USB: serial: io_edgeport: fix memory leak in edge_startup (git-fixes).
- USB: serial: mos7720: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: opticon: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: pl2303: add support for PL2303HXN (bsc#1186320).
- USB: serial: pl2303: fix line-speed handling on newer chips (bsc#1186320).
- USB: serial: quatech2: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: ssu100: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check (git-fixes).
- USB: serial: usb_wwan: fix TIOCGSERIAL implementation (git-fixes).
- USB: serial: usb_wwan: fix TIOCSSERIAL jiffies conversions (git-fixes).
- USB: serial: usb_wwan: fix unprivileged TIOCCSERIAL (git-fixes).
- USB: usblp: fix a hang in poll() if disconnected (git-fixes).
- Update bug reference for USB-audio fixes (bsc#1182552 bsc#1183598)
- amd/amdgpu: Disable VCN DPG mode for Picasso (git-fixes).
- amdgpu: avoid incorrect %hu format string (git-fixes).
- apparmor: Fix aa_label refcnt leak in policy_update (git-fixes).
- apparmor: check/put label on apparmor_sk_clone_security() (git-fixes).
- appletalk: Fix skb allocation size in loopback case (git-fixes).
- arm64: make STACKPROTECTOR_PER_TASK configurable (bsc#1181862).
- ata: ahci: Disable SXS for Hisilicon Kunpeng920 (git-fixes).
- ata: libahci_platform: fix IRQ check (git-fixes).
- ath10k: Fix a use after free in ath10k_htc_send_bundle (git-fixes).
- ath10k: Fix ath10k_wmi_tlv_op_pull_peer_stats_info() unlock without lock (git-fixes).
- ath10k: fix wmi mgmt tx queue full due to race condition (git-fixes).
- ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr() (git-fixes).
- ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices (git-fixes).
- ath9k: fix transmitting to stations in dynamic SMPS mode (git-fixes).
- atl1c: fix error return code in atl1c_probe() (git-fixes).
- atl1e: fix error return code in atl1e_probe() (git-fixes).
- backlight: journada720: Fix Wmisleading-indentation warning (git-fixes).
- batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field (git-fixes).
- binfmt_misc: fix possible deadlock in bm_register_write (git-fixes).
- binfmt_misc: fix possible deadlock in bm_register_write (git-fixes).
- blk-iocost: ioc_pd_free() shouldn't assume irq disabled (git-fixes).
- blk-mq: plug request for shared sbitmap (jsc#SLE-15442 bsc#1180814 ltc#187461 git-fixes).
- blk-mq: set default elevator as deadline in case of hctx shared tagset (jsc#SLE-15442 bsc#1180814 ltc#187461 git-fixes).
- blkcg: fix memleak for iolatency (git-fixes).
- block, bfq: set next_rq to waker_bfqq->next_rq in waker injection (bsc#1168838).
- block: fix get_max_io_size() (git-fixes).
- block: recalculate segment count for multi-segment discards correctly (bsc#1184724).
- block: rsxx: fix error return code of rsxx_pci_probe() (git-fixes).
- block: rsxx: select CONFIG_CRC32 (git-fixes).
- bluetooth: eliminate the potential race condition when removing the HCI controller (git-fixes).
- bnxt_en: Fix RX consumer index logic in the error path (git-fixes).
- bnxt_en: Fix RX consumer index logic in the error path (git-fixes).
- bnxt_en: fix ternary sign extension bug in bnxt_show_temp() (git-fixes).
- bnxt_en: reliably allocate IRQ table on reset to avoid crash (jsc#SLE-8371 bsc#1153274).
- bnxt_en: reverse order of TX disable and carrier off (git-fixes).
- bpf, sockmap: Fix sk->prot unhash op reset (bsc#1155518).
- bpf,x64: Pad NOPs to make images converge more easily (bsc#1178163).
- bpf: Add sanity check for upper ptr_limit (bsc#1183686 bsc#1183775).
- bpf: Avoid warning when re-casting __bpf_call_base into __bpf_call_base_args (bsc#1155518).
- bpf: Declare __bpf_free_used_maps() unconditionally (bsc#1155518).
- bpf: Do not do bpf_cgroup_storage_set() for kuprobe/tp programs (bsc#1155518).
- bpf: Enforce that struct_ops programs be GPL-only (bsc#1177028).
- bpf: Fix 32 bit src register truncation on div/mod (bsc#1184170).
- bpf: Fix an unitialized value in bpf_iter (bsc#1177028).
- bpf: Fix leakage of uninitialized bpf stack under speculation (bsc#1155518).
- bpf: Fix masking negation logic upon negative dst register (bsc#1155518).
- bpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds (bsc#1177028).
- bpf: Fix verifier jsgt branch analysis on max bound (bsc#1155518).
- bpf: Refcount task stack in bpf_get_task_stack (bsc#1177028).
- bpf: Remove MTU check in __bpf_skb_max_len (bsc#1155518).
- bpf: Simplify alu_limit masking for pointer arithmetic (bsc#1183686 bsc#1183775).
- bpf: link: Refuse non-O_RDWR flags in BPF_OBJ_GET (bsc#1177028).
- bpf_lru_list: Read double-checked variable once without lock (bsc#1155518).
- brcmfmac: Add DMI nvram filename quirk for Predia Basic tablet (git-fixes).
- brcmfmac: Add DMI nvram filename quirk for Voyo winpad A15 tablet (git-fixes).
- brcmfmac: clear EAP/association status bits on linkdown events (git-fixes).
- bsg: free the request before return error code (git-fixes).
- btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root (bsc#1184217).
- btrfs: always pin deleted leaves when there are active tree mod log users (bsc#1184224).
- btrfs: fix exhaustion of the system chunk array due to concurrent allocations (bsc#1183386).
- btrfs: fix extent buffer leak on failure to copy root (bsc#1184218).
- btrfs: fix qgroup data rsv leak caused by falloc failure (bsc#1185549).
- btrfs: fix race between swap file activation and snapshot creation (bsc#1185587).
- btrfs: fix race between swap file activation and snapshot creation (bsc#1185587).
- btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441).
- btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441).
- btrfs: fix race between writes to swap files and scrub (bsc#1185586).
- btrfs: fix race between writes to swap files and scrub (bsc#1185586).
- btrfs: fix race when cloning extent buffer during rewind of an old root (bsc#1184193).
- btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439).
- btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439).
- btrfs: fix stale data exposure after cloning a hole with NO_HOLES enabled (bsc#1184220).
- btrfs: fix subvolume/snapshot deletion not triggered on mount (bsc#1184219).
- btrfs: track qgroup released data in own variable in insert_prealloc_file_extent (bsc#1185549).
- bus: fsl-mc: add the dpdbg device type (bsc#1185670).
- bus: fsl-mc: list more commands as accepted through the ioctl (bsc#1185670).
- bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD (git-fixes).
- bus: qcom: Put child node before return (git-fixes).
- bus: ti-sysc: Fix warning on unbind if reset is not deasserted (git-fixes).
- can: c_can: move runtime PM enable/disable to c_can_platform (git-fixes).
- can: c_can_pci: c_can_pci_remove(): fix use-after-free (git-fixes).
- can: flexcan: assert FRZ bit in flexcan_chip_freeze() (git-fixes).
- can: flexcan: enable RX FIFO after FRZ/HALT valid (git-fixes).
- can: flexcan: flexcan_chip_freeze(): fix chip freeze for missing bitrate (git-fixes).
- can: flexcan: invoke flexcan_chip_freeze() to enter freeze mode (git-fixes).
- can: m_can: m_can_do_rx_poll(): fix extraneous msg loss warning (git-fixes).
- can: peak_usb: Revert "can: peak_usb: add forgotten supported devices" (git-fixes).
- can: peak_usb: add forgotten supported devices (git-fixes).
- can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership (git-fixes).
- cdc-acm: fix BREAK rx code path adding necessary calls (git-fixes).
- cdc-wdm: untangle a circular dependency between callback and softint (git-fixes).
- ceph: do not clobber i_snap_caps on non-I_NEW inode (bsc#1186501).
- ceph: fix inode leak on getattr error in __fh_to_dentry (bsc#1186501).
- ceph: fix up error handling with snapdirs (bsc#1186501).
- ceph: only check pool permissions for regular files (bsc#1186501).
- cfg80211: remove WARN_ON() in cfg80211_sme_connect (git-fixes).
- cfg80211: scan: drop entry from hidden_list on overflow (git-fixes).
- ch_ktls: Fix kernel panic (jsc#SLE-15131).
- ch_ktls: do not send snd_una update to TCB in middle (jsc#SLE-15131).
- ch_ktls: fix device connection close (jsc#SLE-15131).
- ch_ktls: fix enum-conversion warning (jsc#SLE-15129).
- ch_ktls: tcb close causes tls connection failure (jsc#SLE-15131).
- cifs: New optype for session operations (bsc#1181507).
- cifs: Tracepoints and logs for tracing credit changes (bsc#1181507).
- cifs: change noisy error message to FYI (bsc#1181507).
- cifs: check pointer before freeing (bsc#1183534).
- cifs: do not send close in compound create+close requests (bsc#1181507).
- cifs: print MIDs in decimal notation (bsc#1181507).
- cifs: return proper error code in statfs(2) (bsc#1181507).
- cifs_debug: use %pd instead of messing with ->d_name (bsc#1181507).
- clk: exynos7: Mark aclk_fsys1_200 as critical (git-fixes).
- clk: fix invalid usage of list cursor in register (git-fixes).
- clk: fix invalid usage of list cursor in unregister (git-fixes).
- clk: mvebu: armada-37xx-periph: Fix switching CPU freq from 250 Mhz to 1 GHz (git-fixes).
- clk: mvebu: armada-37xx-periph: Fix workaround for switching from L1 to L0 (git-fixes).
- clk: mvebu: armada-37xx-periph: remove .set_parent method for CPU PM clock (git-fixes).
- clk: qcom: a53-pll: Add missing MODULE_DEVICE_TABLE (git-fixes).
- clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return (git-fixes).
- clk: socfpga: fix iomem pointer cast on 64-bit (git-fixes).
- clk: uniphier: Fix potential infinite loop (git-fixes).
- clk: zynqmp: move zynqmp_pll_set_mode out of round_rate callback (git-fixes).
- completion: Drop init_completion define (git-fixes).
- configfs: fix a use-after-free in __configfs_open_file (git-fixes).
- coresight: etm4x: Fix issues on trcseqevr access (git-fixes).
- coresight: etm4x: Fix save and restore of TRCVMIDCCTLR1 register (git-fixes).
- coresight: remove broken __exit annotations (git-fixes).
- coresight: tmc-etr: Fix barrier packet insertion for perf buffer (git-fixes).
- cpufreq: Kconfig: fix documentation links (git-fixes).
- cpufreq: armada-37xx: Fix determining base CPU frequency (git-fixes).
- cpufreq: armada-37xx: Fix driver cleanup when registration failed (git-fixes).
- cpufreq: armada-37xx: Fix setting TBG parent for load levels (git-fixes).
- cpufreq: armada-37xx: Fix the AVS value for load L1 (git-fixes).
- cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758).
- cpuidle/pseries: Fixup CEDE0 latency only for POWER10 onwards (bsc#1185550 ltc#192610).
- crypto: api - check for ERR pointers in crypto_destroy_tfm() (git-fixes).
- crypto: arm/curve25519 - Move '.fpu' after '.arch' (git-fixes).
- crypto: chelsio - Read rxchannel-id from firmware (git-fixes).
- crypto: mips/poly1305 - enable for all MIPS processors (git-fixes).
- crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (git-fixes).
- crypto: qat - Fix a double free in adf_create_ring (git-fixes).
- crypto: qat - do not release uninitialized resources (git-fixes).
- crypto: qat - fix error path in adf_isr_resource_alloc() (git-fixes).
- crypto: qat - fix unmap invalid dma address (git-fixes).
- crypto: rng - fix crypto_rng_reset() refcounting when !CRYPTO_STATS (git-fixes).
- crypto: stm32/cryp - Fix PM reference leak on stm32-cryp.c (git-fixes).
- crypto: stm32/hash - Fix PM reference leak on stm32-hash.c (git-fixes).
- crypto: tcrypt - avoid signed overflow in byte count (git-fixes).
- cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (git-fixes).
- cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds (git-fixes).
- cxgb4: Fix unintentional sign extension issues (git-fixes).
- cxgb4: avoid collecting SGE_QBASE regs during traffic (git-fixes).
- dm era: Fix bitset memory leaks (git-fixes).
- dm era: Recover committed writeset after crash (git-fixes).
- dm era: Reinitialize bitset cache before digesting a new writeset (git-fixes).
- dm era: Update in-core bitset after committing the metadata (git-fixes).
- dm era: Use correct value size in equality function of writeset tree (git-fixes).
- dm era: Verify the data block size hasn't changed (git-fixes).
- dm era: only resize metadata in preresume (git-fixes).
- dm integrity: fix error reporting in bitmap mode after creation (git-fixes).
- dm ioctl: fix error return code in target_message (git-fixes).
- dm mpath: fix racey management of PG initialization (git-fixes).
- dm mpath: switch paths in dm_blk_ioctl() code path (bsc#1167574, bsc#1175995, bsc#1184485).
- dm raid: fix discard limits for raid1 (git-fixes).
- dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails (bsc#1185581).
- dm writecache: fix the maximum number of arguments (git-fixes).
- dm writecache: handle DAX to partitions on persistent memory correctly (git-fixes).
- dm writecache: remove BUG() and fail gracefully instead (git-fixes).
- dm zoned: select CONFIG_CRC32 (git-fixes).
- dm: avoid filesystem lookup in dm_get_dev_t() (git-fixes).
- dm: eliminate potential source of excessive kernel log noise (git-fixes).
- dm: fix bug with RCU locking in dm_blk_report_zones (git-fixes).
- dm: remove invalid sparse __acquires and __releases annotations (git-fixes).
- dmaengine: Fix a double free in dma_async_device_register (git-fixes).
- dmaengine: dw-edma: Fix crash on loading/unloading driver (git-fixes).
- dmaengine: dw: Make it dependent to HAS_IOMEM (git-fixes).
- dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback (git-fixes).
- dmaengine: idxd: Fix potential null dereference on pointer status (git-fixes).
- dmaengine: idxd: cleanup pci interrupt vector allocation management (git-fixes).
- dmaengine: idxd: clear MSIX permission entry on shutdown (git-fixes).
- dmaengine: idxd: fix cdev setup and free device lifetime issues (git-fixes).
- dmaengine: idxd: fix delta_rec and crc size field for completion record (git-fixes).
- dmaengine: idxd: fix dma device lifetime (git-fixes).
- dmaengine: idxd: fix opcap sysfs attribute output (git-fixes).
- dmaengine: idxd: fix wq cleanup of WQCFG registers (git-fixes).
- dmaengine: idxd: fix wq size store permission state (git-fixes).
- dmaengine: idxd: removal of pcim managed mmio mapping (git-fixes).
- docs: kernel-parameters: Add gpio_mockup_named_lines (git-fixes).
- docs: kernel-parameters: Move gpio-mockup for alphabetic order (git-fixes).
- dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom (git-fixes).
- dpaa_eth: Use random MAC address when none is given (bsc#1184811).
- dpaa_eth: copy timestamp fields to new skb in A-050385 workaround (git-fixes).
- dpaa_eth: fix the RX headroom size alignment (git-fixes).
- dpaa_eth: update the buffer layout for non-A050385 erratum scenarios (git-fixes).
- drivers: hv: Fix whitespace errors (bsc#1185725).
- drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' (git-fixes).
- drivers: video: fbcon: fix NULL dereference in fbcon_cursor() (git-fixes).
- drivers: video: fbcon: fix NULL dereference in fbcon_cursor() (git-fixes).
- drm/amd/display/dc/dce/dce_aux: Remove duplicate line causing 'field overwritten' issue (git-fixes).
- drm/amd/display: Check for DSC support instead of ASIC revision (git-fixes).
- drm/amd/display: Correct algorithm for reversed gamma (git-fixes).
- drm/amd/display: DCHUB underflow counter increasing in some scenarios (git-fixes).
- drm/amd/display: Do not optimize bandwidth before disabling planes (git-fixes).
- drm/amd/display: Fix UBSAN warning for not a valid value for type '_Bool' (git-fixes).
- drm/amd/display: Fix UBSAN: shift-out-of-bounds warning (git-fixes).
- drm/amd/display: Fix debugfs link_settings entry (git-fixes).
- drm/amd/display: Fix nested FPU context in dcn21_validate_bandwidth() (git-fixes).
- drm/amd/display: Fix off by one in hdmi_14_process_transaction() (git-fixes).
- drm/amd/display: Fix two cursor duplication when using overlay (git-fixes).
- drm/amd/display: Force vsync flip when reconfiguring MPCC (git-fixes).
- drm/amd/display: Guard against NULL pointer deref when get_i2c_info fails (git-fixes).
- drm/amd/display: Initialize attribute for hdcp_srm sysfs file (git-fixes).
- drm/amd/display: Reject non-zero src_y and src_x for video planes (git-fixes).
- drm/amd/display: Revert dram_clock_change_latency for DCN2.1 (git-fixes).
- drm/amd/display: Try YCbCr420 color when YCbCr444 fails (git-fixes).
- drm/amd/display: add handling for hdcp2 rx id list validation (git-fixes).
- drm/amd/display: changing sr exit latency (git-fixes).
- drm/amd/display: fix dml prefetch validation (git-fixes).
- drm/amd/display: fixed divide by zero kernel crash during dsc enablement (git-fixes).
- drm/amd/display: turn DPMS off on connector unplug (git-fixes).
- drm/amd/pm: fix workload mismatch on vega10 (git-fixes).
- drm/amd/powerplay: fix spelling mistake "smu_state_memroy_block" -> (bsc#1152489)
  Backporting notes:
  * rename amd/pm to amd/powerplay
  * context changes
- drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f (git-fixes).
- drm/amdgpu/display/dm: add missing parameter documentation (git-fixes).
- drm/amdgpu/display: buffer INTERRUPT_LOW_IRQ_CONTEXT interrupt work (git-fixes).
- drm/amdgpu/display: remove redundant continue statement (git-fixes).
- drm/amdgpu/display: restore AUX_DPHY_TX_CONTROL for DCN2.x (git-fixes).
- drm/amdgpu/display: use GFP_ATOMIC in dcn21_validate_bandwidth_fp() (git-fixes).
- drm/amdgpu/swsmu: add interrupt work function (git-fixes).
- drm/amdgpu/swsmu: add interrupt work handler for smu11 parts (git-fixes).
- drm/amdgpu: Add additional Sienna Cichlid PCI ID (git-fixes).
- drm/amdgpu: Add check to prevent IH overflow (git-fixes).
- drm/amdgpu: Add mem sync flag for IB allocated by SA (git-fixes).
- drm/amdgpu: Fix GPU TLB update error when PAGE_SIZE > AMDGPU_PAGE_SIZE (git-fixes).
- drm/amdgpu: Fix some unload driver issues (git-fixes).
- drm/amdgpu: Init GFX10_ADDR_CONFIG for VCN v3 in DPG mode (git-fixes).
- drm/amdgpu: check alignment on CPU page for bo map (git-fixes).
- drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang (git-fixes).
- drm/amdgpu: fb BO should be ttm_bo_type_device (git-fixes).
- drm/amdgpu: fix NULL pointer dereference (git-fixes).
- drm/amdgpu: fix concurrent VM flushes on Vega/Navi v2 (git-fixes).
- drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings() (git-fixes).
- drm/amdgpu: fix parameter error of RREG32_PCIE() in amdgpu_regs_pcie (git-fixes).
- drm/amdgpu: mask the xgmi number of hops reported from psp to kfd (git-fixes).
- drm/amdgpu: remove unused variable from struct amdgpu_bo (git-fixes).
- drm/amdgpu: update gc golden setting for Navi12 (git-fixes).
- drm/amdgpu: update sdma golden setting for Navi12 (git-fixes).
- drm/amdkfd: Fix UBSAN shift-out-of-bounds warning (git-fixes).
- drm/amdkfd: Fix cat debugfs hang_hws file causes system crash bug (git-fixes).
- drm/amdkfd: Put ACPI table after using it (bsc#1152489)
  Backporting notes:
  * context changes
- drm/amdkfd: dqm fence memory corruption (git-fixes).
- drm/amdkfd: fix build error with AMD_IOMMU_V2=m (git-fixes).
- drm/ast: AST2500 fixups (bsc#1174416).
- drm/ast: AST2500 fixups (bsc#1174416).
- drm/ast: Add 25MHz refclk support (bsc#1174416).
- drm/ast: Add 25MHz refclk support (bsc#1174416).
- drm/ast: Add support for 1152x864 mode (bsc#1174416).
- drm/ast: Add support for 1152x864 mode (bsc#1174416).
- drm/ast: Add support for AIP200 (bsc#1174416).
- drm/ast: Add support for AIP200 (bsc#1174416).
- drm/ast: Correct mode table for AST2500 precatch (bsc#1174416).
- drm/ast: Correct mode table for AST2500 precatch (bsc#1174416).
- drm/ast: Disable VGA decoding while driver is active (bsc#1174416).
- drm/ast: Disable VGA decoding while driver is active (bsc#1174416).
- drm/ast: Disable screen on register init (bsc#1174416).
- drm/ast: Disable screen on register init (bsc#1174416).
- drm/ast: Fix P2A config detection (bsc#1174416).
- drm/ast: Fix P2A config detection (bsc#1174416).
- drm/ast: Fix invalid usage of AST_MAX_HWC_WIDTH in cursor atomic_check (git-fixes).
- drm/ast: Fix register access in non-P2A mode for DP501 (bsc#1174416).
- drm/ast: Fix register access in non-P2A mode for DP501 (bsc#1174416).
- drm/ast: Keep MISC fields when enabling VGA (bsc#1174416).
- drm/ast: Keep MISC fields when enabling VGA (bsc#1174416).
- drm/ast: drm/ast: Fix boot address for AST2500 (bsc#1174416).
- drm/ast: drm/ast: Fix boot address for AST2500 (bsc#1174416).
- drm/compat: Clear bounce structures (git-fixes).
- drm/dp_mst: Revise broadcast msg lct & lcr (git-fixes).
- drm/dp_mst: Set CLEAR_PAYLOAD_ID_TABLE as broadcast (git-fixes).
- drm/hisilicon: Fix use-after-free (git-fixes).
- drm/i915/display: fix compiler warning about array overrun (git-fixes).
- drm/i915/gt: Clear CACHE_MODE prior to clearing residuals (git-fixes).
- drm/i915/gt: Disable HiZ Raw Stall Optimization on broken gen7 (git-fixes).
- drm/i915/gvt: Fix error code in intel_gvt_init_device() (git-fixes).
- drm/i915/gvt: Set SNOOP for PAT3 on BXT/APL to workaround GPU BB hang (git-fixes).
- drm/i915/overlay: Fix active retire callback alignment (git-fixes).
- drm/i915/selftests: Fix some error codes (git-fixes).
- drm/i915: Avoid div-by-zero on gen2 (git-fixes).
- drm/i915: Fix ICL MG PHY vswing handling (git-fixes).
- drm/i915: Fix crash in auto_retire (git-fixes).
- drm/i915: Fix invalid access to ACPI _DSM objects (bsc#1184074).
- drm/i915: Hold onto an explicit ref to i915_vma_work.pinned (git-fixes).
- drm/i915: Read C0DRB3/C1DRB3 as 16 bits again (git-fixes).
- drm/i915: Wedge the GPU if command parser setup fails (git-fixes).
- drm/imx: imx-ldb: fix out of bounds array access warning (git-fixes).
- drm/ingenic: Fix non-OSD mode (git-fixes).
- drm/ingenic: Register devm action to cleanup encoders (git-fixes).
- drm/komeda: Fix bit check to import to value of proper type (git-fixes).
- drm/lima: fix reference leak in lima_pm_busy (git-fixes).
- drm/mcde/panel: Inverse misunderstood flag (git-fixes).
- drm/mediatek: Fix aal size config (bsc#1152489)
  Backporting notes:
  * replaced mtk_ddp_write() with writel()
- drm/msm/a5xx: Remove overwriting A5XX_PC_DBG_ECO_CNTL register (git-fixes).
- drm/msm/adreno: a5xx_power: Do not apply A540 lm_setup to other GPUs (git-fixes).
- drm/msm/gem: Add obj->lock wrappers (bsc#1152489)
  Backporting notes:
  * taken for 9b73bde39cf2 ("drm/msm: Fix use-after-free in msm_gem with carveout")
  * context changes
- drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal (git-fixes).
- drm/msm/mdp5: Do not multiply vclk line count by 100 (git-fixes).
- drm/msm: Fix WARN_ON() splat in _free_object() (bsc#1152489)
  Backporting notes:
  * context changes
- drm/msm: Fix a5xx/a6xx timestamps (git-fixes).
- drm/msm: Fix races managing the OOB state for timestamp vs (bsc#1152489)
  Backporting notes:
  * context changes
- drm/msm: Fix suspend/resume on i.MX5 (git-fixes).
- drm/msm: Fix use-after-free in msm_gem with carveout (bsc#1152489)
  Backporting notes:
  * context changes
- drm/msm: Ratelimit invalid-fence message (git-fixes).
- drm/msm: Set drvdata to NULL when msm_drm_init() fails (git-fixes).
- drm/msm: fix shutdown hook in case GPU components failed to bind (git-fixes).
- drm/nouveau/kms/nv50-: Get rid of bogus nouveau_conn_mode_valid() (git-fixes).
- drm/omap: fix misleading indentation in pixinc() (git-fixes).
- drm/panfrost: Clear MMU irqs before handling the fault (git-fixes).
- drm/panfrost: Do not corrupt the queue mutex on open/close (bsc#1152472)
  Backporting notes:
  * context changes
- drm/panfrost: Do not try to map pages that are already mapped (git-fixes).
- drm/panfrost: Fix job timeout handling (bsc#1152472)
  Backporting notes:
  * context changes
- drm/panfrost: Remove unused variables in panfrost_job_close() (bsc#1152472)
- drm/probe-helper: Check epoch counter in output_poll_execute() (git-fixes).
- drm/qxl: do not run release if qxl failed to init (git-fixes).
- drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected (git-fixes).
- drm/radeon: Avoid power table parsing memory leaks (git-fixes).
- drm/radeon: Fix a missing check bug in radeon_dp_mst_detect() (git-fixes).
- drm/radeon: Fix off-by-one power_state index heap overwrite (git-fixes).
- drm/radeon: fix AGP dependency (git-fixes).
- drm/radeon: fix copy of uninitialized variable back to userspace (git-fixes).
- drm/shmem-helper: Check for purged buffers in fault handler (git-fixes).
- drm/shmem-helper: Do not remove the offset in vm_area_struct pgoff (git-fixes).
- drm/shmem-helpers: vunmap: Do not put pages for dma-buf (git-fixes).
- drm/sun4i: tcon: fix inverted DCLK polarity (bsc#1152489)
  Backporting notes:
  * context changes
- drm/tegra: Fix reference leak when pm_runtime_get_sync() fails (git-fixes).
- drm/tegra: dc: Do not set PLL clock to 0Hz (git-fixes).
- drm/tegra: dc: Restore coupling of display controllers (git-fixes).
- drm/tegra: sor: Grab runtime PM reference across reset (git-fixes).
- drm/tilcdc: send vblank event when disabling crtc (git-fixes).
- drm/vc4: crtc: Reduce PV fifo threshold on hvs4 (git-fixes).
- drm/vc4: hdmi: Restore cec physical address on reconnect (bsc#1152472)
  Backporting notes:
  * context changes
  * change vc4_hdmi to vc4->hdmi
  * removed references to encoder->hdmi_monitor
- drm/vkms: fix misuse of WARN_ON (git-fixes).
- drm: Added orientation quirk for OneGX1 Pro (git-fixes).
- drm: meson_drv add shutdown function (git-fixes).
- drm: rcar-du: Fix PM reference leak in rcar_cmm_enable() (git-fixes).
- drm: rcar-du: Fix crash when using LVDS1 clock for CRTC (bsc#1152489)
  Backporting notes:
  * context changes
- drm: rcar-du: Fix leak of CMM platform device reference (git-fixes).
- drm: xlnx: zynqmp: fix a memset in zynqmp_dp_train() (git-fixes).
- e1000e: Fix duplicate include guard (git-fixes).
- e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 (git-fixes).
- e1000e: add rtnl_lock() to e1000_reset_task (git-fixes).
- efi: use 32-bit alignment for efi_guid_t literals (git-fixes).
- enetc: Fix reporting of h/w packet counters (git-fixes).
- enetc: Let the hardware auto-advance the taprio base-time of 0 (git-fixes).
- enetc: Workaround for MDIO register access issue (git-fixes).
- epoll: check for events when removing a timed out thread from the wait queue (git-fixes).
- ethernet/netronome/nfp: Fix a use after free in nfp_bpf_ctrl_msg_rx (git-fixes).
- ethernet: alx: fix order of calls on resume (git-fixes).
- ethernet:enic: Fix a use after free bug in enic_hard_start_xmit (git-fixes).
- ethtool: fix incorrect datatype in set_eee ops (bsc#1176447).
- ethtool: fix missing NLM_F_MULTI flag when dumping (bsc#1176447).
- ethtool: pause: make sure we init driver stats (jsc#SLE-15075).
- exec: Move would_dump into flush_old_exec (git-fixes).
- ext4: do not try to set xattr into ea_inode if value is empty (bsc#1184730).
- ext4: find old entry again if failed to rename whiteout (bsc#1184742).
- ext4: fix potential error in ext4_do_update_inode (bsc#1184731).
- ext4: fix potential htree index checksum corruption (bsc#1184728).
- extcon: Add stubs for extcon_register_notifier_all() functions (git-fixes).
- extcon: Fix error handling in extcon_dev_register (git-fixes).
- extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged (git-fixes).
- extcon: arizona: Fix various races on driver unbind (git-fixes).
- fbdev: zero-fill colormap in fbcmap.c (git-fixes).
- fbmem: add margin check to fb_check_caps() (git-fixes).
- firmware/efi: Fix a use after bug in efi_mem_reserve_persistent (git-fixes).
- firmware: arm_scpi: Prevent the ternary sign expansion bug (git-fixes).
- firmware: qcom-scm: Fix QCOM_SCM configuration (git-fixes).
- firmware: qcom_scm: Fix kernel-doc function names to match (git-fixes).
- firmware: qcom_scm: Make __qcom_scm_is_call_available() return bool (git-fixes).
- firmware: qcom_scm: Reduce locking section for __get_convention() (git-fixes).
- firmware: qcom_scm: Workaround lack of "is available" call on SC7180 (git-fixes).
- flow_dissector: fix byteorder of dissected ICMP ID (bsc#1154353).
- fnic: use scsi_host_busy_iter() to traverse commands (bsc#1179851).
- fotg210-udc: Complete OUT requests on short packets (git-fixes).
- fotg210-udc: Do not DMA more than the buffer can take (git-fixes).
- fotg210-udc: Fix DMA on EP0 for length > max packet size (git-fixes).
- fotg210-udc: Fix EP0 IN requests bigger than two packets (git-fixes).
- fotg210-udc: Mask GRP2 interrupts we do not handle (git-fixes).
- fotg210-udc: Remove a dubious condition leading to fotg210_done (git-fixes).
- fs/epoll: restore waking from ep_done_scan() (bsc#1183868).
- fs/jfs: fix potential integer overflow on shift of a int (bsc#1184741).
- fs: direct-io: fix missing sdio->boundary (bsc#1184736).
- fsl/fman: check dereferencing null pointer (git-fixes).
- fsl/fman: fix dereference null return value (git-fixes).
- fsl/fman: fix eth hash table allocation (git-fixes).
- fsl/fman: fix unreachable code (git-fixes).
- fsl/fman: reuse set_mac_address() in dtsec init() (bsc#1184811).
- fsl/fman: tolerate missing MAC address in device tree (bsc#1184811).
- fsl/fman: use 32-bit unsigned integer (git-fixes).
- ftrace/x86: Tell objtool to ignore nondeterministic ftrace stack layout (bsc#1177028).
- ftrace: Fix modify_ftrace_direct (bsc#1177028).
- ftrace: Handle commands when closing set_ftrace_filter file (git-fixes).
- fuse: fix bad inode (bsc#1184211).
- fuse: fix bad inode (bsc#1184211).
- fuse: fix live lock in fuse_iget() (bsc#1184211).
- fuse: fix live lock in fuse_iget() (bsc#1184211).
- fuse: fix write deadlock (bsc#1185573).
- fuse: verify write return (git-fixes).
- futex: Change utime parameter to be 'const ... *' (git-fixes).
- futex: Do not apply time namespace adjustment on FUTEX_LOCK_PI (bsc#1164648).
- futex: Get rid of the val2 conditional dance (git-fixes).
- futex: Make syscall entry points less convoluted (git-fixes).
- gcc-plugins: drop support for GCC <= 4.7 (bcs#1181862).
- gcc-plugins: make it possible to disable CONFIG_GCC_PLUGINS again (bcs#1181862).
- gcc-plugins: simplify GCC plugin-dev capability test (bsc#1181862).
- geneve: do not modify the shared tunnel info when PMTU triggers an ICMP reply (bsc#1176447).
- geneve: do not modify the shared tunnel info when PMTU triggers an ICMP reply (git-fixes).
- genirq/irqdomain: Do not try to free an interrupt that has no (git-fixes)
- genirq: Disable interrupts for force threaded handlers (git-fixes)
- genirq: Reduce irqdebug cacheline bouncing (bsc#1185703 ltc#192641).
- gianfar: Account for Tx PTP timestamp in the skb headroom (git-fixes).
- gianfar: Fix TX timestamping with a stacked DSA driver (git-fixes).
- gianfar: Handle error code at MAC address change (git-fixes).
- gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP (git-fixes).
- gpio: omap: Save and restore sysconfig (git-fixes).
- gpio: pca953x: Set IRQ type when handle Intel Galileo Gen 2 (git-fixes).
- gpio: sysfs: Obey valid_mask (git-fixes).
- gpio: xilinx: Correct kernel doc for xgpio_probe() (git-fixes).
- gpio: zynq: fix reference leak in zynq_gpio functions (git-fixes).
- gpiolib: Do not free if pin ranges are not defined (git-fixes).
- gpiolib: acpi: Add missing IRQF_ONESHOT (git-fixes).
- gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 (git-fixes).
- gpu/xen: Fix a use after free in xen_drm_drv_init (git-fixes).
- hrtimer: Update softirq_expires_next correctly after (git-fixes)
- hv_netvsc: Reset the RSC count if NVSP_STAT_FAIL in netvsc_receive() (git-fixes).
- hwmon: (ina3221) Fix PM usage counter unbalance in ina3221_write_enable (git-fixes).
- hwmon: (occ) Fix poll rate limiting (git-fixes).
- i2c: Add I2C_AQ_NO_REP_START adapter quirk (git-fixes).
- i2c: bail out early when RDWR parameters are wrong (git-fixes).
- i2c: cadence: add IRQ check (git-fixes).
- i2c: emev2: add IRQ check (git-fixes).
- i2c: img-scb: fix reference leak when pm_runtime_get_sync fails (git-fixes).
- i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails (git-fixes).
- i2c: jz4780: add IRQ check (git-fixes).
- i2c: mlxbf: add IRQ check (git-fixes).
- i2c: omap: fix reference leak when pm_runtime_get_sync fails (git-fixes).
- i2c: rcar: faster irq code to minimize HW race condition (git-fixes).
- i2c: rcar: optimize cacheline to minimize HW race condition (git-fixes).
- i2c: sh7760: add IRQ check (git-fixes).
- i2c: sh7760: fix IRQ error path (git-fixes).
- i2c: sprd: fix reference leak when pm_runtime_get_sync fails (git-fixes).
- i2c: tegra: Add missing pm_runtime_put() (bsc#1184386).
- i2c: tegra: Check errors for both positive and negative values (bsc#1184386).
- i2c: tegra: Clean up and improve comments (bsc#1184386).
- i2c: tegra: Clean up printk messages (bsc#1184386).
- i2c: tegra: Clean up probe function (bsc#1184386).
- i2c: tegra: Clean up variable names (bsc#1184386).
- i2c: tegra: Clean up variable types (bsc#1184386).
- i2c: tegra: Clean up whitespaces, newlines and indentation (bsc#1184386).
- i2c: tegra: Create i2c_writesl_vi() to use with VI I2C for filling TX FIFO (bsc#1184386).
- i2c: tegra: Factor out error recovery from tegra_i2c_xfer_msg() (bsc#1184386).
- i2c: tegra: Factor out hardware initialization into separate function (bsc#1184386).
- i2c: tegra: Factor out packet header setup from tegra_i2c_xfer_msg() (bsc#1184386).
- i2c: tegra: Factor out register polling into separate function (bsc#1184386).
- i2c: tegra: Handle potential error of tegra_i2c_flush_fifos() (bsc#1184386).
- i2c: tegra: Improve driver module description (bsc#1184386).
- i2c: tegra: Improve formatting of variables (bsc#1184386).
- i2c: tegra: Initialize div-clk rate unconditionally (bsc#1184386).
- i2c: tegra: Make tegra_i2c_flush_fifos() usable in atomic transfer (bsc#1184386).
- i2c: tegra: Mask interrupt in tegra_i2c_issue_bus_clear() (bsc#1184386).
- i2c: tegra: Move out all device-tree parsing into tegra_i2c_parse_dt() (bsc#1184386).
- i2c: tegra: Remove "dma" variable from tegra_i2c_xfer_msg() (bsc#1184386).
- i2c: tegra: Remove error message used for devm_request_irq() failure (bsc#1184386).
- i2c: tegra: Remove i2c_dev.clk_divisor_non_hs_mode member (bsc#1184386).
- i2c: tegra: Remove likely/unlikely from the code (bsc#1184386).
- i2c: tegra: Remove outdated barrier() (bsc#1184386).
- i2c: tegra: Remove redundant check in tegra_i2c_issue_bus_clear() (bsc#1184386).
- i2c: tegra: Rename wait/poll functions (bsc#1184386).
- i2c: tegra: Reorder location of functions in the code (bsc#1184386).
- i2c: tegra: Runtime PM always available on Tegra (bsc#1184386).
- i2c: tegra: Use clk-bulk helpers (bsc#1184386).
- i2c: tegra: Use devm_platform_get_and_ioremap_resource() (bsc#1184386).
- i2c: tegra: Use platform_get_irq() (bsc#1184386).
- i2c: tegra: Use reset_control_reset() (bsc#1184386).
- i2c: tegra: Use threaded interrupt (bsc#1184386).
- i2c: tegra: Wait for config load atomically while in ISR (bsc#1184386).
- i40e: Add zero-initialization of AQ command structures (git-fixes).
- i40e: Added Asym_Pause to supported link modes (git-fixes).
- i40e: Fix PHY type identifiers for 2.5G and 5G adapters (git-fixes).
- i40e: Fix add TC filter for IPv6 (git-fixes).
- i40e: Fix addition of RX filters after enabling FW LLDP agent (git-fixes).
- i40e: Fix display statistics for veb_tc (git-fixes).
- i40e: Fix endianness conversions (git-fixes).
- i40e: Fix flow for IPv6 next header (extension header) (git-fixes).
- i40e: Fix kernel oops when i40e driver removes VF's (git-fixes).
- i40e: Fix overwriting flow control settings during driver loading (git-fixes).
- i40e: Fix parameters in aq_get_phy_register() (jsc#SLE-8025).
- i40e: Fix sparse error: 'vsi->netdev' could be null (jsc#SLE-8025).
- i40e: Fix sparse error: uninitialized symbol 'ring' (jsc#SLE-13701).
- i40e: Fix sparse errors in i40e_txrx.c (git-fixes).
- i40e: Fix sparse errors in i40e_txrx.c (git-fixes).
- i40e: Fix sparse warning: missing error code 'err' (git-fixes).
- i40e: Fix use-after-free in i40e_client_subtask() (git-fixes).
- i40e: fix broken XDP support (git-fixes).
- i40e: fix the panic when running bpf in xdpdrv mode (git-fixes).
- i40e: fix the restart auto-negotiation after FEC modified (git-fixes).
- i915/perf: Start hrtimer only if sampling the OA buffer (git-fixes).
- iavf: Fix incorrect adapter get in iavf_resume (git-fixes).
- iavf: use generic power management (git-fixes).
- ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043).
- ibmvfc: Handle move login failure (bsc#1185938 ltc#192043).
- ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).
- ibmvnic: add comments for spinlock_t definitions (bsc#1183871 ltc#192139).
- ibmvnic: avoid calling napi_disable() twice (bsc#1065729).
- ibmvnic: avoid multiple line dereference (bsc#1183871 ltc#192139).
- ibmvnic: clean up the remaining debugfs data structures (bsc#1065729).
- ibmvnic: correctly use dev_consume/free_skb_irq (jsc#SLE-17268 jsc#SLE-17043 bsc#1179243 ltc#189290 git-fixes).
- ibmvnic: fix block comments (bsc#1183871 ltc#192139).
- ibmvnic: fix braces (bsc#1183871 ltc#192139).
- ibmvnic: fix miscellaneous checks (bsc#1183871 ltc#192139).
- ibmvnic: improve failover sysfs entry (bsc#1043990 ltc#155681 git-fixes).
- ibmvnic: merge do_change_param_reset into do_reset (bsc#1183871 ltc#192139).
- ibmvnic: prefer 'unsigned long' over 'unsigned long int' (bsc#1183871 ltc#192139).
- ibmvnic: prefer strscpy over strlcpy (bsc#1183871 ltc#192139).
- ibmvnic: print adapter state as a string (bsc#1152457 ltc#174432 git-fixes).
- ibmvnic: print reset reason as a string (bsc#1152457 ltc#174432 git-fixes).
- ibmvnic: queue reset work in system_long_wq (bsc#1152457 ltc#174432 git-fixes).
- ibmvnic: remove default label from to_string switch (bsc#1152457 ltc#174432 git-fixes).
- ibmvnic: remove duplicate napi_schedule call in do_reset function (bsc#1065729).
- ibmvnic: remove duplicate napi_schedule call in open function (bsc#1065729).
- ibmvnic: remove unnecessary rmb() inside ibmvnic_poll (bsc#1183871 ltc#192139).
- ibmvnic: remove unused spinlock_t stats_lock definition (bsc#1183871 ltc#192139).
- ibmvnic: rework to ensure SCRQ entry reads are properly ordered (bsc#1183871 ltc#192139).
- ice: Account for port VLAN in VF max packet size calculation (git-fixes).
- ice: Account for port VLAN in VF max packet size calculation (git-fixes).
- ice: Cleanup fltr list in case of allocation issues (git-fixes).
- ice: Continue probe on link/PHY errors (jsc#SLE-12878).
- ice: Fix for dereference of NULL pointer (git-fixes).
- ice: Increase control queue timeout (git-fixes).
- ice: Use port number instead of PF ID for WoL (jsc#SLE-12878).
- ice: fix memory allocation call (jsc#SLE-12878).
- ice: fix memory leak if register_netdev_fails (git-fixes).
- ice: fix memory leak in ice_vsi_setup (git-fixes).
- ice: fix memory leak of aRFS after resuming from suspend (jsc#SLE-12878).
- ice: prevent ice_open and ice_stop during reset (git-fixes).
- ice: remove DCBNL_DEVRESET bit from PF state (jsc#SLE-7926).
- ics932s401: fix broken handling of errors when word reading fails (git-fixes).
- igb: Fix duplicate include guard (git-fixes).
- igb: XDP extack message on error (jsc#SLE-13536).
- igb: XDP xmit back fix error code (jsc#SLE-13536).
- igb: avoid premature Rx buffer reuse (jsc#SLE-13536).
- igb: avoid transmit queue timeout in xdp path (jsc#SLE-13536).
- igb: check timestamp validity (git-fixes).
- igb: skb add metasize for xdp (jsc#SLE-13536).
- igb: take VLAN double header into account (jsc#SLE-13536).
- igb: use xdp_do_flush (jsc#SLE-13536).
- igc: Fix Pause Frame Advertising (git-fixes).
- igc: Fix Supported Pause Frame Link Setting (git-fixes).
- igc: Fix igc_ptp_rx_pktstamp() (bsc#1160634).
- igc: Fix igc_ptp_rx_pktstamp() (bsc#1160634).
- igc: reinit_locked() should be called with rtnl_lock (git-fixes).
- igc: reinit_locked() should be called with rtnl_lock (git-fixes).
- iio: adc: ad7949: fix wrong ADC result due to incorrect bit mask (git-fixes).
- iio: adis16400: Fix an error code in adis16400_initial_setup() (git-fixes).
- iio: gyro: mpu3050: Fix error handling in mpu3050_trigger_handler (git-fixes).
- iio: gyro: mpu3050: Fix reported temperature value (git-fixes).
- iio: hid-sensor-humidity: Fix alignment issue of timestamp channel (git-fixes).
- iio: hid-sensor-prox: Fix scale not correct issue (git-fixes).
- iio: hid-sensor-temperature: Fix issues of timestamp channel (git-fixes).
- iio: proximity: pulsedlight: Fix rumtime PM imbalance on error (git-fixes).
- iio: tsl2583: Fix division by a zero lux_val (git-fixes).
- iio:accel:adis16201: Fix wrong axis assignment that prevents loading (git-fixes).
- iio:adc:qcom-spmi-vadc: add default scale to LR_MUX2_BAT_ID channel (git-fixes).
- ima: Free IMA measurement buffer after kexec syscall (git-fixes).
- include/linux/sched/mm.h: use rcu_dereference in in_vfork() (git-fixes).
- intel_th: Consistency and off-by-one fix (git-fixes).
- intel_th: pci: Add Alder Lake-M support (git-fixes).
- intel_th: pci: Add Rocket Lake CPU support (git-fixes).
- interconnect: core: fix error return code of icc_link_destroy() (git-fixes).
- iommu/amd: Add support for map/unmap_resource (jsc#ECO-3482).
- iommu/amd: Fix sleeping in atomic in increase_address_space() (bsc#1183277).
- iommu/amd: Fix sleeping in atomic in increase_address_space() (bsc#1183310).
- iommu/intel: Fix memleak in intel_irq_remapping_alloc (bsc#1183278).
- iommu/intel: Fix memleak in intel_irq_remapping_alloc (bsc#1183312).
- iommu/qcom: add missing put_device() call in qcom_iommu_of_xlate() (bsc#1183313).
- iommu/qcom: add missing put_device() call in qcom_iommu_of_xlate() (bsc#1183637).
- iommu/vt-d: Add get_domain_info() helper (bsc#1183279).
- iommu/vt-d: Avoid panic if iommu init fails in tboot system (bsc#1183280).
- iommu/vt-d: Avoid panic if iommu init fails in tboot system (bsc#1183315).
- iommu/vt-d: Correctly check addr alignment in qi_flush_dev_iotlb_pasid() (bsc#1183281).
- iommu/vt-d: Correctly check addr alignment in qi_flush_dev_iotlb_pasid() (bsc#1183316).
- iommu/vt-d: Do not use flush-queue when caching-mode is on (bsc#1183282).
- iommu/vt-d: Do not use flush-queue when caching-mode is on (bsc#1183317).
- iommu/vt-d: Fix general protection fault in aux_detach_device() (bsc#1183283).
- iommu/vt-d: Fix general protection fault in aux_detach_device() (bsc#1183318).
- iommu/vt-d: Fix ineffective devTLB invalidation for subdevices (bsc#1183284).
- iommu/vt-d: Fix ineffective devTLB invalidation for subdevices (bsc#1183319).
- iommu/vt-d: Fix status code for Allocate/Free PASID command (bsc#1183320).
- iommu/vt-d: Fix unaligned addresses for intel_flush_svm_range_dev() (bsc#1183285).
- iommu/vt-d: Fix unaligned addresses for intel_flush_svm_range_dev() (bsc#1183321).
- iommu/vt-d: Move intel_iommu info from struct intel_svm to struct intel_svm_dev (bsc#1183286).
- iommu/vt-d: Move intel_iommu info from struct intel_svm to struct intel_svm_dev (bsc#1183322).
- iommu/vt-d: Use device numa domain if RHSA is missing (bsc#1184585).
- iommu: Check dev->iommu in dev_iommu_priv_get() before dereferencing it (bsc#1183311).
- iommu: Switch gather->end to the inclusive end (bsc#1183314).
- ionic: linearize tso skb with too many frags (bsc#1167773).
- ionic: linearize tso skb with too many frags (bsc#1167773).
- iopoll: introduce read_poll_timeout macro (git-fixes).
- ipc/mqueue, msg, sem: Avoid relying on a stack reference past its expiry (bsc#1185988).
- ipmi/watchdog: Stop watchdog timer when the current action is 'none' (bsc#1184855).
- ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() (git-fixes).
- irqchip/ls-extirq: Add LS1043A, LS1088A external interrupt support (bsc#1184264).
- irqchip/ls-extirq: Add LS1043A, LS1088A external interrupt support (bsc#1185233).
- irqchip/ls-extirq: add IRQCHIP_SKIP_SET_WAKE to the irqchip flags (bsc#1184264).
- irqchip/ls-extirq: add IRQCHIP_SKIP_SET_WAKE to the irqchip flags (bsc#1185233).
- irqchip: Add support for Layerscape external interrupt lines (bsc#1185233).
- isofs: release buffer head before return (bsc#1182613).
- iwlwifi: add support for Qu with AX201 device (git-fixes).
- iwlwifi: pcie: make cfg vs. trans_cfg more robust (git-fixes).
- ixgbe: fail to create xfrm offload of IPsec tunnel mode SA (git-fixes).
- ixgbe: fix unbalanced device enable/disable in suspend/resume (jsc#SLE-13706).
- jffs2: fix use after free in jffs2_sum_write_data() (bsc#1184740).
- kABI: Fix kABI caused by fixes for bsc#1174426 (bsc#1174426).
- kABI: cover up change in struct kvm_arch (bsc#1184969).
- kABI: powerpc/pmem: Include pmem prototypes (bsc#1113295 git-fixes).
- kABI: powerpc/pseries: Add shutdown() to vio_driver and vio_bus (bsc#1184209 ltc#190917).
- kbuild: Fail if gold linker is detected (bcs#1181862).
- kbuild: add dummy toolchains to enable all cc-option etc. in Kconfig (bcs#1181862).
- kbuild: change *FLAGS_<basetarget>.o to take the path relative to $(obj) (bcs#1181862).
- kbuild: dummy-tools, fix inverted tests for gcc (bcs#1181862).
- kbuild: dummy-tools, support MPROFILE_KERNEL checks for ppc (bsc#1181862).
- kbuild: improve cc-option to clean up all temporary files (bsc#1178330).
- kbuild: include scripts/Makefile.* only when relevant CONFIG is enabled (bcs#1181862).
- kbuild: simplify GCC_PLUGINS enablement in dummy-tools/gcc (bcs#1181862).
- kbuild: stop filtering out $(GCC_PLUGINS_CFLAGS) from cc-option base (bcs#1181862).
- kbuild: use -S instead of -E for precise cc-option test in Kconfig (bsc#1178330).
- kconfig: introduce m32-flag and m64-flag (bcs#1181862).
- kernel-docs.spec.in: Build using an utf-8 locale. Sphinx cannot handle UTF-8 input in non-UTF-8 locale.
- kernel/smp: make csdlock timeout depend on boot parameter (bsc#1180846).
- kvm: svm: Update svm_xsaves_supported (jsc#SLE-13573).
- kvm: x86: Enumerate support for CLZERO instruction (jsc#SLE-13573).
- leds: lp5523: check return value of lp5xx_read and jump to cleanup code (git-fixes).
- lib/syscall: fix syscall registers retrieval on 32-bit platforms (git-fixes).
- libbpf: Add explicit padding to bpf_xdp_set_link_opts (bsc#1177028).
- libbpf: Add explicit padding to btf_dump_emit_type_decl_opts (bsc#1177028).
- libbpf: Clear map_info before each bpf_obj_get_info_by_fd (bsc#1155518).
- libbpf: Fix BTF dump of pointer-to-array-of-struct (bsc#1155518).
- libbpf: Fix INSTALL flag order (bsc#1155518).
- libbpf: Fix bail out from 'ringbuf_process_ring()' on error (bsc#1177028).
- libbpf: Fix error path in bpf_object__elf_init() (bsc#1177028).
- libbpf: Fix signed overflow in ringbuf_process_ring (bsc#1177028).
- libbpf: Initialize the bpf_seq_printf parameters array field by field (bsc#1177028).
- libbpf: Only create rx and tx XDP rings when necessary (bsc#1155518).
- libbpf: Use SOCK_CLOEXEC when opening the netlink socket (bsc#1155518).
- libnvdimm/label: Return -ENXIO for no slot in __blk_label_update (bsc#1185269).
- libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels (bsc#1185269).
- libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC (bsc#1184969 git-fixes).
- libnvdimm/security: ensure sysfs poll thread woke up and fetch updated attr (git-fixes).
- liquidio: Fix unintented sign extension of a left shift of a u16 (git-fixes).
- locking/mutex: Fix non debug version of mutex_lock_io_nested() (git-fixes).
- locking/qrwlock: Fix ordering in queued_write_lock_slowpath() (bsc#1185041).
- lpfc: Decouple port_template and vport_template (bsc#185032).
- mISDN: fix crash in fritzpci (git-fixes).
- mac80211: Allow HE operation to be longer than expected (git-fixes).
- mac80211: bail out if cipher schemes are invalid (git-fixes).
- mac80211: choose first enabled channel for monitor (git-fixes).
- mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN (git-fixes).
- mac80211: clear the beacon's CRC after channel switch (git-fixes).
- mac80211: fix TXQ AC confusion (git-fixes).
- mac80211: fix double free in ibss_leave (git-fixes).
- mac80211: fix rate mask reset (git-fixes).
- macvlan: macvlan_count_rx() needs to be aware of preemption (git-fixes).
- md-cluster: fix use-after-free issue when removing rdev (bsc#1184082).
- md/raid1: properly indicate failure when ending a failed write request (bsc#1185680).
- md: do not flush workqueue unconditionally in md_open (bsc#1184081).
- md: factor out a mddev_find_locked helper from mddev_find (bsc#1184081).
- md: md_open returns -EBUSY when entering racing area (bsc#1184081).
- md: split mddev_find (bsc#1184081).
- mdio: fix mdio-thunder.c dependency & build error (git-fixes).
- media: adv7604: fix possible use-after-free in adv76xx_remove() (git-fixes).
- media: cros-ec-cec: do not bail on device_init_wakeup failure (git-fixes).
- media: cx23885: add more quirks for reset DMA on some AMD IOMMU (git-fixes).
- media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB (git-fixes).
- media: dvb-usb: fix memory leak in dvb_usb_adapter_init (git-fixes).
- media: dvbdev: Fix memory leak in dvb_media_device_free() (git-fixes).
- media: em28xx: fix memory leak (git-fixes).
- media: gspca/sq905.c: fix uninitialized variable (git-fixes).
- media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() (git-fixes).
- media: i2c: adv7842: fix possible use-after-free in adv7842_remove() (git-fixes).
- media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove() (git-fixes).
- media: imx: capture: Return -EPIPE from __capture_legacy_try_fmt() (git-fixes).
- media: ite-cir: check for receive overflow (git-fixes).
- media: m88rs6000t: avoid potential out-of-bounds reads on arrays (git-fixes).
- media: mantis: remove orphan mantis_core.c (git-fixes).
- media: mceusb: sanity check for prescaler value (git-fixes).
- media: media/saa7164: fix saa7164_encoder_register() memory leak bugs (git-fixes).
- media: omap4iss: return error code when omap4iss_get() failed (git-fixes).
- media: platform: sti: Fix runtime PM imbalance in regs_show (git-fixes).
- media: platform: sunxi: sun6i-csi: fix error return code of sun6i_video_start_streaming() (git-fixes).
- media: rc: compile rc-cec.c into rc-core (git-fixes).
- media: saa7134: use sg_dma_len when building pgtable (git-fixes).
- media: saa7146: use sg_dma_len when building pgtable (git-fixes).
- media: staging/intel-ipu3: Fix memory leak in imu_fmt (git-fixes).
- media: staging/intel-ipu3: Fix race condition during set_fmt (git-fixes).
- media: staging/intel-ipu3: Fix set_fmt error handling (git-fixes).
- media: tc358743: fix possible use-after-free in tc358743_remove() (git-fixes).
- media: usbtv: Fix deadlock on suspend (git-fixes).
- media: uvcvideo: Allow entities with no pads (git-fixes).
- media: v4l2-ctrls.c: fix race condition in hdl->requests list (git-fixes).
- media: v4l2-ctrls.c: fix shift-out-of-bounds in std_validate (git-fixes).
- media: v4l: vsp1: Fix bru null pointer access (git-fixes).
- media: v4l: vsp1: Fix uif null pointer access (git-fixes).
- media: vicodec: add missing v4l2_ctrl_request_hdl_put() (git-fixes).
- memory: gpmc: fix out of bounds read and dereference on gpmc_cs[] (git-fixes).
- memory: mtk-smi: Fix PM usage counter unbalance in mtk_smi ops (bsc#1183325).
- memory: pl353: fix mask of ECC page_size config register (git-fixes).
- mfd: arizona: Fix rumtime PM imbalance on error (git-fixes).
- mfd: intel_pmt: Fix nuisance messages and handling of disabled capabilities (git-fixes).
- mfd: lpc_sch: Partially revert "Add support for Intel Quark X1000" (git-fixes).
- mfd: stm32-timers: Avoid clearing auto reload register (git-fixes).
- misc/pvpanic: Export module FDT device table (git-fixes).
- misc: eeprom_93xx46: Add quirk to support Microchip 93LC46B eeprom (git-fixes).
- misc: fastrpc: restrict user apps from sending kernel RPC messages (git-fixes).
- misc: lis3lv02d: Fix false-positive WARN on various HP models (git-fixes).
- misc: vmw_vmci: explicitly initialize vmci_datagram payload (git-fixes).
- misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct (git-fixes).
- mlxsw: spectrum_mr: Update egress RIF list before route's action (git-fixes).
- mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (bsc#1168777).
- mm/rmap: fix potential pte_unmap on an not mapped pte (git-fixes).
- mm: hugetlbfs: fix cannot migrate the fallocated HugeTLB page (git-fixes).
- mm: memcontrol: fix cpuhotplug statistics flushing (bsc#1185606).
- mmc: block: Update ext_csd.cache_ctrl if it was written (git-fixes).
- mmc: core: Correct descriptions in mmc_of_parse() (git-fixes).
- mmc: core: Do a power cycle when the CMD11 fails (git-fixes).
- mmc: core: Fix partition switch time for eMMC (git-fixes).
- mmc: core: Set read only for SD cards with permanent write protect bit (git-fixes).
- mmc: cqhci: Add cqhci_deactivate() (git-fixes).
- mmc: cqhci: Fix random crash when remove mmc module/card (git-fixes).
- mmc: mmc_spi: Drop unused NO_IRQ definition (git-fixes).
- mmc: mxs-mmc: Fix a resource leak in an error handling path in 'mxs_mmc_probe()' (git-fixes).
- mmc: sdhci-iproc: Cap min clock frequency on BCM2711 (bsc#1186009)
- mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711 (bsc#1186009)
- mmc: sdhci-of-arasan: Add missed checks for devm_clk_register() (git-fixes).
- mmc: sdhci-of-dwcmshc: fix rpmb access (git-fixes).
- mmc: sdhci-of-dwcmshc: implement specific set_uhs_signaling (git-fixes).
- mmc: sdhci-of-dwcmshc: set SDHCI_QUIRK2_PRESET_VALUE_BROKEN (git-fixes).
- mmc: sdhci-of-esdhc: make sure delay chain locked for HS400 (git-fixes).
- mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes).
- mmc: sdhci-pci-gli: increase 1.8V regulator wait (git-fixes).
- mmc: sdhci-pci: Add PCI IDs for Intel LKF (git-fixes).
- mmc: sdhci-pci: Fix SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers (git-fixes).
- mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers (git-fixes).
- mmc: sdhci: Check for reset prior to DMA address unmap (git-fixes).
- mmc: sdhci: Use Auto CMD Auto Select only when v4_mode is true (git-fixes).
- mmc: uniphier-sd: Fix a resource leak in the remove function (git-fixes).
- mmc: uniphier-sd: Fix an error handling path in uniphier_sd_probe() (git-fixes).
- mount: fix mounting of detached mounts onto targets that reside on shared mounts (git-fixes).
- mt7601u: fix always true expression (git-fixes).
- mt76: dma: do not report truncated frames to mac80211 (git-fixes).
- mt76: mt7615: fix entering driver-own state on mt7663 (git-fixes).
- mt76: mt7615: support loading EEPROM for MT7613BE (git-fixes).
- mt76: mt76x0: disable GTK offloading (git-fixes).
- mt76: mt7915: fix aggr len debugfs node (git-fixes).
- mt76: mt7915: fix txpower init for TSSI off chips (git-fixes).
- mtd: Handle possible -EPROBE_DEFER from parse_mtd_partitions() (git-fixes).
- mtd: rawnand: atmel: Update ecc_stats.corrected counter (git-fixes).
- mtd: rawnand: brcmnand: fix OOB R/W with Hamming ECC (git-fixes).
- mtd: rawnand: fsmc: Fix error code in fsmc_nand_probe() (git-fixes).
- mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init (git-fixes).
- mtd: rawnand: qcom: Return actual error code instead of -ENODEV (git-fixes).
- mtd: require write permissions for locking and badblock ioctls (git-fixes).
- mtd: spi-nor: Rename "n25q512a" to "mt25qu512a (n25q512a)" (bsc#1167260).
- mtd: spi-nor: Split mt25qu512a (n25q512a) entry into two (bsc#1167260).
- mtd: spinand: core: add missing MODULE_DEVICE_TABLE() (git-fixes).
- mwifiex: pcie: skip cancel_work_sync() on reset failure path (git-fixes).
- nbd: fix a block_device refcount leak in nbd_release (git-fixes).
- net, xdp: Update pkt_type if generic XDP changes unicast MAC (git-fixes).
- net/mlx4_core: Add missed mlx4_free_cmd_mailbox() (git-fixes).
- net/mlx4_en: update moderation when config reset (git-fixes).
- net/mlx5: Add back multicast stats for uplink representor (jsc#SLE-15172).
- net/mlx5: Delete extra dump stack that gives nothing (git-fixes).
- net/mlx5: Do not request more than supported EQs (git-fixes).
- net/mlx5: Fix PPLM register mapping (jsc#SLE-8464).
- net/mlx5: Fix bit-wise and with zero (jsc#SLE-15172).
- net/mlx5: Fix health error state handling (bsc#1186467).
- net/mlx5e: Allow to match on MPLS parameters only for MPLS over UDP (jsc#SLE-15172).
- net/mlx5e: Do not match on Geneve options in case option masks are all zero (git-fixes).
- net/mlx5e: E-switch, Fix rate calculation division (jsc#SLE-8464).
- net/mlx5e: Fix error path for ethtool set-priv-flag (git-fixes).
- net/mlx5e: Fix ethtool indication of connector type (git-fixes).
- net/mlx5e: Fix setting of RS FEC mode (jsc#SLE-15172).
- net/mlx5e: Offload tuple rewrite for non-CT flows (jsc#SLE-15172).
- net/mlx5e: RX, Mind the MPWQE gaps when calculating offsets (jsc#SLE-15172).
- net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta (jsc#SLE-8464).
- net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template (git-fixes).
- net/sched: act_ct: fix wild memory access when clearing fragments (bsc#1176447).
- net: arc_emac: Fix memleak in arc_mdio_probe (git-fixes).
- net: atheros: switch from 'pci_' to 'dma_' API (git-fixes).
- net: atlantic: fix out of range usage of active_vlans array (git-fixes).
- net: atlantic: fix potential error handling (git-fixes).
- net: atlantic: fix use after free kasan warn (git-fixes).
- net: b44: fix error return code in b44_init_one() (git-fixes).
- net: bonding: fix error return code of bond_neigh_init() (bsc#1154353).
- net: cdc-phonet: fix data-interface release on probe failure (git-fixes).
- net: cls_api: Fix uninitialised struct field bo->unlocked_driver_cb (bsc#1176447).
- net: dsa: felix: implement port flushing on .phylink_mac_link_down (git-fixes).
- net: dsa: rtl8366: Fix VLAN semantics (git-fixes).
- net: dsa: rtl8366: Fix VLAN set-up (git-fixes).
- net: dsa: rtl8366rb: Support all 4096 VLANs (git-fixes).
- net: enetc: allow hardware timestamping on TX queues with tc-etf enabled (git-fixes).
- net: enetc: do not disable VLAN filtering in IFF_PROMISC mode (git-fixes).
- net: enetc: fix link error again (git-fixes).
- net: enetc: remove bogus write to SIRXIDR from enetc_setup_rxbdr (git-fixes).
- net: enetc: take the MDIO lock only once per NAPI poll cycle (git-fixes).
- net: enic: Cure the enic api locking trainwreck (git-fixes).
- net: ethernet: aquantia: Fix wrong return value (git-fixes).
- net: ethernet: cavium: octeon_mgmt: use phy_start and phy_stop (git-fixes).
- net: ethernet: ibm: ibmvnic: Fix some kernel-doc misdemeanours (bsc#1183871 ltc#192139).
- net: ethernet: ti: cpsw: fix clean up of vlan mc entries for host port (git-fixes).
- net: ethernet: ti: cpsw: fix error return code in cpsw_probe() (git-fixes).
- net: fec: Fix PHY init after phy_reset_after_clk_enable() (git-fixes).
- net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() (git-fixes).
- net: fec: Fix reference count leak in fec series ops (git-fixes).
- net: gemini: Fix another missing clk_disable_unprepare() in probe (git-fixes).
- net: gemini: Fix missing free_netdev() in error path of gemini_ethernet_port_probe() (git-fixes).
- net: geneve: check skb is large enough for IPv4/IPv6 header (git-fixes).
- net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb (git-fixes).
- net: gianfar: Add of_node_put() before goto statement (git-fixes).
- net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device (git-fixes).
- net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling ether_setup (git-fixes).
- net: hns3: Fix for geneve tx checksum bug (git-fixes).
- net: hns3: Remove the left over redundant check & assignment (bsc#1154353).
- net: hns3: Remove un-necessary 'else-if' in the hclge_reset_event() (git-fixes).
- net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() (git-fixes).
- net: hns3: clear VF down state bit before request link status (git-fixes).
- net: hns3: clear unnecessary reset request in hclge_reset_rebuild (git-fixes).
- net: hns3: disable phy loopback setting in hclge_mac_start_phy (git-fixes).
- net: hns3: fix bug when calculating the TCAM table info (git-fixes).
- net: hns3: fix for vxlan gpe tx checksum bug (git-fixes).
- net: hns3: fix incorrect configuration for igu_egu_hw_err (git-fixes).
- net: hns3: fix query vlan mask value error for flow director (git-fixes).
- net: hns3: initialize the message content in hclge_get_link_mode() (git-fixes).
- net: hns3: use netif_tx_disable to stop the transmit queue (git-fixes).
- net: korina: cast KSEG0 address to pointer in kfree (git-fixes).
- net: korina: fix kfree of rx/tx descriptor array (git-fixes).
- net: lantiq: Wait for the GPHY firmware to be ready (git-fixes).
- net: ll_temac: Add more error handling of dma_map_single() calls (git-fixes).
- net: ll_temac: Fix RX buffer descriptor handling on GFP_ATOMIC pressure (git-fixes).
- net: ll_temac: Fix race condition causing TX hang (git-fixes).
- net: ll_temac: Handle DMA halt condition caused by buffer underrun (git-fixes).
- net: mvneta: fix double free of txq->buf (git-fixes).
- net: mvneta: make tx buffer array agnostic (git-fixes).
- net: pasemi: fix error return code in pasemi_mac_open() (git-fixes).
- net: phy: broadcom: Only advertise EEE for supported modes (git-fixes).
- net: phy: intel-xway: enable integrated led functions (git-fixes).
- net: phy: marvell: fix m88e1011_set_downshift (git-fixes).
- net: phy: marvell: fix m88e1111_set_downshift (git-fixes).
- net: qcom/emac: add missed clk_disable_unprepare in error path of emac_clks_phase1_init (git-fixes).
- net: qualcomm: rmnet: Fix incorrect receive packet handling during cleanup (git-fixes).
- net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405)
- net: smc911x: Adjust indentation in smc911x_phy_configure (git-fixes).
- net: spider_net: Fix the size used in a 'dma_free_coherent()' call (git-fixes).
- net: stmmac: Fix incorrect location to set real_num_rx|tx_queues (git-fixes).
- net: stmmac: Use rtnl_lock/unlock on netif_set_real_num_rx_queues() call (git-fixes).
- net: stmmac: fix missing IFF_MULTICAST check in dwmac4_set_filter (git-fixes).
- net: stmmac: removed enabling eee in EEE set callback (git-fixes).
- net: stmmac: use netif_tx_start|stop_all_queues() function (git-fixes).
- net: stmmac: xgmac: fix missing IFF_MULTICAST checki in dwxgmac2_set_filter (git-fixes).
- net: thunderx: Fix unintentional sign extension issue (git-fixes).
- net: tulip: Adjust indentation in {dmfe, uli526x}_init_module (git-fixes).
- net: usb: ax88179_178a: fix missing stop entry in driver_info (git-fixes).
- net: usb: qmi_wwan: allow qmimux add/del with master up (git-fixes).
- net: usb: qmi_wwan: support ZTE P685M modem (git-fixes).
- net: wan/lmc: unregister device when no matching device is found (git-fixes).
- net:nfc:digital: Fix a double free in digital_tg_recv_dep_req (git-fixes).
- netdevice: Add missing IFF_PHONY_HEADROOM self-definition (git-fixes).
- netdevsim: init u64 stats for 32bit hardware (git-fixes).
- netfilter: conntrack: Make global sysctls readonly in non-init netns (bsc#1176447).
- netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950).
- netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950).
- netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950).
- netfilter: flowtable: Make sure GC works periodically in idle system (bsc#1176447).
- netfilter: flowtable: fix NAT IPv6 offload mangling (bsc#1176447).
- netfilter: nftables: allow to update flowtable flags (bsc#1176447).
- netfilter: nftables: report EOPNOTSUPP on unsupported flowtable flags (bsc#1176447).
- netsec: restore phy power state after controller reset (bsc#1183757).
- nfc: pn533: prevent potential memory corruption (git-fixes).
- nfp: devlink: initialize the devlink port attribute "lanes" (bsc#1176447).
- nfp: flower: add ipv6 bit to pre_tunnel control message (bsc#1176447).
- nfp: flower: fix pre_tun mask id allocation (bsc#1154353).
- nfp: flower: ignore duplicate merge hints from FW (git-fixes).
- node: fix device cleanups in error handling code (git-fixes).
- null_blk: fix passing of REQ_FUA flag in null_handle_rq (git-fixes).
- nvme-core: add cancel tagset helpers (bsc#1183976).
- nvme-fabrics: decode host pathing error for connect (bsc#1179827).
- nvme-fabrics: fix kato initialization (bsc#1182591).
- nvme-fabrics: only reserve a single tag (bsc#1182077).
- nvme-fabrics: reject I/O to offline device (bsc#1181161).
- nvme-fc: check sgl supported by target (bsc#1179827).
- nvme-fc: clear q_live at beginning of association teardown (bsc#1186479).
- nvme-fc: fix racing controller reset and create association (bsc#1183048).
- nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted (bsc#1180197).
- nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted (bsc#1184259).
- nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange() (bsc#1180197).
- nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange() (bsc#1184259).
- nvme-fc: short-circuit reconnect retries (bsc#1179827).
- nvme-hwmon: Return error code when registration fails (bsc#1177326).
- nvme-hwmon: Return error code when registration fails (bsc#1177326).
- nvme-multipath: fix double initialization of ANA state (bsc#1178612, bsc#1184259).
- nvme-multipath: reset bdev to ns head when failover (bsc#178378 bsc#1182999).
- nvme-tcp: Fix possible race of io_work and direct send (git-fixes).
- nvme-tcp: Fix warning with CONFIG_DEBUG_PREEMPT (git-fixes).
- nvme-tcp: add clean action for failed reconnection (bsc#1183976).
- nvme-tcp: fix kconfig dependency warning when !CRYPTO (git-fixes).
- nvme-tcp: fix misuse of __smp_processor_id with preemption (git-fixes).
- nvme-tcp: fix possible hang waiting for icresp response (bsc#1179519).
- nvme-tcp: fix possible hang when failing to set io queues (bsc#1181161).
- nvme-tcp: use cancel tagset helper for tear down (bsc#1183976).
- nvme: Fix NULL dereference for pci nvme controllers (bsc#1182378).
- nvme: add 'kato' sysfs attribute (bsc#1179825).
- nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() (bsc#1180197).
- nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() (bsc#1184259).
- nvme: allocate the keep alive request using BLK_MQ_REQ_NOWAIT (bsc#1182077).
- nvme: call nvme_identify_ns as the first thing in nvme_alloc_ns_block (bsc#1180197).
- nvme: clean up the check for too large logic block sizes (bsc#1180197).
- nvme: define constants for identification values (git-fixes).
- nvme: do not intialize hwmon for discovery controllers (bsc#1184259).
- nvme: do not intialize hwmon for discovery controllers (git-fixes).
- nvme: explicitly update mpath disk capacity on revalidation (git-fixes).
- nvme: expose reconnect_delay and ctrl_loss_tmo via sysfs (bsc#1182378).
- nvme: factor out a nvme_configure_metadata helper (bsc#1180197).
- nvme: fix controller instance leak (git-fixes).
- nvme: fix initialization of the zone bitmaps (bsc#1180197).
- nvme: fix possible deadlock when I/O is blocked (git-fixes).
- nvme: freeze the queue over ->lba_shift updates (bsc#1180197).
- nvme: lift the check for an unallocated namespace into nvme_identify_ns (bsc#1180197).
- nvme: merge nvme_keep_alive into nvme_keep_alive_work (bsc#1182077).
- nvme: move nvme_validate_ns (bsc#1180197).
- nvme: opencode revalidate_disk in nvme_validate_ns (bsc#1180197).
- nvme: query namespace identifiers before adding the namespace (bsc#1180197).
- nvme: refactor nvme_validate_ns (bsc#1180197).
- nvme: remove nvme_identify_ns_list (bsc#1180197).
- nvme: remove nvme_update_formats (bsc#1180197).
- nvme: remove superfluous else in nvme_ctrl_loss_tmo_store (bsc#1182378).
- nvme: remove the 0 lba_shift check in nvme_update_ns_info (bsc#1180197).
- nvme: remove the disk argument to nvme_update_zone_info (bsc#1180197).
- nvme: rename __nvme_revalidate_disk (bsc#1180197).
- nvme: rename _nvme_revalidate_disk (bsc#1180197).
- nvme: rename nvme_validate_ns to nvme_validate_or_alloc_ns (bsc#1180197).
- nvme: retrigger ANA log update if group descriptor isn't found (git-fixes)
- nvme: return an error if nvme_set_queue_count() fails (bsc#1180197).
- nvme: revalidate zone bitmaps in nvme_update_ns_info (bsc#1180197).
- nvme: sanitize KATO setting (bsc#1179825).
- nvme: set the queue limits in nvme_update_ns_info (bsc#1180197).
- nvme: simplify error logic in nvme_validate_ns() (bsc#1180197).
- nvme: simplify error logic in nvme_validate_ns() (bsc#1184259).
- nvme: update the known admin effects (bsc#1180197).
- nvmet-rdma: Fix list_del corruption on queue establishment failure (bsc#1183501).
- nvmet: fix a memory leak (git-fixes).
- nvmet: seset ns->file when open fails (bsc#1183873).
- nvmet: use new ana_log_size instead the old one (bsc#1184259).
- ocfs2: fix a use after free on error (bsc#1184738).
- ovl: fix dentry leak in ovl_get_redirect (bsc#1184176).
- ovl: fix out of date comment and unreachable code (bsc#1184176).
- ovl: fix regression with re-formatted lower squashfs (bsc#1184176).
- ovl: fix unneeded call to ovl_change_flags() (bsc#1184176).
- ovl: fix value of i_ino for lower hardlink corner case (bsc#1184176).
- ovl: initialize error in ovl_copy_xattr (bsc#1184176).
- ovl: relax WARN_ON() when decoding lower directory file handle (bsc#1184176).
- pata_arasan_cf: fix IRQ check (git-fixes).
- pata_ipx4xx_cf: fix IRQ check (git-fixes).
- perf/amd/uncore: Fix sysfs type mismatch (bsc#1178134).
- phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y, unconditionally (git-fixes).
- phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() (git-fixes).
- partitions/ibm: fix non-DASD devices (bsc#1185857 LTC#192526).
- pinctrl: Ingenic: Add missing pins to the JZ4770 MAC MII group (git-fixes).
- pinctrl: core: Fix kernel doc string for pin_get_name() (git-fixes).
- pinctrl: ingenic: Improve unreachable code generation (git-fixes).
- pinctrl: lewisburg: Update number of pins in community (git-fixes).
- pinctrl: qcom: spmi-gpio: fix warning about irq chip reusage (git-fixes).
- pinctrl: rockchip: fix restore error in resume (git-fixes).
- pinctrl: samsung: use 'int' for register masks in Exynos (git-fixes).
- platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue (git-fixes).
- platform/x86: acer-wmi: Add ACER_CAP_KBD_DOCK quirk for the Aspire Switch 10E SW3-016 (git-fixes).
- platform/x86: acer-wmi: Add ACER_CAP_SET_FUNCTION_MODE capability flag (git-fixes).
- platform/x86: acer-wmi: Add new force_caps module parameter (git-fixes).
- platform/x86: acer-wmi: Add support for SW_TABLET_MODE on Switch devices (git-fixes).
- platform/x86: acer-wmi: Cleanup ACER_CAP_FOO defines (git-fixes).
- platform/x86: acer-wmi: Cleanup accelerometer device handling (git-fixes).
- platform/x86: intel-hid: Support Lenovo ThinkPad X1 Tablet Gen 2 (git-fixes).
- platform/x86: intel-vbtn: Stop reporting SW_DOCK events (git-fixes).
- platform/x86: intel_int0002_vgpio: Only call enable_irq_wake() when using s2idle (git-fixes).
- platform/x86: intel_pmc_core: Do not use global pmcdev in quirks (git-fixes).
- platform/x86: intel_pmt_crashlog: Fix incorrect macros (git-fixes).
- platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards with critclk_systems DMI table (git-fixes).
- platform/x86: thinkpad_acpi: Allow the FnLock LED to change state (git-fixes).
- platform/x86: thinkpad_acpi: Correct thermal sensor allocation (git-fixes).
- posix-timers: Preserve return value in clock_adjtime32() (git-fixes)
- post.sh: Return an error when module update fails (bsc#1047233 bsc#1184388).
- power: supply: Use IRQF_ONESHOT (git-fixes).
- power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() (git-fixes).
- power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() (git-fixes).
- powerepc/book3s64/hash: Align start/end address correctly with bolt mapping (bsc#1184957).
- powerpc/64s/exception: Clean up a missed SRR specifier (jsc#SLE-9246 git-fixes).
- powerpc/64s: Fix crashes when toggling entry flush barrier (bsc#1177666 git-fixes).
- powerpc/64s: Fix crashes when toggling stf barrier (bsc#1087082 git-fixes).
- powerpc/64s: Fix instruction encoding for lis in ppc_function_entry() (bsc#1065729).
- powerpc/64s: Fix pte update for kernel memory on radix (bsc#1055117 git-fixes).
- powerpc/asm-offsets: GPR14 is not needed either (bsc#1065729).
- powerpc/book3s64/radix: Remove WARN_ON in destroy_context() (bsc#1183692 ltc#191963).
- powerpc/eeh: Fix EEH handling for hugepages in ioremap space (bsc#1156395).
- powerpc/fadump: Mark fadump_calculate_reserve_size as __init (bsc#1065729).
- powerpc/kexec_file: Use current CPU info while setting up FDT (bsc#1184615 ltc#189835).
- powerpc/kuap: Restore AMR after replaying soft interrupts (bsc#1156395).
- powerpc/mm: Add cond_resched() while removing hpte mappings (bsc#1183289 ltc#191637).
- powerpc/papr_scm: Fix build error due to wrong printf specifier (bsc#1184969).
- powerpc/papr_scm: Implement support for H_SCM_FLUSH hcall (bsc#1184969).
- powerpc/perf: Fix PMU constraint check for EBB events (bsc#1065729).
- powerpc/perf: Fix sampled instruction type for larx/stcx (jsc#SLE-13513).
- powerpc/perf: Fix the threshold event selection for memory events in power10 (jsc#SLE-13513).
- powerpc/pmem: Include pmem prototypes (bsc#1113295 git-fixes).
- powerpc/prom: Mark identical_pvr_fixup as __init (bsc#1065729).
- powerpc/pseries/mobility: handle premature return from H_JOIN (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922).
- powerpc/pseries/mobility: use struct for shared state (bsc#1181674 ltc#189159 git-fixes bsc#1183662 ltc#191922).
- powerpc/pseries/ras: Remove unused variable 'status' (bsc#1065729).
- powerpc/pseries: Add shutdown() to vio_driver and vio_bus (bsc#1184209 ltc#190917).
- powerpc/pseries: Do not trace hcall tracing wrapper (bsc#1185110 ltc#192091).
- powerpc/pseries: Fix hcall tracing recursion in pv queued spinlocks (bsc#1185110 ltc#192091).
- powerpc/pseries: use notrace hcall variant for H_CEDE idle (bsc#1185110 ltc#192091).
- powerpc/pseries: warn if recursing into the hcall tracing code (bsc#1185110 ltc#192091).
- powerpc/smp: Reintroduce cpu_core_mask (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
- powerpc/sstep: Check instruction validity against ISA version before emulation (bsc#1156395).
- powerpc/sstep: Check instruction validity against ISA version before emulation (bsc#1156395).
- powerpc/sstep: Fix darn emulation (bsc#1156395).
- powerpc/sstep: Fix incorrect return from analyze_instr() (bsc#1156395).
- powerpc/sstep: Fix load-store and update emulation (bsc#1156395).
- powerpc/time: Enable sched clock for irqtime (bsc#1156395).
- powerpc/uaccess: Avoid might_fault() when user access is enabled (bsc#1156395).
- powerpc/uaccess: Perform barrier_nospec() in KUAP allowance helpers (bsc#1156395).
- powerpc/uaccess: Simplify unsafe_put_user() implementation (bsc#1156395).
- powerpc/xive: Drop check on irq_data in xive_core_debug_show() (bsc#1177437 ltc#188522 jsc#SLE-13294 git-fixes).
- powerpc/xmon: Fix build failure for 8xx (jsc#SLE-12936 git-fixes).
- powerpc: Fix inverted SET_FULL_REGS bitop (jsc#SLE-9246 git-fixes).
- powerpc: Fix missing declaration ofable_kernel_vsx() (git-fixes).
- proc: fix lookup in /proc/net subdirectories after setns(2) (git-fixes).
- qlcnic: fix error return code in qlcnic_83xx_restart_hw() (git-fixes).
- qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth (git-fixes).
- qxl: Fix uninitialised struct field head.surface_id (git-fixes).
- r8169: do not advertise pause in jumbo mode (git-fixes).
- r8169: fix DMA being used after buffer free if WoL is enabled (git-fixes).
- r8169: tweak max read request size for newer chips also in jumbo mtu mode (git-fixes).
- regmap: set debugfs_name to NULL after it is freed (git-fixes).
- regulator: Avoid a double 'of_node_get' in 'regulator_of_get_init_node()' (git-fixes).
- regulator: bd9571mwv: Fix AVS and DVFS voltage range (git-fixes).
- reintroduce cqhci_suspend for kABI (git-fixes).
- reiserfs: update reiserfs_xattrs_initialized() condition (bsc#1184737).
- rsi: Fix TX EAPOL packet handling against iwlwifi AP (git-fixes).
- rsi: Move card interrupt handling to RX thread (git-fixes).
- rsi: Use resume_noirq for SDIO (git-fixes).
- rsxx: remove extraneous 'const' qualifier (git-fixes).
- rtc: ds1307: Fix wday settings for rx8130 (git-fixes).
- rtc: fsl-ftm-alarm: add MODULE_TABLE() (bsc#1185454).
- rtc: fsl-ftm-alarm: avoid struct rtc_time conversions (bsc#1185454).
- rtc: fsl-ftm-alarm: enable acpi support (bsc#1185454).
- rtc: fsl-ftm-alarm: fix freeze(s2idle) failed to wake (bsc#1185454).
- rtc: fsl-ftm-alarm: report alarm to core (bsc#1185454).
- rtc: fsl-ftm-alarm: switch to ktime_get_real_seconds (bsc#1185454).
- rtc: fsl-ftm-alarm: switch to rtc_time64_to_tm/rtc_tm_to_time64 (bsc#1185454).
- rtc: fsl-ftm-alarm: update acpi device id (bsc#1185454).
- rtc: pcf2127: add alarm support (bsc#1185233).
- rtc: pcf2127: add pca2129 device id (bsc#1185233).
- rtc: pcf2127: add tamper detection support (bsc#1185233).
- rtc: pcf2127: add watchdog feature support (bsc#1185233).
- rtc: pcf2127: bugfix: watchdog build dependency (bsc#1185233).
- rtc: pcf2127: cleanup register and bit defines (bsc#1185233).
- rtc: pcf2127: convert to devm_rtc_allocate_device (bsc#1185233).
- rtc: pcf2127: fix a bug when not specify interrupts property (bsc#1185233).
- rtc: pcf2127: fix alarm handling (bsc#1185233).
- rtc: pcf2127: fix pcf2127_nvmem_read/write() returns (bsc#1185233).
- rtc: pcf2127: handle boot-enabled watchdog feature (bsc#1185233).
- rtc: pcf2127: handle timestamp interrupts (bsc#1185495).
- rtc: pcf2127: let the core handle rtc range (bsc#1185233).
- rtc: pcf2127: move watchdog initialisation to a separate function (bsc#1185233).
- rtc: pcf2127: only use watchdog when explicitly available (bsc#1185233).
- rtc: pcf2127: properly set flag WD_CD for rtc chips(pcf2129, pca2129) (bsc#1185233).
- rtc: pcf2127: remove unnecessary #ifdef (bsc#1185233).
- rtc: pcf2127: set regmap max_register (bsc#1185233).
- rtc: pcf2127: watchdog: handle nowayout feature (bsc#1185233).
- rtlwifi: 8821ae: upgrade PHY and RF parameters (git-fixes).
- rtw88: Fix an error code in rtw_debugfs_set_rsvd_page() (git-fixes).
- rtw88: Fix array overrun in rtw_get_tx_power_params() (git-fixes).
- rtw88: coex: 8821c: correct antenna switch function (git-fixes).
- s390/cio: return -EFAULT if copy_to_user() fails (git-fixes).
- s390/cio: return -EFAULT if copy_to_user() fails (git-fixes).
- s390/crypto: return -EFAULT if copy_to_user() fails (git-fixes).
- s390/dasd: fix hanging DASD driver unbind (bsc#1183932 LTC#192153).
- s390/dasd: fix hanging IO request during DASD driver unbind (git-fixes).
- s390/entry: save the caller of psw_idle (bsc#1185677).
- s390/ipl: support NVMe IPL kernel parameters (bsc#1185980 LTC#192679).
- s390/kdump: fix out-of-memory with PCI (bsc#1182257 LTC#191375).
- s390/pci: fix leak of PCI device structure (git-fixes).
- s390/qeth: fix memory leak after failed TX Buffer allocation (git-fixes).
- s390/qeth: fix notification for pending buffers during teardown (git-fixes).
- s390/qeth: improve completion of pending TX buffers (git-fixes).
- s390/qeth: schedule TX NAPI on QAOB completion (git-fixes).
- s390/vtime: fix increased steal time accounting (bsc#1183859).
- s390/zcrypt: return EIO when msg retry limit reached (git-fixes).
- samples, bpf: Add missing munmap in xdpsock (bsc#1155518).
- samples/bpf: Fix possible hang in xdpsock with multiple threads (bsc#1155518).
- sata_mv: add IRQ checks (git-fixes).
- sched/eas: Do not update misfit status if the task is pinned (git-fixes)
- sched/fair: Avoid stale CPU util_est value for schedutil in (git-fixes)
- sched/fair: Fix shift-out-of-bounds in load_balance() (git fixes (sched)).
- sched/fair: Fix unfairness caused by missing load decay (git-fixes)
- scripts/git_sort/git_sort.py: add bpf git repo
- scsi: aacraid: Improve compat_ioctl handlers (bsc#1186352).
- scsi: block: Fix a race in the runtime power management code (git-fixes).
- scsi: core: Only return started requests from scsi_host_find_tag() (bsc#1179851).
- scsi: core: Run queue in case of I/O resource contention failure (bsc#1186416).
- scsi: core: add scsi_host_busy_iter() (bsc#1179851).
- scsi: fnic: Kill 'exclude_id' argument to fnic_cleanup_io() (bsc#1179851).
- scsi: fnic: Remove bogus ratelimit messages (bsc#1183249).
- scsi: libfc: Avoid invoking response handler twice if ep is already completed (bsc#1186573).
- scsi: lpfc: Add a option to enable interlocked ABTS before job completion (bsc#1186451).
- scsi: lpfc: Add ndlp kref accounting for resume RPI path (bsc#1186451).
- scsi: lpfc: Change wording of invalid pci reset log message (bsc#1182574).
- scsi: lpfc: Correct function header comments related to ndlp reference counting (bsc#1182574).
- scsi: lpfc: Eliminate use of LPFC_DRIVER_NAME in lpfc_attr.c (bsc#1185472).
- scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology (bsc#1186451).
- scsi: lpfc: Fix ADISC handling that never frees nodes (bsc#1182574).
- scsi: lpfc: Fix DMA virtual address ptr assignment in bsg (bsc#1185365).
- scsi: lpfc: Fix FLOGI failure due to accessing a freed node (bsc#1182574).
- scsi: lpfc: Fix NMI crash during rmmod due to circular hbalock dependency (bsc#1185472).
- scsi: lpfc: Fix Node recovery when driver is handling simultaneous PLOGIs (bsc#1186451).
- scsi: lpfc: Fix PLOGI ACC to be transmit after REG_LOGIN (bsc#1182574).
- scsi: lpfc: Fix a bunch of kernel-doc issues (bsc#1185472).
- scsi: lpfc: Fix a bunch of kernel-doc misdemeanours (bsc#1185472).
- scsi: lpfc: Fix a bunch of misnamed functions (bsc#1185472).
- scsi: lpfc: Fix a few incorrectly named functions (bsc#1185472).
- scsi: lpfc: Fix a typo (bsc#1185472).
- scsi: lpfc: Fix bad memory access during VPD DUMP mailbox command (bsc#1186451).
- scsi: lpfc: Fix crash caused by switch reboot (bsc#1182574).
- scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO response (bsc#1185472).
- scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs (bsc#1186451).
- scsi: lpfc: Fix dropped FLOGI during pt2pt discovery recovery (bsc#1182574).
- scsi: lpfc: Fix error handling for mailboxes completed in MBX_POLL mode (bsc#1185472).
- scsi: lpfc: Fix formatting and misspelling issues (bsc#1185472).
- scsi: lpfc: Fix gcc -Wstringop-overread warning (bsc#1185472).
- scsi: lpfc: Fix illegal memory access on Abort IOCBs (bsc#1183203).
- scsi: lpfc: Fix incorrect dbde assignment when building target abts wqe (bsc#1182574).
- scsi: lpfc: Fix incorrect naming of __lpfc_update_fcf_record() (bsc#1185472).
- scsi: lpfc: Fix incorrectly documented function lpfc_debugfs_commonxripools_data() (bsc#1185472).
- scsi: lpfc: Fix kernel-doc formatting issue (bsc#1185472).
- scsi: lpfc: Fix lack of device removal on port swaps with PRLIs (bsc#1185472).
- scsi: lpfc: Fix lpfc_els_retry() possible null pointer dereference (bsc#1182574).
- scsi: lpfc: Fix lpfc_hdw_queue attribute being ignored (bsc#1185472).
- scsi: lpfc: Fix missing FDMI registrations after Mgmt Svc login (bsc#1185472).
- scsi: lpfc: Fix node handling for Fabric Controller and Domain Controller (bsc#1186451).
- scsi: lpfc: Fix nodeinfo debugfs output (bsc#1182574).
- scsi: lpfc: Fix non-optimized ERSP handling (bsc#1186451).
- scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb() (bsc#1182574).
- scsi: lpfc: Fix pt2pt connection does not recover after LOGO (bsc#1182574).
- scsi: lpfc: Fix pt2pt state transition causing rmmod hang (bsc#1182574).
- scsi: lpfc: Fix reference counting errors in lpfc_cmpl_els_rsp() (bsc#1185472).
- scsi: lpfc: Fix reftag generation sizing errors (bsc#1182574).
- scsi: lpfc: Fix rmmod crash due to bad ring pointers to abort_iotag (bsc#1185472).
- scsi: lpfc: Fix silent memory allocation failure in lpfc_sli4_bsg_link_diag_test() (bsc#1185472).
- scsi: lpfc: Fix some error codes in debugfs (bsc#1185472).
- scsi: lpfc: Fix stale node accesses on stale RRQ request (bsc#1182574).
- scsi: lpfc: Fix status returned in lpfc_els_retry() error exit path (bsc#1182574).
- scsi: lpfc: Fix unnecessary null check in lpfc_release_scsi_buf (bsc#1182574).
- scsi: lpfc: Fix unreleased RPIs when NPIV ports are created (bsc#1186451).
- scsi: lpfc: Fix use after free in lpfc_els_free_iocb (bsc#1182574).
- scsi: lpfc: Fix use-after-free on unused nodes after port swap (bsc#1185472).
- scsi: lpfc: Fix various trivial errors in comments and log messages (bsc#1185472).
- scsi: lpfc: Fix vport indices in lpfc_find_vport_by_vpid() (bsc#1182574).
- scsi: lpfc: Ignore GID-FT response that may be received after a link flip (bsc#1186451).
- scsi: lpfc: Reduce LOG_TRACE_EVENT logging for vports (bsc#1182574).
- scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic (bsc#1185472).
- scsi: lpfc: Reregister FPIN types if ELS_RDF is received from fabric controller (bsc#1186451).
- scsi: lpfc: Standardize discovery object logging format (bsc#1185472).
- scsi: lpfc: Update copyrights for 12.8.0.7 and 12.8.0.8 changes (bsc#1182574).
- scsi: lpfc: Update lpfc version to 12.8.0.10 (bsc#1186451).
- scsi: lpfc: Update lpfc version to 12.8.0.8 (bsc#1182574).
- scsi: lpfc: Update lpfc version to 12.8.0.9 (bsc#1185472).
- scsi: mpt3sas: Only one vSES is present even when IOC has multi vSES (bsc#1185954).
- scsi: pm80xx: Do not sleep in atomic context (bsc#1186353).
- scsi: pm80xx: Fix chip initialization failure (bsc#1186354).
- scsi: pm80xx: Fix potential infinite loop (bsc#1186354).
- scsi: pm80xx: Increase timeout for pm80xx mpi_uninit_check() (bsc#1186355).
- scsi: qla2xxx: Add H:C:T info in the log message for fc ports (bsc#1185491).
- scsi: qla2xxx: Add error counters to debugfs node (bsc#1185491).
- scsi: qla2xxx: Always check the return value of qla24xx_get_isp_stats() (bsc#1185491).
- scsi: qla2xxx: Assign boolean values to a bool variable (bsc#1185491).
- scsi: qla2xxx: Check kzalloc() return value (bsc#1185491).
- scsi: qla2xxx: Consolidate zio threshold setting for both FCP & NVMe (bsc#1185491).
- scsi: qla2xxx: Constify struct qla_tgt_func_tmpl (bsc#1185491).
- scsi: qla2xxx: Do logout even if fabric scan retries got exhausted (bsc#1185491).
- scsi: qla2xxx: Enable NVMe CONF (BIT_7) when enabling SLER (bsc#1185491).
- scsi: qla2xxx: Fix IOPS drop seen in some adapters (bsc#1185491).
- scsi: qla2xxx: Fix RISC RESET completion polling (bsc#1185491).
- scsi: qla2xxx: Fix a couple of misdocumented functions (bsc#1185491).
- scsi: qla2xxx: Fix a couple of misnamed functions (bsc#1185491).
- scsi: qla2xxx: Fix broken #endif placement (bsc#1185491).
- scsi: qla2xxx: Fix crash in PCIe error handling (bsc#1185491).
- scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() (bsc#1185491).
- scsi: qla2xxx: Fix endianness annotations (bsc#1185491).
- scsi: qla2xxx: Fix incorrectly named function qla8044_check_temp() (bsc#1185491).
- scsi: qla2xxx: Fix mailbox Ch erroneous error (bsc#1185491).
- scsi: qla2xxx: Fix mailbox recovery during PCIe error (bsc#1185491).
- scsi: qla2xxx: Fix some incorrect formatting/spelling issues (bsc#1185491).
- scsi: qla2xxx: Fix some memory corruption (bsc#1185491).
- scsi: qla2xxx: Fix stuck session (bsc#1185491).
- scsi: qla2xxx: Fix use after free in bsg (bsc#1185491).
- scsi: qla2xxx: Implementation to get and manage host, target stats and initiator port (bsc#1185491).
- scsi: qla2xxx: Move some messages from debug to normal log level (bsc#1185491).
- scsi: qla2xxx: Remove redundant NULL check (bsc#1185491).
- scsi: qla2xxx: Remove unnecessary NULL check (bsc#1185491).
- scsi: qla2xxx: Remove unneeded if-null-free check (bsc#1185491).
- scsi: qla2xxx: Replace __qla2x00_marker()'s missing underscores (bsc#1185491).
- scsi: qla2xxx: Reserve extra IRQ vectors (bsc#1184436).
- scsi: qla2xxx: Reuse existing error handling path (bsc#1185491).
- scsi: qla2xxx: Simplify if statement (bsc#1185491).
- scsi: qla2xxx: Simplify qla8044_minidump_process_control() (bsc#1185491).
- scsi: qla2xxx: Simplify the calculation of variables (bsc#1185491).
- scsi: qla2xxx: Suppress Coverity complaints about dseg_r* (bsc#1185491).
- scsi: qla2xxx: Update default AER debug mask (bsc#1185491).
- scsi: qla2xxx: Update version to 10.02.00.105-k (bsc#1185491).
- scsi: qla2xxx: Update version to 10.02.00.106-k (bsc#1185491).
- scsi: qla2xxx: Use dma_pool_zalloc() (bsc#1185491).
- scsi: qla2xxx: Wait for ABTS response on I/O timeouts for NVMe (bsc#1185491).
- scsi: qla2xxx: fc_remote_port_chkready() returns a SCSI result value (bsc#1185491).
- scsi: smartpqi: Correct driver removal with HBA disks (bsc#1178089).
- scsi: smartpqi: Correct driver removal with HBA disks (bsc#1178089).
- scsi: smartpqi: Correct pqi_sas_smp_handler busy condition (bsc#1178089).
- scsi: smartpqi: Correct pqi_sas_smp_handler busy condition (bsc#1178089).
- scsi: smartpqi: Update version to 1.2.16-012 (bsc#1178089).
- scsi: smartpqi: Update version to 1.2.16-012 (bsc#1178089).
- scsi: target: pscsi: Avoid OOM in pscsi_map_sg() (bsc#1183843).
- scsi: target: pscsi: Clean up after failure in pscsi_map_sg() (bsc#1183843).
- scsi: target: tcmu: Fix use-after-free of se_cmd->priv (bsc#1186356).
- scsi: target: tcmu: Fix warning: 'page' may be used uninitialized (bsc#1186357).
- sctp: delay auto_asconf init until binding the first addr (<cover.1620748346.git.mkubecek at suse.cz>).
- security: keys: trusted: fix TPM2 authorizations (git-fixes).
- selftests/bpf: Fix BPF_CORE_READ_BITFIELD() macro (bsc#1177028).
- selftests/bpf: Fix the ASSERT_ERR_PTR macro (bsc#1177028).
- selftests/bpf: Mask bpf_csum_diff() return value to 16 bits in test_verifier (bsc#1155518).
- selftests/bpf: No need to drop the packet when there is no geneve opt (bsc#1155518).
- selftests/bpf: Re-generate vmlinux.h and BPF skeletons if bpftool changed (bsc#1177028).
- selftests/bpf: Set gopt opt_class to 0 if get tunnel opt failed (bsc#1155518).
- selftests/powerpc: Add pkey helpers for rights (bsc#1184934 ltc#191460).
- selftests/powerpc: Add test for execute-disabled pkeys (bsc#1184934 ltc#191460).
- selftests/powerpc: Add test for pkey siginfo verification (bsc#1184934 ltc#191460).
- selftests/powerpc: Add wrapper for gettid (bsc#1184934 ltc#191460).
- selftests/powerpc: Fix L1D flushing tests for Power10 (bsc#1184934 ltc#191460).
- selftests/powerpc: Fix exit status of pkey tests (bsc#1184934 ltc#191460).
- selftests/powerpc: Fix pkey syscall redefinitions (bsc#1184934 ltc#191460).
- selftests/powerpc: Move pkey helpers to headers (bsc#1184934 ltc#191460).
- selftests/powerpc: refactor entry and rfi_flush tests (bsc#1184934 ltc#191460).
- selftests: mlxsw: Remove a redundant if statement in tc_flower_scale test (bsc#1176774).
- selinux: Fix error return code in sel_ib_pkey_sid_slow() (git-fixes).
- selinux: fix error initialization in inode_doinit_with_dentry() (git-fixes).
- selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling (git-fixes).
- serial: core: return early on unsupported ioctls (git-fixes).
- serial: stm32: fix incorrect characters on console (git-fixes).
- serial: stm32: fix tx_empty condition (git-fixes).
- smb3: Fix out-of-bounds bug in SMB2_negotiate() (bsc#1183540).
- smb3: add dynamic trace point to trace when credits obtained (bsc#1181507).
- smb3: fix crediting for compounding when only one request in flight (bsc#1181507).
- smc: disallow TCP_ULP in smc_setsockopt() (git-fixes).
- soc/fsl: qbman: fix conflicting alignment attributes (git-fixes).
- soc: aspeed: fix a ternary sign expansion bug (git-fixes).
- soc: fsl: qe: replace qe_io{read,write}* wrappers by generic io{read,write}* (git-fixes).
- soc: qcom: mdt_loader: Detect truncated read of segments (git-fixes).
- soc: qcom: mdt_loader: Validate that p_filesz < p_memsz (git-fixes).
- software node: Fix node registration (git-fixes).
- soundwire: bus: Fix device found flag correctly (git-fixes).
- soundwire: stream: fix memory leak in stream config error path (git-fixes).
- spi: Introduce dspi_slave_abort() function for NXP's dspi SPI driver (bsc#1167260).
- spi: ath79: always call chipselect function (git-fixes).
- spi: ath79: remove spi-master setup and cleanup assignment (git-fixes).
- spi: cadence: set cqspi to the driver_data field of struct device (git-fixes).
- spi: dln2: Fix reference leak to master (git-fixes).
- spi: fsl-dspi: fix NULL pointer dereference (bsc#1167260).
- spi: fsl-dspi: fix use-after-free in remove path (bsc#1167260).
- spi: fsl-dspi: fix wrong pointer in suspend/resume (bsc#1167260).
- spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware() (git-fixes).
- spi: omap-100k: Fix reference leak to master (git-fixes).
- spi: qup: fix PM reference leak in spi_qup_remove() (git-fixes).
- spi: spi-fsl-dspi: Accelerate transfers using larger word size if possible (bsc#1167260).
- spi: spi-fsl-dspi: Add comments around dspi_pop_tx and dspi_push_rx functions (bsc#1167260).
- spi: spi-fsl-dspi: Add support for LS1028A (bsc#1167260).
- spi: spi-fsl-dspi: Adding shutdown hook (bsc#1167260).
- spi: spi-fsl-dspi: Always use the TCFQ devices in poll mode (bsc#1167260).
- spi: spi-fsl-dspi: Avoid NULL pointer in dspi_slave_abort for non-DMA mode (bsc#1167260).
- spi: spi-fsl-dspi: Avoid reading more data than written in EOQ mode (bsc#1167260).
- spi: spi-fsl-dspi: Change usage pattern of SPI_MCR_* and SPI_CTAR_* macros (bsc#1167260).
- spi: spi-fsl-dspi: Convert TCFQ users to XSPI FIFO mode (bsc#1167260).
- spi: spi-fsl-dspi: Convert the instantiations that support it to DMA (bsc#1167260).
- spi: spi-fsl-dspi: Demistify magic value in SPI_SR_CLEAR (bsc#1167260).
- spi: spi-fsl-dspi: Do not access reserved fields in SPI_MCR (bsc#1167260).
- spi: spi-fsl-dspi: Do not mask off undefined bits (bsc#1167260).
- spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours (bsc#1167260).
- spi: spi-fsl-dspi: Fix 16-bit word order in 32-bit XSPI mode (bsc#1167260).
- spi: spi-fsl-dspi: Fix a resource leak in an error handling path (git-fixes).
- spi: spi-fsl-dspi: Fix bits-per-word acceleration in DMA mode (bsc#1167260).
- spi: spi-fsl-dspi: Fix code alignment (bsc#1167260).
- spi: spi-fsl-dspi: Fix external abort on interrupt in resume or exit paths (bsc#1167260).
- spi: spi-fsl-dspi: Fix interrupt-less DMA mode taking an XSPI code path (bsc#1167260).
- spi: spi-fsl-dspi: Fix little endian access to PUSHR CMD and TXDATA (bsc#1167260).
- spi: spi-fsl-dspi: Fix lockup if device is removed during SPI transfer (bsc#1167260).
- spi: spi-fsl-dspi: Fix lockup if device is shutdown during SPI transfer (bsc#1167260).
- spi: spi-fsl-dspi: Fix race condition in TCFQ/EOQ interrupt (bsc#1167260).
- spi: spi-fsl-dspi: Fix typos (bsc#1167260).
- spi: spi-fsl-dspi: Free DMA memory with matching function (bsc#1167260).
- spi: spi-fsl-dspi: Implement .max_message_size method for EOQ mode (bsc#1167260).
- spi: spi-fsl-dspi: Initialize completion before possible interrupt (bsc#1167260).
- spi: spi-fsl-dspi: LS2080A and LX2160A support XSPI mode (bsc#1167260).
- spi: spi-fsl-dspi: Make bus-num property optional (bsc#1167260).
- spi: spi-fsl-dspi: Move dspi_interrupt above dspi_transfer_one_message (bsc#1167260).
- spi: spi-fsl-dspi: Move invariant configs out of dspi_transfer_one_message (bsc#1167260).
- spi: spi-fsl-dspi: Optimize dspi_setup_accel for lowest interrupt count (bsc#1167260).
- spi: spi-fsl-dspi: Parameterize the FIFO size and DMA buffer size (bsc#1167260).
- spi: spi-fsl-dspi: Protect against races on dspi->words_in_flight (bsc#1167260).
- spi: spi-fsl-dspi: Reduce indentation in dspi_release_dma() (bsc#1167260).
- spi: spi-fsl-dspi: Reduce indentation level in dspi_interrupt (bsc#1167260).
- spi: spi-fsl-dspi: Remove impossible to reach error check (bsc#1167260).
- spi: spi-fsl-dspi: Remove pointless assignment of master->transfer to NULL (bsc#1167260).
- spi: spi-fsl-dspi: Remove unused chip->void_write_data (bsc#1167260).
- spi: spi-fsl-dspi: Remove unused defines and includes (bsc#1167260).
- spi: spi-fsl-dspi: Remove unused initialization of 'ret' in dspi_probe (bsc#1167260).
- spi: spi-fsl-dspi: Rename fifo_{read,write} and {tx,cmd}_fifo_write (bsc#1167260).
- spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion (bsc#1167260).
- spi: spi-fsl-dspi: Replace legacy spi_master names with spi_controller (bsc#1167260).
- spi: spi-fsl-dspi: Simplify bytes_per_word gymnastics (bsc#1167260).
- spi: spi-fsl-dspi: Take software timestamp in dspi_fifo_write (bsc#1167260).
- spi: spi-fsl-dspi: Use BIT() and GENMASK() macros (bsc#1167260).
- spi: spi-fsl-dspi: Use EOQ for last word in buffer even for XSPI mode (bsc#1167260).
- spi: spi-fsl-dspi: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1167260).
- spi: spi-fsl-dspi: Use poll mode in case the platform IRQ is missing (bsc#1167260).
- spi: spi-fsl-dspi: Use reverse Christmas tree declaration order (bsc#1167260).
- spi: spi-fsl-dspi: Use specific compatible strings for all SoC instantiations (bsc#1167260).
- spi: spi-fsl-dspi: delete EOQ transfer mode (bsc#1167260).
- spi: spi-fsl-dspi: fix DMA mapping (bsc#1167260).
- spi: spi-fsl-dspi: fix native data copy (bsc#1167260).
- spi: spi-fsl-dspi: remove git-fixes Remove git-fixes. Prepare to update the driver. References: bsc#1167260
- spi: spi-fsl-dspi: set ColdFire to DMA mode (bsc#1167260).
- spi: spi-fsl-dspi: use XSPI mode instead of DMA for DPAA2 SoCs (bsc#1167260).
- spi: spi-ti-qspi: Free DMA resources (git-fixes).
- spi: stm32: make spurious and overrun interrupts visible (git-fixes).
- squashfs: fix inode lookup sanity checks (bsc#1183750).
- squashfs: fix xattr id and id lookup sanity checks (bsc#1183750).
- staging: bcm2835-audio: Replace unsafe strcpy() with strscpy() (git-fixes).
- staging: comedi: addi_apci_1032: Fix endian problem for COS sample (git-fixes).
- staging: comedi: addi_apci_1500: Fix endian problem for command sample (git-fixes).
- staging: comedi: adv_pci1710: Fix endian problem for AI command data (git-fixes).
- staging: comedi: cb_pcidas64: fix request_irq() warn (git-fixes).
- staging: comedi: cb_pcidas: fix request_irq() warn (git-fixes).
- staging: comedi: das6402: Fix endian problem for AI command data (git-fixes).
- staging: comedi: das800: Fix endian problem for AI command data (git-fixes).
- staging: comedi: dmm32at: Fix endian problem for AI command data (git-fixes).
- staging: comedi: me4000: Fix endian problem for AI command data (git-fixes).
- staging: comedi: pcl711: Fix endian problem for AI command data (git-fixes).
- staging: comedi: pcl818: Fix endian problem for AI command data (git-fixes).
- staging: fwserial: Fix error handling in fwserial_create (git-fixes).
- staging: fwserial: fix TIOCGSERIAL implementation (git-fixes).
- staging: fwserial: fix TIOCSSERIAL implementation (git-fixes).
- staging: fwserial: fix TIOCSSERIAL jiffies conversions (git-fixes).
- staging: fwserial: fix TIOCSSERIAL permission check (git-fixes).
- staging: ks7010: prevent buffer overflow in ks_wlan_set_scan() (git-fixes).
- staging: most: sound: add sanity check for function argument (git-fixes).
- staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data() (git-fixes).
- staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan() (git-fixes).
- staging: rtl8192e: Change state information from u16 to u8 (git-fixes).
- staging: rtl8192e: Fix incorrect source in memcpy() (git-fixes).
- staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan (git-fixes).
- staging: rtl8192u: Fix potential infinite loop (git-fixes).
- staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan() (git-fixes).
- staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd (git-fixes).
- staging: rtl8712: unterminated string leads to read overflow (git-fixes).
- stop_machine: mark helpers __always_inline (git-fixes).
- supported.conf:
- supported.conf: add bsc1185010 dependency
- supported.conf: mark usb_otg_fsm as supported (bsc#1185010)
- tcp: fix to update snd_wl1 in bulk receiver fast path (<cover.1620748346.git.mkubecek at suse.cz>).
- tee: optee: remove need_resched() before cond_resched() (git-fixes).
- tee: optee: replace might_sleep with cond_resched (git-fixes).
- thermal/core: Add NULL pointer check before using cooling device stats (git-fixes).
- thermal/drivers/cpufreq_cooling: Update cpufreq_state only if state has changed (git-fixes).
- thermal/drivers/ti-soc-thermal/bandgap Remove unused variable 'val' (git-fixes).
- thermal: thermal_of: Fix error return code of thermal_of_populate_bind_params() (git-fixes).
- thunderbolt: Fix a leak in tb_retimer_add() (git-fixes).
- thunderbolt: Fix a leak in tb_retimer_add() (git-fixes).
- thunderbolt: Fix off by one in tb_port_find_retimer() (git-fixes).
- thunderbolt: Fix off by one in tb_port_find_retimer() (git-fixes).
- thunderbolt: Initialize HopID IDAs in tb_switch_alloc() (git-fixes).
- tools/resolve_btfids: Fix build error with older host toolchains (bsc#1177028).
- tpm: acpi: Check eventlog signature before using it (git-fixes).
- tracing: Map all PIDs to command lines (git-fixes).
- tty: amiserial: fix TIOCSSERIAL permission check (git-fixes).
- tty: fix memory leak in vc_deallocate (git-fixes).
- tty: moxa: fix TIOCSSERIAL jiffies conversions (git-fixes).
- tty: moxa: fix TIOCSSERIAL permission check (git-fixes).
- tty: serial: lpuart: fix lpuart32_write usage (git-fixes).
- tty: serial: ucc_uart: replace qe_io{read,write}* wrappers by generic io{read,write}* (git-fixes).
- udlfb: Fix memory leak in dlfb_usb_probe (git-fixes).
- uio: uio_hv_generic: use devm_kzalloc() for private data alloc (git-fixes).
- uio_hv_generic: Fix a memory leak in error handling paths (git-fixes).
- uio_hv_generic: Fix another memory leak in error handling paths (git-fixes).
- uio_hv_generic: add missed sysfs_remove_bin_file (git-fixes).
- usb-storage: Add quirk to defeat Kindle's automatic unload (git-fixes).
- usb: Remove dev_err() usage after platform_get_irq() (git-fixes).
- usb: core: hub: Fix PM reference leak in usb_port_resume() (git-fixes).
- usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes).
- usb: dwc2: Fix HPRT0.PrtSusp bit setting for HiKey 960 board (git-fixes).
- usb: dwc2: Fix gadget DMA unmap direction (git-fixes).
- usb: dwc2: Fix hibernation between host and device modes (git-fixes).
- usb: dwc2: Fix host mode hibernation exit with remote wakeup flow (git-fixes).
- usb: dwc2: Fix session request interrupt handler (git-fixes).
- usb: dwc2: Prevent core suspend when port connection flag is 0 (git-fixes).
- usb: dwc3: Switch to use device_property_count_u32() (git-fixes).
- usb: dwc3: Update soft-reset wait polling rate (git-fixes).
- usb: dwc3: gadget: Fix START_TRANSFER link state check (git-fixes).
- usb: dwc3: gadget: Return success always for kick transfer in ep queue (git-fixes).
- usb: dwc3: keystone: use devm_platform_ioremap_resource() to simplify code (git-fixes).
- usb: dwc3: meson-g12a: use devm_platform_ioremap_resource() to simplify code (git-fixes).
- usb: dwc3: omap: improve extcon initialization (git-fixes).
- usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield (git-fixes).
- usb: dwc3: qcom: Add missing DWC3 OF node refcount decrement (git-fixes).
- usb: dwc3: qcom: Honor wakeup enabled/disabled state (git-fixes).
- usb: fotg210-hcd: Fix an error message (git-fixes).
- usb: gadget/function/f_fs string table fix for multiple languages (git-fixes).
- usb: gadget: Fix double free of device descriptor pointers (git-fixes).
- usb: gadget: aspeed: fix dma map failure (git-fixes).
- usb: gadget: configfs: Fix KASAN use-after-free (git-fixes).
- usb: gadget: dummy_hcd: fix gpf in gadget_setup (git-fixes).
- usb: gadget: f_uac1: stop playback on function disable (git-fixes).
- usb: gadget: f_uac1: validate input parameters (git-fixes).
- usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot (git-fixes).
- usb: gadget: f_uac2: validate input parameters (git-fixes).
- usb: gadget: pch_udc: Check for DMA mapping error (git-fixes).
- usb: gadget: pch_udc: Check if driver is present before calling ->setup() (git-fixes).
- usb: gadget: pch_udc: Move pch_udc_init() to satisfy kernel doc (git-fixes).
- usb: gadget: pch_udc: Replace cpu_to_le32() by lower_32_bits() (git-fixes).
- usb: gadget: pch_udc: Revert d3cb25a12138 completely (git-fixes).
- usb: gadget: r8a66597: Add missing null check on return from platform_get_resource (git-fixes).
- usb: gadget: udc: amd5536udc_pci fix null-ptr-dereference (git-fixes).
- usb: gadget: uvc: add bInterval checking for HS mode (git-fixes).
- usb: musb: Fix suspend with devices connected for a64 (git-fixes).
- usb: musb: fix PM reference leak in musb_irq_work() (git-fixes).
- usb: pci-quirks: disable D3cold on xhci suspend for s2idle on AMD Renoire (bsc#1185840).
- usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM (git-fixes).
- usb: roles: Call try_module_get() from usb_role_switch_find_by_fwnode() (git-fixes).
- usb: roles: Call try_module_get() from usb_role_switch_find_by_fwnode() (git-fixes).
- usb: sl811-hcd: improve misleading indentation (git-fixes).
- usb: typec: Remove vdo[3] part of tps6598x_rx_identity_reg struct (git-fixes).
- usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS (git-fixes).
- usb: typec: tcpm: Address incorrect values of tcpm psy for fixed supply (git-fixes).
- usb: typec: tcpm: Honour pSnkStdby requirement during negotiation (git-fixes).
- usb: typec: tcpm: Invoke power_supply_changed for tcpm-source-psy- (git-fixes).
- usb: typec: tcpm: Invoke power_supply_changed for tcpm-source-psy- (git-fixes).
- usb: typec: tps6598x: Fix return value check in tps6598x_probe() (git-fixes).
- usb: typec: tps6598x: Fix return value check in tps6598x_probe() (git-fixes).
- usb: typec: ucsi: Put fwnode in any case during ->probe() (git-fixes).
- usb: webcam: Invalid size of Processing Unit Descriptor (git-fixes).
- usb: xhci-mtk: fix broken streams issue on 0.96 xHCI (git-fixes).
- usb: xhci-mtk: improve bandwidth scheduling with TT (git-fixes).
- usb: xhci-mtk: remove or operator for setting schedule parameters (git-fixes).
- usb: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing (git-fixes).
- usb: xhci: Fix port minor revision (git-fixes).
- usb: xhci: Increase timeout for HC halt (git-fixes).
- usb: xhci: do not perform Soft Retry for some xHCI hosts (git-fixes).
- usbip: Fix incorrect double assignment to udc->ud.tcp_rx (git-fixes).
- usbip: fix stub_dev to check for stream socket (git-fixes).
- usbip: fix stub_dev usbip_sockfd_store() races leading to gpf (git-fixes).
- usbip: fix vhci_hcd attach_store() races leading to gpf (git-fixes).
- usbip: fix vhci_hcd to check for stream socket (git-fixes).
- usbip: fix vudc to check for stream socket (git-fixes).
- usbip: fix vudc usbip_sockfd_store races leading to gpf (git-fixes).
- usbip: tools: fix build error for multiple definition (git-fixes).
- usbip: vhci_hcd fix shift out-of-bounds in vhci_hub_control() (git-fixes).
- use __netdev_notify_peers in ibmvnic (bsc#1183871 ltc#192139).
- veth: Store queue_mapping independently of XDP prog presence (git-fixes).
- vfio-pci/zdev: fix possible segmentation fault issue (git-fixes).
- vfio/iommu_type1: Populate full dirty when detach non-pinned group (bsc#1183326).
- vfio/mdev: Do not allow a mdev_type to have a NULL parent pointer (git-fixes).
- vfio/mdev: Make to_mdev_device() into a static inline (git-fixes).
- vfio/pci: Add missing range check in vfio_pci_mmap (git-fixes).
- vfio/pci: Move VGA and VF initialization to functions (git-fixes).
- vfio/pci: Re-order vfio_pci_probe() (git-fixes).
- vgacon: Record video mode changes with VT_RESIZEX (git-fixes).
- video: fbdev: acornfb: remove free_unused_pages() (bsc#1152489)
- video: hyperv_fb: Add ratelimit on error message (bsc#1185725).
- video: hyperv_fb: Fix a double free in hvfb_probe (git-fixes).
- virt_wifi: Return micros for BSS TSF values (git-fixes).
- virtiofs: fix memory leak in virtio_fs_probe() (bsc#1185558).
- vrf: fix a comment about loopback device (git-fixes).
- vt/consolemap: do font sum unsigned (git-fixes).
- vxlan: do not modify the shared tunnel info when PMTU triggers an ICMP reply (bsc#1176447).
- vxlan: move debug check after netdev unregister (git-fixes).
- watchdog/softlockup: Remove obsolete check of last reported task (bsc#1185982).
- watchdog/softlockup: report the overall time of softlockups (bsc#1185982).
- watchdog: explicitly update timestamp when reporting softlockup (bsc#1185982).
- watchdog: rename __touch_watchdog() to a better descriptive name (bsc#1185982).
- whitespace cleanup
- wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join (git-fixes).
- wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt (git-fixes).
- wlcore: Fix command execute failure 19 for wl12xx (git-fixes).
- workqueue: Minor follow-ups to the rescuer destruction change (bsc#1185911).
- workqueue: Move the position of debug_work_activate() in __queue_work() (bsc#1184893).
- workqueue: more destroy_workqueue() fixes (bsc#1185911).
- x86,swiotlb: Adjust SWIOTLB bounce buffer size for SEV guests (bsc#1186219).
- x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access (bsc#1152489).
- x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task (bsc#1152489).
- x86/insn: Add some Intel instructions to the opcode map (bsc#1184760).
- x86/insn: Add some more Intel instructions to the opcode map (bsc#1184760).
- x86/ioapic: Ignore IRQ2 again (bsc#1152489).
- x86/mem_encrypt: Correct physical address calculation in __set_clr_pte_enc() (bsc#1152489).
- x86/microcode: Check for offline CPUs before requesting new microcode (bsc#1152489).
- x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd (bsc#1152489).
- x86/platform/uv: Set section block size for hubless architectures (bsc#1152489).
- x86/reboot: Force all cpus to exit VMX root if VMX is supported (bsc#1152489).
- x86/sev-es: Invalidate the GHCB after completing VMGEXIT (bsc#1178134).
- x86/sev-es: Move sev_es_put_ghcb() in prep for follow on patch (bsc#1178134).
- x86: Introduce TS_COMPAT_RESTART to fix get_nr_restart_syscall() (bsc#1152489).
- xen/events: avoid handling the same event on two cpus at the same time (git-fixes).
- xen/events: do not unmask an event channel when an eoi is pending (git-fixes).
- xen/events: reset affinity of 2-level event when tearing it down (git-fixes).
- xen/evtchn: Change irq_info lock to raw_spinlock_t (git-fixes).
- xfrm: Provide private skb extensions for segmented and hw offloaded ESP packets (bsc#1176447).
- xfs: group quota should return EDQUOT when prj quota enabled (bsc#1180980).
- xhci: Do not use GFP_KERNEL in (potentially) atomic context (git-fixes).
- xhci: Fix repeated xhci wake after suspend due to uncleared internal wake state (git-fixes).
- xhci: Improve detection of device initiated wake signal (git-fixes).
- xhci: check control context is valid before dereferencing it (git-fixes).
- xhci: fix potential array out of bounds with several interrupters (git-fixes).
- xsk: Respect device's headroom and tailroom on generic xmit path (git-fixes).
- xsk: Respect device's headroom and tailroom on generic xmit path (git-fixes).


Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP3:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-1977=1

   - SUSE Linux Enterprise Module for Live Patching 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2021-1977=1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Legacy-15-SP3-2021-1977=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-1977=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1977=1

   - SUSE Linux Enterprise High Availability 15-SP3:

      zypper in -t patch SUSE-SLE-Product-HA-15-SP3-2021-1977=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):

      kernel-default-debuginfo-5.3.18-59.5.2
      kernel-default-debugsource-5.3.18-59.5.2
      kernel-default-extra-5.3.18-59.5.2
      kernel-default-extra-debuginfo-5.3.18-59.5.2
      kernel-preempt-debuginfo-5.3.18-59.5.2
      kernel-preempt-debugsource-5.3.18-59.5.2
      kernel-preempt-extra-5.3.18-59.5.2
      kernel-preempt-extra-debuginfo-5.3.18-59.5.2

   - SUSE Linux Enterprise Module for Live Patching 15-SP3 (ppc64le s390x x86_64):

      kernel-default-debuginfo-5.3.18-59.5.2
      kernel-default-debugsource-5.3.18-59.5.2
      kernel-default-livepatch-5.3.18-59.5.2
      kernel-default-livepatch-devel-5.3.18-59.5.2
      kernel-livepatch-5_3_18-59_5-default-1-7.5.1
      kernel-livepatch-5_3_18-59_5-default-debuginfo-1-7.5.1
      kernel-livepatch-SLE15-SP3_Update_1-debugsource-1-7.5.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP3 (aarch64 ppc64le s390x x86_64):

      kernel-default-debuginfo-5.3.18-59.5.2
      kernel-default-debugsource-5.3.18-59.5.2
      reiserfs-kmp-default-5.3.18-59.5.2
      reiserfs-kmp-default-debuginfo-5.3.18-59.5.2

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64):

      kernel-obs-build-5.3.18-59.5.1
      kernel-obs-build-debugsource-5.3.18-59.5.1
      kernel-syms-5.3.18-59.5.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 x86_64):

      kernel-preempt-debuginfo-5.3.18-59.5.2
      kernel-preempt-debugsource-5.3.18-59.5.2
      kernel-preempt-devel-5.3.18-59.5.2
      kernel-preempt-devel-debuginfo-5.3.18-59.5.2

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch):

      kernel-docs-5.3.18-59.5.2
      kernel-source-5.3.18-59.5.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      kernel-default-5.3.18-59.5.2
      kernel-default-base-5.3.18-59.5.2.18.2.2
      kernel-default-debuginfo-5.3.18-59.5.2
      kernel-default-debugsource-5.3.18-59.5.2
      kernel-default-devel-5.3.18-59.5.2
      kernel-default-devel-debuginfo-5.3.18-59.5.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 x86_64):

      kernel-preempt-5.3.18-59.5.2
      kernel-preempt-debuginfo-5.3.18-59.5.2
      kernel-preempt-debugsource-5.3.18-59.5.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64):

      kernel-64kb-5.3.18-59.5.2
      kernel-64kb-debuginfo-5.3.18-59.5.2
      kernel-64kb-debugsource-5.3.18-59.5.2
      kernel-64kb-devel-5.3.18-59.5.2
      kernel-64kb-devel-debuginfo-5.3.18-59.5.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):

      kernel-devel-5.3.18-59.5.2
      kernel-macros-5.3.18-59.5.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (s390x):

      kernel-zfcpdump-5.3.18-59.5.2
      kernel-zfcpdump-debuginfo-5.3.18-59.5.2
      kernel-zfcpdump-debugsource-5.3.18-59.5.2

   - SUSE Linux Enterprise High Availability 15-SP3 (aarch64 ppc64le s390x x86_64):

      cluster-md-kmp-default-5.3.18-59.5.2
      cluster-md-kmp-default-debuginfo-5.3.18-59.5.2
      dlm-kmp-default-5.3.18-59.5.2
      dlm-kmp-default-debuginfo-5.3.18-59.5.2
      gfs2-kmp-default-5.3.18-59.5.2
      gfs2-kmp-default-debuginfo-5.3.18-59.5.2
      kernel-default-debuginfo-5.3.18-59.5.2
      kernel-default-debugsource-5.3.18-59.5.2
      ocfs2-kmp-default-5.3.18-59.5.2
      ocfs2-kmp-default-debuginfo-5.3.18-59.5.2

References:

   https://www.suse.com/security/cve/CVE-2019-18814.html
   https://www.suse.com/security/cve/CVE-2019-19769.html
   https://www.suse.com/security/cve/CVE-2020-24586.html
   https://www.suse.com/security/cve/CVE-2020-24587.html
   https://www.suse.com/security/cve/CVE-2020-24588.html
   https://www.suse.com/security/cve/CVE-2020-25670.html
   https://www.suse.com/security/cve/CVE-2020-25671.html
   https://www.suse.com/security/cve/CVE-2020-25672.html
   https://www.suse.com/security/cve/CVE-2020-25673.html
   https://www.suse.com/security/cve/CVE-2020-26139.html
   https://www.suse.com/security/cve/CVE-2020-26141.html
   https://www.suse.com/security/cve/CVE-2020-26145.html
   https://www.suse.com/security/cve/CVE-2020-26147.html
   https://www.suse.com/security/cve/CVE-2020-27170.html
   https://www.suse.com/security/cve/CVE-2020-27171.html
   https://www.suse.com/security/cve/CVE-2020-27673.html
   https://www.suse.com/security/cve/CVE-2020-27815.html
   https://www.suse.com/security/cve/CVE-2020-35519.html
   https://www.suse.com/security/cve/CVE-2020-36310.html
   https://www.suse.com/security/cve/CVE-2020-36311.html
   https://www.suse.com/security/cve/CVE-2020-36312.html
   https://www.suse.com/security/cve/CVE-2020-36322.html
   https://www.suse.com/security/cve/CVE-2021-20268.html
   https://www.suse.com/security/cve/CVE-2021-23134.html
   https://www.suse.com/security/cve/CVE-2021-27363.html
   https://www.suse.com/security/cve/CVE-2021-27364.html
   https://www.suse.com/security/cve/CVE-2021-27365.html
   https://www.suse.com/security/cve/CVE-2021-28038.html
   https://www.suse.com/security/cve/CVE-2021-28375.html
   https://www.suse.com/security/cve/CVE-2021-28660.html
   https://www.suse.com/security/cve/CVE-2021-28688.html
   https://www.suse.com/security/cve/CVE-2021-28950.html
   https://www.suse.com/security/cve/CVE-2021-28952.html
   https://www.suse.com/security/cve/CVE-2021-28964.html
   https://www.suse.com/security/cve/CVE-2021-28971.html
   https://www.suse.com/security/cve/CVE-2021-28972.html
   https://www.suse.com/security/cve/CVE-2021-29154.html
   https://www.suse.com/security/cve/CVE-2021-29155.html
   https://www.suse.com/security/cve/CVE-2021-29264.html
   https://www.suse.com/security/cve/CVE-2021-29265.html
   https://www.suse.com/security/cve/CVE-2021-29647.html
   https://www.suse.com/security/cve/CVE-2021-29650.html
   https://www.suse.com/security/cve/CVE-2021-30002.html
   https://www.suse.com/security/cve/CVE-2021-32399.html
   https://www.suse.com/security/cve/CVE-2021-33034.html
   https://www.suse.com/security/cve/CVE-2021-33200.html
   https://www.suse.com/security/cve/CVE-2021-3428.html
   https://www.suse.com/security/cve/CVE-2021-3444.html
   https://www.suse.com/security/cve/CVE-2021-3483.html
   https://www.suse.com/security/cve/CVE-2021-3489.html
   https://www.suse.com/security/cve/CVE-2021-3490.html
   https://www.suse.com/security/cve/CVE-2021-3491.html
   https://bugzilla.suse.com/1055117
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1087082
   https://bugzilla.suse.com/1113295
   https://bugzilla.suse.com/1133021
   https://bugzilla.suse.com/1152457
   https://bugzilla.suse.com/1152472
   https://bugzilla.suse.com/1152489
   https://bugzilla.suse.com/1153274
   https://bugzilla.suse.com/1154353
   https://bugzilla.suse.com/1155518
   https://bugzilla.suse.com/1156395
   https://bugzilla.suse.com/1160634
   https://bugzilla.suse.com/1164648
   https://bugzilla.suse.com/1167260
   https://bugzilla.suse.com/1167574
   https://bugzilla.suse.com/1167773
   https://bugzilla.suse.com/1168777
   https://bugzilla.suse.com/1168838
   https://bugzilla.suse.com/1169709
   https://bugzilla.suse.com/1171295
   https://bugzilla.suse.com/1173485
   https://bugzilla.suse.com/1174416
   https://bugzilla.suse.com/1174426
   https://bugzilla.suse.com/1175995
https://bugzilla.suse.com/1176447 https://bugzilla.suse.com/1176774 https://bugzilla.suse.com/1177028 https://bugzilla.suse.com/1177326 https://bugzilla.suse.com/1177666 https://bugzilla.suse.com/1178089 https://bugzilla.suse.com/1178134 https://bugzilla.suse.com/1178163 https://bugzilla.suse.com/1178330 https://bugzilla.suse.com/1178378 https://bugzilla.suse.com/1178418 https://bugzilla.suse.com/1179243 https://bugzilla.suse.com/1179519 https://bugzilla.suse.com/1179825 https://bugzilla.suse.com/1179827 https://bugzilla.suse.com/1179851 https://bugzilla.suse.com/1180197 https://bugzilla.suse.com/1180814 https://bugzilla.suse.com/1180846 https://bugzilla.suse.com/1181104 https://bugzilla.suse.com/1181383 https://bugzilla.suse.com/1181507 https://bugzilla.suse.com/1181674 https://bugzilla.suse.com/1181862 https://bugzilla.suse.com/1182077 https://bugzilla.suse.com/1182257 https://bugzilla.suse.com/1182377 https://bugzilla.suse.com/1182552 https://bugzilla.suse.com/1182574 https://bugzilla.suse.com/1182613 https://bugzilla.suse.com/1182712 https://bugzilla.suse.com/1182715 https://bugzilla.suse.com/1182717 https://bugzilla.suse.com/1182999 https://bugzilla.suse.com/1183022 https://bugzilla.suse.com/1183069 https://bugzilla.suse.com/1183252 https://bugzilla.suse.com/1183277 https://bugzilla.suse.com/1183278 https://bugzilla.suse.com/1183279 https://bugzilla.suse.com/1183280 https://bugzilla.suse.com/1183281 https://bugzilla.suse.com/1183282 https://bugzilla.suse.com/1183283 https://bugzilla.suse.com/1183284 https://bugzilla.suse.com/1183285 https://bugzilla.suse.com/1183286 https://bugzilla.suse.com/1183287 https://bugzilla.suse.com/1183288 https://bugzilla.suse.com/1183289 https://bugzilla.suse.com/1183310 https://bugzilla.suse.com/1183311 https://bugzilla.suse.com/1183312 https://bugzilla.suse.com/1183313 https://bugzilla.suse.com/1183314 https://bugzilla.suse.com/1183315 https://bugzilla.suse.com/1183316 https://bugzilla.suse.com/1183317 
https://bugzilla.suse.com/1183318 https://bugzilla.suse.com/1183319 https://bugzilla.suse.com/1183320 https://bugzilla.suse.com/1183321 https://bugzilla.suse.com/1183322 https://bugzilla.suse.com/1183323 https://bugzilla.suse.com/1183324 https://bugzilla.suse.com/1183326 https://bugzilla.suse.com/1183346 https://bugzilla.suse.com/1183366 https://bugzilla.suse.com/1183369 https://bugzilla.suse.com/1183386 https://bugzilla.suse.com/1183405 https://bugzilla.suse.com/1183412 https://bugzilla.suse.com/1183427 https://bugzilla.suse.com/1183428 https://bugzilla.suse.com/1183445 https://bugzilla.suse.com/1183447 https://bugzilla.suse.com/1183491 https://bugzilla.suse.com/1183501 https://bugzilla.suse.com/1183509 https://bugzilla.suse.com/1183530 https://bugzilla.suse.com/1183534 https://bugzilla.suse.com/1183540 https://bugzilla.suse.com/1183593 https://bugzilla.suse.com/1183596 https://bugzilla.suse.com/1183598 https://bugzilla.suse.com/1183637 https://bugzilla.suse.com/1183646 https://bugzilla.suse.com/1183658 https://bugzilla.suse.com/1183662 https://bugzilla.suse.com/1183686 https://bugzilla.suse.com/1183692 https://bugzilla.suse.com/1183750 https://bugzilla.suse.com/1183757 https://bugzilla.suse.com/1183775 https://bugzilla.suse.com/1183815 https://bugzilla.suse.com/1183868 https://bugzilla.suse.com/1183871 https://bugzilla.suse.com/1183873 https://bugzilla.suse.com/1183947 https://bugzilla.suse.com/1183976 https://bugzilla.suse.com/1184074 https://bugzilla.suse.com/1184081 https://bugzilla.suse.com/1184082 https://bugzilla.suse.com/1184120 https://bugzilla.suse.com/1184167 https://bugzilla.suse.com/1184168 https://bugzilla.suse.com/1184170 https://bugzilla.suse.com/1184171 https://bugzilla.suse.com/1184192 https://bugzilla.suse.com/1184193 https://bugzilla.suse.com/1184194 https://bugzilla.suse.com/1184196 https://bugzilla.suse.com/1184197 https://bugzilla.suse.com/1184198 https://bugzilla.suse.com/1184199 https://bugzilla.suse.com/1184208 
https://bugzilla.suse.com/1184209 https://bugzilla.suse.com/1184211 https://bugzilla.suse.com/1184217 https://bugzilla.suse.com/1184218 https://bugzilla.suse.com/1184219 https://bugzilla.suse.com/1184220 https://bugzilla.suse.com/1184224 https://bugzilla.suse.com/1184264 https://bugzilla.suse.com/1184386 https://bugzilla.suse.com/1184388 https://bugzilla.suse.com/1184391 https://bugzilla.suse.com/1184393 https://bugzilla.suse.com/1184436 https://bugzilla.suse.com/1184485 https://bugzilla.suse.com/1184514 https://bugzilla.suse.com/1184585 https://bugzilla.suse.com/1184611 https://bugzilla.suse.com/1184615 https://bugzilla.suse.com/1184650 https://bugzilla.suse.com/1184710 https://bugzilla.suse.com/1184724 https://bugzilla.suse.com/1184728 https://bugzilla.suse.com/1184730 https://bugzilla.suse.com/1184731 https://bugzilla.suse.com/1184736 https://bugzilla.suse.com/1184737 https://bugzilla.suse.com/1184738 https://bugzilla.suse.com/1184740 https://bugzilla.suse.com/1184741 https://bugzilla.suse.com/1184742 https://bugzilla.suse.com/1184769 https://bugzilla.suse.com/1184811 https://bugzilla.suse.com/1184855 https://bugzilla.suse.com/1184934 https://bugzilla.suse.com/1184942 https://bugzilla.suse.com/1184943 https://bugzilla.suse.com/1184955 https://bugzilla.suse.com/1184969 https://bugzilla.suse.com/1184984 https://bugzilla.suse.com/1185010 https://bugzilla.suse.com/1185113 https://bugzilla.suse.com/1185233 https://bugzilla.suse.com/1185269 https://bugzilla.suse.com/1185428 https://bugzilla.suse.com/1185491 https://bugzilla.suse.com/1185495 https://bugzilla.suse.com/1185549 https://bugzilla.suse.com/1185550 https://bugzilla.suse.com/1185558 https://bugzilla.suse.com/1185573 https://bugzilla.suse.com/1185581 https://bugzilla.suse.com/1185586 https://bugzilla.suse.com/1185587 https://bugzilla.suse.com/1185606 https://bugzilla.suse.com/1185640 https://bugzilla.suse.com/1185641 https://bugzilla.suse.com/1185642 https://bugzilla.suse.com/1185645 
https://bugzilla.suse.com/1185670 https://bugzilla.suse.com/1185680 https://bugzilla.suse.com/1185703 https://bugzilla.suse.com/1185725 https://bugzilla.suse.com/1185736 https://bugzilla.suse.com/1185758 https://bugzilla.suse.com/1185796 https://bugzilla.suse.com/1185840 https://bugzilla.suse.com/1185857 https://bugzilla.suse.com/1185898 https://bugzilla.suse.com/1185899 https://bugzilla.suse.com/1185911 https://bugzilla.suse.com/1185938 https://bugzilla.suse.com/1185950 https://bugzilla.suse.com/1185980 https://bugzilla.suse.com/1185988 https://bugzilla.suse.com/1186009 https://bugzilla.suse.com/1186061 https://bugzilla.suse.com/1186111 https://bugzilla.suse.com/1186118 https://bugzilla.suse.com/1186219 https://bugzilla.suse.com/1186285 https://bugzilla.suse.com/1186320 https://bugzilla.suse.com/1186349 https://bugzilla.suse.com/1186352 https://bugzilla.suse.com/1186353 https://bugzilla.suse.com/1186354 https://bugzilla.suse.com/1186355 https://bugzilla.suse.com/1186356 https://bugzilla.suse.com/1186357 https://bugzilla.suse.com/1186401 https://bugzilla.suse.com/1186408 https://bugzilla.suse.com/1186439 https://bugzilla.suse.com/1186441 https://bugzilla.suse.com/1186479 https://bugzilla.suse.com/1186484 https://bugzilla.suse.com/1186498 https://bugzilla.suse.com/1186501 https://bugzilla.suse.com/1186512 https://bugzilla.suse.com/1186681 From sle-security-updates at lists.suse.com Tue Jun 15 17:35:34 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 15 Jun 2021 19:35:34 +0200 (CEST) Subject: SUSE-SU-2021:1978-1: important: Security update for snakeyaml Message-ID: <20210615173534.86F21FD84@maintenance.suse.de> SUSE Security Update: Security update for snakeyaml ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1978-1 Rating: important References: #1159488 #1186088 Cross-References: CVE-2017-18640 CVSS scores: CVE-2017-18640 (NVD) : 7.5 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-18640 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Module for SUSE Manager Server 4.0 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for snakeyaml fixes the following issues: - Upgrade to 1.28 - CVE-2017-18640: The Alias feature allows entity expansion during a load operation (bsc#1159488, bsc#1186088) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2021-1978=1 Package List: - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch): snakeyaml-1.28-12.3.1 References: https://www.suse.com/security/cve/CVE-2017-18640.html https://bugzilla.suse.com/1159488 https://bugzilla.suse.com/1186088 From sle-security-updates at lists.suse.com Tue Jun 15 17:37:47 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 15 Jun 2021 19:37:47 +0200 (CEST) Subject: SUSE-SU-2021:1980-1: moderate: Security update for java-1_8_0-openjdk Message-ID: <20210615173747.DBB3AFD84@maintenance.suse.de> SUSE Security Update: Security update for java-1_8_0-openjdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1980-1 Rating: moderate References: #1185055 Cross-References: CVE-2021-2163 CVSS scores: CVE-2021-2163 (NVD) : 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-2163 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE 
Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for java-1_8_0-openjdk fixes the following issues: - Update to version jdk8u292 (icedtea 3.19.0). - CVE-2021-2161: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1980=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1980=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1980=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1980=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1980=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1980=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1980=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1980=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1980=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1980=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1980=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1980=1 Package 
List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): java-1_8_0-openjdk-1.8.0.292-27.60.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-debugsource-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-27.60.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): java-1_8_0-openjdk-1.8.0.292-27.60.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-debugsource-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-27.60.1 - SUSE OpenStack Cloud 9 (x86_64): java-1_8_0-openjdk-1.8.0.292-27.60.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-debugsource-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-27.60.1 - SUSE OpenStack Cloud 8 (x86_64): java-1_8_0-openjdk-1.8.0.292-27.60.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-debugsource-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-27.60.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): java-1_8_0-openjdk-1.8.0.292-27.60.1 
java-1_8_0-openjdk-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-debugsource-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-27.60.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): java-1_8_0-openjdk-1.8.0.292-27.60.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-debugsource-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-27.60.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.292-27.60.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-debugsource-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-27.60.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.292-27.60.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-debugsource-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-27.60.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.292-27.60.1 
java-1_8_0-openjdk-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-debugsource-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-27.60.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): java-1_8_0-openjdk-1.8.0.292-27.60.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-debugsource-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-27.60.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): java-1_8_0-openjdk-1.8.0.292-27.60.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-debugsource-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-27.60.1 - HPE Helion Openstack 8 (x86_64): java-1_8_0-openjdk-1.8.0.292-27.60.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-debugsource-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-1.8.0.292-27.60.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-1.8.0.292-27.60.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-1.8.0.292-27.60.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-27.60.1 References: https://www.suse.com/security/cve/CVE-2021-2163.html https://bugzilla.suse.com/1185055 From sle-security-updates at lists.suse.com Thu Jun 17 10:23:20 2021 From: sle-security-updates at 
lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 17 Jun 2021 12:23:20 +0200 (CEST)
Subject: SUSE-CU-2021:252-1: Security update of suse/sle15
Message-ID: <20210617102320.12EECB46F0E@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:252-1
Container Tags : suse/sle15:15.3 , suse/sle15:15.3.17.5.1
Container Release : 17.5.1
Severity : important
Type : security
References : 1029961 1106014 1153687 1161276 1178577 1178624 1178675 1180851 1180851 1181443 1181874 1181874 1182016 1182372 1182899 1182936 1182936 1183064 1183268 1183589 1183628 1183628 1184326 1184358 1184399 1184435 1184614 1184997 1184997 1184997 1185163 1185239 1185239 1185325 1185408 1185408 1185409 1185409 1185410 1185410 1185417 1185438 1185562 1185698 1186015 1186114 1186642 CVE-2021-22898 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517 CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 CVE-2021-3541
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1466-1
Released: Tue May 4 08:30:57 2021
Summary: Security update for permissions
Type: security
Severity: important
References: 1182899

This update for permissions fixes the following issues:

- etc/permissions: remove unnecessary entries (bsc#1182899)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1523-1
Released: Wed May 5 18:24:20 2021
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518

This update for libxml2 fixes the following issues:

- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1526-1
Released: Thu May 6 08:57:30 2021
Summary: Recommended update for bash
Type: recommended
Severity: important
References: 1183064

This update for bash fixes the following issues:

- Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1528-1
Released: Thu May 6 15:31:23 2021
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1161276

This update for openssl-1_1 fixes the following issues:

- Do not list disapproved cipher algorithms while in 'FIPS' mode. (bsc#1161276)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1543-1
Released: Fri May 7 15:16:32 2021
Summary: Recommended update for patterns-microos
Type: recommended
Severity: moderate
References: 1184435

This update for patterns-microos provides the following fix:

- Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1544-1
Released: Fri May 7 16:34:41 2021
Summary: Recommended update for libzypp
Type: recommended
Severity: moderate
References: 1180851,1181874,1182936,1183628,1184997,1185239

This update for libzypp fixes the following issues:

Upgrade from version 17.25.8 to version 17.25.10

- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1549-1
Released: Mon May 10 13:48:00 2021
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1185417

This update for procps fixes the following issues:

- Support up to 2048 CPU as well. (bsc#1185417)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1565-1
Released: Tue May 11 14:20:04 2021
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1185163

This update for krb5 fixes the following issues:

- Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163);

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1612-1
Released: Fri May 14 17:09:39 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1184614

This update for openldap2 fixes the following issue:

- Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3.
(bsc#1184614)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1643-1
Released: Wed May 19 13:51:48 2021
Summary: Recommended update for pam
Type: recommended
Severity: important
References: 1181443,1184358,1185562

This update for pam fixes the following issues:

- Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1654-1
Released: Wed May 19 16:43:36 2021
Summary: Security update for libxml2
Type: security
Severity: important
References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537

This update for libxml2 fixes the following issues:

- CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1762-1
Released: Wed May 26 12:30:01 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1186114,CVE-2021-22898

This update for curl fixes the following issues:

- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Allow partial chain verification [jsc#SLE-17956]
  * Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain.
  * Set FLAG_TRUSTED_FIRST unconditionally.
  * Do not check partial chains with CRL check.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1825-1
Released: Tue Jun 1 16:24:01 2021
Summary: Security update for lz4
Type: security
Severity: important
References: 1185438,CVE-2021-3520

This update for lz4 fixes the following issues:

- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1833-1
Released: Wed Jun 2 15:32:28 2021
Summary: Recommended update for zypper
Type: recommended
Severity: moderate
References: 1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239

This update for zypper fixes the following issues:

zypper was upgraded to 1.14.44:

- man page: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
- Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
- Protect against strict/relaxed user umask via sudo. (bsc#1183589)
- xml summary: Add solvables repository alias. (bsc#1182372)

libzypp was upgraded from version 17.25.8 to version 17.25.10

- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded.
(bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1861-1
Released: Fri Jun 4 09:59:40 2021
Summary: Recommended update for gcc10
Type: recommended
Severity: moderate
References: 1029961,1106014,1178577,1178624,1178675,1182016

This update for gcc10 fixes the following issues:

- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1879-1
Released: Tue Jun 8 09:16:09 2021
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: important
References: 1184326,1184399,1184997,1185325

This update for libzypp, zypper fixes the following issues:

libzypp was updated to 17.26.0:

- Work around download.o.o broken https redirects.
- Allow trusted repos to add additional signing keys (bsc#1184326)
  Repositories signed with a trusted gpg key may import additional package signing keys. This is needed if different keys were used to sign the packages shipped by the repository.
- MediaCurl: Fix logging of redirects.
- Use 15.3 resolver problem and solution texts on all distros.
- $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the zypp lock (bsc#1184399)
  Helps boot time services like 'zypper purge-kernels' to wait for the zypp lock until other services using zypper have completed.
- Fix purge-kernels is broken in Leap 15.3 (bsc#1185325) Leap 15.3 introduces a new kernel package called kernel-flavour-extra, which contains kmp's. Currently kmp's are detected by name '.*-kmp(-.*)?' but this does not work with those new packages. This patch fixes the problem by checking packages for kmod(*) and ksym(*) provides and only falls back to name checking if the package in question does not provide one of those. - Introduce zypp-runpurge, a tool to run purge-kernels on testcases. zypper was updated to 1.14.45: - Fix service detection with cgroupv2 (bsc#1184997) - Add hints to 'trust GPG key' prompt. - Add report when receiving new package signing keys from a trusted repo (bsc#1184326) - Added translation using Weblate (Kabyle) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1917-1 Released: Wed Jun 9 14:48:05 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1186015,CVE-2021-3541 This update for libxml2 fixes the following issues: - CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1937-1 Released: Thu Jun 10 10:47:09 2021 Summary: Recommended update for nghttp2 Type: recommended Severity: moderate References: 1186642 This update for nghttp2 fixes the following issue: - The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues.
(bsc#1186642) From sle-security-updates at lists.suse.com Thu Jun 17 13:17:15 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 17 Jun 2021 15:17:15 +0200 (CEST) Subject: SUSE-SU-2021:14750-1: important: Security update for inn Message-ID: <20210617131715.6F9F4FD07@maintenance.suse.de> SUSE Security Update: Security update for inn ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14750-1 Rating: important References: #1182321 Cross-References: CVE-2021-31998 CVSS scores: CVE-2021-31998 (SUSE): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for inn fixes the following issues: - CVE-2021-31998: Fixed local privilege escalation during the update of inn (bsc#1182321). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-inn-14750=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-inn-14750=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-inn-14750=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-inn-14750=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): inn-2.4.2-170.21.3.6.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): inn-2.4.2-170.21.3.6.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): inn-debuginfo-2.4.2-170.21.3.6.1 inn-debugsource-2.4.2-170.21.3.6.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): inn-debuginfo-2.4.2-170.21.3.6.1 inn-debugsource-2.4.2-170.21.3.6.1 References: https://www.suse.com/security/cve/CVE-2021-31998.html https://bugzilla.suse.com/1182321 From sle-security-updates at lists.suse.com Thu Jun 17 13:18:42 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 17 Jun 2021 15:18:42 +0200 (CEST) Subject: SUSE-SU-2021:1990-1: important: Security update for webkit2gtk3 Message-ID: <20210617131842.32D4BFD07@maintenance.suse.de> SUSE Security Update: Security update for webkit2gtk3 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1990-1 Rating: important References: #1177087 #1179122 #1179451 #1182286 #1184155 #1184262 Cross-References: CVE-2020-13543 CVE-2020-13558 CVE-2020-13584 CVE-2020-27918 CVE-2020-29623 CVE-2020-9947 CVE-2020-9948 CVE-2020-9951 CVE-2020-9983 CVE-2021-1765 CVE-2021-1788 CVE-2021-1789 CVE-2021-1799 CVE-2021-1801 CVE-2021-1844 CVE-2021-1870 CVE-2021-1871 CVSS scores: CVE-2020-13543 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-13543 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-13558 (NVD) : 8.8 
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-13558 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-13584 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-13584 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-27918 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-27918 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-29623 (NVD) : 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2020-29623 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2020-9947 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-9947 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-9948 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-9951 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-9951 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-9983 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-9983 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-1765 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-1765 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-1788 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-1788 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-1789 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-1789 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-1799 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-1799 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-1801 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-1801 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-1844 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-1844 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-1870 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-1871 (NVD) : 9.8 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-1871 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 17 vulnerabilities is now available. Description: This update for webkit2gtk3 fixes the following issues: - Update to version 2.32.1: + Improve handling of Media Capture devices. + Improve WebAudio playback. + Improve video orientation handling. + Improve seeking support for MSE playback. + Improve flush support in EME decryptors. + Fix HTTP status codes for requests done through a custom URI handler. + Fix the Bubblewrap sandbox in certain 32-bit systems. + Fix inconsistencies between the WebKitWebView.is-muted property state and values returned by webkit_web_view_is_playing_audio(). + Fix the build with ENABLE_VIDEO=OFF. + Fix wrong timestamps for long-lived cookies. + Fix UI process crash when failing to load favicons. + Fix several crashes and rendering issues. - Including Security fixes for: CVE-2021-1788, CVE-2021-1844, CVE-2021-1871, CVE-2020-27918, CVE-2020-29623, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799, CVE-2021-1801, CVE-2021-1870, CVE-2020-13558, CVE-2020-13584, CVE-2020-9983, CVE-2020-13543, CVE-2020-9947, CVE-2020-9948, CVE-2020-9951. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1990=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1990=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-1990=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-1990=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-1990=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1990=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1990=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1990=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1990=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1990=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1990=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1990=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-1990=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): libjavascriptcoregtk-4_0-18-2.32.1-2.63.3 libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3 libwebkit2gtk-4_0-37-2.32.1-2.63.3 libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3 typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3 webkit2gtk3-debugsource-2.32.1-2.63.3 - SUSE OpenStack Cloud Crowbar 9 (noarch): libwebkit2gtk3-lang-2.32.1-2.63.3 - SUSE OpenStack Cloud Crowbar 8 (noarch): libwebkit2gtk3-lang-2.32.1-2.63.3 - SUSE OpenStack Cloud Crowbar 8 (x86_64): 
libjavascriptcoregtk-4_0-18-2.32.1-2.63.3 libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3 libwebkit2gtk-4_0-37-2.32.1-2.63.3 libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3 typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3 webkit2gtk3-debugsource-2.32.1-2.63.3 - SUSE OpenStack Cloud 9 (x86_64): libjavascriptcoregtk-4_0-18-2.32.1-2.63.3 libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3 libwebkit2gtk-4_0-37-2.32.1-2.63.3 libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3 typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3 webkit2gtk3-debugsource-2.32.1-2.63.3 - SUSE OpenStack Cloud 9 (noarch): libwebkit2gtk3-lang-2.32.1-2.63.3 - SUSE OpenStack Cloud 8 (noarch): libwebkit2gtk3-lang-2.32.1-2.63.3 - SUSE OpenStack Cloud 8 (x86_64): libjavascriptcoregtk-4_0-18-2.32.1-2.63.3 libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3 libwebkit2gtk-4_0-37-2.32.1-2.63.3 libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3 typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3 webkit2gtk3-debugsource-2.32.1-2.63.3 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3 webkit2gtk3-debugsource-2.32.1-2.63.3 webkit2gtk3-devel-2.32.1-2.63.3 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): libjavascriptcoregtk-4_0-18-2.32.1-2.63.3 libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3 libwebkit2gtk-4_0-37-2.32.1-2.63.3 libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3 
typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3 webkit2gtk3-debugsource-2.32.1-2.63.3 - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): libwebkit2gtk3-lang-2.32.1-2.63.3 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libjavascriptcoregtk-4_0-18-2.32.1-2.63.3 libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3 libwebkit2gtk-4_0-37-2.32.1-2.63.3 libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3 typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3 webkit2gtk3-debugsource-2.32.1-2.63.3 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): libwebkit2gtk3-lang-2.32.1-2.63.3 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libjavascriptcoregtk-4_0-18-2.32.1-2.63.3 libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3 libwebkit2gtk-4_0-37-2.32.1-2.63.3 libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3 typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3 webkit2gtk3-debugsource-2.32.1-2.63.3 - SUSE Linux Enterprise Server 12-SP5 (noarch): libwebkit2gtk3-lang-2.32.1-2.63.3 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): libjavascriptcoregtk-4_0-18-2.32.1-2.63.3 libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3 libwebkit2gtk-4_0-37-2.32.1-2.63.3 libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3 typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3 
webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3 webkit2gtk3-debugsource-2.32.1-2.63.3 - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch): libwebkit2gtk3-lang-2.32.1-2.63.3 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libjavascriptcoregtk-4_0-18-2.32.1-2.63.3 libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3 libwebkit2gtk-4_0-37-2.32.1-2.63.3 libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3 typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3 webkit2gtk3-debugsource-2.32.1-2.63.3 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): libwebkit2gtk3-lang-2.32.1-2.63.3 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libjavascriptcoregtk-4_0-18-2.32.1-2.63.3 libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3 libwebkit2gtk-4_0-37-2.32.1-2.63.3 libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3 typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2-4_0-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3 webkit2gtk3-debugsource-2.32.1-2.63.3 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): libwebkit2gtk3-lang-2.32.1-2.63.3 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libjavascriptcoregtk-4_0-18-2.32.1-2.63.3 libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3 libwebkit2gtk-4_0-37-2.32.1-2.63.3 libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3 typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3 webkit2gtk3-debugsource-2.32.1-2.63.3 webkit2gtk3-devel-2.32.1-2.63.3 - HPE Helion Openstack 8 (x86_64): libjavascriptcoregtk-4_0-18-2.32.1-2.63.3 libjavascriptcoregtk-4_0-18-debuginfo-2.32.1-2.63.3 
libwebkit2gtk-4_0-37-2.32.1-2.63.3 libwebkit2gtk-4_0-37-debuginfo-2.32.1-2.63.3 typelib-1_0-JavaScriptCore-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2-4_0-2.32.1-2.63.3 typelib-1_0-WebKit2WebExtension-4_0-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-2.32.1-2.63.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.32.1-2.63.3 webkit2gtk3-debugsource-2.32.1-2.63.3 - HPE Helion Openstack 8 (noarch): libwebkit2gtk3-lang-2.32.1-2.63.3 References: https://www.suse.com/security/cve/CVE-2020-13543.html https://www.suse.com/security/cve/CVE-2020-13558.html https://www.suse.com/security/cve/CVE-2020-13584.html https://www.suse.com/security/cve/CVE-2020-27918.html https://www.suse.com/security/cve/CVE-2020-29623.html https://www.suse.com/security/cve/CVE-2020-9947.html https://www.suse.com/security/cve/CVE-2020-9948.html https://www.suse.com/security/cve/CVE-2020-9951.html https://www.suse.com/security/cve/CVE-2020-9983.html https://www.suse.com/security/cve/CVE-2021-1765.html https://www.suse.com/security/cve/CVE-2021-1788.html https://www.suse.com/security/cve/CVE-2021-1789.html https://www.suse.com/security/cve/CVE-2021-1799.html https://www.suse.com/security/cve/CVE-2021-1801.html https://www.suse.com/security/cve/CVE-2021-1844.html https://www.suse.com/security/cve/CVE-2021-1870.html https://www.suse.com/security/cve/CVE-2021-1871.html https://bugzilla.suse.com/1177087 https://bugzilla.suse.com/1179122 https://bugzilla.suse.com/1179451 https://bugzilla.suse.com/1182286 https://bugzilla.suse.com/1184155 https://bugzilla.suse.com/1184262 From sle-security-updates at lists.suse.com Thu Jun 17 13:22:09 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 17 Jun 2021 15:22:09 +0200 (CEST) Subject: SUSE-SU-2021:14749-1: important: Security update for apache2 Message-ID: <20210617132209.D1DA9FD07@maintenance.suse.de> SUSE Security Update: Security update for apache2 
______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14749-1 Rating: important References: #1186922 #1187174 Cross-References: CVE-2020-35452 CVE-2021-30641 CVSS scores: CVE-2020-35452 (NVD) : 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-35452 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-30641 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for apache2 fixes the following issues: - fixed CVE-2021-30641 [bsc#1187174]: MergeSlashes regression - fixed CVE-2020-35452 [bsc#1186922]: Single zero byte stack overflow in mod_auth_digest Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-apache2-14749=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-apache2-14749=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-apache2-14749=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-apache2-14749=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): apache2-2.2.34-70.35.1 apache2-doc-2.2.34-70.35.1 apache2-example-pages-2.2.34-70.35.1 apache2-prefork-2.2.34-70.35.1 apache2-utils-2.2.34-70.35.1 apache2-worker-2.2.34-70.35.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): apache2-2.2.34-70.35.1 apache2-devel-2.2.34-70.35.1 apache2-doc-2.2.34-70.35.1 apache2-example-pages-2.2.34-70.35.1 apache2-prefork-2.2.34-70.35.1 apache2-utils-2.2.34-70.35.1 apache2-worker-2.2.34-70.35.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): apache2-debuginfo-2.2.34-70.35.1 apache2-debugsource-2.2.34-70.35.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): apache2-debuginfo-2.2.34-70.35.1 apache2-debugsource-2.2.34-70.35.1 References: https://www.suse.com/security/cve/CVE-2020-35452.html https://www.suse.com/security/cve/CVE-2021-30641.html https://bugzilla.suse.com/1186922 https://bugzilla.suse.com/1187174 From sle-security-updates at lists.suse.com Thu Jun 17 13:23:34 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 17 Jun 2021 15:23:34 +0200 (CEST) Subject: SUSE-SU-2021:1989-1: moderate: Security update for java-1_8_0-openjdk Message-ID: <20210617132334.E0B36FD07@maintenance.suse.de> SUSE Security Update: Security update for java-1_8_0-openjdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1989-1 Rating: moderate References: #1185055 Cross-References: CVE-2021-2163 CVSS scores: CVE-2021-2163 (NVD) 
: 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2021-2163 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Legacy Software 15-SP3 SUSE Linux Enterprise Module for Legacy Software 15-SP2 SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for java-1_8_0-openjdk fixes the following issues: - Update to version jdk8u292 (icedtea 3.19.0). - CVE-2021-2161: Fixed incomplete enforcement of JAR signing disabled algorithms (bsc#1185055). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1989=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1989=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1989=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1989=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1989=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1989=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1989=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-1989=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP3: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP3-2021-1989=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP2: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2021-1989=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-1989=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.292-3.52.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-debugsource-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-3.52.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): java-1_8_0-openjdk-1.8.0.292-3.52.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-debugsource-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-3.52.1 - SUSE Manager Proxy 4.0 (x86_64): java-1_8_0-openjdk-1.8.0.292-3.52.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-debugsource-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-3.52.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): java-1_8_0-openjdk-1.8.0.292-3.52.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-debugsource-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-3.52.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): java-1_8_0-openjdk-1.8.0.292-3.52.1 
java-1_8_0-openjdk-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-debugsource-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-3.52.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.292-3.52.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-debugsource-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-3.52.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): java-1_8_0-openjdk-1.8.0.292-3.52.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-debugsource-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-3.52.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): java-1_8_0-openjdk-1.8.0.292-3.52.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-debugsource-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-3.52.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP3 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.292-3.52.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-3.52.1 
java-1_8_0-openjdk-debugsource-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-3.52.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.292-3.52.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-debugsource-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-3.52.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): java-1_8_0-openjdk-1.8.0.292-3.52.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-debugsource-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-3.52.1 - SUSE CaaS Platform 4.0 (x86_64): java-1_8_0-openjdk-1.8.0.292-3.52.1 java-1_8_0-openjdk-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-debugsource-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-1.8.0.292-3.52.1 java-1_8_0-openjdk-demo-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-1.8.0.292-3.52.1 java-1_8_0-openjdk-devel-debuginfo-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-1.8.0.292-3.52.1 java-1_8_0-openjdk-headless-debuginfo-1.8.0.292-3.52.1 References: https://www.suse.com/security/cve/CVE-2021-2163.html https://bugzilla.suse.com/1185055 From sle-security-updates at lists.suse.com Thu Jun 17 16:17:51 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at 
lists.suse.com) Date: Thu, 17 Jun 2021 18:17:51 +0200 (CEST) Subject: SUSE-SU-2021:1994-1: moderate: Security update for postgresql12 Message-ID: <20210617161751.62B2DFD07@maintenance.suse.de> SUSE Security Update: Security update for postgresql12 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1994-1 Rating: moderate References: #1179945 #1183118 #1183168 #1185924 #1185925 #1185926 Cross-References: CVE-2021-32027 CVE-2021-32028 CVE-2021-32029 CVSS scores: CVE-2021-32027 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32027 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2021-32028 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-32029 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP2 SUSE Linux Enterprise Module for Legacy Software 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that solves three vulnerabilities and has three fixes is now available. Description: This update for postgresql12 fixes the following issues: Upgrade to version 12.7: - CVE-2021-32027: Fixed integer overflows in array subscripting calculations (bsc#1185924). - CVE-2021-32028: Fixed mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE target lists (bsc#1185925). - CVE-2021-32029: Fixed possibly-incorrect computation of UPDATE ... RETURNING outputs for joined cross-partition updates (bsc#1185926). - Don't use %_stop_on_removal, because it was meant to be private and got removed from openSUSE. %_restart_on_update is also private, but still supported and needed for now (bsc#1183168). - Re-enable build of the llvmjit subpackage on SLE, but it will only be delivered on PackageHub for now (bsc#1183118). - Disable icu for PostgreSQL 10 (and older) on TW (bsc#1179945). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-1994=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP3: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP3-2021-1994=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1994=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): postgresql12-contrib-12.7-8.20.1 postgresql12-contrib-debuginfo-12.7-8.20.1 postgresql12-debuginfo-12.7-8.20.1 postgresql12-debugsource-12.7-8.20.1 postgresql12-devel-12.7-8.20.1 postgresql12-devel-debuginfo-12.7-8.20.1 postgresql12-plperl-12.7-8.20.1 postgresql12-plperl-debuginfo-12.7-8.20.1 postgresql12-plpython-12.7-8.20.1 postgresql12-plpython-debuginfo-12.7-8.20.1 postgresql12-pltcl-12.7-8.20.1 postgresql12-pltcl-debuginfo-12.7-8.20.1 postgresql12-server-12.7-8.20.1 postgresql12-server-debuginfo-12.7-8.20.1 postgresql12-server-devel-12.7-8.20.1 postgresql12-server-devel-debuginfo-12.7-8.20.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch): postgresql12-docs-12.7-8.20.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP3 (aarch64 ppc64le s390x x86_64): postgresql12-12.7-8.20.1 postgresql12-contrib-12.7-8.20.1 postgresql12-contrib-debuginfo-12.7-8.20.1 postgresql12-debuginfo-12.7-8.20.1 postgresql12-debugsource-12.7-8.20.1 postgresql12-devel-12.7-8.20.1 postgresql12-devel-debuginfo-12.7-8.20.1 postgresql12-plperl-12.7-8.20.1 postgresql12-plperl-debuginfo-12.7-8.20.1 postgresql12-plpython-12.7-8.20.1 postgresql12-plpython-debuginfo-12.7-8.20.1 postgresql12-pltcl-12.7-8.20.1 postgresql12-pltcl-debuginfo-12.7-8.20.1 postgresql12-server-12.7-8.20.1 
postgresql12-server-debuginfo-12.7-8.20.1 postgresql12-server-devel-12.7-8.20.1 postgresql12-server-devel-debuginfo-12.7-8.20.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP3 (noarch): postgresql12-docs-12.7-8.20.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): postgresql12-12.7-8.20.1 postgresql12-debuginfo-12.7-8.20.1 postgresql12-debugsource-12.7-8.20.1 References: https://www.suse.com/security/cve/CVE-2021-32027.html https://www.suse.com/security/cve/CVE-2021-32028.html https://www.suse.com/security/cve/CVE-2021-32029.html https://bugzilla.suse.com/1179945 https://bugzilla.suse.com/1183118 https://bugzilla.suse.com/1183168 https://bugzilla.suse.com/1185924 https://bugzilla.suse.com/1185925 https://bugzilla.suse.com/1185926 From sle-security-updates at lists.suse.com Thu Jun 17 16:21:02 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 17 Jun 2021 18:21:02 +0200 (CEST) Subject: SUSE-SU-2021:1995-1: important: Security update for xstream Message-ID: <20210617162102.44C9BFD07@maintenance.suse.de> SUSE Security Update: Security update for xstream ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1995-1 Rating: important References: #1186651 Cross-References: CVE-2021-29505 CVSS scores: CVE-2021-29505 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29505 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for SUSE Manager Server 4.2 SUSE Linux Enterprise Module for SUSE Manager Server 4.1 SUSE Linux Enterprise Module for Development Tools 15-SP3 SUSE Linux Enterprise Module for Development Tools 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description:

This update for xstream fixes the following issues:

Upgrade to 1.4.17

- CVE-2021-29505: Fixed potential code execution when unmarshalling with XStream instances using an uninitialized security framework (bsc#1186651)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.2:

  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2021-1995=1

- SUSE Linux Enterprise Module for SUSE Manager Server 4.1:

  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-1995=1

- SUSE Linux Enterprise Module for Development Tools 15-SP3:

  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-1995=1

- SUSE Linux Enterprise Module for Development Tools 15-SP2:

  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-1995=1

Package List:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):

  xstream-1.4.17-3.11.2

- SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):

  xstream-1.4.17-3.11.2

- SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch):

  xstream-1.4.17-3.11.2

- SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch):

  xstream-1.4.17-3.11.2

References:

https://www.suse.com/security/cve/CVE-2021-29505.html
https://bugzilla.suse.com/1186651

From sle-security-updates at lists.suse.com Thu Jun 17 19:17:24 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 17 Jun 2021 21:17:24 +0200 (CEST)
Subject: SUSE-SU-2021:2003-1: important: Security update for MozillaThunderbird
Message-ID: <20210617191724.D7C53FD07@maintenance.suse.de>

SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2003-1
Rating: important
References:
#1186696
Cross-References: CVE-2021-29964 CVE-2021-29967
Affected Products:
  SUSE Linux Enterprise Workstation Extension 15-SP3
  SUSE Linux Enterprise Workstation Extension 15-SP2
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for MozillaThunderbird fixes the following issues:

Mozilla Thunderbird 78.11 (bsc#1186696)

Security issues fixed:

- CVE-2021-29964: Out-of-bounds read when parsing a `WM_COPYDATA` message
- CVE-2021-29967: Memory safety bugs fixed in Thunderbird 78.11

General improvements:

- OpenPGP could not be disabled for an account if a key was previously configured
- Recipients were unable to decrypt some messages when the sender had changed the message encryption from OpenPGP to S/MIME
- Contacts moved between CardDAV address books were not synced to the new server
- CardDAV compatibility fixes for Google Contacts
- Folder pane had no clear indication of focus on macOS

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 15-SP3:

  zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-2003=1

- SUSE Linux Enterprise Workstation Extension 15-SP2:

  zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-2003=1

Package List:

- SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):

  MozillaThunderbird-78.11.0-8.30.1
  MozillaThunderbird-debuginfo-78.11.0-8.30.1
  MozillaThunderbird-debugsource-78.11.0-8.30.1
  MozillaThunderbird-translations-common-78.11.0-8.30.1
  MozillaThunderbird-translations-other-78.11.0-8.30.1

- SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):

  MozillaThunderbird-78.11.0-8.30.1
  MozillaThunderbird-debuginfo-78.11.0-8.30.1
  MozillaThunderbird-debugsource-78.11.0-8.30.1
  MozillaThunderbird-translations-common-78.11.0-8.30.1
  MozillaThunderbird-translations-other-78.11.0-8.30.1

References:

https://www.suse.com/security/cve/CVE-2021-29964.html
https://www.suse.com/security/cve/CVE-2021-29967.html
https://bugzilla.suse.com/1186696

From sle-security-updates at lists.suse.com Thu Jun 17 19:18:42 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 17 Jun 2021 21:18:42 +0200 (CEST)
Subject: SUSE-SU-2021:2008-1: important: Security update for python-rsa
Message-ID: <20210617191842.207AEFD07@maintenance.suse.de>

SUSE Security Update: Security update for python-rsa
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2008-1
Rating: important
References: #1172389
Cross-References: CVE-2020-13757
CVSS scores:
  CVE-2020-13757 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  CVE-2020-13757 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
  SUSE Manager Server 4.0
  SUSE Manager Retail Branch Server 4.0
  SUSE Manager Proxy 4.0
  SUSE Linux Enterprise Server for SAP 15-SP1
  SUSE Linux Enterprise Server 15-SP1-LTSS
  SUSE Linux Enterprise Server
15-SP1-BCL
  SUSE Linux Enterprise Module for Public Cloud 15
  SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
  SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2
  SUSE Linux Enterprise Module for Basesystem 15-SP3
  SUSE Linux Enterprise Module for Basesystem 15-SP2
  SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
  SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
  SUSE Enterprise Storage 6
  SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-rsa fixes the following issues:

- CVE-2020-13757: Proper handling of leading '\0' bytes during decryption of ciphertext (bsc#1172389)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:

  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-2008=1

- SUSE Manager Retail Branch Server 4.0:

  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-2008=1

- SUSE Manager Proxy 4.0:

  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-2008=1

- SUSE Linux Enterprise Server for SAP 15-SP1:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-2008=1

- SUSE Linux Enterprise Server 15-SP1-LTSS:

  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-2008=1

- SUSE Linux Enterprise Server 15-SP1-BCL:

  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-2008=1

- SUSE Linux Enterprise Module for Public Cloud 15:

  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2021-2008=1

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:

  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-2008=1

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2:

  zypper in -t patch
SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-2008=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-2008=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-2008=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-2008=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-2008=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-2008=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (noarch): python3-rsa-3.4.2-3.4.1 - SUSE Manager Retail Branch Server 4.0 (noarch): python3-rsa-3.4.2-3.4.1 - SUSE Manager Proxy 4.0 (noarch): python3-rsa-3.4.2-3.4.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): python3-rsa-3.4.2-3.4.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): python3-rsa-3.4.2-3.4.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): python3-rsa-3.4.2-3.4.1 - SUSE Linux Enterprise Module for Public Cloud 15 (noarch): python3-rsa-3.4.2-3.4.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (noarch): python2-rsa-3.4.2-3.4.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (noarch): python2-rsa-3.4.2-3.4.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch): python3-rsa-3.4.2-3.4.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): python3-rsa-3.4.2-3.4.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): python3-rsa-3.4.2-3.4.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): python3-rsa-3.4.2-3.4.1 - SUSE Enterprise Storage 6 (noarch): python3-rsa-3.4.2-3.4.1 - 
SUSE CaaS Platform 4.0 (noarch): python3-rsa-3.4.2-3.4.1 References: https://www.suse.com/security/cve/CVE-2020-13757.html https://bugzilla.suse.com/1172389 From sle-security-updates at lists.suse.com Thu Jun 17 19:20:08 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 17 Jun 2021 21:20:08 +0200 (CEST) Subject: SUSE-SU-2021:2004-1: important: Security update for apache2 Message-ID: <20210617192008.82B03FD07@maintenance.suse.de> SUSE Security Update: Security update for apache2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2004-1 Rating: important References: #1145740 #1180530 #1182703 #1186922 #1186923 #1186924 #1187017 #1187174 Cross-References: CVE-2019-10092 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641 CVE-2021-31618 CVSS scores: CVE-2019-10092 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2019-10092 (SUSE): 7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N CVE-2020-35452 (NVD) : 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2020-35452 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-26690 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-26691 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-30641 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2021-31618 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE 
Enterprise Storage 6
  SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that solves 6 vulnerabilities and has two fixes is now available.

Description:

This update for apache2 fixes the following issues:

- CVE-2021-30641: Fixed MergeSlashes regression (bsc#1187174)
- CVE-2021-31618: Fixed NULL pointer dereference on specially crafted HTTP/2 request (bsc#1186924)
- CVE-2020-35452: Fixed Single zero byte stack overflow in mod_auth_digest (bsc#1186922)
- CVE-2021-26690: Fixed mod_session NULL pointer dereference in parser (bsc#1186923)
- CVE-2021-26691: Fixed Heap overflow in mod_session (bsc#1187017)
- Fixed potential content spoofing with default error pages (bsc#1182703)
- Fixed an issue when 'gensslcert' does not set CA:True. (bsc#1180530)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:

  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-2004=1

- SUSE Manager Retail Branch Server 4.0:

  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-2004=1

- SUSE Manager Proxy 4.0:

  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-2004=1

- SUSE Linux Enterprise Server for SAP 15-SP1:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-2004=1

- SUSE Linux Enterprise Server for SAP 15:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-2004=1

- SUSE Linux Enterprise Server 15-SP1-LTSS:

  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-2004=1

- SUSE Linux Enterprise Server 15-SP1-BCL:

  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-2004=1

- SUSE Linux Enterprise Server 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-SLES-15-2021-2004=1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

  zypper in -t patch
SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-2004=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-2004=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2004=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2004=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-2004=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): apache2-2.4.33-3.50.1 apache2-debuginfo-2.4.33-3.50.1 apache2-debugsource-2.4.33-3.50.1 apache2-devel-2.4.33-3.50.1 apache2-prefork-2.4.33-3.50.1 apache2-prefork-debuginfo-2.4.33-3.50.1 apache2-utils-2.4.33-3.50.1 apache2-utils-debuginfo-2.4.33-3.50.1 apache2-worker-2.4.33-3.50.1 apache2-worker-debuginfo-2.4.33-3.50.1 - SUSE Manager Server 4.0 (noarch): apache2-doc-2.4.33-3.50.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): apache2-2.4.33-3.50.1 apache2-debuginfo-2.4.33-3.50.1 apache2-debugsource-2.4.33-3.50.1 apache2-devel-2.4.33-3.50.1 apache2-prefork-2.4.33-3.50.1 apache2-prefork-debuginfo-2.4.33-3.50.1 apache2-utils-2.4.33-3.50.1 apache2-utils-debuginfo-2.4.33-3.50.1 apache2-worker-2.4.33-3.50.1 apache2-worker-debuginfo-2.4.33-3.50.1 - SUSE Manager Retail Branch Server 4.0 (noarch): apache2-doc-2.4.33-3.50.1 - SUSE Manager Proxy 4.0 (noarch): apache2-doc-2.4.33-3.50.1 - SUSE Manager Proxy 4.0 (x86_64): apache2-2.4.33-3.50.1 apache2-debuginfo-2.4.33-3.50.1 apache2-debugsource-2.4.33-3.50.1 apache2-devel-2.4.33-3.50.1 apache2-prefork-2.4.33-3.50.1 apache2-prefork-debuginfo-2.4.33-3.50.1 apache2-utils-2.4.33-3.50.1 apache2-utils-debuginfo-2.4.33-3.50.1 apache2-worker-2.4.33-3.50.1 
apache2-worker-debuginfo-2.4.33-3.50.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): apache2-2.4.33-3.50.1 apache2-debuginfo-2.4.33-3.50.1 apache2-debugsource-2.4.33-3.50.1 apache2-devel-2.4.33-3.50.1 apache2-prefork-2.4.33-3.50.1 apache2-prefork-debuginfo-2.4.33-3.50.1 apache2-utils-2.4.33-3.50.1 apache2-utils-debuginfo-2.4.33-3.50.1 apache2-worker-2.4.33-3.50.1 apache2-worker-debuginfo-2.4.33-3.50.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): apache2-doc-2.4.33-3.50.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): apache2-2.4.33-3.50.1 apache2-debuginfo-2.4.33-3.50.1 apache2-debugsource-2.4.33-3.50.1 apache2-devel-2.4.33-3.50.1 apache2-prefork-2.4.33-3.50.1 apache2-prefork-debuginfo-2.4.33-3.50.1 apache2-utils-2.4.33-3.50.1 apache2-utils-debuginfo-2.4.33-3.50.1 apache2-worker-2.4.33-3.50.1 apache2-worker-debuginfo-2.4.33-3.50.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): apache2-doc-2.4.33-3.50.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): apache2-2.4.33-3.50.1 apache2-debuginfo-2.4.33-3.50.1 apache2-debugsource-2.4.33-3.50.1 apache2-devel-2.4.33-3.50.1 apache2-prefork-2.4.33-3.50.1 apache2-prefork-debuginfo-2.4.33-3.50.1 apache2-utils-2.4.33-3.50.1 apache2-utils-debuginfo-2.4.33-3.50.1 apache2-worker-2.4.33-3.50.1 apache2-worker-debuginfo-2.4.33-3.50.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): apache2-doc-2.4.33-3.50.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): apache2-2.4.33-3.50.1 apache2-debuginfo-2.4.33-3.50.1 apache2-debugsource-2.4.33-3.50.1 apache2-devel-2.4.33-3.50.1 apache2-prefork-2.4.33-3.50.1 apache2-prefork-debuginfo-2.4.33-3.50.1 apache2-utils-2.4.33-3.50.1 apache2-utils-debuginfo-2.4.33-3.50.1 apache2-worker-2.4.33-3.50.1 apache2-worker-debuginfo-2.4.33-3.50.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): apache2-doc-2.4.33-3.50.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): apache2-2.4.33-3.50.1 apache2-debuginfo-2.4.33-3.50.1 
apache2-debugsource-2.4.33-3.50.1 apache2-devel-2.4.33-3.50.1 apache2-prefork-2.4.33-3.50.1 apache2-prefork-debuginfo-2.4.33-3.50.1 apache2-utils-2.4.33-3.50.1 apache2-utils-debuginfo-2.4.33-3.50.1 apache2-worker-2.4.33-3.50.1 apache2-worker-debuginfo-2.4.33-3.50.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): apache2-doc-2.4.33-3.50.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): apache2-2.4.33-3.50.1 apache2-debuginfo-2.4.33-3.50.1 apache2-debugsource-2.4.33-3.50.1 apache2-devel-2.4.33-3.50.1 apache2-prefork-2.4.33-3.50.1 apache2-prefork-debuginfo-2.4.33-3.50.1 apache2-utils-2.4.33-3.50.1 apache2-utils-debuginfo-2.4.33-3.50.1 apache2-worker-2.4.33-3.50.1 apache2-worker-debuginfo-2.4.33-3.50.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): apache2-doc-2.4.33-3.50.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): apache2-2.4.33-3.50.1 apache2-debuginfo-2.4.33-3.50.1 apache2-debugsource-2.4.33-3.50.1 apache2-devel-2.4.33-3.50.1 apache2-prefork-2.4.33-3.50.1 apache2-prefork-debuginfo-2.4.33-3.50.1 apache2-utils-2.4.33-3.50.1 apache2-utils-debuginfo-2.4.33-3.50.1 apache2-worker-2.4.33-3.50.1 apache2-worker-debuginfo-2.4.33-3.50.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): apache2-doc-2.4.33-3.50.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): apache2-2.4.33-3.50.1 apache2-debuginfo-2.4.33-3.50.1 apache2-debugsource-2.4.33-3.50.1 apache2-devel-2.4.33-3.50.1 apache2-prefork-2.4.33-3.50.1 apache2-prefork-debuginfo-2.4.33-3.50.1 apache2-utils-2.4.33-3.50.1 apache2-utils-debuginfo-2.4.33-3.50.1 apache2-worker-2.4.33-3.50.1 apache2-worker-debuginfo-2.4.33-3.50.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): apache2-doc-2.4.33-3.50.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): apache2-2.4.33-3.50.1 apache2-debuginfo-2.4.33-3.50.1 
apache2-debugsource-2.4.33-3.50.1 apache2-devel-2.4.33-3.50.1 apache2-prefork-2.4.33-3.50.1 apache2-prefork-debuginfo-2.4.33-3.50.1 apache2-utils-2.4.33-3.50.1 apache2-utils-debuginfo-2.4.33-3.50.1 apache2-worker-2.4.33-3.50.1 apache2-worker-debuginfo-2.4.33-3.50.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): apache2-doc-2.4.33-3.50.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): apache2-2.4.33-3.50.1 apache2-debuginfo-2.4.33-3.50.1 apache2-debugsource-2.4.33-3.50.1 apache2-devel-2.4.33-3.50.1 apache2-prefork-2.4.33-3.50.1 apache2-prefork-debuginfo-2.4.33-3.50.1 apache2-utils-2.4.33-3.50.1 apache2-utils-debuginfo-2.4.33-3.50.1 apache2-worker-2.4.33-3.50.1 apache2-worker-debuginfo-2.4.33-3.50.1 - SUSE Enterprise Storage 6 (noarch): apache2-doc-2.4.33-3.50.1 - SUSE CaaS Platform 4.0 (x86_64): apache2-2.4.33-3.50.1 apache2-debuginfo-2.4.33-3.50.1 apache2-debugsource-2.4.33-3.50.1 apache2-devel-2.4.33-3.50.1 apache2-prefork-2.4.33-3.50.1 apache2-prefork-debuginfo-2.4.33-3.50.1 apache2-utils-2.4.33-3.50.1 apache2-utils-debuginfo-2.4.33-3.50.1 apache2-worker-2.4.33-3.50.1 apache2-worker-debuginfo-2.4.33-3.50.1 - SUSE CaaS Platform 4.0 (noarch): apache2-doc-2.4.33-3.50.1 References: https://www.suse.com/security/cve/CVE-2019-10092.html https://www.suse.com/security/cve/CVE-2020-35452.html https://www.suse.com/security/cve/CVE-2021-26690.html https://www.suse.com/security/cve/CVE-2021-26691.html https://www.suse.com/security/cve/CVE-2021-30641.html https://www.suse.com/security/cve/CVE-2021-31618.html https://bugzilla.suse.com/1145740 https://bugzilla.suse.com/1180530 https://bugzilla.suse.com/1182703 https://bugzilla.suse.com/1186922 https://bugzilla.suse.com/1186923 https://bugzilla.suse.com/1186924 https://bugzilla.suse.com/1187017 https://bugzilla.suse.com/1187174 From sle-security-updates at lists.suse.com Thu Jun 17 19:22:09 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 17 Jun 2021 
21:22:09 +0200 (CEST)
Subject: SUSE-SU-2021:1999-1: moderate: Security update for tpm2.0-tools
Message-ID: <20210617192209.E3E7DFD07@maintenance.suse.de>

SUSE Security Update: Security update for tpm2.0-tools
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:1999-1
Rating: moderate
References: #1186490
Cross-References: CVE-2021-3565
CVSS scores:
  CVE-2021-3565 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  CVE-2021-3565 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Affected Products:
  SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for tpm2.0-tools fixes the following issues:

- CVE-2021-3565: Fixed issue when no encrypted session with the TPM is used (bsc#1186490).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP2:

  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1999=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

  tpm2.0-tools-4.1-3.3.1
  tpm2.0-tools-debuginfo-4.1-3.3.1
  tpm2.0-tools-debugsource-4.1-3.3.1

References:

https://www.suse.com/security/cve/CVE-2021-3565.html
https://bugzilla.suse.com/1186490

From sle-security-updates at lists.suse.com Thu Jun 17 19:24:45 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 17 Jun 2021 21:24:45 +0200 (CEST)
Subject: SUSE-SU-2021:2006-1: important: Security update for apache2
Message-ID: <20210617192445.059E7FD07@maintenance.suse.de>

SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2006-1
Rating: important
References: #1186922 #1186923 #1186924 #1187017 #1187174
Cross-References: CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641 CVE-2021-31618
CVSS scores:
  CVE-2020-35452 (NVD) : 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  CVE-2020-35452 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-26690 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-26691 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-30641 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
  CVE-2021-31618 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  SUSE OpenStack Cloud Crowbar 9
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 9
  SUSE OpenStack Cloud 8
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Server for SAP 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4-LTSS
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server
12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-BCL
  HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

This update for apache2 fixes the following issues:

- fixed CVE-2021-30641 [bsc#1187174]: MergeSlashes regression
- fixed CVE-2021-31618 [bsc#1186924]: NULL pointer dereference on specially crafted HTTP/2 request
- fixed CVE-2020-35452 [bsc#1186922]: Single zero byte stack overflow in mod_auth_digest
- fixed CVE-2021-26690 [bsc#1186923]: mod_session NULL pointer dereference in parser
- fixed CVE-2021-26691 [bsc#1187017]: Heap overflow in mod_session

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:

  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-2006=1

- SUSE OpenStack Cloud Crowbar 8:

  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-2006=1

- SUSE OpenStack Cloud 9:

  zypper in -t patch SUSE-OpenStack-Cloud-9-2021-2006=1

- SUSE OpenStack Cloud 8:

  zypper in -t patch SUSE-OpenStack-Cloud-8-2021-2006=1

- SUSE Linux Enterprise Software Development Kit 12-SP5:

  zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-2006=1

- SUSE Linux Enterprise Server for SAP 12-SP4:

  zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-2006=1

- SUSE Linux Enterprise Server for SAP 12-SP3:

  zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-2006=1

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-2006=1

- SUSE Linux Enterprise Server 12-SP4-LTSS:

  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-2006=1

- SUSE Linux Enterprise Server 12-SP3-LTSS:

  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-2006=1

- SUSE Linux Enterprise Server 12-SP3-BCL:

  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-2006=1

- SUSE Linux Enterprise Server 12-SP2-BCL:

  zypper in -t patch
SUSE-SLE-SERVER-12-SP2-BCL-2021-2006=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-2006=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (noarch): apache2-doc-2.4.23-29.74.1 - SUSE OpenStack Cloud Crowbar 9 (x86_64): apache2-2.4.23-29.74.1 apache2-debuginfo-2.4.23-29.74.1 apache2-debugsource-2.4.23-29.74.1 apache2-example-pages-2.4.23-29.74.1 apache2-prefork-2.4.23-29.74.1 apache2-prefork-debuginfo-2.4.23-29.74.1 apache2-utils-2.4.23-29.74.1 apache2-utils-debuginfo-2.4.23-29.74.1 apache2-worker-2.4.23-29.74.1 apache2-worker-debuginfo-2.4.23-29.74.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): apache2-2.4.23-29.74.1 apache2-debuginfo-2.4.23-29.74.1 apache2-debugsource-2.4.23-29.74.1 apache2-example-pages-2.4.23-29.74.1 apache2-prefork-2.4.23-29.74.1 apache2-prefork-debuginfo-2.4.23-29.74.1 apache2-utils-2.4.23-29.74.1 apache2-utils-debuginfo-2.4.23-29.74.1 apache2-worker-2.4.23-29.74.1 apache2-worker-debuginfo-2.4.23-29.74.1 - SUSE OpenStack Cloud Crowbar 8 (noarch): apache2-doc-2.4.23-29.74.1 - SUSE OpenStack Cloud 9 (x86_64): apache2-2.4.23-29.74.1 apache2-debuginfo-2.4.23-29.74.1 apache2-debugsource-2.4.23-29.74.1 apache2-example-pages-2.4.23-29.74.1 apache2-prefork-2.4.23-29.74.1 apache2-prefork-debuginfo-2.4.23-29.74.1 apache2-utils-2.4.23-29.74.1 apache2-utils-debuginfo-2.4.23-29.74.1 apache2-worker-2.4.23-29.74.1 apache2-worker-debuginfo-2.4.23-29.74.1 - SUSE OpenStack Cloud 9 (noarch): apache2-doc-2.4.23-29.74.1 - SUSE OpenStack Cloud 8 (x86_64): apache2-2.4.23-29.74.1 apache2-debuginfo-2.4.23-29.74.1 apache2-debugsource-2.4.23-29.74.1 apache2-example-pages-2.4.23-29.74.1 apache2-prefork-2.4.23-29.74.1 apache2-prefork-debuginfo-2.4.23-29.74.1 apache2-utils-2.4.23-29.74.1 apache2-utils-debuginfo-2.4.23-29.74.1 apache2-worker-2.4.23-29.74.1 apache2-worker-debuginfo-2.4.23-29.74.1 - SUSE OpenStack Cloud 8 (noarch): apache2-doc-2.4.23-29.74.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): 
apache2-debuginfo-2.4.23-29.74.1 apache2-debugsource-2.4.23-29.74.1 apache2-devel-2.4.23-29.74.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): apache2-2.4.23-29.74.1 apache2-debuginfo-2.4.23-29.74.1 apache2-debugsource-2.4.23-29.74.1 apache2-example-pages-2.4.23-29.74.1 apache2-prefork-2.4.23-29.74.1 apache2-prefork-debuginfo-2.4.23-29.74.1 apache2-utils-2.4.23-29.74.1 apache2-utils-debuginfo-2.4.23-29.74.1 apache2-worker-2.4.23-29.74.1 apache2-worker-debuginfo-2.4.23-29.74.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): apache2-doc-2.4.23-29.74.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): apache2-2.4.23-29.74.1 apache2-debuginfo-2.4.23-29.74.1 apache2-debugsource-2.4.23-29.74.1 apache2-example-pages-2.4.23-29.74.1 apache2-prefork-2.4.23-29.74.1 apache2-prefork-debuginfo-2.4.23-29.74.1 apache2-utils-2.4.23-29.74.1 apache2-utils-debuginfo-2.4.23-29.74.1 apache2-worker-2.4.23-29.74.1 apache2-worker-debuginfo-2.4.23-29.74.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): apache2-doc-2.4.23-29.74.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): apache2-2.4.23-29.74.1 apache2-debuginfo-2.4.23-29.74.1 apache2-debugsource-2.4.23-29.74.1 apache2-example-pages-2.4.23-29.74.1 apache2-prefork-2.4.23-29.74.1 apache2-prefork-debuginfo-2.4.23-29.74.1 apache2-utils-2.4.23-29.74.1 apache2-utils-debuginfo-2.4.23-29.74.1 apache2-worker-2.4.23-29.74.1 apache2-worker-debuginfo-2.4.23-29.74.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): apache2-doc-2.4.23-29.74.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): apache2-2.4.23-29.74.1 apache2-debuginfo-2.4.23-29.74.1 apache2-debugsource-2.4.23-29.74.1 apache2-example-pages-2.4.23-29.74.1 apache2-prefork-2.4.23-29.74.1 apache2-prefork-debuginfo-2.4.23-29.74.1 apache2-utils-2.4.23-29.74.1 apache2-utils-debuginfo-2.4.23-29.74.1 apache2-worker-2.4.23-29.74.1 apache2-worker-debuginfo-2.4.23-29.74.1 - SUSE Linux Enterprise Server 
12-SP4-LTSS (noarch): apache2-doc-2.4.23-29.74.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): apache2-2.4.23-29.74.1 apache2-debuginfo-2.4.23-29.74.1 apache2-debugsource-2.4.23-29.74.1 apache2-example-pages-2.4.23-29.74.1 apache2-prefork-2.4.23-29.74.1 apache2-prefork-debuginfo-2.4.23-29.74.1 apache2-utils-2.4.23-29.74.1 apache2-utils-debuginfo-2.4.23-29.74.1 apache2-worker-2.4.23-29.74.1 apache2-worker-debuginfo-2.4.23-29.74.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): apache2-doc-2.4.23-29.74.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): apache2-2.4.23-29.74.1 apache2-debuginfo-2.4.23-29.74.1 apache2-debugsource-2.4.23-29.74.1 apache2-example-pages-2.4.23-29.74.1 apache2-prefork-2.4.23-29.74.1 apache2-prefork-debuginfo-2.4.23-29.74.1 apache2-utils-2.4.23-29.74.1 apache2-utils-debuginfo-2.4.23-29.74.1 apache2-worker-2.4.23-29.74.1 apache2-worker-debuginfo-2.4.23-29.74.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): apache2-doc-2.4.23-29.74.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): apache2-doc-2.4.23-29.74.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): apache2-2.4.23-29.74.1 apache2-debuginfo-2.4.23-29.74.1 apache2-debugsource-2.4.23-29.74.1 apache2-example-pages-2.4.23-29.74.1 apache2-prefork-2.4.23-29.74.1 apache2-prefork-debuginfo-2.4.23-29.74.1 apache2-utils-2.4.23-29.74.1 apache2-utils-debuginfo-2.4.23-29.74.1 apache2-worker-2.4.23-29.74.1 apache2-worker-debuginfo-2.4.23-29.74.1 - HPE Helion Openstack 8 (x86_64): apache2-2.4.23-29.74.1 apache2-debuginfo-2.4.23-29.74.1 apache2-debugsource-2.4.23-29.74.1 apache2-example-pages-2.4.23-29.74.1 apache2-prefork-2.4.23-29.74.1 apache2-prefork-debuginfo-2.4.23-29.74.1 apache2-utils-2.4.23-29.74.1 apache2-utils-debuginfo-2.4.23-29.74.1 apache2-worker-2.4.23-29.74.1 apache2-worker-debuginfo-2.4.23-29.74.1 - HPE Helion Openstack 8 (noarch): apache2-doc-2.4.23-29.74.1 References: https://www.suse.com/security/cve/CVE-2020-35452.html 
https://www.suse.com/security/cve/CVE-2021-26690.html https://www.suse.com/security/cve/CVE-2021-26691.html https://www.suse.com/security/cve/CVE-2021-30641.html https://www.suse.com/security/cve/CVE-2021-31618.html https://bugzilla.suse.com/1186922 https://bugzilla.suse.com/1186923 https://bugzilla.suse.com/1186924 https://bugzilla.suse.com/1187017 https://bugzilla.suse.com/1187174 From sle-security-updates at lists.suse.com Thu Jun 17 19:27:44 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 17 Jun 2021 21:27:44 +0200 (CEST) Subject: SUSE-SU-2021:2005-1: important: Security update for jetty-minimal Message-ID: <20210617192744.082E2FD07@maintenance.suse.de> SUSE Security Update: Security update for jetty-minimal ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2005-1 Rating: important References: #1184366 #1184367 #1184368 #1187117 Cross-References: CVE-2021-28163 CVE-2021-28164 CVE-2021-28165 CVE-2021-28169 CVSS scores: CVE-2021-28163 (NVD) : 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVE-2021-28163 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-28164 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2021-28164 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-28165 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28165 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-28169 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP3 SUSE Linux Enterprise Module for Development Tools 15-SP2 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. 
Description: This update for jetty-minimal fixes the following issues: Update to version 9.4.42.v20210604 - Fix: bsc#1187117, CVE-2021-28169 - possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory - Fix: bsc#1184367, CVE-2021-28165 - jetty server high CPU when client send data length > 17408 - Fix: bsc#1184368, CVE-2021-28164 - Normalize ambiguous URIs - Fix: bsc#1184366, CVE-2021-28163 - Exclude webapps directory from deployment scan Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP3: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-2005=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-2005=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch): jetty-http-9.4.42-3.9.1 jetty-io-9.4.42-3.9.1 jetty-security-9.4.42-3.9.1 jetty-server-9.4.42-3.9.1 jetty-servlet-9.4.42-3.9.1 jetty-util-9.4.42-3.9.1 jetty-util-ajax-9.4.42-3.9.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch): jetty-http-9.4.42-3.9.1 jetty-io-9.4.42-3.9.1 jetty-security-9.4.42-3.9.1 jetty-server-9.4.42-3.9.1 jetty-servlet-9.4.42-3.9.1 jetty-util-9.4.42-3.9.1 jetty-util-ajax-9.4.42-3.9.1 References: https://www.suse.com/security/cve/CVE-2021-28163.html https://www.suse.com/security/cve/CVE-2021-28164.html https://www.suse.com/security/cve/CVE-2021-28165.html https://www.suse.com/security/cve/CVE-2021-28169.html https://bugzilla.suse.com/1184366 https://bugzilla.suse.com/1184367 https://bugzilla.suse.com/1184368 https://bugzilla.suse.com/1187117 From sle-security-updates at lists.suse.com Thu Jun 17 19:29:13 2021 From: sle-security-updates at lists.suse.com 
(sle-security-updates at lists.suse.com) Date: Thu, 17 Jun 2021 21:29:13 +0200 (CEST) Subject: SUSE-SU-2021:1998-1: moderate: Security update for tpm2.0-tools Message-ID: <20210617192913.886A3FD07@maintenance.suse.de> SUSE Security Update: Security update for tpm2.0-tools ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1998-1 Rating: moderate References: #1186490 Cross-References: CVE-2021-3565 CVSS scores: CVE-2021-3565 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-3565 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for tpm2.0-tools fixes the following issues: - CVE-2021-3565: Fixed issue when no encrypted session with the TPM is used (bsc#1186490). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-1998=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): tpm2.0-tools-4.3.0-4.3.1 tpm2.0-tools-debuginfo-4.3.0-4.3.1 tpm2.0-tools-debugsource-4.3.0-4.3.1 References: https://www.suse.com/security/cve/CVE-2021-3565.html https://bugzilla.suse.com/1186490 From sle-security-updates at lists.suse.com Thu Jun 17 19:30:29 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 17 Jun 2021 21:30:29 +0200 (CEST) Subject: SUSE-SU-2021:2007-1: important: Security update for caribou Message-ID: <20210617193029.7D38FFD07@maintenance.suse.de> SUSE Security Update: Security update for caribou ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2007-1 Rating: important References: #1186617 Cross-References: CVE-2021-3567 CVSS scores: CVE-2021-3567 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for caribou fixes the following issues: Security issue fixed: - CVE-2021-3567: Fixed a segfault when attempting to use shifted characters (bsc#1186617). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-2007=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-2007=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-2007=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-2007=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-2007=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-2007=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-2007=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-2007=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-2007=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-2007=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2007=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2007=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-2007=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. 
It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): caribou-0.4.21-5.3.1 caribou-common-0.4.21-5.3.1 caribou-debuginfo-0.4.21-5.3.1 caribou-debugsource-0.4.21-5.3.1 caribou-devel-0.4.21-5.3.1 caribou-gtk-module-common-0.4.21-5.3.1 caribou-gtk2-module-0.4.21-5.3.1 caribou-gtk2-module-debuginfo-0.4.21-5.3.1 caribou-gtk3-module-0.4.21-5.3.1 caribou-gtk3-module-debuginfo-0.4.21-5.3.1 libcaribou0-0.4.21-5.3.1 libcaribou0-debuginfo-0.4.21-5.3.1 typelib-1_0-Caribou-1_0-0.4.21-5.3.1 - SUSE Manager Server 4.0 (noarch): caribou-lang-0.4.21-5.3.1 - SUSE Manager Retail Branch Server 4.0 (noarch): caribou-lang-0.4.21-5.3.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): caribou-0.4.21-5.3.1 caribou-common-0.4.21-5.3.1 caribou-debuginfo-0.4.21-5.3.1 caribou-debugsource-0.4.21-5.3.1 caribou-devel-0.4.21-5.3.1 caribou-gtk-module-common-0.4.21-5.3.1 caribou-gtk2-module-0.4.21-5.3.1 caribou-gtk2-module-debuginfo-0.4.21-5.3.1 caribou-gtk3-module-0.4.21-5.3.1 caribou-gtk3-module-debuginfo-0.4.21-5.3.1 libcaribou0-0.4.21-5.3.1 libcaribou0-debuginfo-0.4.21-5.3.1 typelib-1_0-Caribou-1_0-0.4.21-5.3.1 - SUSE Manager Proxy 4.0 (noarch): caribou-lang-0.4.21-5.3.1 - SUSE Manager Proxy 4.0 (x86_64): caribou-0.4.21-5.3.1 caribou-common-0.4.21-5.3.1 caribou-debuginfo-0.4.21-5.3.1 caribou-debugsource-0.4.21-5.3.1 caribou-devel-0.4.21-5.3.1 caribou-gtk-module-common-0.4.21-5.3.1 caribou-gtk2-module-0.4.21-5.3.1 caribou-gtk2-module-debuginfo-0.4.21-5.3.1 caribou-gtk3-module-0.4.21-5.3.1 caribou-gtk3-module-debuginfo-0.4.21-5.3.1 libcaribou0-0.4.21-5.3.1 libcaribou0-debuginfo-0.4.21-5.3.1 typelib-1_0-Caribou-1_0-0.4.21-5.3.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): caribou-0.4.21-5.3.1 caribou-common-0.4.21-5.3.1 caribou-debuginfo-0.4.21-5.3.1 caribou-debugsource-0.4.21-5.3.1 caribou-devel-0.4.21-5.3.1 caribou-gtk-module-common-0.4.21-5.3.1 
caribou-gtk2-module-0.4.21-5.3.1 caribou-gtk2-module-debuginfo-0.4.21-5.3.1 caribou-gtk3-module-0.4.21-5.3.1 caribou-gtk3-module-debuginfo-0.4.21-5.3.1 libcaribou0-0.4.21-5.3.1 libcaribou0-debuginfo-0.4.21-5.3.1 typelib-1_0-Caribou-1_0-0.4.21-5.3.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): caribou-lang-0.4.21-5.3.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): caribou-0.4.21-5.3.1 caribou-common-0.4.21-5.3.1 caribou-debuginfo-0.4.21-5.3.1 caribou-debugsource-0.4.21-5.3.1 caribou-devel-0.4.21-5.3.1 caribou-gtk-module-common-0.4.21-5.3.1 caribou-gtk2-module-0.4.21-5.3.1 caribou-gtk2-module-debuginfo-0.4.21-5.3.1 caribou-gtk3-module-0.4.21-5.3.1 caribou-gtk3-module-debuginfo-0.4.21-5.3.1 libcaribou0-0.4.21-5.3.1 libcaribou0-debuginfo-0.4.21-5.3.1 typelib-1_0-Caribou-1_0-0.4.21-5.3.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): caribou-lang-0.4.21-5.3.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): caribou-0.4.21-5.3.1 caribou-common-0.4.21-5.3.1 caribou-debuginfo-0.4.21-5.3.1 caribou-debugsource-0.4.21-5.3.1 caribou-devel-0.4.21-5.3.1 caribou-gtk-module-common-0.4.21-5.3.1 caribou-gtk2-module-0.4.21-5.3.1 caribou-gtk2-module-debuginfo-0.4.21-5.3.1 caribou-gtk3-module-0.4.21-5.3.1 caribou-gtk3-module-debuginfo-0.4.21-5.3.1 libcaribou0-0.4.21-5.3.1 libcaribou0-debuginfo-0.4.21-5.3.1 typelib-1_0-Caribou-1_0-0.4.21-5.3.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): caribou-lang-0.4.21-5.3.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): caribou-lang-0.4.21-5.3.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): caribou-0.4.21-5.3.1 caribou-common-0.4.21-5.3.1 caribou-debuginfo-0.4.21-5.3.1 caribou-debugsource-0.4.21-5.3.1 caribou-devel-0.4.21-5.3.1 caribou-gtk-module-common-0.4.21-5.3.1 caribou-gtk2-module-0.4.21-5.3.1 caribou-gtk2-module-debuginfo-0.4.21-5.3.1 caribou-gtk3-module-0.4.21-5.3.1 caribou-gtk3-module-debuginfo-0.4.21-5.3.1 libcaribou0-0.4.21-5.3.1 libcaribou0-debuginfo-0.4.21-5.3.1 
typelib-1_0-Caribou-1_0-0.4.21-5.3.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): caribou-0.4.21-5.3.1 caribou-common-0.4.21-5.3.1 caribou-debuginfo-0.4.21-5.3.1 caribou-debugsource-0.4.21-5.3.1 caribou-devel-0.4.21-5.3.1 caribou-gtk-module-common-0.4.21-5.3.1 caribou-gtk2-module-0.4.21-5.3.1 caribou-gtk2-module-debuginfo-0.4.21-5.3.1 caribou-gtk3-module-0.4.21-5.3.1 caribou-gtk3-module-debuginfo-0.4.21-5.3.1 libcaribou0-0.4.21-5.3.1 libcaribou0-debuginfo-0.4.21-5.3.1 typelib-1_0-Caribou-1_0-0.4.21-5.3.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): caribou-lang-0.4.21-5.3.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): caribou-0.4.21-5.3.1 caribou-common-0.4.21-5.3.1 caribou-debuginfo-0.4.21-5.3.1 caribou-debugsource-0.4.21-5.3.1 caribou-devel-0.4.21-5.3.1 caribou-gtk-module-common-0.4.21-5.3.1 caribou-gtk2-module-0.4.21-5.3.1 caribou-gtk2-module-debuginfo-0.4.21-5.3.1 caribou-gtk3-module-0.4.21-5.3.1 caribou-gtk3-module-debuginfo-0.4.21-5.3.1 libcaribou0-0.4.21-5.3.1 libcaribou0-debuginfo-0.4.21-5.3.1 typelib-1_0-Caribou-1_0-0.4.21-5.3.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): caribou-lang-0.4.21-5.3.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): caribou-0.4.21-5.3.1 caribou-common-0.4.21-5.3.1 caribou-debuginfo-0.4.21-5.3.1 caribou-debugsource-0.4.21-5.3.1 caribou-devel-0.4.21-5.3.1 caribou-gtk-module-common-0.4.21-5.3.1 caribou-gtk2-module-0.4.21-5.3.1 caribou-gtk2-module-debuginfo-0.4.21-5.3.1 caribou-gtk3-module-0.4.21-5.3.1 caribou-gtk3-module-debuginfo-0.4.21-5.3.1 libcaribou0-0.4.21-5.3.1 libcaribou0-debuginfo-0.4.21-5.3.1 typelib-1_0-Caribou-1_0-0.4.21-5.3.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): caribou-lang-0.4.21-5.3.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): caribou-0.4.21-5.3.1 caribou-common-0.4.21-5.3.1 caribou-debuginfo-0.4.21-5.3.1 
caribou-debugsource-0.4.21-5.3.1 caribou-devel-0.4.21-5.3.1 caribou-gtk-module-common-0.4.21-5.3.1 caribou-gtk2-module-0.4.21-5.3.1 caribou-gtk2-module-debuginfo-0.4.21-5.3.1 caribou-gtk3-module-0.4.21-5.3.1 caribou-gtk3-module-debuginfo-0.4.21-5.3.1 libcaribou0-0.4.21-5.3.1 libcaribou0-debuginfo-0.4.21-5.3.1 typelib-1_0-Caribou-1_0-0.4.21-5.3.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): caribou-lang-0.4.21-5.3.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): caribou-0.4.21-5.3.1 caribou-common-0.4.21-5.3.1 caribou-debuginfo-0.4.21-5.3.1 caribou-debugsource-0.4.21-5.3.1 caribou-devel-0.4.21-5.3.1 caribou-gtk-module-common-0.4.21-5.3.1 caribou-gtk2-module-0.4.21-5.3.1 caribou-gtk2-module-debuginfo-0.4.21-5.3.1 caribou-gtk3-module-0.4.21-5.3.1 caribou-gtk3-module-debuginfo-0.4.21-5.3.1 libcaribou0-0.4.21-5.3.1 libcaribou0-debuginfo-0.4.21-5.3.1 typelib-1_0-Caribou-1_0-0.4.21-5.3.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): caribou-lang-0.4.21-5.3.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): caribou-0.4.21-5.3.1 caribou-common-0.4.21-5.3.1 caribou-debuginfo-0.4.21-5.3.1 caribou-debugsource-0.4.21-5.3.1 caribou-devel-0.4.21-5.3.1 caribou-gtk-module-common-0.4.21-5.3.1 caribou-gtk2-module-0.4.21-5.3.1 caribou-gtk2-module-debuginfo-0.4.21-5.3.1 caribou-gtk3-module-0.4.21-5.3.1 caribou-gtk3-module-debuginfo-0.4.21-5.3.1 libcaribou0-0.4.21-5.3.1 libcaribou0-debuginfo-0.4.21-5.3.1 typelib-1_0-Caribou-1_0-0.4.21-5.3.1 - SUSE Enterprise Storage 6 (noarch): caribou-lang-0.4.21-5.3.1 - SUSE CaaS Platform 4.0 (noarch): caribou-lang-0.4.21-5.3.1 - SUSE CaaS Platform 4.0 (x86_64): caribou-0.4.21-5.3.1 caribou-common-0.4.21-5.3.1 caribou-debuginfo-0.4.21-5.3.1 caribou-debugsource-0.4.21-5.3.1 caribou-devel-0.4.21-5.3.1 caribou-gtk-module-common-0.4.21-5.3.1 caribou-gtk2-module-0.4.21-5.3.1 caribou-gtk2-module-debuginfo-0.4.21-5.3.1 caribou-gtk3-module-0.4.21-5.3.1 
caribou-gtk3-module-debuginfo-0.4.21-5.3.1 libcaribou0-0.4.21-5.3.1 libcaribou0-debuginfo-0.4.21-5.3.1 typelib-1_0-Caribou-1_0-0.4.21-5.3.1 References: https://www.suse.com/security/cve/CVE-2021-3567.html https://bugzilla.suse.com/1186617 From sle-security-updates at lists.suse.com Fri Jun 18 10:17:39 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 12:17:39 +0200 (CEST) Subject: SUSE-SU-2021:2011-1: important: Security update for xterm Message-ID: <20210618101739.6D0E1FDE0@maintenance.suse.de> SUSE Security Update: Security update for xterm ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2011-1 Rating: important References: #1182091 Cross-References: CVE-2021-27135 CVSS scores: CVE-2021-27135 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-27135 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for xterm fixes the following issues: - CVE-2021-27135: Fixed buffer-overflow when clicking on selected utf8 text. (bsc#1182091) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-2011=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-2011=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): xterm-330-11.3.1 xterm-bin-330-11.3.1 xterm-bin-debuginfo-330-11.3.1 xterm-debugsource-330-11.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): xterm-330-11.3.1 xterm-bin-330-11.3.1 xterm-bin-debuginfo-330-11.3.1 xterm-debugsource-330-11.3.1 References: https://www.suse.com/security/cve/CVE-2021-27135.html https://bugzilla.suse.com/1182091 From sle-security-updates at lists.suse.com Fri Jun 18 10:20:25 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 12:20:25 +0200 (CEST) Subject: SUSE-SU-2021:2010-1: moderate: Security update for python-PyJWT Message-ID: <20210618102025.2FFD2FDE0@maintenance.suse.de> SUSE Security Update: Security update for python-PyJWT ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2010-1 Rating: moderate References: #1186173 Cross-References: CVE-2017-12880 CVSS scores: CVE-2017-12880 (SUSE): 8.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Module for Public Cloud 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for python-PyJWT fixes the following issues: python-JWT was updated to 1.5.3. (bsc#1186173) update to version 1.5.3: * Changed + Increase required version of the cryptography package to >=1.4.0. * Fixed + Remove uses of deprecated functions from the cryptography package. 
+ Warn about missing algorithms param to decode() only when verify param is True #281

update to version 1.5.2:
- Ensure correct arguments order in decode super call [7c1e61d][7c1e61d]
- Change optparse for argparse. [#238][238]
- Guard against PKCS1 PEM encoded public keys [#277][277]
- Add deprecation warning when decoding without specifying `algorithms` [#277][277]
- Improve deprecation messages [#270][270]
- PyJWT.decode: move verify param into options [#271][271]
- Support for Python 3.6 [#262][262]
- Expose jwt.InvalidAlgorithmError [#264][264]
- Add support for ECDSA public keys in RFC 4253 (OpenSSH) format [#244][244]
- Renamed commandline script `jwt` to `jwt-cli` to avoid issues with the script clobbering the `jwt` module in some circumstances. [#187][187]
- Better error messages when using an algorithm that requires the cryptography package, but it isn't available [#230][230]
- Tokens with future 'iat' values are no longer rejected [#190][190]
- Non-numeric 'iat' values now raise InvalidIssuedAtError instead of DecodeError
- Remove rejection of future 'iat' claims [#252][252]
- Add back 'ES512' for backward compatibility (for now) [#225][225]
- Fix incorrectly named ECDSA algorithm [#219][219]
- Fix rpm build [#196][196]
- Add JWK support for HMAC and RSA keys [#202][202]

Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2021-2010=1 - SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2021-2010=1 Package List: - SUSE OpenStack Cloud 7 (noarch): python-PyJWT-1.5.3-3.13.1 - SUSE Linux Enterprise Module for Public Cloud 12 (noarch): python-PyJWT-1.5.3-3.13.1 python3-PyJWT-1.5.3-3.13.1 References: https://www.suse.com/security/cve/CVE-2017-12880.html https://bugzilla.suse.com/1186173 From sle-security-updates at lists.suse.com Fri Jun 18 10:21:39 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 12:21:39 +0200 (CEST) Subject: SUSE-SU-2021:2012-1: important: Security update for python-urllib3 Message-ID: <20210618102139.87A62FDE0@maintenance.suse.de> SUSE Security Update: Security update for python-urllib3 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2012-1 Rating: important References: #1187045 Cross-References: CVE-2021-33503 CVSS scores: CVE-2021-33503 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for python-urllib3 fixes the following issues: - CVE-2021-33503: Fixed a denial of service when the URL contained many @ characters in the authority component (bsc#1187045) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-2012=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch): python3-urllib3-1.25.10-4.3.1 References: https://www.suse.com/security/cve/CVE-2021-33503.html https://bugzilla.suse.com/1187045 From sle-security-updates at lists.suse.com Fri Jun 18 10:22:57 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 12:22:57 +0200 (CEST) Subject: SUSE-SU-2021:2014-1: important: Security update for xterm Message-ID: <20210618102257.04C0AFDE0@maintenance.suse.de> SUSE Security Update: Security update for xterm ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2014-1 Rating: important References: #1182091 Cross-References: CVE-2021-27135 CVSS scores: CVE-2021-27135 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-27135 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for xterm fixes the following issues: - CVE-2021-27135: Fixed buffer-overflow when clicking on selected utf8 text. (bsc#1182091) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-2014=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-2014=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-2014=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-2014=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-2014=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-2014=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-2014=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-2014=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-2014=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-2014=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-2014=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-2014=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): xterm-308-5.3.1 xterm-debuginfo-308-5.3.1 xterm-debugsource-308-5.3.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): xterm-308-5.3.1 xterm-debuginfo-308-5.3.1 xterm-debugsource-308-5.3.1 - SUSE OpenStack Cloud 9 (x86_64): xterm-308-5.3.1 xterm-debuginfo-308-5.3.1 xterm-debugsource-308-5.3.1 - SUSE OpenStack Cloud 8 (x86_64): xterm-308-5.3.1 xterm-debuginfo-308-5.3.1 xterm-debugsource-308-5.3.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): xterm-308-5.3.1 xterm-debuginfo-308-5.3.1 xterm-debugsource-308-5.3.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): xterm-308-5.3.1 xterm-debuginfo-308-5.3.1 xterm-debugsource-308-5.3.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): xterm-308-5.3.1 
xterm-debuginfo-308-5.3.1 xterm-debugsource-308-5.3.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): xterm-308-5.3.1 xterm-debuginfo-308-5.3.1 xterm-debugsource-308-5.3.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): xterm-308-5.3.1 xterm-debuginfo-308-5.3.1 xterm-debugsource-308-5.3.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): xterm-308-5.3.1 xterm-debuginfo-308-5.3.1 xterm-debugsource-308-5.3.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): xterm-308-5.3.1 xterm-debuginfo-308-5.3.1 xterm-debugsource-308-5.3.1 - HPE Helion Openstack 8 (x86_64): xterm-308-5.3.1 xterm-debuginfo-308-5.3.1 xterm-debugsource-308-5.3.1 References: https://www.suse.com/security/cve/CVE-2021-27135.html https://bugzilla.suse.com/1182091 From sle-security-updates at lists.suse.com Fri Jun 18 10:24:19 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 12:24:19 +0200 (CEST) Subject: SUSE-SU-2021:2013-1: important: Security update for xterm Message-ID: <20210618102419.DBB64FDE0@maintenance.suse.de> SUSE Security Update: Security update for xterm ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2013-1 Rating: important References: #1169444 #1182091 Cross-References: CVE-2021-27135 CVSS scores: CVE-2021-27135 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-27135 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 
15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for xterm fixes the following issues: - CVE-2021-27135: Fixed buffer-overflow when clicking on selected utf8 text. (bsc#1182091) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-2013=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-2013=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-2013=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-2013=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-2013=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-2013=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-2013=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-2013=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-2013=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-2013=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2013=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2013=1 - SUSE Enterprise Storage 
6: zypper in -t patch SUSE-Storage-6-2021-2013=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): xterm-330-4.3.1 xterm-bin-330-4.3.1 xterm-bin-debuginfo-330-4.3.1 xterm-debugsource-330-4.3.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): xterm-330-4.3.1 xterm-bin-330-4.3.1 xterm-bin-debuginfo-330-4.3.1 xterm-debugsource-330-4.3.1 - SUSE Manager Proxy 4.0 (x86_64): xterm-330-4.3.1 xterm-bin-330-4.3.1 xterm-bin-debuginfo-330-4.3.1 xterm-debugsource-330-4.3.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): xterm-330-4.3.1 xterm-bin-330-4.3.1 xterm-bin-debuginfo-330-4.3.1 xterm-debugsource-330-4.3.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): xterm-330-4.3.1 xterm-bin-330-4.3.1 xterm-bin-debuginfo-330-4.3.1 xterm-debugsource-330-4.3.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): xterm-330-4.3.1 xterm-bin-330-4.3.1 xterm-bin-debuginfo-330-4.3.1 xterm-debugsource-330-4.3.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): xterm-330-4.3.1 xterm-bin-330-4.3.1 xterm-bin-debuginfo-330-4.3.1 xterm-debugsource-330-4.3.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): xterm-330-4.3.1 xterm-bin-330-4.3.1 xterm-bin-debuginfo-330-4.3.1 xterm-debugsource-330-4.3.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): xterm-330-4.3.1 xterm-bin-330-4.3.1 xterm-bin-debuginfo-330-4.3.1 xterm-debugsource-330-4.3.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): xterm-330-4.3.1 xterm-bin-330-4.3.1 xterm-bin-debuginfo-330-4.3.1 xterm-debugsource-330-4.3.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): xterm-330-4.3.1 xterm-bin-330-4.3.1 xterm-bin-debuginfo-330-4.3.1 xterm-debugsource-330-4.3.1 - 
SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): xterm-330-4.3.1 xterm-bin-330-4.3.1 xterm-bin-debuginfo-330-4.3.1 xterm-debugsource-330-4.3.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): xterm-330-4.3.1 xterm-bin-330-4.3.1 xterm-bin-debuginfo-330-4.3.1 xterm-debugsource-330-4.3.1 - SUSE CaaS Platform 4.0 (x86_64): xterm-330-4.3.1 xterm-bin-330-4.3.1 xterm-bin-debuginfo-330-4.3.1 xterm-debugsource-330-4.3.1 References: https://www.suse.com/security/cve/CVE-2021-27135.html https://bugzilla.suse.com/1169444 https://bugzilla.suse.com/1182091 From sle-security-updates at lists.suse.com Fri Jun 18 13:17:48 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 15:17:48 +0200 (CEST) Subject: SUSE-SU-2021:2042-1: important: Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) Message-ID: <20210618131748.50AA3FDE0@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2042-1 Rating: important References: #1185899 #1186235 #1186285 Cross-References: CVE-2021-32399 CVE-2021-33034 CVSS scores: CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for the Linux Kernel 4.4.180-94_138 fixes several issues. The following issues were fixed: - CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. 
This could lead to writing arbitrary values (bsc#1186111). - CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611). - Fixed a regression with the last livepatch which caused a kernel warning during sysfs read (bsc#1186235). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-2035=1 SUSE-SLE-SAP-12-SP3-2021-2042=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-2035=1 SUSE-SLE-SERVER-12-SP3-2021-2042=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_180-94_138-default-6-2.2 kgraft-patch-4_4_180-94_138-default-debuginfo-6-2.2 kgraft-patch-4_4_180-94_141-default-5-2.2 kgraft-patch-4_4_180-94_141-default-debuginfo-5-2.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_180-94_138-default-6-2.2 kgraft-patch-4_4_180-94_138-default-debuginfo-6-2.2 kgraft-patch-4_4_180-94_141-default-5-2.2 kgraft-patch-4_4_180-94_141-default-debuginfo-5-2.2 References: https://www.suse.com/security/cve/CVE-2021-32399.html https://www.suse.com/security/cve/CVE-2021-33034.html https://bugzilla.suse.com/1185899 https://bugzilla.suse.com/1186235 https://bugzilla.suse.com/1186285 From sle-security-updates at lists.suse.com Fri Jun 18 13:19:42 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 15:19:42 +0200 (CEST) Subject: SUSE-SU-2021:2025-1: important: Security update for the Linux Kernel (Live Patch 7 for SLE 12 SP5) Message-ID: <20210618131942.85772FDE0@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 7 for SLE 12 SP5) 
______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2025-1 Rating: important References: #1185847 #1185899 #1186285 Cross-References: CVE-2021-32399 CVE-2021-33034 CVSS scores: CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP2 SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Live Patching 12-SP5 SUSE Linux Enterprise Live Patching 12-SP4 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for the Linux Kernel 4.12.14-122_29 fixes several issues. The following issues were fixed: - CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values (bsc#1186111). - CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611). - Fixed a data loss/data corruption that occurs if there is a write error on an md/raid array (bsc#1185680). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP2: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-2029=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2030=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2031=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2032=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2033=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2034=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2036=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2037=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2038=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2039=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2040=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2041=1 - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-2044=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2045=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2046=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2047=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2048=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2050=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2051=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2052=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2054=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2055=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2056=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-2017=1 SUSE-SLE-Live-Patching-12-SP5-2021-2018=1 SUSE-SLE-Live-Patching-12-SP5-2021-2019=1 SUSE-SLE-Live-Patching-12-SP5-2021-2068=1 SUSE-SLE-Live-Patching-12-SP5-2021-2069=1 SUSE-SLE-Live-Patching-12-SP5-2021-2070=1 SUSE-SLE-Live-Patching-12-SP5-2021-2071=1 SUSE-SLE-Live-Patching-12-SP5-2021-2072=1 SUSE-SLE-Live-Patching-12-SP5-2021-2073=1 SUSE-SLE-Live-Patching-12-SP5-2021-2074=1 SUSE-SLE-Live-Patching-12-SP5-2021-2075=1 - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2021-2021=1 
SUSE-SLE-Live-Patching-12-SP4-2021-2022=1 SUSE-SLE-Live-Patching-12-SP4-2021-2023=1 SUSE-SLE-Live-Patching-12-SP4-2021-2024=1 SUSE-SLE-Live-Patching-12-SP4-2021-2025=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-livepatch-5_3_18-22-default-12-5.2 kernel-livepatch-5_3_18-22-default-debuginfo-12-5.2 kernel-livepatch-5_3_18-24_12-default-10-2.2 kernel-livepatch-5_3_18-24_12-default-debuginfo-10-2.2 kernel-livepatch-5_3_18-24_15-default-10-2.2 kernel-livepatch-5_3_18-24_15-default-debuginfo-10-2.2 kernel-livepatch-5_3_18-24_24-default-10-2.2 kernel-livepatch-5_3_18-24_24-default-debuginfo-10-2.2 kernel-livepatch-5_3_18-24_29-default-8-2.2 kernel-livepatch-5_3_18-24_29-default-debuginfo-8-2.2 kernel-livepatch-5_3_18-24_34-default-8-2.2 kernel-livepatch-5_3_18-24_34-default-debuginfo-8-2.2 kernel-livepatch-5_3_18-24_37-default-8-2.2 kernel-livepatch-5_3_18-24_37-default-debuginfo-8-2.2 kernel-livepatch-5_3_18-24_43-default-7-2.2 kernel-livepatch-5_3_18-24_43-default-debuginfo-7-2.2 kernel-livepatch-5_3_18-24_46-default-7-2.2 kernel-livepatch-5_3_18-24_46-default-debuginfo-7-2.2 kernel-livepatch-5_3_18-24_49-default-6-2.2 kernel-livepatch-5_3_18-24_49-default-debuginfo-6-2.2 kernel-livepatch-5_3_18-24_52-default-5-2.2 kernel-livepatch-5_3_18-24_52-default-debuginfo-5-2.2 kernel-livepatch-5_3_18-24_9-default-11-2.2 kernel-livepatch-5_3_18-24_9-default-debuginfo-11-2.2 kernel-livepatch-SLE15-SP2_Update_0-debugsource-12-5.2 kernel-livepatch-SLE15-SP2_Update_1-debugsource-11-2.2 kernel-livepatch-SLE15-SP2_Update_10-debugsource-6-2.2 kernel-livepatch-SLE15-SP2_Update_11-debugsource-5-2.2 kernel-livepatch-SLE15-SP2_Update_2-debugsource-10-2.2 kernel-livepatch-SLE15-SP2_Update_3-debugsource-10-2.2 kernel-livepatch-SLE15-SP2_Update_4-debugsource-10-2.2 kernel-livepatch-SLE15-SP2_Update_5-debugsource-8-2.2 kernel-livepatch-SLE15-SP2_Update_6-debugsource-8-2.2 kernel-livepatch-SLE15-SP2_Update_7-debugsource-8-2.2 
kernel-livepatch-SLE15-SP2_Update_8-debugsource-7-2.2 kernel-livepatch-SLE15-SP2_Update_9-debugsource-7-2.2 - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-197_48-default-11-2.2 kernel-livepatch-4_12_14-197_51-default-11-2.2 kernel-livepatch-4_12_14-197_56-default-10-2.2 kernel-livepatch-4_12_14-197_61-default-9-2.2 kernel-livepatch-4_12_14-197_64-default-8-2.2 kernel-livepatch-4_12_14-197_67-default-8-2.2 kernel-livepatch-4_12_14-197_72-default-7-2.2 kernel-livepatch-4_12_14-197_75-default-7-2.2 kernel-livepatch-4_12_14-197_78-default-7-2.2 kernel-livepatch-4_12_14-197_83-default-6-2.2 kernel-livepatch-4_12_14-197_86-default-5-2.2 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kgraft-patch-4_12_14-122_26-default-13-2.2 kgraft-patch-4_12_14-122_29-default-13-2.2 kgraft-patch-4_12_14-122_32-default-13-2.2 kgraft-patch-4_12_14-122_37-default-12-2.2 kgraft-patch-4_12_14-122_41-default-11-2.2 kgraft-patch-4_12_14-122_46-default-9-2.2 kgraft-patch-4_12_14-122_51-default-9-2.2 kgraft-patch-4_12_14-122_54-default-7-2.2 kgraft-patch-4_12_14-122_57-default-7-2.2 kgraft-patch-4_12_14-122_60-default-6-2.2 kgraft-patch-4_12_14-122_63-default-5-2.2 - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64): kgraft-patch-4_12_14-95_57-default-11-2.2 kgraft-patch-4_12_14-95_60-default-10-2.2 kgraft-patch-4_12_14-95_65-default-7-2.2 kgraft-patch-4_12_14-95_68-default-6-2.2 kgraft-patch-4_12_14-95_71-default-5-2.2 References: https://www.suse.com/security/cve/CVE-2021-32399.html https://www.suse.com/security/cve/CVE-2021-33034.html https://bugzilla.suse.com/1185847 https://bugzilla.suse.com/1185899 https://bugzilla.suse.com/1186285 From sle-security-updates at lists.suse.com Fri Jun 18 13:21:34 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 15:21:34 +0200 (CEST) Subject: SUSE-SU-2021:2067-1: important: Security update for the Linux 
Kernel (Live Patch 17 for SLE 12 SP5) Message-ID: <20210618132134.D84B6FDE0@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 17 for SLE 12 SP5) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2067-1 Rating: important References: #1185847 #1185899 #1186061 #1186285 Cross-References: CVE-2021-23134 CVE-2021-32399 CVE-2021-33034 CVSS scores: CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP2 SUSE Linux Enterprise Live Patching 12-SP5 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for the Linux Kernel 4.12.14-122_66 fixes several issues. The following issues were fixed: - CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values (bsc#1186111). - CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges (bnc#1186060). - CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611). - Fixed a data loss/data corruption that occurs if there is a write error on an md/raid array (bsc#1185680). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP2: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-2028=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-2067=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-livepatch-5_3_18-24_61-default-2-2.1 kernel-livepatch-5_3_18-24_61-default-debuginfo-2-2.1 kernel-livepatch-SLE15-SP2_Update_12-debugsource-2-2.1 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kgraft-patch-4_12_14-122_66-default-3-2.1 References: https://www.suse.com/security/cve/CVE-2021-23134.html https://www.suse.com/security/cve/CVE-2021-32399.html https://www.suse.com/security/cve/CVE-2021-33034.html https://bugzilla.suse.com/1185847 https://bugzilla.suse.com/1185899 https://bugzilla.suse.com/1186061 https://bugzilla.suse.com/1186285 From sle-security-updates at lists.suse.com Fri Jun 18 13:23:09 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 15:23:09 +0200 (CEST) Subject: SUSE-SU-2021:2020-1: important: Security update for the Linux Kernel (Live Patch 18 for SLE 12 SP5) Message-ID: <20210618132310.00C15FDE0@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 18 for SLE 12 SP5) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2020-1 Rating: important References: #1185847 #1185899 #1186061 #1186285 #1186498 Cross-References: CVE-2021-23134 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVSS scores: CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 
CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33200 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Live Patching 12-SP5 SUSE Linux Enterprise Live Patching 12-SP4 ______________________________________________________________________________ An update that solves four vulnerabilities and has one errata is now available. Description: This update for the Linux Kernel 4.12.14-122_71 fixes several issues. The following issues were fixed: - CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484). - CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values (bsc#1186111). - CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges (bnc#1186060). - CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611). - Fixed a data loss/data corruption that occurs if there is a write error on an md/raid array (bsc#1185680). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-2043=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-2066=1 - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2021-2020=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-197_89-default-2-2.1 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kgraft-patch-4_12_14-122_71-default-2-2.1 - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64): kgraft-patch-4_12_14-95_74-default-2-2.1 References: https://www.suse.com/security/cve/CVE-2021-23134.html https://www.suse.com/security/cve/CVE-2021-32399.html https://www.suse.com/security/cve/CVE-2021-33034.html https://www.suse.com/security/cve/CVE-2021-33200.html https://bugzilla.suse.com/1185847 https://bugzilla.suse.com/1185899 https://bugzilla.suse.com/1186061 https://bugzilla.suse.com/1186285 https://bugzilla.suse.com/1186498 From sle-security-updates at lists.suse.com Fri Jun 18 13:24:54 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 15:24:54 +0200 (CEST) Subject: SUSE-SU-2021:2026-1: important: Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) Message-ID: <20210618132454.2691CFDE0@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2026-1 Rating: important References: #1176931 #1182294 #1186235 #1186285 Cross-References: CVE-2020-0429 CVE-2021-28688 CVE-2021-33034 CVSS scores: CVE-2020-0429 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28688 (NVD) : 6.5 
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-28688 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for the Linux Kernel 4.4.180-94_144 fixes several issues. The following issues were fixed: - CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values (bsc#1186111). - CVE-2021-28688: Fixed an issue introduced by XSA-365, leaving around zombie domains after xen guest has died (bsc#1183646). - CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with system execution privileges needed. (bsc#1176724). - Fixed a regression with the last livepatch which caused a kernel warning during sysfs read (bsc#1186235). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-2026=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-2026=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_180-94_144-default-2-2.1 kgraft-patch-4_4_180-94_144-default-debuginfo-2-2.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_180-94_144-default-2-2.1 kgraft-patch-4_4_180-94_144-default-debuginfo-2-2.1 References: https://www.suse.com/security/cve/CVE-2020-0429.html https://www.suse.com/security/cve/CVE-2021-28688.html https://www.suse.com/security/cve/CVE-2021-33034.html https://bugzilla.suse.com/1176931 https://bugzilla.suse.com/1182294 https://bugzilla.suse.com/1186235 https://bugzilla.suse.com/1186285 From sle-security-updates at lists.suse.com Fri Jun 18 13:26:29 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 15:26:29 +0200 (CEST) Subject: SUSE-SU-2021:2027-1: important: Security update for the Linux Kernel (Live Patch 13 for SLE 15 SP2) Message-ID: <20210618132629.10DF9FDE0@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 13 for SLE 15 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2027-1 Rating: important References: #1185847 #1186061 #1186285 #1186498 Cross-References: CVE-2021-23134 CVE-2021-33034 CVE-2021-33200 CVSS scores: CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33200 (SUSE): 8.4 
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP2 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for the Linux Kernel 5.3.18-24_64 fixes several issues. The following issues were fixed: - CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484). - CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values (bsc#1186111). - CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges (bnc#1186060). - Fixed a data loss/data corruption that occurs if there is a write error on an md/raid array (bsc#1185680). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP2: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-2027=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-livepatch-5_3_18-24_64-default-2-2.1 kernel-livepatch-5_3_18-24_64-default-debuginfo-2-2.1 kernel-livepatch-SLE15-SP2_Update_13-debugsource-2-2.1 References: https://www.suse.com/security/cve/CVE-2021-23134.html https://www.suse.com/security/cve/CVE-2021-33034.html https://www.suse.com/security/cve/CVE-2021-33200.html https://bugzilla.suse.com/1185847 https://bugzilla.suse.com/1186061 https://bugzilla.suse.com/1186285 https://bugzilla.suse.com/1186498 From sle-security-updates at lists.suse.com Fri Jun 18 13:28:07 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 15:28:07 +0200 (CEST) Subject: SUSE-SU-2021:2016-1: moderate: Security update for libxml2 Message-ID: <20210618132807.9697EFDE0@maintenance.suse.de> SUSE Security Update: Security update for libxml2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2016-1 Rating: moderate References: #1186015 Cross-References: CVE-2021-3541 CVSS scores: CVE-2021-3541 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libxml2 fixes the following issues: - CVE-2021-3541: Fixed exponential entity expansion attack that could bypass all existing protection mechanisms (bsc#1186015). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-2016=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-2016=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libxml2-debugsource-2.9.4-46.46.1 libxml2-devel-2.9.4-46.46.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libxml2-2-2.9.4-46.46.1 libxml2-2-debuginfo-2.9.4-46.46.1 libxml2-debugsource-2.9.4-46.46.1 libxml2-tools-2.9.4-46.46.1 libxml2-tools-debuginfo-2.9.4-46.46.1 python-libxml2-2.9.4-46.46.1 python-libxml2-debuginfo-2.9.4-46.46.1 python-libxml2-debugsource-2.9.4-46.46.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libxml2-2-32bit-2.9.4-46.46.1 libxml2-2-debuginfo-32bit-2.9.4-46.46.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): libxml2-doc-2.9.4-46.46.1 References: https://www.suse.com/security/cve/CVE-2021-3541.html https://bugzilla.suse.com/1186015 From sle-security-updates at lists.suse.com Fri Jun 18 13:29:21 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 15:29:21 +0200 (CEST) Subject: SUSE-SU-2021:2057-1: important: Security update for the Linux Kernel (Live Patch 24 for SLE 15) Message-ID: <20210618132921.8B5FFFDE0@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 24 for SLE 15) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2057-1 Rating: important References: #1185899 #1186061 #1186285 #1186498 Cross-References: CVE-2021-23134 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVSS scores: CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 
CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33200 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-150_72 fixes several issues. The following security issues were fixed: - CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484). - CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values (bsc#1186111). - CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges (bnc#1186060). - CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2021-2057=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-150_72-default-2-2.1 kernel-livepatch-4_12_14-150_72-default-debuginfo-2-2.1 References: https://www.suse.com/security/cve/CVE-2021-23134.html https://www.suse.com/security/cve/CVE-2021-32399.html https://www.suse.com/security/cve/CVE-2021-33034.html https://www.suse.com/security/cve/CVE-2021-33200.html https://bugzilla.suse.com/1185899 https://bugzilla.suse.com/1186061 https://bugzilla.suse.com/1186285 https://bugzilla.suse.com/1186498 From sle-security-updates at lists.suse.com Fri Jun 18 13:31:01 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 15:31:01 +0200 (CEST) Subject: SUSE-SU-2021:2060-1: important: Security update for the Linux Kernel (Live Patch 22 for SLE 15) Message-ID: <20210618133101.50BD9FDE0@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 22 for SLE 15) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2060-1 Rating: important References: #1185899 #1186285 Cross-References: CVE-2021-32399 CVE-2021-33034 CVSS scores: CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Module for Live Patching 15 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. 
Description: This update for the Linux Kernel 4.12.14-150_66 fixes several issues. The following security issues were fixed: - CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values (bsc#1186111). - CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-2049=1 SUSE-SLE-SAP-12-SP3-2021-2053=1 SUSE-SLE-SAP-12-SP3-2021-2058=1 SUSE-SLE-SAP-12-SP3-2021-2065=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-2049=1 SUSE-SLE-SERVER-12-SP3-2021-2053=1 SUSE-SLE-SERVER-12-SP3-2021-2058=1 SUSE-SLE-SERVER-12-SP3-2021-2065=1 - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2021-2059=1 SUSE-SLE-Module-Live-Patching-15-2021-2060=1 SUSE-SLE-Module-Live-Patching-15-2021-2061=1 SUSE-SLE-Module-Live-Patching-15-2021-2062=1 SUSE-SLE-Module-Live-Patching-15-2021-2063=1 SUSE-SLE-Module-Live-Patching-15-2021-2064=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_180-94_124-default-11-2.3 kgraft-patch-4_4_180-94_124-default-debuginfo-11-2.3 kgraft-patch-4_4_180-94_127-default-11-2.2 kgraft-patch-4_4_180-94_127-default-debuginfo-11-2.2 kgraft-patch-4_4_180-94_130-default-10-2.2 kgraft-patch-4_4_180-94_130-default-debuginfo-10-2.2 kgraft-patch-4_4_180-94_135-default-8-2.2 kgraft-patch-4_4_180-94_135-default-debuginfo-8-2.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_180-94_124-default-11-2.3 kgraft-patch-4_4_180-94_124-default-debuginfo-11-2.3 kgraft-patch-4_4_180-94_127-default-11-2.2 
kgraft-patch-4_4_180-94_127-default-debuginfo-11-2.2 kgraft-patch-4_4_180-94_130-default-10-2.2 kgraft-patch-4_4_180-94_130-default-debuginfo-10-2.2 kgraft-patch-4_4_180-94_135-default-8-2.2 kgraft-patch-4_4_180-94_135-default-debuginfo-8-2.2 - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-150_52-default-11-2.2 kernel-livepatch-4_12_14-150_52-default-debuginfo-11-2.2 kernel-livepatch-4_12_14-150_55-default-11-2.2 kernel-livepatch-4_12_14-150_55-default-debuginfo-11-2.2 kernel-livepatch-4_12_14-150_58-default-10-2.2 kernel-livepatch-4_12_14-150_58-default-debuginfo-10-2.2 kernel-livepatch-4_12_14-150_63-default-8-2.2 kernel-livepatch-4_12_14-150_63-default-debuginfo-8-2.2 kernel-livepatch-4_12_14-150_66-default-6-2.2 kernel-livepatch-4_12_14-150_66-default-debuginfo-6-2.2 kernel-livepatch-4_12_14-150_69-default-5-2.2 kernel-livepatch-4_12_14-150_69-default-debuginfo-5-2.2 References: https://www.suse.com/security/cve/CVE-2021-32399.html https://www.suse.com/security/cve/CVE-2021-33034.html https://bugzilla.suse.com/1185899 https://bugzilla.suse.com/1186285 From sle-security-updates at lists.suse.com Fri Jun 18 16:17:05 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 18:17:05 +0200 (CEST) Subject: SUSE-SU-2021:2080-1: important: Security update for gupnp Message-ID: <20210618161705.A4E48FD84@maintenance.suse.de> SUSE Security Update: Security update for gupnp ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2080-1 Rating: important References: #1186590 Cross-References: CVE-2021-33516 CVSS scores: CVE-2021-33516 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2021-33516 (SUSE): 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 
______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for gupnp fixes the following issues: - CVE-2021-33516: Fixed a DNS rebinding, which could trick the browser into triggering actions against local UPnP services (bsc#1186590). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2021-2080=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-2080=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): gupnp-debugsource-0.20.18-8.3.1 libgupnp-1_0-4-0.20.18-8.3.1 libgupnp-1_0-4-debuginfo-0.20.18-8.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): gupnp-debugsource-0.20.18-8.3.1 libgupnp-1_0-4-0.20.18-8.3.1 libgupnp-1_0-4-debuginfo-0.20.18-8.3.1 libgupnp-devel-0.20.18-8.3.1 typelib-1_0-GUPnP-1_0-0.20.18-8.3.1 References: https://www.suse.com/security/cve/CVE-2021-33516.html https://bugzilla.suse.com/1186590 From sle-security-updates at lists.suse.com Fri Jun 18 19:17:43 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 21:17:43 +0200 (CEST) Subject: SUSE-SU-2021:2082-1: moderate: Security update for go1.15 Message-ID: <20210618191743.ABBA5FD84@maintenance.suse.de> SUSE Security Update: Security update for go1.15 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2082-1 Rating: moderate References: #1175132 #1185790 Cross-References: CVE-2021-31525 CVSS scores: CVE-2021-31525 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-31525 (SUSE): 6.5 
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP3 SUSE Linux Enterprise Module for Development Tools 15-SP2 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for go1.15 fixes the following issues: - Updated go to upstream version 1.15.12 (released 2021-05-06) (bsc#1175132). - CVE-2021-31525: Fixed stack overflow via net/http ReadRequest (bsc#1185790). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP3: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-2082=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-2082=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64): go1.15-1.15.12-1.30.1 go1.15-doc-1.15.12-1.30.1 - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 x86_64): go1.15-race-1.15.12-1.30.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64): go1.15-1.15.12-1.30.1 go1.15-doc-1.15.12-1.30.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64): go1.15-race-1.15.12-1.30.1 References: https://www.suse.com/security/cve/CVE-2021-31525.html https://bugzilla.suse.com/1175132 https://bugzilla.suse.com/1185790 From sle-security-updates at lists.suse.com Fri Jun 18 19:19:05 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 21:19:05 +0200 (CEST) Subject: SUSE-SU-2021:2085-1: moderate: Security update for go1.16 Message-ID: <20210618191905.D9160FD84@maintenance.suse.de> 
SUSE Security Update: Security update for go1.16 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2085-1 Rating: moderate References: #1182345 #1185790 Cross-References: CVE-2021-31525 CVSS scores: CVE-2021-31525 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-31525 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP3 SUSE Linux Enterprise Module for Development Tools 15-SP2 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for go1.16 fixes the following issues: - Updated go to upstream version 1.16.4 (released 2021-05-06) (bsc#1182345). - CVE-2021-31525: Fixed stack overflow via net/http ReadRequest (bsc#1185790). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP3: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-2085=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-2085=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64): go1.16-1.16.4-1.14.2 go1.16-doc-1.16.4-1.14.2 - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 x86_64): go1.16-race-1.16.4-1.14.2 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64): go1.16-1.16.4-1.14.2 go1.16-doc-1.16.4-1.14.2 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64): go1.16-race-1.16.4-1.14.2 References: https://www.suse.com/security/cve/CVE-2021-31525.html https://bugzilla.suse.com/1182345 https://bugzilla.suse.com/1185790 From sle-security-updates at lists.suse.com Fri Jun 18 19:20:26 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 18 Jun 2021 21:20:26 +0200 (CEST) Subject: SUSE-SU-2021:14751-1: important: Security update for libgcrypt Message-ID: <20210618192026.C0C34FD84@maintenance.suse.de> SUSE Security Update: Security update for libgcrypt ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14751-1 Rating: important References: #1187212 Cross-References: CVE-2021-33560 CVSS scores: CVE-2021-33560 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-33560 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now 
available. Description: This update for libgcrypt fixes the following issues: - CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-libgcrypt-14751=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-libgcrypt-14751=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-libgcrypt-14751=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-libgcrypt-14751=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): libgcrypt11-1.5.0-0.26.6.1 - SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64): libgcrypt11-32bit-1.5.0-0.26.6.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): libgcrypt11-1.5.0-0.26.6.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): libgcrypt-debuginfo-1.5.0-0.26.6.1 libgcrypt-debugsource-1.5.0-0.26.6.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): libgcrypt-debuginfo-1.5.0-0.26.6.1 libgcrypt-debugsource-1.5.0-0.26.6.1 References: https://www.suse.com/security/cve/CVE-2021-33560.html https://bugzilla.suse.com/1187212 From sle-security-updates at lists.suse.com Mon Jun 21 22:23:05 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 22 Jun 2021 00:23:05 +0200 (CEST) Subject: SUSE-SU-2021:2098-1: moderate: Security update for SUSE Manager Server 4.1 Message-ID: <20210621222305.290C1FD07@maintenance.suse.de> SUSE Security Update: Security update for SUSE Manager Server 4.1 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2098-1 Rating: moderate References: #1151558 #1172711 
#1175216 #1178767 #1180673 #1182744 #1183573 #1183649 #1183845 #1183864 #1184005 #1184286 #1184311 #1184332 #1184351 #1184361 #1184471 #1184475 #1184561 #1184617 #1184849 #1184892 #1184929 #1184940 #1185042 #1185097 #1185281 #1185506 #1185568 #1185965 #1186025 #1186124 #1186346 #1186508 #1186765 #1186852 #1186858 Cross-References: CVE-2021-28657 CVE-2021-31607 CVSS scores: CVE-2021-28657 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-28657 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-31607 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for SUSE Manager Server 4.1 ______________________________________________________________________________ An update that solves two vulnerabilities and has 35 fixes is now available. Description: This update fixes the following issues: cobbler: - Make `fence_ipmitool` a wrapper for `fence_ipmilan` using always `lanplus`. (bsc#1184361) - Remove unused template for `fence_ipmitool`. - Prevent some race conditions when writing tftpboot files and the destination directory does not exist. (bsc#1186124) - Fix trail stripping in case of using UTF symbols. 
(bsc#1184561) golang-github-prometheus-node_exporter: - Update to 1.1.2 * Bug fixes + Handle errors from disabled PSI subsystem + Sanitize strings from /sys/class/power_supply + Silence missing netclass errors + Fix ineffassign issue + Fix some noisy log lines + filesystem_freebsd: Fix label values + Fix various procfs parsing errors + Handle no data from powersupplyclass + udp_queues_linux.go: change upd to udp in two error strings + Fix node_scrape_collector_success behaviour + Fix NodeRAIDDegraded to not use a string rule expressions + Fix node_md_disks state label from fail to failed + Handle EPERM for syscall in timex collector + bcache: fix typo in a metric name + Fix XFS read/write stats * Changes + Improve filter flag names + Add btrfs and powersupplyclass to list of exporters enabled by default * Features + Add fibre channel collector + Expose cpu bugs and flags as info metrics + Add network_route collector + Add zoneinfo collector * Enhancements + Add more InfiniBand counters + Add flag to aggr ipvs metrics to avoid high cardinality metrics + Adding backlog/current queue length to qdisc collector + Include TCP OutRsts in netstat metrics + Add pool size to entropy collector + Remove CGO dependencies for OpenBSD amd64 + bcache: add writeback_rate_debug status + Add check state for mdadm arrays via node_md_state metric + Expose XFS inode statistics + Expose zfs zpool state + Added an ability to pass collector.supervisord.url via SUPERVISORD_URL environment variable - Do not include sources (bsc#1151558) - Remove rc symlink grafana-formula: - Fix Grafana dashboards requiring single series (bsc#1184471) patterns-suse-manager: - Add require for py27-compat-salt (salt 3002 does not provide python2-salt anymore) prometheus-exporter-formula: - Add support for schema migration (bsc#1186025) pxe-yomi-image-sle15: - Remove PermitEmptyPasswords from SSH config (Fix bsc#1182744) py26-compat-salt: - Prevent command injection in the snapper module (bsc#1185281) 
(CVE-2021-31607) spacewalk-admin: - Stop jabberd when osa-dispatcher is enabled (bsc#1185042) spacewalk-backend: - Fix binary blob corruptions in traditional config file deployment (bsc#1183864) - Fix for GPG checking on synchronizing mirrored dpkg repo (bsc#1184351) - switch to www group for satellite logs (bsc#1185097) - Fail traditional errata and package actions when they act on retracted items - Add advisory_status to reposync and ISS - Add minrate/timeout configuration values for downloading DEB/RPM packages spacewalk-branding: - Add the CSS class for retracted errata/packages spacewalk-certs-tools: - Add support of DISABLE_LOCAL_REPOS=0 for salt minions (bsc#1185568) - Add missing environment variable SALT_RUNNING for pkg module to the minion configuration - Fix typo: activaion -> activation spacewalk-java: - Change Prometheus exporters formula data schema to make it more generic and extendable - Do not require advisory_status to be set in ErrataHandler.create (bsc#1185965) - Speed up pages to compare or add packages to channels (bsc#1178767) - Bugfix: Remove the unneeded check that was stopping updating a virtual instance type (bsc#1180673) - Exclude minions from the list of locally-managed/sandbox systems when copying config files (bsc#1184940) - Lower case fqdn comparison when calculating minion connection path (bsc#1184849) - Bugfix: Retracted Patches: Filter minion correctly when executing package install (bsc#1184929) - Implement retracted patches - For a SUSE system get metadata and package from same source (bsc#1184475) - Check if the directory exists prior to modular data cleanup (bsc#1184311) - Assign right base product for res8 (bsc#1184005) - Fix docs link in my organization configuration (bsc#1184286) - Only update the kickstart path in cobbler if necessary (bsc#1175216) spacewalk-utils: - Bugfix for ubuntu-18.04 repo urls: multiverse, restricted and backports - Add multiverse, restricted and backports to Ubuntu 16.04, 18.04 and 20.04 
spacewalk-web: - Upgrade react-select to 4.3.0 and lodash to 4.17.21 - Show the info about unsynced patches in the Content Lifecycle Management screens susemanager: - Add bootstrap repo data for SUSE Manager 4.1 Proxy - Require gio-branding-SLE for SLE15 but not for openSUSE Leap 15 - Add bootstrap repo data for OES2018-SP3-x86_64 (bsc#1183845) - Enable bootstrap repository creation for openSUSE Leap 15.3 for Uyuni - Add python3-distro to RES8, SLE15, Ubuntu20.04 and Debian 10 bootstrap repositories to fix bootstrapping issues (bsc#1184332) - Add python3-pycryptodome to Ubuntu and Debian 10 bootstrap repos (bsc#1186346) - Add gnupg and its dependencies to debian 10 bootstrap repo susemanager-build-keys: - Add SUSE Linux Enterprise 15-SP3 Updates for openSUSE Leap 15.3 key (bsc#1186852) susemanager-doc-indexes: - Adds additional dependencies for Debian client registration in Client Configuration Guide (bsc#1183649) - Remove some openSUSE Leap 15.1 references - Add reposync configuration settings to Troubleshooting chapter of the Administration Guide - Update the entry about module.run for SAP Guide susemanager-docs_en: - Adds additional dependencies for Debian client registration in Client Configuration Guide (bsc#1183649) - Remove some openSUSE Leap 15.1 references - Add reposync configuration settings to Troubleshooting chapter of the Administration Guide - Update the entry about module.run for SAP Guide susemanager-schema: - DB schema & migrations for retracted patches susemanager-sls: - Exclude openSUSE Leap 15.3 from product installation (bsc#1186858) - Enable certificate deployment for Leap 15.3 clients which is needed for bootstrapping (bsc#1186765) - Do not install python2-salt on Salt 3002.2 Docker build hosts (bsc#1185506) - Add support for 'disable_local_repos' salt minion config parameter(bsc#1185568) - Fix insecure JMX configuration (bsc#1184617) - Avoid conflicts with running ioloop on mgr_events engine (bsc#1172711) - Keep salt-minion when it is 
installed to prevent update problems with dependent packages not available in the bootstrap repo (bsc#1183573) - Fix installation of gnupg on Debian 10 susemanager-sync-data: - Add OES2018 SP3 (bsc#1183845) tika-core: - New upstream version 1.26. * Infinite loop in the MP3Parser (bsc#1184892 CVE-2021-28657) * Out of memory error while loading a file in PDFBox before 2.0.23. * Infinite loop while loading a file in PDFBox before 2.0.23. * System.exit vulnerability in Tika's OneNote Parser; out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. * Excessive memory usage (DoS) vulnerability in Apache Tika's PSDParser * Infinite Loop (DoS) vulnerability in Apache Tika's PSDParser uyuni-common-libs: - Maintainer field in debian packages is only recommended (bsc#1186508) How to apply this update: 1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk service: `spacewalk-service stop` 3. Apply the patch using either zypper patch or YaST Online Update. 4. Start the Spacewalk service: `spacewalk-service start` Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SUSE Manager Server 4.1: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-2098=1 Package List: - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x x86_64): golang-github-prometheus-node_exporter-1.1.2-3.6.5 patterns-suma_retail-4.1-6.9.2 patterns-suma_server-4.1-6.9.2 python3-uyuni-common-libs-4.1.8-3.9.1 spacewalk-branding-4.1.12-3.12.2 susemanager-4.1.26-3.25.1 susemanager-tools-4.1.26-3.25.1 - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch): cobbler-3.0.0+git20190806.32c4bae0-5.11.1 grafana-formula-0.4.1-3.9.2 prometheus-exporters-formula-0.9.1-3.22.1 py26-compat-salt-2016.11.10-6.14.2 py27-compat-salt-3000.3-6.3.2 python3-spacewalk-certs-tools-4.1.17-3.17.2 spacewalk-admin-4.1.9-3.12.2 spacewalk-backend-4.1.25-4.32.6 spacewalk-backend-app-4.1.25-4.32.6 spacewalk-backend-applet-4.1.25-4.32.6 spacewalk-backend-config-files-4.1.25-4.32.6 spacewalk-backend-config-files-common-4.1.25-4.32.6 spacewalk-backend-config-files-tool-4.1.25-4.32.6 spacewalk-backend-iss-4.1.25-4.32.6 spacewalk-backend-iss-export-4.1.25-4.32.6 spacewalk-backend-package-push-server-4.1.25-4.32.6 spacewalk-backend-server-4.1.25-4.32.6 spacewalk-backend-sql-4.1.25-4.32.6 spacewalk-backend-sql-postgresql-4.1.25-4.32.6 spacewalk-backend-tools-4.1.25-4.32.6 spacewalk-backend-xml-export-libs-4.1.25-4.32.6 spacewalk-backend-xmlrpc-4.1.25-4.32.6 spacewalk-base-4.1.26-3.24.8 spacewalk-base-minimal-4.1.26-3.24.8 spacewalk-base-minimal-config-4.1.26-3.24.8 spacewalk-certs-tools-4.1.17-3.17.2 spacewalk-html-4.1.26-3.24.8 spacewalk-java-4.1.36-3.44.1 spacewalk-java-config-4.1.36-3.44.1 spacewalk-java-lib-4.1.36-3.44.1 spacewalk-java-postgresql-4.1.36-3.44.1 spacewalk-taskomatic-4.1.36-3.44.1 spacewalk-utils-4.1.16-3.18.2 spacewalk-utils-extras-4.1.16-3.18.2 susemanager-build-keys-15.2.4-3.17.1 susemanager-build-keys-web-15.2.4-3.17.1 
susemanager-doc-indexes-4.1-11.34.8 susemanager-docs_en-4.1-11.34.2 susemanager-docs_en-pdf-4.1-11.34.2 susemanager-schema-4.1.21-3.30.6 susemanager-sls-4.1.28-3.42.1 susemanager-sync-data-4.1.14-3.23.2 susemanager-web-libs-4.1.26-3.24.8 tika-core-1.26-3.5.2 uyuni-config-modules-4.1.28-3.42.1 References: https://www.suse.com/security/cve/CVE-2021-28657.html https://www.suse.com/security/cve/CVE-2021-31607.html https://bugzilla.suse.com/1151558 https://bugzilla.suse.com/1172711 https://bugzilla.suse.com/1175216 https://bugzilla.suse.com/1178767 https://bugzilla.suse.com/1180673 https://bugzilla.suse.com/1182744 https://bugzilla.suse.com/1183573 https://bugzilla.suse.com/1183649 https://bugzilla.suse.com/1183845 https://bugzilla.suse.com/1183864 https://bugzilla.suse.com/1184005 https://bugzilla.suse.com/1184286 https://bugzilla.suse.com/1184311 https://bugzilla.suse.com/1184332 https://bugzilla.suse.com/1184351 https://bugzilla.suse.com/1184361 https://bugzilla.suse.com/1184471 https://bugzilla.suse.com/1184475 https://bugzilla.suse.com/1184561 https://bugzilla.suse.com/1184617 https://bugzilla.suse.com/1184849 https://bugzilla.suse.com/1184892 https://bugzilla.suse.com/1184929 https://bugzilla.suse.com/1184940 https://bugzilla.suse.com/1185042 https://bugzilla.suse.com/1185097 https://bugzilla.suse.com/1185281 https://bugzilla.suse.com/1185506 https://bugzilla.suse.com/1185568 https://bugzilla.suse.com/1185965 https://bugzilla.suse.com/1186025 https://bugzilla.suse.com/1186124 https://bugzilla.suse.com/1186346 https://bugzilla.suse.com/1186508 https://bugzilla.suse.com/1186765 https://bugzilla.suse.com/1186852 https://bugzilla.suse.com/1186858 From sle-security-updates at lists.suse.com Mon Jun 21 22:38:09 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 22 Jun 2021 00:38:09 +0200 (CEST) Subject: SUSE-SU-2021:2104-1: critical: Security update for Salt Message-ID: <20210621223809.D5F46FD07@maintenance.suse.de> 
SUSE Security Update: Security update for Salt ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2104-1 Rating: critical References: #1171257 #1176293 #1179831 #1181368 #1182281 #1182293 #1182382 #1185092 #1185281 #1186674 ECO-3212 SLE-18028 SLE-18033 Cross-References: CVE-2021-25315 CVE-2021-31607 CVSS scores: CVE-2021-25315 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-25315 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that solves two vulnerabilities, contains three features and has 8 fixes is now available. Description: This update fixes the following issues: salt: Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028) - Check if dpkgnotify is executable (bsc#1186674) - Drop support for Python2. Obsoletes `python2-salt` package (jsc#SLE-18028) - Virt module updates * network: handle missing ipv4 netmask attribute * more network support * PCI/USB host devices passthrough support - Set distro requirement to oldest supported version in requirements/base.txt - Bring missing part of async batch implementation back (bsc#1182382, CVE-2021-25315) - Always require python3-distro (bsc#1182293) - Remove deprecated warning that breaks minion execution when "server_id_use_crc" opts is missing - Fix pkg states when DEB package has "all" arch - Do not force beacons configuration to be a list. 
- Remove msgpack < 1.0.0 from base requirements (bsc#1176293) - Msgpack support for version >= 1.0.0 (bsc#1171257) - Fix issue parsing errors in ansiblegate state module - Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607) - Transactional_update: detect recursion in the executor - Add subpackage salt-transactional-update (jsc#SLE-18033) - Remove duplicate directories from specfile - Improvements on "ansiblegate" module (bsc#1185092): * New methods: ansible.targets / ansible.discover_playbooks - Add support for Alibaba Cloud Linux 2 (Aliyun Linux) - Regression fix of salt-ssh on processing targets - Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281) - Add notify beacon for Debian/Ubuntu systems - Fix zmq bug that causes salt-call to freeze (bsc#1181368) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-2104=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-2104=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2104=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2104=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): python3-salt-3002.2-8.41.8.1 salt-3002.2-8.41.8.1 salt-api-3002.2-8.41.8.1 salt-cloud-3002.2-8.41.8.1 salt-doc-3002.2-8.41.8.1 salt-master-3002.2-8.41.8.1 salt-minion-3002.2-8.41.8.1 salt-proxy-3002.2-8.41.8.1 salt-ssh-3002.2-8.41.8.1 salt-standalone-formulas-configuration-3002.2-8.41.8.1 salt-syndic-3002.2-8.41.8.1 salt-transactional-update-3002.2-8.41.8.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): 
salt-bash-completion-3002.2-8.41.8.1 salt-fish-completion-3002.2-8.41.8.1 salt-zsh-completion-3002.2-8.41.8.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): python3-salt-3002.2-8.41.8.1 salt-3002.2-8.41.8.1 salt-api-3002.2-8.41.8.1 salt-cloud-3002.2-8.41.8.1 salt-doc-3002.2-8.41.8.1 salt-master-3002.2-8.41.8.1 salt-minion-3002.2-8.41.8.1 salt-proxy-3002.2-8.41.8.1 salt-ssh-3002.2-8.41.8.1 salt-standalone-formulas-configuration-3002.2-8.41.8.1 salt-syndic-3002.2-8.41.8.1 salt-transactional-update-3002.2-8.41.8.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): salt-bash-completion-3002.2-8.41.8.1 salt-fish-completion-3002.2-8.41.8.1 salt-zsh-completion-3002.2-8.41.8.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): python3-salt-3002.2-8.41.8.1 salt-3002.2-8.41.8.1 salt-api-3002.2-8.41.8.1 salt-cloud-3002.2-8.41.8.1 salt-doc-3002.2-8.41.8.1 salt-master-3002.2-8.41.8.1 salt-minion-3002.2-8.41.8.1 salt-proxy-3002.2-8.41.8.1 salt-ssh-3002.2-8.41.8.1 salt-standalone-formulas-configuration-3002.2-8.41.8.1 salt-syndic-3002.2-8.41.8.1 salt-transactional-update-3002.2-8.41.8.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): salt-bash-completion-3002.2-8.41.8.1 salt-fish-completion-3002.2-8.41.8.1 salt-zsh-completion-3002.2-8.41.8.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): python3-salt-3002.2-8.41.8.1 salt-3002.2-8.41.8.1 salt-api-3002.2-8.41.8.1 salt-cloud-3002.2-8.41.8.1 salt-doc-3002.2-8.41.8.1 salt-master-3002.2-8.41.8.1 salt-minion-3002.2-8.41.8.1 salt-proxy-3002.2-8.41.8.1 salt-ssh-3002.2-8.41.8.1 salt-standalone-formulas-configuration-3002.2-8.41.8.1 salt-syndic-3002.2-8.41.8.1 salt-transactional-update-3002.2-8.41.8.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): salt-bash-completion-3002.2-8.41.8.1 salt-fish-completion-3002.2-8.41.8.1 salt-zsh-completion-3002.2-8.41.8.1 References: https://www.suse.com/security/cve/CVE-2021-25315.html 
https://www.suse.com/security/cve/CVE-2021-31607.html https://bugzilla.suse.com/1171257 https://bugzilla.suse.com/1176293 https://bugzilla.suse.com/1179831 https://bugzilla.suse.com/1181368 https://bugzilla.suse.com/1182281 https://bugzilla.suse.com/1182293 https://bugzilla.suse.com/1182382 https://bugzilla.suse.com/1185092 https://bugzilla.suse.com/1185281 https://bugzilla.suse.com/1186674 From sle-security-updates at lists.suse.com Mon Jun 21 22:40:27 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 22 Jun 2021 00:40:27 +0200 (CEST) Subject: SUSE-SU-2021:2111-1: moderate: Security update for SUSE Manager Client Tools Message-ID: <20210621224027.3AD50FDE0@maintenance.suse.de> SUSE Security Update: Security update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2111-1 Rating: moderate References: #1171257 #1173557 #1176293 #1179831 #1180583 #1180584 #1180585 #1181368 #1182281 #1182293 #1182382 #1185092 #1185281 #1186674 ECO-3212 SLE-18028 SLE-18033 Cross-References: CVE-2021-25315 CVE-2021-31607 CVSS scores: CVE-2021-25315 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-25315 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Manager Debian 10-CLIENT-TOOLS ______________________________________________________________________________ An update that solves two vulnerabilities, contains three features and has 12 fixes is now available. Description: This update fixes the following issues: salt: - Check if dpkgnotify is executable (bsc#1186674) - Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028) - Drop support for Python2. 
Obsoletes `python2-salt` package (jsc#SLE-18028) - Virt module updates * network: handle missing ipv4 netmask attribute * more network support * PCI/USB host devices passthrough support - Set distro requirement to oldest supported version in requirements/base.txt - Bring missing part of async batch implementation back (bsc#1182382, CVE-2021-25315) - Always require python3-distro (bsc#1182293) - Remove deprecated warning that breaks minion execution when "server_id_use_crc" opts is missing - Fix pkg states when DEB package has "all" arch - Do not force beacons configuration to be a list. - Remove msgpack < 1.0.0 from base requirements (bsc#1176293) - Msgpack support for version >= 1.0.0 (bsc#1171257) - Fix issue parsing errors in ansiblegate state module - Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607) - Transactional_update: detect recursion in the executor - Add subpackage salt-transactional-update (jsc#SLE-18033) - Remove duplicate directories from specfile - Improvements on "ansiblegate" module (bsc#1185092): * New methods: ansible.targets / ansible.discover_playbooks - Add support for Alibaba Cloud Linux 2 (Aliyun Linux) - Regression fix of salt-ssh on processing targets - Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281) - Add notify beacon for Debian/Ubuntu systems - Fix zmq bug that causes salt-call to freeze (bsc#1181368) spacecmd: - Rename system migration to system transfer - Rename SP to product migration - Update translation strings - Add group_addconfigchannel and group_removeconfigchannel - Add group_listconfigchannels and configchannel_listgroups - Fix spacecmd compat with Python 3 - Deprecated "Software Crashes" feature - Document advanced package search on '--help' (bsc#1180583) - Fixed advanced search on 'package_listinstalledsystems' - Fixed duplicate results when using multiple search criteria (bsc#1180585) - Fixed "non-advanced" package search when 
using multiple package names (bsc#1180584) - Update translations - Fix: make spacecmd build on Debian - Add Service Pack migration operations (bsc#1173557) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Debian 10-CLIENT-TOOLS: zypper in -t patch SUSE-Debian-10-CLIENT-TOOLS-x86_64-2021-2111=1 Package List: - SUSE Manager Debian 10-CLIENT-TOOLS (all): salt-common-3002.2+ds-1+2.27.1 salt-minion-3002.2+ds-1+2.27.1 scap-security-guide-debian-0.1.55git20210323-2.3.1 spacecmd-4.2.8-2.9.1 References: https://www.suse.com/security/cve/CVE-2021-25315.html https://www.suse.com/security/cve/CVE-2021-31607.html https://bugzilla.suse.com/1171257 https://bugzilla.suse.com/1173557 https://bugzilla.suse.com/1176293 https://bugzilla.suse.com/1179831 https://bugzilla.suse.com/1180583 https://bugzilla.suse.com/1180584 https://bugzilla.suse.com/1180585 https://bugzilla.suse.com/1181368 https://bugzilla.suse.com/1182281 https://bugzilla.suse.com/1182293 https://bugzilla.suse.com/1182382 https://bugzilla.suse.com/1185092 https://bugzilla.suse.com/1185281 https://bugzilla.suse.com/1186674 From sle-security-updates at lists.suse.com Mon Jun 21 22:43:14 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 22 Jun 2021 00:43:14 +0200 (CEST) Subject: SUSE-SU-2021:2105-1: critical: Security update for salt Message-ID: <20210621224314.7CEFEFD07@maintenance.suse.de> SUSE Security Update: Security update for salt ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2105-1 Rating: critical References: #1171257 #1176293 #1179831 #1181368 #1182281 #1182293 #1182382 #1185092 #1185281 #1186674 ECO-3212 SLE-18028 SLE-18033 Cross-References: CVE-2018-15750 CVE-2018-15751 CVE-2020-11651 CVE-2020-11652 CVE-2020-25592 
CVE-2021-25315 CVE-2021-31607 CVSS scores: CVE-2018-15750 (NVD) : 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2018-15750 (SUSE): 8.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N CVE-2018-15751 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-15751 (SUSE): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-11651 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-11651 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-11652 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-11652 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-25592 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-25592 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-25315 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-25315 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that solves 7 vulnerabilities, contains three features and has three fixes is now available. Description: This update for salt fixes the following issues: Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028) - Check if dpkgnotify is executable (bsc#1186674) - Drop support for Python2. 
Obsoletes `python2-salt` package (jsc#SLE-18028) - virt module updates * network: handle missing ipv4 netmask attribute * more network support * PCI/USB host devices passthrough support - Set distro requirement to oldest supported version in requirements/base.txt - Bring missing part of async batch implementation back (bsc#1182382, CVE-2021-25315) - Always require python3-distro (bsc#1182293) - Remove deprecated warning that breaks minion execution when "server_id_use_crc" opts is missing - Fix pkg states when DEB package has "all" arch - Do not force beacons configuration to be a list. - Remove msgpack < 1.0.0 from base requirements (bsc#1176293) - msgpack support for version >= 1.0.0 (bsc#1171257) - Fix issue parsing errors in ansiblegate state module - Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607) - transactional_update: detect recursion in the executor - Add subpackage salt-transactional-update (jsc#SLE-18033) - Remove duplicate directories from specfile - Improvements on "ansiblegate" module (bsc#1185092): * New methods: ansible.targets / ansible.discover_playbooks - Add support for Alibaba Cloud Linux 2 (Aliyun Linux) - Regression fix of salt-ssh on processing targets - Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281) - Add notify beacon for Debian/Ubuntu systems - Fix zmq bug that causes salt-call to freeze (bsc#1181368) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-2105=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-2105=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-2105=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-2105=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-2105=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-2105=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-2105=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-2105=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-2105=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): python3-salt-3002.2-37.1 salt-3002.2-37.1 salt-api-3002.2-37.1 salt-cloud-3002.2-37.1 salt-doc-3002.2-37.1 salt-master-3002.2-37.1 salt-minion-3002.2-37.1 salt-proxy-3002.2-37.1 salt-ssh-3002.2-37.1 salt-standalone-formulas-configuration-3002.2-37.1 salt-syndic-3002.2-37.1 salt-transactional-update-3002.2-37.1 - SUSE Manager Server 4.0 (noarch): salt-bash-completion-3002.2-37.1 salt-fish-completion-3002.2-37.1 salt-zsh-completion-3002.2-37.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): python3-salt-3002.2-37.1 salt-3002.2-37.1 salt-api-3002.2-37.1 salt-cloud-3002.2-37.1 salt-doc-3002.2-37.1 salt-master-3002.2-37.1 salt-minion-3002.2-37.1 salt-proxy-3002.2-37.1 salt-ssh-3002.2-37.1 salt-standalone-formulas-configuration-3002.2-37.1 salt-syndic-3002.2-37.1 salt-transactional-update-3002.2-37.1 - SUSE Manager Retail Branch Server 4.0 (noarch): salt-bash-completion-3002.2-37.1 salt-fish-completion-3002.2-37.1 salt-zsh-completion-3002.2-37.1 - SUSE Manager Proxy 4.0 (noarch): salt-bash-completion-3002.2-37.1 salt-fish-completion-3002.2-37.1 salt-zsh-completion-3002.2-37.1 - SUSE Manager Proxy 4.0 (x86_64): python3-salt-3002.2-37.1 salt-3002.2-37.1 salt-api-3002.2-37.1 salt-cloud-3002.2-37.1 salt-doc-3002.2-37.1 salt-master-3002.2-37.1 salt-minion-3002.2-37.1 salt-proxy-3002.2-37.1 salt-ssh-3002.2-37.1 salt-standalone-formulas-configuration-3002.2-37.1 salt-syndic-3002.2-37.1 salt-transactional-update-3002.2-37.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): python3-salt-3002.2-37.1 salt-3002.2-37.1 salt-api-3002.2-37.1 salt-cloud-3002.2-37.1 salt-doc-3002.2-37.1 salt-master-3002.2-37.1 salt-minion-3002.2-37.1 salt-proxy-3002.2-37.1 salt-ssh-3002.2-37.1 salt-standalone-formulas-configuration-3002.2-37.1 salt-syndic-3002.2-37.1 salt-transactional-update-3002.2-37.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): salt-bash-completion-3002.2-37.1 salt-fish-completion-3002.2-37.1 
salt-zsh-completion-3002.2-37.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): python3-salt-3002.2-37.1 salt-3002.2-37.1 salt-api-3002.2-37.1 salt-cloud-3002.2-37.1 salt-doc-3002.2-37.1 salt-master-3002.2-37.1 salt-minion-3002.2-37.1 salt-proxy-3002.2-37.1 salt-ssh-3002.2-37.1 salt-standalone-formulas-configuration-3002.2-37.1 salt-syndic-3002.2-37.1 salt-transactional-update-3002.2-37.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): salt-bash-completion-3002.2-37.1 salt-fish-completion-3002.2-37.1 salt-zsh-completion-3002.2-37.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): salt-bash-completion-3002.2-37.1 salt-fish-completion-3002.2-37.1 salt-zsh-completion-3002.2-37.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): python3-salt-3002.2-37.1 salt-3002.2-37.1 salt-api-3002.2-37.1 salt-cloud-3002.2-37.1 salt-doc-3002.2-37.1 salt-master-3002.2-37.1 salt-minion-3002.2-37.1 salt-proxy-3002.2-37.1 salt-ssh-3002.2-37.1 salt-standalone-formulas-configuration-3002.2-37.1 salt-syndic-3002.2-37.1 salt-transactional-update-3002.2-37.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): python3-salt-3002.2-37.1 salt-3002.2-37.1 salt-api-3002.2-37.1 salt-cloud-3002.2-37.1 salt-doc-3002.2-37.1 salt-master-3002.2-37.1 salt-minion-3002.2-37.1 salt-proxy-3002.2-37.1 salt-ssh-3002.2-37.1 salt-standalone-formulas-configuration-3002.2-37.1 salt-syndic-3002.2-37.1 salt-transactional-update-3002.2-37.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): salt-bash-completion-3002.2-37.1 salt-fish-completion-3002.2-37.1 salt-zsh-completion-3002.2-37.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): python3-salt-3002.2-37.1 salt-3002.2-37.1 salt-api-3002.2-37.1 salt-cloud-3002.2-37.1 salt-doc-3002.2-37.1 salt-master-3002.2-37.1 salt-minion-3002.2-37.1 salt-proxy-3002.2-37.1 salt-ssh-3002.2-37.1 salt-standalone-formulas-configuration-3002.2-37.1 
salt-syndic-3002.2-37.1 salt-transactional-update-3002.2-37.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): salt-bash-completion-3002.2-37.1 salt-fish-completion-3002.2-37.1 salt-zsh-completion-3002.2-37.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): python3-salt-3002.2-37.1 salt-3002.2-37.1 salt-api-3002.2-37.1 salt-cloud-3002.2-37.1 salt-doc-3002.2-37.1 salt-master-3002.2-37.1 salt-minion-3002.2-37.1 salt-proxy-3002.2-37.1 salt-ssh-3002.2-37.1 salt-standalone-formulas-configuration-3002.2-37.1 salt-syndic-3002.2-37.1 salt-transactional-update-3002.2-37.1 - SUSE Enterprise Storage 6 (noarch): salt-bash-completion-3002.2-37.1 salt-fish-completion-3002.2-37.1 salt-zsh-completion-3002.2-37.1 - SUSE CaaS Platform 4.0 (noarch): salt-bash-completion-3002.2-37.1 salt-fish-completion-3002.2-37.1 salt-zsh-completion-3002.2-37.1 - SUSE CaaS Platform 4.0 (x86_64): python3-salt-3002.2-37.1 salt-3002.2-37.1 salt-api-3002.2-37.1 salt-cloud-3002.2-37.1 salt-doc-3002.2-37.1 salt-master-3002.2-37.1 salt-minion-3002.2-37.1 salt-proxy-3002.2-37.1 salt-ssh-3002.2-37.1 salt-standalone-formulas-configuration-3002.2-37.1 salt-syndic-3002.2-37.1 salt-transactional-update-3002.2-37.1 References: https://www.suse.com/security/cve/CVE-2018-15750.html https://www.suse.com/security/cve/CVE-2018-15751.html https://www.suse.com/security/cve/CVE-2020-11651.html https://www.suse.com/security/cve/CVE-2020-11652.html https://www.suse.com/security/cve/CVE-2020-25592.html https://www.suse.com/security/cve/CVE-2021-25315.html https://www.suse.com/security/cve/CVE-2021-31607.html https://bugzilla.suse.com/1171257 https://bugzilla.suse.com/1176293 https://bugzilla.suse.com/1179831 https://bugzilla.suse.com/1181368 https://bugzilla.suse.com/1182281 https://bugzilla.suse.com/1182293 https://bugzilla.suse.com/1182382 https://bugzilla.suse.com/1185092 https://bugzilla.suse.com/1185281 https://bugzilla.suse.com/1186674 From sle-security-updates at lists.suse.com Mon Jun 21 
22:45:22 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 22 Jun 2021 00:45:22 +0200 (CEST) Subject: SUSE-SU-2021:2102-1: important: Security update for Salt Message-ID: <20210621224522.98556FD07@maintenance.suse.de> SUSE Security Update: Security update for Salt ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2102-1 Rating: important References: #1173692 #1179831 #1181368 #1182281 #1185092 #1185281 Cross-References: CVE-2021-31607 CVSS scores: CVE-2021-31607 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Manager Tools 12 SUSE Linux Enterprise Module for Advanced Systems Management 12 ______________________________________________________________________________ An update that solves one vulnerability and has 5 fixes is now available. Description: This update fixes the following issues: salt: - Parsing Epoch out of version provided during pkg remove (bsc#1173692) - Fix issue parsing errors in ansiblegate state module - Prevent command injection in the snapper module (bsc#1185281) (CVE-2021-31607) - Transactional_update: detect recursion in the executor - Add subpackage salt-transactional-update - Remove duplicate directories from specfile - Improvements on "ansiblegate" module (bsc#1185092): * New methods: ansible.targets / ansible.discover_playbooks * General bugfixes - Add support for Alibaba Cloud Linux 2 (Aliyun Linux) - Regression fix of salt-ssh on processing targets - Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281) - Add notify beacon for Debian/Ubuntu systems - Fix zmq bug that causes salt-call to freeze (bsc#1181368) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Tools 12: zypper in -t patch SUSE-SLE-Manager-Tools-12-2021-2102=1 - SUSE Linux Enterprise Module for Advanced Systems Management 12: zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2021-2102=1 Package List: - SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64): python2-salt-3000-46.142.2 python3-salt-3000-46.142.2 salt-3000-46.142.2 salt-doc-3000-46.142.2 salt-minion-3000-46.142.2 - SUSE Linux Enterprise Module for Advanced Systems Management 12 (ppc64le s390x x86_64): python2-salt-3000-46.142.2 salt-3000-46.142.2 salt-api-3000-46.142.2 salt-cloud-3000-46.142.2 salt-doc-3000-46.142.2 salt-master-3000-46.142.2 salt-minion-3000-46.142.2 salt-proxy-3000-46.142.2 salt-ssh-3000-46.142.2 salt-standalone-formulas-configuration-3000-46.142.2 salt-syndic-3000-46.142.2 - SUSE Linux Enterprise Module for Advanced Systems Management 12 (noarch): salt-bash-completion-3000-46.142.2 salt-zsh-completion-3000-46.142.2 References: https://www.suse.com/security/cve/CVE-2021-31607.html https://bugzilla.suse.com/1173692 https://bugzilla.suse.com/1179831 https://bugzilla.suse.com/1181368 https://bugzilla.suse.com/1182281 https://bugzilla.suse.com/1185092 https://bugzilla.suse.com/1185281 From sle-security-updates at lists.suse.com Mon Jun 21 22:48:02 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 22 Jun 2021 00:48:02 +0200 (CEST) Subject: SUSE-SU-2021:2110-1: moderate: Security update for SUSE Manager Client Tools Message-ID: <20210621224802.7BC9AFD07@maintenance.suse.de> SUSE Security Update: Security update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2110-1 Rating: moderate References: #1173557 #1179831 #1180583 #1180584 #1180585 #1181368 #1182281 #1185092 #1185281 Cross-References: CVE-2021-31607 CVSS scores: CVE-2021-31607 (NVD) : 7.8 
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Manager Debian 9.0-CLIENT-TOOLS ______________________________________________________________________________ An update that solves one vulnerability and has 8 fixes is now available. Description: This update fixes the following issues: salt: - Fix issue parsing errors in ansiblegate state module - Prevent command injection in the snapper module (bsc#1185281) (CVE-2021-31607) - Transactional_update: detect recursion in the executor - Add subpackage salt-transactional-update - Remove duplicate directories from specfile - Improvements on "ansiblegate" module (bsc#1185092): * New methods: ansible.targets / ansible.discover_playbooks - Add support for Alibaba Cloud Linux 2 (Aliyun Linux) - Regression fix of salt-ssh on processing targets - Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281) - Add notify beacon for Debian/Ubuntu systems - Fix zmq bug that causes salt-call to freeze (bsc#1181368) spacecmd: - Rename system migration to system transfer - Rename SP to product migration - Update translation strings - Add group_addconfigchannel and group_removeconfigchannel - Add group_listconfigchannels and configchannel_listgroups - Fix spacecmd compat with Python 3 - Deprecated "Software Crashes" feature - Document advanced package search on '--help' (bsc#1180583) - Fixed advanced search on 'package_listinstalledsystems' - Fixed duplicate results when using multiple search criteria (bsc#1180585) - Fixed "non-advanced" package search when using multiple package names (bsc#1180584) - Update translations - Fix: make spacecmd build on Debian - Add Service Pack migration operations (bsc#1173557) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Debian 9.0-CLIENT-TOOLS: zypper in -t patch SUSE-Debian-9.0-CLIENT-TOOLS-x86_64-2021-2110=1 Package List: - SUSE Manager Debian 9.0-CLIENT-TOOLS (all): salt-common-3000+ds-1+2.23.1 salt-minion-3000+ds-1+2.23.1 scap-security-guide-debian-0.1.55git20210323-2.3.1 spacecmd-4.2.8-2.10.1 References: https://www.suse.com/security/cve/CVE-2021-31607.html https://bugzilla.suse.com/1173557 https://bugzilla.suse.com/1179831 https://bugzilla.suse.com/1180583 https://bugzilla.suse.com/1180584 https://bugzilla.suse.com/1180585 https://bugzilla.suse.com/1181368 https://bugzilla.suse.com/1182281 https://bugzilla.suse.com/1185092 https://bugzilla.suse.com/1185281 From sle-security-updates at lists.suse.com Mon Jun 21 22:50:05 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 22 Jun 2021 00:50:05 +0200 (CEST) Subject: SUSE-SU-2021:14753-1: important: Security update for SUSE Manager Client Tools Message-ID: <20210621225005.C08E6FD07@maintenance.suse.de> SUSE Security Update: Security update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14753-1 Rating: important References: #1173557 #1177884 #1177928 #1180583 #1180584 #1180585 #1185178 #1185281 Cross-References: CVE-2021-31607 CVSS scores: CVE-2021-31607 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS ______________________________________________________________________________ An update that solves one vulnerability and has 7 fixes is now available. 
Description: This update fixes the following issues: golang-github-wrouesnel-postgres_exporter: - Add support for aarch64 mgr-cfg: - SPEC: Updated Python definitions for RHEL8 and quoted text comparisons. mgr-custom-info: - Update package version to 4.2.0 mgr-daemon: - Update translation strings - Update the translations from weblate - Added quotes around %{_vendor} token for the if statements in spec file. - Fix removal of mgr-daemon with selinux enabled (bsc#1177928) - Updating translations from weblate mgr-osad: - Change the log file permissions as expected by logrotate (bsc#1177884) - Change deprecated path /var/run into /run for systemd (bsc#1185178) - Python fixes - Removal of RHEL5 mgr-push: - Defined __python for python2. - Excluded RHEL8 for Python 2 build. mgr-virtualization: - Update package version to 4.2.0 rhnlib: - Update package version to 4.2.0 salt: - Prevent command injection in the snapper module (bsc#1185281) (CVE-2021-31607) spacecmd: - Rename system migration to system transfer - Rename SP to product migration - Update translation strings - Add group_addconfigchannel and group_removeconfigchannel - Add group_listconfigchannels and configchannel_listgroups - Fix spacecmd compat with Python 3 - Deprecated "Software Crashes" feature - Document advanced package search on '--help' (bsc#1180583) - Fixed advanced search on 'package_listinstalledsystems' - Fixed duplicate results when using multiple search criteria (bsc#1180585) - Fixed "non-advanced" package search when using multiple package names (bsc#1180584) - Update translations - Fix: make spacecmd build on Debian - Add Service Pack migration operations (bsc#1173557) spacewalk-client-tools: - Update the translations from weblate - Drop the --noSSLServerURL option - Updated RHEL Python requirements. - Added quotes around %{_vendor}. 
spacewalk-koan: - Fix for spacewalk-koan test spacewalk-oscap: - Update package version to 4.2.0 spacewalk-remote-utils: - Update package version to 4.2.0 supportutils-plugin-susemanager-client: - Update package version to 4.2.0 suseRegisterInfo: - Add support for Amazon Linux 2 - Add support for Alibaba Cloud Linux 2 - Adapted for RHEL build. uyuni-base: - Added Apache as prerequisite for RHEL and Fedora (due to required users). - Removed RHEL specific folder rights from SPEC file. - Added RHEL8 compatibility. uyuni-common-libs: - Cleaning up unused Python 2 build leftovers. - Disabled debug package build. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS: zypper in -t patch slesctsp4-client-tools-202105-14753=1 - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS: zypper in -t patch slesctsp3-client-tools-202105-14753=1 Package List: - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (i586 ia64 ppc64 s390x x86_64): mgr-cfg-4.2.2-5.15.2 mgr-cfg-actions-4.2.2-5.15.2 mgr-cfg-client-4.2.2-5.15.2 mgr-cfg-management-4.2.2-5.15.2 mgr-custom-info-4.2.1-5.9.2 mgr-daemon-4.2.7-5.26.1 mgr-osad-4.2.5-5.27.2 mgr-push-4.2.2-5.9.2 mgr-virtualization-host-4.2.1-5.17.3 python2-mgr-cfg-4.2.2-5.15.2 python2-mgr-cfg-actions-4.2.2-5.15.2 python2-mgr-cfg-client-4.2.2-5.15.2 python2-mgr-cfg-management-4.2.2-5.15.2 python2-mgr-osa-common-4.2.5-5.27.2 python2-mgr-osad-4.2.5-5.27.2 python2-mgr-push-4.2.2-5.9.2 python2-mgr-virtualization-common-4.2.1-5.17.3 python2-mgr-virtualization-host-4.2.1-5.17.3 python2-rhnlib-4.2.3-12.31.1 python2-spacewalk-check-4.2.10-27.50.1 python2-spacewalk-client-setup-4.2.10-27.50.1 python2-spacewalk-client-tools-4.2.10-27.50.1 python2-spacewalk-koan-4.2.3-9.21.1 python2-spacewalk-oscap-4.2.1-6.15.3 python2-suseRegisterInfo-4.2.3-6.15.1 
python2-uyuni-common-libs-4.2.3-5.12.1 salt-2016.11.10-43.75.1 salt-doc-2016.11.10-43.75.1 salt-minion-2016.11.10-43.75.1 spacecmd-4.2.8-18.84.1 spacewalk-check-4.2.10-27.50.1 spacewalk-client-setup-4.2.10-27.50.1 spacewalk-client-tools-4.2.10-27.50.1 spacewalk-koan-4.2.3-9.21.1 spacewalk-oscap-4.2.1-6.15.3 suseRegisterInfo-4.2.3-6.15.1 - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (i586 x86_64): golang-github-wrouesnel-postgres_exporter-0.4.7-5.12.1 - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (noarch): spacewalk-remote-utils-4.2.1-6.18.2 supportutils-plugin-susemanager-client-4.2.2-9.21.1 - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (i586 ia64 ppc64 s390x x86_64): mgr-cfg-4.2.2-5.15.2 mgr-cfg-actions-4.2.2-5.15.2 mgr-cfg-client-4.2.2-5.15.2 mgr-cfg-management-4.2.2-5.15.2 mgr-custom-info-4.2.1-5.9.2 mgr-daemon-4.2.7-5.26.1 mgr-osad-4.2.5-5.27.2 mgr-push-4.2.2-5.9.2 mgr-virtualization-host-4.2.1-5.17.3 python2-mgr-cfg-4.2.2-5.15.2 python2-mgr-cfg-actions-4.2.2-5.15.2 python2-mgr-cfg-client-4.2.2-5.15.2 python2-mgr-cfg-management-4.2.2-5.15.2 python2-mgr-osa-common-4.2.5-5.27.2 python2-mgr-osad-4.2.5-5.27.2 python2-mgr-push-4.2.2-5.9.2 python2-mgr-virtualization-common-4.2.1-5.17.3 python2-mgr-virtualization-host-4.2.1-5.17.3 python2-rhnlib-4.2.3-12.31.1 python2-spacewalk-check-4.2.10-27.50.1 python2-spacewalk-client-setup-4.2.10-27.50.1 python2-spacewalk-client-tools-4.2.10-27.50.1 python2-spacewalk-koan-4.2.3-9.21.1 python2-spacewalk-oscap-4.2.1-6.15.3 python2-suseRegisterInfo-4.2.3-6.15.1 python2-uyuni-common-libs-4.2.3-5.12.1 salt-2016.11.10-43.75.1 salt-doc-2016.11.10-43.75.1 salt-minion-2016.11.10-43.75.1 spacecmd-4.2.8-18.84.1 spacewalk-check-4.2.10-27.50.1 spacewalk-client-setup-4.2.10-27.50.1 spacewalk-client-tools-4.2.10-27.50.1 spacewalk-koan-4.2.3-9.21.1 spacewalk-oscap-4.2.1-6.15.3 suseRegisterInfo-4.2.3-6.15.1 - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (i586 x86_64): golang-github-wrouesnel-postgres_exporter-0.4.7-5.12.1 - 
SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (noarch): spacewalk-remote-utils-4.2.1-6.18.2 supportutils-plugin-susemanager-client-4.2.2-9.21.1 References: https://www.suse.com/security/cve/CVE-2021-31607.html https://bugzilla.suse.com/1173557 https://bugzilla.suse.com/1177884 https://bugzilla.suse.com/1177928 https://bugzilla.suse.com/1180583 https://bugzilla.suse.com/1180584 https://bugzilla.suse.com/1180585 https://bugzilla.suse.com/1185178 https://bugzilla.suse.com/1185281 From sle-security-updates at lists.suse.com Mon Jun 21 22:54:01 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 22 Jun 2021 00:54:01 +0200 (CEST) Subject: SUSE-SU-2021:14756-1: moderate: Security update for SUSE Manager Client Tools Message-ID: <20210621225401.6BACEFD07@maintenance.suse.de> SUSE Security Update: Security update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14756-1 Rating: moderate References: #1171257 #1173557 #1176293 #1179831 #1180583 #1180584 #1180585 #1181368 #1182281 #1182293 #1182382 #1185092 #1185281 #1186674 ECO-3212 SLE-18028 SLE-18033 Cross-References: CVE-2021-25315 CVE-2021-31607 CVSS scores: CVE-2021-25315 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-25315 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Manager Ubuntu 20.04-CLIENT-TOOLS ______________________________________________________________________________ An update that solves two vulnerabilities, contains three features and has 12 fixes is now available. 
Description: This update fixes the following issues: salt: - Check if dpkgnotify is executable (bsc#1186674) - Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028) - Drop support for Python2. Obsoletes `python2-salt` package (jsc#SLE-18028) - Virt module updates * network: handle missing ipv4 netmask attribute * more network support * PCI/USB host devices passthrough support - Set distro requirement to oldest supported version in requirements/base.txt - Bring missing part of async batch implementation back (bsc#1182382, CVE-2021-25315) - Always require python3-distro (bsc#1182293) - Remove deprecated warning that breaks minion execution when "server_id_use_crc" opts is missing - Fix pkg states when DEB package has "all" arch - Do not force beacons configuration to be a list. - Remove msgpack < 1.0.0 from base requirements (bsc#1176293) - Msgpack support for version >= 1.0.0 (bsc#1171257) - Fix issue parsing errors in ansiblegate state module - Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607) - Transactional_update: detect recursion in the executor - Add subpackage salt-transactional-update (jsc#SLE-18033) - Remove duplicate directories from specfile - Improvements on "ansiblegate" module (bsc#1185092): * New methods: ansible.targets / ansible.discover_playbooks - Add support for Alibaba Cloud Linux 2 (Aliyun Linux) - Regression fix of salt-ssh on processing targets - Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281) - Add notify beacon for Debian/Ubuntu systems - Fix zmq bug that causes salt-call to freeze (bsc#1181368) spacecmd: - Rename system migration to system transfer - Rename SP to product migration - Update translation strings - Add group_addconfigchannel and group_removeconfigchannel - Add group_listconfigchannels and configchannel_listgroups - Fix spacecmd compat with Python 3 - Deprecated "Software Crashes" feature - Document 
advanced package search on '--help' (bsc#1180583) - Fixed advanced search on 'package_listinstalledsystems' - Fixed duplicate results when using multiple search criteria (bsc#1180585) - Fixed "non-advanced" package search when using multiple package names (bsc#1180584) - Update translations - Fix: make spacecmd build on Debian - Add Service Pack migration operations (bsc#1173557) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Ubuntu 20.04-CLIENT-TOOLS: zypper in -t patch suse-ubu204ct-client-tools-202105-14756=1 Package List: - SUSE Manager Ubuntu 20.04-CLIENT-TOOLS (amd64): libopenscap-dev-1.2.16-1build1~uyuni1 libopenscap-perl-1.2.16-1build1~uyuni1 libopenscap8-1.2.16-1build1~uyuni1 libopenscap8-dbg-1.2.16-1build1~uyuni1 python-openscap-1.2.16-1build1~uyuni1 - SUSE Manager Ubuntu 20.04-CLIENT-TOOLS (all): salt-common-3002.2+ds-1+2.48.1 salt-minion-3002.2+ds-1+2.48.1 scap-security-guide-ubuntu-0.1.55git20210323-2.3.3 spacecmd-4.2.8-2.24.3 References: https://www.suse.com/security/cve/CVE-2021-25315.html https://www.suse.com/security/cve/CVE-2021-31607.html https://bugzilla.suse.com/1171257 https://bugzilla.suse.com/1173557 https://bugzilla.suse.com/1176293 https://bugzilla.suse.com/1179831 https://bugzilla.suse.com/1180583 https://bugzilla.suse.com/1180584 https://bugzilla.suse.com/1180585 https://bugzilla.suse.com/1181368 https://bugzilla.suse.com/1182281 https://bugzilla.suse.com/1182293 https://bugzilla.suse.com/1182382 https://bugzilla.suse.com/1185092 https://bugzilla.suse.com/1185281 https://bugzilla.suse.com/1186674 From sle-security-updates at lists.suse.com Mon Jun 21 22:57:48 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 22 Jun 2021 00:57:48 +0200 (CEST) Subject: SUSE-SU-2021:2114-1: moderate: Security update for SUSE Manager 
Server 4.0 Message-ID: <20210621225748.5148DFD07@maintenance.suse.de> SUSE Security Update: Security update for SUSE Manager Server 4.0 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2114-1 Rating: moderate References: #1172711 #1182817 #1184005 #1184283 #1184311 #1184332 #1184361 #1184471 #1184475 #1184561 #1184617 #1184861 #1184892 #1185097 #1185281 #1185506 #1186124 #1186346 #1186508 Cross-References: CVE-2021-28657 CVE-2021-31607 CVSS scores: CVE-2021-28657 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-28657 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-31607 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for SUSE Manager Server 4.0 ______________________________________________________________________________ An update that solves two vulnerabilities and has 17 fixes is now available. Description: This update fixes the following issues: cobbler: - Make "fence_ipmitool" a wrapper for "fence_ipmilan" using always lanplus (bsc#1184361) - Remove unused template for fence_ipmitool. - Prevent some race conditions when writing tftpboot files and the destination directory is not existing (bsc#1186124) - Fix trail stripping in case of using UTF symbols (bsc#1184561) grafana-formula: - Fix Grafana dashboards requiring single series (bsc#1184471) patterns-suse-manager: - Add require for py27-compat-salt (salt 3002 does not provide python2-salt anymore) prometheus-exporters-formula: - Move exporters configurations to dedicated group `prometheus_exporters` - Add formula data schema migration script - This version changes the formula data schema and is not backwards compatible. Downgrading from this version will require reconfiguring the formula for all your minions. 
- Add Ubuntu support for Prometheus exporters' reverse proxy pxe-default-image-sle15: - Adapt rpm-properties.xml for containment-rpm-pxe v0.2.1 and newer py26-compat-salt: - Prevent command injection in the snapper module (bsc#1185281) (CVE-2021-31607) spacewalk-backend: - Maintainer field in Debian packages is only recommended (bsc#1186508) - Switch to www group for satellite logs (bsc#1185097) spacewalk-java: - Change Prometheus exporters formula data schema to make it more generic and extendable - Adapt logging for testing accessibility of URLs (bsc#1182817) - Fix problem reading product_tree.json from wrong location in offline setups (bsc#1184283) - For a SUSE system get metadata and package from same source (bsc#1184475) - Check if the directory exists prior to modular data cleanup (bsc#1184311) - Assign right base product for res8 (bsc#1184005) - Fix check for mirrorlist URLs when refreshing products (bsc#1184861) spacewalk-utils: - Bugfix for ubuntu-18.04 repo urls: multiverse, restricted and backports - Add multiverse, restricted and backports to Ubuntu 16.04, 18.04 and 20.04 spacewalk-web: - Update the WebUI version to 4.0.14 susemanager: - Add python3-pycryptodome to Ubuntu 18 and 20 bootstrap repos (bsc#1186346) - Require gio-branding-SLE for SLE15 but not for openSUSE Leap 15 - Add python3-distro to RES8, SLE15 and Ubuntu20.04 bootstrap repositories to fix bootstrapping issues (bsc#1184332) susemanager-doc-indexes: - Update for Disconnected Setup chapter in Administration Guide susemanager-docs_en: - Update for Disconnected Setup chapter in Administration Guide susemanager-sls: - Do not install python2-salt on Salt 3002.2 Docker build hosts (bsc#1185506) - Fix insecure JMX configuration (bsc#1184617) - Avoid conflicts with running ioloop on mgr_events engine (bsc#1172711) tika-core: - New upstream version 1.26. Fixes: * Infinite loop in the MP3Parser (bsc#1184892, CVE-2021-28657) * Out of memory error while loading a file in PDFBox before 2.0.23. 
* Infinite loop while loading a file in PDFBox before 2.0.23. * System.exit vulnerability in Tika's OneNote Parser; out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. * Excessive memory usage (DoS) vulnerability in Apache Tika's PSDParser * Infinite Loop (DoS) vulnerability in Apache Tika's PSDParser How to apply this update: 1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk service: `spacewalk-service stop` 3. Apply the patch using either zypper patch or YaST Online Update. 4. Upgrade the database schema: `spacewalk-schema-upgrade` 5. Start the Spacewalk service: `spacewalk-service start` Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.0-2021-2114=1 Package List: - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (ppc64le s390x x86_64): patterns-suma_retail-4.0-9.19.3 patterns-suma_server-4.0-9.19.3 susemanager-4.0.34-3.52.3 susemanager-tools-4.0.34-3.52.3 - SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (noarch): cobbler-3.0.0+git20190806.32c4bae0-7.22.3 grafana-formula-0.2.3-4.16.3 prometheus-exporters-formula-0.7.6-3.19.3 pxe-default-image-sle15-4.0.1-20210621145802 py26-compat-salt-2016.11.10-10.28.3 py27-compat-salt-3000.3-4.3.3 python3-spacewalk-backend-libs-4.0.38-3.47.4 spacewalk-backend-4.0.38-3.47.4 spacewalk-backend-app-4.0.38-3.47.4 spacewalk-backend-applet-4.0.38-3.47.4 spacewalk-backend-config-files-4.0.38-3.47.4 spacewalk-backend-config-files-common-4.0.38-3.47.4 spacewalk-backend-config-files-tool-4.0.38-3.47.4 spacewalk-backend-iss-4.0.38-3.47.4 spacewalk-backend-iss-export-4.0.38-3.47.4 spacewalk-backend-package-push-server-4.0.38-3.47.4 
spacewalk-backend-server-4.0.38-3.47.4 spacewalk-backend-sql-4.0.38-3.47.4 spacewalk-backend-sql-postgresql-4.0.38-3.47.4 spacewalk-backend-tools-4.0.38-3.47.4 spacewalk-backend-xml-export-libs-4.0.38-3.47.4 spacewalk-backend-xmlrpc-4.0.38-3.47.4 spacewalk-base-4.0.28-3.45.1 spacewalk-base-minimal-4.0.28-3.45.1 spacewalk-base-minimal-config-4.0.28-3.45.1 spacewalk-html-4.0.28-3.45.1 spacewalk-java-4.0.44-3.57.5 spacewalk-java-config-4.0.44-3.57.5 spacewalk-java-lib-4.0.44-3.57.5 spacewalk-java-postgresql-4.0.44-3.57.5 spacewalk-taskomatic-4.0.44-3.57.5 spacewalk-utils-4.0.21-3.30.3 susemanager-doc-indexes-4.0-10.36.4 susemanager-docs_en-4.0-10.36.3 susemanager-docs_en-pdf-4.0-10.36.3 susemanager-sls-4.0.35-3.48.3 susemanager-web-libs-4.0.28-3.45.1 tika-core-1.26-3.6.3 References: https://www.suse.com/security/cve/CVE-2021-28657.html https://www.suse.com/security/cve/CVE-2021-31607.html https://bugzilla.suse.com/1172711 https://bugzilla.suse.com/1182817 https://bugzilla.suse.com/1184005 https://bugzilla.suse.com/1184283 https://bugzilla.suse.com/1184311 https://bugzilla.suse.com/1184332 https://bugzilla.suse.com/1184361 https://bugzilla.suse.com/1184471 https://bugzilla.suse.com/1184475 https://bugzilla.suse.com/1184561 https://bugzilla.suse.com/1184617 https://bugzilla.suse.com/1184861 https://bugzilla.suse.com/1184892 https://bugzilla.suse.com/1185097 https://bugzilla.suse.com/1185281 https://bugzilla.suse.com/1185506 https://bugzilla.suse.com/1186124 https://bugzilla.suse.com/1186346 https://bugzilla.suse.com/1186508 From sle-security-updates at lists.suse.com Mon Jun 21 23:01:20 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 22 Jun 2021 01:01:20 +0200 (CEST) Subject: SUSE-SU-2021:2106-1: critical: Security update for salt Message-ID: <20210621230120.86D9BFD07@maintenance.suse.de> SUSE Security Update: Security update for salt ______________________________________________________________________________ 
Announcement ID: SUSE-SU-2021:2106-1 Rating: critical References: #1171257 #1176293 #1179831 #1181368 #1182281 #1182293 #1182382 #1185092 #1185281 #1186674 ECO-3212 SLE-18028 SLE-18033 Cross-References: CVE-2018-15750 CVE-2018-15751 CVE-2020-11651 CVE-2020-11652 CVE-2020-25592 CVE-2021-25315 CVE-2021-31607 CVSS scores: CVE-2018-15750 (NVD) : 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2018-15750 (SUSE): 8.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N CVE-2018-15751 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-15751 (SUSE): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-11651 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-11651 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-11652 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-11652 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-25592 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-25592 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-25315 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-25315 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Module for Transactional Server 15-SP2 SUSE Linux Enterprise Module for Server Applications 15-SP2 SUSE Linux Enterprise Module for Python2 15-SP3 SUSE Linux Enterprise Module for Python2 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that solves 7 vulnerabilities, contains three features and has three fixes is now available. 
Description: This update for salt fixes the following issues: Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028) - Check if dpkgnotify is executable (bsc#1186674) - Drop support for Python2. Obsoletes `python2-salt` package (jsc#SLE-18028) - virt module updates * network: handle missing ipv4 netmask attribute * more network support * PCI/USB host devices passthrough support - Set distro requirement to oldest supported version in requirements/base.txt - Bring missing part of async batch implementation back (CVE-2021-25315, bsc#1182382) - Always require `python3-distro` (bsc#1182293) - Remove deprecated warning that breaks minion execution when "server_id_use_crc" opts is missing - Fix pkg states when DEB package has "all" arch - Do not force beacons configuration to be a list. - Remove msgpack < 1.0.0 from base requirements (bsc#1176293) - msgpack support for version >= 1.0.0 (bsc#1171257) - Fix issue parsing errors in ansiblegate state module - Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607) - transactional_update: detect recursion in the executor - Add subpackage salt-transactional-update (jsc#SLE-18033) - Improvements on "ansiblegate" module (bsc#1185092): * New methods: ansible.targets / ansible.discover_playbooks - Add support for Alibaba Cloud Linux 2 (Aliyun Linux) - Regression fix of salt-ssh on processing targets - Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281) - Add notify beacon for Debian/Ubuntu systems - Fix zmq bug that causes salt-call to freeze (bsc#1181368) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-2106=1 - SUSE Linux Enterprise Module for Transactional Server 15-SP2: zypper in -t patch SUSE-SLE-Module-Transactional-Server-15-SP2-2021-2106=1 - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-2106=1 - SUSE Linux Enterprise Module for Python2 15-SP3: zypper in -t patch SUSE-SLE-Module-Python2-15-SP3-2021-2106=1 - SUSE Linux Enterprise Module for Python2 15-SP2: zypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2021-2106=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-2106=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-2106=1 Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): python3-salt-3002.2-37.1 salt-3002.2-37.1 salt-minion-3002.2-37.1 salt-transactional-update-3002.2-37.1 - SUSE MicroOS 5.0 (noarch): python3-distro-1.5.0-3.5.1 - SUSE Linux Enterprise Module for Transactional Server 15-SP2 (aarch64 ppc64le s390x x86_64): salt-transactional-update-3002.2-37.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): salt-api-3002.2-37.1 salt-cloud-3002.2-37.1 salt-master-3002.2-37.1 salt-proxy-3002.2-37.1 salt-ssh-3002.2-37.1 salt-standalone-formulas-configuration-3002.2-37.1 salt-syndic-3002.2-37.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch): salt-fish-completion-3002.2-37.1 - SUSE Linux Enterprise Module for Python2 15-SP3 (noarch): python2-distro-1.5.0-3.5.1 - SUSE Linux Enterprise Module for Python2 15-SP2 (noarch): python2-distro-1.5.0-3.5.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch): python3-distro-1.5.0-3.5.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): python3-salt-3002.2-37.1 salt-3002.2-37.1 
salt-doc-3002.2-37.1 salt-minion-3002.2-37.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): python3-distro-1.5.0-3.5.1 salt-bash-completion-3002.2-37.1 salt-zsh-completion-3002.2-37.1 References: https://www.suse.com/security/cve/CVE-2018-15750.html https://www.suse.com/security/cve/CVE-2018-15751.html https://www.suse.com/security/cve/CVE-2020-11651.html https://www.suse.com/security/cve/CVE-2020-11652.html https://www.suse.com/security/cve/CVE-2020-25592.html https://www.suse.com/security/cve/CVE-2021-25315.html https://www.suse.com/security/cve/CVE-2021-31607.html https://bugzilla.suse.com/1171257 https://bugzilla.suse.com/1176293 https://bugzilla.suse.com/1179831 https://bugzilla.suse.com/1181368 https://bugzilla.suse.com/1182281 https://bugzilla.suse.com/1182293 https://bugzilla.suse.com/1182382 https://bugzilla.suse.com/1185092 https://bugzilla.suse.com/1185281 https://bugzilla.suse.com/1186674 From sle-security-updates at lists.suse.com Mon Jun 21 23:03:46 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 22 Jun 2021 01:03:46 +0200 (CEST) Subject: SUSE-SU-2021:14755-1: moderate: Security update for SUSE Manager Client Tools Message-ID: <20210621230346.1D31CFD07@maintenance.suse.de> SUSE Security Update: Security update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14755-1 Rating: moderate References: #1171257 #1173557 #1176293 #1179831 #1180583 #1180584 #1180585 #1181368 #1182281 #1182293 #1182382 #1185092 #1185281 #1186674 ECO-3212 SLE-18028 SLE-18033 Cross-References: CVE-2021-25315 CVE-2021-31607 CVSS scores: CVE-2021-25315 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-25315 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-31607 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 
Affected Products: SUSE Manager Ubuntu 18.04-CLIENT-TOOLS ______________________________________________________________________________ An update that solves two vulnerabilities, contains three features and has 12 fixes is now available. Description: This update fixes the following issues: salt: - Check if dpkgnotify is executable (bsc#1186674) - Update to Salt release version 3002.2 (jsc#ECO-3212) - Drop support for Python2. Obsoletes `python2-salt` package (jsc#SLE-18028) - Virt module updates * network: handle missing ipv4 netmask attribute * more network support * PCI/USB host devices passthrough support - Set distro requirement to oldest supported version in requirements/base.txt - Bring missing part of async batch implementation back (bsc#1182382, CVE-2021-25315) - Always require python3-distro (bsc#1182293) - Remove deprecated warning that breaks minion execution when "server_id_use_crc" opts is missing - Fix pkg states when DEB package has "all" arch - Do not force beacons configuration to be a list. 
- Remove msgpack < 1.0.0 from base requirements (bsc#1176293) - Msgpack support for version >= 1.0.0 (bsc#1171257) - Fix issue parsing errors in ansiblegate state module - Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607) - Transactional_update: detect recursion in the executor - Add subpackage salt-transactional-update (jsc#SLE-18033) - Remove duplicate directories from specfile - Improvements on "ansiblegate" module (bsc#1185092): * New methods: ansible.targets / ansible.discover_playbooks - Add support for Alibaba Cloud Linux 2 (Aliyun Linux) - Regression fix of salt-ssh on processing targets - Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281) - Add notify beacon for Debian/Ubuntu systems - Fix zmq bug that causes salt-call to freeze (bsc#1181368) spacecmd: - Rename system migration to system transfer - Rename SP to product migration - Update translation strings - Add group_addconfigchannel and group_removeconfigchannel - Add group_listconfigchannels and configchannel_listgroups - Fix spacecmd compat with Python 3 - Deprecated "Software Crashes" feature - Document advanced package search on '--help' (bsc#1180583) - Fixed advanced search on 'package_listinstalledsystems' - Fixed duplicate results when using multiple search criteria (bsc#1180585) - Fixed "non-advanced" package search when using multiple package names (bsc#1180584) - Update translations - Fix: make spacecmd build on Debian - Add Service Pack migration operations (bsc#1173557) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Ubuntu 18.04-CLIENT-TOOLS: zypper in -t patch suse-ubu184ct-client-tools-202105-14755=1 Package List: - SUSE Manager Ubuntu 18.04-CLIENT-TOOLS (amd64): libopenscap-dev-1.2.15-1build1~uyuni1 libopenscap-perl-1.2.15-1build1~uyuni1 libopenscap8-1.2.15-1build1~uyuni1 libopenscap8-dbg-1.2.15-1build1~uyuni1 python-openscap-1.2.15-1build1~uyuni1 python3-pycryptodome-3.4.7-1ubuntu1 - SUSE Manager Ubuntu 18.04-CLIENT-TOOLS (all): salt-common-3002.2+ds-1+89.1 salt-minion-3002.2+ds-1+89.1 scap-security-guide-ubuntu-0.1.55git20210323-2.3 spacecmd-4.2.8-26.2 References: https://www.suse.com/security/cve/CVE-2021-25315.html https://www.suse.com/security/cve/CVE-2021-31607.html https://bugzilla.suse.com/1171257 https://bugzilla.suse.com/1173557 https://bugzilla.suse.com/1176293 https://bugzilla.suse.com/1179831 https://bugzilla.suse.com/1180583 https://bugzilla.suse.com/1180584 https://bugzilla.suse.com/1180585 https://bugzilla.suse.com/1181368 https://bugzilla.suse.com/1182281 https://bugzilla.suse.com/1182293 https://bugzilla.suse.com/1182382 https://bugzilla.suse.com/1185092 https://bugzilla.suse.com/1185281 https://bugzilla.suse.com/1186674 From sle-security-updates at lists.suse.com Tue Jun 22 16:17:31 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 22 Jun 2021 18:17:31 +0200 (CEST) Subject: SUSE-SU-2021:2118-1: important: Security update for ovmf Message-ID: <20210622161731.DB5EAFDE0@maintenance.suse.de> SUSE Security Update: Security update for ovmf ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2118-1 Rating: important References: #1186151 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP3 ______________________________________________________________________________ An update that contains security fixes can now be installed. 
Description: This update for ovmf fixes the following issues: - Fixed a possible buffer overflow in IScsiDxe (bsc#1186151) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-2118=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 x86_64): ovmf-202008-10.8.1 ovmf-tools-202008-10.8.1 - SUSE Linux Enterprise Module for Server Applications 15-SP3 (noarch): qemu-ovmf-x86_64-202008-10.8.1 qemu-uefi-aarch64-202008-10.8.1 References: https://bugzilla.suse.com/1186151 From sle-security-updates at lists.suse.com Tue Jun 22 16:19:05 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 22 Jun 2021 18:19:05 +0200 (CEST) Subject: SUSE-SU-2021:2121-1: moderate: Security update for ansible Message-ID: <20210622161905.E606AFD07@maintenance.suse.de> SUSE Security Update: Security update for ansible ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2121-1 Rating: moderate References: #1180816 #1180942 #1181119 #1181935 #1183684 Cross-References: CVE-2021-20178 CVE-2021-20180 CVE-2021-20191 CVE-2021-20228 CVE-2021-3447 CVSS scores: CVE-2021-20178 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-20178 (SUSE): 5 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N CVE-2021-20180 (SUSE): 5 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N CVE-2021-20191 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-20191 (SUSE): 5 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N CVE-2021-20228 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-20228 (SUSE): 5 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N CVE-2021-3447 (NVD) : 5.5 
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-3447 (SUSE): 5 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for ansible fixes the following issues: - Update to 2.9.22: - CVE-2021-3447: multiple modules expose secured values (bsc#1183684) - CVE-2021-20228: basic.py no_log with fallback option (bsc#1181935) - CVE-2021-20191: multiple collections exposes secured values (bsc#1181119) - CVE-2021-20180: bitbucket_pipeline_variable exposes sensitive values (bsc#1180942) - CVE-2021-20178: user data leak in snmp_facts module (bsc#1180816) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-2121=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-2121=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-2121=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): ansible-2.9.22-3.18.1 - SUSE OpenStack Cloud 8 (x86_64): ansible-2.9.22-3.18.1 - HPE Helion Openstack 8 (x86_64): ansible-2.9.22-3.18.1 References: https://www.suse.com/security/cve/CVE-2021-20178.html https://www.suse.com/security/cve/CVE-2021-20180.html https://www.suse.com/security/cve/CVE-2021-20191.html https://www.suse.com/security/cve/CVE-2021-20228.html https://www.suse.com/security/cve/CVE-2021-3447.html https://bugzilla.suse.com/1180816 https://bugzilla.suse.com/1180942 https://bugzilla.suse.com/1181119 https://bugzilla.suse.com/1181935 https://bugzilla.suse.com/1183684 From sle-security-updates at lists.suse.com Tue Jun 22 16:20:59 2021 From: 
sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 22 Jun 2021 18:20:59 +0200 (CEST) Subject: SUSE-SU-2021:2125-1: important: Security update for wireshark Message-ID: <20210622162059.76B55FD07@maintenance.suse.de> SUSE Security Update: Security update for wireshark ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2125-1 Rating: important References: #1179930 #1179931 #1179932 #1179933 #1180102 #1180232 #1181598 #1181599 #1183353 #1184110 #1185128 Cross-References: CVE-2020-26418 CVE-2020-26419 CVE-2020-26420 CVE-2020-26421 CVE-2020-26422 CVE-2021-22173 CVE-2021-22174 CVE-2021-22191 CVE-2021-22207 CVSS scores: CVE-2020-26418 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2020-26418 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2020-26419 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2020-26420 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2020-26420 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2020-26421 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2020-26421 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-26422 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2020-26422 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-22173 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-22173 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2021-22174 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-22174 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2021-22191 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-22191 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-22207 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-22207 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L Affected Products: SUSE Manager Server 4.0 SUSE Manager 
Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Desktop Applications 15-SP3 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that solves 9 vulnerabilities and has two fixes is now available. Description: This update for wireshark, libvirt, sbc and libqt5-qtmultimedia fixes the following issues: Update wireshark to version 3.4.5 - New and updated support and bug fixes for multiple protocols - Asynchronous DNS resolution is always enabled - Protobuf fields can be dissected as Wireshark (header) fields - UI improvements Including security fixes for: - CVE-2021-22191: Wireshark could open unsafe URLs (bsc#1183353). - CVE-2021-22207: MS-WSP dissector excessive memory consumption (bsc#1185128) - CVE-2020-26422: QUIC dissector crash (bsc#1180232) - CVE-2020-26418: Kafka dissector memory leak (bsc#1179930) - CVE-2020-26419: Multiple dissector memory leaks (bsc#1179931) - CVE-2020-26420: RTPS dissector memory leak (bsc#1179932) - CVE-2020-26421: USB HID dissector crash (bsc#1179933) - CVE-2021-22173: Fix USB HID dissector memory leak (bsc#1181598) - CVE-2021-22174: Fix USB HID dissector crash (bsc#1181599) libqt5-qtmultimedia and sbc are necessary dependencies. libvirt is needed to rebuild wireshark-plugin-libvirt. 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-2125=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-2125=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-2125=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-2125=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-2125=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-2125=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-2125=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-2125=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-2125=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-2125=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-2125=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-2125=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-2125=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-2125=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2125=1 - SUSE Linux Enterprise High Performance Computing 
15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2125=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-2125=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): libQt5Multimedia5-5.9.7-7.2.1 libQt5Multimedia5-debuginfo-5.9.7-7.2.1 libqt5-qtmultimedia-debugsource-5.9.7-7.2.1 libqt5-qtmultimedia-devel-5.9.7-7.2.1 libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 libwsutil12-debuginfo-3.4.5-3.53.1 sbc-debuginfo-1.3-3.2.1 sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-3.4.5-3.53.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE Manager Server 4.0 (noarch): libqt5-qtmultimedia-private-headers-devel-5.9.7-7.2.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): libQt5Multimedia5-5.9.7-7.2.1 libQt5Multimedia5-debuginfo-5.9.7-7.2.1 libqt5-qtmultimedia-debugsource-5.9.7-7.2.1 libqt5-qtmultimedia-devel-5.9.7-7.2.1 libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 libwsutil12-debuginfo-3.4.5-3.53.1 sbc-debuginfo-1.3-3.2.1 sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-3.4.5-3.53.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE Manager Retail Branch Server 4.0 (noarch): libqt5-qtmultimedia-private-headers-devel-5.9.7-7.2.1 - SUSE Manager Proxy 4.0 (x86_64): 
libQt5Multimedia5-5.9.7-7.2.1 libQt5Multimedia5-debuginfo-5.9.7-7.2.1 libqt5-qtmultimedia-debugsource-5.9.7-7.2.1 libqt5-qtmultimedia-devel-5.9.7-7.2.1 libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 libwsutil12-debuginfo-3.4.5-3.53.1 sbc-debuginfo-1.3-3.2.1 sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-3.4.5-3.53.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE Manager Proxy 4.0 (noarch): libqt5-qtmultimedia-private-headers-devel-5.9.7-7.2.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): libQt5Multimedia5-5.9.7-7.2.1 libQt5Multimedia5-debuginfo-5.9.7-7.2.1 libqt5-qtmultimedia-debugsource-5.9.7-7.2.1 libqt5-qtmultimedia-devel-5.9.7-7.2.1 libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 libwsutil12-debuginfo-3.4.5-3.53.1 sbc-debuginfo-1.3-3.2.1 sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-3.4.5-3.53.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): libqt5-qtmultimedia-private-headers-devel-5.9.7-7.2.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libvirt-4.0.0-9.37.21 libvirt-admin-4.0.0-9.37.21 libvirt-admin-debuginfo-4.0.0-9.37.21 libvirt-client-4.0.0-9.37.21 libvirt-client-debuginfo-4.0.0-9.37.21 libvirt-daemon-4.0.0-9.37.21 libvirt-daemon-config-network-4.0.0-9.37.21 libvirt-daemon-config-nwfilter-4.0.0-9.37.21 libvirt-daemon-debuginfo-4.0.0-9.37.21 
libvirt-daemon-driver-interface-4.0.0-9.37.21 libvirt-daemon-driver-interface-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-lxc-4.0.0-9.37.21 libvirt-daemon-driver-lxc-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-network-4.0.0-9.37.21 libvirt-daemon-driver-network-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-nodedev-4.0.0-9.37.21 libvirt-daemon-driver-nodedev-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-nwfilter-4.0.0-9.37.21 libvirt-daemon-driver-nwfilter-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-qemu-4.0.0-9.37.21 libvirt-daemon-driver-qemu-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-secret-4.0.0-9.37.21 libvirt-daemon-driver-secret-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-4.0.0-9.37.21 libvirt-daemon-driver-storage-core-4.0.0-9.37.21 libvirt-daemon-driver-storage-core-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-disk-4.0.0-9.37.21 libvirt-daemon-driver-storage-disk-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-iscsi-4.0.0-9.37.21 libvirt-daemon-driver-storage-iscsi-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-logical-4.0.0-9.37.21 libvirt-daemon-driver-storage-logical-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-mpath-4.0.0-9.37.21 libvirt-daemon-driver-storage-mpath-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-scsi-4.0.0-9.37.21 libvirt-daemon-driver-storage-scsi-debuginfo-4.0.0-9.37.21 libvirt-daemon-hooks-4.0.0-9.37.21 libvirt-daemon-lxc-4.0.0-9.37.21 libvirt-daemon-qemu-4.0.0-9.37.21 libvirt-debugsource-4.0.0-9.37.21 libvirt-devel-4.0.0-9.37.21 libvirt-doc-4.0.0-9.37.21 libvirt-libs-4.0.0-9.37.21 libvirt-libs-debuginfo-4.0.0-9.37.21 libvirt-lock-sanlock-4.0.0-9.37.21 libvirt-lock-sanlock-debuginfo-4.0.0-9.37.21 libvirt-nss-4.0.0-9.37.21 libvirt-nss-debuginfo-4.0.0-9.37.21 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 libwsutil12-debuginfo-3.4.5-3.53.1 sbc-debuginfo-1.3-3.2.1 
sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-3.4.5-3.53.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libvirt-daemon-driver-libxl-4.0.0-9.37.21 libvirt-daemon-driver-libxl-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-rbd-4.0.0-9.37.21 libvirt-daemon-driver-storage-rbd-debuginfo-4.0.0-9.37.21 libvirt-daemon-xen-4.0.0-9.37.21 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): libQt5Multimedia5-5.9.7-7.2.1 libQt5Multimedia5-debuginfo-5.9.7-7.2.1 libqt5-qtmultimedia-debugsource-5.9.7-7.2.1 libqt5-qtmultimedia-devel-5.9.7-7.2.1 libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 libwsutil12-debuginfo-3.4.5-3.53.1 sbc-debuginfo-1.3-3.2.1 sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-3.4.5-3.53.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): libqt5-qtmultimedia-private-headers-devel-5.9.7-7.2.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): libqt5-qtmultimedia-private-headers-devel-5.9.7-7.2.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): libQt5Multimedia5-5.9.7-7.2.1 libQt5Multimedia5-debuginfo-5.9.7-7.2.1 libqt5-qtmultimedia-debugsource-5.9.7-7.2.1 libqt5-qtmultimedia-devel-5.9.7-7.2.1 libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 libwsutil12-debuginfo-3.4.5-3.53.1 sbc-debuginfo-1.3-3.2.1 sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-3.4.5-3.53.1 
wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libvirt-4.0.0-9.37.21 libvirt-admin-4.0.0-9.37.21 libvirt-admin-debuginfo-4.0.0-9.37.21 libvirt-client-4.0.0-9.37.21 libvirt-client-debuginfo-4.0.0-9.37.21 libvirt-daemon-4.0.0-9.37.21 libvirt-daemon-config-network-4.0.0-9.37.21 libvirt-daemon-config-nwfilter-4.0.0-9.37.21 libvirt-daemon-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-interface-4.0.0-9.37.21 libvirt-daemon-driver-interface-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-lxc-4.0.0-9.37.21 libvirt-daemon-driver-lxc-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-network-4.0.0-9.37.21 libvirt-daemon-driver-network-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-nodedev-4.0.0-9.37.21 libvirt-daemon-driver-nodedev-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-nwfilter-4.0.0-9.37.21 libvirt-daemon-driver-nwfilter-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-qemu-4.0.0-9.37.21 libvirt-daemon-driver-qemu-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-secret-4.0.0-9.37.21 libvirt-daemon-driver-secret-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-4.0.0-9.37.21 libvirt-daemon-driver-storage-core-4.0.0-9.37.21 libvirt-daemon-driver-storage-core-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-disk-4.0.0-9.37.21 libvirt-daemon-driver-storage-disk-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-iscsi-4.0.0-9.37.21 libvirt-daemon-driver-storage-iscsi-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-logical-4.0.0-9.37.21 libvirt-daemon-driver-storage-logical-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-mpath-4.0.0-9.37.21 libvirt-daemon-driver-storage-mpath-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-scsi-4.0.0-9.37.21 libvirt-daemon-driver-storage-scsi-debuginfo-4.0.0-9.37.21 libvirt-daemon-hooks-4.0.0-9.37.21 
libvirt-daemon-lxc-4.0.0-9.37.21 libvirt-daemon-qemu-4.0.0-9.37.21 libvirt-debugsource-4.0.0-9.37.21 libvirt-devel-4.0.0-9.37.21 libvirt-doc-4.0.0-9.37.21 libvirt-libs-4.0.0-9.37.21 libvirt-libs-debuginfo-4.0.0-9.37.21 libvirt-lock-sanlock-4.0.0-9.37.21 libvirt-lock-sanlock-debuginfo-4.0.0-9.37.21 libvirt-nss-4.0.0-9.37.21 libvirt-nss-debuginfo-4.0.0-9.37.21 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 libwsutil12-debuginfo-3.4.5-3.53.1 sbc-debuginfo-1.3-3.2.1 sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-3.4.5-3.53.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64): libvirt-daemon-driver-storage-rbd-4.0.0-9.37.21 libvirt-daemon-driver-storage-rbd-debuginfo-4.0.0-9.37.21 - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64): libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 sbc-debuginfo-1.3-3.2.1 sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 sbc-debuginfo-1.3-3.2.1 sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 
libwsutil12-debuginfo-3.4.5-3.53.1 wireshark-3.4.5-3.53.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 libwsutil12-debuginfo-3.4.5-3.53.1 wireshark-3.4.5-3.53.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): libQt5Multimedia5-5.9.7-7.2.1 libQt5Multimedia5-debuginfo-5.9.7-7.2.1 libqt5-qtmultimedia-debugsource-5.9.7-7.2.1 libqt5-qtmultimedia-devel-5.9.7-7.2.1 libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 libwsutil12-debuginfo-3.4.5-3.53.1 sbc-debuginfo-1.3-3.2.1 sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-3.4.5-3.53.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): libqt5-qtmultimedia-private-headers-devel-5.9.7-7.2.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): libQt5Multimedia5-5.9.7-7.2.1 libQt5Multimedia5-debuginfo-5.9.7-7.2.1 libqt5-qtmultimedia-debugsource-5.9.7-7.2.1 libqt5-qtmultimedia-devel-5.9.7-7.2.1 libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 libwsutil12-debuginfo-3.4.5-3.53.1 sbc-debuginfo-1.3-3.2.1 sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-3.4.5-3.53.1 wireshark-debuginfo-3.4.5-3.53.1 
wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): libqt5-qtmultimedia-private-headers-devel-5.9.7-7.2.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libvirt-4.0.0-9.37.21 libvirt-admin-4.0.0-9.37.21 libvirt-admin-debuginfo-4.0.0-9.37.21 libvirt-client-4.0.0-9.37.21 libvirt-client-debuginfo-4.0.0-9.37.21 libvirt-daemon-4.0.0-9.37.21 libvirt-daemon-config-network-4.0.0-9.37.21 libvirt-daemon-config-nwfilter-4.0.0-9.37.21 libvirt-daemon-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-interface-4.0.0-9.37.21 libvirt-daemon-driver-interface-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-lxc-4.0.0-9.37.21 libvirt-daemon-driver-lxc-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-network-4.0.0-9.37.21 libvirt-daemon-driver-network-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-nodedev-4.0.0-9.37.21 libvirt-daemon-driver-nodedev-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-nwfilter-4.0.0-9.37.21 libvirt-daemon-driver-nwfilter-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-qemu-4.0.0-9.37.21 libvirt-daemon-driver-qemu-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-secret-4.0.0-9.37.21 libvirt-daemon-driver-secret-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-4.0.0-9.37.21 libvirt-daemon-driver-storage-core-4.0.0-9.37.21 libvirt-daemon-driver-storage-core-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-disk-4.0.0-9.37.21 libvirt-daemon-driver-storage-disk-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-iscsi-4.0.0-9.37.21 libvirt-daemon-driver-storage-iscsi-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-logical-4.0.0-9.37.21 libvirt-daemon-driver-storage-logical-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-mpath-4.0.0-9.37.21 libvirt-daemon-driver-storage-mpath-debuginfo-4.0.0-9.37.21 
libvirt-daemon-driver-storage-rbd-4.0.0-9.37.21 libvirt-daemon-driver-storage-rbd-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-scsi-4.0.0-9.37.21 libvirt-daemon-driver-storage-scsi-debuginfo-4.0.0-9.37.21 libvirt-daemon-hooks-4.0.0-9.37.21 libvirt-daemon-lxc-4.0.0-9.37.21 libvirt-daemon-qemu-4.0.0-9.37.21 libvirt-debugsource-4.0.0-9.37.21 libvirt-devel-4.0.0-9.37.21 libvirt-doc-4.0.0-9.37.21 libvirt-libs-4.0.0-9.37.21 libvirt-libs-debuginfo-4.0.0-9.37.21 libvirt-lock-sanlock-4.0.0-9.37.21 libvirt-lock-sanlock-debuginfo-4.0.0-9.37.21 libvirt-nss-4.0.0-9.37.21 libvirt-nss-debuginfo-4.0.0-9.37.21 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 libwsutil12-debuginfo-3.4.5-3.53.1 sbc-debuginfo-1.3-3.2.1 sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-3.4.5-3.53.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libvirt-daemon-driver-libxl-4.0.0-9.37.21 libvirt-daemon-driver-libxl-debuginfo-4.0.0-9.37.21 libvirt-daemon-xen-4.0.0-9.37.21 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libvirt-4.0.0-9.37.21 libvirt-admin-4.0.0-9.37.21 libvirt-admin-debuginfo-4.0.0-9.37.21 libvirt-client-4.0.0-9.37.21 libvirt-client-debuginfo-4.0.0-9.37.21 libvirt-daemon-4.0.0-9.37.21 libvirt-daemon-config-network-4.0.0-9.37.21 libvirt-daemon-config-nwfilter-4.0.0-9.37.21 libvirt-daemon-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-interface-4.0.0-9.37.21 libvirt-daemon-driver-interface-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-lxc-4.0.0-9.37.21 libvirt-daemon-driver-lxc-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-network-4.0.0-9.37.21 libvirt-daemon-driver-network-debuginfo-4.0.0-9.37.21 
libvirt-daemon-driver-nodedev-4.0.0-9.37.21 libvirt-daemon-driver-nodedev-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-nwfilter-4.0.0-9.37.21 libvirt-daemon-driver-nwfilter-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-qemu-4.0.0-9.37.21 libvirt-daemon-driver-qemu-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-secret-4.0.0-9.37.21 libvirt-daemon-driver-secret-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-4.0.0-9.37.21 libvirt-daemon-driver-storage-core-4.0.0-9.37.21 libvirt-daemon-driver-storage-core-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-disk-4.0.0-9.37.21 libvirt-daemon-driver-storage-disk-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-iscsi-4.0.0-9.37.21 libvirt-daemon-driver-storage-iscsi-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-logical-4.0.0-9.37.21 libvirt-daemon-driver-storage-logical-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-mpath-4.0.0-9.37.21 libvirt-daemon-driver-storage-mpath-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-rbd-4.0.0-9.37.21 libvirt-daemon-driver-storage-rbd-debuginfo-4.0.0-9.37.21 libvirt-daemon-driver-storage-scsi-4.0.0-9.37.21 libvirt-daemon-driver-storage-scsi-debuginfo-4.0.0-9.37.21 libvirt-daemon-hooks-4.0.0-9.37.21 libvirt-daemon-lxc-4.0.0-9.37.21 libvirt-daemon-qemu-4.0.0-9.37.21 libvirt-debugsource-4.0.0-9.37.21 libvirt-devel-4.0.0-9.37.21 libvirt-doc-4.0.0-9.37.21 libvirt-libs-4.0.0-9.37.21 libvirt-libs-debuginfo-4.0.0-9.37.21 libvirt-lock-sanlock-4.0.0-9.37.21 libvirt-lock-sanlock-debuginfo-4.0.0-9.37.21 libvirt-nss-4.0.0-9.37.21 libvirt-nss-debuginfo-4.0.0-9.37.21 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 libwsutil12-debuginfo-3.4.5-3.53.1 sbc-debuginfo-1.3-3.2.1 sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-3.4.5-3.53.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 
wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libvirt-daemon-driver-libxl-4.0.0-9.37.21 libvirt-daemon-driver-libxl-debuginfo-4.0.0-9.37.21 libvirt-daemon-xen-4.0.0-9.37.21 - SUSE Enterprise Storage 6 (aarch64 x86_64): libQt5Multimedia5-5.9.7-7.2.1 libQt5Multimedia5-debuginfo-5.9.7-7.2.1 libqt5-qtmultimedia-debugsource-5.9.7-7.2.1 libqt5-qtmultimedia-devel-5.9.7-7.2.1 libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 libwsutil12-debuginfo-3.4.5-3.53.1 sbc-debuginfo-1.3-3.2.1 sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-3.4.5-3.53.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE Enterprise Storage 6 (noarch): libqt5-qtmultimedia-private-headers-devel-5.9.7-7.2.1 - SUSE CaaS Platform 4.0 (x86_64): libQt5Multimedia5-5.9.7-7.2.1 libQt5Multimedia5-debuginfo-5.9.7-7.2.1 libqt5-qtmultimedia-debugsource-5.9.7-7.2.1 libqt5-qtmultimedia-devel-5.9.7-7.2.1 libsbc1-1.3-3.2.1 libsbc1-debuginfo-1.3-3.2.1 libwireshark14-3.4.5-3.53.1 libwireshark14-debuginfo-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwiretap11-debuginfo-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 libwsutil12-debuginfo-3.4.5-3.53.1 sbc-debuginfo-1.3-3.2.1 sbc-debugsource-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-3.4.5-3.53.1 wireshark-debuginfo-3.4.5-3.53.1 wireshark-debugsource-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 wireshark-ui-qt-debuginfo-3.4.5-3.53.1 - SUSE CaaS Platform 4.0 (noarch): libqt5-qtmultimedia-private-headers-devel-5.9.7-7.2.1 References: https://www.suse.com/security/cve/CVE-2020-26418.html https://www.suse.com/security/cve/CVE-2020-26419.html https://www.suse.com/security/cve/CVE-2020-26420.html 
https://www.suse.com/security/cve/CVE-2020-26421.html
https://www.suse.com/security/cve/CVE-2020-26422.html
https://www.suse.com/security/cve/CVE-2021-22173.html
https://www.suse.com/security/cve/CVE-2021-22174.html
https://www.suse.com/security/cve/CVE-2021-22191.html
https://www.suse.com/security/cve/CVE-2021-22207.html
https://bugzilla.suse.com/1179930
https://bugzilla.suse.com/1179931
https://bugzilla.suse.com/1179932
https://bugzilla.suse.com/1179933
https://bugzilla.suse.com/1180102
https://bugzilla.suse.com/1180232
https://bugzilla.suse.com/1181598
https://bugzilla.suse.com/1181599
https://bugzilla.suse.com/1183353
https://bugzilla.suse.com/1184110
https://bugzilla.suse.com/1185128

From sle-security-updates at lists.suse.com Tue Jun 22 16:23:30 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 22 Jun 2021 18:23:30 +0200 (CEST)
Subject: SUSE-SU-2021:2122-1: important: Security update for dovecot23
Message-ID: <20210622162330.19624FD07@maintenance.suse.de>

SUSE Security Update: Security update for dovecot23
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2122-1
Rating: important
References: #1187418 #1187419
Cross-References: CVE-2021-29157 CVE-2021-33515
CVSS scores:
   CVE-2021-29157 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
   CVE-2021-33515 (SUSE): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected Products:
   SUSE Linux Enterprise Server for SAP 15
   SUSE Linux Enterprise Server 15-LTSS
   SUSE Linux Enterprise High Performance Computing 15-LTSS
   SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.
Description:

This update for dovecot23 fixes the following issues:

- CVE-2021-29157: Local attacker can login as any user and access their emails (bsc#1187418)
- CVE-2021-33515: Attacker can potentially steal user credentials and mails (bsc#1187419)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
   zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-2122=1
- SUSE Linux Enterprise Server 15-LTSS:
   zypper in -t patch SUSE-SLE-Product-SLES-15-2021-2122=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
   zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2122=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
   zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2122=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
   dovecot23-2.3.11.3-4.35.1
   dovecot23-backend-mysql-2.3.11.3-4.35.1
   dovecot23-backend-mysql-debuginfo-2.3.11.3-4.35.1
   dovecot23-backend-pgsql-2.3.11.3-4.35.1
   dovecot23-backend-pgsql-debuginfo-2.3.11.3-4.35.1
   dovecot23-backend-sqlite-2.3.11.3-4.35.1
   dovecot23-backend-sqlite-debuginfo-2.3.11.3-4.35.1
   dovecot23-debuginfo-2.3.11.3-4.35.1
   dovecot23-debugsource-2.3.11.3-4.35.1
   dovecot23-devel-2.3.11.3-4.35.1
   dovecot23-fts-2.3.11.3-4.35.1
   dovecot23-fts-debuginfo-2.3.11.3-4.35.1
   dovecot23-fts-lucene-2.3.11.3-4.35.1
   dovecot23-fts-lucene-debuginfo-2.3.11.3-4.35.1
   dovecot23-fts-solr-2.3.11.3-4.35.1
   dovecot23-fts-solr-debuginfo-2.3.11.3-4.35.1
   dovecot23-fts-squat-2.3.11.3-4.35.1
   dovecot23-fts-squat-debuginfo-2.3.11.3-4.35.1
- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
   dovecot23-2.3.11.3-4.35.1
   dovecot23-backend-mysql-2.3.11.3-4.35.1
   dovecot23-backend-mysql-debuginfo-2.3.11.3-4.35.1
   dovecot23-backend-pgsql-2.3.11.3-4.35.1
   dovecot23-backend-pgsql-debuginfo-2.3.11.3-4.35.1
   dovecot23-backend-sqlite-2.3.11.3-4.35.1
   dovecot23-backend-sqlite-debuginfo-2.3.11.3-4.35.1
   dovecot23-debuginfo-2.3.11.3-4.35.1
   dovecot23-debugsource-2.3.11.3-4.35.1
   dovecot23-devel-2.3.11.3-4.35.1
   dovecot23-fts-2.3.11.3-4.35.1
   dovecot23-fts-debuginfo-2.3.11.3-4.35.1
   dovecot23-fts-lucene-2.3.11.3-4.35.1
   dovecot23-fts-lucene-debuginfo-2.3.11.3-4.35.1
   dovecot23-fts-solr-2.3.11.3-4.35.1
   dovecot23-fts-solr-debuginfo-2.3.11.3-4.35.1
   dovecot23-fts-squat-2.3.11.3-4.35.1
   dovecot23-fts-squat-debuginfo-2.3.11.3-4.35.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
   dovecot23-2.3.11.3-4.35.1
   dovecot23-backend-mysql-2.3.11.3-4.35.1
   dovecot23-backend-mysql-debuginfo-2.3.11.3-4.35.1
   dovecot23-backend-pgsql-2.3.11.3-4.35.1
   dovecot23-backend-pgsql-debuginfo-2.3.11.3-4.35.1
   dovecot23-backend-sqlite-2.3.11.3-4.35.1
   dovecot23-backend-sqlite-debuginfo-2.3.11.3-4.35.1
   dovecot23-debuginfo-2.3.11.3-4.35.1
   dovecot23-debugsource-2.3.11.3-4.35.1
   dovecot23-devel-2.3.11.3-4.35.1
   dovecot23-fts-2.3.11.3-4.35.1
   dovecot23-fts-debuginfo-2.3.11.3-4.35.1
   dovecot23-fts-lucene-2.3.11.3-4.35.1
   dovecot23-fts-lucene-debuginfo-2.3.11.3-4.35.1
   dovecot23-fts-solr-2.3.11.3-4.35.1
   dovecot23-fts-solr-debuginfo-2.3.11.3-4.35.1
   dovecot23-fts-squat-2.3.11.3-4.35.1
   dovecot23-fts-squat-debuginfo-2.3.11.3-4.35.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
   dovecot23-2.3.11.3-4.35.1
   dovecot23-backend-mysql-2.3.11.3-4.35.1
   dovecot23-backend-mysql-debuginfo-2.3.11.3-4.35.1
   dovecot23-backend-pgsql-2.3.11.3-4.35.1
   dovecot23-backend-pgsql-debuginfo-2.3.11.3-4.35.1
   dovecot23-backend-sqlite-2.3.11.3-4.35.1
   dovecot23-backend-sqlite-debuginfo-2.3.11.3-4.35.1
   dovecot23-debuginfo-2.3.11.3-4.35.1
   dovecot23-debugsource-2.3.11.3-4.35.1
   dovecot23-devel-2.3.11.3-4.35.1
   dovecot23-fts-2.3.11.3-4.35.1
   dovecot23-fts-debuginfo-2.3.11.3-4.35.1
   dovecot23-fts-lucene-2.3.11.3-4.35.1
   dovecot23-fts-lucene-debuginfo-2.3.11.3-4.35.1
   dovecot23-fts-solr-2.3.11.3-4.35.1
   dovecot23-fts-solr-debuginfo-2.3.11.3-4.35.1
   dovecot23-fts-squat-2.3.11.3-4.35.1
   dovecot23-fts-squat-debuginfo-2.3.11.3-4.35.1

References:

https://www.suse.com/security/cve/CVE-2021-29157.html
https://www.suse.com/security/cve/CVE-2021-33515.html
https://bugzilla.suse.com/1187418
https://bugzilla.suse.com/1187419

From sle-security-updates at lists.suse.com Tue Jun 22 16:24:53 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 22 Jun 2021 18:24:53 +0200 (CEST)
Subject: SUSE-SU-2021:14757-1: important: Security update for OpenEXR
Message-ID: <20210622162453.0592AFD07@maintenance.suse.de>

SUSE Security Update: Security update for OpenEXR
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:14757-1
Rating: important
References: #1184354 #1187395
Cross-References: CVE-2021-3479 CVE-2021-3605
CVSS scores:
   CVE-2021-3479 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
   CVE-2021-3479 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE-2021-3605 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
   SUSE Linux Enterprise Server 11-SP4-LTSS
   SUSE Linux Enterprise Point of Sale 11-SP3
   SUSE Linux Enterprise Debuginfo 11-SP4
   SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for OpenEXR fixes the following issues:

- Fixed CVE-2021-3479 [bsc#1184354]: Out-of-memory caused by allocation of a very large buffer
- Fixed CVE-2021-3605 [bsc#1187395]: Heap buffer overflow in the rleUncompress function

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
   zypper in -t patch slessp4-OpenEXR-14757=1
- SUSE Linux Enterprise Point of Sale 11-SP3:
   zypper in -t patch sleposp3-OpenEXR-14757=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
   zypper in -t patch dbgsp4-OpenEXR-14757=1
- SUSE Linux Enterprise Debuginfo 11-SP3:
   zypper in -t patch dbgsp3-OpenEXR-14757=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
   OpenEXR-1.6.1-83.17.25.1
- SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64):
   OpenEXR-32bit-1.6.1-83.17.25.1
- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
   OpenEXR-1.6.1-83.17.25.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
   OpenEXR-debuginfo-1.6.1-83.17.25.1
   OpenEXR-debugsource-1.6.1-83.17.25.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):
   OpenEXR-debuginfo-32bit-1.6.1-83.17.25.1
- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
   OpenEXR-debuginfo-1.6.1-83.17.25.1
   OpenEXR-debugsource-1.6.1-83.17.25.1
- SUSE Linux Enterprise Debuginfo 11-SP3 (s390x x86_64):
   OpenEXR-debuginfo-32bit-1.6.1-83.17.25.1

References:

https://www.suse.com/security/cve/CVE-2021-3479.html
https://www.suse.com/security/cve/CVE-2021-3605.html
https://bugzilla.suse.com/1184354
https://bugzilla.suse.com/1187395

From sle-security-updates at lists.suse.com Tue Jun 22 16:26:11 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 22 Jun 2021 18:26:11 +0200 (CEST)
Subject: SUSE-SU-2021:2117-1: important: Security update for ovmf
Message-ID: <20210622162611.B0EA3FD07@maintenance.suse.de>

SUSE Security Update: Security update for ovmf
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2117-1
Rating: important
References: #1177789 #1183578 #1183579 #1186151
Cross-References: CVE-2019-14584 CVE-2021-28210 CVE-2021-28211
CVSS scores:
   CVE-2019-14584
   (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
   CVE-2019-14584 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
   CVE-2021-28210 (SUSE): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
   CVE-2021-28211 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Affected Products:
   SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

An update that solves three vulnerabilities and has one errata is now available.

Description:

This update for ovmf fixes the following issues:

- Fixed a possible buffer overflow in IScsiDxe (bsc#1186151)
- CVE-2021-28211: ovmf: edk2: possible heap corruption with LzmaUefiDecompressGetInfo (bsc#1183578)
- CVE-2021-28210: ovmf: unlimited FV recursion, round 2 (bsc#1183579)
- CVE-2019-14584: ovmf,shim: NULL pointer dereference in AuthenticodeVerify() (bsc#1177789)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-2117=1 Package List: - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): ovmf-2015+git1462940744.321151f-19.23.1 ovmf-tools-2015+git1462940744.321151f-19.23.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): qemu-ovmf-x86_64-2015+git1462940744.321151f-19.23.1 References: https://www.suse.com/security/cve/CVE-2019-14584.html https://www.suse.com/security/cve/CVE-2021-28210.html https://www.suse.com/security/cve/CVE-2021-28211.html https://bugzilla.suse.com/1177789 https://bugzilla.suse.com/1183578 https://bugzilla.suse.com/1183579 https://bugzilla.suse.com/1186151 From sle-security-updates at lists.suse.com Tue Jun 22 16:27:41 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 22 Jun 2021 18:27:41 +0200 (CEST) Subject: SUSE-SU-2021:2119-1: important: Security update for ovmf Message-ID: <20210622162741.59F12FD07@maintenance.suse.de> SUSE Security Update: Security update for ovmf ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2119-1 Rating: important References: #1186151 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for ovmf fixes the following issues: - Fixed a possible buffer overflow in IScsiDxe (bsc#1186151) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-2119=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2021-2119=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-2119=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-2119=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-2119=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2021-2119=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (noarch):
  qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-4.44.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  ovmf-2017+git1492060560.b6d11d7c46-4.44.1
  ovmf-tools-2017+git1492060560.b6d11d7c46-4.44.1
- SUSE OpenStack Cloud 8 (noarch):
  qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-4.44.1
- SUSE OpenStack Cloud 8 (x86_64):
  ovmf-2017+git1492060560.b6d11d7c46-4.44.1
  ovmf-tools-2017+git1492060560.b6d11d7c46-4.44.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):
  ovmf-2017+git1492060560.b6d11d7c46-4.44.1
  ovmf-tools-2017+git1492060560.b6d11d7c46-4.44.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
  qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-4.44.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 x86_64):
  ovmf-2017+git1492060560.b6d11d7c46-4.44.1
  ovmf-tools-2017+git1492060560.b6d11d7c46-4.44.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
  qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-4.44.1
  qemu-uefi-aarch64-2017+git1492060560.b6d11d7c46-4.44.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
  ovmf-2017+git1492060560.b6d11d7c46-4.44.1
  ovmf-tools-2017+git1492060560.b6d11d7c46-4.44.1
- SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
  qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-4.44.1
- HPE Helion Openstack 8 (noarch):
  qemu-ovmf-x86_64-2017+git1492060560.b6d11d7c46-4.44.1
- HPE Helion Openstack 8 (x86_64):
  ovmf-2017+git1492060560.b6d11d7c46-4.44.1
  ovmf-tools-2017+git1492060560.b6d11d7c46-4.44.1

References:

https://bugzilla.suse.com/1186151

From sle-security-updates at lists.suse.com Tue Jun 22 16:28:56 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 22 Jun 2021 18:28:56 +0200 (CEST)
Subject: SUSE-SU-2021:2123-1: important: Security update for dovecot23
Message-ID: <20210622162856.8160BFD07@maintenance.suse.de>

SUSE Security Update: Security update for dovecot23
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2123-1
Rating: important
References: #1187418 #1187419
Cross-References: CVE-2021-29157 CVE-2021-33515
CVSS scores:
    CVE-2021-29157 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
    CVE-2021-33515 (SUSE): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected Products:
    SUSE Linux Enterprise Module for Server Applications 15-SP3
    SUSE Linux Enterprise Module for Server Applications 15-SP2
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for dovecot23 fixes the following issues:

- CVE-2021-29157: Local attacker can login as any user and access their emails (bsc#1187418)
- CVE-2021-33515: Attacker can potentially steal user credentials and mails (bsc#1187419)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-2123=1
- SUSE Linux Enterprise Module for Server Applications 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-2123=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
  dovecot23-2.3.11.3-55.1
  dovecot23-backend-mysql-2.3.11.3-55.1
  dovecot23-backend-mysql-debuginfo-2.3.11.3-55.1
  dovecot23-backend-pgsql-2.3.11.3-55.1
  dovecot23-backend-pgsql-debuginfo-2.3.11.3-55.1
  dovecot23-backend-sqlite-2.3.11.3-55.1
  dovecot23-backend-sqlite-debuginfo-2.3.11.3-55.1
  dovecot23-debuginfo-2.3.11.3-55.1
  dovecot23-debugsource-2.3.11.3-55.1
  dovecot23-devel-2.3.11.3-55.1
  dovecot23-fts-2.3.11.3-55.1
  dovecot23-fts-debuginfo-2.3.11.3-55.1
  dovecot23-fts-lucene-2.3.11.3-55.1
  dovecot23-fts-lucene-debuginfo-2.3.11.3-55.1
  dovecot23-fts-solr-2.3.11.3-55.1
  dovecot23-fts-solr-debuginfo-2.3.11.3-55.1
  dovecot23-fts-squat-2.3.11.3-55.1
  dovecot23-fts-squat-debuginfo-2.3.11.3-55.1
- SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
  dovecot23-2.3.11.3-55.1
  dovecot23-backend-mysql-2.3.11.3-55.1
  dovecot23-backend-mysql-debuginfo-2.3.11.3-55.1
  dovecot23-backend-pgsql-2.3.11.3-55.1
  dovecot23-backend-pgsql-debuginfo-2.3.11.3-55.1
  dovecot23-backend-sqlite-2.3.11.3-55.1
  dovecot23-backend-sqlite-debuginfo-2.3.11.3-55.1
  dovecot23-debuginfo-2.3.11.3-55.1
  dovecot23-debugsource-2.3.11.3-55.1
  dovecot23-devel-2.3.11.3-55.1
  dovecot23-fts-2.3.11.3-55.1
  dovecot23-fts-debuginfo-2.3.11.3-55.1
  dovecot23-fts-lucene-2.3.11.3-55.1
  dovecot23-fts-lucene-debuginfo-2.3.11.3-55.1
  dovecot23-fts-solr-2.3.11.3-55.1
  dovecot23-fts-solr-debuginfo-2.3.11.3-55.1
  dovecot23-fts-squat-2.3.11.3-55.1
  dovecot23-fts-squat-debuginfo-2.3.11.3-55.1

References:

https://www.suse.com/security/cve/CVE-2021-29157.html
https://www.suse.com/security/cve/CVE-2021-33515.html
https://bugzilla.suse.com/1187418
https://bugzilla.suse.com/1187419

From sle-security-updates at lists.suse.com Tue Jun 22 16:30:20 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 22 Jun 2021 18:30:20 +0200 (CEST)
Subject: SUSE-SU-2021:2124-1: important: Security update for dovecot23
Message-ID: <20210622163020.689D0FD07@maintenance.suse.de>

SUSE Security Update: Security update for dovecot23
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2124-1
Rating: important
References: #1187418 #1187419
Cross-References: CVE-2021-29157 CVE-2021-33515
CVSS scores:
    CVE-2021-29157 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
    CVE-2021-33515 (SUSE): 4.2 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected Products:
    SUSE Manager Server 4.0
    SUSE Manager Retail Branch Server 4.0
    SUSE Manager Proxy 4.0
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server 15-SP1-LTSS
    SUSE Linux Enterprise Server 15-SP1-BCL
    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
    SUSE Enterprise Storage 6
    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for dovecot23 fixes the following issues:

- CVE-2021-29157: Local attacker can login as any user and access their emails (bsc#1187418)
- CVE-2021-33515: Attacker can potentially steal user credentials and mails (bsc#1187419)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-2124=1
- SUSE Manager Retail Branch Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-2124=1
- SUSE Manager Proxy 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-2124=1
- SUSE Linux Enterprise Server for SAP 15-SP1:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-2124=1
- SUSE Linux Enterprise Server 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-2124=1
- SUSE Linux Enterprise Server 15-SP1-BCL:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-2124=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-2124=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-2124=1
- SUSE Enterprise Storage 6:
  zypper in -t patch SUSE-Storage-6-2021-2124=1
- SUSE CaaS Platform 4.0:
  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

- SUSE Manager Server 4.0 (ppc64le s390x x86_64):
  dovecot23-2.3.11.3-24.1
  dovecot23-backend-mysql-2.3.11.3-24.1
  dovecot23-backend-mysql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-pgsql-2.3.11.3-24.1
  dovecot23-backend-pgsql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-sqlite-2.3.11.3-24.1
  dovecot23-backend-sqlite-debuginfo-2.3.11.3-24.1
  dovecot23-debuginfo-2.3.11.3-24.1
  dovecot23-debugsource-2.3.11.3-24.1
  dovecot23-devel-2.3.11.3-24.1
  dovecot23-fts-2.3.11.3-24.1
  dovecot23-fts-debuginfo-2.3.11.3-24.1
  dovecot23-fts-lucene-2.3.11.3-24.1
  dovecot23-fts-lucene-debuginfo-2.3.11.3-24.1
  dovecot23-fts-solr-2.3.11.3-24.1
  dovecot23-fts-solr-debuginfo-2.3.11.3-24.1
  dovecot23-fts-squat-2.3.11.3-24.1
  dovecot23-fts-squat-debuginfo-2.3.11.3-24.1
- SUSE Manager Retail Branch Server 4.0 (x86_64):
  dovecot23-2.3.11.3-24.1
  dovecot23-backend-mysql-2.3.11.3-24.1
  dovecot23-backend-mysql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-pgsql-2.3.11.3-24.1
  dovecot23-backend-pgsql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-sqlite-2.3.11.3-24.1
  dovecot23-backend-sqlite-debuginfo-2.3.11.3-24.1
  dovecot23-debuginfo-2.3.11.3-24.1
  dovecot23-debugsource-2.3.11.3-24.1
  dovecot23-devel-2.3.11.3-24.1
  dovecot23-fts-2.3.11.3-24.1
  dovecot23-fts-debuginfo-2.3.11.3-24.1
  dovecot23-fts-lucene-2.3.11.3-24.1
  dovecot23-fts-lucene-debuginfo-2.3.11.3-24.1
  dovecot23-fts-solr-2.3.11.3-24.1
  dovecot23-fts-solr-debuginfo-2.3.11.3-24.1
  dovecot23-fts-squat-2.3.11.3-24.1
  dovecot23-fts-squat-debuginfo-2.3.11.3-24.1
- SUSE Manager Proxy 4.0 (x86_64):
  dovecot23-2.3.11.3-24.1
  dovecot23-backend-mysql-2.3.11.3-24.1
  dovecot23-backend-mysql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-pgsql-2.3.11.3-24.1
  dovecot23-backend-pgsql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-sqlite-2.3.11.3-24.1
  dovecot23-backend-sqlite-debuginfo-2.3.11.3-24.1
  dovecot23-debuginfo-2.3.11.3-24.1
  dovecot23-debugsource-2.3.11.3-24.1
  dovecot23-devel-2.3.11.3-24.1
  dovecot23-fts-2.3.11.3-24.1
  dovecot23-fts-debuginfo-2.3.11.3-24.1
  dovecot23-fts-lucene-2.3.11.3-24.1
  dovecot23-fts-lucene-debuginfo-2.3.11.3-24.1
  dovecot23-fts-solr-2.3.11.3-24.1
  dovecot23-fts-solr-debuginfo-2.3.11.3-24.1
  dovecot23-fts-squat-2.3.11.3-24.1
  dovecot23-fts-squat-debuginfo-2.3.11.3-24.1
- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
  dovecot23-2.3.11.3-24.1
  dovecot23-backend-mysql-2.3.11.3-24.1
  dovecot23-backend-mysql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-pgsql-2.3.11.3-24.1
  dovecot23-backend-pgsql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-sqlite-2.3.11.3-24.1
  dovecot23-backend-sqlite-debuginfo-2.3.11.3-24.1
  dovecot23-debuginfo-2.3.11.3-24.1
  dovecot23-debugsource-2.3.11.3-24.1
  dovecot23-devel-2.3.11.3-24.1
  dovecot23-fts-2.3.11.3-24.1
  dovecot23-fts-debuginfo-2.3.11.3-24.1
  dovecot23-fts-lucene-2.3.11.3-24.1
  dovecot23-fts-lucene-debuginfo-2.3.11.3-24.1
  dovecot23-fts-solr-2.3.11.3-24.1
  dovecot23-fts-solr-debuginfo-2.3.11.3-24.1
  dovecot23-fts-squat-2.3.11.3-24.1
  dovecot23-fts-squat-debuginfo-2.3.11.3-24.1
- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
  dovecot23-2.3.11.3-24.1
  dovecot23-backend-mysql-2.3.11.3-24.1
  dovecot23-backend-mysql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-pgsql-2.3.11.3-24.1
  dovecot23-backend-pgsql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-sqlite-2.3.11.3-24.1
  dovecot23-backend-sqlite-debuginfo-2.3.11.3-24.1
  dovecot23-debuginfo-2.3.11.3-24.1
  dovecot23-debugsource-2.3.11.3-24.1
  dovecot23-devel-2.3.11.3-24.1
  dovecot23-fts-2.3.11.3-24.1
  dovecot23-fts-debuginfo-2.3.11.3-24.1
  dovecot23-fts-lucene-2.3.11.3-24.1
  dovecot23-fts-lucene-debuginfo-2.3.11.3-24.1
  dovecot23-fts-solr-2.3.11.3-24.1
  dovecot23-fts-solr-debuginfo-2.3.11.3-24.1
  dovecot23-fts-squat-2.3.11.3-24.1
  dovecot23-fts-squat-debuginfo-2.3.11.3-24.1
- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
  dovecot23-2.3.11.3-24.1
  dovecot23-backend-mysql-2.3.11.3-24.1
  dovecot23-backend-mysql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-pgsql-2.3.11.3-24.1
  dovecot23-backend-pgsql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-sqlite-2.3.11.3-24.1
  dovecot23-backend-sqlite-debuginfo-2.3.11.3-24.1
  dovecot23-debuginfo-2.3.11.3-24.1
  dovecot23-debugsource-2.3.11.3-24.1
  dovecot23-devel-2.3.11.3-24.1
  dovecot23-fts-2.3.11.3-24.1
  dovecot23-fts-debuginfo-2.3.11.3-24.1
  dovecot23-fts-lucene-2.3.11.3-24.1
  dovecot23-fts-lucene-debuginfo-2.3.11.3-24.1
  dovecot23-fts-solr-2.3.11.3-24.1
  dovecot23-fts-solr-debuginfo-2.3.11.3-24.1
  dovecot23-fts-squat-2.3.11.3-24.1
  dovecot23-fts-squat-debuginfo-2.3.11.3-24.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
  dovecot23-2.3.11.3-24.1
  dovecot23-backend-mysql-2.3.11.3-24.1
  dovecot23-backend-mysql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-pgsql-2.3.11.3-24.1
  dovecot23-backend-pgsql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-sqlite-2.3.11.3-24.1
  dovecot23-backend-sqlite-debuginfo-2.3.11.3-24.1
  dovecot23-debuginfo-2.3.11.3-24.1
  dovecot23-debugsource-2.3.11.3-24.1
  dovecot23-devel-2.3.11.3-24.1
  dovecot23-fts-2.3.11.3-24.1
  dovecot23-fts-debuginfo-2.3.11.3-24.1
  dovecot23-fts-lucene-2.3.11.3-24.1
  dovecot23-fts-lucene-debuginfo-2.3.11.3-24.1
  dovecot23-fts-solr-2.3.11.3-24.1
  dovecot23-fts-solr-debuginfo-2.3.11.3-24.1
  dovecot23-fts-squat-2.3.11.3-24.1
  dovecot23-fts-squat-debuginfo-2.3.11.3-24.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
  dovecot23-2.3.11.3-24.1
  dovecot23-backend-mysql-2.3.11.3-24.1
  dovecot23-backend-mysql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-pgsql-2.3.11.3-24.1
  dovecot23-backend-pgsql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-sqlite-2.3.11.3-24.1
  dovecot23-backend-sqlite-debuginfo-2.3.11.3-24.1
  dovecot23-debuginfo-2.3.11.3-24.1
  dovecot23-debugsource-2.3.11.3-24.1
  dovecot23-devel-2.3.11.3-24.1
  dovecot23-fts-2.3.11.3-24.1
  dovecot23-fts-debuginfo-2.3.11.3-24.1
  dovecot23-fts-lucene-2.3.11.3-24.1
  dovecot23-fts-lucene-debuginfo-2.3.11.3-24.1
  dovecot23-fts-solr-2.3.11.3-24.1
  dovecot23-fts-solr-debuginfo-2.3.11.3-24.1
  dovecot23-fts-squat-2.3.11.3-24.1
  dovecot23-fts-squat-debuginfo-2.3.11.3-24.1
- SUSE Enterprise Storage 6 (aarch64 x86_64):
  dovecot23-2.3.11.3-24.1
  dovecot23-backend-mysql-2.3.11.3-24.1
  dovecot23-backend-mysql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-pgsql-2.3.11.3-24.1
  dovecot23-backend-pgsql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-sqlite-2.3.11.3-24.1
  dovecot23-backend-sqlite-debuginfo-2.3.11.3-24.1
  dovecot23-debuginfo-2.3.11.3-24.1
  dovecot23-debugsource-2.3.11.3-24.1
  dovecot23-devel-2.3.11.3-24.1
  dovecot23-fts-2.3.11.3-24.1
  dovecot23-fts-debuginfo-2.3.11.3-24.1
  dovecot23-fts-lucene-2.3.11.3-24.1
  dovecot23-fts-lucene-debuginfo-2.3.11.3-24.1
  dovecot23-fts-solr-2.3.11.3-24.1
  dovecot23-fts-solr-debuginfo-2.3.11.3-24.1
  dovecot23-fts-squat-2.3.11.3-24.1
  dovecot23-fts-squat-debuginfo-2.3.11.3-24.1
- SUSE CaaS Platform 4.0 (x86_64):
  dovecot23-2.3.11.3-24.1
  dovecot23-backend-mysql-2.3.11.3-24.1
  dovecot23-backend-mysql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-pgsql-2.3.11.3-24.1
  dovecot23-backend-pgsql-debuginfo-2.3.11.3-24.1
  dovecot23-backend-sqlite-2.3.11.3-24.1
  dovecot23-backend-sqlite-debuginfo-2.3.11.3-24.1
  dovecot23-debuginfo-2.3.11.3-24.1
  dovecot23-debugsource-2.3.11.3-24.1
  dovecot23-devel-2.3.11.3-24.1
  dovecot23-fts-2.3.11.3-24.1
  dovecot23-fts-debuginfo-2.3.11.3-24.1
  dovecot23-fts-lucene-2.3.11.3-24.1
  dovecot23-fts-lucene-debuginfo-2.3.11.3-24.1
  dovecot23-fts-solr-2.3.11.3-24.1
  dovecot23-fts-solr-debuginfo-2.3.11.3-24.1
  dovecot23-fts-squat-2.3.11.3-24.1
  dovecot23-fts-squat-debuginfo-2.3.11.3-24.1

References:

https://www.suse.com/security/cve/CVE-2021-29157.html
https://www.suse.com/security/cve/CVE-2021-33515.html
https://bugzilla.suse.com/1187418
https://bugzilla.suse.com/1187419

From sle-security-updates at lists.suse.com Tue Jun 22 19:18:25 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 22 Jun 2021 21:18:25 +0200 (CEST)
Subject: SUSE-SU-2021:2127-1: important: Security update for apache2
Message-ID: <20210622191825.B120AFD07@maintenance.suse.de>

SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2127-1
Rating: important
References: #1186922 #1186923 #1186924 #1187017 #1187040 #1187174
Cross-References: CVE-2020-13950 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641 CVE-2021-31618
CVSS scores:
    CVE-2020-13950 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2020-13950 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE-2020-35452 (NVD) : 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    CVE-2020-35452 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE-2021-26690 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-26690 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE-2021-26691 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-30641 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    CVE-2021-30641 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
    CVE-2021-31618 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
    SUSE Linux Enterprise Module for Server Applications 15-SP3
    SUSE Linux Enterprise Module for Server Applications 15-SP2
    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
    SUSE Linux Enterprise Module for Basesystem 15-SP3
    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that fixes 6 vulnerabilities is now available.

Description:

This update for apache2 fixes the following issues:

- fixed CVE-2021-30641 [bsc#1187174]: MergeSlashes regression
- fixed CVE-2021-31618 [bsc#1186924]: NULL pointer dereference on specially crafted HTTP/2 request
- fixed CVE-2020-13950 [bsc#1187040]: mod_proxy NULL pointer dereference
- fixed CVE-2020-35452 [bsc#1186922]: Single zero byte stack overflow in mod_auth_digest
- fixed CVE-2021-26690 [bsc#1186923]: mod_session NULL pointer dereference in parser
- fixed CVE-2021-26691 [bsc#1187017]: Heap overflow in mod_session

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-2127=1
- SUSE Linux Enterprise Module for Server Applications 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-2127=1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-2127=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-2127=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-2127=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
  apache2-debuginfo-2.4.43-3.22.1
  apache2-debugsource-2.4.43-3.22.1
  apache2-devel-2.4.43-3.22.1
  apache2-worker-2.4.43-3.22.1
  apache2-worker-debuginfo-2.4.43-3.22.1
- SUSE Linux Enterprise Module for Server Applications 15-SP3 (noarch):
  apache2-doc-2.4.43-3.22.1
- SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
  apache2-debuginfo-2.4.43-3.22.1
  apache2-debugsource-2.4.43-3.22.1
  apache2-devel-2.4.43-3.22.1
  apache2-worker-2.4.43-3.22.1
  apache2-worker-debuginfo-2.4.43-3.22.1
- SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch):
  apache2-doc-2.4.43-3.22.1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x x86_64):
  apache2-debuginfo-2.4.43-3.22.1
  apache2-debugsource-2.4.43-3.22.1
  apache2-event-2.4.43-3.22.1
  apache2-event-debuginfo-2.4.43-3.22.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
  apache2-2.4.43-3.22.1
  apache2-debuginfo-2.4.43-3.22.1
  apache2-debugsource-2.4.43-3.22.1
  apache2-prefork-2.4.43-3.22.1
  apache2-prefork-debuginfo-2.4.43-3.22.1
  apache2-utils-2.4.43-3.22.1
  apache2-utils-debuginfo-2.4.43-3.22.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  apache2-2.4.43-3.22.1
  apache2-debuginfo-2.4.43-3.22.1
  apache2-debugsource-2.4.43-3.22.1
  apache2-prefork-2.4.43-3.22.1
  apache2-prefork-debuginfo-2.4.43-3.22.1
  apache2-utils-2.4.43-3.22.1
  apache2-utils-debuginfo-2.4.43-3.22.1

References:

https://www.suse.com/security/cve/CVE-2020-13950.html
https://www.suse.com/security/cve/CVE-2020-35452.html
https://www.suse.com/security/cve/CVE-2021-26690.html
https://www.suse.com/security/cve/CVE-2021-26691.html
https://www.suse.com/security/cve/CVE-2021-30641.html
https://www.suse.com/security/cve/CVE-2021-31618.html
https://bugzilla.suse.com/1186922
https://bugzilla.suse.com/1186923
https://bugzilla.suse.com/1186924
https://bugzilla.suse.com/1187017
https://bugzilla.suse.com/1187040
https://bugzilla.suse.com/1187174

From sle-security-updates at lists.suse.com Wed Jun 23 16:17:25 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 23 Jun 2021 18:17:25 +0200 (CEST)
Subject: SUSE-SU-2021:2137-1: important: Security update for cryptctl
Message-ID: <20210623161725.AFFB0F78F@maintenance.suse.de>

SUSE Security Update: Security update for cryptctl
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2137-1
Rating: important
References: #1186226
Cross-References: CVE-2019-18906
Affected Products:
    SUSE Linux Enterprise Server for SAP 12-SP5
    SUSE Linux Enterprise Server for SAP 12-SP4
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for cryptctl fixes the following issues:

Update to version 2.4:

- CVE-2019-18906: Client side password hashing was equivalent to clear text password storage (bsc#1186226)
- First step to use plain text password instead of hashed password.
- Move repository into the SUSE github organization
- in RPC server, if client comes from localhost, remember its ipv4 localhost address instead of ipv6 address
- tell a record to clear expired pending commands upon saving a command result; introduce pending commands RPC test case
- avoid hard coding 127.0.0.1 in host ID of alive message test; let system administrator mount and unmount disks by issuing these two commands on key server.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 12-SP5:
  zypper in -t patch SUSE-SLE-SAP-12-SP5-2021-2137=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-2137=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-2137=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-2137=1

Package List:

- SUSE Linux Enterprise Server for SAP 12-SP5 (ppc64le x86_64):
  cryptctl-2.4-2.10.1
  cryptctl-debuginfo-2.4-2.10.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
  cryptctl-2.4-2.10.1
  cryptctl-debuginfo-2.4-2.10.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
  cryptctl-2.4-2.10.1
  cryptctl-debuginfo-2.4-2.10.1
- SUSE Linux Enterprise Server 12-SP5 (ppc64le x86_64):
  cryptctl-2.4-2.10.1
  cryptctl-debuginfo-2.4-2.10.1

References:

https://www.suse.com/security/cve/CVE-2019-18906.html
https://bugzilla.suse.com/1186226

From sle-security-updates at lists.suse.com Wed Jun 23 16:19:41 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 23 Jun 2021 18:19:41 +0200 (CEST)
Subject: SUSE-SU-2021:2136-1: important: Security update for cryptctl
Message-ID: <20210623161942.00504F78F@maintenance.suse.de>

SUSE Security Update: Security update for cryptctl
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2136-1
Rating: important
References: #1186226
Cross-References: CVE-2019-18906
Affected Products:
    SUSE Manager Server 4.0
    SUSE Manager Retail Branch Server 4.0
    SUSE Manager Proxy 4.0
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server 15-SP1-LTSS
    SUSE Linux Enterprise Server 15-SP1-BCL
    SUSE Linux Enterprise Module for SAP Applications 15-SP1
    SUSE Linux Enterprise Module for SAP Applications 15
    SUSE Linux Enterprise Module for Basesystem 15-SP3
    SUSE Linux Enterprise Module for Basesystem 15-SP2
    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
    SUSE Enterprise Storage 6
    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for cryptctl fixes the following issues:

Update to version 2.4:

- CVE-2019-18906: Client side password hashing was equivalent to clear text password storage (bsc#1186226)
- First step to use plain text password instead of hashed password.
- Move repository into the SUSE github organization
- in RPC server, if client comes from localhost, remember its ipv4 localhost address instead of ipv6 address
- tell a record to clear expired pending commands upon saving a command result; introduce pending commands RPC test case
- avoid hard coding 127.0.0.1 in host ID of alive message test; let system administrator mount and unmount disks by issuing these two commands on key server.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-2136=1
- SUSE Manager Retail Branch Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-2136=1
- SUSE Manager Proxy 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-2136=1
- SUSE Linux Enterprise Server for SAP 15-SP1:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-2136=1
- SUSE Linux Enterprise Server 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-2136=1
- SUSE Linux Enterprise Server 15-SP1-BCL:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-2136=1
- SUSE Linux Enterprise Module for SAP Applications 15-SP1:
  zypper in -t patch SUSE-SLE-Module-SAP-Applications-15-SP1-2021-2136=1
- SUSE Linux Enterprise Module for SAP Applications 15:
  zypper in -t patch SUSE-SLE-Module-SAP-Applications-15-2021-2136=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-2136=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-2136=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-2136=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-2136=1
- SUSE Enterprise Storage 6:
  zypper in -t patch SUSE-Storage-6-2021-2136=1
- SUSE CaaS Platform 4.0:
  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

- SUSE Manager Server 4.0 (ppc64le x86_64):
  cryptctl-2.4-4.5.1
  cryptctl-debuginfo-2.4-4.5.1
- SUSE Manager Retail Branch Server 4.0 (x86_64):
  cryptctl-2.4-4.5.1
  cryptctl-debuginfo-2.4-4.5.1
- SUSE Manager Proxy 4.0 (x86_64):
  cryptctl-2.4-4.5.1
  cryptctl-debuginfo-2.4-4.5.1
- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
  cryptctl-2.4-4.5.1
  cryptctl-debuginfo-2.4-4.5.1
- SUSE Linux Enterprise Server 15-SP1-LTSS (ppc64le x86_64):
  cryptctl-2.4-4.5.1
  cryptctl-debuginfo-2.4-4.5.1
- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
  cryptctl-2.4-4.5.1
  cryptctl-debuginfo-2.4-4.5.1
- SUSE Linux Enterprise Module for SAP Applications 15-SP1 (ppc64le x86_64):
  cryptctl-2.4-4.5.1
  cryptctl-debuginfo-2.4-4.5.1
- SUSE Linux Enterprise Module for SAP Applications 15 (ppc64le x86_64):
  cryptctl-2.4-4.5.1
  cryptctl-debuginfo-2.4-4.5.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (ppc64le x86_64):
  cryptctl-2.4-4.5.1
  cryptctl-debuginfo-2.4-4.5.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (ppc64le x86_64):
  cryptctl-2.4-4.5.1
  cryptctl-debuginfo-2.4-4.5.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):
  cryptctl-2.4-4.5.1
  cryptctl-debuginfo-2.4-4.5.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):
  cryptctl-2.4-4.5.1
  cryptctl-debuginfo-2.4-4.5.1
- SUSE Enterprise Storage 6 (x86_64):
  cryptctl-2.4-4.5.1
  cryptctl-debuginfo-2.4-4.5.1
- SUSE CaaS Platform 4.0 (x86_64):
  cryptctl-2.4-4.5.1
  cryptctl-debuginfo-2.4-4.5.1

References:

https://www.suse.com/security/cve/CVE-2019-18906.html
https://bugzilla.suse.com/1186226

From sle-security-updates at lists.suse.com Wed Jun 23 16:23:07 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 23 Jun 2021 18:23:07 +0200 (CEST)
Subject: SUSE-SU-2021:2135-1: important: Security update for libnettle
Message-ID: <20210623162307.35D2DF78F@maintenance.suse.de>

SUSE Security Update: Security update for libnettle
______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2135-1 Rating: important References: #1187060 Cross-References: CVE-2021-3580 CVSS scores: CVE-2021-3580 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libnettle fixes the following issues: - CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-2135=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-2135=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-2135=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-2135=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-2135=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-2135=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-2135=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-2135=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-2135=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-2135=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-2135=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-2135=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-2135=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): libhogweed2-2.7.1-13.6.1 libhogweed2-32bit-2.7.1-13.6.1 libhogweed2-debuginfo-2.7.1-13.6.1 libhogweed2-debuginfo-32bit-2.7.1-13.6.1 libnettle-debugsource-2.7.1-13.6.1 libnettle4-2.7.1-13.6.1 libnettle4-32bit-2.7.1-13.6.1 libnettle4-debuginfo-2.7.1-13.6.1 libnettle4-debuginfo-32bit-2.7.1-13.6.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): libhogweed2-2.7.1-13.6.1 libhogweed2-32bit-2.7.1-13.6.1 libhogweed2-debuginfo-2.7.1-13.6.1 libhogweed2-debuginfo-32bit-2.7.1-13.6.1 libnettle-debugsource-2.7.1-13.6.1 libnettle4-2.7.1-13.6.1 libnettle4-32bit-2.7.1-13.6.1 libnettle4-debuginfo-2.7.1-13.6.1 libnettle4-debuginfo-32bit-2.7.1-13.6.1 - SUSE 
OpenStack Cloud 9 (x86_64): libhogweed2-2.7.1-13.6.1 libhogweed2-32bit-2.7.1-13.6.1 libhogweed2-debuginfo-2.7.1-13.6.1 libhogweed2-debuginfo-32bit-2.7.1-13.6.1 libnettle-debugsource-2.7.1-13.6.1 libnettle4-2.7.1-13.6.1 libnettle4-32bit-2.7.1-13.6.1 libnettle4-debuginfo-2.7.1-13.6.1 libnettle4-debuginfo-32bit-2.7.1-13.6.1 - SUSE OpenStack Cloud 8 (x86_64): libhogweed2-2.7.1-13.6.1 libhogweed2-32bit-2.7.1-13.6.1 libhogweed2-debuginfo-2.7.1-13.6.1 libhogweed2-debuginfo-32bit-2.7.1-13.6.1 libnettle-debugsource-2.7.1-13.6.1 libnettle4-2.7.1-13.6.1 libnettle4-32bit-2.7.1-13.6.1 libnettle4-debuginfo-2.7.1-13.6.1 libnettle4-debuginfo-32bit-2.7.1-13.6.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libnettle-debugsource-2.7.1-13.6.1 libnettle-devel-2.7.1-13.6.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): libhogweed2-2.7.1-13.6.1 libhogweed2-debuginfo-2.7.1-13.6.1 libnettle-debugsource-2.7.1-13.6.1 libnettle4-2.7.1-13.6.1 libnettle4-debuginfo-2.7.1-13.6.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64): libhogweed2-32bit-2.7.1-13.6.1 libhogweed2-debuginfo-32bit-2.7.1-13.6.1 libnettle4-32bit-2.7.1-13.6.1 libnettle4-debuginfo-32bit-2.7.1-13.6.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libhogweed2-2.7.1-13.6.1 libhogweed2-debuginfo-2.7.1-13.6.1 libnettle-debugsource-2.7.1-13.6.1 libnettle4-2.7.1-13.6.1 libnettle4-debuginfo-2.7.1-13.6.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libhogweed2-32bit-2.7.1-13.6.1 libhogweed2-debuginfo-32bit-2.7.1-13.6.1 libnettle4-32bit-2.7.1-13.6.1 libnettle4-debuginfo-32bit-2.7.1-13.6.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libhogweed2-2.7.1-13.6.1 libhogweed2-debuginfo-2.7.1-13.6.1 libnettle-debugsource-2.7.1-13.6.1 libnettle4-2.7.1-13.6.1 libnettle4-debuginfo-2.7.1-13.6.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libhogweed2-32bit-2.7.1-13.6.1 libhogweed2-debuginfo-32bit-2.7.1-13.6.1 
libnettle4-32bit-2.7.1-13.6.1 libnettle4-debuginfo-32bit-2.7.1-13.6.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): libhogweed2-2.7.1-13.6.1 libhogweed2-debuginfo-2.7.1-13.6.1 libnettle-debugsource-2.7.1-13.6.1 libnettle4-2.7.1-13.6.1 libnettle4-debuginfo-2.7.1-13.6.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64): libhogweed2-32bit-2.7.1-13.6.1 libhogweed2-debuginfo-32bit-2.7.1-13.6.1 libnettle4-32bit-2.7.1-13.6.1 libnettle4-debuginfo-32bit-2.7.1-13.6.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libhogweed2-2.7.1-13.6.1 libhogweed2-debuginfo-2.7.1-13.6.1 libnettle-debugsource-2.7.1-13.6.1 libnettle4-2.7.1-13.6.1 libnettle4-debuginfo-2.7.1-13.6.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libhogweed2-32bit-2.7.1-13.6.1 libhogweed2-debuginfo-32bit-2.7.1-13.6.1 libnettle4-32bit-2.7.1-13.6.1 libnettle4-debuginfo-32bit-2.7.1-13.6.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libhogweed2-2.7.1-13.6.1 libhogweed2-32bit-2.7.1-13.6.1 libhogweed2-debuginfo-2.7.1-13.6.1 libhogweed2-debuginfo-32bit-2.7.1-13.6.1 libnettle-debugsource-2.7.1-13.6.1 libnettle4-2.7.1-13.6.1 libnettle4-32bit-2.7.1-13.6.1 libnettle4-debuginfo-2.7.1-13.6.1 libnettle4-debuginfo-32bit-2.7.1-13.6.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libhogweed2-2.7.1-13.6.1 libhogweed2-32bit-2.7.1-13.6.1 libhogweed2-debuginfo-2.7.1-13.6.1 libhogweed2-debuginfo-32bit-2.7.1-13.6.1 libnettle-debugsource-2.7.1-13.6.1 libnettle4-2.7.1-13.6.1 libnettle4-32bit-2.7.1-13.6.1 libnettle4-debuginfo-2.7.1-13.6.1 libnettle4-debuginfo-32bit-2.7.1-13.6.1 - HPE Helion Openstack 8 (x86_64): libhogweed2-2.7.1-13.6.1 libhogweed2-32bit-2.7.1-13.6.1 libhogweed2-debuginfo-2.7.1-13.6.1 libhogweed2-debuginfo-32bit-2.7.1-13.6.1 libnettle-debugsource-2.7.1-13.6.1 libnettle4-2.7.1-13.6.1 libnettle4-32bit-2.7.1-13.6.1 libnettle4-debuginfo-2.7.1-13.6.1 libnettle4-debuginfo-32bit-2.7.1-13.6.1 References: 
https://www.suse.com/security/cve/CVE-2021-3580.html https://bugzilla.suse.com/1187060 From sle-security-updates at lists.suse.com Wed Jun 23 19:17:52 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 23 Jun 2021 21:17:52 +0200 (CEST) Subject: SUSE-SU-2021:2147-1: moderate: Security update for freeradius-server Message-ID: <20210623191752.D6F0AF74A@maintenance.suse.de> SUSE Security Update: Security update for freeradius-server ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2147-1 Rating: moderate References: #1184016 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP3 SUSE Linux Enterprise Module for Server Applications 15-SP2 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for freeradius-server fixes the following issues: - Fixed plaintext password entries in logfiles (bsc#1184016). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-2147=1 - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-2147=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64): freeradius-server-3.0.21-3.9.1 freeradius-server-debuginfo-3.0.21-3.9.1 freeradius-server-debugsource-3.0.21-3.9.1 freeradius-server-devel-3.0.21-3.9.1 freeradius-server-krb5-3.0.21-3.9.1 freeradius-server-krb5-debuginfo-3.0.21-3.9.1 freeradius-server-ldap-3.0.21-3.9.1 freeradius-server-ldap-debuginfo-3.0.21-3.9.1 freeradius-server-libs-3.0.21-3.9.1 freeradius-server-libs-debuginfo-3.0.21-3.9.1 freeradius-server-mysql-3.0.21-3.9.1 freeradius-server-mysql-debuginfo-3.0.21-3.9.1 freeradius-server-perl-3.0.21-3.9.1 freeradius-server-perl-debuginfo-3.0.21-3.9.1 freeradius-server-postgresql-3.0.21-3.9.1 freeradius-server-postgresql-debuginfo-3.0.21-3.9.1 freeradius-server-python3-3.0.21-3.9.1 freeradius-server-python3-debuginfo-3.0.21-3.9.1 freeradius-server-sqlite-3.0.21-3.9.1 freeradius-server-sqlite-debuginfo-3.0.21-3.9.1 freeradius-server-utils-3.0.21-3.9.1 freeradius-server-utils-debuginfo-3.0.21-3.9.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): freeradius-server-3.0.21-3.9.1 freeradius-server-debuginfo-3.0.21-3.9.1 freeradius-server-debugsource-3.0.21-3.9.1 freeradius-server-devel-3.0.21-3.9.1 freeradius-server-krb5-3.0.21-3.9.1 freeradius-server-krb5-debuginfo-3.0.21-3.9.1 freeradius-server-ldap-3.0.21-3.9.1 freeradius-server-ldap-debuginfo-3.0.21-3.9.1 freeradius-server-libs-3.0.21-3.9.1 freeradius-server-libs-debuginfo-3.0.21-3.9.1 freeradius-server-mysql-3.0.21-3.9.1 freeradius-server-mysql-debuginfo-3.0.21-3.9.1 freeradius-server-perl-3.0.21-3.9.1 
freeradius-server-perl-debuginfo-3.0.21-3.9.1 freeradius-server-postgresql-3.0.21-3.9.1 freeradius-server-postgresql-debuginfo-3.0.21-3.9.1 freeradius-server-python3-3.0.21-3.9.1 freeradius-server-python3-debuginfo-3.0.21-3.9.1 freeradius-server-sqlite-3.0.21-3.9.1 freeradius-server-sqlite-debuginfo-3.0.21-3.9.1 freeradius-server-utils-3.0.21-3.9.1 freeradius-server-utils-debuginfo-3.0.21-3.9.1 References: https://bugzilla.suse.com/1184016 From sle-security-updates at lists.suse.com Wed Jun 23 19:19:15 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 23 Jun 2021 21:19:15 +0200 (CEST) Subject: SUSE-SU-2021:2143-1: important: Security update for libnettle Message-ID: <20210623191915.A71DDF74A@maintenance.suse.de> SUSE Security Update: Security update for libnettle ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2143-1 Rating: important References: #1187060 Cross-References: CVE-2021-3580 CVSS scores: CVE-2021-3580 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE MicroOS 5.0 SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for libnettle fixes the following issues: - CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-2143=1 - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-2143=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-2143=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-2143=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-2143=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-2143=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-2143=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-2143=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-2143=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-2143=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-2143=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-2143=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-2143=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2143=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t 
patch SUSE-SLE-Product-HPC-15-2021-2143=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-2143=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Manager Server 4.0 (ppc64le s390x x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Manager Server 4.0 (x86_64): libhogweed4-32bit-3.4.1-4.18.1 libhogweed4-32bit-debuginfo-3.4.1-4.18.1 libnettle6-32bit-3.4.1-4.18.1 libnettle6-32bit-debuginfo-3.4.1-4.18.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-32bit-3.4.1-4.18.1 libhogweed4-32bit-debuginfo-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-32bit-3.4.1-4.18.1 libnettle6-32bit-debuginfo-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Manager Proxy 4.0 (x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-32bit-3.4.1-4.18.1 libhogweed4-32bit-debuginfo-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-32bit-3.4.1-4.18.1 libnettle6-32bit-debuginfo-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64): 
libhogweed4-32bit-3.4.1-4.18.1 libhogweed4-32bit-debuginfo-3.4.1-4.18.1 libnettle6-32bit-3.4.1-4.18.1 libnettle6-32bit-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libhogweed4-32bit-3.4.1-4.18.1 libhogweed4-32bit-debuginfo-3.4.1-4.18.1 libnettle6-32bit-3.4.1-4.18.1 libnettle6-32bit-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64): libhogweed4-32bit-3.4.1-4.18.1 libhogweed4-32bit-debuginfo-3.4.1-4.18.1 libnettle6-32bit-3.4.1-4.18.1 libnettle6-32bit-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-32bit-3.4.1-4.18.1 libhogweed4-32bit-debuginfo-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-32bit-3.4.1-4.18.1 libnettle6-32bit-debuginfo-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libhogweed4-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64): 
libhogweed4-32bit-3.4.1-4.18.1 libhogweed4-32bit-debuginfo-3.4.1-4.18.1 libnettle6-32bit-3.4.1-4.18.1 libnettle6-32bit-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): libhogweed4-32bit-3.4.1-4.18.1 libhogweed4-32bit-debuginfo-3.4.1-4.18.1 libnettle6-32bit-3.4.1-4.18.1 libnettle6-32bit-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64): libhogweed4-32bit-3.4.1-4.18.1 libhogweed4-32bit-debuginfo-3.4.1-4.18.1 libnettle6-32bit-3.4.1-4.18.1 libnettle6-32bit-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64): libhogweed4-32bit-3.4.1-4.18.1 libhogweed4-32bit-debuginfo-3.4.1-4.18.1 libnettle6-32bit-3.4.1-4.18.1 libnettle6-32bit-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libhogweed4-32bit-3.4.1-4.18.1 libhogweed4-32bit-debuginfo-3.4.1-4.18.1 
libnettle6-32bit-3.4.1-4.18.1 libnettle6-32bit-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libhogweed4-32bit-3.4.1-4.18.1 libhogweed4-32bit-debuginfo-3.4.1-4.18.1 libnettle6-32bit-3.4.1-4.18.1 libnettle6-32bit-debuginfo-3.4.1-4.18.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 - SUSE Enterprise Storage 6 (x86_64): libhogweed4-32bit-3.4.1-4.18.1 libhogweed4-32bit-debuginfo-3.4.1-4.18.1 libnettle6-32bit-3.4.1-4.18.1 libnettle6-32bit-debuginfo-3.4.1-4.18.1 - SUSE CaaS Platform 4.0 (x86_64): libhogweed4-3.4.1-4.18.1 libhogweed4-32bit-3.4.1-4.18.1 libhogweed4-32bit-debuginfo-3.4.1-4.18.1 libhogweed4-debuginfo-3.4.1-4.18.1 libnettle-debugsource-3.4.1-4.18.1 libnettle-devel-3.4.1-4.18.1 libnettle6-3.4.1-4.18.1 libnettle6-32bit-3.4.1-4.18.1 libnettle6-32bit-debuginfo-3.4.1-4.18.1 libnettle6-debuginfo-3.4.1-4.18.1 References: https://www.suse.com/security/cve/CVE-2021-3580.html https://bugzilla.suse.com/1187060 From sle-security-updates at lists.suse.com Wed Jun 23 19:20:33 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 23 Jun 2021 21:20:33 +0200 (CEST) Subject: SUSE-SU-2021:2145-1: moderate: Security update for libsolv Message-ID: <20210623192033.D303BF74A@maintenance.suse.de> SUSE Security Update: Security update for libsolv ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2145-1 Rating: moderate References: #1161510 #1186229 SLE-17973 Cross-References: CVE-2019-20387 
CVE-2021-3200 CVSS scores: CVE-2019-20387 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-20387 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2021-3200 (NVD) : 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2021-3200 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Server 12-SP2-BCL ______________________________________________________________________________ An update that fixes two vulnerabilities and contains one feature is now available. Description: This update for libsolv fixes the following issues: Security issues fixed: - CVE-2019-20387: Fixed heap-buffer-overflow in repodata_schema2id (bsc#1161510) - CVE-2021-3200: testcase_read: error out if repos are added or the system is changed too late (bsc#1186229) Other issues fixed: - backport support for blacklisted packages to support ptf packages and retracted patches - fix ruleinfo of complex dependencies returning the wrong origin - fix SOLVER_FLAG_FOCUS_BEST updating packages without reason - fix add_complex_recommends() selecting conflicted packages in rare cases - fix potential segfault in resolve_jobrules - fix solv_zchunk decoding error if large chunks are used Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-2145=1 Package List: - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libsolv-debugsource-0.6.37-2.27.24.1 libsolv-devel-0.6.37-2.27.24.1 libsolv-tools-0.6.37-2.27.24.1 libsolv-tools-debuginfo-0.6.37-2.27.24.1 libzypp-16.21.4-27.75.1 libzypp-debuginfo-16.21.4-27.75.1 libzypp-debugsource-16.21.4-27.75.1 libzypp-devel-16.21.4-27.75.1 perl-solv-0.6.37-2.27.24.1 perl-solv-debuginfo-0.6.37-2.27.24.1 python-solv-0.6.37-2.27.24.1 python-solv-debuginfo-0.6.37-2.27.24.1 References: https://www.suse.com/security/cve/CVE-2019-20387.html https://www.suse.com/security/cve/CVE-2021-3200.html https://bugzilla.suse.com/1161510 https://bugzilla.suse.com/1186229 From sle-security-updates at lists.suse.com Thu Jun 24 13:34:10 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 24 Jun 2021 15:34:10 +0200 (CEST) Subject: SUSE-SU-2021:2152-1: important: Security update for ovmf Message-ID: <20210624133410.43EF4F78F@maintenance.suse.de> SUSE Security Update: Security update for ovmf ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2152-1 Rating: important References: #1186151 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud 9 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for ovmf fixes the following issues: - Fixed a possible buffer overflow in IScsiDxe (bsc#1186151) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-2152=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-2152=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-2152=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-2152=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-2152=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): ovmf-2017+git1510945757.b2662641d5-3.38.1 ovmf-tools-2017+git1510945757.b2662641d5-3.38.1 - SUSE OpenStack Cloud Crowbar 9 (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-3.38.1 - SUSE OpenStack Cloud 9 (x86_64): ovmf-2017+git1510945757.b2662641d5-3.38.1 ovmf-tools-2017+git1510945757.b2662641d5-3.38.1 - SUSE OpenStack Cloud 9 (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-3.38.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64): ovmf-2017+git1510945757.b2662641d5-3.38.1 ovmf-tools-2017+git1510945757.b2662641d5-3.38.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-3.38.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 x86_64): ovmf-2017+git1510945757.b2662641d5-3.38.1 ovmf-tools-2017+git1510945757.b2662641d5-3.38.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-3.38.1 qemu-uefi-aarch64-2017+git1510945757.b2662641d5-3.38.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 x86_64): ovmf-2017+git1510945757.b2662641d5-3.38.1 ovmf-tools-2017+git1510945757.b2662641d5-3.38.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-3.38.1 qemu-uefi-aarch64-2017+git1510945757.b2662641d5-3.38.1 References: https://bugzilla.suse.com/1186151 From sle-security-updates at lists.suse.com Thu Jun 24 13:15:34 2021 From: 
sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 24 Jun 2021 15:15:34 +0200 (CEST) Subject: SUSE-SU-2021:2153-1: important: Security update for gupnp Message-ID: <20210624131534.BD7D9F74A@maintenance.suse.de> SUSE Security Update: Security update for gupnp ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2153-1 Rating: important References: #1186590 Cross-References: CVE-2021-33516 CVSS scores: CVE-2021-33516 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2021-33516 (SUSE): 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP3 SUSE Linux Enterprise Workstation Extension 15-SP2 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 SUSE Linux Enterprise Module for Desktop Applications 15-SP3 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for gupnp fixes the following issues: - CVE-2021-33516: Fixed a DNS rebinding, which could trick the browser into triggering actions against local UPnP services (bsc#1186590). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP3: zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-2153=1 - SUSE Linux Enterprise Workstation Extension 15-SP2: zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-2153=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-2153=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-2153=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-2153=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-2153=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64): gupnp-debugsource-1.2.2-3.3.1 typelib-1_0-GUPnP-1_0-1.2.2-3.3.1 - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64): gupnp-debugsource-1.2.2-3.3.1 typelib-1_0-GUPnP-1_0-1.2.2-3.3.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x x86_64): gupnp-debugsource-1.2.2-3.3.1 libgupnp-devel-1.2.2-3.3.1 typelib-1_0-GUPnP-1_0-1.2.2-3.3.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (aarch64 ppc64le s390x x86_64): gupnp-debugsource-1.2.2-3.3.1 libgupnp-devel-1.2.2-3.3.1 typelib-1_0-GUPnP-1_0-1.2.2-3.3.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64): gupnp-debugsource-1.2.2-3.3.1 libgupnp-1_2-0-1.2.2-3.3.1 libgupnp-1_2-0-debuginfo-1.2.2-3.3.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): gupnp-debugsource-1.2.2-3.3.1 libgupnp-1_2-0-1.2.2-3.3.1 libgupnp-1_2-0-debuginfo-1.2.2-3.3.1 References: https://www.suse.com/security/cve/CVE-2021-33516.html https://bugzilla.suse.com/1186590 From sle-security-updates 
at lists.suse.com Thu Jun 24 13:19:09 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 24 Jun 2021 15:19:09 +0200 (CEST) Subject: SUSE-SU-2021:2151-1: important: Security update for ovmf Message-ID: <20210624131909.E09C2F74A@maintenance.suse.de> SUSE Security Update: Security update for ovmf ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2151-1 Rating: important References: #1186151 Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Module for Server Applications 15-SP2 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for ovmf fixes the following issues: - Fixed a possible buffer overflow in IScsiDxe (bsc#1186151) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.0:
  zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-2151=1
- SUSE Linux Enterprise Module for Server Applications 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-2151=1

Package List:

- SUSE MicroOS 5.0 (noarch):
  qemu-ovmf-x86_64-201911-7.21.1
  qemu-uefi-aarch64-201911-7.21.1
- SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 x86_64):
  ovmf-201911-7.21.1
  ovmf-tools-201911-7.21.1
- SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch):
  qemu-ovmf-x86_64-201911-7.21.1
  qemu-uefi-aarch64-201911-7.21.1

References:

https://bugzilla.suse.com/1186151

From sle-security-updates at lists.suse.com Thu Jun 24 19:20:14 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 24 Jun 2021 21:20:14 +0200 (CEST)
Subject: SUSE-SU-2021:2155-1: important: Security update for libgcrypt
Message-ID: <20210624192014.4678EF78F@maintenance.suse.de>

SUSE Security Update: Security update for libgcrypt
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2155-1
Rating: important
References: #1187212
Cross-References: CVE-2021-33560
CVSS scores:
  CVE-2021-33560 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  CVE-2021-33560 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libgcrypt fixes the following issues:

- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).
Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-2155=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2021-2155=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2155=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2155=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  libgcrypt-debugsource-1.8.2-6.52.1
  libgcrypt-devel-1.8.2-6.52.1
  libgcrypt-devel-debuginfo-1.8.2-6.52.1
  libgcrypt20-1.8.2-6.52.1
  libgcrypt20-debuginfo-1.8.2-6.52.1
  libgcrypt20-hmac-1.8.2-6.52.1
- SUSE Linux Enterprise Server for SAP 15 (x86_64):
  libgcrypt20-32bit-1.8.2-6.52.1
  libgcrypt20-32bit-debuginfo-1.8.2-6.52.1
  libgcrypt20-hmac-32bit-1.8.2-6.52.1
- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  libgcrypt-debugsource-1.8.2-6.52.1
  libgcrypt-devel-1.8.2-6.52.1
  libgcrypt-devel-debuginfo-1.8.2-6.52.1
  libgcrypt20-1.8.2-6.52.1
  libgcrypt20-debuginfo-1.8.2-6.52.1
  libgcrypt20-hmac-1.8.2-6.52.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
  libgcrypt-debugsource-1.8.2-6.52.1
  libgcrypt-devel-1.8.2-6.52.1
  libgcrypt-devel-debuginfo-1.8.2-6.52.1
  libgcrypt20-1.8.2-6.52.1
  libgcrypt20-debuginfo-1.8.2-6.52.1
  libgcrypt20-hmac-1.8.2-6.52.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):
  libgcrypt20-32bit-1.8.2-6.52.1
  libgcrypt20-32bit-debuginfo-1.8.2-6.52.1
  libgcrypt20-hmac-32bit-1.8.2-6.52.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
  libgcrypt-debugsource-1.8.2-6.52.1
  libgcrypt-devel-1.8.2-6.52.1
  libgcrypt-devel-debuginfo-1.8.2-6.52.1
  libgcrypt20-1.8.2-6.52.1
  libgcrypt20-debuginfo-1.8.2-6.52.1
  libgcrypt20-hmac-1.8.2-6.52.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):
  libgcrypt20-32bit-1.8.2-6.52.1
  libgcrypt20-32bit-debuginfo-1.8.2-6.52.1
  libgcrypt20-hmac-32bit-1.8.2-6.52.1

References:

https://www.suse.com/security/cve/CVE-2021-33560.html
https://bugzilla.suse.com/1187212

From sle-security-updates at lists.suse.com Thu Jun 24 19:22:03 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 24 Jun 2021 21:22:03 +0200 (CEST)
Subject: SUSE-SU-2021:2157-1: important: Security update for libgcrypt
Message-ID: <20210624192203.5995FF78F@maintenance.suse.de>

SUSE Security Update: Security update for libgcrypt
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2157-1
Rating: important
References: #1187212
Cross-References: CVE-2021-33560
CVSS scores:
  CVE-2021-33560 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  CVE-2021-33560 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
  SUSE MicroOS 5.0
  SUSE Manager Server 4.0
  SUSE Manager Retail Branch Server 4.0
  SUSE Manager Proxy 4.0
  SUSE Linux Enterprise Server for SAP 15-SP1
  SUSE Linux Enterprise Server 15-SP1-LTSS
  SUSE Linux Enterprise Server 15-SP1-BCL
  SUSE Linux Enterprise Module for Basesystem 15-SP3
  SUSE Linux Enterprise Module for Basesystem 15-SP2
  SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
  SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
  SUSE Enterprise Storage 6
  SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libgcrypt fixes the following issues:

- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).
Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.0:
  zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-2157=1
- SUSE Manager Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-2157=1
- SUSE Manager Retail Branch Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-2157=1
- SUSE Manager Proxy 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-2157=1
- SUSE Linux Enterprise Server for SAP 15-SP1:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-2157=1
- SUSE Linux Enterprise Server 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-2157=1
- SUSE Linux Enterprise Server 15-SP1-BCL:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-2157=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-2157=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-2157=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-2157=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-2157=1
- SUSE Enterprise Storage 6:
  zypper in -t patch SUSE-Storage-6-2021-2157=1
- SUSE CaaS Platform 4.0:
  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
Package List:

- SUSE MicroOS 5.0 (aarch64 x86_64):
  libgcrypt-debugsource-1.8.2-8.39.1
  libgcrypt20-1.8.2-8.39.1
  libgcrypt20-debuginfo-1.8.2-8.39.1
- SUSE Manager Server 4.0 (ppc64le s390x x86_64):
  libgcrypt-debugsource-1.8.2-8.39.1
  libgcrypt-devel-1.8.2-8.39.1
  libgcrypt-devel-debuginfo-1.8.2-8.39.1
  libgcrypt20-1.8.2-8.39.1
  libgcrypt20-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-1.8.2-8.39.1
- SUSE Manager Server 4.0 (x86_64):
  libgcrypt20-32bit-1.8.2-8.39.1
  libgcrypt20-32bit-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-32bit-1.8.2-8.39.1
- SUSE Manager Retail Branch Server 4.0 (x86_64):
  libgcrypt-debugsource-1.8.2-8.39.1
  libgcrypt-devel-1.8.2-8.39.1
  libgcrypt-devel-debuginfo-1.8.2-8.39.1
  libgcrypt20-1.8.2-8.39.1
  libgcrypt20-32bit-1.8.2-8.39.1
  libgcrypt20-32bit-debuginfo-1.8.2-8.39.1
  libgcrypt20-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-1.8.2-8.39.1
  libgcrypt20-hmac-32bit-1.8.2-8.39.1
- SUSE Manager Proxy 4.0 (x86_64):
  libgcrypt-debugsource-1.8.2-8.39.1
  libgcrypt-devel-1.8.2-8.39.1
  libgcrypt-devel-debuginfo-1.8.2-8.39.1
  libgcrypt20-1.8.2-8.39.1
  libgcrypt20-32bit-1.8.2-8.39.1
  libgcrypt20-32bit-debuginfo-1.8.2-8.39.1
  libgcrypt20-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-1.8.2-8.39.1
  libgcrypt20-hmac-32bit-1.8.2-8.39.1
- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
  libgcrypt-debugsource-1.8.2-8.39.1
  libgcrypt-devel-1.8.2-8.39.1
  libgcrypt-devel-debuginfo-1.8.2-8.39.1
  libgcrypt20-1.8.2-8.39.1
  libgcrypt20-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-1.8.2-8.39.1
- SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):
  libgcrypt20-32bit-1.8.2-8.39.1
  libgcrypt20-32bit-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-32bit-1.8.2-8.39.1
- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
  libgcrypt-debugsource-1.8.2-8.39.1
  libgcrypt-devel-1.8.2-8.39.1
  libgcrypt-devel-debuginfo-1.8.2-8.39.1
  libgcrypt20-1.8.2-8.39.1
  libgcrypt20-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-1.8.2-8.39.1
- SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):
  libgcrypt20-32bit-1.8.2-8.39.1
  libgcrypt20-32bit-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-32bit-1.8.2-8.39.1
- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
  libgcrypt-debugsource-1.8.2-8.39.1
  libgcrypt-devel-1.8.2-8.39.1
  libgcrypt-devel-debuginfo-1.8.2-8.39.1
  libgcrypt20-1.8.2-8.39.1
  libgcrypt20-32bit-1.8.2-8.39.1
  libgcrypt20-32bit-debuginfo-1.8.2-8.39.1
  libgcrypt20-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-1.8.2-8.39.1
  libgcrypt20-hmac-32bit-1.8.2-8.39.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
  libgcrypt-debugsource-1.8.2-8.39.1
  libgcrypt-devel-1.8.2-8.39.1
  libgcrypt-devel-debuginfo-1.8.2-8.39.1
  libgcrypt20-1.8.2-8.39.1
  libgcrypt20-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-1.8.2-8.39.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):
  libgcrypt20-32bit-1.8.2-8.39.1
  libgcrypt20-32bit-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-32bit-1.8.2-8.39.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  libgcrypt-debugsource-1.8.2-8.39.1
  libgcrypt-devel-1.8.2-8.39.1
  libgcrypt-devel-debuginfo-1.8.2-8.39.1
  libgcrypt20-1.8.2-8.39.1
  libgcrypt20-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-1.8.2-8.39.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):
  libgcrypt20-32bit-1.8.2-8.39.1
  libgcrypt20-32bit-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-32bit-1.8.2-8.39.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
  libgcrypt-debugsource-1.8.2-8.39.1
  libgcrypt-devel-1.8.2-8.39.1
  libgcrypt-devel-debuginfo-1.8.2-8.39.1
  libgcrypt20-1.8.2-8.39.1
  libgcrypt20-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-1.8.2-8.39.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):
  libgcrypt20-32bit-1.8.2-8.39.1
  libgcrypt20-32bit-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-32bit-1.8.2-8.39.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
  libgcrypt-debugsource-1.8.2-8.39.1
  libgcrypt-devel-1.8.2-8.39.1
  libgcrypt-devel-debuginfo-1.8.2-8.39.1
  libgcrypt20-1.8.2-8.39.1
  libgcrypt20-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-1.8.2-8.39.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):
  libgcrypt20-32bit-1.8.2-8.39.1
  libgcrypt20-32bit-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-32bit-1.8.2-8.39.1
- SUSE Enterprise Storage 6 (aarch64 x86_64):
  libgcrypt-debugsource-1.8.2-8.39.1
  libgcrypt-devel-1.8.2-8.39.1
  libgcrypt-devel-debuginfo-1.8.2-8.39.1
  libgcrypt20-1.8.2-8.39.1
  libgcrypt20-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-1.8.2-8.39.1
- SUSE Enterprise Storage 6 (x86_64):
  libgcrypt20-32bit-1.8.2-8.39.1
  libgcrypt20-32bit-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-32bit-1.8.2-8.39.1
- SUSE CaaS Platform 4.0 (x86_64):
  libgcrypt-debugsource-1.8.2-8.39.1
  libgcrypt-devel-1.8.2-8.39.1
  libgcrypt-devel-debuginfo-1.8.2-8.39.1
  libgcrypt20-1.8.2-8.39.1
  libgcrypt20-32bit-1.8.2-8.39.1
  libgcrypt20-32bit-debuginfo-1.8.2-8.39.1
  libgcrypt20-debuginfo-1.8.2-8.39.1
  libgcrypt20-hmac-1.8.2-8.39.1
  libgcrypt20-hmac-32bit-1.8.2-8.39.1

References:

https://www.suse.com/security/cve/CVE-2021-33560.html
https://bugzilla.suse.com/1187212

From sle-security-updates at lists.suse.com Thu Jun 24 19:23:19 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 24 Jun 2021 21:23:19 +0200 (CEST)
Subject: SUSE-SU-2021:2158-1: important: Security update for openexr
Message-ID: <20210624192319.73275F78F@maintenance.suse.de>

SUSE Security Update: Security update for openexr
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2158-1
Rating: important
References: #1187310 #1187395
Cross-References: CVE-2021-3598 CVE-2021-3605
CVSS scores:
  CVE-2021-3598 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  CVE-2021-3605 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  SUSE Manager Server 4.0
  SUSE Manager Retail Branch Server 4.0
  SUSE Manager Proxy 4.0
  SUSE Linux Enterprise Server for SAP 15-SP1
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-SP1-LTSS
  SUSE Linux Enterprise Server 15-SP1-BCL
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise Module for Desktop Applications 15-SP3
  SUSE Linux Enterprise Module for Desktop Applications 15-SP2
  SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
  SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
  SUSE Enterprise Storage 6
  SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for openexr fixes the following issues:

- Fixed CVE-2021-3605 [bsc#1187395]: Heap buffer overflow in the rleUncompress function
- Fixed CVE-2021-3598 [bsc#1187310]: Heap buffer overflow in Imf_3_1:CharPtrIO:readChars

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-2158=1
- SUSE Manager Retail Branch Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-2158=1
- SUSE Manager Proxy 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-2158=1
- SUSE Linux Enterprise Server for SAP 15-SP1:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-2158=1
- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-2158=1
- SUSE Linux Enterprise Server 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-2158=1
- SUSE Linux Enterprise Server 15-SP1-BCL:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-2158=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2021-2158=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-2158=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-2158=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-2158=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-2158=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2158=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2158=1
- SUSE Enterprise Storage 6:
  zypper in -t patch SUSE-Storage-6-2021-2158=1
- SUSE CaaS Platform 4.0:
  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
Package List:

- SUSE Manager Server 4.0 (ppc64le s390x x86_64):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1
- SUSE Manager Retail Branch Server 4.0 (x86_64):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1
- SUSE Manager Proxy 4.0 (x86_64):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1
- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1
- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1
- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1
- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1
- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1
- SUSE Enterprise Storage 6 (aarch64 x86_64):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1
- SUSE CaaS Platform 4.0 (x86_64):
  libIlmImf-2_2-23-2.2.1-3.32.1
  libIlmImf-2_2-23-debuginfo-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-2.2.1-3.32.1
  libIlmImfUtil-2_2-23-debuginfo-2.2.1-3.32.1
  openexr-debuginfo-2.2.1-3.32.1
  openexr-debugsource-2.2.1-3.32.1
  openexr-devel-2.2.1-3.32.1

References:

https://www.suse.com/security/cve/CVE-2021-3598.html
https://www.suse.com/security/cve/CVE-2021-3605.html
https://bugzilla.suse.com/1187310
https://bugzilla.suse.com/1187395

From sle-security-updates at lists.suse.com Thu Jun 24 19:24:38 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 24 Jun 2021 21:24:38 +0200 (CEST)
Subject: SUSE-SU-2021:2156-1: important: Security update for libgcrypt
Message-ID: <20210624192438.2E872F78F@maintenance.suse.de>

SUSE Security Update: Security update for libgcrypt
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2156-1
Rating: important
References: #1187212
Cross-References: CVE-2021-33560
CVSS scores:
  CVE-2021-33560 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  CVE-2021-33560 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
  SUSE OpenStack Cloud Crowbar 9
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 9
  SUSE OpenStack Cloud 8
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Server for SAP 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4-LTSS
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-BCL
  HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libgcrypt fixes the following issues:

- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-2156=1
- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-2156=1
- SUSE OpenStack Cloud 9:
  zypper in -t patch SUSE-OpenStack-Cloud-9-2021-2156=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2021-2156=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-2156=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-2156=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-2156=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-2156=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-2156=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-2156=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-2156=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-2156=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2021-2156=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  libgcrypt-debugsource-1.6.1-16.77.1
  libgcrypt20-1.6.1-16.77.1
  libgcrypt20-32bit-1.6.1-16.77.1
  libgcrypt20-debuginfo-1.6.1-16.77.1
  libgcrypt20-debuginfo-32bit-1.6.1-16.77.1
  libgcrypt20-hmac-1.6.1-16.77.1
  libgcrypt20-hmac-32bit-1.6.1-16.77.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  libgcrypt-debugsource-1.6.1-16.77.1
  libgcrypt20-1.6.1-16.77.1
  libgcrypt20-32bit-1.6.1-16.77.1
  libgcrypt20-debuginfo-1.6.1-16.77.1
  libgcrypt20-debuginfo-32bit-1.6.1-16.77.1
  libgcrypt20-hmac-1.6.1-16.77.1
  libgcrypt20-hmac-32bit-1.6.1-16.77.1
- SUSE OpenStack Cloud 9 (x86_64):
  libgcrypt-debugsource-1.6.1-16.77.1
  libgcrypt20-1.6.1-16.77.1
  libgcrypt20-32bit-1.6.1-16.77.1
  libgcrypt20-debuginfo-1.6.1-16.77.1
  libgcrypt20-debuginfo-32bit-1.6.1-16.77.1
  libgcrypt20-hmac-1.6.1-16.77.1
  libgcrypt20-hmac-32bit-1.6.1-16.77.1
- SUSE OpenStack Cloud 8 (x86_64):
  libgcrypt-debugsource-1.6.1-16.77.1
  libgcrypt20-1.6.1-16.77.1
  libgcrypt20-32bit-1.6.1-16.77.1
  libgcrypt20-debuginfo-1.6.1-16.77.1
  libgcrypt20-debuginfo-32bit-1.6.1-16.77.1
  libgcrypt20-hmac-1.6.1-16.77.1
  libgcrypt20-hmac-32bit-1.6.1-16.77.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  libgcrypt-debugsource-1.6.1-16.77.1
  libgcrypt-devel-1.6.1-16.77.1
  libgcrypt-devel-debuginfo-1.6.1-16.77.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
  libgcrypt-debugsource-1.6.1-16.77.1
  libgcrypt20-1.6.1-16.77.1
  libgcrypt20-debuginfo-1.6.1-16.77.1
  libgcrypt20-hmac-1.6.1-16.77.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):
  libgcrypt20-32bit-1.6.1-16.77.1
  libgcrypt20-debuginfo-32bit-1.6.1-16.77.1
  libgcrypt20-hmac-32bit-1.6.1-16.77.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
  libgcrypt-debugsource-1.6.1-16.77.1
  libgcrypt20-1.6.1-16.77.1
  libgcrypt20-debuginfo-1.6.1-16.77.1
  libgcrypt20-hmac-1.6.1-16.77.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):
  libgcrypt20-32bit-1.6.1-16.77.1
  libgcrypt20-debuginfo-32bit-1.6.1-16.77.1
  libgcrypt20-hmac-32bit-1.6.1-16.77.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  libgcrypt-debugsource-1.6.1-16.77.1
  libgcrypt20-1.6.1-16.77.1
  libgcrypt20-debuginfo-1.6.1-16.77.1
  libgcrypt20-hmac-1.6.1-16.77.1
- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
  libgcrypt20-32bit-1.6.1-16.77.1
  libgcrypt20-debuginfo-32bit-1.6.1-16.77.1
  libgcrypt20-hmac-32bit-1.6.1-16.77.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
  libgcrypt-debugsource-1.6.1-16.77.1
  libgcrypt20-1.6.1-16.77.1
  libgcrypt20-debuginfo-1.6.1-16.77.1
  libgcrypt20-hmac-1.6.1-16.77.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):
  libgcrypt20-32bit-1.6.1-16.77.1
  libgcrypt20-debuginfo-32bit-1.6.1-16.77.1
  libgcrypt20-hmac-32bit-1.6.1-16.77.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
  libgcrypt-debugsource-1.6.1-16.77.1
  libgcrypt20-1.6.1-16.77.1
  libgcrypt20-debuginfo-1.6.1-16.77.1
  libgcrypt20-hmac-1.6.1-16.77.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):
  libgcrypt20-32bit-1.6.1-16.77.1
  libgcrypt20-debuginfo-32bit-1.6.1-16.77.1
  libgcrypt20-hmac-32bit-1.6.1-16.77.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
  libgcrypt-debugsource-1.6.1-16.77.1
  libgcrypt20-1.6.1-16.77.1
  libgcrypt20-32bit-1.6.1-16.77.1
  libgcrypt20-debuginfo-1.6.1-16.77.1
  libgcrypt20-debuginfo-32bit-1.6.1-16.77.1
  libgcrypt20-hmac-1.6.1-16.77.1
  libgcrypt20-hmac-32bit-1.6.1-16.77.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
  libgcrypt-debugsource-1.6.1-16.77.1
  libgcrypt20-1.6.1-16.77.1
  libgcrypt20-32bit-1.6.1-16.77.1
  libgcrypt20-debuginfo-1.6.1-16.77.1
  libgcrypt20-debuginfo-32bit-1.6.1-16.77.1
  libgcrypt20-hmac-1.6.1-16.77.1
  libgcrypt20-hmac-32bit-1.6.1-16.77.1
- HPE Helion Openstack 8 (x86_64):
  libgcrypt-debugsource-1.6.1-16.77.1
  libgcrypt20-1.6.1-16.77.1
  libgcrypt20-32bit-1.6.1-16.77.1
  libgcrypt20-debuginfo-1.6.1-16.77.1
  libgcrypt20-debuginfo-32bit-1.6.1-16.77.1
  libgcrypt20-hmac-1.6.1-16.77.1
  libgcrypt20-hmac-32bit-1.6.1-16.77.1

References:

https://www.suse.com/security/cve/CVE-2021-33560.html
https://bugzilla.suse.com/1187212

From sle-security-updates at lists.suse.com Thu Jun 24 19:25:50 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 24 Jun 2021 21:25:50 +0200 (CEST)
Subject: SUSE-SU-2021:2159-1: important: Security update for openexr
Message-ID: <20210624192550.0493AF78F@maintenance.suse.de>

SUSE Security Update: Security update for openexr
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2159-1
Rating: important
References: #1184354 #1187310 #1187395
Cross-References: CVE-2021-3479 CVE-2021-3598 CVE-2021-3605
CVSS scores:
  CVE-2021-3479 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  CVE-2021-3479 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2021-3598 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  CVE-2021-3605 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  SUSE OpenStack Cloud Crowbar 9
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 9
  SUSE OpenStack Cloud 8
  SUSE Linux Enterprise Workstation Extension 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Server for SAP 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4-LTSS
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-BCL
  HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.
Description:

This update for openexr fixes the following issues:

- Fixed CVE-2021-3479 [bsc#1184354]: Out-of-memory caused by allocation of a very large buffer
- Fixed CVE-2021-3605 [bsc#1187395]: Heap buffer overflow in the rleUncompress function
- Fixed CVE-2021-3598 [bsc#1187310]: Heap buffer overflow in Imf_3_1:CharPtrIO:readChars

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-2159=1
- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-2159=1
- SUSE OpenStack Cloud 9:
  zypper in -t patch SUSE-OpenStack-Cloud-9-2021-2159=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2021-2159=1
- SUSE Linux Enterprise Workstation Extension 12-SP5:
  zypper in -t patch SUSE-SLE-WE-12-SP5-2021-2159=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-2159=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-2159=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-2159=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-2159=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-2159=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-2159=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-2159=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-2159=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2021-2159=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  libIlmImf-Imf_2_1-21-2.1.0-6.34.1
libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.34.1 openexr-2.1.0-6.34.1 openexr-debuginfo-2.1.0-6.34.1 openexr-debugsource-2.1.0-6.34.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): libIlmImf-Imf_2_1-21-2.1.0-6.34.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.34.1 openexr-2.1.0-6.34.1 openexr-debuginfo-2.1.0-6.34.1 openexr-debugsource-2.1.0-6.34.1 - SUSE OpenStack Cloud 9 (x86_64): libIlmImf-Imf_2_1-21-2.1.0-6.34.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.34.1 openexr-2.1.0-6.34.1 openexr-debuginfo-2.1.0-6.34.1 openexr-debugsource-2.1.0-6.34.1 - SUSE OpenStack Cloud 8 (x86_64): libIlmImf-Imf_2_1-21-2.1.0-6.34.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.34.1 openexr-2.1.0-6.34.1 openexr-debuginfo-2.1.0-6.34.1 openexr-debugsource-2.1.0-6.34.1 - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): libIlmImf-Imf_2_1-21-32bit-2.1.0-6.34.1 libIlmImf-Imf_2_1-21-debuginfo-32bit-2.1.0-6.34.1 openexr-debugsource-2.1.0-6.34.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): openexr-debuginfo-2.1.0-6.34.1 openexr-debugsource-2.1.0-6.34.1 openexr-devel-2.1.0-6.34.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): libIlmImf-Imf_2_1-21-2.1.0-6.34.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.34.1 openexr-2.1.0-6.34.1 openexr-debuginfo-2.1.0-6.34.1 openexr-debugsource-2.1.0-6.34.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libIlmImf-Imf_2_1-21-2.1.0-6.34.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.34.1 openexr-2.1.0-6.34.1 openexr-debuginfo-2.1.0-6.34.1 openexr-debugsource-2.1.0-6.34.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libIlmImf-Imf_2_1-21-2.1.0-6.34.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.34.1 openexr-2.1.0-6.34.1 openexr-debuginfo-2.1.0-6.34.1 openexr-debugsource-2.1.0-6.34.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): libIlmImf-Imf_2_1-21-2.1.0-6.34.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.34.1 openexr-2.1.0-6.34.1 openexr-debuginfo-2.1.0-6.34.1 
openexr-debugsource-2.1.0-6.34.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libIlmImf-Imf_2_1-21-2.1.0-6.34.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.34.1 openexr-2.1.0-6.34.1 openexr-debuginfo-2.1.0-6.34.1 openexr-debugsource-2.1.0-6.34.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libIlmImf-Imf_2_1-21-2.1.0-6.34.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.34.1 openexr-2.1.0-6.34.1 openexr-debuginfo-2.1.0-6.34.1 openexr-debugsource-2.1.0-6.34.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libIlmImf-Imf_2_1-21-2.1.0-6.34.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.34.1 openexr-2.1.0-6.34.1 openexr-debuginfo-2.1.0-6.34.1 openexr-debugsource-2.1.0-6.34.1 - HPE Helion Openstack 8 (x86_64): libIlmImf-Imf_2_1-21-2.1.0-6.34.1 libIlmImf-Imf_2_1-21-debuginfo-2.1.0-6.34.1 openexr-2.1.0-6.34.1 openexr-debuginfo-2.1.0-6.34.1 openexr-debugsource-2.1.0-6.34.1 References: https://www.suse.com/security/cve/CVE-2021-3479.html https://www.suse.com/security/cve/CVE-2021-3598.html https://www.suse.com/security/cve/CVE-2021-3605.html https://bugzilla.suse.com/1184354 https://bugzilla.suse.com/1187310 https://bugzilla.suse.com/1187395 From sle-security-updates at lists.suse.com Fri Jun 25 13:15:59 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 25 Jun 2021 15:15:59 +0200 (CEST) Subject: SUSE-SU-2021:2161-1: important: Security update for ovmf Message-ID: <20210625131559.06B8EF78F@maintenance.suse.de> SUSE Security Update: Security update for ovmf ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2161-1 Rating: important References: #1183578 #1183579 #1186151 Cross-References: CVE-2021-28210 CVE-2021-28211 CVSS scores: CVE-2021-28210 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28210 (SUSE): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H CVE-2021-28211 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 
CVE-2021-28211 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for ovmf fixes the following issues: - Fixed a possible buffer overflow in IScsiDxe (bsc#1186151) - CVE-2021-28211: ovmf: edk2: possible heap corruption with LzmaUefiDecompressGetInfo (bsc#1183578) - CVE-2021-28210: ovmf: unlimited FV recursion, round 2 (bsc#1183579) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-2161=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-2161=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-2161=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-2161=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-2161=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-2161=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-2161=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-2161=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-2161=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-2161=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2161=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2161=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-2161=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Manager Server 4.0 (x86_64): ovmf-2017+git1510945757.b2662641d5-5.43.1 ovmf-tools-2017+git1510945757.b2662641d5-5.43.1 - SUSE Manager Server 4.0 (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.43.1 - SUSE Manager Retail Branch Server 4.0 (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.43.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): ovmf-2017+git1510945757.b2662641d5-5.43.1 ovmf-tools-2017+git1510945757.b2662641d5-5.43.1 - SUSE Manager Proxy 4.0 (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.43.1 - SUSE Manager Proxy 4.0 (x86_64): ovmf-2017+git1510945757.b2662641d5-5.43.1 ovmf-tools-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64): ovmf-2017+git1510945757.b2662641d5-5.43.1 ovmf-tools-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): ovmf-2017+git1510945757.b2662641d5-5.43.1 ovmf-tools-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 x86_64): ovmf-2017+git1510945757.b2662641d5-5.43.1 ovmf-tools-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.43.1 qemu-uefi-aarch64-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): ovmf-2017+git1510945757.b2662641d5-5.43.1 ovmf-tools-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64): ovmf-2017+git1510945757.b2662641d5-5.43.1 ovmf-tools-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): qemu-uefi-aarch64-2017+git1510945757.b2662641d5-5.43.1 - 
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): ovmf-2017+git1510945757.b2662641d5-5.43.1 ovmf-tools-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.43.1 qemu-uefi-aarch64-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): ovmf-2017+git1510945757.b2662641d5-5.43.1 ovmf-tools-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.43.1 qemu-uefi-aarch64-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): ovmf-2017+git1510945757.b2662641d5-5.43.1 ovmf-tools-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.43.1 qemu-uefi-aarch64-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): ovmf-2017+git1510945757.b2662641d5-5.43.1 ovmf-tools-2017+git1510945757.b2662641d5-5.43.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.43.1 qemu-uefi-aarch64-2017+git1510945757.b2662641d5-5.43.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): ovmf-2017+git1510945757.b2662641d5-5.43.1 ovmf-tools-2017+git1510945757.b2662641d5-5.43.1 - SUSE Enterprise Storage 6 (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.43.1 qemu-uefi-aarch64-2017+git1510945757.b2662641d5-5.43.1 - SUSE CaaS Platform 4.0 (noarch): qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-5.43.1 - SUSE CaaS Platform 4.0 (x86_64): ovmf-2017+git1510945757.b2662641d5-5.43.1 ovmf-tools-2017+git1510945757.b2662641d5-5.43.1 References: https://www.suse.com/security/cve/CVE-2021-28210.html 
https://www.suse.com/security/cve/CVE-2021-28211.html https://bugzilla.suse.com/1183578 https://bugzilla.suse.com/1183579 https://bugzilla.suse.com/1186151 From sle-security-updates at lists.suse.com Fri Jun 25 19:15:54 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 25 Jun 2021 21:15:54 +0200 (CEST) Subject: SUSE-SU-2021:2164-1: moderate: Security update for zziplib Message-ID: <20210625191554.B3897F74A@maintenance.suse.de> SUSE Security Update: Security update for zziplib ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2164-1 Rating: moderate References: #1187526 Cross-References: CVE-2020-18442 CVSS scores: CVE-2020-18442 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-18442 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for zziplib fixes the following issues: - CVE-2020-18442: Fixed infinite loop in zzip_file_read() as used in unzzip_cat_file() (bsc#1187526). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2021-2164=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-2164=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): libzzip-0-13-0.13.67-10.33.1 libzzip-0-13-debuginfo-0.13.67-10.33.1 zziplib-debugsource-0.13.67-10.33.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libzzip-0-13-0.13.67-10.33.1 libzzip-0-13-debuginfo-0.13.67-10.33.1 zziplib-debugsource-0.13.67-10.33.1 zziplib-devel-0.13.67-10.33.1 zziplib-devel-debuginfo-0.13.67-10.33.1 References: https://www.suse.com/security/cve/CVE-2020-18442.html https://bugzilla.suse.com/1187526 From sle-security-updates at lists.suse.com Fri Jun 25 19:18:38 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 25 Jun 2021 21:18:38 +0200 (CEST) Subject: SUSE-SU-2021:2163-1: moderate: Security update for bouncycastle Message-ID: <20210625191838.87792F74A@maintenance.suse.de> SUSE Security Update: Security update for bouncycastle ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2163-1 Rating: moderate References: #1186328 Cross-References: CVE-2020-15522 CVSS scores: CVE-2020-15522 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-15522 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP3 SUSE Linux Enterprise Module for Development Tools 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for bouncycastle fixes the following issues: - CVE-2020-15522: Fixed a timing issue within the EC math library (bsc#1186328). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP3: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-2163=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-2163=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch): bouncycastle-1.64-3.3.1 bouncycastle-pg-1.64-3.3.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch): bouncycastle-1.64-3.3.1 bouncycastle-pg-1.64-3.3.1 References: https://www.suse.com/security/cve/CVE-2020-15522.html https://bugzilla.suse.com/1186328 From sle-security-updates at lists.suse.com Mon Jun 28 16:16:44 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 28 Jun 2021 18:16:44 +0200 (CEST) Subject: SUSE-SU-2021:14758-1: important: Security update for microcode_ctl Message-ID: <20210628161644.D90CBF78F@maintenance.suse.de> SUSE Security Update: Security update for microcode_ctl ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14758-1 Rating: important References: #1179833 #1179836 #1179837 #1179839 Cross-References: CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513 CVSS scores: CVE-2020-24489 (SUSE): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2020-24511 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2020-24512 (SUSE): 2.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N CVE-2020-24513 (SUSE): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 ______________________________________________________________________________ An update that fixes four 
vulnerabilities is now available. Description: This update for microcode_ctl fixes the following issues: Updated to Intel CPU Microcode 20210525 release: - CVE-2020-24513: A domain bypass transient execution vulnerability was discovered on some Intel Atom processors that use a micro-architectural incident channel. (bsc#1179833) - CVE-2020-24511: The IBRS feature to mitigate Spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (bsc#1179836) - CVE-2020-24512: Fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837) - CVE-2020-24489: Fixed Intel VT-d device pass through potential local privilege escalation (bsc#1179839) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-microcode_ctl-14758=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-microcode_ctl-14758=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 x86_64): microcode_ctl-1.17-102.83.71.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): microcode_ctl-1.17-102.83.71.1 References: https://www.suse.com/security/cve/CVE-2020-24489.html https://www.suse.com/security/cve/CVE-2020-24511.html https://www.suse.com/security/cve/CVE-2020-24512.html https://www.suse.com/security/cve/CVE-2020-24513.html https://bugzilla.suse.com/1179833 https://bugzilla.suse.com/1179836 https://bugzilla.suse.com/1179837 https://bugzilla.suse.com/1179839 From sle-security-updates at lists.suse.com Mon Jun 28 19:18:43 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 28 Jun 2021 21:18:43 +0200 (CEST) Subject: SUSE-SU-2021:14759-1: important: Security update for arpwatch Message-ID: <20210628191843.EE6C4F74A@maintenance.suse.de> SUSE Security Update: Security update for arpwatch ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14759-1 Rating: important References: #1186240 Cross-References: CVE-2021-25321 CVSS scores: CVE-2021-25321 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for arpwatch fixes the following issues: - CVE-2021-25321: Fixed local privilege escalation from runtime user to root (bsc#1186240). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-arpwatch-14759=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-arpwatch-14759=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-arpwatch-14759=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-arpwatch-14759=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): arpwatch-2.1a15-131.23.2.6.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): arpwatch-2.1a15-131.23.2.6.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): arpwatch-debuginfo-2.1a15-131.23.2.6.1 arpwatch-debugsource-2.1a15-131.23.2.6.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): arpwatch-debuginfo-2.1a15-131.23.2.6.1 arpwatch-debugsource-2.1a15-131.23.2.6.1 References: https://www.suse.com/security/cve/CVE-2021-25321.html https://bugzilla.suse.com/1186240 From sle-security-updates at lists.suse.com Mon Jun 28 19:19:51 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 28 Jun 2021 21:19:51 +0200 (CEST) Subject: SUSE-SU-2021:2180-1: important: Security update for libsolv Message-ID: <20210628191951.595E4F74A@maintenance.suse.de> SUSE Security Update: Security update for libsolv ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2180-1 Rating: important References: #1161510 #1186229 SLE-17973 Cross-References: CVE-2019-20387 CVE-2021-3200 CVSS scores: CVE-2019-20387 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-20387 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2021-3200 (NVD) : 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2021-3200 (SUSE): 7 
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes two vulnerabilities and contains one feature is now available. Description: This update for libsolv fixes the following issues: Security issues fixed: - CVE-2019-20387: Fixed heap-buffer-overflow in repodata_schema2id (bsc#1161510) - CVE-2021-3200: testcase_read: error out if repos are added or the system is changed too late (bsc#1186229) Other issues fixed: - backport support for blacklisted packages to support ptf packages and retracted patches - fix ruleinfo of complex dependencies returning the wrong origin - fix SOLVER_FLAG_FOCUS_BEST updating packages without reason - fix add_complex_recommends() selecting conflicted packages in rare cases - fix potential segfault in resolve_jobrules - fix solv_zchunk decoding error if large chunks are used Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-2180=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-2180=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-2180=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-2180=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-2180=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-2180=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-2180=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-2180=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-2180=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-2180=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-2180=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-2180=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): libsolv-debugsource-0.6.37-2.33.1 libsolv-devel-0.6.37-2.33.1 libsolv-tools-0.6.37-2.33.1 libsolv-tools-debuginfo-0.6.37-2.33.1 libzypp-16.21.4-2.51.1 libzypp-debuginfo-16.21.4-2.51.1 libzypp-debugsource-16.21.4-2.51.1 libzypp-devel-16.21.4-2.51.1 perl-solv-0.6.37-2.33.1 perl-solv-debuginfo-0.6.37-2.33.1 python-solv-0.6.37-2.33.1 python-solv-debuginfo-0.6.37-2.33.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): libsolv-debugsource-0.6.37-2.33.1 libsolv-devel-0.6.37-2.33.1 libsolv-tools-0.6.37-2.33.1 libsolv-tools-debuginfo-0.6.37-2.33.1 libzypp-16.21.4-2.51.1 libzypp-debuginfo-16.21.4-2.51.1 libzypp-debugsource-16.21.4-2.51.1 libzypp-devel-16.21.4-2.51.1 perl-solv-0.6.37-2.33.1 perl-solv-debuginfo-0.6.37-2.33.1 python-solv-0.6.37-2.33.1 
python-solv-debuginfo-0.6.37-2.33.1 - SUSE OpenStack Cloud 9 (x86_64): libsolv-debugsource-0.6.37-2.33.1 libsolv-devel-0.6.37-2.33.1 libsolv-tools-0.6.37-2.33.1 libsolv-tools-debuginfo-0.6.37-2.33.1 libzypp-16.21.4-2.51.1 libzypp-debuginfo-16.21.4-2.51.1 libzypp-debugsource-16.21.4-2.51.1 libzypp-devel-16.21.4-2.51.1 perl-solv-0.6.37-2.33.1 perl-solv-debuginfo-0.6.37-2.33.1 python-solv-0.6.37-2.33.1 python-solv-debuginfo-0.6.37-2.33.1 - SUSE OpenStack Cloud 8 (x86_64): libsolv-debugsource-0.6.37-2.33.1 libsolv-devel-0.6.37-2.33.1 libsolv-tools-0.6.37-2.33.1 libsolv-tools-debuginfo-0.6.37-2.33.1 libzypp-16.21.4-2.51.1 libzypp-debuginfo-16.21.4-2.51.1 libzypp-debugsource-16.21.4-2.51.1 libzypp-devel-16.21.4-2.51.1 perl-solv-0.6.37-2.33.1 perl-solv-debuginfo-0.6.37-2.33.1 python-solv-0.6.37-2.33.1 python-solv-debuginfo-0.6.37-2.33.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libsolv-debugsource-0.6.37-2.33.1 libsolv-devel-0.6.37-2.33.1 libsolv-devel-debuginfo-0.6.37-2.33.1 libzypp-debuginfo-16.21.4-2.51.1 libzypp-debugsource-16.21.4-2.51.1 libzypp-devel-16.21.4-2.51.1 libzypp-devel-doc-16.21.4-2.51.1 perl-solv-0.6.37-2.33.1 perl-solv-debuginfo-0.6.37-2.33.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): libsolv-debugsource-0.6.37-2.33.1 libsolv-devel-0.6.37-2.33.1 libsolv-tools-0.6.37-2.33.1 libsolv-tools-debuginfo-0.6.37-2.33.1 libzypp-16.21.4-2.51.1 libzypp-debuginfo-16.21.4-2.51.1 libzypp-debugsource-16.21.4-2.51.1 libzypp-devel-16.21.4-2.51.1 perl-solv-0.6.37-2.33.1 perl-solv-debuginfo-0.6.37-2.33.1 python-solv-0.6.37-2.33.1 python-solv-debuginfo-0.6.37-2.33.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libsolv-debugsource-0.6.37-2.33.1 libsolv-devel-0.6.37-2.33.1 libsolv-tools-0.6.37-2.33.1 libsolv-tools-debuginfo-0.6.37-2.33.1 libzypp-16.21.4-2.51.1 libzypp-debuginfo-16.21.4-2.51.1 libzypp-debugsource-16.21.4-2.51.1 libzypp-devel-16.21.4-2.51.1 perl-solv-0.6.37-2.33.1 
perl-solv-debuginfo-0.6.37-2.33.1 python-solv-0.6.37-2.33.1 python-solv-debuginfo-0.6.37-2.33.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libsolv-debugsource-0.6.37-2.33.1 libsolv-devel-0.6.37-2.33.1 libsolv-tools-0.6.37-2.33.1 libsolv-tools-debuginfo-0.6.37-2.33.1 libzypp-16.21.4-2.51.1 libzypp-debuginfo-16.21.4-2.51.1 libzypp-debugsource-16.21.4-2.51.1 libzypp-devel-16.21.4-2.51.1 perl-solv-0.6.37-2.33.1 perl-solv-debuginfo-0.6.37-2.33.1 python-solv-0.6.37-2.33.1 python-solv-debuginfo-0.6.37-2.33.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): libsolv-debugsource-0.6.37-2.33.1 libsolv-devel-0.6.37-2.33.1 libsolv-tools-0.6.37-2.33.1 libsolv-tools-debuginfo-0.6.37-2.33.1 libzypp-16.21.4-2.51.1 libzypp-debuginfo-16.21.4-2.51.1 libzypp-debugsource-16.21.4-2.51.1 libzypp-devel-16.21.4-2.51.1 perl-solv-0.6.37-2.33.1 perl-solv-debuginfo-0.6.37-2.33.1 python-solv-0.6.37-2.33.1 python-solv-debuginfo-0.6.37-2.33.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libsolv-debugsource-0.6.37-2.33.1 libsolv-devel-0.6.37-2.33.1 libsolv-tools-0.6.37-2.33.1 libsolv-tools-debuginfo-0.6.37-2.33.1 libzypp-16.21.4-2.51.1 libzypp-debuginfo-16.21.4-2.51.1 libzypp-debugsource-16.21.4-2.51.1 libzypp-devel-16.21.4-2.51.1 perl-solv-0.6.37-2.33.1 perl-solv-debuginfo-0.6.37-2.33.1 python-solv-0.6.37-2.33.1 python-solv-debuginfo-0.6.37-2.33.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libsolv-debugsource-0.6.37-2.33.1 libsolv-devel-0.6.37-2.33.1 libsolv-tools-0.6.37-2.33.1 libsolv-tools-debuginfo-0.6.37-2.33.1 libzypp-16.21.4-2.51.1 libzypp-debuginfo-16.21.4-2.51.1 libzypp-debugsource-16.21.4-2.51.1 libzypp-devel-16.21.4-2.51.1 perl-solv-0.6.37-2.33.1 perl-solv-debuginfo-0.6.37-2.33.1 python-solv-0.6.37-2.33.1 python-solv-debuginfo-0.6.37-2.33.1 - HPE Helion Openstack 8 (x86_64): libsolv-debugsource-0.6.37-2.33.1 libsolv-devel-0.6.37-2.33.1 libsolv-tools-0.6.37-2.33.1 
libsolv-tools-debuginfo-0.6.37-2.33.1 libzypp-16.21.4-2.51.1 libzypp-debuginfo-16.21.4-2.51.1 libzypp-debugsource-16.21.4-2.51.1 libzypp-devel-16.21.4-2.51.1 perl-solv-0.6.37-2.33.1 perl-solv-debuginfo-0.6.37-2.33.1 python-solv-0.6.37-2.33.1 python-solv-debuginfo-0.6.37-2.33.1 References: https://www.suse.com/security/cve/CVE-2019-20387.html https://www.suse.com/security/cve/CVE-2021-3200.html https://bugzilla.suse.com/1161510 https://bugzilla.suse.com/1186229 From sle-security-updates at lists.suse.com Mon Jun 28 19:45:10 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 28 Jun 2021 21:45:10 +0200 (CEST) Subject: SUSE-SU-2021:2175-1: important: Security update for arpwatch Message-ID: <20210628194510.07B91F74A@maintenance.suse.de> SUSE Security Update: Security update for arpwatch ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2175-1 Rating: important References: #1186240 Cross-References: CVE-2021-25321 CVSS scores: CVE-2021-25321 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for arpwatch fixes the following issues: - CVE-2021-25321: Fixed local privilege escalation from runtime user to root (bsc#1186240). 
Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-2175=1

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-2175=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-2175=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-2175=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-2175=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-2175=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-2175=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-2175=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-2175=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-2175=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-2175=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-2175=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2021-2175=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      arpwatch-2.1a15-159.9.1
      arpwatch-debuginfo-2.1a15-159.9.1
      arpwatch-debugsource-2.1a15-159.9.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      arpwatch-2.1a15-159.9.1
      arpwatch-debuginfo-2.1a15-159.9.1
      arpwatch-debugsource-2.1a15-159.9.1

   - SUSE OpenStack Cloud 9 (x86_64):

      arpwatch-2.1a15-159.9.1
      arpwatch-debuginfo-2.1a15-159.9.1
      arpwatch-debugsource-2.1a15-159.9.1

   - SUSE OpenStack Cloud 8 (x86_64):

      arpwatch-2.1a15-159.9.1
      arpwatch-debuginfo-2.1a15-159.9.1
      arpwatch-debugsource-2.1a15-159.9.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      arpwatch-debuginfo-2.1a15-159.9.1
      arpwatch-debugsource-2.1a15-159.9.1
      arpwatch-ethercodes-build-2.1a15-159.9.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      arpwatch-2.1a15-159.9.1
      arpwatch-debuginfo-2.1a15-159.9.1
      arpwatch-debugsource-2.1a15-159.9.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      arpwatch-2.1a15-159.9.1
      arpwatch-debuginfo-2.1a15-159.9.1
      arpwatch-debugsource-2.1a15-159.9.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      arpwatch-2.1a15-159.9.1
      arpwatch-debuginfo-2.1a15-159.9.1
      arpwatch-debugsource-2.1a15-159.9.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      arpwatch-2.1a15-159.9.1
      arpwatch-debuginfo-2.1a15-159.9.1
      arpwatch-debugsource-2.1a15-159.9.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      arpwatch-2.1a15-159.9.1
      arpwatch-debuginfo-2.1a15-159.9.1
      arpwatch-debugsource-2.1a15-159.9.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      arpwatch-2.1a15-159.9.1
      arpwatch-debuginfo-2.1a15-159.9.1
      arpwatch-debugsource-2.1a15-159.9.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      arpwatch-2.1a15-159.9.1
      arpwatch-debuginfo-2.1a15-159.9.1
      arpwatch-debugsource-2.1a15-159.9.1

   - HPE Helion Openstack 8 (x86_64):

      arpwatch-2.1a15-159.9.1
      arpwatch-debuginfo-2.1a15-159.9.1
      arpwatch-debugsource-2.1a15-159.9.1

References:

   https://www.suse.com/security/cve/CVE-2021-25321.html
   https://bugzilla.suse.com/1186240

From sle-security-updates at lists.suse.com Mon Jun 28 19:50:29 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 28 Jun 2021 21:50:29 +0200 (CEST)
Subject: SUSE-SU-2021:2186-1: important: Security update for go1.16
Message-ID: <20210628195029.51043F78F@maintenance.suse.de>

   SUSE Security Update: Security update for go1.16
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:2186-1
Rating:             important
References:         #1182345 #1186622 #1187443 #1187444 #1187445
Cross-References:   CVE-2021-33195 CVE-2021-33196 CVE-2021-33197 CVE-2021-33198
CVSS scores:
                    CVE-2021-33195 (SUSE): 6.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
                    CVE-2021-33196 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-33197 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2021-33198 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15-SP3
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
______________________________________________________________________________

   An update that solves four vulnerabilities and has one errata is now available.

Description:

   This update for go1.16 fixes the following issues:

   Update to 1.16.5.

   Includes these security fixes

   - CVE-2021-33195: net: Lookup functions may return invalid host names (bsc#1187443).
   - CVE-2021-33196: archive/zip: malformed archive may cause panic or memory exhaustion (bsc#1186622).
   - CVE-2021-33197: net/http/httputil: ReverseProxy forwards Connection headers if first one is empty (bsc#1187444)
   - CVE-2021-33198: math/big: (*Rat).SetString with "1.770p02041010010011001001" crashes with "makeslice: len out of range" (bsc#1187445).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Development Tools 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-2186=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-2186=1

Package List:

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64):

      go1.16-1.16.5-1.17.1
      go1.16-doc-1.16.5-1.17.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 x86_64):

      go1.16-race-1.16.5-1.17.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):

      go1.16-1.16.5-1.17.1
      go1.16-doc-1.16.5-1.17.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64):

      go1.16-race-1.16.5-1.17.1

References:

   https://www.suse.com/security/cve/CVE-2021-33195.html
   https://www.suse.com/security/cve/CVE-2021-33196.html
   https://www.suse.com/security/cve/CVE-2021-33197.html
   https://www.suse.com/security/cve/CVE-2021-33198.html
   https://bugzilla.suse.com/1182345
   https://bugzilla.suse.com/1186622
   https://bugzilla.suse.com/1187443
   https://bugzilla.suse.com/1187444
   https://bugzilla.suse.com/1187445

From sle-security-updates at lists.suse.com Mon Jun 28 19:56:11 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 28 Jun 2021 21:56:11 +0200 (CEST)
Subject: SUSE-SU-2021:2184-1: important: Security update for the Linux Kernel
Message-ID: <20210628195611.E0BBFF78F@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:2184-1
Rating:             important
References:         #1087082 #1152489 #1154353 #1174978 #1176447
                    #1176771 #1177666 #1178134 #1178378 #1178612
                    #1179610 #1182999 #1183712 #1184259 #1184436
                    #1184631 #1185195 #1185428 #1185497 #1185570
                    #1185589 #1185675 #1185701 #1186155 #1186286
                    #1186460 #1186463 #1186472 #1186501 #1186672
                    #1186677 #1186681 #1186752 #1186885 #1186928
                    #1186949 #1186950 #1186951 #1186952 #1186953
                    #1186954 #1186955 #1186956 #1186957 #1186958
                    #1186959 #1186960 #1186961 #1186962 #1186963
                    #1186964 #1186965 #1186966 #1186967 #1186968
                    #1186969 #1186970 #1186971 #1186972 #1186973
                    #1186974 #1186976 #1186977 #1186978 #1186979
                    #1186980 #1186981 #1186982 #1186983 #1186984
                    #1186985 #1186986 #1186987 #1186988 #1186989
                    #1186990 #1186991 #1186992 #1186993 #1186994
                    #1186995 #1186996 #1186997 #1186998 #1186999
                    #1187000 #1187001 #1187002 #1187003 #1187038
                    #1187039 #1187050 #1187052 #1187067 #1187068
                    #1187069 #1187072 #1187143 #1187144 #1187167
                    #1187334 #1187344 #1187345 #1187346 #1187347
                    #1187348 #1187349 #1187350 #1187351 #1187357
                    #1187711
Cross-References:   CVE-2020-26558 CVE-2020-36385 CVE-2020-36386 CVE-2021-0129
CVSS scores:
                    CVE-2020-26558 (NVD) : 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2020-26558 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
                    CVE-2020-36385 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2020-36385 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-36386 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36386 (SUSE): 5.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
                    CVE-2021-0129 (NVD) : 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-0129 (SUSE): 6.4 CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP3
                    SUSE Linux Enterprise Module for Live Patching 15-SP3
                    SUSE Linux Enterprise Module for Legacy Software 15-SP3
                    SUSE Linux Enterprise Module for Development Tools 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise High Availability 15-SP3
______________________________________________________________________________

   An update that solves four vulnerabilities and has 107 fixes is now available.

Description:

   The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.

   The following security bugs were fixed:

   - CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. (bnc#1179610 bnc#1186463)
   - CVE-2021-0129: Improper access control in BlueZ may have allowed an authenticated user to potentially enable information disclosure via adjacent access (bnc#1186463).
   - CVE-2020-36385: Fixed a use-after-free in drivers/infiniband/core/ucma.c which could be triggered if the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called (bnc#1187050).
   - CVE-2020-36386: Fixed a slab out-of-bounds read in hci_extended_inquiry_result_evt (bnc#1187038).

   The following non-security bugs were fixed:

   - ACPICA: Clean up context mutex during object deletion (git-fixes).
   - ALSA: hda/cirrus: Set Initial DMIC volume to -26 dB (git-fixes).
   - ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx (git-fixes).
   - ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx (git-fixes).
   - ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP EliteBook x360 1040 G8 (git-fixes).
   - ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Elite Dragonfly G2 (git-fixes).
   - ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 840 Aero G8 (git-fixes).
   - ALSA: hda/realtek: fix mute/micmute LEDs for HP ZBook Power G8 (git-fixes).
   - ALSA: hda/realtek: headphone and mic do not work on an Acer laptop (git-fixes).
   - ALSA: hda: update the power_state during the direct-complete (git-fixes).
   - ALSA: seq: Fix race of snd_seq_timer_open() (git-fixes).
   - ALSA: timer: Fix master timer notification (git-fixes).
   - arm64: Add missing ISB after invalidating TLB in __primary_switch (git-fixes).
   - arm64: avoid -Woverride-init warning (git-fixes).
   - arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL (git-fixes).
   - arm64: kdump: update ppos when reading elfcorehdr (git-fixes).
   - arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails (git-fixes).
   - arm64: link with -z norelro for LLD or aarch64-elf (git-fixes).
   - arm64: link with -z norelro regardless of CONFIG_RELOCATABLE (git-fixes).
   - arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory (git-fixes).
   - arm64: ptrace: Fix seccomp of traced syscall -1 (NO_SYSCALL) (git-fixes).
   - arm64: ptrace: Use NO_SYSCALL instead of -1 in syscall_trace_enter() (git-fixes).
   - ARM64: vdso32: Install vdso32 from vdso_install (git-fixes).
   - arm64: vdso32: make vdso32 install conditional (git-fixes).
   - arm: mm: use __pfn_to_section() to get mem_section (git-fixes).
   - ASoC: amd: fix for pcm_read() error (git-fixes).
   - ASoC: cs43130: handle errors in cs43130_probe() properly (git-fixes).
   - ASoC: Intel: soc-acpi: remove TGL RVP mixed SoundWire/TDM config (git-fixes).
   - ASoC: max98088: fix ni clock divider calculation (git-fixes).
   - ath6kl: return error code in ath6kl_wmi_set_roam_lrssi_cmd() (git-fixes).
   - bcache: avoid oversized read request in cache missing code path (bsc#1187357, bsc#1185570, bsc#1184631).
   - bcache: Convert to DEFINE_SHOW_ATTRIBUTE (bsc#1187357).
   - bcache: do not pass BIOSET_NEED_BVECS for the 'bio_set' embedded in 'cache_set' (bsc#1187357).
   - bcache: fix a regression of code compiling failure in debug.c (bsc#1187357).
   - bcache: inherit the optimal I/O size (bsc#1187357).
   - bcache: reduce redundant code in bch_cached_dev_run() (bsc#1187357).
   - bcache: remove bcache device self-defined readahead (bsc#1187357, bsc#1185570, bsc#1184631).
   - bcache: remove PTR_CACHE (bsc#1187357).
   - bcache: Use 64-bit arithmetic instead of 32-bit (bsc#1187357).
   - bcache: use NULL instead of using plain integer as pointer (bsc#1187357).
   - blk-mq: Swap two calls in blk_mq_exit_queue() (git-fixes).
   - blk-settings: align max_sectors on "logical_block_size" boundary (bsc#1185195).
   - block/genhd: use atomic_t for disk_event->block (bsc#1185497).
   - block: return the correct bvec when checking for gaps (bsc#1187143).
   - block: return the correct bvec when checking for gaps (bsc#1187144).
   - Bluetooth: fix the erroneous flush_work() order (git-fixes).
   - brcmfmac: Add clm_blob firmware files to modinfo (bsc#1186677).
   - brcmfmac: properly check for bus register errors (git-fixes).
   - btrfs: open device without device_list_mutex (bsc#1176771).
   - bus: ti-sysc: Fix flakey idling of uarts and stop using swsup_sidle_act (git-fixes).
   - cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom (git-fixes).
   - cdrom: gdrom: initialize global variable at init time (git-fixes).
   - ceph: do not clobber i_snap_caps on non-I_NEW inode (bsc#1186501).
   - ceph: fix inode leak on getattr error in __fh_to_dentry (bsc#1186501).
   - ceph: fix up error handling with snapdirs (bsc#1186501).
   - ceph: only check pool permissions for regular files (bsc#1186501).
   - char: hpet: add checks after calling ioremap (git-fixes).
   - chelsio/chtls: unlock on error in chtls_pt_recvmsg() (jsc#SLE-15129).
   - cxgb4: avoid accessing registers when clearing filters (git-fixes).
   - cxgb4: avoid link re-train during TC-MQPRIO configuration (jsc#SLE-8389).
   - cxgb4/ch_ktls: Clear resources when pf4 device is removed (jsc#SLE-15129).
   - cxgb4: fix regression with HASH tc prio value update (jsc#SLE-15131).
   - devlink: Correct VIRTUAL port to not have phys_port attributes (jsc#SLE-15172).
   - dmaengine: idxd: add missing dsa driver unregister (git-fixes).
   - dmaengine: idxd: Use cpu_feature_enabled() (git-fixes).
   - dmaengine: qcom_hidma: comment platform_driver_register call (git-fixes).
   - drm/amd/amdgpu: fix a potential deadlock in gpu reset (git-fixes).
   - drm/amd/amdgpu: fix refcount leak (git-fixes).
   - drm/amd/display: Disconnect non-DP with no EDID (git-fixes).
   - drm/amdgpu: Do not query CE and UE errors (git-fixes).
   - drm/amdgpu: Fix a use-after-free (git-fixes).
   - drm/amdgpu/jpeg2.0: add cancel_delayed_work_sync before power gate (git-fixes).
   - drm/amdgpu/jpeg2.5: add cancel_delayed_work_sync before power gate (git-fixes).
   - drm/amdgpu/jpeg3: add cancel_delayed_work_sync before power gate (git-fixes).
   - drm/amdgpu: make sure we unpin the UVD BO (git-fixes).
   - drm/amdgpu: stop touching sched.ready in the backend (git-fixes).
   - drm/amdgpu/vcn1: add cancel_delayed_work_sync before power gate (git-fixes).
   - drm/amdgpu/vcn2.0: add cancel_delayed_work_sync before power gate (git-fixes).
   - drm/amdgpu/vcn2.5: add cancel_delayed_work_sync before power gate (git-fixes).
   - drm/amdgpu/vcn3: add cancel_delayed_work_sync before power gate (git-fixes).
   - drm/amdkfd: correct sienna_cichlid SDMA RLC register offset error (git-fixes).
   - drm/i915/selftests: Fix return value check in live_breadcrumbs_smoketest() (git-fixes).
   - drm/mcde: Fix off by 10^3 in calculation (git-fixes).
   - drm/meson: fix shutdown crash when component not probed (git-fixes).
   - drm/msm/a6xx: fix incorrectly set uavflagprd_inv field for A650 (git-fixes).
   - drm/msm/a6xx: update/fix CP_PROTECT initialization (git-fixes).
   - efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared (git-fixes).
   - efi: cper: fix snprintf() use in cper_dimm_err_location() (git-fixes).
   - efi/libstub: prevent read overflow in find_file_option() (git-fixes).
   - Enable CONFIG_PCI_PF_STUB for Nvidia Ampere vGPU support (jsc#SLE-17882 jsc#ECO-3691)
   - fs/nfs: Use fatal_signal_pending instead of signal_pending (git-fixes).
   - gpio: cadence: Add missing MODULE_DEVICE_TABLE (git-fixes).
   - gpio: wcd934x: Fix shift-out-of-bounds error (git-fixes).
   - gve: Add NULL pointer checks when freeing irqs (git-fixes).
   - gve: Correct SKB queue index validation (git-fixes).
   - gve: Update mgmt_msix_idx if num_ntfy changes (git-fixes).
   - gve: Upgrade memory barrier in poll routine (git-fixes).
   - HID: i2c-hid: fix format string mismatch (git-fixes).
   - HID: i2c-hid: Skip ELAN power-on command after reset (git-fixes).
   - HID: magicmouse: fix NULL-deref on disconnect (git-fixes).
   - HID: multitouch: require Finger field to mark Win8 reports as MT (git-fixes).
   - HID: pidff: fix error return code in hid_pidff_init() (git-fixes).
   - hwmon: (dell-smm-hwmon) Fix index values (git-fixes).
   - i2c: i801: Do not generate an interrupt on bus reset (git-fixes).
   - i2c: imx: fix reference leak when pm_runtime_get_sync fails (git-fixes).
   - i2c: qcom-geni: Suspend and resume the bus during SYSTEM_SLEEP_PM ops (git-fixes).
   - i2c: s3c2410: fix possible NULL pointer deref on read message after write (git-fixes).
   - i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E (git-fixes).
   - ice: Allow all LLDP packets from PF to Tx (jsc#SLE-7926).
   - ice: Fix allowing VF to request more/less queues via virtchnl (jsc#SLE-12878).
   - ice: Fix VFR issues for AVF drivers that expect ATQLEN cleared (git-fixes).
   - ice: handle the VF VSI rebuild failure (jsc#SLE-12878).
   - iio: adc: ad7124: Fix missbalanced regulator enable / disable on error (git-fixes).
   - iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers (git-fixes).
   - iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp() (git-fixes).
   - iio: adc: ad7793: Add missing error code in ad7793_setup() (git-fixes).
   - iio: gyro: fxas21002c: balance runtime power in error path (git-fixes).
   - iommu/amd: Keep track of amd_iommu_irq_remap state (https://bugzilla.kernel.org/show_bug.cgi?id=212133).
   - iommu: Fix a boundary issue to avoid performance drop (bsc#1187344).
   - iommu/virtio: Add missing MODULE_DEVICE_TABLE (bsc#1187345).
   - iommu/vt-d: Remove WO permissions on second-level paging entries (bsc#1187346).
   - iommu/vt-d: Report right snoop capability when using FL for IOVA (bsc#1187347).
   - iommu/vt-d: Use user privilege for RID2PASID translation (bsc#1187348).
   - isdn: mISDN: correctly handle ph_info allocation failure in hfcsusb_ph_info (git-fixes).
   - isdn: mISDNinfineon: check/cleanup ioremap failure correctly in setup_io (git-fixes).
   - ixgbe: fix large MTU request from VF (git-fixes).
   - kABI workaround for rtw88 (git-fixes).
   - kABI workaround for struct lis3lv02d change (git-fixes).
   - lib: crc64: fix kernel-doc warning (bsc#1187357).
   - libertas: register sysfs groups properly (git-fixes).
   - locking/mutex: clear MUTEX_FLAGS if wait_list is empty due to signal (git-fixes).
   - md: bcache: avoid -Wempty-body warnings (bsc#1187357).
   - md: bcache: Trivial typo fixes in the file journal.c (bsc#1187357).
   - md: Fix missing unused status line of /proc/mdstat (git-fixes).
   - media: dvb: Add check on sp8870_readreg return (git-fixes).
   - media: dvb: Add check on sp8870_readreg return (git-fixes).
   - media: gspca: mt9m111: Check write_bridge for timeout (git-fixes).
   - media: gspca: mt9m111: Check write_bridge for timeout (git-fixes).
   - media: gspca: properly check for errors in po1030_probe() (git-fixes).
   - media: gspca: properly check for errors in po1030_probe() (git-fixes).
   - mei: request autosuspend after sending rx flow control (git-fixes).
   - misc/uss720: fix memory leak in uss720_probe (git-fixes).
   - mmc: sdhci: Clear unused bounce buffer at DMA mmap error path (bsc#1187039).
   - net: bnx2: Fix error return code in bnx2_init_board() (git-fixes).
   - netfilter: nf_tables: missing error reporting for not selected expressions (bsc#1176447).
   - netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version (bsc#1176447).
   - net: fix iteration for sctp transport seq_files (git-fixes).
   - net: hns3: fix incorrect resp_msg issue (jsc#SLE-14777).
   - net: hns3: Limiting the scope of vector_ring_chain variable (git-fixes).
   - net: hns3: put off calling register_netdev() until client initialize complete (bsc#1154353).
   - net/mlx4: Fix EEPROM dump support (git-fixes).
   - net/mlx5: DR, Create multi-destination flow table with level less than 64 (jsc#SLE-8464).
   - net/mlx5e: Fix error path of updating netdev queues (jsc#SLE-15172).
   - net/mlx5e: Fix incompatible casting (jsc#SLE-15172).
   - net/mlx5e: Fix multipath lag activation (git-fixes).
   - net/mlx5e: Fix null deref accessing lag dev (jsc#SLE-15172).
   - net/mlx5e: Fix nullptr in add_vlan_push_action() (git-fixes).
   - net/mlx5e: reset XPS on error flow if netdev isn't registered yet (jsc#SLE-15172).
   - net/mlx5: Set reformat action when needed for termination rules (jsc#SLE-15172).
   - net/mlx5: Set term table as an unmanaged flow table (jsc#SLE-15172).
   - net/sched: act_ct: Offload connections with commit action (jsc#SLE-15172).
   - net/sched: fq_pie: fix OOB access in the traffic path (jsc#SLE-15172).
   - net/sched: fq_pie: re-factor fix for fq_pie endless loop (jsc#SLE-15172).
   - net: usb: fix memory leak in smsc75xx_bind (git-fixes).
   - net: zero-initialize tc skb extension on allocation (bsc#1176447).
   - nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect (git-fixes).
   - NFC: SUSE specific brutal fix for runtime PM (bsc#1185589).
   - NFS: Deal correctly with attribute generation counter overflow (git-fixes).
   - NFS: Do not corrupt the value of pg_bytes_written in nfs_do_recoalesce() (git-fixes).
   - NFS: Do not discard pNFS layout segments that are marked for return (git-fixes).
   - NFS: Do not gratuitously clear the inode cache when lookup failed (git-fixes).
   - NFS: Do not revalidate the directory permissions on a lookup failure (git-fixes).
   - nfsd: register pernet ops last, unregister first (git-fixes).
   - NFSD: Repair misuse of sv_lock in 5.10.16-rt30 (git-fixes).
   - NFS: fix an incorrect limit in filelayout_decode_layout() (git-fixes).
   - NFS: Fix an Oopsable condition in __nfs_pageio_add_request() (git-fixes).
   - NFSv4.2: Always flush out writes in nfs42_proc_fallocate() (git-fixes).
   - NFSv42: Copy offload should update the file size when appropriate (git-fixes).
   - NFSv4.2 fix handling of sr_eof in SEEK's reply (git-fixes).
   - NFSv4.2: fix return value of _nfs4_get_security_label() (git-fixes).
   - NFSv4: Do not discard segments marked for return in _pnfs_return_layout() (git-fixes).
   - NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return() (git-fixes).
   - NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config (git-fixes).
   - nvme: add new line after variable declatation (bsc#1184259, bsc#1178612, bsc#1186155).
   - nvme: document nvme controller states (git-fixes).
   - nvme: do not check nvme_req flags for new req (bsc#1184259, bsc#1178612, bsc#1186155).
   - nvme: fix deadlock in disconnect during scan_work and/or ana_work (git-fixes).
   - nvme: mark nvme_setup_passsthru() inline (bsc#1184259, bsc#1178612, bsc#1186155).
   - nvme-multipath: fix double initialization of ANA state (bsc#1178612, bsc#1184259, bsc#1186155).
   - nvme-pci: align io queue count with allocted nvme_queue in (git-fixes).
   - nvme-pci: avoid race between nvme_reap_pending_cqes() and nvme_poll() (git-fixes).
   - nvme-pci: dma read memory barrier for completions (git-fixes).
   - nvme-pci: fix "slimmer CQ head update" (git-fixes).
   - nvme-pci: make sure write/poll_queues less or equal then cpu (git-fixes).
   - nvme-pci: remove last_sq_tail (git-fixes).
   - nvme-pci: Remove tag from process cq (git-fixes).
   - nvme-pci: Remove two-pass completions (git-fixes).
   - nvme-pci: remove volatile cqes (git-fixes).
   - nvme-pci: Simplify nvme_poll_irqdisable (git-fixes).
   - nvme-pci: slimmer CQ head update (git-fixes).
   - nvme-pci: use simple suspend when a HMB is enabled (git-fixes).
   - nvme: reduce checks for zero command effects (bsc#1184259, bsc#1178612, bsc#1186155).
   - nvme: rename nvme_init_identify() (bsc#1184259, bsc#1178612, bsc#1186155).
   - nvme: split init identify into helper (bsc#1184259, bsc#1178612, bsc#1186155).
   - nvmet: use new ana_log_size instead the old one (bsc#1178612, bsc#1184259, bsc#1186155).
   - nvme: use NVME_CTRL_CMIC_ANA macro (bsc#1184259, bsc#1178612, bsc#1186155).
   - nxp-i2c: restore includes for kABI (bsc#1185589).
   - nxp-nci: add NXP1002 id (bsc#1185589).
   - PCI/LINK: Remove bandwidth notification (bsc#1183712).
   - pid: take a reference when initializing `cad_pid` (bsc#1152489).
   - platform/x86: hp_accel: Avoid invoking _INI to speed up resume (git-fixes).
   - platform/x86: hp-wireless: add AMD's hardware id to the supported list (git-fixes).
   - platform/x86: intel_punit_ipc: Append MODULE_DEVICE_TABLE for ACPI (git-fixes).
   - platform/x86: touchscreen_dmi: Add info for the Mediacom Winpad 7.0 W700 tablet (git-fixes).
   - PM: sleep: Add pm_debug_messages kernel command line option (bsc#1186752).
   - pNFS/flexfiles: fix incorrect size check in decode_nfs_fh() (git-fixes).
   - pNFS/NFSv4: Fix a layout segment leak in pnfs_layout_process() (git-fixes).
   - powerpc/32: Fix boot failure with CONFIG_STACKPROTECTOR (jsc#SLE-13847 git-fixes).
   - powerpc/kprobes: Fix validation of prefixed instructions across page boundary (jsc#SLE-13847 git-fixes).
   - regulator: core: resolve supply for boot-on/always-on regulators (git-fixes).
   - regulator: max77620: Use device_set_of_node_from_dev() (git-fixes).
   - rtw88: 8822c: add LC calibration for RTL8822C (git-fixes).
   - scsi: aacraid: Fix an oops in error handling (bsc#1187072).
   - scsi: aacraid: Remove erroneous fallthrough annotation (bsc#1186950).
   - scsi: aacraid: Use memdup_user() as a cleanup (bsc#1186951).
   - scsi: acornscsi: Fix an error handling path in acornscsi_probe() (bsc#1186952).
   - scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs() (bsc#1186953).
   - scsi: be2iscsi: Revert "Fix a theoretical leak in beiscsi_create_eqs()" (bsc#1187067).
   - scsi: bfa: Fix error return in bfad_pci_init() (bsc#1186954).
   - scsi: bnx2fc: Fix Kconfig warning & CNIC build errors (bsc#1186955).
   - scsi: bnx2i: Requires MMU (bsc#1186956).
   - scsi: csiostor: Fix wrong return value in csio_hw_prep_fw() (bsc#1186957).
   - scsi: cumana_2: Fix different dev_id between request_irq() and free_irq() (bsc#1186958).
   - scsi: cxgb3i: Fix some leaks in init_act_open() (bsc#1186959).
   - scsi: cxgb4i: Fix TLS dependency (bsc#1186960).
   - scsi: eesox: Fix different dev_id between request_irq() and free_irq() (bsc#1186961).
   - scsi: fnic: Fix error return code in fnic_probe() (bsc#1186962).
   - scsi: hisi_sas: Fix IRQ checks (bsc#1186963).
   - scsi: hisi_sas: Remove preemptible() (bsc#1186964).
   - scsi: jazz_esp: Add IRQ check (bsc#1186965).
   - scsi: libfc: Fix enum-conversion warning (bsc#1186966).
   - scsi: libsas: Fix error path in sas_notify_lldd_dev_found() (bsc#1186967).
   - scsi: libsas: Reset num_scatter if libata marks qc as NODATA (bsc#1187068).
   - scsi: libsas: Set data_dir as DMA_NONE if libata marks qc as NODATA (bsc#1186968).
   - scsi: lpfc: Fix ancient double free (bsc#1186969).
   - scsi: lpfc: Fix failure to transmit ABTS on FC link (git-fixes).
   - scsi: megaraid_sas: Check user-provided offsets (bsc#1186970).
   - scsi: megaraid_sas: Clear affinity hint (bsc#1186971).
   - scsi: megaraid_sas: Do not call disable_irq from process IRQ poll (bsc#1186972).
   - scsi: megaraid_sas: Fix MEGASAS_IOC_FIRMWARE regression (bsc#1186973).
   - scsi: megaraid_sas: Remove undefined ENABLE_IRQ_POLL macro (bsc#1186974).
   - scsi: mesh: Fix panic after host or bus reset (bsc#1186976).
   - scsi: mpt3sas: Do not use GFP_KERNEL in atomic context (bsc#1186977).
   - scsi: mpt3sas: Fix error return code of mpt3sas_base_attach() (bsc#1186978).
   - scsi: mpt3sas: Fix ioctl timeout (bsc#1186979).
   - scsi: myrs: Fix a double free in myrs_cleanup() (bsc#1186980).
   - scsi: pm80xx: Fix error return in pm8001_pci_probe() (bsc#1186981).
   - scsi: powertec: Fix different dev_id between request_irq() and free_irq() (bsc#1186982).
   - scsi: qedi: Check for buffer overflow in qedi_set_path() (bsc#1186983).
   - scsi: qedi: Fix error return code of qedi_alloc_global_queues() (bsc#1186984).
   - scsi: qedi: Fix missing destroy_workqueue() on error in __qedi_probe (bsc#1186985).
   - scsi: qla2xxx: Prevent PRLI in target mode (git-fixes).
   - scsi: qla4xxx: Fix an error handling path in 'qla4xxx_get_host_stats()' (bsc#1186986).
   - scsi: qla4xxx: Remove in_interrupt() (bsc#1186987).
   - scsi: scsi_debug: Add check for sdebug_max_queue during module init (bsc#1186988).
   - scsi: scsi_dh_alua: Retry RTPG on a different path after failure (bsc#1174978 bsc#1185701).
   - scsi: sd: Fix Opal support (bsc#1186989).
   - scsi: smartpqi: Add additional logging for LUN resets (bsc#1186472).
   - scsi: smartpqi: Add host level stream detection enable (bsc#1186472).
   - scsi: smartpqi: Add new PCI IDs (bsc#1186472).
   - scsi: smartpqi: Add phy ID support for the physical drives (bsc#1186472).
   - scsi: smartpqi: Add stream detection (bsc#1186472).
   - scsi: smartpqi: Add support for BMIC sense feature cmd and feature bits (bsc#1186472).
   - scsi: smartpqi: Add support for long firmware version (bsc#1186472).
   - scsi: smartpqi: Add support for new product ids (bsc#1186472).
   - scsi: smartpqi: Add support for RAID1 writes (bsc#1186472).
   - scsi: smartpqi: Add support for RAID5 and RAID6 writes (bsc#1186472).
   - scsi: smartpqi: Add support for wwid (bsc#1186472).
   - scsi: smartpqi: Align code with oob driver (bsc#1186472).
   - scsi: smartpqi: Convert snprintf() to scnprintf() (bsc#1186472).
   - scsi: smartpqi: Correct request leakage during reset operations (bsc#1186472).
   - scsi: smartpqi: Correct system hangs when resuming from hibernation (bsc#1186472).
   - scsi: smartpqi: Disable WRITE SAME for HBA NVMe disks (bsc#1186472).
   - scsi: smartpqi: Fix blocks_per_row static checker issue (bsc#1186472).
   - scsi: smartpqi: Fix device pointer variable reference static checker issue (bsc#1186472).
   - scsi: smartpqi: Fix driver synchronization issues (bsc#1186472).
   - scsi: smartpqi: Refactor aio submission code (bsc#1186472).
   - scsi: smartpqi: Refactor scatterlist code (bsc#1186472).
   - scsi: smartpqi: Remove timeouts from internal cmds (bsc#1186472).
   - scsi: smartpqi: Remove unused functions (bsc#1186472).
   - scsi: smartpqi: Synchronize device resets with mutex (bsc#1186472).
   - scsi: smartpqi: Update device scan operations (bsc#1186472).
   - scsi: smartpqi: Update enclosure identifier in sysfs (bsc#1186472).
   - scsi: smartpqi: Update event handler (bsc#1186472).
   - scsi: smartpqi: Update OFA management (bsc#1186472).
   - scsi: smartpqi: Update RAID bypass handling (bsc#1186472).
   - scsi: smartpqi: Update SAS initiator_port_protocols and target_port_protocols (bsc#1186472).
   - scsi: smartpqi: Update soft reset management for OFA (bsc#1186472).
   - scsi: smartpqi: Update suspend/resume and shutdown (bsc#1186472).
   - scsi: smartpqi: Update version to 2.1.8-045 (bsc#1186472).
   - scsi: smartpqi: Use host-wide tag space (bsc#1186472).
   - scsi: sni_53c710: Add IRQ check (bsc#1186990).
   - scsi: sun3x_esp: Add IRQ check (bsc#1186991).
   - scsi: ufs: Add quirk to disallow reset of interrupt aggregation (bsc#1186992).
   - scsi: ufs: Add quirk to enable host controller without hce (bsc#1186993).
   - scsi: ufs: Add quirk to fix abnormal ocs fatal error (bsc#1186994).
   - scsi: ufs: Add quirk to fix mishandling utrlclr/utmrlclr (bsc#1186995).
   - scsi: ufs: core: Narrow down fast path in system suspend path (bsc#1186996).
   - scsi: ufs: Do not update urgent bkops level when toggling auto bkops (bsc#1186997).
   - scsi: ufs: Fix race between shutdown and runtime resume flow (bsc#1186998).
   - scsi: ufshcd: use an enum for quirks (bsc#1186999).
   - scsi: ufs: Introduce UFSHCD_QUIRK_PRDT_BYTE_GRAN quirk (bsc#1187000).
   - scsi: ufs: Make ufshcd_print_trs() consider UFSHCD_QUIRK_PRDT_BYTE_GRAN (bsc#1187069).
   - scsi: ufs: Properly release resources if a task is aborted successfully (bsc#1187001).
   - scsi: ufs-qcom: Fix scheduling while atomic issue (bsc#1187002).
   - scsi: ufs: ufshcd-pltfrm: Fix deferred probing (bsc#1187003).
   - serial: 8250_pci: handle FL_NOIRQ board flag (git-fixes).
   - serial: core: fix suspicious security_locked_down() call (git-fixes).
   - serial: max310x: unregister uart driver in case of failure and abort (git-fixes).
   - serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait' (git-fixes).
   - serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (git-fixes).
   - serial: tegra: Fix a mask operation that is always true (git-fixes).
   - staging: emxx_udc: fix loop in _nbu2ss_nuke() (git-fixes).
   - staging: iio: cdc: ad7746: avoid overwrite of num_channels (git-fixes).
   - staging: rtl8723bs: Fix uninitialized variables (git-fixes).
   - sunrpc: fix refcount leak for rpc auth modules (git-fixes).
   - SUNRPC: More fixes for backlog congestion (bsc#1185428).
   - SUNRPC: Move fault injection call sites (git-fixes).
   - SUNRPC: Set memalloc_nofs_save() for sync tasks (git-fixes).
   - svcrdma: disable timeouts on rdma backchannel (git-fixes).
   - thermal/drivers/intel: Initialize RW trip to THERMAL_TEMP_INVALID (git-fixes).
   - thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (git-fixes).
   - thunderbolt: usb4: Fix NVM read buffer bounds and offset issue (git-fixes).
   - tpm: fix error return code in tpm2_get_cc_attrs_tbl() (git-fixes).
   - ttyprintk: Add TTY hangup callback (git-fixes).
   - UCSI fixup of array of PDOs (git-fixes).
   - usb: chipidea: imx: Fix Battery Charger 1.2 CDP detection (git-fixes).
   - usb: core: reduce power-on-good delay time of root hub (git-fixes).
   - usb: dwc3: gadget: Enable suspend events (git-fixes).
   - usb: fix various gadgets null ptr deref on 10gbps cabling (git-fixes).
   - USB: f_ncm: ncm_bitrate (speed) is unsigned (git-fixes).
   - usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() (git-fixes).
   - usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling (git-fixes).
   - usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms (git-fixes).
- USB: serial: cp210x: fix alternate function for CP2102N QFN20 (git-fixes). - USB: serial: ftdi_sio: add IDs for IDS GmbH Products (git-fixes). - USB: serial: option: add Telit LE910-S1 compositions 0x7010, 0x7011 (git-fixes). - USB: serial: pl2303: add device id for ADLINK ND-6530 GC (git-fixes). - USB: serial: quatech2: fix control-request directions (git-fixes). - USB: serial: ti_usb_3410_5052: add startech.com device id (git-fixes). - USB: trancevibrator: fix control-request direction (git-fixes). - usb: typec: intel_pmc_mux: Put fwnode in error case during ->probe() (git-fixes). - usb: typec: mux: Fix copy-paste mistake in typec_mux_match (git-fixes). - usb: typec: mux: Fix matching with typec_altmode_desc (git-fixes). - usb: typec: tcpm: Use LE to CPU conversion when accessing msg->header (git-fixes). - usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path (git-fixes). - usb: typec: ucsi: Retrieve all the PDOs instead of just the first 4 (git-fixes). - usb: typec: wcove: Use LE to CPU conversion when accessing msg->header (git-fixes). - USB: usbfs: Do not WARN about excessively large memory allocations (git-fixes). - vfio/pci: Fix error return code in vfio_ecap_init() (git-fixes). - vfio/pci: zap_vma_ptes() needs MMU (git-fixes). - vfio/platform: fix module_put call in error flow (git-fixes). - vmlinux.lds.h: Avoid orphan section with !SMP (git-fixes). - vsock/vmci: log once the failed queue pair allocation (git-fixes). - wireguard: allowedips: initialize list head in selftest (git-fixes). - wireguard: do not use -O3 (git-fixes). - wireguard: peer: allocate in kmem_cache (git-fixes). - wireguard: peer: put frequently used members above cache lines (git-fixes). - wireguard: queueing: get rid of per-peer ring buffers (git-fixes). - wireguard: selftests: make sure rp_filter is disabled on vethc (git-fixes). - wireguard: selftests: remove old conntrack kconfig value (git-fixes). 
- wireguard: use synchronize_net rather than synchronize_rcu (git-fixes). - x86/apic: Mark _all_ legacy interrupts when IO/APIC is missing (bsc#1152489). - x86/boot/64: Explicitly map boot_params and command line (jsc#SLE-14337). - x86/boot/compressed/64: Add 32-bit boot #VC handler (jsc#SLE-14337). - x86/boot/compressed/64: Add CPUID sanity check to 32-bit boot-path (jsc#SLE-14337). - x86/boot/compressed/64: Check SEV encryption in 64-bit boot-path (jsc#SLE-14337). - x86/boot/compressed/64: Check SEV encryption in the 32-bit boot-path (jsc#SLE-14337). - x86/boot/compressed/64: Cleanup exception handling before booting kernel (jsc#SLE-14337). - x86/boot/compressed/64: Introduce sev_status (jsc#SLE-14337). - x86/boot/compressed/64: Reload CS in startup_32 (jsc#SLE-14337). - x86/boot/compressed/64: Sanity-check CPUID results in the early #VC handler (jsc#SLE-14337). - x86/boot/compressed/64: Setup IDT in startup_32 boot path (jsc#SLE-14337). - x86/cpufeatures: Force disable X86_FEATURE_ENQCMD and remove update_pasid() (bsc#1178134). - x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is supported (bsc#1152489). - x86/fault: Do not send SIGSEGV twice on SEGV_PKUERR (bsc#1152489). - x86: fix seq_file iteration for pat.c (git-fixes). - x86/fpu: Prevent state corruption in __fpu__restore_sig() (bsc#1178134). - x86/head/64: Check SEV encryption before switching to kernel page-table (jsc#SLE-14337). - x86/head/64: Disable stack protection for head$(BITS).o (jsc#SLE-14337). - x86/ioremap: Map efi_mem_reserve() memory as encrypted for SEV (bsc#1186885). - x86/sev: Check SME/SEV support in CPUID first (jsc#SLE-14337). - x86/sev: Do not require Hypervisor CPUID bit for SEV guests (jsc#SLE-14337). - x86/sev-es: Do not return NULL from sev_es_get_ghcb() (bsc#1187349). - x86/sev-es: Do not support MMIO to/from encrypted memory (jsc#SLE-14337). - x86/sev-es: Forward page-faults which happen during emulation (bsc#1187350). 
- x86/sev-es: Replace open-coded hlt-loops with sev_es_terminate() (jsc#SLE-14337). - x86/sev-es: Use __put_user()/__get_user() for data accesses (bsc#1187351). - xfrm: policy: Read seqcount outside of rcu-read side in xfrm_policy_lookup_bytype (bsc#1185675). - xprtrdma: Avoid Receive Queue wrapping (git-fixes). - xprtrdma: rpcrdma_mr_pop() already does list_del_init() (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP3: zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-2184=1 - SUSE Linux Enterprise Module for Live Patching 15-SP3: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2021-2184=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP3: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP3-2021-2184=1 - SUSE Linux Enterprise Module for Development Tools 15-SP3: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-2184=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-2184=1 - SUSE Linux Enterprise High Availability 15-SP3: zypper in -t patch SUSE-SLE-Product-HA-15-SP3-2021-2184=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64): kernel-default-debuginfo-5.3.18-59.10.1 kernel-default-debugsource-5.3.18-59.10.1 kernel-default-extra-5.3.18-59.10.1 kernel-default-extra-debuginfo-5.3.18-59.10.1 kernel-preempt-debuginfo-5.3.18-59.10.1 kernel-preempt-debugsource-5.3.18-59.10.1 kernel-preempt-extra-5.3.18-59.10.1 kernel-preempt-extra-debuginfo-5.3.18-59.10.1 - SUSE Linux Enterprise Module for Live Patching 15-SP3 (ppc64le s390x x86_64): kernel-default-debuginfo-5.3.18-59.10.1 kernel-default-debugsource-5.3.18-59.10.1 
kernel-default-livepatch-5.3.18-59.10.1 kernel-default-livepatch-devel-5.3.18-59.10.1 kernel-livepatch-5_3_18-59_10-default-1-7.5.1 kernel-livepatch-5_3_18-59_10-default-debuginfo-1-7.5.1 kernel-livepatch-SLE15-SP3_Update_2-debugsource-1-7.5.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP3 (aarch64 ppc64le s390x x86_64): kernel-default-debuginfo-5.3.18-59.10.1 kernel-default-debugsource-5.3.18-59.10.1 reiserfs-kmp-default-5.3.18-59.10.1 reiserfs-kmp-default-debuginfo-5.3.18-59.10.1 - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64): kernel-obs-build-5.3.18-59.10.1 kernel-obs-build-debugsource-5.3.18-59.10.1 kernel-syms-5.3.18-59.10.1 - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 x86_64): kernel-preempt-debuginfo-5.3.18-59.10.1 kernel-preempt-debugsource-5.3.18-59.10.1 kernel-preempt-devel-5.3.18-59.10.1 kernel-preempt-devel-debuginfo-5.3.18-59.10.1 - SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch): kernel-docs-5.3.18-59.10.1 kernel-source-5.3.18-59.10.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): kernel-default-5.3.18-59.10.1 kernel-default-base-5.3.18-59.10.1.18.4.2 kernel-default-debuginfo-5.3.18-59.10.1 kernel-default-debugsource-5.3.18-59.10.1 kernel-default-devel-5.3.18-59.10.1 kernel-default-devel-debuginfo-5.3.18-59.10.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 x86_64): kernel-preempt-5.3.18-59.10.1 kernel-preempt-debuginfo-5.3.18-59.10.1 kernel-preempt-debugsource-5.3.18-59.10.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64): kernel-64kb-5.3.18-59.10.1 kernel-64kb-debuginfo-5.3.18-59.10.1 kernel-64kb-debugsource-5.3.18-59.10.1 kernel-64kb-devel-5.3.18-59.10.1 kernel-64kb-devel-debuginfo-5.3.18-59.10.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch): kernel-devel-5.3.18-59.10.1 kernel-macros-5.3.18-59.10.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (s390x): 
kernel-zfcpdump-5.3.18-59.10.1 kernel-zfcpdump-debuginfo-5.3.18-59.10.1 kernel-zfcpdump-debugsource-5.3.18-59.10.1 - SUSE Linux Enterprise High Availability 15-SP3 (aarch64 ppc64le s390x x86_64): cluster-md-kmp-default-5.3.18-59.10.1 cluster-md-kmp-default-debuginfo-5.3.18-59.10.1 dlm-kmp-default-5.3.18-59.10.1 dlm-kmp-default-debuginfo-5.3.18-59.10.1 gfs2-kmp-default-5.3.18-59.10.1 gfs2-kmp-default-debuginfo-5.3.18-59.10.1 kernel-default-debuginfo-5.3.18-59.10.1 kernel-default-debugsource-5.3.18-59.10.1 ocfs2-kmp-default-5.3.18-59.10.1 ocfs2-kmp-default-debuginfo-5.3.18-59.10.1 References: https://www.suse.com/security/cve/CVE-2020-26558.html https://www.suse.com/security/cve/CVE-2020-36385.html https://www.suse.com/security/cve/CVE-2020-36386.html https://www.suse.com/security/cve/CVE-2021-0129.html https://bugzilla.suse.com/1087082 https://bugzilla.suse.com/1152489 https://bugzilla.suse.com/1154353 https://bugzilla.suse.com/1174978 https://bugzilla.suse.com/1176447 https://bugzilla.suse.com/1176771 https://bugzilla.suse.com/1177666 https://bugzilla.suse.com/1178134 https://bugzilla.suse.com/1178378 https://bugzilla.suse.com/1178612 https://bugzilla.suse.com/1179610 https://bugzilla.suse.com/1182999 https://bugzilla.suse.com/1183712 https://bugzilla.suse.com/1184259 https://bugzilla.suse.com/1184436 https://bugzilla.suse.com/1184631 https://bugzilla.suse.com/1185195 https://bugzilla.suse.com/1185428 https://bugzilla.suse.com/1185497 https://bugzilla.suse.com/1185570 https://bugzilla.suse.com/1185589 https://bugzilla.suse.com/1185675 https://bugzilla.suse.com/1185701 https://bugzilla.suse.com/1186155 https://bugzilla.suse.com/1186286 https://bugzilla.suse.com/1186460 https://bugzilla.suse.com/1186463 https://bugzilla.suse.com/1186472 https://bugzilla.suse.com/1186501 https://bugzilla.suse.com/1186672 https://bugzilla.suse.com/1186677 https://bugzilla.suse.com/1186681 https://bugzilla.suse.com/1186752 https://bugzilla.suse.com/1186885 
https://bugzilla.suse.com/1186928 https://bugzilla.suse.com/1186949 https://bugzilla.suse.com/1186950 https://bugzilla.suse.com/1186951 https://bugzilla.suse.com/1186952 https://bugzilla.suse.com/1186953 https://bugzilla.suse.com/1186954 https://bugzilla.suse.com/1186955 https://bugzilla.suse.com/1186956 https://bugzilla.suse.com/1186957 https://bugzilla.suse.com/1186958 https://bugzilla.suse.com/1186959 https://bugzilla.suse.com/1186960 https://bugzilla.suse.com/1186961 https://bugzilla.suse.com/1186962 https://bugzilla.suse.com/1186963 https://bugzilla.suse.com/1186964 https://bugzilla.suse.com/1186965 https://bugzilla.suse.com/1186966 https://bugzilla.suse.com/1186967 https://bugzilla.suse.com/1186968 https://bugzilla.suse.com/1186969 https://bugzilla.suse.com/1186970 https://bugzilla.suse.com/1186971 https://bugzilla.suse.com/1186972 https://bugzilla.suse.com/1186973 https://bugzilla.suse.com/1186974 https://bugzilla.suse.com/1186976 https://bugzilla.suse.com/1186977 https://bugzilla.suse.com/1186978 https://bugzilla.suse.com/1186979 https://bugzilla.suse.com/1186980 https://bugzilla.suse.com/1186981 https://bugzilla.suse.com/1186982 https://bugzilla.suse.com/1186983 https://bugzilla.suse.com/1186984 https://bugzilla.suse.com/1186985 https://bugzilla.suse.com/1186986 https://bugzilla.suse.com/1186987 https://bugzilla.suse.com/1186988 https://bugzilla.suse.com/1186989 https://bugzilla.suse.com/1186990 https://bugzilla.suse.com/1186991 https://bugzilla.suse.com/1186992 https://bugzilla.suse.com/1186993 https://bugzilla.suse.com/1186994 https://bugzilla.suse.com/1186995 https://bugzilla.suse.com/1186996 https://bugzilla.suse.com/1186997 https://bugzilla.suse.com/1186998 https://bugzilla.suse.com/1186999 https://bugzilla.suse.com/1187000 https://bugzilla.suse.com/1187001 https://bugzilla.suse.com/1187002 https://bugzilla.suse.com/1187003 https://bugzilla.suse.com/1187038 https://bugzilla.suse.com/1187039 https://bugzilla.suse.com/1187050 
https://bugzilla.suse.com/1187052 https://bugzilla.suse.com/1187067 https://bugzilla.suse.com/1187068 https://bugzilla.suse.com/1187069 https://bugzilla.suse.com/1187072 https://bugzilla.suse.com/1187143 https://bugzilla.suse.com/1187144 https://bugzilla.suse.com/1187167 https://bugzilla.suse.com/1187334 https://bugzilla.suse.com/1187344 https://bugzilla.suse.com/1187345 https://bugzilla.suse.com/1187346 https://bugzilla.suse.com/1187347 https://bugzilla.suse.com/1187348 https://bugzilla.suse.com/1187349 https://bugzilla.suse.com/1187350 https://bugzilla.suse.com/1187351 https://bugzilla.suse.com/1187357 https://bugzilla.suse.com/1187711 From sle-security-updates at lists.suse.com Mon Jun 28 20:10:11 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 28 Jun 2021 22:10:11 +0200 (CEST) Subject: SUSE-SU-2021:2177-1: important: Security update for arpwatch Message-ID: <20210628201011.13E9DF78F@maintenance.suse.de> SUSE Security Update: Security update for arpwatch ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2177-1 Rating: important References: #1186240 Cross-References: CVE-2021-25321 CVSS scores: CVE-2021-25321 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 
______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for arpwatch fixes the following issues: - CVE-2021-25321: Fixed local privilege escalation from runtime user to root (bsc#1186240). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-2177=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-2177=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-2177=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-2177=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-2177=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-2177=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-2177=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-2177=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-2177=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-2177=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-2177=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-2177=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2177=1 - SUSE Linux Enterprise High 
Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2177=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-2177=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 - SUSE Manager Proxy 4.0 (x86_64): arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): 
arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 - SUSE CaaS Platform 4.0 (x86_64): arpwatch-2.1a15-5.12.1 arpwatch-debuginfo-2.1a15-5.12.1 arpwatch-debugsource-2.1a15-5.12.1 References: https://www.suse.com/security/cve/CVE-2021-25321.html https://bugzilla.suse.com/1186240 From sle-security-updates at lists.suse.com Mon Jun 28 20:11:16 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 28 Jun 2021 22:11:16 +0200 (CEST) Subject: SUSE-SU-2021:2195-1: moderate: Security update for python-urllib3, python-requests Message-ID: <20210628201116.3F9E5F78F@maintenance.suse.de> SUSE Security Update: Security update for python-urllib3, python-requests ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2195-1 Rating: moderate References: #1176784 #1182421 #1187045 ECO-3105 ECO-3352 Cross-References: CVE-2021-33503 CVSS scores: CVE-2021-33503 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves one vulnerability, contains two features and has two fixes is now available. 
Description: This update for python-urllib3 and python-requests fixes the following issues: Security fix: - Improve performance of sub-authority splitting in URL. (bsc#1187045, CVE-2021-33503) Non-security changes: - Update python-urllib3 to version 1.25.10 to stay compatible with changes needed in the Server and Public Cloud products. (bsc#1182421, jsc#ECO-3352) - Update python-requests to version 2.24.0 to stay compatible with changes needed in the Server and Public Cloud products. (bsc#1176784, jsc#ECO-3105) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-2195=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-2195=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-2195=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): python-requests-2.24.0-3.3.1 python-urllib3-1.25.10-5.19.1 - SUSE OpenStack Cloud 8 (noarch): python-requests-2.24.0-3.3.1 python-urllib3-1.25.10-5.19.1 - HPE Helion Openstack 8 (noarch): python-requests-2.24.0-3.3.1 python-urllib3-1.25.10-5.19.1 References: https://www.suse.com/security/cve/CVE-2021-33503.html https://bugzilla.suse.com/1176784 https://bugzilla.suse.com/1182421 https://bugzilla.suse.com/1187045 From sle-security-updates at lists.suse.com Wed Jun 30 13:26:25 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 30 Jun 2021 15:26:25 +0200 (CEST) Subject: SUSE-SU-2021:2196-1: moderate: Security update for lua53 Message-ID: <20210630132625.63CEAFCEF@maintenance.suse.de> SUSE Security Update: Security update for lua53 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2196-1 Rating: moderate References: #1175448 #1175449
Cross-References: CVE-2020-24370 CVE-2020-24371 CVSS scores: CVE-2020-24370 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2020-24370 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2020-24371 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2020-24371 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for lua53 fixes the following issues: Update to version 5.3.6: - CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449) - CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448) - Long brackets with a huge number of '=' overflow some internal buffer arithmetic. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-2196=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-2196=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-2196=1 Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): liblua5_3-5-5.3.6-3.6.1 liblua5_3-5-debuginfo-5.3.6-3.6.1 lua53-debuginfo-5.3.6-3.6.1 lua53-debugsource-5.3.6-3.6.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): liblua5_3-5-5.3.6-3.6.1 liblua5_3-5-debuginfo-5.3.6-3.6.1 lua53-5.3.6-3.6.1 lua53-debuginfo-5.3.6-3.6.1 lua53-debugsource-5.3.6-3.6.1 lua53-devel-5.3.6-3.6.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64): liblua5_3-5-32bit-5.3.6-3.6.1 liblua5_3-5-32bit-debuginfo-5.3.6-3.6.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): liblua5_3-5-5.3.6-3.6.1 liblua5_3-5-debuginfo-5.3.6-3.6.1 lua53-5.3.6-3.6.1 lua53-debuginfo-5.3.6-3.6.1 lua53-debugsource-5.3.6-3.6.1 lua53-devel-5.3.6-3.6.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): liblua5_3-5-32bit-5.3.6-3.6.1 liblua5_3-5-32bit-debuginfo-5.3.6-3.6.1 References: https://www.suse.com/security/cve/CVE-2020-24370.html https://www.suse.com/security/cve/CVE-2020-24371.html https://bugzilla.suse.com/1175448 https://bugzilla.suse.com/1175449 From sle-security-updates at lists.suse.com Wed Jun 30 13:29:29 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 30 Jun 2021 15:29:29 +0200 (CEST) Subject: SUSE-SU-2021:2202-1: important: Security update for the Linux Kernel Message-ID: <20210630132929.556B3FCEF@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2202-1 
Rating: important References: #1152489 #1154353 #1174978 #1176447 #1176771 #1178134 #1178612 #1179610 #1183712 #1184259 #1184436 #1184631 #1185195 #1185570 #1185589 #1185675 #1185701 #1186155 #1186286 #1186463 #1186472 #1186672 #1186677 #1186752 #1186885 #1186928 #1186949 #1186950 #1186951 #1186952 #1186953 #1186954 #1186955 #1186956 #1186957 #1186958 #1186959 #1186960 #1186961 #1186962 #1186963 #1186964 #1186965 #1186966 #1186967 #1186968 #1186969 #1186970 #1186971 #1186972 #1186973 #1186974 #1186976 #1186977 #1186978 #1186979 #1186980 #1186981 #1186982 #1186983 #1186984 #1186985 #1186986 #1186987 #1186988 #1186989 #1186990 #1186991 #1186992 #1186993 #1186994 #1186995 #1186996 #1186997 #1186998 #1186999 #1187000 #1187001 #1187002 #1187003 #1187038 #1187039 #1187050 #1187052 #1187067 #1187068 #1187069 #1187072 #1187143 #1187144 #1187167 #1187334 #1187344 #1187345 #1187346 #1187347 #1187348 #1187349 #1187350 #1187351 #1187357 #1187711 Cross-References: CVE-2020-26558 CVE-2020-36385 CVE-2020-36386 CVE-2021-0129 CVSS scores: CVE-2020-26558 (NVD) : 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26558 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-36385 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-36385 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-36386 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-36386 (SUSE): 5.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L CVE-2021-0129 (NVD) : 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2021-0129 (SUSE): 6.4 CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP3 ______________________________________________________________________________ An update that solves four vulnerabilities and has 98 fixes is now available. Description: The SUSE Linux Enterprise 15 SP3 azure kernel was updated to receive various security and bugfixes. 
The following security bugs were fixed: - CVE-2020-26558: Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification 2.1 may permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing by reflection of the public key and the authentication evidence of the initiating device, potentially permitting this attacker to complete authenticated pairing with the responding device using the correct Passkey for the pairing session. (bnc#1179610 bnc#1186463) - CVE-2021-0129: Improper access control in BlueZ may have allowed an authenticated user to potentially enable information disclosure via adjacent access (bnc#1186463). - CVE-2020-36385: Fixed a use-after-free in drivers/infiniband/core/ucma.c which could be triggered if the ctx is reached via the ctx_list in some ucma_migrate_id situations where ucma_close is called (bnc#1187050). - CVE-2020-36386: Fixed a slab out-of-bounds read in hci_extended_inquiry_result_evt (bnc#1187038). The following non-security bugs were fixed: - ACPICA: Clean up context mutex during object deletion (git-fixes). - ALSA: hda/cirrus: Set Initial DMIC volume to -26 dB (git-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Elite Dragonfly G2 (git-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP EliteBook x360 1040 G8 (git-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 840 Aero G8 (git-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs for HP ZBook Power G8 (git-fixes). - ALSA: hda/realtek: headphone and mic do not work on an Acer laptop (git-fixes). - ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx (git-fixes). - ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx (git-fixes). - ALSA: hda: update the power_state during the direct-complete (git-fixes). - ALSA: seq: Fix race of snd_seq_timer_open() (git-fixes). - ALSA: timer: Fix master timer notification (git-fixes). 
- ASoC: Intel: soc-acpi: remove TGL RVP mixed SoundWire/TDM config (git-fixes). - ASoC: amd: fix for pcm_read() error (git-fixes). - ASoC: cs43130: handle errors in cs43130_probe() properly (git-fixes). - ASoC: max98088: fix ni clock divider calculation (git-fixes). - Bluetooth: fix the erroneous flush_work() order (git-fixes). - Enable CONFIG_PCI_PF_STUB for Nvidia Ampere vGPU support (jsc#SLE-17882 jsc#ECO-3691) - HID: i2c-hid: Skip ELAN power-on command after reset (git-fixes). - HID: i2c-hid: fix format string mismatch (git-fixes). - HID: magicmouse: fix NULL-deref on disconnect (git-fixes). - HID: multitouch: require Finger field to mark Win8 reports as MT (git-fixes). - HID: pidff: fix error return code in hid_pidff_init() (git-fixes). - NFC: SUSE specific brutal fix for runtime PM (bsc#1185589). - NFS: Deal correctly with attribute generation counter overflow (git-fixes). - NFS: Do not corrupt the value of pg_bytes_written in nfs_do_recoalesce() (git-fixes). - NFS: Do not discard pNFS layout segments that are marked for return (git-fixes). - NFS: Do not gratuitously clear the inode cache when lookup failed (git-fixes). - NFS: Do not revalidate the directory permissions on a lookup failure (git-fixes). - NFS: Fix an Oopsable condition in __nfs_pageio_add_request() (git-fixes). - NFS: fix an incorrect limit in filelayout_decode_layout() (git-fixes). - NFSD: Repair misuse of sv_lock in 5.10.16-rt30 (git-fixes). - NFSv4.2 fix handling of sr_eof in SEEK's reply (git-fixes). - NFSv4.2: Always flush out writes in nfs42_proc_fallocate() (git-fixes). - NFSv4.2: fix return value of _nfs4_get_security_label() (git-fixes). - NFSv42: Copy offload should update the file size when appropriate (git-fixes). - NFSv4: Do not discard segments marked for return in _pnfs_return_layout() (git-fixes). - NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return() (git-fixes). - NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config (git-fixes). 
- PCI/LINK: Remove bandwidth notification (bsc#1183712). - PM: sleep: Add pm_debug_messages kernel command line option (bsc#1186752). - SUNRPC: Move fault injection call sites (git-fixes). - SUNRPC: Set memalloc_nofs_save() for sync tasks (git-fixes). - UCSI fixup of array of PDOs (git-fixes). - USB: f_ncm: ncm_bitrate (speed) is unsigned (git-fixes). - USB: serial: cp210x: fix alternate function for CP2102N QFN20 (git-fixes). - USB: serial: ftdi_sio: add IDs for IDS GmbH Products (git-fixes). - USB: serial: option: add Telit LE910-S1 compositions 0x7010, 0x7011 (git-fixes). - USB: serial: pl2303: add device id for ADLINK ND-6530 GC (git-fixes). - USB: serial: quatech2: fix control-request directions (git-fixes). - USB: serial: ti_usb_3410_5052: add startech.com device id (git-fixes). - USB: usbfs: Do not WARN about excessively large memory allocations (git-fixes). - ath6kl: return error code in ath6kl_wmi_set_roam_lrssi_cmd() (git-fixes). - bcache: Convert to DEFINE_SHOW_ATTRIBUTE (bsc#1187357). - bcache: Use 64-bit arithmetic instead of 32-bit (bsc#1187357). - bcache: avoid oversized read request in cache missing code path (bsc#1187357, bsc#1185570, bsc#1184631). - bcache: do not pass BIOSET_NEED_BVECS for the 'bio_set' embedded in 'cache_set' (bsc#1187357). - bcache: fix a regression of code compiling failure in debug.c (bsc#1187357). - bcache: inherit the optimal I/O size (bsc#1187357). - bcache: reduce redundant code in bch_cached_dev_run() (bsc#1187357). - bcache: remove PTR_CACHE (bsc#1187357). - bcache: remove bcache device self-defined readahead (bsc#1187357, bsc#1185570, bsc#1184631). - bcache: use NULL instead of using plain integer as pointer (bsc#1187357). - blk-settings: align max_sectors on "logical_block_size" boundary (bsc#1185195). - block: return the correct bvec when checking for gaps (bsc#1187143). - block: return the correct bvec when checking for gaps (bsc#1187144). - brcmfmac: Add clm_blob firmware files to modinfo (bsc#1186677). 
- brcmfmac: properly check for bus register errors (git-fixes). - btrfs: open device without device_list_mutex (bsc#1176771). - bus: ti-sysc: Fix flakey idling of uarts and stop using swsup_sidle_act (git-fixes). - char: hpet: add checks after calling ioremap (git-fixes). - chelsio/chtls: unlock on error in chtls_pt_recvmsg() (jsc#SLE-15129). - cxgb4/ch_ktls: Clear resources when pf4 device is removed (jsc#SLE-15129). - cxgb4: avoid accessing registers when clearing filters (git-fixes). - cxgb4: avoid link re-train during TC-MQPRIO configuration (jsc#SLE-8389). - cxgb4: fix regression with HASH tc prio value update (jsc#SLE-15131). - devlink: Correct VIRTUAL port to not have phys_port attributes (jsc#SLE-15172). - dmaengine: idxd: Use cpu_feature_enabled() (git-fixes). - dmaengine: idxd: add missing dsa driver unregister (git-fixes). - dmaengine: qcom_hidma: comment platform_driver_register call (git-fixes). - drm/amd/amdgpu: fix a potential deadlock in gpu reset (git-fixes). - drm/amd/amdgpu: fix refcount leak (git-fixes). - drm/amd/display: Disconnect non-DP with no EDID (git-fixes). - drm/amd/display: Disconnect non-DP with no EDID (git-fixes). - drm/amdgpu/jpeg2.0: add cancel_delayed_work_sync before power gate (git-fixes). - drm/amdgpu/jpeg2.5: add cancel_delayed_work_sync before power gate (git-fixes). - drm/amdgpu/jpeg3: add cancel_delayed_work_sync before power gate (git-fixes). - drm/amdgpu/vcn1: add cancel_delayed_work_sync before power gate (git-fixes). - drm/amdgpu/vcn2.0: add cancel_delayed_work_sync before power gate (git-fixes). - drm/amdgpu/vcn2.5: add cancel_delayed_work_sync before power gate (git-fixes). - drm/amdgpu/vcn3: add cancel_delayed_work_sync before power gate (git-fixes). - drm/amdgpu: Do not query CE and UE errors (git-fixes). - drm/amdgpu: Fix a use-after-free (git-fixes). - drm/amdgpu: make sure we unpin the UVD BO (git-fixes). - drm/amdgpu: stop touching sched.ready in the backend (git-fixes). 
- drm/amdkfd: correct sienna_cichlid SDMA RLC register offset error (git-fixes). - drm/i915/selftests: Fix return value check in live_breadcrumbs_smoketest() (git-fixes). - drm/mcde: Fix off by 10^3 in calculation (git-fixes). - drm/msm/a6xx: fix incorrectly set uavflagprd_inv field for A650 (git-fixes). - drm/msm/a6xx: update/fix CP_PROTECT initialization (git-fixes). - efi/libstub: prevent read overflow in find_file_option() (git-fixes). - efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared (git-fixes). - efi: cper: fix snprintf() use in cper_dimm_err_location() (git-fixes). - fs/nfs: Use fatal_signal_pending instead of signal_pending (git-fixes). - gpio: cadence: Add missing MODULE_DEVICE_TABLE (git-fixes). - gpio: wcd934x: Fix shift-out-of-bounds error (git-fixes). - gve: Add NULL pointer checks when freeing irqs (git-fixes). - gve: Correct SKB queue index validation (git-fixes). - gve: Update mgmt_msix_idx if num_ntfy changes (git-fixes). - gve: Upgrade memory barrier in poll routine (git-fixes). - hwmon: (dell-smm-hwmon) Fix index values (git-fixes). - i2c: imx: fix reference leak when pm_runtime_get_sync fails (git-fixes). - i2c: qcom-geni: Suspend and resume the bus during SYSTEM_SLEEP_PM ops (git-fixes). - ice: Allow all LLDP packets from PF to Tx (jsc#SLE-7926). - ice: Fix VFR issues for AVF drivers that expect ATQLEN cleared (git-fixes). - ice: Fix allowing VF to request more/less queues via virtchnl (jsc#SLE-12878). - ice: handle the VF VSI rebuild failure (jsc#SLE-12878). - iommu/amd: Keep track of amd_iommu_irq_remap state (https://bugzilla.kernel.org/show_bug.cgi?id=212133). - iommu/virtio: Add missing MODULE_DEVICE_TABLE (bsc#1187345). - iommu/vt-d: Remove WO permissions on second-level paging entries (bsc#1187346). - iommu/vt-d: Report right snoop capability when using FL for IOVA (bsc#1187347). - iommu/vt-d: Use user privilege for RID2PASID translation (bsc#1187348). - iommu: Fix a boundary issue to avoid performance drop (bsc#1187344). 
- isdn: mISDN: correctly handle ph_info allocation failure in hfcsusb_ph_info (git-fixes). - isdn: mISDNinfineon: check/cleanup ioremap failure correctly in setup_io (git-fixes). - ixgbe: fix large MTU request from VF (git-fixes). - kABI workaround for rtw88 (git-fixes). - kABI workaround for struct lis3lv02d change (git-fixes). - lib: crc64: fix kernel-doc warning (bsc#1187357). - libertas: register sysfs groups properly (git-fixes). - locking/mutex: clear MUTEX_FLAGS if wait_list is empty due to signal (git-fixes). - md: Fix missing unused status line of /proc/mdstat (git-fixes). - md: bcache: Trivial typo fixes in the file journal.c (bsc#1187357). - md: bcache: avoid -Wempty-body warnings (bsc#1187357). - media: dvb: Add check on sp8870_readreg return (git-fixes). - media: dvb: Add check on sp8870_readreg return (git-fixes). - media: gspca: mt9m111: Check write_bridge for timeout (git-fixes). - media: gspca: mt9m111: Check write_bridge for timeout (git-fixes). - media: gspca: properly check for errors in po1030_probe() (git-fixes). - media: gspca: properly check for errors in po1030_probe() (git-fixes). - mei: request autosuspend after sending rx flow control (git-fixes). - mmc: sdhci: Clear unused bounce buffer at DMA mmap error path (bsc#1187039). - net/mlx4: Fix EEPROM dump support (git-fixes). - net/mlx5: DR, Create multi-destination flow table with level less than 64 (jsc#SLE-8464). - net/mlx5: Set reformat action when needed for termination rules (jsc#SLE-15172). - net/mlx5: Set term table as an unmanaged flow table (jsc#SLE-15172). - net/mlx5e: Fix error path of updating netdev queues (jsc#SLE-15172). - net/mlx5e: Fix incompatible casting (jsc#SLE-15172). - net/mlx5e: Fix multipath lag activation (git-fixes). - net/mlx5e: Fix null deref accessing lag dev (jsc#SLE-15172). - net/mlx5e: Fix nullptr in add_vlan_push_action() (git-fixes). - net/mlx5e: reset XPS on error flow if netdev isn't registered yet (jsc#SLE-15172). 
- net/sched: act_ct: Offload connections with commit action (jsc#SLE-15172). - net/sched: fq_pie: fix OOB access in the traffic path (jsc#SLE-15172). - net/sched: fq_pie: re-factor fix for fq_pie endless loop (jsc#SLE-15172). - net: bnx2: Fix error return code in bnx2_init_board() (git-fixes). - net: fix iteration for sctp transport seq_files (git-fixes). - net: hns3: Limiting the scope of vector_ring_chain variable (git-fixes). - net: hns3: fix incorrect resp_msg issue (jsc#SLE-14777). - net: hns3: put off calling register_netdev() until client initialize complete (bsc#1154353). - net: zero-initialize tc skb extension on allocation (bsc#1176447). - netfilter: nf_tables: missing error reporting for not selected expressions (bsc#1176447). - netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version (bsc#1176447). - nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect (git-fixes). - nfsd: register pernet ops last, unregister first (git-fixes). - nvme-multipath: fix double initialization of ANA state (bsc#1178612, bsc#1184259, bsc#1186155). - nvme: add new line after variable declatation (bsc#1184259, bsc#1178612, bsc#1186155). - nvme: do not check nvme_req flags for new req (bsc#1184259, bsc#1178612, bsc#1186155). - nvme: mark nvme_setup_passsthru() inline (bsc#1184259, bsc#1178612, bsc#1186155). - nvme: reduce checks for zero command effects (bsc#1184259, bsc#1178612, bsc#1186155). - nvme: rename nvme_init_identify() (bsc#1184259, bsc#1178612, bsc#1186155). - nvme: split init identify into helper (bsc#1184259, bsc#1178612, bsc#1186155). - nvme: use NVME_CTRL_CMIC_ANA macro (bsc#1184259, bsc#1178612, bsc#1186155). - nvmet: use new ana_log_size instead the old one (bsc#1178612, bsc#1184259, bsc#1186155). - pNFS/NFSv4: Fix a layout segment leak in pnfs_layout_process() (git-fixes). - pNFS/flexfiles: fix incorrect size check in decode_nfs_fh() (git-fixes). 
- pid: take a reference when initializing `cad_pid` (bsc#1152489). - platform/x86: hp-wireless: add AMD's hardware id to the supported list (git-fixes). - platform/x86: hp_accel: Avoid invoking _INI to speed up resume (git-fixes). - platform/x86: intel_punit_ipc: Append MODULE_DEVICE_TABLE for ACPI (git-fixes). - platform/x86: touchscreen_dmi: Add info for the Mediacom Winpad 7.0 W700 tablet (git-fixes). - powerpc/32: Fix boot failure with CONFIG_STACKPROTECTOR (jsc#SLE-13847 git-fixes). - powerpc/kprobes: Fix validation of prefixed instructions across page boundary (jsc#SLE-13847 git-fixes). - regulator: core: resolve supply for boot-on/always-on regulators (git-fixes). - regulator: max77620: Use device_set_of_node_from_dev() (git-fixes). - rtw88: 8822c: add LC calibration for RTL8822C (git-fixes). - scsi: aacraid: Fix an oops in error handling (bsc#1187072). - scsi: aacraid: Remove erroneous fallthrough annotation (bsc#1186950). - scsi: aacraid: Use memdup_user() as a cleanup (bsc#1186951). - scsi: acornscsi: Fix an error handling path in acornscsi_probe() (bsc#1186952). - scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs() (bsc#1186953). - scsi: be2iscsi: Revert "Fix a theoretical leak in beiscsi_create_eqs()" (bsc#1187067). - scsi: bfa: Fix error return in bfad_pci_init() (bsc#1186954). - scsi: bnx2fc: Fix Kconfig warning & CNIC build errors (bsc#1186955). - scsi: bnx2i: Requires MMU (bsc#1186956). - scsi: csiostor: Fix wrong return value in csio_hw_prep_fw() (bsc#1186957). - scsi: cumana_2: Fix different dev_id between request_irq() and free_irq() (bsc#1186958). - scsi: cxgb3i: Fix some leaks in init_act_open() (bsc#1186959). - scsi: cxgb4i: Fix TLS dependency (bsc#1186960). - scsi: eesox: Fix different dev_id between request_irq() and free_irq() (bsc#1186961). - scsi: fnic: Fix error return code in fnic_probe() (bsc#1186962). - scsi: hisi_sas: Fix IRQ checks (bsc#1186963). - scsi: hisi_sas: Remove preemptible() (bsc#1186964). 
- scsi: jazz_esp: Add IRQ check (bsc#1186965). - scsi: libfc: Fix enum-conversion warning (bsc#1186966). - scsi: libsas: Fix error path in sas_notify_lldd_dev_found() (bsc#1186967). - scsi: libsas: Reset num_scatter if libata marks qc as NODATA (bsc#1187068). - scsi: libsas: Set data_dir as DMA_NONE if libata marks qc as NODATA (bsc#1186968). - scsi: lpfc: Fix ancient double free (bsc#1186969). - scsi: lpfc: Fix failure to transmit ABTS on FC link (git-fixes). - scsi: megaraid_sas: Check user-provided offsets (bsc#1186970). - scsi: megaraid_sas: Clear affinity hint (bsc#1186971). - scsi: megaraid_sas: Do not call disable_irq from process IRQ poll (bsc#1186972). - scsi: megaraid_sas: Fix MEGASAS_IOC_FIRMWARE regression (bsc#1186973). - scsi: megaraid_sas: Remove undefined ENABLE_IRQ_POLL macro (bsc#1186974). - scsi: mesh: Fix panic after host or bus reset (bsc#1186976). - scsi: mpt3sas: Do not use GFP_KERNEL in atomic context (bsc#1186977). - scsi: mpt3sas: Fix error return code of mpt3sas_base_attach() (bsc#1186978). - scsi: mpt3sas: Fix ioctl timeout (bsc#1186979). - scsi: myrs: Fix a double free in myrs_cleanup() (bsc#1186980). - scsi: pm80xx: Fix error return in pm8001_pci_probe() (bsc#1186981). - scsi: powertec: Fix different dev_id between request_irq() and free_irq() (bsc#1186982). - scsi: qedi: Check for buffer overflow in qedi_set_path() (bsc#1186983). - scsi: qedi: Fix error return code of qedi_alloc_global_queues() (bsc#1186984). - scsi: qedi: Fix missing destroy_workqueue() on error in __qedi_probe (bsc#1186985). - scsi: qla2xxx: Prevent PRLI in target mode (git-fixes). - scsi: qla4xxx: Fix an error handling path in 'qla4xxx_get_host_stats()' (bsc#1186986). - scsi: qla4xxx: Remove in_interrupt() (bsc#1186987). - scsi: scsi_debug: Add check for sdebug_max_queue during module init (bsc#1186988). - scsi: scsi_dh_alua: Retry RTPG on a different path after failure (bsc#1174978 bsc#1185701). - scsi: sd: Fix Opal support (bsc#1186989). 
- scsi: smartpqi: Add additional logging for LUN resets (bsc#1186472). - scsi: smartpqi: Add host level stream detection enable (bsc#1186472). - scsi: smartpqi: Add new PCI IDs (bsc#1186472). - scsi: smartpqi: Add phy ID support for the physical drives (bsc#1186472). - scsi: smartpqi: Add stream detection (bsc#1186472). - scsi: smartpqi: Add support for BMIC sense feature cmd and feature bits (bsc#1186472). - scsi: smartpqi: Add support for RAID1 writes (bsc#1186472). - scsi: smartpqi: Add support for RAID5 and RAID6 writes (bsc#1186472). - scsi: smartpqi: Add support for long firmware version (bsc#1186472). - scsi: smartpqi: Add support for new product ids (bsc#1186472). - scsi: smartpqi: Add support for wwid (bsc#1186472). - scsi: smartpqi: Align code with oob driver (bsc#1186472). - scsi: smartpqi: Convert snprintf() to scnprintf() (bsc#1186472). - scsi: smartpqi: Correct request leakage during reset operations (bsc#1186472). - scsi: smartpqi: Correct system hangs when resuming from hibernation (bsc#1186472). - scsi: smartpqi: Disable WRITE SAME for HBA NVMe disks (bsc#1186472). - scsi: smartpqi: Fix blocks_per_row static checker issue (bsc#1186472). - scsi: smartpqi: Fix device pointer variable reference static checker issue (bsc#1186472). - scsi: smartpqi: Fix driver synchronization issues (bsc#1186472). - scsi: smartpqi: Refactor aio submission code (bsc#1186472). - scsi: smartpqi: Refactor scatterlist code (bsc#1186472). - scsi: smartpqi: Remove timeouts from internal cmds (bsc#1186472). - scsi: smartpqi: Remove unused functions (bsc#1186472). - scsi: smartpqi: Synchronize device resets with mutex (bsc#1186472). - scsi: smartpqi: Update OFA management (bsc#1186472). - scsi: smartpqi: Update RAID bypass handling (bsc#1186472). - scsi: smartpqi: Update SAS initiator_port_protocols and target_port_protocols (bsc#1186472). - scsi: smartpqi: Update device scan operations (bsc#1186472). - scsi: smartpqi: Update enclosure identifier in sysfs (bsc#1186472). 
- scsi: smartpqi: Update event handler (bsc#1186472). - scsi: smartpqi: Update soft reset management for OFA (bsc#1186472). - scsi: smartpqi: Update suspend/resume and shutdown (bsc#1186472). - scsi: smartpqi: Update version to 2.1.8-045 (bsc#1186472). - scsi: smartpqi: Use host-wide tag space (bsc#1186472). - scsi: sni_53c710: Add IRQ check (bsc#1186990). - scsi: sun3x_esp: Add IRQ check (bsc#1186991). - scsi: ufs-qcom: Fix scheduling while atomic issue (bsc#1187002). - scsi: ufs: Add quirk to disallow reset of interrupt aggregation (bsc#1186992). - scsi: ufs: Add quirk to enable host controller without hce (bsc#1186993). - scsi: ufs: Add quirk to fix abnormal ocs fatal error (bsc#1186994). - scsi: ufs: Add quirk to fix mishandling utrlclr/utmrlclr (bsc#1186995). - scsi: ufs: Do not update urgent bkops level when toggling auto bkops (bsc#1186997). - scsi: ufs: Fix race between shutdown and runtime resume flow (bsc#1186998). - scsi: ufs: Introduce UFSHCD_QUIRK_PRDT_BYTE_GRAN quirk (bsc#1187000). - scsi: ufs: Make ufshcd_print_trs() consider UFSHCD_QUIRK_PRDT_BYTE_GRAN (bsc#1187069). - scsi: ufs: Properly release resources if a task is aborted successfully (bsc#1187001). - scsi: ufs: core: Narrow down fast path in system suspend path (bsc#1186996). - scsi: ufs: ufshcd-pltfrm: Fix deferred probing (bsc#1187003). - scsi: ufshcd: use an enum for quirks (bsc#1186999). - serial: 8250_pci: handle FL_NOIRQ board flag (git-fixes). - serial: max310x: unregister uart driver in case of failure and abort (git-fixes). - serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait' (git-fixes). - staging: rtl8723bs: Fix uninitialized variables (git-fixes). - sunrpc: fix refcount leak for rpc auth modules (git-fixes). - svcrdma: disable timeouts on rdma backchannel (git-fixes). - thermal/drivers/intel: Initialize RW trip to THERMAL_TEMP_INVALID (git-fixes). - thunderbolt: usb4: Fix NVM read buffer bounds and offset issue (git-fixes). 
- tpm: fix error return code in tpm2_get_cc_attrs_tbl() (git-fixes). - ttyprintk: Add TTY hangup callback (git-fixes). - usb: chipidea: imx: Fix Battery Charger 1.2 CDP detection (git-fixes). - usb: core: reduce power-on-good delay time of root hub (git-fixes). - usb: fix various gadgets null ptr deref on 10gbps cabling (git-fixes). - usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling (git-fixes). - usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms (git-fixes). - usb: typec: intel_pmc_mux: Put fwnode in error case during ->probe() (git-fixes). - usb: typec: mux: Fix copy-paste mistake in typec_mux_match (git-fixes). - usb: typec: mux: Fix matching with typec_altmode_desc (git-fixes). - usb: typec: tcpm: Use LE to CPU conversion when accessing msg->header (git-fixes). - usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path (git-fixes). - usb: typec: ucsi: Retrieve all the PDOs instead of just the first 4 (git-fixes). - usb: typec: wcove: Use LE to CPU conversion when accessing msg->header (git-fixes). - vfio/pci: Fix error return code in vfio_ecap_init() (git-fixes). - vfio/pci: zap_vma_ptes() needs MMU (git-fixes). - vfio/platform: fix module_put call in error flow (git-fixes). - vmlinux.lds.h: Avoid orphan section with !SMP (git-fixes). - vsock/vmci: log once the failed queue pair allocation (git-fixes). - wireguard: allowedips: initialize list head in selftest (git-fixes). - wireguard: do not use -O3 (git-fixes). - wireguard: peer: allocate in kmem_cache (git-fixes). - wireguard: peer: put frequently used members above cache lines (git-fixes). - wireguard: queueing: get rid of per-peer ring buffers (git-fixes). - wireguard: selftests: make sure rp_filter is disabled on vethc (git-fixes). - wireguard: selftests: remove old conntrack kconfig value (git-fixes). - wireguard: use synchronize_net rather than synchronize_rcu (git-fixes). - x86/apic: Mark _all_ legacy interrupts when IO/APIC is missing (bsc#1152489). 
- x86/boot/64: Explicitly map boot_params and command line (jsc#SLE-14337). - x86/boot/compressed/64: Add 32-bit boot #VC handler (jsc#SLE-14337). - x86/boot/compressed/64: Add CPUID sanity check to 32-bit boot-path (jsc#SLE-14337). - x86/boot/compressed/64: Check SEV encryption in 64-bit boot-path (jsc#SLE-14337). - x86/boot/compressed/64: Check SEV encryption in the 32-bit boot-path (jsc#SLE-14337). - x86/boot/compressed/64: Cleanup exception handling before booting kernel (jsc#SLE-14337). - x86/boot/compressed/64: Introduce sev_status (jsc#SLE-14337). - x86/boot/compressed/64: Reload CS in startup_32 (jsc#SLE-14337). - x86/boot/compressed/64: Sanity-check CPUID results in the early #VC handler (jsc#SLE-14337). - x86/boot/compressed/64: Setup IDT in startup_32 boot path (jsc#SLE-14337). - x86/cpufeatures: Force disable X86_FEATURE_ENQCMD and remove update_pasid() (bsc#1178134). - x86/fault: Do not send SIGSEGV twice on SEGV_PKUERR (bsc#1152489). - x86/fpu: Prevent state corruption in __fpu__restore_sig() (bsc#1178134). - x86/head/64: Check SEV encryption before switching to kernel page-table (jsc#SLE-14337). - x86/head/64: Disable stack protection for head$(BITS).o (jsc#SLE-14337). - x86/ioremap: Map efi_mem_reserve() memory as encrypted for SEV (bsc#1186885). - x86/sev-es: Do not return NULL from sev_es_get_ghcb() (bsc#1187349). - x86/sev-es: Do not support MMIO to/from encrypted memory (jsc#SLE-14337). - x86/sev-es: Forward page-faults which happen during emulation (bsc#1187350). - x86/sev-es: Replace open-coded hlt-loops with sev_es_terminate() (jsc#SLE-14337). - x86/sev-es: Use __put_user()/__get_user() for data accesses (bsc#1187351). - x86/sev: Check SME/SEV support in CPUID first (jsc#SLE-14337). - x86/sev: Do not require Hypervisor CPUID bit for SEV guests (jsc#SLE-14337). - x86: fix seq_file iteration for pat.c (git-fixes). - xfrm: policy: Read seqcount outside of rcu-read side in xfrm_policy_lookup_bytype (bsc#1185675). 
- xprtrdma: Avoid Receive Queue wrapping (git-fixes). - xprtrdma: rpcrdma_mr_pop() already does list_del_init() (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15-SP3: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2021-2202=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15-SP3 (x86_64): kernel-azure-5.3.18-38.8.1 kernel-azure-debuginfo-5.3.18-38.8.1 kernel-azure-debugsource-5.3.18-38.8.1 kernel-azure-devel-5.3.18-38.8.1 kernel-azure-devel-debuginfo-5.3.18-38.8.1 kernel-syms-azure-5.3.18-38.8.1 - SUSE Linux Enterprise Module for Public Cloud 15-SP3 (noarch): kernel-devel-azure-5.3.18-38.8.1 kernel-source-azure-5.3.18-38.8.1 References: https://www.suse.com/security/cve/CVE-2020-26558.html https://www.suse.com/security/cve/CVE-2020-36385.html https://www.suse.com/security/cve/CVE-2020-36386.html https://www.suse.com/security/cve/CVE-2021-0129.html https://bugzilla.suse.com/1152489 https://bugzilla.suse.com/1154353 https://bugzilla.suse.com/1174978 https://bugzilla.suse.com/1176447 https://bugzilla.suse.com/1176771 https://bugzilla.suse.com/1178134 https://bugzilla.suse.com/1178612 https://bugzilla.suse.com/1179610 https://bugzilla.suse.com/1183712 https://bugzilla.suse.com/1184259 https://bugzilla.suse.com/1184436 https://bugzilla.suse.com/1184631 https://bugzilla.suse.com/1185195 https://bugzilla.suse.com/1185570 https://bugzilla.suse.com/1185589 https://bugzilla.suse.com/1185675 https://bugzilla.suse.com/1185701 https://bugzilla.suse.com/1186155 https://bugzilla.suse.com/1186286 https://bugzilla.suse.com/1186463 https://bugzilla.suse.com/1186472 https://bugzilla.suse.com/1186672 https://bugzilla.suse.com/1186677 
https://bugzilla.suse.com/1186752 https://bugzilla.suse.com/1186885 https://bugzilla.suse.com/1186928 https://bugzilla.suse.com/1186949 https://bugzilla.suse.com/1186950 https://bugzilla.suse.com/1186951 https://bugzilla.suse.com/1186952 https://bugzilla.suse.com/1186953 https://bugzilla.suse.com/1186954 https://bugzilla.suse.com/1186955 https://bugzilla.suse.com/1186956 https://bugzilla.suse.com/1186957 https://bugzilla.suse.com/1186958 https://bugzilla.suse.com/1186959 https://bugzilla.suse.com/1186960 https://bugzilla.suse.com/1186961 https://bugzilla.suse.com/1186962 https://bugzilla.suse.com/1186963 https://bugzilla.suse.com/1186964 https://bugzilla.suse.com/1186965 https://bugzilla.suse.com/1186966 https://bugzilla.suse.com/1186967 https://bugzilla.suse.com/1186968 https://bugzilla.suse.com/1186969 https://bugzilla.suse.com/1186970 https://bugzilla.suse.com/1186971 https://bugzilla.suse.com/1186972 https://bugzilla.suse.com/1186973 https://bugzilla.suse.com/1186974 https://bugzilla.suse.com/1186976 https://bugzilla.suse.com/1186977 https://bugzilla.suse.com/1186978 https://bugzilla.suse.com/1186979 https://bugzilla.suse.com/1186980 https://bugzilla.suse.com/1186981 https://bugzilla.suse.com/1186982 https://bugzilla.suse.com/1186983 https://bugzilla.suse.com/1186984 https://bugzilla.suse.com/1186985 https://bugzilla.suse.com/1186986 https://bugzilla.suse.com/1186987 https://bugzilla.suse.com/1186988 https://bugzilla.suse.com/1186989 https://bugzilla.suse.com/1186990 https://bugzilla.suse.com/1186991 https://bugzilla.suse.com/1186992 https://bugzilla.suse.com/1186993 https://bugzilla.suse.com/1186994 https://bugzilla.suse.com/1186995 https://bugzilla.suse.com/1186996 https://bugzilla.suse.com/1186997 https://bugzilla.suse.com/1186998 https://bugzilla.suse.com/1186999 https://bugzilla.suse.com/1187000 https://bugzilla.suse.com/1187001 https://bugzilla.suse.com/1187002 https://bugzilla.suse.com/1187003 https://bugzilla.suse.com/1187038 
https://bugzilla.suse.com/1187039 https://bugzilla.suse.com/1187050 https://bugzilla.suse.com/1187052 https://bugzilla.suse.com/1187067 https://bugzilla.suse.com/1187068 https://bugzilla.suse.com/1187069 https://bugzilla.suse.com/1187072 https://bugzilla.suse.com/1187143 https://bugzilla.suse.com/1187144 https://bugzilla.suse.com/1187167 https://bugzilla.suse.com/1187334 https://bugzilla.suse.com/1187344 https://bugzilla.suse.com/1187345 https://bugzilla.suse.com/1187346 https://bugzilla.suse.com/1187347 https://bugzilla.suse.com/1187348 https://bugzilla.suse.com/1187349 https://bugzilla.suse.com/1187350 https://bugzilla.suse.com/1187351 https://bugzilla.suse.com/1187357 https://bugzilla.suse.com/1187711 From sle-security-updates at lists.suse.com Wed Jun 30 13:42:32 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 30 Jun 2021 15:42:32 +0200 (CEST) Subject: SUSE-SU-2021:2198-1: important: Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP3) Message-ID: <20210630134232.99B7BFCEF@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2198-1 Rating: important References: #1183658 #1184710 #1184952 #1185796 #1185847 #1185856 #1185899 #1186285 Cross-References: CVE-2020-36322 CVE-2021-28660 CVE-2021-29154 CVE-2021-32399 CVE-2021-33034 CVE-2021-3489 CVE-2021-3490 CVSS scores: CVE-2020-36322 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-36322 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2021-28660 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-28660 (SUSE): 8 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-29154 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-29154 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (NVD) : 7 
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVE-2021-3489 (NVD) : 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-3489 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-3490 (NVD) : 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-3490 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
SUSE Linux Enterprise Module for Live Patching 15-SP3
______________________________________________________________________________

An update that solves 7 vulnerabilities and has one errata is now available.

Description:

This update for the Linux Kernel 5.3.18-57 fixes several issues.

The following issues were fixed:

- CVE-2021-3489: Fixed an issue where the eBPF RINGBUF bpf_ringbuf_reserve did not check that the allocated size was smaller than the ringbuf size (bsc#1185640).
- CVE-2021-3490: Fixed an issue where the eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) did not update the 32-bit bounds (bsc#1185641).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values (bsc#1186111).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bsc#1184611).
- CVE-2020-36322: Fixed an issue in the FUSE filesystem implementation which could have caused a system crash (bsc#1184211).
- CVE-2021-29154: Fixed incorrect computation of branch displacements, allowing arbitrary code execution (bsc#1184391).
- CVE-2021-28660: Fixed an out-of-bounds write in rtw_wx_set_scan (bsc#1183593).
- Fixed a data loss/data corruption that occurs if there is a write error on an md/raid array (bsc#1185847).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2021-2198=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15-SP3 (ppc64le s390x x86_64):
  kernel-livepatch-5_3_18-57-default-2-3.1
  kernel-livepatch-5_3_18-57-default-debuginfo-2-3.1
  kernel-livepatch-SLE15-SP3_Update_0-debugsource-2-3.1

References:

https://www.suse.com/security/cve/CVE-2020-36322.html
https://www.suse.com/security/cve/CVE-2021-28660.html
https://www.suse.com/security/cve/CVE-2021-29154.html
https://www.suse.com/security/cve/CVE-2021-32399.html
https://www.suse.com/security/cve/CVE-2021-33034.html
https://www.suse.com/security/cve/CVE-2021-3489.html
https://www.suse.com/security/cve/CVE-2021-3490.html
https://bugzilla.suse.com/1183658
https://bugzilla.suse.com/1184710
https://bugzilla.suse.com/1184952
https://bugzilla.suse.com/1185796
https://bugzilla.suse.com/1185847
https://bugzilla.suse.com/1185856
https://bugzilla.suse.com/1185899
https://bugzilla.suse.com/1186285

From sle-security-updates at lists.suse.com Wed Jun 30 13:47:44 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 30 Jun 2021 15:47:44 +0200 (CEST)
Subject: SUSE-SU-2021:2208-1: important: Security update for the Linux Kernel
Message-ID: <20210630134744.86D5AFCEF@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:2208-1
Rating: important
References: #1087082 #1133021 #1152457 #1152489 #1155518 #1156395 #1162702 #1164648 #1176564 #1177666 #1178418 #1178612 #1179827 #1179851 #1182378 #1182999 #1183346 #1183868 #1183873 #1183932 #1183947 #1184081 #1184082 #1184611
#1184855 #1185428 #1185497 #1185589 #1185606 #1185645 #1185677 #1185680 #1185696 #1185703 #1185725 #1185758 #1185859 #1185861 #1185863 #1185898 #1185899 #1185911 #1185938 #1185987 #1185988 #1186061 #1186285 #1186320 #1186439 #1186441 #1186460 #1186498 #1186501 #1186573 Cross-References: CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2021-23134 CVE-2021-32399 CVE-2021-33034 CVE-2021-33200 CVE-2021-3491 CVSS scores: CVE-2020-24586 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-24586 (SUSE): 4.7 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N CVE-2020-24587 (NVD) : 2.6 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2020-24587 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-24588 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVE-2020-24588 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2020-26139 (NVD) : 5.3 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-26139 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2020-26141 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26145 (SUSE): 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2020-26147 (NVD) : 5.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N CVE-2021-23134 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-23134 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-32399 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33034 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33200 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3491 (NVD) : 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-3491 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected 
Products:
SUSE MicroOS 5.0
SUSE Linux Enterprise Module for Realtime 15-SP3
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 42 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP2 RT kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing arbitrary values. (bsc#1186111)
- CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
- CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
- CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key.
An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862). - CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859). - CVE-2020-24588: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (bnc#1185861) - CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860) - CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987) The following non-security bugs were fixed: - ACPI / hotplug / PCI: Fix reference count leak in enable_slot() (git-fixes). - ACPI: GTDT: Do not corrupt interrupt mappings on watchdow probe failure (git-fixes). - ACPI: custom_method: fix a possible memory leak (git-fixes). - ACPI: custom_method: fix potential use-after-free issue (git-fixes). 
- ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro (git-fixes). - ALSA: bebob: enable to deliver MIDI messages for multiple ports (git-fixes). - ALSA: dice: fix stream format at middle sampling rate for Alesis iO 26 (git-fixes). - ALSA: dice: fix stream format for TC Electronic Konnekt Live at high sampling transfer frequency (git-fixes). - ALSA: firewire-lib: fix calculation for size of IR context payload (git-fixes). - ALSA: firewire-lib: fix check for the size of isochronous packet payload (git-fixes). - ALSA: hda/conexant: Re-order CX5066 quirk table entries (git-fixes). - ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is unreachable (git-fixes). - ALSA: hda/realtek: Add some CLOVE SSIDs of ALC293 (git-fixes). - ALSA: hda/realtek: Headphone volume is controlled by Front mixer (git-fixes). - ALSA: hda/realtek: reset eapd coeff to default value for alc287 (git-fixes). - ALSA: hda: fixup headset for ASUS GU502 laptop (git-fixes). - ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP (git-fixes). - ALSA: hdsp: do not disable if not enabled (git-fixes). - ALSA: hdspm: do not disable if not enabled (git-fixes). - ALSA: intel8x0: Do not update period unless prepared (git-fixes). - ALSA: line6: Fix racy initialization of LINE6 MIDI (git-fixes). - ALSA: rme9652: do not disable if not enabled (git-fixes). - ALSA: usb-audio: Validate MS endpoint descriptors (git-fixes). - ALSA: usb-audio: fix control-request direction (git-fixes). - ALSA: usb-audio: scarlett2: Fix device hang with ehci-pci (git-fixes). - ALSA: usb-audio: scarlett2: Improve driver startup messages (git-fixes). - ALSA: usb-audio: scarlett2: snd_scarlett_gen2_controls_create() can be static (git-fixes). - ARM64: vdso32: Install vdso32 from vdso_install (git-fixes). - ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet (git-fixes). - ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF (git-fixes). - ASoC: cs35l33: fix an error code in probe() (git-fixes). 
- ASoC: cs42l42: Regmap must use_single_read/write (git-fixes). - ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() (git-fixes). - ASoC: rsnd: core: Check convert rate in rsnd_hw_params (git-fixes). - ASoC: rt286: Generalize support for ALC3263 codec (git-fixes). - ASoC: rt286: Make RT286_SET_GPIO_* readable and writable (git-fixes). - Bluetooth: L2CAP: Fix handling LE modes by L2CAP_OPTIONS (git-fixes). - Bluetooth: SMP: Fail if remote and local public keys are identical (git-fixes). - Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default (git-fixes). - Bluetooth: check for zapped sk before connecting (git-fixes). - Bluetooth: initialize skb_queue_head at l2cap_chan_create() (git-fixes). - Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2 VM (git-fixes). - Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725). - Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725). - Drivers: hv: vmbus: Use after free in __vmbus_open() (git-fixes). - Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices (git-fixes). - Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state (git-fixes). - KVM: s390: fix guarded storage control register handling (bsc#1133021). - Move upstreamed media fixes into sorted section - NFC: nci: fix memory leak in nci_allocate_device (git-fixes). - PCI/RCEC: Fix RCiEP device to RCEC association (git-fixes). - PCI: Allow VPD access for QLogic ISP2722 (git-fixes). - PCI: PM: Do not read power state in pci_enable_device_flags() (git-fixes). - PCI: Release OF node in pci_scan_device()'s error path (git-fixes). - PCI: endpoint: Fix missing destroy_workqueue() (git-fixes). - PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() (git-fixes). - PCI: thunder: Fix compile testing (git-fixes). - PM / devfreq: Use more accurate returned new_freq as resume_freq (git-fixes). - RDMA/addr: create addr_wq with WQ_MEM_RECLAIM flag (bsc#1183346). 
- RDMA/core: create ib_cm with WQ_MEM_RECLAIM flag (bsc#1183346). - RDMA/hns: Delete redundant abnormal interrupt status (git-fixes). - RDMA/hns: Delete redundant condition judgment related to eq (git-fixes). - RDMA/qedr: Fix error return code in qedr_iw_connect() (jsc#SLE-8215). - RDMA/srpt: Fix error return code in srpt_cm_req_recv() (git-fixes). - SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428). - SUNRPC: More fixes for backlog congestion (bsc#1185428). - USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet (git-fixes). - USB: Add reset-resume quirk for WD19's Realtek Hub (git-fixes). - USB: serial: pl2303: add support for PL2303HXN (bsc#1186320). - USB: serial: pl2303: fix line-speed handling on newer chips (bsc#1186320). - USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check (git-fixes). - USB: trancevibrator: fix control-request direction (git-fixes). - amdgpu: avoid incorrect %hu format string (git-fixes). - arm64/mm: Fix pfn_valid() for ZONE_DEVICE based memory (git-fixes). - arm64: Add missing ISB after invalidating TLB in __primary_switch (git-fixes). - arm64: avoid -Woverride-init warning (git-fixes). - arm64: kasan: fix page_alloc tagging with DEBUG_VIRTUAL (git-fixes). - arm64: kdump: update ppos when reading elfcorehdr (git-fixes). - arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails (git-fixes). - arm64: link with -z norelro for LLD or aarch64-elf (git-fixes). - arm64: link with -z norelro regardless of CONFIG_RELOCATABLE (git-fixes). - arm64: ptrace: Fix seccomp of traced syscall -1 (NO_SYSCALL) (git-fixes). - arm64: ptrace: Use NO_SYSCALL instead of -1 in syscall_trace_enter() (git-fixes). - arm64: vdso32: make vdso32 install conditional (git-fixes). - arm: mm: use __pfn_to_section() to get mem_section (git-fixes). - ata: ahci: Disable SXS for Hisilicon Kunpeng920 (git-fixes). - blk-iocost: ioc_pd_free() shouldn't assume irq disabled (git-fixes). 
- blk-mq: Swap two calls in blk_mq_exit_queue() (git-fixes). - block/genhd: use atomic_t for disk_event->block (bsc#1185497). - block: Fix three kernel-doc warnings (git-fixes). - block: fix get_max_io_size() (git-fixes). - bnxt_en: Fix RX consumer index logic in the error path (git-fixes). - bnxt_en: fix ternary sign extension bug in bnxt_show_temp() (git-fixes). - bpf: Fix leakage of uninitialized bpf stack under speculation (bsc#1155518). - bpf: Fix masking negation logic upon negative dst register (bsc#1155518). - btrfs: fix race between transaction aborts and fsyncs leading to use-after-free (bsc#1186441). - btrfs: fix race when picking most recent mod log operation for an old root (bsc#1186439). - cdc-wdm: untangle a circular dependency between callback and softint (git-fixes). - cdrom: gdrom: deallocate struct gdrom_unit fields in remove_gdrom (git-fixes). - cdrom: gdrom: initialize global variable at init time (git-fixes). - ceph: do not clobber i_snap_caps on non-I_NEW inode (bsc#1186501). - ceph: fix inode leak on getattr error in __fh_to_dentry (bsc#1186501). - ceph: fix up error handling with snapdirs (bsc#1186501). - ceph: only check pool permissions for regular files (bsc#1186501). - cfg80211: scan: drop entry from hidden_list on overflow (git-fixes). - clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return (git-fixes). - cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758). - crypto: api - check for ERR pointers in crypto_destroy_tfm() (git-fixes). - crypto: mips/poly1305 - enable for all MIPS processors (git-fixes). - crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init (git-fixes). - crypto: qat - Fix a double free in adf_create_ring (git-fixes). - crypto: qat - do not release uninitialized resources (git-fixes). - crypto: qat - fix error path in adf_isr_resource_alloc() (git-fixes). - crypto: qat - fix unmap invalid dma address (git-fixes). 
- crypto: stm32/cryp - Fix PM reference leak on stm32-cryp.c (git-fixes). - crypto: stm32/hash - Fix PM reference leak on stm32-hash.c (git-fixes). - cxgb4: Fix unintentional sign extension issues (git-fixes). - dm: avoid filesystem lookup in dm_get_dev_t() (git-fixes). - dmaengine: dw-edma: Fix crash on loading/unloading driver (git-fixes). - docs: kernel-parameters: Add gpio_mockup_named_lines (git-fixes). - docs: kernel-parameters: Move gpio-mockup for alphabetic order (git-fixes). - drivers: hv: Fix whitespace errors (bsc#1185725). - drm/amd/display: Fix UBSAN warning for not a valid value for type '_Bool' (git-fixes). - drm/amd/display: Fix two cursor duplication when using overlay (git-fixes). - drm/amd/display: Force vsync flip when reconfiguring MPCC (git-fixes). - drm/amd/display: Reject non-zero src_y and src_x for video planes (git-fixes). - drm/amd/display: fix dml prefetch validation (git-fixes). - drm/amd/display: fixed divide by zero kernel crash during dsc enablement (git-fixes). - drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f (git-fixes). - drm/amdgpu: disable 3DCGCG on picasso/raven1 to avoid compute hang (git-fixes). - drm/amdgpu: fix NULL pointer dereference (git-fixes). - drm/amdgpu: mask the xgmi number of hops reported from psp to kfd (git-fixes). - drm/amdkfd: Fix cat debugfs hang_hws file causes system crash bug (git-fixes). - drm/i915: Avoid div-by-zero on gen2 (git-fixes). - drm/meson: fix shutdown crash when component not probed (git-fixes). - drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal (git-fixes). - drm/msm/mdp5: Do not multiply vclk line count by 100 (git-fixes). - drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected (git-fixes). - drm/radeon: Avoid power table parsing memory leaks (git-fixes). - drm/radeon: Fix off-by-one power_state index heap overwrite (git-fixes). - drm/vkms: fix misuse of WARN_ON (git-fixes). 
- drm: Added orientation quirk for OneGX1 Pro (git-fixes). - ethernet:enic: Fix a use after free bug in enic_hard_start_xmit (git-fixes). - extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged (git-fixes). - extcon: arizona: Fix various races on driver unbind (git-fixes). - fbdev: zero-fill colormap in fbcmap.c (git-fixes). - firmware: arm_scpi: Prevent the ternary sign expansion bug (git-fixes). - fs/epoll: restore waking from ep_done_scan() (bsc#1183868). - ftrace: Handle commands when closing set_ftrace_filter file (git-fixes). - futex: Change utime parameter to be 'const ... *' (git-fixes). - futex: Do not apply time namespace adjustment on FUTEX_LOCK_PI (bsc#1164648). - futex: Get rid of the val2 conditional dance (git-fixes). - futex: Make syscall entry points less convoluted (git-fixes). - genirq/irqdomain: Do not try to free an interrupt that has no (git-fixes) - genirq: Disable interrupts for force threaded handlers (git-fixes) - genirq: Reduce irqdebug cacheline bouncing (bsc#1185703 ltc#192641). - gpio: xilinx: Correct kernel doc for xgpio_probe() (git-fixes). - gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 (git-fixes). - hrtimer: Update softirq_expires_next correctly after (git-fixes) - hwmon: (occ) Fix poll rate limiting (git-fixes). - i2c: Add I2C_AQ_NO_REP_START adapter quirk (git-fixes). - i2c: bail out early when RDWR parameters are wrong (git-fixes). - i2c: i801: Do not generate an interrupt on bus reset (git-fixes). - i2c: s3c2410: fix possible NULL pointer deref on read message after write (git-fixes). - i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E (git-fixes). - i40e: Fix PHY type identifiers for 2.5G and 5G adapters (git-fixes). - i40e: Fix use-after-free in i40e_client_subtask() (git-fixes). - i40e: fix broken XDP support (git-fixes). - i40e: fix the restart auto-negotiation after FEC modified (git-fixes). 
- ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043). - ibmvfc: Handle move login failure (bsc#1185938 ltc#192043). - ibmvfc: Reinit target retries (bsc#1185938 ltc#192043). - ibmvnic: remove default label from to_string switch (bsc#1152457 ltc#174432 git-fixes). - ics932s401: fix broken handling of errors when word reading fails (git-fixes). - iio: adc: ad7124: Fix missbalanced regulator enable / disable on error (git-fixes). - iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers (git-fixes). - iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp() (git-fixes). - iio: adc: ad7793: Add missing error code in ad7793_setup() (git-fixes). - iio: gyro: fxas21002c: balance runtime power in error path (git-fixes). - iio: gyro: mpu3050: Fix reported temperature value (git-fixes). - iio: proximity: pulsedlight: Fix rumtime PM imbalance on error (git-fixes). - iio: tsl2583: Fix division by a zero lux_val (git-fixes). - intel_th: Consistency and off-by-one fix (git-fixes). - iommu/amd: Add support for map/unmap_resource (jsc#ECO-3482). - ipc/mqueue, msg, sem: Avoid relying on a stack reference past its expiry (bsc#1185988). - ipmi/watchdog: Stop watchdog timer when the current action is 'none' (bsc#1184855). - kernel-docs.spec.in: Build using an utf-8 locale. Sphinx cannot handle UTF-8 input in non-UTF-8 locale. - leds: lp5523: check return value of lp5xx_read and jump to cleanup code (git-fixes). - locking/seqlock: Tweak DEFINE_SEQLOCK() kernel doc (bsc#1176564 bsc#1162702). - lpfc: Decouple port_template and vport_template (bsc#185032). - mac80211: clear the beacon's CRC after channel switch (git-fixes). - md-cluster: fix use-after-free issue when removing rdev (bsc#1184082). - md/raid1: properly indicate failure when ending a failed write request (bsc#1185680). - md: do not flush workqueue unconditionally in md_open (bsc#1184081). 
- md: factor out a mddev_find_locked helper from mddev_find (bsc#1184081). - md: md_open returns -EBUSY when entering racing area (bsc#1184081). - md: split mddev_find (bsc#1184081). - media: adv7604: fix possible use-after-free in adv76xx_remove() (git-fixes). - media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB (git-fixes). - media: dvb-usb: fix memory leak in dvb_usb_adapter_init (git-fixes). - media: em28xx: fix memory leak (git-fixes). - media: gspca/sq905.c: fix uninitialized variable (git-fixes). - media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() (git-fixes). - media: i2c: adv7842: fix possible use-after-free in adv7842_remove() (git-fixes). - media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove() (git-fixes). - media: imx: capture: Return -EPIPE from __capture_legacy_try_fmt() (git-fixes). - media: ite-cir: check for receive overflow (git-fixes). - media: media/saa7164: fix saa7164_encoder_register() memory leak bugs (git-fixes). - media: platform: sti: Fix runtime PM imbalance in regs_show (git-fixes). - media: tc358743: fix possible use-after-free in tc358743_remove() (git-fixes). - mfd: arizona: Fix rumtime PM imbalance on error (git-fixes). - misc/uss720: fix memory leak in uss720_probe (git-fixes). - mlxsw: spectrum_mr: Update egress RIF list before route's action (git-fixes). - mm: memcontrol: fix cpuhotplug statistics flushing (bsc#1185606). - mmc: block: Update ext_csd.cache_ctrl if it was written (git-fixes). - mmc: core: Do a power cycle when the CMD11 fails (git-fixes). - mmc: core: Set read only for SD cards with permanent write protect bit (git-fixes). - mmc: sdhci-pci-gli: increase 1.8V regulator wait (git-fixes). - mmc: sdhci-pci: Add PCI IDs for Intel LKF (git-fixes). - mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers (git-fixes). - mmc: sdhci: Check for reset prior to DMA address unmap (git-fixes). 
- net, xdp: Update pkt_type if generic XDP changes unicast MAC (git-fixes). - net: enetc: fix link error again (git-fixes). - net: hns3: Fix for geneve tx checksum bug (git-fixes). - net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() (git-fixes). - net: hns3: clear unnecessary reset request in hclge_reset_rebuild (git-fixes). - net: hns3: disable phy loopback setting in hclge_mac_start_phy (git-fixes). - net: hns3: fix for vxlan gpe tx checksum bug (git-fixes). - net: hns3: fix incorrect configuration for igu_egu_hw_err (git-fixes). - net: hns3: initialize the message content in hclge_get_link_mode() (git-fixes). - net: hns3: use netif_tx_disable to stop the transmit queue (git-fixes). - net: thunderx: Fix unintentional sign extension issue (git-fixes). - net: usb: fix memory leak in smsc75xx_bind (git-fixes). - net: xfrm: Localize sequence counter per network namespace (bsc#1185696). - net: xfrm: Use sequence counter with associated spinlock (bsc#1185696). - netdevice: Add missing IFF_PHONY_HEADROOM self-definition (git-fixes). - netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950). - netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950). - netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950). - nvme-core: add cancel tagset helpers (bsc#1183976). - nvme-fabrics: decode host pathing error for connect (bsc#1179827). - nvme-fc: check sgl supported by target (bsc#1179827). - nvme-fc: clear q_live at beginning of association teardown (bsc#1186479). - nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted (bsc#1184259). - nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange() (bsc#1184259). - nvme-fc: short-circuit reconnect retries (bsc#1179827). - nvme-multipath: fix double initialization of ANA state (bsc#1178612, bsc#1184259). - nvme-multipath: reset bdev to ns head when failover (bsc#178378 bsc#1182999). 
- nvme-pci: Remove tag from process cq (git-fixes). - nvme-pci: Remove two-pass completions (git-fixes). - nvme-pci: Simplify nvme_poll_irqdisable (git-fixes). - nvme-pci: align io queue count with allocted nvme_queue in (git-fixes). - nvme-pci: avoid race between nvme_reap_pending_cqes() and nvme_poll() (git-fixes). - nvme-pci: dma read memory barrier for completions (git-fixes). - nvme-pci: fix "slimmer CQ head update" (git-fixes). - nvme-pci: make sure write/poll_queues less or equal then cpu (git-fixes). - nvme-pci: remove last_sq_tail (git-fixes). - nvme-pci: remove volatile cqes (git-fixes). - nvme-pci: slimmer CQ head update (git-fixes). - nvme-pci: use simple suspend when a HMB is enabled (git-fixes). - nvme-tcp: Fix possible race of io_work and direct send (git-fixes). - nvme-tcp: Fix warning with CONFIG_DEBUG_PREEMPT (git-fixes). - nvme-tcp: add clean action for failed reconnection (bsc#1183976). - nvme-tcp: fix kconfig dependency warning when !CRYPTO (git-fixes). - nvme-tcp: fix misuse of __smp_processor_id with preemption (git-fixes). - nvme-tcp: fix possible hang waiting for icresp response (bsc#1179519). - nvme-tcp: use cancel tagset helper for tear down (bsc#1183976). - nvme: Fix NULL dereference for pci nvme controllers (bsc#1182378). - nvme: add 'kato' sysfs attribute (bsc#1179825). - nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() (bsc#1184259). - nvme: define constants for identification values (git-fixes). - nvme: do not intialize hwmon for discovery controllers (bsc#1184259). - nvme: do not intialize hwmon for discovery controllers (git-fixes). - nvme: document nvme controller states (git-fixes). - nvme: explicitly update mpath disk capacity on revalidation (git-fixes). - nvme: expose reconnect_delay and ctrl_loss_tmo via sysfs (bsc#1182378). - nvme: fix controller instance leak (git-fixes). - nvme: fix deadlock in disconnect during scan_work and/or ana_work (git-fixes). - nvme: fix possible deadlock when I/O is blocked (git-fixes). 
- nvme: remove superfluous else in nvme_ctrl_loss_tmo_store (bsc#1182378). - nvme: retrigger ANA log update if group descriptor isn't found (git-fixes) - nvme: sanitize KATO setting (bsc#1179825). - nvme: simplify error logic in nvme_validate_ns() (bsc#1184259). - nvmet: fix a memory leak (git-fixes). - nvmet: seset ns->file when open fails (bsc#1183873). - nvmet: use new ana_log_size instead the old one (bsc#1184259). - nxp-i2c: restore includes for kABI (bsc#1185589). - nxp-nci: add NXP1002 id (bsc#1185589). - phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() (git-fixes). - pinctrl: ingenic: Improve unreachable code generation (git-fixes). - pinctrl: samsung: use 'int' for register masks in Exynos (git-fixes). - platform/mellanox: mlxbf-tmfifo: Fix a memory barrier issue (git-fixes). - platform/x86: intel_pmc_core: Do not use global pmcdev in quirks (git-fixes). - platform/x86: thinkpad_acpi: Correct thermal sensor allocation (git-fixes). - posix-timers: Preserve return value in clock_adjtime32() (git-fixes) - power: supply: Use IRQF_ONESHOT (git-fixes). - power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() (git-fixes). - power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() (git-fixes). - powerpc/64s: Fix crashes when toggling entry flush barrier (bsc#1177666 git-fixes). - powerpc/64s: Fix crashes when toggling stf barrier (bsc#1087082 git-fixes). - qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth (git-fixes). - rtc: pcf2127: handle timestamp interrupts (bsc#1185495). - s390/dasd: fix hanging DASD driver unbind (bsc#1183932 LTC#192153). - s390/entry: save the caller of psw_idle (bsc#1185677). - s390/kdump: fix out-of-memory with PCI (bsc#1182257 LTC#191375). 
- sched/eas: Do not update misfit status if the task is pinned (git-fixes) - sched/fair: Avoid stale CPU util_est value for schedutil in (git-fixes) - sched/fair: Fix unfairness caused by missing load decay (git-fixes) - scripts/git_sort/git_sort.py: add bpf git repo - scsi: core: Run queue in case of I/O resource contention failure (bsc#1186416). - scsi: fnic: Kill 'exclude_id' argument to fnic_cleanup_io() (bsc#1179851). - scsi: libfc: Avoid invoking response handler twice if ep is already completed (bsc#1186573). - scsi: lpfc: Add a option to enable interlocked ABTS before job completion (bsc#1186451). - scsi: lpfc: Add ndlp kref accounting for resume RPI path (bsc#1186451). - scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology (bsc#1186451). - scsi: lpfc: Fix Node recovery when driver is handling simultaneous PLOGIs (bsc#1186451). - scsi: lpfc: Fix bad memory access during VPD DUMP mailbox command (bsc#1186451). - scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs (bsc#1186451). - scsi: lpfc: Fix node handling for Fabric Controller and Domain Controller (bsc#1186451). - scsi: lpfc: Fix non-optimized ERSP handling (bsc#1186451). - scsi: lpfc: Fix unreleased RPIs when NPIV ports are created (bsc#1186451). - scsi: lpfc: Ignore GID-FT response that may be received after a link flip (bsc#1186451). - scsi: lpfc: Reregister FPIN types if ELS_RDF is received from fabric controller (bsc#1186451). - scsi: lpfc: Update lpfc version to 12.8.0.10 (bsc#1186451). - sctp: delay auto_asconf init until binding the first addr - seqlock,lockdep: Fix seqcount_latch_init() (bsc#1176564 bsc#1162702). - serial: core: fix suspicious security_locked_down() call (git-fixes). - serial: core: return early on unsupported ioctls (git-fixes). - serial: sh-sci: Fix off-by-one error in FIFO threshold register setting (git-fixes). - serial: stm32: fix incorrect characters on console (git-fixes). - serial: stm32: fix tx_empty condition (git-fixes). 
- serial: tegra: Fix a mask operation that is always true (git-fixes). - smc: disallow TCP_ULP in smc_setsockopt() (git-fixes). - spi: ath79: always call chipselect function (git-fixes). - spi: ath79: remove spi-master setup and cleanup assignment (git-fixes). - spi: dln2: Fix reference leak to master (git-fixes). - spi: omap-100k: Fix reference leak to master (git-fixes). - spi: qup: fix PM reference leak in spi_qup_remove() (git-fixes). - spi: spi-fsl-dspi: Fix a resource leak in an error handling path (git-fixes). - staging: emxx_udc: fix loop in _nbu2ss_nuke() (git-fixes). - staging: iio: cdc: ad7746: avoid overwrite of num_channels (git-fixes). - tcp: fix to update snd_wl1 in bulk receiver fast path - thermal/drivers/ti-soc-thermal/bandgap Remove unused variable 'val' (git-fixes). - thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue (git-fixes). - tracing: Map all PIDs to command lines (git-fixes). - tty: amiserial: fix TIOCSSERIAL permission check (git-fixes). - tty: fix memory leak in vc_deallocate (git-fixes). - tty: moxa: fix TIOCSSERIAL jiffies conversions (git-fixes). - tty: moxa: fix TIOCSSERIAL permission check (git-fixes). - uio: uio_hv_generic: use devm_kzalloc() for private data alloc (git-fixes). - uio_hv_generic: Fix a memory leak in error handling paths (git-fixes). - uio_hv_generic: Fix another memory leak in error handling paths (git-fixes). - uio_hv_generic: add missed sysfs_remove_bin_file (git-fixes). - usb: core: hub: Fix PM reference leak in usb_port_resume() (git-fixes). - usb: core: hub: fix race condition about TRSMRCY of resume (git-fixes). - usb: dwc2: Fix gadget DMA unmap direction (git-fixes). - usb: dwc3: gadget: Enable suspend events (git-fixes). - usb: dwc3: gadget: Return success always for kick transfer in ep queue (git-fixes). - usb: dwc3: omap: improve extcon initialization (git-fixes). - usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield (git-fixes). 
- usb: fotg210-hcd: Fix an error message (git-fixes). - usb: gadget/function/f_fs string table fix for multiple languages (git-fixes). - usb: gadget: dummy_hcd: fix gpf in gadget_setup (git-fixes). - usb: gadget: f_uac1: validate input parameters (git-fixes). - usb: gadget: f_uac2: validate input parameters (git-fixes). - usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() (git-fixes). - usb: gadget: uvc: add bInterval checking for HS mode (git-fixes). - usb: musb: fix PM reference leak in musb_irq_work() (git-fixes). - usb: sl811-hcd: improve misleading indentation (git-fixes). - usb: webcam: Invalid size of Processing Unit Descriptor (git-fixes). - usb: xhci: Fix port minor revision (git-fixes). - usb: xhci: Increase timeout for HC halt (git-fixes). - vgacon: Record video mode changes with VT_RESIZEX (git-fixes). - video: hyperv_fb: Add ratelimit on error message (bsc#1185725). - vrf: fix a comment about loopback device (git-fixes). - watchdog/softlockup: Remove obsolete check of last reported task (bsc#1185982). - watchdog/softlockup: report the overall time of softlockups (bsc#1185982). - watchdog: explicitly update timestamp when reporting softlockup (bsc#1185982). - watchdog: rename __touch_watchdog() to a better descriptive name (bsc#1185982). - whitespace cleanup - wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join (git-fixes). - wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt (git-fixes). - workqueue: Minor follow-ups to the rescuer destruction change (bsc#1185911). - workqueue: more destroy_workqueue() fixes (bsc#1185911). - x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is supported (bsc#1152489). - xhci: Do not use GFP_KERNEL in (potentially) atomic context (git-fixes). - xhci: check control context is valid before dereferencing it (git-fixes). - xhci: fix potential array out of bounds with several interrupters (git-fixes). - xsk: Respect device's headroom and tailroom on generic xmit path (git-fixes). 
Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-2208=1 - SUSE Linux Enterprise Module for Realtime 15-SP3: zypper in -t patch SUSE-SLE-Module-RT-15-SP3-2021-2208=1 Package List: - SUSE MicroOS 5.0 (x86_64): kernel-rt-5.3.18-8.13.1 kernel-rt-debuginfo-5.3.18-8.13.1 kernel-rt-debugsource-5.3.18-8.13.1 - SUSE Linux Enterprise Module for Realtime 15-SP3 (x86_64): cluster-md-kmp-rt-5.3.18-8.13.1 cluster-md-kmp-rt-debuginfo-5.3.18-8.13.1 dlm-kmp-rt-5.3.18-8.13.1 dlm-kmp-rt-debuginfo-5.3.18-8.13.1 gfs2-kmp-rt-5.3.18-8.13.1 gfs2-kmp-rt-debuginfo-5.3.18-8.13.1 kernel-rt-5.3.18-8.13.1 kernel-rt-debuginfo-5.3.18-8.13.1 kernel-rt-debugsource-5.3.18-8.13.1 kernel-rt-devel-5.3.18-8.13.1 kernel-rt-devel-debuginfo-5.3.18-8.13.1 kernel-rt_debug-debuginfo-5.3.18-8.13.1 kernel-rt_debug-debugsource-5.3.18-8.13.1 kernel-rt_debug-devel-5.3.18-8.13.1 kernel-rt_debug-devel-debuginfo-5.3.18-8.13.1 kernel-syms-rt-5.3.18-8.13.1 ocfs2-kmp-rt-5.3.18-8.13.1 ocfs2-kmp-rt-debuginfo-5.3.18-8.13.1 - SUSE Linux Enterprise Module for Realtime 15-SP3 (noarch): kernel-devel-rt-5.3.18-8.13.1 kernel-source-rt-5.3.18-8.13.1 References: https://www.suse.com/security/cve/CVE-2020-24586.html https://www.suse.com/security/cve/CVE-2020-24587.html https://www.suse.com/security/cve/CVE-2020-24588.html https://www.suse.com/security/cve/CVE-2020-26139.html https://www.suse.com/security/cve/CVE-2020-26141.html https://www.suse.com/security/cve/CVE-2020-26145.html https://www.suse.com/security/cve/CVE-2020-26147.html https://www.suse.com/security/cve/CVE-2021-23134.html https://www.suse.com/security/cve/CVE-2021-32399.html https://www.suse.com/security/cve/CVE-2021-33034.html 
   https://www.suse.com/security/cve/CVE-2021-33200.html
   https://www.suse.com/security/cve/CVE-2021-3491.html
   https://bugzilla.suse.com/1087082
   https://bugzilla.suse.com/1133021
   https://bugzilla.suse.com/1152457
   https://bugzilla.suse.com/1152489
   https://bugzilla.suse.com/1155518
   https://bugzilla.suse.com/1156395
   https://bugzilla.suse.com/1162702
   https://bugzilla.suse.com/1164648
   https://bugzilla.suse.com/1176564
   https://bugzilla.suse.com/1177666
   https://bugzilla.suse.com/1178418
   https://bugzilla.suse.com/1178612
   https://bugzilla.suse.com/1179827
   https://bugzilla.suse.com/1179851
   https://bugzilla.suse.com/1182378
   https://bugzilla.suse.com/1182999
   https://bugzilla.suse.com/1183346
   https://bugzilla.suse.com/1183868
   https://bugzilla.suse.com/1183873
   https://bugzilla.suse.com/1183932
   https://bugzilla.suse.com/1183947
   https://bugzilla.suse.com/1184081
   https://bugzilla.suse.com/1184082
   https://bugzilla.suse.com/1184611
   https://bugzilla.suse.com/1184855
   https://bugzilla.suse.com/1185428
   https://bugzilla.suse.com/1185497
   https://bugzilla.suse.com/1185589
   https://bugzilla.suse.com/1185606
   https://bugzilla.suse.com/1185645
   https://bugzilla.suse.com/1185677
   https://bugzilla.suse.com/1185680
   https://bugzilla.suse.com/1185696
   https://bugzilla.suse.com/1185703
   https://bugzilla.suse.com/1185725
   https://bugzilla.suse.com/1185758
   https://bugzilla.suse.com/1185859
   https://bugzilla.suse.com/1185861
   https://bugzilla.suse.com/1185863
   https://bugzilla.suse.com/1185898
   https://bugzilla.suse.com/1185899
   https://bugzilla.suse.com/1185911
   https://bugzilla.suse.com/1185938
   https://bugzilla.suse.com/1185987
   https://bugzilla.suse.com/1185988
   https://bugzilla.suse.com/1186061
   https://bugzilla.suse.com/1186285
   https://bugzilla.suse.com/1186320
   https://bugzilla.suse.com/1186439
   https://bugzilla.suse.com/1186441
   https://bugzilla.suse.com/1186460
   https://bugzilla.suse.com/1186498
   https://bugzilla.suse.com/1186501
   https://bugzilla.suse.com/1186573

From sle-security-updates at lists.suse.com Wed Jun 30 19:16:57 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 30 Jun 2021 21:16:57 +0200 (CEST)
Subject: SUSE-SU-2021:2214-1: important: Security update for go1.15
Message-ID: <20210630191657.D489CFCEF@maintenance.suse.de>

   SUSE Security Update: Security update for go1.15
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:2214-1
Rating:             important
References:         #1175132 #1186622 #1187443 #1187444 #1187445
Cross-References:   CVE-2021-33195 CVE-2021-33196 CVE-2021-33197 CVE-2021-33198
CVSS scores:
                    CVE-2021-33195 (SUSE): 6.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
                    CVE-2021-33196 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-33197 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2021-33198 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Module for Development Tools 15-SP3
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that solves four vulnerabilities and has one errata
   is now available.

Description:

   This update for go1.15 fixes the following issues:

   Update to 1.15.13.

   Includes these security fixes

   - CVE-2021-33195: net: Lookup functions may return invalid host names
     (bsc#1187443).
   - CVE-2021-33196: archive/zip: malformed archive may cause panic or memory
     exhaustion (bsc#1186622).
   - CVE-2021-33197: net/http/httputil: ReverseProxy forwards Connection
     headers if first one is empty (bsc#1187444)
   - CVE-2021-33198: math/big: (*Rat).SetString with
     "1.770p02041010010011001001" crashes with "makeslice: len out of range"
     (bsc#1187445).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-2214=1
   - SUSE Manager Retail Branch Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-2214=1
   - SUSE Manager Proxy 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-2214=1
   - SUSE Linux Enterprise Server for SAP 15-SP1:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-2214=1
   - SUSE Linux Enterprise Server 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-2214=1
   - SUSE Linux Enterprise Server 15-SP1-BCL:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-2214=1
   - SUSE Linux Enterprise Module for Development Tools 15-SP3:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-2214=1
   - SUSE Linux Enterprise Module for Development Tools 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-2214=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-2214=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-2214=1
   - SUSE Enterprise Storage 6:
      zypper in -t patch SUSE-Storage-6-2021-2214=1
   - SUSE CaaS Platform 4.0:
      To install this update, use the SUSE CaaS Platform 'skuba' tool. It
      will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.
Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):
      go1.15-1.15.13-1.33.1
      go1.15-doc-1.15.13-1.33.1

   - SUSE Manager Server 4.0 (x86_64):
      go1.15-race-1.15.13-1.33.1

   - SUSE Manager Retail Branch Server 4.0 (x86_64):
      go1.15-1.15.13-1.33.1
      go1.15-doc-1.15.13-1.33.1
      go1.15-race-1.15.13-1.33.1

   - SUSE Manager Proxy 4.0 (x86_64):
      go1.15-1.15.13-1.33.1
      go1.15-doc-1.15.13-1.33.1
      go1.15-race-1.15.13-1.33.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
      go1.15-1.15.13-1.33.1
      go1.15-doc-1.15.13-1.33.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):
      go1.15-race-1.15.13-1.33.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
      go1.15-1.15.13-1.33.1
      go1.15-doc-1.15.13-1.33.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 x86_64):
      go1.15-race-1.15.13-1.33.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
      go1.15-1.15.13-1.33.1
      go1.15-doc-1.15.13-1.33.1
      go1.15-race-1.15.13-1.33.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64):
      go1.15-1.15.13-1.33.1
      go1.15-doc-1.15.13-1.33.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 x86_64):
      go1.15-race-1.15.13-1.33.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):
      go1.15-1.15.13-1.33.1
      go1.15-doc-1.15.13-1.33.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64):
      go1.15-race-1.15.13-1.33.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
      go1.15-1.15.13-1.33.1
      go1.15-doc-1.15.13-1.33.1
      go1.15-race-1.15.13-1.33.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
      go1.15-1.15.13-1.33.1
      go1.15-doc-1.15.13-1.33.1
      go1.15-race-1.15.13-1.33.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):
      go1.15-1.15.13-1.33.1
      go1.15-doc-1.15.13-1.33.1
      go1.15-race-1.15.13-1.33.1

   - SUSE CaaS Platform 4.0 (x86_64):
      go1.15-1.15.13-1.33.1
      go1.15-doc-1.15.13-1.33.1
      go1.15-race-1.15.13-1.33.1

References:
   https://www.suse.com/security/cve/CVE-2021-33195.html
   https://www.suse.com/security/cve/CVE-2021-33196.html
   https://www.suse.com/security/cve/CVE-2021-33197.html
   https://www.suse.com/security/cve/CVE-2021-33198.html
   https://bugzilla.suse.com/1175132
   https://bugzilla.suse.com/1186622
   https://bugzilla.suse.com/1187443
   https://bugzilla.suse.com/1187444
   https://bugzilla.suse.com/1187445

From sle-security-updates at lists.suse.com Wed Jun 30 19:18:34 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 30 Jun 2021 21:18:34 +0200 (CEST)
Subject: SUSE-SU-2021:2212-1: moderate: Security update for qemu
Message-ID: <20210630191834.A6CF8FCEF@maintenance.suse.de>

   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:2212-1
Rating:             moderate
References:         #1184574 #1185591 #1185981 #1185990 #1186010 #1187013
Cross-References:   CVE-2021-3544 CVE-2021-3545 CVE-2021-3546
CVSS scores:
                    CVE-2021-3544 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
                    CVE-2021-3544 (SUSE): 5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
                    CVE-2021-3545 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
                    CVE-2021-3545 (SUSE): 5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
                    CVE-2021-3546 (NVD) : 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-3546 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that solves three vulnerabilities and has three
   fixes is now available.
Description:

   This update for qemu fixes the following issues:

   Security issues fixed:

   - CVE-2021-3546: Fix out-of-bounds write in virgl_cmd_get_capset
     (bsc#1185981)
   - CVE-2021-3544: Fix memory leaks found in the virtio vhost-user GPU device
     (bsc#1186010)
   - CVE-2021-3545: Fix information disclosure due to uninitialized memory
     read (bsc#1185990)

   Non-security issues fixed:

   - Fix testsuite error (bsc#1184574)
   - Fix qemu crash with iothread when block commit after snapshot
     (bsc#1187013)
   - Fix qemu hang while cancelling migrating hugepage vm (bsc#1185591)
   - Use RCU to avoid race during scsi hotplug/hotunplug (bsc#1184574)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.0:
      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-2212=1
   - SUSE Linux Enterprise Module for Server Applications 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-2212=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-2212=1

Package List:

   - SUSE MicroOS 5.0 (aarch64 x86_64):
      qemu-4.2.1-11.22.1
      qemu-debuginfo-4.2.1-11.22.1
      qemu-debugsource-4.2.1-11.22.1
      qemu-tools-4.2.1-11.22.1
      qemu-tools-debuginfo-4.2.1-11.22.1

   - SUSE MicroOS 5.0 (aarch64):
      qemu-arm-4.2.1-11.22.1
      qemu-arm-debuginfo-4.2.1-11.22.1

   - SUSE MicroOS 5.0 (x86_64):
      qemu-x86-4.2.1-11.22.1
      qemu-x86-debuginfo-4.2.1-11.22.1

   - SUSE MicroOS 5.0 (noarch):
      qemu-ipxe-1.0.0+-11.22.1
      qemu-seabios-1.12.1+-11.22.1
      qemu-sgabios-8-11.22.1
      qemu-vgabios-1.12.1+-11.22.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
      qemu-4.2.1-11.22.1
      qemu-block-curl-4.2.1-11.22.1
      qemu-block-curl-debuginfo-4.2.1-11.22.1
      qemu-block-iscsi-4.2.1-11.22.1
      qemu-block-iscsi-debuginfo-4.2.1-11.22.1
      qemu-block-rbd-4.2.1-11.22.1
      qemu-block-rbd-debuginfo-4.2.1-11.22.1
      qemu-block-ssh-4.2.1-11.22.1
      qemu-block-ssh-debuginfo-4.2.1-11.22.1
      qemu-debuginfo-4.2.1-11.22.1
      qemu-debugsource-4.2.1-11.22.1
      qemu-guest-agent-4.2.1-11.22.1
      qemu-guest-agent-debuginfo-4.2.1-11.22.1
      qemu-lang-4.2.1-11.22.1
      qemu-ui-spice-app-4.2.1-11.22.1
      qemu-ui-spice-app-debuginfo-4.2.1-11.22.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (s390x x86_64):
      qemu-kvm-4.2.1-11.22.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64):
      qemu-arm-4.2.1-11.22.1
      qemu-arm-debuginfo-4.2.1-11.22.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (ppc64le):
      qemu-ppc-4.2.1-11.22.1
      qemu-ppc-debuginfo-4.2.1-11.22.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (x86_64):
      qemu-audio-alsa-4.2.1-11.22.1
      qemu-audio-alsa-debuginfo-4.2.1-11.22.1
      qemu-audio-pa-4.2.1-11.22.1
      qemu-audio-pa-debuginfo-4.2.1-11.22.1
      qemu-ui-curses-4.2.1-11.22.1
      qemu-ui-curses-debuginfo-4.2.1-11.22.1
      qemu-ui-gtk-4.2.1-11.22.1
      qemu-ui-gtk-debuginfo-4.2.1-11.22.1
      qemu-x86-4.2.1-11.22.1
      qemu-x86-debuginfo-4.2.1-11.22.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch):
      qemu-ipxe-1.0.0+-11.22.1
      qemu-microvm-4.2.1-11.22.1
      qemu-seabios-1.12.1+-11.22.1
      qemu-sgabios-8-11.22.1
      qemu-vgabios-1.12.1+-11.22.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (s390x):
      qemu-s390-4.2.1-11.22.1
      qemu-s390-debuginfo-4.2.1-11.22.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
      qemu-debuginfo-4.2.1-11.22.1
      qemu-debugsource-4.2.1-11.22.1
      qemu-tools-4.2.1-11.22.1
      qemu-tools-debuginfo-4.2.1-11.22.1

References:

   https://www.suse.com/security/cve/CVE-2021-3544.html
   https://www.suse.com/security/cve/CVE-2021-3545.html
   https://www.suse.com/security/cve/CVE-2021-3546.html
   https://bugzilla.suse.com/1184574
   https://bugzilla.suse.com/1185591
   https://bugzilla.suse.com/1185981
   https://bugzilla.suse.com/1185990
   https://bugzilla.suse.com/1186010
   https://bugzilla.suse.com/1187013

From sle-security-updates at lists.suse.com Wed Jun 30 19:22:30 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 30 Jun 2021 21:22:30 +0200 (CEST)
Subject: SUSE-SU-2021:14760-1: moderate: Security update for curl
Message-ID: <20210630192230.CA241FCEF@maintenance.suse.de>

   SUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14760-1
Rating:             moderate
References:         #1186114
Cross-References:   CVE-2021-22898
CVSS scores:
                    CVE-2021-22898 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-22898 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Server 11-SECURITY
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for curl fixes the following issues:

   - CVE-2021-22898: Fixed curl TELNET stack contents disclosure
     (bsc#1186114).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:
      zypper in -t patch slessp4-curl-14760=1
   - SUSE Linux Enterprise Server 11-SECURITY:
      zypper in -t patch secsp3-curl-14760=1
   - SUSE Linux Enterprise Point of Sale 11-SP3:
      zypper in -t patch sleposp3-curl-14760=1
   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-curl-14760=1
   - SUSE Linux Enterprise Debuginfo 11-SP3:
      zypper in -t patch dbgsp3-curl-14760=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
      curl-7.37.0-70.66.1
      libcurl4-7.37.0-70.66.1

   - SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64):
      libcurl4-32bit-7.37.0-70.66.1

   - SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64):
      curl-openssl1-7.37.0-70.66.1
      libcurl4-openssl1-7.37.0-70.66.1

   - SUSE Linux Enterprise Server 11-SECURITY (ppc64 s390x x86_64):
      libcurl4-openssl1-32bit-7.37.0-70.66.1

   - SUSE Linux Enterprise Server 11-SECURITY (ia64):
      libcurl4-openssl1-x86-7.37.0-70.66.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
      curl-7.37.0-70.66.1
      libcurl-devel-7.37.0-70.66.1
      libcurl4-7.37.0-70.66.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
      curl-debuginfo-7.37.0-70.66.1
      curl-debugsource-7.37.0-70.66.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
      curl-debuginfo-7.37.0-70.66.1
      curl-debugsource-7.37.0-70.66.1

References:

   https://www.suse.com/security/cve/CVE-2021-22898.html
   https://bugzilla.suse.com/1186114

From sle-security-updates at lists.suse.com Wed Jun 30 19:23:38 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 30 Jun 2021 21:23:38 +0200 (CEST)
Subject: SUSE-SU-2021:2213-1: moderate: Security update for qemu
Message-ID: <20210630192338.76C65FCEF@maintenance.suse.de>

   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:2213-1
Rating:             moderate
References:         #1185981 #1185990 #1186010
Cross-References:   CVE-2021-3544 CVE-2021-3545 CVE-2021-3546
CVSS scores:
                    CVE-2021-3544 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
                    CVE-2021-3544 (SUSE): 5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
                    CVE-2021-3545 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
                    CVE-2021-3545 (SUSE): 5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
                    CVE-2021-3546 (NVD) : 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-3546 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for qemu fixes the following issues:

   - CVE-2021-3546: Fixed out-of-bounds write in virgl_cmd_get_capset
     (bsc#1185981).
   - CVE-2021-3544: Fixed memory leaks found in the virtio vhost-user GPU
     device (bsc#1186010).
   - CVE-2021-3545: Fixed information disclosure due to uninitialized memory
     read (bsc#1185990).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP3:
      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-2213=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP3:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-2213=1

Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
      qemu-5.2.0-20.1
      qemu-block-curl-5.2.0-20.1
      qemu-block-curl-debuginfo-5.2.0-20.1
      qemu-block-iscsi-5.2.0-20.1
      qemu-block-iscsi-debuginfo-5.2.0-20.1
      qemu-block-rbd-5.2.0-20.1
      qemu-block-rbd-debuginfo-5.2.0-20.1
      qemu-block-ssh-5.2.0-20.1
      qemu-block-ssh-debuginfo-5.2.0-20.1
      qemu-chardev-baum-5.2.0-20.1
      qemu-chardev-baum-debuginfo-5.2.0-20.1
      qemu-debuginfo-5.2.0-20.1
      qemu-debugsource-5.2.0-20.1
      qemu-guest-agent-5.2.0-20.1
      qemu-guest-agent-debuginfo-5.2.0-20.1
      qemu-ksm-5.2.0-20.1
      qemu-lang-5.2.0-20.1
      qemu-ui-curses-5.2.0-20.1
      qemu-ui-curses-debuginfo-5.2.0-20.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le x86_64):
      qemu-audio-spice-5.2.0-20.1
      qemu-audio-spice-debuginfo-5.2.0-20.1
      qemu-chardev-spice-5.2.0-20.1
      qemu-chardev-spice-debuginfo-5.2.0-20.1
      qemu-hw-display-qxl-5.2.0-20.1
      qemu-hw-display-qxl-debuginfo-5.2.0-20.1
      qemu-hw-display-virtio-vga-5.2.0-20.1
      qemu-hw-display-virtio-vga-debuginfo-5.2.0-20.1
      qemu-hw-usb-redirect-5.2.0-20.1
      qemu-hw-usb-redirect-debuginfo-5.2.0-20.1
      qemu-ui-gtk-5.2.0-20.1
      qemu-ui-gtk-debuginfo-5.2.0-20.1
      qemu-ui-opengl-5.2.0-20.1
      qemu-ui-opengl-debuginfo-5.2.0-20.1
      qemu-ui-spice-app-5.2.0-20.1
      qemu-ui-spice-app-debuginfo-5.2.0-20.1
      qemu-ui-spice-core-5.2.0-20.1
      qemu-ui-spice-core-debuginfo-5.2.0-20.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP3 (s390x x86_64):
      qemu-hw-display-virtio-gpu-5.2.0-20.1
      qemu-hw-display-virtio-gpu-debuginfo-5.2.0-20.1
      qemu-hw-display-virtio-gpu-pci-5.2.0-20.1
      qemu-hw-display-virtio-gpu-pci-debuginfo-5.2.0-20.1
      qemu-kvm-5.2.0-20.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64):
      qemu-arm-5.2.0-20.1
      qemu-arm-debuginfo-5.2.0-20.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP3 (ppc64le):
      qemu-ppc-5.2.0-20.1
      qemu-ppc-debuginfo-5.2.0-20.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP3 (x86_64):
      qemu-audio-alsa-5.2.0-20.1
      qemu-audio-alsa-debuginfo-5.2.0-20.1
      qemu-audio-pa-5.2.0-20.1
      qemu-audio-pa-debuginfo-5.2.0-20.1
      qemu-x86-5.2.0-20.1
      qemu-x86-debuginfo-5.2.0-20.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP3 (noarch):
      qemu-ipxe-1.0.0+-20.1
      qemu-seabios-1.14.0_0_g155821a-20.1
      qemu-sgabios-8-20.1
      qemu-skiboot-5.2.0-20.1
      qemu-vgabios-1.14.0_0_g155821a-20.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP3 (s390x):
      qemu-hw-s390x-virtio-gpu-ccw-5.2.0-20.1
      qemu-hw-s390x-virtio-gpu-ccw-debuginfo-5.2.0-20.1
      qemu-s390x-5.2.0-20.1
      qemu-s390x-debuginfo-5.2.0-20.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
      qemu-debuginfo-5.2.0-20.1
      qemu-debugsource-5.2.0-20.1
      qemu-tools-5.2.0-20.1
      qemu-tools-debuginfo-5.2.0-20.1

References:

   https://www.suse.com/security/cve/CVE-2021-3544.html
   https://www.suse.com/security/cve/CVE-2021-3545.html
   https://www.suse.com/security/cve/CVE-2021-3546.html
   https://bugzilla.suse.com/1185981
   https://bugzilla.suse.com/1185990
   https://bugzilla.suse.com/1186010

From sle-security-updates at lists.suse.com Wed Jun 30 19:28:37 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 30 Jun 2021 21:28:37 +0200 (CEST)
Subject: SUSE-SU-2021:2211-1: important: Security update for dbus-1
Message-ID: <20210630192837.4150EFCEF@maintenance.suse.de>

   SUSE Security Update: Security update for dbus-1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:2211-1
Rating:             important
References:         #1187105
Cross-References:   CVE-2020-35512
CVSS scores:
                    CVE-2020-35512 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-35512 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for dbus-1 fixes the following issues:

   - CVE-2020-35512: Fixed a use-after-free or potential undefined behaviour
     caused by shared UIDs (bsc#1187105)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-2211=1
   - SUSE Linux Enterprise Server 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-2211=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2211=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-2211=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
      dbus-1-1.12.2-3.11.1
      dbus-1-debuginfo-1.12.2-3.11.1
      dbus-1-debugsource-1.12.2-3.11.1
      dbus-1-devel-1.12.2-3.11.1
      dbus-1-x11-1.12.2-3.11.1
      dbus-1-x11-debuginfo-1.12.2-3.11.1
      dbus-1-x11-debugsource-1.12.2-3.11.1
      libdbus-1-3-1.12.2-3.11.1
      libdbus-1-3-debuginfo-1.12.2-3.11.1

   - SUSE Linux Enterprise Server for SAP 15 (x86_64):
      dbus-1-32bit-debuginfo-1.12.2-3.11.1
      libdbus-1-3-32bit-1.12.2-3.11.1
      libdbus-1-3-32bit-debuginfo-1.12.2-3.11.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
      dbus-1-1.12.2-3.11.1
      dbus-1-debuginfo-1.12.2-3.11.1
      dbus-1-debugsource-1.12.2-3.11.1
      dbus-1-devel-1.12.2-3.11.1
      dbus-1-x11-1.12.2-3.11.1
      dbus-1-x11-debuginfo-1.12.2-3.11.1
      dbus-1-x11-debugsource-1.12.2-3.11.1
      libdbus-1-3-1.12.2-3.11.1
      libdbus-1-3-debuginfo-1.12.2-3.11.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
      dbus-1-1.12.2-3.11.1
      dbus-1-debuginfo-1.12.2-3.11.1
      dbus-1-debugsource-1.12.2-3.11.1
      dbus-1-devel-1.12.2-3.11.1
      dbus-1-x11-1.12.2-3.11.1
      dbus-1-x11-debuginfo-1.12.2-3.11.1
      dbus-1-x11-debugsource-1.12.2-3.11.1
      libdbus-1-3-1.12.2-3.11.1
      libdbus-1-3-debuginfo-1.12.2-3.11.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):
      dbus-1-32bit-debuginfo-1.12.2-3.11.1
      libdbus-1-3-32bit-1.12.2-3.11.1
      libdbus-1-3-32bit-debuginfo-1.12.2-3.11.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
      dbus-1-1.12.2-3.11.1
      dbus-1-debuginfo-1.12.2-3.11.1
      dbus-1-debugsource-1.12.2-3.11.1
      dbus-1-devel-1.12.2-3.11.1
      dbus-1-x11-1.12.2-3.11.1
      dbus-1-x11-debuginfo-1.12.2-3.11.1
      dbus-1-x11-debugsource-1.12.2-3.11.1
      libdbus-1-3-1.12.2-3.11.1
      libdbus-1-3-debuginfo-1.12.2-3.11.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):
      dbus-1-32bit-debuginfo-1.12.2-3.11.1
      libdbus-1-3-32bit-1.12.2-3.11.1
      libdbus-1-3-32bit-debuginfo-1.12.2-3.11.1

References:

   https://www.suse.com/security/cve/CVE-2020-35512.html
   https://bugzilla.suse.com/1187105