SUSE-IU-2022:282-1: Security update of sles-15-sp3-chost-byos-v20220222

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Mon Feb 28 07:32:23 UTC 2022


SUSE Image Update Advisory: sles-15-sp3-chost-byos-v20220222
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2022:282-1
Image Tags        : sles-15-sp3-chost-byos-v20220222:20220222
Image Release     : 
Severity          : critical
Type              : security
References        : 1057592 1102408 1139519 1154353 1154488 1156395 1156920 1159205
                        1160634 1160654 1176447 1177599 1178357 1181163 1181812 1182227
                        1183405 1183407 1183495 1183572 1183574 1185377 1186506 1187428
                        1187723 1188019 1188571 1188605 1189152 1189560 1190395 1191015
                        1191057 1191121 1191227 1191334 1191434 1191532 1191826 1191881
                        1192164 1192311 1192353 1192637 1192652 1192653 1192684 1192685
                        1193007 1193086 1193096 1193257 1193258 1193273 1193488 1193506
                        1193690 1193767 1193802 1193861 1193864 1193867 1194048 1194178
                        1194227 1194265 1194291 1194392 1194522 1194576 1194581 1194588
                        1194597 1194640 1194661 1194716 1194768 1194770 1194785 1194859
                        1194880 1194898 1194968 1195009 1195048 1195054 1195062 1195065
                        1195073 1195142 1195183 1195184 1195217 1195254 1195267 1195293
                        1195371 1195476 1195477 1195478 1195479 1195480 1195481 1195482
                        954813 CVE-2020-27840 CVE-2020-28097 CVE-2021-20277 CVE-2021-20316
                        CVE-2021-22600 CVE-2021-36222 CVE-2021-39648 CVE-2021-39657 CVE-2021-39685
                        CVE-2021-3997 CVE-2021-3999 CVE-2021-41089 CVE-2021-41091 CVE-2021-41092
                        CVE-2021-41103 CVE-2021-41190 CVE-2021-43566 CVE-2021-44141 CVE-2021-44142
                        CVE-2021-44733 CVE-2021-45095 CVE-2022-0286 CVE-2022-0330 CVE-2022-0336
                        CVE-2022-0435 CVE-2022-22942 CVE-2022-23033 CVE-2022-23034 CVE-2022-23035
                        CVE-2022-23218 CVE-2022-23219 CVE-2022-23852 CVE-2022-23990 
-----------------------------------------------------------------

The container sles-15-sp3-chost-byos-v20220222 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:207-1
Released:    Thu Jan 27 09:24:49 2022
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  
This update for glibc fixes the following issues:

- Add support for livepatches on x86_64 for SUSE Linux Enterprise 15 SP4 (jsc#SLE-20049).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:228-1
Released:    Mon Jan 31 06:07:52 2022
Summary:     Recommended update for boost
Type:        recommended
Severity:    moderate
References:  1194522
This update for boost fixes the following issues:

- Fix compilation errors (bsc#1194522)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:273-1
Released:    Tue Feb  1 14:15:21 2022
Summary:     Recommended update for google-guest-agent, google-guest-configs, google-guest-oslogin, google-osconfig-agent
Type:        recommended
Severity:    important
References:  1102408,1192652,1192653,1193257,1193258
This update for google-guest-agent, google-guest-configs, google-guest-oslogin, google-osconfig-agent contains the following fixes:

Changes in google-guest-agent:
- Update to version 20211116.00 (bsc#1193257, bsc#1193258)
  * dont duplicate logs (#146)
  * Add WantedBy network dependencies to google-guest-agent service (#136)
  * dont try dhcpv6 when not needed (#145)
  * Integration tests: instance setup (#143)
  * Integration test: test create and remove google user (#128)
  * handle comm errors in script runner (#140)
  * enforce script ordering (#138)
  * enable ipv6 on secondary interfaces (#133)
- from version 20211103.00
  * Integration tests: instance setup (#143)
- from version 20211027.00
  * Integration test: test create and remove google user (#128)

- Update to version 20211019.00
  * handle comm errors in script runner (#140)
- from version 20211015.00
  * enforce script ordering (#138)
- from version 20211014.00
  * enable ipv6 on secondary interfaces (#133)
- from version 20211013.00
  * dont open ssh tempfile exclusively (#137)
- from version 20211011.00
  * correct linux startup script order (#135)
  * Emit sshable attribute (#123)
- from version 20210908.1
  * restore line (#127)
- from version 20210908.00
  * New integ test (#124)
- from version 20210901.00
  * support enable-oslogin-sk key (#120)
  * match script logging to guest agent (#125)
- from version 20210804.00
  * Debug logging (#122)
- Refresh patches for new version
  * dont_overwrite_ifcfg.patch

- Build with go1.15 for reproducible build results (bsc#1102408)

- Update to version 20210707.00
  * Use IP address for calling the metadata server. (#116)
- from version 20210629.00
  * use IP for MDS (#115)

- Update to version 20210603.00
  * systemd-notify in agentInit (#113)
  * dont check status (#112)
- from version 20210524.00
  * more granular service restarts (#111)
- from version 20210414.00
  * (no functional changes)

Changes in google-guest-configs:
- Add missing pkg-config dependency to BuildRequires for SLE-12

- Install modprobe configuration files into /etc again on SLE-15-SP2 and
  older since that's stil the default location on these distributions
- Probe udev directory using the 'udevdir' pkg-config variable on SLE-15-SP2
  and older since the variable got renamed to 'udev_dir' in later versions
- Remove redundant pkgconfig(udev) from BuildRequires for SLE-12

- Update to version 20211116.00 (bsc#1193257, bsc#1193258)
  * GCE supports up to 24 NVMe local SSDs, but the regex in the PROGRAM field
    only looks for the last digit of the given string causing issues when there
    are >= 10  local SSDs. Changed REGEX to get the last number of the string
    instead to support the up to 24 local SSDs. (#30)
  * chmod+x google_nvme_id on EL (#31)
- Fix duplicate installation of google_optimize_local_ssd and google_set_multiqueue
- Install google_nvme_id into /usr/lib/udev (bsc#1192652, bsc#1192653)

- Update to version 20210916.00
  * Revert 'dont set IP in etc/hosts; remove rsyslog (#26)' (#28)
- from version 20210831.00
  * restore rsyslog (#27)
- from version 20210830.00
  * Fix NVMe partition names (#25)
- from version 20210824.00
  * dont set IP in etc/hosts; remove rsyslog (#26)
  * update OWNERS

- Use %_modprobedir for modprobe.d files (out of /etc)
- Use %_sysctldir for sysctl.d files (out of /etc)

- Update to version 20210702.00
  * use grep for hostname check (#23)
- from version 20210629.00
  * address set_hostname vuln (#22)
- from version 20210324.00
  * dracut.conf wants spaces around values (#19)

Changes in google-guest-oslogin:
- Update to version 20211013.00 (bsc#1193257, bsc#1193258)
  * remove deprecated binary (#79)
- from version 20211001.00
  * no message if no groups (#78)
- from version 20210907.00
  * use sigaction for signals (#76)
- from version 20210906.00
  * include cstdlib for exit (#75)
  * catch SIGPIPE in authorized_keys (#73)
- from version 20210805.00
  * fix double free in ParseJsonToKey (#70)
- from version 20210804.00
  * fix packaging for authorized_keys_sk (#68)
  * add authorized_keys_sk (#66)
- Add google_authorized_keys_sk to %files section
- Remove google_oslogin_control from %files section

Changes in google-osconfig-agent:
- Update to version 20211117.00 (bsc#1193257, bsc#1193258)
  * Add retry logic for RegisterAgent (#404)
- from version 20211111.01
  * e2e_test: drop ubuntu 1604 image as its EOL (#403)
- from version 20211111.00
  * e2e_test: move to V1 api for OSPolicies (#397)
- from version 20211102.00
  * Fix context logging and fix label names (#400)
- from version 20211028.00
  * Add cloudops example for gcloud (#399)

- Update to version 20211021.00
  * Added patch report logging for Zypper. (#395)
- from version 20211012.00
  * Replace deprecated instance filters with the new filters (#394)
- from version 20211006.00
  * Added patch report log messages for Yum and Apt (#392)
- from version 20210930.00
  * Config: Add package info caching (#391)
- from version 20210928.00
  * Fixed the runWithPty function to set ctty to child's filedesc (#389)
- from version 20210927.00
  * e2e_tests: fix a test output mismatch (#390)
- from version 20210924.00
  * Fix some e2e test failures (#388)
- from version 20210923.02
  * Correctly check for folder existance in package upgrade (#387)
- from version 20210923.01
  * ReportInventory: Fix bug in deb/rpm inventory, reduce calls to append (#386)
- from version 20210923.00
  * Deprecate old config directory in favor of new cache directory (#385)
- from version 20210922.02
  * Fix rpm/deb package formating for inventory reporting (#384)
- from version 20210922.01
  * Add centos stream rocky linux and available package tests (#383)
- from version 20210922.00
  * Add more info logs, actually cleanup unmanaged repos (#382)
- from version 20210901.00
  * Add E2E tests for Windows Application (#379)
  * Return lower-case package name (#377)
  * Update Terraform scripts for multi-project deployments tutorial. (#378)
- from version 20210811.00
  * Support Windows Application Inventory (#371)
- from version 20210723.00
  * Send basic inventory with RegisterAgent (#373)
- from version 20210722.1
  * e2e_tests: move to manually generated osconfig library (#372)
- from version 20210722.00
  * Create OWNERS file for examples directory (#368)
- from version 20210719.00
  * Update Zypper patch info parsing (#370)

- Build with go1.15 for reproducible build results (bsc#1102408)

- Update to version 20210712.1
  * Skip getting patch info when no patches are found. (#369)
- from version 20210712.00
  * Add Terraform scripts for multi-project deployments (#367)
- from version 20210709.00
  * Add examples/Terraform directory. (#366)
- from version 20210707.00
  * Fix bug in printing packages to update,
    return error for zypper patch (#365)
- from version 20210629.00
  * Add CloudOps examples for CentOS (#364)

- Update to version 20210621.00
  * chore: Fixing a comment. (#363)
- from version 20210617.00
  * Use exec.CommandContext so that canceling the context also
    kills any running processes (#362)
- from version 20210608.1
  * e2e_tests: point to official osconfig client library (#359)
- from version 20210608.00
  * e2e_tests: deflake tests (#358)
- from version 20210607.00
  * Fix build on some architectures (#357)
- from version 20210603.00
  * Create win-validation-powershell.yaml (#356)
- from version 20210602.00
  * Agent efficiency improvements/bugfixes/logging updates (#355)
  * e2e_tests: add tests for ExecResource output (#354)
- from version 20210525.00
  * Run fieldalignment on all structs (#353)
- from version 20210521.00
  * Config Task: add error message and ExecResource output recording (#350)
  * e2e_tests: remove Windows server 1909 and add server 20h2 (#352)
  * Added a method for logging structured data (#349)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:317-1
Released:    Thu Feb  3 10:06:59 2022
Summary:     Recommended update for wicked
Type:        recommended
Severity:    moderate
References:  1057592,1156920,1160654,1178357,1181163,1181812,1182227,1183407,1183495,1188019,1189560,1192164,1192311,1192353,1194392
This update for wicked fixes the following issues:

- Fix device rename issue when done via Yast2 (bsc#1194392)
- Prepare RPM packaging for migration of dbus configuration files from /etc to /usr, however 
  this change does not affect SUSE Linux Enterprise 15 Service Pack 3 (bsc#1183407,jsc#SLE-9750)
- Parse sysctl files in the correct order
- Fix sysctl values for loopback device (bsc#1181163, bsc#1178357)
- Add option for dhcp4 to set route pref-src to dhcp IP (bsc#1192353)
- Cleanup warnings, time calculations and add dhcp fixes to reduce resource usage (bsc#1188019)
- Avoid sysfs attribute read error when the kernel has already deleted the TUN/TAP interface (bsc#1192311)
- Fix warning in `ifstatus` about unexpected interface flag combination (bsc#1192164)
- Fix `ifstatus` not to show link as 'up' when interface is not running
- Make firewalld zone assignment permanent (bsc#1189560)
- Initial fixes for dracut integration and improved option handling (bsc#1182227)
- Fix `nanny` to identify node owner exit condition
- Add `ethtool --get-permanent-address` option in the client
- Reconnect on unexpected wpa_supplicant restart (bsc#1183495) 
- Migrate wireless to wpa-supplicant v1 DBus interface (bsc#1156920)
- Support multiple wireless networks configurations per interface
- Show wireless connection status and scan-results (bsc#1160654)
- Fix eap-tls,ttls cetificate handling and fix open vs. shared 
  wep,open,psk,eap-tls,ttls,peap parsing from ifcfg (bsc#1057592)
- Updated `man ifcfg-wireless` manual pages

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:322-1
Released:    Thu Feb  3 14:03:19 2022
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1192685,1194716
This update for dracut fixes the following issues:

- Fix(network): consistent use of '$gw' for gateway (bsc#1192685)
- Fix(install): handle builtin modules (bsc#1194716)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:330-1
Released:    Fri Feb  4 09:29:08 2022
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1194640,1194768,1194770,1194785,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219

This update for glibc fixes the following issues:

- CVE-2021-3999: Fixed incorrect errno in getcwd (bsc#1194640)
- CVE-2022-23219: Fixed buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Fixed buffer overflow in sunrpc svcunix_create (bsc#1194770)

Features added:

- IBM Power 10 string operation improvements (bsc#1194785, jsc#SLE-18195)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:333-1
Released:    Fri Feb  4 09:30:26 2022
Summary:     Security update for xen
Type:        security
Severity:    important
References:  1194576,1194581,1194588,CVE-2022-23033,CVE-2022-23034,CVE-2022-23035
This update for xen fixes the following issues:

- CVE-2022-23033: Fixed guest_physmap_remove_page not removing the p2m mappings. (XSA-393) (bsc#1194576)
- CVE-2022-23034: Fixed possible DoS by a PV guest Xen while unmapping a grant. (XSA-394) (bsc#1194581)
- CVE-2022-23035: Fixed insufficient cleanup of passed-through device IRQs. (XSA-395) (bsc#1194588)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:334-1
Released:    Fri Feb  4 09:30:58 2022
Summary:     Security update for containerd, docker
Type:        security
Severity:    moderate
References:  1191015,1191121,1191334,1191434,1193273,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190
This update for containerd, docker fixes the following issues:

- CVE-2021-41089: Fixed 'cp' can chmod host files (bsc#1191015).
- CVE-2021-41091: Fixed flaw that could lead to data directory traversal in moby (bsc#1191434).
- CVE-2021-41092: Fixed exposed user credentials with a misconfigured configuration file (bsc#1191334).
- CVE-2021-41103: Fixed file access to local users in containerd (bsc#1191121).
- CVE-2021-41190: Fixed OCI manifest and index parsing confusion (bsc#1193273).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:335-1
Released:    Fri Feb  4 10:24:02 2022
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    moderate
References:  1189152
This update for coreutils fixes the following issues:

- Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:340-1
Released:    Mon Feb  7 13:08:14 2022
Summary:     Security update for the Linux Kernel
Type:        recommended
Severity:    moderate
References:  1195142


The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various a regression bugfix.

The following non-security bugs were fixed:

- drm/radeon: fix error handling in radeon_driver_open_kms that could lead to non-booting systems with Radeon cards (bsc#1195142).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:343-1
Released:    Mon Feb  7 15:16:58 2022
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1193086
This update for systemd fixes the following issues:

- disable DNSSEC until the following issue is solved: https://github.com/systemd/systemd/issues/10579
- disable fallback DNS servers and fail when no DNS server info could be obtained from the links.
- DNSSEC support requires openssl therefore document this build dependency in systemd-network sub-package.
- Improve warning messages (bsc#1193086).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:348-1
Released:    Tue Feb  8 13:02:20 2022
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    important
References:  1193007,1193488,1194597,1194898,954813
This update for libzypp fixes the following issues:

- RepoManager: remember execution errors in exception history (bsc#1193007)
- Fix exception handling when reading or writing credentials (bsc#1194898)
- Fix install path for parser (bsc#1194597)
- Fix Legacy include (bsc#1194597)
- Public header files on older distros must use c++11 (bsc#1194597)
- Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)
- Fix wrong encoding of URI compontents of ISO images (bsc#954813)
- When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible
- Introduce zypp-curl as a sublibrary for CURL related code
- zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set
- Save all signatures associated with a public key in its PublicKeyData

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:283-1
Released:    Tue Feb  8 16:10:39 2022
Summary:     Security update for samba
Type:        security
Severity:    critical
References:  1139519,1183572,1183574,1188571,1191227,1191532,1192684,1193690,1194859,1195048,CVE-2020-27840,CVE-2021-20277,CVE-2021-20316,CVE-2021-36222,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336


- CVE-2021-44141: Information leak via symlinks of existance of
  files or directories outside of the exported share; (bso#14911);
  (bsc#1193690);
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability
  in VFS module vfs_fruit allows code execution; (bso#14914);
  (bsc#1194859);
- CVE-2022-0336: Samba AD users with permission to write to an
  account can impersonate arbitrary services; (bso#14950);
  (bsc#1195048);

samba was updated to 4.15.4 (jsc#SLE-23329);

* Duplicate SMB file_ids leading to Windows client cache
  poisoning; (bso#14928);
* Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
  NT_STATUS_BUFFER_TOO_SMALL; (bso#14932);
* kill_tcp_connections does not work; (bso#14934);
* Can't connect to Windows shares not requiring authentication
  using KDE/Gnome; (bso#14935);
* smbclient -L doesn't set 'client max protocol' to NT1 before
  calling the 'Reconnecting with SMB1 for workgroup listing'
  path; (bso#14939);
* Cross device copy of the crossrename module always fails;
  (bso#14940);
* symlinkat function from VFS cap module always fails with an
  error; (bso#14941);
* Fix possible fsp pointer deference; (bso#14942);
* Missing pop_sec_ctx() in error path inside close_directory();
  (bso#14944);
* 'smbd --build-options' no longer works without an smb.conf file;
  (bso#14945);

Samba was updated to version 4.15.3 

+ CVE-2021-43566: Symlink race error can allow directory creation
  outside of the exported share; (bsc#1139519);
+ CVE-2021-20316: Symlink race error can allow metadata read and
  modify outside of the exported share; (bsc#1191227);
- Reorganize libs packages. Split samba-libs into samba-client-libs,
  samba-libs, samba-winbind-libs and samba-ad-dc-libs, merging samba
  public libraries depending on internal samba libraries into these
  packages as there were dependency problems everytime one of these
  public libraries changed its version (bsc#1192684). The devel
  packages are merged into samba-devel.
- Rename package samba-core-devel to samba-devel
- Update the symlink create by samba-dsdb-modules to private samba
  ldb modules following libldb2 changes from /usr/lib64/ldb/samba to
  /usr/lib64/ldb2/modules/ldb/samba

krb5 was updated to 1.16.3 to 1.19.2

* Fix a denial of service attack against the KDC encrypted challenge code; (CVE-2021-36222);
* Fix a memory leak when gss_inquire_cred() is called without a credential handle.

Changes from 1.19.1:

* Fix a linking issue with Samba.
* Better support multiple pkinit_identities values by checking whether
  certificates can be loaded for each value.

Changes from 1.19

Administrator experience
  * When a client keytab is present, the GSSAPI krb5 mech will refresh
    credentials even if the current credentials were acquired manually.
  * It is now harder to accidentally delete the K/M entry from a KDB.
Developer experience
  * gss_acquire_cred_from() now supports the 'password' and 'verify'
    options, allowing credentials to be acquired via password and
    verified using a keytab key.
  * When an application accepts a GSS security context, the new
    GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
    both provided matching channel bindings.
  * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
    to identify the desired client principal by certificate.
  * PKINIT certauth modules can now cause the hw-authent flag to be set
    in issued tickets.
  * The krb5_init_creds_step() API will now issue the same password
    expiration warnings as krb5_get_init_creds_password().
Protocol evolution
  * Added client and KDC support for Microsoft's Resource-Based Constrained
    Delegation, which allows cross-realm S4U2Proxy requests. A third-party
    database module is required for KDC support.
  * kadmin/admin is now the preferred server principal name for kadmin
    connections, and the host-based form is no longer created by default.
    The client will still try the host-based form as a fallback.
  * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
    extension, which causes channel bindings to be required for the
    initiator if the acceptor provided them. The client will send this
    option if the client_aware_gss_bindings profile option is set.
User experience
  * kinit will now issue a warning if the des3-cbc-sha1 encryption type is
    used in the reply. This encryption type will be deprecated and removed
    in future releases.
  * Added kvno flags --out-cache, --no-store, and --cached-only
    (inspired by Heimdal's kgetcred).

Changes from 1.18.3
* Fix a denial of service vulnerability when decoding Kerberos
  protocol messages.
* Fix a locking issue with the LMDB KDB module which could cause
  KDC and kadmind processes to lose access to the database.
* Fix an assertion failure when libgssapi_krb5 is repeatedly loaded
  and unloaded while libkrb5support remains loaded.

Changes from 1.18.2
* Fix a SPNEGO regression where an acceptor using the default credential
  would improperly filter mechanisms, causing a negotiation failure.
* Fix a bug where the KDC would fail to issue tickets if the local krbtgt
  principal's first key has a single-DES enctype.
* Add stub functions to allow old versions of OpenSSL libcrypto to link
  against libkrb5.
* Fix a NegoEx bug where the client name and delegated credential might
  not be reported.

Changes from 1.18.1
* Fix a crash when qualifying short hostnames when the system has
  no primary DNS domain.
* Fix a regression when an application imports 'service@' as a GSS
  host-based name for its acceptor credential handle.
* Fix KDC enforcement of auth indicators when they are modified by
  the KDB module.
* Fix removal of require_auth string attributes when the LDAP KDB
  module is used.
* Fix a compile error when building with musl libc on Linux.
* Fix a compile error when building with gcc 4.x.
* Change the KDC constrained delegation precedence order for consistency
  with Windows KDCs.

Changes from 1.18
Administrator experience:
  * Remove support for single-DES encryption types.
  * Change the replay cache format to be more efficient and robust.
    Replay cache filenames using the new format end with '.rcache2'
    by default.
  * setuid programs will automatically ignore environment variables
    that normally affect krb5 API functions, even if the caller does
    not use krb5_init_secure_context().
  * Add an 'enforce_ok_as_delegate' krb5.conf relation to disable
    credential forwarding during GSSAPI authentication unless the KDC
    sets the ok-as-delegate bit in the service ticket.
  * Use the permitted_enctypes krb5.conf setting as the default value
    for default_tkt_enctypes and default_tgs_enctypes.
Developer experience:
  * Implement krb5_cc_remove_cred() for all credential cache types.
  * Add the krb5_pac_get_client_info() API to get the client account
    name from a PAC.
Protocol evolution:
  * Add KDC support for S4U2Self requests where the user is identified
    by X.509 certificate. (Requires support for certificate lookup from
    a third-party KDB module.)
  * Remove support for an old ('draft 9') variant of PKINIT.
  * Add support for Microsoft NegoEx. (Requires one or more third-party
    GSS modules implementing NegoEx mechanisms.)
User experience:
  * Add support for 'dns_canonicalize_hostname=fallback', causing
    host-based principal names to be tried first without DNS
    canonicalization, and again with DNS canonicalization if the
    un-canonicalized server is not found.
  * Expand single-component hostnames in host-based principal names
    when DNS canonicalization is not used, adding the system's first DNS
    search path as a suffix. Add a 'qualify_shortname' krb5.conf relation
    to override this suffix or disable expansion.
  * Honor the transited-policy-checked ticket flag on application servers,
    eliminating the requirement to configure capaths on servers in some
    scenarios.
Code quality:
  * The libkrb5 serialization code (used to export and import krb5 GSS
    security contexts) has been simplified and made type-safe.
  * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
    messages has been revised to conform to current coding practices.
  * The test suite has been modified to work with macOS System Integrity
    Protection enabled.
  * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
    can always be tested.

Changes from 1.17.1
* Fix a bug preventing 'addprinc -randkey -kvno' from working in kadmin.
* Fix a bug preventing time skew correction from working when a KCM
  credential cache is used.

Changes from 1.17:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
  Database library (LMDB) has been added.  The LMDB KDB module should
  be more performant and more robust than the DB2 module, and may
  become the default module for new databases in a future release.
* 'kdb5_util dump' will no longer dump policy entries when specific
  principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
  salt, and string-to-key parameters from the KDC for a client
  principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
  principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
  log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
  perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported.  This
  mechanism protects against password dictionary attacks without
  requiring any additional infrastructure such as certificates.  SPAKE
  is enabled by default on clients, but must be manually enabled on
  the KDC for this release.
* PKINIT freshness tokens are now supported.  Freshness tokens can
  protect against scenarios where an attacker uses temporary access to
  a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
  spurious error messages about replays when a response packet is
  dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
  third-party KDB module such as Samba's.  The client code for
  cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
  from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
  within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
  environment variables that affect programs using the Kerberos
  library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
  easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
  with more recent versions of Visual Studio.  A large volume of
  unused Windows-specific code has been removed.  Visual Studio 2013
  or later is now required.

- Build with full Cyrus SASL support. Negotiating SASL credentials with
  an EXTERNAL bind mechanism requires interaction. Kerberos provides its
  own interaction function that skips all interaction, thus preventing the
  mechanism from working.
ldb was updated to version 2.4.1 (jsc#SLE-23329);

- Release 2.4.1

  + Corrected python behaviour for 'in' for LDAP attributes
    contained as part of ldb.Message; (bso#14845);
  + Fix memory handling in ldb.msg_diff; (bso#14836);

- Release 2.4.0

  + pyldb: Fix Message.items() for a message containing elements
  + pyldb: Add test for Message.items()
  + tests: Use ldbsearch '--scope instead of '-s'
  + Change page size of guidindexpackv1.ldb
  + Use a 1MiB lmdb so the test also passes on aarch64 CentOS stream
  + attrib_handler casefold: simplify space dropping
  + fix ldb_comparison_fold off-by-one overrun
  + CVE-2020-27840: pytests: move Dn.validate test to ldb
  + CVE-2020-27840 ldb_dn: avoid head corruption in ldb_dn_explode
  + CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds
  + CVE-2021-20277 ldb tests: ldb_match tests with extra spaces
  + improve comments for ldb_module_connect_backend()
  + test/ldb_tdb: correct introductory comments
  + ldb.h: remove undefined async_ctx function signatures
  + correct comments in attrib_handers val_to_int64
  + dn tests use cmocka print functions
  + ldb_match: remove redundant check
  + add tests for ldb_wildcard_compare
  + ldb_match: trailing chunk must match end of string
  + pyldb: catch potential overflow error in py_timestring
  + ldb: remove some 'if PY3's in tests

talloc was updated to 2.3.3:

+ various bugfixes
+ python: Ensure reference counts are properly incremented
+ Change pytalloc source to LGPL
+ Upgrade waf to 2.0.18 to fix a cross-compilation issue;
   (bso#13846).

tdb was updated to version 1.4.4:

+ various bugfixes

tevent was updated to version 0.11.0:

+ Add custom tag to events
+ Add event trace api

sssd was updated to:

- Fix tests test_copy_ccache & test_copy_keytab for later versions of krb5
- Update the private ldb modules installation following libldb2 
  changes from /usr/lib64/ldb/samba to /usr/lib64/ldb2/modules/ldb/samba

apparmor was updated to:

- Cater for changes to ldb packaging to allow parallel installation with libldb (bsc#1192684).
- add profile for samba-bgqd (bsc#1191532).


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:370-1
Released:    Fri Feb 11 08:35:29 2022
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    critical
References:  1154353,1154488,1156395,1160634,1176447,1177599,1183405,1185377,1187428,1187723,1188605,1191881,1193096,1193506,1193767,1193802,1193861,1193864,1193867,1194048,1194227,1194291,1194880,1195009,1195062,1195065,1195073,1195183,1195184,1195254,1195267,1195293,1195371,1195476,1195477,1195478,1195479,1195480,1195481,1195482,CVE-2020-28097,CVE-2021-22600,CVE-2021-39648,CVE-2021-39657,CVE-2021-39685,CVE-2021-44733,CVE-2021-45095,CVE-2022-0286,CVE-2022-0330,CVE-2022-0435,CVE-2022-22942

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2022-0435: Fixed remote stack overflow in net/tipc module that validate domain record count on input (bsc#1195254).
- CVE-2022-0330: Fixed flush TLBs before releasing backing store (bsc#1194880).
- CVE-2022-0286: Fixed null pointer dereference in bond_ipsec_add_sa() that may have lead to local denial of service (bnc#1195371).
- CVE-2022-22942: Fixed stale file descriptors on failed usercopy (bsc#1195065).
- CVE-2021-45095: Fixed refcount leak in pep_sock_accept in net/phonet/pep.c (bnc#1193867).
- CVE-2021-44733: Fixed a use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem, that could have occured because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object (bnc#1193767).
- CVE-2021-39685: Fixed USB gadget buffer overflow caused by too large endpoint 0 requests (bsc#1193802).
- CVE-2021-39657: Fixed out of bounds read due to a missing bounds check in ufshcd_eh_device_reset_handler of ufshcd.c. This could lead to local information disclosure with System execution privileges needed (bnc#1193864).
- CVE-2021-39648: Fixed possible disclosure of kernel heap memory due to a race condition in gadget_dev_desc_UDC_show of configfs.c. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation (bnc#1193861).
- CVE-2021-22600: Fixed double free bug in packet_set_ring() in net/packet/af_packet.c that could have been exploited by a local user through crafted syscalls to escalate privileges or deny service (bnc#1195184).
- CVE-2020-28097: Fixed out-of-bounds read in vgacon subsystem that mishandled software scrollback (bnc#1187723).


The following non-security bugs were fixed:

- ACPI: battery: Add the ThinkPad 'Not Charging' quirk (git-fixes).
- ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R() (git-fixes).
- ACPICA: Fix wrong interpretation of PCC address (git-fixes).
- ACPICA: Hardware: Do not flush CPU cache when entering S4 and S5 (git-fixes).
- ACPICA: Utilities: Avoid deleting the same object twice in a row (git-fixes).
- ACPICA: actypes.h: Expand the ACPI_ACCESS_ definitions (git-fixes).
- ALSA: seq: Set upper limit of processed events (git-fixes).
- ALSA: usb-audio: Correct quirk for VF0770 (git-fixes).
- ALSA: usb-audio: initialize variables that could ignore errors (git-fixes).
- ASoC: cpcap: Check for NULL pointer after calling of_get_child_by_name (git-fixes).
- ASoC: fsl: Add missing error handling in pcm030_fabric_probe (git-fixes).
- ASoC: max9759: fix underflow in speaker_gain_control_put() (git-fixes).
- ASoC: mediatek: mt8173: fix device_node leak (git-fixes).
- ASoC: xilinx: xlnx_formatter_pcm: Make buffer bytes multiple of period bytes (git-fixes).
- Bluetooth: Fix debugfs entry leak in hci_register_dev() (git-fixes).
- Bluetooth: refactor malicious adv data check (git-fixes).
- Documentation: fix firewire.rst ABI file path error (git-fixes).
- HID: apple: Do not reset quirks when the Fn key is not found (git-fixes).
- HID: quirks: Allow inverting the absolute X/Y values (git-fixes).
- HID: uhid: Fix worker destroying device without any protection (git-fixes).
- HID: wacom: Reset expected and received contact counts at the same time (git-fixes).
- IB/cm: Avoid a loop when device has 255 ports (git-fixes)
- IB/hfi1: Fix error return code in parse_platform_config() (git-fixes)
- IB/hfi1: Use kzalloc() for mmu_rb_handler allocation (git-fixes)
- IB/isert: Fix a use after free in isert_connect_request (git-fixes)
- IB/mlx4: Separate tunnel and wire bufs parameters (git-fixes)
- IB/mlx5: Add missing error code (git-fixes)
- IB/mlx5: Add mutex destroy call to cap_mask_mutex mutex (git-fixes)
- IB/mlx5: Fix error unwinding when set_has_smi_cap fails (git-fixes)
- IB/mlx5: Return appropriate error code instead of ENOMEM (git-fixes)
- IB/umad: Return EIO in case of when device disassociated (git-fixes)
- IB/umad: Return EPOLLERR in case of when device disassociated (git-fixes)
- Input: wm97xx: Simplify resource management (git-fixes).
- NFS: Ensure the server had an up to date ctime before renaming (git-fixes).
- NFSv4: Handle case where the lookup of a directory fails (git-fixes).
- NFSv4: nfs_atomic_open() can race when looking up a non-regular file (git-fixes).
- PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller (git-fixes).
- PM: wakeup: simplify the output logic of pm_show_wakelocks() (git-fixes).
- RDMA/addr: Be strict with gid size (git-fixes)
- RDMA/bnxt_re: Fix a double free in bnxt_qplib_alloc_res (git-fixes)
- RDMA/bnxt_re: Fix error return code in bnxt_qplib_cq_process_terminal() (git-fixes)
- RDMA/bnxt_re: Set queue pair state when being queried (git-fixes)
- RDMA/cm: Fix an attempt to use non-valid pointer when cleaning timewait (git-fixes)
- RDMA/core: Clean up cq pool mechanism (jsc#SLE-15176).
- RDMA/core: Do not access cm_id after its destruction (git-fixes)
- RDMA/core: Do not indicate device ready when device enablement fails (git-fixes)
- RDMA/core: Fix corrupted SL on passive side (git-fixes)
- RDMA/core: Unify RoCE check and re-factor code (git-fixes)
- RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server (git-fixes)
- RDMA/cxgb4: Fix the reported max_recv_sge value (git-fixes)
- RDMA/cxgb4: Validate the number of CQEs (git-fixes)
- RDMA/cxgb4: add missing qpid increment (git-fixes)
- RDMA/hns: Add a check for current state before modifying QP (git-fixes)
- RDMA/hns: Remove the portn field in UD SQ WQE (git-fixes)
- RDMA/hns: Remove unnecessary access right set during INIT2INIT (git-fixes)
- RDMA/i40iw: Address an mmap handler exploit in i40iw (git-fixes)
- RDMA/i40iw: Fix error unwinding when i40iw_hmc_sd_one fails (git-fixes)
- RDMA/mlx5: Fix corruption of reg_pages in mlx5_ib_rereg_user_mr() (git-fixes)
- RDMA/mlx5: Fix potential race between destroy and CQE poll (git-fixes)
- RDMA/mlx5: Fix query DCT via DEVX (git-fixes)
- RDMA/mlx5: Fix type warning of sizeof in __mlx5_ib_alloc_counters() (git-fixes)
- RDMA/mlx5: Fix wrong free of blue flame register on error (git-fixes)
- RDMA/mlx5: Issue FW command to destroy SRQ on reentry (git-fixes)
- RDMA/mlx5: Recover from fatal event in dual port mode (git-fixes)
- RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation (git-fixes)
- RDMA/ocrdma: Fix use after free in ocrdma_dealloc_ucontext_pd() (git-fixes)
- RDMA/rxe: Clear all QP fields if creation failed (git-fixes)
- RDMA/rxe: Compute PSN windows correctly (git-fixes)
- RDMA/rxe: Correct skb on loopback path (git-fixes)
- RDMA/rxe: Fix coding error in rxe_rcv_mcast_pkt (git-fixes)
- RDMA/rxe: Fix coding error in rxe_recv.c (git-fixes)
- RDMA/rxe: Fix missing kconfig dependency on CRYPTO (git-fixes)
- RDMA/rxe: Remove the unnecessary variable (jsc#SLE-15176).
- RDMA/rxe: Remove useless code in rxe_recv.c (git-fixes)
- RDMA/siw: Fix a use after free in siw_alloc_mr (git-fixes)
- RDMA/siw: Fix calculation of tx_valid_cpus size (git-fixes)
- RDMA/siw: Fix handling of zero-sized Read and Receive Queues. (git-fixes)
- RDMA/siw: Properly check send and receive CQ pointers (git-fixes)
- RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp (git-fixes)
- RDMA/uverbs: Fix a NULL vs IS_ERR() bug (git-fixes)
- RDMA/uverbs: Tidy input validation of ib_uverbs_rereg_mr() (git-fixes)
- RMDA/sw: Do not allow drivers using dma_virt_ops on highmem configs (git-fixes)
- USB: core: Fix hang in usb_kill_urb by adding memory barriers (git-fixes).
- USB: serial: mos7840: fix probe error handling (git-fixes).
- ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply (git-fixes).
- arm64: Kconfig: add a choice for endianness (jsc#SLE-23432).
- asix: fix wrong return value in asix_check_host_enable() (git-fixes).
- ata: pata_platform: Fix a NULL pointer dereference in __pata_platform_probe() (git-fixes).
- ath10k: Fix tx hanging (git-fixes).
- ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream (git-fixes).
- batman-adv: allow netlink usage in unprivileged containers (git-fixes).
- blk-cgroup: fix missing put device in error path from blkg_conf_pref() (bsc#1195481).
- blk-mq: introduce blk_mq_set_request_complete (git-fixes).
- bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds() (bsc#1194227).
- btrfs: tree-checker: Add EXTENT_ITEM and METADATA_ITEM check (bsc#1195009).
- btrfs: tree-checker: annotate all error branches as unlikely (bsc#1195009).
- btrfs: tree-checker: check for BTRFS_BLOCK_FLAG_FULL_BACKREF being set improperly (bsc#1195009).
- cgroup/cpuset: Fix a partition bug with hotplug (bsc#1194291).
- clk: si5341: Fix clock HW provider cleanup (git-fixes).
- crypto: qat - fix undetected PFVF timeout in ACK loop (git-fixes).
- dma-buf: heaps: Fix potential spectre v1 gadget (git-fixes).
- drm/amdgpu: fixup bad vram size on gmc v8 (git-fixes).
- drm/bridge: megachips: Ensure both bridges are probed before registration (git-fixes).
- drm/etnaviv: limit submit sizes (git-fixes).
- drm/etnaviv: relax submit size limits (git-fixes).
- drm/i915/overlay: Prevent divide by zero bugs in scaling (git-fixes).
- drm/lima: fix warning when CONFIG_DEBUG_SG=y & CONFIG_DMA_API_DEBUG=y (git-fixes).
- drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc (git-fixes).
- drm/msm/dsi: Fix missing put_device() call in dsi_get_phy (git-fixes).
- drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable (git-fixes).
- drm/msm/hdmi: Fix missing put_device() call in msm_hdmi_get_phy (git-fixes).
- drm/msm: Fix wrong size calculation (git-fixes).
- drm/nouveau/kms/nv04: use vzalloc for nv04_display (git-fixes).
- drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR (git-fixes).
- drm/nouveau: fix off by one in BIOS boundary checking (git-fixes).
- drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Book X91F/L (git-fixes).
- ext4: fix an use-after-free issue about data=journal writeback mode (bsc#1195482).
- ext4: make sure quota gets properly shutdown on error (bsc#1195480).
- ext4: set csum seed in tmp inode while migrating to extents (bsc#1195267).
- floppy: Add max size check for user space request (git-fixes).
- fsnotify: fix fsnotify hooks in pseudo filesystems (bsc#1195479).
- fsnotify: invalidate dcache before IN_DELETE event (bsc#1195478).
- gpio: aspeed: Convert aspeed_gpio.lock to raw_spinlock (git-fixes).
- gpiolib: acpi: Do not set the IRQ type if the IRQ is already in use (git-fixes).
- hv_netvsc: Set needed_headroom according to VF (bsc#1193506).
- hwmom: (lm90) Fix citical alarm status for MAX6680/MAX6681 (git-fixes).
- hwmon: (lm90) Mark alert as broken for MAX6646/6647/6649 (git-fixes).
- hwmon: (lm90) Mark alert as broken for MAX6654 (git-fixes).
- hwmon: (lm90) Mark alert as broken for MAX6680 (git-fixes).
- hwmon: (lm90) Reduce maximum conversion rate for G781 (git-fixes).
- i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters (git-fixes).
- i2c: i801: Do not silently correct invalid transfer size (git-fixes).
- i2c: mpc: Correct I2C reset procedure (git-fixes).
- i40iw: Add support to make destroy QP synchronous (git-fixes)
- ibmvnic: Allow extra failures before disabling (bsc#1195073 ltc#195713).
- ibmvnic: Update driver return codes (bsc#1195293 ltc#196198).
- ibmvnic: do not spin in tasklet (bsc#1195073 ltc#195713).
- ibmvnic: init ->running_cap_crqs early (bsc#1195073 ltc#195713).
- ibmvnic: remove unused ->wait_capability (bsc#1195073 ltc#195713).
- ibmvnic: remove unused defines (bsc#1195293 ltc#196198).
- igc: Fix TX timestamp support for non-MSI-X platforms (bsc#1160634).
- iwlwifi: fix leaks/bad data after failed firmware load (git-fixes).
- iwlwifi: mvm: Fix calculation of frame length (git-fixes).
- iwlwifi: mvm: Increase the scan timeout guard to 30 seconds (git-fixes).
- iwlwifi: mvm: synchronize with FW after multicast commands (git-fixes).
- iwlwifi: remove module loading failure message (git-fixes).
- lib82596: Fix IRQ check in sni_82596_probe (git-fixes).
- lightnvm: Remove lightnvm implemenation (bsc#1191881).
- mac80211: allow non-standard VHT MCS-10/11 (git-fixes).
- media: b2c2: Add missing check in flexcop_pci_isr: (git-fixes).
- media: coda/imx-vdoa: Handle dma_set_coherent_mask error codes (git-fixes).
- media: igorplugusb: receiver overflow should be reported (git-fixes).
- media: m920x: do not use stack on USB reads (git-fixes).
- media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach() (git-fixes).
- media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() (git-fixes).
- media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds (git-fixes).
- mlxsw: Only advertise link modes supported by both driver and device (bsc#1154488).
- mmc: core: Fixup storing of OCR for MMC_QUIRK_NONSTD_SDIO (git-fixes).
- mtd: nand: bbt: Fix corner case in bad block table handling (git-fixes).
- mtd: rawnand: gpmi: Add ERR007117 protection for nfc_apply_timings (git-fixes).
- mtd: rawnand: gpmi: Remove explicit default gpmi clock setting for i.MX6 (git-fixes).
- net, xdp: Introduce xdp_init_buff utility routine (bsc#1193506).
- net, xdp: Introduce xdp_prepare_buff utility routine (bsc#1193506).
- net/mlx5: DR, Proper handling of unsupported Connect-X6DX SW steering (jsc#SLE-8464).
- net/mlx5: E-Switch, fix changing vf VLANID (jsc#SLE-15172).
- net/mlx5e: Protect encap route dev from concurrent release (jsc#SLE-8464).
- net: allow retransmitting a TCP packet if original is still in queue (bsc#1188605 bsc#1187428).
- net: bonding: fix bond_xmit_broadcast return value error bug (bsc#1176447).
- net: bridge: vlan: fix memory leak in __allowed_ingress (bsc#1176447).
- net: bridge: vlan: fix single net device option dumping (bsc#1176447).
- net: mana: Add RX fencing (bsc#1193506).
- net: mana: Add XDP support (bsc#1193506).
- net: sch_generic: aviod concurrent reset and enqueue op for lockless qdisc (bsc#1183405).
- net: sched: add barrier to ensure correct ordering for lockless qdisc (bsc#1183405).
- net: sched: avoid unnecessary seqcount operation for lockless qdisc (bsc#1183405).
- net: sched: fix packet stuck problem for lockless qdisc (bsc#1183405).
- net: sched: fix tx action reschedule issue with stopped queue (bsc#1183405).
- net: sched: fix tx action rescheduling issue during deactivation (bsc#1183405).
- net: sched: replaced invalid qdisc tree flush helper in qdisc_replace (bsc#1183405).
- net: sfp: fix high power modules without diagnostic monitoring (bsc#1154353).
- netdevsim: set .owner to THIS_MODULE (bsc#1154353).
- nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind() (git-fixes).
- nvme-core: use list_add_tail_rcu instead of list_add_tail for nvme_init_ns_head (git-fixes).
- nvme-fabrics: avoid double completions in nvmf_fail_nonready_command (git-fixes).
- nvme-fabrics: ignore invalid fast_io_fail_tmo values (git-fixes).
- nvme-fabrics: remove superfluous nvmf_host_put in nvmf_parse_options (git-fixes).
- nvme-tcp: fix data digest pointer calculation (git-fixes).
- nvme-tcp: fix incorrect h2cdata pdu offset accounting (git-fixes).
- nvme-tcp: fix memory leak when freeing a queue (git-fixes).
- nvme-tcp: fix possible use-after-completion (git-fixes).
- nvme-tcp: validate R2T PDU in nvme_tcp_handle_r2t() (git-fixes).
- nvme: add 'iopolicy' module parameter (bsc#1177599 bsc#1193096).
- nvme: fix use after free when disconnecting a reconnecting ctrl (git-fixes).
- nvme: introduce a nvme_host_path_error helper (git-fixes).
- nvme: refactor ns->ctrl by request (git-fixes).
- phy: uniphier-usb3ss: fix unintended writing zeros to PHY register (git-fixes).
- phylib: fix potential use-after-free (git-fixes).
- pinctrl: bcm2835: Add support for wake-up interrupts (git-fixes).
- pinctrl: bcm2835: Match BCM7211 compatible string (git-fixes).
- pinctrl: intel: Fix a glitch when updating IRQ flags on a preconfigured line (git-fixes).
- pinctrl: intel: fix unexpected interrupt (git-fixes).
- powerpc/book3s64/radix: make tlb_single_page_flush_ceiling a debugfs entry (bsc#1195183 ltc#193865).
- powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending (bsc#1156395).
- regulator: qcom_smd: Align probe function with rpmh-regulator (git-fixes).
- rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev (git-fixes).
- rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev (git-fixes).
- rsi: Fix use-after-free in rsi_rx_done_handler() (git-fixes).
- sched/fair: Fix detection of per-CPU kthreads waking a task (git fixes (sched/fair)).
- sched/numa: Fix is_core_idle() (git fixes (sched/numa)).
- scripts/dtc: dtx_diff: remove broken example from help text (git-fixes).
- scripts/dtc: only append to HOST_EXTRACFLAGS instead of overwriting (git-fixes).
- serial: 8250: of: Fix mapped region size when using reg-offset property (git-fixes).
- serial: Fix incorrect rs485 polarity on uart open (git-fixes).
- serial: amba-pl011: do not request memory region twice (git-fixes).
- serial: core: Keep mctrl register state and cached copy in sync (git-fixes).
- serial: pl010: Drop CR register reset on set_termios (git-fixes).
- serial: stm32: fix software flow control transfer (git-fixes).
- spi: bcm-qspi: check for valid cs before applying chip select (git-fixes).
- spi: mediatek: Avoid NULL pointer crash in interrupt (git-fixes).
- spi: meson-spicc: add IRQ check in meson_spicc_probe (git-fixes).
- supported.conf: mark rtw88 modules as supported (jsc#SLE-22690)
- tty: Add support for Brainboxes UC cards (git-fixes).
- tty: n_gsm: fix SW flow control encoding/handling (git-fixes).
- ucsi_ccg: Check DEV_INT bit only when starting CCG4 (git-fixes).
- udf: Fix NULL ptr deref when converting from inline format (bsc#1195476).
- udf: Restore i_lenAlloc when inode expansion fails (bsc#1195477).
- usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge (git-fixes).
- usb: common: ulpi: Fix crash in ulpi_match() (git-fixes).
- usb: gadget: f_fs: Use stream_open() for endpoint files (git-fixes).
- usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS (git-fixes).
- usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0 (git-fixes).
- usb: roles: fix include/linux/usb/role.h compile issue (git-fixes).
- usb: typec: tcpm: Do not disconnect while receiving VBUS off (git-fixes).
- usb: uhci: add aspeed ast2600 uhci support (git-fixes).
- vfio/iommu_type1: replace kfree with kvfree (git-fixes).
- video: hyperv_fb: Fix validation of screen resolution (git-fixes).
- vxlan: fix error return code in __vxlan_dev_create() (bsc#1154353).
- workqueue: Fix unbind_workers() VS wq_worker_running() race (bsc#1195062).
- x86/gpu: Reserve stolen memory for first integrated Intel GPU (git-fixes).
- xfrm: fix MTU regression (bsc#1185377, bsc#1194048).
- xhci-pci: Allow host runtime PM as default for Intel Alpine Ridge LP (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:383-1
Released:    Tue Feb 15 17:47:36 2022
Summary:     Recommended update for cyrus-sasl
Type:        recommended
Severity:    moderate
References:  1194265
This update for cyrus-sasl fixes the following issues:

- Fixed an issue when in postfix 'sasl' authentication with password fails. (bsc#1194265)
- Add config parameter '--with-dblib=gdbm'
- Avoid converting of '/etc/sasldb2 by every update. Convert '/etc/sasldb2' only if it is a Berkeley DB.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:476-1
Released:    Thu Feb 17 10:31:35 2022
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1194661
This update for nfs-utils fixes the following issues:

- If an error or warning message is produced before closeall() is called, mountd doesn't work. (bsc#1194661)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:498-1
Released:    Fri Feb 18 10:46:56 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1195054,1195217,CVE-2022-23852,CVE-2022-23990
This update for expat fixes the following issues:

- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:513-1
Released:    Fri Feb 18 12:43:10 2022
Summary:     Recommended update for grub2
Type:        recommended
Severity:    moderate
References:  1159205,1190395
This update for grub2 fixes the following issues:

- Fix wrong default entry when booting snapshot (bsc#1159205).
- Improve support for SLE Micro 5.1 on s390x (bsc#1190395).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:520-1
Released:    Fri Feb 18 12:45:19 2022
Summary:     Recommended update for rpm
Type:        recommended
Severity:    moderate
References:  1194968
This update for rpm fixes the following issues:

- Revert unwanted /usr/bin/python to /usr/bin/python2 change we got with the update to 4.14.3 (bsc#1194968)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:539-1
Released:    Mon Feb 21 13:47:51 2022
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1191826,1192637,1194178,CVE-2021-3997
This update for systemd fixes the following issues:

- CVE-2021-3997: Fixed an uncontrolled recursion in systemd's systemd-tmpfiles (bsc#1194178).

The following non-security bugs were fixed:
- udev/net_id: don't generate slot based names if multiple devices might claim the same slot (bsc#1192637)
- localectl: don't omit keymaps files that are symlinks (bsc#1191826)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:548-1
Released:    Tue Feb 22 13:48:55 2022
Summary:     Recommended update for blog
Type:        recommended
Severity:    moderate
References:  1186506,1191057
This update for blog fixes the following issues:

- Update to version 2.26
  * On s390/x and PPC64 gcc misses unused arg0

- Update to version 2.24
  * Avoid install errror due missed directory

- Update to version 2.22
  * Avoid KillMode=none for newer systemd version as well as rework
    the systemd unit files of blog (bsc#1186506)

- Move to /usr for UsrMerge (bsc#1191057) 

- Update to version 2.21
  * Merge pull request #4 from samueldr/fix/makefile
    Fixup Makefile for better build system support
  * Silent new gcc compiler


The following package changes have been done:

- apparmor-abstractions-2.13.6-150300.3.11.2 updated
- apparmor-parser-2.13.6-150300.3.11.2 updated
- blog-2.26-150300.4.3.1 updated
- boost-license1_66_0-1.66.0-12.3.1 updated
- containerd-ctr-1.4.12-60.1 updated
- containerd-1.4.12-60.1 updated
- coreutils-8.32-150300.3.5.1 updated
- docker-20.10.12_ce-159.1 updated
- dracut-049.1+suse.228.g07676562-3.54.1 updated
- glibc-locale-base-2.31-150300.9.12.1 updated
- glibc-locale-2.31-150300.9.12.1 updated
- glibc-2.31-150300.9.12.1 updated
- google-guest-agent-20211116.00-1.23.1 updated
- google-guest-configs-20211116.00-1.16.1 updated
- google-guest-oslogin-20211013.00-1.24.1 updated
- google-osconfig-agent-20211117.00-1.14.1 updated
- grub2-i386-pc-2.04-150300.22.12.2 updated
- grub2-x86_64-efi-2.04-150300.22.12.2 updated
- grub2-2.04-150300.22.12.2 updated
- kernel-default-5.3.18-150300.59.49.1 updated
- krb5-1.19.2-150300.8.3.2 updated
- libapparmor1-2.13.6-150300.3.11.1 updated
- libblogger2-2.26-150300.4.3.1 updated
- libboost_system1_66_0-1.66.0-12.3.1 updated
- libboost_thread1_66_0-1.66.0-12.3.1 updated
- libexpat1-2.2.5-3.12.1 updated
- libldb2-2.4.1-150300.3.10.1 updated
- libsasl2-3-2.1.27-150300.4.3.1 updated
- libsystemd0-246.16-150300.7.39.1 updated
- libtalloc2-2.3.3-150300.3.3.2 updated
- libtdb1-1.4.4-150300.3.3.2 updated
- libtevent0-0.11.0-150300.3.3.2 updated
- libudev1-246.16-150300.7.39.1 updated
- libzypp-17.29.3-27.1 updated
- nfs-client-2.1.1-10.21.1 updated
- rpm-ndb-4.14.3-150300.46.1 updated
- samba-client-libs-4.15.4+git.324.8332acf1a63-150300.3.25.3 added
- systemd-sysvinit-246.16-150300.7.39.1 updated
- systemd-246.16-150300.7.39.1 updated
- udev-246.16-150300.7.39.1 updated
- wicked-service-0.6.68-150300.4.5.1 updated
- wicked-0.6.68-150300.4.5.1 updated
- xen-libs-4.14.3_06-150300.3.18.2 updated
- zypper-1.14.51-24.1 updated
- gamin-server-0.1.10-1.41 removed
- libdcerpc-binding0-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libdcerpc0-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libfam0-gamin-0.1.10-3.2.3 removed
- libndr-krb5pac0-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libndr-nbt0-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libndr-standard0-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libndr1-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libnetapi0-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libsamba-credentials0-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libsamba-errors0-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libsamba-hostconfig0-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libsamba-passdb0-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libsamba-util0-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libsamdb0-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libsmbconf0-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libsmbldap2-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libtevent-util0-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- libwbclient0-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- python3-ldb-2.2.2-3.3.1 removed
- python3-talloc-2.3.1-1.40 removed
- samba-libs-4.13.13+git.539.fdbc44a8598-3.20.2 removed
- samba-libs-python3-4.13.13+git.539.fdbc44a8598-3.20.2 removed


More information about the sle-security-updates mailing list