SUSE-IU-2022:479-1: Security update of suse-sles-15-sp3-chost-byos-v20220411-hvm-ssd-x86_64

sle-security-updates at sle-security-updates at
Tue Apr 12 07:03:02 UTC 2022

SUSE Image Update Advisory: suse-sles-15-sp3-chost-byos-v20220411-hvm-ssd-x86_64
Image Advisory ID : SUSE-IU-2022:479-1
Image Tags        : suse-sles-15-sp3-chost-byos-v20220411-hvm-ssd-x86_64:20220411
Image Release     : 
Severity          : important
Type              : security
References        : 1027519 1082318 1099272 1115529 1121227 1121230 1122004 1122021
                        1128846 1162964 1172113 1172427 1173277 1174075 1174911 1176447
                        1176774 1177460 1178134 1179060 1179439 1180689 1181147 1181826
                        1182959 1186819 1187906 1189028 1189923 1190315 1190926 1190943
                        1191096 1191428 1191668 1191794 1192273 1193204 1193446 1193531
                        1193731 1193732 1193787 1193864 1193868 1194220 1194229 1194267
                        1194463 1194516 1194561 1194642 1194642 1194883 1194943 1195051
                        1195149 1195211 1195254 1195258 1195353 1195403 1195468 1195612
                        1195614 1195656 1195792 1195797 1195856 1195897 1195905 1195939
                        1195949 1195987 1196025 1196079 1196093 1196095 1196130 1196132
                        1196155 1196275 1196282 1196299 1196301 1196406 1196433 1196468
                        1196472 1196488 1196627 1196723 1196779 1196784 1196830 1196836
                        1196866 1196868 1196915 1196956 1196959 1197004 1197024 1197069
                        1197135 1197297 1197459 1197788 CVE-2018-20573 CVE-2018-20574
                        CVE-2018-25032 CVE-2019-6285 CVE-2019-6292 CVE-2020-14367 CVE-2021-0920
                        CVE-2021-22570 CVE-2021-25220 CVE-2021-26401 CVE-2021-3572 CVE-2021-39657
                        CVE-2021-39698 CVE-2021-44879 CVE-2021-45402 CVE-2022-0001 CVE-2022-0002
                        CVE-2022-0487 CVE-2022-0617 CVE-2022-0644 CVE-2022-23036 CVE-2022-23037
                        CVE-2022-23038 CVE-2022-23039 CVE-2022-23040 CVE-2022-23041 CVE-2022-23042
                        CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25236 CVE-2022-25258
                        CVE-2022-25636 CVE-2022-26490 CVE-2022-26966 

The container suse-sles-15-sp3-chost-byos-v20220411-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

Advisory ID: SUSE-RU-2022:808-1
Released:    Fri Mar 11 06:07:58 2022
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1195468
This update for procps fixes the following issues:

- Stop registering signal handler for SIGURG, to avoid `ps` failure if
  someone sends such signal. Without the signal handler, SIGURG will
  just be ignored. (bsc#1195468)

Advisory ID: SUSE-RU-2022:833-1
Released:    Mon Mar 14 18:51:58 2022
Summary:     Recommended update for open-iscsi
Type:        recommended
Severity:    moderate
References:  1195656
This update for open-iscsi fixes the following issue:

- Update to latest upstream, including test cleanup, minor
  bug fixes (cosmetic), and fixing iscsi-init (bsc#1195656).

Advisory ID: SUSE-SU-2022:844-1
Released:    Tue Mar 15 11:33:57 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196784,CVE-2022-25236
This update for expat fixes the following issues:

- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

Advisory ID: SUSE-SU-2022:845-1
Released:    Tue Mar 15 11:40:52 2022
Summary:     Security update for chrony
Type:        security
Severity:    moderate
References:  1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367
This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

  * Add support for NTS servers specified by IP address (matching
    Subject Alternative Name in server certificate)
  * Add source-specific configuration of trusted certificates
  * Allow multiple files and directories with trusted certificates
  * Allow multiple pairs of server keys and certificates
  * Add copy option to server/pool directive
  * Increase PPS lock limit to 40% of pulse interval
  * Perform source selection immediately after loading dump files
  * Reload dump files for addresses negotiated by NTS-KE server
  * Update seccomp filter and add less restrictive level
  * Restart ongoing name resolution on online command
  * Fix dump files to not include uncorrected offset
  * Fix initstepslew to accept time from own NTP clients
  * Reset NTP address and port when no longer negotiated by NTS-KE

- Ensure the correct pool packages are installed for openSUSE
  and SLE (bsc#1180689).
- Fix pool package dependencies, so that SLE prefers chrony-pool-suse
  over chrony-pool-empty. (bsc#1194229)

- Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

  - Enhancements

    - Add support for Network Time Security (NTS) authentication
    - Add support for AES-CMAC keys (AES128, AES256) with Nettle
    - Add authselectmode directive to control selection of
      unauthenticated sources
    - Add binddevice, bindacqdevice, bindcmddevice directives
    - Add confdir directive to better support fragmented
    - Add sourcedir directive and 'reload sources' command to
      support dynamic NTP sources specified in files
    - Add clockprecision directive
    - Add dscp directive to set Differentiated Services Code Point
    - Add -L option to limit log messages by severity
    - Add -p option to print whole configuration with included
    - Add -U option to allow start under non-root user
    - Allow maxsamples to be set to 1 for faster update with -q/-Q
    - Avoid replacing NTP sources with sources that have
      unreachable address
    - Improve pools to repeat name resolution to get 'maxsources'
    - Improve source selection with trusted sources
    - Improve NTP loop test to prevent synchronisation to itself
    - Repeat iburst when NTP source is switched from offline state
      to online
    - Update clock synchronisation status and leap status more
    - Update seccomp filter
    - Add 'add pool' command
    - Add 'reset sources' command to drop all measurements
    - Add authdata command to print details about NTP
    - Add selectdata command to print details about source
    - Add -N option and sourcename command to print original names
      of sources
    - Add -a option to some commands to print also unresolved
    - Add -k, -p, -r options to clients command to select, limit,
      reset data

  - Bug fixes

    - Don’t set interface for NTP responses to allow asymmetric
    - Handle RTCs that don’t support interrupts
    - Respond to command requests with correct address on
      multihomed hosts
  - Removed features
    - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
    - Drop support for long (non-standard) MACs in NTPv4 packets
      (chrony 2.x clients using non-MD5/SHA1 keys need to use
      option 'version 3')
    - Drop support for line editing with GNU Readline

- By default we don't write log files but log to journald, so
  only recommend logrotate.

- Adjust and rename the sysconfig file, so that it matches the
  expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

  * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Use iburst in the default pool statements to speed up initial
  synchronisation (bsc#1172113).

Update to 3.5:

+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems

- Fix location of helper script in chrony-dnssrv at .service

- Read runtime servers from /var/run/netconfig/chrony.servers to
  fix bsc#1099272.
- Move chrony-helper to /usr/lib/chrony/helper, because there
  should be no executables in /usr/share.

Update to version 3.4

  * Enhancements

    + Add filter option to server/pool/peer directive
    + Add minsamples and maxsamples options to hwtimestamp directive
    + Add support for faster frequency adjustments in Linux 4.19
    + Change default pidfile to /var/run/chrony/ to allow chronyd 
      without root privileges to remove it on exit
    + Disable sub-second polling intervals for distant NTP sources
    + Extend range of supported sub-second polling intervals
    + Get/set IPv4 destination/source address of NTP packets on FreeBSD
    + Make burst options and command useful with short polling intervals
    + Modify auto_offline option to activate when sending request failed
    + Respond from interface that received NTP request if possible
    + Add onoffline command to switch between online and offline state 
      according to current system network configuration
    + Improve example NetworkManager dispatcher script

  * Bug fixes

    + Avoid waiting in Linux getrandom system call
    + Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

  * Enhancements:

    + Add burst option to server/pool directive
    + Add stratum and tai options to refclock directive
    + Add support for Nettle crypto library
    + Add workaround for missing kernel receive timestamps on Linux
    + Wait for late hardware transmit timestamps
    + Improve source selection with unreachable sources
    + Improve protection against replay attacks on symmetric mode
    + Allow PHC refclock to use socket in /var/run/chrony
    + Add shutdown command to stop chronyd
    + Simplify format of response to manual list command
    + Improve handling of unknown responses in chronyc

  * Bug fixes:

    + Respond to NTPv1 client requests with zero mode
    + Fix -x option to not require CAP_SYS_TIME under non-root user
    + Fix acquisitionport directive to work with privilege separation
    + Fix handling of socket errors on Linux to avoid high CPU usage
    + Fix chronyc to not get stuck in infinite loop after clock step
Advisory ID: SUSE-RU-2022:861-1
Released:    Tue Mar 15 23:30:48 2022
Summary:     Recommended update for openssl-1_1 
Type:        recommended
Severity:    moderate
References:  1182959,1195149,1195792,1195856
This update for openssl-1_1 fixes the following issues:


- Fix PAC pointer authentication in ARM (bsc#1195856)
- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
- FIPS: Fix function and reason error codes (bsc#1182959)
- Enable zlib compression support (bsc#1195149)

- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1


- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1


- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

Advisory ID: SUSE-RU-2022:874-1
Released:    Wed Mar 16 10:40:52 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1197004
This update for openldap2 fixes the following issue:

- Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)

Advisory ID: SUSE-RU-2022:884-1
Released:    Thu Mar 17 09:47:28 2022
Summary:     Recommended update for python-jsonschema, python-rfc3987, python-strict-rfc3339
Type:        recommended
Severity:    moderate
References:  1082318
This update for python-jsonschema, python-rfc3987, python-strict-rfc3339 fixes the following issues:

- Add patch to fix build with new webcolors.

- update to version 3.2.0 (jsc#SLE-18756):
  * Added a format_nongpl setuptools extra, which installs only format
    dependencies that are non-GPL (#619).

- specfile:
  * require python-importlib-metadata
- update to version 3.1.1:
  * Temporarily revert the switch to js-regex until #611 and #612 are
- changes from version 3.1.0:
  - Regular expressions throughout schemas now respect the ECMA 262
    dialect, as recommended by the specification (#609).

- Activate more of the test suite
- Remove tests and benchmarking from the runtime package
- Update to v3.0.2
  - Fixed a bug where 0 and False were considered equal by
    const and enum
- from v3.0.1
  - Fixed a bug where extending validators did not preserve their 
    notion of which validator property contains $id information.

- Update to 3.0.1:
  - Support for Draft 6 and Draft 7
  - Draft 7 is now the default
  - New TypeChecker object for more complex type definitions (and overrides)
  - Falling back to isodate for the date-time format checker is no longer attempted, in accordance with the specification

- Use %license instead of %doc (bsc#1082318)

- Remove hashbang from runtime module
- Replace PyPI URL with
- Activate doctests

- Add missing runtime dependency on timezone
- Replace dead link with GitHub URL
- Activate test suite

- Trim bias from descriptions.

- Initial commit, needed by flex
Advisory ID: SUSE-RU-2022:888-1
Released:    Thu Mar 17 10:56:42 2022
Summary:     Recommended update for avahi
Type:        recommended
Severity:    moderate
References:  1179060,1194561,1195614,1196282
This update for avahi fixes the following issues:

- Change python3-Twisted to a soft dependency. It is not available
  on SLED or PackageHub, and it is only needed by avahi-bookmarks
- Fix warning when Twisted is not available
- Have python3-avahi require python3-dbus-python, not the
  python 2 dbus-1-python package (bsc#1195614)
- Ensure that NetworkManager or wicked have already started before 
  initializing (bsc#1194561)
- Move sftp-ssh and ssh services to the doc directory. They allow
  a host's up/down status to be easily discovered and should not
  be enabled by default (bsc#1179060)

Advisory ID: SUSE-RU-2022:905-1
Released:    Mon Mar 21 08:46:09 2022
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    important
References:  1172427,1194642
This update for util-linux fixes the following issues:

- Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
- Make uuidd lock state file usable and time based UUIDs safer. (bsc#1194642)
- Fix `su -s` bash completion. (bsc#1172427)

Advisory ID: SUSE-RU-2022:936-1
Released:    Tue Mar 22 18:10:17 2022
Summary:     Recommended update for filesystem and systemd-rpm-macros
Type:        recommended
Severity:    moderate
References:  1196275,1196406
This update for filesystem and systemd-rpm-macros fixes the following issues:


- Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)


- Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

Advisory ID: SUSE-SU-2022:940-1
Released:    Wed Mar 23 10:41:16 2022
Summary:     Security update for xen
Type:        security
Severity:    important
References:  1027519,1191668,1194267,1196915,CVE-2021-26401,CVE-2022-0001,CVE-2022-0002
This update for xen fixes the following issues:

Update Xen to version 4.14.4 (bsc#1027519)

Transient execution side-channel attacks attacking the Branch History Buffer (BHB),
named 'Branch Target Injection' and 'Intra-Mode Branch History Injection' are now mitigated.

Security issues fixed:

- CVE-2022-0001, CVE-2022-0002, CVE-2021-26401: BHB speculation issues (bsc#1196915).

Non-security issues fixed:

- Fixed issue around xl and virsh operation - virsh list not giving any output (bsc#1191668).

Advisory ID: SUSE-SU-2022:942-1
Released:    Thu Mar 24 10:30:15 2022
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1186819,CVE-2021-3572
This update for python3 fixes the following issues:

- CVE-2021-3572: Fixed an improper handling of unicode characters in pip (bsc#1186819).

Advisory ID: SUSE-SU-2022:945-1
Released:    Thu Mar 24 12:53:37 2022
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1197135,CVE-2021-25220
This update for bind fixes the following issues:

- CVE-2021-25220: Fixed a DNS cache poisoning vulnerability due to loose
  caching rules (bsc#1197135).

Advisory ID: SUSE-RU-2022:948-1
Released:    Fri Mar 25 12:46:42 2022
Summary:     Recommended update for sudo
Type:        recommended
Severity:    moderate
References:  1193446
This update for sudo fixes the following issues:

- Fix user set timeout not being honored (bsc#1193446)

Advisory ID: SUSE-RU-2022:1028-1
Released:    Tue Mar 29 16:37:33 2022
Summary:     Recommended update for chrony
Type:        recommended
Severity:    moderate
References:  1194220
This update for chrony fixes the following issues:

- Disable 'ntsdumpdir' in default config, because augeas-lenses
  cannot parse it during installation of SUSE Linux Enterprise Micro 5.1
  and openSUSE Leap 15.3 (bsc#1194220).

Advisory ID: SUSE-SU-2022:1039-1
Released:    Wed Mar 30 09:38:11 2022
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1176447,1176774,1178134,1179439,1181147,1191428,1192273,1193731,1193787,1193864,1194463,1194516,1194943,1195051,1195211,1195254,1195353,1195403,1195612,1195897,1195905,1195939,1195949,1195987,1196079,1196095,1196130,1196132,1196155,1196299,1196301,1196433,1196468,1196472,1196488,1196627,1196723,1196779,1196830,1196836,1196866,1196868,1196956,1196959,CVE-2021-0920,CVE-2021-39657,CVE-2021-39698,CVE-2021-44879,CVE-2021-45402,CVE-2022-0487,CVE-2022-0617,CVE-2022-0644,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-24448,CVE-2022-24958,CVE-2022-24959,CVE-2022-25258,CVE-2022-25636,CVE-2022-26490,CVE-2022-26966
The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2022-25636: Fixed an issue which allowed a local users to gain privileges because of a heap out-of-bounds write in nf_dup_netdev.c, related to nf_tables_offload (bsc#1196299).
- CVE-2022-26490: Fixed a buffer overflow in the st21nfca driver. An attacker with adjacent NFC access could trigger crash the system or corrupt system memory (bsc#1196830).
- CVE-2022-0487: A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove() in drivers/memstick/host/rtsx_usb_ms.c (bsc#1194516).
- CVE-2022-24448: Fixed an issue if an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should have occured, but the server instead returned uninitialized data in the file descriptor (bsc#1195612).
- CVE-2022-0617: Fixed a null pointer dereference in UDF file system functionality. A local user could crash the system by triggering udf_file_write_iter() via a malicious UDF image. (bsc#1196079)
- CVE-2022-0644: Fixed a denial of service by a local user. A assertion failure could be triggered in kernel_read_file_from_fd(). (bsc#1196155)
- CVE-2022-25258: The USB Gadget subsystem lacked certain validation of interface OS descriptor requests, which could have lead to memory corruption (bsc#1196096).
- CVE-2022-24958: drivers/usb/gadget/legacy/inode.c mishandled dev->buf release (bsc#1195905).
- CVE-2022-24959: Fixed a memory leak in yam_siocdevprivate() in drivers/net/hamradio/yam.c (bsc#1195897).
- CVE-2021-44879: In gc_data_segment() in fs/f2fs/gc.c, special files were not considered, which lead to a move_data_page NULL pointer dereference (bsc#1195987).
- CVE-2021-0920: Fixed a local privilege escalation due to a use-after-free vulnerability in unix_scm_to_skb of af_unix (bsc#1193731).
- CVE-2021-39657: Fixed an information leak in the Universal Flash Storage subsystem (bsc#1193864).
- CVE-2022-26966: Fixed an issue in drivers/net/usb/sr9700.c, which allowed attackers to obtain sensitive information from heap memory via crafted frame lengths from a device (bsc#1196836).
- CVE-2021-39698: Fixed a possible memory corruption due to a use after free in aio_poll_complete_work. This could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1196956)
- CVE-2021-45402: The check_alu_op function in kernel/bpf/verifier.c did not properly update bounds while handling the mov32 instruction, which allowed local users to obtain potentially sensitive address information (bsc#1196130).
- CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042: Fixed multiple issues which could have lead to read/write access to memory pages or denial of service. These issues are related to the Xen PV device frontend drivers. (bsc#1196488)

The following non-security bugs were fixed:

- ALSA: intel_hdmi: Fix reference to PCM buffer address (git-fixes).
- ARM: 9182/1: mmu: fix returns from early_param() and __setup() functions (git-fixes).
- ARM: Fix kgdb breakpoint for Thumb2 (git-fixes).
- ASoC: cs4265: Fix the duplicated control name (git-fixes).
- ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min (git-fixes).
- ASoC: rt5668: do not block workqueue if card is unbound (git-fixes).
- ASoC: rt5682: do not block workqueue if card is unbound (git-fixes).
- Bluetooth: btusb: Add missing Chicony device for Realtek RTL8723BE (bsc#1196779).
- EDAC/altera: Fix deferred probing (bsc#1178134).
- EDAC: Fix calculation of returned address and next offset in edac_align_ptr() (bsc#1178134).
- HID: add mapping for KEY_ALL_APPLICATIONS (git-fixes).
- HID: add mapping for KEY_DICTATE (git-fixes).
- Hand over the maintainership to SLE15-SP3 maintainers
- IB/hfi1: Correct guard on eager buffer deallocation (git-fixes).
- IB/hfi1: Fix early init panic (git-fixes).
- IB/hfi1: Fix leak of rcvhdrtail_dummy_kvaddr (git-fixes).
- IB/hfi1: Insure use of smp_processor_id() is preempt disabled (git-fixes).
- IB/rdmavt: Validate remote_addr during loopback atomic tests (git-fixes).
- Input: clear BTN_RIGHT/MIDDLE on buttonpads (git-fixes).
- Input: elan_i2c - fix regulator enable count imbalance after suspend/resume (git-fixes).
- Input: elan_i2c - move regulator_[en|dis]able() out of elan_[en|dis]able_power() (git-fixes).
- NFC: port100: fix use-after-free in port100_send_complete (git-fixes).
- RDMA/bnxt_re: Scan the whole bitmap when checking if 'disabling RCFW with pending cmd-bit' (git-fixes).
- RDMA/cma: Do not change route.addr.src_addr outside state checks (bsc#1181147).
- RDMA/cma: Let cma_resolve_ib_dev() continue search even after empty entry (git-fixes).
- RDMA/cma: Remove open coding of overflow checking for private_data_len (git-fixes).
- RDMA/core: Do not infoleak GRH fields (git-fixes).
- RDMA/core: Let ib_find_gid() continue search even after empty entry (git-fixes).
- RDMA/cxgb4: Set queue pair state when being queried (git-fixes).
- RDMA/hns: Validate the pkey index (git-fixes).
- RDMA/ib_srp: Fix a deadlock (git-fixes).
- RDMA/mlx4: Do not continue event handler after memory allocation failure (git-fixes).
- RDMA/rtrs-clt: Fix possible double free in error case (jsc#SLE-15176).
- RDMA/rxe: Fix a typo in opcode name (git-fixes).
- RDMA/siw: Fix broken RDMA Read Fence/Resume logic (git-fixes).
- RDMA/uverbs: Check for null return of kmalloc_array (git-fixes).
- RDMA/uverbs: Remove the unnecessary assignment (git-fixes).
- Revert 'USB: serial: ch341: add new Product ID for CH341A' (git-fixes).
- SUNRPC: avoid race between mod_timer() and del_timer_sync() (bnc#1195403).
- USB: gadget: validate endpoint index for xilinx udc (git-fixes).
- USB: gadget: validate interface OS descriptor requests (git-fixes).
- USB: hub: Clean up use of port initialization schemes and retries (git-fixes).
- USB: serial: option: add Telit LE910R1 compositions (git-fixes).
- USB: serial: option: add support for DW5829e (git-fixes).
- USB: zaurus: support another broken Zaurus (git-fixes).
- arm64: dts: rockchip: Switch RK3399-Gru DP to SPDIF output (git-fixes).
- asix: fix uninit-value in asix_mdio_read() (git-fixes).
- ata: pata_hpt37x: disable primary channel on HPT371 (git-fixes).
- ax25: Fix NULL pointer dereference in ax25_kill_by_device (git-fixes).
- batman-adv: Do not expect inter-netns unique iflink indices (git-fixes).
- batman-adv: Request iflink once in batadv-on-batadv check (git-fixes).
- batman-adv: Request iflink once in batadv_get_real_netdevice (git-fixes).
- blk-mq: do not free tags if the tag_set is used by other device in queue initialztion (bsc#1193787).
- bnxt_en: Fix active FEC reporting to ethtool (jsc#SLE-16649).
- bnxt_en: Fix incorrect multicast rx mask setting when not requested (git-fixes).
- bnxt_en: Fix occasional ethtool -t loopback test failures (git-fixes).
- bnxt_en: Fix offline ethtool selftest with RDMA enabled (git-fixes).
- bonding: force carrier update when releasing slave (git-fixes).
- build initrd without systemd This reduces the size of the initrd by over 25%, which improves startup time of the virtual machine by 0.5-0.6s on very fast machines, more on slower ones.
- can: gs_usb: change active_channels's type from atomic_t to u8 (git-fixes).
- cgroup-v1: Correct privileges check in release_agent writes (bsc#1196723).
- cgroup/cpuset: Fix 'suspicious RCU usage' lockdep warning (bsc#1196868).
- clk: jz4725b: fix mmc0 clock gating (git-fixes).
- constraints: Also adjust disk requirement for x86 and s390.
- constraints: Increase disk space for aarch64
- cpufreq: schedutil: Use kobject release() method to free (git-fixes)
- cpuset: Fix the bug that subpart_cpus updated wrongly in update_cpumask() (bsc#1196866).
- cputime, cpuacct: Include guest time in user time in (git-fixes)
- dma-direct: Fix potential NULL pointer dereference (bsc#1196472 ltc#192278).
- dma-mapping: Allow mixing bypass and mapped DMA operation (bsc#1196472 ltc#192278).
- dmaengine: shdma: Fix runtime PM imbalance on error (git-fixes).
- drm/amdgpu: disable MMHUB PG for Picasso (git-fixes).
- drm/edid: Always set RGB444 (git-fixes).
- drm/i915/dg1: Wait for pcode/uncore handshake at startup (bsc#1195211).
- drm/i915/gen11+: Only load DRAM information from pcode (bsc#1195211).
- drm/i915: Nuke not needed members of dram_info (bsc#1195211).
- drm/i915: Remove memory frequency calculation (bsc#1195211).
- drm/i915: Rename is_16gb_dimm to wm_lv_0_adjust_needed (bsc#1195211).
- drm/sun4i: mixer: Fix P010 and P210 format numbers (git-fixes).
- efivars: Respect 'block' flag in efivar_entry_set_safe() (git-fixes).
- exfat: fix i_blocks for files truncated over 4 GiB (git-fixes).
- exfat: fix incorrect loading of i_blocks for large files (git-fixes).
- firmware: arm_scmi: Remove space in MODULE_ALIAS name (git-fixes).
- fix rpm build warning tumbleweed rpm is adding these warnings to the log: It's not recommended to have unversioned Obsoletes: Obsoletes:   microcode_ctl
- gianfar: ethtool: Fix refcount leak in gfar_get_ts_info (git-fixes).
- gpio: rockchip: Reset int_bothedge when changing trigger (git-fixes).
- gpio: tegra186: Fix chip_data type confusion (git-fixes).
- gpio: ts4900: Do not set DAT and OE together (git-fixes).
- gpiolib: acpi: Convert ACPI value of debounce to microseconds (git-fixes).
- gtp: remove useless rcu_read_lock() (git-fixes).
- hamradio: fix macro redefine warning (git-fixes).
- i2c: bcm2835: Avoid clock stretching timeouts (git-fixes).
- iavf: Fix missing check for running netdev (git-fixes).
- ice: initialize local variable 'tlv' (jsc#SLE-12878).
- igc: igc_read_phy_reg_gpy: drop premature return (git-fixes).
- igc: igc_write_phy_reg_gpy: drop premature return (git-fixes).
- iio: Fix error handling for PM (git-fixes).
- iio: adc: ad7124: fix mask used for setting AIN_BUFP & AIN_BUFM bits (git-fixes).
- iio: adc: men_z188_adc: Fix a resource leak in an error handling path (git-fixes).
- ixgbe: xsk: change !netif_carrier_ok() handling in ixgbe_xmit_zc() (git-fixes).
- Move 20-kernel-default-extra.conf to the correctr directory (bsc#1195051).
- kernel-binary.spec: Also exclude the kernel signing key from devel package. There is a check in OBS that fails when it is included. Also the key is not reproducible. Fixes: bb988d4625a3 ('kernel-binary: Do not include sourcedir in certificate path.')
- kernel-binary.spec: Do not use the default certificate path (bsc#1194943). Using the the default path is broken since Linux 5.17
- kernel-binary: Do not include sourcedir in certificate path. The certs macro runs before build directory is set up so it creates the aggregate of supplied certificates in the source directory. Using this file directly as the certificate in kernel config works but embeds the source directory path in the kernel config. To avoid this symlink the certificate to the build directory and use relative path to refer to it. Also fabricate a certificate in the same location in build directory when none is provided.
- kernel-obs-build: include 9p (boo#1195353) To be able to share files between host and the qemu vm of the build script, the 9p and 9p_virtio kernel modules need to be included in the initrd of kernel-obs-build.
- mac80211: fix forwarded mesh frames AC & queue selection (git-fixes).
- mac80211_hwsim: initialize ieee80211_tx_info at hw_scan_work (git-fixes).
- mac80211_hwsim: report NOACK frames in tx_status (git-fixes).
- mask out added spinlock in rndis_params (git-fixes).
- mmc: meson: Fix usage of meson_mmc_post_req() (git-fixes).
- net/mlx5: Fix possible deadlock on rule deletion (git-fixes).
- net/mlx5: Fix wrong limitation of metadata match on ecpf (git-fixes).
- net/mlx5: Update the list of the PCI supported devices (git-fixes).
- net/mlx5: Update the list of the PCI supported devices (git-fixes).
- net/mlx5e: Fix modify header actions memory leak (git-fixes).
- net/mlx5e: Fix page DMA map/unmap attributes (bsc#1196468).
- net/mlx5e: Fix wrong return value on ioctl EEPROM query failure (git-fixes).
- net/mlx5e: TC, Reject rules with drop and modify hdr action (git-fixes).
- net/mlx5e: TC, Reject rules with forward and drop actions (git-fixes).
- net/mlx5e: kTLS, Use CHECKSUM_UNNECESSARY for device-offloaded packets (jsc#SLE-15172).
- net/sched: act_ct: Fix flow table lookup after ct clear or switching zones (jsc#SLE-15172).
- net: dsa: mv88e6xxx: MV88E6097 does not support jumbo configuration (git-fixes).
- net: ethernet: ti: cpsw: disable PTPv1 hw timestamping advertisement (git-fixes).
- net: fix up skbs delta_truesize in UDP GRO frag_list (bsc#1176447).
- net: hns3: Clear the CMDQ registers before unmapping BAR region (git-fixes).
- net: phy: DP83822: clear MISR2 register to disable interrupts (git-fixes).
- net: sfc: Replace in_interrupt() usage (git-fixes).
- net: tipc: validate domain record count on input (bsc#1195254).
- net: usb: cdc_mbim: avoid altsetting toggling for Telit FN990 (git-fixes).
- netfilter: nf_tables: fix memory leak during stateful obj update (bsc#1176447).
- netsec: ignore 'phy-mode' device property on ACPI systems (git-fixes).
- nfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac() (git-fixes).
- nl80211: Handle nla_memdup failures in handle_nan_filter (git-fixes).
- ntb: intel: fix port config status offset for SPR (git-fixes).
- nvme-multipath: use vmalloc for ANA log buffer (bsc#1193787).
- nvme-rdma: fix possible use-after-free in transport error_recovery work (git-fixes).
- nvme-tcp: fix possible use-after-free in transport error_recovery work (git-fixes).
- nvme: fix a possible use-after-free in controller reset during load (git-fixes).
- powerpc/dma: Fallback to dma_ops when persistent memory present (bsc#1196472 ltc#192278). Update config files.
- powerpc/fadump: register for fadump as early as possible (bsc#1179439 ltc#190038).
- powerpc/mm: Remove dcache flush from memory remove (bsc#1196433 ltc#196449).
- powerpc/powernv/memtrace: Fix dcache flushing (bsc#1196433 ltc#196449).
- powerpc/pseries/iommu: Fix window size for direct mapping with pmem (bsc#1196472 ltc#192278).
- rpm/* Use https:// urls
- rpm/arch-symbols,guards,*driver: Replace Novell with SUSE.
- rpm/check-for-config-changes: Ignore PAHOLE_VERSION.
- rpm/ use %%license for license declarations Limited to SLE15+ to avoid compatibility nightmares.
- rpm/ call fdupes per subpackage It is a waste of time to do a global fdupes when we have subpackages.
- rpm: SC2006: Use $(...) notation instead of legacy backticked `...`.
- sched/core: Mitigate race (git-fixes)
- scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put() (git-fixes).
- scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe (git-fixes).
- scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write() (git-fixes).
- scsi: nsp_cs: Check of ioremap return value (git-fixes).
- scsi: qedf: Fix potential dereference of NULL pointer (git-fixes).
- scsi: smartpqi: Add PCI IDs (bsc#1196627).
- scsi: ufs: Fix race conditions related to driver data (git-fixes).
- selftests: mlxsw: tc_police_scale: Make test more robust (bsc#1176774).
- soc: fsl: Correct MAINTAINERS database (QUICC ENGINE LIBRARY) (git-fixes).
- soc: fsl: Correct MAINTAINERS database (SOC) (git-fixes).
- soc: fsl: qe: Check of ioremap return value (git-fixes).
- spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op() (git-fixes).
- sr9700: sanity check for packet length (bsc#1196836).
- staging: gdm724x: fix use after free in gdm_lte_rx() (git-fixes).
- tracing: Fix return value of __setup handlers (git-fixes).
- tty: n_gsm: fix encoding of control signal octet bit DV (git-fixes).
- tty: n_gsm: fix proper link termination after failed open (git-fixes).
- usb: dwc2: Fix Stalling a Non-Isochronous OUT EP (git-fixes).
- usb: dwc2: gadget: Fix GOUTNAK flow for Slave mode (git-fixes).
- usb: dwc2: gadget: Fix kill_all_requests race (git-fixes).
- usb: dwc2: use well defined macros for power_down (git-fixes).
- usb: dwc3: gadget: Let the interrupt handler disable bottom halves (git-fixes).
- usb: dwc3: meson-g12a: Disable the regulator in the error handling path of the probe (git-fixes).
- usb: dwc3: pci: Fix Bay Trail phy GPIO mappings (git-fixes).
- usb: gadget: rndis: add spinlock for rndis response list (git-fixes).
- usb: host: xen-hcd: add missing unlock in error path (git-fixes).
- usb: hub: Fix locking issues with address0_mutex (git-fixes).
- usb: hub: Fix usb enumeration issue due to address0 race (git-fixes).
- vrf: Fix fast path output packet handling with async Netfilter rules (git-fixes).
- xen/usb: do not use gnttab_end_foreign_access() in xenhcd_gnttab_done() (bsc#1196488, XSA-396).
- xhci: Prevent futile URB re-submissions due to incorrect return value (git-fixes).
- xhci: re-initialize the HC during resume if HCE was set (git-fixes).

Advisory ID: SUSE-SU-2022:1040-1
Released:    Wed Mar 30 09:40:58 2022
Summary:     Security update for protobuf
Type:        security
Severity:    moderate
References:  1195258,CVE-2021-22570
This update for protobuf fixes the following issues:

- CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).

Advisory ID: SUSE-RU-2022:1047-1
Released:    Wed Mar 30 16:20:56 2022
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1196093,1197024
This update for pam fixes the following issues:

- Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
- Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. 
  This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

Advisory ID: SUSE-SU-2022:1061-1
Released:    Wed Mar 30 18:27:06 2022
Summary:     Security update for zlib
Type:        security
Severity:    important
References:  1197459,CVE-2018-25032
This update for zlib fixes the following issues:

- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

Advisory ID: SUSE-SU-2022:1073-1
Released:    Fri Apr  1 11:45:01 2022
Summary:     Security update for yaml-cpp
Type:        security
Severity:    moderate
References:  1121227,1121230,1122004,1122021,CVE-2018-20573,CVE-2018-20574,CVE-2019-6285,CVE-2019-6292
This update for yaml-cpp fixes the following issues:

- CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227).
- CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230).
- CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).
- CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).

Advisory ID: SUSE-RU-2022:1074-1
Released:    Fri Apr  1 13:27:00 2022
Summary:     Recommended update for cloud-init
Type:        recommended
Severity:    moderate
References:  1193531
This update for cloud-init contains the following fixes:

- Enable broader systemctl location. (bsc#1193531)

- Remove unneeded BuildRequires on python3-nose.

Advisory ID: SUSE-RU-2022:1099-1
Released:    Mon Apr  4 12:53:05 2022
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1194883
This update for aaa_base fixes the following issues:

- Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)
- Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8
  multi byte characters as well as support the vi mode of readline library

Advisory ID: SUSE-RU-2022:1107-1
Released:    Mon Apr  4 17:49:17 2022
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1194642
This update for util-linux fixes the following issue:

- Improve throughput and reduce clock sequence increments for high load situation with time based 
  version 1 uuids. (bsc#1194642)

Advisory ID: SUSE-RU-2022:1118-1
Released:    Tue Apr  5 18:34:06 2022
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

- timezone update 2022a (bsc#1177460):
  * Palestine will spring forward on 2022-03-27, not on 03-26
  * `zdump -v` now outputs better failure indications
  * Bug fixes for code that reads corrupted TZif data

Advisory ID: SUSE-RU-2022:1119-1
Released:    Wed Apr  6 09:16:06 2022
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    moderate
References:  1189028,1190315,1190943,1191096,1191794,1193204,1193732,1193868,1195797
This update for supportutils fixes the following issues:

- Add command `blkid`
- Add email.txt based on OPTION_EMAIL (bsc#1189028)
- Add rpcinfo -p output #116
- Add s390x specific files and output
- Add shared memory as a log directory for emergency use (bsc#1190943)
- Fix cron package for RPM validation (bsc#1190315)
- Fix for invalid argument during updates (bsc#1193204)
- Fix iscsi initiator name (bsc#1195797)
- Improve `lsblk` readability with `--ascsi` option
- Include 'multipath -t' output in mpio.txt
- Include /etc/sssd/conf.d configuration files
- Include udev rules in /lib/udev/rules.d/
- Made /proc directory and network names spaces configurable (bsc#1193868)
- Prepare future installation of binaries to /usr/sbin instead of /sbin. This does not affect 
  SUSE Linux Enterprise 15 Serivce Pack 3 and 4 (bsc#1191096)
- Move localmessage/warm logs out of messages.txt to new localwarn.txt
- Optimize configuration files
- Remove chronyc DNS lookups with -n switch (bsc#1193732)
- Remove duplicate commands in network.txt
- Remove duplicate firewalld status output
- getappcore identifies compressed core files (bsc#1191794)

Advisory ID: SUSE-RU-2022:1126-1
Released:    Thu Apr  7 14:05:02 2022
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1197297,1197788
This update for nfs-utils fixes the following issues:

- Ensure `sloppy` is added correctly for newer kernels. (bsc#1197297)
  * This is required for kernels since 5.6 (like in SUSE Linux Enterprise 15 SP4), and it's safe for all kernels.
- Fix the source build with new `glibc` like in SUSE Linux Enterprise 15 SP4. (bsc#1197788)

Advisory ID: SUSE-RU-2022:1132-1
Released:    Fri Apr  8 13:11:16 2022
Summary:     Recommended update for kdump
Type:        recommended
Severity:    moderate
References:  1189923,1197069
This update for kdump fixes the following issues:

- Fix return code when no watchdog sysfs entry is found (bsc#1197069)
- Add watchdog modules to kdump initrd to ensure kernel crash dumps are properly collected
  before a machine is rebooted by a watchdog (bsc#1189923)

The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-3.57.1 updated
- bind-utils-9.16.6-150300.22.16.1 updated
- chrony-pool-suse-4.1-150300.16.9.1 updated
- chrony-4.1-150300.16.9.1 updated
- cloud-init-config-suse-21.2-8.54.2 updated
- cloud-init-21.2-8.54.2 updated
- filesystem-15.0-11.8.1 updated
- glibc-locale-base-2.31-150300.20.7 updated
- glibc-locale-2.31-150300.20.7 updated
- glibc-2.31-150300.20.7 updated
- kdump-0.9.0-150300.18.8.1 updated
- kernel-default-5.3.18-150300.59.60.4 updated
- libaugeas0-1.10.1-3.9.1 updated
- libavahi-client3-0.7-3.18.1 updated
- libavahi-common3-0.7-3.18.1 updated
- libbind9-1600-9.16.6-150300.22.16.1 updated
- libblkid1-2.36.2-150300.4.20.1 updated
- libcrypt1-4.4.15-150300.4.2.41 updated
- libdns1605-9.16.6-150300.22.16.1 updated
- libexpat1-2.2.5-3.19.1 updated
- libfdisk1-2.36.2-150300.4.20.1 updated
- libirs1601-9.16.6-150300.22.16.1 updated
- libisc1606-9.16.6-150300.22.16.1 updated
- libisccc1600-9.16.6-150300.22.16.1 updated
- libisccfg1600-9.16.6-150300.22.16.1 updated
- libldap-2_4-2-2.4.46-9.64.1 updated
- libldap-data-2.4.46-9.64.1 updated
- libmount1-2.36.2-150300.4.20.1 updated
- libns1604-9.16.6-150300.22.16.1 updated
- libopeniscsiusr0_2_0-2.1.6-150300.32.15.1 updated
- libopenssl1_1-1.1.1d-11.43.1 updated
- libprocps7-3.3.15-7.22.1 updated
- libprotobuf-lite20-3.9.2-4.12.1 updated
- libpython3_6m1_0-3.6.15-150300.10.21.1 updated
- libsmartcols1-2.36.2-150300.4.20.1 updated
- libuuid1-2.36.2-150300.4.20.1 updated
- libyaml-cpp0_6-0.6.1-4.5.1 updated
- libz1-1.2.11-150000.3.30.1 updated
- nfs-client-2.1.1-150100.10.24.1 updated
- open-iscsi-2.1.6-150300.32.15.1 updated
- openssl-1_1-1.1.1d-11.43.1 updated
- pam-1.3.0-150000.6.55.3 updated
- procps-3.3.15-7.22.1 updated
- python3-attrs-19.3.0-3.4.1 added
- python3-base-3.6.15-150300.10.21.1 updated
- python3-bind-9.16.6-150300.22.16.1 updated
- python3-importlib-metadata-1.5.0-3.3.5 added
- python3-jsonschema-3.2.0-9.3.1 updated
- python3-more-itertools-4.2.0-3.2.3 added
- python3-pyrsistent-0.14.4-3.2.1 added
- python3-six-1.14.0-12.1 updated
- python3-zipp-0.6.0-3.3.5 added
- python3-3.6.15-150300.10.21.1 updated
- sudo-1.9.5p2-150300.3.6.1 updated
- supportutils-3.1.20-150300. updated
- timezone-2022a-150000.75.7.1 updated
- util-linux-systemd-2.36.2-150300.4.20.1 updated
- util-linux-2.36.2-150300.4.20.1 updated
- xen-libs-4.14.4_02-150300.3.21.1 updated
- xen-tools-domU-4.14.4_02-150300.3.21.1 updated
- libfreebl3-3.68.2-3.64.2 removed

More information about the sle-security-updates mailing list