SUSE-IU-2021:412-1: Security update of suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Wed Mar 10 11:41:20 UTC 2021


SUSE Image Update Advisory: suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2021:412-1
Image Tags        : suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64:20210304
Image Release     : 
Severity          : important
Type              : security
References        : 1046305 1046306 1046540 1046542 1046648 1050242 1050244 1050536
                        1050538 1050545 1056653 1056657 1056787 1064802 1066129 1073513
                        1074220 1075020 1086282 1086301 1086313 1086314 1098633 1103990
                        1103991 1103992 1104270 1104277 1104279 1104353 1104427 1104742
                        1104745 1109837 1111981 1112178 1112374 1113956 1119113 1126206
                        1126390 1127354 1127371 1129770 1136348 1149032 1170671 1174075
                        1174206 1175570 1175970 1176262 1176708 1176711 1176831 1176846
                        1177460 1177883 1178036 1178049 1178386 1178801 1178801 1178900
                        1178969 1179093 1179142 1179264 1179265 1179508 1179509 1179563
                        1179573 1179575 1179691 1179694 1179721 1179756 1179878 1180038
                        1180130 1180176 1180243 1180401 1180401 1180403 1180501 1180520
                        1180603 1180603 1180686 1180765 1180812 1180827 1180891 1180912
                        1180933 1181018 1181126 1181170 1181230 1181231 1181260 1181349
                        1181425 1181504 1181505 1181730 1181732 1181809 1181944 1182057
                        1182066 1182117 1182168 1182244 1182246 1182262 1182263 1182471
                        CVE-2019-20916 CVE-2019-25013 CVE-2019-8842 CVE-2020-10001 CVE-2020-14372
                        CVE-2020-15257 CVE-2020-25632 CVE-2020-25639 CVE-2020-25647 CVE-2020-27618
                        CVE-2020-27749 CVE-2020-27779 CVE-2020-27835 CVE-2020-28493 CVE-2020-29562
                        CVE-2020-29568 CVE-2020-29569 CVE-2020-29573 CVE-2020-36242 CVE-2020-8625
                        CVE-2021-0342 CVE-2021-20177 CVE-2021-20225 CVE-2021-20233 CVE-2021-21284
                        CVE-2021-21285 CVE-2021-26720 CVE-2021-3177 CVE-2021-3326 CVE-2021-3347
                        CVE-2021-3348 
-----------------------------------------------------------------

The container suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:285-1
Released:    Tue Feb  2 13:08:54 2021
Summary:     Security update for cups
Type:        security
Severity:    moderate
References:  1170671,1180520,CVE-2019-8842,CVE-2020-10001
This update for cups fixes the following issues:

- CVE-2020-10001: Fixed an out-of-bounds read in the ippReadIO function (bsc#1180520).
- CVE-2019-8842: Fixed an out-of-bounds read in an extension field (bsc#1170671).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released:    Wed Feb  3 12:52:34 2021
Summary:     Recommended update for gmp
Type:        recommended
Severity:    moderate
References:  1180603
This update for gmp fixes the following issues:

- correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:301-1
Released:    Thu Feb  4 08:46:27 2021
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

- timezone update 2021a (bsc#1177460)
  * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:304-1
Released:    Thu Feb  4 13:19:43 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    important
References:  1179691
This update for lvm2 fixes the following issues:

- lvm2 will no longer use external_device_info_source='udev' as default because it introduced a
  regression (bsc#1179691).

  If this behavior is still wanted, please change this manually in the lvm.conf

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:307-1
Released:    Fri Feb  5 05:30:34 2021
Summary:     Recommended update for libselinux
Type:        recommended
Severity:    low
References:  1180603
This update for libselinux fixes the following issues:

- Corrected the license to public domain (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released:    Mon Feb  8 13:16:07 2021
Summary:     Optional update for pam
Type:        optional
Severity:    low
References:  
This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to be installed - it doesn't fix any bugs.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:435-1
Released:    Thu Feb 11 14:47:25 2021
Summary:     Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork
Type:        security
Severity:    important
References:  1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732,CVE-2020-15257,CVE-2021-21284,CVE-2021-21285
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:

Security issues fixed:

- CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969).
- CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
- CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730)

Non-security issues fixed:

- Update Docker to 19.03.15-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for
  bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).

- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE.
  It appears that SLES doesn't like the patch. (bsc#1180401)

- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and
  fixes CVE-2020-15257. bsc#1180243

- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce.
  bsc#1176708

- Update to Docker 19.03.14-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243
  https://github.com/docker/docker-ce/releases/tag/v19.03.14

- Enable fish-completion

- Add a patch which makes Docker compatible with firewalld with
  nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
  (bsc#1178801, SLE-16460)

- Update to Docker 19.03.13-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Emergency fix: %requires_eq does not work with provide symbols,
  only effective package names. Convert back to regular Requires.

- Update to Docker 19.03.12-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md.
- Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of
  spurrious errors due to Go returning -EINTR from I/O syscalls much more often
  (due to Go 1.14's pre-emptive goroutine support).
- Add BuildRequires for all -git dependencies so that we catch missing
  dependencies much more quickly.

- Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce.
  bsc#1180243

- Add patch which makes libnetwork compatible with firewalld with
  nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
  (bsc#1178801, SLE-16460)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:441-1
Released:    Thu Feb 11 16:35:04 2021
Summary:     Optional update for python3-jsonschema
Type:        optional
Severity:    low
References:  1180403
This update provides the python3 variant of the jsonschema module to the
SUSE Linux Enterprise 15 SP2 Basesystem module.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:502-1
Released:    Thu Feb 18 05:33:06 2021
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1180501
This update for openssh fixes the following issues:

- Fixed a crash which sometimes occured on connection termination, caused
  by accessing freed memory (bsc#1180501)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:507-1
Released:    Thu Feb 18 09:34:49 2021
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1182246,CVE-2020-8625
This update for bind fixes the following issues:

- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy
  negotiation can be targeted by a buffer overflow attack [bsc#1182246]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:516-1
Released:    Thu Feb 18 14:42:51 2021
Summary:     Recommended update for docker, golang-github-docker-libnetwork
Type:        recommended
Severity:    moderate
References:  1178801,1180401,1182168
This update for docker, golang-github-docker-libnetwork fixes the following issues:

- A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released:    Fri Feb 19 14:53:47 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177
This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:532-1
Released:    Fri Feb 19 17:29:03 2021
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1046305,1046306,1046540,1046542,1046648,1050242,1050244,1050536,1050538,1050545,1056653,1056657,1056787,1064802,1066129,1073513,1074220,1075020,1086282,1086301,1086313,1086314,1098633,1103990,1103991,1103992,1104270,1104277,1104279,1104353,1104427,1104742,1104745,1109837,1111981,1112178,1112374,1113956,1119113,1126206,1126390,1127354,1127371,1129770,1136348,1149032,1174206,1176831,1176846,1178036,1178049,1178900,1179093,1179142,1179508,1179509,1179563,1179573,1179575,1179878,1180130,1180765,1180812,1180891,1180912,1181018,1181170,1181230,1181231,1181260,1181349,1181425,1181504,1181809,CVE-2020-25639,CVE-2020-27835,CVE-2020-29568,CVE-2020-29569,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347,CVE-2021-3348
 The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
- CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).
- CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).
- CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required. (bnc#1180812)
- CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).
- CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
- CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

The following non-security bugs were fixed:

- ACPI: scan: Harden acpi_device_add() against device ID overflows (git-fixes).
- ACPI: scan: Make acpi_bus_get_device() clear return pointer on error (git-fixes).
- ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI (git-fixes).
- ALSA: doc: Fix reference to mixart.rst (git-fixes).
- ALSA: fireface: Fix integer overflow in transmit_midi_msg() (git-fixes).
- ALSA: firewire-tascam: Fix integer overflow in midi_port_work() (git-fixes).
- ALSA: hda/via: Add minimum mute flag (git-fixes).
- ALSA: hda/via: Fix runtime PM for Clevo W35xSS (git-fixes).
- ALSA: pcm: Clear the full allocated memory at hw_params (git-fixes).
- ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info() (git-fixes).
- ASoC: Intel: haswell: Add missing pm_ops (git-fixes).
- ASoC: dapm: remove widget from dirty list on free (git-fixes).
- EDAC/amd64: Fix PCI component registration (bsc#1112178).
- IB/mlx5: Fix DEVX support for MLX5_CMD_OP_INIT2INIT_QP command (bsc#1103991).
- KVM: SVM: Initialize prev_ga_tag before use (bsc#1180912).
- KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages (bsc#1181230).
- NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock (git-fixes).
- NFS: nfs_igrab_and_active must first reference the superblock (git-fixes).
- NFS: switch nfsiod to be an UNBOUND workqueue (git-fixes).
- NFSv4.2: condition READDIR's mask for security label based on LSM state (git-fixes).
- RDMA/addr: Fix race with netevent_callback()/rdma_addr_cancel() (bsc#1103992).
- RDMA/bnxt_re: Do not add user qps to flushlist (bsc#1050244 ).
- RDMA/bnxt_re: Do not report transparent vlan from QP1 (bsc#1104742).
- RDMA/cma: Do not overwrite sgid_attr after device is released (bsc#1103992).
- RDMA/core: Ensure security pkey modify is not lost (bsc#1046306 ).
- RDMA/core: Fix pkey and port assignment in get_new_pps (bsc#1046306).
- RDMA/core: Fix protection fault in get_pkey_idx_qp_list (bsc#1046306).
- RDMA/core: Fix reported speed and width (bsc#1046306 ).
- RDMA/core: Fix return error value in _ib_modify_qp() to negative (bsc#1103992).
- RDMA/core: Fix use of logical OR in get_new_pps (bsc#1046306 ).
- RDMA/hns: Bugfix for memory window mtpt configuration (bsc#1104427).
- RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver (bsc#1104427).
- RDMA/hns: Fix cmdq parameter of querying pf timer resource (bsc#1104427 bsc#1126206).
- RDMA/hns: Fix missing sq_sig_type when querying QP (bsc#1104427 ).
- RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver (bsc#1104427).
- RDMA/iw_cxgb4: Fix incorrect function parameters (bsc#1136348 jsc#SLE-4684).
- RDMA/iw_cxgb4: initiate CLOSE when entering TERM (bsc#1136348 jsc#SLE-4684).
- RDMA/mlx5: Add init2init as a modify command (bsc#1103991 ).
- RDMA/mlx5: Fix typo in enum name (bsc#1103991).
- RDMA/mlx5: Fix wrong free of blue flame register on error (bsc#1103991).
- RDMA/qedr: Fix inline size returned for iWARP (bsc#1050545 ).
- SUNRPC: cache: ignore timestamp written to 'flush' file (bsc#1178036).
- USB: ehci: fix an interrupt calltrace error (git-fixes).
- USB: gadget: legacy: fix return error code in acm_ms_bind() (git-fixes).
- USB: serial: iuu_phoenix: fix DMA from stack (git-fixes).
- USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set (git-fixes).
- USB: yurex: fix control-URB timeout handling (git-fixes).
- __netif_receive_skb_core: pass skb by reference (bsc#1109837).
- arm64: pgtable: Ensure dirty bit is preserved across pte_wrprotect() (bsc#1180130).
- arm64: pgtable: Fix pte_accessible() (bsc#1180130).
- bnxt_en: Do not query FW when netif_running() is false (bsc#1086282).
- bnxt_en: Fix accumulation of bp->net_stats_prev (bsc#1104745 ).
- bnxt_en: Improve stats context resource accounting with RDMA driver loaded (bsc#1104745).
- bnxt_en: Release PCI regions when DMA mask setup fails during probe (git-fixes).
- bnxt_en: Reset rings if ring reservation fails during open() (bsc#1086282).
- bnxt_en: fix HWRM error when querying VF temperature (bsc#1104745).
- bnxt_en: fix error return code in bnxt_init_board() (git-fixes).
- bnxt_en: fix error return code in bnxt_init_one() (bsc#1050242 ).
- bnxt_en: read EEPROM A2h address using page 0 (git-fixes).
- bnxt_en: return proper error codes in bnxt_show_temp (bsc#1104745).
- bonding: set dev->needed_headroom in bond_setup_by_slave() (git-fixes).
- btrfs: add a flag to iterate_inodes_from_logical to find all extent refs for uncompressed extents (bsc#1174206).
- btrfs: add a flags argument to LOGICAL_INO and call it LOGICAL_INO_V2 (bsc#1174206).
- btrfs: increase output size for LOGICAL_INO_V2 ioctl (bsc#1174206).
- btrfs: qgroup: do not try to wait flushing if we're already holding a transaction (bsc#1179575).
- caif: no need to check return value of debugfs_create functions (git-fixes).
- can: c_can: c_can_power_up(): fix error handling (git-fixes).
- can: dev: prevent potential information leak in can_fill_info() (git-fixes).
- can: vxcan: vxcan_xmit: fix use after free bug (git-fixes).
- chelsio/chtls: correct function return and return type (bsc#1104270).
- chelsio/chtls: correct netdevice for vlan interface (bsc#1104270 ).
- chelsio/chtls: fix a double free in chtls_setkey() (bsc#1104270 ).
- chelsio/chtls: fix always leaking ctrl_skb (bsc#1104270 ).
- chelsio/chtls: fix deadlock issue (bsc#1104270).
- chelsio/chtls: fix memory leaks caused by a race (bsc#1104270 ).
- chelsio/chtls: fix memory leaks in CPL handlers (bsc#1104270 ).
- chelsio/chtls: fix panic during unload reload chtls (bsc#1104270 ).
- chelsio/chtls: fix socket lock (bsc#1104270).
- chelsio/chtls: fix tls record info to user (bsc#1104270 ).
- chtls: Added a check to avoid NULL pointer dereference (bsc#1104270).
- chtls: Fix chtls resources release sequence (bsc#1104270 ).
- chtls: Fix hardware tid leak (bsc#1104270).
- chtls: Remove invalid set_tcb call (bsc#1104270).
- chtls: Replace skb_dequeue with skb_peek (bsc#1104270 ).
- cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled (bsc#1109837).
- cxgb3: fix error return code in t3_sge_alloc_qset() (git-fixes).
- cxgb4/cxgb4vf: fix flow control display for auto negotiation (bsc#1046540 bsc#1046542).
- cxgb4: fix SGE queue dump destination buffer context (bsc#1073513).
- cxgb4: fix adapter crash due to wrong MC size (bsc#1073513).
- cxgb4: fix all-mask IP address comparison (bsc#1064802 bsc#1066129).
- cxgb4: fix large delays in PTP synchronization (bsc#1046540 bsc#1046648).
- cxgb4: fix the panic caused by non smac rewrite (bsc#1064802 bsc#1066129).
- cxgb4: fix thermal zone device registration (bsc#1104279 bsc#1104277).
- cxgb4: fix throughput drop during Tx backpressure (bsc#1127354 bsc#1127371).
- cxgb4: move DCB version extern to header file (bsc#1104279 ).
- cxgb4: remove cast when saving IPv4 partial checksum (bsc#1074220).
- cxgb4: set up filter action after rewrites (bsc#1064802 bsc#1066129).
- cxgb4: use correct type for all-mask IP address comparison (bsc#1064802 bsc#1066129).
- cxgb4: use unaligned conversion for fetching timestamp (bsc#1046540 bsc#1046648).
- dm: avoid filesystem lookup in dm_get_dev_t() (bsc#1178049).
- dmaengine: xilinx_dma: check dma_async_device_register return value (git-fixes).
- dmaengine: xilinx_dma: fix mixed_enum_type coverity warning (git-fixes).
- docs: Fix reST markup when linking to sections (git-fixes).
- drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' (git-fixes).
- drm/amd/powerplay: fix a crash when overclocking Vega M (bsc#1113956)
- drm/amdkfd: Put ACPI table after using it (bsc#1129770) Backporting changes: 	* context changes
- drm/atomic: put state on error path (git-fixes).
- drm/i915: Check for all subplatform bits (git-fixes).
- drm/i915: Clear the repeater bit on HDCP disable (bsc#1112178)
- drm/i915: Fix sha_text population code (bsc#1112178)
- drm/msm: Avoid div-by-zero in dpu_crtc_atomic_check() (bsc#1129770)
- drm/msm: Fix WARN_ON() splat in _free_object() (bsc#1129770)
- drm/msm: Fix use-after-free in msm_gem with carveout (bsc#1129770)
- drm/nouveau/bios: fix issue shadowing expansion ROMs (git-fixes).
- drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields (git-fixes).
- drm/nouveau/privring: ack interrupts the same way as RM (git-fixes).
- drm/tve200: Fix handling of platform_get_irq() error (bsc#1129770)
- drm/vgem: Replace opencoded version of drm_gem_dumb_map_offset() (bsc#1112178)
- drm: sun4i: hdmi: Fix inverted HPD result (bsc#1112178)
- drm: sun4i: hdmi: Remove extra HPD polling (bsc#1112178)
- ehci: fix EHCI host controller initialization sequence (git-fixes).
- ethernet: ucc_geth: fix use-after-free in ucc_geth_remove() (git-fixes).
- floppy: reintroduce O_NDELAY fix (boo#1181018).
- futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#1149032).
- futex: Ensure the correct return value from futex_lock_pi() (bsc#1181349 bsc#1149032).
- futex: Fix incorrect should_fail_futex() handling (bsc#1181349).
- futex: Handle faults correctly for PI futexes (bsc#1181349 bsc#1149032).
- futex: Provide and use pi_state_update_owner() (bsc#1181349 bsc#1149032).
- futex: Replace pointless printk in fixup_owner() (bsc#1181349 bsc#1149032).
- futex: Simplify fixup_pi_state_owner() (bsc#1181349 bsc#1149032).
- futex: Use pi_state_update_owner() in put_pi_state() (bsc#1181349 bsc#1149032).
- i2c: octeon: check correct size of maximum RECV_LEN packet (git-fixes).
- i40e: Fix removing driver while bare-metal VFs pass traffic (git-fixes).
- i40e: avoid premature Rx buffer reuse (bsc#1111981).
- igb: Report speed and duplex as unknown when device is runtime suspended (git-fixes).
- igc: fix link speed advertising (jsc#SLE-4799).
- iio: ad5504: Fix setting power-down state (git-fixes).
- iommu/vt-d: Do not dereference iommu_device if IOMMU_API is not built (bsc#1181260, jsc#ECO-3191).
- iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1181260, jsc#ECO-3191).
- ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K (bsc#1109837).
- ixgbe: avoid premature Rx buffer reuse (bsc#1109837 ).
- kABI: Fix kABI for extended APIC-ID support (bsc#1181260, jsc#ECO-3191).
- kernfs: deal with kernfs_fill_super() failures (bsc#1181809).
- lockd: do not use interval-based rebinding over TCP (git-fixes).
- locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#1149032).
- md/raid10: initialize r10_bio->read_slot before use (git-fixes).
- md: fix a warning caused by a race between concurrent md_ioctl()s (git-fixes).
- media: gp8psk: initialize stats at power control logic (git-fixes).
- misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() (git-fixes).
- misdn: dsp: select CONFIG_BITREVERSE (git-fixes).
- mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() (git-fixes).
- mlxsw: destroy workqueue when trap_register in mlxsw_emad_init (bsc#1112374).
- mlxsw: spectrum: Do not modify cloned SKBs during xmit (git-fixes).
- mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails (bsc#1112374).
- mlxsw: switchx2: Do not modify cloned SKBs during xmit (git-fixes).
- mm, page_alloc: fix core hung in free_pcppages_bulk() (git fixes (mm/hotplug)).
- mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() (git fixes (mm/pgalloc)).
- mm/rmap: map_pte() was not handling private ZONE_DEVICE page properly (git fixes (mm/hmm)).
- mm/slab: use memzero_explicit() in kzfree() (git fixes (mm/slab)).
- mm: do not wake kswapd prematurely when watermark boosting is disabled (git fixes (mm/vmscan)).
- mm: hwpoison: disable memory error handling on 1GB hugepage (git fixes (mm/hwpoison)).
- mmc: sdhci-xenon: fix 1.8v regulator stabilization (git-fixes).
- nbd: Fix memory leak in nbd_add_socket (bsc#1181504).
- net/af_iucv: always register net_device notifier (git-fixes).
- net/af_iucv: fix null pointer dereference on shutdown (bsc#1179563 LTC#190108).
- net/af_iucv: set correct sk_protocol for child sockets (git-fixes).
- net/filter: Permit reading NET in load_bytes_relative when MAC not set (bsc#1109837).
- net/liquidio: Delete driver version assignment (git-fixes).
- net/liquidio: Delete non-working LIQUIDIO_PACKAGE check (git-fixes).
- net/mlx4_en: Avoid scheduling restart task if it is already running (git-fixes).
- net/mlx5: Add handling of port type in rule deletion (bsc#1103991).
- net/mlx5: Fix memory leak on flow table creation error flow (bsc#1046305).
- net/mlx5e: Fix VLAN cleanup flow (git-fixes).
- net/mlx5e: Fix VLAN create flow (git-fixes).
- net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups (git-fixes).
- net/mlx5e: Fix two double free cases (bsc#1046305).
- net/mlx5e: IPoIB, Drop multicast packets that this interface sent (bsc#1075020).
- net/mlx5e: TX, Fix consumer index of error cqe dump (bsc#1103990 ).
- net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq (bsc#1103990).
- net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels (bsc#1109837).
- net/smc: cancel event worker during device removal (git-fixes).
- net/smc: check for valid ib_client_data (git-fixes).
- net/smc: fix sleep bug in smc_pnet_find_roce_resource() (git-fixes).
- net/smc: receive pending data after RCV_SHUTDOWN (git-fixes).
- net/smc: receive returns without data (git-fixes).
- net/sonic: Add mutual exclusion for accessing shared state (git-fixes).
- net: atlantic: fix potential error handling (git-fixes).
- net: atlantic: fix use after free kasan warn (git-fixes).
- net: bcmgenet: keep MAC in reset until PHY is up (git-fixes).
- net: bcmgenet: reapply manual settings to the PHY (git-fixes).
- net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe() (git-fixes).
- net: cbs: Fix software cbs to consider packet sending time (bsc#1109837).
- net: dsa: LAN9303: select REGMAP when LAN9303 enable (git-fixes).
- net: dsa: b53: b53_arl_rw_op() needs to select IVL or SVL (git-fixes).
- net: ena: set initial DMA width to avoid intel iommu issue (git-fixes).
- net: ethernet: mlx4: Avoid assigning a value to ring_cons but not used it anymore in mlx4_en_xmit() (git-fixes).
- net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse() (git-fixes).
- net: freescale: fec: Fix ethtool -d runtime PM (git-fixes).
- net: hns3: add a missing uninit debugfs when unload driver (bsc#1104353).
- net: hns3: add compatible handling for command HCLGE_OPC_PF_RST_DONE (git-fixes).
- net: hns3: add management table after IMP reset (bsc#1104353 ).
- net: hns3: check reset interrupt status when reset fails (git-fixes).
- net: hns3: clear reset interrupt status in hclge_irq_handle() (git-fixes).
- net: hns3: fix a TX timeout issue (bsc#1104353).
- net: hns3: fix a wrong reset interrupt status mask (git-fixes).
- net: hns3: fix error VF index when setting VLAN offload (bsc#1104353).
- net: hns3: fix error handling for desc filling (bsc#1104353 ).
- net: hns3: fix for not calculating TX BD send size correctly (bsc#1126390).
- net: hns3: fix interrupt clearing error for VF (bsc#1104353 ).
- net: hns3: fix mis-counting IRQ vector numbers issue (bsc#1104353).
- net: hns3: fix shaper parameter algorithm (bsc#1104353 ).
- net: hns3: fix the number of queues actually used by ARQ (bsc#1104353).
- net: hns3: fix use-after-free when doing self test (bsc#1104353 ).
- net: hns3: reallocate SSU' buffer size when pfc_en changes (bsc#1104353).
- net: mvpp2: Fix GoP port 3 Networking Complex Control configurations (bsc#1098633).
- net: mvpp2: Fix error return code in mvpp2_open() (bsc#1119113 ).
- net: mvpp2: fix pkt coalescing int-threshold configuration (bsc#1098633).
- net: phy: Allow BCM54616S PHY to setup internal TX/RX clock delay (git-fixes).
- net: phy: broadcom: Fix RGMII delays configuration for BCM54210E (git-fixes).
- net: phy: micrel: Discern KSZ8051 and KSZ8795 PHYs (git-fixes).
- net: phy: micrel: make sure the factory test bit is cleared (git-fixes).
- net: qca_spi: Move reset_count to struct qcaspi (git-fixes).
- net: smc911x: Adjust indentation in smc911x_phy_configure (git-fixes).
- net: stmmac: 16KB buffer must be 16 byte aligned (git-fixes).
- net: stmmac: Do not accept invalid MTU values (git-fixes).
- net: stmmac: Enable 16KB buffer size (git-fixes).
- net: stmmac: RX buffer size must be 16 byte aligned (git-fixes).
- net: stmmac: dwmac-meson8b: Fix signedness bug in probe (git-fixes).
- net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes (git-fixes).
- net: stmmac: fix length of PTP clock's name string (git-fixes).
- net: stmmac: gmac4+: Not all Unicast addresses may be available (git-fixes).
- net: sunrpc: interpret the return value of kstrtou32 correctly (git-fixes).
- net: team: fix memory leak in __team_options_register (git-fixes).
- net: tulip: Adjust indentation in {dmfe, uli526x}_init_module (git-fixes).
- net: usb: lan78xx: Fix error message format specifier (git-fixes).
- net: vlan: avoid leaks on register_vlan_dev() failures (git-fixes).
- net_failover: fixed rollback in net_failover_open() (bsc#1109837).
- net_sched: let qdisc_put() accept NULL pointer (bsc#1056657 bsc#1056653 bsc#1056787).
- nfp: validate the return code from dev_queue_xmit() (git-fixes).
- nfs_common: need lock during iterate through the list (git-fixes).
- nfsd4: readdirplus shouldn't return parent of export (git-fixes).
- nfsd: Fix message level for normal termination (git-fixes).
- pNFS: Mark layout for return if return-on-close was not sent (git-fixes).
- page_frag: Recover from memory pressure (git fixes (mm/pgalloc)).
- powerpc/perf: Add generic compat mode pmu driver (bsc#1178900 ltc#189284).
- powerpc/perf: Fix crashes with generic_compat_pmu & BHRB (bsc#1178900 ltc#189284 git-fixes).
- powerpc/perf: init pmu from core-book3s (bsc#1178900 ltc#189284).
- qed: Fix race condition between scheduling and destroying the slowpath workqueue (bsc#1086314 bsc#1086313 bsc#1086301).
- qed: Fix use after free in qed_chain_free (bsc#1050536 bsc#1050538).
- r8152: Add Lenovo Powered USB-C Travel Hub (git-fixes).
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock() (bsc#1181349 bsc#1149032).
- s390/cio: fix use-after-free in ccw_device_destroy_console (git-fixes).
- s390/dasd: fix list corruption of lcu list (bsc#1181170 LTC#190915).
- s390/dasd: fix list corruption of pavgroup group list (bsc#1181170 LTC#190915).
- s390/dasd: prevent inconsistent LCU device data (bsc#1181170 LTC#190915).
- s390/qeth: delay draining the TX buffers (git-fixes).
- s390/qeth: fix L2 header access in qeth_l3_osa_features_check() (git-fixes).
- s390/qeth: fix deadlock during recovery (git-fixes).
- s390/qeth: fix locking for discipline setup / removal (git-fixes).
- s390/smp: perform initial CPU reset also for SMT siblings (git-fixes).
- sched/fair: Fix enqueue_task_fair warning (bsc#1179093).
- sched/fair: Fix enqueue_task_fair() warning some more (bsc#1179093).
- sched/fair: Fix reordering of enqueue/dequeue_task_fair() (bsc#1179093).
- sched/fair: Fix unthrottle_cfs_rq() for leaf_cfs_rq list (bsc#1179093).
- sched/fair: Reorder enqueue/dequeue_task_fair path (bsc#1179093).
- scsi: core: Fix VPD LUN ID designator priorities (bsc#1178049, git-fixes).
- scsi: ibmvfc: Set default timeout to avoid crash during migration (bsc#1181425 ltc#188252).
- scsi: lpfc: Enhancements to LOG_TRACE_EVENT for better readability (bsc#1180891).
- scsi: lpfc: Fix FW reset action if I/Os are outstanding (bsc#1180891).
- scsi: lpfc: Fix NVMe recovery after mailbox timeout (bsc#1180891).
- scsi: lpfc: Fix PLOGI S_ID of 0 on pt2pt config (bsc#1180891).
- scsi: lpfc: Fix auto sli_mode and its effect on CONFIG_PORT for SLI3 (bsc#1180891).
- scsi: lpfc: Fix crash when a fabric node is released prematurely (bsc#1180891).
- scsi: lpfc: Fix error log messages being logged following SCSI task mgnt (bsc#1180891).
- scsi: lpfc: Fix target reset failing (bsc#1180891).
- scsi: lpfc: Fix vport create logging (bsc#1180891).
- scsi: lpfc: Implement health checking when aborting I/O (bsc#1180891).
- scsi: lpfc: Prevent duplicate requests to unregister with cpuhp framework (bsc#1180891).
- scsi: lpfc: Refresh ndlp when a new PRLI is received in the PRLI issue state (bsc#1180891).
- scsi: lpfc: Simplify bool comparison (bsc#1180891).
- scsi: lpfc: Update lpfc version to 12.8.0.7 (bsc#1180891).
- scsi: lpfc: Use the nvme-fc transport supplied timeout for LS requests (bsc#1180891).
- scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit (bsc#1179142).
- serial: mvebu-uart: fix tx lost characters at power off (git-fixes).
- spi: cadence: cache reference clock rate during probe (git-fixes).
- team: set dev->needed_headroom in team_setup_by_port() (git-fixes).
- tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS (bsc#1109837).
- usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data() (git-fixes).
- usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion (git-fixes).
- usb: gadget: configfs: Preserve function ordering after bind failure (git-fixes).
- usb: gadget: f_uac2: reset wMaxPacketSize (git-fixes).
- usb: gadget: select CONFIG_CRC32 (git-fixes).
- usb: udc: core: Use lock when write to soft_connect (git-fixes).
- veth: Adjust hard_start offset on redirect XDP frames (bsc#1109837).
- vfio iommu: Add dma available capability (bsc#1179573 LTC#190106).
- vfio-pci: Use io_remap_pfn_range() for PCI IO memory (bsc#1181231).
- vhost/vsock: fix vhost vsock cid hashing inconsistent (git-fixes).
- virtio_net: Keep vnet header zeroed if XDP is loaded for small buffer (git-fixes).
- wan: ds26522: select CONFIG_BITREVERSE (git-fixes).
- wil6210: select CONFIG_CRC32 (git-fixes).
- x86/apic: Fix x2apic enablement without interrupt remapping (bsc#1181260, jsc#ECO-3191).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181260, jsc#ECO-3191).
- x86/hyperv: Fix kexec panic/hang issues (bsc#1176831).
- x86/i8259: Use printk_deferred() to prevent deadlock (bsc#1112178).
- x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181260, jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181260, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181260, jsc#ECO-3191).
- x86/mm/numa: Remove uninitialized_var() usage (bsc#1112178).
- x86/mm: Fix leak of pmd ptlock (bsc#1112178).
- x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181260, jsc#ECO-3191).
- x86/mtrr: Correct the range check before performing MTRR type lookups (bsc#1112178).
- x86/resctrl: Do not move a task to the same resource group (bsc#1112178).
- x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR (bsc#1112178).
- xdp: Fix xsk_generic_xmit errno (bsc#1109837).
- xhci: make sure TRB is fully written before giving it to the controller (git-fixes).
- xhci: tegra: Delay for disabling LFPS detector (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:551-1
Released:    Tue Feb 23 09:31:53 2021
Summary:     Security update for avahi
Type:        security
Severity:    moderate
References:  1180827,CVE-2021-26720
This update for avahi fixes the following issues:

- CVE-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827)
- Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d.
- Add sudo to requires: used to drop privileges.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:556-1
Released:    Tue Feb 23 11:17:20 2021
Summary:     Recommended update for open-lldp
Type:        recommended
Severity:    moderate
References:  1175570
This update for open-lldp fixes the following issue:

Update to version v1.0.1+65.f3b70663b55e
- Event interface: only set receive buffer size if too small (bsc#1175570)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:571-1
Released:    Tue Feb 23 16:11:33 2021
Summary:     Recommended update for cloud-init
Type:        recommended
Severity:    moderate
References:  1180176
This update for cloud-init contains the following fixes:

- Update cloud-init-write-routes.patch (bsc#1180176)
  + Follow up to previous changes. Fix order of operations
    error to make gateway comparison between subnet configuration and
    route configuration valuable rather than self-comparing.

- Add cloud-init-sle12-compat.patch (jsc#PM-2335)
  - Python 3.4 compatibility in setup.py
  - Disable some test for mock version compatibility

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:580-1
Released:    Wed Feb 24 11:16:42 2021
Summary:     Optional update for python-cffi
Type:        optional
Severity:    low
References:  1182471
This update for python-cffi fixes the following issues:

- Restored compatibility with Python 2.7 update (bsc#1182471)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released:    Fri Feb 26 19:53:43 2021
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:654-1
Released:    Fri Feb 26 20:01:10 2021
Summary:     Security update for python-Jinja2
Type:        security
Severity:    important
References:  1181944,1182244,CVE-2020-28493
This update for python-Jinja2 fixes the following issues:

- CVE-2020-28493: Fixed a ReDOS vulnerability where urlize could have 
  been called with untrusted user data (bsc#1181944).  

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:684-1
Released:    Tue Mar  2 19:05:30 2021
Summary:     Security update for grub2
Type:        security
Severity:    important
References:  1175970,1176711,1177883,1179264,1179265,1182057,1182262,1182263,CVE-2020-14372,CVE-2020-25632,CVE-2020-25647,CVE-2020-27749,CVE-2020-27779,CVE-2021-20225,CVE-2021-20233
This update for grub2 fixes the following issues:

grub2 now implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)

Following security issues are fixed that can violate secure boot constraints:

- CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:689-1
Released:    Tue Mar  2 19:08:40 2021
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1180933
This update for bind fixes the following issues:

- dnssec-keygen can no longer generate HMAC keys. Use tsig-keygen instead. [bsc#1180933]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:696-1
Released:    Wed Mar  3 18:17:53 2021
Summary:     Security update for python-cryptography
Type:        security
Severity:    important
References:  1182066,CVE-2020-36242
This update for python-cryptography fixes the following issues:

- CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte
  values could result in an integer overflow and buffer overflow (bsc#1182066).



More information about the sle-security-updates mailing list