SUSE-IU-2023:603-1: Security update of suse-sles-15-sp4-chost-byos-v20230901-hvm-ssd-x86_64

sle-security-updates
Tue Sep 5 07:02:27 UTC 2023

SUSE Image Update Advisory: suse-sles-15-sp4-chost-byos-v20230901-hvm-ssd-x86_64
Image Advisory ID : SUSE-IU-2023:603-1
Image Tags        : suse-sles-15-sp4-chost-byos-v20230901-hvm-ssd-x86_64:20230901
Image Release     : 
Severity          : critical
Type              : security
References        : 1027519 1118088 1158763 1179534 1182142 1184177 1184758 1186606
                        1193412 1193752 1194038 1194609 1194900 1201253 1201519 1204844
                        1206418 1206627 1207129 1207805 1208194 1208574 1209741 1210070
                        1210273 1210323 1210419 1210627 1210702 1210740 1210780 1211079
                        1211131 1211461 1211576 1211738 1211757 1212434 1212502 1212604
                        1212879 1212901 1212928 1213049 1213167 1213185 1213189 1213212
                        1213231 1213272 1213287 1213304 1213443 1213472 1213514 1213517
                        1213557 1213575 1213582 1213585 1213586 1213588 1213616 1213620
                        1213653 1213673 1213713 1213715 1213747 1213756 1213759 1213777
                        1213810 1213812 1213842 1213853 1213856 1213857 1213863 1213867
                        1213870 1213871 1213873 1213951 1214025 1214054 1214071 1214082
                        1214083 1214248 1214290 CVE-2018-19787 CVE-2020-27783 CVE-2021-28957
                        CVE-2021-30560 CVE-2021-3429 CVE-2021-43818 CVE-2022-2309 CVE-2022-40982
                        CVE-2022-40982 CVE-2022-41409 CVE-2022-48468 CVE-2023-0459 CVE-2023-1786
                        CVE-2023-2004 CVE-2023-20569 CVE-2023-20569 CVE-2023-20593 CVE-2023-21400
                        CVE-2023-2156 CVE-2023-2166 CVE-2023-26112 CVE-2023-31083 CVE-2023-3268
                        CVE-2023-33460 CVE-2023-3567 CVE-2023-36054 CVE-2023-3609 CVE-2023-3611
                        CVE-2023-3776 CVE-2023-3817 CVE-2023-4004 CVE-2023-4016 CVE-2023-4156

The container suse-sles-15-sp4-chost-byos-v20230901-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

Advisory ID: SUSE-SU-2022:803-1
Released:    Thu Mar 10 17:35:53 2022
Summary:     Security update for python-lxml
Type:        security
Severity:    important
References:  1118088,1179534,1184177,1193752,CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-43818
This update for python-lxml fixes the following issues:

- CVE-2018-19787: Fixed XSS vulnerability via unescaped URL (bsc#1118088).
- CVE-2021-28957: Fixed XSS vulnerability via HTML5 attributes unescaped (bsc#1184177).
- CVE-2021-43818: Fixed XSS vulnerability via script content in SVG images using data URIs (bnc#1193752).
- CVE-2020-27783: Fixed mutation XSS with improper parser use (bnc#1179534).

Advisory ID: SUSE-RU-2022:2548-1
Released:    Tue Jul 26 13:48:28 2022
Summary:     Critical update for python-cssselect
Type:        recommended
Severity:    critical
This update for python-cssselect implements packages to the unrestricted repository.

Advisory ID: SUSE-SU-2022:2908-1
Released:    Fri Aug 26 11:36:03 2022
Summary:     Security update for python-lxml
Type:        security
Severity:    important
References:  1201253,CVE-2022-2309
This update for python-lxml fixes the following issues:

- CVE-2022-2309: Fixed NULL pointer dereference due to state leak between parser runs (bsc#1201253).

Advisory ID: SUSE-SU-2023:557-1
Released:    Tue Feb 28 09:29:15 2023
Summary:     Security update for libxslt
Type:        security
Severity:    important
References:  1208574,CVE-2021-30560
This update for libxslt fixes the following issues:

- CVE-2021-30560: Fixed a use-after-free vulnerability in Blink XSLT (bsc#1208574).

Advisory ID: SUSE-SU-2023:2143-1
Released:    Tue May  9 14:49:45 2023
Summary:     Security update for protobuf-c
Type:        security
Severity:    important
References:  1210323,CVE-2022-48468
This update for protobuf-c fixes the following issues:

- CVE-2022-48468: Fixed an unsigned integer overflow. (bsc#1210323)

Advisory ID: SUSE-feature-2023:2898-1
Released:    Thu Jul 20 09:15:33 2023
Summary:     Recommended update for python-instance-billing-flavor-check
Type:        feature
Severity:    critical
This update for python-instance-billing-flavor-check fixes the following issues:

- Include PAYG checker package in SLE (jsc#PED-4791)

Advisory ID: SUSE-RU-2023:2905-1
Released:    Thu Jul 20 10:17:54 2023
Summary:     Recommended update for fstrm
Type:        recommended
Severity:    moderate
This update for fstrm fixes the following issues:

- Update to 0.6.1:

  - fstrm_capture: ignore SIGPIPE, which will cause the
    interrupted connections to generate an EPIPE instead.
  - Fix truncation in snprintf calls in argument processing.
  - fstrm_capture: Fix output printf format. 

- Update to 0.6.0 

  It adds a new feature for fstrm_capture. It can perform output
  file rotation when a SIGUSR1 signal is received by fstrm_capture.
  (See the --gmtime or --localtime options.) This allows
  fstrm_capture's output file to be rotated by logrotate or a
  similar external utility. (Output rotation is suppressed if
  fstrm_capture is writing to stdout.)

Update to 0.5.0

- Change license to modern MIT license for compatibility with
  GPLv2 software. Contact software at for
  alternate licensing.
- src/fstrm_replay.c: For OpenBSD and Posix portability include
  netinet/in.h and sys/socket.h to get struct sockaddr_in and the
  AF_* defines respectively.
- Fix various compiler warnings.

Update to 0.4.0

The C implementation of the Frame Streams data transport
protocol, fstrm version 0.4.0, was released. It adds TCP support,
a new tool, new documentation, and several improvements.

- Added manual pages for fstrm_capture and fstrm_dump.
- Added new tool, fstrm_replay, for replaying saved Frame Streams
  data to a socket connection.
- Adds TCP support. Add tcp_writer to the core library which
  implements a bi-directional Frame Streams writer as a TCP
  socket client. Introduces new developer API:
  fstrm_tcp_writer_init, fstrm_tcp_writer_options_init,
  fstrm_tcp_writer_options_set_socket_address, and
- fstrm_capture: new options for reading from TCP socket.
- fstrm_capture: add '-c' / '--connections' option to limit the
  number of concurrent connections it will accept.
- fstrm_capture: add '-b / --buffer-size' option to set the read
  buffer size (effectively the maximum frame size) to a value
  other than the default 256 KiB.
- fstrm_capture: skip oversize messages to fix stalled
  connections caused by messages larger than the read highwater
  mark of the input buffer. Discarded messages are logged for the
  purposes of tuning the input buffer size.
- fstrm_capture: complete sending of FINISH frame before closing
- Various test additions and improvements.

Advisory ID: SUSE-RU-2023:3196-1
Released:    Fri Aug  4 10:02:04 2023
Summary:     Recommended update for protobuf-c
Type:        recommended
Severity:    moderate
References:  1213443
This update for protobuf-c fixes the following issues:

- Include executables required to generate Protocol Buffers glue code in the devel subpackage (bsc#1213443)

Advisory ID: SUSE-RU-2023:3217-1
Released:    Mon Aug  7 16:51:10 2023
Summary:     Recommended update for cryptsetup
Type:        recommended
Severity:    moderate
References:  1211079
This update for cryptsetup fixes the following issues:

- Handle system with low memory and no swap space (bsc#1211079)

Advisory ID: SUSE-RU-2023:3270-1
Released:    Thu Aug 10 19:34:35 2023
Summary:     Recommended update for vim
Type:        recommended
Severity:    moderate
References:  1211461
This update for vim fixes the following issues:

- Calling vim on xterm leads to missing first character of the command prompt (bsc#1211461)

Advisory ID: SUSE-RU-2023:3275-1
Released:    Fri Aug 11 10:19:36 2023
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1213472
This update for apparmor fixes the following issues:

- Add pam_apparmor README (bsc#1213472)

Advisory ID: SUSE-RU-2023:3282-1
Released:    Fri Aug 11 10:26:23 2023
Summary:     Recommended update for blog
Type:        recommended
Severity:    moderate
This update for blog fixes the following issues:

- Fix big endian cast problems to be able to read commands and answers as well as passphrases

Advisory ID: SUSE-feature-2023:3283-1
Released:    Fri Aug 11 10:28:34 2023
Summary:     Feature update for cloud-init
Type:        feature
Severity:    moderate
References:  1184758,1210273,1212879,CVE-2021-3429,CVE-2023-1786
This update for cloud-init fixes the following issues:

- Default route is not configured (bsc#1212879)
- cloud-final service failing in powerVS (bsc#1210273)
- Randomly generated passwords logged in clear-text to world-readable file (bsc#1184758, CVE-2021-3429)

Advisory ID: SUSE-RU-2023:3285-1
Released:    Fri Aug 11 10:30:38 2023
Summary:     Recommended update for shadow
Type:        recommended
Severity:    moderate
References:  1206627,1213189
This update for shadow fixes the following issues:

- Prevent lock files from remaining after power interruptions (bsc#1213189)
- Add --prefix support to passwd, chpasswd and chage (bsc#1206627)

Advisory ID: SUSE-RU-2023:3286-1
Released:    Fri Aug 11 10:32:03 2023
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    moderate
References:  1194038,1194900
This update for util-linux fixes the following issues:

- Fix blkid for floppy drives (bsc#1194900)
- Fix rpmbuild %checks fail when @ in the directory path (bsc#1194038)

Advisory ID: SUSE-RU-2023:3288-1
Released:    Fri Aug 11 12:30:14 2023
Summary:     Recommended update for python-apipkg
Type:        recommended
Severity:    moderate
References:  1213582

This update for python-apipkg provides python3-apipkg to SUSE Linux Enterprise Micro 5.2. 

Advisory ID: SUSE-SU-2023:3301-1
Released:    Mon Aug 14 07:24:59 2023
Summary:     Security update for libyajl
Type:        security
Severity:    moderate
References:  1212928,CVE-2023-33460
This update for libyajl fixes the following issues:

  - CVE-2023-33460: Fixed memory leak which could cause out-of-memory in server (bsc#1212928).

Advisory ID: SUSE-SU-2023:3313-1
Released:    Mon Aug 14 17:34:46 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1206418,1207129,1210627,1210780,1211131,1211738,1212502,1212604,1212901,1213167,1213272,1213287,1213304,1213585,1213586,1213588,1213620,1213653,1213713,1213715,1213747,1213756,1213759,1213777,1213810,1213812,1213842,1213856,1213857,1213863,1213867,1213870,1213871,CVE-2022-40982,CVE-2023-0459,CVE-2023-20569,CVE-2023-21400,CVE-2023-2156,CVE-2023-2166,CVE-2023-31083,CVE-2023-3268,CVE-2023-3567,CVE-2023-3609,CVE-2023-3611,CVE-2023-3776,CVE-2023-4004

The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security fixes and bug fixes.

The following security bugs were fixed:

- CVE-2022-40982: Fixed transient execution attack called 'Gather Data Sampling' (bsc#1206418).
- CVE-2023-0459: Fixed information leak in __uaccess_begin_nospec (bsc#1211738).
- CVE-2023-20569: Fixed side channel attack ‘Inception’ or ‘RAS Poisoning’ (bsc#1213287).
- CVE-2023-21400: Fixed several memory corruptions due to improper locking in io_uring (bsc#1213272).
- CVE-2023-2156: Fixed a flaw in the networking subsystem within the handling of the RPL protocol (bsc#1211131).
- CVE-2023-2166: Fixed NULL pointer dereference in can_rcv_filter (bsc#1210627).
- CVE-2023-31083: Fixed race condition in hci_uart_tty_ioctl (bsc#1210780).
- CVE-2023-3268: Fixed an out of bounds memory access flaw in relay_file_read_start_pos in the relayfs (bsc#1212502).
- CVE-2023-3567: Fixed a use-after-free in vcs_read in drivers/tty/vt/vc_screen.c (bsc#1213167).
- CVE-2023-3609: Fixed reference counter leak leading to overflow in net/sched (bsc#1213586).
- CVE-2023-3611: Fixed an out-of-bounds write in net/sched sch_qfq (bsc#1213585).
- CVE-2023-3776: Fixed improper refcount update in cls_fw leading to use-after-free (bsc#1213588).
- CVE-2023-4004: Fixed improper element removal in netfilter nft_set_pipapo (bsc#1213812).

The following non-security bugs were fixed:

- afs: Fix access after dec in put functions (git-fixes).
- afs: Fix afs_getattr() to refetch file status if callback break occurred (git-fixes).
- afs: Fix dynamic root getattr (git-fixes).
- afs: Fix fileserver probe RTT handling (git-fixes).
- afs: Fix infinite loop found by xfstest generic/676 (git-fixes).
- afs: Fix lost servers_outstanding count (git-fixes).
- afs: Fix server->active leak in afs_put_server (git-fixes).
- afs: Fix setting of mtime when creating a file/dir/symlink (git-fixes).
- afs: Fix updating of i_size with dv jump from server (git-fixes).
- afs: Fix vlserver probe RTT handling (git-fixes).
- afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked (git-fixes).
- afs: Use refcount_t rather than atomic_t (git-fixes).
- afs: Use the operation issue time instead of the reply time for callbacks (git-fixes).
- afs: adjust ack interpretation to try and cope with nat (git-fixes).
- alsa: emu10k1: roll up loops in dsp setup code for audigy (git-fixes).
- alsa: hda/realtek: support asus g713pv laptop (git-fixes).
- alsa: hda/relatek: enable mute led on hp 250 g8 (git-fixes).
- alsa: usb-audio: add quirk for microsoft modern wireless headset (bsc#1207129).
- alsa: usb-audio: update for native dsd support quirks (git-fixes).
- asoc: atmel: fix the 8k sample parameter in i2sc master (git-fixes).
- asoc: codecs: es8316: fix dmic config (git-fixes).
- asoc: da7219: check for failure reading aad irq events (git-fixes).
- asoc: da7219: flush pending aad irq when suspending (git-fixes).
- asoc: fsl_sai: disable bit clock with transmitter (git-fixes).
- asoc: fsl_spdif: silence output on stop (git-fixes).
- asoc: rt5682-sdw: fix for jd event handling in clockstop mode0 (git-fixes).
- asoc: rt711-sdca: fix for jd event handling in clockstop mode0 (git-fixes).
- asoc: rt711: fix for jd event handling in clockstop mode0 (git-fixes).
- asoc: wm8904: fill the cache for wm8904_adc_test_0 register (git-fixes).
- ata: pata_ns87415: mark ns87560_tf_read static (git-fixes).
- block, bfq: Fix division by zero error on zero wsum (bsc#1213653).
- block: Fix a source code comment in include/uapi/linux/blkzoned.h (git-fixes).
- can: gs_usb: gs_can_close(): add missing set of CAN state to CAN_STATE_STOPPED (git-fixes).
- ceph: do not let check_caps skip sending responses for revoke msgs (bsc#1213856).
- coda: Avoid partial allocation of sig_inputArgs (git-fixes).
- dlm: fix missing lkb refcount handling (git-fixes).
- dlm: fix plock invalid read (git-fixes).
- documentation: devices.txt: reconcile serial/ucc_uart minor numers (git-fixes).
- drm/amd/display: Disable MPC split by default on special asic (git-fixes).
- drm/amd/display: Keep PHY active for DP displays on DCN31 (git-fixes).
- drm/client: Fix memory leak in drm_client_modeset_probe (git-fixes).
- drm/msm/adreno: Fix snapshot BINDLESS_DATA size (git-fixes).
- drm/msm/dpu: drop enum dpu_core_perf_data_bus_id (git-fixes).
- drm/msm: Fix IS_ERR_OR_NULL() vs NULL check in a5xx_submit_in_rb() (git-fixes).
- drm/radeon: Fix integer overflow in radeon_cs_parser_init (git-fixes).
- file: always lock position for FMODE_ATOMIC_POS (bsc#1213759).
- fs: dlm: add midcomms init/start functions (git-fixes).
- fs: dlm: do not set stop rx flag after node reset (git-fixes).
- fs: dlm: filter user dlm messages for kernel locks (git-fixes).
- fs: dlm: fix log of lowcomms vs midcomms (git-fixes).
- fs: dlm: fix race between test_bit() and queue_work() (git-fixes).
- fs: dlm: fix race in lowcomms (git-fixes).
- fs: dlm: handle -EBUSY first in lock arg validation (git-fixes).
- fs: dlm: move sending fin message into state change handling (git-fixes).
- fs: dlm: retry accept() until -EAGAIN or error returns (git-fixes).
- fs: dlm: return positive pid value for F_GETLK (git-fixes).
- fs: dlm: start midcomms before scand (git-fixes).
- fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() (git-fixes).
- fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev (git-fixes).
- fs: jfs: check for read-only mounted filesystem in txbegin (git-fixes).
- fs: jfs: fix null-ptr-deref read in txbegin (git-fixes).
- gve: Set default duplex configuration to full (git-fixes).
- gve: unify driver name usage (git-fixes).
- hwmon: (k10temp) Enable AMD3255 Proc to show negative temperature (git-fixes).
- hwmon: (nct7802) Fix for temp6 (PECI1) processed even if PECI1 disabled (git-fixes).
- iavf: Fix out-of-bounds when setting channels on remove (git-fixes).
- iavf: Fix use-after-free in free_netdev (git-fixes).
- iavf: use internal state to free traffic IRQs (git-fixes).
- igc: Check if hardware TX timestamping is enabled earlier (git-fixes).
- igc: Enable and fix RX hash usage by netstack (git-fixes).
- igc: Fix Kernel Panic during ndo_tx_timeout callback (git-fixes).
- igc: Fix inserting of empty frame for launchtime (git-fixes).
- igc: Fix launchtime before start of cycle (git-fixes).
- igc: Fix race condition in PTP tx code (git-fixes).
- igc: Handle PPS start time programming for past time values (git-fixes).
- igc: Prevent garbled TX queue with XDP ZEROCOPY (git-fixes).
- igc: Remove delay during TX ring configuration (git-fixes).
- igc: Work around HW bug causing missing timestamps (git-fixes).
- igc: set TP bit in 'supported' and 'advertising' fields of ethtool_link_ksettings (git-fixes).
- input: i8042 - add clevo pcx0dx to i8042 quirk table (git-fixes).
- input: iqs269a - do not poll during ati (git-fixes).
- input: iqs269a - do not poll during suspend or resume (git-fixes).
- jffs2: GC deadlock reading a page that is used in jffs2_write_begin() (git-fixes).
- jffs2: fix memory leak in jffs2_do_fill_super (git-fixes).
- jffs2: fix memory leak in jffs2_do_mount_fs (git-fixes).
- jffs2: fix memory leak in jffs2_scan_medium (git-fixes).
- jffs2: fix use-after-free in jffs2_clear_xattr_subsystem (git-fixes).
- jffs2: reduce stack usage in jffs2_build_xattr_subsystem() (git-fixes).
- jfs: jfs_dmap: Validate db_l2nbperpage while mounting (git-fixes).
- kvm: arm64: do not read a hw interrupt pending state in user context (git-fixes)
- kvm: arm64: warn if accessing timer pending state outside of vcpu (bsc#1213620)
- kvm: do not null dereference ops->destroy (git-fixes)
- kvm: downgrade two bug_ons to warn_on_once (git-fixes)
- kvm: initialize debugfs_dentry when a vm is created to avoid null (git-fixes)
- kvm: s390: pv: fix index value of replaced asce (git-fixes bsc#1213867).
- kvm: vmx: inject #gp on encls if vcpu has paging disabled ( (git-fixes).
- kvm: vmx: inject #gp, not #ud, if sgx2 encls leafs are unsupported (git-fixes).
- kvm: vmx: restore vmx_vmexit alignment (git-fixes).
- kvm: x86: account fastpath-only vm-exits in vcpu stats (git-fixes).
- libceph: harden msgr2.1 frame segment length checks (bsc#1213857).
- media: staging: atomisp: select V4L2_FWNODE (git-fixes).
- net/sched: sch_qfq: refactor parsing of netlink parameters (bsc#1213585).
- net/sched: sch_qfq: reintroduce lmax bound check for MTU (bsc#1213585).
- net: ena: fix shift-out-of-bounds in exponential backoff (git-fixes).
- net: mana: Batch ringing RX queue doorbell on receiving packets (bsc#1212901).
- net: mana: Use the correct WQE count for ringing RQ doorbell (bsc#1212901).
- net: phy: marvell10g: fix 88x3310 power up (git-fixes).
- nfsd: add encoding of op_recall flag for write delegation (git-fixes).
- nfsd: fix double fget() bug in __write_ports_addfd() (git-fixes).
- nfsd: fix sparse warning (git-fixes).
- nfsd: remove open coding of string copy (git-fixes).
- nfsv4.1: always send a reclaim_complete after establishing lease (git-fixes).
- nfsv4.1: freeze the session table upon receiving nfs4err_badsession (git-fixes).
- nvme-pci: fix DMA direction of unmapping integrity data (git-fixes).
- nvme-pci: remove nvme_queue from nvme_iod (git-fixes).
- octeontx-af: fix hardware timestamp configuration (git-fixes).
- octeontx2-af: Move validation of ptp pointer before its usage (git-fixes).
- octeontx2-pf: Add additional check for MCAM rules (git-fixes).
- phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe() (git-fixes).
- pinctrl: amd: Do not show `Invalid config param` errors (git-fixes).
- pinctrl: amd: Use amd_pinconf_set() for all config options (git-fixes).
- platform/x86: msi-laptop: Fix rfkill out-of-sync on MSI Wind U100 (git-fixes).
- rdma/bnxt_re: fix hang during driver unload (git-fixes)
- rdma/bnxt_re: prevent handling any completions after qp destroy (git-fixes)
- rdma/core: update cma destination address on rdma_resolve_addr (git-fixes)
- rdma/irdma: add missing read barriers (git-fixes)
- rdma/irdma: fix data race on cqp completion stats (git-fixes)
- rdma/irdma: fix data race on cqp request done (git-fixes)
- rdma/irdma: fix op_type reporting in cqes (git-fixes)
- rdma/irdma: report correct wc error (git-fixes)
- rdma/mlx4: make check for invalid flags stricter (git-fixes)
- rdma/mthca: fix crash when polling cq for shared qps (git-fixes)
- regmap: Account for register length in SMBus I/O limits (git-fixes).
- regmap: Drop initial version of maximum transfer length fixes (git-fixes).
- revert 'debugfs, coccinelle: check for obsolete define_simple_attribute() usage' (git-fixes).
- revert 'nfsv4: retry lock on old_stateid during delegation return' (git-fixes).
- revert 'usb: dwc3: core: enable autoretry feature in the controller' (git-fixes).
- revert 'usb: gadget: tegra-xudc: fix error check in tegra_xudc_powerdomain_init()' (git-fixes).
- revert 'usb: xhci: tegra: fix error check' (git-fixes).
- revert 'xhci: add quirk for host controllers that do not update endpoint dcs' (git-fixes).
- rxrpc, afs: Fix selection of abort codes (git-fixes).
- s390/bpf: Add expoline to tail calls (git-fixes bsc#1213870).
- s390/dasd: fix hanging device after quiesce/resume (git-fixes bsc#1213810).
- s390/decompressor: specify __decompress() buf len to avoid overflow (git-fixes bsc#1213863).
- s390/ipl: add missing intersection check to ipl_report handling (git-fixes bsc#1213871).
- s390/qeth: Fix vipa deletion (git-fixes bsc#1213713).
- s390/vmem: fix empty page tables cleanup under KASAN (git-fixes bsc#1213715).
- s390: introduce nospec_uses_trampoline() (git-fixes bsc#1213870).
- scftorture: Count reschedule IPIs (git-fixes).
- scsi: lpfc: Abort outstanding ELS cmds when mailbox timeout error is detected (bsc#1213756).
- scsi: lpfc: Avoid -Wstringop-overflow warning (bsc#1213756).
- scsi: lpfc: Clean up SLI-4 sysfs resource reporting (bsc#1213756).
- scsi: lpfc: Copyright updates for patches (bsc#1213756).
- scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan() (bsc#1213756).
- scsi: lpfc: Fix incorrect big endian type assignment in bsg loopback path (bsc#1213756).
- scsi: lpfc: Fix incorrect big endian type assignments in FDMI and VMID paths (bsc#1213756).
- scsi: lpfc: Fix lpfc_name struct packing (bsc#1213756).
- scsi: lpfc: Make fabric zone discovery more robust when handling unsolicited LOGO (bsc#1213756).
- scsi: lpfc: Pull out fw diagnostic dump log message from driver's trace buffer (bsc#1213756).
- scsi: lpfc: Qualify ndlp discovery state when processing RSCN (bsc#1213756).
- scsi: lpfc: Refactor cpu affinity assignment paths (bsc#1213756).
- scsi: lpfc: Remove extra ndlp kref decrement in FLOGI cmpl for loop topology (bsc#1213756).
- scsi: lpfc: Replace all non-returning strlcpy() with strscpy() (bsc#1213756).
- scsi: lpfc: Replace one-element array with flexible-array member (bsc#1213756).
- scsi: lpfc: Revise ndlp kref handling for dev_loss_tmo_callbk and lpfc_drop_node (bsc#1213756).
- scsi: lpfc: Set Establish Image Pair service parameter only for Target Functions (bsc#1213756).
- scsi: lpfc: Simplify fcp_abort transport callback log message (bsc#1213756).
- scsi: lpfc: Update lpfc version to (bsc#1213756).
- scsi: lpfc: Use struct_size() helper (bsc#1213756).
- scsi: qla2xxx: Adjust IOCB resource on qpair create (bsc#1213747).
- scsi: qla2xxx: Array index may go out of bound (bsc#1213747).
- scsi: qla2xxx: Avoid fcport pointer dereference (bsc#1213747).
- scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport() (bsc#1213747).
- scsi: qla2xxx: Correct the index of array (bsc#1213747).
- scsi: qla2xxx: Drop useless LIST_HEAD (bsc#1213747).
- scsi: qla2xxx: Fix NULL pointer dereference in target mode (bsc#1213747).
- scsi: qla2xxx: Fix TMF leak through (bsc#1213747).
- scsi: qla2xxx: Fix buffer overrun (bsc#1213747).
- scsi: qla2xxx: Fix command flush during TMF (bsc#1213747).
- scsi: qla2xxx: Fix deletion race condition (bsc#1213747).
- scsi: qla2xxx: Fix end of loop test (bsc#1213747).
- scsi: qla2xxx: Fix erroneous link up failure (bsc#1213747).
- scsi: qla2xxx: Fix error code in qla2x00_start_sp() (bsc#1213747).
- scsi: qla2xxx: Fix potential NULL pointer dereference (bsc#1213747).
- scsi: qla2xxx: Fix session hang in gnl (bsc#1213747).
- scsi: qla2xxx: Limit TMF to 8 per function (bsc#1213747).
- scsi: qla2xxx: Pointer may be dereferenced (bsc#1213747).
- scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue (bsc#1213747).
- scsi: qla2xxx: Replace one-element array with DECLARE_FLEX_ARRAY() helper (bsc#1213747).
- scsi: qla2xxx: Silence a static checker warning (bsc#1213747).
- scsi: qla2xxx: Turn off noisy message log (bsc#1213747).
- scsi: qla2xxx: Update version to (bsc#1213747).
- scsi: qla2xxx: Update version to (bsc#1213747).
- scsi: qla2xxx: Use vmalloc_array() and vcalloc() (bsc#1213747).
- scsi: qla2xxx: fix inconsistent TMF timeout (bsc#1213747).
- serial: qcom-geni: drop bogus runtime pm state update (git-fixes).
- serial: sifive: Fix sifive_serial_console_setup() section (git-fixes).
- soundwire: qcom: update status correctly with mask (git-fixes).
- staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() (git-fixes).
- staging: r8712: Fix memory leak in _r8712_init_xmit_priv() (git-fixes).
- sunrpc: always free ctxt when freeing deferred request (git-fixes).
- sunrpc: double free xprt_ctxt while still in use (git-fixes).
- sunrpc: fix trace_svc_register() call site (git-fixes).
- sunrpc: fix uaf in svc_tcp_listen_data_ready() (git-fixes).
- sunrpc: remove dead code in svc_tcp_release_rqst() (git-fixes).
- sunrpc: remove the maximum number of retries in call_bind_status (git-fixes).
- svcrdma: Prevent page release when nothing was received (git-fixes).
- tpm_tis: Explicitly check for error code (git-fixes).
- tty: n_gsm: fix UAF in gsm_cleanup_mux (git-fixes).
- ubifs: Add missing iput if do_tmpfile() failed in rename whiteout (git-fixes).
- ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers (git-fixes).
- ubifs: Fix 'ui->dirty' race between do_tmpfile() and writeback work (git-fixes).
- ubifs: Fix AA deadlock when setting xattr for encrypted file (git-fixes).
- ubifs: Fix build errors as symbol undefined (git-fixes).
- ubifs: Fix deadlock in concurrent rename whiteout and inode writeback (git-fixes).
- ubifs: Fix memory leak in alloc_wbufs() (git-fixes).
- ubifs: Fix memory leak in do_rename (git-fixes).
- ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock() (git-fixes).
- ubifs: Fix to add refcount once page is set private (git-fixes).
- ubifs: Fix wrong dirty space budget for dirty inode (git-fixes).
- ubifs: Free memory for tmpfile name (git-fixes).
- ubifs: Rectify space amount budget for mkdir/tmpfile operations (git-fixes).
- ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted (git-fixes).
- ubifs: Rectify space budget for ubifs_xrename() (git-fixes).
- ubifs: Rename whiteout atomically (git-fixes).
- ubifs: Reserve one leb for each journal head while doing budget (git-fixes).
- ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1 (git-fixes).
- ubifs: rename_whiteout: Fix double free for whiteout_ui->data (git-fixes).
- ubifs: rename_whiteout: correct old_dir size computing (git-fixes).
- ubifs: setflags: Make dirtied_ino_d 8 bytes aligned (git-fixes).
- ubifs: ubifs_writepage: Mark page dirty after writing inode failed (git-fixes).
- usb: dwc3: do not reset device side if dwc3 was configured as host-only (git-fixes).
- usb: dwc3: pci: skip BYT GPIO lookup table for hardwired phy (git-fixes).
- usb: gadget: core: remove unbalanced mutex_unlock in usb_gadget_activate (git-fixes).
- usb: xhci-mtk: set the dma max_seg_size (git-fixes).
- vhost: support PACKED when setting-getting vring_base (git-fixes).
- vhost_net: revert upend_idx only on retriable error (git-fixes).
- virtio-net: Maintain reverse cleanup order (git-fixes).
- virtio_net: Fix error unwinding of XDP initialization (git-fixes).
- x86/PVH: obtain VGA console info in Dom0 (git-fixes).
- xen/blkfront: Only check REQ_FUA for writes (git-fixes).
- xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() (git-fixes).

Advisory ID: SUSE-SU-2023:3327-1
Released:    Wed Aug 16 08:45:25 2023
Summary:     Security update for pcre2
Type:        security
Severity:    moderate
References:  1213514,CVE-2022-41409
This update for pcre2 fixes the following issues:

  - CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514).

Advisory ID: SUSE-RU-2023:3330-1
Released:    Wed Aug 16 08:59:33 2023
Summary:     Recommended update for python-pyasn1
Type:        recommended
Severity:    important
References:  1207805
This update for python-pyasn1 fixes the following issues:

- To avoid users of this package having to recompile bytecode
  files, change the mtime of any (bsc#1207805)

Advisory ID: SUSE-SU-2023:3363-1
Released:    Fri Aug 18 14:54:16 2023
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1214054,CVE-2023-36054
This update for krb5 fixes the following issues:

- CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remote user. (bsc#1214054)

Advisory ID: SUSE-SU-2023:3369-1
Released:    Tue Aug 22 11:12:02 2023
Summary:     Security update for python-configobj
Type:        security
Severity:    low
References:  1210070,CVE-2023-26112
This update for python-configobj fixes the following issues:

- CVE-2023-26112: Fixed regular expression denial of service vulnerability in (bsc#1210070).

Advisory ID: SUSE-RU-2023:3371-1
Released:    Tue Aug 22 13:30:18 2023
Summary:     Recommended update for liblognorm
Type:        recommended
Severity:    moderate
This update for liblognorm fixes the following issues:

- Update to liblognorm v2.0.6 (jsc#PED-4883)

Advisory ID: SUSE-RU-2023:3372-1
Released:    Tue Aug 22 13:44:38 2023
Summary:     Recommended update for rsyslog
Type:        recommended
Severity:    moderate
References:  1211757,1213212
This update for rsyslog fixes the following issues:

- Fix removal of imfile state files (bsc#1213212)
- Fix segfaults in modExit() of imklog.c (bsc#1211757)

Advisory ID: SUSE-SU-2023:3395-1
Released:    Wed Aug 23 18:09:24 2023
Summary:     Security update for xen
Type:        security
Severity:    moderate
References:  1027519,1213616,1214082,1214083,CVE-2022-40982,CVE-2023-20569,CVE-2023-20593
This update for xen fixes the following issues:

- CVE-2023-20569: Fixed side channel attack Inception or RAS Poisoning. (bsc#1214082, XSA-434)
- CVE-2022-40982: Fixed transient execution attack called 'Gather Data Sampling'. (bsc#1214083, XSA-435)
- CVE-2023-20593: Fixed a ZenBleed issue in 'Zen 2' CPUs that could allow an attacker to potentially access sensitive information. (bsc#1213616, XSA-433)

Advisory ID: SUSE-SU-2023:3397-1
Released:    Wed Aug 23 18:35:56 2023
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1213517,1213853,CVE-2023-3817
This update for openssl-1_1 fixes the following issues:

- CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853)
- Don't pass zero length input to EVP_Cipher because s390x assembler optimized AES cannot handle zero size. (bsc#1213517)

Advisory ID: SUSE-RU-2023:3410-1
Released:    Thu Aug 24 06:56:32 2023
Summary:     Recommended update for audit
Type:        recommended
Severity:    moderate
References:  1201519,1204844
This update for audit fixes the following issues:

- Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
- Fix rules not loaded when restarting auditd.service (bsc#1204844)

Advisory ID: SUSE-SU-2023:3440-1
Released:    Mon Aug 28 08:57:10 2023
Summary:     Security update for gawk
Type:        security
Severity:    low
References:  1214025,CVE-2023-4156
This update for gawk fixes the following issues:

- CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. (bsc#1214025)

Advisory ID: SUSE-RU-2023:3451-1
Released:    Mon Aug 28 12:15:22 2023
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1186606,1194609,1208194,1209741,1210702,1211576,1212434,1213185,1213575,1213873
This update for systemd fixes the following issues:

- Fix reboot and shutdown issues by getting only active MD arrays (bsc#1211576, bsc#1212434, bsc#1213575)
- Decrease devlink priority for iso disks (bsc#1213185)
- Do not ignore mount point paths longer than 255 characters (bsc#1208194)
- Refuse hibernation if there's no possible way to resume (bsc#1186606)
- Update 'korean' and 'arabic' keyboard layouts (bsc#1210702)
- Drop some entries no longer needed by YaST (bsc#1194609)
- The 'systemd --user' instances get their own session keyring instead of the user default one (bsc#1209741)
- Dynamically allocate receive buffer to handle large amount of mounts (bsc#1213873)

Advisory ID: SUSE-RU-2023:3452-1
Released:    Mon Aug 28 12:41:11 2023
Summary:     Recommended update for supportutils-plugin-suse-public-cloud
Type:        recommended
Severity:    moderate
References:  1213951
This update for supportutils-plugin-suse-public-cloud fixes the following issues:

- Update from version 1.0.7 to 1.0.8 (bsc#1213951)
  - Capture CSP billing adapter config and log
  - Accept upper case Amazon string in DMI table

Advisory ID: SUSE-SU-2023:3454-1
Released:    Mon Aug 28 13:43:18 2023
Summary:     Security update for ca-certificates-mozilla
Type:        security
Severity:    important
References:  1214248
This update for ca-certificates-mozilla fixes the following issues:

- Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248)
  - Atos TrustedRoot Root CA ECC G2 2020
  - Atos TrustedRoot Root CA ECC TLS 2021
  - Atos TrustedRoot Root CA RSA G2 2020
  - Atos TrustedRoot Root CA RSA TLS 2021
  - BJCA Global Root CA1
  - BJCA Global Root CA2
  - LAWtrust Root CA2 (4096)
  - Sectigo Public Email Protection Root E46
  - Sectigo Public Email Protection Root R46
  - Sectigo Public Server Authentication Root E46
  - Sectigo Public Server Authentication Root R46
  - Client ECC Root CA 2022
  - Client RSA Root CA 2022
  - TLS ECC Root CA 2022
  - TLS RSA Root CA 2022
  Removed CAs:
  - Chambers of Commerce Root
  - E-Tugra Certification Authority
  - E-Tugra Global Root CA ECC v3
  - E-Tugra Global Root CA RSA v3
  - Hongkong Post Root CA 1

Advisory ID: SUSE-SU-2023:3461-1
Released:    Mon Aug 28 17:25:09 2023
Summary:     Security update for freetype2
Type:        security
Severity:    moderate
References:  1210419,CVE-2023-2004
This update for freetype2 fixes the following issues:

- CVE-2023-2004: Fixed integer overflow in tt_hvadvance_adjust (bsc#1210419).

Advisory ID: SUSE-RU-2023:3468-1
Released:    Tue Aug 29 09:22:18 2023
Summary:     Recommended update for python3
Type:        recommended
Severity:    low
This update for python3 fixes the following issue:

- Rename sources in preparation of python3.11 (jsc#PED-68)

Advisory ID: SUSE-RU-2023:3470-1
Released:    Tue Aug 29 10:49:33 2023
Summary:     Recommended update for parted
Type:        recommended
Severity:    low
References:  1182142,1193412
This update for parted fixes the following issues:

- fix null pointer dereference (bsc#1193412)
- update mkpart options in manpage (bsc#1182142)

Advisory ID: SUSE-SU-2023:3472-1
Released:    Tue Aug 29 10:55:16 2023
Summary:     Security update for procps
Type:        security
Severity:    low
References:  1214290,CVE-2023-4016
This update for procps fixes the following issues:

- CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290).

Advisory ID: SUSE-feature-2023:3484-1
Released:    Tue Aug 29 13:49:29 2023
Summary:     Feature update for bind
Type:        feature
Severity:    moderate
References:  1213049
This update for bind fixes the following issues:

- Add dnstap support (jsc#PED-4852, jsc#PED-4853)
- Log named-checkconf output (bsc#1213049)
- Update to release 9.16.43

Advisory ID: SUSE-RU-2023:3486-1
Released:    Tue Aug 29 14:25:23 2023
Summary:     Recommended update for lvm2
Type:        recommended
Severity:    moderate
References:  1214071
This update for lvm2 fixes the following issues:

- blkdeactivate calls wrong mountpoint cmd (bsc#1214071)

Advisory ID: SUSE-RU-2023:3514-1
Released:    Fri Sep  1 15:48:52 2023
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1158763,1210740,1213231,1213557,1213673
This update for libzypp, zypper fixes the following issues:

- Fix occasional issue with downloading very small files (bsc#1213673)
- Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231)
- Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763)
- Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740)
- Revised explanation of --force-resolution in man page (bsc#1213557)
- Print summary hint if policies were violated due to --force-resolution (bsc#1213557)

The following package changes have been done:

- apparmor-abstractions-3.0.4-150400.5.6.1 updated
- apparmor-parser-3.0.4-150400.5.6.1 updated
- audit-3.0.6-150400.4.13.1 updated
- bind-utils-9.16.43-150400.5.34.1 updated
- blog-2.26-150300.4.6.1 updated
- ca-certificates-mozilla-2.62-150200.30.1 updated
- cloud-init-config-suse-23.1-150100.8.66.1 updated
- cloud-init-23.1-150100.8.66.1 updated
- gawk-4.2.1-150000.3.3.1 updated
- kernel-default-5.14.21-150400.24.81.1 updated
- krb5-1.19.2-150400.3.6.1 updated
- libapparmor1-3.0.4-150400.5.6.1 updated
- libaudit1-3.0.6-150400.4.13.1 updated
- libauparse0-3.0.6-150400.4.13.1 updated
- libblkid1-2.37.2-150400.8.20.1 updated
- libblogger2-2.26-150300.4.6.1 updated
- libcryptsetup12-2.4.3-150400.3.3.1 updated
- libdevmapper1_03-2.03.05_1.02.163-150400.188.1 updated
- libfdisk1-2.37.2-150400.8.20.1 updated
- libfreetype6-2.10.4-150000.4.15.1 updated
- libfstrm0-0.6.1-150300.9.3.1 added
- liblognorm5-2.0.6-150000.3.3.1 updated
- libmount1-2.37.2-150400.8.20.1 updated
- libopenssl1_1-1.1.1l-150400.7.53.1 updated
- libparted0-3.2-150300.21.3.1 updated
- libpcre2-8-0-10.39-150400.4.9.1 updated
- libprocps7-3.3.15-150000.7.34.1 updated
- libprotobuf-c1-1.3.2-150200.3.6.1 added
- libsmartcols1-2.37.2-150400.8.20.1 updated
- libsystemd0-249.16-150400.8.33.1 updated
- libudev1-249.16-150400.8.33.1 updated
- libuuid1-2.37.2-150400.8.20.1 updated
- libxslt1-1.1.34-150400.3.3.1 added
- libyajl2-2.1.0-150000.4.6.1 updated
- libzypp-17.31.20-150400.3.40.1 updated
- login_defs-4.8.1-150400.10.9.1 updated
- openssl-1_1-1.1.1l-150400.7.53.1 updated
- parted-3.2-150300.21.3.1 updated
- procps-3.3.15-150000.7.34.1 updated
- python-instance-billing-flavor-check-0.0.2-150000.1.3.1 added
- python3-apipkg-1.4-150000.3.6.1 updated
- python3-bind-9.16.43-150400.5.34.1 updated
- python3-configobj-5.0.6-150000.3.3.1 updated
- python3-cssselect-1.0.3-150000.3.3.1 added
- python3-lxml-4.7.1-150200.3.10.1 added
- python3-more-itertools-8.10.0-150400.5.69 updated
- python3-ordered-set-4.0.2-150400.8.34 updated
- python3-pyOpenSSL-21.0.0-150400.7.62 updated
- python3-pyasn1-0.4.2-150000.3.5.1 updated
- rsyslog-module-relp-8.2306.0-150400.5.18.1 updated
- rsyslog-8.2306.0-150400.5.18.1 updated
- shadow-4.8.1-150400.10.9.1 updated
- supportutils-plugin-suse-public-cloud-1.0.8-150000.3.17.1 updated
- system-group-audit-3.0.6-150400.4.13.1 updated
- systemd-sysvinit-249.16-150400.8.33.1 updated
- systemd-249.16-150400.8.33.1 updated
- udev-249.16-150400.8.33.1 updated
- util-linux-systemd-2.37.2-150400.8.20.1 updated
- util-linux-2.37.2-150400.8.20.1 updated
- vim-data-common-9.0.1572-150000.5.49.1 updated
- vim-9.0.1572-150000.5.49.1 updated
- xen-libs-4.16.5_02-150400.4.31.1 updated
- xen-tools-domU-4.16.5_02-150400.4.31.1 updated
- zypper-1.14.63-150400.3.29.1 updated
