From sle-security-updates at lists.suse.com Mon Mar 1 14:17:26 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Mar 2021 15:17:26 +0100 (CET)
Subject: SUSE-SU-2021:0658-1: moderate: Security update for rpmlint
Message-ID: <20210301141726.5EB7AFD14@maintenance.suse.de>

   SUSE Security Update: Security update for rpmlint
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0658-1
Rating:             moderate
References:         #1169614
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for rpmlint fixes the following issues:

   - Whitelist PAM modules and DBUS rules for cockpit (bsc#1169614)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-658=1
   - SUSE Manager Retail Branch Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-658=1
   - SUSE Manager Proxy 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-658=1
   - SUSE Linux Enterprise Server for SAP 15-SP1:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-658=1
   - SUSE Linux Enterprise Server 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-658=1
   - SUSE Linux Enterprise Server 15-SP1-BCL:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-658=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-658=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-658=1
   - SUSE Enterprise Storage 6:
      zypper in -t patch SUSE-Storage-6-2021-658=1
   - SUSE CaaS Platform 4.0:
      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
      inform you if it detects new updates and let you then trigger updating of
      the complete cluster in a controlled way.

Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):
      rpmlint-mini-1.10-7.11.1
      rpmlint-mini-debuginfo-1.10-7.11.1
      rpmlint-mini-debugsource-1.10-7.11.1
   - SUSE Manager Retail Branch Server 4.0 (x86_64):
      rpmlint-mini-1.10-7.11.1
      rpmlint-mini-debuginfo-1.10-7.11.1
      rpmlint-mini-debugsource-1.10-7.11.1
   - SUSE Manager Proxy 4.0 (x86_64):
      rpmlint-mini-1.10-7.11.1
      rpmlint-mini-debuginfo-1.10-7.11.1
      rpmlint-mini-debugsource-1.10-7.11.1
   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
      rpmlint-mini-1.10-7.11.1
      rpmlint-mini-debuginfo-1.10-7.11.1
      rpmlint-mini-debugsource-1.10-7.11.1
   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
      rpmlint-mini-1.10-7.11.1
      rpmlint-mini-debuginfo-1.10-7.11.1
      rpmlint-mini-debugsource-1.10-7.11.1
   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
      rpmlint-mini-1.10-7.11.1
      rpmlint-mini-debuginfo-1.10-7.11.1
      rpmlint-mini-debugsource-1.10-7.11.1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
      rpmlint-mini-1.10-7.11.1
      rpmlint-mini-debuginfo-1.10-7.11.1
      rpmlint-mini-debugsource-1.10-7.11.1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
      rpmlint-mini-1.10-7.11.1
      rpmlint-mini-debuginfo-1.10-7.11.1
      rpmlint-mini-debugsource-1.10-7.11.1
   - SUSE Enterprise Storage 6 (aarch64 x86_64):
      rpmlint-mini-1.10-7.11.1
      rpmlint-mini-debuginfo-1.10-7.11.1
      rpmlint-mini-debugsource-1.10-7.11.1
   - SUSE CaaS Platform 4.0 (x86_64):
      rpmlint-mini-1.10-7.11.1
      rpmlint-mini-debuginfo-1.10-7.11.1
      rpmlint-mini-debugsource-1.10-7.11.1

References:

   https://bugzilla.suse.com/1169614


From sle-security-updates at lists.suse.com Mon Mar 1 17:16:29 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Mar 2021 18:16:29 +0100 (CET)
Subject: SUSE-SU-2021:0659-1: important: Security update for MozillaFirefox
Message-ID: <20210301171629.4361DFD14@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0659-1
Rating:             important
References:         #1182357 #1182614
Cross-References:   CVE-2021-23968 CVE-2021-23969 CVE-2021-23973 CVE-2021-23978
CVSS scores:
                    CVE-2021-23968 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-23969 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-23973 (SUSE): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-23978 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP3
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for MozillaFirefox fixes the following issues:

   - Firefox Extended Support Release 78.8.0 ESR
     * Fixed: Various stability, functionality, and security fixes
       MFSA 2021-08 (bsc#1182614)
     * CVE-2021-23969: Content Security Policy violation report could have
       contained the destination of a redirect
     * CVE-2021-23968: Content Security Policy violation report could have
       contained the destination of a redirect
     * CVE-2021-23973: MediaError message property could have leaked
       information about cross-origin resources
     * CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP3:
      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-659=1
   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-659=1

Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
      MozillaFirefox-78.8.0-8.32.2
      MozillaFirefox-debuginfo-78.8.0-8.32.2
      MozillaFirefox-debugsource-78.8.0-8.32.2
      MozillaFirefox-translations-common-78.8.0-8.32.2
      MozillaFirefox-translations-other-78.8.0-8.32.2
   - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le x86_64):
      MozillaFirefox-devel-78.8.0-8.32.2
   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
      MozillaFirefox-78.8.0-8.32.2
      MozillaFirefox-debuginfo-78.8.0-8.32.2
      MozillaFirefox-debugsource-78.8.0-8.32.2
      MozillaFirefox-devel-78.8.0-8.32.2
      MozillaFirefox-translations-common-78.8.0-8.32.2
      MozillaFirefox-translations-other-78.8.0-8.32.2

References:

   https://www.suse.com/security/cve/CVE-2021-23968.html
   https://www.suse.com/security/cve/CVE-2021-23969.html
   https://www.suse.com/security/cve/CVE-2021-23973.html
   https://www.suse.com/security/cve/CVE-2021-23978.html
   https://bugzilla.suse.com/1182357
   https://bugzilla.suse.com/1182614


From sle-security-updates at lists.suse.com Mon Mar 1 20:16:21 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Mar 2021 21:16:21 +0100 (CET)
Subject: SUSE-SU-2021:0664-1: moderate: Security update for gnome-autoar
Message-ID: <20210301201621.DC9E7FD14@maintenance.suse.de>

   SUSE Security Update: Security update for gnome-autoar
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0664-1
Rating:             moderate
References:         #1181930
Cross-References:   CVE-2020-36241
CVSS scores:
                    CVE-2020-36241 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-36241 (SUSE): 3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for gnome-autoar fixes the following issues:

   - CVE-2020-36241: Skip problematic files that might be extracted outside of
     the destination dir to prevent potential directory traversal (bsc#1181930).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP5:
      zypper in -t patch SUSE-SLE-WE-12-SP5-2021-664=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):
      gnome-autoar-debugsource-0.2.2-3.5.1
      libgnome-autoar-0-0-0.2.2-3.5.1
      libgnome-autoar-0-0-debuginfo-0.2.2-3.5.1
      libgnome-autoar-gtk-0-0-0.2.2-3.5.1
      libgnome-autoar-gtk-0-0-debuginfo-0.2.2-3.5.1

References:

   https://www.suse.com/security/cve/CVE-2020-36241.html
   https://bugzilla.suse.com/1181930


From sle-security-updates at lists.suse.com Mon Mar 1 20:17:27 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Mar 2021 21:17:27 +0100 (CET)
Subject: SUSE-SU-2021:0667-1: important: Security update for MozillaFirefox
Message-ID: <20210301201727.4CEC0FD14@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0667-1
Rating:             important
References:         #1182357 #1182614
Cross-References:   CVE-2021-23968 CVE-2021-23969 CVE-2021-23973 CVE-2021-23978
CVSS scores:
                    CVE-2021-23968 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-23969 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-23973 (SUSE): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-23978 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for MozillaFirefox fixes the following issues:

   - Firefox Extended Support Release 78.8.0 ESR
     * Fixed: Various stability, functionality, and security fixes
       MFSA 2021-08 (bsc#1182614)
     * CVE-2021-23969: Content Security Policy violation report could have
       contained the destination of a redirect
     * CVE-2021-23968: Content Security Policy violation report could have
       contained the destination of a redirect
     * CVE-2021-23973: MediaError message property could have leaked
       information about cross-origin resources
     * CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-667=1
   - SUSE OpenStack Cloud Crowbar 8:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-667=1
   - SUSE OpenStack Cloud 9:
      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-667=1
   - SUSE OpenStack Cloud 8:
      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-667=1
   - SUSE OpenStack Cloud 7:
      zypper in -t patch SUSE-OpenStack-Cloud-7-2021-667=1
   - SUSE Linux Enterprise Software Development Kit 12-SP5:
      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-667=1
   - SUSE Linux Enterprise Server for SAP 12-SP4:
      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-667=1
   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-667=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-667=1
   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-667=1
   - SUSE Linux Enterprise Server 12-SP4-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-667=1
   - SUSE Linux Enterprise Server 12-SP3-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-667=1
   - SUSE Linux Enterprise Server 12-SP3-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-667=1
   - SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-667=1
   - SUSE Linux Enterprise Server 12-SP2-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-667=1
   - HPE Helion Openstack 8:
      zypper in -t patch HPE-Helion-OpenStack-8-2021-667=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):
      MozillaFirefox-78.8.0-112.51.1
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
      MozillaFirefox-translations-common-78.8.0-112.51.1
   - SUSE OpenStack Cloud Crowbar 8 (x86_64):
      MozillaFirefox-78.8.0-112.51.1
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
      MozillaFirefox-translations-common-78.8.0-112.51.1
   - SUSE OpenStack Cloud 9 (x86_64):
      MozillaFirefox-78.8.0-112.51.1
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
      MozillaFirefox-translations-common-78.8.0-112.51.1
   - SUSE OpenStack Cloud 8 (x86_64):
      MozillaFirefox-78.8.0-112.51.1
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
      MozillaFirefox-translations-common-78.8.0-112.51.1
   - SUSE OpenStack Cloud 7 (s390x x86_64):
      MozillaFirefox-78.8.0-112.51.1
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
      MozillaFirefox-translations-common-78.8.0-112.51.1
   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
      MozillaFirefox-78.8.0-112.51.1
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
      MozillaFirefox-translations-common-78.8.0-112.51.1
   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      MozillaFirefox-78.8.0-112.51.1
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
      MozillaFirefox-translations-common-78.8.0-112.51.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      MozillaFirefox-78.8.0-112.51.1
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
      MozillaFirefox-translations-common-78.8.0-112.51.1
   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      MozillaFirefox-78.8.0-112.51.1
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
      MozillaFirefox-translations-common-78.8.0-112.51.1
   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
      MozillaFirefox-78.8.0-112.51.1
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
      MozillaFirefox-translations-common-78.8.0-112.51.1
   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
      MozillaFirefox-78.8.0-112.51.1
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
      MozillaFirefox-translations-common-78.8.0-112.51.1
   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
      MozillaFirefox-78.8.0-112.51.1
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
      MozillaFirefox-translations-common-78.8.0-112.51.1
   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
      MozillaFirefox-78.8.0-112.51.1
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
      MozillaFirefox-translations-common-78.8.0-112.51.1
   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
      MozillaFirefox-78.8.0-112.51.1
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
      MozillaFirefox-translations-common-78.8.0-112.51.1
   - HPE Helion Openstack 8 (x86_64):
      MozillaFirefox-78.8.0-112.51.1
      MozillaFirefox-debuginfo-78.8.0-112.51.1
      MozillaFirefox-debugsource-78.8.0-112.51.1
      MozillaFirefox-devel-78.8.0-112.51.1
      MozillaFirefox-translations-common-78.8.0-112.51.1

References:

   https://www.suse.com/security/cve/CVE-2021-23968.html
   https://www.suse.com/security/cve/CVE-2021-23969.html
   https://www.suse.com/security/cve/CVE-2021-23973.html
   https://www.suse.com/security/cve/CVE-2021-23978.html
   https://bugzilla.suse.com/1182357
   https://bugzilla.suse.com/1182614


From sle-security-updates at lists.suse.com Mon Mar 1 20:19:39 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Mar 2021 21:19:39 +0100 (CET)
Subject: SUSE-SU-2021:0665-1: moderate: Security update for java-1_8_0-openjdk
Message-ID: <20210301201939.63C3FFD14@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_8_0-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0665-1
Rating:             moderate
References:         #1181239
Cross-References:   CVE-2020-14803
CVSS scores:
                    CVE-2020-14803 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2020-14803 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Legacy Software 15-SP3
                    SUSE Linux Enterprise Module for Legacy Software 15-SP2
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for java-1_8_0-openjdk fixes the following issues:

   - Update to version jdk8u282 (icedtea 3.18.0)
     * January 2021 CPU (bsc#1181239)
     * Security fixes
       + JDK-8247619: Improve Direct Buffering of Characters (CVE-2020-14803)
     * Import of OpenJDK 8 u282 build 01
       + JDK-6962725: Regtest javax/swing/JFileChooser/6738668/bug6738668.java fails under Linux
       + JDK-8025936: Windows .pdb and .map files does not have proper dependencies setup
       + JDK-8030350: Enable additional compiler warnings for GCC
       + JDK-8031423: Test java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails by Timeout on Windows
       + JDK-8036122: Fix warning 'format not a string literal'
       + JDK-8051853: new URI("x/").resolve("..").getSchemeSpecificPart() returns null!
       + JDK-8132664: closed/javax/swing/DataTransfer/DefaultNoDrop/DefaultNoDrop.java locks on Windows
       + JDK-8134632: Mark javax/sound/midi/Devices/InitializationHang.java as headful
       + JDK-8148854: Class names "SomeClass" and "LSomeClass;" treated by JVM as an equivalent
       + JDK-8148916: Mark bug6400879.java as intermittently failing
       + JDK-8148983: Fix extra comma in changes for JDK-8148916
       + JDK-8160438: javax/swing/plaf/nimbus/8057791/bug8057791.java fails
       + JDK-8165808: Add release barriers when allocating objects with concurrent collection
       + JDK-8185003: JMX: Add a version of ThreadMXBean.dumpAllThreads with a maxDepth argument
       + JDK-8202076: test/jdk/java/io/File/WinSpecialFiles.java on windows with VS2017
       + JDK-8207766: [testbug] Adapt tests for Aix.
       + JDK-8212070: Introduce diagnostic flag to abort VM on failed JIT compilation
       + JDK-8213448: [TESTBUG] enhance jfr/jvm/TestDumpOnCrash
       + JDK-8215727: Restore JFR thread sampler loop to old / previous behavior
       + JDK-8220657: JFR.dump does not work when filename is set
       + JDK-8221342: [TESTBUG] Generate Dockerfile for docker testing
       + JDK-8224502: [TESTBUG] JDK docker test TestSystemMetrics.java fails with access issues and OOM
       + JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread
       + JDK-8231968: getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes
       + JDK-8232114: JVM crashed at imjpapi.dll in native code
       + JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect numbers for Compiler area
       + JDK-8234339: replace JLI_StrTok in java_md_solinux.c
       + JDK-8238448: RSASSA-PSS signature verification fail when using certain odd key sizes
       + JDK-8242335: Additional Tests for RSASSA-PSS
       + JDK-8244225: stringop-overflow warning on strncpy call from compile_the_world_in
       + JDK-8245400: Upgrade to LittleCMS 2.11
       + JDK-8248214: Add paddings for TaskQueueSuper to reduce false-sharing cache contention
       + JDK-8249176: Update GlobalSignR6CA test certificates
       + JDK-8250665: Wrong translation for the month name of May in ar_JO,LB,SY
       + JDK-8250928: JFR: Improve hash algorithm for stack traces
       + JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java
       + JDK-8251840: Java_sun_awt_X11_XToolkit_getDefaultScreenData should not be in make/mapfiles/libawt_xawt/mapfile-vers
       + JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider rather than JRE
       + JDK-8252395: [8u] --with-native-debug-symbols=external doesn't include debuginfo files for binaries
       + JDK-8252497: Incorrect numeric currency code for ROL
       + JDK-8252754: Hash code calculation of JfrStackTrace is inconsistent
       + JDK-8252904: VM crashes when JFR is used and JFR event class is transformed
       + JDK-8252975: [8u] JDK-8252395 breaks the build for --with-native-debug-symbols=internal
       + JDK-8253284: Zero OrderAccess barrier mappings are incorrect
       + JDK-8253550: [8u] JDK-8252395 breaks the build for make STRIP_POLICY=no_strip
       + JDK-8253752: test/sun/management/jmxremote/bootstrap/RmiBootstrapTest.java fails randomly
       + JDK-8254081: java/security/cert/PolicyNode/GetPolicyQualifiers.java fails due to an expired certificate
       + JDK-8254144: Non-x86 Zero builds fail with return-type warning in os_linux_zero.cpp
       + JDK-8254166: Zero: return-type warning in zeroInterpreter_zero.cpp
       + JDK-8254683: [TEST_BUG] jdk/test/sun/tools/jconsole/WorkerDeadlockTest.java fails
       + JDK-8255003: Build failures on Solaris

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-665=1
   - SUSE Manager Retail Branch Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-665=1
   - SUSE Manager Proxy 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-665=1
   - SUSE Linux Enterprise Server for SAP 15-SP1:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-665=1
   - SUSE Linux Enterprise Server for SAP 15:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-665=1
   - SUSE Linux Enterprise Server 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-665=1
   - SUSE Linux Enterprise Server 15-SP1-BCL:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-665=1
   - SUSE Linux Enterprise Server 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-665=1
   - SUSE Linux Enterprise Module for Legacy Software 15-SP3:
      zypper in -t patch SUSE-SLE-Module-Legacy-15-SP3-2021-665=1
   - SUSE Linux Enterprise Module for Legacy Software 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2021-665=1
   - SUSE Enterprise Storage 6:
      zypper in -t patch SUSE-Storage-6-2021-665=1
   - SUSE CaaS Platform 4.0:
      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
      inform you if it detects new updates and let you then trigger updating of
      the complete cluster in a controlled way.

Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):
      java-1_8_0-openjdk-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.282-3.48.1
   - SUSE Manager Retail Branch Server 4.0 (x86_64):
      java-1_8_0-openjdk-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.282-3.48.1
   - SUSE Manager Proxy 4.0 (x86_64):
      java-1_8_0-openjdk-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.282-3.48.1
   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
      java-1_8_0-openjdk-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.282-3.48.1
   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
      java-1_8_0-openjdk-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.282-3.48.1
   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
      java-1_8_0-openjdk-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.282-3.48.1
   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
      java-1_8_0-openjdk-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.282-3.48.1
   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
      java-1_8_0-openjdk-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.282-3.48.1
   - SUSE Linux Enterprise Module for Legacy Software 15-SP3 (aarch64 ppc64le s390x x86_64):
      java-1_8_0-openjdk-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.282-3.48.1
   - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (aarch64 ppc64le s390x x86_64):
      java-1_8_0-openjdk-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.282-3.48.1
   - SUSE Enterprise Storage 6 (aarch64 x86_64):
      java-1_8_0-openjdk-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.282-3.48.1
   - SUSE CaaS Platform 4.0 (x86_64):
      java-1_8_0-openjdk-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-debugsource-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-1.8.0.282-3.48.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-1.8.0.282-3.48.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.282-3.48.1

References:

   https://www.suse.com/security/cve/CVE-2020-14803.html
   https://bugzilla.suse.com/1181239


From sle-security-updates at lists.suse.com Mon Mar 1 20:22:10 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Mar 2021 21:22:10 +0100 (CET)
Subject: SUSE-SU-2021:0670-1: important: Security update for java-1_8_0-ibm
Message-ID: <20210301202210.1257CFD14@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_8_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0670-1
Rating:             important
References:         #1181239 #1182186
Cross-References:   CVE-2020-14803 CVE-2020-27221
CVSS scores:
                    CVE-2020-14803 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2020-14803 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2020-27221 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-27221 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Legacy Software 15-SP3
                    SUSE Linux Enterprise Module for Legacy Software 15-SP2
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.
Description:

   This update for java-1_8_0-ibm fixes the following issues:

   - Update to Java 8.0 Service Refresh 6 Fix Pack 25
     [bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
     * CVE-2020-27221: Potential for a stack-based buffer overflow when the
       virtual machine or JNI natives are converting from UTF-8 characters to
       platform encoding.
     * CVE-2020-14803: An unauthenticated attacker with network access via
       multiple protocols could compromise Java SE.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-670=1

   - SUSE Manager Retail Branch Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-670=1

   - SUSE Manager Proxy 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-670=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-670=1

   - SUSE Linux Enterprise Server for SAP 15:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-670=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-670=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-670=1

   - SUSE Linux Enterprise Server 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-670=1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP3:
      zypper in -t patch SUSE-SLE-Module-Legacy-15-SP3-2021-670=1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2021-670=1

   - SUSE Enterprise Storage 6:
      zypper in -t patch SUSE-Storage-6-2021-670=1

   - SUSE CaaS Platform 4.0:
      To install this update, use the SUSE CaaS Platform 'skuba' tool.
      It will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.

Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):
      java-1_8_0-ibm-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-devel-1.8.0_sr6.25-3.50.1

   - SUSE Manager Server 4.0 (x86_64):
      java-1_8_0-ibm-alsa-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.25-3.50.1

   - SUSE Manager Retail Branch Server 4.0 (x86_64):
      java-1_8_0-ibm-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-alsa-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-devel-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.25-3.50.1

   - SUSE Manager Proxy 4.0 (x86_64):
      java-1_8_0-ibm-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-alsa-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-devel-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.25-3.50.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
      java-1_8_0-ibm-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-devel-1.8.0_sr6.25-3.50.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):
      java-1_8_0-ibm-alsa-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.25-3.50.1

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
      java-1_8_0-ibm-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-devel-1.8.0_sr6.25-3.50.1

   - SUSE Linux Enterprise Server for SAP 15 (x86_64):
      java-1_8_0-ibm-alsa-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.25-3.50.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (ppc64le s390x x86_64):
      java-1_8_0-ibm-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-devel-1.8.0_sr6.25-3.50.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):
      java-1_8_0-ibm-alsa-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.25-3.50.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
      java-1_8_0-ibm-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-alsa-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-devel-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.25-3.50.1

   - SUSE Linux Enterprise Server 15-LTSS (s390x):
      java-1_8_0-ibm-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-devel-1.8.0_sr6.25-3.50.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP3 (ppc64le s390x x86_64):
      java-1_8_0-ibm-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-devel-1.8.0_sr6.25-3.50.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP3 (x86_64):
      java-1_8_0-ibm-alsa-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.25-3.50.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (ppc64le s390x x86_64):
      java-1_8_0-ibm-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-devel-1.8.0_sr6.25-3.50.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (x86_64):
      java-1_8_0-ibm-alsa-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.25-3.50.1

   - SUSE Enterprise Storage 6 (x86_64):
      java-1_8_0-ibm-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-alsa-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-devel-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.25-3.50.1

   - SUSE CaaS Platform 4.0 (x86_64):
      java-1_8_0-ibm-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-alsa-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-devel-1.8.0_sr6.25-3.50.1
      java-1_8_0-ibm-plugin-1.8.0_sr6.25-3.50.1

References:

   https://www.suse.com/security/cve/CVE-2020-14803.html
   https://www.suse.com/security/cve/CVE-2020-27221.html
   https://bugzilla.suse.com/1181239
   https://bugzilla.suse.com/1182186


From sle-security-updates at lists.suse.com  Mon Mar  1 20:23:23 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Mar 2021 21:23:23 +0100 (CET)
Subject: SUSE-SU-2021:0663-1: important: Security update for open-iscsi
Message-ID: <20210301202323.A6FCDFD14@maintenance.suse.de>

   SUSE Security Update: Security update for open-iscsi
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0663-1
Rating:             important
References:         #1179908
Cross-References:   CVE-2020-13987 CVE-2020-13988 CVE-2020-17437 CVE-2020-17438
CVSS scores:
                    CVE-2020-13987 (SUSE): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
                    CVE-2020-13988 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-17437 (NVD) : 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
                    CVE-2020-17437 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2020-17438 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-17438 (SUSE): 7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for open-iscsi fixes the following issues:

   Fixes for CVE-2020-17437, CVE-2020-17438, CVE-2020-13987 and CVE-2020-13988
   (bsc#1179908):

   - check for TCP urgent pointer past end of frame
   - check for u8 overflow when processing TCP options
   - check for header length underflow during checksum calculation

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
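   The three checks listed in the description above, as an added example in C
   that is not open-iscsi or iscsiuio code: a validator that rejects a segment
   whose data offset would make the payload length underflow, whose option
   length byte would carry the cursor past the header, or whose urgent pointer
   lies beyond the payload. The sample segments (ports, option bytes, urgent
   pointer values) are constructed for the demonstration.

```c
/* Added example, not open-iscsi/iscsiuio code: a TCP header validator applying the
 * three classes of checks the advisory names before any header field is used for
 * indexing or length arithmetic. A segment here is the TCP header plus payload. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TCP_MIN_HDR 20
#define TCP_FLAG_URG 0x20

enum tcp_check {
    TCP_OK = 0,
    TCP_ERR_SHORT,   /* fewer than 20 bytes: no complete fixed header */
    TCP_ERR_HDRLEN,  /* data offset below 20 bytes or past the end of the segment */
    TCP_ERR_OPTION,  /* option length below 2 or option running past the header */
    TCP_ERR_URGPTR   /* URG set and urgent pointer beyond the payload */
};

/* Validate a TCP segment of seg_len bytes; return TCP_OK or the first error. */
enum tcp_check tcp_validate(const uint8_t *seg, size_t seg_len)
{
    if (seg_len < TCP_MIN_HDR)
        return TCP_ERR_SHORT;

    /* Data offset (high nibble of byte 12, in 32-bit words). Unchecked, an offset
     * below 5 or beyond the frame makes seg_len - hdr_len wrap when a checksum
     * routine derives the payload length from it. */
    size_t hdr_len = (size_t)(seg[12] >> 4) * 4;
    if (hdr_len < TCP_MIN_HDR || hdr_len > seg_len)
        return TCP_ERR_HDRLEN;
    size_t payload_len = seg_len - hdr_len;

    /* Option walk with a size_t cursor bounded by the option area: a u8 cursor
     * advanced by a peer-chosen length byte (up to 255) wraps, and a length of
     * 0 or 1 never advances at all. */
    const uint8_t *opt = seg + TCP_MIN_HDR;
    size_t opt_len = hdr_len - TCP_MIN_HDR, i = 0;
    while (i < opt_len) {
        uint8_t kind = opt[i];
        if (kind == 0)                      /* End of Option List */
            break;
        if (kind == 1) { i++; continue; }   /* No-Operation: one byte, no length */
        if (i + 1 >= opt_len)               /* length byte would lie outside the header */
            return TCP_ERR_OPTION;
        uint8_t len = opt[i + 1];
        if (len < 2 || len > opt_len - i)
            return TCP_ERR_OPTION;
        i += len;
    }

    /* Urgent pointer: an offset into the payload, meaningful only with URG set.
     * Equal to payload_len is legal (it names the octet after the urgent data). */
    if (seg[13] & TCP_FLAG_URG) {
        uint16_t urgptr = (uint16_t)((seg[18] << 8) | seg[19]);
        if (urgptr > payload_len)
            return TCP_ERR_URGPTR;
    }
    return TCP_OK;
}

/* Build a constructed segment: fixed header, options, zeroed payload. doff_words
 * is written as given, so a sample can claim a header length that disagrees with
 * the bytes actually emitted. Returns the segment length, 0 if it does not fit. */
size_t build_segment(uint8_t *buf, size_t cap, unsigned doff_words, uint8_t flags,
                     uint16_t urgptr, const uint8_t *opts, size_t opts_len, size_t payload_len)
{
    size_t total = TCP_MIN_HDR + opts_len + payload_len;
    if (total > cap || doff_words > 15)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x04; buf[1] = 0xd2; buf[2] = 0x0c; buf[3] = 0xbc; /* ports 1234 -> 3260 (iSCSI) */
    buf[12] = (uint8_t)(doff_words << 4);                       /* data offset, reserved bits 0 */
    buf[13] = flags;
    buf[14] = buf[15] = 0xff;                                   /* window */
    buf[18] = (uint8_t)(urgptr >> 8); buf[19] = (uint8_t)(urgptr & 0xff);
    if (opts_len)
        memcpy(buf + TCP_MIN_HDR, opts, opts_len);
    return total;
}

/* Constructed samples: 0, 1 and 6 are well-formed; 2 to 5 each trip one check. */
enum tcp_check sample_result(int which)
{
    static const uint8_t mss[4] = { 2, 4, 0x05, 0xb4 };   /* MSS 1460, length 4 */
    static const uint8_t bad[4] = { 8, 0xff, 0, 0 };      /* timestamp option, length 255 */
    uint8_t buf[256];
    size_t n = 0;
    switch (which) {
    case 0: n = build_segment(buf, sizeof buf, 5, 0x10, 0, NULL, 0, 100); break;
    case 1: n = build_segment(buf, sizeof buf, 6, 0x10, 0, mss, 4, 10); break;
    case 2: n = build_segment(buf, sizeof buf, 2, 0x10, 0, NULL, 0, 0); break;     /* offset 8 */
    case 3: n = build_segment(buf, sizeof buf, 15, 0x10, 0, NULL, 0, 0); break;    /* offset 60 */
    case 4: n = build_segment(buf, sizeof buf, 6, 0x10, 0, bad, 4, 0); break;
    case 5: n = build_segment(buf, sizeof buf, 5, 0x30, 500, NULL, 0, 100); break; /* URG|ACK */
    case 6: n = build_segment(buf, sizeof buf, 5, 0x30, 100, NULL, 0, 100); break; /* boundary */
    }
    return tcp_validate(buf, n);   /* n == 0 for an unknown sample yields TCP_ERR_SHORT */
}
```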
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-663=1

   - SUSE OpenStack Cloud 9:
      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-663=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:
      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-663=1

   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-663=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-663=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):
      iscsiuio-0.7.8.2-12.27.2
      iscsiuio-debuginfo-0.7.8.2-12.27.2
      libopeniscsiusr0_2_0-2.0.876-12.27.2
      libopeniscsiusr0_2_0-debuginfo-2.0.876-12.27.2
      open-iscsi-2.0.876-12.27.2
      open-iscsi-debuginfo-2.0.876-12.27.2
      open-iscsi-debugsource-2.0.876-12.27.2

   - SUSE OpenStack Cloud 9 (x86_64):
      iscsiuio-0.7.8.2-12.27.2
      iscsiuio-debuginfo-0.7.8.2-12.27.2
      libopeniscsiusr0_2_0-2.0.876-12.27.2
      libopeniscsiusr0_2_0-debuginfo-2.0.876-12.27.2
      open-iscsi-2.0.876-12.27.2
      open-iscsi-debuginfo-2.0.876-12.27.2
      open-iscsi-debugsource-2.0.876-12.27.2

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
      iscsiuio-0.7.8.2-12.27.2
      iscsiuio-debuginfo-0.7.8.2-12.27.2
      libopeniscsiusr0_2_0-2.0.876-12.27.2
      libopeniscsiusr0_2_0-debuginfo-2.0.876-12.27.2
      open-iscsi-2.0.876-12.27.2
      open-iscsi-debuginfo-2.0.876-12.27.2
      open-iscsi-debugsource-2.0.876-12.27.2

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      iscsiuio-0.7.8.2-12.27.2
      iscsiuio-debuginfo-0.7.8.2-12.27.2
      libopeniscsiusr0_2_0-2.0.876-12.27.2
      libopeniscsiusr0_2_0-debuginfo-2.0.876-12.27.2
      open-iscsi-2.0.876-12.27.2
      open-iscsi-debuginfo-2.0.876-12.27.2
      open-iscsi-debugsource-2.0.876-12.27.2

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
      iscsiuio-0.7.8.2-12.27.2
      iscsiuio-debuginfo-0.7.8.2-12.27.2
      libopeniscsiusr0_2_0-2.0.876-12.27.2
      libopeniscsiusr0_2_0-debuginfo-2.0.876-12.27.2
      open-iscsi-2.0.876-12.27.2
      open-iscsi-debuginfo-2.0.876-12.27.2
      open-iscsi-debugsource-2.0.876-12.27.2

References:

   https://www.suse.com/security/cve/CVE-2020-13987.html
   https://www.suse.com/security/cve/CVE-2020-13988.html
   https://www.suse.com/security/cve/CVE-2020-17437.html
   https://www.suse.com/security/cve/CVE-2020-17438.html
   https://bugzilla.suse.com/1179908


From sle-security-updates at lists.suse.com  Mon Mar  1 20:24:26 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Mar 2021 21:24:26 +0100 (CET)
Subject: SUSE-SU-2021:0668-1: important: Security update for python-cryptography
Message-ID: <20210301202426.78470FD14@maintenance.suse.de>

   SUSE Security Update: Security update for python-cryptography
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0668-1
Rating:             important
References:         #1182066
Cross-References:   CVE-2020-36242
CVSS scores:
                    CVE-2020-36242 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
                    CVE-2020-36242 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python-cryptography fixes the following issues:

   - CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi
     gigabyte values could result in an integer overflow and buffer overflow
     (bsc#1182066).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-668=1

   - SUSE OpenStack Cloud 9:
      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-668=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):
      python-cryptography-2.3.1-3.3.1
      python-cryptography-debuginfo-2.3.1-3.3.1
      python-cryptography-debugsource-2.3.1-3.3.1

   - SUSE OpenStack Cloud 9 (x86_64):
      python-cryptography-2.3.1-3.3.1
      python-cryptography-debuginfo-2.3.1-3.3.1
      python-cryptography-debugsource-2.3.1-3.3.1

References:

   https://www.suse.com/security/cve/CVE-2020-36242.html
   https://bugzilla.suse.com/1182066


From sle-security-updates at lists.suse.com  Mon Mar  1 20:25:26 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Mar 2021 21:25:26 +0100 (CET)
Subject: SUSE-SU-2021:14657-1: important: Security update for MozillaFirefox
Message-ID: <20210301202526.1D887FD14@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14657-1
Rating:             important
References:         #1182357 #1182614
Cross-References:   CVE-2021-23968 CVE-2021-23969 CVE-2021-23973 CVE-2021-23978
CVSS scores:
                    CVE-2021-23968 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-23969 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-23973 (SUSE): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-23978 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.
Description:

   This update for MozillaFirefox fixes the following issues:

   - Firefox Extended Support Release 78.8.0 ESR
     * Fixed: Various stability, functionality, and security fixes
       MFSA 2021-08 (bsc#1182614)
     * CVE-2021-23969: Content Security Policy violation report could have
       contained the destination of a redirect
     * CVE-2021-23968: Content Security Policy violation report could have
       contained the destination of a redirect
     * CVE-2021-23973: MediaError message property could have leaked
       information about cross-origin resources
     * CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:
      zypper in -t patch slessp4-MozillaFirefox-14657=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-MozillaFirefox-14657=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64):
      MozillaFirefox-78.8.0-78.120.1
      MozillaFirefox-translations-common-78.8.0-78.120.1
      MozillaFirefox-translations-other-78.8.0-78.120.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):
      MozillaFirefox-debuginfo-78.8.0-78.120.1

References:

   https://www.suse.com/security/cve/CVE-2021-23968.html
   https://www.suse.com/security/cve/CVE-2021-23969.html
   https://www.suse.com/security/cve/CVE-2021-23973.html
   https://www.suse.com/security/cve/CVE-2021-23978.html
   https://bugzilla.suse.com/1182357
   https://bugzilla.suse.com/1182614


From sle-security-updates at lists.suse.com  Mon Mar  1 20:26:38 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Mar 2021 21:26:38 +0100 (CET)
Subject: SUSE-SU-2020:2173-2: moderate: Security update for perl-XML-Twig
Message-ID: <20210301202638.EA62AFD14@maintenance.suse.de>

   SUSE Security Update: Security update for perl-XML-Twig
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:2173-2
Rating:             moderate
References:         #1008644
Cross-References:   CVE-2016-9180
CVSS scores:
                    CVE-2016-9180 (NVD) : 9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
                    CVE-2016-9180 (SUSE): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for perl-XML-Twig fixes the following issues:

   - Security fix [bsc#1008644, CVE-2016-9180]
     * Added: the no_xxe option to XML::Twig::new, which causes the parse to
       fail if external entities are used (to prevent malicious XML from
       accessing the filesystem).
     * Setting expand_external_ents to 0 or -1 currently doesn't work as
       expected; to completely turn off expanding external entities use no_xxe.
     * Update documentation for XML::Twig to mention problems with
       expand_external_ents and add information about the new no_xxe argument

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-666=1

   - SUSE OpenStack Cloud Crowbar 8:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-666=1

   - SUSE OpenStack Cloud 9:
      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-666=1

   - SUSE OpenStack Cloud 8:
      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-666=1

   - SUSE OpenStack Cloud 7:
      zypper in -t patch SUSE-OpenStack-Cloud-7-2021-666=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:
      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-666=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-666=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-666=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-666=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-666=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-666=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-666=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-666=1

   - HPE Helion Openstack 8:
      zypper in -t patch HPE-Helion-OpenStack-8-2021-666=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (noarch):
      perl-XML-Twig-3.44-5.3.1

   - SUSE OpenStack Cloud Crowbar 8 (noarch):
      perl-XML-Twig-3.44-5.3.1

   - SUSE OpenStack Cloud 9 (noarch):
      perl-XML-Twig-3.44-5.3.1

   - SUSE OpenStack Cloud 8 (noarch):
      perl-XML-Twig-3.44-5.3.1

   - SUSE OpenStack Cloud 7 (noarch):
      perl-XML-Twig-3.44-5.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):
      perl-XML-Twig-3.44-5.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
      perl-XML-Twig-3.44-5.3.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
      perl-XML-Twig-3.44-5.3.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):
      perl-XML-Twig-3.44-5.3.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
      perl-XML-Twig-3.44-5.3.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
      perl-XML-Twig-3.44-5.3.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
      perl-XML-Twig-3.44-5.3.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
      perl-XML-Twig-3.44-5.3.1

   - HPE Helion Openstack 8 (noarch):
      perl-XML-Twig-3.44-5.3.1

References:

   https://www.suse.com/security/cve/CVE-2016-9180.html
   https://bugzilla.suse.com/1008644


From sle-security-updates at lists.suse.com  Mon Mar  1 20:27:49 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Mar 2021 21:27:49 +0100 (CET)
Subject: SUSE-SU-2021:0661-1: important: Security update for MozillaThunderbird
Message-ID: <20210301202749.92EE9FD14@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0661-1
Rating:             important
References:         #1182357 #1182614
Cross-References:   CVE-2021-23968 CVE-2021-23969 CVE-2021-23973 CVE-2021-23978
CVSS scores:
                    CVE-2021-23968 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-23969 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-23973 (SUSE): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-23978 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP2
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.
Description:

   This update for MozillaThunderbird fixes the following issues:

   - Mozilla Thunderbird 78.8
     * fixed: Importing an address book from a CSV file always reported an error
     * fixed: Security information for S/MIME messages was not displayed
       correctly prior to a draft being saved
     * fixed: Calendar: FileLink UI fixes for Caldav calendars
     * fixed: Recurring tasks were always marked incomplete; unable to use filters
     * fixed: Various UI widgets not working
     * fixed: Dark theme improvements
     * fixed: Extension manager was missing link to addon support web page
     * fixed: Various security fixes
       MFSA 2021-09 (bsc#1182614)
     * CVE-2021-23969: Content Security Policy violation report could have
       contained the destination of a redirect
     * CVE-2021-23968: Content Security Policy violation report could have
       contained the destination of a redirect
     * CVE-2021-23973: MediaError message property could have leaked
       information about cross-origin resources
     * CVE-2021-23978: Memory safety bugs fixed in Thunderbird 78.8

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP2:
      zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-661=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):
      MozillaThunderbird-78.8.0-8.15.4
      MozillaThunderbird-debuginfo-78.8.0-8.15.4
      MozillaThunderbird-debugsource-78.8.0-8.15.4
      MozillaThunderbird-translations-common-78.8.0-8.15.4
      MozillaThunderbird-translations-other-78.8.0-8.15.4

References:

   https://www.suse.com/security/cve/CVE-2021-23968.html
   https://www.suse.com/security/cve/CVE-2021-23969.html
   https://www.suse.com/security/cve/CVE-2021-23973.html
   https://www.suse.com/security/cve/CVE-2021-23978.html
   https://bugzilla.suse.com/1182357
   https://bugzilla.suse.com/1182614


From sle-security-updates at lists.suse.com  Mon Mar  1 20:28:50 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 1 Mar 2021 21:28:50 +0100 (CET)
Subject: SUSE-SU-2021:0669-1: important: Security update for python-cryptography
Message-ID: <20210301202850.D86BBFD14@maintenance.suse.de>

   SUSE Security Update: Security update for python-cryptography
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0669-1
Rating:             important
References:         #1182066
Cross-References:   CVE-2020-36242
CVSS scores:
                    CVE-2020-36242 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
                    CVE-2020-36242 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python-cryptography fixes the following issues:

   - CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi
     gigabyte values could result in an integer overflow and buffer overflow
     (bsc#1182066).
Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-669=1

   - SUSE OpenStack Cloud 8:
      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-669=1

   - HPE Helion Openstack 8:
      zypper in -t patch HPE-Helion-OpenStack-8-2021-669=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):
      python-cryptography-2.0.3-3.10.1
      python-cryptography-debuginfo-2.0.3-3.10.1
      python-cryptography-debugsource-2.0.3-3.10.1

   - SUSE OpenStack Cloud 8 (x86_64):
      python-cryptography-2.0.3-3.10.1
      python-cryptography-debuginfo-2.0.3-3.10.1
      python-cryptography-debugsource-2.0.3-3.10.1

   - HPE Helion Openstack 8 (x86_64):
      python-cryptography-2.0.3-3.10.1
      python-cryptography-debuginfo-2.0.3-3.10.1
      python-cryptography-debugsource-2.0.3-3.10.1

References:

   https://www.suse.com/security/cve/CVE-2020-36242.html
   https://bugzilla.suse.com/1182066


From sle-security-updates at lists.suse.com  Tue Mar  2 14:17:07 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 2 Mar 2021 15:17:07 +0100 (CET)
Subject: SUSE-SU-2021:0675-1: important: Security update for python-cryptography
Message-ID: <20210302141707.B9C6AFD14@maintenance.suse.de>

   SUSE Security Update: Security update for python-cryptography
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0675-1
Rating:             important
References:         #1182066
Cross-References:   CVE-2020-36242
CVSS scores:
                    CVE-2020-36242 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
                    CVE-2020-36242 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python-cryptography fixes the following issues:

   - CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi
     gigabyte values could result in an integer overflow and buffer overflow
     (bsc#1182066).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-675=1

   - SUSE OpenStack Cloud Crowbar 8:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-675=1

   - SUSE OpenStack Cloud 9:
      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-675=1

   - SUSE OpenStack Cloud 8:
      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-675=1

   - SUSE OpenStack Cloud 7:
      zypper in -t patch SUSE-OpenStack-Cloud-7-2021-675=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:
      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-675=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-675=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-675=1

   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-675=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-675=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-675=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-675=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-675=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-675=1

   - HPE Helion Openstack 8:
      zypper in -t patch HPE-Helion-OpenStack-8-2021-675=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):
      python-cryptography-2.1.4-7.34.1
      python-cryptography-debuginfo-2.1.4-7.34.1
      python-cryptography-debugsource-2.1.4-7.34.1
      python3-cryptography-2.1.4-7.34.1
      python3-cryptography-debuginfo-2.1.4-7.34.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):
      python-cryptography-2.1.4-7.34.1
      python-cryptography-debuginfo-2.1.4-7.34.1
      python-cryptography-debugsource-2.1.4-7.34.1
      python3-cryptography-2.1.4-7.34.1

   - SUSE OpenStack Cloud 9 (x86_64):
      python-cryptography-2.1.4-7.34.1
      python-cryptography-debuginfo-2.1.4-7.34.1
      python-cryptography-debugsource-2.1.4-7.34.1
      python3-cryptography-2.1.4-7.34.1
      python3-cryptography-debuginfo-2.1.4-7.34.1

   - SUSE OpenStack Cloud 8 (x86_64):
      python-cryptography-2.1.4-7.34.1
      python-cryptography-debuginfo-2.1.4-7.34.1
      python-cryptography-debugsource-2.1.4-7.34.1
      python3-cryptography-2.1.4-7.34.1

   - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64):
      python-cryptography-2.1.4-7.34.1
      python-cryptography-debuginfo-2.1.4-7.34.1
      python-cryptography-debugsource-2.1.4-7.34.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):
      python3-cryptography-2.1.4-7.34.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
      python-cryptography-2.1.4-7.34.1
      python-cryptography-debuginfo-2.1.4-7.34.1
      python-cryptography-debugsource-2.1.4-7.34.1
      python3-cryptography-2.1.4-7.34.1
      python3-cryptography-debuginfo-2.1.4-7.34.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      python-cryptography-2.1.4-7.34.1
      python-cryptography-debuginfo-2.1.4-7.34.1
      python-cryptography-debugsource-2.1.4-7.34.1
      python3-cryptography-2.1.4-7.34.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      python-cryptography-2.1.4-7.34.1
      python-cryptography-debuginfo-2.1.4-7.34.1
      python-cryptography-debugsource-2.1.4-7.34.1
      python3-cryptography-2.1.4-7.34.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      python-cryptography-2.1.4-7.34.1
      python-cryptography-debuginfo-2.1.4-7.34.1
      python-cryptography-debugsource-2.1.4-7.34.1
      python3-cryptography-2.1.4-7.34.1
      python3-cryptography-debuginfo-2.1.4-7.34.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
      python-cryptography-2.1.4-7.34.1
      python-cryptography-debuginfo-2.1.4-7.34.1
      python-cryptography-debugsource-2.1.4-7.34.1
      python3-cryptography-2.1.4-7.34.1
      python3-cryptography-debuginfo-2.1.4-7.34.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
      python-cryptography-2.1.4-7.34.1
      python-cryptography-debuginfo-2.1.4-7.34.1
      python-cryptography-debugsource-2.1.4-7.34.1
      python3-cryptography-2.1.4-7.34.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
      python-cryptography-2.1.4-7.34.1
      python-cryptography-debuginfo-2.1.4-7.34.1
      python-cryptography-debugsource-2.1.4-7.34.1
      python3-cryptography-2.1.4-7.34.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
      python-cryptography-2.1.4-7.34.1
      python-cryptography-debuginfo-2.1.4-7.34.1
      python-cryptography-debugsource-2.1.4-7.34.1
      python3-cryptography-2.1.4-7.34.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
      python-cryptography-2.1.4-7.34.1
      python-cryptography-debuginfo-2.1.4-7.34.1
      python-cryptography-debugsource-2.1.4-7.34.1
      python3-cryptography-2.1.4-7.34.1

   - HPE Helion Openstack 8 (x86_64):
      python-cryptography-2.1.4-7.34.1
      python-cryptography-debuginfo-2.1.4-7.34.1
      python-cryptography-debugsource-2.1.4-7.34.1
      python3-cryptography-2.1.4-7.34.1

References:

   https://www.suse.com/security/cve/CVE-2020-36242.html
   https://bugzilla.suse.com/1182066


From sle-security-updates at lists.suse.com  Tue Mar  2 14:18:21 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 2 Mar 2021 15:18:21 +0100 (CET)
Subject: SUSE-SU-2021:0676-1: important: Security update for MozillaFirefox
Message-ID: <20210302141821.2A999FD14@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0676-1
Rating:             important
References:         #1181848 #1182357 #1182614
Cross-References:   CVE-2021-23968 CVE-2021-23969 CVE-2021-23973 CVE-2021-23978
CVSS scores:
                    CVE-2021-23968 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-23969 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-23973 (SUSE): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-23978 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.
Description:

This update for MozillaFirefox fixes the following issues:

- Firefox Extended Support Release 78.8.0 ESR
  * Fixed: Various stability, functionality, and security fixes MFSA 2021-08 (bsc#1182614)
  * CVE-2021-23969: Content Security Policy violation report could have contained the destination of a redirect
  * CVE-2021-23968: Content Security Policy violation report could have contained the destination of a redirect
  * CVE-2021-23973: MediaError message property could have leaked information about cross-origin resources
  * CVE-2021-23978: Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
  * Fixed: Prevent access to NTFS special paths that could lead to filesystem corruption.
  * Buffer overflow in depth pitch calculations for compressed textures

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-676=1
- SUSE Manager Retail Branch Server 4.0:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-676=1
- SUSE Manager Proxy 4.0:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-676=1
- SUSE Linux Enterprise Server for SAP 15-SP1:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-676=1
- SUSE Linux Enterprise Server 15-SP1-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-676=1
- SUSE Linux Enterprise Server 15-SP1-BCL:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-676=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-676=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-676=1
- SUSE Enterprise Storage 6:
    zypper in -t patch SUSE-Storage-6-2021-676=1
- SUSE CaaS Platform 4.0:
    To install this
update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): MozillaFirefox-78.8.0-3.133.1 MozillaFirefox-debuginfo-78.8.0-3.133.1 MozillaFirefox-debugsource-78.8.0-3.133.1 MozillaFirefox-devel-78.8.0-3.133.1 MozillaFirefox-translations-common-78.8.0-3.133.1 MozillaFirefox-translations-other-78.8.0-3.133.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): MozillaFirefox-78.8.0-3.133.1 MozillaFirefox-debuginfo-78.8.0-3.133.1 MozillaFirefox-debugsource-78.8.0-3.133.1 MozillaFirefox-devel-78.8.0-3.133.1 MozillaFirefox-translations-common-78.8.0-3.133.1 MozillaFirefox-translations-other-78.8.0-3.133.1 - SUSE Manager Proxy 4.0 (x86_64): MozillaFirefox-78.8.0-3.133.1 MozillaFirefox-debuginfo-78.8.0-3.133.1 MozillaFirefox-debugsource-78.8.0-3.133.1 MozillaFirefox-devel-78.8.0-3.133.1 MozillaFirefox-translations-common-78.8.0-3.133.1 MozillaFirefox-translations-other-78.8.0-3.133.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): MozillaFirefox-78.8.0-3.133.1 MozillaFirefox-debuginfo-78.8.0-3.133.1 MozillaFirefox-debugsource-78.8.0-3.133.1 MozillaFirefox-devel-78.8.0-3.133.1 MozillaFirefox-translations-common-78.8.0-3.133.1 MozillaFirefox-translations-other-78.8.0-3.133.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): MozillaFirefox-78.8.0-3.133.1 MozillaFirefox-debuginfo-78.8.0-3.133.1 MozillaFirefox-debugsource-78.8.0-3.133.1 MozillaFirefox-devel-78.8.0-3.133.1 MozillaFirefox-translations-common-78.8.0-3.133.1 MozillaFirefox-translations-other-78.8.0-3.133.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): MozillaFirefox-78.8.0-3.133.1 MozillaFirefox-debuginfo-78.8.0-3.133.1 MozillaFirefox-debugsource-78.8.0-3.133.1 MozillaFirefox-devel-78.8.0-3.133.1 MozillaFirefox-translations-common-78.8.0-3.133.1 MozillaFirefox-translations-other-78.8.0-3.133.1 - 
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
    MozillaFirefox-78.8.0-3.133.1
    MozillaFirefox-debuginfo-78.8.0-3.133.1
    MozillaFirefox-debugsource-78.8.0-3.133.1
    MozillaFirefox-devel-78.8.0-3.133.1
    MozillaFirefox-translations-common-78.8.0-3.133.1
    MozillaFirefox-translations-other-78.8.0-3.133.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
    MozillaFirefox-78.8.0-3.133.1
    MozillaFirefox-debuginfo-78.8.0-3.133.1
    MozillaFirefox-debugsource-78.8.0-3.133.1
    MozillaFirefox-devel-78.8.0-3.133.1
    MozillaFirefox-translations-common-78.8.0-3.133.1
    MozillaFirefox-translations-other-78.8.0-3.133.1
- SUSE Enterprise Storage 6 (aarch64 x86_64):
    MozillaFirefox-78.8.0-3.133.1
    MozillaFirefox-debuginfo-78.8.0-3.133.1
    MozillaFirefox-debugsource-78.8.0-3.133.1
    MozillaFirefox-devel-78.8.0-3.133.1
    MozillaFirefox-translations-common-78.8.0-3.133.1
    MozillaFirefox-translations-other-78.8.0-3.133.1
- SUSE CaaS Platform 4.0 (x86_64):
    MozillaFirefox-78.8.0-3.133.1
    MozillaFirefox-debuginfo-78.8.0-3.133.1
    MozillaFirefox-debugsource-78.8.0-3.133.1
    MozillaFirefox-devel-78.8.0-3.133.1
    MozillaFirefox-translations-common-78.8.0-3.133.1
    MozillaFirefox-translations-other-78.8.0-3.133.1

References:

https://www.suse.com/security/cve/CVE-2021-23968.html
https://www.suse.com/security/cve/CVE-2021-23969.html
https://www.suse.com/security/cve/CVE-2021-23973.html
https://www.suse.com/security/cve/CVE-2021-23978.html
https://bugzilla.suse.com/1181848
https://bugzilla.suse.com/1182357
https://bugzilla.suse.com/1182614

From sle-security-updates at lists.suse.com Tue Mar 2 14:19:40 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 2 Mar 2021 15:19:40 +0100 (CET)
Subject: SUSE-SU-2021:0673-1: important: Security update for nodejs10
Message-ID: <20210302141940.284AAFD14@maintenance.suse.de>

   SUSE Security Update: Security update for nodejs10
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0673-1
Rating:             important
References:         #1182333 #1182619 #1182620
Cross-References:   CVE-2021-22883 CVE-2021-22884 CVE-2021-23840
CVSS scores:
                    CVE-2021-22883 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-22884 (SUSE): 5.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
                    CVE-2021-23840 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-23840 (SUSE): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for nodejs10 fixes the following issues:

New upstream LTS version 10.24.0:

- CVE-2021-22883: too many HTTP/2 connections left in the 'unknownProtocol' state cause a denial of service by resource exhaustion (bsc#1182619)
- CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)
- CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate (bsc#1182333)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
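On CVE-2021-22884 above: a debugger such as `node --inspect` listens on 127.0.0.1 and relies on the HTTP Host header to decide that a WebSocket upgrade really originates on the local machine. Node's list of locally trusted names included `localhost6`, a name that is only defined in /etc/hosts on some systems; elsewhere it is an ordinary DNS name, so an attacker who controls its resolver can first answer with a public address (so the victim's browser will talk to it) and then rebind it to 127.0.0.1. Node 10.24.0 dropped `localhost6` from that list. The Python below is an added example, not code from Node.js or from SUSE, of the check a loopback-only service should apply: accept an exact allow-listed name or a strictly parsed loopback IP literal, and never accept a name on the strength of what it resolves to at check time. The sample Host values are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from typing import Optional

# Names a loopback-only service may trust in the Host header. "localhost6" is
# deliberately absent: it is not guaranteed to be defined in /etc/hosts and is
# otherwise resolved over the network, which is what made CVE-2021-22884 possible.
ALLOWED_NAMES = frozenset({"localhost"})


def split_host_port(host_header: str) -> tuple[str, Optional[int]]:
    """Split an HTTP Host header value into (host, port).

    IPv6 literals must be bracketed ("[::1]:9229"); the brackets are removed
    from the returned host. Raises ValueError for malformed input.
    """
    value = host_header.strip()
    if value.startswith("["):
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, tail = value[1:end], value[end + 1:]
        if tail and not tail.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port_str = tail[1:] if tail else ""
    else:
        host, _, port_str = value.partition(":")
    port: Optional[int] = None
    if port_str:
        if not port_str.isdigit():
            raise ValueError("malformed port")
        port = int(port_str)
    return host, port


def host_is_local(host_header: str) -> bool:
    """Return True only for Host values that DNS rebinding cannot influence.

    Accepts an exact allow-listed name or a loopback IP *literal* parsed
    strictly by the ipaddress module (no "127.1", no hex or decimal forms).
    Resolving a name and inspecting the answer is not an alternative: under
    rebinding the attacker's resolver switches to 127.0.0.1 only after the
    browser has connected, so every name outside the allow-list is rejected.
    """
    try:
        host, _port = split_host_port(host_header)
    except ValueError:
        return False
    if host.lower() in ALLOWED_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not a strict IP literal, e.g. a DNS name
        return False


# Constructed sample Host values (not taken from the advisory) and the verdict
# a loopback-only debug listener should reach for each of them.
SAMPLE_HOST_HEADERS = {
    "localhost:9229": True,
    "LOCALHOST": True,
    "127.0.0.1:9229": True,
    "[::1]:9229": True,
    "localhost6": False,                 # the name Node 10.24.0 stopped trusting
    "localhost.attacker.example": False,
    "127.0.0.1.attacker.example": False,
    "127.1": False,                      # shorthand literal: not parsed, not trusted
    "0x7f000001": False,
    "[::1": False,                       # malformed
}


def check_samples() -> dict[str, bool]:
    """Evaluate every constructed sample; used by the self-check below."""
    return {header: host_is_local(header) for header in SAMPLE_HOST_HEADERS}


if __name__ == "__main__":
    for header, verdict in check_samples().items():
        print(f"{'ACCEPT' if verdict else 'REJECT':6}  Host: {header}")
```

The allow-list plus literal-only parsing is the whole defence; a service that additionally wants to accept a machine-specific name must add it explicitly rather than consult DNS. Keeping the debug port bound to 127.0.0.1, as --inspect does by default, still matters because this check only stops attacks routed through a browser on the same host.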
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Web Scripting 12:
    zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2021-673=1

Package List:

- SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64):
    nodejs10-10.24.0-1.36.2
    nodejs10-debuginfo-10.24.0-1.36.2
    nodejs10-debugsource-10.24.0-1.36.2
    nodejs10-devel-10.24.0-1.36.2
    npm10-10.24.0-1.36.2
- SUSE Linux Enterprise Module for Web Scripting 12 (noarch):
    nodejs10-docs-10.24.0-1.36.2

References:

https://www.suse.com/security/cve/CVE-2021-22883.html
https://www.suse.com/security/cve/CVE-2021-22884.html
https://www.suse.com/security/cve/CVE-2021-23840.html
https://bugzilla.suse.com/1182333
https://bugzilla.suse.com/1182619
https://bugzilla.suse.com/1182620

From sle-security-updates at lists.suse.com Tue Mar 2 14:21:02 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 2 Mar 2021 15:21:02 +0100 (CET)
Subject: SUSE-SU-2021:0674-1: important: Security update for nodejs10
Message-ID: <20210302142102.7DF48FD14@maintenance.suse.de>

   SUSE Security Update: Security update for nodejs10
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0674-1
Rating:             important
References:         #1182333 #1182619 #1182620
Cross-References:   CVE-2021-22883 CVE-2021-22884 CVE-2021-23840
CVSS scores:
                    CVE-2021-22883 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-22884 (SUSE): 5.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
                    CVE-2021-23840 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-23840 (SUSE): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Web Scripting 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for nodejs10 fixes the following issues:

New upstream LTS version 10.24.0:

- CVE-2021-22883: too many HTTP/2 connections left in the 'unknownProtocol' state cause a denial of service by resource exhaustion (bsc#1182619)
- CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)
- CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate (bsc#1182333)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-674=1
- SUSE Manager Retail Branch Server 4.0:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-674=1
- SUSE Manager Proxy 4.0:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-674=1
- SUSE Linux Enterprise Server for SAP 15-SP1:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-674=1
- SUSE Linux Enterprise Server for SAP 15:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-674=1
- SUSE Linux Enterprise Server 15-SP1-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-674=1
- SUSE Linux Enterprise Server 15-SP1-BCL:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-674=1
- SUSE Linux Enterprise Server 15-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-2021-674=1
- SUSE Linux Enterprise Module for Web Scripting 15-SP2:
    zypper in -t patch
SUSE-SLE-Module-Web-Scripting-15-SP2-2021-674=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-674=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-674=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-674=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-674=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-674=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): nodejs10-10.24.0-1.33.2 nodejs10-debuginfo-10.24.0-1.33.2 nodejs10-debugsource-10.24.0-1.33.2 nodejs10-devel-10.24.0-1.33.2 npm10-10.24.0-1.33.2 - SUSE Manager Server 4.0 (noarch): nodejs10-docs-10.24.0-1.33.2 - SUSE Manager Retail Branch Server 4.0 (noarch): nodejs10-docs-10.24.0-1.33.2 - SUSE Manager Retail Branch Server 4.0 (x86_64): nodejs10-10.24.0-1.33.2 nodejs10-debuginfo-10.24.0-1.33.2 nodejs10-debugsource-10.24.0-1.33.2 nodejs10-devel-10.24.0-1.33.2 npm10-10.24.0-1.33.2 - SUSE Manager Proxy 4.0 (x86_64): nodejs10-10.24.0-1.33.2 nodejs10-debuginfo-10.24.0-1.33.2 nodejs10-debugsource-10.24.0-1.33.2 nodejs10-devel-10.24.0-1.33.2 npm10-10.24.0-1.33.2 - SUSE Manager Proxy 4.0 (noarch): nodejs10-docs-10.24.0-1.33.2 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): nodejs10-10.24.0-1.33.2 nodejs10-debuginfo-10.24.0-1.33.2 nodejs10-debugsource-10.24.0-1.33.2 nodejs10-devel-10.24.0-1.33.2 npm10-10.24.0-1.33.2 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): nodejs10-docs-10.24.0-1.33.2 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): nodejs10-10.24.0-1.33.2 
nodejs10-debuginfo-10.24.0-1.33.2 nodejs10-debugsource-10.24.0-1.33.2 nodejs10-devel-10.24.0-1.33.2 npm10-10.24.0-1.33.2 - SUSE Linux Enterprise Server for SAP 15 (noarch): nodejs10-docs-10.24.0-1.33.2 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): nodejs10-10.24.0-1.33.2 nodejs10-debuginfo-10.24.0-1.33.2 nodejs10-debugsource-10.24.0-1.33.2 nodejs10-devel-10.24.0-1.33.2 npm10-10.24.0-1.33.2 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): nodejs10-docs-10.24.0-1.33.2 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): nodejs10-docs-10.24.0-1.33.2 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): nodejs10-10.24.0-1.33.2 nodejs10-debuginfo-10.24.0-1.33.2 nodejs10-debugsource-10.24.0-1.33.2 nodejs10-devel-10.24.0-1.33.2 npm10-10.24.0-1.33.2 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): nodejs10-10.24.0-1.33.2 nodejs10-debuginfo-10.24.0-1.33.2 nodejs10-debugsource-10.24.0-1.33.2 nodejs10-devel-10.24.0-1.33.2 npm10-10.24.0-1.33.2 - SUSE Linux Enterprise Server 15-LTSS (noarch): nodejs10-docs-10.24.0-1.33.2 - SUSE Linux Enterprise Module for Web Scripting 15-SP2 (aarch64 ppc64le s390x x86_64): nodejs10-10.24.0-1.33.2 nodejs10-debuginfo-10.24.0-1.33.2 nodejs10-debugsource-10.24.0-1.33.2 nodejs10-devel-10.24.0-1.33.2 npm10-10.24.0-1.33.2 - SUSE Linux Enterprise Module for Web Scripting 15-SP2 (noarch): nodejs10-docs-10.24.0-1.33.2 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): nodejs10-10.24.0-1.33.2 nodejs10-debuginfo-10.24.0-1.33.2 nodejs10-debugsource-10.24.0-1.33.2 nodejs10-devel-10.24.0-1.33.2 npm10-10.24.0-1.33.2 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): nodejs10-docs-10.24.0-1.33.2 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): nodejs10-10.24.0-1.33.2 nodejs10-debuginfo-10.24.0-1.33.2 nodejs10-debugsource-10.24.0-1.33.2 nodejs10-devel-10.24.0-1.33.2 npm10-10.24.0-1.33.2 - SUSE Linux Enterprise High Performance Computing 
15-SP1-ESPOS (noarch):
    nodejs10-docs-10.24.0-1.33.2
- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
    nodejs10-10.24.0-1.33.2
    nodejs10-debuginfo-10.24.0-1.33.2
    nodejs10-debugsource-10.24.0-1.33.2
    nodejs10-devel-10.24.0-1.33.2
    npm10-10.24.0-1.33.2
- SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
    nodejs10-docs-10.24.0-1.33.2
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
    nodejs10-10.24.0-1.33.2
    nodejs10-debuginfo-10.24.0-1.33.2
    nodejs10-debugsource-10.24.0-1.33.2
    nodejs10-devel-10.24.0-1.33.2
    npm10-10.24.0-1.33.2
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
    nodejs10-docs-10.24.0-1.33.2
- SUSE Enterprise Storage 6 (aarch64 x86_64):
    nodejs10-10.24.0-1.33.2
    nodejs10-debuginfo-10.24.0-1.33.2
    nodejs10-debugsource-10.24.0-1.33.2
    nodejs10-devel-10.24.0-1.33.2
    npm10-10.24.0-1.33.2
- SUSE Enterprise Storage 6 (noarch):
    nodejs10-docs-10.24.0-1.33.2
- SUSE CaaS Platform 4.0 (noarch):
    nodejs10-docs-10.24.0-1.33.2
- SUSE CaaS Platform 4.0 (x86_64):
    nodejs10-10.24.0-1.33.2
    nodejs10-debuginfo-10.24.0-1.33.2
    nodejs10-debugsource-10.24.0-1.33.2
    nodejs10-devel-10.24.0-1.33.2
    npm10-10.24.0-1.33.2

References:

https://www.suse.com/security/cve/CVE-2021-22883.html
https://www.suse.com/security/cve/CVE-2021-22884.html
https://www.suse.com/security/cve/CVE-2021-23840.html
https://bugzilla.suse.com/1182333
https://bugzilla.suse.com/1182619
https://bugzilla.suse.com/1182620

From sle-security-updates at lists.suse.com Tue Mar 2 20:18:30 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 2 Mar 2021 21:18:30 +0100 (CET)
Subject: SUSE-SU-2021:0290-1: Test update for SLE-Micro
Message-ID: <20210302201830.14CF6FD17@maintenance.suse.de>

   SUSE Security Update: Test update for SLE-Micro
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0290-1
Rating:             low
References:
Affected Products:
                    SUSE MicroOS 5.0
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This is a test update for the SLE-Micro product.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.0:
    zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-290=1

Package List:

- SUSE MicroOS 5.0 (aarch64 x86_64):
    update-test-security-5.1-31.1
    update-test-trivial-5.1-31.1

References:

From sle-security-updates at lists.suse.com Tue Mar 2 23:16:44 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Mar 2021 00:16:44 +0100 (CET)
Subject: SUSE-SU-2021:0685-1: important: Security update for grub2
Message-ID: <20210302231644.6CF64FD14@maintenance.suse.de>

   SUSE Security Update: Security update for grub2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0685-1
Rating:             important
References:         #1175970 #1176711 #1177883 #1179264 #1179265 #1182057 #1182262 #1182263
Cross-References:   CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749 CVE-2020-27779 CVE-2021-20225 CVE-2021-20233
CVSS scores:
                    CVE-2020-14372 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-25632 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-25647 (SUSE): 7.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-27749 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-27779 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20225 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20233 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that solves 7 vulnerabilities and has one erratum is now available.

Description:

This update for grub2 fixes the following issues:

grub2 now implements the new "SBAT" method for SHIM based secure boot revocation. (bsc#1182057)

The following security issues, each of which could be used to violate secure boot constraints, are fixed:

- CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
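SBAT, which this grub2 update introduces, is shim's generation-number revocation scheme: every signed boot component carries a .sbat PE section holding CSV rows of the form component,generation,vendor,package,version,url, and shim keeps a list of minimum generations per component. A binary declaring a component whose generation is below the minimum is refused before any of its code runs, so one list entry revokes every pre-fix build of that component without adding hashes to UEFI dbx. The Python below is an added example, not SUSE's or shim's code: it parses both a section dump and a policy and applies that comparison. The SBAT rows and the two policies are constructed to look like a grub2 2.02 build and a shim revocation list; they are not copied from the shipped packages.

```python
from __future__ import annotations

import csv
from dataclasses import dataclass
from io import StringIO


@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    vendor: str = ""
    package: str = ""
    version: str = ""
    url: str = ""


def _rows(text: str):
    """Yield non-empty, stripped CSV rows; a .sbat section is NUL-padded in the PE file."""
    for row in csv.reader(StringIO(text.strip("\x00\r\n"))):
        if row and row[0].strip():
            yield [field.strip() for field in row]


def parse_sbat_section(text: str) -> list[SbatEntry]:
    """Parse the CSV carried in a binary's .sbat section.

    Rows are component,generation,vendor,package,version,url. SBAT.md requires
    the first row to be the 'sbat' entry that versions the format itself.
    """
    entries: list[SbatEntry] = []
    for row in _rows(text):
        if len(row) < 2:
            raise ValueError(f"malformed SBAT row: {row!r}")
        padded = row + [""] * (6 - len(row))
        entries.append(SbatEntry(padded[0], int(padded[1]), *padded[2:6]))
    if not entries or entries[0].component != "sbat":
        raise ValueError("SBAT section must start with the 'sbat' self-entry")
    return entries


def parse_sbat_policy(text: str) -> dict[str, int]:
    """Parse a revocation list (the data shim keeps in its SbatLevel variable):
    component,minimum_generation[,date]. A later row for the same component wins."""
    policy: dict[str, int] = {}
    for row in _rows(text):
        if len(row) < 2:
            raise ValueError(f"malformed policy row: {row!r}")
        policy[row[0]] = int(row[1])
    return policy


def sbat_verdict(entries: list[SbatEntry], policy: dict[str, int]) -> tuple[bool, list[str]]:
    """Apply shim's rule: refuse the binary if any component it declares is
    listed in the policy with a minimum generation above the one it carries.
    Components the binary does not declare are not checked, and the 'sbat'
    header row is compared like any other component."""
    reasons = [
        f"{e.component}: generation {e.generation} < required {policy[e.component]}"
        for e in entries
        if e.component in policy and e.generation < policy[e.component]
    ]
    return (not reasons), reasons


# Constructed sample data (not copied from the SUSE package or from shim):
# what a grub2 .sbat section and two revocation lists look like.
GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.02,https://www.gnu.org/software/grub/
grub.suse,1,SUSE,grub2,2.02-19.66.1,https://www.suse.com/
"""
POLICY_INITIAL = "sbat,1,2021030218\nshim,1\ngrub,1\n"          # nothing revoked yet
POLICY_REVOKING_GRUB1 = "sbat,1,2022052400\nshim,2\ngrub,2\n"   # every grub generation-1 build refused


def evaluate(sbat_text: str, policy_text: str) -> tuple[bool, list[str]]:
    """Parse a section dump and a policy; return (loadable, reasons)."""
    return sbat_verdict(parse_sbat_section(sbat_text), parse_sbat_policy(policy_text))


if __name__ == "__main__":
    for name, policy in (("initial", POLICY_INITIAL), ("revoking grub,1", POLICY_REVOKING_GRUB1)):
        ok, reasons = evaluate(GRUB_SBAT, policy)
        print(f"policy {name}: {'load' if ok else 'REFUSE'} {reasons}")
```

To check a real binary, dump the section first, for instance with objcopy -O binary --only-section=.sbat grubx64.efi sbat.csv, and feed the file content to parse_sbat_section(). The list actually enforced on a booted machine is the SbatLevel EFI variable that shim maintains; the constructed policies above stand in for it. Note that the vendor-specific row (grub.suse here) is what lets a distribution be revoked independently of upstream grub.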
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-685=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-685=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-685=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-685=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): grub2-2.02-19.66.1 grub2-debuginfo-2.02-19.66.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le): grub2-powerpc-ieee1275-2.02-19.66.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): grub2-snapper-plugin-2.02-19.66.1 grub2-systemd-sleep-plugin-2.02-19.66.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): grub2-debugsource-2.02-19.66.1 grub2-i386-pc-2.02-19.66.1 grub2-x86_64-efi-2.02-19.66.1 grub2-x86_64-xen-2.02-19.66.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): grub2-2.02-19.66.1 grub2-debuginfo-2.02-19.66.1 grub2-debugsource-2.02-19.66.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64): grub2-arm64-efi-2.02-19.66.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): grub2-snapper-plugin-2.02-19.66.1 grub2-systemd-sleep-plugin-2.02-19.66.1 - SUSE Linux Enterprise Server 15-LTSS (s390x): grub2-s390x-emu-2.02-19.66.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): grub2-2.02-19.66.1 grub2-debuginfo-2.02-19.66.1 grub2-debugsource-2.02-19.66.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64): grub2-arm64-efi-2.02-19.66.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): grub2-snapper-plugin-2.02-19.66.1 grub2-systemd-sleep-plugin-2.02-19.66.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): grub2-i386-pc-2.02-19.66.1 grub2-x86_64-efi-2.02-19.66.1 grub2-x86_64-xen-2.02-19.66.1 - SUSE Linux Enterprise High 
Performance Computing 15-ESPOS (aarch64 x86_64):
    grub2-2.02-19.66.1
    grub2-debuginfo-2.02-19.66.1
    grub2-debugsource-2.02-19.66.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64):
    grub2-arm64-efi-2.02-19.66.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):
    grub2-i386-pc-2.02-19.66.1
    grub2-x86_64-efi-2.02-19.66.1
    grub2-x86_64-xen-2.02-19.66.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
    grub2-snapper-plugin-2.02-19.66.1
    grub2-systemd-sleep-plugin-2.02-19.66.1

References:

https://www.suse.com/security/cve/CVE-2020-14372.html
https://www.suse.com/security/cve/CVE-2020-25632.html
https://www.suse.com/security/cve/CVE-2020-25647.html
https://www.suse.com/security/cve/CVE-2020-27749.html
https://www.suse.com/security/cve/CVE-2020-27779.html
https://www.suse.com/security/cve/CVE-2021-20225.html
https://www.suse.com/security/cve/CVE-2021-20233.html
https://bugzilla.suse.com/1175970
https://bugzilla.suse.com/1176711
https://bugzilla.suse.com/1177883
https://bugzilla.suse.com/1179264
https://bugzilla.suse.com/1179265
https://bugzilla.suse.com/1182057
https://bugzilla.suse.com/1182262
https://bugzilla.suse.com/1182263

From sle-security-updates at lists.suse.com Tue Mar 2 23:18:25 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Mar 2021 00:18:25 +0100 (CET)
Subject: SUSE-SU-2021:0686-1: moderate: Security update for nodejs8
Message-ID: <20210302231825.34BAEFD14@maintenance.suse.de>

   SUSE Security Update: Security update for nodejs8
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0686-1
Rating:             moderate
References:         #1182620
Cross-References:   CVE-2021-22884
CVSS scores:
                    CVE-2021-22884 (SUSE): 5.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for nodejs8 fixes the following issues:

- CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Web Scripting 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP2-2021-686=1

Package List:

- SUSE Linux Enterprise Module for Web Scripting 15-SP2 (aarch64 ppc64le s390x x86_64):
    nodejs8-8.17.0-10.9.2
    nodejs8-debuginfo-8.17.0-10.9.2
    nodejs8-debugsource-8.17.0-10.9.2
    nodejs8-devel-8.17.0-10.9.2
    npm8-8.17.0-10.9.2
- SUSE Linux Enterprise Module for Web Scripting 15-SP2 (noarch):
    nodejs8-docs-8.17.0-10.9.2

References:

https://www.suse.com/security/cve/CVE-2021-22884.html
https://bugzilla.suse.com/1182620

From sle-security-updates at lists.suse.com Tue Mar 2 23:19:25 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Mar 2021 00:19:25 +0100 (CET)
Subject: SUSE-SU-2021:0687-1: moderate: Security update for gnome-autoar
Message-ID: <20210302231925.D157FFD14@maintenance.suse.de>

   SUSE Security Update: Security update for gnome-autoar
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0687-1
Rating:             moderate
References:         #1181930
Cross-References:   CVE-2020-36241
CVSS scores:
                    CVE-2020-36241 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-36241 (SUSE): 3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.
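The gnome-autoar fix announced in SUSE-SU-2021:0687-1 (CVE-2020-36241, described in this advisory) is the standard defence against archive path traversal: the destination path of every entry is resolved before anything is written, and entries whose resolved path, or whose symlink target, leaves the destination directory are skipped rather than extracted. The Python below is an added example, not gnome-autoar's code or SUSE's: it builds a constructed tar archive that mixes benign entries with a `..` name, an absolute name, a symlink pointing out of the tree and a file written through that link, then extracts only the entries that stay inside the destination. All archive contents and file names are constructed for the example.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile
from pathlib import Path


def _inside(root: Path, cand: Path) -> bool:
    """True if cand, after following any symlinks that already exist on disk
    (Path.resolve), still lies under root."""
    try:
        cand.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def safe_extract(tar: tarfile.TarFile, dest: Path) -> tuple[list[str], list[str]]:
    """Extract only the members that stay inside dest; return (extracted, skipped).

    Checks, in order: the member's own path (catches "../x" and "/etc/x";
    note that Path(dest) / "/etc/x" is simply "/etc/x"), then, for symlinks,
    the link target relative to the link's directory. Regular files are
    written with a plain open(), so no mode bits, owner or device node from
    the archive are ever honoured. The check-then-write sequence is not
    atomic: extract untrusted archives into a fresh directory nobody else
    can write to.
    """
    dest = dest.resolve()
    extracted: list[str] = []
    skipped: list[str] = []
    for member in tar.getmembers():
        target = dest / member.name
        if not _inside(dest, target):
            skipped.append(member.name)
            continue
        if member.issym():
            if not _inside(dest, target.parent / member.linkname):
                skipped.append(member.name)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            os.symlink(member.linkname, target)
        elif member.isdir():
            target.mkdir(parents=True, exist_ok=True)
        elif member.isfile():
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
        else:  # hard links, device nodes, fifos: never wanted from an archive
            skipped.append(member.name)
            continue
        extracted.append(member.name)
    return extracted, skipped


def build_hostile_tar() -> bytes:
    """Constructed sample archive: benign entries mixed with traversal attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_symlink(name: str, linkname: str) -> None:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tar.addfile(info)

        add_file("docs/readme.txt", b"benign")
        add_file("../outside.txt", b"traversal via ..")
        add_file("/etc/cron.d/evil", b"absolute path")
        add_symlink("internal", "docs")            # legitimate link inside the tree
        add_file("internal/via_link.txt", b"ok")   # resolves to docs/via_link.txt
        add_symlink("escape", "../../")            # link pointing out of the tree: skipped
        add_file("escape/payload", b"harmless")    # with the link skipped, lands in a new dest/escape/
    return buf.getvalue()


def demo() -> dict:
    """Extract the constructed archive into a fresh temp dir and report the outcome."""
    work = Path(tempfile.mkdtemp(prefix="autoar-demo-"))
    dest = work / "out"
    dest.mkdir()
    with tarfile.open(fileobj=io.BytesIO(build_hostile_tar()), mode="r") as tar:
        extracted, skipped = safe_extract(tar, dest)
    return {
        "extracted": extracted,
        "skipped": skipped,
        "via_link_resolved": (dest / "docs" / "via_link.txt").read_text(),
        "nothing_outside": not (work / "outside.txt").exists(),
    }


if __name__ == "__main__":
    print(demo())
```

The symlink cases are the ones naive checks miss: a lexical test on the entry name accepts "escape/payload", and only resolving the path through links that have already been created shows where the bytes would really land. Python 3.12 and later ship the same rules as tarfile's "data" extraction filter (PEP 706); the hand-written version above makes the individual decisions visible.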
Description:

This update for gnome-autoar fixes the following issues:

- CVE-2020-36241: archive entries that would be extracted outside of the destination directory are now skipped, preventing directory traversal (bsc#1181930).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-687=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
    gnome-autoar-debuginfo-0.2.3-3.3.1
    gnome-autoar-debugsource-0.2.3-3.3.1
    gnome-autoar-devel-0.2.3-3.3.1
    libgnome-autoar-0-0-0.2.3-3.3.1
    libgnome-autoar-0-0-debuginfo-0.2.3-3.3.1
    libgnome-autoar-gtk-0-0-0.2.3-3.3.1
    libgnome-autoar-gtk-0-0-debuginfo-0.2.3-3.3.1
    typelib-1_0-GnomeAutoar-0_1-0.2.3-3.3.1
    typelib-1_0-GnomeAutoarGtk-0_1-0.2.3-3.3.1

References:

https://www.suse.com/security/cve/CVE-2020-36241.html
https://bugzilla.suse.com/1181930

From sle-security-updates at lists.suse.com Tue Mar 2 23:21:38 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Mar 2021 00:21:38 +0100 (CET)
Subject: SUSE-SU-2021:0689-1: important: Security update for bind
Message-ID: <20210302232138.29FEAFD14@maintenance.suse.de>

   SUSE Security Update: Security update for bind
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0689-1
Rating:             important
References:         #1180933
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for bind fixes the following issues:

- dnssec-keygen can no longer generate HMAC (TSIG) keys. Use tsig-keygen instead. [bsc#1180933]

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-689=1
- SUSE Manager Retail Branch Server 4.0:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-689=1
- SUSE Manager Proxy 4.0:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-689=1
- SUSE Linux Enterprise Server for SAP 15-SP1:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-689=1
- SUSE Linux Enterprise Server for SAP 15:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-689=1
- SUSE Linux Enterprise Server 15-SP1-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-689=1
- SUSE Linux Enterprise Server 15-SP1-BCL:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-689=1
- SUSE Linux Enterprise Server 15-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-2021-689=1
- SUSE Linux Enterprise Module for Server Applications 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-689=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-689=1
- SUSE Linux Enterprise High Performance
Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-689=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-689=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-689=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-689=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-689=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): bind-9.16.6-12.44.1 bind-chrootenv-9.16.6-12.44.1 bind-debuginfo-9.16.6-12.44.1 bind-debugsource-9.16.6-12.44.1 bind-devel-9.16.6-12.44.1 bind-utils-9.16.6-12.44.1 bind-utils-debuginfo-9.16.6-12.44.1 libbind9-1600-9.16.6-12.44.1 libbind9-1600-debuginfo-9.16.6-12.44.1 libdns1605-9.16.6-12.44.1 libdns1605-debuginfo-9.16.6-12.44.1 libirs-devel-9.16.6-12.44.1 libirs1601-9.16.6-12.44.1 libirs1601-debuginfo-9.16.6-12.44.1 libisc1606-9.16.6-12.44.1 libisc1606-debuginfo-9.16.6-12.44.1 libisccc1600-9.16.6-12.44.1 libisccc1600-debuginfo-9.16.6-12.44.1 libisccfg1600-9.16.6-12.44.1 libisccfg1600-debuginfo-9.16.6-12.44.1 libns1604-9.16.6-12.44.1 libns1604-debuginfo-9.16.6-12.44.1 - SUSE Manager Server 4.0 (noarch): bind-doc-9.16.6-12.44.1 python3-bind-9.16.6-12.44.1 - SUSE Manager Retail Branch Server 4.0 (noarch): bind-doc-9.16.6-12.44.1 python3-bind-9.16.6-12.44.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): bind-9.16.6-12.44.1 bind-chrootenv-9.16.6-12.44.1 bind-debuginfo-9.16.6-12.44.1 bind-debugsource-9.16.6-12.44.1 bind-devel-9.16.6-12.44.1 bind-utils-9.16.6-12.44.1 bind-utils-debuginfo-9.16.6-12.44.1 libbind9-1600-9.16.6-12.44.1 libbind9-1600-debuginfo-9.16.6-12.44.1 
libdns1605-9.16.6-12.44.1 libdns1605-debuginfo-9.16.6-12.44.1 libirs-devel-9.16.6-12.44.1 libirs1601-9.16.6-12.44.1 libirs1601-debuginfo-9.16.6-12.44.1 libisc1606-9.16.6-12.44.1 libisc1606-debuginfo-9.16.6-12.44.1 libisccc1600-9.16.6-12.44.1 libisccc1600-debuginfo-9.16.6-12.44.1 libisccfg1600-9.16.6-12.44.1 libisccfg1600-debuginfo-9.16.6-12.44.1 libns1604-9.16.6-12.44.1 libns1604-debuginfo-9.16.6-12.44.1 - SUSE Manager Proxy 4.0 (noarch): bind-doc-9.16.6-12.44.1 python3-bind-9.16.6-12.44.1 - SUSE Manager Proxy 4.0 (x86_64): bind-9.16.6-12.44.1 bind-chrootenv-9.16.6-12.44.1 bind-debuginfo-9.16.6-12.44.1 bind-debugsource-9.16.6-12.44.1 bind-devel-9.16.6-12.44.1 bind-utils-9.16.6-12.44.1 bind-utils-debuginfo-9.16.6-12.44.1 libbind9-1600-9.16.6-12.44.1 libbind9-1600-debuginfo-9.16.6-12.44.1 libdns1605-9.16.6-12.44.1 libdns1605-debuginfo-9.16.6-12.44.1 libirs-devel-9.16.6-12.44.1 libirs1601-9.16.6-12.44.1 libirs1601-debuginfo-9.16.6-12.44.1 libisc1606-9.16.6-12.44.1 libisc1606-debuginfo-9.16.6-12.44.1 libisccc1600-9.16.6-12.44.1 libisccc1600-debuginfo-9.16.6-12.44.1 libisccfg1600-9.16.6-12.44.1 libisccfg1600-debuginfo-9.16.6-12.44.1 libns1604-9.16.6-12.44.1 libns1604-debuginfo-9.16.6-12.44.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): bind-9.16.6-12.44.1 bind-chrootenv-9.16.6-12.44.1 bind-debuginfo-9.16.6-12.44.1 bind-debugsource-9.16.6-12.44.1 bind-devel-9.16.6-12.44.1 bind-utils-9.16.6-12.44.1 bind-utils-debuginfo-9.16.6-12.44.1 libbind9-1600-9.16.6-12.44.1 libbind9-1600-debuginfo-9.16.6-12.44.1 libdns1605-9.16.6-12.44.1 libdns1605-debuginfo-9.16.6-12.44.1 libirs-devel-9.16.6-12.44.1 libirs1601-9.16.6-12.44.1 libirs1601-debuginfo-9.16.6-12.44.1 libisc1606-9.16.6-12.44.1 libisc1606-debuginfo-9.16.6-12.44.1 libisccc1600-9.16.6-12.44.1 libisccc1600-debuginfo-9.16.6-12.44.1 libisccfg1600-9.16.6-12.44.1 libisccfg1600-debuginfo-9.16.6-12.44.1 libns1604-9.16.6-12.44.1 libns1604-debuginfo-9.16.6-12.44.1 - SUSE Linux Enterprise Server for SAP 15-SP1 
(noarch): bind-doc-9.16.6-12.44.1 python3-bind-9.16.6-12.44.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): bind-9.16.6-12.44.1 bind-chrootenv-9.16.6-12.44.1 bind-debuginfo-9.16.6-12.44.1 bind-debugsource-9.16.6-12.44.1 bind-devel-9.16.6-12.44.1 bind-utils-9.16.6-12.44.1 bind-utils-debuginfo-9.16.6-12.44.1 libbind9-1600-9.16.6-12.44.1 libbind9-1600-debuginfo-9.16.6-12.44.1 libdns1605-9.16.6-12.44.1 libdns1605-debuginfo-9.16.6-12.44.1 libirs-devel-9.16.6-12.44.1 libirs1601-9.16.6-12.44.1 libirs1601-debuginfo-9.16.6-12.44.1 libisc1606-9.16.6-12.44.1 libisc1606-debuginfo-9.16.6-12.44.1 libisccc1600-9.16.6-12.44.1 libisccc1600-debuginfo-9.16.6-12.44.1 libisccfg1600-9.16.6-12.44.1 libisccfg1600-debuginfo-9.16.6-12.44.1 libns1604-9.16.6-12.44.1 libns1604-debuginfo-9.16.6-12.44.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): bind-doc-9.16.6-12.44.1 python3-bind-9.16.6-12.44.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): bind-9.16.6-12.44.1 bind-chrootenv-9.16.6-12.44.1 bind-debuginfo-9.16.6-12.44.1 bind-debugsource-9.16.6-12.44.1 bind-devel-9.16.6-12.44.1 bind-utils-9.16.6-12.44.1 bind-utils-debuginfo-9.16.6-12.44.1 libbind9-1600-9.16.6-12.44.1 libbind9-1600-debuginfo-9.16.6-12.44.1 libdns1605-9.16.6-12.44.1 libdns1605-debuginfo-9.16.6-12.44.1 libirs-devel-9.16.6-12.44.1 libirs1601-9.16.6-12.44.1 libirs1601-debuginfo-9.16.6-12.44.1 libisc1606-9.16.6-12.44.1 libisc1606-debuginfo-9.16.6-12.44.1 libisccc1600-9.16.6-12.44.1 libisccc1600-debuginfo-9.16.6-12.44.1 libisccfg1600-9.16.6-12.44.1 libisccfg1600-debuginfo-9.16.6-12.44.1 libns1604-9.16.6-12.44.1 libns1604-debuginfo-9.16.6-12.44.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): bind-doc-9.16.6-12.44.1 python3-bind-9.16.6-12.44.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): bind-doc-9.16.6-12.44.1 python3-bind-9.16.6-12.44.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): bind-9.16.6-12.44.1 bind-chrootenv-9.16.6-12.44.1 bind-debuginfo-9.16.6-12.44.1 
bind-debugsource-9.16.6-12.44.1 bind-devel-9.16.6-12.44.1 bind-utils-9.16.6-12.44.1 bind-utils-debuginfo-9.16.6-12.44.1 libbind9-1600-9.16.6-12.44.1 libbind9-1600-debuginfo-9.16.6-12.44.1 libdns1605-9.16.6-12.44.1 libdns1605-debuginfo-9.16.6-12.44.1 libirs-devel-9.16.6-12.44.1 libirs1601-9.16.6-12.44.1 libirs1601-debuginfo-9.16.6-12.44.1 libisc1606-9.16.6-12.44.1 libisc1606-debuginfo-9.16.6-12.44.1 libisccc1600-9.16.6-12.44.1 libisccc1600-debuginfo-9.16.6-12.44.1 libisccfg1600-9.16.6-12.44.1 libisccfg1600-debuginfo-9.16.6-12.44.1 libns1604-9.16.6-12.44.1 libns1604-debuginfo-9.16.6-12.44.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): bind-9.16.6-12.44.1 bind-chrootenv-9.16.6-12.44.1 bind-debuginfo-9.16.6-12.44.1 bind-debugsource-9.16.6-12.44.1 bind-devel-9.16.6-12.44.1 bind-utils-9.16.6-12.44.1 bind-utils-debuginfo-9.16.6-12.44.1 libbind9-1600-9.16.6-12.44.1 libbind9-1600-debuginfo-9.16.6-12.44.1 libdns1605-9.16.6-12.44.1 libdns1605-debuginfo-9.16.6-12.44.1 libirs-devel-9.16.6-12.44.1 libirs1601-9.16.6-12.44.1 libirs1601-debuginfo-9.16.6-12.44.1 libisc1606-9.16.6-12.44.1 libisc1606-debuginfo-9.16.6-12.44.1 libisccc1600-9.16.6-12.44.1 libisccc1600-debuginfo-9.16.6-12.44.1 libisccfg1600-9.16.6-12.44.1 libisccfg1600-debuginfo-9.16.6-12.44.1 libns1604-9.16.6-12.44.1 libns1604-debuginfo-9.16.6-12.44.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): bind-doc-9.16.6-12.44.1 python3-bind-9.16.6-12.44.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): bind-9.16.6-12.44.1 bind-chrootenv-9.16.6-12.44.1 bind-debuginfo-9.16.6-12.44.1 bind-debugsource-9.16.6-12.44.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch): bind-doc-9.16.6-12.44.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): bind-debuginfo-9.16.6-12.44.1 bind-debugsource-9.16.6-12.44.1 bind-devel-9.16.6-12.44.1 bind-utils-9.16.6-12.44.1 bind-utils-debuginfo-9.16.6-12.44.1 libbind9-1600-9.16.6-12.44.1 
libbind9-1600-debuginfo-9.16.6-12.44.1 libdns1605-9.16.6-12.44.1 libdns1605-debuginfo-9.16.6-12.44.1 libirs-devel-9.16.6-12.44.1 libirs1601-9.16.6-12.44.1 libirs1601-debuginfo-9.16.6-12.44.1 libisc1606-9.16.6-12.44.1 libisc1606-debuginfo-9.16.6-12.44.1 libisccc1600-9.16.6-12.44.1 libisccc1600-debuginfo-9.16.6-12.44.1 libisccfg1600-9.16.6-12.44.1 libisccfg1600-debuginfo-9.16.6-12.44.1 libns1604-9.16.6-12.44.1 libns1604-debuginfo-9.16.6-12.44.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): python3-bind-9.16.6-12.44.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): bind-9.16.6-12.44.1 bind-chrootenv-9.16.6-12.44.1 bind-debuginfo-9.16.6-12.44.1 bind-debugsource-9.16.6-12.44.1 bind-devel-9.16.6-12.44.1 bind-utils-9.16.6-12.44.1 bind-utils-debuginfo-9.16.6-12.44.1 libbind9-1600-9.16.6-12.44.1 libbind9-1600-debuginfo-9.16.6-12.44.1 libdns1605-9.16.6-12.44.1 libdns1605-debuginfo-9.16.6-12.44.1 libirs-devel-9.16.6-12.44.1 libirs1601-9.16.6-12.44.1 libirs1601-debuginfo-9.16.6-12.44.1 libisc1606-9.16.6-12.44.1 libisc1606-debuginfo-9.16.6-12.44.1 libisccc1600-9.16.6-12.44.1 libisccc1600-debuginfo-9.16.6-12.44.1 libisccfg1600-9.16.6-12.44.1 libisccfg1600-debuginfo-9.16.6-12.44.1 libns1604-9.16.6-12.44.1 libns1604-debuginfo-9.16.6-12.44.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): bind-doc-9.16.6-12.44.1 python3-bind-9.16.6-12.44.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): bind-9.16.6-12.44.1 bind-chrootenv-9.16.6-12.44.1 bind-debuginfo-9.16.6-12.44.1 bind-debugsource-9.16.6-12.44.1 bind-devel-9.16.6-12.44.1 bind-utils-9.16.6-12.44.1 bind-utils-debuginfo-9.16.6-12.44.1 libbind9-1600-9.16.6-12.44.1 libbind9-1600-debuginfo-9.16.6-12.44.1 libdns1605-9.16.6-12.44.1 libdns1605-debuginfo-9.16.6-12.44.1 libirs-devel-9.16.6-12.44.1 libirs1601-9.16.6-12.44.1 libirs1601-debuginfo-9.16.6-12.44.1 libisc1606-9.16.6-12.44.1 libisc1606-debuginfo-9.16.6-12.44.1 
libisccc1600-9.16.6-12.44.1 libisccc1600-debuginfo-9.16.6-12.44.1 libisccfg1600-9.16.6-12.44.1 libisccfg1600-debuginfo-9.16.6-12.44.1 libns1604-9.16.6-12.44.1 libns1604-debuginfo-9.16.6-12.44.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): bind-doc-9.16.6-12.44.1 python3-bind-9.16.6-12.44.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): bind-9.16.6-12.44.1 bind-chrootenv-9.16.6-12.44.1 bind-debuginfo-9.16.6-12.44.1 bind-debugsource-9.16.6-12.44.1 bind-devel-9.16.6-12.44.1 bind-utils-9.16.6-12.44.1 bind-utils-debuginfo-9.16.6-12.44.1 libbind9-1600-9.16.6-12.44.1 libbind9-1600-debuginfo-9.16.6-12.44.1 libdns1605-9.16.6-12.44.1 libdns1605-debuginfo-9.16.6-12.44.1 libirs-devel-9.16.6-12.44.1 libirs1601-9.16.6-12.44.1 libirs1601-debuginfo-9.16.6-12.44.1 libisc1606-9.16.6-12.44.1 libisc1606-debuginfo-9.16.6-12.44.1 libisccc1600-9.16.6-12.44.1 libisccc1600-debuginfo-9.16.6-12.44.1 libisccfg1600-9.16.6-12.44.1 libisccfg1600-debuginfo-9.16.6-12.44.1 libns1604-9.16.6-12.44.1 libns1604-debuginfo-9.16.6-12.44.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): bind-doc-9.16.6-12.44.1 python3-bind-9.16.6-12.44.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): bind-9.16.6-12.44.1 bind-chrootenv-9.16.6-12.44.1 bind-debuginfo-9.16.6-12.44.1 bind-debugsource-9.16.6-12.44.1 bind-devel-9.16.6-12.44.1 bind-utils-9.16.6-12.44.1 bind-utils-debuginfo-9.16.6-12.44.1 libbind9-1600-9.16.6-12.44.1 libbind9-1600-debuginfo-9.16.6-12.44.1 libdns1605-9.16.6-12.44.1 libdns1605-debuginfo-9.16.6-12.44.1 libirs-devel-9.16.6-12.44.1 libirs1601-9.16.6-12.44.1 libirs1601-debuginfo-9.16.6-12.44.1 libisc1606-9.16.6-12.44.1 libisc1606-debuginfo-9.16.6-12.44.1 libisccc1600-9.16.6-12.44.1 libisccc1600-debuginfo-9.16.6-12.44.1 libisccfg1600-9.16.6-12.44.1 libisccfg1600-debuginfo-9.16.6-12.44.1 libns1604-9.16.6-12.44.1 libns1604-debuginfo-9.16.6-12.44.1 - SUSE Linux Enterprise High Performance Computing 
15-ESPOS (noarch): bind-doc-9.16.6-12.44.1 python3-bind-9.16.6-12.44.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): bind-9.16.6-12.44.1 bind-chrootenv-9.16.6-12.44.1 bind-debuginfo-9.16.6-12.44.1 bind-debugsource-9.16.6-12.44.1 bind-devel-9.16.6-12.44.1 bind-utils-9.16.6-12.44.1 bind-utils-debuginfo-9.16.6-12.44.1 libbind9-1600-9.16.6-12.44.1 libbind9-1600-debuginfo-9.16.6-12.44.1 libdns1605-9.16.6-12.44.1 libdns1605-debuginfo-9.16.6-12.44.1 libirs-devel-9.16.6-12.44.1 libirs1601-9.16.6-12.44.1 libirs1601-debuginfo-9.16.6-12.44.1 libisc1606-9.16.6-12.44.1 libisc1606-debuginfo-9.16.6-12.44.1 libisccc1600-9.16.6-12.44.1 libisccc1600-debuginfo-9.16.6-12.44.1 libisccfg1600-9.16.6-12.44.1 libisccfg1600-debuginfo-9.16.6-12.44.1 libns1604-9.16.6-12.44.1 libns1604-debuginfo-9.16.6-12.44.1 - SUSE Enterprise Storage 6 (noarch): bind-doc-9.16.6-12.44.1 python3-bind-9.16.6-12.44.1 - SUSE CaaS Platform 4.0 (noarch): bind-doc-9.16.6-12.44.1 python3-bind-9.16.6-12.44.1 - SUSE CaaS Platform 4.0 (x86_64): bind-9.16.6-12.44.1 bind-chrootenv-9.16.6-12.44.1 bind-debuginfo-9.16.6-12.44.1 bind-debugsource-9.16.6-12.44.1 bind-devel-9.16.6-12.44.1 bind-utils-9.16.6-12.44.1 bind-utils-debuginfo-9.16.6-12.44.1 libbind9-1600-9.16.6-12.44.1 libbind9-1600-debuginfo-9.16.6-12.44.1 libdns1605-9.16.6-12.44.1 libdns1605-debuginfo-9.16.6-12.44.1 libirs-devel-9.16.6-12.44.1 libirs1601-9.16.6-12.44.1 libirs1601-debuginfo-9.16.6-12.44.1 libisc1606-9.16.6-12.44.1 libisc1606-debuginfo-9.16.6-12.44.1 libisccc1600-9.16.6-12.44.1 libisccc1600-debuginfo-9.16.6-12.44.1 libisccfg1600-9.16.6-12.44.1 libisccfg1600-debuginfo-9.16.6-12.44.1 libns1604-9.16.6-12.44.1 libns1604-debuginfo-9.16.6-12.44.1 References: https://bugzilla.suse.com/1180933 From sle-security-updates at lists.suse.com Tue Mar 2 23:22:52 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 3 Mar 2021 00:22:52 +0100 (CET) Subject: SUSE-SU-2021:0681-1: important: Security update for grub2 
Message-ID: <20210302232252.AC6ADFD14@maintenance.suse.de>

SUSE Security Update: Security update for grub2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0681-1
Rating:             important
References:         #1175970 #1176711 #1177883 #1179264 #1179265 #1182057
                    #1182262 #1182263
Cross-References:   CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749
                    CVE-2020-27779 CVE-2021-20225 CVE-2021-20233
CVSS scores:
                    CVE-2020-14372 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-25632 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-25647 (SUSE): 7.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-27749 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-27779 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20225 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20233 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
______________________________________________________________________________

   An update that solves 7 vulnerabilities and has one errata is now available.

Description:

   This update for grub2 fixes the following issues:

   grub2 now implements the new "SBAT" method for SHIM based secure boot
   revocation. (bsc#1182057)

   The following security issues, each of which could be used to violate
   secure boot constraints, are fixed:

   - CVE-2020-25632: Fixed a use-after-free in the rmmod command (bsc#1176711)
   - CVE-2020-25647: Fixed an out-of-bounds write in grub_usb_device_initialize()
     (bsc#1177883)
   - CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline
     (bsc#1179264)
   - CVE-2020-27779, CVE-2020-14372: Disallow the cutmem and acpi commands in
     secure boot mode (bsc#1179265 bsc#1175970)
   - CVE-2021-20225: Fixed a heap out-of-bounds write in the short form option
     parser (bsc#1182262)
   - CVE-2021-20233: Fixed a heap out-of-bounds write due to miscalculation of
     the space required for quoting (bsc#1182263)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-681=1
   - SUSE OpenStack Cloud 9:
      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-681=1
   - SUSE Linux Enterprise Server for SAP 12-SP4:
      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-681=1
   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-681=1
   - SUSE Linux Enterprise Server 12-SP4-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-681=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (noarch):
      grub2-snapper-plugin-2.02-12.47.1
      grub2-systemd-sleep-plugin-2.02-12.47.1
      grub2-x86_64-xen-2.02-12.47.1
   - SUSE OpenStack Cloud Crowbar 9 (x86_64):
      grub2-2.02-12.47.1
      grub2-debuginfo-2.02-12.47.1
      grub2-debugsource-2.02-12.47.1
      grub2-i386-pc-2.02-12.47.1
      grub2-x86_64-efi-2.02-12.47.1
   - SUSE OpenStack Cloud 9 (x86_64):
      grub2-2.02-12.47.1
      grub2-debuginfo-2.02-12.47.1
      grub2-debugsource-2.02-12.47.1
      grub2-i386-pc-2.02-12.47.1
      grub2-x86_64-efi-2.02-12.47.1
   - SUSE OpenStack Cloud 9 (noarch):
      grub2-snapper-plugin-2.02-12.47.1
      grub2-systemd-sleep-plugin-2.02-12.47.1
      grub2-x86_64-xen-2.02-12.47.1
   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
      grub2-2.02-12.47.1
      grub2-debuginfo-2.02-12.47.1
   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le):
      grub2-powerpc-ieee1275-2.02-12.47.1
   - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):
      grub2-debugsource-2.02-12.47.1
      grub2-i386-pc-2.02-12.47.1
      grub2-x86_64-efi-2.02-12.47.1
   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):
      grub2-snapper-plugin-2.02-12.47.1
      grub2-systemd-sleep-plugin-2.02-12.47.1
      grub2-x86_64-xen-2.02-12.47.1
   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      grub2-2.02-12.47.1
      grub2-debuginfo-2.02-12.47.1
   - SUSE Linux Enterprise Server 12-SP5 (aarch64 s390x x86_64):
      grub2-debugsource-2.02-12.47.1
   - SUSE Linux Enterprise Server 12-SP5 (ppc64le):
      grub2-powerpc-ieee1275-2.02-12.47.1
   - SUSE Linux Enterprise Server 12-SP5 (aarch64):
      grub2-arm64-efi-2.02-12.47.1
   - SUSE Linux Enterprise Server 12-SP5 (x86_64):
      grub2-i386-pc-2.02-12.47.1
      grub2-x86_64-efi-2.02-12.47.1
   - SUSE Linux Enterprise Server 12-SP5 (noarch):
      grub2-snapper-plugin-2.02-12.47.1
      grub2-systemd-sleep-plugin-2.02-12.47.1
      grub2-x86_64-xen-2.02-12.47.1
   - SUSE Linux Enterprise Server 12-SP5 (s390x):
      grub2-s390x-emu-2.02-12.47.1
   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
      grub2-2.02-12.47.1
      grub2-debuginfo-2.02-12.47.1
   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 s390x x86_64):
      grub2-debugsource-2.02-12.47.1
   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64):
      grub2-arm64-efi-2.02-12.47.1
   - SUSE Linux Enterprise Server 12-SP4-LTSS (ppc64le):
      grub2-powerpc-ieee1275-2.02-12.47.1
   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):
      grub2-snapper-plugin-2.02-12.47.1
      grub2-systemd-sleep-plugin-2.02-12.47.1
      grub2-x86_64-xen-2.02-12.47.1
   - SUSE Linux Enterprise Server 12-SP4-LTSS (x86_64):
      grub2-i386-pc-2.02-12.47.1
      grub2-x86_64-efi-2.02-12.47.1
   - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x):
      grub2-s390x-emu-2.02-12.47.1

References:

   https://www.suse.com/security/cve/CVE-2020-14372.html
   https://www.suse.com/security/cve/CVE-2020-25632.html
   https://www.suse.com/security/cve/CVE-2020-25647.html
   https://www.suse.com/security/cve/CVE-2020-27749.html
   https://www.suse.com/security/cve/CVE-2020-27779.html
   https://www.suse.com/security/cve/CVE-2021-20225.html
   https://www.suse.com/security/cve/CVE-2021-20233.html
   https://bugzilla.suse.com/1175970
   https://bugzilla.suse.com/1176711
   https://bugzilla.suse.com/1177883
   https://bugzilla.suse.com/1179264
   https://bugzilla.suse.com/1179265
   https://bugzilla.suse.com/1182057
   https://bugzilla.suse.com/1182262
   https://bugzilla.suse.com/1182263


From sle-security-updates at lists.suse.com Tue Mar 2 23:24:44 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Mar 2021 00:24:44 +0100 (CET)
Subject: SUSE-SU-2021:0683-1: important: Security update for grub2
Message-ID: <20210302232444.24CCDFD14@maintenance.suse.de>

SUSE Security Update: Security update for grub2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0683-1
Rating:             important
References:         #1175970 #1176711 #1177883 #1179264 #1179265 #1182057
                    #1182262 #1182263
Cross-References:   CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749
                    CVE-2020-27779 CVE-2021-20225 CVE-2021-20233
CVSS scores:
                    CVE-2020-14372 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-25632 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-25647 (SUSE): 7.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-27749 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-27779 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20225 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20233 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that solves 7 vulnerabilities and has one errata is now available.

Description:

   This update for grub2 fixes the following issues:

   grub2 implements the new "SBAT" method for SHIM based secure boot
   revocation. (bsc#1182057)

   - CVE-2020-25632: Fixed a use-after-free in the rmmod command (bsc#1176711)
   - CVE-2020-25647: Fixed an out-of-bounds write in grub_usb_device_initialize()
     (bsc#1177883)
   - CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline
     (bsc#1179264)
   - CVE-2020-27779, CVE-2020-14372: Disallow the cutmem and acpi commands in
     secure boot mode (bsc#1179265 bsc#1175970)
   - CVE-2021-20225: Fixed a heap out-of-bounds write in the short form option
     parser (bsc#1182262)
   - CVE-2021-20233: Fixed a heap out-of-bounds write due to miscalculation of
     the space required for quoting (bsc#1182263)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-683=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-683=1

Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch):
      grub2-x86_64-xen-2.04-9.34.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
      grub2-2.04-9.34.1
      grub2-debuginfo-2.04-9.34.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 s390x x86_64):
      grub2-debugsource-2.04-9.34.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
      grub2-arm64-efi-2.04-9.34.1
      grub2-i386-pc-2.04-9.34.1
      grub2-powerpc-ieee1275-2.04-9.34.1
      grub2-snapper-plugin-2.04-9.34.1
      grub2-systemd-sleep-plugin-2.04-9.34.1
      grub2-x86_64-efi-2.04-9.34.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (s390x):
      grub2-s390x-emu-2.04-9.34.1

References:

   https://www.suse.com/security/cve/CVE-2020-14372.html
   https://www.suse.com/security/cve/CVE-2020-25632.html
   https://www.suse.com/security/cve/CVE-2020-25647.html
   https://www.suse.com/security/cve/CVE-2020-27749.html
   https://www.suse.com/security/cve/CVE-2020-27779.html
   https://www.suse.com/security/cve/CVE-2021-20225.html
   https://www.suse.com/security/cve/CVE-2021-20233.html
   https://bugzilla.suse.com/1175970
   https://bugzilla.suse.com/1176711
   https://bugzilla.suse.com/1177883
   https://bugzilla.suse.com/1179264
   https://bugzilla.suse.com/1179265
   https://bugzilla.suse.com/1182057
   https://bugzilla.suse.com/1182262
   https://bugzilla.suse.com/1182263


From sle-security-updates at lists.suse.com Tue Mar 2 23:27:48 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Mar 2021 00:27:48 +0100 (CET)
Subject: SUSE-SU-2021:0682-1: important: Security update for grub2
Message-ID: <20210302232748.82B9CFD14@maintenance.suse.de>
SUSE Security Update: Security update for grub2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0682-1
Rating:             important
References:         #1175970 #1176711 #1177883 #1179264 #1179265 #1182057
                    #1182262 #1182263
Cross-References:   CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749
                    CVE-2020-27779 CVE-2021-20225 CVE-2021-20233
CVSS scores:
                    CVE-2020-14372 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-25632 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-25647 (SUSE): 7.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-27749 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-27779 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20225 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20233 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that solves 7 vulnerabilities and has one errata is now available.

Description:

   This update for grub2 fixes the following issues:

   grub2 now implements the new "SBAT" method for SHIM based secure boot
   revocation. (bsc#1182057)

   The following security issues, each of which could be used to violate
   secure boot constraints, are fixed:

   - CVE-2020-25632: Fixed a use-after-free in the rmmod command (bsc#1176711)
   - CVE-2020-25647: Fixed an out-of-bounds write in grub_usb_device_initialize()
     (bsc#1177883)
   - CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline
     (bsc#1179264)
   - CVE-2020-27779, CVE-2020-14372: Disallow the cutmem and acpi commands in
     secure boot mode (bsc#1179265 bsc#1175970)
   - CVE-2021-20225: Fixed a heap out-of-bounds write in the short form option
     parser (bsc#1182262)
   - CVE-2021-20233: Fixed a heap out-of-bounds write due to miscalculation of
     the space required for quoting (bsc#1182263)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-682=1
   - SUSE OpenStack Cloud 8:
      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-682=1
   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-682=1
   - SUSE Linux Enterprise Server 12-SP3-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-682=1
   - SUSE Linux Enterprise Server 12-SP3-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-682=1
   - HPE Helion Openstack 8:
      zypper in -t patch HPE-Helion-OpenStack-8-2021-682=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):
      grub2-2.02-4.69.1
      grub2-debuginfo-2.02-4.69.1
      grub2-debugsource-2.02-4.69.1
      grub2-i386-pc-2.02-4.69.1
      grub2-x86_64-efi-2.02-4.69.1
      grub2-x86_64-xen-2.02-4.69.1
   - SUSE OpenStack Cloud Crowbar 8 (noarch):
      grub2-snapper-plugin-2.02-4.69.1
      grub2-systemd-sleep-plugin-2.02-4.69.1
   - SUSE OpenStack Cloud 8 (x86_64):
      grub2-2.02-4.69.1
      grub2-debuginfo-2.02-4.69.1
      grub2-debugsource-2.02-4.69.1
      grub2-i386-pc-2.02-4.69.1
      grub2-x86_64-efi-2.02-4.69.1
      grub2-x86_64-xen-2.02-4.69.1
   - SUSE OpenStack Cloud 8 (noarch):
      grub2-snapper-plugin-2.02-4.69.1
      grub2-systemd-sleep-plugin-2.02-4.69.1
   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      grub2-2.02-4.69.1
      grub2-debuginfo-2.02-4.69.1
   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le):
      grub2-powerpc-ieee1275-2.02-4.69.1
   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
      grub2-snapper-plugin-2.02-4.69.1
      grub2-systemd-sleep-plugin-2.02-4.69.1
   - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):
      grub2-debugsource-2.02-4.69.1
      grub2-i386-pc-2.02-4.69.1
      grub2-x86_64-efi-2.02-4.69.1
      grub2-x86_64-xen-2.02-4.69.1
   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
      grub2-2.02-4.69.1
      grub2-debuginfo-2.02-4.69.1
   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 s390x x86_64):
      grub2-debugsource-2.02-4.69.1
   - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le):
      grub2-powerpc-ieee1275-2.02-4.69.1
   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64):
      grub2-arm64-efi-2.02-4.69.1
   - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64):
      grub2-i386-pc-2.02-4.69.1
      grub2-x86_64-efi-2.02-4.69.1
      grub2-x86_64-xen-2.02-4.69.1
   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
      grub2-snapper-plugin-2.02-4.69.1
      grub2-systemd-sleep-plugin-2.02-4.69.1
   - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x):
      grub2-s390x-emu-2.02-4.69.1
   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
      grub2-snapper-plugin-2.02-4.69.1
      grub2-systemd-sleep-plugin-2.02-4.69.1
   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
      grub2-2.02-4.69.1
      grub2-debuginfo-2.02-4.69.1
      grub2-debugsource-2.02-4.69.1
      grub2-i386-pc-2.02-4.69.1
      grub2-x86_64-efi-2.02-4.69.1
      grub2-x86_64-xen-2.02-4.69.1
   - HPE Helion Openstack 8 (x86_64):
      grub2-2.02-4.69.1
      grub2-debuginfo-2.02-4.69.1
      grub2-debugsource-2.02-4.69.1
      grub2-i386-pc-2.02-4.69.1
      grub2-x86_64-efi-2.02-4.69.1
      grub2-x86_64-xen-2.02-4.69.1
   - HPE Helion Openstack 8 (noarch):
      grub2-snapper-plugin-2.02-4.69.1
      grub2-systemd-sleep-plugin-2.02-4.69.1

References:

   https://www.suse.com/security/cve/CVE-2020-14372.html
   https://www.suse.com/security/cve/CVE-2020-25632.html
   https://www.suse.com/security/cve/CVE-2020-25647.html
   https://www.suse.com/security/cve/CVE-2020-27749.html
   https://www.suse.com/security/cve/CVE-2020-27779.html
   https://www.suse.com/security/cve/CVE-2021-20225.html
   https://www.suse.com/security/cve/CVE-2021-20233.html
   https://bugzilla.suse.com/1175970
   https://bugzilla.suse.com/1176711
   https://bugzilla.suse.com/1177883
   https://bugzilla.suse.com/1179264
   https://bugzilla.suse.com/1179265
   https://bugzilla.suse.com/1182057
   https://bugzilla.suse.com/1182262
   https://bugzilla.suse.com/1182263


From sle-security-updates at lists.suse.com Tue Mar 2 23:29:41 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Mar 2021 00:29:41 +0100 (CET)
Subject: SUSE-SU-2021:0679-1: important: Security update for grub2
Message-ID: <20210302232941.E1C53FD14@maintenance.suse.de>

SUSE Security Update: Security update for grub2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0679-1
Rating:             important
References:         #1175970 #1176711 #1177883 #1179264 #1179265 #1182057
                    #1182262 #1182263
Cross-References:   CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749
                    CVE-2020-27779 CVE-2021-20225 CVE-2021-20233
CVSS scores:
                    CVE-2020-14372 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-25632 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-25647 (SUSE): 7.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-27749 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-27779 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20225 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20233 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

   An update that solves 7 vulnerabilities and has one errata is now available.

Description:

   This update for grub2 fixes the following issues:

   grub2 now implements the new "SBAT" method for SHIM based secure boot
   revocation. (bsc#1182057)

   The following security issues, each of which could be used to violate
   secure boot constraints, are fixed:

   - CVE-2020-25632: Fixed a use-after-free in the rmmod command (bsc#1176711)
   - CVE-2020-25647: Fixed an out-of-bounds write in grub_usb_device_initialize()
     (bsc#1177883)
   - CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline
     (bsc#1179264)
   - CVE-2020-27779, CVE-2020-14372: Disallow the cutmem and acpi commands in
     secure boot mode (bsc#1179265 bsc#1175970)
   - CVE-2021-20225: Fixed a heap out-of-bounds write in the short form option
     parser (bsc#1182262)
   - CVE-2021-20233: Fixed a heap out-of-bounds write due to miscalculation of
     the space required for quoting (bsc#1182263)

   grub2 was bumped to version 2.02, the same version as in SUSE Linux
   Enterprise 12 SP3.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:
      zypper in -t patch SUSE-OpenStack-Cloud-7-2021-679=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-679=1
   - SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-679=1
   - SUSE Linux Enterprise Server 12-SP2-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-679=1

Package List:

   - SUSE OpenStack Cloud 7 (s390x x86_64):
      grub2-2.02-115.59.1
      grub2-debuginfo-2.02-115.59.1
      grub2-debugsource-2.02-115.59.1
   - SUSE OpenStack Cloud 7 (noarch):
      grub2-snapper-plugin-2.02-115.59.1
      grub2-systemd-sleep-plugin-2.02-115.59.1
   - SUSE OpenStack Cloud 7 (x86_64):
      grub2-i386-pc-2.02-115.59.1
      grub2-x86_64-efi-2.02-115.59.1
      grub2-x86_64-xen-2.02-115.59.1
   - SUSE OpenStack Cloud 7 (s390x):
      grub2-s390x-emu-2.02-115.59.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      grub2-2.02-115.59.1
      grub2-debuginfo-2.02-115.59.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le):
      grub2-powerpc-ieee1275-2.02-115.59.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):
      grub2-debugsource-2.02-115.59.1
      grub2-i386-pc-2.02-115.59.1
      grub2-x86_64-efi-2.02-115.59.1
      grub2-x86_64-xen-2.02-115.59.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
      grub2-snapper-plugin-2.02-115.59.1
      grub2-systemd-sleep-plugin-2.02-115.59.1
   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
      grub2-2.02-115.59.1
      grub2-debuginfo-2.02-115.59.1
   - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):
      grub2-debugsource-2.02-115.59.1
   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le):
      grub2-powerpc-ieee1275-2.02-115.59.1
   - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64):
      grub2-i386-pc-2.02-115.59.1
      grub2-x86_64-efi-2.02-115.59.1
      grub2-x86_64-xen-2.02-115.59.1
   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
      grub2-snapper-plugin-2.02-115.59.1
      grub2-systemd-sleep-plugin-2.02-115.59.1
   - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x):
      grub2-s390x-emu-2.02-115.59.1
   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
      grub2-snapper-plugin-2.02-115.59.1
      grub2-systemd-sleep-plugin-2.02-115.59.1
   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
      grub2-2.02-115.59.1
      grub2-debuginfo-2.02-115.59.1
      grub2-debugsource-2.02-115.59.1
      grub2-i386-pc-2.02-115.59.1
      grub2-x86_64-efi-2.02-115.59.1
      grub2-x86_64-xen-2.02-115.59.1

References:

   https://www.suse.com/security/cve/CVE-2020-14372.html
   https://www.suse.com/security/cve/CVE-2020-25632.html
   https://www.suse.com/security/cve/CVE-2020-25647.html
   https://www.suse.com/security/cve/CVE-2020-27749.html
   https://www.suse.com/security/cve/CVE-2020-27779.html
   https://www.suse.com/security/cve/CVE-2021-20225.html
   https://www.suse.com/security/cve/CVE-2021-20233.html
   https://bugzilla.suse.com/1175970
   https://bugzilla.suse.com/1176711
   https://bugzilla.suse.com/1177883
   https://bugzilla.suse.com/1179264
   https://bugzilla.suse.com/1179265
   https://bugzilla.suse.com/1182057
   https://bugzilla.suse.com/1182262
   https://bugzilla.suse.com/1182263


From sle-security-updates at lists.suse.com Tue Mar 2 23:31:27 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Mar 2021 00:31:27 +0100 (CET)
Subject: SUSE-SU-2021:14659-1: important: Security update for grub2
Message-ID: <20210302233127.A2D90FD14@maintenance.suse.de>

SUSE Security Update: Security update for grub2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14659-1
Rating:             important
References:         #1175970 #1176711 #1177883 #1179264 #1179265 #1182057
                    #1182262 #1182263
Cross-References:   CVE-2017-9763 CVE-2020-14372 CVE-2020-25632 CVE-2020-25647
                    CVE-2020-27749 CVE-2020-27779 CVE-2021-20225 CVE-2021-20233
CVSS scores:
                    CVE-2017-9763 (NVD) : 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2017-9763 (SUSE): 4.1 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-14372 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-25632 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-25647 (SUSE): 7.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-27749 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-27779 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20225 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20233 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 8 vulnerabilities is now available.

Description:

   This update for grub2 fixes the following issues:

   grub2 now implements the new "SBAT" method for SHIM based secure boot
   revocation. (bsc#1182057)

   grub2 was updated to the 2.02 version (the same as in SUSE Linux Enterprise
   12 SP3).

   The following security issues, each of which could be used to violate
   secure boot constraints, are fixed:

   - CVE-2020-25632: Fixed a use-after-free in the rmmod command (bsc#1176711)
   - CVE-2020-25647: Fixed an out-of-bounds write in grub_usb_device_initialize()
     (bsc#1177883)
   - CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline
     (bsc#1179264)
   - CVE-2020-27779, CVE-2020-14372: Disallow the cutmem and acpi commands in
     secure boot mode (bsc#1179265 bsc#1175970)
   - CVE-2021-20225: Fixed a heap out-of-bounds write in the short form option
     parser (bsc#1182262)
   - CVE-2021-20233: Fixed a heap out-of-bounds write due to miscalculation of
     the space required for quoting (bsc#1182263)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-grub2-14659=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-grub2-14659=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64): grub2-x86_64-efi-2.02-0.66.26.1 grub2-x86_64-xen-2.02-0.66.26.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64): grub2-debuginfo-2.02-0.66.26.1 grub2-debugsource-2.02-0.66.26.1 References: https://www.suse.com/security/cve/CVE-2017-9763.html https://www.suse.com/security/cve/CVE-2020-14372.html https://www.suse.com/security/cve/CVE-2020-25632.html https://www.suse.com/security/cve/CVE-2020-25647.html https://www.suse.com/security/cve/CVE-2020-27749.html https://www.suse.com/security/cve/CVE-2020-27779.html https://www.suse.com/security/cve/CVE-2021-20225.html https://www.suse.com/security/cve/CVE-2021-20233.html https://bugzilla.suse.com/1175970 https://bugzilla.suse.com/1176711 https://bugzilla.suse.com/1177883 https://bugzilla.suse.com/1179264 https://bugzilla.suse.com/1179265 https://bugzilla.suse.com/1182057 https://bugzilla.suse.com/1182262 https://bugzilla.suse.com/1182263 From sle-security-updates at lists.suse.com Tue Mar 2 23:33:14 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 3 Mar 2021 00:33:14 +0100 (CET) Subject: SUSE-SU-2021:0684-1: important: Security update for grub2 Message-ID: <20210302233314.0FE72FD14@maintenance.suse.de> SUSE Security Update: Security update for grub2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0684-1 Rating: important References: #1175970 #1176711 #1177883 #1179264 #1179265 #1182057 #1182262 #1182263 Cross-References: CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749 CVE-2020-27779 CVE-2021-20225 CVE-2021-20233 CVSS scores: CVE-2020-14372 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 
                    CVE-2020-25632 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-25647 (SUSE): 7.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-27749 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-27779 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20225 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-20233 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that solves 7 vulnerabilities and has one errata is now available.

Description:

   This update for grub2 fixes the following issues:

   grub2 now implements the new "SBAT" method for SHIM based secure boot
   revocation. (bsc#1182057)

   The following security issues are fixed that can violate secure boot
   constraints:

   - CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
   - CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize()
     (bsc#1177883)
   - CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline
     (bsc#1179264)
   - CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure
     boot mode (bsc#1179265 bsc#1175970)
   - CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser
     (bsc#1182262)
   - CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of
     space required for quoting (bsc#1182263)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-684=1

   - SUSE Manager Retail Branch Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-684=1

   - SUSE Manager Proxy 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-684=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-684=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-684=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-684=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-684=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-684=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-684=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
      inform you if it detects new updates and let you then trigger updating of
      the complete cluster in a controlled way.

Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):

      grub2-2.02-26.43.1
      grub2-debuginfo-2.02-26.43.1

   - SUSE Manager Server 4.0 (s390x x86_64):

      grub2-debugsource-2.02-26.43.1

   - SUSE Manager Server 4.0 (noarch):

      grub2-i386-pc-2.02-26.43.1
      grub2-powerpc-ieee1275-2.02-26.43.1
      grub2-snapper-plugin-2.02-26.43.1
      grub2-systemd-sleep-plugin-2.02-26.43.1
      grub2-x86_64-efi-2.02-26.43.1
      grub2-x86_64-xen-2.02-26.43.1

   - SUSE Manager Server 4.0 (s390x):

      grub2-s390x-emu-2.02-26.43.1

   - SUSE Manager Retail Branch Server 4.0 (noarch):

      grub2-i386-pc-2.02-26.43.1
      grub2-snapper-plugin-2.02-26.43.1
      grub2-systemd-sleep-plugin-2.02-26.43.1
      grub2-x86_64-efi-2.02-26.43.1
      grub2-x86_64-xen-2.02-26.43.1

   - SUSE Manager Retail Branch Server 4.0 (x86_64):

      grub2-2.02-26.43.1
      grub2-debuginfo-2.02-26.43.1
      grub2-debugsource-2.02-26.43.1

   - SUSE Manager Proxy 4.0 (x86_64):

      grub2-2.02-26.43.1
      grub2-debuginfo-2.02-26.43.1
      grub2-debugsource-2.02-26.43.1

   - SUSE Manager Proxy 4.0 (noarch):

      grub2-i386-pc-2.02-26.43.1
      grub2-snapper-plugin-2.02-26.43.1
      grub2-systemd-sleep-plugin-2.02-26.43.1
      grub2-x86_64-efi-2.02-26.43.1
      grub2-x86_64-xen-2.02-26.43.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

      grub2-2.02-26.43.1
      grub2-debuginfo-2.02-26.43.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):

      grub2-debugsource-2.02-26.43.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):

      grub2-i386-pc-2.02-26.43.1
      grub2-powerpc-ieee1275-2.02-26.43.1
      grub2-snapper-plugin-2.02-26.43.1
      grub2-systemd-sleep-plugin-2.02-26.43.1
      grub2-x86_64-efi-2.02-26.43.1
      grub2-x86_64-xen-2.02-26.43.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

      grub2-2.02-26.43.1
      grub2-debuginfo-2.02-26.43.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 s390x x86_64):

      grub2-debugsource-2.02-26.43.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):

      grub2-arm64-efi-2.02-26.43.1
      grub2-i386-pc-2.02-26.43.1
      grub2-powerpc-ieee1275-2.02-26.43.1
      grub2-snapper-plugin-2.02-26.43.1
      grub2-systemd-sleep-plugin-2.02-26.43.1
      grub2-x86_64-efi-2.02-26.43.1
      grub2-x86_64-xen-2.02-26.43.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (s390x):

      grub2-s390x-emu-2.02-26.43.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

      grub2-2.02-26.43.1
      grub2-debuginfo-2.02-26.43.1
      grub2-debugsource-2.02-26.43.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (noarch):

      grub2-i386-pc-2.02-26.43.1
      grub2-snapper-plugin-2.02-26.43.1
      grub2-systemd-sleep-plugin-2.02-26.43.1
      grub2-x86_64-efi-2.02-26.43.1
      grub2-x86_64-xen-2.02-26.43.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):

      grub2-2.02-26.43.1
      grub2-debuginfo-2.02-26.43.1
      grub2-debugsource-2.02-26.43.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):

      grub2-arm64-efi-2.02-26.43.1
      grub2-i386-pc-2.02-26.43.1
      grub2-snapper-plugin-2.02-26.43.1
      grub2-systemd-sleep-plugin-2.02-26.43.1
      grub2-x86_64-efi-2.02-26.43.1
      grub2-x86_64-xen-2.02-26.43.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):

      grub2-2.02-26.43.1
      grub2-debuginfo-2.02-26.43.1
      grub2-debugsource-2.02-26.43.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):

      grub2-arm64-efi-2.02-26.43.1
      grub2-i386-pc-2.02-26.43.1
      grub2-snapper-plugin-2.02-26.43.1
      grub2-systemd-sleep-plugin-2.02-26.43.1
      grub2-x86_64-efi-2.02-26.43.1
      grub2-x86_64-xen-2.02-26.43.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      grub2-2.02-26.43.1
      grub2-debuginfo-2.02-26.43.1
      grub2-debugsource-2.02-26.43.1

   - SUSE Enterprise Storage 6 (noarch):

      grub2-arm64-efi-2.02-26.43.1
      grub2-i386-pc-2.02-26.43.1
      grub2-snapper-plugin-2.02-26.43.1
      grub2-systemd-sleep-plugin-2.02-26.43.1
      grub2-x86_64-efi-2.02-26.43.1
      grub2-x86_64-xen-2.02-26.43.1

   - SUSE CaaS Platform 4.0 (x86_64):

      grub2-2.02-26.43.1
      grub2-debuginfo-2.02-26.43.1
      grub2-debugsource-2.02-26.43.1

   - SUSE CaaS Platform 4.0 (noarch):

      grub2-i386-pc-2.02-26.43.1
      grub2-snapper-plugin-2.02-26.43.1
      grub2-systemd-sleep-plugin-2.02-26.43.1
      grub2-x86_64-efi-2.02-26.43.1
      grub2-x86_64-xen-2.02-26.43.1

References:

   https://www.suse.com/security/cve/CVE-2020-14372.html
   https://www.suse.com/security/cve/CVE-2020-25632.html
   https://www.suse.com/security/cve/CVE-2020-25647.html
   https://www.suse.com/security/cve/CVE-2020-27749.html
   https://www.suse.com/security/cve/CVE-2020-27779.html
   https://www.suse.com/security/cve/CVE-2021-20225.html
   https://www.suse.com/security/cve/CVE-2021-20233.html
   https://bugzilla.suse.com/1175970
   https://bugzilla.suse.com/1176711
   https://bugzilla.suse.com/1177883
   https://bugzilla.suse.com/1179264
   https://bugzilla.suse.com/1179265
   https://bugzilla.suse.com/1182057
   https://bugzilla.suse.com/1182262
   https://bugzilla.suse.com/1182263

From sle-security-updates at lists.suse.com  Wed Mar  3 20:18:35 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Mar 2021 21:18:35 +0100 (CET)
Subject: SUSE-SU-2021:0693-1: important: Security update for openldap2
Message-ID: <20210303201835.EDF21FD14@maintenance.suse.de>

   SUSE Security Update: Security update for openldap2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0693-1
Rating:             important
References:         #1182279 #1182408 #1182411 #1182412 #1182413 #1182415
                    #1182416 #1182417 #1182418 #1182419 #1182420
Cross-References:   CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224
                    CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228
                    CVE-2020-36229 CVE-2020-36230 CVE-2021-27212
CVSS scores:
                    CVE-2020-36221 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36221 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36222 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36222 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36223 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36223 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36224 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36224 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36225 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36225 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36226 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36226 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36227 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36227 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36228 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36228 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36229 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36229 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36230 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36230 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-27212 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-27212 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available.
Description:

   This update for openldap2 fixes the following issues:

   - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN
     parsing in decode.c ber_next_element, resulting in denial of service.
   - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in
     ad_keystring, resulting in denial of service.
   - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the
     Certificate List Exact Assertion processing, resulting in denial of service.
   - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop
     Cancel operation, resulting in denial of service.
   - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo
     processing, resulting in denial of service.
   - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the
     saslAuthzTo processing, resulting in denial of service.
   - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in
     the saslAuthzTo processing, resulting in denial of service.
   - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo
     validation, resulting in denial of service.
   - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion
     processing, resulting in denial of service (schema_init.c
     serialNumberAndIssuerCheck).
   - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control
     handling, resulting in denial of service (double free and out-of-bounds read).
   - bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the
     issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial
     of service (daemon exit) via a short timestamp. This is related to
     schema_init.c and checkTime.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-693=1

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-693=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-693=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-693=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2021-693=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-693=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-693=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-693=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-693=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-693=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-693=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-693=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-693=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-693=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-693=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2021-693=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      openldap2-doc-2.4.41-18.83.1

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      libldap-2_4-2-2.4.41-18.83.1
      libldap-2_4-2-32bit-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.83.1
      openldap2-2.4.41-18.83.1
      openldap2-back-meta-2.4.41-18.83.1
      openldap2-back-meta-debuginfo-2.4.41-18.83.1
      openldap2-client-2.4.41-18.83.1
      openldap2-client-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1
      openldap2-ppolicy-check-password-1.2-18.83.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.83.1

   - SUSE OpenStack Cloud Crowbar 8 (noarch):

      openldap2-doc-2.4.41-18.83.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      libldap-2_4-2-2.4.41-18.83.1
      libldap-2_4-2-32bit-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.83.1
      openldap2-2.4.41-18.83.1
      openldap2-back-meta-2.4.41-18.83.1
      openldap2-back-meta-debuginfo-2.4.41-18.83.1
      openldap2-client-2.4.41-18.83.1
      openldap2-client-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1
      openldap2-ppolicy-check-password-1.2-18.83.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.83.1

   - SUSE OpenStack Cloud 9 (noarch):

      openldap2-doc-2.4.41-18.83.1

   - SUSE OpenStack Cloud 9 (x86_64):

      libldap-2_4-2-2.4.41-18.83.1
      libldap-2_4-2-32bit-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.83.1
      openldap2-2.4.41-18.83.1
      openldap2-back-meta-2.4.41-18.83.1
      openldap2-back-meta-debuginfo-2.4.41-18.83.1
      openldap2-client-2.4.41-18.83.1
      openldap2-client-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1
      openldap2-ppolicy-check-password-1.2-18.83.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.83.1

   - SUSE OpenStack Cloud 8 (x86_64):

      libldap-2_4-2-2.4.41-18.83.1
      libldap-2_4-2-32bit-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.83.1
      openldap2-2.4.41-18.83.1
      openldap2-back-meta-2.4.41-18.83.1
      openldap2-back-meta-debuginfo-2.4.41-18.83.1
      openldap2-client-2.4.41-18.83.1
      openldap2-client-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1
      openldap2-ppolicy-check-password-1.2-18.83.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.83.1

   - SUSE OpenStack Cloud 8 (noarch):

      openldap2-doc-2.4.41-18.83.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      libldap-2_4-2-2.4.41-18.83.1
      libldap-2_4-2-32bit-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.83.1
      openldap2-2.4.41-18.83.1
      openldap2-back-meta-2.4.41-18.83.1
      openldap2-back-meta-debuginfo-2.4.41-18.83.1
      openldap2-client-2.4.41-18.83.1
      openldap2-client-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1
      openldap2-ppolicy-check-password-1.2-18.83.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.83.1

   - SUSE OpenStack Cloud 7 (noarch):

      openldap2-doc-2.4.41-18.83.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      openldap2-back-perl-2.4.41-18.83.1
      openldap2-back-perl-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1
      openldap2-devel-2.4.41-18.83.1
      openldap2-devel-static-2.4.41-18.83.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      libldap-2_4-2-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-2.4.41-18.83.1
      openldap2-2.4.41-18.83.1
      openldap2-back-meta-2.4.41-18.83.1
      openldap2-back-meta-debuginfo-2.4.41-18.83.1
      openldap2-client-2.4.41-18.83.1
      openldap2-client-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1
      openldap2-ppolicy-check-password-1.2-18.83.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.83.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

      libldap-2_4-2-32bit-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.83.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):

      openldap2-doc-2.4.41-18.83.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      libldap-2_4-2-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-2.4.41-18.83.1
      openldap2-2.4.41-18.83.1
      openldap2-back-meta-2.4.41-18.83.1
      openldap2-back-meta-debuginfo-2.4.41-18.83.1
      openldap2-client-2.4.41-18.83.1
      openldap2-client-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1
      openldap2-ppolicy-check-password-1.2-18.83.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.83.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

      openldap2-doc-2.4.41-18.83.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):

      libldap-2_4-2-32bit-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.83.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      libldap-2_4-2-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-2.4.41-18.83.1
      openldap2-2.4.41-18.83.1
      openldap2-back-meta-2.4.41-18.83.1
      openldap2-back-meta-debuginfo-2.4.41-18.83.1
      openldap2-client-2.4.41-18.83.1
      openldap2-client-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1
      openldap2-ppolicy-check-password-1.2-18.83.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.83.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

      openldap2-doc-2.4.41-18.83.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):

      libldap-2_4-2-32bit-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.83.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libldap-2_4-2-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-2.4.41-18.83.1
      openldap2-2.4.41-18.83.1
      openldap2-back-meta-2.4.41-18.83.1
      openldap2-back-meta-debuginfo-2.4.41-18.83.1
      openldap2-client-2.4.41-18.83.1
      openldap2-client-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1
      openldap2-ppolicy-check-password-1.2-18.83.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.83.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libldap-2_4-2-32bit-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.83.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      openldap2-doc-2.4.41-18.83.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      libldap-2_4-2-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-2.4.41-18.83.1
      openldap2-2.4.41-18.83.1
      openldap2-back-meta-2.4.41-18.83.1
      openldap2-back-meta-debuginfo-2.4.41-18.83.1
      openldap2-client-2.4.41-18.83.1
      openldap2-client-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1
      openldap2-ppolicy-check-password-1.2-18.83.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.83.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):

      libldap-2_4-2-32bit-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.83.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):

      openldap2-doc-2.4.41-18.83.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      libldap-2_4-2-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-2.4.41-18.83.1
      openldap2-2.4.41-18.83.1
      openldap2-back-meta-2.4.41-18.83.1
      openldap2-back-meta-debuginfo-2.4.41-18.83.1
      openldap2-client-2.4.41-18.83.1
      openldap2-client-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1
      openldap2-ppolicy-check-password-1.2-18.83.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.83.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):

      libldap-2_4-2-32bit-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.83.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

      openldap2-doc-2.4.41-18.83.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):

      openldap2-doc-2.4.41-18.83.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      libldap-2_4-2-2.4.41-18.83.1
      libldap-2_4-2-32bit-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.83.1
      openldap2-2.4.41-18.83.1
      openldap2-back-meta-2.4.41-18.83.1
      openldap2-back-meta-debuginfo-2.4.41-18.83.1
      openldap2-client-2.4.41-18.83.1
      openldap2-client-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1
      openldap2-ppolicy-check-password-1.2-18.83.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.83.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      libldap-2_4-2-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-2.4.41-18.83.1
      openldap2-2.4.41-18.83.1
      openldap2-back-meta-2.4.41-18.83.1
      openldap2-back-meta-debuginfo-2.4.41-18.83.1
      openldap2-client-2.4.41-18.83.1
      openldap2-client-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1
      openldap2-ppolicy-check-password-1.2-18.83.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.83.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):

      libldap-2_4-2-32bit-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.83.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

      openldap2-doc-2.4.41-18.83.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      openldap2-doc-2.4.41-18.83.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      libldap-2_4-2-2.4.41-18.83.1
      libldap-2_4-2-32bit-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.83.1
      openldap2-2.4.41-18.83.1
      openldap2-back-meta-2.4.41-18.83.1
      openldap2-back-meta-debuginfo-2.4.41-18.83.1
      openldap2-client-2.4.41-18.83.1
      openldap2-client-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1

   - HPE Helion Openstack 8 (noarch):

      openldap2-doc-2.4.41-18.83.1

   - HPE Helion Openstack 8 (x86_64):

      libldap-2_4-2-2.4.41-18.83.1
      libldap-2_4-2-32bit-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-2.4.41-18.83.1
      libldap-2_4-2-debuginfo-32bit-2.4.41-18.83.1
      openldap2-2.4.41-18.83.1
      openldap2-back-meta-2.4.41-18.83.1
      openldap2-back-meta-debuginfo-2.4.41-18.83.1
      openldap2-client-2.4.41-18.83.1
      openldap2-client-debuginfo-2.4.41-18.83.1
      openldap2-debuginfo-2.4.41-18.83.1
      openldap2-debugsource-2.4.41-18.83.1
      openldap2-ppolicy-check-password-1.2-18.83.1
      openldap2-ppolicy-check-password-debuginfo-1.2-18.83.1

References:

   https://www.suse.com/security/cve/CVE-2020-36221.html
   https://www.suse.com/security/cve/CVE-2020-36222.html
   https://www.suse.com/security/cve/CVE-2020-36223.html
   https://www.suse.com/security/cve/CVE-2020-36224.html
   https://www.suse.com/security/cve/CVE-2020-36225.html
   https://www.suse.com/security/cve/CVE-2020-36226.html
   https://www.suse.com/security/cve/CVE-2020-36227.html
   https://www.suse.com/security/cve/CVE-2020-36228.html
   https://www.suse.com/security/cve/CVE-2020-36229.html
   https://www.suse.com/security/cve/CVE-2020-36230.html
   https://www.suse.com/security/cve/CVE-2021-27212.html
   https://bugzilla.suse.com/1182279
   https://bugzilla.suse.com/1182408
   https://bugzilla.suse.com/1182411
   https://bugzilla.suse.com/1182412
   https://bugzilla.suse.com/1182413
   https://bugzilla.suse.com/1182415
   https://bugzilla.suse.com/1182416
   https://bugzilla.suse.com/1182417
   https://bugzilla.suse.com/1182418
   https://bugzilla.suse.com/1182419
   https://bugzilla.suse.com/1182420

From sle-security-updates at lists.suse.com Wed Mar 3 20:20:48 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Mar 2021 21:20:48 +0100 (CET)
Subject: SUSE-SU-2021:0696-1: important: Security update for python-cryptography
Message-ID: <20210303202048.96060FD14@maintenance.suse.de>

SUSE Security Update: Security update for python-cryptography
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0696-1
Rating:             important
References:         #1182066
Cross-References:   CVE-2020-36242
CVSS scores:
                    CVE-2020-36242 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
                    CVE-2020-36242 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python-cryptography fixes the following issues:

   - CVE-2020-36242: Using the Fernet class to symmetrically encrypt
     multi-gigabyte values could result in an integer overflow and buffer
     overflow (bsc#1182066).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-696=1
   - SUSE Manager Retail Branch Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-696=1
   - SUSE Manager Proxy 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-696=1
   - SUSE Linux Enterprise Server for SAP 15-SP1:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-696=1
   - SUSE Linux Enterprise Server for SAP 15:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-696=1
   - SUSE Linux Enterprise Server 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-696=1
   - SUSE Linux Enterprise Server 15-SP1-BCL:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-696=1
   - SUSE Linux Enterprise Server 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-696=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-696=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-696=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-696=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-696=1
   - SUSE Enterprise Storage 6:
      zypper in -t patch SUSE-Storage-6-2021-696=1
   - SUSE CaaS Platform 4.0:
      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
      inform you if it detects new updates and let you then trigger updating of
      the complete cluster in a controlled way.

Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):
      python-cryptography-debuginfo-2.1.4-4.9.2
      python-cryptography-debugsource-2.1.4-4.9.2
      python2-cryptography-2.1.4-4.9.2
      python2-cryptography-debuginfo-2.1.4-4.9.2
      python3-cryptography-2.1.4-4.9.2
      python3-cryptography-debuginfo-2.1.4-4.9.2

   - SUSE Manager Retail Branch Server 4.0 (x86_64):
      python-cryptography-debuginfo-2.1.4-4.9.2
      python-cryptography-debugsource-2.1.4-4.9.2
      python2-cryptography-2.1.4-4.9.2
      python2-cryptography-debuginfo-2.1.4-4.9.2
      python3-cryptography-2.1.4-4.9.2
      python3-cryptography-debuginfo-2.1.4-4.9.2

   - SUSE Manager Proxy 4.0 (x86_64):
      python-cryptography-debuginfo-2.1.4-4.9.2
      python-cryptography-debugsource-2.1.4-4.9.2
      python2-cryptography-2.1.4-4.9.2
      python2-cryptography-debuginfo-2.1.4-4.9.2
      python3-cryptography-2.1.4-4.9.2
      python3-cryptography-debuginfo-2.1.4-4.9.2

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
      python-cryptography-debuginfo-2.1.4-4.9.2
      python-cryptography-debugsource-2.1.4-4.9.2
      python2-cryptography-2.1.4-4.9.2
      python2-cryptography-debuginfo-2.1.4-4.9.2
      python3-cryptography-2.1.4-4.9.2
      python3-cryptography-debuginfo-2.1.4-4.9.2

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
      python-cryptography-debuginfo-2.1.4-4.9.2
      python-cryptography-debugsource-2.1.4-4.9.2
      python2-cryptography-2.1.4-4.9.2
      python2-cryptography-debuginfo-2.1.4-4.9.2
      python3-cryptography-2.1.4-4.9.2
      python3-cryptography-debuginfo-2.1.4-4.9.2

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
      python-cryptography-debuginfo-2.1.4-4.9.2
      python-cryptography-debugsource-2.1.4-4.9.2
      python2-cryptography-2.1.4-4.9.2
      python2-cryptography-debuginfo-2.1.4-4.9.2
      python3-cryptography-2.1.4-4.9.2
      python3-cryptography-debuginfo-2.1.4-4.9.2

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
      python-cryptography-debuginfo-2.1.4-4.9.2
      python-cryptography-debugsource-2.1.4-4.9.2
      python2-cryptography-2.1.4-4.9.2
      python2-cryptography-debuginfo-2.1.4-4.9.2
      python3-cryptography-2.1.4-4.9.2
      python3-cryptography-debuginfo-2.1.4-4.9.2

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
      python-cryptography-debuginfo-2.1.4-4.9.2
      python-cryptography-debugsource-2.1.4-4.9.2
      python2-cryptography-2.1.4-4.9.2
      python2-cryptography-debuginfo-2.1.4-4.9.2
      python3-cryptography-2.1.4-4.9.2
      python3-cryptography-debuginfo-2.1.4-4.9.2

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
      python-cryptography-debuginfo-2.1.4-4.9.2
      python-cryptography-debugsource-2.1.4-4.9.2
      python2-cryptography-2.1.4-4.9.2
      python2-cryptography-debuginfo-2.1.4-4.9.2
      python3-cryptography-2.1.4-4.9.2
      python3-cryptography-debuginfo-2.1.4-4.9.2

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
      python-cryptography-debuginfo-2.1.4-4.9.2
      python-cryptography-debugsource-2.1.4-4.9.2
      python2-cryptography-2.1.4-4.9.2
      python2-cryptography-debuginfo-2.1.4-4.9.2
      python3-cryptography-2.1.4-4.9.2
      python3-cryptography-debuginfo-2.1.4-4.9.2

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
      python-cryptography-debuginfo-2.1.4-4.9.2
      python-cryptography-debugsource-2.1.4-4.9.2
      python2-cryptography-2.1.4-4.9.2
      python2-cryptography-debuginfo-2.1.4-4.9.2
      python3-cryptography-2.1.4-4.9.2
      python3-cryptography-debuginfo-2.1.4-4.9.2

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
      python-cryptography-debuginfo-2.1.4-4.9.2
      python-cryptography-debugsource-2.1.4-4.9.2
      python2-cryptography-2.1.4-4.9.2
      python2-cryptography-debuginfo-2.1.4-4.9.2
      python3-cryptography-2.1.4-4.9.2
      python3-cryptography-debuginfo-2.1.4-4.9.2

   - SUSE Enterprise Storage 6 (aarch64 x86_64):
      python-cryptography-debuginfo-2.1.4-4.9.2
      python-cryptography-debugsource-2.1.4-4.9.2
      python2-cryptography-2.1.4-4.9.2
      python2-cryptography-debuginfo-2.1.4-4.9.2
      python3-cryptography-2.1.4-4.9.2
      python3-cryptography-debuginfo-2.1.4-4.9.2

   - SUSE CaaS Platform 4.0 (x86_64):
      python-cryptography-debuginfo-2.1.4-4.9.2
      python-cryptography-debugsource-2.1.4-4.9.2
      python2-cryptography-2.1.4-4.9.2
      python2-cryptography-debuginfo-2.1.4-4.9.2
      python3-cryptography-2.1.4-4.9.2
      python3-cryptography-debuginfo-2.1.4-4.9.2

References:

   https://www.suse.com/security/cve/CVE-2020-36242.html
   https://bugzilla.suse.com/1182066

From sle-security-updates at lists.suse.com Wed Mar 3 20:22:00 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Mar 2021 21:22:00 +0100 (CET)
Subject: SUSE-SU-2021:0695-1: moderate: Security update for postgresql12
Message-ID: <20210303202200.900F4FD14@maintenance.suse.de>

SUSE Security Update: Security update for postgresql12
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0695-1
Rating:             moderate
References:         #1179765 #1182040
Cross-References:   CVE-2021-3393
CVSS scores:
                    CVE-2021-3393 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that solves one vulnerability and has one erratum is now available.

Description:

   This update for postgresql12 fixes the following issues:

   Upgrade to version 12.6:

   - Reindexing might be needed after applying this update.
   - CVE-2021-3393, bsc#1182040: Fix information leakage in
     constraint-violation error messages.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-695=1
   - SUSE Manager Retail Branch Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-695=1
   - SUSE Manager Proxy 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-695=1
   - SUSE Linux Enterprise Server for SAP 15-SP1:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-695=1
   - SUSE Linux Enterprise Server 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-695=1
   - SUSE Linux Enterprise Server 15-SP1-BCL:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-695=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-695=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-695=1
   - SUSE Enterprise Storage 6:
      zypper in -t patch SUSE-Storage-6-2021-695=1
   - SUSE CaaS Platform 4.0:
      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
      inform you if it detects new updates and let you then trigger updating of
      the complete cluster in a controlled way.
Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):
      libecpg6-12.6-3.21.4
      libecpg6-debuginfo-12.6-3.21.4
      libpq5-12.6-3.21.4
      libpq5-debuginfo-12.6-3.21.4
      postgresql12-12.6-3.21.4
      postgresql12-contrib-12.6-3.21.4
      postgresql12-contrib-debuginfo-12.6-3.21.4
      postgresql12-debuginfo-12.6-3.21.4
      postgresql12-debugsource-12.6-3.21.4
      postgresql12-devel-12.6-3.21.4
      postgresql12-devel-debuginfo-12.6-3.21.4
      postgresql12-plperl-12.6-3.21.4
      postgresql12-plperl-debuginfo-12.6-3.21.4
      postgresql12-plpython-12.6-3.21.4
      postgresql12-plpython-debuginfo-12.6-3.21.4
      postgresql12-pltcl-12.6-3.21.4
      postgresql12-pltcl-debuginfo-12.6-3.21.4
      postgresql12-server-12.6-3.21.4
      postgresql12-server-debuginfo-12.6-3.21.4
      postgresql12-server-devel-12.6-3.21.4
      postgresql12-server-devel-debuginfo-12.6-3.21.4

   - SUSE Manager Server 4.0 (noarch):
      postgresql12-docs-12.6-3.21.4

   - SUSE Manager Server 4.0 (x86_64):
      libpq5-32bit-12.6-3.21.4
      libpq5-32bit-debuginfo-12.6-3.21.4

   - SUSE Manager Retail Branch Server 4.0 (noarch):
      postgresql12-docs-12.6-3.21.4

   - SUSE Manager Retail Branch Server 4.0 (x86_64):
      libecpg6-12.6-3.21.4
      libecpg6-debuginfo-12.6-3.21.4
      libpq5-12.6-3.21.4
      libpq5-32bit-12.6-3.21.4
      libpq5-32bit-debuginfo-12.6-3.21.4
      libpq5-debuginfo-12.6-3.21.4
      postgresql12-12.6-3.21.4
      postgresql12-contrib-12.6-3.21.4
      postgresql12-contrib-debuginfo-12.6-3.21.4
      postgresql12-debuginfo-12.6-3.21.4
      postgresql12-debugsource-12.6-3.21.4
      postgresql12-devel-12.6-3.21.4
      postgresql12-devel-debuginfo-12.6-3.21.4
      postgresql12-plperl-12.6-3.21.4
      postgresql12-plperl-debuginfo-12.6-3.21.4
      postgresql12-plpython-12.6-3.21.4
      postgresql12-plpython-debuginfo-12.6-3.21.4
      postgresql12-pltcl-12.6-3.21.4
      postgresql12-pltcl-debuginfo-12.6-3.21.4
      postgresql12-server-12.6-3.21.4
      postgresql12-server-debuginfo-12.6-3.21.4
      postgresql12-server-devel-12.6-3.21.4
      postgresql12-server-devel-debuginfo-12.6-3.21.4

   - SUSE Manager Proxy 4.0 (noarch):
      postgresql12-docs-12.6-3.21.4

   - SUSE Manager Proxy 4.0 (x86_64):
      libecpg6-12.6-3.21.4
      libecpg6-debuginfo-12.6-3.21.4
      libpq5-12.6-3.21.4
      libpq5-32bit-12.6-3.21.4
      libpq5-32bit-debuginfo-12.6-3.21.4
      libpq5-debuginfo-12.6-3.21.4
      postgresql12-12.6-3.21.4
      postgresql12-contrib-12.6-3.21.4
      postgresql12-contrib-debuginfo-12.6-3.21.4
      postgresql12-debuginfo-12.6-3.21.4
      postgresql12-debugsource-12.6-3.21.4
      postgresql12-devel-12.6-3.21.4
      postgresql12-devel-debuginfo-12.6-3.21.4
      postgresql12-plperl-12.6-3.21.4
      postgresql12-plperl-debuginfo-12.6-3.21.4
      postgresql12-plpython-12.6-3.21.4
      postgresql12-plpython-debuginfo-12.6-3.21.4
      postgresql12-pltcl-12.6-3.21.4
      postgresql12-pltcl-debuginfo-12.6-3.21.4
      postgresql12-server-12.6-3.21.4
      postgresql12-server-debuginfo-12.6-3.21.4
      postgresql12-server-devel-12.6-3.21.4
      postgresql12-server-devel-debuginfo-12.6-3.21.4

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
      libecpg6-12.6-3.21.4
      libecpg6-debuginfo-12.6-3.21.4
      libpq5-12.6-3.21.4
      libpq5-debuginfo-12.6-3.21.4
      postgresql12-12.6-3.21.4
      postgresql12-contrib-12.6-3.21.4
      postgresql12-contrib-debuginfo-12.6-3.21.4
      postgresql12-debuginfo-12.6-3.21.4
      postgresql12-debugsource-12.6-3.21.4
      postgresql12-devel-12.6-3.21.4
      postgresql12-devel-debuginfo-12.6-3.21.4
      postgresql12-plperl-12.6-3.21.4
      postgresql12-plperl-debuginfo-12.6-3.21.4
      postgresql12-plpython-12.6-3.21.4
      postgresql12-plpython-debuginfo-12.6-3.21.4
      postgresql12-pltcl-12.6-3.21.4
      postgresql12-pltcl-debuginfo-12.6-3.21.4
      postgresql12-server-12.6-3.21.4
      postgresql12-server-debuginfo-12.6-3.21.4
      postgresql12-server-devel-12.6-3.21.4
      postgresql12-server-devel-debuginfo-12.6-3.21.4

   - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):
      postgresql12-docs-12.6-3.21.4

   - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):
      libpq5-32bit-12.6-3.21.4
      libpq5-32bit-debuginfo-12.6-3.21.4

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
      libecpg6-12.6-3.21.4
      libecpg6-debuginfo-12.6-3.21.4
      libpq5-12.6-3.21.4
      libpq5-debuginfo-12.6-3.21.4
      postgresql12-12.6-3.21.4
      postgresql12-contrib-12.6-3.21.4
      postgresql12-contrib-debuginfo-12.6-3.21.4
      postgresql12-debuginfo-12.6-3.21.4
      postgresql12-debugsource-12.6-3.21.4
      postgresql12-devel-12.6-3.21.4
      postgresql12-devel-debuginfo-12.6-3.21.4
      postgresql12-plperl-12.6-3.21.4
      postgresql12-plperl-debuginfo-12.6-3.21.4
      postgresql12-plpython-12.6-3.21.4
      postgresql12-plpython-debuginfo-12.6-3.21.4
      postgresql12-pltcl-12.6-3.21.4
      postgresql12-pltcl-debuginfo-12.6-3.21.4
      postgresql12-server-12.6-3.21.4
      postgresql12-server-debuginfo-12.6-3.21.4
      postgresql12-server-devel-12.6-3.21.4
      postgresql12-server-devel-debuginfo-12.6-3.21.4

   - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):
      libpq5-32bit-12.6-3.21.4
      libpq5-32bit-debuginfo-12.6-3.21.4

   - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):
      postgresql12-docs-12.6-3.21.4

   - SUSE Linux Enterprise Server 15-SP1-BCL (noarch):
      postgresql12-docs-12.6-3.21.4

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
      libecpg6-12.6-3.21.4
      libecpg6-debuginfo-12.6-3.21.4
      libpq5-12.6-3.21.4
      libpq5-32bit-12.6-3.21.4
      libpq5-32bit-debuginfo-12.6-3.21.4
      libpq5-debuginfo-12.6-3.21.4
      postgresql12-12.6-3.21.4
      postgresql12-contrib-12.6-3.21.4
      postgresql12-contrib-debuginfo-12.6-3.21.4
      postgresql12-debuginfo-12.6-3.21.4
      postgresql12-debugsource-12.6-3.21.4
      postgresql12-devel-12.6-3.21.4
      postgresql12-devel-debuginfo-12.6-3.21.4
      postgresql12-plperl-12.6-3.21.4
      postgresql12-plperl-debuginfo-12.6-3.21.4
      postgresql12-plpython-12.6-3.21.4
      postgresql12-plpython-debuginfo-12.6-3.21.4
      postgresql12-pltcl-12.6-3.21.4
      postgresql12-pltcl-debuginfo-12.6-3.21.4
      postgresql12-server-12.6-3.21.4
      postgresql12-server-debuginfo-12.6-3.21.4
      postgresql12-server-devel-12.6-3.21.4
      postgresql12-server-devel-debuginfo-12.6-3.21.4

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
      libecpg6-12.6-3.21.4
      libecpg6-debuginfo-12.6-3.21.4
      libpq5-12.6-3.21.4
      libpq5-debuginfo-12.6-3.21.4
      postgresql12-12.6-3.21.4
      postgresql12-contrib-12.6-3.21.4
      postgresql12-contrib-debuginfo-12.6-3.21.4
      postgresql12-debuginfo-12.6-3.21.4
      postgresql12-debugsource-12.6-3.21.4
      postgresql12-devel-12.6-3.21.4
      postgresql12-devel-debuginfo-12.6-3.21.4
      postgresql12-plperl-12.6-3.21.4
      postgresql12-plperl-debuginfo-12.6-3.21.4
      postgresql12-plpython-12.6-3.21.4
      postgresql12-plpython-debuginfo-12.6-3.21.4
      postgresql12-pltcl-12.6-3.21.4
      postgresql12-pltcl-debuginfo-12.6-3.21.4
      postgresql12-server-12.6-3.21.4
      postgresql12-server-debuginfo-12.6-3.21.4
      postgresql12-server-devel-12.6-3.21.4
      postgresql12-server-devel-debuginfo-12.6-3.21.4

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):
      postgresql12-docs-12.6-3.21.4

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):
      libpq5-32bit-12.6-3.21.4
      libpq5-32bit-debuginfo-12.6-3.21.4

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
      libecpg6-12.6-3.21.4
      libecpg6-debuginfo-12.6-3.21.4
      libpq5-12.6-3.21.4
      libpq5-debuginfo-12.6-3.21.4
      postgresql12-12.6-3.21.4
      postgresql12-contrib-12.6-3.21.4
      postgresql12-contrib-debuginfo-12.6-3.21.4
      postgresql12-debuginfo-12.6-3.21.4
      postgresql12-debugsource-12.6-3.21.4
      postgresql12-devel-12.6-3.21.4
      postgresql12-devel-debuginfo-12.6-3.21.4
      postgresql12-plperl-12.6-3.21.4
      postgresql12-plperl-debuginfo-12.6-3.21.4
      postgresql12-plpython-12.6-3.21.4
      postgresql12-plpython-debuginfo-12.6-3.21.4
      postgresql12-pltcl-12.6-3.21.4
      postgresql12-pltcl-debuginfo-12.6-3.21.4
      postgresql12-server-12.6-3.21.4
      postgresql12-server-debuginfo-12.6-3.21.4
      postgresql12-server-devel-12.6-3.21.4
      postgresql12-server-devel-debuginfo-12.6-3.21.4

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):
      libpq5-32bit-12.6-3.21.4
      libpq5-32bit-debuginfo-12.6-3.21.4

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):
      postgresql12-docs-12.6-3.21.4

   - SUSE Enterprise Storage 6 (aarch64 x86_64):
      libecpg6-12.6-3.21.4
      libecpg6-debuginfo-12.6-3.21.4
      libpq5-12.6-3.21.4
      libpq5-debuginfo-12.6-3.21.4
      postgresql12-12.6-3.21.4
      postgresql12-contrib-12.6-3.21.4
      postgresql12-contrib-debuginfo-12.6-3.21.4
      postgresql12-debuginfo-12.6-3.21.4
      postgresql12-debugsource-12.6-3.21.4
      postgresql12-devel-12.6-3.21.4
      postgresql12-devel-debuginfo-12.6-3.21.4
      postgresql12-plperl-12.6-3.21.4
      postgresql12-plperl-debuginfo-12.6-3.21.4
      postgresql12-plpython-12.6-3.21.4
      postgresql12-plpython-debuginfo-12.6-3.21.4
      postgresql12-pltcl-12.6-3.21.4
      postgresql12-pltcl-debuginfo-12.6-3.21.4
      postgresql12-server-12.6-3.21.4
      postgresql12-server-debuginfo-12.6-3.21.4
      postgresql12-server-devel-12.6-3.21.4
      postgresql12-server-devel-debuginfo-12.6-3.21.4

   - SUSE Enterprise Storage 6 (noarch):
      postgresql12-docs-12.6-3.21.4

   - SUSE Enterprise Storage 6 (x86_64):
      libpq5-32bit-12.6-3.21.4
      libpq5-32bit-debuginfo-12.6-3.21.4

   - SUSE CaaS Platform 4.0 (noarch):
      postgresql12-docs-12.6-3.21.4

   - SUSE CaaS Platform 4.0 (x86_64):
      libecpg6-12.6-3.21.4
      libecpg6-debuginfo-12.6-3.21.4
      libpq5-12.6-3.21.4
      libpq5-32bit-12.6-3.21.4
      libpq5-32bit-debuginfo-12.6-3.21.4
      libpq5-debuginfo-12.6-3.21.4
      postgresql12-12.6-3.21.4
      postgresql12-contrib-12.6-3.21.4
      postgresql12-contrib-debuginfo-12.6-3.21.4
      postgresql12-debuginfo-12.6-3.21.4
      postgresql12-debugsource-12.6-3.21.4
      postgresql12-devel-12.6-3.21.4
      postgresql12-devel-debuginfo-12.6-3.21.4
      postgresql12-plperl-12.6-3.21.4
      postgresql12-plperl-debuginfo-12.6-3.21.4
      postgresql12-plpython-12.6-3.21.4
      postgresql12-plpython-debuginfo-12.6-3.21.4
      postgresql12-pltcl-12.6-3.21.4
      postgresql12-pltcl-debuginfo-12.6-3.21.4
      postgresql12-server-12.6-3.21.4
      postgresql12-server-debuginfo-12.6-3.21.4
      postgresql12-server-devel-12.6-3.21.4
      postgresql12-server-devel-debuginfo-12.6-3.21.4

References:

   https://www.suse.com/security/cve/CVE-2021-3393.html
   https://bugzilla.suse.com/1179765
   https://bugzilla.suse.com/1182040

From sle-security-updates at lists.suse.com Wed Mar 3 20:23:20 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Mar 2021 21:23:20 +0100 (CET)
Subject: SUSE-SU-2021:0692-1: important: Security update for openldap2
Message-ID: <20210303202320.76FD6FD14@maintenance.suse.de>

SUSE Security Update: Security update for openldap2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0692-1
Rating:             important
References:         #1182279 #1182408 #1182411 #1182412 #1182413 #1182415
                    #1182416 #1182417 #1182418 #1182419 #1182420
Cross-References:   CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224
                    CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228
                    CVE-2020-36229 CVE-2020-36230 CVE-2021-27212
CVSS scores:
                    CVE-2020-36221 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36221 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36222 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36222 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36223 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36223 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36224 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36224 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36225 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36225 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36226 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36226 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36227 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36227 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36228 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36228 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36229 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36229 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36230 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36230 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-27212 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-27212 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Module for Legacy Software 12
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available.

Description:

   This update for openldap2 fixes the following issues:

   - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509
     DN parsing in decode.c ber_next_element, resulting in denial of service.
   - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing
     in ad_keystring, resulting in denial of service.
   - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the
     Certificate List Exact Assertion processing, resulting in denial of
     service.
   - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop
     Cancel operation, resulting in denial of service.
   - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
     saslAuthzTo processing, resulting in denial of service.
   - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the
     saslAuthzTo processing, resulting in denial of service.
   - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash
     in the saslAuthzTo processing, resulting in denial of service.
   - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo
     validation, resulting in denial of service.
   - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
     Assertion processing, resulting in denial of service (schema_init.c
     serialNumberAndIssuerCheck).
   - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
     control handling, resulting in denial of service (double free and
     out-of-bounds read).
   - bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in
     the issuerAndThisUpdateCheck function via a crafted packet, resulting in
     a denial of service (daemon exit) via a short timestamp. This is related
     to schema_init.c and checkTime.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP5:
      zypper in -t patch SUSE-SLE-SAP-12-SP5-2021-692=1
   - SUSE Linux Enterprise Server for SAP 12-SP4:
      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-692=1
   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-692=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-692=1
   - SUSE Linux Enterprise Module for Legacy Software 12:
      zypper in -t patch SUSE-SLE-Module-Legacy-12-2021-692=1

Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP5 (ppc64le x86_64):
      compat-libldap-2_3-0-2.3.37-39.1
      compat-libldap-2_3-0-debuginfo-2.3.37-39.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
      compat-libldap-2_3-0-2.3.37-39.1
      compat-libldap-2_3-0-debuginfo-2.3.37-39.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      compat-libldap-2_3-0-2.3.37-39.1
      compat-libldap-2_3-0-debuginfo-2.3.37-39.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      compat-libldap-2_3-0-2.3.37-39.1
      compat-libldap-2_3-0-debuginfo-2.3.37-39.1

   - SUSE Linux Enterprise Module for Legacy Software 12 (aarch64 ppc64le s390x x86_64):
      compat-libldap-2_3-0-2.3.37-39.1
      compat-libldap-2_3-0-debuginfo-2.3.37-39.1

References:

   https://www.suse.com/security/cve/CVE-2020-36221.html
   https://www.suse.com/security/cve/CVE-2020-36222.html
   https://www.suse.com/security/cve/CVE-2020-36223.html
   https://www.suse.com/security/cve/CVE-2020-36224.html
   https://www.suse.com/security/cve/CVE-2020-36225.html
   https://www.suse.com/security/cve/CVE-2020-36226.html
   https://www.suse.com/security/cve/CVE-2020-36227.html
   https://www.suse.com/security/cve/CVE-2020-36228.html
   https://www.suse.com/security/cve/CVE-2020-36229.html
   https://www.suse.com/security/cve/CVE-2020-36230.html
   https://www.suse.com/security/cve/CVE-2021-27212.html
   https://bugzilla.suse.com/1182279
   https://bugzilla.suse.com/1182408
   https://bugzilla.suse.com/1182411
   https://bugzilla.suse.com/1182412
   https://bugzilla.suse.com/1182413
   https://bugzilla.suse.com/1182415
   https://bugzilla.suse.com/1182416
   https://bugzilla.suse.com/1182417
   https://bugzilla.suse.com/1182418
   https://bugzilla.suse.com/1182419
   https://bugzilla.suse.com/1182420

From sle-security-updates at lists.suse.com Wed Mar 3 20:25:27 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 3 Mar 2021 21:25:27 +0100 (CET)
Subject: SUSE-SU-2021:0694-1: important: Security update for kernel-firmware
Message-ID: <20210303202527.A3AB5FD14@maintenance.suse.de>

SUSE Security Update: Security update for kernel-firmware
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0694-1
Rating:             important
References:         #1181720 #1181735 #1181736 #1181738
Cross-References:   CVE-2020-12362 CVE-2020-12363 CVE-2020-12364 CVE-2020-12373
CVSS scores:
                    CVE-2020-12362 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-12362 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
                    CVE-2020-12363 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-12363 (SUSE): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
                    CVE-2020-12364 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-12364 (SUSE): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
                    CVE-2020-12373 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-12373 (SUSE): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for kernel-firmware fixes the following issues:

   - CVE-2020-12373: Fixed an expired pointer dereference that may lead to
     DoS (bsc#1181738).
   - CVE-2020-12364: Fixed a null pointer reference that may lead to DoS
     (bsc#1181736).
   - CVE-2020-12362: Fixed an integer overflow which could have led to
     privilege escalation (bsc#1181720).
   - CVE-2020-12363: Fixed an improper input validation which may have led to
     DoS (bsc#1181735).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-694=1
   - SUSE Manager Retail Branch Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-694=1
   - SUSE Manager Proxy 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-694=1
   - SUSE Linux Enterprise Server for SAP 15-SP1:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-694=1
   - SUSE Linux Enterprise Server 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-694=1
   - SUSE Linux Enterprise Server 15-SP1-BCL:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-694=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-694=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-694=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-694=1
   - SUSE Enterprise Storage 6:
      zypper in -t patch SUSE-Storage-6-2021-694=1
   - SUSE CaaS Platform 4.0:
      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
      inform you if it detects new updates and let you then trigger updating of
      the complete cluster in a controlled way.

Package List:

   - SUSE Manager Server 4.0 (noarch):
      kernel-firmware-20200107-3.18.1
      ucode-amd-20200107-3.18.1

   - SUSE Manager Retail Branch Server 4.0 (noarch):
      kernel-firmware-20200107-3.18.1
      ucode-amd-20200107-3.18.1

   - SUSE Manager Proxy 4.0 (noarch):
      kernel-firmware-20200107-3.18.1
      ucode-amd-20200107-3.18.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):
      kernel-firmware-20200107-3.18.1
      ucode-amd-20200107-3.18.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):
      kernel-firmware-20200107-3.18.1
      ucode-amd-20200107-3.18.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (noarch):
      kernel-firmware-20200107-3.18.1
      ucode-amd-20200107-3.18.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
      kernel-firmware-20200107-3.18.1
      ucode-amd-20200107-3.18.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):
      kernel-firmware-20200107-3.18.1
      ucode-amd-20200107-3.18.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):
      kernel-firmware-20200107-3.18.1
      ucode-amd-20200107-3.18.1

   - SUSE Enterprise Storage 6 (noarch):
      kernel-firmware-20200107-3.18.1
      ucode-amd-20200107-3.18.1

   - SUSE CaaS Platform 4.0 (noarch):
      kernel-firmware-20200107-3.18.1
      ucode-amd-20200107-3.18.1

References:

   https://www.suse.com/security/cve/CVE-2020-12362.html
   https://www.suse.com/security/cve/CVE-2020-12363.html
   https://www.suse.com/security/cve/CVE-2020-12364.html
   https://www.suse.com/security/cve/CVE-2020-12373.html
   https://bugzilla.suse.com/1181720
   https://bugzilla.suse.com/1181735
   https://bugzilla.suse.com/1181736
   https://bugzilla.suse.com/1181738

From sle-security-updates at lists.suse.com Thu Mar 4 07:06:36 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 4 Mar 2021 08:06:36 +0100 (CET)
Subject: SUSE-CU-2021:61-1: Security update of suse/sles12sp5
Message-ID: <20210304070636.0B268FFA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:61-1
Container Tags        : suse/sles12sp5:6.5.138 , suse/sles12sp5:latest
Container Release     : 6.5.138
Severity              : important
Type                  : security
References            : 1182279 1182408 1182411 1182412 1182413 1182415
                        1182416 1182417 1182418 1182419 1182420
                        CVE-2020-36221 CVE-2020-36222 CVE-2020-36223
                        CVE-2020-36224 CVE-2020-36225 CVE-2020-36226
                        CVE-2020-36227 CVE-2020-36228 CVE-2020-36229
                        CVE-2020-36230 CVE-2021-27212
-----------------------------------------------------------------

The container suse/sles12sp5 was updated. The following patches have been
included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:693-1
Released:    Wed Mar 3 18:13:33 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212

This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN
  parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in
  ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the
  Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop
  Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo
  processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the
  saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in
  the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo
  validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion
  processing, resulting in denial of service (schema_init.c
  serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control
  handling, resulting in denial of service (double free and out-of-bounds
  read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the
  issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial
  of service (daemon exit) via a short timestamp. This is related to
  schema_init.c and checkTime.

From sle-security-updates at lists.suse.com Thu Mar 4 20:15:56 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 4 Mar 2021 21:15:56 +0100 (CET)
Subject: SUSE-SU-2021:0713-1: Security update for freeradius-server
Message-ID: <20210304201556.5772DFFA5@maintenance.suse.de>

SUSE Security Update: Security update for freeradius-server
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0713-1
Rating:             low
References:         #1180525
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that contains security fixes can now be installed.
Description:

This update for freeradius-server fixes the following issues:

- Move the logrotate options into the per-log sections of the freeradius logrotate snippet: options placed at the "global" level of a drop-in file persist past that file and clobber the global options of the main logrotate config (bsc#1180525).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
   zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-713=1

- SUSE Linux Enterprise Server 12-SP5:
   zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-713=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
   freeradius-server-debuginfo-3.0.19-3.6.1
   freeradius-server-debugsource-3.0.19-3.6.1
   freeradius-server-devel-3.0.19-3.6.1

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
   freeradius-server-3.0.19-3.6.1
   freeradius-server-debuginfo-3.0.19-3.6.1
   freeradius-server-debugsource-3.0.19-3.6.1
   freeradius-server-doc-3.0.19-3.6.1
   freeradius-server-krb5-3.0.19-3.6.1
   freeradius-server-krb5-debuginfo-3.0.19-3.6.1
   freeradius-server-ldap-3.0.19-3.6.1
   freeradius-server-ldap-debuginfo-3.0.19-3.6.1
   freeradius-server-libs-3.0.19-3.6.1
   freeradius-server-libs-debuginfo-3.0.19-3.6.1
   freeradius-server-mysql-3.0.19-3.6.1
   freeradius-server-mysql-debuginfo-3.0.19-3.6.1
   freeradius-server-perl-3.0.19-3.6.1
   freeradius-server-perl-debuginfo-3.0.19-3.6.1
   freeradius-server-postgresql-3.0.19-3.6.1
   freeradius-server-postgresql-debuginfo-3.0.19-3.6.1
   freeradius-server-python-3.0.19-3.6.1
   freeradius-server-python-debuginfo-3.0.19-3.6.1
   freeradius-server-sqlite-3.0.19-3.6.1
   freeradius-server-sqlite-debuginfo-3.0.19-3.6.1
   freeradius-server-utils-3.0.19-3.6.1
   freeradius-server-utils-debuginfo-3.0.19-3.6.1

References:

https://bugzilla.suse.com/1180525

From sle-security-updates at lists.suse.com Thu Mar 4 20:16:59 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 4 Mar 2021 21:16:59 +0100 (CET)
Subject: SUSE-SU-2021:0714-1: Security update for freeradius-server
Message-ID: <20210304201659.09B34FD17@maintenance.suse.de>

   SUSE Security Update: Security update for freeradius-server
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0714-1
Rating:             low
References:         #1180525
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update for freeradius-server fixes the following issues:

- Move the logrotate options into the per-log sections of the freeradius logrotate snippet: options placed at the "global" level of a drop-in file persist past that file and clobber the global options of the main logrotate config (bsc#1180525).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15-SP2:
   zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-714=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
   freeradius-server-3.0.21-3.6.1
   freeradius-server-debuginfo-3.0.21-3.6.1
   freeradius-server-debugsource-3.0.21-3.6.1
   freeradius-server-devel-3.0.21-3.6.1
   freeradius-server-krb5-3.0.21-3.6.1
   freeradius-server-krb5-debuginfo-3.0.21-3.6.1
   freeradius-server-ldap-3.0.21-3.6.1
   freeradius-server-ldap-debuginfo-3.0.21-3.6.1
   freeradius-server-libs-3.0.21-3.6.1
   freeradius-server-libs-debuginfo-3.0.21-3.6.1
   freeradius-server-mysql-3.0.21-3.6.1
   freeradius-server-mysql-debuginfo-3.0.21-3.6.1
   freeradius-server-perl-3.0.21-3.6.1
   freeradius-server-perl-debuginfo-3.0.21-3.6.1
   freeradius-server-postgresql-3.0.21-3.6.1
   freeradius-server-postgresql-debuginfo-3.0.21-3.6.1
   freeradius-server-python3-3.0.21-3.6.1
   freeradius-server-python3-debuginfo-3.0.21-3.6.1
   freeradius-server-sqlite-3.0.21-3.6.1
   freeradius-server-sqlite-debuginfo-3.0.21-3.6.1
   freeradius-server-utils-3.0.21-3.6.1
   freeradius-server-utils-debuginfo-3.0.21-3.6.1

References:

https://bugzilla.suse.com/1180525

From sle-security-updates at lists.suse.com Mon Mar 8 17:16:45 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 8 Mar 2021 18:16:45 +0100 (CET)
Subject: SUSE-SU-2021:0720-1: important: Security update for wpa_supplicant
Message-ID: <20210308171645.9BFDDFD17@maintenance.suse.de>

   SUSE Security Update: Security update for wpa_supplicant
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0720-1
Rating:             important
References:         #1182805
Cross-References:   CVE-2021-27803
CVSS scores:
                    CVE-2021-27803 (NVD) : 7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-27803 (SUSE): 7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for wpa_supplicant fixes the following issues:

- CVE-2021-27803: Fixed a P2P provision discovery processing vulnerability (bsc#1182805).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:
   zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-720=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
   wpa_supplicant-2.9-23.9.2
   wpa_supplicant-debuginfo-2.9-23.9.2
   wpa_supplicant-debugsource-2.9-23.9.2

References:

https://www.suse.com/security/cve/CVE-2021-27803.html
https://bugzilla.suse.com/1182805

From sle-security-updates at lists.suse.com Mon Mar 8 20:17:48 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 8 Mar 2021 21:17:48 +0100 (CET)
Subject: SUSE-SU-2021:0722-1: important: Security update for crmsh
Message-ID: <20210308201748.2D109FD17@maintenance.suse.de>

   SUSE Security Update: Security update for crmsh
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0722-1
Rating:             important
References:         #1154927 #1178454 #1178869 #1179999 #1180571 #1180688
Cross-References:   CVE-2020-35459 CVE-2021-3020
CVSS scores:
                    CVE-2020-35459 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-35459 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3020 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE Linux Enterprise High Availability 12-SP5
                    SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

An update that solves two vulnerabilities and has four fixes is now available.

Description:

This update for crmsh fixes the following issues:

- Update to version 4.1.0+git.1614156984.f4f5e146:
  * Fix: hb_report: walk through hb_report process under hacluster (CVE-2020-35459, bsc#1179999; CVE-2021-3020, bsc#1180571)
  * Fix: bootstrap: set up authorized ssh access for hacluster (CVE-2020-35459, bsc#1179999; CVE-2021-3020, bsc#1180571)
  * Dev: utils: change default file mode to 644 for the str2file function
  * Dev: lock: give a more specific error message when raising ClaimLockError
  * Dev: hb_report: detect if any ocfs2 partitions exist
  * Fix: hb_report: run lsof with the specific ocfs2 device (bsc#1180688)
  * Dev: corosync: change the permission of corosync.conf to 644
  * Fix: bootstrap: use class Watchdog to simplify watchdog config (bsc#1154927, bsc#1178869)
  * Fix: bootstrap: make sure the sbd device UUID is the same across nodes (bsc#1178454)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise High Availability 12-SP5:
   zypper in -t patch SUSE-SLE-HA-12-SP5-2021-722=1

- SUSE Linux Enterprise High Availability 12-SP4:
   zypper in -t patch SUSE-SLE-HA-12-SP4-2021-722=1

Package List:

- SUSE Linux Enterprise High Availability 12-SP5 (noarch):
   crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2
   crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2

- SUSE Linux Enterprise High Availability 12-SP4 (noarch):
   crmsh-4.1.0+git.1614156984.f4f5e146-2.56.2
   crmsh-scripts-4.1.0+git.1614156984.f4f5e146-2.56.2

References:

https://www.suse.com/security/cve/CVE-2020-35459.html
https://www.suse.com/security/cve/CVE-2021-3020.html
https://bugzilla.suse.com/1154927
https://bugzilla.suse.com/1178454
https://bugzilla.suse.com/1178869
https://bugzilla.suse.com/1179999
https://bugzilla.suse.com/1180571
https://bugzilla.suse.com/1180688

From sle-security-updates at lists.suse.com Mon Mar 8 20:19:37 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 8 Mar 2021 21:19:37 +0100 (CET)
Subject: SUSE-SU-2021:0723-1: important: Security update for openldap2
Message-ID: <20210308201937.E6A51FD17@maintenance.suse.de>

   SUSE Security Update: Security update for openldap2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0723-1
Rating:             important
References:         #1182279 #1182408 #1182411 #1182412 #1182413 #1182415 #1182416 #1182417 #1182418 #1182419 #1182420
Cross-References:   CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2021-27212
CVSS scores:
                    CVE-2020-36221 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36221 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36222 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36222 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36223 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36223 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36224 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36224 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36225 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36225 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36226 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36226 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36227 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36227 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36228 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36228 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36229 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36229 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36230 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36230 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-27212 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-27212 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Legacy Software 15-SP3
                    SUSE Linux Enterprise Module for Legacy Software 15-SP2
                    SUSE Linux Enterprise Module for Development Tools 15-SP3
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes 11 vulnerabilities is now available.

Description:

This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:
   zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-723=1

- SUSE Manager Retail Branch Server 4.0:
   zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-723=1

- SUSE Manager Proxy 4.0:
   zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-723=1

- SUSE Linux Enterprise Server for SAP 15-SP1:
   zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-723=1

- SUSE Linux Enterprise Server for SAP 15:
   zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-723=1

- SUSE Linux Enterprise Server 15-SP1-LTSS:
   zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-723=1

- SUSE Linux Enterprise Server 15-SP1-BCL:
   zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-723=1

- SUSE Linux Enterprise Server 15-LTSS:
   zypper in -t patch SUSE-SLE-Product-SLES-15-2021-723=1

- SUSE Linux Enterprise Module for Legacy Software 15-SP3:
   zypper in -t patch SUSE-SLE-Module-Legacy-15-SP3-2021-723=1

- SUSE Linux Enterprise Module for Legacy Software 15-SP2:
   zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2021-723=1

- SUSE Linux Enterprise Module for Development Tools 15-SP3:
   zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-723=1

- SUSE Linux Enterprise Module for Development Tools 15-SP2:
   zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-723=1

- SUSE Linux Enterprise Module for Basesystem 15-SP3:
   zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-723=1

- SUSE Linux Enterprise Module for Basesystem 15-SP2:
   zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-723=1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
   zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-723=1

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
   zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-723=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:
   zypper in -t patch SUSE-SLE-Product-HPC-15-2021-723=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
   zypper in -t patch SUSE-SLE-Product-HPC-15-2021-723=1

- SUSE Enterprise Storage 6:
   zypper in -t patch SUSE-Storage-6-2021-723=1

- SUSE CaaS Platform 4.0:
   To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

- SUSE Manager Server 4.0 (ppc64le s390x x86_64):
   libldap-2_4-2-2.4.46-9.48.1
   libldap-2_4-2-debuginfo-2.4.46-9.48.1
   openldap2-2.4.46-9.48.1
   openldap2-back-meta-2.4.46-9.48.1
   openldap2-back-meta-debuginfo-2.4.46-9.48.1
   openldap2-back-perl-2.4.46-9.48.1
   openldap2-back-perl-debuginfo-2.4.46-9.48.1
   openldap2-client-2.4.46-9.48.1
   openldap2-client-debuginfo-2.4.46-9.48.1
   openldap2-debuginfo-2.4.46-9.48.1
   openldap2-debugsource-2.4.46-9.48.1
   openldap2-devel-2.4.46-9.48.1
   openldap2-devel-static-2.4.46-9.48.1
   openldap2-ppolicy-check-password-1.2-9.48.1
   openldap2-ppolicy-check-password-debuginfo-1.2-9.48.1

- SUSE Manager Server 4.0 (noarch):
   libldap-data-2.4.46-9.48.1

- SUSE Manager Server 4.0 (x86_64):
   libldap-2_4-2-32bit-2.4.46-9.48.1
   libldap-2_4-2-32bit-debuginfo-2.4.46-9.48.1
   openldap2-devel-32bit-2.4.46-9.48.1

- SUSE Manager Retail Branch Server 4.0 (x86_64):
   libldap-2_4-2-2.4.46-9.48.1
   libldap-2_4-2-32bit-2.4.46-9.48.1
   libldap-2_4-2-32bit-debuginfo-2.4.46-9.48.1
   libldap-2_4-2-debuginfo-2.4.46-9.48.1
   openldap2-2.4.46-9.48.1
   openldap2-back-meta-2.4.46-9.48.1
   openldap2-back-meta-debuginfo-2.4.46-9.48.1
   openldap2-back-perl-2.4.46-9.48.1
openldap2-back-perl-debuginfo-2.4.46-9.48.1 openldap2-client-2.4.46-9.48.1 openldap2-client-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-2.4.46-9.48.1 openldap2-devel-32bit-2.4.46-9.48.1 openldap2-devel-static-2.4.46-9.48.1 openldap2-ppolicy-check-password-1.2-9.48.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.48.1 - SUSE Manager Retail Branch Server 4.0 (noarch): libldap-data-2.4.46-9.48.1 - SUSE Manager Proxy 4.0 (x86_64): libldap-2_4-2-2.4.46-9.48.1 libldap-2_4-2-32bit-2.4.46-9.48.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.48.1 libldap-2_4-2-debuginfo-2.4.46-9.48.1 openldap2-2.4.46-9.48.1 openldap2-back-meta-2.4.46-9.48.1 openldap2-back-meta-debuginfo-2.4.46-9.48.1 openldap2-back-perl-2.4.46-9.48.1 openldap2-back-perl-debuginfo-2.4.46-9.48.1 openldap2-client-2.4.46-9.48.1 openldap2-client-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-2.4.46-9.48.1 openldap2-devel-32bit-2.4.46-9.48.1 openldap2-devel-static-2.4.46-9.48.1 openldap2-ppolicy-check-password-1.2-9.48.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.48.1 - SUSE Manager Proxy 4.0 (noarch): libldap-data-2.4.46-9.48.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): libldap-2_4-2-2.4.46-9.48.1 libldap-2_4-2-debuginfo-2.4.46-9.48.1 openldap2-2.4.46-9.48.1 openldap2-back-meta-2.4.46-9.48.1 openldap2-back-meta-debuginfo-2.4.46-9.48.1 openldap2-back-perl-2.4.46-9.48.1 openldap2-back-perl-debuginfo-2.4.46-9.48.1 openldap2-client-2.4.46-9.48.1 openldap2-client-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-2.4.46-9.48.1 openldap2-devel-static-2.4.46-9.48.1 openldap2-ppolicy-check-password-1.2-9.48.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.48.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): libldap-data-2.4.46-9.48.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64): 
libldap-2_4-2-32bit-2.4.46-9.48.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.48.1 openldap2-devel-32bit-2.4.46-9.48.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libldap-2_4-2-2.4.46-9.48.1 libldap-2_4-2-debuginfo-2.4.46-9.48.1 openldap2-2.4.46-9.48.1 openldap2-back-meta-2.4.46-9.48.1 openldap2-back-meta-debuginfo-2.4.46-9.48.1 openldap2-back-perl-2.4.46-9.48.1 openldap2-back-perl-debuginfo-2.4.46-9.48.1 openldap2-client-2.4.46-9.48.1 openldap2-client-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-2.4.46-9.48.1 openldap2-devel-static-2.4.46-9.48.1 openldap2-ppolicy-check-password-1.2-9.48.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.48.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): libldap-data-2.4.46-9.48.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libldap-2_4-2-32bit-2.4.46-9.48.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.48.1 openldap2-devel-32bit-2.4.46-9.48.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): libldap-2_4-2-2.4.46-9.48.1 libldap-2_4-2-debuginfo-2.4.46-9.48.1 openldap2-2.4.46-9.48.1 openldap2-back-meta-2.4.46-9.48.1 openldap2-back-meta-debuginfo-2.4.46-9.48.1 openldap2-back-perl-2.4.46-9.48.1 openldap2-back-perl-debuginfo-2.4.46-9.48.1 openldap2-client-2.4.46-9.48.1 openldap2-client-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-2.4.46-9.48.1 openldap2-devel-static-2.4.46-9.48.1 openldap2-ppolicy-check-password-1.2-9.48.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.48.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): libldap-data-2.4.46-9.48.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64): libldap-2_4-2-32bit-2.4.46-9.48.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.48.1 openldap2-devel-32bit-2.4.46-9.48.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): libldap-data-2.4.46-9.48.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): 
libldap-2_4-2-2.4.46-9.48.1 libldap-2_4-2-32bit-2.4.46-9.48.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.48.1 libldap-2_4-2-debuginfo-2.4.46-9.48.1 openldap2-2.4.46-9.48.1 openldap2-back-meta-2.4.46-9.48.1 openldap2-back-meta-debuginfo-2.4.46-9.48.1 openldap2-back-perl-2.4.46-9.48.1 openldap2-back-perl-debuginfo-2.4.46-9.48.1 openldap2-client-2.4.46-9.48.1 openldap2-client-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-2.4.46-9.48.1 openldap2-devel-32bit-2.4.46-9.48.1 openldap2-devel-static-2.4.46-9.48.1 openldap2-ppolicy-check-password-1.2-9.48.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.48.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libldap-2_4-2-2.4.46-9.48.1 libldap-2_4-2-debuginfo-2.4.46-9.48.1 openldap2-2.4.46-9.48.1 openldap2-back-meta-2.4.46-9.48.1 openldap2-back-meta-debuginfo-2.4.46-9.48.1 openldap2-back-perl-2.4.46-9.48.1 openldap2-back-perl-debuginfo-2.4.46-9.48.1 openldap2-client-2.4.46-9.48.1 openldap2-client-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-2.4.46-9.48.1 openldap2-devel-static-2.4.46-9.48.1 openldap2-ppolicy-check-password-1.2-9.48.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.48.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): libldap-data-2.4.46-9.48.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP3 (aarch64 ppc64le s390x x86_64): openldap2-2.4.46-9.48.1 openldap2-back-meta-2.4.46-9.48.1 openldap2-back-meta-debuginfo-2.4.46-9.48.1 openldap2-back-perl-2.4.46-9.48.1 openldap2-back-perl-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-ppolicy-check-password-1.2-9.48.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.48.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (aarch64 ppc64le s390x x86_64): openldap2-2.4.46-9.48.1 openldap2-back-meta-2.4.46-9.48.1 openldap2-back-meta-debuginfo-2.4.46-9.48.1 
openldap2-back-perl-2.4.46-9.48.1 openldap2-back-perl-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-ppolicy-check-password-1.2-9.48.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.48.1 - SUSE Linux Enterprise Module for Development Tools 15-SP3 (x86_64): openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-32bit-2.4.46-9.48.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (x86_64): openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-32bit-2.4.46-9.48.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): libldap-2_4-2-2.4.46-9.48.1 libldap-2_4-2-debuginfo-2.4.46-9.48.1 openldap2-client-2.4.46-9.48.1 openldap2-client-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-2.4.46-9.48.1 openldap2-devel-static-2.4.46-9.48.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch): libldap-data-2.4.46-9.48.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64): libldap-2_4-2-32bit-2.4.46-9.48.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.48.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libldap-2_4-2-2.4.46-9.48.1 libldap-2_4-2-debuginfo-2.4.46-9.48.1 openldap2-client-2.4.46-9.48.1 openldap2-client-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-2.4.46-9.48.1 openldap2-devel-static-2.4.46-9.48.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): libldap-2_4-2-32bit-2.4.46-9.48.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.48.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): libldap-data-2.4.46-9.48.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): libldap-2_4-2-2.4.46-9.48.1 libldap-2_4-2-debuginfo-2.4.46-9.48.1 openldap2-client-2.4.46-9.48.1 openldap2-client-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-2.4.46-9.48.1 
openldap2-devel-static-2.4.46-9.48.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): libldap-data-2.4.46-9.48.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64): libldap-2_4-2-32bit-2.4.46-9.48.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.48.1 openldap2-devel-32bit-2.4.46-9.48.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): libldap-2_4-2-2.4.46-9.48.1 libldap-2_4-2-debuginfo-2.4.46-9.48.1 openldap2-client-2.4.46-9.48.1 openldap2-client-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-2.4.46-9.48.1 openldap2-devel-static-2.4.46-9.48.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64): libldap-2_4-2-32bit-2.4.46-9.48.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.48.1 openldap2-devel-32bit-2.4.46-9.48.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): libldap-data-2.4.46-9.48.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libldap-2_4-2-2.4.46-9.48.1 libldap-2_4-2-debuginfo-2.4.46-9.48.1 openldap2-client-2.4.46-9.48.1 openldap2-client-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-2.4.46-9.48.1 openldap2-devel-static-2.4.46-9.48.1 openldap2-ppolicy-check-password-1.2-9.48.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.48.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libldap-2_4-2-32bit-2.4.46-9.48.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.48.1 openldap2-devel-32bit-2.4.46-9.48.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): libldap-data-2.4.46-9.48.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libldap-2_4-2-2.4.46-9.48.1 libldap-2_4-2-debuginfo-2.4.46-9.48.1 openldap2-client-2.4.46-9.48.1 openldap2-client-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 
openldap2-devel-2.4.46-9.48.1 openldap2-devel-static-2.4.46-9.48.1 openldap2-ppolicy-check-password-1.2-9.48.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.48.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): libldap-data-2.4.46-9.48.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libldap-2_4-2-32bit-2.4.46-9.48.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.48.1 openldap2-devel-32bit-2.4.46-9.48.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): libldap-2_4-2-2.4.46-9.48.1 libldap-2_4-2-debuginfo-2.4.46-9.48.1 openldap2-2.4.46-9.48.1 openldap2-back-meta-2.4.46-9.48.1 openldap2-back-meta-debuginfo-2.4.46-9.48.1 openldap2-back-perl-2.4.46-9.48.1 openldap2-back-perl-debuginfo-2.4.46-9.48.1 openldap2-client-2.4.46-9.48.1 openldap2-client-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-2.4.46-9.48.1 openldap2-devel-static-2.4.46-9.48.1 openldap2-ppolicy-check-password-1.2-9.48.1 openldap2-ppolicy-check-password-debuginfo-1.2-9.48.1 - SUSE Enterprise Storage 6 (noarch): libldap-data-2.4.46-9.48.1 - SUSE Enterprise Storage 6 (x86_64): libldap-2_4-2-32bit-2.4.46-9.48.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.48.1 openldap2-devel-32bit-2.4.46-9.48.1 - SUSE CaaS Platform 4.0 (noarch): libldap-data-2.4.46-9.48.1 - SUSE CaaS Platform 4.0 (x86_64): libldap-2_4-2-2.4.46-9.48.1 libldap-2_4-2-32bit-2.4.46-9.48.1 libldap-2_4-2-32bit-debuginfo-2.4.46-9.48.1 libldap-2_4-2-debuginfo-2.4.46-9.48.1 openldap2-2.4.46-9.48.1 openldap2-back-meta-2.4.46-9.48.1 openldap2-back-meta-debuginfo-2.4.46-9.48.1 openldap2-back-perl-2.4.46-9.48.1 openldap2-back-perl-debuginfo-2.4.46-9.48.1 openldap2-client-2.4.46-9.48.1 openldap2-client-debuginfo-2.4.46-9.48.1 openldap2-debuginfo-2.4.46-9.48.1 openldap2-debugsource-2.4.46-9.48.1 openldap2-devel-2.4.46-9.48.1 openldap2-devel-32bit-2.4.46-9.48.1 openldap2-devel-static-2.4.46-9.48.1 openldap2-ppolicy-check-password-1.2-9.48.1 
openldap2-ppolicy-check-password-debuginfo-1.2-9.48.1 References: https://www.suse.com/security/cve/CVE-2020-36221.html https://www.suse.com/security/cve/CVE-2020-36222.html https://www.suse.com/security/cve/CVE-2020-36223.html https://www.suse.com/security/cve/CVE-2020-36224.html https://www.suse.com/security/cve/CVE-2020-36225.html https://www.suse.com/security/cve/CVE-2020-36226.html https://www.suse.com/security/cve/CVE-2020-36227.html https://www.suse.com/security/cve/CVE-2020-36228.html https://www.suse.com/security/cve/CVE-2020-36229.html https://www.suse.com/security/cve/CVE-2020-36230.html https://www.suse.com/security/cve/CVE-2021-27212.html https://bugzilla.suse.com/1182279 https://bugzilla.suse.com/1182408 https://bugzilla.suse.com/1182411 https://bugzilla.suse.com/1182412 https://bugzilla.suse.com/1182413 https://bugzilla.suse.com/1182415 https://bugzilla.suse.com/1182416 https://bugzilla.suse.com/1182417 https://bugzilla.suse.com/1182418 https://bugzilla.suse.com/1182419 https://bugzilla.suse.com/1182420 From sle-security-updates at lists.suse.com Mon Mar 8 20:22:58 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 8 Mar 2021 21:22:58 +0100 (CET) Subject: SUSE-SU-2021:0721-1: important: Security update for wpa_supplicant Message-ID: <20210308202258.B68CEFD17@maintenance.suse.de> SUSE Security Update: Security update for wpa_supplicant ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0721-1 Rating: important References: #1182805 Cross-References: CVE-2021-27803 CVSS scores: CVE-2021-27803 (NVD) : 7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-27803 (SUSE): 7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Manager Server 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Proxy 4.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS 
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for wpa_supplicant fixes the following issues:

   - CVE-2021-27803: Fixed a P2P provision discovery processing vulnerability (bsc#1182805).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-721=1

   - SUSE Manager Retail Branch Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-721=1

   - SUSE Manager Proxy 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-721=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-721=1

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-721=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-721=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-721=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-721=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-721=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-721=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-721=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-721=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-721=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-721=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-721=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

   - SUSE Manager Retail Branch Server 4.0 (x86_64):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

   - SUSE Manager Proxy 4.0 (x86_64):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

   - SUSE CaaS Platform 4.0 (x86_64):

      wpa_supplicant-2.9-4.26.1
      wpa_supplicant-debuginfo-2.9-4.26.1
      wpa_supplicant-debugsource-2.9-4.26.1

References:

   https://www.suse.com/security/cve/CVE-2021-27803.html
   https://bugzilla.suse.com/1182805

From sle-security-updates at lists.suse.com Mon Mar 8 20:24:05 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 8 Mar 2021 21:24:05 +0100 (CET)
Subject: SUSE-SU-2021:0724-1: moderate: Security update for 389-ds
Message-ID: <20210308202405.6D38CFD17@maintenance.suse.de>

SUSE Security Update: Security update for 389-ds
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0724-1
Rating:             moderate
References:         #1181159
Cross-References:   CVE-2020-35518
CVSS scores:
                    CVE-2020-35518 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for 389-ds fixes the following issues:

   - 389-ds was updated to version 1.4.3.19
   - CVE-2020-35518: Fixed an information disclosure during the binding of a DN (bsc#1181159).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-724=1

Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      389-ds-1.4.3.19~git0.bef0b5bed-3.12.1
      389-ds-debuginfo-1.4.3.19~git0.bef0b5bed-3.12.1
      389-ds-debugsource-1.4.3.19~git0.bef0b5bed-3.12.1
      389-ds-devel-1.4.3.19~git0.bef0b5bed-3.12.1
      lib389-1.4.3.19~git0.bef0b5bed-3.12.1
      libsvrcore0-1.4.3.19~git0.bef0b5bed-3.12.1
      libsvrcore0-debuginfo-1.4.3.19~git0.bef0b5bed-3.12.1

References:

   https://www.suse.com/security/cve/CVE-2020-35518.html
   https://bugzilla.suse.com/1181159

From sle-security-updates at lists.suse.com Mon Mar 8 20:25:11 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 8 Mar 2021 21:25:11 +0100 (CET)
Subject: SUSE-SU-2021:0725-1: moderate: Security update for openssl-1_0_0
Message-ID: <20210308202511.8784AFD17@maintenance.suse.de>

SUSE Security Update: Security update for openssl-1_0_0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0725-1
Rating:             moderate
References:         #1182331 #1182333
Cross-References:   CVE-2021-23840 CVE-2021-23841
CVSS scores:
                    CVE-2021-23840 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-23840 (SUSE): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
                    CVE-2021-23841 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-23841 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for openssl-1_0_0 fixes the following issues:

   - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
   - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-725=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-725=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-725=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-725=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-725=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-725=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      libopenssl-1_0_0-devel-1.0.2p-3.36.1
      libopenssl1_0_0-1.0.2p-3.36.1
      libopenssl1_0_0-32bit-1.0.2p-3.36.1
      libopenssl1_0_0-debuginfo-1.0.2p-3.36.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2p-3.36.1
      libopenssl1_0_0-hmac-1.0.2p-3.36.1
      libopenssl1_0_0-hmac-32bit-1.0.2p-3.36.1
      openssl-1_0_0-1.0.2p-3.36.1
      openssl-1_0_0-debuginfo-1.0.2p-3.36.1
      openssl-1_0_0-debugsource-1.0.2p-3.36.1

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      openssl-1_0_0-doc-1.0.2p-3.36.1

   - SUSE OpenStack Cloud 9 (x86_64):

      libopenssl-1_0_0-devel-1.0.2p-3.36.1
      libopenssl1_0_0-1.0.2p-3.36.1
      libopenssl1_0_0-32bit-1.0.2p-3.36.1
      libopenssl1_0_0-debuginfo-1.0.2p-3.36.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2p-3.36.1
      libopenssl1_0_0-hmac-1.0.2p-3.36.1
      libopenssl1_0_0-hmac-32bit-1.0.2p-3.36.1
      openssl-1_0_0-1.0.2p-3.36.1
      openssl-1_0_0-debuginfo-1.0.2p-3.36.1
      openssl-1_0_0-debugsource-1.0.2p-3.36.1

   - SUSE OpenStack Cloud 9 (noarch):

      openssl-1_0_0-doc-1.0.2p-3.36.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      libopenssl-1_0_0-devel-1.0.2p-3.36.1
      openssl-1_0_0-debuginfo-1.0.2p-3.36.1
      openssl-1_0_0-debugsource-1.0.2p-3.36.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      libopenssl-1_0_0-devel-1.0.2p-3.36.1
      libopenssl1_0_0-1.0.2p-3.36.1
      libopenssl1_0_0-debuginfo-1.0.2p-3.36.1
      libopenssl1_0_0-hmac-1.0.2p-3.36.1
      openssl-1_0_0-1.0.2p-3.36.1
      openssl-1_0_0-debuginfo-1.0.2p-3.36.1
      openssl-1_0_0-debugsource-1.0.2p-3.36.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

      libopenssl1_0_0-32bit-1.0.2p-3.36.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2p-3.36.1
      libopenssl1_0_0-hmac-32bit-1.0.2p-3.36.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):

      openssl-1_0_0-doc-1.0.2p-3.36.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libopenssl-1_0_0-devel-1.0.2p-3.36.1
      libopenssl1_0_0-1.0.2p-3.36.1
      libopenssl1_0_0-debuginfo-1.0.2p-3.36.1
      libopenssl1_0_0-hmac-1.0.2p-3.36.1
      openssl-1_0_0-1.0.2p-3.36.1
      openssl-1_0_0-debuginfo-1.0.2p-3.36.1
      openssl-1_0_0-debugsource-1.0.2p-3.36.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libopenssl1_0_0-32bit-1.0.2p-3.36.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2p-3.36.1
      libopenssl1_0_0-hmac-32bit-1.0.2p-3.36.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      openssl-1_0_0-doc-1.0.2p-3.36.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      libopenssl-1_0_0-devel-1.0.2p-3.36.1
      libopenssl1_0_0-1.0.2p-3.36.1
      libopenssl1_0_0-debuginfo-1.0.2p-3.36.1
      libopenssl1_0_0-hmac-1.0.2p-3.36.1
      openssl-1_0_0-1.0.2p-3.36.1
      openssl-1_0_0-debuginfo-1.0.2p-3.36.1
      openssl-1_0_0-debugsource-1.0.2p-3.36.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):

      libopenssl1_0_0-32bit-1.0.2p-3.36.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2p-3.36.1
      libopenssl1_0_0-hmac-32bit-1.0.2p-3.36.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):

      openssl-1_0_0-doc-1.0.2p-3.36.1

References:

   https://www.suse.com/security/cve/CVE-2021-23840.html
   https://www.suse.com/security/cve/CVE-2021-23841.html
   https://bugzilla.suse.com/1182331
   https://bugzilla.suse.com/1182333

From sle-security-updates at lists.suse.com Tue Mar 9 07:06:34 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 08:06:34 +0100 (CET)
Subject: SUSE-CU-2021:62-1: Security update of suse/sles12sp5
Message-ID: <20210309070634.8BC75FFA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:62-1
Container Tags        : suse/sles12sp5:6.5.141 , suse/sles12sp5:latest
Container Release     : 6.5.141
Severity              : moderate
Type                  : security
References            : 1182331 1182333 CVE-2021-23840 CVE-2021-23841
-----------------------------------------------------------------

The container suse/sles12sp5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:725-1
Released:    Mon Mar 8 16:47:37 2021
Summary:     Security update for openssl-1_0_0
Type:        security
Severity:    moderate
References:  1182331,1182333,CVE-2021-23840,CVE-2021-23841

This update for openssl-1_0_0 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

From sle-security-updates at lists.suse.com Tue Mar 9 07:24:00 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 08:24:00 +0100 (CET)
Subject: SUSE-CU-2021:63-1: Security update of suse/sle15
Message-ID: <20210309072400.9EB48FFA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:63-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.353
Container Release     : 4.22.353
Severity              : important
Type                  : security
References            : 1182279 1182408 1182411 1182412 1182413 1182415 1182416 1182417
                        1182418 1182419 1182420 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223
                        CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227
                        CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2021-27212
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released:    Mon Mar 8 16:45:27 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212

This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

From sle-security-updates at lists.suse.com Tue Mar 9 07:31:09 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 08:31:09 +0100 (CET)
Subject: SUSE-CU-2021:64-1: Security update of suse/sle15
Message-ID: <20210309073109.D6289FFA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:64-1
Container Tags        : suse/sle15:15.2 , suse/sle15:15.2.8.2.860
Container Release     : 8.2.860
Severity              : important
Type                  : security
References            : 1182279 1182408 1182411 1182412 1182413 1182415 1182416 1182417
                        1182418 1182419 1182420 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223
                        CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227
                        CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2021-27212
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released:    Mon Mar 8 16:45:27 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212

This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

From sle-security-updates at lists.suse.com Tue Mar 9 20:19:05 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 21:19:05 +0100 (CET)
Subject: SUSE-SU-2021:0738-1: important: Security update for the Linux Kernel
Message-ID: <20210309201905.044F8FD17@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0738-1
Rating:             important
References:         #1065600 #1065729 #1078720 #1081134 #1084610 #1132477 #1151927
                    #1152472 #1152489 #1154353 #1155518 #1156395 #1163776 #1169514
                    #1170442 #1176248 #1176855 #1177109 #1177326 #1177440 #1177529
                    #1178142 #1178995 #1179082 #1179137 #1179243 #1179428 #1179660
                    #1179929 #1180058 #1180846 #1180964 #1180989 #1181133 #1181259
                    #1181544 #1181574 #1181637 #1181655 #1181671 #1181674 #1181710
                    #1181720 #1181735 #1181736 #1181738 #1181747 #1181753 #1181818
                    #1181843 #1181854 #1181896 #1181958 #1181960 #1181985 #1182047
                    #1182118 #1182128 #1182140 #1182171 #1182175 #1182259 #1182265
                    #1182266 #1182267 #1182268 #1182271 #1182272 #1182273 #1182275
                    #1182276 #1182278 #1182283 #1182374 #1182380 #1182381 #1182406
                    #1182430 #1182439 #1182441 #1182442 #1182443 #1182444 #1182445
                    #1182446 #1182447 #1182449 #1182454 #1182455 #1182456 #1182457
                    #1182458 #1182459 #1182460 #1182461 #1182462 #1182463 #1182464
                    #1182465 #1182466 #1182485 #1182489 #1182490 #1182547 #1182558
                    #1182560 #1182561 #1182571 #1182599 #1182602 #1182626 #1182650
                    #1182672 #1182676 #1182683 #1182684 #1182686 #1182770 #1182798
                    #1182800 #1182801 #1182854 #1182856
Cross-References:   CVE-2020-12362 CVE-2020-12363 CVE-2020-12364 CVE-2020-12373
                    CVE-2020-29368
CVE-2020-29374 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932 CVSS scores: CVE-2020-12362 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-12362 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2020-12363 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-12363 (SUSE): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L CVE-2020-12364 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-12364 (SUSE): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L CVE-2020-12373 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-12373 (SUSE): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29374 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29374 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2021-26930 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-26930 (SUSE): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-26931 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-26931 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-26932 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-26932 (SUSE): 5.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP2 ______________________________________________________________________________ An update that solves 9 vulnerabilities and has 114 fixes is now available. Description: The SUSE Linux Enterprise 15 SP2 kernel Azure was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843). - CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753). 
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747). by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372). - CVE-2020-12362: Fixed an integer overflow in the firmware which may have allowed a privileged user to potentially enable an escalation of privilege via local access (bsc#1181720). - CVE-2020-12363: Fixed an improper input validation which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181735). - CVE-2020-12364: Fixed a null pointer reference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181736 ). - CVE-2020-12373: Fixed an expired pointer dereference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181738). - CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428). The following non-security bugs were fixed: - ACPICA: Fix exception code class checks (git-fixes). - ACPI: configfs: add missing check after configfs_register_default_group() (git-fixes). - ACPI: property: Fix fwnode string properties matching (git-fixes). - ACPI: property: Satisfy kernel doc validator (part 1) (git-fixes). - ACPI: property: Satisfy kernel doc validator (part 2) (git-fixes). - ALSA: hda: Add another CometLake-H PCI ID (git-fixes). - ALSA: hda/hdmi: Drop bogus check at closing a stream (git-fixes). - ALSA: hda/realtek: modify EAPD in the ALC886 (git-fixes). - ALSA: pcm: Assure sync with the pending stop operation at suspend (git-fixes). - ALSA: pcm: Call sync_stop at disconnection (git-fixes). - ALSA: pcm: Do not call sync_stop if it hasn't been stopped (git-fixes). - ALSA: usb-audio: Add implicit fb quirk for BOSS GP-10 (git-fixes). 
- ALSA: usb-audio: Correct document for snd_usb_endpoint_free_all() (git-fixes). - ALSA: usb-audio: Do not avoid stopping the stream at disconnection (git-fixes). - ALSA: usb-audio: Fix PCM buffer allocation in non-vmalloc mode (git-fixes). - ALSA: usb-audio: Handle invalid running state at releasing EP (git-fixes). - ALSA: usb-audio: More strict state change in EP (git-fixes). - amba: Fix resource leak for drivers without .remove (git-fixes). - arm64: Update config file. Set CONFIG_WATCHDOG_SYSFS to true (bsc#1182560) - ASoC: cpcap: fix microphone timeslot mask (git-fixes). - ASoC: cs42l56: fix up error handling in probe (git-fixes). - ASoC: simple-card-utils: Fix device module clock (git-fixes). - ASoC: SOF: debug: Fix a potential issue on string buffer termination (git-fixes). - ata: ahci_brcm: Add back regulators management (git-fixes). - ata: sata_nv: Fix retrieving of active qcs (git-fixes). - ath10k: Fix error handling in case of CE pipe init failure (git-fixes). - ath9k: fix data bus crash when setting nf_override via debugfs (git-fixes). - bcache: fix overflow in offset_to_stripe() (git-fixes). - blk-mq: call commit_rqs while list empty but error happen (bsc#1182442). - blk-mq: insert request not through ->queue_rq into sw/scheduler queue (bsc#1182443). - blk-mq: move cancel of hctx->run_work to the front of blk_exit_queue (bsc#1182444). - block: fix inflight statistics of part0 (bsc#1182445). - block: respect queue limit of max discard segment (bsc#1182441). - block: virtio_blk: fix handling single range discard request (bsc#1182439). - Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the probe function (git-fixes). - Bluetooth: btusb: Fix memory leak in btusb_mtk_wmt_recv (git-fixes). - Bluetooth: drop HCI device reference before return (git-fixes). - Bluetooth: Fix initializing response id after clearing struct (git-fixes). - Bluetooth: hci_uart: Fix a race for write_work scheduling (git-fixes). 
- Bluetooth: Put HCI device if inquiry procedure interrupts (git-fixes). - bnxt_en: Fix accumulation of bp->net_stats_prev (git-fixes). - bnxt_en: fix error return code in bnxt_init_board() (git-fixes). - bnxt_en: fix error return code in bnxt_init_one() (git-fixes). - bnxt_en: Improve stats context resource accounting with RDMA driver loaded (git-fixes). - bnxt_en: read EEPROM A2h address using page 0 (git-fixes). - bnxt_en: Release PCI regions when DMA mask setup fails during probe (git-fixes). - bonding: Fix reference count leak in bond_sysfs_slave_add (git-fixes). - bonding: set dev->needed_headroom in bond_setup_by_slave() (git-fixes). - bonding: wait for sysfs kobject destruction before freeing struct slave (git-fixes). - bpf, cgroup: Fix optlen WARN_ON_ONCE toctou (bsc#1155518). - bpf, cgroup: Fix problematic bounds check (bsc#1155518). - btrfs: add assertion for empty list of transactions at late stage of umount (bsc#1182626). - btrfs: Cleanup try_flush_qgroup (bsc#1182047). - btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047). - btrfs: Fix race between extent freeing/allocation when using bitmaps (bsc#1181574). - btrfs: fix race between RO remount and the cleaner task (bsc#1182626). - btrfs: fix transaction leak and crash after cleaning up orphans on RO mount (bsc#1182626). - btrfs: fix transaction leak and crash after RO remount caused by qgroup rescan (bsc#1182626). - btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047). - btrfs: lift read-write mount setup from mount and remount (bsc#1182626). - btrfs: Remove btrfs_inode from btrfs_delayed_inode_reserve_metadata (bsc#1182047). - btrfs: run delayed iputs when remounting RO to avoid leaking them (bsc#1182626). - btrfs: Simplify code flow in btrfs_delayed_inode_reserve_metadata (bsc#1182047). - btrfs: Unlock extents in btrfs_zero_range in case of errors (bsc#1182047). - caif: no need to check return value of debugfs_create functions (git-fixes). 
- ceph: fix flush_snap logic after putting caps (bsc#1182854). - cgroup: Fix memory leak when parsing multiple source parameters (bsc#1182683). - cgroup: fix psi monitor for root cgroup (bsc#1182686). - cgroup-v1: add disabled controller check in cgroup1_parse_param() (bsc#1182684). - chelsio/chtls: correct function return and return type (git-fixes). - chelsio/chtls: correct netdevice for vlan interface (git-fixes). - chelsio/chtls: fix a double free in chtls_setkey() (git-fixes). - chelsio/chtls: fix always leaking ctrl_skb (git-fixes). - chelsio/chtls: fix deadlock issue (git-fixes). - chelsio/chtls: fix memory leaks caused by a race (git-fixes). - chelsio/chtls: fix memory leaks in CPL handlers (git-fixes). - chelsio/chtls: fix panic during unload reload chtls (git-fixes). - chelsio/chtls: fix socket lock (git-fixes). - chelsio/chtls: fix tls record info to user (git-fixes). - Cherry-pick ibmvnic patches from SP3 (jsc#SLE-17268). - chtls: Added a check to avoid NULL pointer dereference (git-fixes). - chtls: Fix chtls resources release sequence (git-fixes). - chtls: Fix hardware tid leak (git-fixes). - chtls: Fix panic when route to peer not configured (git-fixes). - chtls: Remove invalid set_tcb call (git-fixes). - chtls: Replace skb_dequeue with skb_peek (git-fixes). - cifs: check all path components in resolved dfs target (bsc#1181710). - cifs: fix nodfs mount option (bsc#1181710). - cifs: introduce helper for finding referral server (bsc#1181710). - cifs: report error instead of invalid when revalidating a dentry fails (bsc#1177440). - cirrus: cs89x0: remove set but not used variable 'lp' (git-fixes). - cirrus: cs89x0: use devm_platform_ioremap_resource() to simplify code (git-fixes). - clk: meson: clk-pll: fix initializing the old rate (fallback) for a PLL (git-fixes). - clk: meson: clk-pll: make "ret" a signed integer (git-fixes). - clk: meson: clk-pll: propagate the error from meson_clk_pll_set_rate() (git-fixes). 
- clk: qcom: gcc-msm8998: Fix Alpha PLL type for all GPLLs (git-fixes).
- clk: sunxi-ng: h6: Fix CEC clock (git-fixes).
- clk: sunxi-ng: h6: Fix clock divider range on some clocks (git-fixes).
- clk: sunxi-ng: mp: fix parent rate change flag check (git-fixes).
- clocksource/drivers/ixp4xx: Select TIMER_OF when needed (git-fixes).
- cpufreq: brcmstb-avs-cpufreq: Fix resource leaks in ->remove() (git-fixes).
- cpufreq: brcmstb-avs-cpufreq: Free resources in error path (git-fixes).
- cpuset: fix race between hotplug work and later CPU offline (bsc#1182676).
- crypto: ecdh_helper - Ensure 'len >= secret.len' in decode_key() (git-fixes).
- crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error) (git-fixes).
- cxgb3: fix error return code in t3_sge_alloc_qset() (git-fixes).
- cxgb4: fix all-mask IP address comparison (git-fixes).
- cxgb4: fix checks for max queues to allocate (git-fixes).
- cxgb4: fix endian conversions for L4 ports in filters (git-fixes).
- cxgb4: fix set but unused variable when DCB is disabled (git-fixes).
- cxgb4: fix SGE queue dump destination buffer context (git-fixes).
- cxgb4: fix the panic caused by non smac rewrite (git-fixes).
- cxgb4: move DCB version extern to header file (git-fixes).
- cxgb4: move handling L2T ARP failures to caller (git-fixes).
- cxgb4: move PTP lock and unlock to caller in Tx path (git-fixes).
- cxgb4: parse TC-U32 key values and masks natively (git-fixes).
- cxgb4: remove cast when saving IPv4 partial checksum (git-fixes).
- cxgb4: set up filter action after rewrites (git-fixes).
- cxgb4: use correct type for all-mask IP address comparison (git-fixes).
- cxgb4: use unaligned conversion for fetching timestamp (git-fixes).
- dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function (git-fixes).
- dmaengine: fsldma: Fix a resource leak in the remove function (git-fixes).
- dmaengine: hsu: disable spurious interrupt (git-fixes).
- dmaengine: owl-dma: Fix a resource leak in the remove function (git-fixes).
- dm crypt: avoid truncating the logical block size (git-fixes).
- dm: fix bio splitting and its bio completion order for regular IO (git-fixes).
- dm thin: fix use-after-free in metadata_pre_commit_callback (bsc#1177529).
- dm thin metadata: Avoid returning cmd->bm wild pointer on error (bsc#1177529).
- dm thin metadata: fix lockdep complaint (bsc#1177529).
- dm thin metadata: Fix use-after-free in dm_bm_set_read_only (bsc#1177529).
- dm: use noio when sending kobject event (bsc#1177529).
- docs: filesystems: vfs: correct flag name (bsc#1182856).
- dpaa2-eth: fix return codes used in ndo_setup_tc (git-fixes).
- Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() (git-fixes).
- drivers: net: davinci_mdio: fix potential NULL dereference in davinci_mdio_probe() (git-fixes).
- drivers: soc: atmel: add null entry at the end of at91_soc_allowed_list[] (git-fixes).
- drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs (git-fixes).
- drm/amd/display: Change function decide_dp_link_settings to avoid infinite looping (git-fixes).
- drm/amd/display: Decrement refcount of dc_sink before reassignment (git-fixes).
- drm/amd/display: Fix 10/12 bpc setup in DCE output bit depth reduction (git-fixes).
- drm/amd/display: Fix dc_sink kref count in emulated_link_detect (git-fixes).
- drm/amd/display: Fix HDMI deep color output for DCE 6-11 (git-fixes).
- drm/amd/display: Free atomic state after drm_atomic_commit (git-fixes).
- drm/amd/display: Revert "Fix EDID parsing after resume from suspend" (git-fixes).
- drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if condition (git-fixes).
- drm/fb-helper: Add missed unlocks in setcmap_legacy() (git-fixes).
- drm/gma500: Fix error return code in psb_driver_load() (git-fixes).
- drm/meson: Unbind all connectors on module removal (bsc#1152472)
- drm/sun4i: dw-hdmi: always set clock rate (bsc#1152472)
- drm/sun4i: dw-hdmi: Fix max. frequency for H6 (bsc#1152472)
- drm/sun4i: Fix H6 HDMI PHY configuration (bsc#1152472)
- drm/sun4i: tcon: set sync polarity for tcon1 channel (bsc#1152472)
- drm/vc4: hvs: Fix buffer overflow with the dlist handling (bsc#1152489)
- Drop HID logitech patch that caused a regression (bsc#1182259)
- exec: Always set cap_ambient in cap_bprm_set_creds (git-fixes).
- exfat: Avoid allocating upcase table using kcalloc() (git-fixes).
- ext4: do not remount read-only with errors=continue on reboot (bsc#1182464).
- ext4: fix a memory leak of ext4_free_data (bsc#1182447).
- ext4: fix bug for rename with RENAME_WHITEOUT (bsc#1182449).
- ext4: fix deadlock with fs freezing and EA inodes (bsc#1182463).
- ext4: fix superblock checksum failure when setting password salt (bsc#1182465).
- ext4: prevent creating duplicate encrypted filenames (bsc#1182446).
- fgraph: Initialize tracing_graph_pause at task creation (git-fixes).
- firmware_loader: align .builtin_fw to 8 (git-fixes).
- fscrypt: add fscrypt_is_nokey_name() (bsc#1182446).
- fscrypt: rename DCACHE_ENCRYPTED_NAME to DCACHE_NOKEY_NAME (bsc#1182446).
- fs: fix lazytime expiration handling in __writeback_single_inode() (bsc#1182466).
- gma500: clean up error handling in init (git-fixes).
- gpio: pcf857x: Fix missing first interrupt (git-fixes).
- HID: core: detect and skip invalid inputs to snto32() (git-fixes).
- HID: make arrays usage and value to be the same (git-fixes).
- HID: wacom: Ignore attempts to overwrite the touch_max value from HID (git-fixes).
- hwrng: timeriomem - Fix cooldown period calculation (git-fixes).
- i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition (git-fixes).
- i2c: iproc: handle only slave interrupts which are enabled (git-fixes).
- i2c: mediatek: Move suspend and resume handling to NOIRQ phase (git-fixes).
- i2c: stm32f7: fix configuration of the digital filter (git-fixes).
- i3c: master: dw: Drop redundant disec call (git-fixes).
- i40e: acquire VSI pointer only after VF is initialized (jsc#SLE-8025).
- i40e: avoid premature Rx buffer reuse (git-fixes).
- i40e: Fix Error I40E_AQ_RC_EINVAL when removing VFs (git-fixes).
- i40e: Fix MAC address setting for a VF via Host/VM (git-fixes).
- i40e: Fix removing driver while bare-metal VFs pass traffic (git-fixes).
- i40e: Revert "i40e: do not report link up for a VF who hasn't enabled queues" (jsc#SLE-8025).
- iavf: fix double-release of rtnl_lock (git-fixes).
- iavf: fix error return code in iavf_init_get_resources() (git-fixes).
- iavf: fix speed reporting over virtchnl (git-fixes).
- iavf: Fix updating statistics (git-fixes).
- ibmvnic: add memory barrier to protect long term buffer (bsc#1182485 ltc#191591).
- ibmvnic: change IBMVNIC_MAX_IND_DESCS to 16 (bsc#1182485 ltc#191591).
- ibmvnic: Clean up TX code and TX buffer data structure (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Clear failover_pending if unable to schedule (bsc#1181960 ltc#190997).
- ibmvnic: compare adapter->init_done_rc with more readable ibmvnic_rc_codes (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Correctly re-enable interrupts in NAPI polling routine (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: create send_control_ip_offload (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: create send_query_ip_offload (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: device remove has higher precedence over reset (bsc#1065729).
- ibmvnic: Do not replenish RX buffers after every polling loop (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Ensure that CRQ entry read are correctly ordered (bsc#1182485 ltc#191591).
- ibmvnic: Ensure that device queue memory is cache-line aligned (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Ensure that SCRQ entry reads are correctly ordered (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: fix a race between open and reset (bsc#1176855 ltc#187293).
- ibmvnic: fix login buffer memory leak (bsc#1081134 ltc#164631).
- ibmvnic: fix NULL pointer dereference in ibmvic_reset_crq (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Fix possibly uninitialized old_num_tx_queues variable warning (jsc#SLE-17268).
- ibmvnic: fix rx buffer tracking and index management in replenish_rx_pool partial success (bsc#1179929 ltc#189960).
- ibmvnic: Fix TX completion error handling (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Fix use-after-free of VNIC login response buffer (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: handle inconsistent login with reset (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Harden device Command Response Queue handshake (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: improve ibmvnic_init and ibmvnic_reset_init (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Introduce batched RX buffer descriptor transmission (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Introduce indirect subordinate Command Response Queue buffer (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Introduce xmit_more support using batched subCRQ hcalls (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: merge ibmvnic_reset_init and ibmvnic_init (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: no reset timeout for 5 seconds after reset (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: reduce wait for completion time (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: remove never executed if statement (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Remove send_subcrq function (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: rename ibmvnic_send_req_caps to send_request_cap (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: rename send_cap_queries to send_query_cap (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: rename send_map_query to send_query_map (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: send_login should check for crq errors (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: serialize access to work queue on remove (bsc#1065729).
- ibmvnic: Set to CLOSED state even on error (bsc#1084610 ltc#165122 git-fixes).
- ibmvnic: skip send_request_unmap for timeout reset (bsc#1182485 ltc#191591).
- ibmvnic: skip tx timeout reset while in resetting (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: stop free_all_rwi on failed reset (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: store RX and TX subCRQ handle array in ibmvnic_adapter struct (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: track pending login (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: update MAINTAINERS (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Use netdev_alloc_skb instead of alloc_skb to replenish RX buffers (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ice: Do not allow more channels than LAN MSI-X available (jsc#SLE-7926).
- ice: Fix MSI-X vector fallback logic (jsc#SLE-7926).
- igc: check return value of ret_val in igc_config_fc_after_link_up (git-fixes).
- igc: fix link speed advertising (git-fixes).
- igc: Fix returning wrong statistics (git-fixes).
- igc: Report speed and duplex as unknown when device is runtime suspended (git-fixes).
- igc: set the default return value to -IGC_ERR_NVM in igc_write_nvm_srwr (git-fixes).
- include/linux/memremap.h: remove stale comments (git-fixes).
- Input: elo - fix an error code in elo_connect() (git-fixes).
- Input: i8042 - unbreak Pegatron C15B (git-fixes).
- Input: joydev - prevent potential read overflow in ioctl (git-fixes).
- Input: sur40 - fix an error code in sur40_probe() (git-fixes).
- Input: xpad - sync supported devices with fork on GitHub (git-fixes).
- iwlwifi: mvm: do not send RFH_QUEUE_CONFIG_CMD with no queues (git-fixes).
- iwlwifi: mvm: guard against device removal in reprobe (git-fixes).
- iwlwifi: mvm: invalidate IDs of internal stations at mvm start (git-fixes).
- iwlwifi: mvm: skip power command when unbinding vif during CSA (git-fixes).
- iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time() (git-fixes).
- iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap (git-fixes).
- iwlwifi: pcie: fix context info memory leak (git-fixes).
- iwlwifi: pcie: reschedule in long-running memory reads (git-fixes).
- iwlwifi: pcie: use jiffies for memory read spin time limit (git-fixes).
- ixgbe: avoid premature Rx buffer reuse (git-fixes).
- ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K (git-fixes).
- kABI: Fix kABI after AMD SEV PCID fixes (bsc#1178995).
- kABI: Fix kABI after modifying struct __call_single_data (bsc#1180846).
- kABI: Fix kABI for extended APIC-ID support (bsc#1181259, jsc#ECO-3191).
- kABI: repair, after "nVMX: Emulate MTF when performing instruction emulation". kvm_x86_ops is part of kABI as it's used by LTTng. But it's only read and never allocated in there, so growing it (without altering existing members' offsets) is fine.
- kernel-binary.spec: Add back initrd and image symlink ghosts to filelist (bsc#1182140). Fixes: 76a9256314c3 ("rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).")
- kernel/smp: add boot parameter for controlling CSD lock debugging (bsc#1180846).
- kernel/smp: add more data to CSD lock debugging (bsc#1180846).
- kernel/smp: prepare more CSD lock debugging (bsc#1180846).
- kernel/smp: Provide CSD lock timeout diagnostics (bsc#1180846).
- KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch (bsc#1181818).
- KVM: arm64: Remove S1PTW check from kvm_vcpu_dabt_iswrite() (bsc#1181818).
- KVM: nVMX: do not clear mtf_pending when nested events are blocked (bsc#1182489).
- KVM: nVMX: Emulate MTF when performing instruction emulation (bsc#1182380).
- KVM: nVMX: Handle pending #DB when injecting INIT VM-exit. Pulling in as a dependency of: "KVM: nVMX: Emulate MTF when performing instruction emulation" (bsc#1182380).
- KVM: SVM: Update cr3_lm_rsvd_bits for AMD SEV guests (bsc#1178995).
- KVM: tracing: Fix unmatched kvm_entry and kvm_exit events (bsc#1182770).
- KVM: VMX: Condition ENCLS-exiting enabling on CPU support for SGX1 (bsc#1182798).
- KVM: x86: Allocate new rmap and large page tracking when moving memslot (bsc#1182800).
- KVM: x86: allow KVM_STATE_NESTED_MTF_PENDING in kvm_state flags (bsc#1182490).
- KVM: x86: clear stale x86_emulate_ctxt->intercept value (bsc#1182381).
- KVM: x86: do not notify userspace IOAPIC on edge-triggered interrupt EOI (bsc#1182374).
- KVM: x86: Gracefully handle __vmalloc() failure during VM allocation (bsc#1182801).
- KVM: x86: Introduce cr3_lm_rsvd_bits in kvm_vcpu_arch (bsc#1178995).
- KVM: x86: remove stale comment from struct x86_emulate_ctxt (bsc#1182406).
- libnvdimm/dimm: Avoid race between probe and available_slots_show() (bsc#1170442).
- lib/vsprintf: no_hash_pointers prints all addresses as unhashed (bsc#1182599).
- linux/clk.h: use correct kernel-doc notation for 2 functions (git-fixes).
- mac80211: 160MHz with extended NSS BW in CSA (git-fixes).
- mac80211: fix fast-rx encryption check (git-fixes).
- mac80211: fix potential overflow when multiplying to u32 integers (git-fixes).
- mac80211: pause TX while changing interface type (git-fixes).
- macros.kernel-source: Use spec_install_pre for certificate installation (boo#1182672). Since rpm 4.16 files installed during build phase are lost.
- MAINTAINERS: remove John Allen from ibmvnic (jsc#SLE-17043 bsc#1179243 ltc#189290).
- matroxfb: avoid -Warray-bounds warning (bsc#1152472)
- media: aspeed: fix error return code in aspeed_video_setup_video() (git-fixes).
- media: camss: missing error code in msm_video_register() (git-fixes).
- media: cx25821: Fix a bug when reallocating some dma memory (git-fixes).
- media: em28xx: Fix use-after-free in em28xx_alloc_urbs (git-fixes).
- media: i2c: ov5670: Fix PIXEL_RATE minimum value (git-fixes).
- media: ipu3-cio2: Fix mbus_code processing in cio2_subdev_set_fmt() (git-fixes).
- media: lmedm04: Fix misuse of comma (git-fixes).
- media: media/pci: Fix memleak in empress_init (git-fixes).
- media: mt9v111: Remove unneeded device-managed puts (git-fixes).
- media: pwc: Use correct device for DMA (bsc#1181133).
- media: pxa_camera: declare variable when DEBUG is defined (git-fixes).
- media: qm1d1c0042: fix error return code in qm1d1c0042_init() (git-fixes).
- media: software_node: Fix refcounts in software_node_get_next_child() (git-fixes).
- media: tm6000: Fix memleak in tm6000_start_stream (git-fixes).
- media: vsp1: Fix an error handling path in the probe function (git-fixes).
- mei: hbm: call mei_set_devstate() on hbm stop response (git-fixes).
- memory: ti-aemif: Drop child node when jumping out loop (git-fixes).
- mfd: bd9571mwv: Use devm_mfd_add_devices() (git-fixes).
- mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() (git-fixes).
- misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users (git-fixes).
- misc: eeprom_93xx46: Fix module alias to enable module autoprobe (git-fixes).
- mlxsw: core: Add validation of transceiver temperature thresholds (git-fixes).
- mlxsw: core: Fix memory leak on module removal (git-fixes).
- mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() (git-fixes).
- mlxsw: core: Free EMAD transactions using kfree_rcu() (git-fixes).
- mlxsw: core: Increase critical threshold for ASIC thermal zone (git-fixes).
- mlxsw: core: Increase scope of RCU read-side critical section (git-fixes).
- mlxsw: core: Use variable timeout for EMAD retries (git-fixes).
- mlxsw: spectrum_acl: Fix mlxsw_sp_acl_tcam_group_add()'s error path (git-fixes).
- mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails (git-fixes).
- mmc: core: Limit retries when analyse of SDIO tuples fails (git-fixes).
- mmc: renesas_sdhi_internal_dmac: Fix DMA buffer alignment from 8 to 128-bytes (git-fixes).
- mmc: sdhci-sprd: Fix some resource leaks in the remove function (git-fixes).
- mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe (git-fixes).
- mm/pmem: avoid inserting hugepage PTE entry with fsdax if hugepage support is disabled (bsc#1181896 ltc#191273).
- mm: proc: Invalidate TLB after clearing soft-dirty page state (bsc#1163776 ltc#183929 git-fixes).
- mm: thp: kABI: move the added flag to the end of enum (bsc#1181896 ltc#191273).
- mt76: dma: fix a possible memory leak in mt76_add_fragment() (git-fixes).
- net: ag71xx: add missed clk_disable_unprepare in error path of probe (git-fixes).
- net: axienet: Fix error return code in axienet_probe() (git-fixes).
- net: bcmgenet: Fix WoL with password after deep sleep (git-fixes).
- net: bcmgenet: keep MAC in reset until PHY is up (git-fixes).
- net: bcmgenet: re-remove bcmgenet_hfb_add_filter (git-fixes).
- net: bcmgenet: set Rx mode before starting netif (git-fixes).
- net: bcmgenet: use hardware padding of runt frames (git-fixes).
- net: broadcom CNIC: requires MMU (git-fixes).
- net: caif: Fix debugfs on 64-bit platforms (git-fixes).
- net/cxgb4: Check the return from t4_query_params properly (git-fixes).
- net: cxgb4: fix return error value in t4_prep_fw (git-fixes).
- net: dsa: bcm_sf2: Fix overflow checks (git-fixes).
- net: dsa: lantiq_gswip: fix and improve the unsupported interface error (git-fixes).
- net: dsa: mt7530: Change the LINK bit to reflect the link status (git-fixes).
- net: dsa: mt7530: set CPU port to fallback mode (git-fixes).
- net: ena: set initial DMA width to avoid intel iommu issue (git-fixes).
- net: ethernet: ave: Fix error returns in ave_init (git-fixes).
- net: ethernet: mlx4: Avoid assigning a value to ring_cons but not used it anymore in mlx4_en_xmit() (git-fixes).
- net: ethernet: ti: ale: fix allmulti for nu type ale (git-fixes).
- net: ethernet: ti: ale: fix seeing unreg mcast packets with promisc and allmulti disabled (git-fixes).
- net: ethernet: ti: ale: modify vlan/mdb api for switchdev (git-fixes).
- net: ethernet: ti: cpsw: allow untagged traffic on host port (git-fixes).
- net: ethernet: ti: fix some return value check of cpsw_ale_create() (git-fixes).
- net: gemini: Fix missing clk_disable_unprepare() in error path of gemini_ethernet_port_probe() (git-fixes).
- net: gro: do not keep too many GRO packets in napi->rx_list (bsc#1154353).
- net: hns3: add a check for queue_id in hclge_reset_vf_queue() (git-fixes).
- net: hns3: add a missing uninit debugfs when unload driver (git-fixes).
- net: hns3: add reset check for VF updating port based VLAN (git-fixes).
- net: hns3: clear port base VLAN when unload PF (git-fixes).
- net: hns3: fix aRFS FD rules leftover after add a user FD rule (git-fixes).
- net: hns3: fix a TX timeout issue (git-fixes).
- net: hns3: fix desc filling bug when skb is expanded or lineared (git-fixes).
- net: hns3: fix for mishandle of asserting VF reset fail (git-fixes).
- net: hns3: fix for VLAN config when reset failed (git-fixes).
- net: hns3: fix RSS config lost after VF reset (git-fixes).
- net: hns3: fix set and get link ksettings issue (git-fixes).
- net: hns3: fix "tc qdisc del" failed issue (git-fixes).
- net: hns3: fix the number of queues actually used by ARQ (git-fixes).
- net: hns3: fix use-after-free when doing self test (git-fixes).
- net: hns3: fix VF VLAN table entries inconsistent issue (git-fixes).
- net: hns: fix return value check in __lb_other_process() (git-fixes).
- net: lpc-enet: fix error return code in lpc_mii_init() (git-fixes).
- net: macb: fix call to pm_runtime in the suspend/resume functions (git-fixes).
- net: macb: fix wakeup test in runtime suspend/resume routines (git-fixes).
- net: macb: mark device wake capable when "magic-packet" property present (git-fixes).
- net/mlx4_core: fix a memory leak bug (git-fixes).
- net/mlx4_core: Fix init_hca fields offset (git-fixes).
- net/mlx4_en: Avoid scheduling restart task if it is already running (bsc#1181854).
- net/mlx4_en: Handle TX error CQE (bsc#1181854).
- net/mlx5: Add handling of port type in rule deletion (git-fixes).
- net/mlx5: Annotate mutex destroy for root ns (git-fixes).
- net/mlx5: Clear LAG notifier pointer after unregister (git-fixes).
- net/mlx5: Disable QoS when min_rates on all VFs are zero (git-fixes).
- net/mlx5: Do not call timecounter cyc2time directly from 1PPS flow (git-fixes).
- net/mlx5: Do not maintain a case of del_sw_func being null (git-fixes).
- net/mlx5e: Correctly handle changing the number of queues when the interface is down (git-fixes).
- net/mlx5e: Do not trigger IRQ multiple times on XSK wakeup to avoid WQ overruns (git-fixes).
- net/mlx5e: en_accel, Add missing net/geneve.h include (git-fixes).
- net/mlx5e: Encapsulate updating netdev queues into a function (git-fixes).
- net/mlx5e: E-switch, Fix rate calculation for overflow (jsc#SLE-8464).
- net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq (git-fixes).
- net/mlx5e: Fix configuration of XPS cpumasks and netdev queues in corner cases (git-fixes).
- net/mlx5e: Fix endianness handling in pedit mask (git-fixes).
- net/mlx5e: Fix error path of device attach (git-fixes).
- net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups (git-fixes).
- net/mlx5e: Fix two double free cases (git-fixes).
- net/mlx5e: Fix VLAN cleanup flow (git-fixes).
- net/mlx5e: Fix VLAN create flow (git-fixes).
- net/mlx5e: Get the latest values from counters in switchdev mode (git-fixes).
- net/mlx5e: IPoIB, Drop multicast packets that this interface sent (git-fixes).
- net/mlx5e: kTLS, Fix wrong value in record tracker enum (git-fixes).
- net/mlx5e: Reduce tc unsupported key print level (git-fixes).
- net/mlx5e: Rename hw_modify to preactivate (git-fixes).
- net/mlx5e: Set of completion request bit should not clear other adjacent bits (git-fixes).
- net/mlx5: E-switch, Destroy TSAR after reload interface (git-fixes).
- net/mlx5: E-Switch, Hold mutex when querying drop counter in legacy mode (git-fixes).
- net/mlx5: E-Switch, Use vport metadata matching by default (git-fixes).
- net/mlx5: E-Switch, Use vport metadata matching only when mandatory (git-fixes).
- net/mlx5e: Use preactivate hook to set the indirection table (git-fixes).
- net/mlx5e: vxlan: Use RCU for vxlan table lookup (git-fixes).
- net/mlx5: Fix a bug of using ptp channel index as pin index (git-fixes).
- net/mlx5: Fix deletion of duplicate rules (git-fixes).
- net/mlx5: Fix failing fw tracer allocation on s390 (git-fixes).
- net/mlx5: Fix memory leak on flow table creation error flow (git-fixes).
- net/mlx5: Fix request_irqs error flow (git-fixes).
- net/mlx5: Fix wrong address reclaim when command interface is down (git-fixes).
- net/mlx5: Query PPS pin operational status before registering it (git-fixes).
- net/mlx5: Verify Hardware supports requested ptp function on a given pin (git-fixes).
- net: moxa: Fix a potential double 'free_irq()' (git-fixes).
- net: mscc: ocelot: ANA_AUTOAGE_AGE_PERIOD holds a value in seconds, not ms (git-fixes).
- net: mscc: ocelot: fix address ageing time (again) (git-fixes).
- net: mscc: ocelot: properly account for VLAN header length when setting MRU (git-fixes).
- net: mvpp2: Add TCAM entry to drop flow control pause frames (git-fixes).
- net: mvpp2: disable force link UP during port init procedure (git-fixes).
- net: mvpp2: Fix error return code in mvpp2_open() (git-fixes).
- net: mvpp2: Fix GoP port 3 Networking Complex Control configurations (git-fixes).
- net: mvpp2: fix memory leak in mvpp2_rx (git-fixes).
- net: mvpp2: fix pkt coalescing int-threshold configuration (git-fixes).
- net: mvpp2: prs: fix PPPoE with ipv6 packet parse (git-fixes).
- net: mvpp2: Remove Pause and Asym_Pause support (git-fixes).
- net: mvpp2: TCAM entry enable should be written after SRAM data (git-fixes).
- net: netsec: Correct dma sync for XDP_TX frames (git-fixes).
- net: nixge: fix potential memory leak in nixge_probe() (git-fixes).
- net: octeon: mgmt: Repair filling of RX ring (git-fixes).
- net: phy: at803x: use operating parameters from PHY-specific status (git-fixes).
- net: phy: extract link partner advertisement reading (git-fixes).
- net: phy: extract pause mode (git-fixes).
- net: phy: marvell10g: fix null pointer dereference (git-fixes).
- net: phy: marvell10g: fix temperature sensor on 2110 (git-fixes).
- net: phy: read MII_CTRL1000 in genphy_read_status only if needed (git-fixes).
- net: qca_spi: fix receive buffer size check (git-fixes).
- net: qca_spi: Move reset_count to struct qcaspi (git-fixes).
- net: qede: fix PTP initialization on recovery (git-fixes).
- net: qede: fix use-after-free on recovery and AER handling (git-fixes).
- net: qede: stop adding events on an already destroyed workqueue (git-fixes).
- net: qed: fix async event callbacks unregistering (git-fixes).
- net: qed: fix excessive QM ILT lines consumption (git-fixes).
- net: qed: fix "maybe uninitialized" warning (git-fixes).
- net: qed: fix NVMe login fails over VFs (git-fixes).
- net: qed: RDMA personality shouldn't fail VF load (git-fixes).
- net: re-solve some conflicts after net -> net-next merge (bsc#1176855 ltc#187293).
- net: rmnet: do not allow to add multiple bridge interfaces (git-fixes).
- net: rmnet: do not allow to change mux id if mux id is duplicated (git-fixes).
- net: rmnet: fix bridge mode bugs (git-fixes).
- net: rmnet: fix lower interface leak (git-fixes).
- net: rmnet: fix NULL pointer dereference in rmnet_changelink() (git-fixes).
- net: rmnet: fix NULL pointer dereference in rmnet_newlink() (git-fixes).
- net: rmnet: fix packet forwarding in rmnet bridge mode (git-fixes).
- net: rmnet: fix suspicious RCU usage (git-fixes).
- net: rmnet: print error message when command fails (git-fixes).
- net: rmnet: remove rcu_read_lock in rmnet_force_unassociate_device() (git-fixes).
- net: rmnet: use upper/lower device infrastructure (git-fixes).
- net, sctp, filter: remap copy_from_user failure error (bsc#1181637).
- net: smc91x: Fix possible memory leak in smc_drv_probe() (git-fixes).
- net/sonic: Add mutual exclusion for accessing shared state (git-fixes).
- net: stmmac: 16KB buffer must be 16 byte aligned (git-fixes).
- net: stmmac: Always arm TX Timer at end of transmission start (git-fixes).
- net: stmmac: Do not accept invalid MTU values (git-fixes).
- net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes (git-fixes).
- net: stmmac: Enable 16KB buffer size (git-fixes).
- net: stmmac: fix disabling flexible PPS output (git-fixes).
- net: stmmac: fix length of PTP clock's name string (git-fixes).
- net: stmmac: Fix the TX IOC in xmit path (git-fixes).
- net: stmmac: RX buffer size must be 16 byte aligned (git-fixes).
- net: stmmac: selftests: Flow Control test can also run with ASYM Pause (git-fixes).
- net: stmmac: selftests: Needs to check the number of Multicast regs (git-fixes).
- net: stmmac: xgmac: Clear previous RX buffer size (git-fixes).
- net: sun: fix missing release regions in cas_init_one() (git-fixes).
- net: team: fix memory leak in __team_options_register (git-fixes).
- net: thunderx: initialize VF's mailbox mutex before first usage (git-fixes).
- net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family (git-fixes).
- net: usb: qmi_wwan: Adding support for Cinterion MV31 (git-fixes).
- nvme-hwmon: rework to avoid devm allocation (bsc#1177326).
- nvme-multipath: Early exit if no path is available (bsc#1180964).
- nvme: re-read ANA log on NS CHANGED AEN (bsc#1179137).
- nvmet-tcp: Fix NULL dereference when a connect data comes in h2cdata pdu (bsc#1182547).
- objtool: Do not fail on missing symbol table (bsc#1169514).
- perf/x86/intel/uncore: Factor out uncore_pci_find_dev_pmu() (bsc#1180989).
- perf/x86/intel/uncore: Factor out uncore_pci_get_dev_die_info() (bsc#1180989).
- perf/x86/intel/uncore: Factor out uncore_pci_pmu_register() (bsc#1180989).
- perf/x86/intel/uncore: Factor out uncore_pci_pmu_unregister() (bsc#1180989).
- perf/x86/intel/uncore: Generic support for the PCI sub driver (bsc#1180989).
- perf/x86/intel/uncore: Store the logical die id instead of the physical die id (bsc#1180989).
- perf/x86/intel/uncore: With > 8 nodes, get pci bus die id from NUMA info (bsc#1180989).
- phy: cpcap-usb: Fix warning for missing regulator_disable (git-fixes).
- phy: rockchip-emmc: emmc_phy_init() always return 0 (git-fixes).
- platform/x86: hp-wmi: Disable tablet-mode reporting by default (git-fixes).
- platform/x86: intel-vbtn: Support for tablet mode on Dell Inspiron 7352 (git-fixes).
- platform/x86: touchscreen_dmi: Add swap-x-y quirk for Goodix touchscreen on Estar Beauty HD tablet (git-fixes).
- powerpc/book3s64/hash: Add cond_resched to avoid soft lockup warning (bsc#1182571 ltc#191345).
- powerpc/boot: Delete unneeded .globl _zimage_start (bsc#1156395).
- powerpc: Fix alignment bug within the init sections (bsc#1065729).
- powerpc/fpu: Drop cvt_fd() and cvt_df() (bsc#1156395).
- powerpc/hvcall: add token and codes for H_VASI_SIGNAL (bsc#1181674 ltc#189159).
- powerpc: kABI: add back suspend_disable_cpu in machdep_calls (bsc#1181674 ltc#189159).
- powerpc/machdep: remove suspend_disable_cpu() (bsc#1181674 ltc#189159).
- powerpc/mm/pkeys: Make pkey access check work on execute_only_key (bsc#1181544 ltc#191080 git-fixes).
- powerpc/numa: Fix build when CONFIG_NUMA=n (bsc#1132477 ltc#175530).
- powerpc/numa: make vphn_enabled, prrn_enabled flags const (bsc#1181674 ltc#189159).
- powerpc/numa: remove ability to enable topology updates (bsc#1181674 ltc#189159).
- powerpc/numa: remove arch_update_cpu_topology (bsc#1181674 ltc#189159).
- powerpc/numa: Remove late request for home node associativity (bsc#1181674 ltc#189159).
- powerpc/numa: remove prrn_is_enabled() (bsc#1181674 ltc#189159).
- powerpc/numa: remove start/stop_topology_update() (bsc#1181674 ltc#189159).
- powerpc/numa: remove timed_topology_update() (bsc#1181674 ltc#189159).
- powerpc/numa: remove unreachable topology timer code (bsc#1181674 ltc#189159).
- powerpc/numa: remove unreachable topology update code (bsc#1181674 ltc#189159).
- powerpc/numa: remove unreachable topology workqueue code (bsc#1181674 ltc#189159).
- powerpc/numa: remove vphn_enabled and prrn_enabled internal flags (bsc#1181674 ltc#189159).
- powerpc/numa: stub out numa_update_cpu_topology() (bsc#1181674 ltc#189159).
- powerpc/perf: Exclude kernel samples while counting events in user space (bsc#1065729).
- powerpc/perf/hv-24x7: Dont create sysfs event files for dummy events (bsc#1182118 ltc#190624).
- powerpc/pkeys: Avoid using lockless page table walk (bsc#1181544 ltc#191080).
- powerpc/pkeys: Check vma before returning key fault error to the user (bsc#1181544 ltc#191080).
- powerpc/powernv/memtrace: Do not leak kernel memory to user space (bsc#1156395).
- powerpc/powernv/memtrace: Fix crashing the kernel when enabling concurrently (bsc#1156395).
- powerpc/powernv/npu: Do not attempt NPU2 setup on POWER8NVL NPU (bsc#1156395).
- powerpc/prom: Fix "ibm,arch-vec-5-platform-support" scan (bsc#1182602 ltc#190924).
- powerpc/pseries/dlpar: handle ibm, configure-connector delay status (bsc#1181985 ltc#188074).
- powerpc/pseries: Do not enforce MSI affinity with kdump (bsc#1181655 ltc#190855).
- powerpc/pseries/eeh: Make pseries_pcibios_bus_add_device() static (bsc#1078720, git-fixes).
- powerpc/pseries: extract host bridge from pci_bus prior to bus removal (bsc#1182171 ltc#190900).
- powerpc/pseries/hibernation: drop pseries_suspend_begin() from suspend ops (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: pass stream id via function arguments (bsc#1181674 ltc#189159).
   - powerpc/pseries/hibernation: perform post-suspend fixups later (bsc#1181674 ltc#189159).
   - powerpc/pseries/hibernation: remove prepare_late() callback (bsc#1181674 ltc#189159).
   - powerpc/pseries/hibernation: remove pseries_suspend_cpu() (bsc#1181674 ltc#189159).
   - powerpc/pseries/hibernation: switch to rtas_ibm_suspend_me() (bsc#1181674 ltc#189159).
   - powerpc/pseries/mobility: add missing break to default case (bsc#1181674 ltc#189159).
   - powerpc/pseries/mobility: Add pr_debug() for device tree changes (bsc#1181674 ltc#189159).
   - powerpc/pseries/mobility: do not error on absence of ibm, update-nodes (bsc#1181674 ltc#189159).
   - powerpc/pseries/mobility: error message improvements (bsc#1181674 ltc#189159).
   - powerpc/pseries/mobility: extract VASI session polling logic (bsc#1181674 ltc#189159).
   - powerpc/pseries/mobility: refactor node lookup during DT update (bsc#1181674 ltc#189159).
   - powerpc/pseries/mobility: retry partition suspend after error (bsc#1181674 ltc#189159).
   - powerpc/pseries/mobility: Set pr_fmt() (bsc#1181674 ltc#189159).
   - powerpc/pseries/mobility: signal suspend cancellation to platform (bsc#1181674 ltc#189159).
   - powerpc/pseries/mobility: use rtas_activate_firmware() on resume (bsc#1181674 ltc#189159).
   - powerpc/pseries/mobility: use stop_machine for join/suspend (bsc#1181674 ltc#189159).
   - powerpc/pseries/ras: Make init_ras_hotplug_IRQ() static (bsc#1065729, git-fixes).
   - powerpc/pseries: remove dlpar_cpu_readd() (bsc#1181674 ltc#189159).
   - powerpc/pseries: remove memory "re-add" implementation (bsc#1181674 ltc#189159).
   - powerpc/pseries: remove obsolete memory hotplug DT notifier code (bsc#1181674 ltc#189159).
   - powerpc/pseries: remove prrn special case from DT update path (bsc#1181674 ltc#189159).
   - powerpc/rtas: add rtas_activate_firmware() (bsc#1181674 ltc#189159).
   - powerpc/rtas: add rtas_ibm_suspend_me() (bsc#1181674 ltc#189159).
   - powerpc/rtas: complete ibm,suspend-me status codes (bsc#1181674 ltc#189159).
   - powerpc/rtas: dispatch partition migration requests to pseries (bsc#1181674 ltc#189159).
   - powerpc/rtasd: simplify handle_rtas_event(), emit message on events (bsc#1181674 ltc#189159).
   - powerpc/rtas: prevent suspend-related sys_rtas use on LE (bsc#1181674 ltc#189159).
   - powerpc/rtas: remove rtas_ibm_suspend_me_unsafe() (bsc#1181674 ltc#189159).
   - powerpc/rtas: remove rtas_suspend_cpu() (bsc#1181674 ltc#189159).
   - powerpc/rtas: remove unused rtas_suspend_last_cpu() (bsc#1181674 ltc#189159).
   - powerpc/rtas: remove unused rtas_suspend_me_data (bsc#1181674 ltc#189159).
   - powerpc/rtas: rtas_ibm_suspend_me -> rtas_ibm_suspend_me_unsafe (bsc#1181674 ltc#189159).
   - power: reset: at91-sama5d2_shdwc: fix wkupdbc mask (git-fixes).
   - pseries/drmem: do not cache node id in drmem_lmb struct (bsc#1132477 ltc#175530).
   - pseries/hotplug-memory: hot-add: skip redundant LMB lookup (bsc#1132477 ltc#175530).
   - qed: fix error return code in qed_iwarp_ll2_start() (git-fixes).
   - qed: Fix race condition between scheduling and destroying the slowpath workqueue (git-fixes).
   - qed: Populate nvm-file attributes while reading nvm config partition (git-fixes).
   - qed: select CONFIG_CRC32 (git-fixes).
   - qlcnic: fix missing release in qlcnic_83xx_interrupt_test (git-fixes).
   - quota: Fix memory leak when handling corrupted quota file (bsc#1182650).
   - quota: Sanity-check quota file headers on load (bsc#1182461).
   - r8169: fix resuming from suspend on RTL8105e if machine runs on battery (git-fixes).
   - r8169: fix WoL on shutdown if CONFIG_DEBUG_SHIRQ is set (git-fixes).
   - rcu/nocb: Perform deferred wake up before last idle's (git-fixes)
   - rcu/nocb: Trigger self-IPI on late deferred wake up before (git-fixes)
   - rcu: Pull deferred rcuog wake up to rcu_eqs_enter() callers (git-fixes)
   - RDMA/efa: Add EFA 0xefa1 PCI ID (bsc#1176248).
   - RDMA/efa: Count admin commands errors (bsc#1176248).
   - RDMA/efa: Count mmap failures (bsc#1176248).
   - RDMA/efa: Do not delay freeing of DMA pages (bsc#1176248).
   - RDMA/efa: Drop double zeroing for sg_init_table() (bsc#1176248).
   - RDMA/efa: Expose maximum TX doorbell batch (bsc#1176248).
   - RDMA/efa: Expose minimum SQ size (bsc#1176248).
   - RDMA/efa: Fix setting of wrong bit in get/set_feature commands (bsc#1176248).
   - RDMA/efa: Properly document the interrupt mask register (bsc#1176248).
   - RDMA/efa: Remove redundant udata check from alloc ucontext response (bsc#1176248).
   - RDMA/efa: Report create CQ error counter (bsc#1176248).
   - RDMA/efa: Report host information to the device (bsc#1176248).
   - RDMA/efa: Unified getters/setters for device structs bitmask access (bsc#1176248).
   - RDMA/efa: Use in-kernel offsetofend() to check field availability (bsc#1176248).
   - RDMA/efa: User/kernel compatibility handshake mechanism (bsc#1176248).
   - RDMA/efa: Use the correct current and new states in modify QP (git-fixes).
   - regulator: axp20x: Fix reference cout leak (git-fixes).
   - regulator: core: Avoid debugfs: Directory ... already present! error (git-fixes).
   - regulator: core: avoid regulator_resolve_supply() race condition (git-fixes).
   - regulator: Fix lockdep warning resolving supplies (git-fixes).
   - regulator: s5m8767: Drop regulators OF node reference (git-fixes).
   - regulator: s5m8767: Fix reference count leak (git-fixes).
   - reiserfs: add check for an invalid ih_entry_count (bsc#1182462).
   - Remove debug patch for boot failure (bsc#1182602 ltc#190924).
   - reset: hisilicon: correct vendor prefix (git-fixes).
   - Revert "ibmvnic: remove never executed if statement" (jsc#SLE-17043 bsc#1179243 ltc#189290).
   - Revert "net: bcmgenet: remove unused function in bcmgenet.c" (git-fixes).
   - Revert "platform/x86: ideapad-laptop: Switch touchpad attribute to be RO" (git-fixes).
   - Revert "RDMA/mlx5: Fix devlink deadlock on net namespace deletion" (jsc#SLE-8464).
   - rpm/kernel-subpackage-build: Workaround broken bot (https://github.com/openSUSE/openSUSE-release-tools/issues/2439)
   - rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058)
   - rtc: s5m: select REGMAP_I2C (git-fixes).
   - rxrpc: Fix memory leak in rxrpc_lookup_local (bsc#1154353 bnc#1151927 5.3.9).
   - s390/vfio-ap: clean up vfio_ap resources when KVM pointer invalidated (git-fixes).
   - s390/vfio-ap: No need to disable IRQ after queue reset (git-fixes).
   - sched: Reenable interrupts in do_sched_yield() (git-fixes)
   - scsi: lpfc: Fix EEH encountering oops with NVMe traffic (bsc#1181958).
   - sh_eth: check sh_eth_cpu_data::cexcr when dumping registers (git-fixes).
   - sh_eth: check sh_eth_cpu_data::no_tx_cntrs when dumping registers (git-fixes).
   - sh_eth: check sh_eth_cpu_data::no_xdfar when dumping registers (git-fixes).
   - smp: Add source and destination CPUs to __call_single_data (bsc#1180846).
   - smsc95xx: avoid memory leak in smsc95xx_bind (git-fixes).
   - smsc95xx: check return value of smsc95xx_reset (git-fixes).
   - soc: aspeed: snoop: Add clock control logic (git-fixes).
   - spi: atmel: Put allocated master before return (git-fixes).
   - spi: pxa2xx: Fix the controller numbering for Wildcat Point (git-fixes).
   - spi: spi-synquacer: fix set_cs handling (git-fixes).
   - spi: stm32: properly handle 0 byte transfer (git-fixes).
   - squashfs: add more sanity checks in id lookup (git-fixes bsc#1182266).
   - squashfs: add more sanity checks in inode lookup (git-fixes bsc#1182267).
   - squashfs: add more sanity checks in xattr id lookup (git-fixes bsc#1182268).
   - staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules (git-fixes).
   - target: disallow emulate_legacy_capacity with RBD object-map (bsc#1177109).
   - team: set dev->needed_headroom in team_setup_by_port() (git-fixes).
   - tpm: Remove tpm_dev_wq_lock (git-fixes).
   - tpm_tis: Clean up locality release (git-fixes).
   - tpm_tis: Fix check_locality for correct locality acquisition (git-fixes).
   - tracing: Check length before giving out the filter buffer (git-fixes).
   - tracing: Do not count ftrace events in top level enable output (git-fixes).
   - tracing/kprobe: Fix to support kretprobe events on unloaded modules (git-fixes).
   - tracing/kprobes: Do the notrace functions check without kprobes on ftrace (git-fixes).
   - tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS (git-fixes).
   - ubifs: Fix error return code in ubifs_init_authentication() (bsc#1182459).
   - ubifs: Fix ubifs_tnc_lookup() usage in do_kill_orphans() (bsc#1182454).
   - ubifs: prevent creating duplicate encrypted filenames (bsc#1182457).
   - ubifs: ubifs_add_orphan: Fix a memory leak bug (bsc#1182456).
   - ubifs: ubifs_jnl_write_inode: Fix a memory leak bug (bsc#1182455).
   - ubifs: wbuf: Do not leak kernel memory to flash (bsc#1182458).
   - Update config files: activate CONFIG_CSD_LOCK_WAIT_DEBUG for x86 (bsc#1180846).
   - Update config files: Set ledtrig-default-on as builtin (bsc#1182128)
   - USB: dwc2: Abort transaction after errors with unknown reason (git-fixes).
   - USB: dwc2: Fix endpoint direction check in ep_from_windex (git-fixes).
   - USB: dwc2: Make "trimming xfer length" a debug message (git-fixes).
   - USB: dwc3: fix clock issue during resume in OTG mode (git-fixes).
   - USB: gadget: legacy: fix an error code in eth_bind() (git-fixes).
   - USB: gadget: u_audio: Free requests only after callback (git-fixes).
   - USB: musb: Fix runtime PM race in musb_queue_resume_work (git-fixes).
   - USB: quirks: add quirk to start video capture on ELMO L-12F document camera reliable (git-fixes).
   - USB: quirks: sort quirk entries (git-fixes).
   - USB: renesas_usbhs: Clear pipe running flag in usbhs_pkt_pop() (git-fixes).
   - USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000 (git-fixes).
   - USB: serial: cp210x: add pid/vid for WSDA-200-USB (git-fixes).
   - USB: serial: mos7720: fix error code in mos7720_write() (git-fixes).
   - USB: serial: mos7720: improve OOM-handling in read_mos_reg() (git-fixes).
   - USB: serial: mos7840: fix error code in mos7840_write() (git-fixes).
   - USB: serial: option: Adding support for Cinterion MV31 (git-fixes).
   - USB: usblp: do not call usb_set_interface if there's a single alt (git-fixes).
   - veth: Adjust hard_start offset on redirect XDP frames (git-fixes).
   - vfs: Convert squashfs to use the new mount API (git-fixes bsc#1182265).
   - virtio_net: Fix error code in probe() (git-fixes).
   - virtio_net: Fix recursive call to cpus_read_lock() (git-fixes).
   - virtio_net: Keep vnet header zeroed if XDP is loaded for small buffer (git-fixes).
   - virt: vbox: Do not use wait_event_interruptible when called from kernel context (git-fixes).
   - vmxnet3: Remove buf_info from device accessible structures (bsc#1181671).
   - vxlan: fix memleak of fdb (git-fixes).
   - wext: fix NULL-ptr-dereference with cfg80211's lack of commit() (git-fixes).
   - writeback: Drop I_DIRTY_TIME_EXPIRE (bsc#1182460).
   - x86/alternatives: Sync bp_patching update for avoiding NULL pointer exception (bsc#1152489).
   - x86/apic: Add extra serialization for non-serializing MSRs (bsc#1152489).
   - x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181259, jsc#ECO-3191).
   - x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181259, jsc#ECO-3191).
   - x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181259, jsc#ECO-3191).
   - x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181259 jsc#ECO-3191).
   - x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181259, jsc#ECO-3191).
   - xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600).
   - xen/netback: fix spurious event detection for common event case (bsc#1182175).
   - xfs: ensure inobt record walks always make forward progress (git-fixes bsc#1182272).
   - xfs: fix an ABBA deadlock in xfs_rename (git-fixes bsc#1182558).
   - xfs: fix parent pointer scrubber bailing out on unallocated inodes (git-fixes bsc#1182276).
   - xfs: fix the forward progress assertion in xfs_iwalk_run_callbacks (git-fixes bsc#1182430).
   - xfs: fix the minrecs logic when dealing with inode root child blocks (git-fixes bsc#1182273).
   - xfs: ratelimit xfs_discard_page messages (bsc#1182283).
   - xfs: reduce quota reservation when doing a dax unwritten extent conversion (git-fixes bsc#1182561).
   - xfs: return corresponding errcode if xfs_initialize_perag() fail (git-fixes bsc#1182275).
   - xfs: scrub should mark a directory corrupt if any entries cannot be iget'd (git-fixes bsc#1182278).
   - xfs: strengthen rmap record flags checking (git-fixes bsc#1182271).
   - xhci: fix bounce buffer usage for non-sg list case (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2021-738=1

Package List:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP2 (x86_64):

      kernel-azure-5.3.18-18.38.1
      kernel-azure-debuginfo-5.3.18-18.38.1
      kernel-azure-debugsource-5.3.18-18.38.1
      kernel-azure-devel-5.3.18-18.38.1
      kernel-azure-devel-debuginfo-5.3.18-18.38.1
      kernel-syms-azure-5.3.18-18.38.1

   - SUSE Linux Enterprise Module for Public Cloud 15-SP2 (noarch):

      kernel-devel-azure-5.3.18-18.38.1
      kernel-source-azure-5.3.18-18.38.1

References:

   https://www.suse.com/security/cve/CVE-2020-12362.html
   https://www.suse.com/security/cve/CVE-2020-12363.html
   https://www.suse.com/security/cve/CVE-2020-12364.html
   https://www.suse.com/security/cve/CVE-2020-12373.html
   https://www.suse.com/security/cve/CVE-2020-29368.html
   https://www.suse.com/security/cve/CVE-2020-29374.html
   https://www.suse.com/security/cve/CVE-2021-26930.html
   https://www.suse.com/security/cve/CVE-2021-26931.html
   https://www.suse.com/security/cve/CVE-2021-26932.html
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1078720
   https://bugzilla.suse.com/1081134
   https://bugzilla.suse.com/1084610
   https://bugzilla.suse.com/1132477
   https://bugzilla.suse.com/1151927
   https://bugzilla.suse.com/1152472
   https://bugzilla.suse.com/1152489
   https://bugzilla.suse.com/1154353
   https://bugzilla.suse.com/1155518
   https://bugzilla.suse.com/1156395
   https://bugzilla.suse.com/1163776
   https://bugzilla.suse.com/1169514
   https://bugzilla.suse.com/1170442
   https://bugzilla.suse.com/1176248
   https://bugzilla.suse.com/1176855
   https://bugzilla.suse.com/1177109
   https://bugzilla.suse.com/1177326
   https://bugzilla.suse.com/1177440
   https://bugzilla.suse.com/1177529
   https://bugzilla.suse.com/1178142
   https://bugzilla.suse.com/1178995
   https://bugzilla.suse.com/1179082
   https://bugzilla.suse.com/1179137
   https://bugzilla.suse.com/1179243
   https://bugzilla.suse.com/1179428
   https://bugzilla.suse.com/1179660
   https://bugzilla.suse.com/1179929
   https://bugzilla.suse.com/1180058
   https://bugzilla.suse.com/1180846
   https://bugzilla.suse.com/1180964
   https://bugzilla.suse.com/1180989
   https://bugzilla.suse.com/1181133
   https://bugzilla.suse.com/1181259
   https://bugzilla.suse.com/1181544
   https://bugzilla.suse.com/1181574
   https://bugzilla.suse.com/1181637
   https://bugzilla.suse.com/1181655
   https://bugzilla.suse.com/1181671
   https://bugzilla.suse.com/1181674
   https://bugzilla.suse.com/1181710
   https://bugzilla.suse.com/1181720
   https://bugzilla.suse.com/1181735
   https://bugzilla.suse.com/1181736
   https://bugzilla.suse.com/1181738
   https://bugzilla.suse.com/1181747
   https://bugzilla.suse.com/1181753
   https://bugzilla.suse.com/1181818
   https://bugzilla.suse.com/1181843
   https://bugzilla.suse.com/1181854
   https://bugzilla.suse.com/1181896
   https://bugzilla.suse.com/1181958
   https://bugzilla.suse.com/1181960
   https://bugzilla.suse.com/1181985
   https://bugzilla.suse.com/1182047
   https://bugzilla.suse.com/1182118
   https://bugzilla.suse.com/1182128
   https://bugzilla.suse.com/1182140
   https://bugzilla.suse.com/1182171
   https://bugzilla.suse.com/1182175
   https://bugzilla.suse.com/1182259
   https://bugzilla.suse.com/1182265
   https://bugzilla.suse.com/1182266
   https://bugzilla.suse.com/1182267
   https://bugzilla.suse.com/1182268
   https://bugzilla.suse.com/1182271
   https://bugzilla.suse.com/1182272
   https://bugzilla.suse.com/1182273
   https://bugzilla.suse.com/1182275
   https://bugzilla.suse.com/1182276
   https://bugzilla.suse.com/1182278
   https://bugzilla.suse.com/1182283
   https://bugzilla.suse.com/1182374
   https://bugzilla.suse.com/1182380
   https://bugzilla.suse.com/1182381
   https://bugzilla.suse.com/1182406
   https://bugzilla.suse.com/1182430
   https://bugzilla.suse.com/1182439
   https://bugzilla.suse.com/1182441
   https://bugzilla.suse.com/1182442
   https://bugzilla.suse.com/1182443
   https://bugzilla.suse.com/1182444
   https://bugzilla.suse.com/1182445
   https://bugzilla.suse.com/1182446
   https://bugzilla.suse.com/1182447
   https://bugzilla.suse.com/1182449
   https://bugzilla.suse.com/1182454
   https://bugzilla.suse.com/1182455
   https://bugzilla.suse.com/1182456
   https://bugzilla.suse.com/1182457
   https://bugzilla.suse.com/1182458
   https://bugzilla.suse.com/1182459
   https://bugzilla.suse.com/1182460
   https://bugzilla.suse.com/1182461
   https://bugzilla.suse.com/1182462
   https://bugzilla.suse.com/1182463
   https://bugzilla.suse.com/1182464
   https://bugzilla.suse.com/1182465
   https://bugzilla.suse.com/1182466
   https://bugzilla.suse.com/1182485
   https://bugzilla.suse.com/1182489
   https://bugzilla.suse.com/1182490
   https://bugzilla.suse.com/1182547
   https://bugzilla.suse.com/1182558
   https://bugzilla.suse.com/1182560
   https://bugzilla.suse.com/1182561
   https://bugzilla.suse.com/1182571
   https://bugzilla.suse.com/1182599
   https://bugzilla.suse.com/1182602
   https://bugzilla.suse.com/1182626
   https://bugzilla.suse.com/1182650
   https://bugzilla.suse.com/1182672
   https://bugzilla.suse.com/1182676
   https://bugzilla.suse.com/1182683
   https://bugzilla.suse.com/1182684
   https://bugzilla.suse.com/1182686
   https://bugzilla.suse.com/1182770
   https://bugzilla.suse.com/1182798
   https://bugzilla.suse.com/1182800
   https://bugzilla.suse.com/1182801
   https://bugzilla.suse.com/1182854
   https://bugzilla.suse.com/1182856

From sle-security-updates at lists.suse.com  Tue Mar  9 20:33:20 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 21:33:20 +0100 (CET)
Subject: SUSE-SU-2021:0744-1: important: Security update for the Linux Kernel
Message-ID: <20210309203320.C30C0FD17@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0744-1
Rating:             important
References:         #1178372 #1181747 #1181753 #1181843 #1182175
Cross-References:   CVE-2020-28374 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932

CVSS scores:
                    CVE-2020-28374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-28374 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-26930 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-26930 (SUSE): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-26931 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-26931 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
                    CVE-2021-26932 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-26932 (SUSE): 5.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise High Availability 12-SP2
______________________________________________________________________________

   An update that solves four vulnerabilities and has one errata is now available.
Description:

   The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes.

   The following security bugs were fixed:

   - CVE-2021-26930: Fixed improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
   - CVE-2021-26931: Fixed an issue where the Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
   - CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).
   - CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178372).

   The following non-security bug was fixed:

   - xen/netback: fix spurious event detection for common event case (bsc#1182175).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2021-744=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-744=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-744=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-744=1

   - SUSE Linux Enterprise High Availability 12-SP2:

      zypper in -t patch SUSE-SLE-HA-12-SP2-2021-744=1

Package List:

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      kernel-default-4.4.121-92.152.2
      kernel-default-base-4.4.121-92.152.2
      kernel-default-base-debuginfo-4.4.121-92.152.2
      kernel-default-debuginfo-4.4.121-92.152.2
      kernel-default-debugsource-4.4.121-92.152.2
      kernel-default-devel-4.4.121-92.152.2
      kernel-syms-4.4.121-92.152.2

   - SUSE OpenStack Cloud 7 (x86_64):

      kgraft-patch-4_4_121-92_152-default-1-3.3.2

   - SUSE OpenStack Cloud 7 (noarch):

      kernel-devel-4.4.121-92.152.2
      kernel-macros-4.4.121-92.152.2
      kernel-source-4.4.121-92.152.2

   - SUSE OpenStack Cloud 7 (s390x):

      kernel-default-man-4.4.121-92.152.2

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      kernel-default-4.4.121-92.152.2
      kernel-default-base-4.4.121-92.152.2
      kernel-default-base-debuginfo-4.4.121-92.152.2
      kernel-default-debuginfo-4.4.121-92.152.2
      kernel-default-debugsource-4.4.121-92.152.2
      kernel-default-devel-4.4.121-92.152.2
      kernel-syms-4.4.121-92.152.2
      kgraft-patch-4_4_121-92_152-default-1-3.3.2

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

      kernel-devel-4.4.121-92.152.2
      kernel-macros-4.4.121-92.152.2
      kernel-source-4.4.121-92.152.2

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      kernel-default-4.4.121-92.152.2
      kernel-default-base-4.4.121-92.152.2
      kernel-default-base-debuginfo-4.4.121-92.152.2
      kernel-default-debuginfo-4.4.121-92.152.2
      kernel-default-debugsource-4.4.121-92.152.2
      kernel-default-devel-4.4.121-92.152.2
      kernel-syms-4.4.121-92.152.2

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64):

      kgraft-patch-4_4_121-92_152-default-1-3.3.2

   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

      kernel-devel-4.4.121-92.152.2
      kernel-macros-4.4.121-92.152.2
      kernel-source-4.4.121-92.152.2

   - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x):

      kernel-default-man-4.4.121-92.152.2

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      kernel-devel-4.4.121-92.152.2
      kernel-macros-4.4.121-92.152.2
      kernel-source-4.4.121-92.152.2

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      kernel-default-4.4.121-92.152.2
      kernel-default-base-4.4.121-92.152.2
      kernel-default-base-debuginfo-4.4.121-92.152.2
      kernel-default-debuginfo-4.4.121-92.152.2
      kernel-default-debugsource-4.4.121-92.152.2
      kernel-default-devel-4.4.121-92.152.2
      kernel-syms-4.4.121-92.152.2

   - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64):

      cluster-md-kmp-default-4.4.121-92.152.2
      cluster-md-kmp-default-debuginfo-4.4.121-92.152.2
      cluster-network-kmp-default-4.4.121-92.152.2
      cluster-network-kmp-default-debuginfo-4.4.121-92.152.2
      dlm-kmp-default-4.4.121-92.152.2
      dlm-kmp-default-debuginfo-4.4.121-92.152.2
      gfs2-kmp-default-4.4.121-92.152.2
      gfs2-kmp-default-debuginfo-4.4.121-92.152.2
      kernel-default-debuginfo-4.4.121-92.152.2
      kernel-default-debugsource-4.4.121-92.152.2
      ocfs2-kmp-default-4.4.121-92.152.2
      ocfs2-kmp-default-debuginfo-4.4.121-92.152.2

References:

   https://www.suse.com/security/cve/CVE-2020-28374.html
   https://www.suse.com/security/cve/CVE-2021-26930.html
   https://www.suse.com/security/cve/CVE-2021-26931.html
   https://www.suse.com/security/cve/CVE-2021-26932.html
   https://bugzilla.suse.com/1178372
   https://bugzilla.suse.com/1181747
   https://bugzilla.suse.com/1181753
   https://bugzilla.suse.com/1181843
   https://bugzilla.suse.com/1182175

From sle-security-updates at lists.suse.com  Tue Mar  9 20:34:45 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 21:34:45 +0100 (CET)
Subject: SUSE-SU-2021:0753-1: moderate: Security update for openssl-1_1
Message-ID: <20210309203445.D1A4EFD17@maintenance.suse.de>

   SUSE Security Update: Security update for openssl-1_1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0753-1
Rating:             moderate
References:         #1182331 #1182333
Cross-References:   CVE-2021-23840 CVE-2021-23841

CVSS scores:
                    CVE-2021-23840 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-23840 (SUSE): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
                    CVE-2021-23841 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-23841 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for openssl-1_1 fixes the following issues:

   - CVE-2021-23840: Fixed an integer overflow in CipherUpdate (bsc#1182333)
   - CVE-2021-23841: Fixed a NULL pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-753=1

   - SUSE Manager Retail Branch Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-753=1

   - SUSE Manager Proxy 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-753=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-753=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-753=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-753=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-753=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-753=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-753=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you
      if it detects new updates and let you then trigger updating of the complete cluster
      in a controlled way.
Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):

      libopenssl-1_1-devel-1.1.0i-14.15.1
      libopenssl1_1-1.1.0i-14.15.1
      libopenssl1_1-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-1.1.0i-14.15.1
      openssl-1_1-1.1.0i-14.15.1
      openssl-1_1-debuginfo-1.1.0i-14.15.1
      openssl-1_1-debugsource-1.1.0i-14.15.1

   - SUSE Manager Server 4.0 (x86_64):

      libopenssl-1_1-devel-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-32bit-1.1.0i-14.15.1

   - SUSE Manager Retail Branch Server 4.0 (x86_64):

      libopenssl-1_1-devel-1.1.0i-14.15.1
      libopenssl-1_1-devel-32bit-1.1.0i-14.15.1
      libopenssl1_1-1.1.0i-14.15.1
      libopenssl1_1-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-1.1.0i-14.15.1
      libopenssl1_1-hmac-32bit-1.1.0i-14.15.1
      openssl-1_1-1.1.0i-14.15.1
      openssl-1_1-debuginfo-1.1.0i-14.15.1
      openssl-1_1-debugsource-1.1.0i-14.15.1

   - SUSE Manager Proxy 4.0 (x86_64):

      libopenssl-1_1-devel-1.1.0i-14.15.1
      libopenssl-1_1-devel-32bit-1.1.0i-14.15.1
      libopenssl1_1-1.1.0i-14.15.1
      libopenssl1_1-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-1.1.0i-14.15.1
      libopenssl1_1-hmac-32bit-1.1.0i-14.15.1
      openssl-1_1-1.1.0i-14.15.1
      openssl-1_1-debuginfo-1.1.0i-14.15.1
      openssl-1_1-debugsource-1.1.0i-14.15.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

      libopenssl-1_1-devel-1.1.0i-14.15.1
      libopenssl1_1-1.1.0i-14.15.1
      libopenssl1_1-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-1.1.0i-14.15.1
      openssl-1_1-1.1.0i-14.15.1
      openssl-1_1-debuginfo-1.1.0i-14.15.1
      openssl-1_1-debugsource-1.1.0i-14.15.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):

      libopenssl-1_1-devel-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-32bit-1.1.0i-14.15.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

      libopenssl-1_1-devel-1.1.0i-14.15.1
      libopenssl1_1-1.1.0i-14.15.1
      libopenssl1_1-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-1.1.0i-14.15.1
      openssl-1_1-1.1.0i-14.15.1
      openssl-1_1-debuginfo-1.1.0i-14.15.1
      openssl-1_1-debugsource-1.1.0i-14.15.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):

      libopenssl-1_1-devel-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-32bit-1.1.0i-14.15.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

      libopenssl-1_1-devel-1.1.0i-14.15.1
      libopenssl-1_1-devel-32bit-1.1.0i-14.15.1
      libopenssl1_1-1.1.0i-14.15.1
      libopenssl1_1-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-1.1.0i-14.15.1
      libopenssl1_1-hmac-32bit-1.1.0i-14.15.1
      openssl-1_1-1.1.0i-14.15.1
      openssl-1_1-debuginfo-1.1.0i-14.15.1
      openssl-1_1-debugsource-1.1.0i-14.15.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):

      libopenssl-1_1-devel-1.1.0i-14.15.1
      libopenssl1_1-1.1.0i-14.15.1
      libopenssl1_1-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-1.1.0i-14.15.1
      openssl-1_1-1.1.0i-14.15.1
      openssl-1_1-debuginfo-1.1.0i-14.15.1
      openssl-1_1-debugsource-1.1.0i-14.15.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):

      libopenssl-1_1-devel-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-32bit-1.1.0i-14.15.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):

      libopenssl-1_1-devel-1.1.0i-14.15.1
      libopenssl1_1-1.1.0i-14.15.1
      libopenssl1_1-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-1.1.0i-14.15.1
      openssl-1_1-1.1.0i-14.15.1
      openssl-1_1-debuginfo-1.1.0i-14.15.1
      openssl-1_1-debugsource-1.1.0i-14.15.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):

      libopenssl-1_1-devel-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-32bit-1.1.0i-14.15.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      libopenssl-1_1-devel-1.1.0i-14.15.1
      libopenssl1_1-1.1.0i-14.15.1
      libopenssl1_1-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-1.1.0i-14.15.1
      openssl-1_1-1.1.0i-14.15.1
      openssl-1_1-debuginfo-1.1.0i-14.15.1
      openssl-1_1-debugsource-1.1.0i-14.15.1

   - SUSE Enterprise Storage 6 (x86_64):

      libopenssl-1_1-devel-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-32bit-1.1.0i-14.15.1

   - SUSE CaaS Platform 4.0 (x86_64):

      libopenssl-1_1-devel-1.1.0i-14.15.1
      libopenssl-1_1-devel-32bit-1.1.0i-14.15.1
      libopenssl1_1-1.1.0i-14.15.1
      libopenssl1_1-32bit-1.1.0i-14.15.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-debuginfo-1.1.0i-14.15.1
      libopenssl1_1-hmac-1.1.0i-14.15.1
      libopenssl1_1-hmac-32bit-1.1.0i-14.15.1
      openssl-1_1-1.1.0i-14.15.1
      openssl-1_1-debuginfo-1.1.0i-14.15.1
      openssl-1_1-debugsource-1.1.0i-14.15.1

References:

   https://www.suse.com/security/cve/CVE-2021-23840.html
   https://www.suse.com/security/cve/CVE-2021-23841.html
   https://bugzilla.suse.com/1182331
   https://bugzilla.suse.com/1182333

From sle-security-updates at lists.suse.com  Tue Mar  9 20:35:51 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 21:35:51 +0100 (CET)
Subject: SUSE-SU-2021:0743-1: important: Security update for the Linux Kernel
Message-ID: <20210309203551.134BFFD17@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0743-1
Rating:             important
References:         #1177440 #1178372 #1181747 #1181753 #1181843 #1182175
Cross-References:   CVE-2020-28374 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932

CVSS scores:
                    CVE-2020-28374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-28374 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-26930 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-26930 (SUSE): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-26931 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-26931 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
                    CVE-2021-26932 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-26932 (SUSE): 5.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise High Availability 12-SP3
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that solves four vulnerabilities and has two fixes is now available.

Description:

   The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes.

   The following security bugs were fixed:

   - CVE-2021-26930: Fixed improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
   - CVE-2021-26931: Fixed an issue where the Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
   - CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).
   - CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178372).

   The following non-security bugs were fixed:

   - cifs: report error instead of invalid when revalidating a dentry fails (bsc#1177440).
   - xen/netback: fix spurious event detection for common event case (bsc#1182175).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:

   zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-743=1

- SUSE OpenStack Cloud 8:

   zypper in -t patch SUSE-OpenStack-Cloud-8-2021-743=1

- SUSE Linux Enterprise Server for SAP 12-SP3:

   zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-743=1

- SUSE Linux Enterprise Server 12-SP3-LTSS:

   zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-743=1

- SUSE Linux Enterprise Server 12-SP3-BCL:

   zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-743=1

- SUSE Linux Enterprise High Availability 12-SP3:

   zypper in -t patch SUSE-SLE-HA-12-SP3-2021-743=1

- HPE Helion Openstack 8:

   zypper in -t patch HPE-Helion-OpenStack-8-2021-743=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (noarch):

   kernel-devel-4.4.180-94.141.2
   kernel-macros-4.4.180-94.141.2
   kernel-source-4.4.180-94.141.2

- SUSE OpenStack Cloud Crowbar 8 (x86_64):

   kernel-default-4.4.180-94.141.2
   kernel-default-base-4.4.180-94.141.2
   kernel-default-base-debuginfo-4.4.180-94.141.2
   kernel-default-debuginfo-4.4.180-94.141.2
   kernel-default-debugsource-4.4.180-94.141.2
   kernel-default-devel-4.4.180-94.141.2
   kernel-default-kgraft-4.4.180-94.141.2
   kernel-syms-4.4.180-94.141.2
   kgraft-patch-4_4_180-94_141-default-1-4.3.2
   kgraft-patch-4_4_180-94_141-default-debuginfo-1-4.3.2

- SUSE OpenStack Cloud 8 (noarch):

   kernel-devel-4.4.180-94.141.2
   kernel-macros-4.4.180-94.141.2
   kernel-source-4.4.180-94.141.2

- SUSE OpenStack Cloud 8 (x86_64):

   kernel-default-4.4.180-94.141.2
   kernel-default-base-4.4.180-94.141.2
   kernel-default-base-debuginfo-4.4.180-94.141.2
   kernel-default-debuginfo-4.4.180-94.141.2
   kernel-default-debugsource-4.4.180-94.141.2
   kernel-default-devel-4.4.180-94.141.2
   kernel-default-kgraft-4.4.180-94.141.2
   kernel-syms-4.4.180-94.141.2
   kgraft-patch-4_4_180-94_141-default-1-4.3.2
   kgraft-patch-4_4_180-94_141-default-debuginfo-1-4.3.2

- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

   kernel-default-4.4.180-94.141.2
   kernel-default-base-4.4.180-94.141.2
   kernel-default-base-debuginfo-4.4.180-94.141.2
   kernel-default-debuginfo-4.4.180-94.141.2
   kernel-default-debugsource-4.4.180-94.141.2
   kernel-default-devel-4.4.180-94.141.2
   kernel-default-kgraft-4.4.180-94.141.2
   kernel-syms-4.4.180-94.141.2
   kgraft-patch-4_4_180-94_141-default-1-4.3.2
   kgraft-patch-4_4_180-94_141-default-debuginfo-1-4.3.2

- SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

   kernel-devel-4.4.180-94.141.2
   kernel-macros-4.4.180-94.141.2
   kernel-source-4.4.180-94.141.2

- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

   kernel-default-4.4.180-94.141.2
   kernel-default-base-4.4.180-94.141.2
   kernel-default-base-debuginfo-4.4.180-94.141.2
   kernel-default-debuginfo-4.4.180-94.141.2
   kernel-default-debugsource-4.4.180-94.141.2
   kernel-default-devel-4.4.180-94.141.2
   kernel-syms-4.4.180-94.141.2

- SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64):

   kernel-default-kgraft-4.4.180-94.141.2
   kgraft-patch-4_4_180-94_141-default-1-4.3.2
   kgraft-patch-4_4_180-94_141-default-debuginfo-1-4.3.2

- SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

   kernel-devel-4.4.180-94.141.2
   kernel-macros-4.4.180-94.141.2
   kernel-source-4.4.180-94.141.2

- SUSE Linux Enterprise Server 12-SP3-LTSS (s390x):

   kernel-default-man-4.4.180-94.141.2

- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

   kernel-default-4.4.180-94.141.2
   kernel-default-base-4.4.180-94.141.2
   kernel-default-base-debuginfo-4.4.180-94.141.2
   kernel-default-debuginfo-4.4.180-94.141.2
   kernel-default-debugsource-4.4.180-94.141.2
   kernel-default-devel-4.4.180-94.141.2
   kernel-syms-4.4.180-94.141.2

- SUSE Linux Enterprise Server 12-SP3-BCL (noarch):

   kernel-devel-4.4.180-94.141.2
   kernel-macros-4.4.180-94.141.2
   kernel-source-4.4.180-94.141.2

- SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64):

   cluster-md-kmp-default-4.4.180-94.141.2
   cluster-md-kmp-default-debuginfo-4.4.180-94.141.2
   dlm-kmp-default-4.4.180-94.141.2
   dlm-kmp-default-debuginfo-4.4.180-94.141.2
   gfs2-kmp-default-4.4.180-94.141.2
   gfs2-kmp-default-debuginfo-4.4.180-94.141.2
   kernel-default-debuginfo-4.4.180-94.141.2
   kernel-default-debugsource-4.4.180-94.141.2
   ocfs2-kmp-default-4.4.180-94.141.2
   ocfs2-kmp-default-debuginfo-4.4.180-94.141.2

- HPE Helion Openstack 8 (noarch):

   kernel-devel-4.4.180-94.141.2
   kernel-macros-4.4.180-94.141.2
   kernel-source-4.4.180-94.141.2

- HPE Helion Openstack 8 (x86_64):

   kernel-default-4.4.180-94.141.2
   kernel-default-base-4.4.180-94.141.2
   kernel-default-base-debuginfo-4.4.180-94.141.2
   kernel-default-debuginfo-4.4.180-94.141.2
   kernel-default-debugsource-4.4.180-94.141.2
   kernel-default-devel-4.4.180-94.141.2
   kernel-default-kgraft-4.4.180-94.141.2
   kernel-syms-4.4.180-94.141.2
   kgraft-patch-4_4_180-94_141-default-1-4.3.2
   kgraft-patch-4_4_180-94_141-default-debuginfo-1-4.3.2

References:

https://www.suse.com/security/cve/CVE-2020-28374.html
https://www.suse.com/security/cve/CVE-2021-26930.html
https://www.suse.com/security/cve/CVE-2021-26931.html
https://www.suse.com/security/cve/CVE-2021-26932.html
https://bugzilla.suse.com/1177440
https://bugzilla.suse.com/1178372
https://bugzilla.suse.com/1181747
https://bugzilla.suse.com/1181753
https://bugzilla.suse.com/1181843
https://bugzilla.suse.com/1182175

From sle-security-updates at lists.suse.com Tue Mar 9 20:39:44 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 21:39:44 +0100 (CET)
Subject: SUSE-SU-2021:0739-1: important: Security update for the Linux Kernel
Message-ID: <20210309203944.5BE6BFD17@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:0739-1
Rating: important
References: #1065600 #1065729 #1078720 #1081134 #1084610 #1114648 #1163617 #1163930 #1169514 #1170442 #1176855 #1177440 #1178049 #1179082 #1179142 #1179612 #1179709 #1180058 #1181346
#1181504 #1181574 #1181671 #1181809 #1181854 #1181896 #1181931 #1181960 #1181985 #1181987 #1181996 #1181998 #1182038 #1182047 #1182118 #1182130 #1182140 #1182171 #1182173 #1182175 #1182182 #1182184 #1182195 #1182242 #1182243 #1182248 #1182269 #1182302 #1182307 #1182310 #1182438 #1182447 #1182448 #1182449 #1182460 #1182461 #1182462 #1182463 #1182464 #1182465 #1182466 #1182560 #1182561 #1182571 #1182590 #1182610 #1182612 #1182650 #1182652
Cross-References: CVE-2021-3348
CVSS scores:
CVE-2021-3348 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-3348 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves one vulnerability and has 67 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 kernel Azure was updated to receive various security and bugfixes.

The following security bug was fixed:

- CVE-2021-3348: Fixed a use-after-free read in nbd_queue_rq (bsc#1181504).

The following non-security bugs were fixed:

- ACPI: configfs: add missing check after configfs_register_default_group() (git-fixes).
- ACPI: property: Fix fwnode string properties matching (git-fixes).
- ACPI: property: Satisfy kernel doc validator (part 1) (git-fixes).
- ALSA: usb-audio: Fix PCM buffer allocation in non-vmalloc mode (git-fixes).
- arm64: Update config file. Set CONFIG_WATCHDOG_SYSFS to true (bsc#1182560)
- ASoC: cs42l56: fix up error handling in probe (git-fixes).
- ath9k: fix data bus crash when setting nf_override via debugfs (git-fixes).
- block: fix use-after-free in disk_part_iter_next (bsc#1182610).
- Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the probe function (git-fixes).
- Bluetooth: drop HCI device reference before return (git-fixes).
- Bluetooth: Fix initializing response id after clearing struct (git-fixes).
- Bluetooth: Put HCI device if inquiry procedure interrupts (git-fixes).
- bonding: Fix reference count leak in bond_sysfs_slave_add (git-fixes).
- bonding: wait for sysfs kobject destruction before freeing struct slave (git-fixes).
- btrfs: Cleanup try_flush_qgroup (bsc#1182047).
- btrfs: correctly calculate item size used when item key collision happens (bsc#1181996).
- btrfs: correctly validate compression type (bsc#1182269).
- btrfs: delete the ordered isize update code (bsc#1181998).
- btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: do not set path->leave_spinning for truncate (bsc#1181998).
- btrfs: factor out extent dropping code from hole punch handler (bsc#1182038).
- btrfs: fix cloning range with a hole when using the NO_HOLES feature (bsc#1182038).
- btrfs: fix data bytes_may_use underflow with fallocate due to failed quota reserve (bsc#1182130)
- btrfs: fix ENOSPC errors, leading to transaction aborts, when cloning extents (bsc#1182038).
- btrfs: fix hole extent items with a zero size after range cloning (bsc#1182038).
- btrfs: fix lost i_size update after cloning inline extent (bsc#1181998).
- btrfs: fix mount failure caused by race with umount (bsc#1182248).
- btrfs: Fix race between extent freeing/allocation when using bitmaps (bsc#1181574).
- btrfs: fix unexpected cow in run_delalloc_nocow (bsc#1181987).
- btrfs: fix unexpected failure of nocow buffered writes after snapshotting when low on space (bsc#1181987).
- btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: incremental send, fix file corruption when no-holes feature is enabled (bsc#1182184).
- btrfs: Introduce extent_io_tree::owner to distinguish different io_trees (bsc#1181998).
- btrfs: introduce per-inode file extent tree (bsc#1181998).
- btrfs: prepare for extensions in compression options (bsc#1182269).
- btrfs: prop: fix vanished compression property after failed set (bsc#1182269).
- btrfs: prop: fix zstd compression parameter validation (bsc#1182269).
- btrfs: Remove btrfs_inode from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: replace all uses of btrfs_ordered_update_i_size (bsc#1181998).
- btrfs: send, allow clone operations within the same file (bsc#1182173)
- btrfs: send, do not issue unnecessary truncate operations (bsc#1182173)
- btrfs: send, fix emission of invalid clone operations within the same file (bsc#1182173)
- btrfs: send, fix incorrect file layout after hole punching beyond eof (bsc#1182173).
- btrfs: send: fix invalid clone operations when cloning from the same file and root (bsc#1182173)
- btrfs: send, fix missing truncate for inode with prealloc extent past eof (bsc#1182173).
- btrfs: send, orphanize first all conflicting inodes when processing references (bsc#1182243 bsc#1182242).
- btrfs: send, recompute reference path after orphanization of a directory (bsc#1182243).
- btrfs: Simplify code flow in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: transaction: Avoid deadlock due to bad initialization timing of fs_info::journal_info (bsc#1181931).
- btrfs: Unlock extents in btrfs_zero_range in case of errors (bsc#1182047).
- btrfs: Use bd_dev to generate index when dev_state_hashtable add items (bsc#1181931).
- btrfs: use btrfs_ordered_update_i_size in clone_finish_inode_update (bsc#1181998).
- btrfs: use the file extent tree infrastructure (bsc#1181998).
- cifs: report error instead of invalid when revalidating a dentry fails (bsc#1177440).
- dm: avoid filesystem lookup in dm_get_dev_t() (bsc#1178049).
- ext4: do not remount read-only with errors=continue on reboot (bsc#1182464).
- ext4: fix a memory leak of ext4_free_data (bsc#1182447).
- ext4: fix bug for rename with RENAME_WHITEOUT (bsc#1182449).
- ext4: fix deadlock with fs freezing and EA inodes (bsc#1182463).
- ext4: fix superblock checksum failure when setting password salt (bsc#1182465).
- fgraph: Initialize tracing_graph_pause at task creation (git-fixes).
- firmware: imx: select SOC_BUS to fix firmware build (git-fixes).
- Fix unsynchronized access to sev members through svm_register_enc_region (bsc#1114648).
- fs: fix lazytime expiration handling in __writeback_single_inode() (bsc#1182466).
- fs: move I_DIRTY_INODE to fs.h (bsc#1182612).
- HID: core: detect and skip invalid inputs to snto32() (git-fixes).
- HID: wacom: Ignore attempts to overwrite the touch_max value from HID (git-fixes).
- hwrng: timeriomem - Fix cooldown period calculation (git-fixes).
- ibmvnic: Clear failover_pending if unable to schedule (bsc#1181960 ltc#190997).
- ibmvnic: device remove has higher precedence over reset (bsc#1065729).
- ibmvnic: fix a race between open and reset (bsc#1176855 ltc#187293).
- ibmvnic: fix login buffer memory leak (bsc#1081134 ltc#164631).
- ibmvnic: serialize access to work queue on remove (bsc#1065729).
- ibmvnic: Set to CLOSED state even on error (bsc#1084610 ltc#165122 git-fixes).
- Input: elo - fix an error code in elo_connect() (git-fixes).
- Input: joydev - prevent potential read overflow in ioctl (git-fixes).
- iwlwifi: exclude GEO SAR support for 3168 (git-fixes).
- kABI: Fix kABI for 12856e7acde4 PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY (bsc#1179612).
- kernel-binary.spec: Add back initrd and image symlink ghosts to filelist (bsc#1182140). Fixes: 76a9256314c3 ("rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).")
- kernfs: deal with kernfs_fill_super() failures (bsc#1181809).
- KVM: apic: Flush TLB after APIC mode/address change if VPIDs are in use (bsc#1182302).
- KVM: Fix kABI for set_virtual_apic_mode (bsc#1182310).
- KVM: Fix kABI for tlb_flush (bsc#1182195).
- KVM-vmx-Basic-APIC-virtualization-controls-have-thre.patch: (bsc#1182310).
- KVM: VMX: check for existence of secondary exec controls before accessing (bsc#1182438).
- KVM: VMX: hide flexpriority from guest when disabled at the module level (bsc#1182448).
- KVM-vmx-Introduce-lapic_mode-enumeration.patch: (bsc#1182307).
- KVM: x86: emulate RDPID (bsc#1182182).
- KVM: x86: emulating RDPID failure shall return #UD rather than
- KVM: X86: introduce invalidate_gpa argument to tlb flush (bsc#1182195).
- libfs: fix error cast of negative value in simple_attr_write() (bsc#1179709).
- libnvdimm/dimm: Avoid race between probe and available_slots_show() (bsc#1170442).
- mac80211: fix potential overflow when multiplying to u32 integers (git-fixes).
- media: cx25821: Fix a bug when reallocating some dma memory (git-fixes).
- media: media/pci: Fix memleak in empress_init (git-fixes).
- media: pwc: Use correct device for DMA (git-fixes).
- media: pxa_camera: declare variable when DEBUG is defined (git-fixes).
- media: qm1d1c0042: fix error return code in qm1d1c0042_init() (git-fixes).
- media: tm6000: Fix memleak in tm6000_start_stream (git-fixes).
- media: vsp1: Fix an error handling path in the probe function (git-fixes).
- mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() (git-fixes).
- misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users (git-fixes).
- misc: eeprom_93xx46: Fix module alias to enable module autoprobe (git-fixes).
- mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe (git-fixes).
- mm/pmem: avoid inserting hugepage PTE entry with fsdax if hugepage support is disabled (bsc#1181896 ltc#191273).
- mm: thp: kABI: move the added flag to the end of enum (bsc#1181896 ltc#191273).
- nbd: Fix memory leak in nbd_add_socket (bsc#1181504).
- net: bcmgenet: add support for ethtool rxnfc flows (git-fixes).
- net: bcmgenet: code movement (git-fixes).
- net: bcmgenet: fix mask check in bcmgenet_validate_flow() (git-fixes).
- net: bcmgenet: Fix WoL with password after deep sleep (git-fixes).
- net: bcmgenet: re-remove bcmgenet_hfb_add_filter (git-fixes).
- net: bcmgenet: set Rx mode before starting netif (git-fixes).
- net: bcmgenet: use __be16 for htons(ETH_P_IP) (git-fixes).
- net: bcmgenet: Use correct I/O accessors (git-fixes).
- net: lpc-enet: fix error return code in lpc_mii_init() (git-fixes).
- net/mlx4_en: Handle TX error CQE (bsc#1181854).
- net: moxa: Fix a potential double 'free_irq()' (git-fixes).
- net: sun: fix missing release regions in cas_init_one() (git-fixes).
- nvme-multipath: Early exit if no path is available (git-fixes).
- objtool: Do not fail on missing symbol table (bsc#1169514).
- PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY (bsc#1179612).
- powerpc/book3s64/hash: Add cond_resched to avoid soft lockup warning (bsc#1182571 ltc#191345).
- powerpc: Fix alignment bug within the init sections (bsc#1065729).
- powerpc/perf: Exclude kernel samples while counting events in user space (bsc#1065729).
- powerpc/perf/hv-24x7: Dont create sysfs event files for dummy events (bsc#1182118 ltc#190624).
- powerpc/pseries/dlpar: handle ibm, configure-connector delay status (bsc#1181985 ltc#188074).
- powerpc/pseries/eeh: Make pseries_pcibios_bus_add_device() static (bsc#1078720, git-fixes).
- powerpc/pseries: extract host bridge from pci_bus prior to bus removal (bsc#1182171 ltc#190900).
- powerpc/pseries/ras: Make init_ras_hotplug_IRQ() static (bsc#1065729. git-fixes).
- power: reset: at91-sama5d2_shdwc: fix wkupdbc mask (git-fixes).
- ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() (bsc#1163930).
- ptrace: Set PF_SUPERPRIV when checking capability (bsc#1163930).
- quota: Fix error codes in v2_read_file_info() (bsc#1182652).
- quota: Fix memory leak when handling corrupted quota file (bsc#1182650).
- quota: Sanity-check quota file headers on load (bsc#1182461).
- regulator: axp20x: Fix reference cout leak (git-fixes).
- reiserfs: add check for an invalid ih_entry_count (bsc#1182462).
- rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058)
- s390/pci: adaptation of iommu to multifunction (bsc#1179612).
- s390/pci: Mark all VFs as not implementing PCI_COMMAND_MEMORY (bsc#1179612).
- scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit (bsc#1179142).
- scsi: target: Fix truncated PR-in ReadKeys response (bsc#1182590).
- scsi: target: fix unmap_zeroes_data boolean initialisation (bsc#1163617).
- staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules (git-fixes).
- tools lib traceevent: Fix "robust" test of do_generate_dynamic_list_file (git-fixes).
- tpm_tis: Clean up locality release (git-fixes).
- tpm_tis: Fix check_locality for correct locality acquisition (git-fixes).
- tracing: Check length before giving out the filter buffer (git-fixes).
- tracing: Do not count ftrace events in top level enable output (git-fixes).
- USB: cdc-acm: blacklist another IR Droid device (git-fixes).
- USB: dwc2: Abort transaction after errors with unknown reason (git-fixes).
- USB: dwc2: Make "trimming xfer length" a debug message (git-fixes).
- USB: musb: Fix runtime PM race in musb_queue_resume_work (git-fixes).
- USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000 (git-fixes).
- USB: serial: cp210x: add pid/vid for WSDA-200-USB (git-fixes).
- USB: serial: mos7720: fix error code in mos7720_write() (git-fixes).
- USB: serial: mos7720: improve OOM-handling in read_mos_reg() (git-fixes).
- USB: serial: mos7840: fix error code in mos7840_write() (git-fixes).
- USB: serial: option: Adding support for Cinterion MV31 (git-fixes).
- USB: serial: option: add LongSung M5710 module support (git-fixes).
- USB: uas: Add PNY USB Portable SSD to unusual_uas (git-fixes).
- USB: usblp: fix DMA to stack (git-fixes).
- vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn (bsc#1179612).
- vmxnet3: Remove buf_info from device accessible structures (bsc#1181671).
- writeback: Drop I_DIRTY_TIME_EXPIRE (bsc#1182460).
- x86/apic: Add extra serialization for non-serializing MSRs (bsc#1114648).
- x86/efistub: Disable paging at mixed mode entry (bsc#1114648).
- x86/entry/64/compat: Fix "x86/entry/64/compat: Preserve r8-r11 in int $0x80" (bsc#1114648).
- x86/entry/64/compat: Preserve r8-r11 in int $0x80 (bsc#1114648).
- x86/resctrl: Fix incorrect local bandwidth when mba_sc is enabled (bsc#1114648).
- x86/resctrl: Remove unused struct mbm_state::chunks_bw (bsc#1114648).
- xen-blkfront: allow discard-* nodes to be optional (bsc#1181346).
- xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600).
- xen/netback: fix spurious event detection for common event case (bsc#1182175).
- xfs: reduce quota reservation when doing a dax unwritten extent conversion (git-fixes bsc#1182561).
- xhci: fix bounce buffer usage for non-sg list case (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:

   zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-739=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (noarch):

   kernel-devel-azure-4.12.14-16.47.1
   kernel-source-azure-4.12.14-16.47.1

- SUSE Linux Enterprise Server 12-SP5 (x86_64):

   kernel-azure-4.12.14-16.47.1
   kernel-azure-base-4.12.14-16.47.1
   kernel-azure-base-debuginfo-4.12.14-16.47.1
   kernel-azure-debuginfo-4.12.14-16.47.1
   kernel-azure-debugsource-4.12.14-16.47.1
   kernel-azure-devel-4.12.14-16.47.1
   kernel-syms-azure-4.12.14-16.47.1

References:

https://www.suse.com/security/cve/CVE-2021-3348.html
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1078720
https://bugzilla.suse.com/1081134
https://bugzilla.suse.com/1084610
https://bugzilla.suse.com/1114648
https://bugzilla.suse.com/1163617
https://bugzilla.suse.com/1163930
https://bugzilla.suse.com/1169514
https://bugzilla.suse.com/1170442
https://bugzilla.suse.com/1176855
https://bugzilla.suse.com/1177440
https://bugzilla.suse.com/1178049
https://bugzilla.suse.com/1179082
https://bugzilla.suse.com/1179142
https://bugzilla.suse.com/1179612
https://bugzilla.suse.com/1179709
https://bugzilla.suse.com/1180058
https://bugzilla.suse.com/1181346
https://bugzilla.suse.com/1181504
https://bugzilla.suse.com/1181574
https://bugzilla.suse.com/1181671
https://bugzilla.suse.com/1181809
https://bugzilla.suse.com/1181854
https://bugzilla.suse.com/1181896
https://bugzilla.suse.com/1181931
https://bugzilla.suse.com/1181960
https://bugzilla.suse.com/1181985
https://bugzilla.suse.com/1181987
https://bugzilla.suse.com/1181996
https://bugzilla.suse.com/1181998
https://bugzilla.suse.com/1182038
https://bugzilla.suse.com/1182047
https://bugzilla.suse.com/1182118
https://bugzilla.suse.com/1182130
https://bugzilla.suse.com/1182140
https://bugzilla.suse.com/1182171
https://bugzilla.suse.com/1182173
https://bugzilla.suse.com/1182175
https://bugzilla.suse.com/1182182
https://bugzilla.suse.com/1182184
https://bugzilla.suse.com/1182195
https://bugzilla.suse.com/1182242
https://bugzilla.suse.com/1182243
https://bugzilla.suse.com/1182248
https://bugzilla.suse.com/1182269
https://bugzilla.suse.com/1182302
https://bugzilla.suse.com/1182307
https://bugzilla.suse.com/1182310
https://bugzilla.suse.com/1182438
https://bugzilla.suse.com/1182447
https://bugzilla.suse.com/1182448
https://bugzilla.suse.com/1182449
https://bugzilla.suse.com/1182460
https://bugzilla.suse.com/1182461
https://bugzilla.suse.com/1182462
https://bugzilla.suse.com/1182463
https://bugzilla.suse.com/1182464
https://bugzilla.suse.com/1182465
https://bugzilla.suse.com/1182466
https://bugzilla.suse.com/1182560
https://bugzilla.suse.com/1182561
https://bugzilla.suse.com/1182571
https://bugzilla.suse.com/1182590
https://bugzilla.suse.com/1182610
https://bugzilla.suse.com/1182612
https://bugzilla.suse.com/1182650
https://bugzilla.suse.com/1182652

From sle-security-updates at lists.suse.com Tue Mar 9 20:48:01 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 21:48:01 +0100 (CET)
Subject: SUSE-SU-2021:0735-1: important: Security update for the Linux Kernel
Message-ID: <20210309204801.DA992FD17@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:0735-1
Rating: important
References: #1065600 #1065729 #1078720 #1081134 #1084610 #1132477 #1151927 #1152472 #1152489 #1154353 #1155518 #1156395 #1163776 #1169514 #1170442 #1176248 #1176855 #1177109 #1177326 #1177440 #1177529 #1178142 #1179082 #1179137 #1179243 #1179428 #1179660 #1179929 #1180058 #1180846 #1180989 #1181133 #1181259 #1181574 #1181637 #1181655 #1181671 #1181674 #1181710 #1181720 #1181735 #1181736 #1181738 #1181747 #1181753 #1181818 #1181843 #1181854 #1181896 #1181958 #1181960 #1181985
#1182047 #1182118 #1182128 #1182140 #1182171 #1182175 #1182259 #1182265 #1182266 #1182267 #1182268 #1182271 #1182272 #1182273 #1182275 #1182276 #1182278 #1182283 #1182374 #1182380 #1182381 #1182406 #1182430 #1182439 #1182441 #1182442 #1182443 #1182444 #1182445 #1182446 #1182447 #1182449 #1182454 #1182455 #1182456 #1182457 #1182458 #1182459 #1182460 #1182461 #1182462 #1182463 #1182464 #1182465 #1182466 #1182485 #1182489 #1182490 #1182547 #1182558 #1182560 #1182561 #1182571 #1182599 #1182602 #1182626 #1182650 #1182672 #1182676 #1182683 #1182684 #1182686 #1182770 #1182798 #1182800 #1182801 #1182854 #1182856 #1183022
Cross-References: CVE-2020-12362 CVE-2020-12363 CVE-2020-12364 CVE-2020-12373 CVE-2020-29368 CVE-2020-29374 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932
CVSS scores:
CVE-2020-12362 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-12362 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2020-12363 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2020-12363 (SUSE): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
CVE-2020-12364 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2020-12364 (SUSE): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
CVE-2020-12373 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-12373 (SUSE): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-29374 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-29374 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2021-26930 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-26930 (SUSE): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-26931 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-26931 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVE-2021-26932 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-26932 (SUSE): 5.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Affected Products:
SUSE Linux Enterprise Module for Realtime 15-SP2
______________________________________________________________________________

An update that solves 9 vulnerabilities and has 112 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP2 kernel RT was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747). by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).
- CVE-2020-12362: Fixed an integer overflow in the firmware which may have allowed a privileged user to potentially enable an escalation of privilege via local access (bsc#1181720).
- CVE-2020-12363: Fixed an improper input validation which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181735).
- CVE-2020-12364: Fixed a null pointer reference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181736).
- CVE-2020-12373: Fixed an expired pointer dereference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181738).
- CVE-2020-29368, CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

The following non-security bugs were fixed:

- ACPICA: Fix exception code class checks (git-fixes).
- ACPI: configfs: add missing check after configfs_register_default_group() (git-fixes).
- ACPI: property: Fix fwnode string properties matching (git-fixes).
- ACPI: property: Satisfy kernel doc validator (part 1) (git-fixes).
- ACPI: property: Satisfy kernel doc validator (part 2) (git-fixes).
- ALSA: hda: Add another CometLake-H PCI ID (git-fixes).
- ALSA: hda/hdmi: Drop bogus check at closing a stream (git-fixes).
- ALSA: hda/realtek: modify EAPD in the ALC886 (git-fixes).
- ALSA: pcm: Assure sync with the pending stop operation at suspend (git-fixes).
- ALSA: pcm: Call sync_stop at disconnection (git-fixes).
- ALSA: pcm: Do not call sync_stop if it hasn't been stopped (git-fixes).
- ALSA: usb-audio: Add implicit fb quirk for BOSS GP-10 (git-fixes).
- ALSA: usb-audio: Correct document for snd_usb_endpoint_free_all() (git-fixes).
- ALSA: usb-audio: Do not avoid stopping the stream at disconnection (git-fixes).
- ALSA: usb-audio: Fix PCM buffer allocation in non-vmalloc mode (git-fixes).
- ALSA: usb-audio: Handle invalid running state at releasing EP (git-fixes).
- ALSA: usb-audio: More strict state change in EP (git-fixes).
- amba: Fix resource leak for drivers without .remove (git-fixes).
- arm64: Update config file. Set CONFIG_WATCHDOG_SYSFS to true (bsc#1182560)
- ASoC: cpcap: fix microphone timeslot mask (git-fixes).
- ASoC: cs42l56: fix up error handling in probe (git-fixes).
- ASoC: simple-card-utils: Fix device module clock (git-fixes).
- ASoC: SOF: debug: Fix a potential issue on string buffer termination (git-fixes).
- ata: ahci_brcm: Add back regulators management (git-fixes).
- ata: sata_nv: Fix retrieving of active qcs (git-fixes).
- ath10k: Fix error handling in case of CE pipe init failure (git-fixes).
- ath9k: fix data bus crash when setting nf_override via debugfs (git-fixes).
- bcache: fix overflow in offset_to_stripe() (git-fixes).
- blk-mq: call commit_rqs while list empty but error happen (bsc#1182442).
- blk-mq: insert request not through ->queue_rq into sw/scheduler queue (bsc#1182443).
- blk-mq: move cancel of hctx->run_work to the front of blk_exit_queue (bsc#1182444).
- block: fix inflight statistics of part0 (bsc#1182445).
- block: respect queue limit of max discard segment (bsc#1182441).
- block: virtio_blk: fix handling single range discard request (bsc#1182439).
- Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the probe function (git-fixes).
- Bluetooth: btusb: Fix memory leak in btusb_mtk_wmt_recv (git-fixes).
- Bluetooth: drop HCI device reference before return (git-fixes).
- Bluetooth: Fix initializing response id after clearing struct (git-fixes).
- Bluetooth: hci_uart: Fix a race for write_work scheduling (git-fixes).
- Bluetooth: Put HCI device if inquiry procedure interrupts (git-fixes).
- bnxt_en: Fix accumulation of bp->net_stats_prev (git-fixes).
- bnxt_en: fix error return code in bnxt_init_board() (git-fixes).
- bnxt_en: fix error return code in bnxt_init_one() (git-fixes).
- bnxt_en: Improve stats context resource accounting with RDMA driver loaded (git-fixes).
- bnxt_en: read EEPROM A2h address using page 0 (git-fixes).
- bnxt_en: Release PCI regions when DMA mask setup fails during probe (git-fixes).
- bonding: Fix reference count leak in bond_sysfs_slave_add (git-fixes).
- bonding: set dev->needed_headroom in bond_setup_by_slave() (git-fixes).
- bonding: wait for sysfs kobject destruction before freeing struct slave (git-fixes).
- bpf, cgroup: Fix optlen WARN_ON_ONCE toctou (bsc#1155518).
- bpf, cgroup: Fix problematic bounds check (bsc#1155518).
- btrfs: add assertion for empty list of transactions at late stage of umount (bsc#1182626).
- btrfs: Cleanup try_flush_qgroup (bsc#1182047).
- btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: Fix race between extent freeing/allocation when using bitmaps (bsc#1181574).
- btrfs: fix race between RO remount and the cleaner task (bsc#1182626).
- btrfs: fix transaction leak and crash after cleaning up orphans on RO mount (bsc#1182626).
- btrfs: fix transaction leak and crash after RO remount caused by qgroup rescan (bsc#1182626).
- btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: lift read-write mount setup from mount and remount (bsc#1182626).
- btrfs: Remove btrfs_inode from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: run delayed iputs when remounting RO to avoid leaking them (bsc#1182626).
- btrfs: Simplify code flow in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: Unlock extents in btrfs_zero_range in case of errors (bsc#1182047).
- caif: no need to check return value of debugfs_create functions (git-fixes).
- ceph: fix flush_snap logic after putting caps (bsc#1182854).
- cgroup: Fix memory leak when parsing multiple source parameters (bsc#1182683).
- cgroup: fix psi monitor for root cgroup (bsc#1182686).
- cgroup-v1: add disabled controller check in cgroup1_parse_param() (bsc#1182684).
- chelsio/chtls: correct function return and return type (git-fixes).
- chelsio/chtls: correct netdevice for vlan interface (git-fixes).
- chelsio/chtls: fix a double free in chtls_setkey() (git-fixes).
- chelsio/chtls: fix always leaking ctrl_skb (git-fixes).
- chelsio/chtls: fix deadlock issue (git-fixes).
- chelsio/chtls: fix memory leaks caused by a race (git-fixes).
- chelsio/chtls: fix memory leaks in CPL handlers (git-fixes).
- chelsio/chtls: fix panic during unload reload chtls (git-fixes).
- chelsio/chtls: fix socket lock (git-fixes).
- chelsio/chtls: fix tls record info to user (git-fixes).
- Cherry-pick ibmvnic patches from SP3 (jsc#SLE-17268).
- chtls: Added a check to avoid NULL pointer dereference (git-fixes).
- chtls: Fix chtls resources release sequence (git-fixes).
- chtls: Fix hardware tid leak (git-fixes).
- chtls: Fix panic when route to peer not configured (git-fixes).
- chtls: Remove invalid set_tcb call (git-fixes).
- chtls: Replace skb_dequeue with skb_peek (git-fixes).
- cifs: check all path components in resolved dfs target (bsc#1181710).
- cifs: fix nodfs mount option (bsc#1181710).
- cifs: introduce helper for finding referral server (bsc#1181710).
- cifs: report error instead of invalid when revalidating a dentry fails (bsc#1177440).
- cirrus: cs89x0: remove set but not used variable 'lp' (git-fixes).
- cirrus: cs89x0: use devm_platform_ioremap_resource() to simplify code (git-fixes).
- clk: meson: clk-pll: fix initializing the old rate (fallback) for a PLL (git-fixes).
- clk: meson: clk-pll: make "ret" a signed integer (git-fixes).
- clk: meson: clk-pll: propagate the error from meson_clk_pll_set_rate() (git-fixes).
- clk: qcom: gcc-msm8998: Fix Alpha PLL type for all GPLLs (git-fixes).
- clk: sunxi-ng: h6: Fix CEC clock (git-fixes).
- clk: sunxi-ng: h6: Fix clock divider range on some clocks (git-fixes).
- clk: sunxi-ng: mp: fix parent rate change flag check (git-fixes).
- clocksource/drivers/ixp4xx: Select TIMER_OF when needed (git-fixes).
- cpufreq: brcmstb-avs-cpufreq: Fix resource leaks in ->remove() (git-fixes).
- cpufreq: brcmstb-avs-cpufreq: Free resources in error path (git-fixes).
- cpuset: fix race between hotplug work and later CPU offline (bsc#1182676).
- crypto: ecdh_helper - Ensure 'len >= secret.len' in decode_key() (git-fixes).
- crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error) (git-fixes).
- cxgb3: fix error return code in t3_sge_alloc_qset() (git-fixes).
- cxgb4: fix all-mask IP address comparison (git-fixes).
- cxgb4: fix checks for max queues to allocate (git-fixes).
- cxgb4: fix endian conversions for L4 ports in filters (git-fixes).
- cxgb4: fix set but unused variable when DCB is disabled (git-fixes).
- cxgb4: fix SGE queue dump destination buffer context (git-fixes).
- cxgb4: fix the panic caused by non smac rewrite (git-fixes).
- cxgb4: move DCB version extern to header file (git-fixes).
- cxgb4: move handling L2T ARP failures to caller (git-fixes).
- cxgb4: move PTP lock and unlock to caller in Tx path (git-fixes).
- cxgb4: parse TC-U32 key values and masks natively (git-fixes).
- cxgb4: remove cast when saving IPv4 partial checksum (git-fixes).
- cxgb4: set up filter action after rewrites (git-fixes).
- cxgb4: use correct type for all-mask IP address comparison (git-fixes).
- cxgb4: use unaligned conversion for fetching timestamp (git-fixes).
- dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function (git-fixes).
- dmaengine: fsldma: Fix a resource leak in the remove function (git-fixes).
- dmaengine: hsu: disable spurious interrupt (git-fixes).
- dmaengine: owl-dma: Fix a resource leak in the remove function (git-fixes).
- dm crypt: avoid truncating the logical block size (git-fixes).
- dm: fix bio splitting and its bio completion order for regular IO (git-fixes).
- dm thin: fix use-after-free in metadata_pre_commit_callback (bsc#1177529).
- dm thin metadata: Avoid returning cmd->bm wild pointer on error (bsc#1177529).
- dm thin metadata: fix lockdep complaint (bsc#1177529).
- dm thin metadata: Fix use-after-free in dm_bm_set_read_only (bsc#1177529).
- dm: use noio when sending kobject event (bsc#1177529).
- docs: filesystems: vfs: correct flag name (bsc#1182856).
- dpaa2-eth: fix return codes used in ndo_setup_tc (git-fixes).
- drivers: net: davinci_mdio: fix potential NULL dereference in davinci_mdio_probe() (git-fixes).
- drm/amd/display: Change function decide_dp_link_settings to avoid infinite looping (git-fixes).
- drm/amd/display: Decrement refcount of dc_sink before reassignment (git-fixes).
- drm/amd/display: Fix 10/12 bpc setup in DCE output bit depth reduction (git-fixes).
- drm/amd/display: Fix dc_sink kref count in emulated_link_detect (git-fixes).
- drm/amd/display: Fix HDMI deep color output for DCE 6-11 (git-fixes).
- drm/amd/display: Free atomic state after drm_atomic_commit (git-fixes).
- drm/amd/display: Revert "Fix EDID parsing after resume from suspend" (git-fixes).
- drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if condition (git-fixes).
- drm/fb-helper: Add missed unlocks in setcmap_legacy() (git-fixes).
- drm/gma500: Fix error return code in psb_driver_load() (git-fixes).
- drm/meson: Unbind all connectors on module removal (bsc#1152472)
- drm/sun4i: dw-hdmi: always set clock rate (bsc#1152472)
- drm/sun4i: dw-hdmi: Fix max. frequency for H6 (bsc#1152472)
- drm/sun4i: Fix H6 HDMI PHY configuration (bsc#1152472)
- drm/sun4i: tcon: set sync polarity for tcon1 channel (bsc#1152472)
- drm/vc4: hvs: Fix buffer overflow with the dlist handling (bsc#1152489)
- Drop HID logitech patch that caused a regression (bsc#1182259)
- ext4: do not remount read-only with errors=continue on reboot (bsc#1182464).
- ext4: fix a memory leak of ext4_free_data (bsc#1182447).
- ext4: fix bug for rename with RENAME_WHITEOUT (bsc#1182449).
- ext4: fix deadlock with fs freezing and EA inodes (bsc#1182463).
- ext4: fix superblock checksum failure when setting password salt (bsc#1182465).
- ext4: prevent creating duplicate encrypted filenames (bsc#1182446).
- fgraph: Initialize tracing_graph_pause at task creation (git-fixes).
- firmware_loader: align .builtin_fw to 8 (git-fixes).
- fscrypt: add fscrypt_is_nokey_name() (bsc#1182446).
- fscrypt: rename DCACHE_ENCRYPTED_NAME to DCACHE_NOKEY_NAME (bsc#1182446).
- fs: fix lazytime expiration handling in __writeback_single_inode() (bsc#1182466).
- gma500: clean up error handling in init (git-fixes).
- gpio: pcf857x: Fix missing first interrupt (git-fixes).
- HID: core: detect and skip invalid inputs to snto32() (git-fixes).
- HID: make arrays usage and value to be the same (git-fixes).
- HID: wacom: Ignore attempts to overwrite the touch_max value from HID (git-fixes).
- hwrng: timeriomem - Fix cooldown period calculation (git-fixes).
- i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition (git-fixes).
- i2c: iproc: handle only slave interrupts which are enabled (git-fixes).
- i2c: mediatek: Move suspend and resume handling to NOIRQ phase (git-fixes).
- i2c: stm32f7: fix configuration of the digital filter (git-fixes).
- i3c: master: dw: Drop redundant disec call (git-fixes).
- i40e: acquire VSI pointer only after VF is initialized (jsc#SLE-8025).
- i40e: avoid premature Rx buffer reuse (git-fixes).
- i40e: Fix Error I40E_AQ_RC_EINVAL when removing VFs (git-fixes).
- i40e: Fix MAC address setting for a VF via Host/VM (git-fixes).
- i40e: Fix removing driver while bare-metal VFs pass traffic (git-fixes).
- i40e: Revert "i40e: do not report link up for a VF who hasn't enabled queues" (jsc#SLE-8025).
- iavf: fix double-release of rtnl_lock (git-fixes).
- iavf: fix error return code in iavf_init_get_resources() (git-fixes).
- iavf: fix speed reporting over virtchnl (git-fixes).
- iavf: Fix updating statistics (git-fixes).
- ibmvnic: add memory barrier to protect long term buffer (bsc#1182485 ltc#191591).
- ibmvnic: change IBMVNIC_MAX_IND_DESCS to 16 (bsc#1182485 ltc#191591).
- ibmvnic: Clean up TX code and TX buffer data structure (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Clear failover_pending if unable to schedule (bsc#1181960 ltc#190997).
- ibmvnic: compare adapter->init_done_rc with more readable ibmvnic_rc_codes (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Correctly re-enable interrupts in NAPI polling routine (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: create send_control_ip_offload (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: create send_query_ip_offload (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: device remove has higher precedence over reset (bsc#1065729).
- ibmvnic: Do not replenish RX buffers after every polling loop (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Ensure that CRQ entry read are correctly ordered (bsc#1182485 ltc#191591).
- ibmvnic: Ensure that device queue memory is cache-line aligned (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Ensure that SCRQ entry reads are correctly ordered (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: fix a race between open and reset (bsc#1176855 ltc#187293).
- ibmvnic: fix login buffer memory leak (bsc#1081134 ltc#164631).
- ibmvnic: fix NULL pointer dereference in ibmvic_reset_crq (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: fix rx buffer tracking and index management in replenish_rx_pool partial success (bsc#1179929 ltc#189960).
- ibmvnic: Fix TX completion error handling (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Fix use-after-free of VNIC login response buffer (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: handle inconsistent login with reset (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Harden device Command Response Queue handshake (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: improve ibmvnic_init and ibmvnic_reset_init (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Introduce batched RX buffer descriptor transmission (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Introduce indirect subordinate Command Response Queue buffer (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Introduce xmit_more support using batched subCRQ hcalls (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: merge ibmvnic_reset_init and ibmvnic_init (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: no reset timeout for 5 seconds after reset (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: reduce wait for completion time (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: remove never executed if statement (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Remove send_subcrq function (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: rename ibmvnic_send_req_caps to send_request_cap (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: rename send_cap_queries to send_query_cap (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: rename send_map_query to send_query_map (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: send_login should check for crq errors (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: serialize access to work queue on remove (bsc#1065729).
- ibmvnic: Set to CLOSED state even on error (bsc#1084610 ltc#165122 git-fixes).
- ibmvnic: skip send_request_unmap for timeout reset (bsc#1182485 ltc#191591).
- ibmvnic: skip tx timeout reset while in resetting (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: stop free_all_rwi on failed reset (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: store RX and TX subCRQ handle array in ibmvnic_adapter struct (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: track pending login (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: update MAINTAINERS (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Use netdev_alloc_skb instead of alloc_skb to replenish RX buffers (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ice: Do not allow more channels than LAN MSI-X available (jsc#SLE-7926).
- ice: Fix MSI-X vector fallback logic (jsc#SLE-7926).
- igc: check return value of ret_val in igc_config_fc_after_link_up (git-fixes).
- igc: fix link speed advertising (git-fixes).
- igc: Fix returning wrong statistics (git-fixes).
- igc: Report speed and duplex as unknown when device is runtime suspended (git-fixes).
- igc: set the default return value to -IGC_ERR_NVM in igc_write_nvm_srwr (git-fixes).
- include/linux/memremap.h: remove stale comments (git-fixes).
- Input: elo - fix an error code in elo_connect() (git-fixes).
- Input: i8042 - unbreak Pegatron C15B (git-fixes).
- Input: joydev - prevent potential read overflow in ioctl (git-fixes).
- Input: sur40 - fix an error code in sur40_probe() (git-fixes).
- Input: xpad - sync supported devices with fork on GitHub (git-fixes).
- iwlwifi: mvm: do not send RFH_QUEUE_CONFIG_CMD with no queues (git-fixes).
- iwlwifi: mvm: guard against device removal in reprobe (git-fixes).
- iwlwifi: mvm: invalidate IDs of internal stations at mvm start (git-fixes).
- iwlwifi: mvm: skip power command when unbinding vif during CSA (git-fixes).
- iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time() (git-fixes).
- iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap (git-fixes).
- iwlwifi: pcie: fix context info memory leak (git-fixes).
- ixgbe: avoid premature Rx buffer reuse (git-fixes).
- ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K (git-fixes).
- kABI: Fix kABI after modifying struct __call_single_data (bsc#1180846).
- kABI: Fix kABI for extended APIC-ID support (bsc#1181259, jsc#ECO-3191).
- kernel-binary.spec: Add back initrd and image symlink ghosts to filelist (bsc#1182140).
  Fixes: 76a9256314c3 ("rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).")
- kernel/smp: add boot parameter for controlling CSD lock debugging (bsc#1180846).
- kernel/smp: add more data to CSD lock debugging (bsc#1180846).
- kernel/smp: prepare more CSD lock debugging (bsc#1180846).
- kernel/smp: Provide CSD lock timeout diagnostics (bsc#1180846).
- KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch (bsc#1181818).
- KVM: arm64: Remove S1PTW check from kvm_vcpu_dabt_iswrite() (bsc#1181818).
- KVM: nVMX: do not clear mtf_pending when nested events are blocked (bsc#1182489).
- KVM: nVMX: Emulate MTF when performing instruction emulation (bsc#1182380).
- KVM: nVMX: Handle pending #DB when injecting INIT VM-exit. Pulling in as a dependency of: "KVM: nVMX: Emulate MTF when performing instruction emulation" (bsc#1182380).
- KVM: tracing: Fix unmatched kvm_entry and kvm_exit events (bsc#1182770).
- KVM: VMX: Condition ENCLS-exiting enabling on CPU support for SGX1 (bsc#1182798).
- KVM: x86: Allocate new rmap and large page tracking when moving memslot (bsc#1182800).
- KVM: x86: allow KVM_STATE_NESTED_MTF_PENDING in kvm_state flags (bsc#1182490).
- KVM: x86: clear stale x86_emulate_ctxt->intercept value (bsc#1182381).
- KVM: x86: do not notify userspace IOAPIC on edge-triggered interrupt EOI (bsc#1182374).
- KVM: x86: Gracefully handle __vmalloc() failure during VM allocation (bsc#1182801).
- KVM: x86: remove stale comment from struct x86_emulate_ctxt (bsc#1182406).
- libnvdimm/dimm: Avoid race between probe and available_slots_show() (bsc#1170442).
- lib/vsprintf: no_hash_pointers prints all addresses as unhashed (bsc#1182599).
- linux/clk.h: use correct kernel-doc notation for 2 functions (git-fixes).
- mac80211: 160MHz with extended NSS BW in CSA (git-fixes).
- mac80211: fix fast-rx encryption check (git-fixes).
- mac80211: fix potential overflow when multiplying to u32 integers (git-fixes).
- macros.kernel-source: Use spec_install_pre for certificate installation (boo#1182672). Since rpm 4.16 files installed during build phase are lost.
- MAINTAINERS: remove John Allen from ibmvnic (jsc#SLE-17043 bsc#1179243 ltc#189290).
- matroxfb: avoid -Warray-bounds warning (bsc#1152472)
- media: aspeed: fix error return code in aspeed_video_setup_video() (git-fixes).
- media: camss: missing error code in msm_video_register() (git-fixes).
- media: cx25821: Fix a bug when reallocating some dma memory (git-fixes).
- media: em28xx: Fix use-after-free in em28xx_alloc_urbs (git-fixes).
- media: i2c: ov5670: Fix PIXEL_RATE minimum value (git-fixes).
- media: ipu3-cio2: Fix mbus_code processing in cio2_subdev_set_fmt() (git-fixes).
- media: lmedm04: Fix misuse of comma (git-fixes).
- media: media/pci: Fix memleak in empress_init (git-fixes).
- media: mt9v111: Remove unneeded device-managed puts (git-fixes).
- media: pwc: Use correct device for DMA (bsc#1181133).
- media: pxa_camera: declare variable when DEBUG is defined (git-fixes).
- media: qm1d1c0042: fix error return code in qm1d1c0042_init() (git-fixes).
- media: software_node: Fix refcounts in software_node_get_next_child() (git-fixes).
- media: tm6000: Fix memleak in tm6000_start_stream (git-fixes).
- media: vsp1: Fix an error handling path in the probe function (git-fixes).
- mei: hbm: call mei_set_devstate() on hbm stop response (git-fixes).
- memory: ti-aemif: Drop child node when jumping out loop (git-fixes).
- mfd: bd9571mwv: Use devm_mfd_add_devices() (git-fixes).
- mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() (git-fixes).
- misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users (git-fixes).
- misc: eeprom_93xx46: Fix module alias to enable module autoprobe (git-fixes).
- mlxsw: core: Add validation of transceiver temperature thresholds (git-fixes).
- mlxsw: core: Fix memory leak on module removal (git-fixes).
- mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() (git-fixes).
- mlxsw: core: Free EMAD transactions using kfree_rcu() (git-fixes).
- mlxsw: core: Increase critical threshold for ASIC thermal zone (git-fixes).
- mlxsw: core: Increase scope of RCU read-side critical section (git-fixes).
- mlxsw: core: Use variable timeout for EMAD retries (git-fixes).
- mlxsw: spectrum_acl: Fix mlxsw_sp_acl_tcam_group_add()'s error path (git-fixes).
- mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails (git-fixes).
- mmc: core: Limit retries when analyse of SDIO tuples fails (git-fixes).
- mmc: renesas_sdhi_internal_dmac: Fix DMA buffer alignment from 8 to 128-bytes (git-fixes).
- mmc: sdhci-sprd: Fix some resource leaks in the remove function (git-fixes).
- mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe (git-fixes).
- mm/pmem: avoid inserting hugepage PTE entry with fsdax if hugepage support is disabled (bsc#1181896 ltc#191273).
- mm: proc: Invalidate TLB after clearing soft-dirty page state (bsc#1163776 ltc#183929 git-fixes).
- mm: thp: kABI: move the added flag to the end of enum (bsc#1181896 ltc#191273).
- net: ag71xx: add missed clk_disable_unprepare in error path of probe (git-fixes).
- net: axienet: Fix error return code in axienet_probe() (git-fixes).
- net: bcmgenet: Fix WoL with password after deep sleep (git-fixes).
- net: bcmgenet: keep MAC in reset until PHY is up (git-fixes).
- net: bcmgenet: re-remove bcmgenet_hfb_add_filter (git-fixes).
- net: bcmgenet: set Rx mode before starting netif (git-fixes).
- net: bcmgenet: use hardware padding of runt frames (git-fixes).
- net: broadcom CNIC: requires MMU (git-fixes).
- net: caif: Fix debugfs on 64-bit platforms (git-fixes).
- net/cxgb4: Check the return from t4_query_params properly (git-fixes).
- net: cxgb4: fix return error value in t4_prep_fw (git-fixes).
- net: dsa: bcm_sf2: Fix overflow checks (git-fixes).
- net: dsa: lantiq_gswip: fix and improve the unsupported interface error (git-fixes).
- net: dsa: mt7530: Change the LINK bit to reflect the link status (git-fixes).
- net: dsa: mt7530: set CPU port to fallback mode (git-fixes).
- net: ena: set initial DMA width to avoid intel iommu issue (git-fixes).
- net: ethernet: ave: Fix error returns in ave_init (git-fixes).
- net: ethernet: mlx4: Avoid assigning a value to ring_cons but not used it anymore in mlx4_en_xmit() (git-fixes).
- net: ethernet: ti: ale: fix allmulti for nu type ale (git-fixes).
- net: ethernet: ti: ale: fix seeing unreg mcast packets with promisc and allmulti disabled (git-fixes).
- net: ethernet: ti: ale: modify vlan/mdb api for switchdev (git-fixes).
- net: ethernet: ti: cpsw: allow untagged traffic on host port (git-fixes).
- net: ethernet: ti: fix some return value check of cpsw_ale_create() (git-fixes).
- net: gemini: Fix missing clk_disable_unprepare() in error path of gemini_ethernet_port_probe() (git-fixes).
- net: gro: do not keep too many GRO packets in napi->rx_list (bsc#1154353).
- net: hns3: add a check for queue_id in hclge_reset_vf_queue() (git-fixes).
- net: hns3: add a missing uninit debugfs when unload driver (git-fixes).
- net: hns3: add reset check for VF updating port based VLAN (git-fixes).
- net: hns3: clear port base VLAN when unload PF (git-fixes).
- net: hns3: fix aRFS FD rules leftover after add a user FD rule (git-fixes).
- net: hns3: fix a TX timeout issue (git-fixes).
- net: hns3: fix desc filling bug when skb is expanded or lineared (git-fixes).
- net: hns3: fix for mishandle of asserting VF reset fail (git-fixes).
- net: hns3: fix for VLAN config when reset failed (git-fixes).
- net: hns3: fix RSS config lost after VF reset (git-fixes).
- net: hns3: fix set and get link ksettings issue (git-fixes).
- net: hns3: fix "tc qdisc del" failed issue (git-fixes).
- net: hns3: fix the number of queues actually used by ARQ (git-fixes).
- net: hns3: fix use-after-free when doing self test (git-fixes).
- net: hns3: fix VF VLAN table entries inconsistent issue (git-fixes).
- net: hns: fix return value check in __lb_other_process() (git-fixes).
- net: lpc-enet: fix error return code in lpc_mii_init() (git-fixes).
- net: macb: fix call to pm_runtime in the suspend/resume functions (git-fixes).
- net: macb: fix wakeup test in runtime suspend/resume routines (git-fixes).
- net: macb: mark device wake capable when "magic-packet" property present (git-fixes).
- net/mlx4_core: fix a memory leak bug (git-fixes).
- net/mlx4_core: Fix init_hca fields offset (git-fixes).
- net/mlx4_en: Avoid scheduling restart task if it is already running (bsc#1181854).
- net/mlx4_en: Handle TX error CQE (bsc#1181854).
- net/mlx5: Add handling of port type in rule deletion (git-fixes).
- net/mlx5: Annotate mutex destroy for root ns (git-fixes).
- net/mlx5: Clear LAG notifier pointer after unregister (git-fixes).
- net/mlx5: Disable QoS when min_rates on all VFs are zero (git-fixes).
- net/mlx5: Do not call timecounter cyc2time directly from 1PPS flow (git-fixes).
- net/mlx5: Do not maintain a case of del_sw_func being null (git-fixes).
- net/mlx5e: Correctly handle changing the number of queues when the interface is down (git-fixes).
- net/mlx5e: Do not trigger IRQ multiple times on XSK wakeup to avoid WQ overruns (git-fixes).
- net/mlx5e: en_accel, Add missing net/geneve.h include (git-fixes).
- net/mlx5e: Encapsulate updating netdev queues into a function (git-fixes).
- net/mlx5e: E-switch, Fix rate calculation for overflow (jsc#SLE-8464).
- net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq (git-fixes).
- net/mlx5e: Fix configuration of XPS cpumasks and netdev queues in corner cases (git-fixes).
- net/mlx5e: Fix endianness handling in pedit mask (git-fixes).
- net/mlx5e: Fix error path of device attach (git-fixes).
- net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups (git-fixes).
- net/mlx5e: Fix two double free cases (git-fixes).
- net/mlx5e: Fix VLAN cleanup flow (git-fixes).
- net/mlx5e: Fix VLAN create flow (git-fixes).
- net/mlx5e: Get the latest values from counters in switchdev mode (git-fixes).
- net/mlx5e: IPoIB, Drop multicast packets that this interface sent (git-fixes).
- net/mlx5e: kTLS, Fix wrong value in record tracker enum (git-fixes).
- net/mlx5e: Reduce tc unsupported key print level (git-fixes).
- net/mlx5e: Rename hw_modify to preactivate (git-fixes).
- net/mlx5e: Set of completion request bit should not clear other adjacent bits (git-fixes).
- net/mlx5: E-switch, Destroy TSAR after reload interface (git-fixes).
- net/mlx5: E-Switch, Hold mutex when querying drop counter in legacy mode (git-fixes).
- net/mlx5: E-Switch, Use vport metadata matching by default (git-fixes).
- net/mlx5: E-Switch, Use vport metadata matching only when mandatory (git-fixes).
- net/mlx5e: Use preactivate hook to set the indirection table (git-fixes).
- net/mlx5e: vxlan: Use RCU for vxlan table lookup (git-fixes).
- net/mlx5: Fix a bug of using ptp channel index as pin index (git-fixes).
- net/mlx5: Fix deletion of duplicate rules (git-fixes).
- net/mlx5: Fix failing fw tracer allocation on s390 (git-fixes).
- net/mlx5: Fix memory leak on flow table creation error flow (git-fixes).
- net/mlx5: Fix request_irqs error flow (git-fixes).
- net/mlx5: Fix wrong address reclaim when command interface is down (git-fixes).
- net/mlx5: Query PPS pin operational status before registering it (git-fixes).
- net/mlx5: Verify Hardware supports requested ptp function on a given pin (git-fixes).
- net: moxa: Fix a potential double 'free_irq()' (git-fixes).
- net: mscc: ocelot: ANA_AUTOAGE_AGE_PERIOD holds a value in seconds, not ms (git-fixes).
- net: mscc: ocelot: fix address ageing time (again) (git-fixes).
- net: mscc: ocelot: properly account for VLAN header length when setting MRU (git-fixes).
- net: mvpp2: Add TCAM entry to drop flow control pause frames (git-fixes).
- net: mvpp2: disable force link UP during port init procedure (git-fixes).
- net: mvpp2: Fix error return code in mvpp2_open() (git-fixes).
- net: mvpp2: Fix GoP port 3 Networking Complex Control configurations (git-fixes).
- net: mvpp2: fix memory leak in mvpp2_rx (git-fixes).
- net: mvpp2: fix pkt coalescing int-threshold configuration (git-fixes).
- net: mvpp2: prs: fix PPPoE with ipv6 packet parse (git-fixes).
- net: mvpp2: Remove Pause and Asym_Pause support (git-fixes).
- net: mvpp2: TCAM entry enable should be written after SRAM data (git-fixes).
- net: netsec: Correct dma sync for XDP_TX frames (git-fixes).
- net: nixge: fix potential memory leak in nixge_probe() (git-fixes).
- net: octeon: mgmt: Repair filling of RX ring (git-fixes).
- net: phy: at803x: use operating parameters from PHY-specific status (git-fixes).
- net: phy: extract link partner advertisement reading (git-fixes).
- net: phy: extract pause mode (git-fixes).
- net: phy: marvell10g: fix null pointer dereference (git-fixes).
- net: phy: marvell10g: fix temperature sensor on 2110 (git-fixes).
- net: phy: read MII_CTRL1000 in genphy_read_status only if needed (git-fixes).
- net: qca_spi: fix receive buffer size check (git-fixes).
- net: qca_spi: Move reset_count to struct qcaspi (git-fixes).
- net: qede: fix PTP initialization on recovery (git-fixes).
- net: qede: fix use-after-free on recovery and AER handling (git-fixes).
- net: qede: stop adding events on an already destroyed workqueue (git-fixes).
- net: qed: fix async event callbacks unregistering (git-fixes).
- net: qed: fix excessive QM ILT lines consumption (git-fixes).
- net: qed: fix "maybe uninitialized" warning (git-fixes).
- net: qed: fix NVMe login fails over VFs (git-fixes).
- net: qed: RDMA personality shouldn't fail VF load (git-fixes).
- net: re-solve some conflicts after net -> net-next merge (bsc#1176855 ltc#187293).
- net: rmnet: do not allow to add multiple bridge interfaces (git-fixes).
- net: rmnet: do not allow to change mux id if mux id is duplicated (git-fixes).
- net: rmnet: fix bridge mode bugs (git-fixes).
- net: rmnet: fix lower interface leak (git-fixes).
- net: rmnet: fix NULL pointer dereference in rmnet_changelink() (git-fixes).
- net: rmnet: fix NULL pointer dereference in rmnet_newlink() (git-fixes).
- net: rmnet: fix packet forwarding in rmnet bridge mode (git-fixes).
- net: rmnet: fix suspicious RCU usage (git-fixes).
- net: rmnet: print error message when command fails (git-fixes).
- net: rmnet: remove rcu_read_lock in rmnet_force_unassociate_device() (git-fixes).
- net: rmnet: use upper/lower device infrastructure (git-fixes).
- net, sctp, filter: remap copy_from_user failure error (bsc#1181637).
- net: smc91x: Fix possible memory leak in smc_drv_probe() (git-fixes).
- net/sonic: Add mutual exclusion for accessing shared state (git-fixes).
- net: stmmac: 16KB buffer must be 16 byte aligned (git-fixes).
- net: stmmac: Always arm TX Timer at end of transmission start (git-fixes).
- net: stmmac: Do not accept invalid MTU values (git-fixes).
- net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes (git-fixes).
- net: stmmac: Enable 16KB buffer size (git-fixes).
- net: stmmac: fix disabling flexible PPS output (git-fixes).
- net: stmmac: fix length of PTP clock's name string (git-fixes).
- net: stmmac: Fix the TX IOC in xmit path (git-fixes).
- net: stmmac: RX buffer size must be 16 byte aligned (git-fixes).
- net: stmmac: selftests: Flow Control test can also run with ASYM Pause (git-fixes).
- net: stmmac: selftests: Needs to check the number of Multicast regs (git-fixes).
- net: stmmac: xgmac: Clear previous RX buffer size (git-fixes).
- net: sun: fix missing release regions in cas_init_one() (git-fixes).
- net: team: fix memory leak in __team_options_register (git-fixes).
- net: thunderx: initialize VF's mailbox mutex before first usage (git-fixes).
- net: usb: qmi_wwan: Adding support for Cinterion MV31 (git-fixes).
- nvme-hwmon: rework to avoid devm allocation (bsc#1177326).
- nvme: re-read ANA log on NS CHANGED AEN (bsc#1179137).
- nvmet-tcp: Fix NULL dereference when a connect data comes in h2cdata pdu (bsc#1182547).
- objtool: Do not fail on missing symbol table (bsc#1169514).
- perf/x86/intel/uncore: Factor out uncore_pci_find_dev_pmu() (bsc#1180989).
- perf/x86/intel/uncore: Factor out uncore_pci_get_dev_die_info() (bsc#1180989).
- perf/x86/intel/uncore: Factor out uncore_pci_pmu_register() (bsc#1180989).
- perf/x86/intel/uncore: Factor out uncore_pci_pmu_unregister() (bsc#1180989).
- perf/x86/intel/uncore: Generic support for the PCI sub driver (bsc#1180989).
- perf/x86/intel/uncore: Store the logical die id instead of the physical die id (bsc#1180989).
- perf/x86/intel/uncore: With > 8 nodes, get pci bus die id from NUMA info (bsc#1180989).
- phy: cpcap-usb: Fix warning for missing regulator_disable (git-fixes).
- phy: rockchip-emmc: emmc_phy_init() always return 0 (git-fixes).
- platform/x86: hp-wmi: Disable tablet-mode reporting by default (git-fixes).
- platform/x86: intel-vbtn: Support for tablet mode on Dell Inspiron 7352 (git-fixes).
- platform/x86: touchscreen_dmi: Add swap-x-y quirk for Goodix touchscreen on Estar Beauty HD tablet (git-fixes). - powerpc/book3s64/hash: Add cond_resched to avoid soft lockup warning (bsc#1182571 ltc#191345). - powerpc/boot: Delete unneeded .globl _zimage_start (bsc#1156395). - powerpc: Fix alignment bug within the init sections (bsc#1065729). - powerpc/fpu: Drop cvt_fd() and cvt_df() (bsc#1156395). - powerpc/hvcall: add token and codes for H_VASI_SIGNAL (bsc#1181674 ltc#189159). - powerpc: kABI: add back suspend_disable_cpu in machdep_calls (bsc#1181674 ltc#189159). - powerpc/machdep: remove suspend_disable_cpu() (bsc#1181674 ltc#189159). - powerpc/numa: Fix build when CONFIG_NUMA=n (bsc#1132477 ltc#175530). - powerpc/numa: make vphn_enabled, prrn_enabled flags const (bsc#1181674 ltc#189159). - powerpc/numa: remove ability to enable topology updates (bsc#1181674 ltc#189159). - powerpc/numa: remove arch_update_cpu_topology (bsc#1181674 ltc#189159). - powerpc/numa: Remove late request for home node associativity (bsc#1181674 ltc#189159). - powerpc/numa: remove prrn_is_enabled() (bsc#1181674 ltc#189159). - powerpc/numa: remove start/stop_topology_update() (bsc#1181674 ltc#189159). - powerpc/numa: remove timed_topology_update() (bsc#1181674 ltc#189159). - powerpc/numa: remove unreachable topology timer code (bsc#1181674 ltc#189159). - powerpc/numa: remove unreachable topology update code (bsc#1181674 ltc#189159). - powerpc/numa: remove unreachable topology workqueue code (bsc#1181674 ltc#189159). - powerpc/numa: remove vphn_enabled and prrn_enabled internal flags (bsc#1181674 ltc#189159). - powerpc/numa: stub out numa_update_cpu_topology() (bsc#1181674 ltc#189159). - powerpc/perf: Exclude kernel samples while counting events in user space (bsc#1065729). - powerpc/perf/hv-24x7: Dont create sysfs event files for dummy events (bsc#1182118 ltc#190624). - powerpc/powernv/memtrace: Do not leak kernel memory to user space (bsc#1156395). 
- powerpc/powernv/memtrace: Fix crashing the kernel when enabling concurrently (bsc#1156395). - powerpc/powernv/npu: Do not attempt NPU2 setup on POWER8NVL NPU (bsc#1156395). - powerpc/prom: Fix "ibm,arch-vec-5-platform-support" scan (bsc#1182602 ltc#190924). - powerpc/pseries/dlpar: handle ibm, configure-connector delay status (bsc#1181985 ltc#188074). - powerpc/pseries: Do not enforce MSI affinity with kdump (bsc#1181655 ltc#190855). - powerpc/pseries/eeh: Make pseries_pcibios_bus_add_device() static (bsc#1078720, git-fixes). - powerpc/pseries: extract host bridge from pci_bus prior to bus removal (bsc#1182171 ltc#190900). - powerpc/pseries/hibernation: drop pseries_suspend_begin() from suspend ops (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: pass stream id via function arguments (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: perform post-suspend fixups later (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: remove prepare_late() callback (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: remove pseries_suspend_cpu() (bsc#1181674 ltc#189159). - powerpc/pseries/hibernation: switch to rtas_ibm_suspend_me() (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: add missing break to default case (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: Add pr_debug() for device tree changes (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: do not error on absence of ibm, update-nodes (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: error message improvements (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: extract VASI session polling logic (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: refactor node lookup during DT update (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: retry partition suspend after error (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: Set pr_fmt() (bsc#1181674 ltc#189159). - powerpc/pseries/mobility: signal suspend cancellation to platform (bsc#1181674 ltc#189159). 
   - powerpc/pseries/mobility: use rtas_activate_firmware() on resume (bsc#1181674 ltc#189159).
   - powerpc/pseries/mobility: use stop_machine for join/suspend (bsc#1181674 ltc#189159).
   - powerpc/pseries/ras: Make init_ras_hotplug_IRQ() static (bsc#1065729, git-fixes).
   - powerpc/pseries: remove dlpar_cpu_readd() (bsc#1181674 ltc#189159).
   - powerpc/pseries: remove memory "re-add" implementation (bsc#1181674 ltc#189159).
   - powerpc/pseries: remove obsolete memory hotplug DT notifier code (bsc#1181674 ltc#189159).
   - powerpc/pseries: remove prrn special case from DT update path (bsc#1181674 ltc#189159).
   - powerpc/rtas: add rtas_activate_firmware() (bsc#1181674 ltc#189159).
   - powerpc/rtas: add rtas_ibm_suspend_me() (bsc#1181674 ltc#189159).
   - powerpc/rtas: complete ibm,suspend-me status codes (bsc#1181674 ltc#189159).
   - powerpc/rtas: dispatch partition migration requests to pseries (bsc#1181674 ltc#189159).
   - powerpc/rtasd: simplify handle_rtas_event(), emit message on events (bsc#1181674 ltc#189159).
   - powerpc/rtas: prevent suspend-related sys_rtas use on LE (bsc#1181674 ltc#189159).
   - powerpc/rtas: remove rtas_ibm_suspend_me_unsafe() (bsc#1181674 ltc#189159).
   - powerpc/rtas: remove rtas_suspend_cpu() (bsc#1181674 ltc#189159).
   - powerpc/rtas: remove unused rtas_suspend_last_cpu() (bsc#1181674 ltc#189159).
   - powerpc/rtas: remove unused rtas_suspend_me_data (bsc#1181674 ltc#189159).
   - powerpc/rtas: rtas_ibm_suspend_me -> rtas_ibm_suspend_me_unsafe (bsc#1181674 ltc#189159).
   - power: reset: at91-sama5d2_shdwc: fix wkupdbc mask (git-fixes).
   - pseries/drmem: do not cache node id in drmem_lmb struct (bsc#1132477 ltc#175530).
   - pseries/hotplug-memory: hot-add: skip redundant LMB lookup (bsc#1132477 ltc#175530).
   - qed: fix error return code in qed_iwarp_ll2_start() (git-fixes).
   - qed: Fix race condition between scheduling and destroying the slowpath workqueue (git-fixes).
   - qed: Populate nvm-file attributes while reading nvm config partition (git-fixes).
   - qed: select CONFIG_CRC32 (git-fixes).
   - qlcnic: fix missing release in qlcnic_83xx_interrupt_test (git-fixes).
   - quota: Fix memory leak when handling corrupted quota file (bsc#1182650).
   - quota: Sanity-check quota file headers on load (bsc#1182461).
   - r8169: fix resuming from suspend on RTL8105e if machine runs on battery (git-fixes).
   - rcu/nocb: Perform deferred wake up before last idle's (git-fixes)
   - rcu/nocb: Trigger self-IPI on late deferred wake up before (git-fixes)
   - rcu: Pull deferred rcuog wake up to rcu_eqs_enter() callers (git-fixes)
   - RDMA/efa: Add EFA 0xefa1 PCI ID (bsc#1176248).
   - RDMA/efa: Count admin commands errors (bsc#1176248).
   - RDMA/efa: Count mmap failures (bsc#1176248).
   - RDMA/efa: Do not delay freeing of DMA pages (bsc#1176248).
   - RDMA/efa: Drop double zeroing for sg_init_table() (bsc#1176248).
   - RDMA/efa: Expose maximum TX doorbell batch (bsc#1176248).
   - RDMA/efa: Expose minimum SQ size (bsc#1176248).
   - RDMA/efa: Fix setting of wrong bit in get/set_feature commands (bsc#1176248).
   - RDMA/efa: Properly document the interrupt mask register (bsc#1176248).
   - RDMA/efa: Remove redundant udata check from alloc ucontext response (bsc#1176248).
   - RDMA/efa: Report create CQ error counter (bsc#1176248).
   - RDMA/efa: Report host information to the device (bsc#1176248).
   - RDMA/efa: Unified getters/setters for device structs bitmask access (bsc#1176248).
   - RDMA/efa: Use in-kernel offsetofend() to check field availability (bsc#1176248).
   - RDMA/efa: User/kernel compatibility handshake mechanism (bsc#1176248).
   - RDMA/efa: Use the correct current and new states in modify QP (git-fixes).
   - regulator: axp20x: Fix reference cout leak (git-fixes).
   - regulator: core: Avoid debugfs: Directory ... already present! error (git-fixes).
   - regulator: core: avoid regulator_resolve_supply() race condition (git-fixes).
   - regulator: Fix lockdep warning resolving supplies (git-fixes).
   - regulator: s5m8767: Drop regulators OF node reference (git-fixes).
   - regulator: s5m8767: Fix reference count leak (git-fixes).
   - reiserfs: add check for an invalid ih_entry_count (bsc#1182462).
   - Remove debug patch for boot failure (bsc#1182602 ltc#190924).
   - reset: hisilicon: correct vendor prefix (git-fixes).
   - Revert "ibmvnic: remove never executed if statement" (jsc#SLE-17043 bsc#1179243 ltc#189290).
   - Revert "net: bcmgenet: remove unused function in bcmgenet.c" (git-fixes).
   - Revert "platform/x86: ideapad-laptop: Switch touchpad attribute to be RO" (git-fixes).
   - Revert "RDMA/mlx5: Fix devlink deadlock on net namespace deletion" (jsc#SLE-8464).
   - rpm/kernel-subpackage-build: Workaround broken bot (https://github.com/openSUSE/openSUSE-release-tools/issues/2439)
   - rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058)
   - rtc: s5m: select REGMAP_I2C (git-fixes).
   - rxrpc: Fix memory leak in rxrpc_lookup_local (bsc#1154353 bnc#1151927 5.3.9).
   - sched: Reenable interrupts in do_sched_yield() (git-fixes)
   - scsi: lpfc: Fix EEH encountering oops with NVMe traffic (bsc#1181958).
   - sh_eth: check sh_eth_cpu_data::cexcr when dumping registers (git-fixes).
   - sh_eth: check sh_eth_cpu_data::no_tx_cntrs when dumping registers (git-fixes).
   - sh_eth: check sh_eth_cpu_data::no_xdfar when dumping registers (git-fixes).
   - smp: Add source and destination CPUs to __call_single_data (bsc#1180846).
   - smsc95xx: avoid memory leak in smsc95xx_bind (git-fixes).
   - smsc95xx: check return value of smsc95xx_reset (git-fixes).
   - soc: aspeed: snoop: Add clock control logic (git-fixes).
   - spi: atmel: Put allocated master before return (git-fixes).
   - spi: pxa2xx: Fix the controller numbering for Wildcat Point (git-fixes).
   - spi: spi-synquacer: fix set_cs handling (git-fixes).
   - spi: stm32: properly handle 0 byte transfer (git-fixes).
   - squashfs: add more sanity checks in id lookup (git-fixes bsc#1182266).
   - squashfs: add more sanity checks in inode lookup (git-fixes bsc#1182267).
   - squashfs: add more sanity checks in xattr id lookup (git-fixes bsc#1182268).
   - staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules (git-fixes).
   - target: disallow emulate_legacy_capacity with RBD object-map (bsc#1177109).
   - team: set dev->needed_headroom in team_setup_by_port() (git-fixes).
   - tpm: Remove tpm_dev_wq_lock (git-fixes).
   - tpm_tis: Clean up locality release (git-fixes).
   - tpm_tis: Fix check_locality for correct locality acquisition (git-fixes).
   - tracing: Check length before giving out the filter buffer (git-fixes).
   - tracing: Do not count ftrace events in top level enable output (git-fixes).
   - tracing/kprobe: Fix to support kretprobe events on unloaded modules (git-fixes).
   - tracing/kprobes: Do the notrace functions check without kprobes on ftrace (git-fixes).
   - tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS (git-fixes).
   - ubifs: Fix error return code in ubifs_init_authentication() (bsc#1182459).
   - ubifs: Fix ubifs_tnc_lookup() usage in do_kill_orphans() (bsc#1182454).
   - ubifs: prevent creating duplicate encrypted filenames (bsc#1182457).
   - ubifs: ubifs_add_orphan: Fix a memory leak bug (bsc#1182456).
   - ubifs: ubifs_jnl_write_inode: Fix a memory leak bug (bsc#1182455).
   - ubifs: wbuf: Do not leak kernel memory to flash (bsc#1182458).
   - Update config files: activate CONFIG_CSD_LOCK_WAIT_DEBUG for x86 (bsc#1180846).
   - Update config files: Set ledtrig-default-on as builtin (bsc#1182128)
   - USB: dwc2: Abort transaction after errors with unknown reason (git-fixes).
   - USB: dwc2: Fix endpoint direction check in ep_from_windex (git-fixes).
   - USB: dwc2: Make "trimming xfer length" a debug message (git-fixes).
   - USB: dwc3: fix clock issue during resume in OTG mode (git-fixes).
   - USB: gadget: legacy: fix an error code in eth_bind() (git-fixes).
   - USB: gadget: u_audio: Free requests only after callback (git-fixes).
   - USB: mUSB: Fix runtime PM race in musb_queue_resume_work (git-fixes).
   - USB: quirks: add quirk to start video capture on ELMO L-12F document camera reliable (git-fixes).
   - USB: quirks: sort quirk entries (git-fixes).
   - USB: renesas_usbhs: Clear pipe running flag in usbhs_pkt_pop() (git-fixes).
   - USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000 (git-fixes).
   - USB: serial: cp210x: add pid/vid for WSDA-200-USB (git-fixes).
   - USB: serial: mos7720: fix error code in mos7720_write() (git-fixes).
   - USB: serial: mos7720: improve OOM-handling in read_mos_reg() (git-fixes).
   - USB: serial: mos7840: fix error code in mos7840_write() (git-fixes).
   - USB: serial: option: Adding support for Cinterion MV31 (git-fixes).
   - USB: usblp: do not call usb_set_interface if there's a single alt (git-fixes).
   - veth: Adjust hard_start offset on redirect XDP frames (git-fixes).
   - vfs: Convert squashfs to use the new mount API (git-fixes bsc#1182265).
   - virtio_net: Fix error code in probe() (git-fixes).
   - virtio_net: Fix recursive call to cpus_read_lock() (git-fixes).
   - virtio_net: Keep vnet header zeroed if XDP is loaded for small buffer (git-fixes).
   - virt: vbox: Do not use wait_event_interruptible when called from kernel context (git-fixes).
   - vmxnet3: Remove buf_info from device accessible structures (bsc#1181671).
   - vxlan: fix memleak of fdb (git-fixes).
   - writeback: Drop I_DIRTY_TIME_EXPIRE (bsc#1182460).
   - x86/alternatives: Sync bp_patching update for avoiding NULL pointer exception (bsc#1152489).
   - x86/apic: Add extra serialization for non-serializing MSRs (bsc#1152489).
   - x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181259, jsc#ECO-3191).
   - x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181259, jsc#ECO-3191).
   - x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181259, jsc#ECO-3191).
   - x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181259 jsc#ECO-3191).
   - x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181259, jsc#ECO-3191).
   - xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600).
   - xen/netback: fix spurious event detection for common event case (bsc#1182175).
   - xfs: ensure inobt record walks always make forward progress (git-fixes bsc#1182272).
   - xfs: fix an ABBA deadlock in xfs_rename (git-fixes bsc#1182558).
   - xfs: fix parent pointer scrubber bailing out on unallocated inodes (git-fixes bsc#1182276).
   - xfs: fix the forward progress assertion in xfs_iwalk_run_callbacks (git-fixes bsc#1182430).
   - xfs: fix the minrecs logic when dealing with inode root child blocks (git-fixes bsc#1182273).
   - xfs: ratelimit xfs_discard_page messages (bsc#1182283).
   - xfs: reduce quota reservation when doing a dax unwritten extent conversion (git-fixes bsc#1182561).
   - xfs: return corresponding errcode if xfs_initialize_perag() fail (git-fixes bsc#1182275).
   - xfs: scrub should mark a directory corrupt if any entries cannot be iget'd (git-fixes bsc#1182278).
   - xfs: strengthen rmap record flags checking (git-fixes bsc#1182271).
   - xhci: fix bounce buffer usage for non-sg list case (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Realtime 15-SP2:

      zypper in -t patch SUSE-SLE-Module-RT-15-SP2-2021-735=1

Package List:

   - SUSE Linux Enterprise Module for Realtime 15-SP2 (noarch):

      kernel-devel-rt-5.3.18-28.1
      kernel-source-rt-5.3.18-28.1

   - SUSE Linux Enterprise Module for Realtime 15-SP2 (x86_64):

      cluster-md-kmp-rt-5.3.18-28.1
      cluster-md-kmp-rt-debuginfo-5.3.18-28.1
      dlm-kmp-rt-5.3.18-28.1
      dlm-kmp-rt-debuginfo-5.3.18-28.1
      gfs2-kmp-rt-5.3.18-28.1
      gfs2-kmp-rt-debuginfo-5.3.18-28.1
      kernel-rt-5.3.18-28.1
      kernel-rt-debuginfo-5.3.18-28.1
      kernel-rt-debugsource-5.3.18-28.1
      kernel-rt-devel-5.3.18-28.1
      kernel-rt-devel-debuginfo-5.3.18-28.1
      kernel-rt_debug-debuginfo-5.3.18-28.1
      kernel-rt_debug-debugsource-5.3.18-28.1
      kernel-rt_debug-devel-5.3.18-28.1
      kernel-rt_debug-devel-debuginfo-5.3.18-28.1
      kernel-syms-rt-5.3.18-28.1
      ocfs2-kmp-rt-5.3.18-28.1
      ocfs2-kmp-rt-debuginfo-5.3.18-28.1

References:

   https://www.suse.com/security/cve/CVE-2020-12362.html
   https://www.suse.com/security/cve/CVE-2020-12363.html
   https://www.suse.com/security/cve/CVE-2020-12364.html
   https://www.suse.com/security/cve/CVE-2020-12373.html
   https://www.suse.com/security/cve/CVE-2020-29368.html
   https://www.suse.com/security/cve/CVE-2020-29374.html
   https://www.suse.com/security/cve/CVE-2021-26930.html
   https://www.suse.com/security/cve/CVE-2021-26931.html
   https://www.suse.com/security/cve/CVE-2021-26932.html
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1078720
   https://bugzilla.suse.com/1081134
   https://bugzilla.suse.com/1084610
   https://bugzilla.suse.com/1132477
   https://bugzilla.suse.com/1151927
   https://bugzilla.suse.com/1152472
   https://bugzilla.suse.com/1152489
   https://bugzilla.suse.com/1154353
   https://bugzilla.suse.com/1155518
   https://bugzilla.suse.com/1156395
   https://bugzilla.suse.com/1163776
   https://bugzilla.suse.com/1169514
   https://bugzilla.suse.com/1170442
   https://bugzilla.suse.com/1176248
   https://bugzilla.suse.com/1176855
   https://bugzilla.suse.com/1177109
   https://bugzilla.suse.com/1177326
   https://bugzilla.suse.com/1177440
   https://bugzilla.suse.com/1177529
   https://bugzilla.suse.com/1178142
   https://bugzilla.suse.com/1179082
   https://bugzilla.suse.com/1179137
   https://bugzilla.suse.com/1179243
   https://bugzilla.suse.com/1179428
   https://bugzilla.suse.com/1179660
   https://bugzilla.suse.com/1179929
   https://bugzilla.suse.com/1180058
   https://bugzilla.suse.com/1180846
   https://bugzilla.suse.com/1180989
   https://bugzilla.suse.com/1181133
   https://bugzilla.suse.com/1181259
   https://bugzilla.suse.com/1181574
   https://bugzilla.suse.com/1181637
   https://bugzilla.suse.com/1181655
   https://bugzilla.suse.com/1181671
   https://bugzilla.suse.com/1181674
   https://bugzilla.suse.com/1181710
   https://bugzilla.suse.com/1181720
   https://bugzilla.suse.com/1181735
   https://bugzilla.suse.com/1181736
   https://bugzilla.suse.com/1181738
   https://bugzilla.suse.com/1181747
   https://bugzilla.suse.com/1181753
   https://bugzilla.suse.com/1181818
   https://bugzilla.suse.com/1181843
   https://bugzilla.suse.com/1181854
   https://bugzilla.suse.com/1181896
   https://bugzilla.suse.com/1181958
   https://bugzilla.suse.com/1181960
   https://bugzilla.suse.com/1181985
   https://bugzilla.suse.com/1182047
   https://bugzilla.suse.com/1182118
   https://bugzilla.suse.com/1182128
   https://bugzilla.suse.com/1182140
   https://bugzilla.suse.com/1182171
   https://bugzilla.suse.com/1182175
   https://bugzilla.suse.com/1182259
   https://bugzilla.suse.com/1182265
   https://bugzilla.suse.com/1182266
   https://bugzilla.suse.com/1182267
   https://bugzilla.suse.com/1182268
   https://bugzilla.suse.com/1182271
   https://bugzilla.suse.com/1182272
   https://bugzilla.suse.com/1182273
   https://bugzilla.suse.com/1182275
   https://bugzilla.suse.com/1182276
   https://bugzilla.suse.com/1182278
   https://bugzilla.suse.com/1182283
   https://bugzilla.suse.com/1182374
   https://bugzilla.suse.com/1182380
   https://bugzilla.suse.com/1182381
   https://bugzilla.suse.com/1182406
   https://bugzilla.suse.com/1182430
   https://bugzilla.suse.com/1182439
   https://bugzilla.suse.com/1182441
   https://bugzilla.suse.com/1182442
   https://bugzilla.suse.com/1182443
   https://bugzilla.suse.com/1182444
   https://bugzilla.suse.com/1182445
   https://bugzilla.suse.com/1182446
   https://bugzilla.suse.com/1182447
   https://bugzilla.suse.com/1182449
   https://bugzilla.suse.com/1182454
   https://bugzilla.suse.com/1182455
   https://bugzilla.suse.com/1182456
   https://bugzilla.suse.com/1182457
   https://bugzilla.suse.com/1182458
   https://bugzilla.suse.com/1182459
   https://bugzilla.suse.com/1182460
   https://bugzilla.suse.com/1182461
   https://bugzilla.suse.com/1182462
   https://bugzilla.suse.com/1182463
   https://bugzilla.suse.com/1182464
   https://bugzilla.suse.com/1182465
   https://bugzilla.suse.com/1182466
   https://bugzilla.suse.com/1182485
   https://bugzilla.suse.com/1182489
   https://bugzilla.suse.com/1182490
   https://bugzilla.suse.com/1182547
   https://bugzilla.suse.com/1182558
   https://bugzilla.suse.com/1182560
   https://bugzilla.suse.com/1182561
   https://bugzilla.suse.com/1182571
   https://bugzilla.suse.com/1182599
   https://bugzilla.suse.com/1182602
   https://bugzilla.suse.com/1182626
   https://bugzilla.suse.com/1182650
   https://bugzilla.suse.com/1182672
   https://bugzilla.suse.com/1182676
   https://bugzilla.suse.com/1182683
   https://bugzilla.suse.com/1182684
   https://bugzilla.suse.com/1182686
   https://bugzilla.suse.com/1182770
   https://bugzilla.suse.com/1182798
   https://bugzilla.suse.com/1182800
   https://bugzilla.suse.com/1182801
   https://bugzilla.suse.com/1182854
   https://bugzilla.suse.com/1182856
   https://bugzilla.suse.com/1183022

From sle-security-updates at lists.suse.com Tue Mar 9 21:03:29 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 22:03:29 +0100 (CET)
Subject: SUSE-SU-2021:0745-1: important: Security update for wpa_supplicant
Message-ID: <20210309210329.0F1E6FD17@maintenance.suse.de>

   SUSE Security Update: Security update for wpa_supplicant
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0745-1
Rating:             important
References:         #1182805
Cross-References:   CVE-2021-27803
CVSS scores:
                    CVE-2021-27803 (NVD) : 7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-27803 (SUSE): 7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for wpa_supplicant fixes the following issues:

   - CVE-2021-27803: P2P provision discovery processing vulnerability (bsc#1182805)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-745=1

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-745=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-745=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-745=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2021-745=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-745=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-745=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-745=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-745=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-745=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-745=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-745=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-745=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2021-745=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      wpa_supplicant-2.6-15.16.1
      wpa_supplicant-debuginfo-2.6-15.16.1
      wpa_supplicant-debugsource-2.6-15.16.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      wpa_supplicant-2.6-15.16.1
      wpa_supplicant-debuginfo-2.6-15.16.1
      wpa_supplicant-debugsource-2.6-15.16.1

   - SUSE OpenStack Cloud 9 (x86_64):

      wpa_supplicant-2.6-15.16.1
      wpa_supplicant-debuginfo-2.6-15.16.1
      wpa_supplicant-debugsource-2.6-15.16.1

   - SUSE OpenStack Cloud 8 (x86_64):

      wpa_supplicant-2.6-15.16.1
      wpa_supplicant-debuginfo-2.6-15.16.1
      wpa_supplicant-debugsource-2.6-15.16.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      wpa_supplicant-2.6-15.16.1
      wpa_supplicant-debuginfo-2.6-15.16.1
      wpa_supplicant-debugsource-2.6-15.16.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      wpa_supplicant-2.6-15.16.1
      wpa_supplicant-debuginfo-2.6-15.16.1
      wpa_supplicant-debugsource-2.6-15.16.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      wpa_supplicant-2.6-15.16.1
      wpa_supplicant-debuginfo-2.6-15.16.1
      wpa_supplicant-debugsource-2.6-15.16.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      wpa_supplicant-2.6-15.16.1
      wpa_supplicant-debuginfo-2.6-15.16.1
      wpa_supplicant-debugsource-2.6-15.16.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      wpa_supplicant-2.6-15.16.1
      wpa_supplicant-debuginfo-2.6-15.16.1
      wpa_supplicant-debugsource-2.6-15.16.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      wpa_supplicant-2.6-15.16.1
      wpa_supplicant-debuginfo-2.6-15.16.1
      wpa_supplicant-debugsource-2.6-15.16.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      wpa_supplicant-2.6-15.16.1
      wpa_supplicant-debuginfo-2.6-15.16.1
      wpa_supplicant-debugsource-2.6-15.16.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      wpa_supplicant-2.6-15.16.1
      wpa_supplicant-debuginfo-2.6-15.16.1
      wpa_supplicant-debugsource-2.6-15.16.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      wpa_supplicant-2.6-15.16.1
      wpa_supplicant-debuginfo-2.6-15.16.1
      wpa_supplicant-debugsource-2.6-15.16.1

   - HPE Helion Openstack 8 (x86_64):

      wpa_supplicant-2.6-15.16.1
      wpa_supplicant-debuginfo-2.6-15.16.1
      wpa_supplicant-debugsource-2.6-15.16.1

References:

   https://www.suse.com/security/cve/CVE-2021-27803.html
   https://bugzilla.suse.com/1182805

From sle-security-updates at lists.suse.com Tue Mar 9 21:04:39 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 22:04:39 +0100 (CET)
Subject: SUSE-SU-2021:0741-1: important: Security update for the Linux Kernel
<20210309210439.4F1AAFD17@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0741-1 Rating: important References: #1065600 #1065729 #1078720 #1081134 #1084610 #1132477 #1151927 #1152472 #1152489 #1154353 #1155518 #1156395 #1163776 #1169514 #1170442 #1176248 #1176855 #1177109 #1177326 #1177440 #1177529 #1178142 #1178995 #1179082 #1179137 #1179243 #1179428 #1179660 #1179929 #1180058 #1180846 #1180964 #1180989 #1181133 #1181259 #1181544 #1181574 #1181637 #1181655 #1181671 #1181674 #1181710 #1181720 #1181735 #1181736 #1181738 #1181747 #1181753 #1181818 #1181843 #1181854 #1181896 #1181958 #1181960 #1181985 #1182047 #1182110 #1182118 #1182128 #1182140 #1182171 #1182175 #1182259 #1182265 #1182266 #1182267 #1182268 #1182271 #1182272 #1182273 #1182275 #1182276 #1182278 #1182283 #1182341 #1182374 #1182380 #1182381 #1182406 #1182430 #1182439 #1182441 #1182442 #1182443 #1182444 #1182445 #1182446 #1182447 #1182449 #1182454 #1182455 #1182456 #1182457 #1182458 #1182459 #1182460 #1182461 #1182462 #1182463 #1182464 #1182465 #1182466 #1182485 #1182489 #1182490 #1182507 #1182547 #1182558 #1182560 #1182561 #1182571 #1182599 #1182602 #1182626 #1182650 #1182672 #1182676 #1182683 #1182684 #1182686 #1182770 #1182798 #1182800 #1182801 #1182854 #1182856 Cross-References: CVE-2020-12362 CVE-2020-12363 CVE-2020-12364 CVE-2020-12373 CVE-2020-29368 CVE-2020-29374 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932 CVSS scores: CVE-2020-12362 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-12362 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2020-12363 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-12363 (SUSE): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L CVE-2020-12364 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-12364 (SUSE): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L CVE-2020-12373 
(NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-12373 (SUSE): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29374 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29374 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2021-26930 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-26930 (SUSE): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2021-26931 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-26931 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2021-26932 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-26932 (SUSE): 5.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Workstation Extension 15-SP2 SUSE Linux Enterprise Module for Live Patching 15-SP2 SUSE Linux Enterprise Module for Legacy Software 15-SP2 SUSE Linux Enterprise Module for Development Tools 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise High Availability 15-SP2 ______________________________________________________________________________ An update that solves 9 vulnerabilities and has 117 fixes is now available. Description: The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843). - CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753). - CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747). by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372). 
- CVE-2020-12362: Fixed an integer overflow in the firmware which may have allowed a privileged user to potentially enable an escalation of privilege via local access (bsc#1181720). - CVE-2020-12363: Fixed an improper input validation which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181735). - CVE-2020-12364: Fixed a null pointer reference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181736 ). - CVE-2020-12373: Fixed an expired pointer dereference which may have allowed a privileged user to potentially enable a denial of service via local access (bsc#1181738). - CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428). The following non-security bugs were fixed: - ACPI: configfs: add missing check after configfs_register_default_group() (git-fixes). - ACPI: property: Fix fwnode string properties matching (git-fixes). - ACPI: property: Satisfy kernel doc validator (part 1) (git-fixes). - ACPI: property: Satisfy kernel doc validator (part 2) (git-fixes). - ALSA: hda: Add another CometLake-H PCI ID (git-fixes). - ALSA: hda/hdmi: Drop bogus check at closing a stream (git-fixes). - ALSA: hda/realtek: modify EAPD in the ALC886 (git-fixes). - ALSA: pcm: Assure sync with the pending stop operation at suspend (git-fixes). - ALSA: pcm: Call sync_stop at disconnection (git-fixes). - ALSA: pcm: Do not call sync_stop if it hasn't been stopped (git-fixes). - ALSA: usb-audio: Add implicit fb quirk for BOSS GP-10 (git-fixes). - ALSA: usb-audio: Correct document for snd_usb_endpoint_free_all() (git-fixes). - ALSA: usb-audio: Do not avoid stopping the stream at disconnection (git-fixes). - ALSA: usb-audio: Fix PCM buffer allocation in non-vmalloc mode (git-fixes). 
- ALSA: usb-audio: Handle invalid running state at releasing EP (git-fixes).
- ALSA: usb-audio: More strict state change in EP (git-fixes).
- amba: Fix resource leak for drivers without .remove (git-fixes).
- arm64: Update config file. Set CONFIG_WATCHDOG_SYSFS to true (bsc#1182560)
- ASoC: cpcap: fix microphone timeslot mask (git-fixes).
- ASoC: cs42l56: fix up error handling in probe (git-fixes).
- ASoC: simple-card-utils: Fix device module clock (git-fixes).
- ASoC: SOF: debug: Fix a potential issue on string buffer termination (git-fixes).
- ata: ahci_brcm: Add back regulators management (git-fixes).
- ata: sata_nv: Fix retrieving of active qcs (git-fixes).
- ath10k: Fix error handling in case of CE pipe init failure (git-fixes).
- ath9k: fix data bus crash when setting nf_override via debugfs (git-fixes).
- bcache: fix overflow in offset_to_stripe() (git-fixes).
- blk-mq: call commit_rqs while list empty but error happen (bsc#1182442).
- blk-mq: insert request not through ->queue_rq into sw/scheduler queue (bsc#1182443).
- blk-mq: move cancel of hctx->run_work to the front of blk_exit_queue (bsc#1182444).
- block: fix inflight statistics of part0 (bsc#1182445).
- block: respect queue limit of max discard segment (bsc#1182441).
- block: virtio_blk: fix handling single range discard request (bsc#1182439).
- Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the probe function (git-fixes).
- Bluetooth: btusb: Fix memory leak in btusb_mtk_wmt_recv (git-fixes).
- Bluetooth: drop HCI device reference before return (git-fixes).
- Bluetooth: Fix initializing response id after clearing struct (git-fixes).
- Bluetooth: hci_uart: Fix a race for write_work scheduling (git-fixes).
- Bluetooth: Put HCI device if inquiry procedure interrupts (git-fixes).
- bnxt_en: Fix accumulation of bp->net_stats_prev (git-fixes).
- bnxt_en: fix error return code in bnxt_init_board() (git-fixes).
- bnxt_en: fix error return code in bnxt_init_one() (git-fixes).
- bnxt_en: Improve stats context resource accounting with RDMA driver loaded (git-fixes).
- bnxt_en: read EEPROM A2h address using page 0 (git-fixes).
- bnxt_en: Release PCI regions when DMA mask setup fails during probe (git-fixes).
- bonding: Fix reference count leak in bond_sysfs_slave_add (git-fixes).
- bonding: set dev->needed_headroom in bond_setup_by_slave() (git-fixes).
- bonding: wait for sysfs kobject destruction before freeing struct slave (git-fixes).
- bpf, cgroup: Fix optlen WARN_ON_ONCE toctou (bsc#1155518).
- bpf, cgroup: Fix problematic bounds check (bsc#1155518).
- btrfs: add assertion for empty list of transactions at late stage of umount (bsc#1182626).
- btrfs: Cleanup try_flush_qgroup (bsc#1182047).
- btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: Fix race between extent freeing/allocation when using bitmaps (bsc#1181574).
- btrfs: fix race between RO remount and the cleaner task (bsc#1182626).
- btrfs: fix transaction leak and crash after cleaning up orphans on RO mount (bsc#1182626).
- btrfs: fix transaction leak and crash after RO remount caused by qgroup rescan (bsc#1182626).
- btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: lift read-write mount setup from mount and remount (bsc#1182626).
- btrfs: Remove btrfs_inode from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: run delayed iputs when remounting RO to avoid leaking them (bsc#1182626).
- btrfs: Simplify code flow in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: Unlock extents in btrfs_zero_range in case of errors (bsc#1182047).
- caif: no need to check return value of debugfs_create functions (git-fixes).
- ceph: fix flush_snap logic after putting caps (bsc#1182854).
- cgroup: Fix memory leak when parsing multiple source parameters (bsc#1182683).
- cgroup: fix psi monitor for root cgroup (bsc#1182686).
- cgroup-v1: add disabled controller check in cgroup1_parse_param() (bsc#1182684).
- chelsio/chtls: correct function return and return type (git-fixes).
- chelsio/chtls: correct netdevice for vlan interface (git-fixes).
- chelsio/chtls: fix a double free in chtls_setkey() (git-fixes).
- chelsio/chtls: fix always leaking ctrl_skb (git-fixes).
- chelsio/chtls: fix deadlock issue (git-fixes).
- chelsio/chtls: fix memory leaks caused by a race (git-fixes).
- chelsio/chtls: fix memory leaks in CPL handlers (git-fixes).
- chelsio/chtls: fix panic during unload reload chtls (git-fixes).
- chelsio/chtls: fix socket lock (git-fixes).
- chelsio/chtls: fix tls record info to user (git-fixes).
- Cherry-pick ibmvnic patches from SP3 (jsc#SLE-17268).
- chtls: Added a check to avoid NULL pointer dereference (git-fixes).
- chtls: Fix chtls resources release sequence (git-fixes).
- chtls: Fix hardware tid leak (git-fixes).
- chtls: Fix panic when route to peer not configured (git-fixes).
- chtls: Remove invalid set_tcb call (git-fixes).
- chtls: Replace skb_dequeue with skb_peek (git-fixes).
- cifs: check all path components in resolved dfs target (bsc#1181710).
- cifs: fix nodfs mount option (bsc#1181710).
- cifs: introduce helper for finding referral server (bsc#1181710).
- cifs: report error instead of invalid when revalidating a dentry fails (bsc#1177440).
- cirrus: cs89x0: remove set but not used variable 'lp' (git-fixes).
- cirrus: cs89x0: use devm_platform_ioremap_resource() to simplify code (git-fixes).
- clk: meson: clk-pll: fix initializing the old rate (fallback) for a PLL (git-fixes).
- clk: meson: clk-pll: make "ret" a signed integer (git-fixes).
- clk: meson: clk-pll: propagate the error from meson_clk_pll_set_rate() (git-fixes).
- clk: qcom: gcc-msm8998: Fix Alpha PLL type for all GPLLs (git-fixes).
- clk: sunxi-ng: h6: Fix CEC clock (git-fixes).
- clk: sunxi-ng: h6: Fix clock divider range on some clocks (git-fixes).
- clk: sunxi-ng: mp: fix parent rate change flag check (git-fixes).
- clocksource/drivers/ixp4xx: Select TIMER_OF when needed (git-fixes).
- cpufreq: brcmstb-avs-cpufreq: Fix resource leaks in ->remove() (git-fixes).
- cpufreq: brcmstb-avs-cpufreq: Free resources in error path (git-fixes).
- cpuset: fix race between hotplug work and later CPU offline (bsc#1182676).
- crypto: ecdh_helper - Ensure 'len >= secret.len' in decode_key() (git-fixes).
- crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error) (git-fixes).
- cxgb3: fix error return code in t3_sge_alloc_qset() (git-fixes).
- cxgb4: fix all-mask IP address comparison (git-fixes).
- cxgb4: fix checks for max queues to allocate (git-fixes).
- cxgb4: fix endian conversions for L4 ports in filters (git-fixes).
- cxgb4: fix set but unused variable when DCB is disabled (git-fixes).
- cxgb4: fix SGE queue dump destination buffer context (git-fixes).
- cxgb4: fix the panic caused by non smac rewrite (git-fixes).
- cxgb4: move DCB version extern to header file (git-fixes).
- cxgb4: move handling L2T ARP failures to caller (git-fixes).
- cxgb4: move PTP lock and unlock to caller in Tx path (git-fixes).
- cxgb4: parse TC-U32 key values and masks natively (git-fixes).
- cxgb4: remove cast when saving IPv4 partial checksum (git-fixes).
- cxgb4: set up filter action after rewrites (git-fixes).
- cxgb4: use correct type for all-mask IP address comparison (git-fixes).
- cxgb4: use unaligned conversion for fetching timestamp (git-fixes).
- dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function (git-fixes).
- dmaengine: fsldma: Fix a resource leak in the remove function (git-fixes).
- dmaengine: hsu: disable spurious interrupt (git-fixes).
- dmaengine: owl-dma: Fix a resource leak in the remove function (git-fixes).
- dm crypt: avoid truncating the logical block size (git-fixes).
- dm: fix bio splitting and its bio completion order for regular IO (git-fixes).
- dm thin: fix use-after-free in metadata_pre_commit_callback (bsc#1177529).
- dm thin metadata: Avoid returning cmd->bm wild pointer on error (bsc#1177529).
- dm thin metadata: fix lockdep complaint (bsc#1177529).
- dm thin metadata: Fix use-after-free in dm_bm_set_read_only (bsc#1177529).
- dm: use noio when sending kobject event (bsc#1177529).
- docs: filesystems: vfs: correct flag name (bsc#1182856).
- dpaa2-eth: fix return codes used in ndo_setup_tc (git-fixes).
- drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() (git-fixes).
- drivers: net: davinci_mdio: fix potential NULL dereference in davinci_mdio_probe() (git-fixes).
- drivers: soc: atmel: add null entry at the end of at91_soc_allowed_list[] (git-fixes).
- drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs (git-fixes).
- drm/amd/display: Change function decide_dp_link_settings to avoid infinite looping (git-fixes).
- drm/amd/display: Decrement refcount of dc_sink before reassignment (git-fixes).
- drm/amd/display: Fix 10/12 bpc setup in DCE output bit depth reduction (git-fixes).
- drm/amd/display: Fix dc_sink kref count in emulated_link_detect (git-fixes).
- drm/amd/display: Fix HDMI deep color output for DCE 6-11 (git-fixes).
- drm/amd/display: Free atomic state after drm_atomic_commit (git-fixes).
- drm/amd/display: Revert "Fix EDID parsing after resume from suspend" (git-fixes).
- drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if condition (git-fixes).
- drm/fb-helper: Add missed unlocks in setcmap_legacy() (git-fixes).
- drm/gma500: Fix error return code in psb_driver_load() (git-fixes).
- drm/meson: Unbind all connectors on module removal (bsc#1152472)
- drm/sun4i: dw-hdmi: always set clock rate (bsc#1152472)
- drm/sun4i: dw-hdmi: Fix max. frequency for H6 (bsc#1152472)
- drm/sun4i: Fix H6 HDMI PHY configuration (bsc#1152472)
- drm/sun4i: tcon: set sync polarity for tcon1 channel (bsc#1152472)
- drm/vc4: hvs: Fix buffer overflow with the dlist handling (bsc#1152489)
- Drop HID logitech patch that caused a regression (bsc#1182259)
- exec: Always set cap_ambient in cap_bprm_set_creds (git-fixes).
- exfat: Avoid allocating upcase table using kcalloc() (git-fixes).
- ext4: do not remount read-only with errors=continue on reboot (bsc#1182464).
- ext4: fix a memory leak of ext4_free_data (bsc#1182447).
- ext4: fix bug for rename with RENAME_WHITEOUT (bsc#1182449).
- ext4: fix deadlock with fs freezing and EA inodes (bsc#1182463).
- ext4: fix superblock checksum failure when setting password salt (bsc#1182465).
- ext4: prevent creating duplicate encrypted filenames (bsc#1182446).
- fgraph: Initialize tracing_graph_pause at task creation (git-fixes).
- firmware_loader: align .builtin_fw to 8 (git-fixes).
- fscrypt: add fscrypt_is_nokey_name() (bsc#1182446).
- fscrypt: rename DCACHE_ENCRYPTED_NAME to DCACHE_NOKEY_NAME (bsc#1182446).
- fs: fix lazytime expiration handling in __writeback_single_inode() (bsc#1182466).
- gma500: clean up error handling in init (git-fixes).
- gpio: pcf857x: Fix missing first interrupt (git-fixes).
- HID: core: detect and skip invalid inputs to snto32() (git-fixes).
- HID: make arrays usage and value to be the same (git-fixes).
- HID: wacom: Ignore attempts to overwrite the touch_max value from HID (git-fixes).
- hwrng: timeriomem - Fix cooldown period calculation (git-fixes).
- i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition (git-fixes).
- i2c: iproc: handle only slave interrupts which are enabled (git-fixes).
- i2c: mediatek: Move suspend and resume handling to NOIRQ phase (git-fixes).
- i2c: stm32f7: fix configuration of the digital filter (git-fixes).
- i3c: master: dw: Drop redundant disec call (git-fixes).
- i40e: acquire VSI pointer only after VF is initialized (jsc#SLE-8025).
- i40e: avoid premature Rx buffer reuse (git-fixes).
- i40e: Fix Error I40E_AQ_RC_EINVAL when removing VFs (git-fixes).
- i40e: Fix MAC address setting for a VF via Host/VM (git-fixes).
- i40e: Fix removing driver while bare-metal VFs pass traffic (git-fixes).
- i40e: Revert "i40e: do not report link up for a VF who hasn't enabled queues" (jsc#SLE-8025).
- iavf: fix double-release of rtnl_lock (git-fixes).
- iavf: fix error return code in iavf_init_get_resources() (git-fixes).
- iavf: fix speed reporting over virtchnl (git-fixes).
- iavf: Fix updating statistics (git-fixes).
- ibmvnic: add memory barrier to protect long term buffer (bsc#1182485 ltc#191591).
- ibmvnic: change IBMVNIC_MAX_IND_DESCS to 16 (bsc#1182485 ltc#191591).
- ibmvnic: Clean up TX code and TX buffer data structure (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Clear failover_pending if unable to schedule (bsc#1181960 ltc#190997).
- ibmvnic: compare adapter->init_done_rc with more readable ibmvnic_rc_codes (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Correctly re-enable interrupts in NAPI polling routine (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: create send_control_ip_offload (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: create send_query_ip_offload (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: device remove has higher precedence over reset (bsc#1065729).
- ibmvnic: Do not replenish RX buffers after every polling loop (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Ensure that CRQ entry read are correctly ordered (bsc#1182485 ltc#191591).
- ibmvnic: Ensure that device queue memory is cache-line aligned (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Ensure that SCRQ entry reads are correctly ordered (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: fix a race between open and reset (bsc#1176855 ltc#187293).
- ibmvnic: fix login buffer memory leak (bsc#1081134 ltc#164631).
- ibmvnic: fix NULL pointer dereference in ibmvic_reset_crq (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: fix rx buffer tracking and index management in replenish_rx_pool partial success (bsc#1179929 ltc#189960).
- ibmvnic: Fix TX completion error handling (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Fix use-after-free of VNIC login response buffer (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: handle inconsistent login with reset (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Harden device Command Response Queue handshake (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: improve ibmvnic_init and ibmvnic_reset_init (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Introduce batched RX buffer descriptor transmission (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Introduce indirect subordinate Command Response Queue buffer (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Introduce xmit_more support using batched subCRQ hcalls (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: merge ibmvnic_reset_init and ibmvnic_init (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: no reset timeout for 5 seconds after reset (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: reduce wait for completion time (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: remove never executed if statement (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Remove send_subcrq function (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: rename ibmvnic_send_req_caps to send_request_cap (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: rename send_cap_queries to send_query_cap (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: rename send_map_query to send_query_map (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: send_login should check for crq errors (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: serialize access to work queue on remove (bsc#1065729).
- ibmvnic: Set to CLOSED state even on error (bsc#1084610 ltc#165122 git-fixes).
- ibmvnic: skip send_request_unmap for timeout reset (bsc#1182485 ltc#191591).
- ibmvnic: skip tx timeout reset while in resetting (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: stop free_all_rwi on failed reset (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: store RX and TX subCRQ handle array in ibmvnic_adapter struct (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: track pending login (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: update MAINTAINERS (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ibmvnic: Use netdev_alloc_skb instead of alloc_skb to replenish RX buffers (jsc#SLE-17043 bsc#1179243 ltc#189290).
- ice: Do not allow more channels than LAN MSI-X available (jsc#SLE-7926).
- ice: Fix MSI-X vector fallback logic (jsc#SLE-7926).
- igc: check return value of ret_val in igc_config_fc_after_link_up (git-fixes).
- igc: fix link speed advertising (git-fixes).
- igc: Fix returning wrong statistics (git-fixes).
- igc: Report speed and duplex as unknown when device is runtime suspended (git-fixes).
- igc: set the default return value to -IGC_ERR_NVM in igc_write_nvm_srwr (git-fixes).
- include/linux/memremap.h: remove stale comments (git-fixes).
- Input: elo - fix an error code in elo_connect() (git-fixes).
- Input: i8042 - unbreak Pegatron C15B (git-fixes).
- Input: joydev - prevent potential read overflow in ioctl (git-fixes).
- Input: sur40 - fix an error code in sur40_probe() (git-fixes).
- Input: xpad - sync supported devices with fork on GitHub (git-fixes).
- iwlwifi: mvm: do not send RFH_QUEUE_CONFIG_CMD with no queues (git-fixes).
- iwlwifi: mvm: guard against device removal in reprobe (git-fixes).
- iwlwifi: mvm: invalidate IDs of internal stations at mvm start (git-fixes).
- iwlwifi: mvm: skip power command when unbinding vif during CSA (git-fixes).
- iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time() (git-fixes).
- iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap (git-fixes).
- iwlwifi: pcie: fix context info memory leak (git-fixes).
- iwlwifi: pcie: reschedule in long-running memory reads (git-fixes).
- iwlwifi: pcie: use jiffies for memory read spin time limit (git-fixes).
- ixgbe: avoid premature Rx buffer reuse (git-fixes).
- ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K (git-fixes).
- kABI: Fix kABI after AMD SEV PCID fixes (bsc#1178995).
- kABI: Fix kABI after modifying struct __call_single_data (bsc#1180846).
- kABI: Fix kABI for extended APIC-ID support (bsc#1181259, jsc#ECO-3191).
- kABI: repair, after "nVMX: Emulate MTF when performing instruction emulation". kvm_x86_ops is part of kABI as it's used by LTTng. But it's only read and never allocated in there, so growing it (without altering existing members' offsets) is fine.
- kernel-binary.spec: Add back initrd and image symlink ghosts to filelist (bsc#1182140). Fixes: 76a9256314c3 ("rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).")
- kernel/smp: add boot parameter for controlling CSD lock debugging (bsc#1180846).
- kernel/smp: add more data to CSD lock debugging (bsc#1180846).
- kernel/smp: prepare more CSD lock debugging (bsc#1180846).
- kernel/smp: Provide CSD lock timeout diagnostics (bsc#1180846).
- KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch (bsc#1181818).
- KVM: arm64: Remove S1PTW check from kvm_vcpu_dabt_iswrite() (bsc#1181818).
- KVM: nVMX: do not clear mtf_pending when nested events are blocked (bsc#1182489).
- KVM: nVMX: Emulate MTF when performing instruction emulation (bsc#1182380).
- KVM: nVMX: Handle pending #DB when injecting INIT VM-exit. Pulling in as a dependency of: "KVM: nVMX: Emulate MTF when performing instruction emulation" (bsc#1182380).
- KVM: SVM: Update cr3_lm_rsvd_bits for AMD SEV guests (bsc#1178995).
- KVM: tracing: Fix unmatched kvm_entry and kvm_exit events (bsc#1182770).
- KVM: VMX: Condition ENCLS-exiting enabling on CPU support for SGX1 (bsc#1182798).
- KVM: x86: Allocate new rmap and large page tracking when moving memslot (bsc#1182800).
- KVM: x86: allow KVM_STATE_NESTED_MTF_PENDING in kvm_state flags (bsc#1182490).
- KVM: x86: clear stale x86_emulate_ctxt->intercept value (bsc#1182381).
- KVM: x86: do not notify userspace IOAPIC on edge-triggered interrupt EOI (bsc#1182374).
- KVM: x86: Gracefully handle __vmalloc() failure during VM allocation (bsc#1182801).
- KVM: x86: Introduce cr3_lm_rsvd_bits in kvm_vcpu_arch (bsc#1178995).
- KVM: x86: remove stale comment from struct x86_emulate_ctxt (bsc#1182406).
- libnvdimm/dimm: Avoid race between probe and available_slots_show() (bsc#1170442).
- lib/vsprintf: no_hash_pointers prints all addresses as unhashed (bsc#1182599).
- linux/clk.h: use correct kernel-doc notation for 2 functions (git-fixes).
- mac80211: 160MHz with extended NSS BW in CSA (git-fixes).
- mac80211: fix fast-rx encryption check (git-fixes).
- mac80211: fix potential overflow when multiplying to u32 integers (git-fixes).
- mac80211: pause TX while changing interface type (git-fixes).
- macros.kernel-source: Use spec_install_pre for certificate installation (boo#1182672). Since rpm 4.16 files installed during build phase are lost.
- MAINTAINERS: remove John Allen from ibmvnic (jsc#SLE-17043 bsc#1179243 ltc#189290).
- matroxfb: avoid -Warray-bounds warning (bsc#1152472)
- media: aspeed: fix error return code in aspeed_video_setup_video() (git-fixes).
- media: camss: missing error code in msm_video_register() (git-fixes).
- media: cx25821: Fix a bug when reallocating some dma memory (git-fixes).
- media: em28xx: Fix use-after-free in em28xx_alloc_urbs (git-fixes).
- media: i2c: ov5670: Fix PIXEL_RATE minimum value (git-fixes).
- media: ipu3-cio2: Fix mbus_code processing in cio2_subdev_set_fmt() (git-fixes).
- media: lmedm04: Fix misuse of comma (git-fixes).
- media: media/pci: Fix memleak in empress_init (git-fixes).
- media: mt9v111: Remove unneeded device-managed puts (git-fixes).
- media: pwc: Use correct device for DMA (bsc#1181133).
- media: pxa_camera: declare variable when DEBUG is defined (git-fixes).
- media: qm1d1c0042: fix error return code in qm1d1c0042_init() (git-fixes).
- media: software_node: Fix refcounts in software_node_get_next_child() (git-fixes).
- media: tm6000: Fix memleak in tm6000_start_stream (git-fixes).
- media: vsp1: Fix an error handling path in the probe function (git-fixes).
- mei: hbm: call mei_set_devstate() on hbm stop response (git-fixes).
- memory: ti-aemif: Drop child node when jumping out loop (git-fixes).
- mfd: bd9571mwv: Use devm_mfd_add_devices() (git-fixes).
- mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() (git-fixes).
- misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users (git-fixes).
- misc: eeprom_93xx46: Fix module alias to enable module autoprobe (git-fixes).
- mlxsw: core: Add validation of transceiver temperature thresholds (git-fixes).
- mlxsw: core: Fix memory leak on module removal (git-fixes).
- mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() (git-fixes).
- mlxsw: core: Free EMAD transactions using kfree_rcu() (git-fixes).
- mlxsw: core: Increase critical threshold for ASIC thermal zone (git-fixes).
- mlxsw: core: Increase scope of RCU read-side critical section (git-fixes).
- mlxsw: core: Use variable timeout for EMAD retries (git-fixes).
- mlxsw: spectrum_acl: Fix mlxsw_sp_acl_tcam_group_add()'s error path (git-fixes).
- mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails (git-fixes).
- mmc: core: Limit retries when analyse of SDIO tuples fails (git-fixes).
- mmc: renesas_sdhi_internal_dmac: Fix DMA buffer alignment from 8 to 128-bytes (git-fixes).
- mmc: sdhci-sprd: Fix some resource leaks in the remove function (git-fixes).
- mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe (git-fixes).
- mm/pmem: avoid inserting hugepage PTE entry with fsdax if hugepage support is disabled (bsc#1181896 ltc#191273).
- mm: proc: Invalidate TLB after clearing soft-dirty page state (bsc#1163776 ltc#183929 git-fixes).
- mm: thp: kABI: move the added flag to the end of enum (bsc#1181896 ltc#191273).
- mt76: dma: fix a possible memory leak in mt76_add_fragment() (git-fixes).
- net: ag71xx: add missed clk_disable_unprepare in error path of probe (git-fixes).
- net: axienet: Fix error return code in axienet_probe() (git-fixes).
- net: bcmgenet: Fix WoL with password after deep sleep (git-fixes).
- net: bcmgenet: keep MAC in reset until PHY is up (git-fixes).
- net: bcmgenet: re-remove bcmgenet_hfb_add_filter (git-fixes).
- net: bcmgenet: set Rx mode before starting netif (git-fixes).
- net: bcmgenet: use hardware padding of runt frames (git-fixes).
- net: broadcom CNIC: requires MMU (git-fixes).
- net: caif: Fix debugfs on 64-bit platforms (git-fixes).
- net/cxgb4: Check the return from t4_query_params properly (git-fixes).
- net: cxgb4: fix return error value in t4_prep_fw (git-fixes).
- net: dsa: bcm_sf2: Fix overflow checks (git-fixes).
- net: dsa: lantiq_gswip: fix and improve the unsupported interface error (git-fixes).
- net: dsa: mt7530: Change the LINK bit to reflect the link status (git-fixes).
- net: dsa: mt7530: set CPU port to fallback mode (git-fixes).
- net: ena: set initial DMA width to avoid intel iommu issue (git-fixes).
- net: ethernet: ave: Fix error returns in ave_init (git-fixes).
- net: ethernet: mlx4: Avoid assigning a value to ring_cons but not used it anymore in mlx4_en_xmit() (git-fixes).
- net: ethernet: ti: ale: fix allmulti for nu type ale (git-fixes).
- net: ethernet: ti: ale: fix seeing unreg mcast packets with promisc and allmulti disabled (git-fixes).
- net: ethernet: ti: ale: modify vlan/mdb api for switchdev (git-fixes).
- net: ethernet: ti: cpsw: allow untagged traffic on host port (git-fixes).
- net: ethernet: ti: fix some return value check of cpsw_ale_create() (git-fixes).
- net: gemini: Fix missing clk_disable_unprepare() in error path of gemini_ethernet_port_probe() (git-fixes).
- net: gro: do not keep too many GRO packets in napi->rx_list (bsc#1154353).
- net: hns3: add a check for queue_id in hclge_reset_vf_queue() (git-fixes).
- net: hns3: add a missing uninit debugfs when unload driver (git-fixes).
- net: hns3: add reset check for VF updating port based VLAN (git-fixes).
- net: hns3: clear port base VLAN when unload PF (git-fixes).
- net: hns3: fix aRFS FD rules leftover after add a user FD rule (git-fixes).
- net: hns3: fix a TX timeout issue (git-fixes).
- net: hns3: fix desc filling bug when skb is expanded or lineared (git-fixes).
- net: hns3: fix for mishandle of asserting VF reset fail (git-fixes).
- net: hns3: fix for VLAN config when reset failed (git-fixes).
- net: hns3: fix RSS config lost after VF reset (git-fixes).
- net: hns3: fix set and get link ksettings issue (git-fixes).
- net: hns3: fix "tc qdisc del" failed issue (git-fixes).
- net: hns3: fix the number of queues actually used by ARQ (git-fixes).
- net: hns3: fix use-after-free when doing self test (git-fixes).
- net: hns3: fix VF VLAN table entries inconsistent issue (git-fixes).
- net: hns: fix return value check in __lb_other_process() (git-fixes).
- net: lpc-enet: fix error return code in lpc_mii_init() (git-fixes).
- net: macb: fix call to pm_runtime in the suspend/resume functions (git-fixes).
- net: macb: fix wakeup test in runtime suspend/resume routines (git-fixes).
- net: macb: mark device wake capable when "magic-packet" property present (git-fixes).
- net/mlx4_core: fix a memory leak bug (git-fixes).
- net/mlx4_core: Fix init_hca fields offset (git-fixes).
- net/mlx4_en: Avoid scheduling restart task if it is already running (bsc#1181854).
- net/mlx4_en: Handle TX error CQE (bsc#1181854).
- net/mlx5: Add handling of port type in rule deletion (git-fixes).
- net/mlx5: Annotate mutex destroy for root ns (git-fixes).
- net/mlx5: Clear LAG notifier pointer after unregister (git-fixes).
- net/mlx5: Disable QoS when min_rates on all VFs are zero (git-fixes).
- net/mlx5: Do not call timecounter cyc2time directly from 1PPS flow (git-fixes).
- net/mlx5: Do not maintain a case of del_sw_func being null (git-fixes).
- net/mlx5e: Correctly handle changing the number of queues when the interface is down (git-fixes).
- net/mlx5e: Do not trigger IRQ multiple times on XSK wakeup to avoid WQ overruns (git-fixes).
- net/mlx5e: en_accel, Add missing net/geneve.h include (git-fixes).
- net/mlx5e: Encapsulate updating netdev queues into a function (git-fixes).
- net/mlx5e: E-switch, Fix rate calculation for overflow (jsc#SLE-8464).
- net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq (git-fixes).
- net/mlx5e: Fix configuration of XPS cpumasks and netdev queues in corner cases (git-fixes).
- net/mlx5e: Fix endianness handling in pedit mask (git-fixes).
- net/mlx5e: Fix error path of device attach (git-fixes).
- net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups (git-fixes).
- net/mlx5e: Fix two double free cases (git-fixes).
- net/mlx5e: Fix VLAN cleanup flow (git-fixes).
- net/mlx5e: Fix VLAN create flow (git-fixes).
- net/mlx5e: Get the latest values from counters in switchdev mode (git-fixes).
- net/mlx5e: IPoIB, Drop multicast packets that this interface sent (git-fixes).
- net/mlx5e: kTLS, Fix wrong value in record tracker enum (git-fixes).
- net/mlx5e: Reduce tc unsupported key print level (git-fixes).
- net/mlx5e: Rename hw_modify to preactivate (git-fixes).
- net/mlx5e: Set of completion request bit should not clear other adjacent bits (git-fixes).
- net/mlx5: E-switch, Destroy TSAR after reload interface (git-fixes).
- net/mlx5: E-Switch, Hold mutex when querying drop counter in legacy mode (git-fixes).
- net/mlx5: E-Switch, Use vport metadata matching by default (git-fixes).
- net/mlx5: E-Switch, Use vport metadata matching only when mandatory (git-fixes).
- net/mlx5e: Use preactivate hook to set the indirection table (git-fixes).
- net/mlx5e: vxlan: Use RCU for vxlan table lookup (git-fixes).
- net/mlx5: Fix a bug of using ptp channel index as pin index (git-fixes).
- net/mlx5: Fix deletion of duplicate rules (git-fixes).
- net/mlx5: Fix failing fw tracer allocation on s390 (git-fixes).
- net/mlx5: Fix memory leak on flow table creation error flow (git-fixes).
- net/mlx5: Fix request_irqs error flow (git-fixes).
- net/mlx5: Fix wrong address reclaim when command interface is down (git-fixes).
- net/mlx5: Query PPS pin operational status before registering it (git-fixes).
- net/mlx5: Verify Hardware supports requested ptp function on a given pin (git-fixes).
- net: moxa: Fix a potential double 'free_irq()' (git-fixes).
- net: mscc: ocelot: ANA_AUTOAGE_AGE_PERIOD holds a value in seconds, not ms (git-fixes).
- net: mscc: ocelot: fix address ageing time (again) (git-fixes).
- net: mscc: ocelot: properly account for VLAN header length when setting MRU (git-fixes).
- net: mvpp2: Add TCAM entry to drop flow control pause frames (git-fixes).
- net: mvpp2: disable force link UP during port init procedure (git-fixes).
- net: mvpp2: Fix error return code in mvpp2_open() (git-fixes).
- net: mvpp2: Fix GoP port 3 Networking Complex Control configurations (git-fixes).
- net: mvpp2: fix memory leak in mvpp2_rx (git-fixes).
- net: mvpp2: fix pkt coalescing int-threshold configuration (git-fixes).
- net: mvpp2: prs: fix PPPoE with ipv6 packet parse (git-fixes).
- net: mvpp2: Remove Pause and Asym_Pause support (git-fixes).
- net: mvpp2: TCAM entry enable should be written after SRAM data (git-fixes).
- net: netsec: Correct dma sync for XDP_TX frames (git-fixes).
- net: nixge: fix potential memory leak in nixge_probe() (git-fixes).
- net: octeon: mgmt: Repair filling of RX ring (git-fixes).
- net: phy: at803x: use operating parameters from PHY-specific status (git-fixes).
- net: phy: extract link partner advertisement reading (git-fixes).
- net: phy: extract pause mode (git-fixes).
- net: phy: marvell10g: fix null pointer dereference (git-fixes).
- net: phy: marvell10g: fix temperature sensor on 2110 (git-fixes).
- net: phy: read MII_CTRL1000 in genphy_read_status only if needed (git-fixes).
- net: qca_spi: fix receive buffer size check (git-fixes).
- net: qca_spi: Move reset_count to struct qcaspi (git-fixes).
- net: qede: fix PTP initialization on recovery (git-fixes).
- net: qede: fix use-after-free on recovery and AER handling (git-fixes).
- net: qede: stop adding events on an already destroyed workqueue (git-fixes).
- net: qed: fix async event callbacks unregistering (git-fixes).
- net: qed: fix excessive QM ILT lines consumption (git-fixes).
- net: qed: fix "maybe uninitialized" warning (git-fixes).
- net: qed: fix NVMe login fails over VFs (git-fixes).
- net: qed: RDMA personality shouldn't fail VF load (git-fixes).
- net: re-solve some conflicts after net -> net-next merge (bsc#1176855 ltc#187293).
- net: rmnet: do not allow to add multiple bridge interfaces (git-fixes).
- net: rmnet: do not allow to change mux id if mux id is duplicated (git-fixes).
- net: rmnet: fix bridge mode bugs (git-fixes).
- net: rmnet: fix lower interface leak (git-fixes).
- net: rmnet: fix NULL pointer dereference in rmnet_changelink() (git-fixes).
- net: rmnet: fix NULL pointer dereference in rmnet_newlink() (git-fixes).
- net: rmnet: fix packet forwarding in rmnet bridge mode (git-fixes).
- net: rmnet: fix suspicious RCU usage (git-fixes).
- net: rmnet: print error message when command fails (git-fixes).
- net: rmnet: remove rcu_read_lock in rmnet_force_unassociate_device() (git-fixes).
- net: rmnet: use upper/lower device infrastructure (git-fixes).
- net, sctp, filter: remap copy_from_user failure error (bsc#1181637).
- net: smc91x: Fix possible memory leak in smc_drv_probe() (git-fixes).
- net/sonic: Add mutual exclusion for accessing shared state (git-fixes).
- net: stmmac: 16KB buffer must be 16 byte aligned (git-fixes).
- net: stmmac: Always arm TX Timer at end of transmission start (git-fixes).
- net: stmmac: Do not accept invalid MTU values (git-fixes).
- net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes (git-fixes).
- net: stmmac: Enable 16KB buffer size (git-fixes).
- net: stmmac: fix disabling flexible PPS output (git-fixes).
- net: stmmac: fix length of PTP clock's name string (git-fixes).
- net: stmmac: Fix the TX IOC in xmit path (git-fixes).
- net: stmmac: RX buffer size must be 16 byte aligned (git-fixes).
- net: stmmac: selftests: Flow Control test can also run with ASYM Pause (git-fixes).
- net: stmmac: selftests: Needs to check the number of Multicast regs (git-fixes).
- net: stmmac: xgmac: Clear previous RX buffer size (git-fixes).
- net: sun: fix missing release regions in cas_init_one() (git-fixes).
- net: team: fix memory leak in __team_options_register (git-fixes).
- net: thunderx: initialize VF's mailbox mutex before first usage (git-fixes).
- net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family (git-fixes).
- net: usb: qmi_wwan: Adding support for Cinterion MV31 (git-fixes).
- nvme-hwmon: rework to avoid devm allocation (bsc#1177326).
- nvme-multipath: Early exit if no path is available (bsc#1180964).
- nvme: re-read ANA log on NS CHANGED AEN (bsc#1179137).
- nvmet-tcp: Fix NULL dereference when a connect data comes in h2cdata pdu (bsc#1182547).
- objtool: Do not fail on missing symbol table (bsc#1169514).
- perf/x86/intel/uncore: Factor out uncore_pci_find_dev_pmu() (bsc#1180989).
- perf/x86/intel/uncore: Factor out uncore_pci_get_dev_die_info() (bsc#1180989).
- perf/x86/intel/uncore: Factor out uncore_pci_pmu_register() (bsc#1180989).
- perf/x86/intel/uncore: Factor out uncore_pci_pmu_unregister() (bsc#1180989).
- perf/x86/intel/uncore: Generic support for the PCI sub driver (bsc#1180989).
- perf/x86/intel/uncore: Store the logical die id instead of the physical die id (bsc#1180989).
- perf/x86/intel/uncore: With > 8 nodes, get pci bus die id from NUMA info (bsc#1180989).
- phy: cpcap-usb: Fix warning for missing regulator_disable (git-fixes).
- phy: rockchip-emmc: emmc_phy_init() always return 0 (git-fixes).
- platform/x86: hp-wmi: Disable tablet-mode reporting by default (git-fixes).
- platform/x86: intel-vbtn: Support for tablet mode on Dell Inspiron 7352 (git-fixes).
- platform/x86: touchscreen_dmi: Add swap-x-y quirk for Goodix touchscreen on Estar Beauty HD tablet (git-fixes).
- powerpc/book3s64/hash: Add cond_resched to avoid soft lockup warning (bsc#1182571 ltc#191345).
- powerpc/boot: Delete unneeded .globl _zimage_start (bsc#1156395).
- powerpc: Fix alignment bug within the init sections (bsc#1065729).
- powerpc/fpu: Drop cvt_fd() and cvt_df() (bsc#1156395).
- powerpc/hvcall: add token and codes for H_VASI_SIGNAL (bsc#1181674 ltc#189159).
- powerpc: kABI: add back suspend_disable_cpu in machdep_calls (bsc#1181674 ltc#189159).
- powerpc/machdep: remove suspend_disable_cpu() (bsc#1181674 ltc#189159).
- powerpc/mm/pkeys: Make pkey access check work on execute_only_key (bsc#1181544 ltc#191080 git-fixes).
- powerpc/numa: Fix build when CONFIG_NUMA=n (bsc#1132477 ltc#175530).
- powerpc/numa: make vphn_enabled, prrn_enabled flags const (bsc#1181674 ltc#189159).
- powerpc/numa: remove ability to enable topology updates (bsc#1181674 ltc#189159).
- powerpc/numa: remove arch_update_cpu_topology (bsc#1181674 ltc#189159).
- powerpc/numa: Remove late request for home node associativity (bsc#1181674 ltc#189159).
- powerpc/numa: remove prrn_is_enabled() (bsc#1181674 ltc#189159).
- powerpc/numa: remove start/stop_topology_update() (bsc#1181674 ltc#189159).
- powerpc/numa: remove timed_topology_update() (bsc#1181674 ltc#189159).
- powerpc/numa: remove unreachable topology timer code (bsc#1181674 ltc#189159).
- powerpc/numa: remove unreachable topology update code (bsc#1181674 ltc#189159).
- powerpc/numa: remove unreachable topology workqueue code (bsc#1181674 ltc#189159).
- powerpc/numa: remove vphn_enabled and prrn_enabled internal flags (bsc#1181674 ltc#189159).
- powerpc/numa: stub out numa_update_cpu_topology() (bsc#1181674 ltc#189159).
- powerpc/perf: Exclude kernel samples while counting events in user space (bsc#1065729).
- powerpc/perf/hv-24x7: Dont create sysfs event files for dummy events (bsc#1182118 ltc#190624).
- powerpc/pkeys: Avoid using lockless page table walk (bsc#1181544 ltc#191080).
- powerpc/pkeys: Check vma before returning key fault error to the user (bsc#1181544 ltc#191080).
- powerpc/powernv/memtrace: Do not leak kernel memory to user space (bsc#1156395).
- powerpc/powernv/memtrace: Fix crashing the kernel when enabling concurrently (bsc#1156395).
- powerpc/powernv/npu: Do not attempt NPU2 setup on POWER8NVL NPU (bsc#1156395).
- powerpc/prom: Fix "ibm,arch-vec-5-platform-support" scan (bsc#1182602 ltc#190924).
- powerpc/pseries/dlpar: handle ibm, configure-connector delay status (bsc#1181985 ltc#188074).
- powerpc/pseries: Do not enforce MSI affinity with kdump (bsc#1181655 ltc#190855).
- powerpc/pseries/eeh: Make pseries_pcibios_bus_add_device() static (bsc#1078720, git-fixes).
- powerpc/pseries: extract host bridge from pci_bus prior to bus removal (bsc#1182171 ltc#190900).
- powerpc/pseries/hibernation: drop pseries_suspend_begin() from suspend ops (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: pass stream id via function arguments (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: perform post-suspend fixups later (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: remove prepare_late() callback (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: remove pseries_suspend_cpu() (bsc#1181674 ltc#189159).
- powerpc/pseries/hibernation: switch to rtas_ibm_suspend_me() (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: add missing break to default case (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: Add pr_debug() for device tree changes (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: do not error on absence of ibm, update-nodes (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: error message improvements (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: extract VASI session polling logic (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: refactor node lookup during DT update (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: retry partition suspend after error (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: Set pr_fmt() (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: signal suspend cancellation to platform (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: use rtas_activate_firmware() on resume (bsc#1181674 ltc#189159).
- powerpc/pseries/mobility: use stop_machine for join/suspend (bsc#1181674 ltc#189159).
- powerpc/pseries/ras: Make init_ras_hotplug_IRQ() static (bsc#1065729 git-fixes).
- powerpc/pseries: remove dlpar_cpu_readd() (bsc#1181674 ltc#189159).
- powerpc/pseries: remove memory "re-add" implementation (bsc#1181674 ltc#189159).
- powerpc/pseries: remove obsolete memory hotplug DT notifier code (bsc#1181674 ltc#189159).
- powerpc/pseries: remove prrn special case from DT update path (bsc#1181674 ltc#189159).
- powerpc/rtas: add rtas_activate_firmware() (bsc#1181674 ltc#189159).
- powerpc/rtas: add rtas_ibm_suspend_me() (bsc#1181674 ltc#189159).
- powerpc/rtas: complete ibm,suspend-me status codes (bsc#1181674 ltc#189159).
- powerpc/rtas: dispatch partition migration requests to pseries (bsc#1181674 ltc#189159).
- powerpc/rtasd: simplify handle_rtas_event(), emit message on events (bsc#1181674 ltc#189159).
- powerpc/rtas: prevent suspend-related sys_rtas use on LE (bsc#1181674 ltc#189159).
- powerpc/rtas: remove rtas_ibm_suspend_me_unsafe() (bsc#1181674 ltc#189159).
- powerpc/rtas: remove rtas_suspend_cpu() (bsc#1181674 ltc#189159).
- powerpc/rtas: remove unused rtas_suspend_last_cpu() (bsc#1181674 ltc#189159).
- powerpc/rtas: remove unused rtas_suspend_me_data (bsc#1181674 ltc#189159).
- powerpc/rtas: rtas_ibm_suspend_me -> rtas_ibm_suspend_me_unsafe (bsc#1181674 ltc#189159).
- power: reset: at91-sama5d2_shdwc: fix wkupdbc mask (git-fixes).
- pseries/drmem: do not cache node id in drmem_lmb struct (bsc#1132477 ltc#175530).
- pseries/hotplug-memory: hot-add: skip redundant LMB lookup (bsc#1132477 ltc#175530).
- qed: fix error return code in qed_iwarp_ll2_start() (git-fixes).
- qed: Fix race condition between scheduling and destroying the slowpath workqueue (git-fixes).
- qed: Populate nvm-file attributes while reading nvm config partition (git-fixes).
- qed: select CONFIG_CRC32 (git-fixes).
- qlcnic: fix missing release in qlcnic_83xx_interrupt_test (git-fixes).
- quota: Fix memory leak when handling corrupted quota file (bsc#1182650).
- quota: Sanity-check quota file headers on load (bsc#1182461).
- r8169: fix resuming from suspend on RTL8105e if machine runs on battery (git-fixes).
- r8169: fix WoL on shutdown if CONFIG_DEBUG_SHIRQ is set (git-fixes).
- rcu/nocb: Perform deferred wake up before last idle's (git-fixes)
- rcu/nocb: Trigger self-IPI on late deferred wake up before (git-fixes)
- rcu: Pull deferred rcuog wake up to rcu_eqs_enter() callers (git-fixes)
- RDMA/efa: Add EFA 0xefa1 PCI ID (bsc#1176248).
- RDMA/efa: Count admin commands errors (bsc#1176248).
- RDMA/efa: Count mmap failures (bsc#1176248).
- RDMA/efa: Do not delay freeing of DMA pages (bsc#1176248).
- RDMA/efa: Drop double zeroing for sg_init_table() (bsc#1176248).
- RDMA/efa: Expose maximum TX doorbell batch (bsc#1176248).
- RDMA/efa: Expose minimum SQ size (bsc#1176248).
- RDMA/efa: Fix setting of wrong bit in get/set_feature commands (bsc#1176248).
- RDMA/efa: Properly document the interrupt mask register (bsc#1176248).
- RDMA/efa: Remove redundant udata check from alloc ucontext response (bsc#1176248).
- RDMA/efa: Report create CQ error counter (bsc#1176248).
- RDMA/efa: Report host information to the device (bsc#1176248).
- RDMA/efa: Unified getters/setters for device structs bitmask access (bsc#1176248).
- RDMA/efa: Use in-kernel offsetofend() to check field availability (bsc#1176248).
- RDMA/efa: User/kernel compatibility handshake mechanism (bsc#1176248).
- RDMA/efa: Use the correct current and new states in modify QP (git-fixes).
- regulator: axp20x: Fix reference cout leak (git-fixes).
- regulator: core: Avoid debugfs: Directory ... already present! error (git-fixes).
- regulator: core: avoid regulator_resolve_supply() race condition (git-fixes).
- regulator: Fix lockdep warning resolving supplies (git-fixes).
- regulator: s5m8767: Drop regulators OF node reference (git-fixes).
- regulator: s5m8767: Fix reference count leak (git-fixes).
- reiserfs: add check for an invalid ih_entry_count (bsc#1182462).
- reset: hisilicon: correct vendor prefix (git-fixes).
- Revert "ibmvnic: remove never executed if statement" (jsc#SLE-17043 bsc#1179243 ltc#189290).
- Revert "net: bcmgenet: remove unused function in bcmgenet.c" (git-fixes).
- Revert "platform/x86: ideapad-laptop: Switch touchpad attribute to be RO" (git-fixes).
- Revert "RDMA/mlx5: Fix devlink deadlock on net namespace deletion" (jsc#SLE-8464).
- rpm/kernel-subpackage-build: Workaround broken bot (https://github.com/openSUSE/openSUSE-release-tools/issues/2439)
- rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058)
- rtc: s5m: select REGMAP_I2C (git-fixes).
- rxrpc: Fix memory leak in rxrpc_lookup_local (bsc#1154353 bnc#1151927 5.3.9).
- s390/vfio-ap: clean up vfio_ap resources when KVM pointer invalidated (git-fixes).
- s390/vfio-ap: No need to disable IRQ after queue reset (git-fixes).
- sched: Reenable interrupts in do_sched_yield() (git-fixes)
- scsi: lpfc: Fix EEH encountering oops with NVMe traffic (bsc#1181958).
- sh_eth: check sh_eth_cpu_data::cexcr when dumping registers (git-fixes).
- sh_eth: check sh_eth_cpu_data::no_tx_cntrs when dumping registers (git-fixes).
- sh_eth: check sh_eth_cpu_data::no_xdfar when dumping registers (git-fixes).
- smp: Add source and destination CPUs to __call_single_data (bsc#1180846).
- smsc95xx: avoid memory leak in smsc95xx_bind (git-fixes).
- smsc95xx: check return value of smsc95xx_reset (git-fixes).
- soc: aspeed: snoop: Add clock control logic (git-fixes).
- spi: atmel: Put allocated master before return (git-fixes).
- spi: pxa2xx: Fix the controller numbering for Wildcat Point (git-fixes).
- spi: spi-synquacer: fix set_cs handling (git-fixes).
- spi: stm32: properly handle 0 byte transfer (git-fixes).
- squashfs: add more sanity checks in id lookup (git-fixes bsc#1182266).
- squashfs: add more sanity checks in inode lookup (git-fixes bsc#1182267).
- squashfs: add more sanity checks in xattr id lookup (git-fixes bsc#1182268).
- staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules (git-fixes).
- target: disallow emulate_legacy_capacity with RBD object-map (bsc#1177109).
- team: set dev->needed_headroom in team_setup_by_port() (git-fixes).
- tpm: Remove tpm_dev_wq_lock (git-fixes).
- tpm_tis: Clean up locality release (git-fixes).
- tpm_tis: Fix check_locality for correct locality acquisition (git-fixes).
- tracing: Check length before giving out the filter buffer (git-fixes).
- tracing: Do not count ftrace events in top level enable output (git-fixes).
- tracing/kprobe: Fix to support kretprobe events on unloaded modules (git-fixes).
- tracing/kprobes: Do the notrace functions check without kprobes on ftrace (git-fixes).
- tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS (git-fixes).
- ubifs: Fix error return code in ubifs_init_authentication() (bsc#1182459).
- ubifs: Fix ubifs_tnc_lookup() usage in do_kill_orphans() (bsc#1182454).
- ubifs: prevent creating duplicate encrypted filenames (bsc#1182457).
- ubifs: ubifs_add_orphan: Fix a memory leak bug (bsc#1182456).
- ubifs: ubifs_jnl_write_inode: Fix a memory leak bug (bsc#1182455).
- ubifs: wbuf: Do not leak kernel memory to flash (bsc#1182458).
- Update config files: activate CONFIG_CSD_LOCK_WAIT_DEBUG for x86 (bsc#1180846).
- Update config files: Set ledtrig-default-on as builtin (bsc#1182128)
- USB: dwc2: Abort transaction after errors with unknown reason (git-fixes).
- USB: dwc2: Fix endpoint direction check in ep_from_windex (git-fixes).
- USB: dwc2: Make "trimming xfer length" a debug message (git-fixes).
- USB: dwc3: fix clock issue during resume in OTG mode (git-fixes).
- USB: gadget: legacy: fix an error code in eth_bind() (git-fixes).
- USB: gadget: u_audio: Free requests only after callback (git-fixes).
- USB: mUSB: Fix runtime PM race in musb_queue_resume_work (git-fixes).
- USB: quirks: add quirk to start video capture on ELMO L-12F document camera reliable (git-fixes).
- USB: quirks: sort quirk entries (git-fixes).
- USB: renesas_usbhs: Clear pipe running flag in USBhs_pkt_pop() (git-fixes).
- USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000 (git-fixes).
- USB: serial: cp210x: add pid/vid for WSDA-200-USB (git-fixes).
- USB: serial: mos7720: fix error code in mos7720_write() (git-fixes).
- USB: serial: mos7720: improve OOM-handling in read_mos_reg() (git-fixes).
- USB: serial: mos7840: fix error code in mos7840_write() (git-fixes).
- USB: serial: option: Adding support for Cinterion MV31 (git-fixes).
- USB: usblp: do not call usb_set_interface if there's a single alt (git-fixes).
- veth: Adjust hard_start offset on redirect XDP frames (git-fixes).
- vfs: Convert squashfs to use the new mount API (git-fixes bsc#1182265).
- virtio_net: Fix error code in probe() (git-fixes).
- virtio_net: Fix recursive call to cpus_read_lock() (git-fixes).
- virtio_net: Keep vnet header zeroed if XDP is loaded for small buffer (git-fixes).
- virt: vbox: Do not use wait_event_interruptible when called from kernel context (git-fixes).
- vmxnet3: Remove buf_info from device accessible structures (bsc#1181671).
- vxlan: fix memleak of fdb (git-fixes).
- wext: fix NULL-ptr-dereference with cfg80211's lack of commit() (git-fixes).
- writeback: Drop I_DIRTY_TIME_EXPIRE (bsc#1182460).
- x86/alternatives: Sync bp_patching update for avoiding NULL pointer exception (bsc#1152489).
- x86/apic: Add extra serialization for non-serializing MSRs (bsc#1152489).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181259, jsc#ECO-3191).
- x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181259, jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181259, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181259 jsc#ECO-3191).
- x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181259, jsc#ECO-3191).
- xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600).
- xen/netback: fix spurious event detection for common event case (bsc#1182175).
- xfs: ensure inobt record walks always make forward progress (git-fixes bsc#1182272).
- xfs: fix an ABBA deadlock in xfs_rename (git-fixes bsc#1182558).
- xfs: fix parent pointer scrubber bailing out on unallocated inodes (git-fixes bsc#1182276).
- xfs: fix the forward progress assertion in xfs_iwalk_run_callbacks (git-fixes bsc#1182430).
- xfs: fix the minrecs logic when dealing with inode root child blocks (git-fixes bsc#1182273).
- xfs: ratelimit xfs_discard_page messages (bsc#1182283).
- xfs: reduce quota reservation when doing a dax unwritten extent conversion (git-fixes bsc#1182561).
- xfs: return corresponding errcode if xfs_initialize_perag() fail (git-fixes bsc#1182275).
- xfs: scrub should mark a directory corrupt if any entries cannot be iget'd (git-fixes bsc#1182278).
- xfs: strengthen rmap record flags checking (git-fixes bsc#1182271).
- xhci: fix bounce buffer usage for non-sg list case (git-fixes).

The kernel-default-base packaging was changed:

- Added squashfs for kiwi installiso support (bsc#1182341)
- Added fuse (bsc#1182507)
- Added modules which got lost when migrating away from supported.conf (bsc#1182110):
  * am53c974 had a typo
  * cls_bpf, iscsi_ibft, libahci, libata, openvswitch, sch_ingress
- Also added vport-* modules for Open vSwitch

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.0:
  zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-741=1
- SUSE Linux Enterprise Workstation Extension 15-SP2:
  zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-741=1
- SUSE Linux Enterprise Module for Live Patching 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-741=1
- SUSE Linux Enterprise Module for Legacy Software 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2021-741=1
- SUSE Linux Enterprise Module for Development Tools 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-741=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-741=1
- SUSE Linux Enterprise High Availability 15-SP2:
  zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2021-741=1

Package List:

- SUSE MicroOS 5.0 (aarch64 x86_64):
  kernel-default-5.3.18-24.52.1
  kernel-default-base-5.3.18-24.52.1.9.24.1
  kernel-default-debuginfo-5.3.18-24.52.1
  kernel-default-debugsource-5.3.18-24.52.1
- SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):
  kernel-default-debuginfo-5.3.18-24.52.1
  kernel-default-debugsource-5.3.18-24.52.1
  kernel-default-extra-5.3.18-24.52.1
  kernel-default-extra-debuginfo-5.3.18-24.52.1
  kernel-preempt-extra-5.3.18-24.52.1
  kernel-preempt-extra-debuginfo-5.3.18-24.52.1
- SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64):
  kernel-default-debuginfo-5.3.18-24.52.1
  kernel-default-debugsource-5.3.18-24.52.1
  kernel-default-livepatch-5.3.18-24.52.1
  kernel-default-livepatch-devel-5.3.18-24.52.1
  kernel-livepatch-5_3_18-24_52-default-1-5.3.1
  kernel-livepatch-5_3_18-24_52-default-debuginfo-1-5.3.1
  kernel-livepatch-SLE15-SP2_Update_11-debugsource-1-5.3.1
- SUSE Linux Enterprise Module for Legacy Software 15-SP2 (aarch64 ppc64le s390x x86_64):
  kernel-default-debuginfo-5.3.18-24.52.1
  kernel-default-debugsource-5.3.18-24.52.1
  reiserfs-kmp-default-5.3.18-24.52.1
  reiserfs-kmp-default-debuginfo-5.3.18-24.52.1
- SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):
  kernel-obs-build-5.3.18-24.52.1
  kernel-obs-build-debugsource-5.3.18-24.52.1
  kernel-syms-5.3.18-24.52.1
- SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64):
  kernel-preempt-debuginfo-5.3.18-24.52.1
  kernel-preempt-debugsource-5.3.18-24.52.1
  kernel-preempt-devel-5.3.18-24.52.1
  kernel-preempt-devel-debuginfo-5.3.18-24.52.1
- SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch):
  kernel-docs-5.3.18-24.52.1
  kernel-source-5.3.18-24.52.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  kernel-default-5.3.18-24.52.1
  kernel-default-base-5.3.18-24.52.1.9.24.1
  kernel-default-debuginfo-5.3.18-24.52.1
  kernel-default-debugsource-5.3.18-24.52.1
  kernel-default-devel-5.3.18-24.52.1
  kernel-default-devel-debuginfo-5.3.18-24.52.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 x86_64):
  kernel-preempt-5.3.18-24.52.1
  kernel-preempt-debuginfo-5.3.18-24.52.1
  kernel-preempt-debugsource-5.3.18-24.52.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
  kernel-devel-5.3.18-24.52.1
  kernel-macros-5.3.18-24.52.1
- SUSE Linux Enterprise High Availability 15-SP2 (aarch64 ppc64le s390x x86_64):
  cluster-md-kmp-default-5.3.18-24.52.1
  cluster-md-kmp-default-debuginfo-5.3.18-24.52.1
  dlm-kmp-default-5.3.18-24.52.1
  dlm-kmp-default-debuginfo-5.3.18-24.52.1
  gfs2-kmp-default-5.3.18-24.52.1
  gfs2-kmp-default-debuginfo-5.3.18-24.52.1
  kernel-default-debuginfo-5.3.18-24.52.1
  kernel-default-debugsource-5.3.18-24.52.1
  ocfs2-kmp-default-5.3.18-24.52.1
  ocfs2-kmp-default-debuginfo-5.3.18-24.52.1

References:

https://www.suse.com/security/cve/CVE-2020-12362.html
https://www.suse.com/security/cve/CVE-2020-12363.html
https://www.suse.com/security/cve/CVE-2020-12364.html
https://www.suse.com/security/cve/CVE-2020-12373.html
https://www.suse.com/security/cve/CVE-2020-29368.html
https://www.suse.com/security/cve/CVE-2020-29374.html
https://www.suse.com/security/cve/CVE-2021-26930.html
https://www.suse.com/security/cve/CVE-2021-26931.html
https://www.suse.com/security/cve/CVE-2021-26932.html
https://bugzilla.suse.com/1065600
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1078720
https://bugzilla.suse.com/1081134
https://bugzilla.suse.com/1084610
https://bugzilla.suse.com/1132477
https://bugzilla.suse.com/1151927
https://bugzilla.suse.com/1152472
https://bugzilla.suse.com/1152489
https://bugzilla.suse.com/1154353
https://bugzilla.suse.com/1155518
https://bugzilla.suse.com/1156395
https://bugzilla.suse.com/1163776
https://bugzilla.suse.com/1169514
https://bugzilla.suse.com/1170442
https://bugzilla.suse.com/1176248
https://bugzilla.suse.com/1176855
https://bugzilla.suse.com/1177109
https://bugzilla.suse.com/1177326
https://bugzilla.suse.com/1177440
https://bugzilla.suse.com/1177529
https://bugzilla.suse.com/1178142
https://bugzilla.suse.com/1178995
https://bugzilla.suse.com/1179082
https://bugzilla.suse.com/1179137
https://bugzilla.suse.com/1179243
https://bugzilla.suse.com/1179428
https://bugzilla.suse.com/1179660
https://bugzilla.suse.com/1179929
https://bugzilla.suse.com/1180058
https://bugzilla.suse.com/1180846
https://bugzilla.suse.com/1180964
https://bugzilla.suse.com/1180989
https://bugzilla.suse.com/1181133
https://bugzilla.suse.com/1181259
https://bugzilla.suse.com/1181544
https://bugzilla.suse.com/1181574
https://bugzilla.suse.com/1181637
https://bugzilla.suse.com/1181655
https://bugzilla.suse.com/1181671
https://bugzilla.suse.com/1181674
https://bugzilla.suse.com/1181710
https://bugzilla.suse.com/1181720
https://bugzilla.suse.com/1181735
https://bugzilla.suse.com/1181736
https://bugzilla.suse.com/1181738
https://bugzilla.suse.com/1181747
https://bugzilla.suse.com/1181753
https://bugzilla.suse.com/1181818
https://bugzilla.suse.com/1181843
https://bugzilla.suse.com/1181854
https://bugzilla.suse.com/1181896
https://bugzilla.suse.com/1181958
https://bugzilla.suse.com/1181960
https://bugzilla.suse.com/1181985
https://bugzilla.suse.com/1182047
https://bugzilla.suse.com/1182110
https://bugzilla.suse.com/1182118
https://bugzilla.suse.com/1182128
https://bugzilla.suse.com/1182140
https://bugzilla.suse.com/1182171
https://bugzilla.suse.com/1182175
https://bugzilla.suse.com/1182259
https://bugzilla.suse.com/1182265
https://bugzilla.suse.com/1182266
https://bugzilla.suse.com/1182267
https://bugzilla.suse.com/1182268
https://bugzilla.suse.com/1182271
https://bugzilla.suse.com/1182272
https://bugzilla.suse.com/1182273
https://bugzilla.suse.com/1182275
https://bugzilla.suse.com/1182276
https://bugzilla.suse.com/1182278
https://bugzilla.suse.com/1182283
https://bugzilla.suse.com/1182341
https://bugzilla.suse.com/1182374
https://bugzilla.suse.com/1182380
https://bugzilla.suse.com/1182381
https://bugzilla.suse.com/1182406
https://bugzilla.suse.com/1182430
https://bugzilla.suse.com/1182439
https://bugzilla.suse.com/1182441
https://bugzilla.suse.com/1182442
https://bugzilla.suse.com/1182443
https://bugzilla.suse.com/1182444
https://bugzilla.suse.com/1182445
https://bugzilla.suse.com/1182446
https://bugzilla.suse.com/1182447
https://bugzilla.suse.com/1182449
https://bugzilla.suse.com/1182454
https://bugzilla.suse.com/1182455
https://bugzilla.suse.com/1182456
https://bugzilla.suse.com/1182457
https://bugzilla.suse.com/1182458
https://bugzilla.suse.com/1182459
https://bugzilla.suse.com/1182460
https://bugzilla.suse.com/1182461
https://bugzilla.suse.com/1182462
https://bugzilla.suse.com/1182463
https://bugzilla.suse.com/1182464
https://bugzilla.suse.com/1182465
https://bugzilla.suse.com/1182466
https://bugzilla.suse.com/1182485
https://bugzilla.suse.com/1182489
https://bugzilla.suse.com/1182490
https://bugzilla.suse.com/1182507
https://bugzilla.suse.com/1182547
https://bugzilla.suse.com/1182558
https://bugzilla.suse.com/1182560
https://bugzilla.suse.com/1182561
https://bugzilla.suse.com/1182571
https://bugzilla.suse.com/1182599
https://bugzilla.suse.com/1182602
https://bugzilla.suse.com/1182626
https://bugzilla.suse.com/1182650
https://bugzilla.suse.com/1182672
https://bugzilla.suse.com/1182676
https://bugzilla.suse.com/1182683
https://bugzilla.suse.com/1182684
https://bugzilla.suse.com/1182686
https://bugzilla.suse.com/1182770
https://bugzilla.suse.com/1182798
https://bugzilla.suse.com/1182800
https://bugzilla.suse.com/1182801
https://bugzilla.suse.com/1182854
https://bugzilla.suse.com/1182856

From sle-security-updates at lists.suse.com Tue Mar 9 21:19:36 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 22:19:36 +0100 (CET)
Subject: SUSE-SU-2021:0754-1: moderate: Security update for openssl-1_1
Message-ID: <20210309211936.5A37AFD17@maintenance.suse.de>

SUSE Security Update: Security update for openssl-1_1
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:0754-1
Rating: moderate
References: #1182331 #1182333 #1182959
Cross-References: CVE-2021-23840 CVE-2021-23841
CVSS scores:
CVE-2021-23840 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-23840 (SUSE): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
CVE-2021-23841 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-23841 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
SUSE MicroOS 5.0
SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that solves two vulnerabilities and has one errata is now available.

Description:

This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
- Fixed unresolved error codes in FIPS (bsc#1182959).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.0:
  zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-754=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-754=1

Package List:

- SUSE MicroOS 5.0 (aarch64 x86_64):
  libopenssl1_1-1.1.1d-11.17.1
  libopenssl1_1-debuginfo-1.1.1d-11.17.1
  openssl-1_1-1.1.1d-11.17.1
  openssl-1_1-debuginfo-1.1.1d-11.17.1
  openssl-1_1-debugsource-1.1.1d-11.17.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  libopenssl-1_1-devel-1.1.1d-11.17.1
  libopenssl1_1-1.1.1d-11.17.1
  libopenssl1_1-debuginfo-1.1.1d-11.17.1
  libopenssl1_1-hmac-1.1.1d-11.17.1
  openssl-1_1-1.1.1d-11.17.1
  openssl-1_1-debuginfo-1.1.1d-11.17.1
  openssl-1_1-debugsource-1.1.1d-11.17.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):
  libopenssl1_1-32bit-1.1.1d-11.17.1
  libopenssl1_1-32bit-debuginfo-1.1.1d-11.17.1
  libopenssl1_1-hmac-32bit-1.1.1d-11.17.1

References:

https://www.suse.com/security/cve/CVE-2021-23840.html
https://www.suse.com/security/cve/CVE-2021-23841.html
https://bugzilla.suse.com/1182331
https://bugzilla.suse.com/1182333
https://bugzilla.suse.com/1182959

From sle-security-updates at lists.suse.com Tue Mar 9 21:20:59 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 22:20:59 +0100 (CET)
Subject: SUSE-SU-2021:0736-1: important: Security update for the Linux Kernel
Message-ID: <20210309212059.9495CFD17@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:0736-1
Rating: important
References: #1065600 #1163592 #1176831 #1178401 #1178762 #1179014 #1179015 #1179045 #1179082 #1179428 #1179660 #1180058 #1180906 #1181441 #1181747 #1181753 #1181843 #1182140 #1182175
Cross-References: CVE-2020-29368 CVE-2020-29374 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932
CVSS scores:
CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-29374 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-29374 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2021-26930 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-26930 (SUSE): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2021-26931 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-26931 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVE-2021-26932 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-26932 (SUSE): 5.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Affected Products:
SUSE OpenStack Cloud Crowbar 9
SUSE OpenStack Cloud 9
SUSE Linux Enterprise Server for SAP 12-SP4
SUSE Linux Enterprise Server 12-SP4-LTSS
SUSE Linux Enterprise Live Patching 12-SP4
SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

An update that solves 5 vulnerabilities and has 14 fixes is now available.
Description:

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
- CVE-2021-26931: Fixed an issue where the Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).
  by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).
- CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

The following non-security bugs were fixed:

- cifs: check all path components in resolved dfs target (bsc#1180906).
- cifs: fix check of tcon dfs in smb1 (bsc#1180906).
- cifs: fix nodfs mount option (bsc#1180906).
- cifs: introduce helper for finding referral server (bsc#1180906).
- kernel-{binary,source}.spec.in: do not create loop symlinks (bsc#1179082)
- kernel-binary.spec: Add back initrd and image symlink ghosts to filelist (bsc#1182140). Fixes: 76a9256314c3 ("rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).")
- kernel-source.spec: Fix build with rpm 4.16 (boo#1179015). RPM_BUILD_ROOT is cleared before %%install. Do the unpack into RPM_BUILD_ROOT in %%install
- rpm/kernel-binary.spec.in: avoid using barewords (bsc#1179014)
- rpm/kernel-binary.spec.in: avoid using more barewords (bsc#1179014) %split_extra still contained two.
- rpm/kernel-binary.spec.in: Fix compressed module handling for in-tree KMP (jsc#SLE-10886)
- rpm/kernel-binary.spec.in: use grep -E instead of egrep (bsc#1179045) egrep is only a deprecated bash wrapper for "grep -E". So use the latter instead.
   - rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592)
   - rpm/kernel-obs-build.spec.in: Add -q option to modprobe calls (bsc#1178401)
   - rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).
   - rpm/mkspec: do not build kernel-obs-build on x86_32
     We want to use 64bit kernel due to various bugs (bsc#1178762 to name one).
     There is:
       ExportFilter: ^kernel-obs-build.*\.x86_64.rpm$ . i586
     in Factory's prjconf now. No other actively maintained distro (i.e. merging
     packaging branch) builds a x86_32 kernel, hence pushing to packaging directly.
   - rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058)
   - scripts/lib/SUSE/MyBS.pm: properly close prjconf Macros: section
   - scsi: fc: add FPIN ELS definition (bsc#1181441).
   - scsi/fc: kABI fixes for new ELS_FPIN definition (bsc#1181441)
   - scsi: fc: Update Descriptor definition and add RDF and Link Integrity FPINs (bsc#1181441).
   - scsi: Fix trivial spelling (bsc#1181441).
   - scsi: qla2xxx: Add IOCB resource tracking (bsc#1181441).
   - scsi: qla2xxx: Add more BUILD_BUG_ON() statements (bsc#1181441).
   - scsi: qla2xxx: Address a set of sparse warnings (bsc#1181441).
   - scsi: qla2xxx: Add rport fields in debugfs (bsc#1181441).
   - scsi: qla2xxx: Add SLER and PI control support (bsc#1181441).
   - scsi: qla2xxx: Allow dev_loss_tmo setting for FC-NVMe devices (bsc#1181441).
   - scsi: qla2xxx: Allow ql2xextended_error_logging special value 1 to be set anytime (bsc#1181441).
   - scsi: qla2xxx: Cast explicitly to uint16_t / uint32_t (bsc#1181441).
   - scsi: qla2xxx: Change in PUREX to handle FPIN ELS requests (bsc#1181441).
   - scsi: qla2xxx: Change post del message from debug level to log level (bsc#1181441).
   - scsi: qla2xxx: Change {RD,WRT}_REG_*() function names from upper case into lower case (bsc#1181441).
   - scsi: qla2xxx: Change two hardcoded constants into offsetof() / sizeof() expressions (bsc#1181441).
   - scsi: qla2xxx: Check if FW supports MQ before enabling (bsc#1181441).
   - scsi: qla2xxx: Check the size of struct fcp_hdr at compile time (bsc#1181441).
   - scsi: qla2xxx: Correct the check for sscanf() return value (bsc#1181441).
   - scsi: qla2xxx: Do not check for fw_started while posting NVMe command (bsc#1181441).
   - scsi: qla2xxx: Drop TARGET_SCF_LOOKUP_LUN_FROM_TAG (bsc#1181441).
   - scsi: qla2xxx: Fix a condition in qla2x00_find_all_fabric_devs() (bsc#1181441).
   - scsi: qla2xxx: Fix a Coverity complaint in qla2100_fw_dump() (bsc#1181441).
   - scsi: qla2xxx: Fix buffer-buffer credit extraction error (bsc#1181441).
   - scsi: qla2xxx: Fix compilation issue in PPC systems (bsc#1181441).
   - scsi: qla2xxx: Fix crash during driver load on big endian machines (bsc#1181441).
   - scsi: qla2xxx: Fix crash on session cleanup with unload (bsc#1181441).
   - scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit (bsc#1181441).
   - scsi: qla2xxx: Fix device loss on 4G and older HBAs (bsc#1181441).
   - scsi: qla2xxx: Fix endianness annotations in header files (bsc#1181441).
   - scsi: qla2xxx: Fix endianness annotations in source files (bsc#1181441).
   - scsi: qla2xxx: Fix failure message in qlt_disable_vha() (bsc#1181441).
   - scsi: qla2xxx: Fix flash update in 28XX adapters on big endian machines (bsc#1181441).
   - scsi: qla2xxx: Fix FW initialization error on big endian machines (bsc#1181441).
   - scsi: qla2xxx: Fix inconsistent format argument type in qla_dbg.c (bsc#1181441).
   - scsi: qla2xxx: Fix inconsistent format argument type in qla_os.c (bsc#1181441).
   - scsi: qla2xxx: Fix inconsistent format argument type in tcm_qla2xxx.c (bsc#1181441).
   - scsi: qla2xxx: Fix I/O errors during LIP reset tests (bsc#1181441).
   - scsi: qla2xxx: Fix I/O failures during remote port toggle testing (bsc#1181441).
   - scsi: qla2xxx: Fix issue with adapter's stopping state (bsc#1181441).
   - scsi: qla2xxx: Fix login timeout (bsc#1181441).
   - scsi: qla2xxx: Fix memory size truncation (bsc#1181441).
   - scsi: qla2xxx: Fix MPI failure AEN (8200) handling (bsc#1181441).
   - scsi: qla2xxx: Fix MPI reset needed message (bsc#1181441).
   - scsi: qla2xxx: Fix N2N and NVMe connect retry failure (bsc#1181441).
   - scsi: qla2xxx: Fix null pointer access during disconnect from subsystem (bsc#1181441).
   - scsi: qla2xxx: Fix point-to-point (N2N) device discovery issue (bsc#1181441).
   - scsi: qla2xxx: Fix regression on sparc64 (bsc#1181441).
   - scsi: qla2xxx: Fix reset of MPI firmware (bsc#1181441).
   - scsi: qla2xxx: Fix return of uninitialized value in rval (bsc#1181441).
   - scsi: qla2xxx: Fix spelling of a variable name (bsc#1181441).
   - scsi: qla2xxx: Fix the call trace for flush workqueue (bsc#1181441).
   - scsi: qla2xxx: Fix the code that reads from mailbox registers (bsc#1181441).
   - scsi: qla2xxx: Fix the return value (bsc#1181441).
   - scsi: qla2xxx: Fix the size used in a 'dma_free_coherent()' call (bsc#1181441).
   - scsi: qla2xxx: Fix warning after FC target reset (bsc#1181441).
   - scsi: qla2xxx: Fix WARN_ON in qla_nvme_register_hba (bsc#1181441).
   - scsi: qla2xxx: Fix wrong return value in qla_nvme_register_hba() (bsc#1181441).
   - scsi: qla2xxx: Fix wrong return value in qlt_chk_unresolv_exchg() (bsc#1181441).
   - scsi: qla2xxx: Flush all sessions on zone disable (bsc#1181441).
   - scsi: qla2xxx: Flush I/O on zone disable (bsc#1181441).
   - scsi: qla2xxx: Handle aborts correctly for port undergoing deletion (bsc#1181441).
   - scsi: qla2xxx: Honor status qualifier in FCP_RSP per spec (bsc#1181441).
   - scsi: qla2xxx: If fcport is undergoing deletion complete I/O with retry (bsc#1181441).
   - scsi: qla2xxx: Increase the size of struct qla_fcp_prio_cfg to FCP_PRIO_CFG_SIZE (bsc#1181441).
   - scsi: qla2xxx: Indicate correct supported speeds for Mezz card (bsc#1181441).
   - scsi: qla2xxx: Initialize 'n' before using it (bsc#1181441).
   - scsi: qla2xxx: Initialize variable in qla8044_poll_reg() (bsc#1181441).
   - scsi: qla2xxx: Introduce a function for computing the debug message prefix (bsc#1181441).
   - scsi: qla2xxx: Keep initiator ports after RSCN (bsc#1181441).
   - scsi: qla2xxx: Limit interrupt vectors to number of CPUs (bsc#1181441).
   - scsi: qla2xxx: Log calling function name in qla2x00_get_sp_from_handle() (bsc#1181441).
   - scsi: qla2xxx: make 1-bit bit-fields unsigned int (bsc#1181441).
   - scsi: qla2xxx: Make a gap in struct qla2xxx_offld_chain explicit (bsc#1181441).
   - scsi: qla2xxx: Make __qla2x00_alloc_iocbs() initialize 32 bits of request_t.handle (bsc#1181441).
   - scsi: qla2xxx: Make qla2x00_restart_isp() easier to read (bsc#1181441).
   - scsi: qla2xxx: Make qla82xx_flash_wait_write_finish() easier to read (bsc#1181441).
   - scsi: qla2xxx: Make qlafx00_process_aen() return void (bsc#1181441).
   - scsi: qla2xxx: Make qla_set_ini_mode() return void (bsc#1181441).
   - scsi: qla2xxx: Make tgt_port_database available in initiator mode (bsc#1181441).
   - scsi: qla2xxx: Move sess cmd list/lock to driver (bsc#1181441).
   - scsi: qla2xxx: Performance tweak (bsc#1181441).
   - scsi: qla2xxx: Reduce duplicate code in reporting speed (bsc#1181441).
   - scsi: qla2xxx: Reduce noisy debug message (bsc#1181441).
   - scsi: qla2xxx: Remove an unused function (bsc#1181441).
   - scsi: qla2xxx: Remove a superfluous cast (bsc#1181441).
   - scsi: qla2xxx: remove incorrect sparse #ifdef (bsc#1181441).
   - scsi: qla2xxx: Remove in_interrupt() from qla82xx-specific code (bsc#1181441).
   - scsi: qla2xxx: Remove in_interrupt() from qla83xx-specific code (bsc#1181441).
   - scsi: qla2xxx: Remove pci-dma-compat wrapper API (bsc#1181441).
   - scsi: qla2xxx: Remove redundant variable initialization (bsc#1181441).
   - scsi: qla2xxx: Remove return value from qla_nvme_ls() (bsc#1181441).
   - scsi: qla2xxx: Remove superfluous memset() (bsc#1181441).
   - scsi: qla2xxx: Remove the __packed annotation from struct fcp_hdr and fcp_hdr_le (bsc#1181441).
   - scsi: qla2xxx: Remove trailing semicolon in macro definition (bsc#1181441).
   - scsi: qla2xxx: Remove unneeded variable 'rval' (bsc#1181441).
   - scsi: qla2xxx: Return EBUSY on fcport deletion (bsc#1181441).
   - scsi: qla2xxx: SAN congestion management implementation (bsc#1181441).
   - scsi: qla2xxx: Setup debugfs entries for remote ports (bsc#1181441).
   - scsi: qla2xxx: Simplify return value logic in qla2x00_get_sp_from_handle() (bsc#1181441).
   - scsi: qla2xxx: Simplify the functions for dumping firmware (bsc#1181441).
   - scsi: qla2xxx: Sort BUILD_BUG_ON() statements alphabetically (bsc#1181441).
   - scsi: qla2xxx: Split qla2x00_configure_local_loop() (bsc#1181441).
   - scsi: qla2xxx: Tear down session if FW say it is down (bsc#1181441).
   - scsi: qla2xxx: Update version to 10.02.00.102-k (bsc#1181441).
   - scsi: qla2xxx: Update version to 10.02.00.103-k (bsc#1181441).
   - scsi: qla2xxx: Update version to 10.02.00.104-k (bsc#1181441).
   - scsi: qla2xxx: Use ARRAY_SIZE() instead of open-coding it (bsc#1181441).
   - scsi: qla2xxx: Use constant when it is known (bsc#1181441).
   - scsi: qla2xxx: Use make_handle() instead of open-coding it (bsc#1181441).
   - scsi: qla2xxx: Use MBX_TOV_SECONDS for mailbox command timeout values (bsc#1181441).
   - scsi: qla2xxx: Use register names instead of register offsets (bsc#1181441).
   - scsi: qla2xxx: Use true, false for ha->fw_dumped (bsc#1181441).
   - scsi: qla2xxx: Use true, false for need_mpi_reset (bsc#1181441).
   - scsi: qla2xxx: Warn if done() or free() are called on an already freed srb (bsc#1181441).
   - scsi: scsi_transport_fc: Add FPIN fc event codes (bsc#1181441).
   - scsi: scsi_transport_fc: refactor event posting routines (bsc#1181441).
   - scsi: target: tcm_qla2xxx: Remove BUG_ON(in_interrupt()) (bsc#1181441).
   - x86/hyperv: Fix kexec panic/hang issues (bsc#1176831).
   - xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600).
   - xen/netback: fix spurious event detection for common event case (bsc#1182175).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-736=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-736=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-736=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-736=1

   - SUSE Linux Enterprise Live Patching 12-SP4:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2021-736=1

   - SUSE Linux Enterprise High Availability 12-SP4:

      zypper in -t patch SUSE-SLE-HA-12-SP4-2021-736=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      kernel-devel-4.12.14-95.71.1
      kernel-macros-4.12.14-95.71.1
      kernel-source-4.12.14-95.71.1

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      kernel-default-4.12.14-95.71.1
      kernel-default-base-4.12.14-95.71.1
      kernel-default-base-debuginfo-4.12.14-95.71.1
      kernel-default-debuginfo-4.12.14-95.71.1
      kernel-default-debugsource-4.12.14-95.71.1
      kernel-default-devel-4.12.14-95.71.1
      kernel-default-devel-debuginfo-4.12.14-95.71.1
      kernel-syms-4.12.14-95.71.1

   - SUSE OpenStack Cloud 9 (noarch):

      kernel-devel-4.12.14-95.71.1
      kernel-macros-4.12.14-95.71.1
      kernel-source-4.12.14-95.71.1

   - SUSE OpenStack Cloud 9 (x86_64):

      kernel-default-4.12.14-95.71.1
      kernel-default-base-4.12.14-95.71.1
      kernel-default-base-debuginfo-4.12.14-95.71.1
      kernel-default-debuginfo-4.12.14-95.71.1
      kernel-default-debugsource-4.12.14-95.71.1
      kernel-default-devel-4.12.14-95.71.1
      kernel-default-devel-debuginfo-4.12.14-95.71.1
      kernel-syms-4.12.14-95.71.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      kernel-default-4.12.14-95.71.1
      kernel-default-base-4.12.14-95.71.1
      kernel-default-base-debuginfo-4.12.14-95.71.1
      kernel-default-debuginfo-4.12.14-95.71.1
      kernel-default-debugsource-4.12.14-95.71.1
      kernel-default-devel-4.12.14-95.71.1
      kernel-syms-4.12.14-95.71.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

      kernel-default-devel-debuginfo-4.12.14-95.71.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):

      kernel-devel-4.12.14-95.71.1
      kernel-macros-4.12.14-95.71.1
      kernel-source-4.12.14-95.71.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      kernel-default-4.12.14-95.71.1
      kernel-default-base-4.12.14-95.71.1
      kernel-default-base-debuginfo-4.12.14-95.71.1
      kernel-default-debuginfo-4.12.14-95.71.1
      kernel-default-debugsource-4.12.14-95.71.1
      kernel-default-devel-4.12.14-95.71.1
      kernel-syms-4.12.14-95.71.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):

      kernel-devel-4.12.14-95.71.1
      kernel-macros-4.12.14-95.71.1
      kernel-source-4.12.14-95.71.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (x86_64):

      kernel-default-devel-debuginfo-4.12.14-95.71.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x):

      kernel-default-man-4.12.14-95.71.1

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64):

      kernel-default-kgraft-4.12.14-95.71.1
      kernel-default-kgraft-devel-4.12.14-95.71.1
      kgraft-patch-4_12_14-95_71-default-1-6.3.1

   - SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64):

      cluster-md-kmp-default-4.12.14-95.71.1
      cluster-md-kmp-default-debuginfo-4.12.14-95.71.1
      dlm-kmp-default-4.12.14-95.71.1
      dlm-kmp-default-debuginfo-4.12.14-95.71.1
      gfs2-kmp-default-4.12.14-95.71.1
      gfs2-kmp-default-debuginfo-4.12.14-95.71.1
      kernel-default-debuginfo-4.12.14-95.71.1
      kernel-default-debugsource-4.12.14-95.71.1
      ocfs2-kmp-default-4.12.14-95.71.1
      ocfs2-kmp-default-debuginfo-4.12.14-95.71.1

References:

   https://www.suse.com/security/cve/CVE-2020-29368.html
   https://www.suse.com/security/cve/CVE-2020-29374.html
   https://www.suse.com/security/cve/CVE-2021-26930.html
   https://www.suse.com/security/cve/CVE-2021-26931.html
   https://www.suse.com/security/cve/CVE-2021-26932.html
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1163592
   https://bugzilla.suse.com/1176831
   https://bugzilla.suse.com/1178401
   https://bugzilla.suse.com/1178762
   https://bugzilla.suse.com/1179014
   https://bugzilla.suse.com/1179015
   https://bugzilla.suse.com/1179045
   https://bugzilla.suse.com/1179082
   https://bugzilla.suse.com/1179428
   https://bugzilla.suse.com/1179660
   https://bugzilla.suse.com/1180058
   https://bugzilla.suse.com/1180906
   https://bugzilla.suse.com/1181441
   https://bugzilla.suse.com/1181747
   https://bugzilla.suse.com/1181753
   https://bugzilla.suse.com/1181843
   https://bugzilla.suse.com/1182140
   https://bugzilla.suse.com/1182175

From sle-security-updates at lists.suse.com  Tue Mar  9 21:25:25 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 22:25:25 +0100 (CET)
Subject: SUSE-SU-2021:0737-1: important: Security update for the Linux Kernel
Message-ID: <20210309212525.A239BFD17@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0737-1
Rating:             important
References:         #1065600 #1163617 #1170442 #1176855 #1179082 #1179428
                    #1179660 #1180058 #1180262 #1180964 #1181671 #1181747
                    #1181753 #1181843 #1181854 #1182047 #1182130 #1182140
                    #1182175
Cross-References:   CVE-2020-29368 CVE-2020-29374 CVE-2021-26930
                    CVE-2021-26931 CVE-2021-26932
CVSS scores:
                    CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-29374 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-29374 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-26930 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-26930 (SUSE): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-26931 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-26931 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
                    CVE-2021-26932 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-26932 (SUSE): 5.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Module for Live Patching 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Availability 15-SP1
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has 14 fixes is now available.

Description:

   The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

   The following security bugs were fixed:

   - CVE-2021-26930: Fixed improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
   - CVE-2021-26931: Fixed an issue where the Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
   - CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747). by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).
   - CVE-2020-29368, CVE-2020-29374: Fixed an issue in the copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

   The following non-security bugs were fixed:

   - btrfs: Cleanup try_flush_qgroup (bsc#1182047).
   - btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
   - btrfs: fix data bytes_may_use underflow with fallocate due to failed quota reserve (bsc#1182130)
   - btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
   - btrfs: Remove btrfs_inode from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
   - btrfs: Simplify code flow in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
   - btrfs: Unlock extents in btrfs_zero_range in case of errors (bsc#1182047).
   - Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() (git-fixes).
   - ibmvnic: fix a race between open and reset (bsc#1176855 ltc#187293).
   - kernel-binary.spec: Add back initrd and image symlink ghosts to filelist (bsc#1182140).
     Fixes: 76a9256314c3 ("rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).")
   - libnvdimm/dimm: Avoid race between probe and available_slots_show() (bsc#1170442).
   - net: bcmgenet: add support for ethtool rxnfc flows (git-fixes).
   - net: bcmgenet: code movement (git-fixes).
   - net: bcmgenet: fix mask check in bcmgenet_validate_flow() (git-fixes).
   - net: bcmgenet: Fix WoL with password after deep sleep (git-fixes).
   - net: bcmgenet: re-remove bcmgenet_hfb_add_filter (git-fixes).
   - net: bcmgenet: set Rx mode before starting netif (git-fixes).
   - net: bcmgenet: use __be16 for htons(ETH_P_IP) (git-fixes).
   - net: bcmgenet: Use correct I/O accessors (git-fixes).
   - net: lpc-enet: fix error return code in lpc_mii_init() (git-fixes).
   - net/mlx4_en: Handle TX error CQE (bsc#1181854).
   - net: moxa: Fix a potential double 'free_irq()' (git-fixes).
   - net: sun: fix missing release regions in cas_init_one() (git-fixes).
   - nvme-multipath: Early exit if no path is available (bsc#1180964).
   - rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058)
   - scsi: target: fix unmap_zeroes_data boolean initialisation (bsc#1163617).
   - usb: dwc2: Abort transaction after errors with unknown reason (bsc#1180262).
   - usb: dwc2: Do not update data length if it is 0 on inbound transfers (bsc#1180262).
   - usb: dwc2: Make "trimming xfer length" a debug message (bsc#1180262).
   - vmxnet3: Remove buf_info from device accessible structures (bsc#1181671).
   - xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600).
   - xen/netback: fix spurious event detection for common event case (bsc#1182175).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-737=1

   - SUSE Manager Retail Branch Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-737=1

   - SUSE Manager Proxy 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-737=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-737=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-737=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-737=1

   - SUSE Linux Enterprise Module for Live Patching 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-737=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-737=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-737=1

   - SUSE Linux Enterprise High Availability 15-SP1:

      zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2021-737=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-737=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform
      you if it detects new updates and let you then trigger updating of the complete
      cluster in a controlled way.
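   The reboot note above is the step most often skipped, and the kernel is the one
   package where "installed" and "running" can differ for days. The following
   post-update check is an added example, not SUSE tooling and not part of the
   announcement: it compares the release string the booted kernel reports with the
   package version from the Package List. It rests on one assumption taken from this
   advisory's own package names: the livepatch package is called
   kernel-livepatch-4_12_14-197_86-default, so the kernel built from
   kernel-default-4.12.14-197.86.1 reports `uname -r` as 4.12.14-197.86-default
   (the RPM build counter ".1" is dropped and the flavour is appended). The flavour
   "default" and the function names are assumptions for the example; the same
   mapping applies to the 12 SP4 advisory SUSE-SU-2021:0736-1 (4.12.14-95.71.1 and
   kgraft-patch-4_12_14-95_71-default).

```shell
#!/bin/sh
# Added example (not SUSE tooling): report whether the *running* kernel already
# carries a kernel security update, using only the package version printed in
# the advisory's Package List.
#
# Assumption, derived from the livepatch package name in this advisory
# (kernel-livepatch-4_12_14-197_86-default): the kernel built from
# kernel-<flavour>-<V>-<R>.<build> reports `uname -r` as <V>-<R>-<flavour>,
# i.e. the trailing RPM build counter is dropped and the flavour is appended.

FIXED_PKG_VERSION="4.12.14-197.86.1"   # from SUSE-SU-2021:0737-1 (SLE 15 SP1)
FLAVOR="default"                       # assumption: the -default kernel flavour

# pkg_to_release VERSION FLAVOR
# "4.12.14-197.86.1" "default" -> "4.12.14-197.86-default"
pkg_to_release() {
    printf '%s-%s\n' "$(printf '%s\n' "$1" | sed 's/\.[0-9][0-9]*$//')" "$2"
}

# norm_release RELEASE
# Strip the flavour suffix and turn the remaining separators into dots so the
# string becomes a purely numeric dotted tuple:
# "4.12.14-197.86-default" -> "4.12.14.197.86"
norm_release() {
    printf '%s\n' "$1" | sed -e 's/-[a-z][a-z0-9]*$//' -e 's/-/./g'
}

# release_ge A B: exit status 0 when release A is the same as or newer than B.
# Components are compared numerically, left to right, and a missing component
# counts as 0; a plain string comparison would rank 95.9 above 95.71.
release_ge() {
    awk -v a="$(norm_release "$1")" -v b="$(norm_release "$2")" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# running_kernel_fixed RUNNING_RELEASE FIXED_PKG_VERSION FLAVOR
# 0 when the running kernel already includes the fix, 1 when the update is not
# installed or the reboot the advisory asks for has not happened yet.
running_kernel_fixed() {
    release_ge "$1" "$(pkg_to_release "$2" "$3")"
}

# check_running_kernel RUNNING_RELEASE: human-readable verdict plus exit status.
check_running_kernel() {
    if running_kernel_fixed "$1" "$FIXED_PKG_VERSION" "$FLAVOR"; then
        echo "running kernel $1 already includes kernel-$FLAVOR-$FIXED_PKG_VERSION"
    else
        echo "running kernel $1 predates kernel-$FLAVOR-$FIXED_PKG_VERSION: install the patch and reboot"
        return 1
    fi
}

# Verdict for this host. The `|| :` keeps a "not fixed" result from aborting a
# caller that runs with `set -e`; use running_kernel_fixed directly when the
# exit status is what you want (for example across a fleet of `uname -r` outputs).
check_running_kernel "$(uname -r)" || :
```

   `rpm -q kernel-default` answers a different question (what is installed), which
   is why the check reads `uname -r`; a host that has the new RPM but has not been
   rebooted still reports the old release string and still runs the vulnerable
   code. Hosts covered by the Live Patching products above are the exception, since
   the kernel-livepatch package patches the running kernel in place.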
Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):

      kernel-default-4.12.14-197.86.1
      kernel-default-base-4.12.14-197.86.1
      kernel-default-base-debuginfo-4.12.14-197.86.1
      kernel-default-debuginfo-4.12.14-197.86.1
      kernel-default-debugsource-4.12.14-197.86.1
      kernel-default-devel-4.12.14-197.86.1
      kernel-default-devel-debuginfo-4.12.14-197.86.1
      kernel-obs-build-4.12.14-197.86.1
      kernel-obs-build-debugsource-4.12.14-197.86.1
      kernel-syms-4.12.14-197.86.1
      reiserfs-kmp-default-4.12.14-197.86.1
      reiserfs-kmp-default-debuginfo-4.12.14-197.86.1

   - SUSE Manager Server 4.0 (noarch):

      kernel-devel-4.12.14-197.86.1
      kernel-docs-4.12.14-197.86.1
      kernel-macros-4.12.14-197.86.1
      kernel-source-4.12.14-197.86.1

   - SUSE Manager Server 4.0 (s390x):

      kernel-default-man-4.12.14-197.86.1
      kernel-zfcpdump-debuginfo-4.12.14-197.86.1
      kernel-zfcpdump-debugsource-4.12.14-197.86.1

   - SUSE Manager Retail Branch Server 4.0 (noarch):

      kernel-devel-4.12.14-197.86.1
      kernel-docs-4.12.14-197.86.1
      kernel-macros-4.12.14-197.86.1
      kernel-source-4.12.14-197.86.1

   - SUSE Manager Retail Branch Server 4.0 (x86_64):

      kernel-default-4.12.14-197.86.1
      kernel-default-base-4.12.14-197.86.1
      kernel-default-base-debuginfo-4.12.14-197.86.1
      kernel-default-debuginfo-4.12.14-197.86.1
      kernel-default-debugsource-4.12.14-197.86.1
      kernel-default-devel-4.12.14-197.86.1
      kernel-default-devel-debuginfo-4.12.14-197.86.1
      kernel-obs-build-4.12.14-197.86.1
      kernel-obs-build-debugsource-4.12.14-197.86.1
      kernel-syms-4.12.14-197.86.1
      reiserfs-kmp-default-4.12.14-197.86.1
      reiserfs-kmp-default-debuginfo-4.12.14-197.86.1

   - SUSE Manager Proxy 4.0 (x86_64):

      kernel-default-4.12.14-197.86.1
      kernel-default-base-4.12.14-197.86.1
      kernel-default-base-debuginfo-4.12.14-197.86.1
      kernel-default-debuginfo-4.12.14-197.86.1
      kernel-default-debugsource-4.12.14-197.86.1
      kernel-default-devel-4.12.14-197.86.1
      kernel-default-devel-debuginfo-4.12.14-197.86.1
      kernel-obs-build-4.12.14-197.86.1
      kernel-obs-build-debugsource-4.12.14-197.86.1
      kernel-syms-4.12.14-197.86.1
      reiserfs-kmp-default-4.12.14-197.86.1
      reiserfs-kmp-default-debuginfo-4.12.14-197.86.1

   - SUSE Manager Proxy 4.0 (noarch):

      kernel-devel-4.12.14-197.86.1
      kernel-docs-4.12.14-197.86.1
      kernel-macros-4.12.14-197.86.1
      kernel-source-4.12.14-197.86.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

      kernel-default-4.12.14-197.86.1
      kernel-default-base-4.12.14-197.86.1
      kernel-default-base-debuginfo-4.12.14-197.86.1
      kernel-default-debuginfo-4.12.14-197.86.1
      kernel-default-debugsource-4.12.14-197.86.1
      kernel-default-devel-4.12.14-197.86.1
      kernel-default-devel-debuginfo-4.12.14-197.86.1
      kernel-obs-build-4.12.14-197.86.1
      kernel-obs-build-debugsource-4.12.14-197.86.1
      kernel-syms-4.12.14-197.86.1
      reiserfs-kmp-default-4.12.14-197.86.1
      reiserfs-kmp-default-debuginfo-4.12.14-197.86.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):

      kernel-devel-4.12.14-197.86.1
      kernel-docs-4.12.14-197.86.1
      kernel-macros-4.12.14-197.86.1
      kernel-source-4.12.14-197.86.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

      kernel-default-4.12.14-197.86.1
      kernel-default-base-4.12.14-197.86.1
      kernel-default-base-debuginfo-4.12.14-197.86.1
      kernel-default-debuginfo-4.12.14-197.86.1
      kernel-default-debugsource-4.12.14-197.86.1
      kernel-default-devel-4.12.14-197.86.1
      kernel-default-devel-debuginfo-4.12.14-197.86.1
      kernel-obs-build-4.12.14-197.86.1
      kernel-obs-build-debugsource-4.12.14-197.86.1
      kernel-syms-4.12.14-197.86.1
      reiserfs-kmp-default-4.12.14-197.86.1
      reiserfs-kmp-default-debuginfo-4.12.14-197.86.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):

      kernel-devel-4.12.14-197.86.1
      kernel-docs-4.12.14-197.86.1
      kernel-macros-4.12.14-197.86.1
      kernel-source-4.12.14-197.86.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (s390x):

      kernel-default-man-4.12.14-197.86.1
      kernel-zfcpdump-debuginfo-4.12.14-197.86.1
      kernel-zfcpdump-debugsource-4.12.14-197.86.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (noarch):

      kernel-devel-4.12.14-197.86.1
      kernel-docs-4.12.14-197.86.1
      kernel-macros-4.12.14-197.86.1
      kernel-source-4.12.14-197.86.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

      kernel-default-4.12.14-197.86.1
      kernel-default-base-4.12.14-197.86.1
      kernel-default-base-debuginfo-4.12.14-197.86.1
      kernel-default-debuginfo-4.12.14-197.86.1
      kernel-default-debugsource-4.12.14-197.86.1
      kernel-default-devel-4.12.14-197.86.1
      kernel-default-devel-debuginfo-4.12.14-197.86.1
      kernel-obs-build-4.12.14-197.86.1
      kernel-obs-build-debugsource-4.12.14-197.86.1
      kernel-syms-4.12.14-197.86.1
      reiserfs-kmp-default-4.12.14-197.86.1
      reiserfs-kmp-default-debuginfo-4.12.14-197.86.1

   - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):

      kernel-default-debuginfo-4.12.14-197.86.1
      kernel-default-debugsource-4.12.14-197.86.1
      kernel-default-livepatch-4.12.14-197.86.1
      kernel-default-livepatch-devel-4.12.14-197.86.1
      kernel-livepatch-4_12_14-197_86-default-1-3.3.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):

      kernel-default-4.12.14-197.86.1
      kernel-default-base-4.12.14-197.86.1
      kernel-default-base-debuginfo-4.12.14-197.86.1
      kernel-default-debuginfo-4.12.14-197.86.1
      kernel-default-debugsource-4.12.14-197.86.1
      kernel-default-devel-4.12.14-197.86.1
      kernel-default-devel-debuginfo-4.12.14-197.86.1
      kernel-obs-build-4.12.14-197.86.1
      kernel-obs-build-debugsource-4.12.14-197.86.1
      kernel-syms-4.12.14-197.86.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):

      kernel-devel-4.12.14-197.86.1
      kernel-docs-4.12.14-197.86.1
      kernel-macros-4.12.14-197.86.1
      kernel-source-4.12.14-197.86.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):

      kernel-default-4.12.14-197.86.1
      kernel-default-base-4.12.14-197.86.1
      kernel-default-base-debuginfo-4.12.14-197.86.1
      kernel-default-debuginfo-4.12.14-197.86.1
      kernel-default-debugsource-4.12.14-197.86.1
      kernel-default-devel-4.12.14-197.86.1
      kernel-default-devel-debuginfo-4.12.14-197.86.1
      kernel-obs-build-4.12.14-197.86.1
      kernel-obs-build-debugsource-4.12.14-197.86.1
      kernel-syms-4.12.14-197.86.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):

      kernel-devel-4.12.14-197.86.1
      kernel-docs-4.12.14-197.86.1
      kernel-macros-4.12.14-197.86.1
      kernel-source-4.12.14-197.86.1

   - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):

      cluster-md-kmp-default-4.12.14-197.86.1
      cluster-md-kmp-default-debuginfo-4.12.14-197.86.1
      dlm-kmp-default-4.12.14-197.86.1
      dlm-kmp-default-debuginfo-4.12.14-197.86.1
      gfs2-kmp-default-4.12.14-197.86.1
      gfs2-kmp-default-debuginfo-4.12.14-197.86.1
      kernel-default-debuginfo-4.12.14-197.86.1
      kernel-default-debugsource-4.12.14-197.86.1
      ocfs2-kmp-default-4.12.14-197.86.1
      ocfs2-kmp-default-debuginfo-4.12.14-197.86.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      kernel-default-4.12.14-197.86.1
      kernel-default-base-4.12.14-197.86.1
      kernel-default-base-debuginfo-4.12.14-197.86.1
      kernel-default-debuginfo-4.12.14-197.86.1
      kernel-default-debugsource-4.12.14-197.86.1
      kernel-default-devel-4.12.14-197.86.1
      kernel-default-devel-debuginfo-4.12.14-197.86.1
      kernel-obs-build-4.12.14-197.86.1
      kernel-obs-build-debugsource-4.12.14-197.86.1
      kernel-syms-4.12.14-197.86.1
      reiserfs-kmp-default-4.12.14-197.86.1
      reiserfs-kmp-default-debuginfo-4.12.14-197.86.1

   - SUSE Enterprise Storage 6 (noarch):

      kernel-devel-4.12.14-197.86.1
      kernel-docs-4.12.14-197.86.1
      kernel-macros-4.12.14-197.86.1
      kernel-source-4.12.14-197.86.1

   - SUSE CaaS Platform 4.0 (noarch):

      kernel-devel-4.12.14-197.86.1
      kernel-docs-4.12.14-197.86.1
      kernel-macros-4.12.14-197.86.1
      kernel-source-4.12.14-197.86.1

   - SUSE CaaS Platform 4.0 (x86_64):

      kernel-default-4.12.14-197.86.1
      kernel-default-base-4.12.14-197.86.1
      kernel-default-base-debuginfo-4.12.14-197.86.1
      kernel-default-debuginfo-4.12.14-197.86.1
      kernel-default-debugsource-4.12.14-197.86.1
      kernel-default-devel-4.12.14-197.86.1
      kernel-default-devel-debuginfo-4.12.14-197.86.1
      kernel-obs-build-4.12.14-197.86.1
      kernel-obs-build-debugsource-4.12.14-197.86.1
      kernel-syms-4.12.14-197.86.1
      reiserfs-kmp-default-4.12.14-197.86.1
      reiserfs-kmp-default-debuginfo-4.12.14-197.86.1

References:

   https://www.suse.com/security/cve/CVE-2020-29368.html
   https://www.suse.com/security/cve/CVE-2020-29374.html
   https://www.suse.com/security/cve/CVE-2021-26930.html
   https://www.suse.com/security/cve/CVE-2021-26931.html
   https://www.suse.com/security/cve/CVE-2021-26932.html
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1163617
   https://bugzilla.suse.com/1170442
   https://bugzilla.suse.com/1176855
   https://bugzilla.suse.com/1179082
   https://bugzilla.suse.com/1179428
   https://bugzilla.suse.com/1179660
   https://bugzilla.suse.com/1180058
   https://bugzilla.suse.com/1180262
   https://bugzilla.suse.com/1180964
   https://bugzilla.suse.com/1181671
   https://bugzilla.suse.com/1181747
   https://bugzilla.suse.com/1181753
   https://bugzilla.suse.com/1181843
   https://bugzilla.suse.com/1181854
   https://bugzilla.suse.com/1182047
   https://bugzilla.suse.com/1182130
   https://bugzilla.suse.com/1182140
   https://bugzilla.suse.com/1182175

From sle-security-updates at lists.suse.com  Tue Mar  9 21:28:41 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 22:28:41 +0100 (CET)
Subject: SUSE-SU-2021:0756-1: important: Security update for git
Message-ID: <20210309212841.41578FD17@maintenance.suse.de>

   SUSE Security Update: Security update for git
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0756-1
Rating:             important
References:         #1183026
Cross-References:   CVE-2021-21300
CVSS scores:
                    CVE-2021-21300 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for git fixes the following issues:

   - On case-insensitive filesystems with support for symbolic links, if Git is
     configured globally to apply delay-capable clean/smudge filters (such as Git
     LFS), Git could be fooled into running remote code during a clone.
     (bsc#1183026, CVE-2021-21300)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-756=1

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-756=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-756=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-756=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2021-756=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-756=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-756=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-756=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-756=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-756=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-756=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-756=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-756=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-756=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-756=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2021-756=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      git-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      git-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

   - SUSE OpenStack Cloud 9 (x86_64):

      git-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

   - SUSE OpenStack Cloud 8 (x86_64):

      git-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      git-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

   - SUSE OpenStack Cloud 7 (noarch):

      git-doc-2.26.2-27.43.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      git-2.26.2-27.43.1
      git-arch-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-svn-debuginfo-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):

      git-doc-2.26.2-27.43.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      git-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      git-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      git-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

      git-doc-2.26.2-27.43.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      git-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      git-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      git-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      git-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      git-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

      git-doc-2.26.2-27.43.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      git-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      git-doc-2.26.2-27.43.1

   - HPE Helion Openstack 8 (x86_64):

      git-2.26.2-27.43.1
      git-core-2.26.2-27.43.1
      git-core-debuginfo-2.26.2-27.43.1
      git-cvs-2.26.2-27.43.1
      git-daemon-2.26.2-27.43.1
      git-daemon-debuginfo-2.26.2-27.43.1
      git-debugsource-2.26.2-27.43.1
      git-email-2.26.2-27.43.1
      git-gui-2.26.2-27.43.1
      git-svn-2.26.2-27.43.1
      git-web-2.26.2-27.43.1
      gitk-2.26.2-27.43.1

References:

   https://www.suse.com/security/cve/CVE-2021-21300.html
   https://bugzilla.suse.com/1183026

From sle-security-updates at lists.suse.com Tue Mar 9 21:29:59 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 22:29:59 +0100 (CET)
Subject: SUSE-SU-2021:0752-1: moderate: Security update for openssl-1_1
Message-ID: <20210309212959.5C612FD17@maintenance.suse.de>

   SUSE Security Update: Security update for openssl-1_1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0752-1
Rating:             moderate
References:         #1182331 #1182333
Cross-References:   CVE-2021-23840 CVE-2021-23841
CVSS scores:
                    CVE-2021-23840 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-23840 (SUSE): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
                    CVE-2021-23841 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-23841 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for openssl-1_1 fixes the following issues:

   - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
   - CVE-2021-23841: Fixed a Null pointer dereference in
     X509_issuer_and_serial_hash() (bsc#1182331)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-752=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-752=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-752=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-752=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-752=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-752=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      libopenssl1_1-1.1.1d-2.30.1
      libopenssl1_1-32bit-1.1.1d-2.30.1
      libopenssl1_1-debuginfo-1.1.1d-2.30.1
      libopenssl1_1-debuginfo-32bit-1.1.1d-2.30.1
      openssl-1_1-1.1.1d-2.30.1
      openssl-1_1-debuginfo-1.1.1d-2.30.1
      openssl-1_1-debugsource-1.1.1d-2.30.1

   - SUSE OpenStack Cloud 9 (x86_64):

      libopenssl1_1-1.1.1d-2.30.1
      libopenssl1_1-32bit-1.1.1d-2.30.1
      libopenssl1_1-debuginfo-1.1.1d-2.30.1
      libopenssl1_1-debuginfo-32bit-1.1.1d-2.30.1
      openssl-1_1-1.1.1d-2.30.1
      openssl-1_1-debuginfo-1.1.1d-2.30.1
      openssl-1_1-debugsource-1.1.1d-2.30.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      libopenssl-1_1-devel-1.1.1d-2.30.1
      openssl-1_1-debuginfo-1.1.1d-2.30.1
      openssl-1_1-debugsource-1.1.1d-2.30.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (s390x x86_64):

      libopenssl-1_1-devel-32bit-1.1.1d-2.30.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      libopenssl1_1-1.1.1d-2.30.1
      libopenssl1_1-debuginfo-1.1.1d-2.30.1
      openssl-1_1-1.1.1d-2.30.1
      openssl-1_1-debuginfo-1.1.1d-2.30.1
      openssl-1_1-debugsource-1.1.1d-2.30.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

      libopenssl1_1-32bit-1.1.1d-2.30.1
      libopenssl1_1-debuginfo-32bit-1.1.1d-2.30.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libopenssl1_1-1.1.1d-2.30.1
      libopenssl1_1-debuginfo-1.1.1d-2.30.1
      openssl-1_1-1.1.1d-2.30.1
      openssl-1_1-debuginfo-1.1.1d-2.30.1
      openssl-1_1-debugsource-1.1.1d-2.30.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libopenssl1_1-32bit-1.1.1d-2.30.1
      libopenssl1_1-debuginfo-32bit-1.1.1d-2.30.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      libopenssl1_1-1.1.1d-2.30.1
      libopenssl1_1-debuginfo-1.1.1d-2.30.1
      openssl-1_1-1.1.1d-2.30.1
      openssl-1_1-debuginfo-1.1.1d-2.30.1
      openssl-1_1-debugsource-1.1.1d-2.30.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):

      libopenssl1_1-32bit-1.1.1d-2.30.1
      libopenssl1_1-debuginfo-32bit-1.1.1d-2.30.1

References:

   https://www.suse.com/security/cve/CVE-2021-23840.html
   https://www.suse.com/security/cve/CVE-2021-23841.html
   https://bugzilla.suse.com/1182331
   https://bugzilla.suse.com/1182333

From sle-security-updates at lists.suse.com Tue Mar 9 21:31:09 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 22:31:09 +0100 (CET)
Subject: SUSE-SU-2021:0740-1: important: Security update for the Linux Kernel
Message-ID: <20210309213109.47544FD17@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0740-1
Rating:             important
References:         #1065600 #1163592 #1178401 #1178762 #1179014 #1179015 #1179045
                    #1179082 #1179428 #1179660 #1180058 #1181747 #1181753 #1181843
                    #1182140 #1182175
Cross-References:   CVE-2020-29368 CVE-2020-29374 CVE-2021-26930 CVE-2021-26931
                    CVE-2021-26932
CVSS scores:
                    CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-29374 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-29374 (SUSE): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-26930 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-26930 (SUSE): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-26931 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-26931 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
                    CVE-2021-26932 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-26932 (SUSE): 5.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Live Patching 15
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has 11 fixes is now available.

Description:

   The SUSE Linux Enterprise 15 kernel was updated to receive various security
   and bugfixes.

   The following security bugs were fixed:

   - CVE-2021-26930: Fixed an improper error handling in blkback's grant
     mapping (XSA-365 bsc#1181843).
   - CVE-2021-26931: Fixed an issue where Linux kernel was treating grant
     mapping errors as bugs (XSA-362 bsc#1181753).
   - CVE-2021-26932: Fixed improper error handling issues in Linux grant
     mapping (XSA-361 bsc#1181747).
     by remote attackers to read or write files via directory traversal in an
     XCOPY request (bsc#178372).
   - CVE-2020-29368, CVE-2020-29374: Fixed an issue in copy-on-write
     implementation which could have granted unintended write access because
     of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

   The following non-security bugs were fixed:

   - kernel-{binary,source}.spec.in: do not create loop symlinks (bsc#1179082)
   - kernel-source.spec: Fix build with rpm 4.16 (boo#1179015).
   - rpm/kernel-binary.spec.in: avoid using barewords (bsc#1179014)
   - rpm/kernel-binary.spec.in: avoid using more barewords (bsc#1179014)
     %split_extra still contained two.
   - rpm/kernel-binary.spec.in: Fix compressed module handling for in-tree KMP
     (jsc#SLE-10886) The in-tree KMP that is built with SLE kernels have a
     different scriptlet that is embedded in kernel-binary.spec.in rather than
     *.sh files.
   - rpm/kernel-binary.spec.in: use grep -E instead of egrep (bsc#1179045)
     egrep is only a deprecated bash wrapper for "grep -E". So use the latter
     instead.
   - rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592)
   - rpm/kernel-obs-build.spec.in: Add -q option to modprobe calls
     (bsc#1178401)
   - rpm/kernel-{source,binary}.spec: do not include ghost symlinks
     (boo#1179082).
   - rpm/mkspec: do not build kernel-obs-build on x86_32 We want to use 64bit
     kernel due to various bugs (bsc#1178762 to name one).
   - rpm/post.sh: Avoid purge-kernel for the first installed kernel
     (bsc#1180058)
   - xen/netback: avoid race in xenvif_rx_ring_slots_available()
     (bsc#1065600).
   - xen/netback: fix spurious event detection for common event case
     (bsc#1182175).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-740=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-740=1

   - SUSE Linux Enterprise Module for Live Patching 15:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2021-740=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-740=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-740=1

   - SUSE Linux Enterprise High Availability 15:

      zypper in -t patch SUSE-SLE-Product-HA-15-2021-740=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      kernel-default-4.12.14-150.69.1
      kernel-default-base-4.12.14-150.69.1
      kernel-default-debuginfo-4.12.14-150.69.1
      kernel-default-debugsource-4.12.14-150.69.1
      kernel-default-devel-4.12.14-150.69.1
      kernel-default-devel-debuginfo-4.12.14-150.69.1
      kernel-obs-build-4.12.14-150.69.1
      kernel-obs-build-debugsource-4.12.14-150.69.1
      kernel-syms-4.12.14-150.69.1
      kernel-vanilla-base-4.12.14-150.69.1
      kernel-vanilla-base-debuginfo-4.12.14-150.69.1
      kernel-vanilla-debuginfo-4.12.14-150.69.1
      kernel-vanilla-debugsource-4.12.14-150.69.1
      reiserfs-kmp-default-4.12.14-150.69.1
      reiserfs-kmp-default-debuginfo-4.12.14-150.69.1

   - SUSE Linux Enterprise Server for SAP 15 (noarch):

      kernel-devel-4.12.14-150.69.1
      kernel-docs-4.12.14-150.69.1
      kernel-macros-4.12.14-150.69.1
      kernel-source-4.12.14-150.69.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      kernel-default-4.12.14-150.69.1
      kernel-default-base-4.12.14-150.69.1
      kernel-default-debuginfo-4.12.14-150.69.1
      kernel-default-debugsource-4.12.14-150.69.1
      kernel-default-devel-4.12.14-150.69.1
      kernel-default-devel-debuginfo-4.12.14-150.69.1
      kernel-obs-build-4.12.14-150.69.1
      kernel-obs-build-debugsource-4.12.14-150.69.1
      kernel-syms-4.12.14-150.69.1
      kernel-vanilla-base-4.12.14-150.69.1
      kernel-vanilla-base-debuginfo-4.12.14-150.69.1
      kernel-vanilla-debuginfo-4.12.14-150.69.1
      kernel-vanilla-debugsource-4.12.14-150.69.1
      reiserfs-kmp-default-4.12.14-150.69.1
      reiserfs-kmp-default-debuginfo-4.12.14-150.69.1

   - SUSE Linux Enterprise Server 15-LTSS (noarch):

      kernel-devel-4.12.14-150.69.1
      kernel-docs-4.12.14-150.69.1
      kernel-macros-4.12.14-150.69.1
      kernel-source-4.12.14-150.69.1

   - SUSE Linux Enterprise Server 15-LTSS (s390x):

      kernel-default-man-4.12.14-150.69.1
      kernel-zfcpdump-debuginfo-4.12.14-150.69.1
      kernel-zfcpdump-debugsource-4.12.14-150.69.1

   - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64):

      kernel-default-debuginfo-4.12.14-150.69.1
      kernel-default-debugsource-4.12.14-150.69.1
      kernel-default-livepatch-4.12.14-150.69.1
      kernel-livepatch-4_12_14-150_69-default-1-1.3.1
      kernel-livepatch-4_12_14-150_69-default-debuginfo-1-1.3.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      kernel-default-4.12.14-150.69.1
      kernel-default-base-4.12.14-150.69.1
      kernel-default-debuginfo-4.12.14-150.69.1
      kernel-default-debugsource-4.12.14-150.69.1
      kernel-default-devel-4.12.14-150.69.1
      kernel-default-devel-debuginfo-4.12.14-150.69.1
      kernel-obs-build-4.12.14-150.69.1
      kernel-obs-build-debugsource-4.12.14-150.69.1
      kernel-syms-4.12.14-150.69.1
      kernel-vanilla-base-4.12.14-150.69.1
      kernel-vanilla-base-debuginfo-4.12.14-150.69.1
      kernel-vanilla-debuginfo-4.12.14-150.69.1
      kernel-vanilla-debugsource-4.12.14-150.69.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):

      kernel-devel-4.12.14-150.69.1
      kernel-docs-4.12.14-150.69.1
      kernel-macros-4.12.14-150.69.1
      kernel-source-4.12.14-150.69.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      kernel-default-4.12.14-150.69.1
      kernel-default-base-4.12.14-150.69.1
      kernel-default-debuginfo-4.12.14-150.69.1
      kernel-default-debugsource-4.12.14-150.69.1
      kernel-default-devel-4.12.14-150.69.1
      kernel-default-devel-debuginfo-4.12.14-150.69.1
      kernel-obs-build-4.12.14-150.69.1
      kernel-obs-build-debugsource-4.12.14-150.69.1
      kernel-syms-4.12.14-150.69.1
      kernel-vanilla-base-4.12.14-150.69.1
      kernel-vanilla-base-debuginfo-4.12.14-150.69.1
      kernel-vanilla-debuginfo-4.12.14-150.69.1
      kernel-vanilla-debugsource-4.12.14-150.69.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):

      kernel-devel-4.12.14-150.69.1
      kernel-docs-4.12.14-150.69.1
      kernel-macros-4.12.14-150.69.1
      kernel-source-4.12.14-150.69.1

   - SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64):

      cluster-md-kmp-default-4.12.14-150.69.1
      cluster-md-kmp-default-debuginfo-4.12.14-150.69.1
      dlm-kmp-default-4.12.14-150.69.1
      dlm-kmp-default-debuginfo-4.12.14-150.69.1
      gfs2-kmp-default-4.12.14-150.69.1
      gfs2-kmp-default-debuginfo-4.12.14-150.69.1
      kernel-default-debuginfo-4.12.14-150.69.1
      kernel-default-debugsource-4.12.14-150.69.1
      ocfs2-kmp-default-4.12.14-150.69.1
      ocfs2-kmp-default-debuginfo-4.12.14-150.69.1

References:

   https://www.suse.com/security/cve/CVE-2020-29368.html
   https://www.suse.com/security/cve/CVE-2020-29374.html
   https://www.suse.com/security/cve/CVE-2021-26930.html
   https://www.suse.com/security/cve/CVE-2021-26931.html
   https://www.suse.com/security/cve/CVE-2021-26932.html
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1163592
   https://bugzilla.suse.com/1178401
   https://bugzilla.suse.com/1178762
   https://bugzilla.suse.com/1179014
   https://bugzilla.suse.com/1179015
   https://bugzilla.suse.com/1179045
   https://bugzilla.suse.com/1179082
   https://bugzilla.suse.com/1179428
   https://bugzilla.suse.com/1179660
   https://bugzilla.suse.com/1180058
   https://bugzilla.suse.com/1181747
   https://bugzilla.suse.com/1181753
   https://bugzilla.suse.com/1181843
   https://bugzilla.suse.com/1182140
   https://bugzilla.suse.com/1182175

From sle-security-updates at lists.suse.com Tue Mar 9 21:33:51 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 22:33:51 +0100 (CET)
Subject: SUSE-SU-2021:0755-1: moderate: Security update for openssl-1_1
Message-ID: <20210309213351.59EB6FD17@maintenance.suse.de>

   SUSE Security Update: Security update for openssl-1_1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0755-1
Rating:             moderate
References:         #1182331 #1182333
Cross-References:   CVE-2021-23840 CVE-2021-23841
CVSS scores:
                    CVE-2021-23840 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-23840 (SUSE): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
                    CVE-2021-23841 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-23841 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for openssl-1_1 fixes the following issues:

   - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
   - CVE-2021-23841: Fixed a Null pointer dereference in
     X509_issuer_and_serial_hash() (bsc#1182331)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-755=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-755=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-755=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-755=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      libopenssl-1_1-devel-1.1.0i-4.57.1
      libopenssl1_1-1.1.0i-4.57.1
      libopenssl1_1-debuginfo-1.1.0i-4.57.1
      libopenssl1_1-hmac-1.1.0i-4.57.1
      openssl-1_1-1.1.0i-4.57.1
      openssl-1_1-debuginfo-1.1.0i-4.57.1
      openssl-1_1-debugsource-1.1.0i-4.57.1

   - SUSE Linux Enterprise Server for SAP 15 (x86_64):

      libopenssl1_1-32bit-1.1.0i-4.57.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-4.57.1
      libopenssl1_1-hmac-32bit-1.1.0i-4.57.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      libopenssl-1_1-devel-1.1.0i-4.57.1
      libopenssl1_1-1.1.0i-4.57.1
      libopenssl1_1-debuginfo-1.1.0i-4.57.1
      libopenssl1_1-hmac-1.1.0i-4.57.1
      openssl-1_1-1.1.0i-4.57.1
      openssl-1_1-debuginfo-1.1.0i-4.57.1
      openssl-1_1-debugsource-1.1.0i-4.57.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      libopenssl-1_1-devel-1.1.0i-4.57.1
      libopenssl1_1-1.1.0i-4.57.1
      libopenssl1_1-debuginfo-1.1.0i-4.57.1
      libopenssl1_1-hmac-1.1.0i-4.57.1
      openssl-1_1-1.1.0i-4.57.1
      openssl-1_1-debuginfo-1.1.0i-4.57.1
      openssl-1_1-debugsource-1.1.0i-4.57.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

      libopenssl1_1-32bit-1.1.0i-4.57.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-4.57.1
      libopenssl1_1-hmac-32bit-1.1.0i-4.57.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      libopenssl-1_1-devel-1.1.0i-4.57.1
      libopenssl1_1-1.1.0i-4.57.1
      libopenssl1_1-debuginfo-1.1.0i-4.57.1
      libopenssl1_1-hmac-1.1.0i-4.57.1
      openssl-1_1-1.1.0i-4.57.1
      openssl-1_1-debuginfo-1.1.0i-4.57.1
      openssl-1_1-debugsource-1.1.0i-4.57.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

      libopenssl1_1-32bit-1.1.0i-4.57.1
      libopenssl1_1-32bit-debuginfo-1.1.0i-4.57.1
      libopenssl1_1-hmac-32bit-1.1.0i-4.57.1

References:

   https://www.suse.com/security/cve/CVE-2021-23840.html
   https://www.suse.com/security/cve/CVE-2021-23841.html
   https://bugzilla.suse.com/1182331
   https://bugzilla.suse.com/1182333

From sle-security-updates at lists.suse.com Tue Mar 9 21:34:54 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 9 Mar 2021 22:34:54 +0100 (CET)
Subject: SUSE-SU-2021:0742-1: important: Security update for the Linux Kernel
Message-ID: <20210309213454.9D3DCFD17@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0742-1
Rating:             important
References:         #1065600 #1065729 #1078720 #1081134 #1084610 #1114648 #1163617
                    #1163930 #1169514 #1170442 #1176855 #1177440 #1178049 #1179082
                    #1179142 #1179612 #1179709 #1180058 #1181346 #1181504 #1181574
                    #1181671 #1181809 #1181854 #1181896 #1181931 #1181960 #1181985
                    #1181987 #1181996 #1181998 #1182038 #1182047 #1182118 #1182130
                    #1182140 #1182171 #1182173 #1182175 #1182182 #1182184 #1182195
                    #1182242 #1182243 #1182248 #1182269 #1182302 #1182307 #1182310
                    #1182438 #1182447 #1182448 #1182449 #1182460 #1182461 #1182462
                    #1182463 #1182464 #1182465 #1182466 #1182560 #1182561 #1182571
                    #1182590 #1182610 #1182612 #1182650 #1182652
Cross-References:   CVE-2021-3348
CVSS scores:
                    CVE-2021-3348 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3348 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Live Patching 12-SP5
                    SUSE Linux Enterprise High Availability 12-SP5
______________________________________________________________________________

   An update that solves one vulnerability and has 67 fixes is now available.

Description:

   The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various
   security and bugfixes.

   The following security bug was fixed:

   - CVE-2021-3348: Fixed a use-after-free read in nbd_queue_rq (bsc#1181504).

   The following non-security bugs were fixed:

   - ACPI: configfs: add missing check after
     configfs_register_default_group() (git-fixes).
   - ACPI: property: Fix fwnode string properties matching (git-fixes).
   - ACPI: property: Satisfy kernel doc validator (part 1) (git-fixes).
   - ALSA: usb-audio: Fix PCM buffer allocation in non-vmalloc mode
     (git-fixes).
   - arm64: Update config file. Set CONFIG_WATCHDOG_SYSFS to true
     (bsc#1182560)
   - ASoC: cs42l56: fix up error handling in probe (git-fixes).
   - ath9k: fix data bus crash when setting nf_override via debugfs
     (git-fixes).
   - block: fix use-after-free in disk_part_iter_next (bsc#1182610).
   - Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the
     probe function (git-fixes).
   - Bluetooth: drop HCI device reference before return (git-fixes).
   - Bluetooth: Fix initializing response id after clearing struct
     (git-fixes).
   - Bluetooth: Put HCI device if inquiry procedure interrupts (git-fixes).
   - bonding: Fix reference count leak in bond_sysfs_slave_add (git-fixes).
   - bonding: wait for sysfs kobject destruction before freeing struct slave
     (git-fixes).
   - BTRFS: Cleanup try_flush_qgroup (bsc#1182047).
   - BTRFS: correctly calculate item size used when item key collision
     happens (bsc#1181996).
   - BTRFS: correctly validate compression type (bsc#1182269).
   - BTRFS: delete the ordered isize update code (bsc#1181998).
   - BTRFS: Do not flush from btrfs_delayed_inode_reserve_metadata
     (bsc#1182047).
   - BTRFS: do not set path->leave_spinning for truncate (bsc#1181998).
   - BTRFS: factor out extent dropping code from hole punch handler
     (bsc#1182038).
   - BTRFS: fix cloning range with a hole when using the NO_HOLES feature
     (bsc#1182038).
   - BTRFS: fix data bytes_may_use underflow with fallocate due to failed
     quota reserve (bsc#1182130)
   - BTRFS: fix ENOSPC errors, leading to transaction aborts, when cloning
     extents (bsc#1182038).
   - BTRFS: fix hole extent items with a zero size after range cloning
     (bsc#1182038).
   - BTRFS: fix lost i_size update after cloning inline extent (bsc#1181998).
   - BTRFS: fix mount failure caused by race with umount (bsc#1182248).
   - BTRFS: Fix race between extent freeing/allocation when using bitmaps
     (bsc#1181574).
   - BTRFS: fix unexpected cow in run_delalloc_nocow (bsc#1181987).
   - BTRFS: fix unexpected failure of nocow buffered writes after
     snapshotting when low on space (bsc#1181987).
   - BTRFS: Free correct amount of space in
     btrfs_delayed_inode_reserve_metadata (bsc#1182047).
   - BTRFS: incremental send, fix file corruption when no-holes feature is
     enabled (bsc#1182184).
   - BTRFS: Introduce extent_io_tree::owner to distinguish different io_trees
     (bsc#1181998).
   - BTRFS: introduce per-inode file extent tree (bsc#1181998).
   - BTRFS: prepare for extensions in compression options (bsc#1182269).
   - BTRFS: prop: fix vanished compression property after failed set
     (bsc#1182269).
   - BTRFS: prop: fix zstd compression parameter validation (bsc#1182269).
   - BTRFS: Remove btrfs_inode from btrfs_delayed_inode_reserve_metadata
     (bsc#1182047).
   - BTRFS: replace all uses of btrfs_ordered_update_i_size (bsc#1181998).
   - BTRFS: send, allow clone operations within the same file (bsc#1182173)
   - BTRFS: send, do not issue unnecessary truncate operations (bsc#1182173)
   - BTRFS: send, fix emission of invalid clone operations within the same
     file (bsc#1182173)
   - BTRFS: send, fix incorrect file layout after hole punching beyond eof
     (bsc#1182173).
   - BTRFS: send: fix invalid clone operations when cloning from the same file
     and root (bsc#1182173)
   - BTRFS: send, fix missing truncate for inode with prealloc extent past
     eof (bsc#1182173).
   - BTRFS: send, orphanize first all conflicting inodes when processing
     references (bsc#1182243 bsc#1182242).
   - BTRFS: send, recompute reference path after orphanization of a directory
     (bsc#1182243).
   - BTRFS: Simplify code flow in btrfs_delayed_inode_reserve_metadata
     (bsc#1182047).
   - BTRFS: transaction: Avoid deadlock due to bad initialization timing of
     fs_info::journal_info (bsc#1181931).
   - BTRFS: Unlock extents in btrfs_zero_range in case of errors
     (bsc#1182047).
   - BTRFS: Use bd_dev to generate index when dev_state_hashtable add items
     (bsc#1181931).
   - BTRFS: use btrfs_ordered_update_i_size in clone_finish_inode_update
     (bsc#1181998).
   - BTRFS: use the file extent tree infrastructure (bsc#1181998).
   - cifs: report error instead of invalid when revalidating a dentry fails
     (bsc#1177440).
   - dm: avoid filesystem lookup in dm_get_dev_t() (bsc#1178049).
   - Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind()
     (git-fixes).
   - Exclude Symbols.list again. Removing the exclude builds
     vanilla/linux-next builds. Fixes: 55877625c800
     ("kernel-binary.spec.in: Package the obj_install_dir as explicit
     filelist.")
   - ext4: do not remount read-only with errors=continue on reboot
     (bsc#1182464).
   - ext4: fix a memory leak of ext4_free_data (bsc#1182447).
   - ext4: fix bug for rename with RENAME_WHITEOUT (bsc#1182449).
   - ext4: fix deadlock with fs freezing and EA inodes (bsc#1182463).
   - ext4: fix superblock checksum failure when setting password salt
     (bsc#1182465).
   - fgraph: Initialize tracing_graph_pause at task creation (git-fixes).
   - firmware: imx: select SOC_BUS to fix firmware build (git-fixes).
   - Fix unsynchronized access to sev members through
     svm_register_enc_region (bsc#1114648).
   - fs: fix lazytime expiration handling in __writeback_single_inode()
     (bsc#1182466).
- fs: move I_DIRTY_INODE to fs.h (bsc#1182612). - HID: core: detect and skip invalid inputs to snto32() (git-fixes). - HID: wacom: Ignore attempts to overwrite the touch_max value from HID (git-fixes). - hwrng: timeriomem - Fix cooldown period calculation (git-fixes). - ibmvnic: Clear failover_pending if unable to schedule (bsc#1181960 ltc#190997). - ibmvnic: device remove has higher precedence over reset (bsc#1065729). - ibmvnic: fix a race between open and reset (bsc#1176855 ltc#187293). - ibmvnic: fix login buffer memory leak (bsc#1081134 ltc#164631). - ibmvnic: serialize access to work queue on remove (bsc#1065729). - ibmvnic: Set to CLOSED state even on error (bsc#1084610 ltc#165122 git-fixes). - Input: elo - fix an error code in elo_connect() (git-fixes). - Input: joydev - prevent potential read overflow in ioctl (git-fixes). - iwlwifi: exclude GEO SAR support for 3168 (git-fixes). - kABI: Fix kABI for 12856e7acde4 PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY (bsc#1179612). - kernel-binary.spec: Add back initrd and image symlink ghosts to filelist (bsc#1182140). Fixes: 76a9256314c3 ("rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).") - kernfs: deal with kernfs_fill_super() failures (bsc#1181809). - KVM: apic: Flush TLB after APIC mode/address change if VPIDs are in use (bsc#1182302). - KVM: Fix kABI for set_virtual_apic_mode (bsc#1182310). - KVM: Fix kABI for tlb_flush (bsc#1182195). - kvm-vmx-Basic-APIC-virtualization-controls-have-thre.patch: (bsc#1182310). - KVM: VMX: check for existence of secondary exec controls before accessing (bsc#1182438). - KVM: VMX: hide flexpriority from guest when disabled at the module level (bsc#1182448). - kvm-vmx-Introduce-lapic_mode-enumeration.patch: (bsc#1182307). - KVM: x86: emulate RDPID (bsc#1182182). - KVM: x86: emulating RDPID failure shall return #UD rather than - KVM: X86: introduce invalidate_gpa argument to tlb flush (bsc#1182195). 
- libfs: fix error cast of negative value in simple_attr_write() (bsc#1179709). - libnvdimm/dimm: Avoid race between probe and available_slots_show() (bsc#1170442). - mac80211: fix potential overflow when multiplying to u32 integers (git-fixes). - media: cx25821: Fix a bug when reallocating some dma memory (git-fixes). - media: media/pci: Fix memleak in empress_init (git-fixes). - media: pwc: Use correct device for DMA (git-fixes). - media: pxa_camera: declare variable when DEBUG is defined (git-fixes). - media: qm1d1c0042: fix error return code in qm1d1c0042_init() (git-fixes). - media: tm6000: Fix memleak in tm6000_start_stream (git-fixes). - media: vsp1: Fix an error handling path in the probe function (git-fixes). - mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() (git-fixes). - misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users (git-fixes). - misc: eeprom_93xx46: Fix module alias to enable module autoprobe (git-fixes). - mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe (git-fixes). - mm/pmem: avoid inserting hugepage PTE entry with fsdax if hugepage support is disabled (bsc#1181896 ltc#191273). - mm: thp: kABI: move the added flag to the end of enum (bsc#1181896 ltc#191273). - nbd: Fix memory leak in nbd_add_socket (bsc#1181504). - net: bcmgenet: add support for ethtool rxnfc flows (git-fixes). - net: bcmgenet: code movement (git-fixes). - net: bcmgenet: fix mask check in bcmgenet_validate_flow() (git-fixes). - net: bcmgenet: Fix WoL with password after deep sleep (git-fixes). - net: bcmgenet: re-remove bcmgenet_hfb_add_filter (git-fixes). - net: bcmgenet: set Rx mode before starting netif (git-fixes). - net: bcmgenet: use __be16 for htons(ETH_P_IP) (git-fixes). - net: bcmgenet: Use correct I/O accessors (git-fixes). - net: lpc-enet: fix error return code in lpc_mii_init() (git-fixes). - net/mlx4_en: Handle TX error CQE (bsc#1181854). 
- net: moxa: Fix a potential double 'free_irq()' (git-fixes). - net: sun: fix missing release regions in cas_init_one() (git-fixes). - nvme-multipath: Early exit if no path is available (git-fixes). - objtool: Do not fail on missing symbol table (bsc#1169514). - PCI/IOV: Mark VFs as not implementing PCI_COMMAND_MEMORY (bsc#1179612). - powerpc/book3s64/hash: Add cond_resched to avoid soft lockup warning (bsc#1182571 ltc#191345). - powerpc: Fix alignment bug within the init sections (bsc#1065729). - powerpc/perf: Exclude kernel samples while counting events in user space (bsc#1065729). - powerpc/perf/hv-24x7: Dont create sysfs event files for dummy events (bsc#1182118 ltc#190624). - powerpc/pseries/dlpar: handle ibm, configure-connector delay status (bsc#1181985 ltc#188074). - powerpc/pseries/eeh: Make pseries_pcibios_bus_add_device() static (bsc#1078720, git-fixes). - powerpc/pseries: extract host bridge from pci_bus prior to bus removal (bsc#1182171 ltc#190900). - powerpc/pseries/ras: Make init_ras_hotplug_IRQ() static (bsc#1065729. git-fixes). - power: reset: at91-sama5d2_shdwc: fix wkupdbc mask (git-fixes). - ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() (bsc#1163930). - ptrace: Set PF_SUPERPRIV when checking capability (bsc#1163930). - quota: Fix error codes in v2_read_file_info() (bsc#1182652). - quota: Fix memory leak when handling corrupted quota file (bsc#1182650). - quota: Sanity-check quota file headers on load (bsc#1182461). - regulator: axp20x: Fix reference cout leak (git-fixes). - reiserfs: add check for an invalid ih_entry_count (bsc#1182462). - reset: hisilicon: correct vendor prefix (git-fixes). - rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058) - s390/pci: adaptation of iommu to multifunction (bsc#1179612). - s390/pci: Mark all VFs as not implementing PCI_COMMAND_MEMORY (bsc#1179612). - scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit (bsc#1179142). 
- scsi: target: Fix truncated PR-in ReadKeys response (bsc#1182590). - scsi: target: fix unmap_zeroes_data boolean initialisation (bsc#1163617). - staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules (git-fixes). - tools lib traceevent: Fix "robust" test of do_generate_dynamic_list_file (git-fixes). - tpm_tis: Clean up locality release (git-fixes). - tpm_tis: Fix check_locality for correct locality acquisition (git-fixes). - tracing: Check length before giving out the filter buffer (git-fixes). - tracing: Do not count ftrace events in top level enable output (git-fixes). - USB: cdc-acm: blacklist another IR Droid device (git-fixes). - USB: dwc2: Abort transaction after errors with unknown reason (git-fixes). - USB: dwc2: Make "trimming xfer length" a debug message (git-fixes). - USB: musb: Fix runtime PM race in mUSB_queue_resume_work (git-fixes). - USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000 (git-fixes). - USB: serial: cp210x: add pid/vid for WSDA-200-USB (git-fixes). - USB: serial: mos7720: fix error code in mos7720_write() (git-fixes). - USB: serial: mos7720: improve OOM-handling in read_mos_reg() (git-fixes). - USB: serial: mos7840: fix error code in mos7840_write() (git-fixes). - USB: serial: option: Adding support for Cinterion MV31 (git-fixes). - USB: serial: option: add LongSung M5710 module support (git-fixes). - USB: uas: Add PNY USB Portable SSD to unusual_uas (git-fixes). - USB: usblp: fix DMA to stack (git-fixes). - vfio/pci: Decouple PCI_COMMAND_MEMORY bit checks from is_virtfn (bsc#1179612). - vmxnet3: Remove buf_info from device accessible structures (bsc#1181671). - writeback: Drop I_DIRTY_TIME_EXPIRE (bsc#1182460). - x86/apic: Add extra serialization for non-serializing MSRs (bsc#1114648). - x86/efistub: Disable paging at mixed mode entry (bsc#1114648). - x86/entry/64/compat: Fix "x86/entry/64/compat: Preserve r8-r11 in int $0x80" (bsc#1114648). 
- x86/entry/64/compat: Preserve r8-r11 in int $0x80 (bsc#1114648). - x86/resctrl: Fix incorrect local bandwidth when mba_sc is enabled (bsc#1114648). - x86/resctrl: Remove unused struct mbm_state::chunks_bw (bsc#1114648). - xen-blkfront: allow discard-* nodes to be optional (bsc#1181346). - xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600). - xen/netback: fix spurious event detection for common event case (bsc#1182175). - xfs: reduce quota reservation when doing a dax unwritten extent conversion (git-fixes bsc#1182561). - xhci: fix bounce buffer usage for non-sg list case (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2021-742=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-742=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-742=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-742=1 - SUSE Linux Enterprise High Availability 12-SP5: zypper in -t patch SUSE-SLE-HA-12-SP5-2021-742=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): kernel-default-debuginfo-4.12.14-122.63.1 kernel-default-debugsource-4.12.14-122.63.1 kernel-default-extra-4.12.14-122.63.1 kernel-default-extra-debuginfo-4.12.14-122.63.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.12.14-122.63.1 kernel-obs-build-debugsource-4.12.14-122.63.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): kernel-docs-4.12.14-122.63.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x 
x86_64): kernel-default-4.12.14-122.63.1 kernel-default-base-4.12.14-122.63.1 kernel-default-base-debuginfo-4.12.14-122.63.1 kernel-default-debuginfo-4.12.14-122.63.1 kernel-default-debugsource-4.12.14-122.63.1 kernel-default-devel-4.12.14-122.63.1 kernel-syms-4.12.14-122.63.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): kernel-devel-4.12.14-122.63.1 kernel-macros-4.12.14-122.63.1 kernel-source-4.12.14-122.63.1 - SUSE Linux Enterprise Server 12-SP5 (x86_64): kernel-default-devel-debuginfo-4.12.14-122.63.1 - SUSE Linux Enterprise Server 12-SP5 (s390x): kernel-default-man-4.12.14-122.63.1 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kernel-default-debuginfo-4.12.14-122.63.1 kernel-default-debugsource-4.12.14-122.63.1 kernel-default-kgraft-4.12.14-122.63.1 kernel-default-kgraft-devel-4.12.14-122.63.1 kgraft-patch-4_12_14-122_63-default-1-8.3.1 - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64): cluster-md-kmp-default-4.12.14-122.63.1 cluster-md-kmp-default-debuginfo-4.12.14-122.63.1 dlm-kmp-default-4.12.14-122.63.1 dlm-kmp-default-debuginfo-4.12.14-122.63.1 gfs2-kmp-default-4.12.14-122.63.1 gfs2-kmp-default-debuginfo-4.12.14-122.63.1 kernel-default-debuginfo-4.12.14-122.63.1 kernel-default-debugsource-4.12.14-122.63.1 ocfs2-kmp-default-4.12.14-122.63.1 ocfs2-kmp-default-debuginfo-4.12.14-122.63.1 References: https://www.suse.com/security/cve/CVE-2021-3348.html https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1078720 https://bugzilla.suse.com/1081134 https://bugzilla.suse.com/1084610 https://bugzilla.suse.com/1114648 https://bugzilla.suse.com/1163617 https://bugzilla.suse.com/1163930 https://bugzilla.suse.com/1169514 https://bugzilla.suse.com/1170442 https://bugzilla.suse.com/1176855 https://bugzilla.suse.com/1177440 https://bugzilla.suse.com/1178049 https://bugzilla.suse.com/1179082 https://bugzilla.suse.com/1179142 https://bugzilla.suse.com/1179612 
https://bugzilla.suse.com/1179709 https://bugzilla.suse.com/1180058 https://bugzilla.suse.com/1181346 https://bugzilla.suse.com/1181504 https://bugzilla.suse.com/1181574 https://bugzilla.suse.com/1181671 https://bugzilla.suse.com/1181809 https://bugzilla.suse.com/1181854 https://bugzilla.suse.com/1181896 https://bugzilla.suse.com/1181931 https://bugzilla.suse.com/1181960 https://bugzilla.suse.com/1181985 https://bugzilla.suse.com/1181987 https://bugzilla.suse.com/1181996 https://bugzilla.suse.com/1181998 https://bugzilla.suse.com/1182038 https://bugzilla.suse.com/1182047 https://bugzilla.suse.com/1182118 https://bugzilla.suse.com/1182130 https://bugzilla.suse.com/1182140 https://bugzilla.suse.com/1182171 https://bugzilla.suse.com/1182173 https://bugzilla.suse.com/1182175 https://bugzilla.suse.com/1182182 https://bugzilla.suse.com/1182184 https://bugzilla.suse.com/1182195 https://bugzilla.suse.com/1182242 https://bugzilla.suse.com/1182243 https://bugzilla.suse.com/1182248 https://bugzilla.suse.com/1182269 https://bugzilla.suse.com/1182302 https://bugzilla.suse.com/1182307 https://bugzilla.suse.com/1182310 https://bugzilla.suse.com/1182438 https://bugzilla.suse.com/1182447 https://bugzilla.suse.com/1182448 https://bugzilla.suse.com/1182449 https://bugzilla.suse.com/1182460 https://bugzilla.suse.com/1182461 https://bugzilla.suse.com/1182462 https://bugzilla.suse.com/1182463 https://bugzilla.suse.com/1182464 https://bugzilla.suse.com/1182465 https://bugzilla.suse.com/1182466 https://bugzilla.suse.com/1182560 https://bugzilla.suse.com/1182561 https://bugzilla.suse.com/1182571 https://bugzilla.suse.com/1182590 https://bugzilla.suse.com/1182610 https://bugzilla.suse.com/1182612 https://bugzilla.suse.com/1182650 https://bugzilla.suse.com/1182652 From sle-security-updates at lists.suse.com Tue Mar 9 23:16:30 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 10 Mar 2021 00:16:30 +0100 (CET) Subject: SUSE-SU-2021:0757-1: 
important: Security update for git
Message-ID: <20210309231630.ADA9CFD17@maintenance.suse.de>

SUSE Security Update: Security update for git
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0757-1
Rating:             important
References:         #1183026
Cross-References:   CVE-2021-21300
CVSS scores:
                    CVE-2021-21300 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Development Tools 15-SP3
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for git fixes the following issues:

- CVE-2021-21300: On a case-insensitive filesystem that supports symbolic links, and with a delay-capable clean/smudge filter (such as Git LFS) configured globally, a specially crafted repository could make Git execute code supplied by that repository during a clone. Only clones performed under all three conditions are exploitable; until the update is installed, disabling symbolic link support (core.symlinks=false) or not having such a filter configured globally before cloning blocks the attack (bsc#1183026).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
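The description above lists the three preconditions for CVE-2021-21300 but gives no way to tell whether a given client meets them. The following script is an added example, not code from SUSE or the Git project: it reads the key=value output of `git config --global --list`, applies the advisory's conditions (a globally configured `filter.<name>.process` such as Git LFS, `core.symlinks` not disabled, and a case-insensitive filesystem, which the caller must state because Git config does not reveal it), and prints the workarounds. It also shows why a bare upstream version comparison is the wrong check for distribution packages: the SUSE build git-2.26.2-3.31.1 from this advisory carries the backported fix although 2.26.2 is below the upstream fixed release 2.26.3, so the package changelog is what to inspect. The sample config and changelog text are constructed, not captured from a real system.

```python
"""Exposure check for CVE-2021-21300 driven by `git config --global --list` output.

Added example, not code from SUSE or the Git project. It encodes the preconditions
named in the advisory: a delay-capable clean/smudge filter configured globally
(filter.<name>.process, which is how Git LFS registers itself), symbolic link
support left enabled (core.symlinks defaults to true), and a case-insensitive
filesystem, which the caller must state since it is not visible in Git config.
The sample config and changelog text below are constructed, not real output.
"""
import re
from dataclasses import dataclass, field

# Upstream maintenance releases that carry the fix, keyed by 2.x minor version
# (from the git 2.30.2 release announcement).
UPSTREAM_FIXED = {17: 6, 18: 5, 19: 6, 20: 5, 21: 4, 22: 5, 23: 4,
                  24: 4, 25: 5, 26: 3, 27: 1, 28: 1, 29: 3, 30: 2}

_PROCESS_FILTER_RE = re.compile(r"^filter\.([^.=]+)\.process=(.+)$")
_VERSION_RE = re.compile(r"^(?:git version )?(\d+)\.(\d+)\.(\d+)")


@dataclass
class Exposure:
    process_filters: dict = field(default_factory=dict)  # filter name -> command
    symlinks_enabled: bool = True
    fs_case_insensitive: bool = True

    @property
    def preconditions_met(self) -> bool:
        """True when every condition the advisory requires for exploitation holds."""
        return bool(self.process_filters) and self.symlinks_enabled and self.fs_case_insensitive

    def workarounds(self) -> list:
        """Config changes that break the attack while the package update is pending."""
        steps = [f"git config --global --unset filter.{name}.process"
                 for name in sorted(self.process_filters)]
        if self.symlinks_enabled:
            steps.append("git config --global core.symlinks false")
        return steps


def assess(config_dump: str, fs_case_insensitive: bool = True) -> Exposure:
    """Parse key=value lines as printed by `git config --global --list`."""
    exposure = Exposure(fs_case_insensitive=fs_case_insensitive)
    for raw in config_dump.splitlines():
        line = raw.strip()
        match = _PROCESS_FILTER_RE.match(line)
        if match:
            exposure.process_filters[match.group(1)] = match.group(2)
        elif line.lower() == "core.symlinks=false":
            exposure.symlinks_enabled = False
    return exposure


def upstream_version_fixed(version: str):
    """True/False for an upstream git version string, None for an unmaintained line.

    Do not apply this to distribution packages: the SUSE build git-2.26.2-3.31.1
    from this advisory carries the backported fix even though 2.26.2 < 2.26.3.
    For those, check the package changelog (changelog_mentions) or zypper patch-info.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    if major > 2 or (major == 2 and minor > max(UPSTREAM_FIXED)):
        return True
    if major < 2 or minor not in UPSTREAM_FIXED:
        return None
    return patch >= UPSTREAM_FIXED[minor]


def changelog_mentions(changelog: str, cve: str = "CVE-2021-21300") -> bool:
    """Distribution-aware check on `rpm -q --changelog git` output."""
    return cve.lower() in changelog.lower()


# Constructed sample: a workstation where Git LFS was installed with `git lfs install`.
SAMPLE_GLOBAL_CONFIG = """\
user.name=Jane Doe
filter.lfs.clean=git-lfs clean -- %f
filter.lfs.smudge=git-lfs smudge -- %f
filter.lfs.process=git-lfs filter-process
filter.lfs.required=true
"""

# Constructed sample in the shape of an rpm changelog entry referencing the CVE.
SAMPLE_CHANGELOG = """\
* Tue Mar 09 2021 packager@example.invalid
- CVE-2021-21300: prevent code execution during clone via delayed checkout (bsc#1183026)
"""

if __name__ == "__main__":
    exposure = assess(SAMPLE_GLOBAL_CONFIG)
    print("exploitable configuration:", exposure.preconditions_met)
    for step in exposure.workarounds():
        print("  workaround:", step)
    print("package changelog names the CVE:", changelog_mentions(SAMPLE_CHANGELOG))
```

On a real host, feed `assess()` the output of `git config --global --list` and `changelog_mentions()` the output of `rpm -q --changelog git`; the filesystem flag has to come from the operator, since case-insensitivity is a property of the mount, not of Git.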
Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-757=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-757=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-757=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-757=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-757=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-757=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-757=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-757=1 - SUSE Linux Enterprise Module for Development Tools 15-SP3: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-757=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-757=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-757=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-757=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-757=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-757=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-757=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-757=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-757=1 - SUSE CaaS Platform 4.0: To install 
this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE Manager Server 4.0 (ppc64le s390x x86_64): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-core-2.26.2-3.31.1 git-core-debuginfo-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 git-gui-2.26.2-3.31.1 git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 - SUSE Manager Server 4.0 (noarch): git-doc-2.26.2-3.31.1 - SUSE Manager Retail Branch Server 4.0 (noarch): git-doc-2.26.2-3.31.1 - SUSE Manager Retail Branch Server 4.0 (x86_64): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-core-2.26.2-3.31.1 git-core-debuginfo-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 git-gui-2.26.2-3.31.1 git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 - SUSE Manager Proxy 4.0 (x86_64): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-core-2.26.2-3.31.1 git-core-debuginfo-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 git-gui-2.26.2-3.31.1 git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 - SUSE Manager Proxy 4.0 (noarch): git-doc-2.26.2-3.31.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-core-2.26.2-3.31.1 git-core-debuginfo-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 git-gui-2.26.2-3.31.1 
git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): git-doc-2.26.2-3.31.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-core-2.26.2-3.31.1 git-core-debuginfo-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 git-gui-2.26.2-3.31.1 git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): git-doc-2.26.2-3.31.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-core-2.26.2-3.31.1 git-core-debuginfo-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 git-gui-2.26.2-3.31.1 git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): git-doc-2.26.2-3.31.1 - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-core-2.26.2-3.31.1 git-core-debuginfo-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 git-gui-2.26.2-3.31.1 git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): git-doc-2.26.2-3.31.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-core-2.26.2-3.31.1 git-core-debuginfo-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 
git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 git-gui-2.26.2-3.31.1 git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): git-doc-2.26.2-3.31.1 - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 git-gui-2.26.2-3.31.1 git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 - SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch): git-doc-2.26.2-3.31.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 git-gui-2.26.2-3.31.1 git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch): git-doc-2.26.2-3.31.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): git-core-2.26.2-3.31.1 git-core-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): git-core-2.26.2-3.31.1 git-core-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-core-2.26.2-3.31.1 git-core-debuginfo-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 
git-gui-2.26.2-3.31.1 git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): git-doc-2.26.2-3.31.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-core-2.26.2-3.31.1 git-core-debuginfo-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 git-gui-2.26.2-3.31.1 git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): git-doc-2.26.2-3.31.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-core-2.26.2-3.31.1 git-core-debuginfo-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 git-gui-2.26.2-3.31.1 git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): git-doc-2.26.2-3.31.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-core-2.26.2-3.31.1 git-core-debuginfo-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 git-gui-2.26.2-3.31.1 git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): git-doc-2.26.2-3.31.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-core-2.26.2-3.31.1 
git-core-debuginfo-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 git-gui-2.26.2-3.31.1 git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 - SUSE Enterprise Storage 6 (noarch): git-doc-2.26.2-3.31.1 - SUSE CaaS Platform 4.0 (noarch): git-doc-2.26.2-3.31.1 - SUSE CaaS Platform 4.0 (x86_64): git-2.26.2-3.31.1 git-arch-2.26.2-3.31.1 git-core-2.26.2-3.31.1 git-core-debuginfo-2.26.2-3.31.1 git-cvs-2.26.2-3.31.1 git-daemon-2.26.2-3.31.1 git-daemon-debuginfo-2.26.2-3.31.1 git-debuginfo-2.26.2-3.31.1 git-debugsource-2.26.2-3.31.1 git-email-2.26.2-3.31.1 git-gui-2.26.2-3.31.1 git-svn-2.26.2-3.31.1 git-svn-debuginfo-2.26.2-3.31.1 git-web-2.26.2-3.31.1 gitk-2.26.2-3.31.1 References: https://www.suse.com/security/cve/CVE-2021-21300.html https://bugzilla.suse.com/1183026 From sle-security-updates at lists.suse.com Wed Mar 10 07:15:37 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 10 Mar 2021 08:15:37 +0100 (CET) Subject: SUSE-CU-2021:65-1: Security update of suse/sle15 Message-ID: <20210310071537.17C76FFA5@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:65-1 Container Tags : suse/sle15:15.0 , suse/sle15:15.0.4.22.354 Container Release : 4.22.354 Severity : moderate Type : security References : 1182331 1182333 CVE-2021-23840 CVE-2021-23841 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:755-1
Released:    Tue Mar 9 17:11:22 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1182331,1182333,CVE-2021-23840,CVE-2021-23841

This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an integer overflow in EVP_CipherUpdate(), EVP_EncryptUpdate() and EVP_DecryptUpdate(): with input lengths close to INT_MAX the call reports success while returning a negative output length (bsc#1182333)
- CVE-2021-23841: Fixed a NULL pointer dereference in X509_issuer_and_serial_hash() when parsing a malformed issuer field, a crash that an untrusted certificate can trigger (bsc#1182331)

From sle-security-updates at lists.suse.com Wed Mar 10 07:22:59 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 10 Mar 2021 08:22:59 +0100 (CET)
Subject: SUSE-CU-2021:66-1: Security update of suse/sle15
Message-ID: <20210310072259.7906AFFA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:66-1
Container Tags        : suse/sle15:15.2 , suse/sle15:15.2.8.2.862
Container Release     : 8.2.862
Severity              : moderate
Type                  : security
References            : 1182331 1182333 1182959 CVE-2021-23840 CVE-2021-23841
-----------------------------------------------------------------

The container suse/sle15 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:754-1
Released:    Tue Mar 9 17:10:49 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841

This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an integer overflow in EVP_CipherUpdate(), EVP_EncryptUpdate() and EVP_DecryptUpdate(): with input lengths close to INT_MAX the call reports success while returning a negative output length (bsc#1182333)
- CVE-2021-23841: Fixed a NULL pointer dereference in X509_issuer_and_serial_hash() when parsing a malformed issuer field, a crash that an untrusted certificate can trigger (bsc#1182331)
- Fixed unresolved error codes in FIPS mode (bsc#1182959).
From sle-security-updates at lists.suse.com Wed Mar 10 11:37:25 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 10 Mar 2021 12:37:25 +0100 (CET)
Subject: SUSE-IU-2021:410-1: Security update of suse-sles-15-chost-byos-v20210304-hvm-ssd-x86_64
Message-ID: <20210310113725.80F9BFD17@maintenance.suse.de>

SUSE Image Update Advisory: suse-sles-15-chost-byos-v20210304-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2021:410-1
Image Tags        : suse-sles-15-chost-byos-v20210304-hvm-ssd-x86_64:20210304
Image Release     :
Severity          : moderate
Type              : security
References        : 1177211 1177460 1180603 1181571 CVE-2020-26116
-----------------------------------------------------------------

The container suse-sles-15-chost-byos-v20210304-hvm-ssd-x86_64 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released:    Wed Feb 3 12:52:34 2021
Summary:     Recommended update for gmp
Type:        recommended
Severity:    moderate
References:  1180603

This update for gmp fixes the following issues:

- Correct the license statements of the packages (the library itself is not GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:301-1
Released:    Thu Feb 4 08:46:27 2021
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460

This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released:    Mon Feb 8 13:16:07 2021
Summary:     Optional update for pam
Type:        optional
Severity:    low
References:

This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of them

This patch is optional; it does not fix any bugs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:341-1
Released:    Mon Feb 8 17:39:53 2021
Summary:     Security update for python-urllib3
Type:        security
Severity:    moderate
References:  1177211,1181571,CVE-2020-26116

This update for python-urllib3 fixes the following issues:

- CVE-2020-26116: Raise ValueError if the HTTP method contains control characters, preventing CRLF injection into the request line and thus the smuggling of extra headers or requests (bsc#1177211).
- Skip test for RECENT_DATE (bsc#1181571).

From sle-security-updates at lists.suse.com Wed Mar 10 11:39:16 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 10 Mar 2021 12:39:16 +0100 (CET)
Subject: SUSE-IU-2021:411-1: Security update of suse-sles-15-sp1-chost-byos-v20210304-gen2
Message-ID: <20210310113916.D8FD6FD17@maintenance.suse.de>

SUSE Image Update Advisory: suse-sles-15-sp1-chost-byos-v20210304-gen2
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2021:411-1
Image Tags        : suse-sles-15-sp1-chost-byos-v20210304-gen2:20210304
Image Release     :
Severity          : important
Type              : security
References        : 1046305 1046306 1046540 1046542 1046648 1050242 1050244 1050536 1050538 1050545 1056653 1056657 1056787 1064802 1066129 1073513 1074220 1075020 1086282 1086301 1086313 1086314 1098633 1103990 1103991 1103992 1104270 1104277 1104279 1104353 1104427 1104742 1104745 1109837 1111981 1112178 1112374 1113956 1119113 1126206 1126390 1127354 1127371 1129770 1136348 1149032 1170671 1174075 1174206 1175570 1175970 1176262 1176708 1176711 1176831 1176846 1177460
1177883 1178036 1178049 1178386 1178801 1178801 1178900 1178969 1179093 1179142 1179264 1179265 1179508 1179509 1179563 1179573 1179575 1179691 1179694 1179721 1179756 1179878 1180038 1180130 1180176 1180243 1180401 1180401 1180403 1180501 1180520 1180603 1180603 1180686 1180719 1180765 1180812 1180827 1180891 1180912 1180933 1181018 1181126 1181170 1181230 1181231 1181260 1181349 1181425 1181504 1181505 1181600 1181601 1181730 1181732 1181809 1181944 1182057 1182066 1182117 1182168 1182244 1182246 1182262 1182263 1182471 CVE-2019-20916 CVE-2019-25013 CVE-2019-8842 CVE-2020-10001 CVE-2020-14372 CVE-2020-15257 CVE-2020-25632 CVE-2020-25639 CVE-2020-25647 CVE-2020-27618 CVE-2020-27749 CVE-2020-27779 CVE-2020-27835 CVE-2020-28493 CVE-2020-29562 CVE-2020-29568 CVE-2020-29569 CVE-2020-29573 CVE-2020-36242 CVE-2020-8625 CVE-2021-0342 CVE-2021-20177 CVE-2021-20225 CVE-2021-20233 CVE-2021-21284 CVE-2021-21285 CVE-2021-26720 CVE-2021-3177 CVE-2021-3326 CVE-2021-3347 CVE-2021-3348 ----------------------------------------------------------------- The container suse-sles-15-sp1-chost-byos-v20210304-gen2 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:285-1 Released: Tue Feb 2 13:08:54 2021 Summary: Security update for cups Type: security Severity: moderate References: 1170671,1180520,CVE-2019-8842,CVE-2020-10001 This update for cups fixes the following issues: - CVE-2020-10001: Fixed an out-of-bounds read in the ippReadIO function (bsc#1180520). - CVE-2019-8842: Fixed an out-of-bounds read in an extension field (bsc#1170671). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:292-1 Released: Wed Feb 3 11:46:32 2021 Summary: Recommended update for python-azure-agent Type: recommended Severity: moderate References: 1180719,1181600,1181601 This update for python-azure-agent contains the following fix: - Added sysvinit-tools as dependency (bsc#1181600, bsc#1181601) - Recognise SLE_HPC as SLES and use the proper RDMA handler and distro specific initialization code (bsc#1180719) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:293-1 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Type: recommended Severity: moderate References: 1180603 This update for gmp fixes the following issues: - correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:301-1 Released: Thu Feb 4 08:46:27 2021 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: - timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:304-1 Released: Thu Feb 4 13:19:43 2021 Summary: Recommended update for lvm2 Type: recommended Severity: important References: 1179691 This update for lvm2 fixes the following issues: - lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691).
If this behavior is still wanted, please change this manually in the lvm.conf ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:307-1 Released: Fri Feb 5 05:30:34 2021 Summary: Recommended update for libselinux Type: recommended Severity: low References: 1180603 This update for libselinux fixes the following issues: - Corrected the license to public domain (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:339-1 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Type: optional Severity: low References: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:435-1 Released: Thu Feb 11 14:47:25 2021 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Type: security Severity: important References: 1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732,CVE-2020-15257,CVE-2021-21284,CVE-2021-21285 This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Security issues fixed: - CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969). - CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732) - CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730) Non-security issues fixed: - Update Docker to 19.03.15-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285). - Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE. 
It appears that SLES doesn't like the patch. (bsc#1180401) - Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and fixes CVE-2020-15257. bsc#1180243 - Update to containerd v1.3.7, which is required for Docker 19.03.13-ce. bsc#1176708 - Update to Docker 19.03.14-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243 https://github.com/docker/docker-ce/releases/tag/v19.03.14 - Enable fish-completion - Add a patch which makes Docker compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460) - Update to Docker 19.03.13-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708 - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) - Emergency fix: %requires_eq does not work with provide symbols, only effective package names. Convert back to regular Requires. - Update to Docker 19.03.12-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. - Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of spurious errors due to Go returning -EINTR from I/O syscalls much more often (due to Go 1.14's pre-emptive goroutine support). - Add BuildRequires for all -git dependencies so that we catch missing dependencies much more quickly. - Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce. bsc#1180243 - Add patch which makes libnetwork compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:441-1 Released: Thu Feb 11 16:35:04 2021 Summary: Optional update for python3-jsonschema Type: optional Severity: low References: 1180403 This update provides the python3 variant of the jsonschema module to the SUSE Linux Enterprise 15 SP2 Basesystem module.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:502-1 Released: Thu Feb 18 05:33:06 2021 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1180501 This update for openssh fixes the following issues: - Fixed a crash which sometimes occurred on connection termination, caused by accessing freed memory (bsc#1180501) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:507-1 Released: Thu Feb 18 09:34:49 2021 Summary: Security update for bind Type: security Severity: important References: 1182246,CVE-2020-8625 This update for bind fixes the following issues: - CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack [bsc#1182246] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:516-1 Released: Thu Feb 18 14:42:51 2021 Summary: Recommended update for docker, golang-github-docker-libnetwork Type: recommended Severity: moderate References: 1178801,1180401,1182168 This update for docker, golang-github-docker-libnetwork fixes the following issues: - A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:526-1 Released: Fri Feb 19 12:46:27 2021 Summary: Recommended update for python-distro Type: recommended Severity: moderate References: This update for python-distro fixes the following issues: Upgrade from version 1.2.0 to 1.5.0 (jsc#ECO-3212) - Backward compatibility: - Keep output as native string so we can be compatible with the python2 interface - Prefer the `VERSION_CODENAME` field of `os-release` to parsing it from `VERSION` - Bug Fixes: - Fix detection of RHEL 6 `ComputeNode` - Fix Oracle 4/5 `lsb_release` id and names - Ignore `/etc/plesk-release` file while parsing distribution - Return `_uname_info` from
the `uname_info()` method - Fixed `CloudLinux` id discovery - Update Oracle matching - Warn about wrong locale. - Documentation: - Distro is the recommended replacement for `platform.linux_distribution` - Add Ansible reference implementation and fix arch-linux link - Add facter reference implementation ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:529-1 Released: Fri Feb 19 14:53:47 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177 This update for python3 fixes the following issues: - CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126). - Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:532-1 Released: Fri Feb 19 17:29:03 2021 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1046305,1046306,1046540,1046542,1046648,1050242,1050244,1050536,1050538,1050545,1056653,1056657,1056787,1064802,1066129,1073513,1074220,1075020,1086282,1086301,1086313,1086314,1098633,1103990,1103991,1103992,1104270,1104277,1104279,1104353,1104427,1104742,1104745,1109837,1111981,1112178,1112374,1113956,1119113,1126206,1126390,1127354,1127371,1129770,1136348,1149032,1174206,1176831,1176846,1178036,1178049,1178900,1179093,1179142,1179508,1179509,1179563,1179573,1179575,1179878,1180130,1180765,1180812,1180891,1180912,1181018,1181170,1181230,1181231,1181260,1181349,1181425,1181504,1181809,CVE-2020-25639,CVE-2020-27835,CVE-2020-29568,CVE-2020-29569,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347,CVE-2021-3348 The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes. 
The following security bugs were fixed: - CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349). - CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504). - CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765). - CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required. (bnc#1180812) - CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way a user calls ioctl after opening the device file and forking. A local user could use this flaw to crash the system (bnc#1179878). - CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846). - CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509). - CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508). The following non-security bugs were fixed: - ACPI: scan: Harden acpi_device_add() against device ID overflows (git-fixes). - ACPI: scan: Make acpi_bus_get_device() clear return pointer on error (git-fixes). - ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI (git-fixes). - ALSA: doc: Fix reference to mixart.rst (git-fixes). - ALSA: fireface: Fix integer overflow in transmit_midi_msg() (git-fixes). - ALSA: firewire-tascam: Fix integer overflow in midi_port_work() (git-fixes). - ALSA: hda/via: Add minimum mute flag (git-fixes). - ALSA: hda/via: Fix runtime PM for Clevo W35xSS (git-fixes).
- ALSA: pcm: Clear the full allocated memory at hw_params (git-fixes). - ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info() (git-fixes). - ASoC: Intel: haswell: Add missing pm_ops (git-fixes). - ASoC: dapm: remove widget from dirty list on free (git-fixes). - EDAC/amd64: Fix PCI component registration (bsc#1112178). - IB/mlx5: Fix DEVX support for MLX5_CMD_OP_INIT2INIT_QP command (bsc#1103991). - KVM: SVM: Initialize prev_ga_tag before use (bsc#1180912). - KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages (bsc#1181230). - NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock (git-fixes). - NFS: nfs_igrab_and_active must first reference the superblock (git-fixes). - NFS: switch nfsiod to be an UNBOUND workqueue (git-fixes). - NFSv4.2: condition READDIR's mask for security label based on LSM state (git-fixes). - RDMA/addr: Fix race with netevent_callback()/rdma_addr_cancel() (bsc#1103992). - RDMA/bnxt_re: Do not add user qps to flushlist (bsc#1050244 ). - RDMA/bnxt_re: Do not report transparent vlan from QP1 (bsc#1104742). - RDMA/cma: Do not overwrite sgid_attr after device is released (bsc#1103992). - RDMA/core: Ensure security pkey modify is not lost (bsc#1046306 ). - RDMA/core: Fix pkey and port assignment in get_new_pps (bsc#1046306). - RDMA/core: Fix protection fault in get_pkey_idx_qp_list (bsc#1046306). - RDMA/core: Fix reported speed and width (bsc#1046306 ). - RDMA/core: Fix return error value in _ib_modify_qp() to negative (bsc#1103992). - RDMA/core: Fix use of logical OR in get_new_pps (bsc#1046306 ). - RDMA/hns: Bugfix for memory window mtpt configuration (bsc#1104427). - RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver (bsc#1104427). - RDMA/hns: Fix cmdq parameter of querying pf timer resource (bsc#1104427 bsc#1126206). - RDMA/hns: Fix missing sq_sig_type when querying QP (bsc#1104427 ). - RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver (bsc#1104427). 
- RDMA/iw_cxgb4: Fix incorrect function parameters (bsc#1136348 jsc#SLE-4684). - RDMA/iw_cxgb4: initiate CLOSE when entering TERM (bsc#1136348 jsc#SLE-4684). - RDMA/mlx5: Add init2init as a modify command (bsc#1103991 ). - RDMA/mlx5: Fix typo in enum name (bsc#1103991). - RDMA/mlx5: Fix wrong free of blue flame register on error (bsc#1103991). - RDMA/qedr: Fix inline size returned for iWARP (bsc#1050545 ). - SUNRPC: cache: ignore timestamp written to 'flush' file (bsc#1178036). - USB: ehci: fix an interrupt calltrace error (git-fixes). - USB: gadget: legacy: fix return error code in acm_ms_bind() (git-fixes). - USB: serial: iuu_phoenix: fix DMA from stack (git-fixes). - USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set (git-fixes). - USB: yurex: fix control-URB timeout handling (git-fixes). - __netif_receive_skb_core: pass skb by reference (bsc#1109837). - arm64: pgtable: Ensure dirty bit is preserved across pte_wrprotect() (bsc#1180130). - arm64: pgtable: Fix pte_accessible() (bsc#1180130). - bnxt_en: Do not query FW when netif_running() is false (bsc#1086282). - bnxt_en: Fix accumulation of bp->net_stats_prev (bsc#1104745 ). - bnxt_en: Improve stats context resource accounting with RDMA driver loaded (bsc#1104745). - bnxt_en: Release PCI regions when DMA mask setup fails during probe (git-fixes). - bnxt_en: Reset rings if ring reservation fails during open() (bsc#1086282). - bnxt_en: fix HWRM error when querying VF temperature (bsc#1104745). - bnxt_en: fix error return code in bnxt_init_board() (git-fixes). - bnxt_en: fix error return code in bnxt_init_one() (bsc#1050242 ). - bnxt_en: read EEPROM A2h address using page 0 (git-fixes). - bnxt_en: return proper error codes in bnxt_show_temp (bsc#1104745). - bonding: set dev->needed_headroom in bond_setup_by_slave() (git-fixes). - btrfs: add a flag to iterate_inodes_from_logical to find all extent refs for uncompressed extents (bsc#1174206). 
- btrfs: add a flags argument to LOGICAL_INO and call it LOGICAL_INO_V2 (bsc#1174206). - btrfs: increase output size for LOGICAL_INO_V2 ioctl (bsc#1174206). - btrfs: qgroup: do not try to wait flushing if we're already holding a transaction (bsc#1179575). - caif: no need to check return value of debugfs_create functions (git-fixes). - can: c_can: c_can_power_up(): fix error handling (git-fixes). - can: dev: prevent potential information leak in can_fill_info() (git-fixes). - can: vxcan: vxcan_xmit: fix use after free bug (git-fixes). - chelsio/chtls: correct function return and return type (bsc#1104270). - chelsio/chtls: correct netdevice for vlan interface (bsc#1104270 ). - chelsio/chtls: fix a double free in chtls_setkey() (bsc#1104270 ). - chelsio/chtls: fix always leaking ctrl_skb (bsc#1104270 ). - chelsio/chtls: fix deadlock issue (bsc#1104270). - chelsio/chtls: fix memory leaks caused by a race (bsc#1104270 ). - chelsio/chtls: fix memory leaks in CPL handlers (bsc#1104270 ). - chelsio/chtls: fix panic during unload reload chtls (bsc#1104270 ). - chelsio/chtls: fix socket lock (bsc#1104270). - chelsio/chtls: fix tls record info to user (bsc#1104270 ). - chtls: Added a check to avoid NULL pointer dereference (bsc#1104270). - chtls: Fix chtls resources release sequence (bsc#1104270 ). - chtls: Fix hardware tid leak (bsc#1104270). - chtls: Remove invalid set_tcb call (bsc#1104270). - chtls: Replace skb_dequeue with skb_peek (bsc#1104270 ). - cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled (bsc#1109837). - cxgb3: fix error return code in t3_sge_alloc_qset() (git-fixes). - cxgb4/cxgb4vf: fix flow control display for auto negotiation (bsc#1046540 bsc#1046542). - cxgb4: fix SGE queue dump destination buffer context (bsc#1073513). - cxgb4: fix adapter crash due to wrong MC size (bsc#1073513). - cxgb4: fix all-mask IP address comparison (bsc#1064802 bsc#1066129). - cxgb4: fix large delays in PTP synchronization (bsc#1046540 bsc#1046648). 
- cxgb4: fix the panic caused by non smac rewrite (bsc#1064802 bsc#1066129). - cxgb4: fix thermal zone device registration (bsc#1104279 bsc#1104277). - cxgb4: fix throughput drop during Tx backpressure (bsc#1127354 bsc#1127371). - cxgb4: move DCB version extern to header file (bsc#1104279 ). - cxgb4: remove cast when saving IPv4 partial checksum (bsc#1074220). - cxgb4: set up filter action after rewrites (bsc#1064802 bsc#1066129). - cxgb4: use correct type for all-mask IP address comparison (bsc#1064802 bsc#1066129). - cxgb4: use unaligned conversion for fetching timestamp (bsc#1046540 bsc#1046648). - dm: avoid filesystem lookup in dm_get_dev_t() (bsc#1178049). - dmaengine: xilinx_dma: check dma_async_device_register return value (git-fixes). - dmaengine: xilinx_dma: fix mixed_enum_type coverity warning (git-fixes). - docs: Fix reST markup when linking to sections (git-fixes). - drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' (git-fixes). - drm/amd/powerplay: fix a crash when overclocking Vega M (bsc#1113956) - drm/amdkfd: Put ACPI table after using it (bsc#1129770) Backporting changes: * context changes - drm/atomic: put state on error path (git-fixes). - drm/i915: Check for all subplatform bits (git-fixes). - drm/i915: Clear the repeater bit on HDCP disable (bsc#1112178) - drm/i915: Fix sha_text population code (bsc#1112178) - drm/msm: Avoid div-by-zero in dpu_crtc_atomic_check() (bsc#1129770) - drm/msm: Fix WARN_ON() splat in _free_object() (bsc#1129770) - drm/msm: Fix use-after-free in msm_gem with carveout (bsc#1129770) - drm/nouveau/bios: fix issue shadowing expansion ROMs (git-fixes). - drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields (git-fixes). - drm/nouveau/privring: ack interrupts the same way as RM (git-fixes). 
- drm/tve200: Fix handling of platform_get_irq() error (bsc#1129770) - drm/vgem: Replace opencoded version of drm_gem_dumb_map_offset() (bsc#1112178) - drm: sun4i: hdmi: Fix inverted HPD result (bsc#1112178) - drm: sun4i: hdmi: Remove extra HPD polling (bsc#1112178) - ehci: fix EHCI host controller initialization sequence (git-fixes). - ethernet: ucc_geth: fix use-after-free in ucc_geth_remove() (git-fixes). - floppy: reintroduce O_NDELAY fix (boo#1181018). - futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#1149032). - futex: Ensure the correct return value from futex_lock_pi() (bsc#1181349 bsc#1149032). - futex: Fix incorrect should_fail_futex() handling (bsc#1181349). - futex: Handle faults correctly for PI futexes (bsc#1181349 bsc#1149032). - futex: Provide and use pi_state_update_owner() (bsc#1181349 bsc#1149032). - futex: Replace pointless printk in fixup_owner() (bsc#1181349 bsc#1149032). - futex: Simplify fixup_pi_state_owner() (bsc#1181349 bsc#1149032). - futex: Use pi_state_update_owner() in put_pi_state() (bsc#1181349 bsc#1149032). - i2c: octeon: check correct size of maximum RECV_LEN packet (git-fixes). - i40e: Fix removing driver while bare-metal VFs pass traffic (git-fixes). - i40e: avoid premature Rx buffer reuse (bsc#1111981). - igb: Report speed and duplex as unknown when device is runtime suspended (git-fixes). - igc: fix link speed advertising (jsc#SLE-4799). - iio: ad5504: Fix setting power-down state (git-fixes). - iommu/vt-d: Do not dereference iommu_device if IOMMU_API is not built (bsc#1181260, jsc#ECO-3191). - iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1181260, jsc#ECO-3191). - ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K (bsc#1109837). - ixgbe: avoid premature Rx buffer reuse (bsc#1109837 ). - kABI: Fix kABI for extended APIC-ID support (bsc#1181260, jsc#ECO-3191). - kernfs: deal with kernfs_fill_super() failures (bsc#1181809). 
- lockd: do not use interval-based rebinding over TCP (git-fixes). - locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#1149032). - md/raid10: initialize r10_bio->read_slot before use (git-fixes). - md: fix a warning caused by a race between concurrent md_ioctl()s (git-fixes). - media: gp8psk: initialize stats at power control logic (git-fixes). - misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() (git-fixes). - misdn: dsp: select CONFIG_BITREVERSE (git-fixes). - mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() (git-fixes). - mlxsw: destroy workqueue when trap_register in mlxsw_emad_init (bsc#1112374). - mlxsw: spectrum: Do not modify cloned SKBs during xmit (git-fixes). - mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails (bsc#1112374). - mlxsw: switchx2: Do not modify cloned SKBs during xmit (git-fixes). - mm, page_alloc: fix core hung in free_pcppages_bulk() (git fixes (mm/hotplug)). - mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() (git fixes (mm/pgalloc)). - mm/rmap: map_pte() was not handling private ZONE_DEVICE page properly (git fixes (mm/hmm)). - mm/slab: use memzero_explicit() in kzfree() (git fixes (mm/slab)). - mm: do not wake kswapd prematurely when watermark boosting is disabled (git fixes (mm/vmscan)). - mm: hwpoison: disable memory error handling on 1GB hugepage (git fixes (mm/hwpoison)). - mmc: sdhci-xenon: fix 1.8v regulator stabilization (git-fixes). - nbd: Fix memory leak in nbd_add_socket (bsc#1181504). - net/af_iucv: always register net_device notifier (git-fixes). - net/af_iucv: fix null pointer dereference on shutdown (bsc#1179563 LTC#190108). - net/af_iucv: set correct sk_protocol for child sockets (git-fixes). - net/filter: Permit reading NET in load_bytes_relative when MAC not set (bsc#1109837). - net/liquidio: Delete driver version assignment (git-fixes). 
- net/liquidio: Delete non-working LIQUIDIO_PACKAGE check (git-fixes). - net/mlx4_en: Avoid scheduling restart task if it is already running (git-fixes). - net/mlx5: Add handling of port type in rule deletion (bsc#1103991). - net/mlx5: Fix memory leak on flow table creation error flow (bsc#1046305). - net/mlx5e: Fix VLAN cleanup flow (git-fixes). - net/mlx5e: Fix VLAN create flow (git-fixes). - net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups (git-fixes). - net/mlx5e: Fix two double free cases (bsc#1046305). - net/mlx5e: IPoIB, Drop multicast packets that this interface sent (bsc#1075020). - net/mlx5e: TX, Fix consumer index of error cqe dump (bsc#1103990 ). - net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq (bsc#1103990). - net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels (bsc#1109837). - net/smc: cancel event worker during device removal (git-fixes). - net/smc: check for valid ib_client_data (git-fixes). - net/smc: fix sleep bug in smc_pnet_find_roce_resource() (git-fixes). - net/smc: receive pending data after RCV_SHUTDOWN (git-fixes). - net/smc: receive returns without data (git-fixes). - net/sonic: Add mutual exclusion for accessing shared state (git-fixes). - net: atlantic: fix potential error handling (git-fixes). - net: atlantic: fix use after free kasan warn (git-fixes). - net: bcmgenet: keep MAC in reset until PHY is up (git-fixes). - net: bcmgenet: reapply manual settings to the PHY (git-fixes). - net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe() (git-fixes). - net: cbs: Fix software cbs to consider packet sending time (bsc#1109837). - net: dsa: LAN9303: select REGMAP when LAN9303 enable (git-fixes). - net: dsa: b53: b53_arl_rw_op() needs to select IVL or SVL (git-fixes). - net: ena: set initial DMA width to avoid intel iommu issue (git-fixes). - net: ethernet: mlx4: Avoid assigning a value to ring_cons but not used it anymore in mlx4_en_xmit() (git-fixes). 
- net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse() (git-fixes). - net: freescale: fec: Fix ethtool -d runtime PM (git-fixes). - net: hns3: add a missing uninit debugfs when unload driver (bsc#1104353). - net: hns3: add compatible handling for command HCLGE_OPC_PF_RST_DONE (git-fixes). - net: hns3: add management table after IMP reset (bsc#1104353 ). - net: hns3: check reset interrupt status when reset fails (git-fixes). - net: hns3: clear reset interrupt status in hclge_irq_handle() (git-fixes). - net: hns3: fix a TX timeout issue (bsc#1104353). - net: hns3: fix a wrong reset interrupt status mask (git-fixes). - net: hns3: fix error VF index when setting VLAN offload (bsc#1104353). - net: hns3: fix error handling for desc filling (bsc#1104353 ). - net: hns3: fix for not calculating TX BD send size correctly (bsc#1126390). - net: hns3: fix interrupt clearing error for VF (bsc#1104353 ). - net: hns3: fix mis-counting IRQ vector numbers issue (bsc#1104353). - net: hns3: fix shaper parameter algorithm (bsc#1104353 ). - net: hns3: fix the number of queues actually used by ARQ (bsc#1104353). - net: hns3: fix use-after-free when doing self test (bsc#1104353 ). - net: hns3: reallocate SSU' buffer size when pfc_en changes (bsc#1104353). - net: mvpp2: Fix GoP port 3 Networking Complex Control configurations (bsc#1098633). - net: mvpp2: Fix error return code in mvpp2_open() (bsc#1119113 ). - net: mvpp2: fix pkt coalescing int-threshold configuration (bsc#1098633). - net: phy: Allow BCM54616S PHY to setup internal TX/RX clock delay (git-fixes). - net: phy: broadcom: Fix RGMII delays configuration for BCM54210E (git-fixes). - net: phy: micrel: Discern KSZ8051 and KSZ8795 PHYs (git-fixes). - net: phy: micrel: make sure the factory test bit is cleared (git-fixes). - net: qca_spi: Move reset_count to struct qcaspi (git-fixes). - net: smc911x: Adjust indentation in smc911x_phy_configure (git-fixes). - net: stmmac: 16KB buffer must be 16 byte aligned (git-fixes). 
- net: stmmac: Do not accept invalid MTU values (git-fixes).
- net: stmmac: Enable 16KB buffer size (git-fixes).
- net: stmmac: RX buffer size must be 16 byte aligned (git-fixes).
- net: stmmac: dwmac-meson8b: Fix signedness bug in probe (git-fixes).
- net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes (git-fixes).
- net: stmmac: fix length of PTP clock's name string (git-fixes).
- net: stmmac: gmac4+: Not all Unicast addresses may be available (git-fixes).
- net: sunrpc: interpret the return value of kstrtou32 correctly (git-fixes).
- net: team: fix memory leak in __team_options_register (git-fixes).
- net: tulip: Adjust indentation in {dmfe, uli526x}_init_module (git-fixes).
- net: usb: lan78xx: Fix error message format specifier (git-fixes).
- net: vlan: avoid leaks on register_vlan_dev() failures (git-fixes).
- net_failover: fixed rollback in net_failover_open() (bsc#1109837).
- net_sched: let qdisc_put() accept NULL pointer (bsc#1056657 bsc#1056653 bsc#1056787).
- nfp: validate the return code from dev_queue_xmit() (git-fixes).
- nfs_common: need lock during iterate through the list (git-fixes).
- nfsd4: readdirplus shouldn't return parent of export (git-fixes).
- nfsd: Fix message level for normal termination (git-fixes).
- pNFS: Mark layout for return if return-on-close was not sent (git-fixes).
- page_frag: Recover from memory pressure (git fixes (mm/pgalloc)).
- powerpc/perf: Add generic compat mode pmu driver (bsc#1178900 ltc#189284).
- powerpc/perf: Fix crashes with generic_compat_pmu & BHRB (bsc#1178900 ltc#189284 git-fixes).
- powerpc/perf: init pmu from core-book3s (bsc#1178900 ltc#189284).
- qed: Fix race condition between scheduling and destroying the slowpath workqueue (bsc#1086314 bsc#1086313 bsc#1086301).
- qed: Fix use after free in qed_chain_free (bsc#1050536 bsc#1050538).
- r8152: Add Lenovo Powered USB-C Travel Hub (git-fixes).
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock() (bsc#1181349 bsc#1149032).
- s390/cio: fix use-after-free in ccw_device_destroy_console (git-fixes).
- s390/dasd: fix list corruption of lcu list (bsc#1181170 LTC#190915).
- s390/dasd: fix list corruption of pavgroup group list (bsc#1181170 LTC#190915).
- s390/dasd: prevent inconsistent LCU device data (bsc#1181170 LTC#190915).
- s390/qeth: delay draining the TX buffers (git-fixes).
- s390/qeth: fix L2 header access in qeth_l3_osa_features_check() (git-fixes).
- s390/qeth: fix deadlock during recovery (git-fixes).
- s390/qeth: fix locking for discipline setup / removal (git-fixes).
- s390/smp: perform initial CPU reset also for SMT siblings (git-fixes).
- sched/fair: Fix enqueue_task_fair warning (bsc#1179093).
- sched/fair: Fix enqueue_task_fair() warning some more (bsc#1179093).
- sched/fair: Fix reordering of enqueue/dequeue_task_fair() (bsc#1179093).
- sched/fair: Fix unthrottle_cfs_rq() for leaf_cfs_rq list (bsc#1179093).
- sched/fair: Reorder enqueue/dequeue_task_fair path (bsc#1179093).
- scsi: core: Fix VPD LUN ID designator priorities (bsc#1178049, git-fixes).
- scsi: ibmvfc: Set default timeout to avoid crash during migration (bsc#1181425 ltc#188252).
- scsi: lpfc: Enhancements to LOG_TRACE_EVENT for better readability (bsc#1180891).
- scsi: lpfc: Fix FW reset action if I/Os are outstanding (bsc#1180891).
- scsi: lpfc: Fix NVMe recovery after mailbox timeout (bsc#1180891).
- scsi: lpfc: Fix PLOGI S_ID of 0 on pt2pt config (bsc#1180891).
- scsi: lpfc: Fix auto sli_mode and its effect on CONFIG_PORT for SLI3 (bsc#1180891).
- scsi: lpfc: Fix crash when a fabric node is released prematurely (bsc#1180891).
- scsi: lpfc: Fix error log messages being logged following SCSI task mgnt (bsc#1180891).
- scsi: lpfc: Fix target reset failing (bsc#1180891).
- scsi: lpfc: Fix vport create logging (bsc#1180891).
- scsi: lpfc: Implement health checking when aborting I/O (bsc#1180891).
- scsi: lpfc: Prevent duplicate requests to unregister with cpuhp framework (bsc#1180891).
- scsi: lpfc: Refresh ndlp when a new PRLI is received in the PRLI issue state (bsc#1180891).
- scsi: lpfc: Simplify bool comparison (bsc#1180891).
- scsi: lpfc: Update lpfc version to 12.8.0.7 (bsc#1180891).
- scsi: lpfc: Use the nvme-fc transport supplied timeout for LS requests (bsc#1180891).
- scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit (bsc#1179142).
- serial: mvebu-uart: fix tx lost characters at power off (git-fixes).
- spi: cadence: cache reference clock rate during probe (git-fixes).
- team: set dev->needed_headroom in team_setup_by_port() (git-fixes).
- tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS (bsc#1109837).
- usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data() (git-fixes).
- usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion (git-fixes).
- usb: gadget: configfs: Preserve function ordering after bind failure (git-fixes).
- usb: gadget: f_uac2: reset wMaxPacketSize (git-fixes).
- usb: gadget: select CONFIG_CRC32 (git-fixes).
- usb: udc: core: Use lock when write to soft_connect (git-fixes).
- veth: Adjust hard_start offset on redirect XDP frames (bsc#1109837).
- vfio iommu: Add dma available capability (bsc#1179573 LTC#190106).
- vfio-pci: Use io_remap_pfn_range() for PCI IO memory (bsc#1181231).
- vhost/vsock: fix vhost vsock cid hashing inconsistent (git-fixes).
- virtio_net: Keep vnet header zeroed if XDP is loaded for small buffer (git-fixes).
- wan: ds26522: select CONFIG_BITREVERSE (git-fixes).
- wil6210: select CONFIG_CRC32 (git-fixes).
- x86/apic: Fix x2apic enablement without interrupt remapping (bsc#1181260, jsc#ECO-3191).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181260, jsc#ECO-3191).
- x86/hyperv: Fix kexec panic/hang issues (bsc#1176831).
- x86/i8259: Use printk_deferred() to prevent deadlock (bsc#1112178).
- x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181260, jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181260, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181260, jsc#ECO-3191).
- x86/mm/numa: Remove uninitialized_var() usage (bsc#1112178).
- x86/mm: Fix leak of pmd ptlock (bsc#1112178).
- x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181260, jsc#ECO-3191).
- x86/mtrr: Correct the range check before performing MTRR type lookups (bsc#1112178).
- x86/resctrl: Do not move a task to the same resource group (bsc#1112178).
- x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR (bsc#1112178).
- xdp: Fix xsk_generic_xmit errno (bsc#1109837).
- xhci: make sure TRB is fully written before giving it to the controller (git-fixes).
- xhci: tegra: Delay for disabling LFPS detector (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:551-1
Released: Tue Feb 23 09:31:53 2021
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1180827,CVE-2021-26720

This update for avahi fixes the following issues:

- CVE-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827)
- Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d.
- Add sudo to requires: used to drop privileges.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:556-1
Released: Tue Feb 23 11:17:20 2021
Summary: Recommended update for open-lldp
Type: recommended
Severity: moderate
References: 1175570

This update for open-lldp fixes the following issue:

Update to version v1.0.1+65.f3b70663b55e

- Event interface: only set receive buffer size if too small (bsc#1175570)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:571-1
Released: Tue Feb 23 16:11:33 2021
Summary: Recommended update for cloud-init
Type: recommended
Severity: moderate
References: 1180176

This update for cloud-init contains the following fixes:

- Update cloud-init-write-routes.patch (bsc#1180176)
  + Follow up to previous changes. Fix order of operations error to make gateway comparison between subnet configuration and route configuration valuable rather than self-comparing.
- Add cloud-init-sle12-compat.patch (jsc#PM-2335)
  - Python 3.4 compatibility in setup.py
  - Disable some tests for mock version compatibility

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:580-1
Released: Wed Feb 24 11:16:42 2021
Summary: Optional update for python-cffi
Type: optional
Severity: low
References: 1182471

This update for python-cffi fixes the following issues:

- Restored compatibility with Python 2.7 update (bsc#1182471)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released: Fri Feb 26 19:53:43 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326

This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:654-1
Released: Fri Feb 26 20:01:10 2021
Summary: Security update for python-Jinja2
Type: security
Severity: important
References: 1181944,1182244,CVE-2020-28493

This update for python-Jinja2 fixes the following issues:

- CVE-2020-28493: Fixed a ReDoS vulnerability where urlize could have been called with untrusted user data (bsc#1181944).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:684-1
Released: Tue Mar 2 19:05:30 2021
Summary: Security update for grub2
Type: security
Severity: important
References: 1175970,1176711,1177883,1179264,1179265,1182057,1182262,1182263,CVE-2020-14372,CVE-2020-25632,CVE-2020-25647,CVE-2020-27749,CVE-2020-27779,CVE-2021-20225,CVE-2021-20233

This update for grub2 fixes the following issues:

grub2 now implements the new 'SBAT' method for SHIM-based secure boot revocation (bsc#1182057).

The following security issues, which could be used to violate secure boot constraints, are fixed:

- CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:689-1
Released: Tue Mar 2 19:08:40 2021
Summary: Security update for bind
Type: security
Severity: important
References: 1180933

This update for bind fixes the following issues:

- dnssec-keygen can no longer generate HMAC keys. Use tsig-keygen instead. [bsc#1180933]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:696-1
Released: Wed Mar 3 18:17:53 2021
Summary: Security update for python-cryptography
Type: security
Severity: important
References: 1182066,CVE-2020-36242

This update for python-cryptography fixes the following issues:

- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi-gigabyte values could result in an integer overflow and buffer overflow (bsc#1182066).
From sle-security-updates at lists.suse.com Wed Mar 10 11:41:20 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 10 Mar 2021 12:41:20 +0100 (CET)
Subject: SUSE-IU-2021:412-1: Security update of suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64
Message-ID: <20210310114120.71B89FD17@maintenance.suse.de>

SUSE Image Update Advisory: suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2021:412-1
Image Tags        : suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64:20210304
Image Release     :
Severity          : important
Type              : security
References        : 1046305 1046306 1046540 1046542 1046648 1050242 1050244 1050536 1050538 1050545 1056653 1056657 1056787 1064802 1066129 1073513 1074220 1075020 1086282 1086301 1086313 1086314 1098633 1103990 1103991 1103992 1104270 1104277 1104279 1104353 1104427 1104742 1104745 1109837 1111981 1112178 1112374 1113956 1119113 1126206 1126390 1127354 1127371 1129770 1136348 1149032 1170671 1174075 1174206 1175570 1175970 1176262 1176708 1176711 1176831 1176846 1177460 1177883 1178036 1178049 1178386 1178801 1178801 1178900 1178969 1179093 1179142 1179264 1179265 1179508 1179509 1179563 1179573 1179575 1179691 1179694 1179721 1179756 1179878 1180038 1180130 1180176 1180243 1180401 1180401 1180403 1180501 1180520 1180603 1180603 1180686 1180765 1180812 1180827 1180891 1180912 1180933 1181018 1181126 1181170 1181230 1181231 1181260 1181349 1181425 1181504 1181505 1181730 1181732 1181809 1181944 1182057 1182066 1182117 1182168 1182244 1182246 1182262 1182263 1182471 CVE-2019-20916 CVE-2019-25013 CVE-2019-8842 CVE-2020-10001 CVE-2020-14372 CVE-2020-15257 CVE-2020-25632 CVE-2020-25639 CVE-2020-25647 CVE-2020-27618 CVE-2020-27749 CVE-2020-27779 CVE-2020-27835 CVE-2020-28493 CVE-2020-29562 CVE-2020-29568 CVE-2020-29569 CVE-2020-29573 CVE-2020-36242 CVE-2020-8625 CVE-2021-0342 CVE-2021-20177 CVE-2021-20225 CVE-2021-20233 CVE-2021-21284 CVE-2021-21285 CVE-2021-26720 CVE-2021-3177 CVE-2021-3326 CVE-2021-3347 CVE-2021-3348
-----------------------------------------------------------------
The container suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:285-1
Released: Tue Feb 2 13:08:54 2021
Summary: Security update for cups
Type: security
Severity: moderate
References: 1170671,1180520,CVE-2019-8842,CVE-2020-10001

This update for cups fixes the following issues:

- CVE-2020-10001: Fixed an out-of-bounds read in the ippReadIO function (bsc#1180520).
- CVE-2019-8842: Fixed an out-of-bounds read in an extension field (bsc#1170671).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released: Wed Feb 3 12:52:34 2021
Summary: Recommended update for gmp
Type: recommended
Severity: moderate
References: 1180603

This update for gmp fixes the following issues:

- correct license statements of packages (the library itself is not GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:301-1
Released: Thu Feb 4 08:46:27 2021
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460

This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:304-1
Released: Thu Feb 4 13:19:43 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: important
References: 1179691

This update for lvm2 fixes the following issues:

- lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691). If this behavior is still wanted, please change this manually in the lvm.conf.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:307-1
Released: Fri Feb 5 05:30:34 2021
Summary: Recommended update for libselinux
Type: recommended
Severity: low
References: 1180603

This update for libselinux fixes the following issues:

- Corrected the license to public domain (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released: Mon Feb 8 13:16:07 2021
Summary: Optional update for pam
Type: optional
Severity: low
References:

This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it.

This patch is optional to be installed - it doesn't fix any bugs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:435-1
Released: Thu Feb 11 14:47:25 2021
Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork
Type: security
Severity: important
References: 1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732,CVE-2020-15257,CVE-2021-21284,CVE-2021-21285

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:

Security issues fixed:

- CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969).
- CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
- CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730)

Non-security issues fixed:

- Update Docker to 19.03.15-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).
- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE. It appears that SLES doesn't like the patch. (bsc#1180401)
- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and fixes CVE-2020-15257. bsc#1180243
- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce. bsc#1176708
- Update to Docker 19.03.14-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243 https://github.com/docker/docker-ce/releases/tag/v19.03.14
- Enable fish-completion
- Add a patch which makes Docker compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)
- Update to Docker 19.03.13-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Emergency fix: %requires_eq does not work with provide symbols, only effective package names. Convert back to regular Requires.
- Update to Docker 19.03.12-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
- Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of spurious errors due to Go returning -EINTR from I/O syscalls much more often (due to Go 1.14's pre-emptive goroutine support).
- Add BuildRequires for all -git dependencies so that we catch missing dependencies much more quickly.
- Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce. bsc#1180243
- Add patch which makes libnetwork compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:441-1
Released: Thu Feb 11 16:35:04 2021
Summary: Optional update for python3-jsonschema
Type: optional
Severity: low
References: 1180403

This update provides the python3 variant of the jsonschema module to the SUSE Linux Enterprise 15 SP2 Basesystem module.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:502-1
Released: Thu Feb 18 05:33:06 2021
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1180501

This update for openssh fixes the following issues:

- Fixed a crash which sometimes occurred on connection termination, caused by accessing freed memory (bsc#1180501)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:507-1
Released: Thu Feb 18 09:34:49 2021
Summary: Security update for bind
Type: security
Severity: important
References: 1182246,CVE-2020-8625

This update for bind fixes the following issues:

- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack [bsc#1182246]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:516-1
Released: Thu Feb 18 14:42:51 2021
Summary: Recommended update for docker, golang-github-docker-libnetwork
Type: recommended
Severity: moderate
References: 1178801,1180401,1182168

This update for docker, golang-github-docker-libnetwork fixes the following issues:

- A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released: Fri Feb 19 14:53:47 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177

This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in its correct form (bsc#1180686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:532-1
Released: Fri Feb 19 17:29:03 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1046305,1046306,1046540,1046542,1046648,1050242,1050244,1050536,1050538,1050545,1056653,1056657,1056787,1064802,1066129,1073513,1074220,1075020,1086282,1086301,1086313,1086314,1098633,1103990,1103991,1103992,1104270,1104277,1104279,1104353,1104427,1104742,1104745,1109837,1111981,1112178,1112374,1113956,1119113,1126206,1126390,1127354,1127371,1129770,1136348,1149032,1174206,1176831,1176846,1178036,1178049,1178900,1179093,1179142,1179508,1179509,1179563,1179573,1179575,1179878,1180130,1180765,1180812,1180891,1180912,1181018,1181170,1181230,1181231,1181260,1181349,1181425,1181504,1181809,CVE-2020-25639,CVE-2020-27835,CVE-2020-29568,CVE-2020-29569,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347,CVE-2021-3348

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
- CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).
- CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).
- CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required. (bnc#1180812)
- CVE-2020-27835: A use-after-free was found in the infiniband hfi1 driver, specifically in the way a user calls ioctl after opening the device file and forking. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).
- CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
- CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

The following non-security bugs were fixed:

- ACPI: scan: Harden acpi_device_add() against device ID overflows (git-fixes).
- ACPI: scan: Make acpi_bus_get_device() clear return pointer on error (git-fixes).
- ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI (git-fixes).
- ALSA: doc: Fix reference to mixart.rst (git-fixes).
- ALSA: fireface: Fix integer overflow in transmit_midi_msg() (git-fixes).
- ALSA: firewire-tascam: Fix integer overflow in midi_port_work() (git-fixes).
- ALSA: hda/via: Add minimum mute flag (git-fixes).
- ALSA: hda/via: Fix runtime PM for Clevo W35xSS (git-fixes).
- ALSA: pcm: Clear the full allocated memory at hw_params (git-fixes).
- ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info() (git-fixes).
- ASoC: Intel: haswell: Add missing pm_ops (git-fixes).
- ASoC: dapm: remove widget from dirty list on free (git-fixes).
- EDAC/amd64: Fix PCI component registration (bsc#1112178).
- IB/mlx5: Fix DEVX support for MLX5_CMD_OP_INIT2INIT_QP command (bsc#1103991).
- KVM: SVM: Initialize prev_ga_tag before use (bsc#1180912).
- KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages (bsc#1181230).
- NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock (git-fixes).
- NFS: nfs_igrab_and_active must first reference the superblock (git-fixes).
- NFS: switch nfsiod to be an UNBOUND workqueue (git-fixes).
- NFSv4.2: condition READDIR's mask for security label based on LSM state (git-fixes).
- RDMA/addr: Fix race with netevent_callback()/rdma_addr_cancel() (bsc#1103992).
- RDMA/bnxt_re: Do not add user qps to flushlist (bsc#1050244).
- RDMA/bnxt_re: Do not report transparent vlan from QP1 (bsc#1104742).
- RDMA/cma: Do not overwrite sgid_attr after device is released (bsc#1103992).
- RDMA/core: Ensure security pkey modify is not lost (bsc#1046306).
- RDMA/core: Fix pkey and port assignment in get_new_pps (bsc#1046306).
- RDMA/core: Fix protection fault in get_pkey_idx_qp_list (bsc#1046306).
- RDMA/core: Fix reported speed and width (bsc#1046306).
- RDMA/core: Fix return error value in _ib_modify_qp() to negative (bsc#1103992).
- RDMA/core: Fix use of logical OR in get_new_pps (bsc#1046306).
- RDMA/hns: Bugfix for memory window mtpt configuration (bsc#1104427).
- RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver (bsc#1104427).
- RDMA/hns: Fix cmdq parameter of querying pf timer resource (bsc#1104427 bsc#1126206).
- RDMA/hns: Fix missing sq_sig_type when querying QP (bsc#1104427).
- RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver (bsc#1104427).
- RDMA/iw_cxgb4: Fix incorrect function parameters (bsc#1136348 jsc#SLE-4684).
- RDMA/iw_cxgb4: initiate CLOSE when entering TERM (bsc#1136348 jsc#SLE-4684).
- RDMA/mlx5: Add init2init as a modify command (bsc#1103991).
- RDMA/mlx5: Fix typo in enum name (bsc#1103991).
- RDMA/mlx5: Fix wrong free of blue flame register on error (bsc#1103991).
- RDMA/qedr: Fix inline size returned for iWARP (bsc#1050545).
- SUNRPC: cache: ignore timestamp written to 'flush' file (bsc#1178036).
- USB: ehci: fix an interrupt calltrace error (git-fixes).
- USB: gadget: legacy: fix return error code in acm_ms_bind() (git-fixes).
- USB: serial: iuu_phoenix: fix DMA from stack (git-fixes).
- USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set (git-fixes).
- USB: yurex: fix control-URB timeout handling (git-fixes).
- __netif_receive_skb_core: pass skb by reference (bsc#1109837).
- arm64: pgtable: Ensure dirty bit is preserved across pte_wrprotect() (bsc#1180130).
- arm64: pgtable: Fix pte_accessible() (bsc#1180130).
- bnxt_en: Do not query FW when netif_running() is false (bsc#1086282).
- bnxt_en: Fix accumulation of bp->net_stats_prev (bsc#1104745).
- bnxt_en: Improve stats context resource accounting with RDMA driver loaded (bsc#1104745).
- bnxt_en: Release PCI regions when DMA mask setup fails during probe (git-fixes).
- bnxt_en: Reset rings if ring reservation fails during open() (bsc#1086282).
- bnxt_en: fix HWRM error when querying VF temperature (bsc#1104745).
- bnxt_en: fix error return code in bnxt_init_board() (git-fixes).
- bnxt_en: fix error return code in bnxt_init_one() (bsc#1050242).
- bnxt_en: read EEPROM A2h address using page 0 (git-fixes).
- bnxt_en: return proper error codes in bnxt_show_temp (bsc#1104745).
- bonding: set dev->needed_headroom in bond_setup_by_slave() (git-fixes).
- btrfs: add a flag to iterate_inodes_from_logical to find all extent refs for uncompressed extents (bsc#1174206).
- btrfs: add a flags argument to LOGICAL_INO and call it LOGICAL_INO_V2 (bsc#1174206).
- btrfs: increase output size for LOGICAL_INO_V2 ioctl (bsc#1174206).
- btrfs: qgroup: do not try to wait flushing if we're already holding a transaction (bsc#1179575).
- caif: no need to check return value of debugfs_create functions (git-fixes).
- can: c_can: c_can_power_up(): fix error handling (git-fixes).
- can: dev: prevent potential information leak in can_fill_info() (git-fixes).
- can: vxcan: vxcan_xmit: fix use after free bug (git-fixes).
- chelsio/chtls: correct function return and return type (bsc#1104270).
- chelsio/chtls: correct netdevice for vlan interface (bsc#1104270).
- chelsio/chtls: fix a double free in chtls_setkey() (bsc#1104270).
- chelsio/chtls: fix always leaking ctrl_skb (bsc#1104270).
- chelsio/chtls: fix deadlock issue (bsc#1104270).
- chelsio/chtls: fix memory leaks caused by a race (bsc#1104270).
- chelsio/chtls: fix memory leaks in CPL handlers (bsc#1104270).
- chelsio/chtls: fix panic during unload reload chtls (bsc#1104270).
- chelsio/chtls: fix socket lock (bsc#1104270).
- chelsio/chtls: fix tls record info to user (bsc#1104270).
- chtls: Added a check to avoid NULL pointer dereference (bsc#1104270).
- chtls: Fix chtls resources release sequence (bsc#1104270).
- chtls: Fix hardware tid leak (bsc#1104270).
- chtls: Remove invalid set_tcb call (bsc#1104270).
- chtls: Replace skb_dequeue with skb_peek (bsc#1104270).
- cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled (bsc#1109837).
- cxgb3: fix error return code in t3_sge_alloc_qset() (git-fixes).
- cxgb4/cxgb4vf: fix flow control display for auto negotiation (bsc#1046540 bsc#1046542).
- cxgb4: fix SGE queue dump destination buffer context (bsc#1073513).
- cxgb4: fix adapter crash due to wrong MC size (bsc#1073513).
- cxgb4: fix all-mask IP address comparison (bsc#1064802 bsc#1066129).
- cxgb4: fix large delays in PTP synchronization (bsc#1046540 bsc#1046648).
- cxgb4: fix the panic caused by non smac rewrite (bsc#1064802 bsc#1066129).
- cxgb4: fix thermal zone device registration (bsc#1104279 bsc#1104277).
- cxgb4: fix throughput drop during Tx backpressure (bsc#1127354 bsc#1127371).
- cxgb4: move DCB version extern to header file (bsc#1104279).
- cxgb4: remove cast when saving IPv4 partial checksum (bsc#1074220).
- cxgb4: set up filter action after rewrites (bsc#1064802 bsc#1066129).
- cxgb4: use correct type for all-mask IP address comparison (bsc#1064802 bsc#1066129).
- cxgb4: use unaligned conversion for fetching timestamp (bsc#1046540 bsc#1046648).
- dm: avoid filesystem lookup in dm_get_dev_t() (bsc#1178049).
- dmaengine: xilinx_dma: check dma_async_device_register return value (git-fixes).
- dmaengine: xilinx_dma: fix mixed_enum_type coverity warning (git-fixes).
- docs: Fix reST markup when linking to sections (git-fixes).
- drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' (git-fixes).
- drm/amd/powerplay: fix a crash when overclocking Vega M (bsc#1113956)
- drm/amdkfd: Put ACPI table after using it (bsc#1129770)
  Backporting changes:
  * context changes
- drm/atomic: put state on error path (git-fixes).
- drm/i915: Check for all subplatform bits (git-fixes).
- drm/i915: Clear the repeater bit on HDCP disable (bsc#1112178)
- drm/i915: Fix sha_text population code (bsc#1112178)
- drm/msm: Avoid div-by-zero in dpu_crtc_atomic_check() (bsc#1129770)
- drm/msm: Fix WARN_ON() splat in _free_object() (bsc#1129770)
- drm/msm: Fix use-after-free in msm_gem with carveout (bsc#1129770)
- drm/nouveau/bios: fix issue shadowing expansion ROMs (git-fixes).
- drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields (git-fixes).
- drm/nouveau/privring: ack interrupts the same way as RM (git-fixes).
- drm/tve200: Fix handling of platform_get_irq() error (bsc#1129770)
- drm/vgem: Replace opencoded version of drm_gem_dumb_map_offset() (bsc#1112178)
- drm: sun4i: hdmi: Fix inverted HPD result (bsc#1112178)
- drm: sun4i: hdmi: Remove extra HPD polling (bsc#1112178)
- ehci: fix EHCI host controller initialization sequence (git-fixes).
- ethernet: ucc_geth: fix use-after-free in ucc_geth_remove() (git-fixes).
- floppy: reintroduce O_NDELAY fix (boo#1181018).
- futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#1149032).
- futex: Ensure the correct return value from futex_lock_pi() (bsc#1181349 bsc#1149032).
- futex: Fix incorrect should_fail_futex() handling (bsc#1181349).
- futex: Handle faults correctly for PI futexes (bsc#1181349 bsc#1149032).
- futex: Provide and use pi_state_update_owner() (bsc#1181349 bsc#1149032).
- futex: Replace pointless printk in fixup_owner() (bsc#1181349 bsc#1149032).
- futex: Simplify fixup_pi_state_owner() (bsc#1181349 bsc#1149032).
- futex: Use pi_state_update_owner() in put_pi_state() (bsc#1181349 bsc#1149032).
- i2c: octeon: check correct size of maximum RECV_LEN packet (git-fixes).
- i40e: Fix removing driver while bare-metal VFs pass traffic (git-fixes).
- i40e: avoid premature Rx buffer reuse (bsc#1111981).
- igb: Report speed and duplex as unknown when device is runtime suspended (git-fixes).
- igc: fix link speed advertising (jsc#SLE-4799).
- iio: ad5504: Fix setting power-down state (git-fixes).
- iommu/vt-d: Do not dereference iommu_device if IOMMU_API is not built (bsc#1181260, jsc#ECO-3191).
- iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1181260, jsc#ECO-3191).
- ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K (bsc#1109837).
- ixgbe: avoid premature Rx buffer reuse (bsc#1109837).
- kABI: Fix kABI for extended APIC-ID support (bsc#1181260, jsc#ECO-3191).
- kernfs: deal with kernfs_fill_super() failures (bsc#1181809).
- lockd: do not use interval-based rebinding over TCP (git-fixes).
- locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#1149032).
- md/raid10: initialize r10_bio->read_slot before use (git-fixes).
- md: fix a warning caused by a race between concurrent md_ioctl()s (git-fixes).
- media: gp8psk: initialize stats at power control logic (git-fixes).
- misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() (git-fixes).
- misdn: dsp: select CONFIG_BITREVERSE (git-fixes).
- mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() (git-fixes).
- mlxsw: destroy workqueue when trap_register in mlxsw_emad_init (bsc#1112374).
- mlxsw: spectrum: Do not modify cloned SKBs during xmit (git-fixes).
- mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails (bsc#1112374).
- mlxsw: switchx2: Do not modify cloned SKBs during xmit (git-fixes).
- mm, page_alloc: fix core hung in free_pcppages_bulk() (git fixes (mm/hotplug)).
- mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() (git fixes (mm/pgalloc)).
- mm/rmap: map_pte() was not handling private ZONE_DEVICE page properly (git fixes (mm/hmm)).
- mm/slab: use memzero_explicit() in kzfree() (git fixes (mm/slab)).
- mm: do not wake kswapd prematurely when watermark boosting is disabled (git fixes (mm/vmscan)).
- mm: hwpoison: disable memory error handling on 1GB hugepage (git fixes (mm/hwpoison)).
- mmc: sdhci-xenon: fix 1.8v regulator stabilization (git-fixes).
- nbd: Fix memory leak in nbd_add_socket (bsc#1181504).
- net/af_iucv: always register net_device notifier (git-fixes).
- net/af_iucv: fix null pointer dereference on shutdown (bsc#1179563 LTC#190108).
- net/af_iucv: set correct sk_protocol for child sockets (git-fixes).
- net/filter: Permit reading NET in load_bytes_relative when MAC not set (bsc#1109837).
- net/liquidio: Delete driver version assignment (git-fixes).
- net/liquidio: Delete non-working LIQUIDIO_PACKAGE check (git-fixes).
- net/mlx4_en: Avoid scheduling restart task if it is already running (git-fixes).
- net/mlx5: Add handling of port type in rule deletion (bsc#1103991).
- net/mlx5: Fix memory leak on flow table creation error flow (bsc#1046305).
- net/mlx5e: Fix VLAN cleanup flow (git-fixes).
- net/mlx5e: Fix VLAN create flow (git-fixes).
- net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups (git-fixes).
- net/mlx5e: Fix two double free cases (bsc#1046305).
- net/mlx5e: IPoIB, Drop multicast packets that this interface sent (bsc#1075020).
- net/mlx5e: TX, Fix consumer index of error cqe dump (bsc#1103990).
- net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq (bsc#1103990).
- net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels (bsc#1109837).
- net/smc: cancel event worker during device removal (git-fixes).
- net/smc: check for valid ib_client_data (git-fixes).
- net/smc: fix sleep bug in smc_pnet_find_roce_resource() (git-fixes).
- net/smc: receive pending data after RCV_SHUTDOWN (git-fixes).
- net/smc: receive returns without data (git-fixes).
- net/sonic: Add mutual exclusion for accessing shared state (git-fixes).
- net: atlantic: fix potential error handling (git-fixes).
- net: atlantic: fix use after free kasan warn (git-fixes).
- net: bcmgenet: keep MAC in reset until PHY is up (git-fixes).
- net: bcmgenet: reapply manual settings to the PHY (git-fixes).
- net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe() (git-fixes).
- net: cbs: Fix software cbs to consider packet sending time (bsc#1109837).
- net: dsa: LAN9303: select REGMAP when LAN9303 enable (git-fixes).
- net: dsa: b53: b53_arl_rw_op() needs to select IVL or SVL (git-fixes).
- net: ena: set initial DMA width to avoid intel iommu issue (git-fixes).
- net: ethernet: mlx4: Avoid assigning a value to ring_cons but not used it anymore in mlx4_en_xmit() (git-fixes).
- net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse() (git-fixes).
- net: freescale: fec: Fix ethtool -d runtime PM (git-fixes).
- net: hns3: add a missing uninit debugfs when unload driver (bsc#1104353).
- net: hns3: add compatible handling for command HCLGE_OPC_PF_RST_DONE (git-fixes).
- net: hns3: add management table after IMP reset (bsc#1104353).
- net: hns3: check reset interrupt status when reset fails (git-fixes).
- net: hns3: clear reset interrupt status in hclge_irq_handle() (git-fixes).
- net: hns3: fix a TX timeout issue (bsc#1104353).
- net: hns3: fix a wrong reset interrupt status mask (git-fixes).
- net: hns3: fix error VF index when setting VLAN offload (bsc#1104353).
- net: hns3: fix error handling for desc filling (bsc#1104353).
- net: hns3: fix for not calculating TX BD send size correctly (bsc#1126390).
- net: hns3: fix interrupt clearing error for VF (bsc#1104353).
- net: hns3: fix mis-counting IRQ vector numbers issue (bsc#1104353).
- net: hns3: fix shaper parameter algorithm (bsc#1104353).
- net: hns3: fix the number of queues actually used by ARQ (bsc#1104353).
- net: hns3: fix use-after-free when doing self test (bsc#1104353).
- net: hns3: reallocate SSU' buffer size when pfc_en changes (bsc#1104353).
- net: mvpp2: Fix GoP port 3 Networking Complex Control configurations (bsc#1098633).
- net: mvpp2: Fix error return code in mvpp2_open() (bsc#1119113).
- net: mvpp2: fix pkt coalescing int-threshold configuration (bsc#1098633).
- net: phy: Allow BCM54616S PHY to setup internal TX/RX clock delay (git-fixes).
- net: phy: broadcom: Fix RGMII delays configuration for BCM54210E (git-fixes).
- net: phy: micrel: Discern KSZ8051 and KSZ8795 PHYs (git-fixes).
- net: phy: micrel: make sure the factory test bit is cleared (git-fixes).
- net: qca_spi: Move reset_count to struct qcaspi (git-fixes).
- net: smc911x: Adjust indentation in smc911x_phy_configure (git-fixes).
- net: stmmac: 16KB buffer must be 16 byte aligned (git-fixes).
- net: stmmac: Do not accept invalid MTU values (git-fixes).
- net: stmmac: Enable 16KB buffer size (git-fixes).
- net: stmmac: RX buffer size must be 16 byte aligned (git-fixes).
- net: stmmac: dwmac-meson8b: Fix signedness bug in probe (git-fixes).
- net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes (git-fixes).
- net: stmmac: fix length of PTP clock's name string (git-fixes).
- net: stmmac: gmac4+: Not all Unicast addresses may be available (git-fixes).
- net: sunrpc: interpret the return value of kstrtou32 correctly (git-fixes).
- net: team: fix memory leak in __team_options_register (git-fixes).
- net: tulip: Adjust indentation in {dmfe, uli526x}_init_module (git-fixes).
- net: usb: lan78xx: Fix error message format specifier (git-fixes).
- net: vlan: avoid leaks on register_vlan_dev() failures (git-fixes).
- net_failover: fixed rollback in net_failover_open() (bsc#1109837).
- net_sched: let qdisc_put() accept NULL pointer (bsc#1056657 bsc#1056653 bsc#1056787).
- nfp: validate the return code from dev_queue_xmit() (git-fixes).
- nfs_common: need lock during iterate through the list (git-fixes).
- nfsd4: readdirplus shouldn't return parent of export (git-fixes).
- nfsd: Fix message level for normal termination (git-fixes).
- pNFS: Mark layout for return if return-on-close was not sent (git-fixes).
- page_frag: Recover from memory pressure (git fixes (mm/pgalloc)).
- powerpc/perf: Add generic compat mode pmu driver (bsc#1178900 ltc#189284).
- powerpc/perf: Fix crashes with generic_compat_pmu & BHRB (bsc#1178900 ltc#189284 git-fixes).
- powerpc/perf: init pmu from core-book3s (bsc#1178900 ltc#189284).
- qed: Fix race condition between scheduling and destroying the slowpath workqueue (bsc#1086314 bsc#1086313 bsc#1086301).
- qed: Fix use after free in qed_chain_free (bsc#1050536 bsc#1050538).
- r8152: Add Lenovo Powered USB-C Travel Hub (git-fixes).
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock() (bsc#1181349 bsc#1149032).
- s390/cio: fix use-after-free in ccw_device_destroy_console (git-fixes).
- s390/dasd: fix list corruption of lcu list (bsc#1181170 LTC#190915).
- s390/dasd: fix list corruption of pavgroup group list (bsc#1181170 LTC#190915).
- s390/dasd: prevent inconsistent LCU device data (bsc#1181170 LTC#190915).
- s390/qeth: delay draining the TX buffers (git-fixes).
- s390/qeth: fix L2 header access in qeth_l3_osa_features_check() (git-fixes).
- s390/qeth: fix deadlock during recovery (git-fixes).
- s390/qeth: fix locking for discipline setup / removal (git-fixes).
- s390/smp: perform initial CPU reset also for SMT siblings (git-fixes).
- sched/fair: Fix enqueue_task_fair warning (bsc#1179093).
- sched/fair: Fix enqueue_task_fair() warning some more (bsc#1179093).
- sched/fair: Fix reordering of enqueue/dequeue_task_fair() (bsc#1179093).
- sched/fair: Fix unthrottle_cfs_rq() for leaf_cfs_rq list (bsc#1179093).
- sched/fair: Reorder enqueue/dequeue_task_fair path (bsc#1179093).
- scsi: core: Fix VPD LUN ID designator priorities (bsc#1178049, git-fixes).
- scsi: ibmvfc: Set default timeout to avoid crash during migration (bsc#1181425 ltc#188252).
- scsi: lpfc: Enhancements to LOG_TRACE_EVENT for better readability (bsc#1180891).
- scsi: lpfc: Fix FW reset action if I/Os are outstanding (bsc#1180891).
- scsi: lpfc: Fix NVMe recovery after mailbox timeout (bsc#1180891).
- scsi: lpfc: Fix PLOGI S_ID of 0 on pt2pt config (bsc#1180891).
- scsi: lpfc: Fix auto sli_mode and its effect on CONFIG_PORT for SLI3 (bsc#1180891).
- scsi: lpfc: Fix crash when a fabric node is released prematurely (bsc#1180891).
- scsi: lpfc: Fix error log messages being logged following SCSI task mgnt (bsc#1180891).
- scsi: lpfc: Fix target reset failing (bsc#1180891).
- scsi: lpfc: Fix vport create logging (bsc#1180891).
- scsi: lpfc: Implement health checking when aborting I/O (bsc#1180891).
- scsi: lpfc: Prevent duplicate requests to unregister with cpuhp framework (bsc#1180891).
- scsi: lpfc: Refresh ndlp when a new PRLI is received in the PRLI issue state (bsc#1180891).
- scsi: lpfc: Simplify bool comparison (bsc#1180891).
- scsi: lpfc: Update lpfc version to 12.8.0.7 (bsc#1180891).
- scsi: lpfc: Use the nvme-fc transport supplied timeout for LS requests (bsc#1180891).
- scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit (bsc#1179142).
- serial: mvebu-uart: fix tx lost characters at power off (git-fixes).
- spi: cadence: cache reference clock rate during probe (git-fixes).
- team: set dev->needed_headroom in team_setup_by_port() (git-fixes).
- tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS (bsc#1109837).
- usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data() (git-fixes).
- usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion (git-fixes).
- usb: gadget: configfs: Preserve function ordering after bind failure (git-fixes).
- usb: gadget: f_uac2: reset wMaxPacketSize (git-fixes).
- usb: gadget: select CONFIG_CRC32 (git-fixes).
- usb: udc: core: Use lock when write to soft_connect (git-fixes).
- veth: Adjust hard_start offset on redirect XDP frames (bsc#1109837).
- vfio iommu: Add dma available capability (bsc#1179573 LTC#190106).
- vfio-pci: Use io_remap_pfn_range() for PCI IO memory (bsc#1181231).
- vhost/vsock: fix vhost vsock cid hashing inconsistent (git-fixes).
- virtio_net: Keep vnet header zeroed if XDP is loaded for small buffer (git-fixes).
- wan: ds26522: select CONFIG_BITREVERSE (git-fixes).
- wil6210: select CONFIG_CRC32 (git-fixes).
- x86/apic: Fix x2apic enablement without interrupt remapping (bsc#1181260, jsc#ECO-3191).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181260, jsc#ECO-3191).
- x86/hyperv: Fix kexec panic/hang issues (bsc#1176831).
- x86/i8259: Use printk_deferred() to prevent deadlock (bsc#1112178).
- x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181260, jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181260, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181260, jsc#ECO-3191).
- x86/mm/numa: Remove uninitialized_var() usage (bsc#1112178).
- x86/mm: Fix leak of pmd ptlock (bsc#1112178).
- x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181260, jsc#ECO-3191).
- x86/mtrr: Correct the range check before performing MTRR type lookups (bsc#1112178).
- x86/resctrl: Do not move a task to the same resource group (bsc#1112178).
- x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR (bsc#1112178).
- xdp: Fix xsk_generic_xmit errno (bsc#1109837).
- xhci: make sure TRB is fully written before giving it to the controller (git-fixes).
- xhci: tegra: Delay for disabling LFPS detector (git-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:551-1
Released: Tue Feb 23 09:31:53 2021
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1180827,CVE-2021-26720
This update for avahi fixes the following issues:
- CVE-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827)
- Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d.
- Add sudo to requires: used to drop privileges.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:556-1
Released: Tue Feb 23 11:17:20 2021
Summary: Recommended update for open-lldp
Type: recommended
Severity: moderate
References: 1175570
This update for open-lldp fixes the following issue:
Update to version v1.0.1+65.f3b70663b55e
- Event interface: only set receive buffer size if too small (bsc#1175570)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:571-1
Released: Tue Feb 23 16:11:33 2021
Summary: Recommended update for cloud-init
Type: recommended
Severity: moderate
References: 1180176
This update for cloud-init contains the following fixes:
- Update cloud-init-write-routes.patch (bsc#1180176)
  + Follow up to previous changes. Fix order of operations error to make gateway comparison between subnet configuration and route configuration valuable rather than self-comparing.
- Add cloud-init-sle12-compat.patch (jsc#PM-2335)
  - Python 3.4 compatibility in setup.py
  - Disable some tests for mock version compatibility
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:580-1
Released: Wed Feb 24 11:16:42 2021
Summary: Optional update for python-cffi
Type: optional
Severity: low
References: 1182471
This update for python-cffi fixes the following issues:
- Restored compatibility with Python 2.7 update (bsc#1182471)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released: Fri Feb 26 19:53:43 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:
- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:654-1
Released: Fri Feb 26 20:01:10 2021
Summary: Security update for python-Jinja2
Type: security
Severity: important
References: 1181944,1182244,CVE-2020-28493
This update for python-Jinja2 fixes the following issues:
- CVE-2020-28493: Fixed a ReDoS vulnerability where urlize could have been called with untrusted user data (bsc#1181944).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:684-1
Released: Tue Mar 2 19:05:30 2021
Summary: Security update for grub2
Type: security
Severity: important
References: 1175970,1176711,1177883,1179264,1179265,1182057,1182262,1182263,CVE-2020-14372,CVE-2020-25632,CVE-2020-25647,CVE-2020-27749,CVE-2020-27779,CVE-2021-20225,CVE-2021-20233
This update for grub2 fixes the following issues:
grub2 now implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)
The following security issues, which could be used to violate secure boot constraints, are fixed:
- CVE-2020-25632: Fixed a use-after-free in the rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bounds write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow the cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in the short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bounds write due to mis-calculation of the space required for quoting (bsc#1182263)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:689-1
Released: Tue Mar 2 19:08:40 2021
Summary: Security update for bind
Type: security
Severity: important
References: 1180933
This update for bind fixes the following issues:
- dnssec-keygen can no longer generate HMAC keys. Use tsig-keygen instead.
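The SBAT mechanism the grub2 advisory above refers to works on a CSV section (`.sbat`) embedded in each signed EFI binary: one line per component, `component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url`, which shim compares against a revocation policy of `component_name,minimum_generation` lines. The check below is an added example, not grub2 or shim code, that applies that comparison with POSIX sh and awk. The sample `.sbat` contents and the policy are constructed for illustration (the `grub.example` vendor line and the generation numbers are invented and say nothing about the actual SUSE packages).

```shell
#!/bin/sh
# Added example: apply an SBAT revocation policy to the .sbat CSV of an EFI
# binary. Not grub2/shim code; all data below is constructed for illustration.

# Constructed .sbat section of a grub image, in the form
# "objcopy -O binary --only-section=.sbat grub.efi sbat.csv" would extract it.
SAMPLE_SBAT='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
grub.example,1,Example Vendor,grub2,2.04-1,https://example.invalid/'

# Constructed revocation policy in the layout shim keeps in its SbatLevel
# variable: a header line, then component_name,minimum_generation entries.
SAMPLE_POLICY='sbat,1,2021030218
grub,2'

# sbat_check SBAT_CSV POLICY_CSV
# Prints one line per revoked component and returns 1 if any entry of the
# binary has a generation below the policy minimum for that component name,
# 0 otherwise. Components the policy does not mention are unrestricted.
sbat_check() {
    {
        printf '%s\n' "$2"            # policy first ...
        printf '%s\n' '--- binary ---' # ... then a sentinel ...
        printf '%s\n' "$1"            # ... then the binary's .sbat lines
    } | awk -F, '
        $0 == "--- binary ---" { in_binary = 1; next }
        !in_binary {
            # Policy section: line 1 is the header, the rest set minimums.
            if (NR > 1 && NF >= 2) min[$1] = $2 + 0
            next
        }
        $1 == "sbat" { next }          # header line of the binary section
        NF >= 2 && ($1 in min) && ($2 + 0) < min[$1] {
            printf "revoked: %s generation %d < required %d\n", $1, $2, min[$1]
            revoked = 1
        }
        END { exit revoked ? 1 : 0 }
    '
}

# Stand-alone run against the constructed data: grub generation 1 is below
# the required generation 2, so the image is reported as revoked.
if sbat_check "$SAMPLE_SBAT" "$SAMPLE_POLICY"; then
    echo "image accepted by policy"
else
    echo "image rejected by policy"
fi
```

To run the same check against an installed loader, extract its section with `objcopy -O binary --only-section=.sbat /path/to/grub.efi sbat.csv` (the path is an assumption; use whatever your firmware boots) and pass the file's contents as the first argument; the policy a given shim enforces is the contents of its SbatLevel UEFI variable.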
[bsc#1180933]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:696-1
Released: Wed Mar 3 18:17:53 2021
Summary: Security update for python-cryptography
Type: security
Severity: important
References: 1182066,CVE-2020-36242
This update for python-cryptography fixes the following issues:
- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi-gigabyte values could result in an integer overflow and buffer overflow (bsc#1182066).

From sle-security-updates at lists.suse.com Wed Mar 10 11:43:17 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 10 Mar 2021 12:43:17 +0100 (CET)
Subject: SUSE-IU-2021:413-1: Security update of sles-15-sp1-chost-byos-v20210304
Message-ID: <20210310114317.AE2FCFD17@maintenance.suse.de>

SUSE Image Update Advisory: sles-15-sp1-chost-byos-v20210304
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2021:413-1
Image Tags : sles-15-sp1-chost-byos-v20210304:20210304
Image Release :
Severity : important
Type : security
References : 1046305 1046306 1046540 1046542 1046648 1050242 1050244 1050536 1050538 1050545 1056653 1056657 1056787 1064802 1066129 1073513 1074220 1075020 1086282 1086301 1086313 1086314 1098633 1103990 1103991 1103992 1104270 1104277 1104279 1104353 1104427 1104742 1104745 1109837 1111981 1112178 1112374 1113956 1119113 1126206 1126390 1127354 1127371 1129770 1136348 1149032 1170671 1174075 1174206 1175570 1175970 1176262 1176708 1176711 1176831 1176846 1177460 1177883 1178036 1178049 1178386 1178801 1178801 1178900 1178969 1179093 1179142 1179264 1179265 1179508 1179509 1179563 1179573 1179575 1179691 1179694 1179721 1179756 1179878 1180038 1180130 1180243 1180401 1180401 1180501 1180520 1180603 1180603 1180686 1180765 1180812 1180827 1180891 1180912 1180933 1181018 1181126 1181170 1181230 1181231 1181260 1181349 1181425 1181504 1181505 1181730 1181732 1181809 1182057 1182117
1182168 1182246 1182262 1182263 CVE-2019-20916 CVE-2019-25013 CVE-2019-8842 CVE-2020-10001 CVE-2020-14372 CVE-2020-15257 CVE-2020-25632 CVE-2020-25639 CVE-2020-25647 CVE-2020-27618 CVE-2020-27749 CVE-2020-27779 CVE-2020-27835 CVE-2020-29562 CVE-2020-29568 CVE-2020-29569 CVE-2020-29573 CVE-2020-8625 CVE-2021-0342 CVE-2021-20177 CVE-2021-20225 CVE-2021-20233 CVE-2021-21284 CVE-2021-21285 CVE-2021-26720 CVE-2021-3177 CVE-2021-3326 CVE-2021-3347 CVE-2021-3348
-----------------------------------------------------------------
The container sles-15-sp1-chost-byos-v20210304 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:285-1
Released: Tue Feb 2 13:08:54 2021
Summary: Security update for cups
Type: security
Severity: moderate
References: 1170671,1180520,CVE-2019-8842,CVE-2020-10001
This update for cups fixes the following issues:
- CVE-2020-10001: Fixed an out-of-bounds read in the ippReadIO function (bsc#1180520).
- CVE-2019-8842: Fixed an out-of-bounds read in an extension field (bsc#1170671).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released: Wed Feb 3 12:52:34 2021
Summary: Recommended update for gmp
Type: recommended
Severity: moderate
References: 1180603
This update for gmp fixes the following issues:
- correct license statements of packages (the library itself is not GPL-3.0) (bsc#1180603)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:301-1
Released: Thu Feb 4 08:46:27 2021
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460
This update for timezone fixes the following issues:
- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:304-1
Released: Thu Feb 4 13:19:43 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: important
References: 1179691
This update for lvm2 fixes the following issues:
- lvm2 will no longer use external_device_info_source='udev' as the default because it introduced a regression (bsc#1179691). If this behavior is still wanted, set it manually in lvm.conf.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:307-1
Released: Fri Feb 5 05:30:34 2021
Summary: Recommended update for libselinux
Type: recommended
Severity: low
References: 1180603
This update for libselinux fixes the following issues:
- Corrected the license to public domain (bsc#1180603)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released: Mon Feb 8 13:16:07 2021
Summary: Optional update for pam
Type: optional
Severity: low
References:
This update for pam fixes the following issues:
- Added rpm macros for this package, so that other packages can make use of it
This patch is optional to be installed - it doesn't fix any bugs.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:435-1
Released: Thu Feb 11 14:47:25 2021
Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork
Type: security
Severity: important
References: 1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732,CVE-2020-15257,CVE-2021-21284,CVE-2021-21285
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Security issues fixed:
- CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969).
- CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
- CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730)
Non-security issues fixed:
- Update Docker to 19.03.15-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).
- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE. It appears that SLES doesn't like the patch. (bsc#1180401)
- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and fixes CVE-2020-15257. bsc#1180243
- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce. bsc#1176708
- Update to Docker 19.03.14-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243 https://github.com/docker/docker-ce/releases/tag/v19.03.14
- Enable fish-completion
- Add a patch which makes Docker compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)
- Update to Docker 19.03.13-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Emergency fix: %requires_eq does not work with provide symbols, only effective package names. Convert back to regular Requires.
- Update to Docker 19.03.12-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
- Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of spurious errors due to Go returning -EINTR from I/O syscalls much more often (due to Go 1.14's pre-emptive goroutine support).
- Add BuildRequires for all -git dependencies so that we catch missing dependencies much more quickly.
- Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce. bsc#1180243
- Add patch which makes libnetwork compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:502-1
Released: Thu Feb 18 05:33:06 2021
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1180501
This update for openssh fixes the following issues:
- Fixed a crash which sometimes occurred on connection termination, caused by accessing freed memory (bsc#1180501)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:507-1
Released: Thu Feb 18 09:34:49 2021
Summary: Security update for bind
Type: security
Severity: important
References: 1182246,CVE-2020-8625
This update for bind fixes the following issues:
- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack [bsc#1182246]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:516-1
Released: Thu Feb 18 14:42:51 2021
Summary: Recommended update for docker, golang-github-docker-libnetwork
Type: recommended
Severity: moderate
References: 1178801,1180401,1182168
This update for docker, golang-github-docker-libnetwork fixes the following issues:
- A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released: Fri Feb 19 14:53:47 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177
This update for python3 fixes the following issues:
- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution
(bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:532-1
Released: Fri Feb 19 17:29:03 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1046305,1046306,1046540,1046542,1046648,1050242,1050244,1050536,1050538,1050545,1056653,1056657,1056787,1064802,1066129,1073513,1074220,1075020,1086282,1086301,1086313,1086314,1098633,1103990,1103991,1103992,1104270,1104277,1104279,1104353,1104427,1104742,1104745,1109837,1111981,1112178,1112374,1113956,1119113,1126206,1126390,1127354,1127371,1129770,1136348,1149032,1174206,1176831,1176846,1178036,1178049,1178900,1179093,1179142,1179508,1179509,1179563,1179573,1179575,1179878,1180130,1180765,1180812,1180891,1180912,1181018,1181170,1181230,1181231,1181260,1181349,1181425,1181504,1181809,CVE-2020-25639,CVE-2020-27835,CVE-2020-29568,CVE-2020-29569,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347,CVE-2021-3348
The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
- CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).
- CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).
- CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required.
(bnc#1180812)
- CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way a user calls ioctl after opening the device file and forking. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).
- CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
- CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).
The following non-security bugs were fixed:
- ACPI: scan: Harden acpi_device_add() against device ID overflows (git-fixes).
- ACPI: scan: Make acpi_bus_get_device() clear return pointer on error (git-fixes).
- ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI (git-fixes).
- ALSA: doc: Fix reference to mixart.rst (git-fixes).
- ALSA: fireface: Fix integer overflow in transmit_midi_msg() (git-fixes).
- ALSA: firewire-tascam: Fix integer overflow in midi_port_work() (git-fixes).
- ALSA: hda/via: Add minimum mute flag (git-fixes).
- ALSA: hda/via: Fix runtime PM for Clevo W35xSS (git-fixes).
- ALSA: pcm: Clear the full allocated memory at hw_params (git-fixes).
- ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info() (git-fixes).
- ASoC: Intel: haswell: Add missing pm_ops (git-fixes).
- ASoC: dapm: remove widget from dirty list on free (git-fixes).
- EDAC/amd64: Fix PCI component registration (bsc#1112178).
- IB/mlx5: Fix DEVX support for MLX5_CMD_OP_INIT2INIT_QP command (bsc#1103991).
- KVM: SVM: Initialize prev_ga_tag before use (bsc#1180912).
- KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages (bsc#1181230).
- NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock (git-fixes).
- NFS: nfs_igrab_and_active must first reference the superblock (git-fixes).
- NFS: switch nfsiod to be an UNBOUND workqueue (git-fixes).
- NFSv4.2: condition READDIR's mask for security label based on LSM state (git-fixes).
- RDMA/addr: Fix race with netevent_callback()/rdma_addr_cancel() (bsc#1103992).
- RDMA/bnxt_re: Do not add user qps to flushlist (bsc#1050244).
- RDMA/bnxt_re: Do not report transparent vlan from QP1 (bsc#1104742).
- RDMA/cma: Do not overwrite sgid_attr after device is released (bsc#1103992).
- RDMA/core: Ensure security pkey modify is not lost (bsc#1046306).
- RDMA/core: Fix pkey and port assignment in get_new_pps (bsc#1046306).
- RDMA/core: Fix protection fault in get_pkey_idx_qp_list (bsc#1046306).
- RDMA/core: Fix reported speed and width (bsc#1046306).
- RDMA/core: Fix return error value in _ib_modify_qp() to negative (bsc#1103992).
- RDMA/core: Fix use of logical OR in get_new_pps (bsc#1046306).
- RDMA/hns: Bugfix for memory window mtpt configuration (bsc#1104427).
- RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver (bsc#1104427).
- RDMA/hns: Fix cmdq parameter of querying pf timer resource (bsc#1104427 bsc#1126206).
- RDMA/hns: Fix missing sq_sig_type when querying QP (bsc#1104427).
- RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver (bsc#1104427).
- RDMA/iw_cxgb4: Fix incorrect function parameters (bsc#1136348 jsc#SLE-4684).
- RDMA/iw_cxgb4: initiate CLOSE when entering TERM (bsc#1136348 jsc#SLE-4684).
- RDMA/mlx5: Add init2init as a modify command (bsc#1103991).
- RDMA/mlx5: Fix typo in enum name (bsc#1103991).
- RDMA/mlx5: Fix wrong free of blue flame register on error (bsc#1103991).
- RDMA/qedr: Fix inline size returned for iWARP (bsc#1050545).
- SUNRPC: cache: ignore timestamp written to 'flush' file (bsc#1178036).
- USB: ehci: fix an interrupt calltrace error (git-fixes).
- USB: gadget: legacy: fix return error code in acm_ms_bind() (git-fixes).
- USB: serial: iuu_phoenix: fix DMA from stack (git-fixes).
- USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set (git-fixes).
- USB: yurex: fix control-URB timeout handling (git-fixes).
- __netif_receive_skb_core: pass skb by reference (bsc#1109837).
- arm64: pgtable: Ensure dirty bit is preserved across pte_wrprotect() (bsc#1180130).
- arm64: pgtable: Fix pte_accessible() (bsc#1180130).
- bnxt_en: Do not query FW when netif_running() is false (bsc#1086282).
- bnxt_en: Fix accumulation of bp->net_stats_prev (bsc#1104745).
- bnxt_en: Improve stats context resource accounting with RDMA driver loaded (bsc#1104745).
- bnxt_en: Release PCI regions when DMA mask setup fails during probe (git-fixes).
- bnxt_en: Reset rings if ring reservation fails during open() (bsc#1086282).
- bnxt_en: fix HWRM error when querying VF temperature (bsc#1104745).
- bnxt_en: fix error return code in bnxt_init_board() (git-fixes).
- bnxt_en: fix error return code in bnxt_init_one() (bsc#1050242).
- bnxt_en: read EEPROM A2h address using page 0 (git-fixes).
- bnxt_en: return proper error codes in bnxt_show_temp (bsc#1104745).
- bonding: set dev->needed_headroom in bond_setup_by_slave() (git-fixes).
- btrfs: add a flag to iterate_inodes_from_logical to find all extent refs for uncompressed extents (bsc#1174206).
- btrfs: add a flags argument to LOGICAL_INO and call it LOGICAL_INO_V2 (bsc#1174206).
- btrfs: increase output size for LOGICAL_INO_V2 ioctl (bsc#1174206).
- btrfs: qgroup: do not try to wait flushing if we're already holding a transaction (bsc#1179575).
- caif: no need to check return value of debugfs_create functions (git-fixes).
- can: c_can: c_can_power_up(): fix error handling (git-fixes).
- can: dev: prevent potential information leak in can_fill_info() (git-fixes).
- can: vxcan: vxcan_xmit: fix use after free bug (git-fixes).
- chelsio/chtls: correct function return and return type (bsc#1104270).
- chelsio/chtls: correct netdevice for vlan interface (bsc#1104270).
- chelsio/chtls: fix a double free in chtls_setkey() (bsc#1104270).
- chelsio/chtls: fix always leaking ctrl_skb (bsc#1104270).
- chelsio/chtls: fix deadlock issue (bsc#1104270).
- chelsio/chtls: fix memory leaks caused by a race (bsc#1104270).
- chelsio/chtls: fix memory leaks in CPL handlers (bsc#1104270).
- chelsio/chtls: fix panic during unload reload chtls (bsc#1104270).
- chelsio/chtls: fix socket lock (bsc#1104270).
- chelsio/chtls: fix tls record info to user (bsc#1104270).
- chtls: Added a check to avoid NULL pointer dereference (bsc#1104270).
- chtls: Fix chtls resources release sequence (bsc#1104270).
- chtls: Fix hardware tid leak (bsc#1104270).
- chtls: Remove invalid set_tcb call (bsc#1104270).
- chtls: Replace skb_dequeue with skb_peek (bsc#1104270).
- cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled (bsc#1109837).
- cxgb3: fix error return code in t3_sge_alloc_qset() (git-fixes).
- cxgb4/cxgb4vf: fix flow control display for auto negotiation (bsc#1046540 bsc#1046542).
- cxgb4: fix SGE queue dump destination buffer context (bsc#1073513).
- cxgb4: fix adapter crash due to wrong MC size (bsc#1073513).
- cxgb4: fix all-mask IP address comparison (bsc#1064802 bsc#1066129).
- cxgb4: fix large delays in PTP synchronization (bsc#1046540 bsc#1046648).
- cxgb4: fix the panic caused by non smac rewrite (bsc#1064802 bsc#1066129).
- cxgb4: fix thermal zone device registration (bsc#1104279 bsc#1104277).
- cxgb4: fix throughput drop during Tx backpressure (bsc#1127354 bsc#1127371).
- cxgb4: move DCB version extern to header file (bsc#1104279).
- cxgb4: remove cast when saving IPv4 partial checksum (bsc#1074220).
- cxgb4: set up filter action after rewrites (bsc#1064802 bsc#1066129).
- cxgb4: use correct type for all-mask IP address comparison (bsc#1064802 bsc#1066129).
- cxgb4: use unaligned conversion for fetching timestamp (bsc#1046540 bsc#1046648).
- dm: avoid filesystem lookup in dm_get_dev_t() (bsc#1178049).
- dmaengine: xilinx_dma: check dma_async_device_register return value (git-fixes).
- dmaengine: xilinx_dma: fix mixed_enum_type coverity warning (git-fixes).
- docs: Fix reST markup when linking to sections (git-fixes).
- drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' (git-fixes).
- drm/amd/powerplay: fix a crash when overclocking Vega M (bsc#1113956)
- drm/amdkfd: Put ACPI table after using it (bsc#1129770)
  Backporting changes:
  * context changes
- drm/atomic: put state on error path (git-fixes).
- drm/i915: Check for all subplatform bits (git-fixes).
- drm/i915: Clear the repeater bit on HDCP disable (bsc#1112178)
- drm/i915: Fix sha_text population code (bsc#1112178)
- drm/msm: Avoid div-by-zero in dpu_crtc_atomic_check() (bsc#1129770)
- drm/msm: Fix WARN_ON() splat in _free_object() (bsc#1129770)
- drm/msm: Fix use-after-free in msm_gem with carveout (bsc#1129770)
- drm/nouveau/bios: fix issue shadowing expansion ROMs (git-fixes).
- drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields (git-fixes).
- drm/nouveau/privring: ack interrupts the same way as RM (git-fixes).
- drm/tve200: Fix handling of platform_get_irq() error (bsc#1129770)
- drm/vgem: Replace opencoded version of drm_gem_dumb_map_offset() (bsc#1112178)
- drm: sun4i: hdmi: Fix inverted HPD result (bsc#1112178)
- drm: sun4i: hdmi: Remove extra HPD polling (bsc#1112178)
- ehci: fix EHCI host controller initialization sequence (git-fixes).
- ethernet: ucc_geth: fix use-after-free in ucc_geth_remove() (git-fixes).
- floppy: reintroduce O_NDELAY fix (boo#1181018).
- futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#1149032).
- futex: Ensure the correct return value from futex_lock_pi() (bsc#1181349 bsc#1149032).
- futex: Fix incorrect should_fail_futex() handling (bsc#1181349).
- futex: Handle faults correctly for PI futexes (bsc#1181349 bsc#1149032).
- futex: Provide and use pi_state_update_owner() (bsc#1181349 bsc#1149032).
- futex: Replace pointless printk in fixup_owner() (bsc#1181349 bsc#1149032).
- futex: Simplify fixup_pi_state_owner() (bsc#1181349 bsc#1149032).
- futex: Use pi_state_update_owner() in put_pi_state() (bsc#1181349 bsc#1149032).
- i2c: octeon: check correct size of maximum RECV_LEN packet (git-fixes).
- i40e: Fix removing driver while bare-metal VFs pass traffic (git-fixes).
- i40e: avoid premature Rx buffer reuse (bsc#1111981).
- igb: Report speed and duplex as unknown when device is runtime suspended (git-fixes).
- igc: fix link speed advertising (jsc#SLE-4799).
- iio: ad5504: Fix setting power-down state (git-fixes).
- iommu/vt-d: Do not dereference iommu_device if IOMMU_API is not built (bsc#1181260, jsc#ECO-3191).
- iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1181260, jsc#ECO-3191).
- ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K (bsc#1109837).
- ixgbe: avoid premature Rx buffer reuse (bsc#1109837).
- kABI: Fix kABI for extended APIC-ID support (bsc#1181260, jsc#ECO-3191).
- kernfs: deal with kernfs_fill_super() failures (bsc#1181809).
- lockd: do not use interval-based rebinding over TCP (git-fixes).
- locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#1149032).
- md/raid10: initialize r10_bio->read_slot before use (git-fixes).
- md: fix a warning caused by a race between concurrent md_ioctl()s (git-fixes).
- media: gp8psk: initialize stats at power control logic (git-fixes).
- misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() (git-fixes).
- misdn: dsp: select CONFIG_BITREVERSE (git-fixes).
- mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() (git-fixes).
- mlxsw: destroy workqueue when trap_register in mlxsw_emad_init (bsc#1112374).
- mlxsw: spectrum: Do not modify cloned SKBs during xmit (git-fixes).
- mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails (bsc#1112374).
- mlxsw: switchx2: Do not modify cloned SKBs during xmit (git-fixes).
- mm, page_alloc: fix core hung in free_pcppages_bulk() (git fixes (mm/hotplug)).
- mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() (git fixes (mm/pgalloc)).
- mm/rmap: map_pte() was not handling private ZONE_DEVICE page properly (git fixes (mm/hmm)).
- mm/slab: use memzero_explicit() in kzfree() (git fixes (mm/slab)).
- mm: do not wake kswapd prematurely when watermark boosting is disabled (git fixes (mm/vmscan)).
- mm: hwpoison: disable memory error handling on 1GB hugepage (git fixes (mm/hwpoison)).
- mmc: sdhci-xenon: fix 1.8v regulator stabilization (git-fixes).
- nbd: Fix memory leak in nbd_add_socket (bsc#1181504).
- net/af_iucv: always register net_device notifier (git-fixes).
- net/af_iucv: fix null pointer dereference on shutdown (bsc#1179563 LTC#190108).
- net/af_iucv: set correct sk_protocol for child sockets (git-fixes).
- net/filter: Permit reading NET in load_bytes_relative when MAC not set (bsc#1109837).
- net/liquidio: Delete driver version assignment (git-fixes).
- net/liquidio: Delete non-working LIQUIDIO_PACKAGE check (git-fixes).
- net/mlx4_en: Avoid scheduling restart task if it is already running (git-fixes).
- net/mlx5: Add handling of port type in rule deletion (bsc#1103991).
- net/mlx5: Fix memory leak on flow table creation error flow (bsc#1046305).
- net/mlx5e: Fix VLAN cleanup flow (git-fixes).
- net/mlx5e: Fix VLAN create flow (git-fixes).
- net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups (git-fixes).
- net/mlx5e: Fix two double free cases (bsc#1046305).
- net/mlx5e: IPoIB, Drop multicast packets that this interface sent (bsc#1075020).
- net/mlx5e: TX, Fix consumer index of error cqe dump (bsc#1103990).
- net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq (bsc#1103990).
- net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels (bsc#1109837).
- net/smc: cancel event worker during device removal (git-fixes).
- net/smc: check for valid ib_client_data (git-fixes).
- net/smc: fix sleep bug in smc_pnet_find_roce_resource() (git-fixes).
- net/smc: receive pending data after RCV_SHUTDOWN (git-fixes).
- net/smc: receive returns without data (git-fixes).
- net/sonic: Add mutual exclusion for accessing shared state (git-fixes).
- net: atlantic: fix potential error handling (git-fixes).
- net: atlantic: fix use after free kasan warn (git-fixes).
- net: bcmgenet: keep MAC in reset until PHY is up (git-fixes).
- net: bcmgenet: reapply manual settings to the PHY (git-fixes).
- net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe() (git-fixes).
- net: cbs: Fix software cbs to consider packet sending time (bsc#1109837).
- net: dsa: LAN9303: select REGMAP when LAN9303 enable (git-fixes).
- net: dsa: b53: b53_arl_rw_op() needs to select IVL or SVL (git-fixes).
- net: ena: set initial DMA width to avoid intel iommu issue (git-fixes).
- net: ethernet: mlx4: Avoid assigning a value to ring_cons but not used it anymore in mlx4_en_xmit() (git-fixes).
- net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse() (git-fixes).
- net: freescale: fec: Fix ethtool -d runtime PM (git-fixes).
- net: hns3: add a missing uninit debugfs when unload driver (bsc#1104353).
- net: hns3: add compatible handling for command HCLGE_OPC_PF_RST_DONE (git-fixes).
- net: hns3: add management table after IMP reset (bsc#1104353).
- net: hns3: check reset interrupt status when reset fails (git-fixes).
- net: hns3: clear reset interrupt status in hclge_irq_handle() (git-fixes).
- net: hns3: fix a TX timeout issue (bsc#1104353).
- net: hns3: fix a wrong reset interrupt status mask (git-fixes).
- net: hns3: fix error VF index when setting VLAN offload (bsc#1104353).
- net: hns3: fix error handling for desc filling (bsc#1104353).
- net: hns3: fix for not calculating TX BD send size correctly (bsc#1126390).
- net: hns3: fix interrupt clearing error for VF (bsc#1104353).
- net: hns3: fix mis-counting IRQ vector numbers issue (bsc#1104353).
- net: hns3: fix shaper parameter algorithm (bsc#1104353).
- net: hns3: fix the number of queues actually used by ARQ (bsc#1104353).
- net: hns3: fix use-after-free when doing self test (bsc#1104353).
- net: hns3: reallocate SSU' buffer size when pfc_en changes (bsc#1104353).
- net: mvpp2: Fix GoP port 3 Networking Complex Control configurations (bsc#1098633).
- net: mvpp2: Fix error return code in mvpp2_open() (bsc#1119113).
- net: mvpp2: fix pkt coalescing int-threshold configuration (bsc#1098633).
- net: phy: Allow BCM54616S PHY to setup internal TX/RX clock delay (git-fixes).
- net: phy: broadcom: Fix RGMII delays configuration for BCM54210E (git-fixes).
- net: phy: micrel: Discern KSZ8051 and KSZ8795 PHYs (git-fixes).
- net: phy: micrel: make sure the factory test bit is cleared (git-fixes).
- net: qca_spi: Move reset_count to struct qcaspi (git-fixes).
- net: smc911x: Adjust indentation in smc911x_phy_configure (git-fixes).
- net: stmmac: 16KB buffer must be 16 byte aligned (git-fixes).
- net: stmmac: Do not accept invalid MTU values (git-fixes).
- net: stmmac: Enable 16KB buffer size (git-fixes).
- net: stmmac: RX buffer size must be 16 byte aligned (git-fixes).
- net: stmmac: dwmac-meson8b: Fix signedness bug in probe (git-fixes).
- net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes (git-fixes).
- net: stmmac: fix length of PTP clock's name string (git-fixes).
- net: stmmac: gmac4+: Not all Unicast addresses may be available (git-fixes).
- net: sunrpc: interpret the return value of kstrtou32 correctly (git-fixes).
- net: team: fix memory leak in __team_options_register (git-fixes).
- net: tulip: Adjust indentation in {dmfe, uli526x}_init_module (git-fixes).
- net: usb: lan78xx: Fix error message format specifier (git-fixes).
- net: vlan: avoid leaks on register_vlan_dev() failures (git-fixes).
- net_failover: fixed rollback in net_failover_open() (bsc#1109837).
- net_sched: let qdisc_put() accept NULL pointer (bsc#1056657 bsc#1056653 bsc#1056787).
- nfp: validate the return code from dev_queue_xmit() (git-fixes).
- nfs_common: need lock during iterate through the list (git-fixes).
- nfsd4: readdirplus shouldn't return parent of export (git-fixes).
- nfsd: Fix message level for normal termination (git-fixes).
- pNFS: Mark layout for return if return-on-close was not sent (git-fixes).
- page_frag: Recover from memory pressure (git fixes (mm/pgalloc)).
- powerpc/perf: Add generic compat mode pmu driver (bsc#1178900 ltc#189284).
- powerpc/perf: Fix crashes with generic_compat_pmu & BHRB (bsc#1178900 ltc#189284 git-fixes).
- powerpc/perf: init pmu from core-book3s (bsc#1178900 ltc#189284).
- qed: Fix race condition between scheduling and destroying the slowpath workqueue (bsc#1086314 bsc#1086313 bsc#1086301).
- qed: Fix use after free in qed_chain_free (bsc#1050536 bsc#1050538).
- r8152: Add Lenovo Powered USB-C Travel Hub (git-fixes).
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock() (bsc#1181349 bsc#1149032).
- s390/cio: fix use-after-free in ccw_device_destroy_console (git-fixes).
- s390/dasd: fix list corruption of lcu list (bsc#1181170 LTC#190915).
- s390/dasd: fix list corruption of pavgroup group list (bsc#1181170 LTC#190915).
- s390/dasd: prevent inconsistent LCU device data (bsc#1181170 LTC#190915).
- s390/qeth: delay draining the TX buffers (git-fixes).
- s390/qeth: fix L2 header access in qeth_l3_osa_features_check() (git-fixes).
- s390/qeth: fix deadlock during recovery (git-fixes).
- s390/qeth: fix locking for discipline setup / removal (git-fixes).
- s390/smp: perform initial CPU reset also for SMT siblings (git-fixes).
- sched/fair: Fix enqueue_task_fair warning (bsc#1179093).
- sched/fair: Fix enqueue_task_fair() warning some more (bsc#1179093).
- sched/fair: Fix reordering of enqueue/dequeue_task_fair() (bsc#1179093).
- sched/fair: Fix unthrottle_cfs_rq() for leaf_cfs_rq list (bsc#1179093).
- sched/fair: Reorder enqueue/dequeue_task_fair path (bsc#1179093).
- scsi: core: Fix VPD LUN ID designator priorities (bsc#1178049, git-fixes).
- scsi: ibmvfc: Set default timeout to avoid crash during migration (bsc#1181425 ltc#188252).
- scsi: lpfc: Enhancements to LOG_TRACE_EVENT for better readability (bsc#1180891).
- scsi: lpfc: Fix FW reset action if I/Os are outstanding (bsc#1180891).
- scsi: lpfc: Fix NVMe recovery after mailbox timeout (bsc#1180891).
- scsi: lpfc: Fix PLOGI S_ID of 0 on pt2pt config (bsc#1180891).
- scsi: lpfc: Fix auto sli_mode and its effect on CONFIG_PORT for SLI3 (bsc#1180891).
- scsi: lpfc: Fix crash when a fabric node is released prematurely (bsc#1180891).
- scsi: lpfc: Fix error log messages being logged following SCSI task mgnt (bsc#1180891).
- scsi: lpfc: Fix target reset failing (bsc#1180891).
- scsi: lpfc: Fix vport create logging (bsc#1180891).
- scsi: lpfc: Implement health checking when aborting I/O (bsc#1180891).
- scsi: lpfc: Prevent duplicate requests to unregister with cpuhp framework (bsc#1180891).
- scsi: lpfc: Refresh ndlp when a new PRLI is received in the PRLI issue state (bsc#1180891).
- scsi: lpfc: Simplify bool comparison (bsc#1180891).
- scsi: lpfc: Update lpfc version to 12.8.0.7 (bsc#1180891).
- scsi: lpfc: Use the nvme-fc transport supplied timeout for LS requests (bsc#1180891).
- scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit (bsc#1179142).
- serial: mvebu-uart: fix tx lost characters at power off (git-fixes).
- spi: cadence: cache reference clock rate during probe (git-fixes).
- team: set dev->needed_headroom in team_setup_by_port() (git-fixes).
- tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS (bsc#1109837).
- usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data() (git-fixes).
- usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion (git-fixes).
- usb: gadget: configfs: Preserve function ordering after bind failure (git-fixes).
- usb: gadget: f_uac2: reset wMaxPacketSize (git-fixes).
- usb: gadget: select CONFIG_CRC32 (git-fixes).
- usb: udc: core: Use lock when write to soft_connect (git-fixes).
- veth: Adjust hard_start offset on redirect XDP frames (bsc#1109837).
- vfio iommu: Add dma available capability (bsc#1179573 LTC#190106).
- vfio-pci: Use io_remap_pfn_range() for PCI IO memory (bsc#1181231).
- vhost/vsock: fix vhost vsock cid hashing inconsistent (git-fixes).
- virtio_net: Keep vnet header zeroed if XDP is loaded for small buffer (git-fixes).
- wan: ds26522: select CONFIG_BITREVERSE (git-fixes).
- wil6210: select CONFIG_CRC32 (git-fixes).
- x86/apic: Fix x2apic enablement without interrupt remapping (bsc#1181260, jsc#ECO-3191).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181260, jsc#ECO-3191).
- x86/hyperv: Fix kexec panic/hang issues (bsc#1176831).
- x86/i8259: Use printk_deferred() to prevent deadlock (bsc#1112178).
- x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181260, jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181260, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181260, jsc#ECO-3191).
- x86/mm/numa: Remove uninitialized_var() usage (bsc#1112178).
- x86/mm: Fix leak of pmd ptlock (bsc#1112178).
- x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181260, jsc#ECO-3191).
- x86/mtrr: Correct the range check before performing MTRR type lookups (bsc#1112178).
- x86/resctrl: Do not move a task to the same resource group (bsc#1112178).
- x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR (bsc#1112178).
- xdp: Fix xsk_generic_xmit errno (bsc#1109837).
- xhci: make sure TRB is fully written before giving it to the controller (git-fixes).
- xhci: tegra: Delay for disabling LFPS detector (git-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:551-1
Released: Tue Feb 23 09:31:53 2021
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1180827,CVE-2021-26720

This update for avahi fixes the following issues:

- CVE-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827)
- Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d.
- Add sudo to requires: used to drop privileges.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:556-1
Released: Tue Feb 23 11:17:20 2021
Summary: Recommended update for open-lldp
Type: recommended
Severity: moderate
References: 1175570

This update for open-lldp fixes the following issue:

Update to version v1.0.1+65.f3b70663b55e

- Event interface: only set receive buffer size if too small (bsc#1175570)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released: Fri Feb 26 19:53:43 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326

This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:684-1
Released: Tue Mar 2 19:05:30 2021
Summary: Security update for grub2
Type: security
Severity: important
References: 1175970,1176711,1177883,1179264,1179265,1182057,1182262,1182263,CVE-2020-14372,CVE-2020-25632,CVE-2020-25647,CVE-2020-27749,CVE-2020-27779,CVE-2021-20225,CVE-2021-20233

This update for grub2 fixes the following issues:

grub2 now implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)

The following security issues, which could be used to violate secure boot constraints, are fixed:

- CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:689-1
Released: Tue Mar 2 19:08:40 2021
Summary: Security update for bind
Type: security
Severity: important
References: 1180933

This update for bind fixes the following issues:

- dnssec-keygen can no longer generate HMAC keys. Use tsig-keygen instead. [bsc#1180933]

From sle-security-updates at lists.suse.com Wed Mar 10 11:44:56 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 10 Mar 2021 12:44:56 +0100 (CET)
Subject: SUSE-IU-2021:414-1: Security update of sles-15-sp2-chost-byos-v20210304
Message-ID: <20210310114456.3D411FD17@maintenance.suse.de>

SUSE Image Update Advisory: sles-15-sp2-chost-byos-v20210304
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2021:414-1
Image Tags : sles-15-sp2-chost-byos-v20210304:20210304
Image Release :
Severity : important
Type : security
References : 1170671 1177460 1179691 1180520 1180603 1181319 CVE-2019-8842 CVE-2020-10001
-----------------------------------------------------------------
The container sles-15-sp2-chost-byos-v20210304 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:278-1
Released: Tue Feb 2 09:43:08 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1181319

This update for lvm2 fixes the following issues:

- Backport 'lvmlockd' to adopt orphan locks feature. (bsc#1181319)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:285-1
Released: Tue Feb 2 13:08:54 2021
Summary: Security update for cups
Type: security
Severity: moderate
References: 1170671,1180520,CVE-2019-8842,CVE-2020-10001

This update for cups fixes the following issues:

- CVE-2020-10001: Fixed an out-of-bounds read in the ippReadIO function (bsc#1180520).
- CVE-2019-8842: Fixed an out-of-bounds read in an extension field (bsc#1170671).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released: Wed Feb 3 12:52:34 2021
Summary: Recommended update for gmp
Type: recommended
Severity: moderate
References: 1180603

This update for gmp fixes the following issues:

- correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:301-1
Released: Thu Feb 4 08:46:27 2021
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460

This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:302-1
Released: Thu Feb 4 13:18:35 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: important
References: 1179691

This update for lvm2 fixes the following issues:

- lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691). If this behavior is still wanted, please change this manually in the lvm.conf

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released: Mon Feb 8 13:16:07 2021
Summary: Optional update for pam
Type: optional
Severity: low
References:

This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

Installing this patch is optional; it does not fix any bugs.
From sle-security-updates at lists.suse.com Wed Mar 10 11:46:55 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 10 Mar 2021 12:46:55 +0100 (CET)
Subject: SUSE-IU-2021:415-1: Security update of suse-sles-15-sp2-chost-byos-v20210304-gen2
Message-ID: <20210310114655.04DEAFD17@maintenance.suse.de>

SUSE Image Update Advisory: suse-sles-15-sp2-chost-byos-v20210304-gen2
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2021:415-1
Image Tags : suse-sles-15-sp2-chost-byos-v20210304-gen2:20210304
Image Release :
Severity : important
Type : security
References : 1065600 1149032 1152472 1152489 1153274 1154353 1155518 1163930 1165545 1167773 1170671 1172355 1174075 1175389 1175970 1176171 1176262 1176395 1176708 1176711 1176831 1176846 1177127 1177460 1177883 1178049 1178142 1178386 1178565 1178631 1178801 1178801 1178969 1179142 1179264 1179265 1179396 1179508 1179509 1179567 1179572 1179575 1179691 1179694 1179717 1179719 1179721 1179756 1179878 1180008 1180038 1180130 1180176 1180243 1180264 1180336 1180401 1180401 1180403 1180412 1180501 1180520 1180523 1180603 1180686 1180719 1180759 1180765 1180773 1180809 1180812 1180827 1180848 1180859 1180889 1180891 1180933 1180971 1181014 1181018 1181077 1181104 1181126 1181148 1181158 1181161 1181169 1181203 1181217 1181218 1181219 1181220 1181237 1181313 1181318 1181319 1181335 1181346 1181349 1181425 1181494 1181504 1181505 1181511 1181538 1181553 1181584 1181600 1181601 1181639 1181645 1181730 1181732 1181933 1181944 1182057 1182066 1182117 1182137 1182168 1182244 1182246 1182262 1182263 CVE-2019-20916 CVE-2019-25013 CVE-2019-8842 CVE-2020-10001 CVE-2020-11947 CVE-2020-14372 CVE-2020-15257 CVE-2020-25211 CVE-2020-25632 CVE-2020-25639 CVE-2020-25647 CVE-2020-27618 CVE-2020-27749 CVE-2020-27779 CVE-2020-27835 CVE-2020-28493 CVE-2020-29562 CVE-2020-29568 CVE-2020-29569 CVE-2020-29573 CVE-2020-36242 CVE-2020-8625 CVE-2021-0342 CVE-2021-20177 CVE-2021-20181 CVE-2021-20203 CVE-2021-20221 CVE-2021-20225 CVE-2021-20233 CVE-2021-21284 CVE-2021-21285 CVE-2021-26720 CVE-2021-3177 CVE-2021-3326 CVE-2021-3347 CVE-2021-3348
-----------------------------------------------------------------
The container suse-sles-15-sp2-chost-byos-v20210304-gen2 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:278-1
Released: Tue Feb 2 09:43:08 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1181319

This update for lvm2 fixes the following issues:

- Backport 'lvmlockd' to adopt orphan locks feature. (bsc#1181319)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:285-1
Released: Tue Feb 2 13:08:54 2021
Summary: Security update for cups
Type: security
Severity: moderate
References: 1170671,1180520,CVE-2019-8842,CVE-2020-10001

This update for cups fixes the following issues:

- CVE-2020-10001: Fixed an out-of-bounds read in the ippReadIO function (bsc#1180520).
- CVE-2019-8842: Fixed an out-of-bounds read in an extension field (bsc#1170671).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:292-1
Released: Wed Feb 3 11:46:32 2021
Summary: Recommended update for python-azure-agent
Type: recommended
Severity: moderate
References: 1180719,1181600,1181601

This update for python-azure-agent contains the following fixes:

- Added sysvinit-tools as dependency (bsc#1181600, bsc#1181601)
- Recognise SLE_HPC as SLES and use the proper RDMA handler and distro specific initialization code (bsc#1180719)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released: Wed Feb 3 12:52:34 2021
Summary: Recommended update for gmp
Type: recommended
Severity: moderate
References: 1180603

This update for gmp fixes the following issues:

- correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:301-1
Released: Thu Feb 4 08:46:27 2021
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460

This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:302-1
Released: Thu Feb 4 13:18:35 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: important
References: 1179691

This update for lvm2 fixes the following issues:

- lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691). If this behavior is still wanted, please change this manually in the lvm.conf

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released: Mon Feb 8 13:16:07 2021
Summary: Optional update for pam
Type: optional
Severity: low
References:

This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

Installing this patch is optional; it does not fix any bugs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:354-1
Released: Tue Feb 9 16:38:54 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1065600,1149032,1152472,1152489,1153274,1154353,1155518,1163930,1165545,1167773,1172355,1175389,1176395,1176831,1176846,1178142,1178631,1179142,1179396,1179508,1179509,1179567,1179572,1179575,1179878,1180008,1180130,1180264,1180412,1180759,1180765,1180773,1180809,1180812,1180848,1180859,1180889,1180891,1180971,1181014,1181018,1181077,1181104,1181148,1181158,1181161,1181169,1181203,1181217,1181218,1181219,1181220,1181237,1181318,1181335,1181346,1181349,1181425,1181494,1181504,1181511,1181538,1181553,1181584,1181645,CVE-2020-25211,CVE-2020-25639,CVE-2020-27835,CVE-2020-29568,CVE-2020-29569,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347,CVE-2021-3348

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
- CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).
- CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules.
  A privileged user could insert a rule which could lead to denial of service (bnc#1180765).
- CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required. (bnc#1180812)
- CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way a user calls ioctl after opening the device file and forking. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).
- CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
- CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).
- CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

The following non-security bugs were fixed:

- ACPI/IORT: Do not blindly trust DMA masks from firmware (git-fixes).
- ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI (git-fixes).
- ACPI: scan: Harden acpi_device_add() against device ID overflows (git-fixes).
- ACPI: scan: Make acpi_bus_get_device() clear return pointer on error (git-fixes).
- ACPI: sysfs: Prefer 'compatible' modalias (git-fixes).
- ALSA: doc: Fix reference to mixart.rst (git-fixes).
- ALSA: fireface: Fix integer overflow in transmit_midi_msg() (git-fixes).
- ALSA: firewire-tascam: Fix integer overflow in midi_port_work() (git-fixes).
- ALSA: hda: Add Cometlake-R PCI ID (git-fixes).
- ALSA: hda/conexant: add a new hda codec CX11970 (git-fixes).
- ALSA: hda/hdmi - enable runtime pm for CI AMD display audio (git-fixes).
- ALSA: hda/realtek: Add mute LED quirk for more HP laptops (git-fixes).
- ALSA: hda/realtek: Add two 'Intel Reference board' SSID in the ALC256 (git-fixes).
- ALSA: hda/realtek: Enable headset of ASUS B1400CEPE with ALC256 (git-fixes).
- ALSA: hda/realtek: Enable mute and micmute LED on HP EliteBook 850 G7 (git-fixes).
- ALSA: hda/realtek: fix right sounds and mute/micmute LEDs for HP machines (git-fixes).
- ALSA: hda/realtek - Fix speaker volume control on Lenovo C940 (git-fixes).
- ALSA: hda/realtek - Limit int mic boost on Acer Aspire E5-575T (git-fixes).
- ALSA: hda/realtek - Modify Dell platform name (git-fixes).
- ALSA: hda/realtek: Remove dummy lineout on Acer TravelMate P648/P658 (git-fixes).
- ALSA: hda/realtek - Supported Dell fixed type headset (git-fixes).
- ALSA: hda/tegra: fix tegra-hda on tegra30 soc (git-fixes).
- ALSA: hda/via: Add minimum mute flag (git-fixes).
- ALSA: hda/via: Apply the workaround generically for Clevo machines (git-fixes).
- ALSA: hda/via: Fix runtime PM for Clevo W35xSS (git-fixes).
- ALSA: pcm: Clear the full allocated memory at hw_params (git-fixes).
- ALSA: pcm: fix hw_rule deps kABI (bsc#1181014).
- ALSA: pcm: One more dependency for hw constraints (bsc#1181014).
- ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info() (git-fixes).
- ALSA: usb-audio: Add quirk for BOSS AD-10 (git-fixes).
- ALSA: usb-audio: Add quirk for RC-505 (git-fixes).
- ALSA: usb-audio: Always apply the hw constraints for implicit fb sync (bsc#1181014).
- ALSA: usb-audio: Annotate the endpoint index in audioformat (git-fixes).
- ALSA: usb-audio: Avoid implicit feedback on Pioneer devices (bsc#1181014).
- ALSA: usb-audio: Avoid unnecessary interface re-setup (git-fixes).
- ALSA: usb-audio: Choose audioformat of a counter-part substream (git-fixes).
- ALSA: usb-audio: Fix hw constraints dependencies (bsc#1181014).
- ALSA: usb-audio: Fix implicit feedback sync setup for Pioneer devices (git-fixes).
- ALSA: usb-audio: Fix the missing endpoints creations for quirks (git-fixes).
- ALSA: usb-audio: Fix UAC1 rate setup for secondary endpoints (bsc#1181014).
- ALSA: usb-audio: Fix UBSAN warnings for MIDI jacks (git-fixes).
- ALSA: usb-audio: Set sample rate for all sharing EPs on UAC1 (bsc#1181014).
- arch/x86/lib/usercopy_64.c: fix __copy_user_flushcache() cache writeback (bsc#1152489).
- arm64: mm: Fix ARCH_LOW_ADDRESS_LIMIT when !CONFIG_ZONE_DMA (git-fixes).
- arm64: pgtable: Ensure dirty bit is preserved across pte_wrprotect() (bsc#1180130).
- arm64: pgtable: Fix pte_accessible() (bsc#1180130).
- ASoC: ak4458: correct reset polarity (git-fixes).
- ASoC: dapm: remove widget from dirty list on free (git-fixes).
- ASoC: Intel: fix error code cnl_set_dsp_D0() (git-fixes).
- ASoC: meson: axg-tdm-interface: fix loopback (git-fixes).
- bitmap: remove unused function declaration (git-fixes).
- Bluetooth: hci_h5: close serdev device and free hu in h5_close (git-fixes).
- Bluetooth: revert: hci_h5: close serdev device and free hu in h5_close (git-fixes).
- bnxt_en: Fix AER recovery (jsc#SLE-8371 bsc#1153274).
- bpf: Do not leak memory in bpf getsockopt when optlen == 0 (bsc#1155518).
- bpf: Fix helper bpf_map_peek_elem_proto pointing to wrong callback (bsc#1155518).
- btrfs: fix missing delalloc new bit for new delalloc ranges (bsc#1180773).
- btrfs: make btrfs_dirty_pages take btrfs_inode (bsc#1180773).
- btrfs: make btrfs_set_extent_delalloc take btrfs_inode (bsc#1180773).
- btrfs: send: fix invalid clone operations when cloning from the same file and root (bsc#1181511).
- btrfs: send: fix wrong file path when there is an inode with a pending rmdir (bsc#1181237).
- bus/fsl_mc: Do not rely on caller to provide non NULL mc_io (git-fixes).
- cachefiles: Drop superfluous readpages aops NULL check (git-fixes).
- can: dev: prevent potential information leak in can_fill_info() (git-fixes).
- can: vxcan: vxcan_xmit: fix use after free bug (git-fixes).
- CDC-NCM: remove 'connected' log message (git-fixes).
- clk: tegra30: Add hda clock default rates to clock driver (git-fixes).
- crypto: asym_tpm: correct zero out potential secrets (git-fixes).
- crypto: ecdh - avoid buffer overflow in ecdh_set_secret() (git-fixes).
- dmaengine: at_hdmac: add missing kfree() call in at_dma_xlate() (git-fixes).
- dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate() (git-fixes).
- dmaengine: at_hdmac: Substitute kzalloc with kmalloc (git-fixes).
- dmaengine: dw-edma: Fix use after free in dw_edma_alloc_chunk() (git-fixes).
- dmaengine: mediatek: mtk-hsdma: Fix a resource leak in the error handling path of the probe function (git-fixes).
- dmaengine: xilinx_dma: check dma_async_device_register return value (git-fixes).
- dmaengine: xilinx_dma: fix incompatible param warning in _child_probe() (git-fixes).
- dmaengine: xilinx_dma: fix mixed_enum_type coverity warning (git-fixes).
- drivers/base/memory.c: indicate all memory blocks as removable (bsc#1180264).
- drivers/perf: Fix kernel panic when rmmod PMU modules during perf sampling (bsc#1180848).
- drivers/perf: hisi: Permit modular builds of HiSilicon uncore drivers (bsc#1180848).
- Update config files.
- supported.conf:
- drm: Added orientation quirk for ASUS tablet model T103HAF (git-fixes).
- drm/amd/display: Add missing pflip irq for dcn2.0 (git-fixes).
- drm/amd/display: Avoid MST manager resource leak (git-fixes).
- drm/amd/display: dal_ddc_i2c_payloads_create can fail causing panic (git-fixes).
- drm/amd/display: dchubbub p-state warning during surface planes switch (git-fixes).
- drm/amd/display: Do not double-buffer DTO adjustments (git-fixes).
- drm/amd/display: Do not invoke kgdb_breakpoint() unconditionally (git-fixes).
- drm/amd/display: Fix memleak in amdgpu_dm_mode_config_init (git-fixes).
- drm/amd/display: Free gamma after calculating legacy transfer function (git-fixes).
- drm/amd/display: HDMI remote sink need mode validation for Linux (git-fixes).
- drm/amd/display: Increase timeout for DP Disable (git-fixes).
- drm/amd/display: Reject overlay plane configurations in multi-display scenarios (git-fixes).
- drm/amd/display: remove useless if/else (git-fixes).
- drm/amd/display: Retry AUX write when fail occurs (git-fixes).
- drm/amd/display: Stop if retimer is not available (git-fixes).
- drm/amd/display: update nv1x stutter latencies (git-fixes).
- drm/amdgpu: add DID for navi10 blockchain SKU (git-fixes).
- drm/amdgpu: correct the gpu reset handling for job != NULL case (git-fixes).
- drm/amdgpu/dc: Require primary plane to be enabled whenever the CRTC is (git-fixes).
- drm/amdgpu: do not map BO in reserved region (git-fixes).
- drm/amdgpu: fix a GPU hang issue when remove device (git-fixes).
- drm/amdgpu: Fix bug in reporting voltage for CIK (git-fixes).
- drm/amdgpu: Fix bug where DPM is not enabled after hibernate and resume (git-fixes).
- drm/amdgpu: fix build_coefficients() argument (git-fixes).
- drm/amdgpu: fix calltrace during kmd unload(v3) (git-fixes).
- drm/amdgpu: increase atombios cmd timeout (git-fixes).
- drm/amdgpu: increase the reserved VM size to 2MB (git-fixes).
- drm/amdgpu: perform srbm soft reset always on SDMA resume (git-fixes).
- drm/amdgpu/powerplay: fix AVFS handling with custom powerplay table (git-fixes).
- drm/amdgpu/powerplay/smu7: fix AVFS handling with custom powerplay table (git-fixes).
- drm/amdgpu: prevent double kfree ttm->sg (git-fixes).
- drm/amdgpu/psp: fix psp gfx ctrl cmds (git-fixes).
- drm/amdgpu/sriov add amdgpu_amdkfd_pre_reset in gpu reset (git-fixes).
- drm/amdkfd: fix a memory leak issue (git-fixes).
- drm/amdkfd: Fix leak in dmabuf import (git-fixes).
- drm/amdkfd: fix restore worker race condition (git-fixes).
- drm/amdkfd: Use same SQ prefetch setting as amdgpu (git-fixes).
- drm/amd/pm: avoid false alarm due to confusing softwareshutdowntemp setting (git-fixes).
- drm/aspeed: Fix Kconfig warning & subsequent build errors (bsc#1152472)
- drm/aspeed: Fix Kconfig warning & subsequent build errors (git-fixes).
- drm/atomic: put state on error path (git-fixes).
- drm: bridge: dw-hdmi: Avoid resetting force in the detect function (bsc#1152472)
- drm/bridge/synopsys: dsi: add support for non-continuous HS clock (git-fixes).
- drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working correctly (git-fixes).
- drm/dp_aux_dev: check aux_dev before use in (bsc#1152472)
- drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor() (git-fixes).
- drm/etnaviv: always start/stop scheduler in timeout processing (git-fixes).
- drm/exynos: dsi: Remove bridge node reference in error handling path in probe function (git-fixes).
- drm/gma500: fix double free of gma_connector (bsc#1152472)
  Backporting notes:
  * context changes
- drm/gma500: fix double free of gma_connector (git-fixes).
- drm/gma500: Fix out-of-bounds access to struct drm_device.vblank[] (git-fixes).
- drm/i915: Avoid memory leak with more than 16 workarounds on a list (git-fixes).
- drm/i915: Break up error capture compression loops with cond_resched() (git-fixes).
- drm/i915: Check for all subplatform bits (git-fixes).
- drm/i915: clear the gpu reloc batch (git-fixes).
- drm/i915: Correctly set SFC capability for video engines (bsc#1152489)
  Backporting notes:
  * context changes
- drm/i915/display/dp: Compute the correct slice count for VDSC on DP (git-fixes).
- drm/i915: Drop runtime-pm assert from vgpu io accessors (git-fixes).
- drm/i915/dsi: Use unconditional msleep for the panel_on_delay when there is no reset-deassert MIPI-sequence (git-fixes).
- drm/i915: Filter wake_flags passed to default_wake_function (git-fixes).
- drm/i915: Fix mismatch between misplaced vma check and vma insert (git-fixes).
- drm/i915: Force VT'd workarounds when running as a guest OS (git-fixes).
- drm/i915/gt: Declare gen9 has 64 mocs entries! (git-fixes).
- drm/i915/gt: Delay execlist processing for tgl (git-fixes).
- drm/i915/gt: Free stale request on destroying the virtual engine (git-fixes).
- drm/i915/gt: Prevent use of engine->wa_ctx after error (git-fixes).
- drm/i915/gt: Program mocs:63 for cache eviction on gen9 (git-fixes).
- drm/i915/gvt: return error when failing to take the module reference (git-fixes).
- drm/i915/gvt: Set ENHANCED_FRAME_CAP bit (git-fixes).
- drm/i915: Handle max_bpc==16 (git-fixes).
- drm/i915/selftests: Avoid passing a random 0 into ilog2 (git-fixes).
- drm/mcde: Fix handling of platform_get_irq() error (bsc#1152472)
- drm/mcde: Fix handling of platform_get_irq() error (git-fixes).
- drm/meson: dw-hdmi: Register a callback to disable the regulator (git-fixes).
- drm/msm/a5xx: Always set an OPP supported hardware value (git-fixes).
- drm/msm/a6xx: fix a potential overflow issue (git-fixes).
- drm/msm/a6xx: fix gmu start on newer firmware (git-fixes).
- drm/msm: add shutdown support for display platform_driver (git-fixes).
- drm/msm: Disable preemption on all 5xx targets (git-fixes).
- drm/msm/dpu: Add newline to printks (git-fixes).
- drm/msm/dpu: Fix scale params in plane validation (git-fixes).
- drm/msm/dsi_phy_10nm: implement PHY disabling (git-fixes).
- drm/msm/dsi_pll_10nm: restore VCO rate during restore_state (git-fixes).
- drm/msm: fix leaks if initialization fails (git-fixes).
- drm/nouveau/bios: fix issue shadowing expansion ROMs (git-fixes).
- drm/nouveau/debugfs: fix runtime pm imbalance on error (git-fixes).
- drm/nouveau/dispnv50: fix runtime pm imbalance on error (git-fixes).
- drm/nouveau: fix runtime pm imbalance on error (git-fixes).
- drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields (git-fixes).
- drm/nouveau/kms/nv50-: fix case where notifier buffer is at offset 0 (git-fixes).
- drm/nouveau/mem: guard against NULL pointer access in mem_del (git-fixes).
- drm/nouveau/mmu: fix vram heap sizing (git-fixes).
- drm/nouveau/nouveau: fix the start/end range for migration (git-fixes).
- drm/nouveau/privring: ack interrupts the same way as RM (git-fixes).
- drm/nouveau/svm: fail NOUVEAU_SVM_INIT ioctl on unsupported devices (git-fixes).
- drm/omap: dmm_tiler: fix return error code in omap_dmm_probe() (git-fixes).
- drm/omap: dss: Cleanup DSS ports on initialisation failure (git-fixes).
- drm/omap: fix incorrect lock state (git-fixes).
- drm/omap: fix possible object reference leak (git-fixes).
- drm/panfrost: add amlogic reset quirk callback (git-fixes).
- drm: rcar-du: Set primary plane zpos immutably at initializing (git-fixes).
- drm/rockchip: Avoid uninitialized use of endpoint id in LVDS (bsc#1152472)
- drm/rockchip: Avoid uninitialized use of endpoint id in LVDS (git-fixes).
- drm/scheduler: Avoid accessing freed bad job (git-fixes).
- drm/sun4i: dw-hdmi: fix error return code in sun8i_dw_hdmi_bind() (bsc#1152472)
- drm/sun4i: frontend: Fix the scaler phase on A33 (git-fixes).
- drm/sun4i: frontend: Reuse the ch0 phase for RGB formats (git-fixes).
- drm/sun4i: frontend: Rework a bit the phase data (git-fixes).
- drm/sun4i: mixer: Extend regmap max_register (git-fixes).
- drm/syncobj: Fix use-after-free (git-fixes).
- drm/tegra: replace idr_init() by idr_init_base() (git-fixes).
- drm/tegra: sor: Disable clocks on error in tegra_sor_init() (git-fixes).
- drm/ttm: fix eviction valuable range check (git-fixes).
- drm/tve200: Fix handling of platform_get_irq() error (bsc#1152472)
- drm/tve200: Fix handling of platform_get_irq() error (git-fixes).
- drm/tve200: Stabilize enable/disable (git-fixes).
- drm/vc4: drv: Add error handding for bind (git-fixes).
- e1000e: bump up timeout to wait when ME un-configures ULP mode (jsc#SLE-8100).
- EDAC/amd64: Fix PCI component registration (bsc#1152489).
- ehci: fix EHCI host controller initialization sequence (git-fixes).
- ethernet: ucc_geth: fix use-after-free in ucc_geth_remove() (git-fixes).
- Exclude Symbols.list again.
  Removing the exclude builds vanilla/linux-next builds.
  Fixes: 55877625c800 ('kernel-binary.spec.in: Package the obj_install_dir as explicit filelist.')
- firmware: imx: select SOC_BUS to fix firmware build (git-fixes).
- floppy: reintroduce O_NDELAY fix (boo#1181018).
- futex: Ensure the correct return value from futex_lock_pi() (bsc#1181349 bsc#1149032).
- futex: Handle faults correctly for PI futexes (bsc#1181349 bsc#1149032).
- futex: Provide and use pi_state_update_owner() (bsc#1181349 bsc#1149032).
- futex: Remove needless goto's (bsc#1149032).
- futex: Remove unused empty compat_exit_robust_list() (bsc#1149032).
- futex: Replace pointless printk in fixup_owner() (bsc#1181349 bsc#1149032).
- futex: Simplify fixup_pi_state_owner() (bsc#1181349 bsc#1149032).
- futex: Use pi_state_update_owner() in put_pi_state() (bsc#1181349 bsc#1149032).
- HID: Ignore battery for Elan touchscreen on ASUS UX550 (git-fixes).
- HID: logitech-dj: add the G602 receiver (git-fixes).
- HID: multitouch: Apply MT_QUIRK_CONFIDENCE quirk for multi-input devices (git-fixes).
- HID: multitouch: do not filter mice nodes (git-fixes).
- HID: multitouch: Enable multi-input for Synaptics pointstick/touchpad device (git-fixes).
- HID: multitouch: Remove MT_CLS_WIN_8_DUAL (git-fixes).
- HID: wacom: Constify attribute_groups (git-fixes).
- HID: wacom: Correct NULL dereference on AES pen proximity (git-fixes).
- HID: wacom: do not call hid_set_drvdata(hdev, NULL) (git-fixes).
- HID: wacom: Fix memory leakage caused by kfifo_alloc (git-fixes).
- hwmon: (pwm-fan) Ensure that calculation does not discard big period values (git-fixes).
- i2c: bpmp-tegra: Ignore unknown I2C_M flags (git-fixes).
- i2c: i801: Fix the i2c-mux gpiod_lookup_table not being properly terminated (git-fixes).
- i2c: octeon: check correct size of maximum RECV_LEN packet (git-fixes).
- i2c: sprd: use a specific timeout to avoid system hang up issue (git-fixes).
- i3c master: fix missing destroy_workqueue() on error in i3c_master_register (git-fixes).
- IB/hfi1: Remove kobj from hfi1_devdata (bsc#1179878).
- IB/hfi1: Remove module parameter for KDETH qpns (bsc#1179878).
- ice: avoid premature Rx buffer reuse (jsc#SLE-7926).
- ice, xsk: clear the status bits for the next_to_use descriptor (jsc#SLE-7926).
- iio: ad5504: Fix setting power-down state (git-fixes).
- iomap: fix WARN_ON_ONCE() from unprivileged users (bsc#1181494).
- iommu/vt-d: Fix a bug for PDP check in prq_event_thread (bsc#1181217).
- ionic: account for vlan tag len in rx buffer len (bsc#1167773).
- kABI fixup for dwc3 introduction of DWC_usb32 (git-fixes).
- kdb: Fix pager search for multi-line strings (git-fixes).
- kgdb: Drop malformed kernel doc comment (git-fixes).
- kprobes: tracing/kprobes: Fix to kill kprobes on initmem after boot (git fixes (kernel/kprobe)).
- KVM: nVMX: Reload vmcs01 if getting vmcs12's pages fails (bsc#1181218).
- KVM: s390: pv: Mark mm as protected after the set secure parameters and improve cleanup (jsc#SLE-7512 bsc#1165545).
- KVM: SVM: Initialize prev_ga_tag before use (bsc#1180809).
- leds: trigger: fix potential deadlock with libata (git-fixes).
- lib/genalloc: fix the overflow when size is too big (git-fixes).
- lib/string: remove unnecessary #undefs (git-fixes).
- lockd: do not use interval-based rebinding over TCP (for-next).
- mac80211: check if atf has been disabled in __ieee80211_schedule_txq (git-fixes).
- mac80211: do not drop tx nulldata packets on encrypted links (git-fixes).
- md: fix a warning caused by a race between concurrent md_ioctl()s (for-next).
- media: dvb-usb: Fix memory leak at error in dvb_usb_device_init() (bsc#1181104).
- media: dvb-usb: Fix use-after-free access (bsc#1181104).
- media: gp8psk: initialize stats at power control logic (git-fixes).
- media: rc: ensure that uevent can be read directly after rc device register (git-fixes).
- misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() (git-fixes).
- misdn: dsp: select CONFIG_BITREVERSE (git-fixes).
- mmc: core: do not initialize block size from ext_csd if not present (git-fixes).
- mmc: sdhci-xenon: fix 1.8v regulator stabilization (git-fixes).
- mm: memcontrol: fix missing wakeup polling thread (bsc#1181584).
- mm/vmalloc: Fix unlock order in s_stop() (git fixes (mm/vmalloc)).
- module: delay kobject uevent until after module init call (bsc#1178631).
- mt7601u: fix kernel crash unplugging the device (git-fixes).
- mt7601u: fix rx buffer refcounting (git-fixes).
- net/af_iucv: fix null pointer dereference on shutdown (bsc#1179567 LTC#190111).
- net/af_iucv: set correct sk_protocol for child sockets (git-fixes).
- net: fix proc_fs init handling in af_packet and tls (bsc#1154353).
- net: hns3: fix a phy loopback fail issue (bsc#1154353).
- net: hns3: remove a misused pragma packed (bsc#1154353).
- net/mlx5e: ethtool, Fix restriction of autoneg with 56G (jsc#SLE-8464).
- net: mscc: ocelot: allow offloading of bridge on top of LAG (git-fixes).
- net/smc: cancel event worker during device removal (git-fixes).
- net/smc: check for valid ib_client_data (git-fixes).
- net/smc: fix cleanup for linkgroup setup failures (git-fixes).
- net/smc: fix direct access to ib_gid_addr->ndev in smc_ib_determine_gid() (git-fixes).
- net/smc: fix dmb buffer shortage (git-fixes).
- net/smc: fix sleep bug in smc_pnet_find_roce_resource() (git-fixes).
- net/smc: fix sock refcounting in case of termination (git-fixes).
- net/smc: fix valid DMBE buffer sizes (git-fixes).
- net/smc: no peer ID in CLC decline for SMCD (git-fixes).
- net/smc: remove freed buffer from list (git-fixes).
- net/smc: reset sndbuf_desc if freed (git-fixes).
- net/smc: set rx_off for SMCR explicitly (git-fixes).
- net/smc: switch smcd_dev_list spinlock to mutex (git-fixes).
- net/smc: transfer fasync_list in case of fallback (git-fixes).
- net: sunrpc: Fix 'snprintf' return value check in 'do_xprt_debugfs' (for-next).
- net: sunrpc: interpret the return value of kstrtou32 correctly (for-next).
- net: usb: qmi_wwan: add Quectel EM160R-GL (git-fixes).
- net: vlan: avoid leaks on register_vlan_dev() failures (bsc#1154353).
- NFC: fix possible resource leak (git-fixes).
- NFC: fix resource leak when target index is invalid (git-fixes).
- NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock (for-next).
- nfs_common: need lock during iterate through the list (for-next).
- nfsd4: readdirplus shouldn't return parent of export (git-fixes).
- nfsd: Fix message level for normal termination (for-next).
- NFS: nfs_delegation_find_inode_server must first reference the superblock (for-next).
- NFS: nfs_igrab_and_active must first reference the superblock (for-next).
- NFS/pNFS: Fix a leak of the layout 'plh_outstanding' counter (for-next).
- NFS/pNFS: Fix a typo in ff_layout_resend_pnfs_read() (for-next).
- NFS: switch nfsiod to be an UNBOUND workqueue (for-next).
- NFSv4.2: condition READDIR's mask for security label based on LSM state (for-next).
- NFSv4: Fix the alignment of page data in the getdeviceinfo reply (for-next).
- nvme-multipath: fix bogus request queue reference put (bsc#1175389).
- nvme-rdma: avoid request double completion for concurrent nvme_rdma_timeout (bsc#1181161).
- nvme-tcp: avoid request double completion for concurrent nvme_tcp_timeout (bsc#1181161).
- platform/x86: i2c-multi-instantiate: Do not create platform device for INT3515 ACPI nodes (git-fixes).
- platform/x86: ideapad-laptop: Disable touchpad_switch for ELAN0634 (git-fixes).
- platform/x86: intel-vbtn: Drop HP Stream x360 Convertible PC 11 from allow-list (git-fixes).
- platform/x86: intel-vbtn: Fix SW_TABLET_MODE always reporting 1 on some HP x360 models (git-fixes).
- PM: hibernate: flush swap writer after marking (git-fixes).
- pNFS: Mark layout for return if return-on-close was not sent (git-fixes).
- powerpc: Fix build error in paravirt.h (bsc#1181148 ltc#190702).
- powerpc/paravirt: Use is_kvm_guest() in vcpu_is_preempted() (bsc#1181148 ltc#190702).
- powerpc: Refactor is_kvm_guest() declaration to new header (bsc#1181148 ltc#190702).
- powerpc: Reintroduce is_kvm_guest() as a fast-path check (bsc#1181148 ltc#190702).
- powerpc: Rename is_kvm_guest() to check_kvm_guest() (bsc#1181148 ltc#190702).
- power: vexpress: add suppress_bind_attrs to true (git-fixes).
- prom_init: enable verbose prints (bsc#1178142 bsc#1180759).
- ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() (bsc#1163930).
- ptrace: Set PF_SUPERPRIV when checking capability (bsc#1163930).
- r8152: Add Lenovo Powered USB-C Travel Hub (git-fixes).
- r8169: work around power-saving bug on some chip versions (git-fixes).
- regmap: debugfs: Fix a memory leak when calling regmap_attach_dev (git-fixes).
- regmap: debugfs: Fix a reversed if statement in regmap_debugfs_init() (git-fixes).
- Revive usb-audio Keep Interface mixer (bsc#1181014).
- rtc: pl031: fix resource leak in pl031_probe (git-fixes).
- rtc: sun6i: Fix memleak in sun6i_rtc_clk_init (git-fixes).
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock() (bsc#1181349 bsc#1149032).
- s390/cio: fix use-after-free in ccw_device_destroy_console (git-fixes).
- s390/dasd: fix hanging device offline processing (bsc#1181169 LTC#190914).
- s390/dasd: fix list corruption of lcu list (git-fixes).
- s390/dasd: fix list corruption of pavgroup group list (git-fixes).
- s390/dasd: prevent inconsistent LCU device data (git-fixes).
- s390/kexec_file: fix diag308 subcode when loading crash kernel (git-fixes).
- s390/qeth: consolidate online/offline code (git-fixes).
- s390/qeth: do not raise NETDEV_REBOOT event from L3 offline path (git-fixes).
- s390/qeth: fix deadlock during recovery (git-fixes).
- s390/qeth: fix L2 header access in qeth_l3_osa_features_check() (git-fixes).
- s390/qeth: fix locking for discipline setup / removal (git-fixes).
- s390/smp: perform initial CPU reset also for SMT siblings (git-fixes).
- sched/fair: Check for idle core in wake_affine (git fixes (sched)).
- scsi: ibmvfc: Set default timeout to avoid crash during migration (bsc#1181425 ltc#188252).
- scsi: lpfc: Enhancements to LOG_TRACE_EVENT for better readability (bsc#1180891).
- scsi: lpfc: Fix auto sli_mode and its effect on CONFIG_PORT for SLI3 (bsc#1180891).
- scsi: lpfc: Fix crash when a fabric node is released prematurely (bsc#1180891).
- scsi: lpfc: Fix crash when nvmet transport calls host_release (bsc#1180891).
- scsi: lpfc: Fix error log messages being logged following SCSI task mgnt (bsc#1180891).
- scsi: lpfc: Fix FW reset action if I/Os are outstanding (bsc#1180891).
- scsi: lpfc: Fix NVMe recovery after mailbox timeout (bsc#1180891).
- scsi: lpfc: Fix PLOGI S_ID of 0 on pt2pt config (bsc#1180891).
- scsi: lpfc: Fix target reset failing (bsc#1180891).
- scsi: lpfc: Fix vport create logging (bsc#1180891).
- scsi: lpfc: Implement health checking when aborting I/O (bsc#1180891).
- scsi: lpfc: Prevent duplicate requests to unregister with cpuhp framework (bsc#1180891).
- scsi: lpfc: Refresh ndlp when a new PRLI is received in the PRLI issue state (bsc#1180891).
- scsi: lpfc: Simplify bool comparison (bsc#1180891).
- scsi: lpfc: Update lpfc version to 12.8.0.7 (bsc#1180891).
- scsi: lpfc: Use the nvme-fc transport supplied timeout for LS requests (bsc#1180891).
- scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit (bsc#1179142).
- scsi: scsi_transport_srp: Do not block target in failfast state (bsc#1172355).
- selftests/ftrace: Select an existing function in kprobe_eventname test (bsc#1179396 ltc#185738).
- selftests: net: fib_tests: remove duplicate log test (git-fixes).
- selftests/powerpc: Add a test of bad (out-of-range) accesses (bsc#1181158 ltc#190851).
- selftests/powerpc: Add a test of spectre_v2 mitigations (bsc#1181158 ltc#190851).
- selftests/powerpc: Ignore generated files (bsc#1181158 ltc#190851).
- selftests/powerpc: Move Hash MMU check to utilities (bsc#1181158 ltc#190851).
- selftests/powerpc: Move set_dscr() into rfi_flush.c (bsc#1181158 ltc#190851).
- selftests/powerpc: Only test lwm/stmw on big endian (bsc#1180412 ltc#190579).
- selftests/powerpc: spectre_v2 test must be built 64-bit (bsc#1181158 ltc#190851).
- serial: mvebu-uart: fix tx lost characters at power off (git-fixes).
- spi: cadence: cache reference clock rate during probe (git-fixes).
- spi: stm32: FIFO threshold level - fix align packet size (git-fixes).
- staging: mt7621-dma: Fix a resource leak in an error handling path (git-fixes).
- staging: wlan-ng: fix out of bounds read in prism2sta_probe_usb() (git-fixes).
- SUNRPC: Clean up the handling of page padding in rpc_prepare_reply_pages() (for-next).
- sunrpc: fix xs_read_xdr_buf for partial pages receive (for-next).
- SUNRPC: rpc_wake_up() should wake up tasks in the correct order (for-next).
- swiotlb: fix 'x86: Do not panic if can not alloc buffer for swiotlb' (git-fixes).
- swiotlb: using SIZE_MAX needs limits.h included (git-fixes).
- timers: Preserve higher bits of expiration on index calculation (bsc#1181318).
- timers: Use only bucket expiry for base->next_expiry value (bsc#1181318).
- udp: Prevent reuseport_select_sock from reading uninitialized socks (git-fixes).
- USB: cdc-acm: blacklist another IR Droid device (git-fixes).
- USB: cdc-wdm: Fix use after free in service_outstanding_interrupt() (git-fixes).
- usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data() (git-fixes).
- USB: dummy-hcd: Fix uninitialized array use in init() (git-fixes).
- usb: dwc3: Add support for DWC_usb32 IP (git-fixes).
- usb: dwc3: core: Properly default unspecified speed (git-fixes).
- usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion (git-fixes).
- usb: dwc3: Update soft-reset wait polling rate (git-fixes).
- USB: ehci: fix an interrupt calltrace error (git-fixes).
- usb: gadget: aspeed: fix stop dma register setting (git-fixes).
- usb: gadget: configfs: Fix use-after-free issue with udc_name (git-fixes).
- usb: gadget: configfs: Preserve function ordering after bind failure (git-fixes).
- usb: gadget: enable super speed plus (git-fixes).
- usb: gadget: Fix spinlock lockup on usb_function_deactivate (git-fixes).
- usb: gadget: f_uac2: reset wMaxPacketSize (git-fixes).
- usb: gadget: function: printer: Fix a memory leak for interface descriptor (git-fixes).
- USB: gadget: legacy: fix return error code in acm_ms_bind() (git-fixes).
- usb: gadget: select CONFIG_CRC32 (git-fixes).
- usb: gadget: u_ether: Fix MTU size mismatch with RX packet size (git-fixes).
- USB: serial: iuu_phoenix: fix DMA from stack (git-fixes).
- USB: serial: option: add LongSung M5710 module support (git-fixes).
- USB: serial: option: add Quectel EM160R-GL (git-fixes).
- usb: typec: Fix copy paste error for NVIDIA alt-mode description (git-fixes).
- usb: uas: Add PNY USB Portable SSD to unusual_uas (git-fixes).
- usb: udc: core: Use lock when write to soft_connect (git-fixes).
- usb: usbip: vhci_hcd: protect shift size (git-fixes).
- USB: usblp: fix DMA to stack (git-fixes).
- USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set (git-fixes).
- USB: yurex: fix control-URB timeout handling (git-fixes).
- vfio iommu: Add dma available capability (bsc#1179572 LTC#190110).
- vfio/pci: Implement ioeventfd thread handler for contended memory lock (bsc#1181219).
- vfio-pci: Use io_remap_pfn_range() for PCI IO memory (bsc#1181220).
- video: fbdev: atmel_lcdfb: fix return error code in atmel_lcdfb_of_init() (git-fixes).
- video: fbdev: fix OOB read in vga_8planes_imageblit() (git-fixes).
- video: fbdev: pvr2fb: initialize variables (git-fixes).
- video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error (git-fixes).
- wan: ds26522: select CONFIG_BITREVERSE (git-fixes).
- wil6210: select CONFIG_CRC32 (git-fixes).
- x86/apic: Fix x2apic enablement without interrupt remapping (bsc#1152489).
- x86/cpu/amd: Call init_amd_zn() om Family 19h processors too (bsc#1181077).
- x86/cpu/amd: Set __max_die_per_package on AMD (bsc#1152489).
- x86/hyperv: Fix kexec panic/hang issues (bsc#1176831).
- x86/kprobes: Restore BTF if the single-stepping is cancelled (bsc#1152489).
- x86/mm: Fix leak of pmd ptlock (bsc#1152489).
- x86/mm/numa: Remove uninitialized_var() usage (bsc#1152489).
- x86/mtrr: Correct the range check before performing MTRR type lookups (bsc#1152489).
- x86/resctrl: Do not move a task to the same resource group (bsc#1152489).
- x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR (bsc#1152489).
- x86/topology: Make __max_die_per_package available unconditionally (bsc#1152489).
- x86/xen: avoid warning in Xen pv guest with CONFIG_AMD_MEM_ENCRYPT enabled (bsc#1181335).
- xen-blkfront: allow discard-* nodes to be optional (bsc#1181346).
- xen/privcmd: allow fetching resource sizes (bsc#1065600).
- xfs: show the proper user quota options (bsc#1181538).
- xhci: Give USB2 ports time to enter U3 in bus suspend (git-fixes).
- xhci: make sure TRB is fully written before giving it to the controller (git-fixes).
- xhci: tegra: Delay for disabling LFPS detector (git-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:419-1
Released: Wed Feb 10 12:03:33 2021
Summary: Recommended update for open-iscsi
Type: recommended
Severity: moderate
References: 1181313
This update for open-iscsi fixes the following issues:

- Fixes a segfault when exiting from iscsiadm (bsc#1181313)
- Fix for several memory leaks in iscsiadm
- Fix for a crash when function iscsi_rec_update_param() is invoked
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:435-1
Released: Thu Feb 11 14:47:25 2021
Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork
Type: security
Severity: important
References: 1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732,CVE-2020-15257,CVE-2021-21284,CVE-2021-21285
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:

Security issues fixed:

- CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969).
- CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
- CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730)

Non-security issues fixed:

- Update Docker to 19.03.15-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).
- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE. It appears that SLES doesn't like the patch. (bsc#1180401)
- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and fixes CVE-2020-15257. bsc#1180243
- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce. bsc#1176708
- Update to Docker 19.03.14-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
CVE-2020-15257 bsc#1180243 https://github.com/docker/docker-ce/releases/tag/v19.03.14 - Enable fish-completion - Add a patch which makes Docker compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460) - Update to Docker 19.03.13-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708 - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) - Emergency fix: %requires_eq does not work with provide symbols, only effective package names. Convert back to regular Requires. - Update to Docker 19.03.12-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. - Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of spurrious errors due to Go returning -EINTR from I/O syscalls much more often (due to Go 1.14's pre-emptive goroutine support). - Add BuildRequires for all -git dependencies so that we catch missing dependencies much more quickly. - Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce. bsc#1180243 - Add patch which makes libnetwork compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:441-1 Released: Thu Feb 11 16:35:04 2021 Summary: Optional update for python3-jsonschema Type: optional Severity: low References: 1180403 This update provides the python3 variant of the jsonschema module to the SUSE Linux Enterprise 15 SP2 Basesystem module. 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:507-1
Released: Thu Feb 18 09:34:49 2021
Summary: Security update for bind
Type: security
Severity: important
References: 1182246,CVE-2020-8625
This update for bind fixes the following issues:

- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack [bsc#1182246]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:516-1
Released: Thu Feb 18 14:42:51 2021
Summary: Recommended update for docker, golang-github-docker-libnetwork
Type: recommended
Severity: moderate
References: 1178801,1180401,1182168
This update for docker, golang-github-docker-libnetwork fixes the following issues:

- A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:519-1
Released: Fri Feb 19 09:44:53 2021
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1180501
This update for openssh fixes the following issues:

- Fixed a crash which sometimes occurred on connection termination, caused by accessing freed memory (bsc#1180501)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:521-1
Released: Fri Feb 19 11:00:33 2021
Summary: Security update for qemu
Type: security
Severity: important
References: 1178049,1178565,1179717,1179719,1180523,1181639,1181933,1182137,CVE-2020-11947,CVE-2021-20181,CVE-2021-20203,CVE-2021-20221
This update for qemu fixes the following issues:

- Fixed potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
- Fixed out-of-bound access in iscsi (CVE-2020-11947 bsc#1180523)
- Fixed out-of-bound access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
- Fixed out-of-bound access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)
- Fixed vfio-pci device on s390 enters error state (bsc#1179717 bsc#1179719)
- Fixed 'Failed to try-restart qemu-ga@.service' error while updating the qemu-guest-agent. (bsc#1178565)
- Apply fixes to qemu scsi passthrough with respect to timeout and error conditions, including using more correct status codes. Add more qemu tracing which helped track down these issues (bsc#1178049)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:526-1
Released: Fri Feb 19 12:46:27 2021
Summary: Recommended update for python-distro
Type: recommended
Severity: moderate
References:
This update for python-distro fixes the following issues:

Upgrade from version 1.2.0 to 1.5.0 (jsc#ECO-3212)

- Backward compatibility:
  - Keep output as native string so we can be compatible with the python2 interface
  - Prefer the `VERSION_CODENAME` field of `os-release` to parsing it from `VERSION`
- Bug Fixes:
  - Fix detection of RHEL 6 `ComputeNode`
  - Fix Oracle 4/5 `lsb_release` id and names
  - Ignore `/etc/plesk-release` file while parsing distribution
  - Return `_uname_info` from the `uname_info()` method
  - Fixed `CloudLinux` id discovery
  - Update Oracle matching
  - Warn about wrong locale.
- Documentation:
  - Distro is the recommended replacement for `platform.linux_distribution`
  - Add Ansible reference implementation and fix arch-linux link
  - Add facter reference implementation

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released: Fri Feb 19 14:53:47 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177
This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:551-1
Released: Tue Feb 23 09:31:53 2021
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1180827,CVE-2021-26720
This update for avahi fixes the following issues:

- CVE-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827)
- Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d.
- Add sudo to requires: used to drop privileges.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:571-1
Released: Tue Feb 23 16:11:33 2021
Summary: Recommended update for cloud-init
Type: recommended
Severity: moderate
References: 1180176
This update for cloud-init contains the following fixes:

- Update cloud-init-write-routes.patch (bsc#1180176)
  + Follow up to previous changes. Fix order of operations error to make gateway comparison between subnet configuration and route configuration valuable rather than self-comparing.
- Add cloud-init-sle12-compat.patch (jsc#PM-2335)
  - Python 3.4 compatibility in setup.py
  - Disable some tests for mock version compatibility

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:573-1
Released: Wed Feb 24 09:58:38 2021
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1176171,1180336
This update for dracut fixes the following issues:

- arm/arm64: Add reset controllers (bsc#1180336)
- Prevent creating unexpected files on the host when running dracut (bsc#1176171)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:594-1
Released: Thu Feb 25 09:29:35 2021
Summary: Security update for python-cryptography
Type: security
Severity: important
References: 1182066,CVE-2020-36242
This update for python-cryptography fixes the following issues:

- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte values could result in an integer overflow and buffer overflow (bsc#1182066).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released: Fri Feb 26 19:53:43 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:654-1
Released: Fri Feb 26 20:01:10 2021
Summary: Security update for python-Jinja2
Type: security
Severity: important
References: 1181944,1182244,CVE-2020-28493
This update for python-Jinja2 fixes the following issues:

- CVE-2020-28493: Fixed a ReDOS vulnerability where urlize could have been called with untrusted user data (bsc#1181944).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:656-1
Released: Mon Mar 1 09:34:21 2021
Summary: Recommended update for protobuf
Type: recommended
Severity: moderate
References: 1177127
This update for protobuf fixes the following issues:

- Add missing dependency of python subpackages on python-six. (bsc#1177127)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:683-1
Released: Tue Mar 2 19:04:43 2021
Summary: Security update for grub2
Type: security
Severity: important
References: 1175970,1176711,1177883,1179264,1179265,1182057,1182262,1182263,CVE-2020-14372,CVE-2020-25632,CVE-2020-25647,CVE-2020-27749,CVE-2020-27779,CVE-2021-20225,CVE-2021-20233
This update for grub2 fixes the following issues:

grub2 implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)

- CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:689-1
Released: Tue Mar 2 19:08:40 2021
Summary: Security update for bind
Type: security
Severity: important
References: 1180933
This update for bind fixes the following issues:

- dnssec-keygen can no longer generate HMAC keys. Use tsig-keygen instead. [bsc#1180933]

From sle-security-updates at lists.suse.com Wed Mar 10 11:48:46 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 10 Mar 2021 12:48:46 +0100 (CET)
Subject: SUSE-IU-2021:416-1: Security update of suse-sles-15-sp2-chost-byos-v20210304-hvm-ssd-x86_64
Message-ID: <20210310114846.C8FB5FD17@maintenance.suse.de>

SUSE Image Update Advisory: suse-sles-15-sp2-chost-byos-v20210304-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2021:416-1
Image Tags : suse-sles-15-sp2-chost-byos-v20210304-hvm-ssd-x86_64:20210304
Image Release :
Severity : important
Type : security
References : 1065600 1149032 1152472 1152489 1153274 1154353 1155518 1163930 1165545 1167773 1170671 1172355 1174075 1175389 1175970 1176171 1176262 1176395 1176708 1176711 1176831 1176846 1177127 1177460 1177883 1178049 1178142 1178386 1178565 1178631 1178801 1178801 1178969 1179142 1179264 1179265 1179396 1179508 1179509 1179567 1179572 1179575 1179691 1179694 1179717 1179719 1179721 1179756 1179878 1180008 1180038 1180130 1180176 1180243 1180264 1180336 1180401 1180401 1180403 1180412 1180501 1180520 1180523 1180603 1180686 1180759 1180765 1180773 1180809 1180812 1180827 1180848 1180859 1180889 1180891 1180933 1180971 1181014 1181018 1181077 1181104 1181126 1181148 1181158 1181161 1181169 1181203 1181217 1181218 1181219 1181220 1181237 1181313 1181318 1181319 1181335 1181346 1181349 1181425 1181494 1181504 1181505 1181511 1181538 1181553 1181584 1181639 1181645 1181730 1181732 1181933 1181944 1182057 1182066 1182117 1182137 1182168 1182244 1182246 1182262 1182263
CVE-2019-20916 CVE-2019-25013 CVE-2019-8842 CVE-2020-10001 CVE-2020-11947 CVE-2020-14372 CVE-2020-15257 CVE-2020-25211 CVE-2020-25632 CVE-2020-25639 CVE-2020-25647 CVE-2020-27618 CVE-2020-27749 CVE-2020-27779 CVE-2020-27835 CVE-2020-28493 CVE-2020-29562 CVE-2020-29568 CVE-2020-29569 CVE-2020-29573 CVE-2020-36242 CVE-2020-8625 CVE-2021-0342 CVE-2021-20177 CVE-2021-20181 CVE-2021-20203 CVE-2021-20221 CVE-2021-20225 CVE-2021-20233 CVE-2021-21284 CVE-2021-21285 CVE-2021-26720 CVE-2021-3177 CVE-2021-3326 CVE-2021-3347 CVE-2021-3348
-----------------------------------------------------------------
The container suse-sles-15-sp2-chost-byos-v20210304-hvm-ssd-x86_64 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:278-1
Released: Tue Feb 2 09:43:08 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: moderate
References: 1181319
This update for lvm2 fixes the following issues:

- Backport 'lvmlockd' to adopt orphan locks feature. (bsc#1181319)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:285-1
Released: Tue Feb 2 13:08:54 2021
Summary: Security update for cups
Type: security
Severity: moderate
References: 1170671,1180520,CVE-2019-8842,CVE-2020-10001
This update for cups fixes the following issues:

- CVE-2020-10001: Fixed an out-of-bounds read in the ippReadIO function (bsc#1180520).
- CVE-2019-8842: Fixed an out-of-bounds read in an extension field (bsc#1170671).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released: Wed Feb 3 12:52:34 2021
Summary: Recommended update for gmp
Type: recommended
Severity: moderate
References: 1180603
This update for gmp fixes the following issues:

- correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:301-1
Released: Thu Feb 4 08:46:27 2021
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460
This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:302-1
Released: Thu Feb 4 13:18:35 2021
Summary: Recommended update for lvm2
Type: recommended
Severity: important
References: 1179691
This update for lvm2 fixes the following issues:

- lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691). If this behavior is still wanted, please change this manually in the lvm.conf

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released: Mon Feb 8 13:16:07 2021
Summary: Optional update for pam
Type: optional
Severity: low
References:
This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to be installed - it doesn't fix any bugs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:354-1
Released: Tue Feb 9 16:38:54 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1065600,1149032,1152472,1152489,1153274,1154353,1155518,1163930,1165545,1167773,1172355,1175389,1176395,1176831,1176846,1178142,1178631,1179142,1179396,1179508,1179509,1179567,1179572,1179575,1179878,1180008,1180130,1180264,1180412,1180759,1180765,1180773,1180809,1180812,1180848,1180859,1180889,1180891,1180971,1181014,1181018,1181077,1181104,1181148,1181158,1181161,1181169,1181203,1181217,1181218,1181219,1181220,1181237,1181318,1181335,1181346,1181349,1181425,1181494,1181504,1181511,1181538,1181553,1181584,1181645,CVE-2020-25211,CVE-2020-25639,CVE-2020-27835,CVE-2020-29568,CVE-2020-29569,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347,CVE-2021-3348
The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:

- CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
- CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).
- CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).
- CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required. (bnc#1180812)
- CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).
- CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
- CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).
- CVE-2020-25211: Fixed a flaw where a local attacker was able to inject conntrack netlink configuration that could cause a denial of service or trigger the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter (bnc#1176395).

The following non-security bugs were fixed:

- ACPI/IORT: Do not blindly trust DMA masks from firmware (git-fixes).
- ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI (git-fixes).
- ACPI: scan: Harden acpi_device_add() against device ID overflows (git-fixes).
- ACPI: scan: Make acpi_bus_get_device() clear return pointer on error (git-fixes).
- ACPI: sysfs: Prefer 'compatible' modalias (git-fixes).
- ALSA: doc: Fix reference to mixart.rst (git-fixes).
- ALSA: fireface: Fix integer overflow in transmit_midi_msg() (git-fixes).
- ALSA: firewire-tascam: Fix integer overflow in midi_port_work() (git-fixes).
- ALSA: hda: Add Cometlake-R PCI ID (git-fixes).
- ALSA: hda/conexant: add a new hda codec CX11970 (git-fixes).
- ALSA: hda/hdmi - enable runtime pm for CI AMD display audio (git-fixes).
- ALSA: hda/realtek: Add mute LED quirk for more HP laptops (git-fixes).
- ALSA: hda/realtek: Add two 'Intel Reference board' SSID in the ALC256 (git-fixes).
- ALSA: hda/realtek: Enable headset of ASUS B1400CEPE with ALC256 (git-fixes).
- ALSA: hda/realtek: Enable mute and micmute LED on HP EliteBook 850 G7 (git-fixes).
- ALSA: hda/realtek: fix right sounds and mute/micmute LEDs for HP machines (git-fixes).
- ALSA: hda/realtek - Fix speaker volume control on Lenovo C940 (git-fixes).
- ALSA: hda/realtek - Limit int mic boost on Acer Aspire E5-575T (git-fixes).
- ALSA: hda/realtek - Modify Dell platform name (git-fixes).
- ALSA: hda/realtek: Remove dummy lineout on Acer TravelMate P648/P658 (git-fixes).
- ALSA: hda/realtek - Supported Dell fixed type headset (git-fixes).
- ALSA: hda/tegra: fix tegra-hda on tegra30 soc (git-fixes).
- ALSA: hda/via: Add minimum mute flag (git-fixes).
- ALSA: hda/via: Apply the workaround generically for Clevo machines (git-fixes).
- ALSA: hda/via: Fix runtime PM for Clevo W35xSS (git-fixes).
- ALSA: pcm: Clear the full allocated memory at hw_params (git-fixes).
- ALSA: pcm: fix hw_rule deps kABI (bsc#1181014).
- ALSA: pcm: One more dependency for hw constraints (bsc#1181014).
- ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info() (git-fixes).
- ALSA: usb-audio: Add quirk for BOSS AD-10 (git-fixes).
- ALSA: usb-audio: Add quirk for RC-505 (git-fixes).
- ALSA: usb-audio: Always apply the hw constraints for implicit fb sync (bsc#1181014).
- ALSA: usb-audio: Annotate the endpoint index in audioformat (git-fixes).
- ALSA: usb-audio: Avoid implicit feedback on Pioneer devices (bsc#1181014).
- ALSA: usb-audio: Avoid unnecessary interface re-setup (git-fixes).
- ALSA: usb-audio: Choose audioformat of a counter-part substream (git-fixes).
- ALSA: usb-audio: Fix hw constraints dependencies (bsc#1181014).
- ALSA: usb-audio: Fix implicit feedback sync setup for Pioneer devices (git-fixes).
- ALSA: usb-audio: Fix the missing endpoints creations for quirks (git-fixes).
- ALSA: usb-audio: Fix UAC1 rate setup for secondary endpoints (bsc#1181014).
- ALSA: usb-audio: Fix UBSAN warnings for MIDI jacks (git-fixes).
- ALSA: usb-audio: Set sample rate for all sharing EPs on UAC1 (bsc#1181014).
- arch/x86/lib/usercopy_64.c: fix __copy_user_flushcache() cache writeback (bsc#1152489).
- arm64: mm: Fix ARCH_LOW_ADDRESS_LIMIT when !CONFIG_ZONE_DMA (git-fixes).
- arm64: pgtable: Ensure dirty bit is preserved across pte_wrprotect() (bsc#1180130).
- arm64: pgtable: Fix pte_accessible() (bsc#1180130).
- ASoC: ak4458: correct reset polarity (git-fixes).
- ASoC: dapm: remove widget from dirty list on free (git-fixes).
- ASoC: Intel: fix error code cnl_set_dsp_D0() (git-fixes).
- ASoC: meson: axg-tdm-interface: fix loopback (git-fixes).
- bitmap: remove unused function declaration (git-fixes).
- Bluetooth: hci_h5: close serdev device and free hu in h5_close (git-fixes).
- Bluetooth: revert: hci_h5: close serdev device and free hu in h5_close (git-fixes).
- bnxt_en: Fix AER recovery (jsc#SLE-8371 bsc#1153274).
- bpf: Do not leak memory in bpf getsockopt when optlen == 0 (bsc#1155518).
- bpf: Fix helper bpf_map_peek_elem_proto pointing to wrong callback (bsc#1155518).
- btrfs: fix missing delalloc new bit for new delalloc ranges (bsc#1180773).
- btrfs: make btrfs_dirty_pages take btrfs_inode (bsc#1180773).
- btrfs: make btrfs_set_extent_delalloc take btrfs_inode (bsc#1180773).
- btrfs: send: fix invalid clone operations when cloning from the same file and root (bsc#1181511).
- btrfs: send: fix wrong file path when there is an inode with a pending rmdir (bsc#1181237).
- bus/fsl_mc: Do not rely on caller to provide non NULL mc_io (git-fixes).
- cachefiles: Drop superfluous readpages aops NULL check (git-fixes).
- can: dev: prevent potential information leak in can_fill_info() (git-fixes).
- can: vxcan: vxcan_xmit: fix use after free bug (git-fixes).
- CDC-NCM: remove 'connected' log message (git-fixes).
- clk: tegra30: Add hda clock default rates to clock driver (git-fixes).
- crypto: asym_tpm: correct zero out potential secrets (git-fixes).
- crypto: ecdh - avoid buffer overflow in ecdh_set_secret() (git-fixes).
- dmaengine: at_hdmac: add missing kfree() call in at_dma_xlate() (git-fixes).
- dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate() (git-fixes).
- dmaengine: at_hdmac: Substitute kzalloc with kmalloc (git-fixes).
- dmaengine: dw-edma: Fix use after free in dw_edma_alloc_chunk() (git-fixes).
- dmaengine: mediatek: mtk-hsdma: Fix a resource leak in the error handling path of the probe function (git-fixes).
- dmaengine: xilinx_dma: check dma_async_device_register return value (git-fixes).
- dmaengine: xilinx_dma: fix incompatible param warning in _child_probe() (git-fixes).
- dmaengine: xilinx_dma: fix mixed_enum_type coverity warning (git-fixes).
- drivers/base/memory.c: indicate all memory blocks as removable (bsc#1180264).
- drivers/perf: Fix kernel panic when rmmod PMU modules during perf sampling (bsc#1180848).
- drivers/perf: hisi: Permit modular builds of HiSilicon uncore drivers (bsc#1180848).
- Update config files.
- supported.conf:
- drm: Added orientation quirk for ASUS tablet model T103HAF (git-fixes).
- drm/amd/display: Add missing pflip irq for dcn2.0 (git-fixes).
- drm/amd/display: Avoid MST manager resource leak (git-fixes).
- drm/amd/display: dal_ddc_i2c_payloads_create can fail causing panic (git-fixes).
- drm/amd/display: dchubbub p-state warning during surface planes switch (git-fixes).
- drm/amd/display: Do not double-buffer DTO adjustments (git-fixes).
- drm/amd/display: Do not invoke kgdb_breakpoint() unconditionally (git-fixes).
- drm/amd/display: Fix memleak in amdgpu_dm_mode_config_init (git-fixes).
- drm/amd/display: Free gamma after calculating legacy transfer function (git-fixes).
- drm/amd/display: HDMI remote sink need mode validation for Linux (git-fixes).
- drm/amd/display: Increase timeout for DP Disable (git-fixes).
- drm/amd/display: Reject overlay plane configurations in multi-display scenarios (git-fixes).
- drm/amd/display: remove useless if/else (git-fixes).
- drm/amd/display: Retry AUX write when fail occurs (git-fixes).
- drm/amd/display: Stop if retimer is not available (git-fixes).
- drm/amd/display: update nv1x stutter latencies (git-fixes).
- drm/amdgpu: add DID for navi10 blockchain SKU (git-fixes).
- drm/amdgpu: correct the gpu reset handling for job != NULL case (git-fixes).
- drm/amdgpu/dc: Require primary plane to be enabled whenever the CRTC is (git-fixes).
- drm/amdgpu: do not map BO in reserved region (git-fixes).
- drm/amdgpu: fix a GPU hang issue when remove device (git-fixes).
- drm/amdgpu: Fix bug in reporting voltage for CIK (git-fixes).
- drm/amdgpu: Fix bug where DPM is not enabled after hibernate and resume (git-fixes).
- drm/amdgpu: fix build_coefficients() argument (git-fixes).
- drm/amdgpu: fix calltrace during kmd unload(v3) (git-fixes).
- drm/amdgpu: increase atombios cmd timeout (git-fixes).
- drm/amdgpu: increase the reserved VM size to 2MB (git-fixes).
- drm/amdgpu: perform srbm soft reset always on SDMA resume (git-fixes).
- drm/amdgpu/powerplay: fix AVFS handling with custom powerplay table (git-fixes).
- drm/amdgpu/powerplay/smu7: fix AVFS handling with custom powerplay table (git-fixes).
- drm/amdgpu: prevent double kfree ttm->sg (git-fixes).
- drm/amdgpu/psp: fix psp gfx ctrl cmds (git-fixes).
- drm/amdgpu/sriov add amdgpu_amdkfd_pre_reset in gpu reset (git-fixes).
- drm/amdkfd: fix a memory leak issue (git-fixes).
- drm/amdkfd: Fix leak in dmabuf import (git-fixes).
- drm/amdkfd: fix restore worker race condition (git-fixes).
- drm/amdkfd: Use same SQ prefetch setting as amdgpu (git-fixes).
- drm/amd/pm: avoid false alarm due to confusing softwareshutdowntemp setting (git-fixes).
- drm/aspeed: Fix Kconfig warning & subsequent build errors (bsc#1152472)
- drm/aspeed: Fix Kconfig warning & subsequent build errors (git-fixes).
- drm/atomic: put state on error path (git-fixes).
- drm: bridge: dw-hdmi: Avoid resetting force in the detect function (bsc#1152472)
- drm/bridge/synopsys: dsi: add support for non-continuous HS clock (git-fixes).
- drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working correctly (git-fixes).
- drm/dp_aux_dev: check aux_dev before use in (bsc#1152472)
- drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor() (git-fixes).
- drm/etnaviv: always start/stop scheduler in timeout processing (git-fixes).
- drm/exynos: dsi: Remove bridge node reference in error handling path in probe function (git-fixes).
- drm/gma500: fix double free of gma_connector (bsc#1152472)
  Backporting notes:
  * context changes
- drm/gma500: fix double free of gma_connector (git-fixes).
- drm/gma500: Fix out-of-bounds access to struct drm_device.vblank[] (git-fixes).
- drm/i915: Avoid memory leak with more than 16 workarounds on a list (git-fixes).
- drm/i915: Break up error capture compression loops with cond_resched() (git-fixes).
- drm/i915: Check for all subplatform bits (git-fixes).
- drm/i915: clear the gpu reloc batch (git-fixes).
- drm/i915: Correctly set SFC capability for video engines (bsc#1152489)
  Backporting notes:
  * context changes
- drm/i915/display/dp: Compute the correct slice count for VDSC on DP (git-fixes).
- drm/i915: Drop runtime-pm assert from vgpu io accessors (git-fixes).
- drm/i915/dsi: Use unconditional msleep for the panel_on_delay when there is no reset-deassert MIPI-sequence (git-fixes).
- drm/i915: Filter wake_flags passed to default_wake_function (git-fixes).
- drm/i915: Fix mismatch between misplaced vma check and vma insert (git-fixes).
- drm/i915: Force VT'd workarounds when running as a guest OS (git-fixes).
- drm/i915/gt: Declare gen9 has 64 mocs entries! (git-fixes).
- drm/i915/gt: Delay execlist processing for tgl (git-fixes).
- drm/i915/gt: Free stale request on destroying the virtual engine (git-fixes).
- drm/i915/gt: Prevent use of engine->wa_ctx after error (git-fixes).
- drm/i915/gt: Program mocs:63 for cache eviction on gen9 (git-fixes).
- drm/i915/gvt: return error when failing to take the module reference (git-fixes).
- drm/i915/gvt: Set ENHANCED_FRAME_CAP bit (git-fixes).
- drm/i915: Handle max_bpc==16 (git-fixes).
- drm/i915/selftests: Avoid passing a random 0 into ilog2 (git-fixes).
- drm/mcde: Fix handling of platform_get_irq() error (bsc#1152472)
- drm/mcde: Fix handling of platform_get_irq() error (git-fixes).
- drm/meson: dw-hdmi: Register a callback to disable the regulator (git-fixes).
- drm/msm/a5xx: Always set an OPP supported hardware value (git-fixes).
- drm/msm/a6xx: fix a potential overflow issue (git-fixes).
- drm/msm/a6xx: fix gmu start on newer firmware (git-fixes).
- drm/msm: add shutdown support for display platform_driver (git-fixes).
- drm/msm: Disable preemption on all 5xx targets (git-fixes).
- drm/msm/dpu: Add newline to printks (git-fixes).
- drm/msm/dpu: Fix scale params in plane validation (git-fixes).
- drm/msm/dsi_phy_10nm: implement PHY disabling (git-fixes).
- drm/msm/dsi_pll_10nm: restore VCO rate during restore_state (git-fixes).
- drm/msm: fix leaks if initialization fails (git-fixes).
- drm/nouveau/bios: fix issue shadowing expansion ROMs (git-fixes).
- drm/nouveau/debugfs: fix runtime pm imbalance on error (git-fixes).
- drm/nouveau/dispnv50: fix runtime pm imbalance on error (git-fixes).
- drm/nouveau: fix runtime pm imbalance on error (git-fixes).
- drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields (git-fixes).
- drm/nouveau/kms/nv50-: fix case where notifier buffer is at offset 0 (git-fixes).
- drm/nouveau/mem: guard against NULL pointer access in mem_del (git-fixes).
- drm/nouveau/mmu: fix vram heap sizing (git-fixes).
- drm/nouveau/nouveau: fix the start/end range for migration (git-fixes).
- drm/nouveau/privring: ack interrupts the same way as RM (git-fixes).
- drm/nouveau/svm: fail NOUVEAU_SVM_INIT ioctl on unsupported devices (git-fixes).
- drm/omap: dmm_tiler: fix return error code in omap_dmm_probe() (git-fixes).
- drm/omap: dss: Cleanup DSS ports on initialisation failure (git-fixes).
- drm/omap: fix incorrect lock state (git-fixes).
- drm/omap: fix possible object reference leak (git-fixes).
- drm/panfrost: add amlogic reset quirk callback (git-fixes).
- drm: rcar-du: Set primary plane zpos immutably at initializing (git-fixes).
- drm/rockchip: Avoid uninitialized use of endpoint id in LVDS (bsc#1152472)
- drm/rockchip: Avoid uninitialized use of endpoint id in LVDS (git-fixes).
- drm/scheduler: Avoid accessing freed bad job (git-fixes).
- drm/sun4i: dw-hdmi: fix error return code in sun8i_dw_hdmi_bind() (bsc#1152472)
- drm/sun4i: frontend: Fix the scaler phase on A33 (git-fixes).
- drm/sun4i: frontend: Reuse the ch0 phase for RGB formats (git-fixes).
- drm/sun4i: frontend: Rework a bit the phase data (git-fixes).
- drm/sun4i: mixer: Extend regmap max_register (git-fixes).
- drm/syncobj: Fix use-after-free (git-fixes).
- drm/tegra: replace idr_init() by idr_init_base() (git-fixes).
- drm/tegra: sor: Disable clocks on error in tegra_sor_init() (git-fixes).
- drm/ttm: fix eviction valuable range check (git-fixes).
- drm/tve200: Fix handling of platform_get_irq() error (bsc#1152472)
- drm/tve200: Fix handling of platform_get_irq() error (git-fixes).
- drm/tve200: Stabilize enable/disable (git-fixes).
- drm/vc4: drv: Add error handling for bind (git-fixes).
- e1000e: bump up timeout to wait when ME un-configures ULP mode (jsc#SLE-8100).
- EDAC/amd64: Fix PCI component registration (bsc#1152489).
- ehci: fix EHCI host controller initialization sequence (git-fixes).
- ethernet: ucc_geth: fix use-after-free in ucc_geth_remove() (git-fixes).
- Exclude Symbols.list again. Removing the exclude breaks vanilla/linux-next builds. Fixes: 55877625c800 ('kernel-binary.spec.in: Package the obj_install_dir as explicit filelist.')
- firmware: imx: select SOC_BUS to fix firmware build (git-fixes).
- floppy: reintroduce O_NDELAY fix (boo#1181018).
- futex: Ensure the correct return value from futex_lock_pi() (bsc#1181349 bsc#1149032).
- futex: Handle faults correctly for PI futexes (bsc#1181349 bsc#1149032).
- futex: Provide and use pi_state_update_owner() (bsc#1181349 bsc#1149032).
- futex: Remove needless goto's (bsc#1149032).
- futex: Remove unused empty compat_exit_robust_list() (bsc#1149032).
- futex: Replace pointless printk in fixup_owner() (bsc#1181349 bsc#1149032).
- futex: Simplify fixup_pi_state_owner() (bsc#1181349 bsc#1149032).
- futex: Use pi_state_update_owner() in put_pi_state() (bsc#1181349 bsc#1149032).
- HID: Ignore battery for Elan touchscreen on ASUS UX550 (git-fixes).
- HID: logitech-dj: add the G602 receiver (git-fixes).
- HID: multitouch: Apply MT_QUIRK_CONFIDENCE quirk for multi-input devices (git-fixes).
- HID: multitouch: do not filter mice nodes (git-fixes).
- HID: multitouch: Enable multi-input for Synaptics pointstick/touchpad device (git-fixes).
- HID: multitouch: Remove MT_CLS_WIN_8_DUAL (git-fixes).
- HID: wacom: Constify attribute_groups (git-fixes).
- HID: wacom: Correct NULL dereference on AES pen proximity (git-fixes).
- HID: wacom: do not call hid_set_drvdata(hdev, NULL) (git-fixes).
- HID: wacom: Fix memory leakage caused by kfifo_alloc (git-fixes).
- hwmon: (pwm-fan) Ensure that calculation does not discard big period values (git-fixes).
- i2c: bpmp-tegra: Ignore unknown I2C_M flags (git-fixes).
- i2c: i801: Fix the i2c-mux gpiod_lookup_table not being properly terminated (git-fixes).
- i2c: octeon: check correct size of maximum RECV_LEN packet (git-fixes).
- i2c: sprd: use a specific timeout to avoid system hang up issue (git-fixes).
- i3c master: fix missing destroy_workqueue() on error in i3c_master_register (git-fixes).
- IB/hfi1: Remove kobj from hfi1_devdata (bsc#1179878).
- IB/hfi1: Remove module parameter for KDETH qpns (bsc#1179878).
- ice: avoid premature Rx buffer reuse (jsc#SLE-7926).
- ice, xsk: clear the status bits for the next_to_use descriptor (jsc#SLE-7926).
- iio: ad5504: Fix setting power-down state (git-fixes).
- iomap: fix WARN_ON_ONCE() from unprivileged users (bsc#1181494).
- iommu/vt-d: Fix a bug for PDP check in prq_event_thread (bsc#1181217).
- ionic: account for vlan tag len in rx buffer len (bsc#1167773).
- kABI fixup for dwc3 introduction of DWC_usb32 (git-fixes).
- kdb: Fix pager search for multi-line strings (git-fixes).
- kgdb: Drop malformed kernel doc comment (git-fixes).
- kprobes: tracing/kprobes: Fix to kill kprobes on initmem after boot (git fixes (kernel/kprobe)).
- KVM: nVMX: Reload vmcs01 if getting vmcs12's pages fails (bsc#1181218).
- KVM: s390: pv: Mark mm as protected after the set secure parameters and improve cleanup (jsc#SLE-7512 bsc#1165545).
- KVM: SVM: Initialize prev_ga_tag before use (bsc#1180809).
- leds: trigger: fix potential deadlock with libata (git-fixes).
- lib/genalloc: fix the overflow when size is too big (git-fixes).
- lib/string: remove unnecessary #undefs (git-fixes).
- lockd: do not use interval-based rebinding over TCP (for-next).
- mac80211: check if atf has been disabled in __ieee80211_schedule_txq (git-fixes).
- mac80211: do not drop tx nulldata packets on encrypted links (git-fixes).
- md: fix a warning caused by a race between concurrent md_ioctl()s (for-next).
- media: dvb-usb: Fix memory leak at error in dvb_usb_device_init() (bsc#1181104).
- media: dvb-usb: Fix use-after-free access (bsc#1181104).
- media: gp8psk: initialize stats at power control logic (git-fixes).
- media: rc: ensure that uevent can be read directly after rc device register (git-fixes).
- misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() (git-fixes).
- misdn: dsp: select CONFIG_BITREVERSE (git-fixes).
- mmc: core: do not initialize block size from ext_csd if not present (git-fixes).
- mmc: sdhci-xenon: fix 1.8v regulator stabilization (git-fixes).
- mm: memcontrol: fix missing wakeup polling thread (bsc#1181584).
- mm/vmalloc: Fix unlock order in s_stop() (git fixes (mm/vmalloc)).
- module: delay kobject uevent until after module init call (bsc#1178631).
- mt7601u: fix kernel crash unplugging the device (git-fixes).
- mt7601u: fix rx buffer refcounting (git-fixes).
- net/af_iucv: fix null pointer dereference on shutdown (bsc#1179567 LTC#190111).
- net/af_iucv: set correct sk_protocol for child sockets (git-fixes).
- net: fix proc_fs init handling in af_packet and tls (bsc#1154353).
- net: hns3: fix a phy loopback fail issue (bsc#1154353).
- net: hns3: remove a misused pragma packed (bsc#1154353).
- net/mlx5e: ethtool, Fix restriction of autoneg with 56G (jsc#SLE-8464).
- net: mscc: ocelot: allow offloading of bridge on top of LAG (git-fixes).
- net/smc: cancel event worker during device removal (git-fixes).
- net/smc: check for valid ib_client_data (git-fixes).
- net/smc: fix cleanup for linkgroup setup failures (git-fixes).
- net/smc: fix direct access to ib_gid_addr->ndev in smc_ib_determine_gid() (git-fixes).
- net/smc: fix dmb buffer shortage (git-fixes).
- net/smc: fix sleep bug in smc_pnet_find_roce_resource() (git-fixes).
- net/smc: fix sock refcounting in case of termination (git-fixes).
- net/smc: fix valid DMBE buffer sizes (git-fixes).
- net/smc: no peer ID in CLC decline for SMCD (git-fixes).
- net/smc: remove freed buffer from list (git-fixes).
- net/smc: reset sndbuf_desc if freed (git-fixes).
- net/smc: set rx_off for SMCR explicitly (git-fixes).
- net/smc: switch smcd_dev_list spinlock to mutex (git-fixes).
- net/smc: transfer fasync_list in case of fallback (git-fixes).
- net: sunrpc: Fix 'snprintf' return value check in 'do_xprt_debugfs' (for-next).
- net: sunrpc: interpret the return value of kstrtou32 correctly (for-next).
- net: usb: qmi_wwan: add Quectel EM160R-GL (git-fixes).
- net: vlan: avoid leaks on register_vlan_dev() failures (bsc#1154353).
- NFC: fix possible resource leak (git-fixes).
- NFC: fix resource leak when target index is invalid (git-fixes).
- NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock (for-next).
- nfs_common: need lock during iterate through the list (for-next).
- nfsd4: readdirplus shouldn't return parent of export (git-fixes).
- nfsd: Fix message level for normal termination (for-next).
- NFS: nfs_delegation_find_inode_server must first reference the superblock (for-next).
- NFS: nfs_igrab_and_active must first reference the superblock (for-next).
- NFS/pNFS: Fix a leak of the layout 'plh_outstanding' counter (for-next).
- NFS/pNFS: Fix a typo in ff_layout_resend_pnfs_read() (for-next).
- NFS: switch nfsiod to be an UNBOUND workqueue (for-next).
- NFSv4.2: condition READDIR's mask for security label based on LSM state (for-next).
- NFSv4: Fix the alignment of page data in the getdeviceinfo reply (for-next).
- nvme-multipath: fix bogus request queue reference put (bsc#1175389).
- nvme-rdma: avoid request double completion for concurrent nvme_rdma_timeout (bsc#1181161).
- nvme-tcp: avoid request double completion for concurrent nvme_tcp_timeout (bsc#1181161).
- platform/x86: i2c-multi-instantiate: Do not create platform device for INT3515 ACPI nodes (git-fixes).
- platform/x86: ideapad-laptop: Disable touchpad_switch for ELAN0634 (git-fixes).
- platform/x86: intel-vbtn: Drop HP Stream x360 Convertible PC 11 from allow-list (git-fixes).
- platform/x86: intel-vbtn: Fix SW_TABLET_MODE always reporting 1 on some HP x360 models (git-fixes).
- PM: hibernate: flush swap writer after marking (git-fixes).
- pNFS: Mark layout for return if return-on-close was not sent (git-fixes).
- powerpc: Fix build error in paravirt.h (bsc#1181148 ltc#190702).
- powerpc/paravirt: Use is_kvm_guest() in vcpu_is_preempted() (bsc#1181148 ltc#190702).
- powerpc: Refactor is_kvm_guest() declaration to new header (bsc#1181148 ltc#190702).
- powerpc: Reintroduce is_kvm_guest() as a fast-path check (bsc#1181148 ltc#190702).
- powerpc: Rename is_kvm_guest() to check_kvm_guest() (bsc#1181148 ltc#190702).
- power: vexpress: add suppress_bind_attrs to true (git-fixes).
- prom_init: enable verbose prints (bsc#1178142 bsc#1180759).
- ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() (bsc#1163930).
- ptrace: Set PF_SUPERPRIV when checking capability (bsc#1163930).
- r8152: Add Lenovo Powered USB-C Travel Hub (git-fixes).
- r8169: work around power-saving bug on some chip versions (git-fixes).
- regmap: debugfs: Fix a memory leak when calling regmap_attach_dev (git-fixes).
- regmap: debugfs: Fix a reversed if statement in regmap_debugfs_init() (git-fixes).
- Revive usb-audio Keep Interface mixer (bsc#1181014).
- rtc: pl031: fix resource leak in pl031_probe (git-fixes).
- rtc: sun6i: Fix memleak in sun6i_rtc_clk_init (git-fixes).
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock() (bsc#1181349 bsc#1149032).
- s390/cio: fix use-after-free in ccw_device_destroy_console (git-fixes).
- s390/dasd: fix hanging device offline processing (bsc#1181169 LTC#190914).
- s390/dasd: fix list corruption of lcu list (git-fixes).
- s390/dasd: fix list corruption of pavgroup group list (git-fixes).
- s390/dasd: prevent inconsistent LCU device data (git-fixes).
- s390/kexec_file: fix diag308 subcode when loading crash kernel (git-fixes).
- s390/qeth: consolidate online/offline code (git-fixes).
- s390/qeth: do not raise NETDEV_REBOOT event from L3 offline path (git-fixes).
- s390/qeth: fix deadlock during recovery (git-fixes).
- s390/qeth: fix L2 header access in qeth_l3_osa_features_check() (git-fixes).
- s390/qeth: fix locking for discipline setup / removal (git-fixes).
- s390/smp: perform initial CPU reset also for SMT siblings (git-fixes).
- sched/fair: Check for idle core in wake_affine (git fixes (sched)).
- scsi: ibmvfc: Set default timeout to avoid crash during migration (bsc#1181425 ltc#188252).
- scsi: lpfc: Enhancements to LOG_TRACE_EVENT for better readability (bsc#1180891).
- scsi: lpfc: Fix auto sli_mode and its effect on CONFIG_PORT for SLI3 (bsc#1180891).
- scsi: lpfc: Fix crash when a fabric node is released prematurely (bsc#1180891).
- scsi: lpfc: Fix crash when nvmet transport calls host_release (bsc#1180891).
- scsi: lpfc: Fix error log messages being logged following SCSI task mgnt (bsc#1180891).
- scsi: lpfc: Fix FW reset action if I/Os are outstanding (bsc#1180891).
- scsi: lpfc: Fix NVMe recovery after mailbox timeout (bsc#1180891).
- scsi: lpfc: Fix PLOGI S_ID of 0 on pt2pt config (bsc#1180891).
- scsi: lpfc: Fix target reset failing (bsc#1180891).
- scsi: lpfc: Fix vport create logging (bsc#1180891).
- scsi: lpfc: Implement health checking when aborting I/O (bsc#1180891).
- scsi: lpfc: Prevent duplicate requests to unregister with cpuhp framework (bsc#1180891).
- scsi: lpfc: Refresh ndlp when a new PRLI is received in the PRLI issue state (bsc#1180891).
- scsi: lpfc: Simplify bool comparison (bsc#1180891).
- scsi: lpfc: Update lpfc version to 12.8.0.7 (bsc#1180891).
- scsi: lpfc: Use the nvme-fc transport supplied timeout for LS requests (bsc#1180891).
- scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit (bsc#1179142).
- scsi: scsi_transport_srp: Do not block target in failfast state (bsc#1172355).
- selftests/ftrace: Select an existing function in kprobe_eventname test (bsc#1179396 ltc#185738).
- selftests: net: fib_tests: remove duplicate log test (git-fixes).
- selftests/powerpc: Add a test of bad (out-of-range) accesses (bsc#1181158 ltc#190851).
- selftests/powerpc: Add a test of spectre_v2 mitigations (bsc#1181158 ltc#190851).
- selftests/powerpc: Ignore generated files (bsc#1181158 ltc#190851).
- selftests/powerpc: Move Hash MMU check to utilities (bsc#1181158 ltc#190851).
- selftests/powerpc: Move set_dscr() into rfi_flush.c (bsc#1181158 ltc#190851).
- selftests/powerpc: Only test lwm/stmw on big endian (bsc#1180412 ltc#190579).
- selftests/powerpc: spectre_v2 test must be built 64-bit (bsc#1181158 ltc#190851).
- serial: mvebu-uart: fix tx lost characters at power off (git-fixes).
- spi: cadence: cache reference clock rate during probe (git-fixes).
- spi: stm32: FIFO threshold level - fix align packet size (git-fixes).
- staging: mt7621-dma: Fix a resource leak in an error handling path (git-fixes).
- staging: wlan-ng: fix out of bounds read in prism2sta_probe_usb() (git-fixes).
- SUNRPC: Clean up the handling of page padding in rpc_prepare_reply_pages() (for-next).
- sunrpc: fix xs_read_xdr_buf for partial pages receive (for-next).
- SUNRPC: rpc_wake_up() should wake up tasks in the correct order (for-next).
- swiotlb: fix 'x86: Do not panic if can not alloc buffer for swiotlb' (git-fixes).
- swiotlb: using SIZE_MAX needs limits.h included (git-fixes).
- timers: Preserve higher bits of expiration on index calculation (bsc#1181318).
- timers: Use only bucket expiry for base->next_expiry value (bsc#1181318).
- udp: Prevent reuseport_select_sock from reading uninitialized socks (git-fixes).
- USB: cdc-acm: blacklist another IR Droid device (git-fixes).
- USB: cdc-wdm: Fix use after free in service_outstanding_interrupt() (git-fixes).
- usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data() (git-fixes).
- USB: dummy-hcd: Fix uninitialized array use in init() (git-fixes).
- usb: dwc3: Add support for DWC_usb32 IP (git-fixes).
- usb: dwc3: core: Properly default unspecified speed (git-fixes).
- usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion (git-fixes).
- usb: dwc3: Update soft-reset wait polling rate (git-fixes).
- USB: ehci: fix an interrupt calltrace error (git-fixes).
- usb: gadget: aspeed: fix stop dma register setting (git-fixes).
- usb: gadget: configfs: Fix use-after-free issue with udc_name (git-fixes).
- usb: gadget: configfs: Preserve function ordering after bind failure (git-fixes).
- usb: gadget: enable super speed plus (git-fixes).
- usb: gadget: Fix spinlock lockup on usb_function_deactivate (git-fixes).
- usb: gadget: f_uac2: reset wMaxPacketSize (git-fixes).
- usb: gadget: function: printer: Fix a memory leak for interface descriptor (git-fixes).
- USB: gadget: legacy: fix return error code in acm_ms_bind() (git-fixes).
- usb: gadget: select CONFIG_CRC32 (git-fixes).
- usb: gadget: u_ether: Fix MTU size mismatch with RX packet size (git-fixes).
- USB: serial: iuu_phoenix: fix DMA from stack (git-fixes).
- USB: serial: option: add LongSung M5710 module support (git-fixes).
- USB: serial: option: add Quectel EM160R-GL (git-fixes).
- usb: typec: Fix copy paste error for NVIDIA alt-mode description (git-fixes).
- usb: uas: Add PNY USB Portable SSD to unusual_uas (git-fixes).
- usb: udc: core: Use lock when write to soft_connect (git-fixes).
- usb: usbip: vhci_hcd: protect shift size (git-fixes).
- USB: usblp: fix DMA to stack (git-fixes).
- USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set (git-fixes).
- USB: yurex: fix control-URB timeout handling (git-fixes).
- vfio iommu: Add dma available capability (bsc#1179572 LTC#190110).
- vfio/pci: Implement ioeventfd thread handler for contended memory lock (bsc#1181219).
- vfio-pci: Use io_remap_pfn_range() for PCI IO memory (bsc#1181220).
- video: fbdev: atmel_lcdfb: fix return error code in atmel_lcdfb_of_init() (git-fixes).
- video: fbdev: fix OOB read in vga_8planes_imageblit() (git-fixes).
- video: fbdev: pvr2fb: initialize variables (git-fixes).
- video: fbdev: vga16fb: fix setting of pixclock because of a pass-by-value error (git-fixes).
- wan: ds26522: select CONFIG_BITREVERSE (git-fixes).
- wil6210: select CONFIG_CRC32 (git-fixes).
- x86/apic: Fix x2apic enablement without interrupt remapping (bsc#1152489).
- x86/cpu/amd: Call init_amd_zn() on Family 19h processors too (bsc#1181077).
- x86/cpu/amd: Set __max_die_per_package on AMD (bsc#1152489).
- x86/hyperv: Fix kexec panic/hang issues (bsc#1176831).
- x86/kprobes: Restore BTF if the single-stepping is cancelled (bsc#1152489).
- x86/mm: Fix leak of pmd ptlock (bsc#1152489).
- x86/mm/numa: Remove uninitialized_var() usage (bsc#1152489).
- x86/mtrr: Correct the range check before performing MTRR type lookups (bsc#1152489).
- x86/resctrl: Do not move a task to the same resource group (bsc#1152489).
- x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR (bsc#1152489).
- x86/topology: Make __max_die_per_package available unconditionally (bsc#1152489).
- x86/xen: avoid warning in Xen pv guest with CONFIG_AMD_MEM_ENCRYPT enabled (bsc#1181335).
- xen-blkfront: allow discard-* nodes to be optional (bsc#1181346).
- xen/privcmd: allow fetching resource sizes (bsc#1065600).
- xfs: show the proper user quota options (bsc#1181538).
- xhci: Give USB2 ports time to enter U3 in bus suspend (git-fixes).
- xhci: make sure TRB is fully written before giving it to the controller (git-fixes).
- xhci: tegra: Delay for disabling LFPS detector (git-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:419-1
Released:    Wed Feb 10 12:03:33 2021
Summary:     Recommended update for open-iscsi
Type:        recommended
Severity:    moderate
References:  1181313
This update for open-iscsi fixes the following issues:

- Fixes a segfault when exiting from iscsiadm (bsc#1181313)
- Fix for several memory leaks in iscsiadm
- Fix for a crash when function iscsi_rec_update_param() is invoked

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:435-1
Released:    Thu Feb 11 14:47:25 2021
Summary:     Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork
Type:        security
Severity:    important
References:  1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732,CVE-2020-15257,CVE-2021-21284,CVE-2021-21285
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:

Security issues fixed:

- CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969).
- CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
- CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730)

Non-security issues fixed:

- Update Docker to 19.03.15-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).
- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE. It appears that SLES doesn't like the patch. (bsc#1180401)
- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and fixes CVE-2020-15257. bsc#1180243
- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce. bsc#1176708
- Update to Docker 19.03.14-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
  CVE-2020-15257 bsc#1180243 https://github.com/docker/docker-ce/releases/tag/v19.03.14
- Enable fish-completion
- Add a patch which makes Docker compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)
- Update to Docker 19.03.13-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Emergency fix: %requires_eq does not work with provide symbols, only effective package names. Convert back to regular Requires.
- Update to Docker 19.03.12-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
- Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of spurious errors due to Go returning -EINTR from I/O syscalls much more often (due to Go 1.14's pre-emptive goroutine support).
- Add BuildRequires for all -git dependencies so that we catch missing dependencies much more quickly.
- Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce. bsc#1180243
- Add patch which makes libnetwork compatible with firewalld with nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548 (bsc#1178801, SLE-16460)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:441-1
Released:    Thu Feb 11 16:35:04 2021
Summary:     Optional update for python3-jsonschema
Type:        optional
Severity:    low
References:  1180403
This update provides the python3 variant of the jsonschema module to the SUSE Linux Enterprise 15 SP2 Basesystem module.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:507-1
Released:    Thu Feb 18 09:34:49 2021
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1182246,CVE-2020-8625
This update for bind fixes the following issues:

- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack [bsc#1182246]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:516-1
Released:    Thu Feb 18 14:42:51 2021
Summary:     Recommended update for docker, golang-github-docker-libnetwork
Type:        recommended
Severity:    moderate
References:  1178801,1180401,1182168
This update for docker, golang-github-docker-libnetwork fixes the following issues:

- A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:519-1
Released:    Fri Feb 19 09:44:53 2021
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1180501
This update for openssh fixes the following issues:

- Fixed a crash which sometimes occurred on connection termination, caused by accessing freed memory (bsc#1180501)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:521-1
Released:    Fri Feb 19 11:00:33 2021
Summary:     Security update for qemu
Type:        security
Severity:    important
References:  1178049,1178565,1179717,1179719,1180523,1181639,1181933,1182137,CVE-2020-11947,CVE-2021-20181,CVE-2021-20203,CVE-2021-20221
This update for qemu fixes the following issues:

- Fixed potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
- Fixed out-of-bounds access in iscsi (CVE-2020-11947 bsc#1180523)
- Fixed out-of-bounds access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
- Fixed out-of-bounds access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)
- Fixed vfio-pci
  device on s390 entering error state (bsc#1179717 bsc#1179719)
- Fixed 'Failed to try-restart qemu-ga@.service' error while updating the qemu-guest-agent. (bsc#1178565)
- Apply fixes to qemu scsi passthrough with respect to timeout and error conditions, including using more correct status codes. Add more qemu tracing which helped track down these issues (bsc#1178049)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released:    Fri Feb 19 14:53:47 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177
This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in its correct form (bsc#1180686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:551-1
Released:    Tue Feb 23 09:31:53 2021
Summary:     Security update for avahi
Type:        security
Severity:    moderate
References:  1180827,CVE-2021-26720
This update for avahi fixes the following issues:

- CVE-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827)
- Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d.
- Add sudo to requires: used to drop privileges.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:571-1
Released:    Tue Feb 23 16:11:33 2021
Summary:     Recommended update for cloud-init
Type:        recommended
Severity:    moderate
References:  1180176
This update for cloud-init contains the following fixes:

- Update cloud-init-write-routes.patch (bsc#1180176)
  + Follow up to previous changes. Fix order of operations error to make gateway comparison between subnet configuration and route configuration valuable rather than self-comparing.
- Add cloud-init-sle12-compat.patch (jsc#PM-2335)
  - Python 3.4 compatibility in setup.py
  - Disable some tests for mock version compatibility

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:573-1
Released:    Wed Feb 24 09:58:38 2021
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1176171,1180336
This update for dracut fixes the following issues:

- arm/arm64: Add reset controllers (bsc#1180336)
- Prevent creating unexpected files on the host when running dracut (bsc#1176171)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:594-1
Released:    Thu Feb 25 09:29:35 2021
Summary:     Security update for python-cryptography
Type:        security
Severity:    important
References:  1182066,CVE-2020-36242
This update for python-cryptography fixes the following issues:

- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi-gigabyte values could result in an integer overflow and buffer overflow (bsc#1182066).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released:    Fri Feb 26 19:53:43 2021
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:654-1
Released:    Fri Feb 26 20:01:10 2021
Summary:     Security update for python-Jinja2
Type:        security
Severity:    important
References:  1181944,1182244,CVE-2020-28493
This update for python-Jinja2 fixes the following issues:

- CVE-2020-28493: Fixed a ReDoS vulnerability where urlize could have been called with untrusted user data (bsc#1181944).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:656-1
Released:    Mon Mar 1 09:34:21 2021
Summary:     Recommended update for protobuf
Type:        recommended
Severity:    moderate
References:  1177127
This update for protobuf fixes the following issues:

- Add missing dependency of python subpackages on python-six.
  (bsc#1177127)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:683-1
Released:    Tue Mar 2 19:04:43 2021
Summary:     Security update for grub2
Type:        security
Severity:    important
References:  1175970,1176711,1177883,1179264,1179265,1182057,1182262,1182263,CVE-2020-14372,CVE-2020-25632,CVE-2020-25647,CVE-2020-27749,CVE-2020-27779,CVE-2021-20225,CVE-2021-20233
This update for grub2 fixes the following issues:

grub2 implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)

- CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bounds write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bounds write due to mis-calculation of space required for quoting (bsc#1182263)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:689-1
Released:    Tue Mar 2 19:08:40 2021
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1180933
This update for bind fixes the following issues:

- dnssec-keygen can no longer generate HMAC keys. Use tsig-keygen instead.
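The SBAT line in the grub2 advisory above names the mechanism without describing it: each signed EFI binary carries a CSV table in a .sbat section, one component per record, and shim refuses to boot a binary whose generation for a named component is below the minimum in its revocation list. The following Python is an added example, not code from SUSE, shim or grub2. The column layout (component_name, component_generation, vendor_name, vendor_package_name, vendor_version, vendor_url) is the one shim's SBAT.md documents; the sample table, both policies and the vendor name "grub.example" are constructed for this illustration, and the policy parser assumes each record starts with a component name and the lowest generation still permitted.

```python
"""Parse an SBAT table and evaluate it against a revocation policy.

Added example, not SUSE's, shim's or grub2's code. The column layout
(component_name, component_generation, vendor_name, vendor_package_name,
vendor_version, vendor_url) follows shim's SBAT.md. The sample table and
both policies below are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

SBAT_FIELDS = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")


@dataclass(frozen=True)
class SbatEntry:
    component_name: str
    component_generation: int
    vendor_name: str
    vendor_package_name: str
    vendor_version: str
    vendor_url: str


def parse_sbat(text: str) -> List[SbatEntry]:
    """Parse the CSV text of a .sbat section, one component per record.

    A malformed table is rejected rather than skipped: a boot loader whose
    SBAT data cannot be parsed must not be treated as revocation-exempt.
    """
    entries = []
    # Sections dumped with objcopy are usually NUL padded to the section size.
    for row in csv.reader(io.StringIO(text.strip("\x00"))):
        if not row:
            continue
        if len(row) != len(SBAT_FIELDS):
            raise ValueError(f"malformed SBAT record: {row!r}")
        name, gen, *vendor = row
        if not gen.isdigit() or int(gen) < 1:
            raise ValueError(f"bad generation {gen!r} for component {name!r}")
        entries.append(SbatEntry(name, int(gen), *vendor))
    if not entries or entries[0].component_name != "sbat":
        raise ValueError("SBAT data must begin with the 'sbat' version record")
    return entries


def parse_policy(text: str) -> Dict[str, int]:
    """Parse a revocation policy into {component_name: minimum_generation}.

    Assumed layout: each record starts with component_name and the lowest
    generation still allowed to boot; any further fields are ignored.
    """
    policy: Dict[str, int] = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) < 2 or not row[1].isdigit():
            raise ValueError(f"malformed policy record: {row!r}")
        policy[row[0]] = int(row[1])
    return policy


def revoked_components(entries: List[SbatEntry], policy: Dict[str, int]) -> List[str]:
    """Return the components whose generation is below the policy minimum.

    Matching is by component name only: a binary that does not carry a
    policy's component at all is not affected by that policy entry. An
    empty result means the binary is allowed to boot under this policy.
    """
    present = {e.component_name: e.component_generation for e in entries}
    return sorted(name for name, minimum in policy.items()
                  if name in present and present[name] < minimum)


# Constructed sample: what a distribution grub build might carry.
SAMPLE_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/\n"
    "grub.example,1,Example Vendor,grub2,2.04-1.example,https://example.invalid/grub2\n"
)
# Constructed policies: the first accepts generation 1 builds, the second
# revokes every grub whose generation is below 2.
POLICY_INITIAL = "sbat,1,2021030218\ngrub,1\n"
POLICY_REVOKED = "sbat,1,2021030218\ngrub,2\n"

if __name__ == "__main__":
    table = parse_sbat(SAMPLE_SBAT)
    for label, policy_text in (("initial", POLICY_INITIAL), ("revoked", POLICY_REVOKED)):
        blocked = revoked_components(table, parse_policy(policy_text))
        print(f"{label}: {'DENY ' + ', '.join(blocked) if blocked else 'ALLOW'}")
```

To run this against a real boot loader, dump the section first with the invocation SBAT.md itself documents, `objcopy --only-section .sbat -O binary grubx64.efi sbat.csv`, and pass the file contents to parse_sbat. Because the check is per component name, raising the generation of the vendor-specific line alone does not help once the generic grub generation has been revoked; each named component must satisfy its own minimum.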
  [bsc#1180933]

From sle-security-updates at lists.suse.com Thu Mar 11 07:05:47 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 11 Mar 2021 08:05:47 +0100 (CET)
Subject: SUSE-CU-2021:67-1: Security update of suse/sle-micro/5.0/toolbox
Message-ID: <20210311070547.6FF03FFA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:67-1
Container Tags        : suse/sle-micro/5.0/toolbox:10.1 , suse/sle-micro/5.0/toolbox:10.1-4.5 , suse/sle-micro/5.0/toolbox:latest
Container Release     : 4.5
Severity              : important
Type                  : security
References            : 1173582 1176262 1177998 1178386 1179694 1179721 1179756 1180038 1180686 1181126 1181505 1182117 1182279 1182331 1182333 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182959 CVE-2019-20916 CVE-2019-25013 CVE-2020-27618 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2021-23840 CVE-2021-23841 CVE-2021-27212 CVE-2021-3177 CVE-2021-3326
-----------------------------------------------------------------

The container suse/sle-micro/5.0/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1989-1
Released:    Tue Jul 21 17:58:58 2020
Summary:     Recommended update to SLES-releases
Type:        recommended
Severity:    important
References:  1173582
This update of SLES-release provides the following fix:

- Obsolete Leap 15.2 as well to allow migration from Leap to SLE.
  (bsc#1173582)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3294-1
Released:    Wed Nov 11 12:28:46 2020
Summary:     Recommended update for SLES-release
Type:        recommended
Severity:    moderate
References:  1177998
This update for SLES-release fixes the following issue:

- Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2. (bsc#1177998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released:    Fri Feb 19 14:53:47 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177
This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in its correct form (bsc#1180686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released:    Fri Feb 26 19:53:43 2021
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released: Mon Mar 8 16:45:27 2021 Summary: Security update for openldap2 Type: security Severity: important References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 This update for openldap2 fixes the following issues: - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). 
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:754-1 Released: Tue Mar 9 17:10:49 2021 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841 This update for openssl-1_1 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) - Fixed unresolved error codes in FIPS (bsc#1182959). From sle-security-updates at lists.suse.com Thu Mar 11 23:17:29 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 12 Mar 2021 00:17:29 +0100 (CET) Subject: SUSE-SU-2021:0770-1: moderate: Security update for libsolv, libzypp, yast2-installation, zypper Message-ID: <20210311231729.A0D3CFD17@maintenance.suse.de> SUSE Security Update: Security update for libsolv, libzypp, yast2-installation, zypper ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0770-1 Rating: moderate References: #1050625 #1174016 #1177238 #1177275 #1177427 #1177583 #1178910 #1178966 #1179083 #1179222 #1179415 #1179847 #1179909 #1181328 #1181622 #1182629 Cross-References: CVE-2017-9271 CVSS scores: CVE-2017-9271 (NVD) : 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2017-9271 (SUSE): 4 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Installer 15 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS 
______________________________________________________________________________

An update that solves one vulnerability and has 15 fixes is now available.

Description:

This update for libsolv, libzypp, yast2-installation, zypper fixes the following issues:

Update zypper to version 1.14.43:

- doc: give more details about creating versioned package locks (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)
- Prefer /run over /var/run.

Update libzypp to 17.25.8:

- Try to provide a mounted /proc in --root installs (bsc#1181328)
  Some systemd tools require /proc to be mounted and fail if it's not there.
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names (bsc#1179847)
  This allows the RH and SUSE patch category names to be used synonymously: (recommended = bugfix) and (optional = feature = enhancement).
- Fix %posttrans script execution (fixes #265)
  The scripts are executable. No need to call them through 'sh -c'.
- Commit: Fix rpmdb compat symlink in case rpm got removed.
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use the new rpmdb2solv -D switch to tell it the location of the rpm database to use.
- BuildRequires: libsolv-devel >= 0.7.17.
- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with an extended expiration date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

Update yast2-installation to 4.0.77:

- Do not clean up the libzypp cache when the system has low memory; an incomplete cache confuses libzypp later (bsc#1179415)

Update libsolv to 0.7.17:

- repo_write: fix handling of nested flexarray
- improve choicerule generation a bit more to cover more cases
- harden testcase parser against repos being added too late
- support python-3.10
- check %_dbpath macro in rpmdb code
- handle default/visible/langonly attributes in comps parser
- support multiple collections in updateinfo parser
- add '-D' option in rpmdb2solv to set the dbpath

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-770=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2021-770=1
- SUSE Linux Enterprise Installer 15:
  zypper in -t patch SUSE-SLE-INSTALLER-15-2021-770=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-770=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-770=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  libsolv-debuginfo-0.7.17-3.40.1
  libsolv-debugsource-0.7.17-3.40.1
  libsolv-devel-0.7.17-3.40.1
  libsolv-devel-debuginfo-0.7.17-3.40.1
  libsolv-tools-0.7.17-3.40.1
  libsolv-tools-debuginfo-0.7.17-3.40.1
  libzypp-17.25.8-3.66.1
  libzypp-debuginfo-17.25.8-3.66.1
  libzypp-debugsource-17.25.8-3.66.1
  libzypp-devel-17.25.8-3.66.1
  perl-solv-0.7.17-3.40.1
  perl-solv-debuginfo-0.7.17-3.40.1
  python-solv-0.7.17-3.40.1
  python-solv-debuginfo-0.7.17-3.40.1
  python3-solv-0.7.17-3.40.1
  python3-solv-debuginfo-0.7.17-3.40.1
  ruby-solv-0.7.17-3.40.1
  ruby-solv-debuginfo-0.7.17-3.40.1
  zypper-1.14.43-3.49.1
  zypper-debuginfo-1.14.43-3.49.1
  zypper-debugsource-1.14.43-3.49.1
- SUSE Linux Enterprise Server for SAP 15 (noarch):
  yast2-installation-4.0.77-3.22.5
  zypper-log-1.14.43-3.49.1
- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  libsolv-debuginfo-0.7.17-3.40.1
  libsolv-debugsource-0.7.17-3.40.1
  libsolv-devel-0.7.17-3.40.1
  libsolv-devel-debuginfo-0.7.17-3.40.1
  libsolv-tools-0.7.17-3.40.1
  libsolv-tools-debuginfo-0.7.17-3.40.1
  libzypp-17.25.8-3.66.1
  libzypp-debuginfo-17.25.8-3.66.1
  libzypp-debugsource-17.25.8-3.66.1
  libzypp-devel-17.25.8-3.66.1
  perl-solv-0.7.17-3.40.1
  perl-solv-debuginfo-0.7.17-3.40.1
  python-solv-0.7.17-3.40.1
  python-solv-debuginfo-0.7.17-3.40.1
  python3-solv-0.7.17-3.40.1
  python3-solv-debuginfo-0.7.17-3.40.1
  ruby-solv-0.7.17-3.40.1
  ruby-solv-debuginfo-0.7.17-3.40.1
  zypper-1.14.43-3.49.1
  zypper-debuginfo-1.14.43-3.49.1
  zypper-debugsource-1.14.43-3.49.1
- SUSE Linux Enterprise Server 15-LTSS (noarch):
  yast2-installation-4.0.77-3.22.5
  zypper-log-1.14.43-3.49.1
- SUSE Linux Enterprise Installer 15 (aarch64 ppc64le s390x x86_64):
  libsolv-tools-0.7.17-3.40.1
  libzypp-17.25.8-3.66.1
  zypper-1.14.43-3.49.1
- SUSE Linux Enterprise Installer 15 (noarch):
  yast2-installation-4.0.77-3.22.5
- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
  libsolv-debuginfo-0.7.17-3.40.1
  libsolv-debugsource-0.7.17-3.40.1
  libsolv-devel-0.7.17-3.40.1
  libsolv-devel-debuginfo-0.7.17-3.40.1
  libsolv-tools-0.7.17-3.40.1
  libsolv-tools-debuginfo-0.7.17-3.40.1
  libzypp-17.25.8-3.66.1
  libzypp-debuginfo-17.25.8-3.66.1
  libzypp-debugsource-17.25.8-3.66.1
  libzypp-devel-17.25.8-3.66.1
  perl-solv-0.7.17-3.40.1
  perl-solv-debuginfo-0.7.17-3.40.1
  python-solv-0.7.17-3.40.1
  python-solv-debuginfo-0.7.17-3.40.1
  python3-solv-0.7.17-3.40.1
  python3-solv-debuginfo-0.7.17-3.40.1
  ruby-solv-0.7.17-3.40.1
  ruby-solv-debuginfo-0.7.17-3.40.1
  zypper-1.14.43-3.49.1
  zypper-debuginfo-1.14.43-3.49.1
  zypper-debugsource-1.14.43-3.49.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
  yast2-installation-4.0.77-3.22.5
  zypper-log-1.14.43-3.49.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
  libsolv-debuginfo-0.7.17-3.40.1
  libsolv-debugsource-0.7.17-3.40.1
  libsolv-devel-0.7.17-3.40.1
  libsolv-devel-debuginfo-0.7.17-3.40.1
  libsolv-tools-0.7.17-3.40.1
  libsolv-tools-debuginfo-0.7.17-3.40.1
  libzypp-17.25.8-3.66.1
  libzypp-debuginfo-17.25.8-3.66.1
  libzypp-debugsource-17.25.8-3.66.1
  libzypp-devel-17.25.8-3.66.1
  perl-solv-0.7.17-3.40.1
  perl-solv-debuginfo-0.7.17-3.40.1
  python-solv-0.7.17-3.40.1
  python-solv-debuginfo-0.7.17-3.40.1
  python3-solv-0.7.17-3.40.1
  python3-solv-debuginfo-0.7.17-3.40.1
  ruby-solv-0.7.17-3.40.1
  ruby-solv-debuginfo-0.7.17-3.40.1
  zypper-1.14.43-3.49.1
  zypper-debuginfo-1.14.43-3.49.1
  zypper-debugsource-1.14.43-3.49.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
  yast2-installation-4.0.77-3.22.5
  zypper-log-1.14.43-3.49.1

References:

https://www.suse.com/security/cve/CVE-2017-9271.html
https://bugzilla.suse.com/1050625
https://bugzilla.suse.com/1174016
https://bugzilla.suse.com/1177238
https://bugzilla.suse.com/1177275
https://bugzilla.suse.com/1177427
https://bugzilla.suse.com/1177583
https://bugzilla.suse.com/1178910
https://bugzilla.suse.com/1178966
https://bugzilla.suse.com/1179083
https://bugzilla.suse.com/1179222
https://bugzilla.suse.com/1179415
https://bugzilla.suse.com/1179847
https://bugzilla.suse.com/1179909
https://bugzilla.suse.com/1181328
https://bugzilla.suse.com/1181622
https://bugzilla.suse.com/1182629

From sle-security-updates at lists.suse.com Thu Mar 11 23:20:21 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Mar 2021 00:20:21 +0100 (CET)
Subject: SUSE-SU-2021:0769-1: moderate: Security update for openssl-1_0_0
Message-ID: <20210311232021.5FFD2FD17@maintenance.suse.de>

SUSE Security Update: Security update for openssl-1_0_0
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0769-1
Rating:             moderate
References:         #1182331 #1182333
Cross-References:   CVE-2021-23840 CVE-2021-23841
CVSS scores:
    CVE-2021-23840 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-23840 (SUSE): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
    CVE-2021-23841 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-23841 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
    SUSE Manager Server 4.0
    SUSE Manager Retail Branch Server 4.0
    SUSE Manager Proxy 4.0
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Server 15-SP1-LTSS
    SUSE Linux Enterprise Server 15-SP1-BCL
    SUSE Linux Enterprise Server 15-LTSS
    SUSE Linux Enterprise Module for Legacy Software 15-SP3
    SUSE Linux Enterprise Module for Legacy Software 15-SP2
    SUSE Enterprise Storage 6
    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for openssl-1_0_0 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-769=1
- SUSE Manager Retail Branch Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-769=1
- SUSE Manager Proxy 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-769=1
- SUSE Linux Enterprise Server for SAP 15-SP1:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-769=1
- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-769=1
- SUSE Linux Enterprise Server 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-769=1
- SUSE Linux Enterprise Server 15-SP1-BCL:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-769=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2021-769=1
- SUSE Linux Enterprise Module for Legacy Software 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Legacy-15-SP3-2021-769=1
- SUSE Linux Enterprise Module for Legacy Software 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2021-769=1
- SUSE Enterprise Storage 6:
  zypper in -t patch SUSE-Storage-6-2021-769=1
- SUSE CaaS Platform 4.0:
  To install this update, use the SUSE CaaS Platform 'skuba' tool.
  It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

- SUSE Manager Server 4.0 (ppc64le s390x x86_64):
  libopenssl-1_0_0-devel-1.0.2p-3.37.1
  libopenssl1_0_0-1.0.2p-3.37.1
  libopenssl1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-1.0.2p-3.37.1
  openssl-1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-debugsource-1.0.2p-3.37.1
- SUSE Manager Retail Branch Server 4.0 (x86_64):
  libopenssl-1_0_0-devel-1.0.2p-3.37.1
  libopenssl1_0_0-1.0.2p-3.37.1
  libopenssl1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-1.0.2p-3.37.1
  openssl-1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-debugsource-1.0.2p-3.37.1
- SUSE Manager Proxy 4.0 (x86_64):
  libopenssl-1_0_0-devel-1.0.2p-3.37.1
  libopenssl1_0_0-1.0.2p-3.37.1
  libopenssl1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-1.0.2p-3.37.1
  openssl-1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-debugsource-1.0.2p-3.37.1
- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
  libopenssl-1_0_0-devel-1.0.2p-3.37.1
  libopenssl1_0_0-1.0.2p-3.37.1
  libopenssl1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-1.0.2p-3.37.1
  openssl-1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-debugsource-1.0.2p-3.37.1
- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  libopenssl-1_0_0-devel-1.0.2p-3.37.1
  libopenssl1_0_0-1.0.2p-3.37.1
  libopenssl1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-1.0.2p-3.37.1
  openssl-1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-debugsource-1.0.2p-3.37.1
- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
  libopenssl-1_0_0-devel-1.0.2p-3.37.1
  libopenssl1_0_0-1.0.2p-3.37.1
  libopenssl1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-1.0.2p-3.37.1
  openssl-1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-debugsource-1.0.2p-3.37.1
- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
  libopenssl-1_0_0-devel-1.0.2p-3.37.1
  libopenssl1_0_0-1.0.2p-3.37.1
  libopenssl1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-1.0.2p-3.37.1
  openssl-1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-debugsource-1.0.2p-3.37.1
- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  libopenssl-1_0_0-devel-1.0.2p-3.37.1
  libopenssl1_0_0-1.0.2p-3.37.1
  libopenssl1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-1.0.2p-3.37.1
  openssl-1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-debugsource-1.0.2p-3.37.1
- SUSE Linux Enterprise Module for Legacy Software 15-SP3 (aarch64 ppc64le s390x x86_64):
  libopenssl-1_0_0-devel-1.0.2p-3.37.1
  libopenssl10-1.0.2p-3.37.1
  libopenssl10-debuginfo-1.0.2p-3.37.1
  libopenssl1_0_0-1.0.2p-3.37.1
  libopenssl1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-1.0.2p-3.37.1
  openssl-1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-debugsource-1.0.2p-3.37.1
- SUSE Linux Enterprise Module for Legacy Software 15-SP2 (aarch64 ppc64le s390x x86_64):
  libopenssl-1_0_0-devel-1.0.2p-3.37.1
  libopenssl1_0_0-1.0.2p-3.37.1
  libopenssl1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-1.0.2p-3.37.1
  openssl-1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-debugsource-1.0.2p-3.37.1
- SUSE Enterprise Storage 6 (aarch64 x86_64):
  libopenssl-1_0_0-devel-1.0.2p-3.37.1
  libopenssl1_0_0-1.0.2p-3.37.1
  libopenssl1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-1.0.2p-3.37.1
  openssl-1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-debugsource-1.0.2p-3.37.1
- SUSE CaaS Platform 4.0 (x86_64):
  libopenssl-1_0_0-devel-1.0.2p-3.37.1
  libopenssl1_0_0-1.0.2p-3.37.1
  libopenssl1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-1.0.2p-3.37.1
  openssl-1_0_0-debuginfo-1.0.2p-3.37.1
  openssl-1_0_0-debugsource-1.0.2p-3.37.1

References:

https://www.suse.com/security/cve/CVE-2021-23840.html
https://www.suse.com/security/cve/CVE-2021-23841.html
https://bugzilla.suse.com/1182331
https://bugzilla.suse.com/1182333

From sle-security-updates at lists.suse.com Thu Mar 11 23:29:35 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Mar 2021 00:29:35 +0100 (CET)
Subject: SUSE-SU-2021:0771-1: important: Security update for crmsh
Message-ID: <20210311232935.5DEAFFD17@maintenance.suse.de>
SUSE Security Update: Security update for crmsh
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0771-1
Rating:             important
References:         #1154927 #1178454 #1178869 #1179999 #1180571
Cross-References:   CVE-2020-35459 CVE-2021-3020
CVSS scores:
    CVE-2020-35459 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    CVE-2020-35459 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE-2021-3020 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
    SUSE Linux Enterprise High Availability 12-SP3
______________________________________________________________________________

An update that solves two vulnerabilities and has three fixes is now available.

Description:

This update for crmsh fixes the following issues:

- Update to version 3.0.4+git.1614156978.4c1dc46d:
  * Fix: hb_report: walk through hb_report process under hacluster (CVE-2020-35459, bsc#1179999; CVE-2021-3020, bsc#1180571)
  * Fix: bootstrap: setup authorized ssh access for hacluster (CVE-2020-35459, bsc#1179999; CVE-2021-3020, bsc#1180571)
  * Dev: utils: change default file mode to 644 for str2file function
  * Dev: lock: give a more specific error message when raising ClaimLockError
  * Dev: corosync: change the permission of corosync.conf to 644
  * Fix: bootstrap: Use class Watchdog to simplify watchdog config (bsc#1154927, bsc#1178869)
  * Fix: bootstrap: make sure the sbd device UUID is the same between nodes (bsc#1178454)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise High Availability 12-SP3:
  zypper in -t patch SUSE-SLE-HA-12-SP3-2021-771=1

Package List:

- SUSE Linux Enterprise High Availability 12-SP3 (noarch):
  crmsh-3.0.4+git.1614156978.4c1dc46d-13.62.1
  crmsh-scripts-3.0.4+git.1614156978.4c1dc46d-13.62.1

References:

https://www.suse.com/security/cve/CVE-2020-35459.html
https://www.suse.com/security/cve/CVE-2021-3020.html
https://bugzilla.suse.com/1154927
https://bugzilla.suse.com/1178454
https://bugzilla.suse.com/1178869
https://bugzilla.suse.com/1179999
https://bugzilla.suse.com/1180571

From sle-security-updates at lists.suse.com Thu Mar 11 23:31:23 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Mar 2021 00:31:23 +0100 (CET)
Subject: SUSE-SU-2021:0768-1: moderate: Security update for python
Message-ID: <20210311233123.2DE8FFD17@maintenance.suse.de>

SUSE Security Update: Security update for python
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0768-1
Rating:             moderate
References:         #1182379
Cross-References:   CVE-2021-23336
CVSS scores:
    CVE-2021-23336 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
    CVE-2021-23336 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

Affected Products:
    SUSE Manager Server 4.0
    SUSE Manager Retail Branch Server 4.0
    SUSE Manager Proxy 4.0
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Server 15-SP1-LTSS
    SUSE Linux Enterprise Server 15-SP1-BCL
    SUSE Linux Enterprise Server 15-LTSS
    SUSE Linux Enterprise Module for Python2 15-SP3
    SUSE Linux Enterprise Module for Python2 15-SP2
    SUSE Linux Enterprise Module for Desktop Applications 15-SP3
    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
    SUSE Linux Enterprise Module for Basesystem 15-SP3
    SUSE Linux Enterprise Module for Basesystem 15-SP2
    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
    SUSE Linux Enterprise High Performance Computing 15-LTSS
    SUSE Linux Enterprise High Performance Computing 15-ESPOS
    SUSE Enterprise Storage 6
    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python fixes the following issues:

- python27 was upgraded to 2.7.18
- CVE-2021-23336: Fixed a potential web cache poisoning caused by accepting a semicolon as a query string separator when parsing query parameters (bsc#1182379).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-768=1
- SUSE Manager Retail Branch Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-768=1
- SUSE Manager Proxy 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-768=1
- SUSE Linux Enterprise Server for SAP 15-SP1:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-768=1
- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-768=1
- SUSE Linux Enterprise Server 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-768=1
- SUSE Linux Enterprise Server 15-SP1-BCL:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-768=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2021-768=1
- SUSE Linux Enterprise Module for Python2 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Python2-15-SP3-2021-768=1
- SUSE Linux Enterprise Module for Python2 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2021-768=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-768=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-768=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-768=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-768=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-768=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-768=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-768=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-768=1
- SUSE Enterprise Storage 6:
  zypper in -t patch SUSE-Storage-6-2021-768=1
- SUSE CaaS Platform 4.0:
  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
Package List:

- SUSE Manager Server 4.0 (ppc64le s390x x86_64):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1
- SUSE Manager Retail Branch Server 4.0 (x86_64):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1
- SUSE Manager Proxy 4.0 (x86_64):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1
- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1
- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1
- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1
- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1
- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1
- SUSE Linux Enterprise Module for Python2 15-SP3 (aarch64 ppc64le s390x x86_64):
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1
- SUSE Linux Enterprise Module for Python2 15-SP2 (aarch64 ppc64le s390x x86_64):
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1
- SUSE Enterprise Storage 6 (aarch64 x86_64):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1
- SUSE CaaS Platform 4.0 (x86_64):
  libpython2_7-1_0-2.7.18-7.55.1
  libpython2_7-1_0-debuginfo-2.7.18-7.55.1
  python-2.7.18-7.55.1
  python-base-2.7.18-7.55.1
  python-base-debuginfo-2.7.18-7.55.1
  python-base-debugsource-2.7.18-7.55.1
  python-curses-2.7.18-7.55.1
  python-curses-debuginfo-2.7.18-7.55.1
  python-debuginfo-2.7.18-7.55.1
  python-debugsource-2.7.18-7.55.1
  python-devel-2.7.18-7.55.1
  python-gdbm-2.7.18-7.55.1
  python-gdbm-debuginfo-2.7.18-7.55.1
  python-tk-2.7.18-7.55.1
  python-tk-debuginfo-2.7.18-7.55.1
  python-xml-2.7.18-7.55.1
  python-xml-debuginfo-2.7.18-7.55.1

References:

https://www.suse.com/security/cve/CVE-2021-23336.html
https://bugzilla.suse.com/1182379

From sle-security-updates at lists.suse.com Fri Mar 12 07:10:02 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Mar 2021 08:10:02 +0100 (CET)
Subject: SUSE-CU-2021:69-1: Security update of ses/7/cephcsi/cephcsi
Message-ID: <20210312071002.65A57FFA5@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/cephcsi/cephcsi
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:69-1
Container Tags        : ses/7/cephcsi/cephcsi:3.2.0 , ses/7/cephcsi/cephcsi:3.2.0.0.3.248 , ses/7/cephcsi/cephcsi:latest , ses/7/cephcsi/cephcsi:sle15.2.octopus , ses/7/cephcsi/cephcsi:v3.2.0 , ses/7/cephcsi/cephcsi:v3.2.0.0
Container Release     : 3.248
Severity              : important
Type                  : security
References            : 1050625 1084671 1098449 1141597 1144793 1155094 1168771 1169006 1171883 1172695 1173513 1173582 1174016 1174091 1174436 1174571 1174701 1174942 1175458 1175514 1175623 1176262 1177120 1177127 1177211 1177238 1177275 1177427 1177460 1177460 1177490 1177533 1177583 1177658 1177998 1178009 1178346 1178386 1178554 1178775 1178823 1178825 1178860 1178909 1178910 1178966 1179016 1179083 1179193 1179222 1179363 1179398 1179399 1179415 1179452 1179491 1179503 1179526 1179593 1179630 1179691 1179691 1179694 1179721 1179738 1179756 1179816 1179824 1179909 1180038 1180077 1180107 1180138 1180155 1180225 1180377 1180501 1180603 1180603 1180663 1180676 1180684 1180685 1180686 1180687 1180721 1180885 1181090 1181126 1181319 1181505 1181944 1182066 1182117 1182244 1182279 1182331 1182333 1182408 1182411 1182412
                        1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182959 CVE-2017-9271 CVE-2019-16935 CVE-2019-18348 CVE-2019-20907 CVE-2019-20916 CVE-2019-25013 CVE-2019-5010 CVE-2020-14145 CVE-2020-14422 CVE-2020-1971 CVE-2020-25709 CVE-2020-25710 CVE-2020-26116 CVE-2020-26137 CVE-2020-27618 CVE-2020-27619 CVE-2020-27781 CVE-2020-28493 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-36242 CVE-2020-8025 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2020-8492 CVE-2021-23239 CVE-2021-23240 CVE-2021-23840 CVE-2021-23841 CVE-2021-27212 CVE-2021-3139 CVE-2021-3156 CVE-2021-3177 CVE-2021-3326
-----------------------------------------------------------------

The container ses/7/cephcsi/cephcsi was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1989-1
Released:    Tue Jul 21 17:58:58 2020
Summary:     Recommended update to SLES-releases
Type:        recommended
Severity:    important
References:  1173582
This update of SLES-release provides the following fix:

- Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3294-1
Released:    Wed Nov 11 12:28:46 2020
Summary:     Recommended update for SLES-release
Type:        recommended
Severity:    moderate
References:  1177998
This update for SLES-release fixes the following issue:

- Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2.
  (bsc#1177998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3721-1
Released:    Wed Dec 9 13:36:46 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1179491,CVE-2020-1971
This update for openssl-1_1 fixes the following issues:

- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3723-1
Released:    Wed Dec 9 13:37:55 2020
Summary:     Security update for python-urllib3
Type:        security
Severity:    moderate
References:  1177120,CVE-2020-26137
This update for python-urllib3 fixes the following issues:

- CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bsc#1177120).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3735-1
Released:    Wed Dec 9 18:19:24 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OCSP verification on the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3736-1
Released:    Wed Dec 9 18:19:58 2020
Summary:     Security update for openssh
Type:        security
Severity:    moderate
References:  1173513,CVE-2020-14145
This update for openssh fixes the following issues:

- CVE-2020-14145: Fixed a potential information leak during host key exchange (bsc#1173513).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3747-1
Released:    Thu Dec 10 13:54:49 2020
Summary:     Recommended update for ceph
Type:        recommended
Severity:    moderate
References:  1179452,1179526
This update for ceph fixes the following issues:

- Fixed an issue when reading a large 'RGW' object takes too long and can cause data loss. (bsc#1179526)
- Fixed a build issue caused by missing nautilus module named 'six'. (bsc#1179452)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3791-1
Released:    Mon Dec 14 17:39:19 2020
Summary:     Recommended update for gzip
Type:        recommended
Severity:    moderate
References:
This update for gzip fixes the following issue:

- Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775)
  Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3809-1
Released:    Tue Dec 15 13:46:05 2020
Summary:     Recommended update for glib2
Type:        recommended
Severity:    moderate
References:  1178346
This update for glib2 fixes the following issues:

Update from version 2.62.5 to version 2.62.6:

- Support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)
- Fix SOCKS5 username/password authentication.
- Updated translations.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3853-1
Released:    Wed Dec 16 12:27:27 2020
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1084671,1169006,1174942,1175514,1175623,1178554,1178825
This update for util-linux fixes the following issue:

- Do not trigger the automatic close of CDROM. (bsc#1084671)
- Try to automatically configure broken serial lines. (bsc#1175514)
- Avoid `sulogin` failing on not existing or not functional console devices.
  (bsc#1175514)
- Build with `libudev` support to support non-root users. (bsc#1169006)
- Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to `CIFS` with mount -a. (bsc#1174942)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3894-1
Released:    Mon Dec 21 12:56:05 2020
Summary:     Security update for ceph
Type:        security
Severity:    important
References:  1178860,1179016,1180107,1180155,CVE-2020-27781
This update for ceph fixes the following issues:

Security issue fixed:

- CVE-2020-27781: Fixed a privilege escalation via the ceph_volume_client Python interface (bsc#1180155).

Non-security issues fixed:

- Update to 15.2.8-80-g1f4b6229ca:
  + Rebase on tip of upstream 'octopus' branch, SHA1 bdf3eebcd22d7d0b3dd4d5501bee5bac354d5b55
    * upstream Octopus v15.2.8 release, see https://ceph.io/releases/v15-2-8-octopus-released/
- Update to 15.2.7-776-g343cd10fe5:
  + Rebase on tip of upstream 'octopus' branch, SHA1 1b8a634fdcd94dfb3ba650793fb1b6d09af65e05
    * (bsc#1178860) mgr/dashboard: Disable TLS 1.0 and 1.1
  + (bsc#1179016) rpm: require smartmontools on SUSE
  + (bsc#1180107) ceph-volume: pass --filter-for-batch from drive-group subcommand

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3921-1
Released:    Tue Dec 22 15:19:17 2020
Summary:     Recommended update for libpwquality
Type:        recommended
Severity:    low
References:
This update for libpwquality fixes the following issues:

- Implement alignment with 'pam_cracklib'.
  (jsc#SLE-16720)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3930-1
Released:    Wed Dec 23 18:19:39 2020
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630,CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492
This update for python3 fixes the following issues:

- Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP.
- Change setuptools and pip version numbers according to new wheels
- Handful of changes to make python36 compatible with SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738)
- add triplets for mips-r6 and riscv
- RISC-V needs CTYPES_PASS_BY_REF_HACK

Update to 3.6.12 (bsc#1179193)

  * Ensure python3.dll is loaded from correct locations when Python is embedded
  * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
  * Prevent http header injection by rejecting control characters in http.client.putrequest(...).
  * Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing.
  * Avoid infinite loop when reading specially crafted TAR files using the tarfile module

- This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).

Update to 3.6.11:

- Disallow CR or LF in email.headerregistry. Address arguments to guard against header injection attacks.
- Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause an InvalidURL to be raised.
  (bsc#1155094)
- CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3942-1
Released:    Tue Dec 29 12:22:01 2020
Summary:     Recommended update for libidn2
Type:        recommended
Severity:    moderate
References:  1180138
This update for libidn2 fixes the following issues:

- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3943-1
Released:    Tue Dec 29 12:24:45 2020
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1178823
This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)

  * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
  * This fix uses a hash table to avoid the quadratic behaviour.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3946-1
Released:    Tue Dec 29 17:39:54 2020
Summary:     Recommended update for python3
Type:        recommended
Severity:    important
References:  1180377
This update for python3 fixes the following issues:

- A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3, which caused regressions in several applications.
  (bsc#1180377)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:6-1
Released:    Mon Jan 4 07:05:06 2021
Summary:     Recommended update for libdlm
Type:        recommended
Severity:    moderate
References:  1098449,1144793,1168771,1177533,1177658
This update for libdlm fixes the following issues:

- Rework libdlm3 require with a shared library version tag instead so it propagates to all consuming packages. (bsc#1177658, bsc#1098449)
- Add support for type 'uint64_t' to corosync ringid. (bsc#1168771)
- Include some fixes/enhancements for dlm_controld. (bsc#1144793)
- Fixed an issue where /boot logical volume was accidentally unmounted. (bsc#1177533)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:109-1
Released:    Wed Jan 13 10:13:24 2021
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    moderate
References:  1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909,CVE-2017-9271
This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.41
Update libzypp to 17.25.4

- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere.
  (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)

yast-installation was updated to 4.2.48:

- Do not cleanup the libzypp cache when the system has low memory, incomplete cache confuses libzypp later (bsc#1179415)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:93-1
Released:    Wed Jan 13 16:45:40 2021
Summary:     Security update for tcmu-runner
Type:        security
Severity:    important
References:  1180676,CVE-2021-3139
This update for tcmu-runner fixes the following issues:

- CVE-2021-3139: Fixed a LIO security issue (bsc#1180676).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released:    Thu Jan 14 12:26:15 2021
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1178909,1179503,CVE-2020-25709,CVE-2020-25710
This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:152-1
Released:    Fri Jan 15 17:04:47 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1179691,1179738
This update for lvm2 fixes the following issues:

- Fix for lvm2 to use udev as external device by default. (bsc#1179691)
- Fixed an issue in configuration for an item that is commented out by default.
  (bsc#1179738)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:169-1
Released:    Tue Jan 19 16:18:46 2021
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1179816,1180077,1180663,1180721
This update for libsolv, libzypp, zypper fixes the following issues:

libzypp was updated to 17.25.6:

- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

zypper was updated to 1.14.42:

- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)

libsolv was updated to 0.7.16:

- do not ask the namespace callback for splitprovides when writing a testcase
- fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes
- improve choicerule generation so that package updates are preferred in more cases

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:174-1
Released:    Wed Jan 20 07:55:23 2021
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1172695
This update for gnutls fixes the following issue:

- Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:179-1
Released:    Wed Jan 20 13:38:51 2021
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

- timezone update 2020f (bsc#1177460)
  * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
  * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:197-1
Released:    Fri Jan 22 15:17:42 2021
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1171883,CVE-2020-8025
This update for permissions fixes the following issues:

- Update to version 20181224:
  * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released:    Tue Jan 26 14:00:51 2021
Summary:     Recommended update for keyutils
Type:        recommended
Severity:    moderate
References:  1180603
This update for keyutils fixes the following issues:

- Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:227-1
Released:    Tue Jan 26 19:22:14 2021
Summary:     Security update for sudo
Type:        security
Severity:    important
References:  1180684,1180685,1180687,1181090,CVE-2021-23239,CVE-2021-23240,CVE-2021-3156
This update for sudo fixes the following issues:

- A heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges [bsc#1181090, CVE-2021-3156]
- It was possible for a user to test for the existence of a directory due to a race condition in `sudoedit` [bsc#1180684, CVE-2021-23239]
- A possible symlink attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685, CVE-2021-23240]
- It was possible for a user to enable debug settings not intended for them [bsc#1180687]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released:    Wed Jan 27 12:15:33 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1141597,1174436,1175458,1177490,1179363,1179824,1180225
This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released:    Mon Feb 1 15:06:45 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1178775,1180885
This update for systemd fixes the following issues:

- Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)
- Fix for an issue when container start causes interference in other containers. (bsc#1178775)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:278-1
Released:    Tue Feb 2 09:43:08 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1181319
This update for lvm2 fixes the following issues:

- Backport 'lvmlockd' to adopt orphan locks feature.
  (bsc#1181319)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released:    Wed Feb 3 12:52:34 2021
Summary:     Recommended update for gmp
Type:        recommended
Severity:    moderate
References:  1180603
This update for gmp fixes the following issues:

- correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:301-1
Released:    Thu Feb 4 08:46:27 2021
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:302-1
Released:    Thu Feb 4 13:18:35 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1179691
This update for lvm2 fixes the following issues:

- lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691). If this behavior is still wanted, please change this manually in the lvm.conf

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released:    Mon Feb 8 13:16:07 2021
Summary:     Optional update for pam
Type:        optional
Severity:    low
References:
This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to be installed - it doesn't fix any bugs.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:519-1
Released:    Fri Feb 19 09:44:53 2021
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1180501
This update for openssh fixes the following issues:

- Fixed a crash which sometimes occurred on connection termination, caused by accessing freed memory (bsc#1180501)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released:    Fri Feb 19 14:53:47 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177
This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:594-1
Released:    Thu Feb 25 09:29:35 2021
Summary:     Security update for python-cryptography
Type:        security
Severity:    important
References:  1182066,CVE-2020-36242
This update for python-cryptography fixes the following issues:

- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte values could result in an integer overflow and buffer overflow (bsc#1182066).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released:    Fri Feb 26 19:53:43 2021
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:654-1
Released:    Fri Feb 26 20:01:10 2021
Summary:     Security update for python-Jinja2
Type:        security
Severity:    important
References:  1181944,1182244,CVE-2020-28493
This update for python-Jinja2 fixes the following issues:

- CVE-2020-28493: Fixed a ReDoS vulnerability where urlize could have been called with untrusted user data (bsc#1181944).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:656-1
Released:    Mon Mar 1 09:34:21 2021
Summary:     Recommended update for protobuf
Type:        recommended
Severity:    moderate
References:  1177127
This update for protobuf fixes the following issues:

- Add missing dependency of python subpackages on python-six.
  (bsc#1177127)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released:    Mon Mar 8 16:45:27 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:754-1
Released:    Tue Mar 9 17:10:49 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841
This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
- Fixed unresolved error codes in FIPS (bsc#1182959).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:764-1
Released:    Thu Mar 11 13:17:18 2021
Summary:     Recommended update for rook
Type:        recommended
Severity:    moderate
References:
This update for rook fixes the following issues:

- updated rook to version 1.5.7
  * CSI Troubleshooting Guide
  * Print device information in OSD prepare logs
  * Expose vault curl error in the OSD init container for KCS configurations
  * Prevent re-using a device to configure an OSD on PVC from a previous cluster
  * Remove crash collector if all Ceph pods moved off a node
  * Add helm annotation to keep CRDs in the helm chart during uninstall
  * Bind mgr modules to all interfaces instead of pod ip
  * Check for orchestration cancellation while waiting for all OSDs to start
  * Skip pdb reconcile on create and delete events
  * Silence harmless errors in log when the operator is still initializing
  * Add --extra-create-metadata flag to the CSI driver
  * Add deviceClass to the object store schema
  * Simplify the log-collector container name
  * Skip csi detection if CSI is disabled
  * Remove Rook pods stuck in terminating state on a failed node
  * Timeout for rgw configuration to
    prevent stuck object store when no healthy OSDs
  * Update lib bucket provisioner for OBCs

From sle-security-updates at lists.suse.com Fri Mar 12 07:11:29 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Mar 2021 08:11:29 +0100 (CET)
Subject: SUSE-CU-2021:71-1: Security update of ses/7/cephcsi/csi-attacher
Message-ID: <20210312071129.BE35FFFA5@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/cephcsi/csi-attacher
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:71-1
Container Tags : ses/7/cephcsi/csi-attacher:v3.0.2 , ses/7/cephcsi/csi-attacher:v3.0.2-rev1 , ses/7/cephcsi/csi-attacher:v3.0.2-rev1-build3.213
Container Release : 3.213
Severity : important
Type : security
References : 1050625 1084671 1141597 1169006 1171883 1172695 1173582 1174016 1174436 1174942 1175458 1175514 1175623 1177238 1177275 1177427 1177490 1177583 1177998 1178346 1178386 1178554 1178775 1178823 1178825 1178909 1178910 1178966 1179083 1179222 1179363 1179398 1179399 1179415 1179491 1179503 1179593 1179694 1179721 1179816 1179824 1179909 1180038 1180077 1180138 1180225 1180603 1180603 1180663 1180721 1180885 1181505 1182117 1182279 1182331 1182333 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182959 CVE-2017-9271 CVE-2019-25013 CVE-2020-1971 CVE-2020-25709 CVE-2020-25710 CVE-2020-27618 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-8025 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2021-23840 CVE-2021-23841 CVE-2021-27212 CVE-2021-3326
-----------------------------------------------------------------

The container ses/7/cephcsi/csi-attacher was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1989-1
Released: Tue Jul 21 17:58:58 2020
Summary: Recommended update to SLES-releases
Type: recommended
Severity: important
References: 1173582

This update of SLES-release provides the following fix:

- Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3294-1
Released: Wed Nov 11 12:28:46 2020
Summary: Recommended update for SLES-release
Type: recommended
Severity: moderate
References: 1177998

This update for SLES-release fixes the following issue:

- Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2. (bsc#1177998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3721-1
Released: Wed Dec 9 13:36:46 2020
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1179491,CVE-2020-1971

This update for openssl-1_1 fixes the following issues:

- CVE-2020-1971: Fixed a NULL pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3735-1
Released: Wed Dec 9 18:19:24 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286

This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OCSP verification on the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard matching (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3809-1
Released: Tue Dec 15 13:46:05 2020
Summary: Recommended update for glib2
Type: recommended
Severity: moderate
References: 1178346

This update for glib2 fixes the following issues:

Update from version 2.62.5 to version 2.62.6:

- Support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)
- Fix SOCKS5 username/password authentication.
- Updated translations.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3853-1
Released: Wed Dec 16 12:27:27 2020
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825

This update for util-linux fixes the following issues:

- Do not trigger the automatic close of CDROM. (bsc#1084671)
- Try to automatically configure broken serial lines. (bsc#1175514)
- Avoid `sulogin` failing on non-existing or non-functional console devices. (bsc#1175514)
- Build with `libudev` support to support non-root users. (bsc#1169006)
- Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to `CIFS` with `mount -a`.
  (bsc#1174942)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3942-1
Released: Tue Dec 29 12:22:01 2020
Summary: Recommended update for libidn2
Type: recommended
Severity: moderate
References: 1180138

This update for libidn2 fixes the following issues:

- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later; adjusted the RPM license tags (bsc#1180138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3943-1
Released: Tue Dec 29 12:24:45 2020
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1178823

This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)
  * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
  * This fix uses a hash table to avoid the quadratic behaviour.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:109-1
Released: Wed Jan 13 10:13:24 2021
Summary: Security update for libzypp, zypper
Type: security
Severity: moderate
References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909,CVE-2017-9271

This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.41
Update libzypp to 17.25.4

- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere.
  (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)

yast-installation was updated to 4.2.48:

- Do not cleanup the libzypp cache when the system has low memory; an incomplete cache confuses libzypp later (bsc#1179415)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released: Thu Jan 14 12:26:15 2021
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:169-1
Released: Tue Jan 19 16:18:46 2021
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1179816,1180077,1180663,1180721

This update for libsolv, libzypp, zypper fixes the following issues:

libzypp was updated to 17.25.6:

- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

zypper was updated to 1.14.42:

- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)

libsolv was updated to 0.7.16:

- do not ask the namespace callback for splitprovides when writing a testcase
- fix add_complex_recommends()
  selecting conflicted packages in rare cases leading to crashes
- improve choicerule generation so that package updates are preferred in more cases

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:174-1
Released: Wed Jan 20 07:55:23 2021
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1172695

This update for gnutls fixes the following issue:

- Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:197-1
Released: Fri Jan 22 15:17:42 2021
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1171883,CVE-2020-8025

This update for permissions fixes the following issues:

- Update to version 20181224:
  * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released: Tue Jan 26 14:00:51 2021
Summary: Recommended update for keyutils
Type: recommended
Severity: moderate
References: 1180603

This update for keyutils fixes the following issues:

- Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released: Wed Jan 27 12:15:33 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225

This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a
  potential error when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released: Mon Feb 1 15:06:45 2021
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1178775,1180885

This update for systemd fixes the following issues:

- Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)
- Fix for an issue when container start causes interference in other containers. (bsc#1178775)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released: Wed Feb 3 12:52:34 2021
Summary: Recommended update for gmp
Type: recommended
Severity: moderate
References: 1180603

This update for gmp fixes the following issues:

- correct license statements of packages (the library itself is not GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released: Mon Feb 8 13:16:07 2021
Summary: Optional update for pam
Type: optional
Severity: low
References:

This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to install; it doesn't fix any bugs.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released: Fri Feb 26 19:53:43 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326

This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released: Mon Mar 8 16:45:27 2021
Summary: Security update for openldap2
Type: security
Severity: important
References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212

This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:754-1
Released: Tue Mar 9 17:10:49 2021
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841

This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a NULL pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
- Fixed unresolved error codes in FIPS (bsc#1182959).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:764-1
Released: Thu Mar 11 13:17:18 2021
Summary: Recommended update for rook
Type: recommended
Severity: moderate
References:

This update for rook fixes the following issues:

- updated rook to version 1.5.7
  * CSI Troubleshooting Guide
  * Print device information in OSD prepare logs
  * Expose vault curl error in the OSD init container for KCS configurations
  * Prevent re-using a device to configure an OSD on PVC from a previous cluster
  * Remove crash collector if all Ceph pods moved off a node
  * Add helm annotation to keep CRDs in the helm chart during uninstall
  * Bind mgr modules to all interfaces instead of pod ip
  * Check for orchestration cancellation while waiting for all OSDs to start
  * Skip pdb reconcile on create and delete events
  * Silence harmless errors in log when the operator is still initializing
  * Add --extra-create-metadata flag to the CSI driver
  * Add deviceClass to the object store schema
  * Simplify the log-collector container name
  * Skip csi detection if CSI is disabled
  * Remove Rook pods stuck in terminating state on a failed node
  * Timeout for rgw configuration to prevent stuck object store when no healthy OSDs
  * Update lib bucket provisioner for OBCs

From sle-security-updates at lists.suse.com Fri Mar 12 07:12:37 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Mar 2021 08:12:37 +0100 (CET)
Subject: SUSE-CU-2021:72-1: Security update of ses/7/cephcsi/csi-node-driver-registrar
Message-ID: <20210312071237.53C80FFA5@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/cephcsi/csi-node-driver-registrar
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:72-1
Container Tags : ses/7/cephcsi/csi-node-driver-registrar:v2.0.1 , ses/7/cephcsi/csi-node-driver-registrar:v2.0.1-rev1 , ses/7/cephcsi/csi-node-driver-registrar:v2.0.1-rev1-build3.204
Container Release : 3.204
Severity : important
Type : security
References : 1050625 1084671 1141597 1169006 1171883 1172695 1173582 1174016 1174436 1174942 1175458 1175514 1175623 1177238 1177275 1177427 1177490 1177583 1177998 1178346 1178386 1178554 1178775 1178823 1178825 1178909 1178910 1178966 1179083 1179222 1179363 1179398 1179399 1179415 1179491 1179503 1179593 1179694 1179721 1179816 1179824 1179909 1180038 1180077 1180138 1180225 1180603 1180603 1180663 1180721 1180885 1181505 1182117 1182279 1182331 1182333 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182959 CVE-2017-9271 CVE-2019-25013 CVE-2020-1971 CVE-2020-25709 CVE-2020-25710 CVE-2020-27618 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-8025 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2021-23840 CVE-2021-23841 CVE-2021-27212 CVE-2021-3326
-----------------------------------------------------------------

The container ses/7/cephcsi/csi-node-driver-registrar was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1989-1
Released: Tue Jul 21 17:58:58 2020
Summary: Recommended update to SLES-releases
Type: recommended
Severity: important
References: 1173582

This update of SLES-release provides the following fix:

- Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3294-1
Released: Wed Nov 11 12:28:46 2020
Summary: Recommended update for SLES-release
Type: recommended
Severity: moderate
References: 1177998

This update for SLES-release fixes the following issue:

- Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2.
  (bsc#1177998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3721-1
Released: Wed Dec 9 13:36:46 2020
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1179491,CVE-2020-1971

This update for openssl-1_1 fixes the following issues:

- CVE-2020-1971: Fixed a NULL pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3735-1
Released: Wed Dec 9 18:19:24 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286

This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OCSP verification on the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard matching (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3809-1
Released: Tue Dec 15 13:46:05 2020
Summary: Recommended update for glib2
Type: recommended
Severity: moderate
References: 1178346

This update for glib2 fixes the following issues:

Update from version 2.62.5 to version 2.62.6:

- Support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)
- Fix SOCKS5 username/password authentication.
- Updated translations.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3853-1
Released: Wed Dec 16 12:27:27 2020
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825

This update for util-linux fixes the following issues:

- Do not trigger the automatic close of CDROM. (bsc#1084671)
- Try to automatically configure broken serial lines.
  (bsc#1175514)
- Avoid `sulogin` failing on non-existing or non-functional console devices. (bsc#1175514)
- Build with `libudev` support to support non-root users. (bsc#1169006)
- Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to `CIFS` with `mount -a`. (bsc#1174942)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3942-1
Released: Tue Dec 29 12:22:01 2020
Summary: Recommended update for libidn2
Type: recommended
Severity: moderate
References: 1180138

This update for libidn2 fixes the following issues:

- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later; adjusted the RPM license tags (bsc#1180138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3943-1
Released: Tue Dec 29 12:24:45 2020
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1178823

This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)
  * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
  * This fix uses a hash table to avoid the quadratic behaviour.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:109-1
Released: Wed Jan 13 10:13:24 2021
Summary: Security update for libzypp, zypper
Type: security
Severity: moderate
References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909,CVE-2017-9271

This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.41
Update libzypp to 17.25.4

- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)

yast-installation was updated to 4.2.48:

- Do not cleanup the libzypp cache when the system has low memory; an incomplete cache confuses libzypp later (bsc#1179415)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released: Thu Jan 14 12:26:15 2021
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection.
  (bsc#1179503)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:169-1
Released: Tue Jan 19 16:18:46 2021
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1179816,1180077,1180663,1180721

This update for libsolv, libzypp, zypper fixes the following issues:

libzypp was updated to 17.25.6:

- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

zypper was updated to 1.14.42:

- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)

libsolv was updated to 0.7.16:

- do not ask the namespace callback for splitprovides when writing a testcase
- fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes
- improve choicerule generation so that package updates are preferred in more cases

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:174-1
Released: Wed Jan 20 07:55:23 2021
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1172695

This update for gnutls fixes the following issue:

- Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:197-1
Released: Fri Jan 22 15:17:42 2021
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1171883,CVE-2020-8025

This update for permissions fixes the following issues:

- Update to version 20181224:
  * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released: Tue Jan 26 14:00:51 2021
Summary: Recommended update for keyutils
Type: recommended
Severity: moderate
References: 1180603

This update for keyutils fixes the following issues:

- Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released: Wed Jan 27 12:15:33 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225

This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a potential error when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released: Mon Feb 1 15:06:45 2021
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1178775,1180885

This update for systemd fixes the following issues:

- Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)
- Fix for an issue when container start causes interference in other containers.
  (bsc#1178775)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released: Wed Feb 3 12:52:34 2021
Summary: Recommended update for gmp
Type: recommended
Severity: moderate
References: 1180603

This update for gmp fixes the following issues:

- correct license statements of packages (the library itself is not GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released: Mon Feb 8 13:16:07 2021
Summary: Optional update for pam
Type: optional
Severity: low
References:

This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to install; it doesn't fix any bugs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released: Fri Feb 26 19:53:43 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326

This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released: Mon Mar 8 16:45:27 2021
Summary: Security update for openldap2
Type: security
Severity: important
References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212

This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:754-1
Released: Tue Mar 9 17:10:49 2021
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841

This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
- Fixed unresolved error codes in FIPS (bsc#1182959).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:764-1
Released: Thu Mar 11 13:17:18 2021
Summary: Recommended update for rook
Type: recommended
Severity: moderate
References:

This update for rook fixes the following issues:

- updated rook to version 1.5.7
  * CSI Troubleshooting Guide
  * Print device information in OSD prepare logs
  * Expose vault curl error in the OSD init container for KCS configurations
  * Prevent re-using a device to configure an OSD on PVC from a previous cluster
  * Remove crash collector if all Ceph pods moved off a node
  * Add helm annotation to keep CRDs in the helm chart during uninstall
  * Bind mgr modules to all interfaces instead of pod ip
  * Check for orchestration cancellation while waiting for all OSDs to start
  * Skip pdb reconcile on create and delete events
  * Silence harmless errors in log when the operator is still initializing
  * Add --extra-create-metadata flag to the CSI driver
  * Add deviceClass to the object store schema
  * Simplify the log-collector container name
  * Skip csi detection if CSI is disabled
  * Remove Rook pods stuck in terminating state on a failed node
  * Timeout for rgw configuration to prevent stuck object store when no healthy OSDs
  * Update lib bucket provisioner for OBCs

From sle-security-updates at lists.suse.com Fri Mar 12 07:13:46 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Mar 2021 08:13:46 +0100 (CET)
Subject: SUSE-CU-2021:73-1: Security update of ses/7/cephcsi/csi-provisioner
Message-ID: <20210312071346.16A17FFA5@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/cephcsi/csi-provisioner
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:73-1
Container Tags : ses/7/cephcsi/csi-provisioner:v2.0.4 , ses/7/cephcsi/csi-provisioner:v2.0.4-rev1 , ses/7/cephcsi/csi-provisioner:v2.0.4-rev1-build3.198
Container Release : 3.198
Severity : important
Type : security
References : 1050625 1084671 1141597 1169006 1171883 1172695 1173582 1174016 1174436 1174942
             1175458 1175514 1175623 1177238 1177275 1177427 1177490 1177583 1177998 1178346
             1178386 1178554 1178775 1178823 1178825 1178909 1178910 1178966 1179083 1179222
             1179363 1179398 1179399 1179415 1179491 1179503 1179593 1179694 1179721 1179816
             1179824 1179909 1180038 1180077 1180138 1180225 1180603 1180603 1180663 1180721
             1180885 1181505 1182117 1182279 1182331 1182333 1182408 1182411 1182412 1182413
             1182415 1182416 1182417 1182418 1182419 1182420 1182959
             CVE-2017-9271 CVE-2019-25013 CVE-2020-1971 CVE-2020-25709 CVE-2020-25710
             CVE-2020-27618 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222
             CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227
             CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-8025 CVE-2020-8284
             CVE-2020-8285 CVE-2020-8286 CVE-2021-23840 CVE-2021-23841 CVE-2021-27212
             CVE-2021-3326
-----------------------------------------------------------------
The container ses/7/cephcsi/csi-provisioner was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1989-1
Released: Tue Jul 21 17:58:58 2020
Summary: Recommended update to SLES-releases
Type: recommended
Severity: important
References: 1173582

This update of SLES-release provides the following fix:

- Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3294-1
Released: Wed Nov 11 12:28:46 2020
Summary: Recommended update for SLES-release
Type: recommended
Severity: moderate
References: 1177998

This update for SLES-release fixes the following issue:

- Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2. (bsc#1177998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3721-1
Released: Wed Dec 9 13:36:46 2020
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1179491,CVE-2020-1971

This update for openssl-1_1 fixes the following issues:

- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3735-1
Released: Wed Dec 9 18:19:24 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286

This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OCSP verification in the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3809-1
Released: Tue Dec 15 13:46:05 2020
Summary: Recommended update for glib2
Type: recommended
Severity: moderate
References: 1178346

This update for glib2 fixes the following issues:

Update from version 2.62.5 to version 2.62.6:

- Support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)
- Fix SOCKS5 username/password authentication.
- Updated translations.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3853-1
Released: Wed Dec 16 12:27:27 2020
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825

This update for util-linux fixes the following issues:

- Do not trigger the automatic close of CDROM. (bsc#1084671)
- Try to automatically configure broken serial lines. (bsc#1175514)
- Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514)
- Build with `libudev` support to support non-root users. (bsc#1169006)
- Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to `CIFS` with mount -a.
(bsc#1174942)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3942-1
Released: Tue Dec 29 12:22:01 2020
Summary: Recommended update for libidn2
Type: recommended
Severity: moderate
References: 1180138

This update for libidn2 fixes the following issues:

- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3943-1
Released: Tue Dec 29 12:24:45 2020
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1178823

This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)

* key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:109-1
Released: Wed Jan 13 10:13:24 2021
Summary: Security update for libzypp, zypper
Type: security
Severity: moderate
References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909,CVE-2017-9271

This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.41
Update libzypp to 17.25.4

- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere.
(bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)

yast-installation was updated to 4.2.48:

- Do not cleanup the libzypp cache when the system has low memory, incomplete cache confuses libzypp later (bsc#1179415)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released: Thu Jan 14 12:26:15 2021
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:169-1
Released: Tue Jan 19 16:18:46 2021
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1179816,1180077,1180663,1180721

This update for libsolv, libzypp, zypper fixes the following issues:

libzypp was updated to 17.25.6:

- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

zypper was updated to 1.14.42:

- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)

libsolv was updated to 0.7.16:

- do not ask the namespace callback for splitprovides when writing a testcase
- fix add_complex_recommends()
selecting conflicted packages in rare cases leading to crashes
- improve choicerule generation so that package updates are preferred in more cases

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:174-1
Released: Wed Jan 20 07:55:23 2021
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1172695

This update for gnutls fixes the following issue:

- Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:197-1
Released: Fri Jan 22 15:17:42 2021
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1171883,CVE-2020-8025

This update for permissions fixes the following issues:

- Update to version 20181224:
  * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released: Tue Jan 26 14:00:51 2021
Summary: Recommended update for keyutils
Type: recommended
Severity: moderate
References: 1180603

This update for keyutils fixes the following issues:

- Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released: Wed Jan 27 12:15:33 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225

This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a
potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released: Mon Feb 1 15:06:45 2021
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1178775,1180885

This update for systemd fixes the following issues:

- Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)
- Fix for an issue when container start causes interference in other containers. (bsc#1178775)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released: Wed Feb 3 12:52:34 2021
Summary: Recommended update for gmp
Type: recommended
Severity: moderate
References: 1180603

This update for gmp fixes the following issues:

- correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released: Mon Feb 8 13:16:07 2021
Summary: Optional update for pam
Type: optional
Severity: low
References:

This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to be installed - it doesn't fix any bugs.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released: Fri Feb 26 19:53:43 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326

This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released: Mon Mar 8 16:45:27 2021
Summary: Security update for openldap2
Type: security
Severity: important
References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212

This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:754-1
Released: Tue Mar 9 17:10:49 2021
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841

This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
- Fixed unresolved error codes in FIPS (bsc#1182959).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:764-1
Released: Thu Mar 11 13:17:18 2021
Summary: Recommended update for rook
Type: recommended
Severity: moderate
References:

This update for rook fixes the following issues:

- updated rook to version 1.5.7
  * CSI Troubleshooting Guide
  * Print device information in OSD prepare logs
  * Expose vault curl error in the OSD init container for KCS configurations
  * Prevent re-using a device to configure an OSD on PVC from a previous cluster
  * Remove crash collector if all Ceph pods moved off a node
  * Add helm annotation to keep CRDs in the helm chart during uninstall
  * Bind mgr modules to all interfaces instead of pod ip
  * Check for orchestration cancellation while waiting for all OSDs to start
  * Skip pdb reconcile on create and delete events
  * Silence harmless errors in log when the operator is still initializing
  * Add --extra-create-metadata flag to the CSI driver
  * Add deviceClass to the object store schema
  * Simplify the log-collector container name
  * Skip csi detection if CSI is disabled
  * Remove Rook pods stuck in terminating state on a failed node
  * Timeout for rgw configuration to prevent stuck object store when no healthy OSDs
  * Update lib bucket provisioner for OBCs

From sle-security-updates at lists.suse.com Fri Mar 12 07:14:52 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Mar 2021 08:14:52 +0100 (CET)
Subject: SUSE-CU-2021:74-1: Security update of ses/7/cephcsi/csi-resizer
Message-ID: <20210312071452.7D6FFFFA5@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/cephcsi/csi-resizer
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:74-1
Container Tags : ses/7/cephcsi/csi-resizer:v1.0.1 , ses/7/cephcsi/csi-resizer:v1.0.1-rev1 , ses/7/cephcsi/csi-resizer:v1.0.1-rev1-build3.196
Container Release : 3.196
Severity : important
Type : security
References :
             1050625 1084671 1141597 1169006 1171883 1172695 1173582 1174016 1174436 1174942
             1175458 1175514 1175623 1177238 1177275 1177427 1177490 1177583 1177998 1178346
             1178386 1178554 1178775 1178823 1178825 1178909 1178910 1178966 1179083 1179222
             1179363 1179398 1179399 1179415 1179491 1179503 1179593 1179694 1179721 1179816
             1179824 1179909 1180038 1180077 1180138 1180225 1180603 1180603 1180663 1180721
             1180885 1181505 1182117 1182279 1182331 1182333 1182408 1182411 1182412 1182413
             1182415 1182416 1182417 1182418 1182419 1182420 1182959
             CVE-2017-9271 CVE-2019-25013 CVE-2020-1971 CVE-2020-25709 CVE-2020-25710
             CVE-2020-27618 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222
             CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227
             CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-8025 CVE-2020-8284
             CVE-2020-8285 CVE-2020-8286 CVE-2021-23840 CVE-2021-23841 CVE-2021-27212
             CVE-2021-3326
-----------------------------------------------------------------
The container ses/7/cephcsi/csi-resizer was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1989-1
Released: Tue Jul 21 17:58:58 2020
Summary: Recommended update to SLES-releases
Type: recommended
Severity: important
References: 1173582

This update of SLES-release provides the following fix:

- Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3294-1
Released: Wed Nov 11 12:28:46 2020
Summary: Recommended update for SLES-release
Type: recommended
Severity: moderate
References: 1177998

This update for SLES-release fixes the following issue:

- Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2.
(bsc#1177998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3721-1
Released: Wed Dec 9 13:36:46 2020
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1179491,CVE-2020-1971

This update for openssl-1_1 fixes the following issues:

- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3735-1
Released: Wed Dec 9 18:19:24 2020
Summary: Security update for curl
Type: security
Severity: moderate
References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286

This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OCSP verification in the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3809-1
Released: Tue Dec 15 13:46:05 2020
Summary: Recommended update for glib2
Type: recommended
Severity: moderate
References: 1178346

This update for glib2 fixes the following issues:

Update from version 2.62.5 to version 2.62.6:

- Support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)
- Fix SOCKS5 username/password authentication.
- Updated translations.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3853-1
Released: Wed Dec 16 12:27:27 2020
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825

This update for util-linux fixes the following issues:

- Do not trigger the automatic close of CDROM. (bsc#1084671)
- Try to automatically configure broken serial lines.
(bsc#1175514)
- Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514)
- Build with `libudev` support to support non-root users. (bsc#1169006)
- Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to `CIFS` with mount -a. (bsc#1174942)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3942-1
Released: Tue Dec 29 12:22:01 2020
Summary: Recommended update for libidn2
Type: recommended
Severity: moderate
References: 1180138

This update for libidn2 fixes the following issues:

- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3943-1
Released: Tue Dec 29 12:24:45 2020
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1178823

This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)

* key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:109-1
Released: Wed Jan 13 10:13:24 2021
Summary: Security update for libzypp, zypper
Type: security
Severity: moderate
References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909,CVE-2017-9271

This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.41
Update libzypp to 17.25.4

- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)

yast-installation was updated to 4.2.48:

- Do not cleanup the libzypp cache when the system has low memory, incomplete cache confuses libzypp later (bsc#1179415)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released: Thu Jan 14 12:26:15 2021
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection.
(bsc#1179503)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:169-1
Released: Tue Jan 19 16:18:46 2021
Summary: Recommended update for libsolv, libzypp, zypper
Type: recommended
Severity: moderate
References: 1179816,1180077,1180663,1180721

This update for libsolv, libzypp, zypper fixes the following issues:

libzypp was updated to 17.25.6:

- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

zypper was updated to 1.14.42:

- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)

libsolv was updated to 0.7.16:

- do not ask the namespace callback for splitprovides when writing a testcase
- fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes
- improve choicerule generation so that package updates are preferred in more cases

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:174-1
Released: Wed Jan 20 07:55:23 2021
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1172695

This update for gnutls fixes the following issue:

- Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:197-1
Released: Fri Jan 22 15:17:42 2021
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1171883,CVE-2020-8025

This update for permissions fixes the following issues:

- Update to version 20181224:
  * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released: Tue Jan 26 14:00:51 2021
Summary: Recommended update for keyutils
Type: recommended
Severity: moderate
References: 1180603

This update for keyutils fixes the following issues:

- Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released: Wed Jan 27 12:15:33 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225

This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released: Mon Feb 1 15:06:45 2021
Summary: Recommended update for systemd
Type: recommended
Severity: important
References: 1178775,1180885

This update for systemd fixes the following issues:

- Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)
- Fix for an issue when container start causes interference in other containers.
(bsc#1178775)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released: Wed Feb 3 12:52:34 2021
Summary: Recommended update for gmp
Type: recommended
Severity: moderate
References: 1180603

This update for gmp fixes the following issues:

- correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released: Mon Feb 8 13:16:07 2021
Summary: Optional update for pam
Type: optional
Severity: low
References:

This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to be installed - it doesn't fix any bugs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released: Fri Feb 26 19:53:43 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326

This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released: Mon Mar 8 16:45:27 2021
Summary: Security update for openldap2
Type: security
Severity: important
References:
1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 This update for openldap2 fixes the following issues: - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. - bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). - bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:754-1 Released: Tue Mar 9 17:10:49 2021 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841 This update for openssl-1_1 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) - Fixed unresolved error codes in FIPS (bsc#1182959). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:764-1 Released: Thu Mar 11 13:17:18 2021 Summary: Recommended update for rook Type: recommended Severity: moderate References: This update for rook fixes the following issues: - updated rook to version 1.5.7 * CSI Troubleshooting Guide * Print device information in OSD prepare logs * Expose vault curl error in the OSD init container for KCS configurations * Prevent re-using a device to configure an OSD on PVC from a previous cluster * Remove crash collector if all Ceph pods moved off a node * Add helm annotation to keep CRDs in the helm chart during uninstall * Bind mgr modules to all interfaces instead of pod ip * Check for orchestration cancellation while waiting for all OSDs to start * Skip pdb reconcile on create and delete events * Silence harmless errors in log when the operator is still initializing * Add --extra-create-metadata flag to the CSI driver * Add deviceClass to the object store schema * Simplify the log-collector container name * Skip csi detection if CSI is disabled * Remove Rook pods stuck in terminating state on a failed node * Timeout for rgw configuration to prevent stuck object store when no healthy OSDs * Update lib bucket provisioner for OBCs From sle-security-updates at lists.suse.com Fri Mar 12 07:16:03 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 
12 Mar 2021 08:16:03 +0100 (CET) Subject: SUSE-CU-2021:75-1: Security update of ses/7/cephcsi/csi-snapshotter Message-ID: <20210312071603.5830FFFA5@maintenance.suse.de> SUSE Container Update Advisory: ses/7/cephcsi/csi-snapshotter ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:75-1 Container Tags : ses/7/cephcsi/csi-snapshotter:v3.0.2 , ses/7/cephcsi/csi-snapshotter:v3.0.2-rev1 , ses/7/cephcsi/csi-snapshotter:v3.0.2-rev1-build3.195 Container Release : 3.195 Severity : important Type : security References : 1050625 1084671 1141597 1169006 1171883 1172695 1173582 1174016 1174436 1174942 1175458 1175514 1175623 1177238 1177275 1177427 1177490 1177583 1177998 1178346 1178386 1178554 1178775 1178823 1178825 1178909 1178910 1178966 1179083 1179222 1179363 1179398 1179399 1179415 1179491 1179503 1179593 1179694 1179721 1179816 1179824 1179909 1180038 1180077 1180138 1180225 1180603 1180603 1180663 1180721 1180885 1181505 1182117 1182279 1182331 1182333 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182959 CVE-2017-9271 CVE-2019-25013 CVE-2020-1971 CVE-2020-25709 CVE-2020-25710 CVE-2020-27618 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-8025 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2021-23840 CVE-2021-23841 CVE-2021-27212 CVE-2021-3326 ----------------------------------------------------------------- The container ses/7/cephcsi/csi-snapshotter was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1989-1
Released:    Tue Jul 21 17:58:58 2020
Summary:     Recommended update to SLES-releases
Type:        recommended
Severity:    important
References:  1173582
This update of SLES-release provides the following fix:

- Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3294-1
Released:    Wed Nov 11 12:28:46 2020
Summary:     Recommended update for SLES-release
Type:        recommended
Severity:    moderate
References:  1177998
This update for SLES-release fixes the following issue:

- Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2. (bsc#1177998)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3721-1
Released:    Wed Dec 9 13:36:46 2020
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1179491,CVE-2020-1971
This update for openssl-1_1 fixes the following issues:

- CVE-2020-1971: Fixed a NULL pointer dereference in EDIPARTYNAME (bsc#1179491).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3735-1
Released:    Wed Dec 9 18:19:24 2020
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286
This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OCSP verification in the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3809-1
Released:    Tue Dec 15 13:46:05 2020
Summary:     Recommended update for glib2
Type:        recommended
Severity:    moderate
References:  1178346
This update for glib2 fixes the following issues:

Update from version 2.62.5 to version 2.62.6:

- Support for slim format of timezone. (bsc#1178346)
- Fix DST incorrect end day when using slim format. (bsc#1178346)
- Fix SOCKS5 username/password authentication.
- Updated translations.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3853-1
Released:    Wed Dec 16 12:27:27 2020
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1084671,1169006,1174942,1175514,1175623,1178554,1178825
This update for util-linux fixes the following issues:

- Do not trigger the automatic close of CDROM. (bsc#1084671)
- Try to automatically configure broken serial lines. (bsc#1175514)
- Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514)
- Build with `libudev` support to support non-root users. (bsc#1169006)
- Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to `CIFS` with mount -a. (bsc#1174942)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3942-1
Released:    Tue Dec 29 12:22:01 2020
Summary:     Recommended update for libidn2
Type:        recommended
Severity:    moderate
References:  1180138
This update for libidn2 fixes the following issues:

- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later; adjusted the RPM license tags (bsc#1180138)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3943-1
Released:    Tue Dec 29 12:24:45 2020
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1178823
This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)
  * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
  * This fix uses a hash table to avoid the quadratic behaviour.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:109-1
Released:    Wed Jan 13 10:13:24 2021
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    moderate
References:  1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909,CVE-2017-9271
This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.41
Update libzypp to 17.25.4

- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)

yast-installation was updated to 4.2.48:

- Do not cleanup the libzypp cache when the system has low memory, incomplete cache confuses libzypp later (bsc#1179415)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released:    Thu Jan 14 12:26:15 2021
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1178909,1179503,CVE-2020-25709,CVE-2020-25710
This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:169-1
Released:    Tue Jan 19 16:18:46 2021
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1179816,1180077,1180663,1180721
This update for libsolv, libzypp, zypper fixes the following issues:

libzypp was updated to 17.25.6:

- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

zypper was updated to 1.14.42:

- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)

libsolv was updated to 0.7.16:

- do not ask the namespace callback for splitprovides when writing a testcase
- fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes
- improve choicerule generation so that package updates are preferred in more cases

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:174-1
Released:    Wed Jan 20 07:55:23 2021
Summary:     Recommended update for gnutls
Type:        recommended
Severity:    moderate
References:  1172695
This update for gnutls fixes the following issue:

- Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:197-1
Released:    Fri Jan 22 15:17:42 2021
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1171883,CVE-2020-8025
This update for permissions fixes the following issues:

- Update to version 20181224:
  * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released:    Tue Jan 26 14:00:51 2021
Summary:     Recommended update for keyutils
Type:        recommended
Severity:    moderate
References:  1180603
This update for keyutils fixes the following issues:

- Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released:    Wed Jan 27 12:15:33 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1141597,1174436,1175458,1177490,1179363,1179824,1180225
This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a potential error when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released:    Mon Feb 1 15:06:45 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1178775,1180885
This update for systemd fixes the following issues:

- Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)
- Fix for an issue when container start causes interference in other containers. (bsc#1178775)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released:    Wed Feb 3 12:52:34 2021
Summary:     Recommended update for gmp
Type:        recommended
Severity:    moderate
References:  1180603
This update for gmp fixes the following issues:

- Correct license statements of packages (the library itself is not GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released:    Mon Feb 8 13:16:07 2021
Summary:     Optional update for pam
Type:        optional
Severity:    low
References:
This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to be installed - it doesn't fix any bugs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released:    Fri Feb 26 19:53:43 2021
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released:    Mon Mar 8 16:45:27 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:754-1
Released:    Tue Mar 9 17:10:49 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841
This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a NULL pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
- Fixed unresolved error codes in FIPS (bsc#1182959).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:764-1
Released:    Thu Mar 11 13:17:18 2021
Summary:     Recommended update for rook
Type:        recommended
Severity:    moderate
References:
This update for rook fixes the following issues:

- updated rook to version 1.5.7
  * CSI Troubleshooting Guide
  * Print device information in OSD prepare logs
  * Expose vault curl error in the OSD init container for KCS configurations
  * Prevent re-using a device to configure an OSD on PVC from a previous cluster
  * Remove crash collector if all Ceph pods moved off a node
  * Add helm annotation to keep CRDs in the helm chart during uninstall
  * Bind mgr modules to all interfaces instead of pod ip
  * Check for orchestration cancellation while waiting for all OSDs to start
  * Skip pdb reconcile on create and delete events
  * Silence harmless errors in log when the operator is still initializing
  * Add --extra-create-metadata flag to the CSI driver
  * Add deviceClass to the object store schema
  * Simplify the log-collector container name
  * Skip csi detection if CSI is disabled
  * Remove Rook pods stuck in terminating state on a failed node
  * Timeout for rgw configuration to prevent stuck object store when no healthy OSDs
  * Update lib bucket provisioner for OBCs

From sle-security-updates at lists.suse.com Fri Mar 12 07:19:02 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Mar 2021 08:19:02 +0100 (CET)
Subject: SUSE-CU-2021:76-1: Security update of ses/7/rook/ceph
Message-ID: <20210312071902.AA364FFA5@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:76-1
Container Tags        : ses/7/rook/ceph:1.5.7 , ses/7/rook/ceph:1.5.7.4 , ses/7/rook/ceph:1.5.7.4.1.1512 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus
Container Release     : 1.1512
Severity              : important
Type                  : security
References            : 1050625 1084671 1098449 1141597 1144793 1155094 1168771 1169006 1171883 1172695 1173513 1173582 1174016 1174091 1174436 1174571 1174701 1174942 1175458 1175514 1175623 1176262 1177120 1177127 1177211 1177238 1177275 1177427 1177460 1177460 1177490 1177533 1177583 1177658 1177998 1178009 1178346 1178386 1178554 1178775 1178823 1178825 1178860 1178909 1178910 1178966 1179016 1179083 1179193 1179222 1179363 1179398 1179399 1179415 1179452 1179491 1179503 1179526 1179593 1179630 1179691 1179691 1179694 1179721 1179738 1179756 1179816 1179824 1179909 1180038 1180077 1180107 1180138 1180155 1180225 1180377 1180501 1180603 1180603 1180663 1180676 1180684 1180685 1180686 1180687 1180721 1180885 1181090 1181126 1181319 1181505 1181944 1182066 1182117 1182244 1182279 1182331 1182333 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182959 CVE-2017-9271 CVE-2019-16935 CVE-2019-18348 CVE-2019-20907 CVE-2019-20916 CVE-2019-25013 CVE-2019-5010 CVE-2020-14145 CVE-2020-14422 CVE-2020-1971 CVE-2020-25709 CVE-2020-25710 CVE-2020-26116 CVE-2020-26137 CVE-2020-27618 CVE-2020-27619 CVE-2020-27781 CVE-2020-28493 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-36242 CVE-2020-8025 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2020-8492 CVE-2021-23239 CVE-2021-23240 CVE-2021-23840 CVE-2021-23841 CVE-2021-27212 CVE-2021-3139 CVE-2021-3156 CVE-2021-3177 CVE-2021-3326
-----------------------------------------------------------------

The container ses/7/rook/ceph was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1989-1 Released: Tue Jul 21 17:58:58 2020 Summary: Recommended update to SLES-releases Type: recommended Severity: important References: 1173582 This update of SLES-release provides the following fix: - Obsolete Leap 15.2 as well to allow migration from Leap to SLE. (bsc#1173582) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3294-1 Released: Wed Nov 11 12:28:46 2020 Summary: Recommended update for SLES-release Type: recommended Severity: moderate References: 1177998 This update for SLES-release fixes the following issue: - Obsolete Leap 15.2.1 (jump) to allow migration from Jump/Leap 15.2.1 to SLE 15 SP2. (bsc#1177998) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3721-1 Released: Wed Dec 9 13:36:46 2020 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1179491,CVE-2020-1971 This update for openssl-1_1 fixes the following issues: - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3723-1 Released: Wed Dec 9 13:37:55 2020 Summary: Security update for python-urllib3 Type: security Severity: moderate References: 1177120,CVE-2020-26137 This update for python-urllib3 fixes the following issues: - CVE-2020-26137: Fixed a CRLF injection via HTTP request method (bsc#1177120). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3735-1 Released: Wed Dec 9 18:19:24 2020 Summary: Security update for curl Type: security Severity: moderate References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286 This update for curl fixes the following issues: - CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). 
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399). - CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3736-1 Released: Wed Dec 9 18:19:58 2020 Summary: Security update for openssh Type: security Severity: moderate References: 1173513,CVE-2020-14145 This update for openssh fixes the following issues: - CVE-2020-14145: Fixed a potential information leak during host key exchange (bsc#1173513). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3747-1 Released: Thu Dec 10 13:54:49 2020 Summary: Recommended update for ceph Type: recommended Severity: moderate References: 1179452,1179526 This update for ceph fixes the following issues: - Fixed an issue when reading a large 'RGW' object takes too long and can cause data loss. (bsc#1179526) - Fixed a build issue caused by missing nautilus module named 'six'. (bsc#1179452) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3791-1 Released: Mon Dec 14 17:39:19 2020 Summary: Recommended update for gzip Type: recommended Severity: moderate References: This update for gzip fixes the following issue: - Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775) Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3809-1 Released: Tue Dec 15 13:46:05 2020 Summary: Recommended update for glib2 Type: recommended Severity: moderate References: 1178346 This update for glib2 fixes the following issues: Update from version 2.62.5 to version 2.62.6: - Support for slim format of timezone. (bsc#1178346) - Fix DST incorrect end day when using slim format. (bsc#1178346) - Fix SOCKS5 username/password authentication. - Updated translations. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3853-1 Released: Wed Dec 16 12:27:27 2020 Summary: Recommended update for util-linux Type: recommended Severity: moderate References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825 This update for util-linux fixes the following issue: - Do not trigger the automatic close of CDROM. (bsc#1084671) - Try to automatically configure broken serial lines. (bsc#1175514) - Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514) - Build with `libudev` support to support non-root users. (bsc#1169006) - Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825) - Fix warning on mounts to `CIFS` with mount ???a. (bsc#1174942) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3894-1 Released: Mon Dec 21 12:56:05 2020 Summary: Security update for ceph Type: security Severity: important References: 1178860,1179016,1180107,1180155,CVE-2020-27781 This update for ceph fixes the following issues: Security issue fixed: - CVE-2020-27781: Fixed a privilege escalation via the ceph_volume_client Python interface (bsc#1180155). 
Non-security issues fixed: - Update to 15.2.8-80-g1f4b6229ca: + Rebase on tip of upstream 'octopus' branch, SHA1 bdf3eebcd22d7d0b3dd4d5501bee5bac354d5b55 * upstream Octopus v15.2.8 release, see https://ceph.io/releases/v15-2-8-octopus-released/ - Update to 15.2.7-776-g343cd10fe5: + Rebase on tip of upstream 'octopus' branch, SHA1 1b8a634fdcd94dfb3ba650793fb1b6d09af65e05 * (bsc#1178860) mgr/dashboard: Disable TLS 1.0 and 1.1 + (bsc#1179016) rpm: require smartmontools on SUSE + (bsc#1180107) ceph-volume: pass --filter-for-batch from drive-group subcommand ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3921-1 Released: Tue Dec 22 15:19:17 2020 Summary: Recommended update for libpwquality Type: recommended Severity: low References: This update for libpwquality fixes the following issues: - Implement alignment with 'pam_cracklib'. (jsc#SLE-16720) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3930-1 Released: Wed Dec 23 18:19:39 2020 Summary: Security update for python3 Type: security Severity: important References: 1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630,CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492 This update for python3 fixes the following issues: - Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP. - Change setuptools and pip version numbers according to new wheels - Handful of changes to make python36 compatible with SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738) - add triplets for mips-r6 and riscv - RISC-V needs CTYPES_PASS_BY_REF_HACK Update to 3.6.12 (bsc#1179193) * Ensure python3.dll is loaded from correct locations when Python is embedded * The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. 
This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address). * Prevent http header injection by rejecting control characters in http.client.putrequest(???). * Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing. * Avoid infinite loop when reading specially crafted TAR files using the tarfile module - This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091). Update to 3.6.11: - Disallow CR or LF in email.headerregistry. Address arguments to guard against header injection attacks. - Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised. (bsc#1155094) - CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3942-1 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Type: recommended Severity: moderate References: 1180138 This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3943-1 Released: Tue Dec 29 12:24:45 2020 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1178823 This update for libxml2 fixes the following issues: Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823) * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). * This fix uses a hash table to avoid the quadratic behaviour. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3946-1 Released: Tue Dec 29 17:39:54 2020 Summary: Recommended update for python3 Type: recommended Severity: important References: 1180377 This update for python3 fixes the following issues: - A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3, which caused regressions in several applications. (bsc#1180377) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:6-1 Released: Mon Jan 4 07:05:06 2021 Summary: Recommended update for libdlm Type: recommended Severity: moderate References: 1098449,1144793,1168771,1177533,1177658 This update for libdlm fixes the following issues: - Rework libdlm3 require with a shared library version tag instead so it propagates to all consuming packages.(bsc#1177658, bsc#1098449) - Add support for type 'uint64_t' to corosync ringid. 
(bsc#1168771) - Include some fixes/enhancements for dlm_controld. (bsc#1144793) - Fixed an issue where /boot logical volume was accidentally unmounted. (bsc#1177533) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:109-1 Released: Wed Jan 13 10:13:24 2021 Summary: Security update for libzypp, zypper Type: security Severity: moderate References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179909,CVE-2017-9271 This update for libzypp, zypper fixes the following issues: Update zypper to version 1.14.41 Update libzypp to 17.25.4 - CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583) - RepoManager: Force refresh if repo url has changed (bsc#1174016) - RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966) - RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427). - RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910) - Fixed update of gpg keys with elongated expire date (bsc#1179222) - needreboot: remove udev from the list (bsc#1179083) - Fix lsof monitoring (bsc#1179909) yast-installation was updated to 4.2.48: - Do not cleanup the libzypp cache when the system has low memory, incomplete cache confuses libzypp later (bsc#1179415) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:93-1 Released: Wed Jan 13 16:45:40 2021 Summary: Security update for tcmu-runner Type: security Severity: important References: 1180676,CVE-2021-3139 This update for tcmu-runner fixes the following issues: - CVE-2021-3139: Fixed a LIO security issue (bsc#1180676). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:129-1 Released: Thu Jan 14 12:26:15 2021 Summary: Security update for openldap2 Type: security Severity: moderate References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909). - CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909). Non-security issue fixed: - Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:152-1 Released: Fri Jan 15 17:04:47 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1179691,1179738 This update for lvm2 fixes the following issues: - Fix for lvm2 to use udev as external device by default. (bsc#1179691) - Fixed an issue in configuration for an item that is commented out by default. 
(bsc#1179738) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:169-1 Released: Tue Jan 19 16:18:46 2021 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1179816,1180077,1180663,1180721 This update for libsolv, libzypp, zypper fixes the following issues: libzypp was updated to 17.25.6: - Rephrase solver problem descriptions (jsc#SLE-8482) - Adapt to changed gpg2/libgpgme behavior (bsc#1180721) - Multicurl backend breaks with unknown filesize (fixes #277) zypper was updated to 1.14.42: - Fix source-download commands help (bsc#1180663) - man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816) - Extend apt packagemap (fixes #366) - --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077) libsolv was updated to 0.7.16: - do not ask the namespace callback for splitprovides when writing a testcase - fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes - improve choicerule generation so that package updates are preferred in more cases ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:174-1 Released: Wed Jan 20 07:55:23 2021 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1172695 This update for gnutls fixes the following issue: - Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:179-1 Released: Wed Jan 20 13:38:51 2021 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: - timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug. 
- timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:197-1 Released: Fri Jan 22 15:17:42 2021 Summary: Security update for permissions Type: security Severity: moderate References: 1171883,CVE-2020-8025 This update for permissions fixes the following issues: - Update to version 20181224: * pcp: remove no longer needed / conflicting entries (bsc#1171883, CVE-2020-8025) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:208-1 Released: Mon Jan 25 16:17:09 2021 Summary: Recommended update for rook Type: recommended Severity: moderate References: This update for rook fixes the following issues: - Update to v1.4.8 * Ceph * Update base operator image and example manifests to Ceph v15.2.7 (#6690) * Merge custom labels properly with other labels in the spec (#6720) * Uninstall cleanup ignores ceph daemon pods that are in pending state (#6719) * Orchestration is aborted and restarted if the cluster CR is updated (#6693) * Restore mon clusterIP if the service is missing in disaster recovery scenarios (#6658) * Set the RGW deployment version label (#6610) * Add privileged securityContext to CephFS provisioner (#6561) - Fix registry URL to SUSE for remaining example YAML files. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:220-1 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate References: 1180603 This update for keyutils fixes the following issues: - Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:227-1 Released: Tue Jan 26 19:22:14 2021 Summary: Security update for sudo Type: security Severity: important References: 1180684,1180685,1180687,1181090,CVE-2021-23239,CVE-2021-23240,CVE-2021-3156 This update for sudo fixes the following issues: - A heap-based buffer overflow in sudo could be exploited to allow a user to gain root privileges [bsc#1181090,CVE-2021-3156] - It was possible for a user to test for the existence of a directory due to a race condition in `sudoedit` [bsc#1180684,CVE-2021-23239] - A possible symlink attack vector existed in `sudoedit` if SELinux was running in permissive mode [bsc#1180685, CVE-2021-23240] - It was possible for a user to enable debug settings not intended for them [bsc#1180687] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:233-1 Released: Wed Jan 27 12:15:33 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225 This update for systemd fixes the following issues: - Added a timestamp to the output of the busctl monitor command (bsc#1180225) - Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824) - Improved the caching of cgroups member mask (bsc#1175458) - Fixed the dependency definition of sound.target (bsc#1179363) - Fixed a bug that could lead to a potential error, when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436) - 
time-util: treat /etc/localtime missing as UTC (bsc#1141597) - Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:265-1 Released: Mon Feb 1 15:06:45 2021 Summary: Recommended update for systemd Type: recommended Severity: important References: 1178775,1180885 This update for systemd fixes the following issues: - Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998) - Fix for an issue when container start causes interference in other containers. (bsc#1178775) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:278-1 Released: Tue Feb 2 09:43:08 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1181319 This update for lvm2 fixes the following issues: - Backport 'lvmlockd' to adopt orphan locks feature. (bsc#1181319) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:293-1 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Type: recommended Severity: moderate References: 1180603 This update for gmp fixes the following issues: - correct license statements of packages (the library itself is not GPL-3.0) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:301-1 Released: Thu Feb 4 08:46:27 2021 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: - timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:302-1 Released: Thu Feb 4 13:18:35 2021 Summary: Recommended update for lvm2 Type: recommended Severity: important References: 1179691 This update for lvm2 fixes the following issues: - lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691). If this behavior is still wanted, please change this manually in the lvm.conf ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:339-1 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Type: optional Severity: low References: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:519-1 Released: Fri Feb 19 09:44:53 2021 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1180501 This update for openssh fixes the following issues: - Fixed a crash which sometimes occurred on connection termination, caused by accessing freed memory (bsc#1180501) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:529-1 Released: Fri Feb 19 14:53:47 2021 Summary: Security update for python3 Type: security Severity: moderate References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177 This update for python3 fixes the following issues: - CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126). - Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in its correct form (bsc#1180686). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:594-1 Released: Thu Feb 25 09:29:35 2021 Summary: Security update for python-cryptography Type: security Severity: important References: 1182066,CVE-2020-36242 This update for python-cryptography fixes the following issues: - CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi-gigabyte values could result in an integer overflow and buffer overflow (bsc#1182066). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:653-1 Released: Fri Feb 26 19:53:43 2021 Summary: Security update for glibc Type: security Severity: important References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326 This update for glibc fixes the following issues: - Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973) - x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649) - gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256) - iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224) - iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923) - Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:654-1 Released: Fri Feb 26 20:01:10 2021 Summary: Security update for python-Jinja2 Type: security Severity: important References: 1181944,1182244,CVE-2020-28493 This update for python-Jinja2 fixes the following issues: - CVE-2020-28493: Fixed a ReDoS vulnerability where urlize could have been called with untrusted user data (bsc#1181944). 
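Two items in this digest are the same bug class: the python3 entry for CVE-2020-8492 (AbstractBasicAuthHandler in urllib.request) and the python-Jinja2 entry for CVE-2020-28493 (urlize). In both, a regular expression with an ambiguous quantifier is run over attacker-controlled text, and a crafted input makes the backtracking engine explore an exponential number of ways to split the string before it can report no match. The block below is an added example written for this page, not code from CPython, Jinja2 or the SUSE updates. It uses the urllib pattern pair (quoted from memory, so the exact text may differ slightly from what shipped) and does not reproduce the Jinja2 pattern; adversarial_header() constructs the hostile WWW-Authenticate value, and the timing helper lets you watch the cost roughly double per extra comma before the fix and stay flat after it.

```python
"""Added example for the ReDoS fixes above; not CPython, Jinja2 or SUSE code."""
import re
import time
from typing import Optional

# Pattern used by urllib.request.AbstractBasicAuthHandler before the
# CVE-2020-8492 fix (quoted from memory; treat as an approximation).
# '(?:.*,)*' lets every comma either close a loop iteration or be swallowed by
# '.*', so a WWW-Authenticate value with n commas and no 'realm=' makes the
# engine try about 2**n ways to split the string before search() gives up.
RX_BEFORE = re.compile(r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)

# Rewritten pattern: each challenge is anchored at the start of the value or at
# a comma, and commas are excluded from the scheme token, so there is only one
# way to place each match and the scan stays linear in the input length.
RX_AFTER = re.compile(r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)


def basic_realm(www_authenticate: str) -> Optional[str]:
    """Return the realm of the first Basic challenge, as the fixed handler does."""
    for mo in RX_AFTER.finditer(www_authenticate):
        scheme, _quote, realm = mo.groups()
        if scheme.lower() == "basic":
            return realm
    return None


def adversarial_header(n: int) -> str:
    """Constructed WWW-Authenticate value: n comma-separated tokens and no realm."""
    return "a," * n + "b"


def seconds_to_search(rx: re.Pattern, text: str) -> float:
    """Wall-clock cost of one rx.search() over text."""
    start = time.perf_counter()
    rx.search(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Before the fix the cost roughly doubles per comma; 18 commas already
    # takes a noticeable fraction of a second on a desktop CPU.
    for n in (8, 12, 16, 18):
        print("before fix, %2d commas: %.4f s" % (n, seconds_to_search(RX_BEFORE, adversarial_header(n))))
    print("after fix, 2000 commas: %.4f s" % seconds_to_search(RX_AFTER, adversarial_header(2000)))
```

The general rule the fix illustrates: when one quantified group can consume the same characters as the quantifier around it (here '.*' versus the outer '*'), the pattern is ambiguous and a non-matching input forces the engine to try every partition. Anchoring each repetition at a delimiter and excluding that delimiter from the inner class removes the ambiguity without changing what the regex accepts on well-formed headers.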
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:656-1 Released: Mon Mar 1 09:34:21 2021 Summary: Recommended update for protobuf Type: recommended Severity: moderate References: 1177127 This update for protobuf fixes the following issues: - Add missing dependency of python subpackages on python-six. (bsc#1177127) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:723-1 Released: Mon Mar 8 16:45:27 2021 Summary: Security update for openldap2 Type: security Severity: important References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212 This update for openldap2 fixes the following issues: - bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service. - bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service. - bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service. - bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service. - bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service. - bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service. 
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck). - bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read). - bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:754-1 Released: Tue Mar 9 17:10:49 2021 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841 This update for openssl-1_1 fixes the following issues: - CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333) - CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331) - Fixed unresolved error codes in FIPS (bsc#1182959). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:764-1 Released: Thu Mar 11 13:17:18 2021 Summary: Recommended update for rook Type: recommended Severity: moderate References: This update for rook fixes the following issues: - updated rook to version 1.5.7 * CSI Troubleshooting Guide * Print device information in OSD prepare logs * Expose vault curl error in the OSD init container for KCS configurations * Prevent re-using a device to configure an OSD on PVC from a previous cluster * Remove crash collector if all Ceph pods moved off a node * Add helm annotation to keep CRDs in the helm chart during uninstall * Bind mgr modules to all interfaces instead of pod ip * Check for orchestration cancellation while waiting for all OSDs to start * Skip pdb reconcile on create and delete events * Silence harmless errors in log when the operator is still initializing * Add --extra-create-metadata flag to the CSI driver * Add deviceClass to the object store schema * Simplify the log-collector container name * Skip csi detection if CSI is disabled * Remove Rook pods stuck in terminating state on a failed node * Timeout for rgw configuration to prevent stuck object store when no healthy OSDs * Update lib bucket provisioner for OBCs From sle-security-updates at lists.suse.com Fri Mar 12 14:17:02 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 12 Mar 2021 15:17:02 +0100 (CET) Subject: SUSE-SU-2021:0772-1: important: Security update for stunnel Message-ID: <20210312141702.83961FD17@maintenance.suse.de> SUSE Security Update: Security update for stunnel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0772-1 Rating: important References: #1177580 #1182529 Cross-References: CVE-2021-20230 CVSS scores: CVE-2021-20230 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-20230 (SUSE): 7.5 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP2 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for stunnel fixes the following issues: - Security fix: [bsc#1177580, bsc#1182529, CVE-2021-20230] * "redirect" option does not properly handle "verifyChain = yes" Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-772=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): stunnel-5.57-3.11.1 stunnel-debuginfo-5.57-3.11.1 stunnel-debugsource-5.57-3.11.1 References: https://www.suse.com/security/cve/CVE-2021-20230.html https://bugzilla.suse.com/1177580 https://bugzilla.suse.com/1182529 From sle-security-updates at lists.suse.com Fri Mar 12 17:17:26 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 12 Mar 2021 18:17:26 +0100 (CET) Subject: SUSE-SU-2021:0773-1: important: Security update for slurm_20_11 and pdsh Message-ID: <20210312171726.4F137FD17@maintenance.suse.de> SUSE Security Update: Security update for slurm_20_11 and pdsh ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0773-1 Rating: important References: #1018371 #1065697 #1085240 #1095508 #1123304 #1140709 #1155784 #1159692 #1172004 #1178890 #1178891 ECO-2412 Cross-References: CVE-2016-10030 CVE-2017-15566 CVE-2018-10995 CVE-2018-7033 CVE-2019-12838 CVE-2019-19727 CVE-2019-19728 CVE-2019-6438 CVE-2020-12693 CVE-2020-27745 CVE-2020-27746 CVSS scores: 
CVE-2016-10030 (NVD) : 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-15566 (NVD) : 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-10995 (NVD) : 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2018-10995 (SUSE): 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2018-7033 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-7033 (SUSE): 4.4 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2019-12838 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-12838 (SUSE): 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2019-19727 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2019-19728 (NVD) : 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2019-19728 (SUSE): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2019-6438 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-12693 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-12693 (SUSE): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2020-27745 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2020-27745 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-27746 (NVD) : 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2020-27746 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Affected Products: SUSE Linux Enterprise Module for HPC 12 ______________________________________________________________________________ An update that fixes 11 vulnerabilities, contains one feature is now available. Description: This update for pdsh fixes the following issues: - Preparing pdsh for Slurm 20.11 (jsc#ECO-2412) - Simplify convoluted condition. This update for slurm fixes the following issues: - Fix potential buffer overflows from use of unpackmem(). CVE-2020-27745 (bsc#1178890) - Fix potential leak of the magic cookie when sent as an argument to the xauth command. CVE-2020-27746 (bsc#1178891) - Add support for openPMIx also for Leap/SLE 15.0/1 (bsc#1173805). 
- Updated to 20.02.3 which fixes CVE-2020-12693 (bsc#1172004). - slurm-plugins will now also require pmix not only libpmix (bsc#1164326) - Removed autopatch as it doesn't work for the SLE-11-SP4 build. - Disable %arm builds as this is no longer supported. - pmix searches now also for libpmix.so.2 so that there is no dependency for devel package (bsc#1164386) - Update to version 20.02.0 (jsc#SLE-8491) * Fix minor memory leak in slurmd on reconfig. * Fix invalid ptr reference when rolling up data in the database. * Change shtml2html.py to require python3 for RHEL8 support, and match man2html.py. * slurm.spec - override "hardening" linker flags to ensure RHEL8 builds in a usable manner. * Fix type mismatches in the perl API. * Prevent use of uninitialized slurmctld_diag_stats. * Fixed various Coverity issues. * Only show warning about root-less topology in daemons. * Fix accounting of jobs in IGNORE_JOBS reservations. * Fix issue with batch steps state not loading correctly when upgrading from 19.05. * Deprecate max_depend_depth in SchedulerParameters and move it to DependencyParameters. * Silence erroneous error on slurmctld upgrade when loading federation state. * Break infinite loop in cons_tres dealing with incorrect tasks per tres request resulting in slurmctld hang. * Improve handling of --gpus-per-task to make sure appropriate number of GPUs is assigned to job. * Fix seg fault on cons_res when requesting --spread-job. - Move to python3 for everything but SLE-11-SP4 * For SLE-11-SP4 add a workaround to handle a python3 script (python2.7 compliant). * sbatch - fix segfault when no newline at the end of a burst buffer file. * Change scancel to only check job's base state when matching -t options. * Save job dependency list in state files. * cons_tres - allow jobs to be run on systems with root-less topologies. * Restore pre-20.02pre1 PrologSlurmctld synchronization behavior to avoid various race conditions, and ensure proper batch job launch. 
* Add new slurmrestd command/daemon which implements the Slurm REST API. - standard slurm.conf uses now also SlurmctldHost on all build targets (bsc#1162377) - start slurmdbd after mariadb (bsc#1161716) - Update to version 19.05.5 (jsc#SLE-8491) * Includes security fixes CVE-2019-19727, CVE-2019-19728, CVE-2019-12838. * Disable i586 builds as this is no longer supported. * Create libnss_slurm package to support user and group resolution thru slurmstepd. - Update to v18.08.9 for fixing CVE-2019-19728 (bsc#1159692). * Make Slurm compile on linux after sys/sysctl.h was deprecated. * Install slurmdbd.conf.example with 0600 permissions to encourage secure use. CVE-2019-19727. * srun - do not continue with job launch if --uid fails. CVE-2019-19728. - added pmix support jsc#SLE-10800 - Use --with-shared-libslurm to build slurm binaries using libslurm. - Make libslurm depend on slurm-config. - Fix ownership of /var/spool/slurm on new installations and upgrade (bsc#1158696). - Fix permissions of slurmdbd.conf (bsc#1155784, CVE-2019-19727). - Fix %posttrans macro _res_update to cope with added newline (bsc#1153259). - Add package slurm-webdoc which sets up a web server to provide the documentation for the version shipped. - Move srun from 'slurm' to 'slurm-node': srun is required on the nodes as well so sbatch will work. 'slurm-node' is a requirement when 'slurm' is installed (bsc#1153095). - Updated to 18.08.8 for fixing (CVE-2019-12838, bsc#1140709, jsc#SLE-7341, jsc#SLE-7342) * Update "xauth list" to use the same 10000ms timeout as the other xauth commands. * Fix issue in gres code to handle a gres cnt of 0. * Don't purge jobs if backfill is running. * Verify job is pending add/removing accrual time. * Don't abort when the job doesn't have an association that was removed before the job was able to make it to the database. * Set state_reason if select_nodes() fails job for QOS or Account. * Avoid seg_fault on referencing association without a valid_qos bitmap. 
* If Association/QOS is removed on a pending job set that job as ineligible. * When changing a jobs account/qos always make sure you remove the old limits. * Don't reset a FAIL_QOS or FAIL_ACCOUNT job reason until the qos or account changed. * Restore "sreport -T ALL" functionality. * Correctly typecast signals being sent through the api. * Properly initialize structures throughout Slurm. * Sync "numtask" squeue format option for jobs and steps to "numtasks". * Fix sacct -PD to avoid CA before start jobs. * Fix potential deadlock with backup slurmctld. * Fixed issue with jobs not appearing in sacct after dependency satisfied. * Fix showing non-eligible jobs when asking with -j and not -s. * Fix issue with backfill scheduler scheduling tasks of an array when not the head job. * accounting_storage/mysql - fix SIGABRT in the archive load logic. * accounting_storage/mysql - fix memory leak in the archive load logic. * Limit records per single SQL statement when loading archived data. * Fix unnecessary reloading of job submit plugins. * Allow job submit plugins to be turned on/off with a reconfigure. * Fix segfault when loading/unloading Lua job submit plugin multiple times. * Fix printing duplicate error messages of jobs rejected by job submit plugin. * Fix printing of job submit plugin messages of het jobs without pack id. * Fix memory leak in group_cache.c * Fix jobs stuck from FedJobLock when requeueing in a federation * Fix requeueing job in a federation of clusters with differing associations * sacctmgr - free memory before exiting in 'sacctmgr show runaway'. * Fix seff showing memory overflow when steps tres mem usage is 0. * Upon archive file name collision, create new archive file instead of overwriting the old one to prevent lost records. * Limit archive files to 50000 records per file so that archiving large databases will succeed. * Remove stray newlines in SPANK plugin error messages. * Fix archive loading events. 
* In select/cons_res: Only allocate 1 CPU per node with the --overcommit and --nodelist options. * Fix main scheduler from potentially not running through whole queue. * cons_res/job_test - prevent a job from overallocating a node memory. * cons_res/job_test - fix to consider a node's current allocated memory when testing a job's memory request. * Fix issue where multi-node job steps on cloud nodes wouldn't finish cleaning up until the end of the job (rather than the end of the step). * Fix issue with a 17.11 sbcast call to a 18.08 daemon. * Add new job bit_flags of JOB_DEPENDENT. * Make it so dependent jobs reset the AccrueTime and do not count against any AccrueTime limits. * Fix sacctmgr --parsable2 output for reservations and tres. * Prevent slurmctld from potential segfault after job_start_data() called for completing job. * Fix jobs getting on nodes with "scontrol reboot asap". * Record node reboot events to database. * Fix node reboot failure message getting to event table. * Don't write "(null)" to event table when no event reason exists. * Fix minor memory leak when clearing runaway jobs. * Avoid flooding slurmctld and logging when prolog complete RPC errors occur. * Fix GCC 9 compiler warnings. * Fix seff human readable memory string for values below a megabyte. * Fix dump/load of rejected heterogeneous jobs. * For heterogeneous jobs, do not count each component against the QOS or association job limit multiple times. * slurmdbd - avoid reservation flag column corruption with the use of newer flags, instead preserve the older flag fields that we can still fit in the smallint field, and discard the rest. * Fix security issue in accounting_storage/mysql plugin on archive file loads by always escaping strings within the slurmdbd. CVE-2019-12838. * Fix underflow causing decay thread to exit. * Fix main scheduler not considering hetjobs when building the job queue. * Fix regression for sacct to display old jobs without a start time. 
* Fix setting correct number of gres topology bits. * Update hetjobs pending state reason when appropriate. * Fix accounting_storage/filetxt's understanding of TRES. * Set Accrue time when not enforcing limits. * Fix srun segfault when requesting a hetjob with test_exec or bcast options. * Hide multipart priorities log message behind Priority debug flag. * sched/backfill - Make hetjobs sensitive to bf_max_job_start. * Fix slurmctld segfault due to job's partition pointer NULL dereference. * Fix issue with OR'ed job dependencies. * Add new job's bit_flags of INVALID_DEPEND to prevent rebuilding a job's dependency string when it has at least one invalid and purged dependency. * Promote federation unsynced siblings log message from debug to info. * burst_buffer/cray - fix slurmctld SIGABRT due to illegal read/writes. * burst_buffer/cray - fix memory leak due to unfreed job script content. * node_features/knl_cray - fix script_argv use-after-free. * burst_buffer/cray - fix script_argv use-after-free. * Fix invalid reads of size 1 due to non null-terminated string reads. * Add extra debug2 logs to identify why BadConstraints reason is set. - Do not build hdf5 support where not available. - Add support for version updates on SLE: Update packages to a later version than the version supported originally on SLE will receive a version string in their package name. - added the hdf5 job data gathering plugin - Add backward compatibility with SLE-11 SP4 - Update to version 18.08.05: * Add mitigation for a potential heap overflow on 32-bit systems in xmalloc. (CVE-2019-6438, bsc#1123304) - Fix fallout from 750cc23ed for CVE-2019-6438. - Update to 18.08.04, with following highlights * Fix message sent to user to display preempted instead of time limit when a job is preempted. * Fix memory leak when a failure happens processing a nodes gres config. * Improve error message when failures happen processing a nodes gres config. * Don't skip jobs in scontrol hold. 
  * Allow --cpu-bind=verbose to be used with SLURM_HINT environment variable.
  * Enhanced handling for runaway jobs
  * cons_res: Delay exiting cr_job_test until after cores/cpus are calculated and distributed.
  * Don't check existence of srun --prolog or --epilog executables when set to "none" and SLURM_TEST_EXEC is used.
  * Add "P" suffix support to job and step tres specifications.
  * Fix jobacct_gather/cgroup to work correctly when more than one task is started on a node.
  * salloc - set SLURM_NTASKS_PER_CORE and SLURM_NTASKS_PER_SOCKET in the environment if the corresponding command line options are used.
  * slurmd - fix handling of the -f flag to specify alternate config file locations.
  * Add SchedulerParameters option of bf_ignore_newly_avail_nodes to avoid scheduling lower priority jobs on resources that become available during the backfill scheduling cycle when bf_continue is enabled.
  * job_submit/lua: Add several slurmctld return codes and add user/group info
  * salloc/sbatch/srun - print warning if mutually exclusive options of --mem and --mem-per-cpu are both set.
- restarting services on update only when activated
- added rotation of logs
- Added backported patches which harden the pam module pam_slurm_adopt. (BOO#1116758)
- Moved config man pages to a separate package: This way, they won't get installed on compute nodes.
- added correct link flags for perl bindings (bsc#1108671)
  * perl:Switch is required by slurm torque wrappers
- Fix Requires(pre) and Requires(post) for slurm-config and slurm-node. This fixes issues with failing slurm user creation when installed during initial system installation. (bsc#1109373)
- When using a remote shared StateSaveLocation, slurmctld needs to be started after remote filesystems have become available. Add 'remote-fs.target' to the 'After=' directive in slurmctld.service (bsc#1103561).
- Update to 17.11.8
  * Fix incomplete RESPONSE_[RESOURCE|JOB_PACK]_ALLOCATION building path.
  * Do not allocate nodes that were marked down due to the node not responding by ResumeTimeout.
  * task/cray plugin - search for "mems" cgroup information in the file "cpuset.mems" then fall back to the file "mems".
  * Fix ipmi profile debug uninitialized variable.
  * PMIx: fixed the direct connect inline msg sending.
  * MYSQL: Fix issue not handling all fields when loading an archive dump.
  * Allow a job_submit plugin to change the admin_comment field during job_submit_plugin_modify().
  * job_submit/lua - fix access into reservation table.
  * MySQL - Prevent deadlock caused by archive logic locking reads.
  * Don't enforce MaxQueryTimeRange when requesting specific jobs.
  * Modify --test-only logic to properly support jobs submitted to more than one partition.
  * Prevent slurmctld from abort when attempting to set non-existing qos as def_qos_id.
  * Add new job dependency type of "afterburstbuffer". The pending job will be delayed until the first job completes execution and its burst buffer stage-out is completed.
  * Reorder proctrack/task plugin load in the slurmstepd to match that of slurmd and avoid race condition calling task before proctrack can introduce.
  * Prevent reboot of a busy KNL node when requesting inactive features.
  * Revert to previous behavior when requesting memory per cpu/node introduced in 17.11.7.
  * Fix to reinitialize previously adjusted job members to their original value when validating the job memory in multi-partition requests.
  * Fix _step_signal() from always returning SLURM_SUCCESS.
  * Combine active and available node feature change logs on one line rather than one line per node for performance reasons.
  * Prevent occasionally leaking freezer cgroups.
  * Fix potential segfault when closing the mpi/pmi2 plugin.
  * Fix issues with --exclusive=[user|mcs] to work correctly with preemption or when job requests a specific list of hosts.
  * Make code compile with hdf5 1.10.2+
  * mpi/pmix: Fixed the collectives canceling.
  * SlurmDBD: improve error message handling on archive load failure.
  * Fix incorrect locking when deleting reservations.
  * Fix incorrect locking when setting up the power save module.
  * Fix setting format output length for squeue when showing array jobs.
  * Add xstrstr function.
  * Fix printing out of --hint options in sbatch, salloc --help.
  * Prevent possible divide by zero in _validate_time_limit().
  * Add Delegate=yes to the slurmd.service file to prevent systemd from interfering with the jobs' cgroup hierarchies.
  * Change the backlog argument to the listen() syscall within srun to 4096 to match elsewhere in the code, and avoid communication problems at scale.
- Fix race in the slurmctld backup controller which prevents it from cleaning up allocations on nodes properly after failing over (bsc#1084917).
- Handled %license in a backward compatible manner.
- Add a 'Recommends: slurm-munge' to slurm-slurmdbd.
- Shield comments between script snippets with a %{!?nil:...} to avoid them being interpreted as scripts - in which case the update level is passed as argument (see chapter 'Shared libraries' in: https://en.opensuse.org/openSUSE:Packaging_scriptlet_snippets) (bsc#1100850).
- Update from 17.11.5 to 17.11.7
- Fix security issue in handling of username and gid fields CVE-2018-10995 and bsc#1095508 which implied an update from 17.11.5 to 17.11.7
  Highlights of 17.11.6:
  * CRAY - Add slurmsmwd to the contribs/cray dir
  * PMIX - Added the direct connect authentication.
  * Prevent the backup slurmctld from losing the active/available node features list on takeover.
  * Be able to force power_down of cloud node even if in power_save state.
  * Allow cloud nodes to be recognized in Slurm when booted out of band.
  * Numerous fixes - check 'NEWS' file.
  Highlights of 17.11.7:
  * Notify srun and ctld when unkillable stepd exits.
  * Numerous fixes - check 'NEWS' file.
  * Fixes daemonization in newly introduced slurmsmwd daemon.
- Rename:
  * remain in sync with commit messages which introduced that file
- Avoid running pretrans scripts when running in an instsys: there may be not much installed, yet. pretrans code should be done in lua, this way, it will be executed by the rpm-internal lua interpreter and not be passed to a shell which may not be around at the time this scriptlet is run (bsc#1090292).
- Add requires for slurm-sql to the slurmdbd package.
- Package READMEs for pam and pam_slurm_adopt.
- Use the new %%license directive for COPYING file.
- Fix interaction with systemd: systemd expects that a daemonizing process doesn't go away until the PID file with the PID of the daemon has been written (bsc#1084125).
- Make sure systemd services get restarted only when all packages are in a consistent state, not in the middle of an 'update' transaction (bsc#1088693). Since the %postun scripts that run on update are from the old package they cannot be changed - thus we work around the restart breakage.
- fixed wrong log file location in slurmdbd.conf and fixed pid location for slurmdbd and made slurm-slurmdbd depend on slurm config which provides the dir /var/run/slurm (bsc#1086859).
- added comment for (bsc#1085606)
- Fix security issue in accounting_storage/mysql plugin by always escaping strings within the slurmdbd. CVE-2018-7033 (bsc#1085240).
- Update slurm to v17.11.5 (FATE#325451)
  Highlights of 17.11:
  * Support for federated clusters to manage a single work-flow across a set of clusters.
  * Support for heterogeneous job allocations (various processor types, memory sizes, etc. by job component). Support for heterogeneous job steps within a single MPI_COMM_WORLD is not yet supported for most configurations.
  * X11 support is now fully integrated with the main Slurm code. Remove any X11 plugin configured in your plugstack.conf file to avoid errors being logged about conflicting options.
  * Added new advanced reservation flag of "flex", which permits jobs requesting the reservation to begin prior to the reservation's start time and use resources inside or outside of the reservation. A typical use case is to prevent jobs not explicitly requesting the reservation from using those reserved resources rather than forcing jobs requesting the reservation to use those resources in the time frame reserved.
  * The sprio command has been modified to report a job's priority information for every partition the job has been submitted to.
  * Group ID lookup performed at job submit time to avoid lookup on all compute nodes. Enable with PrologFlags=SendGIDs configuration parameter.
  * Slurm commands and daemons dynamically link to libslurmfull.so instead of statically linking. This dramatically reduces the footprint of Slurm.
  * In switch plugin, added plugin_id symbol to plugins and wrapped switch_jobinfo_t with dynamic_plugin_data_t in interface calls in order to pass switch information between clusters with different switch types.
  * Changed default ProctrackType to cgroup.
  * Changed default sched_min_interval from 0 to 2 microseconds.
  * Added new 'scontrol write batch_script ' command to fetch a job's batch script. Removed the ability to see the script as part of the 'scontrol -dd show job' command.
  * Add new "billing" TRES which allows jobs to be limited based on the job's billable TRES calculated by the job's partition's TRESBillingWeights.
  * Regular user use of "scontrol top" command is now disabled. Use the configuration parameter "SchedulerParameters=enable_user_top" to enable that functionality. The configuration parameter "SchedulerParameters=disable_user_top" will be silently ignored.
  * Change default to let pending jobs run outside of reservation after reservation is gone to put jobs in held state. Added NO_HOLD_JOBS_AFTER_END reservation flag to use old default.
  * Support for PMIx v2.0 as well as UCX support.
  * Remove plugins for obsolete MPI stacks:
    - lam
    - mpich1_p4
    - mpich1_shmem
    - mvapich
  * Numerous fixes - check 'NEWS' file.
- Replaced by sed script.
- Fix some rpmlint warnings.
- moved config files to slurm-config package (FATE#324574).
- Moved slurmstepd and man page into slurm-node due to slurmd dependency
- Moved config files into slurm-node
- Moved slurmd rc scripts into slurm-node
- Made slurm-munge require slurm-plugins instead of slurm itself - slurm-node suggested slurm-munge, causing the whole slurm to be installed. The slurm-plugins seems to be a more base class (FATE#324574).
- split up lightweight slurm-node package for deployment on nodes (FATE#324574).
- Package so-versioned libs separately. libslurm is expected to change more frequently and thus is packaged separately from libpmi.
- Updated to 17.02.9 to fix CVE-2017-15566 (bsc#1065697).
  Changes in 17.0.9
  * When resuming powered down nodes, mark DOWN nodes right after ResumeTimeout has been reached (previous logic would wait about one minute longer).
  * Fix sreport not showing full column name for TRES Count.
  * Fix slurmdb_reservations_get() giving wrong usage data when job's spanned reservation that was modified.
  * Fix sreport reservation utilization report showing bad data.
  * Show all TRES' on a reservation in sreport reservation utilization report by default.
  * Fix sacctmgr show reservation handling "end" parameter.
  * Work around issue with sysmacros.h and gcc7 / glibc 2.25.
  * Fix layouts code to only allow setting a boolean.
  * Fix sbatch --wait to keep waiting even if a message timeout occurs.
  * CRAY - If configured with NodeFeatures=knl_cray and there are non-KNL nodes which include no features the slurmctld will abort without this patch when attempting strtok_r(NULL).
  * Fix regression in 17.02.7 which would run the spank_task_privileged as part of the slurmstepd instead of its child process.
  * Fix security issue in Prolog and Epilog by always prepending SPANK_ to all user-set environment variables. CVE-2017-15566.
  Changes in 17.0.8:
  * Add 'slurmdbd:' to the accounting plugin to notify message is from dbd instead of local.
  * mpi/mvapich - Buffer being only partially cleared. No failures observed.
  * Fix for job --switch option on dragonfly network.
  * In salloc with --uid option, drop supplementary groups before changing UID.
  * jobcomp/elasticsearch - strip any trailing slashes from JobCompLoc.
  * jobcomp/elasticsearch - fix memory leak when transferring generated buffer.
  * Prevent slurmstepd ABRT when parsing gres.conf CPUs.
  * Fix sbatch --signal to signal all MPI ranks in a step instead of just those on node 0.
  * Check multiple partition limits when scheduling a job that were previously only checked on submit.
  * Cray: Avoid running application/step Node Health Check on the external job step.
  * Optimization enhancements for partition based job preemption.
  * Address some build warnings from GCC 7.1, and one possible memory leak if /proc is inaccessible.
  * If creating/altering a core based reservation with scontrol/sview on a remote cluster correctly determine the select type.
  * Fix autoconf test for libcurl when clang is used.
  * Fix default location for cgroup_allowed_devices_file.conf to use correct default path.
  * Document NewName option to sacctmgr.
  * Reject a second PMI2_Init call within a single step to prevent slurmstepd from hanging.
  * Handle old 32bit values stored in the database for requested memory correctly in sacct.
  * Fix memory leaks in the task/cgroup plugin when constraining devices.
  * Make extremely verbose info messages debug2 messages in the task/cgroup plugin when constraining devices.
  * Fix issue that would deny the stepd access to /dev/null where GRES has a 'type' but no file defined.
  * Fix issue where the slurmstepd would fatal on job launch if you have no gres listed in your slurm.conf but some in gres.conf.
  * Fix validating time spec to correctly validate various time formats.
  * Make scontrol work correctly with job update timelimit [+|-]=.
  * Reduce the visibility of a number of warnings in _part_access_check.
  * Prevent segfault in sacctmgr if no association name is specified for an update command.
  * burst_buffer/cray plugin modified to work with changes in Cray UP05 software release.
  * Fix job reasons for jobs that are violating assoc MaxTRESPerNode limits.
  * Fix segfault when unpacking a 16.05 slurm_cred in a 17.02 daemon.
  * Fix setting TRES limits with case insensitive TRES names.
  * Add alias for xstrncmp() -- slurm_xstrncmp().
  * Fix sorting of case insensitive strings when using xstrcasecmp().
  * Gracefully handle race condition when reading /proc as process exits.
  * Avoid error on Cray duplicate setup of core specialization.
  * Skip over undefined (hidden in Slurm) nodes in pbsnodes.
  * Add empty hashes in perl api's slurm_load_node() for hidden nodes.
  * CRAY - Add rpath logic to work for the alpscomm libs.
  * Fixes for administrator extended TimeLimit (job reason & time limit reset).
  * Fix gres selection on systems running select/linear.
  * sview: Added window decorator for maximize, minimize, close buttons for all systems.
  * squeue: interpret negative length format specifiers as a request to delimit values with spaces.
  * Fix the torque pbsnodes wrapper script to parse a gres field with a type set correctly.
- Fixed ABI version of libslurm.
- Trim redundant wording in descriptions.
- Updated to slurm 17-02-7-1
  * Added python as BuildRequires
  * Removed sched-wiki package
  * Removed slurmdb-direct package
  * Obsoleted sched-wiki and slurmdb-direct packages
  * Removing Cray-specific files
  * Added /etc/slurm/layout.d files (new for this version)
  * Remove /etc/slurm/cgroup files from package
  * Added lib/slurm/mcs_account.so
  * Removed lib/slurm/jobacct_gather_aix.so
  * Removed lib/slurm/job_submit_cnode.so
- Created slurm-sql package
- Moved files from slurm-plugins to slurm-torque package
- Moved creation of /usr/lib/tmpfiles.d/slurm.conf into slurm.spec
  * Removed tmpfiles.d-slurm.conf
- Changed /var/run path for slurm daemons to /var/run/slurm (FATE#324026).
- Made tmpfiles_create post-install macro SLE12 SP2 or greater
- Directly calling systemd-tmpfiles --create for before SLE12 SP2
- Allows OpenSUSE Factory build as well
- Removes unused .service files from project
- Adds /var/run/slurm to /usr/lib/tmpfiles.d for boottime creation
  * Patches upstream .service files to allow for /var/run/slurm path
  * Modifies slurm.conf to allow for /var/run/slurm path
- Move wrapper script mpiexec provided by slurm-torque to mpiexec.slurm to avoid conflicts. This file is normally provided by the MPI implementation (bsc#1041706).
- Replace remaining ${RPM_BUILD_ROOT}s.
- Improve description.
- Fix up changelog.
- Spec file: Replace "Requires : slurm-perlapi" by "Requires: perl-slurm = %{version}" (bsc#1031872).
- Trim redundant parts of description. Fixup RPM groups.
- Replace unnecessary %__ macro indirections; replace historic $RPM_* variables by macros.
- Use %slurm_u and %slurm_g macros defined at the beginning of the spec file when adding the slurm user/group for consistency.
- Define these macros to daemon,root for non-systemd.
- For anything newer than Leap 42.1 or SLE-12-SP1 build OpenHPC compatible.
- Updated to 16.05.8.1
  * Remove StoragePass from being printed out in the slurmdbd log at debug2 level.
  * Defer PATH search for task program until launch in slurmstepd.
  * Modify regression test1.89 to avoid leaving vestigial job. Also reduce logging to reduce likelihood of Expect buffer overflow.
  * Do not PATH search for multi-prog launches if LaunchParameters=test_exec is enabled.
  * Fix for possible infinite loop in select/cons_res plugin when trying to satisfy a job's ntasks_per_core or socket specification.
  * If job is held for bad constraints make it so once updated the job doesn't go into JobAdminHeld.
  * sched/backfill - Fix logic to reserve resources for jobs that require a node reboot (i.e. to change KNL mode) in order to start.
  * When unpacking a node or front_end record from state and the protocol version is lower than the min version, set it to the min.
  * Remove redundant lookup for part_ptr when updating a reservation's nodes.
  * Fix memory and file descriptor leaks in slurmd daemon's sbcast logic.
  * Do not allocate specialized cores to jobs using the --exclusive option.
  * Cancel interactive job if Prolog failure with "PrologFlags=contain" or "PrologFlags=alloc" configured. Send new error prolog failure message to the salloc or srun command as needed.
  * Prevent possible out-of-bounds read in slurmstepd on an invalid #! line.
  * Fix check for PluginDir within slurmctld to work with multiple directories.
  * Cancel interactive jobs automatically on communication error to launching srun/salloc process.
  * Fix security issue caused by insecure file path handling triggered by the failure of a Prolog script. To exploit this a user needs to anticipate or cause the Prolog to fail for their job. CVE-2016-10030 (bsc#1018371).
- Replace group/user add macros with function calls.
- Fix array initialization and ensure strings are always NULL terminated in pam_slurm.c (bsc#1007053).
- Disable building with netloc support: the netloc API is part of the devel branch of hwloc.
  Since this devel branch was included accidentally and has been reversed since, we need to disable this for the time being.
- Conditionalized architecture specific pieces to support non-x86 architectures better.
- Remove: unneeded 'BuildRequires: python'
- Add:
    BuildRequires: freeipmi-devel
    BuildRequires: libibmad-devel
    BuildRequires: libibumad-devel
  so they are picked up by the slurm build.
- Enable modifications from openHPC Project.
- Enable lua API package build.
- Add a recommends for slurm-munge to the slurm package: This way, the munge auth method is available and slurm works out of the box.
- Create /var/lib/slurm as StateSaveLocation directory. /tmp is dangerous.
- Create slurm user/group in preinstall script.
- Keep %{_libdir}/libpmi* and %{_libdir}/mpi_pmi2* on SUSE.
- Fix build with and without OHCP_BUILD define.
- Fix build for systemd and non-systemd.
- Updated to 16-05-5 - equivalent to OpenHPC 1.2.
  * Fix issue with resizing jobs and limits not being kept track of correctly.
  * BGQ - Remove redeclaration of job_read_lock.
  * BGQ - Tighter locks around structures when nodes/cables change state.
  * Make it possible to change CPUsPerTask with scontrol.
  * Make it so scontrol update part qos= will take away a partition QOS from a partition.
  * Backfill scheduling properly synchronized with Cray Node Health Check. Prior logic could result in highest priority job getting improperly postponed.
  * Make it so daemons also support TopologyParam=NoInAddrAny.
  * If scancel is operating on large number of jobs and RPC responses from slurmctld daemon are slow then introduce a delay in sending the cancel job requests from scancel in order to reduce load on slurmctld.
  * Remove redundant logic when updating a job's task count.
  * MySQL - Fix querying jobs with reservations when the id's have rolled.
  * Perl - Fix use of uninitialized variable in slurm_job_step_get_pids.
  * Launch batch job requesting --reboot after the boot completes.
  * Do not attempt to power down a node which has never responded if the slurmctld daemon restarts without state.
  * Fix for possible slurmstepd segfault on invalid user ID.
  * MySQL - Fix for possible race condition when archiving multiple clusters at the same time.
  * Add logic so that slurmstepd can be launched under valgrind.
  * Increase buffer size to read /proc/*/stat files.
  * Remove the SchedulerParameters option of "assoc_limit_continue", making it the default value. Add option of "assoc_limit_stop". If "assoc_limit_stop" is set and a job cannot start due to association limits, then do not attempt to initiate any lower priority jobs in that partition. Setting this can decrease system throughput and utilization, but avoid potentially starving larger jobs by preventing them from launching indefinitely.
  * Update a node's socket and cores per socket counts as needed after a node boot to reflect configuration changes which can occur on KNL processors. Note that the node's total core count must not change, only the distribution of cores across varying socket counts (KNL NUMA nodes treated as sockets by Slurm).
  * Rename partition configuration from "Shared" to "OverSubscribe". Rename salloc, sbatch, srun option from "--shared" to "--oversubscribe". The old options will continue to function. Output field names also changed in scontrol, sinfo, squeue and sview.
  * Add SLURM_UMASK environment variable to user job.
  * knl_conf: Added new configuration parameter of CapmcPollFreq.
  * Cleanup two minor Coverity warnings.
  * Make it so the tres units in a job's formatted string are converted like they are in a step.
  * Correct partition's MaxCPUsPerNode enforcement when nodes are shared by multiple partitions.
  * node_feature/knl_cray - Prevent slurmctld GRES errors for "hbm" references.
  * Display thread name instead of thread id and remove process name in stderr logging for "thread_id" LogTimeFormat.
  * Log IP address of bad incoming message to slurmctld.
  * If a user requests tasks, nodes and ntasks-per-node and tasks-per-node/nodes != tasks print warning and ignore ntasks-per-node.
  * Release CPU "owner" file locks.
  * Update seff to fix warnings with ncpus, and list slurm-perlapi dependency in spec file.
  * Allow QOS timelimit to override partition timelimit when EnforcePartLimits is set to all/any.
  * Make it so qsub will do a "basename" on a wrapped command for the output and error files.
  * Add logic so that slurmstepd can be launched under valgrind.
  * Increase buffer size to read /proc/*/stat files.
  * Prevent job stuck in configuring state if slurmctld daemon restarted while PrologSlurmctld is running. Also re-issue burst_buffer/pre-load operation as needed.
  * Move test for job wait reason value of BurstBufferResources and BurstBufferStageIn later in the scheduling logic.
  * Document which srun options apply to only job, only step, or job and step allocations.
  * Use more compatible function to get thread name (>= 2.6.11).
  * Make it so the extern step uses a reverse tree when cleaning up.
  * If extern step doesn't get added into the proctrack plugin make sure the sleep is killed.
  * Add web links to Slurm Diamond Collectors (from Harvard University) and collectd (from EDF).
  * Add job_submit plugin for the "reboot" field.
  * Make some more Slurm constants (INFINITE, NO_VAL64, etc.) available to job_submit/lua plugins.
  * Send in a -1 for a taskid into spank_task_post_fork for the extern_step.
  * MYSQL - Slightly better logic if a job completion comes in with an end time of 0.
  * If the task/cgroup plugin is configured with ConstrainRAMSpace=yes, then set soft memory limit to allocated memory limit (previously no soft limit was set).
  * Streamline when schedule() is called when running with message aggregation on batch script completes.
  * Fix incorrect casting when [un]packing derived_ec on slurmdb_job_rec_t.
  * Document that persistent burst buffers can not be created or destroyed using the salloc or srun --bb options.
  * Add support for setting the SLURM_JOB_ACCOUNT, SLURM_JOB_QOS and SLURM_JOB_RESERVATION environment variables for the salloc command. Document the same environment variables for the salloc, sbatch and srun commands in their man pages.
  * Fix issue where sacctmgr load cluster.cfg wouldn't load associations that had a partition in them.
  * Don't return the extern step from sstat by default.
  * In sstat print 'extern' instead of 4294967295 for the extern step.
  * Make advanced reservations work properly with core specialization.
  * slurmstepd modified to pre-load all relevant plugins at startup to avoid the possibility of modified plugins later resulting in inconsistent API or data structures and a failure of slurmstepd.
  * Export functions from parse_time.c in libslurm.so.
  * Export unit convert functions from slurm_protocol_api.c in libslurm.so.
  * Fix scancel to allow multiple steps from a job to be cancelled at once.
  * Update and expand upgrade guide (in Quick Start Administrator web page).
  * burst_buffer/cray: Requeue, but do not hold a job which fails the pre_run operation.
  * Ensure reported expected job start time is not in the past for pending jobs.
  * Add support for PMIx v2. Required for FATE#316379.
- Setting 'download_files' service to mode='localonly' and adding source tarball. (Required for Factory).
- version 15.08.7.1
  * Remove the 1024-character limit on lines in batch scripts.
  * task/affinity: Disable core-level task binding if more CPUs required than available cores.
  * Preemption/gang scheduling: If a job is suspended at slurmctld restart or reconfiguration time, then leave it suspended rather than resume+suspend.
  * Don't use lower weight nodes for job allocation when topology/tree used.
  * Don't allow user specified reservation names to disrupt the normal reservation sequence numbering scheme.
  * Avoid hard-link/copy of script/environment files for job arrays. Use the master job record file for all tasks of the job array.
    NOTE: Job arrays submitted to Slurm version 15.08.6 or later will fail if the slurmctld daemon is downgraded to an earlier version of Slurm.
  * In slurmctld log file, log duplicate job ID found by slurmd. Previously was being logged as prolog/epilog failure.
  * If a job is requeued while in the process of being launched, remove its job ID from slurmd's record of active jobs in order to avoid generating a duplicate job ID error when launched for the second time (which would drain the node).
  * Cleanup messages when handling job script and environment variables in older directory structure formats.
  * Prevent triggering gang scheduling within a partition if configured with PreemptType=partition_prio and PreemptMode=suspend,gang.
  * Decrease parallelism in job cancel request to prevent denial of service when cancelling huge numbers of jobs.
  * If all ephemeral ports are in use, try using other port numbers.
  * Prevent "scontrol update job" from updating jobs that have already finished.
  * Show requested TRES in "squeue -O tres" when job is pending.
  * Backfill scheduler: Test association and QOS node limits before reserving resources for pending job.
  * Many bug fixes.
- Use source services to download package.
- Fix code for new API of hwloc-2.0.
- package netloc_to_topology where available.
- Package documentation.
- version 15.08.3
  * Many new features and bug fixes. See NEWS file
- update files list accordingly
- fix wrong end of line in some files
- version 14.11.8
  * Many bug fixes. See NEWS file
- update files list accordingly
- add missing systemd requirements
- add missing rclink
- version 14.03.9
  * Many bug fixes. See NEWS file
- add systemd support
- version 14.03.6
  * Added support for native Slurm operation on Cray systems (without ALPS).
  * Added partition configuration parameters AllowAccounts, AllowQOS, DenyAccounts and DenyQOS to provide greater control over use.
  * Added the ability to perform load based scheduling.
    Allocating resources to jobs on the nodes with the largest number of idle CPUs.
  * Added support for reserving cores on a compute node for system services (core specialization)
  * Add mechanism for job_submit plugin to generate error message for srun, salloc or sbatch to stderr.
  * Support for Postgres database has long since been out of date and problematic, so it has been removed entirely. If you would like to use it the code still exists in <= 2.6, but will not be included in this and future versions of the code.
  * Added new structures and support for both server and cluster resources.
  * Significant performance improvements, especially with respect to job array support.
- update files list
- update to version 2.6.7
  * Support for job arrays, which increases performance and ease of use for sets of similar jobs.
  * Job profiling capability added to record a wide variety of job characteristics for each task on a user configurable periodic basis. Data currently available includes CPU use, memory use, energy use, Infiniband network use, Lustre file system use, etc.
  * Support for MPICH2 using PMI2 communications interface with much greater scalability.
  * Prolog and epilog support for advanced reservations.
  * Much faster throughput for job step execution with --exclusive option. The srun process is notified when resources become available rather than periodic polling.
  * Support improved for Intel MIC (Many Integrated Core) processor.
  * Advanced reservations with hostname and core counts now supports asymmetric reservations (e.g. specific different core count for each node).
  * External sensor plugin infrastructure added to record power consumption, temperature, etc.
  * Improved performance for high-throughput computing.
  * MapReduce+ support (launches ~1000x faster, runs ~10x faster).
  * Added "MaxCPUsPerNode" partition configuration parameter. This can be especially useful to schedule GPUs. For example a node can be associated with two Slurm partitions (e.g.
    "cpu" and "gpu") and the partition/queue "cpu" could be limited to only a subset of the node's CPUs, ensuring that one or more CPUs would be available to jobs in the "gpu" partition/queue.
- version 2.5.7
  * Fix for linking to the select/cray plugin to not give warning about undefined variable.
  * Add missing symbols to the xlator.h
  * Avoid placing pending jobs in AdminHold state due to backfill scheduler interactions with advanced reservation.
  * Accounting - make average by task not cpu.
  * POE - Correct logic to support poe option "-euidevice sn_all" and "-euidevice sn_single".
  * Accounting - Fix minor initialization error.
  * POE - Correct logic to support srun network instances count with POE.
  * POE - With the srun --launch-cmd option, report proper task count when the --cpus-per-task option is used without the --ntasks option.
  * POE - Fix logic binding tasks to CPUs.
  * sview - Fix race condition where new information could have slipped past the node tab and we didn't notice.
  * Accounting - Fix an invalid memory read when slurmctld sends data about start job to slurmdbd.
  * If a prolog or epilog failure occurs, drain the node rather than setting it down and killing all of its jobs.
  * Priority/multifactor - Avoid underflow in half-life calculation.
  * POE - pack missing variable to allow fanout (more than 32 nodes)
  * Prevent clearing reason field for pending jobs. This bug was introduced in v2.5.5 (see "Reject job at submit time ...").
  * BGQ - Fix issue with preemption on sub-block jobs where a job would kill all preemptable jobs on the midplane instead of just the ones it needed to.
  * switch/nrt - Validate dynamic window allocation size.
  * BGQ - When --geo is requested do not impose the default conn_types.
  * RebootNode logic - Defers (rather than forgets) reboot request with job running on the node within a reservation.
  * switch/nrt - Correct network_id use logic. Correct support for user sn_all and sn_single options.
* sched/backfill - Modify logic to reduce overhead under heavy load. * Fix job step allocation with --exclusive and --hostlist option. * Select/cons_res - Fix bug resulting in error of "cons_res: sync loop not progressing, holding job #" * checkpoint/blcr - Reset max_nodes from zero to NO_VAL on job restart. * launch/poe - Fix for hostlist file support with repeated host names. * priority/multifactor2 - Prevent possible divide by zero. -- srun - Don't check for executable if --test-only flag is used. * energy - On a single node only use the last task for gathering energy. Since we don't currently track energy usage per task (only per step). Otherwise we get double the energy. - version 2.5.4 * Support for Intel?? Many Integrated Core (MIC) processors. * User control over CPU frequency of each job step. * Recording power usage information for each job. * Advanced reservation of cores rather than whole nodes. * Integration with IBM's Parallel Environment including POE (Parallel Operating Environment) and NRT (Network Resource Table) API. * Highly optimized throughput for serial jobs in a new "select/serial" plugin. * CPU load is information available * Configurable number of CPUs available to jobs in each SLURM partition, which provides a mechanism to reserve CPUs for use with GPUs. - remore runlevel 4 from init script thanks to patch1 - fix self obsoletion of slurm-munge package - use fdupes to remove duplicates - spec file reformaing - put perl macro in a better within install section - enable numa on x86_64 arch only - add numa and hwloc support - fix perl module files list - use perl_process_packlist macro for the perl files cleanup - fix some summaries length - add cgoups directory and example the cgroup.release_common file - spec file cleanup - first package Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for HPC 12: zypper in -t patch SUSE-SLE-Module-HPC-12-2021-773=1 Package List: - SUSE Linux Enterprise Module for HPC 12 (aarch64 x86_64): libnss_slurm2_20_11-20.11.4-3.5.1 libnss_slurm2_20_11-debuginfo-20.11.4-3.5.1 libpmi0_20_11-20.11.4-3.5.1 libpmi0_20_11-debuginfo-20.11.4-3.5.1 libslurm36-20.11.4-3.5.1 libslurm36-debuginfo-20.11.4-3.5.1 pdsh-2.34-7.32.1 pdsh-debuginfo-2.34-7.32.1 pdsh-debugsource-2.34-7.32.1 pdsh-dshgroup-2.34-7.32.1 pdsh-dshgroup-debuginfo-2.34-7.32.1 pdsh-genders-2.34-7.32.1 pdsh-genders-debuginfo-2.34-7.32.1 pdsh-machines-2.34-7.32.1 pdsh-machines-debuginfo-2.34-7.32.1 pdsh-netgroup-2.34-7.32.1 pdsh-netgroup-debuginfo-2.34-7.32.1 pdsh-slurm-2.34-7.32.1 pdsh-slurm-debuginfo-2.34-7.32.1 pdsh-slurm_18_08-2.34-7.32.1 pdsh-slurm_18_08-debuginfo-2.34-7.32.1 pdsh-slurm_20_02-2.34-7.32.1 pdsh-slurm_20_02-debuginfo-2.34-7.32.1 pdsh-slurm_20_11-2.34-7.32.1 pdsh-slurm_20_11-debuginfo-2.34-7.32.1 pdsh_slurm_18_08-debugsource-2.34-7.32.1 pdsh_slurm_20_02-debugsource-2.34-7.32.1 pdsh_slurm_20_11-debugsource-2.34-7.32.1 perl-slurm_20_11-20.11.4-3.5.1 perl-slurm_20_11-debuginfo-20.11.4-3.5.1 slurm_20_11-20.11.4-3.5.1 slurm_20_11-auth-none-20.11.4-3.5.1 slurm_20_11-auth-none-debuginfo-20.11.4-3.5.1 slurm_20_11-config-20.11.4-3.5.1 slurm_20_11-config-man-20.11.4-3.5.1 slurm_20_11-debuginfo-20.11.4-3.5.1 slurm_20_11-debugsource-20.11.4-3.5.1 slurm_20_11-devel-20.11.4-3.5.1 slurm_20_11-doc-20.11.4-3.5.1 slurm_20_11-lua-20.11.4-3.5.1 slurm_20_11-lua-debuginfo-20.11.4-3.5.1 slurm_20_11-munge-20.11.4-3.5.1 slurm_20_11-munge-debuginfo-20.11.4-3.5.1 slurm_20_11-node-20.11.4-3.5.1 slurm_20_11-node-debuginfo-20.11.4-3.5.1 slurm_20_11-pam_slurm-20.11.4-3.5.1 slurm_20_11-pam_slurm-debuginfo-20.11.4-3.5.1 slurm_20_11-plugins-20.11.4-3.5.1 slurm_20_11-plugins-debuginfo-20.11.4-3.5.1 slurm_20_11-slurmdbd-20.11.4-3.5.1 slurm_20_11-slurmdbd-debuginfo-20.11.4-3.5.1 
slurm_20_11-sql-20.11.4-3.5.1 slurm_20_11-sql-debuginfo-20.11.4-3.5.1 slurm_20_11-sview-20.11.4-3.5.1 slurm_20_11-sview-debuginfo-20.11.4-3.5.1 slurm_20_11-torque-20.11.4-3.5.1 slurm_20_11-torque-debuginfo-20.11.4-3.5.1 slurm_20_11-webdoc-20.11.4-3.5.1

References:

https://www.suse.com/security/cve/CVE-2016-10030.html
https://www.suse.com/security/cve/CVE-2017-15566.html
https://www.suse.com/security/cve/CVE-2018-10995.html
https://www.suse.com/security/cve/CVE-2018-7033.html
https://www.suse.com/security/cve/CVE-2019-12838.html
https://www.suse.com/security/cve/CVE-2019-19727.html
https://www.suse.com/security/cve/CVE-2019-19728.html
https://www.suse.com/security/cve/CVE-2019-6438.html
https://www.suse.com/security/cve/CVE-2020-12693.html
https://www.suse.com/security/cve/CVE-2020-27745.html
https://www.suse.com/security/cve/CVE-2020-27746.html
https://bugzilla.suse.com/1018371
https://bugzilla.suse.com/1065697
https://bugzilla.suse.com/1085240
https://bugzilla.suse.com/1095508
https://bugzilla.suse.com/1123304
https://bugzilla.suse.com/1140709
https://bugzilla.suse.com/1155784
https://bugzilla.suse.com/1159692
https://bugzilla.suse.com/1172004
https://bugzilla.suse.com/1178890
https://bugzilla.suse.com/1178891

From sle-security-updates at lists.suse.com Fri Mar 12 20:17:26 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Mar 2021 21:17:26 +0100 (CET)
Subject: SUSE-SU-2021:0776-1: important: Security update for s390-tools
Message-ID: <20210312201726.08921FD17@maintenance.suse.de>

SUSE Security Update: Security update for s390-tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0776-1
Rating:             important
References:         #1182777 #1182876 #1183041
Cross-References:   CVE-2021-25316
CVSS scores:
                    CVE-2021-25316 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.

Description:

This update for s390-tools fixes the following issues:

- Fixed an issue where IPL was not working when the bootloader was installed on a SCSI disk with 4k physical blocksize without using a devicemapper target (bsc#1183041).
- CVE-2021-25316: Do not use predictable temporary file names (bsc#1182777).
- Made the name of the temporary configuration file in /tmp/ unpredictable (bsc#1182876).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-776=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (s390x):
  osasnmpd-2.1.0-18.29.1 osasnmpd-debuginfo-2.1.0-18.29.1 s390-tools-2.1.0-18.29.1 s390-tools-debuginfo-2.1.0-18.29.1 s390-tools-debugsource-2.1.0-18.29.1 s390-tools-hmcdrvfs-2.1.0-18.29.1 s390-tools-hmcdrvfs-debuginfo-2.1.0-18.29.1 s390-tools-zdsfs-2.1.0-18.29.1 s390-tools-zdsfs-debuginfo-2.1.0-18.29.1

References:

https://www.suse.com/security/cve/CVE-2021-25316.html
https://bugzilla.suse.com/1182777
https://bugzilla.suse.com/1182876
https://bugzilla.suse.com/1183041

From sle-security-updates at lists.suse.com Fri Mar 12 20:18:46 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Mar 2021 21:18:46 +0100 (CET)
Subject: SUSE-SU-2021:0778-1: important: Security update for glib2
Message-ID: <20210312201846.0D2F2FD17@maintenance.suse.de>

SUSE Security Update: Security update for glib2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0778-1
Rating:             important
References:         #1182328 #1182362
Cross-References:   CVE-2021-27218 CVE-2021-27219
CVSS scores:
                    CVE-2021-27218 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-27218 (SUSE): 5 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
                    CVE-2021-27219 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-27219 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H

Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores it in a guint; the patch makes it refuse lengths larger than a guint can hold. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as its length parameter, which can lead to an integer overflow; a g_memdup2 function that uses gsize was added to replace it. (bsc#1182362)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-778=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-778=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-778=1 Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): glib2-debugsource-2.62.6-3.6.1 glib2-tools-2.62.6-3.6.1 glib2-tools-debuginfo-2.62.6-3.6.1 libgio-2_0-0-2.62.6-3.6.1 libgio-2_0-0-debuginfo-2.62.6-3.6.1 libglib-2_0-0-2.62.6-3.6.1 libglib-2_0-0-debuginfo-2.62.6-3.6.1 libgmodule-2_0-0-2.62.6-3.6.1 libgmodule-2_0-0-debuginfo-2.62.6-3.6.1 libgobject-2_0-0-2.62.6-3.6.1 libgobject-2_0-0-debuginfo-2.62.6-3.6.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): glib2-debugsource-2.62.6-3.6.1 glib2-devel-2.62.6-3.6.1 glib2-devel-debuginfo-2.62.6-3.6.1 glib2-tools-2.62.6-3.6.1 glib2-tools-debuginfo-2.62.6-3.6.1 libgio-2_0-0-2.62.6-3.6.1 libgio-2_0-0-debuginfo-2.62.6-3.6.1 libglib-2_0-0-2.62.6-3.6.1 libglib-2_0-0-debuginfo-2.62.6-3.6.1 libgmodule-2_0-0-2.62.6-3.6.1 libgmodule-2_0-0-debuginfo-2.62.6-3.6.1 libgobject-2_0-0-2.62.6-3.6.1 libgobject-2_0-0-debuginfo-2.62.6-3.6.1 libgthread-2_0-0-2.62.6-3.6.1 libgthread-2_0-0-debuginfo-2.62.6-3.6.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch): glib2-lang-2.62.6-3.6.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64): libgio-2_0-0-32bit-2.62.6-3.6.1 libgio-2_0-0-32bit-debuginfo-2.62.6-3.6.1 libglib-2_0-0-32bit-2.62.6-3.6.1 libglib-2_0-0-32bit-debuginfo-2.62.6-3.6.1 libgmodule-2_0-0-32bit-2.62.6-3.6.1 libgmodule-2_0-0-32bit-debuginfo-2.62.6-3.6.1 libgobject-2_0-0-32bit-2.62.6-3.6.1 libgobject-2_0-0-32bit-debuginfo-2.62.6-3.6.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): glib2-debugsource-2.62.6-3.6.1 glib2-devel-2.62.6-3.6.1 glib2-devel-debuginfo-2.62.6-3.6.1 
glib2-tools-2.62.6-3.6.1 glib2-tools-debuginfo-2.62.6-3.6.1 libgio-2_0-0-2.62.6-3.6.1 libgio-2_0-0-debuginfo-2.62.6-3.6.1 libglib-2_0-0-2.62.6-3.6.1 libglib-2_0-0-debuginfo-2.62.6-3.6.1 libgmodule-2_0-0-2.62.6-3.6.1 libgmodule-2_0-0-debuginfo-2.62.6-3.6.1 libgobject-2_0-0-2.62.6-3.6.1 libgobject-2_0-0-debuginfo-2.62.6-3.6.1 libgthread-2_0-0-2.62.6-3.6.1 libgthread-2_0-0-debuginfo-2.62.6-3.6.1

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):
  libgio-2_0-0-32bit-2.62.6-3.6.1 libgio-2_0-0-32bit-debuginfo-2.62.6-3.6.1 libglib-2_0-0-32bit-2.62.6-3.6.1 libglib-2_0-0-32bit-debuginfo-2.62.6-3.6.1 libgmodule-2_0-0-32bit-2.62.6-3.6.1 libgmodule-2_0-0-32bit-debuginfo-2.62.6-3.6.1 libgobject-2_0-0-32bit-2.62.6-3.6.1 libgobject-2_0-0-32bit-debuginfo-2.62.6-3.6.1

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
  glib2-lang-2.62.6-3.6.1

References:

https://www.suse.com/security/cve/CVE-2021-27218.html
https://www.suse.com/security/cve/CVE-2021-27219.html
https://bugzilla.suse.com/1182328
https://bugzilla.suse.com/1182362

From sle-security-updates at lists.suse.com Fri Mar 12 20:20:02 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Mar 2021 21:20:02 +0100 (CET)
Subject: SUSE-SU-2021:0782-1: important: Security update for crmsh
Message-ID: <20210312202002.B8E34FD17@maintenance.suse.de>

SUSE Security Update: Security update for crmsh
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0782-1
Rating:             important
References:         #1154927 #1178454 #1178869 #1179999 #1180137 #1180571 #1180688 ECO-1658
Cross-References:   CVE-2020-35459 CVE-2021-3020
CVSS scores:
                    CVE-2020-35459 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-35459 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3020 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise High Availability 15-SP1
______________________________________________________________________________

An update that solves two vulnerabilities, contains one feature and has 5 fixes is now available.

Description:

This update for crmsh fixes the following issues:

- Update to version 4.3.0+20210219.5d1bf034:
  * Fix: hb_report: walk through hb_report process under hacluster (CVE-2020-35459, bsc#1179999; CVE-2021-3020, bsc#1180571)
  * Fix: bootstrap: setup authorized ssh access for hacluster (CVE-2020-35459, bsc#1179999; CVE-2021-3020, bsc#1180571)
  * Dev: analyze: Add analyze sublevel and put preflight_check in it (jsc#ECO-1658)
  * Dev: utils: change default file mode to 644 for str2file function
  * Dev: hb_report: Detect if any ocfs2 partitions exist
  * Dev: lock: give more specific error message when raising ClaimLockError
  * Fix: Replace mktemp() with mkstemp() for security
  * Fix: Remove the duplicate --cov-report html in tox.
  * Fix: fix some lint issues.
  * Fix: Replace utils.msg_info with task.info
  * Fix: Solve a circular import error of utils.py
  * Fix: hb_report: run lsof with specific ocfs2 device (bsc#1180688)
  * Dev: corosync: change the permission of corosync.conf to 644
  * Fix: preflight_check: task: raise error when report_path isn't a directory
  * Fix: bootstrap: Use class Watchdog to simplify watchdog config (bsc#1154927, bsc#1178869)
  * Dev: Polish the sbd feature.
  * Dev: Replace -f with -c and run check when no parameter is provided.
  * Fix: Fix the yes option not working
  * Fix: Remove useless import and show help when no input.
  * Dev: Correct SBD device id inconsistency during ASR
  * Fix: completers: return complete start/stop resource id list correctly (bsc#1180137)
  * Dev: Makefile.am: change makefile to integrate preflight_check
  * Medium: integrate preflight_check into crmsh (jsc#ECO-1658)
  * Fix: bootstrap: make sure sbd device UUID is the same between nodes (bsc#1178454)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise High Availability 15-SP1:
  zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2021-782=1

Package List:

- SUSE Linux Enterprise High Availability 15-SP1 (noarch):
  crmsh-4.3.0+20210219.5d1bf034-3.57.3 crmsh-scripts-4.3.0+20210219.5d1bf034-3.57.3

References:

https://www.suse.com/security/cve/CVE-2020-35459.html
https://www.suse.com/security/cve/CVE-2021-3020.html
https://bugzilla.suse.com/1154927
https://bugzilla.suse.com/1178454
https://bugzilla.suse.com/1178869
https://bugzilla.suse.com/1179999
https://bugzilla.suse.com/1180137
https://bugzilla.suse.com/1180571
https://bugzilla.suse.com/1180688

From sle-security-updates at lists.suse.com Fri Mar 12 20:21:52 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Mar 2021 21:21:52 +0100 (CET)
Subject: SUSE-SU-2021:0779-1: moderate: Security update for apache2
Message-ID: <20210312202152.453ACFD17@maintenance.suse.de>

SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0779-1
Rating:             moderate
References:         #1145740 #1182703
Cross-References:   CVE-2019-10092
CVSS scores:
                    CVE-2019-10092 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2019-10092 (SUSE): 7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for apache2 fixes the following issues:

- Fixed potential content spoofing with default error pages (bsc#1182703)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-779=1

- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-779=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  apache2-debuginfo-2.4.23-29.69.1 apache2-debugsource-2.4.23-29.69.1 apache2-devel-2.4.23-29.69.1

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  apache2-2.4.23-29.69.1 apache2-debuginfo-2.4.23-29.69.1 apache2-debugsource-2.4.23-29.69.1 apache2-example-pages-2.4.23-29.69.1 apache2-prefork-2.4.23-29.69.1 apache2-prefork-debuginfo-2.4.23-29.69.1 apache2-utils-2.4.23-29.69.1 apache2-utils-debuginfo-2.4.23-29.69.1 apache2-worker-2.4.23-29.69.1 apache2-worker-debuginfo-2.4.23-29.69.1

- SUSE Linux Enterprise Server 12-SP5 (noarch):
  apache2-doc-2.4.23-29.69.1

References:

https://www.suse.com/security/cve/CVE-2019-10092.html
https://bugzilla.suse.com/1145740
https://bugzilla.suse.com/1182703

From sle-security-updates at lists.suse.com Fri Mar 12 20:23:05 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Mar 2021 21:23:05 +0100 (CET)
Subject: SUSE-SU-2021:0781-1: important: Security update for crmsh
Message-ID: <20210312202305.292C9FD17@maintenance.suse.de>

SUSE Security Update: Security update for crmsh
______________________________________________________________________________
Announcement ID:    SUSE-SU-2021:0781-1
Rating:             important
References:         #1154927 #1178454 #1178869 #1179999 #1180126 #1180137 #1180571 #1180688 #1181415 ECO-1658
Cross-References:   CVE-2020-35459 CVE-2021-3020
CVSS scores:
                    CVE-2020-35459 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-35459 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3020 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise High Availability 15-SP2
______________________________________________________________________________

An update that solves two vulnerabilities, contains one feature and has 7 fixes is now available.

Description:

This update for crmsh fixes the following issues:

- Update to version 4.3.0+20210305.9db5c9a8:
  * Fix: bootstrap: Adjust qdevice configure/remove process to avoid race condition due to quorum lost (bsc#1181415)
  * Dev: cibconfig: remove related code about detecting crm_diff support --no-version
  * Fix: ui_configure: raise error when params do not exist (bsc#1180126)
  * Dev: doc: remove doc for crm node status
  * Dev: ui_node: remove status subcommand
- Update to version 4.3.0+20210219.5d1bf034:
  * Fix: hb_report: walk through hb_report process under hacluster (CVE-2020-35459, bsc#1179999; CVE-2021-3020, bsc#1180571)
  * Fix: bootstrap: setup authorized ssh access for hacluster (CVE-2020-35459, bsc#1179999; CVE-2021-3020, bsc#1180571)
  * Dev: analyze: Add analyze sublevel and put preflight_check in it (jsc#ECO-1658)
  * Dev: utils: change default file mode to 644 for str2file function
  * Dev: hb_report: Detect if any ocfs2 partitions exist
  * Dev: lock: give more specific error message when raising ClaimLockError
  * Fix: Replace mktemp() with mkstemp() for security
  * Fix: Remove the duplicate --cov-report html in tox.
  * Fix: fix some lint issues.
  * Fix: Replace utils.msg_info with task.info
  * Fix: Solve a circular import error of utils.py
  * Fix: hb_report: run lsof with specific ocfs2 device (bsc#1180688)
  * Dev: corosync: change the permission of corosync.conf to 644
  * Fix: preflight_check: task: raise error when report_path isn't a directory
  * Fix: bootstrap: Use class Watchdog to simplify watchdog config (bsc#1154927, bsc#1178869)
  * Dev: Polish the sbd feature.
  * Dev: Replace -f with -c and run check when no parameter is provided.
  * Fix: Fix the yes option not working
  * Fix: Remove useless import and show help when no input.
  * Dev: Correct SBD device id inconsistency during ASR
  * Fix: completers: return complete start/stop resource id list correctly (bsc#1180137)
  * Dev: Makefile.am: change makefile to integrate preflight_check
  * Medium: integrate preflight_check into crmsh (jsc#ECO-1658)
  * Fix: bootstrap: make sure sbd device UUID is the same between nodes (bsc#1178454)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
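The crmsh changelog above lists "Replace mktemp() with mkstemp() for security", and the s390-tools advisories on this page (SUSE-SU-2021:0776-1 and SUSE-SU-2021:0777-1, CVE-2021-25316) fix the same class of bug: a temporary file created under a name another local user can predict. The following is an added example, not code from crmsh, s390-tools or SUSE. It simulates, inside a private scratch directory rather than the real /tmp, why a guessable name is exploitable and what tempfile.mkstemp() changes. The file name tool.conf, the victim file and the directory layout are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

VICTIM_TEXT = "original victim contents\n"   # constructed sample data


def write_config_predictable(tmpdir, contents):
    """Vulnerable pattern: the same guessable file name on every run.

    This is the shape of the pre-fix behaviour the advisories describe (a fixed
    name under /tmp, or tempfile.mktemp(), which only returns a name and creates
    nothing). open(..., "w") is O_CREAT|O_TRUNC without O_EXCL, so a symlink an
    attacker planted at that name is followed and the link target is overwritten.
    """
    path = os.path.join(tmpdir, "tool.conf")
    with open(path, "w") as fh:
        fh.write(contents)
    return path


def write_config_safe(tmpdir, contents):
    """Hardened pattern: tempfile.mkstemp() chooses an unpredictable name and
    creates the file atomically with O_CREAT|O_EXCL and mode 0600, handing back
    an already-open descriptor. A name the attacker cannot guess cannot be
    pre-planted, and a collision would make the call raise rather than reuse
    whatever sits there.
    """
    fd, path = tempfile.mkstemp(prefix="tool.", suffix=".conf", dir=tmpdir)
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)
    return path


def simulate_symlink_attack(writer):
    """Run `writer` after a local attacker has planted a symlink at the
    guessable name, inside a fresh private directory (never the real /tmp).
    Returns what happened so the two patterns can be compared.
    """
    tmpdir = tempfile.mkdtemp(prefix="tmpfile-demo.")
    try:
        victim = os.path.join(tmpdir, "victim")
        with open(victim, "w") as fh:
            fh.write(VICTIM_TEXT)
        # Attacker step: pre-create the name the tool is expected to use.
        os.symlink(victim, os.path.join(tmpdir, "tool.conf"))

        path = writer(tmpdir, "attacker-influenced config\n")
        with open(victim) as fh:
            victim_now = fh.read()
        return {
            "victim_clobbered": victim_now != VICTIM_TEXT,
            "wrote_through_symlink": os.path.islink(path),
            "mode": stat.S_IMODE(os.lstat(path).st_mode),
        }
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    print("predictable:", simulate_symlink_attack(write_config_predictable))
    print("mkstemp:    ", simulate_symlink_attack(write_config_safe))
```

The predictable writer reports the victim file clobbered and the write going through the planted link; the mkstemp writer leaves the victim untouched and produces a fresh 0600 file. On a real system the same attack also works on a sticky /tmp unless fs.protected_symlinks blocks it, which is why the fix is in the program rather than in the directory.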
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise High Availability 15-SP2:
  zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2021-781=1

Package List:

- SUSE Linux Enterprise High Availability 15-SP2 (noarch):
  crmsh-4.3.0+20210305.9db5c9a8-5.42.1 crmsh-scripts-4.3.0+20210305.9db5c9a8-5.42.1

References:

https://www.suse.com/security/cve/CVE-2020-35459.html
https://www.suse.com/security/cve/CVE-2021-3020.html
https://bugzilla.suse.com/1154927
https://bugzilla.suse.com/1178454
https://bugzilla.suse.com/1178869
https://bugzilla.suse.com/1179999
https://bugzilla.suse.com/1180126
https://bugzilla.suse.com/1180137
https://bugzilla.suse.com/1180571
https://bugzilla.suse.com/1180688
https://bugzilla.suse.com/1181415

From sle-security-updates at lists.suse.com Fri Mar 12 20:25:04 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 12 Mar 2021 21:25:04 +0100 (CET)
Subject: SUSE-SU-2021:0777-1: important: Security update for s390-tools
Message-ID: <20210312202504.8C3D2FD17@maintenance.suse.de>

SUSE Security Update: Security update for s390-tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0777-1
Rating:             important
References:         #1176574 #1182777 #1182876 #1183040
Cross-References:   CVE-2021-25316
CVSS scores:
                    CVE-2021-25316 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that solves one vulnerability and has three fixes is now available.

Description:

This update for s390-tools fixes the following issues:

- Fixed an issue where IPL was not working when the bootloader was installed on a SCSI disk with 4k physical blocksize without using a devicemapper target (bsc#1183041).
- CVE-2021-25316: Do not use predictable temporary file names (bsc#1182777).
- Made the name of the temporary configuration file in /tmp/ unpredictable (bsc#1182876).
- Changed the scheduler from "deadline" to the newly created "mq-deadline" scheduler (bsc#1176574).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-777=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (s390x):
  osasnmpd-2.11.0-9.20.1 osasnmpd-debuginfo-2.11.0-9.20.1 s390-tools-2.11.0-9.20.1 s390-tools-debuginfo-2.11.0-9.20.1 s390-tools-debugsource-2.11.0-9.20.1 s390-tools-hmcdrvfs-2.11.0-9.20.1 s390-tools-hmcdrvfs-debuginfo-2.11.0-9.20.1 s390-tools-zdsfs-2.11.0-9.20.1 s390-tools-zdsfs-debuginfo-2.11.0-9.20.1

References:

https://www.suse.com/security/cve/CVE-2021-25316.html
https://bugzilla.suse.com/1176574
https://bugzilla.suse.com/1182777
https://bugzilla.suse.com/1182876
https://bugzilla.suse.com/1183040

From sle-security-updates at lists.suse.com Tue Mar 16 11:17:09 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 16 Mar 2021 12:17:09 +0100 (CET)
Subject: SUSE-SU-2021:0794-1: moderate: Security update for python
Message-ID: <20210316111709.2F77AFD17@maintenance.suse.de>

SUSE Security Update: Security update for python
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0794-1
Rating:             moderate
References:         #1182379
Cross-References:   CVE-2019-18348 CVE-2021-23336
CVSS scores:
                    CVE-2019-18348 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2019-18348 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-23336 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
                    CVE-2021-23336 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for python fixes the following issues:

- python27 was upgraded to 2.7.18
- CVE-2021-23336: Fixed a potential web cache poisoning caused by the use of a semicolon as a query string separator in query parameters (bsc#1182379).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
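The CVE-2021-23336 item above is a parser differential. Before the fix, Python's parse_qs/parse_qsl (in the urlparse module on Python 2.7, urllib.parse on Python 3) treated both "&" and ";" as parameter separators, while the proxies and caches in front of an application generally split on "&" only. A parameter hidden behind a ";" therefore reaches the backend without appearing in the cache's view of the request, and a response built from it can be stored under a key that ordinary users hit. The following added example is not CPython's or SUSE's code: it reimplements both splitting rules and a simplified cache-key function to show the discrepancy and how the "&"-only rule closes it. The UNKEYED_PARAMS set, the /page path and the query strings are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Tracking parameters a front-end cache strips from its cache key so they do
# not fragment the cache. Constructed assumption for this example.
UNKEYED_PARAMS = {"utm_source", "utm_medium", "utm_content"}


def _split_pairs(query, separators):
    """Split `query` on any character in `separators` and decode name=value pairs."""
    pairs = []
    for field in re.split("[" + re.escape(separators) + "]", query):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def backend_parse_legacy(query):
    """Pre-fix rule of parse_qsl: both '&' and ';' separate parameters."""
    return _split_pairs(query, "&;")


def backend_parse_fixed(query):
    """Post-fix rule: only '&' separates parameters, matching what caches and
    browsers do. Patched CPython exposes it as parse_qsl(query, separator='&')."""
    return _split_pairs(query, "&")


def proxy_cache_key(path, query):
    """Cache key as a caching proxy would build it: '&'-separated parameters,
    sorted, with the unkeyed tracking parameters removed."""
    keyed = sorted(
        (n, v) for n, v in _split_pairs(query, "&") if n not in UNKEYED_PARAMS
    )
    if not keyed:
        return path
    return path + "?" + "&".join(n + "=" + v for n, v in keyed)


def hidden_from_cache(query, backend_parse):
    """Parameters the backend sees under names the cache never saw at all.

    Anything returned here influences the response without influencing the
    cache key, which is exactly what a cache-poisoning request needs.
    """
    cache_names = {n for n, _ in _split_pairs(query, "&")}
    return {n: v for n, v in backend_parse(query) if n not in cache_names}


# Constructed attacker request: the cache sees one tracking parameter, the
# legacy backend additionally sees `callback`, smuggled behind the ';'.
ATTACK_QUERY = "utm_content=a;callback=alert(1)"

if __name__ == "__main__":
    print(proxy_cache_key("/page", ATTACK_QUERY))                 # same key as a clean request
    print(proxy_cache_key("/page", ""))
    print(hidden_from_cache(ATTACK_QUERY, backend_parse_legacy))  # callback reaches the backend
    print(hidden_from_cache(ATTACK_QUERY, backend_parse_fixed))   # nothing hidden
```

With the legacy rule the attacker's request and a clean request for /page share a cache key while the backend sees callback=alert(1); with the "&"-only rule the whole string "a;callback=alert(1)" is just the value of utm_content, so the two components agree. The fix in the advisory is this change of default; applications that need ";" for compatibility have to pass it explicitly and make sure every cache in front of them uses the same rule.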
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-794=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-794=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-794=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-794=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2021-794=1 - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2021-794=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-794=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-794=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-794=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-794=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-794=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-794=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-794=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-794=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-794=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-794=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): libpython2_7-1_0-2.7.18-28.67.1 libpython2_7-1_0-32bit-2.7.18-28.67.1 libpython2_7-1_0-debuginfo-2.7.18-28.67.1 libpython2_7-1_0-debuginfo-32bit-2.7.18-28.67.1 python-2.7.18-28.67.1 python-32bit-2.7.18-28.67.1 python-base-2.7.18-28.67.1 python-base-32bit-2.7.18-28.67.1 python-base-debuginfo-2.7.18-28.67.1 python-base-debuginfo-32bit-2.7.18-28.67.1 python-base-debugsource-2.7.18-28.67.1 
      python-curses-2.7.18-28.67.1
      python-curses-debuginfo-2.7.18-28.67.1
      python-debuginfo-2.7.18-28.67.1
      python-debuginfo-32bit-2.7.18-28.67.1
      python-debugsource-2.7.18-28.67.1
      python-demo-2.7.18-28.67.1
      python-devel-2.7.18-28.67.1
      python-gdbm-2.7.18-28.67.1
      python-gdbm-debuginfo-2.7.18-28.67.1
      python-idle-2.7.18-28.67.1
      python-tk-2.7.18-28.67.1
      python-tk-debuginfo-2.7.18-28.67.1
      python-xml-2.7.18-28.67.1
      python-xml-debuginfo-2.7.18-28.67.1

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      python-doc-2.7.18-28.67.1
      python-doc-pdf-2.7.18-28.67.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      libpython2_7-1_0-2.7.18-28.67.1
      libpython2_7-1_0-32bit-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-32bit-2.7.18-28.67.1
      python-2.7.18-28.67.1
      python-32bit-2.7.18-28.67.1
      python-base-2.7.18-28.67.1
      python-base-32bit-2.7.18-28.67.1
      python-base-debuginfo-2.7.18-28.67.1
      python-base-debuginfo-32bit-2.7.18-28.67.1
      python-base-debugsource-2.7.18-28.67.1
      python-curses-2.7.18-28.67.1
      python-curses-debuginfo-2.7.18-28.67.1
      python-debuginfo-2.7.18-28.67.1
      python-debuginfo-32bit-2.7.18-28.67.1
      python-debugsource-2.7.18-28.67.1
      python-demo-2.7.18-28.67.1
      python-devel-2.7.18-28.67.1
      python-gdbm-2.7.18-28.67.1
      python-gdbm-debuginfo-2.7.18-28.67.1
      python-idle-2.7.18-28.67.1
      python-tk-2.7.18-28.67.1
      python-tk-debuginfo-2.7.18-28.67.1
      python-xml-2.7.18-28.67.1
      python-xml-debuginfo-2.7.18-28.67.1

   - SUSE OpenStack Cloud Crowbar 8 (noarch):

      python-doc-2.7.18-28.67.1
      python-doc-pdf-2.7.18-28.67.1

   - SUSE OpenStack Cloud 9 (x86_64):

      libpython2_7-1_0-2.7.18-28.67.1
      libpython2_7-1_0-32bit-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-32bit-2.7.18-28.67.1
      python-2.7.18-28.67.1
      python-32bit-2.7.18-28.67.1
      python-base-2.7.18-28.67.1
      python-base-32bit-2.7.18-28.67.1
      python-base-debuginfo-2.7.18-28.67.1
      python-base-debuginfo-32bit-2.7.18-28.67.1
      python-base-debugsource-2.7.18-28.67.1
      python-curses-2.7.18-28.67.1
      python-curses-debuginfo-2.7.18-28.67.1
      python-debuginfo-2.7.18-28.67.1
      python-debuginfo-32bit-2.7.18-28.67.1
      python-debugsource-2.7.18-28.67.1
      python-demo-2.7.18-28.67.1
      python-devel-2.7.18-28.67.1
      python-gdbm-2.7.18-28.67.1
      python-gdbm-debuginfo-2.7.18-28.67.1
      python-idle-2.7.18-28.67.1
      python-tk-2.7.18-28.67.1
      python-tk-debuginfo-2.7.18-28.67.1
      python-xml-2.7.18-28.67.1
      python-xml-debuginfo-2.7.18-28.67.1

   - SUSE OpenStack Cloud 9 (noarch):

      python-doc-2.7.18-28.67.1
      python-doc-pdf-2.7.18-28.67.1

   - SUSE OpenStack Cloud 8 (x86_64):

      libpython2_7-1_0-2.7.18-28.67.1
      libpython2_7-1_0-32bit-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-32bit-2.7.18-28.67.1
      python-2.7.18-28.67.1
      python-32bit-2.7.18-28.67.1
      python-base-2.7.18-28.67.1
      python-base-32bit-2.7.18-28.67.1
      python-base-debuginfo-2.7.18-28.67.1
      python-base-debuginfo-32bit-2.7.18-28.67.1
      python-base-debugsource-2.7.18-28.67.1
      python-curses-2.7.18-28.67.1
      python-curses-debuginfo-2.7.18-28.67.1
      python-debuginfo-2.7.18-28.67.1
      python-debuginfo-32bit-2.7.18-28.67.1
      python-debugsource-2.7.18-28.67.1
      python-demo-2.7.18-28.67.1
      python-devel-2.7.18-28.67.1
      python-gdbm-2.7.18-28.67.1
      python-gdbm-debuginfo-2.7.18-28.67.1
      python-idle-2.7.18-28.67.1
      python-tk-2.7.18-28.67.1
      python-tk-debuginfo-2.7.18-28.67.1
      python-xml-2.7.18-28.67.1
      python-xml-debuginfo-2.7.18-28.67.1

   - SUSE OpenStack Cloud 8 (noarch):

      python-doc-2.7.18-28.67.1
      python-doc-pdf-2.7.18-28.67.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      libpython2_7-1_0-2.7.18-28.67.1
      libpython2_7-1_0-32bit-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-32bit-2.7.18-28.67.1
      python-2.7.18-28.67.1
      python-32bit-2.7.18-28.67.1
      python-base-2.7.18-28.67.1
      python-base-32bit-2.7.18-28.67.1
      python-base-debuginfo-2.7.18-28.67.1
      python-base-debuginfo-32bit-2.7.18-28.67.1
      python-base-debugsource-2.7.18-28.67.1
      python-curses-2.7.18-28.67.1
      python-curses-debuginfo-2.7.18-28.67.1
      python-debuginfo-2.7.18-28.67.1
      python-debuginfo-32bit-2.7.18-28.67.1
      python-debugsource-2.7.18-28.67.1
      python-demo-2.7.18-28.67.1
      python-devel-2.7.18-28.67.1
      python-gdbm-2.7.18-28.67.1
      python-gdbm-debuginfo-2.7.18-28.67.1
      python-idle-2.7.18-28.67.1
      python-tk-2.7.18-28.67.1
      python-tk-debuginfo-2.7.18-28.67.1
      python-xml-2.7.18-28.67.1
      python-xml-debuginfo-2.7.18-28.67.1

   - SUSE OpenStack Cloud 7 (noarch):

      python-doc-2.7.18-28.67.1
      python-doc-pdf-2.7.18-28.67.1

   - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

      python-base-debuginfo-2.7.18-28.67.1
      python-base-debugsource-2.7.18-28.67.1
      python-devel-2.7.18-28.67.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      libpython2_7-1_0-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-2.7.18-28.67.1
      python-2.7.18-28.67.1
      python-base-2.7.18-28.67.1
      python-base-debuginfo-2.7.18-28.67.1
      python-base-debugsource-2.7.18-28.67.1
      python-curses-2.7.18-28.67.1
      python-curses-debuginfo-2.7.18-28.67.1
      python-debuginfo-2.7.18-28.67.1
      python-debugsource-2.7.18-28.67.1
      python-demo-2.7.18-28.67.1
      python-devel-2.7.18-28.67.1
      python-gdbm-2.7.18-28.67.1
      python-gdbm-debuginfo-2.7.18-28.67.1
      python-idle-2.7.18-28.67.1
      python-tk-2.7.18-28.67.1
      python-tk-debuginfo-2.7.18-28.67.1
      python-xml-2.7.18-28.67.1
      python-xml-debuginfo-2.7.18-28.67.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):

      python-doc-2.7.18-28.67.1
      python-doc-pdf-2.7.18-28.67.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

      libpython2_7-1_0-32bit-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-32bit-2.7.18-28.67.1
      python-32bit-2.7.18-28.67.1
      python-base-32bit-2.7.18-28.67.1
      python-base-debuginfo-32bit-2.7.18-28.67.1
      python-debuginfo-32bit-2.7.18-28.67.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      libpython2_7-1_0-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-2.7.18-28.67.1
      python-2.7.18-28.67.1
      python-base-2.7.18-28.67.1
      python-base-debuginfo-2.7.18-28.67.1
      python-base-debugsource-2.7.18-28.67.1
      python-curses-2.7.18-28.67.1
      python-curses-debuginfo-2.7.18-28.67.1
      python-debuginfo-2.7.18-28.67.1
      python-debugsource-2.7.18-28.67.1
      python-demo-2.7.18-28.67.1
      python-devel-2.7.18-28.67.1
      python-gdbm-2.7.18-28.67.1
      python-gdbm-debuginfo-2.7.18-28.67.1
      python-idle-2.7.18-28.67.1
      python-tk-2.7.18-28.67.1
      python-tk-debuginfo-2.7.18-28.67.1
      python-xml-2.7.18-28.67.1
      python-xml-debuginfo-2.7.18-28.67.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):

      libpython2_7-1_0-32bit-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-32bit-2.7.18-28.67.1
      python-32bit-2.7.18-28.67.1
      python-base-32bit-2.7.18-28.67.1
      python-base-debuginfo-32bit-2.7.18-28.67.1
      python-debuginfo-32bit-2.7.18-28.67.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

      python-doc-2.7.18-28.67.1
      python-doc-pdf-2.7.18-28.67.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      libpython2_7-1_0-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-2.7.18-28.67.1
      python-2.7.18-28.67.1
      python-base-2.7.18-28.67.1
      python-base-debuginfo-2.7.18-28.67.1
      python-base-debugsource-2.7.18-28.67.1
      python-curses-2.7.18-28.67.1
      python-curses-debuginfo-2.7.18-28.67.1
      python-debuginfo-2.7.18-28.67.1
      python-debugsource-2.7.18-28.67.1
      python-demo-2.7.18-28.67.1
      python-devel-2.7.18-28.67.1
      python-gdbm-2.7.18-28.67.1
      python-gdbm-debuginfo-2.7.18-28.67.1
      python-idle-2.7.18-28.67.1
      python-tk-2.7.18-28.67.1
      python-tk-debuginfo-2.7.18-28.67.1
      python-xml-2.7.18-28.67.1
      python-xml-debuginfo-2.7.18-28.67.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):

      libpython2_7-1_0-32bit-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-32bit-2.7.18-28.67.1
      python-32bit-2.7.18-28.67.1
      python-base-32bit-2.7.18-28.67.1
      python-base-debuginfo-32bit-2.7.18-28.67.1
      python-debuginfo-32bit-2.7.18-28.67.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

      python-doc-2.7.18-28.67.1
      python-doc-pdf-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libpython2_7-1_0-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-2.7.18-28.67.1
      python-2.7.18-28.67.1
      python-base-2.7.18-28.67.1
      python-base-debuginfo-2.7.18-28.67.1
      python-base-debugsource-2.7.18-28.67.1
      python-curses-2.7.18-28.67.1
      python-curses-debuginfo-2.7.18-28.67.1
      python-debuginfo-2.7.18-28.67.1
      python-debugsource-2.7.18-28.67.1
      python-demo-2.7.18-28.67.1
      python-devel-2.7.18-28.67.1
      python-gdbm-2.7.18-28.67.1
      python-gdbm-debuginfo-2.7.18-28.67.1
      python-idle-2.7.18-28.67.1
      python-tk-2.7.18-28.67.1
      python-tk-debuginfo-2.7.18-28.67.1
      python-xml-2.7.18-28.67.1
      python-xml-debuginfo-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libpython2_7-1_0-32bit-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-32bit-2.7.18-28.67.1
      python-32bit-2.7.18-28.67.1
      python-base-32bit-2.7.18-28.67.1
      python-base-debuginfo-32bit-2.7.18-28.67.1
      python-debuginfo-32bit-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      python-doc-2.7.18-28.67.1
      python-doc-pdf-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      libpython2_7-1_0-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-2.7.18-28.67.1
      python-2.7.18-28.67.1
      python-base-2.7.18-28.67.1
      python-base-debuginfo-2.7.18-28.67.1
      python-base-debugsource-2.7.18-28.67.1
      python-curses-2.7.18-28.67.1
      python-curses-debuginfo-2.7.18-28.67.1
      python-debuginfo-2.7.18-28.67.1
      python-debugsource-2.7.18-28.67.1
      python-demo-2.7.18-28.67.1
      python-devel-2.7.18-28.67.1
      python-gdbm-2.7.18-28.67.1
      python-gdbm-debuginfo-2.7.18-28.67.1
      python-idle-2.7.18-28.67.1
      python-tk-2.7.18-28.67.1
      python-tk-debuginfo-2.7.18-28.67.1
      python-xml-2.7.18-28.67.1
      python-xml-debuginfo-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):

      libpython2_7-1_0-32bit-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-32bit-2.7.18-28.67.1
      python-32bit-2.7.18-28.67.1
      python-base-32bit-2.7.18-28.67.1
      python-base-debuginfo-32bit-2.7.18-28.67.1
      python-debuginfo-32bit-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):

      python-doc-2.7.18-28.67.1
      python-doc-pdf-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      libpython2_7-1_0-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-2.7.18-28.67.1
      python-2.7.18-28.67.1
      python-base-2.7.18-28.67.1
      python-base-debuginfo-2.7.18-28.67.1
      python-base-debugsource-2.7.18-28.67.1
      python-curses-2.7.18-28.67.1
      python-curses-debuginfo-2.7.18-28.67.1
      python-debuginfo-2.7.18-28.67.1
      python-debugsource-2.7.18-28.67.1
      python-demo-2.7.18-28.67.1
      python-devel-2.7.18-28.67.1
      python-gdbm-2.7.18-28.67.1
      python-gdbm-debuginfo-2.7.18-28.67.1
      python-idle-2.7.18-28.67.1
      python-tk-2.7.18-28.67.1
      python-tk-debuginfo-2.7.18-28.67.1
      python-xml-2.7.18-28.67.1
      python-xml-debuginfo-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):

      libpython2_7-1_0-32bit-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-32bit-2.7.18-28.67.1
      python-32bit-2.7.18-28.67.1
      python-base-32bit-2.7.18-28.67.1
      python-base-debuginfo-32bit-2.7.18-28.67.1
      python-debuginfo-32bit-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

      python-doc-2.7.18-28.67.1
      python-doc-pdf-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      libpython2_7-1_0-2.7.18-28.67.1
      libpython2_7-1_0-32bit-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-32bit-2.7.18-28.67.1
      python-2.7.18-28.67.1
      python-32bit-2.7.18-28.67.1
      python-base-2.7.18-28.67.1
      python-base-32bit-2.7.18-28.67.1
      python-base-debuginfo-2.7.18-28.67.1
      python-base-debuginfo-32bit-2.7.18-28.67.1
      python-base-debugsource-2.7.18-28.67.1
      python-curses-2.7.18-28.67.1
      python-curses-debuginfo-2.7.18-28.67.1
      python-debuginfo-2.7.18-28.67.1
      python-debuginfo-32bit-2.7.18-28.67.1
      python-debugsource-2.7.18-28.67.1
      python-demo-2.7.18-28.67.1
      python-devel-2.7.18-28.67.1
      python-gdbm-2.7.18-28.67.1
      python-gdbm-debuginfo-2.7.18-28.67.1
      python-idle-2.7.18-28.67.1
      python-tk-2.7.18-28.67.1
      python-tk-debuginfo-2.7.18-28.67.1
      python-xml-2.7.18-28.67.1
      python-xml-debuginfo-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):

      python-doc-2.7.18-28.67.1
      python-doc-pdf-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      libpython2_7-1_0-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-2.7.18-28.67.1
      python-2.7.18-28.67.1
      python-base-2.7.18-28.67.1
      python-base-debuginfo-2.7.18-28.67.1
      python-base-debugsource-2.7.18-28.67.1
      python-curses-2.7.18-28.67.1
      python-curses-debuginfo-2.7.18-28.67.1
      python-debuginfo-2.7.18-28.67.1
      python-debugsource-2.7.18-28.67.1
      python-demo-2.7.18-28.67.1
      python-devel-2.7.18-28.67.1
      python-gdbm-2.7.18-28.67.1
      python-gdbm-debuginfo-2.7.18-28.67.1
      python-idle-2.7.18-28.67.1
      python-tk-2.7.18-28.67.1
      python-tk-debuginfo-2.7.18-28.67.1
      python-xml-2.7.18-28.67.1
      python-xml-debuginfo-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):

      libpython2_7-1_0-32bit-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-32bit-2.7.18-28.67.1
      python-32bit-2.7.18-28.67.1
      python-base-32bit-2.7.18-28.67.1
      python-base-debuginfo-32bit-2.7.18-28.67.1
      python-debuginfo-32bit-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

      python-doc-2.7.18-28.67.1
      python-doc-pdf-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      python-doc-2.7.18-28.67.1
      python-doc-pdf-2.7.18-28.67.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      libpython2_7-1_0-2.7.18-28.67.1
      libpython2_7-1_0-32bit-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-32bit-2.7.18-28.67.1
      python-2.7.18-28.67.1
      python-32bit-2.7.18-28.67.1
      python-base-2.7.18-28.67.1
      python-base-32bit-2.7.18-28.67.1
      python-base-debuginfo-2.7.18-28.67.1
      python-base-debuginfo-32bit-2.7.18-28.67.1
      python-base-debugsource-2.7.18-28.67.1
      python-curses-2.7.18-28.67.1
      python-curses-debuginfo-2.7.18-28.67.1
      python-debuginfo-2.7.18-28.67.1
      python-debuginfo-32bit-2.7.18-28.67.1
      python-debugsource-2.7.18-28.67.1
      python-demo-2.7.18-28.67.1
      python-gdbm-2.7.18-28.67.1
      python-gdbm-debuginfo-2.7.18-28.67.1
      python-idle-2.7.18-28.67.1
      python-tk-2.7.18-28.67.1
      python-tk-debuginfo-2.7.18-28.67.1
      python-xml-2.7.18-28.67.1
      python-xml-debuginfo-2.7.18-28.67.1

   - HPE Helion Openstack 8 (x86_64):

      libpython2_7-1_0-2.7.18-28.67.1
      libpython2_7-1_0-32bit-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-2.7.18-28.67.1
      libpython2_7-1_0-debuginfo-32bit-2.7.18-28.67.1
      python-2.7.18-28.67.1
      python-32bit-2.7.18-28.67.1
      python-base-2.7.18-28.67.1
      python-base-32bit-2.7.18-28.67.1
      python-base-debuginfo-2.7.18-28.67.1
      python-base-debuginfo-32bit-2.7.18-28.67.1
      python-base-debugsource-2.7.18-28.67.1
      python-curses-2.7.18-28.67.1
      python-curses-debuginfo-2.7.18-28.67.1
      python-debuginfo-2.7.18-28.67.1
      python-debuginfo-32bit-2.7.18-28.67.1
      python-debugsource-2.7.18-28.67.1
      python-demo-2.7.18-28.67.1
      python-devel-2.7.18-28.67.1
      python-gdbm-2.7.18-28.67.1
      python-gdbm-debuginfo-2.7.18-28.67.1
      python-idle-2.7.18-28.67.1
      python-tk-2.7.18-28.67.1
      python-tk-debuginfo-2.7.18-28.67.1
      python-xml-2.7.18-28.67.1
      python-xml-debuginfo-2.7.18-28.67.1

   - HPE Helion Openstack 8 (noarch):

      python-doc-2.7.18-28.67.1
      python-doc-pdf-2.7.18-28.67.1

References:

   https://www.suse.com/security/cve/CVE-2019-18348.html
   https://www.suse.com/security/cve/CVE-2021-23336.html
   https://bugzilla.suse.com/1182379

From sle-security-updates at lists.suse.com Tue Mar 16 11:18:20 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 16 Mar 2021 12:18:20 +0100 (CET)
Subject: SUSE-SU-2021:0793-1: moderate: Security update for compat-openssl098
Message-ID: <20210316111820.CCF8AFFA5@maintenance.suse.de>

   SUSE Security Update: Security update for compat-openssl098
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0793-1
Rating:             moderate
References:         #1182331 #1182333
Cross-References:   CVE-2021-23840 CVE-2021-23841
CVSS scores:
                    CVE-2021-23840 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-23840 (SUSE): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
                    CVE-2021-23841 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-23841 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Module for Legacy Software 12
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for compat-openssl098 fixes the following issues:

   - CVE-2021-23840: Fixed an integer overflow in CipherUpdate (bsc#1182333)
   - CVE-2021-23841: Fixed a NULL pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP5:

      zypper in -t patch SUSE-SLE-SAP-12-SP5-2021-793=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-793=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-793=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-793=1

   - SUSE Linux Enterprise Module for Legacy Software 12:

      zypper in -t patch SUSE-SLE-Module-Legacy-12-2021-793=1

Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP5 (x86_64):

      compat-openssl098-debugsource-0.9.8j-106.24.1
      libopenssl0_9_8-0.9.8j-106.24.1
      libopenssl0_9_8-debuginfo-0.9.8j-106.24.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

      compat-openssl098-debugsource-0.9.8j-106.24.1
      libopenssl0_9_8-0.9.8j-106.24.1
      libopenssl0_9_8-debuginfo-0.9.8j-106.24.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):

      compat-openssl098-debugsource-0.9.8j-106.24.1
      libopenssl0_9_8-0.9.8j-106.24.1
      libopenssl0_9_8-debuginfo-0.9.8j-106.24.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):

      compat-openssl098-debugsource-0.9.8j-106.24.1
      libopenssl0_9_8-0.9.8j-106.24.1
      libopenssl0_9_8-debuginfo-0.9.8j-106.24.1

   - SUSE Linux Enterprise Module for Legacy Software 12 (s390x x86_64):

      compat-openssl098-debugsource-0.9.8j-106.24.1
      libopenssl0_9_8-0.9.8j-106.24.1
      libopenssl0_9_8-32bit-0.9.8j-106.24.1
      libopenssl0_9_8-debuginfo-0.9.8j-106.24.1
      libopenssl0_9_8-debuginfo-32bit-0.9.8j-106.24.1

References:

   https://www.suse.com/security/cve/CVE-2021-23840.html
   https://www.suse.com/security/cve/CVE-2021-23841.html
   https://bugzilla.suse.com/1182331
   https://bugzilla.suse.com/1182333

From sle-security-updates at lists.suse.com Tue Mar 16 17:19:05 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 16 Mar 2021 18:19:05 +0100 (CET)
Subject: SUSE-SU-2021:0801-1: important: Security update for glib2
Message-ID: <20210316171905.043C4FD17@maintenance.suse.de>

   SUSE Security Update: Security update for glib2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0801-1
Rating:             important
References:         #1182328 #1182362
Cross-References:   CVE-2021-27218 CVE-2021-27219
CVSS scores:
                    CVE-2021-27218 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-27218 (SUSE): 5 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
                    CVE-2021-27219 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-27219 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for glib2 fixes the following issues:

   - CVE-2021-27218: g_byte_array_new_take takes a gsize as its length but stores it in a guint; the patch refuses lengths larger than a guint can hold. (bsc#1182328)
   - CVE-2021-27219: g_memdup takes a guint as its length parameter, which can lead to an integer overflow; a g_memdup2 function that uses gsize was added to replace it. (bsc#1182362)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-801=1

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-801=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-801=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-801=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2021-801=1

   - SUSE Linux Enterprise Workstation Extension 12-SP5:

      zypper in -t patch SUSE-SLE-WE-12-SP5-2021-801=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-801=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-801=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-801=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-801=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-801=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-801=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-801=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-801=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-801=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-801=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2021-801=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-tools-2.48.2-12.22.1
      glib2-tools-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-2.48.2-12.22.1
      libgio-2_0-0-32bit-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libglib-2_0-0-2.48.2-12.22.1
      libglib-2_0-0-32bit-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-2.48.2-12.22.1
      libgmodule-2_0-0-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgobject-2_0-0-2.48.2-12.22.1
      libgobject-2_0-0-32bit-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgthread-2_0-0-2.48.2-12.22.1
      libgthread-2_0-0-32bit-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-32bit-2.48.2-12.22.1

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      glib2-lang-2.48.2-12.22.1

   - SUSE OpenStack Cloud Crowbar 8 (noarch):

      glib2-lang-2.48.2-12.22.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-tools-2.48.2-12.22.1
      glib2-tools-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-2.48.2-12.22.1
      libgio-2_0-0-32bit-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libglib-2_0-0-2.48.2-12.22.1
      libglib-2_0-0-32bit-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-2.48.2-12.22.1
      libgmodule-2_0-0-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgobject-2_0-0-2.48.2-12.22.1
      libgobject-2_0-0-32bit-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgthread-2_0-0-2.48.2-12.22.1
      libgthread-2_0-0-32bit-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-32bit-2.48.2-12.22.1

   - SUSE OpenStack Cloud 9 (x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-tools-2.48.2-12.22.1
      glib2-tools-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-2.48.2-12.22.1
      libgio-2_0-0-32bit-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libglib-2_0-0-2.48.2-12.22.1
      libglib-2_0-0-32bit-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-2.48.2-12.22.1
      libgmodule-2_0-0-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgobject-2_0-0-2.48.2-12.22.1
      libgobject-2_0-0-32bit-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgthread-2_0-0-2.48.2-12.22.1
      libgthread-2_0-0-32bit-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-32bit-2.48.2-12.22.1

   - SUSE OpenStack Cloud 9 (noarch):

      glib2-lang-2.48.2-12.22.1

   - SUSE OpenStack Cloud 8 (noarch):

      glib2-lang-2.48.2-12.22.1

   - SUSE OpenStack Cloud 8 (x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-tools-2.48.2-12.22.1
      glib2-tools-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-2.48.2-12.22.1
      libgio-2_0-0-32bit-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libglib-2_0-0-2.48.2-12.22.1
      libglib-2_0-0-32bit-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-2.48.2-12.22.1
      libgmodule-2_0-0-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgobject-2_0-0-2.48.2-12.22.1
      libgobject-2_0-0-32bit-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgthread-2_0-0-2.48.2-12.22.1
      libgthread-2_0-0-32bit-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-32bit-2.48.2-12.22.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-tools-2.48.2-12.22.1
      glib2-tools-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-2.48.2-12.22.1
      libgio-2_0-0-32bit-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libglib-2_0-0-2.48.2-12.22.1
      libglib-2_0-0-32bit-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-2.48.2-12.22.1
      libgmodule-2_0-0-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgobject-2_0-0-2.48.2-12.22.1
      libgobject-2_0-0-32bit-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgthread-2_0-0-2.48.2-12.22.1
      libgthread-2_0-0-32bit-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-32bit-2.48.2-12.22.1

   - SUSE OpenStack Cloud 7 (noarch):

      glib2-lang-2.48.2-12.22.1

   - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

      glib2-debugsource-2.48.2-12.22.1
      libgio-fam-2.48.2-12.22.1
      libgio-fam-debuginfo-2.48.2-12.22.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-devel-2.48.2-12.22.1
      glib2-devel-debuginfo-2.48.2-12.22.1
      glib2-devel-static-2.48.2-12.22.1
      libgio-fam-2.48.2-12.22.1
      libgio-fam-debuginfo-2.48.2-12.22.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-tools-2.48.2-12.22.1
      glib2-tools-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-2.48.2-12.22.1
      libglib-2_0-0-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-2.48.2-12.22.1
      libgmodule-2_0-0-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-2.48.2-12.22.1
      libgobject-2_0-0-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-2.48.2-12.22.1
      libgthread-2_0-0-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-2.48.2-12.22.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

      libgio-2_0-0-32bit-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libglib-2_0-0-32bit-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgobject-2_0-0-32bit-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgthread-2_0-0-32bit-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-32bit-2.48.2-12.22.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):

      glib2-lang-2.48.2-12.22.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-tools-2.48.2-12.22.1
      glib2-tools-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-2.48.2-12.22.1
      libglib-2_0-0-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-2.48.2-12.22.1
      libgmodule-2_0-0-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-2.48.2-12.22.1
      libgobject-2_0-0-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-2.48.2-12.22.1
      libgthread-2_0-0-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-2.48.2-12.22.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

      glib2-lang-2.48.2-12.22.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):

      libgio-2_0-0-32bit-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libglib-2_0-0-32bit-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgobject-2_0-0-32bit-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgthread-2_0-0-32bit-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-32bit-2.48.2-12.22.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-tools-2.48.2-12.22.1
      glib2-tools-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-2.48.2-12.22.1
      libglib-2_0-0-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-2.48.2-12.22.1
      libgmodule-2_0-0-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-2.48.2-12.22.1
      libgobject-2_0-0-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-2.48.2-12.22.1
      libgthread-2_0-0-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-2.48.2-12.22.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):

      libgio-2_0-0-32bit-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libglib-2_0-0-32bit-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgobject-2_0-0-32bit-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgthread-2_0-0-32bit-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-32bit-2.48.2-12.22.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

      glib2-lang-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-tools-2.48.2-12.22.1
      glib2-tools-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-2.48.2-12.22.1
      libglib-2_0-0-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-2.48.2-12.22.1
      libgmodule-2_0-0-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-2.48.2-12.22.1
      libgobject-2_0-0-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-2.48.2-12.22.1
      libgthread-2_0-0-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libgio-2_0-0-32bit-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libglib-2_0-0-32bit-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgobject-2_0-0-32bit-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgthread-2_0-0-32bit-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-32bit-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      glib2-lang-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-tools-2.48.2-12.22.1
      glib2-tools-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-2.48.2-12.22.1
      libglib-2_0-0-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-2.48.2-12.22.1
      libgmodule-2_0-0-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-2.48.2-12.22.1
      libgobject-2_0-0-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-2.48.2-12.22.1
      libgthread-2_0-0-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):

      libgio-2_0-0-32bit-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libglib-2_0-0-32bit-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgobject-2_0-0-32bit-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgthread-2_0-0-32bit-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-32bit-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):

      glib2-lang-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-tools-2.48.2-12.22.1
      glib2-tools-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-2.48.2-12.22.1
      libglib-2_0-0-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-2.48.2-12.22.1
      libgmodule-2_0-0-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-2.48.2-12.22.1
      libgobject-2_0-0-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-2.48.2-12.22.1
      libgthread-2_0-0-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):

      libgio-2_0-0-32bit-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libglib-2_0-0-32bit-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgobject-2_0-0-32bit-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgthread-2_0-0-32bit-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-32bit-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

      glib2-lang-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):

      glib2-lang-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-tools-2.48.2-12.22.1
      glib2-tools-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-2.48.2-12.22.1
      libgio-2_0-0-32bit-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libglib-2_0-0-2.48.2-12.22.1
      libglib-2_0-0-32bit-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-2.48.2-12.22.1
      libgmodule-2_0-0-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgobject-2_0-0-2.48.2-12.22.1
      libgobject-2_0-0-32bit-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgthread-2_0-0-2.48.2-12.22.1
      libgthread-2_0-0-32bit-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-32bit-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-tools-2.48.2-12.22.1
      glib2-tools-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-2.48.2-12.22.1
      libglib-2_0-0-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-2.48.2-12.22.1
      libgmodule-2_0-0-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-2.48.2-12.22.1
      libgobject-2_0-0-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-2.48.2-12.22.1
      libgthread-2_0-0-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):

      libgio-2_0-0-32bit-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libglib-2_0-0-32bit-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgobject-2_0-0-32bit-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgthread-2_0-0-32bit-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-32bit-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

      glib2-lang-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-tools-2.48.2-12.22.1
      glib2-tools-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-2.48.2-12.22.1
      libgio-2_0-0-32bit-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libglib-2_0-0-2.48.2-12.22.1
      libglib-2_0-0-32bit-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-2.48.2-12.22.1
      libgmodule-2_0-0-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgobject-2_0-0-2.48.2-12.22.1
      libgobject-2_0-0-32bit-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgthread-2_0-0-2.48.2-12.22.1
      libgthread-2_0-0-32bit-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-32bit-2.48.2-12.22.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      glib2-lang-2.48.2-12.22.1

   - HPE Helion Openstack 8 (x86_64):

      glib2-debugsource-2.48.2-12.22.1
      glib2-tools-2.48.2-12.22.1
      glib2-tools-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-2.48.2-12.22.1
      libgio-2_0-0-32bit-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-2.48.2-12.22.1
      libgio-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libglib-2_0-0-2.48.2-12.22.1
      libglib-2_0-0-32bit-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-2.48.2-12.22.1
      libglib-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-2.48.2-12.22.1
      libgmodule-2_0-0-32bit-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-2.48.2-12.22.1
      libgmodule-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgobject-2_0-0-2.48.2-12.22.1
      libgobject-2_0-0-32bit-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-2.48.2-12.22.1
      libgobject-2_0-0-debuginfo-32bit-2.48.2-12.22.1
      libgthread-2_0-0-2.48.2-12.22.1
      libgthread-2_0-0-32bit-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-2.48.2-12.22.1
      libgthread-2_0-0-debuginfo-32bit-2.48.2-12.22.1

   - HPE Helion Openstack 8 (noarch):

      glib2-lang-2.48.2-12.22.1

References:

   https://www.suse.com/security/cve/CVE-2021-27218.html
   https://www.suse.com/security/cve/CVE-2021-27219.html
   https://bugzilla.suse.com/1182328
   https://bugzilla.suse.com/1182362

From sle-security-updates at lists.suse.com Tue Mar 16 17:20:25 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 16 Mar 2021 18:20:25 +0100 (CET)
Subject: SUSE-SU-2021:0800-1: important: Security update for velocity
Message-ID: <20210316172025.0C663FD17@maintenance.suse.de>

   SUSE Security Update: Security update for velocity
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0800-1
Rating:             important
References:         #1183360
Cross-References:   CVE-2020-13936
CVSS scores:
                    CVE-2020-13936 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for velocity fixes the following issues:

   - CVE-2020-13936: Fixed arbitrary code execution when an attacker is able to modify templates (bsc#1183360).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-800=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch): velocity-1.7-3.3.1 References: https://www.suse.com/security/cve/CVE-2020-13936.html https://bugzilla.suse.com/1183360 From sle-security-updates at lists.suse.com Wed Mar 17 20:17:51 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 17 Mar 2021 21:17:51 +0100 (CET) Subject: SUSE-SU-2021:0835-1: important: Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP2) Message-ID: <20210317201751.07E50FFA5@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0835-1 Rating: important References: #1165631 #1176931 #1177513 #1178684 #1179616 Cross-References: CVE-2020-0429 CVE-2020-1749 CVE-2020-25645 CVE-2020-27786 CVE-2020-28374 CVSS scores: CVE-2020-0429 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-1749 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-25645 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-25645 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-27786 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-27786 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-28374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2020-28374 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP2-LTSS ______________________________________________________________________________ An update 
that fixes 5 vulnerabilities is now available. Description: This update for the Linux Kernel 4.4.121-92_149 fixes several issues. The following security issues were fixed: - CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616). - CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684). - CVE-2020-25645: Fixed an issue where the traffic between two Geneve endpoints may have been unencrypted when IPsec was configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177513). - CVE-2020-0429: Fixed a potential memory corruption due to a use after free which could have led local escalation of privilege with System execution privileges needed (bsc#1176931). - CVE-2020-1749: Fixed an issue in some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6 where the kernel was not correctly routing tunneled data over the encrypted link rather sending the data unencrypted (bsc#1165631). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-828=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-835=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-828=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-835=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_180-94_138-default-2-2.2 kgraft-patch-4_4_180-94_138-default-debuginfo-2-2.2 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): kgraft-patch-4_4_121-92_149-default-2-2.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_180-94_138-default-2-2.2 kgraft-patch-4_4_180-94_138-default-debuginfo-2-2.2 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64): kgraft-patch-4_4_121-92_149-default-2-2.2 References: https://www.suse.com/security/cve/CVE-2020-0429.html https://www.suse.com/security/cve/CVE-2020-1749.html https://www.suse.com/security/cve/CVE-2020-25645.html https://www.suse.com/security/cve/CVE-2020-27786.html https://www.suse.com/security/cve/CVE-2020-28374.html https://bugzilla.suse.com/1165631 https://bugzilla.suse.com/1176931 https://bugzilla.suse.com/1177513 https://bugzilla.suse.com/1178684 https://bugzilla.suse.com/1179616 From sle-security-updates at lists.suse.com Wed Mar 17 20:19:36 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 17 Mar 2021 21:19:36 +0100 (CET) Subject: SUSE-SU-2021:0842-1: important: Security update for the Linux Kernel (Live Patch 7 for SLE 15 SP2) Message-ID: <20210317201936.4BC24FFA5@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 7 for SLE 15 SP2) ______________________________________________________________________________ Announcement ID: 
SUSE-SU-2021:0842-1 Rating: important References: #1178684 #1179664 #1181553 #1182468 Cross-References: CVE-2020-28374 CVE-2020-29368 CVE-2021-3347 CVSS scores: CVE-2020-28374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2020-28374 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3347 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3347 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP2 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for the Linux Kernel 5.3.18-24_37 fixes several issues. The following security issues were fixed: - CVE-2020-29368: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179664). - Fixed an issue where NFS client filesystems got unmounted on fail-over (bsc#1182468). - CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553). - CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP2: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-842=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-843=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-844=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-845=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-846=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-847=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-848=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-livepatch-5_3_18-24_12-default-6-2.2 kernel-livepatch-5_3_18-24_12-default-debuginfo-6-2.2 kernel-livepatch-5_3_18-24_15-default-6-2.2 kernel-livepatch-5_3_18-24_15-default-debuginfo-6-2.2 kernel-livepatch-5_3_18-24_24-default-6-2.2 kernel-livepatch-5_3_18-24_24-default-debuginfo-6-2.2 kernel-livepatch-5_3_18-24_29-default-4-2.2 kernel-livepatch-5_3_18-24_29-default-debuginfo-4-2.2 kernel-livepatch-5_3_18-24_34-default-4-2.2 kernel-livepatch-5_3_18-24_34-default-debuginfo-4-2.2 kernel-livepatch-5_3_18-24_37-default-4-2.2 kernel-livepatch-5_3_18-24_37-default-debuginfo-4-2.2 kernel-livepatch-5_3_18-24_9-default-7-2.2 kernel-livepatch-5_3_18-24_9-default-debuginfo-7-2.2 kernel-livepatch-SLE15-SP2_Update_1-debugsource-7-2.2 kernel-livepatch-SLE15-SP2_Update_2-debugsource-6-2.2 kernel-livepatch-SLE15-SP2_Update_3-debugsource-6-2.2 kernel-livepatch-SLE15-SP2_Update_4-debugsource-6-2.2 kernel-livepatch-SLE15-SP2_Update_5-debugsource-4-2.2 kernel-livepatch-SLE15-SP2_Update_6-debugsource-4-2.2 kernel-livepatch-SLE15-SP2_Update_7-debugsource-4-2.2 References: https://www.suse.com/security/cve/CVE-2020-28374.html https://www.suse.com/security/cve/CVE-2020-29368.html https://www.suse.com/security/cve/CVE-2021-3347.html https://bugzilla.suse.com/1178684 https://bugzilla.suse.com/1179664 https://bugzilla.suse.com/1181553 https://bugzilla.suse.com/1182468 From sle-security-updates at lists.suse.com Wed Mar 17 
20:21:22 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 17 Mar 2021 21:21:22 +0100 (CET) Subject: SUSE-SU-2021:0870-1: important: Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP2) Message-ID: <20210317202122.8CD58FFA5@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0870-1 Rating: important References: #1178684 #1179616 #1181553 Cross-References: CVE-2020-27786 CVE-2020-28374 CVE-2021-3347 CVSS scores: CVE-2020-27786 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-27786 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-28374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2020-28374 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2021-3347 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3347 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP2-LTSS ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for the Linux Kernel 4.4.121-92_138 fixes several issues. The following security issues were fixed: - CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553). - CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616). 
- CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2021-870=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-829=1 SUSE-SLE-SAP-12-SP3-2021-830=1 SUSE-SLE-SAP-12-SP3-2021-831=1 SUSE-SLE-SAP-12-SP3-2021-832=1 SUSE-SLE-SAP-12-SP3-2021-833=1 SUSE-SLE-SAP-12-SP3-2021-834=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-836=1 SUSE-SLE-SAP-12-SP2-2021-837=1 SUSE-SLE-SAP-12-SP2-2021-838=1 SUSE-SLE-SAP-12-SP2-2021-839=1 SUSE-SLE-SAP-12-SP2-2021-870=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-829=1 SUSE-SLE-SERVER-12-SP3-2021-830=1 SUSE-SLE-SERVER-12-SP3-2021-831=1 SUSE-SLE-SERVER-12-SP3-2021-832=1 SUSE-SLE-SERVER-12-SP3-2021-833=1 SUSE-SLE-SERVER-12-SP3-2021-834=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-836=1 SUSE-SLE-SERVER-12-SP2-2021-837=1 SUSE-SLE-SERVER-12-SP2-2021-838=1 SUSE-SLE-SERVER-12-SP2-2021-839=1 SUSE-SLE-SERVER-12-SP2-2021-870=1 Package List: - SUSE OpenStack Cloud 7 (x86_64): kgraft-patch-4_4_121-92_138-default-7-2.2 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_180-94_116-default-8-2.2 kgraft-patch-4_4_180-94_116-default-debuginfo-8-2.2 kgraft-patch-4_4_180-94_121-default-7-2.2 kgraft-patch-4_4_180-94_121-default-debuginfo-7-2.2 kgraft-patch-4_4_180-94_124-default-7-2.2 kgraft-patch-4_4_180-94_124-default-debuginfo-7-2.2 kgraft-patch-4_4_180-94_127-default-7-2.2 
kgraft-patch-4_4_180-94_127-default-debuginfo-7-2.2 kgraft-patch-4_4_180-94_130-default-6-2.2 kgraft-patch-4_4_180-94_130-default-debuginfo-6-2.2 kgraft-patch-4_4_180-94_135-default-4-2.2 kgraft-patch-4_4_180-94_135-default-debuginfo-4-2.2 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): kgraft-patch-4_4_121-92_129-default-9-2.2 kgraft-patch-4_4_121-92_135-default-7-2.2 kgraft-patch-4_4_121-92_138-default-7-2.2 kgraft-patch-4_4_121-92_141-default-6-2.2 kgraft-patch-4_4_121-92_146-default-4-2.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_180-94_116-default-8-2.2 kgraft-patch-4_4_180-94_116-default-debuginfo-8-2.2 kgraft-patch-4_4_180-94_121-default-7-2.2 kgraft-patch-4_4_180-94_121-default-debuginfo-7-2.2 kgraft-patch-4_4_180-94_124-default-7-2.2 kgraft-patch-4_4_180-94_124-default-debuginfo-7-2.2 kgraft-patch-4_4_180-94_127-default-7-2.2 kgraft-patch-4_4_180-94_127-default-debuginfo-7-2.2 kgraft-patch-4_4_180-94_130-default-6-2.2 kgraft-patch-4_4_180-94_130-default-debuginfo-6-2.2 kgraft-patch-4_4_180-94_135-default-4-2.2 kgraft-patch-4_4_180-94_135-default-debuginfo-4-2.2 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64): kgraft-patch-4_4_121-92_129-default-9-2.2 kgraft-patch-4_4_121-92_135-default-7-2.2 kgraft-patch-4_4_121-92_138-default-7-2.2 kgraft-patch-4_4_121-92_141-default-6-2.2 kgraft-patch-4_4_121-92_146-default-4-2.2 References: https://www.suse.com/security/cve/CVE-2020-27786.html https://www.suse.com/security/cve/CVE-2020-28374.html https://www.suse.com/security/cve/CVE-2021-3347.html https://bugzilla.suse.com/1178684 https://bugzilla.suse.com/1179616 https://bugzilla.suse.com/1181553 From sle-security-updates at lists.suse.com Wed Mar 17 20:22:56 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 17 Mar 2021 21:22:56 +0100 (CET) Subject: SUSE-SU-2021:0849-1: important: Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP2) 
Message-ID: <20210317202256.907D8FFA5@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0849-1 Rating: important References: #1178684 #1179664 #1180859 #1181553 #1182468 Cross-References: CVE-2020-28374 CVE-2020-29368 CVE-2021-0342 CVE-2021-3347 CVSS scores: CVE-2020-28374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2020-28374 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-0342 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2021-0342 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3347 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3347 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP2 ______________________________________________________________________________ An update that solves four vulnerabilities and has one errata is now available. Description: This update for the Linux Kernel 5.3.18-22 fixes several issues. The following security issues were fixed: - CVE-2020-29368: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179664). - Fixed an issue where NFS client filesystems got unmounted on fail-over (bsc#1182468). - CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553). - CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684). 
- CVE-2021-0342: Fixed a potential memory corruption due to a use after free which could have led to local escalation of privilege with System execution privileges required (bsc#1180859). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP2: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-849=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-livepatch-5_3_18-22-default-8-5.2 kernel-livepatch-5_3_18-22-default-debuginfo-8-5.2 kernel-livepatch-SLE15-SP2_Update_0-debugsource-8-5.2 References: https://www.suse.com/security/cve/CVE-2020-28374.html https://www.suse.com/security/cve/CVE-2020-29368.html https://www.suse.com/security/cve/CVE-2021-0342.html https://www.suse.com/security/cve/CVE-2021-3347.html https://bugzilla.suse.com/1178684 https://bugzilla.suse.com/1179664 https://bugzilla.suse.com/1180859 https://bugzilla.suse.com/1181553 https://bugzilla.suse.com/1182468 From sle-security-updates at lists.suse.com Wed Mar 17 20:24:41 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 17 Mar 2021 21:24:41 +0100 (CET) Subject: SUSE-SU-2021:0853-1: important: Security update for the Linux Kernel (Live Patch 19 for SLE 15 SP1) Message-ID: <20210317202441.6FCECFFA5@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 19 for SLE 15 SP1) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0853-1 Rating: important References: #1178684 #1179616 #1179664 #1180859 #1181553 #1182468 Cross-References: CVE-2020-27786 CVE-2020-28374 CVE-2020-29368 CVE-2021-0342 CVE-2021-3347 CVSS scores: CVE-2020-27786 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 
CVE-2020-27786 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-28374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2020-28374 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-0342 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2021-0342 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3347 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3347 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP1 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has one errata is now available. Description: This update for the Linux Kernel 4.12.14-197_72 fixes several issues. The following security issues were fixed: - CVE-2020-29368: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179664). - Fixed an issue where NFS client filesystems got unmounted on fail-over (bsc#1182468). - CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553). - CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616). - CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684). - CVE-2021-0342: Fixed a potential memory corruption due to a use after free which could have led to local escalation of privilege with System execution privileges required (bsc#1180859). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-853=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-854=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-855=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-861=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-862=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-863=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-197_34-default-10-2.2 kernel-livepatch-4_12_14-197_37-default-10-2.2 kernel-livepatch-4_12_14-197_40-default-9-2.2 kernel-livepatch-4_12_14-197_64-default-4-2.2 kernel-livepatch-4_12_14-197_67-default-4-2.2 kernel-livepatch-4_12_14-197_72-default-3-2.2 References: https://www.suse.com/security/cve/CVE-2020-27786.html https://www.suse.com/security/cve/CVE-2020-28374.html https://www.suse.com/security/cve/CVE-2020-29368.html https://www.suse.com/security/cve/CVE-2021-0342.html https://www.suse.com/security/cve/CVE-2021-3347.html https://bugzilla.suse.com/1178684 https://bugzilla.suse.com/1179616 https://bugzilla.suse.com/1179664 https://bugzilla.suse.com/1180859 https://bugzilla.suse.com/1181553 https://bugzilla.suse.com/1182468 From sle-security-updates at lists.suse.com Wed Mar 17 20:26:32 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 17 Mar 2021 21:26:32 +0100 (CET) Subject: SUSE-SU-2021:0823-1: important: Security update for the Linux Kernel (Live Patch 16 for SLE 12 SP4) Message-ID: <20210317202632.B25ECFFA5@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 16 for SLE 12 SP4) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0823-1 
Rating: important References: #1178684 #1179616 #1179664 #1181553 #1182108 #1182468 Cross-References: CVE-2020-27786 CVE-2020-28374 CVE-2020-29368 CVE-2021-3347 CVSS scores: CVE-2020-27786 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-27786 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-28374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2020-28374 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3347 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3347 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Live Patching 12-SP4 ______________________________________________________________________________ An update that solves four vulnerabilities and has two fixes is now available. Description: This update for the Linux Kernel 4.12.14-95_60 fixes several issues. The following security issues were fixed: - CVE-2020-29368: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179664). - Fixed an issue where NFS client filesystems got unmounted on fail-over (bsc#1182468). - Fixed an issue where NFS client hanged on write errors (bsc#1182108). - CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553). - CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616). - CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2021-823=1 SUSE-SLE-Live-Patching-12-SP4-2021-824=1 SUSE-SLE-Live-Patching-12-SP4-2021-825=1 Package List: - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64): kgraft-patch-4_12_14-95_54-default-7-2.2 kgraft-patch-4_12_14-95_57-default-7-2.2 kgraft-patch-4_12_14-95_60-default-6-2.2 References: https://www.suse.com/security/cve/CVE-2020-27786.html https://www.suse.com/security/cve/CVE-2020-28374.html https://www.suse.com/security/cve/CVE-2020-29368.html https://www.suse.com/security/cve/CVE-2021-3347.html https://bugzilla.suse.com/1178684 https://bugzilla.suse.com/1179616 https://bugzilla.suse.com/1179664 https://bugzilla.suse.com/1181553 https://bugzilla.suse.com/1182108 https://bugzilla.suse.com/1182468 From sle-security-updates at lists.suse.com Wed Mar 17 20:28:21 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 17 Mar 2021 21:28:21 +0100 (CET) Subject: SUSE-SU-2021:0840-1: important: Security update for the Linux Kernel (Live Patch 9 for SLE 15 SP2) Message-ID: <20210317202821.48C4CFFA5@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 9 for SLE 15 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0840-1 Rating: important References: #1179664 #1181553 Cross-References: CVE-2020-29368 CVE-2021-3347 CVSS scores: CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3347 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3347 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 
Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for the Linux Kernel 5.3.18-24_46 fixes several issues. The following security issues were fixed: - CVE-2020-29368: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179664). - CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP2: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-840=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-livepatch-5_3_18-24_46-default-3-2.2 kernel-livepatch-5_3_18-24_46-default-debuginfo-3-2.2 kernel-livepatch-SLE15-SP2_Update_9-debugsource-3-2.2 References: https://www.suse.com/security/cve/CVE-2020-29368.html https://www.suse.com/security/cve/CVE-2021-3347.html https://bugzilla.suse.com/1179664 https://bugzilla.suse.com/1181553 From sle-security-updates at lists.suse.com Wed Mar 17 20:29:42 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 17 Mar 2021 21:29:42 +0100 (CET) Subject: SUSE-SU-2021:0859-1: important: Security update for the Linux Kernel (Live Patch 13 for SLE 15 SP1) Message-ID: <20210317202942.021C1FFA5@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 13 for SLE 15 SP1) ______________________________________________________________________________ Announcement ID: 
SUSE-SU-2021:0859-1 Rating: important References: #1178684 #1179616 #1179664 #1180859 #1181553 #1182108 #1182468 Cross-References: CVE-2020-27786 CVE-2020-28374 CVE-2020-29368 CVE-2021-0342 CVE-2021-3347 CVSS scores: CVE-2020-27786 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-27786 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-28374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2020-28374 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-0342 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2021-0342 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3347 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3347 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP1 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has two fixes is now available. Description: This update for the Linux Kernel 4.12.14-197_48 fixes several issues. The following security issues were fixed: - CVE-2020-29368: Fixed an issue in copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179664). - Fixed an issue where NFS client filesystems got unmounted on fail-over (bsc#1182468). - Fixed an issue where NFS client hanged on write errors (bsc#1182108). - CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553). - CVE-2020-27786: Fixed a potential user after free which could have led to memory corruption or privilege escalation (bsc#1179616). 
   - CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI
     target code which could have been used by remote attackers to read or
     write files via directory traversal in an XCOPY request (bsc#1178684).
   - CVE-2021-0342: Fixed a potential memory corruption due to a use-after-free
     which could have led to local escalation of privilege with System
     execution privileges required (bsc#1180859).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Live Patching 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-856=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-857=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-858=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-859=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-860=1

Package List:

   - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):

      kernel-livepatch-4_12_14-197_45-default-7-2.2
      kernel-livepatch-4_12_14-197_48-default-7-2.2
      kernel-livepatch-4_12_14-197_51-default-7-2.2
      kernel-livepatch-4_12_14-197_56-default-6-2.2
      kernel-livepatch-4_12_14-197_61-default-5-2.2

References:

   https://www.suse.com/security/cve/CVE-2020-27786.html
   https://www.suse.com/security/cve/CVE-2020-28374.html
   https://www.suse.com/security/cve/CVE-2020-29368.html
   https://www.suse.com/security/cve/CVE-2021-0342.html
   https://www.suse.com/security/cve/CVE-2021-3347.html
   https://bugzilla.suse.com/1178684
   https://bugzilla.suse.com/1179616
   https://bugzilla.suse.com/1179664
   https://bugzilla.suse.com/1180859
   https://bugzilla.suse.com/1181553
   https://bugzilla.suse.com/1182108
   https://bugzilla.suse.com/1182468


From sle-security-updates at lists.suse.com Wed Mar 17 20:31:45 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 17 Mar 2021 21:31:45 +0100 (CET)
Subject: SUSE-SU-2021:0818-1: important: Security update for the Linux Kernel (Live Patch 5 for SLE 12 SP5)
Message-ID: <20210317203145.63CD8FFA5@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel (Live Patch 5 for SLE 12 SP5)
______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:0818-1
Rating:            important
References:        #1178684 #1179616 #1179664 #1180859 #1181553
Cross-References:  CVE-2020-27786 CVE-2020-28374 CVE-2020-29368 CVE-2021-0342 CVE-2021-3347
CVSS scores:
                   CVE-2020-27786 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-27786 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-28374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                   CVE-2020-28374 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                   CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2021-0342 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                   CVE-2021-0342 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2021-3347 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2021-3347 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                   SUSE Linux Enterprise Module for Live Patching 15-SP1
                   SUSE Linux Enterprise Live Patching 12-SP5
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for the Linux Kernel 4.12.14-122_23 fixes several issues.

   The following security issues were fixed:

   - CVE-2020-29368: Fixed an issue in the copy-on-write implementation that
     could have granted unintended write access because of a race condition in
     a THP mapcount check (bsc#1179664).
   - CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault
     handling, allowing local users to execute code in the kernel (bsc#1181553).
   - CVE-2020-27786: Fixed a potential use-after-free which could have led to
     memory corruption or privilege escalation (bsc#1179616).
   - CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI
     target code which could have been used by remote attackers to read or
     write files via directory traversal in an XCOPY request (bsc#1178684).
   - CVE-2021-0342: Fixed a potential memory corruption due to a use-after-free
     which could have led to local escalation of privilege with System
     execution privileges required (bsc#1180859).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Live Patching 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-852=1

   - SUSE Linux Enterprise Live Patching 12-SP5:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-810=1 SUSE-SLE-Live-Patching-12-SP5-2021-811=1 SUSE-SLE-Live-Patching-12-SP5-2021-812=1 SUSE-SLE-Live-Patching-12-SP5-2021-813=1 SUSE-SLE-Live-Patching-12-SP5-2021-814=1 SUSE-SLE-Live-Patching-12-SP5-2021-815=1 SUSE-SLE-Live-Patching-12-SP5-2021-816=1 SUSE-SLE-Live-Patching-12-SP5-2021-817=1 SUSE-SLE-Live-Patching-12-SP5-2021-818=1 SUSE-SLE-Live-Patching-12-SP5-2021-819=1 SUSE-SLE-Live-Patching-12-SP5-2021-820=1

Package List:

   - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):

      kernel-livepatch-4_12_14-197_75-default-3-2.2

   - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64):

      kgraft-patch-4_12_14-122_17-default-11-2.2
      kgraft-patch-4_12_14-122_20-default-10-2.2
      kgraft-patch-4_12_14-122_23-default-9-2.2
      kgraft-patch-4_12_14-122_26-default-9-2.2
      kgraft-patch-4_12_14-122_29-default-9-2.2
      kgraft-patch-4_12_14-122_32-default-9-2.2
      kgraft-patch-4_12_14-122_37-default-8-2.2
      kgraft-patch-4_12_14-122_41-default-7-2.2
      kgraft-patch-4_12_14-122_46-default-5-2.2
      kgraft-patch-4_12_14-122_51-default-5-2.2
      kgraft-patch-4_12_14-122_54-default-3-2.2

References:

   https://www.suse.com/security/cve/CVE-2020-27786.html
   https://www.suse.com/security/cve/CVE-2020-28374.html
   https://www.suse.com/security/cve/CVE-2020-29368.html
   https://www.suse.com/security/cve/CVE-2021-0342.html
   https://www.suse.com/security/cve/CVE-2021-3347.html
   https://bugzilla.suse.com/1178684
   https://bugzilla.suse.com/1179616
   https://bugzilla.suse.com/1179664
   https://bugzilla.suse.com/1180859
   https://bugzilla.suse.com/1181553


From sle-security-updates at lists.suse.com Wed Mar 17 20:33:27 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 17 Mar 2021 21:33:27 +0100 (CET)
Subject: SUSE-SU-2021:0808-1: important: Security update for the Linux Kernel (Live Patch 15 for SLE 12 SP5)
Message-ID: <20210317203327.0F7F2FFA5@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel (Live Patch 15 for SLE 12 SP5)
______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:0808-1
Rating:            important
References:        #1179616 #1179664
Cross-References:  CVE-2020-27786 CVE-2020-29368
CVSS scores:
                   CVE-2020-27786 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-27786 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                   SUSE Linux Enterprise Live Patching 12-SP5
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for the Linux Kernel 4.12.14-122_60 fixes several issues.
   The following security issues were fixed:

   - CVE-2020-29368: Fixed an issue in the copy-on-write implementation that
     could have granted unintended write access because of a race condition in
     a THP mapcount check (bsc#1179664).
   - CVE-2020-27786: Fixed a potential use-after-free which could have led to
     memory corruption or privilege escalation (bsc#1179616).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12-SP5:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-808=1

Package List:

   - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64):

      kgraft-patch-4_12_14-122_60-default-2-2.2

References:

   https://www.suse.com/security/cve/CVE-2020-27786.html
   https://www.suse.com/security/cve/CVE-2020-29368.html
   https://bugzilla.suse.com/1179616
   https://bugzilla.suse.com/1179664


From sle-security-updates at lists.suse.com Wed Mar 17 20:34:35 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 17 Mar 2021 21:34:35 +0100 (CET)
Subject: SUSE-SU-2021:0864-1: important: Security update for the Linux Kernel (Live Patch 22 for SLE 15)
Message-ID: <20210317203435.58A53FFA5@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel (Live Patch 22 for SLE 15)
______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:0864-1
Rating:            important
References:        #1179664
Cross-References:  CVE-2020-29368
CVSS scores:
                   CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                   SUSE Linux Enterprise Module for Live Patching 15-SP1
                   SUSE Linux Enterprise Module for Live Patching 15
                   SUSE Linux Enterprise Live Patching 12-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for the Linux Kernel 4.12.14-150_66 fixes one issue.

   The following security issue was fixed:

   - CVE-2020-29368: Fixed an issue in the copy-on-write implementation that
     could have granted unintended write access because of a race condition in
     a THP mapcount check (bsc#1179664).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Live Patching 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-850=1

   - SUSE Linux Enterprise Module for Live Patching 15:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2021-864=1

   - SUSE Linux Enterprise Live Patching 12-SP4:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2021-821=1

Package List:

   - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):

      kernel-livepatch-4_12_14-197_83-default-2-2.2

   - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64):

      kernel-livepatch-4_12_14-150_66-default-2-2.2
      kernel-livepatch-4_12_14-150_66-default-debuginfo-2-2.2

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64):

      kgraft-patch-4_12_14-95_68-default-2-2.2

References:

   https://www.suse.com/security/cve/CVE-2020-29368.html
   https://bugzilla.suse.com/1179664


From sle-security-updates at lists.suse.com Wed Mar 17 20:35:38 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 17 Mar 2021 21:35:38 +0100 (CET)
Subject: SUSE-SU-2021:14667-1: moderate: Security update for openssl1
Message-ID: <20210317203538.866E5FFA5@maintenance.suse.de>

   SUSE Security Update: Security update for openssl1
______________________________________________________________________________

Announcement ID:
                   SUSE-SU-2021:14667-1
Rating:            moderate
References:        #1182331 #1182333
Cross-References:  CVE-2021-23840 CVE-2021-23841
CVSS scores:
                   CVE-2021-23840 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                   CVE-2021-23840 (SUSE): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
                   CVE-2021-23841 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
                   CVE-2021-23841 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                   SUSE Linux Enterprise Server 11-SECURITY
                   SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for openssl1 fixes the following issues:

   - CVE-2021-23840: Fixed an integer overflow in CipherUpdate (bsc#1182333).
   - CVE-2021-23841: Fixed a NULL pointer dereference in
     X509_issuer_and_serial_hash() (bsc#1182331).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SECURITY:

      zypper in -t patch secsp3-openssl1-14667=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-openssl1-14667=1

Package List:

   - SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64):

      libopenssl1-devel-1.0.1g-0.58.33.1
      libopenssl1_0_0-1.0.1g-0.58.33.1
      openssl1-1.0.1g-0.58.33.1
      openssl1-doc-1.0.1g-0.58.33.1

   - SUSE Linux Enterprise Server 11-SECURITY (ppc64 s390x x86_64):

      libopenssl1_0_0-32bit-1.0.1g-0.58.33.1

   - SUSE Linux Enterprise Server 11-SECURITY (ia64):

      libopenssl1_0_0-x86-1.0.1g-0.58.33.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      openssl1-debuginfo-1.0.1g-0.58.33.1
      openssl1-debugsource-1.0.1g-0.58.33.1

References:

   https://www.suse.com/security/cve/CVE-2021-23840.html
   https://www.suse.com/security/cve/CVE-2021-23841.html
   https://bugzilla.suse.com/1182331
   https://bugzilla.suse.com/1182333


From sle-security-updates at lists.suse.com Wed Mar 17 20:36:47 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 17 Mar 2021 21:36:47 +0100 (CET)
Subject: SUSE-SU-2021:0869-1: important: Security update for the Linux Kernel (Live Patch 10 for SLE 15 SP2)
Message-ID: <20210317203647.5FF9FFFA5@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel (Live Patch 10 for SLE 15 SP2)
______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:0869-1
Rating:            important
References:        #1179664 #1179779
Cross-References:  CVE-2020-29368 CVE-2020-29373
CVSS scores:
                   CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-29373 (SUSE): 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:
                   SUSE Linux Enterprise Module for Live Patching 15-SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for the Linux Kernel 5.3.18-24_49 fixes several issues.

   The following security issues were fixed:

   - CVE-2020-29368: Fixed an issue in the copy-on-write implementation that
     could have granted unintended write access because of a race condition in
     a THP mapcount check (bsc#1179664).
   - CVE-2020-29373: Fixed an issue where the kernel unsafely handled the root
     directory during path lookups, so that a process inside a mount namespace
     could escape to unintended filesystem locations (bsc#1179779).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Live Patching 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-869=1

Package List:

   - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64):

      kernel-livepatch-5_3_18-24_49-default-2-2.2
      kernel-livepatch-5_3_18-24_49-default-debuginfo-2-2.2
      kernel-livepatch-SLE15-SP2_Update_10-debugsource-2-2.2

References:

   https://www.suse.com/security/cve/CVE-2020-29368.html
   https://www.suse.com/security/cve/CVE-2020-29373.html
   https://bugzilla.suse.com/1179664
   https://bugzilla.suse.com/1179779


From sle-security-updates at lists.suse.com Wed Mar 17 20:37:59 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 17 Mar 2021 21:37:59 +0100 (CET)
Subject: SUSE-SU-2021:14668-1: important: Security update for php53
Message-ID: <20210317203759.0D220FFB4@maintenance.suse.de>

   SUSE Security Update: Security update for php53
______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:14668-1
Rating:            important
References:        #1182049
Cross-References:  CVE-2021-21702
CVSS scores:
                   CVE-2021-21702 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                   CVE-2021-21702 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                   SUSE Linux Enterprise Server 11-SP4-LTSS
                   SUSE Linux Enterprise Point of Sale 11-SP3
                   SUSE Linux Enterprise Debuginfo 11-SP4
                   SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for php53 fixes the following issues:

   - CVE-2021-21702 [bsc#1182049]: NULL pointer dereference in SoapClient.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:

      zypper in -t patch slessp4-php53-14668=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-php53-14668=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-php53-14668=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-php53-14668=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):

      apache2-mod_php53-5.3.17-112.99.2
      php53-5.3.17-112.99.2
      php53-bcmath-5.3.17-112.99.2
      php53-bz2-5.3.17-112.99.2
      php53-calendar-5.3.17-112.99.2
      php53-ctype-5.3.17-112.99.2
      php53-curl-5.3.17-112.99.2
      php53-dba-5.3.17-112.99.2
      php53-dom-5.3.17-112.99.2
      php53-exif-5.3.17-112.99.2
      php53-fastcgi-5.3.17-112.99.2
      php53-fileinfo-5.3.17-112.99.2
      php53-ftp-5.3.17-112.99.2
      php53-gd-5.3.17-112.99.2
      php53-gettext-5.3.17-112.99.2
      php53-gmp-5.3.17-112.99.2
      php53-iconv-5.3.17-112.99.2
      php53-intl-5.3.17-112.99.2
      php53-json-5.3.17-112.99.2
      php53-ldap-5.3.17-112.99.2
      php53-mbstring-5.3.17-112.99.2
      php53-mcrypt-5.3.17-112.99.2
      php53-mysql-5.3.17-112.99.2
      php53-odbc-5.3.17-112.99.2
      php53-openssl-5.3.17-112.99.2
      php53-pcntl-5.3.17-112.99.2
      php53-pdo-5.3.17-112.99.2
      php53-pear-5.3.17-112.99.2
      php53-pgsql-5.3.17-112.99.2
      php53-pspell-5.3.17-112.99.2
      php53-shmop-5.3.17-112.99.2
      php53-snmp-5.3.17-112.99.2
      php53-soap-5.3.17-112.99.2
      php53-suhosin-5.3.17-112.99.2
      php53-sysvmsg-5.3.17-112.99.2
      php53-sysvsem-5.3.17-112.99.2
      php53-sysvshm-5.3.17-112.99.2
      php53-tokenizer-5.3.17-112.99.2
      php53-wddx-5.3.17-112.99.2
      php53-xmlreader-5.3.17-112.99.2
      php53-xmlrpc-5.3.17-112.99.2
      php53-xmlwriter-5.3.17-112.99.2
      php53-xsl-5.3.17-112.99.2
      php53-zip-5.3.17-112.99.2
      php53-zlib-5.3.17-112.99.2

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      apache2-mod_php53-5.3.17-112.99.2
      php53-5.3.17-112.99.2
      php53-bcmath-5.3.17-112.99.2
      php53-bz2-5.3.17-112.99.2
      php53-calendar-5.3.17-112.99.2
      php53-ctype-5.3.17-112.99.2
      php53-curl-5.3.17-112.99.2
      php53-dba-5.3.17-112.99.2
      php53-dom-5.3.17-112.99.2
      php53-exif-5.3.17-112.99.2
      php53-fastcgi-5.3.17-112.99.2
      php53-fileinfo-5.3.17-112.99.2
      php53-ftp-5.3.17-112.99.2
      php53-gd-5.3.17-112.99.2
      php53-gettext-5.3.17-112.99.2
      php53-gmp-5.3.17-112.99.2
      php53-iconv-5.3.17-112.99.2
      php53-intl-5.3.17-112.99.2
      php53-json-5.3.17-112.99.2
      php53-ldap-5.3.17-112.99.2
      php53-mbstring-5.3.17-112.99.2
      php53-mcrypt-5.3.17-112.99.2
      php53-mysql-5.3.17-112.99.2
      php53-odbc-5.3.17-112.99.2
      php53-openssl-5.3.17-112.99.2
      php53-pcntl-5.3.17-112.99.2
      php53-pdo-5.3.17-112.99.2
      php53-pear-5.3.17-112.99.2
      php53-pgsql-5.3.17-112.99.2
      php53-pspell-5.3.17-112.99.2
      php53-shmop-5.3.17-112.99.2
      php53-snmp-5.3.17-112.99.2
      php53-soap-5.3.17-112.99.2
      php53-suhosin-5.3.17-112.99.2
      php53-sysvmsg-5.3.17-112.99.2
      php53-sysvsem-5.3.17-112.99.2
      php53-sysvshm-5.3.17-112.99.2
      php53-tokenizer-5.3.17-112.99.2
      php53-wddx-5.3.17-112.99.2
      php53-xmlreader-5.3.17-112.99.2
      php53-xmlrpc-5.3.17-112.99.2
      php53-xmlwriter-5.3.17-112.99.2
      php53-xsl-5.3.17-112.99.2
      php53-zip-5.3.17-112.99.2
      php53-zlib-5.3.17-112.99.2

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):

      php53-debuginfo-5.3.17-112.99.2
      php53-debugsource-5.3.17-112.99.2

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      php53-debuginfo-5.3.17-112.99.2
      php53-debugsource-5.3.17-112.99.2

References:

   https://www.suse.com/security/cve/CVE-2021-21702.html
   https://bugzilla.suse.com/1182049


From sle-security-updates at lists.suse.com Wed Mar 17 20:39:59 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 17 Mar 2021 21:39:59 +0100 (CET)
Subject: SUSE-SU-2021:0826-1: important: Security update for the Linux Kernel (Live Patch 13 for SLE 12 SP4)
Message-ID: <20210317203959.9B349FFA5@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel (Live Patch 13 for SLE 12 SP4)
______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:0826-1
Rating:            important
References:        #1178684 #1179616 #1179664 #1181553 #1182468
Cross-References:  CVE-2020-27786 CVE-2020-28374 CVE-2020-29368 CVE-2021-3347
CVSS scores:
                   CVE-2020-27786 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-27786 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-28374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                   CVE-2020-28374 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                   CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2021-3347 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2021-3347 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                   SUSE Linux Enterprise Live Patching 12-SP4
______________________________________________________________________________

   An update that solves four vulnerabilities and has one erratum is now available.

Description:

   This update for the Linux Kernel 4.12.14-95_51 fixes several issues.
   The following security issues were fixed:

   - CVE-2020-29368: Fixed an issue in the copy-on-write implementation that
     could have granted unintended write access because of a race condition in
     a THP mapcount check (bsc#1179664).
   - Fixed an issue where NFS client filesystems got unmounted on fail-over
     (bsc#1182468).
   - CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault
     handling, allowing local users to execute code in the kernel (bsc#1181553).
   - CVE-2020-27786: Fixed a potential use-after-free which could have led to
     memory corruption or privilege escalation (bsc#1179616).
   - CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI
     target code which could have been used by remote attackers to read or
     write files via directory traversal in an XCOPY request (bsc#1178684).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Live Patching 12-SP4:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2021-826=1 SUSE-SLE-Live-Patching-12-SP4-2021-827=1

Package List:

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64):

      kgraft-patch-4_12_14-95_51-default-9-2.2

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64):

      kgraft-patch-4_12_14-95_48-default-10-2.2

References:

   https://www.suse.com/security/cve/CVE-2020-27786.html
   https://www.suse.com/security/cve/CVE-2020-28374.html
   https://www.suse.com/security/cve/CVE-2020-29368.html
   https://www.suse.com/security/cve/CVE-2021-3347.html
   https://bugzilla.suse.com/1178684
   https://bugzilla.suse.com/1179616
   https://bugzilla.suse.com/1179664
   https://bugzilla.suse.com/1181553
   https://bugzilla.suse.com/1182468


From sle-security-updates at lists.suse.com Wed Mar 17 20:41:33 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 17 Mar 2021 21:41:33 +0100 (CET)
Subject: SUSE-SU-2021:0841-1: important: Security update for the Linux Kernel (Live Patch 8 for SLE 15 SP2)
Message-ID: <20210317204133.D82DEFFA5@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel (Live Patch 8 for SLE 15 SP2)
______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:0841-1
Rating:            important
References:        #1178684 #1179664 #1181553
Cross-References:  CVE-2020-28374 CVE-2020-29368 CVE-2021-3347
CVSS scores:
                   CVE-2020-28374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                   CVE-2020-28374 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                   CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2021-3347 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2021-3347 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                   SUSE Linux Enterprise Module for Live Patching 15-SP2
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for the Linux Kernel 5.3.18-24_43 fixes several issues.

   The following security issues were fixed:

   - CVE-2020-29368: Fixed an issue in the copy-on-write implementation that
     could have granted unintended write access because of a race condition in
     a THP mapcount check (bsc#1179664).
   - CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault
     handling, allowing local users to execute code in the kernel (bsc#1181553).
   - CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI
     target code which could have been used by remote attackers to read or
     write files via directory traversal in an XCOPY request (bsc#1178684).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Live Patching 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-841=1

Package List:

   - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64):

      kernel-livepatch-5_3_18-24_43-default-3-2.2
      kernel-livepatch-5_3_18-24_43-default-debuginfo-3-2.2
      kernel-livepatch-SLE15-SP2_Update_8-debugsource-3-2.2

References:

   https://www.suse.com/security/cve/CVE-2020-28374.html
   https://www.suse.com/security/cve/CVE-2020-29368.html
   https://www.suse.com/security/cve/CVE-2021-3347.html
   https://bugzilla.suse.com/1178684
   https://bugzilla.suse.com/1179664
   https://bugzilla.suse.com/1181553


From sle-security-updates at lists.suse.com Wed Mar 17 20:45:21 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 17 Mar 2021 21:45:21 +0100 (CET)
Subject: SUSE-SU-2021:0806-1: important: Security update for crmsh
Message-ID: <20210317204521.2C353FFA5@maintenance.suse.de>

   SUSE Security Update: Security update for crmsh
______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:0806-1
Rating:            important
References:        #1154927 #1178454 #1178869 #1179999 #1180137 #1180571 #1180688 ECO-1658
Cross-References:  CVE-2020-35459 CVE-2021-3020
CVSS scores:
                   CVE-2020-35459 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-35459 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                   CVE-2021-3020 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                   SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

   An update that solves two vulnerabilities, contains one feature and has 5 fixes is now available.
Description:

   This update for crmsh fixes the following issues:

   - Update to version 4.3.0+20210219.5d1bf034:

     * Fix: hb_report: walk through the hb_report process under hacluster
       (CVE-2020-35459, bsc#1179999; CVE-2021-3020, bsc#1180571)
     * Fix: bootstrap: set up authorized ssh access for hacluster
       (CVE-2020-35459, bsc#1179999; CVE-2021-3020, bsc#1180571)
     * Dev: analyze: Add analyze sublevel and put preflight_check in it (jsc#ECO-1658)
     * Dev: utils: change default file mode to 644 for the str2file function
     * Dev: hb_report: Detect if any ocfs2 partitions exist
     * Dev: lock: give a more specific error message when raising ClaimLockError
     * Fix: Replace mktemp() with mkstemp() for security
     * Fix: Remove the duplicate --cov-report html in tox.
     * Fix: fix some lint issues.
     * Fix: Replace utils.msg_info with task.info
     * Fix: Solve a circular import error of utils.py
     * Fix: hb_report: run lsof with the specific ocfs2 device (bsc#1180688)
     * Dev: corosync: change the permission of corosync.conf to 644
     * Fix: preflight_check: task: raise an error when report_path isn't a directory
     * Fix: bootstrap: Use class Watchdog to simplify watchdog config (bsc#1154927, bsc#1178869)
     * Dev: Polish the sbd feature.
     * Dev: Replace -f with -c and run the check when no parameter is provided.
     * Fix: Fix the yes option not working
     * Fix: Remove useless import and show help when there is no input.
     * Dev: Correct SBD device id inconsistency during ASR
     * Fix: completers: return the complete start/stop resource id list correctly (bsc#1180137)
     * Dev: Makefile.am: change makefile to integrate preflight_check
     * Medium: integrate preflight_check into crmsh (jsc#ECO-1658)
     * Fix: bootstrap: make sure the sbd device UUID is the same between nodes (bsc#1178454)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
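   The changelog entry "Replace mktemp() with mkstemp() for security" is worth
   spelling out, since hb_report writes its collected files into shared
   directories. tempfile.mktemp() only picks a name; the file is created later
   by a plain open(), and another local user who wins the race can plant a
   symlink at that name so the later write lands in a file of their choosing.
   tempfile.mkstemp() creates the file itself with O_CREAT|O_EXCL and mode
   0600 and returns the open descriptor, so there is no window between naming
   and creating. The following is an added example, not crmsh code: it shows
   the pre-fix and post-fix patterns side by side and stages the symlink
   attack in a private temporary directory to show which open() follows the
   planted link and which refuses it. The sample report text is constructed.

```python
"""Why "Replace mktemp() with mkstemp()" matters: an added example, not crmsh code.

mktemp() returns only a name; the later open() follows whatever a local
attacker planted at that path in the meantime. mkstemp() creates the file
atomically (O_CREAT|O_EXCL, mode 0600) and returns the descriptor.
"""
import os
import stat
import tempfile

SAMPLE_REPORT = "node1: corosync ok\nnode2: sbd ok\n"  # constructed sample content


def write_report_racy(content, directory):
    """Pre-fix pattern: choose a name, then open it by name. Between the two
    calls an attacker can place a symlink at `path`; the open() follows it."""
    path = tempfile.mktemp(dir=directory, suffix=".txt")  # nothing is created here
    with open(path, "w") as f:                             # O_CREAT without O_EXCL
        f.write(content)
    return path


def write_report_safe(content, directory):
    """Post-fix pattern: mkstemp() creates the file atomically with mode 0600
    and hands back the descriptor; we write through it, never by name again."""
    fd, path = tempfile.mkstemp(dir=directory, suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return path


def symlink_attack_outcome(directory):
    """Stand in for the attacker: plant a symlink where the victim will write.
    Returns (plain_open_followed_link, exclusive_create_refused)."""
    victim_file = os.path.join(directory, "victim")
    planted = os.path.join(directory, "planted")
    with open(victim_file, "w") as f:
        f.write("original")
    os.symlink(victim_file, planted)

    # The racy pattern's open(): follows the symlink and clobbers victim_file.
    with open(planted, "w") as f:
        f.write("clobbered")
    with open(victim_file) as f:
        followed = f.read() == "clobbered"

    # What mkstemp() does underneath: O_EXCL refuses any pre-existing path,
    # symlink or not, so the planted entry is never written through.
    try:
        os.close(os.open(planted, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
        refused = False
    except FileExistsError:
        refused = True
    return followed, refused


def demo():
    """Run both checks in a private directory and return the observations."""
    with tempfile.TemporaryDirectory() as d:
        followed, refused = symlink_attack_outcome(d)
        safe_path = write_report_safe(SAMPLE_REPORT, d)
        mode = stat.S_IMODE(os.stat(safe_path).st_mode)
        with open(safe_path) as f:
            content = f.read()
        racy_path = write_report_racy(SAMPLE_REPORT, d)
        return {
            "plain_open_followed_symlink": followed,   # the bug mktemp() leaves open
            "exclusive_create_refused": refused,       # the guarantee mkstemp() gives
            "mkstemp_mode_private": (mode & 0o077) == 0,
            "content_roundtrip": content == SAMPLE_REPORT,
            "racy_file_created": os.path.exists(racy_path),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

   The same reasoning is behind the two "change ... to 644" entries in the
   list: a file that is created first and chmod'ed afterwards is briefly
   readable with whatever the umask allowed, so the mode belongs in the
   creating call (the `mode` argument of os.open, as mkstemp does) rather
   than in a later chmod.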
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 15:

      zypper in -t patch SUSE-SLE-Product-HA-15-2021-806=1

Package List:

   - SUSE Linux Enterprise High Availability 15 (noarch):

      crmsh-4.3.0+20210219.5d1bf034-3.62.3
      crmsh-scripts-4.3.0+20210219.5d1bf034-3.62.3

References:

   https://www.suse.com/security/cve/CVE-2020-35459.html
   https://www.suse.com/security/cve/CVE-2021-3020.html
   https://bugzilla.suse.com/1154927
   https://bugzilla.suse.com/1178454
   https://bugzilla.suse.com/1178869
   https://bugzilla.suse.com/1179999
   https://bugzilla.suse.com/1180137
   https://bugzilla.suse.com/1180571
   https://bugzilla.suse.com/1180688


From sle-security-updates at lists.suse.com Wed Mar 17 20:48:56 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 17 Mar 2021 21:48:56 +0100 (CET)
Subject: SUSE-SU-2021:0809-1: important: Security update for the Linux Kernel (Live Patch 14 for SLE 12 SP5)
Message-ID: <20210317204856.4A331FFA5@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel (Live Patch 14 for SLE 12 SP5)
______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:0809-1
Rating:            important
References:        #1179616 #1179664 #1180859 #1181553
Cross-References:  CVE-2020-27786 CVE-2020-29368 CVE-2021-0342 CVE-2021-3347
CVSS scores:
                   CVE-2020-27786 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-27786 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2021-0342 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                   CVE-2021-0342 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2021-3347 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                   CVE-2021-3347 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                   SUSE Linux Enterprise Module for Live Patching 15-SP1
                   SUSE Linux Enterprise Live Patching 12-SP5
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for the Linux Kernel 4.12.14-122_57 fixes several issues.

   The following security issues were fixed:

   - CVE-2020-29368: Fixed an issue in the copy-on-write implementation that
     could have granted unintended write access because of a race condition in
     a THP mapcount check (bsc#1179664).
   - CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault
     handling, allowing local users to execute code in the kernel (bsc#1181553).
   - CVE-2020-27786: Fixed a potential use-after-free which could have led to
     memory corruption or privilege escalation (bsc#1179616).
   - CVE-2021-0342: Fixed a potential memory corruption due to a use-after-free
     which could have led to local escalation of privilege with System
     execution privileges required (bsc#1180859).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Live Patching 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-851=1

   - SUSE Linux Enterprise Live Patching 12-SP5:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-809=1


Package List:

   - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64):

      kernel-livepatch-4_12_14-197_78-default-3-2.2

   - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64):

      kgraft-patch-4_12_14-122_57-default-3-2.2


References:

   https://www.suse.com/security/cve/CVE-2020-27786.html
   https://www.suse.com/security/cve/CVE-2020-29368.html
   https://www.suse.com/security/cve/CVE-2021-0342.html
   https://www.suse.com/security/cve/CVE-2021-3347.html
   https://bugzilla.suse.com/1179616
   https://bugzilla.suse.com/1179664
   https://bugzilla.suse.com/1180859
   https://bugzilla.suse.com/1181553

From sle-security-updates at lists.suse.com  Wed Mar 17 20:50:24 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 17 Mar 2021 21:50:24 +0100 (CET)
Subject: SUSE-SU-2021:0868-1: important: Security update for the Linux Kernel (Live Patch 18 for SLE 15)
Message-ID: <20210317205024.151B6FFA5@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel (Live Patch 18 for SLE 15)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0868-1
Rating:             important
References:         #1178684 #1179616 #1179664 #1181553
Cross-References:   CVE-2020-27786 CVE-2020-28374 CVE-2020-29368 CVE-2021-3347
CVSS scores:
                    CVE-2020-27786 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-27786 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-28374 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-29368 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-29368 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3347 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3347 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Module for Live Patching 15
                    SUSE Linux Enterprise Live Patching 12-SP4
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for the Linux Kernel 4.12.14-150_52 fixes several issues.

   The following security issues were fixed:

   - CVE-2020-29368: Fixed an issue in the copy-on-write implementation which could have granted unintended write access because of a race condition in a THP mapcount check (bsc#1179664).
   - CVE-2021-3347: Fixed a use-after-free in the PI futexes during fault handling, allowing local users to execute code in the kernel (bsc#1181553).
   - CVE-2020-27786: Fixed a potential use after free which could have led to memory corruption or privilege escalation (bsc#1179616).
   - CVE-2020-28374: Fixed insufficient identifier checking in the LIO SCSI target code which could have been used by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#1178684).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Live Patching 15:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2021-865=1 SUSE-SLE-Module-Live-Patching-15-2021-866=1 SUSE-SLE-Module-Live-Patching-15-2021-867=1 SUSE-SLE-Module-Live-Patching-15-2021-868=1

   - SUSE Linux Enterprise Live Patching 12-SP4:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2021-822=1


Package List:

   - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64):

      kernel-livepatch-4_12_14-150_52-default-7-2.2
      kernel-livepatch-4_12_14-150_52-default-debuginfo-7-2.2
      kernel-livepatch-4_12_14-150_55-default-7-2.2
      kernel-livepatch-4_12_14-150_55-default-debuginfo-7-2.2
      kernel-livepatch-4_12_14-150_58-default-6-2.2
      kernel-livepatch-4_12_14-150_58-default-debuginfo-6-2.2
      kernel-livepatch-4_12_14-150_63-default-4-2.2
      kernel-livepatch-4_12_14-150_63-default-debuginfo-4-2.2

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64):

      kgraft-patch-4_12_14-95_65-default-3-2.2


References:

   https://www.suse.com/security/cve/CVE-2020-27786.html
   https://www.suse.com/security/cve/CVE-2020-28374.html
   https://www.suse.com/security/cve/CVE-2020-29368.html
   https://www.suse.com/security/cve/CVE-2021-3347.html
   https://bugzilla.suse.com/1178684
   https://bugzilla.suse.com/1179616
   https://bugzilla.suse.com/1179664
   https://bugzilla.suse.com/1181553

From sle-security-updates at lists.suse.com  Thu Mar 18 07:09:00 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 18 Mar 2021 08:09:00 +0100 (CET)
Subject: SUSE-CU-2021:78-1: Security update of suse/sle-micro/5.0/toolbox
Message-ID: <20210318070900.5E6E8FFA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle-micro/5.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:78-1
Container Tags        : suse/sle-micro/5.0/toolbox:10.1 , suse/sle-micro/5.0/toolbox:10.1-4.12 , suse/sle-micro/5.0/toolbox:latest
Container Release     : 4.12
Severity              : important
Type                  : security
References            : 1182328 1182362 CVE-2021-27218 CVE-2021-27219
-----------------------------------------------------------------

The container suse/sle-micro/5.0/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:778-1
Released:    Fri Mar 12 17:42:25 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219
This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores it in a guint; this patch refuses lengths larger than a guint can hold. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and can lead to an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

From sle-security-updates at lists.suse.com  Fri Mar 19 07:13:17 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 08:13:17 +0100 (CET)
Subject: SUSE-CU-2021:79-1: Security update of suse/sle15
Message-ID: <20210319071317.8A7E0FFA5@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:79-1
Container Tags        : suse/sle15:15.3 , suse/sle15:15.3.13.2.213
Container Release     : 13.2.213
Severity              : important
Type                  : security
References            : 1176201 1182279 1182328 1182331 1182333 1182362 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182959 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2021-23840 CVE-2021-23841 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released:    Mon Mar  8 16:45:27 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:754-1
Released:    Tue Mar  9 17:10:49 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1182331,1182333,1182959,CVE-2021-23840,CVE-2021-23841
This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a NULL pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
- Fixed unresolved error codes in FIPS (bsc#1182959).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:778-1
Released:    Fri Mar 12 17:42:25 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219
This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores it in a guint; this patch refuses lengths larger than a guint can hold. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and can lead to an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released:    Mon Mar 15 11:19:23 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201
This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

From sle-security-updates at lists.suse.com  Fri Mar 19 20:29:07 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 21:29:07 +0100 (CET)
Subject: SUSE-SU-2021:0913-1: moderate: Security Beta update for SUSE Manager Client Tools
Message-ID: <20210319202907.A3553FFA5@maintenance.suse.de>

   SUSE Security Update: Security Beta update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0913-1
Rating:             moderate
References:         #1099976 #1172110 #1174855 #1177474 #1179696 #1181347 #1181550 #1181556 #1181557 #1181558 #1181559 #1181560 #1181561 #1181562 #1181563 #1181564 #1181565 #1182382 #1182740
Cross-References:   CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-25281 CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 CVE-2021-25315 CVE-2021-3144 CVE-2021-3148 CVE-2021-3197
CVSS scores:
                    CVE-2020-28243 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28243 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28972 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-28972 (SUSE): 7.3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (NVD) : 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (SUSE): 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
                    CVE-2021-25281 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25281 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25282 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
                    CVE-2021-25282 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25284 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-25284 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-25315 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25315 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3144 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3144 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3148 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3148 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Manager Debian 10-CLIENT-TOOLS-BETA
______________________________________________________________________________

   An update that solves 11 vulnerabilities and has 8 fixes is now available.
Description:

   This update fixes the following issues:

   salt:

   - virt.network_update: handle missing ipv4 netmask attribute
   - Do not monkey patch yaml loaders: Prevent breaking Ansible filter modules (bsc#1177474)
   - Fix race conditions for corner cases when handling SIGTERM by minion (bsc#1172110)
   - Allow extra_filerefs as sanitized kwargs for SSH client
   - Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
   - Fix for multiple security issues (CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144) (CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197) (bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560) (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565)
   - Implementation of suse_ip execution module to prevent issues with network.managed (bsc#1099976)
   - Add sleep on exception handling on minion connection attempt to the master (bsc#1174855)
   - Allows for the VMware provider to handle CPU and memory hot-add in newer versions of the software. (bsc#1181347)
   - Always require python-certifi (used by salt.ext.tornado)
   - Bring missing part of async batch implementation back (bsc#1182382) (CVE-2021-25315)
   - Master can read grains (bsc#1179696)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Manager Debian 10-CLIENT-TOOLS-BETA:

      zypper in -t patch SUSE-Debian-10-CLIENT-TOOLS-BETA-x86_64-2021-913=1


Package List:

   - SUSE Manager Debian 10-CLIENT-TOOLS-BETA (all):

      salt-common-3002.2+ds-1+2.14.1
      salt-minion-3002.2+ds-1+2.14.1


References:

   https://www.suse.com/security/cve/CVE-2020-28243.html
   https://www.suse.com/security/cve/CVE-2020-28972.html
   https://www.suse.com/security/cve/CVE-2020-35662.html
   https://www.suse.com/security/cve/CVE-2021-25281.html
   https://www.suse.com/security/cve/CVE-2021-25282.html
   https://www.suse.com/security/cve/CVE-2021-25283.html
   https://www.suse.com/security/cve/CVE-2021-25284.html
   https://www.suse.com/security/cve/CVE-2021-25315.html
   https://www.suse.com/security/cve/CVE-2021-3144.html
   https://www.suse.com/security/cve/CVE-2021-3148.html
   https://www.suse.com/security/cve/CVE-2021-3197.html
   https://bugzilla.suse.com/1099976
   https://bugzilla.suse.com/1172110
   https://bugzilla.suse.com/1174855
   https://bugzilla.suse.com/1177474
   https://bugzilla.suse.com/1179696
   https://bugzilla.suse.com/1181347
   https://bugzilla.suse.com/1181550
   https://bugzilla.suse.com/1181556
   https://bugzilla.suse.com/1181557
   https://bugzilla.suse.com/1181558
   https://bugzilla.suse.com/1181559
   https://bugzilla.suse.com/1181560
   https://bugzilla.suse.com/1181561
   https://bugzilla.suse.com/1181562
   https://bugzilla.suse.com/1181563
   https://bugzilla.suse.com/1181564
   https://bugzilla.suse.com/1181565
   https://bugzilla.suse.com/1182382
   https://bugzilla.suse.com/1182740

From sle-security-updates at lists.suse.com  Fri Mar 19 20:32:26 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 21:32:26 +0100 (CET)
Subject: SUSE-SU-2021:14679-1: moderate: Security Beta update for SUSE Manager Client Tools
Message-ID: <20210319203226.1355AFD17@maintenance.suse.de>

   SUSE Security Update: Security Beta update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14679-1
Rating:             moderate
References:         #1099976 #1172110 #1174855 #1179696 #1181347 #1181550 #1181556 #1181557 #1181558 #1181559 #1181560 #1181561 #1181562 #1181563 #1181564 #1181565 #1182382 #1182740
Cross-References:   CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-25281 CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 CVE-2021-25315 CVE-2021-3144 CVE-2021-3148 CVE-2021-3197
CVSS scores:
                    CVE-2020-28243 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28243 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28972 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-28972 (SUSE): 7.3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (NVD) : 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (SUSE): 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
                    CVE-2021-25281 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25281 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25282 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
                    CVE-2021-25282 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25284 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-25284 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-25315 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25315 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3144 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3144 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3148 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3148 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA
______________________________________________________________________________

   An update that solves 11 vulnerabilities and has 7 fixes is now available.

Description:

   This update fixes the following issues:

   salt:

   - Fix race conditions for corner cases when handling SIGTERM by minion (bsc#1172110)
   - Allow extra_filerefs as sanitized kwargs for SSH client
   - Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
   - Fix for multiple security issues (CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144) (CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197) (bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560) (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565)
   - Implementation of suse_ip execution module to prevent issues with network.managed (bsc#1099976)
   - Add sleep on exception handling on minion connection attempt to the master (bsc#1174855)
   - Allows for the VMware provider to handle CPU and memory hot-add in newer versions of the software. (bsc#1181347)
   - Always require python-certifi (used by salt.ext.tornado)
   - Bring missing part of async batch implementation back (bsc#1182382) (CVE-2021-25315)
   - Master can read grains (bsc#1179696)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA:

      zypper in -t patch suse-ubu184ct-client-tools-beta-202103-14679=1


Package List:

   - SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA (amd64):

      libopenscap-dev-1.2.15-1build1~uyuni1
      libopenscap-perl-1.2.15-1build1~uyuni1
      libopenscap8-1.2.15-1build1~uyuni1
      libopenscap8-dbg-1.2.15-1build1~uyuni1
      python-openscap-1.2.15-1build1~uyuni1

   - SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA (all):

      salt-common-3002.2+ds-1+27.34.1
      salt-minion-3002.2+ds-1+27.34.1


References:

   https://www.suse.com/security/cve/CVE-2020-28243.html
   https://www.suse.com/security/cve/CVE-2020-28972.html
   https://www.suse.com/security/cve/CVE-2020-35662.html
   https://www.suse.com/security/cve/CVE-2021-25281.html
   https://www.suse.com/security/cve/CVE-2021-25282.html
   https://www.suse.com/security/cve/CVE-2021-25283.html
   https://www.suse.com/security/cve/CVE-2021-25284.html
   https://www.suse.com/security/cve/CVE-2021-25315.html
   https://www.suse.com/security/cve/CVE-2021-3144.html
   https://www.suse.com/security/cve/CVE-2021-3148.html
   https://www.suse.com/security/cve/CVE-2021-3197.html
   https://bugzilla.suse.com/1099976
   https://bugzilla.suse.com/1172110
   https://bugzilla.suse.com/1174855
   https://bugzilla.suse.com/1179696
   https://bugzilla.suse.com/1181347
   https://bugzilla.suse.com/1181550
   https://bugzilla.suse.com/1181556
   https://bugzilla.suse.com/1181557
   https://bugzilla.suse.com/1181558
   https://bugzilla.suse.com/1181559
   https://bugzilla.suse.com/1181560
   https://bugzilla.suse.com/1181561
   https://bugzilla.suse.com/1181562
   https://bugzilla.suse.com/1181563
   https://bugzilla.suse.com/1181564
   https://bugzilla.suse.com/1181565
   https://bugzilla.suse.com/1182382
   https://bugzilla.suse.com/1182740

From sle-security-updates at lists.suse.com  Fri Mar 19 20:35:32 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 21:35:32 +0100 (CET)
Subject: SUSE-SU-2021:0914-1: moderate: Security Beta update for Salt
Message-ID: <20210319203532.B7B66FD17@maintenance.suse.de>

   SUSE Security Update: Security Beta update for Salt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0914-1
Rating:             moderate
References:         #1099976 #1172110 #1174855 #1177474 #1179696 #1181347 #1181550 #1181556 #1181557 #1181558 #1181559 #1181560 #1181561 #1181562 #1181563 #1181564 #1181565 #1182382 #1182740
Cross-References:   CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-25281 CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 CVE-2021-25315 CVE-2021-3144 CVE-2021-3148 CVE-2021-3197
CVSS scores:
                    CVE-2020-28243 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28243 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28972 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-28972 (SUSE): 7.3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (NVD) : 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (SUSE): 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
                    CVE-2021-25281 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25281 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25282 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
                    CVE-2021-25282 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25284 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-25284 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-25315 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25315 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3144 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3144 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3148 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3148 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Manager Tools 15-BETA
______________________________________________________________________________

   An update that solves 11 vulnerabilities and has 8 fixes is now available.

Description:

   This update fixes the following issues:

   salt:

   - virt.network_update: handle missing ipv4 netmask attribute
   - Do not monkey patch yaml loaders: Prevent breaking Ansible filter modules (bsc#1177474)
   - Fix race conditions for corner cases when handling SIGTERM by minion (bsc#1172110)
   - Allow extra_filerefs as sanitized kwargs for SSH client
   - Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
   - Fix for multiple security issues (CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144) (CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197) (bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560) (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565)
   - Implementation of suse_ip execution module to prevent issues with network.managed (bsc#1099976)
   - Add sleep on exception handling on minion connection attempt to the master (bsc#1174855)
   - Allows for the VMware provider to handle CPU and memory hot-add in newer versions of the software. (bsc#1181347)
   - Always require python-certifi (used by salt.ext.tornado)
   - Bring missing part of async batch implementation back (bsc#1182382) (CVE-2021-25315)
   - Master can read grains (bsc#1179696)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Manager Tools 15-BETA:

      zypper in -t patch SUSE-SLE-Manager-Tools-15-2021-914=1


Package List:

   - SUSE Manager Tools 15-BETA (aarch64 ppc64le s390x x86_64):

      python3-salt-3002.2-8.33.1
      salt-3002.2-8.33.1
      salt-api-3002.2-8.33.1
      salt-cloud-3002.2-8.33.1
      salt-doc-3002.2-8.33.1
      salt-master-3002.2-8.33.1
      salt-minion-3002.2-8.33.1
      salt-proxy-3002.2-8.33.1
      salt-ssh-3002.2-8.33.1
      salt-standalone-formulas-configuration-3002.2-8.33.1
      salt-syndic-3002.2-8.33.1

   - SUSE Manager Tools 15-BETA (noarch):

      salt-bash-completion-3002.2-8.33.1
      salt-fish-completion-3002.2-8.33.1
      salt-zsh-completion-3002.2-8.33.1


References:

   https://www.suse.com/security/cve/CVE-2020-28243.html
   https://www.suse.com/security/cve/CVE-2020-28972.html
   https://www.suse.com/security/cve/CVE-2020-35662.html
   https://www.suse.com/security/cve/CVE-2021-25281.html
   https://www.suse.com/security/cve/CVE-2021-25282.html
   https://www.suse.com/security/cve/CVE-2021-25283.html
   https://www.suse.com/security/cve/CVE-2021-25284.html
   https://www.suse.com/security/cve/CVE-2021-25315.html
   https://www.suse.com/security/cve/CVE-2021-3144.html
   https://www.suse.com/security/cve/CVE-2021-3148.html
   https://www.suse.com/security/cve/CVE-2021-3197.html
   https://bugzilla.suse.com/1099976
   https://bugzilla.suse.com/1172110
   https://bugzilla.suse.com/1174855
   https://bugzilla.suse.com/1177474
   https://bugzilla.suse.com/1179696
   https://bugzilla.suse.com/1181347
   https://bugzilla.suse.com/1181550
   https://bugzilla.suse.com/1181556
   https://bugzilla.suse.com/1181557
   https://bugzilla.suse.com/1181558
   https://bugzilla.suse.com/1181559
   https://bugzilla.suse.com/1181560
   https://bugzilla.suse.com/1181561
   https://bugzilla.suse.com/1181562
   https://bugzilla.suse.com/1181563
   https://bugzilla.suse.com/1181564
   https://bugzilla.suse.com/1181565
   https://bugzilla.suse.com/1182382
   https://bugzilla.suse.com/1182740

From sle-security-updates at lists.suse.com  Fri Mar 19 20:38:35 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 21:38:35 +0100 (CET)
Subject: SUSE-SU-2021:14677-1: moderate: Security Beta update for SUSE Manager Client Tools
Message-ID: <20210319203835.DBA97FFA5@maintenance.suse.de>

   SUSE Security Update: Security Beta update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14677-1
Rating:             moderate
References:         #1099976 #1172110 #1174855 #1179696 #1180101 #1180818 #1181290 #1181347 #1181550 #1181556 #1181557 #1181558 #1181559 #1181560 #1181561 #1181562 #1181563 #1181564 #1181565 #1182740
Cross-References:   CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-25281 CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 CVE-2021-3144 CVE-2021-3148 CVE-2021-3197
CVSS scores:
                    CVE-2020-28243 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28243 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28972 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-28972 (SUSE): 7.3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (NVD) : 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (SUSE): 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
                    CVE-2021-25281 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25281 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25282 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
                    CVE-2021-25282 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25284 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-25284 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-3144 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3144 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3148 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3148 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Manager Ubuntu 16.04-CLIENT-TOOLS-BETA
______________________________________________________________________________

   An update that solves 10 vulnerabilities and has 10 fixes is now available.

Description:

   This update fixes the following issues:

   salt:

   - Only require python-certifi for CentOS7
   - Fix race conditions for corner cases when handling SIGTERM by minion (bsc#1172110)
   - Implementation of suse_ip execution module to prevent issues with network.managed (bsc#1099976)
   - Fix recursion false detection in payload (bsc#1180101)
   - Add sleep on exception handling on minion connection attempt to the master (bsc#1174855)
   - Allows for the VMware provider to handle CPU and memory hot-add in newer versions of the software. (bsc#1181347)
   - Always require python-certifi (used by salt.ext.tornado)
   - Exclude SLE 12 from requiring python-certifi
   - Do not crash when unexpected cmd output at listing patches (bsc#1181290)
   - Fix behavior for "onlyif/unless" when multiple conditions (bsc#1180818)
   - Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
   - Allow extra_filerefs as sanitized kwargs for SSH client
   - Fix errors with virt.update
   - Fix for multiple security issues (CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144) (CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197) (bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560) (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565)
   - Virt: search for grub.xen path
   - Xen spicevmc, DNS SRV records backports:
     Fix virtual network generated DNS XML for SRV records
     Don't add spicevmc channel to xen VMs
   - Virt UEFI fix: virt.update when efi=True
   - Master can read grains (bsc#1179696)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Manager Ubuntu 16.04-CLIENT-TOOLS-BETA:

      zypper in -t patch suse-ubu164ct-client-tools-beta-202103-14677=1

Package List:

   - SUSE Manager Ubuntu 16.04-CLIENT-TOOLS-BETA (all):

      salt-common-3000+ds-1+9.26.1
      salt-minion-3000+ds-1+9.26.1

References:

   https://www.suse.com/security/cve/CVE-2020-28243.html
   https://www.suse.com/security/cve/CVE-2020-28972.html
   https://www.suse.com/security/cve/CVE-2020-35662.html
   https://www.suse.com/security/cve/CVE-2021-25281.html
   https://www.suse.com/security/cve/CVE-2021-25282.html
   https://www.suse.com/security/cve/CVE-2021-25283.html
   https://www.suse.com/security/cve/CVE-2021-25284.html
   https://www.suse.com/security/cve/CVE-2021-3144.html
   https://www.suse.com/security/cve/CVE-2021-3148.html
   https://www.suse.com/security/cve/CVE-2021-3197.html
   https://bugzilla.suse.com/1099976
   https://bugzilla.suse.com/1172110
   https://bugzilla.suse.com/1174855
   https://bugzilla.suse.com/1179696
   https://bugzilla.suse.com/1180101
   https://bugzilla.suse.com/1180818
   https://bugzilla.suse.com/1181290
   https://bugzilla.suse.com/1181347
   https://bugzilla.suse.com/1181550
   https://bugzilla.suse.com/1181556
   https://bugzilla.suse.com/1181557
   https://bugzilla.suse.com/1181558
   https://bugzilla.suse.com/1181559
   https://bugzilla.suse.com/1181560
   https://bugzilla.suse.com/1181561
   https://bugzilla.suse.com/1181562
   https://bugzilla.suse.com/1181563
   https://bugzilla.suse.com/1181564
   https://bugzilla.suse.com/1181565
   https://bugzilla.suse.com/1182740

From sle-security-updates at lists.suse.com  Fri Mar 19 20:44:27 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 21:44:27 +0100 (CET)
Subject: SUSE-SU-2021:0886-1: moderate: Security update for python3
Message-ID: <20210319204427.56231FD17@maintenance.suse.de>

   SUSE Security Update: Security update for python3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0886-1
Rating:             moderate
References:         #1182379
Cross-References:   CVE-2021-23336
CVSS scores:
                    CVE-2021-23336 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
                    CVE-2021-23336 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python3 fixes the following issues:

   - CVE-2021-23336: Fixed a potential web cache poisoning caused by the use of a
     semicolon as a query string separator in query parameters (bsc#1182379).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-886=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-886=1

   - SUSE Linux Enterprise Module for Web Scripting 12:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2021-886=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      python3-base-debuginfo-3.4.10-25.66.1
      python3-base-debugsource-3.4.10-25.66.1
      python3-dbm-3.4.10-25.66.1
      python3-dbm-debuginfo-3.4.10-25.66.1
      python3-debuginfo-3.4.10-25.66.1
      python3-debugsource-3.4.10-25.66.1
      python3-devel-3.4.10-25.66.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (ppc64le s390x x86_64):

      python3-devel-debuginfo-3.4.10-25.66.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libpython3_4m1_0-3.4.10-25.66.1
      libpython3_4m1_0-debuginfo-3.4.10-25.66.1
      python3-3.4.10-25.66.1
      python3-base-3.4.10-25.66.1
      python3-base-debuginfo-3.4.10-25.66.1
      python3-base-debugsource-3.4.10-25.66.1
      python3-curses-3.4.10-25.66.1
      python3-curses-debuginfo-3.4.10-25.66.1
      python3-debuginfo-3.4.10-25.66.1
      python3-debugsource-3.4.10-25.66.1
      python3-devel-3.4.10-25.66.1
      python3-tk-3.4.10-25.66.1
      python3-tk-debuginfo-3.4.10-25.66.1

   - SUSE Linux Enterprise Server 12-SP5 (ppc64le s390x x86_64):

      python3-devel-debuginfo-3.4.10-25.66.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libpython3_4m1_0-32bit-3.4.10-25.66.1
      libpython3_4m1_0-debuginfo-32bit-3.4.10-25.66.1
      python3-base-debuginfo-32bit-3.4.10-25.66.1

   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64):

      libpython3_4m1_0-3.4.10-25.66.1
      libpython3_4m1_0-debuginfo-3.4.10-25.66.1
      python3-3.4.10-25.66.1
      python3-base-3.4.10-25.66.1
      python3-base-debuginfo-3.4.10-25.66.1
      python3-base-debugsource-3.4.10-25.66.1
      python3-curses-3.4.10-25.66.1
      python3-debuginfo-3.4.10-25.66.1
      python3-debugsource-3.4.10-25.66.1

References:

   https://www.suse.com/security/cve/CVE-2021-23336.html
   https://bugzilla.suse.com/1182379

From sle-security-updates at lists.suse.com  Fri Mar 19 20:45:26 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 21:45:26 +0100 (CET)
Subject: SUSE-SU-2021:14669-1: important: Security update for wavpack
Message-ID: <20210319204526.8F95CFD17@maintenance.suse.de>

   SUSE Security Update: Security update for wavpack
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14669-1
Rating:             important
References:         #1180414
Cross-References:   CVE-2020-35738
CVSS scores:
                    CVE-2020-35738 (NVD) : 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
                    CVE-2020-35738 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for wavpack fixes the following issues:

   - CVE-2020-35738: Fixed an out-of-bounds write in WavpackPackSamples (bsc#1180414).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:

      zypper in -t patch slessp4-wavpack-14669=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-wavpack-14669=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-wavpack-14669=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-wavpack-14669=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):

      libwavpack1-4.50.1-1.33.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      libwavpack1-4.50.1-1.33.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):

      wavpack-debuginfo-4.50.1-1.33.1
      wavpack-debugsource-4.50.1-1.33.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      wavpack-debuginfo-4.50.1-1.33.1
      wavpack-debugsource-4.50.1-1.33.1

References:

   https://www.suse.com/security/cve/CVE-2020-35738.html
   https://bugzilla.suse.com/1180414

From sle-security-updates at lists.suse.com  Fri Mar 19 20:48:18 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 21:48:18 +0100 (CET)
Subject: SUSE-SU-2021:14682-1: moderate: Security Beta update for SUSE Manager Client Tools
Message-ID: <20210319204818.5C63DFD17@maintenance.suse.de>

   SUSE Security Update: Security Beta update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14682-1
Rating:             moderate
References:         #1181290 #1181550 #1181556 #1181557
                    #1181558 #1181559 #1181560 #1181561 #1181562 #1181563 #1181564
                    #1181565 #1181807 #1182339 #1182603 #1182740
Cross-References:   CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-25281
                    CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 CVE-2021-3144
                    CVE-2021-3148 CVE-2021-3197
CVSS scores:
                    CVE-2020-28243 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28243 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28972 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-28972 (SUSE): 7.3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (NVD) : 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (SUSE): 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
                    CVE-2021-25281 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25281 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25282 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
                    CVE-2021-25282 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25284 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-25284 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-3144 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3144 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3148 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3148 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA
                    SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA
______________________________________________________________________________

   An update that solves 10 vulnerabilities and has 6 fixes is now available.

Description:

   This update fixes the following issues:

   mgr-osad:

   - Adapt to new SSL implementation of rhnlib (bsc#1181807)

   rhnlib:

   - Change SSL implementation to python ssl for better SAN and hostname matching support (bsc#1181807)

   salt:

   - Do not crash on unexpected cmd output when listing patches (bsc#1181290)
   - Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
   - Allow extra_filerefs as sanitized kwargs for SSH client
   - Fix for multiple security issues (CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144) (CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197) (bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560) (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565)

   spacewalk-client-tools:

   - Fall back to sysfs when reading info from python-dmidecode fails (bsc#1182603)
   - Log an error when product detection fails (bsc#1182339)
   - Adapt to new SSL implementation of rhnlib (bsc#1181807)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA:

      zypper in -t patch slesctsp4-client-tools-beta-202103-14682=1

   - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA:

      zypper in -t patch slesctsp3-client-tools-beta-202103-14682=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA (i586 ia64 ppc64 s390x x86_64):

      mgr-osad-4.2.3-8.12.1
      python2-mgr-osa-common-4.2.3-8.12.1
      python2-mgr-osad-4.2.3-8.12.1
      python2-rhnlib-4.2.2-15.12.1
      python2-spacewalk-check-4.2.7-30.24.1
      python2-spacewalk-client-setup-4.2.7-30.24.1
      python2-spacewalk-client-tools-4.2.7-30.24.1
      salt-2016.11.10-46.15.1
      salt-doc-2016.11.10-46.15.1
      salt-minion-2016.11.10-46.15.1
      spacewalk-check-4.2.7-30.24.1
      spacewalk-client-setup-4.2.7-30.24.1
      spacewalk-client-tools-4.2.7-30.24.1

   - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA (i586 ia64 ppc64 s390x x86_64):

      mgr-osad-4.2.3-8.12.1
      python2-mgr-osa-common-4.2.3-8.12.1
      python2-mgr-osad-4.2.3-8.12.1
      python2-rhnlib-4.2.2-15.12.1
      python2-spacewalk-check-4.2.7-30.24.1
      python2-spacewalk-client-setup-4.2.7-30.24.1
      python2-spacewalk-client-tools-4.2.7-30.24.1
      salt-2016.11.10-46.15.1
      salt-doc-2016.11.10-46.15.1
      salt-minion-2016.11.10-46.15.1
      spacewalk-check-4.2.7-30.24.1
      spacewalk-client-setup-4.2.7-30.24.1
      spacewalk-client-tools-4.2.7-30.24.1

References:

   https://www.suse.com/security/cve/CVE-2020-28243.html
   https://www.suse.com/security/cve/CVE-2020-28972.html
   https://www.suse.com/security/cve/CVE-2020-35662.html
   https://www.suse.com/security/cve/CVE-2021-25281.html
   https://www.suse.com/security/cve/CVE-2021-25282.html
   https://www.suse.com/security/cve/CVE-2021-25283.html
   https://www.suse.com/security/cve/CVE-2021-25284.html
   https://www.suse.com/security/cve/CVE-2021-3144.html
   https://www.suse.com/security/cve/CVE-2021-3148.html
   https://www.suse.com/security/cve/CVE-2021-3197.html
   https://bugzilla.suse.com/1181290
   https://bugzilla.suse.com/1181550
   https://bugzilla.suse.com/1181556
   https://bugzilla.suse.com/1181557
   https://bugzilla.suse.com/1181558
   https://bugzilla.suse.com/1181559
   https://bugzilla.suse.com/1181560
   https://bugzilla.suse.com/1181561
   https://bugzilla.suse.com/1181562
   https://bugzilla.suse.com/1181563
   https://bugzilla.suse.com/1181564
   https://bugzilla.suse.com/1181565
   https://bugzilla.suse.com/1181807
   https://bugzilla.suse.com/1182339
   https://bugzilla.suse.com/1182603
   https://bugzilla.suse.com/1182740

From sle-security-updates at lists.suse.com  Fri Mar 19 20:51:14 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 21:51:14 +0100 (CET)
Subject: SUSE-SU-2021:0910-1: moderate: Security Beta update for SUSE Manager Client Tools
Message-ID: <20210319205114.49AFFFD17@maintenance.suse.de>

   SUSE Security Update: Security Beta update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0910-1
Rating:             moderate
References:         #1099976 #1172110 #1174855 #1179696 #1180101 #1180818 #1181290
                    #1181347 #1181550 #1181556 #1181557 #1181558 #1181559 #1181560
                    #1181561 #1181562 #1181563 #1181564 #1181565 #1182740
Cross-References:   CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-25281
                    CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 CVE-2021-3144
                    CVE-2021-3148 CVE-2021-3197
CVSS scores:
                    CVE-2020-28243 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28243 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28972 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-28972 (SUSE): 7.3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (NVD) : 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (SUSE): 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
                    CVE-2021-25281 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25281 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25282 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
                    CVE-2021-25282 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25284 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-25284 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-3144 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3144 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3148 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3148 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Manager Debian 9.0-CLIENT-TOOLS-BETA
______________________________________________________________________________

   An update that solves 10 vulnerabilities and has 10 fixes is now available.

Description:

   This update fixes the following issues:

   salt:

   - Only require python-certifi for CentOS7
   - Fix race conditions for corner cases when handling SIGTERM by minion (bsc#1172110)
   - Implementation of suse_ip execution module to prevent issues with network.managed (bsc#1099976)
   - Fix recursion false detection in payload (bsc#1180101)
   - Add sleep on exception handling on minion connection attempt to the master (bsc#1174855)
   - Allows for the VMware provider to handle CPU and memory hot-add in newer versions of the software.
     (bsc#1181347)
   - Always require python-certifi (used by salt.ext.tornado)
   - Exclude SLE 12 from requiring python-certifi
   - Do not crash on unexpected cmd output when listing patches (bsc#1181290)
   - Fix behavior for "onlyif/unless" when multiple conditions are given (bsc#1180818)
   - Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
   - Allow extra_filerefs as sanitized kwargs for SSH client
   - Fix errors with virt.update
   - Fix for multiple security issues (CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144) (CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197) (bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560) (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565)
   - Virt: search for grub.xen path
   - Xen spicevmc, DNS SRV records backports:
     - Fix virtual network generated DNS XML for SRV records
     - Don't add spicevmc channel to xen VMs
   - Virt UEFI fix: virt.update when efi=True
   - Master can read grains (bsc#1179696)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Manager Debian 9.0-CLIENT-TOOLS-BETA:

      zypper in -t patch SUSE-Debian-9.0-CLIENT-TOOLS-BETA-x86_64-2021-910=1

Package List:

   - SUSE Manager Debian 9.0-CLIENT-TOOLS-BETA (all):

      salt-common-3000+ds-1+2.9.1
      salt-minion-3000+ds-1+2.9.1

References:

   https://www.suse.com/security/cve/CVE-2020-28243.html
   https://www.suse.com/security/cve/CVE-2020-28972.html
   https://www.suse.com/security/cve/CVE-2020-35662.html
   https://www.suse.com/security/cve/CVE-2021-25281.html
   https://www.suse.com/security/cve/CVE-2021-25282.html
   https://www.suse.com/security/cve/CVE-2021-25283.html
   https://www.suse.com/security/cve/CVE-2021-25284.html
   https://www.suse.com/security/cve/CVE-2021-3144.html
   https://www.suse.com/security/cve/CVE-2021-3148.html
   https://www.suse.com/security/cve/CVE-2021-3197.html
   https://bugzilla.suse.com/1099976
   https://bugzilla.suse.com/1172110
   https://bugzilla.suse.com/1174855
   https://bugzilla.suse.com/1179696
   https://bugzilla.suse.com/1180101
   https://bugzilla.suse.com/1180818
   https://bugzilla.suse.com/1181290
   https://bugzilla.suse.com/1181347
   https://bugzilla.suse.com/1181550
   https://bugzilla.suse.com/1181556
   https://bugzilla.suse.com/1181557
   https://bugzilla.suse.com/1181558
   https://bugzilla.suse.com/1181559
   https://bugzilla.suse.com/1181560
   https://bugzilla.suse.com/1181561
   https://bugzilla.suse.com/1181562
   https://bugzilla.suse.com/1181563
   https://bugzilla.suse.com/1181564
   https://bugzilla.suse.com/1181565
   https://bugzilla.suse.com/1182740

From sle-security-updates at lists.suse.com  Fri Mar 19 20:55:59 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 21:55:59 +0100 (CET)
Subject: SUSE-SU-2021:0906-1: moderate: Security update for SUSE Manager Proxy 4.1
Message-ID: <20210319205559.A81E3FD17@maintenance.suse.de>

   SUSE Security Update: Security update for SUSE Manager Proxy 4.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0906-1
Rating:             moderate
References:         #1173893 #1177508 #1180558 #1181807 #1182006 #1182685
Cross-References:   CVE-2020-28477
CVSS scores:
                    CVE-2020-28477 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1
______________________________________________________________________________

   An update that solves one vulnerability and has 5 fixes is now available.

Description:

   This update fixes the following issues:

   mgr-osad:

   - Adapt to new SSL implementation of rhnlib (bsc#1181807)

   rhnlib:

   - Change SSL implementation to python ssl for better SAN and hostname matching support (bsc#1181807)

   spacewalk-backend:

   - Open repomd files as binary (bsc#1173893)
   - Fix requesting Release file in debian repos (bsc#1182006)
   - Reposync: Fixed Kickstart functionality.
   - Reposync: Fixed URLGrabber error handling.
   - Reposync: Fix modular data handling for cloned channels (bsc#1177508)

   spacewalk-client-tools:

   - Adapt to new SSL implementation of rhnlib (bsc#1181807)

   spacewalk-proxy:

   - Adapt to new SSL implementation of rhnlib (bsc#1181807)

   spacewalk-proxy-installer:

   - Adapt to new SSL implementation of rhnlib (bsc#1181807)

   spacewalk-web:

   - Replace CRLF in ssh priv key when bootstrapping (bsc#1182685)
   - Upgrade immer to fix CVE-2020-28477
   - Default to preferred items per page in content lifecycle lists (bsc#1180558)
   - Fix sorting in content lifecycle projects and cluster tables (bsc#1180558)

   How to apply this update:

   1. Log in as root user to the SUSE Manager proxy.
   2. Stop the proxy service: spacewalk-proxy stop
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service: spacewalk-proxy start

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.1-2021-906=1

Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (noarch):

      mgr-osad-4.1.5-2.9.4
      python3-mgr-osa-common-4.1.5-2.9.4
      python3-mgr-osad-4.1.5-2.9.4
      python3-rhnlib-4.1.3-4.3.2
      python3-spacewalk-check-4.1.9-4.12.4
      python3-spacewalk-client-setup-4.1.9-4.12.4
      python3-spacewalk-client-tools-4.1.9-4.12.4
      spacewalk-backend-4.1.21-4.22.7
      spacewalk-base-minimal-4.1.23-3.18.6
      spacewalk-base-minimal-config-4.1.23-3.18.6
      spacewalk-check-4.1.9-4.12.4
      spacewalk-client-setup-4.1.9-4.12.4
      spacewalk-client-tools-4.1.9-4.12.4
      spacewalk-proxy-broker-4.1.4-3.9.4
      spacewalk-proxy-common-4.1.4-3.9.4
      spacewalk-proxy-installer-4.1.6-3.3.2
      spacewalk-proxy-management-4.1.4-3.9.4
      spacewalk-proxy-package-manager-4.1.4-3.9.4
      spacewalk-proxy-redirect-4.1.4-3.9.4
      spacewalk-proxy-salt-4.1.4-3.9.4

References:

   https://www.suse.com/security/cve/CVE-2020-28477.html
   https://bugzilla.suse.com/1173893
   https://bugzilla.suse.com/1177508
   https://bugzilla.suse.com/1180558
   https://bugzilla.suse.com/1181807
   https://bugzilla.suse.com/1182006
   https://bugzilla.suse.com/1182685

From sle-security-updates at lists.suse.com  Fri Mar 19 20:59:01 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 21:59:01 +0100 (CET)
Subject: SUSE-SU-2021:0891-1: moderate: Security update for evolution-data-server
Message-ID: <20210319205901.D87C1FD17@maintenance.suse.de>

   SUSE Security Update: Security update for evolution-data-server
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0891-1
Rating:             moderate
References:         #1173910 #1174712 #1182882
Cross-References:   CVE-2020-14928 CVE-2020-16117
CVSS scores:
                    CVE-2020-14928 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2020-14928 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2020-16117 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-16117 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now available.

Description:

   This update for evolution-data-server fixes the following issues:

   - Fix buffer overrun when parsing base64 data (bsc#1182882).
   - CVE-2020-16117: Fix crash on malformed server response with minimal capabilities (bsc#1174712).
   - CVE-2020-14928: Response injection via STARTTLS in SMTP and POP3 (bsc#1173910).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP5:

      zypper in -t patch SUSE-SLE-WE-12-SP5-2021-891=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-891=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

      evolution-data-server-3.22.7-18.7.1
      evolution-data-server-32bit-3.22.7-18.7.1
      evolution-data-server-debuginfo-3.22.7-18.7.1
      evolution-data-server-debuginfo-32bit-3.22.7-18.7.1
      evolution-data-server-debugsource-3.22.7-18.7.1
      libcamel-1_2-59-3.22.7-18.7.1
      libcamel-1_2-59-32bit-3.22.7-18.7.1
      libcamel-1_2-59-debuginfo-3.22.7-18.7.1
      libcamel-1_2-59-debuginfo-32bit-3.22.7-18.7.1
      libebackend-1_2-10-3.22.7-18.7.1
      libebackend-1_2-10-32bit-3.22.7-18.7.1
      libebackend-1_2-10-debuginfo-3.22.7-18.7.1
      libebackend-1_2-10-debuginfo-32bit-3.22.7-18.7.1
      libebook-1_2-16-3.22.7-18.7.1
      libebook-1_2-16-32bit-3.22.7-18.7.1
      libebook-1_2-16-debuginfo-3.22.7-18.7.1
      libebook-1_2-16-debuginfo-32bit-3.22.7-18.7.1
      libebook-contacts-1_2-2-3.22.7-18.7.1
      libebook-contacts-1_2-2-32bit-3.22.7-18.7.1
      libebook-contacts-1_2-2-debuginfo-3.22.7-18.7.1
      libebook-contacts-1_2-2-debuginfo-32bit-3.22.7-18.7.1
      libecal-1_2-19-3.22.7-18.7.1
      libecal-1_2-19-32bit-3.22.7-18.7.1
      libecal-1_2-19-debuginfo-3.22.7-18.7.1
      libecal-1_2-19-debuginfo-32bit-3.22.7-18.7.1
      libedata-book-1_2-25-3.22.7-18.7.1
      libedata-book-1_2-25-32bit-3.22.7-18.7.1
      libedata-book-1_2-25-debuginfo-3.22.7-18.7.1
      libedata-book-1_2-25-debuginfo-32bit-3.22.7-18.7.1
      libedata-cal-1_2-28-3.22.7-18.7.1
      libedata-cal-1_2-28-32bit-3.22.7-18.7.1
      libedata-cal-1_2-28-debuginfo-3.22.7-18.7.1
      libedata-cal-1_2-28-debuginfo-32bit-3.22.7-18.7.1
      libedataserver-1_2-22-3.22.7-18.7.1
      libedataserver-1_2-22-32bit-3.22.7-18.7.1
      libedataserver-1_2-22-debuginfo-3.22.7-18.7.1
      libedataserver-1_2-22-debuginfo-32bit-3.22.7-18.7.1
      libedataserverui-1_2-1-3.22.7-18.7.1
      libedataserverui-1_2-1-debuginfo-3.22.7-18.7.1

   - SUSE Linux Enterprise Workstation Extension 12-SP5 (noarch):

      evolution-data-server-lang-3.22.7-18.7.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      evolution-data-server-debuginfo-3.22.7-18.7.1
      evolution-data-server-debugsource-3.22.7-18.7.1
      evolution-data-server-devel-3.22.7-18.7.1
      typelib-1_0-EBook-1_2-3.22.7-18.7.1
      typelib-1_0-EBookContacts-1_2-3.22.7-18.7.1
      typelib-1_0-EDataServer-1_2-3.22.7-18.7.1

References:

   https://www.suse.com/security/cve/CVE-2020-14928.html
   https://www.suse.com/security/cve/CVE-2020-16117.html
   https://bugzilla.suse.com/1173910
   https://bugzilla.suse.com/1174712
   https://bugzilla.suse.com/1182882

From sle-security-updates at lists.suse.com  Fri Mar 19 21:02:05 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 22:02:05 +0100 (CET)
Subject: SUSE-SU-2021:0906-1: moderate: Security update for SUSE Manager Server 4.1
Message-ID: <20210319210205.01D20FD17@maintenance.suse.de>

   SUSE Security Update: Security update for SUSE Manager Server 4.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0906-1
Rating:             moderate
References:         #1157711 #1173893 #1175660 #1177508 #1179579 #1180145 #1180146
                    #1180224 #1180439 #1180547 #1180558 #1180757 #1180994 #1181048
                    #1181165 #1181228 #1181290 #1181416 #1181423 #1181635 #1181807
                    #1181814 #1182001 #1182006 #1182008 #1182071 #1182200 #1182492
                    #1182685
Cross-References:   CVE-2020-26217 CVE-2020-26258 CVE-2020-26259 CVE-2020-28477
CVSS scores:
                    CVE-2020-26217 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-26217 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-26258 (NVD) : 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
                    CVE-2020-26258 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2020-26259 (NVD) : 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
                    CVE-2020-26259 (SUSE): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
                    CVE-2020-28477 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.1
                    SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1
______________________________________________________________________________

   An update that solves four vulnerabilities and has 25 fixes is now available.
Description:

   This update fixes the following issues:

   cobbler:

   - Fix string replacement for @@xyz@@
   - Better performing string replacements

   grafana-formula:

   - Set `supported` to false for unsupported systems (bsc#1182001)
   - Add SLES 15 SP3 and openSUSE Leap 15.3 to supported versions

   mgr-libmod:

   - Fix 'list_modules' JSON serialization (bsc#1182492)

   mgr-osad:

   - Adapt to new SSL implementation of rhnlib (bsc#1181807)

   prometheus-exporters-formula:

   - Add Ubuntu support for Prometheus exporters' reverse proxy

   prometheus-formula:

   - Set server hostname from pillar data (bsc#1180439)

   py26-compat-salt:

   - Do not crash on unexpected cmd output when listing patches (bsc#1181290)

   rhnlib:

   - Change SSL implementation to python ssl for better SAN and hostname matching support (bsc#1181807)

   smdba:

   - Do not remove the database if there is no backup and deal with manifest

   spacewalk-backend:

   - Open repomd files as binary (bsc#1173893)
   - Fix requesting Release file in debian repos (bsc#1182006)
   - Reposync: Fixed Kickstart functionality.
   - Reposync: Fixed URLGrabber error handling.
   - Reposync: Fix modular data handling for cloned channels (bsc#1177508)

   spacewalk-client-tools:

   - Adapt to new SSL implementation of rhnlib (bsc#1181807)

   spacewalk-config:

   - Increase apache ssl logs to include response code and process time

   spacewalk-java:

   - Homogenize style in filter buttons, facilitating testability
   - Cleanup sessions via SQL query instead of SQL function (bsc#1180224)
   - Rebuild and improve rendering of the 404 and 500 error pages (bsc#1181228)
   - Fix user creation with pam auth and no password (bsc#1179579)
   - Fix action chains for saltssh minions (bsc#1182200)
   - FIX: Slow response of 'Software > Install' in Ubuntu minions (bsc#1181165)
   - Do not call page decorator in HEAD requests (bsc#1181228)
   - Add 'mgr_origin_server' to Salt pillar data (bsc#1180439)
   - Ensure new files are synced just after writing them (bsc#1175660)
   - Enable openscap auditing for salt systems in SSM (bsc#1157711)
   - Detect debian products (bsc#1181416)
   - Show packages from channels assigned to the targeted system (bsc#1181423)
   - Add an API endpoint to allow/disallow scheduling irrelevant patches (bsc#1180757)
   - Open raw output in new tab for ScriptRunAction (bsc#1180547)
   - Default to preferred items per page in content lifecycle lists (bsc#1180558)
   - Fix modular data handling for cloned channels (bsc#1177508)
   - Fix: login gets an ISE when SSO is enabled (bsc#1181048)

   spacewalk-utils:

   - Fix modular data handling for cloned channels (bsc#1177508)

   spacewalk-web:

   - Replace CRLF in ssh priv key when bootstrapping (bsc#1182685)
   - Upgrade immer to fix CVE-2020-28477
   - Default to preferred items per page in content lifecycle lists (bsc#1180558)
   - Fix sorting in content lifecycle projects and cluster tables (bsc#1180558)

   susemanager:

   - Add SLE 15 SP3 bootstrap repository definitions (bsc#1182008)
   - python3-dbus-python and its dependencies are not installed by default on JeOS SLE15
     images; add them to the bootstrap repository package list for traditional clients (bsc#1182071)
susemanager-doc-indexes: - Updated Command Line Registration with Salt section in the Client Configuration Guide for clarity. - Adds openSUSE Leap SP migration to the SP migration section of the Client Configuration Guide - Adds note that bootstrap procedure for selecting a parent channel is optional in Client Configuration Guide (bsc#1181635) - Adds note about checking for valid UUIDs in fstab when backing up (bsc#1181814) - Updated command for running configure proxy script when replacing a proxy - Fixed bad SUSE Customer Center URL susemanager-docs_en: - Updated Command Line Registration with Salt section in the Client Configuration Guide for clarity. - Adds openSUSE Leap SP migration to the SP migration section of the Client Configuration Guide - Adds note that bootstrap procedure for selecting a parent channel is optional in Client Configuration Guide (bsc#1181635) - Adds note about checking for valid UUIDs in fstab when backing up (bsc#1181814) - Updated command for running configure proxy script when replacing a proxy - Fixed bad SUSE Customer Center URL susemanager-schema: - Drop "pxt_session_cleanup" function (bsc#1180224) - Enable openscap auditing for salt systems in SSM (bsc#1157711) susemanager-sls: - Ubuntu 18 has version of apt which does not correctly support auth.conf.d directory. Detect the working version and use this feature only when we have a higher version installed xstream: Upgrade to 1.4.15 - fixes bsc#1180146, CVE-2020-26258 and bsc#1180145, CVE-2020-26259 - fixes bsc#1180994, CVE-2020-26217 subscription-matcher: - Update the xstream dependency to 1.4.15 How to apply this update: 1. Log in as root user to the SUSE Manager server. 2. Stop the Spacewalk service: `spacewalk-service stop` 3. Apply the patch using either zypper patch or YaST Online Update. 4. 
Start the Spacewalk service: `spacewalk-service start` Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SUSE Manager Server 4.1: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-906=1 - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.1-2021-906=1 Package List: - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x x86_64): smdba-1.7.8-0.3.6.2 susemanager-4.1.24-3.20.2 susemanager-tools-4.1.24-3.20.2 - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch): cobbler-3.0.0+git20190806.32c4bae0-5.6.4 grafana-formula-0.4.0-3.6.2 mgr-libmod-4.1.7-3.16.2 mgr-osa-dispatcher-4.1.5-2.9.4 prometheus-exporters-formula-0.9.0-3.19.2 prometheus-formula-0.3.1-3.6.2 py26-compat-salt-2016.11.10-6.11.2 python3-mgr-osa-common-4.1.5-2.9.4 python3-mgr-osa-dispatcher-4.1.5-2.9.4 python3-rhnlib-4.1.3-4.3.2 python3-spacewalk-client-tools-4.1.9-4.12.4 spacewalk-backend-4.1.21-4.22.7 spacewalk-backend-app-4.1.21-4.22.7 spacewalk-backend-applet-4.1.21-4.22.7 spacewalk-backend-config-files-4.1.21-4.22.7 spacewalk-backend-config-files-common-4.1.21-4.22.7 spacewalk-backend-config-files-tool-4.1.21-4.22.7 spacewalk-backend-iss-4.1.21-4.22.7 spacewalk-backend-iss-export-4.1.21-4.22.7 spacewalk-backend-package-push-server-4.1.21-4.22.7 spacewalk-backend-server-4.1.21-4.22.7 spacewalk-backend-sql-4.1.21-4.22.7 spacewalk-backend-sql-postgresql-4.1.21-4.22.7 spacewalk-backend-tools-4.1.21-4.22.7 spacewalk-backend-xml-export-libs-4.1.21-4.22.7 spacewalk-backend-xmlrpc-4.1.21-4.22.7 spacewalk-base-4.1.23-3.18.6 spacewalk-base-minimal-4.1.23-3.18.6 spacewalk-base-minimal-config-4.1.23-3.18.6 spacewalk-client-tools-4.1.9-4.12.4 spacewalk-config-4.1.5-3.3.2 spacewalk-html-4.1.23-3.18.6 
spacewalk-java-4.1.30-3.31.7 spacewalk-java-config-4.1.30-3.31.7 spacewalk-java-lib-4.1.30-3.31.7 spacewalk-java-postgresql-4.1.30-3.31.7 spacewalk-taskomatic-4.1.30-3.31.7 spacewalk-utils-4.1.14-3.12.2 spacewalk-utils-extras-4.1.14-3.12.2 subscription-matcher-0.26-3.6.2 susemanager-doc-indexes-4.1-11.28.4 susemanager-docs_en-4.1-11.28.2 susemanager-docs_en-pdf-4.1-11.28.2 susemanager-schema-4.1.19-3.24.4 susemanager-sls-4.1.21-3.26.2 susemanager-web-libs-4.1.23-3.18.6 uyuni-config-modules-4.1.21-3.26.2 xpp3-1.1.4c-11.2.2 xpp3-minimal-1.1.4c-11.2.2 xstream-1.4.15-3.5.2 - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (noarch): mgr-osad-4.1.5-2.9.4 python3-mgr-osa-common-4.1.5-2.9.4 python3-mgr-osad-4.1.5-2.9.4 python3-rhnlib-4.1.3-4.3.2 python3-spacewalk-check-4.1.9-4.12.4 python3-spacewalk-client-setup-4.1.9-4.12.4 python3-spacewalk-client-tools-4.1.9-4.12.4 spacewalk-backend-4.1.21-4.22.7 spacewalk-base-minimal-4.1.23-3.18.6 spacewalk-base-minimal-config-4.1.23-3.18.6 spacewalk-check-4.1.9-4.12.4 spacewalk-client-setup-4.1.9-4.12.4 spacewalk-client-tools-4.1.9-4.12.4 spacewalk-proxy-broker-4.1.4-3.9.4 spacewalk-proxy-common-4.1.4-3.9.4 spacewalk-proxy-installer-4.1.6-3.3.2 spacewalk-proxy-management-4.1.4-3.9.4 spacewalk-proxy-package-manager-4.1.4-3.9.4 spacewalk-proxy-redirect-4.1.4-3.9.4 spacewalk-proxy-salt-4.1.4-3.9.4 References: https://www.suse.com/security/cve/CVE-2020-26217.html https://www.suse.com/security/cve/CVE-2020-26258.html https://www.suse.com/security/cve/CVE-2020-26259.html https://www.suse.com/security/cve/CVE-2020-28477.html https://bugzilla.suse.com/1157711 https://bugzilla.suse.com/1173893 https://bugzilla.suse.com/1175660 https://bugzilla.suse.com/1177508 https://bugzilla.suse.com/1179579 https://bugzilla.suse.com/1180145 https://bugzilla.suse.com/1180146 https://bugzilla.suse.com/1180224 https://bugzilla.suse.com/1180439 https://bugzilla.suse.com/1180547 https://bugzilla.suse.com/1180558 https://bugzilla.suse.com/1180757 
https://bugzilla.suse.com/1180994 https://bugzilla.suse.com/1181048 https://bugzilla.suse.com/1181165 https://bugzilla.suse.com/1181228 https://bugzilla.suse.com/1181290 https://bugzilla.suse.com/1181416 https://bugzilla.suse.com/1181423 https://bugzilla.suse.com/1181635 https://bugzilla.suse.com/1181807 https://bugzilla.suse.com/1181814 https://bugzilla.suse.com/1182001 https://bugzilla.suse.com/1182006 https://bugzilla.suse.com/1182008 https://bugzilla.suse.com/1182071 https://bugzilla.suse.com/1182200 https://bugzilla.suse.com/1182492 https://bugzilla.suse.com/1182685 From sle-security-updates at lists.suse.com Fri Mar 19 21:06:33 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 19 Mar 2021 22:06:33 +0100 (CET) Subject: SUSE-SU-2021:0885-1: moderate: Security update for evolution-data-server Message-ID: <20210319210633.CCE77FD17@maintenance.suse.de> SUSE Security Update: Security update for evolution-data-server ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0885-1 Rating: moderate References: #1173910 #1174712 #1182882 Cross-References: CVE-2020-14928 CVE-2020-16117 CVSS scores: CVE-2020-14928 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2020-14928 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2020-16117 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-16117 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for evolution-data-server fixes the following issues: - Fix buffer overrun when parsing base64 data (bsc#1182882). - CVE-2020-16117: Fix crash on malformed server response with minimal capabilities (bsc#1174712). 
- CVE-2020-14928: Response injection via STARTTLS in SMTP and POP3 (bsc#1173910).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12-SP5:

   zypper in -t patch SUSE-SLE-WE-12-SP5-2021-885=1

Package List:

- SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

   libcamel-1_2-57-3.20.6-17.3.1
   libcamel-1_2-57-debuginfo-3.20.6-17.3.1
   libedataserver-1_2-21-3.20.6-17.3.1
   libedataserver-1_2-21-debuginfo-3.20.6-17.3.1

References:

https://www.suse.com/security/cve/CVE-2020-14928.html
https://www.suse.com/security/cve/CVE-2020-16117.html
https://bugzilla.suse.com/1173910
https://bugzilla.suse.com/1174712
https://bugzilla.suse.com/1182882

From sle-security-updates at lists.suse.com Fri Mar 19 21:09:37 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 22:09:37 +0100 (CET)
Subject: SUSE-SU-2021:14670-1: moderate: Security update for openssl
Message-ID: <20210319210937.6EF8BFD17@maintenance.suse.de>

SUSE Security Update: Security update for openssl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14670-1
Rating:             moderate
References:         #1182331 #1182333
Cross-References:   CVE-2021-23840 CVE-2021-23841
CVSS scores:
                    CVE-2021-23840 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-23840 (SUSE): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
                    CVE-2021-23841 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-23841 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for openssl fixes the following issues:

- CVE-2021-23840: Fixed an integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a NULL pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:

   zypper in -t patch slessp4-openssl-14670=1

- SUSE Linux Enterprise Point of Sale 11-SP3:

   zypper in -t patch sleposp3-openssl-14670=1

- SUSE Linux Enterprise Debuginfo 11-SP4:

   zypper in -t patch dbgsp4-openssl-14670=1

- SUSE Linux Enterprise Debuginfo 11-SP3:

   zypper in -t patch dbgsp3-openssl-14670=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):

   libopenssl0_9_8-0.9.8j-0.106.37.1
   libopenssl0_9_8-hmac-0.9.8j-0.106.37.1
   openssl-0.9.8j-0.106.37.1
   openssl-doc-0.9.8j-0.106.37.1

- SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64):

   libopenssl0_9_8-32bit-0.9.8j-0.106.37.1
   libopenssl0_9_8-hmac-32bit-0.9.8j-0.106.37.1

- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

   libopenssl-devel-0.9.8j-0.106.37.1
   libopenssl0_9_8-0.9.8j-0.106.37.1
   libopenssl0_9_8-hmac-0.9.8j-0.106.37.1
   openssl-0.9.8j-0.106.37.1
   openssl-doc-0.9.8j-0.106.37.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):

   openssl-debuginfo-0.9.8j-0.106.37.1
   openssl-debugsource-0.9.8j-0.106.37.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

   openssl-debuginfo-0.9.8j-0.106.37.1
   openssl-debugsource-0.9.8j-0.106.37.1

References:

https://www.suse.com/security/cve/CVE-2021-23840.html
https://www.suse.com/security/cve/CVE-2021-23841.html
https://bugzilla.suse.com/1182331
https://bugzilla.suse.com/1182333

From sle-security-updates at lists.suse.com Fri Mar 19 21:10:52 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 22:10:52 +0100 (CET)
Subject: SUSE-SU-2021:14678-1: moderate: Security Beta update for SUSE Manager Client Tools
Message-ID: <20210319211052.4A24BFD17@maintenance.suse.de>

SUSE Security Update: Security Beta update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14678-1
Rating:             moderate
References:         #1099976 #1172110 #1174855 #1177474 #1179696 #1181347 #1181550 #1181556 #1181557 #1181558 #1181559 #1181560 #1181561 #1181562 #1181563 #1181564 #1181565 #1182382 #1182740
Cross-References:   CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-25281 CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 CVE-2021-25315 CVE-2021-3144 CVE-2021-3148 CVE-2021-3197
CVSS scores:
                    CVE-2020-28243 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28243 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28972 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-28972 (SUSE): 7.3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (NVD) : 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (SUSE): 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
                    CVE-2021-25281 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25281 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25282 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
                    CVE-2021-25282 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25284 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-25284 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-25315 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25315 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3144 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3144 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3148 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3148 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Manager Ubuntu 20.04-CLIENT-TOOLS-BETA
______________________________________________________________________________

An update that solves 11 vulnerabilities and has 8 fixes is now available.

Description:

This update fixes the following issues:

salt:

- virt.network_update: handle missing ipv4 netmask attribute
- Do not monkey patch yaml loaders: Prevent breaking Ansible filter modules (bsc#1177474)
- Fix race conditions for corner cases when handling SIGTERM by minion (bsc#1172110)
- Allow extra_filerefs as sanitized kwargs for SSH client
- Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
- Fix for multiple security issues (CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144) (CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197) (bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560) (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565)
- Implementation of suse_ip execution module to prevent issues with network.managed (bsc#1099976)
- Add sleep on exception handling on minion connection attempt to the master (bsc#1174855)
- Allows for the VMware provider to handle CPU and memory hot-add in newer versions of the software. (bsc#1181347)
- Always require python-certifi (used by salt.ext.tornado)
- Bring missing part of async batch implementation back (bsc#1182382) (CVE-2021-25315)
- Master can read grains (bsc#1179696)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Ubuntu 20.04-CLIENT-TOOLS-BETA:

   zypper in -t patch suse-ubu204ct-client-tools-beta-202103-14678=1

Package List:

- SUSE Manager Ubuntu 20.04-CLIENT-TOOLS-BETA (all):

   salt-common-3002.2+ds-1+2.19.1
   salt-minion-3002.2+ds-1+2.19.1

References:

https://www.suse.com/security/cve/CVE-2020-28243.html
https://www.suse.com/security/cve/CVE-2020-28972.html
https://www.suse.com/security/cve/CVE-2020-35662.html
https://www.suse.com/security/cve/CVE-2021-25281.html
https://www.suse.com/security/cve/CVE-2021-25282.html
https://www.suse.com/security/cve/CVE-2021-25283.html
https://www.suse.com/security/cve/CVE-2021-25284.html
https://www.suse.com/security/cve/CVE-2021-25315.html
https://www.suse.com/security/cve/CVE-2021-3144.html
https://www.suse.com/security/cve/CVE-2021-3148.html
https://www.suse.com/security/cve/CVE-2021-3197.html
https://bugzilla.suse.com/1099976
https://bugzilla.suse.com/1172110
https://bugzilla.suse.com/1174855
https://bugzilla.suse.com/1177474
https://bugzilla.suse.com/1179696
https://bugzilla.suse.com/1181347
https://bugzilla.suse.com/1181550
https://bugzilla.suse.com/1181556
https://bugzilla.suse.com/1181557
https://bugzilla.suse.com/1181558
https://bugzilla.suse.com/1181559
https://bugzilla.suse.com/1181560
https://bugzilla.suse.com/1181561
https://bugzilla.suse.com/1181562
https://bugzilla.suse.com/1181563
https://bugzilla.suse.com/1181564
https://bugzilla.suse.com/1181565
https://bugzilla.suse.com/1182382
https://bugzilla.suse.com/1182740

From sle-security-updates at lists.suse.com Fri Mar 19 21:14:10 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 22:14:10 +0100 (CET)
Subject: SUSE-SU-2021:0915-1: moderate: Security Beta update for Salt
Message-ID: <20210319211410.1C403FD17@maintenance.suse.de>

SUSE Security Update: Security Beta update for Salt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0915-1
Rating:             moderate
References:         #1099976 #1172110 #1174855 #1179696 #1180101 #1180818 #1181290 #1181347 #1181550 #1181556 #1181557 #1181558 #1181559 #1181560 #1181561 #1181562 #1181563 #1181564 #1181565 #1182740
Cross-References:   CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-25281 CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 CVE-2021-3144 CVE-2021-3148 CVE-2021-3197
CVSS scores:
                    CVE-2020-28243 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28243 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-28972 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-28972 (SUSE): 7.3 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (NVD) : 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2020-35662 (SUSE): 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
                    CVE-2021-25281 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25281 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25282 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
                    CVE-2021-25282 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25283 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25284 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-25284 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-3144 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3144 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-3148 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3148 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3197 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Manager Tools 12-BETA
______________________________________________________________________________

An update that solves 10 vulnerabilities and has 10 fixes is now available.

Description:

This update fixes the following issues:

salt:

- Only require python-certifi for CentOS7
- Fix race conditions for corner cases when handling SIGTERM by minion (bsc#1172110)
- Implementation of suse_ip execution module to prevent issues with network.managed (bsc#1099976)
- Fix recursion false detection in payload (bsc#1180101)
- Add sleep on exception handling on minion connection attempt to the master (bsc#1174855)
- Allows for the VMware provider to handle CPU and memory hot-add in newer versions of the software. (bsc#1181347)
- Always require python-certifi (used by salt.ext.tornado)
- Exclude SLE 12 from requiring python-certifi
- Do not crash on unexpected cmd output when listing patches (bsc#1181290)
- Fix behavior for "onlyif/unless" when multiple conditions (bsc#1180818)
- Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
- Allow extra_filerefs as sanitized kwargs for SSH client
- Fix errors with virt.update
- Fix for multiple security issues (CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144) (CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197) (bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560) (bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565)
- Virt: search for grub.xen path
- Xen spicevmc, DNS SRV records backports:
  - Fix virtual network generated DNS XML for SRV records
  - Don't add spicevmc channel to xen VMs
- Virt UEFI fix: virt.update when efi=True
- Master can read grains (bsc#1179696)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Tools 12-BETA:

   zypper in -t patch SUSE-SLE-Manager-Tools-12-2021-915=1

Package List:

- SUSE Manager Tools 12-BETA (aarch64 ppc64le s390x x86_64):

   python2-salt-3000-49.29.1
   python3-salt-3000-49.29.1
   salt-3000-49.29.1
   salt-doc-3000-49.29.1
   salt-minion-3000-49.29.1

References:

https://www.suse.com/security/cve/CVE-2020-28243.html
https://www.suse.com/security/cve/CVE-2020-28972.html
https://www.suse.com/security/cve/CVE-2020-35662.html
https://www.suse.com/security/cve/CVE-2021-25281.html
https://www.suse.com/security/cve/CVE-2021-25282.html
https://www.suse.com/security/cve/CVE-2021-25283.html
https://www.suse.com/security/cve/CVE-2021-25284.html
https://www.suse.com/security/cve/CVE-2021-3144.html
https://www.suse.com/security/cve/CVE-2021-3148.html
https://www.suse.com/security/cve/CVE-2021-3197.html
https://bugzilla.suse.com/1099976
https://bugzilla.suse.com/1172110
https://bugzilla.suse.com/1174855
https://bugzilla.suse.com/1179696
https://bugzilla.suse.com/1180101
https://bugzilla.suse.com/1180818
https://bugzilla.suse.com/1181290
https://bugzilla.suse.com/1181347
https://bugzilla.suse.com/1181550
https://bugzilla.suse.com/1181556
https://bugzilla.suse.com/1181557
https://bugzilla.suse.com/1181558
https://bugzilla.suse.com/1181559
https://bugzilla.suse.com/1181560
https://bugzilla.suse.com/1181561
https://bugzilla.suse.com/1181562
https://bugzilla.suse.com/1181563
https://bugzilla.suse.com/1181564
https://bugzilla.suse.com/1181565
https://bugzilla.suse.com/1182740

From sle-security-updates at lists.suse.com Fri Mar 19 21:17:32 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 22:17:32 +0100 (CET)
Subject: SUSE-SU-2021:0887-1: moderate: Security update for python36
Message-ID: <20210319211732.75F50FD17@maintenance.suse.de>

SUSE Security Update: Security update for python36
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0887-1
Rating:             moderate
References:         #1179756 #1182379
Cross-References:   CVE-2021-23336
CVSS scores:
                    CVE-2021-23336 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
                    CVE-2021-23336 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for python36 fixes the following issues:

- python36 was updated to 3.6.13
- CVE-2021-23336: Fixed a potential web cache poisoning caused by the use of a semicolon as a query string separator (bsc#1182379).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:

   zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-887=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

   libpython3_6m1_0-3.6.13-4.36.1
   libpython3_6m1_0-debuginfo-3.6.13-4.36.1
   python36-3.6.13-4.36.1
   python36-base-3.6.13-4.36.1
   python36-base-debuginfo-3.6.13-4.36.1
   python36-debuginfo-3.6.13-4.36.1
   python36-debugsource-3.6.13-4.36.1

References:

https://www.suse.com/security/cve/CVE-2021-23336.html
https://bugzilla.suse.com/1179756
https://bugzilla.suse.com/1182379

From sle-security-updates at lists.suse.com Fri Mar 19 21:20:47 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 19 Mar 2021 22:20:47 +0100 (CET)
Subject: SUSE-SU-2021:0890-1: important: Security update for glib2
Message-ID: <20210319212047.49BB7FD17@maintenance.suse.de>

SUSE Security Update: Security update for glib2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0890-1
Rating:             important
References:         #1182328 #1182362
Cross-References:   CVE-2021-27218 CVE-2021-27219
CVSS scores:
                    CVE-2021-27218 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-27218 (SUSE): 5 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
                    CVE-2021-27219 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-27219 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H

Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take() takes a gsize as its length but stores it in a guint; the patch refuses lengths that do not fit into a guint. (bsc#1182328)
- CVE-2021-27219: g_memdup() takes a guint as its length parameter, which can lead to an integer overflow; a g_memdup2() function that takes a gsize is added to replace it. (bsc#1182362)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:

   zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-890=1

- SUSE Manager Retail Branch Server 4.0:

   zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-890=1

- SUSE Manager Proxy 4.0:

   zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-890=1

- SUSE Linux Enterprise Server for SAP 15-SP1:

   zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-890=1

- SUSE Linux Enterprise Server for SAP 15:

   zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-890=1

- SUSE Linux Enterprise Server 15-SP1-LTSS:

   zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-890=1

- SUSE Linux Enterprise Server 15-SP1-BCL:

   zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-890=1

- SUSE Linux Enterprise Server 15-LTSS:

   zypper in -t patch SUSE-SLE-Product-SLES-15-2021-890=1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

   zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-890=1

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

   zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-890=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

   zypper in -t patch SUSE-SLE-Product-HPC-15-2021-890=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:

   zypper in -t patch SUSE-SLE-Product-HPC-15-2021-890=1

- SUSE Enterprise Storage 6:

   zypper in -t patch SUSE-Storage-6-2021-890=1

- SUSE CaaS Platform 4.0:

   To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

- SUSE Manager Server 4.0 (ppc64le s390x x86_64):

   glib2-debugsource-2.54.3-4.24.1
   glib2-devel-2.54.3-4.24.1
   glib2-devel-debuginfo-2.54.3-4.24.1
   glib2-tools-2.54.3-4.24.1
   glib2-tools-debuginfo-2.54.3-4.24.1
   libgio-2_0-0-2.54.3-4.24.1
   libgio-2_0-0-debuginfo-2.54.3-4.24.1
   libglib-2_0-0-2.54.3-4.24.1
   libglib-2_0-0-debuginfo-2.54.3-4.24.1
   libgmodule-2_0-0-2.54.3-4.24.1
   libgmodule-2_0-0-debuginfo-2.54.3-4.24.1
   libgobject-2_0-0-2.54.3-4.24.1
   libgobject-2_0-0-debuginfo-2.54.3-4.24.1
   libgthread-2_0-0-2.54.3-4.24.1
   libgthread-2_0-0-debuginfo-2.54.3-4.24.1

- SUSE Manager Server 4.0 (noarch):

   glib2-lang-2.54.3-4.24.1

- SUSE Manager Server 4.0 (x86_64):

   libgio-2_0-0-32bit-2.54.3-4.24.1
   libgio-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libglib-2_0-0-32bit-2.54.3-4.24.1
   libglib-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgmodule-2_0-0-32bit-2.54.3-4.24.1
   libgmodule-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgobject-2_0-0-32bit-2.54.3-4.24.1
   libgobject-2_0-0-32bit-debuginfo-2.54.3-4.24.1

- SUSE Manager Retail Branch Server 4.0 (noarch):

   glib2-lang-2.54.3-4.24.1

- SUSE Manager Retail Branch Server 4.0 (x86_64):

   glib2-debugsource-2.54.3-4.24.1
   glib2-devel-2.54.3-4.24.1
   glib2-devel-debuginfo-2.54.3-4.24.1
   glib2-tools-2.54.3-4.24.1
   glib2-tools-debuginfo-2.54.3-4.24.1
   libgio-2_0-0-2.54.3-4.24.1
   libgio-2_0-0-32bit-2.54.3-4.24.1
   libgio-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgio-2_0-0-debuginfo-2.54.3-4.24.1
   libglib-2_0-0-2.54.3-4.24.1
   libglib-2_0-0-32bit-2.54.3-4.24.1
   libglib-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libglib-2_0-0-debuginfo-2.54.3-4.24.1
   libgmodule-2_0-0-2.54.3-4.24.1
   libgmodule-2_0-0-32bit-2.54.3-4.24.1
   libgmodule-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgmodule-2_0-0-debuginfo-2.54.3-4.24.1
   libgobject-2_0-0-2.54.3-4.24.1
   libgobject-2_0-0-32bit-2.54.3-4.24.1
   libgobject-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgobject-2_0-0-debuginfo-2.54.3-4.24.1
   libgthread-2_0-0-2.54.3-4.24.1
   libgthread-2_0-0-debuginfo-2.54.3-4.24.1

- SUSE Manager Proxy 4.0 (noarch):

   glib2-lang-2.54.3-4.24.1

- SUSE Manager Proxy 4.0 (x86_64):

   glib2-debugsource-2.54.3-4.24.1
   glib2-devel-2.54.3-4.24.1
   glib2-devel-debuginfo-2.54.3-4.24.1
   glib2-tools-2.54.3-4.24.1
   glib2-tools-debuginfo-2.54.3-4.24.1
   libgio-2_0-0-2.54.3-4.24.1
   libgio-2_0-0-32bit-2.54.3-4.24.1
   libgio-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgio-2_0-0-debuginfo-2.54.3-4.24.1
   libglib-2_0-0-2.54.3-4.24.1
   libglib-2_0-0-32bit-2.54.3-4.24.1
   libglib-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libglib-2_0-0-debuginfo-2.54.3-4.24.1
   libgmodule-2_0-0-2.54.3-4.24.1
   libgmodule-2_0-0-32bit-2.54.3-4.24.1
   libgmodule-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgmodule-2_0-0-debuginfo-2.54.3-4.24.1
   libgobject-2_0-0-2.54.3-4.24.1
   libgobject-2_0-0-32bit-2.54.3-4.24.1
   libgobject-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgobject-2_0-0-debuginfo-2.54.3-4.24.1
   libgthread-2_0-0-2.54.3-4.24.1
   libgthread-2_0-0-debuginfo-2.54.3-4.24.1

- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

   glib2-debugsource-2.54.3-4.24.1
   glib2-devel-2.54.3-4.24.1
   glib2-devel-debuginfo-2.54.3-4.24.1
   glib2-tools-2.54.3-4.24.1
   glib2-tools-debuginfo-2.54.3-4.24.1
   libgio-2_0-0-2.54.3-4.24.1
   libgio-2_0-0-debuginfo-2.54.3-4.24.1
   libglib-2_0-0-2.54.3-4.24.1
   libglib-2_0-0-debuginfo-2.54.3-4.24.1
   libgmodule-2_0-0-2.54.3-4.24.1
   libgmodule-2_0-0-debuginfo-2.54.3-4.24.1
   libgobject-2_0-0-2.54.3-4.24.1
   libgobject-2_0-0-debuginfo-2.54.3-4.24.1
   libgthread-2_0-0-2.54.3-4.24.1
   libgthread-2_0-0-debuginfo-2.54.3-4.24.1

- SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):

   glib2-lang-2.54.3-4.24.1

- SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):

   libgio-2_0-0-32bit-2.54.3-4.24.1
   libgio-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libglib-2_0-0-32bit-2.54.3-4.24.1
   libglib-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgmodule-2_0-0-32bit-2.54.3-4.24.1
   libgmodule-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgobject-2_0-0-32bit-2.54.3-4.24.1
   libgobject-2_0-0-32bit-debuginfo-2.54.3-4.24.1

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

   glib2-debugsource-2.54.3-4.24.1
   glib2-devel-2.54.3-4.24.1
   glib2-devel-debuginfo-2.54.3-4.24.1
   glib2-tools-2.54.3-4.24.1
   glib2-tools-debuginfo-2.54.3-4.24.1
   libgio-2_0-0-2.54.3-4.24.1
   libgio-2_0-0-debuginfo-2.54.3-4.24.1
   libglib-2_0-0-2.54.3-4.24.1
   libglib-2_0-0-debuginfo-2.54.3-4.24.1
   libgmodule-2_0-0-2.54.3-4.24.1
   libgmodule-2_0-0-debuginfo-2.54.3-4.24.1
   libgobject-2_0-0-2.54.3-4.24.1
   libgobject-2_0-0-debuginfo-2.54.3-4.24.1
   libgthread-2_0-0-2.54.3-4.24.1
   libgthread-2_0-0-debuginfo-2.54.3-4.24.1

- SUSE Linux Enterprise Server for SAP 15 (x86_64):

   libgio-2_0-0-32bit-2.54.3-4.24.1
   libgio-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libglib-2_0-0-32bit-2.54.3-4.24.1
   libglib-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgmodule-2_0-0-32bit-2.54.3-4.24.1
   libgmodule-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgobject-2_0-0-32bit-2.54.3-4.24.1
   libgobject-2_0-0-32bit-debuginfo-2.54.3-4.24.1

- SUSE Linux Enterprise Server for SAP 15 (noarch):

   glib2-lang-2.54.3-4.24.1

- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

   glib2-debugsource-2.54.3-4.24.1
   glib2-devel-2.54.3-4.24.1
   glib2-devel-debuginfo-2.54.3-4.24.1
   glib2-tools-2.54.3-4.24.1
   glib2-tools-debuginfo-2.54.3-4.24.1
   libgio-2_0-0-2.54.3-4.24.1
   libgio-2_0-0-debuginfo-2.54.3-4.24.1
   libglib-2_0-0-2.54.3-4.24.1
   libglib-2_0-0-debuginfo-2.54.3-4.24.1
   libgmodule-2_0-0-2.54.3-4.24.1
   libgmodule-2_0-0-debuginfo-2.54.3-4.24.1
   libgobject-2_0-0-2.54.3-4.24.1
   libgobject-2_0-0-debuginfo-2.54.3-4.24.1
   libgthread-2_0-0-2.54.3-4.24.1
   libgthread-2_0-0-debuginfo-2.54.3-4.24.1

- SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):

   libgio-2_0-0-32bit-2.54.3-4.24.1
   libgio-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libglib-2_0-0-32bit-2.54.3-4.24.1
   libglib-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgmodule-2_0-0-32bit-2.54.3-4.24.1
   libgmodule-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgobject-2_0-0-32bit-2.54.3-4.24.1
   libgobject-2_0-0-32bit-debuginfo-2.54.3-4.24.1

- SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):

   glib2-lang-2.54.3-4.24.1

- SUSE Linux Enterprise Server 15-SP1-BCL (noarch):

   glib2-lang-2.54.3-4.24.1

- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

   glib2-debugsource-2.54.3-4.24.1
   glib2-devel-2.54.3-4.24.1
   glib2-devel-debuginfo-2.54.3-4.24.1
   glib2-tools-2.54.3-4.24.1
   glib2-tools-debuginfo-2.54.3-4.24.1
   libgio-2_0-0-2.54.3-4.24.1
   libgio-2_0-0-32bit-2.54.3-4.24.1
   libgio-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgio-2_0-0-debuginfo-2.54.3-4.24.1
   libglib-2_0-0-2.54.3-4.24.1
   libglib-2_0-0-32bit-2.54.3-4.24.1
   libglib-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libglib-2_0-0-debuginfo-2.54.3-4.24.1
   libgmodule-2_0-0-2.54.3-4.24.1
   libgmodule-2_0-0-32bit-2.54.3-4.24.1
   libgmodule-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgmodule-2_0-0-debuginfo-2.54.3-4.24.1
   libgobject-2_0-0-2.54.3-4.24.1
   libgobject-2_0-0-32bit-2.54.3-4.24.1
   libgobject-2_0-0-32bit-debuginfo-2.54.3-4.24.1
   libgobject-2_0-0-debuginfo-2.54.3-4.24.1
   libgthread-2_0-0-2.54.3-4.24.1
   libgthread-2_0-0-debuginfo-2.54.3-4.24.1

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

   glib2-debugsource-2.54.3-4.24.1
   glib2-devel-2.54.3-4.24.1
   glib2-devel-debuginfo-2.54.3-4.24.1
   glib2-tools-2.54.3-4.24.1
   glib2-tools-debuginfo-2.54.3-4.24.1
   libgio-2_0-0-2.54.3-4.24.1
   libgio-2_0-0-debuginfo-2.54.3-4.24.1
   libglib-2_0-0-2.54.3-4.24.1
   libglib-2_0-0-debuginfo-2.54.3-4.24.1
   libgmodule-2_0-0-2.54.3-4.24.1
   libgmodule-2_0-0-debuginfo-2.54.3-4.24.1
   libgobject-2_0-0-2.54.3-4.24.1
   libgobject-2_0-0-debuginfo-2.54.3-4.24.1
   libgthread-2_0-0-2.54.3-4.24.1
   libgthread-2_0-0-debuginfo-2.54.3-4.24.1

- SUSE Linux Enterprise Server 15-LTSS (noarch):

   glib2-lang-2.54.3-4.24.1

- SUSE Linux
Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): glib2-debugsource-2.54.3-4.24.1 glib2-devel-2.54.3-4.24.1 glib2-devel-debuginfo-2.54.3-4.24.1 glib2-tools-2.54.3-4.24.1 glib2-tools-debuginfo-2.54.3-4.24.1 libgio-2_0-0-2.54.3-4.24.1 libgio-2_0-0-debuginfo-2.54.3-4.24.1 libglib-2_0-0-2.54.3-4.24.1 libglib-2_0-0-debuginfo-2.54.3-4.24.1 libgmodule-2_0-0-2.54.3-4.24.1 libgmodule-2_0-0-debuginfo-2.54.3-4.24.1 libgobject-2_0-0-2.54.3-4.24.1 libgobject-2_0-0-debuginfo-2.54.3-4.24.1 libgthread-2_0-0-2.54.3-4.24.1 libgthread-2_0-0-debuginfo-2.54.3-4.24.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): glib2-lang-2.54.3-4.24.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64): libgio-2_0-0-32bit-2.54.3-4.24.1 libgio-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libglib-2_0-0-32bit-2.54.3-4.24.1 libglib-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libgmodule-2_0-0-32bit-2.54.3-4.24.1 libgmodule-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libgobject-2_0-0-32bit-2.54.3-4.24.1 libgobject-2_0-0-32bit-debuginfo-2.54.3-4.24.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): glib2-debugsource-2.54.3-4.24.1 glib2-devel-2.54.3-4.24.1 glib2-devel-debuginfo-2.54.3-4.24.1 glib2-tools-2.54.3-4.24.1 glib2-tools-debuginfo-2.54.3-4.24.1 libgio-2_0-0-2.54.3-4.24.1 libgio-2_0-0-debuginfo-2.54.3-4.24.1 libglib-2_0-0-2.54.3-4.24.1 libglib-2_0-0-debuginfo-2.54.3-4.24.1 libgmodule-2_0-0-2.54.3-4.24.1 libgmodule-2_0-0-debuginfo-2.54.3-4.24.1 libgobject-2_0-0-2.54.3-4.24.1 libgobject-2_0-0-debuginfo-2.54.3-4.24.1 libgthread-2_0-0-2.54.3-4.24.1 libgthread-2_0-0-debuginfo-2.54.3-4.24.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): glib2-lang-2.54.3-4.24.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64): libgio-2_0-0-32bit-2.54.3-4.24.1 libgio-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libglib-2_0-0-32bit-2.54.3-4.24.1 libglib-2_0-0-32bit-debuginfo-2.54.3-4.24.1 
libgmodule-2_0-0-32bit-2.54.3-4.24.1 libgmodule-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libgobject-2_0-0-32bit-2.54.3-4.24.1 libgobject-2_0-0-32bit-debuginfo-2.54.3-4.24.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): glib2-debugsource-2.54.3-4.24.1 glib2-devel-2.54.3-4.24.1 glib2-devel-debuginfo-2.54.3-4.24.1 glib2-tools-2.54.3-4.24.1 glib2-tools-debuginfo-2.54.3-4.24.1 libgio-2_0-0-2.54.3-4.24.1 libgio-2_0-0-debuginfo-2.54.3-4.24.1 libglib-2_0-0-2.54.3-4.24.1 libglib-2_0-0-debuginfo-2.54.3-4.24.1 libgmodule-2_0-0-2.54.3-4.24.1 libgmodule-2_0-0-debuginfo-2.54.3-4.24.1 libgobject-2_0-0-2.54.3-4.24.1 libgobject-2_0-0-debuginfo-2.54.3-4.24.1 libgthread-2_0-0-2.54.3-4.24.1 libgthread-2_0-0-debuginfo-2.54.3-4.24.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): glib2-lang-2.54.3-4.24.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libgio-2_0-0-32bit-2.54.3-4.24.1 libgio-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libglib-2_0-0-32bit-2.54.3-4.24.1 libglib-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libgmodule-2_0-0-32bit-2.54.3-4.24.1 libgmodule-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libgobject-2_0-0-32bit-2.54.3-4.24.1 libgobject-2_0-0-32bit-debuginfo-2.54.3-4.24.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): glib2-debugsource-2.54.3-4.24.1 glib2-devel-2.54.3-4.24.1 glib2-devel-debuginfo-2.54.3-4.24.1 glib2-tools-2.54.3-4.24.1 glib2-tools-debuginfo-2.54.3-4.24.1 libgio-2_0-0-2.54.3-4.24.1 libgio-2_0-0-debuginfo-2.54.3-4.24.1 libglib-2_0-0-2.54.3-4.24.1 libglib-2_0-0-debuginfo-2.54.3-4.24.1 libgmodule-2_0-0-2.54.3-4.24.1 libgmodule-2_0-0-debuginfo-2.54.3-4.24.1 libgobject-2_0-0-2.54.3-4.24.1 libgobject-2_0-0-debuginfo-2.54.3-4.24.1 libgthread-2_0-0-2.54.3-4.24.1 libgthread-2_0-0-debuginfo-2.54.3-4.24.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): glib2-lang-2.54.3-4.24.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): 
libgio-2_0-0-32bit-2.54.3-4.24.1 libgio-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libglib-2_0-0-32bit-2.54.3-4.24.1 libglib-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libgmodule-2_0-0-32bit-2.54.3-4.24.1 libgmodule-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libgobject-2_0-0-32bit-2.54.3-4.24.1 libgobject-2_0-0-32bit-debuginfo-2.54.3-4.24.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): glib2-debugsource-2.54.3-4.24.1 glib2-devel-2.54.3-4.24.1 glib2-devel-debuginfo-2.54.3-4.24.1 glib2-tools-2.54.3-4.24.1 glib2-tools-debuginfo-2.54.3-4.24.1 libgio-2_0-0-2.54.3-4.24.1 libgio-2_0-0-debuginfo-2.54.3-4.24.1 libglib-2_0-0-2.54.3-4.24.1 libglib-2_0-0-debuginfo-2.54.3-4.24.1 libgmodule-2_0-0-2.54.3-4.24.1 libgmodule-2_0-0-debuginfo-2.54.3-4.24.1 libgobject-2_0-0-2.54.3-4.24.1 libgobject-2_0-0-debuginfo-2.54.3-4.24.1 libgthread-2_0-0-2.54.3-4.24.1 libgthread-2_0-0-debuginfo-2.54.3-4.24.1 - SUSE Enterprise Storage 6 (x86_64): libgio-2_0-0-32bit-2.54.3-4.24.1 libgio-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libglib-2_0-0-32bit-2.54.3-4.24.1 libglib-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libgmodule-2_0-0-32bit-2.54.3-4.24.1 libgmodule-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libgobject-2_0-0-32bit-2.54.3-4.24.1 libgobject-2_0-0-32bit-debuginfo-2.54.3-4.24.1 - SUSE Enterprise Storage 6 (noarch): glib2-lang-2.54.3-4.24.1 - SUSE CaaS Platform 4.0 (x86_64): glib2-debugsource-2.54.3-4.24.1 glib2-devel-2.54.3-4.24.1 glib2-devel-debuginfo-2.54.3-4.24.1 glib2-tools-2.54.3-4.24.1 glib2-tools-debuginfo-2.54.3-4.24.1 libgio-2_0-0-2.54.3-4.24.1 libgio-2_0-0-32bit-2.54.3-4.24.1 libgio-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libgio-2_0-0-debuginfo-2.54.3-4.24.1 libglib-2_0-0-2.54.3-4.24.1 libglib-2_0-0-32bit-2.54.3-4.24.1 libglib-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libglib-2_0-0-debuginfo-2.54.3-4.24.1 libgmodule-2_0-0-2.54.3-4.24.1 libgmodule-2_0-0-32bit-2.54.3-4.24.1 libgmodule-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libgmodule-2_0-0-debuginfo-2.54.3-4.24.1 libgobject-2_0-0-2.54.3-4.24.1 libgobject-2_0-0-32bit-2.54.3-4.24.1 
libgobject-2_0-0-32bit-debuginfo-2.54.3-4.24.1 libgobject-2_0-0-debuginfo-2.54.3-4.24.1 libgthread-2_0-0-2.54.3-4.24.1 libgthread-2_0-0-debuginfo-2.54.3-4.24.1 - SUSE CaaS Platform 4.0 (noarch): glib2-lang-2.54.3-4.24.1 References: https://www.suse.com/security/cve/CVE-2021-27218.html https://www.suse.com/security/cve/CVE-2021-27219.html https://bugzilla.suse.com/1182328 https://bugzilla.suse.com/1182362 From sle-security-updates at lists.suse.com Tue Mar 23 07:04:39 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 23 Mar 2021 08:04:39 +0100 (CET) Subject: SUSE-CU-2021:80-1: Security update of ses/7/cephcsi/csi-attacher Message-ID: <20210323070439.DEA89FFA5@maintenance.suse.de> SUSE Container Update Advisory: ses/7/cephcsi/csi-attacher ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:80-1 Container Tags : ses/7/cephcsi/csi-attacher:v3.0.0 , ses/7/cephcsi/csi-attacher:v3.0.0-rev1 , ses/7/cephcsi/csi-attacher:v3.0.0-rev1-build3.221 Container Release : 3.221 Severity : important Type : security References : 1176201 1179847 1181328 1181622 1182328 1182362 1182629 CVE-2021-27218 CVE-2021-27219 ----------------------------------------------------------------- The container ses/7/cephcsi/csi-attacher was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:778-1 Released: Fri Mar 12 17:42:25 2021 Summary: Security update for glib2 Type: security Severity: important References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219 This update for glib2 fixes the following issues: - CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. 
(bsc#1182328) - CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:786-1 Released: Mon Mar 15 11:19:23 2021 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1176201 This update for zlib fixes the following issues: - Fixed hw compression on z15 (bsc#1176201) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:874-1 Released: Thu Mar 18 09:41:54 2021 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1179847,1181328,1181622,1182629 This update for libsolv, libzypp, zypper fixes the following issues: - support multiple collections in updateinfo parser - Fixed an issue when some 'systemd' tools require '/proc' to be mounted and fail if it's not there. (bsc#1181328) - Enable release packages to request a releaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629) - Patch: Identify well-known category names to allow to use the RH and SUSE patch category names synonymously. (bsc#1179847) - Fix '%posttrans' script execution. (fixes #265) - Repo: Allow multiple baseurls specified on one line (fixes #285) - Regex: Fix memory leak and undefined behavior. - Add rpm buildrequires for test suite (fixes #279) - Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use. - doc: give more details about creating versioned package locks. 
  (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)

From sle-security-updates at lists.suse.com  Tue Mar 23 07:05:54 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 23 Mar 2021 08:05:54 +0100 (CET)
Subject: SUSE-CU-2021:81-1: Security update of ses/7/cephcsi/csi-provisioner
Message-ID: <20210323070554.47C5CFFA5@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/cephcsi/csi-provisioner
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:81-1
Container Tags        : ses/7/cephcsi/csi-provisioner:v2.0.0 , ses/7/cephcsi/csi-provisioner:v2.0.0-rev1 , ses/7/cephcsi/csi-provisioner:v2.0.0-rev1-build3.206
Container Release     : 3.206
Severity              : important
Type                  : security
References            : 1176201 1179847 1181328 1181622 1182328 1182362 1182629 CVE-2021-27218 CVE-2021-27219
-----------------------------------------------------------------

The container ses/7/cephcsi/csi-provisioner was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:778-1
Released:    Fri Mar 12 17:42:25 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219

This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores it in a guint; the patch refuses lengths that do not fit in a guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter, which can lead to an integer overflow, so a g_memdup2 function that uses gsize is added to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released:    Mon Mar 15 11:19:23 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201

This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:874-1
Released:    Thu Mar 18 09:41:54 2021
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1179847,1181328,1181622,1182629

This update for libsolv, libzypp, zypper fixes the following issues:

- support multiple collections in updateinfo parser
- Fixed an issue where some 'systemd' tools require '/proc' to be mounted and fail if it is not. (bsc#1181328)
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names to allow the RH and SUSE patch category names to be used synonymously. (bsc#1179847)
- Fix '%posttrans' script execution. (fixes #265)
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use the new rpmdb2solv -D switch to specify the location of the rpm database to use.
- doc: give more details about creating versioned package locks. (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)

From sle-security-updates at lists.suse.com  Tue Mar 23 07:07:05 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 23 Mar 2021 08:07:05 +0100 (CET)
Subject: SUSE-CU-2021:82-1: Security update of ses/7/cephcsi/csi-resizer
Message-ID: <20210323070705.781EFFFA5@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/cephcsi/csi-resizer
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:82-1
Container Tags        : ses/7/cephcsi/csi-resizer:v1.0.0 , ses/7/cephcsi/csi-resizer:v1.0.0-rev1 , ses/7/cephcsi/csi-resizer:v1.0.0-rev1-build3.204
Container Release     : 3.204
Severity              : important
Type                  : security
References            : 1176201 1179847 1181328 1181622 1182328 1182362 1182629 CVE-2021-27218 CVE-2021-27219
-----------------------------------------------------------------

The container ses/7/cephcsi/csi-resizer was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:778-1
Released:    Fri Mar 12 17:42:25 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219

This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores it in a guint; the patch refuses lengths that do not fit in a guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter, which can lead to an integer overflow, so a g_memdup2 function that uses gsize is added to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released:    Mon Mar 15 11:19:23 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201

This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:874-1
Released:    Thu Mar 18 09:41:54 2021
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1179847,1181328,1181622,1182629

This update for libsolv, libzypp, zypper fixes the following issues:

- support multiple collections in updateinfo parser
- Fixed an issue where some 'systemd' tools require '/proc' to be mounted and fail if it is not. (bsc#1181328)
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names to allow the RH and SUSE patch category names to be used synonymously. (bsc#1179847)
- Fix '%posttrans' script execution. (fixes #265)
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use the new rpmdb2solv -D switch to specify the location of the rpm database to use.
- doc: give more details about creating versioned package locks. (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)

From sle-security-updates at lists.suse.com  Tue Mar 23 07:08:15 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 23 Mar 2021 08:08:15 +0100 (CET)
Subject: SUSE-CU-2021:83-1: Security update of ses/7/cephcsi/csi-snapshotter
Message-ID: <20210323070815.72462FFA5@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/cephcsi/csi-snapshotter
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:83-1
Container Tags        : ses/7/cephcsi/csi-snapshotter:v3.0.0 , ses/7/cephcsi/csi-snapshotter:v3.0.0-rev1 , ses/7/cephcsi/csi-snapshotter:v3.0.0-rev1-build3.203
Container Release     : 3.203
Severity              : important
Type                  : security
References            : 1176201 1179847 1181328 1181622 1182328 1182362 1182629 CVE-2021-27218 CVE-2021-27219
-----------------------------------------------------------------

The container ses/7/cephcsi/csi-snapshotter was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:778-1
Released:    Fri Mar 12 17:42:25 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219

This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores it in a guint; the patch refuses lengths that do not fit in a guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter, which can lead to an integer overflow, so a g_memdup2 function that uses gsize is added to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released:    Mon Mar 15 11:19:23 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201

This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:874-1
Released:    Thu Mar 18 09:41:54 2021
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1179847,1181328,1181622,1182629

This update for libsolv, libzypp, zypper fixes the following issues:

- support multiple collections in updateinfo parser
- Fixed an issue where some 'systemd' tools require '/proc' to be mounted and fail if it is not. (bsc#1181328)
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names to allow the RH and SUSE patch category names to be used synonymously. (bsc#1179847)
- Fix '%posttrans' script execution. (fixes #265)
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use the new rpmdb2solv -D switch to specify the location of the rpm database to use.
- doc: give more details about creating versioned package locks. (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)

From sle-security-updates at lists.suse.com  Wed Mar 24 14:18:04 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 15:18:04 +0100 (CET)
Subject: SUSE-SU-2021:0929-1: important: Security update for wavpack
Message-ID: <20210324141804.C2F1BFD17@maintenance.suse.de>

   SUSE Security Update: Security update for wavpack
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0929-1
Rating:             important
References:         #1180414
Cross-References:   CVE-2020-35738
CVSS scores:
                    CVE-2020-35738 (NVD) : 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
                    CVE-2020-35738 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for wavpack fixes the following issues:

   - CVE-2020-35738: Fixed an out-of-bounds write in WavpackPackSamples
     (bsc#1180414).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-929=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-929=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-929=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-929=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2021-929=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-929=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-929=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-929=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-929=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-929=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-929=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-929=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-929=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-929=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-929=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-929=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): libwavpack1-4.60.99-5.9.1 libwavpack1-debuginfo-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): libwavpack1-4.60.99-5.9.1 libwavpack1-debuginfo-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 - SUSE OpenStack Cloud 9 (x86_64): libwavpack1-4.60.99-5.9.1 
libwavpack1-debuginfo-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 - SUSE OpenStack Cloud 8 (x86_64): libwavpack1-4.60.99-5.9.1 libwavpack1-debuginfo-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 - SUSE OpenStack Cloud 7 (s390x x86_64): libwavpack1-4.60.99-5.9.1 libwavpack1-debuginfo-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): wavpack-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 wavpack-devel-4.60.99-5.9.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): libwavpack1-4.60.99-5.9.1 libwavpack1-debuginfo-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libwavpack1-4.60.99-5.9.1 libwavpack1-debuginfo-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libwavpack1-4.60.99-5.9.1 libwavpack1-debuginfo-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libwavpack1-4.60.99-5.9.1 libwavpack1-debuginfo-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): libwavpack1-4.60.99-5.9.1 libwavpack1-debuginfo-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libwavpack1-4.60.99-5.9.1 libwavpack1-debuginfo-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libwavpack1-4.60.99-5.9.1 libwavpack1-debuginfo-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 - 
SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libwavpack1-4.60.99-5.9.1 libwavpack1-debuginfo-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libwavpack1-4.60.99-5.9.1 libwavpack1-debuginfo-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 - HPE Helion Openstack 8 (x86_64): libwavpack1-4.60.99-5.9.1 libwavpack1-debuginfo-4.60.99-5.9.1 wavpack-debuginfo-4.60.99-5.9.1 wavpack-debugsource-4.60.99-5.9.1 References: https://www.suse.com/security/cve/CVE-2020-35738.html https://bugzilla.suse.com/1180414 From sle-security-updates at lists.suse.com Wed Mar 24 14:19:17 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 24 Mar 2021 15:19:17 +0100 (CET) Subject: SUSE-SU-2021:0930-1: important: Security update for nghttp2 Message-ID: <20210324141917.3F8C8FD17@maintenance.suse.de> SUSE Security Update: Security update for nghttp2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0930-1 Rating: important References: #1172442 #1181358 Cross-References: CVE-2020-11080 CVSS scores: CVE-2020-11080 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-11080 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for nghttp2 fixes the following issues: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.0:
      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-930=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-930=1

Package List:

   - SUSE MicroOS 5.0 (aarch64 x86_64):
      libnghttp2-14-1.40.0-3.5.1
      libnghttp2-14-debuginfo-1.40.0-3.5.1
      nghttp2-debuginfo-1.40.0-3.5.1
      nghttp2-debugsource-1.40.0-3.5.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
      libnghttp2-14-1.40.0-3.5.1
      libnghttp2-14-debuginfo-1.40.0-3.5.1
      libnghttp2-devel-1.40.0-3.5.1
      libnghttp2_asio-devel-1.40.0-3.5.1
      libnghttp2_asio1-1.40.0-3.5.1
      libnghttp2_asio1-debuginfo-1.40.0-3.5.1
      nghttp2-debuginfo-1.40.0-3.5.1
      nghttp2-debugsource-1.40.0-3.5.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):
      libnghttp2-14-32bit-1.40.0-3.5.1
      libnghttp2-14-32bit-debuginfo-1.40.0-3.5.1

References:

   https://www.suse.com/security/cve/CVE-2020-11080.html
   https://bugzilla.suse.com/1172442
   https://bugzilla.suse.com/1181358


From sle-security-updates at lists.suse.com Wed Mar 24 14:20:34 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 15:20:34 +0100 (CET)
Subject: SUSE-SU-2021:0931-1: important: Security update for nghttp2
Message-ID: <20210324142034.8E118FD17@maintenance.suse.de>

   SUSE Security Update: Security update for nghttp2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0931-1
Rating:             important
References:         #1172442 #1181358
Cross-References:   CVE-2020-11080
CVSS scores:
                    CVE-2020-11080 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-11080 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for nghttp2 fixes the following issues:

   - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-931=1
   - SUSE Manager Retail Branch Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-931=1
   - SUSE Manager Proxy 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-931=1
   - SUSE Linux Enterprise Server for SAP 15-SP1:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-931=1
   - SUSE Linux Enterprise Server for SAP 15:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-931=1
   - SUSE Linux Enterprise Server 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-931=1
   - SUSE Linux Enterprise Server 15-SP1-BCL:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-931=1
   - SUSE Linux Enterprise Server 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-931=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-931=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-931=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-931=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-931=1
   - SUSE Enterprise Storage 6:
      zypper in -t patch SUSE-Storage-6-2021-931=1
   - SUSE CaaS Platform 4.0:
      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
      inform you if it detects new updates and let you then trigger updating of
      the complete cluster in a controlled way.

Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):
      libnghttp2-14-1.40.0-3.11.1
      libnghttp2-14-debuginfo-1.40.0-3.11.1
      libnghttp2-devel-1.40.0-3.11.1
      libnghttp2_asio-devel-1.40.0-3.11.1
      libnghttp2_asio1-1.40.0-3.11.1
      libnghttp2_asio1-debuginfo-1.40.0-3.11.1
      nghttp2-debuginfo-1.40.0-3.11.1
      nghttp2-debugsource-1.40.0-3.11.1
   - SUSE Manager Server 4.0 (x86_64):
      libnghttp2-14-32bit-1.40.0-3.11.1
      libnghttp2-14-32bit-debuginfo-1.40.0-3.11.1
   - SUSE Manager Retail Branch Server 4.0 (x86_64):
      libnghttp2-14-1.40.0-3.11.1
      libnghttp2-14-32bit-1.40.0-3.11.1
      libnghttp2-14-32bit-debuginfo-1.40.0-3.11.1
      libnghttp2-14-debuginfo-1.40.0-3.11.1
      libnghttp2-devel-1.40.0-3.11.1
      libnghttp2_asio-devel-1.40.0-3.11.1
      libnghttp2_asio1-1.40.0-3.11.1
      libnghttp2_asio1-debuginfo-1.40.0-3.11.1
      nghttp2-debuginfo-1.40.0-3.11.1
      nghttp2-debugsource-1.40.0-3.11.1
   - SUSE Manager Proxy 4.0 (x86_64):
      libnghttp2-14-1.40.0-3.11.1
      libnghttp2-14-32bit-1.40.0-3.11.1
      libnghttp2-14-32bit-debuginfo-1.40.0-3.11.1
      libnghttp2-14-debuginfo-1.40.0-3.11.1
      libnghttp2-devel-1.40.0-3.11.1
      libnghttp2_asio-devel-1.40.0-3.11.1
      libnghttp2_asio1-1.40.0-3.11.1
      libnghttp2_asio1-debuginfo-1.40.0-3.11.1
      nghttp2-debuginfo-1.40.0-3.11.1
      nghttp2-debugsource-1.40.0-3.11.1
   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
      libnghttp2-14-1.40.0-3.11.1
      libnghttp2-14-debuginfo-1.40.0-3.11.1
      libnghttp2-devel-1.40.0-3.11.1
      libnghttp2_asio-devel-1.40.0-3.11.1
      libnghttp2_asio1-1.40.0-3.11.1
      libnghttp2_asio1-debuginfo-1.40.0-3.11.1
      nghttp2-debuginfo-1.40.0-3.11.1
      nghttp2-debugsource-1.40.0-3.11.1
   - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):
      libnghttp2-14-32bit-1.40.0-3.11.1
      libnghttp2-14-32bit-debuginfo-1.40.0-3.11.1
   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
      libnghttp2-14-1.40.0-3.11.1
      libnghttp2-14-debuginfo-1.40.0-3.11.1
      libnghttp2-devel-1.40.0-3.11.1
      libnghttp2_asio-devel-1.40.0-3.11.1
      libnghttp2_asio1-1.40.0-3.11.1
      libnghttp2_asio1-debuginfo-1.40.0-3.11.1
      nghttp2-debuginfo-1.40.0-3.11.1
      nghttp2-debugsource-1.40.0-3.11.1
   - SUSE Linux Enterprise Server for SAP 15 (x86_64):
      libnghttp2-14-32bit-1.40.0-3.11.1
      libnghttp2-14-32bit-debuginfo-1.40.0-3.11.1
   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
      libnghttp2-14-1.40.0-3.11.1
      libnghttp2-14-debuginfo-1.40.0-3.11.1
      libnghttp2-devel-1.40.0-3.11.1
      libnghttp2_asio-devel-1.40.0-3.11.1
      libnghttp2_asio1-1.40.0-3.11.1
      libnghttp2_asio1-debuginfo-1.40.0-3.11.1
      nghttp2-debuginfo-1.40.0-3.11.1
      nghttp2-debugsource-1.40.0-3.11.1
   - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):
      libnghttp2-14-32bit-1.40.0-3.11.1
      libnghttp2-14-32bit-debuginfo-1.40.0-3.11.1
   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
      libnghttp2-14-1.40.0-3.11.1
      libnghttp2-14-32bit-1.40.0-3.11.1
      libnghttp2-14-32bit-debuginfo-1.40.0-3.11.1
      libnghttp2-14-debuginfo-1.40.0-3.11.1
      libnghttp2-devel-1.40.0-3.11.1
      libnghttp2_asio-devel-1.40.0-3.11.1
      libnghttp2_asio1-1.40.0-3.11.1
      libnghttp2_asio1-debuginfo-1.40.0-3.11.1
      nghttp2-debuginfo-1.40.0-3.11.1
      nghttp2-debugsource-1.40.0-3.11.1
   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
      libnghttp2-14-1.40.0-3.11.1
      libnghttp2-14-debuginfo-1.40.0-3.11.1
      libnghttp2-devel-1.40.0-3.11.1
      libnghttp2_asio-devel-1.40.0-3.11.1
      libnghttp2_asio1-1.40.0-3.11.1
      libnghttp2_asio1-debuginfo-1.40.0-3.11.1
      nghttp2-debuginfo-1.40.0-3.11.1
      nghttp2-debugsource-1.40.0-3.11.1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
      libnghttp2-14-1.40.0-3.11.1
      libnghttp2-14-debuginfo-1.40.0-3.11.1
      libnghttp2-devel-1.40.0-3.11.1
      libnghttp2_asio-devel-1.40.0-3.11.1
      libnghttp2_asio1-1.40.0-3.11.1
      libnghttp2_asio1-debuginfo-1.40.0-3.11.1
      nghttp2-debuginfo-1.40.0-3.11.1
      nghttp2-debugsource-1.40.0-3.11.1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):
      libnghttp2-14-32bit-1.40.0-3.11.1
      libnghttp2-14-32bit-debuginfo-1.40.0-3.11.1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
      libnghttp2-14-1.40.0-3.11.1
      libnghttp2-14-debuginfo-1.40.0-3.11.1
      libnghttp2-devel-1.40.0-3.11.1
      libnghttp2_asio-devel-1.40.0-3.11.1
      libnghttp2_asio1-1.40.0-3.11.1
      libnghttp2_asio1-debuginfo-1.40.0-3.11.1
      nghttp2-debuginfo-1.40.0-3.11.1
      nghttp2-debugsource-1.40.0-3.11.1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):
      libnghttp2-14-32bit-1.40.0-3.11.1
      libnghttp2-14-32bit-debuginfo-1.40.0-3.11.1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
      libnghttp2-14-1.40.0-3.11.1
      libnghttp2-14-debuginfo-1.40.0-3.11.1
      libnghttp2-devel-1.40.0-3.11.1
      libnghttp2_asio-devel-1.40.0-3.11.1
      libnghttp2_asio1-1.40.0-3.11.1
      libnghttp2_asio1-debuginfo-1.40.0-3.11.1
      nghttp2-debuginfo-1.40.0-3.11.1
      nghttp2-debugsource-1.40.0-3.11.1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):
      libnghttp2-14-32bit-1.40.0-3.11.1
      libnghttp2-14-32bit-debuginfo-1.40.0-3.11.1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
      libnghttp2-14-1.40.0-3.11.1
      libnghttp2-14-debuginfo-1.40.0-3.11.1
      libnghttp2-devel-1.40.0-3.11.1
      libnghttp2_asio-devel-1.40.0-3.11.1
      libnghttp2_asio1-1.40.0-3.11.1
      libnghttp2_asio1-debuginfo-1.40.0-3.11.1
      nghttp2-debuginfo-1.40.0-3.11.1
      nghttp2-debugsource-1.40.0-3.11.1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):
      libnghttp2-14-32bit-1.40.0-3.11.1
      libnghttp2-14-32bit-debuginfo-1.40.0-3.11.1
   - SUSE Enterprise Storage 6 (aarch64 x86_64):
      libnghttp2-14-1.40.0-3.11.1
      libnghttp2-14-debuginfo-1.40.0-3.11.1
      libnghttp2-devel-1.40.0-3.11.1
      libnghttp2_asio-devel-1.40.0-3.11.1
      libnghttp2_asio1-1.40.0-3.11.1
      libnghttp2_asio1-debuginfo-1.40.0-3.11.1
      nghttp2-debuginfo-1.40.0-3.11.1
      nghttp2-debugsource-1.40.0-3.11.1
   - SUSE Enterprise Storage 6 (x86_64):
      libnghttp2-14-32bit-1.40.0-3.11.1
      libnghttp2-14-32bit-debuginfo-1.40.0-3.11.1
   - SUSE CaaS Platform 4.0 (x86_64):
      libnghttp2-14-1.40.0-3.11.1
      libnghttp2-14-32bit-1.40.0-3.11.1
      libnghttp2-14-32bit-debuginfo-1.40.0-3.11.1
      libnghttp2-14-debuginfo-1.40.0-3.11.1
      libnghttp2-devel-1.40.0-3.11.1
      libnghttp2_asio-devel-1.40.0-3.11.1
      libnghttp2_asio1-1.40.0-3.11.1
      libnghttp2_asio1-debuginfo-1.40.0-3.11.1
      nghttp2-debuginfo-1.40.0-3.11.1
      nghttp2-debugsource-1.40.0-3.11.1

References:

   https://www.suse.com/security/cve/CVE-2020-11080.html
   https://bugzilla.suse.com/1172442
   https://bugzilla.suse.com/1181358


From sle-security-updates at lists.suse.com Wed Mar 24 14:21:52 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 15:21:52 +0100 (CET)
Subject: SUSE-SU-2021:0928-1: important: Security update for sudo
Message-ID: <20210324142152.38020FD17@maintenance.suse.de>

   SUSE Security Update: Security update for sudo
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0928-1
Rating:             important
References:         #1181090
Cross-References:   CVE-2021-3156
CVSS scores:
                    CVE-2021-3156 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3156 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

   An update that fixes one vulnerability is now available.
Description:

   This update for sudo fixes the following issues:

   - Fixed a potential crash on exit as a result of the fix of CVE-2021-3156
     [bsc#1181090]

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:
      zypper in -t patch SUSE-OpenStack-Cloud-7-2021-928=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-928=1
   - SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-928=1
   - SUSE Linux Enterprise Server 12-SP2-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-928=1

Package List:

   - SUSE OpenStack Cloud 7 (s390x x86_64):
      sudo-1.8.10p3-10.32.1
      sudo-debuginfo-1.8.10p3-10.32.1
      sudo-debugsource-1.8.10p3-10.32.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      sudo-1.8.10p3-10.32.1
      sudo-debuginfo-1.8.10p3-10.32.1
      sudo-debugsource-1.8.10p3-10.32.1
   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
      sudo-1.8.10p3-10.32.1
      sudo-debuginfo-1.8.10p3-10.32.1
      sudo-debugsource-1.8.10p3-10.32.1
   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
      sudo-1.8.10p3-10.32.1
      sudo-debuginfo-1.8.10p3-10.32.1
      sudo-debugsource-1.8.10p3-10.32.1

References:

   https://www.suse.com/security/cve/CVE-2021-3156.html
   https://bugzilla.suse.com/1181090


From sle-security-updates at lists.suse.com Wed Mar 24 14:23:04 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 15:23:04 +0100 (CET)
Subject: SUSE-SU-2021:0932-1: important: Security update for nghttp2
Message-ID: <20210324142304.3AE5BFD17@maintenance.suse.de>

   SUSE Security Update: Security update for nghttp2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0932-1
Rating:             important
References:         #1082318 #1088639 #1112438 #1125689 #1134616 #1146182
                    #1146184 #1181358 #962914 #964140 #966514
Cross-References:   CVE-2016-1544 CVE-2018-1000168 CVE-2019-9511 CVE-2019-9513
                    CVE-2020-11080
CVSS scores:
                    CVE-2016-1544 (NVD) : 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
                    CVE-2018-1000168 (NVD) : 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2018-1000168 (SUSE): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-9511 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-9511 (SUSE): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-9513 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-9513 (SUSE): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-11080 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-11080 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has 6 fixes is now available.

Description:

   This update for nghttp2 fixes the following issues:

   Security issues fixed:

   - CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358).
   - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource
     loops, potentially leading to a denial of service (bsc#1146184).
   - CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window
     size manipulation and stream prioritization manipulation, potentially
     leading to a denial of service (bsc#1146182).
   - CVE-2018-1000168: Fixed ALTSVC frame client side denial of service
     (bsc#1088639).
   - CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header
     fields (bsc#966514).

   Bug fixes and enhancements:

   - Packages must not mark license files as %doc (bsc#1082318)
   - Typo in description of libnghttp2_asio1 (bsc#962914)
   - Fixed mistake in spec file (bsc#1125689)
   - Fixed build issue with boost 1.70.0 (bsc#1134616)
   - Fixed build issue with GCC 6 (bsc#964140)
   - Feature: Add W&S module (FATE#326776, bsc#1112438)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-932=1
   - SUSE OpenStack Cloud Crowbar 8:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-932=1
   - SUSE OpenStack Cloud 9:
      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-932=1
   - SUSE OpenStack Cloud 8:
      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-932=1
   - SUSE OpenStack Cloud 7:
      zypper in -t patch SUSE-OpenStack-Cloud-7-2021-932=1
   - SUSE Linux Enterprise Server for SAP 12-SP4:
      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-932=1
   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-932=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-932=1
   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-932=1
   - SUSE Linux Enterprise Server 12-SP4-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-932=1
   - SUSE Linux Enterprise Server 12-SP3-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-932=1
   - SUSE Linux Enterprise Server 12-SP3-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-932=1
   - SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-932=1
   - SUSE Linux Enterprise Server 12-SP2-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-932=1
   - HPE Helion Openstack 8:
      zypper in -t patch HPE-Helion-OpenStack-8-2021-932=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):
      libnghttp2-14-1.39.2-3.5.1
      libnghttp2-14-32bit-1.39.2-3.5.1
      libnghttp2-14-debuginfo-1.39.2-3.5.1
      libnghttp2-14-debuginfo-32bit-1.39.2-3.5.1
      nghttp2-debuginfo-1.39.2-3.5.1
      nghttp2-debugsource-1.39.2-3.5.1
   - SUSE OpenStack Cloud Crowbar 8 (x86_64):
      libnghttp2-14-1.39.2-3.5.1
      libnghttp2-14-debuginfo-1.39.2-3.5.1
      nghttp2-debuginfo-1.39.2-3.5.1
      nghttp2-debugsource-1.39.2-3.5.1
   - SUSE OpenStack Cloud 9 (x86_64):
      libnghttp2-14-1.39.2-3.5.1
      libnghttp2-14-32bit-1.39.2-3.5.1
      libnghttp2-14-debuginfo-1.39.2-3.5.1
      libnghttp2-14-debuginfo-32bit-1.39.2-3.5.1
      nghttp2-debuginfo-1.39.2-3.5.1
      nghttp2-debugsource-1.39.2-3.5.1
   - SUSE OpenStack Cloud 8 (x86_64):
      libnghttp2-14-1.39.2-3.5.1
      libnghttp2-14-debuginfo-1.39.2-3.5.1
      nghttp2-debuginfo-1.39.2-3.5.1
      nghttp2-debugsource-1.39.2-3.5.1
   - SUSE OpenStack Cloud 7 (s390x x86_64):
      libnghttp2-14-1.39.2-3.5.1
      libnghttp2-14-debuginfo-1.39.2-3.5.1
      nghttp2-debuginfo-1.39.2-3.5.1
      nghttp2-debugsource-1.39.2-3.5.1
   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
      libnghttp2-14-1.39.2-3.5.1
      libnghttp2-14-debuginfo-1.39.2-3.5.1
      nghttp2-debuginfo-1.39.2-3.5.1
      nghttp2-debugsource-1.39.2-3.5.1
   - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):
      libnghttp2-14-32bit-1.39.2-3.5.1
      libnghttp2-14-debuginfo-32bit-1.39.2-3.5.1
   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      libnghttp2-14-1.39.2-3.5.1
      libnghttp2-14-debuginfo-1.39.2-3.5.1
      nghttp2-debuginfo-1.39.2-3.5.1
      nghttp2-debugsource-1.39.2-3.5.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      libnghttp2-14-1.39.2-3.5.1
      libnghttp2-14-debuginfo-1.39.2-3.5.1
      nghttp2-debuginfo-1.39.2-3.5.1
      nghttp2-debugsource-1.39.2-3.5.1
   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      libnghttp2-14-1.39.2-3.5.1
      libnghttp2-14-debuginfo-1.39.2-3.5.1
      nghttp2-debuginfo-1.39.2-3.5.1
      nghttp2-debugsource-1.39.2-3.5.1
   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
      libnghttp2-14-32bit-1.39.2-3.5.1
      libnghttp2-14-debuginfo-32bit-1.39.2-3.5.1
   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
      libnghttp2-14-1.39.2-3.5.1
      libnghttp2-14-debuginfo-1.39.2-3.5.1
      nghttp2-debuginfo-1.39.2-3.5.1
      nghttp2-debugsource-1.39.2-3.5.1
   - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):
      libnghttp2-14-32bit-1.39.2-3.5.1
      libnghttp2-14-debuginfo-32bit-1.39.2-3.5.1
   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
      libnghttp2-14-1.39.2-3.5.1
      libnghttp2-14-debuginfo-1.39.2-3.5.1
      nghttp2-debuginfo-1.39.2-3.5.1
      nghttp2-debugsource-1.39.2-3.5.1
   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
      libnghttp2-14-1.39.2-3.5.1
      libnghttp2-14-debuginfo-1.39.2-3.5.1
      nghttp2-debuginfo-1.39.2-3.5.1
      nghttp2-debugsource-1.39.2-3.5.1
   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
      libnghttp2-14-1.39.2-3.5.1
      libnghttp2-14-debuginfo-1.39.2-3.5.1
      nghttp2-debuginfo-1.39.2-3.5.1
      nghttp2-debugsource-1.39.2-3.5.1
   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
      libnghttp2-14-1.39.2-3.5.1
      libnghttp2-14-debuginfo-1.39.2-3.5.1
      nghttp2-debuginfo-1.39.2-3.5.1
      nghttp2-debugsource-1.39.2-3.5.1
   - HPE Helion Openstack 8 (x86_64):
      libnghttp2-14-1.39.2-3.5.1
      libnghttp2-14-debuginfo-1.39.2-3.5.1
      nghttp2-debuginfo-1.39.2-3.5.1
      nghttp2-debugsource-1.39.2-3.5.1

References:

   https://www.suse.com/security/cve/CVE-2016-1544.html
   https://www.suse.com/security/cve/CVE-2018-1000168.html
   https://www.suse.com/security/cve/CVE-2019-9511.html
   https://www.suse.com/security/cve/CVE-2019-9513.html
   https://www.suse.com/security/cve/CVE-2020-11080.html
   https://bugzilla.suse.com/1082318
   https://bugzilla.suse.com/1088639
   https://bugzilla.suse.com/1112438
   https://bugzilla.suse.com/1125689
   https://bugzilla.suse.com/1134616
   https://bugzilla.suse.com/1146182
   https://bugzilla.suse.com/1146184
   https://bugzilla.suse.com/1181358
   https://bugzilla.suse.com/962914
   https://bugzilla.suse.com/964140
   https://bugzilla.suse.com/966514


From sle-security-updates at lists.suse.com Wed Mar 24 14:25:33 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 15:25:33 +0100 (CET)
Subject: SUSE-SU-2021:0938-1: moderate: Security update for go1.15
Message-ID: <20210324142533.6E33BFD17@maintenance.suse.de>

   SUSE Security Update: Security update for go1.15
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0938-1
Rating:             moderate
References:         #1175132 #1183333
Cross-References:   CVE-2021-27918
CVSS scores:
                    CVE-2021-27918 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Module for Development Tools 15-SP3
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for go1.15 fixes the following issues:

   - go1.15.10 (released 2021-03-11) (bsc#1175132)
   - go1.15.9 (released 2021-03-10) (bsc#1175132)
   - CVE-2021-27918: Fixed an infinite loop when using xml.NewTokenDecoder with
     a custom TokenReader (bsc#1183333).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-938=1
   - SUSE Manager Retail Branch Server 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-938=1
   - SUSE Manager Proxy 4.0:
      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-938=1
   - SUSE Linux Enterprise Server for SAP 15-SP1:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-938=1
   - SUSE Linux Enterprise Server 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-938=1
   - SUSE Linux Enterprise Server 15-SP1-BCL:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-938=1
   - SUSE Linux Enterprise Module for Development Tools 15-SP3:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-938=1
   - SUSE Linux Enterprise Module for Development Tools 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-938=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-938=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-938=1
   - SUSE Enterprise Storage 6:
      zypper in -t patch SUSE-Storage-6-2021-938=1
   - SUSE CaaS Platform 4.0:
      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
      inform you if it detects new updates and let you then trigger updating of
      the complete cluster in a controlled way.
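   Editor's note, not part of this or any other SUSE advisory: the patch
   instructions above tell you how to install the fix, but an advisory is only
   closed once the installed packages are at or above the versions in its
   "Package List:" section. The added Python script below is my own example
   of that check. It re-implements RPM's version ordering (rpmvercmp, including
   the '~' pre-release and '^' post-release rules) so that it needs no librpm,
   parses the advisory's plain-text package list, and compares it with the
   output of `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'`. The
   advisory excerpt embedded in it is copied from the go1.15 package list of
   SUSE-SU-2021:0938-1; the rpm output and the older go1.15 release number in
   it are constructed sample data, and epoch 0 is assumed for advisory entries
   because the advisory text prints no epoch.

```python
# Added example, not SUSE's code: check the RPMs installed on a host against the
# NEVRs an advisory lists, with RPM's version ordering re-implemented in Python so
# it runs without librpm. The advisory excerpt is copied from SUSE-SU-2021:0938-1.
import re

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~|\^")
_HEAD = re.compile(r"^\s*-\s+(?P<product>.+?)\s+\((?P<arches>[^)]*)\):\s*$")

def rpmvercmp(a, b):
    """-1/0/1 like rpm's rpmvercmp: numeric segments compare as integers and beat
    alphabetic ones; '~' sorts before end of string (1.0~rc1 < 1.0), '^' after it
    (1.0^git1 > 1.0 but < 1.0.1); separators such as '.' or '+' are ignored."""
    if a == b:
        return 0
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    for i in range(max(len(ta), len(tb)) + 1):
        xa = ta[i] if i < len(ta) else None
        xb = tb[i] if i < len(tb) else None
        if xa == xb:
            if xa is None:
                return 0  # all segments matched, only separators differed
            continue
        if "~" in (xa, xb):
            return -1 if xa == "~" else 1
        if None in (xa, xb):  # the longer string is newer ('^' included)
            return -1 if xa is None else 1
        if "^" in (xa, xb):  # '^' is older than any real segment
            return -1 if xa == "^" else 1
        if xa.isdigit() != xb.isdigit():
            return 1 if xa.isdigit() else -1
        if xa.isdigit():
            xa, xb = int(xa), int(xb)
        if xa != xb:
            return 1 if xa > xb else -1

def evr_cmp(a, b):
    """Compare (epoch, version, release) triples; rpm prints '(none)' for no epoch."""
    ea, eb = (int(x[0]) if x[0] not in ("", "(none)") else 0 for x in (a, b))
    return (ea > eb) - (ea < eb) or rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def split_nevr(pkg):
    """'go1.15-doc-1.15.10-1.25.1' -> ('go1.15-doc', '0', '1.15.10', '1.25.1').
    Advisory text carries no epoch, so epoch 0 is assumed here."""
    name, version, release = pkg.rsplit("-", 2)
    return name, "0", version, release

def parse_package_list(advisory_text):
    """Yield (product, arches, nevr) for each entry under 'Package List:'."""
    product, arches, active = None, frozenset(), False
    for line in advisory_text.splitlines():
        s = line.strip()
        if s.startswith("Package List:"):
            active = True
        elif active and s.startswith("References:"):
            break
        elif active and (m := _HEAD.match(line)):
            product, arches = m["product"], frozenset(m["arches"].split())
        elif active and product and s:
            for nevr in s.split():
                yield product, arches, nevr

def parse_rpm_qa(output):
    """Parse lines of: rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\\n'"""
    evrs = {}
    for line in output.splitlines():
        if line.strip():
            name, epoch, version, release = line.split()
            evrs[name] = (epoch, version, release)
    return evrs

def unpatched(advisory_text, rpm_qa_output, product, arch):
    """{name: 'installed < fixed'} for installed packages still below the advisory
    version on this product/arch; packages listed but not installed are skipped."""
    installed = parse_rpm_qa(rpm_qa_output)
    gaps = {}
    for prod, arches, nevr in parse_package_list(advisory_text):
        name, epoch, version, release = split_nevr(nevr)
        have = installed.get(name)
        if (prod == product and arch in arches and have is not None
                and evr_cmp(have, (epoch, version, release)) < 0):
            gaps[name] = f"{have[1]}-{have[2]} < {version}-{release}"
    return gaps

# Package list of SUSE-SU-2021:0938-1 for one module, as printed on this page.
ADVISORY_0938 = """\
Package List:
   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):
      go1.15-1.15.10-1.25.1
      go1.15-doc-1.15.10-1.25.1
   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64):
      go1.15-race-1.15.10-1.25.1
"""
# Constructed `rpm -qa` sample: go1.15 lags (old release invented), go1.15-doc is
# current, go1.15-race is not installed, libnghttp2-14 is unrelated to this advisory.
RPM_QA_SAMPLE = """\
go1.15 (none) 1.15.8 1.22.1
go1.15-doc (none) 1.15.10 1.25.1
libnghttp2-14 (none) 1.40.0 3.5.1
"""
```

   On a real host, feed the script the full advisory text and the output of the
   `rpm -qa` query shown in the parse_rpm_qa docstring, with your product name
   and architecture; for the sample data above, unpatched() reports only go1.15.
   A package the advisory lists but the host does not have is deliberately not
   reported, since a fix for a library you do not ship is not a gap.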
Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):
      go1.15-1.15.10-1.25.1
      go1.15-doc-1.15.10-1.25.1
   - SUSE Manager Server 4.0 (x86_64):
      go1.15-race-1.15.10-1.25.1
   - SUSE Manager Retail Branch Server 4.0 (x86_64):
      go1.15-1.15.10-1.25.1
      go1.15-doc-1.15.10-1.25.1
      go1.15-race-1.15.10-1.25.1
   - SUSE Manager Proxy 4.0 (x86_64):
      go1.15-1.15.10-1.25.1
      go1.15-doc-1.15.10-1.25.1
      go1.15-race-1.15.10-1.25.1
   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
      go1.15-1.15.10-1.25.1
      go1.15-doc-1.15.10-1.25.1
   - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):
      go1.15-race-1.15.10-1.25.1
   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
      go1.15-1.15.10-1.25.1
      go1.15-doc-1.15.10-1.25.1
   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 x86_64):
      go1.15-race-1.15.10-1.25.1
   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
      go1.15-1.15.10-1.25.1
      go1.15-doc-1.15.10-1.25.1
      go1.15-race-1.15.10-1.25.1
   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64):
      go1.15-1.15.10-1.25.1
      go1.15-doc-1.15.10-1.25.1
   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 x86_64):
      go1.15-race-1.15.10-1.25.1
   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):
      go1.15-1.15.10-1.25.1
      go1.15-doc-1.15.10-1.25.1
   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64):
      go1.15-race-1.15.10-1.25.1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
      go1.15-1.15.10-1.25.1
      go1.15-doc-1.15.10-1.25.1
      go1.15-race-1.15.10-1.25.1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
      go1.15-1.15.10-1.25.1
      go1.15-doc-1.15.10-1.25.1
      go1.15-race-1.15.10-1.25.1
   - SUSE Enterprise Storage 6 (aarch64 x86_64):
      go1.15-1.15.10-1.25.1
      go1.15-doc-1.15.10-1.25.1
      go1.15-race-1.15.10-1.25.1
   - SUSE CaaS Platform 4.0 (x86_64):
      go1.15-1.15.10-1.25.1
      go1.15-doc-1.15.10-1.25.1
      go1.15-race-1.15.10-1.25.1

References:
   https://www.suse.com/security/cve/CVE-2021-27918.html
   https://bugzilla.suse.com/1175132
   https://bugzilla.suse.com/1183333


From sle-security-updates at lists.suse.com Wed Mar 24 14:26:50 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 15:26:50 +0100 (CET)
Subject: SUSE-SU-2021:0941-1: important: Security update for hawk2
Message-ID: <20210324142650.17E0BFD17@maintenance.suse.de>

   SUSE Security Update: Security update for hawk2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0941-1
Rating:             important
References:         #1179999 #1182165 #1182166
Cross-References:   CVE-2020-35459 CVE-2021-25314
CVSS scores:
                    CVE-2020-35459 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-35459 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25314 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise High Availability 15-SP2
                    SUSE Linux Enterprise High Availability 15-SP1
                    SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now available.

Description:

   This update for hawk2 fixes the following issues:

   - Update to version 2.6.3:
     * Remove hawk_invoke and use capture3 instead of runas (bsc#1179999)(CVE-2020-35459)
     * Remove unnecessary chmod (bsc#1182166)(CVE-2021-25314)
     * Sanitize filename to contain whitelist of alphanumeric (bsc#1182165)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 15-SP2:
      zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2021-941=1
   - SUSE Linux Enterprise High Availability 15-SP1:
      zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2021-941=1
   - SUSE Linux Enterprise High Availability 15:
      zypper in -t patch SUSE-SLE-Product-HA-15-2021-941=1

Package List:

   - SUSE Linux Enterprise High Availability 15-SP2 (aarch64 ppc64le s390x x86_64):
      hawk2-2.6.3+git.1614684118.af555ad9-3.27.1
      hawk2-debuginfo-2.6.3+git.1614684118.af555ad9-3.27.1
      hawk2-debugsource-2.6.3+git.1614684118.af555ad9-3.27.1
   - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64):
      hawk2-2.6.3+git.1614684118.af555ad9-3.27.1
      hawk2-debuginfo-2.6.3+git.1614684118.af555ad9-3.27.1
      hawk2-debugsource-2.6.3+git.1614684118.af555ad9-3.27.1
   - SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64):
      hawk2-2.6.3+git.1614684118.af555ad9-3.27.1
      hawk2-debuginfo-2.6.3+git.1614684118.af555ad9-3.27.1
      hawk2-debugsource-2.6.3+git.1614684118.af555ad9-3.27.1

References:

   https://www.suse.com/security/cve/CVE-2020-35459.html
   https://www.suse.com/security/cve/CVE-2021-25314.html
   https://bugzilla.suse.com/1179999
   https://bugzilla.suse.com/1182165
   https://bugzilla.suse.com/1182166


From sle-security-updates at lists.suse.com Wed Mar 24 14:28:09 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 15:28:09 +0100 (CET)
Subject: SUSE-SU-2021:0942-1: important: Security update for hawk2
Message-ID: <20210324142809.EA931FD17@maintenance.suse.de>

   SUSE Security Update: Security update for hawk2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0942-1
Rating:             important
References:         #1179999 #1182165 #1182166
Cross-References:   CVE-2020-35459 CVE-2021-25314
CVSS scores:
                    CVE-2020-35459 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-35459 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25314 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise High Availability 12-SP5
                    SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now available.

Description:

   This update for hawk2 fixes the following issues:

   - Update to version 2.6.3:
     * Remove hawk_invoke and use capture3 instead of runas (bsc#1179999)(CVE-2020-35459)
     * Remove unnecessary chmod (bsc#1182166)(CVE-2021-25314)
     * Sanitize filename to contain whitelist of alphanumeric (bsc#1182165)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 12-SP5:
      zypper in -t patch SUSE-SLE-HA-12-SP5-2021-942=1
   - SUSE Linux Enterprise High Availability 12-SP4:
      zypper in -t patch SUSE-SLE-HA-12-SP4-2021-942=1

Package List:

   - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):
      hawk2-2.6.3+git.1614685906.812c31e9-3.30.1
      hawk2-debuginfo-2.6.3+git.1614685906.812c31e9-3.30.1
      hawk2-debugsource-2.6.3+git.1614685906.812c31e9-3.30.1
   - SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64):
      hawk2-2.6.3+git.1614685906.812c31e9-3.30.1
      hawk2-debuginfo-2.6.3+git.1614685906.812c31e9-3.30.1
      hawk2-debugsource-2.6.3+git.1614685906.812c31e9-3.30.1

References:

   https://www.suse.com/security/cve/CVE-2020-35459.html
   https://www.suse.com/security/cve/CVE-2021-25314.html
   https://bugzilla.suse.com/1179999
   https://bugzilla.suse.com/1182165
   https://bugzilla.suse.com/1182166


From sle-security-updates at lists.suse.com Wed Mar 24 14:29:23 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 15:29:23 +0100 (CET)
Subject: SUSE-SU-2021:0934-1: important: Security update for gnutls
Message-ID: <20210324142923.35CCAFD17@maintenance.suse.de>

   SUSE Security Update: Security update for gnutls
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0934-1
Rating:             important
References:         #1183456 #1183457
Cross-References:   CVE-2021-20231 CVE-2021-20232
CVSS scores:
                    CVE-2021-20231 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-20231 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
                    CVE-2021-20232 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-20232 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for gnutls fixes the following issues:

   - CVE-2021-20232: Fixed a use after free issue which could have led to
     memory corruption and other potential consequences (bsc#1183456).
   - CVE-2021-20231: Fixed a use after free issue which could have led to
     memory corruption and other potential consequences (bsc#1183457).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Manager Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-934=1 - SUSE Manager Retail Branch Server 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-934=1 - SUSE Manager Proxy 4.0: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-934=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-934=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-934=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-934=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-934=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-934=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-934=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-934=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-934=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-934=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-934=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):

      gnutls-3.6.7-6.40.2
      gnutls-debuginfo-3.6.7-6.40.2
      gnutls-debugsource-3.6.7-6.40.2
      libgnutls-devel-3.6.7-6.40.2
      libgnutls30-3.6.7-6.40.2
      libgnutls30-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-3.6.7-6.40.2
      libgnutlsxx-devel-3.6.7-6.40.2
      libgnutlsxx28-3.6.7-6.40.2
      libgnutlsxx28-debuginfo-3.6.7-6.40.2

   - SUSE Manager Server 4.0 (x86_64):

      libgnutls30-32bit-3.6.7-6.40.2
      libgnutls30-32bit-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-32bit-3.6.7-6.40.2

   - SUSE Manager Retail Branch Server 4.0 (x86_64):

      gnutls-3.6.7-6.40.2
      gnutls-debuginfo-3.6.7-6.40.2
      gnutls-debugsource-3.6.7-6.40.2
      libgnutls-devel-3.6.7-6.40.2
      libgnutls30-3.6.7-6.40.2
      libgnutls30-32bit-3.6.7-6.40.2
      libgnutls30-32bit-debuginfo-3.6.7-6.40.2
      libgnutls30-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-3.6.7-6.40.2
      libgnutls30-hmac-32bit-3.6.7-6.40.2
      libgnutlsxx-devel-3.6.7-6.40.2
      libgnutlsxx28-3.6.7-6.40.2
      libgnutlsxx28-debuginfo-3.6.7-6.40.2

   - SUSE Manager Proxy 4.0 (x86_64):

      gnutls-3.6.7-6.40.2
      gnutls-debuginfo-3.6.7-6.40.2
      gnutls-debugsource-3.6.7-6.40.2
      libgnutls-devel-3.6.7-6.40.2
      libgnutls30-3.6.7-6.40.2
      libgnutls30-32bit-3.6.7-6.40.2
      libgnutls30-32bit-debuginfo-3.6.7-6.40.2
      libgnutls30-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-3.6.7-6.40.2
      libgnutls30-hmac-32bit-3.6.7-6.40.2
      libgnutlsxx-devel-3.6.7-6.40.2
      libgnutlsxx28-3.6.7-6.40.2
      libgnutlsxx28-debuginfo-3.6.7-6.40.2

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

      gnutls-3.6.7-6.40.2
      gnutls-debuginfo-3.6.7-6.40.2
      gnutls-debugsource-3.6.7-6.40.2
      libgnutls-devel-3.6.7-6.40.2
      libgnutls30-3.6.7-6.40.2
      libgnutls30-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-3.6.7-6.40.2
      libgnutlsxx-devel-3.6.7-6.40.2
      libgnutlsxx28-3.6.7-6.40.2
      libgnutlsxx28-debuginfo-3.6.7-6.40.2

   - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):

      libgnutls30-32bit-3.6.7-6.40.2
      libgnutls30-32bit-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-32bit-3.6.7-6.40.2

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      gnutls-3.6.7-6.40.2
      gnutls-debuginfo-3.6.7-6.40.2
      gnutls-debugsource-3.6.7-6.40.2
      libgnutls-devel-3.6.7-6.40.2
      libgnutls30-3.6.7-6.40.2
      libgnutls30-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-3.6.7-6.40.2
      libgnutlsxx-devel-3.6.7-6.40.2
      libgnutlsxx28-3.6.7-6.40.2
      libgnutlsxx28-debuginfo-3.6.7-6.40.2

   - SUSE Linux Enterprise Server for SAP 15 (x86_64):

      libgnutls30-32bit-3.6.7-6.40.2
      libgnutls30-32bit-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-32bit-3.6.7-6.40.2

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

      gnutls-3.6.7-6.40.2
      gnutls-debuginfo-3.6.7-6.40.2
      gnutls-debugsource-3.6.7-6.40.2
      libgnutls-devel-3.6.7-6.40.2
      libgnutls30-3.6.7-6.40.2
      libgnutls30-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-3.6.7-6.40.2
      libgnutlsxx-devel-3.6.7-6.40.2
      libgnutlsxx28-3.6.7-6.40.2
      libgnutlsxx28-debuginfo-3.6.7-6.40.2

   - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):

      libgnutls30-32bit-3.6.7-6.40.2
      libgnutls30-32bit-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-32bit-3.6.7-6.40.2

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

      gnutls-3.6.7-6.40.2
      gnutls-debuginfo-3.6.7-6.40.2
      gnutls-debugsource-3.6.7-6.40.2
      libgnutls-devel-3.6.7-6.40.2
      libgnutls30-3.6.7-6.40.2
      libgnutls30-32bit-3.6.7-6.40.2
      libgnutls30-32bit-debuginfo-3.6.7-6.40.2
      libgnutls30-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-3.6.7-6.40.2
      libgnutls30-hmac-32bit-3.6.7-6.40.2
      libgnutlsxx-devel-3.6.7-6.40.2
      libgnutlsxx28-3.6.7-6.40.2
      libgnutlsxx28-debuginfo-3.6.7-6.40.2

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      gnutls-3.6.7-6.40.2
      gnutls-debuginfo-3.6.7-6.40.2
      gnutls-debugsource-3.6.7-6.40.2
      libgnutls-devel-3.6.7-6.40.2
      libgnutls30-3.6.7-6.40.2
      libgnutls30-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-3.6.7-6.40.2
      libgnutlsxx-devel-3.6.7-6.40.2
      libgnutlsxx28-3.6.7-6.40.2
      libgnutlsxx28-debuginfo-3.6.7-6.40.2

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):

      gnutls-3.6.7-6.40.2
      gnutls-debuginfo-3.6.7-6.40.2
      gnutls-debugsource-3.6.7-6.40.2
      libgnutls-devel-3.6.7-6.40.2
      libgnutls30-3.6.7-6.40.2
      libgnutls30-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-3.6.7-6.40.2
      libgnutlsxx-devel-3.6.7-6.40.2
      libgnutlsxx28-3.6.7-6.40.2
      libgnutlsxx28-debuginfo-3.6.7-6.40.2

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):

      libgnutls30-32bit-3.6.7-6.40.2
      libgnutls30-32bit-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-32bit-3.6.7-6.40.2

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):

      gnutls-3.6.7-6.40.2
      gnutls-debuginfo-3.6.7-6.40.2
      gnutls-debugsource-3.6.7-6.40.2
      libgnutls-devel-3.6.7-6.40.2
      libgnutls30-3.6.7-6.40.2
      libgnutls30-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-3.6.7-6.40.2
      libgnutlsxx-devel-3.6.7-6.40.2
      libgnutlsxx28-3.6.7-6.40.2
      libgnutlsxx28-debuginfo-3.6.7-6.40.2

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):

      libgnutls30-32bit-3.6.7-6.40.2
      libgnutls30-32bit-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-32bit-3.6.7-6.40.2

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      gnutls-3.6.7-6.40.2
      gnutls-debuginfo-3.6.7-6.40.2
      gnutls-debugsource-3.6.7-6.40.2
      libgnutls-devel-3.6.7-6.40.2
      libgnutls30-3.6.7-6.40.2
      libgnutls30-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-3.6.7-6.40.2
      libgnutlsxx-devel-3.6.7-6.40.2
      libgnutlsxx28-3.6.7-6.40.2
      libgnutlsxx28-debuginfo-3.6.7-6.40.2

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

      libgnutls30-32bit-3.6.7-6.40.2
      libgnutls30-32bit-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-32bit-3.6.7-6.40.2

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      gnutls-3.6.7-6.40.2
      gnutls-debuginfo-3.6.7-6.40.2
      gnutls-debugsource-3.6.7-6.40.2
      libgnutls-devel-3.6.7-6.40.2
      libgnutls30-3.6.7-6.40.2
      libgnutls30-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-3.6.7-6.40.2
      libgnutlsxx-devel-3.6.7-6.40.2
      libgnutlsxx28-3.6.7-6.40.2
      libgnutlsxx28-debuginfo-3.6.7-6.40.2

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

      libgnutls30-32bit-3.6.7-6.40.2
      libgnutls30-32bit-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-32bit-3.6.7-6.40.2

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      gnutls-3.6.7-6.40.2
      gnutls-debuginfo-3.6.7-6.40.2
      gnutls-debugsource-3.6.7-6.40.2
      libgnutls-devel-3.6.7-6.40.2
      libgnutls30-3.6.7-6.40.2
      libgnutls30-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-3.6.7-6.40.2
      libgnutlsxx-devel-3.6.7-6.40.2
      libgnutlsxx28-3.6.7-6.40.2
      libgnutlsxx28-debuginfo-3.6.7-6.40.2

   - SUSE Enterprise Storage 6 (x86_64):

      libgnutls30-32bit-3.6.7-6.40.2
      libgnutls30-32bit-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-32bit-3.6.7-6.40.2

   - SUSE CaaS Platform 4.0 (x86_64):

      gnutls-3.6.7-6.40.2
      gnutls-debuginfo-3.6.7-6.40.2
      gnutls-debugsource-3.6.7-6.40.2
      libgnutls-devel-3.6.7-6.40.2
      libgnutls30-3.6.7-6.40.2
      libgnutls30-32bit-3.6.7-6.40.2
      libgnutls30-32bit-debuginfo-3.6.7-6.40.2
      libgnutls30-debuginfo-3.6.7-6.40.2
      libgnutls30-hmac-3.6.7-6.40.2
      libgnutls30-hmac-32bit-3.6.7-6.40.2
      libgnutlsxx-devel-3.6.7-6.40.2
      libgnutlsxx28-3.6.7-6.40.2
      libgnutlsxx28-debuginfo-3.6.7-6.40.2

References:

   https://www.suse.com/security/cve/CVE-2021-20231.html
   https://www.suse.com/security/cve/CVE-2021-20232.html
   https://bugzilla.suse.com/1183456
   https://bugzilla.suse.com/1183457

From sle-security-updates at lists.suse.com Wed Mar 24 14:30:38 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 15:30:38 +0100 (CET)
Subject: SUSE-SU-2021:0936-1: important: Security update for libass
Message-ID: <20210324143038.1A42DFD17@maintenance.suse.de>

SUSE Security Update: Security update for libass
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0936-1
Rating:             important
References:         #1177862
Cross-References:   CVE-2020-26682
CVSS scores:
                    CVE-2020-26682 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2020-26682 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP3
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for libass fixes the following issues:

   - CVE-2020-26682: Fixed a signed integer overflow in the call to outline_stroke() (bsc#1177862).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-936=1

   - SUSE Manager Retail Branch Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-936=1

   - SUSE Manager Proxy 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-936=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-936=1

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-936=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-936=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-936=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-936=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-936=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-936=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-936=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-936=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-936=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-936=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-936=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you
      if it detects new updates and let you then trigger updating of the complete cluster
      in a controlled way.

Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

   - SUSE Manager Retail Branch Server 4.0 (x86_64):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

   - SUSE Manager Proxy 4.0 (x86_64):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

   - SUSE CaaS Platform 4.0 (x86_64):

      libass-debugsource-0.14.0-3.3.1
      libass-devel-0.14.0-3.3.1
      libass9-0.14.0-3.3.1
      libass9-debuginfo-0.14.0-3.3.1

References:

   https://www.suse.com/security/cve/CVE-2020-26682.html
   https://bugzilla.suse.com/1177862

From sle-security-updates at lists.suse.com Wed Mar 24 14:31:41 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 15:31:41 +0100 (CET)
Subject: SUSE-SU-2021:0937-1: moderate: Security update for go1.16
Message-ID: <20210324143141.AA9F7FD17@maintenance.suse.de>

SUSE Security Update: Security update for go1.16
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0937-1
Rating:             moderate
References:         #1182345 #1183333 #1183334
Cross-References:   CVE-2021-27918 CVE-2021-27919
CVSS scores:
                    CVE-2021-27918 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-27919 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now available.
Description:

   This update for go1.16 fixes the following issues:

   - go1.16.2 (released 2021-03-11) (bsc#1182345)
   - go1.16.1 (released 2021-03-10) (bsc#1182345)
   - CVE-2021-27918: Fixed an infinite loop when using xml.NewTokenDecoder with a
     custom TokenReader (bsc#1183333).
   - CVE-2021-27919: Fixed an issue where archive/zip could panic when calling
     Reader.Open (bsc#1183334).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Development Tools 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-937=1

Package List:

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):

      go1.16-1.16.2-1.8.1
      go1.16-doc-1.16.2-1.8.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64):

      go1.16-race-1.16.2-1.8.1

References:

   https://www.suse.com/security/cve/CVE-2021-27918.html
   https://www.suse.com/security/cve/CVE-2021-27919.html
   https://bugzilla.suse.com/1182345
   https://bugzilla.suse.com/1183333
   https://bugzilla.suse.com/1183334

From sle-security-updates at lists.suse.com Wed Mar 24 14:32:48 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 15:32:48 +0100 (CET)
Subject: SUSE-SU-2021:0935-1: important: Security update for gnutls
Message-ID: <20210324143248.B01F5FD17@maintenance.suse.de>

SUSE Security Update: Security update for gnutls
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0935-1
Rating:             important
References:         #1183456 #1183457
Cross-References:   CVE-2021-20231 CVE-2021-20232
CVSS scores:
                    CVE-2021-20231 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-20231 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
                    CVE-2021-20232 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-20232 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for gnutls fixes the following issues:

   - CVE-2021-20232: Fixed a use after free issue which could have led to memory
     corruption and other potential consequences (bsc#1183456).
   - CVE-2021-20231: Fixed a use after free issue which could have led to memory
     corruption and other potential consequences (bsc#1183457).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-935=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-935=1

Package List:

   - SUSE MicroOS 5.0 (aarch64 x86_64):

      gnutls-debuginfo-3.6.7-14.10.2
      gnutls-debugsource-3.6.7-14.10.2
      libgnutls30-3.6.7-14.10.2
      libgnutls30-debuginfo-3.6.7-14.10.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      gnutls-3.6.7-14.10.2
      gnutls-debuginfo-3.6.7-14.10.2
      gnutls-debugsource-3.6.7-14.10.2
      libgnutls-devel-3.6.7-14.10.2
      libgnutls30-3.6.7-14.10.2
      libgnutls30-debuginfo-3.6.7-14.10.2
      libgnutls30-hmac-3.6.7-14.10.2
      libgnutlsxx-devel-3.6.7-14.10.2
      libgnutlsxx28-3.6.7-14.10.2
      libgnutlsxx28-debuginfo-3.6.7-14.10.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):

      libgnutls30-32bit-3.6.7-14.10.2
      libgnutls30-32bit-debuginfo-3.6.7-14.10.2
      libgnutls30-hmac-32bit-3.6.7-14.10.2

References:

   https://www.suse.com/security/cve/CVE-2021-20231.html
   https://www.suse.com/security/cve/CVE-2021-20232.html
   https://bugzilla.suse.com/1183456
   https://bugzilla.suse.com/1183457

From sle-security-updates at lists.suse.com Wed Mar 24 14:33:57 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 15:33:57 +0100 (CET)
Subject: SUSE-SU-2021:0933-1: important: Security update for ruby2.5
Message-ID: <20210324143357.C30A6FD17@maintenance.suse.de>

SUSE Security Update: Security update for ruby2.5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0933-1
Rating:             important
References:         #1177125 #1177222
Cross-References:   CVE-2020-25613
CVSS scores:
                    CVE-2020-25613 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2020-25613 (SUSE): 6.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for ruby2.5 fixes the following issues:

   - CVE-2020-25613: Fixed a potential HTTP request smuggling issue in WEBrick (bsc#1177125).
   - Enable optimizations also on ARM64 (bsc#1177222)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-933=1

   - SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-933=1

   - SUSE Manager Retail Branch Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-933=1

   - SUSE Manager Proxy 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-933=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-933=1

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-933=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-933=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-933=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-933=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-933=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-933=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-933=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-933=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-933=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-933=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-933=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you
      if it detects new updates and let you then trigger updating of the complete cluster
      in a controlled way.

Package List:

   - SUSE MicroOS 5.0 (aarch64 x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE Manager Retail Branch Server 4.0 (x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE Manager Proxy 4.0 (x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

   - SUSE CaaS Platform 4.0 (x86_64):

      libruby2_5-2_5-2.5.8-4.14.1
      libruby2_5-2_5-debuginfo-2.5.8-4.14.1
      ruby2.5-2.5.8-4.14.1
      ruby2.5-debuginfo-2.5.8-4.14.1
      ruby2.5-debugsource-2.5.8-4.14.1
      ruby2.5-devel-2.5.8-4.14.1
      ruby2.5-devel-extra-2.5.8-4.14.1
      ruby2.5-stdlib-2.5.8-4.14.1
      ruby2.5-stdlib-debuginfo-2.5.8-4.14.1

References:

   https://www.suse.com/security/cve/CVE-2020-25613.html
   https://bugzilla.suse.com/1177125
   https://bugzilla.suse.com/1177222

From sle-security-updates at lists.suse.com Wed Mar 24 14:35:06 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 15:35:06 +0100 (CET)
Subject: SUSE-SU-2021:0940-1: important: Security update for jetty-minimal
Message-ID: <20210324143506.A6EB5FD17@maintenance.suse.de>

SUSE Security Update: Security update for jetty-minimal
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0940-1
Rating:             important
References:         #1182898
Cross-References:   CVE-2020-27223
CVSS scores:
                    CVE-2020-27223 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2020-27223 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for jetty-minimal fixes the following issues:

   - jetty-minimal was upgraded to version 9.4.38.v20210224
   - CVE-2020-27223: Fixed an issue with the Accept request header which might have
     led to a denial of service (bsc#1182898).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-940=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch): jetty-http-9.4.38-3.6.2 jetty-io-9.4.38-3.6.2 jetty-security-9.4.38-3.6.2 jetty-server-9.4.38-3.6.2 jetty-servlet-9.4.38-3.6.2 jetty-util-9.4.38-3.6.2 jetty-util-ajax-9.4.38-3.6.2 References: https://www.suse.com/security/cve/CVE-2020-27223.html https://bugzilla.suse.com/1182898 From sle-security-updates at lists.suse.com Wed Mar 24 14:36:04 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 24 Mar 2021 15:36:04 +0100 (CET) Subject: SUSE-SU-2021:0939-1: moderate: Security update for openssl Message-ID: <20210324143604.DB839FD17@maintenance.suse.de> SUSE Security Update: Security update for openssl ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:0939-1 Rating: moderate References: #1182331 #1182333 Cross-References: CVE-2021-23840 CVE-2021-23841 CVSS scores: CVE-2021-23840 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-23840 (SUSE): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H CVE-2021-23841 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-23841 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. 
Description:

   This update for openssl fixes the following issues:

   - CVE-2021-23840: Fixed an integer overflow in CipherUpdate (bsc#1182333)
   - CVE-2021-23841: Fixed a NULL pointer dereference in X509_issuer_and_serial_hash()
     (bsc#1182331)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-939=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-939=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2021-939=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-939=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-939=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-939=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-939=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-939=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-939=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2021-939=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      libopenssl-devel-1.0.2j-60.66.1
      libopenssl1_0_0-1.0.2j-60.66.1
      libopenssl1_0_0-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-32bit-1.0.2j-60.66.1
      openssl-1.0.2j-60.66.1
      openssl-debuginfo-1.0.2j-60.66.1
      openssl-debugsource-1.0.2j-60.66.1

   - SUSE OpenStack Cloud Crowbar 8 (noarch):

      openssl-doc-1.0.2j-60.66.1

   - SUSE OpenStack Cloud 8 (x86_64):

      libopenssl-devel-1.0.2j-60.66.1
      libopenssl1_0_0-1.0.2j-60.66.1
      libopenssl1_0_0-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-32bit-1.0.2j-60.66.1
      openssl-1.0.2j-60.66.1
      openssl-debuginfo-1.0.2j-60.66.1
      openssl-debugsource-1.0.2j-60.66.1

   - SUSE OpenStack Cloud 8 (noarch):

      openssl-doc-1.0.2j-60.66.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      libopenssl-devel-1.0.2j-60.66.1
      libopenssl1_0_0-1.0.2j-60.66.1
      libopenssl1_0_0-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-32bit-1.0.2j-60.66.1
      openssl-1.0.2j-60.66.1
      openssl-debuginfo-1.0.2j-60.66.1
      openssl-debugsource-1.0.2j-60.66.1

   - SUSE OpenStack Cloud 7 (noarch):

      openssl-doc-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      libopenssl-devel-1.0.2j-60.66.1
      libopenssl1_0_0-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-1.0.2j-60.66.1
      openssl-1.0.2j-60.66.1
      openssl-debuginfo-1.0.2j-60.66.1
      openssl-debugsource-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):

      libopenssl1_0_0-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-32bit-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

      openssl-doc-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      libopenssl-devel-1.0.2j-60.66.1
      libopenssl1_0_0-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-1.0.2j-60.66.1
      openssl-1.0.2j-60.66.1
      openssl-debuginfo-1.0.2j-60.66.1
      openssl-debugsource-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

      openssl-doc-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):

      libopenssl1_0_0-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-32bit-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      libopenssl-devel-1.0.2j-60.66.1
      libopenssl1_0_0-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-1.0.2j-60.66.1
      openssl-1.0.2j-60.66.1
      openssl-debuginfo-1.0.2j-60.66.1
      openssl-debugsource-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):

      libopenssl1_0_0-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-32bit-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

      openssl-doc-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      libopenssl-devel-1.0.2j-60.66.1
      libopenssl1_0_0-1.0.2j-60.66.1
      libopenssl1_0_0-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-32bit-1.0.2j-60.66.1
      openssl-1.0.2j-60.66.1
      openssl-debuginfo-1.0.2j-60.66.1
      openssl-debugsource-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):

      openssl-doc-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      libopenssl-devel-1.0.2j-60.66.1
      libopenssl1_0_0-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-1.0.2j-60.66.1
      openssl-1.0.2j-60.66.1
      openssl-debuginfo-1.0.2j-60.66.1
      openssl-debugsource-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):

      libopenssl1_0_0-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-32bit-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

      openssl-doc-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      openssl-doc-1.0.2j-60.66.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      libopenssl-devel-1.0.2j-60.66.1
      libopenssl1_0_0-1.0.2j-60.66.1
      libopenssl1_0_0-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-32bit-1.0.2j-60.66.1
      openssl-1.0.2j-60.66.1
      openssl-debuginfo-1.0.2j-60.66.1
      openssl-debugsource-1.0.2j-60.66.1

   - HPE Helion Openstack 8 (noarch):

      openssl-doc-1.0.2j-60.66.1

   - HPE Helion Openstack 8 (x86_64):

      libopenssl-devel-1.0.2j-60.66.1
      libopenssl1_0_0-1.0.2j-60.66.1
      libopenssl1_0_0-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-1.0.2j-60.66.1
      libopenssl1_0_0-debuginfo-32bit-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-1.0.2j-60.66.1
      libopenssl1_0_0-hmac-32bit-1.0.2j-60.66.1
      openssl-1.0.2j-60.66.1
      openssl-debuginfo-1.0.2j-60.66.1
      openssl-debugsource-1.0.2j-60.66.1

References:

   https://www.suse.com/security/cve/CVE-2021-23840.html
   https://www.suse.com/security/cve/CVE-2021-23841.html
   https://bugzilla.suse.com/1182331
   https://bugzilla.suse.com/1182333

From sle-security-updates at lists.suse.com  Wed Mar 24 14:37:09 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 15:37:09 +0100 (CET)
Subject: SUSE-SU-2021:0943-1: important: Security update for hawk2
Message-ID: <20210324143709.0B82AFD17@maintenance.suse.de>

   SUSE Security Update: Security update for hawk2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0943-1
Rating:             important
References:         #1179999 #1182165 #1182166
Cross-References:   CVE-2020-35459 CVE-2021-25314
CVSS scores:
                    CVE-2020-35459 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-35459 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25314 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise High Availability 12-SP3
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now available.
Description:

   This update for hawk2 fixes the following issues:

   - Update to version 2.6.3:
     * Remove hawk_invoke and use capture3 instead of runas (bsc#1179999)(CVE-2020-35459)
     * Remove unnecessary chmod (bsc#1182166)(CVE-2021-25314)
     * Sanitize filename to contain a whitelist of alphanumeric characters (bsc#1182165)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise High Availability 12-SP3:

      zypper in -t patch SUSE-SLE-HA-12-SP3-2021-943=1

Package List:

   - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64):

      hawk2-2.6.3+git.1614685906.812c31e9-2.42.1
      hawk2-debuginfo-2.6.3+git.1614685906.812c31e9-2.42.1
      hawk2-debugsource-2.6.3+git.1614685906.812c31e9-2.42.1

References:

   https://www.suse.com/security/cve/CVE-2020-35459.html
   https://www.suse.com/security/cve/CVE-2021-25314.html
   https://bugzilla.suse.com/1179999
   https://bugzilla.suse.com/1182165
   https://bugzilla.suse.com/1182166

From sle-security-updates at lists.suse.com  Wed Mar 24 17:16:48 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 18:16:48 +0100 (CET)
Subject: SUSE-SU-2021:0948-1: moderate: Security update for zstd
Message-ID: <20210324171648.B92DEFD17@maintenance.suse.de>

   SUSE Security Update: Security update for zstd
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0948-1
Rating:             moderate
References:         #1183370 #1183371
Cross-References:   CVE-2021-24031 CVE-2021-24032
CVSS scores:
                    CVE-2021-24031 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-24031 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-24032 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-24032 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for zstd fixes the following issues:

   - CVE-2021-24031: Added read permissions to files while being compressed or
     uncompressed (bsc#1183371).
   - CVE-2021-24032: Fixed a race condition which could have allowed an attacker to
     access a world-readable destination file (bsc#1183370).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-948=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-948=1

Package List:

   - SUSE MicroOS 5.0 (aarch64 x86_64):

      libzstd1-1.4.4-1.6.1
      libzstd1-debuginfo-1.4.4-1.6.1
      zstd-debuginfo-1.4.4-1.6.1
      zstd-debugsource-1.4.4-1.6.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      libzstd-devel-1.4.4-1.6.1
      libzstd1-1.4.4-1.6.1
      libzstd1-debuginfo-1.4.4-1.6.1
      zstd-1.4.4-1.6.1
      zstd-debuginfo-1.4.4-1.6.1
      zstd-debugsource-1.4.4-1.6.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):

      libzstd1-32bit-1.4.4-1.6.1
      libzstd1-32bit-debuginfo-1.4.4-1.6.1

References:

   https://www.suse.com/security/cve/CVE-2021-24031.html
   https://www.suse.com/security/cve/CVE-2021-24032.html
   https://bugzilla.suse.com/1183370
   https://bugzilla.suse.com/1183371

From sle-security-updates at lists.suse.com  Wed Mar 24 17:17:57 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 18:17:57 +0100 (CET)
Subject: SUSE-SU-2021:0949-1: moderate: Security update for evolution-data-server
Message-ID: <20210324171757.7121AFD17@maintenance.suse.de>

   SUSE Security Update: Security update for evolution-data-server
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0949-1
Rating:             moderate
References:         #1173910 #1174712 #1182882
Cross-References:   CVE-2020-14928 CVE-2020-16117
CVSS scores:
                    CVE-2020-14928 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2020-14928 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2020-16117 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-16117 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP2
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now available.

Description:

   This update for evolution-data-server fixes the following issues:

   - CVE-2020-16117: Fix crash on malformed server response with minimal capabilities
     (bsc#1174712).
   - CVE-2020-14928: Response injection via STARTTLS in SMTP and POP3 (bsc#1173910).
   - Fix buffer overrun when parsing base64 data (bsc#1182882).

   This update for evolution-ews fixes the following issue:

   - Fix buffer overrun when parsing base64 data (bsc#1182882).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP2:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-949=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):

      evolution-data-server-3.34.4-3.3.1
      evolution-data-server-debuginfo-3.34.4-3.3.1
      evolution-data-server-debugsource-3.34.4-3.3.1
      evolution-data-server-devel-3.34.4-3.3.1
      evolution-ews-3.34.4-3.3.1
      evolution-ews-debuginfo-3.34.4-3.3.1
      evolution-ews-debugsource-3.34.4-3.3.1
      libcamel-1_2-62-3.34.4-3.3.1
      libcamel-1_2-62-debuginfo-3.34.4-3.3.1
      libebackend-1_2-10-3.34.4-3.3.1
      libebackend-1_2-10-debuginfo-3.34.4-3.3.1
      libebook-1_2-20-3.34.4-3.3.1
      libebook-1_2-20-debuginfo-3.34.4-3.3.1
      libebook-contacts-1_2-3-3.34.4-3.3.1
      libebook-contacts-1_2-3-debuginfo-3.34.4-3.3.1
      libecal-2_0-1-3.34.4-3.3.1
      libecal-2_0-1-debuginfo-3.34.4-3.3.1
      libedata-book-1_2-26-3.34.4-3.3.1
      libedata-book-1_2-26-debuginfo-3.34.4-3.3.1
      libedata-cal-2_0-1-3.34.4-3.3.1
      libedata-cal-2_0-1-debuginfo-3.34.4-3.3.1
      libedataserver-1_2-24-3.34.4-3.3.1
      libedataserver-1_2-24-debuginfo-3.34.4-3.3.1
      libedataserverui-1_2-2-3.34.4-3.3.1
      libedataserverui-1_2-2-debuginfo-3.34.4-3.3.1
      typelib-1_0-Camel-1_2-3.34.4-3.3.1
      typelib-1_0-EBook-1_2-3.34.4-3.3.1
      typelib-1_0-EBookContacts-1_2-3.34.4-3.3.1
      typelib-1_0-ECal-2_0-3.34.4-3.3.1
      typelib-1_0-EDataServer-1_2-3.34.4-3.3.1
      typelib-1_0-EDataServerUI-1_2-3.34.4-3.3.1

   - SUSE Linux Enterprise Workstation Extension 15-SP2 (noarch):

      evolution-data-server-lang-3.34.4-3.3.1
      evolution-ews-lang-3.34.4-3.3.1

References:

   https://www.suse.com/security/cve/CVE-2020-14928.html
   https://www.suse.com/security/cve/CVE-2020-16117.html
   https://bugzilla.suse.com/1173910
   https://bugzilla.suse.com/1174712
   https://bugzilla.suse.com/1182882

From sle-security-updates at lists.suse.com  Wed Mar 24 17:19:12 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 18:19:12 +0100 (CET)
Subject: SUSE-SU-2021:0945-1: important: Security update for ldb
Message-ID: <20210324171912.9237CFD17@maintenance.suse.de>

   SUSE Security Update: Security update for ldb
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0945-1
Rating:             important
References:         #1183572 #1183574
Cross-References:   CVE-2020-27840 CVE-2021-20277
CVSS scores:
                    CVE-2020-27840 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-20277 (SUSE): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for ldb fixes the following issues:

   - CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs
     (bsc#1183572).
   - CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-945=1

Package List:

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      ldb-debugsource-2.0.12-3.6.1
      ldb-tools-2.0.12-3.6.1
      ldb-tools-debuginfo-2.0.12-3.6.1
      libldb-devel-2.0.12-3.6.1
      libldb2-2.0.12-3.6.1
      libldb2-debuginfo-2.0.12-3.6.1
      python3-ldb-2.0.12-3.6.1
      python3-ldb-debuginfo-2.0.12-3.6.1
      python3-ldb-devel-2.0.12-3.6.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):

      libldb2-32bit-2.0.12-3.6.1
      libldb2-32bit-debuginfo-2.0.12-3.6.1

References:

   https://www.suse.com/security/cve/CVE-2020-27840.html
   https://www.suse.com/security/cve/CVE-2021-20277.html
   https://bugzilla.suse.com/1183572
   https://bugzilla.suse.com/1183574

From sle-security-updates at lists.suse.com  Wed Mar 24 17:20:23 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 18:20:23 +0100 (CET)
Subject: SUSE-SU-2021:0947-1: moderate: Security update for python3
Message-ID: <20210324172023.67047FD17@maintenance.suse.de>

   SUSE Security Update: Security update for python3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0947-1
Rating:             moderate
References:         #1182379
Cross-References:   CVE-2021-23336
CVSS scores:
                    CVE-2021-23336 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
                    CVE-2021-23336 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.
Description:

   This update for python3 fixes the following issues:

   - python36 was updated to 3.6.13
   - CVE-2021-23336: Fixed a potential web cache poisoning through the use of a
     semicolon as a query string separator in query parameters (bsc#1182379).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-947=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-947=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-947=1

Package List:

   - SUSE MicroOS 5.0 (aarch64 x86_64):

      libpython3_6m1_0-3.6.13-3.78.1
      libpython3_6m1_0-debuginfo-3.6.13-3.78.1
      python3-3.6.13-3.78.1
      python3-base-3.6.13-3.78.1
      python3-base-debuginfo-3.6.13-3.78.1
      python3-core-debugsource-3.6.13-3.78.1
      python3-debuginfo-3.6.13-3.78.1
      python3-debugsource-3.6.13-3.78.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):

      python3-tools-3.6.13-3.78.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      libpython3_6m1_0-3.6.13-3.78.1
      libpython3_6m1_0-debuginfo-3.6.13-3.78.1
      python3-3.6.13-3.78.1
      python3-base-3.6.13-3.78.1
      python3-curses-3.6.13-3.78.1
      python3-curses-debuginfo-3.6.13-3.78.1
      python3-dbm-3.6.13-3.78.1
      python3-dbm-debuginfo-3.6.13-3.78.1
      python3-debuginfo-3.6.13-3.78.1
      python3-debugsource-3.6.13-3.78.1
      python3-devel-3.6.13-3.78.1
      python3-devel-debuginfo-3.6.13-3.78.1
      python3-idle-3.6.13-3.78.1
      python3-tk-3.6.13-3.78.1
      python3-tk-debuginfo-3.6.13-3.78.1

References:

   https://www.suse.com/security/cve/CVE-2021-23336.html
   https://bugzilla.suse.com/1182379

From sle-security-updates at lists.suse.com  Wed Mar 24 17:23:01 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 24 Mar 2021 18:23:01 +0100 (CET)
Subject: SUSE-SU-2021:0944-1: important: Security update for ldb
Message-ID: <20210324172301.6D9CCFD17@maintenance.suse.de>

   SUSE Security Update: Security update for ldb
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0944-1
Rating:             important
References:         #1183572 #1183574
Cross-References:   CVE-2020-27840 CVE-2021-20277
CVSS scores:
                    CVE-2020-27840 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-20277 (SUSE): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Module for Python2 15-SP3
                    SUSE Linux Enterprise Module for Python2 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for ldb fixes the following issues:

   - CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs
     (bsc#1183572).
   - CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-944=1

   - SUSE Manager Retail Branch Server 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-944=1

   - SUSE Manager Proxy 4.0:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-944=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-944=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-944=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-944=1

   - SUSE Linux Enterprise Module for Python2 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Python2-15-SP3-2021-944=1

   - SUSE Linux Enterprise Module for Python2 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2021-944=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-944=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-944=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-944=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform
      you if it detects new updates and let you then trigger updating of the complete
      cluster in a controlled way.
Package List:

   - SUSE Manager Server 4.0 (ppc64le s390x x86_64):

      ldb-debugsource-1.4.6-3.8.1
      ldb-tools-1.4.6-3.8.1
      ldb-tools-debuginfo-1.4.6-3.8.1
      libldb-devel-1.4.6-3.8.1
      libldb1-1.4.6-3.8.1
      libldb1-debuginfo-1.4.6-3.8.1
      python-ldb-1.4.6-3.8.1
      python-ldb-debuginfo-1.4.6-3.8.1
      python-ldb-devel-1.4.6-3.8.1
      python3-ldb-1.4.6-3.8.1
      python3-ldb-debuginfo-1.4.6-3.8.1
      python3-ldb-devel-1.4.6-3.8.1

   - SUSE Manager Server 4.0 (x86_64):

      libldb1-32bit-1.4.6-3.8.1
      libldb1-32bit-debuginfo-1.4.6-3.8.1

   - SUSE Manager Retail Branch Server 4.0 (x86_64):

      ldb-debugsource-1.4.6-3.8.1
      ldb-tools-1.4.6-3.8.1
      ldb-tools-debuginfo-1.4.6-3.8.1
      libldb-devel-1.4.6-3.8.1
      libldb1-1.4.6-3.8.1
      libldb1-32bit-1.4.6-3.8.1
      libldb1-32bit-debuginfo-1.4.6-3.8.1
      libldb1-debuginfo-1.4.6-3.8.1
      python-ldb-1.4.6-3.8.1
      python-ldb-debuginfo-1.4.6-3.8.1
      python-ldb-devel-1.4.6-3.8.1
      python3-ldb-1.4.6-3.8.1
      python3-ldb-debuginfo-1.4.6-3.8.1
      python3-ldb-devel-1.4.6-3.8.1

   - SUSE Manager Proxy 4.0 (x86_64):

      ldb-debugsource-1.4.6-3.8.1
      ldb-tools-1.4.6-3.8.1
      ldb-tools-debuginfo-1.4.6-3.8.1
      libldb-devel-1.4.6-3.8.1
      libldb1-1.4.6-3.8.1
      libldb1-32bit-1.4.6-3.8.1
      libldb1-32bit-debuginfo-1.4.6-3.8.1
      libldb1-debuginfo-1.4.6-3.8.1
      python-ldb-1.4.6-3.8.1
      python-ldb-debuginfo-1.4.6-3.8.1
      python-ldb-devel-1.4.6-3.8.1
      python3-ldb-1.4.6-3.8.1
      python3-ldb-debuginfo-1.4.6-3.8.1
      python3-ldb-devel-1.4.6-3.8.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

      ldb-debugsource-1.4.6-3.8.1
      ldb-tools-1.4.6-3.8.1
      ldb-tools-debuginfo-1.4.6-3.8.1
      libldb-devel-1.4.6-3.8.1
      libldb1-1.4.6-3.8.1
      libldb1-debuginfo-1.4.6-3.8.1
      python-ldb-1.4.6-3.8.1
      python-ldb-debuginfo-1.4.6-3.8.1
      python-ldb-devel-1.4.6-3.8.1
      python3-ldb-1.4.6-3.8.1
      python3-ldb-debuginfo-1.4.6-3.8.1
      python3-ldb-devel-1.4.6-3.8.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):

      libldb1-32bit-1.4.6-3.8.1
      libldb1-32bit-debuginfo-1.4.6-3.8.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

      ldb-debugsource-1.4.6-3.8.1
      ldb-tools-1.4.6-3.8.1
      ldb-tools-debuginfo-1.4.6-3.8.1
      libldb-devel-1.4.6-3.8.1
      libldb1-1.4.6-3.8.1
      libldb1-debuginfo-1.4.6-3.8.1
      python-ldb-1.4.6-3.8.1
      python-ldb-debuginfo-1.4.6-3.8.1
      python-ldb-devel-1.4.6-3.8.1
      python3-ldb-1.4.6-3.8.1
      python3-ldb-debuginfo-1.4.6-3.8.1
      python3-ldb-devel-1.4.6-3.8.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):

      libldb1-32bit-1.4.6-3.8.1
      libldb1-32bit-debuginfo-1.4.6-3.8.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

      ldb-debugsource-1.4.6-3.8.1
      ldb-tools-1.4.6-3.8.1
      ldb-tools-debuginfo-1.4.6-3.8.1
      libldb-devel-1.4.6-3.8.1
      libldb1-1.4.6-3.8.1
      libldb1-32bit-1.4.6-3.8.1
      libldb1-32bit-debuginfo-1.4.6-3.8.1
      libldb1-debuginfo-1.4.6-3.8.1
      python-ldb-1.4.6-3.8.1
      python-ldb-debuginfo-1.4.6-3.8.1
      python-ldb-devel-1.4.6-3.8.1
      python3-ldb-1.4.6-3.8.1
      python3-ldb-debuginfo-1.4.6-3.8.1
      python3-ldb-devel-1.4.6-3.8.1

   - SUSE Linux Enterprise Module for Python2 15-SP3 (aarch64 ppc64le s390x x86_64):

      ldb-debugsource-1.4.6-3.8.1
      libldb1-1.4.6-3.8.1
      libldb1-debuginfo-1.4.6-3.8.1
      python-ldb-1.4.6-3.8.1
      python-ldb-debuginfo-1.4.6-3.8.1

   - SUSE Linux Enterprise Module for Python2 15-SP2 (aarch64 ppc64le s390x x86_64):

      ldb-debugsource-1.4.6-3.8.1
      libldb1-1.4.6-3.8.1
      libldb1-debuginfo-1.4.6-3.8.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):

      ldb-debugsource-1.4.6-3.8.1
      ldb-tools-1.4.6-3.8.1
      ldb-tools-debuginfo-1.4.6-3.8.1
      libldb-devel-1.4.6-3.8.1
      libldb1-1.4.6-3.8.1
      libldb1-debuginfo-1.4.6-3.8.1
      python-ldb-1.4.6-3.8.1
      python-ldb-debuginfo-1.4.6-3.8.1
      python-ldb-devel-1.4.6-3.8.1
      python3-ldb-1.4.6-3.8.1
      python3-ldb-debuginfo-1.4.6-3.8.1
      python3-ldb-devel-1.4.6-3.8.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):

      libldb1-32bit-1.4.6-3.8.1
      libldb1-32bit-debuginfo-1.4.6-3.8.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):

      ldb-debugsource-1.4.6-3.8.1
      ldb-tools-1.4.6-3.8.1
      ldb-tools-debuginfo-1.4.6-3.8.1
      libldb-devel-1.4.6-3.8.1
      libldb1-1.4.6-3.8.1
      libldb1-debuginfo-1.4.6-3.8.1
      python-ldb-1.4.6-3.8.1
      python-ldb-debuginfo-1.4.6-3.8.1
      python-ldb-devel-1.4.6-3.8.1
      python3-ldb-1.4.6-3.8.1
      python3-ldb-debuginfo-1.4.6-3.8.1
      python3-ldb-devel-1.4.6-3.8.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):

      libldb1-32bit-1.4.6-3.8.1
      libldb1-32bit-debuginfo-1.4.6-3.8.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      ldb-debugsource-1.4.6-3.8.1
      ldb-tools-1.4.6-3.8.1
      ldb-tools-debuginfo-1.4.6-3.8.1
      libldb-devel-1.4.6-3.8.1
      libldb1-1.4.6-3.8.1
      libldb1-debuginfo-1.4.6-3.8.1
      python-ldb-1.4.6-3.8.1
      python-ldb-debuginfo-1.4.6-3.8.1
      python-ldb-devel-1.4.6-3.8.1
      python3-ldb-1.4.6-3.8.1
      python3-ldb-debuginfo-1.4.6-3.8.1
      python3-ldb-devel-1.4.6-3.8.1

   - SUSE Enterprise Storage 6 (x86_64):

      libldb1-32bit-1.4.6-3.8.1
      libldb1-32bit-debuginfo-1.4.6-3.8.1

   - SUSE CaaS Platform 4.0 (x86_64):

      ldb-debugsource-1.4.6-3.8.1
      ldb-tools-1.4.6-3.8.1
      ldb-tools-debuginfo-1.4.6-3.8.1
      libldb-devel-1.4.6-3.8.1
      libldb1-1.4.6-3.8.1
      libldb1-32bit-1.4.6-3.8.1
      libldb1-32bit-debuginfo-1.4.6-3.8.1
      libldb1-debuginfo-1.4.6-3.8.1
      python-ldb-1.4.6-3.8.1
      python-ldb-debuginfo-1.4.6-3.8.1
      python-ldb-devel-1.4.6-3.8.1
      python3-ldb-1.4.6-3.8.1
      python3-ldb-debuginfo-1.4.6-3.8.1
      python3-ldb-devel-1.4.6-3.8.1

References:

   https://www.suse.com/security/cve/CVE-2020-27840.html
   https://www.suse.com/security/cve/CVE-2021-20277.html
   https://bugzilla.suse.com/1183572
   https://bugzilla.suse.com/1183574

From sle-security-updates at lists.suse.com  Thu Mar 25 20:16:35 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 25 Mar 2021 21:16:35 +0100 (CET)
Subject: SUSE-SU-2021:0954-1: important: Security update for openssl-1_1
Message-ID: <20210325201635.C24DAFEDA@maintenance.suse.de>

   SUSE Security Update: Security update for openssl-1_1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0954-1
Rating:             important
References:         #1183852
Cross-References:   CVE-2021-3449
CVSS scores:
                    CVE-2021-3449 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for openssl-1_1 fixes the following security issue:

   * CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted
     renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation
     ClientHello omits the signature_algorithms extension but includes a
     signature_algorithms_cert extension, then a NULL pointer dereference will result,
     leading to a crash and a denial of service attack. OpenSSL TLS clients are not
     impacted by this issue. [bsc#1183852]

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-954=1
- SUSE OpenStack Cloud 9:
  zypper in -t patch SUSE-OpenStack-Cloud-9-2021-954=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-954=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-954=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-954=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-954=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  libopenssl1_1-1.1.1d-2.33.1 libopenssl1_1-32bit-1.1.1d-2.33.1 libopenssl1_1-debuginfo-1.1.1d-2.33.1 libopenssl1_1-debuginfo-32bit-1.1.1d-2.33.1 openssl-1_1-1.1.1d-2.33.1 openssl-1_1-debuginfo-1.1.1d-2.33.1 openssl-1_1-debugsource-1.1.1d-2.33.1
- SUSE OpenStack Cloud 9 (x86_64):
  libopenssl1_1-1.1.1d-2.33.1 libopenssl1_1-32bit-1.1.1d-2.33.1 libopenssl1_1-debuginfo-1.1.1d-2.33.1 libopenssl1_1-debuginfo-32bit-1.1.1d-2.33.1 openssl-1_1-1.1.1d-2.33.1 openssl-1_1-debuginfo-1.1.1d-2.33.1 openssl-1_1-debugsource-1.1.1d-2.33.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  libopenssl-1_1-devel-1.1.1d-2.33.1 openssl-1_1-debuginfo-1.1.1d-2.33.1 openssl-1_1-debugsource-1.1.1d-2.33.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (s390x x86_64):
  libopenssl-1_1-devel-32bit-1.1.1d-2.33.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
  libopenssl1_1-1.1.1d-2.33.1 libopenssl1_1-debuginfo-1.1.1d-2.33.1 openssl-1_1-1.1.1d-2.33.1 openssl-1_1-debuginfo-1.1.1d-2.33.1 openssl-1_1-debugsource-1.1.1d-2.33.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):
  libopenssl1_1-32bit-1.1.1d-2.33.1 libopenssl1_1-debuginfo-32bit-1.1.1d-2.33.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  libopenssl1_1-1.1.1d-2.33.1 libopenssl1_1-debuginfo-1.1.1d-2.33.1 openssl-1_1-1.1.1d-2.33.1 openssl-1_1-debuginfo-1.1.1d-2.33.1 openssl-1_1-debugsource-1.1.1d-2.33.1
- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
  libopenssl1_1-32bit-1.1.1d-2.33.1 libopenssl1_1-debuginfo-32bit-1.1.1d-2.33.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
  libopenssl1_1-1.1.1d-2.33.1 libopenssl1_1-debuginfo-1.1.1d-2.33.1 openssl-1_1-1.1.1d-2.33.1 openssl-1_1-debuginfo-1.1.1d-2.33.1 openssl-1_1-debugsource-1.1.1d-2.33.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):
  libopenssl1_1-32bit-1.1.1d-2.33.1 libopenssl1_1-debuginfo-32bit-1.1.1d-2.33.1

References:

https://www.suse.com/security/cve/CVE-2021-3449.html
https://bugzilla.suse.com/1183852

From sle-security-updates at lists.suse.com Thu Mar 25 20:17:40 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 25 Mar 2021 21:17:40 +0100 (CET)
Subject: SUSE-SU-2021:0955-1: important: Security update for openssl-1_1
Message-ID: <20210325201740.A760DFEDA@maintenance.suse.de>

SUSE Security Update: Security update for openssl-1_1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0955-1
Rating:             important
References:         #1183852
Cross-References:   CVE-2021-3449
CVSS scores:
                    CVE-2021-3449 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for openssl-1_1 fixes the following security issue:

* CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. [bsc#1183852]

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.0:
  zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-955=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-955=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-955=1

Package List:

- SUSE MicroOS 5.0 (aarch64 x86_64):
  libopenssl1_1-1.1.1d-11.20.1 libopenssl1_1-debuginfo-1.1.1d-11.20.1 openssl-1_1-1.1.1d-11.20.1 openssl-1_1-debuginfo-1.1.1d-11.20.1 openssl-1_1-debugsource-1.1.1d-11.20.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
  libopenssl-1_1-devel-1.1.1d-11.20.1 libopenssl1_1-1.1.1d-11.20.1 libopenssl1_1-debuginfo-1.1.1d-11.20.1 libopenssl1_1-hmac-1.1.1d-11.20.1 openssl-1_1-1.1.1d-11.20.1 openssl-1_1-debuginfo-1.1.1d-11.20.1 openssl-1_1-debugsource-1.1.1d-11.20.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):
  libopenssl1_1-32bit-1.1.1d-11.20.1 libopenssl1_1-32bit-debuginfo-1.1.1d-11.20.1 libopenssl1_1-hmac-32bit-1.1.1d-11.20.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  libopenssl-1_1-devel-1.1.1d-11.20.1 libopenssl1_1-1.1.1d-11.20.1 libopenssl1_1-debuginfo-1.1.1d-11.20.1 libopenssl1_1-hmac-1.1.1d-11.20.1 openssl-1_1-1.1.1d-11.20.1 openssl-1_1-debuginfo-1.1.1d-11.20.1 openssl-1_1-debugsource-1.1.1d-11.20.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):
  libopenssl1_1-32bit-1.1.1d-11.20.1 libopenssl1_1-32bit-debuginfo-1.1.1d-11.20.1 libopenssl1_1-hmac-32bit-1.1.1d-11.20.1

References:

https://www.suse.com/security/cve/CVE-2021-3449.html
https://bugzilla.suse.com/1183852

From sle-security-updates at lists.suse.com Thu Mar 25 23:16:45 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 26 Mar 2021 00:16:45 +0100 (CET)
Subject: SUSE-SU-2021:0956-1: moderate: Security update for libzypp, zypper
Message-ID: <20210325231645.951D1FEDA@maintenance.suse.de>

SUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0956-1
Rating:             moderate
References:         #1050625 #1174016 #1177238 #1177275 #1177427 #1177583 #1178910 #1178966 #1179083 #1179222 #1179816 #1179847 #1179909 #1180077 #1180663 #1180721 #1181328 #1181622 #1182629 SLE-8482
Cross-References:   CVE-2017-9271
CVSS scores:
                    CVE-2017-9271 (NVD) : 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2017-9271 (SUSE): 4 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products:
                    SUSE Manager Server 4.0
                    SUSE Manager Retail Branch Server 4.0
                    SUSE Manager Proxy 4.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Installer 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that solves one vulnerability, contains one feature and has 18 fixes is now available.
Description:

This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.43:

- doc: give more details about creating versioned package locks (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)
- Prefer /run over /var/run.

Update libzypp to 17.25.8:

- Try to provide a mounted /proc in --root installs (bsc#1181328). Some systemd tools require /proc to be mounted and fail if it's not there.
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names (bsc#1179847). This allows the RH and SUSE patch category names to be used synonymously: (recommended = bugfix) and (optional = feature = enhancement).
- Add missing includes for GCC 11 compatibility.
- Fix %posttrans script execution (fixes #265). The scripts are executable; there is no need to call them through 'sh -c'.
- Commit: Fix rpmdb compat symlink in case rpm got removed.
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use the new rpmdb2solv -D switch to tell it the location of the rpm database to use.
- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with an extended expiry date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-956=1
- SUSE Manager Retail Branch Server 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-956=1
- SUSE Manager Proxy 4.0:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-956=1
- SUSE Linux Enterprise Server for SAP 15-SP1:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-956=1
- SUSE Linux Enterprise Server 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-956=1
- SUSE Linux Enterprise Server 15-SP1-BCL:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-956=1
- SUSE Linux Enterprise Installer 15-SP1:
  zypper in -t patch SUSE-SLE-INSTALLER-15-SP1-2021-956=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-956=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-956=1
- SUSE Enterprise Storage 6:
  zypper in -t patch SUSE-Storage-6-2021-956=1
- SUSE CaaS Platform 4.0:
  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
Package List:

- SUSE Manager Server 4.0 (ppc64le s390x x86_64):
  libsigc++2-debugsource-2.10.0-3.7.1 libsigc++2-devel-2.10.0-3.7.1 libsigc-2_0-0-2.10.0-3.7.1 libsigc-2_0-0-debuginfo-2.10.0-3.7.1 libsolv-debuginfo-0.7.17-3.32.1 libsolv-debugsource-0.7.17-3.32.1 libsolv-devel-0.7.17-3.32.1 libsolv-devel-debuginfo-0.7.17-3.32.1 libsolv-tools-0.7.17-3.32.1 libsolv-tools-debuginfo-0.7.17-3.32.1 libyui-ncurses-pkg-debugsource-2.48.9-7.7.1 libyui-ncurses-pkg-devel-2.48.9-7.7.1 libyui-ncurses-pkg9-2.48.9-7.7.1 libyui-ncurses-pkg9-debuginfo-2.48.9-7.7.1 libyui-qt-pkg-debugsource-2.45.28-3.10.1 libyui-qt-pkg-devel-2.45.28-3.10.1 libyui-qt-pkg9-2.45.28-3.10.1 libyui-qt-pkg9-debuginfo-2.45.28-3.10.1 libzypp-17.25.8-3.48.1 libzypp-debuginfo-17.25.8-3.48.1 libzypp-debugsource-17.25.8-3.48.1 libzypp-devel-17.25.8-3.48.1 perl-solv-0.7.17-3.32.1 perl-solv-debuginfo-0.7.17-3.32.1 python3-solv-0.7.17-3.32.1 python3-solv-debuginfo-0.7.17-3.32.1 ruby-solv-0.7.17-3.32.1 ruby-solv-debuginfo-0.7.17-3.32.1 yast2-pkg-bindings-4.1.3-3.10.3 yast2-pkg-bindings-debuginfo-4.1.3-3.10.3 yast2-pkg-bindings-debugsource-4.1.3-3.10.3 zypper-1.14.43-3.34.1 zypper-debuginfo-1.14.43-3.34.1 zypper-debugsource-1.14.43-3.34.1
- SUSE Manager Server 4.0 (noarch):
  libyui-ncurses-pkg-doc-2.48.9-7.7.1 libyui-qt-pkg-doc-2.45.28-3.10.1 zypper-log-1.14.43-3.34.1 zypper-needs-restarting-1.14.43-3.34.1
- SUSE Manager Retail Branch Server 4.0 (noarch):
  libyui-ncurses-pkg-doc-2.48.9-7.7.1 libyui-qt-pkg-doc-2.45.28-3.10.1 zypper-log-1.14.43-3.34.1 zypper-needs-restarting-1.14.43-3.34.1
- SUSE Manager Retail Branch Server 4.0 (x86_64):
  libsigc++2-debugsource-2.10.0-3.7.1 libsigc++2-devel-2.10.0-3.7.1 libsigc-2_0-0-2.10.0-3.7.1 libsigc-2_0-0-debuginfo-2.10.0-3.7.1 libsolv-debuginfo-0.7.17-3.32.1 libsolv-debugsource-0.7.17-3.32.1 libsolv-devel-0.7.17-3.32.1 libsolv-devel-debuginfo-0.7.17-3.32.1 libsolv-tools-0.7.17-3.32.1 libsolv-tools-debuginfo-0.7.17-3.32.1 libyui-ncurses-pkg-debugsource-2.48.9-7.7.1 libyui-ncurses-pkg-devel-2.48.9-7.7.1 libyui-ncurses-pkg9-2.48.9-7.7.1 libyui-ncurses-pkg9-debuginfo-2.48.9-7.7.1 libyui-qt-pkg-debugsource-2.45.28-3.10.1 libyui-qt-pkg-devel-2.45.28-3.10.1 libyui-qt-pkg9-2.45.28-3.10.1 libyui-qt-pkg9-debuginfo-2.45.28-3.10.1 libzypp-17.25.8-3.48.1 libzypp-debuginfo-17.25.8-3.48.1 libzypp-debugsource-17.25.8-3.48.1 libzypp-devel-17.25.8-3.48.1 perl-solv-0.7.17-3.32.1 perl-solv-debuginfo-0.7.17-3.32.1 python3-solv-0.7.17-3.32.1 python3-solv-debuginfo-0.7.17-3.32.1 ruby-solv-0.7.17-3.32.1 ruby-solv-debuginfo-0.7.17-3.32.1 yast2-pkg-bindings-4.1.3-3.10.3 yast2-pkg-bindings-debuginfo-4.1.3-3.10.3 yast2-pkg-bindings-debugsource-4.1.3-3.10.3 zypper-1.14.43-3.34.1 zypper-debuginfo-1.14.43-3.34.1 zypper-debugsource-1.14.43-3.34.1
- SUSE Manager Proxy 4.0 (noarch):
  libyui-ncurses-pkg-doc-2.48.9-7.7.1 libyui-qt-pkg-doc-2.45.28-3.10.1 zypper-log-1.14.43-3.34.1 zypper-needs-restarting-1.14.43-3.34.1
- SUSE Manager Proxy 4.0 (x86_64):
  libsigc++2-debugsource-2.10.0-3.7.1 libsigc++2-devel-2.10.0-3.7.1 libsigc-2_0-0-2.10.0-3.7.1 libsigc-2_0-0-debuginfo-2.10.0-3.7.1 libsolv-debuginfo-0.7.17-3.32.1 libsolv-debugsource-0.7.17-3.32.1 libsolv-devel-0.7.17-3.32.1 libsolv-devel-debuginfo-0.7.17-3.32.1 libsolv-tools-0.7.17-3.32.1 libsolv-tools-debuginfo-0.7.17-3.32.1 libyui-ncurses-pkg-debugsource-2.48.9-7.7.1 libyui-ncurses-pkg-devel-2.48.9-7.7.1 libyui-ncurses-pkg9-2.48.9-7.7.1 libyui-ncurses-pkg9-debuginfo-2.48.9-7.7.1 libyui-qt-pkg-debugsource-2.45.28-3.10.1 libyui-qt-pkg-devel-2.45.28-3.10.1 libyui-qt-pkg9-2.45.28-3.10.1 libyui-qt-pkg9-debuginfo-2.45.28-3.10.1 libzypp-17.25.8-3.48.1 libzypp-debuginfo-17.25.8-3.48.1 libzypp-debugsource-17.25.8-3.48.1 libzypp-devel-17.25.8-3.48.1 perl-solv-0.7.17-3.32.1 perl-solv-debuginfo-0.7.17-3.32.1 python3-solv-0.7.17-3.32.1 python3-solv-debuginfo-0.7.17-3.32.1 ruby-solv-0.7.17-3.32.1 ruby-solv-debuginfo-0.7.17-3.32.1 yast2-pkg-bindings-4.1.3-3.10.3 yast2-pkg-bindings-debuginfo-4.1.3-3.10.3 yast2-pkg-bindings-debugsource-4.1.3-3.10.3 zypper-1.14.43-3.34.1 zypper-debuginfo-1.14.43-3.34.1 zypper-debugsource-1.14.43-3.34.1
- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
  libsigc++2-debugsource-2.10.0-3.7.1 libsigc++2-devel-2.10.0-3.7.1 libsigc-2_0-0-2.10.0-3.7.1 libsigc-2_0-0-debuginfo-2.10.0-3.7.1 libsolv-debuginfo-0.7.17-3.32.1 libsolv-debugsource-0.7.17-3.32.1 libsolv-devel-0.7.17-3.32.1 libsolv-devel-debuginfo-0.7.17-3.32.1 libsolv-tools-0.7.17-3.32.1 libsolv-tools-debuginfo-0.7.17-3.32.1 libyui-ncurses-pkg-debugsource-2.48.9-7.7.1 libyui-ncurses-pkg-devel-2.48.9-7.7.1 libyui-ncurses-pkg9-2.48.9-7.7.1 libyui-ncurses-pkg9-debuginfo-2.48.9-7.7.1 libyui-qt-pkg-debugsource-2.45.28-3.10.1 libyui-qt-pkg-devel-2.45.28-3.10.1 libyui-qt-pkg9-2.45.28-3.10.1 libyui-qt-pkg9-debuginfo-2.45.28-3.10.1 libzypp-17.25.8-3.48.1 libzypp-debuginfo-17.25.8-3.48.1 libzypp-debugsource-17.25.8-3.48.1 libzypp-devel-17.25.8-3.48.1 perl-solv-0.7.17-3.32.1 perl-solv-debuginfo-0.7.17-3.32.1 python3-solv-0.7.17-3.32.1 python3-solv-debuginfo-0.7.17-3.32.1 ruby-solv-0.7.17-3.32.1 ruby-solv-debuginfo-0.7.17-3.32.1 yast2-pkg-bindings-4.1.3-3.10.3 yast2-pkg-bindings-debuginfo-4.1.3-3.10.3 yast2-pkg-bindings-debugsource-4.1.3-3.10.3 zypper-1.14.43-3.34.1 zypper-debuginfo-1.14.43-3.34.1 zypper-debugsource-1.14.43-3.34.1
- SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):
  libyui-ncurses-pkg-doc-2.48.9-7.7.1 libyui-qt-pkg-doc-2.45.28-3.10.1 zypper-log-1.14.43-3.34.1 zypper-needs-restarting-1.14.43-3.34.1
- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
  libsigc++2-debugsource-2.10.0-3.7.1 libsigc++2-devel-2.10.0-3.7.1 libsigc-2_0-0-2.10.0-3.7.1 libsigc-2_0-0-debuginfo-2.10.0-3.7.1 libsolv-debuginfo-0.7.17-3.32.1 libsolv-debugsource-0.7.17-3.32.1 libsolv-devel-0.7.17-3.32.1 libsolv-devel-debuginfo-0.7.17-3.32.1 libsolv-tools-0.7.17-3.32.1 libsolv-tools-debuginfo-0.7.17-3.32.1 libyui-ncurses-pkg-debugsource-2.48.9-7.7.1 libyui-ncurses-pkg-devel-2.48.9-7.7.1 libyui-ncurses-pkg9-2.48.9-7.7.1 libyui-ncurses-pkg9-debuginfo-2.48.9-7.7.1 libyui-qt-pkg-debugsource-2.45.28-3.10.1 libyui-qt-pkg-devel-2.45.28-3.10.1 libyui-qt-pkg9-2.45.28-3.10.1 libyui-qt-pkg9-debuginfo-2.45.28-3.10.1 libzypp-17.25.8-3.48.1 libzypp-debuginfo-17.25.8-3.48.1 libzypp-debugsource-17.25.8-3.48.1 libzypp-devel-17.25.8-3.48.1 perl-solv-0.7.17-3.32.1 perl-solv-debuginfo-0.7.17-3.32.1 python3-solv-0.7.17-3.32.1 python3-solv-debuginfo-0.7.17-3.32.1 ruby-solv-0.7.17-3.32.1 ruby-solv-debuginfo-0.7.17-3.32.1 yast2-pkg-bindings-4.1.3-3.10.3 yast2-pkg-bindings-debuginfo-4.1.3-3.10.3 yast2-pkg-bindings-debugsource-4.1.3-3.10.3 zypper-1.14.43-3.34.1 zypper-debuginfo-1.14.43-3.34.1 zypper-debugsource-1.14.43-3.34.1
- SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):
  libyui-ncurses-pkg-doc-2.48.9-7.7.1 libyui-qt-pkg-doc-2.45.28-3.10.1 zypper-log-1.14.43-3.34.1 zypper-needs-restarting-1.14.43-3.34.1
- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
  libsigc++2-debugsource-2.10.0-3.7.1 libsigc++2-devel-2.10.0-3.7.1 libsigc-2_0-0-2.10.0-3.7.1 libsigc-2_0-0-debuginfo-2.10.0-3.7.1 libsolv-debuginfo-0.7.17-3.32.1 libsolv-debugsource-0.7.17-3.32.1 libsolv-devel-0.7.17-3.32.1 libsolv-devel-debuginfo-0.7.17-3.32.1 libsolv-tools-0.7.17-3.32.1 libsolv-tools-debuginfo-0.7.17-3.32.1 libyui-ncurses-pkg-debugsource-2.48.9-7.7.1 libyui-ncurses-pkg-devel-2.48.9-7.7.1 libyui-ncurses-pkg9-2.48.9-7.7.1 libyui-ncurses-pkg9-debuginfo-2.48.9-7.7.1 libyui-qt-pkg-debugsource-2.45.28-3.10.1 libyui-qt-pkg-devel-2.45.28-3.10.1 libyui-qt-pkg9-2.45.28-3.10.1 libyui-qt-pkg9-debuginfo-2.45.28-3.10.1 libzypp-17.25.8-3.48.1 libzypp-debuginfo-17.25.8-3.48.1 libzypp-debugsource-17.25.8-3.48.1 libzypp-devel-17.25.8-3.48.1 perl-solv-0.7.17-3.32.1 perl-solv-debuginfo-0.7.17-3.32.1 python3-solv-0.7.17-3.32.1 python3-solv-debuginfo-0.7.17-3.32.1 ruby-solv-0.7.17-3.32.1 ruby-solv-debuginfo-0.7.17-3.32.1 yast2-pkg-bindings-4.1.3-3.10.3 yast2-pkg-bindings-debuginfo-4.1.3-3.10.3 yast2-pkg-bindings-debugsource-4.1.3-3.10.3 zypper-1.14.43-3.34.1 zypper-debuginfo-1.14.43-3.34.1 zypper-debugsource-1.14.43-3.34.1
- SUSE Linux Enterprise Server 15-SP1-BCL (noarch):
  libyui-ncurses-pkg-doc-2.48.9-7.7.1 libyui-qt-pkg-doc-2.45.28-3.10.1 zypper-log-1.14.43-3.34.1 zypper-needs-restarting-1.14.43-3.34.1
- SUSE Linux Enterprise Installer 15-SP1 (aarch64 ppc64le s390x x86_64):
  libsigc-2_0-0-2.10.0-3.7.1 libsolv-tools-0.7.17-3.32.1 libyui-ncurses-pkg9-2.48.9-7.7.1 libyui-qt-pkg9-2.45.28-3.10.1 libzypp-17.25.8-3.48.1 yast2-pkg-bindings-4.1.3-3.10.3
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
  libsigc++2-debugsource-2.10.0-3.7.1 libsigc++2-devel-2.10.0-3.7.1 libsigc-2_0-0-2.10.0-3.7.1 libsigc-2_0-0-debuginfo-2.10.0-3.7.1 libsolv-debuginfo-0.7.17-3.32.1 libsolv-debugsource-0.7.17-3.32.1 libsolv-devel-0.7.17-3.32.1 libsolv-devel-debuginfo-0.7.17-3.32.1 libsolv-tools-0.7.17-3.32.1 libsolv-tools-debuginfo-0.7.17-3.32.1 libyui-ncurses-pkg-debugsource-2.48.9-7.7.1 libyui-ncurses-pkg-devel-2.48.9-7.7.1 libyui-ncurses-pkg9-2.48.9-7.7.1 libyui-ncurses-pkg9-debuginfo-2.48.9-7.7.1 libyui-qt-pkg-debugsource-2.45.28-3.10.1 libyui-qt-pkg-devel-2.45.28-3.10.1 libyui-qt-pkg9-2.45.28-3.10.1 libyui-qt-pkg9-debuginfo-2.45.28-3.10.1 libzypp-17.25.8-3.48.1 libzypp-debuginfo-17.25.8-3.48.1 libzypp-debugsource-17.25.8-3.48.1 libzypp-devel-17.25.8-3.48.1 perl-solv-0.7.17-3.32.1 perl-solv-debuginfo-0.7.17-3.32.1 python3-solv-0.7.17-3.32.1 python3-solv-debuginfo-0.7.17-3.32.1 ruby-solv-0.7.17-3.32.1 ruby-solv-debuginfo-0.7.17-3.32.1 yast2-pkg-bindings-4.1.3-3.10.3 yast2-pkg-bindings-debuginfo-4.1.3-3.10.3 yast2-pkg-bindings-debugsource-4.1.3-3.10.3 zypper-1.14.43-3.34.1 zypper-debuginfo-1.14.43-3.34.1 zypper-debugsource-1.14.43-3.34.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):
  libyui-ncurses-pkg-doc-2.48.9-7.7.1 libyui-qt-pkg-doc-2.45.28-3.10.1 zypper-log-1.14.43-3.34.1 zypper-needs-restarting-1.14.43-3.34.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
  libsigc++2-debugsource-2.10.0-3.7.1 libsigc++2-devel-2.10.0-3.7.1 libsigc-2_0-0-2.10.0-3.7.1 libsigc-2_0-0-debuginfo-2.10.0-3.7.1 libsolv-debuginfo-0.7.17-3.32.1 libsolv-debugsource-0.7.17-3.32.1 libsolv-devel-0.7.17-3.32.1 libsolv-devel-debuginfo-0.7.17-3.32.1 libsolv-tools-0.7.17-3.32.1 libsolv-tools-debuginfo-0.7.17-3.32.1 libyui-ncurses-pkg-debugsource-2.48.9-7.7.1 libyui-ncurses-pkg-devel-2.48.9-7.7.1 libyui-ncurses-pkg9-2.48.9-7.7.1 libyui-ncurses-pkg9-debuginfo-2.48.9-7.7.1 libyui-qt-pkg-debugsource-2.45.28-3.10.1 libyui-qt-pkg-devel-2.45.28-3.10.1 libyui-qt-pkg9-2.45.28-3.10.1 libyui-qt-pkg9-debuginfo-2.45.28-3.10.1 libzypp-17.25.8-3.48.1 libzypp-debuginfo-17.25.8-3.48.1 libzypp-debugsource-17.25.8-3.48.1 libzypp-devel-17.25.8-3.48.1 perl-solv-0.7.17-3.32.1 perl-solv-debuginfo-0.7.17-3.32.1 python3-solv-0.7.17-3.32.1 python3-solv-debuginfo-0.7.17-3.32.1 ruby-solv-0.7.17-3.32.1 ruby-solv-debuginfo-0.7.17-3.32.1 yast2-pkg-bindings-4.1.3-3.10.3 yast2-pkg-bindings-debuginfo-4.1.3-3.10.3 yast2-pkg-bindings-debugsource-4.1.3-3.10.3 zypper-1.14.43-3.34.1 zypper-debuginfo-1.14.43-3.34.1 zypper-debugsource-1.14.43-3.34.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):
  libyui-ncurses-pkg-doc-2.48.9-7.7.1 libyui-qt-pkg-doc-2.45.28-3.10.1 zypper-log-1.14.43-3.34.1 zypper-needs-restarting-1.14.43-3.34.1
- SUSE Enterprise Storage 6 (aarch64 x86_64):
  libsigc++2-debugsource-2.10.0-3.7.1 libsigc++2-devel-2.10.0-3.7.1 libsigc-2_0-0-2.10.0-3.7.1 libsigc-2_0-0-debuginfo-2.10.0-3.7.1 libsolv-debuginfo-0.7.17-3.32.1 libsolv-debugsource-0.7.17-3.32.1 libsolv-devel-0.7.17-3.32.1 libsolv-devel-debuginfo-0.7.17-3.32.1 libsolv-tools-0.7.17-3.32.1 libsolv-tools-debuginfo-0.7.17-3.32.1 libyui-ncurses-pkg-debugsource-2.48.9-7.7.1 libyui-ncurses-pkg-devel-2.48.9-7.7.1 libyui-ncurses-pkg9-2.48.9-7.7.1 libyui-ncurses-pkg9-debuginfo-2.48.9-7.7.1 libyui-qt-pkg-debugsource-2.45.28-3.10.1 libyui-qt-pkg-devel-2.45.28-3.10.1 libyui-qt-pkg9-2.45.28-3.10.1 libyui-qt-pkg9-debuginfo-2.45.28-3.10.1 libzypp-17.25.8-3.48.1 libzypp-debuginfo-17.25.8-3.48.1 libzypp-debugsource-17.25.8-3.48.1 libzypp-devel-17.25.8-3.48.1 perl-solv-0.7.17-3.32.1 perl-solv-debuginfo-0.7.17-3.32.1 python3-solv-0.7.17-3.32.1 python3-solv-debuginfo-0.7.17-3.32.1 ruby-solv-0.7.17-3.32.1 ruby-solv-debuginfo-0.7.17-3.32.1 yast2-pkg-bindings-4.1.3-3.10.3 yast2-pkg-bindings-debuginfo-4.1.3-3.10.3 yast2-pkg-bindings-debugsource-4.1.3-3.10.3 zypper-1.14.43-3.34.1 zypper-debuginfo-1.14.43-3.34.1 zypper-debugsource-1.14.43-3.34.1
- SUSE Enterprise Storage 6 (noarch):
  libyui-ncurses-pkg-doc-2.48.9-7.7.1 libyui-qt-pkg-doc-2.45.28-3.10.1 zypper-log-1.14.43-3.34.1 zypper-needs-restarting-1.14.43-3.34.1
- SUSE CaaS Platform 4.0 (noarch):
  libyui-ncurses-pkg-doc-2.48.9-7.7.1 libyui-qt-pkg-doc-2.45.28-3.10.1 zypper-log-1.14.43-3.34.1 zypper-needs-restarting-1.14.43-3.34.1
- SUSE CaaS Platform 4.0 (x86_64):
  libsigc++2-debugsource-2.10.0-3.7.1 libsigc++2-devel-2.10.0-3.7.1 libsigc-2_0-0-2.10.0-3.7.1 libsigc-2_0-0-debuginfo-2.10.0-3.7.1 libsolv-debuginfo-0.7.17-3.32.1 libsolv-debugsource-0.7.17-3.32.1 libsolv-devel-0.7.17-3.32.1 libsolv-devel-debuginfo-0.7.17-3.32.1 libsolv-tools-0.7.17-3.32.1 libsolv-tools-debuginfo-0.7.17-3.32.1 libyui-ncurses-pkg-debugsource-2.48.9-7.7.1 libyui-ncurses-pkg-devel-2.48.9-7.7.1 libyui-ncurses-pkg9-2.48.9-7.7.1 libyui-ncurses-pkg9-debuginfo-2.48.9-7.7.1 libyui-qt-pkg-debugsource-2.45.28-3.10.1 libyui-qt-pkg-devel-2.45.28-3.10.1 libyui-qt-pkg9-2.45.28-3.10.1 libyui-qt-pkg9-debuginfo-2.45.28-3.10.1 libzypp-17.25.8-3.48.1 libzypp-debuginfo-17.25.8-3.48.1 libzypp-debugsource-17.25.8-3.48.1 libzypp-devel-17.25.8-3.48.1 perl-solv-0.7.17-3.32.1 perl-solv-debuginfo-0.7.17-3.32.1 python3-solv-0.7.17-3.32.1 python3-solv-debuginfo-0.7.17-3.32.1 ruby-solv-0.7.17-3.32.1 ruby-solv-debuginfo-0.7.17-3.32.1 yast2-pkg-bindings-4.1.3-3.10.3 yast2-pkg-bindings-debuginfo-4.1.3-3.10.3 yast2-pkg-bindings-debugsource-4.1.3-3.10.3 zypper-1.14.43-3.34.1 zypper-debuginfo-1.14.43-3.34.1 zypper-debugsource-1.14.43-3.34.1

References:

https://www.suse.com/security/cve/CVE-2017-9271.html
https://bugzilla.suse.com/1050625
https://bugzilla.suse.com/1174016
https://bugzilla.suse.com/1177238
https://bugzilla.suse.com/1177275
https://bugzilla.suse.com/1177427
https://bugzilla.suse.com/1177583
https://bugzilla.suse.com/1178910
https://bugzilla.suse.com/1178966
https://bugzilla.suse.com/1179083
https://bugzilla.suse.com/1179222
https://bugzilla.suse.com/1179816
https://bugzilla.suse.com/1179847
https://bugzilla.suse.com/1179909
https://bugzilla.suse.com/1180077
https://bugzilla.suse.com/1180663
https://bugzilla.suse.com/1180721
https://bugzilla.suse.com/1181328
https://bugzilla.suse.com/1181622
https://bugzilla.suse.com/1182629

From sle-security-updates at lists.suse.com Mon Mar 29 16:17:18 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 29 Mar 2021 18:17:18 +0200 (CEST)
Subject: SUSE-SU-2021:0966-1: important: Security update for MozillaFirefox
Message-ID: <20210329161718.803ABFBB0@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0966-1
Rating:             important
References:         #1183942
Cross-References:   CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987

Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP3
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.
Description:

This update for MozillaFirefox fixes the following issues:

- Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
  * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
  * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
  * CVE-2021-23984: Malicious extensions could have spoofed popup information
  * CVE-2021-23987: Memory safety bugs

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-966=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-966=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
  MozillaFirefox-78.9.0-8.35.1 MozillaFirefox-debuginfo-78.9.0-8.35.1 MozillaFirefox-debugsource-78.9.0-8.35.1 MozillaFirefox-translations-common-78.9.0-8.35.1 MozillaFirefox-translations-other-78.9.0-8.35.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le x86_64):
  MozillaFirefox-devel-78.9.0-8.35.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
  MozillaFirefox-78.9.0-8.35.1 MozillaFirefox-debuginfo-78.9.0-8.35.1 MozillaFirefox-debugsource-78.9.0-8.35.1 MozillaFirefox-devel-78.9.0-8.35.1 MozillaFirefox-translations-common-78.9.0-8.35.1 MozillaFirefox-translations-other-78.9.0-8.35.1

References:

https://www.suse.com/security/cve/CVE-2021-23981.html
https://www.suse.com/security/cve/CVE-2021-23982.html
https://www.suse.com/security/cve/CVE-2021-23984.html
https://www.suse.com/security/cve/CVE-2021-23987.html
https://bugzilla.suse.com/1183942

From sle-security-updates at lists.suse.com Mon Mar 29 22:16:15 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Mar 2021 00:16:15 +0200 (CEST)
Subject: SUSE-SU-2021:0972-1: moderate: Security update for ovmf
Message-ID: <20210329221615.CB388FCFA@maintenance.suse.de>

SUSE Security Update: Security update for ovmf
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0972-1
Rating:             moderate
References:         #1183578 #1183579
Cross-References:   CVE-2021-28210 CVE-2021-28211
CVSS scores:
                    CVE-2021-28210 (SUSE): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
                    CVE-2021-28211 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for ovmf fixes the following issues:

- CVE-2021-28211: ovmf: edk2: possible heap corruption with LzmaUefiDecompressGetInfo (bsc#1183578)
- CVE-2021-28210: ovmf: unlimited FV recursion, round 2 (bsc#1183579)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Server Applications 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-972=1

Package List:

- SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 x86_64):
  ovmf-201911-7.11.1 ovmf-tools-201911-7.11.1
- SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch):
  qemu-ovmf-x86_64-201911-7.11.1 qemu-uefi-aarch64-201911-7.11.1

References:

https://www.suse.com/security/cve/CVE-2021-28210.html
https://www.suse.com/security/cve/CVE-2021-28211.html
https://bugzilla.suse.com/1183578
https://bugzilla.suse.com/1183579

From sle-security-updates at lists.suse.com Mon Mar 29 22:17:25 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Mar 2021 00:17:25 +0200 (CEST)
Subject: SUSE-SU-2021:0974-1: Security update for tar
Message-ID: <20210329221725.530C9FCFA@maintenance.suse.de>

SUSE Security Update: Security update for tar
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0974-1
Rating:             low
References:         #1181131
Cross-References:   CVE-2021-20193
CVSS scores:
                    CVE-2021-20193 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for tar fixes the following issues:

- CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.0:
  zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-974=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-974=1

Package List:

- SUSE MicroOS 5.0 (aarch64 x86_64):
  tar-1.30-3.6.1 tar-debuginfo-1.30-3.6.1 tar-debugsource-1.30-3.6.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  tar-1.30-3.6.1 tar-debuginfo-1.30-3.6.1 tar-debugsource-1.30-3.6.1 tar-rmt-1.30-3.6.1 tar-rmt-debuginfo-1.30-3.6.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
  tar-lang-1.30-3.6.1

References:

https://www.suse.com/security/cve/CVE-2021-20193.html
https://bugzilla.suse.com/1181131

From sle-security-updates at lists.suse.com Mon Mar 29 22:18:31 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Mar 2021 00:18:31 +0200 (CEST)
Subject: SUSE-SU-2021:0975-1: Security update for tar
Message-ID: <20210329221831.2D038FCFA@maintenance.suse.de>

SUSE Security Update: Security update for tar
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0975-1
Rating:             low
References:         #1181131
Cross-References:   CVE-2021-20193
CVSS scores:
                    CVE-2021-20193 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for tar fixes the following issues:

- CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-975=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  tar-1.27.1-15.9.1 tar-debuginfo-1.27.1-15.9.1 tar-debugsource-1.27.1-15.9.1
- SUSE Linux Enterprise Server 12-SP5 (noarch):
  tar-lang-1.27.1-15.9.1

References:

https://www.suse.com/security/cve/CVE-2021-20193.html
https://bugzilla.suse.com/1181131

From sle-security-updates at lists.suse.com Tue Mar 30 06:05:43 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Mar 2021 08:05:43 +0200 (CEST)
Subject: SUSE-CU-2021:84-1: Security update of suse/sles12sp5
Message-ID: <20210330060543.6BA9CB462AC@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:84-1
Container Tags        : suse/sles12sp5:6.5.151 , suse/sles12sp5:latest
Container Release     : 6.5.151
Severity              : important
Type                  : security
References            : 1082318 1088639 1112438 1125689 1134616 1146182 1146184 1176201 1181358 962914 964140 966514 CVE-2016-1544 CVE-2018-1000168 CVE-2019-9511 CVE-2019-9513 CVE-2020-11080
-----------------------------------------------------------------

The container suse/sles12sp5 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:796-1
Released:    Tue Mar 16 10:28:14 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201

This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:932-1
Released:    Wed Mar 24 12:13:01 2021
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1082318,1088639,1112438,1125689,1134616,1146182,1146184,1181358,962914,964140,966514,CVE-2016-1544,CVE-2018-1000168,CVE-2019-9511,CVE-2019-9513,CVE-2020-11080

This update for nghttp2 fixes the following issues:

Security issues fixed:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358).
- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146182).
- CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639).
- CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514).

Bug fixes and enhancements:

- Packages must not mark license files as %doc (bsc#1082318)
- Typo in description of libnghttp2_asio1 (bsc#962914)
- Fixed mistake in spec file (bsc#1125689)
- Fixed build issue with boost 1.70.0 (bsc#1134616)
- Fixed build issue with GCC 6 (bsc#964140)
- Feature: Add W&S module (FATE#326776, bsc#1112438)

From sle-security-updates at lists.suse.com Tue Mar 30 06:20:46 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Mar 2021 08:20:46 +0200 (CEST)
Subject: SUSE-CU-2021:85-1: Security update of suse/sle15
Message-ID: <20210330062046.BD766B462AC@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:85-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.366
Container Release     : 4.22.366
Severity              : important
Type                  : security
References            : 1050625 1050625 1078466 1146705 1172442 1174016 1174016 1175519 1176201 1177238 1177238 1177275 1177275 1177427 1177427 1177583 1177583 1178775 1178910 1178910 1178966 1178966 1179083 1179083 1179222 1179222 1179415 1179816 1179847 1179847 1179909 1179909 1180020 1180077 1180083 1180596 1180663 1180721 1181011 1181328 1181328 1181358 1181622 1181622 1181831 1182328 1182362 1182629 1182629 1183094 1183370 1183371 1183456 1183457 CVE-2017-9271 CVE-2017-9271 CVE-2020-11080 CVE-2021-20231 CVE-2021-20232 CVE-2021-24031 CVE-2021-24032 CVE-2021-27218 CVE-2021-27219
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:770-1
Released:    Thu Mar 11 20:24:05 2021
Summary:     Security update for libsolv, libzypp, yast2-installation, zypper
Type:        security
Severity:    moderate
References:  1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179415,1179847,1179909,1181328,1181622,1182629,CVE-2017-9271

This update for libsolv, libzypp, yast2-installation, zypper fixes the following issues:

Update zypper to version 1.14.43:

- doc: give more details about creating versioned package locks (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)
- Prefer /run over /var/run.

Update libzypp to 17.25.8:

- Try to provide a mounted /proc in --root installs (bsc#1181328)
  Some systemd tools require /proc to be mounted and fail if it's not there.
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names (bsc#1179847)
  This allows using the RH and SUSE patch category names synonymously: (recommended = bugfix) and (optional = feature = enhancement).
- Fix %posttrans script execution (fixes #265)
  The scripts are executable. No need to call them through 'sh -c'.
- Commit: Fix rpmdb compat symlink in case rpm got removed.
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use.
- BuildRequires: libsolv-devel >= 0.7.17.
- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

Update yast2-installation to 4.0.77:

- Do not clean up the libzypp cache when the system has low memory; an incomplete cache confuses libzypp later (bsc#1179415)

Update libsolv to 0.7.17:

- repo_write: fix handling of nested flexarray
- improve choicerule generation a bit more to cover more cases
- harden testcase parser against repos being added too late
- support python-3.10
- check %_dbpath macro in rpmdb code
- handle default/visible/langonly attributes in comps parser
- support multiple collections in updateinfo parser
- add '-D' option in rpmdb2solv to set the dbpath

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released:    Mon Mar 15 11:19:23 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201

This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:890-1
Released:    Fri Mar 19 15:51:41 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219

This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores it in a guint; this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released:    Tue Mar 23 10:00:49 2021
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094

This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allow overriding config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to clean up '/tmp' regularly, required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when a bind mounted directory results in inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:931-1
Released:    Wed Mar 24 12:10:41 2021
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1172442,1181358,CVE-2020-11080

This update for nghttp2 fixes the following issues:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:934-1
Released:    Wed Mar 24 12:18:21 2021
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1183456,1183457,CVE-2021-20231,CVE-2021-20232

This update for gnutls fixes the following issues:

- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released:    Wed Mar 24 14:31:34 2021
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1183370,1183371,CVE-2021-24031,CVE-2021-24032

This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access a world-readable destination file (bsc#1183370).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:956-1
Released:    Thu Mar 25 19:19:04 2021
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    moderate
References:  1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629,CVE-2017-9271

This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.43:

- doc: give more details about creating versioned package locks (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)
- Prefer /run over /var/run.

Update libzypp to 17.25.8:

- Try to provide a mounted /proc in --root installs (bsc#1181328)
  Some systemd tools require /proc to be mounted and fail if it's not there.
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names (bsc#1179847)
  This allows using the RH and SUSE patch category names synonymously: (recommended = bugfix) and (optional = feature = enhancement).
- Add missing includes for GCC 11 compatibility.
- Fix %posttrans script execution (fixes #265)
  The scripts are executable. No need to call them through 'sh -c'.
- Commit: Fix rpmdb compat symlink in case rpm got removed.
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use.
- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

From sle-security-updates at lists.suse.com Tue Mar 30 06:33:10 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Mar 2021 08:33:10 +0200 (CEST)
Subject: SUSE-CU-2021:86-1: Security update of suse/sle15
Message-ID: <20210330063310.A16E1B462AC@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:86-1
Container Tags        : suse/sle15:15.1 , suse/sle15:15.1.6.2.425
Container Release     : 6.2.425
Severity              : important
Type                  : security
References            : 1050625 1078466 1146705 1172442 1174016 1175519 1176201 1177238 1177275 1177427 1177583 1178386 1178775 1178910 1178966 1179083 1179222 1179694 1179721 1179816 1179847 1179909 1180020 1180038 1180077 1180083 1180596 1180663 1180721 1181011 1181328 1181358 1181505 1181622 1181831 1182117 1182279 1182328 1182331 1182333 1182362 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182629 1183094 1183370 1183371 1183456 1183457 CVE-2017-9271 CVE-2019-25013 CVE-2020-11080 CVE-2020-27618 CVE-2020-29562 CVE-2020-29573
CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2021-20231 CVE-2021-20232 CVE-2021-23840 CVE-2021-23841 CVE-2021-24031 CVE-2021-24032 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3326
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released:    Fri Feb 26 19:53:43 2021
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326

This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released:    Mon Mar 8 16:45:27 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212

This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:753-1
Released:    Tue Mar 9 17:09:57 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1182331,1182333,CVE-2021-23840,CVE-2021-23841

This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released:    Mon Mar 15 11:19:23 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201

This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:890-1
Released:    Fri Mar 19 15:51:41 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219

This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores it in a guint; this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released:    Tue Mar 23 10:00:49 2021
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094

This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allow overriding config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to clean up '/tmp' regularly, required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when a bind mounted directory results in inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:931-1
Released:    Wed Mar 24 12:10:41 2021
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1172442,1181358,CVE-2020-11080

This update for nghttp2 fixes the following issues:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:934-1
Released:    Wed Mar 24 12:18:21 2021
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1183456,1183457,CVE-2021-20231,CVE-2021-20232

This update for gnutls fixes the following issues:

- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released:    Wed Mar 24 14:31:34 2021
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1183370,1183371,CVE-2021-24031,CVE-2021-24032

This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access a world-readable destination file (bsc#1183370).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:956-1
Released:    Thu Mar 25 19:19:04 2021
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    moderate
References:  1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629,CVE-2017-9271

This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.43:

- doc: give more details about creating versioned package locks (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)
- Prefer /run over /var/run.

Update libzypp to 17.25.8:

- Try to provide a mounted /proc in --root installs (bsc#1181328)
  Some systemd tools require /proc to be mounted and fail if it's not there.
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names (bsc#1179847)
  This allows using the RH and SUSE patch category names synonymously: (recommended = bugfix) and (optional = feature = enhancement).
- Add missing includes for GCC 11 compatibility.
- Fix %posttrans script execution (fixes #265)
  The scripts are executable. No need to call them through 'sh -c'.
- Commit: Fix rpmdb compat symlink in case rpm got removed.
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use.
- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

From sle-security-updates at lists.suse.com Tue Mar 30 06:39:45 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Mar 2021 08:39:45 +0200 (CEST)
Subject: SUSE-CU-2021:87-1: Security update of suse/sle15
Message-ID: <20210330063945.885E1B462AC@westernhagen.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:87-1
Container Tags        : suse/sle15:15.2 , suse/sle15:15.2.8.2.878
Container Release     : 8.2.878
Severity              : important
Type                  : security
References            : 1078466 1146705 1172442 1175519 1176201 1178775 1179847 1180020 1180083 1180596
1181011 1181328 1181358 1181622 1181831 1182328 1182362 1182629 1183094 1183370 1183371 1183456 1183457 1183852 CVE-2020-11080 CVE-2021-20231 CVE-2021-20232 CVE-2021-24031 CVE-2021-24032 CVE-2021-27218 CVE-2021-27219 CVE-2021-3449
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:778-1
Released:    Fri Mar 12 17:42:25 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219

This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores it in a guint; this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released:    Mon Mar 15 11:19:23 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201

This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:874-1
Released:    Thu Mar 18 09:41:54 2021
Summary:     Recommended update for libsolv, libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1179847,1181328,1181622,1182629

This update for libsolv, libzypp, zypper fixes the following issues:

- support multiple collections in updateinfo parser
- Fixed an issue when some 'systemd' tools require '/proc' to be mounted and fail if it's not there. (bsc#1181328)
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names to allow to use the RH and SUSE patch category names synonymously. (bsc#1179847)
- Fix '%posttrans' script execution. (fixes #265)
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpmdatabase to use.
- doc: give more details about creating versioned package locks. (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released:    Tue Mar 23 10:00:49 2021
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094

This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allow overriding config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to clean up '/tmp' regularly, required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when a bind mounted directory results in inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:930-1
Released:    Wed Mar 24 12:09:23 2021
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1172442,1181358,CVE-2020-11080

This update for nghttp2 fixes the following issues:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:935-1
Released:    Wed Mar 24 12:19:10 2021
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1183456,1183457,CVE-2021-20231,CVE-2021-20232

This update for gnutls fixes the following issues:

- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released:    Wed Mar 24 14:31:34 2021
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1183370,1183371,CVE-2021-24031,CVE-2021-24032

This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access a world-readable destination file (bsc#1183370).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:955-1
Released:    Thu Mar 25 16:11:48 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1183852,CVE-2021-3449

This update for openssl-1_1 fixes the security issue:

* CVE-2021-3449: An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client.
  If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension but includes a signature_algorithms_cert extension, then a NULL pointer dereference will result, leading to a crash and a denial of service attack. OpenSSL TLS clients are not impacted by this issue. [bsc#1183852]

From sle-security-updates at lists.suse.com Tue Mar 30 19:21:32 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Mar 2021 21:21:32 +0200 (CEST)
Subject: SUSE-SU-2021:0988-1: important: Security update for tomcat
Message-ID: <20210330192132.B94C0FCFA@maintenance.suse.de>

SUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:0988-1
Rating: important
References: #1182909 #1182912
Cross-References: CVE-2021-25122 CVE-2021-25329
CVSS scores:
CVE-2021-25122 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-25122 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-25329 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-25329 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
SUSE OpenStack Cloud Crowbar 9
SUSE OpenStack Cloud 9
SUSE Linux Enterprise Server for SAP 12-SP4
SUSE Linux Enterprise Server 12-SP5
SUSE Linux Enterprise Server 12-SP4-LTSS
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for tomcat fixes the following issues:

- CVE-2021-25122: Apache Tomcat h2c request mix-up (bsc#1182912)
- CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-988=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-988=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-988=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-988=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-988=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      tomcat-9.0.36-3.64.1
      tomcat-admin-webapps-9.0.36-3.64.1
      tomcat-docs-webapp-9.0.36-3.64.1
      tomcat-el-3_0-api-9.0.36-3.64.1
      tomcat-javadoc-9.0.36-3.64.1
      tomcat-jsp-2_3-api-9.0.36-3.64.1
      tomcat-lib-9.0.36-3.64.1
      tomcat-servlet-4_0-api-9.0.36-3.64.1
      tomcat-webapps-9.0.36-3.64.1

   - SUSE OpenStack Cloud 9 (noarch):

      tomcat-9.0.36-3.64.1
      tomcat-admin-webapps-9.0.36-3.64.1
      tomcat-docs-webapp-9.0.36-3.64.1
      tomcat-el-3_0-api-9.0.36-3.64.1
      tomcat-javadoc-9.0.36-3.64.1
      tomcat-jsp-2_3-api-9.0.36-3.64.1
      tomcat-lib-9.0.36-3.64.1
      tomcat-servlet-4_0-api-9.0.36-3.64.1
      tomcat-webapps-9.0.36-3.64.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):

      tomcat-9.0.36-3.64.1
      tomcat-admin-webapps-9.0.36-3.64.1
      tomcat-docs-webapp-9.0.36-3.64.1
      tomcat-el-3_0-api-9.0.36-3.64.1
      tomcat-javadoc-9.0.36-3.64.1
      tomcat-jsp-2_3-api-9.0.36-3.64.1
      tomcat-lib-9.0.36-3.64.1
      tomcat-servlet-4_0-api-9.0.36-3.64.1
      tomcat-webapps-9.0.36-3.64.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      tomcat-9.0.36-3.64.1
      tomcat-admin-webapps-9.0.36-3.64.1
      tomcat-docs-webapp-9.0.36-3.64.1
      tomcat-el-3_0-api-9.0.36-3.64.1
      tomcat-javadoc-9.0.36-3.64.1
      tomcat-jsp-2_3-api-9.0.36-3.64.1
      tomcat-lib-9.0.36-3.64.1
      tomcat-servlet-4_0-api-9.0.36-3.64.1
      tomcat-webapps-9.0.36-3.64.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):

      tomcat-9.0.36-3.64.1
      tomcat-admin-webapps-9.0.36-3.64.1
      tomcat-docs-webapp-9.0.36-3.64.1
      tomcat-el-3_0-api-9.0.36-3.64.1
      tomcat-javadoc-9.0.36-3.64.1
      tomcat-jsp-2_3-api-9.0.36-3.64.1
      tomcat-lib-9.0.36-3.64.1
      tomcat-servlet-4_0-api-9.0.36-3.64.1
      tomcat-webapps-9.0.36-3.64.1

References:

   https://www.suse.com/security/cve/CVE-2021-25122.html
   https://www.suse.com/security/cve/CVE-2021-25329.html
   https://bugzilla.suse.com/1182909
   https://bugzilla.suse.com/1182912

From sle-security-updates at lists.suse.com  Tue Mar 30 19:22:46 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Mar 2021 21:22:46 +0200 (CEST)
Subject: SUSE-SU-2021:0989-1: important: Security update for tomcat
Message-ID: <20210330192246.D8A56FCFA@maintenance.suse.de>

   SUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0989-1
Rating:             important
References:         #1180947 #1182909 #1182912
Cross-References:   CVE-2021-24122 CVE-2021-25122 CVE-2021-25329
CVSS scores:
                    CVE-2021-24122 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-24122 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-25122 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-25122 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-25329 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-25329 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.
Description:

   This update for tomcat fixes the following issues:

   - Fixed CVEs:
     * CVE-2021-25122: Apache Tomcat h2c request mix-up (bsc#1182912)
     * CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)
   - Log if file access is blocked due to symlinks: CVE-2021-24122 (bsc#1180947)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-989=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-989=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-989=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-989=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (noarch):

      tomcat-9.0.36-3.79.1
      tomcat-admin-webapps-9.0.36-3.79.1
      tomcat-el-3_0-api-9.0.36-3.79.1
      tomcat-jsp-2_3-api-9.0.36-3.79.1
      tomcat-lib-9.0.36-3.79.1
      tomcat-servlet-4_0-api-9.0.36-3.79.1
      tomcat-webapps-9.0.36-3.79.1

   - SUSE Linux Enterprise Server 15-LTSS (noarch):

      tomcat-9.0.36-3.79.1
      tomcat-admin-webapps-9.0.36-3.79.1
      tomcat-el-3_0-api-9.0.36-3.79.1
      tomcat-jsp-2_3-api-9.0.36-3.79.1
      tomcat-lib-9.0.36-3.79.1
      tomcat-servlet-4_0-api-9.0.36-3.79.1
      tomcat-webapps-9.0.36-3.79.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):

      tomcat-9.0.36-3.79.1
      tomcat-admin-webapps-9.0.36-3.79.1
      tomcat-el-3_0-api-9.0.36-3.79.1
      tomcat-jsp-2_3-api-9.0.36-3.79.1
      tomcat-lib-9.0.36-3.79.1
      tomcat-servlet-4_0-api-9.0.36-3.79.1
      tomcat-webapps-9.0.36-3.79.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):

      tomcat-9.0.36-3.79.1
      tomcat-admin-webapps-9.0.36-3.79.1
      tomcat-el-3_0-api-9.0.36-3.79.1
      tomcat-jsp-2_3-api-9.0.36-3.79.1
      tomcat-lib-9.0.36-3.79.1
      tomcat-servlet-4_0-api-9.0.36-3.79.1
      tomcat-webapps-9.0.36-3.79.1

References:

   https://www.suse.com/security/cve/CVE-2021-24122.html
   https://www.suse.com/security/cve/CVE-2021-25122.html
   https://www.suse.com/security/cve/CVE-2021-25329.html
   https://bugzilla.suse.com/1180947
   https://bugzilla.suse.com/1182909
   https://bugzilla.suse.com/1182912

From sle-security-updates at lists.suse.com  Tue Mar 30 19:25:03 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Mar 2021 21:25:03 +0200 (CEST)
Subject: SUSE-SU-2021:0990-1: moderate: Security update for zabbix
Message-ID: <20210330192503.881ECFCFA@maintenance.suse.de>

   SUSE Security Update: Security update for zabbix
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0990-1
Rating:             moderate
References:         #1158321 #1183014
Cross-References:   CVE-2013-7484 CVE-2021-27927
CVSS scores:
                    CVE-2013-7484 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for zabbix fixes the following issues:

   - CVE-2021-27927: Fixed an improper CSRF protection mechanism (bsc#1183014).
   - CVE-2013-7484: Fixed an issue where passwords in the users table were unsalted (bsc#1158321).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-990=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      zabbix-agent-4.0.12-4.12.1
      zabbix-agent-debuginfo-4.0.12-4.12.1
      zabbix-debugsource-4.0.12-4.12.1

References:

   https://www.suse.com/security/cve/CVE-2013-7484.html
   https://www.suse.com/security/cve/CVE-2021-27927.html
   https://bugzilla.suse.com/1158321
   https://bugzilla.suse.com/1183014

From sle-security-updates at lists.suse.com  Tue Mar 30 19:26:13 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 30 Mar 2021 21:26:13 +0200 (CEST)
Subject: SUSE-SU-2021:0987-1: moderate: Security update for ovmf
Message-ID: <20210330192613.7C4ECFCFA@maintenance.suse.de>

   SUSE Security Update: Security update for ovmf
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0987-1
Rating:             moderate
References:         #1183578 #1183579
Cross-References:   CVE-2021-28210 CVE-2021-28211
CVSS scores:
                    CVE-2021-28210 (SUSE): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
                    CVE-2021-28211 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for ovmf fixes the following issues:

   - CVE-2021-28211: ovmf: edk2: possible heap corruption with LzmaUefiDecompressGetInfo (bsc#1183578)
   - CVE-2021-28210: ovmf: unlimited FV recursion, round 2 (bsc#1183579)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-987=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 x86_64):

      ovmf-2017+git1510945757.b2662641d5-3.35.1
      ovmf-tools-2017+git1510945757.b2662641d5-3.35.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-3.35.1
      qemu-uefi-aarch64-2017+git1510945757.b2662641d5-3.35.1

References:

   https://www.suse.com/security/cve/CVE-2021-28210.html
   https://www.suse.com/security/cve/CVE-2021-28211.html
   https://bugzilla.suse.com/1183578
   https://bugzilla.suse.com/1183579

From sle-security-updates at lists.suse.com  Wed Mar 31 19:15:52 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 31 Mar 2021 21:15:52 +0200 (CEST)
Subject: SUSE-SU-2021:0999-1: important: Security update for MozillaFirefox
Message-ID: <20210331191552.807BAF78E@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0999-1
Rating:             important
References:         #1183942
Cross-References:   CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for MozillaFirefox fixes the following issues:

   - Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
     * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
     * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
     * CVE-2021-23984: Malicious extensions could have spoofed popup information
     * CVE-2021-23987: Memory safety bugs

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-999=1

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-999=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-999=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-999=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2021-999=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-999=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-999=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-999=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2021-999=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-999=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-999=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-999=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-999=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-999=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2021-999=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-999=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2021-999=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

   - SUSE OpenStack Cloud 9 (x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

   - SUSE OpenStack Cloud 8 (x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

   - HPE Helion Openstack 8 (x86_64):

      MozillaFirefox-78.9.0-112.54.1
      MozillaFirefox-debuginfo-78.9.0-112.54.1
      MozillaFirefox-debugsource-78.9.0-112.54.1
      MozillaFirefox-devel-78.9.0-112.54.1
      MozillaFirefox-translations-common-78.9.0-112.54.1

References:

   https://www.suse.com/security/cve/CVE-2021-23981.html
   https://www.suse.com/security/cve/CVE-2021-23982.html
   https://www.suse.com/security/cve/CVE-2021-23984.html
   https://www.suse.com/security/cve/CVE-2021-23987.html
   https://bugzilla.suse.com/1183942

From sle-security-updates at lists.suse.com  Wed Mar 31 19:17:00 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 31 Mar 2021 21:17:00 +0200 (CEST)
Subject: SUSE-SU-2021:0998-1: moderate: Security update for opensc
Message-ID: <20210331191700.21C4AF78E@maintenance.suse.de>

   SUSE Security Update: Security update for opensc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:0998-1
Rating:             moderate
References:         #1149746 #1149747 #1158256 #1177364 #1177378 #1177380
Cross-References:   CVE-2019-15945 CVE-2019-15946 CVE-2019-19479 CVE-2020-26570 CVE-2020-26571 CVE-2020-26572
CVSS scores:
                    CVE-2019-15945 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2019-15945 (SUSE): 5.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
                    CVE-2019-15946 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2019-15946 (SUSE): 5.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
                    CVE-2019-19479 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2019-19479 (SUSE): 4.3 CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
                    CVE-2020-26570 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-26570 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-26571 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-26571 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-26572 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-26572 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

Description:

   This update for opensc fixes the following issues:

   - CVE-2020-26571: gemsafe GPK smart card software driver stack-based buffer overflow (bsc#1177380)
   - CVE-2019-15946: out-of-bounds access of an ASN.1 Octet string in asn1_decode_entry (bsc#1149747)
   - CVE-2019-15945: out-of-bounds access of an ASN.1 Bitstring in decode_bit_string (bsc#1149746)
   - CVE-2019-19479: incorrect read operation during parsing of a SETCOS file attribute (bsc#1158256)
   - CVE-2020-26572: Prevent out of bounds write (bsc#1177378)
   - CVE-2020-26570: Fix buffer overflow in sc_oberthur_read_file (bsc#1177364)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-998=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      opensc-0.13.0-3.11.1
      opensc-debuginfo-0.13.0-3.11.1
      opensc-debugsource-0.13.0-3.11.1

References:

   https://www.suse.com/security/cve/CVE-2019-15945.html
   https://www.suse.com/security/cve/CVE-2019-15946.html
   https://www.suse.com/security/cve/CVE-2019-19479.html
   https://www.suse.com/security/cve/CVE-2020-26570.html
   https://www.suse.com/security/cve/CVE-2020-26571.html
   https://www.suse.com/security/cve/CVE-2020-26572.html
   https://bugzilla.suse.com/1149746
   https://bugzilla.suse.com/1149747
   https://bugzilla.suse.com/1158256
   https://bugzilla.suse.com/1177364
   https://bugzilla.suse.com/1177378
   https://bugzilla.suse.com/1177380