SUSE-IU-2023:164-1: Security update of suse-sles-15-sp3-chost-byos-v20230313-x86_64-gen2

sle-security-updates at sle-security-updates at
Fri Mar 17 15:48:25 UTC 2023

SUSE Image Update Advisory: suse-sles-15-sp3-chost-byos-v20230313-x86_64-gen2
Image Advisory ID : SUSE-IU-2023:164-1
Image Tags        : suse-sles-15-sp3-chost-byos-v20230313-x86_64-gen2:20230313
Image Release     : 
Severity          : important
Type              : security
References        : 1027519 1065729 1065729 1071995 1103388 1104120 1106523 1121365
                        1121410 1151927 1156395 1156395 1157049 1168806 1170160 1170160
                        1177460 1178168 1180422 1180482 1182066 1182482 1182482 1183533
                        1184350 1185697 1186749 1187948 1189297 1190091 1190969 1191375
                        1192761 1194038 1194338 1195175 1196332 1196332 1198331 1198472
                        1199282 1199467 1199657 1200110 1200723 1200845 1201455 1201469
                        1201689 1202436 1202436 1203144 1203183 1203652 1203693 1203740
                        1203746 1203857 1203960 1204017 1204142 1204171 1204215 1204228
                        1204241 1204250 1204328 1204364 1204414 1204423 1204446 1204502
                        1204585 1204614 1204636 1204693 1204693 1204760 1204779 1204780
                        1204791 1204810 1204827 1204850 1204868 1204934 1204957 1204963
                        1204967 1204989 1205000 1205126 1205128 1205130 1205149 1205209
                        1205220 1205244 1205256 1205264 1205329 1205330 1205385 1205386
                        1205428 1205473 1205495 1205496 1205514 1205567 1205601 1205617
                        1205646 1205671 1205695 1205700 1205705 1205709 1205753 1205796
                        1205797 1205946 1205984 1205985 1205986 1205987 1205988 1205989
                        1206028 1206032 1206037 1206071 1206072 1206073 1206075 1206077
                        1206113 1206114 1206174 1206175 1206176 1206177 1206178 1206179
                        1206207 1206212 1206212 1206309 1206337 1206344 1206389 1206393
                        1206394 1206395 1206397 1206398 1206399 1206412 1206504 1206504
                        1206515 1206546 1206579 1206602 1206622 1206634 1206635 1206636
                        1206637 1206640 1206641 1206642 1206643 1206644 1206645 1206646
                        1206647 1206648 1206649 1206663 1206664 1206667 1206677 1206738
                        1206784 1206841 1206854 1206855 1206857 1206858 1206859 1206860
                        1206866 1206867 1206868 1206873 1206875 1206876 1206877 1206878
                        1206880 1206881 1206882 1206883 1206884 1206885 1206886 1206887
                        1206888 1206889 1206890 1206891 1206893 1206896 1206904 1207034
                        1207036 1207082 1207125 1207134 1207162 1207186 1207198 1207218
                        1207237 1207294 1207396 1207471 1207497 1207508 1207533 1207534
                        1207536 1207538 1207753 1207769 1207878 1208067 1208143 1208443
                        CVE-2019-19083 CVE-2020-25659 CVE-2020-36242 CVE-2021-20251 CVE-2021-28153
                        CVE-2022-23491 CVE-2022-23824 CVE-2022-2602 CVE-2022-28693 CVE-2022-29900
                        CVE-2022-29901 CVE-2022-3094 CVE-2022-3105 CVE-2022-3106 CVE-2022-3107
                        CVE-2022-3108 CVE-2022-3111 CVE-2022-3112 CVE-2022-3115 CVE-2022-3435
                        CVE-2022-3491 CVE-2022-3520 CVE-2022-3564 CVE-2022-3567 CVE-2022-3591
                        CVE-2022-3606 CVE-2022-3628 CVE-2022-3635 CVE-2022-3643 CVE-2022-3705
                        CVE-2022-3707 CVE-2022-37966 CVE-2022-37967 CVE-2022-38023 CVE-2022-38023
                        CVE-2022-3903 CVE-2022-40897 CVE-2022-4095 CVE-2022-4129 CVE-2022-4139
                        CVE-2022-4141 CVE-2022-41850 CVE-2022-41858 CVE-2022-42328 CVE-2022-42329
                        CVE-2022-42895 CVE-2022-42896 CVE-2022-42898 CVE-2022-4292 CVE-2022-4293
                        CVE-2022-42969 CVE-2022-4304 CVE-2022-43552 CVE-2022-4378 CVE-2022-43945
                        CVE-2022-4415 CVE-2022-4450 CVE-2022-45061 CVE-2022-45934 CVE-2022-4662
                        CVE-2022-46908 CVE-2022-47520 CVE-2022-47629 CVE-2022-47929 CVE-2022-48303
                        CVE-2022-4904 CVE-2023-0049 CVE-2023-0051 CVE-2023-0054 CVE-2023-0179
                        CVE-2023-0215 CVE-2023-0266 CVE-2023-0286 CVE-2023-0288 CVE-2023-0361
                        CVE-2023-0433 CVE-2023-22809 CVE-2023-23454 CVE-2023-23455 

The container suse-sles-15-sp3-chost-byos-v20230313-x86_64-gen2 was updated. The following patches have been included in this update:

Advisory ID: SUSE-RU-2018:2022-1
Released:    Wed Sep 26 09:48:09 2018
Summary:     Recommended update for SUSE Manager Client Tools
Type:        recommended
Severity:    moderate
References:  1103388,1104120,1106523
This update fixes the following issues:


- Update to version 0.314:
  + Updated pci, usb and vendor ids.


- Channels are now actually unsubscribed from the assigned systems when removed
  using the spacewalk-remove-channel tool. (bsc#1104120)
- Take only text files from /srv/salt to make spacewalk-debug smaller. (bsc#1103388)

Advisory ID: SUSE-RU-2019:1022-1
Released:    Wed Apr 24 13:46:51 2019
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    moderate
References:  1121410
This update for hwdata fixes the following issues:

Update to version 0.320 (bsc#1121410):

- Updated the pci, usb and vendor ids vendor and product databases.

Advisory ID: SUSE-RU-2020:1261-1
Released:    Tue May 12 18:40:18 2020
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    moderate
References:  1168806
This update for hwdata fixes the following issues:

Update from version 0.320 to version 0.324 (bsc#1168806)

- Updated pci, usb and vendor ids.
- Replace pciutils-ids package providing compatibility symbolic link

Advisory ID: SUSE-RU-2021:421-1
Released:    Wed Feb 10 12:05:23 2021
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    low
References:  1180422,1180482
This update for hwdata fixes the following issues:

- Added to fully duplicate behavior of pciutils-ids (bsc#1180422, bsc#1180482)
- Updated pci, usb and vendor ids.

Advisory ID: SUSE-RU-2021:880-1
Released:    Fri Mar 19 04:14:38 2021
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    low
References:  1170160,1182482
This update for hwdata fixes the following issues:

- Updated pci, usb and vendor ids (bsc#1182482, bsc#1170160, jsc#SLE-13791)

Advisory ID: SUSE-RU-2021:1950-1
Released:    Thu Jun 10 14:42:00 2021
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    moderate
References:  1170160,1182482,1185697
This update for hwdata fixes the following issues:

- Update to version 0.347:
  + Updated pci, usb and vendor ids. (bsc#1185697)

- Update to version 0.346:
  + Updated pci, usb and vendor ids. (bsc#1182482, jsc#SLE-13791, bsc#1170160)

Advisory ID: SUSE-RU-2021:2447-1
Released:    Thu Jul 22 08:26:29 2021
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    moderate
References:  1186749,1187948
This update for hwdata fixes the following issue:

- Version 0.349: Updated pci, usb and vendor ids (bsc#1187948).

Advisory ID: SUSE-RU-2021:2973-1
Released:    Tue Sep  7 16:56:08 2021
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    moderate
References:  1190091
This update for hwdata fixes the following issue:

- Update pci, usb and vendor ids (bsc#1190091)

Advisory ID: SUSE-RU-2021:3832-1
Released:    Wed Dec  1 14:51:19 2021
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    moderate
References:  1191375
This update for hwdata fixes the following issue:

- Update to version 0.353 (bsc#1191375)

Advisory ID: SUSE-RU-2022:100-1
Released:    Tue Jan 18 05:20:03 2022
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    moderate
References:  1194338
This update for hwdata fixes the following issues:

- Update hwdata from version 0.353 to 0.355 which includes updated pci, usb
  and vendor ids (bsc#1194338)

Advisory ID: SUSE-RU-2022:1204-1
Released:    Thu Apr 14 12:15:55 2022
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    moderate
References:  1196332
This update for hwdata fixes the following issues:

- Updated pci, usb and vendor ids (bsc#1196332)

Advisory ID: SUSE-RU-2022:1703-1
Released:    Tue May 17 12:13:36 2022
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    important
References:  1196332
This update for hwdata fixes the following issues:

- Updated pci, usb and vendor ids (bsc#1196332)

Advisory ID: SUSE-RU-2022:3135-1
Released:    Wed Sep  7 08:39:31 2022
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    low
References:  1200110
This update for hwdata fixes the following issue:

- Update pci, usb and vendor ids to version 0.360 (bsc#1200110)

Advisory ID: SUSE-RU-2022:4063-1
Released:    Fri Nov 18 09:07:50 2022
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    moderate
This update for hwdata fixes the following issues:

- Updated pci, usb and vendor ids

Advisory ID: SUSE-SU-2022:4616-1
Released:    Fri Dec 23 10:55:46 2022
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1065729,1071995,1156395,1184350,1189297,1192761,1199657,1200845,1201455,1201469,1203144,1203746,1203960,1204017,1204142,1204215,1204228,1204241,1204328,1204414,1204446,1204636,1204693,1204780,1204791,1204810,1204827,1204850,1204868,1204934,1204957,1204963,1204967,1205128,1205130,1205220,1205264,1205329,1205330,1205428,1205473,1205514,1205567,1205617,1205671,1205700,1205705,1205709,1205753,1205796,1205984,1205985,1205986,1205987,1205988,1205989,1206032,1206037,1206207,CVE-2022-2602,CVE-2022-28693,CVE-2022-29900,CVE-2022-29901,CVE-2022-3567,CVE-2022-3628,CVE-2022-3635,CVE-2022-3707,CVE-2022-3903,CVE-2022-4095,CVE-2022-4129,CVE-2022-4139,CVE-2022-41850,CVE-2022-41858,CVE-2022-42895,CVE-2022-42896,CVE-2022-4378,CVE-2022-43945,CVE-2022-45934
The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2022-4378: Fixed stack overflow in __do_proc_dointvec (bsc#1206207).
- CVE-2022-3635: Fixed a use-after-free in tst_timer() in drivers/atm/idt77252.c (bsc#1204631).
- CVE-2022-41850: Fixed a race condition in roccat_report_event() in drivers/hid/hid-roccat.c (bsc#1203960).
- CVE-2022-45934: Fixed an integer wraparound via L2CAP_CONF_REQ packets in l2cap_config_req in net/bluetooth/l2cap_core.c (bsc#1205796).
- CVE-2022-3628: Fixed potential buffer overflow in brcmf_fweh_event_worker() in wifi/brcmfmac (bsc#1204868).
- CVE-2022-3567: Fixed a race condition in inet6_stream_ops()/inet6_dgram_ops() (bsc#1204414).
- CVE-2022-41858: Fixed a denial of service in sl_tx_timeout() in drivers/net/slip (bsc#1205671).
- CVE-2022-43945: Fixed a buffer overflow in the NFSD implementation (bsc#1205128).
- CVE-2022-4095: Fixed a use-after-free in rtl8712 driver (bsc#1205514).
- CVE-2022-3903: Fixed a denial of service with the Infrared Transceiver USB driver (bsc#1205220).
- CVE-2022-2602: Fixed a local privilege escalation vulnerability involving Unix socket Garbage Collection and io_uring (bsc#1204228).
- CVE-2022-4139: Fixed an issue with the i915 driver that allowed the GPU to access any physical memory (bsc#1205700).
- CVE-2022-4129: Fixed a denial of service with the Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. (bsc#1205711)
- CVE-2022-42895: Fixed an information leak in l2cap_parse_conf_req() in net/bluetooth/l2cap_core.c which can be used to leak kernel pointers remotely (bsc#1205705).
- CVE-2022-42896: Fixed a use-after-free vulnerability in l2cap_connect() and l2cap_le_connect_req() in net/bluetooth/l2cap_core.c which may have allowed code execution and leaking kernel memory (respectively) remotely via Bluetooth (bsc#1205709).
- CVE-2022-3707: Fixed a double free in the Intel GVT-g graphics driver (bsc#1204780).

The following non-security bugs were fixed:

- ALSA: hda/ca0132: add quirk for EVGA Z390 DARK (git-fixes).
- ALSA: hda: fix potential memleak in 'add_widget_node' (git-fixes).
- ALSA: usb-audio: Add DSD support for Accuphase DAC-60 (git-fixes).
- ALSA: usb-audio: Add quirk entry for M-Audio Micro (git-fixes).
- ALSA: usb-audio: Drop snd_BUG_ON() from snd_usbmidi_output_open() (git-fixes).
- ASoC: codecs: jz4725b: Fix spelling mistake 'Sourc' -> 'Source', 'Routee' -> 'Route' (git-fixes).
- ASoC: codecs: jz4725b: add missed Line In power control bit (git-fixes).
- ASoC: codecs: jz4725b: fix capture selector naming (git-fixes).
- ASoC: codecs: jz4725b: fix reported volume for Master ctl (git-fixes).
- ASoC: codecs: jz4725b: use right control for Capture Volume (git-fixes).
- ASoC: core: Fix use-after-free in snd_soc_exit() (git-fixes).
- ASoC: max98373: Add checks for devm_kcalloc (git-fixes).
- ASoC: soc-utils: Remove __exit for snd_soc_util_exit() (git-fixes).
- ASoC: wm5102: Revert 'ASoC: wm5102: Fix PM disable depth imbalance in wm5102_probe' (git-fixes).
- ASoC: wm5110: Revert 'ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probe' (git-fixes).
- ASoC: wm8962: Add an event handler for TEMP_HP and TEMP_SPK (git-fixes).
- ASoC: wm8997: Revert 'ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe' (git-fixes).
- Bluetooth: L2CAP: Fix attempting to access uninitialized memory (git-fixes).
- Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm (git-fixes).
- Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu (git-fixes).
- Do not enable CONFIG_ATARI_PARTITION (jsc#PED-1573)
- Drivers: hv: vmbus: Add /sys/bus/vmbus/hibernation (git-fixes).
- Drivers: hv: vmbus: Add VMbus IMC device to unsupported list (git-fixes).
- Drivers: hv: vmbus: Add vmbus_requestor data structure for VMBus hardening (bsc#1204017).
- Drivers: hv: vmbus: Drop error message when 'No request id available' (bsc#1204017).
- Drivers: hv: vmbus: Fix duplicate CPU assignments within a device (git-fixes).
- Drivers: hv: vmbus: Fix handling of messages with transaction ID of zero (bsc#1204017).
- Drivers: hv: vmbus: Fix memory leak in vmbus_add_channel_kobj (git-fixes).
- Drivers: hv: vmbus: Fix potential crash on module unload (git-fixes).
- Drivers: hv: vmbus: Introduce vmbus_request_addr_match() (bsc#1204017).
- Drivers: hv: vmbus: Introduce vmbus_sendpacket_getid() (bsc#1204017).
- Drivers: hv: vmbus: Introduce {lock,unlock}_requestor() (bsc#1204017).
- Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer (git-fixes).
- Drivers: hv: vmbus: Remove unused linux/version.h header (git-fixes).
- Drivers: hv: vmbus: Replace smp_store_mb() with virt_store_mb() (git-fixes).
- Drivers: hv: vmbus: fix double free in the error path of vmbus_add_channel_work() (git-fixes).
- Drivers: hv: vmbus: fix possible memory leak in vmbus_device_register() (git-fixes).
- Drivers: hv: vmbus: remove unused function (git-fixes).
- HID: saitek: add madcatz variant of MMO7 mouse device ID (git-fixes).
- Input: i8042 - fix leaking of platform device on module removal (git-fixes).
- Input: iforce - invert valid length check when fetching device IDs (git-fixes).
- KVM: VMX: Always VMCLEAR in-use VMCSes during crash with kexec support (git-fixes).
- KVM: nVMX: Invalidate all EPTP contexts when emulating INVEPT for L1 (git-fixes).
- KVM: nVMX: Validate the EPTP when emulating INVEPT(EXTENT_CONTEXT) (git-fixes).
- KVM: nVMX: clear PIN_BASED_POSTED_INTR from nested pinbased_ctls only when apicv is globally disabled (git-fixes).
- KVM: s390: Add a routine for setting userspace CPU state (git-fixes).
- KVM: s390: Fix handle_sske page fault handling (git-fixes).
- KVM: s390: Simplify SIGP Set Arch handling (git-fixes).
- KVM: s390: get rid of register asm usage (git-fixes).
- KVM: s390: pv: avoid stalls when making pages secure (git-fixes).
- KVM: s390: pv: do not allow userspace to set the clock under PV (git-fixes).
- KVM: s390: pv: leak the topmost page table when destroy fails (git-fixes).
- KVM: s390: reduce number of IO pins to 1 (git-fixes).
- NFC: nci: fix memory leak in nci_rx_data_packet() (git-fixes).
- NFS: Refactor nfs_instantiate() for dentry referencing callers (bsc#1204215).
- NFSv3: use nfs_add_or_obtain() to create and reference inodes (bsc#1204215).
- PCI: hv: Add check for hyperv_initialized in init_hv_pci_drv() (bsc#1204446).
- PCI: hv: Add validation for untrusted Hyper-V values (git-fixes).
- PCI: hv: Drop msi_controller structure (bsc#1204446).
- PCI: hv: Fix a race condition when removing the device (bsc#1204446).
- PCI: hv: Fix sleep while in non-sleep context when removing child devices from the bus (bsc#1204446).
- PCI: hv: Fix synchronization between channel callback and hv_compose_msi_msg() (bsc#1204017).
- PCI: hv: Fix synchronization between channel callback and hv_pci_bus_exit() (bsc#1204017).
- PCI: hv: Fix the definition of vector in hv_compose_msi_msg() (bsc#1200845).
- PCI: hv: Fix typo (bsc#1204446).
- PCI: hv: Remove bus device removal unused refcount/functions (bsc#1204446).
- PCI: hv: Remove unnecessary use of %hx (bsc#1204446).
- PCI: hv: Support for create interrupt v3 (bsc#1204446).
- PCI: hv: Use PCI_ERROR_RESPONSE to identify config read errors (bsc#1204446).
- PCI: hv: Use vmbus_requestor to generate transaction IDs for VMbus hardening (bsc#1204017).
- RDMA/core/sa_query: Remove unused argument (git-fixes)
- RDMA/hns: Fix spelling mistakes of original (git-fixes)
- RDMA/qedr: Add support for user mode XRC-SRQ's (git-fixes)
- RDMA/qedr: Fix reporting max_{send/recv}_wr attrs (git-fixes)
- RDMA/qedr: Remove unsupported qedr_resize_cq callback (git-fixes)
- RDMA/rxe: Fix memory leak in error path code (git-fixes)
- SCSI: scsi_probe_lun: retry INQUIRY after timeout (bsc#1189297).
- USB: add RESET_RESUME quirk for NVIDIA Jetson devices in RCM (git-fixes).
- USB: serial: option: add Fibocom FM160 0x0111 composition (git-fixes).
- USB: serial: option: add Sierra Wireless EM9191 (git-fixes).
- USB: serial: option: add u-blox LARA-L6 modem (git-fixes).
- USB: serial: option: add u-blox LARA-R6 00B modem (git-fixes).
- USB: serial: option: remove old LARA-R6 PID (git-fixes).
- USB: serial: option: remove old LARA-R6 PID.
- Xen/gntdev: do not ignore kernel unmapping error (git-fixes).
- add another bug reference to some hyperv changes (bsc#1205617).
- arm/xen: Do not probe xenbus as part of an early initcall (git-fixes).
- arm64: dts: imx8mm: Fix NAND controller size-cells (git-fixes)
- arm64: dts: juno: Add thermal critical trip points (git-fixes)
- ata: libata-transport: fix double ata_host_put() in ata_tport_add() (git-fixes).
- ata: libata-transport: fix error handling in ata_tdev_add() (git-fixes).
- ata: libata-transport: fix error handling in ata_tlink_add() (git-fixes).
- ata: libata-transport: fix error handling in ata_tport_add() (git-fixes).
- ata: pata_legacy: fix pdc20230_set_piomode() (git-fixes).
- blk-crypto: fix check for too-large dun_bytes (git-fixes).
- blk-mq: Properly init requests from blk_mq_alloc_request_hctx() (git-fixes).
- blk-mq: do not create hctx debugfs dir until q->debugfs_dir is created (git-fixes).
- blk-wbt: call rq_qos_add() after wb_normal is initialized (git-fixes).
- blktrace: Trace remapped requests correctly (git-fixes).
- block-map: add __GFP_ZERO flag for alloc_page in function bio_copy_kern (git-fixes).
- block: Add a helper to validate the block size (git-fixes).
- block: assign bi_bdev for cloned bios in blk_rq_prep_clone (bsc#1204328).
- block: ataflop: fix breakage introduced at blk-mq refactoring (git-fixes).
- block: ataflop: more blk-mq refactoring fixes (git-fixes).
- block: fix infinite loop for invalid zone append (git-fixes).
- block: limit request dispatch loop duration (git-fixes).
- block: nbd: add sanity check for first_minor (git-fixes).
- block: use 'unsigned long' for blk_validate_block_size() (git-fixes).
- bus: sunxi-rsb: Support atomic transfers (git-fixes).
- can: cc770: cc770_isa_probe(): add missing free_cc770dev() (git-fixes).
- can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev() (git-fixes).
- capabilities: fix undefined behavior in bit shift for CAP_TO_MASK (git-fixes).
- ceph: allow ceph.dir.rctime xattr to be updatable (bsc#1205989).
- ceph: do not access the kiocb after aio requests (bsc#1205984).
- ceph: fix fscache invalidation (bsc#1205985).
- ceph: lockdep annotations for try_nonblocking_invalidate (bsc#1205988).
- ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty (bsc#1205986).
- ceph: request Fw caps before updating the mtime in ceph_write_iter (bsc#1205987).
- cifs: skip extra NULL byte in filenames (bsc#1204791).
- dm era: commit metadata in postsuspend after worker stops (git-fixes).
- dm integrity: set journal entry unused when shrinking device (git-fixes).
- dm mirror log: clear log bits up to BITS_PER_LONG boundary (git-fixes).
- dm mpath: only use ktime_get_ns() in historical selector (git-fixes).
- dm raid: fix accesses beyond end of raid member array (git-fixes).
- dm raid: fix address sanitizer warning in raid_resume (git-fixes).
- dm raid: fix address sanitizer warning in raid_status (git-fixes).
- dm thin: fix use-after-free crash in dm_sm_register_threshold_callback (git-fixes).
- dm verity fec: fix misaligned RS roots IO (git-fixes).
- dm writecache: fix writing beyond end of underlying device when shrinking (git-fixes).
- dm writecache: return the exact table values that were set (git-fixes).
- dm writecache: set a default MAX_WRITEBACK_JOBS (git-fixes).
- dm: fix request-based DM to not bounce through indirect dm_submit_bio (git-fixes).
- dm: remove special-casing of bio-based immutable singleton target on NVMe (git-fixes).
- dm: return early from dm_pr_call() if DM device is suspended (git-fixes).
- dma-buf: fix racing conflict of dma_heap_add() (git-fixes).
- dmaengine: at_hdmac: Check return code of dma_async_device_register (git-fixes).
- dmaengine: at_hdmac: Do not allow CPU to reorder channel enable (git-fixes).
- dmaengine: at_hdmac: Do not start transactions at tx_submit level (git-fixes).
- dmaengine: at_hdmac: Fix at_lli struct definition (git-fixes).
- dmaengine: at_hdmac: Fix completion of unissued descriptor in case of errors (git-fixes).
- dmaengine: at_hdmac: Fix impossible condition (git-fixes).
- dmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove() (git-fixes).
- dmaengine: pxa_dma: use platform_get_irq_optional (git-fixes).
- drivers/hv: remove obsolete TODO and fix misleading typo in comment (git-fixes).
- drivers: hv: Fix EXPORT_SYMBOL and tab spaces issue (git-fixes).
- drivers: hv: Fix hyperv_record_panic_msg path on comment (git-fixes).
- drivers: hv: Fix missing error code in vmbus_connect() (git-fixes).
- drivers: hv: vmbus: Fix call msleep using < 20ms (git-fixes).
- drivers: hv: vmbus: Fix checkpatch LINE_SPACING (git-fixes).
- drivers: hv: vmbus: Fix checkpatch SPLIT_STRING (git-fixes).
- drivers: hv: vmbus: Replace symbolic permissions by octal permissions (git-fixes).
- drivers: net: slip: fix NPD bug in sl_tx_timeout() (git-fixes).
- drm/drv: Fix potential memory leak in drm_dev_init() (git-fixes).
- drm/i915/dmabuf: fix sg_table handling in map_dma_buf (git-fixes).
- drm/i915/sdvo: Filter out invalid outputs more sensibly (git-fixes).
- drm/i915/sdvo: Setup DDC fully before output init (git-fixes).
- drm/imx: imx-tve: Fix return type of imx_tve_connector_mode_valid (git-fixes).
- drm/panel: simple: set bpc field for logic technologies displays (git-fixes).
- drm/rockchip: dsi: Force synchronous probe (git-fixes).
- drm/vc4: Fix missing platform_unregister_drivers() call in vc4_drm_register() (git-fixes).
- drm: Fix potential null-ptr-deref in drm_vblank_destroy_worker() (git-fixes).
- fbdev: smscufx: Fix several use-after-free bugs (git-fixes).
- firmware: arm_scmi: Suppress the driver's bind attributes (git-fixes).
- ftrace: Fix char print issue in print_ip_ins() (git-fixes).
- ftrace: Fix null pointer dereference in ftrace_add_mod() (git-fixes).
- ftrace: Fix the possible incorrect kernel message (git-fixes).
- ftrace: Fix use-after-free for dynamic ftrace_ops (git-fixes).
- ftrace: Optimize the allocation for mcount entries (git-fixes).
- ftrace: Properly unset FTRACE_HASH_FL_MOD (git-fixes).
- fuse: add file_modified() to fallocate (bsc#1205330).
- fuse: fix readdir cache race (bsc#1205329).
- hamradio: fix issue of dev reference count leakage in bpq_device_event() (git-fixes).
- hv: hyperv.h: Remove unused inline functions (git-fixes).
- hv_netvsc: Add a comment clarifying batching logic (git-fixes).
- hv_netvsc: Add check for kvmalloc_array (git-fixes).
- hv_netvsc: Add error handling while switching data path (bsc#1204850).
- hv_netvsc: Allocate the recv_buf buffers after NVSP_MSG1_TYPE_SEND_RECV_BUF (git-fixes).
- hv_netvsc: Check VF datapath when sending traffic to VF (git-fixes).
- hv_netvsc: Fix potential dereference of NULL pointer (git-fixes).
- hv_netvsc: Fix race between VF offering and VF association message from host (bsc#1204850).
- hv_netvsc: Print value of invalid ID in netvsc_send_{completion,tx_complete}() (git-fixes).
- hv_netvsc: Process NETDEV_GOING_DOWN on VF hot remove (bsc#1204850).
- hv_netvsc: Use bitmap_zalloc() when applicable (git-fixes).
- hv_netvsc: Use vmbus_requestor to generate transaction IDs for VMBus hardening (bsc#1204017).
- hv_netvsc: Validate number of allocated sub-channels (git-fixes).
- hv_netvsc: Wait for completion on request SWITCH_DATA_PATH (bsc#1204017).
- hv_netvsc: use netif_is_bond_master() instead of open code (git-fixes).
- hv_utils: Fix passing zero to 'PTR_ERR' warning (git-fixes).
- hwmon: (coretemp) Check for null before removing sysfs attrs (git-fixes).
- hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() (git-fixes).
- hwmon: (i5500_temp) fix missing pci_disable_device() (git-fixes).
- hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails (git-fixes).
- i2c: i801: add lis3lv02d's I2C address for Vostro 5568 (git-fixes).
- ibmvnic: Free rwi on reset success (bsc#1184350 ltc#191533 git-fixes).
- iio: adc: at91_adc: fix possible memory leak in at91_adc_allocate_trigger() (git-fixes).
- iio: core: Fix entry not deleted when iio_register_sw_trigger_type() fails (git-fixes).
- iio: health: afe4403: Fix oob read in afe4403_read_raw (git-fixes).
- iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw (git-fixes).
- iio: light: apds9960: fix wrong register for gesture gain (git-fixes).
- iio: light: rpr0521: add missing Kconfig dependencies (git-fixes).
- iio: pressure: ms5611: changed hardcoded SPI speed to value limited (git-fixes).
- iio: trigger: sysfs: fix possible memory leak in iio_sysfs_trig_init() (git-fixes).
- isdn: mISDN: netjet: fix wrong check of device registration (git-fixes).
- iwlwifi: dbg: disable ini debug in 9000 family and below (git-fixes).
- kABI: Fix after adding trace_iterator.wait_index (git-fixes).
- kABI: remove new member of usbip_device (git-fixes).
- kabi: fix transport_add_device change (git-fixes).
- kexec: turn all kexec_mutex acquisitions into trylocks (git-fixes).
- kvm: nVMX: reflect MTF VM-exits if injected by L1 (git-fixes).
- livepatch: Add a missing newline character in klp_module_coming() (bsc#1071995).
- livepatch: fix race between fork and KLP transition (bsc#1071995).
- loop: Check for overflow while configuring loop (git-fixes).
- mISDN: fix misuse of put_device() in mISDN_register_device() (git-fixes).
- mISDN: fix possible memory leak in mISDN_dsp_element_register() (git-fixes).
- mISDN: fix possible memory leak in mISDN_register_device() (git-fixes).
- md/raid5: Ensure stripe_fill happens on non-read IO with journal (git-fixes).
- md: Replace snprintf with scnprintf (git-fixes).
- media: dvb-frontends/drxk: initialize err to 0 (git-fixes).
- media: meson: vdec: fix possible refcount leak in vdec_probe() (git-fixes).
- media: v4l2: Fix v4l2_i2c_subdev_set_name function documentation (git-fixes).
- media: venus: dec: Handle the case where find_format fails (git-fixes).
- media: vim2m: initialize the media device earlier (git-fixes).
- media: vivid: fix assignment of dev->fbuf_out_flags (git-fixes).
- misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram() (git-fixes).
- mmc: core: properly select voltage range without power cycle (git-fixes).
- mmc: cqhci: Provide helper for resetting both SDHCI and CQHCI (git-fixes).
- mmc: sdhci-of-arasan: Fix SDHCI_RESET_ALL for CQHCI (git-fixes).
- mmc: sdhci-pci-o2micro: fix card detect fail issue caused by CD# debounce timeout (git-fixes).
- mmc: sdhci-pci: Fix possible memory leak caused by missing pci_dev_put() (git-fixes).
- nbd: Fix use-after-free in pid_show (git-fixes).
- nbd: fix possible overflow for 'first_minor' in nbd_dev_add() (git-fixes).
- nbd: fix possible overflow on 'first_minor' in nbd_dev_add() (git-fixes).
- nbd: handle device refs for DESTROY_ON_DISCONNECT properly (git-fixes).
- net/x25: Fix skb leak in x25_lapb_receive_frame() (git-fixes).
- net: ethernet: nixge: fix NULL dereference (git-fixes).
- net: ethernet: renesas: ravb: Fix promiscuous mode after system resumed (git-fixes).
- net: hyperv: remove use of bpf_op_t (git-fixes).
- net: netvsc: remove break after return (git-fixes).
- net: phy: fix null-ptr-deref while probe() failed (git-fixes).
- net: thunderbolt: Fix error handling in tbnet_init() (git-fixes).
- net: usb: qmi_wwan: Set DTR quirk for MR400 (git-fixes).
- net: usb: qmi_wwan: restore mtu min/max values after raw_ip switch (git-fixes).
- nfc/nci: fix race with opening and closing (git-fixes).
- nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send() (git-fixes).
- nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send() (git-fixes).
- nfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION (git-fixes).
- nfc: st-nci: fix memory leaks in EVT_TRANSACTION (git-fixes).
- nfsd: set the server_scope during service startup (bsc#1203746).
- null_blk: Fail zone append to conventional zones (git-fixes).
- null_blk: synchronization fix for zoned device (git-fixes).
- nvmem: core: Check input parameter for NULL in nvmem_unregister() (bsc#1204241).
- panic, kexec: make __crash_kexec() NMI safe (git-fixes).
- parport_pc: Avoid FIFO port location truncation (git-fixes).
- phy: stm32: fix an error code in probe (git-fixes).
- pinctrl: devicetree: fix null pointer dereferencing in pinctrl_dt_to_map (git-fixes).
- platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi (git-fixes).
- powerpc/boot: Explicitly disable usage of SPE instructions (bsc#1156395).
- powerpc/kvm: Fix kvm_use_magic_page (bsc#1156395).
- printk: add missing memory barrier to wake_up_klogd() (bsc#1204934).
- printk: use atomic updates for klogd work (bsc#1204934).
- printk: wake waiters for safe and NMI contexts (bsc#1204934).
- r8152: Add MAC passthrough support to new device (git-fixes).
- r8152: add PID for the Lenovo OneLink+ Dock (git-fixes).
- r8152: use new helper tcp_v6_gso_csum_prep (git-fixes).
- rbd: fix possible memory leak in rbd_sysfs_init() (git-fixes).
- regulator: core: fix UAF in destroy_regulator() (git-fixes).
- regulator: core: fix kobject release warning and memory leak in regulator_register() (git-fixes).
- regulator: twl6030: re-add TWL6032_SUBCLASS (git-fixes).
- ring-buffer: Add ring_buffer_wake_waiters() (git-fixes).
- ring-buffer: Allow splice to read previous partially read pages (git-fixes).
- ring-buffer: Check for NULL cpu_buffer in ring_buffer_wake_waiters() (git-fixes).
- ring-buffer: Check pending waiters when doing wake ups as well (git-fixes).
- ring-buffer: Fix race between reset page and reading page (git-fixes).
- ring-buffer: Have the shortest_full queue be the shortest not longest (git-fixes).
- ring-buffer: Include dropped pages in counting dirty patches (git-fixes).
- ring_buffer: Do not deactivate non-existant pages (git-fixes).
- rndis_host: increase sleep time in the query-response loop (git-fixes).
- rtc: mt6397: fix alarm register overwrite (git-fixes).
- s390/boot: fix absolute zero lowcore corruption on boot (git-fixes).
- s390/cpcmd: fix inline assembly register clobbering (git-fixes).
- s390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup (git-fixes).
- s390/disassembler: increase ebpf disasm buffer size (git-fixes).
- s390/futex: add missing EX_TABLE entry to __futex_atomic_op() (bsc#1205428 LTC#200501).
- s390/hugetlb: fix prepare_hugepage_range() check for 2 GB hugepages (bsc#1203144 LTC#199881).
- s390/mm: use non-quiescing sske for KVM switch to keyed guest (git-fixes).
- s390/pci: add missing EX_TABLE entries to __pcistg_mio_inuser()/__pcilg_mio_inuser() (git-fixes).
- s390/ptrace: return -ENOSYS when invalid syscall is supplied (git-fixes).
- s390/uaccess: add missing EX_TABLE entries to __clear_user(), copy_in_user_mvcos(), copy_in_user_mvc(), clear_user_xc() and __strnlen_user() (bsc#1205428 LTC#200501).
- s390/vtime: fix inline assembly clobber list (git-fixes).
- s390/zcore: fix race when reading from hardware system area (git-fixes).
- s390/zcrypt: fix zcard and zqueue hot-unplug memleak (git-fixes).
- s390: Remove arch_has_random, arch_has_random_seed (git-fixes).
- s390: fix double free of GS and RI CBs on fork() failure (git-fixes).
- s390: fix nospec table alignments (git-fixes).
- s390: mark __cpacf_query() as __always_inline (git-fixes).
- scsi: bsg: Remove support for SCSI_IOCTL_SEND_COMMAND (git-fixes).
- scsi: drivers: base: Propagate errors through the transport component (git-fixes).
- scsi: drivers: base: Support atomic version of attribute_container_device_trigger (git-fixes).
- scsi: ibmvfc: Avoid path failures during live migration (bsc#1065729 bsc#1204810 ltc#200162).
- scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024 (bsc#1156395).
- scsi: lpfc: Create a sysfs entry called lpfc_xcvr_data for transceiver info (bsc#1204957).
- scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs (bsc#1204957).
- scsi: lpfc: Fix memory leak in lpfc_create_port() (bsc#1204957).
- scsi: lpfc: Fix spelling mistake 'unsolicted' -> 'unsolicited' (bsc#1204957).
- scsi: lpfc: Log when congestion management limits are in effect (bsc#1204957).
- scsi: lpfc: Set sli4_param's cmf option to zero when CMF is turned off (bsc#1204957).
- scsi: lpfc: Update lpfc version to (bsc#1204957).
- scsi: lpfc: Update the obsolete adapter list (bsc#1204142).
- scsi: qla2xxx: Fix serialization of DCBX TLV data request (bsc#1204963).
- scsi: qla2xxx: Use transport-defined speed mask for supported_speeds (bsc#1204963).
- scsi: scsi_transport_sas: Fix error handling in sas_phy_add() (git-fixes).
- scsi: storvsc: Correctly handle multiple flags in srb_status (git-fixes).
- scsi: storvsc: Drop DID_TARGET_FAILURE use (git-fixes).
- scsi: storvsc: Fix handling of srb_status and capacity change events (git-fixes).
- scsi: storvsc: Fix max_outstanding_req_per_channel for Win8 and newer (bsc#1204017).
- scsi: storvsc: Fix validation for unsolicited incoming packets (bsc#1204017).
- scsi: storvsc: Log TEST_UNIT_READY errors as warnings (git-fixes).
- scsi: storvsc: Miscellaneous code cleanups (git-fixes).
- scsi: storvsc: Parameterize number hardware queues (git-fixes).
- scsi: storvsc: Remove WQ_MEM_RECLAIM from storvsc_error_wq (git-fixes).
- scsi: storvsc: Resolve data race in storvsc_probe() (bsc#1204017).
- scsi: storvsc: Return DID_ERROR for invalid commands (git-fixes).
- scsi: storvsc: Update error logging (git-fixes).
- scsi: storvsc: Use blk_mq_unique_tag() to generate requestIDs (bsc#1204017).
- scsi: storvsc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (git-fixes).
- scsi: storvsc: Use vmbus_requestor to generate transaction IDs for VMBus hardening (bsc#1204017).
- scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback() (bsc#1204017).
- scsi: zfcp: Fix double free of FSF request when qdio send fails (git-fixes).
- scsi: zfcp: Fix missing auto port scan and thus missing target ports (git-fixes).
- selftests/livepatch: better synchronize test_klp_callbacks_busy (bsc#1071995).
- serial: 8250: Fall back to non-DMA Rx if IIR_RDI occurs (git-fixes).
- serial: 8250: omap: Fix unpaired pm_runtime_put_sync() in omap8250_remove() (git-fixes).
- serial: 8250: omap: Flush PM QOS work on remove (git-fixes).
- serial: 8250_lpss: Configure DMA also w/o DMA filter (git-fixes).
- serial: 8250_omap: remove wait loop from Errata i202 workaround (git-fixes).
- serial: imx: Add missing .thaw_noirq hook (git-fixes).
- siox: fix possible memory leak in siox_device_add() (git-fixes).
- slimbus: stream: correct presence rate frequencies (git-fixes).
- spi: spi-imx: Fix spi_bus_clk if requested clock is higher than input clock (git-fixes).
- spi: stm32: Print summary 'callbacks suppressed' message (git-fixes).
- staging: greybus: light: fix a couple double frees (git-fixes).
- swiotlb-xen: use vmalloc_to_page on vmalloc virt addresses (git-fixes).
- tracing/ring-buffer: Have polling block on watermark (git-fixes).
- tracing: Add ioctl() to force ring buffer waiters to wake up (git-fixes).
- tracing: Disable interrupt or preemption before acquiring arch_spinlock_t (git-fixes).
- tracing: Do not free snapshot if tracer is on cmdline (git-fixes).
- tracing: Fix wild-memory-access in register_synth_event() (git-fixes).
- tracing: Simplify conditional compilation code in tracing_set_tracer() (git-fixes).
- tracing: Wake up ring buffer waiters on closing of the file (git-fixes).
- tracing: Wake up waiters when tracing is disabled (git-fixes).
- usb: add NO_LPM quirk for Realforce 87U Keyboard (git-fixes).
- usb: chipidea: fix deadlock in ci_otg_del_timer (git-fixes).
- usb: dwc3: exynos: Fix remove() function (git-fixes).
- usb: dwc3: fix PHY disable sequence (git-fixes).
- usb: dwc3: gadget: Clear ep descriptor last (git-fixes).
- usb: dwc3: gadget: Fix null pointer exception (git-fixes).
- usb: dwc3: qcom: fix runtime PM wakeup.
- usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup (git-fixes).
- usb: xhci: add XHCI_SPURIOUS_SUCCESS to ASM1042 despite being a V0.96 controller (git-fixes).
- usbip: add sysfs_lock to synchronize sysfs code paths (git-fixes).
- usbip: stub-dev synchronize sysfs code paths (git-fixes).
- usbip: stub_dev: remake locking for kABI (git-fixes).
- usbip: synchronize event handler with sysfs code paths (git-fixes).
- usbip: usbip_event: use global lock (git-fixes).
- usbip: vudc synchronize sysfs code paths (git-fixes).
- usbip: vudc_sysfs: use global lock (git-fixes).
- use __netdev_notify_peers in hyperv (git-fixes).
- v3 of 'PCI: hv: Only reuse existing IRTE allocation for Multi-MSI' (bsc#1200845)
- vfio/ccw: Do not change FSM state in subchannel event (git-fixes).
- virtio-blk: Do not use MAX_DISCARD_SEGMENTS if max_discard_seg is zero (git-fixes).
- virtio-blk: Use blk_validate_block_size() to validate block size (git-fixes).
- virtio_blk: eliminate anonymous module_init & module_exit (git-fixes).
- virtio_blk: fix the discard_granularity and discard_alignment queue limits (git-fixes).
- Fix placement of '.data..decrypted' section (git-fixes).
- wifi: cfg80211: fix buffer overflow in elem comparison (git-fixes).
- wifi: cfg80211: fix memory leak in query_regdb_file() (git-fixes).
- wifi: cfg80211: silence a sparse RCU warning (git-fixes).
- wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration (git-fixes).
- workqueue: do not skip lockdep work dependency in cancel_work_sync() (bsc#1204967).
- x86/bugs: Make sure MSR_SPEC_CTRL is updated properly upon resume from S3 (bsc#1206037).
- x86/cpu: Restore AMD's DE_CFG MSR after resume (bsc#1205473).
- x86/hyperv: Output host build info as normal Windows version number (git-fixes).
- x86/hyperv: check cpu mask after interrupt has been disabled (git-fixes).
- x86/kexec: Fix double-free of elf header buffer (bsc#1205567).
- x86/microcode/AMD: Apply the patch early on every logical thread (bsc#1205264).
- x86/xen: Add xen_no_vector_callback option to test PCI INTX delivery (git-fixes).
- x86/xen: Distribute switch variables for initialization (git-fixes).
- x86/xen: do not unbind uninitialized lock_kicker_irq (git-fixes).
- xen-blkback: prevent premature module unload (git-fixes).
- xen-netback: correct success/error reporting for the SKB-with-fraglist case (git-fixes).
- xen/balloon: fix balloon kthread freezing (git-fixes).
- xen/balloon: fix ballooned page accounting without hotplug enabled (git-fixes).
- xen/balloon: fix cancelled balloon action (git-fixes).
- xen/balloon: use a kernel thread instead a workqueue (git-fixes).
- xen/gntdev: Avoid blocking in unmap_grant_pages() (git-fixes).
- xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE (git-fixes).
- xen/gntdev: Prevent leaking grants (git-fixes).
- xen/pcpu: fix possible memory leak in register_pcpu() (git-fixes).
- xen/privcmd: Corrected error handling path (git-fixes).
- xen/privcmd: fix error exit of privcmd_ioctl_dm_op() (git-fixes).
- xen/xenbus: Fix granting of vmalloc'd memory (git-fixes).
- xen/xenbus: ensure xenbus_map_ring_valloc() returns proper grant status (git-fixes).
- xen: Fix XenStore initialisation for XS_LOCAL (git-fixes).
- xen: Fix event channel callback via INTX/GSI (git-fixes).
- xen: delay xen_hvm_init_time_ops() if kdump is boot on vcpu>=32 (git-fixes).
- xenbus: req->body should be updated before req->state (git-fixes).
- xenbus: req->err should be updated before req->state (git-fixes).
- xfs: Lower CIL flush limit for large logs (git-fixes).
- xfs: Throttle commits on delayed background CIL push (git-fixes).
- xfs: Use scnprintf() for avoiding potential buffer overflow (git-fixes).
- xfs: check owner of dir3 blocks (git-fixes).
- xfs: factor common AIL item deletion code (git-fixes).
- xfs: open code insert range extent split helper (git-fixes).
- xfs: rework collapse range into an atomic operation (git-fixes).
- xfs: rework insert range into an atomic operation (git-fixes).
- xfs: tail updates only need to occur when LSN changes (git-fixes).
- xfs: trylock underlying buffer on dquot flush (git-fixes).
- xfs: xfs_buf_corruption_error should take __this_address (git-fixes).
- xhci: Remove device endpoints from bandwidth list when freeing the device (git-fixes).

Advisory ID: SUSE-RU-2022:4618-1
Released:    Fri Dec 23 13:02:31 2022
Summary:     Recommended update for catatonit
Type:        recommended
Severity:    moderate
This update for catatonit fixes the following issues:

Update to catatonit v0.1.7:

- This release adds the ability for catatonit to be used as the only
  process in a pause container, by passing the -P flag (in this mode no
  subprocess is spawned and thus no signal forwarding is done). 

Update to catatonit v0.1.6:

- which fixes a few bugs -- mainly ones related to socket activation
  or features somewhat adjacent to socket activation (such as passing
  file descriptors).

Advisory ID: SUSE-SU-2022:4628-1
Released:    Wed Dec 28 09:23:13 2022
Summary:     Security update for sqlite3
Type:        security
Severity:    moderate
References:  1206337,CVE-2022-46908
This update for sqlite3 fixes the following issues:

- CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, 
  when relying on --safe for execution of an untrusted CLI script (bsc#1206337).

Advisory ID: SUSE-SU-2022:4630-1
Released:    Wed Dec 28 09:25:18 2022
Summary:     Security update for systemd
Type:        security
Severity:    important
References:  1200723,1203857,1204423,1205000,CVE-2022-4415
This update for systemd fixes the following issues:

- CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000).

Bug fixes:

- Support by-path devlink for multipath nvme block devices (bsc#1200723).
- Set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon (bsc#1203857).
- Restrict cpu rule to x86_64, and also update the rule files to make use of the 'CONST{arch}' syntax (bsc#1204423).

Advisory ID: SUSE-SU-2022:4631-1
Released:    Wed Dec 28 09:29:15 2022
Summary:     Security update for vim
Type:        security
Severity:    important
References:  1204779,1205797,1206028,1206071,1206072,1206075,1206077,CVE-2022-3491,CVE-2022-3520,CVE-2022-3591,CVE-2022-3705,CVE-2022-4141,CVE-2022-4292,CVE-2022-4293
This update for vim fixes the following issues:

Updated to version 9.0.1040:

- CVE-2022-3491: vim: Heap-based Buffer Overflow prior to 9.0.0742 (bsc#1206028).
- CVE-2022-3520: vim: Heap-based Buffer Overflow (bsc#1206071).
- CVE-2022-3591: vim: Use After Free (bsc#1206072).
- CVE-2022-4292: vim: Use After Free in GitHub repository vim/vim prior to 9.0.0882 (bsc#1206075).
- CVE-2022-4293: vim: Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804 (bsc#1206077).
- CVE-2022-4141: vim: heap-buffer-overflow in alloc.c 246:11 (bsc#1205797).
- CVE-2022-3705: vim: use after free in function qf_update_buffer of the file quickfix.c (bsc#1204779).

Advisory ID: SUSE-SU-2022:4633-1
Released:    Wed Dec 28 09:32:15 2022
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1206309,CVE-2022-43552
This update for curl fixes the following issues:

- CVE-2022-43552: HTTP Proxy deny use-after-free (bsc#1206309).

Advisory ID: SUSE-SU-2023:14-1
Released:    Mon Jan  2 19:06:03 2023
Summary:     Security update for samba
Type:        security
Severity:    important
References:  1205385,1205386,1205946,1206504,CVE-2022-37966,CVE-2022-37967,CVE-2022-38023
This update for samba fixes the following issues:

Update to 4.15.13

- CVE-2022-37966 rc4-hmac Kerberos session keys issued to modern servers (bsc#1205385).
- CVE-2022-37967 Kerberos constrained delegation ticket forgery possible against Samba AD DC (bsc#1205386).
- CVE-2022-38023 RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided (bsc#1206504).
- Fixed issue with bind start up (bsc#1205946).

Advisory ID: SUSE-RU-2023:25-1
Released:    Thu Jan  5 09:51:41 2023
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

Version update from 2022f to 2022g (bsc#1177460):

- In the Mexican state of Chihuahua:
  * The border strip near the US will change to agree with nearby US locations on 2022-11-30.
  * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules,
    like El Paso, TX.
  * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX.
  * A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
- Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving
  time becomes standard time.
- Changes for pre-1996 northern Canada
- Update to past DST transition in Colombia (1993), Singapore (1981)
- 'timegm' is now supported by default

Advisory ID: SUSE-SU-2023:37-1
Released:    Fri Jan  6 15:35:49 2023
Summary:     Security update for ca-certificates-mozilla
Type:        security
Severity:    important
References:  1206212,1206622
This update for ca-certificates-mozilla fixes the following issues:

- Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622)
  Removed CAs:
  - Global Chambersign Root
  - EC-ACC
  - Network Solutions Certificate Authority
  - Staat der Nederlanden EV Root CA
  - SwissSign Platinum CA - G2
  Added CAs:
  - Security Communication ECC RootCA1
  - Security Communication RootCA3
  Changed trust:
  - TrustCor certificates only trusted up to Nov 30 (bsc#1206212)
- Removed CAs (bsc#1206212) as most code does not handle 'valid before nov 30 2022'
  and it is not clear how many certs were issued for SSL middleware by TrustCor:
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - TrustCor ECA-1

Advisory ID: SUSE-RU-2023:46-1
Released:    Mon Jan  9 10:35:21 2023
Summary:     Recommended update for hwdata
Type:        recommended
Severity:    moderate
This update for hwdata fixes the following issues:

- Update pci, usb and vendor ids

Advisory ID: SUSE-RU-2023:48-1
Released:    Mon Jan  9 10:37:54 2023
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1199467
This update for libtirpc fixes the following issues:

- Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

Advisory ID: SUSE-SU-2023:56-1
Released:    Mon Jan  9 11:13:43 2023
Summary:     Security update for libksba
Type:        security
Severity:    moderate
References:  1206579,CVE-2022-47629
This update for libksba fixes the following issues:

- CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL
  signature parser (bsc#1206579).

Advisory ID: SUSE-SU-2023:115-1
Released:    Fri Jan 20 10:23:51 2023
Summary:     Security update for sudo
Type:        security
Severity:    important
References:  1207082,CVE-2023-22809
This update for sudo fixes the following issues:

- CVE-2023-22809: Fixed an arbitrary file write issue that could be
  exploited by users with sudoedit permissions (bsc#1207082).

Advisory ID: SUSE-SU-2023:139-1
Released:    Wed Jan 25 14:41:55 2023
Summary:     Security update for python-certifi
Type:        security
Severity:    important
References:  1206212,CVE-2022-23491
This update for python-certifi fixes the following issues:

- remove all TrustCor CAs, as TrustCor issued multiple man-in-the-middle
  certs (bsc#1206212 CVE-2022-23491)
     - TrustCor RootCert CA-1
     - TrustCor RootCert CA-2
     - TrustCor ECA-1
- Add removeTrustCor.patch

Advisory ID: SUSE-RU-2023:143-1
Released:    Thu Jan 26 06:41:22 2023
Summary:     Recommended update for bind
Type:        recommended
Severity:    moderate
References:  1201689
This update for bind fixes the following issues:

- Add systemd drop-in directory for named service (bsc#1201689)

Advisory ID: SUSE-SU-2023:152-1
Released:    Thu Jan 26 11:37:27 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1065729,1151927,1156395,1157049,1190969,1203183,1203693,1203740,1204171,1204250,1204614,1204693,1204760,1204989,1205149,1205256,1205495,1205496,1205601,1205695,1206073,1206113,1206114,1206174,1206175,1206176,1206177,1206178,1206179,1206344,1206389,1206393,1206394,1206395,1206397,1206398,1206399,1206515,1206602,1206634,1206635,1206636,1206637,1206640,1206641,1206642,1206643,1206644,1206645,1206646,1206647,1206648,1206649,1206663,1206664,1206784,1206841,1206854,1206855,1206857,1206858,1206859,1206860,1206873,1206875,1206876,1206877,1206878,1206880,1206881,1206882,1206883,1206884,1206885,1206886,1206887,1206888,1206889,1206890,1206891,1206893,1206896,1206904,1207036,1207125,1207134,1207186,1207198,1207218,1207237,CVE-2019-19083,CVE-2022-3105,CVE-2022-3106,CVE-2022-3107,CVE-2022-3108,CVE-2022-3111,CVE-2022-3112,CVE-2022-3115,CVE-2022-3435,CVE-2022-3564,CVE-2022-3643,CVE-2022-42328,CVE-2022-42329,CVE-2022-4662,CVE-2022-47520,CVE-2022-47929,CVE-2023-0266,CVE-2023-23454,CVE-202

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2023-0266: Fixed a use-after-free bug caused by a missing lock in ALSA. (bsc#1207134)
- CVE-2022-47929: Fixed a NULL pointer dereference bug in the traffic control subsystem which allowed an unprivileged user to trigger a denial of service via a crafted traffic control configuration. (bsc#1207237)
- CVE-2023-23454: Fixed a type-confusion in the CBQ network scheduler (bsc#1207036)
- CVE-2023-23455: Fixed a bug that could allow attackers to cause a denial of service because of type confusion in atm_tc_enqueue. (bsc#1207125)
- CVE-2022-3435: Fixed an out-of-bounds read in fib_nh_match() of the file net/ipv4/fib_semantics.c (bsc#1204171).
- CVE-2022-4662: Fixed a recursive locking violation in usb-storage that can cause the kernel to deadlock. (bsc#1206664)
- CVE-2022-3115: Fixed a null pointer dereference in malidp_crtc.c caused by a lack of checks of the return value of kzalloc. (bsc#1206393)
- CVE-2022-47520: Fixed an out-of-bounds read when parsing a Robust Security Network (RSN) information element from a Netlink packet. (bsc#1206515)
- CVE-2022-3112: Fixed a null pointer dereference caused by a missing check of the return value of kzalloc() in vdec_helpers.c:amvdec_set_canvases. (bsc#1206399)
- CVE-2022-3564: Fixed a bug which could lead to a use-after-free in the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the Bluetooth component. (bsc#1206073)
- CVE-2022-3108: Fixed a bug in kfd_parse_subtype_iolink in drivers/gpu/drm/amd/amdkfd/kfd_crat.c where a missing check of the return value of kmemdup() could lead to a NULL pointer dereference. (bsc#1206389)
- CVE-2019-19083: Fixed memory leaks in clock_source_create that could allow attackers to cause a denial of service (bsc#1157049).
- CVE-2022-42328: Fixed a bug which could allow guests to trigger denial of service via the netback driver (bsc#1206114).
- CVE-2022-42329: Fixed a bug which could allow guests to trigger denial of service via the netback driver (bsc#1206113).
- CVE-2022-3643: Fixed a bug which could allow guests to trigger NIC interface reset/abort/crash via netback driver (bsc#1206113).
- CVE-2022-3107: Fixed a null pointer dereference caused by a missing check of the return value of kvmalloc_array. (bsc#1206395)
- CVE-2022-3111: Fixed a missing release of resource after effective lifetime bug caused by a missing free of the WM8350_IRQ_CHG_FAST_RDY in wm8350_init_charger. (bsc#1206394)
- CVE-2022-3105: Fixed a null pointer dereference caused by a missing check of the return value of kmalloc_array. (bsc#1206398)
- CVE-2022-3106: Fixed a null pointer dereference caused by a missing check of the return value of kmalloc. (bsc#1206397)

The following non-security bugs were fixed:

- afs: Fix some tracing details (git-fixes).
- arm64: cpu_errata: Add Hisilicon TSV110 to spectre-v2 safe list (git-fixes)
- arm64: dts: allwinner: H5: Add PMU node (git-fixes)
- arm64: dts: allwinner: H6: Add PMU mode (git-fixes)
- arm64: dts: marvell: Add AP806-dual missing CPU clocks (git-fixes)
- arm64: dts: rockchip: add reg property to brcmf sub-nodes (git-fixes)
- arm64: dts: rockchip: fix dwmmc clock name for px30 (git-fixes)
- arm64: dts: rockchip: Fix NanoPC-T4 cooling maps (git-fixes)
- arm64: memory: Add missing brackets to untagged_addr() macro (git-fixes)
- arm64: psci: Reduce the waiting time for cpu_psci_cpu_kill() (git-fixes).
- arm64: tags: Preserve tags for addresses translated via TTBR1 (git-fixes)
- arm64: tegra: Fix 'active-low' warning for Jetson Xavier regulator (git-fixes)
- block: Do not reread partition table on exclusively open device (bsc#1190969).
- ceph: avoid putting the realm twice when decoding snaps fails (bsc#1207198).
- ceph: do not update snapshot context when there is no new snapshot (bsc#1207218).
- cuse: prevent clone (bsc#1206177).
- drbd: destroy workqueue when drbd device was freed (git-fixes).
- drbd: remove usage of list iterator variable after loop (git-fixes).
- drbd: use after free in drbd_create_device() (git-fixes).
- dt-bindings: clocks: imx8mp: Add ID for usb suspend clock (git-fixes).
- efi: Add iMac Pro 2017 to uefi skip cert quirk (git-fixes).
- ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h (bsc#1206878).
- ext4: avoid BUG_ON when creating xattrs (bsc#1205496).
- ext4: avoid crash when inline data creation follows DIO write (bsc#1206883).
- ext4: avoid race conditions when remounting with options that change dax (bsc#1206860).
- ext4: avoid resizing to a partial cluster size (bsc#1206880).
- ext4: choose hardlimit when softlimit is larger than hardlimit in ext4_statfs_project() (bsc#1206854).
- ext4: continue to expand file system when the target size does not reach (bsc#1206882).
- ext4: convert BUG_ON's to WARN_ON's in mballoc.c (bsc#1206859).
- ext4: correct max_inline_xattr_value_size computing (bsc#1206878).
- ext4: correct the error path of ext4_write_inline_data_end() (bsc#1206875).
- ext4: correct the misjudgment in ext4_iget_extra_inode (bsc#1206878).
- ext4: Detect already used quota file early (bsc#1206873).
- ext4: fix a data race at inode->i_disksize (bsc#1206855).
- ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0 (bsc#1206881).
- ext4: fix BUG_ON() when directory entry has invalid rec_len (bsc#1206886).
- ext4: fix corruption when online resizing a 1K bigalloc fs (bsc#1206891).
- ext4: fix extent status tree race in writeback error recovery path (bsc#1206877).
- ext4: fix null-ptr-deref in ext4_write_info (bsc#1206884).
- ext4: fix undefined behavior in bit shift for ext4_check_flag_values (bsc#1206890).
- ext4: fix uninititialized value in 'ext4_evict_inode' (bsc#1206893).
- ext4: fix use-after-free in ext4_ext_shift_extents (bsc#1206888).
- ext4: fix use-after-free in ext4_xattr_set_entry (bsc#1206878).
- ext4: fix warning in 'ext4_da_release_space' (bsc#1206887).
- ext4: Fixup pages without buffers (bsc#1205495).
- ext4: iomap that extends beyond EOF should be marked dirty (bsc#1206637).
- ext4: make ext4_lazyinit_thread freezable (bsc#1206885).
- ext4: mark block bitmap corrupted when found instead of BUGON (bsc#1206857).
- ext4: silence the warning when evicting inode with dioread_nolock (bsc#1206889).
- ext4: update s_overhead_clusters in the superblock during an on-line resize (bsc#1206876).
- ext4: use matching invalidatepage in ext4_writepage (bsc#1206858).
- fs: nfsd: fix kconfig dependency warning for NFSD_V4 (git-fixes).
- fuse: do not check refcount after stealing page (bsc#1206174).
- fuse: fix the ->direct_IO() treatment of iov_iter (bsc#1206176).
- fuse: fix use after free in fuse_read_interrupt() (bsc#1206178).
- fuse: lock inode unconditionally in fuse_fallocate() (bsc#1206179).
- fuse: update attr_version counter on fuse_notify_inval_inode() (bsc#1206175).
- HID: betop: check shape of output reports (git-fixes, bsc#1207186).
- HID: check empty report_list in bigben_probe() (git-fixes, bsc#1206784).
- HID: check empty report_list in hid_validate_values() (git-fixes, bsc#1206784).
- ibmveth: Always stop tx queues during close (bsc#1065729).
- ipv6: ping: fix wrong checksum for large frames (bsc#1203183).
- isofs: joliet: Fix iocharset=utf8 mount option (bsc#1206636).
- kbuild: Unify options for BTF generation for vmlinux and modules (bsc#1204693).
- lib/notifier-error-inject: fix error when writing -errno to debugfs file (bsc#1206634).
- libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value (bsc#1206634).
- lockd: lockd server-side shouldn't set fl_ops (git-fixes).
- memcg, kmem: further deprecate kmem.limit_in_bytes (bsc#1206896).
- memcg: Fix possible use-after-free in memcg_write_event_control() (bsc#1206344).
- mm, page_alloc: avoid expensive reclaim when compaction may not succeed (bsc#1204250).
- mm: fix race between MADV_FREE reclaim and blkdev direct IO read (bsc#1204989,bsc#1205601).
- mm/filemap.c: clear page error before actual read (bsc#1206635).
- mm/memcg: optimize memory.numa_stat like memory.stat (bsc#1206663).
- module: avoid *goto*s in module_sig_check() (git-fixes).
- module: lockdep: Suppress suspicious RCU usage warning (git-fixes).
- module: merge repetitive strings in module_sig_check() (git-fixes).
- module: Remove accidental change of module_enable_x() (git-fixes).
- module: set MODULE_STATE_GOING state when a module fails to load (git-fixes).
- net: mana: Fix race on per-CQ variable napi work_done (git-fixes).
- net: sched: atm: dont intepret cls results when asked to drop (bsc#1207036).
- net: sched: cbq: dont intepret cls results when asked to drop (bsc#1207036).
- net: sunrpc: Fix off-by-one issues in 'rpc_ntop6' (git-fixes).
- net: usb: cdc_ncm: do not spew notifications (git-fixes).
- net: usb: qmi_wwan: add u-blox 0x1342 composition (git-fixes).
- netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find() (bsc#1204614).
- NFS: direct.c: Fix memory leak of dreq when nfs_get_lock_context fails (git-fixes).
- NFS: Fix an Oops in nfs_d_automount() (git-fixes).
- NFS: Fix memory leaks (git-fixes).
- NFS: Fix memory leaks in nfs_pageio_stop_mirroring() (git-fixes).
- NFS: fix PNFS_FLEXFILE_LAYOUT Kconfig default (git-fixes).
- NFS: Handle missing attributes in OPEN reply (bsc#1203740).
- NFS: nfs_find_open_context() may only select open files (git-fixes).
- NFS: nfs_xdr_status should record the procedure name (git-fixes).
- NFS: nfs4clinet: check the return value of kstrdup() (git-fixes).
- NFS: we do not support removing system.nfs4_acl (git-fixes).
- NFS: Zero-stateid SETATTR should first return delegation (git-fixes).
- NFS4: Fix kmemleak when allocate slot failed (git-fixes).
- NFS4: Fix oops when copy_file_range is attempted with NFS4.0 source (git-fixes).
- NFSD: Clone should commit src file metadata too (git-fixes).
- NFSD: do not call nfsd_file_put from client states seqfile display (git-fixes).
- NFSD: fix error handling in NFSv4.0 callbacks (git-fixes).
- NFSD: Fix handling of oversized NFSv4 COMPOUND requests (git-fixes).
- NFSD: Fix svc_xprt refcnt leak when setup callback client failed (git-fixes).
- NFSD: Keep existing listeners on portlist error (git-fixes).
- NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data (git-fixes).
- NFSD: safer handling of corrupted c_type (git-fixes).
- NFSv4 expose nfs_parse_server_name function (git-fixes).
- NFSv4 only print the label when its queried (git-fixes).
- NFSv4 remove zero number of fs_locations entries error check (git-fixes).
- NFSv4: Do not hold the layoutget locks across multiple RPC calls (git-fixes).
- NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn (git-fixes).
- NFSv4: Fix a pNFS layout related use-after-free race when freeing the inode (git-fixes).
- NFSv4: Fix races between open and dentry revalidation (git-fixes).
- NFSv4: Protect the state recovery thread against direct reclaim (git-fixes).
- NFSv4: Retry LOCK on OLD_STATEID during delegation return (git-fixes).
- NFSv4.1 handle ERR_DELAY error reclaiming locking state on delegation recall (git-fixes).
- NFSv4.1: Fix uninitialised variable in devicenotify (git-fixes).
- NFSv4.1: Handle RECLAIM_COMPLETE trunking errors (git-fixes).
- NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot (git-fixes).
- NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding (git-fixes).
- NFSv4.2: error out when relink swapfile (git-fixes).
- NFSv4.2: Fix a memory stomp in decode_attr_security_label (git-fixes).
- NFSv4.2: Fix initialisation of struct nfs4_label (git-fixes).
- NFSv4.2: Fixup CLONE dest file size for zero-length count (git-fixes).
- NFSv4.x: Fail client initialisation if state manager thread can't run (git-fixes).
- NFSv4/pNFS: Always return layout stats on layout return for flexfiles (git-fixes).
- NFSv4/pNFS: Fix a use-after-free bug in open (git-fixes).
- NFSv4/pNFS: Try to return invalid layout in pnfs_layout_process() (git-fixes).
- powerpc: Ensure that swiotlb buffer is allocated from low memory (bsc#1156395).
- powerpc: Force inlining of cpu_has_feature() to avoid build failure (bsc#1065729).
- powerpc: improve handling of unrecoverable system reset (bsc#1065729).
- powerpc: sysdev: add missing iounmap() on error in mpic_msgr_probe() (bsc#1065729).
- powerpc/64: Init jump labels before parse_early_param() (bsc#1065729).
- powerpc/64s/pgtable: fix an undefined behaviour (bsc#1065729).
- powerpc/book3s/mm: Update Oops message to print the correct translation in use (bsc#1156395).
- powerpc/boot: Fixup device-tree on little endian (bsc#1065729).
- powerpc/crashkernel: Take 'mem=' option into account (bsc#1065729).
- powerpc/eeh: Only dump stack once if an MMIO loop is detected (bsc#1065729).
- powerpc/pci: Fix get_phb_number() locking (bsc#1065729).
- powerpc/perf: callchain validate kernel stack pointer bounds (bsc#1065729).
- powerpc/powernv: add missing of_node_put (bsc#1065729).
- powerpc/powernv: Avoid re-registration of imc debugfs directory (bsc#1156395).
- powerpc/powernv/iov: Ensure the pdn for VFs always contains a valid PE number (bsc#1065729).
- powerpc/powernv/smp: Fix spurious DBG() warning (bsc#1065729).
- powerpc/pseries: Stop calling printk in rtas_stop_self() (bsc#1065729).
- powerpc/pseries: unregister VPA when hot unplugging a CPU (bsc#1205695 ltc#200603).
- powerpc/pseries/cmm: Implement release() function for sysfs device (bsc#1065729).
- powerpc/pseries/eeh: use correct API for error log size (bsc#1065729).
- powerpc/rtas: avoid device tree lookups in rtas_os_term() (bsc#1065729).
- powerpc/rtas: avoid scheduling in rtas_os_term() (bsc#1065729).
- powerpc/sriov: Remove VF eeh_dev state when disabling SR-IOV (bsc#1065729).
- powerpc/xive: Add a check for memory allocation failure (git-fixes).
- powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data() (git-fixes).
- powerpc/xive/spapr: correct bitmap allocation size (git-fixes).
- quota: Check next/prev free block number after reading from quota file (bsc#1206640).
- rpc: fix gss_svc_init cleanup on failure (git-fixes).
- rpc: fix NULL dereference on kmalloc failure (git-fixes).
- rtc: pcf85063: Fix reading alarm (git-fixes).
- s390/boot: add secure boot trailer (bsc#1205256 LTC#1205256).
- sbitmap: fix lockup while swapping (bsc#1206602).
- sched/psi: Fix sampling error and rare div0 crashes with cgroups and high uptime (bsc#1206841).
- scsi: lpfc: Correct bandwidth logging during receipt of congestion sync WCQE (jsc#PED-1445).
- scsi: lpfc: Fix crash involving race between FLOGI timeout and devloss handler (jsc#PED-1445).
- scsi: lpfc: Fix MI capability display in cmf_info sysfs attribute (jsc#PED-1445).
- scsi: lpfc: Fix WQ|CQ|EQ resource check (jsc#PED-1445).
- scsi: lpfc: Remove linux/msi.h include (jsc#PED-1445).
- scsi: lpfc: Remove redundant pointer 'lp' (jsc#PED-1445).
- scsi: lpfc: Update lpfc version to (jsc#PED-1445).
- scsi: lpfc: Use memset_startat() helper (jsc#PED-1445).
- scsi: qla2xxx: Fix crash when I/O abort times out (jsc#PED-568).
- scsi: qla2xxx: Fix set-but-not-used variable warnings (jsc#PED-568).
- scsi: qla2xxx: Initialize vha->unknown_atio_[list, work] for NPIV hosts (jsc#PED-568).
- scsi: qla2xxx: Remove duplicate of vha->iocb_work initialization (jsc#PED-568).
- scsi: qla2xxx: Remove unused variable 'found_devs' (jsc#PED-568).
- sctp: sysctl: make extra pointers netns aware (bsc#1204760).
- string.h: Introduce memset_startat() for wiping trailing members and padding (jsc#PED-1445).
- SUNRPC: check that domain table is empty at module unload (git-fixes).
- SUNRPC: Do not leak netobj memory when gss_read_proxy_verf() fails (git-fixes).
- SUNRPC: Do not start a timer on an already queued rpc task (git-fixes).
- SUNRPC: Fix missing release socket in rpc_sockname() (git-fixes).
- SUNRPC: Fix potential leaks in sunrpc_cache_unhash() (git-fixes).
- SUNRPC: Fix socket waits for write buffer space (git-fixes).
- SUNRPC: Handle 0 length opaque XDR object data properly (git-fixes).
- SUNRPC: Mitigate cond_resched() in xprt_transmit() (git-fixes).
- SUNRPC: Move simple_get_bytes and simple_get_netobj into private header (git-fixes).
- SUNRPC: stop printk reading past end of string (git-fixes).
- svcrdma: Fix another Receive buffer leak (git-fixes).
- svcrdma: Fix backchannel return code (git-fixes).
- tracing: Add tracing_reset_all_online_cpus_unlocked() function (git-fixes).
- tracing: Free buffers when a used dynamic event is removed (git-fixes).
- tracing: Verify if trace array exists before destroying it (git-fixes).
- tracing/dynevent: Delete all matched events (git-fixes).
- udf_get_extendedattr() had no boundary checks (bsc#1206648).
- udf: Avoid accessing uninitialized data on failed inode read (bsc#1206642).
- udf: Fix a slab-out-of-bounds write bug in udf_find_entry() (bsc#1206649).
- udf: Fix free space reporting for metadata and virtual partitions (bsc#1206641).
- udf: Fix iocharset=utf8 mount option (bsc#1206647).
- udf: Fix NULL pointer dereference in udf_symlink function (bsc#1206646).
- udf: fix silent AED tagLocation corruption (bsc#1206645).
- udf: fix the problem that the disc content is not displayed (bsc#1206644).
- udf: Limit sparing table size (bsc#1206643).
- usb: host: xhci-hub: fix extra endianness conversion (git-fixes).
- usbnet: move new members to end (git-fixes).
- xprtrdma: Fix regbuf data not freed in rpcrdma_req_create() (git-fixes).
- xprtrdma: treat all calls not a bcall when bc_serv is NULL (git-fixes).

Advisory ID: SUSE-RU-2023:157-1
Released:    Thu Jan 26 15:54:43 2023
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1194038,1205646
This update for util-linux fixes the following issues:

- libuuid continuous clock handling for time based UUIDs:
  Prevent use of the new libuuid ABI by uuidd %post before update
  of libuuid1 (bsc#1205646).
- Use chown --quiet to prevent error message if /var/lib/libuuid/clock.txt
  does not exist.
- Fix tests not passing when '@' character is in build path: 
  Fixes rpmbuild %checks fail when @ in the directory path (bsc#1194038).

Advisory ID: SUSE-SU-2023:161-1
Released:    Thu Jan 26 18:23:16 2023
Summary:     Security update for python-py
Type:        security
Severity:    moderate
References:  1204364,CVE-2022-42969
This update for python-py fixes the following issues:

- CVE-2022-42969: Fixed an excessive resource consumption that could
  be triggered when interacting with a Subversion repository
  containing crafted data (bsc#1204364).

Advisory ID: SUSE-SU-2023:162-1
Released:    Thu Jan 26 18:24:19 2023
Summary:     Security update for samba
Type:        security
Severity:    important
References:  1206504,1206546,CVE-2021-20251,CVE-2022-38023
This update for samba fixes the following issues:

- CVE-2021-20251: Fixed an issue where the bad password count would
  not be properly incremented, which could allow attackers to brute
  force a user's password (bsc#1206546).

Advisory ID: SUSE-SU-2023:170-1
Released:    Thu Jan 26 18:30:17 2023
Summary:     Security update for xen
Type:        security
Severity:    important
References:  1027519,1205209,CVE-2022-23824
This update for xen fixes the following issues:

- CVE-2022-23824: Fixed multiple speculative security issues (bsc#1205209).

Advisory ID: SUSE-SU-2023:174-1
Released:    Thu Jan 26 20:52:38 2023
Summary:     Security update for glib2
Type:        security
Severity:    low
References:  1183533,CVE-2021-28153
This update for glib2 fixes the following issues:

- CVE-2021-28153: Fixed an issue where symlink targets would be incorrectly created as empty files (bsc#1183533).

Advisory ID: SUSE-RU-2023:176-1
Released:    Thu Jan 26 20:56:20 2023
Summary:     Recommended update for permissions
Type:        recommended
Severity:    moderate
References:  1206738
This update for permissions fixes the following issues:

Update to version 20181225:

* Backport postfix permissions to SLE 15 SP2 (bsc#1206738)

Advisory ID: SUSE-RU-2023:179-1
Released:    Thu Jan 26 21:54:30 2023
Summary:     Recommended update for tar
Type:        recommended
Severity:    low
References:  1202436
This update for tar fixes the following issue:

- Fix hang when unpacking test tarball (bsc#1202436)

Advisory ID: SUSE-RU-2023:181-1
Released:    Thu Jan 26 21:55:43 2023
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1206412
This update for procps fixes the following issues:

- Improve memory handling/usage (bsc#1206412) 
- Make sure that correct library version is installed (bsc#1206412)

Advisory ID: SUSE-RU-2023:188-1
Released:    Fri Jan 27 12:07:19 2023
Summary:     Recommended update for zlib
Type:        recommended
Severity:    important
References:  1203652
This update for zlib fixes the following issues:

- Follow up fix for bug bsc#1203652 due to libxml2 issues

Advisory ID: SUSE-SU-2023:198-1
Released:    Fri Jan 27 14:26:54 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1205126,CVE-2022-42898
This update for krb5 fixes the following issues:

- CVE-2022-42898: Fixed integer overflow in PAC parsing (bsc#1205126).

Advisory ID: SUSE-SU-2023:211-1
Released:    Mon Jan 30 17:26:10 2023
Summary:     Security update for vim
Type:        security
Severity:    moderate
References:  1206866,1206867,1206868,1207162,1207396,CVE-2023-0049,CVE-2023-0051,CVE-2023-0054,CVE-2023-0288,CVE-2023-0433
This update for vim fixes the following issues:

- Updated to version 9.0.1234:
  - CVE-2023-0433: Fixed an out of bounds memory access that could
    cause a crash (bsc#1207396).
  - CVE-2023-0288: Fixed an out of bounds memory access that could
    cause a crash (bsc#1207162).
  - CVE-2023-0054: Fixed an out of bounds memory write that could
    cause a crash or memory corruption (bsc#1206868).
  - CVE-2023-0051: Fixed an out of bounds memory access that could
    cause a crash (bsc#1206867).
  - CVE-2023-0049: Fixed an out of bounds memory access that could
    cause a crash (bsc#1206866).

Advisory ID: SUSE-SU-2023:223-1
Released:    Wed Feb  1 09:36:03 2023
Summary:     Security update for python-setuptools
Type:        security
Severity:    moderate
References:  1206667,CVE-2022-40897
This update for python-setuptools fixes the following issues:

- CVE-2022-40897: Fixed an excessive CPU usage that could be triggered
  by fetching a malicious HTML document (bsc#1206667).

Advisory ID: SUSE-SU-2023:310-1
Released:    Tue Feb  7 17:35:34 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1121365,1198472,1207533,1207534,1207536,1207538,CVE-2022-4304,CVE-2022-4450,CVE-2023-0215,CVE-2023-0286
This update for openssl-1_1 fixes the following issues:

- CVE-2023-0286: Fixed X.400 address type confusion in X.509 GENERAL_NAME_cmp for x400Address (bsc#1207533).
- CVE-2023-0215: Fixed use-after-free following BIO_new_NDEF() (bsc#1207536).
- CVE-2022-4450: Fixed double free after calling PEM_read_bio_ex() (bsc#1207538).
- CVE-2022-4304: Fixed timing oracle in RSA decryption (bsc#1207534).
- FIPS: list only FIPS approved public key algorithms (bsc#1121365, bsc#1198472)

Advisory ID: SUSE-RU-2023:335-1
Released:    Thu Feb  9 13:51:13 2023
Summary:     Recommended update for hyper-v
Type:        recommended
Severity:    moderate
This update for hyper-v fixes the following issues:

- Provide the latest version for SLE-15-SP4 too.

Advisory ID: SUSE-SU-2023:409-1
Released:    Tue Feb 14 16:41:09 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1195175,1204502,1206677,1207034,1207497,1207508,1207769,1207878,CVE-2022-3606,CVE-2023-0179
The SUSE Linux Enterprise 15 SP3 LTSS kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2022-3606: Fixed a null pointer dereference inside the function find_prog_by_sec_insn of the file tools/lib/bpf/libbpf.c of the component BPF (bnc#1204502).
- CVE-2023-0179: Fixed incorrect arithmetic when fetching VLAN header bits (bsc#1207034).

The following non-security bugs were fixed:

- KVM: VMX: fix crash cleanup when KVM wasn't used (bsc#1207508).
- RDMA/core: Fix ib block iterator counter overflow (bsc#1207878).
- bcache: fix set_at_max_writeback_rate() for multiple attached devices (git-fixes).
- blktrace: Fix output non-blktrace event when blk_classic option enabled (git-fixes).
- blktrace: ensure our debugfs dir exists (git-fixes).
- dm btree: add a defensive bounds check to insert_at() (git-fixes).
- dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort (git-fixes).
- dm cache: Fix UAF in destroy() (git-fixes).
- dm cache: set needs_check flag after aborting metadata (git-fixes).
- dm clone: Fix UAF in clone_dtr() (git-fixes).
- dm integrity: Fix UAF in dm_integrity_dtr() (git-fixes).
- dm integrity: fix flush with external metadata device (git-fixes).
- dm integrity: flush the journal on suspend (git-fixes).
- dm integrity: select CRYPTO_SKCIPHER (git-fixes).
- dm ioctl: fix misbehavior if list_versions races with module loading (git-fixes).
- dm ioctl: prevent potential spectre v1 gadget (git-fixes).
- dm space map common: add bounds check to sm_ll_lookup_bitmap() (git-fixes).
- dm space maps: do not reset space map allocation cursor when committing (git-fixes).
- dm table: Remove BUG_ON(in_interrupt()) (git-fixes).
- dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata (git-fixes).
- dm thin: Fix UAF in run_timer_softirq() (git-fixes).
- dm thin: Use last transaction's pmd->root when commit failed (git-fixes).
- dm thin: resume even if in FAIL mode (git-fixes).
- dm verity: fix require_signatures module_param permissions (git-fixes).
- dm verity: skip verity work if I/O error when system is shutting down (git-fixes).
- drivers:md:fix a potential use-after-free bug (git-fixes).
- kabi/severities: add mlx5 internal symbols
- loop: unset GENHD_FL_NO_PART_SCAN on LOOP_CONFIGURE (git-fixes).
- loop: use sysfs_emit() in the sysfs xxx show() (git-fixes).
- md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d (git-fixes).
- md: Flush workqueue md_rdev_misc_wq in md_alloc() (git-fixes).
- md: Notify sysfs sync_completed in md_reap_sync_thread() (git-fixes).
- md: protect md_unregister_thread from reentrancy (git-fixes).
- mm: /proc/pid/smaps_rollup: fix no vma's null-deref (bsc#1207769).
- nbd: Fix hung on disconnect request if socket is closed before (git-fixes).
- nbd: Fix hung when signal interrupts nbd_start_device_ioctl() (git-fixes).
- nbd: Fix incorrect error handle when first_minor is illegal in nbd_dev_add (git-fixes).
- nbd: call genl_unregister_family() first in nbd_cleanup() (git-fixes).
- nbd: fix io hung while disconnecting device (git-fixes).
- nbd: fix max value for 'first_minor' (git-fixes).
- nbd: fix race between nbd_alloc_config() and module removal (git-fixes).
- nbd: make the config put is called before the notifying the waiter (git-fixes).
- nbd: restore default timeout when setting it to zero (git-fixes).
- net/mlx5: Allocate individual capability (bsc#1195175).
- net/mlx5: Dynamically resize flow counters query buffer (bsc#1195175).
- net/mlx5: Fix flow counters SF bulk query len (bsc#1195175).
- net/mlx5: Reduce flow counters bulk query buffer size for SFs (bsc#1195175).
- net/mlx5: Reorganize current and maximal capabilities to be per-type (bsc#1195175).
- net/mlx5: Use order-0 allocations for EQs (bsc#1195175).
- null_blk: fix ida error handling in null_add_dev() (git-fixes).
- rbd: work around -Wuninitialized warning (git-fixes).
- scsi: 3w-9xxx: Avoid disabling device if failing to enable it (git-fixes).
- scsi: BusLogic: Fix 64-bit system enumeration error for Buslogic (git-fixes).
- scsi: NCR5380: Add disconnect_mask module parameter (git-fixes).
- scsi: Revert 'scsi: qla2xxx: Fix disk failure to rediscover' (git-fixes).
- scsi: advansys: Fix kernel pointer leak (git-fixes).
- scsi: aha152x: Fix aha152x_setup() __setup handler return value (git-fixes).
- scsi: aic7xxx: Adjust indentation in ahc_find_syncrate (git-fixes).
- scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8 (git-fixes).
- scsi: atari_scsi: sun3_scsi: Set sg_tablesize to 1 instead of SG_NONE (git-fixes).
- scsi: bfa: Replace snprintf() with sysfs_emit() (git-fixes).
- scsi: bnx2fc: Return failure if io_req is already in ABTS processing (git-fixes).
- scsi: core: Avoid printing an error if target_alloc() returns -ENXIO (git-fixes).
- scsi: core: Cap scsi_host cmd_per_lun at can_queue (git-fixes).
- scsi: core: Do not start concurrent async scan on same host (git-fixes).
- scsi: core: Fix a race between scsi_done() and scsi_timeout() (git-fixes).
- scsi: core: Fix capacity set to zero after offlinining device (git-fixes).
- scsi: core: Fix hang of freezing queue between blocking and running device (git-fixes).
- scsi: core: Fix shost->cmd_per_lun calculation in scsi_add_host_with_dma() (git-fixes).
- scsi: core: Restrict legal sdev_state transitions via sysfs (git-fixes).
- scsi: core: free sgtables in case command setup fails (git-fixes).
- scsi: core: sysfs: Fix hang when device state is set via sysfs (git-fixes).
- scsi: core: sysfs: Fix setting device state to SDEV_RUNNING (git-fixes).
- scsi: cxlflash: Fix error return code in cxlflash_probe() (git-fixes).
- scsi: fcoe: Fix possible name leak when device_register() fails (git-fixes).
- scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails (git-fixes).
- scsi: fnic: Fix memleak in vnic_dev_init_devcmd2 (git-fixes).
- scsi: fnic: fix use after free (git-fixes).
- scsi: hisi_sas: Check sas_port before using it (git-fixes).
- scsi: hisi_sas: Do not reset phy timer to wait for stray phy up (git-fixes).
- scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated irq (git-fixes).
- scsi: hisi_sas: Propagate errors in interrupt_init_v1_hw() (git-fixes).
- scsi: hisi_sas: Replace in_softirq() check in hisi_sas_task_exec() (git-fixes).
- scsi: hpsa: Fix error handling in hpsa_add_sas_host() (git-fixes).
- scsi: hpsa: Fix memory leak in hpsa_init_one() (git-fixes).
- scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() (git-fixes).
- scsi: hpsa: Fix possible memory leak in hpsa_init_one() (git-fixes).
- scsi: ipr: Fix WARNING in ipr_init() (git-fixes).
- scsi: ipr: Fix missing/incorrect resource cleanup in error case (git-fixes).
- scsi: iscsi: Add iscsi_cls_conn refcount helpers (git-fixes).
- scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func (git-fixes).
- scsi: iscsi: Do not destroy session if there are outstanding connections (git-fixes).
- scsi: iscsi: Do not put host in iscsi_set_flashnode_param() (git-fixes).
- scsi: iscsi: Do not send data to unbound connection (git-fixes).
- scsi: iscsi: Fix reference count leak in iscsi_boot_create_kobj (git-fixes).
- scsi: iscsi: Fix shost->max_id use (git-fixes).
- scsi: iscsi: Report unbind session event when the target has been removed (git-fixes).
- scsi: iscsi: Unblock session then wake up error handler (git-fixes).
- scsi: libfc: Fix a format specifier (git-fixes).
- scsi: libfc: Fix use after free in fc_exch_abts_resp() (git-fixes).
- scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown() (git-fixes).
- scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling (git-fixes).
- scsi: libsas: Add LUN number check in .slave_alloc callback (git-fixes).
- scsi: megaraid: Fix error check return value of register_chrdev() (git-fixes).
- scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry() (git-fixes).
- scsi: megaraid_sas: Fix double kfree() (git-fixes).
- scsi: megaraid_sas: Fix resource leak in case of probe failure (git-fixes).
- scsi: megaraid_sas: Handle missing interrupts while re-enabling IRQs (git-fixes).
- scsi: mpi3mr: Refer CONFIG_SCSI_MPI3MR in Makefile (git-fixes).
- scsi: mpt3sas: Block PCI config access from userspace during reset (git-fixes).
- scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add() (git-fixes).
- scsi: mpt3sas: Fix timeouts observed while reenabling IRQ (git-fixes).
- scsi: mpt3sas: Increase IOCInit request timeout to 30s (git-fixes).
- scsi: mvsas: Add PCI ID of RocketRaid 2640 (git-fixes).
- scsi: mvsas: Replace snprintf() with sysfs_emit() (git-fixes).
- scsi: mvumi: Fix error return in mvumi_io_attach() (git-fixes).
- scsi: myrb: Fix up null pointer access on myrb_cleanup() (git-fixes).
- scsi: myrs: Fix crash in error case (git-fixes).
- scsi: pm8001: Fix pm8001_mpi_task_abort_resp() (git-fixes).
- scsi: pm: Balance pm_only counter of request queue during system resume (git-fixes).
- scsi: pmcraid: Fix missing resource cleanup in error case (git-fixes).
- scsi: qedf: Add check to synchronize abort and flush (git-fixes).
- scsi: qedf: Fix a UAF bug in __qedf_probe() (git-fixes).
- scsi: qedf: Fix refcount issue when LOGO is received during TMF (git-fixes).
- scsi: qedf: Return SUCCESS if stale rport is encountered (git-fixes).
- scsi: qedi: Fix failed disconnect handling (git-fixes).
- scsi: qedi: Fix list_del corruption while removing active I/O (git-fixes).
- scsi: qedi: Fix null ref during abort handling (git-fixes).
- scsi: qedi: Protect active command list to avoid list corruption (git-fixes).
- scsi: scsi_debug: Fix a warning in resp_write_scat() (git-fixes).
- scsi: scsi_debug: Fix possible UAF in sdebug_add_host_helper() (git-fixes).
- scsi: scsi_debug: Fix possible name leak in sdebug_add_host_helper() (git-fixes).
- scsi: scsi_debug: num_tgts must be >= 0 (git-fixes).
- scsi: scsi_dh_alua: Check for negative result value (git-fixes).
- scsi: scsi_dh_alua: Fix signedness bug in alua_rtpg() (git-fixes).
- scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg() (git-fixes).
- scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach() (git-fixes).
- scsi: scsi_transport_spi: Fix function pointer check (git-fixes).
- scsi: scsi_transport_spi: Set RQF_PM for domain validation commands (git-fixes).
- scsi: sd: Free scsi_disk device via put_device() (git-fixes).
- scsi: sd: Suppress spurious errors when WRITE SAME is being disabled (git-fixes).
- scsi: ses: Fix unsigned comparison with less than zero (git-fixes).
- scsi: ses: Retry failed Send/Receive Diagnostic commands (git-fixes).
- scsi: snic: Fix possible UAF in snic_tgt_create() (git-fixes).
- scsi: sr: Do not use GFP_DMA (git-fixes).
- scsi: sr: Fix sr_probe() missing deallocate of device minor (git-fixes).
- scsi: sr: Return appropriate error code when disk is ejected (git-fixes).
- scsi: sr: Return correct event when media event code is 3 (git-fixes).
- scsi: st: Fix a use after free in st_open() (git-fixes).
- scsi: ufs-pci: Ensure UFS device is in PowerDown mode for suspend-to-disk ->poweroff() (git-fixes).
- scsi: ufs: Add DELAY_BEFORE_LPM quirk for Micron devices (git-fixes).
- scsi: ufs: Clean up completed request without interrupt notification (git-fixes).
- scsi: ufs: Fix a race condition in the tracing code (git-fixes).
- scsi: ufs: Fix error handing during hibern8 enter (git-fixes).
- scsi: ufs: Fix illegal offset in UPIU event trace (git-fixes).
- scsi: ufs: Fix interrupt error message for shared interrupts (git-fixes).
- scsi: ufs: Fix irq return code (git-fixes).
- scsi: ufs: Fix possible infinite loop in ufshcd_hold (git-fixes).
- scsi: ufs: Fix tm request when non-fatal error happens (git-fixes).
- scsi: ufs: Fix unbalanced scsi_block_reqs_cnt caused by ufshcd_hold() (git-fixes).
- scsi: ufs: Fix up auto hibern8 enablement (git-fixes).
- scsi: ufs: Fix wrong print message in dev_err() (git-fixes).
- scsi: ufs: Improve interrupt handling for shared interrupts (git-fixes).
- scsi: ufs: Make sure clk scaling happens only when HBA is runtime ACTIVE (git-fixes).
- scsi: ufs: Make ufshcd_add_command_trace() easier to read (git-fixes).
- scsi: ufs: fix potential bug which ends in system hang (git-fixes).
- scsi: ufs: ufs-qcom: Fix race conditions caused by ufs_qcom_testbus_config() (git-fixes).
- scsi: virtio_scsi: Fix spelling mistake 'Unsupport' -> 'Unsupported' (git-fixes).
- scsi: vmw_pvscsi: Expand vcpuHint to 16 bits (git-fixes).
- scsi: vmw_pvscsi: Set correct residual data length (git-fixes).
- scsi: vmw_pvscsi: Set residual data length conditionally (git-fixes).
- sctp: fail if no bound addresses can be used for a given scope (bsc#1206677).
- watchdog: diag288_wdt: do not use stack buffers for hardware data (bsc#1207497).
- watchdog: diag288_wdt: fix __diag288() inline assembly (bsc#1207497).

Advisory ID: SUSE-SU-2023:427-1
Released:    Wed Feb 15 17:40:08 2023
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1207471,CVE-2022-3094
This update for bind fixes the following issues:

  - CVE-2022-3094: Fixed memory exhaustion due to UPDATE message flooding (bsc#1207471).

Advisory ID: SUSE-SU-2023:463-1
Released:    Mon Feb 20 16:33:39 2023
Summary:     Security update for tar
Type:        security
Severity:    moderate
References:  1202436,1207753,CVE-2022-48303
This update for tar fixes the following issues:

- CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753). 

Bug fixes:

- Fix hang when unpacking test tarball (bsc#1202436).

Advisory ID: SUSE-SU-2023:486-1
Released:    Thu Feb 23 10:38:13 2023
Summary:     Security update for c-ares
Type:        security
Severity:    important
References:  1208067,CVE-2022-4904
This update for c-ares fixes the following issues:

  Updated to version 1.19.0:

  - CVE-2022-4904: Fixed missing string length check in config_sortlist() (bsc#1208067).

Advisory ID: SUSE-SU-2023:549-1
Released:    Mon Feb 27 17:35:07 2023
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1205244,1208443,CVE-2022-45061
This update for python3 fixes the following issues:

  - CVE-2022-45061: Fixed DoS when IDNA decodes extremely long domain names (bsc#1205244).


  - Fixed issue where replaces a non-existent header (bsc#1208443).

Advisory ID: SUSE-SU-2023:604-1
Released:    Thu Mar  2 15:51:55 2023
Summary:     Security update for python-cryptography, python-cryptography-vectors
Type:        security
Severity:    important
References:  1178168,1182066,1198331,1199282,CVE-2020-25659,CVE-2020-36242
This update for python-cryptography, python-cryptography-vectors fixes the following issues:

- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)

- CVE-2020-36242: Fixed a bug where certain sequences of update() calls could result in integer overflow (bsc#1182066).
- CVE-2020-25659: Fixed Bleichenbacher vulnerabilities (bsc#1178168).  

- update to 3.3.2 (bsc#1198331)

Advisory ID: SUSE-SU-2023:610-1
Released:    Fri Mar  3 12:06:49 2023
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1208143,CVE-2023-0361
This update for gnutls fixes the following issues:

- CVE-2023-0361: Fixed a Bleichenbacher oracle in the TLS RSA key exchange (bsc#1208143).

Advisory ID: SUSE-RU-2023:676-1
Released:    Wed Mar  8 14:33:23 2023
Summary:     Recommended update for libxml2
Type:        recommended
Severity:    moderate
References:  1204585
This update for libxml2 fixes the following issues:

- Add W3C conformance tests to the testsuite (bsc#1204585):
  * Added file xmlts20080827.tar.gz 

Advisory ID: SUSE-RU-2023:713-1
Released:    Mon Mar 13 10:25:04 2023
Summary:     Recommended update for suse-build-key
Type:        recommended
Severity:    moderate
This update for suse-build-key fixes the following issues:

This update provides multiple new 4096 RSA keys (for SUSE Linux Enterprise
15, SUSE Manager 4.2/4.3, Storage 7.1, SUSE Registry) that we will switch
to in mid-2023. (jsc#PED-2777)

- gpg-pubkey-3fa1d6ce-63c9481c.asc: new 4096 RSA signing key for SUSE Linux Enterprise (RPM and repositories).
- gpg-pubkey-d588dc46-63c939db.asc: new 4096 RSA reserve key for SUSE Linux Enterprise (RPM and repositories).
- suse_ptf_key_4096.asc: new 4096 RSA signing key for PTF packages.
- build-container-8fd6c337-63c94b45.asc/build-container-8fd6c337-63c94b45.pem:
  New RSA 4096 key for the SUSE registry, installed as
  suse-container-key-2023.pem and suse-container-key-2023.asc
- suse_ptf_containerkey_2023.asc suse_ptf_containerkey_2023.pem:
  New PTF container signing key for space.

Advisory ID: SUSE-RU-2023:714-1
Released:    Mon Mar 13 10:53:25 2023
Summary:     Recommended update for rpm
Type:        recommended
Severity:    important
References:  1207294
This update for rpm fixes the following issues:

- Fix missing python(abi) for 3.XX versions (bsc#1207294)

The following package changes have been done:

- bind-utils-9.16.6-150300.22.27.1 updated
- ca-certificates-mozilla-2.60-150200.27.1 updated
- catatonit-0.1.7-150300.10.3.1 updated
- curl-7.66.0-150200.4.45.1 updated
- hwdata-0.365-150000.3.54.1 added
- hyper-v-8-150200.14.8.1 updated
- kernel-default-5.3.18-150300.59.112.1 updated
- krb5-1.19.2-150300.10.1 updated
- libbind9-1600-9.16.6-150300.22.27.1 updated
- libblkid1-2.36.2-150300.4.32.1 updated
- libcares2-1.19.0-150000.3.20.1 updated
- libcurl4-7.66.0-150200.4.45.1 updated
- libdns1605-9.16.6-150300.22.27.1 updated
- libfdisk1-2.36.2-150300.4.32.1 updated
- libglib-2_0-0-2.62.6-150200.3.10.1 updated
- libgnutls30-3.6.7-150200.14.25.2 updated
- libirs1601-9.16.6-150300.22.27.1 updated
- libisc1606-9.16.6-150300.22.27.1 updated
- libisccc1600-9.16.6-150300.22.27.1 updated
- libisccfg1600-9.16.6-150300.22.27.1 updated
- libksba8-1.3.5-150000.4.6.1 updated
- libmount1-2.36.2-150300.4.32.1 updated
- libns1604-9.16.6-150300.22.27.1 updated
- libopenssl1_1-1.1.1d-150200.11.57.1 updated
- libprocps7-3.3.15-150000.7.28.1 updated
- libpython3_6m1_0-3.6.15-150300.10.40.1 updated
- librelp0-1.2.15-1.15 added
- libsmartcols1-2.36.2-150300.4.32.1 updated
- libsqlite3-0-3.39.3-150000.3.20.1 updated
- libsystemd0-246.16-150300.7.57.1 updated
- libtirpc-netconfig-1.2.6-150300.3.17.1 updated
- libtirpc3-1.2.6-150300.3.17.1 updated
- libudev1-246.16-150300.7.57.1 updated
- libuuid1-2.36.2-150300.4.32.1 updated
- libxml2-2-2.9.7-150000.3.54.1 updated
- libz1-1.2.11-150000.3.39.1 updated
- openssl-1_1-1.1.1d-150200.11.57.1 updated
- permissions-20181225-150200.23.23.1 updated
- procps-3.3.15-150000.7.28.1 updated
- python3-base-3.6.15-150300.10.40.1 updated
- python3-bind-9.16.6-150300.22.27.1 updated
- python3-certifi-2018.1.18-150000.3.3.1 updated
- python3-cryptography-3.3.2-150200.16.1 updated
- python3-py-1.10.0-150100.5.12.1 updated
- python3-setuptools-40.5.0-150100.6.6.1 updated
- python3-3.6.15-150300.10.40.1 updated
- rpm-ndb-4.14.3-150300.55.1 updated
- samba-client-libs-4.15.13+git.591.ab36624310c-150300.3.49.1 updated
- samba-libs-4.15.13+git.591.ab36624310c-150300.3.49.1 added
- sle-module-basesystem-release-15.3-47.1 added
- sle-module-containers-release-15.3-47.1 added
- sle-module-public-cloud-release-15.3-47.1 added
- sle-module-server-applications-release-15.3-47.1 added
- sudo-1.9.5p2-150300.3.19.1 updated
- suse-build-key-12.0-150000.8.31.1 updated
- systemd-sysvinit-246.16-150300.7.57.1 updated
- systemd-246.16-150300.7.57.1 updated
- tar-1.34-150000.3.31.1 updated
- timezone-2022g-150000.75.18.1 updated
- udev-246.16-150300.7.57.1 updated
- util-linux-systemd-2.36.2-150300.4.32.1 updated
- util-linux-2.36.2-150300.4.32.1 updated
- vim-data-common-9.0.1234-150000.5.34.1 updated
- vim-9.0.1234-150000.5.34.1 updated
- xen-libs-4.14.5_10-150300.3.45.1 updated
- klogd-1.4.1-11.2 removed
- pciutils-ids-20200324-3.6.1 removed
- vlan-1.9-1.27 removed
