SUSE-IU-2021:727-1: Security update of suse-sles-15-sp3-chost-byos-v20210927-gen2

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Thu Sep 30 06:14:42 UTC 2021


SUSE Image Update Advisory: suse-sles-15-sp3-chost-byos-v20210927-gen2
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2021:727-1
Image Tags        : suse-sles-15-sp3-chost-byos-v20210927-gen2:20210927
Image Release     : 
Severity          : critical
Type              : security
References        : 1027519 1027519 1029961 1040364 1085917 1127650 1135481 1152489
                        1153806 1160010 1160462 1168202 1171420 1174697 1174969 1175052
                        1175543 1176189 1176206 1176934 1177399 1179246 1179382 1180100
                        1180141 1180347 1181006 1181148 1181299 1181306 1181309 1181535
                        1181536 1181972 1182830 1183243 1183572 1183574 1183877 1183939
                        1184180 1184614 1184677 1184758 1185611 1185682 1185902 1185930
                        1186264 1186428 1186429 1186433 1186434 1186565 1186731 1186975
                        1186975 1187211 1187338 1187406 1187455 1187468 1187483 1187565
                        1187565 1187619 1187645 1187921 1187937 1187959 1188050 1188067
                        1188172 1188231 1188270 1188412 1188418 1188579 1188616 1188651
                        1188700 1188780 1188781 1188782 1188783 1188784 1188786 1188787
                        1188788 1188790 1188878 1188885 1188891 1188924 1188982 1188983
                        1188985 1189021 1189057 1189077 1189097 1189153 1189197 1189209
                        1189210 1189212 1189213 1189214 1189215 1189216 1189217 1189218
                        1189219 1189220 1189221 1189222 1189225 1189229 1189233 1189262
                        1189291 1189292 1189296 1189298 1189301 1189305 1189323 1189373
                        1189376 1189378 1189380 1189381 1189384 1189385 1189392 1189393
                        1189399 1189400 1189427 1189503 1189504 1189505 1189506 1189507
                        1189521 1189537 1189552 1189562 1189563 1189564 1189565 1189566
                        1189567 1189568 1189569 1189573 1189574 1189575 1189576 1189577
                        1189579 1189581 1189582 1189583 1189585 1189586 1189587 1189632
                        1189659 1189683 1189706 1189743 1189760 1189762 1189832 1189841
                        1189870 1189872 1189875 1189882 1189883 1189996 1190022 1190025
                        1190115 1190117 1190190 1190225 1190412 1190413 1190428 CVE-2019-19977
                        CVE-2020-12400 CVE-2020-12401 CVE-2020-12403 CVE-2020-12770 CVE-2020-25648
                        CVE-2020-27840 CVE-2020-6829 CVE-2021-0089 CVE-2021-20254 CVE-2021-20277
                        CVE-2021-28690 CVE-2021-28692 CVE-2021-28693 CVE-2021-28694 CVE-2021-28695
                        CVE-2021-28696 CVE-2021-28697 CVE-2021-28698 CVE-2021-28699 CVE-2021-28700
                        CVE-2021-28701 CVE-2021-34556 CVE-2021-35477 CVE-2021-3640 CVE-2021-3653
                        CVE-2021-3656 CVE-2021-3679 CVE-2021-3712 CVE-2021-3732 CVE-2021-3739
                        CVE-2021-3743 CVE-2021-3753 CVE-2021-3759 CVE-2021-38160 CVE-2021-38166
                        CVE-2021-38198 CVE-2021-38204 CVE-2021-38205 CVE-2021-38206 CVE-2021-38207
                        CVE-2021-38209 
-----------------------------------------------------------------

The container suse-sles-15-sp3-chost-byos-v20210927-gen2 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2886-1
Released:    Tue Aug 31 13:21:20 2021
Summary:     Recommended update for bind
Type:        recommended
Severity:    moderate
References:  1187921
This update for bind fixes the following issues:

- tsig-keygen is now used to generate DDNS keys (bsc#1187921)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2887-1
Released:    Tue Aug 31 13:31:19 2021
Summary:     Recommended update for cloud-init
Type:        recommended
Severity:    moderate
References:  1183939,1184758
This update for cloud-init contains the following:

- Change log file creation mode to 640. (bsc#1183939)
- Do not write the generated password to the log file. (bsc#1184758)
- Allow purging cache when Python when version change detected.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2898-1
Released:    Wed Sep  1 08:30:33 2021
Summary:     Recommended update for grub2
Type:        recommended
Severity:    moderate
References:  1186975,1187565,1187645
This update for grub2 fixes the following issues:

- Fix error not a btrfs filesystem on s390x (bsc#1187645)
- Fix error gfxterm isn't found with multiple terminals (bsc#1187565)
- Fix boot failure after kdump due to the content of grub.cfg is not completed with pending modificaton in xfs journal (bsc#1186975)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2923-1
Released:    Thu Sep  2 10:11:32 2021
Summary:     Security update for xen
Type:        security
Severity:    important
References:  1027519,1176189,1179246,1183243,1183877,1185682,1186428,1186429,1186433,1186434,1187406,1188050,1189373,1189376,1189378,1189380,1189381,1189882,CVE-2021-0089,CVE-2021-28690,CVE-2021-28692,CVE-2021-28693,CVE-2021-28694,CVE-2021-28695,CVE-2021-28696,CVE-2021-28697,CVE-2021-28698,CVE-2021-28699,CVE-2021-28700
This update for xen fixes the following issues:

Update to Xen 4.13.3 general bug fix release (bsc#1027519).

Security issues fixed:

- CVE-2021-28693: xen/arm: Boot modules are not scrubbed (bsc#1186428)
- CVE-2021-28692: xen: inappropriate x86 IOMMU timeout detection / handling (bsc#1186429)
- CVE-2021-0089: xen: Speculative Code Store Bypass (bsc#1186433)
- CVE-2021-28690: xen: x86: TSX Async Abort protections not restored after S3 (bsc#1186434)
- CVE-2021-28694,CVE-2021-28695,CVE-2021-28696: IOMMU page mapping issues on x86 (XSA-378)(bsc#1189373).
- CVE-2021-28697: grant table v2 status pages may remain accessible after de-allocation (XSA-379)(bsc#1189376).
- CVE-2021-28698: long running loops in grant table handling (XSA-380)(bsc#1189378).
- CVE-2021-28699: inadequate grant-v2 status frames array bounds check (XSA-382)(bsc#1189380).
- CVE-2021-28700: No memory limit for dom0less domUs (XSA-383)(bsc#1189381).

Other issues fixed:

- Fixed 'Panic on CPU 0: IO-APIC + timer doesn't work!' (bsc#1180491)
- Fixed an issue with xencommons, where file format expecations by fillup did not allign (bsc#1185682)
- Fixed shell macro expansion in the spec file, so that ExecStart=
  in xendomains-wait-disks.service is created correctly (bsc#1183877)
- Upstream bug fixes (bsc#1027519)
- Fixed Xen SLES11SP4 guest hangs on cluster (bsc#1188050).
- xl monitoring process exits during xl save -p|-c keep the monitoring process running to cleanup the domU during shutdown (bsc#1176189).
- Dom0 hangs when pinning CPUs for dom0 with HVM guest (bsc#1179246).
- Some long deprecated commands were finally removed in qemu6. Adjust libxl to use supported commands (bsc#1183243).
- Update logrotate.conf, move global options into per-file sections to prevent globbering of global state (bsc#1187406).
- Prevent superpage allocation in the LAPIC and ACPI_INFO range (bsc#1189882).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2937-1
Released:    Fri Sep  3 09:18:45 2021
Summary:     Security update for libesmtp
Type:        security
Severity:    important
References:  1160462,1189097,CVE-2019-19977
This update for libesmtp fixes the following issues:

- CVE-2019-19977: Fixed stack-based buffer over-read in ntlm/ntlmstruct.c (bsc#1160462).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2938-1
Released:    Fri Sep  3 09:19:36 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1184614

This update for openldap2 fixes the following issue:

- openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2945-1
Released:    Fri Sep  3 09:34:53 2021
Summary:     Recommended update for open-iscsi
Type:        recommended
Severity:    moderate
References:  1153806,1185930,1188579
This update for open-iscsi fixes the following issues:

- Update 'iscsi.service' so that it tries to logon to any 'onboot' and firmware targets, in case a target was offline when booted but back up when the service is started. (bsc#1153806)
- Merged with latest from upstream, which contains these fixes:
  * Add 'no wait' option to iscsiadm firmware login
  * Check for ISCSI_ERR_ISCSID_NOTCONN in iscsistart
  * Log proper error message when AUTH failure occurs
  * Support the 'qede' CMA-card driver. (bsc#1188579)
  * iscsistart: fix null pointer deref before exit
  * Set default 'startup' to 'onboot' for FW nodes. (bsc#1185930)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2950-1
Released:    Fri Sep  3 11:59:19 2021
Summary:     Recommended update for pcre2
Type:        recommended
Severity:    moderate
References:  1187937
This update for pcre2 fixes the following issue:

- Equalizes the result of a function that may have different output on s390x if compared to older (bsc#1187937)
PHP versions.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2962-1
Released:    Mon Sep  6 18:23:01 2021
Summary:     Recommended update for runc
Type:        recommended
Severity:    critical
References:  1189743
This update for runc fixes the following issues:

- Fixed an issue when toolbox container fails to start. (bsc#1189743)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2966-1
Released:    Tue Sep  7 09:49:14 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    low
References:  1189521,CVE-2021-3712
This update for openssl-1_1 fixes the following issues:

- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. 
  Read buffer overruns processing ASN.1 strings (bsc#1189521).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2997-1
Released:    Thu Sep  9 14:37:34 2021
Summary:     Recommended update for python3
Type:        recommended
Severity:    moderate
References:  1187338,1189659
This update for python3 fixes the following issues:

- Fixed an issue when the missing 'stropts.h' causing build errors for different python modules. (bsc#1187338)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3001-1
Released:    Thu Sep  9 15:08:13 2021
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1189683
This update for netcfg fixes the following issues:

- add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3022-1
Released:    Mon Sep 13 10:48:16 2021
Summary:     Recommended update for c-ares
Type:        recommended
Severity:    important
References:  1190225
This update for c-ares fixes the following issue:

- Allow '_' as part of DNS response. (bsc#1190225)
  - 'c-ares' 1.17.2 introduced response validation to prevent a security issue, however it was not listing '_' as a 
    valid character for domain name responses which caused issues when a 'CNAME' referenced a 'SRV' record which 
    contained underscores.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3115-1
Released:    Thu Sep 16 14:04:26 2021
Summary:     Recommended update for mozilla-nspr, mozilla-nss
Type:        recommended
Severity:    moderate
References:  1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829
This update for mozilla-nspr fixes the following issues:

mozilla-nspr was updated to version 4.32:

* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer
  size for DNS queries 
* Lock access to PRCallOnceType members in PR_CallOnce* for
  thread safety bmo#1686138
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
  information about the operating system build version.


Mozilla NSS was updated to version 3.68:

* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.

update to NSS 3.67

* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.

update to NSS 3.66

* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.

update to NSS 3.65

* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.

update to NSS 3.64

* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and
		disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with
		ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector
		acceleration.

Fixed in 3.63

* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs
		initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
		scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs
		initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
		scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
		profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv
		with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
		of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
		'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
		from NSS.
* bmo#1687822 - Turn off Websites trust bit for the “Staat der
		Nederlanden Root CA - G3” root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce
		Root - 2008' and 'Global Chambersign Root - 2008’.
* bmo#1694291 - Tracing fixes for ECH.

update to NSS 3.62

* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()
		can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07

update to NSS 3.61

* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key
		values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled
		with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.

Update to NSS 3.60.1:

Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support
  has been added, replacing the previous ESNI (draft-ietf-tls-esni-01)
  implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated
  to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769
  for more information.

Update to NSS 3.59.1:

* bmo#1679290 - Fix potential deadlock with certain third-party
		PKCS11 modules

Update to NSS 3.59:

Notable changes:

* Exported two existing functions from libnss:
  CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData

Bugfixes

* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
		root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
		solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
		our CVE-2020-25648 fix that broke purple-discord
		(boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and
		CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming
		ASN.1 decoder that affected decoding certain PKCS8
		private keys when using NSS debug builds
*  bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.

update to NSS 3.58

Bugs fixed:

* bmo#1641480 (CVE-2020-25648)
  Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption
  (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
  (draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
  extensions.
* bmo#1668328 - Handle spaces in the Python path name when using
  gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present)
  to TrustDomain::CheckRevocation instead of the notBefore value.

update to NSS 3.57

* The following CA certificates were Added:
  bmo#1663049 - CN=Trustwave Global Certification Authority
      SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
  bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
      SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
  bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
      SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
  bmo#1651211 - CN=EE Certification Centre Root CA
      SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
  bmo#1656077 - O=Government Root Certification Authority; C=TW
      SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
  bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
      Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes

update to NSS 3.56

Notable changes

* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture
		detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to
		lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection
		fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile
		cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default
		makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop
		commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28

update to NSS 3.55

Notable changes
* P384 and P521 elliptic curve implementations are replaced with
  verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot
  can be queried with a DER-Encoded certificate, providing performance
  and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)

Relevant Bugfixes

* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
  P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
  ChaCha20 (which was not functioning correctly) and more strictly
  enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled
  with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
  for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
  RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the
  signature_algorithms extension.

update to NSS 3.54

Notable changes

* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available
  (bmo#1528113)
* The following CA certificates were Added:
  bmo#1645186 - certSIGN Root CA G2.
  bmo#1645174 - e-Szigno Root CA 2017.
  bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
  bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
  bmo#1645199 - AddTrust Class 1 CA Root.
  bmo#1645199 - AddTrust External CA Root.
  bmo#1641718 - LuxTrust Global Root 2.
  bmo#1639987 - Staat der Nederlanden Root CA - G2.
  bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
  bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
  bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.

* A number of certificates had their Email trust bit disabled.
  See bmo#1618402 for a complete list.

Bugs fixed

* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo1621151 - Disable email trust bit for 'O=Government
	       Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root
		certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust
		bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting
		self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3133-1
Released:    Fri Sep 17 16:37:59 2021
Summary:     Recommended update for grub2, efibootmgr
Type:        recommended
Severity:    moderate
References:  1186565,1186975,1187565
This update for grub2, efibootmgr provides the following fixes:

- Ship package grub2-arm64-efi and the required efibootmgr also to ppc64le, s390x and x86_64 (bsc#1186565)
- Fix error gfxterm isn't found with multiple terminals (bsc#1187565)
- Fix ocasional boot failure after kdump procedure when using XFS (bsc#1186975)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3136-1
Released:    Fri Sep 17 16:59:09 2021
Summary:     Recommended update for SUSEConnect
Type:        recommended
Severity:    moderate
References:  1185611
This update for SUSEConnect fixes the following issues:

- Disallow registering via SUSEConnect if the system is managed by SUSE Manager.
- Add subscription name to output of 'SUSEConnect --status'.
- Send payload of GET requests as part of the url, not in the body. (bsc#1185611)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3140-1
Released:    Sat Sep 18 14:37:16 2021
Summary:     Security update for xen
Type:        security
Severity:    moderate
References:  1027519,1189632,CVE-2021-28701
This update for xen fixes the following issues:

- CVE-2021-28701: Fixed race condition in XENMAPSPACE_grant_table handling (XSA-384) (bsc#1189632).

- Upstream bug fixes (bsc#1027519)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3182-1
Released:    Tue Sep 21 17:04:26 2021
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1189996
This update for file fixes the following issues:

- Fixes exception thrown by memory allocation problem (bsc#1189996)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3187-1
Released:    Wed Sep 22 15:09:23 2021
Summary:     Security update for samba
Type:        security
Severity:    important
References:  1182830,1183572,1183574,1184677,1189875,CVE-2020-27840,CVE-2021-20254,CVE-2021-20277
This update for samba fixes the following issues:

- CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574).
- CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
- CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs (bsc#1183572).

- Spec file fixes around systemd and requires (bsc#1182830)
- Fix dependency problem upgrading from libndr0 to libndr1 (bsc#1189875)
- Fix dependency problem upgrading from libsmbldap0 to libsmbldap2 (bsc#1189875)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3203-1
Released:    Thu Sep 23 14:41:35 2021
Summary:     Recommended update for kmod
Type:        recommended
Severity:    moderate
References:  1189537,1190190
This update for kmod fixes the following issues:

- Use docbook 4 rather than docbook 5 for building man pages (bsc#1190190).
- Enable support for ZSTD compressed modules    
- Display module information even for modules built into the running kernel (bsc#1189537)
- '/usr/lib' should override '/lib' where both are available. Support '/usr/lib' for depmod.d as well.
- Remove test patches included in release 29

- Update to release 29
  * Fix `modinfo -F` not working for built-in modules and certain fields.
  * Fix a memory leak, overflow and double free on error path.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3205-1
Released:    Thu Sep 23 16:15:20 2021
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1040364,1127650,1135481,1152489,1160010,1168202,1171420,1174969,1175052,1175543,1177399,1180100,1180141,1180347,1181006,1181148,1181972,1184180,1185902,1186264,1186731,1187211,1187455,1187468,1187483,1187619,1187959,1188067,1188172,1188231,1188270,1188412,1188418,1188616,1188700,1188780,1188781,1188782,1188783,1188784,1188786,1188787,1188788,1188790,1188878,1188885,1188924,1188982,1188983,1188985,1189021,1189057,1189077,1189153,1189197,1189209,1189210,1189212,1189213,1189214,1189215,1189216,1189217,1189218,1189219,1189220,1189221,1189222,1189225,1189229,1189233,1189262,1189291,1189292,1189296,1189298,1189301,1189305,1189323,1189384,1189385,1189392,1189393,1189399,1189400,1189427,1189503,1189504,1189505,1189506,1189507,1189562,1189563,1189564,1189565,1189566,1189567,1189568,1189569,1189573,1189574,1189575,1189576,1189577,1189579,1189581,1189582,1189583,1189585,1189586,1189587,1189706,1189760,1189762,1189832,1189841,1189870,1189872,1189883,1190022,1190025,1190115,1190117,1
 190412,1190413,1190428,CVE-2020-12770,CVE-2021-34556,CVE-2021-35477,CVE-2021-3640,CVE-2021-3653,CVE-2021-3656,CVE-2021-3679,CVE-2021-3732,CVE-2021-3739,CVE-2021-3743,CVE-2021-3753,CVE-2021-3759,CVE-2021-38160,CVE-2021-38166,CVE-2021-38198,CVE-2021-38204,CVE-2021-38205,CVE-2021-38206,CVE-2021-38207,CVE-2021-38209
The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2021-3640: Fixed a Use-After-Free vulnerability in function sco_sock_sendmsg() in the bluetooth stack (bsc#1188172).
- CVE-2021-3653: Missing validation of the `int_ctl` VMCB field and allows a malicious L1 guest to enable AVIC support for the L2 guest. (bsc#1189399).
- CVE-2021-3656: Missing validation of the the `virt_ext` VMCB field and allows a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS for the L2 guest (bsc#1189400).
- CVE-2021-3679: A lack of CPU resource in tracing module functionality was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service (bnc#1189057).
- CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
- CVE-2021-3739: Fixed a NULL pointer dereference when deleting device by invalid id (bsc#1189832 ).
- CVE-2021-3743: Fixed OOB Read in qrtr_endpoint_post (bsc#1189883).
- CVE-2021-3753: Fixed race out-of-bounds in virtual terminal handling (bsc#1190025).
- CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117)
- CVE-2021-38198: arch/x86/kvm/mmu/paging_tmpl.h incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault (bnc#1189262).
- CVE-2021-38204: drivers/usb/host/max3421-hcd.c allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
- CVE-2021-38205: drivers/net/ethernet/xilinx/xilinx_emaclite.c made it easier for attackers to defeat an ASLR protection mechanism because it prints a kernel pointer (i.e., the real IOMEM pointer) (bnc#1189292).
- CVE-2021-38207: drivers/net/ethernet/xilinx/ll_temac_main.c allowed remote attackers to cause a denial of service (buffer overflow and lockup) by sending heavy network traffic for about ten minutes (bnc#1189298).
- CVE-2021-38166: Fixed an integer overflow and out-of-bounds write when many elements are placed in a single bucket in kernel/bpf/hashtab.c (bnc#1189233 ).
- CVE-2021-38209: Fixed allowed observation of changes in any net namespace via net/netfilter/nf_conntrack_standalone.c (bnc#1189393).
- CVE-2021-38206: Fixed NULL pointer dereference in the radiotap parser inside the mac80211 subsystem (bnc#1189296).
- CVE-2021-34556: Fixed side-channel attack via a Speculative Store Bypass via unprivileged BPF program that could have obtain sensitive information from kernel memory (bsc#1188983).
- CVE-2021-35477: Fixed BPF stack frame pointer which could have been abused to disclose content of arbitrary kernel memory (bsc#1188985).
- CVE-2021-3759: Unaccounted ipc objects in Linux kernel could have lead to breaking memcg limits and DoS attacks (bsc#1190115).
- CVE-2020-12770: Fixed sg_remove_request call in a certain failure cases (bsc#1171420).

The following non-security bugs were fixed:

- ACPI: NFIT: Fix support for virtual SPA ranges (git-fixes).
- ACPI: processor: Clean up acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Export acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Export function to claim _CST control (bsc#1175543)
- ACPI: processor: Introduce acpi_processor_evaluate_cst() (bsc#1175543)
- ACPI: processor: Make ACPI_PROCESSOR_CSTATE depend on ACPI_PROCESSOR (bsc#1175543)
- ALSA: hda - fix the 'Capture Switch' value change notifications (git-fixes).
- ALSA: hda/hdmi: Add quirk to force pin connectivity on NUC10 (git-fixes).
- ALSA: hda/hdmi: fix max DP-MST dev_num for Intel TGL+ platforms (git-fixes).
- ALSA: hda/hdmi: let new platforms assign the pcm slot dynamically (git-fixes).
- ALSA: hda/realtek - Add ALC285 HP init procedure (git-fixes).
- ALSA: hda/realtek - Add type for ALC287 (git-fixes).
- ALSA: hda/realtek: Change device names for quirks to barebone names (git-fixes).
- ALSA: hda/realtek: Enable 4-speaker output for Dell XPS 15 9510 laptop (git-fixes).
- ALSA: hda/realtek: Fix headset mic for Acer SWIFT SF314-56 (ALC256) (git-fixes).
- ALSA: hda/realtek: Limit mic boost on HP ProBook 445 G8 (git-fixes).
- ALSA: hda/realtek: add mic quirk for Acer SF314-42 (git-fixes).
- ALSA: hda/realtek: fix mute led of the HP Pavilion 15-eh1xxx series (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 650 G8 Notebook PC (git-fixes).
- ALSA: hda/via: Apply runtime PM workaround for ASUS B23E (git-fixes).
- ALSA: hda: Add quirk for ASUS Flow x13 (git-fixes).
- ALSA: hda: Fix hang during shutdown due to link reset (git-fixes).
- ALSA: hda: Release controller display power during shutdown/reboot (git-fixes).
- ALSA: pcm: Fix mmap breakage without explicit buffer setup (git-fixes).
- ALSA: pcm: fix divide error in snd_pcm_lib_ioctl (git-fixes).
- ALSA: seq: Fix racy deletion of subscriber (git-fixes).
- ALSA: usb-audio: Add registration quirk for JBL Quantum 600 (git-fixes).
- ALSA: usb-audio: Avoid unnecessary or invalid connector selection at resume (git-fixes).
- ALSA: usb-audio: Fix regression on Sony WALKMAN NW-A45 DAC (git-fixes).
- ALSA: usb-audio: Fix superfluous autosuspend recovery (git-fixes).
- ALSA: usb-audio: fix incorrect clock source setting (git-fixes).
- ASoC: Intel: Skylake: Fix module resource and format selection (git-fixes).
- ASoC: Intel: Skylake: Leave data as is when invoking TLV IPCs (git-fixes).
- ASoC: Intel: kbl_da7219_max98927: Fix format selection for max98373 (git-fixes).
- ASoC: SOF: Intel: hda-ipc: fix reply size checking (git-fixes).
- ASoC: amd: Fix reference to PCM buffer address (git-fixes).
- ASoC: component: Remove misplaced prefix handling in pin control functions (git-fixes).
- ASoC: cs42l42: Correct definition of ADC Volume control (git-fixes).
- ASoC: cs42l42: Do not allow SND_SOC_DAIFMT_LEFT_J (git-fixes).
- ASoC: cs42l42: Fix LRCLK frame start edge (git-fixes).
- ASoC: cs42l42: Fix inversion of ADC Notch Switch control (git-fixes).
- ASoC: cs42l42: Remove duplicate control for WNF filter frequency (git-fixes).
- ASoC: intel: atom: Fix breakage for PCM buffer address setup (git-fixes).
- ASoC: intel: atom: Fix reference to PCM buffer address (git-fixes).
- ASoC: mediatek: mt8183: Fix Unbalanced pm_runtime_enable in mt8183_afe_pcm_dev_probe (git-fixes).
- ASoC: rt5682: Adjust headset volume button threshold (git-fixes).
- ASoC: rt5682: Adjust headset volume button threshold again (git-fixes).
- ASoC: rt5682: Fix the issue of garbled recording after powerd_dbus_suspend (git-fixes).
- ASoC: ti: j721e-evm: Check for not initialized parent_clk_id (git-fixes).
- ASoC: ti: j721e-evm: Fix unbalanced domain activity tracking during startup (git-fixes).
- ASoC: tlv320aic31xx: Fix jack detection after suspend (git-fixes).
- ASoC: tlv320aic31xx: fix reversed bclk/wclk master bits (git-fixes).
- ASoC: uniphier: Fix reference to PCM buffer address (git-fixes).
- ASoC: wcd9335: Disable irq on slave ports in the remove function (git-fixes).
- ASoC: wcd9335: Fix a double irq free in the remove function (git-fixes).
- ASoC: wcd9335: Fix a memory leak in the error handling path of the probe function (git-fixes).
- ASoC: xilinx: Fix reference to PCM buffer address (git-fixes).
- Avoid double printing SUSE specific flags in mod->taint (bsc#1190413).
- Bluetooth: add timeout sanity check to hci_inquiry (git-fixes).
- Bluetooth: btusb: Fix a unspported condition to set available debug features (git-fixes).
- Bluetooth: btusb: check conditions before enabling USB ALT 3 for WBS (git-fixes).
- Bluetooth: defer cleanup of resources in hci_unregister_dev() (git-fixes).
- Bluetooth: fix repeated calls to sco_sock_kill (git-fixes).
- Bluetooth: hidp: use correct wait queue when removing ctrl_wait (git-fixes).
- Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow (git-fixes).
- Bluetooth: mgmt: Fix wrong opcode in the response for add_adv cmd (git-fixes).
- Bluetooth: sco: prevent information leak in sco_conn_defer_accept() (git-fixes).
- Drop two intel_int0002_vgpio patches that cause Oops (bsc#1190412)
- KVM: VMX: Drop guest CPUID check for VMXE in vmx_set_cr4() (bsc#1188786).
- KVM: VMX: Enable machine check support for 32bit targets (bsc#1188787).
- KVM: VMX: Explicitly clear RFLAGS.CF and RFLAGS.ZF in VM-Exit RSB path (bsc#1188788).
- KVM: VMX: Extend VMXs #AC interceptor to handle split lock #AC in guest (bsc#1187959).
- KVM: nVMX: Handle split-lock #AC exceptions that happen in L2 (bsc#1187959).
- KVM: nVMX: Really make emulated nested preemption timer pinned (bsc#1188780).
- KVM: nVMX: Reset the segment cache when stuffing guest segs (bsc#1188781).
- KVM: nVMX: Skip IBPB when switching between vmcs01 and vmcs02 (bsc#1188782).
- KVM: nVMX: Sync unsync'd vmcs02 state to vmcs12 on migration (bsc#1188783).
- KVM: nVMX: Truncate bits 63:32 of VMCS field on nested check in !64-bit (bsc#1188784).
- KVM: x86: Emulate split-lock access as a write in emulator (bsc#1187959).
- KVM: x86: bit 8 of non-leaf PDPEs is not reserved (bsc#1188790).
- NFS: Correct size calculation for create reply length (bsc#1189870).
- NFSv4.1: Do not rebind to the same source port when (bnc#1186264 bnc#1189021)
- NFSv4/pNFS: Do not call _nfs4_pnfs_v3_ds_connect multiple times (git-fixes).
- NFSv4: Initialise connection to the server in nfs4_alloc_client() (bsc#1040364).
- PCI/MSI: Correct misleading comments (git-fixes).
- PCI/MSI: Do not set invalid bits in MSI mask (git-fixes).
- PCI/MSI: Enable and mask MSI-X early (git-fixes).
- PCI/MSI: Enforce MSI[X] entry updates to be visible (git-fixes).
- PCI/MSI: Enforce that MSI-X table entry is masked for update (git-fixes).
- PCI/MSI: Mask all unused MSI-X entries (git-fixes).
- PCI/MSI: Skip masking MSI-X on Xen PV (git-fixes).
- PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() (git-fixes).
- PCI: Increase D3 delay for AMD Renoir/Cezanne XHCI (git-fixes).
- PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently (git-fixes).
- PCI: PM: Enable PME if it can be signaled from D3cold (git-fixes).
- RDMA/bnxt_re: Fix stats counters (bsc#1188231).
- SUNRPC: 'Directory with parent 'rpc_clnt' already present!' (bsc#1168202 bsc#1188924).
- SUNRPC: Fix the batch tasks count wraparound (git-fixes).
- SUNRPC: Should wake up the privileged task firstly (git-fixes).
- SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202 bsc#1188924).
- SUNRPC: fix use-after-free in rpc_free_client_work() (bsc#1168202 bsc#1188924).
- SUNRPC: improve error response to over-size gss credential (bsc#1190022).
- SUNRPC: prevent port reuse on transports which do not request it (bnc#1186264 bnc#1189021).
- USB: core: Avoid WARNings for 0-length descriptor requests (git-fixes).
- USB: serial: ch341: fix character loss at high transfer rates (git-fixes).
- USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 (git-fixes).
- USB: serial: option: add Telit FD980 composition 0x1056 (git-fixes).
- USB: usbtmc: Fix RCU stall warning (git-fixes).
- USB:ehci:fix Kunpeng920 ehci hardware problem (git-fixes).
- VMCI: fix NULL pointer dereference when unmapping queue pair (git-fixes).
- ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() (git-fixes).
- ath9k: Clear key cache explicitly on disabling hardware (git-fixes).
- ath: Use safer key clearing with key cache entries (git-fixes).
- bcma: Fix memory leak for internally-handled cores (git-fixes).
- bdi: Do not use freezable workqueue (bsc#1189573).
- blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit() (bsc#1189507).
- blk-mq-sched: Fix blk_mq_sched_alloc_tags() error handling (bsc#1189506).
- blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled() (bsc#1189503).
- blk-wbt: make sure throttle is enabled properly (bsc#1189504).
- block: fix trace completion for chained bio (bsc#1189505).
- bnxt_en: Validate vlan protocol ID on RX packets (jsc#SLE-15075).
- brcmfmac: pcie: fix oops on failure to resume and reprobe (git-fixes).
- btrfs: Rename __btrfs_alloc_chunk to btrfs_alloc_chunk (bsc#1189077).
- btrfs: add a trace class for dumping the current ENOSPC state (bsc#1135481).
- btrfs: add a trace point for reserve tickets (bsc#1135481).
- btrfs: adjust the flush trace point to include the source (bsc#1135481).
- btrfs: check reclaim_size in need_preemptive_reclaim (bsc#1135481).
- btrfs: factor out create_chunk() (bsc#1189077).
- btrfs: factor out decide_stripe_size() (bsc#1189077).
- btrfs: factor out gather_device_info() (bsc#1189077).
- btrfs: factor out init_alloc_chunk_ctl (bsc#1189077).
- btrfs: fix btrfs_calc_reclaim_metadata_size calculation (bsc#1135481).
- btrfs: fix deadlock with concurrent chunk allocations involving system chunks (bsc#1189077).
- btrfs: handle invalid profile in chunk allocation (bsc#1189077).
- btrfs: implement space clamping for preemptive flushing (bsc#1135481).
- btrfs: improve preemptive background space flushing (bsc#1135481).
- btrfs: introduce a FORCE_COMMIT_TRANS flush operation (bsc#1135481).
- btrfs: introduce alloc_chunk_ctl (bsc#1189077).
- btrfs: introduce chunk allocation policy (bsc#1189077).
- btrfs: make flush_space take a enum btrfs_flush_state instead of int (bsc#1135481).
- btrfs: move the chunk_mutex in btrfs_read_chunk_tree (bsc#1189077).
- btrfs: parameterize dev_extent_min for chunk allocation (bsc#1189077).
- btrfs: refactor find_free_dev_extent_start() (bsc#1189077).
- btrfs: remove FLUSH_DELAYED_REFS from data ENOSPC flushing (bsc#1135481).
- btrfs: rename need_do_async_reclaim (bsc#1135481).
- btrfs: rework btrfs_calc_reclaim_metadata_size (bsc#1135481).
- btrfs: rework chunk allocation to avoid exhaustion of the system chunk array (bsc#1189077).
- btrfs: rip out btrfs_space_info::total_bytes_pinned (bsc#1135481).
- btrfs: rip the first_ticket_bytes logic from fail_all_tickets (bsc#1135481).
- btrfs: simplify the logic in need_preemptive_flushing (bsc#1135481).
- btrfs: tracepoints: convert flush states to using EM macros (bsc#1135481).
- btrfs: tracepoints: fix btrfs_trigger_flush symbolic string for flags (bsc#1135481).
- can: ti_hecc: Fix memleak in ti_hecc_probe (git-fixes).
- can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters (git-fixes).
- ceph: clean up and optimize ceph_check_delayed_caps() (bsc#1187468).
- ceph: reduce contention in ceph_check_delayed_caps() (bsc#1187468).
- ceph: take snap_empty_lock atomically with snaprealm refcount change (bsc#1189427).
- cfg80211: Fix possible memory leak in function cfg80211_bss_update (git-fixes).
- cifs: Remove unused inline function is_sysvol_or_netlogon() (bsc#1185902).
- cifs: avoid starvation when refreshing dfs cache (bsc#1185902).
- cifs: constify get_normalized_path() properly (bsc#1185902).
- cifs: do not cargo-cult strndup() (bsc#1185902).
- cifs: do not send tree disconnect to ipc shares (bsc#1185902).
- cifs: do not share tcp servers with dfs mounts (bsc#1185902).
- cifs: do not share tcp sessions of dfs connections (bsc#1185902).
- cifs: fix check of dfs interlinks (bsc#1185902).
- cifs: fix path comparison and hash calc (bsc#1185902).
- cifs: get rid of @noreq param in __dfs_cache_find() (bsc#1185902).
- cifs: handle different charsets in dfs cache (bsc#1185902).
- cifs: keep referral server sessions alive (bsc#1185902).
- cifs: missing null pointer check in cifs_mount (bsc#1185902).
- cifs: prevent NULL deref in cifs_compose_mount_options() (bsc#1185902).
- cifs: set a minimum of 2 minutes for refreshing dfs cache (bsc#1185902).
- clk: fix leak on devm_clk_bulk_get_all() unwind (git-fixes).
- clk: stm32f4: fix post divisor setup for I2S/SAI PLLs (git-fixes).
- cpuidle: Allow idle states to be disabled by default (bsc#1175543)
- cpuidle: Consolidate disabled state checks (bsc#1175543) 
- cpuidle: Drop disabled field from struct cpuidle_state (bsc#1175543)
- cpuidle: Fix cpuidle_driver_state_disabled() (bsc#1175543)
- cpuidle: Introduce cpuidle_driver_state_disabled() for driver quirks (bsc#1175543)
- crypto: ccp - Annotate SEV Firmware file names (bsc#1189212).
- crypto: qat - use proper type for vf_mask (git-fixes).
- crypto: x86/curve25519 - fix cpu feature checking logic in mod_exit (git-fixes).
- device-dax: Fix default return code of range_parse() (git-fixes).
- dm integrity: fix missing goto in bitmap_flush_interval error handling (git-fixes).
- dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails (git-fixes).
- dm verity: fix DM_VERITY_OPTS_MAX value (git-fixes).
- dmaengine: idxd: fix setup sequence for MSIXPERM table (git-fixes).
- dmaengine: imx-dma: configure the generic DMA type to make it work (git-fixes).
- dmaengine: imx-dma: configure the generic DMA type to make it work (git-fixes).
- dmaengine: imx-sdma: remove duplicated sdma_load_context (git-fixes).
- dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available (git-fixes).
- dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe() (git-fixes).
- dmaengine: xilinx_dma: Fix read-after-free bug when terminating transfers (git-fixes).
- drivers/block/null_blk/main: Fix a double free in null_init (git-fixes).
- drm/amd/display: Fix Dynamic bpp issue with 8K30 with Navi 1X (git-fixes).
- drm/amd/display: Fix comparison error in dcn21 DML (git-fixes).
- drm/amd/display: Fix max vstartup calculation for modes with borders (git-fixes).
- drm/amd/display: Remove invalid assert for ODM + MPC case (git-fixes).
- drm/amd/display: use GFP_ATOMIC in amdgpu_dm_irq_schedule_work (git-fixes).
- drm/amd/display: workaround for hard hang on HPD on native DP (git-fixes).
- drm/amdgpu/acp: Make PM domain really work (git-fixes).
- drm/amdgpu/display: fix DMUB firmware version info (git-fixes).
- drm/amdgpu/display: only enable aux backlight control for OLED panels (git-fixes).
- drm/amdgpu: do not enable baco on boco platforms in runpm (git-fixes).
- drm/amdgpu: fix the doorbell missing when in CGPG issue for renoir (git-fixes).
- drm/dp_mst: Fix return code on sideband message failure (git-fixes).
- drm/i915/dg1: gmbus pin mapping (bsc#1188700).
- drm/i915/dg1: provide port/phy mapping for vbt (bsc#1188700).
- drm/i915/gen9_bc: Add W/A for missing STRAP config on TGP PCH + CML combos (bsc#1188700).
- drm/i915/gen9_bc: Introduce HPD pin mappings for TGP PCH + CML combos (bsc#1188700).
- drm/i915/gen9_bc: Introduce TGP PCH DDC pin mappings (bsc#1188700).
- drm/i915/gen9_bc: Recognize TGP PCH + CML combos (bsc#1188700).
- drm/i915/rkl: new rkl ddc map for different PCH (bsc#1188700).
- drm/i915: Add VBT AUX CH H and I (bsc#1188700).
- drm/i915: Add VBT DVO ports H and I (bsc#1188700).
- drm/i915: Add more AUX CHs to the enum (bsc#1188700).
- drm/i915: Configure GEN11_{TBT,TC}_HOTPLUG_CTL for ports TC5/6 (bsc#1188700).
- drm/i915: Correct SFC_DONE register offset (git-fixes).
- drm/i915: Introduce HPD_PORT_TC<n> (bsc#1188700).
- drm/i915: Move hpd_pin setup to encoder init (bsc#1188700).
- drm/i915: Nuke the redundant TC/TBT HPD bit defines (bsc#1188700).
- drm/i915: Only access SFC_DONE when media domain is not fused off (git-fixes).
- drm/meson: fix colour distortion from HDR set during vendor u-boot (git-fixes).
- drm/msi/mdp4: populate priv->kms in mdp4_kms_init (git-fixes).
- drm/msm/dpu: make dpu_hw_ctl_clear_all_blendstages clear necessary LMs (git-fixes).
- drm/msm/dsi: Fix some reference counted resource leaks (git-fixes).
- drm/msm: Fix error return code in msm_drm_init() (git-fixes).
- drm/nouveau/kms/nv50: workaround EFI GOP window channel format differences (git-fixes).
- drm/of: free the iterator object on failure (git-fixes).
- drm/of: free the right object (git-fixes).
- drm/panfrost: Fix missing clk_disable_unprepare() on error in panfrost_clk_init() (git-fixes).
- drm/prime: fix comment on PRIME Helpers (git-fixes).
- ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle (bsc#1189568).
- ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit (bsc#1189564).
- ext4: fix avefreec in find_group_orlov (bsc#1189566).
- ext4: fix kernel infoleak via ext4_extent_header (bsc#1189562).
- ext4: fix potential htree corruption when growing large_dir directories (bsc#1189576).
- ext4: remove check for zero nr_to_scan in ext4_es_scan() (bsc#1189565).
- ext4: return error code when ext4_fill_flex_info() fails (bsc#1189563).
- ext4: use ext4_grp_locked_error in mb_find_extent (bsc#1189567).
- fanotify: fix copy_event_to_user() fid error clean up (bsc#1189574).
- firmware_loader: fix use-after-free in firmware_fallback_sysfs (git-fixes).
- firmware_loader: use -ETIMEDOUT instead of -EAGAIN in fw_load_sysfs_fallback (git-fixes).
- fixup 'rpm: support gz and zst compression methods' (bsc#1190358, bsc#1190428).
- fpga: altera-freeze-bridge: Address warning about unused variable (git-fixes).
- fpga: dfl: fme: Fix cpu hotplug issue in performance reporting (git-fixes).
- fpga: dfl: fme: Fix cpu hotplug issue in performance reporting (git-fixes).
- fpga: xiilnx-spi: Address warning about unused variable (git-fixes).
- fpga: zynqmp-fpga: Address warning about unused variable (git-fixes).
- gpio: eic-sprd: break loop when getting NULL device resource (git-fixes).
- gpio: tqmx86: really make IRQ optional (git-fixes).
- i2c: dev: zero out array used for i2c reads from userspace (git-fixes).
- i2c: highlander: add IRQ check (git-fixes).
- i2c: iop3xx: fix deferred probing (git-fixes).
- i2c: mt65xx: fix IRQ check (git-fixes).
- i2c: s3c2410: fix IRQ check (git-fixes).
- iio: adc: Fix incorrect exit of for-loop (git-fixes).
- iio: adc: ti-ads7950: Ensure CS is deasserted after reading channels (git-fixes).
- iio: humidity: hdc100x: Add margin to the conversion time (git-fixes).
- intel_idle: Add module parameter to prevent ACPI _CST from being used (bsc#1175543)
- intel_idle: Allow ACPI _CST to be used for selected known processors (bsc#1175543)
- intel_idle: Annotate init time data structures (bsc#1175543)
- intel_idle: Customize IceLake server support (bsc#1175543)
- intel_idle: Disable ACPI _CST on Haswell (bsc#1175543, bsc#1177399, bsc#1180347, bsc#1180141)
- intel_idle: Fix max_cstate for processor models without C-state tables (bsc#1175543)
- intel_idle: Ignore _CST if control cannot be taken from the platform (bsc#1175543)
- intel_idle: Refactor intel_idle_cpuidle_driver_init() (bsc#1175543)
- intel_idle: Use ACPI _CST for processor models without C-state tables (bsc#1175543)
- iommu/amd: Fix extended features logging (bsc#1189213).
- iommu/amd: Move Stoney Ridge check to detect_ivrs() (bsc#1189762).
- iommu/arm-smmu-v3: Decrease the queue size of evtq and priq (bsc#1189210).
- iommu/arm-smmu-v3: add bit field SFM into GERROR_ERR_MASK (bsc#1189209).
- iommu/dma: Fix IOVA reserve dma ranges (bsc#1189214).
- iommu/dma: Fix compile warning in 32-bit builds (bsc#1189229).
- iommu/vt-d: Check for allocation failure in aux_detach_device() (bsc#1189215).
- iommu/vt-d: Define counter explicitly as unsigned int (bsc#1189216).
- iommu/vt-d: Do not set then clear private data in prq_event_thread() (bsc#1189217).
- iommu/vt-d: Fix sysfs leak in alloc_iommu() (bsc#1189218).
- iommu/vt-d: Force to flush iotlb before creating superpage (bsc#1189219).
- iommu/vt-d: Global devTLB flush when present context entry changed (bsc#1189220).
- iommu/vt-d: Invalidate PASID cache when root/context entry changed (bsc#1189221).
- iommu/vt-d: Reject unsupported page request modes (bsc#1189222).
- ionic: add handling of larger descriptors (jsc#SLE-16649).
- ionic: add new queue features to interface (jsc#SLE-16649).
- ionic: aggregate Tx byte counting calls (jsc#SLE-16649).
- ionic: block actions during fw reset (jsc#SLE-16649).
- ionic: change mtu after queues are stopped (jsc#SLE-16649).
- ionic: check for link after netdev registration (jsc#SLE-16649).
- ionic: code cleanup details (jsc#SLE-16649).
- ionic: fix sizeof usage (jsc#SLE-16649).
- ionic: fix unchecked reference (jsc#SLE-16649).
- ionic: fix up dim accounting for tx and rx (jsc#SLE-16649).
- ionic: generic tx skb mapping (jsc#SLE-16649).
- ionic: implement Rx page reuse (jsc#SLE-16649).
- ionic: make all rx_mode work threadsafe (jsc#SLE-16649).
- ionic: move rx_page_alloc and free (jsc#SLE-16649).
- ionic: optimize fastpath struct usage (jsc#SLE-16649).
- ionic: protect adminq from early destroy (jsc#SLE-16649).
- ionic: rebuild debugfs on qcq swap (jsc#SLE-16649).
- ionic: remove intr coalesce update from napi (jsc#SLE-16649).
- ionic: remove some unnecessary oom messages (jsc#SLE-16649).
- ionic: simplify TSO descriptor mapping (jsc#SLE-16649).
- ionic: simplify rx skb alloc (jsc#SLE-16649).
- ionic: simplify the intr_index use in txq_init (jsc#SLE-16649).
- ionic: simplify tx clean (jsc#SLE-16649).
- ionic: simplify use of completion types (jsc#SLE-16649).
- ionic: start queues before announcing link up (jsc#SLE-16649).
- ionic: stop watchdog when in broken state (jsc#SLE-16649).
- ionic: useful names for booleans (jsc#SLE-16649).
- iwlwifi: pnvm: accept multiple HW-type TLVs (git-fixes).
- iwlwifi: rs-fw: do not support stbc for HE 160 (git-fixes).
- iwlwifi: skip first element in the WTAS ACPI table (git-fixes).
- kABI fix of usb_dcd_config_params (git-fixes).
- kABI: Fix kABI after fixing vcpu-id indexed arrays (git-fixes).
- kabi fix for NFSv4.1: Do not rebind to the same source port when reconnecting to the server (bnc#1186264 bnc#1189021)
- kabi fix for SUNRPC: defer slow parts of rpc_free_client() to a workqueue (bsc#1168202 bsc#1188924).
- kernel, fs: Introduce and use set_restart_fn() and arch_set_restart_data() (bsc#1189153).
- kernel-cert-subpackage: Fix certificate location in scriptlets (bsc#1189841).
- leds: trigger: audio: Add an activate callback to ensure the initial brightness is set (git-fixes).
- lib/mpi: use kcalloc in mpi_resize (git-fixes).
- lib: Add zstd support to decompress (bsc#1187483, jsc#SLE-18766).
- libata: fix ata_pio_sector for CONFIG_HIGHMEM (git-fixes).
- mac80211: Fix insufficient headroom issue for AMSDU (git-fixes).
- md/raid10: properly indicate failure when ending a failed write request (git-fixes).
- md: revert io stats accounting (git-fixes).
- media: TDA1997x: enable EDID support (git-fixes).
- media: cxd2880-spi: Fix an error handling path (git-fixes).
- media: drivers/media/usb: fix memory leak in zr364xx_probe (git-fixes).
- media: dvb-usb: Fix error handling in dvb_usb_i2c_init (git-fixes).
- media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init (git-fixes).
- media: dvb-usb: fix uninit-value in vp702x_read_mac_addr (git-fixes).
- media: em28xx-input: fix refcount bug in em28xx_usb_disconnect (git-fixes).
- media: go7007: fix memory leak in go7007_usb_probe (git-fixes).
- media: go7007: remove redundant initialization (git-fixes).
- media: rtl28xxu: fix zero-length control request (git-fixes).
- media: stkwebcam: fix memory leak in stk_camera_probe (git-fixes).
- media: venus: venc: Fix potential null pointer dereference on pointer fmt (git-fixes).
- media: videobuf2-core: dequeue if start_streaming fails (git-fixes).
- media: zr364xx: fix memory leaks in probe() (git-fixes).
- media: zr364xx: propagate errors from zr364xx_start_readpipe() (git-fixes).
- misc: atmel-ssc: lock with mutex instead of spinlock (git-fixes).
- misc: rtsx: do not setting OC_POWER_DOWN reg in rtsx_pci_init_ocp() (git-fixes).
- mm/thp: unmap_mapping_page() to fix THP truncate_cleanup_page() (bsc#1189569).
- mm/vmscan: fix infinite loop in drop_slab_node (VM Functionality, bsc#1189301).
- mm: fix memory_failure() handling of dax-namespace metadata (bsc#1189872).
- mm: swap: properly update readahead statistics in unuse_pte_range() (bsc#1187619).
- mmc: dw_mmc: Fix hang on data CRC error (git-fixes).
- mmc: dw_mmc: Fix issue with uninitialized dma_slave_config (git-fixes).
- mmc: moxart: Fix issue with uninitialized dma_slave_config (git-fixes).
- mmc: sdhci-iproc: Cap min clock frequency on BCM2711 (git-fixes).
- mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711 (git-fixes).
- mtd: cfi_cmdset_0002: fix crash when erasing/writing AMD cards (git-fixes).
- nbd: Aovid double completion of a request (git-fixes).
- nbd: Fix NULL pointer in flush_workqueue (git-fixes).
- net/mlx5: Add ts_cqe_to_dest_cqn related bits (bsc#1188412)
- net/mlx5: Properly convey driver version to firmware (git-fixes).
- net/mlx5e: Add missing capability check for uplink follow (bsc#1188412)
- net: dsa: mv88e6xxx: Avoid VTU corruption on 6097 (git-fixes).
- net: dsa: mv88e6xxx: also read STU state in mv88e6250_g1_vtu_getnext (git-fixes).
- net: stmmac: free tx skb buffer in stmmac_resume() (git-fixes).
- net: usb: lan78xx: do not modify phy_device state concurrently (bsc#1188270)
- nfs: fix acl memory leak of posix_acl_create() (git-fixes).
- nvme-multipath: revalidate paths during rescan (bsc#1187211)
- nvme-pci: Use u32 for nvme_dev.q_depth and nvme_queue.q_depth (bsc#1181972).
- nvme-pci: fix NULL req in completion handler (bsc#1181972).
- nvme-pci: limit maximum queue depth to 4095 (bsc#1181972).
- nvme-pci: use unsigned for io queue depth (bsc#1181972).
- nvme-tcp: Do not reset transport on data digest errors (bsc#1188418).
- nvme-tcp: do not check blk_mq_tag_to_rq when receiving pdu data (bsc#1181972).
- nvme: avoid possible double fetch in handling CQE (bsc#1181972).
- nvme: code command_id with a genctr for use-after-free validation (bsc#1181972).
- nvme: only call synchronize_srcu when clearing current path (bsc#1188067).
- nvmet: use NVMET_MAX_NAMESPACES to set nn value (bsc#1189384).
- ocfs2: fix snprintf() checking (bsc#1189581).
- ocfs2: fix zero out valid data (bsc#1189579).
- ocfs2: initialize ip_next_orphan (bsc#1186731).
- ocfs2: issue zeroout to EOF blocks (bsc#1189582).
- ovl: allow upperdir inside lowerdir (bsc#1189323).
- ovl: expand warning in ovl_d_real() (bsc#1189323).
- ovl: fix missing revert_creds() on error path (bsc#1189323).
- ovl: perform vfs_getxattr() with mounter creds (bsc#1189323).
- ovl: skip getxattr of security labels (bsc#1189323).
- params: lift param_set_uint_minmax to common code (bsc#1181972).
- pcmcia: i82092: fix a null pointer dereference bug (git-fixes).
- perf/x86/amd: Do not touch the AMD64_EVENTSEL_HOSTONLY bit inside the guest (bsc#1189225).
- pinctrl: tigerlake: Fix GPIO mapping for newer version of software (git-fixes).
- platform/x86: pcengines-apuv2: Add missing terminating entries to gpio-lookup tables (git-fixes).
- post.sh: detect /usr mountpoint too
- power: supply: max17042: handle fails of reading status register (git-fixes).
- powerpc/cacheinfo: Improve diagnostics about malformed cache lists (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
- powerpc/cacheinfo: Lookup cache by dt node and thread-group id (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
- powerpc/cacheinfo: Remove the redundant get_shared_cpu_map() (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
- powerpc/cacheinfo: Use name at unit instead of full DT path in debug messages (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
- powerpc/papr_scm: Make 'perf_stats' invisible if perf-stats unavailable (bsc#1175052 jsc#SLE-13823 bsc#1174969 jsc#SLE-12769 git-fixes).
- powerpc/papr_scm: Reduce error severity if nvdimm stats inaccessible (bsc#1189197 ltc#193906).
- powerpc/pseries: Fix regression while building external modules (bsc#1160010 ltc#183046 git-fixes). This changes a GPL symbol to general symbol which is kABI change but not kABI break.
- powerpc/pseries: Fix update of LPAR security flavor after LPM (bsc#1188885 ltc#193722 git-fixes).
- powerpc/smp: Make some symbols static (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
- powerpc/smp: Use existing L2 cache_map cpumask to find L3 cache siblings (jsc#SLE-13615 bsc#1180100 ltc#190257 git-fixes).
- powerpc: Fix is_kvm_guest() / kvm_para_available() (bsc#1181148 ltc#190702 git-fixes).
- regulator: rt5033: Fix n_voltages settings for BUCK and LDO (git-fixes).
- regulator: vctrl: Avoid lockdep warning in enable/disable ops (git-fixes).
- regulator: vctrl: Use locked regulator_get_voltage in probe path (git-fixes).
- rpm/kernel-binary.spec.in: Use kmod-zstd provide. This makes it possible to use kmod with ZSTD support on non-Tumbleweed.
- rpm/kernel-obs-build.spec.in: make builds reproducible (bsc#1189305)
- rpm/kernel-source.rpmlintrc: ignore new include/config files In 5.13, since 0e0345b77ac4, config files have no longer .h suffix. Adapt the zero-length check. Based on Martin Liska's change.
- rq-qos: fix missed wake-ups in rq_qos_throttle try two (bsc#1189575).
- rsi: fix an error code in rsi_probe() (git-fixes).
- rsi: fix error code in rsi_load_9116_firmware() (git-fixes).
- s390/ap: Fix hanging ioctl caused by wrong msg counter (bsc#1188982 LTC#193817).
- s390/boot: fix use of expolines in the DMA code (bsc#1188878 ltc#193771).
- scsi: blkcg: Add app identifier support for blkcg (bsc#1189385 jsc#SLE-18970).
- scsi: blkcg: Fix application ID config options (bsc#1189385 jsc#SLE-18970).
- scsi: cgroup: Add cgroup_get_from_id() (bsc#1189385 jsc#SLE-18970).
- scsi: core: Add scsi_prot_ref_tag() helper (bsc#1189392).
- scsi: ibmvfc: Do not wait for initial device scan (bsc#1127650).
- scsi: libfc: Fix array index out of bound exception (bsc#1188616).
- scsi: lpfc: Add 256 Gb link speed support (bsc#1189385).
- scsi: lpfc: Add PCI ID support for LPe37000/LPe38000 series adapters (bsc#1189385).
- scsi: lpfc: Call discovery state machine when handling PLOGI/ADISC completions (bsc#1189385).
- scsi: lpfc: Clear outstanding active mailbox during PCI function reset (bsc#1189385).
- scsi: lpfc: Copyright updates for 12.8.0.11 patches (bsc#1189385).
- scsi: lpfc: Copyright updates for 14.0.0.0 patches (bsc#1189385).
- scsi: lpfc: Delay unregistering from transport until GIDFT or ADISC completes (bsc#1189385).
- scsi: lpfc: Discovery state machine fixes for LOGO handling (bsc#1189385).
- scsi: lpfc: Enable adisc discovery after RSCN by default (bsc#1189385).
- scsi: lpfc: Fix KASAN slab-out-of-bounds in lpfc_unreg_rpi() routine (bsc#1189385).
- scsi: lpfc: Fix NULL ptr dereference with NPIV ports for RDF handling (bsc#1189385).
- scsi: lpfc: Fix NVMe support reporting in log message (bsc#1189385).
- scsi: lpfc: Fix build error in lpfc_scsi.c (bsc#1189385).
- scsi: lpfc: Fix cq_id truncation in rq create (bsc#1189385).
- scsi: lpfc: Fix function description comments for vmid routines (bsc#1189385).
- scsi: lpfc: Fix memory leaks in error paths while issuing ELS RDF/SCR request (bsc#1189385).
- scsi: lpfc: Fix possible ABBA deadlock in nvmet_xri_aborted() (bsc#1189385).
- scsi: lpfc: Fix target reset handler from falsely returning FAILURE (bsc#1189385).
- scsi: lpfc: Improve firmware download logging (bsc#1189385).
- scsi: lpfc: Keep NDLP reference until after freeing the IOCB after ELS handling (bsc#1189385).
- scsi: lpfc: Move initialization of phba->poll_list earlier to avoid crash (git-fixes).
- scsi: lpfc: Remove REG_LOGIN check requirement to issue an ELS RDF (bsc#1189385).
- scsi: lpfc: Remove redundant assignment to pointer pcmd (bsc#1189385).
- scsi: lpfc: Remove redundant assignment to pointer temp_hdr (bsc#1189385).
- scsi: lpfc: Remove use of kmalloc() in trace event logging (bsc#1189385).
- scsi: lpfc: Revise Topology and RAS support checks for new adapters (bsc#1189385).
- scsi: lpfc: Skip issuing ADISC when node is in NPR state (bsc#1189385).
- scsi: lpfc: Skip reg_vpi when link is down for SLI3 in ADISC cmpl path (bsc#1189385).
- scsi: lpfc: Update lpfc version to 12.8.0.11 (bsc#1189385).
- scsi: lpfc: Update lpfc version to 14.0.0.0 (bsc#1189385).
- scsi: lpfc: Use PBDE feature enabled bit to determine PBDE support (bsc#1189385).
- scsi: lpfc: Use list_move_tail() instead of list_del()/list_add_tail() (bsc#1189385).
- scsi: lpfc: vmid: Add QFPA and VMID timeout check in worker thread (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Add datastructure for supporting VMID in lpfc (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Add support for VMID in mailbox command (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Append the VMID to the wqe before sending (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Functions to manage VMIDs (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Implement CT commands for appid (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Implement ELS commands for appid (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Introduce VMID in I/O path (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: Timeout implementation for VMID (bsc#1189385 jsc#SLE-18970).
- scsi: lpfc: vmid: VMID parameter initialization (bsc#1189385 jsc#SLE-18970).
- scsi: mpt3sas: Fix ReplyPostFree pool allocation (bsc#1181006).
- scsi: qla2xxx: Add heartbeat check (bsc#1189392).
- scsi: qla2xxx: Fix error return code in qla82xx_write_flash_dword() (bsc#1189392).
- scsi: qla2xxx: Fix spelling mistakes 'allloc' -> 'alloc' (bsc#1189392).
- scsi: qla2xxx: Fix use after free in debug code (bsc#1189392).
- scsi: qla2xxx: Log PCI address in qla_nvme_unregister_remote_port() (bsc#1189392).
- scsi: qla2xxx: Remove duplicate declarations (bsc#1189392).
- scsi: qla2xxx: Remove redundant assignment to rval (bsc#1189392).
- scsi: qla2xxx: Remove redundant continue statement in a for-loop (bsc#1189392).
- scsi: qla2xxx: Remove redundant initialization of variable num_cnt (bsc#1189392).
- scsi: qla2xxx: Remove unused variable 'status' (bsc#1189392).
- scsi: qla2xxx: Update version to 10.02.00.107-k (bsc#1189392).
- scsi: qla2xxx: Use list_move_tail() instead of list_del()/list_add_tail() (bsc#1189392).
- scsi: qla2xxx: Use the proper SCSI midlayer interfaces for PI (bsc#1189392).
- scsi: qla2xxx: edif: Add authentication pass + fail bsgs (bsc#1189392).
- scsi: qla2xxx: edif: Add detection of secure device (bsc#1189392).
- scsi: qla2xxx: edif: Add doorbell notification for app (bsc#1189392).
- scsi: qla2xxx: edif: Add encryption to I/O path (bsc#1189392).
- scsi: qla2xxx: edif: Add extraction of auth_els from the wire (bsc#1189392).
- scsi: qla2xxx: edif: Add getfcinfo and statistic bsgs (bsc#1189392).
- scsi: qla2xxx: edif: Add key update (bsc#1189392).
- scsi: qla2xxx: edif: Add send, receive, and accept for auth_els (bsc#1189392).
- scsi: qla2xxx: edif: Add start + stop bsgs (bsc#1189392).
- scsi: qla2xxx: edif: Increment command and completion counts (bsc#1189392).
- scsi: scsi_transport_srp: Do not block target in SRP_PORT_LOST state (bsc#1184180).
- scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal (bsc#1189392).
- scsi: zfcp: Report port fc_security as unknown early during remote cable pull (git-fixes).
- serial: 8250: Mask out floating 16/32-bit bus bits (git-fixes).
- serial: 8250_mtk: fix uart corruption issue when rx power off (git-fixes).
- serial: 8250_pci: Avoid irq sharing for MSI(-X) interrupts (git-fixes).
- serial: 8250_pci: Enumerate Elkhart Lake UARTs via dedicated driver (git-fixes).
- serial: tegra: Only print FIFO error message when an error occurs (git-fixes).
- slimbus: messaging: check for valid transaction id (git-fixes).
- slimbus: messaging: start transaction ids from 1 instead of zero (git-fixes).
- slimbus: ngd: reset dma setup during runtime pm (git-fixes).
- soc: aspeed: lpc-ctrl: Fix boundary check for mmap (git-fixes).
- soc: aspeed: p2a-ctrl: Fix boundary check for mmap (git-fixes).
- soc: ixp4xx/qmgr: fix invalid __iomem access (git-fixes).
- soc: ixp4xx/qmgr: fix invalid __iomem access (git-fixes).
- soc: ixp4xx: fix printing resources (git-fixes).
- soc: ixp4xx: fix printing resources (git-fixes).
- soc: qcom: rpmhpd: Use corner in power_off (git-fixes).
- soc: qcom: smsm: Fix missed interrupts if state changes while masked (git-fixes).
- spi: imx: mx51-ecspi: Fix CONFIGREG delay comment (git-fixes).
- spi: imx: mx51-ecspi: Fix low-speed CONFIGREG delay calculation (git-fixes).
- spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay (git-fixes).
- spi: mediatek: Fix fifo transfer (git-fixes).
- spi: meson-spicc: fix memory leak in meson_spicc_remove (git-fixes).
- spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config (git-fixes).
- spi: spi-pic32: Fix issue with uninitialized dma_slave_config (git-fixes).
- spi: sprd: Fix the wrong WDG_LOAD_VAL (git-fixes).
- spi: stm32h7: fix full duplex irq handler handling (git-fixes).
- staging: rtl8192u: Fix bitwise vs logical operator in TranslateRxSignalStuff819xUsb() (git-fixes).
- staging: rtl8712: get rid of flush_scheduled_work (git-fixes).
- staging: rtl8723bs: Fix a resource leak in sd_int_dpc (git-fixes).
- staging: rtl8723bs: Fix a resource leak in sd_int_dpc (git-fixes).
- tracing / histogram: Fix NULL pointer dereference on strcmp() on NULL event name (git-fixes).
- tracing / histogram: Give calculation hist_fields a size (git-fixes).
- tracing: Reject string operand in the histogram expression (git-fixes).
- tty: serial: fsl_lpuart: fix the wrong mapbase value (git-fixes).
- ubifs: Fix error return code in alloc_wbufs() (bsc#1189585).
- ubifs: Fix memleak in ubifs_init_authentication (bsc#1189583).
- ubifs: Only check replay with inode type to judge if inode linked (bsc#1187455).
- ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode (bsc#1189587).
- ubifs: journal: Fix error return code in ubifs_jnl_write_inode() (bsc#1189586).
- usb: bdc: Fix an error handling path in 'bdc_probe()' when no suitable DMA config is available (git-fixes).
- usb: dwc3: Disable phy suspend after power-on reset (git-fixes).
- usb: dwc3: Separate field holding multiple properties (git-fixes).
- usb: dwc3: Stop active transfers before halting the controller (git-fixes).
- usb: dwc3: Use clk_bulk_prepare_enable() (git-fixes).
- usb: dwc3: Use devres to get clocks (git-fixes).
- usb: dwc3: core: do not do suspend for device mode if already suspended (git-fixes).
- usb: dwc3: debug: Remove newline printout (git-fixes).
- usb: dwc3: gadget: Check MPS of the request length (git-fixes).
- usb: dwc3: gadget: Clear DCTL.ULSTCHNGREQ before set (git-fixes).
- usb: dwc3: gadget: Clear DEP flags after stop transfers in ep disable (git-fixes).
- usb: dwc3: gadget: Disable gadget IRQ during pullup disable (git-fixes).
- usb: dwc3: gadget: Do not send unintended link state change (git-fixes).
- usb: dwc3: gadget: Do not setup more than requested (git-fixes).
- usb: dwc3: gadget: Fix dwc3_calc_trbs_left() (git-fixes).
- usb: dwc3: gadget: Fix handling ZLP (git-fixes).
- usb: dwc3: gadget: Give back staled requests (git-fixes).
- usb: dwc3: gadget: Handle ZLP for sg requests (git-fixes).
- usb: dwc3: gadget: Prevent EP queuing while stopping transfers (git-fixes).
- usb: dwc3: gadget: Properly track pending and queued SG (git-fixes).
- usb: dwc3: gadget: Restart DWC3 gadget when enabling pullup (git-fixes).
- usb: dwc3: gadget: Set BESL config parameter (git-fixes).
- usb: dwc3: gadget: Set link state to RX_Detect on disconnect (git-fixes).
- usb: dwc3: gadget: Stop EP0 transfers during pullup disable (git-fixes).
- usb: dwc3: gadget: Workaround Mirosoft's BESL check (git-fixes).
- usb: dwc3: meson-g12a: add IRQ check (git-fixes).
- usb: dwc3: meson-g12a: check return of dwc3_meson_g12a_usb_init (git-fixes).
- usb: dwc3: of-simple: add a shutdown (git-fixes).
- usb: dwc3: st: Add of_dev_put() in probe function (git-fixes).
- usb: dwc3: st: Add of_node_put() before return in probe function (git-fixes).
- usb: dwc3: support continuous runtime PM with dual role (git-fixes).
- usb: ehci-orion: Handle errors of clk_prepare_enable() in probe (git-fixes).
- usb: gadget: Export recommended BESL values (git-fixes).
- usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers (git-fixes).
- usb: gadget: f_hid: fixed NULL pointer dereference (git-fixes).
- usb: gadget: f_hid: idle uses the highest byte for duration (git-fixes).
- usb: gadget: mv_u3d: request_irq() after initializing UDC (git-fixes).
- usb: gadget: udc: at91: add IRQ check (git-fixes).
- usb: gadget: udc: renesas_usb3: Fix soc_device_match() abuse (git-fixes).
- usb: host: ohci-tmio: add IRQ check (git-fixes).
- usb: host: xhci-rcar: Do not reload firmware after the completion (git-fixes).
- usb: mtu3: fix the wrong HS mult value (git-fixes).
- usb: mtu3: use @mult for HS isoc or intr (git-fixes).
- usb: phy: fsl-usb: add IRQ check (git-fixes).
- usb: phy: tahvo: add IRQ check (git-fixes).
- usb: phy: twl6030: add IRQ checks (git-fixes).
- usr: Add support for zstd compressed initramfs (bsc#1187483, jsc#SLE-18766).
- virt_wifi: fix error on connect (git-fixes).
- wireguard: allowedips: allocate nodes in kmem_cache (git-fixes).
- wireguard: allowedips: free empty intermediate nodes when removing single node (git-fixes).
- wireguard: allowedips: remove nodes in O(1) (git-fixes).
- writeback: fix obtain a reference to a freeing memcg css (bsc#1189577).
- x86/fpu: Limit xstate copy size in xstateregs_set() (bsc#1152489).
- x86/fpu: Make init_fpstate correct with optimized XSAVE (bsc#1152489).
- x86/fpu: Reset state for all signal restore failures (bsc#1152489).
- x86/kvm: fix vcpu-id indexed array sizes (git-fixes).
- x86/sev: Make sure IRQs are disabled while GHCB is active (jsc#SLE-14337).
- x86/sev: Split up runtime #VC handler for correct state tracking (jsc#SLE-14337).
- x86/sev: Use 'SEV: ' prefix for messages from sev.c (jsc#SLE-14337).
- x86/signal: Detect and prevent an alternate signal stack overflow (bsc#1152489).
- x86/split_lock: Provide handle_guest_split_lock() (bsc#1187959).
- xen/events: Fix race in set_evtchn_to_irq (git-fixes).
- xprtrdma: Pad optimization, revisited (bsc#1189760).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3233-1
Released:    Mon Sep 27 15:02:21 2021
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    moderate
References:  1085917,1181299,1181306,1181309,1181535,1181536,1188651,1189552
This update for xfsprogs fixes the following issues:

- Fixes an issue when 'fstests' with 'xfs' fail. (bsc#1181309, bsc#1181299)
- xfsprogs: Split 'libhandle1' into a separate package, since nothing within xfsprogs dynamically links against it. The shared library is still required by xfsdump as a runtime dependency.
- mkfs.xfs: Fix 'ASSERT' on too-small device with stripe geometry. (bsc#1181536)
- mkfs.xfs: If either 'sunit' or 'swidth' is not zero, the other must be as well. (bsc#1085917, bsc#1181535)
- xfs_growfs: Refactor geometry reporting. (bsc#1181306)
- xfs_growfs: Allow mounted device node as argument. (bsc#1181299)
- xfs_repair: Rebuild directory when non-root leafn blocks claim block 0. (bsc#1181309)
- xfs_repair: Check plausibility of root dir pointer before trashing it. (bsc#1188651)
- xfs_bmap: Remove '-c' from manpage. (bsc#1189552)
- xfs_bmap: Do not reject '-e'. (bsc#1189552)
- Implement 'libhandle1' through ECO. (jsc#SLE-20360)



More information about the sle-security-updates mailing list