From sle-security-updates at lists.suse.com Fri Oct 1 16:16:27 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 1 Oct 2021 18:16:27 +0200 (CEST)
Subject: SUSE-SU-2021:14821-1: important: Security update for MozillaFirefox
Message-ID: <20211001161627.F1E9DFCC9@maintenance.suse.de>

   SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14821-1
Rating:             important
References:         #1188891 #1189547 #1190269 #1190274
Cross-References:   CVE-2021-29980 CVE-2021-29981 CVE-2021-29982 CVE-2021-29983
                    CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29987
                    CVE-2021-29988 CVE-2021-29989 CVE-2021-29990 CVE-2021-29991
                    CVE-2021-38492 CVE-2021-38495
CVSS scores:
    CVE-2021-29980 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
    CVE-2021-29984 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
    CVE-2021-29985 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    CVE-2021-29986 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
    CVE-2021-29988 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
    CVE-2021-29989 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
    CVE-2021-29991 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    CVE-2021-38492 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products:
    SUSE Linux Enterprise Server 11-SP4-LTSS
    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes 14 vulnerabilities is now available.

Description:

   This update for MozillaFirefox fixes the following issues:

   This update contains the Firefox Extended Support Release 91.1.0 ESR.

   * Fixed: Various stability, functionality, and security fixes

   MFSA 2021-40 (bsc#1190269, bsc#1190274):
   * CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
   * CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1

   Firefox 91.0.1esr ESR
   * Fixed: Fixed an issue causing buttons on the tab bar to be resized when
     loading certain websites (bug 1704404)
   * Fixed: Fixed an issue which caused tabs from private windows to be visible
     in non-private windows when viewing switch-to-tab results in the address
     bar panel (bug 1720369)
   * Fixed: Various stability fixes
   * Fixed: Security fix MFSA 2021-37 (bsc#1189547)
     * CVE-2021-29991 (bmo#1724896) Header Splitting possible with HTTP/3 Responses

   Firefox Extended Support Release 91.0 ESR
   * New: Some of the highlights of the new Extended Support Release are:
     - A number of user interface changes. For more information, see the
       Firefox 89 release notes.
     - Firefox now supports logging into Microsoft, work, and school accounts
       using Windows single sign-on. Learn more
     - On Windows, updates can now be applied in the background while Firefox
       is not running.
     - Firefox for Windows now offers a new page about:third-party to help
       identify compatibility issues caused by third-party applications
     - Version 2 of Firefox's SmartBlock feature further improves private
       browsing. Third party Facebook scripts are blocked to prevent you from
       being tracked, but are now automatically loaded "just in time" if you
       decide to "Log in with Facebook" on any website.
     - Enhanced the privacy of the Firefox Browser's Private Browsing mode with
       Total Cookie Protection, which confines cookies to the site where they
       were created, preventing companies from using cookies to track your
       browsing across sites. This feature was originally launched in
       Firefox's ETP Strict mode.
     - PDF forms now support JavaScript embedded in PDF files. Some PDF forms
       use JavaScript for validation and other interactive features.
     - You'll encounter less website breakage in Private Browsing and Strict
       Enhanced Tracking Protection with SmartBlock, which provides stand-in
       scripts so that websites load properly.
     - Improved Print functionality with a cleaner design and better
       integration with your computer's printer settings.
     - Firefox now protects you from supercookies, a type of tracker that can
       stay hidden in your browser and track you online, even after you clear
       cookies. By isolating supercookies, Firefox prevents them from tracking
       your web browsing from one site to the next.
     - Firefox now remembers your preferred location for saved bookmarks,
       displays the bookmarks toolbar by default on new tabs, and gives you
       easy access to all of your bookmarks via a toolbar folder.
     - Native support for macOS devices built with Apple Silicon CPUs brings
       dramatic performance improvements over the non-native build that was
       shipped in Firefox 83: Firefox launches over 2.5 times faster and web
       apps are now twice as responsive (per the SpeedoMeter 2.0 test). If you
       are on a new Apple device, follow these steps to upgrade to the latest
       Firefox.
     - Pinch zooming will now be supported for our users with Windows
       touchscreen devices and touchpads on Mac devices. Firefox users may now
       use pinch to zoom on touch-capable devices to zoom in and out of
       webpages.
     - We've improved functionality and design for a number of Firefox search
       features:
       * Selecting a search engine at the bottom of the search panel now enters
         search mode for that engine, allowing you to see suggestions (if
         available) for your search terms. The old behavior (immediately
         performing a search) is available with a shift-click.
       * When Firefox autocompletes the URL of one of your search engines, you
         can now search with that engine directly in the address bar by
         selecting the shortcut in the address bar results.
       * We've added buttons at the bottom of the search panel to allow you to
         search your bookmarks, open tabs, and history.
     - Firefox supports AcroForm, which will allow you to fill in, print, and
       save supported PDF forms and the PDF viewer also has a new fresh look.
     - For our users in the US and Canada, Firefox can now save, manage, and
       auto-fill credit card information for you, making shopping on Firefox
       ever more convenient.
     - In addition to our default, dark and light themes, with this release,
       Firefox introduces the Alpenglow theme: a colorful appearance for
       buttons, menus, and windows. You can update your Firefox themes under
       settings or preferences.
   * Changed: Firefox no longer supports Adobe Flash. There is no setting
     available to re-enable Flash support.
   * Enterprise: Various bug fixes and new policies have been implemented in
     the latest version of Firefox. See more details in the Firefox for
     Enterprise 91 Release Notes.

   MFSA 2021-33 (bsc#1188891):
   * CVE-2021-29986: Race condition when resolving DNS names could have led to
     memory corruption
   * CVE-2021-29981: Live range splitting could have led to conflicting
     assignments in the JIT
   * CVE-2021-29988: Memory corruption as a result of incorrect style treatment
   * CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
   * CVE-2021-29984: Incorrect instruction reordering during JIT optimization
   * CVE-2021-29980: Uninitialized memory in a canvas object could have led to
     memory corruption
   * CVE-2021-29987: Users could have been tricked into accepting unwanted
     permissions on Linux
   * CVE-2021-29985: Use-after-free media channels
   * CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and
     type confusion
   * CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
   * CVE-2021-29990: Memory safety bugs fixed in Firefox 91

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:
     zypper in -t patch slessp4-MozillaFirefox-14821=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:
     zypper in -t patch dbgsp4-MozillaFirefox-14821=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64):
     MozillaFirefox-78.14.0-78.140.4
     MozillaFirefox-translations-common-78.14.0-78.140.4
     MozillaFirefox-translations-other-78.14.0-78.140.4

   - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):
     MozillaFirefox-debuginfo-78.14.0-78.140.4

References:

   https://www.suse.com/security/cve/CVE-2021-29980.html
   https://www.suse.com/security/cve/CVE-2021-29981.html
   https://www.suse.com/security/cve/CVE-2021-29982.html
   https://www.suse.com/security/cve/CVE-2021-29983.html
   https://www.suse.com/security/cve/CVE-2021-29984.html
   https://www.suse.com/security/cve/CVE-2021-29985.html
   https://www.suse.com/security/cve/CVE-2021-29986.html
   https://www.suse.com/security/cve/CVE-2021-29987.html
   https://www.suse.com/security/cve/CVE-2021-29988.html
   https://www.suse.com/security/cve/CVE-2021-29989.html
   https://www.suse.com/security/cve/CVE-2021-29990.html
   https://www.suse.com/security/cve/CVE-2021-29991.html
   https://www.suse.com/security/cve/CVE-2021-38492.html
   https://www.suse.com/security/cve/CVE-2021-38495.html
   https://bugzilla.suse.com/1188891
   https://bugzilla.suse.com/1189547
   https://bugzilla.suse.com/1190269
   https://bugzilla.suse.com/1190274


From sle-security-updates at lists.suse.com Mon Oct 4 10:16:38 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 4 Oct 2021 12:16:38 +0200 (CEST)
Subject: SUSE-SU-2021:3277-1: moderate: Security update for libvirt
Message-ID: <20211004101638.45805FCC9@maintenance.suse.de>

   SUSE Security Update: Security update for libvirt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3277-1
Rating:             moderate
References:         #1182783 #1184772 #1185081 #1188843
Cross-References:   CVE-2021-3667
CVSS scores:
    CVE-2021-3667 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:
    SUSE Linux Enterprise Software Development Kit 12-SP5
    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes is now available.

Description:

   This update for libvirt fixes the following issues:

   - CVE-2021-3667: Fixed an improper locking on ACL failure in
     virStoragePoolLookupByTargetPath API. (bsc#1188843)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:
     zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3277=1

   - SUSE Linux Enterprise Server 12-SP5:
     zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3277=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
     libvirt-debugsource-5.1.0-13.25.1
     libvirt-devel-5.1.0-13.25.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
     libvirt-5.1.0-13.25.1
     libvirt-admin-5.1.0-13.25.1
     libvirt-admin-debuginfo-5.1.0-13.25.1
     libvirt-client-5.1.0-13.25.1
     libvirt-client-debuginfo-5.1.0-13.25.1
     libvirt-daemon-5.1.0-13.25.1
     libvirt-daemon-config-network-5.1.0-13.25.1
     libvirt-daemon-config-nwfilter-5.1.0-13.25.1
     libvirt-daemon-debuginfo-5.1.0-13.25.1
     libvirt-daemon-driver-interface-5.1.0-13.25.1
     libvirt-daemon-driver-interface-debuginfo-5.1.0-13.25.1
     libvirt-daemon-driver-lxc-5.1.0-13.25.1
     libvirt-daemon-driver-lxc-debuginfo-5.1.0-13.25.1
     libvirt-daemon-driver-network-5.1.0-13.25.1
     libvirt-daemon-driver-network-debuginfo-5.1.0-13.25.1
     libvirt-daemon-driver-nodedev-5.1.0-13.25.1
     libvirt-daemon-driver-nodedev-debuginfo-5.1.0-13.25.1
     libvirt-daemon-driver-nwfilter-5.1.0-13.25.1
     libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-13.25.1
     libvirt-daemon-driver-qemu-5.1.0-13.25.1
     libvirt-daemon-driver-qemu-debuginfo-5.1.0-13.25.1
     libvirt-daemon-driver-secret-5.1.0-13.25.1
     libvirt-daemon-driver-secret-debuginfo-5.1.0-13.25.1
     libvirt-daemon-driver-storage-5.1.0-13.25.1
     libvirt-daemon-driver-storage-core-5.1.0-13.25.1
     libvirt-daemon-driver-storage-core-debuginfo-5.1.0-13.25.1
     libvirt-daemon-driver-storage-disk-5.1.0-13.25.1
     libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-13.25.1
     libvirt-daemon-driver-storage-iscsi-5.1.0-13.25.1
     libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-13.25.1
     libvirt-daemon-driver-storage-logical-5.1.0-13.25.1
     libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-13.25.1
     libvirt-daemon-driver-storage-mpath-5.1.0-13.25.1
     libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-13.25.1
     libvirt-daemon-driver-storage-scsi-5.1.0-13.25.1
     libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-13.25.1
     libvirt-daemon-hooks-5.1.0-13.25.1
     libvirt-daemon-lxc-5.1.0-13.25.1
     libvirt-daemon-qemu-5.1.0-13.25.1
     libvirt-debugsource-5.1.0-13.25.1
     libvirt-doc-5.1.0-13.25.1
     libvirt-libs-5.1.0-13.25.1
     libvirt-libs-debuginfo-5.1.0-13.25.1
     libvirt-lock-sanlock-5.1.0-13.25.1
     libvirt-lock-sanlock-debuginfo-5.1.0-13.25.1
     libvirt-nss-5.1.0-13.25.1
     libvirt-nss-debuginfo-5.1.0-13.25.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 x86_64):
     libvirt-daemon-driver-storage-rbd-5.1.0-13.25.1
     libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-13.25.1

   - SUSE Linux Enterprise Server 12-SP5 (x86_64):
     libvirt-daemon-driver-libxl-5.1.0-13.25.1
     libvirt-daemon-driver-libxl-debuginfo-5.1.0-13.25.1
     libvirt-daemon-xen-5.1.0-13.25.1

References:

   https://www.suse.com/security/cve/CVE-2021-3667.html
   https://bugzilla.suse.com/1182783
   https://bugzilla.suse.com/1184772
   https://bugzilla.suse.com/1185081
   https://bugzilla.suse.com/1188843


From sle-security-updates at lists.suse.com Mon Oct 4 19:16:27 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 4 Oct 2021 21:16:27 +0200 (CEST)
Subject: SUSE-SU-2021:3282-1: important: Security update for webkit2gtk3
Message-ID: <20211004191627.68994FCC9@maintenance.suse.de>

   SUSE Security Update: Security update for webkit2gtk3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3282-1
Rating:             important
References:         #1188697 #1190701
Cross-References:   CVE-2021-21806 CVE-2021-30858
CVSS scores:
    CVE-2021-21806 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    CVE-2021-21806 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    CVE-2021-30858 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    CVE-2021-30858 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Server 15-SP1-LTSS
    SUSE Linux Enterprise Server 15-SP1-BCL
    SUSE Linux Enterprise Server 15-LTSS
    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
    SUSE Linux Enterprise High Performance Computing 15-LTSS
    SUSE Linux Enterprise High Performance Computing 15-ESPOS
    SUSE Enterprise Storage 6
    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for webkit2gtk3 fixes the following issues:

   - Update to version 2.32.4
   - CVE-2021-30858: Fixed a security bug that could allow maliciously crafted
     web content to achieve arbitrary code execution. (bsc#1190701)
   - CVE-2021-21806: Fixed an exploitable use-after-free vulnerability via
     specially crafted HTML web page. (bsc#1188697)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15-SP1:
     zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-3282=1

   - SUSE Linux Enterprise Server for SAP 15:
     zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-3282=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:
     zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-3282=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:
     zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-3282=1

   - SUSE Linux Enterprise Server 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-SLES-15-2021-3282=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-3282=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-3282=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3282=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
     zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3282=1

   - SUSE Enterprise Storage 6:
     zypper in -t patch SUSE-Storage-6-2021-3282=1

   - SUSE CaaS Platform 4.0:
     To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
     inform you if it detects new updates and let you then trigger updating of
     the complete cluster in a controlled way.
Package List:

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
     libjavascriptcoregtk-4_0-18-2.32.4-3.82.1
     libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-debuginfo-2.32.4-3.82.1
     typelib-1_0-JavaScriptCore-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2WebExtension-4_0-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-3.82.1
     webkit2gtk3-debugsource-2.32.4-3.82.1
     webkit2gtk3-devel-2.32.4-3.82.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):
     libwebkit2gtk3-lang-2.32.4-3.82.1

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
     libjavascriptcoregtk-4_0-18-2.32.4-3.82.1
     libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-debuginfo-2.32.4-3.82.1
     typelib-1_0-JavaScriptCore-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2WebExtension-4_0-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-3.82.1
     webkit2gtk3-debugsource-2.32.4-3.82.1
     webkit2gtk3-devel-2.32.4-3.82.1

   - SUSE Linux Enterprise Server for SAP 15 (noarch):
     libwebkit2gtk3-lang-2.32.4-3.82.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
     libjavascriptcoregtk-4_0-18-2.32.4-3.82.1
     libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-debuginfo-2.32.4-3.82.1
     typelib-1_0-JavaScriptCore-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2WebExtension-4_0-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-3.82.1
     webkit2gtk3-debugsource-2.32.4-3.82.1
     webkit2gtk3-devel-2.32.4-3.82.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):
     libwebkit2gtk3-lang-2.32.4-3.82.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
     libjavascriptcoregtk-4_0-18-2.32.4-3.82.1
     libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-debuginfo-2.32.4-3.82.1
     typelib-1_0-JavaScriptCore-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2WebExtension-4_0-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-3.82.1
     webkit2gtk3-debugsource-2.32.4-3.82.1
     webkit2gtk3-devel-2.32.4-3.82.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (noarch):
     libwebkit2gtk3-lang-2.32.4-3.82.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
     libjavascriptcoregtk-4_0-18-2.32.4-3.82.1
     libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-debuginfo-2.32.4-3.82.1
     typelib-1_0-JavaScriptCore-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2WebExtension-4_0-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-3.82.1
     webkit2gtk3-debugsource-2.32.4-3.82.1
     webkit2gtk3-devel-2.32.4-3.82.1

   - SUSE Linux Enterprise Server 15-LTSS (noarch):
     libwebkit2gtk3-lang-2.32.4-3.82.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
     libjavascriptcoregtk-4_0-18-2.32.4-3.82.1
     libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-debuginfo-2.32.4-3.82.1
     typelib-1_0-JavaScriptCore-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2WebExtension-4_0-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-3.82.1
     webkit2gtk3-debugsource-2.32.4-3.82.1
     webkit2gtk3-devel-2.32.4-3.82.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):
     libwebkit2gtk3-lang-2.32.4-3.82.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
     libjavascriptcoregtk-4_0-18-2.32.4-3.82.1
     libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-debuginfo-2.32.4-3.82.1
     typelib-1_0-JavaScriptCore-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2WebExtension-4_0-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-3.82.1
     webkit2gtk3-debugsource-2.32.4-3.82.1
     webkit2gtk3-devel-2.32.4-3.82.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):
     libwebkit2gtk3-lang-2.32.4-3.82.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
     libjavascriptcoregtk-4_0-18-2.32.4-3.82.1
     libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-debuginfo-2.32.4-3.82.1
     typelib-1_0-JavaScriptCore-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2WebExtension-4_0-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-3.82.1
     webkit2gtk3-debugsource-2.32.4-3.82.1
     webkit2gtk3-devel-2.32.4-3.82.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
     libwebkit2gtk3-lang-2.32.4-3.82.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
     libjavascriptcoregtk-4_0-18-2.32.4-3.82.1
     libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-debuginfo-2.32.4-3.82.1
     typelib-1_0-JavaScriptCore-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2WebExtension-4_0-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-3.82.1
     webkit2gtk3-debugsource-2.32.4-3.82.1
     webkit2gtk3-devel-2.32.4-3.82.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
     libwebkit2gtk3-lang-2.32.4-3.82.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):
     libjavascriptcoregtk-4_0-18-2.32.4-3.82.1
     libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-debuginfo-2.32.4-3.82.1
     typelib-1_0-JavaScriptCore-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2WebExtension-4_0-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-3.82.1
     webkit2gtk3-debugsource-2.32.4-3.82.1
     webkit2gtk3-devel-2.32.4-3.82.1

   - SUSE Enterprise Storage 6 (noarch):
     libwebkit2gtk3-lang-2.32.4-3.82.1

   - SUSE CaaS Platform 4.0 (noarch):
     libwebkit2gtk3-lang-2.32.4-3.82.1

   - SUSE CaaS Platform 4.0 (x86_64):
     libjavascriptcoregtk-4_0-18-2.32.4-3.82.1
     libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-2.32.4-3.82.1
     libwebkit2gtk-4_0-37-debuginfo-2.32.4-3.82.1
     typelib-1_0-JavaScriptCore-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2-4_0-2.32.4-3.82.1
     typelib-1_0-WebKit2WebExtension-4_0-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-2.32.4-3.82.1
     webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-3.82.1
     webkit2gtk3-debugsource-2.32.4-3.82.1
     webkit2gtk3-devel-2.32.4-3.82.1

References:

   https://www.suse.com/security/cve/CVE-2021-21806.html
   https://www.suse.com/security/cve/CVE-2021-30858.html
   https://bugzilla.suse.com/1188697
   https://bugzilla.suse.com/1190701


From sle-security-updates at lists.suse.com Mon Oct 4 19:18:56 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 4 Oct 2021 21:18:56 +0200 (CEST)
Subject: SUSE-SU-2021:14822-1: moderate: Security update for glibc
Message-ID: <20211004191856.9B751FCC9@maintenance.suse.de>

   SUSE Security Update: Security update for glibc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14822-1
Rating:             moderate
References:         #1186489 #1187911
Cross-References:   CVE-2021-33574 CVE-2021-35942
CVSS scores:
    CVE-2021-33574 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE-2021-33574 (SUSE): 5.9
                           CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-35942 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
    SUSE Linux Enterprise Server 11-SP4-LTSS
    SUSE Linux Enterprise Point of Sale 11-SP3
    SUSE Linux Enterprise Debuginfo 11-SP4
    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for glibc fixes the following issues:

   - CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)
   - CVE-2021-35942: wordexp: handle overflow in positional parameter number
     (bsc#1187911)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:
     zypper in -t patch slessp4-glibc-14822=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:
     zypper in -t patch sleposp3-glibc-14822=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:
     zypper in -t patch dbgsp4-glibc-14822=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:
     zypper in -t patch dbgsp3-glibc-14822=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 i686 ppc64 s390x x86_64):
     glibc-2.11.3-17.110.37.1
     glibc-devel-2.11.3-17.110.37.1

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
     glibc-html-2.11.3-17.110.37.1
     glibc-i18ndata-2.11.3-17.110.37.1
     glibc-info-2.11.3-17.110.37.1
     glibc-locale-2.11.3-17.110.37.1
     glibc-profile-2.11.3-17.110.37.1
     nscd-2.11.3-17.110.37.1

   - SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64):
     glibc-32bit-2.11.3-17.110.37.1
     glibc-devel-32bit-2.11.3-17.110.37.1
     glibc-locale-32bit-2.11.3-17.110.37.1
     glibc-profile-32bit-2.11.3-17.110.37.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586 i686):
     glibc-2.11.3-17.110.37.1
     glibc-devel-2.11.3-17.110.37.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
     glibc-html-2.11.3-17.110.37.1
     glibc-i18ndata-2.11.3-17.110.37.1
     glibc-info-2.11.3-17.110.37.1
     glibc-locale-2.11.3-17.110.37.1
     glibc-profile-2.11.3-17.110.37.1
     nscd-2.11.3-17.110.37.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 i686 ppc64 s390x x86_64):
     glibc-debuginfo-2.11.3-17.110.37.1
     glibc-debugsource-2.11.3-17.110.37.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):
     glibc-debuginfo-32bit-2.11.3-17.110.37.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 i686 s390x x86_64):
     glibc-debuginfo-2.11.3-17.110.37.1
     glibc-debugsource-2.11.3-17.110.37.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (s390x x86_64):
     glibc-debuginfo-32bit-2.11.3-17.110.37.1

References:

   https://www.suse.com/security/cve/CVE-2021-33574.html
   https://www.suse.com/security/cve/CVE-2021-35942.html
   https://bugzilla.suse.com/1186489
   https://bugzilla.suse.com/1187911


From sle-security-updates at lists.suse.com Mon Oct 4 22:21:17 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 5 Oct 2021 00:21:17 +0200 (CEST)
Subject: SUSE-SU-2021:3201-2: moderate: Security update for hivex
Message-ID: <20211004222117.9B6C9FCC9@maintenance.suse.de>

   SUSE Security Update: Security update for hivex
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3201-2
Rating:             moderate
References:         #1189060
Cross-References:   CVE-2021-3622
CVSS scores:
    CVE-2021-3622 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Affected Products:
    SUSE MicroOS 5.1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for hivex fixes the following issues:

   - CVE-2021-3622: Fixed stack overflow due to recursive call of
     _get_children() (bsc#1189060).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.1:
     zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3201=1

Package List:

   - SUSE MicroOS 5.1 (aarch64 s390x x86_64):
     hivex-debuginfo-1.3.14-5.6.1
     hivex-debugsource-1.3.14-5.6.1
     libhivex0-1.3.14-5.6.1
     libhivex0-debuginfo-1.3.14-5.6.1
     perl-Win-Hivex-1.3.14-5.6.1
     perl-Win-Hivex-debuginfo-1.3.14-5.6.1

References:

   https://www.suse.com/security/cve/CVE-2021-3622.html
   https://bugzilla.suse.com/1189060


From sle-security-updates at lists.suse.com Wed Oct 6 19:23:50 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Oct 2021 21:23:50 +0200 (CEST)
Subject: SUSE-SU-2021:3296-1: important: Security update for webkit2gtk3
Message-ID: <20211006192350.5E0C4FCC9@maintenance.suse.de>

   SUSE Security Update: Security update for webkit2gtk3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3296-1
Rating:             important
References:         #1188697 #1190701
Cross-References:   CVE-2021-21806 CVE-2021-30858
CVSS scores:
    CVE-2021-21806 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    CVE-2021-21806 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    CVE-2021-30858 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    CVE-2021-30858 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
    SUSE OpenStack Cloud Crowbar 9
    SUSE OpenStack Cloud Crowbar 8
    SUSE OpenStack Cloud 9
    SUSE OpenStack Cloud 8
    SUSE Linux Enterprise Software Development Kit 12-SP5
    SUSE Linux Enterprise Server for SAP 12-SP4
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server 12-SP5
    SUSE Linux Enterprise Server 12-SP4-LTSS
    SUSE Linux Enterprise Server 12-SP3-LTSS
    SUSE Linux Enterprise Server 12-SP3-BCL
    SUSE Linux Enterprise Server 12-SP2-BCL
    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for webkit2gtk3 fixes the following issues:

   - Update to version 2.32.4
   - CVE-2021-30858: Fixed a security bug that could allow maliciously crafted
     web content to achieve arbitrary code execution. (bsc#1190701)
   - CVE-2021-21806: Fixed an exploitable use-after-free vulnerability via
     specially crafted HTML web page. (bsc#1188697)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:
     zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-3296=1

   - SUSE OpenStack Cloud Crowbar 8:
     zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-3296=1

   - SUSE OpenStack Cloud 9:
     zypper in -t patch SUSE-OpenStack-Cloud-9-2021-3296=1

   - SUSE OpenStack Cloud 8:
     zypper in -t patch SUSE-OpenStack-Cloud-8-2021-3296=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:
     zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3296=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:
     zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-3296=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:
     zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-3296=1

   - SUSE Linux Enterprise Server 12-SP5:
     zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3296=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:
     zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-3296=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:
     zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-3296=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:
     zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-3296=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:
     zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-3296=1

   - HPE Helion Openstack 8:
     zypper in -t patch HPE-Helion-OpenStack-8-2021-3296=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (noarch):
     libwebkit2gtk3-lang-2.32.4-2.71.2

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):
     libjavascriptcoregtk-4_0-18-2.32.4-2.71.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-debuginfo-2.32.4-2.71.2
      typelib-1_0-JavaScriptCore-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2WebExtension-4_0-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-2.71.2
      webkit2gtk3-debugsource-2.32.4-2.71.2

   - SUSE OpenStack Cloud Crowbar 8 (noarch):

      libwebkit2gtk3-lang-2.32.4-2.71.2

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      libjavascriptcoregtk-4_0-18-2.32.4-2.71.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-debuginfo-2.32.4-2.71.2
      typelib-1_0-JavaScriptCore-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2WebExtension-4_0-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-2.71.2
      webkit2gtk3-debugsource-2.32.4-2.71.2

   - SUSE OpenStack Cloud 9 (noarch):

      libwebkit2gtk3-lang-2.32.4-2.71.2

   - SUSE OpenStack Cloud 9 (x86_64):

      libjavascriptcoregtk-4_0-18-2.32.4-2.71.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-debuginfo-2.32.4-2.71.2
      typelib-1_0-JavaScriptCore-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2WebExtension-4_0-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-2.71.2
      webkit2gtk3-debugsource-2.32.4-2.71.2

   - SUSE OpenStack Cloud 8 (x86_64):

      libjavascriptcoregtk-4_0-18-2.32.4-2.71.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-debuginfo-2.32.4-2.71.2
      typelib-1_0-JavaScriptCore-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2WebExtension-4_0-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-2.71.2
      webkit2gtk3-debugsource-2.32.4-2.71.2

   - SUSE OpenStack Cloud 8 (noarch):

      libwebkit2gtk3-lang-2.32.4-2.71.2

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      typelib-1_0-WebKit2WebExtension-4_0-2.32.4-2.71.2
      webkit2gtk3-debugsource-2.32.4-2.71.2
      webkit2gtk3-devel-2.32.4-2.71.2

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      libjavascriptcoregtk-4_0-18-2.32.4-2.71.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-debuginfo-2.32.4-2.71.2
      typelib-1_0-JavaScriptCore-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2WebExtension-4_0-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-2.71.2
      webkit2gtk3-debugsource-2.32.4-2.71.2

   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):

      libwebkit2gtk3-lang-2.32.4-2.71.2

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      libjavascriptcoregtk-4_0-18-2.32.4-2.71.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-debuginfo-2.32.4-2.71.2
      typelib-1_0-JavaScriptCore-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2WebExtension-4_0-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-2.71.2
      webkit2gtk3-debugsource-2.32.4-2.71.2

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

      libwebkit2gtk3-lang-2.32.4-2.71.2

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libjavascriptcoregtk-4_0-18-2.32.4-2.71.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-debuginfo-2.32.4-2.71.2
      typelib-1_0-JavaScriptCore-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2WebExtension-4_0-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-2.71.2
      webkit2gtk3-debugsource-2.32.4-2.71.2

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      libwebkit2gtk3-lang-2.32.4-2.71.2

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      libjavascriptcoregtk-4_0-18-2.32.4-2.71.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-debuginfo-2.32.4-2.71.2
      typelib-1_0-JavaScriptCore-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2WebExtension-4_0-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-2.71.2
      webkit2gtk3-debugsource-2.32.4-2.71.2

   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):

      libwebkit2gtk3-lang-2.32.4-2.71.2

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      libjavascriptcoregtk-4_0-18-2.32.4-2.71.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-debuginfo-2.32.4-2.71.2
      typelib-1_0-JavaScriptCore-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2WebExtension-4_0-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-2.71.2
      webkit2gtk3-debugsource-2.32.4-2.71.2

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

      libwebkit2gtk3-lang-2.32.4-2.71.2

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      libjavascriptcoregtk-4_0-18-2.32.4-2.71.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-debuginfo-2.32.4-2.71.2
      typelib-1_0-JavaScriptCore-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2-4_0-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-2.71.2
      webkit2gtk3-debugsource-2.32.4-2.71.2

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      libwebkit2gtk3-lang-2.32.4-2.71.2

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      libjavascriptcoregtk-4_0-18-2.32.4-2.71.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-debuginfo-2.32.4-2.71.2
      typelib-1_0-JavaScriptCore-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2WebExtension-4_0-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-2.71.2
      webkit2gtk3-debugsource-2.32.4-2.71.2
      webkit2gtk3-devel-2.32.4-2.71.2

   - HPE Helion Openstack 8 (x86_64):

      libjavascriptcoregtk-4_0-18-2.32.4-2.71.2
      libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-2.32.4-2.71.2
      libwebkit2gtk-4_0-37-debuginfo-2.32.4-2.71.2
      typelib-1_0-JavaScriptCore-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2-4_0-2.32.4-2.71.2
      typelib-1_0-WebKit2WebExtension-4_0-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-2.32.4-2.71.2
      webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-2.71.2
      webkit2gtk3-debugsource-2.32.4-2.71.2

   - HPE Helion Openstack 8 (noarch):

      libwebkit2gtk3-lang-2.32.4-2.71.2

References:

   https://www.suse.com/security/cve/CVE-2021-21806.html
   https://www.suse.com/security/cve/CVE-2021-30858.html
   https://bugzilla.suse.com/1188697
   https://bugzilla.suse.com/1190701

From sle-security-updates at lists.suse.com Wed Oct 6 19:26:18 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Oct 2021 21:26:18 +0200 (CEST)
Subject: SUSE-SU-2021:3294-1: important: Security update for nodejs8
Message-ID: <20211006192618.E2FDEFCC9@maintenance.suse.de>

   SUSE Security Update: Security update for nodejs8
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3294-1
Rating:             important
References:         #1188917
Cross-References:   CVE-2021-22930
CVSS scores:
                    CVE-2021-22930 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:
                    SUSE Linux Enterprise Module for Web Scripting 15-SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   nodejs8 was updated to fix the following security issues:

   - CVE-2021-22930: http2: Fixed a use-after-free on close during stream
     cancellation (bsc#1188917)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Web Scripting 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP2-2021-3294=1

Package List:

   - SUSE Linux Enterprise Module for Web Scripting 15-SP2 (aarch64 ppc64le s390x x86_64):

      nodejs8-8.17.0-10.15.11
      nodejs8-debuginfo-8.17.0-10.15.11
      nodejs8-debugsource-8.17.0-10.15.11
      nodejs8-devel-8.17.0-10.15.11
      npm8-8.17.0-10.15.11

   - SUSE Linux Enterprise Module for Web Scripting 15-SP2 (noarch):

      nodejs8-docs-8.17.0-10.15.11

References:

   https://www.suse.com/security/cve/CVE-2021-22930.html
   https://bugzilla.suse.com/1188917

From sle-security-updates at lists.suse.com Wed Oct 6 19:31:34 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Oct 2021 21:31:34 +0200 (CEST)
Subject: SUSE-SU-2021:3295-1: important: Security update for grilo
Message-ID: <20211006193134.46D53FCC9@maintenance.suse.de>

   SUSE Security Update: Security update for grilo
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3295-1
Rating:             important
References:         #1189839
Cross-References:   CVE-2021-39365
CVSS scores:
                    CVE-2021-39365 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for grilo fixes the following issues:

   - CVE-2021-39365: Fixed missing TLS certificate verification (bsc#1189839).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-3295=1

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-3295=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-3295=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-3295=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-3295=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-3295=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-3295=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3295=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3295=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-3295=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
      inform you if it detects new updates and let you then trigger updating of
      the complete cluster in a controlled way.
Package List:

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

      grilo-debuginfo-0.3.4-3.3.1
      grilo-debugsource-0.3.4-3.3.1
      grilo-devel-0.3.4-3.3.1
      libgrilo-0_3-0-0.3.4-3.3.1
      libgrilo-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlnet-0_3-0-0.3.4-3.3.1
      libgrlnet-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlpls-0_3-0-0.3.4-3.3.1
      libgrlpls-0_3-0-debuginfo-0.3.4-3.3.1
      typelib-1_0-Grl-0_3-0.3.4-3.3.1
      typelib-1_0-GrlNet-0_3-0.3.4-3.3.1
      typelib-1_0-GrlPls-0_3-0.3.4-3.3.1

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      grilo-debuginfo-0.3.4-3.3.1
      grilo-debugsource-0.3.4-3.3.1
      grilo-devel-0.3.4-3.3.1
      libgrilo-0_3-0-0.3.4-3.3.1
      libgrilo-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlnet-0_3-0-0.3.4-3.3.1
      libgrlnet-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlpls-0_3-0-0.3.4-3.3.1
      libgrlpls-0_3-0-debuginfo-0.3.4-3.3.1
      typelib-1_0-Grl-0_3-0.3.4-3.3.1
      typelib-1_0-GrlNet-0_3-0.3.4-3.3.1
      typelib-1_0-GrlPls-0_3-0.3.4-3.3.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

      grilo-debuginfo-0.3.4-3.3.1
      grilo-debugsource-0.3.4-3.3.1
      grilo-devel-0.3.4-3.3.1
      libgrilo-0_3-0-0.3.4-3.3.1
      libgrilo-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlnet-0_3-0-0.3.4-3.3.1
      libgrlnet-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlpls-0_3-0-0.3.4-3.3.1
      libgrlpls-0_3-0-debuginfo-0.3.4-3.3.1
      typelib-1_0-Grl-0_3-0.3.4-3.3.1
      typelib-1_0-GrlNet-0_3-0.3.4-3.3.1
      typelib-1_0-GrlPls-0_3-0.3.4-3.3.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

      grilo-debuginfo-0.3.4-3.3.1
      grilo-debugsource-0.3.4-3.3.1
      grilo-devel-0.3.4-3.3.1
      libgrilo-0_3-0-0.3.4-3.3.1
      libgrilo-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlnet-0_3-0-0.3.4-3.3.1
      libgrlnet-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlpls-0_3-0-0.3.4-3.3.1
      libgrlpls-0_3-0-debuginfo-0.3.4-3.3.1
      typelib-1_0-Grl-0_3-0.3.4-3.3.1
      typelib-1_0-GrlNet-0_3-0.3.4-3.3.1
      typelib-1_0-GrlPls-0_3-0.3.4-3.3.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      grilo-debuginfo-0.3.4-3.3.1
      grilo-debugsource-0.3.4-3.3.1
      grilo-devel-0.3.4-3.3.1
      libgrilo-0_3-0-0.3.4-3.3.1
      libgrilo-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlnet-0_3-0-0.3.4-3.3.1
      libgrlnet-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlpls-0_3-0-0.3.4-3.3.1
      libgrlpls-0_3-0-debuginfo-0.3.4-3.3.1
      typelib-1_0-Grl-0_3-0.3.4-3.3.1
      typelib-1_0-GrlNet-0_3-0.3.4-3.3.1
      typelib-1_0-GrlPls-0_3-0.3.4-3.3.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):

      grilo-debuginfo-0.3.4-3.3.1
      grilo-debugsource-0.3.4-3.3.1
      grilo-devel-0.3.4-3.3.1
      libgrilo-0_3-0-0.3.4-3.3.1
      libgrilo-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlnet-0_3-0-0.3.4-3.3.1
      libgrlnet-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlpls-0_3-0-0.3.4-3.3.1
      libgrlpls-0_3-0-debuginfo-0.3.4-3.3.1
      typelib-1_0-Grl-0_3-0.3.4-3.3.1
      typelib-1_0-GrlNet-0_3-0.3.4-3.3.1
      typelib-1_0-GrlPls-0_3-0.3.4-3.3.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):

      grilo-debuginfo-0.3.4-3.3.1
      grilo-debugsource-0.3.4-3.3.1
      grilo-devel-0.3.4-3.3.1
      libgrilo-0_3-0-0.3.4-3.3.1
      libgrilo-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlnet-0_3-0-0.3.4-3.3.1
      libgrlnet-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlpls-0_3-0-0.3.4-3.3.1
      libgrlpls-0_3-0-debuginfo-0.3.4-3.3.1
      typelib-1_0-Grl-0_3-0.3.4-3.3.1
      typelib-1_0-GrlNet-0_3-0.3.4-3.3.1
      typelib-1_0-GrlPls-0_3-0.3.4-3.3.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      grilo-debuginfo-0.3.4-3.3.1
      grilo-debugsource-0.3.4-3.3.1
      grilo-devel-0.3.4-3.3.1
      libgrilo-0_3-0-0.3.4-3.3.1
      libgrilo-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlnet-0_3-0-0.3.4-3.3.1
      libgrlnet-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlpls-0_3-0-0.3.4-3.3.1
      libgrlpls-0_3-0-debuginfo-0.3.4-3.3.1
      typelib-1_0-Grl-0_3-0.3.4-3.3.1
      typelib-1_0-GrlNet-0_3-0.3.4-3.3.1
      typelib-1_0-GrlPls-0_3-0.3.4-3.3.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      grilo-debuginfo-0.3.4-3.3.1
      grilo-debugsource-0.3.4-3.3.1
      grilo-devel-0.3.4-3.3.1
      libgrilo-0_3-0-0.3.4-3.3.1
      libgrilo-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlnet-0_3-0-0.3.4-3.3.1
      libgrlnet-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlpls-0_3-0-0.3.4-3.3.1
      libgrlpls-0_3-0-debuginfo-0.3.4-3.3.1
      typelib-1_0-Grl-0_3-0.3.4-3.3.1
      typelib-1_0-GrlNet-0_3-0.3.4-3.3.1
      typelib-1_0-GrlPls-0_3-0.3.4-3.3.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      grilo-debuginfo-0.3.4-3.3.1
      grilo-debugsource-0.3.4-3.3.1
      grilo-devel-0.3.4-3.3.1
      libgrilo-0_3-0-0.3.4-3.3.1
      libgrilo-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlnet-0_3-0-0.3.4-3.3.1
      libgrlnet-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlpls-0_3-0-0.3.4-3.3.1
      libgrlpls-0_3-0-debuginfo-0.3.4-3.3.1
      typelib-1_0-Grl-0_3-0.3.4-3.3.1
      typelib-1_0-GrlNet-0_3-0.3.4-3.3.1
      typelib-1_0-GrlPls-0_3-0.3.4-3.3.1

   - SUSE CaaS Platform 4.0 (x86_64):

      grilo-debuginfo-0.3.4-3.3.1
      grilo-debugsource-0.3.4-3.3.1
      grilo-devel-0.3.4-3.3.1
      libgrilo-0_3-0-0.3.4-3.3.1
      libgrilo-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlnet-0_3-0-0.3.4-3.3.1
      libgrlnet-0_3-0-debuginfo-0.3.4-3.3.1
      libgrlpls-0_3-0-0.3.4-3.3.1
      libgrlpls-0_3-0-debuginfo-0.3.4-3.3.1
      typelib-1_0-Grl-0_3-0.3.4-3.3.1
      typelib-1_0-GrlNet-0_3-0.3.4-3.3.1
      typelib-1_0-GrlPls-0_3-0.3.4-3.3.1

References:

   https://www.suse.com/security/cve/CVE-2021-39365.html
   https://bugzilla.suse.com/1189839

From sle-security-updates at lists.suse.com Wed Oct 6 19:36:10 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Oct 2021 21:36:10 +0200 (CEST)
Subject: SUSE-SU-2021:3299-1: important: Security update for apache2
Message-ID: <20211006193610.3C5EBFCC9@maintenance.suse.de>

   SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3299-1
Rating:             important
References:         #1190666 #1190669 #1190703
Cross-References:   CVE-2021-34798 CVE-2021-39275 CVE-2021-40438
CVSS scores:
                    CVE-2021-34798 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-39275 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-40438 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for apache2 fixes the following issues:

   - CVE-2021-40438: Fixed an SSRF via a crafted request uri-path. (bsc#1190703)
   - CVE-2021-39275: Fixed an out-of-bounds write in ap_escape_quotes() via
     malicious input. (bsc#1190666)
   - CVE-2021-34798: Fixed a NULL pointer dereference via malformed requests.
     (bsc#1190669)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-3299=1

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-3299=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-3299=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-3299=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3299=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-3299=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-3299=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3299=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-3299=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-3299=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-3299=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-3299=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2021-3299=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      apache2-doc-2.4.23-29.80.1

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      apache2-2.4.23-29.80.1
      apache2-debuginfo-2.4.23-29.80.1
      apache2-debugsource-2.4.23-29.80.1
      apache2-example-pages-2.4.23-29.80.1
      apache2-prefork-2.4.23-29.80.1
      apache2-prefork-debuginfo-2.4.23-29.80.1
      apache2-utils-2.4.23-29.80.1
      apache2-utils-debuginfo-2.4.23-29.80.1
      apache2-worker-2.4.23-29.80.1
      apache2-worker-debuginfo-2.4.23-29.80.1

   - SUSE OpenStack Cloud Crowbar 8 (noarch):

      apache2-doc-2.4.23-29.80.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      apache2-2.4.23-29.80.1
      apache2-debuginfo-2.4.23-29.80.1
      apache2-debugsource-2.4.23-29.80.1
      apache2-example-pages-2.4.23-29.80.1
      apache2-prefork-2.4.23-29.80.1
      apache2-prefork-debuginfo-2.4.23-29.80.1
      apache2-utils-2.4.23-29.80.1
      apache2-utils-debuginfo-2.4.23-29.80.1
      apache2-worker-2.4.23-29.80.1
      apache2-worker-debuginfo-2.4.23-29.80.1

   - SUSE OpenStack Cloud 9 (x86_64):

      apache2-2.4.23-29.80.1
      apache2-debuginfo-2.4.23-29.80.1
      apache2-debugsource-2.4.23-29.80.1
      apache2-example-pages-2.4.23-29.80.1
      apache2-prefork-2.4.23-29.80.1
      apache2-prefork-debuginfo-2.4.23-29.80.1
      apache2-utils-2.4.23-29.80.1
      apache2-utils-debuginfo-2.4.23-29.80.1
      apache2-worker-2.4.23-29.80.1
      apache2-worker-debuginfo-2.4.23-29.80.1

   - SUSE OpenStack Cloud 9 (noarch):

      apache2-doc-2.4.23-29.80.1

   - SUSE OpenStack Cloud 8 (noarch):

      apache2-doc-2.4.23-29.80.1

   - SUSE OpenStack Cloud 8 (x86_64):

      apache2-2.4.23-29.80.1
      apache2-debuginfo-2.4.23-29.80.1
      apache2-debugsource-2.4.23-29.80.1
      apache2-example-pages-2.4.23-29.80.1
      apache2-prefork-2.4.23-29.80.1
      apache2-prefork-debuginfo-2.4.23-29.80.1
      apache2-utils-2.4.23-29.80.1
      apache2-utils-debuginfo-2.4.23-29.80.1
      apache2-worker-2.4.23-29.80.1
      apache2-worker-debuginfo-2.4.23-29.80.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      apache2-debuginfo-2.4.23-29.80.1
      apache2-debugsource-2.4.23-29.80.1
      apache2-devel-2.4.23-29.80.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      apache2-2.4.23-29.80.1
      apache2-debuginfo-2.4.23-29.80.1
      apache2-debugsource-2.4.23-29.80.1
      apache2-example-pages-2.4.23-29.80.1
      apache2-prefork-2.4.23-29.80.1
      apache2-prefork-debuginfo-2.4.23-29.80.1
      apache2-utils-2.4.23-29.80.1
      apache2-utils-debuginfo-2.4.23-29.80.1
      apache2-worker-2.4.23-29.80.1
      apache2-worker-debuginfo-2.4.23-29.80.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):

      apache2-doc-2.4.23-29.80.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      apache2-2.4.23-29.80.1
      apache2-debuginfo-2.4.23-29.80.1
      apache2-debugsource-2.4.23-29.80.1
      apache2-example-pages-2.4.23-29.80.1
      apache2-prefork-2.4.23-29.80.1
      apache2-prefork-debuginfo-2.4.23-29.80.1
      apache2-utils-2.4.23-29.80.1
      apache2-utils-debuginfo-2.4.23-29.80.1
      apache2-worker-2.4.23-29.80.1
      apache2-worker-debuginfo-2.4.23-29.80.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

      apache2-doc-2.4.23-29.80.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      apache2-2.4.23-29.80.1
      apache2-debuginfo-2.4.23-29.80.1
      apache2-debugsource-2.4.23-29.80.1
      apache2-example-pages-2.4.23-29.80.1
      apache2-prefork-2.4.23-29.80.1
      apache2-prefork-debuginfo-2.4.23-29.80.1
      apache2-utils-2.4.23-29.80.1
      apache2-utils-debuginfo-2.4.23-29.80.1
      apache2-worker-2.4.23-29.80.1
      apache2-worker-debuginfo-2.4.23-29.80.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      apache2-doc-2.4.23-29.80.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      apache2-2.4.23-29.80.1
      apache2-debuginfo-2.4.23-29.80.1
      apache2-debugsource-2.4.23-29.80.1
      apache2-example-pages-2.4.23-29.80.1
      apache2-prefork-2.4.23-29.80.1
      apache2-prefork-debuginfo-2.4.23-29.80.1
      apache2-utils-2.4.23-29.80.1
      apache2-utils-debuginfo-2.4.23-29.80.1
      apache2-worker-2.4.23-29.80.1
      apache2-worker-debuginfo-2.4.23-29.80.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):

      apache2-doc-2.4.23-29.80.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      apache2-2.4.23-29.80.1
      apache2-debuginfo-2.4.23-29.80.1
      apache2-debugsource-2.4.23-29.80.1
      apache2-example-pages-2.4.23-29.80.1
      apache2-prefork-2.4.23-29.80.1
      apache2-prefork-debuginfo-2.4.23-29.80.1
      apache2-utils-2.4.23-29.80.1
      apache2-utils-debuginfo-2.4.23-29.80.1
      apache2-worker-2.4.23-29.80.1
      apache2-worker-debuginfo-2.4.23-29.80.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

      apache2-doc-2.4.23-29.80.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      apache2-2.4.23-29.80.1
      apache2-debuginfo-2.4.23-29.80.1
      apache2-debugsource-2.4.23-29.80.1
      apache2-example-pages-2.4.23-29.80.1
      apache2-prefork-2.4.23-29.80.1
      apache2-prefork-debuginfo-2.4.23-29.80.1
      apache2-utils-2.4.23-29.80.1
      apache2-utils-debuginfo-2.4.23-29.80.1
      apache2-worker-2.4.23-29.80.1
      apache2-worker-debuginfo-2.4.23-29.80.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):

      apache2-doc-2.4.23-29.80.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      apache2-2.4.23-29.80.1
      apache2-debuginfo-2.4.23-29.80.1
      apache2-debugsource-2.4.23-29.80.1
      apache2-example-pages-2.4.23-29.80.1
      apache2-prefork-2.4.23-29.80.1
      apache2-prefork-debuginfo-2.4.23-29.80.1
      apache2-utils-2.4.23-29.80.1
      apache2-utils-debuginfo-2.4.23-29.80.1
      apache2-worker-2.4.23-29.80.1
      apache2-worker-debuginfo-2.4.23-29.80.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      apache2-doc-2.4.23-29.80.1

   - HPE Helion Openstack 8 (noarch):

      apache2-doc-2.4.23-29.80.1

   - HPE Helion Openstack 8 (x86_64):

      apache2-2.4.23-29.80.1
      apache2-debuginfo-2.4.23-29.80.1
      apache2-debugsource-2.4.23-29.80.1
      apache2-example-pages-2.4.23-29.80.1
      apache2-prefork-2.4.23-29.80.1
      apache2-prefork-debuginfo-2.4.23-29.80.1
      apache2-utils-2.4.23-29.80.1
      apache2-utils-debuginfo-2.4.23-29.80.1
      apache2-worker-2.4.23-29.80.1
      apache2-worker-debuginfo-2.4.23-29.80.1

References:

   https://www.suse.com/security/cve/CVE-2021-34798.html
   https://www.suse.com/security/cve/CVE-2021-39275.html
   https://www.suse.com/security/cve/CVE-2021-40438.html
   https://bugzilla.suse.com/1190666
   https://bugzilla.suse.com/1190669
   https://bugzilla.suse.com/1190703

From sle-security-updates at lists.suse.com Wed Oct 6 19:47:25 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Oct 2021 21:47:25 +0200 (CEST)
Subject: SUSE-SU-2021:3298-1: moderate: Security update for curl
Message-ID: <20211006194725.93087FCC9@maintenance.suse.de>

   SUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3298-1
Rating:             moderate
References:         #1190373 #1190374
Cross-References:   CVE-2021-22946 CVE-2021-22947
CVSS scores:
                    CVE-2021-22946 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-22947 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:
                    SUSE MicroOS 5.1
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for curl fixes the following issues:

   - CVE-2021-22947: Fixed a STARTTLS protocol injection via MITM (bsc#1190374).
   - CVE-2021-22946: Fixed a protocol downgrade in which required TLS was
     bypassed (bsc#1190373).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.1:

      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3298=1

   - SUSE MicroOS 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3298=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3298=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3298=1

Package List:

   - SUSE MicroOS 5.1 (aarch64 s390x x86_64):

      curl-7.66.0-4.27.1
      curl-debuginfo-7.66.0-4.27.1
      curl-debugsource-7.66.0-4.27.1
      libcurl4-7.66.0-4.27.1
      libcurl4-debuginfo-7.66.0-4.27.1

   - SUSE MicroOS 5.0 (aarch64 x86_64):

      curl-7.66.0-4.27.1
      curl-debuginfo-7.66.0-4.27.1
      curl-debugsource-7.66.0-4.27.1
      libcurl4-7.66.0-4.27.1
      libcurl4-debuginfo-7.66.0-4.27.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      curl-7.66.0-4.27.1
      curl-debuginfo-7.66.0-4.27.1
      curl-debugsource-7.66.0-4.27.1
      libcurl-devel-7.66.0-4.27.1
      libcurl4-7.66.0-4.27.1
      libcurl4-debuginfo-7.66.0-4.27.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):

      libcurl4-32bit-7.66.0-4.27.1
      libcurl4-32bit-debuginfo-7.66.0-4.27.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      curl-7.66.0-4.27.1
      curl-debuginfo-7.66.0-4.27.1
      curl-debugsource-7.66.0-4.27.1
      libcurl-devel-7.66.0-4.27.1
      libcurl4-7.66.0-4.27.1
      libcurl4-debuginfo-7.66.0-4.27.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):

      libcurl4-32bit-7.66.0-4.27.1
      libcurl4-32bit-debuginfo-7.66.0-4.27.1

References:

   https://www.suse.com/security/cve/CVE-2021-22946.html
   https://www.suse.com/security/cve/CVE-2021-22947.html
   https://bugzilla.suse.com/1190373
   https://bugzilla.suse.com/1190374

From sle-security-updates at lists.suse.com Wed Oct 6 19:48:46 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Oct 2021 21:48:46 +0200 (CEST)
Subject: SUSE-SU-2021:3291-1: moderate: Security update for glibc
Message-ID: <20211006194846.2EF68FCC9@maintenance.suse.de>

   SUSE Security Update: Security update for glibc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3291-1
Rating:             moderate
References:         #1186489 #1187911
Cross-References:   CVE-2021-33574 CVE-2021-35942
CVSS scores:
                    CVE-2021-33574 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-33574 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-35942 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
                    SUSE MicroOS 5.1
                    SUSE Linux Enterprise Module for Development Tools 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for glibc fixes the following issues:

   - CVE-2021-33574: Fixed mq_notify to use __pthread_attr_copy (bsc#1186489).
   - CVE-2021-35942: Fixed an overflow in wordexp when handling a positional
     parameter number (bsc#1187911).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.1:

      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3291=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-3291=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3291=1

Package List:

   - SUSE MicroOS 5.1 (aarch64 s390x x86_64):

      glibc-2.31-9.3.2
      glibc-debuginfo-2.31-9.3.2
      glibc-debugsource-2.31-9.3.2
      glibc-locale-2.31-9.3.2
      glibc-locale-base-2.31-9.3.2
      glibc-locale-base-debuginfo-2.31-9.3.2

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64):

      glibc-debuginfo-2.31-9.3.2
      glibc-debugsource-2.31-9.3.2
      glibc-devel-static-2.31-9.3.2
      glibc-utils-2.31-9.3.2
      glibc-utils-debuginfo-2.31-9.3.2
      glibc-utils-src-debugsource-2.31-9.3.2

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (x86_64):

      glibc-32bit-debuginfo-2.31-9.3.2
      glibc-devel-32bit-2.31-9.3.2
      glibc-devel-32bit-debuginfo-2.31-9.3.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      glibc-2.31-9.3.2
      glibc-debuginfo-2.31-9.3.2
      glibc-debugsource-2.31-9.3.2
      glibc-devel-2.31-9.3.2
      glibc-devel-debuginfo-2.31-9.3.2
      glibc-extra-2.31-9.3.2
      glibc-extra-debuginfo-2.31-9.3.2
      glibc-locale-2.31-9.3.2
      glibc-locale-base-2.31-9.3.2
      glibc-locale-base-debuginfo-2.31-9.3.2
      glibc-profile-2.31-9.3.2
      nscd-2.31-9.3.2
      nscd-debuginfo-2.31-9.3.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):

      glibc-32bit-2.31-9.3.2
      glibc-32bit-debuginfo-2.31-9.3.2
      glibc-locale-base-32bit-2.31-9.3.2
      glibc-locale-base-32bit-debuginfo-2.31-9.3.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):

      glibc-i18ndata-2.31-9.3.2
      glibc-info-2.31-9.3.2
      glibc-lang-2.31-9.3.2

References:

   https://www.suse.com/security/cve/CVE-2021-33574.html
   https://www.suse.com/security/cve/CVE-2021-35942.html
   https://bugzilla.suse.com/1186489
https://bugzilla.suse.com/1187911

From sle-security-updates at lists.suse.com Wed Oct 6 19:51:35 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Oct 2021 21:51:35 +0200 (CEST)
Subject: SUSE-SU-2021:3293-1: moderate: Security update for ffmpeg
Message-ID: <20211006195135.A0D7BFCC9@maintenance.suse.de>

SUSE Security Update: Security update for ffmpeg
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3293-1
Rating:             moderate
References:         #1186761
Cross-References:   CVE-2020-22042
CVSS scores:
    CVE-2020-22042 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
    CVE-2020-22042 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected Products:
    SUSE Linux Enterprise Workstation Extension 15-SP3
    SUSE Linux Enterprise Workstation Extension 15-SP2
    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2
    SUSE Linux Enterprise Module for Desktop Applications 15-SP3
    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for ffmpeg fixes the following issues:

- CVE-2020-22042: Fixed a denial of service vulnerability caused by a memory leak in the link_filter_inouts function in libavfilter/graphparser.c (bsc#1186761).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 15-SP3:

zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-3293=1

- SUSE Linux Enterprise Workstation Extension 15-SP2:

zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-3293=1

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:

zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-3293=1

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2:

zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-3293=1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP3:

zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-3293=1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:

zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-3293=1

Package List:

- SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):

ffmpeg-debuginfo-3.4.2-11.14.1
ffmpeg-debugsource-3.4.2-11.14.1
libavcodec-devel-3.4.2-11.14.1
libavformat-devel-3.4.2-11.14.1
libavresample-devel-3.4.2-11.14.1
libavresample3-3.4.2-11.14.1
libavresample3-debuginfo-3.4.2-11.14.1

- SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):

ffmpeg-debuginfo-3.4.2-11.14.1
ffmpeg-debugsource-3.4.2-11.14.1
libavcodec-devel-3.4.2-11.14.1
libavformat-devel-3.4.2-11.14.1
libavresample-devel-3.4.2-11.14.1
libavresample3-3.4.2-11.14.1
libavresample3-debuginfo-3.4.2-11.14.1

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x x86_64):

ffmpeg-3.4.2-11.14.1
ffmpeg-debuginfo-3.4.2-11.14.1
ffmpeg-debugsource-3.4.2-11.14.1
libavdevice57-3.4.2-11.14.1
libavdevice57-debuginfo-3.4.2-11.14.1
libavfilter6-3.4.2-11.14.1
libavfilter6-debuginfo-3.4.2-11.14.1

- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (aarch64 ppc64le s390x x86_64):

ffmpeg-3.4.2-11.14.1
ffmpeg-debuginfo-3.4.2-11.14.1
ffmpeg-debugsource-3.4.2-11.14.1
libavdevice57-3.4.2-11.14.1
libavdevice57-debuginfo-3.4.2-11.14.1
libavfilter6-3.4.2-11.14.1
libavfilter6-debuginfo-3.4.2-11.14.1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):

ffmpeg-debuginfo-3.4.2-11.14.1
ffmpeg-debugsource-3.4.2-11.14.1
libavcodec57-3.4.2-11.14.1
libavcodec57-debuginfo-3.4.2-11.14.1
libavformat57-3.4.2-11.14.1
libavformat57-debuginfo-3.4.2-11.14.1
libavresample-devel-3.4.2-11.14.1
libavresample3-3.4.2-11.14.1
libavresample3-debuginfo-3.4.2-11.14.1
libavutil-devel-3.4.2-11.14.1
libavutil55-3.4.2-11.14.1
libavutil55-debuginfo-3.4.2-11.14.1
libpostproc-devel-3.4.2-11.14.1
libpostproc54-3.4.2-11.14.1
libpostproc54-debuginfo-3.4.2-11.14.1
libswresample-devel-3.4.2-11.14.1
libswresample2-3.4.2-11.14.1
libswresample2-debuginfo-3.4.2-11.14.1
libswscale-devel-3.4.2-11.14.1
libswscale4-3.4.2-11.14.1
libswscale4-debuginfo-3.4.2-11.14.1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64_ilp32):

libavresample3-64bit-3.4.2-11.14.1
libavresample3-64bit-debuginfo-3.4.2-11.14.1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 i586 ppc64le s390x x86_64):

libavresample-devel-3.4.2-11.14.1
libavresample3-3.4.2-11.14.1
libavresample3-debuginfo-3.4.2-11.14.1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

ffmpeg-debuginfo-3.4.2-11.14.1
ffmpeg-debugsource-3.4.2-11.14.1
libavcodec57-3.4.2-11.14.1
libavcodec57-debuginfo-3.4.2-11.14.1
libavformat57-3.4.2-11.14.1
libavformat57-debuginfo-3.4.2-11.14.1
libavutil-devel-3.4.2-11.14.1
libavutil55-3.4.2-11.14.1
libavutil55-debuginfo-3.4.2-11.14.1
libpostproc-devel-3.4.2-11.14.1
libpostproc54-3.4.2-11.14.1
libpostproc54-debuginfo-3.4.2-11.14.1
libswresample-devel-3.4.2-11.14.1
libswresample2-3.4.2-11.14.1
libswresample2-debuginfo-3.4.2-11.14.1
libswscale-devel-3.4.2-11.14.1
libswscale4-3.4.2-11.14.1
libswscale4-debuginfo-3.4.2-11.14.1

- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (x86_64):
libavresample3-32bit-3.4.2-11.14.1
libavresample3-32bit-debuginfo-3.4.2-11.14.1

References:

https://www.suse.com/security/cve/CVE-2020-22042.html
https://bugzilla.suse.com/1186761

From sle-security-updates at lists.suse.com Wed Oct 6 19:54:07 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Oct 2021 21:54:07 +0200 (CEST)
Subject: SUSE-SU-2021:14823-1: important: Security update for transfig
Message-ID: <20211006195407.1B937FCC9@maintenance.suse.de>

SUSE Security Update: Security update for transfig
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14823-1
Rating:             important
References:         #1136882 #1143650 #1159130 #1159293 #1161698 #1186329 #1189325 #1189343 #1189345 #1189346
Cross-References:   CVE-2019-14275 CVE-2019-19555 CVE-2019-19746 CVE-2019-19797 CVE-2020-21680 CVE-2020-21681 CVE-2020-21682 CVE-2020-21683 CVE-2021-3561
CVSS scores:
    CVE-2019-14275 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
    CVE-2019-14275 (SUSE): 4.4 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
    CVE-2019-19555 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
    CVE-2019-19555 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
    CVE-2019-19746 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
    CVE-2019-19746 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
    CVE-2019-19797 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
    CVE-2019-19797 (SUSE): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
    CVE-2020-21680 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2020-21681 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2020-21682 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2020-21683 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-3561 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
    CVE-2021-3561 (SUSE): 5.3 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L

Affected Products:
    SUSE Linux Enterprise Server 11-SP4-LTSS
    SUSE Linux Enterprise Point of Sale 11-SP3
    SUSE Linux Enterprise Debuginfo 11-SP4
    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that solves 9 vulnerabilities and has one errata is now available.

Description:

This update for transfig fixes the following issues:

- CVE-2021-3561: Fixed global buffer overflow in fig2dev/read.c in function read_colordef() (bsc#1186329).
- CVE-2019-19797: Fixed out-of-bounds write in read_colordef in read.c (bsc#1159293).
- CVE-2019-19746: Fixed segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type (bsc#1159130).
- CVE-2019-19555: Fixed stack-based buffer overflow because of an incorrect sscanf (bsc#1161698).
- CVE-2019-14275: Fixed stack-based buffer overflow in the calc_arrow function in bound.c (bsc#1143650).
- CVE-2020-21680: Fixed a stack-based buffer overflow in the put_arrow() component in genpict2e.c (bsc#1189343).
- CVE-2020-21681: Fixed a global buffer overflow in the set_color component in genge.c (bsc#1189345).
- CVE-2020-21682: Fixed a global buffer overflow in the set_fill component in genge.c (bsc#1189346).
- CVE-2020-21683: Fixed a global buffer overflow in the shade_or_tint_name_after_declare_color in genpstricks.c (bsc#1189325).
- Do hardening via compile and linker flags
- Fixed last added upstream commit (boo#1136882)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:

zypper in -t patch slessp4-transfig-14823=1

- SUSE Linux Enterprise Point of Sale 11-SP3:

zypper in -t patch sleposp3-transfig-14823=1

- SUSE Linux Enterprise Debuginfo 11-SP4:

zypper in -t patch dbgsp4-transfig-14823=1

- SUSE Linux Enterprise Debuginfo 11-SP3:

zypper in -t patch dbgsp3-transfig-14823=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):

transfig-3.2.8a-1.160.13.1

- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

transfig-3.2.8a-1.160.13.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):

transfig-debuginfo-3.2.8a-1.160.13.1
transfig-debugsource-3.2.8a-1.160.13.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

transfig-debuginfo-3.2.8a-1.160.13.1
transfig-debugsource-3.2.8a-1.160.13.1

References:

https://www.suse.com/security/cve/CVE-2019-14275.html
https://www.suse.com/security/cve/CVE-2019-19555.html
https://www.suse.com/security/cve/CVE-2019-19746.html
https://www.suse.com/security/cve/CVE-2019-19797.html
https://www.suse.com/security/cve/CVE-2020-21680.html
https://www.suse.com/security/cve/CVE-2020-21681.html
https://www.suse.com/security/cve/CVE-2020-21682.html
https://www.suse.com/security/cve/CVE-2020-21683.html
https://www.suse.com/security/cve/CVE-2021-3561.html
https://bugzilla.suse.com/1136882
https://bugzilla.suse.com/1143650
https://bugzilla.suse.com/1159130
https://bugzilla.suse.com/1159293
https://bugzilla.suse.com/1161698
https://bugzilla.suse.com/1186329
https://bugzilla.suse.com/1189325
https://bugzilla.suse.com/1189343
https://bugzilla.suse.com/1189345
https://bugzilla.suse.com/1189346

From sle-security-updates at lists.suse.com Wed Oct 6 19:56:28 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Oct 2021 21:56:28 +0200 (CEST)
Subject: SUSE-SU-2021:3297-1: moderate: Security update for curl
Message-ID: <20211006195628.632EEFCC9@maintenance.suse.de>

SUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3297-1
Rating:             moderate
References:         #1190373 #1190374
Cross-References:   CVE-2021-22946 CVE-2021-22947
CVSS scores:
    CVE-2021-22946 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    CVE-2021-22947 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Server 15-SP1-LTSS
    SUSE Linux Enterprise Server 15-SP1-BCL
    SUSE Linux Enterprise Server 15-LTSS
    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
    SUSE Linux Enterprise High Performance Computing 15-LTSS
    SUSE Linux Enterprise High Performance Computing 15-ESPOS
    SUSE Enterprise Storage 6
    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for curl fixes the following issues:

- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed a protocol downgrade that bypassed required TLS (bsc#1190373).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15-SP1:

zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-3297=1

- SUSE Linux Enterprise Server for SAP 15:

zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-3297=1

- SUSE Linux Enterprise Server 15-SP1-LTSS:

zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-3297=1

- SUSE Linux Enterprise Server 15-SP1-BCL:

zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-3297=1

- SUSE Linux Enterprise Server 15-LTSS:

zypper in -t patch SUSE-SLE-Product-SLES-15-2021-3297=1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-3297=1

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-3297=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3297=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:

zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3297=1

- SUSE Enterprise Storage 6:

zypper in -t patch SUSE-Storage-6-2021-3297=1

- SUSE CaaS Platform 4.0:

To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
Package List:

- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

curl-7.60.0-25.1
curl-debuginfo-7.60.0-25.1
curl-debugsource-7.60.0-25.1
libcurl-devel-7.60.0-25.1
libcurl4-7.60.0-25.1
libcurl4-debuginfo-7.60.0-25.1

- SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):

libcurl4-32bit-7.60.0-25.1
libcurl4-32bit-debuginfo-7.60.0-25.1

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

curl-7.60.0-25.1
curl-debuginfo-7.60.0-25.1
curl-debugsource-7.60.0-25.1
libcurl-devel-7.60.0-25.1
libcurl4-7.60.0-25.1
libcurl4-debuginfo-7.60.0-25.1

- SUSE Linux Enterprise Server for SAP 15 (x86_64):

libcurl4-32bit-7.60.0-25.1
libcurl4-32bit-debuginfo-7.60.0-25.1

- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

curl-7.60.0-25.1
curl-debuginfo-7.60.0-25.1
curl-debugsource-7.60.0-25.1
libcurl-devel-7.60.0-25.1
libcurl4-7.60.0-25.1
libcurl4-debuginfo-7.60.0-25.1

- SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):

libcurl4-32bit-7.60.0-25.1
libcurl4-32bit-debuginfo-7.60.0-25.1

- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

curl-7.60.0-25.1
curl-debuginfo-7.60.0-25.1
curl-debugsource-7.60.0-25.1
libcurl-devel-7.60.0-25.1
libcurl4-32bit-7.60.0-25.1
libcurl4-32bit-debuginfo-7.60.0-25.1
libcurl4-7.60.0-25.1
libcurl4-debuginfo-7.60.0-25.1

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

curl-7.60.0-25.1
curl-debuginfo-7.60.0-25.1
curl-debugsource-7.60.0-25.1
libcurl-devel-7.60.0-25.1
libcurl4-7.60.0-25.1
libcurl4-debuginfo-7.60.0-25.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):

curl-7.60.0-25.1
curl-debuginfo-7.60.0-25.1
curl-debugsource-7.60.0-25.1
libcurl-devel-7.60.0-25.1
libcurl4-7.60.0-25.1
libcurl4-debuginfo-7.60.0-25.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):

libcurl4-32bit-7.60.0-25.1
libcurl4-32bit-debuginfo-7.60.0-25.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):

curl-7.60.0-25.1
curl-debuginfo-7.60.0-25.1
curl-debugsource-7.60.0-25.1
libcurl-devel-7.60.0-25.1
libcurl4-7.60.0-25.1
libcurl4-debuginfo-7.60.0-25.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):

libcurl4-32bit-7.60.0-25.1
libcurl4-32bit-debuginfo-7.60.0-25.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

curl-7.60.0-25.1
curl-debuginfo-7.60.0-25.1
curl-debugsource-7.60.0-25.1
libcurl-devel-7.60.0-25.1
libcurl4-7.60.0-25.1
libcurl4-debuginfo-7.60.0-25.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

libcurl4-32bit-7.60.0-25.1
libcurl4-32bit-debuginfo-7.60.0-25.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

curl-7.60.0-25.1
curl-debuginfo-7.60.0-25.1
curl-debugsource-7.60.0-25.1
libcurl-devel-7.60.0-25.1
libcurl4-7.60.0-25.1
libcurl4-debuginfo-7.60.0-25.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

libcurl4-32bit-7.60.0-25.1
libcurl4-32bit-debuginfo-7.60.0-25.1

- SUSE Enterprise Storage 6 (aarch64 x86_64):

curl-7.60.0-25.1
curl-debuginfo-7.60.0-25.1
curl-debugsource-7.60.0-25.1
libcurl-devel-7.60.0-25.1
libcurl4-7.60.0-25.1
libcurl4-debuginfo-7.60.0-25.1

- SUSE Enterprise Storage 6 (x86_64):

libcurl4-32bit-7.60.0-25.1
libcurl4-32bit-debuginfo-7.60.0-25.1

- SUSE CaaS Platform 4.0 (x86_64):

curl-7.60.0-25.1
curl-debuginfo-7.60.0-25.1
curl-debugsource-7.60.0-25.1
libcurl-devel-7.60.0-25.1
libcurl4-32bit-7.60.0-25.1
libcurl4-32bit-debuginfo-7.60.0-25.1
libcurl4-7.60.0-25.1
libcurl4-debuginfo-7.60.0-25.1

References:

https://www.suse.com/security/cve/CVE-2021-22946.html
https://www.suse.com/security/cve/CVE-2021-22947.html
https://bugzilla.suse.com/1190373
https://bugzilla.suse.com/1190374

From sle-security-updates at lists.suse.com Wed Oct 6 19:58:56 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Oct 2021 21:58:56 +0200 (CEST)
Subject: SUSE-SU-2021:3290-1: moderate: Security update for glibc
Message-ID: <20211006195856.40BFFFCC9@maintenance.suse.de>

SUSE Security Update: Security update for glibc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3290-1
Rating:             moderate
References:         #1186489
Cross-References:   CVE-2021-33574
CVSS scores:
    CVE-2021-33574 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE-2021-33574 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
    SUSE OpenStack Cloud Crowbar 9
    SUSE OpenStack Cloud 9
    SUSE Linux Enterprise Software Development Kit 12-SP5
    SUSE Linux Enterprise Server for SAP 12-SP4
    SUSE Linux Enterprise Server 12-SP5
    SUSE Linux Enterprise Server 12-SP4-LTSS
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for glibc fixes the following issues:

- CVE-2021-33574: Fixed a use-after-free possibility in mq_notify() (bsc#1186489)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:

zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-3290=1

- SUSE OpenStack Cloud 9:

zypper in -t patch SUSE-OpenStack-Cloud-9-2021-3290=1

- SUSE Linux Enterprise Software Development Kit 12-SP5:

zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3290=1

- SUSE Linux Enterprise Server for SAP 12-SP4:

zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-3290=1

- SUSE Linux Enterprise Server 12-SP5:

zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3290=1

- SUSE Linux Enterprise Server 12-SP4-LTSS:

zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-3290=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):

glibc-2.22-114.15.1
glibc-32bit-2.22-114.15.1
glibc-debuginfo-2.22-114.15.1
glibc-debuginfo-32bit-2.22-114.15.1
glibc-debugsource-2.22-114.15.1
glibc-devel-2.22-114.15.1
glibc-devel-32bit-2.22-114.15.1
glibc-devel-debuginfo-2.22-114.15.1
glibc-devel-debuginfo-32bit-2.22-114.15.1
glibc-locale-2.22-114.15.1
glibc-locale-32bit-2.22-114.15.1
glibc-locale-debuginfo-2.22-114.15.1
glibc-locale-debuginfo-32bit-2.22-114.15.1
glibc-profile-2.22-114.15.1
glibc-profile-32bit-2.22-114.15.1
nscd-2.22-114.15.1
nscd-debuginfo-2.22-114.15.1

- SUSE OpenStack Cloud Crowbar 9 (noarch):

glibc-html-2.22-114.15.1
glibc-i18ndata-2.22-114.15.1
glibc-info-2.22-114.15.1

- SUSE OpenStack Cloud 9 (x86_64):

glibc-2.22-114.15.1
glibc-32bit-2.22-114.15.1
glibc-debuginfo-2.22-114.15.1
glibc-debuginfo-32bit-2.22-114.15.1
glibc-debugsource-2.22-114.15.1
glibc-devel-2.22-114.15.1
glibc-devel-32bit-2.22-114.15.1
glibc-devel-debuginfo-2.22-114.15.1
glibc-devel-debuginfo-32bit-2.22-114.15.1
glibc-locale-2.22-114.15.1
glibc-locale-32bit-2.22-114.15.1
glibc-locale-debuginfo-2.22-114.15.1
glibc-locale-debuginfo-32bit-2.22-114.15.1
glibc-profile-2.22-114.15.1
glibc-profile-32bit-2.22-114.15.1
nscd-2.22-114.15.1
nscd-debuginfo-2.22-114.15.1

- SUSE OpenStack Cloud 9 (noarch):

glibc-html-2.22-114.15.1
glibc-i18ndata-2.22-114.15.1
glibc-info-2.22-114.15.1

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

glibc-debuginfo-2.22-114.15.1
glibc-debugsource-2.22-114.15.1
glibc-devel-static-2.22-114.15.1

- SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):

glibc-info-2.22-114.15.1

- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

glibc-2.22-114.15.1
glibc-debuginfo-2.22-114.15.1
glibc-debugsource-2.22-114.15.1
glibc-devel-2.22-114.15.1
glibc-devel-debuginfo-2.22-114.15.1
glibc-locale-2.22-114.15.1
glibc-locale-debuginfo-2.22-114.15.1
glibc-profile-2.22-114.15.1
nscd-2.22-114.15.1
nscd-debuginfo-2.22-114.15.1

- SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

glibc-32bit-2.22-114.15.1
glibc-debuginfo-32bit-2.22-114.15.1
glibc-devel-32bit-2.22-114.15.1
glibc-devel-debuginfo-32bit-2.22-114.15.1
glibc-locale-32bit-2.22-114.15.1
glibc-locale-debuginfo-32bit-2.22-114.15.1
glibc-profile-32bit-2.22-114.15.1

- SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):

glibc-html-2.22-114.15.1
glibc-i18ndata-2.22-114.15.1
glibc-info-2.22-114.15.1

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

glibc-2.22-114.15.1
glibc-debuginfo-2.22-114.15.1
glibc-debugsource-2.22-114.15.1
glibc-devel-2.22-114.15.1
glibc-devel-debuginfo-2.22-114.15.1
glibc-locale-2.22-114.15.1
glibc-locale-debuginfo-2.22-114.15.1
glibc-profile-2.22-114.15.1
nscd-2.22-114.15.1
nscd-debuginfo-2.22-114.15.1

- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

glibc-32bit-2.22-114.15.1
glibc-debuginfo-32bit-2.22-114.15.1
glibc-devel-32bit-2.22-114.15.1
glibc-devel-debuginfo-32bit-2.22-114.15.1
glibc-locale-32bit-2.22-114.15.1
glibc-locale-debuginfo-32bit-2.22-114.15.1
glibc-profile-32bit-2.22-114.15.1

- SUSE Linux Enterprise Server 12-SP5 (noarch):

glibc-html-2.22-114.15.1
glibc-i18ndata-2.22-114.15.1
glibc-info-2.22-114.15.1

- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

glibc-2.22-114.15.1
glibc-debuginfo-2.22-114.15.1
glibc-debugsource-2.22-114.15.1
glibc-devel-2.22-114.15.1
glibc-devel-debuginfo-2.22-114.15.1
glibc-locale-2.22-114.15.1
glibc-locale-debuginfo-2.22-114.15.1
glibc-profile-2.22-114.15.1
nscd-2.22-114.15.1
nscd-debuginfo-2.22-114.15.1

- SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):

glibc-32bit-2.22-114.15.1
glibc-debuginfo-32bit-2.22-114.15.1
glibc-devel-32bit-2.22-114.15.1
glibc-devel-debuginfo-32bit-2.22-114.15.1
glibc-locale-32bit-2.22-114.15.1
glibc-locale-debuginfo-32bit-2.22-114.15.1
glibc-profile-32bit-2.22-114.15.1

- SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):

glibc-html-2.22-114.15.1
glibc-i18ndata-2.22-114.15.1
glibc-info-2.22-114.15.1

References:

https://www.suse.com/security/cve/CVE-2021-33574.html
https://bugzilla.suse.com/1186489

From sle-security-updates at lists.suse.com Wed Oct 6 20:06:32 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Oct 2021 22:06:32 +0200 (CEST)
Subject: SUSE-SU-2021:3300-1: Security update for git
Message-ID: <20211006200632.EA4ADFCC9@maintenance.suse.de>

SUSE Security Update: Security update for git
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3300-1
Rating:             low
References:         #1189992
Cross-References:   CVE-2021-40330
CVSS scores:
    CVE-2021-40330 (SUSE): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products:
    SUSE Linux Enterprise Module for Development Tools 15-SP2
    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for git fixes the following issues:

- CVE-2021-40330: Fixed unexpected cross-protocol requests via newline character in git_connect_git repository path (bsc#1189992).
Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Development Tools 15-SP2:

zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-3300=1

- SUSE Linux Enterprise Module for Basesystem 15-SP2:

zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3300=1

Package List:

- SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):

git-2.26.2-33.1
git-arch-2.26.2-33.1
git-cvs-2.26.2-33.1
git-daemon-2.26.2-33.1
git-daemon-debuginfo-2.26.2-33.1
git-debuginfo-2.26.2-33.1
git-debugsource-2.26.2-33.1
git-email-2.26.2-33.1
git-gui-2.26.2-33.1
git-svn-2.26.2-33.1
git-svn-debuginfo-2.26.2-33.1
git-web-2.26.2-33.1
gitk-2.26.2-33.1

- SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch):

git-doc-2.26.2-33.1

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

git-core-2.26.2-33.1
git-core-debuginfo-2.26.2-33.1
git-debuginfo-2.26.2-33.1
git-debugsource-2.26.2-33.1

References:

https://www.suse.com/security/cve/CVE-2021-40330.html
https://bugzilla.suse.com/1189992

From sle-security-updates at lists.suse.com Wed Oct 6 20:07:45 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Oct 2021 22:07:45 +0200 (CEST)
Subject: SUSE-SU-2021:3292-1: important: Security update for go1.16
Message-ID: <20211006200745.5919BFCC9@maintenance.suse.de>

SUSE Security Update: Security update for go1.16
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3292-1
Rating:             important
References:         #1182345 #1190589
Cross-References:   CVE-2021-39293
CVSS scores:
    CVE-2021-39293 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
    SUSE Linux Enterprise Module for Development Tools 15-SP3
    SUSE Linux Enterprise Module for Development Tools 15-SP2
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for go1.16 fixes the following issues:

- Update to go 1.16.8
- CVE-2021-39293: Fixed a buffer overflow issue in preallocation check that can cause OOM panic. (bas#)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Development Tools 15-SP3:

zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-3292=1

- SUSE Linux Enterprise Module for Development Tools 15-SP2:

zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-3292=1

Package List:

- SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64):

go1.16-1.16.8-1.26.1
go1.16-doc-1.16.8-1.26.1

- SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 x86_64):

go1.16-race-1.16.8-1.26.1

- SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):

go1.16-1.16.8-1.26.1
go1.16-doc-1.16.8-1.26.1

- SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64):

go1.16-race-1.16.8-1.26.1

References:

https://www.suse.com/security/cve/CVE-2021-39293.html
https://bugzilla.suse.com/1182345
https://bugzilla.suse.com/1190589

From sle-security-updates at lists.suse.com Wed Oct 6 20:09:05 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Oct 2021 22:09:05 +0200 (CEST)
Subject: SUSE-SU-2021:3289-1: moderate: Security update for glibc
Message-ID: <20211006200905.1EB97FCC9@maintenance.suse.de>

SUSE Security Update: Security update for glibc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3289-1
Rating:             moderate
References:         #1117993 #1186489 #1187911
Cross-References:   CVE-2021-33574 CVE-2021-35942
CVSS scores:
    CVE-2021-33574 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE-2021-33574 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-35942 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:
    SUSE OpenStack Cloud Crowbar 8
    SUSE OpenStack Cloud 8
    SUSE Linux Enterprise Server for SAP 12-SP3
    SUSE Linux Enterprise Server 12-SP3-LTSS
    SUSE Linux Enterprise Server 12-SP3-BCL
    SUSE Linux Enterprise Server 12-SP2-BCL
    HPE Helion Openstack 8
______________________________________________________________________________

An update that solves two vulnerabilities and has one errata is now available.

Description:

This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)

Also the following bug was fixed:

- Avoid concurrency problem in ldconfig (bsc#1117993)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:

zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-3289=1

- SUSE OpenStack Cloud 8:

zypper in -t patch SUSE-OpenStack-Cloud-8-2021-3289=1

- SUSE Linux Enterprise Server for SAP 12-SP3:

zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-3289=1

- SUSE Linux Enterprise Server 12-SP3-LTSS:

zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-3289=1

- SUSE Linux Enterprise Server 12-SP3-BCL:

zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-3289=1

- SUSE Linux Enterprise Server 12-SP2-BCL:

zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-3289=1

- HPE Helion Openstack 8:

zypper in -t patch HPE-Helion-OpenStack-8-2021-3289=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (noarch):

glibc-html-2.22-116.1
glibc-i18ndata-2.22-116.1
glibc-info-2.22-116.1

- SUSE OpenStack Cloud Crowbar 8 (x86_64):

glibc-2.22-116.1
glibc-32bit-2.22-116.1
glibc-debuginfo-2.22-116.1
glibc-debuginfo-32bit-2.22-116.1
glibc-debugsource-2.22-116.1
glibc-devel-2.22-116.1
glibc-devel-32bit-2.22-116.1
glibc-devel-debuginfo-2.22-116.1
glibc-devel-debuginfo-32bit-2.22-116.1
glibc-locale-2.22-116.1
glibc-locale-32bit-2.22-116.1
glibc-locale-debuginfo-2.22-116.1
glibc-locale-debuginfo-32bit-2.22-116.1
glibc-profile-2.22-116.1
glibc-profile-32bit-2.22-116.1
nscd-2.22-116.1
nscd-debuginfo-2.22-116.1

- SUSE OpenStack Cloud 8 (x86_64):

glibc-2.22-116.1
glibc-32bit-2.22-116.1
glibc-debuginfo-2.22-116.1
glibc-debuginfo-32bit-2.22-116.1
glibc-debugsource-2.22-116.1
glibc-devel-2.22-116.1
glibc-devel-32bit-2.22-116.1
glibc-devel-debuginfo-2.22-116.1
glibc-devel-debuginfo-32bit-2.22-116.1
glibc-locale-2.22-116.1
glibc-locale-32bit-2.22-116.1
glibc-locale-debuginfo-2.22-116.1
glibc-locale-debuginfo-32bit-2.22-116.1
glibc-profile-2.22-116.1
glibc-profile-32bit-2.22-116.1
nscd-2.22-116.1
nscd-debuginfo-2.22-116.1

- SUSE OpenStack Cloud 8 (noarch):

glibc-html-2.22-116.1
glibc-i18ndata-2.22-116.1
glibc-info-2.22-116.1

- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

glibc-2.22-116.1
glibc-debuginfo-2.22-116.1
glibc-debugsource-2.22-116.1
glibc-devel-2.22-116.1
glibc-devel-debuginfo-2.22-116.1
glibc-locale-2.22-116.1
glibc-locale-debuginfo-2.22-116.1
glibc-profile-2.22-116.1
nscd-2.22-116.1
nscd-debuginfo-2.22-116.1

- SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):

glibc-32bit-2.22-116.1
glibc-debuginfo-32bit-2.22-116.1
glibc-devel-32bit-2.22-116.1
glibc-devel-debuginfo-32bit-2.22-116.1
glibc-locale-32bit-2.22-116.1
glibc-locale-debuginfo-32bit-2.22-116.1
glibc-profile-32bit-2.22-116.1

- SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

glibc-html-2.22-116.1
glibc-i18ndata-2.22-116.1
glibc-info-2.22-116.1

- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

glibc-2.22-116.1
glibc-debuginfo-2.22-116.1
glibc-debugsource-2.22-116.1
glibc-devel-2.22-116.1
glibc-devel-debuginfo-2.22-116.1
glibc-locale-2.22-116.1
glibc-locale-debuginfo-2.22-116.1
glibc-profile-2.22-116.1
nscd-2.22-116.1
nscd-debuginfo-2.22-116.1

- SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):

glibc-32bit-2.22-116.1
glibc-debuginfo-32bit-2.22-116.1
glibc-devel-32bit-2.22-116.1
glibc-devel-debuginfo-32bit-2.22-116.1
glibc-locale-32bit-2.22-116.1
glibc-locale-debuginfo-32bit-2.22-116.1
glibc-profile-32bit-2.22-116.1

- SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

glibc-html-2.22-116.1
glibc-i18ndata-2.22-116.1
glibc-info-2.22-116.1

- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

glibc-2.22-116.1
glibc-32bit-2.22-116.1
glibc-debuginfo-2.22-116.1
glibc-debuginfo-32bit-2.22-116.1
glibc-debugsource-2.22-116.1
glibc-devel-2.22-116.1
glibc-devel-32bit-2.22-116.1
glibc-devel-debuginfo-2.22-116.1
glibc-devel-debuginfo-32bit-2.22-116.1
glibc-locale-2.22-116.1
glibc-locale-32bit-2.22-116.1
glibc-locale-debuginfo-2.22-116.1
glibc-locale-debuginfo-32bit-2.22-116.1
glibc-profile-2.22-116.1
glibc-profile-32bit-2.22-116.1
nscd-2.22-116.1
nscd-debuginfo-2.22-116.1

- SUSE Linux Enterprise Server 12-SP3-BCL (noarch):

glibc-html-2.22-116.1
glibc-i18ndata-2.22-116.1
glibc-info-2.22-116.1

- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

glibc-2.22-116.1
glibc-32bit-2.22-116.1
glibc-debuginfo-2.22-116.1
glibc-debuginfo-32bit-2.22-116.1
glibc-debugsource-2.22-116.1
glibc-devel-2.22-116.1
glibc-devel-32bit-2.22-116.1
glibc-devel-debuginfo-2.22-116.1
glibc-devel-debuginfo-32bit-2.22-116.1
glibc-locale-2.22-116.1
glibc-locale-32bit-2.22-116.1
glibc-locale-debuginfo-2.22-116.1
glibc-locale-debuginfo-32bit-2.22-116.1
glibc-profile-2.22-116.1
glibc-profile-32bit-2.22-116.1
nscd-2.22-116.1
nscd-debuginfo-2.22-116.1

- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

glibc-html-2.22-116.1
glibc-i18ndata-2.22-116.1
glibc-info-2.22-116.1

- HPE Helion Openstack 8 (noarch):

glibc-html-2.22-116.1
glibc-i18ndata-2.22-116.1
glibc-info-2.22-116.1

- HPE Helion Openstack 8 (x86_64):

glibc-2.22-116.1
glibc-32bit-2.22-116.1
glibc-debuginfo-2.22-116.1
glibc-debuginfo-32bit-2.22-116.1
glibc-debugsource-2.22-116.1
glibc-devel-2.22-116.1
glibc-devel-32bit-2.22-116.1
glibc-devel-debuginfo-2.22-116.1
glibc-devel-debuginfo-32bit-2.22-116.1
glibc-locale-2.22-116.1
glibc-locale-32bit-2.22-116.1
glibc-locale-debuginfo-2.22-116.1
glibc-locale-debuginfo-32bit-2.22-116.1
glibc-profile-2.22-116.1
glibc-profile-32bit-2.22-116.1
nscd-2.22-116.1
nscd-debuginfo-2.22-116.1

References:

https://www.suse.com/security/cve/CVE-2021-33574.html
https://www.suse.com/security/cve/CVE-2021-35942.html
https://bugzilla.suse.com/1117993
https://bugzilla.suse.com/1186489
https://bugzilla.suse.com/1187911

From sle-security-updates at lists.suse.com Wed Oct 6 20:12:26 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 6 Oct 2021 22:12:26 +0200 (CEST)
Subject: SUSE-SU-2021:3301-1: moderate: Security update for libcryptopp
Message-ID: <20211006201226.2DF2FFCC9@maintenance.suse.de>

SUSE Security Update: Security update for libcryptopp
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:3301-1
Rating: moderate
References: #1015243
Cross-References: CVE-2016-9939
CVSS scores:
CVE-2016-9939 (NVD) : 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for libcryptopp fixes the following issues:
- CVE-2016-9939: Fixed potential DoS in Crypto++ (libcryptopp) ASN.1 parser (bsc#1015243).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3301=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3301=1
Package List:
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
libcryptopp-debugsource-5.6.5-1.6.1 libcryptopp-devel-5.6.5-1.6.1 libcryptopp5_6_5-5.6.5-1.6.1 libcryptopp5_6_5-debuginfo-5.6.5-1.6.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
libcryptopp-debugsource-5.6.5-1.6.1 libcryptopp-devel-5.6.5-1.6.1 libcryptopp5_6_5-5.6.5-1.6.1 libcryptopp5_6_5-debuginfo-5.6.5-1.6.1
References:
https://www.suse.com/security/cve/CVE-2016-9939.html
https://bugzilla.suse.com/1015243

From sle-security-updates at lists.suse.com Thu Oct 7 22:16:30 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 8 Oct 2021 00:16:30 +0200 (CEST)
Subject: SUSE-SU-2021:3322-1: moderate: Security update for xen
Message-ID: <20211007221630.37A08FE12@maintenance.suse.de>
SUSE Security Update: Security update for xen
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:3322-1
Rating: moderate
References: #1182654 #1186429 #1186433 #1186434 #1187369 #1187376 #1187378 #1189373 #1189376 #1189378 #1189632 #1189882
Cross-References: CVE-2021-0089 CVE-2021-20255 CVE-2021-28690 CVE-2021-28692 CVE-2021-28694 CVE-2021-28695 CVE-2021-28696 CVE-2021-28697 CVE-2021-28698 CVE-2021-28701 CVE-2021-3592 CVE-2021-3594 CVE-2021-3595
CVSS scores:
CVE-2021-0089 (NVD) : 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE-2021-20255 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-20255 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
CVE-2021-28694 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-28695 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-28696 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-28697 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-28698 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-28701 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-3592 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CVE-2021-3592 (SUSE): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CVE-2021-3594 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CVE-2021-3594 (SUSE): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CVE-2021-3595 (NVD) : 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CVE-2021-3595 (SUSE): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Affected Products:
SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________
An update that fixes 13 vulnerabilities is now available.
Description:
This update for xen fixes the following issues:
- CVE-2021-28701: Fixed race condition in XENMAPSPACE_grant_table handling (XSA-384) (bsc#1189632).
- CVE-2021-28694, CVE-2021-28695, CVE-2021-28696: Fixed IOMMU page mapping issues on x86 (XSA-378) (bsc#1189373).
- CVE-2021-28697: Fixed grant table v2 status pages that may remain accessible after de-allocation (XSA-379) (bsc#1189376).
- CVE-2021-28698: Fixed long running loops in grant table handling (XSA-380) (bsc#1189378).
- CVE-2021-20255: Fixed eepro100 stack overflow via infinite recursion (bsc#1182654).
- CVE-2021-3592: Fixed invalid pointer initialization that may lead to information disclosure (bootp) (bsc#1187369).
- CVE-2021-3594: Fixed invalid pointer initialization that may lead to information disclosure (udp) (bsc#1187378).
- CVE-2021-3595: Fixed invalid pointer initialization that may lead to information disclosure (tftp) (bsc#1187376).
- CVE-2021-28692: Fixed inappropriate x86 IOMMU timeout detection / handling (XSA-373) (bsc#1186429).
- CVE-2021-0089: Fixed Speculative Code Store Bypass (XSA-375) (bsc#1186433).
- CVE-2021-28690: Fixed x86 TSX Async Abort protections not restored after S3 (XSA-377) (bsc#1186434).
- Prevent superpage allocation in the LAPIC and ACPI_INFO range (bsc#1189882).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-3322=1
Package List:
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
xen-4.7.6_16-43.79.5 xen-debugsource-4.7.6_16-43.79.5 xen-doc-html-4.7.6_16-43.79.5 xen-libs-32bit-4.7.6_16-43.79.5 xen-libs-4.7.6_16-43.79.5 xen-libs-debuginfo-32bit-4.7.6_16-43.79.5 xen-libs-debuginfo-4.7.6_16-43.79.5 xen-tools-4.7.6_16-43.79.5 xen-tools-debuginfo-4.7.6_16-43.79.5 xen-tools-domU-4.7.6_16-43.79.5 xen-tools-domU-debuginfo-4.7.6_16-43.79.5
References:
https://www.suse.com/security/cve/CVE-2021-0089.html
https://www.suse.com/security/cve/CVE-2021-20255.html
https://www.suse.com/security/cve/CVE-2021-28690.html
https://www.suse.com/security/cve/CVE-2021-28692.html
https://www.suse.com/security/cve/CVE-2021-28694.html
https://www.suse.com/security/cve/CVE-2021-28695.html
https://www.suse.com/security/cve/CVE-2021-28696.html
https://www.suse.com/security/cve/CVE-2021-28697.html
https://www.suse.com/security/cve/CVE-2021-28698.html
https://www.suse.com/security/cve/CVE-2021-28701.html
https://www.suse.com/security/cve/CVE-2021-3592.html
https://www.suse.com/security/cve/CVE-2021-3594.html
https://www.suse.com/security/cve/CVE-2021-3595.html
https://bugzilla.suse.com/1182654
https://bugzilla.suse.com/1186429
https://bugzilla.suse.com/1186433
https://bugzilla.suse.com/1186434
https://bugzilla.suse.com/1187369
https://bugzilla.suse.com/1187376
https://bugzilla.suse.com/1187378
https://bugzilla.suse.com/1189373
https://bugzilla.suse.com/1189376
https://bugzilla.suse.com/1189378
https://bugzilla.suse.com/1189632
https://bugzilla.suse.com/1189882

From sle-security-updates at lists.suse.com Fri Oct 8 13:16:04 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 8 Oct 2021 15:16:04 +0200 (CEST)
Subject: SUSE-SU-2021:3323-1: Includes a kubernetes update to 1.17.17 including a backport for CVE-2021-25741
Message-ID: <20211008131604.9735AFCC9@maintenance.suse.de>
SUSE Security Update: Includes a kubernetes update to 1.17.17 including a backport for CVE-2021-25741
______________________________________________________________________________
Announcement ID: SUSE-SU-2021:3323-1
Rating: low
References: #1189416
Cross-References: CVE-2021-25741
CVSS scores:
CVE-2021-25741 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
SUSE CaaS Platform 4.0
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
== Kubernetes
The kubernetes fix for bsc#1189416 is a backport of the upstream security fix (CVE-2021-25741): https://github.com/kubernetes/kubernetes/pull/104253
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE CaaS Platform 4.0:
To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
Package List:
- SUSE CaaS Platform 4.0 (noarch):
release-notes-caasp-4.2.20210929-4.71.2 skuba-update-1.4.13-3.56.2
- SUSE CaaS Platform 4.0 (x86_64):
caasp-release-4.2.6-24.43.2 kubernetes-client-1.17.17-4.25.2 kubernetes-common-1.17.17-4.25.2 kubernetes-kubeadm-1.17.17-4.25.2 kubernetes-kubelet-1.17.17-4.25.2 skuba-1.4.13-3.56.2
References:
https://www.suse.com/security/cve/CVE-2021-25741.html
https://bugzilla.suse.com/1189416

From sle-security-updates at lists.suse.com Sat Oct 9 08:59:22 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 9 Oct 2021 10:59:22 +0200 (CEST)
Subject: SUSE-CU-2021:375-1: Security update of suse/sles12sp3
Message-ID: <20211009085922.21A32FCC9@maintenance.suse.de>
SUSE Container Update Advisory: suse/sles12sp3
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:375-1
Container Tags : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.310 , suse/sles12sp3:latest
Container Release : 24.310
Severity : moderate
Type : security
References : 1117993 1186489 1187911 CVE-2021-33574 CVE-2021-35942
-----------------------------------------------------------------
The container suse/sles12sp3 was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3289-1
Released: Wed Oct 6 16:43:33 2021
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1117993,1186489,1187911,CVE-2021-33574,CVE-2021-35942
This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)
Also the following bug was fixed:
- Avoid concurrency problem in ldconfig (bsc#1117993)

From sle-security-updates at lists.suse.com Sat Oct 9 10:12:26 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 9 Oct 2021 12:12:26 +0200 (CEST)
Subject: SUSE-CU-2021:382-1: Security update of suse/sle15
Message-ID: <20211009101226.49326FE12@maintenance.suse.de>
SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:382-1
Container Tags : suse/sle15:15.2 , suse/sle15:15.2.9.5.26
Container Release : 9.5.26
Severity : moderate
Type : security
References : 1190373 1190374 CVE-2021-22946 CVE-2021-22947
-----------------------------------------------------------------
The container suse/sle15 was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3298-1
Released: Wed Oct 6 16:54:52 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1190373,1190374,CVE-2021-22946,CVE-2021-22947
This update for curl fixes the following issues:
- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed a protocol downgrade that bypassed required TLS (bsc#1190373).
From sle-security-updates at lists.suse.com Sat Oct 9 10:17:41 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 9 Oct 2021 12:17:41 +0200 (CEST)
Subject: SUSE-CU-2021:384-1: Security update of suse/sle15
Message-ID: <20211009101741.0506BFCC9@maintenance.suse.de>
SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:384-1
Container Tags : suse/sle15:15.3 , suse/sle15:15.3.17.8.9
Container Release : 17.8.9
Severity : moderate
Type : security
References : 1134353 1184994 1186489 1187911 1188291 1188588 1188713 1189446 1189480 1190373 1190374 CVE-2021-22946 CVE-2021-22947 CVE-2021-33574 CVE-2021-35942
-----------------------------------------------------------------
The container suse/sle15 was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3291-1
Released: Wed Oct 6 16:45:36 2021
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942
This update for glibc fixes the following issues:
- CVE-2021-33574: Fixed: use __pthread_attr_copy in mq_notify (bsc#1186489).
- CVE-2021-35942: Fixed: wordexp handles overflow in positional parameter number (bsc#1187911).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3298-1
Released: Wed Oct 6 16:54:52 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1190373,1190374,CVE-2021-22946,CVE-2021-22947
This update for curl fixes the following issues:
- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed a protocol downgrade that bypassed required TLS (bsc#1190373).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3310-1
Released: Wed Oct 6 18:12:41 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1134353,1184994,1188291,1188588,1188713,1189446,1189480
This update for systemd fixes the following issues:
- Switch I/O scheduler from 'mq-deadline' to 'bfq' for rotating disks (HDs) (jsc#SLE-21032, bsc#1134353).
- Multipath: Rules weren't applied to dm devices (bsc#1188713).
- Ignore obsolete 'elevator' kernel parameter (bsc#1184994).
- Remove kernel unsupported single-queue block I/O.
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
- Avoid error message when updating active udev on sockets restart (bsc#1188291).
- Merge of v246.16; for a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/8d8f5fc31eece95644b299b784bbfb8f836d0108...f5c33d9f82d3d782d28938df9ff09484360c540d
- Drop 1007-tmpfiles-follow-SUSE-policies.patch: Since most of the tmpfiles config files shipped by upstream are ignored (see previous commit 'Drop most of the tmpfiles that deal with generic paths'), this patch is no longer relevant.
Additional fixes:
- core: make sure cgroup_oom_queue is flushed on manager exit.
- cgroup: do 'catchup' for unit cgroup inotify watch files.
- journalctl: never fail at flushing when the flushed flag is set (bsc#1188588).
- manager: reexecute on SIGRTMIN+25, user instances only.
- manager: fix HW watchdog when systemd starts before driver loaded (bsc#1189446).
- pid1: watchdog modernizations.
From sle-security-updates at lists.suse.com Sat Oct 9 10:21:14 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 9 Oct 2021 12:21:14 +0200 (CEST)
Subject: SUSE-CU-2021:385-1: Security update of caasp/v4/hyperkube
Message-ID: <20211009102114.914ADFCC9@maintenance.suse.de>
SUSE Container Update Advisory: caasp/v4/hyperkube
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:385-1
Container Tags : caasp/v4/hyperkube:v1.17.17 , caasp/v4/hyperkube:v1.17.17-rev5 , caasp/v4/hyperkube:v1.17.17-rev5-build3.17.1
Container Release : 3.17.1
Severity : critical
Type : security
References : (see the References field of each advisory included below)
-----------------------------------------------------------------
The container caasp/v4/hyperkube was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3853-1
Released: Wed Dec 16 12:27:27 2020
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1084671,1169006,1174942,1175514,1175623,1178554,1178825
This update for util-linux fixes the following issues:
- Do not trigger the automatic close of CDROM. (bsc#1084671)
- Try to automatically configure broken serial lines. (bsc#1175514)
- Avoid `sulogin` failing on non-existent or non-functional console devices. (bsc#1175514)
- Build with `libudev` support to support non-root users. (bsc#1169006)
- Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to `CIFS` with mount -a. (bsc#1174942)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:3930-1
Released: Wed Dec 23 18:19:39 2020
Summary: Security update for python3
Type: security
Severity: important
References: 1155094,1174091,1174571,1174701,1177211,1178009,1179193,1179630,CVE-2019-16935,CVE-2019-18348,CVE-2019-20907,CVE-2019-5010,CVE-2020-14422,CVE-2020-26116,CVE-2020-27619,CVE-2020-8492
This update for python3 fixes the following issues:
- Fixed CVE-2020-27619 (bsc#1178009), where Lib/test/multibytecodec_support calls eval() on content retrieved via HTTP.
- Change setuptools and pip version numbers according to new wheels
- Handful of changes to make python36 compatible with SLE15 and SLE12 (jsc#ECO-2799, jsc#SLE-13738)
- add triplets for mips-r6 and riscv
- RISC-V needs CTYPES_PASS_BY_REF_HACK
Update to 3.6.12 (bsc#1179193):
* Ensure python3.dll is loaded from correct locations when Python is embedded
* The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).
* Prevent http header injection by rejecting control characters in http.client.putrequest(...).
* Unpickling invalid NEWOBJ_EX opcode with the C implementation now raises UnpicklingError instead of crashing.
* Avoid infinite loop when reading specially crafted TAR files using the tarfile module
- This release also fixes CVE-2020-26116 (bsc#1177211) and CVE-2019-20907 (bsc#1174091).
Update to 3.6.11:
- Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.
- Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause an InvalidURL to be raised. (bsc#1155094)
- CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3942-1 Released: Tue Dec 29 12:22:01 2020 Summary: Recommended update for libidn2 Type: recommended Severity: moderate References: 1180138 This update for libidn2 fixes the following issues: - The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3943-1 Released: Tue Dec 29 12:24:45 2020 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1178823 This update for libxml2 fixes the following issues: Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823) * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). * This fix uses a hash table to avoid the quadratic behaviour. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3946-1 Released: Tue Dec 29 17:39:54 2020 Summary: Recommended update for python3 Type: recommended Severity: important References: 1180377 This update for python3 fixes the following issues: - A previous update inadvertently removed the 'PyFPE_jbuf' symbol from Python3, which caused regressions in several applications. (bsc#1180377) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:23-1 Released: Tue Jan 5 11:01:54 2021 Summary: Security update for ceph Type: security Severity: moderate References: 1178837,1179139,1179452,1179802,1180118,1180155,CVE-2020-27781 This update for ceph fixes the following issues: Security issues fixed: - CVE-2020-27781: Fixed a privilege escalation via the ceph_volume_client Python interface (bsc#1179802 bsc#1180155). Non-security issues fixed: - Fixes an issue when check in legacy collection reaches end. 
(bsc#1179139) - Fixes an issue when storage service stops. (bsc#1178837) - Fix for failing test run due to missing module 'six'. (bsc#1179452) - Provide a different name for the fallback allocator in bluestore. (bsc#1180118) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:129-1 Released: Thu Jan 14 12:26:15 2021 Summary: Security update for openldap2 Type: security Severity: moderate References: 1178909,1179503,CVE-2020-25709,CVE-2020-25710 This update for openldap2 fixes the following issues: Security issues fixed: - CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909). - CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909). Non-security issue fixed: - Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:220-1 Released: Tue Jan 26 14:00:51 2021 Summary: Recommended update for keyutils Type: recommended Severity: moderate References: 1180603 This update for keyutils fixes the following issues: - Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:233-1 Released: Wed Jan 27 12:15:33 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1141597,1174436,1175458,1177490,1179363,1179824,1180225 This update for systemd fixes the following issues: - Added a timestamp to the output of the busctl monitor command (bsc#1180225) - Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824) - Improved the caching of cgroups member mask (bsc#1175458) - Fixed the dependency definition of sound.target (bsc#1179363) - Fixed a bug that could lead to a potential error, when daemon-reload is 
called between StartTransientUnit and scope_start() (bsc#1174436) - time-util: treat /etc/localtime missing as UTC (bsc#1141597) - Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:265-1 Released: Mon Feb 1 15:06:45 2021 Summary: Recommended update for systemd Type: recommended Severity: important References: 1178775,1180885 This update for systemd fixes the following issues: - Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)) - Fix for an issue when container start causes interference in other containers. (bsc#1178775) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:266-1 Released: Mon Feb 1 21:02:37 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1177533,1179326,1179691,1179738 This update for lvm2 fixes the following issue: - Fixes an issue when boot logical volume gets unmounted during patching. (bsc#1177533) - Fix for lvm2 to use 'external_device_info_source='udev'' by default. (bsc#1179691) - Fixed an issue in configuration for an item that is commented out by default. (bsc#1179738) - Fixed an issue when after storage migration major performance issues occurred on the system. 
(bsc#1179326) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:293-1 Released: Wed Feb 3 12:52:34 2021 Summary: Recommended update for gmp Type: recommended Severity: moderate References: 1180603 This update for gmp fixes the following issues: - correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:304-1 Released: Thu Feb 4 13:19:43 2021 Summary: Recommended update for lvm2 Type: recommended Severity: important References: 1179691 This update for lvm2 fixes the following issues: - lvm2 will no longer use external_device_info_source='udev' as default because it introduced a regression (bsc#1179691). If this behavior is still wanted, please change this manually in the lvm.conf ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:307-1 Released: Fri Feb 5 05:30:34 2021 Summary: Recommended update for libselinux Type: recommended Severity: low References: 1180603 This update for libselinux fixes the following issues: - Corrected the license to public domain (bsc#1180603) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:339-1 Released: Mon Feb 8 13:16:07 2021 Summary: Optional update for pam Type: optional Severity: low References: This update for pam fixes the following issues: - Added rpm macros for this package, so that other packages can make use of it This patch is optional to be installed - it doesn't fix any bugs. 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released:    Fri Feb 19 14:53:47 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177

This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in its correct form (bsc#1180686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released:    Fri Feb 26 19:53:43 2021
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326

This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released:    Mon Mar 8 16:45:27 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212

This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:753-1
Released:    Tue Mar 9 17:09:57 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1182331,1182333,CVE-2021-23840,CVE-2021-23841

This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a NULL pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released:    Mon Mar 15 11:19:23 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201

This update for zlib fixes the following issues:

- Fixed hardware compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:890-1
Released:    Fri Mar 19 15:51:41 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219

This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores it in a guint; this patch refuses lengths larger than a guint can hold. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads to an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released:    Tue Mar 23 10:00:49 2021
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094

This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allow overriding the config to add cleanup options for '/var/tmp'. (bsc#1078466)
- Create a config to clean up '/tmp' regularly, as required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case where a bind-mounted directory results in inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue where starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling an rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:926-1
Released:    Tue Mar 23 13:20:24 2021
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    moderate
References:  1083473,1112500,1115408,1165780,1183012

This update for systemd-presets-common-SUSE fixes the following issues:

- Add default user preset containing:
  - enable `pulseaudio.socket` (bsc#1083473)
  - enable `pipewire.socket` (bsc#1183012)
  - enable `pipewire-pulse.socket` (bsc#1183012)
  - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23)
- Changes to the default preset:
  - enable `btrfsmaintenance-refresh.path`.
  - disable `btrfsmaintenance-refresh.service`.
  - enable `dnf-makecache.timer`.
  - enable `ignition-firstboot-complete.service`.
  - enable `logwatch.timer` to avoid having logwatch out of sync with logrotate. (bsc#1112500)
  - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408)
  - remove `enable updatedb.timer`
- Avoid needless refresh on boot. (bsc#1165780)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:934-1
Released:    Wed Mar 24 12:18:21 2021
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1183456,1183457,CVE-2021-20231,CVE-2021-20232

This update for gnutls fixes the following issues:

- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:947-1
Released:    Wed Mar 24 14:30:58 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1182379,CVE-2021-23336

This update for python3 fixes the following issues:

- python36 was updated to 3.6.13
- CVE-2021-23336: Fixed potential web cache poisoning caused by the use of a semicolon as a query string separator (bsc#1182379).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released:    Wed Mar 24 14:31:34 2021
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1183370,1183371,CVE-2021-24031,CVE-2021-24032

This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access a world-readable destination file (bsc#1183370).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:956-1
Released:    Thu Mar 25 19:19:04 2021
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    moderate
References:  1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629,CVE-2017-9271

This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.43:

- doc: give more details about creating versioned package locks (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)
- Prefer /run over /var/run.

Update libzypp to 17.25.8:

- Try to provide a mounted /proc in --root installs (bsc#1181328). Some systemd tools require /proc to be mounted and fail if it's not there.
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names (bsc#1179847). This allows using the RH and SUSE patch category names synonymously: (recommended = bugfix) and (optional = feature = enhancement).
- Add missing includes for GCC 11 compatibility.
- Fix %posttrans script execution (fixes #265). The scripts are executable; no need to call them through 'sh -c'.
- Commit: Fix rpmdb compat symlink in case rpm got removed.
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv's new -D switch to tell it the location of the rpm database to use.
- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with extended expiry date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1004-1
Released:    Thu Apr 1 15:07:09 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    moderate
References:  1180073

This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1007-1
Released:    Thu Apr 1 17:47:20 2021
Summary:     Security update for MozillaFirefox
Type:        security
Severity:    important
References:  1183942,CVE-2021-23981,CVE-2021-23982,CVE-2021-23984,CVE-2021-23987

This update for MozillaFirefox fixes the following issues:

- Firefox was updated to 78.9.0 ESR (MFSA 2021-11, bsc#1183942)
  * CVE-2021-23981: Texture upload into an unbound backing buffer resulted in an out-of-bound read
  * CVE-2021-23982: Internal network hosts could have been probed by a malicious webpage
  * CVE-2021-23984: Malicious extensions could have spoofed popup information
  * CVE-2021-23987: Memory safety bugs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1141-1
Released:    Mon Apr 12 13:13:36 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1182791

This update for openldap2 fixes the following issues:

- Improved the proxy connection timeout options to prune connections properly (bsc#1182791)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1169-1
Released:    Tue Apr 13 15:01:42 2021
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1181976

This update for procps fixes the following issues:

- Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1295-1
Released:    Wed Apr 21 14:08:19 2021
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    moderate
References:  1184136

This update for systemd-presets-common-SUSE fixes the following issues:

- Enabled hcn-init.service for HNV on POWER (bsc#1184136)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1296-1
Released:    Wed Apr 21 14:09:28 2021
Summary:     Optional update for e2fsprogs
Type:        optional
Severity:    low
References:  1183791

This update for e2fsprogs fixes the following issues:

- Fixed an issue when building e2fsprogs (bsc#1183791)

This patch does not fix any user visible issues and is therefore optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1297-1
Released:    Wed Apr 21 14:10:10 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1178219

This update for systemd fixes the following issues:

- Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1407-1
Released:    Wed Apr 28 15:49:02 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    important
References:  1184690

This update for libcap fixes the following issues:

- Add an explicit versioned dependency on 'libcap2' to 'libcap-progs' and 'pam_cap'. (bsc#1184690)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1412-1
Released:    Wed Apr 28 17:09:28 2021
Summary:     Security update for libnettle
Type:        security
Severity:    important
References:  1184401,CVE-2021-20305

This update for libnettle fixes the following issues:

- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1449-1
Released:    Fri Apr 30 08:08:25 2021
Summary:     Recommended update for systemd-presets-branding-SLE
Type:        recommended
Severity:    moderate
References:  1165780

This update for systemd-presets-branding-SLE fixes the following issues:

- Don't enable 'btrfsmaintenance-refresh.service'; 'btrfsmaintenance' is managed by systemd-presets-common-SUSE instead. (bsc#1165780)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1473-1
Released:    Tue May 4 08:58:02 2021
Summary:     Security update for ceph
Type:        security
Severity:    important
References:  1145463,1174466,1177200,1178235,1178837,1178860,1178905,1179997,1180118,1180594,1181378,1183074,1183487,CVE-2020-25678,CVE-2020-27839,CVE-2021-20288

This update for ceph fixes the following issues:

- ceph was updated to 14.2.20-402-g6aa76c6815:
  * CVE-2021-20288: Fixed unauthorized global_id reuse (bsc#1183074).
  * CVE-2020-25678: Do not add sensitive information in Ceph log files (bsc#1178905).
  * CVE-2020-27839: Use secure cookies to store JWT Token (bsc#1179997).
  * mgr/dashboard: prometheus alerting: add some leeway for package drops and errors (bsc#1145463)
  * mon: have 'mon stat' output json as well (bsc#1174466)
  * rpm: ceph-mgr-dashboard recommends python3-saml on SUSE (bsc#1177200)
  * mgr/dashboard: Display a warning message in Dashboard when debug mode is enabled (bsc#1178235)
  * rgw: cls/user: set from_index for reset stats calls (bsc#1178837)
  * mgr/dashboard: Disable TLS 1.0 and 1.1 (bsc#1178860)
  * bluestore: provide a different name for fallback allocator (bsc#1180118)
  * test/run-cli-tests: use cram from github (bsc#1181378)
  * mgr/dashboard: fix 'Python2 Cookie module import fails on Python3' (bsc#1183487)
  * common: make ms_bind_msgr2 default to 'false' (bsc#1180594)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1523-1
Released:    Wed May 5 18:24:20 2021
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518

This update for libxml2 fixes the following issues:

- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1527-1
Released:    Thu May 6 08:58:53 2021
Summary:     Recommended update for bash
Type:        recommended
Severity:    important
References:  1183064

This update for bash fixes the following issues:

- Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1543-1
Released:    Fri May 7 15:16:32 2021
Summary:     Recommended update for patterns-microos
Type:        recommended
Severity:    moderate
References:  1184435

This update for patterns-microos provides the following fix:

- Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1549-1
Released:    Mon May 10 13:48:00 2021
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1185417

This update for procps fixes the following issues:

- Support up to 2048 CPUs as well. (bsc#1185417)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1557-1
Released:    Tue May 11 09:50:00 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1183374,CVE-2021-3426

This update for python3 fixes the following issues:

- CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1565-1
Released:    Tue May 11 14:20:04 2021
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1185163

This update for krb5 fixes the following issues:

- Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1592-1
Released:    Wed May 12 13:47:41 2021
Summary:     Optional update for sed
Type:        optional
Severity:    low
References:  1183797

This update for sed fixes the following issues:

- Fixed a build issue with glibc-2.31 (bsc#1183797).

This patch is optional to install.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1602-1
Released:    Thu May 13 16:35:19 2021
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1180851,1181874,1182936,1183628,1184997,1185239

This update for libsolv and libzypp fixes the following issues:

libsolv: Upgrade from version 0.7.17 to version 0.7.19

- Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned.
- Fix memory leaks in error cases
- Fix error handling in `solv_xfopen_fd()`
- Fix regex code on win32
- Fixed memory leak in choice rule generation
- `repo_add_conda`: add a flag to skip version 2 packages.

libzypp: Upgrade from version 17.25.8 to version 17.25.10

- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do not clean up in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1612-1
Released:    Fri May 14 17:09:39 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1184614

This update for openldap2 fixes the following issue:

- Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1643-1
Released:    Wed May 19 13:51:48 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    important
References:  1181443,1184358,1185562

This update for pam fixes the following issues:

- Fixed a bug where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, also require 'systemd-32bit' to be installed, as it contains pam_systemd.so for 32-bit applications. (bsc#1185562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1647-1
Released:    Wed May 19 13:59:12 2021
Summary:     Security update for lz4
Type:        security
Severity:    important
References:  1185438,CVE-2021-3520

This update for lz4 fixes the following issues:

- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by a memmove argument (bsc#1185438).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1654-1
Released:    Wed May 19 16:43:36 2021
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537

This update for libxml2 fixes the following issues:

- CVE-2021-3537: Fixed a NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1773-1
Released:    Wed May 26 17:22:21 2021
Summary:     Recommended update for python3
Type:        recommended
Severity:    low
References:

This update for python3 fixes the following issues:

- Make sure to close the import_failed.map file after the exception has been raised, in order to avoid ResourceWarnings when the failing import is part of a try...except block.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1809-1
Released:    Mon May 31 16:24:59 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1177976,1183933,1186114,CVE-2021-22876,CVE-2021-22898

This update for curl fixes the following issues:

- CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Fix SFTP uploads that resulted in empty uploaded files (bsc#1177976).
- Allow partial chain verification (jsc#SLE-17956).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1835-1
Released:    Wed Jun 2 15:38:17 2021
Summary:     Security update for ceph
Type:        security
Severity:    important
References:  1185619,1186020,1186021,CVE-2021-3509,CVE-2021-3524,CVE-2021-3531

This update for ceph fixes the following issues:

- Update to 15.2.12-83-g528da226523:
  - (CVE-2021-3509) fix cookie injection issue (bsc#1186021)
  - (CVE-2021-3531) RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name (bsc#1186020)
  - (CVE-2021-3524) sanitize \r in s3 CORSConfiguration's ExposeHeader (bsc#1185619)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1846-1
Released:    Fri Jun 4 08:46:37 2021
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1185910

This update for mozilla-nss fixes the following issue:

- Provide some missing binaries from `mozilla-nss` not added in `SLE-Module-Basesystem_15-SP3`. (bsc#1185910)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1861-1
Released:    Fri Jun 4 09:59:40 2021
Summary:     Recommended update for gcc10
Type:        recommended
Severity:    moderate
References:  1029961,1106014,1178577,1178624,1178675,1182016

This update for gcc10 fixes the following issues:

- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32-bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI-wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1917-1
Released:    Wed Jun 9 14:48:05 2021
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1186015,CVE-2021-3541

This update for libxml2 fixes the following issues:

- CVE-2021-3541: Fixed an exponential entity expansion attack that bypassed all existing protection mechanisms. (bsc#1186015)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1953-1
Released:    Thu Jun 10 16:18:50 2021
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1161268,1172308

This update for gpg2 fixes the following issues:

- Fixed an issue where the gpg-agent's ssh-agent did not handle flags in signing requests properly (bsc#1161268 and bsc#1172308).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1992-1
Released:    Thu Jun 17 10:34:41 2021
Summary:     Recommended update for ceph
Type:        recommended
Severity:    important
References:  1183760,1185049

This update for ceph fixes the following issues:

- os/FileStore: don't propagate split/merge error to 'create'/'remove' (bsc#1183760)
- os/FileStore: fix to handle readdir error correctly (bsc#1185049)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2143-1
Released:    Wed Jun 23 16:27:04 2021
Summary:     Security update for libnettle
Type:        security
Severity:    important
References:  1187060,CVE-2021-3580

This update for libnettle fixes the following issues:

- CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2157-1 Released: Thu Jun 24 15:40:14 2021 Summary: Security update for libgcrypt Type: security Severity: important References: 1187212,CVE-2021-33560 This update for libgcrypt fixes the following issues: - CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2173-1 Released: Mon Jun 28 14:59:45 2021 Summary: Recommended update for automake Type: recommended Severity: moderate References: 1040589,1047218,1182604,1185540,1186049 This update for automake fixes the following issues: - Implement generated autoconf makefiles reproducible (bsc#1182604) - Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848) - Avoid bashisms in test-driver script. (bsc#1185540) This update for pcre fixes the following issues: - Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589) This update for brp-check-suse fixes the following issues: - Add fixes to support reproducible builds. (bsc#1186049) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2178-1 Released: Mon Jun 28 15:56:15 2021 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate References: 1186561 This update for systemd-presets-common-SUSE fixes the following issues: When installing the systemd-presets-common-SUSE package for the first time in a new system, it might happen that some services are installed before systemd so the %systemd_pre/post macros would not work. This is handled by enabling all preset services in this package's %posttrans section but it wasn't enabling user services, just system services. 
Now it enables also the user services installed before this package (bsc#1186561) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2196-1 Released: Tue Jun 29 09:41:39 2021 Summary: Security update for lua53 Type: security Severity: moderate References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371 This update for lua53 fixes the following issues: Update to version 5.3.6: - CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449) - CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448) - Long brackets with a huge number of '=' overflow some internal buffer arithmetic. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2205-1 Released: Wed Jun 30 09:17:41 2021 Summary: Recommended update for openldap2 Type: recommended Severity: important References: 1187210 This update for openldap2 fixes the following issues: - Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2246-1 Released: Mon Jul 5 15:17:49 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1154935,1167471,1178561,1184761,1184967,1185046,1185331,1185807,1185958,1187292,1187400 This update for systemd fixes the following issues: cgroup: Parse infinity properly for memory protections. (bsc#1167471) cgroup: Make empty assignments reset to default. (bsc#1167471) cgroup: Support 0-value for memory protection directives. (bsc#1167471) core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935) bus-unit-util: Add proper 'MemorySwapMax' serialization. core: Accept MemorySwapMax= properties that are scaled. 
- execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967)
- core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331)
- Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046)
- rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561)
- write_net_rules: Set execute bits. (bsc#1178561)
- udev: Rework network device renaming. Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available''
- mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
- core: fix output (logging) for mount units (#7603) (bsc#1187400)
- udev requires systemd in its %post (bsc#1185958)
- cgroup: Parse infinity properly for memory protections (bsc#1167471)
- cgroup: Make empty assignments reset to default (bsc#1167471)
- cgroup: Support 0-value for memory protection directives (bsc#1167471)
- Create /run/lock/subsys again (bsc#1187292). The creation of this directory was mistakenly dropped when the 'filesystem' package took over the initialization of the generic paths.
- Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2292-1
Released:    Mon Jul 12 08:25:20 2021
Summary:     Security update for dbus-1
Type:        security
Severity:    important
References:  1187105,CVE-2020-35512
This update for dbus-1 fixes the following issues:

- CVE-2020-35512: Fixed a use-after-free or potential undefined behaviour caused by shared UIDs (bsc#1187105)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2320-1
Released:    Wed Jul 14 17:01:06 2021
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327
This update for sqlite3 fixes the following issues:

- Update to version 3.36.0
- CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641)
- CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
- CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
- CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
- CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309)
- CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
- CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
- CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
- CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491)
- CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960)
- CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959)
- CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958)
- CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812)
- CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
- CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
- CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
- CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
- CVE-2020-13630: use-after-free in fts3EvalNextRow (bsc#1172234)
- CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
- CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
- CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2404-1
Released:    Tue Jul 20 14:21:30 2021
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1184994,1188063,CVE-2021-33910
This update for systemd fixes the following issues:

- CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063)
- Skip udev rules if 'elevator=' is used (bsc#1184994)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2440-1
Released:    Wed Jul 21 13:48:24 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925
This update for curl fixes the following issues:

- CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
- CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
- CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
- CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2689-1
Released:    Mon Aug 16 10:54:52 2021
Summary:     Security update for cpio
Type:        security
Severity:    important
References:  1189206,CVE-2021-38185
This update for cpio fixes the following issues:

- It was possible to trigger remote code execution due to an integer overflow (CVE-2021-38185, bsc#1189206)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2763-1
Released:    Tue Aug 17 17:16:22 2021
Summary:     Recommended update for cpio
Type:        recommended
Severity:    critical
References:  1189465
This update for cpio fixes the following issues:

- A regression in the last update would cause builds to hang on various architectures (bsc#1189465)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2780-1
Released:    Thu Aug 19 16:09:15 2021
Summary:     Recommended update for cpio
Type:        recommended
Severity:    critical
References:  1189465,CVE-2021-38185
This update for cpio fixes the following issues:

- A regression in the previous update could lead to crashes (bsc#1189465)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2800-1
Released:    Fri Aug 20 10:43:04 2021
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1188571,CVE-2021-36222
This update for krb5 fixes the following issues:

- CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2810-1
Released:    Mon Aug 23 12:14:30 2021
Summary:     Security update for dbus-1
Type:        security
Severity:    moderate
References:  1172505,CVE-2020-12049
This update for dbus-1 fixes the following issues:

- CVE-2020-12049: truncated messages lead to resource exhaustion. (bsc#1172505)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2819-1
Released:    Tue Aug 24 10:38:13 2021
Summary:     Recommended update for ceph
Type:        recommended
Severity:    moderate
References:  1175086,1184517,1187584
This update for ceph fixes the following issues:

- Update to 14.2.22-404-gf74e15c2e55:
  - Fix for an issue when scrub is not rescheduling. (bsc#1187584)
- Update to 14.2.22-403-g54cdaf6e510:
  - Fixed an issue when the dashboard shows partially deleted RBDs. (bsc#1175086)
  - Look for plain entries in non-ascii plain namespace too. (bsc#1184517)
  - Fix monitoring menu item in downstream branding
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2831-1
Released:    Tue Aug 24 16:20:45 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1189521,CVE-2021-3712
This update for openssl-1_1 fixes the following security issue:

- CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2938-1
Released:    Fri Sep 3 09:19:36 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1184614
This update for openldap2 fixes the following issue:

- openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2968-1
Released:    Tue Sep 7 09:53:00 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    low
References:  1189521,CVE-2021-3712
This update for openssl-1_1 fixes the following issues:

- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3001-1
Released:    Thu Sep 9 15:08:13 2021
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1189683
This update for netcfg fixes the following issues:

- Add the submissions port/protocol to the services file for message submission over TLS [bsc#1189683]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3115-1
Released:    Thu Sep 16 14:04:26 2021
Summary:     Recommended update for mozilla-nspr, mozilla-nss
Type:        recommended
Severity:    moderate
References:  1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829
This update for mozilla-nspr fixes the following issues:

mozilla-nspr was updated to version 4.32:

* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer size for DNS queries
* Lock access to PRCallOnceType members in PR_CallOnce* for thread safety (bmo#1686138)
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get information about the operating system build version.
Mozilla NSS was updated to version 3.68:

* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.

update to NSS 3.67

* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.

update to NSS 3.66

* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.

update to NSS 3.65

* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update its csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.

update to NSS 3.64

* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector acceleration.

Fixed in 3.63

* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build issues with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build issues with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS.
* bmo#1687822 - Turn off Websites trust bit for the 'Staat der Nederlanden Root CA - G3' root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global Chambersign Root - 2008'.
* bmo#1694291 - Tracing fixes for ECH.

update to NSS 3.62

* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07

update to NSS 3.61

* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.

Update to NSS 3.60.1:

Notable changes in NSS 3.60:

* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information.
Update to NSS 3.59.1:

* bmo#1679290 - Fix potential deadlock with certain third-party PKCS11 modules

Update to NSS 3.59:

Notable changes:

* Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData

Bugfixes

* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord (boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.

update to NSS 3.58

Bugs fixed:

* bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions.
* bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value.
update to NSS 3.57

* The following CA certificates were Added:
  bmo#1663049 - CN=Trustwave Global Certification Authority
    SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
  bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
    SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
  bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
    SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
  bmo#1651211 - CN=EE Certification Centre Root CA
    SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
  bmo#1656077 - O=Government Root Certification Authority; C=TW
    SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
  bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
    Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes

update to NSS 3.56

Notable changes

* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28

update to NSS 3.55

Notable changes

* P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)

Relevant Bugfixes

* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension.
update to NSS 3.54

Notable changes

* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available (bmo#1528113)
* The following CA certificates were Added:
  bmo#1645186 - certSIGN Root CA G2.
  bmo#1645174 - e-Szigno Root CA 2017.
  bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
  bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
  bmo#1645199 - AddTrust Class 1 CA Root.
  bmo#1645199 - AddTrust External CA Root.
  bmo#1641718 - LuxTrust Global Root 2.
  bmo#1639987 - Staat der Nederlanden Root CA - G2.
  bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
  bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
  bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list.

Bugs fixed

* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo#1621151 - Disable email trust bit for 'O=Government Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3182-1
Released:    Tue Sep 21 17:04:26 2021
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1189996
This update for file fixes the following issues:

- Fixes an exception thrown by a memory allocation problem (bsc#1189996)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3297-1
Released:    Wed Oct 6 16:53:29 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1190373,1190374,CVE-2021-22946,CVE-2021-22947
This update for curl fixes the following issues:

- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed a protocol downgrade that bypassed required TLS (bsc#1190373).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3323-1
Released:    Fri Oct 8 11:39:07 2021
Summary:     Includes a kubernetes update to 1.17.17 including a backport for CVE-2021-25741
Type:        security
Severity:    low
References:  1189416,CVE-2021-25741

== Kubernetes

bsc#1189416: the kubernetes issue is a backport of the upstream security fix (CVE-2021-25741): https://github.com/kubernetes/kubernetes/pull/104253

From sle-security-updates at lists.suse.com Sat Oct 9 10:22:01 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 9 Oct 2021 12:22:01 +0200 (CEST)
Subject: SUSE-CU-2021:386-1: Security update of caasp/v4/kubernetes-client
Message-ID: <20211009102201.AD318FCC9@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/kubernetes-client
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:386-1
Container Tags        : caasp/v4/kubernetes-client:1.17.17 , caasp/v4/kubernetes-client:1.17.17-rev1 , caasp/v4/kubernetes-client:1.17.17-rev1-build1.10.1
Container Release     : 1.10.1
Severity              : critical
Type                  : security
References            : 1029961 1040589 1047218 1050625 1078466 1084671 1106014 1141597 1146705 1154935 1157818 1158812 1158958 1158959 1158960 1159491 1159715 1159847 1159850 1160309 1160438 1160439 1161268 1164719 1167471 1169006 1172091 1172115 1172234 1172236 1172240 1172308 1173641 1174016 1174436 1174942 1175448 1175449 1175458 1175514 1175519 1175623 1176201 1177238 1177275 1177427 1177490 1177583 1177976 1178219 1178386 1178554 1178561 1178577 1178624 1178675 1178775 1178775 1178823 1178825 1178909 1178910 1178966 1179083 1179222 1179363 1179503 1179694 1179721 1179816 1179824 1179847 1179909 1180020 1180038 1180073 1180077 1180083 1180138 1180225 1180596 1180603 1180603 1180603 1180663 1180721 1180851 1180885 1181011 1181328 1181443 1181505 1181622 1181831 1181874 1181976 1182016 1182117 1182279 1182328 1182331 1182333 1182362 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419 1182420 1182604 1182629 1182791 1182936 1183064 1183094 1183370 1183371 1183456 1183457 1183628 1183791 1183797 1183933 1184358 1184401 1184435 1184614 1184614 1184690 1184761 1184967 1184994 1184997 1185046 1185163 1185239 1185331 1185408 1185408 1185409 1185409 1185410 1185410 1185417 1185438 1185540 1185562 1185698 1185807 1185958 1186015 1186049 1186114 1187060 1187210 1187212 1187292 1187400 1188063 1188217 1188218 1188219 1188220 1188571 1189206 1189416 1189465 1189465 1189521 1189521 1189683 1189996 1190373 1190374 928700 928701
                        CVE-2015-3414 CVE-2015-3415 CVE-2017-9271 CVE-2019-19244 CVE-2019-19317 CVE-2019-19603 CVE-2019-19645 CVE-2019-19646 CVE-2019-19880 CVE-2019-19923 CVE-2019-19924 CVE-2019-19925 CVE-2019-19926 CVE-2019-19959 CVE-2019-20218 CVE-2019-25013 CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 CVE-2020-15358 CVE-2020-24370 CVE-2020-24371 CVE-2020-25709 CVE-2020-25710 CVE-2020-27618 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-9327 CVE-2021-20231 CVE-2021-20232 CVE-2021-20305 CVE-2021-22876 CVE-2021-22898 CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 CVE-2021-22925 CVE-2021-22946 CVE-2021-22947 CVE-2021-23840 CVE-2021-23841 CVE-2021-24031 CVE-2021-24032 CVE-2021-25741 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3326 CVE-2021-33560 CVE-2021-33910 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517 CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 CVE-2021-3541 CVE-2021-3580 CVE-2021-36222 CVE-2021-3712 CVE-2021-3712 CVE-2021-38185 CVE-2021-38185
-----------------------------------------------------------------
The container caasp/v4/kubernetes-client was updated.
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3853-1
Released:    Wed Dec 16 12:27:27 2020
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1084671,1169006,1174942,1175514,1175623,1178554,1178825
This update for util-linux fixes the following issues:

- Do not trigger the automatic close of CDROM. (bsc#1084671)
- Try to automatically configure broken serial lines. (bsc#1175514)
- Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514)
- Build with `libudev` support to support non-root users. (bsc#1169006)
- Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to `CIFS` with mount -a. (bsc#1174942)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3942-1
Released:    Tue Dec 29 12:22:01 2020
Summary:     Recommended update for libidn2
Type:        recommended
Severity:    moderate
References:  1180138
This update for libidn2 fixes the following issues:

- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later; adjusted the RPM license tags (bsc#1180138)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3943-1
Released:    Tue Dec 29 12:24:45 2020
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1178823
This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)

* key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released:    Thu Jan 14 12:26:15 2021
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1178909,1179503,CVE-2020-25709,CVE-2020-25710
This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released:    Tue Jan 26 14:00:51 2021
Summary:     Recommended update for keyutils
Type:        recommended
Severity:    moderate
References:  1180603
This update for keyutils fixes the following issues:

- Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released:    Wed Jan 27 12:15:33 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1141597,1174436,1175458,1177490,1179363,1179824,1180225
This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a potential error when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released:    Mon Feb 1 15:06:45 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1178775,1180885
This update for systemd fixes the following issues:

- Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)
- Fix for an issue where starting a container causes interference in other containers. (bsc#1178775)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released:    Wed Feb 3 12:52:34 2021
Summary:     Recommended update for gmp
Type:        recommended
Severity:    moderate
References:  1180603
This update for gmp fixes the following issues:

- Correct license statements of packages (the library itself is not GPL-3.0) (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:307-1
Released:    Fri Feb 5 05:30:34 2021
Summary:     Recommended update for libselinux
Type:        recommended
Severity:    low
References:  1180603
This update for libselinux fixes the following issues:

- Corrected the license to public domain (bsc#1180603)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released:    Mon Feb 8 13:16:07 2021
Summary:     Optional update for pam
Type:        optional
Severity:    low
References:
This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to install; it doesn't fix any bugs.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released:    Fri Feb 26 19:53:43 2021
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released:    Mon Mar 8 16:45:27 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:753-1
Released:    Tue Mar 9 17:09:57 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1182331,1182333,CVE-2021-23840,CVE-2021-23841
This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a NULL pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released:    Mon Mar 15 11:19:23 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201
This update for zlib fixes the following issues:

- Fixed hardware compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:890-1
Released:    Fri Mar 19 15:51:41 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219
This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores it in a guint; this patch refuses the call if the length is larger than a guint can hold. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads to an integer overflow, so a g_memdup2 function which uses gsize is added to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released:    Tue Mar 23 10:00:49 2021
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094
This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allow overriding the config to add cleanup options for '/var/tmp'. (bsc#1078466)
- Create config to clean up '/tmp' regularly, as required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case where a bind-mounted directory results in inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue where starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling an rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:934-1
Released:    Wed Mar 24 12:18:21 2021
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1183456,1183457,CVE-2021-20231,CVE-2021-20232
This update for gnutls fixes the following issues:

- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released:    Wed Mar 24 14:31:34 2021
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1183370,1183371,CVE-2021-24031,CVE-2021-24032
This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access a world-readable destination file (bsc#1183370).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:956-1
Released:    Thu Mar 25 19:19:04 2021
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    moderate
References:  1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629,CVE-2017-9271
This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.43:

- doc: give more details about creating versioned package locks (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)
- Prefer /run over /var/run.

Update libzypp to 17.25.8:

- Try to provide a mounted /proc in --root installs (bsc#1181328). Some systemd tools require /proc to be mounted and fail if it's not there.
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names (bsc#1179847). This allows the RH and SUSE patch category names to be used synonymously: (recommended = bugfix) and (optional = feature = enhancement).
- Add missing includes for GCC 11 compatibility.
- Fix %posttrans script execution (fixes #265). The scripts are executable; no need to call them through 'sh -c'.
- Commit: Fix rpmdb compat symlink in case rpm got removed.
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpm database to use.
- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1004-1
Released:    Thu Apr 1 15:07:09 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    moderate
References:  1180073
This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1141-1
Released:    Mon Apr 12 13:13:36 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1182791
This update for openldap2 fixes the following issues:

- Improved the proxy connection timeout options to prune connections properly (bsc#1182791)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1169-1
Released:    Tue Apr 13 15:01:42 2021
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1181976
This update for procps fixes the following issues:

- Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1296-1
Released:    Wed Apr 21 14:09:28 2021
Summary:     Optional update for e2fsprogs
Type:        optional
Severity:    low
References:  1183791
This update for e2fsprogs fixes the following issues:

- Fixed an issue when building e2fsprogs (bsc#1183791)

This patch does not fix any user visible issues and is therefore optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1297-1
Released:    Wed Apr 21 14:10:10 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1178219
This update for systemd fixes the following issues:

- Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1407-1
Released:    Wed Apr 28 15:49:02 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    important
References:  1184690
This update for libcap fixes the following issues:

- Add explicit versioned dependency on 'libcap2' to 'libcap-progs' and 'pam_cap'. (bsc#1184690)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1412-1
Released:    Wed Apr 28 17:09:28 2021
Summary:     Security update for libnettle
Type:        security
Severity:    important
References:  1184401,CVE-2021-20305
This update for libnettle fixes the following issues:

- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1523-1
Released:    Wed May 5 18:24:20 2021
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
This update for libxml2 fixes the following issues:

- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1527-1
Released:    Thu May 6 08:58:53 2021
Summary:     Recommended update for bash
Type:        recommended
Severity:    important
References:  1183064
This update for bash fixes the following issues:

- Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1543-1
Released:    Fri May 7 15:16:32 2021
Summary:     Recommended update for patterns-microos
Type:        recommended
Severity:    moderate
References:  1184435
This update for patterns-microos provides the following fix:

- Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1549-1
Released:    Mon May 10 13:48:00 2021
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1185417
This update for procps fixes the following issues:

- Support up to 2048 CPUs as well. (bsc#1185417)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1565-1
Released:    Tue May 11 14:20:04 2021
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1185163
This update for krb5 fixes the following issues:

- Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1592-1
Released:    Wed May 12 13:47:41 2021
Summary:     Optional update for sed
Type:        optional
Severity:    low
References:  1183797
This update for sed fixes the following issues:

- Fixed a build issue with glibc-2.31 (bsc#1183797).

This patch is optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1602-1
Released:    Thu May 13 16:35:19 2021
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1180851,1181874,1182936,1183628,1184997,1185239
This update for libsolv and libzypp fixes the following issues:

libsolv: Upgrade from version 0.7.17 to version 0.7.19

- Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned.
- Fix memory leaks in error cases
- Fix error handling in `solv_xfopen_fd()`
- Fix regex code on win32
- Fixed memory leak in choice rule generation
- `repo_add_conda`: add a flag to skip version 2 packages.

libzypp: Upgrade from version 17.25.8 to version 17.25.10

- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single non-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1612-1
Released:    Fri May 14 17:09:39 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1184614
This update for openldap2 fixes the following issue:

- Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1643-1
Released:    Wed May 19 13:51:48 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    important
References:  1181443,1184358,1185562
This update for pam fixes the following issues:

- Fixed a bug where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1647-1
Released:    Wed May 19 13:59:12 2021
Summary:     Security update for lz4
Type:        security
Severity:    important
References:  1185438,CVE-2021-3520
This update for lz4 fixes the following issues:

- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by a memmove argument (bsc#1185438).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1654-1
Released:    Wed May 19 16:43:36 2021
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
This update for libxml2 fixes the following issues:

- CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1809-1
Released:    Mon May 31 16:24:59 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1177976,1183933,1186114,CVE-2021-22876,CVE-2021-22898
This update for curl fixes the following issues:

- CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Fix for SFTP uploads resulting in empty uploaded files (bsc#1177976).
- Allow partial chain verification (jsc#SLE-17956).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1861-1
Released:    Fri Jun 4 09:59:40 2021
Summary:     Recommended update for gcc10
Type:        recommended
Severity:    moderate
References:  1029961,1106014,1178577,1178624,1178675,1182016
This update for gcc10 fixes the following issues:

- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- Prepare usrmerge: Install libgcc_s into %_libdir. ABI-wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1917-1
Released:    Wed Jun 9 14:48:05 2021
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1186015,CVE-2021-3541
This update for libxml2 fixes the following issues:

- CVE-2021-3541: Fixed an exponential entity expansion attack that bypasses all existing protection mechanisms. (bsc#1186015)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1953-1
Released:    Thu Jun 10 16:18:50 2021
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1161268,1172308
This update for gpg2 fixes the following issues:

- Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2143-1
Released:    Wed Jun 23 16:27:04 2021
Summary:     Security update for libnettle
Type:        security
Severity:    important
References:  1187060,CVE-2021-3580
This update for libnettle fixes the following issues:

- CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2157-1
Released:    Thu Jun 24 15:40:14 2021
Summary:     Security update for libgcrypt
Type:        security
Severity:    important
References:  1187212,CVE-2021-33560
This update for libgcrypt fixes the following issues:

- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2173-1 Released: Mon Jun 28 14:59:45 2021 Summary: Recommended update for automake Type: recommended Severity: moderate References: 1040589,1047218,1182604,1185540,1186049 This update for automake fixes the following issues: - Implement generated autoconf makefiles reproducible (bsc#1182604) - Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848) - Avoid bashisms in test-driver script. (bsc#1185540) This update for pcre fixes the following issues: - Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589) This update for brp-check-suse fixes the following issues: - Add fixes to support reproducible builds. (bsc#1186049) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2196-1 Released: Tue Jun 29 09:41:39 2021 Summary: Security update for lua53 Type: security Severity: moderate References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371 This update for lua53 fixes the following issues: Update to version 5.3.6: - CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449) - CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448) - Long brackets with a huge number of '=' overflow some internal buffer arithmetic. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2205-1 Released: Wed Jun 30 09:17:41 2021 Summary: Recommended update for openldap2 Type: recommended Severity: important References: 1187210 This update for openldap2 fixes the following issues: - Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. 
(bsc#1187210) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:2246-1 Released: Mon Jul 5 15:17:49 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1154935,1167471,1178561,1184761,1184967,1185046,1185331,1185807,1185958,1187292,1187400 This update for systemd fixes the following issues: cgroup: Parse infinity properly for memory protections. (bsc#1167471) cgroup: Make empty assignments reset to default. (bsc#1167471) cgroup: Support 0-value for memory protection directives. (bsc#1167471) core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935) bus-unit-util: Add proper 'MemorySwapMax' serialization. core: Accept MemorySwapMax= properties that are scaled. execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967) core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331) Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046) rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561) write_net_rules: Set execute bits. (bsc#1178561) udev: Rework network device renaming. Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available'' mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761) core: fix output (logging) for mount units (#7603) (bsc#1187400) udev requires systemd in its %post (bsc#1185958) cgroup: Parse infinity properly for memory protections (bsc#1167471) cgroup: Make empty assignments reset to default (bsc#1167471) cgroup: Support 0-value for memory protection directives (bsc#1167471) Create /run/lock/subsys again (bsc#1187292) The creation of this directory was mistakenly dropped when 'filesystem' package took the initialization of the generic paths over. 
Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2320-1 Released: Wed Jul 14 17:01:06 2021 Summary: Security update for sqlite3 Type: security Severity: important References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327 This update for sqlite3 fixes the following issues: - Update to version 3.36.0 - CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641) - CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719) - CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439) - CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438) - CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309) - CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850) - CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847) - CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715) - CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491) - CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, 
does not consider confusion with a shadow table name (bsc#1158960) - CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959) - CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958) - CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812) - CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818) - CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701) - CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700) - CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115) - CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow - CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236) - CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240) - CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2404-1 Released: Tue Jul 20 14:21:30 2021 Summary: Security update for systemd Type: security Severity: moderate References: 1184994,1188063,CVE-2021-33910 This update for systemd fixes the following issues: - CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063) - Skip udev rules if 'elevator=' is used (bsc#1184994) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2440-1 Released: Wed Jul 21 13:48:24 2021 Summary: Security update for curl Type: security 
Severity:    moderate
References:  1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925
This update for curl fixes the following issues:
- CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
- CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
- CVE-2021-22923: Insufficiently protected credentials. (bsc#1188218)
- CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2689-1
Released:    Mon Aug 16 10:54:52 2021
Summary:     Security update for cpio
Type:        security
Severity:    important
References:  1189206,CVE-2021-38185
This update for cpio fixes the following issues:
- It was possible to trigger remote code execution due to an integer overflow (CVE-2021-38185, bsc#1189206)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2763-1
Released:    Tue Aug 17 17:16:22 2021
Summary:     Recommended update for cpio
Type:        recommended
Severity:    critical
References:  1189465
This update for cpio fixes the following issues:
- A regression in the last update would cause builds to hang on various architectures (bsc#1189465)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2780-1
Released:    Thu Aug 19 16:09:15 2021
Summary:     Recommended update for cpio
Type:        recommended
Severity:    critical
References:  1189465,CVE-2021-38185
This update for cpio fixes the following issues:
- A regression in the previous update could lead to crashes (bsc#1189465)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2800-1
Released:    Fri Aug 20 10:43:04 2021
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1188571,CVE-2021-36222
This update for krb5 fixes the following issues:
- CVE-2021-36222: Fixed a KDC NULL dereference on a bad encrypted challenge. (bsc#1188571)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2831-1
Released:    Tue Aug 24 16:20:45 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1189521,CVE-2021-3712
This update for openssl-1_1 fixes the following security issue:
- CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2938-1
Released:    Fri Sep 3 09:19:36 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1184614
This update for openldap2 fixes the following issue:
- openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2968-1
Released:    Tue Sep 7 09:53:00 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    low
References:  1189521,CVE-2021-3712
This update for openssl-1_1 fixes the following issues:
- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns while processing ASN.1 strings (bsc#1189521).
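The ASN.1 read overrun fixed above (CVE-2021-3712) is worth seeing in miniature. The C below is an added example, not OpenSSL code and not part of the SUSE advisory: an ASN.1 string carries an explicit length and is not guaranteed to end in a NUL byte, so any code path that treats its data pointer as a C string (strlen, printf "%s") reads past the end of the string. The struct mimics only the shape of such a string; the struct and helper names, and the constructed backing buffer, are this example's own.

```c
/* Added example, not OpenSSL code: the read-overrun pattern behind
 * CVE-2021-3712.  An ASN.1 string has an explicit length and no promised
 * NUL terminator; strlen/"%s" on its data reads beyond it. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Shape of a length-prefixed ASN.1 string (names are this example's own). */
typedef struct {
    int length;             /* bytes of data; no NUL guaranteed */
    unsigned char *data;
} asn1_like_string;

/* Constructed backing store: a 3-byte string "CN=" directly followed by
 * other live bytes, with the first NUL only at the very end of the array.
 * Reading past the 3 bytes is therefore deterministic here, whereas in a
 * real heap buffer it would be an out-of-bounds read. */
static unsigned char backing[] = { 'C', 'N', '=', 'n', 'e', 'x', 't', 0 };

/* Vulnerable: trusts a NUL terminator that the encoding never promised. */
size_t unsafe_length(const asn1_like_string *s)
{
    return strlen((const char *)s->data);
}

/* Hardened: use the carried length and nothing else. */
size_t safe_length(const asn1_like_string *s)
{
    return s->length < 0 ? 0 : (size_t)s->length;
}

/* Hardened formatting: bounded copy, explicit NUL, truncate rather than
 * overrun either the source or the destination.  Returns bytes written,
 * or -1 when the destination cannot even hold the terminator. */
int safe_format(const asn1_like_string *s, char *out, size_t outlen)
{
    size_t n = safe_length(s);
    if (outlen == 0)
        return -1;
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, s->data, n);
    out[n] = '\0';
    return (int)n;
}

/* How many bytes the vulnerable path reads beyond the sample string. */
size_t overread_bytes(void)
{
    asn1_like_string s = { 3, backing };   /* "CN=", no NUL after it */
    return unsafe_length(&s) - safe_length(&s);
}

/* Formats the sample into a 16-byte buffer capped at OUTLEN; returns the
 * byte count safe_format reports, so truncation can be checked. */
int sample_format_len(size_t outlen)
{
    asn1_like_string s = { 3, backing };
    char buf[16];
    if (outlen > sizeof buf)
        outlen = sizeof buf;
    return safe_format(&s, buf, outlen);
}

int main(void)
{
    asn1_like_string s = { 3, backing };
    char buf[16];
    safe_format(&s, buf, sizeof buf);
    printf("safe: \"%s\" (%zu bytes); strlen on the same data: %zu bytes, "
           "i.e. %zu bytes overread\n",
           buf, safe_length(&s), unsafe_length(&s), overread_bytes());
    return 0;
}
```

The same bounded pattern applies wherever a parsed length travels with the bytes it describes: print with "%.*s" and the carried length, or copy into a buffer you terminate yourself, and never hand the raw pointer to a function that stops at NUL.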
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3001-1
Released:    Thu Sep 9 15:08:13 2021
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1189683
This update for netcfg fixes the following issues:
- Add the submissions port/protocol to the services file, for message submission over TLS [bsc#1189683]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3182-1
Released:    Tue Sep 21 17:04:26 2021
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1189996
This update for file fixes the following issues:
- Fixes an exception thrown by a memory allocation problem (bsc#1189996)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3297-1
Released:    Wed Oct 6 16:53:29 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1190373,1190374,CVE-2021-22946,CVE-2021-22947
This update for curl fixes the following issues:
- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed protocol downgrade: required TLS bypassed (bsc#1190373).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3323-1
Released:    Fri Oct 8 11:39:07 2021
Summary:     Includes a kubernetes update to 1.17.17 including a backport for CVE-2021-25741
Type:        security
Severity:    low
References:  1189416,CVE-2021-25741
== Kubernetes
bsc#1189416: this kubernetes issue is a backport of the upstream security fix (CVE-2021-25741): https://github.com/kubernetes/kubernetes/pull/104253

From sle-security-updates at lists.suse.com Sat Oct 9 10:22:27 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 9 Oct 2021 12:22:27 +0200 (CEST)
Subject: SUSE-CU-2021:387-1: Security update of caasp/v4/kucero
Message-ID: <20211009102227.1B2BBFCC9@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/kucero
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:387-1
Container Tags        : caasp/v4/kucero:1.3.0 , caasp/v4/kucero:1.3.0-rev1 , caasp/v4/kucero:1.3.0-rev1-build1.8.1
Container Release     : 1.8.1
Severity              : critical
Type                  : security
References            : 1029961 1040589 1047218 1050625 1078466 1084671 1106014 1141597 1146705 1154935 1157818 1158812 1158958 1158959 1158960 1159491 1159715 1159847 1159850 1160309 1160438 1160439 1161268 1164719 1167471 1169006 1172091 1172115 1172234 1172236 1172240 1172308 1173641 1174016 1174436 1174942 1175448 1175449 1175458 1175514 1175519 1175623 1176201 1177238 1177275 1177427 1177490 1177583 1177976 1178219 1178386 1178554 1178561 1178577 1178624 1178675 1178775 1178775 1178823 1178825 1178909 1178910 1178966 1179083 1179222 1179363 1179503 1179694 1179721 1179816 1179824 1179847 1179909 1180020 1180038 1180073 1180077 1180083 1180138 1180225 1180596 1180603 1180603 1180603 1180663 1180721 1180851 1180885 1181011 1181328 1181443 1181505 1181622 1181831 1181874 1181976 1182016 1182117 1182279 1182328 1182331 1182333 1182362 1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419
1182420 1182604 1182629 1182791 1182936 1183064 1183094 1183370 1183371 1183456 1183457 1183628 1183791 1183797 1183933 1184358 1184401 1184435 1184614 1184614 1184690 1184761 1184967 1184994 1184997 1185046 1185163 1185239 1185331 1185408 1185408 1185409 1185409 1185410 1185410 1185417 1185438 1185540 1185562 1185698 1185807 1185958 1186015 1186049 1186114 1187060 1187210 1187212 1187292 1187400 1188063 1188217 1188218 1188219 1188220 1188571 1189206 1189416 1189465 1189465 1189521 1189521 1189683 1189996 1190373 1190374 928700 928701 CVE-2015-3414 CVE-2015-3415 CVE-2017-9271 CVE-2019-19244 CVE-2019-19317 CVE-2019-19603 CVE-2019-19645 CVE-2019-19646 CVE-2019-19880 CVE-2019-19923 CVE-2019-19924 CVE-2019-19925 CVE-2019-19926 CVE-2019-19959 CVE-2019-20218 CVE-2019-25013 CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 CVE-2020-15358 CVE-2020-24370 CVE-2020-24371 CVE-2020-25709 CVE-2020-25710 CVE-2020-27618 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-9327 CVE-2021-20231 CVE-2021-20232 CVE-2021-20305 CVE-2021-22876 CVE-2021-22898 CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 CVE-2021-22925 CVE-2021-22946 CVE-2021-22947 CVE-2021-23840 CVE-2021-23841 CVE-2021-24031 CVE-2021-24032 CVE-2021-25741 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3326 CVE-2021-33560 CVE-2021-33910 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517 CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 CVE-2021-3541 CVE-2021-3580 CVE-2021-36222 CVE-2021-3712 CVE-2021-3712 CVE-2021-38185 CVE-2021-38185 ----------------------------------------------------------------- The container caasp/v4/kucero was updated. 
The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3853-1
Released:    Wed Dec 16 12:27:27 2020
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1084671,1169006,1174942,1175514,1175623,1178554,1178825
This update for util-linux fixes the following issues:
- Do not trigger the automatic close of CDROM. (bsc#1084671)
- Try to automatically configure broken serial lines. (bsc#1175514)
- Avoid `sulogin` failing on non-existing or non-functional console devices. (bsc#1175514)
- Build with `libudev` support to support non-root users. (bsc#1169006)
- Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to `CIFS` with `mount -a`. (bsc#1174942)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3942-1
Released:    Tue Dec 29 12:22:01 2020
Summary:     Recommended update for libidn2
Type:        recommended
Severity:    moderate
References:  1180138
This update for libidn2 fixes the following issues:
- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later; adjusted the RPM license tags (bsc#1180138)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3943-1
Released:    Tue Dec 29 12:24:45 2020
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1178823
This update for libxml2 fixes the following issues:
- Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)
  * key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
  * This fix uses a hash table to avoid the quadratic behaviour.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released:    Thu Jan 14 12:26:15 2021
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1178909,1179503,CVE-2020-25709,CVE-2020-25710
This update for openldap2 fixes the following issues:
Security issues fixed:
- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
Non-security issue fixed:
- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released:    Tue Jan 26 14:00:51 2021
Summary:     Recommended update for keyutils
Type:        recommended
Severity:    moderate
References:  1180603
This update for keyutils fixes the following issues:
- Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released:    Wed Jan 27 12:15:33 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1141597,1174436,1175458,1177490,1179363,1179824,1180225
This update for systemd fixes the following issues:
- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of the cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a potential error when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat a missing /etc/localtime as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released:    Mon Feb 1 15:06:45 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1178775,1180885
This update for systemd fixes the following issues:
- Fix for udev creating the '/dev/disk/by-label' symlink for 'LUKS2', to avoid mount issues. (bsc#1180885, #8998)
- Fix for an issue where a container start causes interference in other containers. (bsc#1178775)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released:    Wed Feb 3 12:52:34 2021
Summary:     Recommended update for gmp
Type:        recommended
Severity:    moderate
References:  1180603
This update for gmp fixes the following issues:
- Correct the license statements of the packages (the library itself is not GPL-3.0) (bsc#1180603)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:307-1
Released:    Fri Feb 5 05:30:34 2021
Summary:     Recommended update for libselinux
Type:        recommended
Severity:    low
References:  1180603
This update for libselinux fixes the following issues:
- Corrected the license to public domain (bsc#1180603)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released:    Mon Feb 8 13:16:07 2021
Summary:     Optional update for pam
Type:        optional
Severity:    low
References:
This update for pam fixes the following issues:
- Added rpm macros for this package, so that other packages can make use of it
This patch is optional to install; it doesn't fix any bugs.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released:    Fri Feb 26 19:53:43 2021
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:
- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released:    Mon Mar 8 16:45:27 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
This update for openldap2 fixes the following issues:
- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:753-1
Released:    Tue Mar 9 17:09:57 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1182331,1182333,CVE-2021-23840,CVE-2021-23841
This update for openssl-1_1 fixes the following issues:
- CVE-2021-23840: Fixed an integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a NULL pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released:    Mon Mar 15 11:19:23 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201
This update for zlib fixes the following issues:
- Fixed hw compression on z15 (bsc#1176201)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:890-1
Released:    Fri Mar 19 15:51:41 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219
This update for glib2 fixes the following issues:
- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores it in a guint; with this patch it refuses lengths larger than a guint can hold. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as its length parameter, which leads to an integer overflow (truncation) for callers holding a gsize; a g_memdup2 function that uses gsize is added to replace it. (bsc#1182362)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released:    Tue Mar 23 10:00:49 2021
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094
This update for filesystem fixes the following issues:
- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allow overriding the config to add cleanup options for '/var/tmp'. (bsc#1078466)
- Create config to clean up '/tmp' regularly, as required with 'tmpfs'. (bsc#1175519)
This update for systemd fixes the following issues:
- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case where a bind mount to a directory resulted in inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue where starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling an rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:934-1
Released:    Wed Mar 24 12:18:21 2021
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1183456,1183457,CVE-2021-20231,CVE-2021-20232
This update for gnutls fixes the following issues:
- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released:    Wed Mar 24 14:31:34 2021
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1183370,1183371,CVE-2021-24031,CVE-2021-24032
This update for zstd fixes the following issues:
- CVE-2021-24031: Fixed zstd adding read permissions to files while they are being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access the world-readable destination file (bsc#1183370).
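The glib2 entry above (SUSE-SU-2021:890-1, CVE-2021-27218 and CVE-2021-27219) describes a guint-versus-gsize mismatch. The C below is an added example, not GLib code and not part of the advisory: it shows the silent truncation at the call boundary of a guint-length copy function, the full-width replacement that corresponds to g_memdup2, and the refuse-if-too-large check used where the narrow field has to stay. The function names are this example's own, and the 4 GiB length is constructed and only computed, never allocated.

```c
/* Added example, not GLib code: the length-truncation bug class behind
 * CVE-2021-27219 (guint-sized length parameter) and the refusal check of
 * the CVE-2021-27218 fix.  All names here are this example's own. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned int guint_t;      /* stands in for GLib's 32-bit guint */

/* Weak shape (g_memdup's signature): the length parameter is narrower
 * than the size_t/gsize the callers hold.  Nothing fails in here; the
 * damage is done silently at the call site by the implicit conversion. */
void *memdup_guint(const void *mem, guint_t n)
{
    void *p = malloc(n ? n : 1);
    if (p && n)
        memcpy(p, mem, n);
    return p;
}

/* The value the weak API actually receives when handed a size_t. */
guint_t truncated_len(size_t n)
{
    return (guint_t)n;             /* the implicit conversion, made visible */
}

/* Hardened shape (what g_memdup2 provides): full-width length throughout. */
void *memdup2(const void *mem, size_t n)
{
    void *p = malloc(n ? n : 1);
    if (p && n)
        memcpy(p, mem, n);
    return p;
}

/* Hardened check for an API that must keep a guint field (the
 * g_byte_array_new_take style fix): refuse rather than truncate. */
int fits_guint(size_t n)
{
    return n <= (size_t)UINT_MAX;
}

/* Bytes by which a guint-based copy of LEN falls short.  The caller still
 * believes the new buffer holds LEN bytes, so its next write overflows. */
size_t shortfall(size_t len)
{
    return len - truncated_len(len);
}

/* Constructed sample: a length of 4 GiB + 16 bytes, which the weak API
 * turns into a 16-byte allocation.  Computed only, never allocated. */
size_t sample_shortfall(void)
{
#if SIZE_MAX > UINT_MAX
    return shortfall((size_t)UINT_MAX + 17);
#else
    return 0;                      /* 32-bit size_t: no truncation possible */
#endif
}

/* The refusal check applied to the same constructed length. */
int sample_refused(void)
{
#if SIZE_MAX > UINT_MAX
    return !fits_guint((size_t)UINT_MAX + 17);
#else
    return 1;
#endif
}

/* Constructed small input: memdup2 copies exactly what it is given. */
int memdup2_roundtrip(void)
{
    static const unsigned char sample[] = "token=deadbeef";
    size_t n = sizeof sample;
    unsigned char *copy = memdup2(sample, n);
    int ok = copy != NULL && memcmp(copy, sample, n) == 0;
    free(copy);
    return ok;
}

int main(void)
{
    printf("guint copy of 4 GiB + 16 bytes is short by %llu bytes; "
           "refused by fits_guint: %d; memdup2 round-trip ok: %d\n",
           (unsigned long long)sample_shortfall(), sample_refused(),
           memdup2_roundtrip());
    return 0;
}
```

When auditing a code base for this class, look for every call that passes a size_t, gsize or off_t into a parameter declared as guint, unsigned int or int: the compiler will not complain, and the resulting allocation is smaller than the length every subsequent memcpy or loop still uses.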
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:956-1
Released:    Thu Mar 25 19:19:04 2021
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    moderate
References:  1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629,CVE-2017-9271
This update for libzypp, zypper fixes the following issues:
Update zypper to version 1.14.43:
- doc: give more details about creating versioned package locks (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)
- Prefer /run over /var/run.
Update libzypp to 17.25.8:
- Try to provide a mounted /proc in --root installs (bsc#1181328). Some systemd tools require /proc to be mounted and fail if it's not there.
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names (bsc#1179847). This allows to use the RH and SUSE patch category names synonymously: (recommended = bugfix) and (optional = feature = enhancement).
- Add missing includes for GCC 11 compatibility.
- Fix %posttrans script execution (fixes #265). The scripts are executable; no need to call them through 'sh -c'.
- Commit: Fix rpmdb compat symlink in case rpm got removed.
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use the new rpmdb2solv -D switch to tell the location of the rpm database to use.
- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1004-1
Released:    Thu Apr 1 15:07:09 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    moderate
References:  1180073
This update for libcap fixes the following issues:
- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1141-1
Released:    Mon Apr 12 13:13:36 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1182791
This update for openldap2 fixes the following issues:
- Improved the proxy connection timeout options to prune connections properly (bsc#1182791)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1169-1
Released:    Tue Apr 13 15:01:42 2021
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1181976
This update for procps fixes the following issues:
- Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1296-1
Released:    Wed Apr 21 14:09:28 2021
Summary:     Optional update for e2fsprogs
Type:        optional
Severity:    low
References:  1183791
This update for e2fsprogs fixes the following issues:
- Fixed an issue when building e2fsprogs (bsc#1183791)
This patch does not fix any user visible issues and is therefore optional to install.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1297-1
Released:    Wed Apr 21 14:10:10 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1178219
This update for systemd fixes the following issues:
- Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1407-1
Released:    Wed Apr 28 15:49:02 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    important
References:  1184690
This update for libcap fixes the following issues:
- Add an explicit versioned dependency on 'libcap2' to 'libcap-progs' and 'pam_cap'. (bsc#1184690)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1412-1
Released:    Wed Apr 28 17:09:28 2021
Summary:     Security update for libnettle
Type:        security
Severity:    important
References:  1184401,CVE-2021-20305
This update for libnettle fixes the following issues:
- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1523-1
Released:    Wed May 5 18:24:20 2021
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
This update for libxml2 fixes the following issues:
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1527-1
Released:    Thu May 6 08:58:53 2021
Summary:     Recommended update for bash
Type:        recommended
Severity:    important
References:  1183064
This update for bash fixes the following issues:
- Fixed a segmentation fault that used to occur when bash read a history file that was malformed in a very specific way. (bsc#1183064)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1543-1
Released:    Fri May 7 15:16:32 2021
Summary:     Recommended update for patterns-microos
Type:        recommended
Severity:    moderate
References:  1184435
This update for patterns-microos provides the following fix:
- Require the libvirt-daemon-qemu package and include the needed dependencies in the product. (bsc#1184435)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1549-1
Released:    Mon May 10 13:48:00 2021
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1185417
This update for procps fixes the following issues:
- Support up to 2048 CPUs as well. (bsc#1185417)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1565-1
Released:    Tue May 11 14:20:04 2021
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1185163
This update for krb5 fixes the following issues:
- Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1592-1
Released:    Wed May 12 13:47:41 2021
Summary:     Optional update for sed
Type:        optional
Severity:    low
References:  1183797
This update for sed fixes the following issues:
- Fixed a building issue with glibc-2.31 (bsc#1183797).
This patch is optional to install.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1602-1
Released:    Thu May 13 16:35:19 2021
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1180851,1181874,1182936,1183628,1184997,1185239
This update for libsolv and libzypp fixes the following issues:
libsolv: Upgrade from version 0.7.17 to version 0.7.19
- Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned.
- Fix memory leaks in error cases
- Fix error handling in `solv_xfopen_fd()`
- Fix regex code on win32
- Fixed memory leak in choice rule generation
- `repo_add_conda`: add a flag to skip version 2 packages.
libzypp: Upgrade from version 17.25.8 to version 17.25.10
- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single non-volatile medium. (bsc#1180851)
- Do not clean up in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1612-1
Released:    Fri May 14 17:09:39 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1184614
This update for openldap2 fixes the following issue:
- Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1643-1
Released:    Wed May 19 13:51:48 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    important
References:  1181443,1184358,1185562
This update for pam fixes the following issues:
- Fixed a bug where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be installed as well, as it contains pam_systemd.so for 32-bit applications. (bsc#1185562)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1647-1
Released:    Wed May 19 13:59:12 2021
Summary:     Security update for lz4
Type:        security
Severity:    important
References:  1185438,CVE-2021-3520
This update for lz4 fixes the following issues:
- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug in a memmove argument (bsc#1185438).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1654-1
Released:    Wed May 19 16:43:36 2021
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
This update for libxml2 fixes the following issues:
- CVE-2021-3537: Fixed a NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1809-1
Released:    Mon May 31 16:24:59 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1177976,1183933,1186114,CVE-2021-22876,CVE-2021-22898
This update for curl fixes the following issues:
- CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Fix for SFTP uploads resulting in empty uploaded files (bsc#1177976).
- Allow partial chain verification (jsc#SLE-17956).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1861-1
Released:    Fri Jun 4 09:59:40 2021
Summary:     Recommended update for gcc10
Type:        recommended
Severity:    moderate
References:  1029961,1106014,1178577,1178624,1178675,1182016
This update for gcc10 fixes the following issues:
- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- Prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1917-1
Released:    Wed Jun 9 14:48:05 2021
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1186015,CVE-2021-3541
This update for libxml2 fixes the following issues:
- CVE-2021-3541: Fixed an exponential entity expansion attack that bypassed all existing protection mechanisms. (bsc#1186015)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1953-1
Released:    Thu Jun 10 16:18:50 2021
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1161268,1172308
This update for gpg2 fixes the following issues:
- Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2143-1
Released:    Wed Jun 23 16:27:04 2021
Summary:     Security update for libnettle
Type:        security
Severity:    important
References:  1187060,CVE-2021-3580
This update for libnettle fixes the following issues:
- CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2157-1
Released:    Thu Jun 24 15:40:14 2021
Summary:     Security update for libgcrypt
Type:        security
Severity:    important
References:  1187212,CVE-2021-33560
This update for libgcrypt fixes the following issues:
- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2173-1
Released:    Mon Jun 28 14:59:45 2021
Summary:     Recommended update for automake
Type:        recommended
Severity:    moderate
References:  1040589,1047218,1182604,1185540,1186049
This update for automake fixes the following issues:

- Make generated autoconf makefiles reproducible (bsc#1182604)
- Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
- Avoid bashisms in test-driver script. (bsc#1185540)

This update for pcre fixes the following issues:

- Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

This update for brp-check-suse fixes the following issues:

- Add fixes to support reproducible builds. (bsc#1186049)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2196-1
Released:    Tue Jun 29 09:41:39 2021
Summary:     Security update for lua53
Type:        security
Severity:    moderate
References:  1175448,1175449,CVE-2020-24370,CVE-2020-24371
This update for lua53 fixes the following issues:

Update to version 5.3.6:

- CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
- CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
- Long brackets with a huge number of '=' overflow some internal buffer arithmetic.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2205-1
Released:    Wed Jun 30 09:17:41 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    important
References:  1187210
This update for openldap2 fixes the following issues:

- Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2246-1
Released:    Mon Jul 5 15:17:49 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1154935,1167471,1178561,1184761,1184967,1185046,1185331,1185807,1185958,1187292,1187400
This update for systemd fixes the following issues:

cgroup: Parse infinity properly for memory protections. (bsc#1167471)
cgroup: Make empty assignments reset to default. (bsc#1167471)
cgroup: Support 0-value for memory protection directives. (bsc#1167471)
core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935)
bus-unit-util: Add proper 'MemorySwapMax' serialization.
core: Accept MemorySwapMax= properties that are scaled.
execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967)
core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331)
Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046)
rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561)
write_net_rules: Set execute bits. (bsc#1178561)
udev: Rework network device renaming.
Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available''
mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
core: fix output (logging) for mount units (#7603) (bsc#1187400)
udev requires systemd in its %post (bsc#1185958)
cgroup: Parse infinity properly for memory protections (bsc#1167471)
cgroup: Make empty assignments reset to default (bsc#1167471)
cgroup: Support 0-value for memory protection directives (bsc#1167471)
Create /run/lock/subsys again (bsc#1187292)
The creation of this directory was mistakenly dropped when the 'filesystem' package took over the initialization of the generic paths.
Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2320-1
Released:    Wed Jul 14 17:01:06 2021
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327
This update for sqlite3 fixes the following issues:

- Update to version 3.36.0
- CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641)
- CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
- CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
- CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
- CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309)
- CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
- CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
- CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
- CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491)
- CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960)
- CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959)
- CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958)
- CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812)
- CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
- CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
- CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
- CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
- CVE-2020-13630: use-after-free in fts3EvalNextRow (bsc#1172234)
- CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
- CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
- CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2404-1
Released:    Tue Jul 20 14:21:30 2021
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1184994,1188063,CVE-2021-33910
This update for systemd fixes the following issues:

- CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063)
- Skip udev rules if 'elevator=' is used (bsc#1184994)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2440-1
Released:    Wed Jul 21 13:48:24 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925
This update for curl fixes the following issues:

- CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
- CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
- CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
- CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2689-1
Released:    Mon Aug 16 10:54:52 2021
Summary:     Security update for cpio
Type:        security
Severity:    important
References:  1189206,CVE-2021-38185
This update for cpio fixes the following issues:

- It was possible to trigger remote code execution due to an integer overflow (CVE-2021-38185, bsc#1189206)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2763-1
Released:    Tue Aug 17 17:16:22 2021
Summary:     Recommended update for cpio
Type:        recommended
Severity:    critical
References:  1189465
This update for cpio fixes the following issues:

- A regression in the last update would cause builds to hang on various architectures (bsc#1189465)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2780-1
Released:    Thu Aug 19 16:09:15 2021
Summary:     Recommended update for cpio
Type:        recommended
Severity:    critical
References:  1189465,CVE-2021-38185
This update for cpio fixes the following issues:

- A regression in the previous update could lead to crashes (bsc#1189465)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2800-1
Released:    Fri Aug 20 10:43:04 2021
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1188571,CVE-2021-36222
This update for krb5 fixes the following issues:

- CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2831-1
Released:    Tue Aug 24 16:20:45 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1189521,CVE-2021-3712
This update for openssl-1_1 fixes the following security issue:

- CVE-2021-3712: a bug in the code for printing certificate details could lead to a buffer overrun that a malicious actor could exploit to crash the application, causing a denial-of-service attack. [bsc#1189521]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2938-1
Released:    Fri Sep 3 09:19:36 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1184614
This update for openldap2 fixes the following issue:

- openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2968-1
Released:    Tue Sep 7 09:53:00 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    low
References:  1189521,CVE-2021-3712
This update for openssl-1_1 fixes the following issues:

- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. Read buffer overruns processing ASN.1 strings (bsc#1189521).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3001-1
Released:    Thu Sep 9 15:08:13 2021
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1189683
This update for netcfg fixes the following issues:

- add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3182-1
Released:    Tue Sep 21 17:04:26 2021
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1189996
This update for file fixes the following issues:

- Fixes an exception thrown by a memory allocation problem (bsc#1189996)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3297-1
Released:    Wed Oct 6 16:53:29 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1190373,1190374,CVE-2021-22946,CVE-2021-22947
This update for curl fixes the following issues:

- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed a protocol downgrade that bypassed required TLS (bsc#1190373).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3323-1
Released:    Fri Oct 8 11:39:07 2021
Summary:     Includes a kubernetes update to 1.17.17 including a backport for CVE-2021-25741
Type:        security
Severity:    low
References:  1189416,CVE-2021-25741

== Kubernetes

bsc#1189416 kubernetes issue is a backport of the upstream security fix (CVE-2021-25741):
https://github.com/kubernetes/kubernetes/pull/104253

From sle-security-updates at lists.suse.com Sat Oct 9 10:25:05 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 9 Oct 2021 12:25:05 +0200 (CEST)
Subject: SUSE-CU-2021:388-1: Security update of caasp/v4/kured
Message-ID: <20211009102505.36996FCC9@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v4/kured
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:388-1
Container Tags        : caasp/v4/kured:1.3.0 , caasp/v4/kured:1.3.0-rev4 , caasp/v4/kured:1.3.0-rev4-build3.14.1
Container Release     : 3.14.1
Severity              : critical
Type                  : security
References            : 1029961 1040589 1047218 1050625 1078466 1084671 1106014 1141597 1146705 1154935
                        1157818 1158812 1158958 1158959 1158960 1159491 1159715 1159847 1159850 1160309
                        1160438 1160439 1161268 1164719 1167471 1169006 1172091 1172115 1172234 1172236
                        1172240 1172308 1173641 1174016 1174436 1174942 1175448 1175449 1175458 1175514
                        1175519 1175623 1176201 1177238 1177275 1177427 1177490 1177583 1177976 1178219
                        1178386 1178554 1178561 1178577 1178624 1178675 1178775 1178775 1178823 1178825
                        1178909 1178910 1178966 1179083 1179222 1179363 1179503 1179694 1179721 1179816
                        1179824 1179847 1179909 1180020 1180038 1180073 1180077 1180083 1180138 1180225
                        1180596 1180603 1180603 1180603 1180663 1180721 1180851 1180885 1181011 1181328
                        1181443 1181505 1181622 1181831 1181874 1181976 1182016 1182117 1182279 1182328
                        1182331 1182333 1182362 1182408 1182411 1182412 1182413 1182415 1182416 1182417
                        1182418 1182419 1182420 1182604 1182629 1182791 1182936 1183064 1183094 1183370
                        1183371 1183456 1183457 1183628 1183791 1183797 1183933 1184358 1184401 1184435
                        1184614 1184614 1184690 1184761 1184967 1184994 1184997 1185046 1185163 1185239
                        1185331 1185408 1185408 1185409 1185409 1185410 1185410 1185417 1185438 1185540
                        1185562 1185698 1185807 1185958 1186015 1186049 1186114 1187060 1187210 1187212
                        1187292 1187400 1188063 1188217 1188218 1188219 1188220 1188571 1189206 1189416
                        1189465 1189465 1189521 1189521 1189683 1189996 1190373 1190374 928700 928701
                        CVE-2015-3414 CVE-2015-3415 CVE-2017-9271 CVE-2019-19244 CVE-2019-19317
                        CVE-2019-19603 CVE-2019-19645 CVE-2019-19646 CVE-2019-19880 CVE-2019-19923
                        CVE-2019-19924 CVE-2019-19925 CVE-2019-19926 CVE-2019-19959 CVE-2019-20218
                        CVE-2019-25013 CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13631
                        CVE-2020-13632 CVE-2020-15358 CVE-2020-24370 CVE-2020-24371 CVE-2020-25709
                        CVE-2020-25710 CVE-2020-27618 CVE-2020-29562 CVE-2020-29573 CVE-2020-36221
                        CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226
                        CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-9327
                        CVE-2021-20231 CVE-2021-20232 CVE-2021-20305 CVE-2021-22876 CVE-2021-22898
                        CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 CVE-2021-22925 CVE-2021-22946
                        CVE-2021-22947 CVE-2021-23840 CVE-2021-23841 CVE-2021-24031 CVE-2021-24032
                        CVE-2021-25741 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219 CVE-2021-3326
                        CVE-2021-33560 CVE-2021-33910 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517
                        CVE-2021-3517 CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537
                        CVE-2021-3541 CVE-2021-3580 CVE-2021-36222 CVE-2021-3712 CVE-2021-3712
                        CVE-2021-38185 CVE-2021-38185
-----------------------------------------------------------------
The container caasp/v4/kured was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3853-1
Released:    Wed Dec 16 12:27:27 2020
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1084671,1169006,1174942,1175514,1175623,1178554,1178825
This update for util-linux fixes the following issues:

- Do not trigger the automatic close of CDROM. (bsc#1084671)
- Try to automatically configure broken serial lines. (bsc#1175514)
- Avoid `sulogin` failing on not existing or not functional console devices. (bsc#1175514)
- Build with `libudev` support to support non-root users. (bsc#1169006)
- Avoid memory errors on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix warning on mounts to `CIFS` with mount -a. (bsc#1174942)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3942-1
Released:    Tue Dec 29 12:22:01 2020
Summary:     Recommended update for libidn2
Type:        recommended
Severity:    moderate
References:  1180138
This update for libidn2 fixes the following issues:

- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later; adjusted the RPM license tags (bsc#1180138)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3943-1
Released:    Tue Dec 29 12:24:45 2020
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1178823
This update for libxml2 fixes the following issues:

Avoid quadratic checking of identity-constraints, speeding up XML validation (bsc#1178823)

* key/unique/keyref schema attributes currently use quadratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:129-1
Released:    Thu Jan 14 12:26:15 2021
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1178909,1179503,CVE-2020-25709,CVE-2020-25710
This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2020-25709: Fixed a crash caused by specially crafted network traffic (bsc#1178909).
- CVE-2020-25710: Fixed a crash caused by specially crafted network traffic (bsc#1178909).

Non-security issue fixed:

- Retry binds in the LDAP backend when the remote LDAP server disconnected the (idle) LDAP connection. (bsc#1179503)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:220-1
Released:    Tue Jan 26 14:00:51 2021
Summary:     Recommended update for keyutils
Type:        recommended
Severity:    moderate
References:  1180603
This update for keyutils fixes the following issues:

- Adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:233-1
Released:    Wed Jan 27 12:15:33 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1141597,1174436,1175458,1177490,1179363,1179824,1180225
This update for systemd fixes the following issues:

- Added a timestamp to the output of the busctl monitor command (bsc#1180225)
- Fixed a NULL pointer dereference bug when attempting to close the journal file handle (bsc#1179824)
- Improved the caching of cgroups member mask (bsc#1175458)
- Fixed the dependency definition of sound.target (bsc#1179363)
- Fixed a bug that could lead to a potential error when daemon-reload is called between StartTransientUnit and scope_start() (bsc#1174436)
- time-util: treat /etc/localtime missing as UTC (bsc#1141597)
- Removed mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:265-1
Released:    Mon Feb 1 15:06:45 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    important
References:  1178775,1180885
This update for systemd fixes the following issues:

- Fix for udev creating '/dev/disk/by-label' symlink for 'LUKS2' to avoid mount issues. (bsc#1180885, #8998)
- Fix for an issue when container start causes interference in other containers. (bsc#1178775)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:293-1
Released:    Wed Feb 3 12:52:34 2021
Summary:     Recommended update for gmp
Type:        recommended
Severity:    moderate
References:  1180603
This update for gmp fixes the following issues:

- correct license statements of packages (library itself is not GPL-3.0) (bsc#1180603)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:307-1
Released:    Fri Feb 5 05:30:34 2021
Summary:     Recommended update for libselinux
Type:        recommended
Severity:    low
References:  1180603
This update for libselinux fixes the following issues:

- Corrected the license to public domain (bsc#1180603)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:339-1
Released:    Mon Feb 8 13:16:07 2021
Summary:     Optional update for pam
Type:        optional
Severity:    low
References:
This update for pam fixes the following issues:

- Added rpm macros for this package, so that other packages can make use of it

This patch is optional to be installed - it doesn't fix any bugs.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released:    Fri Feb 26 19:53:43 2021
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released:    Mon Mar 8 16:45:27 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash in the Certificate List Exact Assertion processing, resulting in denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:753-1
Released:    Tue Mar 9 17:09:57 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1182331,1182333,CVE-2021-23840,CVE-2021-23841
This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a NULL pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released:    Mon Mar 15 11:19:23 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201
This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:890-1
Released:    Fri Mar 19 15:51:41 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219
This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores it in a guint; this patch refuses the call if the length is larger than a guint can hold. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads to an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released:    Tue Mar 23 10:00:49 2021
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094
This update for filesystem fixes the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing a failure during installation/upgrade. (rh#1548403) (bsc#1146705)
- Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to clean up '/tmp' regularly as required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case where a bind mounted directory results in inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:934-1
Released:    Wed Mar 24 12:18:21 2021
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1183456,1183457,CVE-2021-20231,CVE-2021-20232
This update for gnutls fixes the following issues:

- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released:    Wed Mar 24 14:31:34 2021
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1183370,1183371,CVE-2021-24031,CVE-2021-24032
This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access a world-readable destination file (bsc#1183370).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:956-1
Released:    Thu Mar 25 19:19:04 2021
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    moderate
References:  1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629,CVE-2017-9271
This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.43:

- doc: give more details about creating versioned package locks (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing to do (bsc#1180077)
- Prefer /run over /var/run.

Update libzypp to 17.25.8:

- Try to provide a mounted /proc in --root installs (bsc#1181328) Some systemd tools require /proc to be mounted and fail if it's not there.
- Enable release packages to request a relaxed suse/opensuse vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names (bsc#1179847) This allows to use the RH and SUSE patch category names synonymously: (recommended = bugfix) and (optional = feature = enhancement).
- Add missing includes for GCC 11 compatibility.
- Fix %posttrans script execution (fixes #265) The scripts are executable. No need to call them through 'sh -c'.
- Commit: Fix rpmdb compat symlink in case rpm got removed.
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location of the rpm database to use.
- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat symlink at /var/lib/rpm exists in case the configured _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with unknown filesize (fixes #277)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1004-1
Released:    Thu Apr 1 15:07:09 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    moderate
References:  1180073
This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1141-1
Released:    Mon Apr 12 13:13:36 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1182791
This update for openldap2 fixes the following issues:

- Improved the proxy connection timeout options to prune connections properly (bsc#1182791)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1169-1
Released:    Tue Apr 13 15:01:42 2021
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1181976
This update for procps fixes the following issues:

- Corrected a statement in the man page
about processor pinning via taskset (bsc#1181976) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2021:1296-1 Released: Wed Apr 21 14:09:28 2021 Summary: Optional update for e2fsprogs Type: optional Severity: low References: 1183791 This update for e2fsprogs fixes the following issues: - Fixed an issue when building e2fsprogs (bsc#1183791) This patch does not fix any user visible issues and is therefore optional to install. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1297-1 Released: Wed Apr 21 14:10:10 2021 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1178219 This update for systemd fixes the following issues: - Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot be stopped properly and would leave mount points mounted. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1407-1 Released: Wed Apr 28 15:49:02 2021 Summary: Recommended update for libcap Type: recommended Severity: important References: 1184690 This update for libcap fixes the following issues: - Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1412-1 Released: Wed Apr 28 17:09:28 2021 Summary: Security update for libnettle Type: security Severity: important References: 1184401,CVE-2021-20305 This update for libnettle fixes the following issues: - CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401). 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1523-1
Released:    Wed May 5 18:24:20 2021
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518

This update for libxml2 fixes the following issues:

- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess
  (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in
  entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in
  entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1527-1
Released:    Thu May 6 08:58:53 2021
Summary:     Recommended update for bash
Type:        recommended
Severity:    important
References:  1183064

This update for bash fixes the following issues:

- Fixed a segmentation fault that used to occur when bash read a history file
  that was malformed in a very specific way. (bsc#1183064)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1543-1
Released:    Fri May 7 15:16:32 2021
Summary:     Recommended update for patterns-microos
Type:        recommended
Severity:    moderate
References:  1184435

This update for patterns-microos provides the following fix:

- Require the libvirt-daemon-qemu package and include the needed dependencies
  in the product. (bsc#1184435)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1549-1
Released:    Mon May 10 13:48:00 2021
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1185417

This update for procps fixes the following issues:

- Support up to 2048 CPUs as well. (bsc#1185417)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1565-1
Released:    Tue May 11 14:20:04 2021
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1185163

This update for krb5 fixes the following issues:

- Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1592-1
Released:    Wed May 12 13:47:41 2021
Summary:     Optional update for sed
Type:        optional
Severity:    low
References:  1183797

This update for sed fixes the following issues:

- Fixed a building issue with glibc-2.31 (bsc#1183797).

This patch is optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1602-1
Released:    Thu May 13 16:35:19 2021
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1180851,1181874,1182936,1183628,1184997,1185239

This update for libsolv and libzypp fixes the following issues:

libsolv:

Upgrade from version 0.7.17 to version 0.7.19
- Fix rare segfault in `resolve_jobrules()` that could happen if new rules
  are learned.
- Fix memory leaks in error cases
- Fix error handling in `solv_xfopen_fd()`
- Fix regex code on win32
- fixed memory leak in choice rule generation
- `repo_add_conda`: add a flag to skip version 2 packages.

libzypp:

Upgrade from version 17.25.8 to version 17.25.10
- Properly handle permission denied when providing optional files.
  (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single
  not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1612-1
Released:    Fri May 14 17:09:39 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1184614

This update for openldap2 fixes the following issue:

- Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy
  15-SP2 and 15-SP3. (bsc#1184614)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1643-1
Released:    Wed May 19 13:51:48 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    important
References:  1181443,1184358,1185562

This update for pam fixes the following issues:

- Fixed a bug where the 'unlimited'/'-1' value was not interpreted correctly
  (bsc#1181443)
- Fixed a bug where pam_access interpreted the keyword 'LOCAL' incorrectly,
  leading to an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require
  'systemd-32bit' to be also installed as it contains pam_systemd.so for
  32 bit applications. (bsc#1185562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1647-1
Released:    Wed May 19 13:59:12 2021
Summary:     Security update for lz4
Type:        security
Severity:    important
References:  1185438,CVE-2021-3520

This update for lz4 fixes the following issues:

- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused
  by a memmove argument (bsc#1185438).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1654-1
Released:    Wed May 19 16:43:36 2021
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537

This update for libxml2 fixes the following issues:

- CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel
  (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess
  (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in
  entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in
  entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1809-1
Released:    Mon May 31 16:24:59 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1177976,1183933,1186114,CVE-2021-22876,CVE-2021-22898

This update for curl fixes the following issues:

- CVE-2021-22876: Fixed an issue where the automatic referer was leaking
  credentials (bsc#1183933).
- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976).
- Allow partial chain verification (jsc#SLE-17956).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1861-1
Released:    Fri Jun 4 09:59:40 2021
Summary:     Recommended update for gcc10
Type:        recommended
Severity:    moderate
References:  1029961,1106014,1178577,1178624,1178675,1182016

This update for gcc10 fixes the following issues:

- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib.
  (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1917-1
Released:    Wed Jun 9 14:48:05 2021
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1186015,CVE-2021-3541

This update for libxml2 fixes the following issues:

- CVE-2021-3541: Fixed an exponential entity expansion attack that bypassed
  all existing protection mechanisms. (bsc#1186015)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1953-1
Released:    Thu Jun 10 16:18:50 2021
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1161268,1172308

This update for gpg2 fixes the following issues:

- Fixed an issue where the gpg-agent's ssh-agent does not handle flags in
  signing requests properly (bsc#1161268 and bsc#1172308).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2143-1
Released:    Wed Jun 23 16:27:04 2021
Summary:     Security update for libnettle
Type:        security
Severity:    important
References:  1187060,CVE-2021-3580

This update for libnettle fixes the following issues:

- CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via
  manipulated ciphertext (bsc#1187060).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2157-1
Released:    Thu Jun 24 15:40:14 2021
Summary:     Security update for libgcrypt
Type:        security
Severity:    important
References:  1187212,CVE-2021-33560

This update for libgcrypt fixes the following issues:

- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by
  missing exponent blinding (bsc#1187212).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2173-1
Released:    Mon Jun 28 14:59:45 2021
Summary:     Recommended update for automake
Type:        recommended
Severity:    moderate
References:  1040589,1047218,1182604,1185540,1186049

This update for automake fixes the following issues:

- Make generated autoconf makefiles reproducible (bsc#1182604)
- Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
- Avoid bashisms in test-driver script. (bsc#1185540)

This update for pcre fixes the following issues:

- Do not run profiling 'check' in parallel to make package build
  reproducible. (bsc#1040589)

This update for brp-check-suse fixes the following issues:

- Add fixes to support reproducible builds. (bsc#1186049)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2196-1
Released:    Tue Jun 29 09:41:39 2021
Summary:     Security update for lua53
Type:        security
Severity:    moderate
References:  1175448,1175449,CVE-2020-24370,CVE-2020-24371

This update for lua53 fixes the following issues:

Update to version 5.3.6:
- CVE-2020-24371: lgc.c mishandles the interaction between barriers and the
  sweep phase, leading to a memory access violation involving collectgarbage
  (bsc#1175449)
- CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault
  in getlocal and setlocal (bsc#1175448)
- Long brackets with a huge number of '=' overflow some internal buffer
  arithmetic.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2205-1
Released:    Wed Jun 30 09:17:41 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    important
References:  1187210

This update for openldap2 fixes the following issues:

- Resolve issues in the idle / connection 'TTL' timeout implementation in
  OpenLDAP. (bsc#1187210)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2246-1
Released:    Mon Jul 5 15:17:49 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1154935,1167471,1178561,1184761,1184967,1185046,1185331,1185807,1185958,1187292,1187400

This update for systemd fixes the following issues:

cgroup: Parse infinity properly for memory protections. (bsc#1167471)
cgroup: Make empty assignments reset to default. (bsc#1167471)
cgroup: Support 0-value for memory protection directives. (bsc#1167471)
core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'.
  (bsc#1154935)
bus-unit-util: Add proper 'MemorySwapMax' serialization.
core: Accept MemorySwapMax= properties that are scaled.
execute: Make sure to call into PAM after initializing resource limits.
  (bsc#1184967)
core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331)
Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046)
rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561)
write_net_rules: Set execute bits. (bsc#1178561)
udev: Rework network device renaming.
Revert 'Revert 'udev: Network device renaming - immediately give up if the
  target name isn't available''
mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
core: fix output (logging) for mount units (#7603) (bsc#1187400)
udev requires systemd in its %post (bsc#1185958)
cgroup: Parse infinity properly for memory protections (bsc#1167471)
cgroup: Make empty assignments reset to default (bsc#1167471)
cgroup: Support 0-value for memory protection directives (bsc#1167471)
Create /run/lock/subsys again (bsc#1187292)
  The creation of this directory was mistakenly dropped when the 'filesystem'
  package took over the initialization of the generic paths.
Expect 644 permissions for /usr/lib/udev/compat-symlink-generation
  (bsc#1185807)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2320-1
Released:    Wed Jul 14 17:01:06 2021
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327

This update for sqlite3 fixes the following issues:

- Update to version 3.36.0
- CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to
  mishandling of query-flattener optimization (bsc#1173641)
- CVE-2020-9327: NULL pointer dereference and segmentation fault because of
  generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719)
- CVE-2019-20218: selectExpander in select.c proceeds with WITH stack
  unwinding even after a parsing error (bsc#1160439)
- CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving
  embedded '\0' input (bsc#1160438)
- CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in
  flattenSubquery may lead to null pointer dereference (bsc#1160309)
- CVE-2019-19924: improper error handling in sqlite3WindowRewrite()
  (bsc#1159850)
- CVE-2019-19925: improper handling of NULL pathname during an update of a
  ZIP archive (bsc#1159847)
- CVE-2019-19926: improper handling of certain errors during parsing
  multiSelect in select.c (bsc#1159715)
- CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger
  an invalid pointer dereference (bsc#1159491)
- CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements,
  does not consider confusion with a shadow table name (bsc#1158960)
- CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA
  command in certain cases of generated columns (bsc#1158959)
- CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via
  certain types of self-referential views in conjunction with ALTER TABLE
  statements (bsc#1158958)
- CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask
  in the case of a generated column, which allows attackers to cause a denial
  of service (bsc#1158812)
- CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in
  select.c allows a crash if a sub-select uses both DISTINCT and window
  functions, and also has certain ORDER BY usage (bsc#1157818)
- CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability
  (bsc#928701)
- CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names
  (bsc#928700)
- CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
- CVE-2020-13630: use-after-free in fts3EvalNextRow (bsc#1172234)
- CVE-2020-13631: virtual table allowed to be renamed to one of its shadow
  tables (bsc#1172236)
- CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query
  (bsc#1172240)
- CVE-2020-13435: Malicious SQL statements could have crashed the process
  that is running SQLite (bsc#1172091)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2404-1
Released:    Tue Jul 20 14:21:30 2021
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1184994,1188063,CVE-2021-33910

This update for systemd fixes the following issues:

- CVE-2021-33910: Fixed a denial of service in systemd via
  unit_name_path_escape() (bsc#1188063)
- Skip udev rules if 'elevator=' is used (bsc#1184994)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2440-1
Released:    Wed Jul 21 13:48:24 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925

This update for curl fixes the following issues:

- CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
- CVE-2021-22924: Bad connection reuse due to flawed path name checks.
  (bsc#1188219)
- CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
- CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2689-1
Released:    Mon Aug 16 10:54:52 2021
Summary:     Security update for cpio
Type:        security
Severity:    important
References:  1189206,CVE-2021-38185

This update for cpio fixes the following issues:

- It was possible to trigger remote code execution due to an integer overflow
  (CVE-2021-38185, bsc#1189206)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2763-1
Released:    Tue Aug 17 17:16:22 2021
Summary:     Recommended update for cpio
Type:        recommended
Severity:    critical
References:  1189465

This update for cpio fixes the following issues:

- A regression in the last update would cause builds to hang on various
  architectures (bsc#1189465)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2780-1
Released:    Thu Aug 19 16:09:15 2021
Summary:     Recommended update for cpio
Type:        recommended
Severity:    critical
References:  1189465,CVE-2021-38185

This update for cpio fixes the following issues:

- A regression in the previous update could lead to crashes (bsc#1189465)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2800-1
Released:    Fri Aug 20 10:43:04 2021
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1188571,CVE-2021-36222

This update for krb5 fixes the following issues:

- CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge.
  (bsc#1188571)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2831-1
Released:    Tue Aug 24 16:20:45 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1189521,CVE-2021-3712

This update for openssl-1_1 fixes the following security issue:

- CVE-2021-3712: a bug in the code for printing certificate details could
  lead to a buffer overrun that a malicious actor could exploit to crash the
  application, causing a denial-of-service attack. [bsc#1189521]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2938-1
Released:    Fri Sep 3 09:19:36 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1184614

This update for openldap2 fixes the following issue:

- openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2968-1
Released:    Tue Sep 7 09:53:00 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    low
References:  1189521,CVE-2021-3712

This update for openssl-1_1 fixes the following issues:

- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712.
  Read buffer overruns processing ASN.1 strings (bsc#1189521).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3001-1
Released:    Thu Sep 9 15:08:13 2021
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1189683

This update for netcfg fixes the following issues:

- add submissions port/protocol to services file for message submission over
  TLS protocol [bsc#1189683]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3182-1
Released:    Tue Sep 21 17:04:26 2021
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1189996

This update for file fixes the following issues:

- Fixes exception thrown by memory allocation problem (bsc#1189996)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3297-1
Released:    Wed Oct 6 16:53:29 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1190373,1190374,CVE-2021-22946,CVE-2021-22947

This update for curl fixes the following issues:

- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed protocol downgrade required TLS bypassed
  (bsc#1190373).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3323-1 Released: Fri Oct 8 11:39:07 2021 Summary: Includes a kubernetes update to 1.17.17 including a backport for CVE-2021-25741 Type: security Severity: low References: 1189416,CVE-2021-25741 == Kubernetes bsc#1189416 kubernetes issue is a backport of the upstream security fix (CVE-2021-25741): https://github.com/kubernetes/kubernetes/pull/104253 From sle-security-updates at lists.suse.com Sat Oct 9 22:18:04 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Sun, 10 Oct 2021 00:18:04 +0200 (CEST) Subject: SUSE-SU-2021:3325-1: moderate: Security update for rabbitmq-server Message-ID: <20211009221804.4E8ADFE12@maintenance.suse.de> SUSE Security Update: Security update for rabbitmq-server ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3325-1 Rating: moderate References: #1185075 #1186203 #1187818 #1187819 Cross-References: CVE-2021-22116 CVE-2021-32718 CVE-2021-32719 CVSS scores: CVE-2021-22116 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-22116 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-32718 (SUSE): 3.1 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N CVE-2021-32719 (SUSE): 3.1 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP3 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: This update for rabbitmq-server fixes the following issues: - CVE-2021-32718: Fixed improper neutralization of script-related HTML tags in a web page (basic XSS) in management UI (bsc#1187818). - CVE-2021-32719: Fixed improper neutralization of script-related HTML tags in a web page (basic XSS) in federation management plugin (bsc#1187819). 
- CVE-2021-22116: Fixed improper input validation may lead to DoS (bsc#1186203). - Use /run instead of /var/run in tmpfiles.d configuration (bsc#1185075). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-3325=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64): erlang-rabbitmq-client-3.8.11-3.3.3 rabbitmq-server-3.8.11-3.3.3 rabbitmq-server-plugins-3.8.11-3.3.3 References: https://www.suse.com/security/cve/CVE-2021-22116.html https://www.suse.com/security/cve/CVE-2021-32718.html https://www.suse.com/security/cve/CVE-2021-32719.html https://bugzilla.suse.com/1185075 https://bugzilla.suse.com/1186203 https://bugzilla.suse.com/1187818 https://bugzilla.suse.com/1187819 From sle-security-updates at lists.suse.com Mon Oct 11 19:16:57 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 11 Oct 2021 21:16:57 +0200 (CEST) Subject: SUSE-SU-2021:3333-1: moderate: Security update for libqt5-qtsvg Message-ID: <20211011191657.32713FE13@maintenance.suse.de> SUSE Security Update: Security update for libqt5-qtsvg ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3333-1 Rating: moderate References: #1184783 Cross-References: CVE-2021-3481 CVSS scores: CVE-2021-3481 (SUSE): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for libqt5-qtsvg fixes the following issues: - CVE-2021-3481: Fixed an out of bounds read in function QRadialFetchSimd from crafted svg file. (bsc#1184783) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3333=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3333=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libqt5-qtsvg-debugsource-5.6.2-3.6.1 libqt5-qtsvg-devel-5.6.2-3.6.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): libqt5-qtsvg-private-headers-devel-5.6.2-3.6.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libQt5Svg5-5.6.2-3.6.1 libQt5Svg5-debuginfo-5.6.2-3.6.1 libqt5-qtsvg-debugsource-5.6.2-3.6.1 References: https://www.suse.com/security/cve/CVE-2021-3481.html https://bugzilla.suse.com/1184783 From sle-security-updates at lists.suse.com Mon Oct 11 19:20:46 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 11 Oct 2021 21:20:46 +0200 (CEST) Subject: SUSE-SU-2021:3334-1: moderate: Security update for squid Message-ID: <20211011192046.14B27FE13@maintenance.suse.de> SUSE Security Update: Security update for squid ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3334-1 Rating: moderate References: #1189403 Cross-References: CVE-2021-28116 CVSS scores: CVE-2021-28116 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2021-28116 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update 
that fixes one vulnerability is now available. Description: This update for squid fixes the following issues: Update to version 4.17: - CVE-2021-28116: Fixed a out-of-bounds read in the WCCP protocol (bsc#1189403). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3334=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): squid-4.17-4.21.1 squid-debuginfo-4.17-4.21.1 squid-debugsource-4.17-4.21.1 References: https://www.suse.com/security/cve/CVE-2021-28116.html https://bugzilla.suse.com/1189403 From sle-security-updates at lists.suse.com Mon Oct 11 19:26:01 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 11 Oct 2021 21:26:01 +0200 (CEST) Subject: SUSE-SU-2021:3332-1: moderate: Security update for curl Message-ID: <20211011192601.A5D65FE13@maintenance.suse.de> SUSE Security Update: Security update for curl ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3332-1 Rating: moderate References: #1190373 #1190374 Cross-References: CVE-2021-22946 CVE-2021-22947 CVSS scores: CVE-2021-22946 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-22947 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for curl fixes the following issues: - CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374). - CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3332=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3332=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): curl-debuginfo-7.60.0-11.28.1 curl-debugsource-7.60.0-11.28.1 libcurl-devel-7.60.0-11.28.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): curl-7.60.0-11.28.1 curl-debuginfo-7.60.0-11.28.1 curl-debugsource-7.60.0-11.28.1 libcurl4-7.60.0-11.28.1 libcurl4-debuginfo-7.60.0-11.28.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libcurl4-32bit-7.60.0-11.28.1 libcurl4-debuginfo-32bit-7.60.0-11.28.1 References: https://www.suse.com/security/cve/CVE-2021-22946.html https://www.suse.com/security/cve/CVE-2021-22947.html https://bugzilla.suse.com/1190373 https://bugzilla.suse.com/1190374 From sle-security-updates at lists.suse.com Mon Oct 11 19:37:28 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 11 Oct 2021 21:37:28 +0200 (CEST) Subject: SUSE-SU-2021:3331-1: important: Security update for MozillaFirefox Message-ID: <20211011193728.704FCFE13@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3331-1 Rating: important References: #1188891 #1189547 #1190269 #1190274 #1190710 #1191332 Cross-References: CVE-2021-29980 CVE-2021-29981 CVE-2021-29982 CVE-2021-29983 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29987 CVE-2021-29988 CVE-2021-29989 CVE-2021-29990 CVE-2021-29991 CVE-2021-32810 CVE-2021-38492 CVE-2021-38495 CVE-2021-38496 CVE-2021-38497 
                    CVE-2021-38498 CVE-2021-38500 CVE-2021-38501
CVSS scores:
                    CVE-2021-29980 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-29984 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-29985 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-29986 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-29988 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-29989 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-29991 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-32810 (NVD):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-38492 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products:
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes 20 vulnerabilities is now available.

Description:

This update for MozillaFirefox fixes the following issues:

This update contains the Firefox Extended Support Release 91.2.0 ESR.
Firefox Extended Support Release 91.2.0 ESR

* Fixed: Various stability, functionality, and security fixes
  MFSA 2021-45 (bsc#1191332)
  * CVE-2021-38496: Use-after-free in MessageTask
  * CVE-2021-38497: Validation message could have been overlaid on another origin
  * CVE-2021-38498: Use-after-free of nsLanguageAtomService object
  * CVE-2021-32810: Data race in crossbeam-deque
    (https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-pqqp-xmhj-wgcw)
  * CVE-2021-38500 (bmo#1725854, bmo#1728321) Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
  * CVE-2021-38501 (bmo#1685354, bmo#1715755, bmo#1723176) Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2

- Fixed crash in FIPS mode (bsc#1190710)

* Fixed: Various stability, functionality, and security fixes
  MFSA 2021-40 (bsc#1190269, bsc#1190274):
  * CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
  * CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1

Firefox Extended Support Release 91.0.1 ESR

* Fixed: Fixed an issue causing buttons on the tab bar to be resized when loading certain websites (bug 1704404)
* Fixed: Fixed an issue which caused tabs from private windows to be visible in non-private windows when viewing switch-to-tab results in the address bar panel (bug 1720369)
* Fixed: Various stability fixes
* Fixed: Security fix
  MFSA 2021-37 (bsc#1189547)
  * CVE-2021-29991 (bmo#1724896) Header Splitting possible with HTTP/3 Responses

Firefox Extended Support Release 91.0 ESR

* New: Some of the highlights of the new Extended Support Release are:
  - A number of user interface changes. For more information, see the Firefox 89 release notes.
  - Firefox now supports logging into Microsoft, work, and school accounts using Windows single sign-on.
  - On Windows, updates can now be applied in the background while Firefox is not running.
  - Firefox for Windows now offers a new page about:third-party to help identify compatibility issues caused by third-party applications.
  - Version 2 of Firefox's SmartBlock feature further improves private browsing. Third party Facebook scripts are blocked to prevent you from being tracked, but are now automatically loaded "just in time" if you decide to "Log in with Facebook" on any website.
  - Enhanced the privacy of the Firefox Browser's Private Browsing mode with Total Cookie Protection, which confines cookies to the site where they were created, preventing companies from using cookies to track your browsing across sites. This feature was originally launched in Firefox's ETP Strict mode.
  - PDF forms now support JavaScript embedded in PDF files. Some PDF forms use JavaScript for validation and other interactive features.
  - You'll encounter less website breakage in Private Browsing and Strict Enhanced Tracking Protection with SmartBlock, which provides stand-in scripts so that websites load properly.
  - Improved Print functionality with a cleaner design and better integration with your computer's printer settings.
  - Firefox now protects you from supercookies, a type of tracker that can stay hidden in your browser and track you online, even after you clear cookies. By isolating supercookies, Firefox prevents them from tracking your web browsing from one site to the next.
  - Firefox now remembers your preferred location for saved bookmarks, displays the bookmarks toolbar by default on new tabs, and gives you easy access to all of your bookmarks via a toolbar folder.
  - Native support for macOS devices built with Apple Silicon CPUs brings dramatic performance improvements over the non-native build that was shipped in Firefox 83: Firefox launches over 2.5 times faster and web apps are now twice as responsive (per the SpeedoMeter 2.0 test). If you are on a new Apple device, follow these steps to upgrade to the latest Firefox.
  - Pinch zooming will now be supported for our users with Windows touchscreen devices and touchpads on Mac devices. Firefox users may now use pinch to zoom on touch-capable devices to zoom in and out of webpages.
  - We've improved functionality and design for a number of Firefox search features:
    * Selecting a search engine at the bottom of the search panel now enters search mode for that engine, allowing you to see suggestions (if available) for your search terms. The old behavior (immediately performing a search) is available with a shift-click.
    * When Firefox autocompletes the URL of one of your search engines, you can now search with that engine directly in the address bar by selecting the shortcut in the address bar results.
    * We've added buttons at the bottom of the search panel to allow you to search your bookmarks, open tabs, and history.
  - Firefox supports AcroForm, which will allow you to fill in, print, and save supported PDF forms, and the PDF viewer also has a new fresh look.
  - For our users in the US and Canada, Firefox can now save, manage, and auto-fill credit card information for you, making shopping on Firefox ever more convenient.
  - In addition to our default, dark and light themes, with this release, Firefox introduces the Alpenglow theme: a colorful appearance for buttons, menus, and windows. You can update your Firefox themes under settings or preferences.
* Changed: Firefox no longer supports Adobe Flash. There is no setting available to re-enable Flash support.
* Enterprise: Various bug fixes and new policies have been implemented in the latest version of Firefox. See more details in the Firefox for Enterprise 91 Release Notes.
  MFSA 2021-33 (bsc#1188891):
  * CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption
  * CVE-2021-29981: Live range splitting could have led to conflicting assignments in the JIT
  * CVE-2021-29988: Memory corruption as a result of incorrect style treatment
  * CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
  * CVE-2021-29984: Incorrect instruction reordering during JIT optimization
  * CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption
  * CVE-2021-29987: Users could have been tricked into accepting unwanted permissions on Linux
  * CVE-2021-29985: Use-after-free in media channels
  * CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and type confusion
  * CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
  * CVE-2021-29990: Memory safety bugs fixed in Firefox 91

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15-SP1:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-3331=1

- SUSE Linux Enterprise Server for SAP 15:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-3331=1

- SUSE Linux Enterprise Server 15-SP1-LTSS:

  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-3331=1

- SUSE Linux Enterprise Server 15-SP1-BCL:

  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-3331=1

- SUSE Linux Enterprise Server 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-SLES-15-2021-3331=1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-3331=1

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-3331=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3331=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3331=1

- SUSE Enterprise Storage 6:

  zypper in -t patch SUSE-Storage-6-2021-3331=1

- SUSE CaaS Platform 4.0:

  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
Package List:

- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

  MozillaFirefox-91.2.0-3.155.2
  MozillaFirefox-branding-SLE-91-4.19.1
  MozillaFirefox-debuginfo-91.2.0-3.155.2
  MozillaFirefox-debugsource-91.2.0-3.155.2
  MozillaFirefox-devel-91.2.0-3.155.2
  MozillaFirefox-translations-common-91.2.0-3.155.2
  MozillaFirefox-translations-other-91.2.0-3.155.2

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

  MozillaFirefox-91.2.0-3.155.2
  MozillaFirefox-branding-SLE-91-4.19.1
  MozillaFirefox-debuginfo-91.2.0-3.155.2
  MozillaFirefox-debugsource-91.2.0-3.155.2
  MozillaFirefox-devel-91.2.0-3.155.2
  MozillaFirefox-translations-common-91.2.0-3.155.2
  MozillaFirefox-translations-other-91.2.0-3.155.2

- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

  MozillaFirefox-91.2.0-3.155.2
  MozillaFirefox-branding-SLE-91-4.19.1
  MozillaFirefox-debuginfo-91.2.0-3.155.2
  MozillaFirefox-debugsource-91.2.0-3.155.2
  MozillaFirefox-devel-91.2.0-3.155.2
  MozillaFirefox-translations-common-91.2.0-3.155.2
  MozillaFirefox-translations-other-91.2.0-3.155.2

- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

  MozillaFirefox-91.2.0-3.155.2
  MozillaFirefox-branding-SLE-91-4.19.1
  MozillaFirefox-debuginfo-91.2.0-3.155.2
  MozillaFirefox-debugsource-91.2.0-3.155.2
  MozillaFirefox-devel-91.2.0-3.155.2
  MozillaFirefox-translations-common-91.2.0-3.155.2
  MozillaFirefox-translations-other-91.2.0-3.155.2

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

  MozillaFirefox-91.2.0-3.155.2
  MozillaFirefox-branding-SLE-91-4.19.1
  MozillaFirefox-debuginfo-91.2.0-3.155.2
  MozillaFirefox-debugsource-91.2.0-3.155.2
  MozillaFirefox-devel-91.2.0-3.155.2
  MozillaFirefox-translations-common-91.2.0-3.155.2
  MozillaFirefox-translations-other-91.2.0-3.155.2

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):

  MozillaFirefox-91.2.0-3.155.2
  MozillaFirefox-branding-SLE-91-4.19.1
  MozillaFirefox-debuginfo-91.2.0-3.155.2
  MozillaFirefox-debugsource-91.2.0-3.155.2
  MozillaFirefox-devel-91.2.0-3.155.2
  MozillaFirefox-translations-common-91.2.0-3.155.2
  MozillaFirefox-translations-other-91.2.0-3.155.2

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):

  MozillaFirefox-91.2.0-3.155.2
  MozillaFirefox-branding-SLE-91-4.19.1
  MozillaFirefox-debuginfo-91.2.0-3.155.2
  MozillaFirefox-debugsource-91.2.0-3.155.2
  MozillaFirefox-devel-91.2.0-3.155.2
  MozillaFirefox-translations-common-91.2.0-3.155.2
  MozillaFirefox-translations-other-91.2.0-3.155.2

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

  MozillaFirefox-91.2.0-3.155.2
  MozillaFirefox-branding-SLE-91-4.19.1
  MozillaFirefox-debuginfo-91.2.0-3.155.2
  MozillaFirefox-debugsource-91.2.0-3.155.2
  MozillaFirefox-devel-91.2.0-3.155.2
  MozillaFirefox-translations-common-91.2.0-3.155.2
  MozillaFirefox-translations-other-91.2.0-3.155.2

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

  MozillaFirefox-91.2.0-3.155.2
  MozillaFirefox-branding-SLE-91-4.19.1
  MozillaFirefox-debuginfo-91.2.0-3.155.2
  MozillaFirefox-debugsource-91.2.0-3.155.2
  MozillaFirefox-devel-91.2.0-3.155.2
  MozillaFirefox-translations-common-91.2.0-3.155.2
  MozillaFirefox-translations-other-91.2.0-3.155.2

- SUSE Enterprise Storage 6 (aarch64 x86_64):

  MozillaFirefox-91.2.0-3.155.2
  MozillaFirefox-branding-SLE-91-4.19.1
  MozillaFirefox-debuginfo-91.2.0-3.155.2
  MozillaFirefox-debugsource-91.2.0-3.155.2
  MozillaFirefox-devel-91.2.0-3.155.2
  MozillaFirefox-translations-common-91.2.0-3.155.2
  MozillaFirefox-translations-other-91.2.0-3.155.2

- SUSE CaaS Platform 4.0 (x86_64):

  MozillaFirefox-91.2.0-3.155.2
  MozillaFirefox-branding-SLE-91-4.19.1
  MozillaFirefox-debuginfo-91.2.0-3.155.2
  MozillaFirefox-debugsource-91.2.0-3.155.2
  MozillaFirefox-devel-91.2.0-3.155.2
  MozillaFirefox-translations-common-91.2.0-3.155.2
  MozillaFirefox-translations-other-91.2.0-3.155.2

References:

https://www.suse.com/security/cve/CVE-2021-29980.html
https://www.suse.com/security/cve/CVE-2021-29981.html
https://www.suse.com/security/cve/CVE-2021-29982.html
https://www.suse.com/security/cve/CVE-2021-29983.html
https://www.suse.com/security/cve/CVE-2021-29984.html
https://www.suse.com/security/cve/CVE-2021-29985.html
https://www.suse.com/security/cve/CVE-2021-29986.html
https://www.suse.com/security/cve/CVE-2021-29987.html
https://www.suse.com/security/cve/CVE-2021-29988.html
https://www.suse.com/security/cve/CVE-2021-29989.html
https://www.suse.com/security/cve/CVE-2021-29990.html
https://www.suse.com/security/cve/CVE-2021-29991.html
https://www.suse.com/security/cve/CVE-2021-32810.html
https://www.suse.com/security/cve/CVE-2021-38492.html
https://www.suse.com/security/cve/CVE-2021-38495.html
https://www.suse.com/security/cve/CVE-2021-38496.html
https://www.suse.com/security/cve/CVE-2021-38497.html
https://www.suse.com/security/cve/CVE-2021-38498.html
https://www.suse.com/security/cve/CVE-2021-38500.html
https://www.suse.com/security/cve/CVE-2021-38501.html
https://bugzilla.suse.com/1188891
https://bugzilla.suse.com/1189547
https://bugzilla.suse.com/1190269
https://bugzilla.suse.com/1190274
https://bugzilla.suse.com/1190710
https://bugzilla.suse.com/1191332

From sle-security-updates at lists.suse.com Tue Oct 12 07:03:36 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 09:03:36 +0200 (CEST)
Subject: SUSE-CU-2021:390-1: Security update of suse/sles12sp4
Message-ID: <20211012070336.14BA3FE12@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:390-1
Container Tags        : suse/sles12sp4:26.357 , suse/sles12sp4:latest
Container Release     : 26.357
Severity              : moderate
Type                  : security
References            : 1186489 1187153 1187273 1188623 CVE-2021-33574
-----------------------------------------------------------------

The container suse/sles12sp4 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3290-1
Released:    Wed Oct 6 16:44:45 2021
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1186489,CVE-2021-33574

This update for glibc fixes the following issues:

- CVE-2021-33574: Fixed a use-after-free possibility in mq_notify() (bsc#1186489)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3329-1
Released:    Mon Oct 11 15:31:42 2021
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1187153,1187273,1188623

This update for gcc11 fixes the following issues:

The additional GNU compiler collection GCC 11 is provided in the Toolchain module, and updated compiler base libraries (libgcc_s1, libstdc++6 and others) are being provided in the regular SUSE Linux Enterprise Server repositories.

Changes done in GCC11 are documented on: https://gcc.gnu.org/gcc-11/changes.html

This update ships the C, C++, Objective C, D, Fortran, GO, and ADA compiler.

To select these compilers install the packages:

- gcc11
- gcc-c++11
- and others with 11 prefix.

To select them for building:

- CC='gcc-11'
- CXX='g++-11'

From sle-security-updates at lists.suse.com Tue Oct 12 07:16:15 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 09:16:15 +0200 (CEST)
Subject: SUSE-CU-2021:391-1: Security update of suse/sles12sp5
Message-ID: <20211012071615.E980BFE12@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:391-1
Container Tags        : suse/sles12sp5:6.5.241 , suse/sles12sp5:latest
Container Release     : 6.5.241
Severity              : moderate
Type                  : security
References            : 1186489 1187153 1187273 1188623 1190373 1190374
                        CVE-2021-22946 CVE-2021-22947 CVE-2021-33574
-----------------------------------------------------------------

The container suse/sles12sp5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3290-1
Released:    Wed Oct 6 16:44:45 2021
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1186489,CVE-2021-33574

This update for glibc fixes the following issues:

- CVE-2021-33574: Fixed a use-after-free possibility in mq_notify() (bsc#1186489)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3329-1
Released:    Mon Oct 11 15:31:42 2021
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1187153,1187273,1188623

This update for gcc11 fixes the following issues:

The additional GNU compiler collection GCC 11 is provided in the Toolchain module, and updated compiler base libraries (libgcc_s1, libstdc++6 and others) are being provided in the regular SUSE Linux Enterprise Server repositories.

Changes done in GCC11 are documented on: https://gcc.gnu.org/gcc-11/changes.html

This update ships the C, C++, Objective C, D, Fortran, GO, and ADA compiler.
To select these compilers install the packages:

- gcc11
- gcc-c++11
- and others with 11 prefix.

To select them for building:

- CC='gcc-11'
- CXX='g++-11'

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3332-1
Released:    Mon Oct 11 17:02:35 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1190373,1190374,CVE-2021-22946,CVE-2021-22947

This update for curl fixes the following issues:

- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed a protocol downgrade that bypassed a required TLS upgrade (bsc#1190373).

From sle-security-updates at lists.suse.com Tue Oct 12 10:16:57 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 12:16:57 +0200 (CEST)
Subject: SUSE-SU-2021:3335-1: important: Security update for apache2
Message-ID: <20211012101657.78A87FE12@maintenance.suse.de>

SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3335-1
Rating:             important
References:         #1189387 #1190666 #1190669 #1190702 #1190703
Cross-References:   CVE-2021-33193 CVE-2021-34798 CVE-2021-36160 CVE-2021-39275
                    CVE-2021-40438
CVSS scores:
                    CVE-2021-33193 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-34798 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-36160 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-39275 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-40438 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

This update for apache2 fixes the following issues:

- CVE-2021-40438: Fixed an SSRF via a crafted request uri-path. (bsc#1190703)
- CVE-2021-36160: Fixed an out-of-bounds read via a crafted request uri-path. (bsc#1190702)
- CVE-2021-39275: Fixed an out-of-bounds write in ap_escape_quotes() via malicious input. (bsc#1190666)
- CVE-2021-34798: Fixed a NULL pointer dereference via malformed requests. (bsc#1190669)
- CVE-2021-33193: Fixed request splitting via HTTP/2 method injection and mod_proxy. (bsc#1189387)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15-SP1:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-3335=1

- SUSE Linux Enterprise Server for SAP 15:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-3335=1

- SUSE Linux Enterprise Server 15-SP1-LTSS:

  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-3335=1

- SUSE Linux Enterprise Server 15-SP1-BCL:

  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-3335=1

- SUSE Linux Enterprise Server 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-SLES-15-2021-3335=1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-3335=1

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-3335=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3335=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3335=1

- SUSE Enterprise Storage 6:

  zypper in -t patch SUSE-Storage-6-2021-3335=1

- SUSE CaaS Platform 4.0:

  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

  apache2-2.4.33-3.55.1
  apache2-debuginfo-2.4.33-3.55.1
  apache2-debugsource-2.4.33-3.55.1
  apache2-devel-2.4.33-3.55.1
  apache2-prefork-2.4.33-3.55.1
  apache2-prefork-debuginfo-2.4.33-3.55.1
  apache2-utils-2.4.33-3.55.1
  apache2-utils-debuginfo-2.4.33-3.55.1
  apache2-worker-2.4.33-3.55.1
  apache2-worker-debuginfo-2.4.33-3.55.1

- SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):

  apache2-doc-2.4.33-3.55.1

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

  apache2-2.4.33-3.55.1
  apache2-debuginfo-2.4.33-3.55.1
  apache2-debugsource-2.4.33-3.55.1
  apache2-devel-2.4.33-3.55.1
  apache2-prefork-2.4.33-3.55.1
  apache2-prefork-debuginfo-2.4.33-3.55.1
  apache2-utils-2.4.33-3.55.1
  apache2-utils-debuginfo-2.4.33-3.55.1
  apache2-worker-2.4.33-3.55.1
  apache2-worker-debuginfo-2.4.33-3.55.1

- SUSE Linux Enterprise Server for SAP 15 (noarch):

  apache2-doc-2.4.33-3.55.1

- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

  apache2-2.4.33-3.55.1
  apache2-debuginfo-2.4.33-3.55.1
  apache2-debugsource-2.4.33-3.55.1
  apache2-devel-2.4.33-3.55.1
  apache2-prefork-2.4.33-3.55.1
  apache2-prefork-debuginfo-2.4.33-3.55.1
  apache2-utils-2.4.33-3.55.1
  apache2-utils-debuginfo-2.4.33-3.55.1
  apache2-worker-2.4.33-3.55.1
  apache2-worker-debuginfo-2.4.33-3.55.1

- SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):

  apache2-doc-2.4.33-3.55.1

- SUSE Linux Enterprise Server 15-SP1-BCL (noarch):

  apache2-doc-2.4.33-3.55.1

- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

  apache2-2.4.33-3.55.1
  apache2-debuginfo-2.4.33-3.55.1
  apache2-debugsource-2.4.33-3.55.1
  apache2-devel-2.4.33-3.55.1
  apache2-prefork-2.4.33-3.55.1
  apache2-prefork-debuginfo-2.4.33-3.55.1
  apache2-utils-2.4.33-3.55.1
  apache2-utils-debuginfo-2.4.33-3.55.1
  apache2-worker-2.4.33-3.55.1
  apache2-worker-debuginfo-2.4.33-3.55.1

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

  apache2-2.4.33-3.55.1
  apache2-debuginfo-2.4.33-3.55.1
  apache2-debugsource-2.4.33-3.55.1
  apache2-devel-2.4.33-3.55.1
  apache2-prefork-2.4.33-3.55.1
  apache2-prefork-debuginfo-2.4.33-3.55.1
  apache2-utils-2.4.33-3.55.1
  apache2-utils-debuginfo-2.4.33-3.55.1
  apache2-worker-2.4.33-3.55.1
  apache2-worker-debuginfo-2.4.33-3.55.1

- SUSE Linux Enterprise Server 15-LTSS (noarch):

  apache2-doc-2.4.33-3.55.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):

  apache2-2.4.33-3.55.1
  apache2-debuginfo-2.4.33-3.55.1
  apache2-debugsource-2.4.33-3.55.1
  apache2-devel-2.4.33-3.55.1
  apache2-prefork-2.4.33-3.55.1
  apache2-prefork-debuginfo-2.4.33-3.55.1
  apache2-utils-2.4.33-3.55.1
  apache2-utils-debuginfo-2.4.33-3.55.1
  apache2-worker-2.4.33-3.55.1
  apache2-worker-debuginfo-2.4.33-3.55.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):

  apache2-doc-2.4.33-3.55.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):

  apache2-2.4.33-3.55.1
  apache2-debuginfo-2.4.33-3.55.1
  apache2-debugsource-2.4.33-3.55.1
  apache2-devel-2.4.33-3.55.1
  apache2-prefork-2.4.33-3.55.1
  apache2-prefork-debuginfo-2.4.33-3.55.1
  apache2-utils-2.4.33-3.55.1
  apache2-utils-debuginfo-2.4.33-3.55.1
  apache2-worker-2.4.33-3.55.1
  apache2-worker-debuginfo-2.4.33-3.55.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):

  apache2-doc-2.4.33-3.55.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

  apache2-2.4.33-3.55.1
  apache2-debuginfo-2.4.33-3.55.1
  apache2-debugsource-2.4.33-3.55.1
  apache2-devel-2.4.33-3.55.1
  apache2-prefork-2.4.33-3.55.1
  apache2-prefork-debuginfo-2.4.33-3.55.1
  apache2-utils-2.4.33-3.55.1
  apache2-utils-debuginfo-2.4.33-3.55.1
  apache2-worker-2.4.33-3.55.1
  apache2-worker-debuginfo-2.4.33-3.55.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):

  apache2-doc-2.4.33-3.55.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

  apache2-2.4.33-3.55.1
  apache2-debuginfo-2.4.33-3.55.1
  apache2-debugsource-2.4.33-3.55.1
  apache2-devel-2.4.33-3.55.1
  apache2-prefork-2.4.33-3.55.1
  apache2-prefork-debuginfo-2.4.33-3.55.1
  apache2-utils-2.4.33-3.55.1
  apache2-utils-debuginfo-2.4.33-3.55.1
  apache2-worker-2.4.33-3.55.1
  apache2-worker-debuginfo-2.4.33-3.55.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):

  apache2-doc-2.4.33-3.55.1

- SUSE Enterprise Storage 6 (aarch64 x86_64):

  apache2-2.4.33-3.55.1
  apache2-debuginfo-2.4.33-3.55.1
  apache2-debugsource-2.4.33-3.55.1
  apache2-devel-2.4.33-3.55.1
  apache2-prefork-2.4.33-3.55.1
  apache2-prefork-debuginfo-2.4.33-3.55.1
  apache2-utils-2.4.33-3.55.1
  apache2-utils-debuginfo-2.4.33-3.55.1
  apache2-worker-2.4.33-3.55.1
  apache2-worker-debuginfo-2.4.33-3.55.1

- SUSE Enterprise Storage 6 (noarch):

  apache2-doc-2.4.33-3.55.1

- SUSE CaaS Platform 4.0 (x86_64):

  apache2-2.4.33-3.55.1
  apache2-debuginfo-2.4.33-3.55.1
  apache2-debugsource-2.4.33-3.55.1
  apache2-devel-2.4.33-3.55.1
  apache2-prefork-2.4.33-3.55.1
  apache2-prefork-debuginfo-2.4.33-3.55.1
  apache2-utils-2.4.33-3.55.1
  apache2-utils-debuginfo-2.4.33-3.55.1
  apache2-worker-2.4.33-3.55.1
  apache2-worker-debuginfo-2.4.33-3.55.1

- SUSE CaaS Platform 4.0 (noarch):

  apache2-doc-2.4.33-3.55.1

References:

https://www.suse.com/security/cve/CVE-2021-33193.html
https://www.suse.com/security/cve/CVE-2021-34798.html
https://www.suse.com/security/cve/CVE-2021-36160.html
https://www.suse.com/security/cve/CVE-2021-39275.html
https://www.suse.com/security/cve/CVE-2021-40438.html
https://bugzilla.suse.com/1189387
https://bugzilla.suse.com/1190666
https://bugzilla.suse.com/1190669
https://bugzilla.suse.com/1190702
https://bugzilla.suse.com/1190703

From
sle-security-updates at lists.suse.com Tue Oct 12 13:17:18 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 15:17:18 +0200 (CEST)
Subject: SUSE-SU-2021:3338-1: important: Security update for the Linux Kernel
Message-ID: <20211012131718.11AE5FE13@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3338-1
Rating:             important
References:         #1065729 #1148868 #1152489 #1154353 #1159886 #1167773
                    #1170774 #1171688 #1173746 #1174003 #1176447 #1176940
                    #1177028 #1178134 #1184439 #1184804 #1185302 #1185550
                    #1185677 #1185726 #1185762 #1187211 #1188067 #1188418
                    #1188651 #1188986 #1189257 #1189297 #1189841 #1189884
                    #1190023 #1190062 #1190115 #1190138 #1190159 #1190358
                    #1190406 #1190432 #1190467 #1190523 #1190534 #1190543
                    #1190544 #1190561 #1190576 #1190595 #1190596 #1190598
                    #1190620 #1190626 #1190679 #1190705 #1190717 #1190746
                    #1190758 #1190784 #1190785 #1191172 #1191193 #1191292
Cross-References:   CVE-2020-3702 CVE-2021-3669 CVE-2021-3744 CVE-2021-3752
                    CVE-2021-3764 CVE-2021-40490
CVSS scores:
                    CVE-2020-3702 (NVD):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-3702 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-3669 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-3744 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-3752 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3764 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-40490 (SUSE): 6.1 CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Module for Public Cloud 15-SP3
______________________________________________________________________________

An update that solves 6 vulnerabilities and has 54 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated.
The following security bugs were fixed:

- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193)
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
- CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could lead to local privilege escalation. (bnc#1190159)
- CVE-2021-3744: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1189884)
- CVE-2021-3764: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1190534)
- CVE-2021-3669: Fixed a bug that doesn't allow /proc/sysvipc/shm to scale with large shared memory segment counts, which could lead to resource exhaustion and DoS. (bsc#1188986)

The following non-security bugs were fixed:

- ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes).
- apparmor: remove duplicate macro list_entry_is_head() (git-fixes).
- ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes).
- ASoC: Intel: Fix platform ID matching (git-fixes).
- ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes).
- ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes).
- ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes).
- ASoC: rt5682: Implement remove callback (git-fixes).
- ASoC: rt5682: Properly turn off regulators if wrong device ID (git-fixes).
- ASoC: rt5682: Remove unused variable in rt5682_i2c_remove() (git-fixes).
- ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes).
- ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes).
- ath9k: fix sleeping in atomic context (git-fixes).
- backlight: pwm_bl: Improve bootloader/kernel device handover (git-fixes).
- bareudp: Fix invalid read beyond skb's linear data (jsc#SLE-15172). - blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762). - blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762). - blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762). - blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762). - blk-mq: mark if one queue map uses managed irq (bsc#1185762). - blk-mq: mark if one queue map uses managed irq (bsc#1185762). - Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes). - bnx2x: fix an error code in bnx2x_nic_load() (git-fixes). - bnxt_en: Add missing DMA memory barriers (git-fixes). - bnxt_en: Disable aRFS if running on 212 firmware (git-fixes). - bnxt_en: Do not enable legacy TX push on older firmware (git-fixes). - bnxt_en: Fix asic.rev in devlink dev info command (jsc#SLE-16649). - bnxt_en: fix stored FW_PSID version masks (jsc#SLE-16649). - bnxt_en: Store the running firmware version code (git-fixes). - bnxt: count Tx drops (git-fixes). - bnxt: disable napi before canceling DIM (git-fixes). - bnxt: do not lock the tx queue from napi poll (git-fixes). - bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes). - bpf, samples: Add missing mprog-disable to xdp_redirect_cpu's optstring (git-fixes). - bpf: Fix ringbuf helper function compatibility (git-fixes). - bpftool: Add sock_release help info for cgroup attach/prog load command (bsc#1177028). - btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626). - clk: at91: clk-generated: Limit the requested rate to our range (git-fixes). - clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes). - console: consume APC, DM, DCS (git-fixes). - cpuidle: pseries: Do not cap the CEDE0 latency in fixup_cede0_latency() (bsc#1185550 ltc#192610 git-fixes jsc#SLE-18128). - cuse: fix broken release (bsc#1190596). - cxgb4: dont touch blocked freelist bitmap after free (git-fixes). 
- debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746). - devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353). - devlink: Clear whole devlink_flash_notify struct (bsc#1176447). - dma-buf: DMABUF_MOVE_NOTIFY should depend on DMA_SHARED_BUFFER (git-fixes). - dmaengine: ioat: depends on !UML (git-fixes). - dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes). - dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes). - docs: Fix infiniband uverbs minor number (git-fixes). - drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes). - drm: avoid blocking in drm_clients_info's rcu section (git-fixes). - drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes). - drm/amd/display: Fix timer_per_pixel unit error (git-fixes). - drm/amdgpu: Fix BUG_ON assert (git-fixes). - drm/ast: Fix missing conversions to managed API (git-fixes). - drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes). - drm/i915: Allow the sysadmin to override security mitigations (git-fixes). - drm/i915/rkl: Remove require_force_probe protection (bsc#1189257). - drm/ingenic: Switch IPU plane to type OVERLAY (git-fixes). - drm/mgag200: Select clock in PLL update functions (git-fixes). - drm/msm/mdp4: move HW revision detection to earlier phase (git-fixes). - drm/msm/mdp4: refactor HW revision detection into read_mdp_hw_revision (git-fixes). - drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes). - drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes). - drm/pl111: depend on CONFIG_VEXPRESS_CONFIG (git-fixes). - drm/rockchip: cdn-dp-core: Make cdn_dp_core_resume __maybe_unused (git-fixes). - e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100). - e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes). - EDAC/i10nm: Fix NVDIMM detection (bsc#1152489). 
- EDAC/mce_amd: Do not load edac_mce_amd module on guests (bsc#1190138). - EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489). - enetc: Fix uninitialized struct dim_sample field usage (git-fixes). - erofs: fix up erofs_lookup tracepoint (git-fixes). - fbmem: do not allow too huge resolutions (git-fixes). - fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes). - fpga: machxo2-spi: Return an error on failure (git-fixes). - fuse: flush extending writes (bsc#1190595). - fuse: truncate pagecache on atomic_o_trunc (bsc#1190705). - genirq: add device_has_managed_msi_irq (bsc#1185762). - genirq: add device_has_managed_msi_irq (bsc#1185762). - gpio: uniphier: Fix void functions to remove return value (git-fixes). - gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes). - gve: fix the wrong AdminQ buffer overflow check (bsc#1176940). - hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726). - hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726). - hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes). - hwmon: (tmp421) fix rounding for negative values (git-fixes). - hwmon: (tmp421) report /PVLD condition as fault (git-fixes). - i40e: Add additional info to PHY type error (git-fixes). - i40e: Fix firmware LLDP agent related warning (git-fixes). - i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes). - i40e: Fix logic of disabling queues (git-fixes). - i40e: Fix queue-to-TC mapping on Tx (git-fixes). - i40e: improve locking of mac_filter_hash (jsc#SLE-13701). - iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940). - iavf: Set RSS LUT and key in reset handle path (git-fixes). - IB/hfi1: Indicate DMA wait when txq is queued for wakeup (jsc#SLE-13208). 
- ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510). - ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943). - ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943). - ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943). - ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943). - ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943). - ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943). - ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943). - ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943). - ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943). - ice: do not abort devlink info if board identifier can't be found (jsc#SLE-12878). - ice: do not remove netdev->dev_addr from uc sync list (git-fixes). - ice: Prevent probing virtual functions (git-fixes). - igc: Use num_tx_queues when iterating over tx_ring queue (jsc#SLE-13533). - iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes). - include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes). - iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784). - ionic: cleanly release devlink instance (bsc#1167773). - ionic: cleanly release devlink instance (bsc#1167773). - ionic: count csum_none when offload enabled (bsc#1167773). - ionic: drop useless check of PCI driver data validity (bsc#1167773). - ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115). - ipc/util.c: use binary search for max_idx (bsc#1159886). - ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467). - ipvs: avoid expiring many connections from timer (bsc#1190467). - ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467). - ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467). 
- iwlwifi Add support for ax201 in Samsung Galaxy Book Flex2 Alpha (git-fixes). - iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes). - kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable. - kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs. - kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#1190358). The script part for base package case is completely separate from the part for subpackages. Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead. - libata: fix ata_host_start() (git-fixes). - libbpf: Fix removal of inner map in bpf_object__create_map (git-fixes). - libbpf: Fix the possible memory leak on error (git-fixes). - mac80211-hwsim: fix late beacon hrtimer handling (git-fixes). - mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes). - mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes). - mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes). - mac80211: mesh: fix potentially unaligned access (git-fixes). - media: cedrus: Fix SUNXI tile size calculation (git-fixes). - media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes). - media: dib8000: rewrite the init prbs logic (git-fixes). - media: imx258: Limit the max analogue gain to 480 (git-fixes). - media: imx258: Rectify mismatch of VTS value (git-fixes). - media: rc-loopback: return number of emitters rather than error (git-fixes). - media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes). - media: uvc: do not do DMA on stack (git-fixes). - media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes). - mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes). - misc: sram: Only map reserved areas in Tegra SYSRAM (git-fixes). 
- misc: sram: use devm_platform_ioremap_resource_wc() (git-fixes). - mlx4: Fix missing error code in mlx4_load_one() (git-fixes). - mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes). - mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785). - mmc: core: Return correct emmc response in case of ioctl error (git-fixes). - mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes). - mmc: sdhci-of-arasan: Check return value of non-void funtions (git-fixes). - mmc: sdhci: Fix issue with uninitialized dma_slave_config (git-fixes). - net: ethernet: ti: cpsw: fix min eth packet size for non-switch use-cases (git-fixes). - net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726). - net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726). - net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726). - net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726). - net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726). - net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726). - net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726). - net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726). - net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726). - net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726). - net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes). - net: sched: sch_teql: fix null-pointer dereference (bsc#1190717). - net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes). - net/mlx5: Fix flow table chaining (git-fixes). - net/mlx5: Fix missing return value in mlx5_devlink_eswitch_inline_mode_set() (jsc#SLE-15172). - net/mlx5: Fix return value from tracer initialization (git-fixes). 
- net/mlx5: Unload device upon firmware fatal error (git-fixes). - net/mlx5e: Avoid creating tunnel headers for local route (git-fixes). - net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes). - net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes). - netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062). - nfp: update ethtool reporting of pauseframe control (git-fixes). - NFS: change nfs_access_get_cached to only report the mask (bsc#1190746). - NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746). - NFS: pass cred explicitly for access tests (bsc#1190746). - nvme-multipath: revalidate paths during rescan (bsc#1187211). - nvme-tcp: Do not reset transport on data digest errors (bsc#1188418). - nvme: avoid race in shutdown namespace removal (bsc#1188067). - nvme: fix refcounting imbalance when all paths are down (bsc#1188067). - nvme: only call synchronize_srcu when clearing current path (bsc#1188067). - optee: Fix memory leak when failing to register shm pages (git-fixes). - parport: remove non-zero check on count (git-fixes). - PCI: aardvark: Fix checking for PIO status (git-fixes). - PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes). - PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes). - PCI: Add ACS quirks for Cavium multi-function devices (git-fixes). - PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes). - PCI: Add AMD GPU multi-function power dependencies (git-fixes). - PCI: ibmphp: Fix double unmap of io_mem (git-fixes). - PCI: of: Do not fail devm_pci_alloc_host_bridge() on missing 'ranges' (git-fixes). - PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes). - PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes). - PCI: pci-bridge-emul: Fix big-endian support (git-fixes). - PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes). 
- PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes). - phy: tegra: xusb: Fix dangling pointer on probe failure (git-fixes). - PM: base: power: do not try to use non-existing RTC for storing data (git-fixes). - PM: EM: Increase energy calculation precision (git-fixes). - power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes). - power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes). - powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289). - powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868). - powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523). - powerpc/numa: Consider the max NUMA node for migratable LPAR (bsc#1190544 ltc#194520). - powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729). - powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729). - powerpc/perf: Fix the check for SIAR value (bsc#1065729). - powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729). - powerpc/perf: Use stack siar instead of mfspr (bsc#1065729). - powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729). - powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729). - powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729). - powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498). - powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729). - pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523). - pwm: img: Do not modify HW state in .remove() callback (git-fixes). - pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes). - pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes). - qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes). - RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774). 
- RDMA/hns: Fix QP's resp incomplete assignment (jsc#SLE-14777). - RDMA/mlx5: Delay emptying a cache entry when a new MR is added to it recently (jsc#SLE-15175). - RDMA/mlx5: Delete not-available udata check (jsc#SLE-15175). - RDMA/rtrs: Remove a useless kfree() (jsc#SLE-15176). - Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes). - regmap: fix page selection for noinc reads (git-fixes). - regmap: fix page selection for noinc writes (git-fixes). - regmap: fix the offset of register error log (git-fixes). - Restore kabi after NFS: pass cred explicitly for access tests (bsc#1190746). - rpm: Abolish scritplet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. This allows fixing bugs in the scriptlets as well as defining initrd regeneration policy independent of the kernel packages. - rpm/kernel-binary.spec: Use only non-empty certificates. - rpm/kernel-binary.spec.in: avoid conflicting suse-release suse-release had arbitrary values in staging, we can't use it for dependencies. The filesystem one has to be enough (boo#1184804). - rtc: rx8010: select REGMAP_I2C (git-fixes). - rtc: tps65910: Correct driver module alias (git-fixes). - s390/unwind: use current_frame_address() to unwind current task (bsc#1185677). - sch_cake: fix srchost/dsthost hashing mode (bsc#1176447). - sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292). - scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576). - scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576). - scsi: fc: Add EDC ELS definition (bsc#1190576). - scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576). - scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576). - scsi: lpfc: Add cm statistics buffer support (bsc#1190576). - scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576). - scsi: lpfc: Add cmfsync WQE support (bsc#1190576). 
- scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576). - scsi: lpfc: Add EDC ELS support (bsc#1190576). - scsi: lpfc: Add MIB feature enablement support (bsc#1190576). - scsi: lpfc: Add rx monitoring statistics (bsc#1190576). - scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576). - scsi: lpfc: Add support for cm enablement buffer (bsc#1190576). - scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576). - scsi: lpfc: Add support for the CM framework (bsc#1190576). - scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576). - scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576). - scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576). - scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576). - scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576). - scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576). - scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576). - scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576). - scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576). - scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576). - scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576). - scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576). - scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576). - scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576). - scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576). - scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576). - scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576). - scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576). - scsi: lpfc: Remove unneeded variable (bsc#1190576). 
- scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576). - scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576). - scsi: lpfc: Use correct scnprintf() limit (bsc#1190576). - scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576). - scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576). - scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576). - scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297). - scsi/fc: kABI fixes for new ELS_EDC, ELS_RDP definition (bsc#1171688 bsc#1174003 bsc#1190576). - selftests/bpf: Define string const as global for test_sysctl_prog.c (git-fixes). - selftests/bpf: Fix bpf-iter-tcp4 test to print correctly the dest IP (git-fixes). - selftests/bpf: Fix test_sysctl_loop{1, 2} failure due to clang change (git-fixes). - selftests/bpf: Whitelist test_progs.h from .gitignore (git-fixes). - serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes). - serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes). - serial: mvebu-uart: fix driver's tx_empty callback (git-fixes). - serial: sh-sci: fix break handling for sysrq (git-fixes). - spi: Fix tegra20 build with CONFIG_PM=n (git-fixes). - staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes). - staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes). - staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes). - thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes). - time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes). - tools: bpf: Fix error in 'make -C tools/ bpf_install' (git-fixes). - tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes). - tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes). - tty: synclink_gt, drop unneeded forward declarations (git-fixes). 
- usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes). - usb: core: hcd: Add support for deferring roothub registration (git-fixes). - usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes). - usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes). - usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes). - usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes). - usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes). - usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes). - usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes). - usb: host: fotg210: fix the actual_length of an iso packet (git-fixes). - usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes). - usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes). - usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes). - usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes). - usb: serial: option: add device id for Foxconn T99W265 (git-fixes). - usb: serial: option: add Telit LN920 compositions (git-fixes). - usb: serial: option: remove duplicate USB device ID (git-fixes). - usbip: give back URBs for unsent unlink requests during cleanup (git-fixes). - usbip:vhci_hcd USB port can get stuck in the disabled state (git-fixes). - video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes). - video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes). - video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes). - video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes). - vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406). - vmxnet3: add support for ESP IPv6 RSS (bsc#1190406). - vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406). - vmxnet3: prepare for version 6 changes (bsc#1190406). 
   - vmxnet3: remove power of 2 limitation on the queues (bsc#1190406).
   - vmxnet3: set correct hash type based on rss information (bsc#1190406).
   - vmxnet3: update to version 6 (bsc#1190406).
   - watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes).
   - x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302).
   - x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1190561).
   - x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
   - x86/asm: Fix SETZ size enqcmds() build failure (bsc#1178134).
   - x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289).
   - x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489).
   - x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489).
   - x86/resctrl: Fix default monitoring groups reporting (bsc#1152489).
   - xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651).
   - xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679).
   - xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).
   - xhci: Set HCD flag to defer primary roothub registration (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2021-3338=1

Package List:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP3 (noarch):

      kernel-devel-azure-5.3.18-38.25.2
      kernel-source-azure-5.3.18-38.25.2

   - SUSE Linux Enterprise Module for Public Cloud 15-SP3 (x86_64):

      kernel-azure-5.3.18-38.25.2
      kernel-azure-debuginfo-5.3.18-38.25.2
      kernel-azure-debugsource-5.3.18-38.25.2
      kernel-azure-devel-5.3.18-38.25.2
      kernel-azure-devel-debuginfo-5.3.18-38.25.2
      kernel-syms-azure-5.3.18-38.25.1

References:

   https://www.suse.com/security/cve/CVE-2020-3702.html
   https://www.suse.com/security/cve/CVE-2021-3669.html
   https://www.suse.com/security/cve/CVE-2021-3744.html
   https://www.suse.com/security/cve/CVE-2021-3752.html
   https://www.suse.com/security/cve/CVE-2021-3764.html
   https://www.suse.com/security/cve/CVE-2021-40490.html
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1148868
   https://bugzilla.suse.com/1152489
   https://bugzilla.suse.com/1154353
   https://bugzilla.suse.com/1159886
   https://bugzilla.suse.com/1167773
   https://bugzilla.suse.com/1170774
   https://bugzilla.suse.com/1171688
   https://bugzilla.suse.com/1173746
   https://bugzilla.suse.com/1174003
   https://bugzilla.suse.com/1176447
   https://bugzilla.suse.com/1176940
   https://bugzilla.suse.com/1177028
   https://bugzilla.suse.com/1178134
   https://bugzilla.suse.com/1184439
   https://bugzilla.suse.com/1184804
   https://bugzilla.suse.com/1185302
   https://bugzilla.suse.com/1185550
   https://bugzilla.suse.com/1185677
   https://bugzilla.suse.com/1185726
   https://bugzilla.suse.com/1185762
   https://bugzilla.suse.com/1187211
   https://bugzilla.suse.com/1188067
   https://bugzilla.suse.com/1188418
   https://bugzilla.suse.com/1188651
   https://bugzilla.suse.com/1188986
   https://bugzilla.suse.com/1189257
   https://bugzilla.suse.com/1189297
   https://bugzilla.suse.com/1189841
   https://bugzilla.suse.com/1189884
   https://bugzilla.suse.com/1190023
   https://bugzilla.suse.com/1190062
   https://bugzilla.suse.com/1190115
   https://bugzilla.suse.com/1190138
   https://bugzilla.suse.com/1190159
   https://bugzilla.suse.com/1190358
   https://bugzilla.suse.com/1190406
   https://bugzilla.suse.com/1190432
   https://bugzilla.suse.com/1190467
   https://bugzilla.suse.com/1190523
   https://bugzilla.suse.com/1190534
   https://bugzilla.suse.com/1190543
   https://bugzilla.suse.com/1190544
   https://bugzilla.suse.com/1190561
   https://bugzilla.suse.com/1190576
   https://bugzilla.suse.com/1190595
   https://bugzilla.suse.com/1190596
   https://bugzilla.suse.com/1190598
   https://bugzilla.suse.com/1190620
   https://bugzilla.suse.com/1190626
   https://bugzilla.suse.com/1190679
   https://bugzilla.suse.com/1190705
   https://bugzilla.suse.com/1190717
   https://bugzilla.suse.com/1190746
   https://bugzilla.suse.com/1190758
   https://bugzilla.suse.com/1190784
   https://bugzilla.suse.com/1190785
   https://bugzilla.suse.com/1191172
   https://bugzilla.suse.com/1191193
   https://bugzilla.suse.com/1191292

From sle-security-updates at lists.suse.com Tue Oct 12 13:26:28 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 15:26:28 +0200 (CEST)
Subject: SUSE-SU-2021:3336-1: important: Security update for containerd, docker, runc
Message-ID: <20211012132628.A9CC2FE13@maintenance.suse.de>

   SUSE Security Update: Security update for containerd, docker, runc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3336-1
Rating:             important
References:         #1102408 #1185405 #1187704 #1188282 #1191015 #1191121 #1191334 #1191355 #1191434
Cross-References:   CVE-2021-30465 CVE-2021-32760 CVE-2021-41089 CVE-2021-41091 CVE-2021-41092 CVE-2021-41103
CVSS scores:
                    CVE-2021-30465 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-30465 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-32760 (NVD) : 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
                    CVE-2021-32760 (SUSE): 3 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:L
                    CVE-2021-41089 (NVD) : 2.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
                    CVE-2021-41089 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-41091 (NVD) : 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
                    CVE-2021-41091 (SUSE): 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
                    CVE-2021-41092 (NVD) : 5.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
                    CVE-2021-41092 (SUSE): 5.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
                    CVE-2021-41103 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Module for Containers 12
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has 3 fixes is now available.

Description:

   This update for containerd, docker, runc fixes the following issues:

   Docker was updated to 20.10.9-ce (bsc#1191355). See the upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. This addresses CVE-2021-41089, CVE-2021-41091, CVE-2021-41092 and CVE-2021-41103.

   containerd was updated to v1.4.11, to fix CVE-2021-41103 (bsc#1191355).

   - CVE-2021-32760: Fixed an issue where the archive package allowed chmod of a file outside of the unpack target directory (bsc#1188282).

   Update to runc v1.0.2. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.2

   * Fixed a failure to set CPU quota period in some cases on cgroup v1.
   * Fixed the inability to start a container with the "adding seccomp filter rule for syscall ..." error, caused by redundant seccomp rules (i.e. those whose action is equal to the default one). Such redundant rules are now skipped.
   * Made release builds reproducible from now on.
   * Fixed a rare debug log race in runc init, which can result in occasional harmful "failed to decode ..." errors from runc run or exec.
   * Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working.

   Update to runc v1.0.1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.1

   * Fixed occasional runc exec/run failure ("interrupted system call") on an Azure volume.
   * Fixed "unable to find groups ... token too long" error with /etc/group containing lines longer than 64K characters.
   * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some libcontainer users (e.g. Kubernetes).
   * cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely.
   * cgroup/systemd/v2: don't freeze cgroup on Set.
   * cgroup/systemd/v1: avoid unnecessary freeze on Set.

   - fix issues with runc under openSUSE MicroOS's SELinux policy (bsc#1187704).

   Update to runc v1.0.0. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0

   ! The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations).
   * cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers).
   * cgroupv2: correctly convert "number of IOs" statistics in a cgroupv1-compatible way.
   * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
* cgroupv2: wait for freeze to finish before returning from the freezing
  code, optimize the method for checking whether a cgroup is frozen.
* cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
* cgroups/systemd: fixed returning "unit already exists" error from a
  systemd cgroup manager (regression in rc94)
+ cgroupv2: support SkipDevices with systemd driver
+ cgroup/systemd: return, not ignore, stop unit error from Destroy
+ Make "runc --version" output sane even when built with go get or
  otherwise outside of our build scripts.
+ cgroups: set SkipDevices during runc update (so we don't modify cgroups at
  all during runc update).
+ cgroup1: blkio: support BFQ weights.
+ cgroupv2: set per-device io weights if BFQ IO scheduler is available.

Update to runc v1.0.0~rc95. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95

This release of runc contains a fix for CVE-2021-30465, and users are
strongly recommended to update (especially if you are providing semi-limited
access to spawn containers to untrusted users). (bsc#1185405)

Update to runc v1.0.0~rc94. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94

Breaking Changes:
* cgroupv1: kernel memory limits are now always ignored, as kmemcg has been
  effectively deprecated by the kernel. Users should make use of regular
  memory cgroup controls.

Regression Fixes:
* seccomp: fix 32-bit compilation errors
* runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
* runc start: fix "chdir to cwd: permission denied" for some setups

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Containers 12:

      zypper in -t patch SUSE-SLE-Module-Containers-12-2021-3336=1

Package List:

   - SUSE Linux Enterprise Module for Containers 12 (ppc64le s390x x86_64):

      containerd-1.4.11-16.45.1
      docker-20.10.9_ce-98.72.1
      docker-debuginfo-20.10.9_ce-98.72.1
      runc-1.0.2-16.14.1
      runc-debuginfo-1.0.2-16.14.1

References:

   https://www.suse.com/security/cve/CVE-2021-30465.html
   https://www.suse.com/security/cve/CVE-2021-32760.html
   https://www.suse.com/security/cve/CVE-2021-41089.html
   https://www.suse.com/security/cve/CVE-2021-41091.html
   https://www.suse.com/security/cve/CVE-2021-41092.html
   https://www.suse.com/security/cve/CVE-2021-41103.html
   https://bugzilla.suse.com/1102408
   https://bugzilla.suse.com/1185405
   https://bugzilla.suse.com/1187704
   https://bugzilla.suse.com/1188282
   https://bugzilla.suse.com/1191015
   https://bugzilla.suse.com/1191121
   https://bugzilla.suse.com/1191334
   https://bugzilla.suse.com/1191355
   https://bugzilla.suse.com/1191434

From sle-security-updates at lists.suse.com Tue Oct 12 13:39:55 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 15:39:55 +0200 (CEST)
Subject: SUSE-SU-2021:3339-1: important: Security update for the Linux Kernel
Message-ID: <20211012133955.221C0FE13@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3339-1
Rating:             important
References:         #1065729 #1148868 #1152489 #1154353 #1159886 #1167773
                    #1170774 #1173746 #1176940 #1184439 #1184804 #1185302
                    #1185677 #1185726 #1185762 #1187167 #1188067 #1188651
                    #1188986 #1189297 #1189841 #1189884 #1190023 #1190062
                    #1190115 #1190159 #1190358 #1190406 #1190432 #1190467
                    #1190523 #1190534 #1190543 #1190576 #1190595 #1190596
                    #1190598 #1190620 #1190626 #1190679 #1190705 #1190717
                    #1190746 #1190758 #1190784 #1190785
                    #1191172 #1191193 #1191240 #1191292

Cross-References:   CVE-2020-3702 CVE-2021-3669 CVE-2021-3744 CVE-2021-3752
                    CVE-2021-3764 CVE-2021-40490

CVSS scores:
   CVE-2020-3702 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
   CVE-2020-3702 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
   CVE-2021-3669 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
   CVE-2021-3744 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
   CVE-2021-3752 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
   CVE-2021-3764 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
   CVE-2021-40490 (SUSE): 6.1 CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Products:
   SUSE MicroOS 5.0
   SUSE Linux Enterprise Module for Realtime 15-SP2
______________________________________________________________________________

An update that solves 6 vulnerabilities and has 44 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP2 kernel was updated to 3.12.31 to receive
various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed
  and handcrafted traffic and cause internal errors in a WLAN device that lead
  to improper layer 2 Wi-Fi encryption with a consequent possibility of
  information disclosure. (bnc#1191193)
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's
  bluetooth module. (bsc#1190023)
- CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that
  could lead to local privilege escalation. (bnc#1190159)
- CVE-2021-3744: Fixed a bug which could allow attackers to cause a denial of
  service. (bsc#1189884)
- CVE-2021-3764: Fixed a bug which could allow attackers to cause a denial of
  service. (bsc#1190534)
- CVE-2021-3669: Fixed a bug that doesn't allow /proc/sysvipc/shm to scale with
  large shared memory segment counts which could lead to resource exhaustion
  and DoS.
  (bsc#1188986)

The following non-security bugs were fixed:

- ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes).
- apparmor: remove duplicate macro list_entry_is_head() (git-fixes).
- ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes).
- ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes).
- ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes).
- ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes).
- ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes).
- ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes).
- ath9k: fix sleeping in atomic context (git-fixes).
- backlight: pwm_bl: Improve bootloader/kernel device handover (git-fixes).
- blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
- blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762).
- blk-mq: mark if one queue map uses managed irq (bsc#1185762).
- Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes).
- bnx2x: fix an error code in bnx2x_nic_load() (git-fixes).
- bnxt_en: Add missing DMA memory barriers (git-fixes).
- bnxt_en: Disable aRFS if running on 212 firmware (git-fixes).
- bnxt_en: Do not enable legacy TX push on older firmware (git-fixes).
- bnxt_en: Store the running firmware version code (git-fixes).
- bnxt: count Tx drops (git-fixes).
- bnxt: disable napi before canceling DIM (git-fixes).
- bnxt: do not lock the tx queue from napi poll (git-fixes).
- bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes).
- btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626).
- clk: at91: clk-generated: Limit the requested rate to our range (git-fixes).
- clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes).
- console: consume APC, DM, DCS (git-fixes).
- cuse: fix broken release (bsc#1190596).
- cxgb4: dont touch blocked freelist bitmap after free (git-fixes).
- debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746).
- devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353).
- dmaengine: ioat: depends on !UML (git-fixes).
- dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes).
- dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes).
- docs: Fix infiniband uverbs minor number (git-fixes).
- drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes).
- drm: avoid blocking in drm_clients_info's rcu section (git-fixes).
- drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes).
- drm/amd/display: Fix timer_per_pixel unit error (git-fixes).
- drm/amdgpu: Fix BUG_ON assert (git-fixes).
- drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes).
- drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes).
- drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes).
- e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100).
- e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes).
- EDAC/i10nm: Fix NVDIMM detection (bsc#1152489).
- EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489).
- erofs: fix up erofs_lookup tracepoint (git-fixes).
- fbmem: do not allow too huge resolutions (git-fixes).
- fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes).
- fpga: machxo2-spi: Return an error on failure (git-fixes).
- fuse: flush extending writes (bsc#1190595).
- fuse: truncate pagecache on atomic_o_trunc (bsc#1190705).
- genirq: add device_has_managed_msi_irq (bsc#1185762).
- gpio: uniphier: Fix void functions to remove return value (git-fixes).
- gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes).
- gve: fix the wrong AdminQ buffer overflow check (bsc#1176940).
- hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
- hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes).
- hwmon: (tmp421) fix rounding for negative values (git-fixes).
- hwmon: (tmp421) report /PVLD condition as fault (git-fixes).
- i40e: Add additional info to PHY type error (git-fixes).
- i40e: Fix firmware LLDP agent related warning (git-fixes).
- i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes).
- i40e: Fix logic of disabling queues (git-fixes).
- i40e: Fix queue-to-TC mapping on Tx (git-fixes).
- iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940).
- iavf: Set RSS LUT and key in reset handle path (git-fixes).
- ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
- ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943).
- ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943).
- ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943).
- ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943).
- ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943).
- ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943).
- ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943).
- ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943).
- ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943).
- ice: Prevent probing virtual functions (git-fixes).
- iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes).
- include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes).
- iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784).
- ionic: cleanly release devlink instance (bsc#1167773).
- ionic: count csum_none when offload enabled (bsc#1167773).
- ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
- ipc/util.c: use binary search for max_idx (bsc#1159886).
- ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467).
- ipvs: avoid expiring many connections from timer (bsc#1190467).
- ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467).
- ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467).
- iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes).
- kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable.
- kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358).
  Copy the code from kernel-module-subpackage that deals with empty KMPs.
- kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167 bsc#1191240 ltc#194716).
- kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#1190358).
  The script part for base package case is completely separate from the part
  for subpackages. Remove the part for subpackages from the base package
  script and use the KMP scripts for subpackages instead.
- libata: fix ata_host_start() (git-fixes).
- mac80211-hwsim: fix late beacon hrtimer handling (git-fixes).
- mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes).
- mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes).
- mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes).
- mac80211: mesh: fix potentially unaligned access (git-fixes).
- media: cedrus: Fix SUNXI tile size calculation (git-fixes).
- media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes).
- media: dib8000: rewrite the init prbs logic (git-fixes).
- media: imx258: Limit the max analogue gain to 480 (git-fixes).
- media: imx258: Rectify mismatch of VTS value (git-fixes).
- media: rc-loopback: return number of emitters rather than error (git-fixes).
- media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes).
- media: uvc: do not do DMA on stack (git-fixes).
- media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes).
- mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes).
- mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
- mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes).
- mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785).
- mmc: core: Return correct emmc response in case of ioctl error (git-fixes).
- mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes).
- mmc: sdhci-of-arasan: Check return value of non-void funtions (git-fixes).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
- net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
- net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
- net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes).
- net/mlx5: Fix flow table chaining (git-fixes).
- net/mlx5: Fix return value from tracer initialization (git-fixes).
- net/mlx5: Unload device upon firmware fatal error (git-fixes).
- net/mlx5e: Avoid creating tunnel headers for local route (git-fixes).
- net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes).
- net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes).
- netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062).
- nfp: update ethtool reporting of pauseframe control (git-fixes).
- NFS: change nfs_access_get_cached to only report the mask (bsc#1190746).
- NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746).
- NFS: pass cred explicitly for access tests (bsc#1190746).
- nvme: avoid race in shutdown namespace removal (bsc#1188067).
- nvme: fix refcounting imbalance when all paths are down (bsc#1188067).
- parport: remove non-zero check on count (git-fixes).
- PCI: aardvark: Fix checking for PIO status (git-fixes).
- PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes).
- PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes).
- PCI: Add ACS quirks for Cavium multi-function devices (git-fixes).
- PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes).
- PCI: Add AMD GPU multi-function power dependencies (git-fixes).
- PCI: ibmphp: Fix double unmap of io_mem (git-fixes).
- PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes).
- PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes).
- PCI: pci-bridge-emul: Fix big-endian support (git-fixes).
- PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes).
- PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes).
- PM: base: power: do not try to use non-existing RTC for storing data (git-fixes).
- PM: EM: Increase energy calculation precision (git-fixes).
- power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes).
- power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes).
- powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289).
- powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
- powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
- powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
- powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
- powerpc/perf: Fix the check for SIAR value (bsc#1065729).
- powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
- powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
- powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
- powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
- powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
- powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
- powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
- pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
- pwm: img: Do not modify HW state in .remove() callback (git-fixes).
- pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes).
- pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes).
- qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
- RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774).
- Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes).
- regmap: fix page selection for noinc reads (git-fixes).
- regmap: fix page selection for noinc writes (git-fixes).
- regmap: fix the offset of register error log (git-fixes).
- Restore kabi after NFS: pass cred explicitly for access tests (bsc#1190746).
- rpm: Abolish scritplet templating (bsc#1189841).
  Outsource kernel-binary and KMP scriptlets to suse-module-tools.
  This allows fixing bugs in the scriptlets as well as defining initrd
  regeneration policy independent of the kernel packages.
- rpm/kernel-binary.spec: Use only non-empty certificates.
- rpm/kernel-binary.spec.in: avoid conflicting suse-release
  suse-release had arbitrary values in staging, we can't use it for
  dependencies. The filesystem one has to be enough (boo#1184804).
- rtc: rx8010: select REGMAP_I2C (git-fixes).
- rtc: tps65910: Correct driver module alias (git-fixes).
- s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
- sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292).
- scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
- scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
- scsi: fc: Add EDC ELS definition (bsc#1190576).
- scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
- scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
- scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
- scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
- scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
- scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
- scsi: lpfc: Add EDC ELS support (bsc#1190576).
- scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
- scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
- scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
- scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
- scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576).
- scsi: lpfc: Add support for the CM framework (bsc#1190576).
- scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576).
- scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576).
- scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576).
- scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576).
- scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576).
- scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576).
- scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576).
- scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576).
- scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576).
- scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576).
- scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576).
- scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576).
- scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576).
- scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576).
- scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576).
- scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576).
- scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576).
- scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576).
- scsi: lpfc: Remove unneeded variable (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576).
- scsi: lpfc: Use correct scnprintf() limit (bsc#1190576).
- scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576).
- scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576).
- scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576).
- scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297).
- serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes).
- serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes).
- serial: mvebu-uart: fix driver's tx_empty callback (git-fixes).
- serial: sh-sci: fix break handling for sysrq (git-fixes).
- spi: Fix tegra20 build with CONFIG_PM=n (git-fixes).
- staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes).
- staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes).
- staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes).
- thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes).
- time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes).
- tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes).
- tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes).
- tty: synclink_gt, drop unneeded forward declarations (git-fixes).
- usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes).
- usb: core: hcd: Add support for deferring roothub registration (git-fixes).
- usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes).
- usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes).
- usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes).
- usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes).
- usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes).
- usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes).
- usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes).
- usb: host: fotg210: fix the actual_length of an iso packet (git-fixes).
- usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes).
- usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes).
- usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes).
- usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes).
- usb: serial: option: add device id for Foxconn T99W265 (git-fixes).
- usb: serial: option: add Telit LN920 compositions (git-fixes).
- usb: serial: option: remove duplicate USB device ID (git-fixes).
- usbip: give back URBs for unsent unlink requests during cleanup (git-fixes).
- usbip:vhci_hcd USB port can get stuck in the disabled state (git-fixes).
- video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes).
- video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes).
- video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes).
- video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes).
- vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406).
- vmxnet3: add support for ESP IPv6 RSS (bsc#1190406).
- vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406).
- vmxnet3: prepare for version 6 changes (bsc#1190406).
- vmxnet3: remove power of 2 limitation on the queues (bsc#1190406).
- vmxnet3: set correct hash type based on rss information (bsc#1190406).
- vmxnet3: update to version 6 (bsc#1190406).
- watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes).
- x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302).
- x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
- x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289).
- x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489).
- x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489).
- x86/resctrl: Fix default monitoring groups reporting (bsc#1152489).
- xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651).
- xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679).
- xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).
- xhci: Set HCD flag to defer primary roothub registration (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3339=1

   - SUSE Linux Enterprise Module for Realtime 15-SP2:

      zypper in -t patch SUSE-SLE-Module-RT-15-SP2-2021-3339=1

Package List:

   - SUSE MicroOS 5.0 (x86_64):

      kernel-rt-5.3.18-54.1
      kernel-rt-debuginfo-5.3.18-54.1
      kernel-rt-debugsource-5.3.18-54.1

   - SUSE Linux Enterprise Module for Realtime 15-SP2 (x86_64):

      cluster-md-kmp-rt-5.3.18-54.1
      cluster-md-kmp-rt-debuginfo-5.3.18-54.1
      dlm-kmp-rt-5.3.18-54.1
      dlm-kmp-rt-debuginfo-5.3.18-54.1
      gfs2-kmp-rt-5.3.18-54.1
      gfs2-kmp-rt-debuginfo-5.3.18-54.1
      kernel-rt-5.3.18-54.1
      kernel-rt-debuginfo-5.3.18-54.1
      kernel-rt-debugsource-5.3.18-54.1
      kernel-rt-devel-5.3.18-54.1
      kernel-rt-devel-debuginfo-5.3.18-54.1
      kernel-rt_debug-5.3.18-54.1
      kernel-rt_debug-debuginfo-5.3.18-54.1
      kernel-rt_debug-debugsource-5.3.18-54.1
      kernel-rt_debug-devel-5.3.18-54.1
      kernel-rt_debug-devel-debuginfo-5.3.18-54.1
      kernel-syms-rt-5.3.18-54.1
      ocfs2-kmp-rt-5.3.18-54.1
      ocfs2-kmp-rt-debuginfo-5.3.18-54.1

   - SUSE Linux Enterprise Module for Realtime 15-SP2 (noarch):

      kernel-devel-rt-5.3.18-54.1
      kernel-source-rt-5.3.18-54.1

References:

   https://www.suse.com/security/cve/CVE-2020-3702.html
   https://www.suse.com/security/cve/CVE-2021-3669.html
   https://www.suse.com/security/cve/CVE-2021-3744.html
   https://www.suse.com/security/cve/CVE-2021-3752.html
   https://www.suse.com/security/cve/CVE-2021-3764.html
   https://www.suse.com/security/cve/CVE-2021-40490.html
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1148868
   https://bugzilla.suse.com/1152489
   https://bugzilla.suse.com/1154353
   https://bugzilla.suse.com/1159886
   https://bugzilla.suse.com/1167773
   https://bugzilla.suse.com/1170774
   https://bugzilla.suse.com/1173746
   https://bugzilla.suse.com/1176940
   https://bugzilla.suse.com/1184439
   https://bugzilla.suse.com/1184804
   https://bugzilla.suse.com/1185302
   https://bugzilla.suse.com/1185677
   https://bugzilla.suse.com/1185726
   https://bugzilla.suse.com/1185762
   https://bugzilla.suse.com/1187167
   https://bugzilla.suse.com/1188067
   https://bugzilla.suse.com/1188651
   https://bugzilla.suse.com/1188986
   https://bugzilla.suse.com/1189297
   https://bugzilla.suse.com/1189841
   https://bugzilla.suse.com/1189884
   https://bugzilla.suse.com/1190023
   https://bugzilla.suse.com/1190062
   https://bugzilla.suse.com/1190115
   https://bugzilla.suse.com/1190159
   https://bugzilla.suse.com/1190358
   https://bugzilla.suse.com/1190406
   https://bugzilla.suse.com/1190432
   https://bugzilla.suse.com/1190467
   https://bugzilla.suse.com/1190523
   https://bugzilla.suse.com/1190534
   https://bugzilla.suse.com/1190543
   https://bugzilla.suse.com/1190576
   https://bugzilla.suse.com/1190595
   https://bugzilla.suse.com/1190596
   https://bugzilla.suse.com/1190598
   https://bugzilla.suse.com/1190620
   https://bugzilla.suse.com/1190626
   https://bugzilla.suse.com/1190679
   https://bugzilla.suse.com/1190705
   https://bugzilla.suse.com/1190717
   https://bugzilla.suse.com/1190746
   https://bugzilla.suse.com/1190758
   https://bugzilla.suse.com/1190784
   https://bugzilla.suse.com/1190785
   https://bugzilla.suse.com/1191172
   https://bugzilla.suse.com/1191193
   https://bugzilla.suse.com/1191240
   https://bugzilla.suse.com/1191292

From sle-security-updates at lists.suse.com Tue Oct 12 13:49:40 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 15:49:40 +0200 (CEST)
Subject: SUSE-SU-2021:3337-1: important: Security update for the Linux Kernel
Message-ID: <20211012134940.572E5FE13@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3337-1
Rating:             important
References:         #1065729 #1148868 #1152489 #1154353 #1159886 #1167773
                    #1170774 #1173746 #1176940 #1184439 #1184804 #1185302
                    #1185677 #1185726 #1185762 #1187167 #1188067 #1188651
                    #1188986 #1189297 #1189841 #1189884 #1190023 #1190062
                    #1190115 #1190159
                    #1190358 #1190406 #1190432 #1190467 #1190523 #1190534
                    #1190543 #1190576 #1190595 #1190596 #1190598 #1190620
                    #1190626 #1190679 #1190705 #1190717 #1190746 #1190758
                    #1190784 #1190785 #1191172 #1191193 #1191240 #1191292

Cross-References:   CVE-2020-3702 CVE-2021-3669 CVE-2021-3744 CVE-2021-3752
                    CVE-2021-3764 CVE-2021-40490

CVSS scores:
   CVE-2020-3702 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
   CVE-2020-3702 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
   CVE-2021-3669 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
   CVE-2021-3744 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
   CVE-2021-3752 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
   CVE-2021-3764 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
   CVE-2021-40490 (SUSE): 6.1 CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Products:
   SUSE Linux Enterprise Module for Public Cloud 15-SP2
______________________________________________________________________________

An update that solves 6 vulnerabilities and has 44 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP2 kernel was updated.

The following security bugs were fixed:

- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed
  and handcrafted traffic and cause internal errors in a WLAN device that lead
  to improper layer 2 Wi-Fi encryption with a consequent possibility of
  information disclosure. (bnc#1191193)
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's
  bluetooth module. (bsc#1190023)
- CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that
  could lead to local privilege escalation. (bnc#1190159)
- CVE-2021-3744: Fixed a bug which could allow attackers to cause a denial of
  service. (bsc#1189884)
- CVE-2021-3764: Fixed a bug which could allow attackers to cause a denial of
  service.
(bsc#1190534)
   - CVE-2021-3669: Fixed a bug that doesn't allow /proc/sysvipc/shm to scale with large shared memory segment counts, which could lead to resource exhaustion and DoS. (bsc#1188986)

   The following non-security bugs were fixed:

   - ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes).
   - apparmor: remove duplicate macro list_entry_is_head() (git-fixes).
   - ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes).
   - ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes).
   - ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes).
   - ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes).
   - ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes).
   - ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes).
   - ath9k: fix sleeping in atomic context (git-fixes).
   - backlight: pwm_bl: Improve bootloader/kernel device handover (git-fixes).
   - blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
   - blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762).
   - blk-mq: mark if one queue map uses managed irq (bsc#1185762).
   - Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes).
   - bnx2x: fix an error code in bnx2x_nic_load() (git-fixes).
   - bnxt_en: Add missing DMA memory barriers (git-fixes).
   - bnxt_en: Disable aRFS if running on 212 firmware (git-fixes).
   - bnxt_en: Do not enable legacy TX push on older firmware (git-fixes).
   - bnxt_en: Store the running firmware version code (git-fixes).
   - bnxt: count Tx drops (git-fixes).
   - bnxt: disable napi before canceling DIM (git-fixes).
   - bnxt: do not lock the tx queue from napi poll (git-fixes).
   - bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes).
   - btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626).
   - clk: at91: clk-generated: Limit the requested rate to our range (git-fixes).
   - clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes).
   - console: consume APC, DM, DCS (git-fixes).
   - cuse: fix broken release (bsc#1190596).
   - cxgb4: dont touch blocked freelist bitmap after free (git-fixes).
   - debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746).
   - devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353).
   - dmaengine: ioat: depends on !UML (git-fixes).
   - dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes).
   - dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes).
   - docs: Fix infiniband uverbs minor number (git-fixes).
   - drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes).
   - drm: avoid blocking in drm_clients_info's rcu section (git-fixes).
   - drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes).
   - drm/amd/display: Fix timer_per_pixel unit error (git-fixes).
   - drm/amdgpu: Fix BUG_ON assert (git-fixes).
   - drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes).
   - drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes).
   - drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes).
   - e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100).
   - e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes).
   - EDAC/i10nm: Fix NVDIMM detection (bsc#1152489).
   - EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489).
   - erofs: fix up erofs_lookup tracepoint (git-fixes).
   - fbmem: do not allow too huge resolutions (git-fixes).
   - fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes).
   - fpga: machxo2-spi: Return an error on failure (git-fixes).
   - fuse: flush extending writes (bsc#1190595).
   - fuse: truncate pagecache on atomic_o_trunc (bsc#1190705).
   - genirq: add device_has_managed_msi_irq (bsc#1185762).
   - gpio: uniphier: Fix void functions to remove return value (git-fixes).
   - gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes).
   - gve: fix the wrong AdminQ buffer overflow check (bsc#1176940).
   - hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726).
   - hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
   - hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes).
   - hwmon: (tmp421) fix rounding for negative values (git-fixes).
   - hwmon: (tmp421) report /PVLD condition as fault (git-fixes).
   - i40e: Add additional info to PHY type error (git-fixes).
   - i40e: Fix firmware LLDP agent related warning (git-fixes).
   - i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes).
   - i40e: Fix logic of disabling queues (git-fixes).
   - i40e: Fix queue-to-TC mapping on Tx (git-fixes).
   - iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940).
   - iavf: Set RSS LUT and key in reset handle path (git-fixes).
   - ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
   - ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943).
   - ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943).
   - ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943).
   - ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943).
   - ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943).
   - ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943).
   - ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943).
   - ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943).
   - ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943).
   - ice: Prevent probing virtual functions (git-fixes).
   - iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes).
   - include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes).
   - iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784).
   - ionic: cleanly release devlink instance (bsc#1167773).
   - ionic: count csum_none when offload enabled (bsc#1167773).
   - ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
   - ipc/util.c: use binary search for max_idx (bsc#1159886).
   - ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467).
   - ipvs: avoid expiring many connections from timer (bsc#1190467).
   - ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467).
   - ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467).
   - iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes).
   - kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable.
   - kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs.
   - kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167 bsc#1191240 ltc#194716).
   - kernel-binary.spec.in: Stop templating the scriptlets for subpackages (bsc#1190358). The script part for the base package case is completely separate from the part for subpackages. Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead.
   - libata: fix ata_host_start() (git-fixes).
   - mac80211-hwsim: fix late beacon hrtimer handling (git-fixes).
   - mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes).
   - mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes).
   - mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes).
   - mac80211: mesh: fix potentially unaligned access (git-fixes).
   - media: cedrus: Fix SUNXI tile size calculation (git-fixes).
   - media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes).
   - media: dib8000: rewrite the init prbs logic (git-fixes).
   - media: imx258: Limit the max analogue gain to 480 (git-fixes).
   - media: imx258: Rectify mismatch of VTS value (git-fixes).
   - media: rc-loopback: return number of emitters rather than error (git-fixes).
   - media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes).
   - media: uvc: do not do DMA on stack (git-fixes).
   - media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes).
   - mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes).
   - mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
   - mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes).
   - mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785).
   - mmc: core: Return correct emmc response in case of ioctl error (git-fixes).
   - mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes).
   - mmc: sdhci-of-arasan: Check return value of non-void funtions (git-fixes).
   - net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
   - net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
   - net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
   - net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
   - net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
   - net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
   - net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
   - net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
   - net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
   - net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
   - net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
   - net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
   - net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes).
   - net/mlx5: Fix flow table chaining (git-fixes).
   - net/mlx5: Fix return value from tracer initialization (git-fixes).
   - net/mlx5: Unload device upon firmware fatal error (git-fixes).
   - net/mlx5e: Avoid creating tunnel headers for local route (git-fixes).
   - net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes).
   - net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes).
   - netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062).
   - nfp: update ethtool reporting of pauseframe control (git-fixes).
   - NFS: change nfs_access_get_cached to only report the mask (bsc#1190746).
   - NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746).
   - NFS: pass cred explicitly for access tests (bsc#1190746).
   - nvme: avoid race in shutdown namespace removal (bsc#1188067).
   - nvme: fix refcounting imbalance when all paths are down (bsc#1188067).
   - parport: remove non-zero check on count (git-fixes).
   - PCI: aardvark: Fix checking for PIO status (git-fixes).
   - PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes).
   - PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes).
   - PCI: Add ACS quirks for Cavium multi-function devices (git-fixes).
   - PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes).
   - PCI: Add AMD GPU multi-function power dependencies (git-fixes).
   - PCI: ibmphp: Fix double unmap of io_mem (git-fixes).
   - PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes).
   - PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes).
   - PCI: pci-bridge-emul: Fix big-endian support (git-fixes).
   - PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes).
   - PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes).
   - PM: base: power: do not try to use non-existing RTC for storing data (git-fixes).
   - PM: EM: Increase energy calculation precision (git-fixes).
   - power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes).
   - power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes).
   - powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289).
   - powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
   - powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
   - powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
   - powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
   - powerpc/perf: Fix the check for SIAR value (bsc#1065729).
   - powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
   - powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
   - powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
   - powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
   - powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
   - powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
   - powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
   - pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
   - pwm: img: Do not modify HW state in .remove() callback (git-fixes).
   - pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes).
   - pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes).
   - qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
   - RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774).
   - Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes).
   - regmap: fix page selection for noinc reads (git-fixes).
   - regmap: fix page selection for noinc writes (git-fixes).
   - regmap: fix the offset of register error log (git-fixes).
   - Restore kabi after NFS: pass cred explicitly for access tests (bsc#1190746).
   - rpm: Abolish scritplet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. This allows fixing bugs in the scriptlets as well as defining initrd regeneration policy independent of the kernel packages.
   - rpm/kernel-binary.spec: Use only non-empty certificates.
   - rpm/kernel-binary.spec.in: avoid conflicting suse-release. suse-release had arbitrary values in staging; we can't use it for dependencies. The filesystem one has to be enough (boo#1184804).
   - rtc: rx8010: select REGMAP_I2C (git-fixes).
   - rtc: tps65910: Correct driver module alias (git-fixes).
   - s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
   - sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292).
   - scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
   - scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
   - scsi: fc: Add EDC ELS definition (bsc#1190576).
   - scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
   - scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
   - scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
   - scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
   - scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
   - scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
   - scsi: lpfc: Add EDC ELS support (bsc#1190576).
   - scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
   - scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
   - scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
   - scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
   - scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576).
   - scsi: lpfc: Add support for the CM framework (bsc#1190576).
   - scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576).
   - scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576).
   - scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576).
   - scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576).
   - scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576).
   - scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576).
   - scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576).
   - scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576).
   - scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576).
   - scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576).
   - scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576).
   - scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576).
   - scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576).
   - scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576).
   - scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576).
   - scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576).
   - scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576).
   - scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576).
   - scsi: lpfc: Remove unneeded variable (bsc#1190576).
   - scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576).
   - scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576).
   - scsi: lpfc: Use correct scnprintf() limit (bsc#1190576).
   - scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576).
   - scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576).
   - scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576).
   - scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297).
   - serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes).
   - serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes).
   - serial: mvebu-uart: fix driver's tx_empty callback (git-fixes).
   - serial: sh-sci: fix break handling for sysrq (git-fixes).
   - spi: Fix tegra20 build with CONFIG_PM=n (git-fixes).
   - staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes).
   - staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes).
   - staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes).
   - thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes).
   - time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes).
   - tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes).
   - tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes).
   - tty: synclink_gt, drop unneeded forward declarations (git-fixes).
   - Update kabi files.
   - usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes).
   - usb: core: hcd: Add support for deferring roothub registration (git-fixes).
   - usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes).
   - usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes).
   - usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes).
   - usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes).
   - usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes).
   - usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes).
   - usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes).
   - usb: host: fotg210: fix the actual_length of an iso packet (git-fixes).
   - usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes).
   - usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes).
   - usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes).
   - usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes).
   - usb: serial: option: add device id for Foxconn T99W265 (git-fixes).
   - usb: serial: option: add Telit LN920 compositions (git-fixes).
   - usb: serial: option: remove duplicate USB device ID (git-fixes).
   - usbip: give back URBs for unsent unlink requests during cleanup (git-fixes).
   - usbip:vhci_hcd USB port can get stuck in the disabled state (git-fixes).
   - video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes).
   - video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes).
   - video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes).
   - video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes).
   - vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406).
   - vmxnet3: add support for ESP IPv6 RSS (bsc#1190406).
   - vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406).
   - vmxnet3: prepare for version 6 changes (bsc#1190406).
   - vmxnet3: remove power of 2 limitation on the queues (bsc#1190406).
   - vmxnet3: set correct hash type based on rss information (bsc#1190406).
   - vmxnet3: update to version 6 (bsc#1190406).
   - watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes).
   - x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302).
   - x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
   - x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289).
   - x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489).
   - x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489).
   - x86/resctrl: Fix default monitoring groups reporting (bsc#1152489).
   - xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651).
   - xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679).
   - xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).
   - xhci: Set HCD flag to defer primary roothub registration (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.
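A post-update check for this kernel advisory, added here as an example and not part of the SUSE advisory: it compares an installed kernel-azure package version against the fixed version 5.3.18-18.69.1 from the package list and flags the pending reboot the note above asks for, since a kernel package that is installed but not yet booted leaves the vulnerable kernel running. It assumes the SUSE convention that `uname -r` reports the package version without its trailing rebuild digit plus a flavour suffix (for example 5.3.18-18.69-azure); the sample versions in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory. Checks whether the kernel
# package named in SUSE-SU-2021:3337-1 is installed at the fixed version and
# whether the running kernel already is that version (the advisory requires a
# reboot after installing the update).

# Fixed package version, taken from the advisory's package list.
FIXED_VERSION="5.3.18-18.69.1"
# Package name from the advisory; the flavour suffix as it appears in
# `uname -r` on SUSE kernels is an assumption of this example.
PKG="kernel-azure"
FLAVOUR="azure"

# vercmp A B: compare two dotted/dashed numeric version strings segment by
# segment and print -1, 0 or 1 for A < B, A == B, A > B. Missing trailing
# segments count as 0, so 5.3.18-18.69 equals 5.3.18-18.69.0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# is_fixed INSTALLED_VERSION: true when the installed package is at least
# the fixed version.
is_fixed() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# expected_release PKG_VERSION: derive the `uname -r` string that a SUSE
# kernel package of this version boots as (assumed format: version and
# release without the final rebuild counter, then "-<flavour>").
# Constructed sample: 5.3.18-18.69.1 -> 5.3.18-18.69-azure
expected_release() {
    printf '%s-%s\n' "$(printf '%s' "$1" | sed 's/\.[0-9]*$//')" "$FLAVOUR"
}

# reboot_pending PKG_VERSION RUNNING_RELEASE: true when the installed package
# is not the kernel currently running, i.e. the update is on disk but the
# old kernel is still in memory.
reboot_pending() {
    [ "$(expected_release "$1")" != "$2" ]
}

# check_host INSTALLED_VERSION RUNNING_RELEASE: print a verdict and return
# 0 only when the fix is installed and active, 1 when action is needed,
# 2 when the package is absent (advisory does not apply).
check_host() {
    installed="$1"; running="$2"
    if [ -z "$installed" ]; then
        echo "$PKG is not installed; advisory does not apply"
        return 2
    fi
    if ! is_fixed "$installed"; then
        echo "VULNERABLE: $PKG $installed is older than $FIXED_VERSION"
        return 1
    fi
    if reboot_pending "$installed" "$running"; then
        echo "REBOOT PENDING: $PKG $installed installed, but running $running"
        return 1
    fi
    echo "OK: $PKG $installed installed and running"
    return 0
}

# Stand-alone use on a SUSE host: `sh check.sh --live` queries rpm and uname.
# Guarded so the functions can also be exercised with constructed values.
if [ "${1:-}" = "--live" ] && command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$PKG" 2>/dev/null) || installed=""
    check_host "$installed" "$(uname -r)"
fi
```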
Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2021-3337=1

Package List:

   - SUSE Linux Enterprise Module for Public Cloud 15-SP2 (x86_64):

      kernel-azure-5.3.18-18.69.1
      kernel-azure-debuginfo-5.3.18-18.69.1
      kernel-azure-debugsource-5.3.18-18.69.1
      kernel-azure-devel-5.3.18-18.69.1
      kernel-azure-devel-debuginfo-5.3.18-18.69.1
      kernel-syms-azure-5.3.18-18.69.1

   - SUSE Linux Enterprise Module for Public Cloud 15-SP2 (noarch):

      kernel-devel-azure-5.3.18-18.69.1
      kernel-source-azure-5.3.18-18.69.1

References:

   https://www.suse.com/security/cve/CVE-2020-3702.html
   https://www.suse.com/security/cve/CVE-2021-3669.html
   https://www.suse.com/security/cve/CVE-2021-3744.html
   https://www.suse.com/security/cve/CVE-2021-3752.html
   https://www.suse.com/security/cve/CVE-2021-3764.html
   https://www.suse.com/security/cve/CVE-2021-40490.html
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1148868
   https://bugzilla.suse.com/1152489
   https://bugzilla.suse.com/1154353
   https://bugzilla.suse.com/1159886
   https://bugzilla.suse.com/1167773
   https://bugzilla.suse.com/1170774
   https://bugzilla.suse.com/1173746
   https://bugzilla.suse.com/1176940
   https://bugzilla.suse.com/1184439
   https://bugzilla.suse.com/1184804
   https://bugzilla.suse.com/1185302
   https://bugzilla.suse.com/1185677
   https://bugzilla.suse.com/1185726
   https://bugzilla.suse.com/1185762
   https://bugzilla.suse.com/1187167
   https://bugzilla.suse.com/1188067
   https://bugzilla.suse.com/1188651
   https://bugzilla.suse.com/1188986
   https://bugzilla.suse.com/1189297
   https://bugzilla.suse.com/1189841
   https://bugzilla.suse.com/1189884
   https://bugzilla.suse.com/1190023
   https://bugzilla.suse.com/1190062
   https://bugzilla.suse.com/1190115
   https://bugzilla.suse.com/1190159
   https://bugzilla.suse.com/1190358
   https://bugzilla.suse.com/1190406
   https://bugzilla.suse.com/1190432
   https://bugzilla.suse.com/1190467
   https://bugzilla.suse.com/1190523
   https://bugzilla.suse.com/1190534
   https://bugzilla.suse.com/1190543
   https://bugzilla.suse.com/1190576
   https://bugzilla.suse.com/1190595
   https://bugzilla.suse.com/1190596
   https://bugzilla.suse.com/1190598
   https://bugzilla.suse.com/1190620
   https://bugzilla.suse.com/1190626
   https://bugzilla.suse.com/1190679
   https://bugzilla.suse.com/1190705
   https://bugzilla.suse.com/1190717
   https://bugzilla.suse.com/1190746
   https://bugzilla.suse.com/1190758
   https://bugzilla.suse.com/1190784
   https://bugzilla.suse.com/1190785
   https://bugzilla.suse.com/1191172
   https://bugzilla.suse.com/1191193
   https://bugzilla.suse.com/1191240
   https://bugzilla.suse.com/1191292

From sle-security-updates at lists.suse.com Tue Oct 12 16:19:46 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 18:19:46 +0200 (CEST)
Subject: SUSE-SU-2021:3350-1: Security update for libaom
Message-ID: <20211012161946.BD2A8FE13@maintenance.suse.de>

   SUSE Security Update: Security update for libaom
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3350-1
Rating:             low
References:         #1186799
Cross-References:   CVE-2021-30474
CVSS scores:
                    CVE-2021-30474 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-30474 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP3
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for libaom fixes the following issues:

   - CVE-2021-30474: Fixed use-after-free in aom_dsp/grain_table.c (bsc#1186799).
Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-3350=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-3350=1

Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):

      libaom-debugsource-1.0.0-3.6.1
      libaom0-1.0.0-3.6.1
      libaom0-debuginfo-1.0.0-3.6.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      libaom-debugsource-1.0.0-3.6.1
      libaom0-1.0.0-3.6.1
      libaom0-debuginfo-1.0.0-3.6.1

References:

   https://www.suse.com/security/cve/CVE-2021-30474.html
   https://bugzilla.suse.com/1186799

From sle-security-updates at lists.suse.com Tue Oct 12 16:23:31 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 18:23:31 +0200 (CEST)
Subject: SUSE-SU-2021:3351-1: moderate: Security update for curl
Message-ID: <20211012162331.97A2FFE13@maintenance.suse.de>

   SUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3351-1
Rating:             moderate
References:         #1190373 #1190374
Cross-References:   CVE-2021-22946 CVE-2021-22947
CVSS scores:
                    CVE-2021-22946 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-22947 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server 12-SP4-LTSS
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for curl fixes the following issues:

   - CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
   - CVE-2021-22946: Fixed a protocol downgrade in which required TLS was bypassed (bsc#1190373).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-3351=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-3351=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-3351=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-3351=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      curl-7.60.0-4.30.1
      curl-debuginfo-7.60.0-4.30.1
      curl-debugsource-7.60.0-4.30.1
      libcurl4-32bit-7.60.0-4.30.1
      libcurl4-7.60.0-4.30.1
      libcurl4-debuginfo-32bit-7.60.0-4.30.1
      libcurl4-debuginfo-7.60.0-4.30.1

   - SUSE OpenStack Cloud 9 (x86_64):

      curl-7.60.0-4.30.1
      curl-debuginfo-7.60.0-4.30.1
      curl-debugsource-7.60.0-4.30.1
      libcurl4-32bit-7.60.0-4.30.1
      libcurl4-7.60.0-4.30.1
      libcurl4-debuginfo-32bit-7.60.0-4.30.1
      libcurl4-debuginfo-7.60.0-4.30.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      curl-7.60.0-4.30.1
      curl-debuginfo-7.60.0-4.30.1
      curl-debugsource-7.60.0-4.30.1
      libcurl4-7.60.0-4.30.1
      libcurl4-debuginfo-7.60.0-4.30.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

      libcurl4-32bit-7.60.0-4.30.1
      libcurl4-debuginfo-32bit-7.60.0-4.30.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      curl-7.60.0-4.30.1
      curl-debuginfo-7.60.0-4.30.1
      curl-debugsource-7.60.0-4.30.1
      libcurl4-7.60.0-4.30.1
      libcurl4-debuginfo-7.60.0-4.30.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):

      libcurl4-32bit-7.60.0-4.30.1
      libcurl4-debuginfo-32bit-7.60.0-4.30.1

References:
   https://www.suse.com/security/cve/CVE-2021-22946.html
   https://www.suse.com/security/cve/CVE-2021-22947.html
   https://bugzilla.suse.com/1190373
   https://bugzilla.suse.com/1190374

From sle-security-updates at lists.suse.com Tue Oct 12 16:25:06 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 18:25:06 +0200 (CEST)
Subject: SUSE-SU-2021:3374-1: important: Security update for the Linux Kernel (Live Patch 21 for SLE 12 SP5)
Message-ID: <20211012162506.21F24FE13@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel (Live Patch 21 for SLE 12 SP5)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3374-1
Rating:             important
References:         #1187054 #1188613 #1190118
Cross-References:   CVE-2021-3573 CVE-2021-3640 CVE-2021-38160
CVSS scores:
                    CVE-2021-3573 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3640 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-38160 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE Linux Enterprise Module for Live Patching 15-SP3
                    SUSE Linux Enterprise Module for Live Patching 15-SP2
                    SUSE Linux Enterprise Module for Live Patching 15-SP1
                    SUSE Linux Enterprise Live Patching 12-SP5
                    SUSE Linux Enterprise Live Patching 12-SP4
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for the Linux Kernel 4.12.14-122_80 fixes several issues.

   The following security issues were fixed:

   - CVE-2021-38160: Fixed a bug that could lead to data corruption or loss. This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118)
   - CVE-2021-3640: Fixed a use-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613)
   - CVE-2021-3573: Fixed a use-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Live Patching 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2021-3356=1 SUSE-SLE-Module-Live-Patching-15-SP3-2021-3357=1 SUSE-SLE-Module-Live-Patching-15-SP3-2021-3358=1 SUSE-SLE-Module-Live-Patching-15-SP3-2021-3359=1

   - SUSE Linux Enterprise Module for Live Patching 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-3362=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-3363=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-3364=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-3365=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-3366=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-3367=1

   - SUSE Linux Enterprise Module for Live Patching 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-3368=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-3369=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-3370=1

   - SUSE Linux Enterprise Live Patching 12-SP5:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-3374=1 SUSE-SLE-Live-Patching-12-SP5-2021-3375=1 SUSE-SLE-Live-Patching-12-SP5-2021-3376=1 SUSE-SLE-Live-Patching-12-SP5-2021-3377=1 SUSE-SLE-Live-Patching-12-SP5-2021-3378=1

   - SUSE Linux Enterprise Live Patching 12-SP4:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2021-3379=1 SUSE-SLE-Live-Patching-12-SP4-2021-3380=1 SUSE-SLE-Live-Patching-12-SP4-2021-3381=1

Package List:

   - SUSE Linux Enterprise Module for Live Patching 15-SP3 (ppc64le s390x x86_64):

      kernel-livepatch-5_3_18-59_10-default-5-2.1
      kernel-livepatch-5_3_18-59_10-default-debuginfo-5-2.1
      kernel-livepatch-5_3_18-59_13-default-5-2.1
      kernel-livepatch-5_3_18-59_13-default-debuginfo-5-2.1
kernel-livepatch-5_3_18-59_16-default-4-2.1 kernel-livepatch-5_3_18-59_16-default-debuginfo-4-2.1 kernel-livepatch-5_3_18-59_5-default-5-2.1 kernel-livepatch-5_3_18-59_5-default-debuginfo-5-2.1 kernel-livepatch-SLE15-SP3_Update_1-debugsource-5-2.1 kernel-livepatch-SLE15-SP3_Update_2-debugsource-5-2.1 kernel-livepatch-SLE15-SP3_Update_3-debugsource-5-2.1 kernel-livepatch-SLE15-SP3_Update_4-debugsource-4-2.1 - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-livepatch-5_3_18-24_53_4-default-5-2.1 kernel-livepatch-5_3_18-24_53_4-default-debuginfo-5-2.1 kernel-livepatch-5_3_18-24_61-default-7-2.1 kernel-livepatch-5_3_18-24_61-default-debuginfo-7-2.1 kernel-livepatch-5_3_18-24_64-default-7-2.1 kernel-livepatch-5_3_18-24_64-default-debuginfo-7-2.1 kernel-livepatch-5_3_18-24_67-default-5-2.1 kernel-livepatch-5_3_18-24_67-default-debuginfo-5-2.1 kernel-livepatch-5_3_18-24_70-default-5-2.1 kernel-livepatch-5_3_18-24_70-default-debuginfo-5-2.1 kernel-livepatch-5_3_18-24_75-default-4-2.1 kernel-livepatch-5_3_18-24_75-default-debuginfo-4-2.1 kernel-livepatch-SLE15-SP2_Update_12-debugsource-7-2.1 kernel-livepatch-SLE15-SP2_Update_13-debugsource-7-2.1 kernel-livepatch-SLE15-SP2_Update_14-debugsource-5-2.1 kernel-livepatch-SLE15-SP2_Update_15-debugsource-5-2.1 kernel-livepatch-SLE15-SP2_Update_16-debugsource-5-2.1 kernel-livepatch-SLE15-SP2_Update_17-debugsource-4-2.1 - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-197_89-default-7-2.1 kernel-livepatch-4_12_14-197_92-default-6-2.1 kernel-livepatch-4_12_14-197_99-default-4-2.1 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kgraft-patch-4_12_14-122_66-default-8-2.1 kgraft-patch-4_12_14-122_71-default-7-2.1 kgraft-patch-4_12_14-122_74-default-5-2.1 kgraft-patch-4_12_14-122_77-default-5-2.1 kgraft-patch-4_12_14-122_80-default-4-2.1 - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64): 
kgraft-patch-4_12_14-95_74-default-7-2.1 kgraft-patch-4_12_14-95_77-default-6-2.1 kgraft-patch-4_12_14-95_80-default-4-2.1 References: https://www.suse.com/security/cve/CVE-2021-3573.html https://www.suse.com/security/cve/CVE-2021-3640.html https://www.suse.com/security/cve/CVE-2021-38160.html https://bugzilla.suse.com/1187054 https://bugzilla.suse.com/1188613 https://bugzilla.suse.com/1190118 From sle-security-updates at lists.suse.com Tue Oct 12 16:33:15 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 12 Oct 2021 18:33:15 +0200 (CEST) Subject: SUSE-SU-2021:3353-1: important: Security update for webkit2gtk3 Message-ID: <20211012163315.D7A74FE13@maintenance.suse.de> SUSE Security Update: Security update for webkit2gtk3 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3353-1 Rating: important References: #1188697 #1190701 Cross-References: CVE-2021-21806 CVE-2021-30858 CVSS scores: CVE-2021-21806 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-21806 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-30858 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-30858 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP3 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for webkit2gtk3 fixes the following issues: - Update to version 2.32.4 - CVE-2021-30858: Fixed a security bug that could allow maliciously crafted web content to achieve arbitrary code execution. 
(bsc#1190701)
- CVE-2021-21806: Fixed an exploitable use-after-free vulnerability reachable via a specially crafted HTML web page. (bsc#1188697)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-3353=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-3353=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3353=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3353=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
    typelib-1_0-JavaScriptCore-4_0-2.32.4-12.3
    typelib-1_0-WebKit2-4_0-2.32.4-12.3
    typelib-1_0-WebKit2WebExtension-4_0-2.32.4-12.3
    webkit2gtk3-debugsource-2.32.4-12.3
    webkit2gtk3-devel-2.32.4-12.3
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
    typelib-1_0-JavaScriptCore-4_0-2.32.4-12.3
    typelib-1_0-WebKit2-4_0-2.32.4-12.3
    typelib-1_0-WebKit2WebExtension-4_0-2.32.4-12.3
    webkit2gtk3-debugsource-2.32.4-12.3
    webkit2gtk3-devel-2.32.4-12.3
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
    libjavascriptcoregtk-4_0-18-2.32.4-12.3
    libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-12.3
    libwebkit2gtk-4_0-37-2.32.4-12.3
    libwebkit2gtk-4_0-37-debuginfo-2.32.4-12.3
    webkit2gtk-4_0-injected-bundles-2.32.4-12.3
    webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-12.3
    webkit2gtk3-debugsource-2.32.4-12.3
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
    libwebkit2gtk3-lang-2.32.4-12.3
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le
s390x x86_64): libjavascriptcoregtk-4_0-18-2.32.4-12.3 libjavascriptcoregtk-4_0-18-debuginfo-2.32.4-12.3 libwebkit2gtk-4_0-37-2.32.4-12.3 libwebkit2gtk-4_0-37-debuginfo-2.32.4-12.3 webkit2gtk-4_0-injected-bundles-2.32.4-12.3 webkit2gtk-4_0-injected-bundles-debuginfo-2.32.4-12.3 webkit2gtk3-debugsource-2.32.4-12.3 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): libwebkit2gtk3-lang-2.32.4-12.3 References: https://www.suse.com/security/cve/CVE-2021-21806.html https://www.suse.com/security/cve/CVE-2021-30858.html https://bugzilla.suse.com/1188697 https://bugzilla.suse.com/1190701 From sle-security-updates at lists.suse.com Tue Oct 12 16:37:24 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 12 Oct 2021 18:37:24 +0200 (CEST) Subject: SUSE-SU-2021:3371-1: important: Security update for the Linux Kernel (Live Patch 25 for SLE 15) Message-ID: <20211012163724.7F738FE13@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 25 for SLE 15) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3371-1 Rating: important References: #1187054 #1188613 #1190118 #1190350 Cross-References: CVE-2021-3573 CVE-2021-3640 CVE-2021-3715 CVE-2021-38160 CVSS scores: CVE-2021-3573 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3640 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3715 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-38160 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-150_75 fixes several issues. 
The following security issues were fixed:

- CVE-2021-3715: Fixed a use-after-free in the Linux kernel's Traffic Control networking subsystem which could lead to local privilege escalation. (bsc#1190350)
- CVE-2021-38160: Fixed a bug that could lead to data corruption or loss. It can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118)
- CVE-2021-3640: Fixed a use-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613)
- CVE-2021-3573: Fixed a use-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15:
    zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2021-3371=1 SUSE-SLE-Module-Live-Patching-15-2021-3372=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64):
    kernel-livepatch-4_12_14-150_72-default-7-2.1
    kernel-livepatch-4_12_14-150_72-default-debuginfo-7-2.1
    kernel-livepatch-4_12_14-150_75-default-4-2.1
    kernel-livepatch-4_12_14-150_75-default-debuginfo-4-2.1

References:

https://www.suse.com/security/cve/CVE-2021-3573.html
https://www.suse.com/security/cve/CVE-2021-3640.html
https://www.suse.com/security/cve/CVE-2021-3715.html
https://www.suse.com/security/cve/CVE-2021-38160.html
https://bugzilla.suse.com/1187054
https://bugzilla.suse.com/1188613
https://bugzilla.suse.com/1190118
https://bugzilla.suse.com/1190350

From sle-security-updates at lists.suse.com  Tue Oct 12 16:42:55 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 18:42:55 +0200 (CEST)
Subject: SUSE-SU-2021:3361-1: important: Security update for the
 Linux Kernel (Live Patch 22 for SLE 12 SP5)
Message-ID: <20211012164255.46E04FF25@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel (Live Patch 22 for SLE 12 SP5)
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3361-1
Rating:             important
References:         #1187054 #1188613
Cross-References:   CVE-2021-3573 CVE-2021-3640
CVSS scores:
                    CVE-2021-3573 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3640 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Module for Live Patching 15-SP3
                    SUSE Linux Enterprise Module for Live Patching 15-SP2
                    SUSE Linux Enterprise Live Patching 12-SP5
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for the Linux Kernel 4.12.14-122_83 fixes several issues.

The following security issues were fixed:

- CVE-2021-3640: Fixed a use-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613)
- CVE-2021-3573: Fixed a use-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
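Only one of the packages in a live patch advisory applies to a given host: the one whose name embeds the running kernel's version (dots replaced by underscores), so kernel 4.12.14-122.83-default is served by kgraft-patch-4_12_14-122_83-default on SLE 12 and the 5.3.18 kernels by kernel-livepatch-5_3_18-<rel>-default on SLE 15; the rest of the list is for other kernels or is debuginfo. The following script is an added example, not SUSE's tooling: it takes the advisory's package list and an `rpm -qa` dump (both constructed inline here) and reports whether the patch for `uname -r` is missing, outdated, or at the fixed build. The version comparison is a simplified rpmvercmp (tilde/caret rules omitted).

```python
"""Added example (not SUSE's tooling): which live patch package in an advisory
applies to the running kernel, and is it installed at the fixed version?"""
import re

# Constructed sample: package names from the "Package List" section of the
# advisory above (Live Patch 22 for SLE 12 SP5 and its SLE 15 SP2/SP3 siblings).
ADVISORY_PACKAGES = """
kernel-livepatch-5_3_18-59_19-default-3-2.1
kernel-livepatch-5_3_18-59_19-default-debuginfo-3-2.1
kernel-livepatch-SLE15-SP3_Update_5-debugsource-3-2.1
kernel-livepatch-5_3_18-24_78-default-3-2.1
kernel-livepatch-5_3_18-24_78-default-debuginfo-3-2.1
kernel-livepatch-SLE15-SP2_Update_18-debugsource-3-2.1
kgraft-patch-4_12_14-122_83-default-3-2.1
"""

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` from a
# SLE 12 SP5 host that still carries the previous build (2-2.1) of the patch.
RPM_QA_SAMPLE = """
kernel-default-4.12.14-122.83.1
kgraft-patch-4_12_14-122_83-default-2-2.1
systemd-228-157.30.1
"""

# name-version-release: the last two dash-separated fields are version and
# release (neither may contain a dash); everything before them is the name.
NVR_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)$")


def parse_nvr_list(text):
    """Map package name -> (version, release) for every NVR token in text."""
    pkgs = {}
    for token in text.split():
        m = NVR_RE.match(token)
        if m:
            pkgs[m["name"]] = (m["ver"], m["rel"])
    return pkgs


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: compare digit runs numerically and letter runs
    lexically, segment by segment; a numeric segment outranks an alphabetic one.
    Returns -1, 0 or 1. Tilde/caret handling of real rpm is omitted."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(have, want):
    """Compare (version, release) tuples; < 0 means `have` is older."""
    return rpm_vercmp(have[0], want[0]) or rpm_vercmp(have[1], want[1])


def livepatch_names_for(kernel_release):
    """`uname -r` (e.g. 4.12.14-122.83-default) -> candidate patch package names."""
    version, flavour = kernel_release.rsplit("-", 1)
    stem = version.replace(".", "_")
    return (f"kgraft-patch-{stem}-{flavour}",      # SLE 12 naming (kGraft)
            f"kernel-livepatch-{stem}-{flavour}")  # SLE 15 naming (klp)


def check_livepatch(kernel_release, advisory_text, rpm_qa_text):
    """Return (status, package): 'not-applicable' when the advisory carries no
    patch for this kernel, otherwise 'missing', 'outdated' or 'fixed'."""
    fixed = parse_nvr_list(advisory_text)
    installed = parse_nvr_list(rpm_qa_text)
    for name in livepatch_names_for(kernel_release):
        if name not in fixed:
            continue
        have = installed.get(name)
        if have is None:
            return "missing", name
        if evr_cmp(have, fixed[name]) < 0:
            return "outdated", name
        return "fixed", name
    return "not-applicable", None


if __name__ == "__main__":
    # On a real host feed in `uname -r` and `rpm -qa` output instead of the samples.
    print(check_livepatch("4.12.14-122.83-default", ADVISORY_PACKAGES, RPM_QA_SAMPLE))
```

An installed package only shows that the patch module was delivered; whether it is applied to the running kernel is reported by `kgr status` on SLE 12 and `klp status` on SLE 15 (or the `enabled` file under /sys/kernel/livepatch/), which is the check to add to a compliance scan.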
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP3: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2021-3355=1 - SUSE Linux Enterprise Module for Live Patching 15-SP2: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-3361=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-3373=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP3 (ppc64le s390x x86_64): kernel-livepatch-5_3_18-59_19-default-3-2.1 kernel-livepatch-5_3_18-59_19-default-debuginfo-3-2.1 kernel-livepatch-SLE15-SP3_Update_5-debugsource-3-2.1 - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-livepatch-5_3_18-24_78-default-3-2.1 kernel-livepatch-5_3_18-24_78-default-debuginfo-3-2.1 kernel-livepatch-SLE15-SP2_Update_18-debugsource-3-2.1 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kgraft-patch-4_12_14-122_83-default-3-2.1 References: https://www.suse.com/security/cve/CVE-2021-3573.html https://www.suse.com/security/cve/CVE-2021-3640.html https://bugzilla.suse.com/1187054 https://bugzilla.suse.com/1188613 From sle-security-updates at lists.suse.com Tue Oct 12 16:44:27 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 12 Oct 2021 18:44:27 +0200 (CEST) Subject: SUSE-SU-2021:3354-1: moderate: Security update for libqt5-qtsvg Message-ID: <20211012164427.CE5E4FE13@maintenance.suse.de> SUSE Security Update: Security update for libqt5-qtsvg ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3354-1 Rating: moderate References: #1184783 Cross-References: CVE-2021-3481 CVSS scores: CVE-2021-3481 (SUSE): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP3 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 SUSE 
Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libqt5-qtsvg fixes the following issues:

- CVE-2021-3481: Fixed an out-of-bounds read in the function QRadialFetchSimd triggered by a crafted SVG file. (bsc#1184783)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-3354=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-3354=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3354=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3354=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (noarch):
    libqt5-qtsvg-private-headers-devel-5.12.7-3.3.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (noarch):
    libqt5-qtsvg-private-headers-devel-5.12.7-3.3.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
    libQt5Svg5-5.12.7-3.3.1
    libQt5Svg5-debuginfo-5.12.7-3.3.1
    libqt5-qtsvg-debugsource-5.12.7-3.3.1
    libqt5-qtsvg-devel-5.12.7-3.3.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
    libQt5Svg5-5.12.7-3.3.1
    libQt5Svg5-debuginfo-5.12.7-3.3.1
    libqt5-qtsvg-debugsource-5.12.7-3.3.1
    libqt5-qtsvg-devel-5.12.7-3.3.1

References:

https://www.suse.com/security/cve/CVE-2021-3481.html
https://bugzilla.suse.com/1184783

From sle-security-updates at lists.suse.com  Tue Oct 12 16:46:46 2021
From:
sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 18:46:46 +0200 (CEST)
Subject: SUSE-SU-2021:3352-1: moderate: Security update for apache2-mod_auth_openidc
Message-ID: <20211012164646.CE636FE13@maintenance.suse.de>

   SUSE Security Update: Security update for apache2-mod_auth_openidc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3352-1
Rating:             moderate
References:         #1188638 #1188639 #1188848 #1188849 #1190223
Cross-References:   CVE-2021-32785 CVE-2021-32786 CVE-2021-32791 CVE-2021-32792 CVE-2021-39191
CVSS scores:
                    CVE-2021-32785 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2021-32786 (SUSE): 4.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
                    CVE-2021-32791 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-32792 (SUSE): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
                    CVE-2021-39191 (NVD) : 4.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
                    CVE-2021-39191 (SUSE): 4.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

This update for apache2-mod_auth_openidc fixes the following issues:

- CVE-2021-32785: Format string bug via hiredis (bsc#1188638)
- CVE-2021-32786: Open redirect in the logout functionality (bsc#1188639)
- CVE-2021-32791: Hard-coded static IV and AAD with a reused key in AES-GCM encryption (bsc#1188849)
- CVE-2021-32792: XSS when using OIDCPreservePost On (bsc#1188848)
- CVE-2021-39191: Open redirect via the target_link_uri parameter (bsc#1190223)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
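Two of the five issues above (CVE-2021-32786 in the logout flow, CVE-2021-39191 in target_link_uri) are the same class of bug: a redirect target taken from the request and used without checking where it points. The check below is an added example, not mod_auth_openidc's own code, of what a relying party should require before issuing the 302: either an absolute path on the site itself or an https URL whose host is on an explicit allow list (the host names in ALLOWED_HOSTS are an assumption). It also covers the bypasses that a naive "starts with /" test misses: protocol-relative `//host`, backslash variants that browsers normalise to slashes, userinfo tricks and CRLF.

```python
"""Added example (not mod_auth_openidc's code): validating a post-logout or
target_link_uri redirect target before redirecting to it."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com"}   # assumption: the relying party's own host names


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for a site-local absolute path or an https URL whose host is
    allow-listed. Anything ambiguous is rejected."""
    if not target or any(ch in target for ch in "\r\n\t "):
        return False                               # CRLF/whitespace: header injection
    # Browsers treat "\" as "/" in URLs but urlsplit does not, so "/\evil.com"
    # would parse as a local path yet navigate to //evil.com. Normalise first.
    url = target.replace("\\", "/")
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Relative reference: must be an absolute path and not protocol-relative.
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme != "https":
        return False                               # http:, javascript:, data: ...
    if parts.username is not None or parts.password is not None:
        return False                               # https://app.example.com@evil.com
    return (parts.hostname or "").lower() in allowed_hosts


def redirect_target(requested, fallback="/"):
    """The URL the handler should actually send in the Location header."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    for t in ["/account", "//evil.com", "/\\evil.com", "https://app.example.com/done",
              "https://app.example.com@evil.com/", "javascript:alert(1)"]:
        print(f"{t!r:45} -> {redirect_target(t)}")
```

Rejecting instead of "fixing" a bad target is deliberate: a redirect that silently lands on the fallback page is observable in logs, whereas trying to repair attacker-controlled URLs tends to create a new bypass.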
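CVE-2021-32791 above (a hard-coded IV and AAD under a key that is reused) deserves a worked illustration, because "static IV" sounds like a hygiene nit and is in fact a break. GCM's confidentiality layer is AES in counter mode, so the keystream depends only on (key, IV): reuse the pair and any two ciphertexts XOR to the XOR of their plaintexts, which one known plaintext turns into the other message. (The same reuse also leaks GCM's hash key from two tags and allows forgeries; that part is not shown.) The block below is an added example, not mod_auth_openidc's code. The standard library has no AES, so the counter-mode keystream is a stand-in built from HMAC-SHA256; the reuse property demonstrated is identical for AES-CTR and therefore for GCM. Keys and messages are constructed.

```python
"""Added example (not mod_auth_openidc's code): what a fixed IV under a reused
key costs in a counter-mode cipher such as AES-GCM."""
import hashlib
import hmac
import os


def keystream(key, iv, length):
    """Counter mode: block i = PRF(key, iv || i). Stand-in for AES-CTR."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key, iv, plaintext):
    return xor(plaintext, keystream(key, iv, len(plaintext)))


STATIC_IV = b"\x00" * 12          # the bug: one fixed 96-bit IV for every message


def recover_with_static_iv(key, known_plaintext, secret_plaintext):
    """Attacker's view: c1 and c2 were produced under the same (key, IV) and m1
    is known (e.g. a blob issued for the attacker's own session). Returns what
    the attacker learns about m2: all of it up to len(m1)."""
    c1 = ctr_encrypt(key, STATIC_IV, known_plaintext)
    c2 = ctr_encrypt(key, STATIC_IV, secret_plaintext)
    # c1 ^ c2 == m1 ^ m2 because both used the same keystream; ^ m1 gives m2
    return xor(xor(c1, c2), known_plaintext)[: len(secret_plaintext)]


def recover_with_fresh_iv(key, known_plaintext, secret_plaintext):
    """The fix: a fresh random 96-bit IV per message (or a counter that never
    repeats under the key). The same calculation now yields noise."""
    c1 = ctr_encrypt(key, os.urandom(12), known_plaintext)
    c2 = ctr_encrypt(key, os.urandom(12), secret_plaintext)
    return xor(xor(c1, c2), known_plaintext)[: len(secret_plaintext)]


if __name__ == "__main__":
    key = os.urandom(32)
    m1 = b"sub=attacker;role=user;exp=1634000000"   # constructed sample, known to attacker
    m2 = b"sub=admin;role=admin;exp=1634000000"     # constructed sample, the target
    print(recover_with_static_iv(key, m1, m2))       # prints m2 in full
    print(recover_with_fresh_iv(key, m1, m2))        # unrelated bytes
```

A static AAD on its own is harmless (AAD is authenticated, not secret); the damage comes entirely from the (key, IV) pair repeating, which is why the fix is a per-message random IV or a strictly non-repeating counter, never a better constant.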
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3352=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): apache2-mod_auth_openidc-2.4.0-3.23.1 apache2-mod_auth_openidc-debuginfo-2.4.0-3.23.1 apache2-mod_auth_openidc-debugsource-2.4.0-3.23.1 References: https://www.suse.com/security/cve/CVE-2021-32785.html https://www.suse.com/security/cve/CVE-2021-32786.html https://www.suse.com/security/cve/CVE-2021-32791.html https://www.suse.com/security/cve/CVE-2021-32792.html https://www.suse.com/security/cve/CVE-2021-39191.html https://bugzilla.suse.com/1188638 https://bugzilla.suse.com/1188639 https://bugzilla.suse.com/1188848 https://bugzilla.suse.com/1188849 https://bugzilla.suse.com/1190223 From sle-security-updates at lists.suse.com Tue Oct 12 16:51:17 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 12 Oct 2021 18:51:17 +0200 (CEST) Subject: SUSE-SU-2021:3348-1: moderate: Security update for systemd Message-ID: <20211012165117.05A9CFE13@maintenance.suse.de> SUSE Security Update: Security update for systemd ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3348-1 Rating: moderate References: #1134353 #1171962 #1184994 #1188018 #1188063 #1188291 #1188713 #1189480 #1190234 SLE-21032 Cross-References: CVE-2021-33910 CVSS scores: CVE-2021-33910 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-33910 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that solves one vulnerability, contains one feature and has 8 fixes is now available. 
Description:

This update for systemd fixes the following issues:

- CVE-2021-33910: Fixed an unbounded use of strdupa() on a path, which let a local user exhaust the stack of systemd (PID 1) with a very long mount path and crash it (bsc#1188063).
- logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
- Adopt BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
- Rules weren't applied to dm devices (multipath) (bsc#1188713).
- Ignore the obsolete "elevator" kernel parameter (bsc#1184994, bsc#1190234).
- Make sure the versions of the udev and systemd packages are always the same (bsc#1189480).
- Avoid an error message when udev is updated, caused by udev already being active when the sockets are started again (bsc#1188291).
- Allow the systemd sysusers config files to be overridden during system installation (bsc#1171962).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3348=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
    libsystemd0-234-24.93.1
    libsystemd0-debuginfo-234-24.93.1
    libudev-devel-234-24.93.1
    libudev1-234-24.93.1
    libudev1-debuginfo-234-24.93.1
    systemd-234-24.93.1
    systemd-container-234-24.93.1
    systemd-container-debuginfo-234-24.93.1
    systemd-coredump-234-24.93.1
    systemd-coredump-debuginfo-234-24.93.1
    systemd-debuginfo-234-24.93.1
    systemd-debugsource-234-24.93.1
    systemd-devel-234-24.93.1
    systemd-sysvinit-234-24.93.1
    udev-234-24.93.1
    udev-debuginfo-234-24.93.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):
    libsystemd0-32bit-234-24.93.1
    libsystemd0-32bit-debuginfo-234-24.93.1
    libudev1-32bit-234-24.93.1
    libudev1-32bit-debuginfo-234-24.93.1
    systemd-32bit-234-24.93.1
    systemd-32bit-debuginfo-234-24.93.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2
(noarch): systemd-bash-completion-234-24.93.1 References: https://www.suse.com/security/cve/CVE-2021-33910.html https://bugzilla.suse.com/1134353 https://bugzilla.suse.com/1171962 https://bugzilla.suse.com/1184994 https://bugzilla.suse.com/1188018 https://bugzilla.suse.com/1188063 https://bugzilla.suse.com/1188291 https://bugzilla.suse.com/1188713 https://bugzilla.suse.com/1189480 https://bugzilla.suse.com/1190234 From sle-security-updates at lists.suse.com Tue Oct 12 16:55:04 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 12 Oct 2021 18:55:04 +0200 (CEST) Subject: SUSE-SU-2021:3360-1: important: Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP3) Message-ID: <20211012165504.A39A0FE13@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3360-1 Rating: important References: #1187054 #1188613 #1190118 #1190127 Cross-References: CVE-2021-31440 CVE-2021-3573 CVE-2021-3640 CVE-2021-38160 CVSS scores: CVE-2021-31440 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-31440 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-3573 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3640 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-38160 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP3 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for the Linux Kernel 5.3.18-57 fixes several issues. The following security issues were fixed: - CVE-2021-31440: Fixed a lack of proper validation of user-supplied eBPF programs prior to executing them. 
  An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. (bsc#1190127)
- CVE-2021-38160: Fixed a bug that could lead to data corruption or loss. It can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118)
- CVE-2021-3640: Fixed a use-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613)
- CVE-2021-3573: Fixed a use-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2021-3360=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15-SP3 (ppc64le s390x x86_64):
    kernel-livepatch-5_3_18-57-default-7-3.1
    kernel-livepatch-5_3_18-57-default-debuginfo-7-3.1
    kernel-livepatch-SLE15-SP3_Update_0-debugsource-7-3.1

References:

https://www.suse.com/security/cve/CVE-2021-31440.html
https://www.suse.com/security/cve/CVE-2021-3573.html
https://www.suse.com/security/cve/CVE-2021-3640.html
https://www.suse.com/security/cve/CVE-2021-38160.html
https://bugzilla.suse.com/1187054
https://bugzilla.suse.com/1188613
https://bugzilla.suse.com/1190118
https://bugzilla.suse.com/1190127

From sle-security-updates at lists.suse.com  Tue Oct 12 16:56:44 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 18:56:44 +0200 (CEST)
Subject: SUSE-SU-2021:3385-1: moderate: Security update for glibc
Message-ID: <20211012165644.8E78FFE13@maintenance.suse.de>

   SUSE Security Update: Security update for glibc
______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3385-1 Rating: moderate References: #1186489 #1187911 Cross-References: CVE-2021-33574 CVE-2021-35942 CVSS scores: CVE-2021-33574 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-33574 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-35942 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Server for SAP 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Development Tools 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Enterprise Storage 6 SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for glibc fixes the following issues: - CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911) - CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3385=1 - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-3385=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-3385=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-3385=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-3385=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2021-3385=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-3385=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3385=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-3385=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-3385=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3385=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3385=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-3385=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List:

- SUSE MicroOS 5.0 (aarch64 x86_64):
  glibc-2.26-13.59.1 glibc-debuginfo-2.26-13.59.1 glibc-debugsource-2.26-13.59.1 glibc-locale-2.26-13.59.1 glibc-locale-base-2.26-13.59.1 glibc-locale-base-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
  glibc-2.26-13.59.1 glibc-debuginfo-2.26-13.59.1 glibc-debugsource-2.26-13.59.1 glibc-devel-2.26-13.59.1 glibc-devel-debuginfo-2.26-13.59.1 glibc-devel-static-2.26-13.59.1 glibc-extra-2.26-13.59.1 glibc-extra-debuginfo-2.26-13.59.1 glibc-locale-2.26-13.59.1 glibc-locale-base-2.26-13.59.1 glibc-locale-base-debuginfo-2.26-13.59.1 glibc-profile-2.26-13.59.1 glibc-utils-2.26-13.59.1 glibc-utils-debuginfo-2.26-13.59.1 glibc-utils-src-debugsource-2.26-13.59.1 nscd-2.26-13.59.1 nscd-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):
  glibc-32bit-2.26-13.59.1 glibc-32bit-debuginfo-2.26-13.59.1 glibc-devel-32bit-2.26-13.59.1 glibc-devel-32bit-debuginfo-2.26-13.59.1 glibc-locale-base-32bit-2.26-13.59.1 glibc-locale-base-32bit-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):
  glibc-i18ndata-2.26-13.59.1 glibc-info-2.26-13.59.1

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  glibc-2.26-13.59.1 glibc-debuginfo-2.26-13.59.1 glibc-debugsource-2.26-13.59.1 glibc-devel-2.26-13.59.1 glibc-devel-debuginfo-2.26-13.59.1 glibc-devel-static-2.26-13.59.1 glibc-extra-2.26-13.59.1 glibc-extra-debuginfo-2.26-13.59.1 glibc-locale-2.26-13.59.1 glibc-locale-base-2.26-13.59.1 glibc-locale-base-debuginfo-2.26-13.59.1 glibc-profile-2.26-13.59.1 glibc-utils-2.26-13.59.1 glibc-utils-debuginfo-2.26-13.59.1 glibc-utils-src-debugsource-2.26-13.59.1 nscd-2.26-13.59.1 nscd-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise Server for SAP 15 (x86_64):
  glibc-32bit-2.26-13.59.1 glibc-32bit-debuginfo-2.26-13.59.1 glibc-devel-32bit-2.26-13.59.1 glibc-devel-32bit-debuginfo-2.26-13.59.1 glibc-locale-base-32bit-2.26-13.59.1 glibc-locale-base-32bit-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise Server for SAP 15 (noarch):
  glibc-i18ndata-2.26-13.59.1 glibc-info-2.26-13.59.1

- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
  glibc-2.26-13.59.1 glibc-debuginfo-2.26-13.59.1 glibc-debugsource-2.26-13.59.1 glibc-devel-2.26-13.59.1 glibc-devel-debuginfo-2.26-13.59.1 glibc-devel-static-2.26-13.59.1 glibc-extra-2.26-13.59.1 glibc-extra-debuginfo-2.26-13.59.1 glibc-locale-2.26-13.59.1 glibc-locale-base-2.26-13.59.1 glibc-locale-base-debuginfo-2.26-13.59.1 glibc-profile-2.26-13.59.1 glibc-utils-2.26-13.59.1 glibc-utils-debuginfo-2.26-13.59.1 glibc-utils-src-debugsource-2.26-13.59.1 nscd-2.26-13.59.1 nscd-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):
  glibc-i18ndata-2.26-13.59.1 glibc-info-2.26-13.59.1

- SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):
  glibc-32bit-2.26-13.59.1 glibc-32bit-debuginfo-2.26-13.59.1 glibc-devel-32bit-2.26-13.59.1 glibc-devel-32bit-debuginfo-2.26-13.59.1 glibc-locale-base-32bit-2.26-13.59.1 glibc-locale-base-32bit-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise Server 15-SP1-BCL (noarch):
  glibc-i18ndata-2.26-13.59.1 glibc-info-2.26-13.59.1

- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
  glibc-2.26-13.59.1 glibc-32bit-2.26-13.59.1 glibc-32bit-debuginfo-2.26-13.59.1 glibc-debuginfo-2.26-13.59.1 glibc-debugsource-2.26-13.59.1 glibc-devel-2.26-13.59.1 glibc-devel-32bit-2.26-13.59.1 glibc-devel-32bit-debuginfo-2.26-13.59.1 glibc-devel-debuginfo-2.26-13.59.1 glibc-devel-static-2.26-13.59.1 glibc-extra-2.26-13.59.1 glibc-extra-debuginfo-2.26-13.59.1 glibc-locale-2.26-13.59.1 glibc-locale-base-2.26-13.59.1 glibc-locale-base-32bit-2.26-13.59.1 glibc-locale-base-32bit-debuginfo-2.26-13.59.1 glibc-locale-base-debuginfo-2.26-13.59.1 glibc-profile-2.26-13.59.1 glibc-utils-2.26-13.59.1 glibc-utils-debuginfo-2.26-13.59.1 glibc-utils-src-debugsource-2.26-13.59.1 nscd-2.26-13.59.1 nscd-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  glibc-2.26-13.59.1 glibc-debuginfo-2.26-13.59.1 glibc-debugsource-2.26-13.59.1 glibc-devel-2.26-13.59.1 glibc-devel-debuginfo-2.26-13.59.1 glibc-devel-static-2.26-13.59.1 glibc-extra-2.26-13.59.1 glibc-extra-debuginfo-2.26-13.59.1 glibc-locale-2.26-13.59.1 glibc-locale-base-2.26-13.59.1 glibc-locale-base-debuginfo-2.26-13.59.1 glibc-profile-2.26-13.59.1 glibc-utils-2.26-13.59.1 glibc-utils-debuginfo-2.26-13.59.1 glibc-utils-src-debugsource-2.26-13.59.1 nscd-2.26-13.59.1 nscd-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise Server 15-LTSS (noarch):
  glibc-i18ndata-2.26-13.59.1 glibc-info-2.26-13.59.1

- SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):
  glibc-debuginfo-2.26-13.59.1 glibc-debugsource-2.26-13.59.1 glibc-devel-static-2.26-13.59.1 glibc-utils-2.26-13.59.1 glibc-utils-debuginfo-2.26-13.59.1 glibc-utils-src-debugsource-2.26-13.59.1

- SUSE Linux Enterprise Module for Development Tools 15-SP2 (x86_64):
  glibc-32bit-debuginfo-2.26-13.59.1 glibc-devel-32bit-2.26-13.59.1 glibc-devel-32bit-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  glibc-2.26-13.59.1 glibc-debuginfo-2.26-13.59.1 glibc-debugsource-2.26-13.59.1 glibc-devel-2.26-13.59.1 glibc-devel-debuginfo-2.26-13.59.1 glibc-extra-2.26-13.59.1 glibc-extra-debuginfo-2.26-13.59.1 glibc-locale-2.26-13.59.1 glibc-locale-base-2.26-13.59.1 glibc-locale-base-debuginfo-2.26-13.59.1 glibc-profile-2.26-13.59.1 nscd-2.26-13.59.1 nscd-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):
  glibc-32bit-2.26-13.59.1 glibc-32bit-debuginfo-2.26-13.59.1 glibc-locale-base-32bit-2.26-13.59.1 glibc-locale-base-32bit-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
  glibc-i18ndata-2.26-13.59.1 glibc-info-2.26-13.59.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
  glibc-2.26-13.59.1 glibc-debuginfo-2.26-13.59.1 glibc-debugsource-2.26-13.59.1 glibc-devel-2.26-13.59.1 glibc-devel-debuginfo-2.26-13.59.1 glibc-devel-static-2.26-13.59.1 glibc-extra-2.26-13.59.1 glibc-extra-debuginfo-2.26-13.59.1 glibc-locale-2.26-13.59.1 glibc-locale-base-2.26-13.59.1 glibc-locale-base-debuginfo-2.26-13.59.1 glibc-profile-2.26-13.59.1 glibc-utils-2.26-13.59.1 glibc-utils-debuginfo-2.26-13.59.1 glibc-utils-src-debugsource-2.26-13.59.1 nscd-2.26-13.59.1 nscd-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64):
  glibc-32bit-2.26-13.59.1 glibc-32bit-debuginfo-2.26-13.59.1 glibc-devel-32bit-2.26-13.59.1 glibc-devel-32bit-debuginfo-2.26-13.59.1 glibc-locale-base-32bit-2.26-13.59.1 glibc-locale-base-32bit-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):
  glibc-i18ndata-2.26-13.59.1 glibc-info-2.26-13.59.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
  glibc-2.26-13.59.1 glibc-debuginfo-2.26-13.59.1 glibc-debugsource-2.26-13.59.1 glibc-devel-2.26-13.59.1 glibc-devel-debuginfo-2.26-13.59.1 glibc-devel-static-2.26-13.59.1 glibc-extra-2.26-13.59.1 glibc-extra-debuginfo-2.26-13.59.1 glibc-locale-2.26-13.59.1 glibc-locale-base-2.26-13.59.1 glibc-locale-base-debuginfo-2.26-13.59.1 glibc-profile-2.26-13.59.1 glibc-utils-2.26-13.59.1 glibc-utils-debuginfo-2.26-13.59.1 glibc-utils-src-debugsource-2.26-13.59.1 nscd-2.26-13.59.1 nscd-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64):
  glibc-32bit-2.26-13.59.1 glibc-32bit-debuginfo-2.26-13.59.1 glibc-devel-32bit-2.26-13.59.1 glibc-devel-32bit-debuginfo-2.26-13.59.1 glibc-locale-base-32bit-2.26-13.59.1 glibc-locale-base-32bit-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):
  glibc-i18ndata-2.26-13.59.1 glibc-info-2.26-13.59.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
  glibc-2.26-13.59.1 glibc-debuginfo-2.26-13.59.1 glibc-debugsource-2.26-13.59.1 glibc-devel-2.26-13.59.1 glibc-devel-debuginfo-2.26-13.59.1 glibc-devel-static-2.26-13.59.1 glibc-extra-2.26-13.59.1 glibc-extra-debuginfo-2.26-13.59.1 glibc-locale-2.26-13.59.1 glibc-locale-base-2.26-13.59.1 glibc-locale-base-debuginfo-2.26-13.59.1 glibc-profile-2.26-13.59.1 glibc-utils-2.26-13.59.1 glibc-utils-debuginfo-2.26-13.59.1 glibc-utils-src-debugsource-2.26-13.59.1 nscd-2.26-13.59.1 nscd-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):
  glibc-32bit-2.26-13.59.1 glibc-32bit-debuginfo-2.26-13.59.1 glibc-devel-32bit-2.26-13.59.1 glibc-devel-32bit-debuginfo-2.26-13.59.1 glibc-locale-base-32bit-2.26-13.59.1 glibc-locale-base-32bit-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
  glibc-i18ndata-2.26-13.59.1 glibc-info-2.26-13.59.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
  glibc-2.26-13.59.1 glibc-debuginfo-2.26-13.59.1 glibc-debugsource-2.26-13.59.1 glibc-devel-2.26-13.59.1 glibc-devel-debuginfo-2.26-13.59.1 glibc-devel-static-2.26-13.59.1 glibc-extra-2.26-13.59.1 glibc-extra-debuginfo-2.26-13.59.1 glibc-locale-2.26-13.59.1 glibc-locale-base-2.26-13.59.1 glibc-locale-base-debuginfo-2.26-13.59.1 glibc-profile-2.26-13.59.1 glibc-utils-2.26-13.59.1 glibc-utils-debuginfo-2.26-13.59.1 glibc-utils-src-debugsource-2.26-13.59.1 nscd-2.26-13.59.1 nscd-debuginfo-2.26-13.59.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
  glibc-i18ndata-2.26-13.59.1 glibc-info-2.26-13.59.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):
  glibc-32bit-2.26-13.59.1 glibc-32bit-debuginfo-2.26-13.59.1 glibc-devel-32bit-2.26-13.59.1 glibc-devel-32bit-debuginfo-2.26-13.59.1 glibc-locale-base-32bit-2.26-13.59.1 glibc-locale-base-32bit-debuginfo-2.26-13.59.1

- SUSE Enterprise Storage 6 (aarch64 x86_64):
  glibc-2.26-13.59.1 glibc-debuginfo-2.26-13.59.1 glibc-debugsource-2.26-13.59.1 glibc-devel-2.26-13.59.1 glibc-devel-debuginfo-2.26-13.59.1 glibc-devel-static-2.26-13.59.1 glibc-extra-2.26-13.59.1 glibc-extra-debuginfo-2.26-13.59.1 glibc-locale-2.26-13.59.1 glibc-locale-base-2.26-13.59.1 glibc-locale-base-debuginfo-2.26-13.59.1 glibc-profile-2.26-13.59.1 glibc-utils-2.26-13.59.1 glibc-utils-debuginfo-2.26-13.59.1 glibc-utils-src-debugsource-2.26-13.59.1 nscd-2.26-13.59.1 nscd-debuginfo-2.26-13.59.1

- SUSE Enterprise Storage 6 (x86_64):
  glibc-32bit-2.26-13.59.1 glibc-32bit-debuginfo-2.26-13.59.1 glibc-devel-32bit-2.26-13.59.1 glibc-devel-32bit-debuginfo-2.26-13.59.1 glibc-locale-base-32bit-2.26-13.59.1 glibc-locale-base-32bit-debuginfo-2.26-13.59.1

- SUSE Enterprise Storage 6 (noarch):
  glibc-i18ndata-2.26-13.59.1 glibc-info-2.26-13.59.1

- SUSE CaaS Platform 4.0 (x86_64):
  glibc-2.26-13.59.1 glibc-32bit-2.26-13.59.1 glibc-32bit-debuginfo-2.26-13.59.1 glibc-debuginfo-2.26-13.59.1 glibc-debugsource-2.26-13.59.1 glibc-devel-2.26-13.59.1 glibc-devel-32bit-2.26-13.59.1 glibc-devel-32bit-debuginfo-2.26-13.59.1 glibc-devel-debuginfo-2.26-13.59.1 glibc-devel-static-2.26-13.59.1 glibc-extra-2.26-13.59.1 glibc-extra-debuginfo-2.26-13.59.1 glibc-locale-2.26-13.59.1 glibc-locale-base-2.26-13.59.1 glibc-locale-base-32bit-2.26-13.59.1 glibc-locale-base-32bit-debuginfo-2.26-13.59.1 glibc-locale-base-debuginfo-2.26-13.59.1 glibc-profile-2.26-13.59.1 glibc-utils-2.26-13.59.1 glibc-utils-debuginfo-2.26-13.59.1 glibc-utils-src-debugsource-2.26-13.59.1 nscd-2.26-13.59.1 nscd-debuginfo-2.26-13.59.1

- SUSE CaaS Platform 4.0 (noarch):
  glibc-i18ndata-2.26-13.59.1 glibc-info-2.26-13.59.1

References:

https://www.suse.com/security/cve/CVE-2021-33574.html
https://www.suse.com/security/cve/CVE-2021-35942.html
https://bugzilla.suse.com/1186489
https://bugzilla.suse.com/1187911


From sle-security-updates at lists.suse.com Tue Oct 12 19:17:13 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 21:17:13 +0200 (CEST)
Subject: SUSE-SU-2021:3386-1: important: Security update for the Linux Kernel
Message-ID: <20211012191713.8C345FE12@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3386-1
Rating:             important
References:         #1050244 #1056653 #1056657 #1056787 #1065729 #1104745 #1109837 #1111981 #1114648 #1118661 #1129770 #1148868 #1158533 #1173746 #1176940 #1181193 #1184439 #1185677 #1185727 #1186785 #1189297 #1189407 #1189884 #1190023 #1190115 #1190159 #1190523 #1190534 #1190543 #1190576 #1190601 #1190620 #1190626 #1190717 #1190914 #1191051 #1191136 #1191193
Cross-References:   CVE-2020-3702 CVE-2021-3744 CVE-2021-3752 CVE-2021-3764 CVE-2021-40490
CVSS scores:
                    CVE-2020-3702 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-3702 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-3744 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-3752 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3764 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-40490 (SUSE): 6.1 CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Live Patching 12-SP5
                    SUSE Linux Enterprise High Availability 12-SP5
______________________________________________________________________________

An update that solves 5 vulnerabilities and has 33 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 kernel was updated.
The following security bugs were fixed:

- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193)
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
- CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could lead to local privilege escalation. (bnc#1190159)
- CVE-2021-3744: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1189884)
- CVE-2021-3764: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1190534)

The following non-security bugs were fixed:

- be2net: Fix an error handling path in 'be_probe()' (git-fixes).
- bnx2x: fix an error code in bnx2x_nic_load() (git-fixes).
- bnxt: Add missing DMA memory barriers (git-fixes).
- bnxt: do not disable an already disabled PCI device (git-fixes).
- bnxt: disable napi before canceling DIM (bsc#1104745).
- btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626).
- clk: at91: clk-generated: Limit the requested rate to our range (git-fixes).
- clk: kirkwood: Fix a clocking boot regression (git-fixes).
- crypto: x86/aes-ni-xts - use direct calls to and 4-way stride (bsc#1114648).
- cxgb4: fix IRQ free race during driver unload (git-fixes).
- debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746).
- docs: Fix infiniband uverbs minor number (git-fixes).
- drm/gma500: Fix end of loop tests for list_for_each_entry (bsc#1129770)
  Backporting changes:
  * refresh
- drm/imx: ipuv3-plane: Remove two unnecessary export symbols (bsc#1129770)
  Backporting changes:
  * refreshed
- drm/mediatek: Add AAL output size configuration (bsc#1129770)
  Backporting changes:
  * adapted code to use writel() function
- drm/msm: Small msm_gem_purge() fix (bsc#1129770)
  Backporting changes:
  * context changes in msm_gem_purge()
  * remove test for non-existent msm_gem_is_locked()
- drm/msm/dsi: Fix some reference counted resource leaks (bsc#1129770).
- drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() (bsc#1186785).
- drm/rockchip: cdn-dp: fix sign extension on an int multiply for a u64 (bsc#1129770)
  Backporting changes:
  * context changes
- dt-bindings: pwm: stm32: Add #pwm-cells (git-fixes).
- e1000e: Do not take care about recovery NVM checksum (bsc#1158533).
- e1000e: Fix an error handling path in 'e1000_probe()' (git-fixes).
- e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes).
- EDAC/i10nm: Fix NVDIMM detection (bsc#1114648).
- fbmem: add margin check to fb_check_caps() (bsc#1129770)
  Backporting changes:
  * context changes in fb_set_var()
- fm10k: Fix an error handling path in 'fm10k_probe()' (git-fixes).
- fs/select: avoid clang stack usage warning (git-fixes).
- fuse: truncate pagecache on atomic_o_trunc (bsc#1191051).
- gve: fix the wrong AdminQ buffer overflow check (bsc#1176940).
- hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185727).
- hv: mana: adjust mana_select_queue to old API (jsc#SLE-18779, bsc#1185727).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185727).
- i40e: Add additional info to PHY type error (git-fixes).
- i40e: Fix autoneg disabling for non-10GBaseT links (git-fixes).
- i40e: Fix error handling in i40e_vsi_open (git-fixes).
- i40e: Fix log TC creation failure when max num of queues is exceeded (bsc#1109837 bsc#1111981).
- i40e: Fix logic of disabling queues (git-fixes).
- iavf: Fix an error handling path in 'iavf_probe()' (git-fixes).
- iavf: Set RSS LUT and key in reset handle path (git-fixes).
- ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
- ice: Prevent probing virtual functions (bsc#1118661).
- igb: Check if num of q_vectors is smaller than max before array access (git-fixes).
- igb: Fix an error handling path in 'igb_probe()' (git-fixes).
- igb: Fix use-after-free error during reset (git-fixes).
- ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
- irqchip/gic-v2: Reset APRn registers at boot time (bsc#1189407).
- irqchip/gic-v3: Do not try to reset AP0Rn (bsc#1189407).
- irqchip/gic-v3: Reset APgRn registers at boot time (bsc#1189407).
- ixgbe: Fix an error handling path in 'ixgbe_probe()' (git-fixes).
- kdb: do a sanity check on the cpu in kdb_per_cpu() (git-fixes).
- KVM: x86: Use kernel's x86_phys_bits to handle reduced MAXPHYADDR (bsc#1114648).
- liquidio: Fix unintentional sign extension issue on left shift of u16 (git-fixes).
- mailbox: sti: quieten kernel-doc warnings (git-fixes).
- mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
- net: linkwatch: fix failure to restore device state across suspend/resume (bsc#1109837).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185727).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185727).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185727).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185727).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185727).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185727).
- net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185727).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185727).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185727).
- net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185727).
- net: pch_gbe: Propagate error from devm_gpio_request_one() (git-fixes).
- net: qed: fix left elements count calculation (git-fixes).
- net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
- net: sched: cls_api: Fix the the wrong parameter (bsc#1109837).
- net: sched: Fix qdisc_rate_table refcount leak when get tcf_block failed (bsc#1056657 bsc#1056653 bsc#1056787).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- pinctrl: samsung: Fix pinctrl bank pin count (git-fixes).
- powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
- powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
- powerpc/mm: Fix section mismatch warning (bsc#1148868).
- powerpc/mm: Fix section mismatch warning in early_check_vec5() (bsc#1148868).
- powerpc/mm/radix: Free PUD table when freeing pagetable (bsc#1065729).
- powerpc/numa: Early request for home node associativity (bsc#1190914).
- powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
- powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
- powerpc/perf: Fix the check for SIAR value (bsc#1065729).
- powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
- powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
- powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
- powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
- powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
- powerpc/pseries: Move mm/book3s64/vphn.c under platforms/pseries/ (bsc#1190914).
- powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
- powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
- profiling: fix shift-out-of-bounds bugs (git-fixes).
- pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
- qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
- RDMA/bnxt_re: Add missing spin lock initialization (bsc#1050244).
- RDMA/efa: Be consistent with modify QP bitmask (git-fixes).
- RDMA/efa: Use the correct current and new states in modify QP (git-fixes).
- resource: Fix find_next_iomem_res() iteration issue (bsc#1181193).
- s390: bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_* (bsc#1190601).
- s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (bsc#1190601).
- s390/bpf: Fix branch shortening during codegen pass (bsc#1190601).
- s390/bpf: Fix optimizing out zero-extensions (bsc#1190601).
- s390/bpf: Wrap JIT macro parameter usages in parentheses (bsc#1190601).
- s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
- scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
- scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
- scsi: fc: Add EDC ELS definition (bsc#1190576).
- scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
- scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
- scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
- scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
- scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
- scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
- scsi: lpfc: Add EDC ELS support (bsc#1190576).
- scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
- scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
- scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
- scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
- scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576).
- scsi: lpfc: Add support for the CM framework (bsc#1190576).
- scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576).
- scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576).
- scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576).
- scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576).
- scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576).
- scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576).
- scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576).
- scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576).
- scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576).
- scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576).
- scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576).
- scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576).
- scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576).
- scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576).
- scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576).
- scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576).
- scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576).
- scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576).
- scsi: lpfc: Remove unneeded variable (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576).
- scsi: lpfc: Use correct scnprintf() limit (bsc#1190576).
- scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576).
- scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576).
- scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576).
- scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297).
- SUNRPC: Ensure to ratelimit the "server not responding" syslog messages (bsc#1191136).
- USB: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes).
- USB: serial: option: add new VID/PID to support Fibocom FG150 (git-fixes).
- USB: serial: option: remove duplicate USB device ID (git-fixes).
- video: fbdev: imxfb: Fix an error message (bsc#1129770)
  Backporting changes:
  * context changes in imxfb_probe()
- x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
- x86/crash: Add e820 reserved ranges to kdump kernel's e820 table (bsc#1181193).
- x86/e820, ioport: Add a new I/O resource descriptor IORES_DESC_RESERVED (bsc#1181193).
- x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1114648).
- x86/mm: Rework ioremap resource mapping determination (bsc#1181193).
- x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1114648).
- x86/resctrl: Fix default monitoring groups reporting (bsc#1114648).
- xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12-SP5:
  zypper in -t patch SUSE-SLE-WE-12-SP5-2021-3386=1

- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3386=1

- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3386=1

- SUSE Linux Enterprise Live Patching 12-SP5:
  zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-3386=1

- SUSE Linux Enterprise High Availability 12-SP5:
  zypper in -t patch SUSE-SLE-HA-12-SP5-2021-3386=1

Package List:

- SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):
  kernel-default-debuginfo-4.12.14-122.91.2 kernel-default-debugsource-4.12.14-122.91.2 kernel-default-extra-4.12.14-122.91.2 kernel-default-extra-debuginfo-4.12.14-122.91.2

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  kernel-obs-build-4.12.14-122.91.2 kernel-obs-build-debugsource-4.12.14-122.91.2

- SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):
  kernel-docs-4.12.14-122.91.2

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  kernel-default-4.12.14-122.91.2 kernel-default-base-4.12.14-122.91.2 kernel-default-base-debuginfo-4.12.14-122.91.2 kernel-default-debuginfo-4.12.14-122.91.2 kernel-default-debugsource-4.12.14-122.91.2 kernel-default-devel-4.12.14-122.91.2 kernel-syms-4.12.14-122.91.2

- SUSE Linux Enterprise Server 12-SP5 (noarch):
  kernel-devel-4.12.14-122.91.2 kernel-macros-4.12.14-122.91.2 kernel-source-4.12.14-122.91.2

- SUSE Linux Enterprise Server 12-SP5 (x86_64):
  kernel-default-devel-debuginfo-4.12.14-122.91.2

- SUSE Linux Enterprise Server 12-SP5 (s390x):
  kernel-default-man-4.12.14-122.91.2

- SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64):
  kernel-default-debuginfo-4.12.14-122.91.2 kernel-default-debugsource-4.12.14-122.91.2 kernel-default-kgraft-4.12.14-122.91.2 kernel-default-kgraft-devel-4.12.14-122.91.2 kgraft-patch-4_12_14-122_91-default-1-8.3.2

- SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):
  cluster-md-kmp-default-4.12.14-122.91.2 cluster-md-kmp-default-debuginfo-4.12.14-122.91.2 dlm-kmp-default-4.12.14-122.91.2 dlm-kmp-default-debuginfo-4.12.14-122.91.2 gfs2-kmp-default-4.12.14-122.91.2 gfs2-kmp-default-debuginfo-4.12.14-122.91.2 kernel-default-debuginfo-4.12.14-122.91.2 kernel-default-debugsource-4.12.14-122.91.2 ocfs2-kmp-default-4.12.14-122.91.2 ocfs2-kmp-default-debuginfo-4.12.14-122.91.2

References:

https://www.suse.com/security/cve/CVE-2020-3702.html
https://www.suse.com/security/cve/CVE-2021-3744.html
https://www.suse.com/security/cve/CVE-2021-3752.html
https://www.suse.com/security/cve/CVE-2021-3764.html
https://www.suse.com/security/cve/CVE-2021-40490.html
https://bugzilla.suse.com/1050244
https://bugzilla.suse.com/1056653
https://bugzilla.suse.com/1056657
https://bugzilla.suse.com/1056787
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1104745
https://bugzilla.suse.com/1109837
https://bugzilla.suse.com/1111981
https://bugzilla.suse.com/1114648
https://bugzilla.suse.com/1118661
https://bugzilla.suse.com/1129770
https://bugzilla.suse.com/1148868
https://bugzilla.suse.com/1158533
https://bugzilla.suse.com/1173746
https://bugzilla.suse.com/1176940
https://bugzilla.suse.com/1181193
https://bugzilla.suse.com/1184439
https://bugzilla.suse.com/1185677
https://bugzilla.suse.com/1185727
https://bugzilla.suse.com/1186785
https://bugzilla.suse.com/1189297
https://bugzilla.suse.com/1189407
https://bugzilla.suse.com/1189884
https://bugzilla.suse.com/1190023
https://bugzilla.suse.com/1190115
https://bugzilla.suse.com/1190159
https://bugzilla.suse.com/1190523
https://bugzilla.suse.com/1190534
https://bugzilla.suse.com/1190543
https://bugzilla.suse.com/1190576
https://bugzilla.suse.com/1190601
https://bugzilla.suse.com/1190620
https://bugzilla.suse.com/1190626
https://bugzilla.suse.com/1190717
https://bugzilla.suse.com/1190914
https://bugzilla.suse.com/1191051
https://bugzilla.suse.com/1191136
https://bugzilla.suse.com/1191193


From sle-security-updates at lists.suse.com Tue Oct 12 19:34:09 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 21:34:09 +0200 (CEST)
Subject: SUSE-SU-2021:3389-1: important: Security update for the Linux Kernel
Message-ID: <20211012193409.BDDB7FE12@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3389-1
Rating:             important
References:         #1050244 #1056653 #1056657 #1056787 #1065729 #1104745 #1109837 #1111981 #1114648 #1118661 #1129770 #1148868 #1158533 #1173746 #1176940 #1181193 #1184439 #1185677 #1185727 #1186785 #1189297 #1189407 #1189884 #1190023 #1190115 #1190159 #1190432 #1190523 #1190534 #1190543 #1190576 #1190601 #1190620 #1190626 #1190717 #1190914 #1191051 #1191136 #1191193
Cross-References:   CVE-2020-3702 CVE-2021-3744 CVE-2021-3752 CVE-2021-3764 CVE-2021-40490
CVSS scores:
                    CVE-2020-3702 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-3702 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-3744 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-3752 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3764 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-40490 (SUSE): 6.1 CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves 5 vulnerabilities and has 34 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 kernel was updated.
The following security bugs were fixed:

- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193)
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
- CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could lead to local privilege escalation. (bnc#1190159)
- CVE-2021-3744: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1189884)
- CVE-2021-3764: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1190534)

The following non-security bugs were fixed:

- be2net: Fix an error handling path in 'be_probe()' (git-fixes).
- bnx2x: fix an error code in bnx2x_nic_load() (git-fixes).
- bnxt_en: Add missing DMA memory barriers (git-fixes).
- bnxt_en: do not disable an already disabled PCI device (git-fixes).
- bnxt: disable napi before canceling DIM (bsc#1104745).
- btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626).
- clk: at91: clk-generated: Limit the requested rate to our range (git-fixes).
- clk: kirkwood: Fix a clocking boot regression (git-fixes).
- crypto: x86/aes-ni-xts - use direct calls to and 4-way stride (bsc#1114648).
- cxgb4: fix IRQ free race during driver unload (git-fixes).
- debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746).
- docs: Fix infiniband uverbs minor number (git-fixes).
- drm/gma500: Fix end of loop tests for list_for_each_entry (bsc#1129770)
  Backporting changes:
  * refresh
- drm/imx: ipuv3-plane: Remove two unnecessary export symbols (bsc#1129770)
  Backporting changes:
  * refreshed
- drm/mediatek: Add AAL output size configuration (bsc#1129770)
  Backporting changes:
  * adapted code to use writel() function
- drm/msm: Small msm_gem_purge() fix (bsc#1129770)
  Backporting changes:
  * context changes in msm_gem_purge()
  * remove test for non-existent msm_gem_is_locked()
- drm/msm/dsi: Fix some reference counted resource leaks (bsc#1129770).
- drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() (bsc#1186785).
- drm/rockchip: cdn-dp: fix sign extension on an int multiply for a u64 (bsc#1129770)
  Backporting changes:
  * context changes
- dt-bindings: pwm: stm32: Add #pwm-cells (git-fixes).
- e1000e: Do not take care about recovery NVM checksum (bsc#1158533).
- e1000e: Fix an error handling path in 'e1000_probe()' (git-fixes).
- e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes).
- EDAC/i10nm: Fix NVDIMM detection (bsc#1114648).
- fbmem: add margin check to fb_check_caps() (bsc#1129770)
  Backporting changes:
  * context changes in fb_set_var()
- Fix build warnings. Also align code location with later codestreams and improve bisectability.
- fm10k: Fix an error handling path in 'fm10k_probe()' (git-fixes).
- fs/select: avoid clang stack usage warning (git-fixes).
- fuse: truncate pagecache on atomic_o_trunc (bsc#1191051).
- gve: fix the wrong AdminQ buffer overflow check (bsc#1176940).
- hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185727).
- hv: mana: adjust mana_select_queue to old API (jsc#SLE-18779, bsc#1185727).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185727).
- i40e: Add additional info to PHY type error (git-fixes).
- i40e: Fix autoneg disabling for non-10GBaseT links (git-fixes).
- i40e: Fix error handling in i40e_vsi_open (git-fixes).
- i40e: Fix log TC creation failure when max num of queues is exceeded (bsc#1109837 bsc#1111981).
- i40e: Fix logic of disabling queues (git-fixes).
- iavf: Fix an error handling path in 'iavf_probe()' (git-fixes).
- iavf: Set RSS LUT and key in reset handle path (git-fixes).
- ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
- ice: Prevent probing virtual functions (bsc#1118661).
- igb: Check if num of q_vectors is smaller than max before array access (git-fixes).
- igb: Fix an error handling path in 'igb_probe()' (git-fixes).
- igb: Fix use-after-free error during reset (git-fixes).
- ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
- irqchip/gic-v2: Reset APRn registers at boot time (bsc#1189407).
- irqchip/gic-v3: Do not try to reset AP0Rn (bsc#1189407).
- irqchip/gic-v3: Reset APgRn registers at boot time (bsc#1189407).
- ixgbe: Fix an error handling path in 'ixgbe_probe()' (git-fixes).
- kdb: do a sanity check on the cpu in kdb_per_cpu() (git-fixes).
- KVM: x86: Use kernel's x86_phys_bits to handle reduced MAXPHYADDR (bsc#1114648).
- liquidio: Fix unintentional sign extension issue on left shift of u16 (git-fixes).
- mailbox: sti: quieten kernel-doc warnings (git-fixes).
- mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
- net: linkwatch: fix failure to restore device state across suspend/resume (bsc#1109837).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185727).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185727).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185727).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185727).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185727).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185727).
- net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185727).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185727).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185727).
- net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185727).
- net: pch_gbe: Propagate error from devm_gpio_request_one() (git-fixes).
- net: qed: fix left elements count calculation (git-fixes).
- net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
- net: sched: cls_api: Fix the the wrong parameter (bsc#1109837).
- net: sched: Fix qdisc_rate_table refcount leak when get tcf_block failed (bsc#1056657 bsc#1056653 bsc#1056787).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- pinctrl: samsung: Fix pinctrl bank pin count (git-fixes).
- powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
- powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
- powerpc/mm: Fix section mismatch warning (bsc#1148868).
- powerpc/mm: Fix section mismatch warning in early_check_vec5() (bsc#1148868).
- powerpc/mm/radix: Free PUD table when freeing pagetable (bsc#1065729).
- powerpc/numa: Early request for home node associativity (bsc#1190914).
- powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
- powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
- powerpc/perf: Fix the check for SIAR value (bsc#1065729).
- powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
- powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
- powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
- powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
- powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
- powerpc/pseries: Move mm/book3s64/vphn.c under platforms/pseries/ (bsc#1190914).
- powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
- powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
- profiling: fix shift-out-of-bounds bugs (git-fixes).
- pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
- qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
- RDMA/bnxt_re: Add missing spin lock initialization (bsc#1050244).
- RDMA/efa: Be consistent with modify QP bitmask (git-fixes).
- RDMA/efa: Use the correct current and new states in modify QP (git-fixes).
- resource: Fix find_next_iomem_res() iteration issue (bsc#1181193).
- s390: bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_* (bsc#1190601).
- s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (bsc#1190601).
- s390/bpf: Fix branch shortening during codegen pass (bsc#1190601).
- s390/bpf: Fix optimizing out zero-extensions (bsc#1190601).
- s390/bpf: Wrap JIT macro parameter usages in parentheses (bsc#1190601).
- s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
- scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
- scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
- scsi: fc: Add EDC ELS definition (bsc#1190576).
- scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
- scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
- scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
- scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
- scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
- scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
- scsi: lpfc: Add EDC ELS support (bsc#1190576).
- scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
- scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
- scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
- scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
- scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576). - scsi: lpfc: Add support for the CM framework (bsc#1190576). - scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576). - scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576). - scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576). - scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576). - scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576). - scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576). - scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576). - scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576). - scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576). - scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576). - scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576). - scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576). - scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576). - scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576). - scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576). - scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576). - scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576). - scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576). - scsi: lpfc: Remove unneeded variable (bsc#1190576). - scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576). - scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576). - scsi: lpfc: Use correct scnprintf() limit (bsc#1190576). - scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576). - scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576). 
- scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576). - scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297). - SUNRPC: Ensure to ratelimit the "server not responding" syslog messages (bsc#1191136). - USB: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes). - USB: serial: option: add new VID/PID to support Fibocom FG150 (git-fixes). - USB: serial: option: remove duplicate USB device ID (git-fixes). - video: fbdev: imxfb: Fix an error message (bsc#1129770) Backporting changes: * context changes in imxfb_probe() - x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439). - x86/crash: Add e820 reserved ranges to kdump kernel's e820 table (bsc#1181193). - x86/e820, ioport: Add a new I/O resource descriptor IORES_DESC_RESERVED (bsc#1181193). - x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1114648). - x86/mm: Rework ioremap resource mapping determination (bsc#1181193). - x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1114648). - x86/resctrl: Fix default monitoring groups reporting (bsc#1114648). - xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3389=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (noarch):
  kernel-devel-azure-4.12.14-16.76.2
  kernel-source-azure-4.12.14-16.76.2

- SUSE Linux Enterprise Server 12-SP5 (x86_64):
  kernel-azure-4.12.14-16.76.2
  kernel-azure-base-4.12.14-16.76.2
  kernel-azure-base-debuginfo-4.12.14-16.76.2
  kernel-azure-debuginfo-4.12.14-16.76.2
  kernel-azure-debugsource-4.12.14-16.76.2
  kernel-azure-devel-4.12.14-16.76.2
  kernel-syms-azure-4.12.14-16.76.2

References:

https://www.suse.com/security/cve/CVE-2020-3702.html
https://www.suse.com/security/cve/CVE-2021-3744.html
https://www.suse.com/security/cve/CVE-2021-3752.html
https://www.suse.com/security/cve/CVE-2021-3764.html
https://www.suse.com/security/cve/CVE-2021-40490.html
https://bugzilla.suse.com/1050244
https://bugzilla.suse.com/1056653
https://bugzilla.suse.com/1056657
https://bugzilla.suse.com/1056787
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1104745
https://bugzilla.suse.com/1109837
https://bugzilla.suse.com/1111981
https://bugzilla.suse.com/1114648
https://bugzilla.suse.com/1118661
https://bugzilla.suse.com/1129770
https://bugzilla.suse.com/1148868
https://bugzilla.suse.com/1158533
https://bugzilla.suse.com/1173746
https://bugzilla.suse.com/1176940
https://bugzilla.suse.com/1181193
https://bugzilla.suse.com/1184439
https://bugzilla.suse.com/1185677
https://bugzilla.suse.com/1185727
https://bugzilla.suse.com/1186785
https://bugzilla.suse.com/1189297
https://bugzilla.suse.com/1189407
https://bugzilla.suse.com/1189884
https://bugzilla.suse.com/1190023
https://bugzilla.suse.com/1190115
https://bugzilla.suse.com/1190159
https://bugzilla.suse.com/1190432
https://bugzilla.suse.com/1190523
https://bugzilla.suse.com/1190534
https://bugzilla.suse.com/1190543
https://bugzilla.suse.com/1190576
https://bugzilla.suse.com/1190601
https://bugzilla.suse.com/1190620
https://bugzilla.suse.com/1190626
https://bugzilla.suse.com/1190717
https://bugzilla.suse.com/1190914
https://bugzilla.suse.com/1191051
https://bugzilla.suse.com/1191136
https://bugzilla.suse.com/1191193


From sle-security-updates at lists.suse.com Tue Oct 12 19:40:34 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 21:40:34 +0200 (CEST)
Subject: SUSE-SU-2021:3388-1: important: Security update for the Linux Kernel
Message-ID: <20211012194034.697C3FE12@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3388-1
Rating:             important
References:         #1050244 #1056653 #1056657 #1056787 #1065729 #1104745 #1109837
                    #1111981 #1114648 #1118661 #1129770 #1148868 #1158533 #1173746
                    #1176940 #1181193 #1184439 #1185677 #1185727 #1186785 #1189297
                    #1189407 #1189884 #1190023 #1190115 #1190159 #1190432 #1190523
                    #1190534 #1190543 #1190576 #1190601 #1190620 #1190626 #1190717
                    #1190914 #1191051 #1191136 #1191193
Cross-References:   CVE-2020-3702 CVE-2021-3744 CVE-2021-3752 CVE-2021-3764 CVE-2021-40490
CVSS scores:
                    CVE-2020-3702 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-3702 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-3744 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-3752 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3764 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-40490 (SUSE): 6.1 CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE Linux Enterprise Real Time Extension 12-SP5
______________________________________________________________________________

An update that solves 5 vulnerabilities and has 34 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 kernel was updated.
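A verification check for the patch instructions above, added here and not taken from the SUSE advisory: it compares the installed kernel-azure builds against the fixed 4.12.14-16.76.2 from the package list and also flags the case the reboot note describes (fix installed, but an older kernel still running). It assumes that `uname -r` on SLE reports `<version>-<release without the trailing build counter>-<flavor>` (e.g. `4.12.14-16.76-azure` for package release `16.76.2`), and it is fed constructed `rpm -q` output so that it runs offline.

```shell
#!/bin/sh
# Added example (not part of the SUSE advisory): is the fixed kernel-azure
# build from SUSE-SU-2021:3389-1 installed AND running on a SLES 12 SP5 host?

# Fixed build, taken from the advisory's package list.
FIXED_VERSION="4.12.14-16.76.2"

# Compare two version-release strings segment by segment as integers.
# Prints -1, 0 or 1 for a<b, a==b, a>b. Segments split on '.' and '-';
# non-numeric segments (the "-azure" flavor in uname -r) are ignored and a
# missing trailing segment counts as 0, so "16.76" < "16.76.2".
vercmp() {
    a=$(printf '%s' "$1" | tr '.-' '\n\n' | grep -E '^[0-9]+$' || true)
    b=$(printf '%s' "$2" | tr '.-' '\n\n' | grep -E '^[0-9]+$' || true)
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | sed -n "${i}p")
        y=$(printf '%s\n' "$b" | sed -n "${i}p")
        if [ -z "$x" ] && [ -z "$y" ]; then echo 0; return; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        i=$((i + 1))
    done
}

# Classify a host. $1: package name, $2: `rpm -q <pkg>` output (one
# NAME-VERSION-RELEASE per line; several lines when multiple kernels are
# installed), $3: `uname -r` of the running kernel.
# Prints MISSING, VULNERABLE, REBOOT_PENDING or PATCHED.
patch_state() {
    pkg=$1; rpm_out=$2; running=$3
    # Highest installed version-release of exactly this package name
    # (kernel-azure-base-... and kernel-azure-devel-... do not match).
    installed=""
    for v in $(printf '%s\n' "$rpm_out" | sed -n "s/^${pkg}-\([0-9][0-9.]*-[0-9][0-9.]*\)\$/\1/p"); do
        if [ -z "$installed" ] || [ "$(vercmp "$v" "$installed")" -gt 0 ]; then
            installed=$v
        fi
    done
    [ -n "$installed" ] || { echo MISSING; return; }
    [ "$(vercmp "$installed" "$FIXED_VERSION")" -ge 0 ] || { echo VULNERABLE; return; }
    # Assumption: uname -r is "<version>-<release minus build counter>-<flavor>",
    # e.g. 4.12.14-16.76-azure for package release 16.76.2. The advisory asks
    # for a reboot; a running kernel older than the package means it is still due.
    run_vr=$(printf '%s' "$running" | sed 's/-[a-z_]*$//')    # drop "-azure"
    pkg_vr=$(printf '%s' "$installed" | sed 's/\.[0-9]*$//')  # drop build counter
    if [ "$(vercmp "$run_vr" "$pkg_vr")" -ge 0 ]; then echo PATCHED; else echo REBOOT_PENDING; fi
}

# Constructed sample `rpm -q kernel-azure` outputs (not captured from a real host).
RPM_PATCHED="kernel-azure-4.12.14-16.73.1
kernel-azure-4.12.14-16.76.2"
RPM_OLD="kernel-azure-4.12.14-16.73.1"
RPM_NONE="kernel-default-4.12.14-122.83.1"

# On a real host: patch_state kernel-azure "$(rpm -q kernel-azure)" "$(uname -r)"
patch_state kernel-azure "$RPM_PATCHED" "4.12.14-16.76-azure"    # PATCHED
patch_state kernel-azure "$RPM_PATCHED" "4.12.14-16.73-azure"    # REBOOT_PENDING
patch_state kernel-azure "$RPM_OLD"     "4.12.14-16.73-azure"    # VULNERABLE
patch_state kernel-azure "$RPM_NONE"    "4.12.14-122.83-default" # MISSING
```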
The following security bugs were fixed:

- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193)
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
- CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could lead to local privilege escalation. (bnc#1190159)
- CVE-2021-3744: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1189884)
- CVE-2021-3764: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1190534)

The following non-security bugs were fixed:

- be2net: Fix an error handling path in 'be_probe()' (git-fixes).
- bnx2x: fix an error code in bnx2x_nic_load() (git-fixes).
- bnxt_en: Add missing DMA memory barriers (git-fixes).
- bnxt_en: do not disable an already disabled PCI device (git-fixes).
- bnxt: disable napi before canceling DIM (bsc#1104745).
- btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626).
- clk: at91: clk-generated: Limit the requested rate to our range (git-fixes).
- clk: kirkwood: Fix a clocking boot regression (git-fixes).
- crypto: x86/aes-ni-xts - use direct calls to and 4-way stride (bsc#1114648).
- cxgb4: fix IRQ free race during driver unload (git-fixes).
- debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746).
- docs: Fix infiniband uverbs minor number (git-fixes).
- drm/gma500: Fix end of loop tests for list_for_each_entry (bsc#1129770)
  Backporting changes:
  * refresh
- drm/imx: ipuv3-plane: Remove two unnecessary export symbols (bsc#1129770)
  Backporting changes:
  * refreshed
- drm/mediatek: Add AAL output size configuration (bsc#1129770)
  Backporting changes:
  * adapted code to use writel() function
- drm/msm: Small msm_gem_purge() fix (bsc#1129770)
  Backporting changes:
  * context changes in msm_gem_purge()
  * remove test for non-existent msm_gem_is_locked()
- drm/msm/dsi: Fix some reference counted resource leaks (bsc#1129770)
- drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() (bsc#1186785).
- drm/rockchip: cdn-dp: fix sign extension on an int multiply for a u64 (bsc#1129770)
  Backporting changes:
  * context changes
- dt-bindings: pwm: stm32: Add #pwm-cells (git-fixes).
- e1000e: Do not take care about recovery NVM checksum (bsc#1158533).
- e1000e: Fix an error handling path in 'e1000_probe()' (git-fixes).
- e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes).
- EDAC/i10nm: Fix NVDIMM detection (bsc#1114648).
- fbmem: add margin check to fb_check_caps() (bsc#1129770)
  Backporting changes:
  * context changes in fb_set_var()
- Fix build warnings. Also align code location with later codestreams and improve bisectability.
- fm10k: Fix an error handling path in 'fm10k_probe()' (git-fixes).
- fs/select: avoid clang stack usage warning (git-fixes).
- fuse: truncate pagecache on atomic_o_trunc (bsc#1191051).
- gve: fix the wrong AdminQ buffer overflow check (bsc#1176940).
- hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185727).
- hv: mana: adjust mana_select_queue to old API (jsc#SLE-18779, bsc#1185727).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185727).
- i40e: Add additional info to PHY type error (git-fixes).
- i40e: Fix autoneg disabling for non-10GBaseT links (git-fixes).
- i40e: Fix error handling in i40e_vsi_open (git-fixes).
- i40e: Fix log TC creation failure when max num of queues is exceeded (bsc#1109837 bsc#1111981).
- i40e: Fix logic of disabling queues (git-fixes).
- iavf: Fix an error handling path in 'iavf_probe()' (git-fixes).
- iavf: Set RSS LUT and key in reset handle path (git-fixes).
- ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
- ice: Prevent probing virtual functions (bsc#1118661).
- igb: Check if num of q_vectors is smaller than max before array access (git-fixes).
- igb: Fix an error handling path in 'igb_probe()' (git-fixes).
- igb: Fix use-after-free error during reset (git-fixes).
- ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
- irqchip/gic-v2: Reset APRn registers at boot time (bsc#1189407).
- irqchip/gic-v3: Do not try to reset AP0Rn (bsc#1189407).
- irqchip/gic-v3: Reset APgRn registers at boot time (bsc#1189407).
- ixgbe: Fix an error handling path in 'ixgbe_probe()' (git-fixes).
- kdb: do a sanity check on the cpu in kdb_per_cpu() (git-fixes).
- KVM: x86: Use kernel's x86_phys_bits to handle reduced MAXPHYADDR (bsc#1114648).
- liquidio: Fix unintentional sign extension issue on left shift of u16 (git-fixes).
- mailbox: sti: quieten kernel-doc warnings (git-fixes).
- mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
- net: linkwatch: fix failure to restore device state across suspend/resume (bsc#1109837).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185727).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185727).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185727).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185727).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185727).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185727).
- net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185727).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185727).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185727).
- net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185727).
- net: pch_gbe: Propagate error from devm_gpio_request_one() (git-fixes).
- net: qed: fix left elements count calculation (git-fixes).
- net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
- net: sched: cls_api: Fix the the wrong parameter (bsc#1109837).
- net: sched: Fix qdisc_rate_table refcount leak when get tcf_block failed (bsc#1056657 bsc#1056653 bsc#1056787).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- nfp: update ethtool reporting of pauseframe control (git-fixes).
- pinctrl: samsung: Fix pinctrl bank pin count (git-fixes).
- powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
- powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
- powerpc/mm: Fix section mismatch warning (bsc#1148868).
- powerpc/mm: Fix section mismatch warning in early_check_vec5() (bsc#1148868).
- powerpc/mm/radix: Free PUD table when freeing pagetable (bsc#1065729).
- powerpc/numa: Early request for home node associativity (bsc#1190914).
- powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
- powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
- powerpc/perf: Fix the check for SIAR value (bsc#1065729).
- powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
- powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
- powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
- powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
- powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
- powerpc/pseries: Move mm/book3s64/vphn.c under platforms/pseries/ (bsc#1190914).
- powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
- powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
- profiling: fix shift-out-of-bounds bugs (git-fixes).
- pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
- qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
- RDMA/bnxt_re: Add missing spin lock initialization (bsc#1050244).
- RDMA/efa: Be consistent with modify QP bitmask (git-fixes)
- RDMA/efa: Use the correct current and new states in modify QP (git-fixes)
- resource: Fix find_next_iomem_res() iteration issue (bsc#1181193).
- s390: bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_* (bsc#1190601).
- s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (bsc#1190601).
- s390/bpf: Fix branch shortening during codegen pass (bsc#1190601).
- s390/bpf: Fix optimizing out zero-extensions (bsc#1190601).
- s390/bpf: Wrap JIT macro parameter usages in parentheses (bsc#1190601).
- s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
- scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
- scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
- scsi: fc: Add EDC ELS definition (bsc#1190576).
- scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
- scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
- scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
- scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
- scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
- scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
- scsi: lpfc: Add EDC ELS support (bsc#1190576).
- scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
- scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
- scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
- scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
- scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576).
- scsi: lpfc: Add support for the CM framework (bsc#1190576).
- scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576).
- scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576).
- scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576).
- scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576).
- scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576).
- scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576).
- scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576).
- scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576).
- scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576).
- scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576).
- scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576).
- scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576).
- scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576).
- scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576).
- scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576).
- scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576).
- scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576).
- scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576).
- scsi: lpfc: Remove unneeded variable (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576).
- scsi: lpfc: Use correct scnprintf() limit (bsc#1190576).
- scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576).
- scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576).
- scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576).
- scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297).
- SUNRPC: Ensure to ratelimit the "server not responding" syslog messages (bsc#1191136).
- usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes).
- usb: serial: option: add new VID/PID to support Fibocom FG150 (git-fixes).
- usb: serial: option: remove duplicate USB device ID (git-fixes).
- video: fbdev: imxfb: Fix an error message (bsc#1129770)
  Backporting changes:
  * context changes in imxfb_probe()
- x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
- x86/crash: Add e820 reserved ranges to kdump kernel's e820 table (bsc#1181193).
- x86/e820, ioport: Add a new I/O resource descriptor IORES_DESC_RESERVED (bsc#1181193).
- x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1114648).
- x86/mm: Rework ioremap resource mapping determination (bsc#1181193).
- x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1114648).
- x86/resctrl: Fix default monitoring groups reporting (bsc#1114648).
- xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Real Time Extension 12-SP5:

  zypper in -t patch SUSE-SLE-RT-12-SP5-2021-3388=1

Package List:

- SUSE Linux Enterprise Real Time Extension 12-SP5 (noarch):
  kernel-devel-rt-4.12.14-10.60.1
  kernel-source-rt-4.12.14-10.60.1

- SUSE Linux Enterprise Real Time Extension 12-SP5 (x86_64):
  cluster-md-kmp-rt-4.12.14-10.60.1
  cluster-md-kmp-rt-debuginfo-4.12.14-10.60.1
  dlm-kmp-rt-4.12.14-10.60.1
  dlm-kmp-rt-debuginfo-4.12.14-10.60.1
  gfs2-kmp-rt-4.12.14-10.60.1
  gfs2-kmp-rt-debuginfo-4.12.14-10.60.1
  kernel-rt-4.12.14-10.60.1
  kernel-rt-base-4.12.14-10.60.1
  kernel-rt-base-debuginfo-4.12.14-10.60.1
  kernel-rt-debuginfo-4.12.14-10.60.1
  kernel-rt-debugsource-4.12.14-10.60.1
  kernel-rt-devel-4.12.14-10.60.1
  kernel-rt-devel-debuginfo-4.12.14-10.60.1
  kernel-rt_debug-4.12.14-10.60.1
  kernel-rt_debug-debuginfo-4.12.14-10.60.1
  kernel-rt_debug-debugsource-4.12.14-10.60.1
  kernel-rt_debug-devel-4.12.14-10.60.1
  kernel-rt_debug-devel-debuginfo-4.12.14-10.60.1
  kernel-syms-rt-4.12.14-10.60.1
  ocfs2-kmp-rt-4.12.14-10.60.1
  ocfs2-kmp-rt-debuginfo-4.12.14-10.60.1

References:

https://www.suse.com/security/cve/CVE-2020-3702.html
https://www.suse.com/security/cve/CVE-2021-3744.html
https://www.suse.com/security/cve/CVE-2021-3752.html
https://www.suse.com/security/cve/CVE-2021-3764.html
https://www.suse.com/security/cve/CVE-2021-40490.html
https://bugzilla.suse.com/1050244
https://bugzilla.suse.com/1056653
https://bugzilla.suse.com/1056657
https://bugzilla.suse.com/1056787
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1104745
https://bugzilla.suse.com/1109837
https://bugzilla.suse.com/1111981
https://bugzilla.suse.com/1114648
https://bugzilla.suse.com/1118661
https://bugzilla.suse.com/1129770
https://bugzilla.suse.com/1148868
https://bugzilla.suse.com/1158533
https://bugzilla.suse.com/1173746
https://bugzilla.suse.com/1176940
https://bugzilla.suse.com/1181193
https://bugzilla.suse.com/1184439
https://bugzilla.suse.com/1185677
https://bugzilla.suse.com/1185727
https://bugzilla.suse.com/1186785
https://bugzilla.suse.com/1189297
https://bugzilla.suse.com/1189407
https://bugzilla.suse.com/1189884
https://bugzilla.suse.com/1190023
https://bugzilla.suse.com/1190115
https://bugzilla.suse.com/1190159
https://bugzilla.suse.com/1190432
https://bugzilla.suse.com/1190523
https://bugzilla.suse.com/1190534
https://bugzilla.suse.com/1190543
https://bugzilla.suse.com/1190576
https://bugzilla.suse.com/1190601
https://bugzilla.suse.com/1190620
https://bugzilla.suse.com/1190626
https://bugzilla.suse.com/1190717
https://bugzilla.suse.com/1190914
https://bugzilla.suse.com/1191051
https://bugzilla.suse.com/1191136
https://bugzilla.suse.com/1191193


From sle-security-updates at lists.suse.com Tue Oct 12 19:47:11 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 12 Oct 2021 21:47:11 +0200 (CEST)
Subject: SUSE-SU-2021:3387-1: important: Security update for the Linux Kernel
Message-ID: <20211012194711.2BF4AFE12@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3387-1
Rating:             important
References:         #1065729 #1148868 #1152489 #1154353 #1159886 #1167773 #1170774
                    #1171688 #1173746 #1174003 #1176447 #1176940 #1177028 #1178134
                    #1184439 #1184804 #1185302 #1185550 #1185677 #1185726 #1185762
                    #1187211 #1188067 #1188418 #1188651 #1188986 #1189257 #1189297
                    #1189841 #1189884 #1190023 #1190062 #1190115 #1190138 #1190159
                    #1190358 #1190406 #1190432 #1190467 #1190523 #1190534 #1190543
                    #1190544 #1190561 #1190576 #1190595 #1190596 #1190598 #1190620
                    #1190626 #1190679 #1190705 #1190717 #1190746 #1190758 #1190784
                    #1190785 #1191172 #1191193 #1191292
Cross-References:   CVE-2020-3702 CVE-2021-3669 CVE-2021-3744 CVE-2021-3752 CVE-2021-3759
                    CVE-2021-3764 CVE-2021-40490
CVSS scores:
                    CVE-2020-3702 (NVD) : 7.5
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2020-3702 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-3669 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-3744 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-3752 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-3759 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-3764 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-40490 (SUSE): 6.1 CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE MicroOS 5.1
                    SUSE Linux Enterprise Workstation Extension 15-SP3
                    SUSE Linux Enterprise Module for Live Patching 15-SP3
                    SUSE Linux Enterprise Module for Legacy Software 15-SP3
                    SUSE Linux Enterprise Module for Development Tools 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise High Availability 15-SP3
______________________________________________________________________________

An update that solves 7 vulnerabilities and has 53 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated.

The following security bugs were fixed:

- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193)
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
- CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could lead to local privilege escalation. (bnc#1190159)
- CVE-2021-3744: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1189884)
- CVE-2021-3764: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1190534)
- CVE-2021-3669: Fixed a bug that doesn't allow /proc/sysvipc/shm to scale with large shared memory segment counts which could lead to resource exhaustion and DoS. (bsc#1188986)
- CVE-2021-3759: Unaccounted ipc objects in Linux kernel could have lead to breaking memcg limits and DoS attacks (bsc#1190115).

The following non-security bugs were fixed:

- ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes).
- apparmor: remove duplicate macro list_entry_is_head() (git-fixes).
- ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes).
- ASoC: Intel: Fix platform ID matching (git-fixes).
- ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes).
- ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes).
- ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes).
- ASoC: rt5682: Implement remove callback (git-fixes).
- ASoC: rt5682: Properly turn off regulators if wrong device ID (git-fixes).
- ASoC: rt5682: Remove unused variable in rt5682_i2c_remove() (git-fixes).
- ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes).
- ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes).
- ath9k: fix sleeping in atomic context (git-fixes).
- backlight: pwm_bl: Improve bootloader/kernel device handover (git-fixes).
- bareudp: Fix invalid read beyond skb's linear data (jsc#SLE-15172).
- blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
- blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
- blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762).
- blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762).
- blk-mq: mark if one queue map uses managed irq (bsc#1185762).
- blk-mq: mark if one queue map uses managed irq (bsc#1185762).
- Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes).
- bnx2x: fix an error code in bnx2x_nic_load() (git-fixes).
- bnxt_en: Add missing DMA memory barriers (git-fixes).
- bnxt_en: Disable aRFS if running on 212 firmware (git-fixes). - bnxt_en: Do not enable legacy TX push on older firmware (git-fixes). - bnxt_en: Fix asic.rev in devlink dev info command (jsc#SLE-16649). - bnxt_en: fix stored FW_PSID version masks (jsc#SLE-16649). - bnxt_en: Store the running firmware version code (git-fixes). - bnxt: count Tx drops (git-fixes). - bnxt: disable napi before canceling DIM (git-fixes). - bnxt: do not lock the tx queue from napi poll (git-fixes). - bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes). - bpf, samples: Add missing mprog-disable to xdp_redirect_cpu's optstring (git-fixes). - bpf: Fix ringbuf helper function compatibility (git-fixes). - bpftool: Add sock_release help info for cgroup attach/prog load command (bsc#1177028). - btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626). - clk: at91: clk-generated: Limit the requested rate to our range (git-fixes). - clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes). - console: consume APC, DM, DCS (git-fixes). - cpuidle: pseries: Do not cap the CEDE0 latency in fixup_cede0_latency() (bsc#1185550 ltc#192610 git-fixes jsc#SLE-18128). - cuse: fix broken release (bsc#1190596). - cxgb4: dont touch blocked freelist bitmap after free (git-fixes). - debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746). - devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353). - devlink: Clear whole devlink_flash_notify struct (bsc#1176447). - dma-buf: DMABUF_MOVE_NOTIFY should depend on DMA_SHARED_BUFFER (git-fixes). - dmaengine: ioat: depends on !UML (git-fixes). - dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes). - dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes). - docs: Fix infiniband uverbs minor number (git-fixes). 
- drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes).
- drm: avoid blocking in drm_clients_info's rcu section (git-fixes).
- drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes).
- drm/amd/display: Fix timer_per_pixel unit error (git-fixes).
- drm/amdgpu: Fix BUG_ON assert (git-fixes).
- drm/ast: Fix missing conversions to managed API (git-fixes).
- drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes).
- drm/i915: Allow the sysadmin to override security mitigations (git-fixes).
- drm/i915/rkl: Remove require_force_probe protection (bsc#1189257).
- drm/ingenic: Switch IPU plane to type OVERLAY (git-fixes).
- drm/mgag200: Select clock in PLL update functions (git-fixes).
- drm/msm/mdp4: move HW revision detection to earlier phase (git-fixes).
- drm/msm/mdp4: refactor HW revision detection into read_mdp_hw_revision (git-fixes).
- drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes).
- drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes).
- drm/pl111: depend on CONFIG_VEXPRESS_CONFIG (git-fixes).
- drm/rockchip: cdn-dp-core: Make cdn_dp_core_resume __maybe_unused (git-fixes).
- e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100).
- e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes).
- EDAC/i10nm: Fix NVDIMM detection (bsc#1152489).
- EDAC/mce_amd: Do not load edac_mce_amd module on guests (bsc#1190138).
- EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489).
- enetc: Fix uninitialized struct dim_sample field usage (git-fixes).
- erofs: fix up erofs_lookup tracepoint (git-fixes).
- fbmem: do not allow too huge resolutions (git-fixes).
- fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes).
- fpga: machxo2-spi: Return an error on failure (git-fixes).
- fuse: flush extending writes (bsc#1190595).
- fuse: truncate pagecache on atomic_o_trunc (bsc#1190705).
- genirq: add device_has_managed_msi_irq (bsc#1185762).
- gpio: uniphier: Fix void functions to remove return value (git-fixes).
- gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes).
- gve: fix the wrong AdminQ buffer overflow check (bsc#1176940).
- hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
- hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes).
- hwmon: (tmp421) fix rounding for negative values (git-fixes).
- hwmon: (tmp421) report /PVLD condition as fault (git-fixes).
- i40e: Add additional info to PHY type error (git-fixes).
- i40e: Fix firmware LLDP agent related warning (git-fixes).
- i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes).
- i40e: Fix logic of disabling queues (git-fixes).
- i40e: Fix queue-to-TC mapping on Tx (git-fixes).
- i40e: improve locking of mac_filter_hash (jsc#SLE-13701).
- iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940).
- iavf: Set RSS LUT and key in reset handle path (git-fixes).
- IB/hfi1: Indicate DMA wait when txq is queued for wakeup (jsc#SLE-13208).
- ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
- ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943).
- ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943).
- ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943).
- ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943).
- ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943).
- ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943).
- ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943).
- ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943).
- ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943).
- ice: do not abort devlink info if board identifier can't be found (jsc#SLE-12878).
- ice: do not remove netdev->dev_addr from uc sync list (git-fixes).
- ice: Prevent probing virtual functions (git-fixes).
- igc: Use num_tx_queues when iterating over tx_ring queue (jsc#SLE-13533).
- iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes).
- include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes).
- iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784).
- ionic: cleanly release devlink instance (bsc#1167773).
- ionic: count csum_none when offload enabled (bsc#1167773).
- ionic: drop useless check of PCI driver data validity (bsc#1167773).
- ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
- ipc/util.c: use binary search for max_idx (bsc#1159886).
- ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467).
- ipvs: avoid expiring many connections from timer (bsc#1190467).
- ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467).
- ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467).
- iwlwifi Add support for ax201 in Samsung Galaxy Book Flex2 Alpha (git-fixes).
- iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes).
- kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable.
- kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs.
- kernel-binary.spec.in: Stop templating the scriptlets for subpackages (bsc#1190358). The script part for the base package case is completely separate from the part for subpackages. Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead.
- libata: fix ata_host_start() (git-fixes).
- libbpf: Fix removal of inner map in bpf_object__create_map (git-fixes).
- libbpf: Fix the possible memory leak on error (git-fixes).
- mac80211-hwsim: fix late beacon hrtimer handling (git-fixes).
- mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes).
- mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes).
- mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes).
- mac80211: mesh: fix potentially unaligned access (git-fixes).
- media: cedrus: Fix SUNXI tile size calculation (git-fixes).
- media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes).
- media: dib8000: rewrite the init prbs logic (git-fixes).
- media: imx258: Limit the max analogue gain to 480 (git-fixes).
- media: imx258: Rectify mismatch of VTS value (git-fixes).
- media: rc-loopback: return number of emitters rather than error (git-fixes).
- media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes).
- media: uvc: do not do DMA on stack (git-fixes).
- media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes).
- mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes).
- misc: sram: Only map reserved areas in Tegra SYSRAM (git-fixes).
- misc: sram: use devm_platform_ioremap_resource_wc() (git-fixes).
- mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
- mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes).
- mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785).
- mmc: core: Return correct emmc response in case of ioctl error (git-fixes).
- mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes).
- mmc: sdhci-of-arasan: Check return value of non-void functions (git-fixes).
- mmc: sdhci: Fix issue with uninitialized dma_slave_config (git-fixes).
- net: ethernet: ti: cpsw: fix min eth packet size for non-switch use-cases (git-fixes).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
- net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
- net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
- net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes).
- net/mlx5: Fix flow table chaining (git-fixes).
- net/mlx5: Fix missing return value in mlx5_devlink_eswitch_inline_mode_set() (jsc#SLE-15172).
- net/mlx5: Fix return value from tracer initialization (git-fixes).
- net/mlx5: Unload device upon firmware fatal error (git-fixes).
- net/mlx5e: Avoid creating tunnel headers for local route (git-fixes).
- net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes).
- net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes).
- netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062).
- nfp: update ethtool reporting of pauseframe control (git-fixes).
- NFS: change nfs_access_get_cached to only report the mask (bsc#1190746).
- NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746).
- NFS: pass cred explicitly for access tests (bsc#1190746).
- nvme-multipath: revalidate paths during rescan (bsc#1187211).
- nvme-tcp: Do not reset transport on data digest errors (bsc#1188418).
- nvme: avoid race in shutdown namespace removal (bsc#1188067).
- nvme: fix refcounting imbalance when all paths are down (bsc#1188067).
- nvme: only call synchronize_srcu when clearing current path (bsc#1188067).
- optee: Fix memory leak when failing to register shm pages (git-fixes).
- parport: remove non-zero check on count (git-fixes).
- PCI: aardvark: Fix checking for PIO status (git-fixes).
- PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes).
- PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes).
- PCI: Add ACS quirks for Cavium multi-function devices (git-fixes).
- PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes).
- PCI: Add AMD GPU multi-function power dependencies (git-fixes).
- PCI: ibmphp: Fix double unmap of io_mem (git-fixes).
- PCI: of: Do not fail devm_pci_alloc_host_bridge() on missing 'ranges' (git-fixes).
- PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes).
- PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes).
- PCI: pci-bridge-emul: Fix big-endian support (git-fixes).
- PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes).
- PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes).
- phy: tegra: xusb: Fix dangling pointer on probe failure (git-fixes).
- PM: base: power: do not try to use non-existing RTC for storing data (git-fixes).
- PM: EM: Increase energy calculation precision (git-fixes).
- power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes).
- power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes).
- powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289).
- powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
- powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
- powerpc/numa: Consider the max NUMA node for migratable LPAR (bsc#1190544 ltc#194520).
- powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
- powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
- powerpc/perf: Fix the check for SIAR value (bsc#1065729).
- powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
- powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
- powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
- powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
- powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
- powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
- powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
- pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
- pwm: img: Do not modify HW state in .remove() callback (git-fixes).
- pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes).
- pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes).
- qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
- RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774).
- RDMA/hns: Fix QP's resp incomplete assignment (jsc#SLE-14777).
- RDMA/mlx5: Delay emptying a cache entry when a new MR is added to it recently (jsc#SLE-15175).
- RDMA/mlx5: Delete not-available udata check (jsc#SLE-15175).
- RDMA/rtrs: Remove a useless kfree() (jsc#SLE-15176).
- Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes).
- regmap: fix page selection for noinc reads (git-fixes).
- regmap: fix page selection for noinc writes (git-fixes).
- regmap: fix the offset of register error log (git-fixes).
- Restore kabi after NFS: pass cred explicitly for access tests (bsc#1190746).
- rpm: Abolish scriptlet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. This allows fixing bugs in the scriptlets as well as defining initrd regeneration policy independent of the kernel packages.
- rpm/kernel-binary.spec: Use only non-empty certificates.
- rpm/kernel-binary.spec.in: avoid conflicting suse-release. suse-release had arbitrary values in staging, so we can't use it for dependencies. The filesystem one has to be enough (boo#1184804).
- rtc: rx8010: select REGMAP_I2C (git-fixes).
- rtc: tps65910: Correct driver module alias (git-fixes).
- s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
- sch_cake: fix srchost/dsthost hashing mode (bsc#1176447).
- sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292).
- scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
- scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
- scsi: fc: Add EDC ELS definition (bsc#1190576).
- scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
- scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
- scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
- scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
- scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
- scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
- scsi: lpfc: Add EDC ELS support (bsc#1190576).
- scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
- scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
- scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
- scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
- scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576).
- scsi: lpfc: Add support for the CM framework (bsc#1190576).
- scsi: lpfc: Adjust bytes received values during cmf timer interval (bsc#1190576).
- scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576).
- scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576).
- scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576).
- scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576).
- scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576).
- scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576).
- scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576).
- scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576).
- scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576).
- scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576).
- scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576).
- scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576).
- scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576).
- scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576).
- scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576).
- scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576).
- scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576).
- scsi: lpfc: Remove unneeded variable (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576).
- scsi: lpfc: Use correct scnprintf() limit (bsc#1190576).
- scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576).
- scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576).
- scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576).
- scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297).
- scsi/fc: kABI fixes for new ELS_EDC, ELS_RDP definition (bsc#1171688 bsc#1174003 bsc#1190576).
- selftests/bpf: Define string const as global for test_sysctl_prog.c (git-fixes).
- selftests/bpf: Fix bpf-iter-tcp4 test to print correctly the dest IP (git-fixes).
- selftests/bpf: Fix test_sysctl_loop{1, 2} failure due to clang change (git-fixes).
- selftests/bpf: Whitelist test_progs.h from .gitignore (git-fixes).
- serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes).
- serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes).
- serial: mvebu-uart: fix driver's tx_empty callback (git-fixes).
- serial: sh-sci: fix break handling for sysrq (git-fixes).
- spi: Fix tegra20 build with CONFIG_PM=n (git-fixes).
- staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes).
- staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes).
- staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes).
- thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes).
- time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes).
- tools: bpf: Fix error in 'make -C tools/ bpf_install' (git-fixes).
- tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes).
- tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes).
- tty: synclink_gt, drop unneeded forward declarations (git-fixes).
- usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes).
- usb: core: hcd: Add support for deferring roothub registration (git-fixes).
- usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes).
- usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes).
- usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes).
- usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes).
- usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes).
- usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes).
- usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes).
- usb: host: fotg210: fix the actual_length of an iso packet (git-fixes).
- usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes).
- usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes).
- usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes).
- usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes).
- usb: serial: option: add device id for Foxconn T99W265 (git-fixes).
- usb: serial: option: add Telit LN920 compositions (git-fixes).
- usb: serial: option: remove duplicate USB device ID (git-fixes).
- usbip: give back URBs for unsent unlink requests during cleanup (git-fixes).
- usbip:vhci_hcd USB port can get stuck in the disabled state (git-fixes).
- video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes).
- video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes).
- video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes).
- video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes).
- vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406).
- vmxnet3: add support for ESP IPv6 RSS (bsc#1190406).
- vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406).
- vmxnet3: prepare for version 6 changes (bsc#1190406).
- vmxnet3: remove power of 2 limitation on the queues (bsc#1190406).
- vmxnet3: set correct hash type based on rss information (bsc#1190406).
- vmxnet3: update to version 6 (bsc#1190406).
- watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes).
- x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302).
- x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1190561).
- x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
- x86/asm: Fix SETZ size enqcmds() build failure (bsc#1178134).
- x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289).
- x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489).
- x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489).
- x86/resctrl: Fix default monitoring groups reporting (bsc#1152489).
- xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651).
- xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679).
- xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).
- xhci: Set HCD flag to defer primary roothub registration (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.1:
  zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3387=1
- SUSE Linux Enterprise Workstation Extension 15-SP3:
  zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-3387=1
- SUSE Linux Enterprise Module for Live Patching 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP3-2021-3387=1
- SUSE Linux Enterprise Module for Legacy Software 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Legacy-15-SP3-2021-3387=1
- SUSE Linux Enterprise Module for Development Tools 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-3387=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3387=1
- SUSE Linux Enterprise High Availability 15-SP3:
  zypper in -t patch SUSE-SLE-Product-HA-15-SP3-2021-3387=1

Package List:

- SUSE MicroOS 5.1 (aarch64 s390x x86_64):
  kernel-default-5.3.18-59.27.1
  kernel-default-base-5.3.18-59.27.1.18.15.1
  kernel-default-debuginfo-5.3.18-59.27.1
  kernel-default-debugsource-5.3.18-59.27.1
- SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):
  kernel-default-debuginfo-5.3.18-59.27.1
  kernel-default-debugsource-5.3.18-59.27.1
  kernel-default-extra-5.3.18-59.27.1
  kernel-default-extra-debuginfo-5.3.18-59.27.1
  kernel-preempt-debuginfo-5.3.18-59.27.1
  kernel-preempt-debugsource-5.3.18-59.27.1
  kernel-preempt-extra-5.3.18-59.27.1
  kernel-preempt-extra-debuginfo-5.3.18-59.27.1
- SUSE Linux Enterprise Module for Live Patching 15-SP3 (ppc64le s390x x86_64):
  kernel-default-debuginfo-5.3.18-59.27.1
  kernel-default-debugsource-5.3.18-59.27.1
  kernel-default-livepatch-5.3.18-59.27.1
  kernel-default-livepatch-devel-5.3.18-59.27.1
  kernel-livepatch-5_3_18-59_27-default-1-7.3.1
- SUSE Linux Enterprise Module for Legacy Software 15-SP3 (aarch64 ppc64le s390x x86_64):
  kernel-default-debuginfo-5.3.18-59.27.1
  kernel-default-debugsource-5.3.18-59.27.1
  reiserfs-kmp-default-5.3.18-59.27.1
  reiserfs-kmp-default-debuginfo-5.3.18-59.27.1
- SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64):
  kernel-obs-build-5.3.18-59.27.1
  kernel-obs-build-debugsource-5.3.18-59.27.1
  kernel-syms-5.3.18-59.27.1
- SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 x86_64):
  kernel-preempt-debuginfo-5.3.18-59.27.1
  kernel-preempt-debugsource-5.3.18-59.27.1
  kernel-preempt-devel-5.3.18-59.27.1
  kernel-preempt-devel-debuginfo-5.3.18-59.27.1
- SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch):
  kernel-docs-5.3.18-59.27.1
  kernel-source-5.3.18-59.27.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
  kernel-default-5.3.18-59.27.1
  kernel-default-base-5.3.18-59.27.1.18.15.1
  kernel-default-debuginfo-5.3.18-59.27.1
  kernel-default-debugsource-5.3.18-59.27.1
  kernel-default-devel-5.3.18-59.27.1
  kernel-default-devel-debuginfo-5.3.18-59.27.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 x86_64):
  kernel-preempt-5.3.18-59.27.1
  kernel-preempt-debuginfo-5.3.18-59.27.1
  kernel-preempt-debugsource-5.3.18-59.27.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64):
  kernel-64kb-5.3.18-59.27.1
  kernel-64kb-debuginfo-5.3.18-59.27.1
  kernel-64kb-debugsource-5.3.18-59.27.1
  kernel-64kb-devel-5.3.18-59.27.1
  kernel-64kb-devel-debuginfo-5.3.18-59.27.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
  kernel-devel-5.3.18-59.27.1
  kernel-macros-5.3.18-59.27.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (s390x):
  kernel-zfcpdump-5.3.18-59.27.1
  kernel-zfcpdump-debuginfo-5.3.18-59.27.1
  kernel-zfcpdump-debugsource-5.3.18-59.27.1
- SUSE Linux Enterprise High Availability 15-SP3 (aarch64 ppc64le s390x x86_64):
  cluster-md-kmp-default-5.3.18-59.27.1
  cluster-md-kmp-default-debuginfo-5.3.18-59.27.1
  dlm-kmp-default-5.3.18-59.27.1
  dlm-kmp-default-debuginfo-5.3.18-59.27.1
  gfs2-kmp-default-5.3.18-59.27.1
  gfs2-kmp-default-debuginfo-5.3.18-59.27.1
  kernel-default-debuginfo-5.3.18-59.27.1
  kernel-default-debugsource-5.3.18-59.27.1
  ocfs2-kmp-default-5.3.18-59.27.1
  ocfs2-kmp-default-debuginfo-5.3.18-59.27.1

References:

https://www.suse.com/security/cve/CVE-2020-3702.html
https://www.suse.com/security/cve/CVE-2021-3669.html
https://www.suse.com/security/cve/CVE-2021-3744.html
https://www.suse.com/security/cve/CVE-2021-3752.html
https://www.suse.com/security/cve/CVE-2021-3759.html
https://www.suse.com/security/cve/CVE-2021-3764.html
https://www.suse.com/security/cve/CVE-2021-40490.html
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1148868
https://bugzilla.suse.com/1152489
https://bugzilla.suse.com/1154353
https://bugzilla.suse.com/1159886
https://bugzilla.suse.com/1167773
https://bugzilla.suse.com/1170774
https://bugzilla.suse.com/1171688
https://bugzilla.suse.com/1173746
https://bugzilla.suse.com/1174003
https://bugzilla.suse.com/1176447
https://bugzilla.suse.com/1176940
https://bugzilla.suse.com/1177028
https://bugzilla.suse.com/1178134
https://bugzilla.suse.com/1184439
https://bugzilla.suse.com/1184804
https://bugzilla.suse.com/1185302
https://bugzilla.suse.com/1185550
https://bugzilla.suse.com/1185677
https://bugzilla.suse.com/1185726
https://bugzilla.suse.com/1185762
https://bugzilla.suse.com/1187211
https://bugzilla.suse.com/1188067
https://bugzilla.suse.com/1188418
https://bugzilla.suse.com/1188651
https://bugzilla.suse.com/1188986
https://bugzilla.suse.com/1189257
https://bugzilla.suse.com/1189297
https://bugzilla.suse.com/1189841
https://bugzilla.suse.com/1189884
https://bugzilla.suse.com/1190023
https://bugzilla.suse.com/1190062
https://bugzilla.suse.com/1190115
https://bugzilla.suse.com/1190138
https://bugzilla.suse.com/1190159
https://bugzilla.suse.com/1190358
https://bugzilla.suse.com/1190406
https://bugzilla.suse.com/1190432
https://bugzilla.suse.com/1190467
https://bugzilla.suse.com/1190523
https://bugzilla.suse.com/1190534
https://bugzilla.suse.com/1190543
https://bugzilla.suse.com/1190544
https://bugzilla.suse.com/1190561
https://bugzilla.suse.com/1190576
https://bugzilla.suse.com/1190595
https://bugzilla.suse.com/1190596
https://bugzilla.suse.com/1190598
https://bugzilla.suse.com/1190620
https://bugzilla.suse.com/1190626
https://bugzilla.suse.com/1190679
https://bugzilla.suse.com/1190705
https://bugzilla.suse.com/1190717
https://bugzilla.suse.com/1190746
https://bugzilla.suse.com/1190758
https://bugzilla.suse.com/1190784
https://bugzilla.suse.com/1190785
https://bugzilla.suse.com/1191172
https://bugzilla.suse.com/1191193
https://bugzilla.suse.com/1191292

From sle-security-updates at lists.suse.com Wed Oct 13 07:25:49 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Oct 2021 09:25:49 +0200 (CEST)
Subject: SUSE-CU-2021:396-1: Security update of suse/sle15
Message-ID: <20211013072549.15097FD2D@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:396-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.458
Container Release     : 4.22.458
Severity              : moderate
Type                  : security
References            : 1190373 1190374 CVE-2021-22946 CVE-2021-22947
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3297-1
Released:    Wed Oct 6 16:53:29 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1190373,1190374,CVE-2021-22946,CVE-2021-22947

This update for curl fixes the following issues:

- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed a protocol downgrade that bypassed required TLS (bsc#1190373).

From sle-security-updates at lists.suse.com Wed Oct 13 07:26:04 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Oct 2021 09:26:04 +0200 (CEST)
Subject: SUSE-CU-2021:397-1: Security update of suse/sle15
Message-ID: <20211013072604.CB029FD2D@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:397-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.459
Container Release     : 4.22.459
Severity              : moderate
Type                  : security
References            : 1134353 1171962 1184994 1186489 1187911 1188018 1188063 1188291 1188713 1189480 1190234 CVE-2021-33574 CVE-2021-33910 CVE-2021-35942
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3348-1
Released:    Tue Oct 12 13:08:06 2021
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910

This update for systemd fixes the following issues:

- CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).
- logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
- Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
- Rules weren't applied to dm devices (multipath) (bsc#1188713).
- Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
- Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
- Allow the systemd sysusers config files to be overridden during system installation (bsc#1171962).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3385-1
Released: Tue Oct 12 15:54:31 2021
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942

This update for glibc fixes the following issues:

- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)

From sle-security-updates at lists.suse.com Wed Oct 13 07:49:03 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Oct 2021 09:49:03 +0200 (CEST)
Subject: SUSE-CU-2021:399-1: Security update of suse/sle15
Message-ID: <20211013074903.D58D6FFB1@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:399-1
Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.513
Container Release : 6.2.513
Severity : moderate
Type : security
References : 1190373 1190374 CVE-2021-22946 CVE-2021-22947
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3297-1
Released: Wed Oct 6 16:53:29 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1190373,1190374,CVE-2021-22946,CVE-2021-22947

This update for curl fixes the following issues:

- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed a protocol downgrade that bypassed required TLS (bsc#1190373).
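The container advisories above identify the fixed image only by its "Container Release" (SUSE-CU-2021:399-1, for instance, is service pack 15.1 at release 6.2.513, published as the tag suse/sle15:15.1.6.2.513). Deciding whether a running image predates that release is the practical question an image inventory has to answer. The POSIX shell functions below are an added example, not SUSE's code or tooling: they take an image tag as printed by `docker image ls` or `podman images` plus the service pack and release from an advisory, and report whether the image needs the update. The tag layout `<repo>:<major>.<sp>.<release>` is inferred from the tags listed in these advisories, the fields are assumed to be purely numeric, and `vercmp` and `sle15_needs_update` are names chosen here. The 15.1.6.2.512 tag in the demonstration is constructed; the other tags appear in the advisories.

```shell
#!/bin/sh
# Added example (not SUSE's code or tooling): decide whether a suse/sle15
# image predates the "Container Release" named in a SUSE-CU advisory.
# Tag layout assumed from the tags listed in these advisories:
#   suse/sle15:<major>.<sp>.<release>, e.g. suse/sle15:15.1.6.2.513
#   -> service pack "15.1", container release "6.2.513".
# Floating tags such as suse/sle15:15.1 carry no release and cannot be judged.

# Compare two dotted numeric versions field by field; print lt, eq or gt.
# Numeric comparison matters: 6.2.10 is newer than 6.2.9. Fields are
# assumed to be integers (true for the release numbers in these advisories).
vercmp() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        [ "${x:-0}" -lt "${y:-0}" ] && { echo lt; return 0; }
        [ "${x:-0}" -gt "${y:-0}" ] && { echo gt; return 0; }
    done
    echo eq
}

# sle15_needs_update IMAGE_TAG ADVISORY_SP ADVISORY_RELEASE
# Exit 0: image is the advisory's service pack and predates the fix.
# Exit 1: image is already at or past the fix, or a different service pack.
# Exit 2: floating tag without a release number; resolve it (for example
#         from the image labels or a digest) before judging.
sle15_needs_update() {
    tag="${1##*:}"                                     # drop "suse/sle15:"
    sp=$(printf '%s\n' "$tag" | cut -d. -f1-2)         # "15.1"
    rel=$(printf '%s\n' "$tag" | cut -d. -f3-)         # "6.2.513" or empty
    [ -n "$rel" ] || return 2
    [ "$sp" = "$2" ] || return 1
    [ "$(vercmp "$rel" "$3")" = lt ]
}

# Demonstration against SUSE-CU-2021:399-1 (service pack 15.1, release
# 6.2.513). The 15.1.6.2.512 tag is constructed; the others appear above.
for img in suse/sle15:15.1.6.2.512 suse/sle15:15.1.6.2.513 \
           suse/sle15:15.0.4.22.458 suse/sle15:15.1; do
    sle15_needs_update "$img" 15.1 6.2.513 && rc=0 || rc=$?
    case "$rc" in
        0) echo "$img: predates 6.2.513, pull the updated image" ;;
        2) echo "$img: floating tag, resolve it to a release first" ;;
        *) echo "$img: not affected by this advisory" ;;
    esac
done
```

A floating tag such as suse/sle15:15.1 is deliberately reported as undecidable rather than assumed current: the tag moves with every rebuild, so the only reliable evidence is the release baked into the image itself. Note also that an image at or past the release only means these particular patches are present; packages added on top of the base image need their own check.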
From sle-security-updates at lists.suse.com Wed Oct 13 07:49:18 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Oct 2021 09:49:18 +0200 (CEST)
Subject: SUSE-CU-2021:400-1: Security update of suse/sle15
Message-ID: <20211013074918.0FC0FFFB1@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:400-1
Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.514
Container Release : 6.2.514
Severity : moderate
Type : security
References : 1134353 1171962 1184994 1186489 1187911 1188018 1188063 1188291 1188713 1189480 1190234 CVE-2021-33574 CVE-2021-33910 CVE-2021-35942
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3348-1
Released: Tue Oct 12 13:08:06 2021
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910

This update for systemd fixes the following issues:

- CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).
- logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
- Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
- Rules weren't applied to dm devices (multipath) (bsc#1188713).
- Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
- Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
- Allow the systemd sysusers config files to be overridden during system installation (bsc#1171962).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3385-1
Released: Tue Oct 12 15:54:31 2021
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942

This update for glibc fixes the following issues:

- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)

From sle-security-updates at lists.suse.com Wed Oct 13 08:04:24 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Oct 2021 10:04:24 +0200 (CEST)
Subject: SUSE-CU-2021:403-1: Security update of suse/sle15
Message-ID: <20211013080424.84C3DFD2D@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:403-1
Container Tags : suse/sle15:15.2 , suse/sle15:15.2.9.5.28
Container Release : 9.5.28
Severity : moderate
Type : security
References : 1134353 1171962 1184994 1186489 1187911 1188018 1188063 1188291 1188713 1189480 1190234 CVE-2021-33574 CVE-2021-33910 CVE-2021-35942
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3348-1
Released: Tue Oct 12 13:08:06 2021
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910

This update for systemd fixes the following issues:

- CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).
- logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
- Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
- Rules weren't applied to dm devices (multipath) (bsc#1188713).
- Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
- Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
- Allow the systemd sysusers config files to be overridden during system installation (bsc#1171962).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3382-1
Released: Tue Oct 12 14:30:17 2021
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References:

This update for ca-certificates-mozilla fixes the following issues:

- A new sub-package for minimal base containers (jsc#SLE-22162)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3385-1
Released: Tue Oct 12 15:54:31 2021
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942

This update for glibc fixes the following issues:

- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)

From sle-security-updates at lists.suse.com Wed Oct 13 10:18:52 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Oct 2021 12:18:52 +0200 (CEST)
Subject: SUSE-SU-2021:3401-1: important: Security update for the Linux Kernel (Live Patch 23 for SLE 15)
Message-ID: <20211013101852.A43B6FFB2@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel (Live Patch 23 for SLE 15)
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:3401-1
Rating: important
References: #1187054 #1188613 #1190118 #1190350
Cross-References: CVE-2021-3573 CVE-2021-3640 CVE-2021-3715 CVE-2021-38160
CVSS scores:
CVE-2021-3573 (SUSE): 8.4
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-3640 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-3715 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-38160 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
SUSE Linux Enterprise Module for Live Patching 15
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for the Linux Kernel 4.12.14-150_69 fixes several issues.

The following security issues were fixed:

- CVE-2021-3715: Fixed a use-after-free in the Linux kernel's Traffic Control networking subsystem which could lead to local privilege escalation (bsc#1190350).
- CVE-2021-38160: Fixed a bug that could lead to data corruption or loss. This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118).
- CVE-2021-3640: Fixed a use-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation (bsc#1188613).
- CVE-2021-3573: Fixed a use-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation (bsc#1187054).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Live Patching 15:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2021-3401=1

Package List:

- SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64):
  kernel-livepatch-4_12_14-150_69-default-10-2.2
  kernel-livepatch-4_12_14-150_69-default-debuginfo-10-2.2

References:

https://www.suse.com/security/cve/CVE-2021-3573.html
https://www.suse.com/security/cve/CVE-2021-3640.html
https://www.suse.com/security/cve/CVE-2021-3715.html
https://www.suse.com/security/cve/CVE-2021-38160.html
https://bugzilla.suse.com/1187054
https://bugzilla.suse.com/1188613
https://bugzilla.suse.com/1190118
https://bugzilla.suse.com/1190350

From sle-security-updates at lists.suse.com Wed Oct 13 13:22:27 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Oct 2021 15:22:27 +0200 (CEST)
Subject: SUSE-SU-2021:3205-2: important: Security update for the Linux Kernel
Message-ID: <20211013132227.8A2BAFD2D@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:3205-2
Rating: important
References: #1040364 #1127650 #1135481 #1152489 #1160010 #1168202 #1171420 #1174969 #1175052 #1175543 #1177399 #1180100 #1180141 #1180347 #1181006 #1181148 #1181972 #1184180 #1185902 #1186264 #1186731 #1187211 #1187455 #1187468 #1187483 #1187619 #1187959 #1188067 #1188172 #1188231 #1188270 #1188412 #1188418 #1188616 #1188700 #1188780 #1188781 #1188782 #1188783 #1188784 #1188786 #1188787 #1188788 #1188790 #1188878 #1188885 #1188924 #1188982 #1188983 #1188985 #1189021 #1189057 #1189077 #1189153 #1189197 #1189209 #1189210 #1189212 #1189213 #1189214 #1189215 #1189216 #1189217 #1189218 #1189219 #1189220 #1189221 #1189222 #1189225 #1189229 #1189233 #1189262 #1189291 #1189292 #1189296 #1189298 #1189301 #1189305 #1189323 #1189384 #1189385
#1189392 #1189393 #1189399 #1189400 #1189427 #1189503 #1189504 #1189505 #1189506 #1189507 #1189562 #1189563 #1189564 #1189565 #1189566 #1189567 #1189568 #1189569 #1189573 #1189574 #1189575 #1189576 #1189577 #1189579 #1189581 #1189582 #1189583 #1189585 #1189586 #1189587 #1189706 #1189760 #1189762 #1189832 #1189841 #1189870 #1189872 #1189883 #1190022 #1190025 #1190115 #1190117 #1190412 #1190413 #1190428
Cross-References: CVE-2020-12770 CVE-2021-34556 CVE-2021-35477 CVE-2021-3640 CVE-2021-3653 CVE-2021-3656 CVE-2021-3679 CVE-2021-3732 CVE-2021-3739 CVE-2021-3743 CVE-2021-3753 CVE-2021-3759 CVE-2021-38160 CVE-2021-38166 CVE-2021-38198 CVE-2021-38204 CVE-2021-38205 CVE-2021-38206 CVE-2021-38207 CVE-2021-38209
CVSS scores:
CVE-2020-12770 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-12770 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
CVE-2021-34556 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2021-35477 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE-2021-3640 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-3653 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-3656 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-3679 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-3732 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2021-3739 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVE-2021-3743 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-3753 (SUSE): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2021-3759 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-38160 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-38166 (SUSE): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-38198 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-38204 (SUSE): 4.2 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-38205 (SUSE): 3.3
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2021-38206 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-38206 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-38207 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-38209 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected Products:
SUSE MicroOS 5.1
______________________________________________________________________________

An update that solves 20 vulnerabilities and has 106 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-3640: Fixed a use-after-free vulnerability in function sco_sock_sendmsg() in the bluetooth stack (bsc#1188172).
- CVE-2021-3653: Missing validation of the `int_ctl` VMCB field allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189399).
- CVE-2021-3656: Missing validation of the `virt_ext` VMCB field allowed a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS for the L2 guest (bsc#1189400).
- CVE-2021-3679: A lack of CPU resource in the tracing module functionality was found in the way a user uses the trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service (bnc#1189057).
- CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
- CVE-2021-3739: Fixed a NULL pointer dereference when deleting a device by an invalid id (bsc#1189832).
- CVE-2021-3743: Fixed OOB Read in qrtr_endpoint_post (bsc#1189883).
- CVE-2021-3753: Fixed race out-of-bounds in virtual terminal handling (bsc#1190025).
- CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117).
- CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault (bnc#1189262).
- CVE-2021-38204: drivers/usb/host/max3421-hcd.c allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
- CVE-2021-38205: drivers/net/ethernet/xilinx/xilinx_emaclite.c made it easier for attackers to defeat an ASLR protection mechanism because it prints a kernel pointer (i.e., the real IOMEM pointer) (bnc#1189292).
- CVE-2021-38207: drivers/net/ethernet/xilinx/ll_temac_main.c allowed remote attackers to cause a denial of service (buffer overflow and lockup) by sending heavy network traffic for about ten minutes (bnc#1189298).
- CVE-2021-38166: Fixed an integer overflow and out-of-bounds write when many elements are placed in a single bucket in kernel/bpf/hashtab.c (bnc#1189233).
- CVE-2021-38209: Fixed an issue in net/netfilter/nf_conntrack_standalone.c that allowed observation of changes in any net namespace (bnc#1189393).
- CVE-2021-38206: Fixed NULL pointer dereference in the radiotap parser inside the mac80211 subsystem (bnc#1189296).
- CVE-2021-34556: Fixed a side-channel attack via Speculative Store Bypass from an unprivileged BPF program that could have obtained sensitive information from kernel memory (bsc#1188983).
- CVE-2021-35477: Fixed BPF stack frame pointer handling which could have been abused to disclose the content of arbitrary kernel memory (bsc#1188985).
- CVE-2021-3759: Unaccounted ipc objects in the Linux kernel could have led to breaking memcg limits and DoS attacks (bsc#1190115).
- CVE-2020-12770: Fixed sg_remove_request call in certain failure cases (bsc#1171420).
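Three of the bugs listed above are reachable only through a specific unprivileged surface: CVE-2021-34556 and CVE-2021-35477 need an unprivileged BPF program, and CVE-2021-3732 needs an unprivileged user namespace. Until the fixed kernel is booted, the sysctls that close those surfaces are the usual interim mitigation. The POSIX shell check below is an added example, not SUSE's code, that reads `kernel.unprivileged_bpf_disabled` and `user.max_user_namespaces` from a given /proc/sys root and reports which surface is still open; `sysctl_read` and `kernel_surface_check` are names chosen here, and the root argument exists so the check can be exercised against a constructed directory tree instead of the live kernel.

```shell
#!/bin/sh
# Added example, not SUSE's code: report whether the preconditions of
# CVE-2021-34556 / CVE-2021-35477 (an unprivileged BPF program) and of
# CVE-2021-3732 (an unprivileged user namespace) are still reachable on a
# host that has not yet booted the fixed kernel. Function names are ours.
# The first argument is the /proc/sys root, so a constructed directory tree
# can stand in for the live kernel when exercising the check offline.

# Print the value of a sysctl file below the given root, or "missing".
sysctl_read() {
    f="$1/$2"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# kernel_surface_check [PROC_SYS_ROOT]
# Prints one line per surface: "<surface> open|closed|unknown <value>".
# Exit 0 if every surface is closed; exit 1 if at least one is open.
#   kernel.unprivileged_bpf_disabled: 0 lets unprivileged users load BPF;
#     1 disables it until reboot (2, on newer kernels, is also disabled).
#   user.max_user_namespaces: 0 means no user namespace can be created.
kernel_surface_check() {
    root="${1:-/proc/sys}"
    open=0

    bpf=$(sysctl_read "$root" kernel/unprivileged_bpf_disabled)
    case "$bpf" in
        0)   echo "unprivileged_bpf open $bpf"; open=1 ;;
        1|2) echo "unprivileged_bpf closed $bpf" ;;
        *)   echo "unprivileged_bpf unknown $bpf" ;;
    esac

    userns=$(sysctl_read "$root" user/max_user_namespaces)
    case "$userns" in
        0)           echo "user_namespaces closed $userns" ;;
        ''|*[!0-9]*) echo "user_namespaces unknown $userns" ;;
        *)           echo "user_namespaces open $userns"; open=1 ;;
    esac

    return "$open"
}

# Run against the live kernel when executed directly.
kernel_surface_check /proc/sys ||
    echo "at least one surface is open: boot the fixed kernel or tighten the sysctls"
```

Closing the surfaces is a trade-off, not a free fix: `sysctl -w kernel.unprivileged_bpf_disabled=1` cannot be undone without a reboot, and `user.max_user_namespaces=0` breaks rootless containers and any sandbox that relies on user namespaces. Treat both as a stopgap for hosts that cannot reboot into the updated kernel promptly, and keep in mind that the remaining bugs in this advisory (the Bluetooth, KVM and virtio_console ones, for example) have no sysctl equivalent.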
The following non-security bugs were fixed:

- ACPI: NFIT: Fix support for virtual SPA ranges (git-fixes).
- ACPI: processor: Clean up acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Export acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Export function to claim _CST control (bsc#1175543)
- ACPI: processor: Introduce acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Make ACPI_PROCESSOR_CSTATE depend on ACPI_PROCESSOR (bsc#1175543)
- ALSA: hda - fix the 'Capture Switch' value change notifications (git-fixes).
- ALSA: hda/hdmi: Add quirk to force pin connectivity on NUC10 (git-fixes).
- ALSA: hda/hdmi: fix max DP-MST dev_num for Intel TGL+ platforms (git-fixes).
- ALSA: hda/hdmi: let new platforms assign the pcm slot dynamically (git-fixes).
- ALSA: hda/realtek - Add ALC285 HP init procedure (git-fixes).
- ALSA: hda/realtek - Add type for ALC287 (git-fixes).
- ALSA: hda/realtek: Change device names for quirks to barebone names (git-fixes).
- ALSA: hda/realtek: Enable 4-speaker output for Dell XPS 15 9510 laptop (git-fixes).
- ALSA: hda/realtek: Fix headset mic for Acer SWIFT SF314-56 (ALC256) (git-fixes).
- ALSA: hda/realtek: Limit mic boost on HP ProBook 445 G8 (git-fixes).
- ALSA: hda/realtek: add mic quirk for Acer SF314-42 (git-fixes).
- ALSA: hda/realtek: fix mute led of the HP Pavilion 15-eh1xxx series (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 650 G8 Notebook PC (git-fixes).
- ALSA: hda/via: Apply runtime PM workaround for ASUS B23E (git-fixes).
- ALSA: hda: Add quirk for ASUS Flow x13 (git-fixes).
- ALSA: hda: Fix hang during shutdown due to link reset (git-fixes).
- ALSA: hda: Release controller display power during shutdown/reboot (git-fixes).
- ALSA: pcm: Fix mmap breakage without explicit buffer setup (git-fixes).
- ALSA: pcm: fix divide error in snd_pcm_lib_ioctl (git-fixes).
- ALSA: seq: Fix racy deletion of subscriber (git-fixes).
- ALSA: usb-audio: Add registration quirk for JBL Quantum 600 (git-fixes).
- ALSA: usb-audio: Avoid unnecessary or invalid connector selection at resume (git-fixes).
- ALSA: usb-audio: Fix regression on Sony WALKMAN NW-A45 DAC (git-fixes).
- ALSA: usb-audio: Fix superfluous autosuspend recovery (git-fixes).
- ALSA: usb-audio: fix incorrect clock source setting (git-fixes).
- ASoC: Intel: Skylake: Fix module resource and format selection (git-fixes).
- ASoC: Intel: Skylake: Leave data as is when invoking TLV IPCs (git-fixes).
- ASoC: Intel: kbl_da7219_max98927: Fix format selection for max98373 (git-fixes).
- ASoC: SOF: Intel: hda-ipc: fix reply size checking (git-fixes).
- ASoC: amd: Fix reference to PCM buffer address (git-fixes).
- ASoC: component: Remove misplaced prefix handling in pin control functions (git-fixes).
- ASoC: cs42l42: Correct definition of ADC Volume control (git-fixes).
- ASoC: cs42l42: Do not allow SND_SOC_DAIFMT_LEFT_J (git-fixes).
- ASoC: cs42l42: Fix LRCLK frame start edge (git-fixes).
- ASoC: cs42l42: Fix inversion of ADC Notch Switch control (git-fixes).
- ASoC: cs42l42: Remove duplicate control for WNF filter frequency (git-fixes).
- ASoC: intel: atom: Fix breakage for PCM buffer address setup (git-fixes).
- ASoC: intel: atom: Fix reference to PCM buffer address (git-fixes).
- ASoC: mediatek: mt8183: Fix Unbalanced pm_runtime_enable in mt8183_afe_pcm_dev_probe (git-fixes).
- ASoC: rt5682: Adjust headset volume button threshold (git-fixes).
- ASoC: rt5682: Adjust headset volume button threshold again (git-fixes).
- ASoC: rt5682: Fix the issue of garbled recording after powerd_dbus_suspend (git-fixes).
- ASoC: ti: j721e-evm: Check for not initialized parent_clk_id (git-fixes).
- ASoC: ti: j721e-evm: Fix unbalanced domain activity tracking during startup (git-fixes).
- ASoC: tlv320aic31xx: Fix jack detection after suspend (git-fixes).
- ASoC: tlv320aic31xx: fix reversed bclk/wclk master bits (git-fixes).
- ASoC: uniphier: Fix reference to PCM buffer address (git-fixes).
- ASoC: wcd9335: Disable irq on slave ports in the remove function (git-fixes).
- ASoC: wcd9335: Fix a double irq free in the remove function (git-fixes).
- ASoC: wcd9335: Fix a memory leak in the error handling path of the probe function (git-fixes).
- ASoC: xilinx: Fix reference to PCM buffer address (git-fixes).
- Avoid double printing SUSE specific flags in mod->taint (bsc#1190413).
- Bluetooth: add timeout sanity check to hci_inquiry (git-fixes).
- Bluetooth: btusb: Fix a unspported condition to set available debug features (git-fixes).
- Bluetooth: btusb: check conditions before enabling USB ALT 3 for WBS (git-fixes).
- Bluetooth: defer cleanup of resources in hci_unregister_dev() (git-fixes).
- Bluetooth: fix repeated calls to sco_sock_kill (git-fixes).
- Bluetooth: hidp: use correct wait queue when removing ctrl_wait (git-fixes).
- Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow (git-fixes).
- Bluetooth: mgmt: Fix wrong opcode in the response for add_adv cmd (git-fixes).
- Bluetooth: sco: prevent information leak in sco_conn_defer_accept() (git-fixes).
- Drop two intel_int0002_vgpio patches that cause Oops (bsc#1190412)
- KVM: VMX: Drop guest CPUID check for VMXE in vmx_set_cr4() (bsc#1188786).
- KVM: VMX: Enable machine check support for 32bit targets (bsc#1188787).
- KVM: VMX: Explicitly clear RFLAGS.CF and RFLAGS.ZF in VM-Exit RSB path (bsc#1188788).
- KVM: VMX: Extend VMXs #AC interceptor to handle split lock #AC in guest (bsc#1187959).
- KVM: nVMX: Handle split-lock #AC exceptions that happen in L2 (bsc#1187959).
- KVM: nVMX: Really make emulated nested preemption timer pinned (bsc#1188780).
- KVM: nVMX: Reset the segment cache when stuffing guest segs (bsc#1188781).
- KVM: nVMX: Skip IBPB when switching between vmcs01 and vmcs02 (bsc#1188782).
- KVM: nVMX: Sync unsync'd vmcs02 state to vmcs12 on migration (bsc#1188783).
- KVM: nVMX: Truncate bits 63:32 of VMCS field on nested check in !64-bit (bsc#1188784).
- KVM: x86: Emulate split-lock access as a write in emulator (bsc#1187959).
- KVM: x86: bit 8 of non-leaf PDPEs is not reserved (bsc#1188790).
- NFS: Correct size calculation for create reply length (bsc#1189870).
- NFSv4.1: Do not rebind to the same source port when (bnc#1186264 bnc#1189021)
- NFSv4/pNFS: Do not call _nfs4_pnfs_v3_ds_connect multiple times (git-fixes).
- NFSv4: Initialise connection to the server in nfs4_alloc_client() (bsc#1040364).
- PCI/MSI: Correct misleading comments (git-fixes).
- PCI/MSI: Do not set invalid bits in MSI mask (git-fixes).
- PCI/MSI: Enable and mask MSI-X early (git-fixes).
- PCI/MSI: Enforce MSI[X] entry updates to be visible (git-fixes).
- PCI/MSI: Enforce that MSI-X table entry is masked for update (git-fixes).
- PCI/MSI: Mask all unused MSI-X entries (git-fixes).
- PCI/MSI: Skip masking MSI-X on Xen PV (git-fixes).
- PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() (git-fixes).
- PCI: Increase D3 delay for AMD Renoir/Cezanne XHCI (git-fixes).
- PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently (git-fixes).
- PCI: PM: Enable PME if it can be signaled from D3cold (git-fixes).
- RDMA/bnxt_re: Fix stats counters (bsc#1188231).
- SUNRPC: 'Directory with parent 'rpc_clnt' already present!' (bsc#1168202 bsc#1188924).
- SUNRPC: Fix the batch tasks count wraparound (git-fixes).
- SUNRPC: Should wake up the privileged task firstly (git-fixes).
- SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202 bsc#1188924).
- SUNRPC: fix use-after-free in rpc_free_client_work() (bsc#1168202 bsc#1188924).
- SUNRPC: improve error response to over-size gss credential (bsc#1190022).
- SUNRPC: prevent port reuse on transports which do not request it (bnc#1186264 bnc#1189021).
- USB: core: Avoid WARNings for 0-length descriptor requests (git-fixes).
- USB: serial: ch341: fix character loss at high transfer rates (git-fixes).
- USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 (git-fixes).
- USB: serial: option: add Telit FD980 composition 0x1056 (git-fixes).
- USB: usbtmc: Fix RCU stall warning (git-fixes).
- USB:ehci:fix Kunpeng920 ehci hardware problem (git-fixes).
- VMCI: fix NULL pointer dereference when unmapping queue pair (git-fixes).
- ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() (git-fixes).
- ath9k: Clear key cache explicitly on disabling hardware (git-fixes).
- ath: Use safer key clearing with key cache entries (git-fixes).
- bcma: Fix memory leak for internally-handled cores (git-fixes).
- bdi: Do not use freezable workqueue (bsc#1189573).
- blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit() (bsc#1189507).
- blk-mq-sched: Fix blk_mq_sched_alloc_tags() error handling (bsc#1189506).
- blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled() (bsc#1189503).
- blk-wbt: make sure throttle is enabled properly (bsc#1189504).
- block: fix trace completion for chained bio (bsc#1189505).
- bnxt_en: Validate vlan protocol ID on RX packets (jsc#SLE-15075).
- brcmfmac: pcie: fix oops on failure to resume and reprobe (git-fixes).
- btrfs: Rename __btrfs_alloc_chunk to btrfs_alloc_chunk (bsc#1189077).
- btrfs: add a trace class for dumping the current ENOSPC state (bsc#1135481).
- btrfs: add a trace point for reserve tickets (bsc#1135481).
- btrfs: adjust the flush trace point to include the source (bsc#1135481).
- btrfs: check reclaim_size in need_preemptive_reclaim (bsc#1135481).
- btrfs: factor out create_chunk() (bsc#1189077).
- btrfs: factor out decide_stripe_size() (bsc#1189077).
- btrfs: factor out gather_device_info() (bsc#1189077).
- btrfs: factor out init_alloc_chunk_ctl (bsc#1189077).
- btrfs: fix btrfs_calc_reclaim_metadata_size calculation (bsc#1135481).
- btrfs: fix deadlock with concurrent chunk allocations involving system chunks (bsc#1189077).
- btrfs: handle invalid profile in chunk allocation (bsc#1189077).
- btrfs: implement space clamping for preemptive flushing (bsc#1135481).
- btrfs: improve preemptive background space flushing (bsc#1135481).
- btrfs: introduce a FORCE_COMMIT_TRANS flush operation (bsc#1135481).
- btrfs: introduce alloc_chunk_ctl (bsc#1189077).
- btrfs: introduce chunk allocation policy (bsc#1189077).
- btrfs: make flush_space take a enum btrfs_flush_state instead of int (bsc#1135481).
- btrfs: move the chunk_mutex in btrfs_read_chunk_tree (bsc#1189077).
- btrfs: parameterize dev_extent_min for chunk allocation (bsc#1189077).
- btrfs: refactor find_free_dev_extent_start() (bsc#1189077).
- btrfs: remove FLUSH_DELAYED_REFS from data ENOSPC flushing (bsc#1135481).
- btrfs: rename need_do_async_reclaim (bsc#1135481).
- btrfs: rework btrfs_calc_reclaim_metadata_size (bsc#1135481).
- btrfs: rework chunk allocation to avoid exhaustion of the system chunk array (bsc#1189077).
- btrfs: rip out btrfs_space_info::total_bytes_pinned (bsc#1135481).
- btrfs: rip the first_ticket_bytes logic from fail_all_tickets (bsc#1135481).
- btrfs: simplify the logic in need_preemptive_flushing (bsc#1135481).
- btrfs: tracepoints: convert flush states to using EM macros (bsc#1135481).
- btrfs: tracepoints: fix btrfs_trigger_flush symbolic string for flags (bsc#1135481).
- can: ti_hecc: Fix memleak in ti_hecc_probe (git-fixes).
- can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters (git-fixes).
- ceph: clean up and optimize ceph_check_delayed_caps() (bsc#1187468).
- ceph: reduce contention in ceph_check_delayed_caps() (bsc#1187468).
- ceph: take snap_empty_lock atomically with snaprealm refcount change (bsc#1189427).
- cfg80211: Fix possible memory leak in function cfg80211_bss_update (git-fixes).
- cifs: Remove unused inline function is_sysvol_or_netlogon() (bsc#1185902).
- cifs: avoid starvation when refreshing dfs cache (bsc#1185902).
- cifs: constify get_normalized_path() properly (bsc#1185902).
- cifs: do not cargo-cult strndup() (bsc#1185902).
- cifs: do not send tree disconnect to ipc shares (bsc#1185902).
- cifs: do not share tcp servers with dfs mounts (bsc#1185902).
- cifs: do not share tcp sessions of dfs connections (bsc#1185902).
- cifs: fix check of dfs interlinks (bsc#1185902).
- cifs: fix path comparison and hash calc (bsc#1185902).
- cifs: get rid of @noreq param in __dfs_cache_find() (bsc#1185902).
- cifs: handle different charsets in dfs cache (bsc#1185902).
- cifs: keep referral server sessions alive (bsc#1185902).
- cifs: missing null pointer check in cifs_mount (bsc#1185902).
- cifs: prevent NULL deref in cifs_compose_mount_options() (bsc#1185902).
- cifs: set a minimum of 2 minutes for refreshing dfs cache (bsc#1185902).
- clk: fix leak on devm_clk_bulk_get_all() unwind (git-fixes).
- clk: stm32f4: fix post divisor setup for I2S/SAI PLLs (git-fixes).
- cpuidle: Allow idle states to be disabled by default (bsc#1175543)
- cpuidle: Consolidate disabled state checks (bsc#1175543)
- cpuidle: Drop disabled field from struct cpuidle_state (bsc#1175543)
- cpuidle: Fix cpuidle_driver_state_disabled() (bsc#1175543)
- cpuidle: Introduce cpuidle_driver_state_disabled() for driver quirks (bsc#1175543)
- crypto: ccp - Annotate SEV Firmware file names (bsc#1189212).
- crypto: qat - use proper type for vf_mask (git-fixes).
- crypto: x86/curve25519 - fix cpu feature checking logic in mod_exit (git-fixes).
- device-dax: Fix default return code of range_parse() (git-fixes).
- dm integrity: fix missing goto in bitmap_flush_interval error handling (git-fixes).
- dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails (git-fixes).
- dm verity: fix DM_VERITY_OPTS_MAX value (git-fixes).
- dmaengine: idxd: fix setup sequence for MSIXPERM table (git-fixes).
- dmaengine: imx-dma: configure the generic DMA type to make it work (git-fixes).
- dmaengine: imx-sdma: remove duplicated sdma_load_context (git-fixes).
- dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available (git-fixes).
- dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe() (git-fixes).
- dmaengine: xilinx_dma: Fix read-after-free bug when terminating transfers (git-fixes).
- drivers/block/null_blk/main: Fix a double free in null_init (git-fixes).
- drm/amd/display: Fix Dynamic bpp issue with 8K30 with Navi 1X (git-fixes).
- drm/amd/display: Fix comparison error in dcn21 DML (git-fixes).
- drm/amd/display: Fix max vstartup calculation for modes with borders (git-fixes).
- drm/amd/display: Remove invalid assert for ODM + MPC case (git-fixes).
- drm/amd/display: use GFP_ATOMIC in amdgpu_dm_irq_schedule_work (git-fixes).
- drm/amd/display: workaround for hard hang on HPD on native DP (git-fixes).
- drm/amdgpu/acp: Make PM domain really work (git-fixes).
- drm/amdgpu/display: fix DMUB firmware version info (git-fixes).
- drm/amdgpu/display: only enable aux backlight control for OLED panels (git-fixes).
- drm/amdgpu: do not enable baco on boco platforms in runpm (git-fixes).
- drm/amdgpu: fix the doorbell missing when in CGPG issue for renoir (git-fixes).
- drm/dp_mst: Fix return code on sideband message failure (git-fixes).
- drm/i915/dg1: gmbus pin mapping (bsc#1188700).
- drm/i915/dg1: provide port/phy mapping for vbt (bsc#1188700).
- drm/i915/gen9_bc: Add W/A for missing STRAP config on TGP PCH + CML combos (bsc#1188700).
- drm/i915/gen9_bc: Introduce HPD pin mappings for TGP PCH + CML combos (bsc#1188700).
- drm/i915/gen9_bc: Introduce TGP PCH DDC pin mappings (bsc#1188700).
- drm/i915/gen9_bc: Recognize TGP PCH + CML combos (bsc#1188700).
- drm/i915/rkl: new rkl ddc map for different PCH (bsc#1188700).
- drm/i915: Add VBT AUX CH H and I (bsc#1188700).
- drm/i915: Add VBT DVO ports H and I (bsc#1188700).
- drm/i915: Add more AUX CHs to the enum (bsc#1188700).
- drm/i915: Configure GEN11_{TBT,TC}_HOTPLUG_CTL for ports TC5/6 (bsc#1188700).
- drm/i915: Correct SFC_DONE register offset (git-fixes).
- drm/i915: Introduce HPD_PORT_TC<n> (bsc#1188700).
- drm/i915: Move hpd_pin setup to encoder init (bsc#1188700).
- drm/i915: Nuke the redundant TC/TBT HPD bit defines (bsc#1188700).
- drm/i915: Only access SFC_DONE when media domain is not fused off (git-fixes).
- drm/meson: fix colour distortion from HDR set during vendor u-boot (git-fixes).
- drm/msi/mdp4: populate priv->kms in mdp4_kms_init (git-fixes).
- drm/msm/dpu: make dpu_hw_ctl_clear_all_blendstages clear necessary LMs (git-fixes).
- drm/msm/dsi: Fix some reference counted resource leaks (git-fixes).
- drm/msm: Fix error return code in msm_drm_init() (git-fixes).
- drm/nouveau/kms/nv50: workaround EFI GOP window channel format differences (git-fixes).
- drm/of: free the iterator object on failure (git-fixes).
- drm/of: free the right object (git-fixes).
- drm/panfrost: Fix missing clk_disable_unprepare() on error in panfrost_clk_init() (git-fixes).
- drm/prime: fix comment on PRIME Helpers (git-fixes).
- ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle (bsc#1189568).
- ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit (bsc#1189564).
- ext4: fix avefreec in find_group_orlov (bsc#1189566).
- ext4: fix kernel infoleak via ext4_extent_header (bsc#1189562).
- ext4: fix potential htree corruption when growing large_dir directories (bsc#1189576).
- ext4: remove check for zero nr_to_scan in ext4_es_scan() (bsc#1189565).
- ext4: return error code when ext4_fill_flex_info() fails (bsc#1189563).
- ext4: use ext4_grp_locked_error in mb_find_extent (bsc#1189567).
- fanotify: fix copy_event_to_user() fid error clean up (bsc#1189574).
- firmware_loader: fix use-after-free in firmware_fallback_sysfs (git-fixes).
- firmware_loader: use -ETIMEDOUT instead of -EAGAIN in fw_load_sysfs_fallback (git-fixes).
- fixup "rpm: support gz and zst compression methods" (bsc#1190358, bsc#1190428).
- fpga: altera-freeze-bridge: Address warning about unused variable (git-fixes).
- fpga: dfl: fme: Fix cpu hotplug issue in performance reporting (git-fixes).
- fpga: xiilnx-spi: Address warning about unused variable (git-fixes).
- fpga: zynqmp-fpga: Address warning about unused variable (git-fixes).
- gpio: eic-sprd: break loop when getting NULL device resource (git-fixes).
- gpio: tqmx86: really make IRQ optional (git-fixes).
- i2c: dev: zero out array used for i2c reads from userspace (git-fixes).
- i2c: highlander: add IRQ check (git-fixes).
- i2c: iop3xx: fix deferred probing (git-fixes).
- i2c: mt65xx: fix IRQ check (git-fixes).
- i2c: s3c2410: fix IRQ check (git-fixes).
- iio: adc: Fix incorrect exit of for-loop (git-fixes).
- iio: adc: ti-ads7950: Ensure CS is deasserted after reading channels (git-fixes).
- iio: humidity: hdc100x: Add margin to the conversion time (git-fixes).
- intel_idle: Add module parameter to prevent ACPI _CST from being used (bsc#1175543)
- intel_idle: Allow ACPI _CST to be used for selected known processors (bsc#1175543)
- intel_idle: Annotate init time data structures (bsc#1175543)
- intel_idle: Customize IceLake server support (bsc#1175543)
- intel_idle: Disable ACPI _CST on Haswell (bsc#1175543, bsc#1177399, bsc#1180347, bsc#1180141)
- intel_idle: Fix max_cstate for processor models without C-state tables (bsc#1175543)
- intel_idle: Ignore _CST if control cannot be taken from the platform (bsc#1175543)
- intel_idle: Refactor intel_idle_cpuidle_driver_init() (bsc#1175543)
- intel_idle: Use ACPI _CST for processor models without C-state tables (bsc#1175543)
- iommu/amd: Fix extended features logging (bsc#1189213).
- iommu/amd: Move Stoney Ridge check to detect_ivrs() (bsc#1189762).
- iommu/arm-smmu-v3: Decrease the queue size of evtq and priq (bsc#1189210).
- iommu/arm-smmu-v3: add bit field SFM into GERROR_ERR_MASK (bsc#1189209).
- iommu/dma: Fix IOVA reserve dma ranges (bsc#1189214).
- iommu/dma: Fix compile warning in 32-bit builds (bsc#1189229).
- iommu/vt-d: Check for allocation failure in aux_detach_device() (bsc#1189215).
- iommu/vt-d: Define counter explicitly as unsigned int (bsc#1189216).
- iommu/vt-d: Do not set then clear private data in prq_event_thread() (bsc#1189217).
- iommu/vt-d: Fix sysfs leak in alloc_iommu() (bsc#1189218).
- iommu/vt-d: Force to flush iotlb before creating superpage (bsc#1189219).
- iommu/vt-d: Global devTLB flush when present context entry changed (bsc#1189220).
- iommu/vt-d: Invalidate PASID cache when root/context entry changed (bsc#1189221).
- iommu/vt-d: Reject unsupported page request modes (bsc#1189222).
- ionic: add handling of larger descriptors (jsc#SLE-16649).
- ionic: add new queue features to interface (jsc#SLE-16649).
- ionic: aggregate Tx byte counting calls (jsc#SLE-16649).
- ionic: block actions during fw reset (jsc#SLE-16649).
- ionic: change mtu after queues are stopped (jsc#SLE-16649).
- ionic: check for link after netdev registration (jsc#SLE-16649).
- ionic: code cleanup details (jsc#SLE-16649).
- ionic: fix sizeof usage (jsc#SLE-16649).
- ionic: fix unchecked reference (jsc#SLE-16649).
- ionic: fix up dim accounting for tx and rx (jsc#SLE-16649).
- ionic: generic tx skb mapping (jsc#SLE-16649).
- ionic: implement Rx page reuse (jsc#SLE-16649).
- ionic: make all rx_mode work threadsafe (jsc#SLE-16649).
- ionic: move rx_page_alloc and free (jsc#SLE-16649).
- ionic: optimize fastpath struct usage (jsc#SLE-16649).
- ionic: protect adminq from early destroy (jsc#SLE-16649).
- ionic: rebuild debugfs on qcq swap (jsc#SLE-16649).
- ionic: remove intr coalesce update from napi (jsc#SLE-16649).
- ionic: remove some unnecessary oom messages (jsc#SLE-16649).
- ionic: simplify TSO descriptor mapping (jsc#SLE-16649).
- ionic: simplify rx skb alloc (jsc#SLE-16649).
- ionic: simplify the intr_index use in txq_init (jsc#SLE-16649).
- ionic: simplify tx clean (jsc#SLE-16649).
- ionic: simplify use of completion types (jsc#SLE-16649).
- ionic: start queues before announcing link up (jsc#SLE-16649).
- ionic: stop watchdog when in broken state (jsc#SLE-16649).
- ionic: useful names for booleans (jsc#SLE-16649).
- iwlwifi: pnvm: accept multiple HW-type TLVs (git-fixes).
- iwlwifi: rs-fw: do not support stbc for HE 160 (git-fixes).
- iwlwifi: skip first element in the WTAS ACPI table (git-fixes).
- kABI fix of usb_dcd_config_params (git-fixes).
- kABI: Fix kABI after fixing vcpu-id indexed arrays (git-fixes).
- kabi fix for NFSv4.1: Do not rebind to the same source port when reconnecting to the server (bnc#1186264 bnc#1189021)
- kabi fix for SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202 bsc#1188924).
- kernel, fs: Introduce and use set_restart_fn() and arch_set_restart_data() (bsc#1189153).
- kernel-cert-subpackage: Fix certificate location in scriptlets (bsc#1189841).
- leds: trigger: audio: Add an activate callback to ensure the initial brightness is set (git-fixes).
- lib/mpi: use kcalloc in mpi_resize (git-fixes).
- lib: Add zstd support to decompress (bsc#1187483, jsc#SLE-18766).
- libata: fix ata_pio_sector for CONFIG_HIGHMEM (git-fixes).
- mac80211: Fix insufficient headroom issue for AMSDU (git-fixes).
- md/raid10: properly indicate failure when ending a failed write request (git-fixes).
- md: revert io stats accounting (git-fixes).
- media: TDA1997x: enable EDID support (git-fixes).
- media: cxd2880-spi: Fix an error handling path (git-fixes).
- media: drivers/media/usb: fix memory leak in zr364xx_probe (git-fixes).
- media: dvb-usb: Fix error handling in dvb_usb_i2c_init (git-fixes).
- media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init (git-fixes).
- media: dvb-usb: fix uninit-value in vp702x_read_mac_addr (git-fixes).
- media: em28xx-input: fix refcount bug in em28xx_usb_disconnect (git-fixes).
- media: go7007: fix memory leak in go7007_usb_probe (git-fixes).
- media: go7007: remove redundant initialization (git-fixes).
- media: rtl28xxu: fix zero-length control request (git-fixes).
- media: stkwebcam: fix memory leak in stk_camera_probe (git-fixes).
- media: venus: venc: Fix potential null pointer dereference on pointer fmt (git-fixes).
- media: videobuf2-core: dequeue if start_streaming fails (git-fixes).
- media: zr364xx: fix memory leaks in probe() (git-fixes).
- media: zr364xx: propagate errors from zr364xx_start_readpipe() (git-fixes).
- misc: atmel-ssc: lock with mutex instead of spinlock (git-fixes).
- misc: rtsx: do not setting OC_POWER_DOWN reg in rtsx_pci_init_ocp() (git-fixes).
- mm/thp: unmap_mapping_page() to fix THP truncate_cleanup_page() (bsc#1189569).
- mm/vmscan: fix infinite loop in drop_slab_node (VM Functionality, bsc#1189301).
- mm: fix memory_failure() handling of dax-namespace metadata (bsc#1189872).
- mm: swap: properly update readahead statistics in unuse_pte_range() (bsc#1187619).
- mmc: dw_mmc: Fix hang on data CRC error (git-fixes).
- mmc: dw_mmc: Fix issue with uninitialized dma_slave_config (git-fixes).
- mmc: moxart: Fix issue with uninitialized dma_slave_config (git-fixes).
- mmc: sdhci-iproc: Cap min clock frequency on BCM2711 (git-fixes).
- mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711 (git-fixes).
- mtd: cfi_cmdset_0002: fix crash when erasing/writing AMD cards (git-fixes).
- nbd: Aovid double completion of a request (git-fixes).
- nbd: Fix NULL pointer in flush_workqueue (git-fixes).
- net/mlx5: Add ts_cqe_to_dest_cqn related bits (bsc#1188412)
- net/mlx5: Properly convey driver version to firmware (git-fixes).
- net/mlx5e: Add missing capability check for uplink follow (bsc#1188412)
- net: dsa: mv88e6xxx: Avoid VTU corruption on 6097 (git-fixes).
- net: dsa: mv88e6xxx: also read STU state in mv88e6250_g1_vtu_getnext (git-fixes).
- net: stmmac: free tx skb buffer in stmmac_resume() (git-fixes).
- net: usb: lan78xx: do not modify phy_device state concurrently (bsc#1188270)
- nfs: fix acl memory leak of posix_acl_create() (git-fixes).
- nvme-multipath: revalidate paths during rescan (bsc#1187211)
- nvme-pci: Use u32 for nvme_dev.q_depth and nvme_queue.q_depth (bsc#1181972).
- nvme-pci: fix NULL req in completion handler (bsc#1181972).
- nvme-pci: limit maximum queue depth to 4095 (bsc#1181972).
- nvme-pci: use unsigned for io queue depth (bsc#1181972).
- nvme-tcp: Do not reset transport on data digest errors (bsc#1188418).
- nvme-tcp: do not check blk_mq_tag_to_rq when receiving pdu data (bsc#1181972).
- nvme: avoid possible double fetch in handling CQE (bsc#1181972).
- nvme: code command_id with a genctr for use-after-free validation (bsc#1181972).
- nvme: only call synchronize_srcu when clearing current path (bsc#1188067).
- nvmet: use NVMET_MAX_NAMESPACES to set nn value (bsc#1189384).
- ocfs2: fix snprintf() checking (bsc#1189581).
- ocfs2: fix zero out valid data (bsc#1189579).
- ocfs2: initialize ip_next_orphan (bsc#1186731).
- ocfs2: issue zeroout to EOF blocks (bsc#1189582).
- ovl: allow upperdir inside lowerdir (bsc#1189323).
- ovl: expand warning in ovl_d_real() (bsc#1189323).
- ovl: fix missing revert_creds() on error path (bsc#1189323).
- ovl: perform vfs_getxattr() with mounter creds (bsc#1189323).
- ovl: skip getxattr of security labels (bsc#1189323).
- params: lift param_set_uint_minmax to common code (bsc#1181972).
- pcmcia: i82092: fix a null pointer dereference bug (git-fixes).
- perf/x86/amd: Do not touch the AMD64_EVENTSEL_HOSTONLY bit inside the guest (bsc#1189225).
- pinctrl: tigerlake: Fix GPIO mapping for newer version of software (git-fixes).
- platform/x86: pcengines-apuv2: Add missing terminating entries to gpio-lookup tables (git-fixes).
- post.sh: detect /usr mountpoint too
- power: supply: max17042: handle fails of reading status register (git-fixes).
- powerpc/cacheinfo: Improve diagnostics about malformed cache lists (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
- powerpc/cacheinfo: Lookup cache by dt node and thread-group id (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
- powerpc/cacheinfo: Remove the redundant get_shared_cpu_map() (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
- powerpc/cacheinfo: Use name at unit instead of full DT path in debug messages (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
- powerpc/papr_scm: Make 'perf_stats' invisible if perf-stats unavailable (bsc#1175052 jsc#SLE-13823 bsc#1174969 jsc#SLE-12769 git-fixes).
- powerpc/papr_scm: Reduce error severity if nvdimm stats inaccessible (bsc#1189197 ltc#193906).
- powerpc/pseries: Fix regression while building external modules (bsc#1160010 ltc#183046 git-fixes). This changes a GPL symbol to a general symbol, which is a kABI change but not a kABI break.
- powerpc/pseries: Fix update of LPAR security flavor after LPM (bsc#1188885 ltc#193722 git-fixes).
- powerpc/smp: Make some symbols static (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
- powerpc/smp: Use existing L2 cache_map cpumask to find L3 cache siblings (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
- powerpc: Fix is_kvm_guest() / kvm_para_available() (bsc#1181148 ltc#190702 git-fixes).
- regulator: rt5033: Fix n_voltages settings for BUCK and LDO (git-fixes).
- regulator: vctrl: Avoid lockdep warning in enable/disable ops (git-fixes).
- regulator: vctrl: Use locked regulator_get_voltage in probe path (git-fixes).
- rpm/kernel-binary.spec.in: Use kmod-zstd provide. This makes it possible to use kmod with ZSTD support on non-Tumbleweed.
- rpm/kernel-obs-build.spec.in: make builds reproducible (bsc#1189305)
- rpm/kernel-source.rpmlintrc: ignore new include/config files. In 5.13, since 0e0345b77ac4, config files no longer have the .h suffix. Adapt the zero-length check. Based on Martin Liska's change.
- rq-qos: fix missed wake-ups in rq_qos_throttle try two (bsc#1189575).
- rsi: fix an error code in rsi_probe() (git-fixes).
- rsi: fix error code in rsi_load_9116_firmware() (git-fixes).
- s390/ap: Fix hanging ioctl caused by wrong msg counter (bsc#1188982 LTC#193817).
- s390/boot: fix use of expolines in the DMA code (bsc#1188878 ltc#193771).
- scsi: blkcg: Add app identifier support for blkcg (bsc#1189385 jsc#SLE-18970).
- scsi: blkcg: Fix application ID config options (bsc#1189385 jsc#SLE-18970).
- scsi: cgroup: Add cgroup_get_from_id() (bsc#1189385 jsc#SLE-18970).
- scsi: core: Add scsi_prot_ref_tag() helper (bsc#1189392).
- scsi: ibmvfc: Do not wait for initial device scan (bsc#1127650).
- scsi: libfc: Fix array index out of bound exception (bsc#1188616).
- scsi: lpfc: Add 256 Gb link speed support (bsc#1189385).
- scsi: lpfc: Add PCI ID support for LPe37000/LPe38000 series adapters (bsc#1189385).
- scsi: lpfc: Call discovery state machine when handling PLOGI/ADISC completions (bsc#1189385).
- scsi: lpfc: Clear outstanding active mailbox during PCI function reset (bsc#1189385).
- scsi: lpfc: Copyright updates for 12.8.0.11 patches (bsc#1189385).
- scsi: lpfc: Copyright updates for 14.0.0.0 patches (bsc#1189385).
- scsi: lpfc: Delay unregistering from transport until GIDFT or ADISC completes (bsc#1189385).
- scsi: lpfc: Discovery state machine fixes for LOGO handling (bsc#1189385).
- scsi: lpfc: Enable adisc discovery after RSCN by default (bsc#1189385).
- scsi: lpfc: Fix KASAN slab-out-of-bounds in lpfc_unreg_rpi() routine (bsc#1189385).
- scsi: lpfc: Fix NULL ptr dereference with NPIV ports for RDF handling (bsc#1189385).
- scsi: lpfc: Fix NVMe support reporting in log message (bsc#1189385).
- scsi: lpfc: Fix build error in lpfc_scsi.c (bsc#1189385).
- scsi: lpfc: Fix cq_id truncation in rq create (bsc#1189385).
- scsi: lpfc: Fix function description comments for vmid routines (bsc#1189385).
- scsi: lpfc: Fix memory leaks in error paths while issuing ELS RDF/SCR request (bsc#1189385).
- scsi: lpfc: Fix possible ABBA deadlock in nvmet_xri_aborted() (bsc#1189385).
- scsi: lpfc: Fix target reset handler from falsely returning FAILURE (bsc#1189385).
- scsi: lpfc: Improve firmware download logging (bsc#1189385).
- scsi: lpfc: Keep NDLP reference until after freeing the IOCB after ELS handling (bsc#1189385).
- scsi: lpfc: Move initialization of phba->poll_list earlier to avoid crash (git-fixes).
- scsi: lpfc: Remove REG_LOGIN check requirement to issue an ELS RDF (bsc#1189385).
- scsi: lpfc: Remove redundant assignment to pointer pcmd (bsc#1189385).
- scsi: lpfc: Remove redundant assignment to pointer temp_hdr (bsc#1189385).
- scsi: lpfc: Remove use of kmalloc() in trace event logging (bsc#1189385).
- scsi: lpfc: Revise Topology and RAS support checks for new adapters (bsc#1189385).
- scsi: lpfc: Skip issuing ADISC when node is in NPR state (bsc#1189385).
- scsi: lpfc: Skip reg_vpi when link is down for SLI3 in ADISC cmpl path (bsc#1189385).
- scsi: lpfc: Update lpfc version to 12.8.0.11 (bsc#1189385).
- scsi: lpfc: Update lpfc version to 14.0.0.0 (bsc#1189385).
- scsi: lpfc: Use PBDE feature enabled bit to determine PBDE support (bsc#1189385).
- scsi: lpfc: Use list_move_tail() instead of list_del()/list_add_tail() (bsc#1189385).
- scsi: lpfc: vmid: Add QFPA and VMID timeout check in worker thread (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Add datastructure for supporting VMID in lpfc (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Add support for VMID in mailbox command (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Append the VMID to the wqe before sending (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Functions to manage VMIDs (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Implement CT commands for appid (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Implement ELS commands for appid (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Introduce VMID in I/O path (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Timeout implementation for VMID (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: VMID parameter initialization (bsc#1189385 jsc#SLE-18970).
- scsi: mpt3sas: Fix ReplyPostFree pool allocation (bsc#1181006).
- scsi: qla2xxx: Add heartbeat check (bsc#1189392).
- scsi: qla2xxx: Fix error return code in qla82xx_write_flash_dword() (bsc#1189392).
- scsi: qla2xxx: Fix spelling mistakes "allloc" -> "alloc" (bsc#1189392).
- scsi: qla2xxx: Fix use after free in debug code (bsc#1189392).
- scsi: qla2xxx: Log PCI address in qla_nvme_unregister_remote_port() (bsc#1189392).
- scsi: qla2xxx: Remove duplicate declarations (bsc#1189392).
- scsi: qla2xxx: Remove redundant assignment to rval (bsc#1189392).
- scsi: qla2xxx: Remove redundant continue statement in a for-loop (bsc#1189392).
- scsi: qla2xxx: Remove redundant initialization of variable num_cnt (bsc#1189392).
- scsi: qla2xxx: Remove unused variable 'status' (bsc#1189392).
- scsi: qla2xxx: Update version to 10.02.00.107-k (bsc#1189392).
- scsi: qla2xxx: Use list_move_tail() instead of list_del()/list_add_tail() (bsc#1189392).
- scsi: qla2xxx: Use the proper SCSI midlayer interfaces for PI (bsc#1189392).
- scsi: qla2xxx: edif: Add authentication pass + fail bsgs (bsc#1189392).
- scsi: qla2xxx: edif: Add detection of secure device (bsc#1189392).
- scsi: qla2xxx: edif: Add doorbell notification for app (bsc#1189392).
- scsi: qla2xxx: edif: Add encryption to I/O path (bsc#1189392).
- scsi: qla2xxx: edif: Add extraction of auth_els from the wire (bsc#1189392).
- scsi: qla2xxx: edif: Add getfcinfo and statistic bsgs (bsc#1189392).
- scsi: qla2xxx: edif: Add key update (bsc#1189392).
- scsi: qla2xxx: edif: Add send, receive, and accept for auth_els (bsc#1189392).
- scsi: qla2xxx: edif: Add start + stop bsgs (bsc#1189392).
- scsi: qla2xxx: edif: Increment command and completion counts (bsc#1189392).
- scsi: scsi_transport_srp: Do not block target in SRP_PORT_LOST state (bsc#1184180).
- scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal (bsc#1189392).
- scsi: zfcp: Report port fc_security as unknown early during remote cable pull (git-fixes).
- serial: 8250: Mask out floating 16/32-bit bus bits (git-fixes).
- serial: 8250_mtk: fix uart corruption issue when rx power off (git-fixes).
- serial: 8250_pci: Avoid irq sharing for MSI(-X) interrupts (git-fixes).
- serial: 8250_pci: Enumerate Elkhart Lake UARTs via dedicated driver (git-fixes).
- serial: tegra: Only print FIFO error message when an error occurs (git-fixes).
- slimbus: messaging: check for valid transaction id (git-fixes).
- slimbus: messaging: start transaction ids from 1 instead of zero (git-fixes).
- slimbus: ngd: reset dma setup during runtime pm (git-fixes).
- soc: aspeed: lpc-ctrl: Fix boundary check for mmap (git-fixes).
- soc: aspeed: p2a-ctrl: Fix boundary check for mmap (git-fixes).
- soc: ixp4xx/qmgr: fix invalid __iomem access (git-fixes).
- soc: ixp4xx: fix printing resources (git-fixes).
- soc: qcom: rpmhpd: Use corner in power_off (git-fixes).
- soc: qcom: smsm: Fix missed interrupts if state changes while masked (git-fixes).
- spi: imx: mx51-ecspi: Fix CONFIGREG delay comment (git-fixes).
- spi: imx: mx51-ecspi: Fix low-speed CONFIGREG delay calculation (git-fixes).
- spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay (git-fixes).
- spi: mediatek: Fix fifo transfer (git-fixes).
- spi: meson-spicc: fix memory leak in meson_spicc_remove (git-fixes).
- spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config (git-fixes).
- spi: spi-pic32: Fix issue with uninitialized dma_slave_config (git-fixes).
- spi: sprd: Fix the wrong WDG_LOAD_VAL (git-fixes).
- spi: stm32h7: fix full duplex irq handler handling (git-fixes).
- staging: rtl8192u: Fix bitwise vs logical operator in TranslateRxSignalStuff819xUsb() (git-fixes).
- staging: rtl8712: get rid of flush_scheduled_work (git-fixes).
- staging: rtl8723bs: Fix a resource leak in sd_int_dpc (git-fixes).
- tracing / histogram: Fix NULL pointer dereference on strcmp() on NULL event name (git-fixes).
- tracing / histogram: Give calculation hist_fields a size (git-fixes).
- tracing: Reject string operand in the histogram expression (git-fixes).
- tty: serial: fsl_lpuart: fix the wrong mapbase value (git-fixes).
- ubifs: Fix error return code in alloc_wbufs() (bsc#1189585).
- ubifs: Fix memleak in ubifs_init_authentication (bsc#1189583).
- ubifs: Only check replay with inode type to judge if inode linked (bsc#1187455).
- ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode (bsc#1189587).
- ubifs: journal: Fix error return code in ubifs_jnl_write_inode() (bsc#1189586).
- usb: bdc: Fix an error handling path in 'bdc_probe()' when no suitable DMA config is available (git-fixes).
- usb: dwc3: Disable phy suspend after power-on reset (git-fixes).
- usb: dwc3: Separate field holding multiple properties (git-fixes).
- usb: dwc3: Stop active transfers before halting the controller (git-fixes).
- usb: dwc3: Use clk_bulk_prepare_enable() (git-fixes).
- usb: dwc3: Use devres to get clocks (git-fixes).
- usb: dwc3: core: do not do suspend for device mode if already suspended (git-fixes).
- usb: dwc3: debug: Remove newline printout (git-fixes).
- usb: dwc3: gadget: Check MPS of the request length (git-fixes).
- usb: dwc3: gadget: Clear DCTL.ULSTCHNGREQ before set (git-fixes).
- usb: dwc3: gadget: Clear DEP flags after stop transfers in ep disable (git-fixes).
- usb: dwc3: gadget: Disable gadget IRQ during pullup disable (git-fixes).
- usb: dwc3: gadget: Do not send unintended link state change (git-fixes).
- usb: dwc3: gadget: Do not setup more than requested (git-fixes).
- usb: dwc3: gadget: Fix dwc3_calc_trbs_left() (git-fixes).
- usb: dwc3: gadget: Fix handling ZLP (git-fixes).
- usb: dwc3: gadget: Give back staled requests (git-fixes).
- usb: dwc3: gadget: Handle ZLP for sg requests (git-fixes).
- usb: dwc3: gadget: Prevent EP queuing while stopping transfers (git-fixes).
- usb: dwc3: gadget: Properly track pending and queued SG (git-fixes).
- usb: dwc3: gadget: Restart DWC3 gadget when enabling pullup (git-fixes).
- usb: dwc3: gadget: Set BESL config parameter (git-fixes).
- usb: dwc3: gadget: Set link state to RX_Detect on disconnect (git-fixes).
- usb: dwc3: gadget: Stop EP0 transfers during pullup disable (git-fixes).
- usb: dwc3: gadget: Workaround Mirosoft's BESL check (git-fixes).
- usb: dwc3: meson-g12a: add IRQ check (git-fixes).
- usb: dwc3: meson-g12a: check return of dwc3_meson_g12a_usb_init (git-fixes).
- usb: dwc3: of-simple: add a shutdown (git-fixes).
- usb: dwc3: st: Add of_dev_put() in probe function (git-fixes).
- usb: dwc3: st: Add of_node_put() before return in probe function (git-fixes).
- usb: dwc3: support continuous runtime PM with dual role (git-fixes).
- usb: ehci-orion: Handle errors of clk_prepare_enable() in probe (git-fixes).
- usb: gadget: Export recommended BESL values (git-fixes).
- usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers (git-fixes).
- usb: gadget: f_hid: fixed NULL pointer dereference (git-fixes).
- usb: gadget: f_hid: idle uses the highest byte for duration (git-fixes).
- usb: gadget: mv_u3d: request_irq() after initializing UDC (git-fixes).
- usb: gadget: udc: at91: add IRQ check (git-fixes).
- usb: gadget: udc: renesas_usb3: Fix soc_device_match() abuse (git-fixes).
- usb: host: ohci-tmio: add IRQ check (git-fixes).
- usb: host: xhci-rcar: Do not reload firmware after the completion (git-fixes).
- usb: mtu3: fix the wrong HS mult value (git-fixes).
- usb: mtu3: use @mult for HS isoc or intr (git-fixes).
- usb: phy: fsl-usb: add IRQ check (git-fixes).
- usb: phy: tahvo: add IRQ check (git-fixes).
- usb: phy: twl6030: add IRQ checks (git-fixes).
- usr: Add support for zstd compressed initramfs (bsc#1187483, jsc#SLE-18766).
- virt_wifi: fix error on connect (git-fixes).
- wireguard: allowedips: allocate nodes in kmem_cache (git-fixes).
- wireguard: allowedips: free empty intermediate nodes when removing single node (git-fixes).
- wireguard: allowedips: remove nodes in O(1) (git-fixes).
- writeback: fix obtain a reference to a freeing memcg css (bsc#1189577).
- x86/fpu: Limit xstate copy size in xstateregs_set() (bsc#1152489).
- x86/fpu: Make init_fpstate correct with optimized XSAVE (bsc#1152489).
- x86/fpu: Reset state for all signal restore failures (bsc#1152489).
- x86/kvm: fix vcpu-id indexed array sizes (git-fixes).
- x86/sev: Make sure IRQs are disabled while GHCB is active (jsc#SLE-14337).
- x86/sev: Split up runtime #VC handler for correct state tracking (jsc#SLE-14337).
- x86/sev: Use "SEV: " prefix for messages from sev.c (jsc#SLE-14337).
- x86/signal: Detect and prevent an alternate signal stack overflow (bsc#1152489).
- x86/split_lock: Provide handle_guest_split_lock() (bsc#1187959).
- xen/events: Fix race in set_evtchn_to_irq (git-fixes).
- xprtrdma: Pad optimization, revisited (bsc#1189760).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.1:

zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3205=1

Package List:

- SUSE MicroOS 5.1 (aarch64 s390x x86_64):

kernel-default-5.3.18-59.24.1
kernel-default-base-5.3.18-59.24.1.18.12.1
kernel-default-debuginfo-5.3.18-59.24.1
kernel-default-debugsource-5.3.18-59.24.1

References:

https://www.suse.com/security/cve/CVE-2020-12770.html
https://www.suse.com/security/cve/CVE-2021-34556.html
https://www.suse.com/security/cve/CVE-2021-35477.html
https://www.suse.com/security/cve/CVE-2021-3640.html
https://www.suse.com/security/cve/CVE-2021-3653.html
https://www.suse.com/security/cve/CVE-2021-3656.html
https://www.suse.com/security/cve/CVE-2021-3679.html
https://www.suse.com/security/cve/CVE-2021-3732.html
https://www.suse.com/security/cve/CVE-2021-3739.html
https://www.suse.com/security/cve/CVE-2021-3743.html
https://www.suse.com/security/cve/CVE-2021-3753.html
https://www.suse.com/security/cve/CVE-2021-3759.html
https://www.suse.com/security/cve/CVE-2021-38160.html
https://www.suse.com/security/cve/CVE-2021-38166.html
https://www.suse.com/security/cve/CVE-2021-38198.html
https://www.suse.com/security/cve/CVE-2021-38204.html
https://www.suse.com/security/cve/CVE-2021-38205.html
https://www.suse.com/security/cve/CVE-2021-38206.html
https://www.suse.com/security/cve/CVE-2021-38207.html
https://www.suse.com/security/cve/CVE-2021-38209.html
https://bugzilla.suse.com/1040364
https://bugzilla.suse.com/1127650
https://bugzilla.suse.com/1135481
https://bugzilla.suse.com/1152489
https://bugzilla.suse.com/1160010
https://bugzilla.suse.com/1168202
https://bugzilla.suse.com/1171420
https://bugzilla.suse.com/1174969
https://bugzilla.suse.com/1175052
https://bugzilla.suse.com/1175543
https://bugzilla.suse.com/1177399
https://bugzilla.suse.com/1180100
https://bugzilla.suse.com/1180141
https://bugzilla.suse.com/1180347
https://bugzilla.suse.com/1181006
https://bugzilla.suse.com/1181148
https://bugzilla.suse.com/1181972
https://bugzilla.suse.com/1184180
https://bugzilla.suse.com/1185902
https://bugzilla.suse.com/1186264
https://bugzilla.suse.com/1186731
https://bugzilla.suse.com/1187211
https://bugzilla.suse.com/1187455
https://bugzilla.suse.com/1187468
https://bugzilla.suse.com/1187483
https://bugzilla.suse.com/1187619
https://bugzilla.suse.com/1187959
https://bugzilla.suse.com/1188067
https://bugzilla.suse.com/1188172
https://bugzilla.suse.com/1188231
https://bugzilla.suse.com/1188270
https://bugzilla.suse.com/1188412
https://bugzilla.suse.com/1188418
https://bugzilla.suse.com/1188616
https://bugzilla.suse.com/1188700
https://bugzilla.suse.com/1188780
https://bugzilla.suse.com/1188781
https://bugzilla.suse.com/1188782
https://bugzilla.suse.com/1188783
https://bugzilla.suse.com/1188784
https://bugzilla.suse.com/1188786
https://bugzilla.suse.com/1188787
https://bugzilla.suse.com/1188788
https://bugzilla.suse.com/1188790
https://bugzilla.suse.com/1188878
https://bugzilla.suse.com/1188885
https://bugzilla.suse.com/1188924
https://bugzilla.suse.com/1188982
https://bugzilla.suse.com/1188983
https://bugzilla.suse.com/1188985
https://bugzilla.suse.com/1189021
https://bugzilla.suse.com/1189057
https://bugzilla.suse.com/1189077
https://bugzilla.suse.com/1189153
https://bugzilla.suse.com/1189197
https://bugzilla.suse.com/1189209
https://bugzilla.suse.com/1189210
https://bugzilla.suse.com/1189212
https://bugzilla.suse.com/1189213
https://bugzilla.suse.com/1189214
https://bugzilla.suse.com/1189215
https://bugzilla.suse.com/1189216
https://bugzilla.suse.com/1189217
https://bugzilla.suse.com/1189218
https://bugzilla.suse.com/1189219
https://bugzilla.suse.com/1189220
https://bugzilla.suse.com/1189221
https://bugzilla.suse.com/1189222
https://bugzilla.suse.com/1189225
https://bugzilla.suse.com/1189229
https://bugzilla.suse.com/1189233
https://bugzilla.suse.com/1189262
https://bugzilla.suse.com/1189291
https://bugzilla.suse.com/1189292
https://bugzilla.suse.com/1189296
https://bugzilla.suse.com/1189298
https://bugzilla.suse.com/1189301
https://bugzilla.suse.com/1189305
https://bugzilla.suse.com/1189323
https://bugzilla.suse.com/1189384
https://bugzilla.suse.com/1189385
https://bugzilla.suse.com/1189392
https://bugzilla.suse.com/1189393
https://bugzilla.suse.com/1189399
https://bugzilla.suse.com/1189400
https://bugzilla.suse.com/1189427
https://bugzilla.suse.com/1189503
https://bugzilla.suse.com/1189504
https://bugzilla.suse.com/1189505
https://bugzilla.suse.com/1189506
https://bugzilla.suse.com/1189507
https://bugzilla.suse.com/1189562
https://bugzilla.suse.com/1189563
https://bugzilla.suse.com/1189564
https://bugzilla.suse.com/1189565
https://bugzilla.suse.com/1189566
https://bugzilla.suse.com/1189567
https://bugzilla.suse.com/1189568
https://bugzilla.suse.com/1189569
https://bugzilla.suse.com/1189573
https://bugzilla.suse.com/1189574
https://bugzilla.suse.com/1189575
https://bugzilla.suse.com/1189576
https://bugzilla.suse.com/1189577
https://bugzilla.suse.com/1189579
https://bugzilla.suse.com/1189581
https://bugzilla.suse.com/1189582
https://bugzilla.suse.com/1189583
https://bugzilla.suse.com/1189585
https://bugzilla.suse.com/1189586
https://bugzilla.suse.com/1189587
https://bugzilla.suse.com/1189706
https://bugzilla.suse.com/1189760
https://bugzilla.suse.com/1189762
https://bugzilla.suse.com/1189832
https://bugzilla.suse.com/1189841
https://bugzilla.suse.com/1189870
https://bugzilla.suse.com/1189872
https://bugzilla.suse.com/1189883
https://bugzilla.suse.com/1190022
https://bugzilla.suse.com/1190025
https://bugzilla.suse.com/1190115
https://bugzilla.suse.com/1190117
https://bugzilla.suse.com/1190412
https://bugzilla.suse.com/1190413
https://bugzilla.suse.com/1190428

From sle-security-updates at lists.suse.com Wed Oct 13 16:16:50 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 13 Oct 2021 18:16:50 +0200 (CEST)
Subject: SUSE-SU-2021:3415-1: important: Security update for the Linux Kernel
Message-ID: <20211013161650.A7BAAFD2D@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:3415-1
Rating: important
References: #1065729 #1124431 #1127650 #1135481 #1148868 #1152489 #1154353 #1159886 #1167032 #1167773 #1168202 #1170774 #1171420 #1171688 #1173746 #1174003 #1175543 #1176447 #1176940 #1177028 #1177399 #1178134 #1180141 #1180347 #1181006 #1181972 #1184114 #1184439 #1184611 #1184804 #1185302 #1185550 #1185675 #1185677 #1185726 #1185762 #1185898 #1187211 #1187455 #1187591 #1187619 #1188067 #1188172 #1188270 #1188412 #1188418 #1188439 #1188616 #1188651 #1188694 #1188700 #1188878 #1188924 #1188983 #1188985 #1188986 #1189153 #1189225 #1189257 #1189262 #1189297 #1189301 #1189399 #1189400 #1189503 #1189504 #1189505 #1189506 #1189507 #1189562 #1189563 #1189564 #1189565 #1189566 #1189567 #1189568 #1189569 #1189573 #1189574 #1189575 #1189576 #1189577 #1189579 #1189581 #1189582 #1189583 #1189585 #1189586 #1189587 #1189696 #1189706 #1189760 #1189762 #1189832 #1189841 #1189870 #1189872 #1189883 #1189884 #1190022 #1190023 #1190025 #1190062 #1190115 #1190117 #1190131 #1190138 #1190159 #1190181 #1190358 #1190406 #1190412 #1190413 #1190428 #1190467 #1190523 #1190534 #1190543 #1190544 #1190561 #1190576 #1190595 #1190596 #1190598 #1190620 #1190626 #1190679 #1190705 #1190717 #1190746 #1190758 #1190784 #1190785 #1191172 #1191193 #1191292 #859220
Cross-References: CVE-2020-12770 CVE-2020-3702 CVE-2021-34556 CVE-2021-35477 CVE-2021-3653 CVE-2021-3656 CVE-2021-3669 CVE-2021-3732 CVE-2021-3739 CVE-2021-3743 CVE-2021-3744 CVE-2021-3752 CVE-2021-3753 CVE-2021-3759 CVE-2021-3764 CVE-2021-38160 CVE-2021-38198 CVE-2021-40490
CVSS scores:
CVE-2020-12770 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-12770 (SUSE): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
CVE-2020-3702 (NVD) :
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2020-3702 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-34556 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2021-35477 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE-2021-3653 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-3656 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-3669 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-3732 (SUSE): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2021-3739 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVE-2021-3743 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-3744 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-3752 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-3753 (SUSE): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2021-3759 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-3764 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2021-38160 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-38198 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-40490 (SUSE): 6.1 CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Products:
SUSE MicroOS 5.1
SUSE Linux Enterprise Module for Realtime 15-SP3
______________________________________________________________________________

An update that solves 18 vulnerabilities and has 119 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP3 kernel was updated.

The following security bugs were fixed:

- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that led to improper layer 2 Wi-Fi encryption, with a consequent possibility of information disclosure. (bnc#1191193)
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module.
(bsc#1190023)
- CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could lead to local privilege escalation. (bnc#1190159)
- CVE-2021-3744: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1189884)
- CVE-2021-3764: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1190534)
- CVE-2021-3669: Fixed a bug that did not allow /proc/sysvipc/shm to scale with large shared memory segment counts, which could lead to resource exhaustion and DoS. (bsc#1188986)
- CVE-2021-3759: Unaccounted ipc objects in the Linux kernel could have led to breaking memcg limits and DoS attacks (bsc#1190115).
- CVE-2021-34556: Fixed a side-channel attack via Speculative Store Bypass through an unprivileged BPF program that could have obtained sensitive information from kernel memory (bsc#1188983).
- CVE-2021-35477: Fixed a BPF stack frame pointer issue which could have been abused to disclose the content of arbitrary kernel memory (bsc#1188985).
- CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117).
- CVE-2021-3753: Fixed a race leading to an out-of-bounds access in virtual terminal handling (bsc#1190025).
- CVE-2021-3743: Fixed an OOB read in qrtr_endpoint_post (bsc#1189883).
- CVE-2021-3739: Fixed a NULL pointer dereference when deleting a device by an invalid id (bsc#1189832).
- CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace could reveal files (bsc#1189706).
- CVE-2021-3653: Missing validation of the `int_ctl` VMCB field allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189399).
- CVE-2021-3656: Missing validation of the `virt_ext` VMCB field allowed a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS for the L2 guest (bsc#1189400).
- CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault (bnc#1189262).
- CVE-2020-12770: Fixed the sg_remove_request call in certain failure cases (bsc#1171420).

The following non-security bugs were fixed:

- ACPI: processor: Clean up acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Export acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Export function to claim _CST control (bsc#1175543)
- ACPI: processor: Introduce acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Make ACPI_PROCESSOR_CSTATE depend on ACPI_PROCESSOR (bsc#1175543)
- ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes).
- ALSA: hda - fix the 'Capture Switch' value change notifications (git-fixes).
- ALSA: hda/realtek: Enable 4-speaker output for Dell XPS 15 9510 laptop (git-fixes).
- ALSA: hda/realtek: Limit mic boost on HP ProBook 445 G8 (git-fixes).
- ALSA: hda/realtek: Quirk for HP Spectre x360 14 amp setup (git-fixes).
- ALSA: hda/realtek: Workaround for conflicting SSID on ASUS ROG Strix G17 (git-fixes).
- ALSA: hda/realtek: Workaround for conflicting SSID on ASUS ROG Strix G17 (git-fixes).
- ALSA: hda/via: Apply runtime PM workaround for ASUS B23E (git-fixes).
- ALSA: pcm: fix divide error in snd_pcm_lib_ioctl (git-fixes).
- ALSA: usb-audio: Add registration quirk for JBL Quantum 800 (git-fixes).
- ALSA: usb-audio: Fix regression on Sony WALKMAN NW-A45 DAC (git-fixes).
- apparmor: remove duplicate macro list_entry_is_head() (git-fixes).
- ASoC: component: Remove misplaced prefix handling in pin control functions (git-fixes).
- ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes).
- ASoC: intel: atom: Fix breakage for PCM buffer address setup (git-fixes).
- ASoC: Intel: Fix platform ID matching (git-fixes).
- ASoC: Intel: kbl_da7219_max98927: Fix format selection for max98373 (git-fixes).
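The CVE-2021-38160 entry above describes a trust-boundary bug rather than a parsing bug: a virtio device reports how many bytes it placed into a guest buffer, and the driver recorded that number as the buffer's fill level without comparing it against the size it had itself allocated. The C below is an added example, not code from this advisory or from drivers/char/virtio_console.c. It models the pattern with a simplified port buffer, shows the unchecked assignment next to the clamp that closes the hole, and shows what the copy-to-reader path hands out once the length is bounded. The names port_buffer, get_inbuf_vulnerable, get_inbuf_hardened, fill_readbuf and RX_SIZE are stand-ins chosen for the example, and the 128-byte buffer with a device claiming 4096 bytes used is a constructed scenario.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the virtio_console driver's code.  A receive buffer as
 * the driver sees it: the driver chose `size` when it allocated `buf`; the
 * device later reports a "used length" for it.  Only `size` is trustworthy.
 */
struct port_buffer {
	unsigned char *buf;   /* storage allocated by the driver            */
	size_t size;          /* bytes actually allocated behind buf        */
	size_t len;           /* bytes the device claims it wrote           */
	size_t offset;        /* bytes already handed to the reader         */
};

#define RX_SIZE 128       /* allocation size used by the demo below      */

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Vulnerable pattern (CVE-2021-38160 class): device-reported length trusted. */
void get_inbuf_vulnerable(struct port_buffer *pb, unsigned int used_len)
{
	pb->len = used_len;   /* may exceed pb->size */
	pb->offset = 0;
}

/* Hardened pattern: clamp the reported length to what was allocated. */
void get_inbuf_hardened(struct port_buffer *pb, unsigned int used_len)
{
	pb->len = min_sz(used_len, pb->size);
	pb->offset = 0;
}

/*
 * Hand pending bytes to a reader.  Correct only while len <= size; after the
 * vulnerable get_inbuf this memcpy reads up to (len - size) bytes past the
 * allocation, which is the data corruption/loss the advisory refers to.
 */
size_t fill_readbuf(struct port_buffer *pb, unsigned char *out, size_t out_count)
{
	size_t n = min_sz(pb->len - pb->offset, out_count);

	memcpy(out, pb->buf + pb->offset, n);
	pb->offset += n;
	return n;
}

/* Fill level each variant records for a device that reports `used_len`. */
size_t recorded_len(int hardened, unsigned int used_len)
{
	unsigned char storage[RX_SIZE];
	struct port_buffer pb = { storage, RX_SIZE, 0, 0 };

	if (hardened)
		get_inbuf_hardened(&pb, used_len);
	else
		get_inbuf_vulnerable(&pb, used_len);
	return pb.len;
}

/*
 * Constructed scenario: a 128-byte buffer and a device claiming 4096 bytes
 * used.  With the clamp the reader gets at most 128 bytes, all from inside
 * the allocation.  Returns the byte count handed to the reader.
 */
size_t hardened_copy_demo(void)
{
	unsigned char storage[RX_SIZE];
	unsigned char out[4096];
	struct port_buffer pb = { storage, RX_SIZE, 0, 0 };

	memset(storage, 0x41, sizeof storage);   /* constructed payload */
	get_inbuf_hardened(&pb, 4096);
	return fill_readbuf(&pb, out, sizeof out);
}

int main(void)
{
	printf("unchecked len recorded: %zu (allocation is %d)\n",
	       recorded_len(0, 4096), RX_SIZE);
	printf("clamped len recorded:   %zu\n", recorded_len(1, 4096));
	printf("bytes copied to reader: %zu\n", hardened_copy_demo());
	return 0;
}
```

The point generalises to every count a device, firmware or hypervisor hands back (the gve AdminQ overflow-check entry further down in this update is the same class of check): bound it by what the driver allocated at the place the value enters the driver, so no later index or memcpy has to repeat the comparison. On SEV or TDX guests the device side of a virtqueue belongs to the untrusted host, which turns this from a robustness fix into an integrity boundary.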
- ASoC: Intel: Skylake: Fix module resource and format selection (git-fixes). - ASoC: Intel: Skylake: Leave data as is when invoking TLV IPCs (git-fixes). - ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes). - ASoC: mediatek: mt8183: Fix Unbalanced pm_runtime_enable in mt8183_afe_pcm_dev_probe (git-fixes). - ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes). - ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes). - ASoC: rt5682: Adjust headset volume button threshold (git-fixes). - ASoC: rt5682: Adjust headset volume button threshold again (git-fixes). - ASoC: rt5682: Implement remove callback (git-fixes). - ASoC: rt5682: Properly turn off regulators if wrong device ID (git-fixes). - ASoC: rt5682: Remove unused variable in rt5682_i2c_remove() (git-fixes). - ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes). - ASoC: ti: delete some dead code in omap_abe_probe() (git-fixes). - ASoC: wcd9335: Disable irq on slave ports in the remove function (git-fixes). - ASoC: wcd9335: Fix a double irq free in the remove function (git-fixes). - ASoC: wcd9335: Fix a memory leak in the error handling path of the probe function (git-fixes). - ath: Use safer key clearing with key cache entries (git-fixes). - ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() (git-fixes). - ath9k: Clear key cache explicitly on disabling hardware (git-fixes). - ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes). - ath9k: fix sleeping in atomic context (git-fixes). - Avoid double printing SUSE specific flags in mod->taint (bsc#1190413). - backlight: pwm_bl: Improve bootloader/kernel device handover (git-fixes). - bareudp: Fix invalid read beyond skb's linear data (jsc#SLE-15172). - bcma: Fix memory leak for internally-handled cores (git-fixes). - bdi: Do not use freezable workqueue (bsc#1189573). - blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit() (bsc#1189507). 
- blk-mq-sched: Fix blk_mq_sched_alloc_tags() error handling (bsc#1189506). - blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762). - blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762). - blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762). - blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762). - blk-mq: mark if one queue map uses managed irq (bsc#1185762). - blk-mq: mark if one queue map uses managed irq (bsc#1185762). - blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled() (bsc#1189503). - blk-wbt: make sure throttle is enabled properly (bsc#1189504). - block: fix trace completion for chained bio (bsc#1189505). - Bluetooth: add timeout sanity check to hci_inquiry (git-fixes). - Bluetooth: btusb: check conditions before enabling USB ALT 3 for WBS (git-fixes). - Bluetooth: btusb: Fix a unspported condition to set available debug features (git-fixes). - Bluetooth: fix repeated calls to sco_sock_kill (git-fixes). - Bluetooth: hidp: use correct wait queue when removing ctrl_wait (git-fixes). - Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow (git-fixes). - Bluetooth: mgmt: Fix wrong opcode in the response for add_adv cmd (git-fixes). - Bluetooth: sco: prevent information leak in sco_conn_defer_accept() (git-fixes). - Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes). - bnx2x: fix an error code in bnx2x_nic_load() (git-fixes). - bnxt_en: Add missing DMA memory barriers (git-fixes). - bnxt_en: Disable aRFS if running on 212 firmware (git-fixes). - bnxt_en: Do not enable legacy TX push on older firmware (git-fixes). - bnxt_en: Fix asic.rev in devlink dev info command (jsc#SLE-16649). - bnxt_en: fix stored FW_PSID version masks (jsc#SLE-16649). - bnxt_en: Store the running firmware version code (git-fixes). - bnxt: count Tx drops (git-fixes). - bnxt: disable napi before canceling DIM (git-fixes). - bnxt: do not lock the tx queue from napi poll (git-fixes). 
- bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes). - bpf, samples: Add missing mprog-disable to xdp_redirect_cpu's optstring (git-fixes). - bpf: Fix ringbuf helper function compatibility (git-fixes). - bpftool: Add sock_release help info for cgroup attach/prog load command (bsc#1177028). - brcmfmac: pcie: fix oops on failure to resume and reprobe (git-fixes). - btrfs: account for new extents being deleted in total_bytes_pinned (bsc#1135481). - btrfs: add a comment explaining the data flush steps (bsc#1135481). - btrfs: add a trace class for dumping the current ENOSPC state (bsc#1135481). - btrfs: add a trace point for reserve tickets (bsc#1135481). - btrfs: add btrfs_reserve_data_bytes and use it (bsc#1135481). - btrfs: add flushing states for handling data reservations (bsc#1135481). - btrfs: add the data transaction commit logic into may_commit_transaction (bsc#1135481). - btrfs: adjust the flush trace point to include the source (bsc#1135481). - btrfs: call btrfs_try_granting_tickets when freeing reserved bytes (bsc#1135481). - btrfs: call btrfs_try_granting_tickets when reserving space (bsc#1135481). - btrfs: call btrfs_try_granting_tickets when unpinning anything (bsc#1135481). - btrfs: change nr to u64 in btrfs_start_delalloc_roots (bsc#1135481). - btrfs: check reclaim_size in need_preemptive_reclaim (bsc#1135481). - btrfs: check tickets after waiting on ordered extents (bsc#1135481). - btrfs: do async reclaim for data reservations (bsc#1135481). - btrfs: do not force commit if we are data (bsc#1135481). - btrfs: drop the commit_cycles stuff for data reservations (bsc#1135481). - btrfs: fix btrfs_calc_reclaim_metadata_size calculation (bsc#1135481). - btrfs: fix possible infinite loop in data async reclaim (bsc#1135481). - btrfs: flush delayed refs when trying to reserve data space (bsc#1135481). - btrfs: handle space_info::total_bytes_pinned inside the delayed ref itself (bsc#1135481). 
- btrfs: handle U64_MAX for shrink_delalloc (bsc#1135481). - btrfs: implement space clamping for preemptive flushing (bsc#1135481). - btrfs: improve preemptive background space flushing (bsc#1135481). - btrfs: introduce a FORCE_COMMIT_TRANS flush operation (bsc#1135481). - btrfs: make ALLOC_CHUNK use the space info flags (bsc#1135481). - btrfs: make flush_space take a enum btrfs_flush_state instead of int (bsc#1135481). - btrfs: make shrink_delalloc take space_info as an arg (bsc#1135481). - btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626). - btrfs: remove FLUSH_DELAYED_REFS from data ENOSPC flushing (bsc#1135481). - btrfs: remove orig from shrink_delalloc (bsc#1135481). - btrfs: rename need_do_async_reclaim (bsc#1135481). - btrfs: rework btrfs_calc_reclaim_metadata_size (bsc#1135481). - btrfs: rip out btrfs_space_info::total_bytes_pinned (bsc#1135481). - btrfs: rip out may_commit_transaction (bsc#1135481). - btrfs: rip the first_ticket_bytes logic from fail_all_tickets (bsc#1135481). - btrfs: run delayed iputs before committing the transaction for data (bsc#1135481). - btrfs: serialize data reservations if we are flushing (bsc#1135481). - btrfs: shrink delalloc pages instead of full inodes (bsc#1135481). - btrfs: simplify the logic in need_preemptive_flushing (bsc#1135481). - btrfs: tracepoints: convert flush states to using EM macros (bsc#1135481). - btrfs: tracepoints: fix btrfs_trigger_flush symbolic string for flags (bsc#1135481). - btrfs: track ordered bytes instead of just dio ordered bytes (bsc#1135481). - btrfs: use btrfs_start_delalloc_roots in shrink_delalloc (bsc#1135481). - btrfs: use the btrfs_space_info_free_bytes_may_use helper for delalloc (bsc#1135481). - btrfs: use the same helper for data and metadata reservations (bsc#1135481). - btrfs: use ticketing for data space reservations (bsc#1135481). 
- can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters (git-fixes). - cgroup: verify that source is a string (bsc#1190131). - cgroup1: fix leaked context root causing sporadic NULL deref in LTP (bsc#1190181). - clk: at91: clk-generated: Limit the requested rate to our range (git-fixes). - clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes). - clk: kirkwood: Fix a clocking boot regression (git-fixes). - console: consume APC, DM, DCS (git-fixes). - cpuidle: Allow idle states to be disabled by default (bsc#1175543) - cpuidle: Consolidate disabled state checks (bsc#1175543) - cpuidle: cpuidle_state kABI fix (bsc#1175543) - cpuidle: Drop disabled field from struct cpuidle_state (bsc#1175543) - cpuidle: Fix cpuidle_driver_state_disabled() (bsc#1175543) - cpuidle: Introduce cpuidle_driver_state_disabled() for driver quirks (bsc#1175543) - cpuidle: pseries: Do not cap the CEDE0 latency in fixup_cede0_latency() (bsc#1185550 ltc#192610 git-fixes jsc#SLE-18128). - crypto: qat - use proper type for vf_mask (git-fixes). - cuse: fix broken release (bsc#1190596). - cxgb4: dont touch blocked freelist bitmap after free (git-fixes). - debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746). - device-dax: Fix default return code of range_parse() (git-fixes). - devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353). - devlink: Clear whole devlink_flash_notify struct (bsc#1176447). - dm integrity: fix missing goto in bitmap_flush_interval error handling (git-fixes). - dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails (git-fixes). - dm verity: fix DM_VERITY_OPTS_MAX value (git-fixes). - dma-buf: DMABUF_MOVE_NOTIFY should depend on DMA_SHARED_BUFFER (git-fixes). - dmaengine: acpi: Avoid comparison GSI with Linux vIRQ (git-fixes). - dmaengine: idxd: clear block on fault flag when clear wq (git-fixes). 
- dmaengine: idxd: fix wq slot allocation index check (git-fixes). - dmaengine: imx-sdma: remove duplicated sdma_load_context (git-fixes). - dmaengine: ioat: depends on !UML (git-fixes). - dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available (git-fixes). - dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes). - dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe() (git-fixes). - dmaengine: xilinx_dma: Fix read-after-free bug when terminating transfers (git-fixes). - dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes). - docs: Fix infiniband uverbs minor number (git-fixes). - Documentation: admin-guide: PM: Add intel_idle document (bsc#1175543) - drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes). - drivers/block/null_blk/main: Fix a double free in null_init (git-fixes). - drm: avoid blocking in drm_clients_info's rcu section (git-fixes). - drm: Copy drm_wait_vblank to user before returning (git-fixes). - drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes). - drm/amd/display: Fix Dynamic bpp issue with 8K30 with Navi 1X (git-fixes). - drm/amd/display: Fix timer_per_pixel unit error (git-fixes). - drm/amd/display: Remove invalid assert for ODM + MPC case (git-fixes). - drm/amd/display: use GFP_ATOMIC in amdgpu_dm_irq_schedule_work (git-fixes). - drm/amd/display: workaround for hard hang on HPD on native DP (git-fixes). - drm/amdgpu: do not enable baco on boco platforms in runpm (git-fixes). - drm/amdgpu: Fix BUG_ON assert (git-fixes). - drm/amdgpu: fix the doorbell missing when in CGPG issue for renoir (git-fixes). - drm/amdgpu/acp: Make PM domain really work (git-fixes). - drm/ast: Fix missing conversions to managed API (git-fixes). - drm/dp_mst: Fix return code on sideband message failure (git-fixes). - drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes). 
- drm/i915: Add more AUX CHs to the enum (bsc#1188700). - drm/i915: Add VBT AUX CH H and I (bsc#1188700). - drm/i915: Add VBT DVO ports H and I (bsc#1188700). - drm/i915: Allow the sysadmin to override security mitigations (git-fixes). - drm/i915: Configure GEN11_{TBT,TC}_HOTPLUG_CTL for ports TC5/6 (bsc#1188700). - drm/i915: Introduce HPD_PORT_TC (bsc#1188700). - drm/i915: Move hpd_pin setup to encoder init (bsc#1188700). - drm/i915: Nuke the redundant TC/TBT HPD bit defines (bsc#1188700). - drm/i915/dg1: gmbus pin mapping (bsc#1188700). - drm/i915/dg1: provide port/phy mapping for vbt (bsc#1188700). - drm/i915/gen9_bc: Add W/A for missing STRAP config on TGP PCH + CML combos (bsc#1188700). - drm/i915/gen9_bc: Introduce HPD pin mappings for TGP PCH + CML combos (bsc#1188700). - drm/i915/gen9_bc: Introduce TGP PCH DDC pin mappings (bsc#1188700). - drm/i915/gen9_bc: Recognize TGP PCH + CML combos (bsc#1188700). - drm/i915/rkl: new rkl ddc map for different PCH (bsc#1188700). - drm/i915/rkl: Remove require_force_probe protection (bsc#1189257). - drm/ingenic: Switch IPU plane to type OVERLAY (git-fixes). - drm/mgag200: Select clock in PLL update functions (git-fixes). - drm/msi/mdp4: populate priv->kms in mdp4_kms_init (git-fixes). - drm/msm: Fix error return code in msm_drm_init() (git-fixes). - drm/msm/dpu: make dpu_hw_ctl_clear_all_blendstages clear necessary LMs (git-fixes). - drm/msm/dsi: Fix some reference counted resource leaks (git-fixes). - drm/msm/mdp4: move HW revision detection to earlier phase (git-fixes). - drm/msm/mdp4: refactor HW revision detection into read_mdp_hw_revision (git-fixes). - drm/nouveau/disp: power down unused DP links during init (git-fixes). - drm/nouveau/kms/nv50: workaround EFI GOP window channel format differences (git-fixes). - drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes). - drm/of: free the iterator object on failure (git-fixes). - drm/of: free the right object (git-fixes). 
- drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes). - drm/panfrost: Fix missing clk_disable_unprepare() on error in panfrost_clk_init() (git-fixes). - drm/panfrost: Simplify lock_region calculation (git-fixes). - drm/panfrost: Use u64 for size in lock_region (git-fixes). - drm/pl111: depend on CONFIG_VEXPRESS_CONFIG (git-fixes). - drm/prime: fix comment on PRIME Helpers (git-fixes). - drm/rockchip: cdn-dp-core: Make cdn_dp_core_resume __maybe_unused (git-fixes). - e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100). - e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes). - EDAC/i10nm: Fix NVDIMM detection (bsc#1152489). - EDAC/mce_amd: Do not load edac_mce_amd module on guests (bsc#1190138). - EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489). - enetc: Fix uninitialized struct dim_sample field usage (git-fixes). - erofs: fix up erofs_lookup tracepoint (git-fixes). - ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle (bsc#1189568). - ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit (bsc#1189564). - ext4: fix avefreec in find_group_orlov (bsc#1189566). - ext4: fix kernel infoleak via ext4_extent_header (bsc#1189562). - ext4: fix potential htree corruption when growing large_dir directories (bsc#1189576). - ext4: remove check for zero nr_to_scan in ext4_es_scan() (bsc#1189565). - ext4: return error code when ext4_fill_flex_info() fails (bsc#1189563). - ext4: use ext4_grp_locked_error in mb_find_extent (bsc#1189567). - fanotify: fix copy_event_to_user() fid error clean up (bsc#1189574). - fbmem: do not allow too huge resolutions (git-fixes). - fpga: altera-freeze-bridge: Address warning about unused variable (git-fixes). - fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes). - fpga: machxo2-spi: Return an error on failure (git-fixes). - fpga: xiilnx-spi: Address warning about unused variable (git-fixes). 
- fpga: zynqmp-fpga: Address warning about unused variable (git-fixes). - fuse: flush extending writes (bsc#1190595). - fuse: truncate pagecache on atomic_o_trunc (bsc#1190705). - genirq: add device_has_managed_msi_irq (bsc#1185762). - genirq: add device_has_managed_msi_irq (bsc#1185762). - gpio: mpc8xxx: Fix a resources leak in the error handling path of 'mpc8xxx_probe()' (git-fixes). - gpio: uniphier: Fix void functions to remove return value (git-fixes). - gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes). - gpu: ipu-v3: Fix i.MX IPU-v3 offset calculations for (semi)planar U/V formats (git-fixes). - gpu: ipu-v3: Fix i.MX IPU-v3 offset calculations for (semi)planar U/V formats (git-fixes). - gve: fix the wrong AdminQ buffer overflow check (bsc#1176940). - HID: i2c-hid: Fix Elan touchpad regression (git-fixes). - HID: input: do not report stylus battery state as "full" (git-fixes). - hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726). - hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726). - hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes). - hwmon: (tmp421) fix rounding for negative values (git-fixes). - hwmon: (tmp421) report /PVLD condition as fault (git-fixes). - i2c: dev: zero out array used for i2c reads from userspace (git-fixes). - i2c: highlander: add IRQ check (git-fixes). - i2c: iop3xx: fix deferred probing (git-fixes). - i2c: mt65xx: fix IRQ check (git-fixes). - i2c: s3c2410: fix IRQ check (git-fixes). - i40e: Add additional info to PHY type error (git-fixes). - i40e: Fix firmware LLDP agent related warning (git-fixes). - i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes). - i40e: Fix logic of disabling queues (git-fixes). - i40e: Fix queue-to-TC mapping on Tx (git-fixes). 
- i40e: improve locking of mac_filter_hash (jsc#SLE-13701). - iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940). - iavf: Set RSS LUT and key in reset handle path (git-fixes). - IB/hfi1: Indicate DMA wait when txq is queued for wakeup (jsc#SLE-13208). - ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510). - ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943). - ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943). - ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943). - ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943). - ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943). - ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943). - ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943). - ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943). - ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943). - ice: do not abort devlink info if board identifier can't be found (jsc#SLE-12878). - ice: do not remove netdev->dev_addr from uc sync list (git-fixes). - ice: Prevent probing virtual functions (git-fixes). - igc: Use num_tx_queues when iterating over tx_ring queue (jsc#SLE-13533). - iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes). - Improved the warning message. - include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes). 
- intel_idle: Add module parameter to prevent ACPI _CST from being used (bsc#1175543) - intel_idle: Allow ACPI _CST to be used for selected known processors (bsc#1175543) - intel_idle: Annotate init time data structures (bsc#1175543) - intel_idle: Customize IceLake server support (bsc#1175543) - intel_idle: Disable ACPI _CST on Haswell (bsc#1175543, bsc#1177399, bsc#1180347, bsc#1180141) - intel_idle: Fix max_cstate for processor models without C-state tables (bsc#1175543) - intel_idle: Ignore _CST if control cannot be taken from the platform (bsc#1175543) - intel_idle: Refactor intel_idle_cpuidle_driver_init() (bsc#1175543) - intel_idle: Use ACPI _CST for processor models without C-state tables (bsc#1175543) - intel_idle: Use ACPI _CST on server systems (bsc#1175543) - iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784). - iommu/amd: Move Stoney Ridge check to detect_ivrs() (bsc#1189762). - ionic: cleanly release devlink instance (bsc#1167773). - ionic: cleanly release devlink instance (bsc#1167773). - ionic: count csum_none when offload enabled (bsc#1167773). - ionic: drop useless check of PCI driver data validity (bsc#1167773). - ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115). - ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115). - ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115). - ipc/util.c: use binary search for max_idx (bsc#1159886). - ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467). - ipvs: avoid expiring many connections from timer (bsc#1190467). - ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467). - ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467). - iwlwifi Add support for ax201 in Samsung Galaxy Book Flex2 Alpha (git-fixes). - iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes). 
- iwlwifi: pnvm: accept multiple HW-type TLVs (git-fixes). - iwlwifi: skip first element in the WTAS ACPI table (git-fixes). - kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable. - kernel-binary.spec: Define $image as rpm macro (bsc#1189841). - kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs. - kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#1190358). The script part for base package case is completely separate from the part for subpackages. Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead. - kernel-binary.spec.in: add zstd to BuildRequires if used - kernel-binary.spec.in: make sure zstd is supported by kmod if used - kernel-cert-subpackage: Fix certificate location in scriptlets (bsc#1189841). Fixes: d9a1357edd73 ("rpm: Define $certs as rpm macro (bsc#1189841).") - kernel, fs: Introduce and use set_restart_fn() and arch_set_restart_data() (bsc#1189153). - leds: trigger: audio: Add an activate callback to ensure the initial brightness is set (git-fixes). - lib/mpi: use kcalloc in mpi_resize (git-fixes). - libata: add ATA_HORKAGE_NO_NCQ_TRIM for Samsung 860 and 870 SSDs (git-fixes). - libata: fix ata_host_start() (git-fixes). - libbpf: Fix removal of inner map in bpf_object__create_map (git-fixes). - libbpf: Fix the possible memory leak on error (git-fixes). - lockd: Fix invalid lockowner cast after vfs_test_lock (git-fixes). - mac80211-hwsim: fix late beacon hrtimer handling (git-fixes). - mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes). - mac80211: Fix insufficient headroom issue for AMSDU (git-fixes). - mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes). - mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes). - mac80211: mesh: fix potentially unaligned access (git-fixes). 
- mailbox: sti: quieten kernel-doc warnings (git-fixes). - md: revert io stats accounting (git-fixes). - md/raid10: properly indicate failure when ending a failed write request (git-fixes). - media: cedrus: Fix SUNXI tile size calculation (git-fixes). - media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes). - media: cxd2880-spi: Fix an error handling path (git-fixes). - media: dib8000: rewrite the init prbs logic (git-fixes). - media: drivers/media/usb: fix memory leak in zr364xx_probe (git-fixes). - media: dvb-usb: Fix error handling in dvb_usb_i2c_init (git-fixes). - media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init (git-fixes). - media: dvb-usb: fix uninit-value in vp702x_read_mac_addr (git-fixes). - media: em28xx-input: fix refcount bug in em28xx_usb_disconnect (git-fixes). - media: go7007: fix memory leak in go7007_usb_probe (git-fixes). - media: go7007: remove redundant initialization (git-fixes). - media: imx258: Limit the max analogue gain to 480 (git-fixes). - media: imx258: Rectify mismatch of VTS value (git-fixes). - media: rc-loopback: return number of emitters rather than error (git-fixes). - media: stkwebcam: fix memory leak in stk_camera_probe (git-fixes). - media: TDA1997x: enable EDID support (git-fixes). - media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes). - media: uvc: do not do DMA on stack (git-fixes). - media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes). - media: venus: venc: Fix potential null pointer dereference on pointer fmt (git-fixes). - media: zr364xx: fix memory leaks in probe() (git-fixes). - media: zr364xx: propagate errors from zr364xx_start_readpipe() (git-fixes). - memcg: enable accounting for file lock caches (bsc#1190115). - mfd: axp20x: Update AXP288 volatile ranges (git-fixes). - mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes). - mfd: lpc_sch: Rename GPIOBASE to prevent build error (git-fixes). 
- mfd: tqmx86: Clear GPIO IRQ resource when no IRQ is set (git-fixes). - misc: sram: Only map reserved areas in Tegra SYSRAM (git-fixes). - misc: sram: use devm_platform_ioremap_resource_wc() (git-fixes). - mlx4: Fix missing error code in mlx4_load_one() (git-fixes). - mm, vmscan: guarantee drop_slab_node() termination (VM Functionality, bsc#1189301). - mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes). - mm: fix memory_failure() handling of dax-namespace metadata (bsc#1189872). - mm: swap: properly update readahead statistics in unuse_pte_range() (bsc#1187619). - mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785). - mm/thp: unmap_mapping_page() to fix THP truncate_cleanup_page() (bsc#1189569). - mm/vmscan: fix infinite loop in drop_slab_node (VM Functionality, bsc#1189301). - mmc: core: Return correct emmc response in case of ioctl error (git-fixes). - mmc: dw_mmc: Fix hang on data CRC error (git-fixes). - mmc: dw_mmc: Fix issue with uninitialized dma_slave_config (git-fixes). - mmc: moxart: Fix issue with uninitialized dma_slave_config (git-fixes). - mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes). - mmc: sdhci-iproc: Cap min clock frequency on BCM2711 (git-fixes). - mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711 (git-fixes). - mmc: sdhci-of-arasan: Check return value of non-void functions (git-fixes). - mmc: sdhci: Fix issue with uninitialized dma_slave_config (git-fixes). - mtd: rawnand: cafe: Fix a resource leak in the error handling path of 'cafe_nand_probe()' (git-fixes). - nbd: Avoid double completion of a request (git-fixes). - nbd: do not update block size after device is started (git-fixes). - nbd: Fix NULL pointer in flush_workqueue (git-fixes). - net: ethernet: ti: cpsw: fix min eth packet size for non-switch use-cases (git-fixes). - net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726). - net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726). - net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726). - net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726). - net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726). - net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726). - net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726). - net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726). - net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726). - net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes). - net: sched: sch_teql: fix null-pointer dereference (bsc#1190717). - net: usb: lan78xx: do not modify phy_device state concurrently (bsc#1188270) - net/mlx5: Add ts_cqe_to_dest_cqn related bits (bsc#1188412) - net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes). - net/mlx5: Fix flow table chaining (git-fixes). - net/mlx5: Fix missing return value in mlx5_devlink_eswitch_inline_mode_set() (jsc#SLE-15172). - net/mlx5: Fix return value from tracer initialization (git-fixes). - net/mlx5: Unload device upon firmware fatal error (git-fixes). - net/mlx5e: Add missing capability check for uplink follow (bsc#1188412) - net/mlx5e: Avoid creating tunnel headers for local route (git-fixes). - net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes). - net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes). - netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062). - nfp: update ethtool reporting of pauseframe control (git-fixes). - NFS: change nfs_access_get_cached to only report the mask (bsc#1190746). - NFS: Correct size calculation for create reply length (bsc#1189870). 
- NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746). - NFS: pass cred explicitly for access tests (bsc#1190746). - nfsd4: Fix forced-expiry locking (git-fixes). - NFSv4/pNFS: Fix a layoutget livelock loop (git-fixes). - nvme-multipath: revalidate paths during rescan (bsc#1187211) - nvme-multipath: revalidate paths during rescan (bsc#1187211). - nvme-pci: fix NULL req in completion handler (bsc#1181972). - nvme-pci: limit maximum queue depth to 4095 (bsc#1181972). - nvme-pci: Use u32 for nvme_dev.q_depth and nvme_queue.q_depth (bsc#1181972). - nvme-pci: use unsigned for io queue depth (bsc#1181972). - nvme-tcp: do not check blk_mq_tag_to_rq when receiving pdu data (bsc#1181972). - nvme-tcp: Do not reset transport on data digest errors (bsc#1188418). - nvme-tcp: Do not reset transport on data digest errors (bsc#1188418). - nvme: avoid possible double fetch in handling CQE (bsc#1181972). - nvme: avoid race in shutdown namespace removal (bsc#1188067). - nvme: code command_id with a genctr for use-after-free validation (bsc#1181972). - nvme: fix refcounting imbalance when all paths are down (bsc#1188067). - nvme: only call synchronize_srcu when clearing current path (bsc#1188067). - nvme: only call synchronize_srcu when clearing current path (bsc#1188067). - ocfs2: fix snprintf() checking (bsc#1189581). - ocfs2: fix zero out valid data (bsc#1189579). - ocfs2: issue zeroout to EOF blocks (bsc#1189582). - ocfs2: ocfs2_downconvert_lock failure results in deadlock (bsc#1188439). - optee: Fix memory leak when failing to register shm pages (git-fixes). - overflow: Correct check_shl_overflow() comment (git-fixes). - params: lift param_set_uint_minmax to common code (bsc#1181972). - parport: remove non-zero check on count (git-fixes). - PCI: aardvark: Fix checking for PIO status (git-fixes). - PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes). 
- PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes). - PCI: Add ACS quirks for Cavium multi-function devices (git-fixes). - PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes). - PCI: Add AMD GPU multi-function power dependencies (git-fixes). - PCI: Call Max Payload Size-related fixup quirks early (git-fixes). - PCI: Fix pci_dev_str_match_path() alloc while atomic bug (git-fixes). - PCI: ibmphp: Fix double unmap of io_mem (git-fixes). - PCI: Increase D3 delay for AMD Renoir/Cezanne XHCI (git-fixes). - PCI: iproc: Fix BCMA probe resource handling (git-fixes). - PCI: of: Do not fail devm_pci_alloc_host_bridge() on missing 'ranges' (git-fixes). - PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes). - PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes). - PCI: pci-bridge-emul: Fix big-endian support (git-fixes). - PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently (git-fixes). - PCI: PM: Enable PME if it can be signaled from D3cold (git-fixes). - PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes). - PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure (git-fixes). - PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes). - PCI: xilinx-nwl: Enable the clock through CCF (git-fixes). - PCI/MSI: Correct misleading comments (git-fixes). - PCI/MSI: Enforce MSI[X] entry updates to be visible (git-fixes). - PCI/MSI: Enforce that MSI-X table entry is masked for update (git-fixes). - PCI/MSI: Mask all unused MSI-X entries (git-fixes). - PCI/MSI: Skip masking MSI-X on Xen PV (git-fixes). - PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() (git-fixes). - PCI/portdrv: Enable Bandwidth Notification only if port supports it (git-fixes). - perf/x86/amd: Do not touch the AMD64_EVENTSEL_HOSTONLY bit inside the guest (bsc#1189225). - phy: tegra: xusb: Fix dangling pointer on probe failure (git-fixes). 
- pinctrl: samsung: Fix pinctrl bank pin count (git-fixes). - pinctrl: single: Fix error return code in pcs_parse_bits_in_pinctrl_entry() (git-fixes). - pinctrl: stmfx: Fix hazardous u8[] to unsigned long cast (git-fixes). - PM: base: power: do not try to use non-existing RTC for storing data (git-fixes). - PM: EM: Increase energy calculation precision (git-fixes). - PM: sleep: core: Avoid setting power.must_resume to false (git-fixes). - post.sh: detect /usr mountpoint too - power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes). - power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes). - power: supply: max17042: handle fails of reading status register (git-fixes). - powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289). - powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868). - powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523). - powerpc/numa: Consider the max NUMA node for migratable LPAR (bsc#1190544 ltc#194520). - powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729). - powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729). - powerpc/perf: Fix the check for SIAR value (bsc#1065729). - powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729). - powerpc/perf: Use stack siar instead of mfspr (bsc#1065729). - powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729). - powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729). - powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729). - powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498). - powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729). - pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523). - pwm: img: Do not modify HW state in .remove() callback (git-fixes). 
- pwm: lpc32xx: Do not modify HW state in .probe() after the PWM chip was registered (git-fixes). - pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes). - pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes). - qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes). - RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774). - RDMA/hns: Fix QP's resp incomplete assignment (jsc#SLE-14777). - RDMA/mlx5: Delay emptying a cache entry when a new MR is added to it recently (jsc#SLE-15175). - RDMA/mlx5: Delete not-available udata check (jsc#SLE-15175). - RDMA/rtrs: Remove a useless kfree() (jsc#SLE-15176). - Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes). - regmap: fix page selection for noinc reads (git-fixes). - regmap: fix page selection for noinc writes (git-fixes). - regmap: fix the offset of register error log (git-fixes). - regulator: vctrl: Avoid lockdep warning in enable/disable ops (git-fixes). - regulator: vctrl: Use locked regulator_get_voltage in probe path (git-fixes). - reset: reset-zynqmp: Fixed the argument data type (git-fixes). - rpm: Abolish image suffix (bsc#1189841). This is used only with vanilla kernel which is not supported in any way. The only effect it has is that the image and initrd symlinks are created with this suffix. These symlinks are not used except on s390 where the unsuffixed symlinks are used by zipl. There is no reason why a vanilla kernel could not be used with zipl as well as it's quite unexpected to not be able to boot when only a vanilla kernel is installed. Finally we now have a backup zipl kernel so if the vanilla kernel is indeed unsuitable the backup kernel can be used. - rpm: Abolish scriptlet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. This allows fixing bugs in the scriptlets as well as defining initrd regeneration policy independent of the kernel packages.
- rpm: Define $certs as rpm macro (bsc#1189841). Also pass around only the shortened hash rather than full filename. As has been discussed in bsc#1124431 comment 51 https://bugzilla.suse.com/show_bug.cgi?id=1124431#c51 the placement of the certificates is an API which cannot be changed unless we can ensure that no two kernels that use different certificate location can be built with the same certificate. - rpm: Fold kernel-devel and kernel-source scriptlets into spec files (bsc#1189841). These are unchanged since 2011 when they were introduced. No need to track them separately. - rpm: support gz and zst compression methods Extend commit 18fcdff43a00 ("rpm: support compressed modules") for compression methods other than xz. - rpm/kernel-binary.spec: Use only non-empty certificates. - rpm/kernel-binary.spec.in: avoid conflicting suse-release suse-release had arbitrary values in staging, we can't use it for dependencies. The filesystem one has to be enough (boo#1184804). - rpm/kernel-binary.spec.in: Use kmod-zstd provide. This makes it possible to use kmod with ZSTD support on non-Tumbleweed. - rpm/kernel-source.spec.in: do some more for vanilla_only Make sure: * sources are NOT executable * env is not used as interpreter * timestamps are correct We do all this for normal kernel builds, but not for vanilla_only kernels (linux-next and vanilla). - rq-qos: fix missed wake-ups in rq_qos_throttle try two (bsc#1189575). - rsi: fix an error code in rsi_probe() (git-fixes). - rsi: fix error code in rsi_load_9116_firmware() (git-fixes). - rtc: rx8010: select REGMAP_I2C (git-fixes). - rtc: tps65910: Correct driver module alias (git-fixes). - s390/boot: fix use of expolines in the DMA code (bsc#1188878 ltc#193771). - s390/unwind: use current_frame_address() to unwind current task (bsc#1185677). - sch_cake: fix srchost/dsthost hashing mode (bsc#1176447). - sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292). 
- sched/fair: Correctly insert cfs_rq's to list on unthrottle (git-fixes) - sched/fair: Ensure that the CFS parent is added after unthrottling (git-fixes). - sched/rt: Fix RT utilization tracking during policy change (git-fixes) - scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576). - scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576). - scsi: fc: Add EDC ELS definition (bsc#1190576). - scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576). - scsi: ibmvfc: Do not wait for initial device scan (bsc#1127650). - scsi: libfc: Fix array index out of bound exception (bsc#1188616). - scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576). - scsi: lpfc: Add cm statistics buffer support (bsc#1190576). - scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576). - scsi: lpfc: Add cmfsync WQE support (bsc#1190576). - scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576). - scsi: lpfc: Add EDC ELS support (bsc#1190576). - scsi: lpfc: Add MIB feature enablement support (bsc#1190576). - scsi: lpfc: Add rx monitoring statistics (bsc#1190576). - scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576). - scsi: lpfc: Add support for cm enablement buffer (bsc#1190576). - scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576). - scsi: lpfc: Add support for the CM framework (bsc#1190576). - scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576). - scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576). - scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576). - scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576). - scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576). - scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576). - scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576). 
- scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576). - scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576). - scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576). - scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576). - scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576). - scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576). - scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576). - scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576). - scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576). - scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576). - scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576). - scsi: lpfc: Move initialization of phba->poll_list earlier to avoid crash (git-fixes). - scsi: lpfc: Remove unneeded variable (bsc#1190576). - scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576). - scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576). - scsi: lpfc: Use correct scnprintf() limit (bsc#1190576). - scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576). - scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576). - scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576). - scsi: mpt3sas: Fix ReplyPostFree pool allocation (bsc#1181006). - scsi: mpt3sas: Fix ReplyPostFree pool allocation (bsc#1181006). - scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297). - scsi: sg: add sg_remove_request in sg_write (bsc#1171420 CVE-2020-12770). - scsi/fc: kABI fixes for new ELS_EDC, ELS_RDP definition (bsc#1171688 bsc#1174003 bsc#1190576). - selftests/bpf: Define string const as global for test_sysctl_prog.c (git-fixes). - selftests/bpf: Fix bpf-iter-tcp4 test to print correctly the dest IP (git-fixes).
- selftests/bpf: Fix test_sysctl_loop{1, 2} failure due to clang change (git-fixes). - selftests/bpf: Whitelist test_progs.h from .gitignore (git-fixes). - serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes). - serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes). - serial: mvebu-uart: fix driver's tx_empty callback (git-fixes). - serial: sh-sci: fix break handling for sysrq (git-fixes). - slimbus: messaging: check for valid transaction id (git-fixes). - slimbus: messaging: start transaction ids from 1 instead of zero (git-fixes). - slimbus: ngd: reset dma setup during runtime pm (git-fixes). - soc: aspeed: lpc-ctrl: Fix boundary check for mmap (git-fixes). - soc: aspeed: p2a-ctrl: Fix boundary check for mmap (git-fixes). - soc: qcom: rpmhpd: Use corner in power_off (git-fixes). - soc: qcom: smsm: Fix missed interrupts if state changes while masked (git-fixes). - spi: Fix tegra20 build with CONFIG_PM=n (git-fixes). - spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config (git-fixes). - spi: spi-pic32: Fix issue with uninitialized dma_slave_config (git-fixes). - spi: sprd: Fix the wrong WDG_LOAD_VAL (git-fixes). - staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes). - staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes). - staging: rtl8192u: Fix bitwise vs logical operator in TranslateRxSignalStuff819xUsb() (git-fixes). - staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes). - SUNRPC: 'Directory with parent 'rpc_clnt' already present!' (bsc#1168202 bsc#1188924). - SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202 bsc#1188924). - SUNRPC: Fix potential memory corruption (git-fixes). - SUNRPC: fix use-after-free in rpc_free_client_work() (bsc#1168202 bsc#1188924). - SUNRPC: improve error response to over-size gss credential (bsc#1190022). - SUNRPC: Simplify socket shutdown when not reusing TCP ports (git-fixes). 
- thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes). - thermal/drivers/exynos: Fix an error code in exynos_tmu_probe() (git-fixes). - time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes). - tools: bpf: Fix error in 'make -C tools/ bpf_install' (git-fixes). - tracing / histogram: Fix NULL pointer dereference on strcmp() on NULL event name (git-fixes). - tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes). - tty: serial: fsl_lpuart: fix the wrong mapbase value (git-fixes). - tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes). - tty: synclink_gt, drop unneeded forward declarations (git-fixes). - ubifs: Fix error return code in alloc_wbufs() (bsc#1189585). - ubifs: Fix memleak in ubifs_init_authentication (bsc#1189583). - ubifs: journal: Fix error return code in ubifs_jnl_write_inode() (bsc#1189586). - ubifs: Only check replay with inode type to judge if inode linked (bsc#1187455). - ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode (bsc#1189587). - usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes). - usb: bdc: Fix an error handling path in 'bdc_probe()' when no suitable DMA config is available (git-fixes). - usb: core: Avoid WARNings for 0-length descriptor requests (git-fixes). - usb: core: hcd: Add support for deferring roothub registration (git-fixes). - usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes). - usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes). - usb: dwc2: Fix error path in gadget registration (git-fixes). - usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes). - usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes). - usb: dwc2: Postponed gadget registration to the udc class driver (git-fixes). - usb: dwc3: Add support for DWC_usb32 IP (git-fixes). - usb: dwc3: core: do not do suspend for device mode if already suspended (git-fixes). 
- usb: dwc3: core: Properly default unspecified speed (git-fixes). - usb: dwc3: debug: Remove newline printout (git-fixes). - usb: dwc3: Disable phy suspend after power-on reset (git-fixes). - usb: dwc3: gadget: Check MPS of the request length (git-fixes). - usb: dwc3: gadget: Clear DCTL.ULSTCHNGREQ before set (git-fixes). - usb: dwc3: gadget: Do not send unintended link state change (git-fixes). - usb: dwc3: gadget: Do not setup more than requested (git-fixes). - usb: dwc3: gadget: Fix dwc3_calc_trbs_left() (git-fixes). - usb: dwc3: gadget: Fix handling ZLP (git-fixes). - usb: dwc3: gadget: Give back staled requests (git-fixes). - usb: dwc3: gadget: Handle ZLP for sg requests (git-fixes). - usb: dwc3: gadget: Properly track pending and queued SG (git-fixes). - usb: dwc3: gadget: Set BESL config parameter (git-fixes). - usb: dwc3: gadget: Set link state to RX_Detect on disconnect (git-fixes). - usb: dwc3: gadget: Stop EP0 transfers during pullup disable (git-fixes). - usb: dwc3: gadget: Workaround Microsoft's BESL check (git-fixes). - usb: dwc3: meson-g12a: add IRQ check (git-fixes). - usb: dwc3: meson-g12a: check return of dwc3_meson_g12a_usb_init (git-fixes). - usb: dwc3: of-simple: add a shutdown (git-fixes). - usb: dwc3: Separate field holding multiple properties (git-fixes). - usb: dwc3: support continuous runtime PM with dual role (git-fixes). - usb: ehci-orion: Handle errors of clk_prepare_enable() in probe (git-fixes). - usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes). - usb: gadget: Export recommended BESL values (git-fixes). - usb: gadget: mv_u3d: request_irq() after initializing UDC (git-fixes). - usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes). - usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes). - usb: gadget: udc: at91: add IRQ check (git-fixes). - usb: gadget: udc: renesas_usb3: Fix soc_device_match() abuse (git-fixes).
- usb: host: fotg210: fix the actual_length of an iso packet (git-fixes). - usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes). - usb: host: ohci-tmio: add IRQ check (git-fixes). - usb: host: xhci-rcar: Do not reload firmware after the completion (git-fixes). - usb: mtu3: fix the wrong HS mult value (git-fixes). - usb: mtu3: use @mult for HS isoc or intr (git-fixes). - usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes). - usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes). - usb: phy: fsl-usb: add IRQ check (git-fixes). - usb: phy: tahvo: add IRQ check (git-fixes). - usb: phy: twl6030: add IRQ checks (git-fixes). - usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes). - usb: serial: option: add device id for Foxconn T99W265 (git-fixes). - usb: serial: option: add new VID/PID to support Fibocom FG150 (git-fixes). - usb: serial: option: add Telit LN920 compositions (git-fixes). - usb: serial: option: remove duplicate USB device ID (git-fixes). - usbip: give back URBs for unsent unlink requests during cleanup (git-fixes). - usbip:vhci_hcd USB port can get stuck in the disabled state (git-fixes). - video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes). - video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes). - video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes). - video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes). - virtio_pci: Support surprise removal of virtio pci device (git-fixes). - VMCI: fix NULL pointer dereference when unmapping queue pair (git-fixes). - vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406). - vmxnet3: add support for ESP IPv6 RSS (bsc#1190406). - vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406). - vmxnet3: prepare for version 6 changes (bsc#1190406). - vmxnet3: remove power of 2 limitation on the queues (bsc#1190406). 
- vmxnet3: set correct hash type based on rss information (bsc#1190406). - vmxnet3: update to version 6 (bsc#1190406). - watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes). - writeback: fix obtain a reference to a freeing memcg css (bsc#1189577). - x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302). - x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1190561). - x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439). - x86/asm: Fix SETZ size enqcmds() build failure (bsc#1178134). - x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289). - x86/fpu: Limit xstate copy size in xstateregs_set() (bsc#1152489). - x86/kvm: fix vcpu-id indexed array sizes (git-fixes). - x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489). - x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489). - x86/resctrl: Fix default monitoring groups reporting (bsc#1152489). - x86/sev: Make sure IRQs are disabled while GHCB is active (jsc#SLE-14337). - x86/sev: Split up runtime #VC handler for correct state tracking (jsc#SLE-14337). - x86/sev: Use "SEV: " prefix for messages from sev.c (jsc#SLE-14337). - x86/signal: Detect and prevent an alternate signal stack overflow (bsc#1152489). - xen/events: Fix race in set_evtchn_to_irq (git-fixes). - xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651). - xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679). - xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes). - xhci: Set HCD flag to defer primary roothub registration (git-fixes). - xprtrdma: Pad optimization, revisited (bsc#1189760). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
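A check to run after the update and the reboot it asks for, added here as an example and not part of the SUSE advisory or its tooling: it ports rpm's rpmvercmp() ordering to Python (so 5.3.18-57.1 outranks 5.3.18-54.1 and 1.10 outranks 1.9, which plain string comparison gets wrong), parses rpm -qa output and reports which of the builds named in this advisory's package list are still older than the fix, and separately checks whether the booted kernel is the fixed one, because a multiversion install leaves the old kernel-rt running until reboot. The rpm -qa lines are constructed, and the uname -r layout assumed (5.3.18-57-rt for package release 57.1) is an assumption about SUSE's kernel naming rather than something the advisory states.

```python
import re

# Added example (not SUSE tooling): compare installed builds with the advisory.
FIXED = {  # name -> version-release, copied from the advisory's Package List
    "kernel-rt": "5.3.18-57.1",
    "kernel-rt-devel": "5.3.18-57.1",
    "kernel-source-rt": "5.3.18-57.1",
}

# Constructed `rpm -qa` output (no real host queried): old and new multiversion
# kernel-rt side by side, a stale kernel-source-rt, and an unrelated package.
SAMPLE_RPM_QA = """\
kernel-rt-5.3.18-54.1.x86_64
kernel-rt-5.3.18-57.1.x86_64
kernel-rt-devel-5.3.18-57.1.x86_64
kernel-source-rt-5.3.18-50.3.noarch
curl-7.37.0-37.52.1.x86_64
"""

_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1, 0 or 1. Separators are skipped, numeric
    segments compare as integers and beat alphabetic ones, and '~' marks a
    pre-release that sorts before everything. Newer rpm's '^' rule is omitted."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:
            if ta != tb:
                return 1 if tb else -1  # only one side is a pre-release
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pat = _DIGITS if isnum else _ALPHA
        ma, mb = pat.match(a, i), pat.match(b, j)
        sa, sb = ma.group(), (mb.group() if mb else "")
        i, j = ma.end(), (mb.end() if mb else j)
        if not sb:
            return 1 if isnum else -1  # segment types differ: numbers win
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # the side with segments left is newer


def split_evr(evr: str):
    """'1:5.3.18-57.1' -> ('1', '5.3.18', '57.1'); epoch defaults to '0'."""
    epoch, sep, rest = evr.rpartition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Order two epoch:version-release strings the way rpm orders packages."""
    for x, y in zip(split_evr(a), split_evr(b)):
        if (r := rpmvercmp(x, y)):
            return r
    return 0


def parse_nvra(line: str):
    """'kernel-rt-5.3.18-57.1.x86_64' -> ('kernel-rt', '5.3.18-57.1', 'x86_64')."""
    nvr, _, arch = line.strip().rpartition(".")
    name, version, release = nvr.rsplit("-", 2)
    return name, f"{version}-{release}", arch


def unpatched(rpm_qa_output: str, fixed=FIXED) -> dict:
    """Installed builds of the advisory's packages that are older than the fix."""
    old = {}
    for line in filter(str.strip, rpm_qa_output.splitlines()):
        name, evr, _ = parse_nvra(line)
        if name in fixed and evr_cmp(evr, fixed[name]) < 0:
            old.setdefault(name, []).append(evr)
    return old


def running_kernel_is_fixed(uname_r: str, fixed_evr: str = FIXED["kernel-rt"]) -> bool:
    """True if the booted kernel is at least the fixed build. Assumption: SUSE's
    `uname -r` is VERSION-RELEASE-FLAVOR with only the major release number
    ('5.3.18-57-rt' for package release 57.1). A fixed package on disk is not
    enough; the old kernel keeps running until the reboot the advisory asks for."""
    version, release, _flavor = uname_r.rsplit("-", 2)
    fixed_version, _, fixed_release = fixed_evr.partition("-")
    c = rpmvercmp(version, fixed_version)
    return c > 0 or (c == 0 and rpmvercmp(release, fixed_release.split(".")[0]) >= 0)


if __name__ == "__main__":
    print("older than the fix:", unpatched(SAMPLE_RPM_QA))
    for booted in ("5.3.18-54-rt", "5.3.18-57-rt"):
        print(booted, "ok" if running_kernel_is_fixed(booted) else "update/reboot needed")
```

On a real host, feed unpatched() the stdout of `rpm -qa` and running_kernel_is_fixed() the value of os.uname().release; on SLE 15 `zypper needs-rebooting` answers the reboot question without the version arithmetic, but the comparison above is what you need when auditing many hosts from collected inventory rather than from a shell on each.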
Alternatively you can run the command listed for your product: - SUSE MicroOS 5.1: zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3415=1 - SUSE Linux Enterprise Module for Realtime 15-SP3: zypper in -t patch SUSE-SLE-Module-RT-15-SP3-2021-3415=1 Package List: - SUSE MicroOS 5.1 (x86_64): kernel-rt-5.3.18-57.1 kernel-rt-debuginfo-5.3.18-57.1 kernel-rt-debugsource-5.3.18-57.1 - SUSE Linux Enterprise Module for Realtime 15-SP3 (noarch): kernel-devel-rt-5.3.18-57.1 kernel-source-rt-5.3.18-57.1 - SUSE Linux Enterprise Module for Realtime 15-SP3 (x86_64): cluster-md-kmp-rt-5.3.18-57.1 cluster-md-kmp-rt-debuginfo-5.3.18-57.1 dlm-kmp-rt-5.3.18-57.1 dlm-kmp-rt-debuginfo-5.3.18-57.1 gfs2-kmp-rt-5.3.18-57.1 gfs2-kmp-rt-debuginfo-5.3.18-57.1 kernel-rt-5.3.18-57.1 kernel-rt-debuginfo-5.3.18-57.1 kernel-rt-debugsource-5.3.18-57.1 kernel-rt-devel-5.3.18-57.1 kernel-rt-devel-debuginfo-5.3.18-57.1 kernel-rt_debug-debuginfo-5.3.18-57.1 kernel-rt_debug-debugsource-5.3.18-57.1 kernel-rt_debug-devel-5.3.18-57.1 kernel-rt_debug-devel-debuginfo-5.3.18-57.1 kernel-syms-rt-5.3.18-57.1 ocfs2-kmp-rt-5.3.18-57.1 ocfs2-kmp-rt-debuginfo-5.3.18-57.1 References: https://www.suse.com/security/cve/CVE-2020-12770.html https://www.suse.com/security/cve/CVE-2020-3702.html https://www.suse.com/security/cve/CVE-2021-34556.html https://www.suse.com/security/cve/CVE-2021-35477.html https://www.suse.com/security/cve/CVE-2021-3653.html https://www.suse.com/security/cve/CVE-2021-3656.html https://www.suse.com/security/cve/CVE-2021-3669.html https://www.suse.com/security/cve/CVE-2021-3732.html https://www.suse.com/security/cve/CVE-2021-3739.html https://www.suse.com/security/cve/CVE-2021-3743.html https://www.suse.com/security/cve/CVE-2021-3744.html https://www.suse.com/security/cve/CVE-2021-3752.html https://www.suse.com/security/cve/CVE-2021-3753.html https://www.suse.com/security/cve/CVE-2021-3759.html https://www.suse.com/security/cve/CVE-2021-3764.html https://www.suse.com/security/cve/CVE-2021-38160.html 
https://www.suse.com/security/cve/CVE-2021-38198.html https://www.suse.com/security/cve/CVE-2021-40490.html https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1124431 https://bugzilla.suse.com/1127650 https://bugzilla.suse.com/1135481 https://bugzilla.suse.com/1148868 https://bugzilla.suse.com/1152489 https://bugzilla.suse.com/1154353 https://bugzilla.suse.com/1159886 https://bugzilla.suse.com/1167032 https://bugzilla.suse.com/1167773 https://bugzilla.suse.com/1168202 https://bugzilla.suse.com/1170774 https://bugzilla.suse.com/1171420 https://bugzilla.suse.com/1171688 https://bugzilla.suse.com/1173746 https://bugzilla.suse.com/1174003 https://bugzilla.suse.com/1175543 https://bugzilla.suse.com/1176447 https://bugzilla.suse.com/1176940 https://bugzilla.suse.com/1177028 https://bugzilla.suse.com/1177399 https://bugzilla.suse.com/1178134 https://bugzilla.suse.com/1180141 https://bugzilla.suse.com/1180347 https://bugzilla.suse.com/1181006 https://bugzilla.suse.com/1181972 https://bugzilla.suse.com/1184114 https://bugzilla.suse.com/1184439 https://bugzilla.suse.com/1184611 https://bugzilla.suse.com/1184804 https://bugzilla.suse.com/1185302 https://bugzilla.suse.com/1185550 https://bugzilla.suse.com/1185675 https://bugzilla.suse.com/1185677 https://bugzilla.suse.com/1185726 https://bugzilla.suse.com/1185762 https://bugzilla.suse.com/1185898 https://bugzilla.suse.com/1187211 https://bugzilla.suse.com/1187455 https://bugzilla.suse.com/1187591 https://bugzilla.suse.com/1187619 https://bugzilla.suse.com/1188067 https://bugzilla.suse.com/1188172 https://bugzilla.suse.com/1188270 https://bugzilla.suse.com/1188412 https://bugzilla.suse.com/1188418 https://bugzilla.suse.com/1188439 https://bugzilla.suse.com/1188616 https://bugzilla.suse.com/1188651 https://bugzilla.suse.com/1188694 https://bugzilla.suse.com/1188700 https://bugzilla.suse.com/1188878 https://bugzilla.suse.com/1188924 https://bugzilla.suse.com/1188983 https://bugzilla.suse.com/1188985 
https://bugzilla.suse.com/1188986 https://bugzilla.suse.com/1189153 https://bugzilla.suse.com/1189225 https://bugzilla.suse.com/1189257 https://bugzilla.suse.com/1189262 https://bugzilla.suse.com/1189297 https://bugzilla.suse.com/1189301 https://bugzilla.suse.com/1189399 https://bugzilla.suse.com/1189400 https://bugzilla.suse.com/1189503 https://bugzilla.suse.com/1189504 https://bugzilla.suse.com/1189505 https://bugzilla.suse.com/1189506 https://bugzilla.suse.com/1189507 https://bugzilla.suse.com/1189562 https://bugzilla.suse.com/1189563 https://bugzilla.suse.com/1189564 https://bugzilla.suse.com/1189565 https://bugzilla.suse.com/1189566 https://bugzilla.suse.com/1189567 https://bugzilla.suse.com/1189568 https://bugzilla.suse.com/1189569 https://bugzilla.suse.com/1189573 https://bugzilla.suse.com/1189574 https://bugzilla.suse.com/1189575 https://bugzilla.suse.com/1189576 https://bugzilla.suse.com/1189577 https://bugzilla.suse.com/1189579 https://bugzilla.suse.com/1189581 https://bugzilla.suse.com/1189582 https://bugzilla.suse.com/1189583 https://bugzilla.suse.com/1189585 https://bugzilla.suse.com/1189586 https://bugzilla.suse.com/1189587 https://bugzilla.suse.com/1189696 https://bugzilla.suse.com/1189706 https://bugzilla.suse.com/1189760 https://bugzilla.suse.com/1189762 https://bugzilla.suse.com/1189832 https://bugzilla.suse.com/1189841 https://bugzilla.suse.com/1189870 https://bugzilla.suse.com/1189872 https://bugzilla.suse.com/1189883 https://bugzilla.suse.com/1189884 https://bugzilla.suse.com/1190022 https://bugzilla.suse.com/1190023 https://bugzilla.suse.com/1190025 https://bugzilla.suse.com/1190062 https://bugzilla.suse.com/1190115 https://bugzilla.suse.com/1190117 https://bugzilla.suse.com/1190131 https://bugzilla.suse.com/1190138 https://bugzilla.suse.com/1190159 https://bugzilla.suse.com/1190181 https://bugzilla.suse.com/1190358 https://bugzilla.suse.com/1190406 https://bugzilla.suse.com/1190412 https://bugzilla.suse.com/1190413 
https://bugzilla.suse.com/1190428 https://bugzilla.suse.com/1190467 https://bugzilla.suse.com/1190523 https://bugzilla.suse.com/1190534 https://bugzilla.suse.com/1190543 https://bugzilla.suse.com/1190544 https://bugzilla.suse.com/1190561 https://bugzilla.suse.com/1190576 https://bugzilla.suse.com/1190595 https://bugzilla.suse.com/1190596 https://bugzilla.suse.com/1190598 https://bugzilla.suse.com/1190620 https://bugzilla.suse.com/1190626 https://bugzilla.suse.com/1190679 https://bugzilla.suse.com/1190705 https://bugzilla.suse.com/1190717 https://bugzilla.suse.com/1190746 https://bugzilla.suse.com/1190758 https://bugzilla.suse.com/1190784 https://bugzilla.suse.com/1190785 https://bugzilla.suse.com/1191172 https://bugzilla.suse.com/1191193 https://bugzilla.suse.com/1191292 https://bugzilla.suse.com/859220 From sle-security-updates at lists.suse.com Thu Oct 14 06:54:57 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 14 Oct 2021 08:54:57 +0200 (CEST) Subject: SUSE-CU-2021:407-1: Security update of suse/sles12sp4 Message-ID: <20211014065457.9C352FD2D@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:407-1 Container Tags : suse/sles12sp4:26.358 , suse/sles12sp4:latest Container Release : 26.358 Severity : moderate Type : security References : 1190373 1190374 CVE-2021-22946 CVE-2021-22947 ----------------------------------------------------------------- The container suse/sles12sp4 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3351-1 Released: Tue Oct 12 13:22:51 2021 Summary: Security update for curl Type: security Severity: moderate References: 1190373,1190374,CVE-2021-22946,CVE-2021-22947 This update for curl fixes the following issues: - CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374). - CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373). From sle-security-updates at lists.suse.com Thu Oct 14 13:16:37 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 14 Oct 2021 15:16:37 +0200 (CEST) Subject: SUSE-SU-2021:3440-1: important: Security update for the Linux Kernel (Live Patch 22 for SLE 15) Message-ID: <20211014131637.9D8F2FFB1@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 22 for SLE 15) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3440-1 Rating: important References: #1187054 #1188613 #1190118 #1190350 Cross-References: CVE-2021-3573 CVE-2021-3640 CVE-2021-3715 CVE-2021-38160 CVSS scores: CVE-2021-3573 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3640 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3715 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-38160 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-150_66 fixes several issues. 
The following security issues were fixed: - CVE-2021-3715: Fixed a use-after-free in the Linux kernel's Traffic Control networking subsystem which could lead to local privilege escalation. (bsc#1190350). - CVE-2021-38160: Fixed a bug that could lead to data corruption or loss. This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118) - CVE-2021-3640: Fixed a use-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613) - CVE-2021-3573: Fixed a use-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2021-3426=1 SUSE-SLE-Module-Live-Patching-15-2021-3440=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-150_63-default-13-2.2 kernel-livepatch-4_12_14-150_63-default-debuginfo-13-2.2 kernel-livepatch-4_12_14-150_66-default-11-2.2 kernel-livepatch-4_12_14-150_66-default-debuginfo-11-2.2 References: https://www.suse.com/security/cve/CVE-2021-3573.html https://www.suse.com/security/cve/CVE-2021-3640.html https://www.suse.com/security/cve/CVE-2021-3715.html https://www.suse.com/security/cve/CVE-2021-38160.html https://bugzilla.suse.com/1187054 https://bugzilla.suse.com/1188613 https://bugzilla.suse.com/1190118 https://bugzilla.suse.com/1190350 From sle-security-updates at lists.suse.com Thu Oct 14 16:16:31 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 14 Oct 2021 18:16:31 +0200 (CEST) Subject: SUSE-SU-2021:3443-1: important: Security update for
the Linux Kernel (Live Patch 22 for SLE 15 SP1) Message-ID: <20211014161631.6452DFFB2@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 22 for SLE 15 SP1) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3443-1 Rating: important References: #1187054 #1188613 #1190118 Cross-References: CVE-2021-3573 CVE-2021-3640 CVE-2021-38160 CVSS scores: CVE-2021-3573 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3640 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-38160 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP2 SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Live Patching 12-SP5 SUSE Linux Enterprise Live Patching 12-SP4 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-197_83 fixes several issues. The following security issues were fixed: - CVE-2021-38160: Fixed a bug that could lead to data corruption or loss. This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118) - CVE-2021-3640: Fixed a use-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation. (bsc#1188613) - CVE-2021-3573: Fixed a use-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation. (bsc#1187054). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP2: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-3419=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-3420=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-3433=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-3434=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-3435=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-3436=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-3437=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-3443=1 - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-3416=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-3421=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-3422=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-3423=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-3424=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-3425=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-3438=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-3439=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-3417=1 SUSE-SLE-Live-Patching-12-SP5-2021-3427=1 SUSE-SLE-Live-Patching-12-SP5-2021-3428=1 SUSE-SLE-Live-Patching-12-SP5-2021-3429=1 SUSE-SLE-Live-Patching-12-SP5-2021-3430=1 SUSE-SLE-Live-Patching-12-SP5-2021-3431=1 SUSE-SLE-Live-Patching-12-SP5-2021-3441=1 - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2021-3418=1 SUSE-SLE-Live-Patching-12-SP4-2021-3432=1 SUSE-SLE-Live-Patching-12-SP4-2021-3442=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-livepatch-5_3_18-24_24-default-15-2.2 kernel-livepatch-5_3_18-24_24-default-debuginfo-15-2.2 kernel-livepatch-5_3_18-24_29-default-13-2.2 kernel-livepatch-5_3_18-24_29-default-debuginfo-13-2.2 kernel-livepatch-5_3_18-24_34-default-13-2.2 kernel-livepatch-5_3_18-24_34-default-debuginfo-13-2.2 kernel-livepatch-5_3_18-24_37-default-13-2.2 
kernel-livepatch-5_3_18-24_37-default-debuginfo-13-2.2 kernel-livepatch-5_3_18-24_43-default-12-2.2 kernel-livepatch-5_3_18-24_43-default-debuginfo-12-2.2 kernel-livepatch-5_3_18-24_46-default-12-2.2 kernel-livepatch-5_3_18-24_46-default-debuginfo-12-2.2 kernel-livepatch-5_3_18-24_49-default-11-2.2 kernel-livepatch-5_3_18-24_49-default-debuginfo-11-2.2 kernel-livepatch-5_3_18-24_52-default-10-2.2 kernel-livepatch-5_3_18-24_52-default-debuginfo-10-2.2 kernel-livepatch-SLE15-SP2_Update_10-debugsource-11-2.2 kernel-livepatch-SLE15-SP2_Update_11-debugsource-10-2.2 kernel-livepatch-SLE15-SP2_Update_4-debugsource-15-2.2 kernel-livepatch-SLE15-SP2_Update_5-debugsource-13-2.2 kernel-livepatch-SLE15-SP2_Update_6-debugsource-13-2.2 kernel-livepatch-SLE15-SP2_Update_7-debugsource-13-2.2 kernel-livepatch-SLE15-SP2_Update_8-debugsource-12-2.2 kernel-livepatch-SLE15-SP2_Update_9-debugsource-12-2.2 - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-197_61-default-14-2.2 kernel-livepatch-4_12_14-197_64-default-13-2.2 kernel-livepatch-4_12_14-197_67-default-13-2.2 kernel-livepatch-4_12_14-197_72-default-12-2.2 kernel-livepatch-4_12_14-197_75-default-12-2.2 kernel-livepatch-4_12_14-197_78-default-12-2.2 kernel-livepatch-4_12_14-197_83-default-11-2.2 kernel-livepatch-4_12_14-197_86-default-10-2.2 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kgraft-patch-4_12_14-122_41-default-16-2.2 kgraft-patch-4_12_14-122_46-default-14-2.2 kgraft-patch-4_12_14-122_51-default-14-2.2 kgraft-patch-4_12_14-122_54-default-12-2.2 kgraft-patch-4_12_14-122_57-default-12-2.2 kgraft-patch-4_12_14-122_60-default-11-2.2 kgraft-patch-4_12_14-122_63-default-10-2.2 - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64): kgraft-patch-4_12_14-95_65-default-12-2.2 kgraft-patch-4_12_14-95_68-default-11-2.2 kgraft-patch-4_12_14-95_71-default-10-2.2 References: https://www.suse.com/security/cve/CVE-2021-3573.html 
https://www.suse.com/security/cve/CVE-2021-3640.html https://www.suse.com/security/cve/CVE-2021-38160.html https://bugzilla.suse.com/1187054 https://bugzilla.suse.com/1188613 https://bugzilla.suse.com/1190118 From sle-security-updates at lists.suse.com Fri Oct 15 10:19:39 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 15 Oct 2021 12:19:39 +0200 (CEST) Subject: SUSE-SU-2021:3446-1: important: Security update for MozillaFirefox Message-ID: <20211015101939.1CD8AFD2D@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3446-1 Rating: important References: #1190710 #1191332 Cross-References: CVE-2021-32810 CVE-2021-38496 CVE-2021-38497 CVE-2021-38498 CVE-2021-38500 CVE-2021-38501 CVSS scores: CVE-2021-32810 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. 
Description: This update for MozillaFirefox fixes the following issues: Firefox Extended Support Release 91.2.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2021-45 (bsc#1191332) * CVE-2021-38496: Use-after-free in MessageTask * CVE-2021-38497: Validation message could have been overlaid on another origin * CVE-2021-38498: Use-after-free of nsLanguageAtomService object * CVE-2021-32810: Fixed Data race in crossbeam-deque * CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 * CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 - Fixed crash in FIPS mode (bsc#1190710) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-3446=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-3446=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-3446=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-3446=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3446=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-3446=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-3446=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3446=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-3446=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-3446=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-3446=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch 
SUSE-SLE-SERVER-12-SP2-BCL-2021-3446=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-3446=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): MozillaFirefox-91.2.0-112.74.1 MozillaFirefox-debuginfo-91.2.0-112.74.1 MozillaFirefox-debugsource-91.2.0-112.74.1 MozillaFirefox-devel-91.2.0-112.74.1 MozillaFirefox-translations-common-91.2.0-112.74.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): MozillaFirefox-91.2.0-112.74.1 MozillaFirefox-debuginfo-91.2.0-112.74.1 MozillaFirefox-debugsource-91.2.0-112.74.1 MozillaFirefox-devel-91.2.0-112.74.1 MozillaFirefox-translations-common-91.2.0-112.74.1 - SUSE OpenStack Cloud 9 (x86_64): MozillaFirefox-91.2.0-112.74.1 MozillaFirefox-debuginfo-91.2.0-112.74.1 MozillaFirefox-debugsource-91.2.0-112.74.1 MozillaFirefox-devel-91.2.0-112.74.1 MozillaFirefox-translations-common-91.2.0-112.74.1 - SUSE OpenStack Cloud 8 (x86_64): MozillaFirefox-91.2.0-112.74.1 MozillaFirefox-debuginfo-91.2.0-112.74.1 MozillaFirefox-debugsource-91.2.0-112.74.1 MozillaFirefox-devel-91.2.0-112.74.1 MozillaFirefox-translations-common-91.2.0-112.74.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): MozillaFirefox-debuginfo-91.2.0-112.74.1 MozillaFirefox-debugsource-91.2.0-112.74.1 MozillaFirefox-devel-91.2.0-112.74.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): MozillaFirefox-91.2.0-112.74.1 MozillaFirefox-debuginfo-91.2.0-112.74.1 MozillaFirefox-debugsource-91.2.0-112.74.1 MozillaFirefox-devel-91.2.0-112.74.1 MozillaFirefox-translations-common-91.2.0-112.74.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): MozillaFirefox-91.2.0-112.74.1 MozillaFirefox-debuginfo-91.2.0-112.74.1 MozillaFirefox-debugsource-91.2.0-112.74.1 MozillaFirefox-devel-91.2.0-112.74.1 MozillaFirefox-translations-common-91.2.0-112.74.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): MozillaFirefox-91.2.0-112.74.1 MozillaFirefox-debuginfo-91.2.0-112.74.1 
MozillaFirefox-debugsource-91.2.0-112.74.1 MozillaFirefox-devel-91.2.0-112.74.1 MozillaFirefox-translations-common-91.2.0-112.74.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): MozillaFirefox-91.2.0-112.74.1 MozillaFirefox-debuginfo-91.2.0-112.74.1 MozillaFirefox-debugsource-91.2.0-112.74.1 MozillaFirefox-devel-91.2.0-112.74.1 MozillaFirefox-translations-common-91.2.0-112.74.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): MozillaFirefox-91.2.0-112.74.1 MozillaFirefox-debuginfo-91.2.0-112.74.1 MozillaFirefox-debugsource-91.2.0-112.74.1 MozillaFirefox-devel-91.2.0-112.74.1 MozillaFirefox-translations-common-91.2.0-112.74.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): MozillaFirefox-91.2.0-112.74.1 MozillaFirefox-debuginfo-91.2.0-112.74.1 MozillaFirefox-debugsource-91.2.0-112.74.1 MozillaFirefox-devel-91.2.0-112.74.1 MozillaFirefox-translations-common-91.2.0-112.74.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): MozillaFirefox-91.2.0-112.74.1 MozillaFirefox-debuginfo-91.2.0-112.74.1 MozillaFirefox-debugsource-91.2.0-112.74.1 MozillaFirefox-devel-91.2.0-112.74.1 MozillaFirefox-translations-common-91.2.0-112.74.1 - HPE Helion Openstack 8 (x86_64): MozillaFirefox-91.2.0-112.74.1 MozillaFirefox-debuginfo-91.2.0-112.74.1 MozillaFirefox-debugsource-91.2.0-112.74.1 MozillaFirefox-devel-91.2.0-112.74.1 MozillaFirefox-translations-common-91.2.0-112.74.1 References: https://www.suse.com/security/cve/CVE-2021-32810.html https://www.suse.com/security/cve/CVE-2021-38496.html https://www.suse.com/security/cve/CVE-2021-38497.html https://www.suse.com/security/cve/CVE-2021-38498.html https://www.suse.com/security/cve/CVE-2021-38500.html https://www.suse.com/security/cve/CVE-2021-38501.html https://bugzilla.suse.com/1190710 https://bugzilla.suse.com/1191332 From sle-security-updates at lists.suse.com Fri Oct 15 10:21:06 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: 
Fri, 15 Oct 2021 12:21:06 +0200 (CEST) Subject: SUSE-SU-2021:3445-1: important: Security update for rpm Message-ID: <20211015102106.61035FD2D@maintenance.suse.de> SUSE Security Update: Security update for rpm ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3445-1 Rating: important References: #1183659 #1185299 #1187670 #1188548 Affected Products: SUSE MicroOS 5.1 SUSE Linux Enterprise Module for SUSE Manager Server 4.2 SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 SUSE Linux Enterprise Module for Python2 15-SP3 SUSE Linux Enterprise Module for Public Cloud 15-SP3 SUSE Linux Enterprise Module for Development Tools 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP3 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for rpm fixes the following issues: Security issues fixed: - PGP hardening changes (bsc#1185299) Maintenance issues fixed: - Fixed zstd detection (bsc#1187670) - Added ndb rofs support (bsc#1188548) - Fixed deadlock when multiple rpm processes try to acquire the database lock (bsc#1183659) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE MicroOS 5.1: zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3445=1 - SUSE Linux Enterprise Module for SUSE Manager Server 4.2: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2021-3445=1 - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2: zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.2-2021-3445=1 - SUSE Linux Enterprise Module for Python2 15-SP3: zypper in -t patch SUSE-SLE-Module-Python2-15-SP3-2021-3445=1 - SUSE Linux Enterprise Module for Public Cloud 15-SP3: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2021-3445=1 - SUSE Linux Enterprise Module for Development Tools 15-SP3: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-3445=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3445=1 Package List: - SUSE MicroOS 5.1 (aarch64 s390x x86_64): python-rpm-debugsource-4.14.3-40.1 python3-rpm-4.14.3-40.1 python3-rpm-debuginfo-4.14.3-40.1 rpm-4.14.3-40.1 rpm-debuginfo-4.14.3-40.1 rpm-debugsource-4.14.3-40.1 - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (aarch64 ppc64le s390x x86_64): rpm-build-4.14.3-40.1 rpm-build-debuginfo-4.14.3-40.1 rpm-debuginfo-4.14.3-40.1 rpm-debugsource-4.14.3-40.1 - SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (aarch64 ppc64le s390x x86_64): rpm-build-4.14.3-40.1 rpm-build-debuginfo-4.14.3-40.1 rpm-debuginfo-4.14.3-40.1 rpm-debugsource-4.14.3-40.1 - SUSE Linux Enterprise Module for Python2 15-SP3 (aarch64 ppc64le s390x x86_64): python-rpm-debugsource-4.14.3-40.1 python2-rpm-4.14.3-40.1 python2-rpm-debuginfo-4.14.3-40.1 - SUSE Linux Enterprise Module for Public Cloud 15-SP3 (aarch64 ppc64le s390x x86_64): rpm-ndb-4.14.3-40.1 rpm-ndb-debuginfo-4.14.3-40.1 rpm-ndb-debugsource-4.14.3-40.1 - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64): rpm-build-4.14.3-40.1 rpm-build-debuginfo-4.14.3-40.1 
rpm-debuginfo-4.14.3-40.1 rpm-debugsource-4.14.3-40.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): python-rpm-debugsource-4.14.3-40.1 python3-rpm-4.14.3-40.1 python3-rpm-debuginfo-4.14.3-40.1 rpm-4.14.3-40.1 rpm-debuginfo-4.14.3-40.1 rpm-debugsource-4.14.3-40.1 rpm-devel-4.14.3-40.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64): rpm-32bit-4.14.3-40.1 rpm-32bit-debuginfo-4.14.3-40.1 References: https://bugzilla.suse.com/1183659 https://bugzilla.suse.com/1185299 https://bugzilla.suse.com/1187670 https://bugzilla.suse.com/1188548 From sle-security-updates at lists.suse.com Fri Oct 15 10:22:55 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 15 Oct 2021 12:22:55 +0200 (CEST) Subject: SUSE-SU-2021:3447-1: important: Security update for the Linux Kernel Message-ID: <20211015102255.6375DFD2D@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3447-1 Rating: important References: #1065729 #1148868 #1152489 #1154353 #1159886 #1167773 #1170774 #1173746 #1176940 #1184439 #1184804 #1185302 #1185677 #1185726 #1185762 #1187167 #1188067 #1188651 #1188986 #1189297 #1189841 #1189884 #1190023 #1190062 #1190115 #1190159 #1190358 #1190406 #1190432 #1190467 #1190523 #1190534 #1190543 #1190576 #1190595 #1190596 #1190598 #1190620 #1190626 #1190679 #1190705 #1190717 #1190746 #1190758 #1190784 #1190785 #1191172 #1191193 #1191240 #1191292 Cross-References: CVE-2020-3702 CVE-2021-3669 CVE-2021-3744 CVE-2021-3752 CVE-2021-3764 CVE-2021-40490 CVSS scores: CVE-2020-3702 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-3702 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-3669 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-3744 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-3752 
(SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3764 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2021-40490 (SUSE): 6.1 CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Workstation Extension 15-SP2 SUSE Linux Enterprise Module for Live Patching 15-SP2 SUSE Linux Enterprise Module for Legacy Software 15-SP2 SUSE Linux Enterprise Module for Development Tools 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise High Availability 15-SP2 ______________________________________________________________________________ An update that solves 6 vulnerabilities and has 44 fixes is now available. Description: The SUSE Linux Enterprise 15 SP2 kernel was updated. The following security bugs were fixed: - CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193) - CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023) - CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could lead to local privilege escalation. (bnc#1190159) - CVE-2021-3744: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1189884) - CVE-2021-3764: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1190534) - CVE-2021-3669: Fixed a bug that doesn't allow /proc/sysvipc/shm to scale with large shared memory segment counts which could lead to resource exhaustion and DoS. (bsc#1188986) The following non-security bugs were fixed: - ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes). - apparmor: remove duplicate macro list_entry_is_head() (git-fixes). - ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes).
- ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes). - ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes). - ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes). - ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes). - ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes). - ath9k: fix sleeping in atomic context (git-fixes). - blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762). - blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762). - blk-mq: mark if one queue map uses managed irq (bsc#1185762). - Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes). - bnx2x: fix an error code in bnx2x_nic_load() (git-fixes). - bnxt_en: Add missing DMA memory barriers (git-fixes). - bnxt_en: Disable aRFS if running on 212 firmware (git-fixes). - bnxt_en: Do not enable legacy TX push on older firmware (git-fixes). - bnxt_en: Store the running firmware version code (git-fixes). - bnxt: count Tx drops (git-fixes). - bnxt: disable napi before canceling DIM (git-fixes). - bnxt: do not lock the tx queue from napi poll (git-fixes). - bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes). - btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626). - clk: at91: clk-generated: Limit the requested rate to our range (git-fixes). - clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes). - console: consume APC, DM, DCS (git-fixes). - cuse: fix broken release (bsc#1190596). - cxgb4: dont touch blocked freelist bitmap after free (git-fixes). - debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746). - devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353). - dmaengine: ioat: depends on !UML (git-fixes). - dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes). - dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes). 
- docs: Fix infiniband uverbs minor number (git-fixes). - drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes). - drm: avoid blocking in drm_clients_info's rcu section (git-fixes). - drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes). - drm/amd/display: Fix timer_per_pixel unit error (git-fixes). - drm/amdgpu: Fix BUG_ON assert (git-fixes). - drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes). - drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes). - drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes). - e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100). - e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes). - EDAC/i10nm: Fix NVDIMM detection (bsc#1152489). - EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489). - erofs: fix up erofs_lookup tracepoint (git-fixes). - fbmem: do not allow too huge resolutions (git-fixes). - fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes). - fpga: machxo2-spi: Return an error on failure (git-fixes). - fuse: flush extending writes (bsc#1190595). - fuse: truncate pagecache on atomic_o_trunc (bsc#1190705). - genirq: add device_has_managed_msi_irq (bsc#1185762). - gpio: uniphier: Fix void functions to remove return value (git-fixes). - gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes). - gve: fix the wrong AdminQ buffer overflow check (bsc#1176940). - hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726). - hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726). - hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes). - hwmon: (tmp421) fix rounding for negative values (git-fixes). 
- hwmon: (tmp421) report /PVLD condition as fault (git-fixes). - i40e: Add additional info to PHY type error (git-fixes). - i40e: Fix firmware LLDP agent related warning (git-fixes). - i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes). - i40e: Fix logic of disabling queues (git-fixes). - i40e: Fix queue-to-TC mapping on Tx (git-fixes). - iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940). - iavf: Set RSS LUT and key in reset handle path (git-fixes). - ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510). - ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943). - ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943). - ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943). - ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943). - ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943). - ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943). - ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943). - ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943). - ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943). - ice: Prevent probing virtual functions (git-fixes). - iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes). - include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes). - iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784). - ionic: cleanly release devlink instance (bsc#1167773). - ionic: count csum_none when offload enabled (bsc#1167773). - ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115). - ipc/util.c: use binary search for max_idx (bsc#1159886). - ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467). - ipvs: avoid expiring many connections from timer (bsc#1190467). 
- ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467). - ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467). - iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes). - kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable. - kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs. - kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167 bsc#1191240 ltc#194716). - kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#1190358). The script part for base package case is completely separate from the part for subpackages. Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead. - libata: fix ata_host_start() (git-fixes). - mac80211-hwsim: fix late beacon hrtimer handling (git-fixes). - mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes). - mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes). - mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes). - mac80211: mesh: fix potentially unaligned access (git-fixes). - media: cedrus: Fix SUNXI tile size calculation (git-fixes). - media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes). - media: dib8000: rewrite the init prbs logic (git-fixes). - media: imx258: Limit the max analogue gain to 480 (git-fixes). - media: imx258: Rectify mismatch of VTS value (git-fixes). - media: rc-loopback: return number of emitters rather than error (git-fixes). - media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes). - media: uvc: do not do DMA on stack (git-fixes). - media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes). - mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes). 
- mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
- mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes).
- mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785).
- mmc: core: Return correct emmc response in case of ioctl error (git-fixes).
- mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes).
- mmc: sdhci-of-arasan: Check return value of non-void funtions (git-fixes).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
- net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
- net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
- net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes).
- net/mlx5: Fix flow table chaining (git-fixes).
- net/mlx5: Fix return value from tracer initialization (git-fixes).
- net/mlx5: Unload device upon firmware fatal error (git-fixes).
- net/mlx5e: Avoid creating tunnel headers for local route (git-fixes).
- net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes).
- net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes).
- netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062).
- nfp: update ethtool reporting of pauseframe control (git-fixes).
- NFS: change nfs_access_get_cached to only report the mask (bsc#1190746).
- NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746).
- NFS: pass cred explicitly for access tests (bsc#1190746).
- nvme: avoid race in shutdown namespace removal (bsc#1188067).
- nvme: fix refcounting imbalance when all paths are down (bsc#1188067).
- parport: remove non-zero check on count (git-fixes).
- PCI: aardvark: Fix checking for PIO status (git-fixes).
- PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes).
- PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes).
- PCI: Add ACS quirks for Cavium multi-function devices (git-fixes).
- PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes).
- PCI: Add AMD GPU multi-function power dependencies (git-fixes).
- PCI: ibmphp: Fix double unmap of io_mem (git-fixes).
- PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes).
- PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes).
- PCI: pci-bridge-emul: Fix big-endian support (git-fixes).
- PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes).
- PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes).
- PM: base: power: do not try to use non-existing RTC for storing data (git-fixes).
- PM: EM: Increase energy calculation precision (git-fixes).
- power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes).
- power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes).
- powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289).
- powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
- powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
- powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
- powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
- powerpc/perf: Fix the check for SIAR value (bsc#1065729).
- powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
- powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
- powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
- powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
- powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
- powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
- powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
- pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
- pwm: img: Do not modify HW state in .remove() callback (git-fixes).
- pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes).
- pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes).
- qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
- RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774).
- Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes).
- regmap: fix page selection for noinc reads (git-fixes).
- regmap: fix page selection for noinc writes (git-fixes).
- regmap: fix the offset of register error log (git-fixes).
- Restore kabi after NFS: pass cred explicitly for access tests (bsc#1190746).
- rpm: Abolish scritplet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. This allows fixing bugs in the scriptlets as well as defining initrd regeneration policy independent of the kernel packages.
- rpm/kernel-binary.spec: Use only non-empty certificates.
- rpm/kernel-binary.spec.in: avoid conflicting suse-release. suse-release had arbitrary values in staging, we can't use it for dependencies. The filesystem one has to be enough (boo#1184804).
- rtc: rx8010: select REGMAP_I2C (git-fixes).
- rtc: tps65910: Correct driver module alias (git-fixes).
- s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
- sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292).
- scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
- scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
- scsi: fc: Add EDC ELS definition (bsc#1190576).
- scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
- scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
- scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
- scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
- scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
- scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
- scsi: lpfc: Add EDC ELS support (bsc#1190576).
- scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
- scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
- scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
- scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
- scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576).
- scsi: lpfc: Add support for the CM framework (bsc#1190576).
- scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576).
- scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576).
- scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576).
- scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576).
- scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576).
- scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576).
- scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576).
- scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576).
- scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576).
- scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576).
- scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576).
- scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576).
- scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576).
- scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576).
- scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576).
- scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576).
- scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576).
- scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576).
- scsi: lpfc: Remove unneeded variable (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576).
- scsi: lpfc: Use correct scnprintf() limit (bsc#1190576).
- scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576).
- scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576).
- scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576).
- scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297).
- serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes).
- serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes).
- serial: mvebu-uart: fix driver's tx_empty callback (git-fixes).
- serial: sh-sci: fix break handling for sysrq (git-fixes).
- spi: Fix tegra20 build with CONFIG_PM=n (git-fixes).
- staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes).
- staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes).
- staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes).
- thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes).
- time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes).
- tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes).
- tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes).
- tty: synclink_gt, drop unneeded forward declarations (git-fixes).
- usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes).
- usb: core: hcd: Add support for deferring roothub registration (git-fixes).
- usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes).
- usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes).
- usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes).
- usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes).
- usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes).
- usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes).
- usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes).
- usb: host: fotg210: fix the actual_length of an iso packet (git-fixes).
- usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes).
- usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes).
- usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes).
- usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes).
- usb: serial: option: add device id for Foxconn T99W265 (git-fixes).
- usb: serial: option: add Telit LN920 compositions (git-fixes).
- usb: serial: option: remove duplicate USB device ID (git-fixes).
- usbip: give back URBs for unsent unlink requests during cleanup (git-fixes).
- usbip: vhci_hcd USB port can get stuck in the disabled state (git-fixes).
- video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes).
- video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes).
- video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes).
- video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes).
- vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406).
- vmxnet3: add support for ESP IPv6 RSS (bsc#1190406).
- vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406).
- vmxnet3: prepare for version 6 changes (bsc#1190406).
- vmxnet3: remove power of 2 limitation on the queues (bsc#1190406).
- vmxnet3: set correct hash type based on rss information (bsc#1190406).
- vmxnet3: update to version 6 (bsc#1190406).
- watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes).
- x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302).
- x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
- x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289).
- x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489).
- x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489).
- x86/resctrl: Fix default monitoring groups reporting (bsc#1152489).
- xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651).
- xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679).
- xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).
- xhci: Set HCD flag to defer primary roothub registration (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.0:
  zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3447=1
- SUSE Linux Enterprise Workstation Extension 15-SP2:
  zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-3447=1
- SUSE Linux Enterprise Module for Live Patching 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-3447=1
- SUSE Linux Enterprise Module for Legacy Software 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2021-3447=1
- SUSE Linux Enterprise Module for Development Tools 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-3447=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3447=1
- SUSE Linux Enterprise High Availability 15-SP2:
  zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2021-3447=1

Package List:

- SUSE MicroOS 5.0 (aarch64 x86_64):
  kernel-default-5.3.18-24.86.2
  kernel-default-base-5.3.18-24.86.2.9.40.2
  kernel-default-debuginfo-5.3.18-24.86.2
  kernel-default-debugsource-5.3.18-24.86.2
  kmod-25-6.10.1
  kmod-compat-25-6.10.1
  kmod-debuginfo-25-6.10.1
  kmod-debugsource-25-6.10.1
  libkmod2-25-6.10.1
  libkmod2-debuginfo-25-6.10.1
  perl-Bootloader-0.931-3.5.1
- SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):
  kernel-default-debuginfo-5.3.18-24.86.2
  kernel-default-debugsource-5.3.18-24.86.2
  kernel-default-extra-5.3.18-24.86.2
  kernel-default-extra-debuginfo-5.3.18-24.86.2
  kernel-preempt-extra-5.3.18-24.86.2
  kernel-preempt-extra-debuginfo-5.3.18-24.86.2
- SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64):
  kernel-default-debuginfo-5.3.18-24.86.2
  kernel-default-debugsource-5.3.18-24.86.2
  kernel-default-livepatch-5.3.18-24.86.2
  kernel-default-livepatch-devel-5.3.18-24.86.2
  kernel-livepatch-5_3_18-24_86-default-1-5.3.2
  kernel-livepatch-5_3_18-24_86-default-debuginfo-1-5.3.2
  kernel-livepatch-SLE15-SP2_Update_20-debugsource-1-5.3.2
- SUSE Linux Enterprise Module for Legacy Software 15-SP2 (aarch64 ppc64le s390x x86_64):
  kernel-default-debuginfo-5.3.18-24.86.2
  kernel-default-debugsource-5.3.18-24.86.2
  reiserfs-kmp-default-5.3.18-24.86.2
  reiserfs-kmp-default-debuginfo-5.3.18-24.86.2
- SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):
  kernel-obs-build-5.3.18-24.86.2
  kernel-obs-build-debugsource-5.3.18-24.86.2
  kernel-syms-5.3.18-24.86.1
  perl-Bootloader-YAML-0.931-3.5.1
- SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64):
  kernel-preempt-debuginfo-5.3.18-24.86.2
  kernel-preempt-debugsource-5.3.18-24.86.2
  kernel-preempt-devel-5.3.18-24.86.2
  kernel-preempt-devel-debuginfo-5.3.18-24.86.2
- SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch):
  kernel-docs-5.3.18-24.86.2
  kernel-source-5.3.18-24.86.2
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  kernel-default-5.3.18-24.86.2
  kernel-default-base-5.3.18-24.86.2.9.40.2
  kernel-default-debuginfo-5.3.18-24.86.2
  kernel-default-debugsource-5.3.18-24.86.2
  kernel-default-devel-5.3.18-24.86.2
  kernel-default-devel-debuginfo-5.3.18-24.86.2
  kmod-25-6.10.1
  kmod-compat-25-6.10.1
  kmod-debuginfo-25-6.10.1
  kmod-debugsource-25-6.10.1
  libkmod-devel-25-6.10.1
  libkmod2-25-6.10.1
  libkmod2-debuginfo-25-6.10.1
  perl-Bootloader-0.931-3.5.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 x86_64):
  kernel-preempt-5.3.18-24.86.2
  kernel-preempt-debuginfo-5.3.18-24.86.2
  kernel-preempt-debugsource-5.3.18-24.86.2
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
  kernel-devel-5.3.18-24.86.2
  kernel-macros-5.3.18-24.86.2
  kmod-bash-completion-25-6.10.1
- SUSE Linux Enterprise High Availability 15-SP2 (aarch64 ppc64le s390x x86_64):
  cluster-md-kmp-default-5.3.18-24.86.2
  cluster-md-kmp-default-debuginfo-5.3.18-24.86.2
  dlm-kmp-default-5.3.18-24.86.2
  dlm-kmp-default-debuginfo-5.3.18-24.86.2
  gfs2-kmp-default-5.3.18-24.86.2
  gfs2-kmp-default-debuginfo-5.3.18-24.86.2
  kernel-default-debuginfo-5.3.18-24.86.2
  kernel-default-debugsource-5.3.18-24.86.2
  ocfs2-kmp-default-5.3.18-24.86.2
  ocfs2-kmp-default-debuginfo-5.3.18-24.86.2

References:

https://www.suse.com/security/cve/CVE-2020-3702.html
https://www.suse.com/security/cve/CVE-2021-3669.html
https://www.suse.com/security/cve/CVE-2021-3744.html
https://www.suse.com/security/cve/CVE-2021-3752.html
https://www.suse.com/security/cve/CVE-2021-3764.html
https://www.suse.com/security/cve/CVE-2021-40490.html
https://bugzilla.suse.com/1065729
https://bugzilla.suse.com/1148868
https://bugzilla.suse.com/1152489
https://bugzilla.suse.com/1154353
https://bugzilla.suse.com/1159886
https://bugzilla.suse.com/1167773
https://bugzilla.suse.com/1170774
https://bugzilla.suse.com/1173746
https://bugzilla.suse.com/1176940
https://bugzilla.suse.com/1184439
https://bugzilla.suse.com/1184804
https://bugzilla.suse.com/1185302
https://bugzilla.suse.com/1185677
https://bugzilla.suse.com/1185726
https://bugzilla.suse.com/1185762
https://bugzilla.suse.com/1187167
https://bugzilla.suse.com/1188067
https://bugzilla.suse.com/1188651
https://bugzilla.suse.com/1188986
https://bugzilla.suse.com/1189297
https://bugzilla.suse.com/1189841
https://bugzilla.suse.com/1189884
https://bugzilla.suse.com/1190023
https://bugzilla.suse.com/1190062
https://bugzilla.suse.com/1190115
https://bugzilla.suse.com/1190159
https://bugzilla.suse.com/1190358
https://bugzilla.suse.com/1190406
https://bugzilla.suse.com/1190432
https://bugzilla.suse.com/1190467
https://bugzilla.suse.com/1190523
https://bugzilla.suse.com/1190534
https://bugzilla.suse.com/1190543
https://bugzilla.suse.com/1190576
https://bugzilla.suse.com/1190595
https://bugzilla.suse.com/1190596
https://bugzilla.suse.com/1190598
https://bugzilla.suse.com/1190620
https://bugzilla.suse.com/1190626
https://bugzilla.suse.com/1190679
https://bugzilla.suse.com/1190705
https://bugzilla.suse.com/1190717
https://bugzilla.suse.com/1190746
https://bugzilla.suse.com/1190758
https://bugzilla.suse.com/1190784
https://bugzilla.suse.com/1190785
https://bugzilla.suse.com/1191172
https://bugzilla.suse.com/1191193
https://bugzilla.suse.com/1191240
https://bugzilla.suse.com/1191292

From sle-security-updates at lists.suse.com Fri Oct 15 10:39:28 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 Oct 2021 12:39:28 +0200 (CEST)
Subject: SUSE-SU-2021:3444-1: important: Security update for rpm
Message-ID: <20211015103928.783FAFD2D@maintenance.suse.de>

SUSE Security Update: Security update for rpm
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:3444-1
Rating: important
References: #1179416 #1183543 #1183545 #1183632 #1183659 #1185299 #1187670 #1188548
Cross-References: CVE-2021-20266 CVE-2021-20271 CVE-2021-3421

CVSS scores:
CVE-2021-20266 (NVD): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVE-2021-20266 (SUSE): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
CVE-2021-20271 (NVD): 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-20271 (SUSE): 3.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L
CVE-2021-3421 (NVD): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2021-3421 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Affected Products:
SUSE MicroOS 5.0
SUSE Linux Enterprise Module for SUSE Manager Server 4.1
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1
SUSE Linux Enterprise Module for Python2 15-SP2
SUSE Linux Enterprise Module for Public Cloud 15-SP2
SUSE Linux Enterprise Module for Development Tools 15-SP2
SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that solves three vulnerabilities and has 5 fixes is now available.
Description:

This update for rpm fixes the following issues:

Security issues fixed:

- CVE-2021-3421, CVE-2021-20271, CVE-2021-20266: Multiple header check improvements (bsc#1183543, bsc#1183545, bsc#1183632)
- PGP hardening changes (bsc#1185299)
- Fixed potential access of freed mem in ndb's glue code (bsc#1179416)

Maintenance issues fixed:

- Fixed zstd detection (bsc#1187670)
- Added ndb rofs support (bsc#1188548)
- Fixed deadlock when multiple rpm processes try to acquire the database lock (bsc#1183659)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE MicroOS 5.0:
  zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3444=1
- SUSE Linux Enterprise Module for SUSE Manager Server 4.1:
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-3444=1
- SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1:
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Proxy-4.1-2021-3444=1
- SUSE Linux Enterprise Module for Python2 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2021-3444=1
- SUSE Linux Enterprise Module for Public Cloud 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2021-3444=1
- SUSE Linux Enterprise Module for Development Tools 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-3444=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3444=1

Package List:

- SUSE MicroOS 5.0 (aarch64 x86_64):
  python-rpm-debugsource-4.14.1-22.4.1
  python3-rpm-4.14.1-22.4.1
  python3-rpm-debuginfo-4.14.1-22.4.1
  rpm-4.14.1-22.4.2
  rpm-debuginfo-4.14.1-22.4.2
  rpm-debugsource-4.14.1-22.4.2
- SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (aarch64 ppc64le s390x x86_64):
  rpm-build-4.14.1-22.4.2
  rpm-build-debuginfo-4.14.1-22.4.2
  rpm-debuginfo-4.14.1-22.4.2
  rpm-debugsource-4.14.1-22.4.2
- SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (aarch64 ppc64le s390x x86_64):
  rpm-build-4.14.1-22.4.2
  rpm-build-debuginfo-4.14.1-22.4.2
  rpm-debuginfo-4.14.1-22.4.2
  rpm-debugsource-4.14.1-22.4.2
- SUSE Linux Enterprise Module for Python2 15-SP2 (aarch64 ppc64le s390x x86_64):
  python-rpm-debugsource-4.14.1-22.4.1
  python2-rpm-4.14.1-22.4.1
  python2-rpm-debuginfo-4.14.1-22.4.1
- SUSE Linux Enterprise Module for Public Cloud 15-SP2 (aarch64 ppc64le s390x x86_64):
  rpm-ndb-4.14.1-22.4.2
  rpm-ndb-debuginfo-4.14.1-22.4.2
  rpm-ndb-debugsource-4.14.1-22.4.2
- SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):
  rpm-build-4.14.1-22.4.2
  rpm-build-debuginfo-4.14.1-22.4.2
  rpm-debuginfo-4.14.1-22.4.2
  rpm-debugsource-4.14.1-22.4.2
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  python-rpm-debugsource-4.14.1-22.4.1
  python3-rpm-4.14.1-22.4.1
  python3-rpm-debuginfo-4.14.1-22.4.1
  rpm-4.14.1-22.4.2
  rpm-debuginfo-4.14.1-22.4.2
  rpm-debugsource-4.14.1-22.4.2
  rpm-devel-4.14.1-22.4.2
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):
  rpm-32bit-4.14.1-22.4.2
  rpm-32bit-debuginfo-4.14.1-22.4.2

References:

https://www.suse.com/security/cve/CVE-2021-20266.html
https://www.suse.com/security/cve/CVE-2021-20271.html
https://www.suse.com/security/cve/CVE-2021-3421.html
https://bugzilla.suse.com/1179416
https://bugzilla.suse.com/1183543
https://bugzilla.suse.com/1183545
https://bugzilla.suse.com/1183632
https://bugzilla.suse.com/1183659
https://bugzilla.suse.com/1185299
https://bugzilla.suse.com/1187670
https://bugzilla.suse.com/1188548

From sle-security-updates at lists.suse.com Fri Oct 15 16:16:09 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 15 Oct 2021 18:16:09 +0200 (CEST)
Subject: SUSE-SU-2021:3450-1: important: Security update for javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags
Message-ID: <20211015161609.8F5A9FD2D@maintenance.suse.de>
SUSE Security Update: Security update for javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:3450-1
Rating: important
References: #1036025 #1133277 #1162343 SOC-11543

Affected Products:
SUSE OpenStack Cloud Crowbar 9
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud 8
SUSE Linux Enterprise Software Development Kit 12-SP5
HPE Helion Openstack 8
______________________________________________________________________________

An update that contains security fixes and contains one feature can now be installed.

Description:

This update for javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags contains the following fixes:

Changes in mysql-connector-java:

- Restrict license to GPL-2.0-only
- Fix README adjustments
- Depend on log4j rather than log4j-mini and adjust log4j dependencies to account for the lack of log4j12 Provides in some code streams.
- Add missing Group tag
- Update to 8.0.25 (SOC-11543)

  Changes in 8.0.25
  * No functional changes: version alignment with MySQL Server 8.0.25.

  Changes in 8.0.24
  * Bug#102188 (32526663), AccessControlException with AuthenticationLdapSaslClientPlugin.
  * Bug#22508715, SETSESSIONMAXROWS() CALL ON CLOSED CONNECTION RESULTS IN NPE.
  * Bug#102131 (32338451), UPDATABLERESULTSET NPE WHEN USING DERIVED QUERIES OR VIEWS.
  * Bug#101596 (32151143), GET THE 'HOST' PROPERTY ERROR AFTER CALLING TRANSFORMPROPERTIES() METHOD.
  * Bug#20391832, SETOBJECT() FOR TYPES.TIME RESULTS IN EXCEPTION WHEN VALUE HAS FRACTIONAL PART.
  * Bug#97730 (31699993), xdev api: ConcurrentModificationException at Session.close.
  * Bug#99708 (31510398), mysql-connector-java 8.0.20 ASSERTION FAILED: Unknown message type: 57 s.close.
  * Bug#32122553, EXTRA BYTE IN COM_STMT_EXECUTE.
  * Bug#101558 (32141210), NULLPOINTEREXCEPTION WHEN EXECUTING INVALID QUERY WITH USEUSAGEADVISOR ENABLED.
  * Bug#102076 (32329915), CONTRIBUTION: MYSQL JDBC DRIVER RESULTSET.GETLONG() THROWS NUMBEROUTOFRANGE.
  * Bug#31747910, BUG 30474158 FIX IMPROVES JDBC COMPLIANCE BUT CHANGES DEFAULT RESULTSETTYPE HANDLING.
  * Bug#102321 (32405590), CALLING RESULTSETMETADATA.GETCOLUMNCLASSNAME RETURNS WRONG VALUE FOR DATETIME.
  * WL#14453, Pluggable authentication: new default behavior & user-less authentications.
  * WL#14392, Improve timeout error messages [classic].
  * WL#14202, XProtocol: Support connection close notification.

  Changes in 8.0.23
  * Bug#21789378, FORCED TO SET SERVER TIMEZONE IN CONNECT STRING.
  * Bug#95644 (30573281), JDBC GETDATE/GETTIME/GETTIMESTAMP INTERFACE BEHAVIOR CHANGE AFTER UPGRADE 8.0.
  * Bug#94457 (29402209), CONNECTOR/J RESULTSET.GETOBJECT( ..., OFFSETDATETIME.CLASS ) THROWS.
  * Bug#76775 (20959249), FRACTIONAL SECONDS IN TIME VALUES ARE NOT AVAILABLE VIA JDBC.
  * Bug#99013 (31074051), AN EXTRA HOUR GETS ADDED TO THE TIMESTAMP WHEN SUBTRACTING INTERVAL 'N' DAYS.
  * Bug#98695 (30962953), EXECUTION OF "LOAD DATA LOCAL INFILE" COMMAND THROUGH JDBC FOR DATETIME COLUMN.
  * Bug#101413 (32099505), JAVA.TIME.LOCALDATETIME CANNOT BE CAST TO JAVA.SQL.TIMESTAMP.
  * Bug#101242 (32046007), CANNOT USE BYTEARRAYINPUTSTREAM AS ARGUMENTS IN PREPARED STATEMENTS AN MORE.
  * WL#14274, Support for authentication_ldap_sasl_client(SCRAM-SHA-256) authentication plugin.
  * WL#14206, Support for authentication_ldap_sasl_client(GSSAPI) authentication plugin.
  * WL#14207, Replace language in APIs and source code/docs.

  Changes in 8.0.22
  * Bug#98667 (31711961), "All pipe instances are busy" exception on multiple connections to named Pipe.
  * Bug#96309 (31699357), MultiHost in loadbalance may lead to a TPS reduction during a quick switch.
  * Bug#99076 (31083755), Unclear exception/error when connecting with jdbc:mysql to a mysqlx port.
  * Bug#96870 (30304764), Contribution: Allow to disable AbandonedConnectionCleanupThread completely.
  * WL#14115, Support for authentication_ldap_sasl_client (SCRAM-SHA-1) authentication plugin.
  * WL#14096, Add option to specify LOAD DATA LOCAL allow list folder.
  * WL#13780, Skip system-wide trust and key stores (incl. X DevAPI client certs).
  * WL#14017, XProtocol -- support for configurable compression algorithms.
  * Bug#92903 (28834903), MySQL Connector/j should support wildcard names or alternative names.
  * Bug#99767 (31443178), Contribution: Check SubjectAlternativeName for TLS instead of commonName.
  * Bug#93444 (29015453), LOCALDATETIME PARAMETER VALUES ALTERED WHEN CLIENT AND SERVER TIMEZONES DIFFER.
  * WL#14052, Remove asynchronous variant of X Protocol.
  * Bug#99713 (31418928), NPE DURING COM.MYSQL.CJ.SERVERPREPAREDQUERYBINDVALUE.STOREDATE().
  * WL#14068, Remove legacy integration with JBoss.

  Changes in 8.0.21
  * WL#14051, Upgrade Protocol Buffers dependency to protobuf-java-3.11.4.
  * WL#14042, Upgrade testsuite to JUnit 5.
  * Bug#98237 (30911870), PREPAREDSTATEMENT.SETOBJECT(I, "FALSE", TYPES.BOOLEAN) ALWAYS SETS TRUE OR 1.
  * WL#13008, DevAPI: Add schema validation to create collection.

  Changes in 8.0.20
  * Bug#30805426, IN CASE OF ISAUTHMETHODSWITCHREQUESTPACKET , TOSERVERS > 1 ARE IGNORED.
  * Bug#97714 (30570249), Contribution: Expose elapsed time for query interceptor.
  * Bug#97724 (30570721), Contribution: Allow \'3.\' formatted numbers.
  * Bug#98536 (30877755), SIMPLEDATEFORMAT COULD CACHE A WRONG CALENDAR. Fix for Bug#91112 (28125069), AGAIN WRONG JAVA.SQL.DATE.
  * Bug#30474158, CONNECTOR/J 8 DOES NOT HONOR THE REQUESTED RESULTSETTYPE SCROLL_INSENSITIVE ETC.
  * Bug#98445 (30832513), Connection option clientInfoProvider=ClientInfoProviderSP causes NPE.
  * WL#12248, DevAPI: Connection compression.
  * Bug#30636056, ResultSetUtil.resultSetToMap() can be unsafe to use.
  * Bug#97757 (30584907), NULLPOINTEREXCEPTION WITH CACHERESULTSETMETADATA=TRUE AND EXECUTEQUERY OF "SET".

  Changes in 8.0.19
  * WL#13346, Support for mult-host and failover.
  * Bug#97413 (30477722), DATABASEMETADATA IS BROKEN AFTER SERVER WL#13528.
  * WL#13367, DNS SRV support.
  * WL#12736, DevAPI: Specify TLS ciphers to be used by a client or session.
  * Bug#96383 (30119545), RS.GETTIMESTAMP() HAS DIFFERENT RESULTS FOR TIME FIELDS WITH USECURSORFETCH=TRUE.
  * Bug#96059 (29999318), ERROR STREAMING MULTI RESULTSETS WITH MYSQL-CONNECTOR-JAVA 8.0.X.
  * Bug#96442 (30151808), INCORRECT DATE ERROR WHEN CALLING GETMETADATA ON PREPARED STATEMENT.

  Changes in 8.0.18
  * WL#13347, Connectors should handle expired password sandbox without SET operations.
  * Bug#84098 (25223123), endless loop in LoadBalancedAutoCommitInterceptor.
  * Bug#23721537, MULTI-SELECT WITH EXECUTEASYNC() GIVES IMPROPER ERROR.
  * Bug#95741 (29898567), METADATA QUERY USES UPPER() AROUND NUMERIC EXPRESSION.
  * Bug#20913289, PSTMT.EXECUTEUPDATE() FAILS WHEN SQL MODE IS NO_BACKSLASH_ESCAPES.
  * Bug#80441 (22850444), SYNTAX ERROR ON RESULTSET.UPDATEROW() WITH SQL_MODE NO_BACKSLASH_ESCAPES.

  Changes in 8.0.17
  * WL#13210, Generate Javadocs via ant.
  * WL#12247, DevAPI: indexing array fields.
  * WL#12726, DevAPI: Add overlaps and not_overlaps as operator.
  * Bug#95503 (29821029), Operator IN not mapping consistently to the right X Plugin operation.
  * WL#12942, Update README.md and add new CONTRIBUTING.md.
  * WL#13125, Support fully qualified hostnames longer than 60 characters.
  * Bug#95210 (29807741), ClassCastException in BlobFromLocator when connecting as jdbc:mysql:replication.
  * Bug#29591275, THE JAR FILE NEEDS TO CONTAIN A README AND LICENSE FILE.
  * WL#13124, Support new utf8mb4 bin collation.
  * WL#13009, DevAPI: Deprecate methods.
  * WL#11101, Remove de-cache and close of SSPSs on double call to close().
  * Bug#89133 (27356869), CONTRIBUTION: UPDATE DATABASEMETADATA.JAVA.
  * Bug#11891000, DABATASEMETADATA.GETTABLES() IGNORES THE SCHEMA_PATTERN ARGUMENT.
  * Bug#94101 (29277648), SETTING LOGSLOWQUERIES SHOULD NOT AUTOMATICALLY ENABLE PROFILESQL FOR QUERIES.
* Bug#74690 (20010454), PROFILEREVENT HOSTNAME HAS NO GETTER().
* Bug#70677 (17640628), CONNECTOR J WITH PROFILESQL - LOG CONTAINS LOTS OF STACKTRACE DATA.
* Bug#41172 (11750577), PROFILEREVENT.PACK() THROWS ARRAYINDEXOUTOFBOUNDSEXCEPTION.
* Bug#27453692, CHARACTERS GET GARBLED IN CONCAT() IN PS WHEN USECURSORFETCH=TRUE.
* Bug#94585 (29452669), GETTABLENAME() RETURNS NULL FOR A QUERY HAVING COUNT(*) WITH JDBC DRIVER V8.0.12.
* Bug#94442 (29446059), RESULTSETIMPL.GETDOUBLE IS INEFFICIENT BECAUSE OF BIGDECIMAL (RE)CONSTRUCTIONS.

Changes in 8.0.16
* WL#12825, Remove third-party libraries from sources and bundles.
* Bug#93590 (29054329), javax.net.ssl.SSLException: closing inbound before receiving peer's close_notify.
* Bug#94414 (29384853), Connector/J RPM package have version number in path.
* Bug#27786499, REDUNDANT FILES IN DEBIAN PACKAGE FOR DEBIAN9(COMMUNITY PACKAGE) FOR CJAVA.
* WL#12246, DevAPI: Prepared statement support.
* WL#10839, Adjust c/J tests to the new "ON" default for explicit_defaults_for_timestamp.
* Bug#29329326, PLEASE AVOID SHOW PROCESSLIST IF POSSIBLE.
* WL#12460, DevAPI: Support new session reset functionality.
* WL#12459, DevAPI: Support connection-attributes.
* Bug#25650385, GETBYTE() RETURNS ERROR FOR BINARY() FLD.
* Bug#27784363, MYSQL 8.0 JDBC DRIVER THROWS NUMBERFORMATEXCEPTION FOR TEXT DATA
* Bug#93007 (28860051), LoadBalancedConnectionProxy.getGlobalBlacklist bug.
* Bug#29186870, CONNECTOR/J REGRESSION: NOT RETURNING PRECISION GETPROCEDURECOLUMNS.
* Bug#22038729, X DEVAPI: ANY API CALL AFTER A FAILED CALL PROC() RESULTS IN HANG.
* Bug#29244101, ADD MAPPING FOR UTF8MB4_ZH_0900_AS_CS COLLATION.
* Bug#92819 (28834959), EXPRPARSER THROWS WRONGARGUMENTEXCEPTION WHEN PARSING EMPTY JSON ARRAY.
* Bug#21921956, X DEVAPI: EXPRESSION PARSE ERROR WITH UNARY OPERATOR.
* Bug#94031 (29257922), WRONG JSON_UNQUOTE WORKAROUND.
* Bug#22931700, BINDINGS.GETBOOLEAN() ALWAYS RETURNS FALSE.
* Bug#25650912, ERROR MESSAGE NOT CLEAR WHEN WE PASS A CHAR DATA TO ANY TABLE API.
* Bug#25642021, CHANGEUSER() FAILS WHEN ENABLEPACKETDEBUG=TRUE.

Changes in 8.0.15
* Bug#94051 (29261254), Not recommended default for 'allowLoadLocalInfile'.

Changes in 8.0.14
* WL#12298, Connectors: Expose metadata about source and binaries in unified way.
* Bug#93111 (28894344), ConnectionUrl.java contains char U+00A7 (section sign).
* WL#12621, DevAPI: Handling of Default Schema.
* Bug#93340 (28970166), C/J BUILD SCRIPT IS TOO VERBOSE
* WL#12462, DevAPI: Be prepared for initial notice on connection.
* Bug#28924137, WL#12463: IF COLLECTION DOESN'T EXIST, COLL.COUNT() IS GIVING A WRONG ERROR MESSAGE.
* WL#12463, DevAPI: Standardize count method.
* Bug#92508 (28747636), mysql-connector in bootclasspath causing memory leak.
* Bug#25650514, UPDATEROW() CALL FAILS WITH NPE WHEN SSPS=TRUE AND TABLE HAS MULTI-FLD KEY.
* Bug#25650482, REFRESHROW() CALL AFTER UPDATEROW() API FAILS WHEN USESERVERPREPSTMTS=TRUE.
* Bug#92536 (28692243), UPDATING SERVER SIDE PREPSTMTS RESULTSET FAIL.
* Bug#92625 (28731795), CONTRIBUTION: FIX OBSERVED NPE IN CLEARINPUTSTREAM.
* Bug#23045642, ADDING NO-DOC (MYSQLCONNJ-696) RESULTS IN EXCEPTION.
* Bug#91065 (28101003), ZERODATETIMEBEHAVIOR=CONVERT_TO_NULL SHOULD NOT APPLY TO 00:00:00 TIME COLUMNS.
* Bug#92574 (28706219), WHEN CONVERTING FROM VARCHAR TO JAVA BOOLEAN, 'N' IS NOT SUPPORTED.
* Bug#25642226, CHANGEUSER() NOT SETTING THE DATABASE PROPERLY WITH SHA USER.
* Bug#28606708, NAMED PIPE CONNECTION FOR X PROTOCOL RETURNS NPE, EXPECTED PROPER ERROR MESSAGE.

Changes in 8.0.13
* Bug#91317 (28207422), Wrong defaults on collation mappings.
* WL#12245, DevAPI: Implement connect timeout.
* Bug#21774249, UNIT TEST FAILS WITH ERROR "'CEST' IS UNRECOGNIZED TIME ZONE".
* WL#11857, DevAPI: Implement connection pooling for xprotocol.
* Bug#91873 (28444461), REMOVE USEOLDUTF8BEHAVIOR CONNECTION PROPERTY.
* Bug#92264 (28594434), JSONPARSER PUTS UNNECESSARY MAXIMUM LIMIT ON JSONNUMBER TO 10 DIGITS.
* WL#12110, Extend PropertyDefinitions.PropertyKey usage.
* Bug#81063 (23098159), w/ rewriteBatchedStatements, when 2 tables involved, the rewriting not correct.
* Bug#84813 (25501750), rewriteBatchedStatements fails in INSERT.
* Bug#81196 (23227334), CONNECTOR/J NOT FOLLOWING DATABASE CHARACTER SET.
* Bug#72609 (18749544), SETDATE() NOT USING A PROLEPTIC GREGORIAN CALENDAR.
* Bug#87534 (26730196), UNION ALL query fails when useServerPrepStmts=true on database connection.
* Bug#89948 (27658489), Batched statements are not committed for useLocalTransactionState=true.
* Bug#22305979, WRONG RECORD UPDATED IF SENDFRACTIONALSECONDS=FALSE AND SMT IS SCROLLABLE.
* Bug#27102307, CHANGE USESSL AND VERIFYSERVERCERTIFICATE TO SSLMODE OPTION.
* Bug#28150662, CONNECTOR/J 8 MALFORMED DATABASE URL EXCEPTION WITH CORRECT URL STRING.
* Bug#91421 (28246270), ALLOWED VALUES FOR ZERODATETIMEBEHAVIOR ARE INCOMPATIBLE WITH NETBEANS.
* Bug#23045604, XSESSION.GETURI() RETURNS NPE.
* Bug#21914769, NPE WHEN TRY TO EXECUTE INVALID JSON STRING.
* Bug#90887 (28034570), DATABASEMETADATAUSINGINFOSCHEMA#GETTABLES FAILS IF METHOD ARGUMENTS ARE NULL.
* Bug#28207088, C/JAVA: UPDATECLOB(INT COLUMNLABEL, JAVA.SQL.CLOB CLOB) IS FAILING.
* Bug#27629553, NPE FROM GETSESSION() FOR SSL CONNECTION WHEN NO PASSWORD PASSED.

Changes in 8.0.12
* Bug#28208000, MASTER : HANG IN ASYNCHRONOUS SELECT TEST.
* WL#10544, Update MySQL 8.0 keywords list.
* WL#11858, DevAPI: Core API v1 alignment.
* Bug#27652379, NPE FROM GETSESSION(PROPERTIES) WHEN HOST PARAMETER IS GIVEN IN SMALL LETTER.
* Bug#87600 (26724154), CONNECTOR THROWS 'MALFORMED DATABASE URL' ON NON MYSQL CONNECTION-URLS.
* Bug#26089880, GETCONNECTION("MYSQLX://..") RETURNS NON-X PROTOCOL CONNECTION.
* WL#11876, Improve connection properties design.
* WL#11933, Connector/J 8.0 X DevAPI reference documentation update.
* WL#11860, Ensure >= 75% code coverage.
* Bug#90753 (27977617), WAIT_TIMEOUT EXCEEDED MESSAGE NOT TRIGGERED.
* Bug#85941 (25924324), WASNULL NOT SET AFTER GETBYTES IS CALLED.
* Bug#28066709, COLLECTION.CREATEINDEX() TEST IS BROKEN AFTER WL#11808 IMPLEMENTATION.
* Bug#90872 (28027459), FILTERPARAMS CLASS IS NOT NEEDED.
* Bug#27522054, POSSIBLE ASYNC XPROTOCOL MESSAGE HANDLING PERF ISSUE. The "xdevapi.useAsyncProtocol" connection property default value is changed to "false".

Changes in 8.0.11
* WL#11293, DevAPI: Support new locking modes: NOWAIT and SKIP LOCKED.
* Bug#90029 (27678308), FAILURE WHEN GETTING GEOMCOLLECTION COLUMN TYPE.
* Bug#90024 (27677574), SOME TESTS FAILED AGAINST MYSQL 8.0.5 BECAUSE OF DEPRECATED FEATURES REMOVAL.
* Bug#86741 (26314325), Multi-Host connection with autocommit=0 getAutoCommit maybe wrong.
* Bug#27231383, PROVIDE MAVEN-FRIENDLY COMMERCIAL PACKAGES WITHOUT "-BIN".
* Bug#26819691, SETTING PACKETDEBUGBUFFERSIZE=0 RESULTS IN CONNECTION FAILURE.
* Bug#88227 (27029657), Connector/J 5.1.44 cannot be used against MySQL 5.7.20 without warnings.
* Bug#27374581, CONNECTION FAILS WHEN GPL SERVER STARTED WITH TLS-VERSION=TLSV1.2.
* WL#11419, DevAPI: New document _id generation support.
* WL#11620, Change caching_sha2_password padding.
* WL#11604, DevAPI: Add SHA256_MEMORY support.
* Bug#86278 (26092824), SUPPORT CUSTOM CONSTRUCTION OF SSLSOCKET DURING CONNECTION ESTABLISHMENT.
* Bug#27226293, JSONNUMBER.GETINTEGER() & NUMBERFORMATEXCEPTION.
* WL#10527, Clean up Protocol and Session interfaces.

Changes in 8.0.9
* WL#11469, Update license header in GPL packages.
* Bug#27247349, WL#11208: UNIQUE DOES NOT GIVE ERROR EVEN THOUGH IT IS NOT SUPPORTED.
* WL#11208, DevAPI: Collection.createIndex.
* WL#10156, Add setters/getters for connection properties to MysqlDataSource, MysqlXADataSource and MysqlConnectionPoolDataSource.
* WL#11401, DevAPI: Remove configuration API.
* WL#10619, Ensure compatibility with new data dictionary.
* Bug#27217264, WL#10937: NULL POINTER EXCEPTION WHEN NULL IS PASSED AS _ID IN COLL.REPLACEONE.
* WL#10937, DevAPI: ReplaceOne, AddOrReplaceOne, GetOne, RemoveOne.
* Bug#26723646, JSON_MERGE() FUNCTION IS DEPRECATED IN MYSQL 8.0.
* Bug#27185332, WL#11210: ERROR IS THROWN WHEN NESTED EMPTY DOCUMENTS ARE INSERTED TO COLLECTION.
* Bug#27151601, WL#11210: DOCUMENT PATCH EXPRESSIONS ARE NOT SUPPORTED.
* WL#11210, DevAPI: Modify/MergePatch.
* Bug#79612 (22362474), CONNECTION ATTRIBUTES LOST WHEN CONNECTING WITHOUT DEFAULT DATABASE.
* WL#10152, Enable TLSv1.2 on mysqlx.
* Bug#27131768, NULL POINTER EXCEPTION IN CONNECTION.
* Bug#88232 (27047676), c/J does not rollback transaction when autoReconnect=true.
* Bug#88242 (27040063), autoReconnect and socketTimeout JDBC option makes wrong order of client packet.
* Bug#88021 (26939943), High GC pressure when driver configured with serversideprepared statements.
* Bug#26724085, CHARSET MAPPING TO BE UPDATED FOR MYSQL 8.0.3.
* Bug#87704 (26771560), THE STREAM GETS THE RESULT SET ?THE DRIVER SIDE GET WRONG ABOUT GETLONG().
* Bug#24924097, SERVER GREETING ERROR ISN'T RECOGNIZED DURING HANDSHAKE.
* Bug#26748909, MASTER : ERROR - NO OPERATIONS ALLOWED AFTER STATEMENT CLOSED FOR TOSTRING().
* Bug#26266731, CONCUR_UPDATABLE RESULTSET OPERATIONS FAIL AGAINST 8.0 FOR BOOLEAN COLUMN.
* WL#11239, DevAPI: Remove create table implementation.
* Bug#27131100, WL#11212: SAVEPOINT CREATING WITH EMPTY STRING AND SPACE AS NAME.
* WL#11212, DevAPI: transaction save-points.
* WL#11060, Support new SHA-256 authentication system.
* Bug#87826 (26846249), MYSQL JDBC CONNECTOR/J DATABASEMETADATA NULL PATTERN HANDLING IS NON-COMPLIANT.
* WL#11163, Extract parameter setters, serverPrepare() and serverExecute() to core classes.
* Bug#26995710, WL#11161: NULL POINTER EXCEPTION IN EXECUTEBATCH() AND CLOSE().
* WL#11161, Unify query bindings.
* WL#8469, Don't extract query text from packets when possible.
Changes in 8.0.8
* Bug#26722030, TEST FAILING DUE TO BINARY LOGGING ENABLED BY DEFAULT IN MYSQL 8.0.3.
* Bug#26722018, TESTS FAILING DUE TO CHANGE IN INFORMATION_SCHEMA.INNODB_SYS_* NAMING.
* Bug#26750807, MASTER : NULL POINTER EXCEPTION IN SCHEMA.DROPVIEW(NULL).
* Bug#26750705, MASTER : ERROR - UNSUPPORTED CONVERSION FROM TIME TO JAVA.SQL.DATE.
* WL#10620, DevAPI: SHA256 Authentication support.
* WL#10936, DevAPI: Row locking for Crud.Find.
* WL#9868, DevAPI: Configuration handling interface.
* WL#10935, DevAPI: Array or Object "contains" operator.
* WL#9875, Prepare c/J 8.0 for DEB and RPM builds.
* Bug#26259384, CALLABLE STATEMENT GIVES ERROR IN C/JAVA WHEN RUN AGAINST MYSQL 8.0.
* Bug#26393132, NULLPOINTEREXCEPTION IS THROWN WHEN TRIED TO DROP A NULL COLLECTION.
* WL#10532, DevAPI: Cleanup Drop APIs.
* Bug#87429 (26633984), repeated close of ServerPreparedStatement causes memory leak.
* Bug#87379 (26646676), Perform actual TLS capabilities check when restricting TLSv1.2.
* Bug#85601 (25777822), Unit notation is missing in the description of the property involved in the time.
* Bug#87153 (26501245), INCORRECT RESULT OF DBMD.GETVERSIONCOLUMNS() AGAINST MYSQL 8.0.2+.
* Bug#78313 (21931572), proxies not handling Object.equals(Object) calls correctly.
* Bug#85885 (25874048), resultSetConcurrency and resultSetType are swapped in call to prepareStatement.
* Bug#74932 (20066806), ConnectionImp Doesn't Close Server Prepared Statement (PreparedStatement Leak).
* WL#10536, Deprecating COM_SHUTDOWN.
* Bug#25946965, UPDATE THE TIME ZONE MAPPINGS WITH LATEST TZ DATABASES.
* Bug#20182108, INCLUDE CUSTOM LOAD BALANCING STRATEGY USING PLUGIN API.
* Bug#26440544, CONNECTOR/J SHOULD NOT USE TX_{READ_ONLY,ISOLATION} WHICH IS PLANNED FOR REMOVAL.
* Bug#26399958, UNABLE TO CONNECT TO MYSQL 8.0.3.
* Bug#25650305, GETDATE(),GETTIME() AND GETTIMESTAMP() CALL WITH NULL CALENDAR RETURNS NPE.
Changes in 8.0.7
* Bug#26227653, WL#10528 DIFF BEHAVIOUR WHEN SYSTEM PROP JAVAX.NET.SSL.TRUSTSTORETYPE IS SET.
* WL#10528, DevAPI: Ensure all connectors are secure by default.
* WL#8305, Remove internal dependency on connection objects.
* Bug#22972057, X DEVAPI: CLIENT HANGS AFTER CONNECTION FAILURE.
* Bug#26140577, GIS TESTS ARE FAILING WITH MYSQL 8.0.1.
* WL#10765, DevAPI: Forbid modify() and remove() with no condition.
* Bug#26090721, CONNECTION FAILING WHEN SERVER STARTED WITH COLLATION UTF8MB4_DE_PB_0900_AI_CI.
* WL#10781, enum-based connection properties.
* Bug#73775 (19531384), DBMD.getProcedureColumns()/.getFunctionColumns() fail to filter by columnPattern.
* Bug#84324 (25321524), CallableStatement.extractProcedureName() not work when catalog name with dash.
* Bug#79561 (22333996), NullPointerException when calling a fully qualified stored procedure.
* Bug#84783 (25490163), query timeout is not working (thread hang).
* Bug#70704 (17653733), Deadlock using UpdatableResultSet.
* Bug#66430 (16714868), setCatalog on connection leaves ServerPreparedStatement cache for old catalog.
* Bug#70808 (17757070), Set sessionVariables in a single query.
* Bug#77192 (21170603), Description for the Property replicationConnetionGroup Missing from the Manual.
* Bug#83834 (25101890), Typo in Connector/J error message.
* WL#10531, Support utf8mb4 as default charset.
* Bug#85555 (25757019), useConfigs Can't find configuration template named, in mysql-connector-java 6.x
* WL#10529, Move version number to 8.0.
* WL#10530, DevAPI: Remove XSession, rename NodeSession to Session.
* Bug#23510958, CONCURRENT ASYNC OPERATIONS RESULT IN HANG.
* Bug#23597281, GETNODESESSION() CALL WITH SSL PARAMETERS RETURNS CJCOMMUNICATIONSEXCEPTION.
* Bug#25207784, C/J DOESN'T FOLLOW THE FINAL X DEVAPI MY-193 SPECIFICATION.
* Bug#25494338, ENABLEDSSLCIPHERSUITES PARAMETER NOT WORKING AS EXPECTED WITH X-PLUGIN.
* Bug#84084 (25215008), JAVA.LANG.ARRAYINDEXOUTOFBOUNDSEXCEPTION ON ATTEMPT TO GET VALUE FROM RESULTSET.
* WL#10553, Add mapping for Japanese utf8mb4 collation.
* Bug#25575103, NPE FROM CREATETABLE() WHEN SOME OF THE INPUTS ARE NULL.
* Bug#25575156, NPE FROM CREATEVIEW() WHEN SOME OF THE INPUTS ARE NULL.
* Bug#25636947, CONNECTION USING MYSQL CLIENT FAILS IF WE USE THE SSL CERTIFICATES FROM C/J SRC.
* Bug#25687718, INCORRECT TIME ZONE IDENTIFIER IN STATEMENTREGRESSIONTEST.
* Bug#25556597, RESULTSETTEST.TESTPADDING UNIT TEST IS FAILING IN 5.1.41 RELEASE PACKAGE.
* Bug#25517837, CONNECT PERFORMANCE DEGRADED BY 10% IN 5.1.41.
* Bug#25504578, CONNECT FAILS WHEN CONNECTIONCOLLATION=ISO-8859-13.
* Bug#25438355, Improper automatic deserialization of binary data.
* Bug#70785 (17756825), MySQL Connector/J inconsistent init state for autocommit.
* Bug#66884: Property 'elideSetAutoCommits' temporarily defaults to 'false' until this bug is fixed.
* Bug#75615 (21181249), Incorrect implementation of Connection.setNetworkTimeout().
* Bug#81706 (23535001), NullPointerException in driver.
* Bug#83052 (25048543), static method in com.mysql.jdbc.Util relies on null object.
* Bug#69526 (17035755), 'Abandoned connection cleanup thread' at mysql-connector-java-5.1.25.
* Bug#82826 (24942672), Unneeded version requirement for javax.net.ssl Import-Package on OSGi MANIFEST.MF.

Changes in 6.0.6
* Added Core TLS/SSL options for the mysqlx URI scheme.
* Updated collations map.
* Bug#24350526, UNEXPECTED BEHAVIOUR OF IS_NUMBER_SIGNED API IN C/JAVA.
* Bug#82707 (24512766), WRONG MILLI SECOND VALUE RETURNED FROM TIMESTAMP COLUMN.
* Bug#82005 (23702040), JDBCDATEVALUEFACTORY FAILS TO PARSE SOME DATES.
* Bug#83725 (25056803), NPE IN XPROTOCOL.GETPLUGINVERSION() WITH MYSQL 5.7.17.
* Bug#24525461, UPDATABLE RESULTSET FEATURE FAILS WHEN USESERVERPREPSTMTS=TRUE.
* Bug#24527173, QUERY EXECUTION USING PREPARED STMT FAILS WHEN USECURSORFETCH=TRUE.
* Bug#82964 (24658016), JSR-310 DATA TYPES CREATED THROUGH JAVA.SQL TYPES.
* Bug#81202 (23188159), RESULTSETIMPL.GETOBJECT THROWS NULLPOINTEREXCEPTION WHEN FIELD IS NULL.
* Bug#22931277, COLUMN.GETTYPE() RETURNS ERROR FOR VALID DATATYPES.
* Bug#24471057, UPDATE FAILS WHEN THE NEW VALUE IS OF TYPE DBDOC WHICH HAS ARRAY IN IT.
* Bug#81691 (23519211), GETLASTDOCUMENTIDS() DOESN'T REPORT IDS PROVIDED BY USER.
* Bug#82826 (24942672), Unneeded version requirement for javax.net.ssl Import-Package on OSGi MANIFEST.MF.

Changes in 6.0.5
* Bug#82896 (24613062), Unexpected behavior on attempt to connect to JDBC driver with unsupported URL.
* Added client-side failover during XSession initialization for multi-router configuration.
* Removed Extension interface. All extension classes now implement their specific interfaces.
* Bug#22988922, GETLENGTH() RETURNS -1 FOR LONGBLOB AND LONGTEXT FIELDS.
* Bug#24619829, NEW FAILURES IN C/JAVA UNITTESTS AGAINST MYSQL 8.0.
* Bug#75209 (20212882), Set useLocalTransactionState may result in partially committed transaction.
* Bug#48346 (11756431), Communications link failure when reading compressed data with compressed=true.
* Bug#80631 (22891845), ResultSet.getString return garbled result with json type data.
* Bug#64188 (13702433), MysqlXAConnection.MYSQL_ERROR_CODES_TO_XA_ERROR_CODES is missing XA error codes.
* Bug#72632 (18759269), NullPointerException for invalid JDBC URL.
* Bug#82115 (23743956), Some exceptions are intercepted twice or fail to set the init cause.
* Bug#78685 (21938551), Wrong results when retrieving the value of a BIT column as an integer.
* Bug#80615 (22954007), prepared statement leak when rewriteBatchedStatements=true and useServerPrepStmt.
* Extended X DevAPI with flexible parameter lists.
* Added a virtual NodeSession to X DevAPI.

Changes in 6.0.4
* X DevAPI URL prefix changed from "mysql:x:" to "mysqlx:".
* Bug#24301468, X DEVAPI SSL CONNECTION FAILS ON WINDOWS
* The X DevAPI Table object now represents both database tables and views.
* Added support for matching against pattern for X DevAPI list_objects calls.
* Added Schema.getCollections(String pattern) and Schema.getTables(String pattern) interface methods.
* Switched to "mysqlx" namespace for X DevAPI StmtExecute messages. This change is incompatible with MySQL server versions < 5.7.14.
* Bug#82046 (23743947), MYSQL CONNECTOR JAVA OSGI METADATA BROKEN.
* Bug#21690043, CONNECT FAILS WHEN PASSWORD IS BLANK.
* Bug#22931433, GETTING VALUE OF BIT COLUMN RESULTS IN EXCEPTION.

Changes in 6.0.3
* Bug#23535571, EXCESSIVE MEMORY USAGE WHEN ENABLEPACKETDEBUG=TRUE.
* Bug#23212347, ALL API CALLS ON RESULTSET METADATA RESULTS IN NPE WHEN USESERVERPREPSTMTS=TRUE.
* Bug#23201930, CLIENT HANG WHEN RSLT CONCURRENCY=CONCUR_UPDATABLE AND RSLTSET TYPE=FORWARD_ONLY.
* Bug#23188498, CLIENT HANG WHILE USING SERVERPREPSTMT WHEN PROFILESQL=TRUE AND USEIS=TRUE.
* Bug#22678872, NPE DURING UPDATE WITH FABRIC.
* Bug#71131 (18068303), Poor error message in CallableStatement.java.
* Bug#59462 (16736619), ConcurrentModificationException inside ConnectionImpl.closeAllOpenStatements().
* Bug#22848249, LOADBALANCECONNECTIONGROUPMANAGER.REMOVEHOST() NOT WORKING AS EXPECTED.
* Bug#22730682, ARRAYINDEXOUTOFBOUNDSEXCEPTION FROM CONNECTIONGROUPMANAGER.REMOVEHOST().
* Bug#77171 (21181466), On every connect getting sql_mode from server creates unnecessary exception.
* Bug#79343 (22353759), NPE in TimeUtil.loadTimeZoneMappings causing server time zone value unrecognized.
* Bug#22038729, X DevAPI: Any API call after a failed CALL PROC() results in hang
* Replace Schema.drop(), Collection.drop() by X DevAPI's session.dropSchema() and session.dropCollection().
* Added session.dropTable().
* Bug#22932078, GETTIMESTAMP() RETURNS WRONG VALUE FOR FRACTIONAL PART
* Extracted packet readers from MysqlaProtocol.
* Bug#22972057, X protocol CLIENT HANGS AFTER CONNECTION FAILURE
* Bug#23044312, NullPointerException in X protocol AsyncMessageReader due to race condition
* Returned support for MySQL 5.5 and 5.6.

Changes in 6.0.2
* Deprecate the EOF packet.
* Bug#75956, Inserting timestamps using a server PreparedStatement and useLegacyDatetimeCode=false
* Bug#22385172, CONNECTOR/J MANIFEST DOES NOT EXPOSE FABRIC (OSGi).
* Bug#22598938, FABRICMYSQLDATASOURCE.GETCONNECTION() NPE AFTER SWITCHOVER.
* Bug#21286268, CONNECTOR/J REPLICATION USE MASTER IF SLAVE IS UNAVAILABLE.
* Bug#21296840 & Bug#17910835, Server information in a group from Fabric is not refreshed after expired TTL.
* Bug#56122 (11763419), JDBC4 functionality failure when using replication connections.
* Added support for TLSv1.1 and TLSv1.2
* Bug#78961 (22096981), Can't call MySQL procedure with InOut parameters in Fabric environment.
* Bug#56100 (11763401), Replication driver routes DML statements to read-only slaves.
* StandardSSLSocketFactory implements SocketMetadata.
* Bug#21978216, GETTYPEINFO REPORT MAXIMUM PRECISION OF 255 FOR VARBINARY.
* Bug#78706 (21947042), Prefer TLS where supported by MySQL Server.
* Bug#21934573, FABRIC CODE INVOLVED IN THREAD DEADLOCK.
* Bug#21876798, CONNECTOR/J WITH MYSQL FABRIC AND SPRING PRODUCES PROXY ERROR.

Changes in 6.0.1
* Removed useJvmCharsetConverters connection property. JVM charset converters are now used in all cases.
* Refactored value decoding and removed all date/time connection properties
* Refactored connection properties
* Assume existence of INFORMATION_SCHEMA.PARAMETERS (and thus MySQL 5.5) when preparing stored procedure calls.
* Removed retainStatementAfterResultSetClose connection property.
* Null-merge of Bug#54095 (11761585) fix.
* Removed support code for MySQL server versions < 5.7.
* Bug#76859 (20969312), DBMD getColumns using I_S doesn't have column IS_GENERATEDCOLUMN as per JDBC 4.1.
* Added support for GENERATED COLUMNS.
* Update Time Zone mappings with IANA Time Zone database tzdata2015f and Unicode CLDR v.28.
* Update DatabaseMetaData SQL keywords.
* Added tests for Optimizer hints syntax introduced in MySQL 5.7.7.
* Bug#21860833, JSON DATA TYPE DOESN'T WORK WITH SSPS.
* Added support for JSON data type.
* Added support for JDBC 4.2 new features.
* Bug#16634180, LOCK WAIT TIMEOUT EXCEEDED CAUSES SQLEXCEPTION, SHOULD CAUSE SQLTRANSIENTEXCEPTION
* Bug#75849 (20536592), NPE in abortInternal() method on line 1358 of ConnectionImpl.
* Bug#78106 (21648826), Potential memory leak with inflater.
* Bug#78225 (21697684), DEFAULT NO_AUTO_CREATE_USER SQL_MODE BEHAVIOR BROKE SOME TESTS
* Bug#77665 (21415165), JDBC fails to connect with MySQL 5.0.
* Bug#77681 (21429909), rewrite replace sql like insert when rewriteBatchedStatements=true (contribution).
* Bug#77449 (21304726), Add 'truncateFractionalSeconds=true|false' property (contribution).
* Bug#50348 (11758179), mysql connector/j 5.1.10 render the wrong value for dateTime column in GMT DB.
* Bug#75670 (20433047), Connection fails with "Public Key Retrieval is not allowed" for native auth.
* Bug#76187 (20675539), getTypeInfo report maximum precision of 255 for varchar.
* Add test for new syntax 'ALTER TABLE ... DISCARD|IMPORT PARTITION ...' introduced in MySQL 5.7.4.
* Bug#20727196, GETPROCEDURECOLUMNS() RETURNS EXCEPTION FOR FUNCTION WHICH RETURNS ENUM/SET TYPE.
* Bug#19803348, GETPROCEDURES() RETURNS INCORRECT OUTPUT WHEN USEINFORMATIONSCHEMA=FALSE.
* Bug#21215151, DATABASEMETADATA.GETCATALOGS() FAILS TO SORT RESULTS.
* Bug#72630 (18758686), NullPointerException during handshake in some situations
* Bug#20825727, CONNECT FAILURE WHEN TRY TO CONNECT SHA USER WITH DIFFERENT CHARSET.
* Flag RowDataDynamic.isInterrupted removed as it isn't needed.
* Bug#20518653, XSL FILES IN PACKAGES
* Bug#20804635, GETTIME() AND GETDATE() FUNCTIONS FAILS WHEN FRACTIONAL PART EXISTS
* Bug#62452 (16444069), NPE thrown in JDBC4MySQLPooledException when statement is closed.
* Bug#70927 (17810800), Connector/J COM_CHANGE_USER handling is broken
* Bug#75335 (20283655), Maven artifact for Connector/J is missing source jar.
* Bug#75592 (20408891), "SHOW VARIABLES WHERE" is expensive.
* Bug#75113 (20821888), Fail in failover of the connection in MySQL fabric
* Bug#72077 (18425861), Fabric connection with username to a server with disabled auth throws NPE
* Add test for already fixed Bug#72546 (18719760), C/J Fabric createGroup() throws ClassCastException
* Bug#77217 (21184949), ClassCastException when executing a streaming PreparedStatement with Fabric
* Bug#19536760, GETSTRING() CALL AFTER RS.RELATIVE() RETURNS NULLPOINTEREXCEPTION
* Bug#20453712, CLOB.SETSTRING() WITH VALID INPUT RETURNS EXCEPTION
* Bug#20453671, CLOB.POSITION() API CALL WITH CLOB INPUT RETURNS EXCEPTION
* Bug#20685022, SSL CONNECTION TO MYSQL 5.7.6 COMMUNITY SERVER FAILS.
* Bug#20606107, TEST FAILURES WHEN RUNNING AGAINST 5.7.6 SERVER VERSION
* Bug#20533907, BUG#20204783 FIX EXPOSES WRONG BEHAVIORS IN FAILOVER CONNECTIONS.
* Bug#20504139, GETFUNCTIONCOLUMNS() AND GETPROCEDURECOLUMNS() RETURNS ERROR FOR VALID INPUTS.
* Expose PreparedStatement.ParseInfo for external usage, with no capture of the connection
* Bug#75309 (20272931), mysql connector/J driver in streaming mode will in the blocking state.
* New property 'readOnlyPropagatesToServer' controls the implicit propagation of read only transaction access mode to server.
* Bug#54095 (11761585), Unnecessary call in newSetTimestampInternal.
* Bug#67760 (15936413), Deadlock when concurrently executing prepared statements with Timestamp objects.
* Bug#71084 (18028319), Wrong java.sql.Date stored if client and server time zones differ.
* Bug#75080 (20217686), NullPointerException during setTimestamp on Fabric connection.
* Bug#75168 (20204783), loadBalanceExceptionChecker interface cannot work using JDBC4/JDK7.
* Bug#73595 (19465516), Replace usage of StringBuffer in JDBC driver.
* Bug#18925727, SQL INJECTION IN MYSQL JDBC DRIVER.
* Bug#74998 (20112694), readRemainingMultiPackets not computed correctly for rows larger than 16 MB.
* Bug#73012 (19219158), Precedence between timezone options is unclear.
* Implement support for connecting through SOCKS proxies (WL#8105).
* Ant buildfile reworked to fix incompatibilities with latest Eclipse
* Bug#18474141, TESTSUITE.FABRIC TEST CASES FAIL IF NO FABRIC.TESTSUITE PROPERTIES PROVIDED
* Bug#19383371, CONNECT USING MYSQL_OLD_PASSWORD USER FAILS WHEN PWD IS BLANK
* Bug#17441747, C/J DOESN'T SUPPORT XA RECOVER OUTPUT FORMAT CHANGED IN MYSQL 5.7.
* Bug#19145408, Error messages may not be interpreted according to the proper character set
* Bug#19505524, UNIT TEST SUITE DOES NOT CONSIDER ALL THE PARAMETERS PASSED TO BUILD.XML.
* Bug#73474 (19365473), Invalid empty line in MANIFEST.MF
* Bug#70436 (17527948), Incorrect mapping of windows timezone to Olson timezone.
* Bug#73163 (19171665), IndexOutOfBoundsException thrown preparing statement.
* Added support for gb18030 character set
* Bug#73663 (19479242), utf8mb4 does not work for connector/j >=5.1.13
* Bug#73594 (19450418), ClassCastException in MysqlXADataSource if pinGlobalTxToPhysicalConnection=true
* Bug#19354014, changeUser() call results in "packets out of order" error when useCompression=true.
* Bug#73577 (19443777), CHANGEUSER() CALL WITH USECOMPRESSION=TRUE COULD LEAD TO IO FREEZE
* Bug#19172037, TEST FAILURES WHEN RUNNING AGAINST 5.6.20 SERVER VERSION
* Bug#71923 (18344403), Incorrect generated keys if ON DUPLICATE KEY UPDATE not exact.
* Bug#72502 (18691866), NullPointerException in isInterfaceJdbc() when using DynaTrace
* Bug#72890 (18970520), Java jdbc driver returns incorrect return code when it's part of XA transaction.
* Fabric client now supports Fabric 1.5. Older versions are no longer supported.
* Bug#71672 (18232840), Every SQL statement is checked if it contains "ON DUPLICATE KEY UPDATE" or not.
* Bug#73070 (19034681), Preparing a stored procedure call with Fabric results in an exception
* Bug#73053 (19022745), Endless loop in MysqlIO.clearInputStream due to Linux kernel bug.
* Bug#18869381, CHANGEUSER() FOR SHA USER RESULTS IN NULLPOINTEREXCEPTION
* Bug#62577 (16722757), XA connection fails with ClassCastException
* Bug#18852587, CONNECT WITH A USER CREATED USING SHA256_PASSWORD PLUGIN FAILS WHEN PWD IS BLANK
* Bug#18852682, TEST TESTSHA256PASSWORDPLUGIN FAILS WHEN EXECUTE AGAINST COMMERCIAL SERVER
* failing tests when running test suite with Java 6+.
* Bug#72712 (18836319), No way to configure Connector JDBC to not do extra queries on connection
- Adjust log4j/log4j-mini dependencies to account for the lack of log4j12/log4jmini12 Provides in some code streams.

Changes in javapackages-tools:
- Can't assume non-existence of python38 macros in Leap. gh#openSUSE/python-rpm-macros#107 Test for suse_version instead. Only Tumbleweed has and needs the python_subpackage_only support.
- Fix typo in spec file sitearch -> sitelib
- Fix the python subpackage generation gh#openSUSE/python-rpm-macros#79
- Support python subpackages for each flavor gh#openSUSE/python-rpm-macros#66
- Replace old nose with pytest gh#fedora-java/javapackages#86
- when building extra flavor, BuildRequire javapackages-filesystem: /etc/java is being cleaned out of the filesystems package.
- Upgrade to version 5.3.1
- Define _rpmmacrodir for distributions that don't have it
- Use %{_rpmmacrodir} instead of %{_libexecdir}/rpm/macros.d: this just happens to overlap in some distros.
- Rename gradle-local and ivy-local to javapackages-gradle and javapackages-ivy and let them depend only on javapackages-tools and javapackages-local. These packages only install files produced during the javapackages-tools build. The dependencies will be pulled by gradle-local, ivy-local and maven-local meta-packages built in a separate spec file.
- Split maven-local meta-package out of javapackages-tools spec file
- Make the ivy-local and maven-local sub-packages depend on the right stuff, so that they actually can be used for building
- Provide both com.sun:tools and sun.jdk:jconsole that are part of standard OpenJDK installation. These provides cannot be generated from metadata due to build sequence.
  + fix directories for eclipse.conf too
- Make the javapackages-local package depend on java-devel. It is used for package building and this avoids each package to require java-devel itself.
- Replace the occurrences of /usr/lib by libdir in configuration files too
- Update to version 5.3.0
- Modified patch:
  - Build the :extras flavour as noarch
  + we did not bump epoch of OpenJDK packages in SUSE
  + fix a potential generation of unresolvable requires
  + adapt the tests to not expect the epoch
- Switch to multibuild layout
- Update to version 5.2.0+git20180620.70fa2258:
  * Rename the async kwarg in call_script to wait (reverses the logic)
  * Actually bump version to 5.3.0 snapshot
  * Bump version in VERSION file
  * [man] s/Pacakge/Package/g
  * Fix typos in README
  * Fix configure-base.sh after filesystem macro split
  * Split filesystem macros to separate macro file
  * Introduce javapackages-filesystem package
  * [java-functions] extend ABRT Java agent options
  * change abrt-java-connector upstream URL
  * Remove resolverSettings/prefixes from XMvn config
  * Add macros to allow passing arbitrary options to XMvn
  * [spec] Bump package version to 5.1.0
  * Allow specifying custom repo when calling xmvn-install
- Update to version 5.0.0+git20180104.9367c8f6:
  * [java-functions] Avoid colons in jar names
  * Workaround for SCL enable scripts not working with -e
  * Second argument to pom_xpath_inject is mandatory
  * [mvn_artifact] Provide more helpful error messages
  * Fix traceback on corrupt zipfile
  * [test] Add reproducer for rhbz#1481005
  * [spec] Fix default JRE path
  * [readme] Fix typo
  * Add initial content to README.md (#21)
  * Decouple JAVA_HOME setting from java command alternatives
- Fix url to correct one https://github.com/fedora-java/javapackages
- Split to python and non-python edition for smaller depgraph
- Fix abs2rel shebang:
- Fix Requires on subpackages to point to javapackages-tools proper
- Update to version 4.7.0+git20170331.ef4057e7:
  * Reimplement abs2rel in Python
  * Don't expand {scl} in macro definitions
  * Install expanded rpmfc attr files
  * [spec] Avoid file conflicts between in SCL
  * Fix macros.d directory ownership
  * Make %ant macro enable SCL when needed
  * [spec] Fix file conflicts between SCL and non-SCL packages
  * Fix ownership of ivyxmldir
  * [test] Force locale for python processes
  * Don't include timestamp in generated pom.properties
  * We switch to /usr/lib/ location for macros
- Try to reduce some dependencies bsc#1036025
- python-lxml 3.5.0 introduces validation for xml comments, and one of the comments created in this package was not valid. This patch fixes the problem. It is backported from upstream and should be in the next release.
https://github.com/mizdebsk/javapackages/commit/84211c0ee761e93ee507f5d37e9 fc80ec377e89d - Version update to 4.6.0: * various bugfixes for maven tooling * introduction to gradle-local package for gradle packaging - Drop dependency over source-highlight as it causes build cycle - Try to break buildcycle detected on Factory - Fix build on SLE11 - Use python-devel instead of pkgconfig to build on sle11 - Add python-javapackages as requirement for main package - Update requires on python packages to properly have all the needed dependencies on runtime - Install macros to /etc/rpm as we do in SUSE: - Cleanup with spec-cleaner - Fix rpmlint errors - Enable maven-local - Avoid unsatisfiable dependencies - Enable unit tests - Update to version 4.4.0 - create directories for java, so that ant build works - Add virtual provide jpackage-utils-java9 to be able to distinguish the presence of java9 compatibility - fix bashisms - SLES patch for ZipFile, having no attribute '__exit__' which was causing ecj build failures - set correct libxslt package when building for SLES Changes in javassist: + Add OSGi manifest to the javassist.jar - Allow building on systems that do not have java 9 or higher - Install and package the maven pom and metadata files - BuildRequire at least Java 9. This version uses APIs introduced in Java 9 - Replace old $RPM_* shell vars by macros. - Version update to 3.23.1: * 3.23.1 Github PR #171 * 3.23 Fix leaking file handlers in ClassPool and removed ClassPath.close(). Github issue #165 * 3.22 Java 9 supports. JIRA JASSIST-261. - Specify java target and source version 1.6 in order to allow building with jdk9 - fix javadoc errors that are fatal with jdk9 - Version update to 3.21.0: * various compiler settings * Require java >= 1.6 - Update to version 3.19.0 * Including a number of bug fixes and Java 8 supports. 
- Clean up specfile
- Remove redundant %clean section
- Build for java API 1.5
- Remove unzip requirement
- Update home page and download source URLs

Changes in protobuf:

- Update to 3.17.3:
  C++
  * Introduce FieldAccessListener.
  * Stop emitting boilerplate {Copy/Merge}From in each ProtoBuf class
  * Provide stable versions of SortAndUnique().
  * Make sure to cache proto3 optional message fields when they are cleared.
  * Expose UnsafeArena methods to Reflection.
  * Use std::string::empty() rather than std::string::size() > 0.
  * [Protoc] C++ Resolved an issue where NO_DESTROY and CONSTINIT are in
    incorrect order (#8296)
  * Fix PROTOBUF_CONSTINIT macro redefinition (#8323)
  * Delete StringPiecePod (#8353)
  * Create a CMake option to control whether or not RTTI is enabled (#8347)
  * Make util::Status more similar to absl::Status (#8405)
  * The ::pb namespace is no longer exposed due to conflicts.
  * Allow MessageDifferencer::TreatAsSet() (and friends) to override previous
    calls instead of crashing.
  * Reduce the size of generated proto headers for protos with string or bytes
    fields.
  * Move arena() operation on uncommon path to out-of-line routine
  * For iterator-pair function parameter types, take both iterators by value.
  * Code-space savings and perhaps some modest performance improvements in
    RepeatedPtrField.
  * Eliminate nullptr check from every tag parse.
  * Remove unused _$name$cached_byte_size fields.
  * Serialize extension ranges together when not broken by a proto field in
    the middle.
  * Do out-of-line allocation and deallocation of string object in ArenaString.
  * Streamline ParseContext::ParseMessage to avoid code bloat and improve
    performance.
  * New member functions RepeatedField::Assign, RepeatedPtrField::{Add, Assign}.
    on an error path.
  * util::DefaultFieldComparator will be final in a future version of protobuf.
    Subclasses should inherit from SimpleFieldComparator instead.
  Kotlin
  * Introduce support for Kotlin protos (#8272)
  * Restrict extension setter and getter operators to non-nullable T.
  Java
  * Fixed parser to check that we are at a proper limit when a sub-message has
    finished parsing.
  * updating GSON and Guava to more recent versions (#8524)
  * Reduce the time spent evaluating isExtensionNumber by storing the extension
    ranges in a TreeMap for faster queries. This is particularly relevant for
    protos which define a large number of extension ranges, for example when
    each tag is defined as an extension.
  * Fix java bytecode estimation logic for optional fields.
  * Optimize Descriptor.isExtensionNumber.
  * deps: update JUnit and Truth (#8319)
  * Detect invalid overflow of byteLimit and return
    InvalidProtocolBufferException as documented.
  * Exceptions thrown while reading from an InputStream in parseFrom are now
    included as causes.
  * Support potentially more efficient proto parsing from RopeByteStrings.
  * Clarify runtime of ByteString.Output.toStringBuffer().
  * Added UnsafeByteOperations to protobuf-lite (#8426)
  Python
  * Add MethodDescriptor.CopyToProto() (#8327)
  * Remove unused python_protobuf.{cc,h} (#8513)
  * Start publishing python aarch64 manylinux wheels normally (#8530)
  * Fix constness issue detected by MSVC standard conforming mode (#8568)
  * Make JSON parsing match C++ and Java when multiple fields from the same
    oneof are present and all but one is null.
  * Fix some constness / char literal issues being found by MSVC standard
    conforming mode (#8344)
  * Switch on "new" buffer API (#8339)
  * Enable crosscompiling aarch64 python wheels under dockcross manylinux
    docker image (#8280)
  * Fixed a bug in text format where a trailing colon was printed for repeated
    field.
  * When TextFormat encounters a duplicate message map key, replace the current
    one instead of merging.
  Ruby
  * Add support for proto3 json_name in compiler and field definitions (#8356)
  * Fixed memory leak of Ruby arena objects. (#8461)
  * Fix source gem compilation (#8471)
  * Fix various exceptions in Ruby on 64-bit Windows (#8563)
  * Fix crash when calculating Message hash values on 64-bit Windows (#8565)
  General
  * Support M1 (#8557)
- Update to 3.15.8:
  - Fixed memory leak of Ruby arena objects (#8461)
- update to 3.15.7:
  C++
  * Remove the ::pb namespace (alias) (#8423)
  Ruby
  * Fix unbounded memory growth for Ruby <2.7 (#8429)
  * Fixed message equality in cases where the message type is different (#8434)
- Can't assume non-existence of python38 macros in Leap.
  gh#openSUSE/python-rpm-macros#107 Test for suse_version instead. Only
  Tumbleweed has and needs the python_subpackage_only support.
- update to 3.15.6:
  Ruby
  * Fixed bug in string comparison logic (#8386)
  * Fixed quadratic memory use in array append (#8379)
  * Fixed SEGV when users pass nil messages (#8363)
  * Fixed quadratic memory usage when appending to arrays (#8364)
  * Ruby <2.7 now uses WeakMap too, which prevents memory leaks. (#8341)
  * Fix for FieldDescriptor.get(msg) (#8330)
  * Bugfix for Message.[] for repeated or map fields (#8313)
  PHP
  * read_property() handler is not supposed to return NULL (#8362)
  Protocol Compiler
  * Optional fields for proto3 are enabled by default, and no longer require
    the --experimental_allow_proto3_optional flag.
  C++
  * Do not disable RTTI by default in the CMake build (#8377)
  * Create a CMake option to control whether or not RTTI is enabled (#8361)
  * Fix PROTOBUF_CONSTINIT macro redefinition (#8323)
  * MessageDifferencer: fixed bug when using custom ignore with multiple
    unknown fields
  * Use init_seg in MSVC to push initialization to an earlier phase.
  * Runtime no longer triggers -Wsign-compare warnings.
  * Fixed -Wtautological-constant-out-of-range-compare warning.
  * DynamicCastToGenerated works for nullptr input even if RTTI is disabled
  * Arena is refactored and optimized.
  * Clarified/specified that the exact value of Arena::SpaceAllocated() is an
    implementation detail users must not rely on. It should not be used in
    unit tests.
  * Change the signature of Any::PackFrom() to return false on error.
  * Add fast reflection getter API for strings.
  * Constant initialize the global message instances
  * Avoid potential for missed wakeup in UnknownFieldSet
  * Now Proto3 Oneof fields have "has" methods for checking their presence in
    C++.
  * Bugfix for NVCC
  * Return early in _InternalSerialize for empty maps.
  * Adding functionality for outputting map key values in proto path logging
    output (does not affect comparison logic) and stop printing 'value' in the
    path. The modified print functionality is in the
    MessageDifferencer::StreamReporter.
  * Fixed https://github.com/protocolbuffers/protobuf/issues/8129
  * Ensure that null char symbol, package and file names do not result in a
    crash.
  * Constant initialize the global message instances
  * Pretty print 'max' instead of numeric values in reserved ranges.
  * Removed remaining instances of std::is_pod, which is deprecated in C++20.
  * Changes to reduce code size for unknown field handling by making uncommon
    cases out of line.
  * Fix std::is_pod deprecated in C++20 (#7180)
  * Fix some -Wunused-parameter warnings (#8053)
  * Fix detecting file as directory on zOS issue #8051 (#8052)
  * Don't include sys/param.h for _BYTE_ORDER (#8106)
  * remove CMAKE_THREAD_LIBS_INIT from pkgconfig CFLAGS (#8154)
  * Fix TextFormatMapTest.DynamicMessage issue#5136 (#8159)
  * Fix for compiler warning issue#8145 (#8160)
  * fix: support deprecated enums for GCC < 6 (#8164)
  * Fix some warning when compiling with Visual Studio 2019 on x64 target
    (#8125)
  Python
  * Provided an override for the reverse() method that will reverse the
    internal collection directly instead of using the other methods of the
    BaseContainer.
  * MessageFactory.CreatePrototype can be overridden to customize class
    creation.
  * Fix PyUnknownFields memory leak (#7928)
  * Add macOS big sur compatibility (#8126)
  JavaScript
  * Generate `getDescriptor` methods with `*` as their `this` type.
  * Enforce `let/const` for generated messages.
  * js/binary/utils.js: Fix jspb.utils.joinUnsignedDecimalString to work with
    negative bitsLow and low but non-zero bitsHigh parameter. (#8170)
  PHP
  * Added support for PHP 8. (#8105)
  * unregister INI entries and fix invalid read on shutdown (#8042)
  * Fix PhpDoc comments for message accessors to include "|null". (#8136)
  * fix: convert native PHP floats to single precision (#8187)
  * Fixed PHP to support field numbers >=2**28. (#8235)
  * feat: add support for deprecated fields to PHP compiler (#8223)
  * Protect against stack overflow if the user derives from Message. (#8248)
  * Fixed clone for Message, RepeatedField, and MapField. (#8245)
  * Updated upb to allow nonzero offset minutes in JSON timestamps. (#8258)
  Ruby
  * Added support for Ruby 3. (#8184)
  * Rewrote the data storage layer to be based on upb_msg objects from the upb
    library. This should lead to much better parsing performance, particularly
    for large messages. (#8184).
  * Fill out JRuby support (#7923)
  * [Ruby] Fix: (SIGSEGV) gRPC-Ruby issue on Windows. memory alloc infinite
    recursion/run out of memory (#8195)
  * Fix jruby support to handle messages nested more than 1 level deep (#8194)
  Java
  * Avoid possible UnsupportedOperationException when using CodedInputStream
    with a direct ByteBuffer.
  * Make Durations.comparator() and Timestamps.comparator() Serializable.
  * Add more detailed error information for dynamic message field type
    validation failure
  * Removed declarations of functions declared in java_names.h from
    java_helpers.h.
  * Now Proto3 Oneof fields have "has" methods for checking their presence in
    Java.
  * Annotates Java proto generated *_FIELD_NUMBER constants.
  * Add -assumevalues to remove JvmMemoryAccessor on Android.
  C#
  * Fix parsing negative Int32Value that crosses segment boundary (#8035)
  * Change ByteString to use memory and support unsafe create without copy
    (#7645)
  * Optimize MapField serialization by removing MessageAdapter (#8143)
  * Allow FileDescriptors to be parsed with extension registries (#8220)
  * Optimize writing small strings (#8149)
- Updated URL to https://github.com/protocolbuffers/protobuf
- Update to v3.14.0
  Protocol Compiler
  * The proto compiler no longer requires a .proto filename when it is not
    generating code.
  * Added flag `--deterministic_output` to `protoc --encode=...`.
  * Fixed deadlock when using google.protobuf.Any embedded in aggregate
    options.
  C++
  * Arenas are now unconditionally enabled. cc_enable_arenas no longer has any
    effect.
  * Removed inlined string support, which is incompatible with arenas.
  * Fix a memory corruption bug in reflection when mixing optional and
    non-optional fields.
  * Make SpaceUsed() calculation more thorough for map fields.
  * Add stack overflow protection for text format with unknown field values.
  * FieldPath::FollowAll() now returns a bool to signal if an out-of-bounds
    error was encountered.
  * Performance improvements for Map.
  * Minor formatting fix when dumping a descriptor to .proto format with
    DebugString.
  * UBSAN fix in RepeatedField
  * When running under ASAN, skip a test that makes huge allocations.
  * Fixed a crash that could happen when creating more than 256 extensions in
    a single message.
  * Fix a crash in BuildFile when passing in invalid descriptor proto.
  * Parser security fix when operating with CodedInputStream.
  * Warn against the use of AllowUnknownExtension.
  * Migrated to C++11 for-range loops instead of index-based loops where
    possible. This fixes a lot of warnings when compiling with -Wsign-compare.
  * Fix segmentation fault for proto3 optional
  * Adds a CMake option to build `libprotoc` separately
  Java
  * Bugfix in mergeFrom() when a oneof has multiple message fields.
  * Fix RopeByteString.RopeInputStream.read() returning -1 when told to read 0
    bytes when not at EOF.
  * Redefine remove(Object) on primitive repeated field Lists to avoid
    autoboxing.
  * Support "\u" escapes in textformat string literals.
  * Trailing empty spaces are no longer ignored for FieldMask.
  * Fix FieldMaskUtil.subtract to recursively remove mask.
  * Mark enums with `@java.lang.Deprecated` if the proto enum has option
    `deprecated = true;`.
  * Adding forgotten duration.proto to the lite library
  Python
  * Print google.protobuf.NullValue as null instead of "NULL_VALUE" when it is
    used outside WKT Value/Struct.
  * Fix bug occurring when attempting to deep copy an enum type in python 3.
  * Add a setuptools extension for generating Python protobufs
  * Remove uses of pkg_resources in non-namespace packages
  * [bazel/py] Omit google/__init__.py from the Protobuf runtime
  * Removed the unnecessary setuptools package dependency for Python package
  * Fix PyUnknownFields memory leak
  PHP
  * Added support for "==" to the PHP C extension
  * Added `==` operators for Map and Array
  * Native C well-known types
  * Optimized away hex2bin() call in generated code
  * New version of upb, and a new hash function wyhash in third_party
  * add missing hasOneof method to check presence of oneof fields
  Go:
  * Update go_package options to reference google.golang.org/protobuf module.
  C#:
  * annotate ByteString.CopyFrom(ReadOnlySpan) as SecuritySafeCritical
  * Fix C# optional field reflection when there are regular fields too
  * Fix parsing negative Int32Value that crosses segment boundary
  Javascript:
  * JS: parse (un)packed fields conditionally
- from version 3.13.0
  PHP:
  * The C extension is completely rewritten. The new C extension has
    significantly better parsing performance and fixes a handful of
    conformance issues. It will also make it easier to add support for more
    features like proto2 and proto3 presence.
  * The new C extension does not support PHP 5.x. PHP 5.x users can still use
    pure-PHP.
  C++:
  * Removed deprecated unsafe arena string accessors
  * Enabled heterogeneous lookup for std::string keys in maps.
  * Removed implicit conversion from StringPiece to std::string
  * Fix use-after-destroy bug when the Map is allocated in the arena.
  * Improved the randomness of map ordering
  * Added stack overflow protection for text format with unknown fields
  * Use std::hash for proto maps to help with portability.
  * Added more Windows macros to proto whitelist.
  * Arena constructors for map entry messages are now marked "explicit" (for
    regular messages they were already explicit).
  * Fix subtle aliasing bug in RepeatedField::Add
  * Fix mismatch between MapEntry ByteSize and Serialize with respect to unset
    fields.
  Python:
  * JSON format conformance fixes:
    * Reject lowercase t for Timestamp json format.
    * Print full_name directly for extensions (no camelCase).
    * Reject boolean values for integer fields.
    * Reject NaN, Infinity, -Infinity that is not quoted.
    * Base64 fixes for bytes fields: accept URL-safe base64 and missing
      padding.
  * Bugfix for fields/files named "async" or "await".
  * Improved the error message when AttributeError is returned from
    __getattr__ in EnumTypeWrapper.
  Java:
  * Fixed a bug where setting optional proto3 enums with setFooValue() would
    not mark the value as present.
  * Add Subtract function to FieldMaskUtil.
  C#:
  * Dropped support for netstandard1.0 (replaced by support for
    netstandard1.1). This was required to modernize the parsing stack to use
    the `Span` type internally
  * Add `ParseFrom(ReadOnlySequence)` method to enable GC friendly parsing
    with reduced allocations and buffer copies
  * Add support for serialization directly to a `IBufferWriter` or to a
    `Span` to enable GC friendly serialization. The new API is available as
    extension methods on the `IMessage` type
  * Add `GOOGLE_PROTOBUF_REFSTRUCT_COMPATIBILITY_MODE` define to make
    generated code compatible with old C# compilers (pre-roslyn compilers from
    .NET framework and old versions of mono) that do not support ref structs.
    Users that are still on a legacy stack that does not support C# 7.2
    compiler might need to use the new define in their projects to be able to
    build the newly generated code
  * Due to the major overhaul of parsing and serialization internals, it is
    recommended to regenerate your generated code to achieve the best
    performance (the legacy generated code will still work, but might incur a
    slight performance penalty).
- Fix the python subpackage generation gh#openSUSE/python-rpm-macros#79
- Support multiple python3 flavors gh#openSUSE/python-rpm-macros#66
- Update to version 3.12.3; notable changes since 3.11.4:
  Protocol Compiler
  * [experimental] Singular, non-message typed fields in proto3 now support
    presence tracking. This is enabled by adding the "optional" field label
    and passing the --experimental_allow_proto3_optional flag to protoc.
    * For usage info, see docs/field_presence.md.
    * During this experimental phase, code generators should update to support
      proto3 presence, see docs/implementing_proto3_presence.md for
      instructions.
  * Allow duplicate symbol names when multiple descriptor sets are passed on
    the command-line, to match the behavior when multiple .proto files are
    passed.
  * Deterministic `protoc --descriptor_set_out` (#7175)
  Objective-C
  * Tweak the union used for Extensions to support old generated code. #7573
  * Fix for the :protobuf_objc target in the Bazel BUILD file. (#7538)
  * [experimental] ObjC Proto3 optional support (#7421)
  * Block subclassing of generated classes (#7124)
  * Use references to Obj C classes instead of names in descriptors. (#7026)
  * Revisit how the WKTs are bundled with ObjC. (#7173)
  C++
  * Simplified the template export macros to fix the build for mingw32.
    (#7539)
  * [experimental] Added proto3 presence support.
  * New descriptor APIs to support proto3 presence.
  * Enable Arenas by default on all .proto files.
  * Documented that users are not allowed to subclass Message or MessageLite.
  * Mark generated classes as final; inheriting from protos is strongly
    discouraged.
  * Add stack overflow protection for text format with unknown fields.
  * Add accessors for map key and value FieldDescriptors.
  * Add FieldMaskUtil::FromFieldNumbers().
  * MessageDifferencer: use ParsePartial() on Any fields so the diff does not
    fail when there are missing required fields.
  * ReflectionOps::Merge(): lookup messages in the right factory, if it can.
  * Added Descriptor::WellKnownTypes enum and Descriptor::well_known_type()
    accessor as an easier way of determining if a message is a Well-Known
    Type.
  * Optimized RepeatedField::Add() when it is used in a loop.
  * Made proto move/swap more efficient.
  * De-virtualize the GetArena() method in MessageLite.
  * Improves performance of json_stream_parser.cc by factor 1000 (#7230)
  * bug: #7076 undefine Windows OUT and OPTIONAL macros (#7087)
  * Fixed a bug in FieldDescriptor::DebugString() that would erroneously print
    an "optional" label for a field in a oneof.
  * Fix bug in parsing bool extensions that assumed they are always 1 byte.
  * Fix off-by-one error in FieldOptions::ByteSize() when extensions are
    present.
  * Clarified the comments to show an example of the difference between
    Descriptor::extension and DescriptorPool::FindAllExtensions.
  * Add a compiler option 'code_size' to force optimize_for=code_size on all
    protos where this is possible.
  Ruby
  * Re-add binary gems for Ruby 2.3 and 2.4. These are EOL upstream, however
    many people still use them and dropping support will require more
    coordination.
  * [experimental] Implemented proto3 presence for Ruby. (#7406)
  * Stop building binary gems for ruby <2.5 (#7453)
  * Fix for wrappers with a zero value (#7195)
  * Fix for JSON serialization of 0/empty-valued wrapper types (#7198)
  * Call "Class#new" over rb_class_new_instance in decoding (#7352)
  * Build extensions for Ruby 2.7 (#7027)
  * assigning 'nil' to submessage should clear the field. (#7397)
  Java
  * [experimental] Added proto3 presence support.
  * Mark java enum _VALUE constants as @Deprecated if the enum field is
    deprecated
  * reduce size for enums with allow_alias set to true.
  * Sort map fields alphabetically by the field's key when printing textproto.
  * Fixed a bug in map sorting that appeared in -rc1 and -rc2 (#7508).
  * TextFormat.merge() handles Any as top level type.
  * Throw a descriptive IllegalArgumentException when calling
    getValueDescriptor() on enum special value UNRECOGNIZED instead of
    ArrayIndexOutOfBoundsException.
  * Fixed an issue with JsonFormat.printer() where setting
    printingEnumsAsInts() would override the configuration passed into
    includingDefaultValueFields().
  * Implement overrides of indexOf() and contains() on primitive lists
    returned for repeated fields to avoid autoboxing the list contents.
  * Add overload to FieldMaskUtil.fromStringList that accepts a descriptor.
  * [bazel] Move Java runtime/toolchains into //java (#7190)
  Python
  * [experimental] Added proto3 presence support.
  * [experimental] fast import protobuf module, only works with cpp generated
    code linked in.
  * Truncate 'float' fields to 4 bytes of precision in setters for
    pure-Python implementation (C++ extension was already doing this).
  * Fixed a memory leak in C++ bindings.
  * Added a deprecation warning when code tries to create Descriptor objects
    directly.
  * Fix unintended comparison between bytes and string in descriptor.py.
  * Avoid printing excess digits for float fields in TextFormat.
  * Remove Python 2.5 syntax compatibility from the proto compiler generated
    _pb2.py module code.
  * Drop 3.3, 3.4 and use single version docker images for all python tests
    (#7396)
  JavaScript
  * Fix js message pivot selection (#6813)
  PHP
  * Persistent Descriptor Pool (#6899)
  * Implement lazy loading of php class for proto messages (#6911)
  * Correct @return in Any.unpack docblock (#7089)
  * Ignore unknown enum value when ignore_unknown specified (#7455)
  C#
  * [experimental] Add support for proto3 presence fields in C# (#7382)
  * Mark GetOption API as obsolete and expose the "GetOptions()" method on
    descriptors instead (#7491)
  * Remove Has/Clear members for C# message fields in proto2 (#7429)
  * Enforce recursion depth checking for unknown fields (#7132)
  * Fix conformance test failures for Google.Protobuf (#6910)
  * Cleanup various bits of Google.Protobuf (#6674)
  * Fix latest ArgumentException for C# extensions (#6938)
  * Remove unnecessary branch from ReadTag (#7289)
  Other
  * Add a proto_lang_toolchain for javalite (#6882)
  * [bazel] Update gtest and deprecate //external:{gtest,gtest_main} (#7237)
  * Add application note for explicit presence tracking. (#7390)
  * Howto doc for implementing proto3 presence in a code generator. (#7407)
- Python: Add requirement on python-six
- Update to version 3.11.4; notable changes since 3.9.2:
  * C++: Make serialization method naming consistent
  * C++: Moved ShutdownProtobufLibrary() to message_lite.h. For backward
    compatibility a declaration is still available in stubs/common.h, but
    users should prefer message_lite.h
  * C++: Removed non-namespace macro EXPECT_OK()
  * C++: Removed mathlimits.h from stubs in favor of using std::numeric_limits
    from C++11
  * C++: Support direct pickling of nested messages
  * C++: Disable extension code gen for C#
  * C++: Switch the proto parser to the faster MOMI parser
  * C++: Unused imports of files defining descriptor extensions will now be
    reported
  * C++: Add proto2::util::RemoveSubranges to remove multiple subranges in
    linear time
  * C++: Support 32 bit values for ProtoStreamObjectWriter to Struct
  * C++: Removed the internal-only header coded_stream_inl.h and the
    internal-only methods defined there
  * C++: Enforced no SWIG wrapping of descriptor_database.h (other headers
    already had this restriction)
  * C++: Implementation of the equivalent of the MOMI parser for
    serialization. This removes one of the two serialization routines, by
    making the fast array serialization routine completely general.
    SerializeToCodedStream can now be implemented in terms of the much much
    faster array serialization. The array serialization regresses slightly,
    but when array serialization is not possible this wins big
  * C++: Add move constructor for Reflection's SetString
  * Java: Remove the usage of MethodHandle, so that Android users prior to API
    version 26 can use protobuf-java
  * Java: Publish ProGuard config for javalite
  * Java: Include unknown fields when merging proto3 messages in Java lite
    builders
  * Java: Have oneof enums implement a separate interface (other than
    EnumLite) for clarity
  * Java: Opensource Android Memory Accessors
  * Java: Change ProtobufArrayList to use Object[] instead of ArrayList for
    5-10% faster parsing
  * Java: Make a copy of JsonFormat.TypeRegistry at the protobuf top level
    package. This will eventually replace JsonFormat.TypeRegistry
  * Java: Add Automatic-Module-Name entries to the Manifest
  * Python: Add float_precision option in json format printer
  * Python: Optionally print bytes fields as messages in unknown fields, if
    possible
  * Python: Experimental code gen (fast import protobuf module) which only
    works with cpp generated code linked in
  * Python: Add descriptor methods in descriptor_pool are deprecated
  * Python: Added delitem for Python extension dict
  * JavaScript: Remove guard for Symbol iterator for jspb.Map
  * JavaScript: Remove deprecated boolean option to getResultBase64String()
  * JavaScript: Change the parameter types of binaryReaderFn in
    ExtensionFieldBinaryInfo to (number, ?, ?)
  * JavaScript: Create dates.ts and time_of_days.ts to mirror Java versions.
    This is a near-identical conversion of c.g.type.util.{Dates,TimeOfDays}
    respectively
  * JavaScript: Migrate moneys to TypeScript
  * PHP: Increase php7.4 compatibility
  * PHP: Implement lazy loading of php class for proto messages
  * Ruby: Support hashes for struct initializers
  * C#: Experimental proto2 support is now officially available
  * C#: Change _Extensions property to normal body rather than expression
  * Objective C: Remove OSReadLittle* due to alignment requirements
  * Other: Override CocoaPods module to lowercase
  * further bugfixes and optimisations
- Use tarball provided by upstream
- Small package cleanup
- Updated to version 3.9.2 (bsc#1162343)
  (Objective-C)
  * Remove OSReadLittle* due to alignment requirements. (#6678)
  * Don't use unions and instead use memcpy for the type swaps. (#6672)
- Package also the protobuf-bom pom file
- Update to new upstream release 3.9.1
  * Optimized the implementation of RepeatedPtrFieldBase.
  * Added delimited parse and serialize util.
  * Added FieldDescriptor::PrintableNameForExtension() and
    DescriptorPool::FindExtensionByPrintableName(). The latter will replace
    Reflection::FindKnownExtensionByName().
  * Created a new Add method in repeated field that allows adding a range of
    elements all at once.
  * Drop building wheel for Python 3.4.
- Specify java source and target levels in order to build compatible
  protobuf-java binaries
- Update to new upstream release 3.8.0
  * Introduced new MOMI (maybe-outside-memory-interval) parser.
  * Added use of C++ override keyword where appropriate.
  * Always declare enums to be int-sized.
  * Append '_' to C++ reserved keywords for message, enum, extension.
- Disable LTO (boo#1133277).
- fixes build with Bazel 0.22.0.
- Add protobuf-source package - some programs using gRPC and protobuf need
  protobuf definitions which are included inside the source code, but are not
  included in the devel package.
- Add maven pom files to the protobuf-java package
- update to version v3.6.1:
  * PHP namespaces for nested messages and enums (#4536)
  * Allows the json marshaller to be passed json marshal options (#4252)
  * Make sure to delete temporary maps used by FileDescriptorTables
  * fix python cpp kokoro build
  * Change C# reflection to avoid using expression trees
  * Updated checked-in generated code
  * Removed unused variables in repeated_scalar_container.cc
  * Removed unused code pertaining to shared_ptr
  * Include no_package.proto in Python test
  * Only check filenames when end with .py in _CalledFromGeneratedFile()
    (#4262)
  * Convert descriptortype to type for upb_msgval_sizeof (#4357)
  * Removed duplicate using statement from ReflectionUtil.cs
  * Add support for power ppc64le
  * Cat the test-suite.log on errors for presubmits
  * Address review comments
  * Add third-party RPC implementation: raster - a network framework supports
    pbrpc by 'service' keyword.
  * Delete javanano kokoro build configs.
  * Updated Ruby conformance test failure list
  * Removed use of some type traits
  * Adopt php_metadata_namespace in php code generator (#4622)
  * Move to Xcode 9.3 which also means a High Sierra image.
  * Add protoc release script for Linux build.
  * protoc-artifacts: Avoid storing temporary files and use fewer layers
  * Rewrite go_benchmark
  * Add files to build ruby artifact for mac on kokoro (#4814)
  * Remove javanano.
  * Comment out unused command from release script.
  * Avoid direct check of class name (#4601)
  * The JsonParseOptions::ignore_unknown_fields option behavior treats
  * Fix php memory leak test (#4692)
  * Fix benchmark build
  * Add VS2017 optional component dependency details to the C# readme (#4128)
  * Fix initialization with Visual Studio
  * For windows, all python version should use /MT (#4468)
  * use brew install instead of easy_install in OSX (#4537)
  * Sync upb change (#4373)
  * Always add -std=c++11 for mac (#4684)
  * Add kokoro build status badges.
  * Removed unrecognized option from no_package.proto
  * Fixed up proto3_lite_unittest.cc
  * Update Xcode settings
  * Cleanup LICENSE file.
  * Remove js_embed binary. (#4709)
  * Fixed JS parsing of unspecified map keys
  * Update version number to 3.6.0
  * Deliberately call simple code to avoid Unity linker pruning
  * Revert "Move `compiler/plugin.pb.cc` to libprotobuf with the other WKT
    sources."
  * protoc-artifacts: Use ENTRYPOINT to enable devtoolset-1.1
  * MinGW build failed
  * Support using MSVC intrinsics in Log2FloorNonZero
  * Fix array constructor in c extension for compatibility (#4667)
  * Add space between class name and concat message (#4577)
  * fix python
  * Add performance.md and add instruction for linking tcmalloc
  * Add script for run and upload the benchmark result to bq
  * Add test for failing write of raw pointer to output stream
  * [objectivec] Fix memory leak of exceptions raised by RaiseException()
    (#4556)
  * Remove stray indent on normal imports.
  * Fix python ext build on kokoro (#4527)
  * Add compile test sources for to test include order.
  * Fixed a Visual Studio 2017 build error. (#4488)
  * fix linux kokoro build in docker
  * Fixes MSVC compiler warning C4800 "Forcing value to bool 'true' or
    'false'" (#4350)
  * Updated Docker setup to use GCC 4.8
  * Remove broken build status icons.
  * Run autogen.sh in release script.
  * Output *_pb2_grpc.py when use_grpc_plugin=True
  * Adopt ruby_package in ruby generated code. (#4627)
  * Cygwin build failed
  * Work around an "old runtime" issue with reflection
  * Added Kokoro protoc release build for OS X (#4770)
  * Updated change log for 3.6.1 release
  * Move methods out of class (#4697)
  * Fix to allow AOT compilers to play nicely with reflection
  * Update Makefile.am for Java lite files.
  * Added map_lite_test.proto to fix LiteTest
  * Introduce a compatibility shim to support .NET 3.5 delegate creation
  * Revert "Removed mention of Buffer in byteSourceToUint8Array"
  * Add gogo benchmark
  * Set ext.no_native = true for non mac platform
  * Removed atomicops.h since it is no longer used
  * Rename a shadowed variable.
  * Add kokoro bazel configs for 3.6.x branch.
  * Deleted scoped_ptr.h
  * Check the message to be encoded is the wrong type. (#4885) (#4949)
  * protoc-artifacts: Avoid checking out protobuf code
  * Add conformance test for null value in list JSON
  * Build ruby gem on kokoro (#4819)
  * Try using a new version of Visual Studio on AppVeyor
  * Make ruby release configs consistent with protoc.
  * fix for API change in PHP 7.3 (#4898)
  * Add .proto files to extract_includes.bat
  * Update protoc build scripts.
  * Blacklist all WELL_KNOWN_PROTOS from Bazel C++ code generation.
  * Additional support for building and deploying ppcle_64 artifacts
  * Fix php tests
  * Cleanup + documentation for Java Lite runtime.
* Added Kokoro Windows release build config for protoc (#4766) * typo * fix golang kokoro linux build * Fix spelling error of __GNUC_MINOR__ * Update code to work for Xcode 10b1 (#4729) * Added pyext/thread_unsafe_shared_ptr.h * Added missing .inc files to BUILD * js message support for jstype string on integers (#4332) * Improve error message when googletest is missing. * Make assertEquals pass for message (#4947) * Sync internal benchmark changes * Removed some unused C++ source files * Fix missing LIBPROTOC_EXPORT. * Added new test source files to Makefile.am * Update php version to 3.6.0 (#4736) * Fix RepeatedField#delete_if (#4292) * Merge branch (#4466) * Implement array constructor in php c extension. * protoc-artifacts: Update centos base from 6.6 to 6.9 * PHP array constructors for protobuf messages (#4530) * Fix problem: cmake build failed in c++11 by clang * Don't assume Windows builds use MSVC. * Use legacy name in php runtime (#4741) * Add file option php_metadata_namespace and ruby_package (#4609) * Fix cpp benchmark dependency on mac * Use the first enum value instead of 0 in DefaultValueObjectWriter::FindEnumDefault * Check return value on write of raw pointer * Delete unused directories. * Replace //:protoc and similar default macro arguments with * Add extra C# file to Makefile.am * includes the expected class in the exception, otherwise the error is harder to track down (#3371) * Update instructions about getting protobuf source. * Add cpp tests under release docker image. * fix java benchmark, fix dashboard build * `update_file_lists.sh` depends on Bash features, thus needs Bash sebang. * Rename build_artifacts.cfg to release.cfg (#4818) * Fix bug: whether always_print_enums_as_ints is true or false, it always print the default value of enums as strings * source code info for interpreted options; fix source code info for extension range options (#4342) * Updated version numbers to 3.6.1 * Trim imports for bundled generated protos. 
  * Require C++11 and pass -std=c++11
  * Remove the iOS Test App.
  * fix duplicate mkdir in update_file_lists.sh
  * Updated csharp/README.md to reflect testing changes
  * Fix bazel build of examples.
  * Add missing ruby/tests/test_ruby_package.proto
  * Fix cpp_distcheck
  * Updated the change log with changes for 3.6.0
  * some fix
  * CMake: Update CXX Standard management
  * Add the files added in #4485.
  * Change to deal all messages in one loop
  * Fix php conformance test.
  * Add __init__.py files to compiler and util subpackages (#4117)
  * Updated .gitignore to exclude downloaded gmock/ directory
  * Fix error in Clang UndefinedBehaviorSanitizer
  * Work around MSVC issue with std::atomic initialization (#4777)
  * Updated conformance failure lists
  * Add back GeneratedClassName to public (#4686)
  * Add continuous test for ruby 2.3, 2.4 and 2.5 (#4829)
  * Throw error if user want to access message properties (#4603)
  * fix json_decode call parameters (#4381)
  * Move `compiler/plugin.pb.cc` to libprotobuf with the other WKT sources.
  * PHP: fixed typo in message.c
  * Add go benchmark
  * Allow list values to be null when parsing
  * Added instruction for existing ZLIB configuration
  * Fix 32bit php tests
  * Removed javanano from post_process_dist.sh
  * Don't generate imports for the WKTs unless generating the WKTs.
  * For encoding upb needs descriptor type instead of type. (#4354)
  * Include googletest as a submodule (#3993)
  * Write messages to backing field in generated C# cloning code (#4440)
  * Integrated internal changes from Google
- bump soname version
- update to version v3.5.2:
  * Update release date
  * Disable pip cache when testing uploaded packages
  * Replace private timelib_update_ts with public date_timestamp_get
  * Remove py2.6 support.
  * Cherrypick for csharp, including:
  * Update changelog
  * Update changelog for 3.5.1
  * Fix uploading binary wheel.
  * Fix memory leak when creating map field via array.
  * Update rake file to build of 2.1.6.
  * Avoid using php_date_get_date_ce() in case date extension is not
  * Update protoc-artifacts
  * Fix string::back() usage in googletest.cc
  * Fix memory leak in php7
  * Support ruby2.5
  * io_win32: support non-ASCII paths
  * Explicitly propagate the status of Flush().
  * Add discard unknown API in ruby. (#3990)
  * Update version for 3.5.0.post1
  * remove nullptr
  * Fix more memory leak for php c extension (#4211)
  * Bumping number to fix ruby 2.1 on mac
  * io_win32_unittest: remove incorrect error check
  * Fix memory leak when creating repeated field via array.
  * Update version number for php c extension (#3896)
  * Fix file permission for python package.
  * Create containing directory before generating well_known_types_embed.cc
  * Replace C++11 only method std::map::at
  * Recursively clear unknown fields in submessages. (#3982)
  * Update version number to 3.5.1
  * io_win32_unittest: fix condition in GetCwdAsUtf8
  * Add release log
  * io_win32_unittest: use CWD as last tempdir
  * Add PROTOBUF_ENABLE_TIMESTAMP to let user decide whether timestamp util
  * Add support for Windows ARM64 build
  * Add protobuf-all in post release
  * Use fully qualified name for DescriptorPool in Any.php to avoid name (#3886)
  * Add _file_desc_by_toplevel_extension back
  * Fix setup.py for windows build.
  * io_win32_unittest: make //:win32_test run again
  * Provide discardUnknownFields API in php (#3976)
  * Update php c extension version number to 3.5.0.1
  * Fix ruby gc_test in ruby 2.4 (#4011)
  * Remove duplicate typedef. (#3975)
  * Accept DatetimeInterface in fromDatetime
  * io_win32: add more encoding-related tests
  * Bump version number to 3.5.2
  * Bump protoc-artifact version for a patch rebuild
  * Call php method via function name instead of calling directly.
  * Well known types are not initialized properly. (#4139)
  * Use matching enum type for IsPOD.
  * Fix several more memory leaks
  * Fix for php5.5
  * Add backslash to make class explicit in global namespace
  * Fix compile error undefined reference to `google::protobuf::internal::Release_CompareAndSwap(long volatile*, long, long)' on s390x https://github.com/google/protobuf/issues/3937
- Conditionalize python2 and python3 in order to be able to build without python2 present in distribution
  * Use singlespec macros to simplify the logic
- Run fdupes on python modules to avoid duplicates
- Remove shebangs from import-only code
- Update to new upstream release 3.5.0
  * Proto3 messages are now preserving unknown fields by default. If you rely on unknown fields being dropped, use DiscardUnknownFields() explicitly.
  * Deprecated the unsafe_arena_release_* and unsafe_arena_add_allocated_* methods for string fields.
  * Added move constructor and move assignment to RepeatedField, RepeatedPtrField and google::protobuf::Any.
  * Added perfect forwarding in Arena::CreateMessage.
  * In-progress experimental support for implicit weak fields with lite protos. This feature allows the linker to strip out more unused messages and reduce binary size.
- Rename %soname to %sover to better reflect its use.
- Install LICENSE
- Update to 3.3.0:
  * C++:
    * Fixed map fields serialization of DynamicMessage to correctly serialize both key and value regardless of their presence.
    * Parser now rejects field number 0 correctly.
    * New API Message::SpaceUsedLong() that's equivalent to Message::SpaceUsed() but returns the value in size_t.
    * JSON support
      - New flag always_print_enums_as_ints in JsonPrintOptions.
      - New flag preserve_proto_field_names in JsonPrintOptions. It will instruct the JSON printer to use the original field name declared in the .proto file instead of converting them to lowerCamelCase when printing JSON.
      - JsonPrintOptions.always_print_primitive_fields now works for oneof message fields.
      - Fixed a bug that doesn't allow different fields to set the same json_name value.
      - Fixed a performance bug that causes excessive memory copy when printing large messages.
    * Various performance optimizations.
  * Java:
    * Map field setters eagerly validate inputs and throw NullPointerExceptions as appropriate.
    * Added ByteBuffer overloads to the generated parsing methods and the Parser interface.
    * proto3 enum's getNumber() method now throws on UNRECOGNIZED values.
    * Output of JsonFormat is now locale independent.
  * Python:
    * Added FindServiceByName() in the pure-Python DescriptorPool. This works only for descriptors added with DescriptorPool.Add(). Generated descriptor_pool does not support this yet.
    * Added a descriptor_pool parameter for parsing Any in text_format.Parse().
    * descriptor_pool.FindFileContainingSymbol() now is able to find nested extensions.
    * Extending empty [] to repeated field now sets parent message presence.
- Update to 3.2.0:
  * Added protoc version number to protoc plugin protocol. It can be used by protoc plugin to detect which version of protoc is used with the plugin and mitigate known problems in certain version of protoc.
  * C++:
    * The default parsing byte size limit has been raised from 64MB to 2GB.
    * Added rvalue setters for non-arena string fields.
    * Enabled debug logging for Android.
    * Fixed a double-free problem when using Reflection::SetAllocatedMessage() with extension fields.
    * Fixed several deterministic serialization bugs:
      * MessageLite::SerializeAsString() now respects the global deterministic serialization flag.
      * Extension fields are serialized deterministically as well.
    * Fixed protocol compiler to correctly report importing-self as an error.
    * Fixed FileDescriptor::DebugString() to print custom options correctly.
    * Various performance/codesize optimizations and cleanups.
  * Java:
    * The default parsing byte size limit has been raised from 64MB to 2GB.
    * Added recursion limit when parsing JSON.
    * Fixed a bug that enumType.getDescriptor().getOptions() doesn't have custom options.
    * Fixed generated code to support field numbers up to 2^29-1.
  * Python:
    * You can now assign NumPy scalars/arrays (np.int32, np.int64) to protobuf fields, and assigning other numeric types has been optimized for performance.
    * Pure-Python: message types are now garbage-collectable.
    * Python/C++: a lot of internal cleanup/refactoring.
- Increase soname to 13
- Generate python2-protobuf and python3-protobuf packages in Factory
- Make the python2-protobuf package provide and obsolete python-protobuf to make the transition smooth in Tumbleweed
- Fix an issue with setup.py where some files are built on the first invocation, but only copied on the second. This resulted in an incomplete protobuf-python package.
- Update to protobuf v3.1.0. Protobuf v3.0.0 introduced a new version of the protocol buffer language, proto3, which supersedes proto2. The protoc compiler is able to read old proto2 protocol definitions, and defaults to the proto2 syntax if a syntax is not specified, thus packages can be recompiled to link to the new library. For backwards compatibility, the old library version is available from the protobuf2 package. As the API for proto2 is not compatible with the proto3 API, proto3 should only be used for new Protocol Buffers, whereas current users are advised to keep using proto2. For a detailed list of changes, see https://github.com/google/protobuf/releases
- Use py_sitedir for library installation with setup.py install
- Drop protobuf-libs as it is just a workaround for an rpmlint issue
- Cleanup specfile:
  * remove any conditionals for versions predating SLES 12/Leap 42.x
  * add Provides: protobuf-libs to fix rpmlint warning

Changes in python-python-gflags:

- Don't provide python2-gflags, singlespec packages should use correct name.
- Provide python-gflags in the python2 package
- Fix URL.
- Update to version 3.1.1
  * Added PEP8 style method/function aliases.
- Update to version 3.1.0
  * Python3 compatibility
  * Removed UnrecognizedFlag exception.
  * Replaced flags.DuplicateFlag with flags.DuplicateFlagError.
  * Moved the validators.Error class to exceptions.ValidationError.
  * Renamed IllegalFlagValue to IllegalFlagValueError.
  * Removed MutualExclusionValidator class, in favor of flags.MarkFlagsAsMutualExclusive.
  * Removed FlagValues.AddValidator method.
  * Removed _helpers.GetMainModule.
  * Use xml.dom.minidom to create XML strings, instead of manual crafting.
  * Declared PEP8-style names.
  * Added examples.
- Update to version 3.0.7
  * Removed the unused method ShortestUniquePrefixes.
  * Removed _GetCallingModule function alias.
- Update to version 3.0.6
  * Declared pypi package classifiers.
  * Added support for CLIF flag processing (not included in python-gflags repo yet).
- Update to version 3.0.5
  * Added a warning when FLAGS.SetDefault is used after flags were parsed.
  * Added new function: MarkFlagsAsRequired.
- Update to version 3.0.4
  * One more fix for setup.py - this time about third_party package.
- Update to version 3.0.3
  * Fixed setup.py.
  * --noflag if argument is given is no longer allowed.
  * Python3 compatibility: removed need for cgi import.
  * Disallowed unparsed flag usage after FLAGS.Reset()
- Update to version 3.0.2
  * Fix MANIFEST.in to include all relevant files.
- Update to version 3.0.1
  * Some changes for python3 compatibility.
  * Automatically generate ordering operations for Flag.
  * Add optional comma compatibility to whitespace-separated list flags.
  * A lot of potentially backwards incompatible changes since 2.0.
  * This version is NOT recommended to use in production. Some of the files and documentation have been lost during export; this will be fixed in next versions.
- Fix source URL
- Implement single-spec version

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-3450=1
- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-3450=1
- SUSE OpenStack Cloud 9:
  zypper in -t patch SUSE-OpenStack-Cloud-9-2021-3450=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2021-3450=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3450=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2021-3450=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (noarch):
  mysql-connector-java-8.0.25-5.10.1
- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  javapackages-filesystem-5.3.1-14.3.1
- SUSE OpenStack Cloud Crowbar 8 (noarch):
  mysql-connector-java-8.0.25-5.10.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  javapackages-filesystem-5.3.1-14.3.1
- SUSE OpenStack Cloud 9 (x86_64):
  javapackages-filesystem-5.3.1-14.3.1
- SUSE OpenStack Cloud 9 (noarch):
  mysql-connector-java-8.0.25-5.10.1
- SUSE OpenStack Cloud 8 (noarch):
  mysql-connector-java-8.0.25-5.10.1
- SUSE OpenStack Cloud 8 (x86_64):
  javapackages-filesystem-5.3.1-14.3.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  javapackages-filesystem-5.3.1-14.3.1
  protobuf-debugsource-3.17.3-7.6.1
  protobuf-devel-3.17.3-7.6.1
  protobuf-devel-debuginfo-3.17.3-7.6.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):
  mysql-connector-java-8.0.25-5.10.1
- HPE Helion Openstack 8 (noarch):
  mysql-connector-java-8.0.25-5.10.1
- HPE Helion Openstack 8 (x86_64):
  javapackages-filesystem-5.3.1-14.3.1

References:

https://bugzilla.suse.com/1036025
https://bugzilla.suse.com/1133277
https://bugzilla.suse.com/1162343

From sle-security-updates at lists.suse.com Sat Oct 16 07:13:56 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 16 Oct 2021 09:13:56 +0200 (CEST)
Subject: SUSE-CU-2021:411-1: Security update of suse/sle15
Message-ID: <20211016071356.09118FD2D@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:411-1
Container Tags        : suse/sle15:15.2 , suse/sle15:15.2.9.5.30
Container Release     : 9.5.30
Severity              : important
Type                  : security
References            : 1179416 1183543 1183545 1183632 1183659 1185299 1187670 1188548 CVE-2021-20266 CVE-2021-20271 CVE-2021-3421
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3444-1
Released:    Fri Oct 15 09:03:07 2021
Summary:     Security update for rpm
Type:        security
Severity:    important
References:  1179416,1183543,1183545,1183632,1183659,1185299,1187670,1188548,CVE-2021-20266,CVE-2021-20271,CVE-2021-3421

This update for rpm fixes the following issues:

Security issues fixed:

- CVE-2021-3421, CVE-2021-20271, CVE-2021-20266: Multiple header check improvements (bsc#1183543, bsc#1183545, bsc#1183632)
- PGP hardening changes (bsc#1185299)
- Fixed potential access of freed mem in ndb's glue code (bsc#1179416)

Maintenance issues fixed:

- Fixed zstd detection (bsc#1187670)
- Added ndb rofs support (bsc#1188548)
- Fixed deadlock when multiple rpm processes try to acquire the database lock (bsc#1183659)

From sle-security-updates at lists.suse.com Sat Oct 16 07:19:24 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 16 Oct 2021 09:19:24 +0200 (CEST)
Subject: SUSE-CU-2021:412-1: Security update of suse/sle15
Message-ID: <20211016071924.62D32FD2D@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:412-1
Container Tags        : suse/sle15:15.3 , suse/sle15:15.3.17.8.13
Container Release     : 17.8.13
Severity              : important
Type                  : security
References            : 1183659 1185299 1187670 1188548
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3445-1
Released:    Fri Oct 15 09:03:39 2021
Summary:     Security update for rpm
Type:        security
Severity:    important
References:  1183659,1185299,1187670,1188548

This update for rpm fixes the following issues:

Security issues fixed:

- PGP hardening changes (bsc#1185299)

Maintenance issues fixed:

- Fixed zstd detection (bsc#1187670)
- Added ndb rofs support (bsc#1188548)
- Fixed deadlock when multiple rpm processes try to acquire the database lock (bsc#1183659)

From sle-security-updates at lists.suse.com Sat Oct 16 13:17:43 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Sat, 16 Oct 2021 15:17:43 +0200 (CEST)
Subject: SUSE-SU-2021:3451-1: important: Security update for MozillaFirefox
Message-ID: <20211016131743.21819FD2D@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3451-1
Rating:             important
References:         #1188891 #1189547 #1190269 #1190274 #1190710 #1191332
Cross-References:   CVE-2021-29980 CVE-2021-29981 CVE-2021-29982 CVE-2021-29983
                    CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29987
                    CVE-2021-29988 CVE-2021-29989 CVE-2021-29990 CVE-2021-29991
                    CVE-2021-32810 CVE-2021-38492 CVE-2021-38495 CVE-2021-38496
                    CVE-2021-38497 CVE-2021-38498 CVE-2021-38500 CVE-2021-38501
CVSS scores:
                    CVE-2021-29980 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-29984 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-29985 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-29986 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-29988 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-29989 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-29991 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2021-32810 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-38492 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP3
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

An update that fixes 20 vulnerabilities is now available.

Description:

This update for MozillaFirefox fixes the following issues:

This update contains the Firefox Extended Support Release 91.2.0 ESR.

Release 91.2.0 ESR:

* Fixed: Various stability, functionality, and security fixes
  MFSA 2021-45 (bsc#1191332):
  * CVE-2021-38496: Use-after-free in MessageTask
  * CVE-2021-38497: Validation message could have been overlaid on another origin
  * CVE-2021-38498: Use-after-free of nsLanguageAtomService object
  * CVE-2021-32810: Fixed Data race in crossbeam-deque
  * CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2
  * CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2
- Fixed crash in FIPS mode (bsc#1190710)

Release 91.1.0 ESR:

* Fixed: Various stability, functionality, and security fixes
  MFSA 2021-40 (bsc#1190269, bsc#1190274):
  * CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer
  * CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1

Release 91.0.1esr ESR:

* Fixed: Fixed an issue causing buttons on the tab bar to be resized when loading certain websites (bug 1704404)
* Fixed: Fixed an issue which caused tabs from private windows to be visible in non-private windows when viewing switch-to-tab results in the address bar panel (bug 1720369)
* Fixed: Various stability fixes
* Fixed: Security fix
  MFSA 2021-37 (bsc#1189547)
  * CVE-2021-29991 (bmo#1724896) Header Splitting possible with HTTP/3 Responses

Firefox Extended Support Release 91.0 ESR

* New: Some of the highlights of the new Extended Support Release are:
  - A number of user interface changes. For more information, see the Firefox 89 release notes.
  - Firefox now supports logging into Microsoft, work, and school accounts using Windows single sign-on.
  - On Windows, updates can now be applied in the background while Firefox is not running.
  - Firefox for Windows now offers a new page about:third-party to help identify compatibility issues caused by third-party applications
  - Version 2 of Firefox's SmartBlock feature further improves private browsing. Third party Facebook scripts are blocked to prevent you from being tracked, but are now automatically loaded "just in time" if you decide to "Log in with Facebook" on any website.
  - Enhanced the privacy of the Firefox Browser's Private Browsing mode with Total Cookie Protection, which confines cookies to the site where they were created, preventing companies from using cookies to track your browsing across sites. This feature was originally launched in Firefox's ETP Strict mode.
  - PDF forms now support JavaScript embedded in PDF files. Some PDF forms use JavaScript for validation and other interactive features.
  - You'll encounter less website breakage in Private Browsing and Strict Enhanced Tracking Protection with SmartBlock, which provides stand-in scripts so that websites load properly.
  - Improved Print functionality with a cleaner design and better integration with your computer's printer settings.
  - Firefox now protects you from supercookies, a type of tracker that can stay hidden in your browser and track you online, even after you clear cookies. By isolating supercookies, Firefox prevents them from tracking your web browsing from one site to the next.
  - Firefox now remembers your preferred location for saved bookmarks, displays the bookmarks toolbar by default on new tabs, and gives you easy access to all of your bookmarks via a toolbar folder.
  - Native support for macOS devices built with Apple Silicon CPUs brings dramatic performance improvements over the non-native build that was shipped in Firefox 83: Firefox launches over 2.5 times faster and web apps are now twice as responsive (per the SpeedoMeter 2.0 test). If you are on a new Apple device, follow these steps to upgrade to the latest Firefox.
  - Pinch zooming will now be supported for our users with Windows touchscreen devices and touchpads on Mac devices. Firefox users may now use pinch to zoom on touch-capable devices to zoom in and out of webpages.
  - We've improved functionality and design for a number of Firefox search features:
    * Selecting a search engine at the bottom of the search panel now enters search mode for that engine, allowing you to see suggestions (if available) for your search terms. The old behavior (immediately performing a search) is available with a shift-click.
    * When Firefox autocompletes the URL of one of your search engines, you can now search with that engine directly in the address bar by selecting the shortcut in the address bar results.
    * We've added buttons at the bottom of the search panel to allow you to search your bookmarks, open tabs, and history.
  - Firefox supports AcroForm, which will allow you to fill in, print, and save supported PDF forms and the PDF viewer also has a new fresh look.
  - For our users in the US and Canada, Firefox can now save, manage, and auto-fill credit card information for you, making shopping on Firefox ever more convenient.
  - In addition to our default, dark and light themes, with this release, Firefox introduces the Alpenglow theme: a colorful appearance for buttons, menus, and windows. You can update your Firefox themes under settings or preferences.
* Changed: Firefox no longer supports Adobe Flash. There is no setting available to re-enable Flash support.
* Enterprise: Various bug fixes and new policies have been implemented in the latest version of Firefox. See more details in the Firefox for Enterprise 91 Release Notes.

MFSA 2021-33 (bsc#1188891):

* CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption
* CVE-2021-29981: Live range splitting could have led to conflicting assignments in the JIT
* CVE-2021-29988: Memory corruption as a result of incorrect style treatment
* CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode
* CVE-2021-29984: Incorrect instruction reordering during JIT optimization
* CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption
* CVE-2021-29987: Users could have been tricked into accepting unwanted permissions on Linux
* CVE-2021-29985: Use-after-free media channels
* CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and type confusion
* CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
* CVE-2021-29990: Memory safety bugs fixed in Firefox 91

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-3451=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-3451=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
  MozillaFirefox-91.2.0-8.54.1
  MozillaFirefox-branding-SLE-91-9.5.1
  MozillaFirefox-debuginfo-91.2.0-8.54.1
  MozillaFirefox-debugsource-91.2.0-8.54.1
  MozillaFirefox-translations-common-91.2.0-8.54.1
  MozillaFirefox-translations-other-91.2.0-8.54.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le x86_64):
  MozillaFirefox-devel-91.2.0-8.54.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
  MozillaFirefox-91.2.0-8.54.1
  MozillaFirefox-branding-SLE-91-9.5.1
  MozillaFirefox-debuginfo-91.2.0-8.54.1
  MozillaFirefox-debugsource-91.2.0-8.54.1
  MozillaFirefox-devel-91.2.0-8.54.1
  MozillaFirefox-translations-common-91.2.0-8.54.1
  MozillaFirefox-translations-other-91.2.0-8.54.1

References:

https://www.suse.com/security/cve/CVE-2021-29980.html
https://www.suse.com/security/cve/CVE-2021-29981.html
https://www.suse.com/security/cve/CVE-2021-29982.html
https://www.suse.com/security/cve/CVE-2021-29983.html
https://www.suse.com/security/cve/CVE-2021-29984.html
https://www.suse.com/security/cve/CVE-2021-29985.html
https://www.suse.com/security/cve/CVE-2021-29986.html
https://www.suse.com/security/cve/CVE-2021-29987.html
https://www.suse.com/security/cve/CVE-2021-29988.html
https://www.suse.com/security/cve/CVE-2021-29989.html
https://www.suse.com/security/cve/CVE-2021-29990.html
https://www.suse.com/security/cve/CVE-2021-29991.html
https://www.suse.com/security/cve/CVE-2021-32810.html
https://www.suse.com/security/cve/CVE-2021-38492.html
https://www.suse.com/security/cve/CVE-2021-38495.html
https://www.suse.com/security/cve/CVE-2021-38496.html
https://www.suse.com/security/cve/CVE-2021-38497.html
https://www.suse.com/security/cve/CVE-2021-38498.html
https://www.suse.com/security/cve/CVE-2021-38500.html
https://www.suse.com/security/cve/CVE-2021-38501.html
https://bugzilla.suse.com/1188891
https://bugzilla.suse.com/1189547
https://bugzilla.suse.com/1190269
https://bugzilla.suse.com/1190274
https://bugzilla.suse.com/1190710
https://bugzilla.suse.com/1191332

From sle-security-updates at lists.suse.com Mon Oct 18 13:17:28 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 18 Oct 2021 15:17:28 +0200 (CEST)
Subject: SUSE-SU-2021:3452-1: moderate: Security update for iproute2
Message-ID: <20211018131728.A6D99F476@maintenance.suse.de>

SUSE Security Update: Security update for iproute2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3452-1
Rating:             moderate
References:         #1085669 #1171452
Cross-References:   CVE-2019-20795
CVSS scores:
                    CVE-2019-20795 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
                    CVE-2019-20795 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for iproute2 fixes the following issues:

- CVE-2019-20795: Fixed a use-after-free vulnerability in get_netnsid_from_name. (bsc#1171452)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3452=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3452=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): iproute2-debuginfo-4.12-16.6.1 iproute2-debugsource-4.12-16.6.1 libnetlink-devel-4.12-16.6.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): iproute2-4.12-16.6.1 iproute2-debuginfo-4.12-16.6.1 iproute2-debugsource-4.12-16.6.1 References: https://www.suse.com/security/cve/CVE-2019-20795.html https://bugzilla.suse.com/1085669 https://bugzilla.suse.com/1171452 From sle-security-updates at lists.suse.com Mon Oct 18 13:18:59 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 18 Oct 2021 15:18:59 +0200 (CEST) Subject: SUSE-SU-2021:14826-1: important: Security update for MozillaFirefox, rust-cbindgen Message-ID: <20211018131859.59311F476@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox, rust-cbindgen ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:14826-1 Rating: important References: #1188891 #1189547 #1190269 #1190274 #1190710 #1191332 SLE-18626 Cross-References: CVE-2021-29980 CVE-2021-29981 CVE-2021-29982 CVE-2021-29983 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29987 CVE-2021-29988 CVE-2021-29989 CVE-2021-29990 CVE-2021-29991 CVE-2021-32810 CVE-2021-38492 CVE-2021-38495 CVE-2021-38496 CVE-2021-38497 CVE-2021-38498 CVE-2021-38500 CVE-2021-38501 CVSS scores: CVE-2021-29980 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-29984 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-29985 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2021-29986 (SUSE): 7.5 
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-29988 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-29989 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2021-29991 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2021-32810 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-32810 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-38492 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes 20 vulnerabilities, contains one feature is now available. Description: This update for MozillaFirefox, rust-cbindgen fixes the following issues: MozillaFirefox was updated to Extended Support Release 91.2.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2021-45 (bsc#1191332) * CVE-2021-38496: Use-after-free in MessageTask * CVE-2021-38497: Validation message could have been overlaid on another origin * CVE-2021-38498: Use-after-free of nsLanguageAtomService object * CVE-2021-32810: Data race in crossbeam-deque * CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 * CVE-2021-38501: Memory safety bugs fixed in Firefox 93 and Firefox ESR 91.2 - Fixed crash in FIPS mode (bsc#1190710) Firefox Extended Support Release 91.1.0 ESR * Fixed: Various stability, functionality, and security fixes MFSA 2021-40 (bsc#1190269, bsc#1190274) * CVE-2021-38492: Navigating to `mk:` URL scheme could load Internet Explorer * CVE-2021-38495: Memory safety bugs fixed in Firefox 92 and Firefox ESR 91.1 Firefox 91.0.1esr ESR * Fixed: Fixed an issue causing buttons on the tab bar to be resized when loading certain websites (bug 1704404) (bmo#1704404) * Fixed: Fixed an issue which caused tabs from private windows to be visible in non-private windows when viewing 
switch-to-tab results in the address bar panel (bug 1720369) (bmo#1720369)
* Fixed: Various stability fixes
* Fixed: Security fix MFSA 2021-37 (bsc#1189547)
  * CVE-2021-29991 (bmo#1724896) Header Splitting possible with HTTP/3 Responses

Firefox Extended Support Release 91.0 ESR
* New: Some of the highlights of the new Extended Support Release are:
  - A number of user interface changes. For more information, see the Firefox 89 release notes.
  - Firefox now supports logging into Microsoft, work, and school accounts using Windows single sign-on.
  - On Windows, updates can now be applied in the background while Firefox is not running.
  - Firefox for Windows now offers a new page about:third-party to help identify compatibility issues caused by third-party applications.
  - Version 2 of Firefox's SmartBlock feature further improves private browsing. Third party Facebook scripts are blocked to prevent you from being tracked, but are now automatically loaded "just in time" if you decide to "Log in with Facebook" on any website.
  - Enhanced the privacy of the Firefox Browser's Private Browsing mode with Total Cookie Protection, which confines cookies to the site where they were created, preventing companies from using cookies to track your browsing across sites. This feature was originally launched in Firefox's ETP Strict mode.
  - PDF forms now support JavaScript embedded in PDF files. Some PDF forms use JavaScript for validation and other interactive features.
  - You'll encounter less website breakage in Private Browsing and Strict Enhanced Tracking Protection with SmartBlock, which provides stand-in scripts so that websites load properly.
  - Improved Print functionality with a cleaner design and better integration with your computer's printer settings.
  - Firefox now protects you from supercookies, a type of tracker that can stay hidden in your browser and track you online, even after you clear cookies.
By isolating supercookies, Firefox prevents them from tracking your web browsing from one site to the next.
  - Firefox now remembers your preferred location for saved bookmarks, displays the bookmarks toolbar by default on new tabs, and gives you easy access to all of your bookmarks via a toolbar folder.
  - Native support for macOS devices built with Apple Silicon CPUs brings dramatic performance improvements over the non-native build that was shipped in Firefox 83: Firefox launches over 2.5 times faster and web apps are now twice as responsive (per the SpeedoMeter 2.0 test). If you are on a new Apple device, follow these steps to upgrade to the latest Firefox.
  - Pinch zooming will now be supported for our users with Windows touchscreen devices and touchpads on Mac devices. Firefox users may now use pinch to zoom on touch-capable devices to zoom in and out of webpages.
  - We've improved functionality and design for a number of Firefox search features:
    * Selecting a search engine at the bottom of the search panel now enters search mode for that engine, allowing you to see suggestions (if available) for your search terms. The old behavior (immediately performing a search) is available with a shift-click.
    * When Firefox autocompletes the URL of one of your search engines, you can now search with that engine directly in the address bar by selecting the shortcut in the address bar results.
    * We've added buttons at the bottom of the search panel to allow you to search your bookmarks, open tabs, and history.
  - Firefox supports AcroForm, which will allow you to fill in, print, and save supported PDF forms, and the PDF viewer also has a new fresh look.
  - For our users in the US and Canada, Firefox can now save, manage, and auto-fill credit card information for you, making shopping on Firefox ever more convenient.
- In addition to our default, dark and light themes, with this release, Firefox introduces the Alpenglow theme: a colorful appearance for buttons, menus, and windows. You can update your Firefox themes under settings or preferences. * Changed: Firefox no longer supports Adobe Flash. There is no setting available to re-enable Flash support. * Enterprise: Various bug fixes and new policies have been implemented in the latest version of Firefox. See more details in the Firefox for Enterprise 91 Release Notes. MFSA 2021-33 (bsc#1188891) * CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption * CVE-2021-29981: Live range splitting could have led to conflicting assignments in the JIT * CVE-2021-29988: Memory corruption as a result of incorrect style treatment * CVE-2021-29983: Firefox for Android could get stuck in fullscreen mode * CVE-2021-29984: Incorrect instruction reordering during JIT optimization * CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption * CVE-2021-29987: Users could have been tricked into accepting unwanted permissions on Linux * CVE-2021-29985: Use-after-free media channels * CVE-2021-29982: Single bit data leak due to incorrect JIT optimization and type confusion * CVE-2021-29989: Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13 * CVE-2021-29990: Memory safety bugs fixed in Firefox 91 rust-cbindgen was updated to 0.19.0. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-MozillaFirefox-91esr-14826=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-MozillaFirefox-91esr-14826=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64): MozillaFirefox-91.2.0-78.143.1 MozillaFirefox-branding-SLED-91-21.18.1 MozillaFirefox-translations-common-91.2.0-78.143.1 MozillaFirefox-translations-other-91.2.0-78.143.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64): MozillaFirefox-debuginfo-91.2.0-78.143.1 References: https://www.suse.com/security/cve/CVE-2021-29980.html https://www.suse.com/security/cve/CVE-2021-29981.html https://www.suse.com/security/cve/CVE-2021-29982.html https://www.suse.com/security/cve/CVE-2021-29983.html https://www.suse.com/security/cve/CVE-2021-29984.html https://www.suse.com/security/cve/CVE-2021-29985.html https://www.suse.com/security/cve/CVE-2021-29986.html https://www.suse.com/security/cve/CVE-2021-29987.html https://www.suse.com/security/cve/CVE-2021-29988.html https://www.suse.com/security/cve/CVE-2021-29989.html https://www.suse.com/security/cve/CVE-2021-29990.html https://www.suse.com/security/cve/CVE-2021-29991.html https://www.suse.com/security/cve/CVE-2021-32810.html https://www.suse.com/security/cve/CVE-2021-38492.html https://www.suse.com/security/cve/CVE-2021-38495.html https://www.suse.com/security/cve/CVE-2021-38496.html https://www.suse.com/security/cve/CVE-2021-38497.html https://www.suse.com/security/cve/CVE-2021-38498.html https://www.suse.com/security/cve/CVE-2021-38500.html https://www.suse.com/security/cve/CVE-2021-38501.html https://bugzilla.suse.com/1188891 https://bugzilla.suse.com/1189547 https://bugzilla.suse.com/1190269 https://bugzilla.suse.com/1190274 https://bugzilla.suse.com/1190710 https://bugzilla.suse.com/1191332 From sle-security-updates at lists.suse.com Mon Oct 18 13:20:50 2021 From: sle-security-updates at 
lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 18 Oct 2021 15:20:50 +0200 (CEST) Subject: SUSE-SU-2021:3454-1: moderate: Security update for krb5 Message-ID: <20211018132050.40CFAF476@maintenance.suse.de> SUSE Security Update: Security update for krb5 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3454-1 Rating: moderate References: #1189929 Cross-References: CVE-2021-37750 CVSS scores: CVE-2021-37750 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Module for Server Applications 15-SP3 SUSE Linux Enterprise Module for Server Applications 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for krb5 fixes the following issues: - CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3454=1 - SUSE Linux Enterprise Module for Server Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-3454=1 - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-3454=1 - SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3454=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3454=1 Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): krb5-1.16.3-3.24.1 krb5-debuginfo-1.16.3-3.24.1 krb5-debugsource-1.16.3-3.24.1 - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64): krb5-debuginfo-1.16.3-3.24.1 krb5-debugsource-1.16.3-3.24.1 krb5-plugin-kdb-ldap-1.16.3-3.24.1 krb5-plugin-kdb-ldap-debuginfo-1.16.3-3.24.1 krb5-server-1.16.3-3.24.1 krb5-server-debuginfo-1.16.3-3.24.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): krb5-debuginfo-1.16.3-3.24.1 krb5-debugsource-1.16.3-3.24.1 krb5-plugin-kdb-ldap-1.16.3-3.24.1 krb5-plugin-kdb-ldap-debuginfo-1.16.3-3.24.1 krb5-server-1.16.3-3.24.1 krb5-server-debuginfo-1.16.3-3.24.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): krb5-1.16.3-3.24.1 krb5-client-1.16.3-3.24.1 krb5-client-debuginfo-1.16.3-3.24.1 krb5-debuginfo-1.16.3-3.24.1 krb5-debugsource-1.16.3-3.24.1 krb5-devel-1.16.3-3.24.1 krb5-plugin-preauth-otp-1.16.3-3.24.1 krb5-plugin-preauth-otp-debuginfo-1.16.3-3.24.1 krb5-plugin-preauth-pkinit-1.16.3-3.24.1 krb5-plugin-preauth-pkinit-debuginfo-1.16.3-3.24.1 - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64): krb5-32bit-1.16.3-3.24.1 krb5-32bit-debuginfo-1.16.3-3.24.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x 
x86_64): krb5-1.16.3-3.24.1 krb5-client-1.16.3-3.24.1 krb5-client-debuginfo-1.16.3-3.24.1 krb5-debuginfo-1.16.3-3.24.1 krb5-debugsource-1.16.3-3.24.1 krb5-devel-1.16.3-3.24.1 krb5-plugin-preauth-otp-1.16.3-3.24.1 krb5-plugin-preauth-otp-debuginfo-1.16.3-3.24.1 krb5-plugin-preauth-pkinit-1.16.3-3.24.1 krb5-plugin-preauth-pkinit-debuginfo-1.16.3-3.24.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): krb5-32bit-1.16.3-3.24.1 krb5-32bit-debuginfo-1.16.3-3.24.1 References: https://www.suse.com/security/cve/CVE-2021-37750.html https://bugzilla.suse.com/1189929 From sle-security-updates at lists.suse.com Mon Oct 18 19:31:38 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Mon, 18 Oct 2021 21:31:38 +0200 (CEST) Subject: SUSE-SU-2021:3459-1: important: Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) Message-ID: <20211018193138.17227FD2D@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3459-1 Rating: important References: #1187054 #1188613 #1190118 #1190350 Cross-References: CVE-2021-3573 CVE-2021-3640 CVE-2021-3715 CVE-2021-38160 CVSS scores: CVE-2021-3573 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3640 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3715 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-38160 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for the Linux Kernel 4.4.180-94_147 fixes several issues. 
The following security issues were fixed:
- CVE-2021-3715: Fixed a use-after-free in the Linux kernel's Traffic Control networking subsystem which could lead to local privilege escalation (bsc#1190350).
- CVE-2021-38160: Fixed a bug that could lead to data corruption or loss. This can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190118).
- CVE-2021-3640: Fixed a use-after-free bug in the function sco_sock_sendmsg which could lead to local privilege escalation (bsc#1188613).
- CVE-2021-3573: Fixed a use-after-free bug in the function hci_sock_bound_ioctl which could lead to local privilege escalation (bsc#1187054).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 12-SP3:
    zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-3458=1 SUSE-SLE-SAP-12-SP3-2021-3459=1 SUSE-SLE-SAP-12-SP3-2021-3460=1 SUSE-SLE-SAP-12-SP3-2021-3461=1 SUSE-SLE-SAP-12-SP3-2021-3462=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-3458=1 SUSE-SLE-SERVER-12-SP3-2021-3459=1 SUSE-SLE-SERVER-12-SP3-2021-3460=1 SUSE-SLE-SERVER-12-SP3-2021-3461=1 SUSE-SLE-SERVER-12-SP3-2021-3462=1

Package List:

- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
    kgraft-patch-4_4_180-94_135-default-13-2.2
    kgraft-patch-4_4_180-94_135-default-debuginfo-13-2.2
    kgraft-patch-4_4_180-94_138-default-11-2.2
    kgraft-patch-4_4_180-94_138-default-debuginfo-11-2.2
    kgraft-patch-4_4_180-94_141-default-10-2.2
    kgraft-patch-4_4_180-94_141-default-debuginfo-10-2.2
    kgraft-patch-4_4_180-94_144-default-7-2.1
    kgraft-patch-4_4_180-94_144-default-debuginfo-7-2.1
    kgraft-patch-4_4_180-94_147-default-4-2.1
    kgraft-patch-4_4_180-94_147-default-debuginfo-4-2.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le
x86_64): kgraft-patch-4_4_180-94_135-default-13-2.2 kgraft-patch-4_4_180-94_135-default-debuginfo-13-2.2 kgraft-patch-4_4_180-94_138-default-11-2.2 kgraft-patch-4_4_180-94_138-default-debuginfo-11-2.2 kgraft-patch-4_4_180-94_141-default-10-2.2 kgraft-patch-4_4_180-94_141-default-debuginfo-10-2.2 kgraft-patch-4_4_180-94_144-default-7-2.1 kgraft-patch-4_4_180-94_144-default-debuginfo-7-2.1 kgraft-patch-4_4_180-94_147-default-4-2.1 kgraft-patch-4_4_180-94_147-default-debuginfo-4-2.1 References: https://www.suse.com/security/cve/CVE-2021-3573.html https://www.suse.com/security/cve/CVE-2021-3640.html https://www.suse.com/security/cve/CVE-2021-3715.html https://www.suse.com/security/cve/CVE-2021-38160.html https://bugzilla.suse.com/1187054 https://bugzilla.suse.com/1188613 https://bugzilla.suse.com/1190118 https://bugzilla.suse.com/1190350 From sle-security-updates at lists.suse.com Tue Oct 19 07:28:28 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 19 Oct 2021 09:28:28 +0200 (CEST) Subject: SUSE-CU-2021:415-1: Security update of suse/sle15 Message-ID: <20211019072828.36196F432@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:415-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.517 Container Release : 6.2.517 Severity : moderate Type : security References : 1189929 CVE-2021-37750 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3454-1 Released: Mon Oct 18 09:29:26 2021 Summary: Security update for krb5 Type: security Severity: moderate References: 1189929,CVE-2021-37750 This update for krb5 fixes the following issues: - CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929). From sle-security-updates at lists.suse.com Tue Oct 19 07:44:48 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 19 Oct 2021 09:44:48 +0200 (CEST) Subject: SUSE-CU-2021:417-1: Security update of suse/sle15 Message-ID: <20211019074448.32A2AF476@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:417-1 Container Tags : suse/sle15:15.2 , suse/sle15:15.2.9.5.31 Container Release : 9.5.31 Severity : moderate Type : security References : 1189929 CVE-2021-37750 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3454-1 Released: Mon Oct 18 09:29:26 2021 Summary: Security update for krb5 Type: security Severity: moderate References: 1189929,CVE-2021-37750 This update for krb5 fixes the following issues: - CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929). 
From sle-security-updates at lists.suse.com Tue Oct 19 07:50:48 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 19 Oct 2021 09:50:48 +0200 (CEST) Subject: SUSE-CU-2021:419-1: Security update of suse/sle15 Message-ID: <20211019075048.E8761F476@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:419-1 Container Tags : suse/sle15:15.3 , suse/sle15:15.3.17.8.15 Container Release : 17.8.15 Severity : moderate Type : security References : 1189929 CVE-2021-37750 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3454-1 Released: Mon Oct 18 09:29:26 2021 Summary: Security update for krb5 Type: security Severity: moderate References: 1189929,CVE-2021-37750 This update for krb5 fixes the following issues: - CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929). 
From sle-security-updates at lists.suse.com Tue Oct 19 13:16:37 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 19 Oct 2021 15:16:37 +0200 (CEST) Subject: SUSE-SU-2021:3463-1: moderate: Security update for util-linux Message-ID: <20211019131637.C1240F432@maintenance.suse.de> SUSE Security Update: Security update for util-linux ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3463-1 Rating: moderate References: #1081947 #1082293 #1084671 #1085196 #1106214 #1122417 #1125886 #1135534 #1135708 #1151708 #1168235 #1168389 #1169006 #1174942 #1175514 #1175623 #1178236 #1178554 #1178825 #1188921 Cross-References: CVE-2021-37600 CVSS scores: CVE-2021-37600 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-37600 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves one vulnerability and has 19 fixes is now available. Description: This update for util-linux fixes the following issues: - CVE-2021-37600: Fixed an integer overflow which could lead to buffer overflow in get_sem_elements. (bsc#1188921) - Prevent outdated pam files (bsc#1082293, bsc#1081947#c68). - Do not trim read-only volumes (bsc#1106214). - libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417). - raw.service: Add RemainAfterExit=yes (bsc#1135534). - agetty: Reload issue only if it is really needed (bsc#1085196) - agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886) - blockdev: Do not fail --report on kpartx-style partitions on multipath. 
(bsc#1168235) - nologin: Add support for -c to prevent error from su -c. (bsc#1151708) - Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389) - libblkid: Do not trigger CDROM autoclose. (bsc#1084671) - Avoid sulogin failing on not existing or not functional console devices. (bsc#1175514) - Build with libudev support to support non-root users. (bsc#1169006) - lscpu: avoid segfault on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825) - Fix for warning on mounts to CIFS with mount. (SG#57988, bsc#1174942) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-3463=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-3463=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-3463=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-3463=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-3463=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-3463=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): libblkid1-2.29.2-3.24.1 libblkid1-32bit-2.29.2-3.24.1 libblkid1-debuginfo-2.29.2-3.24.1 libblkid1-debuginfo-32bit-2.29.2-3.24.1 libfdisk1-2.29.2-3.24.1 libfdisk1-debuginfo-2.29.2-3.24.1 libmount1-2.29.2-3.24.1 libmount1-32bit-2.29.2-3.24.1 libmount1-debuginfo-2.29.2-3.24.1 libmount1-debuginfo-32bit-2.29.2-3.24.1 libsmartcols1-2.29.2-3.24.1 libsmartcols1-debuginfo-2.29.2-3.24.1 libuuid1-2.29.2-3.24.1 libuuid1-32bit-2.29.2-3.24.1 libuuid1-debuginfo-2.29.2-3.24.1 libuuid1-debuginfo-32bit-2.29.2-3.24.1 python-libmount-2.29.2-3.24.1 python-libmount-debuginfo-2.29.2-3.24.1 
python-libmount-debugsource-2.29.2-3.24.1 util-linux-2.29.2-3.24.1 util-linux-debuginfo-2.29.2-3.24.1 util-linux-debugsource-2.29.2-3.24.1 util-linux-systemd-2.29.2-3.24.1 util-linux-systemd-debuginfo-2.29.2-3.24.1 util-linux-systemd-debugsource-2.29.2-3.24.1 uuidd-2.29.2-3.24.1 uuidd-debuginfo-2.29.2-3.24.1 - SUSE OpenStack Cloud Crowbar 8 (noarch): util-linux-lang-2.29.2-3.24.1 - SUSE OpenStack Cloud 8 (noarch): util-linux-lang-2.29.2-3.24.1 - SUSE OpenStack Cloud 8 (x86_64): libblkid1-2.29.2-3.24.1 libblkid1-32bit-2.29.2-3.24.1 libblkid1-debuginfo-2.29.2-3.24.1 libblkid1-debuginfo-32bit-2.29.2-3.24.1 libfdisk1-2.29.2-3.24.1 libfdisk1-debuginfo-2.29.2-3.24.1 libmount1-2.29.2-3.24.1 libmount1-32bit-2.29.2-3.24.1 libmount1-debuginfo-2.29.2-3.24.1 libmount1-debuginfo-32bit-2.29.2-3.24.1 libsmartcols1-2.29.2-3.24.1 libsmartcols1-debuginfo-2.29.2-3.24.1 libuuid1-2.29.2-3.24.1 libuuid1-32bit-2.29.2-3.24.1 libuuid1-debuginfo-2.29.2-3.24.1 libuuid1-debuginfo-32bit-2.29.2-3.24.1 python-libmount-2.29.2-3.24.1 python-libmount-debuginfo-2.29.2-3.24.1 python-libmount-debugsource-2.29.2-3.24.1 util-linux-2.29.2-3.24.1 util-linux-debuginfo-2.29.2-3.24.1 util-linux-debugsource-2.29.2-3.24.1 util-linux-systemd-2.29.2-3.24.1 util-linux-systemd-debuginfo-2.29.2-3.24.1 util-linux-systemd-debugsource-2.29.2-3.24.1 uuidd-2.29.2-3.24.1 uuidd-debuginfo-2.29.2-3.24.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libblkid1-2.29.2-3.24.1 libblkid1-debuginfo-2.29.2-3.24.1 libfdisk1-2.29.2-3.24.1 libfdisk1-debuginfo-2.29.2-3.24.1 libmount1-2.29.2-3.24.1 libmount1-debuginfo-2.29.2-3.24.1 libsmartcols1-2.29.2-3.24.1 libsmartcols1-debuginfo-2.29.2-3.24.1 libuuid1-2.29.2-3.24.1 libuuid1-debuginfo-2.29.2-3.24.1 python-libmount-2.29.2-3.24.1 python-libmount-debuginfo-2.29.2-3.24.1 python-libmount-debugsource-2.29.2-3.24.1 util-linux-2.29.2-3.24.1 util-linux-debuginfo-2.29.2-3.24.1 util-linux-debugsource-2.29.2-3.24.1 util-linux-systemd-2.29.2-3.24.1 
util-linux-systemd-debuginfo-2.29.2-3.24.1 util-linux-systemd-debugsource-2.29.2-3.24.1 uuidd-2.29.2-3.24.1 uuidd-debuginfo-2.29.2-3.24.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libblkid1-32bit-2.29.2-3.24.1 libblkid1-debuginfo-32bit-2.29.2-3.24.1 libmount1-32bit-2.29.2-3.24.1 libmount1-debuginfo-32bit-2.29.2-3.24.1 libuuid1-32bit-2.29.2-3.24.1 libuuid1-debuginfo-32bit-2.29.2-3.24.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): util-linux-lang-2.29.2-3.24.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libblkid1-2.29.2-3.24.1 libblkid1-debuginfo-2.29.2-3.24.1 libfdisk1-2.29.2-3.24.1 libfdisk1-debuginfo-2.29.2-3.24.1 libmount1-2.29.2-3.24.1 libmount1-debuginfo-2.29.2-3.24.1 libsmartcols1-2.29.2-3.24.1 libsmartcols1-debuginfo-2.29.2-3.24.1 libuuid1-2.29.2-3.24.1 libuuid1-debuginfo-2.29.2-3.24.1 python-libmount-2.29.2-3.24.1 python-libmount-debuginfo-2.29.2-3.24.1 python-libmount-debugsource-2.29.2-3.24.1 util-linux-2.29.2-3.24.1 util-linux-debuginfo-2.29.2-3.24.1 util-linux-debugsource-2.29.2-3.24.1 util-linux-systemd-2.29.2-3.24.1 util-linux-systemd-debuginfo-2.29.2-3.24.1 util-linux-systemd-debugsource-2.29.2-3.24.1 uuidd-2.29.2-3.24.1 uuidd-debuginfo-2.29.2-3.24.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libblkid1-32bit-2.29.2-3.24.1 libblkid1-debuginfo-32bit-2.29.2-3.24.1 libmount1-32bit-2.29.2-3.24.1 libmount1-debuginfo-32bit-2.29.2-3.24.1 libuuid1-32bit-2.29.2-3.24.1 libuuid1-debuginfo-32bit-2.29.2-3.24.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): util-linux-lang-2.29.2-3.24.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libblkid1-2.29.2-3.24.1 libblkid1-32bit-2.29.2-3.24.1 libblkid1-debuginfo-2.29.2-3.24.1 libblkid1-debuginfo-32bit-2.29.2-3.24.1 libfdisk1-2.29.2-3.24.1 libfdisk1-debuginfo-2.29.2-3.24.1 libmount1-2.29.2-3.24.1 libmount1-32bit-2.29.2-3.24.1 libmount1-debuginfo-2.29.2-3.24.1 libmount1-debuginfo-32bit-2.29.2-3.24.1 libsmartcols1-2.29.2-3.24.1 
libsmartcols1-debuginfo-2.29.2-3.24.1 libuuid1-2.29.2-3.24.1 libuuid1-32bit-2.29.2-3.24.1 libuuid1-debuginfo-2.29.2-3.24.1 libuuid1-debuginfo-32bit-2.29.2-3.24.1 python-libmount-2.29.2-3.24.1 python-libmount-debuginfo-2.29.2-3.24.1 python-libmount-debugsource-2.29.2-3.24.1 util-linux-2.29.2-3.24.1 util-linux-debuginfo-2.29.2-3.24.1 util-linux-debugsource-2.29.2-3.24.1 util-linux-systemd-2.29.2-3.24.1 util-linux-systemd-debuginfo-2.29.2-3.24.1 util-linux-systemd-debugsource-2.29.2-3.24.1 uuidd-2.29.2-3.24.1 uuidd-debuginfo-2.29.2-3.24.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): util-linux-lang-2.29.2-3.24.1 - HPE Helion Openstack 8 (x86_64): libblkid1-2.29.2-3.24.1 libblkid1-32bit-2.29.2-3.24.1 libblkid1-debuginfo-2.29.2-3.24.1 libblkid1-debuginfo-32bit-2.29.2-3.24.1 libfdisk1-2.29.2-3.24.1 libfdisk1-debuginfo-2.29.2-3.24.1 libmount1-2.29.2-3.24.1 libmount1-32bit-2.29.2-3.24.1 libmount1-debuginfo-2.29.2-3.24.1 libmount1-debuginfo-32bit-2.29.2-3.24.1 libsmartcols1-2.29.2-3.24.1 libsmartcols1-debuginfo-2.29.2-3.24.1 libuuid1-2.29.2-3.24.1 libuuid1-32bit-2.29.2-3.24.1 libuuid1-debuginfo-2.29.2-3.24.1 libuuid1-debuginfo-32bit-2.29.2-3.24.1 python-libmount-2.29.2-3.24.1 python-libmount-debuginfo-2.29.2-3.24.1 python-libmount-debugsource-2.29.2-3.24.1 util-linux-2.29.2-3.24.1 util-linux-debuginfo-2.29.2-3.24.1 util-linux-debugsource-2.29.2-3.24.1 util-linux-systemd-2.29.2-3.24.1 util-linux-systemd-debuginfo-2.29.2-3.24.1 util-linux-systemd-debugsource-2.29.2-3.24.1 uuidd-2.29.2-3.24.1 uuidd-debuginfo-2.29.2-3.24.1 - HPE Helion Openstack 8 (noarch): util-linux-lang-2.29.2-3.24.1 References: https://www.suse.com/security/cve/CVE-2021-37600.html https://bugzilla.suse.com/1081947 https://bugzilla.suse.com/1082293 https://bugzilla.suse.com/1084671 https://bugzilla.suse.com/1085196 https://bugzilla.suse.com/1106214 https://bugzilla.suse.com/1122417 https://bugzilla.suse.com/1125886 https://bugzilla.suse.com/1135534 https://bugzilla.suse.com/1135708 
https://bugzilla.suse.com/1151708 https://bugzilla.suse.com/1168235 https://bugzilla.suse.com/1168389 https://bugzilla.suse.com/1169006 https://bugzilla.suse.com/1174942 https://bugzilla.suse.com/1175514 https://bugzilla.suse.com/1175623 https://bugzilla.suse.com/1178236 https://bugzilla.suse.com/1178554 https://bugzilla.suse.com/1178825 https://bugzilla.suse.com/1188921 From sle-security-updates at lists.suse.com Tue Oct 19 16:17:27 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Tue, 19 Oct 2021 18:17:27 +0200 (CEST) Subject: SUSE-SU-2021:3468-1: important: Security update for strongswan Message-ID: <20211019161727.58372F432@maintenance.suse.de> SUSE Security Update: Security update for strongswan ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3468-1 Rating: important References: #1191435 Cross-References: CVE-2021-41991 CVSS scores: CVE-2021-41991 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for strongswan fixes the following issues: - CVE-2021-41991: Fixed an integer overflow when replacing certificates in cache. (bsc#1191435) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-3468=1

   - SUSE OpenStack Cloud Crowbar 8:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-3468=1

   - SUSE OpenStack Cloud 9:
      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-3468=1

   - SUSE OpenStack Cloud 8:
      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-3468=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:
      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-3468=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-3468=1

   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3468=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-3468=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-3468=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-3468=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-3468=1

   - HPE Helion Openstack 8:
      zypper in -t patch HPE-Helion-OpenStack-8-2021-3468=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (noarch):
      strongswan-doc-5.1.3-26.16.1

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):
      strongswan-5.1.3-26.16.1
      strongswan-debugsource-5.1.3-26.16.1
      strongswan-hmac-5.1.3-26.16.1
      strongswan-ipsec-5.1.3-26.16.1
      strongswan-ipsec-debuginfo-5.1.3-26.16.1
      strongswan-libs0-5.1.3-26.16.1
      strongswan-libs0-debuginfo-5.1.3-26.16.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):
      strongswan-5.1.3-26.16.1
      strongswan-debugsource-5.1.3-26.16.1
      strongswan-hmac-5.1.3-26.16.1
      strongswan-ipsec-5.1.3-26.16.1
      strongswan-ipsec-debuginfo-5.1.3-26.16.1
      strongswan-libs0-5.1.3-26.16.1
      strongswan-libs0-debuginfo-5.1.3-26.16.1

   - SUSE OpenStack Cloud Crowbar 8 (noarch):
      strongswan-doc-5.1.3-26.16.1

   - SUSE OpenStack Cloud 9 (x86_64):
      strongswan-5.1.3-26.16.1
      strongswan-debugsource-5.1.3-26.16.1
      strongswan-hmac-5.1.3-26.16.1
      strongswan-ipsec-5.1.3-26.16.1
      strongswan-ipsec-debuginfo-5.1.3-26.16.1
      strongswan-libs0-5.1.3-26.16.1
      strongswan-libs0-debuginfo-5.1.3-26.16.1

   - SUSE OpenStack Cloud 9 (noarch):
      strongswan-doc-5.1.3-26.16.1

   - SUSE OpenStack Cloud 8 (noarch):
      strongswan-doc-5.1.3-26.16.1

   - SUSE OpenStack Cloud 8 (x86_64):
      strongswan-5.1.3-26.16.1
      strongswan-debugsource-5.1.3-26.16.1
      strongswan-hmac-5.1.3-26.16.1
      strongswan-ipsec-5.1.3-26.16.1
      strongswan-ipsec-debuginfo-5.1.3-26.16.1
      strongswan-libs0-5.1.3-26.16.1
      strongswan-libs0-debuginfo-5.1.3-26.16.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
      strongswan-5.1.3-26.16.1
      strongswan-debugsource-5.1.3-26.16.1
      strongswan-hmac-5.1.3-26.16.1
      strongswan-ipsec-5.1.3-26.16.1
      strongswan-ipsec-debuginfo-5.1.3-26.16.1
      strongswan-libs0-5.1.3-26.16.1
      strongswan-libs0-debuginfo-5.1.3-26.16.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):
      strongswan-doc-5.1.3-26.16.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      strongswan-5.1.3-26.16.1
      strongswan-debugsource-5.1.3-26.16.1
      strongswan-hmac-5.1.3-26.16.1
      strongswan-ipsec-5.1.3-26.16.1
      strongswan-ipsec-debuginfo-5.1.3-26.16.1
      strongswan-libs0-5.1.3-26.16.1
      strongswan-libs0-debuginfo-5.1.3-26.16.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
      strongswan-doc-5.1.3-26.16.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      strongswan-5.1.3-26.16.1
      strongswan-debugsource-5.1.3-26.16.1
      strongswan-hmac-5.1.3-26.16.1
      strongswan-ipsec-5.1.3-26.16.1
      strongswan-ipsec-debuginfo-5.1.3-26.16.1
      strongswan-libs0-5.1.3-26.16.1
      strongswan-libs0-debuginfo-5.1.3-26.16.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):
      strongswan-doc-5.1.3-26.16.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
      strongswan-5.1.3-26.16.1
      strongswan-debugsource-5.1.3-26.16.1
      strongswan-hmac-5.1.3-26.16.1
      strongswan-ipsec-5.1.3-26.16.1
      strongswan-ipsec-debuginfo-5.1.3-26.16.1
      strongswan-libs0-5.1.3-26.16.1
      strongswan-libs0-debuginfo-5.1.3-26.16.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):
      strongswan-doc-5.1.3-26.16.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
      strongswan-5.1.3-26.16.1
      strongswan-debugsource-5.1.3-26.16.1
      strongswan-hmac-5.1.3-26.16.1
      strongswan-ipsec-5.1.3-26.16.1
      strongswan-ipsec-debuginfo-5.1.3-26.16.1
      strongswan-libs0-5.1.3-26.16.1
      strongswan-libs0-debuginfo-5.1.3-26.16.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
      strongswan-doc-5.1.3-26.16.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
      strongswan-doc-5.1.3-26.16.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
      strongswan-5.1.3-26.16.1
      strongswan-debugsource-5.1.3-26.16.1
      strongswan-hmac-5.1.3-26.16.1
      strongswan-ipsec-5.1.3-26.16.1
      strongswan-ipsec-debuginfo-5.1.3-26.16.1
      strongswan-libs0-5.1.3-26.16.1
      strongswan-libs0-debuginfo-5.1.3-26.16.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
      strongswan-5.1.3-26.16.1
      strongswan-debugsource-5.1.3-26.16.1
      strongswan-hmac-5.1.3-26.16.1
      strongswan-ipsec-5.1.3-26.16.1
      strongswan-ipsec-debuginfo-5.1.3-26.16.1
      strongswan-libs0-5.1.3-26.16.1
      strongswan-libs0-debuginfo-5.1.3-26.16.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
      strongswan-doc-5.1.3-26.16.1

   - HPE Helion Openstack 8 (noarch):
      strongswan-doc-5.1.3-26.16.1

   - HPE Helion Openstack 8 (x86_64):
      strongswan-5.1.3-26.16.1
      strongswan-debugsource-5.1.3-26.16.1
      strongswan-hmac-5.1.3-26.16.1
      strongswan-ipsec-5.1.3-26.16.1
      strongswan-ipsec-debuginfo-5.1.3-26.16.1
      strongswan-libs0-5.1.3-26.16.1
      strongswan-libs0-debuginfo-5.1.3-26.16.1

References:

   https://www.suse.com/security/cve/CVE-2021-41991.html
   https://bugzilla.suse.com/1191435

From sle-security-updates at lists.suse.com  Tue Oct 19 16:22:03 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 19 Oct 2021 18:22:03 +0200 (CEST)
Subject: SUSE-SU-2021:14827-1: important: Security update for strongswan
Message-ID: <20211019162203.53E0AF432@maintenance.suse.de>

   SUSE Security Update: Security update for strongswan
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14827-1
Rating:             important
References:         #1191435
Cross-References:   CVE-2021-41991
CVSS scores:
                    CVE-2021-41991 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for strongswan fixes the following issues:

   - CVE-2021-41991: Fixed an integer overflow when replacing certificates in
     cache. (bsc#1191435)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:
      zypper in -t patch slessp4-strongswan-14827=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:
      zypper in -t patch sleposp3-strongswan-14827=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-strongswan-14827=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:
      zypper in -t patch dbgsp3-strongswan-14827=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
      strongswan-4.4.0-6.36.9.1
      strongswan-doc-4.4.0-6.36.9.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
      strongswan-4.4.0-6.36.9.1
      strongswan-doc-4.4.0-6.36.9.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
      strongswan-debuginfo-4.4.0-6.36.9.1
      strongswan-debugsource-4.4.0-6.36.9.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
      strongswan-debuginfo-4.4.0-6.36.9.1
      strongswan-debugsource-4.4.0-6.36.9.1

References:
   https://www.suse.com/security/cve/CVE-2021-41991.html
   https://bugzilla.suse.com/1191435

From sle-security-updates at lists.suse.com  Tue Oct 19 16:23:16 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 19 Oct 2021 18:23:16 +0200 (CEST)
Subject: SUSE-SU-2021:3467-1: important: Security update for strongswan
Message-ID: <20211019162316.B8972F432@maintenance.suse.de>

   SUSE Security Update: Security update for strongswan
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3467-1
Rating:             important
References:         #1191367 #1191435 SLE-20151
Cross-References:   CVE-2021-41990 CVE-2021-41991
CVSS scores:
                    CVE-2021-41990 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-41991 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP3
                    SUSE Linux Enterprise Workstation Extension 15-SP2
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities and contains one feature is now
   available.

Description:

   This update for strongswan fixes the following issues:

   A feature was added:

   - Add auth_els plugin to support Marvell FC-SP encryption (jsc#SLE-20151)

   Security issues fixed:

   - CVE-2021-41991: Fixed an integer overflow when replacing certificates in
     cache. (bsc#1191435)
   - CVE-2021-41990: Fixed an integer overflow in the gmp plugin. (bsc#1191367)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 15-SP3:
      zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-3467=1

   - SUSE Linux Enterprise Workstation Extension 15-SP2:
      zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-3467=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:
      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-3467=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-3467=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3467=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3467=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):
      strongswan-debuginfo-5.8.2-11.21.1
      strongswan-debugsource-5.8.2-11.21.1
      strongswan-nm-5.8.2-11.21.1
      strongswan-nm-debuginfo-5.8.2-11.21.1

   - SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):
      strongswan-debuginfo-5.8.2-11.21.1
      strongswan-debugsource-5.8.2-11.21.1
      strongswan-nm-5.8.2-11.21.1
      strongswan-nm-debuginfo-5.8.2-11.21.1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x x86_64):
      strongswan-debuginfo-5.8.2-11.21.1
      strongswan-debugsource-5.8.2-11.21.1
      strongswan-nm-5.8.2-11.21.1
      strongswan-nm-debuginfo-5.8.2-11.21.1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (aarch64 ppc64le s390x x86_64):
      strongswan-debuginfo-5.8.2-11.21.1
      strongswan-debugsource-5.8.2-11.21.1
      strongswan-nm-5.8.2-11.21.1
      strongswan-nm-debuginfo-5.8.2-11.21.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
      strongswan-5.8.2-11.21.1
      strongswan-debuginfo-5.8.2-11.21.1
      strongswan-debugsource-5.8.2-11.21.1
      strongswan-hmac-5.8.2-11.21.1
      strongswan-ipsec-5.8.2-11.21.1
      strongswan-ipsec-debuginfo-5.8.2-11.21.1
      strongswan-libs0-5.8.2-11.21.1
      strongswan-libs0-debuginfo-5.8.2-11.21.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
      strongswan-doc-5.8.2-11.21.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
      strongswan-5.8.2-11.21.1
      strongswan-debuginfo-5.8.2-11.21.1
      strongswan-debugsource-5.8.2-11.21.1
      strongswan-hmac-5.8.2-11.21.1
      strongswan-ipsec-5.8.2-11.21.1
      strongswan-ipsec-debuginfo-5.8.2-11.21.1
      strongswan-libs0-5.8.2-11.21.1
      strongswan-libs0-debuginfo-5.8.2-11.21.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
      strongswan-doc-5.8.2-11.21.1

References:

   https://www.suse.com/security/cve/CVE-2021-41990.html
   https://www.suse.com/security/cve/CVE-2021-41991.html
   https://bugzilla.suse.com/1191367
   https://bugzilla.suse.com/1191435

From sle-security-updates at lists.suse.com  Tue Oct 19 19:15:40 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 19 Oct 2021 21:15:40 +0200 (CEST)
Subject: SUSE-SU-2021:3469-1: moderate: Security update for strongswan
Message-ID: <20211019191540.7A0FEF432@maintenance.suse.de>

   SUSE Security Update: Security update for strongswan
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3469-1
Rating:             moderate
References:         #1167880 #1191367 #1191435
Cross-References:   CVE-2021-41990 CVE-2021-41991
CVSS scores:
                    CVE-2021-41990 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-41991 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now
   available.

Description:

   This update for strongswan fixes the following issues:

   - Fix trailing quotation mark missing from example in README. (bsc#1167880)
   - CVE-2021-41991: Fixed an integer overflow when replacing certificates in
     cache. (bsc#1191435)
   - CVE-2021-41990: Fixed an integer overflow in the gmp plugin. (bsc#1191367)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15-SP1:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-3469=1

   - SUSE Linux Enterprise Server for SAP 15:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-3469=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-3469=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-3469=1

   - SUSE Linux Enterprise Server 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-3469=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-3469=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-3469=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3469=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3469=1

   - SUSE Enterprise Storage 6:
      zypper in -t patch SUSE-Storage-6-2021-3469=1

   - SUSE CaaS Platform 4.0:
      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
      inform you if it detects new updates and let you then trigger updating of
      the complete cluster in a controlled way.

Package List:

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
      strongswan-5.8.2-4.14.2
      strongswan-debuginfo-5.8.2-4.14.2
      strongswan-debugsource-5.8.2-4.14.2
      strongswan-hmac-5.8.2-4.14.2
      strongswan-ipsec-5.8.2-4.14.2
      strongswan-ipsec-debuginfo-5.8.2-4.14.2
      strongswan-libs0-5.8.2-4.14.2
      strongswan-libs0-debuginfo-5.8.2-4.14.2

   - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):
      strongswan-doc-5.8.2-4.14.2

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
      strongswan-5.8.2-4.14.2
      strongswan-debuginfo-5.8.2-4.14.2
      strongswan-debugsource-5.8.2-4.14.2
      strongswan-hmac-5.8.2-4.14.2
      strongswan-ipsec-5.8.2-4.14.2
      strongswan-ipsec-debuginfo-5.8.2-4.14.2
      strongswan-libs0-5.8.2-4.14.2
      strongswan-libs0-debuginfo-5.8.2-4.14.2

   - SUSE Linux Enterprise Server for SAP 15 (noarch):
      strongswan-doc-5.8.2-4.14.2

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
      strongswan-5.8.2-4.14.2
      strongswan-debuginfo-5.8.2-4.14.2
      strongswan-debugsource-5.8.2-4.14.2
      strongswan-hmac-5.8.2-4.14.2
      strongswan-ipsec-5.8.2-4.14.2
      strongswan-ipsec-debuginfo-5.8.2-4.14.2
      strongswan-libs0-5.8.2-4.14.2
      strongswan-libs0-debuginfo-5.8.2-4.14.2

   - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):
      strongswan-doc-5.8.2-4.14.2

   - SUSE Linux Enterprise Server 15-SP1-BCL (noarch):
      strongswan-doc-5.8.2-4.14.2

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
      strongswan-5.8.2-4.14.2
      strongswan-debuginfo-5.8.2-4.14.2
      strongswan-debugsource-5.8.2-4.14.2
      strongswan-hmac-5.8.2-4.14.2
      strongswan-ipsec-5.8.2-4.14.2
      strongswan-ipsec-debuginfo-5.8.2-4.14.2
      strongswan-libs0-5.8.2-4.14.2
      strongswan-libs0-debuginfo-5.8.2-4.14.2

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
      strongswan-5.8.2-4.14.2
      strongswan-debuginfo-5.8.2-4.14.2
      strongswan-debugsource-5.8.2-4.14.2
      strongswan-hmac-5.8.2-4.14.2
      strongswan-ipsec-5.8.2-4.14.2
      strongswan-ipsec-debuginfo-5.8.2-4.14.2
      strongswan-libs0-5.8.2-4.14.2
      strongswan-libs0-debuginfo-5.8.2-4.14.2

   - SUSE Linux Enterprise Server 15-LTSS (noarch):
      strongswan-doc-5.8.2-4.14.2

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
      strongswan-5.8.2-4.14.2
      strongswan-debuginfo-5.8.2-4.14.2
      strongswan-debugsource-5.8.2-4.14.2
      strongswan-hmac-5.8.2-4.14.2
      strongswan-ipsec-5.8.2-4.14.2
      strongswan-ipsec-debuginfo-5.8.2-4.14.2
      strongswan-libs0-5.8.2-4.14.2
      strongswan-libs0-debuginfo-5.8.2-4.14.2

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):
      strongswan-doc-5.8.2-4.14.2

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
      strongswan-5.8.2-4.14.2
      strongswan-debuginfo-5.8.2-4.14.2
      strongswan-debugsource-5.8.2-4.14.2
      strongswan-hmac-5.8.2-4.14.2
      strongswan-ipsec-5.8.2-4.14.2
      strongswan-ipsec-debuginfo-5.8.2-4.14.2
      strongswan-libs0-5.8.2-4.14.2
      strongswan-libs0-debuginfo-5.8.2-4.14.2

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):
      strongswan-doc-5.8.2-4.14.2

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
      strongswan-5.8.2-4.14.2
      strongswan-debuginfo-5.8.2-4.14.2
      strongswan-debugsource-5.8.2-4.14.2
      strongswan-hmac-5.8.2-4.14.2
      strongswan-ipsec-5.8.2-4.14.2
      strongswan-ipsec-debuginfo-5.8.2-4.14.2
      strongswan-libs0-5.8.2-4.14.2
      strongswan-libs0-debuginfo-5.8.2-4.14.2

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
      strongswan-doc-5.8.2-4.14.2

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
      strongswan-5.8.2-4.14.2
      strongswan-debuginfo-5.8.2-4.14.2
      strongswan-debugsource-5.8.2-4.14.2
      strongswan-hmac-5.8.2-4.14.2
      strongswan-ipsec-5.8.2-4.14.2
      strongswan-ipsec-debuginfo-5.8.2-4.14.2
      strongswan-libs0-5.8.2-4.14.2
      strongswan-libs0-debuginfo-5.8.2-4.14.2

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
      strongswan-doc-5.8.2-4.14.2

   - SUSE Enterprise Storage 6 (aarch64 x86_64):
      strongswan-5.8.2-4.14.2
      strongswan-debuginfo-5.8.2-4.14.2
      strongswan-debugsource-5.8.2-4.14.2
      strongswan-hmac-5.8.2-4.14.2
      strongswan-ipsec-5.8.2-4.14.2
      strongswan-ipsec-debuginfo-5.8.2-4.14.2
      strongswan-libs0-5.8.2-4.14.2
      strongswan-libs0-debuginfo-5.8.2-4.14.2

   - SUSE Enterprise Storage 6 (noarch):
      strongswan-doc-5.8.2-4.14.2

   - SUSE CaaS Platform 4.0 (x86_64):
      strongswan-5.8.2-4.14.2
      strongswan-debuginfo-5.8.2-4.14.2
      strongswan-debugsource-5.8.2-4.14.2
      strongswan-hmac-5.8.2-4.14.2
      strongswan-ipsec-5.8.2-4.14.2
      strongswan-ipsec-debuginfo-5.8.2-4.14.2
      strongswan-libs0-5.8.2-4.14.2
      strongswan-libs0-debuginfo-5.8.2-4.14.2

   - SUSE CaaS Platform 4.0 (noarch):
      strongswan-doc-5.8.2-4.14.2

References:

   https://www.suse.com/security/cve/CVE-2021-41990.html
   https://www.suse.com/security/cve/CVE-2021-41991.html
   https://bugzilla.suse.com/1167880
   https://bugzilla.suse.com/1191367
   https://bugzilla.suse.com/1191435

From sle-security-updates at lists.suse.com  Wed Oct 20 06:44:27 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Oct 2021 08:44:27 +0200 (CEST)
Subject: SUSE-CU-2021:420-1: Security update of suse/sles12sp3
Message-ID: <20211020064427.EECE0F432@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp3
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:420-1
Container Tags        : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.314 , suse/sles12sp3:latest
Container Release     : 24.314
Severity              : moderate
Type                  : security
References            : 1081947 1082293 1084671 1085196 1106214 1122417 1125886 1135534
                        1135708 1151708 1168235 1168389 1169006 1174942 1175514 1175623
                        1178236 1178554 1178825 1188921 CVE-2021-37600
-----------------------------------------------------------------

The container suse/sles12sp3 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3463-1
Released:    Tue Oct 19 09:27:38 2021
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1081947,1082293,1084671,1085196,1106214,1122417,1125886,1135534,1135708,1151708,1168235,1168389,1169006,1174942,1175514,1175623,1178236,1178554,1178825,1188921,CVE-2021-37600

This update for util-linux fixes the following issues:

- CVE-2021-37600: Fixed an integer overflow which could lead to buffer overflow in get_sem_elements. (bsc#1188921)
- Prevent outdated pam files (bsc#1082293, bsc#1081947#c68).
- Do not trim read-only volumes (bsc#1106214).
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Reload issue only if it is really needed (bsc#1085196)
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- blockdev: Do not fail --report on kpartx-style partitions on multipath. (bsc#1168235)
- nologin: Add support for -c to prevent error from su -c. (bsc#1151708)
- Avoid triggering autofs in lookup_umount_fs_by_statfs. (bsc#1168389)
- libblkid: Do not trigger CDROM autoclose. (bsc#1084671)
- Avoid sulogin failing on not existing or not functional console devices. (bsc#1175514)
- Build with libudev support to support non-root users. (bsc#1169006)
- lscpu: avoid segfault on PowerPC systems with valid hardware configurations. (bsc#1175623, bsc#1178554, bsc#1178825)
- Fix for warning on mounts to CIFS with mount. (SG#57988, bsc#1174942)

From sle-security-updates at lists.suse.com  Wed Oct 20 10:22:47 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Oct 2021 12:22:47 +0200 (CEST)
Subject: SUSE-SU-2021:3473-1: important: Security update for python-Pygments
Message-ID: <20211020102247.E306FF432@maintenance.suse.de>

   SUSE Security Update: Security update for python-Pygments
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3473-1
Rating:             important
References:         #1183169
Cross-References:   CVE-2021-20270
CVSS scores:
                    CVE-2021-20270 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-20270 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python-Pygments fixes the following issues:

   - CVE-2021-20270: Fixed an infinite loop in the SML lexer (bsc#1183169).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-3473=1 - SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-3473=1 - SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-3473=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3473=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-3473=1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-3473=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2021-3473=1 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. 
Package List: - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): python3-Pygments-2.6.1-7.7.1 - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): python3-Pygments-2.6.1-7.7.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): python3-Pygments-2.6.1-7.7.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): python3-Pygments-2.6.1-7.7.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): python3-Pygments-2.6.1-7.7.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): python3-Pygments-2.6.1-7.7.1 - SUSE Enterprise Storage 6 (noarch): python3-Pygments-2.6.1-7.7.1 - SUSE CaaS Platform 4.0 (noarch): python3-Pygments-2.6.1-7.7.1 References: https://www.suse.com/security/cve/CVE-2021-20270.html https://bugzilla.suse.com/1183169 From sle-security-updates at lists.suse.com Wed Oct 20 10:24:16 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 20 Oct 2021 12:24:16 +0200 (CEST) Subject: SUSE-SU-2021:3472-1: important: Security update for flatpak Message-ID: <20211020102416.8FDF5F432@maintenance.suse.de> SUSE Security Update: Security update for flatpak ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3472-1 Rating: important References: #1191507 Cross-References: CVE-2021-41133 CVSS scores: CVE-2021-41133 (SUSE): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP3 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for flatpak fixes the following issues: - Update to version 1.10.5: - CVE-2021-41133: Fixed a bug that could lead to sandbox bypass via recent VFS-manipulating syscalls. 
(bsc#1191507) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-3472=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-3472=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64): flatpak-1.10.5-4.9.1 flatpak-debuginfo-1.10.5-4.9.1 flatpak-debugsource-1.10.5-4.9.1 flatpak-devel-1.10.5-4.9.1 flatpak-zsh-completion-1.10.5-4.9.1 libflatpak0-1.10.5-4.9.1 libflatpak0-debuginfo-1.10.5-4.9.1 system-user-flatpak-1.10.5-4.9.1 typelib-1_0-Flatpak-1_0-1.10.5-4.9.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): flatpak-1.10.5-4.9.1 flatpak-debuginfo-1.10.5-4.9.1 flatpak-debugsource-1.10.5-4.9.1 flatpak-devel-1.10.5-4.9.1 flatpak-zsh-completion-1.10.5-4.9.1 libflatpak0-1.10.5-4.9.1 libflatpak0-debuginfo-1.10.5-4.9.1 system-user-flatpak-1.10.5-4.9.1 typelib-1_0-Flatpak-1_0-1.10.5-4.9.1 References: https://www.suse.com/security/cve/CVE-2021-41133.html https://bugzilla.suse.com/1191507 From sle-security-updates at lists.suse.com Wed Oct 20 10:28:42 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 20 Oct 2021 12:28:42 +0200 (CEST) Subject: SUSE-SU-2021:3477-1: moderate: Security update for python3 Message-ID: <20211020102842.78672F432@maintenance.suse.de> SUSE Security Update: Security update for python3 ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3477-1 Rating: moderate References: #1187668 #1189241 #1189287 Cross-References: CVE-2021-3733 CVE-2021-3737 CVSS scores: CVE-2021-3733 (SUSE): 4 
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-3737 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for python3 fixes the following issues: - CVE-2021-3737: Fixed http client infinite line reading (DoS) after a http 100. (bsc#1189241) - CVE-2021-3733: Fixed ReDoS in urllib.request. (bsc#1189287) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3477=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3477=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2021-3477=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): python3-base-debuginfo-3.4.10-25.80.2 python3-base-debugsource-3.4.10-25.80.2 python3-dbm-3.4.10-25.80.2 python3-dbm-debuginfo-3.4.10-25.80.2 python3-debuginfo-3.4.10-25.80.2 python3-debugsource-3.4.10-25.80.2 python3-devel-3.4.10-25.80.2 - SUSE Linux Enterprise Software Development Kit 12-SP5 (ppc64le s390x x86_64): python3-devel-debuginfo-3.4.10-25.80.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libpython3_4m1_0-3.4.10-25.80.2 libpython3_4m1_0-debuginfo-3.4.10-25.80.2 python3-3.4.10-25.80.2 python3-base-3.4.10-25.80.2 python3-base-debuginfo-3.4.10-25.80.2 python3-base-debugsource-3.4.10-25.80.2 python3-curses-3.4.10-25.80.2 python3-curses-debuginfo-3.4.10-25.80.2 
python3-debuginfo-3.4.10-25.80.2 python3-debugsource-3.4.10-25.80.2 python3-devel-3.4.10-25.80.2 python3-tk-3.4.10-25.80.2 python3-tk-debuginfo-3.4.10-25.80.2 - SUSE Linux Enterprise Server 12-SP5 (ppc64le s390x x86_64): python3-devel-debuginfo-3.4.10-25.80.2 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libpython3_4m1_0-32bit-3.4.10-25.80.2 libpython3_4m1_0-debuginfo-32bit-3.4.10-25.80.2 python3-base-debuginfo-32bit-3.4.10-25.80.2 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): libpython3_4m1_0-3.4.10-25.80.2 libpython3_4m1_0-debuginfo-3.4.10-25.80.2 python3-3.4.10-25.80.2 python3-base-3.4.10-25.80.2 python3-base-debuginfo-3.4.10-25.80.2 python3-base-debugsource-3.4.10-25.80.2 python3-curses-3.4.10-25.80.2 python3-debuginfo-3.4.10-25.80.2 python3-debugsource-3.4.10-25.80.2 References: https://www.suse.com/security/cve/CVE-2021-3733.html https://www.suse.com/security/cve/CVE-2021-3737.html https://bugzilla.suse.com/1187668 https://bugzilla.suse.com/1189241 https://bugzilla.suse.com/1189287 From sle-security-updates at lists.suse.com Wed Oct 20 10:31:51 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 20 Oct 2021 12:31:51 +0200 (CEST) Subject: SUSE-SU-2021:3474-1: moderate: Security update for util-linux Message-ID: <20211020103151.0757FF432@maintenance.suse.de> SUSE Security Update: Security update for util-linux ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3474-1 Rating: moderate References: #1178236 #1188921 Cross-References: CVE-2021-37600 CVSS scores: CVE-2021-37600 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-37600 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Affected Products: SUSE MicroOS 5.1 SUSE Linux Enterprise Module for Server Applications 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP3 
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for util-linux fixes the following issues:

   - CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow
     in get_sem_elements() in sys-utils/ipcutils.c. (bsc#1188921)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.1:

      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3474=1

   - SUSE Linux Enterprise Module for Server Applications 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-3474=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3474=1

Package List:

   - SUSE MicroOS 5.1 (aarch64 s390x x86_64):

      libblkid1-2.36.2-4.5.1
      libblkid1-debuginfo-2.36.2-4.5.1
      libfdisk1-2.36.2-4.5.1
      libfdisk1-debuginfo-2.36.2-4.5.1
      libmount1-2.36.2-4.5.1
      libmount1-debuginfo-2.36.2-4.5.1
      libsmartcols1-2.36.2-4.5.1
      libsmartcols1-debuginfo-2.36.2-4.5.1
      libuuid1-2.36.2-4.5.1
      libuuid1-debuginfo-2.36.2-4.5.1
      util-linux-2.36.2-4.5.1
      util-linux-debuginfo-2.36.2-4.5.1
      util-linux-debugsource-2.36.2-4.5.1
      util-linux-systemd-2.36.2-4.5.1
      util-linux-systemd-debuginfo-2.36.2-4.5.1
      util-linux-systemd-debugsource-2.36.2-4.5.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64):

      util-linux-systemd-debuginfo-2.36.2-4.5.1
      util-linux-systemd-debugsource-2.36.2-4.5.1
      uuidd-2.36.2-4.5.1
      uuidd-debuginfo-2.36.2-4.5.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      libblkid-devel-2.36.2-4.5.1
      libblkid-devel-static-2.36.2-4.5.1
      libblkid1-2.36.2-4.5.1
      libblkid1-debuginfo-2.36.2-4.5.1
      libfdisk-devel-2.36.2-4.5.1
      libfdisk1-2.36.2-4.5.1
      libfdisk1-debuginfo-2.36.2-4.5.1
      libmount-devel-2.36.2-4.5.1
      libmount1-2.36.2-4.5.1
      libmount1-debuginfo-2.36.2-4.5.1
      libsmartcols-devel-2.36.2-4.5.1
      libsmartcols1-2.36.2-4.5.1
      libsmartcols1-debuginfo-2.36.2-4.5.1
      libuuid-devel-2.36.2-4.5.1
      libuuid-devel-static-2.36.2-4.5.1
      libuuid1-2.36.2-4.5.1
      libuuid1-debuginfo-2.36.2-4.5.1
      util-linux-2.36.2-4.5.1
      util-linux-debuginfo-2.36.2-4.5.1
      util-linux-debugsource-2.36.2-4.5.1
      util-linux-systemd-2.36.2-4.5.1
      util-linux-systemd-debuginfo-2.36.2-4.5.1
      util-linux-systemd-debugsource-2.36.2-4.5.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):

      util-linux-lang-2.36.2-4.5.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):

      libblkid1-32bit-2.36.2-4.5.1
      libblkid1-32bit-debuginfo-2.36.2-4.5.1
      libmount1-32bit-2.36.2-4.5.1
      libmount1-32bit-debuginfo-2.36.2-4.5.1
      libuuid1-32bit-2.36.2-4.5.1
      libuuid1-32bit-debuginfo-2.36.2-4.5.1

References:

   https://www.suse.com/security/cve/CVE-2021-37600.html
   https://bugzilla.suse.com/1178236
   https://bugzilla.suse.com/1188921

From sle-security-updates at lists.suse.com  Wed Oct 20 10:33:33 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Oct 2021 12:33:33 +0200 (CEST)
Subject: SUSE-SU-2021:3476-1: important: Security update for xstream
Message-ID: <20211020103333.B2FB0F432@maintenance.suse.de>

   SUSE Security Update: Security update for xstream
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3476-1
Rating:             important
References:         #1189798
Cross-References:   CVE-2021-39139 CVE-2021-39140 CVE-2021-39141 CVE-2021-39144
                    CVE-2021-39145 CVE-2021-39146 CVE-2021-39147 CVE-2021-39148
                    CVE-2021-39149 CVE-2021-39150 CVE-2021-39151 CVE-2021-39152
                    CVE-2021-39153 CVE-2021-39154
CVSS scores:
                    CVE-2021-39139 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-39139 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-39140 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-39141 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-39141 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-39144 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-39144 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-39145 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-39145 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-39146 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-39146 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-39147 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-39147 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-39148 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-39148 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-39149 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-39149 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-39150 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-39150 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-39151 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-39151 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-39152 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-39152 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-39153 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-39153 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-39154 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-39154 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.2
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.1
                    SUSE Linux Enterprise Module for Development Tools 15-SP3
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
______________________________________________________________________________

   An update that fixes 14 vulnerabilities is now available.

Description:

   This update for xstream fixes the following issues:

   - Upgrade to 1.4.18
   - CVE-2021-39139: Fixed an issue that allowed an attacker to achieve arbitrary code
     execution by manipulating the processed input stream with type information. (bsc#1189798)
   - CVE-2021-39140: Fixed an issue that allowed an attacker to execute a DoS attack by
     manipulating the processed input stream. (bsc#1189798)
   - CVE-2021-39141: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
   - CVE-2021-39144: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
   - CVE-2021-39145: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
   - CVE-2021-39146: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
   - CVE-2021-39147: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
   - CVE-2021-39148: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
   - CVE-2021-39149: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
   - CVE-2021-39150: Fixed an issue that allowed an attacker to access protected resources
     hosted within the intranet or in the host itself. (bsc#1189798)
   - CVE-2021-39151: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
   - CVE-2021-39152: Fixed an issue that allowed an attacker to access protected resources
     hosted within the intranet or in the host itself. (bsc#1189798)
   - CVE-2021-39153: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)
   - CVE-2021-39154: Fixed an issue that allowed an attacker to achieve arbitrary code execution. (bsc#1189798)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2021-3476=1

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-3476=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-3476=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-3476=1

Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):

      xstream-1.4.18-3.14.1

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):

      xstream-1.4.18-3.14.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch):

      xstream-1.4.18-3.14.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch):

      xstream-1.4.18-3.14.1

References:

   https://www.suse.com/security/cve/CVE-2021-39139.html
   https://www.suse.com/security/cve/CVE-2021-39140.html
   https://www.suse.com/security/cve/CVE-2021-39141.html
   https://www.suse.com/security/cve/CVE-2021-39144.html
   https://www.suse.com/security/cve/CVE-2021-39145.html
   https://www.suse.com/security/cve/CVE-2021-39146.html
   https://www.suse.com/security/cve/CVE-2021-39147.html
   https://www.suse.com/security/cve/CVE-2021-39148.html
   https://www.suse.com/security/cve/CVE-2021-39149.html
   https://www.suse.com/security/cve/CVE-2021-39150.html
   https://www.suse.com/security/cve/CVE-2021-39151.html
   https://www.suse.com/security/cve/CVE-2021-39152.html
   https://www.suse.com/security/cve/CVE-2021-39153.html
   https://www.suse.com/security/cve/CVE-2021-39154.html
   https://bugzilla.suse.com/1189798

From sle-security-updates at lists.suse.com  Wed Oct 20 10:35:07 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Oct 2021 12:35:07 +0200 (CEST)
Subject: SUSE-SU-2021:3475-1: moderate: Security update for util-linux
Message-ID: <20211020103507.E7E3FF432@maintenance.suse.de>

   SUSE Security Update: Security update for util-linux
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3475-1
Rating:             moderate
References:         #1178236 #1188921
Cross-References:   CVE-2021-37600
CVSS scores:
                    CVE-2021-37600 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2021-37600 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for util-linux fixes the following issues:

   - CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow
     in get_sem_elements() in sys-utils/ipcutils.c. (bsc#1188921)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP5:

      zypper in -t patch SUSE-SLE-WE-12-SP5-2021-3475=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3475=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3475=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

      libuuid-devel-2.33.2-4.11.1
      util-linux-debuginfo-2.33.2-4.11.1
      util-linux-debugsource-2.33.2-4.11.1

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      libblkid-devel-2.33.2-4.11.1
      libmount-devel-2.33.2-4.11.1
      libsmartcols-devel-2.33.2-4.11.1
      libuuid-devel-2.33.2-4.11.1
      util-linux-debuginfo-2.33.2-4.11.1
      util-linux-debugsource-2.33.2-4.11.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libblkid1-2.33.2-4.11.1
      libblkid1-debuginfo-2.33.2-4.11.1
      libfdisk1-2.33.2-4.11.1
      libfdisk1-debuginfo-2.33.2-4.11.1
      libmount1-2.33.2-4.11.1
      libmount1-debuginfo-2.33.2-4.11.1
      libsmartcols1-2.33.2-4.11.1
      libsmartcols1-debuginfo-2.33.2-4.11.1
      libuuid1-2.33.2-4.11.1
      libuuid1-debuginfo-2.33.2-4.11.1
      python-libmount-2.33.2-4.11.1
      python-libmount-debuginfo-2.33.2-4.11.1
      python-libmount-debugsource-2.33.2-4.11.1
      util-linux-2.33.2-4.11.1
      util-linux-debuginfo-2.33.2-4.11.1
      util-linux-debugsource-2.33.2-4.11.1
      util-linux-systemd-2.33.2-4.11.1
      util-linux-systemd-debuginfo-2.33.2-4.11.1
      util-linux-systemd-debugsource-2.33.2-4.11.1
      uuidd-2.33.2-4.11.1
      uuidd-debuginfo-2.33.2-4.11.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libblkid1-32bit-2.33.2-4.11.1
      libblkid1-debuginfo-32bit-2.33.2-4.11.1
      libmount1-32bit-2.33.2-4.11.1
      libmount1-debuginfo-32bit-2.33.2-4.11.1
      libuuid1-32bit-2.33.2-4.11.1
      libuuid1-debuginfo-32bit-2.33.2-4.11.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      util-linux-lang-2.33.2-4.11.1

References:

   https://www.suse.com/security/cve/CVE-2021-37600.html
   https://bugzilla.suse.com/1178236
   https://bugzilla.suse.com/1188921

From sle-security-updates at lists.suse.com  Wed Oct 20 16:19:55 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Oct 2021 18:19:55 +0200 (CEST)
Subject: SUSE-SU-2021:3481-1: important: Security update for postgresql10
Message-ID: <20211020161955.CE7AEF476@maintenance.suse.de>

   SUSE Security Update: Security update for postgresql10
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3481-1
Rating:             important
References:         #1178961 #1179765 #1179945 #1183118 #1183168 #1185924
                    #1185925 #1185952 #1187751 #1190177
Cross-References:   CVE-2021-32027 CVE-2021-32028
CVSS scores:
                    CVE-2021-32027 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-32027 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-32028 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that solves two vulnerabilities and has 8 fixes is now available.

Description:

   This update for postgresql10 fixes the following issues:

   - Fix for build with llvm12 on s390x. (bsc#1185952)
   - Re-enable 'icu' for PostgreSQL 10. (bsc#1179945)
   - Add postgresqlXX-server-devel as a dependency for postgresql13-server-devel. (bsc#1187751)
   - Upgrade to version 10.18. (bsc#1190177)

   Upgrade to version 10.17 (already released for SUSE Linux Enterprise 12 SP5):

   - CVE-2021-32027: Fixed integer overflows in array subscripting calculations (bsc#1185924).
   - CVE-2021-32028: Fixed mishandling of junk columns in INSERT ... ON CONFLICT ... UPDATE
     target lists (bsc#1185925).
   - Don't use %_stop_on_removal, because it was meant to be private and got removed from
     openSUSE. %_restart_on_update is also private, but still supported and needed for now
     (bsc#1183168).
   - Re-enable build of the llvmjit subpackage on SLE, but it will only be delivered on
     PackageHub for now (bsc#1183118).
   - Disable icu for PostgreSQL 10 (and older) on TW (bsc#1179945).
   - Fixed an issue dropping irregular warning messages by removing the package. (bsc#1178961)
   - Fixed an issue where the build did not build the requirements, to avoid dangling
     symlinks in the devel package. (bsc#1179765)
   - Fix recently-added timetz test case so it works when the USA is not observing
     daylight savings time.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-3481=1

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-3481=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-3481=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-3481=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3481=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-3481=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-3481=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3481=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-3481=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-3481=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-3481=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-3481=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2021-3481=1

Package List:

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      postgresql10-docs-10.18-4.19.6

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      postgresql10-10.18-4.19.6
      postgresql10-contrib-10.18-4.19.6
      postgresql10-contrib-debuginfo-10.18-4.19.6
      postgresql10-debuginfo-10.18-4.19.6
      postgresql10-debugsource-10.18-4.19.6
      postgresql10-plperl-10.18-4.19.6
      postgresql10-plperl-debuginfo-10.18-4.19.6
      postgresql10-plpython-10.18-4.19.6
      postgresql10-plpython-debuginfo-10.18-4.19.6
      postgresql10-pltcl-10.18-4.19.6
      postgresql10-pltcl-debuginfo-10.18-4.19.6
      postgresql10-server-10.18-4.19.6
      postgresql10-server-debuginfo-10.18-4.19.6

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      postgresql10-10.18-4.19.6
      postgresql10-contrib-10.18-4.19.6
      postgresql10-contrib-debuginfo-10.18-4.19.6
      postgresql10-debuginfo-10.18-4.19.6
      postgresql10-debugsource-10.18-4.19.6
      postgresql10-plperl-10.18-4.19.6
      postgresql10-plperl-debuginfo-10.18-4.19.6
      postgresql10-plpython-10.18-4.19.6
      postgresql10-plpython-debuginfo-10.18-4.19.6
      postgresql10-pltcl-10.18-4.19.6
      postgresql10-pltcl-debuginfo-10.18-4.19.6
      postgresql10-server-10.18-4.19.6
      postgresql10-server-debuginfo-10.18-4.19.6

   - SUSE OpenStack Cloud Crowbar 8 (noarch):

      postgresql10-docs-10.18-4.19.6

   - SUSE OpenStack Cloud 9 (noarch):

      postgresql10-docs-10.18-4.19.6

   - SUSE OpenStack Cloud 9 (x86_64):

      postgresql10-10.18-4.19.6
      postgresql10-contrib-10.18-4.19.6
      postgresql10-contrib-debuginfo-10.18-4.19.6
      postgresql10-debuginfo-10.18-4.19.6
      postgresql10-debugsource-10.18-4.19.6
      postgresql10-plperl-10.18-4.19.6
      postgresql10-plperl-debuginfo-10.18-4.19.6
      postgresql10-plpython-10.18-4.19.6
      postgresql10-plpython-debuginfo-10.18-4.19.6
      postgresql10-pltcl-10.18-4.19.6
      postgresql10-pltcl-debuginfo-10.18-4.19.6
      postgresql10-server-10.18-4.19.6
      postgresql10-server-debuginfo-10.18-4.19.6

   - SUSE OpenStack Cloud 8 (x86_64):

      postgresql10-10.18-4.19.6
      postgresql10-contrib-10.18-4.19.6
      postgresql10-contrib-debuginfo-10.18-4.19.6
      postgresql10-debuginfo-10.18-4.19.6
      postgresql10-debugsource-10.18-4.19.6
      postgresql10-plperl-10.18-4.19.6
      postgresql10-plperl-debuginfo-10.18-4.19.6
      postgresql10-plpython-10.18-4.19.6
      postgresql10-plpython-debuginfo-10.18-4.19.6
      postgresql10-pltcl-10.18-4.19.6
      postgresql10-pltcl-debuginfo-10.18-4.19.6
      postgresql10-server-10.18-4.19.6
      postgresql10-server-debuginfo-10.18-4.19.6

   - SUSE OpenStack Cloud 8 (noarch):

      postgresql10-docs-10.18-4.19.6

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      postgresql10-debugsource-10.18-4.19.6
      postgresql10-devel-10.18-4.19.6
      postgresql10-devel-debuginfo-10.18-4.19.6

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      postgresql10-10.18-4.19.6
      postgresql10-contrib-10.18-4.19.6
      postgresql10-contrib-debuginfo-10.18-4.19.6
      postgresql10-debuginfo-10.18-4.19.6
      postgresql10-debugsource-10.18-4.19.6
      postgresql10-plperl-10.18-4.19.6
      postgresql10-plperl-debuginfo-10.18-4.19.6
      postgresql10-plpython-10.18-4.19.6
      postgresql10-plpython-debuginfo-10.18-4.19.6
      postgresql10-pltcl-10.18-4.19.6
      postgresql10-pltcl-debuginfo-10.18-4.19.6
      postgresql10-server-10.18-4.19.6
      postgresql10-server-debuginfo-10.18-4.19.6

   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):

      postgresql10-docs-10.18-4.19.6

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      postgresql10-10.18-4.19.6
      postgresql10-contrib-10.18-4.19.6
      postgresql10-contrib-debuginfo-10.18-4.19.6
      postgresql10-debuginfo-10.18-4.19.6
      postgresql10-debugsource-10.18-4.19.6
      postgresql10-plperl-10.18-4.19.6
      postgresql10-plperl-debuginfo-10.18-4.19.6
      postgresql10-plpython-10.18-4.19.6
      postgresql10-plpython-debuginfo-10.18-4.19.6
      postgresql10-pltcl-10.18-4.19.6
      postgresql10-pltcl-debuginfo-10.18-4.19.6
      postgresql10-server-10.18-4.19.6
      postgresql10-server-debuginfo-10.18-4.19.6

   - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

      postgresql10-docs-10.18-4.19.6

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      postgresql10-10.18-4.19.6
      postgresql10-contrib-10.18-4.19.6
      postgresql10-contrib-debuginfo-10.18-4.19.6
      postgresql10-debuginfo-10.18-4.19.6
      postgresql10-debugsource-10.18-4.19.6
      postgresql10-plperl-10.18-4.19.6
      postgresql10-plperl-debuginfo-10.18-4.19.6
      postgresql10-plpython-10.18-4.19.6
      postgresql10-plpython-debuginfo-10.18-4.19.6
      postgresql10-pltcl-10.18-4.19.6
      postgresql10-pltcl-debuginfo-10.18-4.19.6
      postgresql10-server-10.18-4.19.6
      postgresql10-server-debuginfo-10.18-4.19.6

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      postgresql10-docs-10.18-4.19.6

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      postgresql10-10.18-4.19.6
      postgresql10-contrib-10.18-4.19.6
      postgresql10-contrib-debuginfo-10.18-4.19.6
      postgresql10-debuginfo-10.18-4.19.6
      postgresql10-debugsource-10.18-4.19.6
      postgresql10-plperl-10.18-4.19.6
      postgresql10-plperl-debuginfo-10.18-4.19.6
      postgresql10-plpython-10.18-4.19.6
      postgresql10-plpython-debuginfo-10.18-4.19.6
      postgresql10-pltcl-10.18-4.19.6
      postgresql10-pltcl-debuginfo-10.18-4.19.6
      postgresql10-server-10.18-4.19.6
      postgresql10-server-debuginfo-10.18-4.19.6

   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):

      postgresql10-docs-10.18-4.19.6

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      postgresql10-10.18-4.19.6
      postgresql10-contrib-10.18-4.19.6
      postgresql10-contrib-debuginfo-10.18-4.19.6
      postgresql10-debuginfo-10.18-4.19.6
      postgresql10-debugsource-10.18-4.19.6
      postgresql10-plperl-10.18-4.19.6
      postgresql10-plperl-debuginfo-10.18-4.19.6
      postgresql10-plpython-10.18-4.19.6
      postgresql10-plpython-debuginfo-10.18-4.19.6
      postgresql10-pltcl-10.18-4.19.6
      postgresql10-pltcl-debuginfo-10.18-4.19.6
      postgresql10-server-10.18-4.19.6
      postgresql10-server-debuginfo-10.18-4.19.6

   - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

      postgresql10-docs-10.18-4.19.6

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      postgresql10-10.18-4.19.6
      postgresql10-contrib-10.18-4.19.6
      postgresql10-contrib-debuginfo-10.18-4.19.6
      postgresql10-debuginfo-10.18-4.19.6
      postgresql10-debugsource-10.18-4.19.6
      postgresql10-plperl-10.18-4.19.6
      postgresql10-plperl-debuginfo-10.18-4.19.6
      postgresql10-plpython-10.18-4.19.6
      postgresql10-plpython-debuginfo-10.18-4.19.6
      postgresql10-pltcl-10.18-4.19.6
      postgresql10-pltcl-debuginfo-10.18-4.19.6
      postgresql10-server-10.18-4.19.6
      postgresql10-server-debuginfo-10.18-4.19.6

   - SUSE Linux Enterprise Server 12-SP3-BCL (noarch):

      postgresql10-docs-10.18-4.19.6

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      postgresql10-10.18-4.19.6
      postgresql10-contrib-10.18-4.19.6
      postgresql10-contrib-debuginfo-10.18-4.19.6
      postgresql10-debuginfo-10.18-4.19.6
      postgresql10-debugsource-10.18-4.19.6
      postgresql10-plperl-10.18-4.19.6
      postgresql10-plperl-debuginfo-10.18-4.19.6
      postgresql10-plpython-10.18-4.19.6
      postgresql10-plpython-debuginfo-10.18-4.19.6
      postgresql10-pltcl-10.18-4.19.6
      postgresql10-pltcl-debuginfo-10.18-4.19.6
      postgresql10-server-10.18-4.19.6
      postgresql10-server-debuginfo-10.18-4.19.6

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      postgresql10-docs-10.18-4.19.6

   - HPE Helion Openstack 8 (x86_64):

      postgresql10-10.18-4.19.6
      postgresql10-contrib-10.18-4.19.6
      postgresql10-contrib-debuginfo-10.18-4.19.6
      postgresql10-debuginfo-10.18-4.19.6
      postgresql10-debugsource-10.18-4.19.6
      postgresql10-plperl-10.18-4.19.6
      postgresql10-plperl-debuginfo-10.18-4.19.6
      postgresql10-plpython-10.18-4.19.6
      postgresql10-plpython-debuginfo-10.18-4.19.6
      postgresql10-pltcl-10.18-4.19.6
      postgresql10-pltcl-debuginfo-10.18-4.19.6
      postgresql10-server-10.18-4.19.6
      postgresql10-server-debuginfo-10.18-4.19.6

   - HPE Helion Openstack 8 (noarch):

      postgresql10-docs-10.18-4.19.6

References:

   https://www.suse.com/security/cve/CVE-2021-32027.html
   https://www.suse.com/security/cve/CVE-2021-32028.html
   https://bugzilla.suse.com/1178961
   https://bugzilla.suse.com/1179765
   https://bugzilla.suse.com/1179945
   https://bugzilla.suse.com/1183118
   https://bugzilla.suse.com/1183168
   https://bugzilla.suse.com/1185924
   https://bugzilla.suse.com/1185925
   https://bugzilla.suse.com/1185952
   https://bugzilla.suse.com/1187751
   https://bugzilla.suse.com/1190177

From sle-security-updates at lists.suse.com  Wed Oct 20 19:19:36 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Oct 2021 21:19:36 +0200 (CEST)
Subject: SUSE-SU-2021:3485-1: moderate: Security update for squid
Message-ID: <20211020191936.E6D3AF432@maintenance.suse.de>

   SUSE Security Update: Security update for squid
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3485-1
Rating:             moderate
References:         #1189403
Cross-References:   CVE-2021-28116
CVSS scores:
                    CVE-2021-28116 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2021-28116 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP3
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for squid fixes the following issues:

   Update to version 4.17:

   - CVE-2021-28116: Fixed an out-of-bounds read in the WCCP protocol (bsc#1189403).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-3485=1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-3485=1

Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64):

      squid-4.17-5.29.1
      squid-debuginfo-4.17-5.29.1
      squid-debugsource-4.17-5.29.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      squid-4.17-5.29.1
      squid-debuginfo-4.17-5.29.1
      squid-debugsource-4.17-5.29.1

References:

   https://www.suse.com/security/cve/CVE-2021-28116.html
   https://bugzilla.suse.com/1189403

From sle-security-updates at lists.suse.com  Wed Oct 20 19:22:12 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Oct 2021 21:22:12 +0200 (CEST)
Subject: SUSE-SU-2021:3487-1: moderate: Security update for go1.16
Message-ID: <20211020192212.48FADF432@maintenance.suse.de>

   SUSE Security Update: Security update for go1.16
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3487-1
Rating:             moderate
References:         #1182345 #1191468
Cross-References:   CVE-2021-38297
CVSS scores:
                    CVE-2021-38297 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15-SP3
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for go1.16 fixes the following issues:

   Update to go1.16.9

   - CVE-2021-38297: misc/wasm, cmd/link: do not let command line args overwrite
     global data (bsc#1191468)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Development Tools 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-3487=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-3487=1

Package List:

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64):

      go1.16-1.16.9-1.29.1
      go1.16-doc-1.16.9-1.29.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 x86_64):

      go1.16-race-1.16.9-1.29.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):

      go1.16-1.16.9-1.29.1
      go1.16-doc-1.16.9-1.29.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64):

      go1.16-race-1.16.9-1.29.1

References:

   https://www.suse.com/security/cve/CVE-2021-38297.html
   https://bugzilla.suse.com/1182345
   https://bugzilla.suse.com/1191468

From sle-security-updates at lists.suse.com  Wed Oct 20 19:26:45 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Oct 2021 21:26:45 +0200 (CEST)
Subject: SUSE-SU-2021:3486-1: moderate: Security update for python36
Message-ID: <20211020192645.B6C58F476@maintenance.suse.de>

   SUSE Security Update: Security update for python36
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3486-1
Rating:             moderate
References:         #1180125 #1183374 #1183858 #1185588 #1189241 #1189287
Cross-References:   CVE-2021-3426 CVE-2021-3733 CVE-2021-3737
CVSS scores:
                    CVE-2021-3426 (NVD) : 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-3426 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-3733 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2021-3737 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that solves three vulnerabilities and has three fixes is now available.

Description:

   This update for python36 fixes the following issues:

   - Update to 3.6.15:
     - CVE-2021-3737: Fixed a DoS caused by infinitely reading potential HTTP headers
       after a 100 Continue status response from the server. (bsc#1189241)
     - CVE-2021-3426: Fixed an information disclosure via pydoc. (bsc#1183374)
     - CVE-2021-3733: Fixed a ReDoS in urllib.request. (bsc#1189287)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3486=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libpython3_6m1_0-3.6.15-11.1 libpython3_6m1_0-debuginfo-3.6.15-11.1 python36-3.6.15-11.1 python36-base-3.6.15-11.1 python36-base-debuginfo-3.6.15-11.1 python36-debuginfo-3.6.15-11.1 python36-debugsource-3.6.15-11.1 References: https://www.suse.com/security/cve/CVE-2021-3426.html https://www.suse.com/security/cve/CVE-2021-3733.html https://www.suse.com/security/cve/CVE-2021-3737.html https://bugzilla.suse.com/1180125 https://bugzilla.suse.com/1183374 https://bugzilla.suse.com/1183858 https://bugzilla.suse.com/1185588 https://bugzilla.suse.com/1189241 https://bugzilla.suse.com/1189287 From sle-security-updates at lists.suse.com Wed Oct 20 19:33:00 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 20 Oct 2021 21:33:00 +0200 (CEST) Subject: SUSE-SU-2021:3493-1: moderate: Security update for fetchmail Message-ID: <20211020193300.E0C6CF476@maintenance.suse.de> SUSE Security Update: Security update for fetchmail ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3493-1 Rating: moderate References: #1190069 Cross-References: CVE-2021-39272 CVSS scores: CVE-2021-39272 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP3 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description:

   This update for fetchmail fixes the following issues:

   - CVE-2021-39272: Fix failure to enforce STARTTLS session encryption in some
     circumstances, such as a certain situation with IMAP and PREAUTH.
     (bsc#1190069)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-3493=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-3493=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3493=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3493=1

Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):

      fetchmail-debuginfo-6.3.26-20.17.1
      fetchmail-debugsource-6.3.26-20.17.1
      fetchmailconf-6.3.26-20.17.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      fetchmail-debuginfo-6.3.26-20.17.1
      fetchmail-debugsource-6.3.26-20.17.1
      fetchmailconf-6.3.26-20.17.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      fetchmail-6.3.26-20.17.1
      fetchmail-debuginfo-6.3.26-20.17.1
      fetchmail-debugsource-6.3.26-20.17.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      fetchmail-6.3.26-20.17.1
      fetchmail-debuginfo-6.3.26-20.17.1
      fetchmail-debugsource-6.3.26-20.17.1

References:

   https://www.suse.com/security/cve/CVE-2021-39272.html
   https://bugzilla.suse.com/1190069

From sle-security-updates at lists.suse.com  Wed Oct 20 19:37:17 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Oct 2021 21:37:17 +0200 (CEST)
Subject: SUSE-SU-2021:3484-1: Security update for git
Message-ID: <20211020193717.E2C9AF476@maintenance.suse.de>

   SUSE Security Update: Security update for git
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3484-1
Rating:             low
References:         #1189992
Cross-References:   CVE-2021-40330
CVSS scores:
                    CVE-2021-40330 (SUSE): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products:
                    SUSE OpenStack Cloud 8
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for git fixes the following issues:

   - CVE-2021-40330: Fixed unexpected cross-protocol requests caused by a
     newline character in the repository path handled by git_connect_git
     (bsc#1189992).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-3484=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3484=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3484=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2021-3484=1

Package List:

   - SUSE OpenStack Cloud 8 (x86_64):

      git-2.26.2-27.49.3
      git-debugsource-2.26.2-27.49.3

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      git-2.26.2-27.49.3
      git-arch-2.26.2-27.49.3
      git-core-2.26.2-27.49.3
      git-core-debuginfo-2.26.2-27.49.3
      git-cvs-2.26.2-27.49.3
      git-daemon-2.26.2-27.49.3
      git-daemon-debuginfo-2.26.2-27.49.3
      git-debugsource-2.26.2-27.49.3
      git-email-2.26.2-27.49.3
      git-gui-2.26.2-27.49.3
      git-svn-2.26.2-27.49.3
      git-svn-debuginfo-2.26.2-27.49.3
      git-web-2.26.2-27.49.3
      gitk-2.26.2-27.49.3

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):

      git-doc-2.26.2-27.49.3

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      git-2.26.2-27.49.3
      git-core-2.26.2-27.49.3
      git-core-debuginfo-2.26.2-27.49.3
      git-cvs-2.26.2-27.49.3
      git-daemon-2.26.2-27.49.3
      git-daemon-debuginfo-2.26.2-27.49.3
      git-debugsource-2.26.2-27.49.3
      git-email-2.26.2-27.49.3
      git-gui-2.26.2-27.49.3
      git-svn-2.26.2-27.49.3
      git-web-2.26.2-27.49.3
      gitk-2.26.2-27.49.3

   - HPE Helion Openstack 8 (x86_64):

      git-2.26.2-27.49.3
      git-debugsource-2.26.2-27.49.3

References:

   https://www.suse.com/security/cve/CVE-2021-40330.html
   https://bugzilla.suse.com/1189992

From sle-security-updates at lists.suse.com  Wed Oct 20 19:41:34 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Oct 2021 21:41:34 +0200 (CEST)
Subject: SUSE-SU-2021:3489-1: moderate: Security update for python
Message-ID: <20211020194134.7EE4CFD2D@maintenance.suse.de>

   SUSE Security Update: Security update for python
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3489-1
Rating:             moderate
References:         #1189241 #1189287
Cross-References:   CVE-2021-3733 CVE-2021-3737
CVSS scores:
                    CVE-2021-3733 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2021-3737 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Module for Python2 15-SP3
                    SUSE Linux Enterprise Module for Python2 15-SP2
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP3
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for python fixes the following issues:

   - CVE-2021-3737: Fixed infinite line reading in the HTTP client (DoS) after
     an HTTP 100 response. (bsc#1189241)
   - CVE-2021-3733: Fixed a ReDoS in urllib.request. (bsc#1189287)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
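   The python36 advisory above (SUSE-SU-2021:3486-1) and this one both ship the
   fix for CVE-2021-3737: before it, http.client kept reading header lines after
   a "100 Continue" interim response for as long as the server cared to send them,
   so a hostile server could pin a client forever. The probe below is an added
   example for this digest, not SUSE's or CPython's code: it starts a throw-away
   local server that answers "100 Continue" and then streams padding headers, and
   reports whether the interpreter it runs under gives up. Fixed interpreters stop
   at http.client's _MAXHEADERS limit of 100 and raise
   HTTPException("got more than 100 headers"); the X-Padding header name, the
   20,000-line bound and the timeouts are the example's own choices.

```python
"""Probe whether this interpreter's http.client caps the headers it skips after a
'100 Continue' interim response (CVE-2021-3737).

A malicious server is emulated on loopback: it answers '100 Continue' and then
streams header lines without ever sending the real status line.  A fixed client
raises after 100 header lines; an unfixed one reads until the server stops.
Added example, not part of the SUSE advisory or of CPython.
"""
import http.client
import socket
import threading

HEADER_LINES = 20_000      # bounded so the probe also terminates on an unfixed client
TIMEOUT = 10.0             # seconds; an unfixed client that hangs longer is reported too


def _evil_server(listener: socket.socket) -> None:
    """Accept one connection, swallow the request head, then flood headers."""
    try:
        conn, _ = listener.accept()
    except OSError:
        return                      # listener closed or timed out: client never came
    conn.settimeout(TIMEOUT)
    try:
        buf = b""
        while b"\r\n\r\n" not in buf:         # read the request head, ignore its body
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
        conn.sendall(b"HTTP/1.1 100 Continue\r\n")
        for n in range(HEADER_LINES):
            # never send the blank line that ends the header block
            conn.sendall(b"X-Padding-%d: a\r\n" % n)
    except OSError:
        pass                        # client hung up: a fixed client does this early
    finally:
        conn.close()


def probe_100_continue_header_flood() -> str:
    """Return 'fixed' if http.client rejects the flood with its header-count error,
    'vulnerable' if it drained the whole flood or timed out."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(TIMEOUT)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_evil_server, args=(listener,), daemon=True)
    server.start()

    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=TIMEOUT)
    try:
        conn.request("POST", "/upload", body=b"payload",
                     headers={"Expect": "100-continue"})
        conn.getresponse()          # a real response can never arrive here
        verdict = "vulnerable"
    except http.client.HTTPException as exc:
        # fixed: HTTPException("got more than 100 headers") from _read_headers();
        # unfixed: RemoteDisconnected once the bounded flood ends (also HTTPException)
        verdict = "fixed" if "more than" in str(exc) else "vulnerable"
    except socket.timeout:
        verdict = "vulnerable"
    finally:
        conn.close()
        listener.close()
        server.join(TIMEOUT)
    return verdict


if __name__ == "__main__":
    import sys
    print(sys.version.split()[0], "http.client 100-continue header cap:",
          probe_100_continue_header_flood())
```

   Run it with the interpreter you are checking (for instance the python36
   binary on a 12-SP5 host before and after installing python36-3.6.15-11.1).
   "vulnerable" means the client either drained the bounded flood and only then
   failed on the closed connection, or hit the socket timeout; a real attacker
   would not stop at 20,000 lines.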
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Python2 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Python2-15-SP3-2021-3489=1

   - SUSE Linux Enterprise Module for Python2 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2021-3489=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-3489=1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-3489=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3489=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3489=1

Package List:

   - SUSE Linux Enterprise Module for Python2 15-SP3 (aarch64 ppc64le s390x x86_64):

      python-base-debuginfo-2.7.18-33.1
      python-base-debugsource-2.7.18-33.1
      python-curses-2.7.18-33.1
      python-curses-debuginfo-2.7.18-33.1
      python-debuginfo-2.7.18-33.1
      python-debugsource-2.7.18-33.1
      python-devel-2.7.18-33.1
      python-gdbm-2.7.18-33.1
      python-gdbm-debuginfo-2.7.18-33.1
      python-xml-2.7.18-33.1
      python-xml-debuginfo-2.7.18-33.1

   - SUSE Linux Enterprise Module for Python2 15-SP2 (aarch64 ppc64le s390x x86_64):

      python-base-debuginfo-2.7.18-33.1
      python-base-debugsource-2.7.18-33.1
      python-curses-2.7.18-33.1
      python-curses-debuginfo-2.7.18-33.1
      python-debuginfo-2.7.18-33.1
      python-debugsource-2.7.18-33.1
      python-devel-2.7.18-33.1
      python-gdbm-2.7.18-33.1
      python-gdbm-debuginfo-2.7.18-33.1
      python-xml-2.7.18-33.1
      python-xml-debuginfo-2.7.18-33.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):

      python-debuginfo-2.7.18-33.1
      python-debugsource-2.7.18-33.1
      python-tk-2.7.18-33.1
      python-tk-debuginfo-2.7.18-33.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      python-debuginfo-2.7.18-33.1
      python-debugsource-2.7.18-33.1
      python-tk-2.7.18-33.1
      python-tk-debuginfo-2.7.18-33.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      libpython2_7-1_0-2.7.18-33.1
      libpython2_7-1_0-debuginfo-2.7.18-33.1
      python-2.7.18-33.1
      python-base-2.7.18-33.1
      python-base-debuginfo-2.7.18-33.1
      python-base-debugsource-2.7.18-33.1
      python-debuginfo-2.7.18-33.1
      python-debugsource-2.7.18-33.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      libpython2_7-1_0-2.7.18-33.1
      libpython2_7-1_0-debuginfo-2.7.18-33.1
      python-2.7.18-33.1
      python-base-2.7.18-33.1
      python-base-debuginfo-2.7.18-33.1
      python-base-debugsource-2.7.18-33.1
      python-debuginfo-2.7.18-33.1
      python-debugsource-2.7.18-33.1

References:

   https://www.suse.com/security/cve/CVE-2021-3733.html
   https://www.suse.com/security/cve/CVE-2021-3737.html
   https://bugzilla.suse.com/1189241
   https://bugzilla.suse.com/1189287

From sle-security-updates at lists.suse.com  Wed Oct 20 19:43:09 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Oct 2021 21:43:09 +0200 (CEST)
Subject: SUSE-SU-2021:3492-1: moderate: Security update for fetchmail
Message-ID: <20211020194309.46063F476@maintenance.suse.de>

   SUSE Security Update: Security update for fetchmail
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3492-1
Rating:             moderate
References:         #1190069
Cross-References:   CVE-2021-39272
CVSS scores:
                    CVE-2021-39272 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for fetchmail fixes the following issues:

   - CVE-2021-39272: Fix failure to enforce STARTTLS session encryption in some
     circumstances, such as a certain situation with IMAP and PREAUTH.
     (bsc#1190069)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3492=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      fetchmail-6.3.26-13.15.1
      fetchmail-debuginfo-6.3.26-13.15.1
      fetchmail-debugsource-6.3.26-13.15.1
      fetchmailconf-6.3.26-13.15.1

References:

   https://www.suse.com/security/cve/CVE-2021-39272.html
   https://bugzilla.suse.com/1190069

From sle-security-updates at lists.suse.com  Wed Oct 20 19:44:36 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Oct 2021 21:44:36 +0200 (CEST)
Subject: SUSE-SU-2021:3490-1: moderate: Security update for ncurses
Message-ID: <20211020194436.9DA02F476@maintenance.suse.de>

   SUSE Security Update: Security update for ncurses
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3490-1
Rating:             moderate
References:         #1190793
Cross-References:   CVE-2021-39537
CVSS scores:
                    CVE-2021-39537 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE MicroOS 5.1
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Legacy Software 15-SP3
                    SUSE Linux Enterprise Module for Legacy Software 15-SP2
                    SUSE Linux Enterprise Module for Development Tools 15-SP3
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for ncurses fixes the following issues:

   - CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo.
     (bsc#1190793)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.1:

      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3490=1

   - SUSE MicroOS 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3490=1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Legacy-15-SP3-2021-3490=1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2021-3490=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-3490=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-3490=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3490=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3490=1

Package List:

   - SUSE MicroOS 5.1 (aarch64 s390x x86_64):

      libncurses6-6.1-5.9.1
      libncurses6-debuginfo-6.1-5.9.1
      ncurses-debugsource-6.1-5.9.1
      ncurses-utils-6.1-5.9.1
      ncurses-utils-debuginfo-6.1-5.9.1
      terminfo-6.1-5.9.1
      terminfo-base-6.1-5.9.1

   - SUSE MicroOS 5.0 (aarch64 x86_64):

      libncurses6-6.1-5.9.1
      libncurses6-debuginfo-6.1-5.9.1
      ncurses-debugsource-6.1-5.9.1
      ncurses-utils-6.1-5.9.1
      ncurses-utils-debuginfo-6.1-5.9.1
      terminfo-6.1-5.9.1
      terminfo-base-6.1-5.9.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP3 (aarch64 ppc64le s390x x86_64):

      libncurses5-6.1-5.9.1
      libncurses5-debuginfo-6.1-5.9.1
      ncurses-debugsource-6.1-5.9.1
      ncurses5-devel-6.1-5.9.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP3 (x86_64):

      libncurses5-32bit-6.1-5.9.1
      libncurses5-32bit-debuginfo-6.1-5.9.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (aarch64 ppc64le s390x x86_64):
      libncurses5-6.1-5.9.1
      libncurses5-debuginfo-6.1-5.9.1
      ncurses-debugsource-6.1-5.9.1
      ncurses5-devel-6.1-5.9.1

   - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (x86_64):

      libncurses5-32bit-6.1-5.9.1
      libncurses5-32bit-debuginfo-6.1-5.9.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (x86_64):

      ncurses-debugsource-6.1-5.9.1
      ncurses-devel-32bit-6.1-5.9.1
      ncurses-devel-32bit-debuginfo-6.1-5.9.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (x86_64):

      ncurses-debugsource-6.1-5.9.1
      ncurses-devel-32bit-6.1-5.9.1
      ncurses-devel-32bit-debuginfo-6.1-5.9.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      libncurses6-6.1-5.9.1
      libncurses6-debuginfo-6.1-5.9.1
      ncurses-debugsource-6.1-5.9.1
      ncurses-devel-6.1-5.9.1
      ncurses-devel-debuginfo-6.1-5.9.1
      ncurses-utils-6.1-5.9.1
      ncurses-utils-debuginfo-6.1-5.9.1
      tack-6.1-5.9.1
      tack-debuginfo-6.1-5.9.1
      terminfo-6.1-5.9.1
      terminfo-base-6.1-5.9.1
      terminfo-iterm-6.1-5.9.1
      terminfo-screen-6.1-5.9.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):

      libncurses6-32bit-6.1-5.9.1
      libncurses6-32bit-debuginfo-6.1-5.9.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      libncurses6-6.1-5.9.1
      libncurses6-debuginfo-6.1-5.9.1
      ncurses-debugsource-6.1-5.9.1
      ncurses-devel-6.1-5.9.1
      ncurses-devel-debuginfo-6.1-5.9.1
      ncurses-utils-6.1-5.9.1
      ncurses-utils-debuginfo-6.1-5.9.1
      tack-6.1-5.9.1
      tack-debuginfo-6.1-5.9.1
      terminfo-6.1-5.9.1
      terminfo-base-6.1-5.9.1
      terminfo-iterm-6.1-5.9.1
      terminfo-screen-6.1-5.9.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):

      libncurses6-32bit-6.1-5.9.1
      libncurses6-32bit-debuginfo-6.1-5.9.1

References:

   https://www.suse.com/security/cve/CVE-2021-39537.html
   https://bugzilla.suse.com/1190793

From sle-security-updates at lists.suse.com  Wed Oct 20 19:50:29 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Oct 2021 21:50:29 +0200 (CEST)
Subject: SUSE-SU-2021:3488-1: moderate: Security update for go1.17
Message-ID: <20211020195029.F1E88F476@maintenance.suse.de>

   SUSE Security Update: Security update for go1.17
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3488-1
Rating:             moderate
References:         #1190649 #1191468
Cross-References:   CVE-2021-38297
CVSS scores:
                    CVE-2021-38297 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15-SP3
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
______________________________________________________________________________

   An update that solves one vulnerability and has one erratum is now available.

Description:

   This update for go1.17 fixes the following issues:

   Update to go1.17.2

   - CVE-2021-38297: misc/wasm, cmd/link: do not let command line args
     overwrite global data (bsc#1191468)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Development Tools 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2021-3488=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2021-3488=1

Package List:

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 ppc64le s390x x86_64):

      go1.17-1.17.2-1.6.2
      go1.17-doc-1.17.2-1.6.2

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (aarch64 x86_64):

      go1.17-race-1.17.2-1.6.2

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 ppc64le s390x x86_64):

      go1.17-1.17.2-1.6.2
      go1.17-doc-1.17.2-1.6.2

   - SUSE Linux Enterprise Module for Development Tools 15-SP2 (aarch64 x86_64):

      go1.17-race-1.17.2-1.6.2

References:

   https://www.suse.com/security/cve/CVE-2021-38297.html
   https://bugzilla.suse.com/1190649
   https://bugzilla.suse.com/1191468

From sle-security-updates at lists.suse.com  Wed Oct 20 19:56:50 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 20 Oct 2021 21:56:50 +0200 (CEST)
Subject: SUSE-SU-2021:3491-1: moderate: Security update for ncurses
Message-ID: <20211020195650.C72BAF476@maintenance.suse.de>

   SUSE Security Update: Security update for ncurses
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3491-1
Rating:             moderate
References:         #1190793
Cross-References:   CVE-2021-39537
CVSS scores:
                    CVE-2021-39537 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for ncurses fixes the following issues:

   - CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo.
     (bsc#1190793)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3491=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3491=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      ncurses-debugsource-5.9-75.1
      ncurses-devel-5.9-75.1
      ncurses-devel-debuginfo-5.9-75.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      libncurses5-5.9-75.1
      libncurses5-debuginfo-5.9-75.1
      libncurses6-5.9-75.1
      libncurses6-debuginfo-5.9-75.1
      ncurses-debugsource-5.9-75.1
      ncurses-devel-5.9-75.1
      ncurses-devel-debuginfo-5.9-75.1
      ncurses-utils-5.9-75.1
      ncurses-utils-debuginfo-5.9-75.1
      tack-5.9-75.1
      tack-debuginfo-5.9-75.1
      terminfo-5.9-75.1
      terminfo-base-5.9-75.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libncurses5-32bit-5.9-75.1
      libncurses5-debuginfo-32bit-5.9-75.1
      libncurses6-32bit-5.9-75.1
      libncurses6-debuginfo-32bit-5.9-75.1
      ncurses-devel-32bit-5.9-75.1
      ncurses-devel-debuginfo-32bit-5.9-75.1

References:

   https://www.suse.com/security/cve/CVE-2021-39537.html
   https://bugzilla.suse.com/1190793

From sle-security-updates at lists.suse.com  Thu Oct 21 07:01:22 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 Oct 2021 09:01:22 +0200 (CEST)
Subject: SUSE-CU-2021:423-1: Security update of suse/sles12sp3
Message-ID: <20211021070122.6BB87FEA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp3
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:423-1
Container Tags        : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.315 , suse/sles12sp3:latest
Container Release     : 24.315
Severity              : moderate
Type                  : security
References            : 1190793 CVE-2021-39537
-----------------------------------------------------------------

The container suse/sles12sp3 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3491-1
Released:    Wed Oct 20 16:37:15 2021
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1190793,CVE-2021-39537
This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

From sle-security-updates at lists.suse.com  Thu Oct 21 07:25:47 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 Oct 2021 09:25:47 +0200 (CEST)
Subject: SUSE-CU-2021:427-1: Security update of suse/sles12sp4
Message-ID: <20211021072547.74AE5FEB7@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp4
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:427-1
Container Tags        : suse/sles12sp4:26.362 , suse/sles12sp4:latest
Container Release     : 26.362
Severity              : moderate
Type                  : security
References            : 1190793 CVE-2021-39537
-----------------------------------------------------------------

The container suse/sles12sp4 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3491-1
Released:    Wed Oct 20 16:37:15 2021
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1190793,CVE-2021-39537
This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo.
  (bsc#1190793)

From sle-security-updates at lists.suse.com  Thu Oct 21 07:44:11 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 Oct 2021 09:44:11 +0200 (CEST)
Subject: SUSE-CU-2021:428-1: Security update of suse/sles12sp5
Message-ID: <20211021074411.712A3FEB4@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:428-1
Container Tags        : suse/sles12sp5:6.5.244 , suse/sles12sp5:latest
Container Release     : 6.5.244
Severity              : moderate
Type                  : security
References            : 1178236 1188921 CVE-2021-37600
-----------------------------------------------------------------

The container suse/sles12sp5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3475-1
Released:    Wed Oct 20 08:41:48 2021
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1178236,1188921,CVE-2021-37600
This update for util-linux fixes the following issues:

- CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow
  in get_sem_elements() in sys-utils/ipcutils.c.
  (bsc#1188921)

From sle-security-updates at lists.suse.com  Thu Oct 21 07:44:25 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 Oct 2021 09:44:25 +0200 (CEST)
Subject: SUSE-CU-2021:429-1: Security update of suse/sles12sp5
Message-ID: <20211021074425.B2A74FEB4@maintenance.suse.de>

SUSE Container Update Advisory: suse/sles12sp5
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:429-1
Container Tags        : suse/sles12sp5:6.5.245 , suse/sles12sp5:latest
Container Release     : 6.5.245
Severity              : moderate
Type                  : security
References            : 1190793 CVE-2021-39537
-----------------------------------------------------------------

The container suse/sles12sp5 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3491-1
Released:    Wed Oct 20 16:37:15 2021
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1190793,CVE-2021-39537
This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

From sle-security-updates at lists.suse.com  Thu Oct 21 08:19:37 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 Oct 2021 10:19:37 +0200 (CEST)
Subject: SUSE-CU-2021:431-1: Security update of suse/sle15
Message-ID: <20211021081937.70228FEA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:431-1
Container Tags        : suse/sle15:15.0 , suse/sle15:15.0.4.22.465
Container Release     : 4.22.465
Severity              : moderate
Type                  : security
References            : 1190052 1190793 CVE-2021-39537
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3490-1
Released:    Wed Oct 20 16:31:55 2021
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1190793,CVE-2021-39537
This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3494-1
Released:    Wed Oct 20 16:48:46 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1190052
This update for pam fixes the following issues:

- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)

From sle-security-updates at lists.suse.com  Thu Oct 21 08:47:37 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 Oct 2021 10:47:37 +0200 (CEST)
Subject: SUSE-CU-2021:433-1: Security update of suse/sle15
Message-ID: <20211021084737.9F047FEA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:433-1
Container Tags        : suse/sle15:15.1 , suse/sle15:15.1.6.2.520
Container Release     : 6.2.520
Severity              : moderate
Type                  : security
References            : 1190052 1190793 CVE-2021-39537
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3490-1
Released:    Wed Oct 20 16:31:55 2021
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1190793,CVE-2021-39537
This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3494-1
Released:    Wed Oct 20 16:48:46 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1190052
This update for pam fixes the following issues:

- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)

From sle-security-updates at lists.suse.com  Thu Oct 21 09:06:51 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 Oct 2021 11:06:51 +0200 (CEST)
Subject: SUSE-CU-2021:435-1: Security update of suse/sle15
Message-ID: <20211021090651.CD1DAFEA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:435-1
Container Tags        : suse/sle15:15.2 , suse/sle15:15.2.9.5.34
Container Release     : 9.5.34
Severity              : moderate
Type                  : security
References            : 1190052 1190793 CVE-2021-39537
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3490-1
Released:    Wed Oct 20 16:31:55 2021
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1190793,CVE-2021-39537
This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3494-1
Released:    Wed Oct 20 16:48:46 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1190052
This update for pam fixes the following issues:

- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)

From sle-security-updates at lists.suse.com  Thu Oct 21 09:07:38 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 Oct 2021 11:07:38 +0200 (CEST)
Subject: SUSE-CU-2021:437-1: Security update of bci/golang
Message-ID: <20211021090738.BEF90FEA9@maintenance.suse.de>

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:437-1
Container Tags        : bci/golang:1.16
Container Release     : 4.7
Severity              : moderate
Type                  : security
References            : 1178236 1182345 1185016 1185524 1186910 1187270 1187512
                        1188344 1188921 1190052 1190645 1190739 1190793 1190915
                        1190933 1191468 CVE-2021-37600 CVE-2021-38297 CVE-2021-39537
-----------------------------------------------------------------

The container bci/golang was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3474-1
Released:    Wed Oct 20 08:41:31 2021
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1178236,1188921,CVE-2021-37600
This update for util-linux fixes the following issues:

- CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow
  in get_sem_elements() in sys-utils/ipcutils.c. (bsc#1188921)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3480-1
Released:    Wed Oct 20 11:24:10 2021
Summary:     Recommended update for yast2-network
Type:        recommended
Severity:    moderate
References:  1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933
This update for yast2-network fixes the following issues:

- Don't crash when the interfaces table contains an unconfigured one (bnc#1190645, bsc#1190915).
- Fix the shown description, using the interface friendly name when it is empty (bsc#1190933).
- Treat alias sections as case-insensitive (bsc#1190739).
- Display the user-defined device name in the devices overview (bnc#1190645).
- Don't crash when aliases in an AutoYaST profile are not defined as a map (bsc#1188344).
- Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
- Fix the desktop file so the control center tooltip is translated (bsc#1187270).
- Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
- Don't crash at the end of installation when storing the wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).
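The container advisories in this digest only say which SUSE-SU advisories went
into an image; to know whether a running host or a pulled image actually carries
a fix you have to compare installed versions with the Package List entries above,
and do it with rpm's own ordering rather than string comparison ("5.9.1" sorts
after "5.10.1" as a string). The script below is an added example, not SUSE
tooling: it re-implements rpm's rpmvercmp() segment comparison (tilde and caret
rules included), parses name-version-release strings as they appear in the
advisories, and reports packages that are installed but still below the fixed
release. The installed-package sample is constructed to look like the output of
`rpm -qa --qf '%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE}\n'` and is not from a
real host; the advisory package lists omit the epoch, which the script assumes
to be 0.

```python
"""Compare installed RPM versions with the fixed versions an advisory lists.

Added example for this advisory digest, not SUSE tooling.  rpmvercmp() below is
a port of the segment comparison in rpm's rpmvercmp(); FIXED_BY_ADVISORY holds
name-version-release strings copied from the Package List sections above.
"""
from typing import Dict, List, Tuple

FIXED_BY_ADVISORY: Dict[str, List[str]] = {   # subset of the lists above; epoch assumed 0
    "SUSE-SU-2021:3486-1": ["libpython3_6m1_0-3.6.15-11.1", "python36-3.6.15-11.1",
                            "python36-base-3.6.15-11.1"],
    "SUSE-SU-2021:3493-1": ["fetchmail-6.3.26-20.17.1", "fetchmailconf-6.3.26-20.17.1"],
    "SUSE-SU-2021:3484-1": ["git-2.26.2-27.49.3", "git-core-2.26.2-27.49.3"],
    "SUSE-SU-2021:3489-1": ["python-2.7.18-33.1", "python-base-2.7.18-33.1"],
    "SUSE-SU-2021:3490-1": ["libncurses6-6.1-5.9.1", "ncurses-utils-6.1-5.9.1"],
    "SUSE-SU-2021:3488-1": ["go1.17-1.17.2-1.6.2"],
}

# Constructed sample, shaped like `rpm -qa --qf '%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE}\n'`
SAMPLE_RPM_QA = """\
python36-base 0 3.6.15 10.3
libpython3_6m1_0 0 3.6.15 10.3
libncurses6 0 6.1 5.6.1
fetchmail 0 6.3.26 20.17.1
git-core 0 2.26.2 27.49.3
go1.17 0 1.17.2 1.6.2
python-base 0 2.7.18 28.6.2
bash 0 4.4 19.6.1
"""


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # anything but alphanumerics, '~' and '^' only separates segments
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":      # tilde sorts before everything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":      # caret: like tilde, but end of string beats it
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        isnum = ca.isdigit()
        take = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and take(a[i]):
            i += 1
        while j < len(b) and take(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:                      # numeric vs. alpha segment: numeric is newer
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1     # whoever still has characters left wins


def evrcmp(x: Tuple[int, str, str], y: Tuple[int, str, str]) -> int:
    """Compare (epoch, version, release) triples the way rpm orders packages."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def parse_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' as printed in the advisories (names may contain '-')."""
    name, ver, rel = nvr.rsplit("-", 2)
    return name, ver, rel


def outstanding(rpm_qa: str, fixed: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (advisory, package, installed V-R, fixed V-R) for installed packages still below the fix."""
    installed = {}
    for line in rpm_qa.splitlines():
        if line.strip():
            name, epoch, ver, rel = line.split()
            installed[name] = (int(epoch), ver, rel)
    result = []
    for advisory, pkgs in fixed.items():
        for nvr in pkgs:
            name, ver, rel = parse_nvr(nvr)
            if name in installed and evrcmp(installed[name], (0, ver, rel)) < 0:
                have = installed[name]
                result.append((advisory, name, f"{have[1]}-{have[2]}", f"{ver}-{rel}"))
    return sorted(result)


if __name__ == "__main__":
    for row in outstanding(SAMPLE_RPM_QA, FIXED_BY_ADVISORY):
        print("%-22s %-20s installed %-16s fixed in %s" % row)
```

Compare only against the advisory for the product the host actually runs:
fetchmail is fixed at 6.3.26-13.15.1 on SLE 12-SP5 (SUSE-SU-2021:3492-1) but at
6.3.26-20.17.1 on the SLE 15 modules (SUSE-SU-2021:3493-1), so a patched 12-SP5
host checked against the SLE 15 list would be flagged although it is current. On
a real host replace SAMPLE_RPM_QA with the rpm query output; for an image, run the
same rpm query inside a throw-away container from that image and feed it in.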
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3487-1
Released:    Wed Oct 20 16:18:28 2021
Summary:     Security update for go1.16
Type:        security
Severity:    moderate
References:  1182345,1191468,CVE-2021-38297
This update for go1.16 fixes the following issues:

Update to go1.16.9

- CVE-2021-38297: misc/wasm, cmd/link: do not let command line args overwrite global data (bsc#1191468)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3490-1
Released:    Wed Oct 20 16:31:55 2021
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1190793,CVE-2021-39537
This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3494-1
Released:    Wed Oct 20 16:48:46 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1190052
This update for pam fixes the following issues:

- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)

From sle-security-updates at lists.suse.com  Thu Oct 21 09:16:19 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 Oct 2021 11:16:19 +0200 (CEST)
Subject: SUSE-CU-2021:447-1: Security update of suse/sle15
Message-ID: <20211021091619.02110FEA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:447-1
Container Tags        : suse/sle15:15.3 , suse/sle15:15.3.17.8.16
Container Release     : 17.8.16
Severity              : moderate
Type                  : security
References            : 1178236 1188921 CVE-2021-37600
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3474-1
Released:    Wed Oct 20 08:41:31 2021
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1178236,1188921,CVE-2021-37600
This update for util-linux fixes the following issues:

- CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c. (bsc#1188921)

From sle-security-updates at lists.suse.com  Thu Oct 21 09:16:42 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 Oct 2021 11:16:42 +0200 (CEST)
Subject: SUSE-CU-2021:449-1: Security update of suse/sle15
Message-ID: <20211021091642.C4C01FEA9@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:449-1
Container Tags        : suse/sle15:15.3 , suse/sle15:15.3.17.8.18
Container Release     : 17.8.18
Severity              : moderate
Type                  : security
References            : 1190052 1190793 CVE-2021-39537
-----------------------------------------------------------------

The container suse/sle15 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3490-1
Released:    Wed Oct 20 16:31:55 2021
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1190793,CVE-2021-39537
This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3494-1
Released:    Wed Oct 20 16:48:46 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1190052
This update for pam fixes the following issues:

- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)

From sle-security-updates at lists.suse.com  Thu Oct 21 19:17:56 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 21 Oct 2021 21:17:56 +0200 (CEST)
Subject: SUSE-SU-2021:3140-2: moderate: Security update for xen
Message-ID: <20211021191756.E448BFEA9@maintenance.suse.de>

   SUSE Security Update: Security update for xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3140-2
Rating:             moderate
References:         #1027519 #1189632
Cross-References:   CVE-2021-28701
CVSS scores:
                    CVE-2021-28701 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE MicroOS 5.1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for xen fixes the following issues:

   - CVE-2021-28701: Fixed race condition in XENMAPSPACE_grant_table handling (XSA-384) (bsc#1189632).
   - Upstream bug fixes (bsc#1027519)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.1:

      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3140=1

Package List:

   - SUSE MicroOS 5.1 (x86_64):

      xen-debugsource-4.14.2_06-3.12.1
      xen-libs-4.14.2_06-3.12.1
      xen-libs-debuginfo-4.14.2_06-3.12.1

References:

   https://www.suse.com/security/cve/CVE-2021-28701.html
   https://bugzilla.suse.com/1027519
   https://bugzilla.suse.com/1189632

From sle-security-updates at lists.suse.com  Fri Oct 22 16:18:02 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 22 Oct 2021 18:18:02 +0200 (CEST)
Subject: SUSE-SU-2021:3502-1: Security update for cairo
Message-ID: <20211022161802.55017FEA9@maintenance.suse.de>

   SUSE Security Update: Security update for cairo
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3502-1
Rating:             low
References:         #1122321
Cross-References:   CVE-2019-6462
CVSS scores:
                    CVE-2019-6462 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2019-6462 (SUSE): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for cairo fixes the following issues:

   - CVE-2019-6462: Fixed a potentially infinite loop (bsc#1122321).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3502=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3502=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      cairo-debugsource-1.15.2-25.6.2
      cairo-devel-1.15.2-25.6.2

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      cairo-debugsource-1.15.2-25.6.2
      libcairo-gobject2-1.15.2-25.6.2
      libcairo-gobject2-debuginfo-1.15.2-25.6.2
      libcairo-script-interpreter2-1.15.2-25.6.2
      libcairo-script-interpreter2-debuginfo-1.15.2-25.6.2
      libcairo2-1.15.2-25.6.2
      libcairo2-debuginfo-1.15.2-25.6.2

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      libcairo-gobject2-32bit-1.15.2-25.6.2
      libcairo-gobject2-debuginfo-32bit-1.15.2-25.6.2
      libcairo2-32bit-1.15.2-25.6.2
      libcairo2-debuginfo-32bit-1.15.2-25.6.2

References:

   https://www.suse.com/security/cve/CVE-2019-6462.html
   https://bugzilla.suse.com/1122321

From sle-security-updates at lists.suse.com  Mon Oct 25 13:19:37 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Mon, 25 Oct 2021 15:19:37 +0200 (CEST)
Subject: SUSE-SU-2021:3506-1: important: Security update for containerd, docker, runc
Message-ID: <20211025131937.52C3CFD0A@maintenance.suse.de>

   SUSE Security Update: Security update for containerd, docker, runc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3506-1
Rating:             important
References:         #1102408 #1185405 #1187704 #1188282 #1190826 #1191015 #1191121 #1191334 #1191355 #1191434
Cross-References:   CVE-2021-30465 CVE-2021-32760 CVE-2021-41089 CVE-2021-41091 CVE-2021-41092 CVE-2021-41103
CVSS scores:
                    CVE-2021-30465 (NVD) : 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-30465 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-32760 (NVD) : 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
                    CVE-2021-32760 (SUSE): 3 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:L
                    CVE-2021-41089 (NVD) : 2.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
                    CVE-2021-41089 (SUSE): 3.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
                    CVE-2021-41091 (NVD) : 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
                    CVE-2021-41091 (SUSE): 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
                    CVE-2021-41092 (NVD) : 5.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
                    CVE-2021-41092 (SUSE): 5.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
                    CVE-2021-41103 (SUSE): 5.9 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Products:
                    SUSE MicroOS 5.1
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Containers 15-SP3
                    SUSE Linux Enterprise Module for Containers 15-SP2
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
                    SUSE Enterprise Storage 7
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has four fixes is now available.

Description:

   This update for containerd, docker, runc fixes the following issues:

   Docker was updated to 20.10.9-ce. (bsc#1191355)

   See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.

   CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103

   containerd was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355

   - CVE-2021-32760: Fixed that an archive package allows chmod of file outside of unpack target directory (bsc#1188282)
   - Install systemd service file as well (bsc#1190826)

   Update to runc v1.0.2.
   Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.2

   * Fixed a failure to set CPU quota period in some cases on cgroup v1.
   * Fixed the inability to start a container with the "adding seccomp filter rule for syscall ..." error, caused by redundant seccomp rules (i.e. those that have action equal to the default one). Such redundant rules are now skipped.
   * Made release builds reproducible from now on.
   * Fixed a rare debug log race in runc init, which can result in occasional harmful "failed to decode ..." errors from runc run or exec.
   * Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working.

   Update to runc v1.0.1.

   Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.1

   * Fixed occasional runc exec/run failure ("interrupted system call") on an Azure volume.
   * Fixed "unable to find groups ... token too long" error with /etc/group containing lines longer than 64K characters.
   * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g Kubernetes).
   * cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely.
   * cgroup/systemd/v2: don't freeze cgroup on Set.
   * cgroup/systemd/v1: avoid unnecessary freeze on Set.

   - fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

   Update to runc v1.0.0.

   Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0

   ! The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations).
   * cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers).
   * cgroupv2: correctly convert "number of IOs" statistics in a cgroupv1-compatible way.
   * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
   * cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen.
   * cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
   * cgroups/systemd: fixed returning "unit already exists" error from a systemd cgroup manager (regression in rc94)
   + cgroupv2: support SkipDevices with systemd driver
   + cgroup/systemd: return, not ignore, stop unit error from Destroy
   + Make "runc --version" output sane even when built with go get or otherwise outside of our build scripts.
   + cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update).
   + cgroup1: blkio: support BFQ weights.
   + cgroupv2: set per-device io weights if BFQ IO scheduler is available.

   Update to runc v1.0.0~rc95.

   Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95

   This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users). (bsc#1185405)

   Update to runc v1.0.0~rc94.

   Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94

   Breaking Changes:

   * cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls.

   Regression Fixes:

   * seccomp: fix 32-bit compilation errors
   * runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
   * runc start: fix "chdir to cwd: permission denied" for some setups

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.1:

      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3506=1

   - SUSE MicroOS 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3506=1

   - SUSE Linux Enterprise Server for SAP 15-SP1:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-3506=1

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-3506=1

   - SUSE Linux Enterprise Server 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-3506=1

   - SUSE Linux Enterprise Server 15-SP1-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-3506=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-3506=1

   - SUSE Linux Enterprise Module for Containers 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Containers-15-SP3-2021-3506=1

   - SUSE Linux Enterprise Module for Containers 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Containers-15-SP2-2021-3506=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-3506=1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-3506=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3506=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3506=1

   - SUSE Enterprise Storage 7:

      zypper in -t patch SUSE-Storage-7-2021-3506=1

   - SUSE Enterprise Storage 6:

      zypper in -t patch SUSE-Storage-6-2021-3506=1

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

   - SUSE MicroOS 5.1 (aarch64 s390x x86_64):

      containerd-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1
      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

   - SUSE MicroOS 5.0 (aarch64 x86_64):

      containerd-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1
      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):

      containerd-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1
      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

   - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):

      docker-bash-completion-20.10.9_ce-156.1

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      containerd-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1
      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

   - SUSE Linux Enterprise Server for SAP 15 (noarch):

      docker-bash-completion-20.10.9_ce-156.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):

      containerd-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1
      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

   - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):

      docker-bash-completion-20.10.9_ce-156.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):

      containerd-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1
      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

   - SUSE Linux Enterprise Server 15-SP1-BCL (noarch):

      docker-bash-completion-20.10.9_ce-156.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

   - SUSE Linux Enterprise Server 15-LTSS (noarch):

      docker-bash-completion-20.10.9_ce-156.1

   - SUSE Linux Enterprise Server 15-LTSS (s390x):

      containerd-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1

   - SUSE Linux Enterprise Module for Containers 15-SP3 (aarch64 ppc64le s390x x86_64):

      containerd-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1
      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

   - SUSE Linux Enterprise Module for Containers 15-SP3 (noarch):

      docker-bash-completion-20.10.9_ce-156.1
      docker-fish-completion-20.10.9_ce-156.1

   - SUSE Linux Enterprise Module for Containers 15-SP2 (aarch64 ppc64le s390x x86_64):

      containerd-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1
      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

   - SUSE Linux Enterprise Module for Containers 15-SP2 (noarch):

      docker-bash-completion-20.10.9_ce-156.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):

      containerd-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1
      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):

      docker-bash-completion-20.10.9_ce-156.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):

      containerd-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1
      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):

      docker-bash-completion-20.10.9_ce-156.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):

      docker-bash-completion-20.10.9_ce-156.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

      containerd-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1
      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):

      docker-bash-completion-20.10.9_ce-156.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

      containerd-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1

   - SUSE Enterprise Storage 7 (aarch64 x86_64):

      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

   - SUSE Enterprise Storage 6 (aarch64 x86_64):

      containerd-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1
      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

   - SUSE Enterprise Storage 6 (noarch):

      docker-bash-completion-20.10.9_ce-156.1

   - SUSE CaaS Platform 4.0 (noarch):

      docker-bash-completion-20.10.9_ce-156.1

   - SUSE CaaS Platform 4.0 (x86_64):

      containerd-1.4.11-56.1
      docker-20.10.9_ce-156.1
      docker-debuginfo-20.10.9_ce-156.1
      runc-1.0.2-23.1
      runc-debuginfo-1.0.2-23.1

References:

   https://www.suse.com/security/cve/CVE-2021-30465.html
   https://www.suse.com/security/cve/CVE-2021-32760.html
   https://www.suse.com/security/cve/CVE-2021-41089.html
   https://www.suse.com/security/cve/CVE-2021-41091.html
   https://www.suse.com/security/cve/CVE-2021-41092.html
   https://www.suse.com/security/cve/CVE-2021-41103.html
   https://bugzilla.suse.com/1102408
   https://bugzilla.suse.com/1185405
   https://bugzilla.suse.com/1187704
   https://bugzilla.suse.com/1188282
   https://bugzilla.suse.com/1190826
   https://bugzilla.suse.com/1191015
   https://bugzilla.suse.com/1191121
   https://bugzilla.suse.com/1191334
   https://bugzilla.suse.com/1191355
   https://bugzilla.suse.com/1191434

From sle-security-updates at lists.suse.com  Tue Oct 26 19:17:20 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 26 Oct 2021 21:17:20 +0200 (CEST)
Subject: SUSE-SU-2021:3522-1: important: Security update for apache2
Message-ID: <20211026191720.B4976FD0A@maintenance.suse.de>

   SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3522-1
Rating:             important
References:         #1190666 #1190669 #1190702 #1190703
Cross-References:   CVE-2021-34798 CVE-2021-36160 CVE-2021-39275 CVE-2021-40438
CVSS scores:
                    CVE-2021-34798 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-36160 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-39275 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-40438 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP3
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for apache2 fixes the following issues:

   - CVE-2021-40438: Fixed an SSRF via a crafted request uri-path. (bsc#1190703)
   - CVE-2021-36160: Fixed an out-of-bounds read via a crafted request uri-path. (bsc#1190702)
   - CVE-2021-39275: Fixed an out-of-bounds write in ap_escape_quotes() via malicious input. (bsc#1190666)
   - CVE-2021-34798: Fixed a NULL pointer dereference via malformed requests. (bsc#1190669)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-3522=1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-3522=1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-3522=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3522=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3522=1

Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64):

      apache2-debuginfo-2.4.43-3.32.1
      apache2-debugsource-2.4.43-3.32.1
      apache2-devel-2.4.43-3.32.1
      apache2-worker-2.4.43-3.32.1
      apache2-worker-debuginfo-2.4.43-3.32.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP3 (noarch):

      apache2-doc-2.4.43-3.32.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      apache2-debuginfo-2.4.43-3.32.1
      apache2-debugsource-2.4.43-3.32.1
      apache2-devel-2.4.43-3.32.1
      apache2-worker-2.4.43-3.32.1
      apache2-worker-debuginfo-2.4.43-3.32.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch):

      apache2-doc-2.4.43-3.32.1

   - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x x86_64):

      apache2-debuginfo-2.4.43-3.32.1
      apache2-debugsource-2.4.43-3.32.1
      apache2-event-2.4.43-3.32.1
      apache2-event-debuginfo-2.4.43-3.32.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      apache2-2.4.43-3.32.1
      apache2-debuginfo-2.4.43-3.32.1
      apache2-debugsource-2.4.43-3.32.1
      apache2-prefork-2.4.43-3.32.1
      apache2-prefork-debuginfo-2.4.43-3.32.1
      apache2-utils-2.4.43-3.32.1
      apache2-utils-debuginfo-2.4.43-3.32.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      apache2-2.4.43-3.32.1
      apache2-debuginfo-2.4.43-3.32.1
      apache2-debugsource-2.4.43-3.32.1
      apache2-prefork-2.4.43-3.32.1
      apache2-prefork-debuginfo-2.4.43-3.32.1
      apache2-utils-2.4.43-3.32.1
      apache2-utils-debuginfo-2.4.43-3.32.1

References:

   https://www.suse.com/security/cve/CVE-2021-34798.html
   https://www.suse.com/security/cve/CVE-2021-36160.html
   https://www.suse.com/security/cve/CVE-2021-39275.html
   https://www.suse.com/security/cve/CVE-2021-40438.html
   https://bugzilla.suse.com/1190666
   https://bugzilla.suse.com/1190669
   https://bugzilla.suse.com/1190702
   https://bugzilla.suse.com/1190703

From sle-security-updates at lists.suse.com  Tue Oct 26 19:19:00 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 26 Oct 2021 21:19:00 +0200 (CEST)
Subject: SUSE-SU-2021:3519-1: important: Security update for qemu
Message-ID: <20211026191900.81938FD0A@maintenance.suse.de>

   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3519-1
Rating:             important
References:         #1189702 #1189938
Cross-References:   CVE-2021-3713 CVE-2021-3748
CVSS scores:
                    CVE-2021-3713 (SUSE): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
                    CVE-2021-3748 (SUSE): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for qemu fixes the following issues:

   - CVE-2021-3713: Fix out-of-bounds write in UAS (USB Attached SCSI) device emulation (bsc#1189702)
   - CVE-2021-3748: Fix heap use-after-free in virtio_net_receive_rcu (bsc#1189938)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3519=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      qemu-3.1.1.1-60.2
      qemu-audio-alsa-3.1.1.1-60.2
      qemu-audio-alsa-debuginfo-3.1.1.1-60.2
      qemu-audio-oss-3.1.1.1-60.2
      qemu-audio-oss-debuginfo-3.1.1.1-60.2
      qemu-audio-pa-3.1.1.1-60.2
      qemu-audio-pa-debuginfo-3.1.1.1-60.2
      qemu-audio-sdl-3.1.1.1-60.2
      qemu-audio-sdl-debuginfo-3.1.1.1-60.2
      qemu-block-curl-3.1.1.1-60.2
      qemu-block-curl-debuginfo-3.1.1.1-60.2
      qemu-block-iscsi-3.1.1.1-60.2
      qemu-block-iscsi-debuginfo-3.1.1.1-60.2
      qemu-block-ssh-3.1.1.1-60.2
      qemu-block-ssh-debuginfo-3.1.1.1-60.2
      qemu-debugsource-3.1.1.1-60.2
      qemu-guest-agent-3.1.1.1-60.2
      qemu-guest-agent-debuginfo-3.1.1.1-60.2
      qemu-lang-3.1.1.1-60.2
      qemu-tools-3.1.1.1-60.2
      qemu-tools-debuginfo-3.1.1.1-60.2
      qemu-ui-curses-3.1.1.1-60.2
      qemu-ui-curses-debuginfo-3.1.1.1-60.2
      qemu-ui-gtk-3.1.1.1-60.2
      qemu-ui-gtk-debuginfo-3.1.1.1-60.2
      qemu-ui-sdl-3.1.1.1-60.2
      qemu-ui-sdl-debuginfo-3.1.1.1-60.2

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 x86_64):

      qemu-block-rbd-3.1.1.1-60.2
      qemu-block-rbd-debuginfo-3.1.1.1-60.2

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      qemu-kvm-3.1.1.1-60.2

   - SUSE Linux Enterprise Server 12-SP5 (aarch64):

      qemu-arm-3.1.1.1-60.2
      qemu-arm-debuginfo-3.1.1.1-60.2

   - SUSE Linux Enterprise Server 12-SP5 (ppc64le):

      qemu-ppc-3.1.1.1-60.2
      qemu-ppc-debuginfo-3.1.1.1-60.2

   - SUSE Linux Enterprise Server 12-SP5 (x86_64):

      qemu-x86-3.1.1.1-60.2

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      qemu-ipxe-1.0.0+-60.2
      qemu-seabios-1.12.0_0_ga698c89-60.2
      qemu-sgabios-8-60.2
      qemu-vgabios-1.12.0_0_ga698c89-60.2

   - SUSE Linux Enterprise Server 12-SP5 (s390x):

      qemu-s390-3.1.1.1-60.2
      qemu-s390-debuginfo-3.1.1.1-60.2

References:

   https://www.suse.com/security/cve/CVE-2021-3713.html
   https://www.suse.com/security/cve/CVE-2021-3748.html
   https://bugzilla.suse.com/1189702
   https://bugzilla.suse.com/1189938

From sle-security-updates at lists.suse.com  Tue Oct 26 19:22:03 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 26 Oct 2021 21:22:03 +0200 (CEST)
Subject: SUSE-SU-2021:3523-1: moderate: Security update for util-linux
Message-ID: <20211026192203.0D1BFFD0A@maintenance.suse.de>

   SUSE Security Update: Security update for util-linux
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3523-1
Rating:             moderate
References:         #1122417 #1125886 #1178236 #1188921
Cross-References:   CVE-2021-37600
CVSS scores:
                    CVE-2021-37600 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2021-37600 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes is now available.

Description:

   This update for util-linux fixes the following issues:

   Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2:

   - CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921).
   - agetty: Fix 8-bit processing in get_logname() (bsc#1125886).
   - mount: Fix "mount" output for net file systems (bsc#1122417).
   - ipcs: Avoid overflows (bsc#1178236)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3523=1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-3523=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3523=1

Package List:

   - SUSE MicroOS 5.0 (aarch64 x86_64):

      libblkid1-2.33.2-4.16.1
      libblkid1-debuginfo-2.33.2-4.16.1
      libfdisk1-2.33.2-4.16.1
      libfdisk1-debuginfo-2.33.2-4.16.1
      libmount1-2.33.2-4.16.1
      libmount1-debuginfo-2.33.2-4.16.1
      libsmartcols1-2.33.2-4.16.1
      libsmartcols1-debuginfo-2.33.2-4.16.1
      libuuid1-2.33.2-4.16.1
      libuuid1-debuginfo-2.33.2-4.16.1
      util-linux-2.33.2-4.16.1
      util-linux-debuginfo-2.33.2-4.16.1
      util-linux-debugsource-2.33.2-4.16.1
      util-linux-systemd-2.33.2-4.16.1
      util-linux-systemd-debuginfo-2.33.2-4.16.1
      util-linux-systemd-debugsource-2.33.2-4.16.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      util-linux-systemd-debuginfo-2.33.2-4.16.1
      util-linux-systemd-debugsource-2.33.2-4.16.1
      uuidd-2.33.2-4.16.1
      uuidd-debuginfo-2.33.2-4.16.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      libblkid-devel-2.33.2-4.16.1
      libblkid-devel-static-2.33.2-4.16.1
      libblkid1-2.33.2-4.16.1
      libblkid1-debuginfo-2.33.2-4.16.1
      libfdisk-devel-2.33.2-4.16.1
      libfdisk1-2.33.2-4.16.1
      libfdisk1-debuginfo-2.33.2-4.16.1
      libmount-devel-2.33.2-4.16.1
      libmount1-2.33.2-4.16.1
      libmount1-debuginfo-2.33.2-4.16.1
      libsmartcols-devel-2.33.2-4.16.1
      libsmartcols1-2.33.2-4.16.1
      libsmartcols1-debuginfo-2.33.2-4.16.1
      libuuid-devel-2.33.2-4.16.1
      libuuid-devel-static-2.33.2-4.16.1
      libuuid1-2.33.2-4.16.1
      libuuid1-debuginfo-2.33.2-4.16.1
      util-linux-2.33.2-4.16.1
      util-linux-debuginfo-2.33.2-4.16.1
      util-linux-debugsource-2.33.2-4.16.1
      util-linux-systemd-2.33.2-4.16.1
      util-linux-systemd-debuginfo-2.33.2-4.16.1
      util-linux-systemd-debugsource-2.33.2-4.16.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):

      libblkid1-32bit-2.33.2-4.16.1
      libblkid1-32bit-debuginfo-2.33.2-4.16.1
      libmount1-32bit-2.33.2-4.16.1
      libmount1-32bit-debuginfo-2.33.2-4.16.1
      libuuid1-32bit-2.33.2-4.16.1
      libuuid1-32bit-debuginfo-2.33.2-4.16.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):

      util-linux-lang-2.33.2-4.16.1

References:

   https://www.suse.com/security/cve/CVE-2021-37600.html
   https://bugzilla.suse.com/1122417
   https://bugzilla.suse.com/1125886
   https://bugzilla.suse.com/1178236
   https://bugzilla.suse.com/1188921

From sle-security-updates at lists.suse.com  Tue Oct 26 19:23:43 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 26 Oct 2021 21:23:43 +0200 (CEST)
Subject: SUSE-SU-2021:3527-1: moderate: Security update for wireguard-tools
Message-ID: <20211026192343.2BE5EFD0A@maintenance.suse.de>

   SUSE Security Update: Security update for wireguard-tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3527-1
Rating:             moderate
References:         #1191224
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for wireguard-tools fixes the following issues:

   - Removed world-readable permissions from /etc/wireguard (bsc#1191224)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3527=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3527=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
    wireguard-tools-1.0.20200827-5.9.1
    wireguard-tools-debuginfo-1.0.20200827-5.9.1
    wireguard-tools-debugsource-1.0.20200827-5.9.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
    wireguard-tools-1.0.20200827-5.9.1
    wireguard-tools-debuginfo-1.0.20200827-5.9.1
    wireguard-tools-debugsource-1.0.20200827-5.9.1

References:

https://bugzilla.suse.com/1191224

From sle-security-updates at lists.suse.com Tue Oct 26 19:25:07 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 26 Oct 2021 21:25:07 +0200 (CEST)
Subject: SUSE-SU-2021:3521-1: moderate: Security update for ffmpeg
Message-ID: <20211026192507.D1B3DFD0A@maintenance.suse.de>

SUSE Security Update: Security update for ffmpeg
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3521-1
Rating:             moderate
References:         #1186756 #1187852 #1189166 #1190718 #1190719 #1190722
                    #1190723 #1190726 #1190729 #1190733 #1190734 #1190735
Cross-References:   CVE-2020-20891 CVE-2020-20892 CVE-2020-20895 CVE-2020-20896
                    CVE-2020-20899 CVE-2020-20902 CVE-2020-22037 CVE-2020-35965
                    CVE-2021-3566 CVE-2021-38092 CVE-2021-38093 CVE-2021-38094
CVSS scores:
                    CVE-2020-20891 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2020-20892 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2020-20895 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2020-20896 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2020-20899 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2020-20902 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2020-22037 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2020-22037 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2020-35965 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-35965 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-3566 (SUSE): 4.4 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
                    CVE-2021-38092 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2021-38093 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2021-38094 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP3
                    SUSE Linux Enterprise Workstation Extension 15-SP2
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP3
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP2
______________________________________________________________________________

An update that fixes 12 vulnerabilities is now available.

Description:

This update for ffmpeg fixes the following issues:

- CVE-2021-3566: Fixed information leak (bsc#1189166).
- CVE-2021-38093: Fixed integer overflow vulnerability in filter_robert() (bsc#1190734)
- CVE-2021-38092: Fixed integer overflow vulnerability in filter_prewitt() (bsc#1190733)
- CVE-2021-38094: Fixed integer overflow vulnerability in filter_sobel() (bsc#1190735)
- CVE-2020-22037: Fixed denial of service vulnerability caused by memory leak in
  avcodec_alloc_context3() (bsc#1186756)
- CVE-2020-35965: Fixed out-of-bounds write in decode_frame() (bsc#1187852)
- CVE-2020-20892: Fixed an issue with filter_frame() (bsc#1190719)
- CVE-2020-20891: Fixed a buffer overflow vulnerability in config_input() (bsc#1190718)
- CVE-2020-20895: Fixed a buffer overflow vulnerability in function filter_vertically_##name
  (bsc#1190722)
- CVE-2020-20896: Fixed an issue with latm_write_packet() (bsc#1190723)
- CVE-2020-20899: Fixed a buffer overflow vulnerability in config_props() (bsc#1190726)
- CVE-2020-20902: Fixed an out-of-bounds read vulnerability in long_term_filter() (bsc#1190729)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 15-SP3:
    zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-3521=1
- SUSE Linux Enterprise Workstation Extension 15-SP2:
    zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-3521=1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2021-3521=1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2021-3521=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP3-2021-3521=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2021-3521=1

Package List:

- SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):
    ffmpeg-debuginfo-3.4.2-11.17.1
    ffmpeg-debugsource-3.4.2-11.17.1
    libavcodec-devel-3.4.2-11.17.1
    libavformat-devel-3.4.2-11.17.1
    libavresample-devel-3.4.2-11.17.1
    libavresample3-3.4.2-11.17.1
    libavresample3-debuginfo-3.4.2-11.17.1
- SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):
    ffmpeg-debuginfo-3.4.2-11.17.1
    ffmpeg-debugsource-3.4.2-11.17.1
    libavcodec-devel-3.4.2-11.17.1
    libavformat-devel-3.4.2-11.17.1
    libavresample-devel-3.4.2-11.17.1
    libavresample3-3.4.2-11.17.1
    libavresample3-debuginfo-3.4.2-11.17.1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x x86_64):
    ffmpeg-3.4.2-11.17.1
    ffmpeg-debuginfo-3.4.2-11.17.1
    ffmpeg-debugsource-3.4.2-11.17.1
    libavdevice57-3.4.2-11.17.1
    libavdevice57-debuginfo-3.4.2-11.17.1
    libavfilter6-3.4.2-11.17.1
    libavfilter6-debuginfo-3.4.2-11.17.1
- SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (aarch64 ppc64le s390x x86_64):
    ffmpeg-3.4.2-11.17.1
    ffmpeg-debuginfo-3.4.2-11.17.1
    ffmpeg-debugsource-3.4.2-11.17.1
    libavdevice57-3.4.2-11.17.1
    libavdevice57-debuginfo-3.4.2-11.17.1
    libavfilter6-3.4.2-11.17.1
    libavfilter6-debuginfo-3.4.2-11.17.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64 ppc64le s390x x86_64):
    ffmpeg-debuginfo-3.4.2-11.17.1
    ffmpeg-debugsource-3.4.2-11.17.1
    libavcodec57-3.4.2-11.17.1
    libavcodec57-debuginfo-3.4.2-11.17.1
    libavformat57-3.4.2-11.17.1
    libavformat57-debuginfo-3.4.2-11.17.1
    libavresample-devel-3.4.2-11.17.1
    libavresample3-3.4.2-11.17.1
    libavresample3-debuginfo-3.4.2-11.17.1
    libavutil-devel-3.4.2-11.17.1
    libavutil55-3.4.2-11.17.1
    libavutil55-debuginfo-3.4.2-11.17.1
    libpostproc-devel-3.4.2-11.17.1
    libpostproc54-3.4.2-11.17.1
    libpostproc54-debuginfo-3.4.2-11.17.1
    libswresample-devel-3.4.2-11.17.1
    libswresample2-3.4.2-11.17.1
    libswresample2-debuginfo-3.4.2-11.17.1
    libswscale-devel-3.4.2-11.17.1
    libswscale4-3.4.2-11.17.1
    libswscale4-debuginfo-3.4.2-11.17.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (aarch64_ilp32):
    libavresample3-64bit-3.4.2-11.17.1
    libavresample3-64bit-debuginfo-3.4.2-11.17.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 i586 ppc64le s390x x86_64):
    libavresample-devel-3.4.2-11.17.1
    libavresample3-3.4.2-11.17.1
    libavresample3-debuginfo-3.4.2-11.17.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
    ffmpeg-debuginfo-3.4.2-11.17.1
    ffmpeg-debugsource-3.4.2-11.17.1
    libavcodec57-3.4.2-11.17.1
    libavcodec57-debuginfo-3.4.2-11.17.1
    libavformat57-3.4.2-11.17.1
    libavformat57-debuginfo-3.4.2-11.17.1
    libavutil-devel-3.4.2-11.17.1
    libavutil55-3.4.2-11.17.1
    libavutil55-debuginfo-3.4.2-11.17.1
    libpostproc-devel-3.4.2-11.17.1
    libpostproc54-3.4.2-11.17.1
    libpostproc54-debuginfo-3.4.2-11.17.1
    libswresample-devel-3.4.2-11.17.1
    libswresample2-3.4.2-11.17.1
    libswresample2-debuginfo-3.4.2-11.17.1
    libswscale-devel-3.4.2-11.17.1
    libswscale4-3.4.2-11.17.1
    libswscale4-debuginfo-3.4.2-11.17.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (x86_64):
    libavresample3-32bit-3.4.2-11.17.1
    libavresample3-32bit-debuginfo-3.4.2-11.17.1

References:

https://www.suse.com/security/cve/CVE-2020-20891.html
https://www.suse.com/security/cve/CVE-2020-20892.html
https://www.suse.com/security/cve/CVE-2020-20895.html
https://www.suse.com/security/cve/CVE-2020-20896.html
https://www.suse.com/security/cve/CVE-2020-20899.html
https://www.suse.com/security/cve/CVE-2020-20902.html
https://www.suse.com/security/cve/CVE-2020-22037.html
https://www.suse.com/security/cve/CVE-2020-35965.html
https://www.suse.com/security/cve/CVE-2021-3566.html
https://www.suse.com/security/cve/CVE-2021-38092.html
https://www.suse.com/security/cve/CVE-2021-38093.html
https://www.suse.com/security/cve/CVE-2021-38094.html
https://bugzilla.suse.com/1186756
https://bugzilla.suse.com/1187852
https://bugzilla.suse.com/1189166
https://bugzilla.suse.com/1190718
https://bugzilla.suse.com/1190719
https://bugzilla.suse.com/1190722
https://bugzilla.suse.com/1190723
https://bugzilla.suse.com/1190726
https://bugzilla.suse.com/1190729
https://bugzilla.suse.com/1190733
https://bugzilla.suse.com/1190734
https://bugzilla.suse.com/1190735

From sle-security-updates at lists.suse.com Tue Oct 26 19:27:57 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 26 Oct 2021 21:27:57 +0200 (CEST)
Subject: SUSE-SU-2021:3524-1: moderate: Security update for python
Message-ID: <20211026192757.47CDEFD0A@maintenance.suse.de>

SUSE Security Update: Security update for python
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3524-1
Rating:             moderate
References:         #1189241 #1189287
Cross-References:   CVE-2021-3733 CVE-2021-3737
CVSS scores:
                    CVE-2021-3733 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2021-3737 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for python fixes the following issues:

- CVE-2021-3737: Fixed http client infinite line reading (DoS) after an HTTP 100. (bsc#1189241)
- CVE-2021-3733: Fixed ReDoS in urllib.request. (bsc#1189287)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 12-SP5:
    zypper in -t patch SUSE-SLE-WE-12-SP5-2021-3524=1
- SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3524=1

Package List:

- SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):
    python-base-debuginfo-2.7.18-28.74.2
    python-base-debugsource-2.7.18-28.74.2
    python-devel-2.7.18-28.74.2
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
    libpython2_7-1_0-2.7.18-28.74.2
    libpython2_7-1_0-debuginfo-2.7.18-28.74.2
    python-2.7.18-28.74.1
    python-base-2.7.18-28.74.2
    python-base-debuginfo-2.7.18-28.74.2
    python-base-debugsource-2.7.18-28.74.2
    python-curses-2.7.18-28.74.1
    python-curses-debuginfo-2.7.18-28.74.1
    python-debuginfo-2.7.18-28.74.1
    python-debugsource-2.7.18-28.74.1
    python-demo-2.7.18-28.74.1
    python-devel-2.7.18-28.74.2
    python-gdbm-2.7.18-28.74.1
    python-gdbm-debuginfo-2.7.18-28.74.1
    python-idle-2.7.18-28.74.1
    python-tk-2.7.18-28.74.1
    python-tk-debuginfo-2.7.18-28.74.1
    python-xml-2.7.18-28.74.2
    python-xml-debuginfo-2.7.18-28.74.2
- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
    libpython2_7-1_0-32bit-2.7.18-28.74.2
    libpython2_7-1_0-debuginfo-32bit-2.7.18-28.74.2
    python-32bit-2.7.18-28.74.1
    python-base-32bit-2.7.18-28.74.2
    python-base-debuginfo-32bit-2.7.18-28.74.2
    python-debuginfo-32bit-2.7.18-28.74.1
- SUSE Linux Enterprise Server 12-SP5 (noarch):
    python-doc-2.7.18-28.74.1
    python-doc-pdf-2.7.18-28.74.1

References:

https://www.suse.com/security/cve/CVE-2021-3733.html
https://www.suse.com/security/cve/CVE-2021-3737.html
https://bugzilla.suse.com/1189241
https://bugzilla.suse.com/1189287

From sle-security-updates at lists.suse.com Tue Oct 26 19:32:08 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Tue, 26 Oct 2021 21:32:08 +0200 (CEST)
Subject: SUSE-SU-2021:3520-1: moderate: Security update for open-lldp
Message-ID: <20211026193208.4CA6FFD0A@maintenance.suse.de>

SUSE Security Update: Security update for open-lldp
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3520-1
Rating:             moderate
References:         #1104624
Cross-References:   CVE-2018-10932
CVSS scores:
                    CVE-2018-10932 (NVD) : 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
                    CVE-2018-10932 (SUSE): 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for open-lldp fixes the following issues:

- CVE-2018-10932: Fixed an improper sanitization of shell-escape codes. (bsc#1104624)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3520=1
- SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3520=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
    open-lldp-debuginfo-0.9.46-7.3.1
    open-lldp-debugsource-0.9.46-7.3.1
    open-lldp-devel-0.9.46-7.3.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
    liblldp_clif1-0.9.46-7.3.1
    liblldp_clif1-debuginfo-0.9.46-7.3.1
    open-lldp-0.9.46-7.3.1
    open-lldp-debuginfo-0.9.46-7.3.1
    open-lldp-debugsource-0.9.46-7.3.1

References:

https://www.suse.com/security/cve/CVE-2018-10932.html
https://bugzilla.suse.com/1104624

From sle-security-updates at lists.suse.com Wed Oct 27 06:27:27 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 08:27:27 +0200 (CEST)
Subject: SUSE-IU-2021:741-1: Security update of suse-sles-15-sp2-chost-byos-v20211025-gen2
Message-ID: <20211027062727.30FFDFBB1@maintenance.suse.de>

SUSE Image Update Advisory: suse-sles-15-sp2-chost-byos-v20211025-gen2
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2021:741-1
Image Tags        : suse-sles-15-sp2-chost-byos-v20211025-gen2:20211025
Image Release     :
Severity          : important
Type              : security
References        :
    1027519 1029961 1040364 1065729 1085917 1102408 1127650 1134353 1135481 1148868
    1152489 1152489 1154353 1159886 1160010 1167032 1167773 1168202 1170774 1171685
    1171962 1172670 1173746 1174697 1174969 1175052 1175543 1176206 1176473 1176934
    1176940 1177315 1177399 1177789 1179382 1179416 1180141 1180347 1181148 1181299
    1181306 1181309 1181371 1181535 1181536 1181972 1182057 1182309 1183070 1183543
    1183545 1183632 1183659 1184114 1184180 1184439 1184454 1184616 1184804 1184970
    1184994 1185016 1185232 1185261 1185299 1185302 1185405 1185441 1185464
    1185524 1185611 1185621 1185675 1185677 1185726 1185748 1185762 1185902 1185961
    1186037 1186260 1186264 1186489 1186503 1186565 1186602 1186731 1186910 1186975
    1187115 1187167 1187211 1187224 1187260 1187270 1187425 1187455 1187466 1187468
    1187470 1187512 1187565 1187619 1187670 1187696 1187704 1187738 1187760 1187774
    1187911 1188018 1188063 1188067 1188067 1188090 1188156 1188172 1188282 1188291
    1188344 1188418 1188435 1188439 1188548 1188616 1188651 1188651 1188713 1188780
    1188781 1188782 1188783 1188784 1188786 1188787 1188788 1188790 1188878 1188885
    1188891 1188924 1188982 1188983 1188985 1188986 1189021 1189031 1189057 1189077
    1189153 1189197 1189209 1189210 1189212 1189213 1189214 1189215 1189216 1189217
    1189218 1189219 1189220 1189221 1189222 1189229 1189262 1189291 1189292 1189297
    1189298 1189301 1189305 1189323 1189384 1189385 1189392 1189399 1189400 1189427
    1189449 1189480 1189503 1189504 1189505 1189506 1189507 1189552 1189562 1189563
    1189564 1189565 1189566 1189567 1189568 1189569 1189573 1189574 1189575 1189576
    1189577 1189579 1189581 1189582 1189583 1189585 1189586 1189587 1189632 1189706
    1189760 1189832 1189841 1189841 1189841 1189870 1189883 1189884 1189929 1189996
    1190023 1190025 1190052 1190059 1190062 1190115 1190115 1190117 1190131 1190159
    1190181 1190199 1190234 1190358 1190373 1190374 1190406 1190432 1190465 1190467
    1190523 1190534 1190543 1190576 1190595 1190596 1190598 1190598 1190620 1190626
    1190645 1190670 1190679 1190705 1190712 1190717 1190739 1190746 1190758 1190784
    1190785 1190793 1190815 1190826 1190845 1190858 1190915 1190933 1191015 1191019
    1191121 1191172 1191193 1191240 1191292 1191334 1191355 1191434
    CVE-2020-12400 CVE-2020-12401 CVE-2020-12403 CVE-2020-12825 CVE-2020-25648
    CVE-2020-3702 CVE-2020-6829 CVE-2021-20266 CVE-2021-20271 CVE-2021-22946
    CVE-2021-22947 CVE-2021-28701 CVE-2021-30465 CVE-2021-32760 CVE-2021-33574
    CVE-2021-33910 CVE-2021-3421 CVE-2021-34556 CVE-2021-35477 CVE-2021-35942
    CVE-2021-3640 CVE-2021-3653 CVE-2021-3656 CVE-2021-3669 CVE-2021-3679
    CVE-2021-3732 CVE-2021-3739 CVE-2021-3743 CVE-2021-3744 CVE-2021-3752
    CVE-2021-3753 CVE-2021-3759 CVE-2021-3764 CVE-2021-37750 CVE-2021-38160
    CVE-2021-38198 CVE-2021-38204 CVE-2021-38205 CVE-2021-38207 CVE-2021-39537
    CVE-2021-40490 CVE-2021-41089 CVE-2021-41091 CVE-2021-41092 CVE-2021-41103
-----------------------------------------------------------------
The container suse-sles-15-sp2-chost-byos-v20211025-gen2 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2020:3026-1
Released:    Fri Oct 23 15:35:49 2020
Summary:     Optional update for the Public Cloud Module
Type:        optional
Severity:    moderate
References:

This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398).

The following packages were included:

- python3-grpcio
- python3-protobuf
- python3-google-api-core
- python3-google-cloud-core
- python3-google-cloud-storage
- python3-google-resumable-media
- python3-googleapis-common-protos
- python3-grpcio-gcp
- python3-mock (updated to version 3.0.5)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:294-1
Released:    Wed Feb 3 12:54:28 2021
Summary:     Recommended update for libprotobuf
Type:        recommended
Severity:    moderate
References:

libprotobuf was updated to fix:

- ship the libprotobuf-lite15 on the basesystem module and the INSTALLER channel. (jsc#ECO-2911)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3034-1
Released:    Tue Sep 14 13:49:23 2021
Summary:     Recommended update for python-pytz
Type:        recommended
Severity:    moderate
References:  1185748

This update for python-pytz fixes the following issues:

- Add %pyunittest shim for platforms where it is missing.
- Remove real directory of %{python_sitelib}/pytz/zoneinfo when upgrading, before it is replaced by a symlink.
  (bsc#1185748)
- update to 2021.1:
  * update to IANA 2021a timezone release
- update to 2020.5:
  * update to IANA 2020e timezone release
- update to 2020.4:
  * update to IANA 2020d timezone release
- update to version 2020.1:
  * Test against Python 3.8 and Python 3.9
  * Bump version numbers to 2020.1/2020a
  * use .rst extension name
  * Make FixedOffset part of public API
- Update to 2019.3
  * IANA 2019c
- Add versioned dependency on timezone database to ensure the correct data is installed
- Add a symlink to the system timezone database
- update to 2019.2
  * IANA 2019b
  * Defer generating case-insensitive lookups

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3115-1
Released:    Thu Sep 16 14:04:26 2021
Summary:     Recommended update for mozilla-nspr, mozilla-nss
Type:        recommended
Severity:    moderate
References:  1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829

This update for mozilla-nspr fixes the following issues:

mozilla-nspr was updated to version 4.32:

* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer size for DNS queries
* Lock access to PRCallOnceType members in PR_CallOnce* for thread safety bmo#1686138
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get information about
  the operating system build version.

Mozilla NSS was updated to version 3.68:

* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.

update to NSS 3.67

* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.

update to NSS 3.66

* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.

update to NSS 3.65

* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update its csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.

update to NSS 3.64

* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector acceleration.
Fixed in 3.63

* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build issues with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build issues with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS.
* bmo#1687822 - Turn off Websites trust bit for the 'Staat der Nederlanden Root CA - G3' root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global Chambersign Root - 2008'.
* bmo#1694291 - Tracing fixes for ECH.
update to NSS 3.62

* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07

update to NSS 3.61

* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.

Update to NSS 3.60.1:

Notable changes in NSS 3.60:

* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added,
  replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See
  bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated to version 2.46.
  See bmo#1678189, bmo#1678166, and bmo#1670769 for more information.

Update to NSS 3.59.1:

* bmo#1679290 - Fix potential deadlock with certain third-party PKCS11 modules

Update to NSS 3.59:

Notable changes:

* Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and
  CERT_AddCertToListTailWithData

Bugfixes

* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix
  that broke purple-discord (boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding
  certain PKCS8 private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.

update to NSS 3.58

Bugs fixed:

* bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for
  TLS Encrypted Client Hello (draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions.
* bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation
  instead of the notBefore value.
update to NSS 3.57 * The following CA certificates were Added: bmo#1663049 - CN=Trustwave Global Certification Authority SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097 * The following CA certificates were Removed: bmo#1651211 - CN=EE Certification Centre Root CA SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 bmo#1656077 - O=Government Root Certification Authority; C=TW SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3 * Trust settings for the following CA certificates were Modified: bmo#1653092 - CN=OISTE WISeKey Global Root GA CA Websites (server authentication) trust bit removed. * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes update to NSS 3.56 Notable changes * bmo#1650702 - Support SHA-1 HW acceleration on ARMv8 * bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS. * bmo#1654142 - Add CPU feature detection for Intel SHA extension. * bmo#1648822 - Add stricter validation of DH keys in FIPS mode. * bmo#1656986 - Properly detect arm64 during GYP build architecture detection. * bmo#1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated. * bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay. * bmo#1588941 - Send empty certificate message when scheme selection fails. * bmo#1652032 - Fix failure to build in Windows arm64 makefile cross-compilation. * bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent. * bmo#1653975 - Fix 3.53 regression by setting 'all' as the default makefile target. * bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert. 
* bmo#1659814 - Fix interop.sh failures with newer tls-interop commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28
update to NSS 3.55
Notable changes
* P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
Relevant Bugfixes
* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension.
update to NSS 3.54
Notable changes
* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available (bmo#1528113)
* The following CA certificates were Added:
  bmo#1645186 - certSIGN Root CA G2.
  bmo#1645174 - e-Szigno Root CA 2017.
  bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
  bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
  bmo#1645199 - AddTrust Class 1 CA Root.
  bmo#1645199 - AddTrust External CA Root.
  bmo#1641718 - LuxTrust Global Root 2.
  bmo#1639987 - Staat der Nederlanden Root CA - G2.
  bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
  bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
  bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list.
Bugs fixed
* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo#1621151 - Disable email trust bit for 'O=Government Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3123-1
Released: Thu Sep 16 19:45:05 2021
Summary: Security update for libcroco
Type: security
Severity: moderate
References: 1171685,CVE-2020-12825
This update for libcroco fixes the following issues:
- CVE-2020-12825: Fixed recursion issue in block and any productions (bsc#1171685).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3133-1
Released: Fri Sep 17 16:37:59 2021
Summary: Recommended update for grub2, efibootmgr
Type: recommended
Severity: moderate
References: 1186565,1186975,1187565
This update for grub2, efibootmgr provides the following fixes:
- Ship package grub2-arm64-efi and the required efibootmgr also to ppc64le, s390x and x86_64 (bsc#1186565)
- Fix error gfxterm isn't found with multiple terminals (bsc#1187565)
- Fix occasional boot failure after kdump procedure when using XFS (bsc#1186975)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3136-1
Released: Fri Sep 17 16:59:09 2021
Summary: Recommended update for SUSEConnect
Type: recommended
Severity: moderate
References: 1185611
This update for SUSEConnect fixes the following issues:
- Disallow registering via SUSEConnect if the system is managed by SUSE Manager.
- Add subscription name to output of 'SUSEConnect --status'.
- Send payload of GET requests as part of the url, not in the body.
  (bsc#1185611)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3141-1
Released: Sat Sep 18 14:37:39 2021
Summary: Security update for xen
Type: security
Severity: moderate
References: 1027519,1189632,CVE-2021-28701
This update for xen fixes the following issues:
- CVE-2021-28701: Fixed race condition in XENMAPSPACE_grant_table handling (XSA-384) (bsc#1189632).
- Upstream bug fixes (bsc#1027519)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3182-1
Released: Tue Sep 21 17:04:26 2021
Summary: Recommended update for file
Type: recommended
Severity: moderate
References: 1189996
This update for file fixes the following issues:
- Fixes exception thrown by memory allocation problem (bsc#1189996)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3207-1
Released: Thu Sep 23 16:18:52 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1040364,1127650,1135481,1152489,1160010,1167032,1168202,1174969,1175052,1175543,1177399,1180141,1180347,1181148,1181972,1184114,1184180,1185675,1185902,1186264,1186731,1187211,1187455,1187468,1187619,1188067,1188172,1188418,1188439,1188616,1188780,1188781,1188782,1188783,1188784,1188786,1188787,1188788,1188790,1188878,1188885,1188924,1188982,1188983,1188985,1189021,1189057,1189077,1189153,1189197,1189209,1189210,1189212,1189213,1189214,1189215,1189216,1189217,1189218,1189219,1189220,1189221,1189222,1189229,1189262,1189291,1189292,1189298,1189301,1189305,1189323,1189384,1189385,1189392,1189399,1189400,1189427,1189449,1189503,1189504,1189505,1189506,1189507,1189562,1189563,1189564,1189565,1189566,1189567,1189568,1189569,1189573,1189574,1189575,1189576,1189577,1189579,1189581,1189582,1189583,1189585,1189586,1189587,1189706,1189760,1189832,1189841,1189870,1189883,1190025,1190115,1190117,1190131,1190181,CVE-2021-34556,CVE-2021-35477,CVE-2021-3640,CVE-2021-3653,CVE-2021-3656,CVE-2021-3679,CVE-2021-3732,CVE-2021-3739,CVE-2021-3743,CVE-2021-3753,CVE-2021-3759,CVE-2021-38160,CVE-2021-38198,CVE-2021-38204,CVE-2021-38205,CVE-2021-38207
The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-3759: Unaccounted ipc objects in the Linux kernel could have led to breaking memcg limits and DoS attacks (bsc#1190115).
- CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117)
- CVE-2021-3640: Fixed a Use-After-Free vulnerability in function sco_sock_sendmsg() in the bluetooth stack (bsc#1188172).
- CVE-2021-3753: Fixed race out-of-bounds in virtual terminal handling (bsc#1190025).
- CVE-2021-3743: Fixed OOB Read in qrtr_endpoint_post (bsc#1189883).
- CVE-2021-3739: Fixed a NULL pointer dereference when deleting device by invalid id (bsc#1189832).
- CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
- CVE-2021-3653: Missing validation of the `int_ctl` VMCB field allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189399).
- CVE-2021-3656: Missing validation of the `virt_ext` VMCB field allowed a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS for the L2 guest (bsc#1189400).
- CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault (bnc#1189262).
- CVE-2021-38207: drivers/net/ethernet/xilinx/ll_temac_main.c allowed remote attackers to cause a denial of service (buffer overflow and lockup) by sending heavy network traffic for about ten minutes (bnc#1189298).
- CVE-2021-38205: drivers/net/ethernet/xilinx/xilinx_emaclite.c made it easier for attackers to defeat an ASLR protection mechanism because it prints a kernel pointer (i.e., the real IOMEM pointer) (bnc#1189292).
- CVE-2021-38204: drivers/usb/host/max3421-hcd.c allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
- CVE-2021-3679: A lack of CPU resource in the tracing module functionality was found in the way a user uses the trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources, causing denial of service (bnc#1189057).
- CVE-2021-34556: Fixed a side-channel attack via Speculative Store Bypass through an unprivileged BPF program that could have obtained sensitive information from kernel memory (bsc#1188983).
- CVE-2021-35477: Fixed BPF stack frame pointer which could have been abused to disclose content of arbitrary kernel memory (bsc#1188985).
The following non-security bugs were fixed:
- ACPI: NFIT: Fix support for virtual SPA ranges (git-fixes).
- ACPI: processor: Clean up acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Export acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Export function to claim _CST control (bsc#1175543)
- ACPI: processor: Introduce acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Make ACPI_PROCESSOR_CSTATE depend on ACPI_PROCESSOR (bsc#1175543)
- ALSA: hda - fix the 'Capture Switch' value change notifications (git-fixes).
- ALSA: hda/realtek: Enable 4-speaker output for Dell XPS 15 9510 laptop (git-fixes).
- ALSA: hda/realtek: Fix headset mic for Acer SWIFT SF314-56 (ALC256) (git-fixes).
- ALSA: hda/realtek: add mic quirk for Acer SF314-42 (git-fixes).
- ALSA: hda/via: Apply runtime PM workaround for ASUS B23E (git-fixes).
- ALSA: hda: Add quirk for ASUS Flow x13 (git-fixes).
- ALSA: pcm: fix divide error in snd_pcm_lib_ioctl (git-fixes).
- ALSA: seq: Fix racy deletion of subscriber (git-fixes).
- ALSA: usb-audio: Add registration quirk for JBL Quantum 600 (git-fixes).
- ALSA: usb-audio: Fix regression on Sony WALKMAN NW-A45 DAC (git-fixes).
- ALSA: usb-audio: Fix superfluous autosuspend recovery (git-fixes).
- ALSA: usb-audio: fix incorrect clock source setting (git-fixes).
- ASoC: Intel: Skylake: Leave data as is when invoking TLV IPCs (git-fixes).
- ASoC: cs42l42: Correct definition of ADC Volume control (git-fixes).
- ASoC: cs42l42: Do not allow SND_SOC_DAIFMT_LEFT_J (git-fixes).
- ASoC: cs42l42: Fix LRCLK frame start edge (git-fixes).
- ASoC: cs42l42: Fix inversion of ADC Notch Switch control (git-fixes).
- ASoC: cs42l42: Remove duplicate control for WNF filter frequency (git-fixes).
- ASoC: intel: atom: Fix breakage for PCM buffer address setup (git-fixes).
- ASoC: intel: atom: Fix reference to PCM buffer address (git-fixes).
- ASoC: ti: delete some dead code in omap_abe_probe() (git-fixes).
- ASoC: tlv320aic31xx: Fix jack detection after suspend (git-fixes).
- ASoC: tlv320aic31xx: fix reversed bclk/wclk master bits (git-fixes).
- ASoC: wcd9335: Disable irq on slave ports in the remove function (git-fixes).
- ASoC: wcd9335: Fix a double irq free in the remove function (git-fixes).
- ASoC: wcd9335: Fix a memory leak in the error handling path of the probe function (git-fixes).
- ASoC: xilinx: Fix reference to PCM buffer address (git-fixes).
- Bluetooth: add timeout sanity check to hci_inquiry (git-fixes).
- Bluetooth: defer cleanup of resources in hci_unregister_dev() (git-fixes).
- Bluetooth: fix repeated calls to sco_sock_kill (git-fixes).
- Bluetooth: hidp: use correct wait queue when removing ctrl_wait (git-fixes).
- Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow (git-fixes).
- Bluetooth: sco: prevent information leak in sco_conn_defer_accept() (git-fixes).
- Documentation: admin-guide: PM: Add intel_idle document (bsc#1175543)
- Drop watchdog iTCO_wdt patch that causes incompatible behavior (bsc#1189449) Also blacklisted
- Fix breakage of swap over NFS (bsc#1188924).
- Fix kabi of prepare_to_wait_exclusive() (bsc#1189575).
- HID: i2c-hid: Fix Elan touchpad regression (git-fixes).
- HID: input: do not report stylus battery state as 'full' (git-fixes).
- KVM: VMX: Drop guest CPUID check for VMXE in vmx_set_cr4() (bsc#1188786).
- KVM: VMX: Enable machine check support for 32bit targets (bsc#1188787).
- KVM: VMX: Explicitly clear RFLAGS.CF and RFLAGS.ZF in VM-Exit RSB path (bsc#1188788).
- KVM: nVMX: Really make emulated nested preemption timer pinned (bsc#1188780).
- KVM: nVMX: Reset the segment cache when stuffing guest segs (bsc#1188781).
- KVM: nVMX: Skip IBPB when switching between vmcs01 and vmcs02 (bsc#1188782).
- KVM: nVMX: Sync unsync'd vmcs02 state to vmcs12 on migration (bsc#1188783).
- KVM: nVMX: Truncate bits 63:32 of VMCS field on nested check in !64-bit (bsc#1188784).
- KVM: x86: bit 8 of non-leaf PDPEs is not reserved (bsc#1188790).
- Move upstreamed BT fixes into sorted section
- NFS: Correct size calculation for create reply length (bsc#1189870).
- NFSv4.1: Do not rebind to the same source port when (bnc#1186264 bnc#1189021)
- NFSv4/pNFS: Do not call _nfs4_pnfs_v3_ds_connect multiple times (git-fixes).
- NFSv4: Initialise connection to the server in nfs4_alloc_client() (bsc#1040364).
- PCI/MSI: Correct misleading comments (git-fixes).
- PCI/MSI: Do not set invalid bits in MSI mask (git-fixes).
- PCI/MSI: Enable and mask MSI-X early (git-fixes).
- PCI/MSI: Enforce MSI[X] entry updates to be visible (git-fixes).
- PCI/MSI: Enforce that MSI-X table entry is masked for update (git-fixes).
- PCI/MSI: Mask all unused MSI-X entries (git-fixes).
- PCI/MSI: Skip masking MSI-X on Xen PV (git-fixes).
- PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() (git-fixes).
- PCI: Increase D3 delay for AMD Renoir/Cezanne XHCI (git-fixes).
- PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently (git-fixes).
- PCI: PM: Enable PME if it can be signaled from D3cold (git-fixes).
- README: Modernize build instructions.
- Revert 'ACPICA: Fix memory leak caused by _CID repair function' (git-fixes).
- Revert 'USB: serial: ch341: fix character loss at high transfer rates' (git-fixes).
- Revert 'dmaengine: imx-sdma: refine to load context only once' (git-fixes).
- Revert 'gpio: eic-sprd: Use devm_platform_ioremap_resource()' (git-fixes).
- Revert 'mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711' (git-fixes).
- SUNRPC: 'Directory with parent 'rpc_clnt' already present!' (bsc#1168202 bsc#1188924).
- SUNRPC: Fix the batch tasks count wraparound (git-fixes).
- SUNRPC: Should wake up the privileged task firstly (git-fixes).
- SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202 bsc#1188924).
- SUNRPC: fix use-after-free in rpc_free_client_work() (bsc#1168202 bsc#1188924).
- SUNRPC: prevent port reuse on transports which do not request it (bnc#1186264 bnc#1189021).
- USB: core: Avoid WARNings for 0-length descriptor requests (git-fixes).
- USB: serial: ch341: fix character loss at high transfer rates (git-fixes).
- USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 (git-fixes).
- USB: serial: option: add Telit FD980 composition 0x1056 (git-fixes).
- USB: serial: option: add new VID/PID to support Fibocom FG150 (git-fixes).
- USB: usbtmc: Fix RCU stall warning (git-fixes).
- USB:ehci:fix Kunpeng920 ehci hardware problem (git-fixes).
- Update patches.suse/ibmvnic-Allow-device-probe-if-the-device-is-not-read.patch (bsc#1167032 ltc#184087 bsc#1184114 ltc#192237).
- VMCI: fix NULL pointer dereference when unmapping queue pair (git-fixes).
- ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() (git-fixes).
- ath9k: Clear key cache explicitly on disabling hardware (git-fixes).
- ath: Use safer key clearing with key cache entries (git-fixes).
- bcma: Fix memory leak for internally-handled cores (git-fixes).
- bdi: Do not use freezable workqueue (bsc#1189573).
- blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit() (bsc#1189507).
- blk-mq-sched: Fix blk_mq_sched_alloc_tags() error handling (bsc#1189506).
- blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled() (bsc#1189503).
- blk-wbt: make sure throttle is enabled properly (bsc#1189504).
- block: fix trace completion for chained bio (bsc#1189505).
- brcmfmac: pcie: fix oops on failure to resume and reprobe (git-fixes).
- btrfs: Rename __btrfs_alloc_chunk to btrfs_alloc_chunk (bsc#1189077).
- btrfs: account for new extents being deleted in total_bytes_pinned (bsc#1135481).
- btrfs: add a comment explaining the data flush steps (bsc#1135481).
- btrfs: add btrfs_reserve_data_bytes and use it (bsc#1135481).
- btrfs: add flushing states for handling data reservations (bsc#1135481).
- btrfs: add the data transaction commit logic into may_commit_transaction (bsc#1135481).
- btrfs: call btrfs_try_granting_tickets when freeing reserved bytes (bsc#1135481).
- btrfs: call btrfs_try_granting_tickets when reserving space (bsc#1135481).
- btrfs: call btrfs_try_granting_tickets when unpinning anything (bsc#1135481).
- btrfs: change nr to u64 in btrfs_start_delalloc_roots (bsc#1135481).
- btrfs: check tickets after waiting on ordered extents (bsc#1135481).
- btrfs: do async reclaim for data reservations (bsc#1135481).
- btrfs: don't force commit if we are data (bsc#1135481).
- btrfs: drop the commit_cycles stuff for data reservations (bsc#1135481).
- btrfs: factor out create_chunk() (bsc#1189077).
- btrfs: factor out decide_stripe_size() (bsc#1189077).
- btrfs: factor out gather_device_info() (bsc#1189077).
- btrfs: factor out init_alloc_chunk_ctl (bsc#1189077).
- btrfs: fix deadlock with concurrent chunk allocations involving system chunks (bsc#1189077).
- btrfs: fix possible infinite loop in data async reclaim (bsc#1135481).
- btrfs: flush delayed refs when trying to reserve data space (bsc#1135481).
- btrfs: handle U64_MAX for shrink_delalloc (bsc#1135481).
- btrfs: handle invalid profile in chunk allocation (bsc#1189077).
- btrfs: handle space_info::total_bytes_pinned inside the delayed ref itself (bsc#1135481).
- btrfs: introduce alloc_chunk_ctl (bsc#1189077).
- btrfs: introduce chunk allocation policy (bsc#1189077).
- btrfs: make ALLOC_CHUNK use the space info flags (bsc#1135481).
- btrfs: make shrink_delalloc take space_info as an arg (bsc#1135481).
- btrfs: move the chunk_mutex in btrfs_read_chunk_tree (bsc#1189077).
- btrfs: parameterize dev_extent_min for chunk allocation (bsc#1189077).
- btrfs: refactor find_free_dev_extent_start() (bsc#1189077).
- btrfs: remove orig from shrink_delalloc (bsc#1135481).
- btrfs: rework chunk allocation to avoid exhaustion of the system chunk array (bsc#1189077).
- btrfs: run delayed iputs before committing the transaction for data (bsc#1135481).
- btrfs: serialize data reservations if we are flushing (bsc#1135481).
- btrfs: shrink delalloc pages instead of full inodes (bsc#1135481).
- btrfs: track ordered bytes instead of just dio ordered bytes (bsc#1135481).
- btrfs: use btrfs_start_delalloc_roots in shrink_delalloc (bsc#1135481).
- btrfs: use the btrfs_space_info_free_bytes_may_use helper for delalloc (bsc#1135481).
- btrfs: use the same helper for data and metadata reservations (bsc#1135481).
- btrfs: use ticketing for data space reservations (bsc#1135481).
- can: ti_hecc: Fix memleak in ti_hecc_probe (git-fixes).
- can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters (git-fixes).
- ceph: clean up and optimize ceph_check_delayed_caps() (bsc#1187468).
- ceph: reduce contention in ceph_check_delayed_caps() (bsc#1187468).
- ceph: take snap_empty_lock atomically with snaprealm refcount change (bsc#1189427).
- cfg80211: Fix possible memory leak in function cfg80211_bss_update (git-fixes).
- cgroup1: fix leaked context root causing sporadic NULL deref in LTP (bsc#1190181).
- cgroup: verify that source is a string (bsc#1190131).
- cifs: Remove unused inline function is_sysvol_or_netlogon() (bsc#1185902).
- cifs: avoid starvation when refreshing dfs cache (bsc#1185902).
- cifs: constify get_normalized_path() properly (bsc#1185902).
- cifs: do not cargo-cult strndup() (bsc#1185902).
- cifs: do not send tree disconnect to ipc shares (bsc#1185902).
- cifs: do not share tcp servers with dfs mounts (bsc#1185902).
- cifs: do not share tcp sessions of dfs connections (bsc#1185902).
- cifs: fix check of dfs interlinks (bsc#1185902).
- cifs: fix path comparison and hash calc (bsc#1185902).
- cifs: get rid of @noreq param in __dfs_cache_find() (bsc#1185902).
- cifs: handle different charsets in dfs cache (bsc#1185902).
- cifs: keep referral server sessions alive (bsc#1185902).
- cifs: missing null pointer check in cifs_mount (bsc#1185902).
- cifs: prevent NULL deref in cifs_compose_mount_options() (bsc#1185902).
- cifs: set a minimum of 2 minutes for refreshing dfs cache (bsc#1185902).
- clk: fix leak on devm_clk_bulk_get_all() unwind (git-fixes).
- clk: kirkwood: Fix a clocking boot regression (git-fixes).
- clk: stm32f4: fix post divisor setup for I2S/SAI PLLs (git-fixes).
- cpuidle: Allow idle states to be disabled by default (bsc#1175543)
- cpuidle: Consolidate disabled state checks (bsc#1175543)
- cpuidle: Drop disabled field from struct cpuidle_state (bsc#1175543)
- cpuidle: Fix cpuidle_driver_state_disabled() (bsc#1175543)
- cpuidle: Introduce cpuidle_driver_state_disabled() for driver quirks (bsc#1175543)
- cpuidle: cpuidle_state kABI fix (bsc#1175543)
- crypto: ccp - Annotate SEV Firmware file names (bsc#1189212).
- crypto: qat - use proper type for vf_mask (git-fixes).
- crypto: x86/curve25519 - fix cpu feature checking logic in mod_exit (git-fixes).
- dm integrity: fix missing goto in bitmap_flush_interval error handling (git-fixes).
- dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails (git-fixes).
- dm verity: fix DM_VERITY_OPTS_MAX value (git-fixes).
- dmaengine: imx-dma: configure the generic DMA type to make it work (git-fixes).
- dmaengine: imx-sdma: remove duplicated sdma_load_context (git-fixes).
- dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available (git-fixes).
- dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe() (git-fixes).
- dmaengine: xilinx_dma: Fix read-after-free bug when terminating transfers (git-fixes).
- drivers/block/null_blk/main: Fix a double free in null_init (git-fixes).
- drm/amdgpu/acp: Make PM domain really work (git-fixes).
- drm/msi/mdp4: populate priv->kms in mdp4_kms_init (git-fixes).
- drm/msm/dpu: make dpu_hw_ctl_clear_all_blendstages clear necessary LMs (git-fixes).
- drm/msm/dsi: Fix some reference counted resource leaks (git-fixes).
- drm/nouveau/disp: power down unused DP links during init (git-fixes).
- drm/panfrost: Fix missing clk_disable_unprepare() on error in panfrost_clk_init() (git-fixes).
- drm: Copy drm_wait_vblank to user before returning (git-fixes).
- ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle (bsc#1189568).
- ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit (bsc#1189564).
- ext4: fix avefreec in find_group_orlov (bsc#1189566).
- ext4: fix kernel infoleak via ext4_extent_header (bsc#1189562).
- ext4: fix potential htree corruption when growing large_dir directories (bsc#1189576).
- ext4: remove check for zero nr_to_scan in ext4_es_scan() (bsc#1189565).
- ext4: return error code when ext4_fill_flex_info() fails (bsc#1189563).
- ext4: use ext4_grp_locked_error in mb_find_extent (bsc#1189567).
- fanotify: fix copy_event_to_user() fid error clean up (bsc#1189574).
- firmware_loader: fix use-after-free in firmware_fallback_sysfs (git-fixes).
- firmware_loader: use -ETIMEDOUT instead of -EAGAIN in fw_load_sysfs_fallback (git-fixes).
- fpga: altera-freeze-bridge: Address warning about unused variable (git-fixes).
- fpga: xiilnx-spi: Address warning about unused variable (git-fixes).
- fpga: zynqmp-fpga: Address warning about unused variable (git-fixes).
- gpio: eic-sprd: break loop when getting NULL device resource (git-fixes).
- gpio: tqmx86: really make IRQ optional (git-fixes).
- i2c: dev: zero out array used for i2c reads from userspace (git-fixes).
- i2c: highlander: add IRQ check (git-fixes).
- i2c: iop3xx: fix deferred probing (git-fixes).
- i2c: mt65xx: fix IRQ check (git-fixes).
- i2c: s3c2410: fix IRQ check (git-fixes).
- iio: adc: Fix incorrect exit of for-loop (git-fixes).
- iio: adc: ti-ads7950: Ensure CS is deasserted after reading channels (git-fixes).
- iio: humidity: hdc100x: Add margin to the conversion time (git-fixes).
- intel_idle: Add module parameter to prevent ACPI _CST from being used (bsc#1175543)
- intel_idle: Allow ACPI _CST to be used for selected known processors (bsc#1175543)
- intel_idle: Annotate init time data structures (bsc#1175543)
- intel_idle: Customize IceLake server support (bsc#1175543)
- intel_idle: Disable ACPI _CST on Haswell (bsc#1175543, bsc#1177399, bsc#1180347, bsc#1180141)
- intel_idle: Fix max_cstate for processor models without C-state tables (bsc#1175543)
- intel_idle: Ignore _CST if control cannot be taken from the platform (bsc#1175543)
- intel_idle: Refactor intel_idle_cpuidle_driver_init() (bsc#1175543)
- intel_idle: Use ACPI _CST for processor models without C-state tables (bsc#1175543)
- intel_idle: Use ACPI _CST on server systems (bsc#1175543)
- iommu/amd: Fix extended features logging (bsc#1189213).
- iommu/arm-smmu-v3: Decrease the queue size of evtq and priq (bsc#1189210).
- iommu/arm-smmu-v3: add bit field SFM into GERROR_ERR_MASK (bsc#1189209).
- iommu/dma: Fix IOVA reserve dma ranges (bsc#1189214).
- iommu/dma: Fix compile warning in 32-bit builds (bsc#1189229).
- iommu/vt-d: Check for allocation failure in aux_detach_device() (bsc#1189215).
- iommu/vt-d: Define counter explicitly as unsigned int (bsc#1189216).
- iommu/vt-d: Do not set then clear private data in prq_event_thread() (bsc#1189217).
- iommu/vt-d: Fix sysfs leak in alloc_iommu() (bsc#1189218).
- iommu/vt-d: Force to flush iotlb before creating superpage (bsc#1189219).
- iommu/vt-d: Global devTLB flush when present context entry changed (bsc#1189220).
- iommu/vt-d: Invalidate PASID cache when root/context entry changed (bsc#1189221).
- iommu/vt-d: Reject unsupported page request modes (bsc#1189222).
- iwlwifi: rs-fw: do not support stbc for HE 160 (git-fixes).
- kABI fix of usb_dcd_config_params (git-fixes).
- kABI: Fix kABI after fixing vcpu-id indexed arrays (git-fixes).
- kabi fix for NFSv4.1: Do not rebind to the same source port when reconnecting to the server (bnc#1186264 bnc#1189021)
- kabi fix for SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202 bsc#1188924).
- kernel, fs: Introduce and use set_restart_fn() and arch_set_restart_data() (bsc#1189153).
- lib/mpi: use kcalloc in mpi_resize (git-fixes).
- libata: fix ata_pio_sector for CONFIG_HIGHMEM (git-fixes).
- mac80211: Fix insufficient headroom issue for AMSDU (git-fixes).
- mailbox: sti: quieten kernel-doc warnings (git-fixes).
- md/raid10: properly indicate failure when ending a failed write request (git-fixes).
- media: TDA1997x: enable EDID support (git-fixes).
- media: cxd2880-spi: Fix an error handling path (git-fixes).
- media: drivers/media/usb: fix memory leak in zr364xx_probe (git-fixes).
- media: dvb-usb: Fix error handling in dvb_usb_i2c_init (git-fixes).
- media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init (git-fixes).
- media: dvb-usb: fix uninit-value in vp702x_read_mac_addr (git-fixes).
- media: em28xx-input: fix refcount bug in em28xx_usb_disconnect (git-fixes).
- media: go7007: fix memory leak in go7007_usb_probe (git-fixes).
- media: go7007: remove redundant initialization (git-fixes).
- media: rtl28xxu: fix zero-length control request (git-fixes).
- media: stkwebcam: fix memory leak in stk_camera_probe (git-fixes).
- media: venus: venc: Fix potential null pointer dereference on pointer fmt (git-fixes).
- media: videobuf2-core: dequeue if start_streaming fails (git-fixes).
- media: zr364xx: fix memory leaks in probe() (git-fixes).
- media: zr364xx: propagate errors from zr364xx_start_readpipe() (git-fixes).
- memcg: enable accounting for file lock caches (bsc#1190115).
- misc: atmel-ssc: lock with mutex instead of spinlock (git-fixes).
- misc: rtsx: do not setting OC_POWER_DOWN reg in rtsx_pci_init_ocp() (git-fixes).
- mm, vmscan: guarantee drop_slab_node() termination (VM Functionality, bsc#1189301).
- mm/thp: unmap_mapping_page() to fix THP truncate_cleanup_page() (bsc#1189569).
- mm: swap: properly update readahead statistics in unuse_pte_range() (bsc#1187619).
- mmc: dw_mmc: Fix hang on data CRC error (git-fixes).
- mmc: dw_mmc: Fix issue with uninitialized dma_slave_config (git-fixes).
- mmc: moxart: Fix issue with uninitialized dma_slave_config (git-fixes).
- mmc: sdhci-iproc: Cap min clock frequency on BCM2711 (git-fixes).
- mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711 (git-fixes).
- mtd: cfi_cmdset_0002: fix crash when erasing/writing AMD cards (git-fixes).
- mtd: rawnand: cafe: Fix a resource leak in the error handling path of 'cafe_nand_probe()' (git-fixes).
- nbd: Aovid double completion of a request (git-fixes).
- nbd: Fix NULL pointer in flush_workqueue (git-fixes).
- nbd: do not update block size after device is started (git-fixes).
- net/mlx5: Properly convey driver version to firmware (git-fixes).
- net: dsa: mv88e6xxx: Avoid VTU corruption on 6097 (git-fixes).
- net: dsa: mv88e6xxx: also read STU state in mv88e6250_g1_vtu_getnext (git-fixes).
- net: stmmac: free tx skb buffer in stmmac_resume() (git-fixes).
- nfs: fix acl memory leak of posix_acl_create() (git-fixes).
- nvme-multipath: revalidate paths during rescan (bsc#1187211)
- nvme-pci: Use u32 for nvme_dev.q_depth and nvme_queue.q_depth (bsc#1181972).
- nvme-pci: fix NULL req in completion handler (bsc#1181972).
- nvme-pci: limit maximum queue depth to 4095 (bsc#1181972).
- nvme-pci: use unsigned for io queue depth (bsc#1181972).
- nvme-tcp: Do not reset transport on data digest errors (bsc#1188418).
- nvme-tcp: do not check blk_mq_tag_to_rq when receiving pdu data (bsc#1181972).
- nvme: avoid possible double fetch in handling CQE (bsc#1181972).
- nvme: code command_id with a genctr for use-after-free validation (bsc#1181972).
- nvme: only call synchronize_srcu when clearing current path (bsc#1188067).
- nvmet: use NVMET_MAX_NAMESPACES to set nn value (bsc#1189384).
- ocfs2: fix snprintf() checking (bsc#1189581).
- ocfs2: fix zero out valid data (bsc#1189579).
- ocfs2: initialize ip_next_orphan (bsc#1186731).
- ocfs2: issue zeroout to EOF blocks (bsc#1189582).
- ocfs2: ocfs2_downconvert_lock failure results in deadlock (bsc#1188439).
- overflow: Correct check_shl_overflow() comment (git-fixes).
- ovl: allow upperdir inside lowerdir (bsc#1189323).
- ovl: expand warning in ovl_d_real() (bsc#1189323).
- ovl: fix missing revert_creds() on error path (bsc#1189323).
- ovl: perform vfs_getxattr() with mounter creds (bsc#1189323).
- ovl: skip getxattr of security labels (bsc#1189323).
- params: lift param_set_uint_minmax to common code (bsc#1181972).
- pcmcia: i82092: fix a null pointer dereference bug (git-fixes).
- pinctrl: samsung: Fix pinctrl bank pin count (git-fixes).
- pinctrl: single: Fix error return code in pcs_parse_bits_in_pinctrl_entry() (git-fixes).
- pinctrl: stmfx: Fix hazardous u8[] to unsigned long cast (git-fixes).
- platform/x86: pcengines-apuv2: Add missing terminating entries to gpio-lookup tables (git-fixes). - power: supply: max17042: handle fails of reading status register (git-fixes). - powerpc/papr_scm: Make 'perf_stats' invisible if perf-stats unavailable (bsc#1175052 jsc#SLE-13823 bsc#1174969 jsc#SLE-12769 git-fixes). - powerpc/papr_scm: Reduce error severity if nvdimm stats inaccessible (bsc#1189197 ltc#193906). - powerpc/pseries: Fix regression while building external modules (bsc#1160010 ltc#183046 git-fixes). - powerpc/pseries: Fix update of LPAR security flavor after LPM (bsc#1188885 ltc#193722 git-fixes) - powerpc: Fix is_kvm_guest() / kvm_para_available() (bsc#1181148 ltc#190702 git-fixes). - regulator: rt5033: Fix n_voltages settings for BUCK and LDO (git-fixes). - regulator: vctrl: Avoid lockdep warning in enable/disable ops (git-fixes). - regulator: vctrl: Use locked regulator_get_voltage in probe path (git-fixes). - rpm/kernel-obs-build.spec.in: make builds reproducible (bsc#1189305) - rpm: Abolish image suffix (bsc#1189841). - rpm: Define $certs as rpm macro (bsc#1189841). - rpm: Fold kernel-devel and kernel-source scriptlets into spec files (bsc#1189841). - rpm: kernel-binary.spec: Define $image as rpm macro (bsc#1189841). - rpm: support gz and zst compression methods Extend commit 18fcdff43a00 ('rpm: support compressed modules') for compression methods other than xz. - rq-qos: fix missed wake-ups in rq_qos_throttle try two (bsc#1189575). - rsi: fix an error code in rsi_probe() (git-fixes). - rsi: fix error code in rsi_load_9116_firmware() (git-fixes). - s390/ap: Fix hanging ioctl caused by wrong msg counter (bsc#1188982 LTC#193817). - s390/boot: fix use of expolines in the DMA code (bsc#1188878 ltc#193771). - sched/fair: Correctly insert cfs_rq's to list on unthrottle (git-fixes) - sched/rt: Fix RT utilization tracking during policy change (git-fixes) - scsi: blkcg: Add app identifier support for blkcg (bsc#1189385 jsc#SLE-18970). 
- scsi: blkcg: Fix application ID config options (bsc#1189385 jsc#SLE-18970). - scsi: cgroup: Add cgroup_get_from_id() (bsc#1189385 jsc#SLE-18970). - scsi: core: Add scsi_prot_ref_tag() helper (bsc#1189392). - scsi: ibmvfc: Do not wait for initial device scan (bsc#1127650). - scsi: libfc: Fix array index out of bound exception (bsc#1188616). - scsi: lpfc: Add 256 Gb link speed support (bsc#1189385). - scsi: lpfc: Add PCI ID support for LPe37000/LPe38000 series adapters (bsc#1189385). - scsi: lpfc: Call discovery state machine when handling PLOGI/ADISC completions (bsc#1189385). - scsi: lpfc: Clear outstanding active mailbox during PCI function reset (bsc#1189385). - scsi: lpfc: Copyright updates for 12.8.0.11 patches (bsc#1189385). - scsi: lpfc: Copyright updates for 14.0.0.0 patches (bsc#1189385). - scsi: lpfc: Delay unregistering from transport until GIDFT or ADISC completes (bsc#1189385). - scsi: lpfc: Discovery state machine fixes for LOGO handling (bsc#1189385). - scsi: lpfc: Enable adisc discovery after RSCN by default (bsc#1189385). - scsi: lpfc: Fix KASAN slab-out-of-bounds in lpfc_unreg_rpi() routine (bsc#1189385). - scsi: lpfc: Fix NULL ptr dereference with NPIV ports for RDF handling (bsc#1189385). - scsi: lpfc: Fix NVMe support reporting in log message (bsc#1189385). - scsi: lpfc: Fix build error in lpfc_scsi.c (bsc#1189385). - scsi: lpfc: Fix cq_id truncation in rq create (bsc#1189385). - scsi: lpfc: Fix function description comments for vmid routines (bsc#1189385). - scsi: lpfc: Fix memory leaks in error paths while issuing ELS RDF/SCR request (bsc#1189385). - scsi: lpfc: Fix possible ABBA deadlock in nvmet_xri_aborted() (bsc#1189385). - scsi: lpfc: Fix target reset handler from falsely returning FAILURE (bsc#1189385). - scsi: lpfc: Improve firmware download logging (bsc#1189385). - scsi: lpfc: Keep NDLP reference until after freeing the IOCB after ELS handling (bsc#1189385). 
- scsi: lpfc: Move initialization of phba->poll_list earlier to avoid crash (git-fixes). - scsi: lpfc: Remove REG_LOGIN check requirement to issue an ELS RDF (bsc#1189385). - scsi: lpfc: Remove redundant assignment to pointer pcmd (bsc#1189385). - scsi: lpfc: Remove redundant assignment to pointer temp_hdr (bsc#1189385). - scsi: lpfc: Remove use of kmalloc() in trace event logging (bsc#1189385). - scsi: lpfc: Revise Topology and RAS support checks for new adapters (bsc#1189385). - scsi: lpfc: Skip issuing ADISC when node is in NPR state (bsc#1189385). - scsi: lpfc: Skip reg_vpi when link is down for SLI3 in ADISC cmpl path (bsc#1189385). - scsi: lpfc: Update lpfc version to 12.8.0.11 (bsc#1189385). - scsi: lpfc: Update lpfc version to 14.0.0.0 (bsc#1189385). - scsi: lpfc: Use PBDE feature enabled bit to determine PBDE support (bsc#1189385). - scsi: lpfc: Use list_move_tail() instead of list_del()/list_add_tail() (bsc#1189385). - scsi: lpfc: vmid: Add QFPA and VMID timeout check in worker thread (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Add datastructure for supporting VMID in lpfc (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Add support for VMID in mailbox command (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Append the VMID to the wqe before sending (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Functions to manage VMIDs (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Implement CT commands for appid (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Implement ELS commands for appid (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Introduce VMID in I/O path (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Timeout implementation for VMID (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: VMID parameter initialization (bsc#1189385 jsc#SLE-18970). - scsi: qla2xxx: Add heartbeat check (bsc#1189392). - scsi: qla2xxx: Fix error return code in qla82xx_write_flash_dword() (bsc#1189392). - scsi: qla2xxx: Fix spelling mistakes 'allloc' -> 'alloc' (bsc#1189392). 
- scsi: qla2xxx: Fix use after free in debug code (bsc#1189392). - scsi: qla2xxx: Log PCI address in qla_nvme_unregister_remote_port() (bsc#1189392). - scsi: qla2xxx: Remove duplicate declarations (bsc#1189392). - scsi: qla2xxx: Remove redundant assignment to rval (bsc#1189392). - scsi: qla2xxx: Remove redundant continue statement in a for-loop (bsc#1189392). - scsi: qla2xxx: Remove redundant initialization of variable num_cnt (bsc#1189392). - scsi: qla2xxx: Remove unused variable 'status' (bsc#1189392). - scsi: qla2xxx: Update version to 10.02.00.107-k (bsc#1189392). - scsi: qla2xxx: Use list_move_tail() instead of list_del()/list_add_tail() (bsc#1189392). - scsi: qla2xxx: Use the proper SCSI midlayer interfaces for PI (bsc#1189392). - scsi: qla2xxx: edif: Add authentication pass + fail bsgs (bsc#1189392). - scsi: qla2xxx: edif: Add detection of secure device (bsc#1189392). - scsi: qla2xxx: edif: Add doorbell notification for app (bsc#1189392). - scsi: qla2xxx: edif: Add encryption to I/O path (bsc#1189392). - scsi: qla2xxx: edif: Add extraction of auth_els from the wire (bsc#1189392). - scsi: qla2xxx: edif: Add getfcinfo and statistic bsgs (bsc#1189392). - scsi: qla2xxx: edif: Add key update (bsc#1189392). - scsi: qla2xxx: edif: Add send, receive, and accept for auth_els (bsc#1189392). - scsi: qla2xxx: edif: Add start + stop bsgs (bsc#1189392). - scsi: qla2xxx: edif: Increment command and completion counts (bsc#1189392). - scsi: scsi_transport_srp: Do not block target in SRP_PORT_LOST state (bsc#1184180). - scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal (bsc#1189392). - scsi: zfcp: Report port fc_security as unknown early during remote cable pull (git-fixes). - serial: 8250: Mask out floating 16/32-bit bus bits (git-fixes). - serial: 8250_mtk: fix uart corruption issue when rx power off (git-fixes). - serial: tegra: Only print FIFO error message when an error occurs (git-fixes). - slimbus: messaging: check for valid transaction id (git-fixes). 
- slimbus: messaging: start transaction ids from 1 instead of zero (git-fixes). - slimbus: ngd: reset dma setup during runtime pm (git-fixes). - soc: aspeed: lpc-ctrl: Fix boundary check for mmap (git-fixes). - soc: aspeed: p2a-ctrl: Fix boundary check for mmap (git-fixes). - soc: ixp4xx/qmgr: fix invalid __iomem access (git-fixes). - soc: ixp4xx: fix printing resources (git-fixes). - soc: qcom: rpmhpd: Use corner in power_off (git-fixes). - soc: qcom: smsm: Fix missed interrupts if state changes while masked (git-fixes). - spi: imx: mx51-ecspi: Fix CONFIGREG delay comment (git-fixes). - spi: imx: mx51-ecspi: Fix low-speed CONFIGREG delay calculation (git-fixes). - spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay (git-fixes). - spi: mediatek: Fix fifo transfer (git-fixes). - spi: meson-spicc: fix memory leak in meson_spicc_remove (git-fixes). - spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config (git-fixes). - spi: spi-pic32: Fix issue with uninitialized dma_slave_config (git-fixes). - spi: sprd: Fix the wrong WDG_LOAD_VAL (git-fixes). - spi: stm32h7: fix full duplex irq handler handling (git-fixes). - staging: rtl8192u: Fix bitwise vs logical operator in TranslateRxSignalStuff819xUsb() (git-fixes). - staging: rtl8712: get rid of flush_scheduled_work (git-fixes). - staging: rtl8723bs: Fix a resource leak in sd_int_dpc (git-fixes). - tracing / histogram: Fix NULL pointer dereference on strcmp() on NULL event name (git-fixes). - tracing / histogram: Give calculation hist_fields a size (git-fixes). - tracing: Reject string operand in the histogram expression (git-fixes). - tty: serial: fsl_lpuart: fix the wrong mapbase value (git-fixes). - ubifs: Fix error return code in alloc_wbufs() (bsc#1189585). - ubifs: Fix memleak in ubifs_init_authentication (bsc#1189583). - ubifs: Only check replay with inode type to judge if inode linked (bsc#1187455). - ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode (bsc#1189587). 
- ubifs: journal: Fix error return code in ubifs_jnl_write_inode() (bsc#1189586). - usb: bdc: Fix an error handling path in 'bdc_probe()' when no suitable DMA config is available (git-fixes). - usb: dwc2: Postponed gadget registration to the udc class driver (git-fixes). - usb: dwc3: Add support for DWC_usb32 IP (git-fixes). - usb: dwc3: Disable phy suspend after power-on reset (git-fixes). - usb: dwc3: Separate field holding multiple properties (git-fixes). - usb: dwc3: Stop active transfers before halting the controller (git-fixes). - usb: dwc3: Use clk_bulk_prepare_enable() (git-fixes). - usb: dwc3: Use devres to get clocks (git-fixes). - usb: dwc3: core: Properly default unspecified speed (git-fixes). - usb: dwc3: core: do not do suspend for device mode if already suspended (git-fixes). - usb: dwc3: debug: Remove newline printout (git-fixes). - usb: dwc3: gadget: Check MPS of the request length (git-fixes). - usb: dwc3: gadget: Clear DCTL.ULSTCHNGREQ before set (git-fixes). - usb: dwc3: gadget: Clear DEP flags after stop transfers in ep disable (git-fixes). - usb: dwc3: gadget: Disable gadget IRQ during pullup disable (git-fixes). - usb: dwc3: gadget: Do not send unintended link state change (git-fixes). - usb: dwc3: gadget: Do not setup more than requested (git-fixes). - usb: dwc3: gadget: Fix dwc3_calc_trbs_left() (git-fixes). - usb: dwc3: gadget: Fix handling ZLP (git-fixes). - usb: dwc3: gadget: Give back staled requests (git-fixes). - usb: dwc3: gadget: Handle ZLP for sg requests (git-fixes). - usb: dwc3: gadget: Prevent EP queuing while stopping transfers (git-fixes). - usb: dwc3: gadget: Properly track pending and queued SG (git-fixes). - usb: dwc3: gadget: Restart DWC3 gadget when enabling pullup (git-fixes). - usb: dwc3: gadget: Set BESL config parameter (git-fixes). - usb: dwc3: gadget: Set link state to RX_Detect on disconnect (git-fixes). - usb: dwc3: gadget: Stop EP0 transfers during pullup disable (git-fixes). 
- usb: dwc3: gadget: Workaround Mirosoft's BESL check (git-fixes). - usb: dwc3: meson-g12a: add IRQ check (git-fixes). - usb: dwc3: meson-g12a: check return of dwc3_meson_g12a_usb_init (git-fixes). - usb: dwc3: of-simple: add a shutdown (git-fixes). - usb: dwc3: st: Add of_dev_put() in probe function (git-fixes). - usb: dwc3: st: Add of_node_put() before return in probe function (git-fixes). - usb: dwc3: support continuous runtime PM with dual role (git-fixes). - usb: ehci-orion: Handle errors of clk_prepare_enable() in probe (git-fixes). - usb: gadget: Export recommended BESL values (git-fixes). - usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers (git-fixes). - usb: gadget: f_hid: fixed NULL pointer dereference (git-fixes). - usb: gadget: f_hid: idle uses the highest byte for duration (git-fixes). - usb: gadget: mv_u3d: request_irq() after initializing UDC (git-fixes). - usb: gadget: udc: at91: add IRQ check (git-fixes). - usb: gadget: udc: renesas_usb3: Fix soc_device_match() abuse (git-fixes). - usb: host: ohci-tmio: add IRQ check (git-fixes). - usb: host: xhci-rcar: Do not reload firmware after the completion (git-fixes). - usb: mtu3: fix the wrong HS mult value (git-fixes). - usb: mtu3: use @mult for HS isoc or intr (git-fixes). - usb: phy: fsl-usb: add IRQ check (git-fixes). - usb: phy: tahvo: add IRQ check (git-fixes). - usb: phy: twl6030: add IRQ checks (git-fixes). - virt_wifi: fix error on connect (git-fixes). - virtio_pci: Support surprise removal of virtio pci device (git-fixes). - wireguard: allowedips: allocate nodes in kmem_cache (git-fixes). - wireguard: allowedips: free empty intermediate nodes when removing single node (git-fixes). - wireguard: allowedips: remove nodes in O(1) (git-fixes). - writeback: fix obtain a reference to a freeing memcg css (bsc#1189577). - x86/fpu: Limit xstate copy size in xstateregs_set() (bsc#1152489). - x86/fpu: Make init_fpstate correct with optimized XSAVE (bsc#1152489). 
- x86/fpu: Reset state for all signal restore failures (bsc#1152489).
- x86/kvm: fix vcpu-id indexed array sizes (git-fixes).
- x86/signal: Detect and prevent an alternate signal stack overflow (bsc#1152489).
- xen/events: Fix race in set_evtchn_to_irq (git-fixes).
- xprtrdma: Pad optimization, revisited (bsc#1189760).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3224-1
Released:    Fri Sep 24 11:34:33 2021
Summary:     Recommended update for shim-susesigned
Type:        recommended
Severity:    moderate
References:  1177315,1177789,1182057,1184454,1185232,1185261,1185441,1185464,1185621,1185961,1187260,1187696

This update for shim-susesigned fixes the following issues:

Sync with Microsoft signed shim to Thu Jul 15 08:13:26 UTC 2021.
This update addresses the 'susesigned' shim component.

shim was updated to 15.4 (bsc#1182057)
- console: Move the countdown function to console.c
- fallback: show a countdown menu before reset
- MOK: Fix the missing vendor cert in MokListRT
- mok: fix the mirroring of RT variables
- Add the license change statement for errlog.c and mok.c
- Remove a couple of incorrect license claims.
- MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid
- Make EFI variable copying fatal only on secureboot enabled systems
- Remove call to TPM2 get_event_log
- tpm: Fix off-by-one error when calculating event size
- tpm: Define EFI_VARIABLE_DATA_TREE as packed
- tpm: Don't log duplicate identical events
- VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
- OpenSSL: always provide OBJ_create() with name strings.
- translate_slashes(): don't write to string literals
- Fix a use of strlen() instead of Strlen()
- shim: Update EFI_LOADED_IMAGE with the second stage loader file path
- tpm: Include information about PE/COFF images in the TPM Event Log
- Fix a broken tpm type
- All newly released openSUSE kernels enable kernel lockdown and signature verification, so there is no need to add the prompt anymore.
- Fix the NULL pointer dereference in AuthenticodeVerify()
- Remove the build ID to make the binary reproducible when building with AArch64 container
- Prevent the build id being added to the binary. That can cause issues with the signature
- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel
- Handle ignore_db and user_insecure_mode correctly (bsc#1185441)
- Relax the maximum variable size check for u-boot
- Relax the check for import_mok_state() when Secure Boot is off
- Relax the check for the LoadOptions length
- Fix the size of rela* sections for AArch64
- Disable exporting vendor-dbx to MokListXRT
- Don't call QueryVariableInfo() on EFI 1.10 machines
- Avoid buffer overflow when copying the MOK config table
- Avoid deleting the mirrored RT variables
- Update to 15.3 for SBAT support (bsc#1182057)
- Generate vendor-specific SBAT metadata
- Rename the SBAT variable and fix the self-check of SBAT
- Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261)
- shim-install: reset def_shim_efi to 'shim.efi' if the given file doesn't exist
- shim-install: instead of assuming 'removable' for Azure, remove fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot to make \EFI\Boot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961)
- shim-install: always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464)
- shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (bsc#1177315)
- Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign keys:
  + SLES-UEFI-SIGN-Certificate-2020-07.crt
  + openSUSE-UEFI-SIGN-Certificate-2020-07.crt
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3233-1
Released:    Mon Sep 27 15:02:21 2021
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    moderate
References:  1085917,1181299,1181306,1181309,1181535,1181536,1188651,1189552

This update for xfsprogs fixes the following issues:

- Fixes an issue when 'fstests' with 'xfs' fail. (bsc#1181309, bsc#1181299)
- xfsprogs: Split 'libhandle1' into a separate package, since nothing within xfsprogs dynamically links against it. The shared library is still required by xfsdump as a runtime dependency.
- mkfs.xfs: Fix 'ASSERT' on too-small device with stripe geometry. (bsc#1181536)
- mkfs.xfs: If either 'sunit' or 'swidth' is not zero, the other must be as well. (bsc#1085917, bsc#1181535)
- xfs_growfs: Refactor geometry reporting. (bsc#1181306)
- xfs_growfs: Allow mounted device node as argument. (bsc#1181299)
- xfs_repair: Rebuild directory when non-root leafn blocks claim block 0. (bsc#1181309)
- xfs_repair: Check plausibility of root dir pointer before trashing it. (bsc#1188651)
- xfs_bmap: Remove '-c' from manpage. (bsc#1189552)
- xfs_bmap: Do not reject '-e'. (bsc#1189552)
- Implement 'libhandle1' through ECO. (jsc#SLE-20360)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3245-1
Released:    Tue Sep 28 13:54:31 2021
Summary:     Recommended update for docker
Type:        recommended
Severity:    important
References:  1190670

This update for docker fixes the following issues:

- Return ENOSYS for clone3 in the seccomp profile to avoid breaking containers using glibc 2.34.
- Add shell requires for the *-completion subpackages.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3274-1
Released:    Fri Oct 1 10:34:17 2021
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    important
References:  1190858

This update for ca-certificates-mozilla fixes the following issues:

- remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in openssl 1.0.2 and older. (bsc#1190858)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3298-1
Released:    Wed Oct 6 16:54:52 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1190373,1190374,CVE-2021-22946,CVE-2021-22947

This update for curl fixes the following issues:

- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3303-1
Released:    Wed Oct 6 18:11:24 2021
Summary:     Recommended update for kdump
Type:        recommended
Severity:    moderate
References:  1172670,1182309,1183070,1184616,1186037,1188090

This update for kdump fixes the following issues:

- Do not iterate past end of string (bsc#1186037).
- Query systemd network.service to find out if wicked is used (bsc#1182309).
- Add 'bootdev=' to dracut command line (bsc#1182309).
- Fix incorrect exit code checking after 'local' with assignment (bsc#1184616).
- Do not add network-related dracut options if ip= is set explicitly (bsc#1182309, bsc#1188090).
- Make sure that initrd.target.wants directory exists (bsc#1172670).
- Install /etc/resolv.conf using its resolved path (bsc#1183070).
- Avoid an endless loop when resolving a hostname fails with EAI_AGAIN (bsc#1183070).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3318-1 Released: Wed Oct 6 19:31:19 2021 Summary: Recommended update for sudo Type: recommended Severity: moderate References: 1176473,1181371 This update for sudo fixes the following issues: - Update to sudo 1.8.27 (jsc#SLE-17083). - Fixed special handling of ipa_hostname (bsc#1181371). - Restore sudo ldap behavior to ignore expire dates when SUDOERS_TIMED option is not set in /etc/ldap.conf (bsc#1176473). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3348-1 Released: Tue Oct 12 13:08:06 2021 Summary: Security update for systemd Type: security Severity: moderate References: 1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910 This update for systemd fixes the following issues: - CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063). - logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018). - Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353). - Rules weren't applied to dm devices (multipath) (bsc#1188713). - Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234). - Make sure the versions of both udev and systemd packages are always the same (bsc#1189480). - Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291). - Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3382-1 Released: Tue Oct 12 14:30:17 2021 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: This update for ca-certificates-mozilla fixes the following issues: - A new sub-package for minimal base containers (jsc#SLE-22162) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3385-1 Released: Tue Oct 12 15:54:31 2021 Summary: Security update for glibc Type: security Severity: moderate References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942 This update for glibc fixes the following issues: - CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911) - CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3411-1 Released: Wed Oct 13 10:42:25 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1191019 This update for lvm2 fixes the following issues: - Do not crash vgextend when extending VG with missing PV. 
(bsc#1191019) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3412-1 Released: Wed Oct 13 10:50:33 2021 Summary: Recommended update for suse-module-tools Type: recommended Severity: important References: 1189841,1190598 This update for suse-module-tools fixes the following issues: - Fixed an issue where the queuing of secure boot certificates did not happen (bsc#1189841, bsc#1190598) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3444-1 Released: Fri Oct 15 09:03:07 2021 Summary: Security update for rpm Type: security Severity: important References: 1179416,1183543,1183545,1183632,1183659,1185299,1187670,1188548,CVE-2021-20266,CVE-2021-20271,CVE-2021-3421 This update for rpm fixes the following issues: Security issues fixed: - CVE-2021-3421, CVE-2021-20271, CVE-2021-20266: Multiple header check improvements (bsc#1183543, bsc#1183545, bsc#1183632) - PGP hardening changes (bsc#1185299) - Fixed potential access of freed mem in ndb's glue code (bsc#1179416) Maintaince issues fixed: - Fixed zstd detection (bsc#1187670) - Added ndb rofs support (bsc#1188548) - Fixed deadlock when multiple rpm processes try tp acquire the database lock (bsc#1183659) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3447-1 Released: Fri Oct 15 09:05:12 2021 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292,CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490 The SUSE Linux Enterprise 15 SP2 
kernel was updated. The following security bugs were fixed: - CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193) - CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023) - CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could leat to local priviledge escalation. (bnc#1190159) - CVE-2021-3744: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1189884) - CVE-2021-3764: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1190534) - CVE-2021-3669: Fixed a bug that doesn't allow /proc/sysvipc/shm to scale with large shared memory segment counts which could lead to resource exhaustion and DoS. (bsc#1188986) The following non-security bugs were fixed: - ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes). - apparmor: remove duplicate macro list_entry_is_head() (git-fixes). - ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes). - ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes). - ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes). - ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes). - ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes). - ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes). - ath9k: fix sleeping in atomic context (git-fixes). - blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762). - blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762). - blk-mq: mark if one queue map uses managed irq (bsc#1185762). - Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes). - bnx2x: fix an error code in bnx2x_nic_load() (git-fixes). - bnxt_en: Add missing DMA memory barriers (git-fixes). 
- bnxt_en: Disable aRFS if running on 212 firmware (git-fixes). - bnxt_en: Do not enable legacy TX push on older firmware (git-fixes). - bnxt_en: Store the running firmware version code (git-fixes). - bnxt: count Tx drops (git-fixes). - bnxt: disable napi before canceling DIM (git-fixes). - bnxt: do not lock the tx queue from napi poll (git-fixes). - bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes). - btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626). - clk: at91: clk-generated: Limit the requested rate to our range (git-fixes). - clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes). - console: consume APC, DM, DCS (git-fixes). - cuse: fix broken release (bsc#1190596). - cxgb4: dont touch blocked freelist bitmap after free (git-fixes). - debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746). - devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353). - dmaengine: ioat: depends on !UML (git-fixes). - dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes). - dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes). - docs: Fix infiniband uverbs minor number (git-fixes). - drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes). - drm: avoid blocking in drm_clients_info's rcu section (git-fixes). - drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes). - drm/amd/display: Fix timer_per_pixel unit error (git-fixes). - drm/amdgpu: Fix BUG_ON assert (git-fixes). - drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes). - drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes). - drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes). - e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100). - e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes). 
- EDAC/i10nm: Fix NVDIMM detection (bsc#1152489).
- EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489).
- erofs: fix up erofs_lookup tracepoint (git-fixes).
- fbmem: do not allow too huge resolutions (git-fixes).
- fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes).
- fpga: machxo2-spi: Return an error on failure (git-fixes).
- fuse: flush extending writes (bsc#1190595).
- fuse: truncate pagecache on atomic_o_trunc (bsc#1190705).
- genirq: add device_has_managed_msi_irq (bsc#1185762).
- gpio: uniphier: Fix void functions to remove return value (git-fixes).
- gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes).
- gve: fix the wrong AdminQ buffer overflow check (bsc#1176940).
- hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
- hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes).
- hwmon: (tmp421) fix rounding for negative values (git-fixes).
- hwmon: (tmp421) report /PVLD condition as fault (git-fixes).
- i40e: Add additional info to PHY type error (git-fixes).
- i40e: Fix firmware LLDP agent related warning (git-fixes).
- i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes).
- i40e: Fix logic of disabling queues (git-fixes).
- i40e: Fix queue-to-TC mapping on Tx (git-fixes).
- iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940).
- iavf: Set RSS LUT and key in reset handle path (git-fixes).
- ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
- ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943).
- ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943).
- ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943).
- ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943).
- ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943).
- ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943).
- ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943).
- ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943).
- ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943).
- ice: Prevent probing virtual functions (git-fixes).
- iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes).
- include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes).
- iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784).
- ionic: cleanly release devlink instance (bsc#1167773).
- ionic: count csum_none when offload enabled (bsc#1167773).
- ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
- ipc/util.c: use binary search for max_idx (bsc#1159886).
- ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467).
- ipvs: avoid expiring many connections from timer (bsc#1190467).
- ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467).
- ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467).
- iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes).
- kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable.
- kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs.
- kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167 bsc#1191240 ltc#194716).
- kernel-binary.spec.in: Stop templating the scriptlets for subpackages (bsc#1190358). The script part for the base package case is completely separate from the part for subpackages. Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead.
- libata: fix ata_host_start() (git-fixes).
- mac80211-hwsim: fix late beacon hrtimer handling (git-fixes).
- mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes).
- mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes).
- mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes).
- mac80211: mesh: fix potentially unaligned access (git-fixes).
- media: cedrus: Fix SUNXI tile size calculation (git-fixes).
- media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes).
- media: dib8000: rewrite the init prbs logic (git-fixes).
- media: imx258: Limit the max analogue gain to 480 (git-fixes).
- media: imx258: Rectify mismatch of VTS value (git-fixes).
- media: rc-loopback: return number of emitters rather than error (git-fixes).
- media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes).
- media: uvc: do not do DMA on stack (git-fixes).
- media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes).
- mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes).
- mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
- mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes).
- mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785).
- mmc: core: Return correct emmc response in case of ioctl error (git-fixes).
- mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes).
- mmc: sdhci-of-arasan: Check return value of non-void functions (git-fixes).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
- net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
- net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
- net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes).
- net/mlx5: Fix flow table chaining (git-fixes).
- net/mlx5: Fix return value from tracer initialization (git-fixes).
- net/mlx5: Unload device upon firmware fatal error (git-fixes).
- net/mlx5e: Avoid creating tunnel headers for local route (git-fixes).
- net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes).
- net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes).
- netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062).
- nfp: update ethtool reporting of pauseframe control (git-fixes).
- NFS: change nfs_access_get_cached to only report the mask (bsc#1190746).
- NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746).
- NFS: pass cred explicitly for access tests (bsc#1190746).
- nvme: avoid race in shutdown namespace removal (bsc#1188067).
- nvme: fix refcounting imbalance when all paths are down (bsc#1188067).
- parport: remove non-zero check on count (git-fixes).
- PCI: aardvark: Fix checking for PIO status (git-fixes).
- PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes).
- PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes).
- PCI: Add ACS quirks for Cavium multi-function devices (git-fixes).
- PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes).
- PCI: Add AMD GPU multi-function power dependencies (git-fixes).
- PCI: ibmphp: Fix double unmap of io_mem (git-fixes).
- PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes).
- PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes).
- PCI: pci-bridge-emul: Fix big-endian support (git-fixes).
- PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes).
- PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes).
- PM: base: power: do not try to use non-existing RTC for storing data (git-fixes).
- PM: EM: Increase energy calculation precision (git-fixes).
- power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes).
- power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes).
- powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289).
- powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
- powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
- powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
- powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
- powerpc/perf: Fix the check for SIAR value (bsc#1065729).
- powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
- powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
- powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
- powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
- powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
- powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
- powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
- pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
- pwm: img: Do not modify HW state in .remove() callback (git-fixes).
- pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes).
- pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes).
- qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
- RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774).
- Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes).
- regmap: fix page selection for noinc reads (git-fixes).
- regmap: fix page selection for noinc writes (git-fixes).
- regmap: fix the offset of register error log (git-fixes).
- Restore kabi after NFS: pass cred explicitly for access tests (bsc#1190746).
- rpm: Abolish scriptlet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. This allows fixing bugs in the scriptlets as well as defining initrd regeneration policy independent of the kernel packages.
- rpm/kernel-binary.spec: Use only non-empty certificates.
- rpm/kernel-binary.spec.in: avoid conflicting suse-release. suse-release had arbitrary values in staging, so we can't use it for dependencies. The filesystem one has to be enough (boo#1184804).
- rtc: rx8010: select REGMAP_I2C (git-fixes).
- rtc: tps65910: Correct driver module alias (git-fixes).
- s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
- sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292).
- scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
- scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
- scsi: fc: Add EDC ELS definition (bsc#1190576).
- scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
- scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
- scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
- scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
- scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
- scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
- scsi: lpfc: Add EDC ELS support (bsc#1190576).
- scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
- scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
- scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
- scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
- scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576).
- scsi: lpfc: Add support for the CM framework (bsc#1190576).
- scsi: lpfc: Adjust bytes received values during cmf timer interval (bsc#1190576).
- scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576).
- scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576).
- scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576).
- scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576).
- scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576).
- scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576).
- scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576).
- scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576).
- scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576).
- scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576).
- scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576).
- scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576).
- scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576).
- scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576).
- scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576).
- scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576).
- scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576).
- scsi: lpfc: Remove unneeded variable (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576).
- scsi: lpfc: Use correct scnprintf() limit (bsc#1190576).
- scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576).
- scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576).
- scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576).
- scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297).
- serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes).
- serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes).
- serial: mvebu-uart: fix driver's tx_empty callback (git-fixes).
- serial: sh-sci: fix break handling for sysrq (git-fixes).
- spi: Fix tegra20 build with CONFIG_PM=n (git-fixes).
- staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes).
- staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes).
- staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes).
- thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes).
- time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes).
- tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes).
- tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes).
- tty: synclink_gt, drop unneeded forward declarations (git-fixes).
- usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes).
- usb: core: hcd: Add support for deferring roothub registration (git-fixes).
- usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes).
- usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes).
- usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes).
- usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes).
- usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes).
- usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes).
- usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes).
- usb: host: fotg210: fix the actual_length of an iso packet (git-fixes).
- usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes).
- usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes).
- usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes).
- usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes).
- usb: serial: option: add device id for Foxconn T99W265 (git-fixes).
- usb: serial: option: add Telit LN920 compositions (git-fixes).
- usb: serial: option: remove duplicate USB device ID (git-fixes).
- usbip: give back URBs for unsent unlink requests during cleanup (git-fixes).
- usbip: vhci_hcd USB port can get stuck in the disabled state (git-fixes).
- video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes).
- video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes).
- video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes).
- video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes).
- vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406).
- vmxnet3: add support for ESP IPv6 RSS (bsc#1190406).
- vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406).
- vmxnet3: prepare for version 6 changes (bsc#1190406).
- vmxnet3: remove power of 2 limitation on the queues (bsc#1190406).
- vmxnet3: set correct hash type based on rss information (bsc#1190406).
- vmxnet3: update to version 6 (bsc#1190406).
- watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes).
- x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302).
- x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
- x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289).
- x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489).
- x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489).
- x86/resctrl: Fix default monitoring groups reporting (bsc#1152489).
- xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651).
- xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679).
- xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).
- xhci: Set HCD flag to defer primary roothub registration (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3454-1
Released: Mon Oct 18 09:29:26 2021
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1189929,CVE-2021-37750

This update for krb5 fixes the following issues:

- CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3479-1
Released: Wed Oct 20 11:23:45 2021
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1184970,1186260,1187115,1187470,1187774,1190845

This update for dracut fixes the following issues:

- Fix usage information for -f parameter. (bsc#1187470)
- Fix obsolete reference to 96insmodpost in manpage. (bsc#1187774)
- Remove references to INITRD_MODULES. (bsc#1187115)
- Multipath FCoE configurations may not boot when using only one path. (bsc#1186260)
- Adjust path for SUSE: /var/lib/nfs/statd/sm to /var/lib/nfs/sm. (bsc#1184970)
- Systemd coredump unit files are missing in initrd. (bsc#1190845)
- Use $kernel rather than $(uname -r).
- Exclude modules that are built-in.
- Restore INITRD_MODULES in mkinitrd script.
- Call dracut_instmods with hostonly.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3480-1
Released: Wed Oct 20 11:24:08 2021
Summary: Recommended update for yast2-network
Type: recommended
Severity: moderate
References: 1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933

This update for yast2-network fixes the following issues:

- Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
- Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
- Consider aliases sections as case insensitive (bsc#1190739).
- Display user defined device name in the devices overview (bnc#1190645).
- Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
- Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
- Fix desktop file so the control center tooltip is translated (bsc#1187270).
- Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
- Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3490-1
Released: Wed Oct 20 16:31:55 2021
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1190793,CVE-2021-39537

This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3494-1
Released: Wed Oct 20 16:48:46 2021
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1190052

This update for pam fixes the following issues:

- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3501-1
Released: Fri Oct 22 10:42:46 2021
Summary: Recommended update for libzypp, zypper, libsolv, protobuf
Type: recommended
Severity: moderate
References: 1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815

This update for libzypp, zypper, libsolv and protobuf fixes the following issues:

- Choice rules: treat orphaned packages as newest (bsc#1190465)
- Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602)
- Do not check signatures and keys twice (redundant) (bsc#1190059)
- Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760)
- Show key fpr from signature when signature check fails (bsc#1187224)
- Fix solver jobs for PTFs (bsc#1186503)
- Fix purge-kernels failures (bsc#1187738)
- Fix obs:// platform guessing for Leap (bsc#1187425)
- Make sure to keep states alive while transitioning. (bsc#1190199)
- Manpage: Improve description about patch updates (bsc#1187466)
- Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
- Fix crashes in logging code when shutting down (bsc#1189031)
- Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
- Add need reboot/restart hint to XML install summary (bsc#1188435)
- Prompt: choose exact match if prompt options are not prefix free (bsc#1188156)
- Include libprotobuf-lite20 in products to enable parallel downloads.
  (jsc#ECO-2911, jsc#SLE-16862)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3506-1
Released: Mon Oct 25 10:20:22 2021
Summary: Security update for containerd, docker, runc
Type: security
Severity: important
References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434,CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103

This update for containerd, docker, runc fixes the following issues:

Docker was updated to 20.10.9-ce. (bsc#1191355) See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103

containerd was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355

- CVE-2021-32760: Fixed that an archive package allows chmod of a file outside of the unpack target directory (bsc#1188282)
- Install systemd service file as well (bsc#1190826)

Update to runc v1.0.2. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.2
* Fixed a failure to set CPU quota period in some cases on cgroup v1.
* Fixed the inability to start a container with the 'adding seccomp filter rule for syscall ...' error, caused by redundant seccomp rules (i.e. those that have action equal to the default one). Such redundant rules are now skipped.
* Made release builds reproducible from now on.
* Fixed a rare debug log race in runc init, which can result in occasional harmful 'failed to decode ...' errors from runc run or exec.
* Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working.

Update to runc v1.0.1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.1
* Fixed occasional runc exec/run failure ('interrupted system call') on an Azure volume.
* Fixed 'unable to find groups ... token too long' error with /etc/group containing lines longer than 64K characters.
* cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g. Kubernetes).
* cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely.
* cgroup/systemd/v2: don't freeze cgroup on Set.
* cgroup/systemd/v1: avoid unnecessary freeze on Set.
- fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

Update to runc v1.0.0. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0
! The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations).
* cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers).
* cgroupv2: correctly convert 'number of IOs' statistics in a cgroupv1-compatible way.
* cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
* cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen.
* cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94
* cgroups/systemd: fixed returning 'unit already exists' error from a systemd cgroup manager (regression in rc94)
+ cgroupv2: support SkipDevices with systemd driver
+ cgroup/systemd: return, not ignore, stop unit error from Destroy
+ Make 'runc --version' output sane even when built with go get or otherwise outside of our build scripts.
+ cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update).
+ cgroup1: blkio: support BFQ weights.
+ cgroupv2: set per-device io weights if BFQ IO scheduler is available.

Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95

This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users). (bsc#1185405)

Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94

Breaking Changes:
* cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls.

Regression Fixes:
* seccomp: fix 32-bit compilation errors
* runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
* runc start: fix 'chdir to cwd: permission denied' for some setups

The following package changes have been done:

- SUSEConnect-0.3.31-13.1 updated
- ca-certificates-mozilla-2.44-21.1 updated
- containerd-ctr-1.4.11-56.1 updated
- containerd-1.4.11-56.1 updated
- curl-7.66.0-4.27.1 updated
- docker-20.10.9_ce-156.1 updated
- dracut-049.1+suse.209.gebcf4f33-3.40.1 updated
- efibootmgr-14-4.3.2 updated
- file-magic-5.32-7.14.1 updated
- file-5.32-7.14.1 updated
- glibc-locale-base-2.26-13.59.1 updated
- glibc-locale-2.26-13.59.1 updated
- glibc-2.26-13.59.1 updated
- grub2-i386-pc-2.04-9.49.3 updated
- grub2-x86_64-efi-2.04-9.49.3 updated
- grub2-2.04-9.49.3 updated
- kdump-0.9.0-11.6.1 updated
- kernel-default-5.3.18-24.86.2 updated
- kmod-compat-25-6.10.1 updated
- kmod-25-6.10.1 updated
- krb5-1.16.3-3.24.1 updated
- libaugeas0-1.10.1-3.3.1 updated
- libcroco-0_6-3-0.6.13-3.3.1 updated
- libcurl4-7.66.0-4.27.1 updated
- libdevmapper1_03-1.02.163-8.36.1 updated
- libfreebl3-3.68-3.56.1 updated
- libkmod2-25-6.10.1 updated
- libmagic1-5.32-7.14.1 updated
- libncurses6-6.1-5.9.1 updated
- libprotobuf-lite20-3.9.2-4.9.1 added
- libsolv-tools-0.7.20-9.2 updated
- libsystemd0-234-24.93.1 updated
- libudev1-234-24.93.1 updated
- libzypp-17.28.5-15.2 updated
- ncurses-utils-6.1-5.9.1 updated
- pam-1.3.0-6.47.1 updated
- perl-Bootloader-0.931-3.5.1 updated
- python3-pytz-2021.1-6.7.1 updated
- rpm-ndb-4.14.1-22.4.2 updated
- runc-1.0.2-23.1 updated
- shim-15.4-3.32.1 updated
- sudo-1.8.27-4.21.4 updated
- suse-module-tools-15.2.13-4.6.1 updated
- systemd-sysvinit-234-24.93.1 updated
- systemd-234-24.93.1 updated
- terminfo-base-6.1-5.9.1 updated
- terminfo-6.1-5.9.1 updated
- udev-234-24.93.1 updated
- xen-libs-4.13.3_04-3.37.1 updated
- xfsprogs-4.15.0-4.40.1 updated
- zypper-1.14.49-16.1 updated

From sle-security-updates at lists.suse.com Wed Oct 27 06:30:19 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 08:30:19 +0200 (CEST)
Subject: SUSE-IU-2021:742-1: Security update of sles-15-sp2-chost-byos-v20211025
Message-ID: <20211027063019.47319FBB1@maintenance.suse.de>

SUSE Image Update Advisory: sles-15-sp2-chost-byos-v20211025
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2021:742-1
Image Tags : sles-15-sp2-chost-byos-v20211025:20211025
Image Release :
Severity : important
Type : security
References : CVE-2020-12400 CVE-2020-12401 CVE-2020-12403 CVE-2020-12825 CVE-2020-25648 CVE-2020-3702 CVE-2020-6829 CVE-2021-20266 CVE-2021-20271 CVE-2021-22946 CVE-2021-22947 CVE-2021-28701 CVE-2021-30465 CVE-2021-32760 CVE-2021-33574 CVE-2021-33910 CVE-2021-3421 CVE-2021-34556 CVE-2021-35477 CVE-2021-35942
CVE-2021-3640 CVE-2021-3653 CVE-2021-3656 CVE-2021-3669 CVE-2021-3679 CVE-2021-3732 CVE-2021-3739 CVE-2021-3743 CVE-2021-3744 CVE-2021-3752 CVE-2021-3753 CVE-2021-3759 CVE-2021-3764 CVE-2021-37750 CVE-2021-38160 CVE-2021-38198 CVE-2021-38204 CVE-2021-38205 CVE-2021-38207 CVE-2021-39537 CVE-2021-40490 CVE-2021-41089 CVE-2021-41091 CVE-2021-41092 CVE-2021-41103
-----------------------------------------------------------------

The container sles-15-sp2-chost-byos-v20211025 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2020:3026-1
Released: Fri Oct 23 15:35:49 2020
Summary: Optional update for the Public Cloud Module
Type: optional
Severity: moderate
References:

This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398).

The following packages were included:

- python3-grpcio
- python3-protobuf
- python3-google-api-core
- python3-google-cloud-core
- python3-google-cloud-storage
- python3-google-resumable-media
- python3-googleapis-common-protos
- python3-grpcio-gcp
- python3-mock (updated to version 3.0.5)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:294-1
Released: Wed Feb 3 12:54:28 2021
Summary: Recommended update for libprotobuf
Type: recommended
Severity: moderate
References:

libprotobuf was updated to fix:

- ship the libprotobuf-lite15 on the basesystem module and the INSTALLER channel. (jsc#ECO-2911)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3115-1
Released: Thu Sep 16 14:04:26 2021
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829

This update for mozilla-nspr fixes the following issues:

mozilla-nspr was updated to version 4.32:
* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer size for DNS queries
* Lock access to PRCallOnceType members in PR_CallOnce* for thread safety bmo#1686138
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get information about the operating system build version.

Mozilla NSS was updated to version 3.68:
* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.

update to NSS 3.67
* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.

update to NSS 3.66
* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.
update to NSS 3.65
* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update its csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
update to NSS 3.64
* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector acceleration.
Fixed in 3.63
* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build issues with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build issues with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS.
* bmo#1687822 - Turn off Websites trust bit for the 'Staat der Nederlanden Root CA - G3' root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global Chambersign Root - 2008'.
* bmo#1694291 - Tracing fixes for ECH.
update to NSS 3.62
* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07
update to NSS 3.61
* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.
Update to NSS 3.60.1:
Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information.
Update to NSS 3.59.1:
* bmo#1679290 - Fix potential deadlock with certain third-party PKCS11 modules
Update to NSS 3.59:
Notable changes:
* Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
Bugfixes
* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord (boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
update to NSS 3.58
Bugs fixed:
* bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions.
* bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value.
update to NSS 3.57
* The following CA certificates were Added:
  bmo#1663049 - CN=Trustwave Global Certification Authority
  SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
  bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
  SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
  bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
  SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
  bmo#1651211 - CN=EE Certification Centre Root CA
  SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
  bmo#1656077 - O=Government Root Certification Authority; C=TW
  SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
  bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
  Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
update to NSS 3.56
Notable changes
* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28
update to NSS 3.55
Notable changes
* P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
Relevant Bugfixes
* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension.
update to NSS 3.54
Notable changes
* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available (bmo#1528113)
* The following CA certificates were Added:
  bmo#1645186 - certSIGN Root CA G2.
  bmo#1645174 - e-Szigno Root CA 2017.
  bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
  bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
  bmo#1645199 - AddTrust Class 1 CA Root.
  bmo#1645199 - AddTrust External CA Root.
  bmo#1641718 - LuxTrust Global Root 2.
  bmo#1639987 - Staat der Nederlanden Root CA - G2.
  bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
  bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
  bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list.
Bugs fixed
* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo#1621151 - Disable email trust bit for 'O=Government Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3123-1
Released: Thu Sep 16 19:45:05 2021
Summary: Security update for libcroco
Type: security
Severity: moderate
References: 1171685,CVE-2020-12825
This update for libcroco fixes the following issues:
- CVE-2020-12825: Fixed recursion issue in block and any productions (bsc#1171685).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3132-1
Released: Fri Sep 17 16:37:37 2021
Summary: Recommended update for google-guest-oslogin
Type: recommended
Severity: moderate
References: 1188992,1189041
This update for google-guest-oslogin contains the following fixes:
- Update to version 20210728.00 (bsc#1188992, bsc#1189041)
  * JSON object cleanup (#65)
- Update to version 20210707.00
  * throw exceptions in cache_refresh (#64)
- from version 20210702.00
  * Use IP address for calling the metadata server. (#63)
- Update to version 20210618.00
  * flush each group member write (#62)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3133-1
Released: Fri Sep 17 16:37:59 2021
Summary: Recommended update for grub2, efibootmgr
Type: recommended
Severity: moderate
References: 1186565,1186975,1187565
This update for grub2, efibootmgr provides the following fixes:
- Ship package grub2-arm64-efi and the required efibootmgr also to ppc64le, s390x and x86_64 (bsc#1186565)
- Fix error gfxterm isn't found with multiple terminals (bsc#1187565)
- Fix occasional boot failure after kdump procedure when using XFS (bsc#1186975)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3136-1
Released: Fri Sep 17 16:59:09 2021
Summary: Recommended update for SUSEConnect
Type: recommended
Severity: moderate
References: 1185611
This update for SUSEConnect fixes the following issues:
- Disallow registering via SUSEConnect if the system is managed by SUSE Manager.
- Add subscription name to output of 'SUSEConnect --status'.
- Send payload of GET requests as part of the url, not in the body. (bsc#1185611)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3141-1
Released: Sat Sep 18 14:37:39 2021
Summary: Security update for xen
Type: security
Severity: moderate
References: 1027519,1189632,CVE-2021-28701
This update for xen fixes the following issues:
- CVE-2021-28701: Fixed race condition in XENMAPSPACE_grant_table handling (XSA-384) (bsc#1189632).
- Upstream bug fixes (bsc#1027519)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3182-1
Released: Tue Sep 21 17:04:26 2021
Summary: Recommended update for file
Type: recommended
Severity: moderate
References: 1189996
This update for file fixes the following issues:
- Fixes exception thrown by memory allocation problem (bsc#1189996)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3207-1
Released: Thu Sep 23 16:18:52 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1040364,1127650,1135481,1152489,1160010,1167032,1168202,1174969,1175052,1175543,1177399,1180141,1180347,1181148,1181972,1184114,1184180,1185675,1185902,1186264,1186731,1187211,1187455,1187468,1187619,1188067,1188172,1188418,1188439,1188616,1188780,1188781,1188782,1188783,1188784,1188786,1188787,1188788,1188790,1188878,1188885,1188924,1188982,1188983,1188985,1189021,1189057,1189077,1189153,1189197,1189209,1189210,1189212,1189213,1189214,1189215,1189216,1189217,1189218,1189219,1189220,1189221,1189222,1189229,1189262,1189291,1189292,1189298,1189301,1189305,1189323,1189384,1189385,1189392,1189399,1189400,1189427,1189449,1189503,1189504,1189505,1189506,1189507,1189562,1189563,1189564,1189565,1189566,1189567,1189568,1189569,1189573,1189574,1189575,1189576,1189577,1189579,1189581,1189582,1189583,1189585,1189586,1189587,1189706,1189760,1189832,1189841,1189870,1189883,1190025,1190115,1190117,1190131,1190181,CVE-2021-34556,CVE-2021-35477,CVE-2021-3640,CVE-2021-3653,CVE-2021-3656,CVE-2021-3679,CVE-2021-3732,CVE-2021-3739,CVE-2021-3743,CVE-2021-3753,CVE-2021-3759,CVE-2021-38160,CVE-2021-38198,CVE-2021-38204,CVE-2021-38205,CVE-2021-38207
The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-3759: Unaccounted ipc objects in the Linux kernel could have led to breaking memcg limits and DoS attacks (bsc#1190115).
- CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117).
- CVE-2021-3640: Fixed a Use-After-Free vulnerability in function sco_sock_sendmsg() in the bluetooth stack (bsc#1188172).
- CVE-2021-3753: Fixed race out-of-bounds in virtual terminal handling (bsc#1190025).
- CVE-2021-3743: Fixed OOB Read in qrtr_endpoint_post (bsc#1189883).
- CVE-2021-3739: Fixed a NULL pointer dereference when deleting device by invalid id (bsc#1189832).
- CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
- CVE-2021-3653: Missing validation of the `int_ctl` VMCB field allowed a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189399).
- CVE-2021-3656: Missing validation of the `virt_ext` VMCB field allowed a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS for the L2 guest (bsc#1189400).
- CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault (bnc#1189262).
- CVE-2021-38207: drivers/net/ethernet/xilinx/ll_temac_main.c allowed remote attackers to cause a denial of service (buffer overflow and lockup) by sending heavy network traffic for about ten minutes (bnc#1189298).
- CVE-2021-38205: drivers/net/ethernet/xilinx/xilinx_emaclite.c made it easier for attackers to defeat an ASLR protection mechanism because it prints a kernel pointer (i.e., the real IOMEM pointer) (bnc#1189292).
- CVE-2021-38204: drivers/usb/host/max3421-hcd.c allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
- CVE-2021-3679: A lack of CPU resource in the tracing module functionality was found in the way a user uses the trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources, causing denial of service (bnc#1189057).
- CVE-2021-34556: Fixed a side-channel attack via Speculative Store Bypass from an unprivileged BPF program that could have obtained sensitive information from kernel memory (bsc#1188983).
- CVE-2021-35477: Fixed BPF stack frame pointer which could have been abused to disclose content of arbitrary kernel memory (bsc#1188985).
The following non-security bugs were fixed:
- ACPI: NFIT: Fix support for virtual SPA ranges (git-fixes).
- ACPI: processor: Clean up acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Export acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Export function to claim _CST control (bsc#1175543)
- ACPI: processor: Introduce acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Make ACPI_PROCESSOR_CSTATE depend on ACPI_PROCESSOR (bsc#1175543)
- ALSA: hda - fix the 'Capture Switch' value change notifications (git-fixes).
- ALSA: hda/realtek: Enable 4-speaker output for Dell XPS 15 9510 laptop (git-fixes).
- ALSA: hda/realtek: Fix headset mic for Acer SWIFT SF314-56 (ALC256) (git-fixes).
- ALSA: hda/realtek: add mic quirk for Acer SF314-42 (git-fixes).
- ALSA: hda/via: Apply runtime PM workaround for ASUS B23E (git-fixes).
- ALSA: hda: Add quirk for ASUS Flow x13 (git-fixes).
- ALSA: pcm: fix divide error in snd_pcm_lib_ioctl (git-fixes).
- ALSA: seq: Fix racy deletion of subscriber (git-fixes).
- ALSA: usb-audio: Add registration quirk for JBL Quantum 600 (git-fixes).
- ALSA: usb-audio: Fix regression on Sony WALKMAN NW-A45 DAC (git-fixes).
- ALSA: usb-audio: Fix superfluous autosuspend recovery (git-fixes).
- ALSA: usb-audio: fix incorrect clock source setting (git-fixes).
- ASoC: Intel: Skylake: Leave data as is when invoking TLV IPCs (git-fixes).
- ASoC: cs42l42: Correct definition of ADC Volume control (git-fixes).
- ASoC: cs42l42: Do not allow SND_SOC_DAIFMT_LEFT_J (git-fixes).
- ASoC: cs42l42: Fix LRCLK frame start edge (git-fixes).
- ASoC: cs42l42: Fix inversion of ADC Notch Switch control (git-fixes).
- ASoC: cs42l42: Remove duplicate control for WNF filter frequency (git-fixes).
- ASoC: intel: atom: Fix breakage for PCM buffer address setup (git-fixes).
- ASoC: intel: atom: Fix reference to PCM buffer address (git-fixes).
- ASoC: ti: delete some dead code in omap_abe_probe() (git-fixes).
- ASoC: tlv320aic31xx: Fix jack detection after suspend (git-fixes).
- ASoC: tlv320aic31xx: fix reversed bclk/wclk master bits (git-fixes).
- ASoC: wcd9335: Disable irq on slave ports in the remove function (git-fixes).
- ASoC: wcd9335: Fix a double irq free in the remove function (git-fixes).
- ASoC: wcd9335: Fix a memory leak in the error handling path of the probe function (git-fixes).
- ASoC: xilinx: Fix reference to PCM buffer address (git-fixes).
- Bluetooth: add timeout sanity check to hci_inquiry (git-fixes).
- Bluetooth: defer cleanup of resources in hci_unregister_dev() (git-fixes).
- Bluetooth: fix repeated calls to sco_sock_kill (git-fixes).
- Bluetooth: hidp: use correct wait queue when removing ctrl_wait (git-fixes).
- Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow (git-fixes).
- Bluetooth: sco: prevent information leak in sco_conn_defer_accept() (git-fixes).
- Documentation: admin-guide: PM: Add intel_idle document (bsc#1175543)
- Drop watchdog iTCO_wdt patch that causes incompatible behavior (bsc#1189449). Also blacklisted.
- Fix breakage of swap over NFS (bsc#1188924).
- Fix kabi of prepare_to_wait_exclusive() (bsc#1189575).
- HID: i2c-hid: Fix Elan touchpad regression (git-fixes).
- HID: input: do not report stylus battery state as 'full' (git-fixes).
- KVM: VMX: Drop guest CPUID check for VMXE in vmx_set_cr4() (bsc#1188786).
- KVM: VMX: Enable machine check support for 32bit targets (bsc#1188787).
- KVM: VMX: Explicitly clear RFLAGS.CF and RFLAGS.ZF in VM-Exit RSB path (bsc#1188788).
- KVM: nVMX: Really make emulated nested preemption timer pinned (bsc#1188780).
- KVM: nVMX: Reset the segment cache when stuffing guest segs (bsc#1188781).
- KVM: nVMX: Skip IBPB when switching between vmcs01 and vmcs02 (bsc#1188782).
- KVM: nVMX: Sync unsync'd vmcs02 state to vmcs12 on migration (bsc#1188783).
- KVM: nVMX: Truncate bits 63:32 of VMCS field on nested check in !64-bit (bsc#1188784).
- KVM: x86: bit 8 of non-leaf PDPEs is not reserved (bsc#1188790).
- Move upstreamed BT fixes into sorted section
- NFS: Correct size calculation for create reply length (bsc#1189870).
- NFSv4.1: Do not rebind to the same source port when (bnc#1186264 bnc#1189021)
- NFSv4/pNFS: Do not call _nfs4_pnfs_v3_ds_connect multiple times (git-fixes).
- NFSv4: Initialise connection to the server in nfs4_alloc_client() (bsc#1040364).
- PCI/MSI: Correct misleading comments (git-fixes).
- PCI/MSI: Do not set invalid bits in MSI mask (git-fixes).
- PCI/MSI: Enable and mask MSI-X early (git-fixes).
- PCI/MSI: Enforce MSI[X] entry updates to be visible (git-fixes).
- PCI/MSI: Enforce that MSI-X table entry is masked for update (git-fixes).
- PCI/MSI: Mask all unused MSI-X entries (git-fixes).
- PCI/MSI: Skip masking MSI-X on Xen PV (git-fixes).
- PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() (git-fixes).
- PCI: Increase D3 delay for AMD Renoir/Cezanne XHCI (git-fixes).
- PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently (git-fixes).
- PCI: PM: Enable PME if it can be signaled from D3cold (git-fixes).
- README: Modernize build instructions.
- Revert 'ACPICA: Fix memory leak caused by _CID repair function' (git-fixes).
- Revert 'USB: serial: ch341: fix character loss at high transfer rates' (git-fixes).
- Revert 'dmaengine: imx-sdma: refine to load context only once' (git-fixes).
- Revert 'gpio: eic-sprd: Use devm_platform_ioremap_resource()' (git-fixes).
- Revert 'mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711' (git-fixes).
- SUNRPC: 'Directory with parent 'rpc_clnt' already present!' (bsc#1168202 bsc#1188924).
- SUNRPC: Fix the batch tasks count wraparound (git-fixes).
- SUNRPC: Should wake up the privileged task firstly (git-fixes).
- SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202 bsc#1188924).
- SUNRPC: fix use-after-free in rpc_free_client_work() (bsc#1168202 bsc#1188924).
- SUNRPC: prevent port reuse on transports which do not request it (bnc#1186264 bnc#1189021).
- USB: core: Avoid WARNings for 0-length descriptor requests (git-fixes).
- USB: serial: ch341: fix character loss at high transfer rates (git-fixes).
- USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 (git-fixes).
- USB: serial: option: add Telit FD980 composition 0x1056 (git-fixes).
- USB: serial: option: add new VID/PID to support Fibocom FG150 (git-fixes).
- USB: usbtmc: Fix RCU stall warning (git-fixes).
- USB:ehci:fix Kunpeng920 ehci hardware problem (git-fixes).
- Update patches.suse/ibmvnic-Allow-device-probe-if-the-device-is-not-read.patch (bsc#1167032 ltc#184087 bsc#1184114 ltc#192237).
- VMCI: fix NULL pointer dereference when unmapping queue pair (git-fixes).
- ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() (git-fixes).
- ath9k: Clear key cache explicitly on disabling hardware (git-fixes).
- ath: Use safer key clearing with key cache entries (git-fixes).
- bcma: Fix memory leak for internally-handled cores (git-fixes).
- bdi: Do not use freezable workqueue (bsc#1189573).
- blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit() (bsc#1189507).
- blk-mq-sched: Fix blk_mq_sched_alloc_tags() error handling (bsc#1189506).
- blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled() (bsc#1189503).
- blk-wbt: make sure throttle is enabled properly (bsc#1189504).
- block: fix trace completion for chained bio (bsc#1189505).
- brcmfmac: pcie: fix oops on failure to resume and reprobe (git-fixes).
- btrfs: Rename __btrfs_alloc_chunk to btrfs_alloc_chunk (bsc#1189077).
- btrfs: account for new extents being deleted in total_bytes_pinned (bsc#1135481).
- btrfs: add a comment explaining the data flush steps (bsc#1135481).
- btrfs: add btrfs_reserve_data_bytes and use it (bsc#1135481).
- btrfs: add flushing states for handling data reservations (bsc#1135481).
- btrfs: add the data transaction commit logic into may_commit_transaction (bsc#1135481).
- btrfs: call btrfs_try_granting_tickets when freeing reserved bytes (bsc#1135481).
- btrfs: call btrfs_try_granting_tickets when reserving space (bsc#1135481).
- btrfs: call btrfs_try_granting_tickets when unpinning anything (bsc#1135481).
- btrfs: change nr to u64 in btrfs_start_delalloc_roots (bsc#1135481).
- btrfs: check tickets after waiting on ordered extents (bsc#1135481).
- btrfs: do async reclaim for data reservations (bsc#1135481).
- btrfs: don't force commit if we are data (bsc#1135481).
- btrfs: drop the commit_cycles stuff for data reservations (bsc#1135481).
- btrfs: factor out create_chunk() (bsc#1189077).
- btrfs: factor out decide_stripe_size() (bsc#1189077).
- btrfs: factor out gather_device_info() (bsc#1189077).
- btrfs: factor out init_alloc_chunk_ctl (bsc#1189077).
- btrfs: fix deadlock with concurrent chunk allocations involving system chunks (bsc#1189077).
- btrfs: fix possible infinite loop in data async reclaim (bsc#1135481).
- btrfs: flush delayed refs when trying to reserve data space (bsc#1135481).
- btrfs: handle U64_MAX for shrink_delalloc (bsc#1135481).
- btrfs: handle invalid profile in chunk allocation (bsc#1189077).
- btrfs: handle space_info::total_bytes_pinned inside the delayed ref itself (bsc#1135481).
- btrfs: introduce alloc_chunk_ctl (bsc#1189077).
- btrfs: introduce chunk allocation policy (bsc#1189077).
- btrfs: make ALLOC_CHUNK use the space info flags (bsc#1135481).
- btrfs: make shrink_delalloc take space_info as an arg (bsc#1135481).
- btrfs: move the chunk_mutex in btrfs_read_chunk_tree (bsc#1189077).
- btrfs: parameterize dev_extent_min for chunk allocation (bsc#1189077).
- btrfs: refactor find_free_dev_extent_start() (bsc#1189077).
- btrfs: remove orig from shrink_delalloc (bsc#1135481).
- btrfs: rework chunk allocation to avoid exhaustion of the system chunk array (bsc#1189077).
- btrfs: run delayed iputs before committing the transaction for data (bsc#1135481).
- btrfs: serialize data reservations if we are flushing (bsc#1135481).
- btrfs: shrink delalloc pages instead of full inodes (bsc#1135481).
- btrfs: track ordered bytes instead of just dio ordered bytes (bsc#1135481).
- btrfs: use btrfs_start_delalloc_roots in shrink_delalloc (bsc#1135481).
- btrfs: use the btrfs_space_info_free_bytes_may_use helper for delalloc (bsc#1135481).
- btrfs: use the same helper for data and metadata reservations (bsc#1135481).
- btrfs: use ticketing for data space reservations (bsc#1135481).
- can: ti_hecc: Fix memleak in ti_hecc_probe (git-fixes).
- can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters (git-fixes).
- ceph: clean up and optimize ceph_check_delayed_caps() (bsc#1187468).
- ceph: reduce contention in ceph_check_delayed_caps() (bsc#1187468).
- ceph: take snap_empty_lock atomically with snaprealm refcount change (bsc#1189427).
- cfg80211: Fix possible memory leak in function cfg80211_bss_update (git-fixes).
- cgroup1: fix leaked context root causing sporadic NULL deref in LTP (bsc#1190181).
- cgroup: verify that source is a string (bsc#1190131).
- cifs: Remove unused inline function is_sysvol_or_netlogon() (bsc#1185902).
- cifs: avoid starvation when refreshing dfs cache (bsc#1185902).
- cifs: constify get_normalized_path() properly (bsc#1185902).
- cifs: do not cargo-cult strndup() (bsc#1185902).
- cifs: do not send tree disconnect to ipc shares (bsc#1185902).
- cifs: do not share tcp servers with dfs mounts (bsc#1185902).
- cifs: do not share tcp sessions of dfs connections (bsc#1185902).
- cifs: fix check of dfs interlinks (bsc#1185902).
- cifs: fix path comparison and hash calc (bsc#1185902).
- cifs: get rid of @noreq param in __dfs_cache_find() (bsc#1185902).
- cifs: handle different charsets in dfs cache (bsc#1185902).
- cifs: keep referral server sessions alive (bsc#1185902).
- cifs: missing null pointer check in cifs_mount (bsc#1185902).
- cifs: prevent NULL deref in cifs_compose_mount_options() (bsc#1185902).
- cifs: set a minimum of 2 minutes for refreshing dfs cache (bsc#1185902).
- clk: fix leak on devm_clk_bulk_get_all() unwind (git-fixes).
- clk: kirkwood: Fix a clocking boot regression (git-fixes).
- clk: stm32f4: fix post divisor setup for I2S/SAI PLLs (git-fixes).
- cpuidle: Allow idle states to be disabled by default (bsc#1175543)
- cpuidle: Consolidate disabled state checks (bsc#1175543)
- cpuidle: Drop disabled field from struct cpuidle_state (bsc#1175543)
- cpuidle: Fix cpuidle_driver_state_disabled() (bsc#1175543)
- cpuidle: Introduce cpuidle_driver_state_disabled() for driver quirks (bsc#1175543)
- cpuidle: cpuidle_state kABI fix (bsc#1175543)
- crypto: ccp - Annotate SEV Firmware file names (bsc#1189212).
- crypto: qat - use proper type for vf_mask (git-fixes).
- crypto: x86/curve25519 - fix cpu feature checking logic in mod_exit (git-fixes).
- dm integrity: fix missing goto in bitmap_flush_interval error handling (git-fixes).
- dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails (git-fixes).
- dm verity: fix DM_VERITY_OPTS_MAX value (git-fixes).
- dmaengine: imx-dma: configure the generic DMA type to make it work (git-fixes).
- dmaengine: imx-sdma: remove duplicated sdma_load_context (git-fixes). - dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available (git-fixes). - dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe() (git-fixes). - dmaengine: xilinx_dma: Fix read-after-free bug when terminating transfers (git-fixes). - drivers/block/null_blk/main: Fix a double free in null_init (git-fixes). - drm/amdgpu/acp: Make PM domain really work (git-fixes). - drm/msi/mdp4: populate priv->kms in mdp4_kms_init (git-fixes). - drm/msm/dpu: make dpu_hw_ctl_clear_all_blendstages clear necessary LMs (git-fixes). - drm/msm/dsi: Fix some reference counted resource leaks (git-fixes). - drm/nouveau/disp: power down unused DP links during init (git-fixes). - drm/panfrost: Fix missing clk_disable_unprepare() on error in panfrost_clk_init() (git-fixes). - drm: Copy drm_wait_vblank to user before returning (git-fixes). - ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle (bsc#1189568). - ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit (bsc#1189564). - ext4: fix avefreec in find_group_orlov (bsc#1189566). - ext4: fix kernel infoleak via ext4_extent_header (bsc#1189562). - ext4: fix potential htree corruption when growing large_dir directories (bsc#1189576). - ext4: remove check for zero nr_to_scan in ext4_es_scan() (bsc#1189565). - ext4: return error code when ext4_fill_flex_info() fails (bsc#1189563). - ext4: use ext4_grp_locked_error in mb_find_extent (bsc#1189567). - fanotify: fix copy_event_to_user() fid error clean up (bsc#1189574). - firmware_loader: fix use-after-free in firmware_fallback_sysfs (git-fixes). - firmware_loader: use -ETIMEDOUT instead of -EAGAIN in fw_load_sysfs_fallback (git-fixes). - fpga: altera-freeze-bridge: Address warning about unused variable (git-fixes). - fpga: xiilnx-spi: Address warning about unused variable (git-fixes). 
- fpga: zynqmp-fpga: Address warning about unused variable (git-fixes). - gpio: eic-sprd: break loop when getting NULL device resource (git-fixes). - gpio: tqmx86: really make IRQ optional (git-fixes). - i2c: dev: zero out array used for i2c reads from userspace (git-fixes). - i2c: highlander: add IRQ check (git-fixes). - i2c: iop3xx: fix deferred probing (git-fixes). - i2c: mt65xx: fix IRQ check (git-fixes). - i2c: s3c2410: fix IRQ check (git-fixes). - iio: adc: Fix incorrect exit of for-loop (git-fixes). - iio: adc: ti-ads7950: Ensure CS is deasserted after reading channels (git-fixes). - iio: humidity: hdc100x: Add margin to the conversion time (git-fixes). - intel_idle: Add module parameter to prevent ACPI _CST from being used (bsc#1175543) - intel_idle: Allow ACPI _CST to be used for selected known processors (bsc#1175543) - intel_idle: Annotate init time data structures (bsc#1175543) - intel_idle: Customize IceLake server support (bsc#1175543) - intel_idle: Disable ACPI _CST on Haswell (bsc#1175543, bsc#1177399, bsc#1180347, bsc#1180141) - intel_idle: Fix max_cstate for processor models without C-state tables (bsc#1175543) - intel_idle: Ignore _CST if control cannot be taken from the platform (bsc#1175543) - intel_idle: Refactor intel_idle_cpuidle_driver_init() (bsc#1175543) - intel_idle: Use ACPI _CST for processor models without C-state tables (bsc#1175543) - intel_idle: Use ACPI _CST on server systems (bsc#1175543) - iommu/amd: Fix extended features logging (bsc#1189213). - iommu/arm-smmu-v3: Decrease the queue size of evtq and priq (bsc#1189210). - iommu/arm-smmu-v3: add bit field SFM into GERROR_ERR_MASK (bsc#1189209). - iommu/dma: Fix IOVA reserve dma ranges (bsc#1189214). - iommu/dma: Fix compile warning in 32-bit builds (bsc#1189229). - iommu/vt-d: Check for allocation failure in aux_detach_device() (bsc#1189215). - iommu/vt-d: Define counter explicitly as unsigned int (bsc#1189216). 
- iommu/vt-d: Do not set then clear private data in prq_event_thread() (bsc#1189217). - iommu/vt-d: Fix sysfs leak in alloc_iommu() (bsc#1189218). - iommu/vt-d: Force to flush iotlb before creating superpage (bsc#1189219). - iommu/vt-d: Global devTLB flush when present context entry changed (bsc#1189220). - iommu/vt-d: Invalidate PASID cache when root/context entry changed (bsc#1189221). - iommu/vt-d: Reject unsupported page request modes (bsc#1189222). - iwlwifi: rs-fw: do not support stbc for HE 160 (git-fixes). - kABI fix of usb_dcd_config_params (git-fixes). - kABI: Fix kABI after fixing vcpu-id indexed arrays (git-fixes). - kabi fix for NFSv4.1: Do not rebind to the same source port when reconnecting to the server (bnc#1186264 bnc#1189021) - kabi fix for SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202 bsc#1188924). - kernel, fs: Introduce and use set_restart_fn() and arch_set_restart_data() (bsc#1189153). - lib/mpi: use kcalloc in mpi_resize (git-fixes). - libata: fix ata_pio_sector for CONFIG_HIGHMEM (git-fixes). - mac80211: Fix insufficient headroom issue for AMSDU (git-fixes). - mailbox: sti: quieten kernel-doc warnings (git-fixes). - md/raid10: properly indicate failure when ending a failed write request (git-fixes). - media: TDA1997x: enable EDID support (git-fixes). - media: cxd2880-spi: Fix an error handling path (git-fixes). - media: drivers/media/usb: fix memory leak in zr364xx_probe (git-fixes). - media: dvb-usb: Fix error handling in dvb_usb_i2c_init (git-fixes). - media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init (git-fixes). - media: dvb-usb: fix uninit-value in vp702x_read_mac_addr (git-fixes). - media: em28xx-input: fix refcount bug in em28xx_usb_disconnect (git-fixes). - media: go7007: fix memory leak in go7007_usb_probe (git-fixes). - media: go7007: remove redundant initialization (git-fixes). - media: rtl28xxu: fix zero-length control request (git-fixes). 
- media: stkwebcam: fix memory leak in stk_camera_probe (git-fixes). - media: venus: venc: Fix potential null pointer dereference on pointer fmt (git-fixes). - media: videobuf2-core: dequeue if start_streaming fails (git-fixes). - media: zr364xx: fix memory leaks in probe() (git-fixes). - media: zr364xx: propagate errors from zr364xx_start_readpipe() (git-fixes). - memcg: enable accounting for file lock caches (bsc#1190115). - misc: atmel-ssc: lock with mutex instead of spinlock (git-fixes). - misc: rtsx: do not setting OC_POWER_DOWN reg in rtsx_pci_init_ocp() (git-fixes). - mm, vmscan: guarantee drop_slab_node() termination (VM Functionality, bsc#1189301). - mm/thp: unmap_mapping_page() to fix THP truncate_cleanup_page() (bsc#1189569). - mm: swap: properly update readahead statistics in unuse_pte_range() (bsc#1187619). - mmc: dw_mmc: Fix hang on data CRC error (git-fixes). - mmc: dw_mmc: Fix issue with uninitialized dma_slave_config (git-fixes). - mmc: moxart: Fix issue with uninitialized dma_slave_config (git-fixes). - mmc: sdhci-iproc: Cap min clock frequency on BCM2711 (git-fixes). - mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711 (git-fixes). - mtd: cfi_cmdset_0002: fix crash when erasing/writing AMD cards (git-fixes). - mtd: rawnand: cafe: Fix a resource leak in the error handling path of 'cafe_nand_probe()' (git-fixes). - nbd: Aovid double completion of a request (git-fixes). - nbd: Fix NULL pointer in flush_workqueue (git-fixes). - nbd: do not update block size after device is started (git-fixes). - net/mlx5: Properly convey driver version to firmware (git-fixes). - net: dsa: mv88e6xxx: Avoid VTU corruption on 6097 (git-fixes). - net: dsa: mv88e6xxx: also read STU state in mv88e6250_g1_vtu_getnext (git-fixes). - net: stmmac: free tx skb buffer in stmmac_resume() (git-fixes). - nfs: fix acl memory leak of posix_acl_create() (git-fixes). 
- nvme-multipath: revalidate paths during rescan (bsc#1187211) - nvme-pci: Use u32 for nvme_dev.q_depth and nvme_queue.q_depth (bsc#1181972). - nvme-pci: fix NULL req in completion handler (bsc#1181972). - nvme-pci: limit maximum queue depth to 4095 (bsc#1181972). - nvme-pci: use unsigned for io queue depth (bsc#1181972). - nvme-tcp: Do not reset transport on data digest errors (bsc#1188418). - nvme-tcp: do not check blk_mq_tag_to_rq when receiving pdu data (bsc#1181972). - nvme: avoid possible double fetch in handling CQE (bsc#1181972). - nvme: code command_id with a genctr for use-after-free validation (bsc#1181972). - nvme: only call synchronize_srcu when clearing current path (bsc#1188067). - nvmet: use NVMET_MAX_NAMESPACES to set nn value (bsc#1189384). - ocfs2: fix snprintf() checking (bsc#1189581). - ocfs2: fix zero out valid data (bsc#1189579). - ocfs2: initialize ip_next_orphan (bsc#1186731). - ocfs2: issue zeroout to EOF blocks (bsc#1189582). - ocfs2: ocfs2_downconvert_lock failure results in deadlock (bsc#1188439). - overflow: Correct check_shl_overflow() comment (git-fixes). - ovl: allow upperdir inside lowerdir (bsc#1189323). - ovl: expand warning in ovl_d_real() (bsc#1189323). - ovl: fix missing revert_creds() on error path (bsc#1189323). - ovl: perform vfs_getxattr() with mounter creds (bsc#1189323). - ovl: skip getxattr of security labels (bsc#1189323). - params: lift param_set_uint_minmax to common code (bsc#1181972). - pcmcia: i82092: fix a null pointer dereference bug (git-fixes). - pinctrl: samsung: Fix pinctrl bank pin count (git-fixes). - pinctrl: single: Fix error return code in pcs_parse_bits_in_pinctrl_entry() (git-fixes). - pinctrl: stmfx: Fix hazardous u8[] to unsigned long cast (git-fixes). - platform/x86: pcengines-apuv2: Add missing terminating entries to gpio-lookup tables (git-fixes). - power: supply: max17042: handle fails of reading status register (git-fixes). 
- powerpc/papr_scm: Make 'perf_stats' invisible if perf-stats unavailable (bsc#1175052 jsc#SLE-13823 bsc#1174969 jsc#SLE-12769 git-fixes). - powerpc/papr_scm: Reduce error severity if nvdimm stats inaccessible (bsc#1189197 ltc#193906). - powerpc/pseries: Fix regression while building external modules (bsc#1160010 ltc#183046 git-fixes). - powerpc/pseries: Fix update of LPAR security flavor after LPM (bsc#1188885 ltc#193722 git-fixes) - powerpc: Fix is_kvm_guest() / kvm_para_available() (bsc#1181148 ltc#190702 git-fixes). - regulator: rt5033: Fix n_voltages settings for BUCK and LDO (git-fixes). - regulator: vctrl: Avoid lockdep warning in enable/disable ops (git-fixes). - regulator: vctrl: Use locked regulator_get_voltage in probe path (git-fixes). - rpm/kernel-obs-build.spec.in: make builds reproducible (bsc#1189305) - rpm: Abolish image suffix (bsc#1189841). - rpm: Define $certs as rpm macro (bsc#1189841). - rpm: Fold kernel-devel and kernel-source scriptlets into spec files (bsc#1189841). - rpm: kernel-binary.spec: Define $image as rpm macro (bsc#1189841). - rpm: support gz and zst compression methods Extend commit 18fcdff43a00 ('rpm: support compressed modules') for compression methods other than xz. - rq-qos: fix missed wake-ups in rq_qos_throttle try two (bsc#1189575). - rsi: fix an error code in rsi_probe() (git-fixes). - rsi: fix error code in rsi_load_9116_firmware() (git-fixes). - s390/ap: Fix hanging ioctl caused by wrong msg counter (bsc#1188982 LTC#193817). - s390/boot: fix use of expolines in the DMA code (bsc#1188878 ltc#193771). - sched/fair: Correctly insert cfs_rq's to list on unthrottle (git-fixes) - sched/rt: Fix RT utilization tracking during policy change (git-fixes) - scsi: blkcg: Add app identifier support for blkcg (bsc#1189385 jsc#SLE-18970). - scsi: blkcg: Fix application ID config options (bsc#1189385 jsc#SLE-18970). - scsi: cgroup: Add cgroup_get_from_id() (bsc#1189385 jsc#SLE-18970). 
- scsi: core: Add scsi_prot_ref_tag() helper (bsc#1189392). - scsi: ibmvfc: Do not wait for initial device scan (bsc#1127650). - scsi: libfc: Fix array index out of bound exception (bsc#1188616). - scsi: lpfc: Add 256 Gb link speed support (bsc#1189385). - scsi: lpfc: Add PCI ID support for LPe37000/LPe38000 series adapters (bsc#1189385). - scsi: lpfc: Call discovery state machine when handling PLOGI/ADISC completions (bsc#1189385). - scsi: lpfc: Clear outstanding active mailbox during PCI function reset (bsc#1189385). - scsi: lpfc: Copyright updates for 12.8.0.11 patches (bsc#1189385). - scsi: lpfc: Copyright updates for 14.0.0.0 patches (bsc#1189385). - scsi: lpfc: Delay unregistering from transport until GIDFT or ADISC completes (bsc#1189385). - scsi: lpfc: Discovery state machine fixes for LOGO handling (bsc#1189385). - scsi: lpfc: Enable adisc discovery after RSCN by default (bsc#1189385). - scsi: lpfc: Fix KASAN slab-out-of-bounds in lpfc_unreg_rpi() routine (bsc#1189385). - scsi: lpfc: Fix NULL ptr dereference with NPIV ports for RDF handling (bsc#1189385). - scsi: lpfc: Fix NVMe support reporting in log message (bsc#1189385). - scsi: lpfc: Fix build error in lpfc_scsi.c (bsc#1189385). - scsi: lpfc: Fix cq_id truncation in rq create (bsc#1189385). - scsi: lpfc: Fix function description comments for vmid routines (bsc#1189385). - scsi: lpfc: Fix memory leaks in error paths while issuing ELS RDF/SCR request (bsc#1189385). - scsi: lpfc: Fix possible ABBA deadlock in nvmet_xri_aborted() (bsc#1189385). - scsi: lpfc: Fix target reset handler from falsely returning FAILURE (bsc#1189385). - scsi: lpfc: Improve firmware download logging (bsc#1189385). - scsi: lpfc: Keep NDLP reference until after freeing the IOCB after ELS handling (bsc#1189385). - scsi: lpfc: Move initialization of phba->poll_list earlier to avoid crash (git-fixes). - scsi: lpfc: Remove REG_LOGIN check requirement to issue an ELS RDF (bsc#1189385). 
- scsi: lpfc: Remove redundant assignment to pointer pcmd (bsc#1189385). - scsi: lpfc: Remove redundant assignment to pointer temp_hdr (bsc#1189385). - scsi: lpfc: Remove use of kmalloc() in trace event logging (bsc#1189385). - scsi: lpfc: Revise Topology and RAS support checks for new adapters (bsc#1189385). - scsi: lpfc: Skip issuing ADISC when node is in NPR state (bsc#1189385). - scsi: lpfc: Skip reg_vpi when link is down for SLI3 in ADISC cmpl path (bsc#1189385). - scsi: lpfc: Update lpfc version to 12.8.0.11 (bsc#1189385). - scsi: lpfc: Update lpfc version to 14.0.0.0 (bsc#1189385). - scsi: lpfc: Use PBDE feature enabled bit to determine PBDE support (bsc#1189385). - scsi: lpfc: Use list_move_tail() instead of list_del()/list_add_tail() (bsc#1189385). - scsi: lpfc: vmid: Add QFPA and VMID timeout check in worker thread (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Add datastructure for supporting VMID in lpfc (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Add support for VMID in mailbox command (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Append the VMID to the wqe before sending (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Functions to manage VMIDs (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Implement CT commands for appid (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Implement ELS commands for appid (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Introduce VMID in I/O path (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: Timeout implementation for VMID (bsc#1189385 jsc#SLE-18970). - scsi: lpfc: vmid: VMID parameter initialization (bsc#1189385 jsc#SLE-18970). - scsi: qla2xxx: Add heartbeat check (bsc#1189392). - scsi: qla2xxx: Fix error return code in qla82xx_write_flash_dword() (bsc#1189392). - scsi: qla2xxx: Fix spelling mistakes 'allloc' -> 'alloc' (bsc#1189392). - scsi: qla2xxx: Fix use after free in debug code (bsc#1189392). - scsi: qla2xxx: Log PCI address in qla_nvme_unregister_remote_port() (bsc#1189392). 
- scsi: qla2xxx: Remove duplicate declarations (bsc#1189392). - scsi: qla2xxx: Remove redundant assignment to rval (bsc#1189392). - scsi: qla2xxx: Remove redundant continue statement in a for-loop (bsc#1189392). - scsi: qla2xxx: Remove redundant initialization of variable num_cnt (bsc#1189392). - scsi: qla2xxx: Remove unused variable 'status' (bsc#1189392). - scsi: qla2xxx: Update version to 10.02.00.107-k (bsc#1189392). - scsi: qla2xxx: Use list_move_tail() instead of list_del()/list_add_tail() (bsc#1189392). - scsi: qla2xxx: Use the proper SCSI midlayer interfaces for PI (bsc#1189392). - scsi: qla2xxx: edif: Add authentication pass + fail bsgs (bsc#1189392). - scsi: qla2xxx: edif: Add detection of secure device (bsc#1189392). - scsi: qla2xxx: edif: Add doorbell notification for app (bsc#1189392). - scsi: qla2xxx: edif: Add encryption to I/O path (bsc#1189392). - scsi: qla2xxx: edif: Add extraction of auth_els from the wire (bsc#1189392). - scsi: qla2xxx: edif: Add getfcinfo and statistic bsgs (bsc#1189392). - scsi: qla2xxx: edif: Add key update (bsc#1189392). - scsi: qla2xxx: edif: Add send, receive, and accept for auth_els (bsc#1189392). - scsi: qla2xxx: edif: Add start + stop bsgs (bsc#1189392). - scsi: qla2xxx: edif: Increment command and completion counts (bsc#1189392). - scsi: scsi_transport_srp: Do not block target in SRP_PORT_LOST state (bsc#1184180). - scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal (bsc#1189392). - scsi: zfcp: Report port fc_security as unknown early during remote cable pull (git-fixes). - serial: 8250: Mask out floating 16/32-bit bus bits (git-fixes). - serial: 8250_mtk: fix uart corruption issue when rx power off (git-fixes). - serial: tegra: Only print FIFO error message when an error occurs (git-fixes). - slimbus: messaging: check for valid transaction id (git-fixes). - slimbus: messaging: start transaction ids from 1 instead of zero (git-fixes). - slimbus: ngd: reset dma setup during runtime pm (git-fixes). 
- soc: aspeed: lpc-ctrl: Fix boundary check for mmap (git-fixes). - soc: aspeed: p2a-ctrl: Fix boundary check for mmap (git-fixes). - soc: ixp4xx/qmgr: fix invalid __iomem access (git-fixes). - soc: ixp4xx: fix printing resources (git-fixes). - soc: qcom: rpmhpd: Use corner in power_off (git-fixes). - soc: qcom: smsm: Fix missed interrupts if state changes while masked (git-fixes). - spi: imx: mx51-ecspi: Fix CONFIGREG delay comment (git-fixes). - spi: imx: mx51-ecspi: Fix low-speed CONFIGREG delay calculation (git-fixes). - spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay (git-fixes). - spi: mediatek: Fix fifo transfer (git-fixes). - spi: meson-spicc: fix memory leak in meson_spicc_remove (git-fixes). - spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config (git-fixes). - spi: spi-pic32: Fix issue with uninitialized dma_slave_config (git-fixes). - spi: sprd: Fix the wrong WDG_LOAD_VAL (git-fixes). - spi: stm32h7: fix full duplex irq handler handling (git-fixes). - staging: rtl8192u: Fix bitwise vs logical operator in TranslateRxSignalStuff819xUsb() (git-fixes). - staging: rtl8712: get rid of flush_scheduled_work (git-fixes). - staging: rtl8723bs: Fix a resource leak in sd_int_dpc (git-fixes). - tracing / histogram: Fix NULL pointer dereference on strcmp() on NULL event name (git-fixes). - tracing / histogram: Give calculation hist_fields a size (git-fixes). - tracing: Reject string operand in the histogram expression (git-fixes). - tty: serial: fsl_lpuart: fix the wrong mapbase value (git-fixes). - ubifs: Fix error return code in alloc_wbufs() (bsc#1189585). - ubifs: Fix memleak in ubifs_init_authentication (bsc#1189583). - ubifs: Only check replay with inode type to judge if inode linked (bsc#1187455). - ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode (bsc#1189587). - ubifs: journal: Fix error return code in ubifs_jnl_write_inode() (bsc#1189586). 
- usb: bdc: Fix an error handling path in 'bdc_probe()' when no suitable DMA config is available (git-fixes). - usb: dwc2: Postponed gadget registration to the udc class driver (git-fixes). - usb: dwc3: Add support for DWC_usb32 IP (git-fixes). - usb: dwc3: Disable phy suspend after power-on reset (git-fixes). - usb: dwc3: Separate field holding multiple properties (git-fixes). - usb: dwc3: Stop active transfers before halting the controller (git-fixes). - usb: dwc3: Use clk_bulk_prepare_enable() (git-fixes). - usb: dwc3: Use devres to get clocks (git-fixes). - usb: dwc3: core: Properly default unspecified speed (git-fixes). - usb: dwc3: core: do not do suspend for device mode if already suspended (git-fixes). - usb: dwc3: debug: Remove newline printout (git-fixes). - usb: dwc3: gadget: Check MPS of the request length (git-fixes). - usb: dwc3: gadget: Clear DCTL.ULSTCHNGREQ before set (git-fixes). - usb: dwc3: gadget: Clear DEP flags after stop transfers in ep disable (git-fixes). - usb: dwc3: gadget: Disable gadget IRQ during pullup disable (git-fixes). - usb: dwc3: gadget: Do not send unintended link state change (git-fixes). - usb: dwc3: gadget: Do not setup more than requested (git-fixes). - usb: dwc3: gadget: Fix dwc3_calc_trbs_left() (git-fixes). - usb: dwc3: gadget: Fix handling ZLP (git-fixes). - usb: dwc3: gadget: Give back staled requests (git-fixes). - usb: dwc3: gadget: Handle ZLP for sg requests (git-fixes). - usb: dwc3: gadget: Prevent EP queuing while stopping transfers (git-fixes). - usb: dwc3: gadget: Properly track pending and queued SG (git-fixes). - usb: dwc3: gadget: Restart DWC3 gadget when enabling pullup (git-fixes). - usb: dwc3: gadget: Set BESL config parameter (git-fixes). - usb: dwc3: gadget: Set link state to RX_Detect on disconnect (git-fixes). - usb: dwc3: gadget: Stop EP0 transfers during pullup disable (git-fixes). - usb: dwc3: gadget: Workaround Mirosoft's BESL check (git-fixes). - usb: dwc3: meson-g12a: add IRQ check (git-fixes). 
- usb: dwc3: meson-g12a: check return of dwc3_meson_g12a_usb_init (git-fixes). - usb: dwc3: of-simple: add a shutdown (git-fixes). - usb: dwc3: st: Add of_dev_put() in probe function (git-fixes). - usb: dwc3: st: Add of_node_put() before return in probe function (git-fixes). - usb: dwc3: support continuous runtime PM with dual role (git-fixes). - usb: ehci-orion: Handle errors of clk_prepare_enable() in probe (git-fixes). - usb: gadget: Export recommended BESL values (git-fixes). - usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers (git-fixes). - usb: gadget: f_hid: fixed NULL pointer dereference (git-fixes). - usb: gadget: f_hid: idle uses the highest byte for duration (git-fixes). - usb: gadget: mv_u3d: request_irq() after initializing UDC (git-fixes). - usb: gadget: udc: at91: add IRQ check (git-fixes). - usb: gadget: udc: renesas_usb3: Fix soc_device_match() abuse (git-fixes). - usb: host: ohci-tmio: add IRQ check (git-fixes). - usb: host: xhci-rcar: Do not reload firmware after the completion (git-fixes). - usb: mtu3: fix the wrong HS mult value (git-fixes). - usb: mtu3: use @mult for HS isoc or intr (git-fixes). - usb: phy: fsl-usb: add IRQ check (git-fixes). - usb: phy: tahvo: add IRQ check (git-fixes). - usb: phy: twl6030: add IRQ checks (git-fixes). - virt_wifi: fix error on connect (git-fixes). - virtio_pci: Support surprise removal of virtio pci device (git-fixes). - wireguard: allowedips: allocate nodes in kmem_cache (git-fixes). - wireguard: allowedips: free empty intermediate nodes when removing single node (git-fixes). - wireguard: allowedips: remove nodes in O(1) (git-fixes). - writeback: fix obtain a reference to a freeing memcg css (bsc#1189577). - x86/fpu: Limit xstate copy size in xstateregs_set() (bsc#1152489). - x86/fpu: Make init_fpstate correct with optimized XSAVE (bsc#1152489). - x86/fpu: Reset state for all signal restore failures (bsc#1152489). - x86/kvm: fix vcpu-id indexed array sizes (git-fixes). 
- x86/signal: Detect and prevent an alternate signal stack overflow (bsc#1152489).
- xen/events: Fix race in set_evtchn_to_irq (git-fixes).
- xprtrdma: Pad optimization, revisited (bsc#1189760).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3224-1
Released:    Fri Sep 24 11:34:33 2021
Summary:     Recommended update for shim-susesigned
Type:        recommended
Severity:    moderate
References:  1177315,1177789,1182057,1184454,1185232,1185261,1185441,1185464,1185621,1185961,1187260,1187696

This update for shim-susesigned fixes the following issues:

Sync with Microsoft signed shim to Thu Jul 15 08:13:26 UTC 2021.
This update addresses the 'susesigned' shim component.

shim was updated to 15.4 (bsc#1182057)
- console: Move the countdown function to console.c
- fallback: show a countdown menu before reset
- MOK: Fix the missing vendor cert in MokListRT
- mok: fix the mirroring of RT variables
- Add the license change statement for errlog.c and mok.c
- Remove a couple of incorrect license claims.
- MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid
- Make EFI variable copying fatal only on secureboot enabled systems
- Remove call to TPM2 get_event_log
- tpm: Fix off-by-one error when calculating event size
- tpm: Define EFI_VARIABLE_DATA_TREE as packed
- tpm: Don't log duplicate identical events
- VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
- OpenSSL: always provide OBJ_create() with name strings.
- translate_slashes(): don't write to string literals
- Fix a use of strlen() instead of Strlen()
- shim: Update EFI_LOADED_IMAGE with the second stage loader file path
- tpm: Include information about PE/COFF images in the TPM Event Log
- Fix a broken tpm type
- All newly released openSUSE kernels enable kernel lockdown and signature verification, so there is no need to add the prompt anymore.
- Fix the NULL pointer dereference in AuthenticodeVerify()
- Remove the build ID to make the binary reproducible when building with AArch64 container
- Prevent the build id being added to the binary. That can cause issues with the signature
- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel
- Handle ignore_db and user_insecure_mode correctly (bsc#1185441)
- Relax the maximum variable size check for u-boot
- Relax the check for import_mok_state() when Secure Boot is off
- Relax the check for the LoadOptions length
- Fix the size of rela* sections for AArch64
- Disable exporting vendor-dbx to MokListXRT
- Don't call QueryVariableInfo() on EFI 1.10 machines
- Avoid buffer overflow when copying the MOK config table
- Avoid deleting the mirrored RT variables
- Update to 15.3 for SBAT support (bsc#1182057)
- Generate vendor-specific SBAT metadata
- Rename the SBAT variable and fix the self-check of SBAT
- Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261)
- shim-install: reset def_shim_efi to 'shim.efi' if the given file doesn't exist
- shim-install: instead of assuming 'removable' for Azure, remove fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot to make \EFI\Boot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961)
- shim-install: always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464)
- shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (bsc#1177315)
- Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign keys:
  + SLES-UEFI-SIGN-Certificate-2020-07.crt
  + openSUSE-UEFI-SIGN-Certificate-2020-07.crt

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3233-1
Released:    Mon Sep 27 15:02:21 2021
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    moderate
References:  1085917,1181299,1181306,1181309,1181535,1181536,1188651,1189552

This update for xfsprogs fixes the following issues:

- Fixes an issue that made 'fstests' runs on 'xfs' fail. (bsc#1181309, bsc#1181299)
- xfsprogs: Split 'libhandle1' into a separate package, since nothing within xfsprogs dynamically links against it. The shared library is still required by xfsdump as a runtime dependency.
- mkfs.xfs: Fix 'ASSERT' on too-small device with stripe geometry. (bsc#1181536)
- mkfs.xfs: If either 'sunit' or 'swidth' is not zero, the other must be as well. (bsc#1085917, bsc#1181535)
- xfs_growfs: Refactor geometry reporting. (bsc#1181306)
- xfs_growfs: Allow mounted device node as argument. (bsc#1181299)
- xfs_repair: Rebuild directory when non-root leafn blocks claim block 0. (bsc#1181309)
- xfs_repair: Check plausibility of root dir pointer before trashing it. (bsc#1188651)
- xfs_bmap: Remove '-c' from manpage. (bsc#1189552)
- xfs_bmap: Do not reject '-e'. (bsc#1189552)
- Implement 'libhandle1' through ECO. (jsc#SLE-20360)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3245-1
Released:    Tue Sep 28 13:54:31 2021
Summary:     Recommended update for docker
Type:        recommended
Severity:    important
References:  1190670

This update for docker fixes the following issues:

- Return ENOSYS (instead of the profile's default EPERM) for clone3 in the seccomp profile, to avoid breaking containers using glibc 2.34, which tries clone3 first and only falls back to clone on ENOSYS.
- Add shell requires for the *-completion subpackages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3274-1
Released:    Fri Oct 1 10:34:17 2021
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    important
References:  1190858

This update for ca-certificates-mozilla fixes the following issues:

- Remove the DST_Root_CA_X3.pem root, one of the CAs in the Let's Encrypt chain, as it expires on September 30th 2021 and the certificate chain handling in openssl 1.0.2 and older does not cope with the expired root correctly.
  (bsc#1190858)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3298-1
Released:    Wed Oct 6 16:54:52 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1190373,1190374,CVE-2021-22946,CVE-2021-22947

This update for curl fixes the following issues:

- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM: replies the server had pipelined in clear text before the TLS upgrade were kept and trusted as if they had arrived over TLS (bsc#1190374).
- CVE-2021-22946: Fixed a protocol downgrade where a required TLS upgrade (STARTTLS) could be bypassed and the transfer silently continued in clear text (bsc#1190373).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3303-1
Released:    Wed Oct 6 18:11:24 2021
Summary:     Recommended update for kdump
Type:        recommended
Severity:    moderate
References:  1172670,1182309,1183070,1184616,1186037,1188090

This update for kdump fixes the following issues:

- Do not iterate past end of string (bsc#1186037).
- Query systemd network.service to find out if wicked is used (bsc#1182309).
- Add 'bootdev=' to dracut command line (bsc#1182309).
- Fix incorrect exit code checking after 'local' with assignment (bsc#1184616).
- Do not add network-related dracut options if ip= is set explicitly (bsc#1182309, bsc#1188090).
- Make sure that initrd.target.wants directory exists (bsc#1172670).
- Install /etc/resolv.conf using its resolved path (bsc#1183070).
- Avoid an endless loop when resolving a hostname fails with EAI_AGAIN (bsc#1183070).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3318-1
Released:    Wed Oct 6 19:31:19 2021
Summary:     Recommended update for sudo
Type:        recommended
Severity:    moderate
References:  1176473,1181371

This update for sudo fixes the following issues:

- Update to sudo 1.8.27 (jsc#SLE-17083).
- Fixed special handling of ipa_hostname (bsc#1181371).
- Restore sudo ldap behavior to ignore expire dates when SUDOERS_TIMED option is not set in /etc/ldap.conf (bsc#1176473).
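The shim update above (SUSE-RU-2021:3224-1) adds SBAT support: the bootloader carries a small CSV in a `.sbat` PE section giving a generation number per component, and shim rejects any image whose generation for a listed component is below the one recorded in its revocation policy (the SbatLevel variable), so a whole class of old binaries can be revoked without exhausting the dbx. The example below is added here and is not shim's code: it builds a throwaway PE image with a constructed `.sbat` section, walks the PE section table to extract it, and applies two constructed SbatLevel-style policies. The policy strings, the `.sbat` contents and the `shim.suse` vendor line are illustrative values, not the contents of any shipped shim.

```python
import csv
import io
import struct

# Constructed SBAT payload (CSV, one component per line, in the field order
# described by shim's SBAT.md: component, generation, vendor, package, version, url).
IMAGE_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,1,UEFI shim,shim,15.4,https://github.com/rhboot/shim\n"
    "shim.suse,1,SUSE,shim,15.4,https://www.suse.com/\n"
)
# Revocation policies in SbatLevel form ("component,minimum generation").
# Both are constructed for this example, not the variable any shim ships.
SBAT_LEVEL_OK = "sbat,1,2021030218\nshim,1\ngrub,1\n"
SBAT_LEVEL_REVOKE_SHIM1 = "sbat,1,2022010100\nshim,2\ngrub,1\n"


def build_fake_pe(sbat_csv: str) -> bytes:
    """Assemble a minimal PE image with a .text and a .sbat section (test input only)."""
    text = b"\x90" * 16
    sbat = sbat_csv.encode("ascii")
    pe_off, n_sections, opt_size = 0x40, 2, 0
    data_off = pe_off + 4 + 20 + opt_size + 40 * n_sections
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)   # e_lfanew at 0x3c
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, n_sections, 0, 0, 0, opt_size, 0x2022)

    def section(name: bytes, raw: bytes, raw_off: int, va: int) -> bytes:
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, reloc/linenumber fields (unused here), Characteristics
        return struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), raw_off,
                           0, 0, 0, 0, 0x40000040)

    headers = (dos + coff
               + section(b".text", text, data_off, 0x1000)
               + section(b".sbat", sbat, data_off + len(text), 0x2000))
    assert len(headers) == data_off
    return headers + text + sbat


def read_sbat_section(image: bytes) -> str:
    """Walk the PE section table and return the .sbat section contents as text."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_off = struct.unpack_from("<8sIIII", image, table + 40 * i)
        if name.rstrip(b"\0") == b".sbat":
            return image[raw_off:raw_off + raw_size].rstrip(b"\0").decode("ascii")
    raise ValueError("no .sbat section")


def parse_sbat(text: str) -> dict:
    """Map component name -> generation number from SBAT or SbatLevel CSV."""
    gens = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue
        gens[row[0]] = int(row[1])
    return gens


def sbat_verify(image: bytes, sbat_level: str) -> list:
    """Return the components the policy revokes; an empty list means the image may boot."""
    try:
        gens = parse_sbat(read_sbat_section(image))
    except ValueError as exc:
        return ["<%s>" % exc]          # no usable .sbat section: treated as revoked
    policy = parse_sbat(sbat_level)
    return [comp for comp, min_gen in policy.items()
            if comp in gens and gens[comp] < min_gen]


if __name__ == "__main__":
    img = build_fake_pe(IMAGE_SBAT)
    print(read_sbat_section(img))
    print("current policy revokes:", sbat_verify(img, SBAT_LEVEL_OK))
    print("hypothetical policy revokes:", sbat_verify(img, SBAT_LEVEL_REVOKE_SHIM1))
```

Note the direction of the check: a policy entry only bites when the image contains that component and its generation is lower than the policy's; components absent from the image (grub, above) are ignored. On a real system the same section can be pulled from a signed shim or grub with `objcopy -O binary --only-section=.sbat shim.efi /dev/stdout`, and the active policy is the SbatLevel EFI variable.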
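The docker change above (SUSE-RU-2021:3245-1) is worth seeing in terms of the profile itself. Docker's default seccomp profile is an allow-list with a blocking default action; before the fix an unlisted syscall such as clone3 came back as EPERM, and glibc 2.34, which tries clone3 before clone, treats anything other than ENOSYS as a real failure, so thread and process creation broke inside the container. The script below is an added example, not Docker's or SUSE's code: it resolves what a Docker-format profile returns for a syscall, models glibc 2.34's fallback decision, and rewrites the profile so that clone3 returns ENOSYS. The profile JSON is a constructed, heavily trimmed stand-in for Docker's default.json; the field names (`defaultAction`, `syscalls`, `names`, `action`, `errnoRet`) are the ones Docker's profile format uses, and the EPERM-when-unspecified behaviour is what runc applies.

```python
import copy
import errno
import json

# Constructed, trimmed-down profile in Docker's seccomp JSON format (the real
# default.json lists several hundred syscalls; only a handful matter here).
# Anything not listed hits the blocking default and returns EPERM.
OLD_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["clone", "execve", "exit_group", "futex", "read", "write"],
     "action": "SCMP_ACT_ALLOW"}
  ]
}
""")


def lookup(profile: dict, syscall: str):
    """Resolve the (action, errno) a profile applies to one syscall.

    errno is only meaningful for SCMP_ACT_ERRNO; runc substitutes EPERM when
    the profile gives no errnoRet, which is what Docker's default did for clone3."""
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []):
            action, err = rule["action"], rule.get("errnoRet")
            break
    else:
        action, err = profile["defaultAction"], profile.get("defaultErrnoRet")
    if action != "SCMP_ACT_ERRNO":
        return action, None
    return action, errno.EPERM if err is None else err


def glibc_234_can_spawn(profile: dict) -> bool:
    """Model of glibc 2.34 process creation: clone3 is tried first and the
    fallback to clone happens only on ENOSYS. Any other errno (the EPERM of an
    unlisted syscall, for instance) is returned to the caller, so
    pthread_create()/posix_spawn() fail inside the container."""
    action, err = lookup(profile, "clone3")
    if action == "SCMP_ACT_ALLOW":
        return True
    if action == "SCMP_ACT_ERRNO" and err == errno.ENOSYS:
        return lookup(profile, "clone")[0] == "SCMP_ACT_ALLOW"
    return False


def fix_clone3(profile: dict) -> dict:
    """Return a copy of the profile with an explicit clone3 -> ENOSYS rule."""
    fixed = copy.deepcopy(profile)
    if lookup(fixed, "clone3")[0] == "SCMP_ACT_ALLOW":
        return fixed
    for rule in fixed["syscalls"]:            # drop clone3 from any conflicting rule
        if "clone3" in rule.get("names", []):
            rule["names"].remove("clone3")
    fixed["syscalls"] = [r for r in fixed["syscalls"] if r.get("names")]
    fixed["syscalls"].append({
        "names": ["clone3"],
        "action": "SCMP_ACT_ERRNO",
        "errnoRet": errno.ENOSYS,             # 38 on Linux
    })
    return fixed


if __name__ == "__main__":
    print("old profile lets glibc 2.34 spawn:", glibc_234_can_spawn(OLD_PROFILE))
    new_profile = fix_clone3(OLD_PROFILE)
    print("fixed profile lets glibc 2.34 spawn:", glibc_234_can_spawn(new_profile))
    print(json.dumps(new_profile, indent=2))
```

The emitted JSON can be handed to a container with `docker run --security-opt seccomp=profile.json ...`. The general lesson is the same one the advisory applies: for a syscall a runtime does not know yet, ENOSYS keeps libc fallback paths working, while EPERM looks like a policy decision and makes them fail hard.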
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3348-1
Released:    Tue Oct 12 13:08:06 2021
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910

This update for systemd fixes the following issues:

- CVE-2021-33910: Fixed use of strdupa() on a path, which let an unprivileged user exhaust the stack of systemd (PID 1) with an overlong mount path (bsc#1188063).
- logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
- Adopt BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
- udev rules were not applied to dm devices (multipath) (bsc#1188713).
- Ignore the obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
- Avoid an error message when udev is updated, caused by udev being already active when the sockets are started again (bsc#1188291).
- Allow the systemd sysusers config files to be overridden during system installation (bsc#1171962).
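Going back to the curl update above (SUSE-SU-2021:3298-1): both CVEs are failures of the STARTTLS state machine rather than of TLS itself, and they are easiest to understand on a small client. The example below is added here and is not curl's code. It models an SMTP client over a constructed in-memory connection in which everything received before the handshake is attacker-controllable and everything after it comes from the genuine server; `hardened=False` reproduces the two bug classes (continuing in clear text after a refused upgrade although TLS was required, and trusting clear-text replies that were pipelined behind the `220` STARTTLS reply), `hardened=True` shows the fix. `FakeConn`, `SmtpClient`, `login` and the server transcripts are all constructed for this example; the real handshake would be `ssl.SSLContext().wrap_socket()` at the point marked.

```python
class FakeConn:
    """Constructed stand-in for a socket. 'plain' is what arrives before the TLS
    handshake (an on-path attacker can forge it), 'secure' is what the genuine
    server sends after the handshake. Commands the client sends are recorded."""

    def __init__(self, plain: bytes, secure: bytes = b""):
        self.plain, self.secure, self.tls, self.sent = plain, secure, False, []

    def recv(self, n: int = 4096) -> bytes:
        attr = "secure" if self.tls else "plain"
        data = getattr(self, attr)
        setattr(self, attr, data[n:])
        return data[:n]

    def sendall(self, data: bytes) -> None:
        self.sent.append(data)

    def start_tls(self) -> None:       # real code: ssl.SSLContext().wrap_socket(sock)
        self.tls = True


class SmtpClient:
    """Minimal SMTP client with STARTTLS; hardened=False reproduces both bug classes."""

    def __init__(self, conn: FakeConn, require_tls: bool = True, hardened: bool = True):
        self.conn, self.require_tls, self.hardened = conn, require_tls, hardened
        self.inbuf = b""
        self.tls = False

    def _readline(self) -> str:
        while b"\r\n" not in self.inbuf:
            chunk = self.conn.recv()
            if not chunk:
                raise ConnectionError("connection closed")
            self.inbuf += chunk            # may pull in more than one reply line
        line, _, self.inbuf = self.inbuf.partition(b"\r\n")
        return line.decode("ascii", "replace")

    def reply(self) -> str:
        """Consume one (possibly multi-line) SMTP reply and return its 3-digit code."""
        while True:
            line = self._readline()
            if len(line) < 4 or line[3] != "-":
                return line[:3]

    def command(self, cmd: str) -> str:
        self.conn.sendall(cmd.encode("ascii") + b"\r\n")
        return self.reply()

    def starttls(self) -> bool:
        code = self.command("STARTTLS")
        if code != "220":
            # CVE-2021-22946 class: when TLS is required, a refused upgrade must
            # end the session rather than let it continue in clear text.
            if self.require_tls and self.hardened:
                raise ConnectionError("TLS required but server answered %s" % code)
            return False
        # CVE-2021-22947 class: bytes already buffered behind the 220 reply were
        # received unauthenticated; drop them so they are never read as TLS data.
        if self.hardened:
            self.inbuf = b""
        self.conn.start_tls()
        self.tls = True
        return True


def login(conn: FakeConn, require_tls: bool = True, hardened: bool = True):
    """Greeting, EHLO, STARTTLS, AUTH. Returns (tls_active, auth_reply_code)."""
    client = SmtpClient(conn, require_tls, hardened)
    client.reply()                              # 220 greeting
    client.command("EHLO client.example")
    client.starttls()
    # constructed credentials: base64("\0alice\0secret")
    return client.tls, client.command("AUTH PLAIN AGFsaWNlAHNlY3JldA==")


def injection_conn() -> FakeConn:
    """MITM pipelines a forged '235 authenticated' behind the 220 STARTTLS reply;
    the genuine server, reached over TLS, actually rejects the credentials."""
    return FakeConn(
        plain=b"220 mail.example ESMTP\r\n250-mail.example\r\n250 STARTTLS\r\n"
              b"220 2.0.0 Ready to start TLS\r\n235 2.7.0 Authentication successful\r\n",
        secure=b"535 5.7.8 Authentication credentials invalid\r\n")


def downgrade_conn() -> FakeConn:
    """Server (or MITM) refuses STARTTLS and keeps answering in clear text."""
    return FakeConn(
        plain=b"220 mail.example ESMTP\r\n250-mail.example\r\n250 STARTTLS\r\n"
              b"454 4.7.0 TLS not available\r\n235 2.7.0 Authentication successful\r\n")


if __name__ == "__main__":
    print("vulnerable client, injected reply:", login(injection_conn(), hardened=False))
    print("hardened client, real TLS reply:  ", login(injection_conn()))
    try:
        login(downgrade_conn())
    except ConnectionError as exc:
        print("hardened client refuses downgrade:", exc)
```

The injection case is the instructive one: the vulnerable client never reads anything from the TLS stream for the AUTH reply, because a forged `235` was already sitting in its receive buffer, so it reports success while the real server said `535`. Any STARTTLS client (SMTP, IMAP, POP3, FTP) needs the same two rules: flush the plaintext receive buffer at the handshake, and treat a refused upgrade as fatal whenever TLS was required.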
----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3382-1 Released: Tue Oct 12 14:30:17 2021 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: This update for ca-certificates-mozilla fixes the following issues: - A new sub-package for minimal base containers (jsc#SLE-22162) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3385-1 Released: Tue Oct 12 15:54:31 2021 Summary: Security update for glibc Type: security Severity: moderate References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942 This update for glibc fixes the following issues: - CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911) - CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3411-1 Released: Wed Oct 13 10:42:25 2021 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1191019 This update for lvm2 fixes the following issues: - Do not crash vgextend when extending VG with missing PV. 
(bsc#1191019) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:3412-1 Released: Wed Oct 13 10:50:33 2021 Summary: Recommended update for suse-module-tools Type: recommended Severity: important References: 1189841,1190598 This update for suse-module-tools fixes the following issues: - Fixed an issue where the queuing of secure boot certificates did not happen (bsc#1189841, bsc#1190598) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3444-1 Released: Fri Oct 15 09:03:07 2021 Summary: Security update for rpm Type: security Severity: important References: 1179416,1183543,1183545,1183632,1183659,1185299,1187670,1188548,CVE-2021-20266,CVE-2021-20271,CVE-2021-3421 This update for rpm fixes the following issues: Security issues fixed: - CVE-2021-3421, CVE-2021-20271, CVE-2021-20266: Multiple header check improvements (bsc#1183543, bsc#1183545, bsc#1183632) - PGP hardening changes (bsc#1185299) - Fixed potential access of freed mem in ndb's glue code (bsc#1179416) Maintaince issues fixed: - Fixed zstd detection (bsc#1187670) - Added ndb rofs support (bsc#1188548) - Fixed deadlock when multiple rpm processes try tp acquire the database lock (bsc#1183659) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:3447-1 Released: Fri Oct 15 09:05:12 2021 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292,CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490 The SUSE Linux Enterprise 15 SP2 
kernel was updated.

The following security bugs were fixed:

- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193)
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
- CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could lead to local privilege escalation. (bnc#1190159)
- CVE-2021-3744: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1189884)
- CVE-2021-3764: Fixed a bug which could allow attackers to cause a denial of service. (bsc#1190534)
- CVE-2021-3669: Fixed a bug that doesn't allow /proc/sysvipc/shm to scale with large shared memory segment counts which could lead to resource exhaustion and DoS. (bsc#1188986)

The following non-security bugs were fixed:

- ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes).
- apparmor: remove duplicate macro list_entry_is_head() (git-fixes).
- ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes).
- ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes).
- ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes).
- ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes).
- ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes).
- ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes).
- ath9k: fix sleeping in atomic context (git-fixes).
- blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
- blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762).
- blk-mq: mark if one queue map uses managed irq (bsc#1185762).
- Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes).
- bnx2x: fix an error code in bnx2x_nic_load() (git-fixes).
- bnxt_en: Add missing DMA memory barriers (git-fixes).
- bnxt_en: Disable aRFS if running on 212 firmware (git-fixes).
- bnxt_en: Do not enable legacy TX push on older firmware (git-fixes).
- bnxt_en: Store the running firmware version code (git-fixes).
- bnxt: count Tx drops (git-fixes).
- bnxt: disable napi before canceling DIM (git-fixes).
- bnxt: do not lock the tx queue from napi poll (git-fixes).
- bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes).
- btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626).
- clk: at91: clk-generated: Limit the requested rate to our range (git-fixes).
- clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes).
- console: consume APC, DM, DCS (git-fixes).
- cuse: fix broken release (bsc#1190596).
- cxgb4: dont touch blocked freelist bitmap after free (git-fixes).
- debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746).
- devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353).
- dmaengine: ioat: depends on !UML (git-fixes).
- dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes).
- dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes).
- docs: Fix infiniband uverbs minor number (git-fixes).
- drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes).
- drm: avoid blocking in drm_clients_info's rcu section (git-fixes).
- drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes).
- drm/amd/display: Fix timer_per_pixel unit error (git-fixes).
- drm/amdgpu: Fix BUG_ON assert (git-fixes).
- drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes).
- drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes).
- drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes).
- e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100).
- e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes).
- EDAC/i10nm: Fix NVDIMM detection (bsc#1152489).
- EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489).
- erofs: fix up erofs_lookup tracepoint (git-fixes).
- fbmem: do not allow too huge resolutions (git-fixes).
- fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes).
- fpga: machxo2-spi: Return an error on failure (git-fixes).
- fuse: flush extending writes (bsc#1190595).
- fuse: truncate pagecache on atomic_o_trunc (bsc#1190705).
- genirq: add device_has_managed_msi_irq (bsc#1185762).
- gpio: uniphier: Fix void functions to remove return value (git-fixes).
- gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes).
- gve: fix the wrong AdminQ buffer overflow check (bsc#1176940).
- hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
- hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes).
- hwmon: (tmp421) fix rounding for negative values (git-fixes).
- hwmon: (tmp421) report /PVLD condition as fault (git-fixes).
- i40e: Add additional info to PHY type error (git-fixes).
- i40e: Fix firmware LLDP agent related warning (git-fixes).
- i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes).
- i40e: Fix logic of disabling queues (git-fixes).
- i40e: Fix queue-to-TC mapping on Tx (git-fixes).
- iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940).
- iavf: Set RSS LUT and key in reset handle path (git-fixes).
- ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
- ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943).
- ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943).
- ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943).
- ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943).
- ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943).
- ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943).
- ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943).
- ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943).
- ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943).
- ice: Prevent probing virtual functions (git-fixes).
- iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes).
- include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes).
- iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784).
- ionic: cleanly release devlink instance (bsc#1167773).
- ionic: count csum_none when offload enabled (bsc#1167773).
- ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
- ipc/util.c: use binary search for max_idx (bsc#1159886).
- ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467).
- ipvs: avoid expiring many connections from timer (bsc#1190467).
- ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467).
- ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467).
- iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes).
- kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable.
- kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs.
- kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167 bsc#1191240 ltc#194716).
- kernel-binary.spec.in: Stop templating the scriptlets for subpackages (bsc#1190358). The script part for the base package case is completely separate from the part for subpackages. Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead.
- libata: fix ata_host_start() (git-fixes).
- mac80211-hwsim: fix late beacon hrtimer handling (git-fixes).
- mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes).
- mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes).
- mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes).
- mac80211: mesh: fix potentially unaligned access (git-fixes).
- media: cedrus: Fix SUNXI tile size calculation (git-fixes).
- media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes).
- media: dib8000: rewrite the init prbs logic (git-fixes).
- media: imx258: Limit the max analogue gain to 480 (git-fixes).
- media: imx258: Rectify mismatch of VTS value (git-fixes).
- media: rc-loopback: return number of emitters rather than error (git-fixes).
- media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes).
- media: uvc: do not do DMA on stack (git-fixes).
- media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes).
- mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes).
- mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
- mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes).
- mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785).
- mmc: core: Return correct emmc response in case of ioctl error (git-fixes).
- mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes).
- mmc: sdhci-of-arasan: Check return value of non-void functions (git-fixes).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
- net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
- net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
- net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes).
- net/mlx5: Fix flow table chaining (git-fixes).
- net/mlx5: Fix return value from tracer initialization (git-fixes).
- net/mlx5: Unload device upon firmware fatal error (git-fixes).
- net/mlx5e: Avoid creating tunnel headers for local route (git-fixes).
- net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes).
- net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes).
- netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062).
- nfp: update ethtool reporting of pauseframe control (git-fixes).
- NFS: change nfs_access_get_cached to only report the mask (bsc#1190746).
- NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746).
- NFS: pass cred explicitly for access tests (bsc#1190746).
- nvme: avoid race in shutdown namespace removal (bsc#1188067).
- nvme: fix refcounting imbalance when all paths are down (bsc#1188067).
- parport: remove non-zero check on count (git-fixes).
- PCI: aardvark: Fix checking for PIO status (git-fixes).
- PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes).
- PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes).
- PCI: Add ACS quirks for Cavium multi-function devices (git-fixes).
- PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes).
- PCI: Add AMD GPU multi-function power dependencies (git-fixes).
- PCI: ibmphp: Fix double unmap of io_mem (git-fixes).
- PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes).
- PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes).
- PCI: pci-bridge-emul: Fix big-endian support (git-fixes).
- PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes).
- PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes).
- PM: base: power: do not try to use non-existing RTC for storing data (git-fixes).
- PM: EM: Increase energy calculation precision (git-fixes).
- power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes).
- power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes).
- powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289).
- powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
- powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
- powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
- powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
- powerpc/perf: Fix the check for SIAR value (bsc#1065729).
- powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
- powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
- powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
- powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
- powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
- powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
- powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
- pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
- pwm: img: Do not modify HW state in .remove() callback (git-fixes).
- pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes).
- pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes).
- qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
- RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774).
- Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes).
- regmap: fix page selection for noinc reads (git-fixes).
- regmap: fix page selection for noinc writes (git-fixes).
- regmap: fix the offset of register error log (git-fixes).
- Restore kabi after NFS: pass cred explicitly for access tests (bsc#1190746).
- rpm: Abolish scriptlet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. This allows fixing bugs in the scriptlets as well as defining initrd regeneration policy independent of the kernel packages.
- rpm/kernel-binary.spec: Use only non-empty certificates.
- rpm/kernel-binary.spec.in: avoid conflicting suse-release. suse-release had arbitrary values in staging, we can't use it for dependencies. The filesystem one has to be enough (boo#1184804).
- rtc: rx8010: select REGMAP_I2C (git-fixes).
- rtc: tps65910: Correct driver module alias (git-fixes).
- s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
- sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292).
- scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
- scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
- scsi: fc: Add EDC ELS definition (bsc#1190576).
- scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
- scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
- scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
- scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
- scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
- scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
- scsi: lpfc: Add EDC ELS support (bsc#1190576).
- scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
- scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
- scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
- scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
- scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576).
- scsi: lpfc: Add support for the CM framework (bsc#1190576).
- scsi: lpfc: Adjust bytes received values during cmf timer interval (bsc#1190576).
- scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576).
- scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576).
- scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576).
- scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576).
- scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576).
- scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576).
- scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576).
- scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576).
- scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576).
- scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576).
- scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576).
- scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576).
- scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576).
- scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576).
- scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576).
- scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576).
- scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576).
- scsi: lpfc: Remove unneeded variable (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576).
- scsi: lpfc: Use correct scnprintf() limit (bsc#1190576).
- scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576).
- scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576).
- scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576).
- scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297).
- serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes).
- serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes).
- serial: mvebu-uart: fix driver's tx_empty callback (git-fixes).
- serial: sh-sci: fix break handling for sysrq (git-fixes).
- spi: Fix tegra20 build with CONFIG_PM=n (git-fixes).
- staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes).
- staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes).
- staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes).
- thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes).
- time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes).
- tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes).
- tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes).
- tty: synclink_gt, drop unneeded forward declarations (git-fixes).
- usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes).
- usb: core: hcd: Add support for deferring roothub registration (git-fixes).
- usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes).
- usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes).
- usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes).
- usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes).
- usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes).
- usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes).
- usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes).
- usb: host: fotg210: fix the actual_length of an iso packet (git-fixes).
- usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes).
- usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes).
- usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes).
- usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes).
- usb: serial: option: add device id for Foxconn T99W265 (git-fixes).
- usb: serial: option: add Telit LN920 compositions (git-fixes).
- usb: serial: option: remove duplicate USB device ID (git-fixes).
- usbip: give back URBs for unsent unlink requests during cleanup (git-fixes).
- usbip: vhci_hcd USB port can get stuck in the disabled state (git-fixes).
- video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes).
- video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes).
- video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes).
- video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes).
- vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406).
- vmxnet3: add support for ESP IPv6 RSS (bsc#1190406).
- vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406).
- vmxnet3: prepare for version 6 changes (bsc#1190406).
- vmxnet3: remove power of 2 limitation on the queues (bsc#1190406).
- vmxnet3: set correct hash type based on rss information (bsc#1190406).
- vmxnet3: update to version 6 (bsc#1190406).
- watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes).
- x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302).
- x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
- x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289).
- x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489).
- x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489).
- x86/resctrl: Fix default monitoring groups reporting (bsc#1152489).
- xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651).
- xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679).
- xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).
- xhci: Set HCD flag to defer primary roothub registration (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3454-1
Released: Mon Oct 18 09:29:26 2021
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1189929,CVE-2021-37750

This update for krb5 fixes the following issues:

- CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3479-1
Released: Wed Oct 20 11:23:45 2021
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1184970,1186260,1187115,1187470,1187774,1190845

This update for dracut fixes the following issues:

- Fix usage information for -f parameter. (bsc#1187470)
- Fix obsolete reference to 96insmodpost in manpage. (bsc#1187774)
- Remove references to INITRD_MODULES. (bsc#1187115)
- Multipath FCoE configurations may not boot when using only one path. (bsc#1186260)
- Adjust path for SUSE: /var/lib/nfs/statd/sm to /var/lib/nfs/sm. (bsc#1184970)
- Systemd coredump unit files are missing in initrd. (1190845)
- Use $kernel rather than $(uname -r).
- Exclude modules that are built-in.
- Restore INITRD_MODULES in mkinitrd script.
- Call dracut_instmods with hostonly.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3480-1
Released: Wed Oct 20 11:24:08 2021
Summary: Recommended update for yast2-network
Type: recommended
Severity: moderate
References: 1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933

This update for yast2-network fixes the following issues:

- Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
- Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
- Consider aliases sections as case insensitive (bsc#1190739).
- Display user defined device name in the devices overview (bnc#1190645).
- Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
- Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
- Fix desktop file so the control center tooltip is translated (bsc#1187270).
- Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
- Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3490-1
Released: Wed Oct 20 16:31:55 2021
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1190793,CVE-2021-39537

This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3494-1
Released: Wed Oct 20 16:48:46 2021
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1190052

This update for pam fixes the following issues:

- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3501-1
Released: Fri Oct 22 10:42:46 2021
Summary: Recommended update for libzypp, zypper, libsolv, protobuf
Type: recommended
Severity: moderate
References: 1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815

This update for libzypp, zypper, libsolv and protobuf fixes the following issues:

- Choice rules: treat orphaned packages as newest (bsc#1190465)
- Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602)
- Do not check signatures and keys twice (redundant) (bsc#1190059)
- Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760)
- Show key fpr from signature when signature check fails (bsc#1187224)
- Fix solver jobs for PTFs (bsc#1186503)
- Fix purge-kernels fails (bsc#1187738)
- Fix obs:// platform guessing for Leap (bsc#1187425)
- Make sure to keep states alive while transitioning. (bsc#1190199)
- Manpage: Improve description about patch updates (bsc#1187466)
- Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
- Fix crashes in logging code when shutting down (bsc#1189031)
- Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
- Add need reboot/restart hint to XML install summary (bsc#1188435)
- Prompt: choose exact match if prompt options are not prefix free (bsc#1188156)
- Include libprotobuf-lite20 in products to enable parallel downloads. (jsc#ECO-2911, jsc#SLE-16862)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3506-1
Released: Mon Oct 25 10:20:22 2021
Summary: Security update for containerd, docker, runc
Type: security
Severity: important
References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434,CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103

This update for containerd, docker, runc fixes the following issues:

Docker was updated to 20.10.9-ce. (bsc#1191355)
See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103

containerd was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355

- CVE-2021-32760: Fixed that an archive package allows chmod of file outside of unpack target directory (bsc#1188282)
- Install systemd service file as well (bsc#1190826)

Update to runc v1.0.2. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.2

* Fixed a failure to set CPU quota period in some cases on cgroup v1.
* Fixed the inability to start a container with the 'adding seccomp filter rule for syscall ...' error, caused by redundant seccomp rules (i.e. those that have action equal to the default one). Such redundant rules are now skipped.
* Made release builds reproducible from now on.
* Fixed a rare debug log race in runc init, which can result in occasional harmful 'failed to decode ...' errors from runc run or exec.
* Fixed the check in cgroup v1 systemd manager if a container needs to be frozen before Set, and add a setting to skip such freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working.

Update to runc v1.0.1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.1

* Fixed occasional runc exec/run failure ('interrupted system call') on an Azure volume.
* Fixed 'unable to find groups ... token too long' error with /etc/group containing lines longer than 64K characters.
* cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some of libcontainer users (e.g. Kubernetes).
* cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely.
* cgroup/systemd/v2: don't freeze cgroup on Set.
* cgroup/systemd/v1: avoid unnecessary freeze on Set.

- fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

Update to runc v1.0.0. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0

! The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations).
* cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers).
* cgroupv2: correctly convert 'number of IOs' statistics in a cgroupv1-compatible way.
* cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
* cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen.
* cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94
* cgroups/systemd: fixed returning 'unit already exists' error from a systemd cgroup manager (regression in rc94)
+ cgroupv2: support SkipDevices with systemd driver
+ cgroup/systemd: return, not ignore, stop unit error from Destroy
+ Make 'runc --version' output sane even when built with go get or otherwise outside of our build scripts.
+ cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update).
+ cgroup1: blkio: support BFQ weights.
+ cgroupv2: set per-device io weights if BFQ IO scheduler is available.

Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95

This release of runc contains a fix for CVE-2021-30465, and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users). (bsc#1185405)

Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94

Breaking Changes:
* cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls.

Regression Fixes:
* seccomp: fix 32-bit compilation errors
* runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
* runc start: fix 'chdir to cwd: permission denied' for some setups

The following package changes have been done:

- SUSEConnect-0.3.31-13.1 updated
- ca-certificates-mozilla-2.44-21.1 updated
- containerd-ctr-1.4.11-56.1 updated
- containerd-1.4.11-56.1 updated
- curl-7.66.0-4.27.1 updated
- docker-20.10.9_ce-156.1 updated
- dracut-049.1+suse.209.gebcf4f33-3.40.1 updated
- efibootmgr-14-4.3.2 updated
- file-magic-5.32-7.14.1 updated
- file-5.32-7.14.1 updated
- glibc-locale-base-2.26-13.59.1 updated
- glibc-locale-2.26-13.59.1 updated
- glibc-2.26-13.59.1 updated
- google-guest-oslogin-20210728.00-1.21.1 updated
- grub2-i386-pc-2.04-9.49.3 updated
- grub2-x86_64-efi-2.04-9.49.3 updated
- grub2-2.04-9.49.3 updated
- kdump-0.9.0-11.6.1 updated
- kernel-default-5.3.18-24.86.2 updated
- kmod-compat-25-6.10.1 updated
- kmod-25-6.10.1 updated
- krb5-1.16.3-3.24.1 updated
- libaugeas0-1.10.1-3.3.1 updated
- libcroco-0_6-3-0.6.13-3.3.1 updated
- libcurl4-7.66.0-4.27.1 updated
-
libdevmapper1_03-1.02.163-8.36.1 updated - libfreebl3-3.68-3.56.1 updated - libkmod2-25-6.10.1 updated - libmagic1-5.32-7.14.1 updated - libncurses6-6.1-5.9.1 updated - libprotobuf-lite20-3.9.2-4.9.1 added - libsolv-tools-0.7.20-9.2 updated - libsystemd0-234-24.93.1 updated - libudev1-234-24.93.1 updated - libzypp-17.28.5-15.2 updated - ncurses-utils-6.1-5.9.1 updated - pam-1.3.0-6.47.1 updated - perl-Bootloader-0.931-3.5.1 updated - rpm-ndb-4.14.1-22.4.2 updated - runc-1.0.2-23.1 updated - shim-15.4-3.32.1 updated - sudo-1.8.27-4.21.4 updated - suse-module-tools-15.2.13-4.6.1 updated - systemd-sysvinit-234-24.93.1 updated - systemd-234-24.93.1 updated - terminfo-base-6.1-5.9.1 updated - terminfo-6.1-5.9.1 updated - udev-234-24.93.1 updated - xen-libs-4.13.3_04-3.37.1 updated - xfsprogs-4.15.0-4.40.1 updated - zypper-1.14.49-16.1 updated From sle-security-updates at lists.suse.com Wed Oct 27 07:39:17 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Wed, 27 Oct 2021 09:39:17 +0200 (CEST) Subject: SUSE-CU-2021:467-1: Security update of suse/sle15 Message-ID: <20211027073917.3368CFDAB@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:467-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.523 Container Release : 6.2.523 Severity : moderate Type : security References : 1122417 1125886 1178236 1188921 CVE-2021-37600 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3523-1
Released:    Tue Oct 26 15:40:13 2021
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1122417,1125886,1178236,1188921,CVE-2021-37600

This update for util-linux fixes the following issues:

Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2:

- CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921).
- agetty: Fix 8-bit processing in get_logname() (bsc#1125886).
- mount: Fix 'mount' output for net file systems (bsc#1122417).
- ipcs: Avoid overflows (bsc#1178236)

The following package changes have been done:

- libblkid1-2.33.2-4.16.1 updated
- libfdisk1-2.33.2-4.16.1 updated
- libmount1-2.33.2-4.16.1 updated
- libsmartcols1-2.33.2-4.16.1 updated
- libuuid1-2.33.2-4.16.1 updated
- util-linux-2.33.2-4.16.1 updated

From sle-security-updates at lists.suse.com Wed Oct 27 07:52:55 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 09:52:55 +0200 (CEST)
Subject: SUSE-CU-2021:469-1: Security update of suse/sle15
Message-ID: <20211027075255.2BF27FDAB@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:469-1
Container Tags        : suse/sle15:15.2 , suse/sle15:15.2.9.5.38
Container Release     : 9.5.38
Severity              : moderate
Type                  : security
References            : 1122417 1125886 1178236 1188921 CVE-2021-37600
-----------------------------------------------------------------

The container suse/sle15 was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3523-1
Released:    Tue Oct 26 15:40:13 2021
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1122417,1125886,1178236,1188921,CVE-2021-37600

This update for util-linux fixes the following issues:

Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2:

- CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921).
- agetty: Fix 8-bit processing in get_logname() (bsc#1125886).
- mount: Fix 'mount' output for net file systems (bsc#1122417).
- ipcs: Avoid overflows (bsc#1178236)

The following package changes have been done:

- libblkid1-2.33.2-4.16.1 updated
- libfdisk1-2.33.2-4.16.1 updated
- libmount1-2.33.2-4.16.1 updated
- libsmartcols1-2.33.2-4.16.1 updated
- libuuid1-2.33.2-4.16.1 updated
- util-linux-2.33.2-4.16.1 updated

From sle-security-updates at lists.suse.com Wed Oct 27 13:20:05 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 15:20:05 +0200 (CEST)
Subject: SUSE-SU-2021:3528-1: important: Security update for java-11-openjdk
Message-ID: <20211027132005.1FC61FBB1@maintenance.suse.de>

SUSE Security Update: Security update for java-11-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3528-1
Rating:             important
References:         #1191901 #1191903 #1191904 #1191906 #1191909 #1191910 #1191911 #1191912 #1191913 #1191914
Cross-References:   CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 CVE-2021-35564 CVE-2021-35565 CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35603
CVSS scores:
    CVE-2021-35550 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    CVE-2021-35550 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
    CVE-2021-35556 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE-2021-35556 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE-2021-35559 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE-2021-35561 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE-2021-35561 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE-2021-35564 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    CVE-2021-35564 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    CVE-2021-35565 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE-2021-35565 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE-2021-35567 (NVD) : 6.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
    CVE-2021-35578 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE-2021-35578 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE-2021-35586 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE-2021-35586 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE-2021-35603 (NVD) : 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
    CVE-2021-35603 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products:
    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that fixes 10 vulnerabilities is now available.
Description:

   This update for java-11-openjdk fixes the following issues:

   Update to 11.0.13+8 (October 2021 CPU)

   - CVE-2021-35550, bsc#1191901: Update the default enabled cipher suites preference
   - CVE-2021-35565, bsc#1191909: com.sun.net.HttpsServer spins on TLS session close
   - CVE-2021-35556, bsc#1191910: Richer Text Editors
   - CVE-2021-35559, bsc#1191911: Enhanced style for RTF kit
   - CVE-2021-35561, bsc#1191912: Better hashing support
   - CVE-2021-35564, bsc#1191913: Improve Keystore integrity
   - CVE-2021-35567, bsc#1191903: More Constrained Delegation
   - CVE-2021-35578, bsc#1191904: Improve TLS client handshaking
   - CVE-2021-35586, bsc#1191914: Better BMP support
   - CVE-2021-35603, bsc#1191906: Better session identification
   - Improve Stream handling for SSL
   - Improve requests of certificates
   - Correct certificate requests
   - Enhance DTLS client handshake

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3528=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      java-11-openjdk-11.0.13.0-3.33.2
      java-11-openjdk-debugsource-11.0.13.0-3.33.2
      java-11-openjdk-demo-11.0.13.0-3.33.2
      java-11-openjdk-devel-11.0.13.0-3.33.2
      java-11-openjdk-headless-11.0.13.0-3.33.2

References:

   https://www.suse.com/security/cve/CVE-2021-35550.html
   https://www.suse.com/security/cve/CVE-2021-35556.html
   https://www.suse.com/security/cve/CVE-2021-35559.html
   https://www.suse.com/security/cve/CVE-2021-35561.html
   https://www.suse.com/security/cve/CVE-2021-35564.html
   https://www.suse.com/security/cve/CVE-2021-35565.html
   https://www.suse.com/security/cve/CVE-2021-35567.html
   https://www.suse.com/security/cve/CVE-2021-35578.html
   https://www.suse.com/security/cve/CVE-2021-35586.html
   https://www.suse.com/security/cve/CVE-2021-35603.html
   https://bugzilla.suse.com/1191901
   https://bugzilla.suse.com/1191903
   https://bugzilla.suse.com/1191904
   https://bugzilla.suse.com/1191906
   https://bugzilla.suse.com/1191909
   https://bugzilla.suse.com/1191910
   https://bugzilla.suse.com/1191911
   https://bugzilla.suse.com/1191912
   https://bugzilla.suse.com/1191913
   https://bugzilla.suse.com/1191914

From sle-security-updates at lists.suse.com Wed Oct 27 13:33:11 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 15:33:11 +0200 (CEST)
Subject: SUSE-SU-2021:3531-1: important: Security update for busybox
Message-ID: <20211027133311.88CC4FBB1@maintenance.suse.de>

SUSE Security Update: Security update for busybox
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3531-1
Rating:             important
References:         #1099260 #1099263 #1121426 #1184522 #951562
Cross-References:   CVE-2011-5325 CVE-2018-1000500 CVE-2018-1000517 CVE-2018-20679 CVE-2021-28831
CVSS scores:
    CVE-2011-5325 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    CVE-2018-1000500 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE-2018-1000500 (SUSE): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    CVE-2018-1000517 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE-2018-1000517 (SUSE): 5.6 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
    CVE-2018-20679 (NVD) : 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    CVE-2018-20679 (SUSE): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    CVE-2021-28831 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2021-28831 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server for SAP 15
    SUSE Linux Enterprise Server 15-SP1-LTSS
    SUSE Linux Enterprise Server 15-SP1-BCL
    SUSE Linux Enterprise Server 15-LTSS
    SUSE Linux Enterprise Module for Basesystem 15-SP3
    SUSE Linux Enterprise Module for Basesystem 15-SP2
    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
    SUSE Linux Enterprise High Performance Computing 15-LTSS
    SUSE Linux Enterprise High Performance Computing 15-ESPOS
    SUSE Enterprise Storage 6
    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that fixes 5 vulnerabilities is now available.

Description:

   This update for busybox fixes the following issues:

   - CVE-2021-28831: Fixed invalid free or segmentation fault via malformed gzip data (bsc#1184522).
   - CVE-2018-20679: Fixed out of bounds read in udhcp (bsc#1121426).
   - CVE-2018-1000517: Fixed buffer overflow in retrieve_file_data() (bsc#1099260).
   - CVE-2011-5325: Fixed a directory traversal related to the 'tar' command (bsc#951562).
   - CVE-2018-1000500: Fixed missing SSL certificate validation related to the 'wget' command (bsc#1099263).
Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15-SP1:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-3531=1
   - SUSE Linux Enterprise Server for SAP 15:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-3531=1
   - SUSE Linux Enterprise Server 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-3531=1
   - SUSE Linux Enterprise Server 15-SP1-BCL:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-3531=1
   - SUSE Linux Enterprise Server 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-2021-3531=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP3:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3531=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3531=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-3531=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-3531=1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3531=1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3531=1
   - SUSE Enterprise Storage 6:
      zypper in -t patch SUSE-Storage-6-2021-3531=1
   - SUSE CaaS Platform 4.0:
      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
      busybox-1.26.2-4.5.1
      busybox-static-1.26.2-4.5.1
   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
      busybox-1.26.2-4.5.1
   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
      busybox-1.26.2-4.5.1
      busybox-static-1.26.2-4.5.1
   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
      busybox-1.26.2-4.5.1
      busybox-static-1.26.2-4.5.1
   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
      busybox-1.26.2-4.5.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
      busybox-1.26.2-4.5.1
      busybox-static-1.26.2-4.5.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
      busybox-1.26.2-4.5.1
      busybox-static-1.26.2-4.5.1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
      busybox-1.26.2-4.5.1
      busybox-static-1.26.2-4.5.1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
      busybox-1.26.2-4.5.1
      busybox-static-1.26.2-4.5.1
   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
      busybox-1.26.2-4.5.1
   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
      busybox-1.26.2-4.5.1
   - SUSE Enterprise Storage 6 (aarch64 x86_64):
      busybox-1.26.2-4.5.1
      busybox-static-1.26.2-4.5.1
   - SUSE CaaS Platform 4.0 (x86_64):
      busybox-1.26.2-4.5.1
      busybox-static-1.26.2-4.5.1

References:

   https://www.suse.com/security/cve/CVE-2011-5325.html
   https://www.suse.com/security/cve/CVE-2018-1000500.html
   https://www.suse.com/security/cve/CVE-2018-1000517.html
   https://www.suse.com/security/cve/CVE-2018-20679.html
   https://www.suse.com/security/cve/CVE-2021-28831.html
   https://bugzilla.suse.com/1099260
   https://bugzilla.suse.com/1099263
   https://bugzilla.suse.com/1121426
   https://bugzilla.suse.com/1184522
   https://bugzilla.suse.com/951562

From sle-security-updates at lists.suse.com Wed Oct 27 13:35:15 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 15:35:15 +0200 (CEST)
Subject: SUSE-SU-2021:3529-1: moderate: Security update for pcre
Message-ID: <20211027133515.E3BEBFBB1@maintenance.suse.de>

SUSE Security Update: Security update for pcre
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3529-1
Rating:             moderate
References:         #1172973 #1172974
Cross-References:   CVE-2019-20838 CVE-2020-14155
CVSS scores:
    CVE-2019-20838 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2019-20838 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2020-14155 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE-2020-14155 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
    SUSE MicroOS 5.1
    SUSE MicroOS 5.0
    SUSE Linux Enterprise Module for Basesystem 15-SP3
    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for pcre fixes the following issues:

   Update pcre to version 8.45:

   - CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
   - CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.1:
      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3529=1
   - SUSE MicroOS 5.0:
      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3529=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP3:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3529=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3529=1

Package List:

   - SUSE MicroOS 5.1 (aarch64 s390x x86_64):
      libpcre1-8.45-20.10.1
      libpcre1-debuginfo-8.45-20.10.1
      pcre-debugsource-8.45-20.10.1
   - SUSE MicroOS 5.0 (aarch64 x86_64):
      libpcre1-8.45-20.10.1
      libpcre1-debuginfo-8.45-20.10.1
      pcre-debugsource-8.45-20.10.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
      libpcre1-8.45-20.10.1
      libpcre1-debuginfo-8.45-20.10.1
      libpcre16-0-8.45-20.10.1
      libpcre16-0-debuginfo-8.45-20.10.1
      libpcrecpp0-8.45-20.10.1
      libpcrecpp0-debuginfo-8.45-20.10.1
      libpcreposix0-8.45-20.10.1
      libpcreposix0-debuginfo-8.45-20.10.1
      pcre-debugsource-8.45-20.10.1
      pcre-devel-8.45-20.10.1
      pcre-tools-8.45-20.10.1
      pcre-tools-debuginfo-8.45-20.10.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):
      libpcre1-32bit-8.45-20.10.1
      libpcre1-32bit-debuginfo-8.45-20.10.1
      libpcrecpp0-32bit-8.45-20.10.1
      libpcrecpp0-32bit-debuginfo-8.45-20.10.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
      libpcre1-8.45-20.10.1
      libpcre1-debuginfo-8.45-20.10.1
      libpcre16-0-8.45-20.10.1
      libpcre16-0-debuginfo-8.45-20.10.1
      libpcrecpp0-8.45-20.10.1
      libpcrecpp0-debuginfo-8.45-20.10.1
      libpcreposix0-8.45-20.10.1
      libpcreposix0-debuginfo-8.45-20.10.1
      pcre-debugsource-8.45-20.10.1
      pcre-devel-8.45-20.10.1
      pcre-tools-8.45-20.10.1
      pcre-tools-debuginfo-8.45-20.10.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):
      libpcre1-32bit-8.45-20.10.1
      libpcre1-32bit-debuginfo-8.45-20.10.1
      libpcrecpp0-32bit-8.45-20.10.1
      libpcrecpp0-32bit-debuginfo-8.45-20.10.1

References:

   https://www.suse.com/security/cve/CVE-2019-20838.html
   https://www.suse.com/security/cve/CVE-2020-14155.html
   https://bugzilla.suse.com/1172973
   https://bugzilla.suse.com/1172974

From sle-security-updates at lists.suse.com Wed Oct 27 13:36:53 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 15:36:53 +0200 (CEST)
Subject: SUSE-SU-2021:3530-1: moderate: Security update for dnsmasq
Message-ID: <20211027133653.15D7FFBB1@maintenance.suse.de>

SUSE Security Update: Security update for dnsmasq
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3530-1
Rating:             moderate
References:         #1173646 #1180914 #1183709 SLE-17936
Cross-References:   CVE-2020-14312 CVE-2021-3448
CVSS scores:
    CVE-2020-14312 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
    CVE-2020-14312 (SUSE): 4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
    CVE-2021-3448 (NVD) : 4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
    CVE-2021-3448 (SUSE): 4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Affected Products:
    SUSE MicroOS 5.1
    SUSE MicroOS 5.0
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server 15-SP1-LTSS
    SUSE Linux Enterprise Server 15-SP1-BCL
    SUSE Linux Enterprise Module for Basesystem 15-SP3
    SUSE Linux Enterprise Module for Basesystem 15-SP2
    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
    SUSE Enterprise Storage 6
    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that solves two vulnerabilities, contains one feature and has one errata is now available.

Description:

   This update for dnsmasq fixes the following issues:

   Update to version 2.86

   - CVE-2021-3448: fixed outgoing port used when --server is used with an interface name. (bsc#1183709)
   - CVE-2020-14312: Set --local-service by default (bsc#1173646).
   - Open inotify socket only when used (bsc#1180914).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.1:
      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3530=1
   - SUSE MicroOS 5.0:
      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3530=1
   - SUSE Linux Enterprise Server for SAP 15-SP1:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-3530=1
   - SUSE Linux Enterprise Server 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-3530=1
   - SUSE Linux Enterprise Server 15-SP1-BCL:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-3530=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP3:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3530=1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2:
      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3530=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-3530=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-3530=1
   - SUSE Enterprise Storage 6:
      zypper in -t patch SUSE-Storage-6-2021-3530=1
   - SUSE CaaS Platform 4.0:
      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

   - SUSE MicroOS 5.1 (aarch64 s390x x86_64):
      dnsmasq-2.86-7.14.1
      dnsmasq-debuginfo-2.86-7.14.1
      dnsmasq-debugsource-2.86-7.14.1
   - SUSE MicroOS 5.0 (aarch64 x86_64):
      dnsmasq-2.86-7.14.1
      dnsmasq-debuginfo-2.86-7.14.1
      dnsmasq-debugsource-2.86-7.14.1
   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
      dnsmasq-2.86-7.14.1
      dnsmasq-debuginfo-2.86-7.14.1
      dnsmasq-debugsource-2.86-7.14.1
   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
      dnsmasq-2.86-7.14.1
      dnsmasq-debuginfo-2.86-7.14.1
      dnsmasq-debugsource-2.86-7.14.1
   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
      dnsmasq-2.86-7.14.1
      dnsmasq-debuginfo-2.86-7.14.1
      dnsmasq-debugsource-2.86-7.14.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
      dnsmasq-2.86-7.14.1
      dnsmasq-debuginfo-2.86-7.14.1
      dnsmasq-debugsource-2.86-7.14.1
   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
      dnsmasq-2.86-7.14.1
      dnsmasq-debuginfo-2.86-7.14.1
      dnsmasq-debugsource-2.86-7.14.1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
      dnsmasq-2.86-7.14.1
      dnsmasq-debuginfo-2.86-7.14.1
      dnsmasq-debugsource-2.86-7.14.1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
      dnsmasq-2.86-7.14.1
      dnsmasq-debuginfo-2.86-7.14.1
      dnsmasq-debugsource-2.86-7.14.1
   - SUSE Enterprise Storage 6 (aarch64 x86_64):
      dnsmasq-2.86-7.14.1
      dnsmasq-debuginfo-2.86-7.14.1
      dnsmasq-debugsource-2.86-7.14.1
   - SUSE CaaS Platform 4.0 (x86_64):
      dnsmasq-2.86-7.14.1
      dnsmasq-debuginfo-2.86-7.14.1
      dnsmasq-debugsource-2.86-7.14.1

References:

   https://www.suse.com/security/cve/CVE-2020-14312.html
   https://www.suse.com/security/cve/CVE-2021-3448.html
   https://bugzilla.suse.com/1173646
   https://bugzilla.suse.com/1180914
   https://bugzilla.suse.com/1183709

From sle-security-updates at lists.suse.com Wed Oct 27 13:48:20 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 15:48:20 +0200 (CEST)
Subject: SUSE-SU-2021:3540-1: important: Security update for libvirt
Message-ID: <20211027134820.CB53BFBB1@maintenance.suse.de>

SUSE Security Update: Security update for libvirt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3540-1
Rating:             important
References:         #1182783 #1184152 #1184772 #1185081 #1188843 #1190420
Cross-References:   CVE-2021-3667
CVSS scores:
    CVE-2021-3667 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Products:
    SUSE Linux Enterprise Server for SAP 15-SP1
    SUSE Linux Enterprise Server 15-SP1-LTSS
    SUSE Linux Enterprise Server 15-SP1-BCL
    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
    SUSE Enterprise Storage 6
    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that solves one vulnerability and has 5 fixes is now available.

Description:

   This update for libvirt fixes the following issues:

   Security issue fixed:

   - CVE-2021-3667: Fixed a DoS vulnerability in the libvirt virStoragePoolLookupByTargetPath API. (bsc#1188843)

   Non-security issues fixed:

   - resolved hangs/crashes on libvirtd shutdown (bsc#1182783)
   - qemu: Normalize MAC address in device conf on netdev hotplug (bsc#1184772)
   - libxl: Fix driver reload (bsc#1190420)
   - libxl: Add support for 'e820_host' settings (bsc#1185081)
   - libxl: Fix domain shutdown (bsc#1184152)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15-SP1:
      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-3540=1
   - SUSE Linux Enterprise Server 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-3540=1
   - SUSE Linux Enterprise Server 15-SP1-BCL:
      zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-3540=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-3540=1
   - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
      zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-3540=1
   - SUSE Enterprise Storage 6:
      zypper in -t patch SUSE-Storage-6-2021-3540=1
   - SUSE CaaS Platform 4.0:
      To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

   - SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
      libvirt-5.1.0-8.29.1
      libvirt-admin-5.1.0-8.29.1
      libvirt-admin-debuginfo-5.1.0-8.29.1
      libvirt-client-5.1.0-8.29.1
      libvirt-client-debuginfo-5.1.0-8.29.1
      libvirt-daemon-5.1.0-8.29.1
      libvirt-daemon-config-network-5.1.0-8.29.1
      libvirt-daemon-config-nwfilter-5.1.0-8.29.1
      libvirt-daemon-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-interface-5.1.0-8.29.1
      libvirt-daemon-driver-interface-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-lxc-5.1.0-8.29.1
      libvirt-daemon-driver-lxc-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-network-5.1.0-8.29.1
      libvirt-daemon-driver-network-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-nodedev-5.1.0-8.29.1
      libvirt-daemon-driver-nodedev-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-nwfilter-5.1.0-8.29.1
      libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-qemu-5.1.0-8.29.1
      libvirt-daemon-driver-qemu-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-secret-5.1.0-8.29.1
      libvirt-daemon-driver-secret-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-5.1.0-8.29.1
      libvirt-daemon-driver-storage-core-5.1.0-8.29.1
      libvirt-daemon-driver-storage-core-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-disk-5.1.0-8.29.1
      libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-iscsi-5.1.0-8.29.1
      libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-logical-5.1.0-8.29.1
      libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-mpath-5.1.0-8.29.1
      libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-scsi-5.1.0-8.29.1
      libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-8.29.1
      libvirt-daemon-hooks-5.1.0-8.29.1
      libvirt-daemon-lxc-5.1.0-8.29.1
      libvirt-daemon-qemu-5.1.0-8.29.1
      libvirt-debugsource-5.1.0-8.29.1
      libvirt-devel-5.1.0-8.29.1
      libvirt-libs-5.1.0-8.29.1
      libvirt-libs-debuginfo-5.1.0-8.29.1
      libvirt-lock-sanlock-5.1.0-8.29.1
      libvirt-lock-sanlock-debuginfo-5.1.0-8.29.1
      libvirt-nss-5.1.0-8.29.1
      libvirt-nss-debuginfo-5.1.0-8.29.1
   - SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):
      libvirt-bash-completion-5.1.0-8.29.1
      libvirt-doc-5.1.0-8.29.1
   - SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64):
      libvirt-daemon-driver-libxl-5.1.0-8.29.1
      libvirt-daemon-driver-libxl-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-rbd-5.1.0-8.29.1
      libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-8.29.1
      libvirt-daemon-xen-5.1.0-8.29.1
   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
      libvirt-5.1.0-8.29.1
      libvirt-admin-5.1.0-8.29.1
      libvirt-admin-debuginfo-5.1.0-8.29.1
      libvirt-client-5.1.0-8.29.1
      libvirt-client-debuginfo-5.1.0-8.29.1
      libvirt-daemon-5.1.0-8.29.1
      libvirt-daemon-config-network-5.1.0-8.29.1
      libvirt-daemon-config-nwfilter-5.1.0-8.29.1
      libvirt-daemon-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-interface-5.1.0-8.29.1
      libvirt-daemon-driver-interface-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-lxc-5.1.0-8.29.1
      libvirt-daemon-driver-lxc-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-network-5.1.0-8.29.1
      libvirt-daemon-driver-network-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-nodedev-5.1.0-8.29.1
      libvirt-daemon-driver-nodedev-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-nwfilter-5.1.0-8.29.1
      libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-qemu-5.1.0-8.29.1
      libvirt-daemon-driver-qemu-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-secret-5.1.0-8.29.1
      libvirt-daemon-driver-secret-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-5.1.0-8.29.1
      libvirt-daemon-driver-storage-core-5.1.0-8.29.1
      libvirt-daemon-driver-storage-core-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-disk-5.1.0-8.29.1
      libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-iscsi-5.1.0-8.29.1
      libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-logical-5.1.0-8.29.1
      libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-mpath-5.1.0-8.29.1
      libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-scsi-5.1.0-8.29.1
      libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-8.29.1
      libvirt-daemon-hooks-5.1.0-8.29.1
      libvirt-daemon-lxc-5.1.0-8.29.1
      libvirt-daemon-qemu-5.1.0-8.29.1
      libvirt-debugsource-5.1.0-8.29.1
      libvirt-devel-5.1.0-8.29.1
      libvirt-libs-5.1.0-8.29.1
      libvirt-libs-debuginfo-5.1.0-8.29.1
      libvirt-lock-sanlock-5.1.0-8.29.1
      libvirt-lock-sanlock-debuginfo-5.1.0-8.29.1
      libvirt-nss-5.1.0-8.29.1
      libvirt-nss-debuginfo-5.1.0-8.29.1
   - SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 x86_64):
      libvirt-daemon-driver-storage-rbd-5.1.0-8.29.1
      libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-8.29.1
   - SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64):
      libvirt-daemon-driver-libxl-5.1.0-8.29.1
      libvirt-daemon-driver-libxl-debuginfo-5.1.0-8.29.1
      libvirt-daemon-xen-5.1.0-8.29.1
   - SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):
      libvirt-bash-completion-5.1.0-8.29.1
      libvirt-doc-5.1.0-8.29.1
   - SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
      libvirt-5.1.0-8.29.1
      libvirt-admin-5.1.0-8.29.1
      libvirt-admin-debuginfo-5.1.0-8.29.1
      libvirt-client-5.1.0-8.29.1
      libvirt-client-debuginfo-5.1.0-8.29.1
      libvirt-daemon-5.1.0-8.29.1
      libvirt-daemon-config-network-5.1.0-8.29.1
      libvirt-daemon-config-nwfilter-5.1.0-8.29.1
      libvirt-daemon-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-interface-5.1.0-8.29.1
      libvirt-daemon-driver-interface-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-libxl-5.1.0-8.29.1
      libvirt-daemon-driver-libxl-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-lxc-5.1.0-8.29.1
      libvirt-daemon-driver-lxc-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-network-5.1.0-8.29.1
      libvirt-daemon-driver-network-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-nodedev-5.1.0-8.29.1
      libvirt-daemon-driver-nodedev-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-nwfilter-5.1.0-8.29.1
      libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-qemu-5.1.0-8.29.1
      libvirt-daemon-driver-qemu-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-secret-5.1.0-8.29.1
      libvirt-daemon-driver-secret-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-5.1.0-8.29.1
      libvirt-daemon-driver-storage-core-5.1.0-8.29.1
      libvirt-daemon-driver-storage-core-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-disk-5.1.0-8.29.1
      libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-iscsi-5.1.0-8.29.1
      libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-logical-5.1.0-8.29.1
      libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-mpath-5.1.0-8.29.1
      libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-rbd-5.1.0-8.29.1
      libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-8.29.1
      libvirt-daemon-driver-storage-scsi-5.1.0-8.29.1
      libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-8.29.1
      libvirt-daemon-hooks-5.1.0-8.29.1
libvirt-daemon-lxc-5.1.0-8.29.1 libvirt-daemon-qemu-5.1.0-8.29.1 libvirt-daemon-xen-5.1.0-8.29.1 libvirt-debugsource-5.1.0-8.29.1 libvirt-devel-5.1.0-8.29.1 libvirt-libs-5.1.0-8.29.1 libvirt-libs-debuginfo-5.1.0-8.29.1 libvirt-lock-sanlock-5.1.0-8.29.1 libvirt-lock-sanlock-debuginfo-5.1.0-8.29.1 libvirt-nss-5.1.0-8.29.1 libvirt-nss-debuginfo-5.1.0-8.29.1 - SUSE Linux Enterprise Server 15-SP1-BCL (noarch): libvirt-bash-completion-5.1.0-8.29.1 libvirt-doc-5.1.0-8.29.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): libvirt-5.1.0-8.29.1 libvirt-admin-5.1.0-8.29.1 libvirt-admin-debuginfo-5.1.0-8.29.1 libvirt-client-5.1.0-8.29.1 libvirt-client-debuginfo-5.1.0-8.29.1 libvirt-daemon-5.1.0-8.29.1 libvirt-daemon-config-network-5.1.0-8.29.1 libvirt-daemon-config-nwfilter-5.1.0-8.29.1 libvirt-daemon-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-interface-5.1.0-8.29.1 libvirt-daemon-driver-interface-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-lxc-5.1.0-8.29.1 libvirt-daemon-driver-lxc-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-network-5.1.0-8.29.1 libvirt-daemon-driver-network-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-nodedev-5.1.0-8.29.1 libvirt-daemon-driver-nodedev-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-nwfilter-5.1.0-8.29.1 libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-qemu-5.1.0-8.29.1 libvirt-daemon-driver-qemu-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-secret-5.1.0-8.29.1 libvirt-daemon-driver-secret-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-5.1.0-8.29.1 libvirt-daemon-driver-storage-core-5.1.0-8.29.1 libvirt-daemon-driver-storage-core-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-disk-5.1.0-8.29.1 libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-iscsi-5.1.0-8.29.1 libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-logical-5.1.0-8.29.1 libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-8.29.1 
libvirt-daemon-driver-storage-mpath-5.1.0-8.29.1 libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-rbd-5.1.0-8.29.1 libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-scsi-5.1.0-8.29.1 libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-8.29.1 libvirt-daemon-hooks-5.1.0-8.29.1 libvirt-daemon-lxc-5.1.0-8.29.1 libvirt-daemon-qemu-5.1.0-8.29.1 libvirt-debugsource-5.1.0-8.29.1 libvirt-devel-5.1.0-8.29.1 libvirt-libs-5.1.0-8.29.1 libvirt-libs-debuginfo-5.1.0-8.29.1 libvirt-lock-sanlock-5.1.0-8.29.1 libvirt-lock-sanlock-debuginfo-5.1.0-8.29.1 libvirt-nss-5.1.0-8.29.1 libvirt-nss-debuginfo-5.1.0-8.29.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64): libvirt-daemon-driver-libxl-5.1.0-8.29.1 libvirt-daemon-driver-libxl-debuginfo-5.1.0-8.29.1 libvirt-daemon-xen-5.1.0-8.29.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): libvirt-bash-completion-5.1.0-8.29.1 libvirt-doc-5.1.0-8.29.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): libvirt-5.1.0-8.29.1 libvirt-admin-5.1.0-8.29.1 libvirt-admin-debuginfo-5.1.0-8.29.1 libvirt-client-5.1.0-8.29.1 libvirt-client-debuginfo-5.1.0-8.29.1 libvirt-daemon-5.1.0-8.29.1 libvirt-daemon-config-network-5.1.0-8.29.1 libvirt-daemon-config-nwfilter-5.1.0-8.29.1 libvirt-daemon-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-interface-5.1.0-8.29.1 libvirt-daemon-driver-interface-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-lxc-5.1.0-8.29.1 libvirt-daemon-driver-lxc-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-network-5.1.0-8.29.1 libvirt-daemon-driver-network-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-nodedev-5.1.0-8.29.1 libvirt-daemon-driver-nodedev-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-nwfilter-5.1.0-8.29.1 libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-qemu-5.1.0-8.29.1 libvirt-daemon-driver-qemu-debuginfo-5.1.0-8.29.1 
libvirt-daemon-driver-secret-5.1.0-8.29.1 libvirt-daemon-driver-secret-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-5.1.0-8.29.1 libvirt-daemon-driver-storage-core-5.1.0-8.29.1 libvirt-daemon-driver-storage-core-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-disk-5.1.0-8.29.1 libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-iscsi-5.1.0-8.29.1 libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-logical-5.1.0-8.29.1 libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-mpath-5.1.0-8.29.1 libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-rbd-5.1.0-8.29.1 libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-scsi-5.1.0-8.29.1 libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-8.29.1 libvirt-daemon-hooks-5.1.0-8.29.1 libvirt-daemon-lxc-5.1.0-8.29.1 libvirt-daemon-qemu-5.1.0-8.29.1 libvirt-debugsource-5.1.0-8.29.1 libvirt-devel-5.1.0-8.29.1 libvirt-libs-5.1.0-8.29.1 libvirt-libs-debuginfo-5.1.0-8.29.1 libvirt-lock-sanlock-5.1.0-8.29.1 libvirt-lock-sanlock-debuginfo-5.1.0-8.29.1 libvirt-nss-5.1.0-8.29.1 libvirt-nss-debuginfo-5.1.0-8.29.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64): libvirt-daemon-driver-libxl-5.1.0-8.29.1 libvirt-daemon-driver-libxl-debuginfo-5.1.0-8.29.1 libvirt-daemon-xen-5.1.0-8.29.1 - SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): libvirt-bash-completion-5.1.0-8.29.1 libvirt-doc-5.1.0-8.29.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): libvirt-5.1.0-8.29.1 libvirt-admin-5.1.0-8.29.1 libvirt-admin-debuginfo-5.1.0-8.29.1 libvirt-client-5.1.0-8.29.1 libvirt-client-debuginfo-5.1.0-8.29.1 libvirt-daemon-5.1.0-8.29.1 libvirt-daemon-config-network-5.1.0-8.29.1 libvirt-daemon-config-nwfilter-5.1.0-8.29.1 libvirt-daemon-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-interface-5.1.0-8.29.1 
libvirt-daemon-driver-interface-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-lxc-5.1.0-8.29.1 libvirt-daemon-driver-lxc-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-network-5.1.0-8.29.1 libvirt-daemon-driver-network-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-nodedev-5.1.0-8.29.1 libvirt-daemon-driver-nodedev-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-nwfilter-5.1.0-8.29.1 libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-qemu-5.1.0-8.29.1 libvirt-daemon-driver-qemu-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-secret-5.1.0-8.29.1 libvirt-daemon-driver-secret-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-5.1.0-8.29.1 libvirt-daemon-driver-storage-core-5.1.0-8.29.1 libvirt-daemon-driver-storage-core-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-disk-5.1.0-8.29.1 libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-iscsi-5.1.0-8.29.1 libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-logical-5.1.0-8.29.1 libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-mpath-5.1.0-8.29.1 libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-rbd-5.1.0-8.29.1 libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-scsi-5.1.0-8.29.1 libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-8.29.1 libvirt-daemon-hooks-5.1.0-8.29.1 libvirt-daemon-lxc-5.1.0-8.29.1 libvirt-daemon-qemu-5.1.0-8.29.1 libvirt-debugsource-5.1.0-8.29.1 libvirt-devel-5.1.0-8.29.1 libvirt-libs-5.1.0-8.29.1 libvirt-libs-debuginfo-5.1.0-8.29.1 libvirt-lock-sanlock-5.1.0-8.29.1 libvirt-lock-sanlock-debuginfo-5.1.0-8.29.1 libvirt-nss-5.1.0-8.29.1 libvirt-nss-debuginfo-5.1.0-8.29.1 - SUSE Enterprise Storage 6 (noarch): libvirt-bash-completion-5.1.0-8.29.1 libvirt-doc-5.1.0-8.29.1 - SUSE Enterprise Storage 6 (x86_64): libvirt-daemon-driver-libxl-5.1.0-8.29.1 libvirt-daemon-driver-libxl-debuginfo-5.1.0-8.29.1 
libvirt-daemon-xen-5.1.0-8.29.1 - SUSE CaaS Platform 4.0 (noarch): libvirt-bash-completion-5.1.0-8.29.1 libvirt-doc-5.1.0-8.29.1 - SUSE CaaS Platform 4.0 (x86_64): libvirt-5.1.0-8.29.1 libvirt-admin-5.1.0-8.29.1 libvirt-admin-debuginfo-5.1.0-8.29.1 libvirt-client-5.1.0-8.29.1 libvirt-client-debuginfo-5.1.0-8.29.1 libvirt-daemon-5.1.0-8.29.1 libvirt-daemon-config-network-5.1.0-8.29.1 libvirt-daemon-config-nwfilter-5.1.0-8.29.1 libvirt-daemon-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-interface-5.1.0-8.29.1 libvirt-daemon-driver-interface-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-libxl-5.1.0-8.29.1 libvirt-daemon-driver-libxl-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-lxc-5.1.0-8.29.1 libvirt-daemon-driver-lxc-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-network-5.1.0-8.29.1 libvirt-daemon-driver-network-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-nodedev-5.1.0-8.29.1 libvirt-daemon-driver-nodedev-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-nwfilter-5.1.0-8.29.1 libvirt-daemon-driver-nwfilter-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-qemu-5.1.0-8.29.1 libvirt-daemon-driver-qemu-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-secret-5.1.0-8.29.1 libvirt-daemon-driver-secret-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-5.1.0-8.29.1 libvirt-daemon-driver-storage-core-5.1.0-8.29.1 libvirt-daemon-driver-storage-core-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-disk-5.1.0-8.29.1 libvirt-daemon-driver-storage-disk-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-iscsi-5.1.0-8.29.1 libvirt-daemon-driver-storage-iscsi-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-logical-5.1.0-8.29.1 libvirt-daemon-driver-storage-logical-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-mpath-5.1.0-8.29.1 libvirt-daemon-driver-storage-mpath-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-rbd-5.1.0-8.29.1 libvirt-daemon-driver-storage-rbd-debuginfo-5.1.0-8.29.1 libvirt-daemon-driver-storage-scsi-5.1.0-8.29.1 
libvirt-daemon-driver-storage-scsi-debuginfo-5.1.0-8.29.1 libvirt-daemon-hooks-5.1.0-8.29.1 libvirt-daemon-lxc-5.1.0-8.29.1 libvirt-daemon-qemu-5.1.0-8.29.1 libvirt-daemon-xen-5.1.0-8.29.1 libvirt-debugsource-5.1.0-8.29.1 libvirt-devel-5.1.0-8.29.1 libvirt-libs-5.1.0-8.29.1 libvirt-libs-debuginfo-5.1.0-8.29.1 libvirt-lock-sanlock-5.1.0-8.29.1 libvirt-lock-sanlock-debuginfo-5.1.0-8.29.1 libvirt-nss-5.1.0-8.29.1 libvirt-nss-debuginfo-5.1.0-8.29.1

References:

https://www.suse.com/security/cve/CVE-2021-3667.html
https://bugzilla.suse.com/1182783
https://bugzilla.suse.com/1184152
https://bugzilla.suse.com/1184772
https://bugzilla.suse.com/1185081
https://bugzilla.suse.com/1188843
https://bugzilla.suse.com/1190420

From sle-security-updates at lists.suse.com Wed Oct 27 19:18:07 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 21:18:07 +0200 (CEST)
Subject: SUSE-SU-2021:3555-1: moderate: Security update for salt
Message-ID: <20211027191807.45030FDAB@maintenance.suse.de>

SUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3555-1
Rating:             moderate
References:         #1190265
Cross-References:   CVE-2021-21996
CVSS scores:
                    CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15-SP1
                    SUSE Linux Enterprise Server 15-SP1-LTSS
                    SUSE Linux Enterprise Server 15-SP1-BCL
                    SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
                    SUSE Enterprise Storage 6
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for salt fixes the following issues:

- Support querying for JSON data in external sql pillar.
- Exclude the full path of a download URL to prevent injection of malicious code. (bsc#1190265, CVE-2021-21996)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15-SP1:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-3555=1

- SUSE Linux Enterprise Server 15-SP1-LTSS:

  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-3555=1

- SUSE Linux Enterprise Server 15-SP1-BCL:

  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-3555=1

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-3555=1

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-3555=1

- SUSE Enterprise Storage 6:

  zypper in -t patch SUSE-Storage-6-2021-3555=1

- SUSE CaaS Platform 4.0:

  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
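The zypper commands above install the patch, but they do not tell you afterwards whether every host actually carries the fixed builds named in the package list that follows. The script below is an added example, not SUSE tooling: it parses a package list in the advisory's own name-version-release form, compares it with the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` (a constructed sample is embedded so the script runs offline) and reports packages still older than the fix. The comparison follows rpm's segment rules, so that a release of 48.10 sorts after 48.4, which a plain string comparison gets wrong. The advisory package list embedded here is the one for SUSE Linux Enterprise Server 15-SP1-LTSS; the installed versions are invented.

```python
"""Compare installed RPM versions against the fixed versions in a SUSE advisory.

Added example, not part of the advisory or of any SUSE tool. The package list
is copied from the advisory (SLES 15-SP1-LTSS); the "installed" lines are a
constructed sample of the rpm query output named below.
"""
import re

# Package list copied from the advisory for SLES 15-SP1-LTSS (aarch64 ppc64le s390x x86_64).
ADVISORY_PACKAGES = """
python3-salt-3002.2-48.4 salt-3002.2-48.4 salt-api-3002.2-48.4
salt-cloud-3002.2-48.4 salt-doc-3002.2-48.4 salt-master-3002.2-48.4
salt-minion-3002.2-48.4 salt-proxy-3002.2-48.4 salt-ssh-3002.2-48.4
salt-standalone-formulas-configuration-3002.2-48.4 salt-syndic-3002.2-48.4
salt-transactional-update-3002.2-48.4
"""

# Constructed sample of:  rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
INSTALLED_SAMPLE = """
salt 3002.2-48.1
salt-minion 3002.2-48.1
python3-salt 3002.2-48.4
salt-api 3002.2-49.1
libvirt-libs 5.1.0-8.26.1
"""

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Segment-wise comparison as rpm's rpmvercmp() does it (tilde and caret
    handling omitted; the plain N-V-R strings above do not use them).
    Returns -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # numeric segments compare as integers
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        elif x != y:
            return 1 if x > y else -1        # alphabetic segments compare lexically
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def evr_cmp(installed: str, fixed: str) -> int:
    """Compare two 'version-release' strings: version first, then release."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpm_vercmp(iv, fv) or rpm_vercmp(ir, fr)


def parse_advisory_packages(text: str) -> dict:
    """Map package name -> 'version-release' from an advisory package list.
    In an RPM N-V-R the last two dashes separate name, version and release,
    so names that themselves contain dashes survive intact."""
    fixed = {}
    for nvr in text.split():
        name, version, release = nvr.rsplit("-", 2)
        fixed[name] = f"{version}-{release}"
    return fixed


def parse_installed(text: str) -> dict:
    """Map package name -> 'version-release' from the rpm query output."""
    return dict(line.split(None, 1) for line in text.strip().splitlines())


def missing_update(installed: dict, fixed: dict) -> list:
    """Return [(name, installed_vr, fixed_vr)] for installed packages older than
    the advisory's fixed build. Packages the host does not have, and packages
    outside the advisory, are not reported."""
    report = []
    for name, have in installed.items():
        want = fixed.get(name)
        if want is not None and evr_cmp(have, want) < 0:
            report.append((name, have, want))
    return sorted(report)


if __name__ == "__main__":
    fixed = parse_advisory_packages(ADVISORY_PACKAGES)
    for name, have, want in missing_update(parse_installed(INSTALLED_SAMPLE), fixed):
        print(f"{name}: installed {have}, fixed in {want}")
```

On a real host replace INSTALLED_SAMPLE with the output of the rpm query and ADVISORY_PACKAGES with the package list for the product the host runs; the Debian and Ubuntu client-tool advisories further down use Debian version strings, whose comparison rules differ, so this script is for the RPM-based products only.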
Package List:

- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
  python3-salt-3002.2-48.4 salt-3002.2-48.4 salt-api-3002.2-48.4 salt-cloud-3002.2-48.4 salt-doc-3002.2-48.4 salt-master-3002.2-48.4 salt-minion-3002.2-48.4 salt-proxy-3002.2-48.4 salt-ssh-3002.2-48.4 salt-standalone-formulas-configuration-3002.2-48.4 salt-syndic-3002.2-48.4 salt-transactional-update-3002.2-48.4

- SUSE Linux Enterprise Server for SAP 15-SP1 (noarch):
  salt-bash-completion-3002.2-48.4 salt-fish-completion-3002.2-48.4 salt-zsh-completion-3002.2-48.4

- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
  python3-salt-3002.2-48.4 salt-3002.2-48.4 salt-api-3002.2-48.4 salt-cloud-3002.2-48.4 salt-doc-3002.2-48.4 salt-master-3002.2-48.4 salt-minion-3002.2-48.4 salt-proxy-3002.2-48.4 salt-ssh-3002.2-48.4 salt-standalone-formulas-configuration-3002.2-48.4 salt-syndic-3002.2-48.4 salt-transactional-update-3002.2-48.4

- SUSE Linux Enterprise Server 15-SP1-LTSS (noarch):
  salt-bash-completion-3002.2-48.4 salt-fish-completion-3002.2-48.4 salt-zsh-completion-3002.2-48.4

- SUSE Linux Enterprise Server 15-SP1-BCL (noarch):
  salt-bash-completion-3002.2-48.4 salt-fish-completion-3002.2-48.4 salt-zsh-completion-3002.2-48.4

- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
  python3-salt-3002.2-48.4 salt-3002.2-48.4 salt-api-3002.2-48.4 salt-cloud-3002.2-48.4 salt-doc-3002.2-48.4 salt-master-3002.2-48.4 salt-minion-3002.2-48.4 salt-proxy-3002.2-48.4 salt-ssh-3002.2-48.4 salt-standalone-formulas-configuration-3002.2-48.4 salt-syndic-3002.2-48.4 salt-transactional-update-3002.2-48.4

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
  python3-salt-3002.2-48.4 salt-3002.2-48.4 salt-api-3002.2-48.4 salt-cloud-3002.2-48.4 salt-doc-3002.2-48.4 salt-master-3002.2-48.4 salt-minion-3002.2-48.4 salt-proxy-3002.2-48.4 salt-ssh-3002.2-48.4 salt-standalone-formulas-configuration-3002.2-48.4 salt-syndic-3002.2-48.4 salt-transactional-update-3002.2-48.4

- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch):
  salt-bash-completion-3002.2-48.4 salt-fish-completion-3002.2-48.4 salt-zsh-completion-3002.2-48.4

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
  python3-salt-3002.2-48.4 salt-3002.2-48.4 salt-api-3002.2-48.4 salt-cloud-3002.2-48.4 salt-doc-3002.2-48.4 salt-master-3002.2-48.4 salt-minion-3002.2-48.4 salt-proxy-3002.2-48.4 salt-ssh-3002.2-48.4 salt-standalone-formulas-configuration-3002.2-48.4 salt-syndic-3002.2-48.4 salt-transactional-update-3002.2-48.4

- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch):
  salt-bash-completion-3002.2-48.4 salt-fish-completion-3002.2-48.4 salt-zsh-completion-3002.2-48.4

- SUSE Enterprise Storage 6 (aarch64 x86_64):
  python3-salt-3002.2-48.4 salt-3002.2-48.4 salt-api-3002.2-48.4 salt-cloud-3002.2-48.4 salt-doc-3002.2-48.4 salt-master-3002.2-48.4 salt-minion-3002.2-48.4 salt-proxy-3002.2-48.4 salt-ssh-3002.2-48.4 salt-standalone-formulas-configuration-3002.2-48.4 salt-syndic-3002.2-48.4 salt-transactional-update-3002.2-48.4

- SUSE Enterprise Storage 6 (noarch):
  salt-bash-completion-3002.2-48.4 salt-fish-completion-3002.2-48.4 salt-zsh-completion-3002.2-48.4

- SUSE CaaS Platform 4.0 (noarch):
  salt-bash-completion-3002.2-48.4 salt-fish-completion-3002.2-48.4 salt-zsh-completion-3002.2-48.4

- SUSE CaaS Platform 4.0 (x86_64):
  python3-salt-3002.2-48.4 salt-3002.2-48.4 salt-api-3002.2-48.4 salt-cloud-3002.2-48.4 salt-doc-3002.2-48.4 salt-master-3002.2-48.4 salt-minion-3002.2-48.4 salt-proxy-3002.2-48.4 salt-ssh-3002.2-48.4 salt-standalone-formulas-configuration-3002.2-48.4 salt-syndic-3002.2-48.4 salt-transactional-update-3002.2-48.4

References:

https://www.suse.com/security/cve/CVE-2021-21996.html
https://bugzilla.suse.com/1190265

From sle-security-updates at lists.suse.com Wed Oct 27 19:20:46 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 21:20:46 +0200 (CEST)
Subject: SUSE-SU-2021:3549-1: moderate: Security update for SUSE Manager Client Tools
Message-ID: <20211027192046.D0E78FDAB@maintenance.suse.de>

SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3549-1
Rating:             moderate
References:         #1181223 #1188977 #1190265 #1190512 ECO-3319
Cross-References:   CVE-2021-21996
CVSS scores:
                    CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Affected Products:
                    SUSE Manager Debian 10-CLIENT-TOOLS
______________________________________________________________________________

An update that solves one vulnerability, contains one feature and has three fixes is now available.

Description:

This update fixes the following issues:

salt:

- Support querying for JSON data in external sql pillar
- Exclude the full path of a download URL to prevent injection of malicious code (bsc#1190265, CVE-2021-21996)
- Fix wrong relative path resolution with the Jinja renderer when importing subdirectories

scap-security-guide:

- Updated to 0.1.57 release (jsc#ECO-3319)
  - CIS profile for RHEL 7 is updated
  - initial CIS profiles for Ubuntu 20.04
  - Major improvement of RHEL 9 content
  - new release process implemented using GitHub Actions

spacecmd:

- Version 4.2.13-1
  * Update translation strings
  * configchannel_updatefile handles directory properly (bsc#1190512)
  * Add schedule_archivecompleted to mass archive actions (bsc#1181223)
  * Remove whoami from the list of unauthenticated commands (bsc#1188977)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Manager Debian 10-CLIENT-TOOLS:

  zypper in -t patch SUSE-Debian-10-CLIENT-TOOLS-x86_64-2021-3549=1

Package List:

- SUSE Manager Debian 10-CLIENT-TOOLS (all):
  salt-common-3002.2+ds-1+2.36.1 salt-minion-3002.2+ds-1+2.36.1 scap-security-guide-debian-0.1.57-2.9.1 spacecmd-4.2.13-2.18.1

References:

https://www.suse.com/security/cve/CVE-2021-21996.html
https://bugzilla.suse.com/1181223
https://bugzilla.suse.com/1188977
https://bugzilla.suse.com/1190265
https://bugzilla.suse.com/1190512

From sle-security-updates at lists.suse.com Wed Oct 27 19:24:08 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 21:24:08 +0200 (CEST)
Subject: SUSE-SU-2021:14832-1: moderate: Security update for SUSE Manager Client Tools
Message-ID: <20211027192408.74132FDAB@maintenance.suse.de>

SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14832-1
Rating:             moderate
References:         #1181223 #1188977 #1190265 #1190512 ECO-3319
Cross-References:   CVE-2021-21996
CVSS scores:
                    CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Affected Products:
                    SUSE Manager Ubuntu 18.04-CLIENT-TOOLS
______________________________________________________________________________

An update that solves one vulnerability, contains one feature and has three fixes is now available.
Description:

This update fixes the following issues:

salt:

- Support querying for JSON data in external sql pillar
- Exclude the full path of a download URL to prevent injection of malicious code (bsc#1190265, CVE-2021-21996)
- Fix wrong relative path resolution with the Jinja renderer when importing subdirectories

scap-security-guide:

- Updated to 0.1.57 release (jsc#ECO-3319)
  - CIS profile for RHEL 7 is updated
  - initial CIS profiles for Ubuntu 20.04
  - Major improvement of RHEL 9 content
  - new release process implemented using GitHub Actions

spacecmd:

- Version 4.2.13-1
  * Update translation strings
  * configchannel_updatefile handles directory properly (bsc#1190512)
  * Add schedule_archivecompleted to mass archive actions (bsc#1181223)
  * Remove whoami from the list of unauthenticated commands (bsc#1188977)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Ubuntu 18.04-CLIENT-TOOLS:

  zypper in -t patch suse-ubu184ct-client-tools-202110-14832=1

Package List:

- SUSE Manager Ubuntu 18.04-CLIENT-TOOLS (all):
  salt-common-3002.2+ds-1+98.1 salt-minion-3002.2+ds-1+98.1 scap-security-guide-ubuntu-0.1.57-8.1 spacecmd-4.2.13-35.1

References:

https://www.suse.com/security/cve/CVE-2021-21996.html
https://bugzilla.suse.com/1181223
https://bugzilla.suse.com/1188977
https://bugzilla.suse.com/1190265
https://bugzilla.suse.com/1190512

From sle-security-updates at lists.suse.com Wed Oct 27 19:27:11 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 21:27:11 +0200 (CEST)
Subject: SUSE-SU-2021:3553-1: moderate: Security update for Salt
Message-ID: <20211027192711.0BB3EFDAB@maintenance.suse.de>

SUSE Security Update: Security update for Salt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3553-1
Rating:             moderate
References:         #1190265
Cross-References:   CVE-2021-21996
CVSS scores:
                    CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update fixes the following issues:

salt:

- Support querying for JSON data in external sql pillar
- Exclude the full path of a download URL to prevent injection of malicious code (bsc#1190265, CVE-2021-21996)
- Fix wrong relative path resolution with the Jinja renderer when importing subdirectories

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:

  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-3553=1

- SUSE Linux Enterprise Server 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-SLES-15-2021-3553=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3553=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:

  zypper in -t patch SUSE-SLE-Product-HPC-15-2021-3553=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  python3-salt-3002.2-8.41.17.1 salt-3002.2-8.41.17.1 salt-api-3002.2-8.41.17.1 salt-cloud-3002.2-8.41.17.1 salt-doc-3002.2-8.41.17.1 salt-master-3002.2-8.41.17.1 salt-minion-3002.2-8.41.17.1 salt-proxy-3002.2-8.41.17.1 salt-ssh-3002.2-8.41.17.1 salt-standalone-formulas-configuration-3002.2-8.41.17.1 salt-syndic-3002.2-8.41.17.1 salt-transactional-update-3002.2-8.41.17.1

- SUSE Linux Enterprise Server for SAP 15 (noarch):
  salt-bash-completion-3002.2-8.41.17.1 salt-fish-completion-3002.2-8.41.17.1 salt-zsh-completion-3002.2-8.41.17.1

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  python3-salt-3002.2-8.41.17.1 salt-3002.2-8.41.17.1 salt-api-3002.2-8.41.17.1 salt-cloud-3002.2-8.41.17.1 salt-doc-3002.2-8.41.17.1 salt-master-3002.2-8.41.17.1 salt-minion-3002.2-8.41.17.1 salt-proxy-3002.2-8.41.17.1 salt-ssh-3002.2-8.41.17.1 salt-standalone-formulas-configuration-3002.2-8.41.17.1 salt-syndic-3002.2-8.41.17.1 salt-transactional-update-3002.2-8.41.17.1

- SUSE Linux Enterprise Server 15-LTSS (noarch):
  salt-bash-completion-3002.2-8.41.17.1 salt-fish-completion-3002.2-8.41.17.1 salt-zsh-completion-3002.2-8.41.17.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
  python3-salt-3002.2-8.41.17.1 salt-3002.2-8.41.17.1 salt-api-3002.2-8.41.17.1 salt-cloud-3002.2-8.41.17.1 salt-doc-3002.2-8.41.17.1 salt-master-3002.2-8.41.17.1 salt-minion-3002.2-8.41.17.1 salt-proxy-3002.2-8.41.17.1 salt-ssh-3002.2-8.41.17.1 salt-standalone-formulas-configuration-3002.2-8.41.17.1 salt-syndic-3002.2-8.41.17.1 salt-transactional-update-3002.2-8.41.17.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
  salt-bash-completion-3002.2-8.41.17.1 salt-fish-completion-3002.2-8.41.17.1 salt-zsh-completion-3002.2-8.41.17.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
  python3-salt-3002.2-8.41.17.1 salt-3002.2-8.41.17.1 salt-api-3002.2-8.41.17.1 salt-cloud-3002.2-8.41.17.1 salt-doc-3002.2-8.41.17.1 salt-master-3002.2-8.41.17.1 salt-minion-3002.2-8.41.17.1 salt-proxy-3002.2-8.41.17.1 salt-ssh-3002.2-8.41.17.1 salt-standalone-formulas-configuration-3002.2-8.41.17.1 salt-syndic-3002.2-8.41.17.1 salt-transactional-update-3002.2-8.41.17.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
  salt-bash-completion-3002.2-8.41.17.1 salt-fish-completion-3002.2-8.41.17.1 salt-zsh-completion-3002.2-8.41.17.1

References:

https://www.suse.com/security/cve/CVE-2021-21996.html
https://bugzilla.suse.com/1190265

From sle-security-updates at lists.suse.com Wed Oct 27 19:32:43 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 21:32:43 +0200 (CEST)
Subject: SUSE-SU-2021:3547-1: moderate: Security update for SUSE Manager Client Tools
Message-ID: <20211027193243.EDF85FDAB@maintenance.suse.de>

SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3547-1
Rating:             moderate
References:         #1181223 #1188977 #1190265 #1190512 ECO-3319
Cross-References:   CVE-2021-21996
CVSS scores:
                    CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Affected Products:
                    SUSE Manager Debian 9.0-CLIENT-TOOLS
______________________________________________________________________________

An update that solves one vulnerability, contains one feature and has three fixes is now available.

Description:

This update fixes the following issues:

salt:

- Fix the regression of the 'docker_container' state module
- Support querying for JSON data in external sql pillar
- Exclude the full path of a download URL to prevent injection of malicious code (bsc#1190265, CVE-2021-21996)
- Fix wrong relative path resolution with the Jinja renderer when importing subdirectories

scap-security-guide:

- Updated to 0.1.57 release (jsc#ECO-3319)
  - CIS profile for RHEL 7 is updated
  - initial CIS profiles for Ubuntu 20.04
  - Major improvement of RHEL 9 content
  - new release process implemented using GitHub Actions

spacecmd:

- Version 4.2.13-1
  * Update translation strings
  * configchannel_updatefile handles directory properly (bsc#1190512)
  * Add schedule_archivecompleted to mass archive actions (bsc#1181223)
  * Remove whoami from the list of unauthenticated commands (bsc#1188977)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Debian 9.0-CLIENT-TOOLS:

  zypper in -t patch SUSE-Debian-9.0-CLIENT-TOOLS-x86_64-2021-3547=1

Package List:

- SUSE Manager Debian 9.0-CLIENT-TOOLS (all):
  salt-common-3000+ds-1+2.32.1 salt-minion-3000+ds-1+2.32.1 scap-security-guide-debian-0.1.57-2.9.1 spacecmd-4.2.13-2.19.1

References:

https://www.suse.com/security/cve/CVE-2021-21996.html
https://bugzilla.suse.com/1181223
https://bugzilla.suse.com/1188977
https://bugzilla.suse.com/1190265
https://bugzilla.suse.com/1190512

From sle-security-updates at lists.suse.com Wed Oct 27 19:34:26 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 21:34:26 +0200 (CEST)
Subject: SUSE-SU-2021:3561-1: moderate: Security update for SUSE Manager Server 4.2
Message-ID: <20211027193426.C71F0FDAB@maintenance.suse.de>

SUSE Security Update: Security update for SUSE Manager Server 4.2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3561-1
Rating:             moderate
References:         #1171520 #1181223 #1187572 #1187998 #1188315 #1188977 #1189260
                    #1189422 #1189609 #1189799 #1189818 #1189933 #1190040 #1190123
                    #1190151 #1190164 #1190166 #1190265 #1190275 #1190276 #1190300
                    #1190396 #1190405 #1190455 #1190512 #1190602 #1190751 #1190820
                    #1191123 #1191139 #1191348 #1191551 #1191898 PM-2644 SUMA-61
Cross-References:   CVE-2021-21996 CVE-2021-40348
CVSS scores:
                    CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
                    CVE-2021-40348 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.2
______________________________________________________________________________

An update that solves two vulnerabilities, contains two features and has 31 fixes is now available.
Description:

   This update fixes the following issues:

   cobbler:

   - Fixed modify_setting test to complete successfully

   hub-xmlrpc-api:

   - Use rpm systemd macro to restart service in place of systemctl

   patterns-suse-manager:

   - Virtualization-host-formula was renamed to virtualization-formulas

   py26-compat-salt:

   - Exclude the full path of a download URL to prevent injection of malicious
     code (bsc#1190265, CVE-2021-21996)

   py26-compat-tornado:

   - Added compatibility to Enterprise Linux 8

   py27-compat-salt:

   - Fix the regression of docker_container state module
   - Support querying for JSON data in external sql pillar
   - Exclude the full path of a download URL to prevent injection of malicious
     code (bsc#1190265, CVE-2021-21996)
   - Fix wrong relative paths resolution with Jinja renderer when importing
     subdirectories

   spacecmd:

   - Version 4.2.13-1
     * Update translation strings
     * configchannel_updatefile handles directory properly (bsc#1190512)
     * Add schedule_archivecompleted to mass archive actions (bsc#1181223)
     * Remove whoami from the list of unauthenticated commands (bsc#1188977)

   spacewalk-admin:

   - Version 4.2.9-1
     * Fix setup with rhn-config-satellite (bsc#1190300)
     * Allow admins to modify only spacewalk config files with
       rhn-config-satellite.pl (bsc#1190040) (CVE-2021-40348)

   spacewalk-backend:

   - Version 4.2.17-1
     * Update translation strings
     * handle download of metadata filenames with checksums (bsc#1188315)
     * Sanitize cached filename for custom SSL certs used by reposync
       (bsc#1190751)

   spacewalk-certs-tools:

   - Version 4.2.13-1
     * add GPG keys using apt-key on debian machines (bsc#1187998)

   spacewalk-client-tools:

   - Version 4.2.14-1
     * Update translation strings

   spacewalk-java:

   - Version 4.2.30-1
     * Fix datetime format parsing with moment (bsc#1191348)
   - Version 4.2.29-1
     * Update translation strings
     * fix logging of the spark framework and map requests to media.1
       directory in the download controller (bsc#1189933)
     * Add 'Last build date' column to CLM project list (jsc#PM-2644)
       (jsc#SUMA-61)
     * Improve exception handling and logging for mgr-libmod calls
     * Add checksums to repository metadata filenames (bsc#1188315)
     * Fix ISE in product migration if base product is missing (bsc#1190151)
     * use TLSv1.3 if it is a supported Protocol
     * Adapt auto errata update to respect maintenance windows
     * Adapt auto errata update to skip during CLM build (bsc#1189609)
     * add CentOS 7/8 aarch64
     * add Oracle Linux 7/8 aarch64
     * add Rocky Linux 8 aarch64
     * add AlmaLinux 8 aarch64
     * add Amazon Linux 2 aarch64
     * Add new endpoints to saltkeys API: acceptedList, pendingList,
       rejectedList, deniedList, accept and reject
     * fix ISE in SSM when scheduling patches on multiple systems
       (bsc#1190396, bsc#1190275)
     * Add 'Flush cache' option to Ansible playbook execution (bsc#1190405)
     * Update kernel live patch version on minion startup (bsc#1190276)
     * Allow getting all completed actions via XMLRPC without display limit
       (bsc#1181223)
     * Support syncing patches with advisory status 'pending' (bsc#1190455)
     * Add XMLRPC API to force refreshing pillar data (bsc#1190123)
     * Add missing string on XCCDF scan results (bsc#1190164)
     * Ignore duplicates in 'pkg.installed' result when applying patches
       (bsc#1187572)
     * Improved timezone support
     * implement package locking for salt minions

   spacewalk-utils:

   - Version 4.2.14-1
     * When renaming: don't regenerate CA, allow using third-party certificate
       and trigger pillar refresh (bsc#1190123)

   spacewalk-web:

   - Version 4.2.23-1
     * Fix datetime format parsing with moment (bsc#1191348)
   - Version 4.2.22-1
     * Add 'Last build date' column to CLM project list (jsc#PM-2644)
       (jsc#SUMA-61)
     * Fix 'Type' input in CLM source edit form (bsc#1190820)
     * Add 'Flush cache' checkbox to Ansible playbook execution page
       (bsc#1190405)
     * Fix the VM creation and editing submit button action (bsc#1190602)
     * Improved timezone support
     * Enhance the default base channel help message (bsc#1171520)

   subscription-matcher:

   - Version 0.27
     * update subscription rules for new SKUs (bsc#1189818)

   supportutils-plugin-susemanager:

   - Version 4.2.3-1
     * detect broken symlinks in tomcat, taskomatic and search daemon

   susemanager:

   - Version 4.2.25-1
     * Add python-mako, python-gnupg and gnupg1 to the Debian 9 bootstrap
       repository so bootstrapping without any enabled repositories is
       possible (bsc#1191898)
     * Fix syntax error on migration script (bsc#1191551)
     * Add aarch64 bootstrap repositories for CentOS 7/8, Oracle Linux 7/8,
       Rocky Linux 8, AlmaLinux 8, Amazon Linux 2 and openSUSE Leap 15.3
     * Add the gnupg package for ubuntu which is then needed by apt-key
       (bsc#1187998)
     * Add SLE 15 SAP Product ID to SLE15 bootstrap repositories, as it is
       required to get python3-M2Crypto (bsc#1189422)

   susemanager-doc-indexes:

   - Added aarch64 support for selection of clients in the Installation Guide
     and Client Configuration Guide
   - Documented Amazon Web Services permissions for Virtual Host Manager in
     the Virtual Host Manager and Amazon Web Service chapters in the Client
     Configuration Guide
   - Fixed unpublished patches note in the server update chapter of the
     Upgrade Guide
   - Updated Proxy installation screenshots to reflect SUSE Manager 4.2
     version in the Installation Guide
   - Updated migration instructions to help avoid migration from Proxy 4.0 to
     4.1 if 4.2 is already available to the Upgrade Guide
   - Fixed mgr-cfg-* issues in appendix of the Reference Guide. Run the
     commands on the client (bsc#1190166)
   - Removed Portus and CaaSP references from the image management chapter of
     the Administration Guide
   - Documented package lock as a supported feature for some Salt clients in
     the Client Configuration Guide.
   susemanager-docs_en:

   - Added aarch64 support for selection of clients in the Installation Guide
     and Client Configuration Guide
   - Documented Amazon Web Services permissions for Virtual Host Manager in
     the Virtual Host Manager and Amazon Web Service chapters in the Client
     Configuration Guide
   - Fixed unpublished patches note in the server update chapter of the
     Upgrade Guide
   - Updated Proxy installation screenshots to reflect SUSE Manager 4.2
     version in the Installation Guide
   - Updated migration instructions to help avoid migration from Proxy 4.0 to
     4.1 if 4.2 is already available to the Upgrade Guide
   - Fixed mgr-cfg-* issues in appendix of the Reference Guide. Run the
     commands on the client (bsc#1190166)
   - Removed Portus and CaaSP references from the image management chapter of
     the Administration Guide
   - Documented package lock as a supported feature for some Salt clients in
     the Client Configuration Guide.

   susemanager-schema:

   - Version 4.2.18-1
     * create unique index on package details action id (bsc#1190396,
       bsc#1190275)
     * Add 'flush_cache' flag to Ansible playbook execution action
       (bsc#1190405)
     * Support syncing patches with advisory status 'pending' (bsc#1190455)
     * allow Ansible Control Node entitlement for aarch64, ppc64le and s390x
       (bsc#1189799)
     * implement package locking for salt minions

   susemanager-sls:

   - Version 4.2.18-1
     * Fix cpuinfo grain and virt_utils state python2 compatibility
       (bsc#1191139, bsc#1191123)
     * deploy certificate on SLE Micro 5.1
     * Realign pkgset cookie path for Salt Bundle changes
     * Fix pkgset beacon to work with salt-minion 2016.11.10 (bsc#1189260)
     * Fix virt grain python2 compatibility
     * Fix mgrcompat state module to work with Salt 3003 and 3004
     * Add 'flush_cache' flag to 'ansible.playbooks' call (bsc#1190405)
     * Update kernel live patch version on minion startup (bsc#1190276)
     * don't use libvirt API to get its version for the virt features grain
     * implement package locking for salt minions

   susemanager-sync-data:

   - Version 4.2.9-1
     * add CentOS 7/8 aarch64
     * add Oracle Linux 7/8 aarch64
     * add Rocky Linux 8 aarch64
     * add AlmaLinux 8 aarch64
     * add Amazon Linux 2 aarch64

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service: `spacewalk-service stop`
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service: `spacewalk-service start`

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.2-2021-3561=1

Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (ppc64le s390x x86_64):

      hub-xmlrpc-api-0.7-3.3.3
      hub-xmlrpc-api-debuginfo-0.7-3.3.3
      inter-server-sync-0.0.5-8.6.3
      inter-server-sync-debuginfo-0.0.5-8.6.3
      patterns-suma_retail-4.2-4.3.1
      patterns-suma_server-4.2-4.3.1
      py26-compat-tornado-4.2.1-3.3.1
      py26-compat-tornado-debuginfo-4.2.1-3.3.1
      py26-compat-tornado-debugsource-4.2.1-3.3.1
      susemanager-4.2.25-3.13.1
      susemanager-tools-4.2.25-3.13.1

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (noarch):

      cobbler-3.1.2-5.11.1
      py26-compat-salt-2016.11.10-11.28.9.1
      py27-compat-salt-3000.3-7.7.11.1
      python3-spacewalk-certs-tools-4.2.13-3.9.2
      python3-spacewalk-client-tools-4.2.14-4.9.3
      spacecmd-4.2.13-4.9.1
      spacewalk-admin-4.2.9-3.6.2
      spacewalk-backend-4.2.17-4.9.3
      spacewalk-backend-app-4.2.17-4.9.3
      spacewalk-backend-applet-4.2.17-4.9.3
      spacewalk-backend-config-files-4.2.17-4.9.3
      spacewalk-backend-config-files-common-4.2.17-4.9.3
      spacewalk-backend-config-files-tool-4.2.17-4.9.3
      spacewalk-backend-iss-4.2.17-4.9.3
      spacewalk-backend-iss-export-4.2.17-4.9.3
      spacewalk-backend-package-push-server-4.2.17-4.9.3
      spacewalk-backend-server-4.2.17-4.9.3
      spacewalk-backend-sql-4.2.17-4.9.3
      spacewalk-backend-sql-postgresql-4.2.17-4.9.3
      spacewalk-backend-tools-4.2.17-4.9.3
      spacewalk-backend-xml-export-libs-4.2.17-4.9.3
      spacewalk-backend-xmlrpc-4.2.17-4.9.3
      spacewalk-base-4.2.23-3.9.3
      spacewalk-base-minimal-4.2.23-3.9.3
      spacewalk-base-minimal-config-4.2.23-3.9.3
      spacewalk-certs-tools-4.2.13-3.9.2
      spacewalk-client-tools-4.2.14-4.9.3
      spacewalk-html-4.2.23-3.9.3
      spacewalk-java-4.2.30-3.14.4
      spacewalk-java-config-4.2.30-3.14.4
      spacewalk-java-lib-4.2.30-3.14.4
      spacewalk-java-postgresql-4.2.30-3.14.4
      spacewalk-taskomatic-4.2.30-3.14.4
      spacewalk-utils-4.2.14-3.9.3
      spacewalk-utils-extras-4.2.14-3.9.3
      subscription-matcher-0.27-6.3.1
      supportutils-plugin-susemanager-4.2.3-3.3.2
      susemanager-doc-indexes-4.2-12.11.3
      susemanager-docs_en-4.2-12.11.1
      susemanager-docs_en-pdf-4.2-12.11.1
      susemanager-schema-4.2.18-3.9.3
      susemanager-sls-4.2.18-3.11.1
      susemanager-sync-data-4.2.9-3.9.1
      susemanager-web-libs-4.2.23-3.9.3
      uyuni-config-modules-4.2.18-3.11.1
      virtualization-formulas-0.6.1-8.3.1

References:

   https://www.suse.com/security/cve/CVE-2021-21996.html
   https://www.suse.com/security/cve/CVE-2021-40348.html
   https://bugzilla.suse.com/1171520
   https://bugzilla.suse.com/1181223
   https://bugzilla.suse.com/1187572
   https://bugzilla.suse.com/1187998
   https://bugzilla.suse.com/1188315
   https://bugzilla.suse.com/1188977
   https://bugzilla.suse.com/1189260
   https://bugzilla.suse.com/1189422
   https://bugzilla.suse.com/1189609
   https://bugzilla.suse.com/1189799
   https://bugzilla.suse.com/1189818
   https://bugzilla.suse.com/1189933
   https://bugzilla.suse.com/1190040
   https://bugzilla.suse.com/1190123
   https://bugzilla.suse.com/1190151
   https://bugzilla.suse.com/1190164
   https://bugzilla.suse.com/1190166
   https://bugzilla.suse.com/1190265
   https://bugzilla.suse.com/1190275
   https://bugzilla.suse.com/1190276
   https://bugzilla.suse.com/1190300
   https://bugzilla.suse.com/1190396
   https://bugzilla.suse.com/1190405
   https://bugzilla.suse.com/1190455
   https://bugzilla.suse.com/1190512
   https://bugzilla.suse.com/1190602
   https://bugzilla.suse.com/1190751
   https://bugzilla.suse.com/1190820
   https://bugzilla.suse.com/1191123
   https://bugzilla.suse.com/1191139
   https://bugzilla.suse.com/1191348
   https://bugzilla.suse.com/1191551
   https://bugzilla.suse.com/1191898

From sle-security-updates at lists.suse.com  Wed Oct 27 19:39:57 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 21:39:57 +0200 (CEST)
Subject: SUSE-SU-2021:14831-1: moderate: Security update for SUSE Manager Client Tools
Message-ID: <20211027193957.91484FDAB@maintenance.suse.de>

   SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14831-1
Rating:             moderate
References:         #1181223 #1188977 #1190265 #1190512 ECO-3319
Cross-References:   CVE-2021-21996
CVSS scores:
                    CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Affected Products:
                    SUSE Manager Ubuntu 20.04-CLIENT-TOOLS
______________________________________________________________________________

   An update that solves one vulnerability, contains one feature and has three
   fixes is now available.

Description:

   This update fixes the following issues:

   salt:

   - Support querying for JSON data in external sql pillar
   - Exclude the full path of a download URL to prevent injection of malicious
     code (bsc#1190265) (CVE-2021-21996)
   - Fix wrong relative paths resolution with Jinja renderer when importing
     subdirectories

   scap-security-guide:

   - Updated to 0.1.57 release (jsc#ECO-3319)
   - CIS profile for RHEL 7 is updated
   - initial CIS profiles for Ubuntu 20.04
   - Major improvement of RHEL 9 content
   - new release process implemented using GitHub Actions

   spacecmd:

   - Version 4.2.13-1
     * Update translation strings
     * configchannel_updatefile handles directory properly (bsc#1190512)
     * Add schedule_archivecompleted to mass archive actions (bsc#1181223)
     * Remove whoami from the list of unauthenticated commands (bsc#1188977)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Ubuntu 20.04-CLIENT-TOOLS:

      zypper in -t patch suse-ubu204ct-client-tools-202110-14831=1

Package List:

   - SUSE Manager Ubuntu 20.04-CLIENT-TOOLS (all):

      salt-common-3002.2+ds-1+2.57.1
      salt-minion-3002.2+ds-1+2.57.1
      scap-security-guide-ubuntu-0.1.57-2.9.1
      spacecmd-4.2.13-2.33.1

References:

   https://www.suse.com/security/cve/CVE-2021-21996.html
   https://bugzilla.suse.com/1181223
   https://bugzilla.suse.com/1188977
   https://bugzilla.suse.com/1190265
   https://bugzilla.suse.com/1190512

From sle-security-updates at lists.suse.com  Wed Oct 27 19:41:42 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 21:41:42 +0200 (CEST)
Subject: SUSE-SU-2021:3550-1: moderate: Security update for Salt
Message-ID: <20211027194142.93521FE07@maintenance.suse.de>

   SUSE Security Update: Security update for Salt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3550-1
Rating:             moderate
References:         #1190265
Cross-References:   CVE-2021-21996
CVSS scores:
                    CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Affected Products:
                    SUSE Manager Tools 12
                    SUSE Linux Enterprise Module for Advanced Systems Management 12
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update fixes the following issues:

   salt:

   - Fix the regression of docker_container state module
   - Support querying for JSON data in external sql pillar
   - Exclude the full path of a download URL to prevent injection of malicious
     code (bsc#1190265) (CVE-2021-21996)
   - Fix wrong relative paths resolution with Jinja renderer when importing
     subdirectories

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Manager Tools 12:

      zypper in -t patch SUSE-SLE-Manager-Tools-12-2021-3550=1

   - SUSE Linux Enterprise Module for Advanced Systems Management 12:

      zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2021-3550=1

Package List:

   - SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64):

      python2-salt-3000-46.151.2
      python3-salt-3000-46.151.2
      salt-3000-46.151.2
      salt-doc-3000-46.151.2
      salt-minion-3000-46.151.2

   - SUSE Linux Enterprise Module for Advanced Systems Management 12 (ppc64le s390x x86_64):

      python2-salt-3000-46.151.2
      salt-3000-46.151.2
      salt-api-3000-46.151.2
      salt-cloud-3000-46.151.2
      salt-doc-3000-46.151.2
      salt-master-3000-46.151.2
      salt-minion-3000-46.151.2
      salt-proxy-3000-46.151.2
      salt-ssh-3000-46.151.2
      salt-standalone-formulas-configuration-3000-46.151.2
      salt-syndic-3000-46.151.2

   - SUSE Linux Enterprise Module for Advanced Systems Management 12 (noarch):

      salt-bash-completion-3000-46.151.2
      salt-zsh-completion-3000-46.151.2

References:

   https://www.suse.com/security/cve/CVE-2021-21996.html
   https://bugzilla.suse.com/1190265

From sle-security-updates at lists.suse.com  Wed Oct 27 19:48:21 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 21:48:21 +0200 (CEST)
Subject: SUSE-SU-2021:14833-1: moderate: Security update for SUSE Manager Client Tools
Message-ID: <20211027194821.15579FDAB@maintenance.suse.de>

   SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14833-1
Rating:             moderate
References:         #1181223 #1188977 #1190265 #1190512
Cross-References:   CVE-2021-21996
CVSS scores:
                    CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS
                    SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes is now available.

Description:

   This update fixes the following issues:

   salt:

   - Exclude the full path of a download URL to prevent injection of malicious
     code (bsc#1190265) (CVE-2021-21996)

   spacecmd:

   - Version 4.2.13-1
     * Update translation strings
     * configchannel_updatefile handles directory properly (bsc#1190512)
     * Add schedule_archivecompleted to mass archive actions (bsc#1181223)
     * Remove whoami from the list of unauthenticated commands (bsc#1188977)

   spacewalk-client-tools:

   - Version 4.2.14-1
     * Update translation strings

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS:

      zypper in -t patch slesctsp4-client-tools-202110-14833=1

   - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS:

      zypper in -t patch slesctsp3-client-tools-202110-14833=1

Package List:

   - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS (i586 ia64 ppc64 s390x x86_64):

      python2-spacewalk-check-4.2.14-27.59.1
      python2-spacewalk-client-setup-4.2.14-27.59.1
      python2-spacewalk-client-tools-4.2.14-27.59.1
      salt-2016.11.10-43.84.1
      salt-doc-2016.11.10-43.84.1
      salt-minion-2016.11.10-43.84.1
      spacecmd-4.2.13-18.93.1
      spacewalk-check-4.2.14-27.59.1
      spacewalk-client-setup-4.2.14-27.59.1
      spacewalk-client-tools-4.2.14-27.59.1

   - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS (i586 ia64 ppc64 s390x x86_64):

      python2-spacewalk-check-4.2.14-27.59.1
      python2-spacewalk-client-setup-4.2.14-27.59.1
      python2-spacewalk-client-tools-4.2.14-27.59.1
      salt-2016.11.10-43.84.1
      salt-doc-2016.11.10-43.84.1
      salt-minion-2016.11.10-43.84.1
      spacecmd-4.2.13-18.93.1
      spacewalk-check-4.2.14-27.59.1
      spacewalk-client-setup-4.2.14-27.59.1
      spacewalk-client-tools-4.2.14-27.59.1

References:

   https://www.suse.com/security/cve/CVE-2021-21996.html
   https://bugzilla.suse.com/1181223
   https://bugzilla.suse.com/1188977
   https://bugzilla.suse.com/1190265
   https://bugzilla.suse.com/1190512

From sle-security-updates at lists.suse.com  Wed Oct 27 19:51:15 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 21:51:15 +0200 (CEST)
Subject: SUSE-SU-2021:3562-1: moderate: Security update for SUSE Manager Server 4.1
Message-ID: <20211027195115.9A252FDAB@maintenance.suse.de>

   SUSE Security Update: Security update for SUSE Manager Server 4.1
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3562-1
Rating:             moderate
References:         #1190040 #1190300
Cross-References:   CVE-2021-40348
CVSS scores:
                    CVE-2021-40348 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.1
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update fixes the following issues:

   spacewalk-admin:

   - Version 4.1.10-1
     * Fix setup with rhn-config-satellite (bsc#1190300)
     * Allow admins to modify only spacewalk config files with
       rhn-config-satellite.pl (bsc#1190040) (CVE-2021-40348)

   How to apply this update:

   1. Log in as root user to the SUSE Manager server.
   2. Stop the Spacewalk service: `spacewalk-service stop`
   3. Apply the patch using either zypper patch or YaST Online Update.
   4. Start the Spacewalk service: `spacewalk-service start`

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-3562=1

Package List:

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):

      spacewalk-admin-4.1.10-3.15.1

References:

   https://www.suse.com/security/cve/CVE-2021-40348.html
   https://bugzilla.suse.com/1190040
   https://bugzilla.suse.com/1190300

From sle-security-updates at lists.suse.com  Wed Oct 27 19:54:24 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 21:54:24 +0200 (CEST)
Subject: SUSE-SU-2021:3557-1: moderate: Security update for salt
Message-ID: <20211027195424.231AFFDAB@maintenance.suse.de>

   SUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3557-1
Rating:             moderate
References:         #1190265
Cross-References:   CVE-2021-21996
CVSS scores:
                    CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Affected Products:
                    SUSE MicroOS 5.1
                    SUSE Linux Enterprise Module for Transactional Server 15-SP3
                    SUSE Linux Enterprise Module for Server Applications 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for salt fixes the following issues:

   - CVE-2021-21996: Exclude the full path of a download URL to prevent
     injection of malicious code. (bsc#1190265)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.1:

      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3557=1

   - SUSE Linux Enterprise Module for Transactional Server 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Transactional-Server-15-SP3-2021-3557=1

   - SUSE Linux Enterprise Module for Server Applications 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2021-3557=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3557=1

Package List:

   - SUSE MicroOS 5.1 (aarch64 s390x x86_64):

      python3-salt-3002.2-50.1.15.1
      salt-3002.2-50.1.15.1
      salt-minion-3002.2-50.1.15.1
      salt-transactional-update-3002.2-50.1.15.1

   - SUSE Linux Enterprise Module for Transactional Server 15-SP3 (aarch64 ppc64le s390x x86_64):

      salt-transactional-update-3002.2-50.1.15.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64):

      salt-api-3002.2-50.1.15.1
      salt-cloud-3002.2-50.1.15.1
      salt-master-3002.2-50.1.15.1
      salt-proxy-3002.2-50.1.15.1
      salt-ssh-3002.2-50.1.15.1
      salt-standalone-formulas-configuration-3002.2-50.1.15.1
      salt-syndic-3002.2-50.1.15.1

   - SUSE Linux Enterprise Module for Server Applications 15-SP3 (noarch):

      salt-fish-completion-3002.2-50.1.15.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      python3-salt-3002.2-50.1.15.1
      salt-3002.2-50.1.15.1
      salt-doc-3002.2-50.1.15.1
      salt-minion-3002.2-50.1.15.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):

      salt-bash-completion-3002.2-50.1.15.1
      salt-zsh-completion-3002.2-50.1.15.1

References:

   https://www.suse.com/security/cve/CVE-2021-21996.html
   https://bugzilla.suse.com/1190265

From sle-security-updates at lists.suse.com  Wed Oct 27 19:55:44 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Wed, 27 Oct 2021 21:55:44 +0200 (CEST)
Subject: SUSE-SU-2021:3556-1: moderate: Security update for salt
Message-ID: <20211027195544.D54F3FDAB@maintenance.suse.de>

   SUSE Security Update: Security update for salt
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3556-1
Rating:             moderate
References:         #1190265
Cross-References:   CVE-2021-21996
CVSS scores:
                    CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Transactional Server 15-SP2
                    SUSE Linux Enterprise Module for Server Applications 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for salt fixes the following issues:

   - Support querying for JSON data in external sql pillar.
   - Exclude the full path of a download URL to prevent injection of malicious
     code. (bsc#1190265, CVE-2021-21996)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3556=1

   - SUSE Linux Enterprise Module for Transactional Server 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Transactional-Server-15-SP2-2021-3556=1

   - SUSE Linux Enterprise Module for Server Applications 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-3556=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3556=1

Package List:

   - SUSE MicroOS 5.0 (aarch64 x86_64):

      python3-salt-3002.2-49.2
      salt-3002.2-49.2
      salt-minion-3002.2-49.2
      salt-transactional-update-3002.2-49.2

   - SUSE Linux Enterprise Module for Transactional Server 15-SP2 (aarch64 ppc64le s390x x86_64):

      salt-transactional-update-3002.2-49.2

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64):

      salt-api-3002.2-49.2
      salt-cloud-3002.2-49.2
      salt-master-3002.2-49.2
      salt-proxy-3002.2-49.2
      salt-ssh-3002.2-49.2
      salt-standalone-formulas-configuration-3002.2-49.2
      salt-syndic-3002.2-49.2

   - SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch):

      salt-fish-completion-3002.2-49.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):

      python3-salt-3002.2-49.2
      salt-3002.2-49.2
      salt-doc-3002.2-49.2
      salt-minion-3002.2-49.2

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):

      salt-bash-completion-3002.2-49.2
      salt-zsh-completion-3002.2-49.2

References:

   https://www.suse.com/security/cve/CVE-2021-21996.html
   https://bugzilla.suse.com/1190265

From sle-security-updates at lists.suse.com  Thu Oct 28 06:28:53 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 28 Oct 2021 08:28:53 +0200 (CEST)
Subject: SUSE-IU-2021:747-1: Security update of suse-sles-15-sp2-chost-byos-v20211025-hvm-ssd-x86_64
Message-ID: <20211028062853.C3227FBB1@maintenance.suse.de>

SUSE Image Update Advisory:
suse-sles-15-sp2-chost-byos-v20211025-hvm-ssd-x86_64 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2021:747-1 Image Tags : suse-sles-15-sp2-chost-byos-v20211025-hvm-ssd-x86_64:20211025 Image Release : Severity : important Type : security References : 1027519 1029961 1040364 1065729 1085917 1102408 1127650 1134353 1135481 1148868 1152489 1152489 1154353 1159886 1160010 1167032 1167773 1168202 1170774 1171685 1171962 1172670 1173746 1174697 1174969 1175052 1175543 1176206 1176473 1176934 1176940 1177399 1179382 1179416 1180141 1180347 1181148 1181299 1181306 1181309 1181371 1181535 1181536 1181972 1182309 1183070 1183543 1183545 1183632 1183659 1184114 1184180 1184439 1184616 1184804 1184970 1184994 1185016 1185299 1185302 1185405 1185524 1185611 1185675 1185677 1185726 1185748 1185762 1185902 1186037 1186260 1186264 1186489 1186503 1186565 1186602 1186731 1186910 1186975 1187115 1187167 1187211 1187224 1187270 1187425 1187455 1187466 1187468 1187470 1187512 1187565 1187619 1187670 1187704 1187738 1187760 1187774 1187911 1188018 1188063 1188067 1188067 1188090 1188156 1188172 1188282 1188291 1188344 1188418 1188435 1188439 1188548 1188616 1188651 1188651 1188713 1188780 1188781 1188782 1188783 1188784 1188786 1188787 1188788 1188790 1188878 1188885 1188891 1188924 1188982 1188983 1188985 1188986 1189021 1189031 1189057 1189077 1189153 1189197 1189209 1189210 1189212 1189213 1189214 1189215 1189216 1189217 1189218 1189219 1189220 1189221 1189222 1189229 1189262 1189291 1189292 1189297 1189298 1189301 1189305 1189323 1189384 1189385 1189392 1189399 1189400 1189427 1189449 1189480 1189503 1189504 1189505 1189506 1189507 1189552 1189562 1189563 1189564 1189565 1189566 1189567 1189568 1189569 1189573 1189574 1189575 1189576 1189577 1189579 1189581 1189582 1189583 1189585 1189586 1189587 1189632 1189706 1189760 1189832 1189841 1189841 1189841 1189870 1189883 1189884 1189929 1189996 1190023 1190025 1190052 1190059 1190062 
1190115 1190115 1190117 1190131 1190159 1190181 1190199 1190234 1190358 1190373 1190374 1190406 1190432 1190465 1190467 1190523 1190534 1190543 1190576 1190595 1190596 1190598 1190598 1190620 1190626 1190645 1190670 1190679 1190705 1190712 1190717 1190739 1190746 1190758 1190784 1190785 1190793 1190815 1190826 1190845 1190858 1190915 1190933 1191015 1191019 1191121 1191172 1191193 1191240 1191292 1191334 1191355 1191434
CVE-2020-12400 CVE-2020-12401 CVE-2020-12403 CVE-2020-12825 CVE-2020-25648 CVE-2020-3702 CVE-2020-6829 CVE-2021-20266 CVE-2021-20271 CVE-2021-22946 CVE-2021-22947 CVE-2021-28701 CVE-2021-30465 CVE-2021-32760 CVE-2021-33574 CVE-2021-33910 CVE-2021-3421 CVE-2021-34556 CVE-2021-35477 CVE-2021-35942 CVE-2021-3640 CVE-2021-3653 CVE-2021-3656 CVE-2021-3669 CVE-2021-3679 CVE-2021-3732 CVE-2021-3739 CVE-2021-3743 CVE-2021-3744 CVE-2021-3752 CVE-2021-3753 CVE-2021-3759 CVE-2021-3764 CVE-2021-37750 CVE-2021-38160 CVE-2021-38198 CVE-2021-38204 CVE-2021-38205 CVE-2021-38207 CVE-2021-39537 CVE-2021-40490 CVE-2021-41089 CVE-2021-41091 CVE-2021-41092 CVE-2021-41103
-----------------------------------------------------------------
The container suse-sles-15-sp2-chost-byos-v20211025-hvm-ssd-x86_64 was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2020:3026-1
Released: Fri Oct 23 15:35:49 2020
Summary: Optional update for the Public Cloud Module
Type: optional
Severity: moderate
References:

This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398).
The following packages were included:

- python3-grpcio
- python3-protobuf
- python3-google-api-core
- python3-google-cloud-core
- python3-google-cloud-storage
- python3-google-resumable-media
- python3-googleapis-common-protos
- python3-grpcio-gcp
- python3-mock (updated to version 3.0.5)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:294-1
Released: Wed Feb 3 12:54:28 2021
Summary: Recommended update for libprotobuf
Type: recommended
Severity: moderate
References:

libprotobuf was updated to fix:

- ship the libprotobuf-lite15 on the basesystem module and the INSTALLER channel. (jsc#ECO-2911)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3034-1
Released: Tue Sep 14 13:49:23 2021
Summary: Recommended update for python-pytz
Type: recommended
Severity: moderate
References: 1185748

This update for python-pytz fixes the following issues:

- Add %pyunittest shim for platforms where it is missing.
- Remove real directory of %{python_sitelib}/pytz/zoneinfo when upgrading, before it is replaced by a symlink.
  (bsc#1185748)
- update to 2021.1:
  * update to IANA 2021a timezone release
- update to 2020.5:
  * update to IANA 2020e timezone release
- update to 2020.4:
  * update to IANA 2020d timezone release
- update to version 2020.1:
  * Test against Python 3.8 and Python 3.9
  * Bump version numbers to 2020.1/2020a
  * use .rst extension name
  * Make FixedOffset part of public API
- Update to 2019.3
  * IANA 2019c
- Add versioned dependency on timezone database to ensure the correct data is installed
- Add a symlink to the system timezone database
- update to 2019.2
  * IANA 2019b
  * Defer generating case-insensitive lookups

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3115-1
Released: Thu Sep 16 14:04:26 2021
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829

This update for mozilla-nspr fixes the following issues:

mozilla-nspr was updated to version 4.32:

* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer size for DNS queries
* Lock access to PRCallOnceType members in PR_CallOnce* for thread safety (bmo#1686138)
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get information about the operating system build version.

Mozilla NSS was updated to version 3.68:

* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.

update to NSS 3.67

* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of more than 255 bytes.

update to NSS 3.66

* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.

update to NSS 3.65

* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update its csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.

update to NSS 3.64

* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector acceleration.
Fixed in 3.63

* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build issues with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build issues with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS.
* bmo#1687822 - Turn off Websites trust bit for the 'Staat der Nederlanden Root CA - G3' root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global Chambersign Root - 2008'.
* bmo#1694291 - Tracing fixes for ECH.
update to NSS 3.62

* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07

update to NSS 3.61

* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.

Update to NSS 3.60.1:

Notable changes in NSS 3.60:

* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information.
Update to NSS 3.59.1:

* bmo#1679290 - Fix potential deadlock with certain third-party PKCS11 modules

Update to NSS 3.59:

Notable changes:

* Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData

Bugfixes

* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord (boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.

update to NSS 3.58

Bugs fixed:

* bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions.
* bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value.
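Whether a host is actually covered by one of the advisories on this page comes down to ordering the installed name-version-release (NVR) against the fixed build: the salt 3002.2-49.2 packages listed at the top of the page, or mozilla-nss 3.68 in this entry. The block below is an added example and is neither SUSE's nor rpm's code: it reimplements in Python the segment-wise ordering rpm uses (rpmvercmp) and checks a constructed installed-package list against the advisory's Basesystem salt packages. Epoch and the '^' separator are deliberately left out, so treat it as a simplification; on a real system the installed list comes from `rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n'`.

```python
"""Compare installed RPM NVRs with the fixed builds named in an advisory.

Added example, not part of the SUSE advisory. Reimplements the core of
rpm's version ordering (rpmvercmp); epoch and '^' handling are omitted.
"""
import itertools
import re

# One segment per run of digits, run of letters, or a tilde.
# rpm skips every other character (dots, dashes, underscores, ...).
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as rpm would when ordering version (or release) strings.

    Rules: digit runs compare numerically (leading zeros ignored), letter runs
    compare lexically, a digit run is newer than a letter run, '~' sorts before
    anything (1.0~rc1 < 1.0), and when one side runs out of segments the longer
    one is newer (1.0a > 1.0).
    """
    if a == b:
        return 0
    for x, y in itertools.zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def split_nvr(nvr: str):
    """'salt-minion-3002.2-49.2' -> ('salt-minion', '3002.2', '49.2')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def outdated(installed_nvrs, fixed_nvrs):
    """Return (name, installed NVR, fixed NVR) for every installed package that
    the advisory names and that is older than the advisory's build.
    Packages the advisory does not mention are ignored."""
    fixed = {n: (v, r) for n, v, r in map(split_nvr, fixed_nvrs)}
    hits = []
    for n, v, r in map(split_nvr, installed_nvrs):
        if n not in fixed:
            continue
        fv, fr = fixed[n]
        # Version decides first; only an equal version falls through to release.
        if (rpmvercmp(v, fv) or rpmvercmp(r, fr)) < 0:
            hits.append((n, f"{v}-{r}", f"{fv}-{fr}"))
    return hits


# Fixed builds from the salt advisory's Basesystem 15-SP2 package list (page text).
FIXED_SALT_15SP2 = [
    "python3-salt-3002.2-49.2",
    "salt-3002.2-49.2",
    "salt-doc-3002.2-49.2",
    "salt-minion-3002.2-49.2",
]

# Constructed stand-in for `rpm -qa` output; not taken from any real host.
INSTALLED = [
    "python3-salt-3002.2-49.2",
    "salt-3002.2-49.2",
    "salt-minion-3002.2-47.1",  # older release than the advisory: still affected
    "openssh-8.4p1-5.3",        # not named in the advisory: ignored
]

if __name__ == "__main__":
    for name, have, want in outdated(INSTALLED, FIXED_SALT_15SP2):
        print(f"{name}: installed {have} is older than fixed {want}")
```

`zypper patch-check` remains the authoritative answer on a registered system; the value of the function is in the ordering rules (3002.2-47.1 < 3002.2-49.2, 3.53.1 < 3.68, 1.0~rc1 < 1.0) that a plain string or float comparison gets wrong.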
update to NSS 3.57

* The following CA certificates were Added:
  bmo#1663049 - CN=Trustwave Global Certification Authority
    SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
  bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
    SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
  bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
    SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
  bmo#1651211 - CN=EE Certification Centre Root CA
    SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
  bmo#1656077 - O=Government Root Certification Authority; C=TW
    SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
  bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
    Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes

update to NSS 3.56

Notable changes

* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28

update to NSS 3.55

Notable changes

* P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)

Relevant Bugfixes

* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension.
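The NSS 3.57 entry above identifies the removed roots by SHA-256 fingerprint, and the same check run over a system's own PEM bundle (on SUSE, /etc/ssl/ca-bundle.pem) shows whether a locally maintained trust store still carries them. The block below is an added example, not NSS or SUSE code: it hashes the DER form of every certificate in a PEM bundle and matches the result against the two fingerprints quoted in that release note. The bundle embedded at the bottom is a constructed stand-in (the base64 of the bytes `abc`, not a certificate) so the script runs without a trust store.

```python
"""Look for roots that NSS has removed in a local PEM trust bundle.

Added example, not part of the SUSE advisory or of NSS. The fingerprints
are the SHA-256 values quoted in the NSS 3.57 release notes; the sample
bundle at the bottom is constructed and contains no real certificate.
"""
import base64
import hashlib
import re

# Roots removed in NSS 3.57, keyed by the SHA-256 fingerprint of their DER encoding.
REMOVED_IN_NSS_3_57 = {
    "3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76":
        "CN=EE Certification Centre Root CA",
    "7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3":
        "O=Government Root Certification Authority; C=TW",
}

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def sha256_fingerprint(der: bytes) -> str:
    """Upper-case hex SHA-256 over the DER bytes, the form NSS release notes use."""
    return hashlib.sha256(der).hexdigest().upper()


def normalize_fp(fp: str) -> str:
    """Accept 'AB:CD:..' (openssl x509 -fingerprint style), spaced or lower-case hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def pem_certs(bundle: str):
    """Yield the DER bytes of every CERTIFICATE block in a PEM bundle."""
    for m in _PEM_CERT.finditer(bundle):
        yield base64.b64decode("".join(m.group(1).split()))


def find_removed_roots(bundle: str, removed: dict):
    """Return (index, subject, fingerprint) for each certificate in the bundle
    whose SHA-256 fingerprint appears in `removed`."""
    wanted = {normalize_fp(fp): subject for fp, subject in removed.items()}
    hits = []
    for i, der in enumerate(pem_certs(bundle)):
        fp = sha256_fingerprint(der)
        if fp in wanted:
            hits.append((i, wanted[fp], fp))
    return hits


# Constructed stand-in bundle: the body is base64 of b"abc", not a certificate.
SAMPLE_BUNDLE = """\
# comment lines like this occur in real bundles and are skipped
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    hits = find_removed_roots(SAMPLE_BUNDLE, REMOVED_IN_NSS_3_57)
    print(hits or "no removed roots present in bundle")
```

`openssl x509 -in root.pem -noout -fingerprint -sha256` prints the same digest with colon separators, which `normalize_fp` strips before matching. NSS carries its own builtin root store (the nssckbi versions named throughout this changelog); a removal there does not alter the system bundle, so the two are audited separately.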
update to NSS 3.54

Notable changes

* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available (bmo#1528113)
* The following CA certificates were Added:
  bmo#1645186 - certSIGN Root CA G2.
  bmo#1645174 - e-Szigno Root CA 2017.
  bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
  bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
  bmo#1645199 - AddTrust Class 1 CA Root.
  bmo#1645199 - AddTrust External CA Root.
  bmo#1641718 - LuxTrust Global Root 2.
  bmo#1639987 - Staat der Nederlanden Root CA - G2.
  bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
  bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
  bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list.

Bugs fixed

* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo#1621151 - Disable email trust bit for 'O=Government Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3123-1
Released: Thu Sep 16 19:45:05 2021
Summary: Security update for libcroco
Type: security
Severity: moderate
References: 1171685,CVE-2020-12825

This update for libcroco fixes the following issues:

- CVE-2020-12825: Fixed recursion issue in block and any productions (bsc#1171685).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3133-1
Released: Fri Sep 17 16:37:59 2021
Summary: Recommended update for grub2, efibootmgr
Type: recommended
Severity: moderate
References: 1186565,1186975,1187565

This update for grub2, efibootmgr provides the following fixes:

- Ship package grub2-arm64-efi and the required efibootmgr also to ppc64le, s390x and x86_64 (bsc#1186565)
- Fix error gfxterm isn't found with multiple terminals (bsc#1187565)
- Fix occasional boot failure after kdump procedure when using XFS (bsc#1186975)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3136-1
Released: Fri Sep 17 16:59:09 2021
Summary: Recommended update for SUSEConnect
Type: recommended
Severity: moderate
References: 1185611

This update for SUSEConnect fixes the following issues:

- Disallow registering via SUSEConnect if the system is managed by SUSE Manager.
- Add subscription name to output of 'SUSEConnect --status'.
- Send payload of GET requests as part of the url, not in the body.
  (bsc#1185611)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3141-1
Released: Sat Sep 18 14:37:39 2021
Summary: Security update for xen
Type: security
Severity: moderate
References: 1027519,1189632,CVE-2021-28701

This update for xen fixes the following issues:

- CVE-2021-28701: Fixed race condition in XENMAPSPACE_grant_table handling (XSA-384) (bsc#1189632).
- Upstream bug fixes (bsc#1027519)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3182-1
Released: Tue Sep 21 17:04:26 2021
Summary: Recommended update for file
Type: recommended
Severity: moderate
References: 1189996

This update for file fixes the following issues:

- Fixes exception thrown by memory allocation problem (bsc#1189996)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3207-1
Released: Thu Sep 23 16:18:52 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1040364,1127650,1135481,1152489,1160010,1167032,1168202,1174969,1175052,1175543,1177399,1180141,1180347,1181148,1181972,1184114,1184180,1185675,1185902,1186264,1186731,1187211,1187455,1187468,1187619,1188067,1188172,1188418,1188439,1188616,1188780,1188781,1188782,1188783,1188784,1188786,1188787,1188788,1188790,1188878,1188885,1188924,1188982,1188983,1188985,1189021,1189057,1189077,1189153,1189197,1189209,1189210,1189212,1189213,1189214,1189215,1189216,1189217,1189218,1189219,1189220,1189221,1189222,1189229,1189262,1189291,1189292,1189298,1189301,1189305,1189323,1189384,1189385,1189392,1189399,1189400,1189427,1189449,1189503,1189504,1189505,1189506,1189507,1189562,1189563,1189564,1189565,1189566,1189567,1189568,1189569,1189573,1189574,1189575,1189576,1189577,1189579,1189581,1189582,1189583,1189585,1189586,1189587,1189706,1189760,1189832,1189841,1189870,1189883,1190025,1190115,1190117,1190131,1190181,CVE-2021-34556,CVE-2021-35477,CVE-2021-3640,CVE-2021-3653,CVE-2021-3656,CVE-2021-3679,CVE-2021-3732,CVE-2021-3739,CVE-2021-3743,CVE-2021-3753,CVE-2021-3759,CVE-2021-38160,CVE-2021-38198,CVE-2021-38204,CVE-2021-38205,CVE-2021-38207

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-3759: Unaccounted ipc objects in the Linux kernel could have led to breaking memcg limits and DoS attacks (bsc#1190115).
- CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117).
- CVE-2021-3640: Fixed a use-after-free vulnerability in function sco_sock_sendmsg() in the bluetooth stack (bsc#1188172).
- CVE-2021-3753: Fixed race out-of-bounds in virtual terminal handling (bsc#1190025).
- CVE-2021-3743: Fixed OOB Read in qrtr_endpoint_post (bsc#1189883).
- CVE-2021-3739: Fixed a NULL pointer dereference when deleting device by invalid id (bsc#1189832).
- CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
- CVE-2021-3653: Missing validation of the `int_ctl` VMCB field allows a malicious L1 guest to enable AVIC support for the L2 guest (bsc#1189399).
- CVE-2021-3656: Missing validation of the `virt_ext` VMCB field allows a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS for the L2 guest (bsc#1189400).
- CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault (bnc#1189262).
- CVE-2021-38207: drivers/net/ethernet/xilinx/ll_temac_main.c allowed remote attackers to cause a denial of service (buffer overflow and lockup) by sending heavy network traffic for about ten minutes (bnc#1189298).
- CVE-2021-38205: drivers/net/ethernet/xilinx/xilinx_emaclite.c made it easier for attackers to defeat an ASLR protection mechanism because it prints a kernel pointer (i.e., the real IOMEM pointer) (bnc#1189292).
- CVE-2021-38204: drivers/usb/host/max3421-hcd.c allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
- CVE-2021-3679: A lack of CPU resource limiting in the tracing module functionality was found in the way a user can use the trace ring buffer in a specific way. Only privileged local users (with the CAP_SYS_ADMIN capability) could use this flaw to starve the resources, causing a denial of service (bnc#1189057).
- CVE-2021-34556: Fixed a side-channel attack via Speculative Store Bypass through an unprivileged BPF program that could have obtained sensitive information from kernel memory (bsc#1188983).
- CVE-2021-35477: Fixed a BPF stack frame pointer issue which could have been abused to disclose the content of arbitrary kernel memory (bsc#1188985).

The following non-security bugs were fixed:

- ACPI: NFIT: Fix support for virtual SPA ranges (git-fixes).
- ACPI: processor: Clean up acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Export acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Export function to claim _CST control (bsc#1175543)
- ACPI: processor: Introduce acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Make ACPI_PROCESSOR_CSTATE depend on ACPI_PROCESSOR (bsc#1175543)
- ALSA: hda - fix the 'Capture Switch' value change notifications (git-fixes).
- ALSA: hda/realtek: Enable 4-speaker output for Dell XPS 15 9510 laptop (git-fixes).
- ALSA: hda/realtek: Fix headset mic for Acer SWIFT SF314-56 (ALC256) (git-fixes).
- ALSA: hda/realtek: add mic quirk for Acer SF314-42 (git-fixes).
- ALSA: hda/via: Apply runtime PM workaround for ASUS B23E (git-fixes).
- ALSA: hda: Add quirk for ASUS Flow x13 (git-fixes).
- ALSA: pcm: fix divide error in snd_pcm_lib_ioctl (git-fixes).
- ALSA: seq: Fix racy deletion of subscriber (git-fixes).
- ALSA: usb-audio: Add registration quirk for JBL Quantum 600 (git-fixes).
- ALSA: usb-audio: Fix regression on Sony WALKMAN NW-A45 DAC (git-fixes).
- ALSA: usb-audio: Fix superfluous autosuspend recovery (git-fixes).
- ALSA: usb-audio: fix incorrect clock source setting (git-fixes).
- ASoC: Intel: Skylake: Leave data as is when invoking TLV IPCs (git-fixes).
- ASoC: cs42l42: Correct definition of ADC Volume control (git-fixes).
- ASoC: cs42l42: Do not allow SND_SOC_DAIFMT_LEFT_J (git-fixes).
- ASoC: cs42l42: Fix LRCLK frame start edge (git-fixes).
- ASoC: cs42l42: Fix inversion of ADC Notch Switch control (git-fixes).
- ASoC: cs42l42: Remove duplicate control for WNF filter frequency (git-fixes).
- ASoC: intel: atom: Fix breakage for PCM buffer address setup (git-fixes).
- ASoC: intel: atom: Fix reference to PCM buffer address (git-fixes).
- ASoC: ti: delete some dead code in omap_abe_probe() (git-fixes).
- ASoC: tlv320aic31xx: Fix jack detection after suspend (git-fixes).
- ASoC: tlv320aic31xx: fix reversed bclk/wclk master bits (git-fixes).
- ASoC: wcd9335: Disable irq on slave ports in the remove function (git-fixes).
- ASoC: wcd9335: Fix a double irq free in the remove function (git-fixes).
- ASoC: wcd9335: Fix a memory leak in the error handling path of the probe function (git-fixes).
- ASoC: xilinx: Fix reference to PCM buffer address (git-fixes).
- Bluetooth: add timeout sanity check to hci_inquiry (git-fixes).
- Bluetooth: defer cleanup of resources in hci_unregister_dev() (git-fixes).
- Bluetooth: fix repeated calls to sco_sock_kill (git-fixes).
- Bluetooth: hidp: use correct wait queue when removing ctrl_wait (git-fixes).
- Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow (git-fixes).
- Bluetooth: sco: prevent information leak in sco_conn_defer_accept() (git-fixes).
- Documentation: admin-guide: PM: Add intel_idle document (bsc#1175543)
- Drop watchdog iTCO_wdt patch that causes incompatible behavior (bsc#1189449). Also blacklisted.
- Fix breakage of swap over NFS (bsc#1188924).
- Fix kabi of prepare_to_wait_exclusive() (bsc#1189575).
- HID: i2c-hid: Fix Elan touchpad regression (git-fixes).
- HID: input: do not report stylus battery state as 'full' (git-fixes).
- KVM: VMX: Drop guest CPUID check for VMXE in vmx_set_cr4() (bsc#1188786).
- KVM: VMX: Enable machine check support for 32bit targets (bsc#1188787).
- KVM: VMX: Explicitly clear RFLAGS.CF and RFLAGS.ZF in VM-Exit RSB path (bsc#1188788).
- KVM: nVMX: Really make emulated nested preemption timer pinned (bsc#1188780).
- KVM: nVMX: Reset the segment cache when stuffing guest segs (bsc#1188781).
- KVM: nVMX: Skip IBPB when switching between vmcs01 and vmcs02 (bsc#1188782).
- KVM: nVMX: Sync unsync'd vmcs02 state to vmcs12 on migration (bsc#1188783).
- KVM: nVMX: Truncate bits 63:32 of VMCS field on nested check in !64-bit (bsc#1188784).
- KVM: x86: bit 8 of non-leaf PDPEs is not reserved (bsc#1188790).
- Move upstreamed BT fixes into sorted section
- NFS: Correct size calculation for create reply length (bsc#1189870).
- NFSv4.1: Do not rebind to the same source port when (bnc#1186264 bnc#1189021)
- NFSv4/pNFS: Do not call _nfs4_pnfs_v3_ds_connect multiple times (git-fixes).
- NFSv4: Initialise connection to the server in nfs4_alloc_client() (bsc#1040364).
- PCI/MSI: Correct misleading comments (git-fixes).
- PCI/MSI: Do not set invalid bits in MSI mask (git-fixes).
- PCI/MSI: Enable and mask MSI-X early (git-fixes).
- PCI/MSI: Enforce MSI[X] entry updates to be visible (git-fixes).
- PCI/MSI: Enforce that MSI-X table entry is masked for update (git-fixes).
- PCI/MSI: Mask all unused MSI-X entries (git-fixes).
- PCI/MSI: Skip masking MSI-X on Xen PV (git-fixes).
- PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() (git-fixes).
- PCI: Increase D3 delay for AMD Renoir/Cezanne XHCI (git-fixes).
- PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently (git-fixes).
- PCI: PM: Enable PME if it can be signaled from D3cold (git-fixes).
- README: Modernize build instructions.
- Revert 'ACPICA: Fix memory leak caused by _CID repair function' (git-fixes).
- Revert 'USB: serial: ch341: fix character loss at high transfer rates' (git-fixes).
- Revert 'dmaengine: imx-sdma: refine to load context only once' (git-fixes).
- Revert 'gpio: eic-sprd: Use devm_platform_ioremap_resource()' (git-fixes).
- Revert 'mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711' (git-fixes).
- SUNRPC: 'Directory with parent 'rpc_clnt' already present!' (bsc#1168202 bsc#1188924).
- SUNRPC: Fix the batch tasks count wraparound (git-fixes).
- SUNRPC: Should wake up the privileged task firstly (git-fixes).
- SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202 bsc#1188924).
- SUNRPC: fix use-after-free in rpc_free_client_work() (bsc#1168202 bsc#1188924).
- SUNRPC: prevent port reuse on transports which do not request it (bnc#1186264 bnc#1189021).
- USB: core: Avoid WARNings for 0-length descriptor requests (git-fixes).
- USB: serial: ch341: fix character loss at high transfer rates (git-fixes).
- USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 (git-fixes).
- USB: serial: option: add Telit FD980 composition 0x1056 (git-fixes).
- USB: serial: option: add new VID/PID to support Fibocom FG150 (git-fixes).
- USB: usbtmc: Fix RCU stall warning (git-fixes).
- USB:ehci:fix Kunpeng920 ehci hardware problem (git-fixes).
- Update patches.suse/ibmvnic-Allow-device-probe-if-the-device-is-not-read.patch (bsc#1167032 ltc#184087 bsc#1184114 ltc#192237).
- VMCI: fix NULL pointer dereference when unmapping queue pair (git-fixes).
- ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() (git-fixes).
- ath9k: Clear key cache explicitly on disabling hardware (git-fixes).
- ath: Use safer key clearing with key cache entries (git-fixes).
- bcma: Fix memory leak for internally-handled cores (git-fixes).
- bdi: Do not use freezable workqueue (bsc#1189573).
- blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit() (bsc#1189507).
- blk-mq-sched: Fix blk_mq_sched_alloc_tags() error handling (bsc#1189506).
- blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled() (bsc#1189503).
- blk-wbt: make sure throttle is enabled properly (bsc#1189504).
- block: fix trace completion for chained bio (bsc#1189505).
- brcmfmac: pcie: fix oops on failure to resume and reprobe (git-fixes).
- btrfs: Rename __btrfs_alloc_chunk to btrfs_alloc_chunk (bsc#1189077).
- btrfs: account for new extents being deleted in total_bytes_pinned (bsc#1135481).
- btrfs: add a comment explaining the data flush steps (bsc#1135481).
- btrfs: add btrfs_reserve_data_bytes and use it (bsc#1135481).
- btrfs: add flushing states for handling data reservations (bsc#1135481).
- btrfs: add the data transaction commit logic into may_commit_transaction (bsc#1135481).
- btrfs: call btrfs_try_granting_tickets when freeing reserved bytes (bsc#1135481).
- btrfs: call btrfs_try_granting_tickets when reserving space (bsc#1135481).
- btrfs: call btrfs_try_granting_tickets when unpinning anything (bsc#1135481).
- btrfs: change nr to u64 in btrfs_start_delalloc_roots (bsc#1135481).
- btrfs: check tickets after waiting on ordered extents (bsc#1135481).
- btrfs: do async reclaim for data reservations (bsc#1135481).
- btrfs: don't force commit if we are data (bsc#1135481).
- btrfs: drop the commit_cycles stuff for data reservations (bsc#1135481).
- btrfs: factor out create_chunk() (bsc#1189077).
- btrfs: factor out decide_stripe_size() (bsc#1189077).
- btrfs: factor out gather_device_info() (bsc#1189077).
- btrfs: factor out init_alloc_chunk_ctl (bsc#1189077).
- btrfs: fix deadlock with concurrent chunk allocations involving system chunks (bsc#1189077).
- btrfs: fix possible infinite loop in data async reclaim (bsc#1135481).
- btrfs: flush delayed refs when trying to reserve data space (bsc#1135481).
- btrfs: handle U64_MAX for shrink_delalloc (bsc#1135481).
- btrfs: handle invalid profile in chunk allocation (bsc#1189077).
- btrfs: handle space_info::total_bytes_pinned inside the delayed ref itself (bsc#1135481).
- btrfs: introduce alloc_chunk_ctl (bsc#1189077).
- btrfs: introduce chunk allocation policy (bsc#1189077).
- btrfs: make ALLOC_CHUNK use the space info flags (bsc#1135481).
- btrfs: make shrink_delalloc take space_info as an arg (bsc#1135481).
- btrfs: move the chunk_mutex in btrfs_read_chunk_tree (bsc#1189077).
- btrfs: parameterize dev_extent_min for chunk allocation (bsc#1189077).
- btrfs: refactor find_free_dev_extent_start() (bsc#1189077).
- btrfs: remove orig from shrink_delalloc (bsc#1135481).
- btrfs: rework chunk allocation to avoid exhaustion of the system chunk array (bsc#1189077).
- btrfs: run delayed iputs before committing the transaction for data (bsc#1135481).
- btrfs: serialize data reservations if we are flushing (bsc#1135481).
- btrfs: shrink delalloc pages instead of full inodes (bsc#1135481).
- btrfs: track ordered bytes instead of just dio ordered bytes (bsc#1135481).
- btrfs: use btrfs_start_delalloc_roots in shrink_delalloc (bsc#1135481).
- btrfs: use the btrfs_space_info_free_bytes_may_use helper for delalloc (bsc#1135481).
- btrfs: use the same helper for data and metadata reservations (bsc#1135481).
- btrfs: use ticketing for data space reservations (bsc#1135481).
- can: ti_hecc: Fix memleak in ti_hecc_probe (git-fixes).
- can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters (git-fixes).
- ceph: clean up and optimize ceph_check_delayed_caps() (bsc#1187468).
- ceph: reduce contention in ceph_check_delayed_caps() (bsc#1187468).
- ceph: take snap_empty_lock atomically with snaprealm refcount change (bsc#1189427).
- cfg80211: Fix possible memory leak in function cfg80211_bss_update (git-fixes).
- cgroup1: fix leaked context root causing sporadic NULL deref in LTP (bsc#1190181).
- cgroup: verify that source is a string (bsc#1190131).
- cifs: Remove unused inline function is_sysvol_or_netlogon() (bsc#1185902).
- cifs: avoid starvation when refreshing dfs cache (bsc#1185902).
- cifs: constify get_normalized_path() properly (bsc#1185902).
- cifs: do not cargo-cult strndup() (bsc#1185902).
- cifs: do not send tree disconnect to ipc shares (bsc#1185902).
- cifs: do not share tcp servers with dfs mounts (bsc#1185902).
- cifs: do not share tcp sessions of dfs connections (bsc#1185902).
- cifs: fix check of dfs interlinks (bsc#1185902).
- cifs: fix path comparison and hash calc (bsc#1185902).
- cifs: get rid of @noreq param in __dfs_cache_find() (bsc#1185902).
- cifs: handle different charsets in dfs cache (bsc#1185902).
- cifs: keep referral server sessions alive (bsc#1185902).
- cifs: missing null pointer check in cifs_mount (bsc#1185902).
- cifs: prevent NULL deref in cifs_compose_mount_options() (bsc#1185902).
- cifs: set a minimum of 2 minutes for refreshing dfs cache (bsc#1185902).
- clk: fix leak on devm_clk_bulk_get_all() unwind (git-fixes).
- clk: kirkwood: Fix a clocking boot regression (git-fixes).
- clk: stm32f4: fix post divisor setup for I2S/SAI PLLs (git-fixes).
- cpuidle: Allow idle states to be disabled by default (bsc#1175543)
- cpuidle: Consolidate disabled state checks (bsc#1175543)
- cpuidle: Drop disabled field from struct cpuidle_state (bsc#1175543)
- cpuidle: Fix cpuidle_driver_state_disabled() (bsc#1175543)
- cpuidle: Introduce cpuidle_driver_state_disabled() for driver quirks (bsc#1175543)
- cpuidle: cpuidle_state kABI fix (bsc#1175543)
- crypto: ccp - Annotate SEV Firmware file names (bsc#1189212).
- crypto: qat - use proper type for vf_mask (git-fixes).
- crypto: x86/curve25519 - fix cpu feature checking logic in mod_exit (git-fixes).
- dm integrity: fix missing goto in bitmap_flush_interval error handling (git-fixes).
- dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails (git-fixes).
- dm verity: fix DM_VERITY_OPTS_MAX value (git-fixes).
- dmaengine: imx-dma: configure the generic DMA type to make it work (git-fixes).
- dmaengine: imx-sdma: remove duplicated sdma_load_context (git-fixes).
- dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available (git-fixes).
- dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe() (git-fixes).
- dmaengine: xilinx_dma: Fix read-after-free bug when terminating transfers (git-fixes).
- drivers/block/null_blk/main: Fix a double free in null_init (git-fixes).
- drm/amdgpu/acp: Make PM domain really work (git-fixes).
- drm/msm/mdp4: populate priv->kms in mdp4_kms_init (git-fixes).
- drm/msm/dpu: make dpu_hw_ctl_clear_all_blendstages clear necessary LMs (git-fixes).
- drm/msm/dsi: Fix some reference counted resource leaks (git-fixes).
- drm/nouveau/disp: power down unused DP links during init (git-fixes).
- drm/panfrost: Fix missing clk_disable_unprepare() on error in panfrost_clk_init() (git-fixes).
- drm: Copy drm_wait_vblank to user before returning (git-fixes).
- ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle (bsc#1189568).
- ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit (bsc#1189564).
- ext4: fix avefreec in find_group_orlov (bsc#1189566).
- ext4: fix kernel infoleak via ext4_extent_header (bsc#1189562).
- ext4: fix potential htree corruption when growing large_dir directories (bsc#1189576).
- ext4: remove check for zero nr_to_scan in ext4_es_scan() (bsc#1189565).
- ext4: return error code when ext4_fill_flex_info() fails (bsc#1189563).
- ext4: use ext4_grp_locked_error in mb_find_extent (bsc#1189567).
- fanotify: fix copy_event_to_user() fid error clean up (bsc#1189574).
- firmware_loader: fix use-after-free in firmware_fallback_sysfs (git-fixes).
- firmware_loader: use -ETIMEDOUT instead of -EAGAIN in fw_load_sysfs_fallback (git-fixes).
- fpga: altera-freeze-bridge: Address warning about unused variable (git-fixes).
- fpga: xilinx-spi: Address warning about unused variable (git-fixes).
- fpga: zynqmp-fpga: Address warning about unused variable (git-fixes).
- gpio: eic-sprd: break loop when getting NULL device resource (git-fixes).
- gpio: tqmx86: really make IRQ optional (git-fixes).
- i2c: dev: zero out array used for i2c reads from userspace (git-fixes).
- i2c: highlander: add IRQ check (git-fixes).
- i2c: iop3xx: fix deferred probing (git-fixes).
- i2c: mt65xx: fix IRQ check (git-fixes).
- i2c: s3c2410: fix IRQ check (git-fixes).
- iio: adc: Fix incorrect exit of for-loop (git-fixes).
- iio: adc: ti-ads7950: Ensure CS is deasserted after reading channels (git-fixes).
- iio: humidity: hdc100x: Add margin to the conversion time (git-fixes).
- intel_idle: Add module parameter to prevent ACPI _CST from being used (bsc#1175543)
- intel_idle: Allow ACPI _CST to be used for selected known processors (bsc#1175543)
- intel_idle: Annotate init time data structures (bsc#1175543)
- intel_idle: Customize IceLake server support (bsc#1175543)
- intel_idle: Disable ACPI _CST on Haswell (bsc#1175543, bsc#1177399, bsc#1180347, bsc#1180141)
- intel_idle: Fix max_cstate for processor models without C-state tables (bsc#1175543)
- intel_idle: Ignore _CST if control cannot be taken from the platform (bsc#1175543)
- intel_idle: Refactor intel_idle_cpuidle_driver_init() (bsc#1175543)
- intel_idle: Use ACPI _CST for processor models without C-state tables (bsc#1175543)
- intel_idle: Use ACPI _CST on server systems (bsc#1175543)
- iommu/amd: Fix extended features logging (bsc#1189213).
- iommu/arm-smmu-v3: Decrease the queue size of evtq and priq (bsc#1189210).
- iommu/arm-smmu-v3: add bit field SFM into GERROR_ERR_MASK (bsc#1189209).
- iommu/dma: Fix IOVA reserve dma ranges (bsc#1189214).
- iommu/dma: Fix compile warning in 32-bit builds (bsc#1189229).
- iommu/vt-d: Check for allocation failure in aux_detach_device() (bsc#1189215).
- iommu/vt-d: Define counter explicitly as unsigned int (bsc#1189216).
- iommu/vt-d: Do not set then clear private data in prq_event_thread() (bsc#1189217).
- iommu/vt-d: Fix sysfs leak in alloc_iommu() (bsc#1189218).
- iommu/vt-d: Force to flush iotlb before creating superpage (bsc#1189219).
- iommu/vt-d: Global devTLB flush when present context entry changed (bsc#1189220).
- iommu/vt-d: Invalidate PASID cache when root/context entry changed (bsc#1189221).
- iommu/vt-d: Reject unsupported page request modes (bsc#1189222).
- iwlwifi: rs-fw: do not support stbc for HE 160 (git-fixes).
- kABI fix of usb_dcd_config_params (git-fixes).
- kABI: Fix kABI after fixing vcpu-id indexed arrays (git-fixes).
- kabi fix for NFSv4.1: Do not rebind to the same source port when reconnecting to the server (bnc#1186264 bnc#1189021)
- kabi fix for SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202 bsc#1188924).
- kernel, fs: Introduce and use set_restart_fn() and arch_set_restart_data() (bsc#1189153).
- lib/mpi: use kcalloc in mpi_resize (git-fixes).
- libata: fix ata_pio_sector for CONFIG_HIGHMEM (git-fixes).
- mac80211: Fix insufficient headroom issue for AMSDU (git-fixes).
- mailbox: sti: quieten kernel-doc warnings (git-fixes).
- md/raid10: properly indicate failure when ending a failed write request (git-fixes).
- media: TDA1997x: enable EDID support (git-fixes).
- media: cxd2880-spi: Fix an error handling path (git-fixes).
- media: drivers/media/usb: fix memory leak in zr364xx_probe (git-fixes).
- media: dvb-usb: Fix error handling in dvb_usb_i2c_init (git-fixes).
- media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init (git-fixes).
- media: dvb-usb: fix uninit-value in vp702x_read_mac_addr (git-fixes).
- media: em28xx-input: fix refcount bug in em28xx_usb_disconnect (git-fixes).
- media: go7007: fix memory leak in go7007_usb_probe (git-fixes).
- media: go7007: remove redundant initialization (git-fixes).
- media: rtl28xxu: fix zero-length control request (git-fixes).
- media: stkwebcam: fix memory leak in stk_camera_probe (git-fixes).
- media: venus: venc: Fix potential null pointer dereference on pointer fmt (git-fixes).
- media: videobuf2-core: dequeue if start_streaming fails (git-fixes).
- media: zr364xx: fix memory leaks in probe() (git-fixes).
- media: zr364xx: propagate errors from zr364xx_start_readpipe() (git-fixes).
- memcg: enable accounting for file lock caches (bsc#1190115).
- misc: atmel-ssc: lock with mutex instead of spinlock (git-fixes).
- misc: rtsx: do not setting OC_POWER_DOWN reg in rtsx_pci_init_ocp() (git-fixes).
- mm, vmscan: guarantee drop_slab_node() termination (VM Functionality, bsc#1189301).
- mm/thp: unmap_mapping_page() to fix THP truncate_cleanup_page() (bsc#1189569).
- mm: swap: properly update readahead statistics in unuse_pte_range() (bsc#1187619).
- mmc: dw_mmc: Fix hang on data CRC error (git-fixes).
- mmc: dw_mmc: Fix issue with uninitialized dma_slave_config (git-fixes).
- mmc: moxart: Fix issue with uninitialized dma_slave_config (git-fixes).
- mmc: sdhci-iproc: Cap min clock frequency on BCM2711 (git-fixes).
- mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711 (git-fixes).
- mtd: cfi_cmdset_0002: fix crash when erasing/writing AMD cards (git-fixes).
- mtd: rawnand: cafe: Fix a resource leak in the error handling path of 'cafe_nand_probe()' (git-fixes).
- nbd: Avoid double completion of a request (git-fixes).
- nbd: Fix NULL pointer in flush_workqueue (git-fixes).
- nbd: do not update block size after device is started (git-fixes).
- net/mlx5: Properly convey driver version to firmware (git-fixes).
- net: dsa: mv88e6xxx: Avoid VTU corruption on 6097 (git-fixes).
- net: dsa: mv88e6xxx: also read STU state in mv88e6250_g1_vtu_getnext (git-fixes).
- net: stmmac: free tx skb buffer in stmmac_resume() (git-fixes).
- nfs: fix acl memory leak of posix_acl_create() (git-fixes).
- nvme-multipath: revalidate paths during rescan (bsc#1187211)
- nvme-pci: Use u32 for nvme_dev.q_depth and nvme_queue.q_depth (bsc#1181972).
- nvme-pci: fix NULL req in completion handler (bsc#1181972).
- nvme-pci: limit maximum queue depth to 4095 (bsc#1181972).
- nvme-pci: use unsigned for io queue depth (bsc#1181972).
- nvme-tcp: Do not reset transport on data digest errors (bsc#1188418).
- nvme-tcp: do not check blk_mq_tag_to_rq when receiving pdu data (bsc#1181972).
- nvme: avoid possible double fetch in handling CQE (bsc#1181972).
- nvme: code command_id with a genctr for use-after-free validation (bsc#1181972).
- nvme: only call synchronize_srcu when clearing current path (bsc#1188067).
- nvmet: use NVMET_MAX_NAMESPACES to set nn value (bsc#1189384).
- ocfs2: fix snprintf() checking (bsc#1189581).
- ocfs2: fix zero out valid data (bsc#1189579).
- ocfs2: initialize ip_next_orphan (bsc#1186731).
- ocfs2: issue zeroout to EOF blocks (bsc#1189582).
- ocfs2: ocfs2_downconvert_lock failure results in deadlock (bsc#1188439).
- overflow: Correct check_shl_overflow() comment (git-fixes).
- ovl: allow upperdir inside lowerdir (bsc#1189323).
- ovl: expand warning in ovl_d_real() (bsc#1189323).
- ovl: fix missing revert_creds() on error path (bsc#1189323).
- ovl: perform vfs_getxattr() with mounter creds (bsc#1189323).
- ovl: skip getxattr of security labels (bsc#1189323).
- params: lift param_set_uint_minmax to common code (bsc#1181972).
- pcmcia: i82092: fix a null pointer dereference bug (git-fixes).
- pinctrl: samsung: Fix pinctrl bank pin count (git-fixes).
- pinctrl: single: Fix error return code in pcs_parse_bits_in_pinctrl_entry() (git-fixes).
- pinctrl: stmfx: Fix hazardous u8[] to unsigned long cast (git-fixes).
- platform/x86: pcengines-apuv2: Add missing terminating entries to gpio-lookup tables (git-fixes).
- power: supply: max17042: handle fails of reading status register (git-fixes).
- powerpc/papr_scm: Make 'perf_stats' invisible if perf-stats unavailable (bsc#1175052 jsc#SLE-13823 bsc#1174969 jsc#SLE-12769 git-fixes).
- powerpc/papr_scm: Reduce error severity if nvdimm stats inaccessible (bsc#1189197 ltc#193906).
- powerpc/pseries: Fix regression while building external modules (bsc#1160010 ltc#183046 git-fixes).
- powerpc/pseries: Fix update of LPAR security flavor after LPM (bsc#1188885 ltc#193722 git-fixes)
- powerpc: Fix is_kvm_guest() / kvm_para_available() (bsc#1181148 ltc#190702 git-fixes).
- regulator: rt5033: Fix n_voltages settings for BUCK and LDO (git-fixes).
- regulator: vctrl: Avoid lockdep warning in enable/disable ops (git-fixes).
- regulator: vctrl: Use locked regulator_get_voltage in probe path (git-fixes).
- rpm/kernel-obs-build.spec.in: make builds reproducible (bsc#1189305)
- rpm: Abolish image suffix (bsc#1189841).
- rpm: Define $certs as rpm macro (bsc#1189841).
- rpm: Fold kernel-devel and kernel-source scriptlets into spec files (bsc#1189841).
- rpm: kernel-binary.spec: Define $image as rpm macro (bsc#1189841).
- rpm: support gz and zst compression methods
  Extend commit 18fcdff43a00 ('rpm: support compressed modules') for compression methods other than xz.
- rq-qos: fix missed wake-ups in rq_qos_throttle try two (bsc#1189575).
- rsi: fix an error code in rsi_probe() (git-fixes).
- rsi: fix error code in rsi_load_9116_firmware() (git-fixes).
- s390/ap: Fix hanging ioctl caused by wrong msg counter (bsc#1188982 LTC#193817).
- s390/boot: fix use of expolines in the DMA code (bsc#1188878 ltc#193771).
- sched/fair: Correctly insert cfs_rq's to list on unthrottle (git-fixes)
- sched/rt: Fix RT utilization tracking during policy change (git-fixes)
- scsi: blkcg: Add app identifier support for blkcg (bsc#1189385 jsc#SLE-18970).
- scsi: blkcg: Fix application ID config options (bsc#1189385 jsc#SLE-18970).
- scsi: cgroup: Add cgroup_get_from_id() (bsc#1189385 jsc#SLE-18970).
- scsi: core: Add scsi_prot_ref_tag() helper (bsc#1189392).
- scsi: ibmvfc: Do not wait for initial device scan (bsc#1127650).
- scsi: libfc: Fix array index out of bound exception (bsc#1188616).
- scsi: lpfc: Add 256 Gb link speed support (bsc#1189385).
- scsi: lpfc: Add PCI ID support for LPe37000/LPe38000 series adapters (bsc#1189385).
- scsi: lpfc: Call discovery state machine when handling PLOGI/ADISC completions (bsc#1189385).
- scsi: lpfc: Clear outstanding active mailbox during PCI function reset (bsc#1189385).
- scsi: lpfc: Copyright updates for 12.8.0.11 patches (bsc#1189385).
- scsi: lpfc: Copyright updates for 14.0.0.0 patches (bsc#1189385).
- scsi: lpfc: Delay unregistering from transport until GIDFT or ADISC completes (bsc#1189385).
- scsi: lpfc: Discovery state machine fixes for LOGO handling (bsc#1189385).
- scsi: lpfc: Enable adisc discovery after RSCN by default (bsc#1189385).
- scsi: lpfc: Fix KASAN slab-out-of-bounds in lpfc_unreg_rpi() routine (bsc#1189385).
- scsi: lpfc: Fix NULL ptr dereference with NPIV ports for RDF handling (bsc#1189385).
- scsi: lpfc: Fix NVMe support reporting in log message (bsc#1189385).
- scsi: lpfc: Fix build error in lpfc_scsi.c (bsc#1189385).
- scsi: lpfc: Fix cq_id truncation in rq create (bsc#1189385).
- scsi: lpfc: Fix function description comments for vmid routines (bsc#1189385).
- scsi: lpfc: Fix memory leaks in error paths while issuing ELS RDF/SCR request (bsc#1189385).
- scsi: lpfc: Fix possible ABBA deadlock in nvmet_xri_aborted() (bsc#1189385).
- scsi: lpfc: Fix target reset handler from falsely returning FAILURE (bsc#1189385).
- scsi: lpfc: Improve firmware download logging (bsc#1189385).
- scsi: lpfc: Keep NDLP reference until after freeing the IOCB after ELS handling (bsc#1189385).
- scsi: lpfc: Move initialization of phba->poll_list earlier to avoid crash (git-fixes).
- scsi: lpfc: Remove REG_LOGIN check requirement to issue an ELS RDF (bsc#1189385).
- scsi: lpfc: Remove redundant assignment to pointer pcmd (bsc#1189385).
- scsi: lpfc: Remove redundant assignment to pointer temp_hdr (bsc#1189385).
- scsi: lpfc: Remove use of kmalloc() in trace event logging (bsc#1189385).
- scsi: lpfc: Revise Topology and RAS support checks for new adapters (bsc#1189385).
- scsi: lpfc: Skip issuing ADISC when node is in NPR state (bsc#1189385).
- scsi: lpfc: Skip reg_vpi when link is down for SLI3 in ADISC cmpl path (bsc#1189385).
- scsi: lpfc: Update lpfc version to 12.8.0.11 (bsc#1189385).
- scsi: lpfc: Update lpfc version to 14.0.0.0 (bsc#1189385).
- scsi: lpfc: Use PBDE feature enabled bit to determine PBDE support (bsc#1189385).
- scsi: lpfc: Use list_move_tail() instead of list_del()/list_add_tail() (bsc#1189385).
- scsi: lpfc: vmid: Add QFPA and VMID timeout check in worker thread (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Add datastructure for supporting VMID in lpfc (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Add support for VMID in mailbox command (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Append the VMID to the wqe before sending (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Functions to manage VMIDs (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Implement CT commands for appid (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Implement ELS commands for appid (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Introduce VMID in I/O path (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Timeout implementation for VMID (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: VMID parameter initialization (bsc#1189385 jsc#SLE-18970).
- scsi: qla2xxx: Add heartbeat check (bsc#1189392).
- scsi: qla2xxx: Fix error return code in qla82xx_write_flash_dword() (bsc#1189392).
- scsi: qla2xxx: Fix spelling mistakes 'allloc' -> 'alloc' (bsc#1189392).
- scsi: qla2xxx: Fix use after free in debug code (bsc#1189392).
- scsi: qla2xxx: Log PCI address in qla_nvme_unregister_remote_port() (bsc#1189392).
- scsi: qla2xxx: Remove duplicate declarations (bsc#1189392).
- scsi: qla2xxx: Remove redundant assignment to rval (bsc#1189392).
- scsi: qla2xxx: Remove redundant continue statement in a for-loop (bsc#1189392).
- scsi: qla2xxx: Remove redundant initialization of variable num_cnt (bsc#1189392).
- scsi: qla2xxx: Remove unused variable 'status' (bsc#1189392).
- scsi: qla2xxx: Update version to 10.02.00.107-k (bsc#1189392).
- scsi: qla2xxx: Use list_move_tail() instead of list_del()/list_add_tail() (bsc#1189392).
- scsi: qla2xxx: Use the proper SCSI midlayer interfaces for PI (bsc#1189392).
- scsi: qla2xxx: edif: Add authentication pass + fail bsgs (bsc#1189392).
- scsi: qla2xxx: edif: Add detection of secure device (bsc#1189392).
- scsi: qla2xxx: edif: Add doorbell notification for app (bsc#1189392).
- scsi: qla2xxx: edif: Add encryption to I/O path (bsc#1189392).
- scsi: qla2xxx: edif: Add extraction of auth_els from the wire (bsc#1189392).
- scsi: qla2xxx: edif: Add getfcinfo and statistic bsgs (bsc#1189392).
- scsi: qla2xxx: edif: Add key update (bsc#1189392).
- scsi: qla2xxx: edif: Add send, receive, and accept for auth_els (bsc#1189392).
- scsi: qla2xxx: edif: Add start + stop bsgs (bsc#1189392).
- scsi: qla2xxx: edif: Increment command and completion counts (bsc#1189392).
- scsi: scsi_transport_srp: Do not block target in SRP_PORT_LOST state (bsc#1184180).
- scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal (bsc#1189392).
- scsi: zfcp: Report port fc_security as unknown early during remote cable pull (git-fixes).
- serial: 8250: Mask out floating 16/32-bit bus bits (git-fixes).
- serial: 8250_mtk: fix uart corruption issue when rx power off (git-fixes).
- serial: tegra: Only print FIFO error message when an error occurs (git-fixes).
- slimbus: messaging: check for valid transaction id (git-fixes).
- slimbus: messaging: start transaction ids from 1 instead of zero (git-fixes).
- slimbus: ngd: reset dma setup during runtime pm (git-fixes).
- soc: aspeed: lpc-ctrl: Fix boundary check for mmap (git-fixes).
- soc: aspeed: p2a-ctrl: Fix boundary check for mmap (git-fixes).
- soc: ixp4xx/qmgr: fix invalid __iomem access (git-fixes).
- soc: ixp4xx: fix printing resources (git-fixes).
- soc: qcom: rpmhpd: Use corner in power_off (git-fixes).
- soc: qcom: smsm: Fix missed interrupts if state changes while masked (git-fixes).
- spi: imx: mx51-ecspi: Fix CONFIGREG delay comment (git-fixes).
- spi: imx: mx51-ecspi: Fix low-speed CONFIGREG delay calculation (git-fixes).
- spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay (git-fixes).
- spi: mediatek: Fix fifo transfer (git-fixes).
- spi: meson-spicc: fix memory leak in meson_spicc_remove (git-fixes).
- spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config (git-fixes).
- spi: spi-pic32: Fix issue with uninitialized dma_slave_config (git-fixes).
- spi: sprd: Fix the wrong WDG_LOAD_VAL (git-fixes).
- spi: stm32h7: fix full duplex irq handler handling (git-fixes).
- staging: rtl8192u: Fix bitwise vs logical operator in TranslateRxSignalStuff819xUsb() (git-fixes).
- staging: rtl8712: get rid of flush_scheduled_work (git-fixes).
- staging: rtl8723bs: Fix a resource leak in sd_int_dpc (git-fixes).
- tracing / histogram: Fix NULL pointer dereference on strcmp() on NULL event name (git-fixes).
- tracing / histogram: Give calculation hist_fields a size (git-fixes).
- tracing: Reject string operand in the histogram expression (git-fixes).
- tty: serial: fsl_lpuart: fix the wrong mapbase value (git-fixes).
- ubifs: Fix error return code in alloc_wbufs() (bsc#1189585).
- ubifs: Fix memleak in ubifs_init_authentication (bsc#1189583).
- ubifs: Only check replay with inode type to judge if inode linked (bsc#1187455).
- ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode (bsc#1189587).
- ubifs: journal: Fix error return code in ubifs_jnl_write_inode() (bsc#1189586).
- usb: bdc: Fix an error handling path in 'bdc_probe()' when no suitable DMA config is available (git-fixes).
- usb: dwc2: Postponed gadget registration to the udc class driver (git-fixes).
- usb: dwc3: Add support for DWC_usb32 IP (git-fixes).
- usb: dwc3: Disable phy suspend after power-on reset (git-fixes).
- usb: dwc3: Separate field holding multiple properties (git-fixes).
- usb: dwc3: Stop active transfers before halting the controller (git-fixes).
- usb: dwc3: Use clk_bulk_prepare_enable() (git-fixes).
- usb: dwc3: Use devres to get clocks (git-fixes).
- usb: dwc3: core: Properly default unspecified speed (git-fixes).
- usb: dwc3: core: do not do suspend for device mode if already suspended (git-fixes).
- usb: dwc3: debug: Remove newline printout (git-fixes).
- usb: dwc3: gadget: Check MPS of the request length (git-fixes).
- usb: dwc3: gadget: Clear DCTL.ULSTCHNGREQ before set (git-fixes).
- usb: dwc3: gadget: Clear DEP flags after stop transfers in ep disable (git-fixes).
- usb: dwc3: gadget: Disable gadget IRQ during pullup disable (git-fixes).
- usb: dwc3: gadget: Do not send unintended link state change (git-fixes).
- usb: dwc3: gadget: Do not setup more than requested (git-fixes).
- usb: dwc3: gadget: Fix dwc3_calc_trbs_left() (git-fixes).
- usb: dwc3: gadget: Fix handling ZLP (git-fixes).
- usb: dwc3: gadget: Give back staled requests (git-fixes).
- usb: dwc3: gadget: Handle ZLP for sg requests (git-fixes).
- usb: dwc3: gadget: Prevent EP queuing while stopping transfers (git-fixes).
- usb: dwc3: gadget: Properly track pending and queued SG (git-fixes).
- usb: dwc3: gadget: Restart DWC3 gadget when enabling pullup (git-fixes).
- usb: dwc3: gadget: Set BESL config parameter (git-fixes).
- usb: dwc3: gadget: Set link state to RX_Detect on disconnect (git-fixes).
- usb: dwc3: gadget: Stop EP0 transfers during pullup disable (git-fixes).
- usb: dwc3: gadget: Workaround Microsoft's BESL check (git-fixes).
- usb: dwc3: meson-g12a: add IRQ check (git-fixes).
- usb: dwc3: meson-g12a: check return of dwc3_meson_g12a_usb_init (git-fixes).
- usb: dwc3: of-simple: add a shutdown (git-fixes).
- usb: dwc3: st: Add of_dev_put() in probe function (git-fixes).
- usb: dwc3: st: Add of_node_put() before return in probe function (git-fixes).
- usb: dwc3: support continuous runtime PM with dual role (git-fixes).
- usb: ehci-orion: Handle errors of clk_prepare_enable() in probe (git-fixes).
- usb: gadget: Export recommended BESL values (git-fixes).
- usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers (git-fixes).
- usb: gadget: f_hid: fixed NULL pointer dereference (git-fixes).
- usb: gadget: f_hid: idle uses the highest byte for duration (git-fixes).
- usb: gadget: mv_u3d: request_irq() after initializing UDC (git-fixes).
- usb: gadget: udc: at91: add IRQ check (git-fixes).
- usb: gadget: udc: renesas_usb3: Fix soc_device_match() abuse (git-fixes).
- usb: host: ohci-tmio: add IRQ check (git-fixes).
- usb: host: xhci-rcar: Do not reload firmware after the completion (git-fixes).
- usb: mtu3: fix the wrong HS mult value (git-fixes).
- usb: mtu3: use @mult for HS isoc or intr (git-fixes).
- usb: phy: fsl-usb: add IRQ check (git-fixes).
- usb: phy: tahvo: add IRQ check (git-fixes).
- usb: phy: twl6030: add IRQ checks (git-fixes).
- virt_wifi: fix error on connect (git-fixes).
- virtio_pci: Support surprise removal of virtio pci device (git-fixes).
- wireguard: allowedips: allocate nodes in kmem_cache (git-fixes).
- wireguard: allowedips: free empty intermediate nodes when removing single node (git-fixes).
- wireguard: allowedips: remove nodes in O(1) (git-fixes).
- writeback: fix obtain a reference to a freeing memcg css (bsc#1189577).
- x86/fpu: Limit xstate copy size in xstateregs_set() (bsc#1152489).
- x86/fpu: Make init_fpstate correct with optimized XSAVE (bsc#1152489).
- x86/fpu: Reset state for all signal restore failures (bsc#1152489).
- x86/kvm: fix vcpu-id indexed array sizes (git-fixes).
- x86/signal: Detect and prevent an alternate signal stack overflow (bsc#1152489).
- xen/events: Fix race in set_evtchn_to_irq (git-fixes).
- xprtrdma: Pad optimization, revisited (bsc#1189760).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3233-1
Released: Mon Sep 27 15:02:21 2021
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1085917,1181299,1181306,1181309,1181535,1181536,1188651,1189552

This update for xfsprogs fixes the following issues:

- Fixes an issue when 'fstests' with 'xfs' fail. (bsc#1181309, bsc#1181299)
- xfsprogs: Split 'libhandle1' into a separate package, since nothing within xfsprogs dynamically links against it. The shared library is still required by xfsdump as a runtime dependency.
- mkfs.xfs: Fix 'ASSERT' on too-small device with stripe geometry. (bsc#1181536)
- mkfs.xfs: If either 'sunit' or 'swidth' is not zero, the other must be as well. (bsc#1085917, bsc#1181535)
- xfs_growfs: Refactor geometry reporting. (bsc#1181306)
- xfs_growfs: Allow mounted device node as argument. (bsc#1181299)
- xfs_repair: Rebuild directory when non-root leafn blocks claim block 0. (bsc#1181309)
- xfs_repair: Check plausibility of root dir pointer before trashing it. (bsc#1188651)
- xfs_bmap: Remove '-c' from manpage. (bsc#1189552)
- xfs_bmap: Do not reject '-e'. (bsc#1189552)
- Implement 'libhandle1' through ECO. (jsc#SLE-20360)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3245-1
Released: Tue Sep 28 13:54:31 2021
Summary: Recommended update for docker
Type: recommended
Severity: important
References: 1190670

This update for docker fixes the following issues:

- Return ENOSYS for clone3 in the seccomp profile to avoid breaking containers using glibc 2.34.
- Add shell requires for the *-completion subpackages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3274-1
Released: Fri Oct 1 10:34:17 2021
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: important
References: 1190858

This update for ca-certificates-mozilla fixes the following issues:

- remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires September 30th 2021 and openssl certificate chain handling does not handle this correctly in openssl 1.0.2 and older. (bsc#1190858)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3298-1
Released: Wed Oct 6 16:54:52 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1190373,1190374,CVE-2021-22946,CVE-2021-22947

This update for curl fixes the following issues:

- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3303-1
Released: Wed Oct 6 18:11:24 2021
Summary: Recommended update for kdump
Type: recommended
Severity: moderate
References: 1172670,1182309,1183070,1184616,1186037,1188090

This update for kdump fixes the following issues:

- Do not iterate past end of string (bsc#1186037).
- Query systemd network.service to find out if wicked is used (bsc#1182309).
- Add 'bootdev=' to dracut command line (bsc#1182309).
- Fix incorrect exit code checking after 'local' with assignment (bsc#1184616).
- Do not add network-related dracut options if ip= is set explicitly (bsc#1182309, bsc#1188090).
- Make sure that initrd.target.wants directory exists (bsc#1172670).
- Install /etc/resolv.conf using its resolved path (bsc#1183070).
- Avoid an endless loop when resolving a hostname fails with EAI_AGAIN (bsc#1183070).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3318-1
Released: Wed Oct 6 19:31:19 2021
Summary: Recommended update for sudo
Type: recommended
Severity: moderate
References: 1176473,1181371

This update for sudo fixes the following issues:

- Update to sudo 1.8.27 (jsc#SLE-17083).
- Fixed special handling of ipa_hostname (bsc#1181371).
- Restore sudo ldap behavior to ignore expire dates when SUDOERS_TIMED option is not set in /etc/ldap.conf (bsc#1176473).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3348-1
Released: Tue Oct 12 13:08:06 2021
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910

This update for systemd fixes the following issues:

- CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).
- logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
- Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
- Rules weren't applied to dm devices (multipath) (bsc#1188713).
- Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
- Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
- Allow the systemd sysusers config files to be overridden during system installation (bsc#1171962).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3382-1
Released:    Tue Oct 12 14:30:17 2021
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:
This update for ca-certificates-mozilla fixes the following issues:

- A new sub-package for minimal base containers (jsc#SLE-22162)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3385-1
Released:    Tue Oct 12 15:54:31 2021
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1186489,1187911,CVE-2021-33574,CVE-2021-35942
This update for glibc fixes the following issues:

- CVE-2021-35942: wordexp: handle overflow in the positional parameter number (bsc#1187911)
- CVE-2021-33574: mq_notify: use __pthread_attr_copy so the notification thread does not access caller-owned thread attributes after they have been freed (bsc#1186489)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3411-1
Released:    Wed Oct 13 10:42:25 2021
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1191019
This update for lvm2 fixes the following issues:

- Do not crash vgextend when extending a VG with a missing PV (bsc#1191019).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3412-1
Released:    Wed Oct 13 10:50:33 2021
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    important
References:  1189841,1190598
This update for suse-module-tools fixes the following issues:

- Fixed an issue where the queuing of secure boot certificates did not happen (bsc#1189841, bsc#1190598)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3444-1
Released:    Fri Oct 15 09:03:07 2021
Summary:     Security update for rpm
Type:        security
Severity:    important
References:  1179416,1183543,1183545,1183632,1183659,1185299,1187670,1188548,CVE-2021-20266,CVE-2021-20271,CVE-2021-3421
This update for rpm fixes the following issues:

Security issues fixed:

- CVE-2021-3421, CVE-2021-20271, CVE-2021-20266: Multiple header check improvements (bsc#1183543, bsc#1183545, bsc#1183632)
- PGP hardening changes (bsc#1185299)
- Fixed potential access of freed memory in ndb's glue code (bsc#1179416)

Maintenance issues fixed:

- Fixed zstd detection (bsc#1187670)
- Added ndb rofs support (bsc#1188548)
- Fixed a deadlock when multiple rpm processes try to acquire the database lock (bsc#1183659)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3447-1
Released:    Fri Oct 15 09:05:12 2021
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292,CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
The SUSE Linux Enterprise 15 SP2 kernel was updated.

The following security bugs were fixed:

- CVE-2020-3702: Fixed a bug that could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device, leading to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure (bnc#1191193).
- CVE-2021-3752: Fixed a use-after-free in the Linux kernel's Bluetooth module (bsc#1190023).
- CVE-2021-40490: Fixed a race condition in the ext4 subsystem that could lead to local privilege escalation (bnc#1190159).
- CVE-2021-3744: Fixed a memory leak in the ccp crypto driver that could allow attackers to cause a denial of service (bsc#1189884).
- CVE-2021-3764: Fixed a memory leak in the ccp crypto driver that could allow attackers to cause a denial of service (bsc#1190534).
- CVE-2021-3669: Fixed /proc/sysvipc/shm not scaling with large shared memory segment counts, which could lead to resource exhaustion and DoS (bsc#1188986).

The following non-security bugs were fixed:

- ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes).
- apparmor: remove duplicate macro list_entry_is_head() (git-fixes).
- ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes).
- ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes).
- ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes).
- ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes).
- ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes).
- ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes).
- ath9k: fix sleeping in atomic context (git-fixes).
- blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
- blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762).
- blk-mq: mark if one queue map uses managed irq (bsc#1185762).
- Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes).
- bnx2x: fix an error code in bnx2x_nic_load() (git-fixes).
- bnxt_en: Add missing DMA memory barriers (git-fixes).
- bnxt_en: Disable aRFS if running on 212 firmware (git-fixes). - bnxt_en: Do not enable legacy TX push on older firmware (git-fixes). - bnxt_en: Store the running firmware version code (git-fixes). - bnxt: count Tx drops (git-fixes). - bnxt: disable napi before canceling DIM (git-fixes). - bnxt: do not lock the tx queue from napi poll (git-fixes). - bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes). - btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626). - clk: at91: clk-generated: Limit the requested rate to our range (git-fixes). - clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes). - console: consume APC, DM, DCS (git-fixes). - cuse: fix broken release (bsc#1190596). - cxgb4: dont touch blocked freelist bitmap after free (git-fixes). - debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746). - devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353). - dmaengine: ioat: depends on !UML (git-fixes). - dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes). - dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes). - docs: Fix infiniband uverbs minor number (git-fixes). - drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes). - drm: avoid blocking in drm_clients_info's rcu section (git-fixes). - drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes). - drm/amd/display: Fix timer_per_pixel unit error (git-fixes). - drm/amdgpu: Fix BUG_ON assert (git-fixes). - drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes). - drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes). - drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes). - e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100). - e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes). 
- EDAC/i10nm: Fix NVDIMM detection (bsc#1152489). - EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489). - erofs: fix up erofs_lookup tracepoint (git-fixes). - fbmem: do not allow too huge resolutions (git-fixes). - fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes). - fpga: machxo2-spi: Return an error on failure (git-fixes). - fuse: flush extending writes (bsc#1190595). - fuse: truncate pagecache on atomic_o_trunc (bsc#1190705). - genirq: add device_has_managed_msi_irq (bsc#1185762). - gpio: uniphier: Fix void functions to remove return value (git-fixes). - gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes). - gve: fix the wrong AdminQ buffer overflow check (bsc#1176940). - hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726). - hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726). - hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes). - hwmon: (tmp421) fix rounding for negative values (git-fixes). - hwmon: (tmp421) report /PVLD condition as fault (git-fixes). - i40e: Add additional info to PHY type error (git-fixes). - i40e: Fix firmware LLDP agent related warning (git-fixes). - i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes). - i40e: Fix logic of disabling queues (git-fixes). - i40e: Fix queue-to-TC mapping on Tx (git-fixes). - iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940). - iavf: Set RSS LUT and key in reset handle path (git-fixes). - ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510). - ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943). - ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943). - ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943). 
- ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943). - ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943). - ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943). - ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943). - ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943). - ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943). - ice: Prevent probing virtual functions (git-fixes). - iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes). - include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes). - iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784). - ionic: cleanly release devlink instance (bsc#1167773). - ionic: count csum_none when offload enabled (bsc#1167773). - ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115). - ipc/util.c: use binary search for max_idx (bsc#1159886). - ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467). - ipvs: avoid expiring many connections from timer (bsc#1190467). - ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467). - ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467). - iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes). - kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable. - kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs. - kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167 bsc#1191240 ltc#194716). - kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#1190358). The script part for base package case is completely separate from the part for subpackages. 
Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead. - libata: fix ata_host_start() (git-fixes). - mac80211-hwsim: fix late beacon hrtimer handling (git-fixes). - mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes). - mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes). - mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes). - mac80211: mesh: fix potentially unaligned access (git-fixes). - media: cedrus: Fix SUNXI tile size calculation (git-fixes). - media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes). - media: dib8000: rewrite the init prbs logic (git-fixes). - media: imx258: Limit the max analogue gain to 480 (git-fixes). - media: imx258: Rectify mismatch of VTS value (git-fixes). - media: rc-loopback: return number of emitters rather than error (git-fixes). - media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes). - media: uvc: do not do DMA on stack (git-fixes). - media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes). - mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes). - mlx4: Fix missing error code in mlx4_load_one() (git-fixes). - mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes). - mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785). - mmc: core: Return correct emmc response in case of ioctl error (git-fixes). - mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes). - mmc: sdhci-of-arasan: Check return value of non-void funtions (git-fixes). - net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726). - net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726). - net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726). - net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726). 
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726). - net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726). - net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726). - net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726). - net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726). - net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726). - net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes). - net: sched: sch_teql: fix null-pointer dereference (bsc#1190717). - net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes). - net/mlx5: Fix flow table chaining (git-fixes). - net/mlx5: Fix return value from tracer initialization (git-fixes). - net/mlx5: Unload device upon firmware fatal error (git-fixes). - net/mlx5e: Avoid creating tunnel headers for local route (git-fixes). - net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes). - net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes). - netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062). - nfp: update ethtool reporting of pauseframe control (git-fixes). - NFS: change nfs_access_get_cached to only report the mask (bsc#1190746). - NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746). - NFS: pass cred explicitly for access tests (bsc#1190746). - nvme: avoid race in shutdown namespace removal (bsc#1188067). - nvme: fix refcounting imbalance when all paths are down (bsc#1188067). - parport: remove non-zero check on count (git-fixes). - PCI: aardvark: Fix checking for PIO status (git-fixes). - PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes). - PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes). - PCI: Add ACS quirks for Cavium multi-function devices (git-fixes). 
- PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes). - PCI: Add AMD GPU multi-function power dependencies (git-fixes). - PCI: ibmphp: Fix double unmap of io_mem (git-fixes). - PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes). - PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes). - PCI: pci-bridge-emul: Fix big-endian support (git-fixes). - PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes). - PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes). - PM: base: power: do not try to use non-existing RTC for storing data (git-fixes). - PM: EM: Increase energy calculation precision (git-fixes). - power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes). - power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes). - powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289). - powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868). - powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523). - powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729). - powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729). - powerpc/perf: Fix the check for SIAR value (bsc#1065729). - powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729). - powerpc/perf: Use stack siar instead of mfspr (bsc#1065729). - powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729). - powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729). - powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729). - powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498). - powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729). - pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523). 
- pwm: img: Do not modify HW state in .remove() callback (git-fixes). - pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes). - pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes). - qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes). - RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774). - Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes). - regmap: fix page selection for noinc reads (git-fixes). - regmap: fix page selection for noinc writes (git-fixes). - regmap: fix the offset of register error log (git-fixes). - Restore kabi after NFS: pass cred explicitly for access tests (bsc#1190746). - rpm: Abolish scritplet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. This allows fixing bugs in the scriptlets as well as defining initrd regeneration policy independent of the kernel packages. - rpm/kernel-binary.spec: Use only non-empty certificates. - rpm/kernel-binary.spec.in: avoid conflicting suse-release suse-release had arbitrary values in staging, we can't use it for dependencies. The filesystem one has to be enough (boo#1184804). - rtc: rx8010: select REGMAP_I2C (git-fixes). - rtc: tps65910: Correct driver module alias (git-fixes). - s390/unwind: use current_frame_address() to unwind current task (bsc#1185677). - sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292). - scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576). - scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576). - scsi: fc: Add EDC ELS definition (bsc#1190576). - scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576). - scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576). - scsi: lpfc: Add cm statistics buffer support (bsc#1190576). - scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576). - scsi: lpfc: Add cmfsync WQE support (bsc#1190576). 
- scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576). - scsi: lpfc: Add EDC ELS support (bsc#1190576). - scsi: lpfc: Add MIB feature enablement support (bsc#1190576). - scsi: lpfc: Add rx monitoring statistics (bsc#1190576). - scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576). - scsi: lpfc: Add support for cm enablement buffer (bsc#1190576). - scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576). - scsi: lpfc: Add support for the CM framework (bsc#1190576). - scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576). - scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576). - scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576). - scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576). - scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576). - scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576). - scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576). - scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576). - scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576). - scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576). - scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576). - scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576). - scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576). - scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576). - scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576). - scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576). - scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576). - scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576). - scsi: lpfc: Remove unneeded variable (bsc#1190576). 
- scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576). - scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576). - scsi: lpfc: Use correct scnprintf() limit (bsc#1190576). - scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576). - scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576). - scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576). - scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297). - serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes). - serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes). - serial: mvebu-uart: fix driver's tx_empty callback (git-fixes). - serial: sh-sci: fix break handling for sysrq (git-fixes). - spi: Fix tegra20 build with CONFIG_PM=n (git-fixes). - staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes). - staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes). - staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes). - thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes). - time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes). - tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes). - tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes). - tty: synclink_gt, drop unneeded forward declarations (git-fixes). - usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes). - usb: core: hcd: Add support for deferring roothub registration (git-fixes). - usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes). - usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes). - usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes). - usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes). 
- usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes). - usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes). - usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes). - usb: host: fotg210: fix the actual_length of an iso packet (git-fixes). - usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes). - usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes). - usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes). - usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes). - usb: serial: option: add device id for Foxconn T99W265 (git-fixes). - usb: serial: option: add Telit LN920 compositions (git-fixes). - usb: serial: option: remove duplicate USB device ID (git-fixes). - usbip: give back URBs for unsent unlink requests during cleanup (git-fixes). - usbip:vhci_hcd USB port can get stuck in the disabled state (git-fixes). - video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes). - video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes). - video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes). - video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes). - vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406). - vmxnet3: add support for ESP IPv6 RSS (bsc#1190406). - vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406). - vmxnet3: prepare for version 6 changes (bsc#1190406). - vmxnet3: remove power of 2 limitation on the queues (bsc#1190406). - vmxnet3: set correct hash type based on rss information (bsc#1190406). - vmxnet3: update to version 6 (bsc#1190406). - watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes). - x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302). - x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439). 
- x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289).
- x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489).
- x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489).
- x86/resctrl: Fix default monitoring groups reporting (bsc#1152489).
- xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651).
- xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679).
- xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).
- xhci: Set HCD flag to defer primary roothub registration (git-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3454-1
Released:    Mon Oct 18 09:29:26 2021
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1189929,CVE-2021-37750
This update for krb5 fixes the following issues:

- CVE-2021-37750: Fixed a KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3479-1
Released:    Wed Oct 20 11:23:45 2021
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1184970,1186260,1187115,1187470,1187774,1190845
This update for dracut fixes the following issues:

- Fix usage information for the -f parameter (bsc#1187470).
- Fix obsolete reference to 96insmodpost in the manpage (bsc#1187774).
- Remove references to INITRD_MODULES (bsc#1187115).
- Multipath FCoE configurations may not boot when using only one path (bsc#1186260).
- Adjust path for SUSE: /var/lib/nfs/statd/sm to /var/lib/nfs/sm (bsc#1184970).
- Systemd coredump unit files are missing in the initrd (bsc#1190845).
- Use $kernel rather than $(uname -r).
- Exclude modules that are built-in.
- Restore INITRD_MODULES in the mkinitrd script.
- Call dracut_instmods with hostonly.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3480-1
Released:    Wed Oct 20 11:24:08 2021
Summary:     Recommended update for yast2-network
Type:        recommended
Severity:    moderate
References:  1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933
This update for yast2-network fixes the following issues:

- Don't crash when the interfaces table contains an unconfigured interface (bnc#1190645, bsc#1190915).
- Fix the shown description, using the interface friendly name when the description is empty (bsc#1190933).
- Treat alias sections as case insensitive (bsc#1190739).
- Display the user-defined device name in the devices overview (bnc#1190645).
- Don't crash when aliases defined in an AutoYaST profile are not defined as a map (bsc#1188344).
- Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
- Fix the desktop file so the control center tooltip is translated (bsc#1187270).
- Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
- Don't crash at the end of installation when storing the wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3490-1
Released:    Wed Oct 20 16:31:55 2021
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1190793,CVE-2021-39537
This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo (bsc#1190793).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3494-1
Released:    Wed Oct 20 16:48:46 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1190052
This update for pam fixes the following issues:

- Added pam_faillock to the set of available PAM modules (jsc#SLE-20638).
- Added the new file macros.pam on request of systemd (bsc#1190052).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3501-1
Released:    Fri Oct 22 10:42:46 2021
Summary:     Recommended update for libzypp, zypper, libsolv, protobuf
Type:        recommended
Severity:    moderate
References:  1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815
This update for libzypp, zypper, libsolv and protobuf fixes the following issues:

- Choice rules: treat orphaned packages as newest (bsc#1190465)
- Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602)
- Do not check signatures and keys twice (redundant check) (bsc#1190059)
- Rephrase the vendor conflict message in case two packages are involved (bsc#1187760)
- Show the key fingerprint from the signature when the signature check fails (bsc#1187224)
- Fix solver jobs for PTFs (bsc#1186503)
- Fix purge-kernels failures (bsc#1187738)
- Fix obs:// platform guessing for Leap (bsc#1187425)
- Make sure to keep states alive while transitioning (bsc#1190199)
- Manpage: Improve the description of patch updates (bsc#1187466)
- Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- Fix kernel-*-livepatch removal in purge-kernels (bsc#1190815)
- Fix crashes in logging code when shutting down (bsc#1189031)
- Do not download full files even if the checkExistsOnly flag is set (bsc#1190712)
- Add a need reboot/restart hint to the XML install summary (bsc#1188435)
- Prompt: choose the exact match if prompt options are not prefix free (bsc#1188156)
- Include libprotobuf-lite20 in products to enable parallel downloads (jsc#ECO-2911, jsc#SLE-16862)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3506-1
Released:    Mon Oct 25 10:20:22 2021
Summary:     Security update for containerd, docker, runc
Type:        security
Severity:    important
References:  1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434,CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
This update for containerd, docker, runc fixes the following issues:

- Docker was updated to 20.10.9-ce (bsc#1191355), fixing CVE-2021-41089, CVE-2021-41091, CVE-2021-41092 and CVE-2021-41103. See the upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
- containerd was updated to v1.4.11, to fix CVE-2021-41103 (bsc#1191355).
- CVE-2021-32760: Fixed the archive package allowing chmod of files outside the unpack target directory (bsc#1188282)
- Install the systemd service file as well (bsc#1190826)

Update to runc v1.0.2. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.2

  * Fixed a failure to set CPU quota period in some cases on cgroup v1.
  * Fixed the inability to start a container with the 'adding seccomp filter rule for syscall ...' error, caused by redundant seccomp rules (i.e. those whose action equals the default one). Such redundant rules are now skipped.
  * Made release builds reproducible from now on.
  * Fixed a rare debug log race in runc init, which can result in occasional harmful 'failed to decode ...' errors from runc run or exec.
  * Fixed the check in the cgroup v1 systemd manager for whether a container needs to be frozen before Set, and added a setting to skip such a freeze unconditionally. The previous fix for that issue, done in runc 1.0.1, was not working.

Update to runc v1.0.1. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.1

  * Fixed occasional runc exec/run failure ('interrupted system call') on an Azure volume.
  * Fixed 'unable to find groups ... token too long' error with /etc/group containing lines longer than 64K characters.
  * cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is frozen. This is a regression in 1.0.0, not affecting runc itself but some libcontainer users (e.g. Kubernetes).
  * cgroupv2: bpf: Ignore inaccessible existing programs in case of permission error when handling replacement of existing bpf cgroup programs. This fixes a regression in 1.0.0, where some SELinux policies would block runc from being able to run entirely.
  * cgroup/systemd/v2: don't freeze cgroup on Set.
  * cgroup/systemd/v1: avoid unnecessary freeze on Set.

- Fix issues with runc under openSUSE MicroOS's SELinux policy (bsc#1187704)

Update to runc v1.0.0. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0

  ! The usage of relative paths for mountpoints will now produce a warning (such configurations are outside of the spec, and in future runc will produce an error when given such configurations).
  * cgroupv2: devices: rework the filter generation to produce consistent results with cgroupv1, and always clobber any existing eBPF program(s) to fix runc update and avoid leaking eBPF programs (resulting in errors when managing containers).
  * cgroupv2: correctly convert 'number of IOs' statistics in a cgroupv1-compatible way.
  * cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
  * cgroupv2: wait for freeze to finish before returning from the freezing code, optimize the method for checking whether a cgroup is frozen.
  * cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94
  * cgroups/systemd: fixed returning 'unit already exists' error from a systemd cgroup manager (regression in rc94)
  + cgroupv2: support SkipDevices with systemd driver
  + cgroup/systemd: return, not ignore, stop unit error from Destroy
  + Make 'runc --version' output sane even when built with go get or otherwise outside of our build scripts.
  + cgroups: set SkipDevices during runc update (so we don't modify cgroups at all during runc update).
  + cgroup1: blkio: support BFQ weights.
  + cgroupv2: set per-device io weights if BFQ IO scheduler is available.

Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95

  This release of runc contains a fix for CVE-2021-30465 (a symlink-exchange race that lets a container mount paths from outside its rootfs), and users are strongly recommended to update (especially if you are providing semi-limited access to spawn containers to untrusted users). (bsc#1185405)

Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94

  Breaking Changes:
  * cgroupv1: kernel memory limits are now always ignored, as kmemcg has been effectively deprecated by the kernel. Users should make use of regular memory cgroup controls.
  Regression Fixes:
  * seccomp: fix 32-bit compilation errors
  * runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
  * runc start: fix 'chdir to cwd: permission denied' for some setups

The following package changes have been done:

- SUSEConnect-0.3.31-13.1 updated
- ca-certificates-mozilla-2.44-21.1 updated
- containerd-ctr-1.4.11-56.1 updated
- containerd-1.4.11-56.1 updated
- curl-7.66.0-4.27.1 updated
- docker-20.10.9_ce-156.1 updated
- dracut-049.1+suse.209.gebcf4f33-3.40.1 updated
- efibootmgr-14-4.3.2 updated
- file-magic-5.32-7.14.1 updated
- file-5.32-7.14.1 updated
- glibc-locale-base-2.26-13.59.1 updated
- glibc-locale-2.26-13.59.1 updated
- glibc-2.26-13.59.1 updated
- grub2-i386-pc-2.04-9.49.3 updated
- grub2-x86_64-efi-2.04-9.49.3 updated
- grub2-x86_64-xen-2.04-9.49.3 updated
- grub2-2.04-9.49.3 updated
- kdump-0.9.0-11.6.1 updated
- kernel-default-5.3.18-24.86.2 updated
- kmod-compat-25-6.10.1 updated
- kmod-25-6.10.1 updated
- krb5-1.16.3-3.24.1 updated
- libaugeas0-1.10.1-3.3.1 updated
- libcroco-0_6-3-0.6.13-3.3.1 updated
- libcurl4-7.66.0-4.27.1 updated
-
libdevmapper1_03-1.02.163-8.36.1 updated - libfreebl3-3.68-3.56.1 updated - libkmod2-25-6.10.1 updated - libmagic1-5.32-7.14.1 updated - libncurses6-6.1-5.9.1 updated - libprotobuf-lite20-3.9.2-4.9.1 added - libsolv-tools-0.7.20-9.2 updated - libsystemd0-234-24.93.1 updated - libudev1-234-24.93.1 updated - libzypp-17.28.5-15.2 updated - ncurses-utils-6.1-5.9.1 updated - pam-1.3.0-6.47.1 updated - perl-Bootloader-0.931-3.5.1 updated - python3-pytz-2021.1-6.7.1 updated - rpm-ndb-4.14.1-22.4.2 updated - runc-1.0.2-23.1 updated - sudo-1.8.27-4.21.4 updated - suse-module-tools-15.2.13-4.6.1 updated - systemd-sysvinit-234-24.93.1 updated - systemd-234-24.93.1 updated - terminfo-base-6.1-5.9.1 updated - terminfo-6.1-5.9.1 updated - udev-234-24.93.1 updated - xen-libs-4.13.3_04-3.37.1 updated - xen-tools-domU-4.13.3_04-3.37.1 updated - xfsprogs-4.15.0-4.40.1 updated - zypper-1.14.49-16.1 updated From sle-security-updates at lists.suse.com Thu Oct 28 06:53:13 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Thu, 28 Oct 2021 08:53:13 +0200 (CEST) Subject: SUSE-CU-2021:472-1: Security update of suse/sle15 Message-ID: <20211028065313.209BEFBB1@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:472-1 Container Tags : suse/sle15:15.0 , suse/sle15:15.0.4.22.468 Container Release : 4.22.468 Severity : moderate Type : security References : 1172973 1172974 CVE-2019-20838 CVE-2020-14155 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3529-1
Released:    Wed Oct 27 09:23:32 2021
Summary:     Security update for pcre
Type:        security
Severity:    moderate
References:  1172973,1172974,CVE-2019-20838,CVE-2020-14155

This update for pcre fixes the following issues:

Update pcre to version 8.45:

- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

The following package changes have been done:

- libpcre1-8.45-20.10.1 updated


From sle-security-updates at lists.suse.com Thu Oct 28 07:12:24 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 28 Oct 2021 09:12:24 +0200 (CEST)
Subject: SUSE-CU-2021:473-1: Security update of suse/sle15
Message-ID: <20211028071224.90386FBB1@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:473-1
Container Tags        : suse/sle15:15.1 , suse/sle15:15.1.6.2.524
Container Release     : 6.2.524
Severity              : moderate
Type                  : security
References            : 1172973 1172974 CVE-2019-20838 CVE-2020-14155
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3529-1
Released:    Wed Oct 27 09:23:32 2021
Summary:     Security update for pcre
Type:        security
Severity:    moderate
References:  1172973,1172974,CVE-2019-20838,CVE-2020-14155

This update for pcre fixes the following issues:

Update pcre to version 8.45:

- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

The following package changes have been done:

- libpcre1-8.45-20.10.1 updated


From sle-security-updates at lists.suse.com Thu Oct 28 07:26:17 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 28 Oct 2021 09:26:17 +0200 (CEST)
Subject: SUSE-CU-2021:474-1: Security update of suse/sle15
Message-ID: <20211028072617.AA93AFBB1@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:474-1
Container Tags        : suse/sle15:15.2 , suse/sle15:15.2.9.5.40
Container Release     : 9.5.40
Severity              : moderate
Type                  : security
References            : 1172973 1172974 CVE-2019-20838 CVE-2020-14155
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3529-1
Released:    Wed Oct 27 09:23:32 2021
Summary:     Security update for pcre
Type:        security
Severity:    moderate
References:  1172973,1172974,CVE-2019-20838,CVE-2020-14155

This update for pcre fixes the following issues:

Update pcre to version 8.45:

- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

The following package changes have been done:

- libpcre1-8.45-20.10.1 updated


From sle-security-updates at lists.suse.com Thu Oct 28 07:32:23 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 28 Oct 2021 09:32:23 +0200 (CEST)
Subject: SUSE-CU-2021:476-1: Security update of suse/sle15
Message-ID: <20211028073223.5C1B8FDAB@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:476-1
Container Tags        : suse/sle15:15.3 , suse/sle15:15.3.17.8.22
Container Release     : 17.8.22
Severity              : moderate
Type                  : security
References            : 1172973 1172974 CVE-2019-20838 CVE-2020-14155
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3529-1
Released:    Wed Oct 27 09:23:32 2021
Summary:     Security update for pcre
Type:        security
Severity:    moderate
References:  1172973,1172974,CVE-2019-20838,CVE-2020-14155

This update for pcre fixes the following issues:

Update pcre to version 8.45:

- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

The following package changes have been done:

- libpcre1-8.45-20.10.1 updated


From sle-security-updates at lists.suse.com Thu Oct 28 19:17:20 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Thu, 28 Oct 2021 21:17:20 +0200 (CEST)
Subject: SUSE-SU-2021:3575-1: important: Security update for qemu
Message-ID: <20211028191720.D6A46FBB1@maintenance.suse.de>

SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3575-1
Rating:             important
References:         #1180432 #1180433 #1180434 #1180435 #1182651 #1186012 #1189145
Cross-References:   CVE-2020-35503 CVE-2020-35504 CVE-2020-35505 CVE-2020-35506 CVE-2021-20255 CVE-2021-3527 CVE-2021-3682
CVSS scores:
                    CVE-2020-35503 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
                    CVE-2020-35503 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-35504 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
                    CVE-2020-35504 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-35505 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-35505 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-35506 (NVD) : 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2020-35506 (SUSE): 5.6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H
                    CVE-2021-20255 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-20255 (SUSE): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L
                    CVE-2021-3527 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-3527 (SUSE): 3.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
                    CVE-2021-3682 (SUSE): 6 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Affected Products:
                    SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available.
Description:

This update for qemu fixes the following issues:

Security issues fixed:

- usbredir: free call on invalid pointer in bufp_alloc (bsc#1189145, CVE-2021-3682)
- NULL pointer dereference in ESP (bsc#1180433, CVE-2020-35504) (bsc#1180434, CVE-2020-35505) (bsc#1180435, CVE-2020-35506)
- NULL pointer dereference issue in megasas-gen2 host bus adapter (bsc#1180432, CVE-2020-35503)
- eepro100: stack overflow via infinite recursion (bsc#1182651, CVE-2021-20255)
- usb: unbounded stack allocation in usbredir (bsc#1186012, CVE-2021-3527)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP2-BCL:
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-3575=1

Package List:

- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
    qemu-2.6.2-41.73.1
    qemu-block-curl-2.6.2-41.73.1
    qemu-block-curl-debuginfo-2.6.2-41.73.1
    qemu-block-rbd-2.6.2-41.73.1
    qemu-block-rbd-debuginfo-2.6.2-41.73.1
    qemu-block-ssh-2.6.2-41.73.1
    qemu-block-ssh-debuginfo-2.6.2-41.73.1
    qemu-debugsource-2.6.2-41.73.1
    qemu-guest-agent-2.6.2-41.73.1
    qemu-guest-agent-debuginfo-2.6.2-41.73.1
    qemu-kvm-2.6.2-41.73.1
    qemu-lang-2.6.2-41.73.1
    qemu-tools-2.6.2-41.73.1
    qemu-tools-debuginfo-2.6.2-41.73.1
    qemu-x86-2.6.2-41.73.1
    qemu-x86-debuginfo-2.6.2-41.73.1

- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
    qemu-ipxe-1.0.0-41.73.1
    qemu-seabios-1.9.1_0_gb3ef39f-41.73.1
    qemu-sgabios-8-41.73.1
    qemu-vgabios-1.9.1_0_gb3ef39f-41.73.1

References:

https://www.suse.com/security/cve/CVE-2020-35503.html
https://www.suse.com/security/cve/CVE-2020-35504.html
https://www.suse.com/security/cve/CVE-2020-35505.html
https://www.suse.com/security/cve/CVE-2020-35506.html
https://www.suse.com/security/cve/CVE-2021-20255.html
https://www.suse.com/security/cve/CVE-2021-3527.html
https://www.suse.com/security/cve/CVE-2021-3682.html
https://bugzilla.suse.com/1180432
https://bugzilla.suse.com/1180433
https://bugzilla.suse.com/1180434
https://bugzilla.suse.com/1180435
https://bugzilla.suse.com/1182651
https://bugzilla.suse.com/1186012
https://bugzilla.suse.com/1189145


From sle-security-updates at lists.suse.com Fri Oct 29 06:55:34 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 29 Oct 2021 08:55:34 +0200 (CEST)
Subject: SUSE-CU-2021:482-1: Security update of suse/sle15
Message-ID: <20211029065534.59D01FBBB@maintenance.suse.de>

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2021:482-1
Container Tags        : suse/sle15:15.4 , suse/sle15:15.4.21.5
Container Release     : 21.5
Severity              : important
Type                  : security
References            : 1177127 1178236 1183154 1185016 1185524 1186489 1186503 1186602 1186910 1187224 1187270 1187425 1187466 1187512 1187738 1187760 1187911 1188156 1188344 1188435 1188921 1189031 1189454 1189550 1190052 1190059 1190199 1190465 1190645 1190712 1190739 1190793 1190815 1190858 1190915 1190933 1191987 CVE-2021-33574 CVE-2021-35942 CVE-2021-37600 CVE-2021-39537
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2020:3026-1
Released:    Fri Oct 23 15:35:49 2020
Summary:     Optional update for the Public Cloud Module
Type:        optional
Severity:    moderate
References:

This update adds the Google Cloud Storage packages to the Public Cloud module (jsc#ECO-2398).
The following packages were included:

- python3-grpcio
- python3-protobuf
- python3-google-api-core
- python3-google-cloud-core
- python3-google-cloud-storage
- python3-google-resumable-media
- python3-googleapis-common-protos
- python3-grpcio-gcp
- python3-mock (updated to version 3.0.5)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:294-1
Released:    Wed Feb 3 12:54:28 2021
Summary:     Recommended update for libprotobuf
Type:        recommended
Severity:    moderate
References:

libprotobuf was updated to fix:

- ship the libprotobuf-lite15 on the basesystem module and the INSTALLER channel. (jsc#ECO-2911)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:656-1
Released:    Mon Mar 1 09:34:21 2021
Summary:     Recommended update for protobuf
Type:        recommended
Severity:    moderate
References:  1177127

This update for protobuf fixes the following issues:

- Add missing dependency of python subpackages on python-six. (bsc#1177127)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3013-1
Released:    Thu Sep 9 16:55:40 2021
Summary:     Recommended update for patterns-base, patterns-server-enterprise, sles15-image
Type:        recommended
Severity:    moderate
References:  1183154,1189550

This update for patterns-base, patterns-server-enterprise, sles15-image fixes the following issues:

- Add pattern to install necessary packages for FIPS (bsc#1183154)
- Add patterns-base-fips to work also in FIPS environments (bsc#1183154)
- Use the same icon in the fips pattern as the previous pattern had (bsc#1189550)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3274-1
Released:    Fri Oct 1 10:34:17 2021
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    important
References:  1190858

This update for ca-certificates-mozilla fixes the following issues:

- remove one of the Let's Encrypt CAs, DST_Root_CA_X3.pem, as it expires on September 30th 2021 and openssl certificate chain handling does not handle this correctly in openssl 1.0.2 and older. (bsc#1190858)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3291-1
Released:    Wed Oct 6 16:45:36 2021
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1186489,1187911,CVE-2021-33574,CVE-2021-35942

This update for glibc fixes the following issues:

- CVE-2021-33574: Fixed mq_notify to use __pthread_attr_copy (bsc#1186489).
- CVE-2021-35942: Fixed wordexp to handle overflow in the positional parameter number (bsc#1187911).

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:3327-1
Released:    Mon Oct 11 11:44:50 2021
Summary:     Optional update for coreutils
Type:        optional
Severity:    low
References:  1189454

This optional update for coreutils fixes the following issue:

- Provide coreutils documentation, 'coreutils-doc', with 'L2' support level. (bsc#1189454)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3382-1
Released:    Tue Oct 12 14:30:17 2021
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    moderate
References:

This update for ca-certificates-mozilla fixes the following issues:

- A new sub-package for minimal base containers (jsc#SLE-22162)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3474-1
Released:    Wed Oct 20 08:41:31 2021
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1178236,1188921,CVE-2021-37600

This update for util-linux fixes the following issues:

- CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c. (bsc#1188921)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3480-1
Released:    Wed Oct 20 11:24:10 2021
Summary:     Recommended update for yast2-network
Type:        recommended
Severity:    moderate
References:  1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933

This update for yast2-network fixes the following issues:

- Don't crash when the interfaces table contains an unconfigured one (bnc#1190645, bsc#1190915).
- Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
- Consider aliases sections as case insensitive (bsc#1190739).
- Display user defined device name in the devices overview (bnc#1190645).
- Don't crash when aliases defined in an AutoYaST profile are not defined as a map (bsc#1188344).
- Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
- Fix desktop file so the control center tooltip is translated (bsc#1187270).
- Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
- Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3490-1
Released:    Wed Oct 20 16:31:55 2021
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1190793,CVE-2021-39537

This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed a heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3494-1
Released:    Wed Oct 20 16:48:46 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1190052

This update for pam fixes the following issues:

- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3501-1
Released:    Fri Oct 22 10:42:46 2021
Summary:     Recommended update for libzypp, zypper, libsolv, protobuf
Type:        recommended
Severity:    moderate
References:  1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190465,1190712,1190815

This update for libzypp, zypper, libsolv and protobuf fixes the following issues:

- Choice rules: treat orphaned packages as newest (bsc#1190465)
- Avoid calling 'su' to detect a too restrictive sudo user umask (bsc#1186602)
- Do not check signatures and keys twice (redundant) (bsc#1190059)
- Rephrase vendor conflict message in case 2 packages are involved (bsc#1187760)
- Show key fpr from signature when signature check fails (bsc#1187224)
- Fix solver jobs for PTFs (bsc#1186503)
- Fix purge-kernels failures (bsc#1187738)
- Fix obs:// platform guessing for Leap (bsc#1187425)
- Make sure to keep states alive while transitioning. (bsc#1190199)
- Manpage: Improve description about patch updates (bsc#1187466)
- Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
- Fix crashes in logging code when shutting down (bsc#1189031)
- Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
- Add need reboot/restart hint to XML install summary (bsc#1188435)
- Prompt: choose exact match if prompt options are not prefix free (bsc#1188156)
- Include libprotobuf-lite20 in products to enable parallel downloads. (jsc#ECO-2911, jsc#SLE-16862)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3510-1
Released:    Tue Oct 26 11:22:15 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    important
References:  1191987

This update for pam fixes the following issues:

- Fixed a bad directive file which resulted in the 'securetty' file being installed as 'macros.pam'. (bsc#1191987)

The following package changes have been done:

- bash-4.4-23.16 updated
- ca-certificates-mozilla-2.44-21.1 updated
- coreutils-8.32-3.2.1 updated
- glibc-2.31-9.3.2 updated
- krb5-1.19.2-1.1 updated
- libaugeas0-1.10.1-3.3.1 updated
- libblkid1-2.36.2-4.5.1 updated
- libbrotlicommon1-1.0.7-1.59 added
- libbrotlidec1-1.0.7-1.59 added
- libbz2-1-1.0.8-1.10 updated
- libcurl4-7.79.1-1.2 updated
- libdw1-0.185-2.10 updated
- libelf1-0.185-2.10 updated
- libfdisk1-2.36.2-4.5.1 updated
- libgcrypt20-hmac-1.9.4-1.25 added
- libgcrypt20-1.9.4-1.25 updated
- libglib-2_0-0-2.68.3-1.2 updated
- libgpg-error0-1.42-1.20 updated
- libgpgme11-1.16.0-1.7 updated
- libkeyutils1-1.6.3-1.26 updated
- liblz4-1-1.9.3-1.1 updated
- libmount1-2.36.2-4.5.1 updated
- libncurses6-6.1-5.9.1 updated
- libopenssl1_1-hmac-1.1.1l-1.15 added
- libopenssl1_1-1.1.1l-1.15 updated
- libp11-kit0-0.23.22-1.2 updated
- libprotobuf-lite20-3.9.2-4.9.1 added
- libreadline7-7.0-23.16 updated
- libsmartcols1-2.36.2-4.5.1 updated
- libsolv-tools-0.7.20-1.2 updated
- libsystemd0-249.4-1.1 updated
- libudev1-249.4-1.1 updated
- libuuid1-2.36.2-4.5.1 updated
- libxml2-2-2.9.12-1.1 updated
- libyaml-cpp0_6-0.6.3-1.1 updated
- libzstd1-1.4.9-1.4 updated
- libzypp-17.28.5-1.2 updated
- ncurses-utils-6.1-5.9.1 updated
- openssl-1_1-1.1.1l-1.15 updated
- p11-kit-tools-0.23.22-1.2 updated
- p11-kit-0.23.22-1.2 updated
- pam-1.3.0-6.50.1 updated
- patterns-base-fips-20200124-10.5.1 added
- rpm-config-SUSE-1-9.13 updated
- rpm-ndb-4.14.3-41.2 updated
- sles-release-15.4-19.1 updated
- system-group-hardware-20170617-20.18 updated
- terminfo-base-6.1-5.9.1 updated
- util-linux-2.36.2-4.5.1 updated
- zypper-1.14.49-1.1 updated


From sle-security-updates at lists.suse.com Fri Oct 29 19:17:41 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 29 Oct 2021 21:17:41 +0200 (CEST)
Subject: SUSE-SU-2021:14835-1: important: Security update for opensc
Message-ID: <20211029191742.00607FBBB@maintenance.suse.de>

SUSE Security Update: Security update for opensc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14835-1
Rating:             important
References:         #1191957 #1192005
Cross-References:   CVE-2021-42780 CVE-2021-42782
CVSS scores:
                    CVE-2021-42780 (SUSE): 2 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2021-42782 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for opensc fixes the following issues:

- CVE-2021-42780: Fixed use after return in insert_pin() (bsc#1192005).
- CVE-2021-42782: Stack buffer overflow issues in various places (bsc#1191957).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
    zypper in -t patch slessp4-opensc-14835=1

- SUSE Linux Enterprise Point of Sale 11-SP3:
    zypper in -t patch sleposp3-opensc-14835=1

- SUSE Linux Enterprise Debuginfo 11-SP4:
    zypper in -t patch dbgsp4-opensc-14835=1

- SUSE Linux Enterprise Debuginfo 11-SP3:
    zypper in -t patch dbgsp3-opensc-14835=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
    libopensc2-0.11.6-5.27.14.1
    opensc-0.11.6-5.27.14.1

- SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64):
    libopensc2-32bit-0.11.6-5.27.14.1
    opensc-32bit-0.11.6-5.27.14.1

- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
    libopensc2-0.11.6-5.27.14.1
    opensc-0.11.6-5.27.14.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
    opensc-debuginfo-0.11.6-5.27.14.1
    opensc-debugsource-0.11.6-5.27.14.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):
    opensc-debuginfo-32bit-0.11.6-5.27.14.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
    opensc-debuginfo-0.11.6-5.27.14.1
    opensc-debugsource-0.11.6-5.27.14.1

- SUSE Linux Enterprise Debuginfo 11-SP3 (s390x x86_64):
    opensc-debuginfo-32bit-0.11.6-5.27.14.1

References:

https://www.suse.com/security/cve/CVE-2021-42780.html
https://www.suse.com/security/cve/CVE-2021-42782.html
https://bugzilla.suse.com/1191957
https://bugzilla.suse.com/1192005


From sle-security-updates at lists.suse.com Fri Oct 29 19:22:36 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 29 Oct 2021 21:22:36 +0200 (CEST)
Subject: SUSE-SU-2021:3584-1: important: Security update for transfig
Message-ID: <20211029192236.0D6A1FBBB@maintenance.suse.de>

SUSE Security Update: Security update for transfig
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3584-1
Rating:             important
References:         #1189325 #1189343 #1189345 #1189346
                    #1190607 #1190611 #1190612 #1190615 #1190616 #1190617 #1190618 #1192019
Cross-References:   CVE-2020-21529 CVE-2020-21530 CVE-2020-21531 CVE-2020-21532 CVE-2020-21533 CVE-2020-21534 CVE-2020-21535 CVE-2020-21680 CVE-2020-21681 CVE-2020-21682 CVE-2020-21683 CVE-2021-32280
CVSS scores:
                    CVE-2020-21529 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2020-21530 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2020-21531 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2020-21532 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2020-21533 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2020-21534 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2020-21535 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2020-21680 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-21681 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-21682 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-21683 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-32280 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP3
                    SUSE Linux Enterprise Workstation Extension 15-SP2
______________________________________________________________________________

An update that fixes 12 vulnerabilities is now available.

Description:

This update for transfig fixes the following issues:

Update to fig2dev version 3.2.8 Patchlevel 8b (Aug 2021)

- bsc#1190618, CVE-2020-21529: stack buffer overflow in the bezier_spline function in genepic.c.
- bsc#1190615, CVE-2020-21530: segmentation fault in the read_objects function in read.c.
- bsc#1190617, CVE-2020-21531: global buffer overflow in the conv_pattern_index function in gencgm.c.
- bsc#1190616, CVE-2020-21532: global buffer overflow in the setfigfont function in genepic.c.
- bsc#1190612, CVE-2020-21533: stack buffer overflow in the read_textobject function in read.c.
- bsc#1190611, CVE-2020-21534: global buffer overflow in the get_line function in read.c.
- bsc#1190607, CVE-2020-21535: segmentation fault in the gencgm_start function in gencgm.c.
- bsc#1192019, CVE-2021-32280: NULL pointer dereference in compute_closed_spline() in trans_spline.c

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 15-SP3:
    zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2021-3584=1

- SUSE Linux Enterprise Workstation Extension 15-SP2:
    zypper in -t patch SUSE-SLE-Product-WE-15-SP2-2021-3584=1

Package List:

- SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64):
    transfig-3.2.8b-4.15.1
    transfig-debuginfo-3.2.8b-4.15.1
    transfig-debugsource-3.2.8b-4.15.1

- SUSE Linux Enterprise Workstation Extension 15-SP2 (x86_64):
    transfig-3.2.8b-4.15.1
    transfig-debuginfo-3.2.8b-4.15.1
    transfig-debugsource-3.2.8b-4.15.1

References:

https://www.suse.com/security/cve/CVE-2020-21529.html
https://www.suse.com/security/cve/CVE-2020-21530.html
https://www.suse.com/security/cve/CVE-2020-21531.html
https://www.suse.com/security/cve/CVE-2020-21532.html
https://www.suse.com/security/cve/CVE-2020-21533.html
https://www.suse.com/security/cve/CVE-2020-21534.html
https://www.suse.com/security/cve/CVE-2020-21535.html
https://www.suse.com/security/cve/CVE-2020-21680.html
https://www.suse.com/security/cve/CVE-2020-21681.html
https://www.suse.com/security/cve/CVE-2020-21682.html
https://www.suse.com/security/cve/CVE-2020-21683.html
https://www.suse.com/security/cve/CVE-2021-32280.html
https://bugzilla.suse.com/1189325
https://bugzilla.suse.com/1189343
https://bugzilla.suse.com/1189345
https://bugzilla.suse.com/1189346
https://bugzilla.suse.com/1190607
https://bugzilla.suse.com/1190611
https://bugzilla.suse.com/1190612
https://bugzilla.suse.com/1190615
https://bugzilla.suse.com/1190616
https://bugzilla.suse.com/1190617
https://bugzilla.suse.com/1190618
https://bugzilla.suse.com/1192019


From sle-security-updates at lists.suse.com Fri Oct 29 19:27:10 2021
From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com)
Date: Fri, 29 Oct 2021 21:27:10 +0200 (CEST)
Subject: SUSE-SU-2021:3582-1: important: Security update for opensc
Message-ID: <20211029192710.3F9C3FBBB@maintenance.suse.de>

SUSE Security Update: Security update for opensc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:3582-1
Rating:             important
References:         #1191957 #1191992 #1192000 #1192005
Cross-References:   CVE-2021-42779 CVE-2021-42780 CVE-2021-42781 CVE-2021-42782
CVSS scores:
                    CVE-2021-42779 (SUSE): 4.2 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-42780 (SUSE): 2 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2021-42781 (SUSE): 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
                    CVE-2021-42782 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for opensc fixes the following issues:

- CVE-2021-42780: Fixed use after return in insert_pin() (bsc#1192005).
- CVE-2021-42779: Fixed use after free in sc_file_valid() (bsc#1191992).
- CVE-2021-42781: Fixed multiple heap buffer overflows in pkcs15-oberthur.c (bsc#1192000).
- CVE-2021-42782: Stack buffer overflow issues in various places (bsc#1191957).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-3582=1

- SUSE OpenStack Cloud Crowbar 8:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-3582=1

- SUSE OpenStack Cloud 9:
    zypper in -t patch SUSE-OpenStack-Cloud-9-2021-3582=1

- SUSE OpenStack Cloud 8:
    zypper in -t patch SUSE-OpenStack-Cloud-8-2021-3582=1

- SUSE Linux Enterprise Server for SAP 12-SP4:
    zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-3582=1

- SUSE Linux Enterprise Server for SAP 12-SP3:
    zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-3582=1

- SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3582=1

- SUSE Linux Enterprise Server 12-SP4-LTSS:
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-3582=1

- SUSE Linux Enterprise Server 12-SP3-LTSS:
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-3582=1

- SUSE Linux Enterprise Server 12-SP3-BCL:
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-3582=1

- SUSE Linux Enterprise Server 12-SP2-BCL:
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-3582=1

- HPE Helion Openstack 8:
    zypper in -t patch HPE-Helion-OpenStack-8-2021-3582=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
    opensc-0.13.0-3.19.1
    opensc-debuginfo-0.13.0-3.19.1
    opensc-debugsource-0.13.0-3.19.1

- SUSE OpenStack Cloud Crowbar 8 (x86_64):
    opensc-0.13.0-3.19.1
    opensc-debuginfo-0.13.0-3.19.1
    opensc-debugsource-0.13.0-3.19.1

- SUSE OpenStack Cloud 9 (x86_64):
    opensc-0.13.0-3.19.1
    opensc-debuginfo-0.13.0-3.19.1
    opensc-debugsource-0.13.0-3.19.1

- SUSE OpenStack Cloud 8 (x86_64):
    opensc-0.13.0-3.19.1
    opensc-debuginfo-0.13.0-3.19.1
opensc-debugsource-0.13.0-3.19.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): opensc-0.13.0-3.19.1 opensc-debuginfo-0.13.0-3.19.1 opensc-debugsource-0.13.0-3.19.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): opensc-0.13.0-3.19.1 opensc-debuginfo-0.13.0-3.19.1 opensc-debugsource-0.13.0-3.19.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): opensc-0.13.0-3.19.1 opensc-debuginfo-0.13.0-3.19.1 opensc-debugsource-0.13.0-3.19.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): opensc-0.13.0-3.19.1 opensc-debuginfo-0.13.0-3.19.1 opensc-debugsource-0.13.0-3.19.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): opensc-0.13.0-3.19.1 opensc-debuginfo-0.13.0-3.19.1 opensc-debugsource-0.13.0-3.19.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): opensc-0.13.0-3.19.1 opensc-debuginfo-0.13.0-3.19.1 opensc-debugsource-0.13.0-3.19.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): opensc-0.13.0-3.19.1 opensc-debuginfo-0.13.0-3.19.1 opensc-debugsource-0.13.0-3.19.1 - HPE Helion Openstack 8 (x86_64): opensc-0.13.0-3.19.1 opensc-debuginfo-0.13.0-3.19.1 opensc-debugsource-0.13.0-3.19.1 References: https://www.suse.com/security/cve/CVE-2021-42779.html https://www.suse.com/security/cve/CVE-2021-42780.html https://www.suse.com/security/cve/CVE-2021-42781.html https://www.suse.com/security/cve/CVE-2021-42782.html https://bugzilla.suse.com/1191957 https://bugzilla.suse.com/1191992 https://bugzilla.suse.com/1192000 https://bugzilla.suse.com/1192005 From sle-security-updates at lists.suse.com Fri Oct 29 19:29:58 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 29 Oct 2021 21:29:58 +0200 (CEST) Subject: SUSE-SU-2021:3586-1: moderate: Security update for libvirt Message-ID: <20211029192958.CA557FBBB@maintenance.suse.de> SUSE Security Update: Security update for libvirt 
______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3586-1 Rating: moderate References: #1177902 #1186398 #1188232 #1188843 #1190420 #1190693 #1190695 Cross-References: CVE-2021-3667 CVSS scores: CVE-2021-3667 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Module for Server Applications 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that solves one vulnerability and has 6 fixes is now available. Description: This update for libvirt fixes the following issues: - CVE-2021-3667: Fixed a DoS vulnerability in the libvirt virStoragePoolLookupByTargetPath API. (bsc#1188843) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3586=1 - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2021-3586=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3586=1 Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): libvirt-daemon-6.0.0-13.21.1 libvirt-daemon-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-interface-6.0.0-13.21.1 libvirt-daemon-driver-interface-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-network-6.0.0-13.21.1 libvirt-daemon-driver-network-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-nodedev-6.0.0-13.21.1 libvirt-daemon-driver-nodedev-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-nwfilter-6.0.0-13.21.1 libvirt-daemon-driver-nwfilter-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-qemu-6.0.0-13.21.1 libvirt-daemon-driver-qemu-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-secret-6.0.0-13.21.1 
libvirt-daemon-driver-secret-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-storage-6.0.0-13.21.1 libvirt-daemon-driver-storage-core-6.0.0-13.21.1 libvirt-daemon-driver-storage-core-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-storage-disk-6.0.0-13.21.1 libvirt-daemon-driver-storage-disk-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-storage-iscsi-6.0.0-13.21.1 libvirt-daemon-driver-storage-iscsi-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-storage-logical-6.0.0-13.21.1 libvirt-daemon-driver-storage-logical-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-storage-mpath-6.0.0-13.21.1 libvirt-daemon-driver-storage-mpath-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-storage-rbd-6.0.0-13.21.1 libvirt-daemon-driver-storage-rbd-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-storage-scsi-6.0.0-13.21.1 libvirt-daemon-driver-storage-scsi-debuginfo-6.0.0-13.21.1 libvirt-daemon-qemu-6.0.0-13.21.1 libvirt-debugsource-6.0.0-13.21.1 libvirt-libs-6.0.0-13.21.1 libvirt-libs-debuginfo-6.0.0-13.21.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): libvirt-6.0.0-13.21.1 libvirt-admin-6.0.0-13.21.1 libvirt-admin-debuginfo-6.0.0-13.21.1 libvirt-client-6.0.0-13.21.1 libvirt-client-debuginfo-6.0.0-13.21.1 libvirt-daemon-6.0.0-13.21.1 libvirt-daemon-config-network-6.0.0-13.21.1 libvirt-daemon-config-nwfilter-6.0.0-13.21.1 libvirt-daemon-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-interface-6.0.0-13.21.1 libvirt-daemon-driver-interface-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-lxc-6.0.0-13.21.1 libvirt-daemon-driver-lxc-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-network-6.0.0-13.21.1 libvirt-daemon-driver-network-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-nodedev-6.0.0-13.21.1 libvirt-daemon-driver-nodedev-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-nwfilter-6.0.0-13.21.1 libvirt-daemon-driver-nwfilter-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-qemu-6.0.0-13.21.1 libvirt-daemon-driver-qemu-debuginfo-6.0.0-13.21.1 
libvirt-daemon-driver-secret-6.0.0-13.21.1 libvirt-daemon-driver-secret-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-storage-6.0.0-13.21.1 libvirt-daemon-driver-storage-core-6.0.0-13.21.1 libvirt-daemon-driver-storage-core-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-storage-disk-6.0.0-13.21.1 libvirt-daemon-driver-storage-disk-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-storage-iscsi-6.0.0-13.21.1 libvirt-daemon-driver-storage-iscsi-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-storage-logical-6.0.0-13.21.1 libvirt-daemon-driver-storage-logical-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-storage-mpath-6.0.0-13.21.1 libvirt-daemon-driver-storage-mpath-debuginfo-6.0.0-13.21.1 libvirt-daemon-driver-storage-scsi-6.0.0-13.21.1 libvirt-daemon-driver-storage-scsi-debuginfo-6.0.0-13.21.1 libvirt-daemon-hooks-6.0.0-13.21.1 libvirt-daemon-lxc-6.0.0-13.21.1 libvirt-daemon-qemu-6.0.0-13.21.1 libvirt-debugsource-6.0.0-13.21.1 libvirt-devel-6.0.0-13.21.1 libvirt-lock-sanlock-6.0.0-13.21.1 libvirt-lock-sanlock-debuginfo-6.0.0-13.21.1 libvirt-nss-6.0.0-13.21.1 libvirt-nss-debuginfo-6.0.0-13.21.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 x86_64): libvirt-daemon-driver-storage-rbd-6.0.0-13.21.1 libvirt-daemon-driver-storage-rbd-debuginfo-6.0.0-13.21.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (noarch): libvirt-bash-completion-6.0.0-13.21.1 libvirt-doc-6.0.0-13.21.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (x86_64): libvirt-daemon-driver-libxl-6.0.0-13.21.1 libvirt-daemon-driver-libxl-debuginfo-6.0.0-13.21.1 libvirt-daemon-xen-6.0.0-13.21.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libvirt-debugsource-6.0.0-13.21.1 libvirt-libs-6.0.0-13.21.1 libvirt-libs-debuginfo-6.0.0-13.21.1 References: https://www.suse.com/security/cve/CVE-2021-3667.html https://bugzilla.suse.com/1177902 https://bugzilla.suse.com/1186398 https://bugzilla.suse.com/1188232 
https://bugzilla.suse.com/1188843 https://bugzilla.suse.com/1190420 https://bugzilla.suse.com/1190693 https://bugzilla.suse.com/1190695 From sle-security-updates at lists.suse.com Fri Oct 29 19:32:01 2021 From: sle-security-updates at lists.suse.com (sle-security-updates at lists.suse.com) Date: Fri, 29 Oct 2021 21:32:01 +0200 (CEST) Subject: SUSE-SU-2021:3585-1: important: Security update for transfig Message-ID: <20211029193201.D2AFFFBBB@maintenance.suse.de> SUSE Security Update: Security update for transfig ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3585-1 Rating: important References: #1190607 #1190611 #1190612 #1190615 #1190616 #1190617 #1190618 #1192019 Cross-References: CVE-2020-21529 CVE-2020-21530 CVE-2020-21531 CVE-2020-21532 CVE-2020-21533 CVE-2020-21534 CVE-2020-21535 CVE-2021-32280 CVSS scores: CVE-2020-21529 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-21530 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-21531 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2020-21532 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-21533 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-21534 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-21535 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-32280 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-BCL HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 8 
vulnerabilities is now available. Description: This update for transfig fixes the following issues: Update to fig2dev version 3.2.8 Patchlevel 8b (Aug 2021) - bsc#1190618, CVE-2020-21529: stack buffer overflow in the bezier_spline function in genepic.c. - bsc#1190615, CVE-2020-21530: segmentation fault in the read_objects function in read.c. - bsc#1190617, CVE-2020-21531: global buffer overflow in the conv_pattern_index function in gencgm.c. - bsc#1190616, CVE-2020-21532: global buffer overflow in the setfigfont function in genepic.c. - bsc#1190612, CVE-2020-21533: stack buffer overflow in the read_textobject function in read.c. - bsc#1190611, CVE-2020-21534: global buffer overflow in the get_line function in read.c. - bsc#1190607, CVE-2020-21535: segmentation fault in the gencgm_start function in gencgm.c. - bsc#1192019, CVE-2021-32280: NULL pointer dereference in compute_closed_spline() in trans_spline.c Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-3585=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-3585=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2021-3585=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-3585=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-3585=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-3585=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3585=1 - SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-3585=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-3585=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-3585=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-3585=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-3585=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): transfig-3.2.8b-2.20.1 transfig-debuginfo-3.2.8b-2.20.1 transfig-debugsource-3.2.8b-2.20.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): transfig-3.2.8b-2.20.1 transfig-debuginfo-3.2.8b-2.20.1 transfig-debugsource-3.2.8b-2.20.1 - SUSE OpenStack Cloud 9 (x86_64): transfig-3.2.8b-2.20.1 transfig-debuginfo-3.2.8b-2.20.1 transfig-debugsource-3.2.8b-2.20.1 - SUSE OpenStack Cloud 8 (x86_64): transfig-3.2.8b-2.20.1 transfig-debuginfo-3.2.8b-2.20.1 transfig-debugsource-3.2.8b-2.20.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): transfig-3.2.8b-2.20.1 transfig-debuginfo-3.2.8b-2.20.1 transfig-debugsource-3.2.8b-2.20.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): transfig-3.2.8b-2.20.1 transfig-debuginfo-3.2.8b-2.20.1 
transfig-debugsource-3.2.8b-2.20.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): transfig-3.2.8b-2.20.1 transfig-debuginfo-3.2.8b-2.20.1 transfig-debugsource-3.2.8b-2.20.1 - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): transfig-3.2.8b-2.20.1 transfig-debuginfo-3.2.8b-2.20.1 transfig-debugsource-3.2.8b-2.20.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): transfig-3.2.8b-2.20.1 transfig-debuginfo-3.2.8b-2.20.1 transfig-debugsource-3.2.8b-2.20.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): transfig-3.2.8b-2.20.1 transfig-debuginfo-3.2.8b-2.20.1 transfig-debugsource-3.2.8b-2.20.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): transfig-3.2.8b-2.20.1 transfig-debuginfo-3.2.8b-2.20.1 transfig-debugsource-3.2.8b-2.20.1 - HPE Helion Openstack 8 (x86_64): transfig-3.2.8b-2.20.1 transfig-debuginfo-3.2.8b-2.20.1 transfig-debugsource-3.2.8b-2.20.1 References: https://www.suse.com/security/cve/CVE-2020-21529.html https://www.suse.com/security/cve/CVE-2020-21530.html https://www.suse.com/security/cve/CVE-2020-21531.html https://www.suse.com/security/cve/CVE-2020-21532.html https://www.suse.com/security/cve/CVE-2020-21533.html https://www.suse.com/security/cve/CVE-2020-21534.html https://www.suse.com/security/cve/CVE-2020-21535.html https://www.suse.com/security/cve/CVE-2021-32280.html https://bugzilla.suse.com/1190607 https://bugzilla.suse.com/1190611 https://bugzilla.suse.com/1190612 https://bugzilla.suse.com/1190615 https://bugzilla.suse.com/1190616 https://bugzilla.suse.com/1190617 https://bugzilla.suse.com/1190618 https://bugzilla.suse.com/1192019