From sle-updates at lists.suse.com Tue Jun 2 07:15:22 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 2 Jun 2020 15:15:22 +0200 (CEST)
Subject: SUSE-SU-2020:1514-1: moderate: Security update for qemu
Message-ID: <20200602131522.B54BFFCEC@maintenance.suse.de>

   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1514-1
Rating:             moderate
References:         #1123156 #1146873 #1149811 #1161066 #1163018 #1166240 #1170940
Cross-References:   CVE-2019-12068 CVE-2019-15890 CVE-2019-6778 CVE-2020-1711 CVE-2020-1983 CVE-2020-7039 CVE-2020-8608
Affected Products:
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP1-LTSS
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   This update for qemu fixes the following issues:

   Security issues fixed:

   - CVE-2020-1711: Fixed a potential OOB access in the iSCSI client code (bsc#1166240).
   - CVE-2019-12068: Fixed a potential DoS in the LSI SCSI controller emulation (bsc#1146873).
   - CVE-2020-1983: Fixed a use-after-free in the ip_reass function of slirp (bsc#1170940).
   - CVE-2020-8608: Fixed a potential OOB access in slirp (bsc#1163018).
   - CVE-2020-7039: Fixed a potential OOB access in slirp (bsc#1161066).
   - CVE-2019-15890: Fixed a use-after-free during packet reassembly in slirp (bsc#1149811).
   - Fixed multiple potential DoS issues in SLIRP, similar to CVE-2019-6778 (bsc#1123156).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 12-SP1:

      zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1514=1

   - SUSE Linux Enterprise Server 12-SP1-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-1514=1

Package List:

   - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

      qemu-2.3.1-33.29.1
      qemu-block-curl-2.3.1-33.29.1
      qemu-block-curl-debuginfo-2.3.1-33.29.1
      qemu-block-rbd-2.3.1-33.29.1
      qemu-block-rbd-debuginfo-2.3.1-33.29.1
      qemu-debugsource-2.3.1-33.29.1
      qemu-guest-agent-2.3.1-33.29.1
      qemu-guest-agent-debuginfo-2.3.1-33.29.1
      qemu-kvm-2.3.1-33.29.1
      qemu-lang-2.3.1-33.29.1
      qemu-tools-2.3.1-33.29.1
      qemu-tools-debuginfo-2.3.1-33.29.1
      qemu-x86-2.3.1-33.29.1

   - SUSE Linux Enterprise Server for SAP 12-SP1 (noarch):

      qemu-ipxe-1.0.0-33.29.1
      qemu-seabios-1.8.1-33.29.1
      qemu-sgabios-8-33.29.1
      qemu-vgabios-1.8.1-33.29.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

      qemu-2.3.1-33.29.1
      qemu-block-curl-2.3.1-33.29.1
      qemu-block-curl-debuginfo-2.3.1-33.29.1
      qemu-debugsource-2.3.1-33.29.1
      qemu-guest-agent-2.3.1-33.29.1
      qemu-guest-agent-debuginfo-2.3.1-33.29.1
      qemu-lang-2.3.1-33.29.1
      qemu-tools-2.3.1-33.29.1
      qemu-tools-debuginfo-2.3.1-33.29.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64):

      qemu-kvm-2.3.1-33.29.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le):

      qemu-ppc-2.3.1-33.29.1
      qemu-ppc-debuginfo-2.3.1-33.29.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):

      qemu-block-rbd-2.3.1-33.29.1
      qemu-block-rbd-debuginfo-2.3.1-33.29.1
      qemu-x86-2.3.1-33.29.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (noarch):

      qemu-ipxe-1.0.0-33.29.1
      qemu-seabios-1.8.1-33.29.1
      qemu-sgabios-8-33.29.1
      qemu-vgabios-1.8.1-33.29.1

   - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x):

      qemu-s390-2.3.1-33.29.1
      qemu-s390-debuginfo-2.3.1-33.29.1

References:

   https://www.suse.com/security/cve/CVE-2019-12068.html
   https://www.suse.com/security/cve/CVE-2019-15890.html
   https://www.suse.com/security/cve/CVE-2019-6778.html
   https://www.suse.com/security/cve/CVE-2020-1711.html
   https://www.suse.com/security/cve/CVE-2020-1983.html
   https://www.suse.com/security/cve/CVE-2020-7039.html
   https://www.suse.com/security/cve/CVE-2020-8608.html
   https://bugzilla.suse.com/1123156
   https://bugzilla.suse.com/1146873
   https://bugzilla.suse.com/1149811
   https://bugzilla.suse.com/1161066
   https://bugzilla.suse.com/1163018
   https://bugzilla.suse.com/1166240
   https://bugzilla.suse.com/1170940

From sle-updates at lists.suse.com Tue Jun 2 10:13:49 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 2 Jun 2020 18:13:49 +0200 (CEST)
Subject: SUSE-SU-2020:1516-1: moderate: Security update for qemu
Message-ID: <20200602161349.98439FCEC@maintenance.suse.de>

   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1516-1
Rating:             moderate
References:         #1167816 #1170940
Cross-References:   CVE-2020-1983
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that solves one vulnerability and has one errata is now available.

Description:

   This update for qemu fixes the following issues:

   Security issue fixed:

   - CVE-2020-1983: Fixed a use-after-free in the ip_reass function of slirp (bsc#1170940).

   Non-security issue fixed:

   - Fixed an issue where limiting the memory bandwidth was not possible (bsc#1167816).
   - Miscellaneous fixes to the in-package support documentation.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1516=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      qemu-3.1.1.1-3.14.1
      qemu-audio-alsa-3.1.1.1-3.14.1
      qemu-audio-alsa-debuginfo-3.1.1.1-3.14.1
      qemu-audio-oss-3.1.1.1-3.14.1
      qemu-audio-oss-debuginfo-3.1.1.1-3.14.1
      qemu-audio-pa-3.1.1.1-3.14.1
      qemu-audio-pa-debuginfo-3.1.1.1-3.14.1
      qemu-audio-sdl-3.1.1.1-3.14.1
      qemu-audio-sdl-debuginfo-3.1.1.1-3.14.1
      qemu-block-curl-3.1.1.1-3.14.1
      qemu-block-curl-debuginfo-3.1.1.1-3.14.1
      qemu-block-iscsi-3.1.1.1-3.14.1
      qemu-block-iscsi-debuginfo-3.1.1.1-3.14.1
      qemu-block-ssh-3.1.1.1-3.14.1
      qemu-block-ssh-debuginfo-3.1.1.1-3.14.1
      qemu-debugsource-3.1.1.1-3.14.1
      qemu-guest-agent-3.1.1.1-3.14.1
      qemu-guest-agent-debuginfo-3.1.1.1-3.14.1
      qemu-lang-3.1.1.1-3.14.1
      qemu-tools-3.1.1.1-3.14.1
      qemu-tools-debuginfo-3.1.1.1-3.14.1
      qemu-ui-curses-3.1.1.1-3.14.1
      qemu-ui-curses-debuginfo-3.1.1.1-3.14.1
      qemu-ui-gtk-3.1.1.1-3.14.1
      qemu-ui-gtk-debuginfo-3.1.1.1-3.14.1
      qemu-ui-sdl-3.1.1.1-3.14.1
      qemu-ui-sdl-debuginfo-3.1.1.1-3.14.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 x86_64):

      qemu-block-rbd-3.1.1.1-3.14.1
      qemu-block-rbd-debuginfo-3.1.1.1-3.14.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

      qemu-kvm-3.1.1.1-3.14.1

   - SUSE Linux Enterprise Server 12-SP5 (ppc64le):

      qemu-ppc-3.1.1.1-3.14.1
      qemu-ppc-debuginfo-3.1.1.1-3.14.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64):

      qemu-arm-3.1.1.1-3.14.1
      qemu-arm-debuginfo-3.1.1.1-3.14.1

   - SUSE Linux Enterprise Server 12-SP5 (noarch):

      qemu-ipxe-1.0.0+-3.14.1
      qemu-seabios-1.12.0-3.14.1
      qemu-sgabios-8-3.14.1
      qemu-vgabios-1.12.0-3.14.1

   - SUSE Linux Enterprise Server 12-SP5 (x86_64):

      qemu-x86-3.1.1.1-3.14.1

   - SUSE Linux Enterprise Server 12-SP5 (s390x):

      qemu-s390-3.1.1.1-3.14.1
      qemu-s390-debuginfo-3.1.1.1-3.14.1

References:

   https://www.suse.com/security/cve/CVE-2020-1983.html
   https://bugzilla.suse.com/1167816
   https://bugzilla.suse.com/1170940

From sle-updates at lists.suse.com Tue Jun 2 16:13:35 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 3 Jun 2020 00:13:35 +0200 (CEST)
Subject: SUSE-RU-2020:1520-1: moderate: Recommended update for psqlODBC
Message-ID: <20200602221335.81035FFCF@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for psqlODBC
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:1520-1
Rating:             moderate
References:         #1166821
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for psqlODBC provides the following fixes:

   - Update to 12.01.0000:
     * Fix the bug that causes "Error : A parameter cannot be found that matches parameter name".
       + Enclose the command part * Find_VSDir $vc_ver * with parentheses so that the subsequent * -ne "" * isn't considered to be a parameter.
     * Cope with the removal of pg_class.relhasoids in PG12 correctly when retrieving updatable cursors.

   - Changes in 12.00.0000:
     * Fix the bug that SQLGetDescField() for Field SQL_DESC_COUNT returns SQLINTEGER value which should be of type SQLSMALLINT.
     * SQLGetTypeInfo() filters SQL_TYPE_DATE, SQL_TYPE_TIME and SQL_TYPE_TIMESTAMP for ODBC 2.x applications.
     * Added support for scalar functions TIMESTAMPADD(), TIMESTAMPDIFF() and EXTRACT().
     * The macro IS_NOT_SPACE() is used for not pointers but integers.
     * Fix a crash bug when SQLProcedureColumns() handles satisfies_hash_partition(). The proargmodes column of satisfies_hash_partition()'s pg_proc entry is not null but the proallargtypes column is null.

   - Changes in 11.01.0000:
     * Correct the rgbInfoValue returned by SQLGetInfo(SQL_TIMEDATE_FUNCTIONS, ..).
     * Because the field 'relhasoids' was dropped in PG12, psqlodbc drivers would have some problems with PG12 servers.
     * Register drivers {PostgreSQL ANSI} and {PostgreSQL Unicode} during installation on 64bit Windows so that users could use the same connection strings in both x86 and x64 environments.
     * Correct the rgbInfoValue returned by SQLGetInfo(SQL_LIKE_ESCAPE_CLAUSE, ..).
     * Fix a typo in SQLForeignKeys-ResultSet-Column. 'deferrablity' should be 'DEFERRABILITY'.
     * Correct the rgbInfoValue returned by SQLGetInfo(.., SQL_NUMERIC_FUNCTIONS(SQL_SYSTEM_FUNCTIONS or SQL_STRING_FUNCTIONS, ..).
     * Bug fix: do not forget to set parameter numbers while handling escaped ODBC functions.
     * Fix test_connection() in setup.c so that settings of conn_settings and pqopt option are reflected properly.

   - Changes in 11.00.0000:
     * Remove obsolete maps pointed out.
     * Remove connSettings option and/or pqopt option from the OutConnectionString parameter of SQLDriverConnect() when each option doesn't exist in InConnectionString parameter.
     * The parameters should be cast because parameters of concat() function are variadic "any".
     * Add an alias DX of *Database* keyword for connection strings to avoid the use of "database" keyword which has a special meaning in some apps or middlewares.
     * Numeric items without precision are unlimited and there's no natural map between SQL data types. Add an option *Numeric(without precision) as*
     * Fix a bug that SQLSpecialColumns() returns oid/xmin incorrectly when a table does not exist.

   - Fix build with PostgreSQL 11 that does not have pg_config in the regular devel package anymore. (bsc#1166821)

   - Changes in 10.03.0000:
     * Put back the handling of lock_CC_for_rb variable. The variable lock_CC_for_rb should be held per connection.
     * Fix SQLGetTypeInfo() so that it filters SQL_TYPE_DATE, SQL_TYPE_TIME or SQL_TYPE_TIMESTAMP for ODBC 2.x applications.
     * Revise ConfigDSN() so that it handles the 4th parameter(lpszAttribues) correctly.
     * Fix a crash bug when handling error messages. Also modified some error messages.
     * Let SQLTables() or SQLTablePrivileges() show partition tables.
     * Fix build on Solaris defined(__SUNPRO_C) using Solaris Studio.
     * Reduce DB access to pg_class or pg_index by caching relhasoids, relhassubclass etc. It would improve the performance of SQLSetPos() or SQLBulkOperations() very much in some cases.

   - Changes in 10.02.0000:
     * It's safer to call setlocale(LC_CTYPE, "") than calling setlocale(LC_ALL, "")
     * Avoid replacing effective notice messages.
     * Handle MALLOC/REALLOC errors while fetching tuples more effectively.
     * Make SQLSetPos(SQL_DELETE/SQL_REFRESH) more effective. Because queries calling currtid(2) like select .. from .. where ctid=currtid2(.., ..) cause Seq Scan, their execution may be very slow. It is better to execute queries using subqueries like select .. from .. where ctid=(select currtid2(.., ..)) because they cause Tid Scan.
     * Fix a crash bug in AddDeleted().

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1520=1

Package List:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      psqlODBC-12.01.0000-3.6.1
      psqlODBC-debuginfo-12.01.0000-3.6.1
      psqlODBC-debugsource-12.01.0000-3.6.1

References:

   https://bugzilla.suse.com/1166821

From sle-updates at lists.suse.com Tue Jun 2 16:14:28 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 3 Jun 2020 00:14:28 +0200 (CEST)
Subject: SUSE-RU-2020:1518-1: Recommended update for ipmctl
Message-ID: <20200602221428.94723FFCF@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for ipmctl
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:1518-1
Rating:             low
References:         #1158619
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for ipmctl adds man pages to this package. (bsc#1158619)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1518=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1518=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1518=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1518=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (x86_64):

      ipmctl-debuginfo-01.00.00.3440-3.11.1
      ipmctl-debugsource-01.00.00.3440-3.11.1
      ipmctl-devel-01.00.00.3440-3.11.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (x86_64):

      ipmctl-debuginfo-01.00.00.3440-3.11.1
      ipmctl-debugsource-01.00.00.3440-3.11.1
      ipmctl-devel-01.00.00.3440-3.11.1

   - SUSE Linux Enterprise Server 12-SP5 (x86_64):

      ipmctl-01.00.00.3440-3.11.1
      ipmctl-debuginfo-01.00.00.3440-3.11.1
      ipmctl-debugsource-01.00.00.3440-3.11.1
      ipmctl-monitor-01.00.00.3440-3.11.1
      ipmctl-monitor-debuginfo-01.00.00.3440-3.11.1

   - SUSE Linux Enterprise Server 12-SP4 (x86_64):

      ipmctl-01.00.00.3440-3.11.1
      ipmctl-debuginfo-01.00.00.3440-3.11.1
      ipmctl-debugsource-01.00.00.3440-3.11.1
      ipmctl-monitor-01.00.00.3440-3.11.1
      ipmctl-monitor-debuginfo-01.00.00.3440-3.11.1

References:

   https://bugzilla.suse.com/1158619

From sle-updates at lists.suse.com Tue Jun 2 16:15:20 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 3 Jun 2020 00:15:20 +0200 (CEST)
Subject: SUSE-OU-2020:1519-1: moderate: Optional update for psqlODBC
Message-ID: <20200602221520.E912EFFCF@maintenance.suse.de>

   SUSE Optional Update: Optional update for psqlODBC
______________________________________________________________________________

Announcement ID:    SUSE-OU-2020:1519-1
Rating:             moderate
References:         #1062860 #1166821 #420850
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

   An update that has three optional fixes can now be installed.

Description:

   This update adds psqlODBC to the SUSE Linux Enterprise 12-SP5. (jsc#SLE-10749, jsc#ECO-671)

Patch Instructions:

   To install this SUSE Optional Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1519=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      psqlODBC-12.01.0000-1.3.1
      psqlODBC-debuginfo-12.01.0000-1.3.1
      psqlODBC-debugsource-12.01.0000-1.3.1

References:

   https://bugzilla.suse.com/1062860
   https://bugzilla.suse.com/1166821
   https://bugzilla.suse.com/420850

From sle-updates at lists.suse.com Tue Jun 2 16:16:23 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 3 Jun 2020 00:16:23 +0200 (CEST)
Subject: SUSE-RU-2020:1517-1: important: Recommended update for yast2-product-creator
Message-ID: <20200602221623.ED499FFCF@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for yast2-product-creator
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:1517-1
Rating:             important
References:         #1165247
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for yast2-product-creator fixes the following issues:

   - Removing incompatible language files before creating the image. (bsc#1165247)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1517=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1517=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):

      yast2-product-creator-3.2.3-4.3.1

   - SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch):

      yast2-product-creator-3.2.3-4.3.1

References:

   https://bugzilla.suse.com/1165247

From sle-updates at lists.suse.com Wed Jun 3 04:14:03 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 3 Jun 2020 12:14:03 +0200 (CEST)
Subject: SUSE-RU-2020:1521-1: moderate: Recommended update for gstreamer
Message-ID: <20200603101403.6478BFCEC@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for gstreamer
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:1521-1
Rating:             moderate
References:         #1049452 #1172018
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for gstreamer fixes the following issues:

   - create separate gst-plugin-scanner- binaries, for multiarch use, like e.g. needed for Wine in openSUSE Leap 15.1 (bsc#1049452 bsc#1172018)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1521=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1521=1

Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      gstreamer-debuginfo-1.12.5-3.11.1
      gstreamer-debugsource-1.12.5-3.11.1
      gstreamer-devel-1.12.5-3.11.1
      gstreamer-utils-1.12.5-3.11.1
      gstreamer-utils-debuginfo-1.12.5-3.11.1
      typelib-1_0-Gst-1_0-1.12.5-3.11.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      gstreamer-1.12.5-3.11.1
      gstreamer-debuginfo-1.12.5-3.11.1
      gstreamer-debugsource-1.12.5-3.11.1
      libgstreamer-1_0-0-1.12.5-3.11.1
      libgstreamer-1_0-0-debuginfo-1.12.5-3.11.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

      gstreamer-lang-1.12.5-3.11.1

References:

   https://bugzilla.suse.com/1049452
   https://bugzilla.suse.com/1172018

From sle-updates at lists.suse.com Wed Jun 3 04:15:07 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 3 Jun 2020 12:15:07 +0200 (CEST)
Subject: SUSE-SU-2020:1523-1: moderate: Security update for qemu
Message-ID: <20200603101507.E5EE5FCEC@maintenance.suse.de>

   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1523-1
Rating:             moderate
References:         #1123156 #1161066 #1163018 #1165776 #1166240 #1170940
Cross-References:   CVE-2019-20382 CVE-2019-6778 CVE-2020-1711 CVE-2020-1983 CVE-2020-7039 CVE-2020-8608
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that fixes 6 vulnerabilities is now available.

Description:

   This update for qemu fixes the following issues:

   Security issues fixed:

   - CVE-2020-1983: Fixed a use-after-free in the ip_reass function of slirp (bsc#1170940).
   - CVE-2019-20382: Fixed a potential DoS due to a memory leak in VNC disconnect (bsc#1165776).
   - CVE-2020-1711: Fixed a potential OOB access in the iSCSI client code (bsc#1166240).
   - CVE-2020-8608: Fixed a potential OOB access in slirp (bsc#1163018).
   - CVE-2020-7039: Fixed a potential OOB access in slirp (bsc#1161066).
   - Fixed multiple potential DoS issues in SLIRP, similar to CVE-2019-6778 (bsc#1123156).

   Non-security issue fixed:

   - Miscellaneous fixes to the in-package support documentation.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server for SAP 15:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1523=1

   - SUSE Linux Enterprise Server 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1523=1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1523=1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1523=1

Package List:

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

      qemu-2.11.2-9.36.1
      qemu-block-curl-2.11.2-9.36.1
      qemu-block-curl-debuginfo-2.11.2-9.36.1
      qemu-block-iscsi-2.11.2-9.36.1
      qemu-block-iscsi-debuginfo-2.11.2-9.36.1
      qemu-block-rbd-2.11.2-9.36.1
      qemu-block-rbd-debuginfo-2.11.2-9.36.1
      qemu-block-ssh-2.11.2-9.36.1
      qemu-block-ssh-debuginfo-2.11.2-9.36.1
      qemu-debuginfo-2.11.2-9.36.1
      qemu-debugsource-2.11.2-9.36.1
      qemu-guest-agent-2.11.2-9.36.1
      qemu-guest-agent-debuginfo-2.11.2-9.36.1
      qemu-lang-2.11.2-9.36.1
      qemu-tools-2.11.2-9.36.1
      qemu-tools-debuginfo-2.11.2-9.36.1

   - SUSE Linux Enterprise Server for SAP 15 (ppc64le):

      qemu-ppc-2.11.2-9.36.1
      qemu-ppc-debuginfo-2.11.2-9.36.1

   - SUSE Linux Enterprise Server for SAP 15 (noarch):

      qemu-ipxe-1.0.0+-9.36.1
      qemu-seabios-1.11.0-9.36.1
      qemu-sgabios-8-9.36.1
      qemu-vgabios-1.11.0-9.36.1

   - SUSE Linux Enterprise Server for SAP 15 (x86_64):

      qemu-kvm-2.11.2-9.36.1
      qemu-x86-2.11.2-9.36.1
      qemu-x86-debuginfo-2.11.2-9.36.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

      qemu-2.11.2-9.36.1
      qemu-block-curl-2.11.2-9.36.1
      qemu-block-curl-debuginfo-2.11.2-9.36.1
      qemu-block-iscsi-2.11.2-9.36.1
      qemu-block-iscsi-debuginfo-2.11.2-9.36.1
      qemu-block-rbd-2.11.2-9.36.1
      qemu-block-rbd-debuginfo-2.11.2-9.36.1
      qemu-block-ssh-2.11.2-9.36.1
      qemu-block-ssh-debuginfo-2.11.2-9.36.1
      qemu-debuginfo-2.11.2-9.36.1
      qemu-debugsource-2.11.2-9.36.1
      qemu-guest-agent-2.11.2-9.36.1
      qemu-guest-agent-debuginfo-2.11.2-9.36.1
      qemu-lang-2.11.2-9.36.1
      qemu-tools-2.11.2-9.36.1
      qemu-tools-debuginfo-2.11.2-9.36.1

   - SUSE Linux Enterprise Server 15-LTSS (aarch64):

      qemu-arm-2.11.2-9.36.1
      qemu-arm-debuginfo-2.11.2-9.36.1

   - SUSE Linux Enterprise Server 15-LTSS (noarch):

      qemu-ipxe-1.0.0+-9.36.1
      qemu-vgabios-1.11.0-9.36.1

   - SUSE Linux Enterprise Server 15-LTSS (s390x):

      qemu-kvm-2.11.2-9.36.1
      qemu-s390-2.11.2-9.36.1
      qemu-s390-debuginfo-2.11.2-9.36.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

      qemu-2.11.2-9.36.1
      qemu-block-curl-2.11.2-9.36.1
      qemu-block-curl-debuginfo-2.11.2-9.36.1
      qemu-block-iscsi-2.11.2-9.36.1
      qemu-block-iscsi-debuginfo-2.11.2-9.36.1
      qemu-block-rbd-2.11.2-9.36.1
      qemu-block-rbd-debuginfo-2.11.2-9.36.1
      qemu-block-ssh-2.11.2-9.36.1
      qemu-block-ssh-debuginfo-2.11.2-9.36.1
      qemu-debuginfo-2.11.2-9.36.1
      qemu-debugsource-2.11.2-9.36.1
      qemu-guest-agent-2.11.2-9.36.1
      qemu-guest-agent-debuginfo-2.11.2-9.36.1
      qemu-lang-2.11.2-9.36.1
      qemu-tools-2.11.2-9.36.1
      qemu-tools-debuginfo-2.11.2-9.36.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64):

      qemu-arm-2.11.2-9.36.1
      qemu-arm-debuginfo-2.11.2-9.36.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):

      qemu-kvm-2.11.2-9.36.1
      qemu-x86-2.11.2-9.36.1
      qemu-x86-debuginfo-2.11.2-9.36.1

   - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):

      qemu-ipxe-1.0.0+-9.36.1
      qemu-seabios-1.11.0-9.36.1
      qemu-sgabios-8-9.36.1
      qemu-vgabios-1.11.0-9.36.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

      qemu-2.11.2-9.36.1
      qemu-block-curl-2.11.2-9.36.1
      qemu-block-curl-debuginfo-2.11.2-9.36.1
      qemu-block-iscsi-2.11.2-9.36.1
      qemu-block-iscsi-debuginfo-2.11.2-9.36.1
      qemu-block-rbd-2.11.2-9.36.1
      qemu-block-rbd-debuginfo-2.11.2-9.36.1
      qemu-block-ssh-2.11.2-9.36.1
      qemu-block-ssh-debuginfo-2.11.2-9.36.1
      qemu-debuginfo-2.11.2-9.36.1
      qemu-debugsource-2.11.2-9.36.1
      qemu-guest-agent-2.11.2-9.36.1
      qemu-guest-agent-debuginfo-2.11.2-9.36.1
      qemu-lang-2.11.2-9.36.1
      qemu-tools-2.11.2-9.36.1
      qemu-tools-debuginfo-2.11.2-9.36.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64):

      qemu-arm-2.11.2-9.36.1
      qemu-arm-debuginfo-2.11.2-9.36.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):

      qemu-kvm-2.11.2-9.36.1
      qemu-x86-2.11.2-9.36.1
      qemu-x86-debuginfo-2.11.2-9.36.1

   - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):

      qemu-ipxe-1.0.0+-9.36.1
      qemu-seabios-1.11.0-9.36.1
      qemu-sgabios-8-9.36.1
      qemu-vgabios-1.11.0-9.36.1

References:

   https://www.suse.com/security/cve/CVE-2019-20382.html
   https://www.suse.com/security/cve/CVE-2019-6778.html
   https://www.suse.com/security/cve/CVE-2020-1711.html
   https://www.suse.com/security/cve/CVE-2020-1983.html
   https://www.suse.com/security/cve/CVE-2020-7039.html
   https://www.suse.com/security/cve/CVE-2020-8608.html
   https://bugzilla.suse.com/1123156
   https://bugzilla.suse.com/1161066
   https://bugzilla.suse.com/1163018
   https://bugzilla.suse.com/1165776
   https://bugzilla.suse.com/1166240
   https://bugzilla.suse.com/1170940

From sle-updates at lists.suse.com Wed Jun 3 04:16:36 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 3 Jun 2020 12:16:36 +0200 (CEST)
Subject: SUSE-SU-2020:14382-1: moderate: Security update for w3m
Message-ID: <20200603101636.08A68FCEC@maintenance.suse.de>

   SUSE Security Update: Security update for w3m
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14382-1
Rating:             moderate
References:         #1077559 #1077568 #1077572
Cross-References:   CVE-2018-6196 CVE-2018-6197 CVE-2018-6198
Affected Products:
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for w3m fixes several issues.

   These security issues were fixed:

   - CVE-2018-6196: Prevent infinite recursion in HTMLlineproc0 caused by the feed_table_block_tag function which did not prevent a negative indent value (bsc#1077559)
   - CVE-2018-6197: Prevent NULL pointer dereference in formUpdateBuffer (bsc#1077568)
   - CVE-2018-6198: w3m did not properly handle temporary files when the ~/.w3m directory is unwritable, which allowed a local attacker to craft a symlink attack to overwrite arbitrary files (bsc#1077572)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-w3m-14382=1

Package List:

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):

      w3m-debuginfo-0.5.3.git20161120-5.3.37
      w3m-debugsource-0.5.3.git20161120-5.3.37

References:

   https://www.suse.com/security/cve/CVE-2018-6196.html
   https://www.suse.com/security/cve/CVE-2018-6197.html
   https://www.suse.com/security/cve/CVE-2018-6198.html
   https://bugzilla.suse.com/1077559
   https://bugzilla.suse.com/1077568
   https://bugzilla.suse.com/1077572

From sle-updates at lists.suse.com Wed Jun 3 07:13:45 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 3 Jun 2020 15:13:45 +0200 (CEST)
Subject: SUSE-SU-2020:14383-1: moderate: Security update for evolution-data-server
Message-ID: <20200603131345.113FCFCEC@maintenance.suse.de>

   SUSE Security Update: Security update for evolution-data-server
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14383-1
Rating:             moderate
References:         #830491
Cross-References:   CVE-2013-4166
Affected Products:
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for evolution-data-server fixes the following issue:

   - CVE-2013-4166: Enclose email addresses in brackets to ensure an exact match (bsc#830491).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-evolution-data-server-14383=1

Package List:

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):

      evolution-data-server-debuginfo-32bit-2.28.2-0.32.3.109

References:

   https://www.suse.com/security/cve/CVE-2013-4166.html
   https://bugzilla.suse.com/830491

From sle-updates at lists.suse.com Wed Jun 3 07:18:23 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 3 Jun 2020 15:18:23 +0200 (CEST)
Subject: SUSE-SU-2020:1526-1: moderate: Security update for qemu
Message-ID: <20200603131823.1909BFCEC@maintenance.suse.de>

   SUSE Security Update: Security update for qemu
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1526-1
Rating:             moderate
References:         #1123156 #1146873 #1149811 #1161066 #1163018 #1166240 #1170940
Cross-References:   CVE-2019-12068 CVE-2019-15890 CVE-2019-6778 CVE-2020-1711 CVE-2020-1983 CVE-2020-7039 CVE-2020-8608
Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:

   This update for qemu fixes the following issues:

   Security issues fixed:

   - CVE-2020-1711: Fixed a potential OOB access in the iSCSI client code (bsc#1166240).
   - CVE-2019-12068: Fixed a potential DoS in the LSI SCSI controller emulation (bsc#1146873).
   - CVE-2020-1983: Fixed a use-after-free in the ip_reass function of slirp (bsc#1170940).
   - CVE-2020-8608: Fixed a potential OOB access in slirp (bsc#1163018).
   - CVE-2020-7039: Fixed a potential OOB access in slirp (bsc#1161066).
   - CVE-2019-15890: Fixed a use-after-free during packet reassembly in slirp (bsc#1149811).
- Fixed multiple potential DoS issues in SLIRP, similar to CVE-2019-6778 (bsc#1123156).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 7:

    zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1526=1

- SUSE Linux Enterprise Server for SAP 12-SP2:

    zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1526=1

- SUSE Linux Enterprise Server 12-SP2-LTSS:

    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1526=1

- SUSE Linux Enterprise Server 12-SP2-BCL:

    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1526=1

Package List:

- SUSE OpenStack Cloud 7 (s390x x86_64):

    qemu-2.6.2-41.59.1
    qemu-block-curl-2.6.2-41.59.1
    qemu-block-curl-debuginfo-2.6.2-41.59.1
    qemu-block-ssh-2.6.2-41.59.1
    qemu-block-ssh-debuginfo-2.6.2-41.59.1
    qemu-debugsource-2.6.2-41.59.1
    qemu-guest-agent-2.6.2-41.59.1
    qemu-guest-agent-debuginfo-2.6.2-41.59.1
    qemu-kvm-2.6.2-41.59.1
    qemu-lang-2.6.2-41.59.1
    qemu-tools-2.6.2-41.59.1
    qemu-tools-debuginfo-2.6.2-41.59.1

- SUSE OpenStack Cloud 7 (noarch):

    qemu-ipxe-1.0.0-41.59.1
    qemu-seabios-1.9.1-41.59.1
    qemu-sgabios-8-41.59.1
    qemu-vgabios-1.9.1-41.59.1

- SUSE OpenStack Cloud 7 (x86_64):

    qemu-block-rbd-2.6.2-41.59.1
    qemu-block-rbd-debuginfo-2.6.2-41.59.1
    qemu-x86-2.6.2-41.59.1
    qemu-x86-debuginfo-2.6.2-41.59.1

- SUSE OpenStack Cloud 7 (s390x):

    qemu-s390-2.6.2-41.59.1
    qemu-s390-debuginfo-2.6.2-41.59.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

    qemu-2.6.2-41.59.1
    qemu-block-curl-2.6.2-41.59.1
    qemu-block-curl-debuginfo-2.6.2-41.59.1
    qemu-block-ssh-2.6.2-41.59.1
    qemu-block-ssh-debuginfo-2.6.2-41.59.1
    qemu-debugsource-2.6.2-41.59.1
    qemu-guest-agent-2.6.2-41.59.1
    qemu-guest-agent-debuginfo-2.6.2-41.59.1
    qemu-lang-2.6.2-41.59.1
    qemu-tools-2.6.2-41.59.1
    qemu-tools-debuginfo-2.6.2-41.59.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le):

    qemu-ppc-2.6.2-41.59.1
    qemu-ppc-debuginfo-2.6.2-41.59.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):

    qemu-block-rbd-2.6.2-41.59.1
    qemu-block-rbd-debuginfo-2.6.2-41.59.1
    qemu-kvm-2.6.2-41.59.1
    qemu-x86-2.6.2-41.59.1
    qemu-x86-debuginfo-2.6.2-41.59.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

    qemu-ipxe-1.0.0-41.59.1
    qemu-seabios-1.9.1-41.59.1
    qemu-sgabios-8-41.59.1
    qemu-vgabios-1.9.1-41.59.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

    qemu-2.6.2-41.59.1
    qemu-block-curl-2.6.2-41.59.1
    qemu-block-curl-debuginfo-2.6.2-41.59.1
    qemu-block-ssh-2.6.2-41.59.1
    qemu-block-ssh-debuginfo-2.6.2-41.59.1
    qemu-debugsource-2.6.2-41.59.1
    qemu-guest-agent-2.6.2-41.59.1
    qemu-guest-agent-debuginfo-2.6.2-41.59.1
    qemu-lang-2.6.2-41.59.1
    qemu-tools-2.6.2-41.59.1
    qemu-tools-debuginfo-2.6.2-41.59.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):

    qemu-kvm-2.6.2-41.59.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le):

    qemu-ppc-2.6.2-41.59.1
    qemu-ppc-debuginfo-2.6.2-41.59.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

    qemu-ipxe-1.0.0-41.59.1
    qemu-seabios-1.9.1-41.59.1
    qemu-sgabios-8-41.59.1
    qemu-vgabios-1.9.1-41.59.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64):

    qemu-block-rbd-2.6.2-41.59.1
    qemu-block-rbd-debuginfo-2.6.2-41.59.1
    qemu-x86-2.6.2-41.59.1
    qemu-x86-debuginfo-2.6.2-41.59.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (s390x):

    qemu-s390-2.6.2-41.59.1
    qemu-s390-debuginfo-2.6.2-41.59.1

- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

    qemu-ipxe-1.0.0-41.59.1
    qemu-seabios-1.9.1-41.59.1
    qemu-sgabios-8-41.59.1
    qemu-vgabios-1.9.1-41.59.1

- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

    qemu-2.6.2-41.59.1
    qemu-block-curl-2.6.2-41.59.1
    qemu-block-curl-debuginfo-2.6.2-41.59.1
    qemu-block-rbd-2.6.2-41.59.1
    qemu-block-rbd-debuginfo-2.6.2-41.59.1
    qemu-block-ssh-2.6.2-41.59.1
    qemu-block-ssh-debuginfo-2.6.2-41.59.1
    qemu-debugsource-2.6.2-41.59.1
    qemu-guest-agent-2.6.2-41.59.1
    qemu-guest-agent-debuginfo-2.6.2-41.59.1
    qemu-kvm-2.6.2-41.59.1
    qemu-lang-2.6.2-41.59.1
    qemu-tools-2.6.2-41.59.1
    qemu-tools-debuginfo-2.6.2-41.59.1
    qemu-x86-2.6.2-41.59.1
    qemu-x86-debuginfo-2.6.2-41.59.1

References:

https://www.suse.com/security/cve/CVE-2019-12068.html
https://www.suse.com/security/cve/CVE-2019-15890.html
https://www.suse.com/security/cve/CVE-2019-6778.html
https://www.suse.com/security/cve/CVE-2020-1711.html
https://www.suse.com/security/cve/CVE-2020-1983.html
https://www.suse.com/security/cve/CVE-2020-7039.html
https://www.suse.com/security/cve/CVE-2020-8608.html
https://bugzilla.suse.com/1123156
https://bugzilla.suse.com/1146873
https://bugzilla.suse.com/1149811
https://bugzilla.suse.com/1161066
https://bugzilla.suse.com/1163018
https://bugzilla.suse.com/1166240
https://bugzilla.suse.com/1170940

From sle-updates at lists.suse.com Wed Jun 3 07:20:40 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 3 Jun 2020 15:20:40 +0200 (CEST)
Subject: SUSE-SU-2020:1524-1: moderate: Security update for python
Message-ID: <20200603132040.76BFDFCEC@maintenance.suse.de>

SUSE Security Update: Security update for python
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1524-1
Rating:             moderate
References:         #1027282 #1041090 #1042670 #1073269 #1073748 #1078326 #1078485
                    #1081750 #1084650 #1086001 #1149792 #1153830 #1155094 #1159035
                    #1162224 #1162367 #1162825 #1165894 #1170411 #1171561 #945401
Cross-References:   CVE-2019-18348 CVE-2019-9674 CVE-2020-8492
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Workstation Extension 12-SP4
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that solves three vulnerabilities and has 18 fixes is now available.

Description:

This update for python to version 2.7.17 fixes the following issues:

Syncing with lots of upstream bug fixes and security fixes.

Bug fixes:

- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2019-18348: Fixed a CRLF injection via the host part of the url passed to urlopen(). Now an InvalidURL exception is raised (bsc#1155094).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).
- Fixed mismatches between libpython and python-base versions (bsc#1162224).
- Fixed segfault in libpython2.7.so.1 (bsc#1073748).
- Unified packages among openSUSE:Factory and SLE versions (bsc#1159035).
- Added idle.desktop and idle.appdata.xml to provide IDLE in menus (bsc#1153830).
- Excluded tsl_check files from python-base to prevent file conflict with python-strict-tls-checks package (bsc#945401).
- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).

Additionally a new "shared-python-startup" package is provided containing startup files.

python-rpm-macros was updated to fix:

- Do not write .pyc files for tests (bsc#1171561)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:

    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1524=1

- SUSE OpenStack Cloud 8:

    zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1524=1

- SUSE OpenStack Cloud 7:

    zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1524=1

- SUSE Linux Enterprise Workstation Extension 12-SP5:

    zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1524=1

- SUSE Linux Enterprise Workstation Extension 12-SP4:

    zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1524=1

- SUSE Linux Enterprise Software Development Kit 12-SP5:

    zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1524=1

- SUSE Linux Enterprise Software Development Kit 12-SP4:

    zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1524=1

- SUSE Linux Enterprise Server for SAP 12-SP3:

    zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1524=1

- SUSE Linux Enterprise Server for SAP 12-SP2:

    zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1524=1

- SUSE Linux Enterprise Server for SAP 12-SP1:

    zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1524=1

- SUSE Linux Enterprise Server 12-SP5:

    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1524=1

- SUSE Linux Enterprise Server 12-SP4:

    zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1524=1

- SUSE Linux Enterprise Server 12-SP3-LTSS:

    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1524=1

- SUSE Linux Enterprise Server 12-SP3-BCL:

    zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1524=1

- SUSE Linux Enterprise Server 12-SP2-LTSS:

    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1524=1

- SUSE Linux Enterprise Server 12-SP2-BCL:

    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1524=1

- SUSE Linux Enterprise Server 12-SP1-LTSS:

    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-1524=1

- SUSE Enterprise Storage 5:

    zypper in -t patch SUSE-Storage-5-2020-1524=1

- HPE Helion Openstack 8:

    zypper in -t patch HPE-Helion-OpenStack-8-2020-1524=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (x86_64):

    libpython2_7-1_0-2.7.17-28.42.1
    libpython2_7-1_0-32bit-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-32bit-2.7.17-28.42.1
    python-2.7.17-28.42.1
    python-32bit-2.7.17-28.42.1
    python-base-2.7.17-28.42.1
    python-base-32bit-2.7.17-28.42.1
    python-base-debuginfo-2.7.17-28.42.1
    python-base-debuginfo-32bit-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-curses-2.7.17-28.42.1
    python-curses-debuginfo-2.7.17-28.42.1
    python-debuginfo-2.7.17-28.42.1
    python-debuginfo-32bit-2.7.17-28.42.1
    python-debugsource-2.7.17-28.42.1
    python-demo-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1
    python-gdbm-2.7.17-28.42.1
    python-gdbm-debuginfo-2.7.17-28.42.1
    python-idle-2.7.17-28.42.1
    python-tk-2.7.17-28.42.1
    python-tk-debuginfo-2.7.17-28.42.1
    python-xml-2.7.17-28.42.1
    python-xml-debuginfo-2.7.17-28.42.1

- SUSE OpenStack Cloud Crowbar 8 (noarch):

    python-doc-2.7.17-28.42.1
    python-doc-pdf-2.7.17-28.42.1
    python-rpm-macros-20200207.5feb6c1-3.19.1
    shared-python-startup-0.1-1.3.1

- SUSE OpenStack Cloud 8 (x86_64):

    libpython2_7-1_0-2.7.17-28.42.1
    libpython2_7-1_0-32bit-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-32bit-2.7.17-28.42.1
    python-2.7.17-28.42.1
    python-32bit-2.7.17-28.42.1
    python-base-2.7.17-28.42.1
    python-base-32bit-2.7.17-28.42.1
    python-base-debuginfo-2.7.17-28.42.1
    python-base-debuginfo-32bit-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-curses-2.7.17-28.42.1
    python-curses-debuginfo-2.7.17-28.42.1
    python-debuginfo-2.7.17-28.42.1
    python-debuginfo-32bit-2.7.17-28.42.1
    python-debugsource-2.7.17-28.42.1
    python-demo-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1
    python-gdbm-2.7.17-28.42.1
    python-gdbm-debuginfo-2.7.17-28.42.1
    python-idle-2.7.17-28.42.1
    python-tk-2.7.17-28.42.1
    python-tk-debuginfo-2.7.17-28.42.1
    python-xml-2.7.17-28.42.1
    python-xml-debuginfo-2.7.17-28.42.1

- SUSE OpenStack Cloud 8 (noarch):

    python-doc-2.7.17-28.42.1
    python-doc-pdf-2.7.17-28.42.1
    python-rpm-macros-20200207.5feb6c1-3.19.1
    shared-python-startup-0.1-1.3.1
- SUSE OpenStack Cloud 7 (s390x x86_64):

    libpython2_7-1_0-2.7.17-28.42.1
    libpython2_7-1_0-32bit-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-32bit-2.7.17-28.42.1
    python-2.7.17-28.42.1
    python-32bit-2.7.17-28.42.1
    python-base-2.7.17-28.42.1
    python-base-32bit-2.7.17-28.42.1
    python-base-debuginfo-2.7.17-28.42.1
    python-base-debuginfo-32bit-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-curses-2.7.17-28.42.1
    python-curses-debuginfo-2.7.17-28.42.1
    python-debuginfo-2.7.17-28.42.1
    python-debuginfo-32bit-2.7.17-28.42.1
    python-debugsource-2.7.17-28.42.1
    python-demo-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1
    python-gdbm-2.7.17-28.42.1
    python-gdbm-debuginfo-2.7.17-28.42.1
    python-idle-2.7.17-28.42.1
    python-tk-2.7.17-28.42.1
    python-tk-debuginfo-2.7.17-28.42.1
    python-xml-2.7.17-28.42.1
    python-xml-debuginfo-2.7.17-28.42.1

- SUSE OpenStack Cloud 7 (noarch):

    python-doc-2.7.17-28.42.1
    python-doc-pdf-2.7.17-28.42.1
    python-rpm-macros-20200207.5feb6c1-3.19.1
    shared-python-startup-0.1-1.3.1

- SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):

    python-base-debuginfo-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1

- SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64):

    python-base-debuginfo-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1

- SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):

    python-rpm-macros-20200207.5feb6c1-3.19.1

- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):

    python-base-debuginfo-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1

- SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch):

    python-rpm-macros-20200207.5feb6c1-3.19.1

- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

    libpython2_7-1_0-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-2.7.17-28.42.1
    python-2.7.17-28.42.1
    python-base-2.7.17-28.42.1
    python-base-debuginfo-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-curses-2.7.17-28.42.1
    python-curses-debuginfo-2.7.17-28.42.1
    python-debuginfo-2.7.17-28.42.1
    python-debugsource-2.7.17-28.42.1
    python-demo-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1
    python-gdbm-2.7.17-28.42.1
    python-gdbm-debuginfo-2.7.17-28.42.1
    python-idle-2.7.17-28.42.1
    python-tk-2.7.17-28.42.1
    python-tk-debuginfo-2.7.17-28.42.1
    python-xml-2.7.17-28.42.1
    python-xml-debuginfo-2.7.17-28.42.1

- SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):

    libpython2_7-1_0-32bit-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-32bit-2.7.17-28.42.1
    python-32bit-2.7.17-28.42.1
    python-base-32bit-2.7.17-28.42.1
    python-base-debuginfo-32bit-2.7.17-28.42.1
    python-debuginfo-32bit-2.7.17-28.42.1

- SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):

    python-doc-2.7.17-28.42.1
    python-doc-pdf-2.7.17-28.42.1
    python-rpm-macros-20200207.5feb6c1-3.19.1
    shared-python-startup-0.1-1.3.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

    libpython2_7-1_0-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-2.7.17-28.42.1
    python-2.7.17-28.42.1
    python-base-2.7.17-28.42.1
    python-base-debuginfo-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-curses-2.7.17-28.42.1
    python-curses-debuginfo-2.7.17-28.42.1
    python-debuginfo-2.7.17-28.42.1
    python-debugsource-2.7.17-28.42.1
    python-demo-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1
    python-gdbm-2.7.17-28.42.1
    python-gdbm-debuginfo-2.7.17-28.42.1
    python-idle-2.7.17-28.42.1
    python-tk-2.7.17-28.42.1
    python-tk-debuginfo-2.7.17-28.42.1
    python-xml-2.7.17-28.42.1
    python-xml-debuginfo-2.7.17-28.42.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

    python-doc-2.7.17-28.42.1
    python-doc-pdf-2.7.17-28.42.1
    python-rpm-macros-20200207.5feb6c1-3.19.1
    shared-python-startup-0.1-1.3.1

- SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):

    libpython2_7-1_0-32bit-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-32bit-2.7.17-28.42.1
    python-32bit-2.7.17-28.42.1
    python-base-32bit-2.7.17-28.42.1
    python-base-debuginfo-32bit-2.7.17-28.42.1
    python-debuginfo-32bit-2.7.17-28.42.1

- SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):

    libpython2_7-1_0-2.7.17-28.42.1
    libpython2_7-1_0-32bit-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-32bit-2.7.17-28.42.1
    python-2.7.17-28.42.1
    python-32bit-2.7.17-28.42.1
    python-base-2.7.17-28.42.1
    python-base-32bit-2.7.17-28.42.1
    python-base-debuginfo-2.7.17-28.42.1
    python-base-debuginfo-32bit-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-curses-2.7.17-28.42.1
    python-curses-debuginfo-2.7.17-28.42.1
    python-debuginfo-2.7.17-28.42.1
    python-debuginfo-32bit-2.7.17-28.42.1
    python-debugsource-2.7.17-28.42.1
    python-demo-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1
    python-gdbm-2.7.17-28.42.1
    python-gdbm-debuginfo-2.7.17-28.42.1
    python-idle-2.7.17-28.42.1
    python-tk-2.7.17-28.42.1
    python-tk-debuginfo-2.7.17-28.42.1
    python-xml-2.7.17-28.42.1
    python-xml-debuginfo-2.7.17-28.42.1

- SUSE Linux Enterprise Server for SAP 12-SP1 (noarch):

    python-doc-2.7.17-28.42.1
    python-doc-pdf-2.7.17-28.42.1
    python-rpm-macros-20200207.5feb6c1-3.19.1
    shared-python-startup-0.1-1.3.1

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

    libpython2_7-1_0-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-2.7.17-28.42.1
    python-2.7.17-28.42.1
    python-base-2.7.17-28.42.1
    python-base-debuginfo-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-curses-2.7.17-28.42.1
    python-curses-debuginfo-2.7.17-28.42.1
    python-debuginfo-2.7.17-28.42.1
    python-debugsource-2.7.17-28.42.1
    python-demo-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1
    python-gdbm-2.7.17-28.42.1
    python-gdbm-debuginfo-2.7.17-28.42.1
    python-idle-2.7.17-28.42.1
    python-tk-2.7.17-28.42.1
    python-tk-debuginfo-2.7.17-28.42.1
    python-xml-2.7.17-28.42.1
    python-xml-debuginfo-2.7.17-28.42.1

- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):

    libpython2_7-1_0-32bit-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-32bit-2.7.17-28.42.1
    python-32bit-2.7.17-28.42.1
    python-base-32bit-2.7.17-28.42.1
    python-base-debuginfo-32bit-2.7.17-28.42.1
    python-debuginfo-32bit-2.7.17-28.42.1

- SUSE Linux Enterprise Server 12-SP5 (noarch):

    python-doc-2.7.17-28.42.1
    python-doc-pdf-2.7.17-28.42.1
    python-rpm-macros-20200207.5feb6c1-3.19.1
    shared-python-startup-0.1-1.3.1

- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):

    libpython2_7-1_0-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-2.7.17-28.42.1
    python-2.7.17-28.42.1
    python-base-2.7.17-28.42.1
    python-base-debuginfo-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-curses-2.7.17-28.42.1
    python-curses-debuginfo-2.7.17-28.42.1
    python-debuginfo-2.7.17-28.42.1
    python-debugsource-2.7.17-28.42.1
    python-demo-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1
    python-gdbm-2.7.17-28.42.1
    python-gdbm-debuginfo-2.7.17-28.42.1
    python-idle-2.7.17-28.42.1
    python-tk-2.7.17-28.42.1
    python-tk-debuginfo-2.7.17-28.42.1
    python-xml-2.7.17-28.42.1
    python-xml-debuginfo-2.7.17-28.42.1

- SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):

    libpython2_7-1_0-32bit-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-32bit-2.7.17-28.42.1
    python-32bit-2.7.17-28.42.1
    python-base-32bit-2.7.17-28.42.1
    python-base-debuginfo-32bit-2.7.17-28.42.1
    python-debuginfo-32bit-2.7.17-28.42.1

- SUSE Linux Enterprise Server 12-SP4 (noarch):

    python-doc-2.7.17-28.42.1
    python-doc-pdf-2.7.17-28.42.1
    python-rpm-macros-20200207.5feb6c1-3.19.1
    shared-python-startup-0.1-1.3.1

- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

    libpython2_7-1_0-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-2.7.17-28.42.1
    python-2.7.17-28.42.1
    python-base-2.7.17-28.42.1
    python-base-debuginfo-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-curses-2.7.17-28.42.1
    python-curses-debuginfo-2.7.17-28.42.1
    python-debuginfo-2.7.17-28.42.1
    python-debugsource-2.7.17-28.42.1
    python-demo-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1
    python-gdbm-2.7.17-28.42.1
    python-gdbm-debuginfo-2.7.17-28.42.1
    python-idle-2.7.17-28.42.1
    python-tk-2.7.17-28.42.1
    python-tk-debuginfo-2.7.17-28.42.1
    python-xml-2.7.17-28.42.1
    python-xml-debuginfo-2.7.17-28.42.1

- SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64):

    libpython2_7-1_0-32bit-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-32bit-2.7.17-28.42.1
    python-32bit-2.7.17-28.42.1
    python-base-32bit-2.7.17-28.42.1
    python-base-debuginfo-32bit-2.7.17-28.42.1
    python-debuginfo-32bit-2.7.17-28.42.1

- SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):

    python-doc-2.7.17-28.42.1
    python-doc-pdf-2.7.17-28.42.1
    python-rpm-macros-20200207.5feb6c1-3.19.1
    shared-python-startup-0.1-1.3.1

- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

    libpython2_7-1_0-2.7.17-28.42.1
    libpython2_7-1_0-32bit-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-32bit-2.7.17-28.42.1
    python-2.7.17-28.42.1
    python-32bit-2.7.17-28.42.1
    python-base-2.7.17-28.42.1
    python-base-32bit-2.7.17-28.42.1
    python-base-debuginfo-2.7.17-28.42.1
    python-base-debuginfo-32bit-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-curses-2.7.17-28.42.1
    python-curses-debuginfo-2.7.17-28.42.1
    python-debuginfo-2.7.17-28.42.1
    python-debuginfo-32bit-2.7.17-28.42.1
    python-debugsource-2.7.17-28.42.1
    python-demo-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1
    python-gdbm-2.7.17-28.42.1
    python-gdbm-debuginfo-2.7.17-28.42.1
    python-idle-2.7.17-28.42.1
    python-tk-2.7.17-28.42.1
    python-tk-debuginfo-2.7.17-28.42.1
    python-xml-2.7.17-28.42.1
    python-xml-debuginfo-2.7.17-28.42.1

- SUSE Linux Enterprise Server 12-SP3-BCL (noarch):

    python-doc-2.7.17-28.42.1
    python-doc-pdf-2.7.17-28.42.1
    python-rpm-macros-20200207.5feb6c1-3.19.1
    shared-python-startup-0.1-1.3.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

    libpython2_7-1_0-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-2.7.17-28.42.1
    python-2.7.17-28.42.1
    python-base-2.7.17-28.42.1
    python-base-debuginfo-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-curses-2.7.17-28.42.1
    python-curses-debuginfo-2.7.17-28.42.1
    python-debuginfo-2.7.17-28.42.1
    python-debugsource-2.7.17-28.42.1
    python-demo-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1
    python-gdbm-2.7.17-28.42.1
    python-gdbm-debuginfo-2.7.17-28.42.1
    python-idle-2.7.17-28.42.1
    python-tk-2.7.17-28.42.1
    python-tk-debuginfo-2.7.17-28.42.1
    python-xml-2.7.17-28.42.1
    python-xml-debuginfo-2.7.17-28.42.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64):

    libpython2_7-1_0-32bit-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-32bit-2.7.17-28.42.1
    python-32bit-2.7.17-28.42.1
    python-base-32bit-2.7.17-28.42.1
    python-base-debuginfo-32bit-2.7.17-28.42.1
    python-debuginfo-32bit-2.7.17-28.42.1

- SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

    python-doc-2.7.17-28.42.1
    python-doc-pdf-2.7.17-28.42.1
    python-rpm-macros-20200207.5feb6c1-3.19.1
    shared-python-startup-0.1-1.3.1

- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

    python-doc-2.7.17-28.42.1
    python-doc-pdf-2.7.17-28.42.1
    python-rpm-macros-20200207.5feb6c1-3.19.1
    shared-python-startup-0.1-1.3.1

- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

    libpython2_7-1_0-2.7.17-28.42.1
    libpython2_7-1_0-32bit-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-32bit-2.7.17-28.42.1
    python-2.7.17-28.42.1
    python-32bit-2.7.17-28.42.1
    python-base-2.7.17-28.42.1
    python-base-32bit-2.7.17-28.42.1
    python-base-debuginfo-2.7.17-28.42.1
    python-base-debuginfo-32bit-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-curses-2.7.17-28.42.1
    python-curses-debuginfo-2.7.17-28.42.1
    python-debuginfo-2.7.17-28.42.1
    python-debuginfo-32bit-2.7.17-28.42.1
    python-debugsource-2.7.17-28.42.1
    python-demo-2.7.17-28.42.1
    python-gdbm-2.7.17-28.42.1
    python-gdbm-debuginfo-2.7.17-28.42.1
    python-idle-2.7.17-28.42.1
    python-tk-2.7.17-28.42.1
    python-tk-debuginfo-2.7.17-28.42.1
    python-xml-2.7.17-28.42.1
    python-xml-debuginfo-2.7.17-28.42.1

- SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

    libpython2_7-1_0-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-2.7.17-28.42.1
    python-2.7.17-28.42.1
    python-base-2.7.17-28.42.1
    python-base-debuginfo-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-curses-2.7.17-28.42.1
    python-curses-debuginfo-2.7.17-28.42.1
    python-debuginfo-2.7.17-28.42.1
    python-debugsource-2.7.17-28.42.1
    python-demo-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1
    python-gdbm-2.7.17-28.42.1
    python-gdbm-debuginfo-2.7.17-28.42.1
    python-idle-2.7.17-28.42.1
    python-tk-2.7.17-28.42.1
    python-tk-debuginfo-2.7.17-28.42.1
    python-xml-2.7.17-28.42.1
    python-xml-debuginfo-2.7.17-28.42.1

- SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64):

    libpython2_7-1_0-32bit-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-32bit-2.7.17-28.42.1
    python-32bit-2.7.17-28.42.1
    python-base-32bit-2.7.17-28.42.1
    python-base-debuginfo-32bit-2.7.17-28.42.1
    python-debuginfo-32bit-2.7.17-28.42.1

- SUSE Linux Enterprise Server 12-SP1-LTSS (noarch):

    python-doc-2.7.17-28.42.1
    python-doc-pdf-2.7.17-28.42.1
    python-rpm-macros-20200207.5feb6c1-3.19.1
    shared-python-startup-0.1-1.3.1

- SUSE Enterprise Storage 5 (aarch64 x86_64):

    libpython2_7-1_0-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-2.7.17-28.42.1
    python-2.7.17-28.42.1
    python-base-2.7.17-28.42.1
    python-base-debuginfo-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-curses-2.7.17-28.42.1
    python-curses-debuginfo-2.7.17-28.42.1
    python-debuginfo-2.7.17-28.42.1
    python-debugsource-2.7.17-28.42.1
    python-demo-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1
    python-gdbm-2.7.17-28.42.1
    python-gdbm-debuginfo-2.7.17-28.42.1
    python-idle-2.7.17-28.42.1
    python-strict-tls-check-2.7.17-28.42.1
    python-tk-2.7.17-28.42.1
    python-tk-debuginfo-2.7.17-28.42.1
    python-xml-2.7.17-28.42.1
    python-xml-debuginfo-2.7.17-28.42.1

- SUSE Enterprise Storage 5 (noarch):

    python-doc-2.7.17-28.42.1
    python-doc-pdf-2.7.17-28.42.1
    python-rpm-macros-20200207.5feb6c1-3.19.1
    shared-python-startup-0.1-1.3.1

- SUSE Enterprise Storage 5 (x86_64):

    libpython2_7-1_0-32bit-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-32bit-2.7.17-28.42.1
    python-32bit-2.7.17-28.42.1
    python-base-32bit-2.7.17-28.42.1
    python-base-debuginfo-32bit-2.7.17-28.42.1
    python-debuginfo-32bit-2.7.17-28.42.1

- HPE Helion Openstack 8 (noarch):

    python-doc-2.7.17-28.42.1
    python-doc-pdf-2.7.17-28.42.1
    python-rpm-macros-20200207.5feb6c1-3.19.1
    shared-python-startup-0.1-1.3.1

- HPE Helion Openstack 8 (x86_64):

    libpython2_7-1_0-2.7.17-28.42.1
    libpython2_7-1_0-32bit-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-2.7.17-28.42.1
    libpython2_7-1_0-debuginfo-32bit-2.7.17-28.42.1
    python-2.7.17-28.42.1
    python-32bit-2.7.17-28.42.1
    python-base-2.7.17-28.42.1
    python-base-32bit-2.7.17-28.42.1
    python-base-debuginfo-2.7.17-28.42.1
    python-base-debuginfo-32bit-2.7.17-28.42.1
    python-base-debugsource-2.7.17-28.42.1
    python-curses-2.7.17-28.42.1
    python-curses-debuginfo-2.7.17-28.42.1
    python-debuginfo-2.7.17-28.42.1
    python-debuginfo-32bit-2.7.17-28.42.1
    python-debugsource-2.7.17-28.42.1
    python-demo-2.7.17-28.42.1
    python-devel-2.7.17-28.42.1
    python-gdbm-2.7.17-28.42.1
    python-gdbm-debuginfo-2.7.17-28.42.1
    python-idle-2.7.17-28.42.1
    python-tk-2.7.17-28.42.1
    python-tk-debuginfo-2.7.17-28.42.1
    python-xml-2.7.17-28.42.1
    python-xml-debuginfo-2.7.17-28.42.1

References:

https://www.suse.com/security/cve/CVE-2019-18348.html
https://www.suse.com/security/cve/CVE-2019-9674.html
https://www.suse.com/security/cve/CVE-2020-8492.html
https://bugzilla.suse.com/1027282
https://bugzilla.suse.com/1041090
https://bugzilla.suse.com/1042670
https://bugzilla.suse.com/1073269
https://bugzilla.suse.com/1073748
https://bugzilla.suse.com/1078326
https://bugzilla.suse.com/1078485
https://bugzilla.suse.com/1081750
https://bugzilla.suse.com/1084650
https://bugzilla.suse.com/1086001
https://bugzilla.suse.com/1149792
https://bugzilla.suse.com/1153830
https://bugzilla.suse.com/1155094
https://bugzilla.suse.com/1159035
https://bugzilla.suse.com/1162224
https://bugzilla.suse.com/1162367
https://bugzilla.suse.com/1162825
https://bugzilla.suse.com/1165894
https://bugzilla.suse.com/1170411
https://bugzilla.suse.com/1171561
https://bugzilla.suse.com/945401

From sle-updates at lists.suse.com Wed Jun 3 10:13:15 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 3 Jun 2020 18:13:15 +0200 (CEST)
Subject: SUSE-OU-2020:1527-1: Optional update for alsa-plugins
Message-ID: <20200603161315.6B325FCEC@maintenance.suse.de>

SUSE Optional Update: Optional update for alsa-plugins
______________________________________________________________________________

Announcement ID:    SUSE-OU-2020:1527-1
Rating:             low
References:         #1171586
Affected Products:
                    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that has one optional fix can now be installed.

Description:

This update for alsa-plugins doesn't fix any user visible issues, but changes the way the package is being built. An installation is optional and not required. (bsc#1171586, jsc#SLE-11987)

Patch Instructions:

To install this SUSE Optional Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1527=1

- SUSE Linux Enterprise Module for Basesystem 15-SP1:

    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1527=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

    alsa-plugins-debuginfo-1.1.5-3.3.1
    alsa-plugins-debugsource-1.1.5-3.3.1
    alsa-plugins-pulse-1.1.5-3.3.1
    alsa-plugins-pulse-debuginfo-1.1.5-3.3.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

    alsa-plugins-1.1.5-3.3.1
    alsa-plugins-debuginfo-1.1.5-3.3.1
    alsa-plugins-debugsource-1.1.5-3.3.1

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

    alsa-plugins-32bit-1.1.5-3.3.1
    alsa-plugins-32bit-debuginfo-1.1.5-3.3.1

References:

https://bugzilla.suse.com/1171586

From sle-updates at lists.suse.com Wed Jun 3 10:14:09 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 3 Jun 2020 18:14:09 +0200 (CEST)
Subject: SUSE-SU-2020:1528-1: moderate: Security update for osc
Message-ID: <20200603161409.19FDDFCEC@maintenance.suse.de>

SUSE Security Update: Security update for osc
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1528-1
Rating:             moderate
References:         #1122675
Cross-References:   CVE-2019-3681
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for osc fixes the following issues:

Security issue fixed:

- CVE-2019-3681: Fixed an insufficient validation of network-controlled filesystem paths (bsc#1122675).
Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:

    zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1528=1

- SUSE Linux Enterprise Software Development Kit 12-SP4:

    zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1528=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch):

    osc-0.162.1-15.9.1

- SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch):

    osc-0.162.1-15.9.1

References:

https://www.suse.com/security/cve/CVE-2019-3681.html
https://bugzilla.suse.com/1122675

From sle-updates at lists.suse.com Wed Jun 3 13:12:49 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 3 Jun 2020 21:12:49 +0200 (CEST)
Subject: SUSE-RU-2020:1529-1: moderate: Recommended update for ses-manual_en
Message-ID: <20200603191249.CF863FCEC@maintenance.suse.de>

SUSE Recommended Update: Recommended update for ses-manual_en
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:1529-1
Rating:             moderate
References:         #1067112 #1112917 #1112924 #1123896 #1126210 #1134444 #1140080 #1157612
Affected Products:
                    SUSE Enterprise Storage 5
______________________________________________________________________________

An update that has 8 recommended fixes can now be installed.

Description:

This update for ses-manual_en fixes the following issues:

The documentation ses-manual_en has been updated to fix many documentation related issues. Please refer to the changelog for a detailed list.

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1529=1 Package List: - SUSE Enterprise Storage 5 (noarch): ses-admin_en-pdf-5.5+git1407.4e2994e-22.31.2 ses-deployment_en-pdf-5.5+git1407.4e2994e-22.31.2 ses-manual_en-5.5+git1407.4e2994e-22.31.2 References: https://bugzilla.suse.com/1067112 https://bugzilla.suse.com/1112917 https://bugzilla.suse.com/1112924 https://bugzilla.suse.com/1123896 https://bugzilla.suse.com/1126210 https://bugzilla.suse.com/1134444 https://bugzilla.suse.com/1140080 https://bugzilla.suse.com/1157612 From sle-updates at lists.suse.com Thu Jun 4 07:08:42 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 4 Jun 2020 15:08:42 +0200 (CEST) Subject: SUSE-CU-2020:183-1: Recommended update of suse/sle15 Message-ID: <20200604130842.522DDFF46@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:183-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.241 Container Release : 6.2.241 Severity : moderate Type : recommended References : 1087982 1170527 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1506-1 Released: Fri May 29 17:22:11 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1087982,1170527 This update for aaa_base fixes the following issues: - Not all XTerm based emulators do have a terminfo entry. (bsc#1087982) - Better support of Midnight Commander. 
(bsc#1170527) From sle-updates at lists.suse.com Thu Jun 4 07:13:54 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 4 Jun 2020 15:13:54 +0200 (CEST) Subject: SUSE-SU-2020:1530-1: moderate: Security update for libreoffice Message-ID: <20200604131354.6F964FF46@maintenance.suse.de> SUSE Security Update: Security update for libreoffice ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1530-1 Rating: moderate References: #1160687 #1165870 #1167463 #1171997 Cross-References: CVE-2020-12801 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has three fixes is now available. Description: This update for libreoffice to 6.4.4.2 fixes the following issues: Security issue fixed: - CVE-2020-12801: Fixed an issue with encrypted MSOffice documents that could be accidentally saved unencrypted (bsc#1171997). Non-security issues fixed: - Elements on title page mixed up (bsc#1160687). - Image shadow that should be invisible shown as extraneous line below (bsc#1165870). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-1530=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): libreoffice-6.4.4.2-8.19.4 libreoffice-base-6.4.4.2-8.19.4 libreoffice-base-debuginfo-6.4.4.2-8.19.4 libreoffice-base-drivers-postgresql-6.4.4.2-8.19.4 libreoffice-base-drivers-postgresql-debuginfo-6.4.4.2-8.19.4 libreoffice-calc-6.4.4.2-8.19.4 libreoffice-calc-debuginfo-6.4.4.2-8.19.4 libreoffice-calc-extensions-6.4.4.2-8.19.4 libreoffice-debuginfo-6.4.4.2-8.19.4 libreoffice-debugsource-6.4.4.2-8.19.4 libreoffice-draw-6.4.4.2-8.19.4 libreoffice-draw-debuginfo-6.4.4.2-8.19.4 libreoffice-filters-optional-6.4.4.2-8.19.4 libreoffice-gnome-6.4.4.2-8.19.4 libreoffice-gnome-debuginfo-6.4.4.2-8.19.4 libreoffice-gtk3-6.4.4.2-8.19.4 libreoffice-gtk3-debuginfo-6.4.4.2-8.19.4 libreoffice-impress-6.4.4.2-8.19.4 libreoffice-impress-debuginfo-6.4.4.2-8.19.4 libreoffice-librelogo-6.4.4.2-8.19.4 libreoffice-mailmerge-6.4.4.2-8.19.4 libreoffice-math-6.4.4.2-8.19.4 libreoffice-math-debuginfo-6.4.4.2-8.19.4 libreoffice-officebean-6.4.4.2-8.19.4 libreoffice-officebean-debuginfo-6.4.4.2-8.19.4 libreoffice-pyuno-6.4.4.2-8.19.4 libreoffice-pyuno-debuginfo-6.4.4.2-8.19.4 libreoffice-writer-6.4.4.2-8.19.4 libreoffice-writer-debuginfo-6.4.4.2-8.19.4 libreoffice-writer-extensions-6.4.4.2-8.19.4 libreofficekit-6.4.4.2-8.19.4 - SUSE Linux Enterprise Workstation Extension 15-SP1 (noarch): libreoffice-branding-upstream-6.4.4.2-8.19.4 libreoffice-icon-themes-6.4.4.2-8.19.4 libreoffice-l10n-af-6.4.4.2-8.19.4 libreoffice-l10n-ar-6.4.4.2-8.19.4 libreoffice-l10n-as-6.4.4.2-8.19.4 libreoffice-l10n-bg-6.4.4.2-8.19.4 libreoffice-l10n-bn-6.4.4.2-8.19.4 libreoffice-l10n-br-6.4.4.2-8.19.4 libreoffice-l10n-ca-6.4.4.2-8.19.4 libreoffice-l10n-cs-6.4.4.2-8.19.4 libreoffice-l10n-cy-6.4.4.2-8.19.4 libreoffice-l10n-da-6.4.4.2-8.19.4 
libreoffice-l10n-de-6.4.4.2-8.19.4 libreoffice-l10n-dz-6.4.4.2-8.19.4 libreoffice-l10n-el-6.4.4.2-8.19.4 libreoffice-l10n-en-6.4.4.2-8.19.4 libreoffice-l10n-eo-6.4.4.2-8.19.4 libreoffice-l10n-es-6.4.4.2-8.19.4 libreoffice-l10n-et-6.4.4.2-8.19.4 libreoffice-l10n-eu-6.4.4.2-8.19.4 libreoffice-l10n-fa-6.4.4.2-8.19.4 libreoffice-l10n-fi-6.4.4.2-8.19.4 libreoffice-l10n-fr-6.4.4.2-8.19.4 libreoffice-l10n-ga-6.4.4.2-8.19.4 libreoffice-l10n-gl-6.4.4.2-8.19.4 libreoffice-l10n-gu-6.4.4.2-8.19.4 libreoffice-l10n-he-6.4.4.2-8.19.4 libreoffice-l10n-hi-6.4.4.2-8.19.4 libreoffice-l10n-hr-6.4.4.2-8.19.4 libreoffice-l10n-hu-6.4.4.2-8.19.4 libreoffice-l10n-it-6.4.4.2-8.19.4 libreoffice-l10n-ja-6.4.4.2-8.19.4 libreoffice-l10n-kk-6.4.4.2-8.19.4 libreoffice-l10n-kn-6.4.4.2-8.19.4 libreoffice-l10n-ko-6.4.4.2-8.19.4 libreoffice-l10n-lt-6.4.4.2-8.19.4 libreoffice-l10n-lv-6.4.4.2-8.19.4 libreoffice-l10n-mai-6.4.4.2-8.19.4 libreoffice-l10n-ml-6.4.4.2-8.19.4 libreoffice-l10n-mr-6.4.4.2-8.19.4 libreoffice-l10n-nb-6.4.4.2-8.19.4 libreoffice-l10n-nl-6.4.4.2-8.19.4 libreoffice-l10n-nn-6.4.4.2-8.19.4 libreoffice-l10n-nr-6.4.4.2-8.19.4 libreoffice-l10n-nso-6.4.4.2-8.19.4 libreoffice-l10n-or-6.4.4.2-8.19.4 libreoffice-l10n-pa-6.4.4.2-8.19.4 libreoffice-l10n-pl-6.4.4.2-8.19.4 libreoffice-l10n-pt_BR-6.4.4.2-8.19.4 libreoffice-l10n-pt_PT-6.4.4.2-8.19.4 libreoffice-l10n-ro-6.4.4.2-8.19.4 libreoffice-l10n-ru-6.4.4.2-8.19.4 libreoffice-l10n-si-6.4.4.2-8.19.4 libreoffice-l10n-sk-6.4.4.2-8.19.4 libreoffice-l10n-sl-6.4.4.2-8.19.4 libreoffice-l10n-sr-6.4.4.2-8.19.4 libreoffice-l10n-ss-6.4.4.2-8.19.4 libreoffice-l10n-st-6.4.4.2-8.19.4 libreoffice-l10n-sv-6.4.4.2-8.19.4 libreoffice-l10n-ta-6.4.4.2-8.19.4 libreoffice-l10n-te-6.4.4.2-8.19.4 libreoffice-l10n-th-6.4.4.2-8.19.4 libreoffice-l10n-tn-6.4.4.2-8.19.4 libreoffice-l10n-tr-6.4.4.2-8.19.4 libreoffice-l10n-ts-6.4.4.2-8.19.4 libreoffice-l10n-uk-6.4.4.2-8.19.4 libreoffice-l10n-ve-6.4.4.2-8.19.4 libreoffice-l10n-xh-6.4.4.2-8.19.4 
libreoffice-l10n-zh_CN-6.4.4.2-8.19.4 libreoffice-l10n-zh_TW-6.4.4.2-8.19.4 libreoffice-l10n-zu-6.4.4.2-8.19.4 References: https://www.suse.com/security/cve/CVE-2020-12801.html https://bugzilla.suse.com/1160687 https://bugzilla.suse.com/1165870 https://bugzilla.suse.com/1167463 https://bugzilla.suse.com/1171997 From sle-updates at lists.suse.com Thu Jun 4 07:15:05 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 4 Jun 2020 15:15:05 +0200 (CEST) Subject: SUSE-SU-2020:14384-1: Security update for transfig Message-ID: <20200604131505.BF930FF46@maintenance.suse.de> SUSE Security Update: Security update for transfig ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14384-1 Rating: low References: #1106531 Cross-References: CVE-2018-16140 Affected Products: SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for transfig fixes the following issues: Security issue fixed: - CVE-2018-16140: Fixed a buffer underwrite vulnerability in get_line() in read.c, which allowed an attacker to write prior to the beginning of the buffer via specially crafted .fig file (bsc#1106531) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-transfig-14384=1 Package List: - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): transfig-debuginfo-3.2.5-160.6.20 transfig-debugsource-3.2.5-160.6.20 References: https://www.suse.com/security/cve/CVE-2018-16140.html https://bugzilla.suse.com/1106531 From sle-updates at lists.suse.com Thu Jun 4 07:16:02 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 4 Jun 2020 15:16:02 +0200 (CEST) Subject: SUSE-SU-2020:1533-1: important: Security update for krb5-appl Message-ID: <20200604131602.3ECB9FF46@maintenance.suse.de> SUSE Security Update: Security update for krb5-appl ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1533-1 Rating: important References: #1165787 Cross-References: CVE-2020-10188 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for krb5-appl fixes the following issues: - CVE-2020-10188: Fixed a remote root execution (bsc#1165787). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1533=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1533=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1533=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1533=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1533=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1533=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1533=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1533=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1533=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1533=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1533=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1533=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1533=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): krb5-appl-clients-1.0.3-3.3.1 krb5-appl-clients-debuginfo-1.0.3-3.3.1 krb5-appl-debugsource-1.0.3-3.3.1 krb5-appl-servers-1.0.3-3.3.1 krb5-appl-servers-debuginfo-1.0.3-3.3.1 - SUSE OpenStack Cloud 8 (x86_64): krb5-appl-clients-1.0.3-3.3.1 krb5-appl-clients-debuginfo-1.0.3-3.3.1 krb5-appl-debugsource-1.0.3-3.3.1 krb5-appl-servers-1.0.3-3.3.1 krb5-appl-servers-debuginfo-1.0.3-3.3.1 - SUSE OpenStack Cloud 7 (s390x x86_64): krb5-appl-clients-1.0.3-3.3.1 krb5-appl-clients-debuginfo-1.0.3-3.3.1 krb5-appl-debugsource-1.0.3-3.3.1 krb5-appl-servers-1.0.3-3.3.1 krb5-appl-servers-debuginfo-1.0.3-3.3.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): 
krb5-appl-clients-1.0.3-3.3.1 krb5-appl-clients-debuginfo-1.0.3-3.3.1 krb5-appl-debugsource-1.0.3-3.3.1 krb5-appl-servers-1.0.3-3.3.1 krb5-appl-servers-debuginfo-1.0.3-3.3.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): krb5-appl-clients-1.0.3-3.3.1 krb5-appl-clients-debuginfo-1.0.3-3.3.1 krb5-appl-debugsource-1.0.3-3.3.1 krb5-appl-servers-1.0.3-3.3.1 krb5-appl-servers-debuginfo-1.0.3-3.3.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): krb5-appl-clients-1.0.3-3.3.1 krb5-appl-clients-debuginfo-1.0.3-3.3.1 krb5-appl-debugsource-1.0.3-3.3.1 krb5-appl-servers-1.0.3-3.3.1 krb5-appl-servers-debuginfo-1.0.3-3.3.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): krb5-appl-clients-1.0.3-3.3.1 krb5-appl-clients-debuginfo-1.0.3-3.3.1 krb5-appl-debugsource-1.0.3-3.3.1 krb5-appl-servers-1.0.3-3.3.1 krb5-appl-servers-debuginfo-1.0.3-3.3.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): krb5-appl-clients-1.0.3-3.3.1 krb5-appl-clients-debuginfo-1.0.3-3.3.1 krb5-appl-debugsource-1.0.3-3.3.1 krb5-appl-servers-1.0.3-3.3.1 krb5-appl-servers-debuginfo-1.0.3-3.3.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): krb5-appl-clients-1.0.3-3.3.1 krb5-appl-clients-debuginfo-1.0.3-3.3.1 krb5-appl-debugsource-1.0.3-3.3.1 krb5-appl-servers-1.0.3-3.3.1 krb5-appl-servers-debuginfo-1.0.3-3.3.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): krb5-appl-clients-1.0.3-3.3.1 krb5-appl-clients-debuginfo-1.0.3-3.3.1 krb5-appl-debugsource-1.0.3-3.3.1 krb5-appl-servers-1.0.3-3.3.1 krb5-appl-servers-debuginfo-1.0.3-3.3.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): krb5-appl-clients-1.0.3-3.3.1 krb5-appl-clients-debuginfo-1.0.3-3.3.1 krb5-appl-debugsource-1.0.3-3.3.1 krb5-appl-servers-1.0.3-3.3.1 krb5-appl-servers-debuginfo-1.0.3-3.3.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): krb5-appl-clients-1.0.3-3.3.1 krb5-appl-clients-debuginfo-1.0.3-3.3.1 krb5-appl-debugsource-1.0.3-3.3.1 
krb5-appl-servers-1.0.3-3.3.1 krb5-appl-servers-debuginfo-1.0.3-3.3.1 - HPE Helion Openstack 8 (x86_64): krb5-appl-clients-1.0.3-3.3.1 krb5-appl-clients-debuginfo-1.0.3-3.3.1 krb5-appl-debugsource-1.0.3-3.3.1 krb5-appl-servers-1.0.3-3.3.1 krb5-appl-servers-debuginfo-1.0.3-3.3.1 References: https://www.suse.com/security/cve/CVE-2020-10188.html https://bugzilla.suse.com/1165787 From sle-updates at lists.suse.com Thu Jun 4 07:17:00 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 4 Jun 2020 15:17:00 +0200 (CEST) Subject: SUSE-SU-2020:1535-1: Security update for libcroco Message-ID: <20200604131700.92589FF46@maintenance.suse.de> SUSE Security Update: Security update for libcroco ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1535-1 Rating: low References: #1043898 #1043899 Cross-References: CVE-2017-8834 CVE-2017-8871 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for libcroco fixes the following issues: Security issues fixed: - CVE-2017-8834: Fixed denial of service (memory allocation error) via a crafted CSS file (bsc#1043898). - CVE-2017-8871: Fixed denial of service (infinite loop and CPU consumption) via a crafted CSS file (bsc#1043899). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1535=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libcroco-0.6.12-4.3.51 libcroco-0_6-3-0.6.12-4.3.51 libcroco-0_6-3-debuginfo-0.6.12-4.3.51 libcroco-debuginfo-0.6.12-4.3.51 libcroco-debugsource-0.6.12-4.3.51 libcroco-devel-0.6.12-4.3.51 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libcroco-0_6-3-32bit-0.6.12-4.3.51 libcroco-0_6-3-32bit-debuginfo-0.6.12-4.3.51 References: https://www.suse.com/security/cve/CVE-2017-8834.html https://www.suse.com/security/cve/CVE-2017-8871.html https://bugzilla.suse.com/1043898 https://bugzilla.suse.com/1043899 From sle-updates at lists.suse.com Thu Jun 4 07:18:08 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 4 Jun 2020 15:18:08 +0200 (CEST) Subject: SUSE-SU-2020:1534-1: moderate: Security update for libexif Message-ID: <20200604131808.6E11FFF46@maintenance.suse.de> SUSE Security Update: Security update for libexif ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1534-1 Rating: moderate References: #1055857 #1059893 #1120943 #1160770 #1171475 #1171847 #1172105 #1172116 #1172121 Cross-References: CVE-2016-6328 CVE-2017-7544 CVE-2018-20030 CVE-2019-9278 CVE-2020-0093 CVE-2020-12767 CVE-2020-13112 CVE-2020-13113 CVE-2020-13114 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 
12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 9 vulnerabilities is now available. Description: This update for libexif fixes the following issues: Security issues fixed: - CVE-2016-6328: Fixed an integer overflow in parsing MNOTE entry data of the input file (bsc#1055857). - CVE-2017-7544: Fixed an out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c (bsc#1059893). - CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943). - CVE-2019-9278: Fixed an integer overflow (bsc#1160770). - CVE-2020-0093: Fixed an out-of-bounds read in exif_data_save_data_entry (bsc#1171847). - CVE-2020-12767: Fixed a divide-by-zero error in exif_entry_get_value (bsc#1171475). - CVE-2020-13112: Fixed a time consumption DoS when parsing canon array markers (bsc#1172121). - CVE-2020-13113: Fixed a potential use of uninitialized memory (bsc#1172105). - CVE-2020-13114: Fixed various buffer overread fixes due to integer overflows in maker notes (bsc#1172116). Non-security issues fixed: - libexif was updated to version 0.6.22: * New translations: ms * Updated translations for most languages * Some useful EXIF 2.3 tag added: * EXIF_TAG_GAMMA * EXIF_TAG_COMPOSITE_IMAGE * EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE * EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE * EXIF_TAG_GPS_H_POSITIONING_ERROR * EXIF_TAG_CAMERA_OWNER_NAME * EXIF_TAG_BODY_SERIAL_NUMBER * EXIF_TAG_LENS_SPECIFICATION * EXIF_TAG_LENS_MAKE * EXIF_TAG_LENS_MODEL * EXIF_TAG_LENS_SERIAL_NUMBER Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1534=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1534=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1534=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1534=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1534=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1534=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1534=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-1534=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1534=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1534=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1534=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1534=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1534=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1534=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-1534=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1534=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1534=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): libexif-debugsource-0.6.22-8.9.1 libexif12-0.6.22-8.9.1 libexif12-32bit-0.6.22-8.9.1 libexif12-debuginfo-0.6.22-8.9.1 libexif12-debuginfo-32bit-0.6.22-8.9.1 - SUSE OpenStack Cloud 8 (x86_64): libexif-debugsource-0.6.22-8.9.1 libexif12-0.6.22-8.9.1 libexif12-32bit-0.6.22-8.9.1 
libexif12-debuginfo-0.6.22-8.9.1 libexif12-debuginfo-32bit-0.6.22-8.9.1 - SUSE OpenStack Cloud 7 (s390x x86_64): libexif-debugsource-0.6.22-8.9.1 libexif12-0.6.22-8.9.1 libexif12-32bit-0.6.22-8.9.1 libexif12-debuginfo-0.6.22-8.9.1 libexif12-debuginfo-32bit-0.6.22-8.9.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libexif-debugsource-0.6.22-8.9.1 libexif-devel-0.6.22-8.9.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libexif-debugsource-0.6.22-8.9.1 libexif-devel-0.6.22-8.9.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libexif-debugsource-0.6.22-8.9.1 libexif12-0.6.22-8.9.1 libexif12-debuginfo-0.6.22-8.9.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libexif12-32bit-0.6.22-8.9.1 libexif12-debuginfo-32bit-0.6.22-8.9.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libexif-debugsource-0.6.22-8.9.1 libexif12-0.6.22-8.9.1 libexif12-debuginfo-0.6.22-8.9.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libexif12-32bit-0.6.22-8.9.1 libexif12-debuginfo-32bit-0.6.22-8.9.1 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): libexif-debugsource-0.6.22-8.9.1 libexif12-0.6.22-8.9.1 libexif12-32bit-0.6.22-8.9.1 libexif12-debuginfo-0.6.22-8.9.1 libexif12-debuginfo-32bit-0.6.22-8.9.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libexif-debugsource-0.6.22-8.9.1 libexif12-0.6.22-8.9.1 libexif12-debuginfo-0.6.22-8.9.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libexif12-32bit-0.6.22-8.9.1 libexif12-debuginfo-32bit-0.6.22-8.9.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libexif-debugsource-0.6.22-8.9.1 libexif12-0.6.22-8.9.1 libexif12-debuginfo-0.6.22-8.9.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libexif12-32bit-0.6.22-8.9.1 libexif12-debuginfo-32bit-0.6.22-8.9.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): 
libexif-debugsource-0.6.22-8.9.1 libexif12-0.6.22-8.9.1 libexif12-debuginfo-0.6.22-8.9.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libexif12-32bit-0.6.22-8.9.1 libexif12-debuginfo-32bit-0.6.22-8.9.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libexif-debugsource-0.6.22-8.9.1 libexif12-0.6.22-8.9.1 libexif12-32bit-0.6.22-8.9.1 libexif12-debuginfo-0.6.22-8.9.1 libexif12-debuginfo-32bit-0.6.22-8.9.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libexif-debugsource-0.6.22-8.9.1 libexif12-0.6.22-8.9.1 libexif12-debuginfo-0.6.22-8.9.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): libexif12-32bit-0.6.22-8.9.1 libexif12-debuginfo-32bit-0.6.22-8.9.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libexif-debugsource-0.6.22-8.9.1 libexif12-0.6.22-8.9.1 libexif12-32bit-0.6.22-8.9.1 libexif12-debuginfo-0.6.22-8.9.1 libexif12-debuginfo-32bit-0.6.22-8.9.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): libexif-debugsource-0.6.22-8.9.1 libexif12-0.6.22-8.9.1 libexif12-debuginfo-0.6.22-8.9.1 - SUSE Linux Enterprise Server 12-SP1-LTSS (s390x x86_64): libexif12-32bit-0.6.22-8.9.1 libexif12-debuginfo-32bit-0.6.22-8.9.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): libexif-debugsource-0.6.22-8.9.1 libexif12-0.6.22-8.9.1 libexif12-debuginfo-0.6.22-8.9.1 - SUSE Enterprise Storage 5 (x86_64): libexif12-32bit-0.6.22-8.9.1 libexif12-debuginfo-32bit-0.6.22-8.9.1 - HPE Helion Openstack 8 (x86_64): libexif-debugsource-0.6.22-8.9.1 libexif12-0.6.22-8.9.1 libexif12-32bit-0.6.22-8.9.1 libexif12-debuginfo-0.6.22-8.9.1 libexif12-debuginfo-32bit-0.6.22-8.9.1 References: https://www.suse.com/security/cve/CVE-2016-6328.html https://www.suse.com/security/cve/CVE-2017-7544.html https://www.suse.com/security/cve/CVE-2018-20030.html https://www.suse.com/security/cve/CVE-2019-9278.html https://www.suse.com/security/cve/CVE-2020-0093.html https://www.suse.com/security/cve/CVE-2020-12767.html 
https://www.suse.com/security/cve/CVE-2020-13112.html https://www.suse.com/security/cve/CVE-2020-13113.html https://www.suse.com/security/cve/CVE-2020-13114.html https://bugzilla.suse.com/1055857 https://bugzilla.suse.com/1059893 https://bugzilla.suse.com/1120943 https://bugzilla.suse.com/1160770 https://bugzilla.suse.com/1171475 https://bugzilla.suse.com/1171847 https://bugzilla.suse.com/1172105 https://bugzilla.suse.com/1172116 https://bugzilla.suse.com/1172121 From sle-updates at lists.suse.com Thu Jun 4 07:20:03 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 4 Jun 2020 15:20:03 +0200 (CEST) Subject: SUSE-SU-2020:1532-1: moderate: Security update for libxml2 Message-ID: <20200604132003.E2C09FF46@maintenance.suse.de> SUSE Security Update: Security update for libxml2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1532-1 Rating: moderate References: #1172021 Cross-References: CVE-2019-19956 Affected Products: SUSE Linux Enterprise Module for Python2 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libxml2 fixes the following issues: - CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Python2 15-SP1: zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-1532=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1532=1 Package List: - SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64): python-libxml2-python-debugsource-2.9.7-3.22.1 python2-libxml2-python-2.9.7-3.22.1 python2-libxml2-python-debuginfo-2.9.7-3.22.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libxml2-2-2.9.7-3.22.1 libxml2-2-debuginfo-2.9.7-3.22.1 libxml2-debugsource-2.9.7-3.22.1 libxml2-devel-2.9.7-3.22.1 libxml2-tools-2.9.7-3.22.1 libxml2-tools-debuginfo-2.9.7-3.22.1 python-libxml2-python-debugsource-2.9.7-3.22.1 python3-libxml2-python-2.9.7-3.22.1 python3-libxml2-python-debuginfo-2.9.7-3.22.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libxml2-2-32bit-2.9.7-3.22.1 libxml2-2-32bit-debuginfo-2.9.7-3.22.1 References: https://www.suse.com/security/cve/CVE-2019-19956.html https://bugzilla.suse.com/1172021 From sle-updates at lists.suse.com Thu Jun 4 07:20:59 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 4 Jun 2020 15:20:59 +0200 (CEST) Subject: SUSE-RU-2020:1536-1: moderate: Recommended update for puppet Message-ID: <20200604132059.5FB35FF46@maintenance.suse.de> SUSE Recommended Update: Recommended update for puppet ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1536-1 Rating: moderate References: #1171711 Affected Products: SUSE Linux Enterprise Module for Advanced Systems Management 12 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for puppet fixes the following issues: - Fix for config tags to avoid overwriting the user-defined configuration files during package updates. (bsc#1171711) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Advanced Systems Management 12: zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2020-1536=1 Package List: - SUSE Linux Enterprise Module for Advanced Systems Management 12 (ppc64le s390x x86_64): puppet-3.8.5-15.15.1 puppet-server-3.8.5-15.15.1 References: https://bugzilla.suse.com/1171711 From sle-updates at lists.suse.com Thu Jun 4 10:14:05 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 4 Jun 2020 18:14:05 +0200 (CEST) Subject: SUSE-RU-2020:1539-1: Recommended update for release-notes-ses Message-ID: <20200604161405.AEF82FF46@maintenance.suse.de> SUSE Recommended Update: Recommended update for release-notes-ses ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1539-1 Rating: low References: #1172000 Affected Products: SUSE Enterprise Storage 6 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for release-notes-ses fixes the following issues: - Added note that Messenger protocol is supported (bsc#1172000) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2020-1539=1 Package List: - SUSE Enterprise Storage 6 (noarch): release-notes-ses-6.0.20200522-3.9.2 References: https://bugzilla.suse.com/1172000 From sle-updates at lists.suse.com Thu Jun 4 10:15:01 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 4 Jun 2020 18:15:01 +0200 (CEST) Subject: SUSE-RU-2020:1542-1: moderate: Recommended update for timezone Message-ID: <20200604161501.0B7FFFF46@maintenance.suse.de> SUSE Recommended Update: Recommended update for timezone ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1542-1 Rating: moderate References: #1172055 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for timezone fixes the following issue: - zdump --version reported "unknown" (bsc#1172055) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1542=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1542=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1542=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1542=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1542=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1542=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): timezone-2020a-3.29.1 timezone-debuginfo-2020a-3.29.1 timezone-debugsource-2020a-3.29.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): timezone-java-2020a-3.29.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): timezone-2020a-3.29.1 timezone-debuginfo-2020a-3.29.1 timezone-debugsource-2020a-3.29.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): timezone-java-2020a-3.29.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): timezone-2020a-3.29.1 timezone-debuginfo-2020a-3.29.1 timezone-debugsource-2020a-3.29.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): timezone-java-2020a-3.29.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): timezone-2020a-3.29.1 timezone-debuginfo-2020a-3.29.1 timezone-debugsource-2020a-3.29.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): timezone-java-2020a-3.29.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): timezone-2020a-3.29.1 timezone-debuginfo-2020a-3.29.1 timezone-debugsource-2020a-3.29.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): timezone-java-2020a-3.29.1 - SUSE Linux 
Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): timezone-2020a-3.29.1 timezone-debuginfo-2020a-3.29.1 timezone-debugsource-2020a-3.29.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): timezone-java-2020a-3.29.1 References: https://bugzilla.suse.com/1172055 From sle-updates at lists.suse.com Thu Jun 4 10:15:59 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 4 Jun 2020 18:15:59 +0200 (CEST) Subject: SUSE-RU-2020:1541-1: moderate: Recommended update for pciutils Message-ID: <20200604161559.AE1D6FF46@maintenance.suse.de> SUSE Recommended Update: Recommended update for pciutils ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1541-1 Rating: moderate References: #1170554 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for pciutils fixes the following issues: - Fix lspci outputs when few of the VPD data fields are displayed as unknown. (bsc#1170554, ltc#185587) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1541=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libpci3-3.5.6-3.3.1 libpci3-debuginfo-3.5.6-3.3.1 pciutils-3.5.6-3.3.1 pciutils-debuginfo-3.5.6-3.3.1 pciutils-debugsource-3.5.6-3.3.1 pciutils-devel-3.5.6-3.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libpci3-32bit-3.5.6-3.3.1 libpci3-32bit-debuginfo-3.5.6-3.3.1 References: https://bugzilla.suse.com/1170554 From sle-updates at lists.suse.com Thu Jun 4 10:16:56 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 4 Jun 2020 18:16:56 +0200 (CEST) Subject: SUSE-SU-2020:1538-1: moderate: Security update for qemu Message-ID: <20200604161656.A4FFCFF46@maintenance.suse.de> SUSE Security Update: Security update for qemu ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1538-1 Rating: moderate References: #1123156 #1146873 #1149811 #1160024 #1161066 #1163018 #1166240 #1170940 Cross-References: CVE-2019-12068 CVE-2019-15890 CVE-2019-6778 CVE-2020-1711 CVE-2020-1983 CVE-2020-7039 CVE-2020-8608 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves 7 vulnerabilities and has one errata is now available. Description: This update for qemu fixes the following issues: Security issues fixed: - CVE-2020-1711: Fixed a potential OOB access in the iSCSI client code (bsc#1166240). - CVE-2019-12068: Fixed a potential DoS in the LSI SCSI controller emulation (bsc#1146873). 
- CVE-2020-1983: Fixed a use-after-free in the ip_reass function of slirp (bsc#1170940). - CVE-2020-8608: Fixed a potential OOB access in slirp (bsc#1163018). - CVE-2020-7039: Fixed a potential OOB access in slirp (bsc#1161066). - CVE-2019-15890: Fixed a use-after-free during packet reassembly in slirp (bsc#1149811). - Fixed multiple potential DoS issues in SLIRP, similar to CVE-2019-6778 (bsc#1123156). Non-security issue fixed: - Make sure that required memory is mapped properly during an incoming migration of a Xen HVM domU (bsc#1160024). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1538=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1538=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1538=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1538=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1538=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1538=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1538=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): qemu-ipxe-1.0.0+-6.44.1 qemu-seabios-1.10.2-6.44.1 qemu-sgabios-8-6.44.1 qemu-vgabios-1.10.2-6.44.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): qemu-2.9.1-6.44.1 qemu-block-curl-2.9.1-6.44.1 qemu-block-curl-debuginfo-2.9.1-6.44.1 qemu-block-iscsi-2.9.1-6.44.1 qemu-block-iscsi-debuginfo-2.9.1-6.44.1 qemu-block-rbd-2.9.1-6.44.1 qemu-block-rbd-debuginfo-2.9.1-6.44.1 qemu-block-ssh-2.9.1-6.44.1 qemu-block-ssh-debuginfo-2.9.1-6.44.1 qemu-debugsource-2.9.1-6.44.1 qemu-guest-agent-2.9.1-6.44.1 qemu-guest-agent-debuginfo-2.9.1-6.44.1 qemu-kvm-2.9.1-6.44.1 
qemu-lang-2.9.1-6.44.1 qemu-tools-2.9.1-6.44.1 qemu-tools-debuginfo-2.9.1-6.44.1 qemu-x86-2.9.1-6.44.1 qemu-x86-debuginfo-2.9.1-6.44.1 - SUSE OpenStack Cloud 8 (noarch): qemu-ipxe-1.0.0+-6.44.1 qemu-seabios-1.10.2-6.44.1 qemu-sgabios-8-6.44.1 qemu-vgabios-1.10.2-6.44.1 - SUSE OpenStack Cloud 8 (x86_64): qemu-2.9.1-6.44.1 qemu-block-curl-2.9.1-6.44.1 qemu-block-curl-debuginfo-2.9.1-6.44.1 qemu-block-iscsi-2.9.1-6.44.1 qemu-block-iscsi-debuginfo-2.9.1-6.44.1 qemu-block-rbd-2.9.1-6.44.1 qemu-block-rbd-debuginfo-2.9.1-6.44.1 qemu-block-ssh-2.9.1-6.44.1 qemu-block-ssh-debuginfo-2.9.1-6.44.1 qemu-debugsource-2.9.1-6.44.1 qemu-guest-agent-2.9.1-6.44.1 qemu-guest-agent-debuginfo-2.9.1-6.44.1 qemu-kvm-2.9.1-6.44.1 qemu-lang-2.9.1-6.44.1 qemu-tools-2.9.1-6.44.1 qemu-tools-debuginfo-2.9.1-6.44.1 qemu-x86-2.9.1-6.44.1 qemu-x86-debuginfo-2.9.1-6.44.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): qemu-2.9.1-6.44.1 qemu-block-curl-2.9.1-6.44.1 qemu-block-curl-debuginfo-2.9.1-6.44.1 qemu-block-iscsi-2.9.1-6.44.1 qemu-block-iscsi-debuginfo-2.9.1-6.44.1 qemu-block-ssh-2.9.1-6.44.1 qemu-block-ssh-debuginfo-2.9.1-6.44.1 qemu-debugsource-2.9.1-6.44.1 qemu-guest-agent-2.9.1-6.44.1 qemu-guest-agent-debuginfo-2.9.1-6.44.1 qemu-lang-2.9.1-6.44.1 qemu-tools-2.9.1-6.44.1 qemu-tools-debuginfo-2.9.1-6.44.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le): qemu-ppc-2.9.1-6.44.1 qemu-ppc-debuginfo-2.9.1-6.44.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): qemu-block-rbd-2.9.1-6.44.1 qemu-block-rbd-debuginfo-2.9.1-6.44.1 qemu-kvm-2.9.1-6.44.1 qemu-x86-2.9.1-6.44.1 qemu-x86-debuginfo-2.9.1-6.44.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): qemu-ipxe-1.0.0+-6.44.1 qemu-seabios-1.10.2-6.44.1 qemu-sgabios-8-6.44.1 qemu-vgabios-1.10.2-6.44.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): qemu-2.9.1-6.44.1 qemu-block-curl-2.9.1-6.44.1 qemu-block-curl-debuginfo-2.9.1-6.44.1 qemu-block-iscsi-2.9.1-6.44.1 
qemu-block-iscsi-debuginfo-2.9.1-6.44.1 qemu-block-ssh-2.9.1-6.44.1 qemu-block-ssh-debuginfo-2.9.1-6.44.1 qemu-debugsource-2.9.1-6.44.1 qemu-guest-agent-2.9.1-6.44.1 qemu-guest-agent-debuginfo-2.9.1-6.44.1 qemu-lang-2.9.1-6.44.1 qemu-tools-2.9.1-6.44.1 qemu-tools-debuginfo-2.9.1-6.44.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 x86_64): qemu-block-rbd-2.9.1-6.44.1 qemu-block-rbd-debuginfo-2.9.1-6.44.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): qemu-kvm-2.9.1-6.44.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le): qemu-ppc-2.9.1-6.44.1 qemu-ppc-debuginfo-2.9.1-6.44.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64): qemu-arm-2.9.1-6.44.1 qemu-arm-debuginfo-2.9.1-6.44.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64): qemu-x86-2.9.1-6.44.1 qemu-x86-debuginfo-2.9.1-6.44.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): qemu-ipxe-1.0.0+-6.44.1 qemu-seabios-1.10.2-6.44.1 qemu-sgabios-8-6.44.1 qemu-vgabios-1.10.2-6.44.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x): qemu-s390-2.9.1-6.44.1 qemu-s390-debuginfo-2.9.1-6.44.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): qemu-2.9.1-6.44.1 qemu-block-curl-2.9.1-6.44.1 qemu-block-curl-debuginfo-2.9.1-6.44.1 qemu-block-iscsi-2.9.1-6.44.1 qemu-block-iscsi-debuginfo-2.9.1-6.44.1 qemu-block-rbd-2.9.1-6.44.1 qemu-block-rbd-debuginfo-2.9.1-6.44.1 qemu-block-ssh-2.9.1-6.44.1 qemu-block-ssh-debuginfo-2.9.1-6.44.1 qemu-debugsource-2.9.1-6.44.1 qemu-guest-agent-2.9.1-6.44.1 qemu-guest-agent-debuginfo-2.9.1-6.44.1 qemu-kvm-2.9.1-6.44.1 qemu-lang-2.9.1-6.44.1 qemu-tools-2.9.1-6.44.1 qemu-tools-debuginfo-2.9.1-6.44.1 qemu-x86-2.9.1-6.44.1 qemu-x86-debuginfo-2.9.1-6.44.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): qemu-ipxe-1.0.0+-6.44.1 qemu-seabios-1.10.2-6.44.1 qemu-sgabios-8-6.44.1 qemu-vgabios-1.10.2-6.44.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): qemu-2.9.1-6.44.1 qemu-block-curl-2.9.1-6.44.1 qemu-block-curl-debuginfo-2.9.1-6.44.1 qemu-block-iscsi-2.9.1-6.44.1 
qemu-block-iscsi-debuginfo-2.9.1-6.44.1 qemu-block-rbd-2.9.1-6.44.1 qemu-block-rbd-debuginfo-2.9.1-6.44.1 qemu-block-ssh-2.9.1-6.44.1 qemu-block-ssh-debuginfo-2.9.1-6.44.1 qemu-debugsource-2.9.1-6.44.1 qemu-guest-agent-2.9.1-6.44.1 qemu-guest-agent-debuginfo-2.9.1-6.44.1 qemu-lang-2.9.1-6.44.1 qemu-tools-2.9.1-6.44.1 qemu-tools-debuginfo-2.9.1-6.44.1 - SUSE Enterprise Storage 5 (aarch64): qemu-arm-2.9.1-6.44.1 qemu-arm-debuginfo-2.9.1-6.44.1 - SUSE Enterprise Storage 5 (noarch): qemu-ipxe-1.0.0+-6.44.1 qemu-seabios-1.10.2-6.44.1 qemu-sgabios-8-6.44.1 qemu-vgabios-1.10.2-6.44.1 - SUSE Enterprise Storage 5 (x86_64): qemu-kvm-2.9.1-6.44.1 qemu-x86-2.9.1-6.44.1 qemu-x86-debuginfo-2.9.1-6.44.1 - HPE Helion Openstack 8 (noarch): qemu-ipxe-1.0.0+-6.44.1 qemu-seabios-1.10.2-6.44.1 qemu-sgabios-8-6.44.1 qemu-vgabios-1.10.2-6.44.1 - HPE Helion Openstack 8 (x86_64): qemu-2.9.1-6.44.1 qemu-block-curl-2.9.1-6.44.1 qemu-block-curl-debuginfo-2.9.1-6.44.1 qemu-block-iscsi-2.9.1-6.44.1 qemu-block-iscsi-debuginfo-2.9.1-6.44.1 qemu-block-rbd-2.9.1-6.44.1 qemu-block-rbd-debuginfo-2.9.1-6.44.1 qemu-block-ssh-2.9.1-6.44.1 qemu-block-ssh-debuginfo-2.9.1-6.44.1 qemu-debugsource-2.9.1-6.44.1 qemu-guest-agent-2.9.1-6.44.1 qemu-guest-agent-debuginfo-2.9.1-6.44.1 qemu-kvm-2.9.1-6.44.1 qemu-lang-2.9.1-6.44.1 qemu-tools-2.9.1-6.44.1 qemu-tools-debuginfo-2.9.1-6.44.1 qemu-x86-2.9.1-6.44.1 qemu-x86-debuginfo-2.9.1-6.44.1 References: https://www.suse.com/security/cve/CVE-2019-12068.html https://www.suse.com/security/cve/CVE-2019-15890.html https://www.suse.com/security/cve/CVE-2019-6778.html https://www.suse.com/security/cve/CVE-2020-1711.html https://www.suse.com/security/cve/CVE-2020-1983.html https://www.suse.com/security/cve/CVE-2020-7039.html https://www.suse.com/security/cve/CVE-2020-8608.html https://bugzilla.suse.com/1123156 https://bugzilla.suse.com/1146873 https://bugzilla.suse.com/1149811 https://bugzilla.suse.com/1160024 https://bugzilla.suse.com/1161066 
https://bugzilla.suse.com/1163018 https://bugzilla.suse.com/1166240 https://bugzilla.suse.com/1170940 From sle-updates at lists.suse.com Thu Jun 4 10:18:42 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 4 Jun 2020 18:18:42 +0200 (CEST) Subject: SUSE-RU-2020:1540-1: moderate: Recommended update for prometheus-webhook-snmp Message-ID: <20200604161842.2C269FF46@maintenance.suse.de> SUSE Recommended Update: Recommended update for prometheus-webhook-snmp ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1540-1 Rating: moderate References: #1172083 Affected Products: SUSE Enterprise Storage 6 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for prometheus-webhook-snmp fixes the following issues: - Fixed a bug where prometheus-webhook-snmp crashed when fields are missing in alertmanager notification (bsc#1172083) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2020-1540=1 Package List: - SUSE Enterprise Storage 6 (noarch): prometheus-webhook-snmp-1.4-3.6.1 References: https://bugzilla.suse.com/1172083 From sle-updates at lists.suse.com Thu Jun 4 10:19:36 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 4 Jun 2020 18:19:36 +0200 (CEST) Subject: SUSE-SU-2020:14385-1: moderate: Security update for vim Message-ID: <20200604161936.B714EFF46@maintenance.suse.de> SUSE Security Update: Security update for vim ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14385-1 Rating: moderate References: #1172225 Cross-References: CVE-2019-20807 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for vim fixes the following issues: - CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim was possible using interfaces (bsc#1172225). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-vim-14385=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-vim-14385=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-vim-14385=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): gvim-7.2-8.21.6.2 vim-7.2-8.21.6.2 vim-base-7.2-8.21.6.2 vim-data-7.2-8.21.6.2 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): gvim-7.2-8.21.6.2 vim-7.2-8.21.6.2 vim-base-7.2-8.21.6.2 vim-data-7.2-8.21.6.2 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): vim-debuginfo-7.2-8.21.6.2 vim-debugsource-7.2-8.21.6.2 References: https://www.suse.com/security/cve/CVE-2019-20807.html https://bugzilla.suse.com/1172225 From sle-updates at lists.suse.com Fri Jun 5 08:41:28 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 5 Jun 2020 16:41:28 +0200 (CEST) Subject: SUSE-SU-2020:1546-1: moderate: Security update for php72 Message-ID: <20200605144128.0F4FCFF46@maintenance.suse.de> SUSE Security Update: Security update for php72 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1546-1 Rating: moderate References: #1168326 #1168352 #1171999 Cross-References: CVE-2019-11048 CVE-2020-7064 CVE-2020-7066 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for php72 fixes the following issues: - CVE-2020-7064: Fixed a one byte read of uninitialized memory in exif_read_data() (bsc#1168326). 
- CVE-2020-7066: Fixed URL truncation in get_headers() if the URL contains a zero (\0) character (bsc#1168352). 
- CVE-2019-11048: Improved the handling of overly long filenames or field names in HTTP file uploads (bsc#1171999). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1546=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1546=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-1546=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): php72-debuginfo-7.2.5-1.46.1 php72-debugsource-7.2.5-1.46.1 php72-devel-7.2.5-1.46.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): php72-debuginfo-7.2.5-1.46.1 php72-debugsource-7.2.5-1.46.1 php72-devel-7.2.5-1.46.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): apache2-mod_php72-7.2.5-1.46.1 apache2-mod_php72-debuginfo-7.2.5-1.46.1 php72-7.2.5-1.46.1 php72-bcmath-7.2.5-1.46.1 php72-bcmath-debuginfo-7.2.5-1.46.1 php72-bz2-7.2.5-1.46.1 php72-bz2-debuginfo-7.2.5-1.46.1 php72-calendar-7.2.5-1.46.1 php72-calendar-debuginfo-7.2.5-1.46.1 php72-ctype-7.2.5-1.46.1 php72-ctype-debuginfo-7.2.5-1.46.1 php72-curl-7.2.5-1.46.1 php72-curl-debuginfo-7.2.5-1.46.1 php72-dba-7.2.5-1.46.1 php72-dba-debuginfo-7.2.5-1.46.1 php72-debuginfo-7.2.5-1.46.1 php72-debugsource-7.2.5-1.46.1 php72-dom-7.2.5-1.46.1 php72-dom-debuginfo-7.2.5-1.46.1 php72-enchant-7.2.5-1.46.1 php72-enchant-debuginfo-7.2.5-1.46.1 php72-exif-7.2.5-1.46.1 php72-exif-debuginfo-7.2.5-1.46.1 php72-fastcgi-7.2.5-1.46.1 php72-fastcgi-debuginfo-7.2.5-1.46.1 php72-fileinfo-7.2.5-1.46.1 php72-fileinfo-debuginfo-7.2.5-1.46.1 php72-fpm-7.2.5-1.46.1 php72-fpm-debuginfo-7.2.5-1.46.1 php72-ftp-7.2.5-1.46.1 
php72-ftp-debuginfo-7.2.5-1.46.1 php72-gd-7.2.5-1.46.1 php72-gd-debuginfo-7.2.5-1.46.1 php72-gettext-7.2.5-1.46.1 php72-gettext-debuginfo-7.2.5-1.46.1 php72-gmp-7.2.5-1.46.1 php72-gmp-debuginfo-7.2.5-1.46.1 php72-iconv-7.2.5-1.46.1 php72-iconv-debuginfo-7.2.5-1.46.1 php72-imap-7.2.5-1.46.1 php72-imap-debuginfo-7.2.5-1.46.1 php72-intl-7.2.5-1.46.1 php72-intl-debuginfo-7.2.5-1.46.1 php72-json-7.2.5-1.46.1 php72-json-debuginfo-7.2.5-1.46.1 php72-ldap-7.2.5-1.46.1 php72-ldap-debuginfo-7.2.5-1.46.1 php72-mbstring-7.2.5-1.46.1 php72-mbstring-debuginfo-7.2.5-1.46.1 php72-mysql-7.2.5-1.46.1 php72-mysql-debuginfo-7.2.5-1.46.1 php72-odbc-7.2.5-1.46.1 php72-odbc-debuginfo-7.2.5-1.46.1 php72-opcache-7.2.5-1.46.1 php72-opcache-debuginfo-7.2.5-1.46.1 php72-openssl-7.2.5-1.46.1 php72-openssl-debuginfo-7.2.5-1.46.1 php72-pcntl-7.2.5-1.46.1 php72-pcntl-debuginfo-7.2.5-1.46.1 php72-pdo-7.2.5-1.46.1 php72-pdo-debuginfo-7.2.5-1.46.1 php72-pgsql-7.2.5-1.46.1 php72-pgsql-debuginfo-7.2.5-1.46.1 php72-phar-7.2.5-1.46.1 php72-phar-debuginfo-7.2.5-1.46.1 php72-posix-7.2.5-1.46.1 php72-posix-debuginfo-7.2.5-1.46.1 php72-pspell-7.2.5-1.46.1 php72-pspell-debuginfo-7.2.5-1.46.1 php72-readline-7.2.5-1.46.1 php72-readline-debuginfo-7.2.5-1.46.1 php72-shmop-7.2.5-1.46.1 php72-shmop-debuginfo-7.2.5-1.46.1 php72-snmp-7.2.5-1.46.1 php72-snmp-debuginfo-7.2.5-1.46.1 php72-soap-7.2.5-1.46.1 php72-soap-debuginfo-7.2.5-1.46.1 php72-sockets-7.2.5-1.46.1 php72-sockets-debuginfo-7.2.5-1.46.1 php72-sodium-7.2.5-1.46.1 php72-sodium-debuginfo-7.2.5-1.46.1 php72-sqlite-7.2.5-1.46.1 php72-sqlite-debuginfo-7.2.5-1.46.1 php72-sysvmsg-7.2.5-1.46.1 php72-sysvmsg-debuginfo-7.2.5-1.46.1 php72-sysvsem-7.2.5-1.46.1 php72-sysvsem-debuginfo-7.2.5-1.46.1 php72-sysvshm-7.2.5-1.46.1 php72-sysvshm-debuginfo-7.2.5-1.46.1 php72-tidy-7.2.5-1.46.1 php72-tidy-debuginfo-7.2.5-1.46.1 php72-tokenizer-7.2.5-1.46.1 php72-tokenizer-debuginfo-7.2.5-1.46.1 php72-wddx-7.2.5-1.46.1 php72-wddx-debuginfo-7.2.5-1.46.1 
php72-xmlreader-7.2.5-1.46.1 php72-xmlreader-debuginfo-7.2.5-1.46.1 php72-xmlrpc-7.2.5-1.46.1 php72-xmlrpc-debuginfo-7.2.5-1.46.1 php72-xmlwriter-7.2.5-1.46.1 php72-xmlwriter-debuginfo-7.2.5-1.46.1 php72-xsl-7.2.5-1.46.1 php72-xsl-debuginfo-7.2.5-1.46.1 php72-zip-7.2.5-1.46.1 php72-zip-debuginfo-7.2.5-1.46.1 php72-zlib-7.2.5-1.46.1 php72-zlib-debuginfo-7.2.5-1.46.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): php72-pear-7.2.5-1.46.1 php72-pear-Archive_Tar-7.2.5-1.46.1 References: https://www.suse.com/security/cve/CVE-2019-11048.html https://www.suse.com/security/cve/CVE-2020-7064.html https://www.suse.com/security/cve/CVE-2020-7066.html https://bugzilla.suse.com/1168326 https://bugzilla.suse.com/1168352 https://bugzilla.suse.com/1171999 From sle-updates at lists.suse.com Fri Jun 5 08:43:18 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 5 Jun 2020 16:43:18 +0200 (CEST) Subject: SUSE-SU-2020:1545-1: moderate: Security update for php7 Message-ID: <20200605144318.E7A21FF46@maintenance.suse.de> SUSE Security Update: Security update for php7 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1545-1 Rating: moderate References: #1171999 Cross-References: CVE-2019-11048 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for php7 fixes the following issues: Security issue fixed: - CVE-2019-11048: Improved the handling of overly long filenames or field names in HTTP file uploads (bsc#1171999). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1545=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1545=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-1545=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): php7-debuginfo-7.0.7-50.94.1 php7-debugsource-7.0.7-50.94.1 php7-devel-7.0.7-50.94.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): php7-debuginfo-7.0.7-50.94.1 php7-debugsource-7.0.7-50.94.1 php7-devel-7.0.7-50.94.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): apache2-mod_php7-7.0.7-50.94.1 apache2-mod_php7-debuginfo-7.0.7-50.94.1 php7-7.0.7-50.94.1 php7-bcmath-7.0.7-50.94.1 php7-bcmath-debuginfo-7.0.7-50.94.1 php7-bz2-7.0.7-50.94.1 php7-bz2-debuginfo-7.0.7-50.94.1 php7-calendar-7.0.7-50.94.1 php7-calendar-debuginfo-7.0.7-50.94.1 php7-ctype-7.0.7-50.94.1 php7-ctype-debuginfo-7.0.7-50.94.1 php7-curl-7.0.7-50.94.1 php7-curl-debuginfo-7.0.7-50.94.1 php7-dba-7.0.7-50.94.1 php7-dba-debuginfo-7.0.7-50.94.1 php7-debuginfo-7.0.7-50.94.1 php7-debugsource-7.0.7-50.94.1 php7-dom-7.0.7-50.94.1 php7-dom-debuginfo-7.0.7-50.94.1 php7-enchant-7.0.7-50.94.1 php7-enchant-debuginfo-7.0.7-50.94.1 php7-exif-7.0.7-50.94.1 php7-exif-debuginfo-7.0.7-50.94.1 php7-fastcgi-7.0.7-50.94.1 php7-fastcgi-debuginfo-7.0.7-50.94.1 php7-fileinfo-7.0.7-50.94.1 php7-fileinfo-debuginfo-7.0.7-50.94.1 php7-fpm-7.0.7-50.94.1 php7-fpm-debuginfo-7.0.7-50.94.1 php7-ftp-7.0.7-50.94.1 php7-ftp-debuginfo-7.0.7-50.94.1 php7-gd-7.0.7-50.94.1 php7-gd-debuginfo-7.0.7-50.94.1 php7-gettext-7.0.7-50.94.1 php7-gettext-debuginfo-7.0.7-50.94.1 php7-gmp-7.0.7-50.94.1 php7-gmp-debuginfo-7.0.7-50.94.1 php7-iconv-7.0.7-50.94.1 
php7-iconv-debuginfo-7.0.7-50.94.1 php7-imap-7.0.7-50.94.1 php7-imap-debuginfo-7.0.7-50.94.1 php7-intl-7.0.7-50.94.1 php7-intl-debuginfo-7.0.7-50.94.1 php7-json-7.0.7-50.94.1 php7-json-debuginfo-7.0.7-50.94.1 php7-ldap-7.0.7-50.94.1 php7-ldap-debuginfo-7.0.7-50.94.1 php7-mbstring-7.0.7-50.94.1 php7-mbstring-debuginfo-7.0.7-50.94.1 php7-mcrypt-7.0.7-50.94.1 php7-mcrypt-debuginfo-7.0.7-50.94.1 php7-mysql-7.0.7-50.94.1 php7-mysql-debuginfo-7.0.7-50.94.1 php7-odbc-7.0.7-50.94.1 php7-odbc-debuginfo-7.0.7-50.94.1 php7-opcache-7.0.7-50.94.1 php7-opcache-debuginfo-7.0.7-50.94.1 php7-openssl-7.0.7-50.94.1 php7-openssl-debuginfo-7.0.7-50.94.1 php7-pcntl-7.0.7-50.94.1 php7-pcntl-debuginfo-7.0.7-50.94.1 php7-pdo-7.0.7-50.94.1 php7-pdo-debuginfo-7.0.7-50.94.1 php7-pgsql-7.0.7-50.94.1 php7-pgsql-debuginfo-7.0.7-50.94.1 php7-phar-7.0.7-50.94.1 php7-phar-debuginfo-7.0.7-50.94.1 php7-posix-7.0.7-50.94.1 php7-posix-debuginfo-7.0.7-50.94.1 php7-pspell-7.0.7-50.94.1 php7-pspell-debuginfo-7.0.7-50.94.1 php7-shmop-7.0.7-50.94.1 php7-shmop-debuginfo-7.0.7-50.94.1 php7-snmp-7.0.7-50.94.1 php7-snmp-debuginfo-7.0.7-50.94.1 php7-soap-7.0.7-50.94.1 php7-soap-debuginfo-7.0.7-50.94.1 php7-sockets-7.0.7-50.94.1 php7-sockets-debuginfo-7.0.7-50.94.1 php7-sqlite-7.0.7-50.94.1 php7-sqlite-debuginfo-7.0.7-50.94.1 php7-sysvmsg-7.0.7-50.94.1 php7-sysvmsg-debuginfo-7.0.7-50.94.1 php7-sysvsem-7.0.7-50.94.1 php7-sysvsem-debuginfo-7.0.7-50.94.1 php7-sysvshm-7.0.7-50.94.1 php7-sysvshm-debuginfo-7.0.7-50.94.1 php7-tokenizer-7.0.7-50.94.1 php7-tokenizer-debuginfo-7.0.7-50.94.1 php7-wddx-7.0.7-50.94.1 php7-wddx-debuginfo-7.0.7-50.94.1 php7-xmlreader-7.0.7-50.94.1 php7-xmlreader-debuginfo-7.0.7-50.94.1 php7-xmlrpc-7.0.7-50.94.1 php7-xmlrpc-debuginfo-7.0.7-50.94.1 php7-xmlwriter-7.0.7-50.94.1 php7-xmlwriter-debuginfo-7.0.7-50.94.1 php7-xsl-7.0.7-50.94.1 php7-xsl-debuginfo-7.0.7-50.94.1 php7-zip-7.0.7-50.94.1 php7-zip-debuginfo-7.0.7-50.94.1 php7-zlib-7.0.7-50.94.1 php7-zlib-debuginfo-7.0.7-50.94.1 - SUSE Linux 
Enterprise Module for Web Scripting 12 (noarch): php7-pear-7.0.7-50.94.1 php7-pear-Archive_Tar-7.0.7-50.94.1 References: https://www.suse.com/security/cve/CVE-2019-11048.html https://bugzilla.suse.com/1171999 From sle-updates at lists.suse.com Fri Jun 5 08:51:39 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 5 Jun 2020 16:51:39 +0200 (CEST) Subject: SUSE-CU-2020:184-1: Recommended update of suse/sles12sp3 Message-ID: <20200605145139.7863CFF46@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp3 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:184-1 Container Tags : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.159 , suse/sles12sp3:latest Container Release : 24.159 Severity : low Type : recommended References : ----------------------------------------------------------------- The container suse/sles12sp3 was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Fri Jun 5 09:01:59 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 5 Jun 2020 17:01:59 +0200 (CEST) Subject: SUSE-CU-2020:185-1: Recommended update of suse/sles12sp4 Message-ID: <20200605150159.4DA8CFF47@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:185-1 Container Tags : suse/sles12sp4:26.189 , suse/sles12sp4:latest Container Release : 26.189 Severity : moderate Type : recommended References : 1162930 ----------------------------------------------------------------- The container suse/sles12sp4 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1490-1 Released: Wed May 27 18:30:36 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1162930 This update for glibc fixes the following issue: - nptl: wait for pending setxid request also in detached thread (bsc#1162930) From sle-updates at lists.suse.com Fri Jun 5 09:06:19 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 5 Jun 2020 17:06:19 +0200 (CEST) Subject: SUSE-CU-2020:186-1: Recommended update of suse/sles12sp5 Message-ID: <20200605150619.4F731FF47@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:186-1 Container Tags : suse/sles12sp5:6.5.4 , suse/sles12sp5:latest Container Release : 6.5.4 Severity : moderate Type : recommended References : 1162930 ----------------------------------------------------------------- The container suse/sles12sp5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1490-1 Released: Wed May 27 18:30:36 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1162930 This update for glibc fixes the following issue: - nptl: wait for pending setxid request also in detached thread (bsc#1162930) From sle-updates at lists.suse.com Fri Jun 5 10:21:56 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 5 Jun 2020 18:21:56 +0200 (CEST) Subject: SUSE-CU-2020:187-1: Security update of suse/sle15 Message-ID: <20200605162156.3D1C1FF46@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:187-1 Container Tags : suse/sle15:15.0 , suse/sle15:15.0.4.22.215 Container Release : 4.22.215 Severity : moderate Type : security References : 1087982 1170527 1172021 CVE-2019-19956 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1506-1 Released: Fri May 29 17:22:11 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1087982,1170527 This update for aaa_base fixes the following issues: - Not all XTerm-based emulators have a terminfo entry. (bsc#1087982) - Better support of Midnight Commander. 
(bsc#1170527) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1532-1 Released: Thu Jun 4 10:16:12 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1172021,CVE-2019-19956 This update for libxml2 fixes the following issues: - CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021). From sle-updates at lists.suse.com Fri Jun 5 10:27:55 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 5 Jun 2020 18:27:55 +0200 (CEST) Subject: SUSE-CU-2020:188-1: Security update of suse/sle15 Message-ID: <20200605162755.799A4F3D7@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:188-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.244 Container Release : 6.2.244 Severity : moderate Type : security References : 1172021 CVE-2019-19956 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1532-1 Released: Thu Jun 4 10:16:12 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1172021,CVE-2019-19956 This update for libxml2 fixes the following issues: - CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021). 
From sle-updates at lists.suse.com Mon Jun 8 04:14:46 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 8 Jun 2020 12:14:46 +0200 (CEST) Subject: SUSE-RU-2020:1548-1: important: Recommended update for python Message-ID: <20200608101446.CF77BFF46@maintenance.suse.de> SUSE Recommended Update: Recommended update for python ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1548-1 Rating: important References: #1172544 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Workstation Extension 12-SP4 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for python fixes the following issues: - Revert the recent change to macros.python2, which caused multispec python packages to be generated with the python2- prefix instead of the python- prefix (bsc#1172544) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1548=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1548=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1548=1 - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1548=1 - SUSE Linux Enterprise Workstation Extension 12-SP4: zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1548=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1548=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1548=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1548=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1548=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1548=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1548=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1548=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1548=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1548=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1548=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1548=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): libpython2_7-1_0-2.7.17-28.45.1 libpython2_7-1_0-32bit-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-32bit-2.7.17-28.45.1 python-2.7.17-28.45.1 python-32bit-2.7.17-28.45.1 python-base-2.7.17-28.45.1 python-base-32bit-2.7.17-28.45.1 python-base-debuginfo-2.7.17-28.45.1 python-base-debuginfo-32bit-2.7.17-28.45.1 
python-base-debugsource-2.7.17-28.45.1 python-curses-2.7.17-28.45.1 python-curses-debuginfo-2.7.17-28.45.1 python-debuginfo-2.7.17-28.45.1 python-debuginfo-32bit-2.7.17-28.45.1 python-debugsource-2.7.17-28.45.1 python-demo-2.7.17-28.45.1 python-devel-2.7.17-28.45.1 python-gdbm-2.7.17-28.45.1 python-gdbm-debuginfo-2.7.17-28.45.1 python-idle-2.7.17-28.45.1 python-tk-2.7.17-28.45.1 python-tk-debuginfo-2.7.17-28.45.1 python-xml-2.7.17-28.45.1 python-xml-debuginfo-2.7.17-28.45.1 - SUSE OpenStack Cloud Crowbar 8 (noarch): python-doc-2.7.17-28.45.1 python-doc-pdf-2.7.17-28.45.1 - SUSE OpenStack Cloud 8 (x86_64): libpython2_7-1_0-2.7.17-28.45.1 libpython2_7-1_0-32bit-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-32bit-2.7.17-28.45.1 python-2.7.17-28.45.1 python-32bit-2.7.17-28.45.1 python-base-2.7.17-28.45.1 python-base-32bit-2.7.17-28.45.1 python-base-debuginfo-2.7.17-28.45.1 python-base-debuginfo-32bit-2.7.17-28.45.1 python-base-debugsource-2.7.17-28.45.1 python-curses-2.7.17-28.45.1 python-curses-debuginfo-2.7.17-28.45.1 python-debuginfo-2.7.17-28.45.1 python-debuginfo-32bit-2.7.17-28.45.1 python-debugsource-2.7.17-28.45.1 python-demo-2.7.17-28.45.1 python-devel-2.7.17-28.45.1 python-gdbm-2.7.17-28.45.1 python-gdbm-debuginfo-2.7.17-28.45.1 python-idle-2.7.17-28.45.1 python-tk-2.7.17-28.45.1 python-tk-debuginfo-2.7.17-28.45.1 python-xml-2.7.17-28.45.1 python-xml-debuginfo-2.7.17-28.45.1 - SUSE OpenStack Cloud 8 (noarch): python-doc-2.7.17-28.45.1 python-doc-pdf-2.7.17-28.45.1 - SUSE OpenStack Cloud 7 (s390x x86_64): libpython2_7-1_0-2.7.17-28.45.1 libpython2_7-1_0-32bit-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-32bit-2.7.17-28.45.1 python-2.7.17-28.45.1 python-32bit-2.7.17-28.45.1 python-base-2.7.17-28.45.1 python-base-32bit-2.7.17-28.45.1 python-base-debuginfo-2.7.17-28.45.1 python-base-debuginfo-32bit-2.7.17-28.45.1 python-base-debugsource-2.7.17-28.45.1 python-curses-2.7.17-28.45.1 
python-curses-debuginfo-2.7.17-28.45.1 python-debuginfo-2.7.17-28.45.1 python-debuginfo-32bit-2.7.17-28.45.1 python-debugsource-2.7.17-28.45.1 python-demo-2.7.17-28.45.1 python-devel-2.7.17-28.45.1 python-gdbm-2.7.17-28.45.1 python-gdbm-debuginfo-2.7.17-28.45.1 python-idle-2.7.17-28.45.1 python-tk-2.7.17-28.45.1 python-tk-debuginfo-2.7.17-28.45.1 python-xml-2.7.17-28.45.1 python-xml-debuginfo-2.7.17-28.45.1 - SUSE OpenStack Cloud 7 (noarch): python-doc-2.7.17-28.45.1 python-doc-pdf-2.7.17-28.45.1 - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): python-base-debuginfo-2.7.17-28.45.1 python-base-debugsource-2.7.17-28.45.1 python-devel-2.7.17-28.45.1 - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64): python-base-debuginfo-2.7.17-28.45.1 python-base-debugsource-2.7.17-28.45.1 python-devel-2.7.17-28.45.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): python-base-debuginfo-2.7.17-28.45.1 python-base-debugsource-2.7.17-28.45.1 python-devel-2.7.17-28.45.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libpython2_7-1_0-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-2.7.17-28.45.1 python-2.7.17-28.45.1 python-base-2.7.17-28.45.1 python-base-debuginfo-2.7.17-28.45.1 python-base-debugsource-2.7.17-28.45.1 python-curses-2.7.17-28.45.1 python-curses-debuginfo-2.7.17-28.45.1 python-debuginfo-2.7.17-28.45.1 python-debugsource-2.7.17-28.45.1 python-demo-2.7.17-28.45.1 python-devel-2.7.17-28.45.1 python-gdbm-2.7.17-28.45.1 python-gdbm-debuginfo-2.7.17-28.45.1 python-idle-2.7.17-28.45.1 python-tk-2.7.17-28.45.1 python-tk-debuginfo-2.7.17-28.45.1 python-xml-2.7.17-28.45.1 python-xml-debuginfo-2.7.17-28.45.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): python-doc-2.7.17-28.45.1 python-doc-pdf-2.7.17-28.45.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libpython2_7-1_0-32bit-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-32bit-2.7.17-28.45.1 python-32bit-2.7.17-28.45.1 
python-base-32bit-2.7.17-28.45.1 python-base-debuginfo-32bit-2.7.17-28.45.1 python-debuginfo-32bit-2.7.17-28.45.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libpython2_7-1_0-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-2.7.17-28.45.1 python-2.7.17-28.45.1 python-base-2.7.17-28.45.1 python-base-debuginfo-2.7.17-28.45.1 python-base-debugsource-2.7.17-28.45.1 python-curses-2.7.17-28.45.1 python-curses-debuginfo-2.7.17-28.45.1 python-debuginfo-2.7.17-28.45.1 python-debugsource-2.7.17-28.45.1 python-demo-2.7.17-28.45.1 python-devel-2.7.17-28.45.1 python-gdbm-2.7.17-28.45.1 python-gdbm-debuginfo-2.7.17-28.45.1 python-idle-2.7.17-28.45.1 python-tk-2.7.17-28.45.1 python-tk-debuginfo-2.7.17-28.45.1 python-xml-2.7.17-28.45.1 python-xml-debuginfo-2.7.17-28.45.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): python-doc-2.7.17-28.45.1 python-doc-pdf-2.7.17-28.45.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libpython2_7-1_0-32bit-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-32bit-2.7.17-28.45.1 python-32bit-2.7.17-28.45.1 python-base-32bit-2.7.17-28.45.1 python-base-debuginfo-32bit-2.7.17-28.45.1 python-debuginfo-32bit-2.7.17-28.45.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libpython2_7-1_0-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-2.7.17-28.45.1 python-2.7.17-28.45.1 python-base-2.7.17-28.45.1 python-base-debuginfo-2.7.17-28.45.1 python-base-debugsource-2.7.17-28.45.1 python-curses-2.7.17-28.45.1 python-curses-debuginfo-2.7.17-28.45.1 python-debuginfo-2.7.17-28.45.1 python-debugsource-2.7.17-28.45.1 python-demo-2.7.17-28.45.1 python-devel-2.7.17-28.45.1 python-gdbm-2.7.17-28.45.1 python-gdbm-debuginfo-2.7.17-28.45.1 python-idle-2.7.17-28.45.1 python-tk-2.7.17-28.45.1 python-tk-debuginfo-2.7.17-28.45.1 python-xml-2.7.17-28.45.1 python-xml-debuginfo-2.7.17-28.45.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libpython2_7-1_0-32bit-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-32bit-2.7.17-28.45.1 
python-32bit-2.7.17-28.45.1 python-base-32bit-2.7.17-28.45.1 python-base-debuginfo-32bit-2.7.17-28.45.1 python-debuginfo-32bit-2.7.17-28.45.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): python-doc-2.7.17-28.45.1 python-doc-pdf-2.7.17-28.45.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libpython2_7-1_0-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-2.7.17-28.45.1 python-2.7.17-28.45.1 python-base-2.7.17-28.45.1 python-base-debuginfo-2.7.17-28.45.1 python-base-debugsource-2.7.17-28.45.1 python-curses-2.7.17-28.45.1 python-curses-debuginfo-2.7.17-28.45.1 python-debuginfo-2.7.17-28.45.1 python-debugsource-2.7.17-28.45.1 python-demo-2.7.17-28.45.1 python-devel-2.7.17-28.45.1 python-gdbm-2.7.17-28.45.1 python-gdbm-debuginfo-2.7.17-28.45.1 python-idle-2.7.17-28.45.1 python-tk-2.7.17-28.45.1 python-tk-debuginfo-2.7.17-28.45.1 python-xml-2.7.17-28.45.1 python-xml-debuginfo-2.7.17-28.45.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libpython2_7-1_0-32bit-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-32bit-2.7.17-28.45.1 python-32bit-2.7.17-28.45.1 python-base-32bit-2.7.17-28.45.1 python-base-debuginfo-32bit-2.7.17-28.45.1 python-debuginfo-32bit-2.7.17-28.45.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): python-doc-2.7.17-28.45.1 python-doc-pdf-2.7.17-28.45.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libpython2_7-1_0-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-2.7.17-28.45.1 python-2.7.17-28.45.1 python-base-2.7.17-28.45.1 python-base-debuginfo-2.7.17-28.45.1 python-base-debugsource-2.7.17-28.45.1 python-curses-2.7.17-28.45.1 python-curses-debuginfo-2.7.17-28.45.1 python-debuginfo-2.7.17-28.45.1 python-debugsource-2.7.17-28.45.1 python-demo-2.7.17-28.45.1 python-devel-2.7.17-28.45.1 python-gdbm-2.7.17-28.45.1 python-gdbm-debuginfo-2.7.17-28.45.1 python-idle-2.7.17-28.45.1 python-tk-2.7.17-28.45.1 python-tk-debuginfo-2.7.17-28.45.1 python-xml-2.7.17-28.45.1 python-xml-debuginfo-2.7.17-28.45.1 - SUSE Linux 
Enterprise Server 12-SP3-LTSS (s390x x86_64): libpython2_7-1_0-32bit-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-32bit-2.7.17-28.45.1 python-32bit-2.7.17-28.45.1 python-base-32bit-2.7.17-28.45.1 python-base-debuginfo-32bit-2.7.17-28.45.1 python-debuginfo-32bit-2.7.17-28.45.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): python-doc-2.7.17-28.45.1 python-doc-pdf-2.7.17-28.45.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libpython2_7-1_0-2.7.17-28.45.1 libpython2_7-1_0-32bit-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-32bit-2.7.17-28.45.1 python-2.7.17-28.45.1 python-32bit-2.7.17-28.45.1 python-base-2.7.17-28.45.1 python-base-32bit-2.7.17-28.45.1 python-base-debuginfo-2.7.17-28.45.1 python-base-debuginfo-32bit-2.7.17-28.45.1 python-base-debugsource-2.7.17-28.45.1 python-curses-2.7.17-28.45.1 python-curses-debuginfo-2.7.17-28.45.1 python-debuginfo-2.7.17-28.45.1 python-debuginfo-32bit-2.7.17-28.45.1 python-debugsource-2.7.17-28.45.1 python-demo-2.7.17-28.45.1 python-devel-2.7.17-28.45.1 python-gdbm-2.7.17-28.45.1 python-gdbm-debuginfo-2.7.17-28.45.1 python-idle-2.7.17-28.45.1 python-tk-2.7.17-28.45.1 python-tk-debuginfo-2.7.17-28.45.1 python-xml-2.7.17-28.45.1 python-xml-debuginfo-2.7.17-28.45.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): python-doc-2.7.17-28.45.1 python-doc-pdf-2.7.17-28.45.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libpython2_7-1_0-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-2.7.17-28.45.1 python-2.7.17-28.45.1 python-base-2.7.17-28.45.1 python-base-debuginfo-2.7.17-28.45.1 python-base-debugsource-2.7.17-28.45.1 python-curses-2.7.17-28.45.1 python-curses-debuginfo-2.7.17-28.45.1 python-debuginfo-2.7.17-28.45.1 python-debugsource-2.7.17-28.45.1 python-demo-2.7.17-28.45.1 python-devel-2.7.17-28.45.1 python-gdbm-2.7.17-28.45.1 python-gdbm-debuginfo-2.7.17-28.45.1 python-idle-2.7.17-28.45.1 python-tk-2.7.17-28.45.1 python-tk-debuginfo-2.7.17-28.45.1 
python-xml-2.7.17-28.45.1 python-xml-debuginfo-2.7.17-28.45.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): libpython2_7-1_0-32bit-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-32bit-2.7.17-28.45.1 python-32bit-2.7.17-28.45.1 python-base-32bit-2.7.17-28.45.1 python-base-debuginfo-32bit-2.7.17-28.45.1 python-debuginfo-32bit-2.7.17-28.45.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): python-doc-2.7.17-28.45.1 python-doc-pdf-2.7.17-28.45.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): python-doc-2.7.17-28.45.1 python-doc-pdf-2.7.17-28.45.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libpython2_7-1_0-2.7.17-28.45.1 libpython2_7-1_0-32bit-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-32bit-2.7.17-28.45.1 python-2.7.17-28.45.1 python-32bit-2.7.17-28.45.1 python-base-2.7.17-28.45.1 python-base-32bit-2.7.17-28.45.1 python-base-debuginfo-2.7.17-28.45.1 python-base-debuginfo-32bit-2.7.17-28.45.1 python-base-debugsource-2.7.17-28.45.1 python-curses-2.7.17-28.45.1 python-curses-debuginfo-2.7.17-28.45.1 python-debuginfo-2.7.17-28.45.1 python-debuginfo-32bit-2.7.17-28.45.1 python-debugsource-2.7.17-28.45.1 python-demo-2.7.17-28.45.1 python-gdbm-2.7.17-28.45.1 python-gdbm-debuginfo-2.7.17-28.45.1 python-idle-2.7.17-28.45.1 python-tk-2.7.17-28.45.1 python-tk-debuginfo-2.7.17-28.45.1 python-xml-2.7.17-28.45.1 python-xml-debuginfo-2.7.17-28.45.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): libpython2_7-1_0-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-2.7.17-28.45.1 python-2.7.17-28.45.1 python-base-2.7.17-28.45.1 python-base-debuginfo-2.7.17-28.45.1 python-base-debugsource-2.7.17-28.45.1 python-curses-2.7.17-28.45.1 python-curses-debuginfo-2.7.17-28.45.1 python-debuginfo-2.7.17-28.45.1 python-debugsource-2.7.17-28.45.1 python-demo-2.7.17-28.45.1 python-devel-2.7.17-28.45.1 python-gdbm-2.7.17-28.45.1 python-gdbm-debuginfo-2.7.17-28.45.1 python-idle-2.7.17-28.45.1 python-strict-tls-check-2.7.17-28.45.1 
python-tk-2.7.17-28.45.1 python-tk-debuginfo-2.7.17-28.45.1 python-xml-2.7.17-28.45.1 python-xml-debuginfo-2.7.17-28.45.1 - SUSE Enterprise Storage 5 (x86_64): libpython2_7-1_0-32bit-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-32bit-2.7.17-28.45.1 python-32bit-2.7.17-28.45.1 python-base-32bit-2.7.17-28.45.1 python-base-debuginfo-32bit-2.7.17-28.45.1 python-debuginfo-32bit-2.7.17-28.45.1 - SUSE Enterprise Storage 5 (noarch): python-doc-2.7.17-28.45.1 python-doc-pdf-2.7.17-28.45.1 - HPE Helion Openstack 8 (x86_64): libpython2_7-1_0-2.7.17-28.45.1 libpython2_7-1_0-32bit-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-2.7.17-28.45.1 libpython2_7-1_0-debuginfo-32bit-2.7.17-28.45.1 python-2.7.17-28.45.1 python-32bit-2.7.17-28.45.1 python-base-2.7.17-28.45.1 python-base-32bit-2.7.17-28.45.1 python-base-debuginfo-2.7.17-28.45.1 python-base-debuginfo-32bit-2.7.17-28.45.1 python-base-debugsource-2.7.17-28.45.1 python-curses-2.7.17-28.45.1 python-curses-debuginfo-2.7.17-28.45.1 python-debuginfo-2.7.17-28.45.1 python-debuginfo-32bit-2.7.17-28.45.1 python-debugsource-2.7.17-28.45.1 python-demo-2.7.17-28.45.1 python-devel-2.7.17-28.45.1 python-gdbm-2.7.17-28.45.1 python-gdbm-debuginfo-2.7.17-28.45.1 python-idle-2.7.17-28.45.1 python-tk-2.7.17-28.45.1 python-tk-debuginfo-2.7.17-28.45.1 python-xml-2.7.17-28.45.1 python-xml-debuginfo-2.7.17-28.45.1 - HPE Helion Openstack 8 (noarch): python-doc-2.7.17-28.45.1 python-doc-pdf-2.7.17-28.45.1 References: https://bugzilla.suse.com/1172544 From sle-updates at lists.suse.com Mon Jun 8 04:15:50 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 8 Jun 2020 12:15:50 +0200 (CEST) Subject: SUSE-RU-2020:1547-1: moderate: Recommended update for fontconfig Message-ID: <20200608101550.88044FF46@maintenance.suse.de> SUSE Recommended Update: Recommended update for fontconfig ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1547-1 Rating: moderate References: #1172301 
Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for fontconfig fixes the following issues: - fontconfig-devel-32bit needs to require fontconfig-32bit, needed for Wine development (bsc#1172301) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1547=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): fontconfig-2.12.6-4.3.1 fontconfig-debuginfo-2.12.6-4.3.1 fontconfig-debugsource-2.12.6-4.3.1 fontconfig-devel-2.12.6-4.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): fontconfig-32bit-2.12.6-4.3.1 fontconfig-32bit-debuginfo-2.12.6-4.3.1 References: https://bugzilla.suse.com/1172301 From sle-updates at lists.suse.com Mon Jun 8 07:15:09 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 8 Jun 2020 15:15:09 +0200 (CEST) Subject: SUSE-SU-2020:14388-1: moderate: Security update for gnuplot Message-ID: <20200608131509.DC1BEFF46@maintenance.suse.de> SUSE Security Update: Security update for gnuplot ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14388-1 Rating: moderate References: #1044638 #1117463 #1117464 #1117465 #375175 Cross-References: CVE-2017-9670 CVE-2018-19490 CVE-2018-19491 CVE-2018-19492 Affected Products: SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that solves four vulnerabilities and has one errata is now available. 
Description: This update for gnuplot fixes the following issues: Security issues fixed: - CVE-2018-19492: Fixed a buffer overflow in the cairotrm_options function (bsc#1117463) - CVE-2018-19491: Fixed a buffer overflow in the PS_options function (bsc#1117464) - CVE-2018-19490: Fixed a heap-based buffer overflow in the df_generate_ascii_array_entry function (bsc#1117465) - CVE-2017-9670: Fixed an uninitialized stack variable vulnerability which could lead to a Denial of Service (bsc#1044638) Non-security issues fixed: - postscript output does not show any German "umlauts" (bsc#375175) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-gnuplot-14388=1 Package List: - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): gnuplot-debuginfo-4.2.3-7.3.22 gnuplot-debugsource-4.2.3-7.3.22 References: https://www.suse.com/security/cve/CVE-2017-9670.html https://www.suse.com/security/cve/CVE-2018-19490.html https://www.suse.com/security/cve/CVE-2018-19491.html https://www.suse.com/security/cve/CVE-2018-19492.html https://bugzilla.suse.com/1044638 https://bugzilla.suse.com/1117463 https://bugzilla.suse.com/1117464 https://bugzilla.suse.com/1117465 https://bugzilla.suse.com/375175 From sle-updates at lists.suse.com Mon Jun 8 07:14:16 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 8 Jun 2020 15:14:16 +0200 (CEST) Subject: SUSE-SU-2020:1556-1: important: Security update for MozillaFirefox Message-ID: <20200608131417.019FBFF46@maintenance.suse.de> SUSE Security Update: Security update for MozillaFirefox ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1556-1 Rating: important References: #1172402 Cross-References: CVE-2020-12405 CVE-2020-12406 
CVE-2020-12410 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP2 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for MozillaFirefox fixes the following issues: - MozillaFirefox was updated to version 68.9.0 Extended Support Release (bsc#1172402). - CVE-2020-12405: Fixed a use-after-free in SharedWorkerService. - CVE-2020-12406: Fixed a JavaScript Type confusion with NativeTypes. - CVE-2020-12410: Fixed multiple memory safety bugs. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Desktop Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-1556=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1556=1 Package List: - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.9.0-3.91.1 MozillaFirefox-debuginfo-68.9.0-3.91.1 MozillaFirefox-debugsource-68.9.0-3.91.1 MozillaFirefox-translations-common-68.9.0-3.91.1 MozillaFirefox-translations-other-68.9.0-3.91.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le x86_64): MozillaFirefox-devel-68.9.0-3.91.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.9.0-3.91.1 MozillaFirefox-debuginfo-68.9.0-3.91.1 MozillaFirefox-debugsource-68.9.0-3.91.1 MozillaFirefox-translations-common-68.9.0-3.91.1 MozillaFirefox-translations-other-68.9.0-3.91.1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le x86_64): MozillaFirefox-devel-68.9.0-3.91.1 
References: https://www.suse.com/security/cve/CVE-2020-12405.html https://www.suse.com/security/cve/CVE-2020-12406.html https://www.suse.com/security/cve/CVE-2020-12410.html https://bugzilla.suse.com/1172402 From sle-updates at lists.suse.com Mon Jun 8 07:16:28 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 8 Jun 2020 15:16:28 +0200 (CEST) Subject: SUSE-RU-2020:1558-1: moderate: Recommended update for chrony Message-ID: <20200608131628.918BFFF46@maintenance.suse.de> SUSE Recommended Update: Recommended update for chrony ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1558-1 Rating: moderate References: #1172113 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for chrony fixes the following issue: - Use iburst in the default pool statements to speed up initial synchronization. (bsc#1172113) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1558=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): chrony-3.2-9.15.1 chrony-debuginfo-3.2-9.15.1 chrony-debugsource-3.2-9.15.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): chrony-pool-empty-3.2-9.15.1 chrony-pool-suse-3.2-9.15.1 References: https://bugzilla.suse.com/1172113 From sle-updates at lists.suse.com Mon Jun 8 07:17:59 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 8 Jun 2020 15:17:59 +0200 (CEST) Subject: SUSE-RU-2020:1560-1: Recommended update for llvm7 Message-ID: <20200608131759.E881EFF46@maintenance.suse.de> SUSE Recommended Update: Recommended update for llvm7 ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1560-1 Rating: low References: #1171512 Affected Products: SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for llvm7 fixes the following issues: - Fix for build failures when using 'llvm7' on i586. (bsc#1171512) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP1-2020-1560=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1560=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1560=1 Package List: - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (x86_64): liblldb7-7.0.1-3.9.3 liblldb7-debuginfo-7.0.1-3.9.3 llvm7-debuginfo-7.0.1-3.9.3 llvm7-debugsource-7.0.1-3.9.3 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): clang7-checker-7.0.1-3.9.3 llvm7-debuginfo-7.0.1-3.9.3 llvm7-debugsource-7.0.1-3.9.3 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): clang7-7.0.1-3.9.3 clang7-debuginfo-7.0.1-3.9.3 clang7-devel-7.0.1-3.9.3 libLLVM7-7.0.1-3.9.3 libLLVM7-debuginfo-7.0.1-3.9.3 libLTO7-7.0.1-3.9.3 libLTO7-debuginfo-7.0.1-3.9.3 libclang7-7.0.1-3.9.3 libclang7-debuginfo-7.0.1-3.9.3 llvm7-7.0.1-3.9.3 llvm7-LTO-devel-7.0.1-3.9.3 llvm7-debuginfo-7.0.1-3.9.3 llvm7-debugsource-7.0.1-3.9.3 llvm7-devel-7.0.1-3.9.3 llvm7-devel-debuginfo-7.0.1-3.9.3 llvm7-gold-7.0.1-3.9.3 llvm7-gold-debuginfo-7.0.1-3.9.3 llvm7-polly-7.0.1-3.9.3 llvm7-polly-debuginfo-7.0.1-3.9.3 llvm7-polly-devel-7.0.1-3.9.3 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (ppc64le x86_64): libomp7-devel-7.0.1-3.9.3 libomp7-devel-debuginfo-7.0.1-3.9.3 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libLLVM7-32bit-7.0.1-3.9.3 libLLVM7-32bit-debuginfo-7.0.1-3.9.3 libc++-devel-7.0.1-3.9.3 libc++1-7.0.1-3.9.3 libc++1-debuginfo-7.0.1-3.9.3 libc++abi-devel-7.0.1-3.9.3 libc++abi1-7.0.1-3.9.3 libc++abi1-debuginfo-7.0.1-3.9.3 References: https://bugzilla.suse.com/1171512 From sle-updates at lists.suse.com Mon Jun 8 07:18:51 2020 From: sle-updates at 
lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 8 Jun 2020 15:18:51 +0200 (CEST) Subject: SUSE-SU-2020:1554-1: moderate: Security update for slurm_20_02 Message-ID: <20200608131851.121B3FF46@maintenance.suse.de> SUSE Security Update: Security update for slurm_20_02 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1554-1 Rating: moderate References: #1172004 Cross-References: CVE-2020-12693 Affected Products: SUSE Linux Enterprise Module for HPC 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for slurm_20_02 to version 20.02.3 fixes the following issues: Security issue fixed: - CVE-2020-12693: Fixed an authentication bypass via an alternate path or channel (bsc#1172004). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for HPC 15-SP1: zypper in -t patch SUSE-SLE-Module-HPC-15-SP1-2020-1554=1 Package List: - SUSE Linux Enterprise Module for HPC 15-SP1 (aarch64 x86_64): libnss_slurm2-20.02.3-3.8.1 libnss_slurm2-debuginfo-20.02.3-3.8.1 libpmi0_20_02-20.02.3-3.8.1 libpmi0_20_02-debuginfo-20.02.3-3.8.1 libslurm35-20.02.3-3.8.1 libslurm35-debuginfo-20.02.3-3.8.1 perl-slurm_20_02-20.02.3-3.8.1 perl-slurm_20_02-debuginfo-20.02.3-3.8.1 slurm_20_02-20.02.3-3.8.1 slurm_20_02-auth-none-20.02.3-3.8.1 slurm_20_02-auth-none-debuginfo-20.02.3-3.8.1 slurm_20_02-config-20.02.3-3.8.1 slurm_20_02-config-man-20.02.3-3.8.1 slurm_20_02-debuginfo-20.02.3-3.8.1 slurm_20_02-debugsource-20.02.3-3.8.1 slurm_20_02-devel-20.02.3-3.8.1 slurm_20_02-doc-20.02.3-3.8.1 slurm_20_02-lua-20.02.3-3.8.1 slurm_20_02-lua-debuginfo-20.02.3-3.8.1 slurm_20_02-munge-20.02.3-3.8.1 slurm_20_02-munge-debuginfo-20.02.3-3.8.1 slurm_20_02-node-20.02.3-3.8.1 slurm_20_02-node-debuginfo-20.02.3-3.8.1 slurm_20_02-pam_slurm-20.02.3-3.8.1 slurm_20_02-pam_slurm-debuginfo-20.02.3-3.8.1 slurm_20_02-plugins-20.02.3-3.8.1 slurm_20_02-plugins-debuginfo-20.02.3-3.8.1 slurm_20_02-slurmdbd-20.02.3-3.8.1 slurm_20_02-slurmdbd-debuginfo-20.02.3-3.8.1 slurm_20_02-sql-20.02.3-3.8.1 slurm_20_02-sql-debuginfo-20.02.3-3.8.1 slurm_20_02-sview-20.02.3-3.8.1 slurm_20_02-sview-debuginfo-20.02.3-3.8.1 slurm_20_02-torque-20.02.3-3.8.1 slurm_20_02-torque-debuginfo-20.02.3-3.8.1 slurm_20_02-webdoc-20.02.3-3.8.1 References: https://www.suse.com/security/cve/CVE-2020-12693.html https://bugzilla.suse.com/1172004 From sle-updates at lists.suse.com Mon Jun 8 07:19:41 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 8 Jun 2020 15:19:41 +0200 (CEST) Subject: SUSE-SU-2020:1553-1: moderate: Security update for libexif Message-ID: <20200608131941.06457FF46@maintenance.suse.de> SUSE Security Update: Security update for libexif 
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1553-1
Rating: moderate
References: #1055857 #1059893 #1120943 #1160770 #1171475 #1171847 #1172105 #1172116 #1172121
Cross-References: CVE-2016-6328 CVE-2017-7544 CVE-2018-20030 CVE-2019-9278 CVE-2020-0093 CVE-2020-12767 CVE-2020-13112 CVE-2020-13113 CVE-2020-13114
Affected Products:
  SUSE Linux Enterprise Module for Desktop Applications 15-SP1
______________________________________________________________________________

An update that fixes 9 vulnerabilities is now available.

Description:

This update for libexif to 0.6.22 fixes the following issues:

Security issues fixed:

- CVE-2016-6328: Fixed an integer overflow in parsing MNOTE entry data of the input file (bsc#1055857).
- CVE-2017-7544: Fixed an out-of-bounds heap read vulnerability in exif_data_save_data_entry function in libexif/exif-data.c (bsc#1059893).
- CVE-2018-20030: Fixed a denial of service by endless recursion (bsc#1120943).
- CVE-2019-9278: Fixed an integer overflow (bsc#1160770).
- CVE-2020-0093: Fixed an out-of-bounds read in exif_data_save_data_entry (bsc#1171847).
- CVE-2020-12767: Fixed a divide-by-zero error in exif_entry_get_value (bsc#1171475).
- CVE-2020-13112: Fixed a time consumption DoS when parsing canon array markers (bsc#1172121).
- CVE-2020-13113: Fixed a potential use of uninitialized memory (bsc#1172105).
- CVE-2020-13114: Fixed various buffer overread fixes due to integer overflows in maker notes (bsc#1172116).
Non-security issues fixed:

- libexif was updated to version 0.6.22:
  * New translations: ms
  * Updated translations for most languages
  * Some useful EXIF 2.3 tag added:
    * EXIF_TAG_GAMMA
    * EXIF_TAG_COMPOSITE_IMAGE
    * EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE
    * EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE
    * EXIF_TAG_GPS_H_POSITIONING_ERROR
    * EXIF_TAG_CAMERA_OWNER_NAME
    * EXIF_TAG_BODY_SERIAL_NUMBER
    * EXIF_TAG_LENS_SPECIFICATION
    * EXIF_TAG_LENS_MAKE
    * EXIF_TAG_LENS_MODEL
    * EXIF_TAG_LENS_SERIAL_NUMBER

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1553=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
  libexif-debugsource-0.6.22-5.6.1
  libexif-devel-0.6.22-5.6.1
  libexif12-0.6.22-5.6.1
  libexif12-debuginfo-0.6.22-5.6.1

References:

https://www.suse.com/security/cve/CVE-2016-6328.html
https://www.suse.com/security/cve/CVE-2017-7544.html
https://www.suse.com/security/cve/CVE-2018-20030.html
https://www.suse.com/security/cve/CVE-2019-9278.html
https://www.suse.com/security/cve/CVE-2020-0093.html
https://www.suse.com/security/cve/CVE-2020-12767.html
https://www.suse.com/security/cve/CVE-2020-13112.html
https://www.suse.com/security/cve/CVE-2020-13113.html
https://www.suse.com/security/cve/CVE-2020-13114.html
https://bugzilla.suse.com/1055857
https://bugzilla.suse.com/1059893
https://bugzilla.suse.com/1120943
https://bugzilla.suse.com/1160770
https://bugzilla.suse.com/1171475
https://bugzilla.suse.com/1171847
https://bugzilla.suse.com/1172105
https://bugzilla.suse.com/1172116
https://bugzilla.suse.com/1172121

From sle-updates at lists.suse.com Mon Jun 8 07:21:24 2020
From: sle-updates at lists.suse.com (sle-updates at
lists.suse.com)
Date: Mon, 8 Jun 2020 15:21:24 +0200 (CEST)
Subject: SUSE-SU-2020:1550-1: moderate: Security update for vim
Message-ID: <20200608132124.057E7FF46@maintenance.suse.de>

SUSE Security Update: Security update for vim
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1550-1
Rating: moderate
References: #1172031 #1172225
Cross-References: CVE-2019-20807
Affected Products:
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 8
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Enterprise Storage 5
  HPE Helion Openstack 8
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for vim fixes the following issues:

- CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim was possible using interfaces (bsc#1172225 and bsc#1172031).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1550=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1550=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1550=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1550=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1550=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1550=1
- SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1550=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1550=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1550=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1550=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1550=1
- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-1550=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2020-1550=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (noarch):
  vim-data-7.4.326-17.6.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  gvim-7.4.326-17.6.1
  gvim-debuginfo-7.4.326-17.6.1
  vim-7.4.326-17.6.1
  vim-debuginfo-7.4.326-17.6.1
  vim-debugsource-7.4.326-17.6.1
- SUSE OpenStack Cloud 8 (noarch):
  vim-data-7.4.326-17.6.1
- SUSE OpenStack Cloud 8 (x86_64):
  gvim-7.4.326-17.6.1
  gvim-debuginfo-7.4.326-17.6.1
  vim-7.4.326-17.6.1
  vim-debuginfo-7.4.326-17.6.1
  vim-debugsource-7.4.326-17.6.1
- SUSE OpenStack Cloud 7 (s390x x86_64):
  gvim-7.4.326-17.6.1
  gvim-debuginfo-7.4.326-17.6.1
  vim-7.4.326-17.6.1
  vim-debuginfo-7.4.326-17.6.1
  vim-debugsource-7.4.326-17.6.1
- SUSE OpenStack Cloud 7 (noarch):
  vim-data-7.4.326-17.6.1
- SUSE Linux Enterprise Server for SAP
12-SP3 (ppc64le x86_64):
  gvim-7.4.326-17.6.1
  gvim-debuginfo-7.4.326-17.6.1
  vim-7.4.326-17.6.1
  vim-debuginfo-7.4.326-17.6.1
  vim-debugsource-7.4.326-17.6.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (noarch):
  vim-data-7.4.326-17.6.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
  gvim-7.4.326-17.6.1
  gvim-debuginfo-7.4.326-17.6.1
  vim-7.4.326-17.6.1
  vim-debuginfo-7.4.326-17.6.1
  vim-debugsource-7.4.326-17.6.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
  vim-data-7.4.326-17.6.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  gvim-7.4.326-17.6.1
  gvim-debuginfo-7.4.326-17.6.1
  vim-7.4.326-17.6.1
  vim-debuginfo-7.4.326-17.6.1
  vim-debugsource-7.4.326-17.6.1
- SUSE Linux Enterprise Server 12-SP5 (noarch):
  vim-data-7.4.326-17.6.1
- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
  gvim-7.4.326-17.6.1
  gvim-debuginfo-7.4.326-17.6.1
  vim-7.4.326-17.6.1
  vim-debuginfo-7.4.326-17.6.1
  vim-debugsource-7.4.326-17.6.1
- SUSE Linux Enterprise Server 12-SP4 (noarch):
  vim-data-7.4.326-17.6.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
  gvim-7.4.326-17.6.1
  gvim-debuginfo-7.4.326-17.6.1
  vim-7.4.326-17.6.1
  vim-debuginfo-7.4.326-17.6.1
  vim-debugsource-7.4.326-17.6.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (noarch):
  vim-data-7.4.326-17.6.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
  gvim-7.4.326-17.6.1
  gvim-debuginfo-7.4.326-17.6.1
  vim-7.4.326-17.6.1
  vim-debuginfo-7.4.326-17.6.1
  vim-debugsource-7.4.326-17.6.1
- SUSE Linux Enterprise Server 12-SP3-BCL (noarch):
  vim-data-7.4.326-17.6.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
  gvim-7.4.326-17.6.1
  gvim-debuginfo-7.4.326-17.6.1
  vim-7.4.326-17.6.1
  vim-debuginfo-7.4.326-17.6.1
  vim-debugsource-7.4.326-17.6.1
- SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
  vim-data-7.4.326-17.6.1
- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
  vim-data-7.4.326-17.6.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
  gvim-7.4.326-17.6.1
  gvim-debuginfo-7.4.326-17.6.1
  vim-7.4.326-17.6.1
  vim-debuginfo-7.4.326-17.6.1
  vim-debugsource-7.4.326-17.6.1
- SUSE Enterprise Storage 5 (aarch64 x86_64):
  gvim-7.4.326-17.6.1
  gvim-debuginfo-7.4.326-17.6.1
  vim-7.4.326-17.6.1
  vim-debuginfo-7.4.326-17.6.1
  vim-debugsource-7.4.326-17.6.1
- SUSE Enterprise Storage 5 (noarch):
  vim-data-7.4.326-17.6.1
- HPE Helion Openstack 8 (noarch):
  vim-data-7.4.326-17.6.1
- HPE Helion Openstack 8 (x86_64):
  gvim-7.4.326-17.6.1
  gvim-debuginfo-7.4.326-17.6.1
  vim-7.4.326-17.6.1
  vim-debuginfo-7.4.326-17.6.1
  vim-debugsource-7.4.326-17.6.1

References:

https://www.suse.com/security/cve/CVE-2019-20807.html
https://bugzilla.suse.com/1172031
https://bugzilla.suse.com/1172225

From sle-updates at lists.suse.com Mon Jun 8 07:22:25 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 8 Jun 2020 15:22:25 +0200 (CEST)
Subject: SUSE-SU-2020:1551-1: moderate: Security update for vim
Message-ID: <20200608132225.1F63BFF46@maintenance.suse.de>

SUSE Security Update: Security update for vim
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1551-1
Rating: moderate
References: #1172225
Cross-References: CVE-2019-20807
Affected Products:
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise Module for Desktop Applications 15-SP2
  SUSE Linux Enterprise Module for Desktop Applications 15-SP1
  SUSE Linux Enterprise Module for Basesystem 15-SP2
  SUSE Linux Enterprise Module for Basesystem 15-SP1
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes one vulnerability is now available.
Description:

This update for vim fixes the following issues:

- CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim was possible using interfaces (bsc#1172225).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1551=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1551=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP2-2020-1551=1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1551=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1551=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1551=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1551=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1551=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  vim-8.0.1568-5.6.1
  vim-debuginfo-8.0.1568-5.6.1
  vim-debugsource-8.0.1568-5.6.1
- SUSE Linux Enterprise Server for SAP 15 (noarch):
  vim-data-8.0.1568-5.6.1
  vim-data-common-8.0.1568-5.6.1
- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  vim-8.0.1568-5.6.1
  vim-debuginfo-8.0.1568-5.6.1
  vim-debugsource-8.0.1568-5.6.1
- SUSE Linux Enterprise Server 15-LTSS (noarch):
  vim-data-8.0.1568-5.6.1
  vim-data-common-8.0.1568-5.6.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (aarch64 ppc64le s390x x86_64):
  gvim-8.0.1568-5.6.1
  gvim-debuginfo-8.0.1568-5.6.1
  vim-debuginfo-8.0.1568-5.6.1
  vim-debugsource-8.0.1568-5.6.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
  gvim-8.0.1568-5.6.1
  gvim-debuginfo-8.0.1568-5.6.1
  vim-debuginfo-8.0.1568-5.6.1
  vim-debugsource-8.0.1568-5.6.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64):
  vim-8.0.1568-5.6.1
  vim-debuginfo-8.0.1568-5.6.1
  vim-debugsource-8.0.1568-5.6.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
  vim-data-8.0.1568-5.6.1
  vim-data-common-8.0.1568-5.6.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  vim-8.0.1568-5.6.1
  vim-debuginfo-8.0.1568-5.6.1
  vim-debugsource-8.0.1568-5.6.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
  vim-data-8.0.1568-5.6.1
  vim-data-common-8.0.1568-5.6.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
  vim-8.0.1568-5.6.1
  vim-debuginfo-8.0.1568-5.6.1
  vim-debugsource-8.0.1568-5.6.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
  vim-data-8.0.1568-5.6.1
  vim-data-common-8.0.1568-5.6.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
  vim-8.0.1568-5.6.1
  vim-debuginfo-8.0.1568-5.6.1
  vim-debugsource-8.0.1568-5.6.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
  vim-data-8.0.1568-5.6.1
  vim-data-common-8.0.1568-5.6.1

References:

https://www.suse.com/security/cve/CVE-2019-20807.html
https://bugzilla.suse.com/1172225

From sle-updates at lists.suse.com Mon Jun 8 07:23:16 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 8 Jun 2020 15:23:16 +0200 (CEST)
Subject: SUSE-RU-2020:1559-1: moderate: Recommended update for dracut
Message-ID: <20200608132316.E762AFF46@maintenance.suse.de>

SUSE Recommended Update: Recommended update for dracut
______________________________________________________________________________

Announcement ID: SUSE-RU-2020:1559-1
Rating: moderate
References: #1171388
#975267
Affected Products:
  SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that has two recommended fixes can now be installed.

Description:

This update for dracut fixes the following issues:

- Detect the sysfs attribute "is_boot_target" (bsc#975267, bsc#1171388)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1559=1

Package List:

- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  dracut-044.2-18.61.1
  dracut-debuginfo-044.2-18.61.1
  dracut-debugsource-044.2-18.61.1
  dracut-fips-044.2-18.61.1
  dracut-ima-044.2-18.61.1

References:

https://bugzilla.suse.com/1171388
https://bugzilla.suse.com/975267

From sle-updates at lists.suse.com Mon Jun 8 07:25:12 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 8 Jun 2020 15:25:12 +0200 (CEST)
Subject: SUSE-SU-2020:14389-1: important: Security update for MozillaFirefox
Message-ID: <20200608132512.21BC8FF46@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:14389-1
Rating: important
References: #1172402
Cross-References: CVE-2020-12405 CVE-2020-12406 CVE-2020-12410
Affected Products:
  SUSE Linux Enterprise Server 11-SP4-LTSS
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for MozillaFirefox fixes the following issues:

- MozillaFirefox was updated to version 68.9.0 Extended Support Release (bsc#1172402).
- CVE-2020-12405: Fixed a use-after-free in SharedWorkerService.
- CVE-2020-12406: Fixed a JavaScript Type confusion with NativeTypes.
- CVE-2020-12410: Fixed multiple memory safety bugs.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
  zypper in -t patch slessp4-MozillaFirefox-14389=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (x86_64):
  MozillaFirefox-68.9.0-78.77.1
  MozillaFirefox-translations-common-68.9.0-78.77.1
  MozillaFirefox-translations-other-68.9.0-78.77.1

References:

https://www.suse.com/security/cve/CVE-2020-12405.html
https://www.suse.com/security/cve/CVE-2020-12406.html
https://www.suse.com/security/cve/CVE-2020-12410.html
https://bugzilla.suse.com/1172402

From sle-updates at lists.suse.com Mon Jun 8 07:26:02 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 8 Jun 2020 15:26:02 +0200 (CEST)
Subject: SUSE-SU-2020:1557-1: Security update for file-roller
Message-ID: <20200608132602.1D190F3D7@maintenance.suse.de>

SUSE Security Update: Security update for file-roller
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1557-1
Rating: low
References: #1151585 #1169428
Cross-References: CVE-2019-16680 CVE-2020-11736
Affected Products:
  SUSE Linux Enterprise Module for Desktop Applications 15-SP1
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for file-roller fixes the following issues:

- CVE-2020-11736: Fixed a directory traversal vulnerability due to improper checking whether a file's parent is an external symlink (bsc#1169428).
- CVE-2019-16680: Fixed a path traversal vulnerability which could have allowed an overwriting of a file during extraction (bsc#1151585).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1557=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):
  file-roller-3.26.2-4.5.1
  file-roller-debuginfo-3.26.2-4.5.1
  file-roller-debugsource-3.26.2-4.5.1
- SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (noarch):
  file-roller-lang-3.26.2-4.5.1

References:

https://www.suse.com/security/cve/CVE-2019-16680.html
https://www.suse.com/security/cve/CVE-2020-11736.html
https://bugzilla.suse.com/1151585
https://bugzilla.suse.com/1169428

From sle-updates at lists.suse.com Mon Jun 8 07:26:55 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 8 Jun 2020 15:26:55 +0200 (CEST)
Subject: SUSE-SU-2020:1552-1: moderate: Security update for dpdk
Message-ID: <20200608132655.1E9CAF3D7@maintenance.suse.de>

SUSE Security Update: Security update for dpdk
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1552-1
Rating: moderate
References: #1171477 #1171925 #1171926 #1171930
Cross-References: CVE-2020-10722 CVE-2020-10723 CVE-2020-10724
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves three vulnerabilities and has one errata is now available.

Description:

This update for dpdk fixes the following issues:

- CVE-2020-10722: Fixed an integer overflow in vhost_user_set_log_base() (bsc#1171930).
- CVE-2020-10723: Fixed an integer truncation in vhost_user_check_and_alloc_queue_pair() (bsc#1171925).
- CVE-2020-10724: Fixed a missing inputs validation in Vhost-crypto (bsc#1171926).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1552=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1552=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le x86_64):
  dpdk-debuginfo-18.11.3-3.9.2
  dpdk-debugsource-18.11.3-3.9.2
  dpdk-devel-18.11.3-3.9.2
  dpdk-devel-debuginfo-18.11.3-3.9.2
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64):
  dpdk-thunderx-debuginfo-18.11.3-3.9.2
  dpdk-thunderx-debugsource-18.11.3-3.9.2
  dpdk-thunderx-devel-18.11.3-3.9.2
  dpdk-thunderx-devel-debuginfo-18.11.3-3.9.2
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le x86_64):
  dpdk-18.11.3-3.9.2
  dpdk-debuginfo-18.11.3-3.9.2
  dpdk-debugsource-18.11.3-3.9.2
  dpdk-tools-18.11.3-3.9.2
  dpdk-tools-debuginfo-18.11.3-3.9.2
  libdpdk-18_11-18.11.3-3.9.2
  libdpdk-18_11-debuginfo-18.11.3-3.9.2
- SUSE Linux Enterprise Server 12-SP5 (aarch64):
  dpdk-thunderx-18.11.3-3.9.2
  dpdk-thunderx-debuginfo-18.11.3-3.9.2
  dpdk-thunderx-debugsource-18.11.3-3.9.2
  dpdk-thunderx-kmp-default-18.11.3_k4.12.14_122.20-3.9.2
  dpdk-thunderx-kmp-default-debuginfo-18.11.3_k4.12.14_122.20-3.9.2
- SUSE Linux Enterprise Server 12-SP5 (x86_64):
  dpdk-kmp-default-18.11.3_k4.12.14_122.20-3.9.2
  dpdk-kmp-default-debuginfo-18.11.3_k4.12.14_122.20-3.9.2

References:

https://www.suse.com/security/cve/CVE-2020-10722.html
https://www.suse.com/security/cve/CVE-2020-10723.html
https://www.suse.com/security/cve/CVE-2020-10724.html
https://bugzilla.suse.com/1171477
https://bugzilla.suse.com/1171925
https://bugzilla.suse.com/1171926
https://bugzilla.suse.com/1171930

From sle-updates at lists.suse.com Mon Jun 8 10:14:19 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 8 Jun 2020 18:14:19 +0200 (CEST)
Subject: SUSE-RU-2020:1561-1: moderate: Recommended update for lvm2
Message-ID: <20200608161419.B5538FF46@maintenance.suse.de>

SUSE Recommended Update: Recommended update for lvm2
______________________________________________________________________________

Announcement ID: SUSE-RU-2020:1561-1
Rating: moderate
References: #1145231 #1150021 #1158358 #1163526 #1164126 #1164718
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP4
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
  SUSE Linux Enterprise High Availability 12-SP5
  SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

An update that has 6 recommended fixes can now be installed.

Description:

This update for lvm2 fixes the following issues:

- MD devices should be detected by LVM2 with metadata=1.0/0.9. (bsc#1145231)
  This the detection of MD devices with metadata 0.9 or 1.0 on lvm2
- Fix heap memory leak in lvmetad. (bsc#1164126)
- lvmetad uses devices/global_filter but not devices/filter after lvm2 update. (bsc#1163526)
  This config item global_filter_compat is a SUSE special. The default value is 1, which means the devices/global_filter behaviour is same as before. When the value is 0, user should use global_filter to control system-wide software, e.g. udev and lvmetad global_filter_compat are not opened by LVM.
- Avoid creation of mixed-blocksize 'PV' on 'LVM' volume groups (LVM2). (bsc#1149408)
- Fix for LVM metadata when an error occurs writing device. (bsc#1150021)
- Fix for boot when it takes extremely long time with 400 LUN's.
  (bsc#1158358)
- Enhance block cache code to fix issues with 'lvmtad' and 'lvmcache'. (bsc#1164718)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1561=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
  zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1561=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1561=1
- SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1561=1
- SUSE Linux Enterprise High Availability 12-SP5:
  zypper in -t patch SUSE-SLE-HA-12-SP5-2020-1561=1
- SUSE Linux Enterprise High Availability 12-SP4:
  zypper in -t patch SUSE-SLE-HA-12-SP4-2020-1561=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  device-mapper-devel-1.02.149-9.34.8
  lvm2-debuginfo-2.02.180-9.34.8
  lvm2-debugsource-2.02.180-9.34.8
  lvm2-devel-2.02.180-9.34.8
- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
  device-mapper-devel-1.02.149-9.34.8
  lvm2-debuginfo-2.02.180-9.34.8
  lvm2-debugsource-2.02.180-9.34.8
  lvm2-devel-2.02.180-9.34.8
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  device-mapper-1.02.149-9.34.8
  device-mapper-debuginfo-1.02.149-9.34.8
  lvm2-2.02.180-9.34.8
  lvm2-debuginfo-2.02.180-9.34.8
  lvm2-debugsource-2.02.180-9.34.8
- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
  device-mapper-32bit-1.02.149-9.34.8
  device-mapper-debuginfo-32bit-1.02.149-9.34.8
- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
  device-mapper-1.02.149-9.34.8
  device-mapper-debuginfo-1.02.149-9.34.8
  lvm2-2.02.180-9.34.8
  lvm2-debuginfo-2.02.180-9.34.8
  lvm2-debugsource-2.02.180-9.34.8
- SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):
  device-mapper-32bit-1.02.149-9.34.8
  device-mapper-debuginfo-32bit-1.02.149-9.34.8
- SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):
  lvm2-clvm-2.02.180-9.34.8
  lvm2-clvm-debuginfo-2.02.180-9.34.8
  lvm2-cmirrord-2.02.180-9.34.8
  lvm2-cmirrord-debuginfo-2.02.180-9.34.8
  lvm2-debuginfo-2.02.180-9.34.8
  lvm2-debugsource-2.02.180-9.34.8
- SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64):
  lvm2-clvm-2.02.180-9.34.8
  lvm2-clvm-debuginfo-2.02.180-9.34.8
  lvm2-cmirrord-2.02.180-9.34.8
  lvm2-cmirrord-debuginfo-2.02.180-9.34.8
  lvm2-debuginfo-2.02.180-9.34.8
  lvm2-debugsource-2.02.180-9.34.8

References:

https://bugzilla.suse.com/1145231
https://bugzilla.suse.com/1150021
https://bugzilla.suse.com/1158358
https://bugzilla.suse.com/1163526
https://bugzilla.suse.com/1164126
https://bugzilla.suse.com/1164718

From sle-updates at lists.suse.com Mon Jun 8 10:16:00 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 8 Jun 2020 18:16:00 +0200 (CEST)
Subject: SUSE-SU-2020:1563-1: important: Security update for MozillaFirefox
Message-ID: <20200608161600.C0545FF46@maintenance.suse.de>

SUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1563-1
Rating: important
References: #1172402
Cross-References: CVE-2020-12405 CVE-2020-12406 CVE-2020-12410
Affected Products:
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 8
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP4
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Enterprise Storage 5
  HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for MozillaFirefox fixes the following issues:

- MozillaFirefox was updated to version 68.9.0 Extended Support Release (bsc#1172402).
- CVE-2020-12405: Fixed a use-after-free in SharedWorkerService.
- CVE-2020-12406: Fixed a JavaScript Type confusion with NativeTypes.
- CVE-2020-12410: Fixed multiple memory safety bugs.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1563=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1563=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1563=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1563=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
  zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1563=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1563=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1563=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1563=1
- SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1563=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1563=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1563=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1563=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1563=1
- SUSE Enterprise Storage 5:
  zypper in -t patch
  SUSE-Storage-5-2020-1563=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2020-1563=1

Package List:

- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  MozillaFirefox-68.9.0-109.123.1
  MozillaFirefox-debuginfo-68.9.0-109.123.1
  MozillaFirefox-debugsource-68.9.0-109.123.1
  MozillaFirefox-translations-common-68.9.0-109.123.1
- SUSE OpenStack Cloud 8 (x86_64):
  MozillaFirefox-68.9.0-109.123.1
  MozillaFirefox-debuginfo-68.9.0-109.123.1
  MozillaFirefox-debugsource-68.9.0-109.123.1
  MozillaFirefox-translations-common-68.9.0-109.123.1
- SUSE OpenStack Cloud 7 (s390x x86_64):
  MozillaFirefox-68.9.0-109.123.1
  MozillaFirefox-debuginfo-68.9.0-109.123.1
  MozillaFirefox-debugsource-68.9.0-109.123.1
  MozillaFirefox-devel-68.9.0-109.123.1
  MozillaFirefox-translations-common-68.9.0-109.123.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  MozillaFirefox-debuginfo-68.9.0-109.123.1
  MozillaFirefox-debugsource-68.9.0-109.123.1
  MozillaFirefox-devel-68.9.0-109.123.1
- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
  MozillaFirefox-debuginfo-68.9.0-109.123.1
  MozillaFirefox-debugsource-68.9.0-109.123.1
  MozillaFirefox-devel-68.9.0-109.123.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
  MozillaFirefox-68.9.0-109.123.1
  MozillaFirefox-debuginfo-68.9.0-109.123.1
  MozillaFirefox-debugsource-68.9.0-109.123.1
  MozillaFirefox-translations-common-68.9.0-109.123.1
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
  MozillaFirefox-68.9.0-109.123.1
  MozillaFirefox-debuginfo-68.9.0-109.123.1
  MozillaFirefox-debugsource-68.9.0-109.123.1
  MozillaFirefox-devel-68.9.0-109.123.1
  MozillaFirefox-translations-common-68.9.0-109.123.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  MozillaFirefox-68.9.0-109.123.1
  MozillaFirefox-debuginfo-68.9.0-109.123.1
  MozillaFirefox-debugsource-68.9.0-109.123.1
  MozillaFirefox-translations-common-68.9.0-109.123.1
- SUSE Linux Enterprise Server 12-SP4
(aarch64 ppc64le s390x x86_64): MozillaFirefox-68.9.0-109.123.1 MozillaFirefox-debuginfo-68.9.0-109.123.1 MozillaFirefox-debugsource-68.9.0-109.123.1 MozillaFirefox-translations-common-68.9.0-109.123.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): MozillaFirefox-68.9.0-109.123.1 MozillaFirefox-debuginfo-68.9.0-109.123.1 MozillaFirefox-debugsource-68.9.0-109.123.1 MozillaFirefox-translations-common-68.9.0-109.123.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): MozillaFirefox-68.9.0-109.123.1 MozillaFirefox-debuginfo-68.9.0-109.123.1 MozillaFirefox-debugsource-68.9.0-109.123.1 MozillaFirefox-translations-common-68.9.0-109.123.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): MozillaFirefox-68.9.0-109.123.1 MozillaFirefox-debuginfo-68.9.0-109.123.1 MozillaFirefox-debugsource-68.9.0-109.123.1 MozillaFirefox-devel-68.9.0-109.123.1 MozillaFirefox-translations-common-68.9.0-109.123.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): MozillaFirefox-68.9.0-109.123.1 MozillaFirefox-debuginfo-68.9.0-109.123.1 MozillaFirefox-debugsource-68.9.0-109.123.1 MozillaFirefox-devel-68.9.0-109.123.1 MozillaFirefox-translations-common-68.9.0-109.123.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): MozillaFirefox-68.9.0-109.123.1 MozillaFirefox-debuginfo-68.9.0-109.123.1 MozillaFirefox-debugsource-68.9.0-109.123.1 MozillaFirefox-translations-common-68.9.0-109.123.1 - HPE Helion Openstack 8 (x86_64): MozillaFirefox-68.9.0-109.123.1 MozillaFirefox-debuginfo-68.9.0-109.123.1 MozillaFirefox-debugsource-68.9.0-109.123.1 MozillaFirefox-translations-common-68.9.0-109.123.1 References: https://www.suse.com/security/cve/CVE-2020-12405.html https://www.suse.com/security/cve/CVE-2020-12406.html https://www.suse.com/security/cve/CVE-2020-12410.html https://bugzilla.suse.com/1172402 From sle-updates at lists.suse.com Mon Jun 8 10:16:58 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 8 Jun 2020 18:16:58 +0200 
(CEST) Subject: SUSE-RU-2020:1562-1: moderate: Recommended update for lvm2 Message-ID: <20200608161658.1D9E1FF46@maintenance.suse.de> SUSE Recommended Update: Recommended update for lvm2 ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1562-1 Rating: moderate References: #1145231 #1150021 #1158358 #1163526 #1164126 #1164718 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Availability 15-SP1 ______________________________________________________________________________ An update that has 6 recommended fixes can now be installed. Description: This update for lvm2 fixes the following issues: - Fix heap memory leak in lvmetad. (bsc#1164126) - lvmetad uses devices/global_filter but not devices/filter after lvm2 update. (bsc#1163526) This config item global_filter_compat is a SUSE special. The default value is 1, which means the devices/global_filter behaviour is same as before. When the value is 0, user should use global_filter to control system-wide software, e.g. udev and lvmetad global_filter_compat are not opened by LVM. - Avoid creation of mixed-blocksize 'PV' on 'LVM' volume groups (LVM2). (bsc#1149408) - Fix for LVM metadata when an error occurs writing device. (bsc#1150021) - Fix for boot when it takes extremely long time with 400 LUN's. (bsc#1158358) - Fix for LVM metadata to avoid faulty LVM detection. (bsc#1145231) - Enhance block cache code to fix issues with 'lvmetad' and 'lvmcache'. (bsc#1164718) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1562=1 - SUSE Linux Enterprise High Availability 15-SP1: zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-1562=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): device-mapper-1.02.149-12.17.11 device-mapper-debuginfo-1.02.149-12.17.11 device-mapper-debugsource-1.02.149-12.17.11 device-mapper-devel-1.02.149-12.17.11 libdevmapper-event1_03-1.02.149-12.17.11 libdevmapper-event1_03-debuginfo-1.02.149-12.17.11 libdevmapper1_03-1.02.149-12.17.11 libdevmapper1_03-debuginfo-1.02.149-12.17.11 liblvm2app2_2-2.02.180-12.17.14 liblvm2app2_2-debuginfo-2.02.180-12.17.14 liblvm2cmd2_02-2.02.180-12.17.14 liblvm2cmd2_02-debuginfo-2.02.180-12.17.14 lvm2-2.02.180-12.17.14 lvm2-debuginfo-2.02.180-12.17.14 lvm2-debugsource-2.02.180-12.17.14 lvm2-devel-2.02.180-12.17.14 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libdevmapper1_03-32bit-1.02.149-12.17.11 libdevmapper1_03-32bit-debuginfo-1.02.149-12.17.11 - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64): lvm2-clvm-2.02.180-12.17.16 lvm2-clvm-debuginfo-2.02.180-12.17.16 lvm2-clvm-debugsource-2.02.180-12.17.16 lvm2-cmirrord-2.02.180-12.17.16 lvm2-cmirrord-debuginfo-2.02.180-12.17.16 lvm2-lockd-2.02.180-12.17.16 lvm2-lockd-debuginfo-2.02.180-12.17.16 References: https://bugzilla.suse.com/1145231 https://bugzilla.suse.com/1150021 https://bugzilla.suse.com/1158358 https://bugzilla.suse.com/1163526 https://bugzilla.suse.com/1164126 https://bugzilla.suse.com/1164718 From sle-updates at lists.suse.com Mon Jun 8 13:12:58 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 8 Jun 2020 21:12:58 +0200 (CEST) Subject: SUSE-RU-2020:1567-1: moderate: Recommended update for python-typing Message-ID: <20200608191258.84957FF46@maintenance.suse.de> SUSE 
Recommended Update: Recommended update for python-typing ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1567-1 Rating: moderate References: #1162547 Affected Products: SUSE Linux Enterprise Module for Python2 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for python-typing fixes the following issues: - Update to 3.7.4 (jsc#SLE-12548, bsc#1162547) - Fix subclassing builtin protocols on older Python versions - Move Protocol, runtime_checkable, Final, final, Literal, and TypedDict to typing - Add support for Python 3.8 in typing_extensions - Unify the implementation of annotated in src_py2 and src_py3 - Add Annotated in python2 - Pep 593 py3 - Drop support of Python 3.3 - [typing-extensions] Simple implementation for IntVar - Add a python 3.7+ version of Annotated to typing_extensions - Add SupportsIndex - Add TypedDict to typing_extensions - Add Final to the README - Run the tests using the current Python executable - Fix GeneralMeta.__instancecheck__() for old style classes - Add Literal[...] types to typing_extensions - Fix instance/subclass checks of functions against runtime protocols. 
- Bump typing_extension version - Improve PyPI entry for typing_extensions - Add Final to typing_extensions - include license file for typing-extensions and in wheels - Fix IO.closed to be property - Backport Generic.__new__ fix - Bump typing_extensions version before release - Add missing 'NoReturn' to __all__ in typing.py - Add annotations to NamedTuple children __new__ constructors - Fix typing_extensions to support PEP 560 - Pass *args and **kwargs to superclass in Generic.__new__ - Fix interaction between generics and __init_subclass__ - Fix protocols in unions (runtime problem) - Fix interaction between typing_extensions and collections.abc - Override subclass check for the singledispatch library - Fix copying generic instances in Python 3 - Switch to setuptools in typing_extensions - Add class Protocol and @runtime to typing extensions - get_type_hints(): find the right globalns for classes and modules - Document the workflow for publishing wheels - Make sure copy and deepcopy are returning same class - Update pytest and pytest-xdist versions - Fix failing test test_protocol_instance_works Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Python2 15-SP1: zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-1567=1 Package List: - SUSE Linux Enterprise Module for Python2 15-SP1 (noarch): python2-typing-3.7.4-3.3.2 References: https://bugzilla.suse.com/1162547 From sle-updates at lists.suse.com Tue Jun 9 07:13:40 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 9 Jun 2020 15:13:40 +0200 (CEST) Subject: SUSE-SU-2020:1573-1: moderate: Add features for Metrics Server, Cert Status Checker, VSphere VCP, and Cilium Envoy Message-ID: <20200609131340.15F42F749@maintenance.suse.de> SUSE Security Update: Add features for Metrics Server, Cert Status Checker, VSphere VCP, and Cilium Envoy ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1573-1 Rating: moderate References: #1041090 #1047218 #1048688 #1086909 #1094448 #1095603 #1102920 #1121353 #1129568 #1138908 #1144068 #1151876 #1156450 #1159002 #1159003 #1159004 #1159539 #1162651 #1167073 #1169506 Cross-References: CVE-2019-18801 CVE-2019-18802 CVE-2019-18836 CVE-2019-18838 Affected Products: SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that solves four vulnerabilities and has 16 fixes is now available. Description: Metrics Server * Support monitoring of *CPU* and *memory* of a pod or node. Cert Status Checker * Exposes cluster-wide certificates status and use monitoring stack (Prometheus and Grafana) to receives alerts by Prometheus Alertmanager and monitors certificate status by Grafana dashboard. VSphere VCP * Allow Kubernetes pods to use VMWare vSphere Virtual Machine Disk (VMDK) volumes as persistent storage. 
Cilium Envoy
 * Updated Cilium from version 1.5.3 to version 1.6.6
 * Provide Envoy-proxy support for Cilium
 * Envoy and its dependencies packaged for version 1.12.2
 * Cilium uses CRD and ConfigMap points on etcd are removed

See release notes for installation instructions: https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/

Following CVE entries are relevant for the casp 4.2.1 update:

cilium-proxy:
 CVE-2019-18801: An untrusted remote client might have been able to send HTTP/2 requests via cilium-proxy that could have written to the heap outside of the request buffers when the upstream is HTTP/1. (bsc#1159002)
 CVE-2019-18802: A malformed request header may have caused bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003)
 CVE-2019-18838: A malformed HTTP request without the Host header may cause abnormal termination of the Envoy process (bsc#1159004)
 CVE-2019-18836: Excessive iteration due to listener filter timeout in envoy could lead to DoS (bsc#1156450)

kafka:
 CVE-2018-1288: authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request. (bsc#1102920)

Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

 - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
Package List: - SUSE CaaS Platform 4.0 (x86_64): caasp-release-4.2.1-24.23.4 skuba-1.3.5-3.39.1 terraform-provider-vsphere-1.17.3-3.3.4 - SUSE CaaS Platform 4.0 (noarch): skuba-update-1.3.5-3.39.1 References: https://www.suse.com/security/cve/CVE-2019-18801.html https://www.suse.com/security/cve/CVE-2019-18802.html https://www.suse.com/security/cve/CVE-2019-18836.html https://www.suse.com/security/cve/CVE-2019-18838.html https://bugzilla.suse.com/1041090 https://bugzilla.suse.com/1047218 https://bugzilla.suse.com/1048688 https://bugzilla.suse.com/1086909 https://bugzilla.suse.com/1094448 https://bugzilla.suse.com/1095603 https://bugzilla.suse.com/1102920 https://bugzilla.suse.com/1121353 https://bugzilla.suse.com/1129568 https://bugzilla.suse.com/1138908 https://bugzilla.suse.com/1144068 https://bugzilla.suse.com/1151876 https://bugzilla.suse.com/1156450 https://bugzilla.suse.com/1159002 https://bugzilla.suse.com/1159003 https://bugzilla.suse.com/1159004 https://bugzilla.suse.com/1159539 https://bugzilla.suse.com/1162651 https://bugzilla.suse.com/1167073 https://bugzilla.suse.com/1169506 From sle-updates at lists.suse.com Tue Jun 9 07:16:46 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 9 Jun 2020 15:16:46 +0200 (CEST) Subject: SUSE-SU-2020:1568-1: critical: Security update for nodejs10 Message-ID: <20200609131646.CB980F749@maintenance.suse.de> SUSE Security Update: Security update for nodejs10 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1568-1 Rating: critical References: #1162117 #1166844 #1166916 #1172442 #1172443 Cross-References: CVE-2020-10531 CVE-2020-11080 CVE-2020-7598 CVE-2020-8174 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Web Scripting 15-SP2 SUSE Linux Enterprise Module for Web Scripting 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux 
Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that solves four vulnerabilities and has one errata is now available. Description: This update for nodejs10 fixes the following issues: nodejs10 was updated to version 10.21.0 - CVE-2020-8174: Fixed multiple memory corruption in napi_get_value_string_*() (bsc#1172443). - CVE-2020-11080: Fixed a potential denial of service when receiving unreasonably large HTTP/2 SETTINGS frames (bsc#1172442). - CVE-2020-10531: Fixed an integer overflow in UnicodeString:doAppend() (bsc#1166844). - Fixed an issue with openssl by adding getrandom syscall definition for all Linux platforms (bsc#1162117). npm was updated to 6.14.3 - CVE-2020-7598: Fixed an issue which could have tricked minimist into adding or modifying properties of Object.prototype (bsc#1166916). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1568=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1568=1 - SUSE Linux Enterprise Module for Web Scripting 15-SP2: zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP2-2020-1568=1 - SUSE Linux Enterprise Module for Web Scripting 15-SP1: zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP1-2020-1568=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1568=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1568=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): nodejs10-10.21.0-1.21.1 nodejs10-debuginfo-10.21.0-1.21.1 nodejs10-debugsource-10.21.0-1.21.1 nodejs10-devel-10.21.0-1.21.1 npm10-10.21.0-1.21.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): nodejs10-docs-10.21.0-1.21.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): nodejs10-10.21.0-1.21.1 nodejs10-debuginfo-10.21.0-1.21.1 nodejs10-debugsource-10.21.0-1.21.1 nodejs10-devel-10.21.0-1.21.1 npm10-10.21.0-1.21.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): nodejs10-docs-10.21.0-1.21.1 - SUSE Linux Enterprise Module for Web Scripting 15-SP2 (aarch64 ppc64le s390x x86_64): nodejs10-10.21.0-1.21.1 nodejs10-debuginfo-10.21.0-1.21.1 nodejs10-debugsource-10.21.0-1.21.1 nodejs10-devel-10.21.0-1.21.1 npm10-10.21.0-1.21.1 - SUSE Linux Enterprise Module for Web Scripting 15-SP2 (noarch): nodejs10-docs-10.21.0-1.21.1 - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (aarch64 ppc64le s390x x86_64): nodejs10-10.21.0-1.21.1 nodejs10-debuginfo-10.21.0-1.21.1 nodejs10-debugsource-10.21.0-1.21.1 nodejs10-devel-10.21.0-1.21.1 npm10-10.21.0-1.21.1 - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (noarch): nodejs10-docs-10.21.0-1.21.1 - SUSE Linux 
Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): nodejs10-10.21.0-1.21.1 nodejs10-debuginfo-10.21.0-1.21.1 nodejs10-debugsource-10.21.0-1.21.1 nodejs10-devel-10.21.0-1.21.1 npm10-10.21.0-1.21.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): nodejs10-docs-10.21.0-1.21.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): nodejs10-10.21.0-1.21.1 nodejs10-debuginfo-10.21.0-1.21.1 nodejs10-debugsource-10.21.0-1.21.1 nodejs10-devel-10.21.0-1.21.1 npm10-10.21.0-1.21.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): nodejs10-docs-10.21.0-1.21.1 References: https://www.suse.com/security/cve/CVE-2020-10531.html https://www.suse.com/security/cve/CVE-2020-11080.html https://www.suse.com/security/cve/CVE-2020-7598.html https://www.suse.com/security/cve/CVE-2020-8174.html https://bugzilla.suse.com/1162117 https://bugzilla.suse.com/1166844 https://bugzilla.suse.com/1166916 https://bugzilla.suse.com/1172442 https://bugzilla.suse.com/1172443 From sle-updates at lists.suse.com Tue Jun 9 07:18:03 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 9 Jun 2020 15:18:03 +0200 (CEST) Subject: SUSE-RU-2020:1574-1: moderate: Recommended update for release-notes-caasp Message-ID: <20200609131803.3017AF749@maintenance.suse.de> SUSE Recommended Update: Recommended update for release-notes-caasp ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1574-1 Rating: moderate References: #1172588 Affected Products: SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update includes release notes for SUSE CaaS Platform 4.2.1. Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE CaaS Platform 4.0 (noarch): release-notes-caasp-4.2.20200605-4.48.1 References: https://bugzilla.suse.com/1172588 From sle-updates at lists.suse.com Tue Jun 9 07:18:53 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 9 Jun 2020 15:18:53 +0200 (CEST) Subject: SUSE-SU-2020:1569-1: important: Security update for java-1_8_0-openjdk Message-ID: <20200609131853.79AEFF749@maintenance.suse.de> SUSE Security Update: Security update for java-1_8_0-openjdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1569-1 Rating: important References: #1160398 #1169511 #1171352 Cross-References: CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2773 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2830 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Legacy Software 15-SP1 ______________________________________________________________________________ An update that fixes 10 vulnerabilities is now available. 
Description: This update for java-1_8_0-openjdk to version jdk8u252 fixes the following issues: - CVE-2020-2754: Forward references to Nashorn (bsc#1169511) - CVE-2020-2755: Improve Nashorn matching (bsc#1169511) - CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511) - CVE-2020-2757: Less Blocking Array Queues (bsc#1169511) - CVE-2020-2773: Better signatures in XML (bsc#1169511) - CVE-2020-2781: Improve TLS session handling (bsc#1169511) - CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511) - CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511) - CVE-2020-2805: Enhance typing of methods (bsc#1169511) - CVE-2020-2830: Better Scanner conversions (bsc#1169511) - Ignore whitespaces after the header or footer in PEM X.509 cert (bsc#1171352) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1569=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1569=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-1569=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): java-1_8_0-openjdk-1.8.0.252-3.35.3 java-1_8_0-openjdk-debuginfo-1.8.0.252-3.35.3 java-1_8_0-openjdk-debugsource-1.8.0.252-3.35.3 java-1_8_0-openjdk-demo-1.8.0.252-3.35.3 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-3.35.3 java-1_8_0-openjdk-devel-1.8.0.252-3.35.3 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-3.35.3 java-1_8_0-openjdk-headless-1.8.0.252-3.35.3 java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-3.35.3 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): java-1_8_0-openjdk-1.8.0.252-3.35.3 java-1_8_0-openjdk-debuginfo-1.8.0.252-3.35.3 java-1_8_0-openjdk-debugsource-1.8.0.252-3.35.3 
java-1_8_0-openjdk-demo-1.8.0.252-3.35.3 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-3.35.3 java-1_8_0-openjdk-devel-1.8.0.252-3.35.3 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-3.35.3 java-1_8_0-openjdk-headless-1.8.0.252-3.35.3 java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-3.35.3 - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.252-3.35.3 java-1_8_0-openjdk-debuginfo-1.8.0.252-3.35.3 java-1_8_0-openjdk-debugsource-1.8.0.252-3.35.3 java-1_8_0-openjdk-demo-1.8.0.252-3.35.3 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-3.35.3 java-1_8_0-openjdk-devel-1.8.0.252-3.35.3 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-3.35.3 java-1_8_0-openjdk-headless-1.8.0.252-3.35.3 java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-3.35.3 References: https://www.suse.com/security/cve/CVE-2020-2754.html https://www.suse.com/security/cve/CVE-2020-2755.html https://www.suse.com/security/cve/CVE-2020-2756.html https://www.suse.com/security/cve/CVE-2020-2757.html https://www.suse.com/security/cve/CVE-2020-2773.html https://www.suse.com/security/cve/CVE-2020-2781.html https://www.suse.com/security/cve/CVE-2020-2800.html https://www.suse.com/security/cve/CVE-2020-2803.html https://www.suse.com/security/cve/CVE-2020-2805.html https://www.suse.com/security/cve/CVE-2020-2830.html https://bugzilla.suse.com/1160398 https://bugzilla.suse.com/1169511 https://bugzilla.suse.com/1171352 From sle-updates at lists.suse.com Tue Jun 9 07:20:02 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 9 Jun 2020 15:20:02 +0200 (CEST) Subject: SUSE-SU-2020:1570-1: important: Security update for ruby2.1 Message-ID: <20200609132002.70CA4F749@maintenance.suse.de> SUSE Security Update: Security update for ruby2.1 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1570-1 Rating: important References: #1043983 #1048072 #1055265 #1056286 #1056782 #1058754 #1058755 
#1058757 #1062452 #1069607 #1069632 #1073002 #1078782 #1082007 #1082008 #1082009 #1082010 #1082011 #1082014 #1082058 #1087433 #1087434 #1087436 #1087437 #1087440 #1087441 #1112530 #1112532 #1130611 #1130617 #1130620 #1130622 #1130623 #1130627 #1152990 #1152992 #1152994 #1152995 #1171517 #1172275 Cross-References: CVE-2015-9096 CVE-2016-2339 CVE-2016-7798 CVE-2017-0898 CVE-2017-0899 CVE-2017-0900 CVE-2017-0901 CVE-2017-0902 CVE-2017-0903 CVE-2017-10784 CVE-2017-14033 CVE-2017-14064 CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2017-9228 CVE-2017-9229 CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079 CVE-2018-16395 CVE-2018-16396 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2019-15845 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325 CVE-2020-10663 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 42 vulnerabilities is now available. Description: This update for ruby2.1 fixes the following issues: Security issues fixed: - CVE-2015-9096: Fixed an SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command (bsc#1043983). - CVE-2016-7798: Fixed an IV Reuse in GCM Mode (bsc#1055265).
- CVE-2017-0898: Fixed a buffer underrun vulnerability in Kernel.sprintf (bsc#1058755). - CVE-2017-0899: Fixed an issue with malicious gem specifications, insufficient sanitation when printing gem specifications could have included terminal characters (bsc#1056286). - CVE-2017-0900: Fixed an issue with malicious gem specifications, the query command could have led to a denial of service attack against clients (bsc#1056286). - CVE-2017-0901: Fixed an issue with malicious gem specifications, potentially overwriting arbitrary files on the client system (bsc#1056286). - CVE-2017-0902: Fixed an issue with malicious gem specifications, that could have enabled MITM attacks against clients (bsc#1056286). - CVE-2017-0903: Fixed an unsafe object deserialization vulnerability (bsc#1062452). - CVE-2017-9228: Fixed a heap out-of-bounds write in bitset_set_range() during regex compilation (bsc#1069607). - CVE-2017-9229: Fixed an invalid pointer dereference in left_adjust_char_head() in oniguruma (bsc#1069632). - CVE-2017-10784: Fixed an escape sequence injection vulnerability in the Basic authentication of WEBrick (bsc#1058754). - CVE-2017-14033: Fixed a buffer underrun vulnerability in OpenSSL ASN1 decode (bsc#1058757). - CVE-2017-14064: Fixed an arbitrary memory exposure during a JSON.generate call (bsc#1056782). - CVE-2017-17405: Fixed a command injection vulnerability in Net::FTP (bsc#1073002). - CVE-2017-17742: Fixed an HTTP response splitting issue in WEBrick (bsc#1087434). - CVE-2017-17790: Fixed a command injection in lib/resolv.rb:lazy_initialize() (bsc#1078782). - CVE-2018-6914: Fixed an unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441). - CVE-2018-8777: Fixed a potential DoS caused by large requests in WEBrick (bsc#1087436). - CVE-2018-8778: Fixed a buffer under-read in String#unpack (bsc#1087433). 
- CVE-2018-8779: Fixed an unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440). - CVE-2018-8780: Fixed an unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437). - CVE-2018-16395: Fixed an issue with OpenSSL::X509::Name equality checking (bsc#1112530). - CVE-2018-16396: Fixed an issue with tainted string handling, where the flag was not propagated in Array#pack and String#unpack with some directives (bsc#1112532). - CVE-2018-1000073: Fixed a path traversal issue (bsc#1082007). - CVE-2018-1000074: Fixed an unsafe object deserialization vulnerability in gem owner, allowing arbitrary code execution with specially crafted YAML (bsc#1082008). - CVE-2018-1000075: Fixed an infinite loop vulnerability due to a negative size in the tar header, causing denial of service (bsc#1082014). - CVE-2018-1000076: Fixed an improper verification of signatures in tarballs (bsc#1082009). - CVE-2018-1000077: Fixed an improper URL validation in the homepage attribute of ruby gems (bsc#1082010). - CVE-2018-1000078: Fixed an XSS vulnerability in the homepage attribute when displayed via gem server (bsc#1082011). - CVE-2018-1000079: Fixed a path traversal issue during gem installation that allowed writing to arbitrary filesystem locations (bsc#1082058). - CVE-2019-8320: Fixed a directory traversal issue when decompressing tar files (bsc#1130627). - CVE-2019-8321: Fixed an escape sequence injection vulnerability in verbose (bsc#1130623). - CVE-2019-8322: Fixed an escape sequence injection vulnerability in gem owner (bsc#1130622). - CVE-2019-8323: Fixed an escape sequence injection vulnerability in API response handling (bsc#1130620). - CVE-2019-8324: Fixed an issue with malicious gems that may have led to arbitrary code execution (bsc#1130617). - CVE-2019-8325: Fixed an escape sequence injection vulnerability in errors (bsc#1130611). - CVE-2019-15845: Fixed a NUL injection vulnerability in File.fnmatch and File.fnmatch? (bsc#1152994).
- CVE-2019-16201: Fixed a regular expression denial of service vulnerability in WEBrick's digest access authentication (bsc#1152995). - CVE-2019-16254: Fixed an HTTP response splitting vulnerability in WEBrick (bsc#1152992). - CVE-2019-16255: Fixed a code injection vulnerability in Shell#[] and Shell#test (bsc#1152990). - CVE-2020-10663: Fixed an unsafe object creation vulnerability in JSON (bsc#1171517). Non-security issue fixed: - Add conflicts to libruby to make sure ruby and ruby-stdlib are also updated when libruby is updated (bsc#1048072). Also yast2-ruby-bindings on SLES 12 SP2 LTSS was updated to handle the updated ruby interpreter. (bsc#1172275) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1570=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1570=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1570=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1570=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1570=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1570=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1570=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1570=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1570=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1570=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1570=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch 
SUSE-SLE-SERVER-12-SP2-2020-1570=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1570=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1570=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1570=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): libruby2_1-2_1-2.1.9-19.3.2 libruby2_1-2_1-debuginfo-2.1.9-19.3.2 ruby2.1-2.1.9-19.3.2 ruby2.1-debuginfo-2.1.9-19.3.2 ruby2.1-debugsource-2.1.9-19.3.2 ruby2.1-stdlib-2.1.9-19.3.2 ruby2.1-stdlib-debuginfo-2.1.9-19.3.2 - SUSE OpenStack Cloud 8 (x86_64): libruby2_1-2_1-2.1.9-19.3.2 libruby2_1-2_1-debuginfo-2.1.9-19.3.2 ruby2.1-2.1.9-19.3.2 ruby2.1-debuginfo-2.1.9-19.3.2 ruby2.1-debugsource-2.1.9-19.3.2 ruby2.1-stdlib-2.1.9-19.3.2 ruby2.1-stdlib-debuginfo-2.1.9-19.3.2 - SUSE OpenStack Cloud 7 (s390x x86_64): libruby2_1-2_1-2.1.9-19.3.2 libruby2_1-2_1-debuginfo-2.1.9-19.3.2 ruby2.1-2.1.9-19.3.2 ruby2.1-debuginfo-2.1.9-19.3.2 ruby2.1-debugsource-2.1.9-19.3.2 ruby2.1-stdlib-2.1.9-19.3.2 ruby2.1-stdlib-debuginfo-2.1.9-19.3.2 yast2-ruby-bindings-3.1.53-9.8.1 yast2-ruby-bindings-debuginfo-3.1.53-9.8.1 yast2-ruby-bindings-debugsource-3.1.53-9.8.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): ruby2.1-debuginfo-2.1.9-19.3.2 ruby2.1-debugsource-2.1.9-19.3.2 ruby2.1-devel-2.1.9-19.3.2 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): ruby2.1-debuginfo-2.1.9-19.3.2 ruby2.1-debugsource-2.1.9-19.3.2 ruby2.1-devel-2.1.9-19.3.2 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): libruby2_1-2_1-2.1.9-19.3.2 libruby2_1-2_1-debuginfo-2.1.9-19.3.2 ruby2.1-2.1.9-19.3.2 ruby2.1-debuginfo-2.1.9-19.3.2 ruby2.1-debugsource-2.1.9-19.3.2 ruby2.1-stdlib-2.1.9-19.3.2 ruby2.1-stdlib-debuginfo-2.1.9-19.3.2 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): libruby2_1-2_1-2.1.9-19.3.2 libruby2_1-2_1-debuginfo-2.1.9-19.3.2 ruby2.1-2.1.9-19.3.2 
ruby2.1-debuginfo-2.1.9-19.3.2 ruby2.1-debugsource-2.1.9-19.3.2 ruby2.1-stdlib-2.1.9-19.3.2 ruby2.1-stdlib-debuginfo-2.1.9-19.3.2 yast2-ruby-bindings-3.1.53-9.8.1 yast2-ruby-bindings-debuginfo-3.1.53-9.8.1 yast2-ruby-bindings-debugsource-3.1.53-9.8.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libruby2_1-2_1-2.1.9-19.3.2 libruby2_1-2_1-debuginfo-2.1.9-19.3.2 ruby2.1-2.1.9-19.3.2 ruby2.1-debuginfo-2.1.9-19.3.2 ruby2.1-debugsource-2.1.9-19.3.2 ruby2.1-stdlib-2.1.9-19.3.2 ruby2.1-stdlib-debuginfo-2.1.9-19.3.2 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libruby2_1-2_1-2.1.9-19.3.2 libruby2_1-2_1-debuginfo-2.1.9-19.3.2 ruby2.1-2.1.9-19.3.2 ruby2.1-debuginfo-2.1.9-19.3.2 ruby2.1-debugsource-2.1.9-19.3.2 ruby2.1-stdlib-2.1.9-19.3.2 ruby2.1-stdlib-debuginfo-2.1.9-19.3.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): libruby2_1-2_1-2.1.9-19.3.2 libruby2_1-2_1-debuginfo-2.1.9-19.3.2 ruby2.1-2.1.9-19.3.2 ruby2.1-debuginfo-2.1.9-19.3.2 ruby2.1-debugsource-2.1.9-19.3.2 ruby2.1-stdlib-2.1.9-19.3.2 ruby2.1-stdlib-debuginfo-2.1.9-19.3.2 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): libruby2_1-2_1-2.1.9-19.3.2 libruby2_1-2_1-debuginfo-2.1.9-19.3.2 ruby2.1-2.1.9-19.3.2 ruby2.1-debuginfo-2.1.9-19.3.2 ruby2.1-debugsource-2.1.9-19.3.2 ruby2.1-stdlib-2.1.9-19.3.2 ruby2.1-stdlib-debuginfo-2.1.9-19.3.2 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): libruby2_1-2_1-2.1.9-19.3.2 libruby2_1-2_1-debuginfo-2.1.9-19.3.2 ruby2.1-2.1.9-19.3.2 ruby2.1-debuginfo-2.1.9-19.3.2 ruby2.1-debugsource-2.1.9-19.3.2 ruby2.1-stdlib-2.1.9-19.3.2 ruby2.1-stdlib-debuginfo-2.1.9-19.3.2 yast2-ruby-bindings-3.1.53-9.8.1 yast2-ruby-bindings-debuginfo-3.1.53-9.8.1 yast2-ruby-bindings-debugsource-3.1.53-9.8.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): libruby2_1-2_1-2.1.9-19.3.2 libruby2_1-2_1-debuginfo-2.1.9-19.3.2 ruby2.1-2.1.9-19.3.2 ruby2.1-debuginfo-2.1.9-19.3.2 ruby2.1-debugsource-2.1.9-19.3.2 
ruby2.1-stdlib-2.1.9-19.3.2 ruby2.1-stdlib-debuginfo-2.1.9-19.3.2 yast2-ruby-bindings-3.1.53-9.8.1 yast2-ruby-bindings-debuginfo-3.1.53-9.8.1 yast2-ruby-bindings-debugsource-3.1.53-9.8.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): libruby2_1-2_1-2.1.9-19.3.2 libruby2_1-2_1-debuginfo-2.1.9-19.3.2 ruby2.1-2.1.9-19.3.2 ruby2.1-debuginfo-2.1.9-19.3.2 ruby2.1-debugsource-2.1.9-19.3.2 ruby2.1-stdlib-2.1.9-19.3.2 ruby2.1-stdlib-debuginfo-2.1.9-19.3.2 - HPE Helion Openstack 8 (x86_64): libruby2_1-2_1-2.1.9-19.3.2 libruby2_1-2_1-debuginfo-2.1.9-19.3.2 ruby2.1-2.1.9-19.3.2 ruby2.1-debuginfo-2.1.9-19.3.2 ruby2.1-debugsource-2.1.9-19.3.2 ruby2.1-stdlib-2.1.9-19.3.2 ruby2.1-stdlib-debuginfo-2.1.9-19.3.2 References: https://www.suse.com/security/cve/CVE-2015-9096.html https://www.suse.com/security/cve/CVE-2016-2339.html https://www.suse.com/security/cve/CVE-2016-7798.html https://www.suse.com/security/cve/CVE-2017-0898.html https://www.suse.com/security/cve/CVE-2017-0899.html https://www.suse.com/security/cve/CVE-2017-0900.html https://www.suse.com/security/cve/CVE-2017-0901.html https://www.suse.com/security/cve/CVE-2017-0902.html https://www.suse.com/security/cve/CVE-2017-0903.html https://www.suse.com/security/cve/CVE-2017-10784.html https://www.suse.com/security/cve/CVE-2017-14033.html https://www.suse.com/security/cve/CVE-2017-14064.html https://www.suse.com/security/cve/CVE-2017-17405.html https://www.suse.com/security/cve/CVE-2017-17742.html https://www.suse.com/security/cve/CVE-2017-17790.html https://www.suse.com/security/cve/CVE-2017-9228.html https://www.suse.com/security/cve/CVE-2017-9229.html https://www.suse.com/security/cve/CVE-2018-1000073.html https://www.suse.com/security/cve/CVE-2018-1000074.html https://www.suse.com/security/cve/CVE-2018-1000075.html https://www.suse.com/security/cve/CVE-2018-1000076.html https://www.suse.com/security/cve/CVE-2018-1000077.html https://www.suse.com/security/cve/CVE-2018-1000078.html 
https://www.suse.com/security/cve/CVE-2018-1000079.html https://www.suse.com/security/cve/CVE-2018-16395.html https://www.suse.com/security/cve/CVE-2018-16396.html https://www.suse.com/security/cve/CVE-2018-6914.html https://www.suse.com/security/cve/CVE-2018-8777.html https://www.suse.com/security/cve/CVE-2018-8778.html https://www.suse.com/security/cve/CVE-2018-8779.html https://www.suse.com/security/cve/CVE-2018-8780.html https://www.suse.com/security/cve/CVE-2019-15845.html https://www.suse.com/security/cve/CVE-2019-16201.html https://www.suse.com/security/cve/CVE-2019-16254.html https://www.suse.com/security/cve/CVE-2019-16255.html https://www.suse.com/security/cve/CVE-2019-8320.html https://www.suse.com/security/cve/CVE-2019-8321.html https://www.suse.com/security/cve/CVE-2019-8322.html https://www.suse.com/security/cve/CVE-2019-8323.html https://www.suse.com/security/cve/CVE-2019-8324.html https://www.suse.com/security/cve/CVE-2019-8325.html https://www.suse.com/security/cve/CVE-2020-10663.html https://bugzilla.suse.com/1043983 https://bugzilla.suse.com/1048072 https://bugzilla.suse.com/1055265 https://bugzilla.suse.com/1056286 https://bugzilla.suse.com/1056782 https://bugzilla.suse.com/1058754 https://bugzilla.suse.com/1058755 https://bugzilla.suse.com/1058757 https://bugzilla.suse.com/1062452 https://bugzilla.suse.com/1069607 https://bugzilla.suse.com/1069632 https://bugzilla.suse.com/1073002 https://bugzilla.suse.com/1078782 https://bugzilla.suse.com/1082007 https://bugzilla.suse.com/1082008 https://bugzilla.suse.com/1082009 https://bugzilla.suse.com/1082010 https://bugzilla.suse.com/1082011 https://bugzilla.suse.com/1082014 https://bugzilla.suse.com/1082058 https://bugzilla.suse.com/1087433 https://bugzilla.suse.com/1087434 https://bugzilla.suse.com/1087436 https://bugzilla.suse.com/1087437 https://bugzilla.suse.com/1087440 https://bugzilla.suse.com/1087441 https://bugzilla.suse.com/1112530 https://bugzilla.suse.com/1112532 
  https://bugzilla.suse.com/1130611
  https://bugzilla.suse.com/1130617
  https://bugzilla.suse.com/1130620
  https://bugzilla.suse.com/1130622
  https://bugzilla.suse.com/1130623
  https://bugzilla.suse.com/1130627
  https://bugzilla.suse.com/1152990
  https://bugzilla.suse.com/1152992
  https://bugzilla.suse.com/1152994
  https://bugzilla.suse.com/1152995
  https://bugzilla.suse.com/1171517
  https://bugzilla.suse.com/1172275

From sle-updates at lists.suse.com Tue Jun 9 07:25:04 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 9 Jun 2020 15:25:04 +0200 (CEST)
Subject: SUSE-SU-2020:1571-1: important: Security update for java-1_7_0-openjdk
Message-ID: <20200609132504.DE42DF749@maintenance.suse.de>

SUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1571-1
Rating: important
References: #1169511
Cross-References: CVE-2020-2756 CVE-2020-2757 CVE-2020-2773 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2830
Affected Products:
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 8
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Enterprise Storage 5
  HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes 8 vulnerabilities is now available.
Description:

This update for java-1_7_0-openjdk to version 7u261 fixes the following issues:

- CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511)
- CVE-2020-2757: Less Blocking Array Queues (bsc#1169511)
- CVE-2020-2773: Better signatures in XML (bsc#1169511)
- CVE-2020-2781: Improve TLS session handling (bsc#1169511)
- CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511)
- CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511)
- CVE-2020-2805: Enhance typing of methods (bsc#1169511)
- CVE-2020-2830: Better Scanner conversions (bsc#1169511)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1571=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1571=1
- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1571=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1571=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1571=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1571=1
- SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1571=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1571=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1571=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1571=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1571=1
- SUSE Enterprise Storage 5:
  zypper in -t patch SUSE-Storage-5-2020-1571=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2020-1571=1

Package List:

- SUSE
OpenStack Cloud Crowbar 8 (x86_64): java-1_7_0-openjdk-1.7.0.261-43.38.8 java-1_7_0-openjdk-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-debugsource-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-debuginfo-1.7.0.261-43.38.8 - SUSE OpenStack Cloud 8 (x86_64): java-1_7_0-openjdk-1.7.0.261-43.38.8 java-1_7_0-openjdk-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-debugsource-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-debuginfo-1.7.0.261-43.38.8 - SUSE OpenStack Cloud 7 (s390x x86_64): java-1_7_0-openjdk-1.7.0.261-43.38.8 java-1_7_0-openjdk-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-debugsource-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-debuginfo-1.7.0.261-43.38.8 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): java-1_7_0-openjdk-1.7.0.261-43.38.8 java-1_7_0-openjdk-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-debugsource-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-debuginfo-1.7.0.261-43.38.8 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): java-1_7_0-openjdk-1.7.0.261-43.38.8 
java-1_7_0-openjdk-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-debugsource-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-debuginfo-1.7.0.261-43.38.8 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.261-43.38.8 java-1_7_0-openjdk-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-debugsource-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-debuginfo-1.7.0.261-43.38.8 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.261-43.38.8 java-1_7_0-openjdk-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-debugsource-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-debuginfo-1.7.0.261-43.38.8 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.261-43.38.8 java-1_7_0-openjdk-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-debugsource-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-debuginfo-1.7.0.261-43.38.8 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): java-1_7_0-openjdk-1.7.0.261-43.38.8 
java-1_7_0-openjdk-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-debugsource-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-debuginfo-1.7.0.261-43.38.8 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): java-1_7_0-openjdk-1.7.0.261-43.38.8 java-1_7_0-openjdk-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-debugsource-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-debuginfo-1.7.0.261-43.38.8 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): java-1_7_0-openjdk-1.7.0.261-43.38.8 java-1_7_0-openjdk-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-debugsource-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-debuginfo-1.7.0.261-43.38.8 - SUSE Enterprise Storage 5 (aarch64 x86_64): java-1_7_0-openjdk-1.7.0.261-43.38.8 java-1_7_0-openjdk-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-debugsource-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-1.7.0.261-43.38.8 java-1_7_0-openjdk-demo-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-1.7.0.261-43.38.8 java-1_7_0-openjdk-devel-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-1.7.0.261-43.38.8 java-1_7_0-openjdk-headless-debuginfo-1.7.0.261-43.38.8 - HPE Helion Openstack 8 (x86_64): java-1_7_0-openjdk-1.7.0.261-43.38.8 java-1_7_0-openjdk-debuginfo-1.7.0.261-43.38.8 java-1_7_0-openjdk-debugsource-1.7.0.261-43.38.8 
  java-1_7_0-openjdk-demo-1.7.0.261-43.38.8
  java-1_7_0-openjdk-demo-debuginfo-1.7.0.261-43.38.8
  java-1_7_0-openjdk-devel-1.7.0.261-43.38.8
  java-1_7_0-openjdk-devel-debuginfo-1.7.0.261-43.38.8
  java-1_7_0-openjdk-headless-1.7.0.261-43.38.8
  java-1_7_0-openjdk-headless-debuginfo-1.7.0.261-43.38.8

References:

  https://www.suse.com/security/cve/CVE-2020-2756.html
  https://www.suse.com/security/cve/CVE-2020-2757.html
  https://www.suse.com/security/cve/CVE-2020-2773.html
  https://www.suse.com/security/cve/CVE-2020-2781.html
  https://www.suse.com/security/cve/CVE-2020-2800.html
  https://www.suse.com/security/cve/CVE-2020-2803.html
  https://www.suse.com/security/cve/CVE-2020-2805.html
  https://www.suse.com/security/cve/CVE-2020-2830.html
  https://bugzilla.suse.com/1169511

From sle-updates at lists.suse.com Tue Jun 9 07:26:00 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 9 Jun 2020 15:26:00 +0200 (CEST)
Subject: SUSE-SU-2020:1572-1: moderate: Security update for java-11-openjdk
Message-ID: <20200609132600.3D7F4F749@maintenance.suse.de>

SUSE Security Update: Security update for java-11-openjdk
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1572-1
Rating: moderate
References: #1167462 #1169511
Cross-References: CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2767 CVE-2020-2773 CVE-2020-2778 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2816 CVE-2020-2830
Affected Products:
  SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes 13 vulnerabilities is now available.

Description:

This update for java-11-openjdk fixes the following issues:

Java was updated to jdk-11.0.7+10 (April 2020 CPU, bsc#1169511).

Security issues fixed:

- CVE-2020-2754: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
- CVE-2020-2755: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
- CVE-2020-2756: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
- CVE-2020-2757: Fixed an object deserialization issue that could have resulted in denial of service via crafted serialized input (bsc#1169511).
- CVE-2020-2767: Fixed an incorrect handling of certificate messages during TLS handshakes (bsc#1169511).
- CVE-2020-2773: Fixed the incorrect handling of exceptions thrown by unmarshalKeyInfo() and unmarshalXMLSignature() (bsc#1169511).
- CVE-2020-2778: Fixed the incorrect handling of SSLParameters in setAlgorithmConstraints(), which could have been abused to override the defined systems security policy and lead to the use of weak crypto algorithms (bsc#1169511).
- CVE-2020-2781: Fixed the incorrect re-use of single null TLS sessions (bsc#1169511).
- CVE-2020-2800: Fixed an HTTP header injection issue caused by mishandling of CR/LF in header values (bsc#1169511).
- CVE-2020-2803: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511).
- CVE-2020-2805: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511).
- CVE-2020-2816: Fixed an incorrect handling of application data packets during TLS handshakes (bsc#1169511).
- CVE-2020-2830: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1572=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  java-11-openjdk-11.0.7.0-3.9.2
  java-11-openjdk-debuginfo-11.0.7.0-3.9.2
  java-11-openjdk-debugsource-11.0.7.0-3.9.2
  java-11-openjdk-demo-11.0.7.0-3.9.2
  java-11-openjdk-devel-11.0.7.0-3.9.2
  java-11-openjdk-headless-11.0.7.0-3.9.2

References:

  https://www.suse.com/security/cve/CVE-2020-2754.html
  https://www.suse.com/security/cve/CVE-2020-2755.html
  https://www.suse.com/security/cve/CVE-2020-2756.html
  https://www.suse.com/security/cve/CVE-2020-2757.html
  https://www.suse.com/security/cve/CVE-2020-2767.html
  https://www.suse.com/security/cve/CVE-2020-2773.html
  https://www.suse.com/security/cve/CVE-2020-2778.html
  https://www.suse.com/security/cve/CVE-2020-2781.html
  https://www.suse.com/security/cve/CVE-2020-2800.html
  https://www.suse.com/security/cve/CVE-2020-2803.html
  https://www.suse.com/security/cve/CVE-2020-2805.html
  https://www.suse.com/security/cve/CVE-2020-2816.html
  https://www.suse.com/security/cve/CVE-2020-2830.html
  https://bugzilla.suse.com/1167462
  https://bugzilla.suse.com/1169511

From sle-updates at lists.suse.com Tue Jun 9 10:13:21 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 9 Jun 2020 18:13:21 +0200 (CEST)
Subject: SUSE-SU-2020:1576-1: critical: Security update for nodejs8
Message-ID: <20200609161321.A32E8F749@maintenance.suse.de>

SUSE Security Update: Security update for nodejs8
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1576-1
Rating: critical
References: #1166916 #1172442 #1172443
Cross-References: CVE-2020-11080 CVE-2020-7598 CVE-2020-8174
Affected Products:
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise Module for Web Scripting 15-SP2
  SUSE Linux Enterprise Module for Web Scripting 15-SP1
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for nodejs8 fixes the following issues:

- CVE-2020-8174: Fixed multiple memory corruption in napi_get_value_string_*() (bsc#1172443).
- CVE-2020-11080: Fixed a potential denial of service when receiving unreasonably large HTTP/2 SETTINGS frames (bsc#1172442).
- CVE-2020-7598: Fixed an issue which could have tricked minimist into adding or modifying properties of Object.prototype (bsc#1166916).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1576=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1576=1
- SUSE Linux Enterprise Module for Web Scripting 15-SP2:
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP2-2020-1576=1
- SUSE Linux Enterprise Module for Web Scripting 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP1-2020-1576=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1576=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1576=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  nodejs8-8.17.0-3.32.1
  nodejs8-debuginfo-8.17.0-3.32.1
  nodejs8-debugsource-8.17.0-3.32.1
  nodejs8-devel-8.17.0-3.32.1
  npm8-8.17.0-3.32.1
- SUSE Linux Enterprise Server for SAP 15 (noarch):
  nodejs8-docs-8.17.0-3.32.1
- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  nodejs8-8.17.0-3.32.1
  nodejs8-debuginfo-8.17.0-3.32.1
  nodejs8-debugsource-8.17.0-3.32.1
  nodejs8-devel-8.17.0-3.32.1
  npm8-8.17.0-3.32.1
- SUSE Linux Enterprise Server 15-LTSS (noarch):
  nodejs8-docs-8.17.0-3.32.1
- SUSE Linux Enterprise Module for Web Scripting 15-SP2 (aarch64 ppc64le s390x x86_64):
  nodejs8-8.17.0-3.32.1
  nodejs8-debuginfo-8.17.0-3.32.1
  nodejs8-debugsource-8.17.0-3.32.1
  nodejs8-devel-8.17.0-3.32.1
  npm8-8.17.0-3.32.1
- SUSE Linux Enterprise Module for Web Scripting 15-SP2 (noarch):
  nodejs8-docs-8.17.0-3.32.1
- SUSE Linux Enterprise Module for Web Scripting 15-SP1 (aarch64 ppc64le s390x x86_64):
  nodejs8-8.17.0-3.32.1
  nodejs8-debuginfo-8.17.0-3.32.1
  nodejs8-debugsource-8.17.0-3.32.1
  nodejs8-devel-8.17.0-3.32.1
  npm8-8.17.0-3.32.1
- SUSE Linux Enterprise Module for Web Scripting 15-SP1 (noarch):
  nodejs8-docs-8.17.0-3.32.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
  nodejs8-8.17.0-3.32.1
  nodejs8-debuginfo-8.17.0-3.32.1
  nodejs8-debugsource-8.17.0-3.32.1
  nodejs8-devel-8.17.0-3.32.1
  npm8-8.17.0-3.32.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
  nodejs8-docs-8.17.0-3.32.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
  nodejs8-8.17.0-3.32.1
  nodejs8-debuginfo-8.17.0-3.32.1
  nodejs8-debugsource-8.17.0-3.32.1
  nodejs8-devel-8.17.0-3.32.1
  npm8-8.17.0-3.32.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
  nodejs8-docs-8.17.0-3.32.1

References:

  https://www.suse.com/security/cve/CVE-2020-11080.html
  https://www.suse.com/security/cve/CVE-2020-7598.html
  https://www.suse.com/security/cve/CVE-2020-8174.html
  https://bugzilla.suse.com/1166916
  https://bugzilla.suse.com/1172442
  https://bugzilla.suse.com/1172443

From sle-updates at lists.suse.com Tue Jun 9 10:14:28 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 9 Jun 2020 18:14:28 +0200 (CEST)
Subject: SUSE-RU-2019:1915-2: moderate: Recommended update for openslp
Message-ID: <20200609161428.798D7F749@maintenance.suse.de>

SUSE Recommended Update: Recommended update for openslp
______________________________________________________________________________

Announcement ID: SUSE-RU-2019:1915-2
Rating: moderate
References: #1117969 #1136136
Affected Products:
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud 8
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Enterprise Storage 5
  HPE Helion Openstack 8
______________________________________________________________________________

An update that has two recommended fixes can now be installed.

Description:

This update for openslp fixes the following issues:

- Use tcp connects to talk with other directory agents (DAs) (bsc#1117969)
- Fix segfault in predicate match if a registered service has a malformed attribute list (bsc#1136136)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1577=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1577=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1577=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1577=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1577=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1577=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1577=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1577=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1577=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1577=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1577=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): openslp-2.0.0-18.20.2 openslp-32bit-2.0.0-18.20.2 openslp-debuginfo-2.0.0-18.20.2 openslp-debuginfo-32bit-2.0.0-18.20.2 openslp-debugsource-2.0.0-18.20.2 openslp-server-2.0.0-18.20.2 openslp-server-debuginfo-2.0.0-18.20.2 - SUSE OpenStack Cloud 8 (x86_64): openslp-2.0.0-18.20.2 openslp-32bit-2.0.0-18.20.2 openslp-debuginfo-2.0.0-18.20.2 openslp-debuginfo-32bit-2.0.0-18.20.2 openslp-debugsource-2.0.0-18.20.2 openslp-server-2.0.0-18.20.2 openslp-server-debuginfo-2.0.0-18.20.2 - SUSE OpenStack Cloud 7 (s390x x86_64): openslp-2.0.0-18.20.2 openslp-32bit-2.0.0-18.20.2 openslp-debuginfo-2.0.0-18.20.2 openslp-debuginfo-32bit-2.0.0-18.20.2 openslp-debugsource-2.0.0-18.20.2 openslp-server-2.0.0-18.20.2 openslp-server-debuginfo-2.0.0-18.20.2 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): openslp-2.0.0-18.20.2 openslp-debuginfo-2.0.0-18.20.2 
openslp-debugsource-2.0.0-18.20.2 openslp-server-2.0.0-18.20.2 openslp-server-debuginfo-2.0.0-18.20.2 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): openslp-32bit-2.0.0-18.20.2 openslp-debuginfo-32bit-2.0.0-18.20.2 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): openslp-2.0.0-18.20.2 openslp-debuginfo-2.0.0-18.20.2 openslp-debugsource-2.0.0-18.20.2 openslp-server-2.0.0-18.20.2 openslp-server-debuginfo-2.0.0-18.20.2 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): openslp-32bit-2.0.0-18.20.2 openslp-debuginfo-32bit-2.0.0-18.20.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): openslp-2.0.0-18.20.2 openslp-debuginfo-2.0.0-18.20.2 openslp-debugsource-2.0.0-18.20.2 openslp-server-2.0.0-18.20.2 openslp-server-debuginfo-2.0.0-18.20.2 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): openslp-32bit-2.0.0-18.20.2 openslp-debuginfo-32bit-2.0.0-18.20.2 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): openslp-2.0.0-18.20.2 openslp-32bit-2.0.0-18.20.2 openslp-debuginfo-2.0.0-18.20.2 openslp-debuginfo-32bit-2.0.0-18.20.2 openslp-debugsource-2.0.0-18.20.2 openslp-server-2.0.0-18.20.2 openslp-server-debuginfo-2.0.0-18.20.2 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): openslp-2.0.0-18.20.2 openslp-debuginfo-2.0.0-18.20.2 openslp-debugsource-2.0.0-18.20.2 openslp-server-2.0.0-18.20.2 openslp-server-debuginfo-2.0.0-18.20.2 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): openslp-32bit-2.0.0-18.20.2 openslp-debuginfo-32bit-2.0.0-18.20.2 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): openslp-2.0.0-18.20.2 openslp-32bit-2.0.0-18.20.2 openslp-debuginfo-2.0.0-18.20.2 openslp-debuginfo-32bit-2.0.0-18.20.2 openslp-debugsource-2.0.0-18.20.2 openslp-server-2.0.0-18.20.2 openslp-server-debuginfo-2.0.0-18.20.2 - SUSE Enterprise Storage 5 (aarch64 x86_64): openslp-2.0.0-18.20.2 openslp-debuginfo-2.0.0-18.20.2 openslp-debugsource-2.0.0-18.20.2 openslp-server-2.0.0-18.20.2 
  openslp-server-debuginfo-2.0.0-18.20.2
- SUSE Enterprise Storage 5 (x86_64):
  openslp-32bit-2.0.0-18.20.2
  openslp-debuginfo-32bit-2.0.0-18.20.2
- HPE Helion Openstack 8 (x86_64):
  openslp-2.0.0-18.20.2
  openslp-32bit-2.0.0-18.20.2
  openslp-debuginfo-2.0.0-18.20.2
  openslp-debuginfo-32bit-2.0.0-18.20.2
  openslp-debugsource-2.0.0-18.20.2
  openslp-server-2.0.0-18.20.2
  openslp-server-debuginfo-2.0.0-18.20.2

References:

  https://bugzilla.suse.com/1117969
  https://bugzilla.suse.com/1136136

From sle-updates at lists.suse.com Tue Jun 9 10:15:30 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 9 Jun 2020 18:15:30 +0200 (CEST)
Subject: SUSE-SU-2020:1575-1: critical: Security update for nodejs10
Message-ID: <20200609161530.324C6F749@maintenance.suse.de>

SUSE Security Update: Security update for nodejs10
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1575-1
Rating: critical
References: #1166844 #1166916 #1172442 #1172443
Cross-References: CVE-2020-10531 CVE-2020-11080 CVE-2020-7598 CVE-2020-8174
Affected Products:
  SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for nodejs10 fixes the following issues:

nodejs10 was updated to version 10.21.0

- CVE-2020-8174: Fixed multiple memory corruption in napi_get_value_string_*() (bsc#1172443).
- CVE-2020-11080: Fixed a potential denial of service when receiving unreasonably large HTTP/2 SETTINGS frames (bsc#1172442).
- CVE-2020-10531: Fixed an integer overflow in UnicodeString:doAppend() (bsc#1166844).

npm was updated to 6.14.3

- CVE-2020-7598: Fixed an issue which could have tricked minimist into adding or modifying properties of Object.prototype (bsc#1166916).
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-1575=1 Package List: - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): nodejs10-10.21.0-1.24.1 nodejs10-debuginfo-10.21.0-1.24.1 nodejs10-debugsource-10.21.0-1.24.1 nodejs10-devel-10.21.0-1.24.1 npm10-10.21.0-1.24.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): nodejs10-docs-10.21.0-1.24.1 References: https://www.suse.com/security/cve/CVE-2020-10531.html https://www.suse.com/security/cve/CVE-2020-11080.html https://www.suse.com/security/cve/CVE-2020-7598.html https://www.suse.com/security/cve/CVE-2020-8174.html https://bugzilla.suse.com/1166844 https://bugzilla.suse.com/1166916 https://bugzilla.suse.com/1172442 https://bugzilla.suse.com/1172443 From sle-updates at lists.suse.com Tue Jun 9 13:12:46 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 9 Jun 2020 21:12:46 +0200 (CEST) Subject: SUSE-RU-2020:1579-1: important: Recommended update for audit Message-ID: <20200609191246.A4326F749@maintenance.suse.de> SUSE Recommended Update: Recommended update for audit ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1579-1 Rating: important References: #1156159 #1172295 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Python2 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that has two recommended fixes can now be installed. 
Description: This update for audit fixes the following issues: - Fix hang on startup. (bsc#1156159) - Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1579=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1579=1 - SUSE Linux Enterprise Module for Python2 15-SP1: zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-1579=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1579=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1579=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1579=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): audit-2.8.1-5.5.2 audit-audispd-plugins-2.8.1-5.5.2 audit-debugsource-2.8.1-5.5.1 audit-devel-2.8.1-5.5.1 libaudit1-2.8.1-5.5.1 libaudit1-debuginfo-2.8.1-5.5.1 libauparse0-2.8.1-5.5.1 libauparse0-debuginfo-2.8.1-5.5.1 python2-audit-2.8.1-5.5.2 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libaudit1-32bit-2.8.1-5.5.1 libaudit1-32bit-debuginfo-2.8.1-5.5.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): audit-2.8.1-5.5.2 audit-audispd-plugins-2.8.1-5.5.2 audit-debugsource-2.8.1-5.5.1 audit-devel-2.8.1-5.5.1 libaudit1-2.8.1-5.5.1 libaudit1-debuginfo-2.8.1-5.5.1 libauparse0-2.8.1-5.5.1 libauparse0-debuginfo-2.8.1-5.5.1 python2-audit-2.8.1-5.5.2 - SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64): python2-audit-2.8.1-5.5.2 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): 
audit-2.8.1-5.5.2 audit-audispd-plugins-2.8.1-5.5.2 audit-debugsource-2.8.1-5.5.1 audit-devel-2.8.1-5.5.1 libaudit1-2.8.1-5.5.1 libaudit1-debuginfo-2.8.1-5.5.1 libauparse0-2.8.1-5.5.1 libauparse0-debuginfo-2.8.1-5.5.1 python3-audit-2.8.1-5.5.2 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libaudit1-32bit-2.8.1-5.5.1 libaudit1-32bit-debuginfo-2.8.1-5.5.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): audit-2.8.1-5.5.2 audit-audispd-plugins-2.8.1-5.5.2 audit-debugsource-2.8.1-5.5.1 audit-devel-2.8.1-5.5.1 libaudit1-2.8.1-5.5.1 libaudit1-debuginfo-2.8.1-5.5.1 libauparse0-2.8.1-5.5.1 libauparse0-debuginfo-2.8.1-5.5.1 python2-audit-2.8.1-5.5.2 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libaudit1-32bit-2.8.1-5.5.1 libaudit1-32bit-debuginfo-2.8.1-5.5.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): audit-2.8.1-5.5.2 audit-audispd-plugins-2.8.1-5.5.2 audit-debugsource-2.8.1-5.5.1 audit-devel-2.8.1-5.5.1 libaudit1-2.8.1-5.5.1 libaudit1-debuginfo-2.8.1-5.5.1 libauparse0-2.8.1-5.5.1 libauparse0-debuginfo-2.8.1-5.5.1 python2-audit-2.8.1-5.5.2 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libaudit1-32bit-2.8.1-5.5.1 libaudit1-32bit-debuginfo-2.8.1-5.5.1 References: https://bugzilla.suse.com/1156159 https://bugzilla.suse.com/1172295 From sle-updates at lists.suse.com Tue Jun 9 16:13:29 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 10 Jun 2020 00:13:29 +0200 (CEST) Subject: SUSE-SU-2020:1584-1: important: Security update for gnutls Message-ID: <20200609221329.70582FD07@maintenance.suse.de> SUSE Security Update: Security update for gnutls ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1584-1 Rating: important References: #1172461 #1172506 Cross-References: CVE-2020-13777 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 
15-LTSS SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for gnutls fixes the following issues: - CVE-2020-13777: Fixed an insecure session ticket key construction which could have made the TLS server not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing an attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (bsc#1172506). - Fixed an improper handling of certificate chain with cross-signed intermediate CA certificates (bsc#1172461). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1584=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1584=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1584=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1584=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1584=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1584=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): gnutls-3.6.7-6.29.1 gnutls-debuginfo-3.6.7-6.29.1 gnutls-debugsource-3.6.7-6.29.1 libgnutls-devel-3.6.7-6.29.1 libgnutls30-3.6.7-6.29.1 libgnutls30-debuginfo-3.6.7-6.29.1 libgnutls30-hmac-3.6.7-6.29.1 libgnutlsxx-devel-3.6.7-6.29.1 libgnutlsxx28-3.6.7-6.29.1 libgnutlsxx28-debuginfo-3.6.7-6.29.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libgnutls30-32bit-3.6.7-6.29.1 libgnutls30-32bit-debuginfo-3.6.7-6.29.1 libgnutls30-hmac-32bit-3.6.7-6.29.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): gnutls-3.6.7-6.29.1 gnutls-debuginfo-3.6.7-6.29.1 gnutls-debugsource-3.6.7-6.29.1 libgnutls-devel-3.6.7-6.29.1 libgnutls30-3.6.7-6.29.1 libgnutls30-debuginfo-3.6.7-6.29.1 libgnutls30-hmac-3.6.7-6.29.1 libgnutlsxx-devel-3.6.7-6.29.1 libgnutlsxx28-3.6.7-6.29.1 libgnutlsxx28-debuginfo-3.6.7-6.29.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): gnutls-3.6.7-6.29.1 gnutls-debuginfo-3.6.7-6.29.1 gnutls-debugsource-3.6.7-6.29.1 libgnutls-devel-3.6.7-6.29.1 libgnutls30-3.6.7-6.29.1 libgnutls30-debuginfo-3.6.7-6.29.1 libgnutls30-hmac-3.6.7-6.29.1 libgnutlsxx-devel-3.6.7-6.29.1 libgnutlsxx28-3.6.7-6.29.1 libgnutlsxx28-debuginfo-3.6.7-6.29.1 - 
SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): libgnutls30-32bit-3.6.7-6.29.1 libgnutls30-32bit-debuginfo-3.6.7-6.29.1 libgnutls30-hmac-32bit-3.6.7-6.29.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): gnutls-3.6.7-6.29.1 gnutls-debuginfo-3.6.7-6.29.1 gnutls-debugsource-3.6.7-6.29.1 libgnutls-devel-3.6.7-6.29.1 libgnutls30-3.6.7-6.29.1 libgnutls30-debuginfo-3.6.7-6.29.1 libgnutls30-hmac-3.6.7-6.29.1 libgnutlsxx-devel-3.6.7-6.29.1 libgnutlsxx28-3.6.7-6.29.1 libgnutlsxx28-debuginfo-3.6.7-6.29.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libgnutls30-32bit-3.6.7-6.29.1 libgnutls30-32bit-debuginfo-3.6.7-6.29.1 libgnutls30-hmac-32bit-3.6.7-6.29.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): gnutls-3.6.7-6.29.1 gnutls-debuginfo-3.6.7-6.29.1 gnutls-debugsource-3.6.7-6.29.1 libgnutls-devel-3.6.7-6.29.1 libgnutls30-3.6.7-6.29.1 libgnutls30-debuginfo-3.6.7-6.29.1 libgnutls30-hmac-3.6.7-6.29.1 libgnutlsxx-devel-3.6.7-6.29.1 libgnutlsxx28-3.6.7-6.29.1 libgnutlsxx28-debuginfo-3.6.7-6.29.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libgnutls30-32bit-3.6.7-6.29.1 libgnutls30-32bit-debuginfo-3.6.7-6.29.1 libgnutls30-hmac-32bit-3.6.7-6.29.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): gnutls-3.6.7-6.29.1 gnutls-debuginfo-3.6.7-6.29.1 gnutls-debugsource-3.6.7-6.29.1 libgnutls-devel-3.6.7-6.29.1 libgnutls30-3.6.7-6.29.1 libgnutls30-debuginfo-3.6.7-6.29.1 libgnutls30-hmac-3.6.7-6.29.1 libgnutlsxx-devel-3.6.7-6.29.1 libgnutlsxx28-3.6.7-6.29.1 libgnutlsxx28-debuginfo-3.6.7-6.29.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libgnutls30-32bit-3.6.7-6.29.1 libgnutls30-32bit-debuginfo-3.6.7-6.29.1 libgnutls30-hmac-32bit-3.6.7-6.29.1 References: https://www.suse.com/security/cve/CVE-2020-13777.html https://bugzilla.suse.com/1172461 https://bugzilla.suse.com/1172506 From sle-updates at lists.suse.com Tue Jun 
9 16:14:31 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 10 Jun 2020 00:14:31 +0200 (CEST) Subject: SUSE-SU-2020:14391-1: important: Security update for java-1_7_0-ibm Message-ID: <20200609221431.24572FD07@maintenance.suse.de> SUSE Security Update: Security update for java-1_7_0-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14391-1 Rating: important References: #1169511 #1172277 Cross-References: CVE-2020-2654 CVE-2020-2756 CVE-2020-2757 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2830 Affected Products: SUSE Linux Enterprise Point of Sale 11-SP3 ______________________________________________________________________________ An update that fixes 8 vulnerabilities is now available. Description: This update for java-1_7_0-ibm fixes the following issues: java-1_7_1-ibm was updated to Java 7.1 Service Refresh 4 Fix Pack 65 (bsc#1172277 and bsc#1169511) - CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service - CVE-2020-2756: Improved mapping of serial ENUMs - CVE-2020-2757: Less Blocking Array Queues - CVE-2020-2781: Improved TLS session handling - CVE-2020-2800: Improved Headings for HTTP Servers - CVE-2020-2803: Enhanced buffering of byte buffers - CVE-2020-2805: Enhanced typing of methods - CVE-2020-2830: Improved Scanner conversions Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-java-1_7_0-ibm-14391=1 Package List: - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): java-1_7_0-ibm-1.7.0_sr10.65-65.51.1 java-1_7_0-ibm-alsa-1.7.0_sr10.65-65.51.1 java-1_7_0-ibm-devel-1.7.0_sr10.65-65.51.1 java-1_7_0-ibm-jdbc-1.7.0_sr10.65-65.51.1 java-1_7_0-ibm-plugin-1.7.0_sr10.65-65.51.1 References: https://www.suse.com/security/cve/CVE-2020-2654.html https://www.suse.com/security/cve/CVE-2020-2756.html https://www.suse.com/security/cve/CVE-2020-2757.html https://www.suse.com/security/cve/CVE-2020-2781.html https://www.suse.com/security/cve/CVE-2020-2800.html https://www.suse.com/security/cve/CVE-2020-2803.html https://www.suse.com/security/cve/CVE-2020-2805.html https://www.suse.com/security/cve/CVE-2020-2830.html https://bugzilla.suse.com/1169511 https://bugzilla.suse.com/1172277 From sle-updates at lists.suse.com Tue Jun 9 16:15:34 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 10 Jun 2020 00:15:34 +0200 (CEST) Subject: SUSE-SU-2020:1587-1: important: Security update for the Linux Kernel Message-ID: <20200609221534.40A85FD07@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1587-1 Rating: important References: #1051510 #1058115 #1065729 #1071995 #1082555 #1083647 #1089895 #1103990 #1103991 #1103992 #1104745 #1109837 #1111666 #1112178 #1112374 #1113956 #1114279 #1124278 #1127354 #1127355 #1127371 #1133021 #1141558 #1142685 #1144333 #1151794 #1152489 #1154824 #1157169 #1158265 #1160388 #1160947 #1164780 #1164871 #1165183 #1165478 #1165741 #1166969 #1166978 #1167574 #1167851 #1167867 #1168332 #1168503 #1168670 #1168789 #1169005 #1169020 #1169514 #1169525 #1169762 #1170056 #1170125 #1170145 #1170284 #1170345 #1170457 #1170522 #1170592 #1170617 
#1170618 #1170620 #1170621 #1170770 #1170778 #1170791 #1170901 #1171078 #1171098 #1171118 #1171189 #1171191 #1171195 #1171202 #1171205 #1171214 #1171217 #1171218 #1171219 #1171220 #1171244 #1171293 #1171417 #1171527 #1171599 #1171600 #1171601 #1171602 #1171604 #1171605 #1171606 #1171607 #1171608 #1171609 #1171610 #1171611 #1171612 #1171613 #1171614 #1171615 #1171616 #1171617 #1171618 #1171619 #1171620 #1171621 #1171622 #1171623 #1171624 #1171625 #1171626 #1171662 #1171679 #1171691 #1171692 #1171694 #1171695 #1171736 #1171761 #1171817 #1171948 #1171949 #1171951 #1171952 #1171979 #1171982 #1171983 #1172017 #1172096 #1172097 #1172098 #1172099 #1172101 #1172102 #1172103 #1172104 #1172127 #1172130 #1172185 #1172188 #1172199 #1172201 #1172202 #1172218 #1172221 #1172249 #1172251 #1172253 #1172317 #1172342 #1172343 #1172344 #1172366 #1172378 #1172391 #1172397 #1172453 Cross-References: CVE-2018-1000199 CVE-2019-19462 CVE-2019-20806 CVE-2019-20812 CVE-2019-9455 CVE-2020-0543 CVE-2020-10690 CVE-2020-10711 CVE-2020-10720 CVE-2020-10732 CVE-2020-10751 CVE-2020-10757 CVE-2020-12114 CVE-2020-12464 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 CVE-2020-12655 CVE-2020-12656 CVE-2020-12657 CVE-2020-12659 CVE-2020-12768 CVE-2020-12769 CVE-2020-13143 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that solves 24 vulnerabilities and has 133 fixes is now available. Description: The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824). 
- CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982). - CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983). - CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736). - CVE-2020-12659: Fixed an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) due to improper headroom validation (bsc#1171214). - CVE-2020-12657: Fixed a use-after-free in block/bfq-iosched.c (bsc#1171205). - CVE-2020-12656: Fixed an improper handling of certain domain_release calls which could have led to a memory leak (bsc#1171219). - CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217). - CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202). - CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195). - CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218). - CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901). - CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098). - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317). - CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189). 
- CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220). - CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778). - CVE-2020-10711: Fixed a null pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191). - CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056). - CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345). - CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453). - CVE-2019-20806: Fixed a null pointer dereference which may have led to denial of service (bsc#1172199). - CVE-2019-19462: Fixed an issue which could have allowed a local user to cause a denial of service (bsc#1158265). - CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895). The following non-security bugs were fixed: - ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe() (bsc#1051510). - ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() (bsc#1051510). - acpi/x86: ignore unspecified bit positions in the ACPI global lock field (bsc#1051510). - Add br_netfilter to kernel-default-base (bsc#1169020) - Add commit for git-fix that's not a fix This commit cleans up debug code but does not fix anything, and it relies on a new kernel function that isn't yet in this version of SLE. - agp/intel: Reinforce the barrier after GTT updates (bsc#1051510). - ALSA: ctxfi: Remove unnecessary cast in kfree (bsc#1051510). - ALSA: doc: Document PC Beep Hidden Register on Realtek ALC256 (bsc#1051510). - ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666). - ALSA: hda: Add driver blacklist (bsc#1051510). 
- ALSA: hda: Always use jackpoll helper for jack update after resume (bsc#1051510). - ALSA: hda: call runtime_allow() for all hda controllers (bsc#1051510). - ALSA: hda: Do not release card at firmware loading error (bsc#1051510). - ALSA: hda: Explicitly permit using autosuspend if runtime PM is supported (bsc#1051510). - ALSA: hda/hdmi: fix race in monitor detection during probe (bsc#1051510). - ALSA: hda/hdmi: fix without unlocked before return (bsc#1051510). - ALSA: hda: Honor PM disablement in PM freeze and thaw_noirq ops (bsc#1051510). - ALSA: hda: Keep the controller initialization even if no codecs found (bsc#1051510). - ALSA: hda: Match both PCI ID and SSID for driver blacklist (bsc#1111666). - ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround (bsc#1172017). - ALSA: hda/realtek - Add COEF workaround for ASUS ZenBook UX431DA (git-fixes). - ALSA: hda/realtek - Add HP new mute led supported for ALC236 (git-fixes). - ALSA: hda/realtek - Add more fixup entries for Clevo machines (git-fixes). - ALSA: hda/realtek - Add new codec supported for ALC245 (bsc#1051510). - ALSA: hda/realtek - Add new codec supported for ALC287 (git-fixes). - ALSA: hda/realtek: Add quirk for Samsung Notebook (git-fixes). - ALSA: hda/realtek - Add supported new mute Led for HP (git-fixes). - ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295 (git-fixes). - ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295 (git-fixes). - ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295 (git-fixes). - ALSA: hda/realtek - Enable the headset mic on Asus FX505DT (bsc#1051510). - ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse (git-fixes). - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme (bsc#1111666). - ALSA: hda/realtek - Fix unexpected init_amp override (bsc#1051510). - ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 (git-fixes bsc#1171293). 
- ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter (bsc#1051510). - ALSA: hda: Release resources at error in delayed probe (bsc#1051510). - ALSA: hda: Remove ASUS ROG Zenith from the blacklist (bsc#1051510). - ALSA: hda: Skip controller resume if not needed (bsc#1051510). - ALSA: hwdep: fix a left shifting 1 by 31 UB bug (git-fixes). - ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option (git-fixes). - ALSA: opti9xx: shut up gcc-10 range warning (bsc#1051510). - ALSA: pcm: fix incorrect hw_base increase (git-fixes). - ALSA: pcm: oss: Place the plugin buffer overflow checks correctly (bsc#1170522). - ALSA: rawmidi: Fix racy buffer resize under concurrent accesses (git-fixes). - ALSA: usb-audio: Add connector notifier delegation (bsc#1051510). - ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset (git-fixes). - ALSA: usb-audio: add mapping for ASRock TRX40 Creator (git-fixes). - ALSA: usb-audio: Add mixer workaround for TRX40 and co (bsc#1051510). - ALSA: usb-audio: Add quirk for Focusrite Scarlett 2i2 (bsc#1051510). - ALSA: usb-audio: Add static mapping table for ALC1220-VB-based mobos (bsc#1051510). - ALSA: usb-audio: Apply async workaround for Scarlett 2i4 2nd gen (bsc#1051510). - ALSA: usb-audio: Check mapping at creating connector controls, too (bsc#1051510). - ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID (bsc#1051510). - ALSA: usb-audio: Do not create jack controls for PCM terminals (bsc#1051510). - ALSA: usb-audio: Do not override ignore_ctl_error value from the map (bsc#1051510). - ALSA: usb-audio: Filter error from connector kctl ops, too (bsc#1051510). - ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif (bsc#1051510). - ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC (git-fixes). - ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio (git-fixes). - ALSA: usx2y: Fix potential NULL dereference (bsc#1051510). 
- ASoC: codecs: hdac_hdmi: Fix incorrect use of list_for_each_entry (bsc#1051510). - ASoC: dapm: connect virtual mux with default value (bsc#1051510). - ASoC: dapm: fixup dapm kcontrol widget (bsc#1051510). - ASoC: dpcm: allow start or stop during pause for backend (bsc#1051510). - ASoC: fix regwmask (bsc#1051510). - ASoC: msm8916-wcd-digital: Reset RX interpolation path after use (bsc#1051510). - ASoC: samsung: Prevent clk_get_rate() calls in atomic context (bsc#1111666). - ASoC: topology: Check return value of pcm_new_ver (bsc#1051510). - ASoC: topology: use name_prefix for new kcontrol (bsc#1051510). - b43legacy: Fix case where channel status is corrupted (bsc#1051510). - batman-adv: fix batadv_nc_random_weight_tq (git-fixes). - batman-adv: Fix refcnt leak in batadv_show_throughput_override (git-fixes). - batman-adv: Fix refcnt leak in batadv_store_throughput_override (git-fixes). - batman-adv: Fix refcnt leak in batadv_v_ogm_process (git-fixes). - bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (git fixes (block drivers)). - bcache: fix incorrect data type usage in btree_flush_write() (git fixes (block drivers)). - bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (git fixes (block drivers)). - blk-mq: honor IO scheduler for multiqueue devices (bsc#1165478). - blk-mq: simplify blk_mq_make_request() (bsc#1165478). - block/drbd: delete invalid function drbd_md_mark_dirty_ (bsc#1171527). - block: drbd: remove a stray unlock in __drbd_send_protocol() (bsc#1171599). - block: fix busy device checking in blk_drop_partitions again (bsc#1171948). - block: fix busy device checking in blk_drop_partitions (bsc#1171948). - block: fix memleak of bio integrity data (git fixes (block drivers)). - block: remove the bd_openers checks in blk_drop_partitions (bsc#1171948). - bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets() (networking-stable-20_03_28). - bnxt_en: Reduce BNXT_MSIX_VEC_MAX value to supported CQs per PF (bsc#1104745). 
- bnxt_en: reinitialize IRQs when MTU is modified (networking-stable-20_03_14). - bnxt_en: Return error if bnxt_alloc_ctx_mem() fails (bsc#1104745 ). - bnxt_en: Return error when allocating zero size context memory (bsc#1104745). - bonding/alb: make sure arp header is pulled before accessing it (networking-stable-20_03_14). - bpf: Fix sk_psock refcnt leak when receiving message (bsc#1083647). - bpf: Forbid XADD on spilled pointers for unprivileged users (bsc#1083647). - brcmfmac: abort and release host after error (bsc#1051510). - btrfs: fix deadlock with memory reclaim during scrub (bsc#1172127). - btrfs: fix log context list corruption after rename whiteout error (bsc#1172342). - btrfs: fix partial loss of prealloc extent past i_size after fsync (bsc#1172343). - btrfs: move the dio_sem higher up the callchain (bsc#1171761). - btrfs: relocation: add error injection points for cancelling balance (bsc#1171417). - btrfs: relocation: Check cancel request after each data page read (bsc#1171417). - btrfs: relocation: Check cancel request after each extent found (bsc#1171417). - btrfs: relocation: Clear the DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417). - btrfs: relocation: Fix reloc root leakage and the NULL pointer reference caused by the leakage (bsc#1171417). - btrfs: relocation: Work around dead relocation stage loop (bsc#1171417). - btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366). - btrfs: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366). - btrfs: setup a nofs context for memory allocation at btrfs_create_tree() (bsc#1172127). - btrfs: setup a nofs context for memory allocation at __btrfs_set_acl (bsc#1172127). - btrfs: use nofs context when initializing security xattrs to avoid deadlock (bsc#1172127). - can: add missing attribute validation for termination (networking-stable-20_03_14). 
- cdc-acm: close race betrween suspend() and acm_softint (git-fixes). - cdc-acm: introduce a cool down (git-fixes). - ceph: check if file lock exists before sending unlock request (bsc#1168789). - ceph: demote quotarealm lookup warning to a debug message (bsc#1171692). - ceph: fix double unlock in handle_cap_export() (bsc#1171694). - ceph: fix double unlock in handle_cap_export() (bsc#1171694). - ceph: fix endianness bug when handling MDS session feature bits (bsc#1171695). - ceph: fix endianness bug when handling MDS session feature bits (bsc#1171695). - cgroup, netclassid: periodically release file_lock on classid updating (networking-stable-20_03_14). - CIFS: Allocate crypto structures on the fly for calculating signatures of incoming packets (bsc#1144333). - CIFS: Allocate encryption header through kmalloc (bsc#1144333). - CIFS: allow unlock flock and OFD lock across fork (bsc#1144333). - CIFS: check new file size when extending file by fallocate (bsc#1144333). - CIFS: cifspdu.h: Replace zero-length array with flexible-array member (bsc#1144333). - CIFS: clear PF_MEMALLOC before exiting demultiplex thread (bsc#1144333). - CIFS: do not share tcons with DFS (bsc#1144333). - CIFS: dump the session id and keys also for SMB2 sessions (bsc#1144333). - CIFS: ensure correct super block for DFS reconnect (bsc#1144333). - CIFS: Fix bug which the return value by asynchronous read is error (bsc#1144333). - CIFS: fix uninitialised lease_key in open_shroot() (bsc#1144333). - CIFS: improve read performance for page size 64KB & cache=strict & vers=2.1+ (bsc#1144333). - CIFS: Increment num_remote_opens stats counter even in case of smb2_query_dir_first (bsc#1144333). - CIFS: minor update to comments around the cifs_tcp_ses_lock mutex (bsc#1144333). - CIFS: protect updating server->dstaddr with a spinlock (bsc#1144333). - CIFS: smb2pdu.h: Replace zero-length array with flexible-array member (bsc#1144333). 
- CIFS: smbd: Calculate the correct maximum packet size for segmented SMBDirect send/receive (bsc#1144333). - CIFS: smbd: Check and extend sender credits in interrupt context (bsc#1144333). - CIFS: smbd: Check send queue size before posting a send (bsc#1144333). - CIFS: smbd: Do not schedule work to send immediate packet on every receive (bsc#1144333). - CIFS: smbd: Merge code to track pending packets (bsc#1144333). - CIFS: smbd: Properly process errors on ib_post_send (bsc#1144333). - CIFS: smbd: Update receive credits before sending and deal with credits roll back on failure before sending (bsc#1144333). - CIFS: Warn less noisily on default mount (bsc#1144333). - clk: Add clk_hw_unregister_composite helper function definition (bsc#1051510). - clk: imx6ull: use OSC clock during AXI rate change (bsc#1051510). - clk: imx: make mux parent strings const (bsc#1051510). - clk: mediatek: correct the clocks for MT2701 HDMI PHY module (bsc#1051510). - clk: sunxi-ng: a64: Fix gate bit of DSI DPHY (bsc#1051510). - clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620). - clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620, bsc#1170621). - clocksource: dw_apb_timer_of: Fix missing clockevent timers (bsc#1051510). - component: Silence bind error on -EPROBE_DEFER (bsc#1051510). - coresight: do not use the BIT() macro in the UAPI header (git fixes (block drivers)). - cpufreq: s3c64xx: Remove pointless NULL check in s3c64xx_cpufreq_driver_init (bsc#1051510). - crypto: ccp - AES CFB mode is a stream cipher (git-fixes). - crypto: ccp - Change a message to reflect status instead of failure (bsc#1172218). - crypto: ccp - Clean up and exit correctly on allocation failure (git-fixes). - crypto: ccp - Cleanup misc_dev on sev_exit() (bsc#1114279). - crypto: ccp - Cleanup sp_dev_master in psp_dev_destroy() (bsc#1114279). - cxgb4: fix MPS index overwrite when setting MAC address (bsc#1127355). 
- cxgb4: fix Txq restart check during backpressure (bsc#1127354 bsc#1127371).
- debugfs: Add debugfs_create_xul() for hexadecimal unsigned long (git-fixes).
- debugfs_lookup(): switch to lookup_one_len_unlocked() (bsc#1171979).
- devlink: fix return value after hitting end in region read (bsc#1109837).
- devlink: validate length of param values (bsc#1109837).
- devlink: validate length of region addr/len (bsc#1109837).
- dmaengine: dmatest: Fix iteration non-stop logic (bsc#1051510).
- dm mpath: switch paths in dm_blk_ioctl() code path (bsc#1167574).
- dm-raid1: fix invalid return value from dm_mirror (bsc#1172378).
- dm writecache: fix data corruption when reloading the target (git fixes (block drivers)).
- dm writecache: fix incorrect flush sequence when doing SSD mode commit (git fixes (block drivers)).
- dm writecache: verify watermark during resume (git fixes (block drivers)).
- dm zoned: fix invalid memory access (git fixes (block drivers)).
- dm zoned: reduce overhead of backing device checks (git fixes (block drivers)).
- dm zoned: remove duplicate nr_rnd_zones increase in dmz_init_zone() (git fixes (block drivers)).
- dm zoned: support zone sizes smaller than 128MiB (git fixes (block drivers)).
- dp83640: reverse arguments to list_add_tail (git-fixes).
- drivers: hv: Add a module description line to the hv_vmbus driver (bsc#1172249, bsc#1172251).
- drivers: hv: Add a module description line to the hv_vmbus driver (bsc#1172253).
- drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170618).
- drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170618).
- drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618).
- drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170618).
- drivers/net/ibmvnic: Update VNIC protocol version reporting (bsc#1065729).
- drivers: w1: add hwmon support structures (jsc#SLE-11048).
- drivers: w1: add hwmon temp support for w1_therm (jsc#SLE-11048).
- drivers: w1: refactor w1_slave_show to make the temp reading functionality separate (jsc#SLE-11048).
- drm: amd/acp: fix broken menu structure (bsc#1114279)
  * context changes
- drm/amdgpu: Correctly initialize thermal controller for GPUs with Powerplay table v0 (e.g Hawaii) (bsc#1111666).
- drm/amdgpu: Fix oops when pp_funcs is unset in ACPI event (bsc#1111666).
- drm/amd/powerplay: force the trim of the mclk dpm_levels if OD is (bsc#1113956)
- drm/atomic: Take the atomic toys away from X (bsc#1112178)
  * context changes
- drm/crc: Actually allow to change the crc source (bsc#1114279)
  * offset changes
- drm/dp_mst: Fix clearing payload state on topology disable (bsc#1051510).
- drm/dp_mst: Reformat drm_dp_check_act_status() a bit (bsc#1051510).
- drm/edid: Fix off-by-one in DispID DTD pixel clock (bsc#1114279)
- drm/etnaviv: fix perfmon domain interation (bsc#1113956)
- drm/etnaviv: rework perfmon query infrastructure (bsc#1112178)
- drm/i915: Apply Wa_1406680159:icl,ehl as an engine workaround (bsc#1112178)
  * rename gt/intel_workarounds.c to intel_workarounds.c
  * context changes
- drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of (bsc#1114279)
- drm/i915: HDCP: fix Ri prime check done during link check (bsc#1112178)
  * rename display/intel_hdmi.c to intel_hdmi.c
  * context changes
- drm/i915: properly sanity check batch_start_offset (bsc#1114279)
  * renamed display/intel_fbc.c -> intel_fb.c
  * renamed gt/intel_rc6.c -> intel_pm.c
  * context changes
- drm/meson: Delete an error message in meson_dw_hdmi_bind() (bsc#1051510).
- drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem (bsc#1114279)
- drm/qxl: qxl_release leak in qxl_draw_dirty_fb() (bsc#1051510).
- drm/qxl: qxl_release leak in qxl_hw_surface_alloc() (bsc#1051510).
- drm/qxl: qxl_release use after free (bsc#1051510).
- drm: Remove PageReserved manipulation from drm_pci_alloc (bsc#1114279)
  * offset changes
- drm/sun4i: dsi: Allow binding the host without a panel (bsc#1113956)
- drm/sun4i: dsi: Avoid hotplug race with DRM driver bind (bsc#1113956)
- drm/sun4i: dsi: Remove incorrect use of runtime PM (bsc#1113956)
  * context changes
- drm/sun4i: dsi: Remove unused drv from driver context (bsc#1113956)
  * context changes
  * keep include of sun4i_drv.h
- dump_stack: avoid the livelock of the dump_lock (git fixes (block drivers)).
- EDAC/amd64: Add family ops for Family 19h Models 00h-0Fh (jsc#SLE-11833).
- EDAC/amd64: Drop some family checks for newer systems (jsc#SLE-11833).
- EDAC/mce_amd: Always load on SMCA systems (jsc#SLE-11833).
- EDAC/mce_amd: Make fam_ops static global (jsc#SLE-11833).
- EDAC, sb_edac: Add support for systems with segmented PCI buses (bsc#1169525).
- ext4: do not zeroout extents beyond i_disksize (bsc#1167851).
- ext4: fix extent_status fragmentation for plain files (bsc#1171949).
- ext4: use non-movable memory for superblock readahead (bsc#1171952).
- fanotify: fix merging marks masks with FAN_ONDIR (bsc#1171679).
- fbcon: fix null-ptr-deref in fbcon_switch (bsc#1114279)
  * rename drivers/video/fbdev/core to drivers/video/console
  * context changes
- fib: add missing attribute validation for tun_id (networking-stable-20_03_14).
- firmware: qcom: scm: fix compilation error when disabled (bsc#1051510).
- Fix a backport bug, where btrfs_put_root() -> btrfs_put_fs_root() modification is not needed due to missing dependency
- fs/cifs: fix gcc warning in sid_to_id (bsc#1144333).
- fs/seq_file.c: simplify seq_file iteration code and interface (bsc#1170125).
- gpio: tegra: mask GPIO IRQs during IRQ shutdown (bsc#1051510).
- gre: fix uninit-value in __iptunnel_pull_header (networking-stable-20_03_14).
- HID: hid-input: clear unmapped usages (git-fixes).
- HID: hyperv: Add a module description line (bsc#1172249, bsc#1172251).
- HID: hyperv: Add a module description line (bsc#1172253).
- HID: i2c-hid: add Trekstor Primebook C11B to descriptor override (git-fixes).
- HID: i2c-hid: override HID descriptors for certain devices (git-fixes).
- HID: multitouch: add eGalaxTouch P80H84 support (bsc#1051510).
- HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices (git-fixes).
- hrtimer: Annotate lockless access to timer->state (git fixes (block drivers)).
- hsr: add restart routine into hsr_get_node_list() (networking-stable-20_03_28).
- hsr: check protocol version in hsr_newlink() (networking-stable-20_04_17).
- hsr: fix general protection fault in hsr_addr_is_self() (networking-stable-20_03_28).
- hsr: set .netnsok flag (networking-stable-20_03_28).
- hsr: use rcu_read_lock() in hsr_get_node_{list/status}() (networking-stable-20_03_28).
- i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present (git-fixes).
- i2c: acpi: put device when verifying client fails (git-fixes).
- i2c: brcmstb: remove unused struct member (git-fixes).
- i2c: core: Allow empty id_table in ACPI case as well (git-fixes).
- i2c: core: decrease reference count of device node in i2c_unregister_device (git-fixes).
- i2c: dev: Fix the race between the release of i2c_dev and cdev (bsc#1051510).
- i2c: fix missing pm_runtime_put_sync in i2c_device_probe (git-fixes).
- i2c-hid: properly terminate i2c_hid_dmi_desc_override_table array (git-fixes).
- i2c: i801: Do not add ICH_RES_IO_SMI for the iTCO_wdt device (git-fixes).
- i2c: iproc: Stop advertising support of SMBUS quick cmd (git-fixes).
- i2c: isch: Remove unnecessary acpi.h include (git-fixes).
- i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' (bsc#1051510).
- i2c: st: fix missing struct parameter description (bsc#1051510).
- IB/ipoib: Add child to parent list only if device initialized (bsc#1168503).
- IB/ipoib: Consolidate checking of the proposed child interface (bsc#1168503).
- IB/ipoib: Do not remove child devices from within the ndo_uninit (bsc#1168503).
- IB/ipoib: Get rid of IPOIB_FLAG_GOING_DOWN (bsc#1168503).
- IB/ipoib: Get rid of the sysfs_mutex (bsc#1168503).
- IB/ipoib: Maintain the child_intfs list from ndo_init/uninit (bsc#1168503).
- IB/ipoib: Move all uninit code into ndo_uninit (bsc#1168503).
- IB/ipoib: Move init code to ndo_init (bsc#1168503).
- IB/ipoib: Replace printk with pr_warn (bsc#1168503).
- IB/ipoib: Use cancel_delayed_work_sync for neigh-clean task (bsc#1168503).
- IB/ipoib: Warn when one port fails to initialize (bsc#1168503).
- IB/mlx5: Fix missing congestion control debugfs on rep rdma device (bsc#1103991).
- ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239).
- iio:ad7797: Use correct attribute_group (bsc#1051510).
- iio: adc: stm32-adc: fix device used to request dma (bsc#1051510).
- iio: adc: stm32-adc: fix sleep in atomic context (git-fixes).
- iio: adc: stm32-adc: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1051510).
- iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' (bsc#1051510).
- iio: sca3000: Remove an erroneous 'get_device()' (bsc#1051510).
- iio: xilinx-xadc: Fix ADC-B powerdown (bsc#1051510).
- iio: xilinx-xadc: Fix clearing interrupt when enabling trigger (bsc#1051510).
- iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode (bsc#1051510).
- ima: Fix return value of ima_write_policy() (git-fixes).
- Input: evdev - call input_flush_device() on release(), not flush() (bsc#1051510).
- Input: hyperv-keyboard - add module description (bsc#1172249, bsc#1172251).
- Input: hyperv-keyboard - add module description (bsc#1172253).
- Input: i8042 - add Acer Aspire 5738z to nomux list (bsc#1051510).
- Input: i8042 - add ThinkPad S230u to i8042 reset list (bsc#1051510).
- Input: raydium_i2c_ts - use true and false for boolean values (bsc#1051510).
- Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() (bsc#1051510).
- Input: synaptics-rmi4 - really fix attn_data use-after-free (git-fixes).
- Input: usbtouchscreen - add support for BonXeon TP (bsc#1051510).
- Input: xpad - add custom init packet for Xbox One S controllers (bsc#1051510).
- iommu/amd: Call domain_flush_complete() in update_domain() (bsc#1172096).
- iommu/amd: Do not flush Device Table in iommu_map_page() (bsc#1172097).
- iommu/amd: Do not loop forever when trying to increase address space (bsc#1172098).
- iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system (bsc#1172099).
- iommu/amd: Fix over-read of ACPI UID from IVRS table (bsc#1172101).
- iommu/amd: Fix race in increase_address_space()/fetch_pte() (bsc#1172102).
- iommu/amd: Update Device Table in increase_address_space() (bsc#1172103).
- iommu: Fix reference count leak in iommu_group_alloc (bsc#1172397).
- ip6_tunnel: Allow rcv/xmit even if remote address is a local address (bsc#1166978).
- ipmi: fix hung processes in __get_guid() (git-fixes).
- ipv4: fix a RCU-list lock in fib_triestat_seq_show (networking-stable-20_04_02).
- ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface (networking-stable-20_03_14).
- ipv6: do not auto-add link-local address to lag ports (networking-stable-20_04_09).
- ipv6: fix IPV6_ADDRFORM operation logic (bsc#1171662).
- ipv6: Fix nlmsg_flags when splitting a multipath route (networking-stable-20_03_01).
- ipv6: fix restrict IPV6_ADDRFORM operation (bsc#1171662).
- ipv6: Fix route replacement with dev-only route (networking-stable-20_03_01).
- ipvlan: add cond_resched_rcu() while processing muticast backlog (networking-stable-20_03_14).
- ipvlan: do not deref eth hdr before checking it's set (networking-stable-20_03_14).
- ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast() (networking-stable-20_03_14).
- iwlwifi: pcie: actually release queue memory in TVQM (bsc#1051510).
- ixgbe: do not check firmware errors (bsc#1170284).
- kabi fix for early XHCI debug (git-fixes).
- kabi for for md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes).
- kabi, protect struct ib_device (bsc#1168503).
- kabi/severities: Do not track KVM internal symbols.
- kabi/severities: Ingnore get_dev_data() The function is internal to the AMD IOMMU driver and must not be called by any third party.
- kabi workaround for snd_rawmidi buffer_ref field addition (git-fixes).
- KEYS: reaching the keys quotas correctly (bsc#1051510).
- KVM: arm64: Change hyp_panic()s dependency on tpidr_el2 (bsc#1133021).
- KVM: arm64: Stop save/restoring host tpidr_el1 on VHE (bsc#1133021).
- KVM: Check validity of resolved slot when searching memslots (bsc#1172104).
- KVM: s390: vsie: Fix delivery of addressing exceptions (git-fixes).
- KVM: s390: vsie: Fix possible race when shadowing region 3 tables (git-fixes).
- KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks (git-fixes).
- KVM: SVM: Fix potential memory leak in svm_cpu_init() (bsc#1171736).
- KVM x86: Extend AMD specific guest behavior to Hygon virtual CPUs (bsc#1152489).
- l2tp: Allow management of tunnels and session in user namespace (networking-stable-20_04_17).
- libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() (bsc#1051510).
- libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set (bsc#1051510).
- lib: raid6: fix awk build warnings (git fixes (block drivers)).
- lib/raid6/test: fix build on distros whose /bin/sh is not bash (git fixes (block drivers)).
- lib/stackdepot.c: fix global out-of-bounds in stack_slabs (git fixes (block drivers)).
- locks: print unsigned ino in /proc/locks (bsc#1171951).
- mac80211: add ieee80211_is_any_nullfunc() (bsc#1051510).
- mac80211_hwsim: Use kstrndup() in place of kasprintf() (bsc#1051510).
- mac80211: mesh: fix discovery timer re-arming issue / crash (bsc#1051510).
- macsec: avoid to set wrong mtu (bsc#1051510).
- macsec: restrict to ethernet devices (networking-stable-20_03_28).
- macvlan: add cond_resched() during multicast processing (networking-stable-20_03_14).
- macvlan: fix null dereference in macvlan_device_event() (bsc#1051510).
- make some Fujitsu systems run (bsc#1141558).
- md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes).
- md/raid0: Fix an error message in raid0_make_request() (git fixes (block drivers)).
- md/raid10: prevent access of uninitialized resync_pages offset (git-fixes).
- media: dvb: return -EREMOTEIO on i2c transfer failure (bsc#1051510).
- media: platform: fcp: Set appropriate DMA parameters (bsc#1051510).
- media: ti-vpe: cal: fix disable_irqs to only the intended target (git-fixes).
- mei: release me_cl object reference (bsc#1051510).
- mlxsw: Fix some IS_ERR() vs NULL bugs (networking-stable-20_04_27).
- mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE (networking-stable-20_04_09).
- mlxsw: spectrum_mr: Fix list iteration in error path (bsc#1112374).
- mmc: atmel-mci: Fix debugfs on 64-bit platforms (git-fixes).
- mmc: core: Check request type before completing the request (git-fixes).
- mmc: core: Fix recursive locking issue in CQE recovery path (git-fixes).
- mmc: cqhci: Avoid false "cqhci: CQE stuck on" by not open-coding timeout loop (git-fixes).
- mmc: dw_mmc: Fix debugfs on 64-bit platforms (git-fixes).
- mmc: meson-gx: make sure the descriptor is stopped on errors (git-fixes).
- mmc: meson-gx: simplify interrupt handler (git-fixes).
- mmc: renesas_sdhi: limit block count to 16 bit for old revisions (git-fixes).
- mmc: sdhci-esdhc-imx: fix the mask for tuning start point (bsc#1051510).
- mmc: sdhci-msm: Clear tuning done flag while hs400 tuning (bsc#1051510).
- mmc: sdhci-of-at91: fix memleak on clk_get failure (git-fixes).
- mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers (bsc#1051510).
- mmc: sdhci-xenon: fix annoying 1.8V regulator warning (bsc#1051510).
- mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card() (bsc#1051510).
- mmc: tmio: fix access width of Block Count Register (git-fixes).
- mm: limit boost_watermark on small zones (git fixes (mm/pgalloc)).
- mm: thp: handle page cache THP correctly in PageTransCompoundMap (git fixes (block drivers)).
- mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer (bsc#1051510).
- mtd: spi-nor: cadence-quadspi: add a delay in write sequence (git-fixes).
- mtd: spi-nor: enable 4B opcodes for mx66l51235l (git-fixes).
- mtd: spi-nor: fsl-quadspi: Do not let -EINVAL on the bus (git-fixes).
- mwifiex: avoid -Wstringop-overflow warning (bsc#1051510).
- mwifiex: Fix memory corruption in dump_station (bsc#1051510).
- net: bcmgenet: correct per TX/RX ring statistics (networking-stable-20_04_27).
- net: dsa: b53: Fix ARL register definitions (networking-stable-20_04_27).
- net: dsa: b53: Rework ARL bin logic (networking-stable-20_04_27).
- net: dsa: bcm_sf2: Do not register slave MDIO bus with OF (networking-stable-20_04_09).
- net: dsa: bcm_sf2: Ensure correct sub-node is parsed (networking-stable-20_04_09).
- net: dsa: bcm_sf2: Fix overflow checks (git-fixes).
- net: dsa: Fix duplicate frames flooded by learning (networking-stable-20_03_28).
- net: dsa: mv88e6xxx: fix lockup on warm boot (networking-stable-20_03_14).
- net/ethernet: add Google GVE driver (jsc#SLE-10538)
- net: fec: add phy_reset_after_clk_enable() support (git-fixes).
- net: fec: validate the new settings in fec_enet_set_coalesce() (networking-stable-20_03_14).
- net: fib_rules: Correctly set table field when table number exceeds 8 bits (networking-stable-20_03_01).
- net: fix race condition in __inet_lookup_established() (bsc#1151794).
- net: fq: add missing attribute validation for orphan mask (networking-stable-20_03_14).
- net: hns3: fix "tc qdisc del" failed issue (bsc#1109837).
- net, ip_tunnel: fix interface lookup with no key (networking-stable-20_04_02).
- net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin (networking-stable-20_04_17).
- net: ipv6: do not consider routes via gateways for anycast address check (networking-stable-20_04_17).
- netlink: Use netlink header as base to calculate bad attribute offset (networking-stable-20_03_14).
- net: macsec: update SCI upon MAC address change (networking-stable-20_03_14).
- net: memcg: fix lockdep splat in inet_csk_accept() (networking-stable-20_03_14).
- net: memcg: late association of sock to memcg (networking-stable-20_03_14).
- net/mlx4_en: avoid indirect call in TX completion (networking-stable-20_04_27).
- net/mlx5: Add new fields to Port Type and Speed register (bsc#1171118).
- net/mlx5: Add new fields to Port Type and Speed register (bsc#1171118).
- net/mlx5: Add RoCE RX ICRC encapsulated counter (bsc#1171118).
- net/mlx5e: Fix ethtool self test: link speed (bsc#1171118).
- net/mlx5e: Move port speed code from en_ethtool.c to en/port.c (bsc#1171118).
- net/mlx5: Expose link speed directly (bsc#1171118).
- net/mlx5: Expose link speed directly (bsc#1171118).
- net/mlx5: Expose port speed when possible (bsc#1171118).
- net/mlx5: Expose port speed when possible (bsc#1171118).
- net/mlx5: Fix failing fw tracer allocation on s390 (bsc#1103990).
- net: mvneta: Fix the case where the last poll did not process all rx (networking-stable-20_03_28).
- net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node (networking-stable-20_04_27).
- net/packet: tpacket_rcv: do not increment ring index on drop (networking-stable-20_03_14).
- net: phy: restore mdio regs in the iproc mdio driver (networking-stable-20_03_01).
- net: qmi_wwan: add support for ASKEY WWHC050 (networking-stable-20_03_28).
- net: revert default NAPI poll timeout to 2 jiffies (networking-stable-20_04_17).
- net_sched: cls_route: remove the right filter from hashtable (networking-stable-20_03_28).
- net_sched: sch_skbprio: add message validation to skbprio_change() (bsc#1109837).
- net/x25: Fix x25_neigh refcnt leak when receiving frame (networking-stable-20_04_27).
- nfc: add missing attribute validation for SE API (networking-stable-20_03_14).
- nfc: add missing attribute validation for vendor subcommand (networking-stable-20_03_14).
- nfc: pn544: Fix occasional HW initialization failure (networking-stable-20_03_01).
- nfc: st21nfca: add missed kfree_skb() in an error path (bsc#1051510).
- nfp: abm: fix a memory leak bug (bsc#1109837).
- nfsd4: fix up replay_matches_cache() (git-fixes).
- nfsd: Ensure CLONE persists data and metadata changes to the target file (git-fixes).
- nfsd: fix delay timer on 32-bit architectures (git-fixes).
- nfsd: fix jiffies/time_t mixup in LRU list (git-fixes).
- nfs: Directory page cache pages need to be locked when read (git-fixes).
- nfsd: memory corruption in nfsd4_lock() (git-fixes).
- nfs: Do not call generic_error_remove_page() while holding locks (bsc#1170457).
- nfs: Fix memory leaks and corruption in readdir (git-fixes).
- nfs: Fix O_DIRECT accounting of number of bytes read/written (git-fixes).
- nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl (git-fixes).
- nfs: fix racey wait in nfs_set_open_stateid_locked (bsc#1170592).
- nfs/flexfiles: Use the correct TCP timeout for flexfiles I/O (git-fixes).
- nfs/pnfs: Fix pnfs_generic_prepare_to_resend_writes() (git-fixes).
- nfs: Revalidate the file size on a fatal write error (git-fixes).
- NFSv4.0: nfs4_do_fsinfo() should not do implicit lease renewals (git-fixes).
- NFSv4: Do not allow a cached open with a revoked delegation (git-fixes).
- NFSv4: Fix leak of clp->cl_acceptor string (git-fixes).
- NFSv4/pnfs: Return valid stateids in nfs_layout_find_inode_by_stateid() (git-fixes).
- NFSv4: try lease recovery on NFS4ERR_EXPIRED (git-fixes).
- NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn (git-fixes).
- nl802154: add missing attribute validation for dev_type (networking-stable-20_03_14).
- nl802154: add missing attribute validation (networking-stable-20_03_14).
- nvme-fc: print proper nvme-fc devloss_tmo value (bsc#1172391).
- objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514).
- objtool: Fix switch table detection in .text.unlikely (bsc#1169514).
- objtool: Make BP scratch register warning more robust (bsc#1169514).
- padata: Remove broken queue flushing (git-fixes).
- Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()" (git fixes (block drivers)).
- PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2 (bsc#1172201, bsc#1172202).
- PCI: hv: Decouple the func definition in hv_dr_state from VSP message (bsc#1172201, bsc#1172202).
- PCI: sanity test on PCI vendor to be sure we do not touch everything (bsc#1141558).
- perf/x86/amd: Add support for Large Increment per Cycle Events (jsc#SLE-11831).
- perf/x86/amd: Constrain Large Increment per Cycle events (jsc#SLE-11831).
- pinctrl: baytrail: Enable pin configuration setting for GPIO chip (git-fixes).
- pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler (git-fixes).
- pinctrl: sunrisepoint: Fix PAD lock register offset for SPT-H (git-fixes).
- platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA (bsc#1051510).
- pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors (git-fixes).
- powerpc: Add attributes for setjmp/longjmp (bsc#1065729).
- powerpc/pci/of: Parse unassigned resources (bsc#1065729).
- powerpc/setup_64: Set cache-line-size based on cache-block-size (bsc#1065729).
- powerpc/sstep: Fix DS operand in ld encoding to appropriate value (bsc#1065729).
- qede: Fix race between rdma destroy workqueue and link change event (networking-stable-20_03_01).
- r8152: check disconnect status after long sleep (networking-stable-20_03_14).
- raid6/ppc: Fix build for clang (git fixes (block drivers)).
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).
- rcu: locking and unlocking need to always be at least barriers (git fixes (block drivers)).
- RDMA/ipoib: Fix use of sizeof() (bsc#1168503).
- RDMA/netdev: Fix netlink support in IPoIB (bsc#1168503).
- RDMA/netdev: Hoist alloc_netdev_mqs out of the driver (bsc#1168503).
- RDMA/netdev: Use priv_destructor for netdev cleanup (bsc#1168503).
- Revert "ALSA: hda/realtek: Fix pop noise on ALC225" (git-fixes).
- Revert "drm/panel: simple: Add support for Sharp LQ150X1LG11 panels" (bsc#1114279)
  * offset changes
- Revert "HID: i2c-hid: add Trekstor Primebook C11B to descriptor override" Depends on 9b5c747685982d22efffeafc5ec601bd28f6d78b, which was also reverted.
- Revert "HID: i2c-hid: override HID descriptors for certain devices" This broke i2c-hid.ko's build, there is no way around it without a big file rename or renaming the kernel module.
- Revert "i2c-hid: properly terminate i2c_hid_dmi_desc_override_table" Fixed 9b5c747685982d22efffeafc5ec601bd28f6d78b, which was also reverted.
- Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" (bsc#1172221).
- Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow" (bsc#1103992).
- rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() (bsc#1051510).
- s390/cio: avoid duplicated 'ADD' uevents (git-fixes).
- s390/cio: generate delayed uevent for vfio-ccw subchannels (git-fixes).
- s390/cpuinfo: fix wrong output when CPU0 is offline (git-fixes).
- s390/cpum_cf: Add new extended counters for IBM z15 (bsc#1169762 LTC#185291).
- s390/diag: fix display of diagnose call statistics (git-fixes).
- s390/ftrace: fix potential crashes when switching tracers (git-fixes).
- s390/gmap: return proper error code on ksm unsharing (git-fixes).
- s390/ism: fix error return code in ism_probe() (git-fixes).
- s390/ism: fix error return code in ism_probe() (git-fixes).
- s390/pci: do not set affinity for floating irqs (git-fixes).
- s390/pci: Fix possible deadlock in recover_store() (bsc#1165183 LTC#184103).
- s390/pci: Recover handle in clp_set_pci_fn() (bsc#1165183 LTC#184103).
- s390/qeth: cancel RX reclaim work earlier (git-fixes).
- s390/qeth: do not return -ENOTSUPP to userspace (git-fixes).
- s390/qeth: do not warn for napi with 0 budget (git-fixes).
- s390/qeth: fix off-by-one in RX copybreak check (git-fixes).
- s390/qeth: fix promiscuous mode after reset (git-fixes).
- s390/qeth: fix qdio teardown after early init error (git-fixes).
- s390/qeth: handle error due to unsupported transport mode (git-fixes).
- s390/qeth: handle error when backing RX buffer (git-fixes).
- s390/qeth: lock the card while changing its hsuid (git-fixes).
- s390/qeth: support net namespaces for L3 devices (git-fixes).
- s390/time: Fix clk type in get_tod_clock (git-fixes).
- scripts/decodecode: fix trapping instruction formatting (bsc#1065729).
- scripts/dtc: Remove redundant YYLOC global declaration (bsc#1160388).
- scsi: bnx2i: fix potential use after free (bsc#1171600).
- scsi: core: Handle drivers which set sg_tablesize to zero (bsc#1171601) This commit also required: > scsi: core: avoid preallocating big SGL for data
- scsi: core: save/restore command resid for error handling (bsc#1171602).
- scsi: core: scsi_trace: Use get_unaligned_be*() (bsc#1171604).
- scsi: core: try to get module before removing device (bsc#1171605).
- scsi: csiostor: Adjust indentation in csio_device_reset (bsc#1171606).
- scsi: csiostor: Do not enable IRQs too early (bsc#1171607).
- scsi: esas2r: unlock on error in esas2r_nvram_read_direct() (bsc#1171608).
- scsi: fnic: fix invalid stack access (bsc#1171609).
- scsi: fnic: fix msix interrupt allocation (bsc#1171610).
- scsi: ibmvscsi: Fix WARN_ON during event pool release (bsc#1170791 ltc#185128).
- scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func (bsc#1171611).
- scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1171612).
- scsi: iscsi: qla4xxx: fix double free in probe (bsc#1171613).
- scsi: lpfc: Change default queue allocation for reduced memory consumption (bsc#1164780).
- scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences (bsc#1171614).
- scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1171615).
- scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event (bsc#1164780).
- scsi: lpfc: Fix MDS Diagnostic Enablement definition (bsc#1164780).
- scsi: lpfc: Fix negation of else clause in lpfc_prep_node_fc4type (bsc#1164780).
- scsi: lpfc: Fix noderef and address space warnings (bsc#1164780).
- scsi: lpfc: Maintain atomic consistency of queue_claimed flag (bsc#1164780).
- scsi: lpfc: remove duplicate unloading checks (bsc#1164780).
- scsi: lpfc: Remove re-binding of nvme rport during registration (bsc#1164780).
- scsi: lpfc: Remove redundant initialization to variable rc (bsc#1164780).
- scsi: lpfc: Remove unnecessary lockdep_assert_held calls (bsc#1164780).
- scsi: lpfc: Update lpfc version to 12.8.0.1 (bsc#1164780).
- scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state (bsc#1171616).
- scsi: qla2xxx: add ring buffer for tracing debug logs (bsc#1157169).
- scsi: qla2xxx: check UNLOADING before posting async work (bsc#1157169).
- scsi: qla2xxx: Delete all sessions before unregister local nvme port (bsc#1157169).
- scsi: qla2xxx: Do not log message when reading port speed via sysfs (bsc#1157169).
- scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV (bsc#1157169).
- scsi: qla2xxx: Fix regression warnings (bsc#1157169).
- scsi: qla2xxx: Remove non functional code (bsc#1157169).
- scsi: qla2xxx: set UNLOADING before waiting for session deletion (bsc#1157169).
- scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free (bsc#1171617).
- scsi: qla4xxx: fix double free bug (bsc#1171618).
- scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI (bsc#1171619).
- scsi: sg: add sg_remove_request in sg_common_write (bsc#1171620).
- scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) (bsc#1171621).
- scsi: ufs: change msleep to usleep_range (bsc#1171622).
- scsi: ufs: Clean up ufshcd_scale_clks() and clock scaling error out path (bsc#1171623).
- scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic (bsc#1171624).
- scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails (bsc#1171625).
- scsi: ufs: Recheck bkops level if bkops is disabled (bsc#1171626).
- scsi: zfcp: fix missing erp_lock in port recovery trigger for point-to-point (git-fixes).
- sctp: fix possibly using a bad saddr with a given dst (networking-stable-20_04_02).
- sctp: fix refcount bug in sctp_wfree (networking-stable-20_04_02).
- sctp: move the format error check out of __sctp_sf_do_9_1_abort (networking-stable-20_03_01).
- selftests/powerpc: Fix build errors in powerpc ptrace selftests (boo#1124278).
- Separate one more kABI fixup from the functional change:
- seq_file: fix problem when seeking mid-record (bsc#1170125).
- serial: uartps: Move the spinlock after the read of the tx empty (git-fixes).
- sfc: detach from cb_page in efx_copy_channel() (networking-stable-20_03_14).
- signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig (bsc#1172185).
- slcan: not call free_netdev before rtnl_unlock in slcan_open (networking-stable-20_03_28).
- slip: make slhc_compress() more robust against malicious packets (networking-stable-20_03_14).
- smb3: Additional compression structures (bsc#1144333).
- smb3: Add new compression flags (bsc#1144333).
- smb3: change noisy error message to FYI (bsc#1144333).
- smb3: enable swap on SMB3 mounts (bsc#1144333).
- smb3: Minor cleanup of protocol definitions (bsc#1144333).
- smb3: remove overly noisy debug line in signing errors (bsc#1144333).
- smb3: smbdirect support can be configured by default (bsc#1144333).
- smb3: use SMB2_SIGNATURE_SIZE define (bsc#1144333).
- spi: bcm2835: Fix 3-wire mode if DMA is enabled (git-fixes).
- spi: bcm63xx-hsspi: Really keep pll clk enabled (bsc#1051510).
- spi: bcm-qspi: when tx/rx buffer is NULL set to 0 (bsc#1051510).
- spi: dw: Add SPI Rx-done wait method to DMA-based transfer (bsc#1051510).
- spi: dw: Add SPI Tx-done wait method to DMA-based transfer (bsc#1051510).
- spi: dw: Zero DMA Tx and Rx configurations on stack (bsc#1051510).
- spi: fsl: do not map irq during probe (git-fixes).
- spi: fsl: use platform_get_irq() instead of of_irq_to_resource() (git-fixes).
- spi: pxa2xx: Add CS control clock quirk (bsc#1051510).
- spi: qup: call spi_qup_pm_resume_runtime before suspending (bsc#1051510).
- spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion (git-fixes).
- spi: spi-s3c64xx: Fix system resume support (git-fixes).
- spi/zynqmp: remove entry that causes a cs glitch (bsc#1051510).
- staging: comedi: dt2815: fix writing hi byte of analog output (bsc#1051510).
- staging: comedi: Fix comedi_device refcnt leak in comedi_open (bsc#1051510).
- staging: iio: ad2s1210: Fix SPI reading (bsc#1051510).
- staging: vt6656: Do not set RCR_MULTICAST or RCR_BROADCAST by default (git-fixes).
- staging: vt6656: Fix drivers TBTT timing counter (git-fixes).
- staging: vt6656: Fix pairwise key entry save (git-fixes).
- SUNRPC: expiry_time should be seconds not timeval (git-fixes).
- SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()' (git-fixes).
- supported.conf: Add br_netfilter to base (bsc#1169020).
- supported.conf: support w1 core and thermometer support
- svcrdma: Fix double svc_rdma_send_ctxt_put() in an error path (bsc#1103992).
- svcrdma: Fix leak of transport addresses (git-fixes).
- svcrdma: Fix trace point use-after-free race (bsc#1103992).
- taskstats: fix data-race (bsc#1172188).
- tcp: cache line align MAX_TCP_HEADER (networking-stable-20_04_27).
- tcp: repair: fix TCP_QUEUE_SEQ implementation (networking-stable-20_03_28). - team: add missing attribute validation for array index (networking-stable-20_03_14). - team: add missing attribute validation for port ifindex (networking-stable-20_03_14). - team: fix hang in team_mode_get() (networking-stable-20_04_27). - tools lib traceevent: Remove unneeded qsort and uses memmove instead (git-fixes). - tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() (bsc#1065729). - tpm/tpm_tis: Free IRQ if probing fails (bsc#1082555). - tpm/tpm_tis: Free IRQ if probing fails (git-fixes). - tracing: Add a vmalloc_sync_mappings() for safe measure (git-fixes). - tracing: Disable trace_printk() on post poned tests (git-fixes). - tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation (git-fixes). - tty: rocket, avoid OOB access (git-fixes). - tun: Do not put_page() for all negative return values from XDP program (bsc#1109837). - UAS: fix deadlock in error handling and PM flushing work (git-fixes). - UAS: no use logging any details in case of ENODEV (git-fixes). - Update config files: Build w1 bus on arm64 (jsc#SLE-11048) - USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE (git-fixes). - USB: cdc-acm: restore capability check order (git-fixes). - USB: core: Fix misleading driver bug report (bsc#1051510). - USB: dwc3: do not set gadget->is_otg flag (git-fixes). - USB: dwc3: gadget: Do link recovery for SS and SSP (git-fixes). - USB: early: Handle AMD's spec-compliant identifiers, too (git-fixes). - USB: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset() (git-fixes). - USB: gadget: audio: Fix a missing error return value in audio_bind() (git-fixes). - USB: gadget: composite: Inform controller driver of self-powered (git-fixes). - USB: gadget: legacy: fix error return code in cdc_bind() (git-fixes). - USB: gadget: legacy: fix error return code in gncm_bind() (git-fixes). 
- USB: gadget: legacy: fix redundant initialization warnings (bsc#1051510). - USB: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' (git-fixes). - USB: gadget: udc: atmel: Fix vbus disconnect handling (git-fixes). - USB: gadget: udc: atmel: Make some symbols static (git-fixes). - USB: gadget: udc: bdc: Remove unnecessary NULL checks in bdc_req_complete (git-fixes). - USB: host: xhci-plat: keep runtime active when removing host (git-fixes). - USB: hub: Fix handling of connect changes during sleep (git-fixes). - usbnet: silence an unnecessary warning (bsc#1170770). - USB: serial: garmin_gps: add sanity checking for data length (git-fixes). - USB: serial: option: add BroadMobi BM806U (git-fixes). - USB: serial: option: add support for ASKEY WWHC050 (git-fixes). - USB: serial: option: add Wistron Neweb D19Q1 (git-fixes). - USB: serial: qcserial: Add DW5816e support (git-fixes). - USB: sisusbvga: Change port variable from signed to unsigned (git-fixes). - usb-storage: Add unusual_devs entry for JMicron JMS566 (git-fixes). - USB: uas: add quirk for LaCie 2Big Quadra (git-fixes). - USB: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list (git-fixes). - video: fbdev: sis: Remove unnecessary parentheses and commented code (bsc#1114279) - video: fbdev: w100fb: Fix a potential double free (bsc#1051510). - vrf: Check skb for XFRM_TRANSFORMED flag (networking-stable-20_04_27). - vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines (git-fixes). - vt: selection, introduce vc_is_sel (git-fixes). - vt: vt_ioctl: fix race in VT_RESIZEX (git-fixes). - vt: vt_ioctl: fix use-after-free in vt_in_use() (git-fixes). - vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console (git-fixes). - vxlan: check return value of gro_cells_init() (networking-stable-20_03_28). - w1: Add subsystem kernel public interface (jsc#SLE-11048). - w1: Fix slave count on 1-Wire bus (resend) (jsc#SLE-11048). 
- w1: keep balance of mutex locks and refcnts (jsc#SLE-11048). - w1: use put_device() if device_register() fail (jsc#SLE-11048). - watchdog: reset last_hw_keepalive time at start (git-fixes). - wcn36xx: Fix error handling path in 'wcn36xx_probe()' (bsc#1051510). - wil6210: remove reset file from debugfs (git-fixes). - wimax/i2400m: Fix potential urb refcnt leak (bsc#1051510). - workqueue: do not use wq_select_unbound_cpu() for bound works (bsc#1172130). - x86/amd_nb: Add Family 19h PCI IDs (jsc#SLE-11834). - x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115). - x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115). - x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115). - x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115). - x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170620). - x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170621, bsc#1170620). - x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170617, bsc#1170618). - x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170618). - x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170618). - x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170618). - x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170618). - x86:Hyper-V: report value of misc_features (git fixes). - x86:Hyper-V: report value of misc_features (git-fixes). - x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170617, bsc#1170618). 
- x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170618). - x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170617, bsc#1170618). - x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170618). - x86/kprobes: Avoid kretprobe recursion bug (bsc#1114279). - x86/MCE/AMD: Add a KABI workaround for enum smca_bank_types (jsc#SLE-11833). - x86/MCE/AMD, EDAC/mce_amd: Add new Load Store unit McaType (jsc#SLE-11833). - x86/microcode/AMD: Increase microcode PATCH_MAX_SIZE (bsc#1169005). - x86/resctrl: Fix invalid attempt at removing the default resource group (git-fixes). - x86/resctrl: Preserve CDP enable over CPU hotplug (bsc#1114279). - x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115). - x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115). - x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115). - x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115). - x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115). - x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115). - x86/xen: fix booting 32-bit pv guest (bsc#1071995). - x86/xen: Make the boot CPU idle task reliable (bsc#1071995). - x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995). - xen/pci: reserve MCFG areas earlier (bsc#1170145). - xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish (networking-stable-20_04_27). - xfs: clear PF_MEMALLOC before exiting xfsaild thread (git-fixes). - xfs: Correctly invert xfs_buftarg LRU isolation logic (git-fixes). - xfs: do not ever return a stale pointer from __xfs_dir3_free_read (git-fixes). - xprtrdma: Fix completion wait during device removal (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1587=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (x86_64): kernel-azure-4.12.14-16.16.1 kernel-azure-base-4.12.14-16.16.1 kernel-azure-base-debuginfo-4.12.14-16.16.1 kernel-azure-debuginfo-4.12.14-16.16.1 kernel-azure-debugsource-4.12.14-16.16.1 kernel-azure-devel-4.12.14-16.16.1 kernel-syms-azure-4.12.14-16.16.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): kernel-devel-azure-4.12.14-16.16.1 kernel-source-azure-4.12.14-16.16.1 References: https://www.suse.com/security/cve/CVE-2018-1000199.html https://www.suse.com/security/cve/CVE-2019-19462.html https://www.suse.com/security/cve/CVE-2019-20806.html https://www.suse.com/security/cve/CVE-2019-20812.html https://www.suse.com/security/cve/CVE-2019-9455.html https://www.suse.com/security/cve/CVE-2020-0543.html https://www.suse.com/security/cve/CVE-2020-10690.html https://www.suse.com/security/cve/CVE-2020-10711.html https://www.suse.com/security/cve/CVE-2020-10720.html https://www.suse.com/security/cve/CVE-2020-10732.html https://www.suse.com/security/cve/CVE-2020-10751.html https://www.suse.com/security/cve/CVE-2020-10757.html https://www.suse.com/security/cve/CVE-2020-12114.html https://www.suse.com/security/cve/CVE-2020-12464.html https://www.suse.com/security/cve/CVE-2020-12652.html https://www.suse.com/security/cve/CVE-2020-12653.html https://www.suse.com/security/cve/CVE-2020-12654.html https://www.suse.com/security/cve/CVE-2020-12655.html https://www.suse.com/security/cve/CVE-2020-12656.html https://www.suse.com/security/cve/CVE-2020-12657.html https://www.suse.com/security/cve/CVE-2020-12659.html https://www.suse.com/security/cve/CVE-2020-12768.html https://www.suse.com/security/cve/CVE-2020-12769.html https://www.suse.com/security/cve/CVE-2020-13143.html https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1058115 
https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1082555 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1089895 https://bugzilla.suse.com/1103990 https://bugzilla.suse.com/1103991 https://bugzilla.suse.com/1103992 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374 https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1124278 https://bugzilla.suse.com/1127354 https://bugzilla.suse.com/1127355 https://bugzilla.suse.com/1127371 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1141558 https://bugzilla.suse.com/1142685 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1151794 https://bugzilla.suse.com/1152489 https://bugzilla.suse.com/1154824 https://bugzilla.suse.com/1157169 https://bugzilla.suse.com/1158265 https://bugzilla.suse.com/1160388 https://bugzilla.suse.com/1160947 https://bugzilla.suse.com/1164780 https://bugzilla.suse.com/1164871 https://bugzilla.suse.com/1165183 https://bugzilla.suse.com/1165478 https://bugzilla.suse.com/1165741 https://bugzilla.suse.com/1166969 https://bugzilla.suse.com/1166978 https://bugzilla.suse.com/1167574 https://bugzilla.suse.com/1167851 https://bugzilla.suse.com/1167867 https://bugzilla.suse.com/1168332 https://bugzilla.suse.com/1168503 https://bugzilla.suse.com/1168670 https://bugzilla.suse.com/1168789 https://bugzilla.suse.com/1169005 https://bugzilla.suse.com/1169020 https://bugzilla.suse.com/1169514 https://bugzilla.suse.com/1169525 https://bugzilla.suse.com/1169762 https://bugzilla.suse.com/1170056 https://bugzilla.suse.com/1170125 https://bugzilla.suse.com/1170145 https://bugzilla.suse.com/1170284 https://bugzilla.suse.com/1170345 https://bugzilla.suse.com/1170457 https://bugzilla.suse.com/1170522 https://bugzilla.suse.com/1170592 https://bugzilla.suse.com/1170617 
https://bugzilla.suse.com/1170618 https://bugzilla.suse.com/1170620 https://bugzilla.suse.com/1170621 https://bugzilla.suse.com/1170770 https://bugzilla.suse.com/1170778 https://bugzilla.suse.com/1170791 https://bugzilla.suse.com/1170901 https://bugzilla.suse.com/1171078 https://bugzilla.suse.com/1171098 https://bugzilla.suse.com/1171118 https://bugzilla.suse.com/1171189 https://bugzilla.suse.com/1171191 https://bugzilla.suse.com/1171195 https://bugzilla.suse.com/1171202 https://bugzilla.suse.com/1171205 https://bugzilla.suse.com/1171214 https://bugzilla.suse.com/1171217 https://bugzilla.suse.com/1171218 https://bugzilla.suse.com/1171219 https://bugzilla.suse.com/1171220 https://bugzilla.suse.com/1171244 https://bugzilla.suse.com/1171293 https://bugzilla.suse.com/1171417 https://bugzilla.suse.com/1171527 https://bugzilla.suse.com/1171599 https://bugzilla.suse.com/1171600 https://bugzilla.suse.com/1171601 https://bugzilla.suse.com/1171602 https://bugzilla.suse.com/1171604 https://bugzilla.suse.com/1171605 https://bugzilla.suse.com/1171606 https://bugzilla.suse.com/1171607 https://bugzilla.suse.com/1171608 https://bugzilla.suse.com/1171609 https://bugzilla.suse.com/1171610 https://bugzilla.suse.com/1171611 https://bugzilla.suse.com/1171612 https://bugzilla.suse.com/1171613 https://bugzilla.suse.com/1171614 https://bugzilla.suse.com/1171615 https://bugzilla.suse.com/1171616 https://bugzilla.suse.com/1171617 https://bugzilla.suse.com/1171618 https://bugzilla.suse.com/1171619 https://bugzilla.suse.com/1171620 https://bugzilla.suse.com/1171621 https://bugzilla.suse.com/1171622 https://bugzilla.suse.com/1171623 https://bugzilla.suse.com/1171624 https://bugzilla.suse.com/1171625 https://bugzilla.suse.com/1171626 https://bugzilla.suse.com/1171662 https://bugzilla.suse.com/1171679 https://bugzilla.suse.com/1171691 https://bugzilla.suse.com/1171692 https://bugzilla.suse.com/1171694 https://bugzilla.suse.com/1171695 https://bugzilla.suse.com/1171736 
https://bugzilla.suse.com/1171761 https://bugzilla.suse.com/1171817 https://bugzilla.suse.com/1171948 https://bugzilla.suse.com/1171949 https://bugzilla.suse.com/1171951 https://bugzilla.suse.com/1171952 https://bugzilla.suse.com/1171979 https://bugzilla.suse.com/1171982 https://bugzilla.suse.com/1171983 https://bugzilla.suse.com/1172017 https://bugzilla.suse.com/1172096 https://bugzilla.suse.com/1172097 https://bugzilla.suse.com/1172098 https://bugzilla.suse.com/1172099 https://bugzilla.suse.com/1172101 https://bugzilla.suse.com/1172102 https://bugzilla.suse.com/1172103 https://bugzilla.suse.com/1172104 https://bugzilla.suse.com/1172127 https://bugzilla.suse.com/1172130 https://bugzilla.suse.com/1172185 https://bugzilla.suse.com/1172188 https://bugzilla.suse.com/1172199 https://bugzilla.suse.com/1172201 https://bugzilla.suse.com/1172202 https://bugzilla.suse.com/1172218 https://bugzilla.suse.com/1172221 https://bugzilla.suse.com/1172249 https://bugzilla.suse.com/1172251 https://bugzilla.suse.com/1172253 https://bugzilla.suse.com/1172317 https://bugzilla.suse.com/1172342 https://bugzilla.suse.com/1172343 https://bugzilla.suse.com/1172344 https://bugzilla.suse.com/1172366 https://bugzilla.suse.com/1172378 https://bugzilla.suse.com/1172391 https://bugzilla.suse.com/1172397 https://bugzilla.suse.com/1172453 From sle-updates at lists.suse.com Tue Jun 9 16:32:40 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 10 Jun 2020 00:32:40 +0200 (CEST) Subject: SUSE-SU-2020:14393-1: important: Security update for the Linux Kernel Message-ID: <20200609223240.F23C1F749@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14393-1 Rating: important References: #1154290 #1154824 #1164871 #1170056 #1171195 #1171202 #1171218 Cross-References: CVE-2020-0543 CVE-2020-10690 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 
Affected Products:
    SUSE Linux Enterprise Server 11-SP4-LTSS
    SUSE Linux Enterprise Server 11-EXTRA
    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that solves 5 vulnerabilities and has two fixes is now available.

Description:

The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

The following non-security bugs were fixed:

- nfsd4: clean up open owners on OPEN failure (bsc#1154290).
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:

    zypper in -t patch slessp4-kernel-source-14393=1

- SUSE Linux Enterprise Server 11-EXTRA:

    zypper in -t patch slexsp3-kernel-source-14393=1

- SUSE Linux Enterprise Debuginfo 11-SP4:

    zypper in -t patch dbgsp4-kernel-source-14393=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):

    kernel-default-3.0.101-108.114.1
    kernel-default-base-3.0.101-108.114.1
    kernel-default-devel-3.0.101-108.114.1
    kernel-source-3.0.101-108.114.1
    kernel-syms-3.0.101-108.114.1
    kernel-trace-3.0.101-108.114.1
    kernel-trace-base-3.0.101-108.114.1
    kernel-trace-devel-3.0.101-108.114.1

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 x86_64):

    kernel-ec2-3.0.101-108.114.1
    kernel-ec2-base-3.0.101-108.114.1
    kernel-ec2-devel-3.0.101-108.114.1
    kernel-xen-3.0.101-108.114.1
    kernel-xen-base-3.0.101-108.114.1
    kernel-xen-devel-3.0.101-108.114.1

- SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64):

    kernel-bigmem-3.0.101-108.114.1
    kernel-bigmem-base-3.0.101-108.114.1
    kernel-bigmem-devel-3.0.101-108.114.1
    kernel-ppc64-3.0.101-108.114.1
    kernel-ppc64-base-3.0.101-108.114.1
    kernel-ppc64-devel-3.0.101-108.114.1

- SUSE Linux Enterprise Server 11-SP4-LTSS (s390x):

    kernel-default-man-3.0.101-108.114.1

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586):

    kernel-pae-3.0.101-108.114.1
    kernel-pae-base-3.0.101-108.114.1
    kernel-pae-devel-3.0.101-108.114.1

- SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64):

    kernel-default-extra-3.0.101-108.114.1

- SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64):

    kernel-xen-extra-3.0.101-108.114.1

- SUSE Linux Enterprise Server 11-EXTRA (x86_64):

    kernel-trace-extra-3.0.101-108.114.1

- SUSE Linux Enterprise Server 11-EXTRA (ppc64):

    kernel-ppc64-extra-3.0.101-108.114.1

- SUSE Linux Enterprise Server 11-EXTRA (i586):

    kernel-pae-extra-3.0.101-108.114.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
    kernel-default-debuginfo-3.0.101-108.114.1
    kernel-default-debugsource-3.0.101-108.114.1
    kernel-trace-debuginfo-3.0.101-108.114.1
    kernel-trace-debugsource-3.0.101-108.114.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 s390x x86_64):

    kernel-default-devel-debuginfo-3.0.101-108.114.1
    kernel-trace-devel-debuginfo-3.0.101-108.114.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):

    kernel-ec2-debuginfo-3.0.101-108.114.1
    kernel-ec2-debugsource-3.0.101-108.114.1
    kernel-xen-debuginfo-3.0.101-108.114.1
    kernel-xen-debugsource-3.0.101-108.114.1
    kernel-xen-devel-debuginfo-3.0.101-108.114.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64):

    kernel-bigmem-debuginfo-3.0.101-108.114.1
    kernel-bigmem-debugsource-3.0.101-108.114.1
    kernel-ppc64-debuginfo-3.0.101-108.114.1
    kernel-ppc64-debugsource-3.0.101-108.114.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586):

    kernel-pae-debuginfo-3.0.101-108.114.1
    kernel-pae-debugsource-3.0.101-108.114.1
    kernel-pae-devel-debuginfo-3.0.101-108.114.1

References:

    https://www.suse.com/security/cve/CVE-2020-0543.html
    https://www.suse.com/security/cve/CVE-2020-10690.html
    https://www.suse.com/security/cve/CVE-2020-12652.html
    https://www.suse.com/security/cve/CVE-2020-12653.html
    https://www.suse.com/security/cve/CVE-2020-12654.html
    https://bugzilla.suse.com/1154290
    https://bugzilla.suse.com/1154824
    https://bugzilla.suse.com/1164871
    https://bugzilla.suse.com/1170056
    https://bugzilla.suse.com/1171195
    https://bugzilla.suse.com/1171202
    https://bugzilla.suse.com/1171218

From sle-updates at lists.suse.com Tue Jun 9 16:34:03 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 10 Jun 2020 00:34:03 +0200 (CEST)
Subject: SUSE-SU-2020:1580-1: moderate: Security update for texlive-filesystem
Message-ID: <20200609223403.284A7F749@maintenance.suse.de>

SUSE Security Update: Security update for texlive-filesystem
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1580-1
Rating: moderate
References: #1158910 #1159740
Cross-References: CVE-2020-8016 CVE-2020-8017
Affected Products:
    SUSE Linux Enterprise Module for Desktop Applications 15-SP1
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for texlive-filesystem fixes the following issues:

Security issues fixed:

- CVE-2020-8016: Fixed a race condition in the spec file (bsc#1159740).
- CVE-2020-8017: Fixed a race condition on a cron job (bsc#1158910).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1580=1

Package List:

- SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

    libkpathsea6-6.2.3-11.13.2
    libkpathsea6-debuginfo-6.2.3-11.13.2
    libptexenc1-1.3.5-11.13.2
    libptexenc1-debuginfo-1.3.5-11.13.2
    libsynctex1-1.18-11.13.2
    libsynctex1-debuginfo-1.18-11.13.2
    libtexlua52-5-5.2.4-11.13.2
    libtexlua52-5-debuginfo-5.2.4-11.13.2
    texlive-2017.20170520-11.13.2
    texlive-a2ping-bin-2017.20170520.svn27321-11.13.2
    texlive-accfonts-bin-2017.20170520.svn12688-11.13.2
    texlive-adhocfilelist-bin-2017.20170520.svn28038-11.13.2
    texlive-afm2pl-bin-2017.20170520.svn44143-11.13.2
    texlive-afm2pl-bin-debuginfo-2017.20170520.svn44143-11.13.2
    texlive-aleph-bin-2017.20170520.svn44143-11.13.2
    texlive-aleph-bin-debuginfo-2017.20170520.svn44143-11.13.2
    texlive-amstex-bin-2017.20170520.svn3006-11.13.2
    texlive-arara-bin-2017.20170520.svn29036-11.13.2
    texlive-asymptote-bin-2017.20170520.svn43843-11.13.2
    texlive-asymptote-bin-debuginfo-2017.20170520.svn43843-11.13.2
    texlive-authorindex-bin-2017.20170520.svn18790-11.13.2
    texlive-autosp-bin-2017.20170520.svn44143-11.13.2
texlive-autosp-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-bibexport-bin-2017.20170520.svn16219-11.13.2 texlive-bibtex-bin-2017.20170520.svn44143-11.13.2 texlive-bibtex-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-bibtex8-bin-2017.20170520.svn44143-11.13.2 texlive-bibtex8-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-bibtexu-bin-2017.20170520.svn44143-11.13.2 texlive-bibtexu-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-bin-devel-2017.20170520-11.13.2 texlive-bundledoc-bin-2017.20170520.svn17794-11.13.2 texlive-cachepic-bin-2017.20170520.svn15543-11.13.2 texlive-checkcites-bin-2017.20170520.svn25623-11.13.2 texlive-checklistings-bin-2017.20170520.svn38300-11.13.2 texlive-chktex-bin-2017.20170520.svn44143-11.13.2 texlive-chktex-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-cjk-gs-integrate-bin-2017.20170520.svn37223-11.13.2 texlive-cjkutils-bin-2017.20170520.svn44143-11.13.2 texlive-cjkutils-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-context-bin-2017.20170520.svn34112-11.13.2 texlive-convbkmk-bin-2017.20170520.svn30408-11.13.2 texlive-crossrefware-bin-2017.20170520.svn43866-11.13.2 texlive-cslatex-bin-2017.20170520.svn3006-11.13.2 texlive-csplain-bin-2017.20170520.svn33902-11.13.2 texlive-ctanify-bin-2017.20170520.svn24061-11.13.2 texlive-ctanupload-bin-2017.20170520.svn23866-11.13.2 texlive-ctie-bin-2017.20170520.svn44143-11.13.2 texlive-ctie-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-cweb-bin-2017.20170520.svn44143-11.13.2 texlive-cweb-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-cyrillic-bin-bin-2017.20170520.svn29741-11.13.2 texlive-de-macro-bin-2017.20170520.svn17399-11.13.2 texlive-debuginfo-2017.20170520-11.13.2 texlive-debugsource-2017.20170520-11.13.2 texlive-detex-bin-2017.20170520.svn44143-11.13.2 texlive-detex-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-dosepsbin-bin-2017.20170520.svn24759-11.13.2 texlive-dtl-bin-2017.20170520.svn44143-11.13.2 
texlive-dtl-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-dtxgen-bin-2017.20170520.svn29031-11.13.2 texlive-dviasm-bin-2017.20170520.svn8329-11.13.2 texlive-dvicopy-bin-2017.20170520.svn44143-11.13.2 texlive-dvicopy-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-dvidvi-bin-2017.20170520.svn44143-11.13.2 texlive-dvidvi-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-dviinfox-bin-2017.20170520.svn44515-11.13.2 texlive-dviljk-bin-2017.20170520.svn44143-11.13.2 texlive-dviljk-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-dvipdfmx-bin-2017.20170520.svn40273-11.13.2 texlive-dvipng-bin-2017.20170520.svn44143-11.13.2 texlive-dvipng-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-dvipos-bin-2017.20170520.svn44143-11.13.2 texlive-dvipos-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-dvips-bin-2017.20170520.svn44143-11.13.2 texlive-dvips-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-dvisvgm-bin-2017.20170520.svn40987-11.13.2 texlive-dvisvgm-bin-debuginfo-2017.20170520.svn40987-11.13.2 texlive-ebong-bin-2017.20170520.svn21000-11.13.2 texlive-eplain-bin-2017.20170520.svn3006-11.13.2 texlive-epspdf-bin-2017.20170520.svn29050-11.13.2 texlive-epstopdf-bin-2017.20170520.svn18336-11.13.2 texlive-exceltex-bin-2017.20170520.svn25860-11.13.2 texlive-fig4latex-bin-2017.20170520.svn14752-11.13.2 texlive-findhyph-bin-2017.20170520.svn14758-11.13.2 texlive-fontinst-bin-2017.20170520.svn29741-11.13.2 texlive-fontools-bin-2017.20170520.svn25997-11.13.2 texlive-fontware-bin-2017.20170520.svn44143-11.13.2 texlive-fontware-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-fragmaster-bin-2017.20170520.svn13663-11.13.2 texlive-getmap-bin-2017.20170520.svn34971-11.13.2 texlive-glossaries-bin-2017.20170520.svn37813-11.13.2 texlive-gregoriotex-bin-2017.20170520.svn44143-11.13.2 texlive-gregoriotex-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-gsftopk-bin-2017.20170520.svn44143-11.13.2 texlive-gsftopk-bin-debuginfo-2017.20170520.svn44143-11.13.2 
texlive-jadetex-bin-2017.20170520.svn3006-11.13.2 texlive-kotex-utils-bin-2017.20170520.svn32101-11.13.2 texlive-kpathsea-bin-2017.20170520.svn44143-11.13.2 texlive-kpathsea-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-kpathsea-devel-6.2.3-11.13.2 texlive-lacheck-bin-2017.20170520.svn44143-11.13.2 texlive-lacheck-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-latex-bin-bin-2017.20170520.svn14050-11.13.2 texlive-latex-git-log-bin-2017.20170520.svn30983-11.13.2 texlive-latex-papersize-bin-2017.20170520.svn42296-11.13.2 texlive-latex2man-bin-2017.20170520.svn13663-11.13.2 texlive-latex2nemeth-bin-2017.20170520.svn42300-11.13.2 texlive-latexdiff-bin-2017.20170520.svn16420-11.13.2 texlive-latexfileversion-bin-2017.20170520.svn25012-11.13.2 texlive-latexindent-bin-2017.20170520.svn32150-11.13.2 texlive-latexmk-bin-2017.20170520.svn10937-11.13.2 texlive-latexpand-bin-2017.20170520.svn27025-11.13.2 texlive-lcdftypetools-bin-2017.20170520.svn44143-11.13.2 texlive-lcdftypetools-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-lilyglyphs-bin-2017.20170520.svn31696-11.13.2 texlive-listbib-bin-2017.20170520.svn26126-11.13.2 texlive-listings-ext-bin-2017.20170520.svn15093-11.13.2 texlive-lollipop-bin-2017.20170520.svn41465-11.13.2 texlive-ltxfileinfo-bin-2017.20170520.svn29005-11.13.2 texlive-ltximg-bin-2017.20170520.svn32346-11.13.2 texlive-lua2dox-bin-2017.20170520.svn29053-11.13.2 texlive-luaotfload-bin-2017.20170520.svn34647-11.13.2 texlive-luatex-bin-2017.20170520.svn44549-11.13.2 texlive-luatex-bin-debuginfo-2017.20170520.svn44549-11.13.2 texlive-lwarp-bin-2017.20170520.svn43292-11.13.2 texlive-m-tx-bin-2017.20170520.svn44143-11.13.2 texlive-m-tx-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-make4ht-bin-2017.20170520.svn37750-11.13.2 texlive-makedtx-bin-2017.20170520.svn38769-11.13.2 texlive-makeindex-bin-2017.20170520.svn44143-11.13.2 texlive-makeindex-bin-debuginfo-2017.20170520.svn44143-11.13.2 
texlive-match_parens-bin-2017.20170520.svn23500-11.13.2 texlive-mathspic-bin-2017.20170520.svn23661-11.13.2 texlive-metafont-bin-2017.20170520.svn44143-11.13.2 texlive-metafont-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-metapost-bin-2017.20170520.svn44143-11.13.2 texlive-metapost-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-mex-bin-2017.20170520.svn3006-11.13.2 texlive-mf2pt1-bin-2017.20170520.svn23406-11.13.2 texlive-mflua-bin-2017.20170520.svn44143-11.13.2 texlive-mflua-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-mfware-bin-2017.20170520.svn44143-11.13.2 texlive-mfware-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-mkgrkindex-bin-2017.20170520.svn14428-11.13.2 texlive-mkjobtexmf-bin-2017.20170520.svn8457-11.13.2 texlive-mkpic-bin-2017.20170520.svn33688-11.13.2 texlive-mltex-bin-2017.20170520.svn3006-11.13.2 texlive-mptopdf-bin-2017.20170520.svn18674-11.13.2 texlive-multibibliography-bin-2017.20170520.svn30534-11.13.2 texlive-musixtex-bin-2017.20170520.svn37026-11.13.2 texlive-musixtnt-bin-2017.20170520.svn44143-11.13.2 texlive-musixtnt-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-omegaware-bin-2017.20170520.svn44143-11.13.2 texlive-omegaware-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-patgen-bin-2017.20170520.svn44143-11.13.2 texlive-patgen-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-pax-bin-2017.20170520.svn10843-11.13.2 texlive-pdfbook2-bin-2017.20170520.svn37537-11.13.2 texlive-pdfcrop-bin-2017.20170520.svn14387-11.13.2 texlive-pdfjam-bin-2017.20170520.svn17868-11.13.2 texlive-pdflatexpicscale-bin-2017.20170520.svn41779-11.13.2 texlive-pdftex-bin-2017.20170520.svn44143-11.13.2 texlive-pdftex-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-pdftools-bin-2017.20170520.svn44143-11.13.2 texlive-pdftools-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-pdfxup-bin-2017.20170520.svn40690-11.13.2 texlive-pedigree-perl-bin-2017.20170520.svn25962-11.13.2 texlive-perltex-bin-2017.20170520.svn16181-11.13.2 
texlive-petri-nets-bin-2017.20170520.svn39165-11.13.2 texlive-pfarrei-bin-2017.20170520.svn29348-11.13.2 texlive-pkfix-bin-2017.20170520.svn13364-11.13.2 texlive-pkfix-helper-bin-2017.20170520.svn13663-11.13.2 texlive-platex-bin-2017.20170520.svn22859-11.13.2 texlive-pmx-bin-2017.20170520.svn44143-11.13.2 texlive-pmx-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-pmxchords-bin-2017.20170520.svn32405-11.13.2 texlive-ps2pk-bin-2017.20170520.svn44143-11.13.2 texlive-ps2pk-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-pst-pdf-bin-2017.20170520.svn7838-11.13.2 texlive-pst2pdf-bin-2017.20170520.svn29333-11.13.2 texlive-pstools-bin-2017.20170520.svn44143-11.13.2 texlive-pstools-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-ptex-bin-2017.20170520.svn44143-11.13.2 texlive-ptex-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-ptex-fontmaps-bin-2017.20170520.svn44206-11.13.2 texlive-ptex2pdf-bin-2017.20170520.svn29335-11.13.2 texlive-ptexenc-devel-1.3.5-11.13.2 texlive-purifyeps-bin-2017.20170520.svn13663-11.13.2 texlive-pygmentex-bin-2017.20170520.svn34996-11.13.2 texlive-pythontex-bin-2017.20170520.svn31638-11.13.2 texlive-rubik-bin-2017.20170520.svn32919-11.13.2 texlive-seetexk-bin-2017.20170520.svn44143-11.13.2 texlive-seetexk-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-splitindex-bin-2017.20170520.svn29688-11.13.2 texlive-srcredact-bin-2017.20170520.svn38710-11.13.2 texlive-sty2dtx-bin-2017.20170520.svn21215-11.13.2 texlive-svn-multi-bin-2017.20170520.svn13663-11.13.2 texlive-synctex-bin-2017.20170520.svn44143-11.13.2 texlive-synctex-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-synctex-devel-1.18-11.13.2 texlive-tetex-bin-2017.20170520.svn43957-11.13.2 texlive-tex-bin-2017.20170520.svn44143-11.13.2 texlive-tex-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-tex4ebook-bin-2017.20170520.svn37771-11.13.2 texlive-tex4ht-bin-2017.20170520.svn44143-11.13.2 texlive-tex4ht-bin-debuginfo-2017.20170520.svn44143-11.13.2 
texlive-texconfig-bin-2017.20170520.svn29741-11.13.2 texlive-texcount-bin-2017.20170520.svn13013-11.13.2 texlive-texdef-bin-2017.20170520.svn21802-11.13.2 texlive-texdiff-bin-2017.20170520.svn15506-11.13.2 texlive-texdirflatten-bin-2017.20170520.svn12782-11.13.2 texlive-texdoc-bin-2017.20170520.svn29741-11.13.2 texlive-texfot-bin-2017.20170520.svn33155-11.13.2 texlive-texliveonfly-bin-2017.20170520.svn24062-11.13.2 texlive-texloganalyser-bin-2017.20170520.svn13663-11.13.2 texlive-texlua-devel-5.2.4-11.13.2 texlive-texosquery-bin-2017.20170520.svn43596-11.13.2 texlive-texsis-bin-2017.20170520.svn3006-11.13.2 texlive-texware-bin-2017.20170520.svn44143-11.13.2 texlive-texware-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-thumbpdf-bin-2017.20170520.svn6898-11.13.2 texlive-tie-bin-2017.20170520.svn44143-11.13.2 texlive-tie-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-tpic2pdftex-bin-2017.20170520.svn29741-11.13.2 texlive-ttfutils-bin-2017.20170520.svn44143-11.13.2 texlive-ttfutils-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-typeoutfileinfo-bin-2017.20170520.svn25648-11.13.2 texlive-ulqda-bin-2017.20170520.svn13663-11.13.2 texlive-uplatex-bin-2017.20170520.svn26326-11.13.2 texlive-uptex-bin-2017.20170520.svn44143-11.13.2 texlive-uptex-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-urlbst-bin-2017.20170520.svn23262-11.13.2 texlive-velthuis-bin-2017.20170520.svn44143-11.13.2 texlive-velthuis-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-vlna-bin-2017.20170520.svn44143-11.13.2 texlive-vlna-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-vpe-bin-2017.20170520.svn6897-11.13.2 texlive-web-bin-2017.20170520.svn44143-11.13.2 texlive-web-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-xdvi-bin-2017.20170520.svn44143-11.13.2 texlive-xdvi-bin-debuginfo-2017.20170520.svn44143-11.13.2 texlive-xetex-bin-2017.20170520.svn44361-11.13.2 texlive-xetex-bin-debuginfo-2017.20170520.svn44361-11.13.2 
texlive-xmltex-bin-2017.20170520.svn3006-11.13.2 texlive-yplan-bin-2017.20170520.svn34398-11.13.2 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 x86_64): libtexluajit2-2.1.0beta2-11.13.2 libtexluajit2-debuginfo-2.1.0beta2-11.13.2 texlive-texluajit-devel-2.1.0beta2-11.13.2 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (noarch): perl-biber-2017.20170520.svn30357-11.13.2 texlive-biber-bin-2017.20170520.svn42679-11.13.2 texlive-collection-basic-2017.135.svn41616-9.12.1 texlive-collection-bibtexextra-2017.135.svn44385-9.12.1 texlive-collection-binextra-2017.135.svn44515-9.12.1 texlive-collection-context-2017.135.svn42330-9.12.1 texlive-collection-fontsextra-2017.135.svn43356-9.12.1 texlive-collection-fontsrecommended-2017.135.svn35830-9.12.1 texlive-collection-fontutils-2017.135.svn37105-9.12.1 texlive-collection-formatsextra-2017.135.svn44177-9.12.1 texlive-collection-games-2017.135.svn42992-9.12.1 texlive-collection-humanities-2017.135.svn42268-9.12.1 texlive-collection-langarabic-2017.135.svn44496-9.12.1 texlive-collection-langchinese-2017.135.svn42675-9.12.1 texlive-collection-langcjk-2017.135.svn43009-9.12.1 texlive-collection-langcyrillic-2017.135.svn44401-9.12.1 texlive-collection-langczechslovak-2017.135.svn32550-9.12.1 texlive-collection-langenglish-2017.135.svn43650-9.12.1 texlive-collection-langeuropean-2017.135.svn44414-9.12.1 texlive-collection-langfrench-2017.135.svn40375-9.12.1 texlive-collection-langgerman-2017.135.svn42045-9.12.1 texlive-collection-langgreek-2017.135.svn44192-9.12.1 texlive-collection-langitalian-2017.135.svn30372-9.12.1 texlive-collection-langjapanese-2017.135.svn44554-9.12.1 texlive-collection-langkorean-2017.135.svn42106-9.12.1 texlive-collection-langother-2017.135.svn44414-9.12.1 texlive-collection-langpolish-2017.135.svn44371-9.12.1 texlive-collection-langportuguese-2017.135.svn30962-9.12.1 texlive-collection-langspanish-2017.135.svn40587-9.12.1 
      texlive-collection-latex-2017.135.svn41614-9.12.1
      texlive-collection-latexextra-2017.135.svn44544-9.12.1
      texlive-collection-latexrecommended-2017.135.svn44177-9.12.1
      texlive-collection-luatex-2017.135.svn44500-9.12.1
      texlive-collection-mathscience-2017.135.svn44396-9.12.1
      texlive-collection-metapost-2017.135.svn44297-9.12.1
      texlive-collection-music-2017.135.svn40561-9.12.1
      texlive-collection-pictures-2017.135.svn44395-9.12.1
      texlive-collection-plaingeneric-2017.135.svn44177-9.12.1
      texlive-collection-pstricks-2017.135.svn44460-9.12.1
      texlive-collection-publishers-2017.135.svn44485-9.12.1
      texlive-collection-xetex-2017.135.svn43059-9.12.1
      texlive-devel-2017.135-9.12.1
      texlive-diadia-bin-2017.20170520.svn37645-11.13.2
      texlive-extratools-2017.135-9.12.1
      texlive-filesystem-2017.135-9.12.1
      texlive-scheme-basic-2017.135.svn25923-9.12.1
      texlive-scheme-context-2017.135.svn35799-9.12.1
      texlive-scheme-full-2017.135.svn44177-9.12.1
      texlive-scheme-gust-2017.135.svn44177-9.12.1
      texlive-scheme-infraonly-2017.135.svn41515-9.12.1
      texlive-scheme-medium-2017.135.svn44177-9.12.1
      texlive-scheme-minimal-2017.135.svn13822-9.12.1
      texlive-scheme-small-2017.135.svn41825-9.12.1
      texlive-scheme-tetex-2017.135.svn44187-9.12.1


References:

   https://www.suse.com/security/cve/CVE-2020-8016.html
   https://www.suse.com/security/cve/CVE-2020-8017.html
   https://bugzilla.suse.com/1158910
   https://bugzilla.suse.com/1159740

From sle-updates at lists.suse.com Tue Jun 9 16:34:57 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 10 Jun 2020 00:34:57 +0200 (CEST)
Subject: SUSE-SU-2020:1581-1: moderate: Security update for texlive
Message-ID: <20200609223457.BF51AF749@maintenance.suse.de>

   SUSE Security Update: Security update for texlive
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1581-1
Rating:             moderate
References:         #1138793 #1158910 #1159740
Cross-References:   CVE-2020-8016 CVE-2020-8017
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

   An update that solves two vulnerabilities and has one errata is now available.

Description:

   This update for texlive fixes the following issues:

   Security issues fixed:

   - CVE-2020-8016: Fixed a race condition in the spec file (bsc#1159740).
   - CVE-2020-8017: Fixed a race condition on a cron job (bsc#1158910).
   - Fixed an issue where pstopdf was crashing (bsc#1138793).


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1581=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1581=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1581=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1581=1


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):

      libptexenc1-1.3.2dev-22.8.2
      libptexenc1-debuginfo-1.3.2dev-22.8.2
      texlive-2013.20130620-22.8.2
      texlive-bibtex-bin-2013.20130620.svn30088-22.8.2
      texlive-bibtex-bin-debuginfo-2013.20130620.svn30088-22.8.2
      texlive-bin-devel-2013.20130620-22.8.2
      texlive-checkcites-bin-2013.20130620.svn25623-22.8.2
      texlive-context-bin-2013.20130620.svn29741-22.8.2
      texlive-cweb-bin-2013.20130620.svn30088-22.8.2
      texlive-cweb-bin-debuginfo-2013.20130620.svn30088-22.8.2
      texlive-debugsource-2013.20130620-22.8.2
      texlive-dviasm-bin-2013.20130620.svn8329-22.8.2
      texlive-dvidvi-bin-2013.20130620.svn30088-22.8.2
      texlive-dvidvi-bin-debuginfo-2013.20130620.svn30088-22.8.2
texlive-dviljk-bin-2013.20130620.svn30088-22.8.2 texlive-dviljk-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-dvipdfmx-bin-2013.20130620.svn30845-22.8.2 texlive-dvipdfmx-bin-debuginfo-2013.20130620.svn30845-22.8.2 texlive-dvipng-bin-2013.20130620.svn30845-22.8.2 texlive-dvipng-bin-debuginfo-2013.20130620.svn30845-22.8.2 texlive-dvips-bin-2013.20130620.svn30088-22.8.2 texlive-dvips-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-dvisvgm-bin-2013.20130620.svn30613-22.8.2 texlive-dvisvgm-bin-debuginfo-2013.20130620.svn30613-22.8.2 texlive-gsftopk-bin-2013.20130620.svn30088-22.8.2 texlive-gsftopk-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-jadetex-bin-2013.20130620.svn3006-22.8.2 texlive-kpathsea-bin-2013.20130620.svn30088-22.8.2 texlive-kpathsea-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-kpathsea-devel-6.2.0dev-22.8.2 texlive-lacheck-bin-2013.20130620.svn30088-22.8.2 texlive-lacheck-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-latex-bin-bin-2013.20130620.svn14050-22.8.2 texlive-lua2dox-bin-2013.20130620.svn29053-22.8.2 texlive-luaotfload-bin-2013.20130620.svn30313-22.8.2 texlive-luatex-bin-2013.20130620.svn30845-22.8.2 texlive-luatex-bin-debuginfo-2013.20130620.svn30845-22.8.2 texlive-makeindex-bin-2013.20130620.svn30088-22.8.2 texlive-makeindex-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-metafont-bin-2013.20130620.svn30088-22.8.2 texlive-metafont-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-metapost-bin-2013.20130620.svn30845-22.8.2 texlive-metapost-bin-debuginfo-2013.20130620.svn30845-22.8.2 texlive-mfware-bin-2013.20130620.svn30088-22.8.2 texlive-mfware-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-mptopdf-bin-2013.20130620.svn18674-22.8.2 texlive-pdftex-bin-2013.20130620.svn30845-22.8.2 texlive-pdftex-bin-debuginfo-2013.20130620.svn30845-22.8.2 texlive-pstools-bin-2013.20130620.svn30088-22.8.2 texlive-pstools-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-ptexenc-devel-1.3.2dev-22.8.2 
texlive-seetexk-bin-2013.20130620.svn30088-22.8.2 texlive-seetexk-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-splitindex-bin-2013.20130620.svn29688-22.8.2 texlive-tetex-bin-2013.20130620.svn29741-22.8.2 texlive-tex-bin-2013.20130620.svn30088-22.8.2 texlive-tex-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-tex4ht-bin-2013.20130620.svn30088-22.8.2 texlive-tex4ht-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-texconfig-bin-2013.20130620.svn29741-22.8.2 texlive-thumbpdf-bin-2013.20130620.svn6898-22.8.2 texlive-vlna-bin-2013.20130620.svn30088-22.8.2 texlive-vlna-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-web-bin-2013.20130620.svn30088-22.8.2 texlive-web-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-xdvi-bin-2013.20130620.svn30088-22.8.2 texlive-xdvi-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-xetex-bin-2013.20130620.svn30845-22.8.2 texlive-xetex-bin-debuginfo-2013.20130620.svn30845-22.8.2 texlive-xmltex-bin-2013.20130620.svn3006-22.8.2 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): texlive-collection-basic-2013.74.svn30372-16.12.1 texlive-collection-fontsrecommended-2013.74.svn30307-16.12.1 texlive-collection-htmlxml-2013.74.svn30307-16.12.1 texlive-collection-latex-2013.74.svn30308-16.12.1 texlive-collection-latexrecommended-2013.74.svn30811-16.12.1 texlive-collection-luatex-2013.74.svn30790-16.12.1 texlive-collection-xetex-2013.74.svn30396-16.12.1 texlive-devel-2013.74-16.12.1 texlive-extratools-2013.74-16.12.1 texlive-filesystem-2013.74-16.12.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libptexenc1-1.3.2dev-22.8.2 libptexenc1-debuginfo-1.3.2dev-22.8.2 texlive-2013.20130620-22.8.2 texlive-bibtex-bin-2013.20130620.svn30088-22.8.2 texlive-bibtex-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-bin-devel-2013.20130620-22.8.2 texlive-checkcites-bin-2013.20130620.svn25623-22.8.2 texlive-context-bin-2013.20130620.svn29741-22.8.2 
texlive-cweb-bin-2013.20130620.svn30088-22.8.2 texlive-cweb-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-debugsource-2013.20130620-22.8.2 texlive-dviasm-bin-2013.20130620.svn8329-22.8.2 texlive-dvidvi-bin-2013.20130620.svn30088-22.8.2 texlive-dvidvi-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-dviljk-bin-2013.20130620.svn30088-22.8.2 texlive-dviljk-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-dvipdfmx-bin-2013.20130620.svn30845-22.8.2 texlive-dvipdfmx-bin-debuginfo-2013.20130620.svn30845-22.8.2 texlive-dvipng-bin-2013.20130620.svn30845-22.8.2 texlive-dvipng-bin-debuginfo-2013.20130620.svn30845-22.8.2 texlive-dvips-bin-2013.20130620.svn30088-22.8.2 texlive-dvips-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-dvisvgm-bin-2013.20130620.svn30613-22.8.2 texlive-dvisvgm-bin-debuginfo-2013.20130620.svn30613-22.8.2 texlive-gsftopk-bin-2013.20130620.svn30088-22.8.2 texlive-gsftopk-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-jadetex-bin-2013.20130620.svn3006-22.8.2 texlive-kpathsea-bin-2013.20130620.svn30088-22.8.2 texlive-kpathsea-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-kpathsea-devel-6.2.0dev-22.8.2 texlive-lacheck-bin-2013.20130620.svn30088-22.8.2 texlive-lacheck-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-latex-bin-bin-2013.20130620.svn14050-22.8.2 texlive-lua2dox-bin-2013.20130620.svn29053-22.8.2 texlive-luaotfload-bin-2013.20130620.svn30313-22.8.2 texlive-luatex-bin-2013.20130620.svn30845-22.8.2 texlive-luatex-bin-debuginfo-2013.20130620.svn30845-22.8.2 texlive-makeindex-bin-2013.20130620.svn30088-22.8.2 texlive-makeindex-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-metafont-bin-2013.20130620.svn30088-22.8.2 texlive-metafont-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-metapost-bin-2013.20130620.svn30845-22.8.2 texlive-metapost-bin-debuginfo-2013.20130620.svn30845-22.8.2 texlive-mfware-bin-2013.20130620.svn30088-22.8.2 texlive-mfware-bin-debuginfo-2013.20130620.svn30088-22.8.2 
texlive-mptopdf-bin-2013.20130620.svn18674-22.8.2 texlive-pdftex-bin-2013.20130620.svn30845-22.8.2 texlive-pdftex-bin-debuginfo-2013.20130620.svn30845-22.8.2 texlive-pstools-bin-2013.20130620.svn30088-22.8.2 texlive-pstools-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-ptexenc-devel-1.3.2dev-22.8.2 texlive-seetexk-bin-2013.20130620.svn30088-22.8.2 texlive-seetexk-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-splitindex-bin-2013.20130620.svn29688-22.8.2 texlive-tetex-bin-2013.20130620.svn29741-22.8.2 texlive-tex-bin-2013.20130620.svn30088-22.8.2 texlive-tex-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-tex4ht-bin-2013.20130620.svn30088-22.8.2 texlive-tex4ht-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-texconfig-bin-2013.20130620.svn29741-22.8.2 texlive-thumbpdf-bin-2013.20130620.svn6898-22.8.2 texlive-vlna-bin-2013.20130620.svn30088-22.8.2 texlive-vlna-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-web-bin-2013.20130620.svn30088-22.8.2 texlive-web-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-xdvi-bin-2013.20130620.svn30088-22.8.2 texlive-xdvi-bin-debuginfo-2013.20130620.svn30088-22.8.2 texlive-xetex-bin-2013.20130620.svn30845-22.8.2 texlive-xetex-bin-debuginfo-2013.20130620.svn30845-22.8.2 texlive-xmltex-bin-2013.20130620.svn3006-22.8.2 - SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch): texlive-collection-basic-2013.74.svn30372-16.12.1 texlive-collection-fontsrecommended-2013.74.svn30307-16.12.1 texlive-collection-htmlxml-2013.74.svn30307-16.12.1 texlive-collection-latex-2013.74.svn30308-16.12.1 texlive-collection-latexrecommended-2013.74.svn30811-16.12.1 texlive-collection-luatex-2013.74.svn30790-16.12.1 texlive-collection-xetex-2013.74.svn30396-16.12.1 texlive-devel-2013.74-16.12.1 texlive-extratools-2013.74-16.12.1 texlive-filesystem-2013.74-16.12.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libkpathsea6-6.2.0dev-22.8.2 libkpathsea6-debuginfo-6.2.0dev-22.8.2 - SUSE Linux Enterprise 
Server 12-SP4 (aarch64 ppc64le s390x x86_64):

      libkpathsea6-6.2.0dev-22.8.2
      libkpathsea6-debuginfo-6.2.0dev-22.8.2


References:

   https://www.suse.com/security/cve/CVE-2020-8016.html
   https://www.suse.com/security/cve/CVE-2020-8017.html
   https://bugzilla.suse.com/1138793
   https://bugzilla.suse.com/1158910
   https://bugzilla.suse.com/1159740

From sle-updates at lists.suse.com Tue Jun 9 16:35:59 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 10 Jun 2020 00:35:59 +0200 (CEST)
Subject: SUSE-SU-2020:1582-1: moderate: Security update for rubygem-bundler
Message-ID: <20200609223559.268C5F749@maintenance.suse.de>

   SUSE Security Update: Security update for rubygem-bundler
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1582-1
Rating:             moderate
References:         #1143436
Cross-References:   CVE-2019-3881
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for rubygem-bundler fixes the following issue:

   - CVE-2019-3881: Fixed insecure permissions on a directory in /tmp/ that
     allowed malicious code execution (bsc#1143436).


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1582=1


Package List:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):

      ruby2.5-rubygem-bundler-1.16.1-3.3.1


References:

   https://www.suse.com/security/cve/CVE-2019-3881.html
   https://bugzilla.suse.com/1143436

From sle-updates at lists.suse.com Wed Jun 10 04:13:40 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 10 Jun 2020 12:13:40 +0200 (CEST)
Subject: SUSE-SU-2020:1589-1: moderate: Security update for ucode-intel
Message-ID: <20200610101340.09F99F749@maintenance.suse.de>

   SUSE Security Update: Security update for ucode-intel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1589-1
Rating:             moderate
References:         #1154824 #1156353 #1172466
Cross-References:   CVE-2020-0543 CVE-2020-0548 CVE-2020-0549
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for ucode-intel fixes the following issues:

   Updated Intel CPU Microcode to 20200602 (prerelease) (bsc#1172466)

   This update contains security mitigations for:

   - CVE-2020-0543: Fixed a side channel attack against special registers
     which could have resulted in leaking of read values to cores other than
     the one which called it. This attack is known as Special Register Buffer
     Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824).
   - CVE-2020-0548, CVE-2020-0549: Additional ucode updates were supplied to
     mitigate the Vector Register and L1D Eviction Sampling aka
     "CacheOutAttack" attacks. (bsc#1156353)

   Microcode Table:

   Processor                 Identifier  Version             Products
   Model         Stepping    F-MO-S/PI   Old->New
   ---- new platforms ----------------------------------------
   ---- updated platforms ------------------------------------
   HSW           C0          6-3c-3/32   00000027->00000028  Core Gen4
   BDW-U/Y       E0/F0       6-3d-4/c0   0000002e->0000002f  Core Gen5
   HSW-U         C0/D0       6-45-1/72   00000025->00000026  Core Gen4
   HSW-H         C0          6-46-1/32   0000001b->0000001c  Core Gen4
   BDW-H/E3      E0/G0       6-47-1/22   00000021->00000022  Core Gen5
   SKL-U/Y       D0          6-4e-3/c0   000000d6->000000dc  Core Gen6 Mobile
   SKL-U23e      K1          6-4e-3/c0   000000d6->000000dc  Core Gen6 Mobile
   SKX-SP        B1          6-55-3/97   01000151->01000157  Xeon Scalable
   SKX-SP        H0/M0/U0    6-55-4/b7   02000065->02006906  Xeon Scalable
   SKX-D         M1          6-55-4/b7   02000065->02006906  Xeon D-21xx
   CLX-SP        B0          6-55-6/bf   0400002c->04002f01  Xeon Scalable Gen2
   CLX-SP        B1          6-55-7/bf   0500002c->04002f01  Xeon Scalable Gen2
   SKL-H/S       R0/N0       6-5e-3/36   000000d6->000000dc  Core Gen6; Xeon E3 v5
   AML-Y22       H0          6-8e-9/10   000000ca->000000d6  Core Gen8 Mobile
   KBL-U/Y       H0          6-8e-9/c0   000000ca->000000d6  Core Gen7 Mobile
   CFL-U43e      D0          6-8e-a/c0   000000ca->000000d6  Core Gen8 Mobile
   WHL-U         W0          6-8e-b/d0   000000ca->000000d6  Core Gen8 Mobile
   AML-Y42       V0          6-8e-c/94   000000ca->000000d6  Core Gen10 Mobile
   CML-Y42       V0          6-8e-c/94   000000ca->000000d6  Core Gen10 Mobile
   WHL-U         V0          6-8e-c/94   000000ca->000000d6  Core Gen8 Mobile
   KBL-G/H/S/E3  B0          6-9e-9/2a   000000ca->000000d6  Core Gen7; Xeon E3 v6
   CFL-H/S/E3    U0          6-9e-a/22   000000ca->000000d6  Core Gen8 Desktop, Mobile, Xeon E
   CFL-S         B0          6-9e-b/02   000000ca->000000d6  Core Gen8
   CFL-H/S       P0          6-9e-c/22   000000ca->000000d6  Core Gen9
   CFL-H         R0          6-9e-d/22   000000ca->000000d6  Core Gen9 Mobile

   Also contains the Intel CPU Microcode update to 20200520:

   Processor                 Identifier  Version             Products
   Model         Stepping    F-MO-S/PI   Old->New
   ---- new platforms ----------------------------------------
   ---- updated platforms ------------------------------------
   SNB-E/EN/EP   C1/M0       6-2d-6/6d   0000061f->00000621  Xeon E3/E5, Core X
   SNB-E/EN/EP   C2/M1       6-2d-7/6d   00000718->0000071a  Xeon E3/E5, Core X


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1589=1


Package List:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64):

      ucode-intel-20200602-3.25.1


References:

   https://www.suse.com/security/cve/CVE-2020-0543.html
   https://www.suse.com/security/cve/CVE-2020-0548.html
   https://www.suse.com/security/cve/CVE-2020-0549.html
   https://bugzilla.suse.com/1154824
   https://bugzilla.suse.com/1156353
   https://bugzilla.suse.com/1172466

From sle-updates at lists.suse.com Wed Jun 10 07:13:45 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 10 Jun 2020 15:13:45 +0200 (CEST)
Subject: SUSE-RU-2020:1594-1: moderate: Recommended update for autoyast2
Message-ID: <20200610131345.08956F749@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for autoyast2
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:1594-1
Rating:             moderate
References:         #1136454
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for autoyast2 fixes the following issues:

   - Fix an issue to avoid detecting block cache as a volume group.
     (bsc#1136454)


Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1594=1


Package List:

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

      autoyast2-4.1.16-3.16.1
      autoyast2-installation-4.1.16-3.16.1


References:

   https://bugzilla.suse.com/1136454

From sle-updates at lists.suse.com Wed Jun 10 07:14:37 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 10 Jun 2020 15:14:37 +0200 (CEST)
Subject: SUSE-RU-2020:1592-1: Recommended update for ipmctl
Message-ID: <20200610131437.45569F749@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for ipmctl
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:1592-1
Rating:             low
References:         #1158619
Affected Products:
                    SUSE Linux Enterprise Module for Server Applications 15-SP1
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for ipmctl adds man pages to this package. (bsc#1158619)


Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1592=1


Package List:

   - SUSE Linux Enterprise Module for Server Applications 15-SP1 (x86_64):

      ipmctl-01.00.00.3440-3.3.4
      ipmctl-debuginfo-01.00.00.3440-3.3.4
      ipmctl-debugsource-01.00.00.3440-3.3.4
      ipmctl-devel-01.00.00.3440-3.3.4
      ipmctl-monitor-01.00.00.3440-3.3.4
      ipmctl-monitor-debuginfo-01.00.00.3440-3.3.4


References:

   https://bugzilla.suse.com/1158619

From sle-updates at lists.suse.com Wed Jun 10 07:15:30 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 10 Jun 2020 15:15:30 +0200 (CEST)
Subject: SUSE-SU-2020:1595-1: moderate: Security update for ucode-intel
Message-ID: <20200610131530.B8762F749@maintenance.suse.de>

   SUSE Security Update: Security update for ucode-intel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1595-1
Rating:             moderate
References:         #1154824 #1156353 #1172466
Cross-References:   CVE-2020-0543 CVE-2020-0548 CVE-2020-0549
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for ucode-intel fixes the following issues:

   Updated Intel CPU Microcode to 20200602 (prerelease) (bsc#1172466)

   This update contains security mitigations for:

   - CVE-2020-0543: Fixed a side channel attack against special registers
     which could have resulted in leaking of read values to cores other than
     the one which called it. This attack is known as Special Register Buffer
     Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824).
   - CVE-2020-0548, CVE-2020-0549: Additional ucode updates were supplied to
     mitigate the Vector Register and L1D Eviction Sampling aka
     "CacheOutAttack" attacks. (bsc#1156353)

   Microcode Table:

   Processor                 Identifier  Version             Products
   Model         Stepping    F-MO-S/PI   Old->New
   ---- new platforms ----------------------------------------
   ---- updated platforms ------------------------------------
   HSW           C0          6-3c-3/32   00000027->00000028  Core Gen4
   BDW-U/Y       E0/F0       6-3d-4/c0   0000002e->0000002f  Core Gen5
   HSW-U         C0/D0       6-45-1/72   00000025->00000026  Core Gen4
   HSW-H         C0          6-46-1/32   0000001b->0000001c  Core Gen4
   BDW-H/E3      E0/G0       6-47-1/22   00000021->00000022  Core Gen5
   SKL-U/Y       D0          6-4e-3/c0   000000d6->000000dc  Core Gen6 Mobile
   SKL-U23e      K1          6-4e-3/c0   000000d6->000000dc  Core Gen6 Mobile
   SKX-SP        B1          6-55-3/97   01000151->01000157  Xeon Scalable
   SKX-SP        H0/M0/U0    6-55-4/b7   02000065->02006906  Xeon Scalable
   SKX-D         M1          6-55-4/b7   02000065->02006906  Xeon D-21xx
   CLX-SP        B0          6-55-6/bf   0400002c->04002f01  Xeon Scalable Gen2
   CLX-SP        B1          6-55-7/bf   0500002c->04002f01  Xeon Scalable Gen2
   SKL-H/S       R0/N0       6-5e-3/36   000000d6->000000dc  Core Gen6; Xeon E3 v5
   AML-Y22       H0          6-8e-9/10   000000ca->000000d6  Core Gen8 Mobile
   KBL-U/Y       H0          6-8e-9/c0   000000ca->000000d6  Core Gen7 Mobile
   CFL-U43e      D0          6-8e-a/c0   000000ca->000000d6  Core Gen8 Mobile
   WHL-U         W0          6-8e-b/d0   000000ca->000000d6  Core Gen8 Mobile
   AML-Y42       V0          6-8e-c/94   000000ca->000000d6  Core Gen10 Mobile
   CML-Y42       V0          6-8e-c/94   000000ca->000000d6  Core Gen10 Mobile
   WHL-U         V0          6-8e-c/94   000000ca->000000d6  Core Gen8 Mobile
   KBL-G/H/S/E3  B0          6-9e-9/2a   000000ca->000000d6  Core Gen7; Xeon E3 v6
   CFL-H/S/E3    U0          6-9e-a/22   000000ca->000000d6  Core Gen8 Desktop, Mobile, Xeon E
   CFL-S         B0          6-9e-b/02   000000ca->000000d6  Core Gen8
   CFL-H/S       P0          6-9e-c/22   000000ca->000000d6  Core Gen9
   CFL-H         R0          6-9e-d/22   000000ca->000000d6  Core Gen9 Mobile

   Also contains the Intel CPU Microcode update to 20200520:

   Processor                 Identifier  Version             Products
   Model         Stepping    F-MO-S/PI   Old->New
   ---- new platforms ----------------------------------------
   ---- updated platforms ------------------------------------
   SNB-E/EN/EP   C1/M0       6-2d-6/6d   0000061f->00000621  Xeon E3/E5, Core X
   SNB-E/EN/EP   C2/M1       6-2d-7/6d   00000718->0000071a  Xeon E3/E5, Core X


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1595=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1595=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1595=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1595=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1595=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1595=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1595=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1595=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1595=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1595=1

   - SUSE Enterprise Storage 5:

      zypper in -t patch SUSE-Storage-5-2020-1595=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2020-1595=1


Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      ucode-intel-20200602-13.68.1
      ucode-intel-debuginfo-20200602-13.68.1
      ucode-intel-debugsource-20200602-13.68.1

   - SUSE OpenStack Cloud 8 (x86_64):

      ucode-intel-20200602-13.68.1
      ucode-intel-debuginfo-20200602-13.68.1
      ucode-intel-debugsource-20200602-13.68.1

   - SUSE OpenStack Cloud 7 (x86_64):

      ucode-intel-20200602-13.68.1
      ucode-intel-debuginfo-20200602-13.68.1
      ucode-intel-debugsource-20200602-13.68.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64):

      ucode-intel-20200602-13.68.1
      ucode-intel-debuginfo-20200602-13.68.1
      ucode-intel-debugsource-20200602-13.68.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):

      ucode-intel-20200602-13.68.1
      ucode-intel-debuginfo-20200602-13.68.1
      ucode-intel-debugsource-20200602-13.68.1

   - SUSE Linux Enterprise Server 12-SP4 (x86_64):

      ucode-intel-20200602-13.68.1
      ucode-intel-debuginfo-20200602-13.68.1
      ucode-intel-debugsource-20200602-13.68.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64):

      ucode-intel-20200602-13.68.1
      ucode-intel-debuginfo-20200602-13.68.1
      ucode-intel-debugsource-20200602-13.68.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      ucode-intel-20200602-13.68.1
      ucode-intel-debuginfo-20200602-13.68.1
      ucode-intel-debugsource-20200602-13.68.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64):

      ucode-intel-20200602-13.68.1
      ucode-intel-debuginfo-20200602-13.68.1
      ucode-intel-debugsource-20200602-13.68.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      ucode-intel-20200602-13.68.1
      ucode-intel-debuginfo-20200602-13.68.1
      ucode-intel-debugsource-20200602-13.68.1

   - SUSE Enterprise Storage 5 (x86_64):

      ucode-intel-20200602-13.68.1
      ucode-intel-debuginfo-20200602-13.68.1
      ucode-intel-debugsource-20200602-13.68.1

   - HPE Helion Openstack 8 (x86_64):

      ucode-intel-20200602-13.68.1
      ucode-intel-debuginfo-20200602-13.68.1
      ucode-intel-debugsource-20200602-13.68.1


References:

   https://www.suse.com/security/cve/CVE-2020-0543.html
   https://www.suse.com/security/cve/CVE-2020-0548.html
   https://www.suse.com/security/cve/CVE-2020-0549.html
   https://bugzilla.suse.com/1154824
   https://bugzilla.suse.com/1156353
   https://bugzilla.suse.com/1172466

From sle-updates at lists.suse.com Wed Jun 10 07:16:36 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 10 Jun 2020 15:16:36 +0200 (CEST)
Subject: SUSE-RU-2020:1593-1: moderate: Recommended update for ceph
Message-ID: <20200610131636.560D9F749@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for ceph
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:1593-1
Rating:             moderate
References:         #1152100 #1155045 #1155262 #1156087 #1156409 #1159689
                    #1160626 #1161718 #1162553 #1163119 #1164571 #1165713
                    #1165835 #1165840 #1166297 #1166393 #1166624 #1166670
                    #1166932 #1168403 #1169356 #1170938 #1171367
Affected Products:
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Enterprise Storage 6
______________________________________________________________________________

   An update that has 23 recommended fixes can now be installed.

Description: This update for ceph to version 14.2.9-969-g9917342dc8d, fixes the following issues: - monitoring: add details to Prometheus alerts (jsc#SES-680) - mgr/dashboard: add debug mode, and accept expected exception when SSL handshaking (bsc#1155045) - monitoring: alert for prediction of disk and pool fill up broken (bsc#1152100) - mgr/dashboard: iSCSI targets not available if any gateway is down (bsc#1155262) - os/bluestore: more flexible DB volume space usage (bsc#1159689) - ceph-volume: make get_devices fs location independent (bsc#1156087) - monitoring: wait before firing osd full alert (bsc#1156409) - mgr/dashboard: Unable to remove an iSCSI gateway that is already in use (bsc#1160626) - mount.ceph: remove arbitrary limit on size of name= option (bsc#1161718) - ceph-volume: strip _dmcrypt suffix in simple scan json output (bsc#1162553) - mgr/dashboard: Not able to restrict bucket creation for new user (bsc#1163119) - mgr/dashboard: Prevent iSCSI target recreation when editing controls (bsc#1164571) - mgr/dashboard: Repair broken grafana panels (bsc#1165713) - rgw: get barbican secret key request maybe return error code (bsc#1165835) - rgw: making implicit_tenants backwards compatible (bsc#1165840) - mgr/dashboard: Repair broken grafana panels (bsc#1166297) - mgr/dashboard: KeyError on dashboard reload (bsc#1166393) - mgr/dashboard: Fix iSCSI's username and password validation (bsc#1166624) - monitoring: root volume full alert fires false positives (bsc#1166670) - mgr: synchronize ClusterState's health and mon_status (bsc#1166932) - mgr/dashboard: Add more debug information to Dashboard RGW backend (bsc#1168403) - rgw: reshard: skip stale bucket id entries from reshard queue (bsc#1169356) - mon/OSDMonitor: allow trimming maps even if osds are down (bsc#1170938) - Set OSD's bluefs-buffered-io param to false by default (bsc#1171367) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST 
online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1593=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2020-1593=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): ceph-common-14.2.9.969+g9917342dc8-3.38.1 ceph-common-debuginfo-14.2.9.969+g9917342dc8-3.38.1 ceph-debugsource-14.2.9.969+g9917342dc8-3.38.1 libcephfs-devel-14.2.9.969+g9917342dc8-3.38.1 libcephfs2-14.2.9.969+g9917342dc8-3.38.1 libcephfs2-debuginfo-14.2.9.969+g9917342dc8-3.38.1 librados-devel-14.2.9.969+g9917342dc8-3.38.1 librados-devel-debuginfo-14.2.9.969+g9917342dc8-3.38.1 librados2-14.2.9.969+g9917342dc8-3.38.1 librados2-debuginfo-14.2.9.969+g9917342dc8-3.38.1 libradospp-devel-14.2.9.969+g9917342dc8-3.38.1 librbd-devel-14.2.9.969+g9917342dc8-3.38.1 librbd1-14.2.9.969+g9917342dc8-3.38.1 librbd1-debuginfo-14.2.9.969+g9917342dc8-3.38.1 librgw-devel-14.2.9.969+g9917342dc8-3.38.1 librgw2-14.2.9.969+g9917342dc8-3.38.1 librgw2-debuginfo-14.2.9.969+g9917342dc8-3.38.1 python3-ceph-argparse-14.2.9.969+g9917342dc8-3.38.1 python3-cephfs-14.2.9.969+g9917342dc8-3.38.1 python3-cephfs-debuginfo-14.2.9.969+g9917342dc8-3.38.1 python3-rados-14.2.9.969+g9917342dc8-3.38.1 python3-rados-debuginfo-14.2.9.969+g9917342dc8-3.38.1 python3-rbd-14.2.9.969+g9917342dc8-3.38.1 python3-rbd-debuginfo-14.2.9.969+g9917342dc8-3.38.1 python3-rgw-14.2.9.969+g9917342dc8-3.38.1 python3-rgw-debuginfo-14.2.9.969+g9917342dc8-3.38.1 rados-objclass-devel-14.2.9.969+g9917342dc8-3.38.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): ceph-14.2.9.969+g9917342dc8-3.38.1 ceph-base-14.2.9.969+g9917342dc8-3.38.1 ceph-base-debuginfo-14.2.9.969+g9917342dc8-3.38.1 ceph-common-14.2.9.969+g9917342dc8-3.38.1 ceph-common-debuginfo-14.2.9.969+g9917342dc8-3.38.1 ceph-debugsource-14.2.9.969+g9917342dc8-3.38.1 
ceph-fuse-14.2.9.969+g9917342dc8-3.38.1 ceph-fuse-debuginfo-14.2.9.969+g9917342dc8-3.38.1 ceph-mds-14.2.9.969+g9917342dc8-3.38.1 ceph-mds-debuginfo-14.2.9.969+g9917342dc8-3.38.1 ceph-mgr-14.2.9.969+g9917342dc8-3.38.1 ceph-mgr-debuginfo-14.2.9.969+g9917342dc8-3.38.1 ceph-mon-14.2.9.969+g9917342dc8-3.38.1 ceph-mon-debuginfo-14.2.9.969+g9917342dc8-3.38.1 ceph-osd-14.2.9.969+g9917342dc8-3.38.1 ceph-osd-debuginfo-14.2.9.969+g9917342dc8-3.38.1 ceph-radosgw-14.2.9.969+g9917342dc8-3.38.1 ceph-radosgw-debuginfo-14.2.9.969+g9917342dc8-3.38.1 cephfs-shell-14.2.9.969+g9917342dc8-3.38.1 libcephfs2-14.2.9.969+g9917342dc8-3.38.1 libcephfs2-debuginfo-14.2.9.969+g9917342dc8-3.38.1 librados2-14.2.9.969+g9917342dc8-3.38.1 librados2-debuginfo-14.2.9.969+g9917342dc8-3.38.1 librbd1-14.2.9.969+g9917342dc8-3.38.1 librbd1-debuginfo-14.2.9.969+g9917342dc8-3.38.1 librgw2-14.2.9.969+g9917342dc8-3.38.1 librgw2-debuginfo-14.2.9.969+g9917342dc8-3.38.1 python3-ceph-argparse-14.2.9.969+g9917342dc8-3.38.1 python3-cephfs-14.2.9.969+g9917342dc8-3.38.1 python3-cephfs-debuginfo-14.2.9.969+g9917342dc8-3.38.1 python3-rados-14.2.9.969+g9917342dc8-3.38.1 python3-rados-debuginfo-14.2.9.969+g9917342dc8-3.38.1 python3-rbd-14.2.9.969+g9917342dc8-3.38.1 python3-rbd-debuginfo-14.2.9.969+g9917342dc8-3.38.1 python3-rgw-14.2.9.969+g9917342dc8-3.38.1 python3-rgw-debuginfo-14.2.9.969+g9917342dc8-3.38.1 rbd-fuse-14.2.9.969+g9917342dc8-3.38.1 rbd-fuse-debuginfo-14.2.9.969+g9917342dc8-3.38.1 rbd-mirror-14.2.9.969+g9917342dc8-3.38.1 rbd-mirror-debuginfo-14.2.9.969+g9917342dc8-3.38.1 rbd-nbd-14.2.9.969+g9917342dc8-3.38.1 rbd-nbd-debuginfo-14.2.9.969+g9917342dc8-3.38.1 - SUSE Enterprise Storage 6 (noarch): ceph-grafana-dashboards-14.2.9.969+g9917342dc8-3.38.1 ceph-mgr-dashboard-14.2.9.969+g9917342dc8-3.38.1 ceph-mgr-diskprediction-local-14.2.9.969+g9917342dc8-3.38.1 ceph-mgr-rook-14.2.9.969+g9917342dc8-3.38.1 ceph-prometheus-alerts-14.2.9.969+g9917342dc8-3.38.1 References: https://bugzilla.suse.com/1152100 
https://bugzilla.suse.com/1155045 https://bugzilla.suse.com/1155262 https://bugzilla.suse.com/1156087 https://bugzilla.suse.com/1156409 https://bugzilla.suse.com/1159689 https://bugzilla.suse.com/1160626 https://bugzilla.suse.com/1161718 https://bugzilla.suse.com/1162553 https://bugzilla.suse.com/1163119 https://bugzilla.suse.com/1164571 https://bugzilla.suse.com/1165713 https://bugzilla.suse.com/1165835 https://bugzilla.suse.com/1165840 https://bugzilla.suse.com/1166297 https://bugzilla.suse.com/1166393 https://bugzilla.suse.com/1166624 https://bugzilla.suse.com/1166670 https://bugzilla.suse.com/1166932 https://bugzilla.suse.com/1168403 https://bugzilla.suse.com/1169356 https://bugzilla.suse.com/1170938 https://bugzilla.suse.com/1171367 From sle-updates at lists.suse.com Wed Jun 10 07:20:00 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 10 Jun 2020 15:20:00 +0200 (CEST) Subject: SUSE-SU-2020:1596-1: important: Security update for the Linux Kernel Message-ID: <20200610132000.4999FF749@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1596-1 Rating: important References: #1154824 #1161951 #1164871 #1169025 #1169625 #1170383 #1170618 #1170620 #1171098 #1171195 #1171202 #1171218 #1171219 #1171689 #1171698 #1172032 #1172221 #1172317 Cross-References: CVE-2020-0543 CVE-2020-10757 CVE-2020-12114 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 CVE-2020-12656 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise High Availability 12-SP3 SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves 7 vulnerabilities and has 11 fixes is now available. 
Description: The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824). - CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218). - CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195). - CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202). - CVE-2020-12656: Fixed an improper handling of certain domain_release calls which could have led to a memory leak (bsc#1171219). - CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098). - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317). The following non-security bugs were fixed: - can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1171698). - clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620). - Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170618). - Drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170618). - Drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618). - Drivers: hv: vmbus: Make panic reporting to be more useful (bsc#1170618). - Drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170618). 
- EDAC: Convert to new X86 CPU match macros - ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611). - ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). - KEYS: reaching the keys quotas correctly (bsc#1171689). - NFS: Cleanup if nfs_match_client is interrupted (bsc#1169025). - NFS: Fix a double unlock from nfs_match,get_client (bsc#1169025). - NFS: make nfs_match_client killable (bsc#1169025). - NFS: Unlock requests must never fail (bsc#1172032). - random: always use batched entropy for get_random_u{32,64} (bsc#1164871). - Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" (bsc#1172221). - scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551). - scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). - x86/dumpstack/64: Handle faults when printing the "Stack: " part of an OOPS (bsc#1170383). - x86/hyperv: Allow guests to enable InvariantTSC (bsc#1170620). - x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170618). - x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170618). - x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170618). - x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170618). - x86: hyperv: report value of misc_features (git fixes). - x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170618). - x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170618). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1596=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1596=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1596=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1596=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1596=1 - SUSE Linux Enterprise High Availability 12-SP3: zypper in -t patch SUSE-SLE-HA-12-SP3-2020-1596=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1596=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1596=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): kernel-devel-4.4.180-94.121.1 kernel-macros-4.4.180-94.121.1 kernel-source-4.4.180-94.121.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): kernel-default-4.4.180-94.121.1 kernel-default-base-4.4.180-94.121.1 kernel-default-base-debuginfo-4.4.180-94.121.1 kernel-default-debuginfo-4.4.180-94.121.1 kernel-default-debugsource-4.4.180-94.121.1 kernel-default-devel-4.4.180-94.121.1 kernel-default-kgraft-4.4.180-94.121.1 kernel-syms-4.4.180-94.121.1 kgraft-patch-4_4_180-94_121-default-1-4.5.1 kgraft-patch-4_4_180-94_121-default-debuginfo-1-4.5.1 - SUSE OpenStack Cloud 8 (noarch): kernel-devel-4.4.180-94.121.1 kernel-macros-4.4.180-94.121.1 kernel-source-4.4.180-94.121.1 - SUSE OpenStack Cloud 8 (x86_64): kernel-default-4.4.180-94.121.1 kernel-default-base-4.4.180-94.121.1 kernel-default-base-debuginfo-4.4.180-94.121.1 kernel-default-debuginfo-4.4.180-94.121.1 kernel-default-debugsource-4.4.180-94.121.1 kernel-default-devel-4.4.180-94.121.1 kernel-default-kgraft-4.4.180-94.121.1 kernel-syms-4.4.180-94.121.1 kgraft-patch-4_4_180-94_121-default-1-4.5.1 kgraft-patch-4_4_180-94_121-default-debuginfo-1-4.5.1 - SUSE Linux Enterprise Server for SAP 
12-SP3 (ppc64le x86_64): kernel-default-4.4.180-94.121.1 kernel-default-base-4.4.180-94.121.1 kernel-default-base-debuginfo-4.4.180-94.121.1 kernel-default-debuginfo-4.4.180-94.121.1 kernel-default-debugsource-4.4.180-94.121.1 kernel-default-devel-4.4.180-94.121.1 kernel-default-kgraft-4.4.180-94.121.1 kernel-syms-4.4.180-94.121.1 kgraft-patch-4_4_180-94_121-default-1-4.5.1 kgraft-patch-4_4_180-94_121-default-debuginfo-1-4.5.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): kernel-devel-4.4.180-94.121.1 kernel-macros-4.4.180-94.121.1 kernel-source-4.4.180-94.121.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): kernel-default-4.4.180-94.121.1 kernel-default-base-4.4.180-94.121.1 kernel-default-base-debuginfo-4.4.180-94.121.1 kernel-default-debuginfo-4.4.180-94.121.1 kernel-default-debugsource-4.4.180-94.121.1 kernel-default-devel-4.4.180-94.121.1 kernel-syms-4.4.180-94.121.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kernel-default-kgraft-4.4.180-94.121.1 kgraft-patch-4_4_180-94_121-default-1-4.5.1 kgraft-patch-4_4_180-94_121-default-debuginfo-1-4.5.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): kernel-devel-4.4.180-94.121.1 kernel-macros-4.4.180-94.121.1 kernel-source-4.4.180-94.121.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x): kernel-default-man-4.4.180-94.121.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): kernel-default-4.4.180-94.121.1 kernel-default-base-4.4.180-94.121.1 kernel-default-base-debuginfo-4.4.180-94.121.1 kernel-default-debuginfo-4.4.180-94.121.1 kernel-default-debugsource-4.4.180-94.121.1 kernel-default-devel-4.4.180-94.121.1 kernel-syms-4.4.180-94.121.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): kernel-devel-4.4.180-94.121.1 kernel-macros-4.4.180-94.121.1 kernel-source-4.4.180-94.121.1 - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64): cluster-md-kmp-default-4.4.180-94.121.1 cluster-md-kmp-default-debuginfo-4.4.180-94.121.1 
dlm-kmp-default-4.4.180-94.121.1 dlm-kmp-default-debuginfo-4.4.180-94.121.1 gfs2-kmp-default-4.4.180-94.121.1 gfs2-kmp-default-debuginfo-4.4.180-94.121.1 kernel-default-debuginfo-4.4.180-94.121.1 kernel-default-debugsource-4.4.180-94.121.1 ocfs2-kmp-default-4.4.180-94.121.1 ocfs2-kmp-default-debuginfo-4.4.180-94.121.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): kernel-default-4.4.180-94.121.1 kernel-default-base-4.4.180-94.121.1 kernel-default-base-debuginfo-4.4.180-94.121.1 kernel-default-debuginfo-4.4.180-94.121.1 kernel-default-debugsource-4.4.180-94.121.1 kernel-default-devel-4.4.180-94.121.1 kernel-syms-4.4.180-94.121.1 - SUSE Enterprise Storage 5 (x86_64): kernel-default-kgraft-4.4.180-94.121.1 kgraft-patch-4_4_180-94_121-default-1-4.5.1 kgraft-patch-4_4_180-94_121-default-debuginfo-1-4.5.1 - SUSE Enterprise Storage 5 (noarch): kernel-devel-4.4.180-94.121.1 kernel-macros-4.4.180-94.121.1 kernel-source-4.4.180-94.121.1 - HPE Helion Openstack 8 (noarch): kernel-devel-4.4.180-94.121.1 kernel-macros-4.4.180-94.121.1 kernel-source-4.4.180-94.121.1 - HPE Helion Openstack 8 (x86_64): kernel-default-4.4.180-94.121.1 kernel-default-base-4.4.180-94.121.1 kernel-default-base-debuginfo-4.4.180-94.121.1 kernel-default-debuginfo-4.4.180-94.121.1 kernel-default-debugsource-4.4.180-94.121.1 kernel-default-devel-4.4.180-94.121.1 kernel-default-kgraft-4.4.180-94.121.1 kernel-syms-4.4.180-94.121.1 kgraft-patch-4_4_180-94_121-default-1-4.5.1 kgraft-patch-4_4_180-94_121-default-debuginfo-1-4.5.1 References: https://www.suse.com/security/cve/CVE-2020-0543.html https://www.suse.com/security/cve/CVE-2020-10757.html https://www.suse.com/security/cve/CVE-2020-12114.html https://www.suse.com/security/cve/CVE-2020-12652.html https://www.suse.com/security/cve/CVE-2020-12653.html https://www.suse.com/security/cve/CVE-2020-12654.html https://www.suse.com/security/cve/CVE-2020-12656.html https://bugzilla.suse.com/1154824 https://bugzilla.suse.com/1161951 https://bugzilla.suse.com/1164871 
https://bugzilla.suse.com/1169025 https://bugzilla.suse.com/1169625 https://bugzilla.suse.com/1170383 https://bugzilla.suse.com/1170618 https://bugzilla.suse.com/1170620 https://bugzilla.suse.com/1171098 https://bugzilla.suse.com/1171195 https://bugzilla.suse.com/1171202 https://bugzilla.suse.com/1171218 https://bugzilla.suse.com/1171219 https://bugzilla.suse.com/1171689 https://bugzilla.suse.com/1171698 https://bugzilla.suse.com/1172032 https://bugzilla.suse.com/1172221 https://bugzilla.suse.com/1172317 From sle-updates at lists.suse.com Wed Jun 10 07:22:48 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 10 Jun 2020 15:22:48 +0200 (CEST) Subject: SUSE-SU-2020:14394-1: moderate: Security update for microcode_ctl Message-ID: <20200610132248.01536F749@maintenance.suse.de> SUSE Security Update: Security update for microcode_ctl ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14394-1 Rating: moderate References: #1154824 #1156353 #1172466 Cross-References: CVE-2020-0543 CVE-2020-0548 CVE-2020-0549 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for microcode_ctl fixes the following issues: Updated Intel CPU Microcode to 20200602 (prerelease) (bsc#1172466) This update contains security mitigations for: - CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824). - CVE-2020-0548,CVE-2020-0549: Additional ucode updates were supplied to mitigate the Vector Register and L1D Eviction Sampling aka "CacheOutAttack" attacks. 
(bsc#1156353) Microcode Table:

Processor                  Identifier  Version              Products
Model         Stepping     F-MO-S/PI   Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
HSW           C0           6-3c-3/32   00000027->00000028   Core Gen4
BDW-U/Y       E0/F0        6-3d-4/c0   0000002e->0000002f   Core Gen5
HSW-U         C0/D0        6-45-1/72   00000025->00000026   Core Gen4
HSW-H         C0           6-46-1/32   0000001b->0000001c   Core Gen4
BDW-H/E3      E0/G0        6-47-1/22   00000021->00000022   Core Gen5
SKL-U/Y       D0           6-4e-3/c0   000000d6->000000dc   Core Gen6 Mobile
SKL-U23e      K1           6-4e-3/c0   000000d6->000000dc   Core Gen6 Mobile
SKX-SP        B1           6-55-3/97   01000151->01000157   Xeon Scalable
SKX-SP        H0/M0/U0     6-55-4/b7   02000065->02006906   Xeon Scalable
SKX-D         M1           6-55-4/b7   02000065->02006906   Xeon D-21xx
CLX-SP        B0           6-55-6/bf   0400002c->04002f01   Xeon Scalable Gen2
CLX-SP        B1           6-55-7/bf   0500002c->04002f01   Xeon Scalable Gen2
SKL-H/S       R0/N0        6-5e-3/36   000000d6->000000dc   Core Gen6; Xeon E3 v5
AML-Y22       H0           6-8e-9/10   000000ca->000000d6   Core Gen8 Mobile
KBL-U/Y       H0           6-8e-9/c0   000000ca->000000d6   Core Gen7 Mobile
CFL-U43e      D0           6-8e-a/c0   000000ca->000000d6   Core Gen8 Mobile
WHL-U         W0           6-8e-b/d0   000000ca->000000d6   Core Gen8 Mobile
AML-Y42       V0           6-8e-c/94   000000ca->000000d6   Core Gen10 Mobile
CML-Y42       V0           6-8e-c/94   000000ca->000000d6   Core Gen10 Mobile
WHL-U         V0           6-8e-c/94   000000ca->000000d6   Core Gen8 Mobile
KBL-G/H/S/E3  B0           6-9e-9/2a   000000ca->000000d6   Core Gen7; Xeon E3 v6
CFL-H/S/E3    U0           6-9e-a/22   000000ca->000000d6   Core Gen8 Desktop, Mobile, Xeon E
CFL-S         B0           6-9e-b/02   000000ca->000000d6   Core Gen8
CFL-H/S       P0           6-9e-c/22   000000ca->000000d6   Core Gen9
CFL-H         R0           6-9e-d/22   000000ca->000000d6   Core Gen9 Mobile

Also contains the Intel CPU Microcode update to 20200520:

Processor                  Identifier  Version              Products
Model         Stepping     F-MO-S/PI   Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
SNB-E/EN/EP   C1/M0        6-2d-6/6d   0000061f->00000621   Xeon E3/E5, Core X
SNB-E/EN/EP   C2/M1        6-2d-7/6d   00000718->0000071a   Xeon E3/E5, Core X

Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-microcode_ctl-14394=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-microcode_ctl-14394=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 x86_64): microcode_ctl-1.17-102.83.53.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): microcode_ctl-1.17-102.83.53.1 References: https://www.suse.com/security/cve/CVE-2020-0543.html https://www.suse.com/security/cve/CVE-2020-0548.html https://www.suse.com/security/cve/CVE-2020-0549.html https://bugzilla.suse.com/1154824 https://bugzilla.suse.com/1156353 https://bugzilla.suse.com/1172466 From sle-updates at lists.suse.com Wed Jun 10 07:23:49 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 10 Jun 2020 15:23:49 +0200 (CEST) Subject: SUSE-SU-2020:1599-1: important: Security update for the Linux Kernel Message-ID: <20200610132349.B0333F749@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1599-1 Rating: important References: #1051510 #1058115 #1065729 #1082555 #1083647 #1089895 #1103990 #1103991 #1103992 #1104745 #1109837 #1111666 #1112178 #1112374 #1113956 #1114279 #1124278 #1127354 #1127355 #1127371 #1133021 #1142685 #1144333 #1151794 #1152489 #1154824 #1157169 #1158265 #1160388 #1160947 #1164780 #1164871 #1165183 #1165478 #1165741 #1166969 #1166978 #1167574 #1167851 #1167867 #1168332 #1168670 #1168789 #1169020 #1169514 #1169525 #1169762 #1170056 #1170125 #1170145 #1170284 #1170345 #1170457 #1170522 #1170592 #1170617 #1170618 #1170620 #1170621 #1170770 #1170778 #1170791 #1170901 #1171078 #1171098 #1171118 #1171189 #1171191 
#1171195 #1171202 #1171205 #1171214 #1171217 #1171218 #1171219 #1171220 #1171244 #1171293 #1171417 #1171527 #1171599 #1171600 #1171601 #1171602 #1171604 #1171605 #1171606 #1171607 #1171608 #1171609 #1171610 #1171611 #1171612 #1171613 #1171614 #1171615 #1171616 #1171617 #1171618 #1171619 #1171620 #1171621 #1171622 #1171623 #1171624 #1171625 #1171626 #1171662 #1171679 #1171691 #1171692 #1171694 #1171695 #1171736 #1171817 #1171948 #1171949 #1171951 #1171952 #1171979 #1171982 #1171983 #1172017 #1172096 #1172097 #1172098 #1172099 #1172101 #1172102 #1172103 #1172104 #1172127 #1172130 #1172185 #1172188 #1172199 #1172201 #1172202 #1172221 #1172249 #1172251 #1172317 #1172342 #1172343 #1172344 #1172366 #1172378 #1172391 #1172397 #1172453 Cross-References: CVE-2018-1000199 CVE-2019-19462 CVE-2019-20806 CVE-2019-20812 CVE-2019-9455 CVE-2020-0543 CVE-2020-10690 CVE-2020-10711 CVE-2020-10720 CVE-2020-10732 CVE-2020-10751 CVE-2020-10757 CVE-2020-12114 CVE-2020-12464 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 CVE-2020-12655 CVE-2020-12656 CVE-2020-12657 CVE-2020-12659 CVE-2020-12768 CVE-2020-12769 CVE-2020-13143 Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP1 ______________________________________________________________________________ An update that solves 24 vulnerabilities and has 126 fixes is now available. Description: The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824). - CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982). 
- CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983). - CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736). - CVE-2020-12659: Fixed an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) due to improper headroom validation (bsc#1171214). - CVE-2020-12657: Fixed a use-after-free in block/bfq-iosched.c (bsc#1171205). - CVE-2020-12656: Fixed an improper handling of certain domain_release calls which could have led to a memory leak (bsc#1171219). - CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217). - CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202). - CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195). - CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218). - CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901). - CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098). - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317). - CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189). - CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220). - CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778). 
- CVE-2020-10711: Fixed a null pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191). - CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056). - CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345). - CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453). - CVE-2019-20806: Fixed a null pointer dereference which may have led to denial of service (bsc#1172199). - CVE-2019-19462: Fixed an issue which could have allowed a local user to cause a denial of service (bsc#1158265). - CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895). The following non-security bugs were fixed: - ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe() (bsc#1051510). - ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() (bsc#1051510). - acpi/x86: ignore unspecified bit positions in the ACPI global lock field (bsc#1051510). - Add br_netfilter to kernel-default-base (bsc#1169020) - Add commit for git-fix that's not a fix This commit cleans up debug code but does not fix anything, and it relies on a new kernel function that isn't yet in this version of SLE. - agp/intel: Reinforce the barrier after GTT updates (bsc#1051510). - ALSA: ctxfi: Remove unnecessary cast in kfree (bsc#1051510). - ALSA: doc: Document PC Beep Hidden Register on Realtek ALC256 (bsc#1051510). - ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666). - ALSA: hda: Add driver blacklist (bsc#1051510). - ALSA: hda: Always use jackpoll helper for jack update after resume (bsc#1051510). - ALSA: hda: call runtime_allow() for all hda controllers (bsc#1051510). - ALSA: hda: Do not release card at firmware loading error (bsc#1051510). 
- ALSA: hda: Explicitly permit using autosuspend if runtime PM is supported (bsc#1051510). - ALSA: hda/hdmi: fix race in monitor detection during probe (bsc#1051510). - ALSA: hda/hdmi: fix without unlocked before return (bsc#1051510). - ALSA: hda: Honor PM disablement in PM freeze and thaw_noirq ops (bsc#1051510). - ALSA: hda: Keep the controller initialization even if no codecs found (bsc#1051510). - ALSA: hda: Match both PCI ID and SSID for driver blacklist (bsc#1111666). - ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround (bsc#1172017). - ALSA: hda/realtek - Add COEF workaround for ASUS ZenBook UX431DA (git-fixes). - ALSA: hda/realtek - Add HP new mute led supported for ALC236 (git-fixes). - ALSA: hda/realtek - Add more fixup entries for Clevo machines (git-fixes). - ALSA: hda/realtek - Add new codec supported for ALC245 (bsc#1051510). - ALSA: hda/realtek - Add new codec supported for ALC287 (git-fixes). - ALSA: hda/realtek: Add quirk for Samsung Notebook (git-fixes). - ALSA: hda/realtek - Add supported new mute Led for HP (git-fixes). - ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295 (git-fixes). - ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295 (git-fixes). - ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295 (git-fixes). - ALSA: hda/realtek - Enable the headset mic on Asus FX505DT (bsc#1051510). - ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse (git-fixes). - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme (bsc#1111666). - ALSA: hda/realtek - Fix unexpected init_amp override (bsc#1051510). - ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 (git-fixes bsc#1171293). - ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter (bsc#1051510). - ALSA: hda: Release resources at error in delayed probe (bsc#1051510). - ALSA: hda: Remove ASUS ROG Zenith from the blacklist (bsc#1051510). - ALSA: hda: Skip controller resume if not needed (bsc#1051510). 
- ALSA: hwdep: fix a left shifting 1 by 31 UB bug (git-fixes). - ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option (git-fixes). - ALSA: opti9xx: shut up gcc-10 range warning (bsc#1051510). - ALSA: pcm: fix incorrect hw_base increase (git-fixes). - ALSA: pcm: oss: Place the plugin buffer overflow checks correctly (bsc#1170522). - ALSA: rawmidi: Fix racy buffer resize under concurrent accesses (git-fixes). - ALSA: usb-audio: Add connector notifier delegation (bsc#1051510). - ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset (git-fixes). - ALSA: usb-audio: add mapping for ASRock TRX40 Creator (git-fixes). - ALSA: usb-audio: Add mixer workaround for TRX40 and co (bsc#1051510). - ALSA: usb-audio: Add quirk for Focusrite Scarlett 2i2 (bsc#1051510). - ALSA: usb-audio: Add static mapping table for ALC1220-VB-based mobos (bsc#1051510). - ALSA: usb-audio: Apply async workaround for Scarlett 2i4 2nd gen (bsc#1051510). - ALSA: usb-audio: Check mapping at creating connector controls, too (bsc#1051510). - ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID (bsc#1051510). - ALSA: usb-audio: Do not create jack controls for PCM terminals (bsc#1051510). - ALSA: usb-audio: Do not override ignore_ctl_error value from the map (bsc#1051510). - ALSA: usb-audio: Filter error from connector kctl ops, too (bsc#1051510). - ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif (bsc#1051510). - ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC (git-fixes). - ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio (git-fixes). - ALSA: usx2y: Fix potential NULL dereference (bsc#1051510). - ASoC: codecs: hdac_hdmi: Fix incorrect use of list_for_each_entry (bsc#1051510). - ASoC: dapm: connect virtual mux with default value (bsc#1051510). - ASoC: dapm: fixup dapm kcontrol widget (bsc#1051510). - ASoC: dpcm: allow start or stop during pause for backend (bsc#1051510). 
- ASoC: fix regwmask (bsc#1051510).
- ASoC: msm8916-wcd-digital: Reset RX interpolation path after use (bsc#1051510).
- ASoC: samsung: Prevent clk_get_rate() calls in atomic context (bsc#1111666).
- ASoC: topology: Check return value of pcm_new_ver (bsc#1051510).
- ASoC: topology: use name_prefix for new kcontrol (bsc#1051510).
- b43legacy: Fix case where channel status is corrupted (bsc#1051510).
- batman-adv: fix batadv_nc_random_weight_tq (git-fixes).
- batman-adv: Fix refcnt leak in batadv_show_throughput_override (git-fixes).
- batman-adv: Fix refcnt leak in batadv_store_throughput_override (git-fixes).
- batman-adv: Fix refcnt leak in batadv_v_ogm_process (git-fixes).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (git fixes (block drivers)).
- bcache: fix incorrect data type usage in btree_flush_write() (git fixes (block drivers)).
- bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (git fixes (block drivers)).
- blk-mq: honor IO scheduler for multiqueue devices (bsc#1165478).
- blk-mq: simplify blk_mq_make_request() (bsc#1165478).
- block/drbd: delete invalid function drbd_md_mark_dirty_ (bsc#1171527).
- block: drbd: remove a stray unlock in __drbd_send_protocol() (bsc#1171599).
- block: fix busy device checking in blk_drop_partitions again (bsc#1171948).
- block: fix busy device checking in blk_drop_partitions (bsc#1171948).
- block: fix memleak of bio integrity data (git fixes (block drivers)).
- block: remove the bd_openers checks in blk_drop_partitions (bsc#1171948).
- bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets() (networking-stable-20_03_28).
- bnxt_en: Reduce BNXT_MSIX_VEC_MAX value to supported CQs per PF (bsc#1104745).
- bnxt_en: reinitialize IRQs when MTU is modified (networking-stable-20_03_14).
- bnxt_en: Return error if bnxt_alloc_ctx_mem() fails (bsc#1104745).
- bnxt_en: Return error when allocating zero size context memory (bsc#1104745).
- bonding/alb: make sure arp header is pulled before accessing it (networking-stable-20_03_14).
- bpf: Fix sk_psock refcnt leak when receiving message (bsc#1083647).
- bpf: Forbid XADD on spilled pointers for unprivileged users (bsc#1083647).
- brcmfmac: abort and release host after error (bsc#1051510).
- BTRFS: fix deadlock with memory reclaim during scrub (bsc#1172127).
- BTRFS: fix log context list corruption after rename whiteout error (bsc#1172342).
- BTRFS: fix partial loss of prealloc extent past i_size after fsync (bsc#1172343).
- BTRFS: relocation: add error injection points for cancelling balance (bsc#1171417).
- BTRFS: relocation: Check cancel request after each data page read (bsc#1171417).
- BTRFS: relocation: Check cancel request after each extent found (bsc#1171417).
- BTRFS: relocation: Clear the DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417).
- BTRFS: relocation: Fix reloc root leakage and the NULL pointer reference caused by the leakage (bsc#1171417).
- BTRFS: relocation: Work around dead relocation stage loop (bsc#1171417).
- BTRFS: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366).
- BTRFS: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366).
- BTRFS: setup a nofs context for memory allocation at btrfs_create_tree() (bsc#1172127).
- BTRFS: setup a nofs context for memory allocation at __btrfs_set_acl (bsc#1172127).
- BTRFS: use nofs context when initializing security xattrs to avoid deadlock (bsc#1172127).
- can: add missing attribute validation for termination (networking-stable-20_03_14).
- cdc-acm: close race betrween suspend() and acm_softint (git-fixes).
- cdc-acm: introduce a cool down (git-fixes).
- ceph: check if file lock exists before sending unlock request (bsc#1168789).
- ceph: demote quotarealm lookup warning to a debug message (bsc#1171692).
- ceph: fix double unlock in handle_cap_export() (bsc#1171694).
- ceph: fix endianness bug when handling MDS session feature bits (bsc#1171695).
- cgroup, netclassid: periodically release file_lock on classid updating (networking-stable-20_03_14).
- cifs: Allocate crypto structures on the fly for calculating signatures of incoming packets (bsc#1144333).
- cifs: Allocate encryption header through kmalloc (bsc#1144333).
- cifs: allow unlock flock and OFD lock across fork (bsc#1144333).
- cifs: check new file size when extending file by fallocate (bsc#1144333).
- cifs: cifspdu.h: Replace zero-length array with flexible-array member (bsc#1144333).
- cifs: clear PF_MEMALLOC before exiting demultiplex thread (bsc#1144333).
- cifs: do not share tcons with DFS (bsc#1144333).
- cifs: dump the session id and keys also for SMB2 sessions (bsc#1144333).
- cifs: ensure correct super block for DFS reconnect (bsc#1144333).
- cifs: Fix bug which the return value by asynchronous read is error (bsc#1144333).
- cifs: fix uninitialised lease_key in open_shroot() (bsc#1144333).
- cifs: improve read performance for page size 64KB & cache=strict & vers=2.1+ (bsc#1144333).
- cifs: Increment num_remote_opens stats counter even in case of smb2_query_dir_first (bsc#1144333).
- cifs: minor update to comments around the cifs_tcp_ses_lock mutex (bsc#1144333).
- cifs: protect updating server->dstaddr with a spinlock (bsc#1144333).
- cifs: smb2pdu.h: Replace zero-length array with flexible-array member (bsc#1144333).
- cifs: smbd: Calculate the correct maximum packet size for segmented SMBDirect send/receive (bsc#1144333).
- cifs: smbd: Check and extend sender credits in interrupt context (bsc#1144333).
- cifs: smbd: Check send queue size before posting a send (bsc#1144333).
- cifs: smbd: Do not schedule work to send immediate packet on every receive (bsc#1144333).
- cifs: smbd: Merge code to track pending packets (bsc#1144333).
- cifs: smbd: Properly process errors on ib_post_send (bsc#1144333).
- cifs: smbd: Update receive credits before sending and deal with credits roll back on failure before sending (bsc#1144333).
- cifs: Warn less noisily on default mount (bsc#1144333).
- clk: Add clk_hw_unregister_composite helper function definition (bsc#1051510).
- clk: imx6ull: use OSC clock during AXI rate change (bsc#1051510).
- clk: imx: make mux parent strings const (bsc#1051510).
- clk: mediatek: correct the clocks for MT2701 HDMI PHY module (bsc#1051510).
- clk: sunxi-ng: a64: Fix gate bit of DSI DPHY (bsc#1051510).
- clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620, bsc#1170621).
- clocksource: dw_apb_timer_of: Fix missing clockevent timers (bsc#1051510).
- component: Silence bind error on -EPROBE_DEFER (bsc#1051510).
- coresight: do not use the BIT() macro in the UAPI header (git fixes (block drivers)).
- cpufreq: s3c64xx: Remove pointless NULL check in s3c64xx_cpufreq_driver_init (bsc#1051510).
- crypto: ccp - AES CFB mode is a stream cipher (git-fixes).
- crypto: ccp - Clean up and exit correctly on allocation failure (git-fixes).
- crypto: ccp - Cleanup misc_dev on sev_exit() (bsc#1114279).
- crypto: ccp - Cleanup sp_dev_master in psp_dev_destroy() (bsc#1114279).
- cxgb4: fix MPS index overwrite when setting MAC address (bsc#1127355).
- cxgb4: fix Txq restart check during backpressure (bsc#1127354 bsc#1127371).
- debugfs: Add debugfs_create_xul() for hexadecimal unsigned long (git-fixes).
- debugfs_lookup(): switch to lookup_one_len_unlocked() (bsc#1171979).
- devlink: fix return value after hitting end in region read (bsc#1109837).
- devlink: validate length of param values (bsc#1109837).
- devlink: validate length of region addr/len (bsc#1109837).
- dmaengine: dmatest: Fix iteration non-stop logic (bsc#1051510).
- dm mpath: switch paths in dm_blk_ioctl() code path (bsc#1167574).
- dm-raid1: fix invalid return value from dm_mirror (bsc#1172378).
- dm writecache: fix data corruption when reloading the target (git fixes (block drivers)).
- dm writecache: fix incorrect flush sequence when doing SSD mode commit (git fixes (block drivers)).
- dm writecache: verify watermark during resume (git fixes (block drivers)).
- dm zoned: fix invalid memory access (git fixes (block drivers)).
- dm zoned: reduce overhead of backing device checks (git fixes (block drivers)).
- dm zoned: remove duplicate nr_rnd_zones increase in dmz_init_zone() (git fixes (block drivers)).
- dm zoned: support zone sizes smaller than 128MiB (git fixes (block drivers)).
- dp83640: reverse arguments to list_add_tail (git-fixes).
- drivers: hv: Add a module description line to the hv_vmbus driver (bsc#1172249, bsc#1172251).
- drivers/net/ibmvnic: Update VNIC protocol version reporting (bsc#1065729).
- drivers: w1: add hwmon support structures (jsc#SLE-11048).
- drivers: w1: add hwmon temp support for w1_therm (jsc#SLE-11048).
- drivers: w1: refactor w1_slave_show to make the temp reading functionality separate (jsc#SLE-11048).
- drm: amd/acp: fix broken menu structure (bsc#1114279)
  * context changes
- drm/amdgpu: Correctly initialize thermal controller for GPUs with Powerplay table v0 (e.g Hawaii) (bsc#1111666).
- drm/amdgpu: Fix oops when pp_funcs is unset in ACPI event (bsc#1111666).
- drm/amd/powerplay: force the trim of the mclk dpm_levels if OD is (bsc#1113956)
- drm/atomic: Take the atomic toys away from X (bsc#1112178)
  * context changes
- drm/crc: Actually allow to change the crc source (bsc#1114279)
  * offset changes
- drm/dp_mst: Fix clearing payload state on topology disable (bsc#1051510).
- drm/dp_mst: Reformat drm_dp_check_act_status() a bit (bsc#1051510).
- drm/edid: Fix off-by-one in DispID DTD pixel clock (bsc#1114279)
- drm/etnaviv: fix perfmon domain interation (bsc#1113956)
- drm/etnaviv: rework perfmon query infrastructure (bsc#1112178)
- drm/i915: Apply Wa_1406680159:icl,ehl as an engine workaround (bsc#1112178)
  * rename gt/intel_workarounds.c to intel_workarounds.c
  * context changes
- drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of (bsc#1114279)
- drm/i915: HDCP: fix Ri prime check done during link check (bsc#1112178)
  * rename display/intel_hdmi.c to intel_hdmi.c
  * context changes
- drm/i915: properly sanity check batch_start_offset (bsc#1114279)
  * renamed display/intel_fbc.c -> intel_fb.c
  * renamed gt/intel_rc6.c -> intel_pm.c
  * context changes
- drm/meson: Delete an error message in meson_dw_hdmi_bind() (bsc#1051510).
- drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem (bsc#1114279)
- drm/qxl: qxl_release leak in qxl_draw_dirty_fb() (bsc#1051510).
- drm/qxl: qxl_release leak in qxl_hw_surface_alloc() (bsc#1051510).
- drm/qxl: qxl_release use after free (bsc#1051510).
- drm: Remove PageReserved manipulation from drm_pci_alloc (bsc#1114279)
  * offset changes
- drm/sun4i: dsi: Allow binding the host without a panel (bsc#1113956)
- drm/sun4i: dsi: Avoid hotplug race with DRM driver bind (bsc#1113956)
- drm/sun4i: dsi: Remove incorrect use of runtime PM (bsc#1113956)
  * context changes
- drm/sun4i: dsi: Remove unused drv from driver context (bsc#1113956)
  * context changes
  * keep include of sun4i_drv.h
- dump_stack: avoid the livelock of the dump_lock (git fixes (block drivers)).
- EDAC, sb_edac: Add support for systems with segmented PCI buses (bsc#1169525).
- ext4: do not zeroout extents beyond i_disksize (bsc#1167851).
- ext4: fix extent_status fragmentation for plain files (bsc#1171949).
- ext4: use non-movable memory for superblock readahead (bsc#1171952).
- fanotify: fix merging marks masks with FAN_ONDIR (bsc#1171679).
- fbcon: fix null-ptr-deref in fbcon_switch (bsc#1114279)
  * rename drivers/video/fbdev/core to drivers/video/console
  * context changes
- fib: add missing attribute validation for tun_id (networking-stable-20_03_14).
- firmware: qcom: scm: fix compilation error when disabled (bsc#1051510).
- fs/cifs: fix gcc warning in sid_to_id (bsc#1144333).
- fs/seq_file.c: simplify seq_file iteration code and interface (bsc#1170125).
- gpio: tegra: mask GPIO IRQs during IRQ shutdown (bsc#1051510).
- gre: fix uninit-value in __iptunnel_pull_header (networking-stable-20_03_14).
- HID: hid-input: clear unmapped usages (git-fixes).
- HID: Hyper-V: Add a module description line (bsc#1172249, bsc#1172251).
- HID: i2c-hid: add Trekstor Primebook C11B to descriptor override (git-fixes).
- HID: i2c-hid: override HID descriptors for certain devices (git-fixes).
- HID: multitouch: add eGalaxTouch P80H84 support (bsc#1051510).
- HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices (git-fixes).
- hrtimer: Annotate lockless access to timer->state (git fixes (block drivers)).
- hsr: add restart routine into hsr_get_node_list() (networking-stable-20_03_28).
- hsr: check protocol version in hsr_newlink() (networking-stable-20_04_17).
- hsr: fix general protection fault in hsr_addr_is_self() (networking-stable-20_03_28).
- hsr: set .netnsok flag (networking-stable-20_03_28).
- hsr: use rcu_read_lock() in hsr_get_node_{list/status}() (networking-stable-20_03_28).
- i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present (git-fixes).
- i2c: acpi: put device when verifying client fails (git-fixes).
- i2c: brcmstb: remove unused struct member (git-fixes).
- i2c: core: Allow empty id_table in ACPI case as well (git-fixes).
- i2c: core: decrease reference count of device node in i2c_unregister_device (git-fixes).
- i2c: dev: Fix the race between the release of i2c_dev and cdev (bsc#1051510).
- i2c: fix missing pm_runtime_put_sync in i2c_device_probe (git-fixes).
- i2c-hid: properly terminate i2c_hid_dmi_desc_override_table array (git-fixes).
- i2c: i801: Do not add ICH_RES_IO_SMI for the iTCO_wdt device (git-fixes).
- i2c: iproc: Stop advertising support of SMBUS quick cmd (git-fixes).
- i2c: isch: Remove unnecessary acpi.h include (git-fixes).
- i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' (bsc#1051510).
- i2c: st: fix missing struct parameter description (bsc#1051510).
- IB/mlx5: Fix missing congestion control debugfs on rep rdma device (bsc#1103991).
- ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239).
- iio:ad7797: Use correct attribute_group (bsc#1051510).
- iio: adc: stm32-adc: fix device used to request dma (bsc#1051510).
- iio: adc: stm32-adc: fix sleep in atomic context (git-fixes).
- iio: adc: stm32-adc: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1051510).
- iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' (bsc#1051510).
- iio: sca3000: Remove an erroneous 'get_device()' (bsc#1051510).
- iio: xilinx-xadc: Fix ADC-B powerdown (bsc#1051510).
- iio: xilinx-xadc: Fix clearing interrupt when enabling trigger (bsc#1051510).
- iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode (bsc#1051510).
- ima: Fix return value of ima_write_policy() (git-fixes).
- Input: evdev - call input_flush_device() on release(), not flush() (bsc#1051510).
- Input: hyperv-keyboard - add module description (bsc#1172249, bsc#1172251).
- Input: i8042 - add Acer Aspire 5738z to nomux list (bsc#1051510).
- Input: i8042 - add ThinkPad S230u to i8042 reset list (bsc#1051510).
- Input: raydium_i2c_ts - use true and false for boolean values (bsc#1051510).
- Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() (bsc#1051510).
- Input: synaptics-rmi4 - really fix attn_data use-after-free (git-fixes).
- Input: usbtouchscreen - add support for BonXeon TP (bsc#1051510).
- Input: xpad - add custom init packet for Xbox One S controllers (bsc#1051510).
- iommu/amd: Call domain_flush_complete() in update_domain() (bsc#1172096).
- iommu/amd: Do not flush Device Table in iommu_map_page() (bsc#1172097).
- iommu/amd: Do not loop forever when trying to increase address space (bsc#1172098).
- iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system (bsc#1172099).
- iommu/amd: Fix over-read of ACPI UID from IVRS table (bsc#1172101).
- iommu/amd: Fix race in increase_address_space()/fetch_pte() (bsc#1172102).
- iommu/amd: Update Device Table in increase_address_space() (bsc#1172103).
- iommu: Fix reference count leak in iommu_group_alloc (bsc#1172397).
- ip6_tunnel: Allow rcv/xmit even if remote address is a local address (bsc#1166978).
- ipv4: fix a RCU-list lock in fib_triestat_seq_show (networking-stable-20_04_02).
- ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface (networking-stable-20_03_14).
- ipv6: do not auto-add link-local address to lag ports (networking-stable-20_04_09).
- ipv6: fix IPV6_ADDRFORM operation logic (bsc#1171662).
- ipv6: fix restrict IPV6_ADDRFORM operation (bsc#1171662).
- ipvlan: add cond_resched_rcu() while processing muticast backlog (networking-stable-20_03_14).
- ipvlan: do not deref eth hdr before checking it's set (networking-stable-20_03_14).
- ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast() (networking-stable-20_03_14).
- iwlwifi: pcie: actually release queue memory in TVQM (bsc#1051510).
- ixgbe: do not check firmware errors (bsc#1170284).
- kabi fix for early XHCI debug (git-fixes).
- kabi for for md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes).
- kabi/severities: Do not track KVM internal symbols.
- kabi/severities: Ingnore get_dev_data() The function is internal to the AMD IOMMU driver and must not be called by any third party.
- kabi workaround for snd_rawmidi buffer_ref field addition (git-fixes).
- KEYS: reaching the keys quotas correctly (bsc#1051510).
- KVM: arm64: Change hyp_panic()s dependency on tpidr_el2 (bsc#1133021).
- KVM: arm64: Stop save/restoring host tpidr_el1 on VHE (bsc#1133021).
- KVM: Check validity of resolved slot when searching memslots (bsc#1172104).
- KVM: s390: vsie: Fix delivery of addressing exceptions (git-fixes).
- KVM: SVM: Fix potential memory leak in svm_cpu_init() (bsc#1171736).
- KVM x86: Extend AMD specific guest behavior to Hygon virtual CPUs (bsc#1152489).
- l2tp: Allow management of tunnels and session in user namespace (networking-stable-20_04_17).
- libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() (bsc#1051510).
- libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set (bsc#1051510).
- lib: raid6: fix awk build warnings (git fixes (block drivers)).
- lib/raid6/test: fix build on distros whose /bin/sh is not bash (git fixes (block drivers)).
- lib/stackdepot.c: fix global out-of-bounds in stack_slabs (git fixes (block drivers)).
- locks: print unsigned ino in /proc/locks (bsc#1171951).
- mac80211: add ieee80211_is_any_nullfunc() (bsc#1051510).
- mac80211_hwsim: Use kstrndup() in place of kasprintf() (bsc#1051510).
- mac80211: mesh: fix discovery timer re-arming issue / crash (bsc#1051510).
- macsec: avoid to set wrong mtu (bsc#1051510).
- macsec: restrict to ethernet devices (networking-stable-20_03_28).
- macvlan: add cond_resched() during multicast processing (networking-stable-20_03_14).
- macvlan: fix null dereference in macvlan_device_event() (bsc#1051510).
- md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes).
- md/raid0: Fix an error message in raid0_make_request() (git fixes (block drivers)).
- md/raid10: prevent access of uninitialized resync_pages offset (git-fixes).
- media: dvb: return -EREMOTEIO on i2c transfer failure (bsc#1051510).
- media: platform: fcp: Set appropriate DMA parameters (bsc#1051510).
- media: ti-vpe: cal: fix disable_irqs to only the intended target (git-fixes).
- mei: release me_cl object reference (bsc#1051510).
- mlxsw: Fix some IS_ERR() vs NULL bugs (networking-stable-20_04_27).
- mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE (networking-stable-20_04_09).
- mlxsw: spectrum_mr: Fix list iteration in error path (bsc#1112374).
- mmc: atmel-mci: Fix debugfs on 64-bit platforms (git-fixes).
- mmc: core: Check request type before completing the request (git-fixes).
- mmc: core: Fix recursive locking issue in CQE recovery path (git-fixes).
- mmc: cqhci: Avoid false "cqhci: CQE stuck on" by not open-coding timeout loop (git-fixes).
- mmc: dw_mmc: Fix debugfs on 64-bit platforms (git-fixes).
- mmc: meson-gx: make sure the descriptor is stopped on errors (git-fixes).
- mmc: meson-gx: simplify interrupt handler (git-fixes).
- mmc: renesas_sdhi: limit block count to 16 bit for old revisions (git-fixes).
- mmc: sdhci-esdhc-imx: fix the mask for tuning start point (bsc#1051510).
- mmc: sdhci-msm: Clear tuning done flag while hs400 tuning (bsc#1051510).
- mmc: sdhci-of-at91: fix memleak on clk_get failure (git-fixes).
- mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers (bsc#1051510).
- mmc: sdhci-xenon: fix annoying 1.8V regulator warning (bsc#1051510).
- mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card() (bsc#1051510).
- mmc: tmio: fix access width of Block Count Register (git-fixes).
- mm: limit boost_watermark on small zones (git fixes (mm/pgalloc)).
- mm: thp: handle page cache THP correctly in PageTransCompoundMap (git fixes (block drivers)).
- mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer (bsc#1051510).
- mtd: spi-nor: cadence-quadspi: add a delay in write sequence (git-fixes).
- mtd: spi-nor: enable 4B opcodes for mx66l51235l (git-fixes).
- mwifiex: avoid -Wstringop-overflow warning (bsc#1051510).
- mwifiex: Fix memory corruption in dump_station (bsc#1051510).
- net: bcmgenet: correct per TX/RX ring statistics (networking-stable-20_04_27).
- net: dsa: b53: Fix ARL register definitions (networking-stable-20_04_27).
- net: dsa: b53: Rework ARL bin logic (networking-stable-20_04_27).
- net: dsa: bcm_sf2: Do not register slave MDIO bus with OF (networking-stable-20_04_09).
- net: dsa: bcm_sf2: Ensure correct sub-node is parsed (networking-stable-20_04_09).
- net: dsa: Fix duplicate frames flooded by learning (networking-stable-20_03_28).
- net: dsa: mv88e6xxx: fix lockup on warm boot (networking-stable-20_03_14).
- net/ethernet: add Google GVE driver (jsc#SLE-10538)
- net: fec: add phy_reset_after_clk_enable() support (git-fixes).
- net: fec: validate the new settings in fec_enet_set_coalesce() (networking-stable-20_03_14).
- net: fix race condition in __inet_lookup_established() (bsc#1151794).
- net: fq: add missing attribute validation for orphan mask (networking-stable-20_03_14).
- net: hns3: fix "tc qdisc del" failed issue (bsc#1109837).
- net, ip_tunnel: fix interface lookup with no key (networking-stable-20_04_02).
- net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin (networking-stable-20_04_17).
- net: ipv6: do not consider routes via gateways for anycast address check (networking-stable-20_04_17).
- netlink: Use netlink header as base to calculate bad attribute offset (networking-stable-20_03_14).
- net: macsec: update SCI upon MAC address change (networking-stable-20_03_14).
- net: memcg: fix lockdep splat in inet_csk_accept() (networking-stable-20_03_14).
- net: memcg: late association of sock to memcg (networking-stable-20_03_14).
- net/mlx4_en: avoid indirect call in TX completion (networking-stable-20_04_27).
- net/mlx5: Add new fields to Port Type and Speed register (bsc#1171118).
- net/mlx5: Expose link speed directly (bsc#1171118).
- net/mlx5: Expose port speed when possible (bsc#1171118).
- net/mlx5: Fix failing fw tracer allocation on s390 (bsc#1103990).
- net: mvneta: Fix the case where the last poll did not process all rx (networking-stable-20_03_28).
- net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node (networking-stable-20_04_27).
- net/packet: tpacket_rcv: do not increment ring index on drop (networking-stable-20_03_14).
- net: qmi_wwan: add support for ASKEY WWHC050 (networking-stable-20_03_28).
- net: revert default NAPI poll timeout to 2 jiffies (networking-stable-20_04_17).
- net_sched: cls_route: remove the right filter from hashtable (networking-stable-20_03_28).
- net_sched: sch_skbprio: add message validation to skbprio_change() (bsc#1109837).
- net/x25: Fix x25_neigh refcnt leak when receiving frame (networking-stable-20_04_27).
- nfc: add missing attribute validation for SE API (networking-stable-20_03_14).
- nfc: add missing attribute validation for vendor subcommand (networking-stable-20_03_14).
- nfc: st21nfca: add missed kfree_skb() in an error path (bsc#1051510).
- nfp: abm: fix a memory leak bug (bsc#1109837).
- nfsd4: fix up replay_matches_cache() (git-fixes).
- nfsd: Ensure CLONE persists data and metadata changes to the target file (git-fixes).
- nfsd: fix delay timer on 32-bit architectures (git-fixes).
- nfsd: fix jiffies/time_t mixup in LRU list (git-fixes).
- NFS: Directory page cache pages need to be locked when read (git-fixes).
- nfsd: memory corruption in nfsd4_lock() (git-fixes).
- NFS: Do not call generic_error_remove_page() while holding locks (bsc#1170457).
- NFS: Fix memory leaks and corruption in readdir (git-fixes).
- NFS: Fix O_DIRECT accounting of number of bytes read/written (git-fixes).
- NFS: Fix potential posix_acl refcnt leak in nfs3_set_acl (git-fixes).
- NFS: fix racey wait in nfs_set_open_stateid_locked (bsc#1170592).
- NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O (git-fixes).
- NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes() (git-fixes).
- NFS: Revalidate the file size on a fatal write error (git-fixes).
- NFSv4.0: nfs4_do_fsinfo() should not do implicit lease renewals (git-fixes).
- NFSv4: Do not allow a cached open with a revoked delegation (git-fixes).
- NFSv4: Fix leak of clp->cl_acceptor string (git-fixes).
- NFSv4/pnfs: Return valid stateids in nfs_layout_find_inode_by_stateid() (git-fixes).
- NFSv4: try lease recovery on NFS4ERR_EXPIRED (git-fixes).
- NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn (git-fixes).
- nl802154: add missing attribute validation for dev_type (networking-stable-20_03_14).
- nl802154: add missing attribute validation (networking-stable-20_03_14).
- nvme-fc: print proper nvme-fc devloss_tmo value (bsc#1172391).
- objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514).
- objtool: Fix switch table detection in .text.unlikely (bsc#1169514).
- objtool: Make BP scratch register warning more robust (bsc#1169514).
- padata: Remove broken queue flushing (git-fixes).
- Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()" (git fixes (block drivers)).
- PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2 (bsc#1172201, bsc#1172202).
- PCI: hv: Decouple the func definition in hv_dr_state from VSP message (bsc#1172201, bsc#1172202).
- pinctrl: baytrail: Enable pin configuration setting for GPIO chip (git-fixes).
- pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler (git-fixes).
- pinctrl: sunrisepoint: Fix PAD lock register offset for SPT-H (git-fixes).
- platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA (bsc#1051510).
- pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors (git-fixes).
- powerpc: Add attributes for setjmp/longjmp (bsc#1065729).
- powerpc/pci/of: Parse unassigned resources (bsc#1065729).
- powerpc/setup_64: Set cache-line-size based on cache-block-size (bsc#1065729).
- powerpc/sstep: Fix DS operand in ld encoding to appropriate value (bsc#1065729).
- r8152: check disconnect status after long sleep (networking-stable-20_03_14).
- raid6/ppc: Fix build for clang (git fixes (block drivers)).
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).
- rcu: locking and unlocking need to always be at least barriers (git fixes (block drivers)).
- Revert "ALSA: hda/realtek: Fix pop noise on ALC225" (git-fixes).
- Revert "drm/panel: simple: Add support for Sharp LQ150X1LG11 panels" (bsc#1114279)
  * offset changes
- Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" (bsc#1172221).
- Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow" (bsc#1103992).
- rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() (bsc#1051510).
- s390/cpum_cf: Add new extended counters for IBM z15 (bsc#1169762 LTC#185291).
- s390/ftrace: fix potential crashes when switching tracers (git-fixes).
- s390/ism: fix error return code in ism_probe() (git-fixes).
- s390/pci: do not set affinity for floating irqs (git-fixes).
- s390/pci: Fix possible deadlock in recover_store() (bsc#1165183 LTC#184103).
- s390/pci: Recover handle in clp_set_pci_fn() (bsc#1165183 LTC#184103).
- scripts/decodecode: fix trapping instruction formatting (bsc#1065729).
- scripts/dtc: Remove redundant YYLOC global declaration (bsc#1160388).
- scsi: bnx2i: fix potential use after free (bsc#1171600).
- scsi: core: Handle drivers which set sg_tablesize to zero (bsc#1171601)
  This commit also required:
  > scsi: core: avoid preallocating big SGL for data
- scsi: core: save/restore command resid for error handling (bsc#1171602).
- scsi: core: scsi_trace: Use get_unaligned_be*() (bsc#1171604).
- scsi: core: try to get module before removing device (bsc#1171605).
- scsi: csiostor: Adjust indentation in csio_device_reset (bsc#1171606).
- scsi: csiostor: Do not enable IRQs too early (bsc#1171607).
- scsi: esas2r: unlock on error in esas2r_nvram_read_direct() (bsc#1171608).
- scsi: fnic: fix invalid stack access (bsc#1171609).
- scsi: fnic: fix msix interrupt allocation (bsc#1171610).
- scsi: ibmvscsi: Fix WARN_ON during event pool release (bsc#1170791 ltc#185128).
- scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func (bsc#1171611).
- scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1171612).
- scsi: iscsi: qla4xxx: fix double free in probe (bsc#1171613).
- scsi: lpfc: Change default queue allocation for reduced memory consumption (bsc#1164780).
- scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences (bsc#1171614).
- scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1171615).
- scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event (bsc#1164780).
- scsi: lpfc: Fix MDS Diagnostic Enablement definition (bsc#1164780).
- scsi: lpfc: Fix negation of else clause in lpfc_prep_node_fc4type (bsc#1164780).
- scsi: lpfc: Fix noderef and address space warnings (bsc#1164780).
- scsi: lpfc: Maintain atomic consistency of queue_claimed flag (bsc#1164780).
- scsi: lpfc: remove duplicate unloading checks (bsc#1164780).
- scsi: lpfc: Remove re-binding of nvme rport during registration (bsc#1164780).
- scsi: lpfc: Remove redundant initialization to variable rc (bsc#1164780).
- scsi: lpfc: Remove unnecessary lockdep_assert_held calls (bsc#1164780).
- scsi: lpfc: Update lpfc version to 12.8.0.1 (bsc#1164780).
- scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state (bsc#1171616).
- scsi: qla2xxx: add ring buffer for tracing debug logs (bsc#1157169).
- scsi: qla2xxx: check UNLOADING before posting async work (bsc#1157169).
- scsi: qla2xxx: Delete all sessions before unregister local nvme port (bsc#1157169).
- scsi: qla2xxx: Do not log message when reading port speed via sysfs (bsc#1157169).
- scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV (bsc#1157169).
- scsi: qla2xxx: Fix regression warnings (bsc#1157169).
- scsi: qla2xxx: Remove non functional code (bsc#1157169).
- scsi: qla2xxx: set UNLOADING before waiting for session deletion (bsc#1157169).
- scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free (bsc#1171617).
- scsi: qla4xxx: fix double free bug (bsc#1171618).
- scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI (bsc#1171619).
- scsi: sg: add sg_remove_request in sg_common_write (bsc#1171620).
- scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) (bsc#1171621).
- scsi: ufs: change msleep to usleep_range (bsc#1171622).
- scsi: ufs: Clean up ufshcd_scale_clks() and clock scaling error out path (bsc#1171623).
- scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic (bsc#1171624).
- scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails (bsc#1171625).
- scsi: ufs: Recheck bkops level if bkops is disabled (bsc#1171626).
- sctp: fix possibly using a bad saddr with a given dst (networking-stable-20_04_02).
- sctp: fix refcount bug in sctp_wfree (networking-stable-20_04_02).
- selftests/powerpc: Fix build errors in powerpc ptrace selftests (boo#1124278).
- Separate one more kABI fixup from the functional change:
- seq_file: fix problem when seeking mid-record (bsc#1170125).
- serial: uartps: Move the spinlock after the read of the tx empty (git-fixes).
- sfc: detach from cb_page in efx_copy_channel() (networking-stable-20_03_14).
- signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig (bsc#1172185).
- slcan: not call free_netdev before rtnl_unlock in slcan_open (networking-stable-20_03_28).
- slip: make slhc_compress() more robust against malicious packets (networking-stable-20_03_14).
- SMB3: Additional compression structures (bsc#1144333).
- SMB3: Add new compression flags (bsc#1144333).
- SMB3: change noisy error message to FYI (bsc#1144333).
- SMB3: enable swap on SMB3 mounts (bsc#1144333).
- SMB3: Minor cleanup of protocol definitions (bsc#1144333).
- SMB3: remove overly noisy debug line in signing errors (bsc#1144333).
- SMB3: smbdirect support can be configured by default (bsc#1144333). - SMB3: use SMB2_SIGNATURE_SIZE define (bsc#1144333). - spi: bcm63xx-hsspi: Really keep pll clk enabled (bsc#1051510). - spi: bcm-qspi: when tx/rx buffer is NULL set to 0 (bsc#1051510). - spi: dw: Add SPI Rx-done wait method to DMA-based transfer (bsc#1051510). - spi: dw: Zero DMA Tx and Rx configurations on stack (bsc#1051510). - spi: pxa2xx: Add CS control clock quirk (bsc#1051510). - spi: qup: call spi_qup_pm_resume_runtime before suspending (bsc#1051510). - spi/zynqmp: remove entry that causes a cs glitch (bsc#1051510). - staging: comedi: dt2815: fix writing hi byte of analog output (bsc#1051510). - staging: comedi: Fix comedi_device refcnt leak in comedi_open (bsc#1051510). - staging: iio: ad2s1210: Fix SPI reading (bsc#1051510). - supported.conf: Add br_netfilter to base (bsc#1169020). - supported.conf: support w1 core and thermometer support - svcrdma: Fix double svc_rdma_send_ctxt_put() in an error path (bsc#1103992). - svcrdma: Fix leak of transport addresses (git-fixes). - svcrdma: Fix trace point use-after-free race (bsc#1103992 ). - taskstats: fix data-race (bsc#1172188). - tcp: cache line align MAX_TCP_HEADER (networking-stable-20_04_27). - tcp: repair: fix TCP_QUEUE_SEQ implementation (networking-stable-20_03_28). - team: add missing attribute validation for array index (networking-stable-20_03_14). - team: add missing attribute validation for port ifindex (networking-stable-20_03_14). - team: fix hang in team_mode_get() (networking-stable-20_04_27). - tools lib traceevent: Remove unneeded qsort and uses memmove instead (git-fixes). - tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() (bsc#1065729). - tpm/tpm_tis: Free IRQ if probing fails (bsc#1082555). - tun: Do not put_page() for all negative return values from XDP program (bsc#1109837). 
- Update config files: Build w1 bus on arm64 (jsc#SLE-11048) - USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE (git-fixes). - USB: cdc-acm: restore capability check order (git-fixes). - USB: core: Fix misleading driver bug report (bsc#1051510). - USB: dwc3: do not set gadget->is_otg flag (git-fixes). - USB: dwc3: gadget: Do link recovery for SS and SSP (git-fixes). - USB: early: Handle AMD's spec-compliant identifiers, too (git-fixes). - USB: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset() (git-fixes). - USB: gadget: audio: Fix a missing error return value in audio_bind() (git-fixes). - USB: gadget: composite: Inform controller driver of self-powered (git-fixes). - USB: gadget: legacy: fix error return code in cdc_bind() (git-fixes). - USB: gadget: legacy: fix error return code in gncm_bind() (git-fixes). - usb: gadget: legacy: fix redundant initialization warnings (bsc#1051510). - USB: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' (git-fixes). - USB: gadget: udc: atmel: Fix vbus disconnect handling (git-fixes). - USB: gadget: udc: atmel: Make some symbols static (git-fixes). - USB: gadget: udc: bdc: Remove unnecessary NULL checks in bdc_req_complete (git-fixes). - USB: host: xhci-plat: keep runtime active when removing host (git-fixes). - USB: hub: Fix handling of connect changes during sleep (git-fixes). - usbnet: silence an unnecessary warning (bsc#1170770). - USB: serial: garmin_gps: add sanity checking for data length (git-fixes). - USB: serial: option: add BroadMobi BM806U (git-fixes). - USB: serial: option: add support for ASKEY WWHC050 (git-fixes). - USB: serial: option: add Wistron Neweb D19Q1 (git-fixes). - USB: serial: qcserial: Add DW5816e support (git-fixes). - USB: sisusbvga: Change port variable from signed to unsigned (git-fixes). - usb-storage: Add unusual_devs entry for JMicron JMS566 (git-fixes). 
- USB: uas: add quirk for LaCie 2Big Quadra (git-fixes). - USB: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list (git-fixes). - video: fbdev: sis: Remove unnecessary parentheses and commented code (bsc#1114279) - video: fbdev: w100fb: Fix a potential double free (bsc#1051510). - vrf: Check skb for XFRM_TRANSFORMED flag (networking-stable-20_04_27). - vxlan: check return value of gro_cells_init() (networking-stable-20_03_28). - w1: Add subsystem kernel public interface (jsc#SLE-11048). - w1: Fix slave count on 1-Wire bus (resend) (jsc#SLE-11048). - w1: keep balance of mutex locks and refcnts (jsc#SLE-11048). - w1: use put_device() if device_register() fail (jsc#SLE-11048). - watchdog: reset last_hw_keepalive time at start (git-fixes). - wcn36xx: Fix error handling path in 'wcn36xx_probe()' (bsc#1051510). - wil6210: remove reset file from debugfs (git-fixes). - wimax/i2400m: Fix potential urb refcnt leak (bsc#1051510). - workqueue: do not use wq_select_unbound_cpu() for bound works (bsc#1172130). - x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115). - x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115). - x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115). - x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115). - x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170621, bsc#1170620). - x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170617, bsc#1170618). - x86: Hyper-V: report value of misc_features (git fixes). - x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170617, bsc#1170618). 
- x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170617, bsc#1170618). - x86/kprobes: Avoid kretprobe recursion bug (bsc#1114279). - x86/resctrl: Fix invalid attempt at removing the default resource group (git-fixes). - x86/resctrl: Preserve CDP enable over CPU hotplug (bsc#1114279). - x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115). - x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115). - x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115). - x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115). - x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115). - x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115). - xen/pci: reserve MCFG areas earlier (bsc#1170145). - xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish (networking-stable-20_04_27). - xfs: clear PF_MEMALLOC before exiting xfsaild thread (git-fixes). - xfs: Correctly invert xfs_buftarg LRU isolation logic (git-fixes). - xfs: do not ever return a stale pointer from __xfs_dir3_free_read (git-fixes). - xprtrdma: Fix completion wait during device removal (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-1599=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-default-debuginfo-4.12.14-197.45.1 kernel-default-debugsource-4.12.14-197.45.1 kernel-default-livepatch-4.12.14-197.45.1 kernel-default-livepatch-devel-4.12.14-197.45.1 kernel-livepatch-4_12_14-197_45-default-1-3.5.1 References: https://www.suse.com/security/cve/CVE-2018-1000199.html https://www.suse.com/security/cve/CVE-2019-19462.html https://www.suse.com/security/cve/CVE-2019-20806.html https://www.suse.com/security/cve/CVE-2019-20812.html https://www.suse.com/security/cve/CVE-2019-9455.html https://www.suse.com/security/cve/CVE-2020-0543.html https://www.suse.com/security/cve/CVE-2020-10690.html https://www.suse.com/security/cve/CVE-2020-10711.html https://www.suse.com/security/cve/CVE-2020-10720.html https://www.suse.com/security/cve/CVE-2020-10732.html https://www.suse.com/security/cve/CVE-2020-10751.html https://www.suse.com/security/cve/CVE-2020-10757.html https://www.suse.com/security/cve/CVE-2020-12114.html https://www.suse.com/security/cve/CVE-2020-12464.html https://www.suse.com/security/cve/CVE-2020-12652.html https://www.suse.com/security/cve/CVE-2020-12653.html https://www.suse.com/security/cve/CVE-2020-12654.html https://www.suse.com/security/cve/CVE-2020-12655.html https://www.suse.com/security/cve/CVE-2020-12656.html https://www.suse.com/security/cve/CVE-2020-12657.html https://www.suse.com/security/cve/CVE-2020-12659.html https://www.suse.com/security/cve/CVE-2020-12768.html https://www.suse.com/security/cve/CVE-2020-12769.html https://www.suse.com/security/cve/CVE-2020-13143.html https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1058115 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1082555 https://bugzilla.suse.com/1083647 
https://bugzilla.suse.com/1089895 https://bugzilla.suse.com/1103990 https://bugzilla.suse.com/1103991 https://bugzilla.suse.com/1103992 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374 https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1124278 https://bugzilla.suse.com/1127354 https://bugzilla.suse.com/1127355 https://bugzilla.suse.com/1127371 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1142685 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1151794 https://bugzilla.suse.com/1152489 https://bugzilla.suse.com/1154824 https://bugzilla.suse.com/1157169 https://bugzilla.suse.com/1158265 https://bugzilla.suse.com/1160388 https://bugzilla.suse.com/1160947 https://bugzilla.suse.com/1164780 https://bugzilla.suse.com/1164871 https://bugzilla.suse.com/1165183 https://bugzilla.suse.com/1165478 https://bugzilla.suse.com/1165741 https://bugzilla.suse.com/1166969 https://bugzilla.suse.com/1166978 https://bugzilla.suse.com/1167574 https://bugzilla.suse.com/1167851 https://bugzilla.suse.com/1167867 https://bugzilla.suse.com/1168332 https://bugzilla.suse.com/1168670 https://bugzilla.suse.com/1168789 https://bugzilla.suse.com/1169020 https://bugzilla.suse.com/1169514 https://bugzilla.suse.com/1169525 https://bugzilla.suse.com/1169762 https://bugzilla.suse.com/1170056 https://bugzilla.suse.com/1170125 https://bugzilla.suse.com/1170145 https://bugzilla.suse.com/1170284 https://bugzilla.suse.com/1170345 https://bugzilla.suse.com/1170457 https://bugzilla.suse.com/1170522 https://bugzilla.suse.com/1170592 https://bugzilla.suse.com/1170617 https://bugzilla.suse.com/1170618 https://bugzilla.suse.com/1170620 https://bugzilla.suse.com/1170621 https://bugzilla.suse.com/1170770 https://bugzilla.suse.com/1170778 https://bugzilla.suse.com/1170791 https://bugzilla.suse.com/1170901 
https://bugzilla.suse.com/1171078 https://bugzilla.suse.com/1171098 https://bugzilla.suse.com/1171118 https://bugzilla.suse.com/1171189 https://bugzilla.suse.com/1171191 https://bugzilla.suse.com/1171195 https://bugzilla.suse.com/1171202 https://bugzilla.suse.com/1171205 https://bugzilla.suse.com/1171214 https://bugzilla.suse.com/1171217 https://bugzilla.suse.com/1171218 https://bugzilla.suse.com/1171219 https://bugzilla.suse.com/1171220 https://bugzilla.suse.com/1171244 https://bugzilla.suse.com/1171293 https://bugzilla.suse.com/1171417 https://bugzilla.suse.com/1171527 https://bugzilla.suse.com/1171599 https://bugzilla.suse.com/1171600 https://bugzilla.suse.com/1171601 https://bugzilla.suse.com/1171602 https://bugzilla.suse.com/1171604 https://bugzilla.suse.com/1171605 https://bugzilla.suse.com/1171606 https://bugzilla.suse.com/1171607 https://bugzilla.suse.com/1171608 https://bugzilla.suse.com/1171609 https://bugzilla.suse.com/1171610 https://bugzilla.suse.com/1171611 https://bugzilla.suse.com/1171612 https://bugzilla.suse.com/1171613 https://bugzilla.suse.com/1171614 https://bugzilla.suse.com/1171615 https://bugzilla.suse.com/1171616 https://bugzilla.suse.com/1171617 https://bugzilla.suse.com/1171618 https://bugzilla.suse.com/1171619 https://bugzilla.suse.com/1171620 https://bugzilla.suse.com/1171621 https://bugzilla.suse.com/1171622 https://bugzilla.suse.com/1171623 https://bugzilla.suse.com/1171624 https://bugzilla.suse.com/1171625 https://bugzilla.suse.com/1171626 https://bugzilla.suse.com/1171662 https://bugzilla.suse.com/1171679 https://bugzilla.suse.com/1171691 https://bugzilla.suse.com/1171692 https://bugzilla.suse.com/1171694 https://bugzilla.suse.com/1171695 https://bugzilla.suse.com/1171736 https://bugzilla.suse.com/1171817 https://bugzilla.suse.com/1171948 https://bugzilla.suse.com/1171949 https://bugzilla.suse.com/1171951 https://bugzilla.suse.com/1171952 https://bugzilla.suse.com/1171979 https://bugzilla.suse.com/1171982 
https://bugzilla.suse.com/1171983 https://bugzilla.suse.com/1172017 https://bugzilla.suse.com/1172096 https://bugzilla.suse.com/1172097 https://bugzilla.suse.com/1172098 https://bugzilla.suse.com/1172099 https://bugzilla.suse.com/1172101 https://bugzilla.suse.com/1172102 https://bugzilla.suse.com/1172103 https://bugzilla.suse.com/1172104 https://bugzilla.suse.com/1172127 https://bugzilla.suse.com/1172130 https://bugzilla.suse.com/1172185 https://bugzilla.suse.com/1172188 https://bugzilla.suse.com/1172199 https://bugzilla.suse.com/1172201 https://bugzilla.suse.com/1172202 https://bugzilla.suse.com/1172221 https://bugzilla.suse.com/1172249 https://bugzilla.suse.com/1172251 https://bugzilla.suse.com/1172317 https://bugzilla.suse.com/1172342 https://bugzilla.suse.com/1172343 https://bugzilla.suse.com/1172344 https://bugzilla.suse.com/1172366 https://bugzilla.suse.com/1172378 https://bugzilla.suse.com/1172391 https://bugzilla.suse.com/1172397 https://bugzilla.suse.com/1172453 From sle-updates at lists.suse.com Wed Jun 10 07:41:44 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 10 Jun 2020 15:41:44 +0200 (CEST) Subject: SUSE-SU-2020:1600-1: moderate: Security update for ucode-intel Message-ID: <20200610134144.4349FF3D7@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1600-1 Rating: moderate References: #1154824 #1156353 #1172466 Cross-References: CVE-2020-0543 CVE-2020-0548 CVE-2020-0549 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. 
Description:

This update for ucode-intel fixes the following issues:

Updated Intel CPU Microcode to 20200602 (prerelease) (bsc#1172466)

This update contains security mitigations for:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824).
- CVE-2020-0548, CVE-2020-0549: Additional ucode updates were supplied to mitigate the Vector Register and L1D Eviction Sampling aka "CacheOutAttack" attacks. (bsc#1156353)

Microcode Table:

Processor     Identifier           Version             Products
Model         Stepping  F-MO-S/PI  Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
HSW           C0        6-3c-3/32  00000027->00000028  Core Gen4
BDW-U/Y       E0/F0     6-3d-4/c0  0000002e->0000002f  Core Gen5
HSW-U         C0/D0     6-45-1/72  00000025->00000026  Core Gen4
HSW-H         C0        6-46-1/32  0000001b->0000001c  Core Gen4
BDW-H/E3      E0/G0     6-47-1/22  00000021->00000022  Core Gen5
SKL-U/Y       D0        6-4e-3/c0  000000d6->000000dc  Core Gen6 Mobile
SKL-U23e      K1        6-4e-3/c0  000000d6->000000dc  Core Gen6 Mobile
SKX-SP        B1        6-55-3/97  01000151->01000157  Xeon Scalable
SKX-SP        H0/M0/U0  6-55-4/b7  02000065->02006906  Xeon Scalable
SKX-D         M1        6-55-4/b7  02000065->02006906  Xeon D-21xx
CLX-SP        B0        6-55-6/bf  0400002c->04002f01  Xeon Scalable Gen2
CLX-SP        B1        6-55-7/bf  0500002c->04002f01  Xeon Scalable Gen2
SKL-H/S       R0/N0     6-5e-3/36  000000d6->000000dc  Core Gen6; Xeon E3 v5
AML-Y22       H0        6-8e-9/10  000000ca->000000d6  Core Gen8 Mobile
KBL-U/Y       H0        6-8e-9/c0  000000ca->000000d6  Core Gen7 Mobile
CFL-U43e      D0        6-8e-a/c0  000000ca->000000d6  Core Gen8 Mobile
WHL-U         W0        6-8e-b/d0  000000ca->000000d6  Core Gen8 Mobile
AML-Y42       V0        6-8e-c/94  000000ca->000000d6  Core Gen10 Mobile
CML-Y42       V0        6-8e-c/94  000000ca->000000d6  Core Gen10 Mobile
WHL-U         V0        6-8e-c/94  000000ca->000000d6  Core Gen8 Mobile
KBL-G/H/S/E3  B0        6-9e-9/2a  000000ca->000000d6  Core Gen7; Xeon E3 v6
CFL-H/S/E3    U0        6-9e-a/22  000000ca->000000d6  Core Gen8 Desktop, Mobile, Xeon E
CFL-S         B0        6-9e-b/02  000000ca->000000d6  Core Gen8
CFL-H/S       P0        6-9e-c/22  000000ca->000000d6  Core Gen9
CFL-H         R0        6-9e-d/22  000000ca->000000d6  Core Gen9 Mobile

Also contains the Intel CPU Microcode update to 20200520:

Processor     Identifier           Version             Products
Model         Stepping  F-MO-S/PI  Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
SNB-E/EN/EP   C1/M0     6-2d-6/6d  0000061f->00000621  Xeon E3/E5, Core X
SNB-E/EN/EP   C2/M1     6-2d-7/6d  00000718->0000071a  Xeon E3/E5, Core X

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1600=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1600=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1600=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (x86_64):
  ucode-intel-20200602-3.43.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64):
  ucode-intel-20200602-3.43.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64):
  ucode-intel-20200602-3.43.1

References:

https://www.suse.com/security/cve/CVE-2020-0543.html
https://www.suse.com/security/cve/CVE-2020-0548.html
https://www.suse.com/security/cve/CVE-2020-0549.html
https://bugzilla.suse.com/1154824
https://bugzilla.suse.com/1156353
https://bugzilla.suse.com/1172466

From sle-updates at lists.suse.com Wed Jun 10 07:42:49 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 10 Jun 2020 15:42:49 +0200 (CEST)
Subject: SUSE-SU-2020:1597-1: important: Security update for the Linux Kernel
Message-ID:
<20200610134249.E32D8F3D7@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1597-1
Rating: important
References: #1154824 #1164871 #1171098 #1171195 #1171202 #1171218 #1171219 #1171689 #1171698 #1172221 #1172317
Cross-References: CVE-2020-0543 CVE-2020-10757 CVE-2020-12114 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 CVE-2020-12656
Affected Products:
  SUSE OpenStack Cloud 7
  SUSE Linux Enterprise Server for SAP 12-SP2
  SUSE Linux Enterprise Server 12-SP2-LTSS
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Linux Enterprise High Availability 12-SP2
______________________________________________________________________________

An update that solves 7 vulnerabilities and has four fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824).
- CVE-2020-12656: Fixed an improper handling of certain domain_release calls which could have led to a memory leak (bsc#1171219).
- CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

The following non-security bugs were fixed:

- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1171698).
- KEYS: allow reaching the keys quotas exactly (bsc#1171689).
- KEYS: reaching the keys quotas correctly (bsc#1171689).
- Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" (bsc#1172221).
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 7:
  zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1597=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
  zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1597=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1597=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1597=1
- SUSE Linux Enterprise High Availability 12-SP2:
  zypper in -t patch SUSE-SLE-HA-12-SP2-2020-1597=1

Package List:

- SUSE OpenStack Cloud 7 (s390x x86_64):
  kernel-default-4.4.121-92.135.1
  kernel-default-base-4.4.121-92.135.1
  kernel-default-base-debuginfo-4.4.121-92.135.1
  kernel-default-debuginfo-4.4.121-92.135.1
  kernel-default-debugsource-4.4.121-92.135.1
  kernel-default-devel-4.4.121-92.135.1
  kernel-syms-4.4.121-92.135.1
- SUSE OpenStack Cloud 7 (noarch):
  kernel-devel-4.4.121-92.135.1
  kernel-macros-4.4.121-92.135.1
  kernel-source-4.4.121-92.135.1
- SUSE OpenStack Cloud 7 (x86_64):
kgraft-patch-4_4_121-92_135-default-1-3.5.1 - SUSE OpenStack Cloud 7 (s390x): kernel-default-man-4.4.121-92.135.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): kernel-default-4.4.121-92.135.1 kernel-default-base-4.4.121-92.135.1 kernel-default-base-debuginfo-4.4.121-92.135.1 kernel-default-debuginfo-4.4.121-92.135.1 kernel-default-debugsource-4.4.121-92.135.1 kernel-default-devel-4.4.121-92.135.1 kernel-syms-4.4.121-92.135.1 kgraft-patch-4_4_121-92_135-default-1-3.5.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): kernel-devel-4.4.121-92.135.1 kernel-macros-4.4.121-92.135.1 kernel-source-4.4.121-92.135.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): kernel-default-4.4.121-92.135.1 kernel-default-base-4.4.121-92.135.1 kernel-default-base-debuginfo-4.4.121-92.135.1 kernel-default-debuginfo-4.4.121-92.135.1 kernel-default-debugsource-4.4.121-92.135.1 kernel-default-devel-4.4.121-92.135.1 kernel-syms-4.4.121-92.135.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64): kgraft-patch-4_4_121-92_135-default-1-3.5.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): kernel-devel-4.4.121-92.135.1 kernel-macros-4.4.121-92.135.1 kernel-source-4.4.121-92.135.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x): kernel-default-man-4.4.121-92.135.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): kernel-devel-4.4.121-92.135.1 kernel-macros-4.4.121-92.135.1 kernel-source-4.4.121-92.135.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): kernel-default-4.4.121-92.135.1 kernel-default-base-4.4.121-92.135.1 kernel-default-base-debuginfo-4.4.121-92.135.1 kernel-default-debuginfo-4.4.121-92.135.1 kernel-default-debugsource-4.4.121-92.135.1 kernel-default-devel-4.4.121-92.135.1 kernel-syms-4.4.121-92.135.1 - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64): cluster-md-kmp-default-4.4.121-92.135.1 cluster-md-kmp-default-debuginfo-4.4.121-92.135.1 cluster-network-kmp-default-4.4.121-92.135.1 
cluster-network-kmp-default-debuginfo-4.4.121-92.135.1 dlm-kmp-default-4.4.121-92.135.1 dlm-kmp-default-debuginfo-4.4.121-92.135.1 gfs2-kmp-default-4.4.121-92.135.1 gfs2-kmp-default-debuginfo-4.4.121-92.135.1 kernel-default-debuginfo-4.4.121-92.135.1 kernel-default-debugsource-4.4.121-92.135.1 ocfs2-kmp-default-4.4.121-92.135.1 ocfs2-kmp-default-debuginfo-4.4.121-92.135.1 References: https://www.suse.com/security/cve/CVE-2020-0543.html https://www.suse.com/security/cve/CVE-2020-10757.html https://www.suse.com/security/cve/CVE-2020-12114.html https://www.suse.com/security/cve/CVE-2020-12652.html https://www.suse.com/security/cve/CVE-2020-12653.html https://www.suse.com/security/cve/CVE-2020-12654.html https://www.suse.com/security/cve/CVE-2020-12656.html https://bugzilla.suse.com/1154824 https://bugzilla.suse.com/1164871 https://bugzilla.suse.com/1171098 https://bugzilla.suse.com/1171195 https://bugzilla.suse.com/1171202 https://bugzilla.suse.com/1171218 https://bugzilla.suse.com/1171219 https://bugzilla.suse.com/1171689 https://bugzilla.suse.com/1171698 https://bugzilla.suse.com/1172221 https://bugzilla.suse.com/1172317 From sle-updates at lists.suse.com Wed Jun 10 07:44:55 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 10 Jun 2020 15:44:55 +0200 (CEST) Subject: SUSE-SU-2020:1599-1: important: Security update for the Linux Kernel Message-ID: <20200610134455.56405F3D7@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1599-1 Rating: important References: #1051510 #1058115 #1065729 #1082555 #1083647 #1089895 #1103990 #1103991 #1103992 #1104745 #1109837 #1111666 #1112178 #1112374 #1113956 #1114279 #1124278 #1127354 #1127355 #1127371 #1133021 #1142685 #1144333 #1151794 #1152489 #1154824 #1157169 #1158265 #1160388 #1160947 #1164780 #1164871 #1165183 #1165478 #1165741 #1166969 #1166978 #1167574 
#1167851 #1167867 #1168332 #1168670 #1168789 #1169020 #1169514 #1169525 #1169762 #1170056 #1170125 #1170145 #1170284 #1170345 #1170457 #1170522 #1170592 #1170617 #1170618 #1170620 #1170621 #1170770 #1170778 #1170791 #1170901 #1171078 #1171098 #1171118 #1171189 #1171191 #1171195 #1171202 #1171205 #1171214 #1171217 #1171218 #1171219 #1171220 #1171244 #1171293 #1171417 #1171527 #1171599 #1171600 #1171601 #1171602 #1171604 #1171605 #1171606 #1171607 #1171608 #1171609 #1171610 #1171611 #1171612 #1171613 #1171614 #1171615 #1171616 #1171617 #1171618 #1171619 #1171620 #1171621 #1171622 #1171623 #1171624 #1171625 #1171626 #1171662 #1171679 #1171691 #1171692 #1171694 #1171695 #1171736 #1171817 #1171948 #1171949 #1171951 #1171952 #1171979 #1171982 #1171983 #1172017 #1172096 #1172097 #1172098 #1172099 #1172101 #1172102 #1172103 #1172104 #1172127 #1172130 #1172185 #1172188 #1172199 #1172201 #1172202 #1172221 #1172249 #1172251 #1172317 #1172342 #1172343 #1172344 #1172366 #1172378 #1172391 #1172397 #1172453 Cross-References: CVE-2018-1000199 CVE-2019-19462 CVE-2019-20806 CVE-2019-20812 CVE-2019-9455 CVE-2020-0543 CVE-2020-10690 CVE-2020-10711 CVE-2020-10720 CVE-2020-10732 CVE-2020-10751 CVE-2020-10757 CVE-2020-12114 CVE-2020-12464 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 CVE-2020-12655 CVE-2020-12656 CVE-2020-12657 CVE-2020-12659 CVE-2020-12768 CVE-2020-12769 CVE-2020-13143 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Module for Legacy Software 15-SP1 SUSE Linux Enterprise Module for Development Tools 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Availability 15-SP1 ______________________________________________________________________________ An update that solves 24 vulnerabilities and has 126 fixes is now available. Description: The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes. 
The following security bugs were fixed:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824).
- CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).
- CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).
- CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).
- CVE-2020-12659: Fixed an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) due to improper headroom validation (bsc#1171214).
- CVE-2020-12657: Fixed a use-after-free in block/bfq-iosched.c (bsc#1171205).
- CVE-2020-12656: Fixed an improper handling of certain domain_release calls which could have led to a memory leak (bsc#1171219).
- CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).
- CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).
- CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).
- CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).
- CVE-2020-10732: Fixed a kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10711: Fixed a null pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).
- CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).
- CVE-2019-20806: Fixed a null pointer dereference which may have led to denial of service (bsc#1172199).
- CVE-2019-19462: Fixed an issue which could have allowed a local user to cause denial of service (bsc#1158265).
- CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895)

The following non-security bugs were fixed:

- ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe() (bsc#1051510).
- ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() (bsc#1051510).
- acpi/x86: ignore unspecified bit positions in the ACPI global lock field (bsc#1051510).
- Add br_netfilter to kernel-default-base (bsc#1169020)
- Add commit for git-fix that's not a fix This commit cleans up debug code but does not fix anything, and it relies on a new kernel function that isn't yet in this version of SLE.
- agp/intel: Reinforce the barrier after GTT updates (bsc#1051510).
- ALSA: ctxfi: Remove unnecessary cast in kfree (bsc#1051510). - ALSA: doc: Document PC Beep Hidden Register on Realtek ALC256 (bsc#1051510). - ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666). - ALSA: hda: Add driver blacklist (bsc#1051510). - ALSA: hda: Always use jackpoll helper for jack update after resume (bsc#1051510). - ALSA: hda: call runtime_allow() for all hda controllers (bsc#1051510). - ALSA: hda: Do not release card at firmware loading error (bsc#1051510). - ALSA: hda: Explicitly permit using autosuspend if runtime PM is supported (bsc#1051510). - ALSA: hda/hdmi: fix race in monitor detection during probe (bsc#1051510). - ALSA: hda/hdmi: fix without unlocked before return (bsc#1051510). - ALSA: hda: Honor PM disablement in PM freeze and thaw_noirq ops (bsc#1051510). - ALSA: hda: Keep the controller initialization even if no codecs found (bsc#1051510). - ALSA: hda: Match both PCI ID and SSID for driver blacklist (bsc#1111666). - ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround (bsc#1172017). - ALSA: hda/realtek - Add COEF workaround for ASUS ZenBook UX431DA (git-fixes). - ALSA: hda/realtek - Add HP new mute led supported for ALC236 (git-fixes). - ALSA: hda/realtek - Add more fixup entries for Clevo machines (git-fixes). - ALSA: hda/realtek - Add new codec supported for ALC245 (bsc#1051510). - ALSA: hda/realtek - Add new codec supported for ALC287 (git-fixes). - ALSA: hda/realtek: Add quirk for Samsung Notebook (git-fixes). - ALSA: hda/realtek - Add supported new mute Led for HP (git-fixes). - ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295 (git-fixes). - ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295 (git-fixes). - ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295 (git-fixes). - ALSA: hda/realtek - Enable the headset mic on Asus FX505DT (bsc#1051510). - ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse (git-fixes). 
- ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme (bsc#1111666). - ALSA: hda/realtek - Fix unexpected init_amp override (bsc#1051510). - ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 (git-fixes bsc#1171293). - ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter (bsc#1051510). - ALSA: hda: Release resources at error in delayed probe (bsc#1051510). - ALSA: hda: Remove ASUS ROG Zenith from the blacklist (bsc#1051510). - ALSA: hda: Skip controller resume if not needed (bsc#1051510). - ALSA: hwdep: fix a left shifting 1 by 31 UB bug (git-fixes). - ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option (git-fixes). - ALSA: opti9xx: shut up gcc-10 range warning (bsc#1051510). - ALSA: pcm: fix incorrect hw_base increase (git-fixes). - ALSA: pcm: oss: Place the plugin buffer overflow checks correctly (bsc#1170522). - ALSA: rawmidi: Fix racy buffer resize under concurrent accesses (git-fixes). - ALSA: usb-audio: Add connector notifier delegation (bsc#1051510). - ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset (git-fixes). - ALSA: usb-audio: add mapping for ASRock TRX40 Creator (git-fixes). - ALSA: usb-audio: Add mixer workaround for TRX40 and co (bsc#1051510). - ALSA: usb-audio: Add quirk for Focusrite Scarlett 2i2 (bsc#1051510). - ALSA: usb-audio: Add static mapping table for ALC1220-VB-based mobos (bsc#1051510). - ALSA: usb-audio: Apply async workaround for Scarlett 2i4 2nd gen (bsc#1051510). - ALSA: usb-audio: Check mapping at creating connector controls, too (bsc#1051510). - ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID (bsc#1051510). - ALSA: usb-audio: Do not create jack controls for PCM terminals (bsc#1051510). - ALSA: usb-audio: Do not override ignore_ctl_error value from the map (bsc#1051510). - ALSA: usb-audio: Filter error from connector kctl ops, too (bsc#1051510). - ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif (bsc#1051510). 
- ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC (git-fixes). - ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio (git-fixes). - ALSA: usx2y: Fix potential NULL dereference (bsc#1051510). - ASoC: codecs: hdac_hdmi: Fix incorrect use of list_for_each_entry (bsc#1051510). - ASoC: dapm: connect virtual mux with default value (bsc#1051510). - ASoC: dapm: fixup dapm kcontrol widget (bsc#1051510). - ASoC: dpcm: allow start or stop during pause for backend (bsc#1051510). - ASoC: fix regwmask (bsc#1051510). - ASoC: msm8916-wcd-digital: Reset RX interpolation path after use (bsc#1051510). - ASoC: samsung: Prevent clk_get_rate() calls in atomic context (bsc#1111666). - ASoC: topology: Check return value of pcm_new_ver (bsc#1051510). - ASoC: topology: use name_prefix for new kcontrol (bsc#1051510). - b43legacy: Fix case where channel status is corrupted (bsc#1051510). - batman-adv: fix batadv_nc_random_weight_tq (git-fixes). - batman-adv: Fix refcnt leak in batadv_show_throughput_override (git-fixes). - batman-adv: Fix refcnt leak in batadv_store_throughput_override (git-fixes). - batman-adv: Fix refcnt leak in batadv_v_ogm_process (git-fixes). - bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (git fixes (block drivers)). - bcache: fix incorrect data type usage in btree_flush_write() (git fixes (block drivers)). - bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (git fixes (block drivers)). - blk-mq: honor IO scheduler for multiqueue devices (bsc#1165478). - blk-mq: simplify blk_mq_make_request() (bsc#1165478). - block/drbd: delete invalid function drbd_md_mark_dirty_ (bsc#1171527). - block: drbd: remove a stray unlock in __drbd_send_protocol() (bsc#1171599). - block: fix busy device checking in blk_drop_partitions again (bsc#1171948). - block: fix busy device checking in blk_drop_partitions (bsc#1171948). - block: fix memleak of bio integrity data (git fixes (block drivers)). 
- block: remove the bd_openers checks in blk_drop_partitions (bsc#1171948). - bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets() (networking-stable-20_03_28). - bnxt_en: Reduce BNXT_MSIX_VEC_MAX value to supported CQs per PF (bsc#1104745). - bnxt_en: reinitialize IRQs when MTU is modified (networking-stable-20_03_14). - bnxt_en: Return error if bnxt_alloc_ctx_mem() fails (bsc#1104745 ). - bnxt_en: Return error when allocating zero size context memory (bsc#1104745). - bonding/alb: make sure arp header is pulled before accessing it (networking-stable-20_03_14). - bpf: Fix sk_psock refcnt leak when receiving message (bsc#1083647). - bpf: Forbid XADD on spilled pointers for unprivileged users (bsc#1083647). - brcmfmac: abort and release host after error (bsc#1051510). - BTRFS: fix deadlock with memory reclaim during scrub (bsc#1172127). - BTRFS: fix log context list corruption after rename whiteout error (bsc#1172342). - BTRFS: fix partial loss of prealloc extent past i_size after fsync (bsc#1172343). - BTRFS: relocation: add error injection points for cancelling balance (bsc#1171417). - BTRFS: relocation: Check cancel request after each data page read (bsc#1171417). - BTRFS: relocation: Check cancel request after each extent found (bsc#1171417). - BTRFS: relocation: Clear the DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417). - BTRFS: relocation: Fix reloc root leakage and the NULL pointer reference caused by the leakage (bsc#1171417). - BTRFS: relocation: Work around dead relocation stage loop (bsc#1171417). - BTRFS: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366). - BTRFS: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366). - BTRFS: setup a nofs context for memory allocation at btrfs_create_tree() (bsc#1172127). - BTRFS: setup a nofs context for memory allocation at __btrfs_set_acl (bsc#1172127). 
- BTRFS: use nofs context when initializing security xattrs to avoid deadlock (bsc#1172127). - can: add missing attribute validation for termination (networking-stable-20_03_14). - cdc-acm: close race betrween suspend() and acm_softint (git-fixes). - cdc-acm: introduce a cool down (git-fixes). - ceph: check if file lock exists before sending unlock request (bsc#1168789). - ceph: demote quotarealm lookup warning to a debug message (bsc#1171692). - ceph: fix double unlock in handle_cap_export() (bsc#1171694). - ceph: fix endianness bug when handling MDS session feature bits (bsc#1171695). - cgroup, netclassid: periodically release file_lock on classid updating (networking-stable-20_03_14). - cifs: Allocate crypto structures on the fly for calculating signatures of incoming packets (bsc#1144333). - cifs: Allocate encryption header through kmalloc (bsc#1144333). - cifs: allow unlock flock and OFD lock across fork (bsc#1144333). - cifs: check new file size when extending file by fallocate (bsc#1144333). - cifs: cifspdu.h: Replace zero-length array with flexible-array member (bsc#1144333). - cifs: clear PF_MEMALLOC before exiting demultiplex thread (bsc#1144333). - cifs: do not share tcons with DFS (bsc#1144333). - cifs: dump the session id and keys also for SMB2 sessions (bsc#1144333). - cifs: ensure correct super block for DFS reconnect (bsc#1144333). - cifs: Fix bug which the return value by asynchronous read is error (bsc#1144333). - cifs: fix uninitialised lease_key in open_shroot() (bsc#1144333). - cifs: improve read performance for page size 64KB & cache=strict & vers=2.1+ (bsc#1144333). - cifs: Increment num_remote_opens stats counter even in case of smb2_query_dir_first (bsc#1144333). - cifs: minor update to comments around the cifs_tcp_ses_lock mutex (bsc#1144333). - cifs: protect updating server->dstaddr with a spinlock (bsc#1144333). - cifs: smb2pdu.h: Replace zero-length array with flexible-array member (bsc#1144333). 
- cifs: smbd: Calculate the correct maximum packet size for segmented SMBDirect send/receive (bsc#1144333). - cifs: smbd: Check and extend sender credits in interrupt context (bsc#1144333). - cifs: smbd: Check send queue size before posting a send (bsc#1144333). - cifs: smbd: Do not schedule work to send immediate packet on every receive (bsc#1144333). - cifs: smbd: Merge code to track pending packets (bsc#1144333). - cifs: smbd: Properly process errors on ib_post_send (bsc#1144333). - cifs: smbd: Update receive credits before sending and deal with credits roll back on failure before sending (bsc#1144333). - cifs: Warn less noisily on default mount (bsc#1144333). - clk: Add clk_hw_unregister_composite helper function definition (bsc#1051510). - clk: imx6ull: use OSC clock during AXI rate change (bsc#1051510). - clk: imx: make mux parent strings const (bsc#1051510). - clk: mediatek: correct the clocks for MT2701 HDMI PHY module (bsc#1051510). - clk: sunxi-ng: a64: Fix gate bit of DSI DPHY (bsc#1051510). - clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620, bsc#1170621). - clocksource: dw_apb_timer_of: Fix missing clockevent timers (bsc#1051510). - component: Silence bind error on -EPROBE_DEFER (bsc#1051510). - coresight: do not use the BIT() macro in the UAPI header (git fixes (block drivers)). - cpufreq: s3c64xx: Remove pointless NULL check in s3c64xx_cpufreq_driver_init (bsc#1051510). - crypto: ccp - AES CFB mode is a stream cipher (git-fixes). - crypto: ccp - Clean up and exit correctly on allocation failure (git-fixes). - crypto: ccp - Cleanup misc_dev on sev_exit() (bsc#1114279). - crypto: ccp - Cleanup sp_dev_master in psp_dev_destroy() (bsc#1114279). - cxgb4: fix MPS index overwrite when setting MAC address (bsc#1127355). - cxgb4: fix Txq restart check during backpressure (bsc#1127354 bsc#1127371). - debugfs: Add debugfs_create_xul() for hexadecimal unsigned long (git-fixes). 
- debugfs_lookup(): switch to lookup_one_len_unlocked() (bsc#1171979). - devlink: fix return value after hitting end in region read (bsc#1109837). - devlink: validate length of param values (bsc#1109837). - devlink: validate length of region addr/len (bsc#1109837). - dmaengine: dmatest: Fix iteration non-stop logic (bsc#1051510). - dm mpath: switch paths in dm_blk_ioctl() code path (bsc#1167574). - dm-raid1: fix invalid return value from dm_mirror (bsc#1172378). - dm writecache: fix data corruption when reloading the target (git fixes (block drivers)). - dm writecache: fix incorrect flush sequence when doing SSD mode commit (git fixes (block drivers)). - dm writecache: verify watermark during resume (git fixes (block drivers)). - dm zoned: fix invalid memory access (git fixes (block drivers)). - dm zoned: reduce overhead of backing device checks (git fixes (block drivers)). - dm zoned: remove duplicate nr_rnd_zones increase in dmz_init_zone() (git fixes (block drivers)). - dm zoned: support zone sizes smaller than 128MiB (git fixes (block drivers)). - dp83640: reverse arguments to list_add_tail (git-fixes). - drivers: hv: Add a module description line to the hv_vmbus driver (bsc#1172249, bsc#1172251). - drivers/net/ibmvnic: Update VNIC protocol version reporting (bsc#1065729). - drivers: w1: add hwmon support structures (jsc#SLE-11048). - drivers: w1: add hwmon temp support for w1_therm (jsc#SLE-11048). - drivers: w1: refactor w1_slave_show to make the temp reading functionality separate (jsc#SLE-11048). - drm: amd/acp: fix broken menu structure (bsc#1114279) * context changes - drm/amdgpu: Correctly initialize thermal controller for GPUs with Powerplay table v0 (e.g Hawaii) (bsc#1111666). - drm/amdgpu: Fix oops when pp_funcs is unset in ACPI event (bsc#1111666). 
- drm/amd/powerplay: force the trim of the mclk dpm_levels if OD is (bsc#1113956) - drm/atomic: Take the atomic toys away from X (bsc#1112178) * context changes - drm/crc: Actually allow to change the crc source (bsc#1114279) * offset changes - drm/dp_mst: Fix clearing payload state on topology disable (bsc#1051510). - drm/dp_mst: Reformat drm_dp_check_act_status() a bit (bsc#1051510). - drm/edid: Fix off-by-one in DispID DTD pixel clock (bsc#1114279) - drm/etnaviv: fix perfmon domain interation (bsc#1113956) - drm/etnaviv: rework perfmon query infrastructure (bsc#1112178) - drm/i915: Apply Wa_1406680159:icl,ehl as an engine workaround (bsc#1112178) * rename gt/intel_workarounds.c to intel_workarounds.c * context changes - drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of (bsc#1114279) - drm/i915: HDCP: fix Ri prime check done during link check (bsc#1112178) * rename display/intel_hdmi.c to intel_hdmi.c * context changes - drm/i915: properly sanity check batch_start_offset (bsc#1114279) * renamed display/intel_fbc.c -> intel_fb.c * renamed gt/intel_rc6.c -> intel_pm.c * context changes - drm/meson: Delete an error message in meson_dw_hdmi_bind() (bsc#1051510). - drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem (bsc#1114279) - drm/qxl: qxl_release leak in qxl_draw_dirty_fb() (bsc#1051510). - drm/qxl: qxl_release leak in qxl_hw_surface_alloc() (bsc#1051510). - drm/qxl: qxl_release use after free (bsc#1051510). - drm: Remove PageReserved manipulation from drm_pci_alloc (bsc#1114279) * offset changes - drm/sun4i: dsi: Allow binding the host without a panel (bsc#1113956) - drm/sun4i: dsi: Avoid hotplug race with DRM driver bind (bsc#1113956) - drm/sun4i: dsi: Remove incorrect use of runtime PM (bsc#1113956) * context changes - drm/sun4i: dsi: Remove unused drv from driver context (bsc#1113956) * context changes * keep include of sun4i_drv.h - dump_stack: avoid the livelock of the dump_lock (git fixes (block drivers)). 
- EDAC, sb_edac: Add support for systems with segmented PCI buses (bsc#1169525). - ext4: do not zeroout extents beyond i_disksize (bsc#1167851). - ext4: fix extent_status fragmentation for plain files (bsc#1171949). - ext4: use non-movable memory for superblock readahead (bsc#1171952). - fanotify: fix merging marks masks with FAN_ONDIR (bsc#1171679). - fbcon: fix null-ptr-deref in fbcon_switch (bsc#1114279) * rename drivers/video/fbdev/core to drivers/video/console * context changes - fib: add missing attribute validation for tun_id (networking-stable-20_03_14). - firmware: qcom: scm: fix compilation error when disabled (bsc#1051510). - fs/cifs: fix gcc warning in sid_to_id (bsc#1144333). - fs/seq_file.c: simplify seq_file iteration code and interface (bsc#1170125). - gpio: tegra: mask GPIO IRQs during IRQ shutdown (bsc#1051510). - gre: fix uninit-value in __iptunnel_pull_header (networking-stable-20_03_14). - HID: hid-input: clear unmapped usages (git-fixes). - HID: Hyper-V: Add a module description line (bsc#1172249, bsc#1172251). - HID: i2c-hid: add Trekstor Primebook C11B to descriptor override (git-fixes). - HID: i2c-hid: override HID descriptors for certain devices (git-fixes). - HID: multitouch: add eGalaxTouch P80H84 support (bsc#1051510). - HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices (git-fixes). - hrtimer: Annotate lockless access to timer->state (git fixes (block drivers)). - hsr: add restart routine into hsr_get_node_list() (networking-stable-20_03_28). - hsr: check protocol version in hsr_newlink() (networking-stable-20_04_17). - hsr: fix general protection fault in hsr_addr_is_self() (networking-stable-20_03_28). - hsr: set .netnsok flag (networking-stable-20_03_28). - hsr: use rcu_read_lock() in hsr_get_node_{list/status}() (networking-stable-20_03_28). - i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present (git-fixes). - i2c: acpi: put device when verifying client fails (git-fixes). 
- i2c: brcmstb: remove unused struct member (git-fixes). - i2c: core: Allow empty id_table in ACPI case as well (git-fixes). - i2c: core: decrease reference count of device node in i2c_unregister_device (git-fixes). - i2c: dev: Fix the race between the release of i2c_dev and cdev (bsc#1051510). - i2c: fix missing pm_runtime_put_sync in i2c_device_probe (git-fixes). - i2c-hid: properly terminate i2c_hid_dmi_desc_override_table array (git-fixes). - i2c: i801: Do not add ICH_RES_IO_SMI for the iTCO_wdt device (git-fixes). - i2c: iproc: Stop advertising support of SMBUS quick cmd (git-fixes). - i2c: isch: Remove unnecessary acpi.h include (git-fixes). - i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' (bsc#1051510). - i2c: st: fix missing struct parameter description (bsc#1051510). - IB/mlx5: Fix missing congestion control debugfs on rep rdma device (bsc#1103991). - ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239). - iio:ad7797: Use correct attribute_group (bsc#1051510). - iio: adc: stm32-adc: fix device used to request dma (bsc#1051510). - iio: adc: stm32-adc: fix sleep in atomic context (git-fixes). - iio: adc: stm32-adc: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1051510). - iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' (bsc#1051510). - iio: sca3000: Remove an erroneous 'get_device()' (bsc#1051510). - iio: xilinx-xadc: Fix ADC-B powerdown (bsc#1051510). - iio: xilinx-xadc: Fix clearing interrupt when enabling trigger (bsc#1051510). - iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode (bsc#1051510). - ima: Fix return value of ima_write_policy() (git-fixes). - Input: evdev - call input_flush_device() on release(), not flush() (bsc#1051510). - Input: hyperv-keyboard - add module description (bsc#1172249, bsc#1172251). - Input: i8042 - add Acer Aspire 5738z to nomux list (bsc#1051510). 
- Input: i8042 - add ThinkPad S230u to i8042 reset list (bsc#1051510). - Input: raydium_i2c_ts - use true and false for boolean values (bsc#1051510). - Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() (bsc#1051510). - Input: synaptics-rmi4 - really fix attn_data use-after-free (git-fixes). - Input: usbtouchscreen - add support for BonXeon TP (bsc#1051510). - Input: xpad - add custom init packet for Xbox One S controllers (bsc#1051510). - iommu/amd: Call domain_flush_complete() in update_domain() (bsc#1172096). - iommu/amd: Do not flush Device Table in iommu_map_page() (bsc#1172097). - iommu/amd: Do not loop forever when trying to increase address space (bsc#1172098). - iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system (bsc#1172099). - iommu/amd: Fix over-read of ACPI UID from IVRS table (bsc#1172101). - iommu/amd: Fix race in increase_address_space()/fetch_pte() (bsc#1172102). - iommu/amd: Update Device Table in increase_address_space() (bsc#1172103). - iommu: Fix reference count leak in iommu_group_alloc (bsc#1172397). - ip6_tunnel: Allow rcv/xmit even if remote address is a local address (bsc#1166978). - ipv4: fix a RCU-list lock in fib_triestat_seq_show (networking-stable-20_04_02). - ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface (networking-stable-20_03_14). - ipv6: do not auto-add link-local address to lag ports (networking-stable-20_04_09). - ipv6: fix IPV6_ADDRFORM operation logic (bsc#1171662). - ipv6: fix restrict IPV6_ADDRFORM operation (bsc#1171662). - ipvlan: add cond_resched_rcu() while processing muticast backlog (networking-stable-20_03_14). - ipvlan: do not deref eth hdr before checking it's set (networking-stable-20_03_14). - ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast() (networking-stable-20_03_14). - iwlwifi: pcie: actually release queue memory in TVQM (bsc#1051510). - ixgbe: do not check firmware errors (bsc#1170284). - kabi fix for early XHCI debug (git-fixes). 
- kabi for for md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes). - kabi/severities: Do not track KVM internal symbols. - kabi/severities: Ingnore get_dev_data() The function is internal to the AMD IOMMU driver and must not be called by any third party. - kabi workaround for snd_rawmidi buffer_ref field addition (git-fixes). - KEYS: reaching the keys quotas correctly (bsc#1051510). - KVM: arm64: Change hyp_panic()s dependency on tpidr_el2 (bsc#1133021). - KVM: arm64: Stop save/restoring host tpidr_el1 on VHE (bsc#1133021). - KVM: Check validity of resolved slot when searching memslots (bsc#1172104). - KVM: s390: vsie: Fix delivery of addressing exceptions (git-fixes). - KVM: SVM: Fix potential memory leak in svm_cpu_init() (bsc#1171736). - KVM x86: Extend AMD specific guest behavior to Hygon virtual CPUs (bsc#1152489). - l2tp: Allow management of tunnels and session in user namespace (networking-stable-20_04_17). - libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() (bsc#1051510). - libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set (bsc#1051510). - lib: raid6: fix awk build warnings (git fixes (block drivers)). - lib/raid6/test: fix build on distros whose /bin/sh is not bash (git fixes (block drivers)). - lib/stackdepot.c: fix global out-of-bounds in stack_slabs (git fixes (block drivers)). - locks: print unsigned ino in /proc/locks (bsc#1171951). - mac80211: add ieee80211_is_any_nullfunc() (bsc#1051510). - mac80211_hwsim: Use kstrndup() in place of kasprintf() (bsc#1051510). - mac80211: mesh: fix discovery timer re-arming issue / crash (bsc#1051510). - macsec: avoid to set wrong mtu (bsc#1051510). - macsec: restrict to ethernet devices (networking-stable-20_03_28). - macvlan: add cond_resched() during multicast processing (networking-stable-20_03_14). - macvlan: fix null dereference in macvlan_device_event() (bsc#1051510). 
- md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes). - md/raid0: Fix an error message in raid0_make_request() (git fixes (block drivers)). - md/raid10: prevent access of uninitialized resync_pages offset (git-fixes). - media: dvb: return -EREMOTEIO on i2c transfer failure (bsc#1051510). - media: platform: fcp: Set appropriate DMA parameters (bsc#1051510). - media: ti-vpe: cal: fix disable_irqs to only the intended target (git-fixes). - mei: release me_cl object reference (bsc#1051510). - mlxsw: Fix some IS_ERR() vs NULL bugs (networking-stable-20_04_27). - mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE (networking-stable-20_04_09). - mlxsw: spectrum_mr: Fix list iteration in error path (bsc#1112374). - mmc: atmel-mci: Fix debugfs on 64-bit platforms (git-fixes). - mmc: core: Check request type before completing the request (git-fixes). - mmc: core: Fix recursive locking issue in CQE recovery path (git-fixes). - mmc: cqhci: Avoid false "cqhci: CQE stuck on" by not open-coding timeout loop (git-fixes). - mmc: dw_mmc: Fix debugfs on 64-bit platforms (git-fixes). - mmc: meson-gx: make sure the descriptor is stopped on errors (git-fixes). - mmc: meson-gx: simplify interrupt handler (git-fixes). - mmc: renesas_sdhi: limit block count to 16 bit for old revisions (git-fixes). - mmc: sdhci-esdhc-imx: fix the mask for tuning start point (bsc#1051510). - mmc: sdhci-msm: Clear tuning done flag while hs400 tuning (bsc#1051510). - mmc: sdhci-of-at91: fix memleak on clk_get failure (git-fixes). - mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers (bsc#1051510). - mmc: sdhci-xenon: fix annoying 1.8V regulator warning (bsc#1051510). - mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card() (bsc#1051510). - mmc: tmio: fix access width of Block Count Register (git-fixes). - mm: limit boost_watermark on small zones (git fixes (mm/pgalloc)). 
- mm: thp: handle page cache THP correctly in PageTransCompoundMap (git fixes (block drivers)). - mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer (bsc#1051510). - mtd: spi-nor: cadence-quadspi: add a delay in write sequence (git-fixes). - mtd: spi-nor: enable 4B opcodes for mx66l51235l (git-fixes). - mwifiex: avoid -Wstringop-overflow warning (bsc#1051510). - mwifiex: Fix memory corruption in dump_station (bsc#1051510). - net: bcmgenet: correct per TX/RX ring statistics (networking-stable-20_04_27). - net: dsa: b53: Fix ARL register definitions (networking-stable-20_04_27). - net: dsa: b53: Rework ARL bin logic (networking-stable-20_04_27). - net: dsa: bcm_sf2: Do not register slave MDIO bus with OF (networking-stable-20_04_09). - net: dsa: bcm_sf2: Ensure correct sub-node is parsed (networking-stable-20_04_09). - net: dsa: Fix duplicate frames flooded by learning (networking-stable-20_03_28). - net: dsa: mv88e6xxx: fix lockup on warm boot (networking-stable-20_03_14). - net/ethernet: add Google GVE driver (jsc#SLE-10538) - net: fec: add phy_reset_after_clk_enable() support (git-fixes). - net: fec: validate the new settings in fec_enet_set_coalesce() (networking-stable-20_03_14). - net: fix race condition in __inet_lookup_established() (bsc#1151794). - net: fq: add missing attribute validation for orphan mask (networking-stable-20_03_14). - net: hns3: fix "tc qdisc del" failed issue (bsc#1109837). - net, ip_tunnel: fix interface lookup with no key (networking-stable-20_04_02). - net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin (networking-stable-20_04_17). - net: ipv6: do not consider routes via gateways for anycast address check (networking-stable-20_04_17). - netlink: Use netlink header as base to calculate bad attribute offset (networking-stable-20_03_14). - net: macsec: update SCI upon MAC address change (networking-stable-20_03_14). - net: memcg: fix lockdep splat in inet_csk_accept() (networking-stable-20_03_14). 
- net: memcg: late association of sock to memcg (networking-stable-20_03_14). - net/mlx4_en: avoid indirect call in TX completion (networking-stable-20_04_27). - net/mlx5: Add new fields to Port Type and Speed register (bsc#1171118). - net/mlx5: Expose link speed directly (bsc#1171118). - net/mlx5: Expose port speed when possible (bsc#1171118). - net/mlx5: Fix failing fw tracer allocation on s390 (bsc#1103990 ). - net: mvneta: Fix the case where the last poll did not process all rx (networking-stable-20_03_28). - net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node (networking-stable-20_04_27). - net/packet: tpacket_rcv: do not increment ring index on drop (networking-stable-20_03_14). - net: qmi_wwan: add support for ASKEY WWHC050 (networking-stable-20_03_28). - net: revert default NAPI poll timeout to 2 jiffies (networking-stable-20_04_17). - net_sched: cls_route: remove the right filter from hashtable (networking-stable-20_03_28). - net_sched: sch_skbprio: add message validation to skbprio_change() (bsc#1109837). - net/x25: Fix x25_neigh refcnt leak when receiving frame (networking-stable-20_04_27). - nfc: add missing attribute validation for SE API (networking-stable-20_03_14). - nfc: add missing attribute validation for vendor subcommand (networking-stable-20_03_14). - nfc: st21nfca: add missed kfree_skb() in an error path (bsc#1051510). - nfp: abm: fix a memory leak bug (bsc#1109837). - nfsd4: fix up replay_matches_cache() (git-fixes). - nfsd: Ensure CLONE persists data and metadata changes to the target file (git-fixes). - nfsd: fix delay timer on 32-bit architectures (git-fixes). - nfsd: fix jiffies/time_t mixup in LRU list (git-fixes). - NFS: Directory page cache pages need to be locked when read (git-fixes). - nfsd: memory corruption in nfsd4_lock() (git-fixes). - NFS: Do not call generic_error_remove_page() while holding locks (bsc#1170457). - NFS: Fix memory leaks and corruption in readdir (git-fixes). 
- NFS: Fix O_DIRECT accounting of number of bytes read/written (git-fixes). - NFS: Fix potential posix_acl refcnt leak in nfs3_set_acl (git-fixes). - NFS: fix racey wait in nfs_set_open_stateid_locked (bsc#1170592). - NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O (git-fixes). - NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes() (git-fixes). - NFS: Revalidate the file size on a fatal write error (git-fixes). - NFSv4.0: nfs4_do_fsinfo() should not do implicit lease renewals (git-fixes). - NFSv4: Do not allow a cached open with a revoked delegation (git-fixes). - NFSv4: Fix leak of clp->cl_acceptor string (git-fixes). - NFSv4/pnfs: Return valid stateids in nfs_layout_find_inode_by_stateid() (git-fixes). - NFSv4: try lease recovery on NFS4ERR_EXPIRED (git-fixes). - NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn (git-fixes). - nl802154: add missing attribute validation for dev_type (networking-stable-20_03_14). - nl802154: add missing attribute validation (networking-stable-20_03_14). - nvme-fc: print proper nvme-fc devloss_tmo value (bsc#1172391). - objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514). - objtool: Fix switch table detection in .text.unlikely (bsc#1169514). - objtool: Make BP scratch register warning more robust (bsc#1169514). - padata: Remove broken queue flushing (git-fixes). - Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()" (git fixes (block drivers)). - PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2 (bsc#1172201, bsc#1172202). - PCI: hv: Decouple the func definition in hv_dr_state from VSP message (bsc#1172201, bsc#1172202). - pinctrl: baytrail: Enable pin configuration setting for GPIO chip (git-fixes). - pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler (git-fixes). - pinctrl: sunrisepoint: Fix PAD lock register offset for SPT-H (git-fixes). - platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA (bsc#1051510). 
- pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors (git-fixes). - powerpc: Add attributes for setjmp/longjmp (bsc#1065729). - powerpc/pci/of: Parse unassigned resources (bsc#1065729). - powerpc/setup_64: Set cache-line-size based on cache-block-size (bsc#1065729). - powerpc/sstep: Fix DS operand in ld encoding to appropriate value (bsc#1065729). - r8152: check disconnect status after long sleep (networking-stable-20_03_14). - raid6/ppc: Fix build for clang (git fixes (block drivers)). - random: always use batched entropy for get_random_u{32,64} (bsc#1164871). - rcu: locking and unlocking need to always be at least barriers (git fixes (block drivers)). - Revert "ALSA: hda/realtek: Fix pop noise on ALC225" (git-fixes). - Revert "drm/panel: simple: Add support for Sharp LQ150X1LG11 panels" (bsc#1114279) * offset changes - Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" (bsc#1172221). - Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow" (bsc#1103992). - rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() (bsc#1051510). - s390/cpum_cf: Add new extended counters for IBM z15 (bsc#1169762 LTC#185291). - s390/ftrace: fix potential crashes when switching tracers (git-fixes). - s390/ism: fix error return code in ism_probe() (git-fixes). - s390/pci: do not set affinity for floating irqs (git-fixes). - s390/pci: Fix possible deadlock in recover_store() (bsc#1165183 LTC#184103). - s390/pci: Recover handle in clp_set_pci_fn() (bsc#1165183 LTC#184103). - scripts/decodecode: fix trapping instruction formatting (bsc#1065729). - scripts/dtc: Remove redundant YYLOC global declaration (bsc#1160388). - scsi: bnx2i: fix potential use after free (bsc#1171600). - scsi: core: Handle drivers which set sg_tablesize to zero (bsc#1171601) This commit also required: > scsi: core: avoid preallocating big SGL for data - scsi: core: save/restore command resid for error handling (bsc#1171602). 
- scsi: core: scsi_trace: Use get_unaligned_be*() (bsc#1171604). - scsi: core: try to get module before removing device (bsc#1171605). - scsi: csiostor: Adjust indentation in csio_device_reset (bsc#1171606). - scsi: csiostor: Do not enable IRQs too early (bsc#1171607). - scsi: esas2r: unlock on error in esas2r_nvram_read_direct() (bsc#1171608). - scsi: fnic: fix invalid stack access (bsc#1171609). - scsi: fnic: fix msix interrupt allocation (bsc#1171610). - scsi: ibmvscsi: Fix WARN_ON during event pool release (bsc#1170791 ltc#185128). - scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func (bsc#1171611). - scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1171612). - scsi: iscsi: qla4xxx: fix double free in probe (bsc#1171613). - scsi: lpfc: Change default queue allocation for reduced memory consumption (bsc#1164780). - scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences (bsc#1171614). - scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1171615). - scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event (bsc#1164780). - scsi: lpfc: Fix MDS Diagnostic Enablement definition (bsc#1164780). - scsi: lpfc: Fix negation of else clause in lpfc_prep_node_fc4type (bsc#1164780). - scsi: lpfc: Fix noderef and address space warnings (bsc#1164780). - scsi: lpfc: Maintain atomic consistency of queue_claimed flag (bsc#1164780). - scsi: lpfc: remove duplicate unloading checks (bsc#1164780). - scsi: lpfc: Remove re-binding of nvme rport during registration (bsc#1164780). - scsi: lpfc: Remove redundant initialization to variable rc (bsc#1164780). - scsi: lpfc: Remove unnecessary lockdep_assert_held calls (bsc#1164780). - scsi: lpfc: Update lpfc version to 12.8.0.1 (bsc#1164780). - scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state (bsc#1171616). - scsi: qla2xxx: add ring buffer for tracing debug logs (bsc#1157169). 
- scsi: qla2xxx: check UNLOADING before posting async work (bsc#1157169). - scsi: qla2xxx: Delete all sessions before unregister local nvme port (bsc#1157169). - scsi: qla2xxx: Do not log message when reading port speed via sysfs (bsc#1157169). - scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV (bsc#1157169). - scsi: qla2xxx: Fix regression warnings (bsc#1157169). - scsi: qla2xxx: Remove non functional code (bsc#1157169). - scsi: qla2xxx: set UNLOADING before waiting for session deletion (bsc#1157169). - scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free (bsc#1171617). - scsi: qla4xxx: fix double free bug (bsc#1171618). - scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI (bsc#1171619). - scsi: sg: add sg_remove_request in sg_common_write (bsc#1171620). - scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) (bsc#1171621). - scsi: ufs: change msleep to usleep_range (bsc#1171622). - scsi: ufs: Clean up ufshcd_scale_clks() and clock scaling error out path (bsc#1171623). - scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic (bsc#1171624). - scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails (bsc#1171625). - scsi: ufs: Recheck bkops level if bkops is disabled (bsc#1171626). - sctp: fix possibly using a bad saddr with a given dst (networking-stable-20_04_02). - sctp: fix refcount bug in sctp_wfree (networking-stable-20_04_02). - selftests/powerpc: Fix build errors in powerpc ptrace selftests (boo#1124278). - Separate one more kABI fixup from the functional change: - seq_file: fix problem when seeking mid-record (bsc#1170125). - serial: uartps: Move the spinlock after the read of the tx empty (git-fixes). - sfc: detach from cb_page in efx_copy_channel() (networking-stable-20_03_14). - signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig (bsc#1172185). - slcan: not call free_netdev before rtnl_unlock in slcan_open (networking-stable-20_03_28). 
- slip: make slhc_compress() more robust against malicious packets (networking-stable-20_03_14). - SMB3: Additional compression structures (bsc#1144333). - SMB3: Add new compression flags (bsc#1144333). - SMB3: change noisy error message to FYI (bsc#1144333). - SMB3: enable swap on SMB3 mounts (bsc#1144333). - SMB3: Minor cleanup of protocol definitions (bsc#1144333). - SMB3: remove overly noisy debug line in signing errors (bsc#1144333). - SMB3: smbdirect support can be configured by default (bsc#1144333). - SMB3: use SMB2_SIGNATURE_SIZE define (bsc#1144333). - spi: bcm63xx-hsspi: Really keep pll clk enabled (bsc#1051510). - spi: bcm-qspi: when tx/rx buffer is NULL set to 0 (bsc#1051510). - spi: dw: Add SPI Rx-done wait method to DMA-based transfer (bsc#1051510). - spi: dw: Zero DMA Tx and Rx configurations on stack (bsc#1051510). - spi: pxa2xx: Add CS control clock quirk (bsc#1051510). - spi: qup: call spi_qup_pm_resume_runtime before suspending (bsc#1051510). - spi/zynqmp: remove entry that causes a cs glitch (bsc#1051510). - staging: comedi: dt2815: fix writing hi byte of analog output (bsc#1051510). - staging: comedi: Fix comedi_device refcnt leak in comedi_open (bsc#1051510). - staging: iio: ad2s1210: Fix SPI reading (bsc#1051510). - supported.conf: Add br_netfilter to base (bsc#1169020). - supported.conf: support w1 core and thermometer support - svcrdma: Fix double svc_rdma_send_ctxt_put() in an error path (bsc#1103992). - svcrdma: Fix leak of transport addresses (git-fixes). - svcrdma: Fix trace point use-after-free race (bsc#1103992 ). - taskstats: fix data-race (bsc#1172188). - tcp: cache line align MAX_TCP_HEADER (networking-stable-20_04_27). - tcp: repair: fix TCP_QUEUE_SEQ implementation (networking-stable-20_03_28). - team: add missing attribute validation for array index (networking-stable-20_03_14). - team: add missing attribute validation for port ifindex (networking-stable-20_03_14). 
- team: fix hang in team_mode_get() (networking-stable-20_04_27). - tools lib traceevent: Remove unneeded qsort and uses memmove instead (git-fixes). - tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() (bsc#1065729). - tpm/tpm_tis: Free IRQ if probing fails (bsc#1082555). - tun: Do not put_page() for all negative return values from XDP program (bsc#1109837). - Update config files: Build w1 bus on arm64 (jsc#SLE-11048) - USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE (git-fixes). - USB: cdc-acm: restore capability check order (git-fixes). - USB: core: Fix misleading driver bug report (bsc#1051510). - USB: dwc3: do not set gadget->is_otg flag (git-fixes). - USB: dwc3: gadget: Do link recovery for SS and SSP (git-fixes). - USB: early: Handle AMD's spec-compliant identifiers, too (git-fixes). - USB: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset() (git-fixes). - USB: gadget: audio: Fix a missing error return value in audio_bind() (git-fixes). - USB: gadget: composite: Inform controller driver of self-powered (git-fixes). - USB: gadget: legacy: fix error return code in cdc_bind() (git-fixes). - USB: gadget: legacy: fix error return code in gncm_bind() (git-fixes). - usb: gadget: legacy: fix redundant initialization warnings (bsc#1051510). - USB: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' (git-fixes). - USB: gadget: udc: atmel: Fix vbus disconnect handling (git-fixes). - USB: gadget: udc: atmel: Make some symbols static (git-fixes). - USB: gadget: udc: bdc: Remove unnecessary NULL checks in bdc_req_complete (git-fixes). - USB: host: xhci-plat: keep runtime active when removing host (git-fixes). - USB: hub: Fix handling of connect changes during sleep (git-fixes). - usbnet: silence an unnecessary warning (bsc#1170770). - USB: serial: garmin_gps: add sanity checking for data length (git-fixes). - USB: serial: option: add BroadMobi BM806U (git-fixes). 
- USB: serial: option: add support for ASKEY WWHC050 (git-fixes). - USB: serial: option: add Wistron Neweb D19Q1 (git-fixes). - USB: serial: qcserial: Add DW5816e support (git-fixes). - USB: sisusbvga: Change port variable from signed to unsigned (git-fixes). - usb-storage: Add unusual_devs entry for JMicron JMS566 (git-fixes). - USB: uas: add quirk for LaCie 2Big Quadra (git-fixes). - USB: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list (git-fixes). - video: fbdev: sis: Remove unnecessary parentheses and commented code (bsc#1114279) - video: fbdev: w100fb: Fix a potential double free (bsc#1051510). - vrf: Check skb for XFRM_TRANSFORMED flag (networking-stable-20_04_27). - vxlan: check return value of gro_cells_init() (networking-stable-20_03_28). - w1: Add subsystem kernel public interface (jsc#SLE-11048). - w1: Fix slave count on 1-Wire bus (resend) (jsc#SLE-11048). - w1: keep balance of mutex locks and refcnts (jsc#SLE-11048). - w1: use put_device() if device_register() fail (jsc#SLE-11048). - watchdog: reset last_hw_keepalive time at start (git-fixes). - wcn36xx: Fix error handling path in 'wcn36xx_probe()' (bsc#1051510). - wil6210: remove reset file from debugfs (git-fixes). - wimax/i2400m: Fix potential urb refcnt leak (bsc#1051510). - workqueue: do not use wq_select_unbound_cpu() for bound works (bsc#1172130). - x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115). - x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115). - x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115). - x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115). - x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170621, bsc#1170620). - x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170617, bsc#1170618). 
- x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170617, bsc#1170618). - x86: Hyper-V: report value of misc_features (git fixes). - x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170617, bsc#1170618). - x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170617, bsc#1170618). - x86/kprobes: Avoid kretprobe recursion bug (bsc#1114279). - x86/resctrl: Fix invalid attempt at removing the default resource group (git-fixes). - x86/resctrl: Preserve CDP enable over CPU hotplug (bsc#1114279). - x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115). - x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115). - x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115). - x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115). - x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115). - x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115). - xen/pci: reserve MCFG areas earlier (bsc#1170145). - xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish (networking-stable-20_04_27). - xfs: clear PF_MEMALLOC before exiting xfsaild thread (git-fixes). - xfs: Correctly invert xfs_buftarg LRU isolation logic (git-fixes). - xfs: do not ever return a stale pointer from __xfs_dir3_free_read (git-fixes). - xprtrdma: Fix completion wait during device removal (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-1599=1 - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-1599=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-1599=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1599=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1599=1 - SUSE Linux Enterprise High Availability 15-SP1: zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2020-1599=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): kernel-default-debuginfo-4.12.14-197.45.1 kernel-default-debugsource-4.12.14-197.45.1 kernel-default-extra-4.12.14-197.45.1 kernel-default-extra-debuginfo-4.12.14-197.45.1 - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-default-debuginfo-4.12.14-197.45.1 kernel-default-debugsource-4.12.14-197.45.1 kernel-default-livepatch-4.12.14-197.45.1 kernel-default-livepatch-devel-4.12.14-197.45.1 kernel-livepatch-4_12_14-197_45-default-1-3.5.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (aarch64 ppc64le s390x x86_64): kernel-default-debuginfo-4.12.14-197.45.1 kernel-default-debugsource-4.12.14-197.45.1 reiserfs-kmp-default-4.12.14-197.45.1 reiserfs-kmp-default-debuginfo-4.12.14-197.45.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.12.14-197.45.1 kernel-obs-build-debugsource-4.12.14-197.45.1 kernel-syms-4.12.14-197.45.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch): kernel-docs-4.12.14-197.45.1 kernel-source-4.12.14-197.45.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x 
x86_64): kernel-default-4.12.14-197.45.1 kernel-default-base-4.12.14-197.45.1 kernel-default-base-debuginfo-4.12.14-197.45.1 kernel-default-debuginfo-4.12.14-197.45.1 kernel-default-debugsource-4.12.14-197.45.1 kernel-default-devel-4.12.14-197.45.1 kernel-default-devel-debuginfo-4.12.14-197.45.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): kernel-devel-4.12.14-197.45.1 kernel-macros-4.12.14-197.45.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (s390x): kernel-default-man-4.12.14-197.45.1 kernel-zfcpdump-debuginfo-4.12.14-197.45.1 kernel-zfcpdump-debugsource-4.12.14-197.45.1 - SUSE Linux Enterprise High Availability 15-SP1 (aarch64 ppc64le s390x x86_64): cluster-md-kmp-default-4.12.14-197.45.1 cluster-md-kmp-default-debuginfo-4.12.14-197.45.1 dlm-kmp-default-4.12.14-197.45.1 dlm-kmp-default-debuginfo-4.12.14-197.45.1 gfs2-kmp-default-4.12.14-197.45.1 gfs2-kmp-default-debuginfo-4.12.14-197.45.1 kernel-default-debuginfo-4.12.14-197.45.1 kernel-default-debugsource-4.12.14-197.45.1 ocfs2-kmp-default-4.12.14-197.45.1 ocfs2-kmp-default-debuginfo-4.12.14-197.45.1 References: https://www.suse.com/security/cve/CVE-2018-1000199.html https://www.suse.com/security/cve/CVE-2019-19462.html https://www.suse.com/security/cve/CVE-2019-20806.html https://www.suse.com/security/cve/CVE-2019-20812.html https://www.suse.com/security/cve/CVE-2019-9455.html https://www.suse.com/security/cve/CVE-2020-0543.html https://www.suse.com/security/cve/CVE-2020-10690.html https://www.suse.com/security/cve/CVE-2020-10711.html https://www.suse.com/security/cve/CVE-2020-10720.html https://www.suse.com/security/cve/CVE-2020-10732.html https://www.suse.com/security/cve/CVE-2020-10751.html https://www.suse.com/security/cve/CVE-2020-10757.html https://www.suse.com/security/cve/CVE-2020-12114.html https://www.suse.com/security/cve/CVE-2020-12464.html https://www.suse.com/security/cve/CVE-2020-12652.html https://www.suse.com/security/cve/CVE-2020-12653.html 
https://www.suse.com/security/cve/CVE-2020-12654.html https://www.suse.com/security/cve/CVE-2020-12655.html https://www.suse.com/security/cve/CVE-2020-12656.html https://www.suse.com/security/cve/CVE-2020-12657.html https://www.suse.com/security/cve/CVE-2020-12659.html https://www.suse.com/security/cve/CVE-2020-12768.html https://www.suse.com/security/cve/CVE-2020-12769.html https://www.suse.com/security/cve/CVE-2020-13143.html https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1058115 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1082555 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1089895 https://bugzilla.suse.com/1103990 https://bugzilla.suse.com/1103991 https://bugzilla.suse.com/1103992 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374 https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1124278 https://bugzilla.suse.com/1127354 https://bugzilla.suse.com/1127355 https://bugzilla.suse.com/1127371 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1142685 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1151794 https://bugzilla.suse.com/1152489 https://bugzilla.suse.com/1154824 https://bugzilla.suse.com/1157169 https://bugzilla.suse.com/1158265 https://bugzilla.suse.com/1160388 https://bugzilla.suse.com/1160947 https://bugzilla.suse.com/1164780 https://bugzilla.suse.com/1164871 https://bugzilla.suse.com/1165183 https://bugzilla.suse.com/1165478 https://bugzilla.suse.com/1165741 https://bugzilla.suse.com/1166969 https://bugzilla.suse.com/1166978 https://bugzilla.suse.com/1167574 https://bugzilla.suse.com/1167851 https://bugzilla.suse.com/1167867 https://bugzilla.suse.com/1168332 https://bugzilla.suse.com/1168670 https://bugzilla.suse.com/1168789 https://bugzilla.suse.com/1169020 https://bugzilla.suse.com/1169514 https://bugzilla.suse.com/1169525 
https://bugzilla.suse.com/1169762 https://bugzilla.suse.com/1170056 https://bugzilla.suse.com/1170125 https://bugzilla.suse.com/1170145 https://bugzilla.suse.com/1170284 https://bugzilla.suse.com/1170345 https://bugzilla.suse.com/1170457 https://bugzilla.suse.com/1170522 https://bugzilla.suse.com/1170592 https://bugzilla.suse.com/1170617 https://bugzilla.suse.com/1170618 https://bugzilla.suse.com/1170620 https://bugzilla.suse.com/1170621 https://bugzilla.suse.com/1170770 https://bugzilla.suse.com/1170778 https://bugzilla.suse.com/1170791 https://bugzilla.suse.com/1170901 https://bugzilla.suse.com/1171078 https://bugzilla.suse.com/1171098 https://bugzilla.suse.com/1171118 https://bugzilla.suse.com/1171189 https://bugzilla.suse.com/1171191 https://bugzilla.suse.com/1171195 https://bugzilla.suse.com/1171202 https://bugzilla.suse.com/1171205 https://bugzilla.suse.com/1171214 https://bugzilla.suse.com/1171217 https://bugzilla.suse.com/1171218 https://bugzilla.suse.com/1171219 https://bugzilla.suse.com/1171220 https://bugzilla.suse.com/1171244 https://bugzilla.suse.com/1171293 https://bugzilla.suse.com/1171417 https://bugzilla.suse.com/1171527 https://bugzilla.suse.com/1171599 https://bugzilla.suse.com/1171600 https://bugzilla.suse.com/1171601 https://bugzilla.suse.com/1171602 https://bugzilla.suse.com/1171604 https://bugzilla.suse.com/1171605 https://bugzilla.suse.com/1171606 https://bugzilla.suse.com/1171607 https://bugzilla.suse.com/1171608 https://bugzilla.suse.com/1171609 https://bugzilla.suse.com/1171610 https://bugzilla.suse.com/1171611 https://bugzilla.suse.com/1171612 https://bugzilla.suse.com/1171613 https://bugzilla.suse.com/1171614 https://bugzilla.suse.com/1171615 https://bugzilla.suse.com/1171616 https://bugzilla.suse.com/1171617 https://bugzilla.suse.com/1171618 https://bugzilla.suse.com/1171619 https://bugzilla.suse.com/1171620 https://bugzilla.suse.com/1171621 https://bugzilla.suse.com/1171622 https://bugzilla.suse.com/1171623 
https://bugzilla.suse.com/1171624 https://bugzilla.suse.com/1171625 https://bugzilla.suse.com/1171626 https://bugzilla.suse.com/1171662 https://bugzilla.suse.com/1171679 https://bugzilla.suse.com/1171691 https://bugzilla.suse.com/1171692 https://bugzilla.suse.com/1171694 https://bugzilla.suse.com/1171695 https://bugzilla.suse.com/1171736 https://bugzilla.suse.com/1171817 https://bugzilla.suse.com/1171948 https://bugzilla.suse.com/1171949 https://bugzilla.suse.com/1171951 https://bugzilla.suse.com/1171952 https://bugzilla.suse.com/1171979 https://bugzilla.suse.com/1171982 https://bugzilla.suse.com/1171983 https://bugzilla.suse.com/1172017 https://bugzilla.suse.com/1172096 https://bugzilla.suse.com/1172097 https://bugzilla.suse.com/1172098 https://bugzilla.suse.com/1172099 https://bugzilla.suse.com/1172101 https://bugzilla.suse.com/1172102 https://bugzilla.suse.com/1172103 https://bugzilla.suse.com/1172104 https://bugzilla.suse.com/1172127 https://bugzilla.suse.com/1172130 https://bugzilla.suse.com/1172185 https://bugzilla.suse.com/1172188 https://bugzilla.suse.com/1172199 https://bugzilla.suse.com/1172201 https://bugzilla.suse.com/1172202 https://bugzilla.suse.com/1172221 https://bugzilla.suse.com/1172249 https://bugzilla.suse.com/1172251 https://bugzilla.suse.com/1172317 https://bugzilla.suse.com/1172342 https://bugzilla.suse.com/1172343 https://bugzilla.suse.com/1172344 https://bugzilla.suse.com/1172366 https://bugzilla.suse.com/1172378 https://bugzilla.suse.com/1172391 https://bugzilla.suse.com/1172397 https://bugzilla.suse.com/1172453 From sle-updates at lists.suse.com Wed Jun 10 08:03:07 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 10 Jun 2020 16:03:07 +0200 (CEST) Subject: SUSE-SU-2020:1601-1: moderate: Security update for ucode-intel Message-ID: <20200610140307.4CBBDFD07@maintenance.suse.de> SUSE Security Update: Security update for ucode-intel 
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1601-1
Rating:             moderate
References:         #1154824 #1156353 #1172466
Cross-References:   CVE-2020-0543 CVE-2020-0548 CVE-2020-0549
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for ucode-intel fixes the following issues:

Updated Intel CPU Microcode to 20200602 (prerelease) (bsc#1172466)

This update contains security mitigations for:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824).
- CVE-2020-0548,CVE-2020-0549: Additional ucode updates were supplied to mitigate the Vector Register and L1D Eviction Sampling aka "CacheOutAttack" attacks. (bsc#1156353)

Microcode Table:

Processor             Identifier Version            Products
Model        Stepping F-MO-S/PI  Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
HSW          C0       6-3c-3/32  00000027->00000028 Core Gen4
BDW-U/Y      E0/F0    6-3d-4/c0  0000002e->0000002f Core Gen5
HSW-U        C0/D0    6-45-1/72  00000025->00000026 Core Gen4
HSW-H        C0       6-46-1/32  0000001b->0000001c Core Gen4
BDW-H/E3     E0/G0    6-47-1/22  00000021->00000022 Core Gen5
SKL-U/Y      D0       6-4e-3/c0  000000d6->000000dc Core Gen6 Mobile
SKL-U23e     K1       6-4e-3/c0  000000d6->000000dc Core Gen6 Mobile
SKX-SP       B1       6-55-3/97  01000151->01000157 Xeon Scalable
SKX-SP       H0/M0/U0 6-55-4/b7  02000065->02006906 Xeon Scalable
SKX-D        M1       6-55-4/b7  02000065->02006906 Xeon D-21xx
CLX-SP       B0       6-55-6/bf  0400002c->04002f01 Xeon Scalable Gen2
CLX-SP       B1       6-55-7/bf  0500002c->04002f01 Xeon Scalable Gen2
SKL-H/S      R0/N0    6-5e-3/36  000000d6->000000dc Core Gen6; Xeon E3 v5
AML-Y22      H0       6-8e-9/10  000000ca->000000d6 Core Gen8 Mobile
KBL-U/Y      H0       6-8e-9/c0  000000ca->000000d6 Core Gen7 Mobile
CFL-U43e     D0       6-8e-a/c0  000000ca->000000d6 Core Gen8 Mobile
WHL-U        W0       6-8e-b/d0  000000ca->000000d6 Core Gen8 Mobile
AML-Y42      V0       6-8e-c/94  000000ca->000000d6 Core Gen10 Mobile
CML-Y42      V0       6-8e-c/94  000000ca->000000d6 Core Gen10 Mobile
WHL-U        V0       6-8e-c/94  000000ca->000000d6 Core Gen8 Mobile
KBL-G/H/S/E3 B0       6-9e-9/2a  000000ca->000000d6 Core Gen7; Xeon E3 v6
CFL-H/S/E3   U0       6-9e-a/22  000000ca->000000d6 Core Gen8 Desktop, Mobile, Xeon E
CFL-S        B0       6-9e-b/02  000000ca->000000d6 Core Gen8
CFL-H/S      P0       6-9e-c/22  000000ca->000000d6 Core Gen9
CFL-H        R0       6-9e-d/22  000000ca->000000d6 Core Gen9 Mobile

Also contains the Intel CPU Microcode update to 20200520:

Processor             Identifier Version            Products
Model        Stepping F-MO-S/PI  Old->New
---- new platforms ----------------------------------------
---- updated platforms ------------------------------------
SNB-E/EN/EP  C1/M0    6-2d-6/6d  0000061f->00000621 Xeon E3/E5, Core X
SNB-E/EN/EP  C2/M1    6-2d-7/6d  00000718->0000071a Xeon E3/E5, Core X

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1601=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (x86_64):
    ucode-intel-20200602-3.12.1
    ucode-intel-debuginfo-20200602-3.12.1
    ucode-intel-debugsource-20200602-3.12.1

References:

https://www.suse.com/security/cve/CVE-2020-0543.html
https://www.suse.com/security/cve/CVE-2020-0548.html
https://www.suse.com/security/cve/CVE-2020-0549.html
https://bugzilla.suse.com/1154824
https://bugzilla.suse.com/1156353
https://bugzilla.suse.com/1172466

From sle-updates at lists.suse.com Wed Jun 10 08:04:21 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 10 Jun 2020 16:04:21 +0200 (CEST)
Subject: SUSE-RU-2020:1598-1: important: Recommended update for audit
Message-ID: <20200610140421.C328EFD07@maintenance.suse.de>

SUSE Recommended Update: Recommended update for audit
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:1598-1
Rating:             important
References:         #1156159 #1172295
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

An update that has two recommended fixes can now be installed.

Description:

This update for audit fixes the following issues:

- Fix hang on startup. (bsc#1156159)
- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1598=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
    zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1598=1
- SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1598=1
- SUSE Linux Enterprise Server 12-SP4:
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1598=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
    audit-debugsource-2.8.1-10.8.1
    audit-devel-2.8.1-10.8.1
- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
    audit-debugsource-2.8.1-10.8.1
    audit-devel-2.8.1-10.8.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
    audit-2.8.1-10.8.1
    audit-audispd-plugins-2.8.1-10.8.1
    audit-audispd-plugins-debuginfo-2.8.1-10.8.1
    audit-debuginfo-2.8.1-10.8.1
    audit-debugsource-2.8.1-10.8.1
    audit-secondary-debugsource-2.8.1-10.8.1
    libaudit1-2.8.1-10.8.1
    libaudit1-debuginfo-2.8.1-10.8.1
    libauparse0-2.8.1-10.8.1
    libauparse0-debuginfo-2.8.1-10.8.1
    python2-audit-2.8.1-10.8.1
    python2-audit-debuginfo-2.8.1-10.8.1
    python3-audit-2.8.1-10.8.1
    python3-audit-debuginfo-2.8.1-10.8.1
- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
    libaudit1-32bit-2.8.1-10.8.1
    libaudit1-debuginfo-32bit-2.8.1-10.8.1
- SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
    audit-2.8.1-10.8.1
    audit-audispd-plugins-2.8.1-10.8.1
    audit-audispd-plugins-debuginfo-2.8.1-10.8.1
    audit-debuginfo-2.8.1-10.8.1
    audit-debugsource-2.8.1-10.8.1
    audit-secondary-debugsource-2.8.1-10.8.1
    libaudit1-2.8.1-10.8.1
    libaudit1-debuginfo-2.8.1-10.8.1
    libauparse0-2.8.1-10.8.1
    libauparse0-debuginfo-2.8.1-10.8.1
    python2-audit-2.8.1-10.8.1
    python2-audit-debuginfo-2.8.1-10.8.1
    python3-audit-2.8.1-10.8.1
    python3-audit-debuginfo-2.8.1-10.8.1
- SUSE Linux Enterprise Server 12-SP4 (s390x x86_64):
    libaudit1-32bit-2.8.1-10.8.1
    libaudit1-debuginfo-32bit-2.8.1-10.8.1

References:

https://bugzilla.suse.com/1156159
https://bugzilla.suse.com/1172295

From sle-updates at lists.suse.com Wed Jun 10 08:05:24 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 10 Jun 2020 16:05:24 +0200 (CEST)
Subject: SUSE-SU-2020:1591-1: important: Security update for MozillaThunderbird
Message-ID: <20200610140524.BF47FFD07@maintenance.suse.de>

SUSE Security Update: Security update for MozillaThunderbird
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1591-1
Rating:             important
References:         #1172402
Cross-References:   CVE-2020-12398 CVE-2020-12405 CVE-2020-12406 CVE-2020-12410
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 15-SP1
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for MozillaThunderbird fixes the following issues:

Mozilla Thunderbird 68.9.0 (bsc#1172402)

- CVE-2020-12405: Fixed a use-after-free in SharedWorkerService.
- CVE-2020-12406: Fixed a JavaScript Type confusion with NativeTypes.
- CVE-2020-12410: Fixed multiple memory safety issues
- CVE-2020-12398: Fixed a potential information leak due to security downgrade with IMAP STARTTLS
- Use a symbolic icon from branding internals

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 15-SP1:
    zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-1591=1

Package List:

- SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64):
    MozillaThunderbird-68.9.0-3.85.2
    MozillaThunderbird-debuginfo-68.9.0-3.85.2
    MozillaThunderbird-debugsource-68.9.0-3.85.2
    MozillaThunderbird-translations-common-68.9.0-3.85.2
    MozillaThunderbird-translations-other-68.9.0-3.85.2

References:

https://www.suse.com/security/cve/CVE-2020-12398.html
https://www.suse.com/security/cve/CVE-2020-12405.html
https://www.suse.com/security/cve/CVE-2020-12406.html
https://www.suse.com/security/cve/CVE-2020-12410.html
https://bugzilla.suse.com/1172402

From sle-updates at lists.suse.com Wed Jun 10 13:12:34 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 10 Jun 2020 21:12:34 +0200 (CEST)
Subject: SUSE-SU-2020:1603-1: important: Security update for the Linux Kernel
Message-ID: <20200610191234.7A769F749@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1603-1
Rating:             important
References:         #1051510 #1058115 #1065729 #1082555 #1089895 #1114279
                    #1133021 #1144333 #1151794 #1152489 #1154824 #1157169
                    #1158265 #1160388 #1160947 #1165183 #1165741 #1166969
                    #1167574 #1167851 #1168503 #1168670 #1169020 #1169514
                    #1169525 #1170056 #1170125 #1170145 #1170345 #1170457
                    #1170522 #1170592 #1170618 #1170620 #1170770 #1170778
                    #1170791 #1170901 #1171078 #1171098 #1171118 #1171189
                    #1171191 #1171195 #1171202 #1171205 #1171217 #1171218
                    #1171219 #1171220 #1171293 #1171417 #1171527 #1171599
                    #1171600 #1171601 #1171602 #1171604 #1171605 #1171606
                    #1171607 #1171608 #1171609 #1171610 #1171611 #1171612
                    #1171613 #1171614 #1171615 #1171616 #1171617 #1171618
                    #1171619 #1171620 #1171621 #1171622 #1171623 #1171624
                    #1171625 #1171626 #1171679 #1171691
#1171694 #1171695 #1171736 #1171761 #1171948 #1171949 #1171951 #1171952 #1171982 #1171983 #1172096 #1172097 #1172098 #1172099 #1172101 #1172102 #1172103 #1172104 #1172127 #1172130 #1172185 #1172188 #1172199 #1172221 #1172253 #1172317 #1172342 #1172343 #1172344 #1172366 #1172391 #1172397 #1172453 Cross-References: CVE-2018-1000199 CVE-2019-19462 CVE-2019-20806 CVE-2019-20812 CVE-2019-9455 CVE-2020-0543 CVE-2020-10690 CVE-2020-10711 CVE-2020-10720 CVE-2020-10732 CVE-2020-10751 CVE-2020-10757 CVE-2020-12114 CVE-2020-12464 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 CVE-2020-12655 CVE-2020-12656 CVE-2020-12657 CVE-2020-12768 CVE-2020-12769 CVE-2020-13143 Affected Products: SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that solves 23 vulnerabilities and has 92 fixes is now available. Description: The SUSE Linux Enterprise 12 SP4 Azure kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824). - CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982). - CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983). - CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736). - CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205). - CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219). 
- CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217). - CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202). - CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195). - CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218). - CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901). - CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098). - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317). - CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189). - CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220). - CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778). - CVE-2020-10711: Fixed a null pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191). - CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056). - CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345). - CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).
- CVE-2019-20806: Fixed a null pointer dereference which may have led to denial of service (bsc#1172199). - CVE-2019-19462: Fixed an issue which could have allowed a local user to cause denial of service (bsc#1158265). - CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895). The following non-security bugs were fixed: - ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe() (bsc#1051510). - ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() (bsc#1051510). - acpi/x86: ignore unspecified bit positions in the ACPI global lock field (bsc#1051510). - Add commit for git-fix that's not a fix This commit cleans up debug code but does not fix anything, and it relies on a new kernel function that isn't yet in this version of SLE. - agp/intel: Reinforce the barrier after GTT updates (bsc#1051510). - ALSA: ctxfi: Remove unnecessary cast in kfree (bsc#1051510). - ALSA: hda: Do not release card at firmware loading error (bsc#1051510). - ALSA: hda/hdmi: fix race in monitor detection during probe (bsc#1051510). - ALSA: hda/hdmi: fix without unlocked before return (bsc#1051510). - ALSA: hda: Keep the controller initialization even if no codecs found (bsc#1051510). - ALSA: hda/realtek - Add more fixup entries for Clevo machines (git-fixes). - ALSA: hda/realtek - Add new codec supported for ALC245 (bsc#1051510). - ALSA: hda/realtek - Add new codec supported for ALC287 (git-fixes). - ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse (git-fixes). - ALSA: hda/realtek - Fix unexpected init_amp override (bsc#1051510). - ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 (git-fixes bsc#1171293). - ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter (bsc#1051510). - ALSA: hwdep: fix a left shifting 1 by 31 UB bug (git-fixes). - ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option (git-fixes). - ALSA: opti9xx: shut up gcc-10 range warning (bsc#1051510).
- ALSA: pcm: fix incorrect hw_base increase (git-fixes). - ALSA: pcm: oss: Place the plugin buffer overflow checks correctly (bsc#1170522). - ALSA: rawmidi: Fix racy buffer resize under concurrent accesses (git-fixes). - ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset (git-fixes). - ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID (bsc#1051510). - ALSA: usb-audio: Do not override ignore_ctl_error value from the map (bsc#1051510). - ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif (bsc#1051510). - ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC (git-fixes). - ALSA: usx2y: Fix potential NULL dereference (bsc#1051510). - ASoC: codecs: hdac_hdmi: Fix incorrect use of list_for_each_entry (bsc#1051510). - ASoC: dapm: connect virtual mux with default value (bsc#1051510). - ASoC: dapm: fixup dapm kcontrol widget (bsc#1051510). - ASoC: dpcm: allow start or stop during pause for backend (bsc#1051510). - ASoC: fix regwmask (bsc#1051510). - ASoC: msm8916-wcd-digital: Reset RX interpolation path after use (bsc#1051510). - ASoC: topology: Check return value of pcm_new_ver (bsc#1051510). - ASoC: topology: use name_prefix for new kcontrol (bsc#1051510). - b43legacy: Fix case where channel status is corrupted (bsc#1051510). - batman-adv: fix batadv_nc_random_weight_tq (git-fixes). - batman-adv: Fix refcnt leak in batadv_show_throughput_override (git-fixes). - batman-adv: Fix refcnt leak in batadv_store_throughput_override (git-fixes). - batman-adv: Fix refcnt leak in batadv_v_ogm_process (git-fixes). - bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (git fixes (block drivers)). - bcache: fix incorrect data type usage in btree_flush_write() (git fixes (block drivers)). - bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (git fixes (block drivers)). - block/drbd: delete invalid function drbd_md_mark_dirty_ (bsc#1171527). 
- block: drbd: remove a stray unlock in __drbd_send_protocol() (bsc#1171599). - block: fix busy device checking in blk_drop_partitions again (bsc#1171948). - block: fix busy device checking in blk_drop_partitions (bsc#1171948). - block: fix memleak of bio integrity data (git fixes (block drivers)). - block: remove the bd_openers checks in blk_drop_partitions (bsc#1171948). - bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets() (networking-stable-20_03_28). - bnxt_en: reinitialize IRQs when MTU is modified (networking-stable-20_03_14). - bonding/alb: make sure arp header is pulled before accessing it (networking-stable-20_03_14). - brcmfmac: abort and release host after error (bsc#1051510). - btrfs: fix deadlock with memory reclaim during scrub (bsc#1172127). - btrfs: fix log context list corruption after rename whiteout error (bsc#1172342). - btrfs: fix partial loss of prealloc extent past i_size after fsync (bsc#1172343). - btrfs: move the dio_sem higher up the callchain (bsc#1171761). - btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366). - btrfs: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366). - btrfs: setup a nofs context for memory allocation at btrfs_create_tree() (bsc#1172127). - btrfs: setup a nofs context for memory allocation at __btrfs_set_acl (bsc#1172127). - btrfs: use nofs context when initializing security xattrs to avoid deadlock (bsc#1172127). - can: add missing attribute validation for termination (networking-stable-20_03_14). - cdc-acm: close race betrween suspend() and acm_softint (git-fixes). - cdc-acm: introduce a cool down (git-fixes). - ceph: fix double unlock in handle_cap_export() (bsc#1171694). - ceph: fix endianness bug when handling MDS session feature bits (bsc#1171695). - cgroup, netclassid: periodically release file_lock on classid updating (networking-stable-20_03_14). 
- CIFS: Allocate crypto structures on the fly for calculating signatures of incoming packets (bsc#1144333). - CIFS: Allocate encryption header through kmalloc (bsc#1144333). - CIFS: allow unlock flock and OFD lock across fork (bsc#1144333). - CIFS: check new file size when extending file by fallocate (bsc#1144333). - CIFS: cifspdu.h: Replace zero-length array with flexible-array member (bsc#1144333). - CIFS: clear PF_MEMALLOC before exiting demultiplex thread (bsc#1144333). - CIFS: do not share tcons with DFS (bsc#1144333). - CIFS: dump the session id and keys also for SMB2 sessions (bsc#1144333). - CIFS: ensure correct super block for DFS reconnect (bsc#1144333). - CIFS: Fix bug which the return value by asynchronous read is error (bsc#1144333). - CIFS: fix uninitialised lease_key in open_shroot() (bsc#1144333). - CIFS: improve read performance for page size 64KB & cache=strict & vers=2.1+ (bsc#1144333). - CIFS: Increment num_remote_opens stats counter even in case of smb2_query_dir_first (bsc#1144333). - CIFS: minor update to comments around the cifs_tcp_ses_lock mutex (bsc#1144333). - CIFS: protect updating server->dstaddr with a spinlock (bsc#1144333). - CIFS: smb2pdu.h: Replace zero-length array with flexible-array member (bsc#1144333). - CIFS: smbd: Calculate the correct maximum packet size for segmented SMBDirect send/receive (bsc#1144333). - CIFS: smbd: Check and extend sender credits in interrupt context (bsc#1144333). - CIFS: smbd: Check send queue size before posting a send (bsc#1144333). - CIFS: smbd: Do not schedule work to send immediate packet on every receive (bsc#1144333). - CIFS: smbd: Merge code to track pending packets (bsc#1144333). - CIFS: smbd: Properly process errors on ib_post_send (bsc#1144333). - CIFS: smbd: Update receive credits before sending and deal with credits roll back on failure before sending (bsc#1144333). - CIFS: Warn less noisily on default mount (bsc#1144333). 
- clk: Add clk_hw_unregister_composite helper function definition (bsc#1051510). - clk: imx6ull: use OSC clock during AXI rate change (bsc#1051510). - clk: imx: make mux parent strings const (bsc#1051510). - clk: mediatek: correct the clocks for MT2701 HDMI PHY module (bsc#1051510). - clk: sunxi-ng: a64: Fix gate bit of DSI DPHY (bsc#1051510). - clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620). - clocksource: dw_apb_timer_of: Fix missing clockevent timers (bsc#1051510). - component: Silence bind error on -EPROBE_DEFER (bsc#1051510). - coresight: do not use the BIT() macro in the UAPI header (git fixes (block drivers)). - cpufreq: s3c64xx: Remove pointless NULL check in s3c64xx_cpufreq_driver_init (bsc#1051510). - crypto: ccp - AES CFB mode is a stream cipher (git-fixes). - crypto: ccp - Clean up and exit correctly on allocation failure (git-fixes). - crypto: ccp - Cleanup misc_dev on sev_exit() (bsc#1114279). - crypto: ccp - Cleanup sp_dev_master in psp_dev_destroy() (bsc#1114279). - debugfs: Add debugfs_create_xul() for hexadecimal unsigned long (git-fixes). - dmaengine: dmatest: Fix iteration non-stop logic (bsc#1051510). - dm mpath: switch paths in dm_blk_ioctl() code path (bsc#1167574). - dm writecache: fix data corruption when reloading the target (git fixes (block drivers)). - dm writecache: fix incorrect flush sequence when doing SSD mode commit (git fixes (block drivers)). - dm writecache: verify watermark during resume (git fixes (block drivers)). - dm zoned: fix invalid memory access (git fixes (block drivers)). - dm zoned: reduce overhead of backing device checks (git fixes (block drivers)). - dm zoned: remove duplicate nr_rnd_zones increase in dmz_init_zone() (git fixes (block drivers)). - dm zoned: support zone sizes smaller than 128MiB (git fixes (block drivers)). - dp83640: reverse arguments to list_add_tail (git-fixes). - Drivers: hv: Add a module description line to the hv_vmbus driver (bsc#1172253). 
- Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170618). - Drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170618). - Drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618). - Drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170618). - drivers/net/ibmvnic: Update VNIC protocol version reporting (bsc#1065729). - drm: amd/acp: fix broken menu structure (bsc#1114279) * context changes - drm/crc: Actually allow to change the crc source (bsc#1114279) * offset changes - drm/dp_mst: Fix clearing payload state on topology disable (bsc#1051510). - drm/dp_mst: Reformat drm_dp_check_act_status() a bit (bsc#1051510). - drm/edid: Fix off-by-one in DispID DTD pixel clock (bsc#1114279) - drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of (bsc#1114279) - drm/i915: properly sanity check batch_start_offset (bsc#1114279) * renamed display/intel_fbc.c -> intel_fb.c * renamed gt/intel_rc6.c -> intel_pm.c * context changes - drm/meson: Delete an error message in meson_dw_hdmi_bind() (bsc#1051510). - drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem (bsc#1114279) - drm/qxl: qxl_release leak in qxl_draw_dirty_fb() (bsc#1051510). - drm/qxl: qxl_release leak in qxl_hw_surface_alloc() (bsc#1051510). - drm/qxl: qxl_release use after free (bsc#1051510). - drm: Remove PageReserved manipulation from drm_pci_alloc (bsc#1114279) * offset changes - dump_stack: avoid the livelock of the dump_lock (git fixes (block drivers)). - EDAC, sb_edac: Add support for systems with segmented PCI buses (bsc#1169525). - ext4: do not zeroout extents beyond i_disksize (bsc#1167851). - ext4: fix extent_status fragmentation for plain files (bsc#1171949). - ext4: use non-movable memory for superblock readahead (bsc#1171952). - fanotify: fix merging marks masks with FAN_ONDIR (bsc#1171679). 
- fbcon: fix null-ptr-deref in fbcon_switch (bsc#1114279) * rename drivers/video/fbdev/core to drivers/video/console * context changes - fib: add missing attribute validation for tun_id (networking-stable-20_03_14). - firmware: qcom: scm: fix compilation error when disabled (bsc#1051510). - fs/cifs: fix gcc warning in sid_to_id (bsc#1144333). - fs/seq_file.c: simplify seq_file iteration code and interface (bsc#1170125). - gpio: tegra: mask GPIO IRQs during IRQ shutdown (bsc#1051510). - gre: fix uninit-value in __iptunnel_pull_header (networking-stable-20_03_14). - HID: hid-input: clear unmapped usages (git-fixes). - HID: hyperv: Add a module description line (bsc#1172253). - HID: i2c-hid: add Trekstor Primebook C11B to descriptor override (git-fixes). - HID: i2c-hid: override HID descriptors for certain devices (git-fixes). - HID: multitouch: add eGalaxTouch P80H84 support (bsc#1051510). - HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices (git-fixes). - hrtimer: Annotate lockless access to timer->state (git fixes (block drivers)). - hsr: add restart routine into hsr_get_node_list() (networking-stable-20_03_28). - hsr: check protocol version in hsr_newlink() (networking-stable-20_04_17). - hsr: fix general protection fault in hsr_addr_is_self() (networking-stable-20_03_28). - hsr: set .netnsok flag (networking-stable-20_03_28). - hsr: use rcu_read_lock() in hsr_get_node_{list/status}() (networking-stable-20_03_28). - i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present (git-fixes). - i2c: acpi: put device when verifying client fails (git-fixes). - i2c: brcmstb: remove unused struct member (git-fixes). - i2c: core: Allow empty id_table in ACPI case as well (git-fixes). - i2c: core: decrease reference count of device node in i2c_unregister_device (git-fixes). - i2c: dev: Fix the race between the release of i2c_dev and cdev (bsc#1051510). - i2c: fix missing pm_runtime_put_sync in i2c_device_probe (git-fixes). 
- i2c-hid: properly terminate i2c_hid_dmi_desc_override_table array (git-fixes). - i2c: i801: Do not add ICH_RES_IO_SMI for the iTCO_wdt device (git-fixes). - i2c: iproc: Stop advertising support of SMBUS quick cmd (git-fixes). - i2c: isch: Remove unnecessary acpi.h include (git-fixes). - i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' (bsc#1051510). - i2c: st: fix missing struct parameter description (bsc#1051510). - IB/ipoib: Add child to parent list only if device initialized (bsc#1168503). - IB/ipoib: Consolidate checking of the proposed child interface (bsc#1168503). - IB/ipoib: Do not remove child devices from within the ndo_uninit (bsc#1168503). - IB/ipoib: Get rid of IPOIB_FLAG_GOING_DOWN (bsc#1168503). - IB/ipoib: Get rid of the sysfs_mutex (bsc#1168503). - IB/ipoib: Maintain the child_intfs list from ndo_init/uninit (bsc#1168503). - IB/ipoib: Move all uninit code into ndo_uninit (bsc#1168503). - IB/ipoib: Move init code to ndo_init (bsc#1168503). - IB/ipoib: Replace printk with pr_warn (bsc#1168503). - IB/ipoib: Use cancel_delayed_work_sync for neigh-clean task (bsc#1168503). - IB/ipoib: Warn when one port fails to initialize (bsc#1168503). - ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239). - iio:ad7797: Use correct attribute_group (bsc#1051510). - iio: adc: stm32-adc: fix device used to request dma (bsc#1051510). - iio: adc: stm32-adc: fix sleep in atomic context (git-fixes). - iio: adc: stm32-adc: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1051510). - iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' (bsc#1051510). - iio: sca3000: Remove an erroneous 'get_device()' (bsc#1051510). - iio: xilinx-xadc: Fix ADC-B powerdown (bsc#1051510). - iio: xilinx-xadc: Fix clearing interrupt when enabling trigger (bsc#1051510). - iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode (bsc#1051510). 
- ima: Fix return value of ima_write_policy() (git-fixes). - Input: evdev - call input_flush_device() on release(), not flush() (bsc#1051510). - Input: hyperv-keyboard - add module description (bsc#1172253). - Input: i8042 - add Acer Aspire 5738z to nomux list (bsc#1051510). - Input: i8042 - add ThinkPad S230u to i8042 reset list (bsc#1051510). - Input: raydium_i2c_ts - use true and false for boolean values (bsc#1051510). - Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() (bsc#1051510). - Input: synaptics-rmi4 - really fix attn_data use-after-free (git-fixes). - Input: usbtouchscreen - add support for BonXeon TP (bsc#1051510). - Input: xpad - add custom init packet for Xbox One S controllers (bsc#1051510). - iommu/amd: Call domain_flush_complete() in update_domain() (bsc#1172096). - iommu/amd: Do not flush Device Table in iommu_map_page() (bsc#1172097). - iommu/amd: Do not loop forever when trying to increase address space (bsc#1172098). - iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system (bsc#1172099). - iommu/amd: Fix over-read of ACPI UID from IVRS table (bsc#1172101). - iommu/amd: Fix race in increase_address_space()/fetch_pte() (bsc#1172102). - iommu/amd: Update Device Table in increase_address_space() (bsc#1172103). - iommu: Fix reference count leak in iommu_group_alloc (bsc#1172397). - ipv4: fix a RCU-list lock in fib_triestat_seq_show (networking-stable-20_04_02). - ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface (networking-stable-20_03_14). - ipv6: do not auto-add link-local address to lag ports (networking-stable-20_04_09). - ipvlan: add cond_resched_rcu() while processing muticast backlog (networking-stable-20_03_14). - ipvlan: do not deref eth hdr before checking it's set (networking-stable-20_03_14). - ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast() (networking-stable-20_03_14). - iwlwifi: pcie: actually release queue memory in TVQM (bsc#1051510). 
- kabi fix for early XHCI debug (git-fixes). - kabi for for md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes). - kabi, protect struct ib_device (bsc#1168503). - kabi/severities: Do not track KVM internal symbols. - kabi/severities: Ingnore get_dev_data() The function is internal to the AMD IOMMU driver and must not be called by any third party. - kabi workaround for snd_rawmidi buffer_ref field addition (git-fixes). - KEYS: reaching the keys quotas correctly (bsc#1051510). - KVM: arm64: Change hyp_panic()s dependency on tpidr_el2 (bsc#1133021). - KVM: arm64: Stop save/restoring host tpidr_el1 on VHE (bsc#1133021). - KVM: Check validity of resolved slot when searching memslots (bsc#1172104). - KVM: s390: vsie: Fix delivery of addressing exceptions (git-fixes). - KVM: SVM: Fix potential memory leak in svm_cpu_init() (bsc#1171736). - KVM x86: Extend AMD specific guest behavior to Hygon virtual CPUs (bsc#1152489). - l2tp: Allow management of tunnels and session in user namespace (networking-stable-20_04_17). - libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() (bsc#1051510). - libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set (bsc#1051510). - lib: raid6: fix awk build warnings (git fixes (block drivers)). - lib/raid6/test: fix build on distros whose /bin/sh is not bash (git fixes (block drivers)). - lib/stackdepot.c: fix global out-of-bounds in stack_slabs (git fixes (block drivers)). - locks: print unsigned ino in /proc/locks (bsc#1171951). - mac80211: add ieee80211_is_any_nullfunc() (bsc#1051510). - mac80211_hwsim: Use kstrndup() in place of kasprintf() (bsc#1051510). - mac80211: mesh: fix discovery timer re-arming issue / crash (bsc#1051510). - macsec: avoid to set wrong mtu (bsc#1051510). - macsec: restrict to ethernet devices (networking-stable-20_03_28). - macvlan: add cond_resched() during multicast processing (networking-stable-20_03_14). 
- macvlan: fix null dereference in macvlan_device_event() (bsc#1051510). - md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes). - md/raid0: Fix an error message in raid0_make_request() (git fixes (block drivers)). - md/raid10: prevent access of uninitialized resync_pages offset (git-fixes). - media: dvb: return -EREMOTEIO on i2c transfer failure (bsc#1051510). - media: platform: fcp: Set appropriate DMA parameters (bsc#1051510). - media: ti-vpe: cal: fix disable_irqs to only the intended target (git-fixes). - mei: release me_cl object reference (bsc#1051510). - mlxsw: Fix some IS_ERR() vs NULL bugs (networking-stable-20_04_27). - mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE (networking-stable-20_04_09). - mmc: atmel-mci: Fix debugfs on 64-bit platforms (git-fixes). - mmc: dw_mmc: Fix debugfs on 64-bit platforms (git-fixes). - mmc: meson-gx: make sure the descriptor is stopped on errors (git-fixes). - mmc: meson-gx: simplify interrupt handler (git-fixes). - mmc: renesas_sdhi: limit block count to 16 bit for old revisions (git-fixes). - mmc: sdhci-esdhc-imx: fix the mask for tuning start point (bsc#1051510). - mmc: sdhci-msm: Clear tuning done flag while hs400 tuning (bsc#1051510). - mmc: sdhci-of-at91: fix memleak on clk_get failure (git-fixes). - mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers (bsc#1051510). - mmc: sdhci-xenon: fix annoying 1.8V regulator warning (bsc#1051510). - mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card() (bsc#1051510). - mmc: tmio: fix access width of Block Count Register (git-fixes). - mm: thp: handle page cache THP correctly in PageTransCompoundMap (git fixes (block drivers)). - mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer (bsc#1051510). - mtd: spi-nor: cadence-quadspi: add a delay in write sequence (git-fixes). - mtd: spi-nor: enable 4B opcodes for mx66l51235l (git-fixes). 
- mtd: spi-nor: fsl-quadspi: Do not let -EINVAL on the bus (git-fixes). - mwifiex: avoid -Wstringop-overflow warning (bsc#1051510). - mwifiex: Fix memory corruption in dump_station (bsc#1051510). - net: bcmgenet: correct per TX/RX ring statistics (networking-stable-20_04_27). - net: dsa: b53: Fix ARL register definitions (networking-stable-20_04_27). - net: dsa: b53: Rework ARL bin logic (networking-stable-20_04_27). - net: dsa: bcm_sf2: Do not register slave MDIO bus with OF (networking-stable-20_04_09). - net: dsa: bcm_sf2: Ensure correct sub-node is parsed (networking-stable-20_04_09). - net: dsa: Fix duplicate frames flooded by learning (networking-stable-20_03_28). - net: dsa: mv88e6xxx: fix lockup on warm boot (networking-stable-20_03_14). - net: fec: validate the new settings in fec_enet_set_coalesce() (networking-stable-20_03_14). - net: fix race condition in __inet_lookup_established() (bsc#1151794). - net: fq: add missing attribute validation for orphan mask (networking-stable-20_03_14). - net, ip_tunnel: fix interface lookup with no key (networking-stable-20_04_02). - net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin (networking-stable-20_04_17). - net: ipv6: do not consider routes via gateways for anycast address check (networking-stable-20_04_17). - netlink: Use netlink header as base to calculate bad attribute offset (networking-stable-20_03_14). - net: memcg: fix lockdep splat in inet_csk_accept() (networking-stable-20_03_14). - net: memcg: late association of sock to memcg (networking-stable-20_03_14). - net/mlx4_en: avoid indirect call in TX completion (networking-stable-20_04_27). - net/mlx5: Add new fields to Port Type and Speed register (bsc#1171118). - net/mlx5: Add RoCE RX ICRC encapsulated counter (bsc#1171118). - net/mlx5e: Fix ethtool self test: link speed (bsc#1171118). - net/mlx5e: Move port speed code from en_ethtool.c to en/port.c (bsc#1171118). - net/mlx5: Expose link speed directly (bsc#1171118). 
- net/mlx5: Expose port speed when possible (bsc#1171118). - net: mvneta: Fix the case where the last poll did not process all rx (networking-stable-20_03_28). - net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node (networking-stable-20_04_27). - net/packet: tpacket_rcv: do not increment ring index on drop (networking-stable-20_03_14). - net: qmi_wwan: add support for ASKEY WWHC050 (networking-stable-20_03_28). - net: revert default NAPI poll timeout to 2 jiffies (networking-stable-20_04_17). - net_sched: cls_route: remove the right filter from hashtable (networking-stable-20_03_28). - net/x25: Fix x25_neigh refcnt leak when receiving frame (networking-stable-20_04_27). - nfc: add missing attribute validation for SE API (networking-stable-20_03_14). - nfc: add missing attribute validation for vendor subcommand (networking-stable-20_03_14). - nfc: st21nfca: add missed kfree_skb() in an error path (bsc#1051510). - nfsd4: fix up replay_matches_cache() (git-fixes). - nfsd: Ensure CLONE persists data and metadata changes to the target file (git-fixes). - nfsd: fix delay timer on 32-bit architectures (git-fixes). - nfsd: fix jiffies/time_t mixup in LRU list (git-fixes). - NFS: Directory page cache pages need to be locked when read (git-fixes). - nfsd: memory corruption in nfsd4_lock() (git-fixes). - NFS: Do not call generic_error_remove_page() while holding locks (bsc#1170457). - NFS: Fix memory leaks and corruption in readdir (git-fixes). - NFS: Fix O_DIRECT accounting of number of bytes read/written (git-fixes). - nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl (git-fixes). - NFS: fix racey wait in nfs_set_open_stateid_locked (bsc#1170592). - NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O (git-fixes). - NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes() (git-fixes). - NFS: Revalidate the file size on a fatal write error (git-fixes). - NFSv4.0: nfs4_do_fsinfo() should not do implicit lease renewals (git-fixes). 
- NFSv4: Do not allow a cached open with a revoked delegation (git-fixes). - NFSv4: Fix leak of clp->cl_acceptor string (git-fixes). - NFSv4/pnfs: Return valid stateids in nfs_layout_find_inode_by_stateid() (git-fixes). - NFSv4: try lease recovery on NFS4ERR_EXPIRED (git-fixes). - NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn (git-fixes). - nl802154: add missing attribute validation for dev_type (networking-stable-20_03_14). - nl802154: add missing attribute validation (networking-stable-20_03_14). - nvme-fc: print proper nvme-fc devloss_tmo value (bsc#1172391). - objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514). - objtool: Fix switch table detection in .text.unlikely (bsc#1169514). - objtool: Make BP scratch register warning more robust (bsc#1169514). - padata: Remove broken queue flushing (git-fixes). - Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()" (git fixes (block drivers)). - pinctrl: baytrail: Enable pin configuration setting for GPIO chip (git-fixes). - pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler (git-fixes). - platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA (bsc#1051510). - pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors (git-fixes). - powerpc: Add attributes for setjmp/longjmp (bsc#1065729). - powerpc/pci/of: Parse unassigned resources (bsc#1065729). - powerpc/setup_64: Set cache-line-size based on cache-block-size (bsc#1065729). - powerpc/sstep: Fix DS operand in ld encoding to appropriate value (bsc#1065729). - r8152: check disconnect status after long sleep (networking-stable-20_03_14). - raid6/ppc: Fix build for clang (git fixes (block drivers)). - rcu: locking and unlocking need to always be at least barriers (git fixes (block drivers)). - RDMA/ipoib: Fix use of sizeof() (bsc#1168503). - RDMA/netdev: Fix netlink support in IPoIB (bsc#1168503). - RDMA/netdev: Hoist alloc_netdev_mqs out of the driver (bsc#1168503). 
- RDMA/netdev: Use priv_destructor for netdev cleanup (bsc#1168503). - Remove 2 git-fixes that cause build issues. (bsc#1171691) - Revert "ALSA: hda/realtek: Fix pop noise on ALC225" (git-fixes). - Revert "drm/panel: simple: Add support for Sharp LQ150X1LG11 panels" (bsc#1114279) - Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" (bsc#1172221). - rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() (bsc#1051510). - s390/ftrace: fix potential crashes when switching tracers (git-fixes). - s390/ism: fix error return code in ism_probe() (git-fixes). - s390/pci: Fix possible deadlock in recover_store() (bsc#1165183 LTC#184103). - s390/pci: Recover handle in clp_set_pci_fn() (bsc#1165183 LTC#184103). - scripts/decodecode: fix trapping instruction formatting (bsc#1065729). - scripts/dtc: Remove redundant YYLOC global declaration (bsc#1160388). - scsi: bnx2i: fix potential use after free (bsc#1171600). - scsi: core: Handle drivers which set sg_tablesize to zero (bsc#1171601) This commit also required: > scsi: core: avoid preallocating big SGL for data - scsi: core: save/restore command resid for error handling (bsc#1171602). - scsi: core: scsi_trace: Use get_unaligned_be*() (bsc#1171604). - scsi: core: try to get module before removing device (bsc#1171605). - scsi: csiostor: Adjust indentation in csio_device_reset (bsc#1171606). - scsi: csiostor: Do not enable IRQs too early (bsc#1171607). - scsi: esas2r: unlock on error in esas2r_nvram_read_direct() (bsc#1171608). - scsi: fnic: fix invalid stack access (bsc#1171609). - scsi: fnic: fix msix interrupt allocation (bsc#1171610). - scsi: ibmvscsi: Fix WARN_ON during event pool release (bsc#1170791 ltc#185128). - scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func (bsc#1171611). - scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1171612). - scsi: iscsi: qla4xxx: fix double free in probe (bsc#1171613). 
- scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences (bsc#1171614). - scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1171615). - scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state (bsc#1171616). - scsi: qla2xxx: add ring buffer for tracing debug logs (bsc#1157169). - scsi: qla2xxx: check UNLOADING before posting async work (bsc#1157169). - scsi: qla2xxx: Delete all sessions before unregister local nvme port (bsc#1157169). - scsi: qla2xxx: Do not log message when reading port speed via sysfs (bsc#1157169). - scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV (bsc#1157169). - scsi: qla2xxx: Fix regression warnings (bsc#1157169). - scsi: qla2xxx: Remove non functional code (bsc#1157169). - scsi: qla2xxx: set UNLOADING before waiting for session deletion (bsc#1157169). - scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free (bsc#1171617). - scsi: qla4xxx: fix double free bug (bsc#1171618). - scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI (bsc#1171619). - scsi: sg: add sg_remove_request in sg_common_write (bsc#1171620). - scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) (bsc#1171621). - scsi: ufs: change msleep to usleep_range (bsc#1171622). - scsi: ufs: Clean up ufshcd_scale_clks() and clock scaling error out path (bsc#1171623). - scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic (bsc#1171624). - scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails (bsc#1171625). - scsi: ufs: Recheck bkops level if bkops is disabled (bsc#1171626). - sctp: fix possibly using a bad saddr with a given dst (networking-stable-20_04_02). - sctp: fix refcount bug in sctp_wfree (networking-stable-20_04_02). - seq_file: fix problem when seeking mid-record (bsc#1170125). - serial: uartps: Move the spinlock after the read of the tx empty (git-fixes). 
- sfc: detach from cb_page in efx_copy_channel() (networking-stable-20_03_14). - signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig (bsc#1172185). - slcan: not call free_netdev before rtnl_unlock in slcan_open (networking-stable-20_03_28). - slip: make slhc_compress() more robust against malicious packets (networking-stable-20_03_14). - smb3: Additional compression structures (bsc#1144333). - smb3: Add new compression flags (bsc#1144333). - smb3: change noisy error message to FYI (bsc#1144333). - smb3: enable swap on SMB3 mounts (bsc#1144333). - smb3: Minor cleanup of protocol definitions (bsc#1144333). - smb3: remove overly noisy debug line in signing errors (bsc#1144333). - smb3: smbdirect support can be configured by default (bsc#1144333). - smb3: use SMB2_SIGNATURE_SIZE define (bsc#1144333). - spi: bcm2835: Fix 3-wire mode if DMA is enabled (git-fixes). - spi: bcm63xx-hsspi: Really keep pll clk enabled (bsc#1051510). - spi: bcm-qspi: when tx/rx buffer is NULL set to 0 (bsc#1051510). - spi: dw: Add SPI Rx-done wait method to DMA-based transfer (bsc#1051510). - spi: dw: Add SPI Tx-done wait method to DMA-based transfer (bsc#1051510). - spi: dw: Zero DMA Tx and Rx configurations on stack (bsc#1051510). - spi: fsl: do not map irq during probe (git-fixes). - spi: fsl: use platform_get_irq() instead of of_irq_to_resource() (git-fixes). - spi: pxa2xx: Add CS control clock quirk (bsc#1051510). - spi: qup: call spi_qup_pm_resume_runtime before suspending (bsc#1051510). - spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion (git-fixes). - spi: spi-s3c64xx: Fix system resume support (git-fixes). - spi/zynqmp: remove entry that causes a cs glitch (bsc#1051510). - staging: comedi: dt2815: fix writing hi byte of analog output (bsc#1051510). - staging: comedi: Fix comedi_device refcnt leak in comedi_open (bsc#1051510). - staging: iio: ad2s1210: Fix SPI reading (bsc#1051510). 
- staging: vt6656: Do not set RCR_MULTICAST or RCR_BROADCAST by default (git-fixes). - staging: vt6656: Fix drivers TBTT timing counter (git-fixes). - staging: vt6656: Fix pairwise key entry save (git-fixes). - sunrpc: expiry_time should be seconds not timeval (git-fixes). - SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()' (git-fixes). - supported.conf: Add br_netfilter to base (bsc#1169020). - svcrdma: Fix leak of transport addresses (git-fixes). - taskstats: fix data-race (bsc#1172188). - tcp: cache line align MAX_TCP_HEADER (networking-stable-20_04_27). - tcp: repair: fix TCP_QUEUE_SEQ implementation (networking-stable-20_03_28). - team: add missing attribute validation for array index (networking-stable-20_03_14). - team: add missing attribute validation for port ifindex (networking-stable-20_03_14). - team: fix hang in team_mode_get() (networking-stable-20_04_27). - tools lib traceevent: Remove unneeded qsort and uses memmove instead (git-fixes). - tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() (bsc#1065729). - tpm/tpm_tis: Free IRQ if probing fails (bsc#1082555). - tpm/tpm_tis: Free IRQ if probing fails (git-fixes). - tracing: Add a vmalloc_sync_mappings() for safe measure (git-fixes). - tracing: Disable trace_printk() on post poned tests (git-fixes). - tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation (git-fixes). - tty: rocket, avoid OOB access (git-fixes). - UAS: fix deadlock in error handling and PM flushing work (git-fixes). - UAS: no use logging any details in case of ENODEV (git-fixes). - USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE (git-fixes). - USB: cdc-acm: restore capability check order (git-fixes). - USB: core: Fix misleading driver bug report (bsc#1051510). - USB: dwc3: do not set gadget->is_otg flag (git-fixes). - USB: dwc3: gadget: Do link recovery for SS and SSP (git-fixes). 
- USB: early: Handle AMD's spec-compliant identifiers, too (git-fixes). - USB: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset() (git-fixes). - USB: gadget: audio: Fix a missing error return value in audio_bind() (git-fixes). - USB: gadget: composite: Inform controller driver of self-powered (git-fixes). - USB: gadget: legacy: fix error return code in cdc_bind() (git-fixes). - USB: gadget: legacy: fix error return code in gncm_bind() (git-fixes). - USB: gadget: legacy: fix redundant initialization warnings (bsc#1051510). - USB: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' (git-fixes). - USB: gadget: udc: atmel: Fix vbus disconnect handling (git-fixes). - USB: gadget: udc: atmel: Make some symbols static (git-fixes). - USB: gadget: udc: bdc: Remove unnecessary NULL checks in bdc_req_complete (git-fixes). - USB: host: xhci-plat: keep runtime active when removing host (git-fixes). - USB: hub: Fix handling of connect changes during sleep (git-fixes). - usbnet: silence an unnecessary warning (bsc#1170770). - USB: serial: garmin_gps: add sanity checking for data length (git-fixes). - USB: serial: option: add BroadMobi BM806U (git-fixes). - USB: serial: option: add support for ASKEY WWHC050 (git-fixes). - USB: serial: option: add Wistron Neweb D19Q1 (git-fixes). - USB: serial: qcserial: Add DW5816e support (git-fixes). - USB: sisusbvga: Change port variable from signed to unsigned (git-fixes). - usb-storage: Add unusual_devs entry for JMicron JMS566 (git-fixes). - USB: uas: add quirk for LaCie 2Big Quadra (git-fixes). - USB: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list (git-fixes). - video: fbdev: sis: Remove unnecessary parentheses and commented code (bsc#1114279) - video: fbdev: w100fb: Fix a potential double free (bsc#1051510). - vrf: Check skb for XFRM_TRANSFORMED flag (networking-stable-20_04_27). - vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines (git-fixes). 
- vt: selection, introduce vc_is_sel (git-fixes). - vt: vt_ioctl: fix race in VT_RESIZEX (git-fixes). - vt: vt_ioctl: fix use-after-free in vt_in_use() (git-fixes). - vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console (git-fixes). - vxlan: check return value of gro_cells_init() (networking-stable-20_03_28). - watchdog: reset last_hw_keepalive time at start (git-fixes). - wcn36xx: Fix error handling path in 'wcn36xx_probe()' (bsc#1051510). - wil6210: remove reset file from debugfs (git-fixes). - wimax/i2400m: Fix potential urb refcnt leak (bsc#1051510). - workqueue: do not use wq_select_unbound_cpu() for bound works (bsc#1172130). - x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115). - x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115). - x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115). - x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115). - x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170620). - x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170618). - x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170618). - x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170618). - x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170618). - x86/Hyper-V: report value of misc_features (git-fixes). - x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170618). - x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170618). - x86/kprobes: Avoid kretprobe recursion bug (bsc#1114279). - x86/resctrl: Fix invalid attempt at removing the default resource group (git-fixes). - x86/resctrl: Preserve CDP enable over CPU hotplug (bsc#1114279). - x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115). - x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115). 
- x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115).
- x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115).
- x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115).
- x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115).
- xen/pci: reserve MCFG areas earlier (bsc#1170145).
- xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish (networking-stable-20_04_27).
- xfs: Correctly invert xfs_buftarg LRU isolation logic (git-fixes).
- xfs: do not ever return a stale pointer from __xfs_dir3_free_read (git-fixes).
- xprtrdma: Fix completion wait during device removal (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1603=1

Package List:

   - SUSE Linux Enterprise Server 12-SP4 (noarch):

      kernel-devel-azure-4.12.14-6.43.1
      kernel-source-azure-4.12.14-6.43.1

   - SUSE Linux Enterprise Server 12-SP4 (x86_64):

      kernel-azure-4.12.14-6.43.1
      kernel-azure-base-4.12.14-6.43.1
      kernel-azure-base-debuginfo-4.12.14-6.43.1
      kernel-azure-debuginfo-4.12.14-6.43.1
      kernel-azure-debugsource-4.12.14-6.43.1
      kernel-azure-devel-4.12.14-6.43.1
      kernel-syms-azure-4.12.14-6.43.1

References:

   https://www.suse.com/security/cve/CVE-2018-1000199.html
   https://www.suse.com/security/cve/CVE-2019-19462.html
   https://www.suse.com/security/cve/CVE-2019-20806.html
   https://www.suse.com/security/cve/CVE-2019-20812.html
   https://www.suse.com/security/cve/CVE-2019-9455.html
   https://www.suse.com/security/cve/CVE-2020-0543.html
   https://www.suse.com/security/cve/CVE-2020-10690.html
   https://www.suse.com/security/cve/CVE-2020-10711.html
   https://www.suse.com/security/cve/CVE-2020-10720.html
   https://www.suse.com/security/cve/CVE-2020-10732.html
   https://www.suse.com/security/cve/CVE-2020-10751.html
   https://www.suse.com/security/cve/CVE-2020-10757.html
   https://www.suse.com/security/cve/CVE-2020-12114.html
   https://www.suse.com/security/cve/CVE-2020-12464.html
   https://www.suse.com/security/cve/CVE-2020-12652.html
   https://www.suse.com/security/cve/CVE-2020-12653.html
   https://www.suse.com/security/cve/CVE-2020-12654.html
   https://www.suse.com/security/cve/CVE-2020-12655.html
   https://www.suse.com/security/cve/CVE-2020-12656.html
   https://www.suse.com/security/cve/CVE-2020-12657.html
   https://www.suse.com/security/cve/CVE-2020-12768.html
   https://www.suse.com/security/cve/CVE-2020-12769.html
   https://www.suse.com/security/cve/CVE-2020-13143.html
   https://bugzilla.suse.com/1051510
   https://bugzilla.suse.com/1058115
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1082555
   https://bugzilla.suse.com/1089895
   https://bugzilla.suse.com/1114279
   https://bugzilla.suse.com/1133021
   https://bugzilla.suse.com/1144333
   https://bugzilla.suse.com/1151794
   https://bugzilla.suse.com/1152489
   https://bugzilla.suse.com/1154824
   https://bugzilla.suse.com/1157169
   https://bugzilla.suse.com/1158265
   https://bugzilla.suse.com/1160388
   https://bugzilla.suse.com/1160947
   https://bugzilla.suse.com/1165183
   https://bugzilla.suse.com/1165741
   https://bugzilla.suse.com/1166969
   https://bugzilla.suse.com/1167574
   https://bugzilla.suse.com/1167851
   https://bugzilla.suse.com/1168503
   https://bugzilla.suse.com/1168670
   https://bugzilla.suse.com/1169020
   https://bugzilla.suse.com/1169514
   https://bugzilla.suse.com/1169525
   https://bugzilla.suse.com/1170056
   https://bugzilla.suse.com/1170125
   https://bugzilla.suse.com/1170145
   https://bugzilla.suse.com/1170345
   https://bugzilla.suse.com/1170457
   https://bugzilla.suse.com/1170522
   https://bugzilla.suse.com/1170592
   https://bugzilla.suse.com/1170618
   https://bugzilla.suse.com/1170620
   https://bugzilla.suse.com/1170770
   https://bugzilla.suse.com/1170778
   https://bugzilla.suse.com/1170791
   https://bugzilla.suse.com/1170901
   https://bugzilla.suse.com/1171078
   https://bugzilla.suse.com/1171098
   https://bugzilla.suse.com/1171118
   https://bugzilla.suse.com/1171189
   https://bugzilla.suse.com/1171191
   https://bugzilla.suse.com/1171195
   https://bugzilla.suse.com/1171202
   https://bugzilla.suse.com/1171205
   https://bugzilla.suse.com/1171217
   https://bugzilla.suse.com/1171218
   https://bugzilla.suse.com/1171219
   https://bugzilla.suse.com/1171220
   https://bugzilla.suse.com/1171293
   https://bugzilla.suse.com/1171417
   https://bugzilla.suse.com/1171527
   https://bugzilla.suse.com/1171599
   https://bugzilla.suse.com/1171600
   https://bugzilla.suse.com/1171601
   https://bugzilla.suse.com/1171602
   https://bugzilla.suse.com/1171604
   https://bugzilla.suse.com/1171605
   https://bugzilla.suse.com/1171606
   https://bugzilla.suse.com/1171607
   https://bugzilla.suse.com/1171608
   https://bugzilla.suse.com/1171609
   https://bugzilla.suse.com/1171610
   https://bugzilla.suse.com/1171611
   https://bugzilla.suse.com/1171612
   https://bugzilla.suse.com/1171613
   https://bugzilla.suse.com/1171614
   https://bugzilla.suse.com/1171615
   https://bugzilla.suse.com/1171616
   https://bugzilla.suse.com/1171617
   https://bugzilla.suse.com/1171618
   https://bugzilla.suse.com/1171619
   https://bugzilla.suse.com/1171620
   https://bugzilla.suse.com/1171621
   https://bugzilla.suse.com/1171622
   https://bugzilla.suse.com/1171623
   https://bugzilla.suse.com/1171624
   https://bugzilla.suse.com/1171625
   https://bugzilla.suse.com/1171626
   https://bugzilla.suse.com/1171679
   https://bugzilla.suse.com/1171691
   https://bugzilla.suse.com/1171694
   https://bugzilla.suse.com/1171695
   https://bugzilla.suse.com/1171736
   https://bugzilla.suse.com/1171761
   https://bugzilla.suse.com/1171948
   https://bugzilla.suse.com/1171949
   https://bugzilla.suse.com/1171951
   https://bugzilla.suse.com/1171952
   https://bugzilla.suse.com/1171982
   https://bugzilla.suse.com/1171983
   https://bugzilla.suse.com/1172096
   https://bugzilla.suse.com/1172097
   https://bugzilla.suse.com/1172098
   https://bugzilla.suse.com/1172099
   https://bugzilla.suse.com/1172101
   https://bugzilla.suse.com/1172102
   https://bugzilla.suse.com/1172103
   https://bugzilla.suse.com/1172104
   https://bugzilla.suse.com/1172127
   https://bugzilla.suse.com/1172130
   https://bugzilla.suse.com/1172185
   https://bugzilla.suse.com/1172188
   https://bugzilla.suse.com/1172199
   https://bugzilla.suse.com/1172221
   https://bugzilla.suse.com/1172253
   https://bugzilla.suse.com/1172317
   https://bugzilla.suse.com/1172342
   https://bugzilla.suse.com/1172343
   https://bugzilla.suse.com/1172344
   https://bugzilla.suse.com/1172366
   https://bugzilla.suse.com/1172391
   https://bugzilla.suse.com/1172397
   https://bugzilla.suse.com/1172453

From sle-updates at lists.suse.com Wed Jun 10 13:25:40 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 10 Jun 2020 21:25:40 +0200 (CEST)
Subject: SUSE-SU-2020:1602-1: important: Security update for the Linux Kernel
Message-ID: <20200610192540.D62E4F3D7@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1602-1
Rating:             important
References:         #1051510 #1058115 #1065729 #1071995 #1082555
                    #1083647 #1089895 #1103990 #1103991 #1103992
                    #1104745 #1109837 #1111666 #1112178 #1112374
                    #1113956 #1114279 #1124278 #1127354 #1127355
                    #1127371 #1133021 #1141558 #1142685 #1144333
                    #1151794 #1152489 #1154824 #1157169 #1158265
                    #1160388 #1160947 #1164780 #1164871 #1165183
                    #1165478 #1165741 #1166969 #1166978 #1167574
                    #1167851 #1167867 #1168332 #1168503 #1168670
                    #1168789 #1169005 #1169020 #1169514 #1169525
                    #1169762 #1170056 #1170125 #1170145 #1170284
                    #1170345 #1170457 #1170522 #1170592 #1170617
                    #1170618 #1170620 #1170621 #1170770 #1170778
                    #1170791 #1170901 #1171078 #1171098 #1171118
                    #1171189 #1171191 #1171195 #1171202 #1171205
                    #1171214 #1171217 #1171218 #1171219 #1171220
                    #1171244 #1171293 #1171417 #1171527 #1171599
                    #1171600 #1171601 #1171602 #1171604 #1171605
                    #1171606 #1171607 #1171608 #1171609 #1171610
                    #1171611 #1171612 #1171613 #1171614 #1171615
                    #1171616 #1171617 #1171618 #1171619 #1171620
                    #1171621 #1171622 #1171623 #1171624 #1171625
                    #1171626 #1171662 #1171679 #1171691 #1171692
                    #1171694 #1171695 #1171736 #1171761 #1171817
                    #1171948 #1171949 #1171951 #1171952 #1171979
                    #1171982 #1171983 #1172017 #1172096 #1172097
                    #1172098 #1172099 #1172101 #1172102 #1172103
                    #1172104 #1172127 #1172130 #1172185 #1172188
                    #1172199 #1172201 #1172202 #1172218 #1172221
                    #1172249 #1172251 #1172253 #1172317 #1172342
                    #1172343 #1172344 #1172366 #1172378 #1172391
                    #1172397 #1172453
Cross-References:   CVE-2018-1000199 CVE-2019-19462 CVE-2019-20806
                    CVE-2019-20812 CVE-2019-9455 CVE-2020-0543
                    CVE-2020-10690 CVE-2020-10711 CVE-2020-10720
                    CVE-2020-10732 CVE-2020-10751 CVE-2020-10757
                    CVE-2020-12114 CVE-2020-12464 CVE-2020-12652
                    CVE-2020-12653 CVE-2020-12654 CVE-2020-12655
                    CVE-2020-12656 CVE-2020-12657 CVE-2020-12659
                    CVE-2020-12768 CVE-2020-12769 CVE-2020-13143
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise High Availability 12-SP5
______________________________________________________________________________

   An update that solves 24 vulnerabilities and has 133 fixes is now available.

Description:

   The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

   The following security bugs were fixed:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824).
- CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).
- CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).
- CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).
- CVE-2020-12659: Fixed an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) due to improper headroom validation (bsc#1171214).
- CVE-2020-12657: Fixed a use-after-free in block/bfq-iosched.c (bsc#1171205).
- CVE-2020-12656: Fixed improper handling of certain domain_release calls which could have led to a memory leak (bsc#1171219).
- CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).
- CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).
- CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).
- CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).
- CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10711: Fixed a null pointer dereference in the SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).
- CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).
- CVE-2019-20806: Fixed a null pointer dereference which may have led to denial of service (bsc#1172199).
- CVE-2019-19462: Fixed an issue which could have allowed a local user to cause denial of service (bsc#1158265).
- CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

   The following non-security bugs were fixed:

- ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe() (bsc#1051510).
- ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() (bsc#1051510).
- acpi/x86: ignore unspecified bit positions in the ACPI global lock field (bsc#1051510).
- Add br_netfilter to kernel-default-base (bsc#1169020)
- Add commit for git-fix that's not a fix This commit cleans up debug code but does not fix anything, and it relies on a new kernel function that isn't yet in this version of SLE.
- agp/intel: Reinforce the barrier after GTT updates (bsc#1051510).
- ALSA: ctxfi: Remove unnecessary cast in kfree (bsc#1051510).
- ALSA: doc: Document PC Beep Hidden Register on Realtek ALC256 (bsc#1051510).
- ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666).
- ALSA: hda: Add driver blacklist (bsc#1051510).
- ALSA: hda: Always use jackpoll helper for jack update after resume (bsc#1051510).
- ALSA: hda: call runtime_allow() for all hda controllers (bsc#1051510).
- ALSA: hda: Do not release card at firmware loading error (bsc#1051510).
- ALSA: hda: Explicitly permit using autosuspend if runtime PM is supported (bsc#1051510). - ALSA: hda/hdmi: fix race in monitor detection during probe (bsc#1051510). - ALSA: hda/hdmi: fix without unlocked before return (bsc#1051510). - ALSA: hda: Honor PM disablement in PM freeze and thaw_noirq ops (bsc#1051510). - ALSA: hda: Keep the controller initialization even if no codecs found (bsc#1051510). - ALSA: hda: Match both PCI ID and SSID for driver blacklist (bsc#1111666). - ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround (bsc#1172017). - ALSA: hda/realtek - Add COEF workaround for ASUS ZenBook UX431DA (git-fixes). - ALSA: hda/realtek - Add HP new mute led supported for ALC236 (git-fixes). - ALSA: hda/realtek - Add more fixup entries for Clevo machines (git-fixes). - ALSA: hda/realtek - Add new codec supported for ALC245 (bsc#1051510). - ALSA: hda/realtek - Add new codec supported for ALC287 (git-fixes). - ALSA: hda/realtek: Add quirk for Samsung Notebook (git-fixes). - ALSA: hda/realtek - Add supported new mute Led for HP (git-fixes). - ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295 (git-fixes). - ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295 (git-fixes). - ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295 (git-fixes). - ALSA: hda/realtek - Enable the headset mic on Asus FX505DT (bsc#1051510). - ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse (git-fixes). - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme (bsc#1111666). - ALSA: hda/realtek - Fix unexpected init_amp override (bsc#1051510). - ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 (git-fixes bsc#1171293). - ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter (bsc#1051510). - ALSA: hda: Release resources at error in delayed probe (bsc#1051510). - ALSA: hda: Remove ASUS ROG Zenith from the blacklist (bsc#1051510). - ALSA: hda: Skip controller resume if not needed (bsc#1051510). 
- ALSA: hwdep: fix a left shifting 1 by 31 UB bug (git-fixes). - ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option (git-fixes). - ALSA: opti9xx: shut up gcc-10 range warning (bsc#1051510). - ALSA: pcm: fix incorrect hw_base increase (git-fixes). - ALSA: pcm: oss: Place the plugin buffer overflow checks correctly (bsc#1170522). - ALSA: rawmidi: Fix racy buffer resize under concurrent accesses (git-fixes). - ALSA: usb-audio: Add connector notifier delegation (bsc#1051510). - ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset (git-fixes). - ALSA: usb-audio: add mapping for ASRock TRX40 Creator (git-fixes). - ALSA: usb-audio: Add mixer workaround for TRX40 and co (bsc#1051510). - ALSA: usb-audio: Add quirk for Focusrite Scarlett 2i2 (bsc#1051510). - ALSA: usb-audio: Add static mapping table for ALC1220-VB-based mobos (bsc#1051510). - ALSA: usb-audio: Apply async workaround for Scarlett 2i4 2nd gen (bsc#1051510). - ALSA: usb-audio: Check mapping at creating connector controls, too (bsc#1051510). - ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID (bsc#1051510). - ALSA: usb-audio: Do not create jack controls for PCM terminals (bsc#1051510). - ALSA: usb-audio: Do not override ignore_ctl_error value from the map (bsc#1051510). - ALSA: usb-audio: Filter error from connector kctl ops, too (bsc#1051510). - ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif (bsc#1051510). - ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC (git-fixes). - ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio (git-fixes). - ALSA: usx2y: Fix potential NULL dereference (bsc#1051510). - ASoC: codecs: hdac_hdmi: Fix incorrect use of list_for_each_entry (bsc#1051510). - ASoC: dapm: connect virtual mux with default value (bsc#1051510). - ASoC: dapm: fixup dapm kcontrol widget (bsc#1051510). - ASoC: dpcm: allow start or stop during pause for backend (bsc#1051510). 
- ASoC: fix regwmask (bsc#1051510). - ASoC: msm8916-wcd-digital: Reset RX interpolation path after use (bsc#1051510). - ASoC: samsung: Prevent clk_get_rate() calls in atomic context (bsc#1111666). - ASoC: topology: Check return value of pcm_new_ver (bsc#1051510). - ASoC: topology: use name_prefix for new kcontrol (bsc#1051510). - b43legacy: Fix case where channel status is corrupted (bsc#1051510). - batman-adv: fix batadv_nc_random_weight_tq (git-fixes). - batman-adv: Fix refcnt leak in batadv_show_throughput_override (git-fixes). - batman-adv: Fix refcnt leak in batadv_store_throughput_override (git-fixes). - batman-adv: Fix refcnt leak in batadv_v_ogm_process (git-fixes). - bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (git fixes (block drivers)). - bcache: fix incorrect data type usage in btree_flush_write() (git fixes (block drivers)). - bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (git fixes (block drivers)). - blk-mq: honor IO scheduler for multiqueue devices (bsc#1165478). - blk-mq: simplify blk_mq_make_request() (bsc#1165478). - block/drbd: delete invalid function drbd_md_mark_dirty_ (bsc#1171527). - block: drbd: remove a stray unlock in __drbd_send_protocol() (bsc#1171599). - block: fix busy device checking in blk_drop_partitions again (bsc#1171948). - block: fix busy device checking in blk_drop_partitions (bsc#1171948). - block: fix memleak of bio integrity data (git fixes (block drivers)). - block: remove the bd_openers checks in blk_drop_partitions (bsc#1171948). - bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets() (networking-stable-20_03_28). - bnxt_en: Reduce BNXT_MSIX_VEC_MAX value to supported CQs per PF (bsc#1104745). - bnxt_en: reinitialize IRQs when MTU is modified (networking-stable-20_03_14). - bnxt_en: Return error if bnxt_alloc_ctx_mem() fails (bsc#1104745 ). - bnxt_en: Return error when allocating zero size context memory (bsc#1104745). 
- bonding/alb: make sure arp header is pulled before accessing it (networking-stable-20_03_14). - bpf: Fix sk_psock refcnt leak when receiving message (bsc#1083647). - bpf: Forbid XADD on spilled pointers for unprivileged users (bsc#1083647). - brcmfmac: abort and release host after error (bsc#1051510). - btrfs: fix deadlock with memory reclaim during scrub (bsc#1172127). - btrfs: fix log context list corruption after rename whiteout error (bsc#1172342). - btrfs: fix partial loss of prealloc extent past i_size after fsync (bsc#1172343). - btrfs: move the dio_sem higher up the callchain (bsc#1171761). - btrfs: relocation: add error injection points for cancelling balance (bsc#1171417). - btrfs: relocation: Check cancel request after each data page read (bsc#1171417). - btrfs: relocation: Check cancel request after each extent found (bsc#1171417). - btrfs: relocation: Clear the DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417). - btrfs: relocation: Fix reloc root leakage and the NULL pointer reference caused by the leakage (bsc#1171417). - btrfs: relocation: Work around dead relocation stage loop (bsc#1171417). - btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366). - btrfs: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366). - btrfs: setup a nofs context for memory allocation at btrfs_create_tree() (bsc#1172127). - btrfs: setup a nofs context for memory allocation at __btrfs_set_acl (bsc#1172127). - btrfs: use nofs context when initializing security xattrs to avoid deadlock (bsc#1172127). - can: add missing attribute validation for termination (networking-stable-20_03_14). - cdc-acm: close race betrween suspend() and acm_softint (git-fixes). - cdc-acm: introduce a cool down (git-fixes). - ceph: check if file lock exists before sending unlock request (bsc#1168789). 
- ceph: demote quotarealm lookup warning to a debug message (bsc#1171692). - ceph: fix double unlock in handle_cap_export() (bsc#1171694). - ceph: fix double unlock in handle_cap_export() (bsc#1171694). - ceph: fix endianness bug when handling MDS session feature bits (bsc#1171695). - ceph: fix endianness bug when handling MDS session feature bits (bsc#1171695). - cgroup, netclassid: periodically release file_lock on classid updating (networking-stable-20_03_14). - CIFS: Allocate crypto structures on the fly for calculating signatures of incoming packets (bsc#1144333). - CIFS: Allocate encryption header through kmalloc (bsc#1144333). - CIFS: allow unlock flock and OFD lock across fork (bsc#1144333). - CIFS: check new file size when extending file by fallocate (bsc#1144333). - CIFS: cifspdu.h: Replace zero-length array with flexible-array member (bsc#1144333). - CIFS: clear PF_MEMALLOC before exiting demultiplex thread (bsc#1144333). - CIFS: do not share tcons with DFS (bsc#1144333). - CIFS: dump the session id and keys also for SMB2 sessions (bsc#1144333). - CIFS: ensure correct super block for DFS reconnect (bsc#1144333). - CIFS: Fix bug which the return value by asynchronous read is error (bsc#1144333). - CIFS: fix uninitialised lease_key in open_shroot() (bsc#1144333). - CIFS: improve read performance for page size 64KB & cache=strict & vers=2.1+ (bsc#1144333). - CIFS: Increment num_remote_opens stats counter even in case of smb2_query_dir_first (bsc#1144333). - CIFS: minor update to comments around the cifs_tcp_ses_lock mutex (bsc#1144333). - CIFS: protect updating server->dstaddr with a spinlock (bsc#1144333). - CIFS: smb2pdu.h: Replace zero-length array with flexible-array member (bsc#1144333). - CIFS: smbd: Calculate the correct maximum packet size for segmented SMBDirect send/receive (bsc#1144333). - CIFS: smbd: Check and extend sender credits in interrupt context (bsc#1144333). - CIFS: smbd: Check send queue size before posting a send (bsc#1144333). 
- CIFS: smbd: Do not schedule work to send immediate packet on every receive (bsc#1144333). - CIFS: smbd: Merge code to track pending packets (bsc#1144333). - CIFS: smbd: Properly process errors on ib_post_send (bsc#1144333). - CIFS: smbd: Update receive credits before sending and deal with credits roll back on failure before sending (bsc#1144333). - CIFS: Warn less noisily on default mount (bsc#1144333). - clk: Add clk_hw_unregister_composite helper function definition (bsc#1051510). - clk: imx6ull: use OSC clock during AXI rate change (bsc#1051510). - clk: imx: make mux parent strings const (bsc#1051510). - clk: mediatek: correct the clocks for MT2701 HDMI PHY module (bsc#1051510). - clk: sunxi-ng: a64: Fix gate bit of DSI DPHY (bsc#1051510). - clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620). - clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620, bsc#1170621). - clocksource: dw_apb_timer_of: Fix missing clockevent timers (bsc#1051510). - component: Silence bind error on -EPROBE_DEFER (bsc#1051510). - coresight: do not use the BIT() macro in the UAPI header (git fixes (block drivers)). - cpufreq: s3c64xx: Remove pointless NULL check in s3c64xx_cpufreq_driver_init (bsc#1051510). - crypto: ccp - AES CFB mode is a stream cipher (git-fixes). - crypto: ccp - Change a message to reflect status instead of failure (bsc#1172218). - crypto: ccp - Clean up and exit correctly on allocation failure (git-fixes). - crypto: ccp - Cleanup misc_dev on sev_exit() (bsc#1114279). - crypto: ccp - Cleanup sp_dev_master in psp_dev_destroy() (bsc#1114279). - cxgb4: fix MPS index overwrite when setting MAC address (bsc#1127355). - cxgb4: fix Txq restart check during backpressure (bsc#1127354 bsc#1127371). - debugfs: Add debugfs_create_xul() for hexadecimal unsigned long (git-fixes). - debugfs_lookup(): switch to lookup_one_len_unlocked() (bsc#1171979). 
- devlink: fix return value after hitting end in region read (bsc#1109837). - devlink: validate length of param values (bsc#1109837). - devlink: validate length of region addr/len (bsc#1109837). - dmaengine: dmatest: Fix iteration non-stop logic (bsc#1051510). - dm mpath: switch paths in dm_blk_ioctl() code path (bsc#1167574). - dm-raid1: fix invalid return value from dm_mirror (bsc#1172378). - dm writecache: fix data corruption when reloading the target (git fixes (block drivers)). - dm writecache: fix incorrect flush sequence when doing SSD mode commit (git fixes (block drivers)). - dm writecache: verify watermark during resume (git fixes (block drivers)). - dm zoned: fix invalid memory access (git fixes (block drivers)). - dm zoned: reduce overhead of backing device checks (git fixes (block drivers)). - dm zoned: remove duplicate nr_rnd_zones increase in dmz_init_zone() (git fixes (block drivers)). - dm zoned: support zone sizes smaller than 128MiB (git fixes (block drivers)). - dp83640: reverse arguments to list_add_tail (git-fixes). - Drivers: hv: Add a module description line to the hv_vmbus driver (bsc#1172249, bsc#1172251). - Drivers: hv: Add a module description line to the hv_vmbus driver (bsc#1172253). - Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170618). - Drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170618). - Drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618). - Drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170618). - drivers/net/ibmvnic: Update VNIC protocol version reporting (bsc#1065729). - Drivers: w1: add hwmon support structures (jsc#SLE-11048). - Drivers: w1: add hwmon temp support for w1_therm (jsc#SLE-11048). - Drivers: w1: refactor w1_slave_show to make the temp reading functionality separate (jsc#SLE-11048). 
- drm: amd/acp: fix broken menu structure (bsc#1114279) * context changes - drm/amdgpu: Correctly initialize thermal controller for GPUs with Powerplay table v0 (e.g Hawaii) (bsc#1111666). - drm/amdgpu: Fix oops when pp_funcs is unset in ACPI event (bsc#1111666). - drm/amd/powerplay: force the trim of the mclk dpm_levels if OD is (bsc#1113956) - drm/atomic: Take the atomic toys away from X (bsc#1112178) * context changes - drm/crc: Actually allow to change the crc source (bsc#1114279) * offset changes - drm/dp_mst: Fix clearing payload state on topology disable (bsc#1051510). - drm/dp_mst: Reformat drm_dp_check_act_status() a bit (bsc#1051510). - drm/edid: Fix off-by-one in DispID DTD pixel clock (bsc#1114279) - drm/etnaviv: fix perfmon domain interation (bsc#1113956) - drm/etnaviv: rework perfmon query infrastructure (bsc#1112178) - drm/i915: Apply Wa_1406680159:icl,ehl as an engine workaround (bsc#1112178) * rename gt/intel_workarounds.c to intel_workarounds.c * context changes - drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of (bsc#1114279) - drm/i915: HDCP: fix Ri prime check done during link check (bsc#1112178) * rename display/intel_hdmi.c to intel_hdmi.c * context changes - drm/i915: properly sanity check batch_start_offset (bsc#1114279) * renamed display/intel_fbc.c -> intel_fb.c * renamed gt/intel_rc6.c -> intel_pm.c * context changes - drm/meson: Delete an error message in meson_dw_hdmi_bind() (bsc#1051510). - drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem (bsc#1114279) - drm/qxl: qxl_release leak in qxl_draw_dirty_fb() (bsc#1051510). - drm/qxl: qxl_release leak in qxl_hw_surface_alloc() (bsc#1051510). - drm/qxl: qxl_release use after free (bsc#1051510). 
- drm: Remove PageReserved manipulation from drm_pci_alloc (bsc#1114279) * offset changes - drm/sun4i: dsi: Allow binding the host without a panel (bsc#1113956) - drm/sun4i: dsi: Avoid hotplug race with DRM driver bind (bsc#1113956) - drm/sun4i: dsi: Remove incorrect use of runtime PM (bsc#1113956) * context changes - drm/sun4i: dsi: Remove unused drv from driver context (bsc#1113956) * context changes * keep include of sun4i_drv.h - dump_stack: avoid the livelock of the dump_lock (git fixes (block drivers)). - EDAC/amd64: Add family ops for Family 19h Models 00h-0Fh (jsc#SLE-11833). - EDAC/amd64: Drop some family checks for newer systems (jsc#SLE-11833). - EDAC/mce_amd: Always load on SMCA systems (jsc#SLE-11833). - EDAC/mce_amd: Make fam_ops static global (jsc#SLE-11833). - EDAC, sb_edac: Add support for systems with segmented PCI buses (bsc#1169525). - ext4: do not zeroout extents beyond i_disksize (bsc#1167851). - ext4: fix extent_status fragmentation for plain files (bsc#1171949). - ext4: use non-movable memory for superblock readahead (bsc#1171952). - fanotify: fix merging marks masks with FAN_ONDIR (bsc#1171679). - fbcon: fix null-ptr-deref in fbcon_switch (bsc#1114279) * rename drivers/video/fbdev/core to drivers/video/console * context changes - fib: add missing attribute validation for tun_id (networking-stable-20_03_14). - firmware: qcom: scm: fix compilation error when disabled (bsc#1051510). - Fix a backport bug, where btrfs_put_root() -> btrfs_put_fs_root() modification is not needed due to missing dependency - fs/cifs: fix gcc warning in sid_to_id (bsc#1144333). - fs/seq_file.c: simplify seq_file iteration code and interface (bsc#1170125). - gpio: tegra: mask GPIO IRQs during IRQ shutdown (bsc#1051510). - gre: fix uninit-value in __iptunnel_pull_header (networking-stable-20_03_14). - HID: hid-input: clear unmapped usages (git-fixes). - HID: hyperv: Add a module description line (bsc#1172249, bsc#1172251). 
- HID: hyperv: Add a module description line (bsc#1172253). - HID: i2c-hid: add Trekstor Primebook C11B to descriptor override (git-fixes). - HID: i2c-hid: override HID descriptors for certain devices (git-fixes). - HID: multitouch: add eGalaxTouch P80H84 support (bsc#1051510). - HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices (git-fixes). - hrtimer: Annotate lockless access to timer->state (git fixes (block drivers)). - hsr: add restart routine into hsr_get_node_list() (networking-stable-20_03_28). - hsr: check protocol version in hsr_newlink() (networking-stable-20_04_17). - hsr: fix general protection fault in hsr_addr_is_self() (networking-stable-20_03_28). - hsr: set .netnsok flag (networking-stable-20_03_28). - hsr: use rcu_read_lock() in hsr_get_node_{list/status}() (networking-stable-20_03_28). - i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present (git-fixes). - i2c: acpi: put device when verifying client fails (git-fixes). - i2c: brcmstb: remove unused struct member (git-fixes). - i2c: core: Allow empty id_table in ACPI case as well (git-fixes). - i2c: core: decrease reference count of device node in i2c_unregister_device (git-fixes). - i2c: dev: Fix the race between the release of i2c_dev and cdev (bsc#1051510). - i2c: fix missing pm_runtime_put_sync in i2c_device_probe (git-fixes). - i2c-hid: properly terminate i2c_hid_dmi_desc_override_table array (git-fixes). - i2c: i801: Do not add ICH_RES_IO_SMI for the iTCO_wdt device (git-fixes). - i2c: iproc: Stop advertising support of SMBUS quick cmd (git-fixes). - i2c: isch: Remove unnecessary acpi.h include (git-fixes). - i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' (bsc#1051510). - i2c: st: fix missing struct parameter description (bsc#1051510). - IB/ipoib: Add child to parent list only if device initialized (bsc#1168503). - IB/ipoib: Consolidate checking of the proposed child interface (bsc#1168503). 
- IB/ipoib: Do not remove child devices from within the ndo_uninit (bsc#1168503). - IB/ipoib: Get rid of IPOIB_FLAG_GOING_DOWN (bsc#1168503). - IB/ipoib: Get rid of the sysfs_mutex (bsc#1168503). - IB/ipoib: Maintain the child_intfs list from ndo_init/uninit (bsc#1168503). - IB/ipoib: Move all uninit code into ndo_uninit (bsc#1168503). - IB/ipoib: Move init code to ndo_init (bsc#1168503). - IB/ipoib: Replace printk with pr_warn (bsc#1168503). - IB/ipoib: Use cancel_delayed_work_sync for neigh-clean task (bsc#1168503). - IB/ipoib: Warn when one port fails to initialize (bsc#1168503). - IB/mlx5: Fix missing congestion control debugfs on rep rdma device (bsc#1103991). - ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239). - iio:ad7797: Use correct attribute_group (bsc#1051510). - iio: adc: stm32-adc: fix device used to request dma (bsc#1051510). - iio: adc: stm32-adc: fix sleep in atomic context (git-fixes). - iio: adc: stm32-adc: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1051510). - iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' (bsc#1051510). - iio: sca3000: Remove an erroneous 'get_device()' (bsc#1051510). - iio: xilinx-xadc: Fix ADC-B powerdown (bsc#1051510). - iio: xilinx-xadc: Fix clearing interrupt when enabling trigger (bsc#1051510). - iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode (bsc#1051510). - ima: Fix return value of ima_write_policy() (git-fixes). - Input: evdev - call input_flush_device() on release(), not flush() (bsc#1051510). - Input: hyperv-keyboard - add module description (bsc#1172249, bsc#1172251). - Input: hyperv-keyboard - add module description (bsc#1172253). - Input: i8042 - add Acer Aspire 5738z to nomux list (bsc#1051510). - Input: i8042 - add ThinkPad S230u to i8042 reset list (bsc#1051510). - Input: raydium_i2c_ts - use true and false for boolean values (bsc#1051510). 
- Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() (bsc#1051510). - Input: synaptics-rmi4 - really fix attn_data use-after-free (git-fixes). - Input: usbtouchscreen - add support for BonXeon TP (bsc#1051510). - Input: xpad - add custom init packet for Xbox One S controllers (bsc#1051510). - iommu/amd: Call domain_flush_complete() in update_domain() (bsc#1172096). - iommu/amd: Do not flush Device Table in iommu_map_page() (bsc#1172097). - iommu/amd: Do not loop forever when trying to increase address space (bsc#1172098). - iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system (bsc#1172099). - iommu/amd: Fix over-read of ACPI UID from IVRS table (bsc#1172101). - iommu/amd: Fix race in increase_address_space()/fetch_pte() (bsc#1172102). - iommu/amd: Update Device Table in increase_address_space() (bsc#1172103). - iommu: Fix reference count leak in iommu_group_alloc (bsc#1172397). - ip6_tunnel: Allow rcv/xmit even if remote address is a local address (bsc#1166978). - ipmi: fix hung processes in __get_guid() (git-fixes). - ipv4: fix a RCU-list lock in fib_triestat_seq_show (networking-stable-20_04_02). - ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface (networking-stable-20_03_14). - ipv6: do not auto-add link-local address to lag ports (networking-stable-20_04_09). - ipv6: fix IPV6_ADDRFORM operation logic (bsc#1171662). - ipv6: Fix nlmsg_flags when splitting a multipath route (networking-stable-20_03_01). - ipv6: fix restrict IPV6_ADDRFORM operation (bsc#1171662). - ipv6: Fix route replacement with dev-only route (networking-stable-20_03_01). - ipvlan: add cond_resched_rcu() while processing muticast backlog (networking-stable-20_03_14). - ipvlan: do not deref eth hdr before checking it's set (networking-stable-20_03_14). - ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast() (networking-stable-20_03_14). - iwlwifi: pcie: actually release queue memory in TVQM (bsc#1051510). 
- ixgbe: do not check firmware errors (bsc#1170284). - kabi fix for early XHCI debug (git-fixes). - kabi for for md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes). - kabi, protect struct ib_device (bsc#1168503). - kabi/severities: Do not track KVM internal symbols. - kabi/severities: Ingnore get_dev_data() The function is internal to the AMD IOMMU driver and must not be called by any third party. - kabi workaround for snd_rawmidi buffer_ref field addition (git-fixes). - KEYS: reaching the keys quotas correctly (bsc#1051510). - KVM: arm64: Change hyp_panic()s dependency on tpidr_el2 (bsc#1133021). - KVM: arm64: Stop save/restoring host tpidr_el1 on VHE (bsc#1133021). - KVM: Check validity of resolved slot when searching memslots (bsc#1172104). - KVM: s390: vsie: Fix delivery of addressing exceptions (git-fixes). - KVM: s390: vsie: Fix possible race when shadowing region 3 tables (git-fixes). - KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks (git-fixes). - KVM: SVM: Fix potential memory leak in svm_cpu_init() (bsc#1171736). - KVM x86: Extend AMD specific guest behavior to Hygon virtual CPUs (bsc#1152489). - l2tp: Allow management of tunnels and session in user namespace (networking-stable-20_04_17). - libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() (bsc#1051510). - libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set (bsc#1051510). - lib: raid6: fix awk build warnings (git fixes (block drivers)). - lib/raid6/test: fix build on distros whose /bin/sh is not bash (git fixes (block drivers)). - lib/stackdepot.c: fix global out-of-bounds in stack_slabs (git fixes (block drivers)). - locks: print unsigned ino in /proc/locks (bsc#1171951). - mac80211: add ieee80211_is_any_nullfunc() (bsc#1051510). - mac80211_hwsim: Use kstrndup() in place of kasprintf() (bsc#1051510). - mac80211: mesh: fix discovery timer re-arming issue / crash (bsc#1051510). 
- macsec: avoid to set wrong mtu (bsc#1051510). - macsec: restrict to ethernet devices (networking-stable-20_03_28). - macvlan: add cond_resched() during multicast processing (networking-stable-20_03_14). - macvlan: fix null dereference in macvlan_device_event() (bsc#1051510). - make some Fujitsu systems run (bsc#1141558). - md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes). - md/raid0: Fix an error message in raid0_make_request() (git fixes (block drivers)). - md/raid10: prevent access of uninitialized resync_pages offset (git-fixes). - media: dvb: return -EREMOTEIO on i2c transfer failure (bsc#1051510). - media: platform: fcp: Set appropriate DMA parameters (bsc#1051510). - media: ti-vpe: cal: fix disable_irqs to only the intended target (git-fixes). - mei: release me_cl object reference (bsc#1051510). - mlxsw: Fix some IS_ERR() vs NULL bugs (networking-stable-20_04_27). - mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE (networking-stable-20_04_09). - mlxsw: spectrum_mr: Fix list iteration in error path (bsc#1112374). - mmc: atmel-mci: Fix debugfs on 64-bit platforms (git-fixes). - mmc: core: Check request type before completing the request (git-fixes). - mmc: core: Fix recursive locking issue in CQE recovery path (git-fixes). - mmc: cqhci: Avoid false "cqhci: CQE stuck on" by not open-coding timeout loop (git-fixes). - mmc: dw_mmc: Fix debugfs on 64-bit platforms (git-fixes). - mmc: meson-gx: make sure the descriptor is stopped on errors (git-fixes). - mmc: meson-gx: simplify interrupt handler (git-fixes). - mmc: renesas_sdhi: limit block count to 16 bit for old revisions (git-fixes). - mmc: sdhci-esdhc-imx: fix the mask for tuning start point (bsc#1051510). - mmc: sdhci-msm: Clear tuning done flag while hs400 tuning (bsc#1051510). - mmc: sdhci-of-at91: fix memleak on clk_get failure (git-fixes). - mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers (bsc#1051510). 
- mmc: sdhci-xenon: fix annoying 1.8V regulator warning (bsc#1051510). - mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card() (bsc#1051510). - mmc: tmio: fix access width of Block Count Register (git-fixes). - mm: limit boost_watermark on small zones (git fixes (mm/pgalloc)). - mm: thp: handle page cache THP correctly in PageTransCompoundMap (git fixes (block drivers)). - mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer (bsc#1051510). - mtd: spi-nor: cadence-quadspi: add a delay in write sequence (git-fixes). - mtd: spi-nor: enable 4B opcodes for mx66l51235l (git-fixes). - mtd: spi-nor: fsl-quadspi: Do not let -EINVAL on the bus (git-fixes). - mwifiex: avoid -Wstringop-overflow warning (bsc#1051510). - mwifiex: Fix memory corruption in dump_station (bsc#1051510). - net: bcmgenet: correct per TX/RX ring statistics (networking-stable-20_04_27). - net: dsa: b53: Fix ARL register definitions (networking-stable-20_04_27). - net: dsa: b53: Rework ARL bin logic (networking-stable-20_04_27). - net: dsa: bcm_sf2: Do not register slave MDIO bus with OF (networking-stable-20_04_09). - net: dsa: bcm_sf2: Ensure correct sub-node is parsed (networking-stable-20_04_09). - net: dsa: bcm_sf2: Fix overflow checks (git-fixes). - net: dsa: Fix duplicate frames flooded by learning (networking-stable-20_03_28). - net: dsa: mv88e6xxx: fix lockup on warm boot (networking-stable-20_03_14). - net/ethernet: add Google GVE driver (jsc#SLE-10538) - net: fec: add phy_reset_after_clk_enable() support (git-fixes). - net: fec: validate the new settings in fec_enet_set_coalesce() (networking-stable-20_03_14). - net: fib_rules: Correctly set table field when table number exceeds 8 bits (networking-stable-20_03_01). - net: fix race condition in __inet_lookup_established() (bsc#1151794). - net: fq: add missing attribute validation for orphan mask (networking-stable-20_03_14). - net: hns3: fix "tc qdisc del" failed issue (bsc#1109837). 
- net, ip_tunnel: fix interface lookup with no key (networking-stable-20_04_02). - net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin (networking-stable-20_04_17). - net: ipv6: do not consider routes via gateways for anycast address check (networking-stable-20_04_17). - netlink: Use netlink header as base to calculate bad attribute offset (networking-stable-20_03_14). - net: macsec: update SCI upon MAC address change (networking-stable-20_03_14). - net: memcg: fix lockdep splat in inet_csk_accept() (networking-stable-20_03_14). - net: memcg: late association of sock to memcg (networking-stable-20_03_14). - net/mlx4_en: avoid indirect call in TX completion (networking-stable-20_04_27). - net/mlx5: Add new fields to Port Type and Speed register (bsc#1171118). - net/mlx5: Add RoCE RX ICRC encapsulated counter (bsc#1171118). - net/mlx5e: Fix ethtool self test: link speed (bsc#1171118). - net/mlx5e: Move port speed code from en_ethtool.c to en/port.c (bsc#1171118). - net/mlx5: Expose link speed directly (bsc#1171118). - net/mlx5: Expose port speed when possible (bsc#1171118). - net/mlx5: Fix failing fw tracer allocation on s390 (bsc#1103990 ). - net: mvneta: Fix the case where the last poll did not process all rx (networking-stable-20_03_28). - net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node (networking-stable-20_04_27). - net/packet: tpacket_rcv: do not increment ring index on drop (networking-stable-20_03_14). - net: phy: restore mdio regs in the iproc mdio driver (networking-stable-20_03_01). - net: qmi_wwan: add support for ASKEY WWHC050 (networking-stable-20_03_28). - net: revert default NAPI poll timeout to 2 jiffies (networking-stable-20_04_17). - net_sched: cls_route: remove the right filter from hashtable (networking-stable-20_03_28).
- net_sched: sch_skbprio: add message validation to skbprio_change() (bsc#1109837). - net/x25: Fix x25_neigh refcnt leak when receiving frame (networking-stable-20_04_27). - nfc: add missing attribute validation for SE API (networking-stable-20_03_14). - nfc: add missing attribute validation for vendor subcommand (networking-stable-20_03_14). - nfc: pn544: Fix occasional HW initialization failure (networking-stable-20_03_01). - nfc: st21nfca: add missed kfree_skb() in an error path (bsc#1051510). - nfp: abm: fix a memory leak bug (bsc#1109837). - nfsd4: fix up replay_matches_cache() (git-fixes). - nfsd: Ensure CLONE persists data and metadata changes to the target file (git-fixes). - nfsd: fix delay timer on 32-bit architectures (git-fixes). - nfsd: fix jiffies/time_t mixup in LRU list (git-fixes). - nfs: Directory page cache pages need to be locked when read (git-fixes). - nfsd: memory corruption in nfsd4_lock() (git-fixes). - nfs: Do not call generic_error_remove_page() while holding locks (bsc#1170457). - nfs: Fix memory leaks and corruption in readdir (git-fixes). - nfs: Fix O_DIRECT accounting of number of bytes read/written (git-fixes). - nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl (git-fixes). - nfs: fix racey wait in nfs_set_open_stateid_locked (bsc#1170592). - nfs/flexfiles: Use the correct TCP timeout for flexfiles I/O (git-fixes). - nfs/pnfs: Fix pnfs_generic_prepare_to_resend_writes() (git-fixes). - nfs: Revalidate the file size on a fatal write error (git-fixes). - NFSv4.0: nfs4_do_fsinfo() should not do implicit lease renewals (git-fixes). - NFSv4: Do not allow a cached open with a revoked delegation (git-fixes). - NFSv4: Fix leak of clp->cl_acceptor string (git-fixes). - NFSv4/pnfs: Return valid stateids in nfs_layout_find_inode_by_stateid() (git-fixes). - NFSv4: try lease recovery on NFS4ERR_EXPIRED (git-fixes). - NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn (git-fixes). 
- nl802154: add missing attribute validation for dev_type (networking-stable-20_03_14). - nl802154: add missing attribute validation (networking-stable-20_03_14). - nvme-fc: print proper nvme-fc devloss_tmo value (bsc#1172391). - objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514). - objtool: Fix switch table detection in .text.unlikely (bsc#1169514). - objtool: Make BP scratch register warning more robust (bsc#1169514). - padata: Remove broken queue flushing (git-fixes). - Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()" (git fixes (block drivers)). - PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2 (bsc#1172201, bsc#1172202). - PCI: hv: Decouple the func definition in hv_dr_state from VSP message (bsc#1172201, bsc#1172202). - PCI: sanity test on PCI vendor to be sure we do not touch everything (bsc#1141558). - perf/x86/amd: Add support for Large Increment per Cycle Events (jsc#SLE-11831). - perf/x86/amd: Constrain Large Increment per Cycle events (jsc#SLE-11831). - pinctrl: baytrail: Enable pin configuration setting for GPIO chip (git-fixes). - pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler (git-fixes). - pinctrl: sunrisepoint: Fix PAD lock register offset for SPT-H (git-fixes). - platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA (bsc#1051510). - pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors (git-fixes). - powerpc: Add attributes for setjmp/longjmp (bsc#1065729). - powerpc/pci/of: Parse unassigned resources (bsc#1065729). - powerpc/setup_64: Set cache-line-size based on cache-block-size (bsc#1065729). - powerpc/sstep: Fix DS operand in ld encoding to appropriate value (bsc#1065729). - qede: Fix race between rdma destroy workqueue and link change event (networking-stable-20_03_01). - r8152: check disconnect status after long sleep (networking-stable-20_03_14). - raid6/ppc: Fix build for clang (git fixes (block drivers)). 
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871). - rcu: locking and unlocking need to always be at least barriers (git fixes (block drivers)). - RDMA/ipoib: Fix use of sizeof() (bsc#1168503). - RDMA/netdev: Fix netlink support in IPoIB (bsc#1168503). - RDMA/netdev: Hoist alloc_netdev_mqs out of the driver (bsc#1168503). - RDMA/netdev: Use priv_destructor for netdev cleanup (bsc#1168503). - Remove 2 git-fixes that cause build issues. (bsc#1171691) - Revert "drm/panel: simple: Add support for Sharp LQ150X1LG11 panels" (bsc#1114279) - Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" (bsc#1172221). - Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow" (bsc#1103992). - rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() (bsc#1051510). - s390/cpum_cf: Add new extended counters for IBM z15 (bsc#1169762 LTC#185291). - s390/pci: Fix possible deadlock in recover_store() (bsc#1165183 LTC#184103). - s390/pci: Recover handle in clp_set_pci_fn() (bsc#1165183 LTC#184103). - scripts/decodecode: fix trapping instruction formatting (bsc#1065729). - scripts/dtc: Remove redundant YYLOC global declaration (bsc#1160388). - scsi: bnx2i: fix potential use after free (bsc#1171600). - scsi: core: Handle drivers which set sg_tablesize to zero (bsc#1171601) - scsi: core: save/restore command resid for error handling (bsc#1171602). - scsi: core: scsi_trace: Use get_unaligned_be*() (bsc#1171604). - scsi: core: try to get module before removing device (bsc#1171605). - scsi: csiostor: Adjust indentation in csio_device_reset (bsc#1171606). - scsi: csiostor: Do not enable IRQs too early (bsc#1171607). - scsi: esas2r: unlock on error in esas2r_nvram_read_direct() (bsc#1171608). - scsi: fnic: fix invalid stack access (bsc#1171609). - scsi: fnic: fix msix interrupt allocation (bsc#1171610). - scsi: ibmvscsi: Fix WARN_ON during event pool release (bsc#1170791 ltc#185128). 
- scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func (bsc#1171611). - scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1171612). - scsi: iscsi: qla4xxx: fix double free in probe (bsc#1171613). - scsi: lpfc: Change default queue allocation for reduced memory consumption (bsc#1164780). - scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences (bsc#1171614). - scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1171615). - scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event (bsc#1164780). - scsi: lpfc: Fix MDS Diagnostic Enablement definition (bsc#1164780). - scsi: lpfc: Fix negation of else clause in lpfc_prep_node_fc4type (bsc#1164780). - scsi: lpfc: Fix noderef and address space warnings (bsc#1164780). - scsi: lpfc: Maintain atomic consistency of queue_claimed flag (bsc#1164780). - scsi: lpfc: remove duplicate unloading checks (bsc#1164780). - scsi: lpfc: Remove re-binding of nvme rport during registration (bsc#1164780). - scsi: lpfc: Remove redundant initialization to variable rc (bsc#1164780). - scsi: lpfc: Remove unnecessary lockdep_assert_held calls (bsc#1164780). - scsi: lpfc: Update lpfc version to 12.8.0.1 (bsc#1164780). - scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state (bsc#1171616). - scsi: qla2xxx: add ring buffer for tracing debug logs (bsc#1157169). - scsi: qla2xxx: check UNLOADING before posting async work (bsc#1157169). - scsi: qla2xxx: Delete all sessions before unregister local nvme port (bsc#1157169). - scsi: qla2xxx: Do not log message when reading port speed via sysfs (bsc#1157169). - scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV (bsc#1157169). - scsi: qla2xxx: Fix regression warnings (bsc#1157169). - scsi: qla2xxx: Remove non functional code (bsc#1157169). - scsi: qla2xxx: set UNLOADING before waiting for session deletion (bsc#1157169). - scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free (bsc#1171617). 
- scsi: qla4xxx: fix double free bug (bsc#1171618). - scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI (bsc#1171619). - scsi: sg: add sg_remove_request in sg_common_write (bsc#1171620). - scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) (bsc#1171621). - scsi: ufs: change msleep to usleep_range (bsc#1171622). - scsi: ufs: Clean up ufshcd_scale_clks() and clock scaling error out path (bsc#1171623). - scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic (bsc#1171624). - scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails (bsc#1171625). - scsi: ufs: Recheck bkops level if bkops is disabled (bsc#1171626). - sctp: fix possibly using a bad saddr with a given dst (networking-stable-20_04_02). - sctp: fix refcount bug in sctp_wfree (networking-stable-20_04_02). - sctp: move the format error check out of __sctp_sf_do_9_1_abort (networking-stable-20_03_01). - selftests/powerpc: Fix build errors in powerpc ptrace selftests (boo#1124278). - seq_file: fix problem when seeking mid-record (bsc#1170125). - sfc: detach from cb_page in efx_copy_channel() (networking-stable-20_03_14). - signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig (bsc#1172185). - slcan: not call free_netdev before rtnl_unlock in slcan_open (networking-stable-20_03_28). - slip: make slhc_compress() more robust against malicious packets (networking-stable-20_03_14). - smb3: Additional compression structures (bsc#1144333). - smb3: Add new compression flags (bsc#1144333). - smb3: change noisy error message to FYI (bsc#1144333). - smb3: enable swap on SMB3 mounts (bsc#1144333). - smb3: Minor cleanup of protocol definitions (bsc#1144333). - smb3: remove overly noisy debug line in signing errors (bsc#1144333). - smb3: smbdirect support can be configured by default (bsc#1144333). - smb3: use SMB2_SIGNATURE_SIZE define (bsc#1144333). - spi: bcm63xx-hsspi: Really keep pll clk enabled (bsc#1051510). 
- spi: bcm-qspi: when tx/rx buffer is NULL set to 0 (bsc#1051510). - spi: dw: Add SPI Rx-done wait method to DMA-based transfer (bsc#1051510). - spi: dw: Add SPI Tx-done wait method to DMA-based transfer (bsc#1051510). - spi: dw: Zero DMA Tx and Rx configurations on stack (bsc#1051510). - spi: pxa2xx: Add CS control clock quirk (bsc#1051510). - spi: qup: call spi_qup_pm_resume_runtime before suspending (bsc#1051510). - spi/zynqmp: remove entry that causes a cs glitch (bsc#1051510). - staging: comedi: dt2815: fix writing hi byte of analog output (bsc#1051510). - staging: comedi: Fix comedi_device refcnt leak in comedi_open (bsc#1051510). - staging: iio: ad2s1210: Fix SPI reading (bsc#1051510). - supported.conf: Add br_netfilter to base (bsc#1169020). - supported.conf: support w1 core and thermometer support - svcrdma: Fix double svc_rdma_send_ctxt_put() in an error path (bsc#1103992). - svcrdma: Fix leak of transport addresses (git-fixes). - svcrdma: Fix trace point use-after-free race (bsc#1103992 ). - taskstats: fix data-race (bsc#1172188). - tcp: cache line align MAX_TCP_HEADER (networking-stable-20_04_27). - tcp: repair: fix TCP_QUEUE_SEQ implementation (networking-stable-20_03_28). - team: add missing attribute validation for array index (networking-stable-20_03_14). - team: add missing attribute validation for port ifindex (networking-stable-20_03_14). - team: fix hang in team_mode_get() (networking-stable-20_04_27). - tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() (bsc#1065729). - tpm/tpm_tis: Free IRQ if probing fails (bsc#1082555). - tun: Do not put_page() for all negative return values from XDP program (bsc#1109837). - Update config files: Build w1 bus on arm64 (jsc#SLE-11048) - usb: core: Fix misleading driver bug report (bsc#1051510). - usb: gadget: legacy: fix redundant initialization warnings (bsc#1051510). - usbnet: silence an unnecessary warning (bsc#1170770). 
- video: fbdev: sis: Remove unnecessary parentheses and commented code (bsc#1114279) - video: fbdev: w100fb: Fix a potential double free (bsc#1051510). - vrf: Check skb for XFRM_TRANSFORMED flag (networking-stable-20_04_27). - vxlan: check return value of gro_cells_init() (networking-stable-20_03_28). - w1: Add subsystem kernel public interface (jsc#SLE-11048). - w1: Fix slave count on 1-Wire bus (resend) (jsc#SLE-11048). - w1: keep balance of mutex locks and refcnts (jsc#SLE-11048). - w1: use put_device() if device_register() fail (jsc#SLE-11048). - wcn36xx: Fix error handling path in 'wcn36xx_probe()' (bsc#1051510). - wimax/i2400m: Fix potential urb refcnt leak (bsc#1051510). - workqueue: do not use wq_select_unbound_cpu() for bound works (bsc#1172130). - x86/amd_nb: Add Family 19h PCI IDs (jsc#SLE-11834). - x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115). - x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115). - x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115). - x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115). - x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170620). - x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170621, bsc#1170620). - x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170617, bsc#1170618). - x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170618). - x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170618). - x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170618). - x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170617, bsc#1170618). 
- x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170618). - x86: Hyper-V: report value of misc_features (git fixes). - x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170617, bsc#1170618). - x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170618). - x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170617, bsc#1170618). - x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170618). - x86/kprobes: Avoid kretprobe recursion bug (bsc#1114279). - x86/MCE/AMD: Add a KABI workaround for enum smca_bank_types (jsc#SLE-11833). - x86/MCE/AMD, EDAC/mce_amd: Add new Load Store unit McaType (jsc#SLE-11833). - x86/microcode/AMD: Increase microcode PATCH_MAX_SIZE (bsc#1169005). - x86/resctrl: Preserve CDP enable over CPU hotplug (bsc#1114279). - x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115). - x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115). - x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115). - x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115). - x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115). - x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115). - x86/xen: fix booting 32-bit pv guest (bsc#1071995). - x86/xen: Make the boot CPU idle task reliable (bsc#1071995). - x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995). - xen/pci: reserve MCFG areas earlier (bsc#1170145). - xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish (networking-stable-20_04_27). - xfs: Correctly invert xfs_buftarg LRU isolation logic (git-fixes). - xfs: do not ever return a stale pointer from __xfs_dir3_free_read (git-fixes). - xprtrdma: Fix completion wait during device removal (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1602=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1602=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1602=1 - SUSE Linux Enterprise High Availability 12-SP5: zypper in -t patch SUSE-SLE-HA-12-SP5-2020-1602=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): kernel-default-debuginfo-4.12.14-122.23.1 kernel-default-debugsource-4.12.14-122.23.1 kernel-default-extra-4.12.14-122.23.1 kernel-default-extra-debuginfo-4.12.14-122.23.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.12.14-122.23.1 kernel-obs-build-debugsource-4.12.14-122.23.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): kernel-docs-4.12.14-122.23.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): kernel-default-4.12.14-122.23.1 kernel-default-base-4.12.14-122.23.1 kernel-default-base-debuginfo-4.12.14-122.23.1 kernel-default-debuginfo-4.12.14-122.23.1 kernel-default-debugsource-4.12.14-122.23.1 kernel-default-devel-4.12.14-122.23.1 kernel-syms-4.12.14-122.23.1 - SUSE Linux Enterprise Server 12-SP5 (x86_64): kernel-default-devel-debuginfo-4.12.14-122.23.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): kernel-devel-4.12.14-122.23.1 kernel-macros-4.12.14-122.23.1 kernel-source-4.12.14-122.23.1 - SUSE Linux Enterprise Server 12-SP5 (s390x): kernel-default-man-4.12.14-122.23.1 - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64): cluster-md-kmp-default-4.12.14-122.23.1 cluster-md-kmp-default-debuginfo-4.12.14-122.23.1 dlm-kmp-default-4.12.14-122.23.1 
dlm-kmp-default-debuginfo-4.12.14-122.23.1 gfs2-kmp-default-4.12.14-122.23.1 gfs2-kmp-default-debuginfo-4.12.14-122.23.1 kernel-default-debuginfo-4.12.14-122.23.1 kernel-default-debugsource-4.12.14-122.23.1 ocfs2-kmp-default-4.12.14-122.23.1 ocfs2-kmp-default-debuginfo-4.12.14-122.23.1 References: https://www.suse.com/security/cve/CVE-2018-1000199.html https://www.suse.com/security/cve/CVE-2019-19462.html https://www.suse.com/security/cve/CVE-2019-20806.html https://www.suse.com/security/cve/CVE-2019-20812.html https://www.suse.com/security/cve/CVE-2019-9455.html https://www.suse.com/security/cve/CVE-2020-0543.html https://www.suse.com/security/cve/CVE-2020-10690.html https://www.suse.com/security/cve/CVE-2020-10711.html https://www.suse.com/security/cve/CVE-2020-10720.html https://www.suse.com/security/cve/CVE-2020-10732.html https://www.suse.com/security/cve/CVE-2020-10751.html https://www.suse.com/security/cve/CVE-2020-10757.html https://www.suse.com/security/cve/CVE-2020-12114.html https://www.suse.com/security/cve/CVE-2020-12464.html https://www.suse.com/security/cve/CVE-2020-12652.html https://www.suse.com/security/cve/CVE-2020-12653.html https://www.suse.com/security/cve/CVE-2020-12654.html https://www.suse.com/security/cve/CVE-2020-12655.html https://www.suse.com/security/cve/CVE-2020-12656.html https://www.suse.com/security/cve/CVE-2020-12657.html https://www.suse.com/security/cve/CVE-2020-12659.html https://www.suse.com/security/cve/CVE-2020-12768.html https://www.suse.com/security/cve/CVE-2020-12769.html https://www.suse.com/security/cve/CVE-2020-13143.html https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1058115 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1082555 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1089895 https://bugzilla.suse.com/1103990 https://bugzilla.suse.com/1103991 https://bugzilla.suse.com/1103992 https://bugzilla.suse.com/1104745 
https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374 https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1124278 https://bugzilla.suse.com/1127354 https://bugzilla.suse.com/1127355 https://bugzilla.suse.com/1127371 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1141558 https://bugzilla.suse.com/1142685 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1151794 https://bugzilla.suse.com/1152489 https://bugzilla.suse.com/1154824 https://bugzilla.suse.com/1157169 https://bugzilla.suse.com/1158265 https://bugzilla.suse.com/1160388 https://bugzilla.suse.com/1160947 https://bugzilla.suse.com/1164780 https://bugzilla.suse.com/1164871 https://bugzilla.suse.com/1165183 https://bugzilla.suse.com/1165478 https://bugzilla.suse.com/1165741 https://bugzilla.suse.com/1166969 https://bugzilla.suse.com/1166978 https://bugzilla.suse.com/1167574 https://bugzilla.suse.com/1167851 https://bugzilla.suse.com/1167867 https://bugzilla.suse.com/1168332 https://bugzilla.suse.com/1168503 https://bugzilla.suse.com/1168670 https://bugzilla.suse.com/1168789 https://bugzilla.suse.com/1169005 https://bugzilla.suse.com/1169020 https://bugzilla.suse.com/1169514 https://bugzilla.suse.com/1169525 https://bugzilla.suse.com/1169762 https://bugzilla.suse.com/1170056 https://bugzilla.suse.com/1170125 https://bugzilla.suse.com/1170145 https://bugzilla.suse.com/1170284 https://bugzilla.suse.com/1170345 https://bugzilla.suse.com/1170457 https://bugzilla.suse.com/1170522 https://bugzilla.suse.com/1170592 https://bugzilla.suse.com/1170617 https://bugzilla.suse.com/1170618 https://bugzilla.suse.com/1170620 https://bugzilla.suse.com/1170621 https://bugzilla.suse.com/1170770 https://bugzilla.suse.com/1170778 https://bugzilla.suse.com/1170791 https://bugzilla.suse.com/1170901 https://bugzilla.suse.com/1171078 https://bugzilla.suse.com/1171098 
https://bugzilla.suse.com/1171118 https://bugzilla.suse.com/1171189 https://bugzilla.suse.com/1171191 https://bugzilla.suse.com/1171195 https://bugzilla.suse.com/1171202 https://bugzilla.suse.com/1171205 https://bugzilla.suse.com/1171214 https://bugzilla.suse.com/1171217 https://bugzilla.suse.com/1171218 https://bugzilla.suse.com/1171219 https://bugzilla.suse.com/1171220 https://bugzilla.suse.com/1171244 https://bugzilla.suse.com/1171293 https://bugzilla.suse.com/1171417 https://bugzilla.suse.com/1171527 https://bugzilla.suse.com/1171599 https://bugzilla.suse.com/1171600 https://bugzilla.suse.com/1171601 https://bugzilla.suse.com/1171602 https://bugzilla.suse.com/1171604 https://bugzilla.suse.com/1171605 https://bugzilla.suse.com/1171606 https://bugzilla.suse.com/1171607 https://bugzilla.suse.com/1171608 https://bugzilla.suse.com/1171609 https://bugzilla.suse.com/1171610 https://bugzilla.suse.com/1171611 https://bugzilla.suse.com/1171612 https://bugzilla.suse.com/1171613 https://bugzilla.suse.com/1171614 https://bugzilla.suse.com/1171615 https://bugzilla.suse.com/1171616 https://bugzilla.suse.com/1171617 https://bugzilla.suse.com/1171618 https://bugzilla.suse.com/1171619 https://bugzilla.suse.com/1171620 https://bugzilla.suse.com/1171621 https://bugzilla.suse.com/1171622 https://bugzilla.suse.com/1171623 https://bugzilla.suse.com/1171624 https://bugzilla.suse.com/1171625 https://bugzilla.suse.com/1171626 https://bugzilla.suse.com/1171662 https://bugzilla.suse.com/1171679 https://bugzilla.suse.com/1171691 https://bugzilla.suse.com/1171692 https://bugzilla.suse.com/1171694 https://bugzilla.suse.com/1171695 https://bugzilla.suse.com/1171736 https://bugzilla.suse.com/1171761 https://bugzilla.suse.com/1171817 https://bugzilla.suse.com/1171948 https://bugzilla.suse.com/1171949 https://bugzilla.suse.com/1171951 https://bugzilla.suse.com/1171952 https://bugzilla.suse.com/1171979 https://bugzilla.suse.com/1171982 https://bugzilla.suse.com/1171983 
https://bugzilla.suse.com/1172017
https://bugzilla.suse.com/1172096
https://bugzilla.suse.com/1172097
https://bugzilla.suse.com/1172098
https://bugzilla.suse.com/1172099
https://bugzilla.suse.com/1172101
https://bugzilla.suse.com/1172102
https://bugzilla.suse.com/1172103
https://bugzilla.suse.com/1172104
https://bugzilla.suse.com/1172127
https://bugzilla.suse.com/1172130
https://bugzilla.suse.com/1172185
https://bugzilla.suse.com/1172188
https://bugzilla.suse.com/1172199
https://bugzilla.suse.com/1172201
https://bugzilla.suse.com/1172202
https://bugzilla.suse.com/1172218
https://bugzilla.suse.com/1172221
https://bugzilla.suse.com/1172249
https://bugzilla.suse.com/1172251
https://bugzilla.suse.com/1172253
https://bugzilla.suse.com/1172317
https://bugzilla.suse.com/1172342
https://bugzilla.suse.com/1172343
https://bugzilla.suse.com/1172344
https://bugzilla.suse.com/1172366
https://bugzilla.suse.com/1172378
https://bugzilla.suse.com/1172391
https://bugzilla.suse.com/1172397
https://bugzilla.suse.com/1172453

From sle-updates at lists.suse.com Wed Jun 10 13:43:57 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 10 Jun 2020 21:43:57 +0200 (CEST)
Subject: SUSE-SU-2020:1605-1: important: Security update for the Linux Kernel
Message-ID: <20200610194357.5AA89F3D7@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1605-1
Rating: important
References: #1051510 #1058115 #1065729 #1071995 #1082555 #1089895
  #1111666 #1114279 #1133021 #1144333 #1151794 #1152489
  #1154824 #1157169 #1158265 #1160388 #1160947 #1165183
  #1165741 #1166969 #1167574 #1167851 #1168503 #1168670
  #1169020 #1169514 #1169525 #1170056 #1170125 #1170145
  #1170345 #1170457 #1170522 #1170592 #1170618 #1170620
  #1170770 #1170778 #1170791 #1170901 #1171078 #1171098
  #1171118 #1171189 #1171191 #1171195 #1171202 #1171205
  #1171217 #1171218 #1171219 #1171220 #1171293 #1171417
  #1171527 #1171599 #1171600 #1171601 #1171602 #1171604
  #1171605 #1171606 #1171607 #1171608 #1171609 #1171610
  #1171611 #1171612 #1171613 #1171614 #1171615 #1171616
  #1171617 #1171618 #1171619 #1171620 #1171621 #1171622
  #1171623 #1171624 #1171625 #1171626 #1171679 #1171691
  #1171694 #1171695 #1171736 #1171761 #1171948 #1171949
  #1171951 #1171952 #1171982 #1171983 #1172096 #1172097
  #1172098 #1172099 #1172101 #1172102 #1172103 #1172104
  #1172127 #1172130 #1172185 #1172188 #1172199 #1172221
  #1172253 #1172317 #1172342 #1172343 #1172344 #1172366
  #1172391 #1172397 #1172453
Cross-References: CVE-2018-1000199 CVE-2019-19462 CVE-2019-20806
  CVE-2019-20812 CVE-2019-9455 CVE-2020-0543
  CVE-2020-10690 CVE-2020-10711 CVE-2020-10720
  CVE-2020-10732 CVE-2020-10751 CVE-2020-10757
  CVE-2020-12114 CVE-2020-12464 CVE-2020-12652
  CVE-2020-12653 CVE-2020-12654 CVE-2020-12655
  CVE-2020-12656 CVE-2020-12657 CVE-2020-12768
  CVE-2020-12769 CVE-2020-13143
Affected Products:
  SUSE Linux Enterprise Workstation Extension 12-SP4
  SUSE Linux Enterprise Software Development Kit 12-SP4
  SUSE Linux Enterprise Server 12-SP4
  SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

An update that solves 23 vulnerabilities and has 94 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824).
- CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).
- CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).
- CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).
- CVE-2020-12657: Fixed a use-after-free in block/bfq-iosched.c (bsc#1171205).
- CVE-2020-12656: Fixed an improper handling of certain domain_release calls which could have led to a memory leak (bsc#1171219).
- CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).
- CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).
- CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).
- CVE-2020-10751: Fixed an improper implementation in the SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).
- CVE-2020-10732: Fixed a kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10711: Fixed a null pointer dereference in the SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).
- CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).
- CVE-2019-20806: Fixed a null pointer dereference which may have led to denial of service (bsc#1172199).
- CVE-2019-19462: Fixed an issue which could have allowed a local user to cause a denial of service (bsc#1158265).
- CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The following non-security bugs were fixed:

- ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe() (bsc#1051510).
- ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() (bsc#1051510).
- acpi/x86: ignore unspecified bit positions in the ACPI global lock field (bsc#1051510).
- Add commit for git-fix that's not a fix This commit cleans up debug code but does not fix anything, and it relies on a new kernel function that isn't yet in this version of SLE.
- agp/intel: Reinforce the barrier after GTT updates (bsc#1051510).
- ALSA: ctxfi: Remove unnecessary cast in kfree (bsc#1051510).
- ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666).
- ALSA: hda: Do not release card at firmware loading error (bsc#1051510).
- ALSA: hda/hdmi: fix race in monitor detection during probe (bsc#1051510).
- ALSA: hda/hdmi: fix without unlocked before return (bsc#1051510).
- ALSA: hda: Keep the controller initialization even if no codecs found (bsc#1051510).
- ALSA: hda/realtek - Add more fixup entries for Clevo machines (git-fixes).
- ALSA: hda/realtek - Add new codec supported for ALC245 (bsc#1051510). - ALSA: hda/realtek - Add new codec supported for ALC287 (git-fixes). - ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse (git-fixes). - ALSA: hda/realtek - Fix unexpected init_amp override (bsc#1051510). - ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 (git-fixes bsc#1171293). - ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter (bsc#1051510). - ALSA: hwdep: fix a left shifting 1 by 31 UB bug (git-fixes). - ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option (git-fixes). - ALSA: opti9xx: shut up gcc-10 range warning (bsc#1051510). - ALSA: pcm: fix incorrect hw_base increase (git-fixes). - ALSA: pcm: oss: Place the plugin buffer overflow checks correctly (bsc#1170522). - ALSA-pcm-oss-Place-the-plugin-buffer-overflow-checks.patch - ALSA: rawmidi: Fix racy buffer resize under concurrent accesses (git-fixes). - ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset (git-fixes). - ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID (bsc#1051510). - ALSA: usb-audio: Do not override ignore_ctl_error value from the map (bsc#1051510). - ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif (bsc#1051510). - ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC (git-fixes). - ALSA: usx2y: Fix potential NULL dereference (bsc#1051510). - ASoC: codecs: hdac_hdmi: Fix incorrect use of list_for_each_entry (bsc#1051510). - ASoC: dapm: connect virtual mux with default value (bsc#1051510). - ASoC: dapm: fixup dapm kcontrol widget (bsc#1051510). - ASoC: dpcm: allow start or stop during pause for backend (bsc#1051510). - ASoC: fix regwmask (bsc#1051510). - ASoC: msm8916-wcd-digital: Reset RX interpolation path after use (bsc#1051510). - ASoC: samsung: Prevent clk_get_rate() calls in atomic context (bsc#1111666). - ASoC: topology: Check return value of pcm_new_ver (bsc#1051510). 
- ASoC: topology: use name_prefix for new kcontrol (bsc#1051510). - b43legacy: Fix case where channel status is corrupted (bsc#1051510). - batman-adv: fix batadv_nc_random_weight_tq (git-fixes). - batman-adv: Fix refcnt leak in batadv_show_throughput_override (git-fixes). - batman-adv: Fix refcnt leak in batadv_store_throughput_override (git-fixes). - batman-adv: Fix refcnt leak in batadv_v_ogm_process (git-fixes). - bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (git fixes (block drivers)). - bcache: fix incorrect data type usage in btree_flush_write() (git fixes (block drivers)). - bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (git fixes (block drivers)). - block/drbd: delete invalid function drbd_md_mark_dirty_ (bsc#1171527). - block: drbd: remove a stray unlock in __drbd_send_protocol() (bsc#1171599). - block: fix busy device checking in blk_drop_partitions again (bsc#1171948). - block: fix busy device checking in blk_drop_partitions (bsc#1171948). - block: fix memleak of bio integrity data (git fixes (block drivers)). - block: remove the bd_openers checks in blk_drop_partitions (bsc#1171948). - bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets() (networking-stable-20_03_28). - bnxt_en: reinitialize IRQs when MTU is modified (networking-stable-20_03_14). - bonding/alb: make sure arp header is pulled before accessing it (networking-stable-20_03_14). - brcmfmac: abort and release host after error (bsc#1051510). - Btrfs: fix deadlock with memory reclaim during scrub (bsc#1172127). - btrfs: fix log context list corruption after rename whiteout error (bsc#1172342). - btrfs: fix partial loss of prealloc extent past i_size after fsync (bsc#1172343). - btrfs: move the dio_sem higher up the callchain (bsc#1171761). - btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366). 
- btrfs: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366). - btrfs: setup a nofs context for memory allocation at btrfs_create_tree() (bsc#1172127). - btrfs: setup a nofs context for memory allocation at __btrfs_set_acl (bsc#1172127). - btrfs: use nofs context when initializing security xattrs to avoid deadlock (bsc#1172127). - can: add missing attribute validation for termination (networking-stable-20_03_14). - cdc-acm: close race betrween suspend() and acm_softint (git-fixes). - cdc-acm: introduce a cool down (git-fixes). - ceph: fix double unlock in handle_cap_export() (bsc#1171694). - ceph: fix endianness bug when handling MDS session feature bits (bsc#1171695). - cgroup, netclassid: periodically release file_lock on classid updating (networking-stable-20_03_14). - CIFS: Allocate crypto structures on the fly for calculating signatures of incoming packets (bsc#1144333). - CIFS: Allocate encryption header through kmalloc (bsc#1144333). - CIFS: allow unlock flock and OFD lock across fork (bsc#1144333). - CIFS: check new file size when extending file by fallocate (bsc#1144333). - CIFS: cifspdu.h: Replace zero-length array with flexible-array member (bsc#1144333). - CIFS: clear PF_MEMALLOC before exiting demultiplex thread (bsc#1144333). - CIFS: do not share tcons with DFS (bsc#1144333). - CIFS: dump the session id and keys also for SMB2 sessions (bsc#1144333). - CIFS: ensure correct super block for DFS reconnect (bsc#1144333). - CIFS: Fix bug which the return value by asynchronous read is error (bsc#1144333). - CIFS: fix uninitialised lease_key in open_shroot() (bsc#1144333). - CIFS: improve read performance for page size 64KB & cache=strict & vers=2.1+ (bsc#1144333). - CIFS: Increment num_remote_opens stats counter even in case of smb2_query_dir_first (bsc#1144333). - CIFS: minor update to comments around the cifs_tcp_ses_lock mutex (bsc#1144333). - CIFS: protect updating server->dstaddr with a spinlock (bsc#1144333). 
- CIFS: smb2pdu.h: Replace zero-length array with flexible-array member (bsc#1144333). - CIFS: smbd: Calculate the correct maximum packet size for segmented SMBDirect send/receive (bsc#1144333). - CIFS: smbd: Check and extend sender credits in interrupt context (bsc#1144333). - CIFS: smbd: Check send queue size before posting a send (bsc#1144333). - CIFS: smbd: Do not schedule work to send immediate packet on every receive (bsc#1144333). - CIFS: smbd: Merge code to track pending packets (bsc#1144333). - CIFS: smbd: Properly process errors on ib_post_send (bsc#1144333). - CIFS: smbd: Update receive credits before sending and deal with credits roll back on failure before sending (bsc#1144333). - CIFS: Warn less noisily on default mount (bsc#1144333). - clk: Add clk_hw_unregister_composite helper function definition (bsc#1051510). - clk: imx6ull: use OSC clock during AXI rate change (bsc#1051510). - clk: imx: make mux parent strings const (bsc#1051510). - clk: mediatek: correct the clocks for MT2701 HDMI PHY module (bsc#1051510). - clk: sunxi-ng: a64: Fix gate bit of DSI DPHY (bsc#1051510). - clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620). - clocksource: dw_apb_timer_of: Fix missing clockevent timers (bsc#1051510). - component: Silence bind error on -EPROBE_DEFER (bsc#1051510). - coresight: do not use the BIT() macro in the UAPI header (git fixes (block drivers)). - cpufreq: s3c64xx: Remove pointless NULL check in s3c64xx_cpufreq_driver_init (bsc#1051510). - crypto: ccp - AES CFB mode is a stream cipher (git-fixes). - crypto: ccp - Clean up and exit correctly on allocation failure (git-fixes). - crypto: ccp - Cleanup misc_dev on sev_exit() (bsc#1114279). - crypto: ccp - Cleanup sp_dev_master in psp_dev_destroy() (bsc#1114279). - debugfs: Add debugfs_create_xul() for hexadecimal unsigned long (git-fixes). - dmaengine: dmatest: Fix iteration non-stop logic (bsc#1051510). 
- dm mpath: switch paths in dm_blk_ioctl() code path (bsc#1167574). - dm writecache: fix data corruption when reloading the target (git fixes (block drivers)). - dm writecache: fix incorrect flush sequence when doing SSD mode commit (git fixes (block drivers)). - dm writecache: verify watermark during resume (git fixes (block drivers)). - dm zoned: fix invalid memory access (git fixes (block drivers)). - dm zoned: reduce overhead of backing device checks (git fixes (block drivers)). - dm zoned: remove duplicate nr_rnd_zones increase in dmz_init_zone() (git fixes (block drivers)). - dm zoned: support zone sizes smaller than 128MiB (git fixes (block drivers)). - dp83640: reverse arguments to list_add_tail (git-fixes). - drivers: hv: Add a module description line to the hv_vmbus driver (bsc#1172253). - Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170618). - Drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170618). - Drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618). - Drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170618). - drivers/net/ibmvnic: Update VNIC protocol version reporting (bsc#1065729). - drm: amd/acp: fix broken menu structure (bsc#1114279) * context changes - drm/crc: Actually allow to change the crc source (bsc#1114279) * offset changes - drm/dp_mst: Fix clearing payload state on topology disable (bsc#1051510). - drm/dp_mst: Reformat drm_dp_check_act_status() a bit (bsc#1051510). - drm/edid: Fix off-by-one in DispID DTD pixel clock (bsc#1114279) - drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of (bsc#1114279) - drm/i915: properly sanity check batch_start_offset (bsc#1114279) * renamed display/intel_fbc.c -> intel_fb.c * renamed gt/intel_rc6.c -> intel_pm.c * context changes - drm/meson: Delete an error message in meson_dw_hdmi_bind() (bsc#1051510). 
- drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem (bsc#1114279) - drm/qxl: qxl_release leak in qxl_draw_dirty_fb() (bsc#1051510). - drm/qxl: qxl_release leak in qxl_hw_surface_alloc() (bsc#1051510). - drm/qxl: qxl_release use after free (bsc#1051510). - drm: Remove PageReserved manipulation from drm_pci_alloc (bsc#1114279) * offset changes - dump_stack: avoid the livelock of the dump_lock (git fixes (block drivers)). - EDAC, sb_edac: Add support for systems with segmented PCI buses (bsc#1169525). - ext4: do not zeroout extents beyond i_disksize (bsc#1167851). - ext4: fix extent_status fragmentation for plain files (bsc#1171949). - ext4: use non-movable memory for superblock readahead (bsc#1171952). - fanotify: fix merging marks masks with FAN_ONDIR (bsc#1171679). - fbcon: fix null-ptr-deref in fbcon_switch (bsc#1114279) * rename drivers/video/fbdev/core to drivers/video/console * context changes - fib: add missing attribute validation for tun_id (networking-stable-20_03_14). - firmware: qcom: scm: fix compilation error when disabled (bsc#1051510). - fs/cifs: fix gcc warning in sid_to_id (bsc#1144333). - fs/seq_file.c: simplify seq_file iteration code and interface (bsc#1170125). - gpio: tegra: mask GPIO IRQs during IRQ shutdown (bsc#1051510). - gre: fix uninit-value in __iptunnel_pull_header (networking-stable-20_03_14). - HID: hid-input: clear unmapped usages (git-fixes). - HID: hyperv: Add a module description line (bsc#1172253). - HID: i2c-hid: add Trekstor Primebook C11B to descriptor override (git-fixes). - HID: i2c-hid: override HID descriptors for certain devices (git-fixes). - HID: multitouch: add eGalaxTouch P80H84 support (bsc#1051510). - HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices (git-fixes). - hrtimer: Annotate lockless access to timer->state (git fixes (block drivers)). - hsr: add restart routine into hsr_get_node_list() (networking-stable-20_03_28). 
- hsr: check protocol version in hsr_newlink() (networking-stable-20_04_17). - hsr: fix general protection fault in hsr_addr_is_self() (networking-stable-20_03_28). - hsr: set .netnsok flag (networking-stable-20_03_28). - hsr: use rcu_read_lock() in hsr_get_node_{list/status}() (networking-stable-20_03_28). - i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present (git-fixes). - i2c: acpi: put device when verifying client fails (git-fixes). - i2c: brcmstb: remove unused struct member (git-fixes). - i2c: core: Allow empty id_table in ACPI case as well (git-fixes). - i2c: core: decrease reference count of device node in i2c_unregister_device (git-fixes). - i2c: dev: Fix the race between the release of i2c_dev and cdev (bsc#1051510). - i2c: fix missing pm_runtime_put_sync in i2c_device_probe (git-fixes). - i2c-hid: properly terminate i2c_hid_dmi_desc_override_table array (git-fixes). - i2c: i801: Do not add ICH_RES_IO_SMI for the iTCO_wdt device (git-fixes). - i2c: iproc: Stop advertising support of SMBUS quick cmd (git-fixes). - i2c: isch: Remove unnecessary acpi.h include (git-fixes). - i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' (bsc#1051510). - i2c: st: fix missing struct parameter description (bsc#1051510). - IB/ipoib: Add child to parent list only if device initialized (bsc#1168503). - IB/ipoib: Consolidate checking of the proposed child interface (bsc#1168503). - IB/ipoib: Do not remove child devices from within the ndo_uninit (bsc#1168503). - IB/ipoib: Get rid of IPOIB_FLAG_GOING_DOWN (bsc#1168503). - IB/ipoib: Get rid of the sysfs_mutex (bsc#1168503). - IB/ipoib: Maintain the child_intfs list from ndo_init/uninit (bsc#1168503). - IB/ipoib: Move all uninit code into ndo_uninit (bsc#1168503). - IB/ipoib: Move init code to ndo_init (bsc#1168503). - IB/ipoib: Replace printk with pr_warn (bsc#1168503). - IB/ipoib: Use cancel_delayed_work_sync for neigh-clean task (bsc#1168503). 
- IB/ipoib: Warn when one port fails to initialize (bsc#1168503). - ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239). - iio:ad7797: Use correct attribute_group (bsc#1051510). - iio: adc: stm32-adc: fix device used to request dma (bsc#1051510). - iio: adc: stm32-adc: fix sleep in atomic context (git-fixes). - iio: adc: stm32-adc: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1051510). - iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' (bsc#1051510). - iio: sca3000: Remove an erroneous 'get_device()' (bsc#1051510). - iio: xilinx-xadc: Fix ADC-B powerdown (bsc#1051510). - iio: xilinx-xadc: Fix clearing interrupt when enabling trigger (bsc#1051510). - iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode (bsc#1051510). - ima: Fix return value of ima_write_policy() (git-fixes). - Input: evdev - call input_flush_device() on release(), not flush() (bsc#1051510). - Input: hyperv-keyboard - add module description (bsc#1172253). - Input: i8042 - add Acer Aspire 5738z to nomux list (bsc#1051510). - Input: i8042 - add ThinkPad S230u to i8042 reset list (bsc#1051510). - Input: raydium_i2c_ts - use true and false for boolean values (bsc#1051510). - Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() (bsc#1051510). - Input: synaptics-rmi4 - really fix attn_data use-after-free (git-fixes). - Input: usbtouchscreen - add support for BonXeon TP (bsc#1051510). - Input: xpad - add custom init packet for Xbox One S controllers (bsc#1051510). - iommu/amd: Call domain_flush_complete() in update_domain() (bsc#1172096). - iommu/amd: Do not flush Device Table in iommu_map_page() (bsc#1172097). - iommu/amd: Do not loop forever when trying to increase address space (bsc#1172098). - iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system (bsc#1172099). - iommu/amd: Fix over-read of ACPI UID from IVRS table (bsc#1172101). 
- iommu/amd: Fix race in increase_address_space()/fetch_pte() (bsc#1172102).
- iommu/amd: Update Device Table in increase_address_space() (bsc#1172103).
- iommu: Fix reference count leak in iommu_group_alloc (bsc#1172397).
- ipmi: fix hung processes in __get_guid() (git-fixes).
- ipv4: fix a RCU-list lock in fib_triestat_seq_show (networking-stable-20_04_02).
- ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface (networking-stable-20_03_14).
- ipv6: do not auto-add link-local address to lag ports (networking-stable-20_04_09).
- ipv6: Fix nlmsg_flags when splitting a multipath route (networking-stable-20_03_01).
- ipv6: Fix route replacement with dev-only route (networking-stable-20_03_01).
- ipvlan: add cond_resched_rcu() while processing muticast backlog (networking-stable-20_03_14).
- ipvlan: do not deref eth hdr before checking it's set (networking-stable-20_03_14).
- ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast() (networking-stable-20_03_14).
- iwlwifi: pcie: actually release queue memory in TVQM (bsc#1051510).
- kabi fix for early XHCI debug (git-fixes).
- kabi for for md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes).
- kabi, protect struct ib_device (bsc#1168503).
- kabi/severities: Do not track KVM internal symbols.
- kabi/severities: Ingnore get_dev_data() The function is internal to the AMD IOMMU driver and must not be called by any third party.
- kabi workaround for snd_rawmidi buffer_ref field addition (git-fixes).
- KEYS: reaching the keys quotas correctly (bsc#1051510).
- KVM: arm64: Change hyp_panic()s dependency on tpidr_el2 (bsc#1133021).
- KVM: arm64: Stop save/restoring host tpidr_el1 on VHE (bsc#1133021).
- KVM: Check validity of resolved slot when searching memslots (bsc#1172104).
- KVM: s390: vsie: Fix delivery of addressing exceptions (git-fixes).
- KVM: s390: vsie: Fix possible race when shadowing region 3 tables (git-fixes).
- KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks (git-fixes).
- KVM: SVM: Fix potential memory leak in svm_cpu_init() (bsc#1171736).
- KVM x86: Extend AMD specific guest behavior to Hygon virtual CPUs (bsc#1152489).
- l2tp: Allow management of tunnels and session in user namespace (networking-stable-20_04_17).
- libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() (bsc#1051510).
- libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set (bsc#1051510).
- lib: raid6: fix awk build warnings (git fixes (block drivers)).
- lib/raid6/test: fix build on distros whose /bin/sh is not bash (git fixes (block drivers)).
- lib/stackdepot.c: fix global out-of-bounds in stack_slabs (git fixes (block drivers)).
- locks: print unsigned ino in /proc/locks (bsc#1171951).
- mac80211: add ieee80211_is_any_nullfunc() (bsc#1051510).
- mac80211_hwsim: Use kstrndup() in place of kasprintf() (bsc#1051510).
- mac80211: mesh: fix discovery timer re-arming issue / crash (bsc#1051510).
- macsec: avoid to set wrong mtu (bsc#1051510).
- macsec: restrict to ethernet devices (networking-stable-20_03_28).
- macvlan: add cond_resched() during multicast processing (networking-stable-20_03_14).
- macvlan: fix null dereference in macvlan_device_event() (bsc#1051510).
- md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes).
- md/raid0: Fix an error message in raid0_make_request() (git fixes (block drivers)).
- md/raid10: prevent access of uninitialized resync_pages offset (git-fixes).
- media: dvb: return -EREMOTEIO on i2c transfer failure (bsc#1051510).
- media: platform: fcp: Set appropriate DMA parameters (bsc#1051510).
- media: ti-vpe: cal: fix disable_irqs to only the intended target (git-fixes).
- mei: release me_cl object reference (bsc#1051510).
- mlxsw: Fix some IS_ERR() vs NULL bugs (networking-stable-20_04_27).
- mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE (networking-stable-20_04_09).
- mmc: atmel-mci: Fix debugfs on 64-bit platforms (git-fixes).
- mmc: dw_mmc: Fix debugfs on 64-bit platforms (git-fixes).
- mmc: meson-gx: make sure the descriptor is stopped on errors (git-fixes).
- mmc: meson-gx: simplify interrupt handler (git-fixes).
- mmc: renesas_sdhi: limit block count to 16 bit for old revisions (git-fixes).
- mmc: sdhci-esdhc-imx: fix the mask for tuning start point (bsc#1051510).
- mmc: sdhci-msm: Clear tuning done flag while hs400 tuning (bsc#1051510).
- mmc: sdhci-of-at91: fix memleak on clk_get failure (git-fixes).
- mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers (bsc#1051510).
- mmc: sdhci-xenon: fix annoying 1.8V regulator warning (bsc#1051510).
- mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card() (bsc#1051510).
- mmc: tmio: fix access width of Block Count Register (git-fixes).
- mm: thp: handle page cache THP correctly in PageTransCompoundMap (git fixes (block drivers)).
- mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer (bsc#1051510).
- mtd: spi-nor: cadence-quadspi: add a delay in write sequence (git-fixes).
- mtd: spi-nor: enable 4B opcodes for mx66l51235l (git-fixes).
- mtd: spi-nor: fsl-quadspi: Do not let -EINVAL on the bus (git-fixes).
- mwifiex: avoid -Wstringop-overflow warning (bsc#1051510).
- mwifiex: Fix memory corruption in dump_station (bsc#1051510).
- net: bcmgenet: correct per TX/RX ring statistics (networking-stable-20_04_27).
- net: dsa: b53: Fix ARL register definitions (networking-stable-20_04_27).
- net: dsa: b53: Rework ARL bin logic (networking-stable-20_04_27).
- net: dsa: bcm_sf2: Do not register slave MDIO bus with OF (networking-stable-20_04_09).
- net: dsa: bcm_sf2: Ensure correct sub-node is parsed (networking-stable-20_04_09).
- net: dsa: bcm_sf2: Fix overflow checks (git-fixes).
- net: dsa: Fix duplicate frames flooded by learning (networking-stable-20_03_28).
- net: dsa: mv88e6xxx: fix lockup on warm boot (networking-stable-20_03_14).
- net: fec: validate the new settings in fec_enet_set_coalesce() (networking-stable-20_03_14).
- net: fib_rules: Correctly set table field when table number exceeds 8 bits (networking-stable-20_03_01).
- net: fix race condition in __inet_lookup_established() (bsc#1151794).
- net: fq: add missing attribute validation for orphan mask (networking-stable-20_03_14).
- net, ip_tunnel: fix interface lookup with no key (networking-stable-20_04_02).
- net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin (networking-stable-20_04_17).
- net: ipv6: do not consider routes via gateways for anycast address check (networking-stable-20_04_17).
- netlink: Use netlink header as base to calculate bad attribute offset (networking-stable-20_03_14).
- net: macsec: update SCI upon MAC address change (networking-stable-20_03_14).
- net: memcg: fix lockdep splat in inet_csk_accept() (networking-stable-20_03_14).
- net: memcg: late association of sock to memcg (networking-stable-20_03_14).
- net/mlx4_en: avoid indirect call in TX completion (networking-stable-20_04_27).
- net/mlx5: Add new fields to Port Type and Speed register (bsc#1171118).
- net/mlx5: Add RoCE RX ICRC encapsulated counter (bsc#1171118).
- net/mlx5e: Fix ethtool self test: link speed (bsc#1171118).
- net/mlx5e: Move port speed code from en_ethtool.c to en/port.c (bsc#1171118).
- net/mlx5: Expose link speed directly (bsc#1171118).
- net/mlx5: Expose port speed when possible (bsc#1171118).
- net: mvneta: Fix the case where the last poll did not process all rx (networking-stable-20_03_28).
- net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node (networking-stable-20_04_27).
- net/packet: tpacket_rcv: do not increment ring index on drop (networking-stable-20_03_14).
- net: phy: restore mdio regs in the iproc mdio driver (networking-stable-20_03_01).
- net: qmi_wwan: add support for ASKEY WWHC050 (networking-stable-20_03_28).
- net: revert default NAPI poll timeout to 2 jiffies (networking-stable-20_04_17).
- net_sched: cls_route: remove the right filter from hashtable (networking-stable-20_03_28).
- net/x25: Fix x25_neigh refcnt leak when receiving frame (networking-stable-20_04_27).
- nfc: add missing attribute validation for SE API (networking-stable-20_03_14).
- nfc: add missing attribute validation for vendor subcommand (networking-stable-20_03_14).
- nfc: pn544: Fix occasional HW initialization failure (networking-stable-20_03_01).
- NFC: st21nfca: add missed kfree_skb() in an error path (bsc#1051510).
- nfsd4: fix up replay_matches_cache() (git-fixes).
- nfsd: Ensure CLONE persists data and metadata changes to the target file (git-fixes).
- nfsd: fix delay timer on 32-bit architectures (git-fixes).
- nfsd: fix jiffies/time_t mixup in LRU list (git-fixes).
- NFS: Directory page cache pages need to be locked when read (git-fixes).
- nfsd: memory corruption in nfsd4_lock() (git-fixes).
- NFS: Do not call generic_error_remove_page() while holding locks (bsc#1170457).
- NFS: Fix memory leaks and corruption in readdir (git-fixes).
- NFS: Fix O_DIRECT accounting of number of bytes read/written (git-fixes).
- NFS: Fix potential posix_acl refcnt leak in nfs3_set_acl (git-fixes).
- NFS: fix racey wait in nfs_set_open_stateid_locked (bsc#1170592).
- NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O (git-fixes).
- NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes() (git-fixes).
- NFS: Revalidate the file size on a fatal write error (git-fixes).
- NFSv4.0: nfs4_do_fsinfo() should not do implicit lease renewals (git-fixes).
- NFSv4: Do not allow a cached open with a revoked delegation (git-fixes).
- NFSv4: Fix leak of clp->cl_acceptor string (git-fixes).
- NFSv4/pnfs: Return valid stateids in nfs_layout_find_inode_by_stateid() (git-fixes).
- NFSv4: try lease recovery on NFS4ERR_EXPIRED (git-fixes).
- NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn (git-fixes).
- nl802154: add missing attribute validation for dev_type (networking-stable-20_03_14).
- nl802154: add missing attribute validation (networking-stable-20_03_14).
- nvme-fc: print proper nvme-fc devloss_tmo value (bsc#1172391).
- objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514).
- objtool: Fix switch table detection in .text.unlikely (bsc#1169514).
- objtool: Make BP scratch register warning more robust (bsc#1169514).
- padata: Remove broken queue flushing (git-fixes).
- Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()" (git fixes (block drivers)).
- pinctrl: baytrail: Enable pin configuration setting for GPIO chip (git-fixes).
- pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler (git-fixes).
- platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA (bsc#1051510).
- pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors (git-fixes).
- powerpc: Add attributes for setjmp/longjmp (bsc#1065729).
- powerpc/pci/of: Parse unassigned resources (bsc#1065729).
- powerpc/setup_64: Set cache-line-size based on cache-block-size (bsc#1065729).
- powerpc/sstep: Fix DS operand in ld encoding to appropriate value (bsc#1065729).
- qede: Fix race between rdma destroy workqueue and link change event (networking-stable-20_03_01).
- r8152: check disconnect status after long sleep (networking-stable-20_03_14).
- raid6/ppc: Fix build for clang (git fixes (block drivers)).
- rcu: locking and unlocking need to always be at least barriers (git fixes (block drivers)).
- RDMA/ipoib: Fix use of sizeof() (bsc#1168503).
- RDMA/netdev: Fix netlink support in IPoIB (bsc#1168503).
- RDMA/netdev: Hoist alloc_netdev_mqs out of the driver (bsc#1168503).
- RDMA/netdev: Use priv_destructor for netdev cleanup (bsc#1168503).
- Remove 2 git-fixes that cause build issues. (bsc#1171691)
- Revert "ALSA: hda/realtek: Fix pop noise on ALC225" (git-fixes).
- Revert "drm/panel: simple: Add support for Sharp LQ150X1LG11 panels" (bsc#1114279) * offset changes
- Revert "HID: i2c-hid: add Trekstor Primebook C11B to descriptor override" Depends on 9b5c747685982d22efffeafc5ec601bd28f6d78b, which was also reverted.
- Revert "HID: i2c-hid: override HID descriptors for certain devices" This broke i2c-hid.ko's build, there is no way around it without a big file rename or renaming the kernel module.
- Revert "i2c-hid: properly terminate i2c_hid_dmi_desc_override_table" Fixed 9b5c747685982d22efffeafc5ec601bd28f6d78b, which was also reverted.
- Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" (bsc#1172221).
- rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() (bsc#1051510).
- s390/cio: avoid duplicated 'ADD' uevents (git-fixes).
- s390/cio: generate delayed uevent for vfio-ccw subchannels (git-fixes).
- s390/cpuinfo: fix wrong output when CPU0 is offline (git-fixes).
- s390/diag: fix display of diagnose call statistics (git-fixes).
- s390/ftrace: fix potential crashes when switching tracers (git-fixes).
- s390/gmap: return proper error code on ksm unsharing (git-fixes).
- s390/ism: fix error return code in ism_probe() (git-fixes).
- s390/pci: Fix possible deadlock in recover_store() (bsc#1165183 LTC#184103).
- s390/pci: Recover handle in clp_set_pci_fn() (bsc#1165183 LTC#184103).
- s390/qeth: cancel RX reclaim work earlier (git-fixes).
- s390/qeth: do not return -ENOTSUPP to userspace (git-fixes).
- s390/qeth: do not warn for napi with 0 budget (git-fixes).
- s390/qeth: fix off-by-one in RX copybreak check (git-fixes).
- s390/qeth: fix promiscuous mode after reset (git-fixes).
- s390/qeth: fix qdio teardown after early init error (git-fixes).
- s390/qeth: handle error due to unsupported transport mode (git-fixes).
- s390/qeth: handle error when backing RX buffer (git-fixes).
- s390/qeth: lock the card while changing its hsuid (git-fixes).
- s390/qeth: support net namespaces for L3 devices (git-fixes).
- s390/time: Fix clk type in get_tod_clock (git-fixes).
- scripts/decodecode: fix trapping instruction formatting (bsc#1065729).
- scripts/dtc: Remove redundant YYLOC global declaration (bsc#1160388).
- scsi: bnx2i: fix potential use after free (bsc#1171600).
- scsi: core: Handle drivers which set sg_tablesize to zero (bsc#1171601) This commit also required: > scsi: core: avoid preallocating big SGL for data
- scsi: core: save/restore command resid for error handling (bsc#1171602).
- scsi: core: scsi_trace: Use get_unaligned_be*() (bsc#1171604).
- scsi: core: try to get module before removing device (bsc#1171605).
- scsi: csiostor: Adjust indentation in csio_device_reset (bsc#1171606).
- scsi: csiostor: Do not enable IRQs too early (bsc#1171607).
- scsi: esas2r: unlock on error in esas2r_nvram_read_direct() (bsc#1171608).
- scsi: fnic: fix invalid stack access (bsc#1171609).
- scsi: fnic: fix msix interrupt allocation (bsc#1171610).
- scsi: ibmvscsi: Fix WARN_ON during event pool release (bsc#1170791 ltc#185128).
- scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func (bsc#1171611).
- scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1171612).
- scsi: iscsi: qla4xxx: fix double free in probe (bsc#1171613).
- scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences (bsc#1171614).
- scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1171615).
- scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state (bsc#1171616).
- scsi: qla2xxx: add ring buffer for tracing debug logs (bsc#1157169).
- scsi: qla2xxx: check UNLOADING before posting async work (bsc#1157169).
- scsi: qla2xxx: Delete all sessions before unregister local nvme port (bsc#1157169).
- scsi: qla2xxx: Do not log message when reading port speed via sysfs (bsc#1157169).
- scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV (bsc#1157169).
- scsi: qla2xxx: Fix regression warnings (bsc#1157169).
- scsi: qla2xxx: Remove non functional code (bsc#1157169).
- scsi: qla2xxx: set UNLOADING before waiting for session deletion (bsc#1157169).
- scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free (bsc#1171617).
- scsi: qla4xxx: fix double free bug (bsc#1171618).
- scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI (bsc#1171619).
- scsi: sg: add sg_remove_request in sg_common_write (bsc#1171620).
- scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) (bsc#1171621).
- scsi: ufs: change msleep to usleep_range (bsc#1171622).
- scsi: ufs: Clean up ufshcd_scale_clks() and clock scaling error out path (bsc#1171623).
- scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic (bsc#1171624).
- scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails (bsc#1171625).
- scsi: ufs: Recheck bkops level if bkops is disabled (bsc#1171626).
- scsi: zfcp: fix missing erp_lock in port recovery trigger for point-to-point (git-fixes).
- sctp: fix possibly using a bad saddr with a given dst (networking-stable-20_04_02).
- sctp: fix refcount bug in sctp_wfree (networking-stable-20_04_02).
- sctp: move the format error check out of __sctp_sf_do_9_1_abort (networking-stable-20_03_01).
- seq_file: fix problem when seeking mid-record (bsc#1170125).
- serial: uartps: Move the spinlock after the read of the tx empty (git-fixes).
- sfc: detach from cb_page in efx_copy_channel() (networking-stable-20_03_14).
- signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig (bsc#1172185).
- slcan: not call free_netdev before rtnl_unlock in slcan_open (networking-stable-20_03_28).
- slip: make slhc_compress() more robust against malicious packets (networking-stable-20_03_14).
- smb3: Additional compression structures (bsc#1144333).
- smb3: Add new compression flags (bsc#1144333).
- smb3: change noisy error message to FYI (bsc#1144333).
- smb3: enable swap on SMB3 mounts (bsc#1144333).
- smb3: Minor cleanup of protocol definitions (bsc#1144333).
- smb3: remove overly noisy debug line in signing errors (bsc#1144333).
- smb3: smbdirect support can be configured by default (bsc#1144333).
- smb3: use SMB2_SIGNATURE_SIZE define (bsc#1144333).
- spi: bcm2835: Fix 3-wire mode if DMA is enabled (git-fixes).
- spi: bcm63xx-hsspi: Really keep pll clk enabled (bsc#1051510).
- spi: bcm-qspi: when tx/rx buffer is NULL set to 0 (bsc#1051510).
- spi: dw: Add SPI Rx-done wait method to DMA-based transfer (bsc#1051510).
- spi: dw: Add SPI Tx-done wait method to DMA-based transfer (bsc#1051510).
- spi: dw: Zero DMA Tx and Rx configurations on stack (bsc#1051510).
- spi: fsl: do not map irq during probe (git-fixes).
- spi: fsl: use platform_get_irq() instead of of_irq_to_resource() (git-fixes).
- spi: pxa2xx: Add CS control clock quirk (bsc#1051510).
- spi: qup: call spi_qup_pm_resume_runtime before suspending (bsc#1051510).
- spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion (git-fixes).
- spi: spi-s3c64xx: Fix system resume support (git-fixes).
- spi/zynqmp: remove entry that causes a cs glitch (bsc#1051510).
- staging: comedi: dt2815: fix writing hi byte of analog output (bsc#1051510).
- staging: comedi: Fix comedi_device refcnt leak in comedi_open (bsc#1051510).
- staging: iio: ad2s1210: Fix SPI reading (bsc#1051510).
- staging: vt6656: Do not set RCR_MULTICAST or RCR_BROADCAST by default (git-fixes).
- staging: vt6656: Fix drivers TBTT timing counter (git-fixes).
- staging: vt6656: Fix pairwise key entry save (git-fixes).
- sunrpc: expiry_time should be seconds not timeval (git-fixes).
- SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()' (git-fixes).
- supported.conf: Add br_netfilter to base (bsc#1169020).
- svcrdma: Fix leak of transport addresses (git-fixes).
- taskstats: fix data-race (bsc#1172188).
- tcp: cache line align MAX_TCP_HEADER (networking-stable-20_04_27).
- tcp: repair: fix TCP_QUEUE_SEQ implementation (networking-stable-20_03_28).
- team: add missing attribute validation for array index (networking-stable-20_03_14).
- team: add missing attribute validation for port ifindex (networking-stable-20_03_14).
- team: fix hang in team_mode_get() (networking-stable-20_04_27).
- tools lib traceevent: Remove unneeded qsort and uses memmove instead (git-fixes).
- tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() (bsc#1065729).
- tpm/tpm_tis: Free IRQ if probing fails (bsc#1082555).
- tpm/tpm_tis: Free IRQ if probing fails (git-fixes).
- tracing: Add a vmalloc_sync_mappings() for safe measure (git-fixes).
- tracing: Disable trace_printk() on post poned tests (git-fixes).
- tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation (git-fixes).
- tty: rocket, avoid OOB access (git-fixes).
- UAS: fix deadlock in error handling and PM flushing work (git-fixes).
- UAS: no use logging any details in case of ENODEV (git-fixes).
- USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE (git-fixes).
- USB: cdc-acm: restore capability check order (git-fixes).
- USB: core: Fix misleading driver bug report (bsc#1051510).
- USB: dwc3: do not set gadget->is_otg flag (git-fixes).
- USB: dwc3: gadget: Do link recovery for SS and SSP (git-fixes).
- USB: early: Handle AMD's spec-compliant identifiers, too (git-fixes).
- USB: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset() (git-fixes).
- USB: gadget: audio: Fix a missing error return value in audio_bind() (git-fixes).
- USB: gadget: composite: Inform controller driver of self-powered (git-fixes).
- USB: gadget: legacy: fix error return code in cdc_bind() (git-fixes).
- USB: gadget: legacy: fix error return code in gncm_bind() (git-fixes).
- USB: gadget: legacy: fix redundant initialization warnings (bsc#1051510).
- USB: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' (git-fixes).
- USB: gadget: udc: atmel: Fix vbus disconnect handling (git-fixes).
- USB: gadget: udc: atmel: Make some symbols static (git-fixes).
- USB: gadget: udc: bdc: Remove unnecessary NULL checks in bdc_req_complete (git-fixes).
- USB: host: xhci-plat: keep runtime active when removing host (git-fixes).
- USB: hub: Fix handling of connect changes during sleep (git-fixes).
- usbnet: silence an unnecessary warning (bsc#1170770).
- USB: serial: garmin_gps: add sanity checking for data length (git-fixes).
- USB: serial: option: add BroadMobi BM806U (git-fixes).
- USB: serial: option: add support for ASKEY WWHC050 (git-fixes).
- USB: serial: option: add Wistron Neweb D19Q1 (git-fixes).
- USB: serial: qcserial: Add DW5816e support (git-fixes).
- USB: sisusbvga: Change port variable from signed to unsigned (git-fixes).
- usb-storage: Add unusual_devs entry for JMicron JMS566 (git-fixes).
- USB: uas: add quirk for LaCie 2Big Quadra (git-fixes).
- USB: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list (git-fixes).
- video: fbdev: sis: Remove unnecessary parentheses and commented code (bsc#1114279)
- video: fbdev: w100fb: Fix a potential double free (bsc#1051510).
- vrf: Check skb for XFRM_TRANSFORMED flag (networking-stable-20_04_27).
- vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines (git-fixes).
- vt: selection, introduce vc_is_sel (git-fixes).
- vt: vt_ioctl: fix race in VT_RESIZEX (git-fixes).
- vt: vt_ioctl: fix use-after-free in vt_in_use() (git-fixes).
- vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console (git-fixes).
- vxlan: check return value of gro_cells_init() (networking-stable-20_03_28).
- watchdog: reset last_hw_keepalive time at start (git-fixes).
- wcn36xx: Fix error handling path in 'wcn36xx_probe()' (bsc#1051510).
- wil6210: remove reset file from debugfs (git-fixes).
- wimax/i2400m: Fix potential urb refcnt leak (bsc#1051510).
- workqueue: do not use wq_select_unbound_cpu() for bound works (bsc#1172130).
- x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115).
- x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115).
- x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115).
- x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115).
- x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170620).
- x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170618).
- x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170618).
- x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170618).
- x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170618).
- x86:Hyper-V: report value of misc_features (git-fixes).
- x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170618).
- x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170618).
- x86/kprobes: Avoid kretprobe recursion bug (bsc#1114279).
- x86/resctrl: Fix invalid attempt at removing the default resource group (git-fixes).
- x86/resctrl: Preserve CDP enable over CPU hotplug (bsc#1114279).
- x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115).
- x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115).
- x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115).
- x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115).
- x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115).
- x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115).
- x86/xen: fix booting 32-bit pv guest (bsc#1071995).
- x86/xen: Make the boot CPU idle task reliable (bsc#1071995).
- x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995).
- xen/pci: reserve MCFG areas earlier (bsc#1170145).
- xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish (networking-stable-20_04_27).
- xfs: Correctly invert xfs_buftarg LRU isolation logic (git-fixes).
- xfs: do not ever return a stale pointer from __xfs_dir3_free_read (git-fixes).
- xprtrdma: Fix completion wait during device removal (git-fixes).

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP4:
      zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1605=1
   - SUSE Linux Enterprise Software Development Kit 12-SP4:
      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1605=1
   - SUSE Linux Enterprise Server 12-SP4:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1605=1
   - SUSE Linux Enterprise High Availability 12-SP4:
      zypper in -t patch SUSE-SLE-HA-12-SP4-2020-1605=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64):
      kernel-default-debuginfo-4.12.14-95.54.1
      kernel-default-debugsource-4.12.14-95.54.1
      kernel-default-extra-4.12.14-95.54.1
      kernel-default-extra-debuginfo-4.12.14-95.54.1
   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
      kernel-obs-build-4.12.14-95.54.1
      kernel-obs-build-debugsource-4.12.14-95.54.1
   - SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch):
      kernel-docs-4.12.14-95.54.1
   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
      kernel-default-4.12.14-95.54.1
      kernel-default-base-4.12.14-95.54.1
      kernel-default-base-debuginfo-4.12.14-95.54.1
      kernel-default-debuginfo-4.12.14-95.54.1
      kernel-default-debugsource-4.12.14-95.54.1
      kernel-default-devel-4.12.14-95.54.1
      kernel-syms-4.12.14-95.54.1
   - SUSE Linux Enterprise Server 12-SP4 (x86_64):
      kernel-default-devel-debuginfo-4.12.14-95.54.1
   - SUSE Linux Enterprise Server 12-SP4 (noarch):
      kernel-devel-4.12.14-95.54.1
      kernel-macros-4.12.14-95.54.1
      kernel-source-4.12.14-95.54.1
   - SUSE Linux Enterprise Server 12-SP4 (s390x):
      kernel-default-man-4.12.14-95.54.1
   - SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64):
      cluster-md-kmp-default-4.12.14-95.54.1
      cluster-md-kmp-default-debuginfo-4.12.14-95.54.1
      dlm-kmp-default-4.12.14-95.54.1
      dlm-kmp-default-debuginfo-4.12.14-95.54.1
      gfs2-kmp-default-4.12.14-95.54.1
      gfs2-kmp-default-debuginfo-4.12.14-95.54.1
      kernel-default-debuginfo-4.12.14-95.54.1
      kernel-default-debugsource-4.12.14-95.54.1
      ocfs2-kmp-default-4.12.14-95.54.1
      ocfs2-kmp-default-debuginfo-4.12.14-95.54.1

References:

   https://www.suse.com/security/cve/CVE-2018-1000199.html
   https://www.suse.com/security/cve/CVE-2019-19462.html
   https://www.suse.com/security/cve/CVE-2019-20806.html
   https://www.suse.com/security/cve/CVE-2019-20812.html
   https://www.suse.com/security/cve/CVE-2019-9455.html
   https://www.suse.com/security/cve/CVE-2020-0543.html
   https://www.suse.com/security/cve/CVE-2020-10690.html
   https://www.suse.com/security/cve/CVE-2020-10711.html
   https://www.suse.com/security/cve/CVE-2020-10720.html
   https://www.suse.com/security/cve/CVE-2020-10732.html
   https://www.suse.com/security/cve/CVE-2020-10751.html
   https://www.suse.com/security/cve/CVE-2020-10757.html
   https://www.suse.com/security/cve/CVE-2020-12114.html
   https://www.suse.com/security/cve/CVE-2020-12464.html
   https://www.suse.com/security/cve/CVE-2020-12652.html
   https://www.suse.com/security/cve/CVE-2020-12653.html
   https://www.suse.com/security/cve/CVE-2020-12654.html
   https://www.suse.com/security/cve/CVE-2020-12655.html
   https://www.suse.com/security/cve/CVE-2020-12656.html
   https://www.suse.com/security/cve/CVE-2020-12657.html
   https://www.suse.com/security/cve/CVE-2020-12768.html
   https://www.suse.com/security/cve/CVE-2020-12769.html
   https://www.suse.com/security/cve/CVE-2020-13143.html
   https://bugzilla.suse.com/1051510
   https://bugzilla.suse.com/1058115
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1071995
   https://bugzilla.suse.com/1082555
   https://bugzilla.suse.com/1089895
   https://bugzilla.suse.com/1111666
   https://bugzilla.suse.com/1114279
   https://bugzilla.suse.com/1133021
   https://bugzilla.suse.com/1144333
   https://bugzilla.suse.com/1151794
   https://bugzilla.suse.com/1152489
   https://bugzilla.suse.com/1154824
   https://bugzilla.suse.com/1157169
   https://bugzilla.suse.com/1158265
   https://bugzilla.suse.com/1160388
   https://bugzilla.suse.com/1160947
   https://bugzilla.suse.com/1165183
   https://bugzilla.suse.com/1165741
   https://bugzilla.suse.com/1166969
   https://bugzilla.suse.com/1167574
   https://bugzilla.suse.com/1167851
   https://bugzilla.suse.com/1168503
   https://bugzilla.suse.com/1168670
   https://bugzilla.suse.com/1169020
   https://bugzilla.suse.com/1169514
   https://bugzilla.suse.com/1169525
   https://bugzilla.suse.com/1170056
   https://bugzilla.suse.com/1170125
   https://bugzilla.suse.com/1170145
   https://bugzilla.suse.com/1170345
   https://bugzilla.suse.com/1170457
   https://bugzilla.suse.com/1170522
   https://bugzilla.suse.com/1170592
   https://bugzilla.suse.com/1170618
   https://bugzilla.suse.com/1170620
   https://bugzilla.suse.com/1170770
   https://bugzilla.suse.com/1170778
   https://bugzilla.suse.com/1170791
   https://bugzilla.suse.com/1170901
   https://bugzilla.suse.com/1171078
   https://bugzilla.suse.com/1171098
   https://bugzilla.suse.com/1171118
   https://bugzilla.suse.com/1171189
   https://bugzilla.suse.com/1171191
   https://bugzilla.suse.com/1171195
   https://bugzilla.suse.com/1171202
   https://bugzilla.suse.com/1171205
   https://bugzilla.suse.com/1171217
   https://bugzilla.suse.com/1171218
   https://bugzilla.suse.com/1171219
   https://bugzilla.suse.com/1171220
   https://bugzilla.suse.com/1171293
   https://bugzilla.suse.com/1171417
   https://bugzilla.suse.com/1171527
   https://bugzilla.suse.com/1171599
   https://bugzilla.suse.com/1171600
   https://bugzilla.suse.com/1171601
   https://bugzilla.suse.com/1171602
   https://bugzilla.suse.com/1171604
   https://bugzilla.suse.com/1171605
   https://bugzilla.suse.com/1171606
   https://bugzilla.suse.com/1171607
   https://bugzilla.suse.com/1171608
   https://bugzilla.suse.com/1171609
   https://bugzilla.suse.com/1171610
   https://bugzilla.suse.com/1171611
   https://bugzilla.suse.com/1171612
   https://bugzilla.suse.com/1171613
   https://bugzilla.suse.com/1171614
   https://bugzilla.suse.com/1171615
   https://bugzilla.suse.com/1171616
   https://bugzilla.suse.com/1171617
   https://bugzilla.suse.com/1171618
   https://bugzilla.suse.com/1171619
   https://bugzilla.suse.com/1171620
   https://bugzilla.suse.com/1171621
   https://bugzilla.suse.com/1171622
   https://bugzilla.suse.com/1171623
   https://bugzilla.suse.com/1171624
   https://bugzilla.suse.com/1171625
   https://bugzilla.suse.com/1171626
   https://bugzilla.suse.com/1171679
   https://bugzilla.suse.com/1171691
   https://bugzilla.suse.com/1171694
   https://bugzilla.suse.com/1171695
   https://bugzilla.suse.com/1171736
   https://bugzilla.suse.com/1171761
   https://bugzilla.suse.com/1171948
   https://bugzilla.suse.com/1171949
   https://bugzilla.suse.com/1171951
   https://bugzilla.suse.com/1171952
   https://bugzilla.suse.com/1171982
   https://bugzilla.suse.com/1171983
   https://bugzilla.suse.com/1172096
   https://bugzilla.suse.com/1172097
   https://bugzilla.suse.com/1172098
   https://bugzilla.suse.com/1172099
   https://bugzilla.suse.com/1172101
   https://bugzilla.suse.com/1172102
   https://bugzilla.suse.com/1172103
   https://bugzilla.suse.com/1172104
   https://bugzilla.suse.com/1172127
   https://bugzilla.suse.com/1172130
   https://bugzilla.suse.com/1172185
   https://bugzilla.suse.com/1172188
   https://bugzilla.suse.com/1172199
   https://bugzilla.suse.com/1172221
   https://bugzilla.suse.com/1172253
   https://bugzilla.suse.com/1172317
   https://bugzilla.suse.com/1172342
   https://bugzilla.suse.com/1172343
   https://bugzilla.suse.com/1172344
   https://bugzilla.suse.com/1172366
   https://bugzilla.suse.com/1172391
   https://bugzilla.suse.com/1172397
   https://bugzilla.suse.com/1172453

From sle-updates at lists.suse.com Wed Jun 10 13:57:27 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 10 Jun 2020 21:57:27 +0200 (CEST)
Subject: SUSE-SU-2020:1605-1: important: Security update for the Linux Kernel
Message-ID: <20200610195727.CF467F749@maintenance.suse.de>

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1605-1
Rating:             important
References:         #1051510 #1058115 #1065729 #1071995 #1082555 #1089895
                    #1111666 #1114279 #1133021 #1144333 #1151794 #1152489
                    #1154824 #1157169 #1158265 #1160388 #1160947 #1165183
                    #1165741 #1166969 #1167574 #1167851 #1168503 #1168670
                    #1169020 #1169514 #1169525 #1170056 #1170125 #1170145
                    #1170345 #1170457 #1170522 #1170592 #1170618 #1170620
                    #1170770 #1170778 #1170791 #1170901 #1171078 #1171098
                    #1171118 #1171189 #1171191 #1171195 #1171202 #1171205
                    #1171217 #1171218 #1171219 #1171220 #1171293 #1171417
                    #1171527 #1171599 #1171600 #1171601 #1171602 #1171604
                    #1171605 #1171606 #1171607 #1171608 #1171609 #1171610
                    #1171611 #1171612 #1171613 #1171614 #1171615 #1171616
                    #1171617 #1171618 #1171619 #1171620 #1171621 #1171622
                    #1171623 #1171624 #1171625 #1171626 #1171679 #1171691
                    #1171694 #1171695 #1171736 #1171761 #1171948 #1171949
                    #1171951 #1171952 #1171982 #1171983 #1172096 #1172097
                    #1172098 #1172099 #1172101 #1172102 #1172103 #1172104
                    #1172127 #1172130 #1172185 #1172188 #1172199 #1172221
                    #1172253 #1172317 #1172342 #1172343 #1172344 #1172366
                    #1172391 #1172397 #1172453
Cross-References:   CVE-2018-1000199 CVE-2019-19462 CVE-2019-20806
                    CVE-2019-20812 CVE-2019-9455 CVE-2020-0543
                    CVE-2020-10690 CVE-2020-10711 CVE-2020-10720
                    CVE-2020-10732 CVE-2020-10751 CVE-2020-10757
                    CVE-2020-12114 CVE-2020-12464 CVE-2020-12652
                    CVE-2020-12653 CVE-2020-12654 CVE-2020-12655
                    CVE-2020-12656 CVE-2020-12657 CVE-2020-12768
                    CVE-2020-12769 CVE-2020-13143
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP4
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE
Linux Enterprise Live Patching 12-SP4 SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

An update that solves 23 vulnerabilities and has 94 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824).
- CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).
- CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).
- CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).
- CVE-2020-12657: Fixed a use-after-free in block/bfq-iosched.c (bsc#1171205).
- CVE-2020-12656: Fixed an improper handling of certain domain_release calls which could have led to a memory leak (bsc#1171219).
- CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).
- CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).
- CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).
- CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).
- CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10711: Fixed a null pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).
- CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).
- CVE-2019-20806: Fixed a null pointer dereference which may have led to denial of service (bsc#1172199).
- CVE-2019-19462: Fixed an issue which could have allowed a local user to cause denial of service (bsc#1158265).
- CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The following non-security bugs were fixed:

- ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe() (bsc#1051510).
- ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() (bsc#1051510).
- acpi/x86: ignore unspecified bit positions in the ACPI global lock field (bsc#1051510).
- Add commit for git-fix that's not a fix This commit cleans up debug code but does not fix anything, and it relies on a new kernel function that isn't yet in this version of SLE. - agp/intel: Reinforce the barrier after GTT updates (bsc#1051510). - ALSA: ctxfi: Remove unnecessary cast in kfree (bsc#1051510). - ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666). - ALSA: hda: Do not release card at firmware loading error (bsc#1051510). - ALSA: hda/hdmi: fix race in monitor detection during probe (bsc#1051510). - ALSA: hda/hdmi: fix without unlocked before return (bsc#1051510). - ALSA: hda: Keep the controller initialization even if no codecs found (bsc#1051510). - ALSA: hda/realtek - Add more fixup entries for Clevo machines (git-fixes). - ALSA: hda/realtek - Add new codec supported for ALC245 (bsc#1051510). - ALSA: hda/realtek - Add new codec supported for ALC287 (git-fixes). - ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse (git-fixes). - ALSA: hda/realtek - Fix unexpected init_amp override (bsc#1051510). - ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 (git-fixes bsc#1171293). - ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter (bsc#1051510). - ALSA: hwdep: fix a left shifting 1 by 31 UB bug (git-fixes). - ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option (git-fixes). - ALSA: opti9xx: shut up gcc-10 range warning (bsc#1051510). - ALSA: pcm: fix incorrect hw_base increase (git-fixes). - ALSA: pcm: oss: Place the plugin buffer overflow checks correctly (bsc#1170522). - ALSA-pcm-oss-Place-the-plugin-buffer-overflow-checks.patch - ALSA: rawmidi: Fix racy buffer resize under concurrent accesses (git-fixes). - ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset (git-fixes). - ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID (bsc#1051510). - ALSA: usb-audio: Do not override ignore_ctl_error value from the map (bsc#1051510). 
- ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif (bsc#1051510). - ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC (git-fixes). - ALSA: usx2y: Fix potential NULL dereference (bsc#1051510). - ASoC: codecs: hdac_hdmi: Fix incorrect use of list_for_each_entry (bsc#1051510). - ASoC: dapm: connect virtual mux with default value (bsc#1051510). - ASoC: dapm: fixup dapm kcontrol widget (bsc#1051510). - ASoC: dpcm: allow start or stop during pause for backend (bsc#1051510). - ASoC: fix regwmask (bsc#1051510). - ASoC: msm8916-wcd-digital: Reset RX interpolation path after use (bsc#1051510). - ASoC: samsung: Prevent clk_get_rate() calls in atomic context (bsc#1111666). - ASoC: topology: Check return value of pcm_new_ver (bsc#1051510). - ASoC: topology: use name_prefix for new kcontrol (bsc#1051510). - b43legacy: Fix case where channel status is corrupted (bsc#1051510). - batman-adv: fix batadv_nc_random_weight_tq (git-fixes). - batman-adv: Fix refcnt leak in batadv_show_throughput_override (git-fixes). - batman-adv: Fix refcnt leak in batadv_store_throughput_override (git-fixes). - batman-adv: Fix refcnt leak in batadv_v_ogm_process (git-fixes). - bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (git fixes (block drivers)). - bcache: fix incorrect data type usage in btree_flush_write() (git fixes (block drivers)). - bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (git fixes (block drivers)). - block/drbd: delete invalid function drbd_md_mark_dirty_ (bsc#1171527). - block: drbd: remove a stray unlock in __drbd_send_protocol() (bsc#1171599). - block: fix busy device checking in blk_drop_partitions again (bsc#1171948). - block: fix busy device checking in blk_drop_partitions (bsc#1171948). - block: fix memleak of bio integrity data (git fixes (block drivers)). - block: remove the bd_openers checks in blk_drop_partitions (bsc#1171948). 
- bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets() (networking-stable-20_03_28). - bnxt_en: reinitialize IRQs when MTU is modified (networking-stable-20_03_14). - bonding/alb: make sure arp header is pulled before accessing it (networking-stable-20_03_14). - brcmfmac: abort and release host after error (bsc#1051510). - Btrfs: fix deadlock with memory reclaim during scrub (bsc#1172127). - btrfs: fix log context list corruption after rename whiteout error (bsc#1172342). - btrfs: fix partial loss of prealloc extent past i_size after fsync (bsc#1172343). - btrfs: move the dio_sem higher up the callchain (bsc#1171761). - btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366). - btrfs: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366). - btrfs: setup a nofs context for memory allocation at btrfs_create_tree() (bsc#1172127). - btrfs: setup a nofs context for memory allocation at __btrfs_set_acl (bsc#1172127). - btrfs: use nofs context when initializing security xattrs to avoid deadlock (bsc#1172127). - can: add missing attribute validation for termination (networking-stable-20_03_14). - cdc-acm: close race betrween suspend() and acm_softint (git-fixes). - cdc-acm: introduce a cool down (git-fixes). - ceph: fix double unlock in handle_cap_export() (bsc#1171694). - ceph: fix endianness bug when handling MDS session feature bits (bsc#1171695). - cgroup, netclassid: periodically release file_lock on classid updating (networking-stable-20_03_14). - CIFS: Allocate crypto structures on the fly for calculating signatures of incoming packets (bsc#1144333). - CIFS: Allocate encryption header through kmalloc (bsc#1144333). - CIFS: allow unlock flock and OFD lock across fork (bsc#1144333). - CIFS: check new file size when extending file by fallocate (bsc#1144333). - CIFS: cifspdu.h: Replace zero-length array with flexible-array member (bsc#1144333). 
- CIFS: clear PF_MEMALLOC before exiting demultiplex thread (bsc#1144333). - CIFS: do not share tcons with DFS (bsc#1144333). - CIFS: dump the session id and keys also for SMB2 sessions (bsc#1144333). - CIFS: ensure correct super block for DFS reconnect (bsc#1144333). - CIFS: Fix bug which the return value by asynchronous read is error (bsc#1144333). - CIFS: fix uninitialised lease_key in open_shroot() (bsc#1144333). - CIFS: improve read performance for page size 64KB & cache=strict & vers=2.1+ (bsc#1144333). - CIFS: Increment num_remote_opens stats counter even in case of smb2_query_dir_first (bsc#1144333). - CIFS: minor update to comments around the cifs_tcp_ses_lock mutex (bsc#1144333). - CIFS: protect updating server->dstaddr with a spinlock (bsc#1144333). - CIFS: smb2pdu.h: Replace zero-length array with flexible-array member (bsc#1144333). - CIFS: smbd: Calculate the correct maximum packet size for segmented SMBDirect send/receive (bsc#1144333). - CIFS: smbd: Check and extend sender credits in interrupt context (bsc#1144333). - CIFS: smbd: Check send queue size before posting a send (bsc#1144333). - CIFS: smbd: Do not schedule work to send immediate packet on every receive (bsc#1144333). - CIFS: smbd: Merge code to track pending packets (bsc#1144333). - CIFS: smbd: Properly process errors on ib_post_send (bsc#1144333). - CIFS: smbd: Update receive credits before sending and deal with credits roll back on failure before sending (bsc#1144333). - CIFS: Warn less noisily on default mount (bsc#1144333). - clk: Add clk_hw_unregister_composite helper function definition (bsc#1051510). - clk: imx6ull: use OSC clock during AXI rate change (bsc#1051510). - clk: imx: make mux parent strings const (bsc#1051510). - clk: mediatek: correct the clocks for MT2701 HDMI PHY module (bsc#1051510). - clk: sunxi-ng: a64: Fix gate bit of DSI DPHY (bsc#1051510). - clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620). 
- clocksource: dw_apb_timer_of: Fix missing clockevent timers (bsc#1051510). - component: Silence bind error on -EPROBE_DEFER (bsc#1051510). - coresight: do not use the BIT() macro in the UAPI header (git fixes (block drivers)). - cpufreq: s3c64xx: Remove pointless NULL check in s3c64xx_cpufreq_driver_init (bsc#1051510). - crypto: ccp - AES CFB mode is a stream cipher (git-fixes). - crypto: ccp - Clean up and exit correctly on allocation failure (git-fixes). - crypto: ccp - Cleanup misc_dev on sev_exit() (bsc#1114279). - crypto: ccp - Cleanup sp_dev_master in psp_dev_destroy() (bsc#1114279). - debugfs: Add debugfs_create_xul() for hexadecimal unsigned long (git-fixes). - dmaengine: dmatest: Fix iteration non-stop logic (bsc#1051510). - dm mpath: switch paths in dm_blk_ioctl() code path (bsc#1167574). - dm writecache: fix data corruption when reloading the target (git fixes (block drivers)). - dm writecache: fix incorrect flush sequence when doing SSD mode commit (git fixes (block drivers)). - dm writecache: verify watermark during resume (git fixes (block drivers)). - dm zoned: fix invalid memory access (git fixes (block drivers)). - dm zoned: reduce overhead of backing device checks (git fixes (block drivers)). - dm zoned: remove duplicate nr_rnd_zones increase in dmz_init_zone() (git fixes (block drivers)). - dm zoned: support zone sizes smaller than 128MiB (git fixes (block drivers)). - dp83640: reverse arguments to list_add_tail (git-fixes). - drivers: hv: Add a module description line to the hv_vmbus driver (bsc#1172253). - Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170618). - Drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170618). - Drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618). - Drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170618). - drivers/net/ibmvnic: Update VNIC protocol version reporting (bsc#1065729). 
- drm: amd/acp: fix broken menu structure (bsc#1114279) * context changes - drm/crc: Actually allow to change the crc source (bsc#1114279) * offset changes - drm/dp_mst: Fix clearing payload state on topology disable (bsc#1051510). - drm/dp_mst: Reformat drm_dp_check_act_status() a bit (bsc#1051510). - drm/edid: Fix off-by-one in DispID DTD pixel clock (bsc#1114279) - drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of (bsc#1114279) - drm/i915: properly sanity check batch_start_offset (bsc#1114279) * renamed display/intel_fbc.c -> intel_fb.c * renamed gt/intel_rc6.c -> intel_pm.c * context changes - drm/meson: Delete an error message in meson_dw_hdmi_bind() (bsc#1051510). - drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem (bsc#1114279) - drm/qxl: qxl_release leak in qxl_draw_dirty_fb() (bsc#1051510). - drm/qxl: qxl_release leak in qxl_hw_surface_alloc() (bsc#1051510). - drm/qxl: qxl_release use after free (bsc#1051510). - drm: Remove PageReserved manipulation from drm_pci_alloc (bsc#1114279) * offset changes - dump_stack: avoid the livelock of the dump_lock (git fixes (block drivers)). - EDAC, sb_edac: Add support for systems with segmented PCI buses (bsc#1169525). - ext4: do not zeroout extents beyond i_disksize (bsc#1167851). - ext4: fix extent_status fragmentation for plain files (bsc#1171949). - ext4: use non-movable memory for superblock readahead (bsc#1171952). - fanotify: fix merging marks masks with FAN_ONDIR (bsc#1171679). - fbcon: fix null-ptr-deref in fbcon_switch (bsc#1114279) * rename drivers/video/fbdev/core to drivers/video/console * context changes - fib: add missing attribute validation for tun_id (networking-stable-20_03_14). - firmware: qcom: scm: fix compilation error when disabled (bsc#1051510). - fs/cifs: fix gcc warning in sid_to_id (bsc#1144333). - fs/seq_file.c: simplify seq_file iteration code and interface (bsc#1170125). - gpio: tegra: mask GPIO IRQs during IRQ shutdown (bsc#1051510). 
- gre: fix uninit-value in __iptunnel_pull_header (networking-stable-20_03_14). - HID: hid-input: clear unmapped usages (git-fixes). - HID: hyperv: Add a module description line (bsc#1172253). - HID: i2c-hid: add Trekstor Primebook C11B to descriptor override (git-fixes). - HID: i2c-hid: override HID descriptors for certain devices (git-fixes). - HID: multitouch: add eGalaxTouch P80H84 support (bsc#1051510). - HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices (git-fixes). - hrtimer: Annotate lockless access to timer->state (git fixes (block drivers)). - hsr: add restart routine into hsr_get_node_list() (networking-stable-20_03_28). - hsr: check protocol version in hsr_newlink() (networking-stable-20_04_17). - hsr: fix general protection fault in hsr_addr_is_self() (networking-stable-20_03_28). - hsr: set .netnsok flag (networking-stable-20_03_28). - hsr: use rcu_read_lock() in hsr_get_node_{list/status}() (networking-stable-20_03_28). - i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present (git-fixes). - i2c: acpi: put device when verifying client fails (git-fixes). - i2c: brcmstb: remove unused struct member (git-fixes). - i2c: core: Allow empty id_table in ACPI case as well (git-fixes). - i2c: core: decrease reference count of device node in i2c_unregister_device (git-fixes). - i2c: dev: Fix the race between the release of i2c_dev and cdev (bsc#1051510). - i2c: fix missing pm_runtime_put_sync in i2c_device_probe (git-fixes). - i2c-hid: properly terminate i2c_hid_dmi_desc_override_table array (git-fixes). - i2c: i801: Do not add ICH_RES_IO_SMI for the iTCO_wdt device (git-fixes). - i2c: iproc: Stop advertising support of SMBUS quick cmd (git-fixes). - i2c: isch: Remove unnecessary acpi.h include (git-fixes). - i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' (bsc#1051510). - i2c: st: fix missing struct parameter description (bsc#1051510). 
- IB/ipoib: Add child to parent list only if device initialized (bsc#1168503). - IB/ipoib: Consolidate checking of the proposed child interface (bsc#1168503). - IB/ipoib: Do not remove child devices from within the ndo_uninit (bsc#1168503). - IB/ipoib: Get rid of IPOIB_FLAG_GOING_DOWN (bsc#1168503). - IB/ipoib: Get rid of the sysfs_mutex (bsc#1168503). - IB/ipoib: Maintain the child_intfs list from ndo_init/uninit (bsc#1168503). - IB/ipoib: Move all uninit code into ndo_uninit (bsc#1168503). - IB/ipoib: Move init code to ndo_init (bsc#1168503). - IB/ipoib: Replace printk with pr_warn (bsc#1168503). - IB/ipoib: Use cancel_delayed_work_sync for neigh-clean task (bsc#1168503). - IB/ipoib: Warn when one port fails to initialize (bsc#1168503). - ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239). - iio:ad7797: Use correct attribute_group (bsc#1051510). - iio: adc: stm32-adc: fix device used to request dma (bsc#1051510). - iio: adc: stm32-adc: fix sleep in atomic context (git-fixes). - iio: adc: stm32-adc: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1051510). - iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' (bsc#1051510). - iio: sca3000: Remove an erroneous 'get_device()' (bsc#1051510). - iio: xilinx-xadc: Fix ADC-B powerdown (bsc#1051510). - iio: xilinx-xadc: Fix clearing interrupt when enabling trigger (bsc#1051510). - iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode (bsc#1051510). - ima: Fix return value of ima_write_policy() (git-fixes). - Input: evdev - call input_flush_device() on release(), not flush() (bsc#1051510). - Input: hyperv-keyboard - add module description (bsc#1172253). - Input: i8042 - add Acer Aspire 5738z to nomux list (bsc#1051510). - Input: i8042 - add ThinkPad S230u to i8042 reset list (bsc#1051510). - Input: raydium_i2c_ts - use true and false for boolean values (bsc#1051510). 
- Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() (bsc#1051510). - Input: synaptics-rmi4 - really fix attn_data use-after-free (git-fixes). - Input: usbtouchscreen - add support for BonXeon TP (bsc#1051510). - Input: xpad - add custom init packet for Xbox One S controllers (bsc#1051510). - iommu/amd: Call domain_flush_complete() in update_domain() (bsc#1172096). - iommu/amd: Do not flush Device Table in iommu_map_page() (bsc#1172097). - iommu/amd: Do not loop forever when trying to increase address space (bsc#1172098). - iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system (bsc#1172099). - iommu/amd: Fix over-read of ACPI UID from IVRS table (bsc#1172101). - iommu/amd: Fix race in increase_address_space()/fetch_pte() (bsc#1172102). - iommu/amd: Update Device Table in increase_address_space() (bsc#1172103). - iommu: Fix reference count leak in iommu_group_alloc (bsc#1172397). - ipmi: fix hung processes in __get_guid() (git-fixes). - ipv4: fix a RCU-list lock in fib_triestat_seq_show (networking-stable-20_04_02). - ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface (networking-stable-20_03_14). - ipv6: do not auto-add link-local address to lag ports (networking-stable-20_04_09). - ipv6: Fix nlmsg_flags when splitting a multipath route (networking-stable-20_03_01). - ipv6: Fix route replacement with dev-only route (networking-stable-20_03_01). - ipvlan: add cond_resched_rcu() while processing muticast backlog (networking-stable-20_03_14). - ipvlan: do not deref eth hdr before checking it's set (networking-stable-20_03_14). - ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast() (networking-stable-20_03_14). - iwlwifi: pcie: actually release queue memory in TVQM (bsc#1051510). - kabi fix for early XHCI debug (git-fixes). - kabi for for md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes). - kabi, protect struct ib_device (bsc#1168503). 
- kabi/severities: Do not track KVM internal symbols. - kabi/severities: Ingnore get_dev_data() The function is internal to the AMD IOMMU driver and must not be called by any third party. - kabi workaround for snd_rawmidi buffer_ref field addition (git-fixes). - KEYS: reaching the keys quotas correctly (bsc#1051510). - KVM: arm64: Change hyp_panic()s dependency on tpidr_el2 (bsc#1133021). - KVM: arm64: Stop save/restoring host tpidr_el1 on VHE (bsc#1133021). - KVM: Check validity of resolved slot when searching memslots (bsc#1172104). - KVM: s390: vsie: Fix delivery of addressing exceptions (git-fixes). - KVM: s390: vsie: Fix possible race when shadowing region 3 tables (git-fixes). - KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks (git-fixes). - KVM: SVM: Fix potential memory leak in svm_cpu_init() (bsc#1171736). - KVM x86: Extend AMD specific guest behavior to Hygon virtual CPUs (bsc#1152489). - l2tp: Allow management of tunnels and session in user namespace (networking-stable-20_04_17). - libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() (bsc#1051510). - libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set (bsc#1051510). - lib: raid6: fix awk build warnings (git fixes (block drivers)). - lib/raid6/test: fix build on distros whose /bin/sh is not bash (git fixes (block drivers)). - lib/stackdepot.c: fix global out-of-bounds in stack_slabs (git fixes (block drivers)). - locks: print unsigned ino in /proc/locks (bsc#1171951). - mac80211: add ieee80211_is_any_nullfunc() (bsc#1051510). - mac80211_hwsim: Use kstrndup() in place of kasprintf() (bsc#1051510). - mac80211: mesh: fix discovery timer re-arming issue / crash (bsc#1051510). - macsec: avoid to set wrong mtu (bsc#1051510). - macsec: restrict to ethernet devices (networking-stable-20_03_28). - macvlan: add cond_resched() during multicast processing (networking-stable-20_03_14). - macvlan: fix null dereference in macvlan_device_event() (bsc#1051510). 
- md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes). - md/raid0: Fix an error message in raid0_make_request() (git fixes (block drivers)). - md/raid10: prevent access of uninitialized resync_pages offset (git-fixes). - media: dvb: return -EREMOTEIO on i2c transfer failure (bsc#1051510). - media: platform: fcp: Set appropriate DMA parameters (bsc#1051510). - media: ti-vpe: cal: fix disable_irqs to only the intended target (git-fixes). - mei: release me_cl object reference (bsc#1051510). - mlxsw: Fix some IS_ERR() vs NULL bugs (networking-stable-20_04_27). - mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE (networking-stable-20_04_09). - mmc: atmel-mci: Fix debugfs on 64-bit platforms (git-fixes). - mmc: dw_mmc: Fix debugfs on 64-bit platforms (git-fixes). - mmc: meson-gx: make sure the descriptor is stopped on errors (git-fixes). - mmc: meson-gx: simplify interrupt handler (git-fixes). - mmc: renesas_sdhi: limit block count to 16 bit for old revisions (git-fixes). - mmc: sdhci-esdhc-imx: fix the mask for tuning start point (bsc#1051510). - mmc: sdhci-msm: Clear tuning done flag while hs400 tuning (bsc#1051510). - mmc: sdhci-of-at91: fix memleak on clk_get failure (git-fixes). - mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers (bsc#1051510). - mmc: sdhci-xenon: fix annoying 1.8V regulator warning (bsc#1051510). - mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card() (bsc#1051510). - mmc: tmio: fix access width of Block Count Register (git-fixes). - mm: thp: handle page cache THP correctly in PageTransCompoundMap (git fixes (block drivers)). - mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer (bsc#1051510). - mtd: spi-nor: cadence-quadspi: add a delay in write sequence (git-fixes). - mtd: spi-nor: enable 4B opcodes for mx66l51235l (git-fixes). - mtd: spi-nor: fsl-quadspi: Do not let -EINVAL on the bus (git-fixes). - mwifiex: avoid -Wstringop-overflow warning (bsc#1051510). 
- mwifiex: Fix memory corruption in dump_station (bsc#1051510). - net: bcmgenet: correct per TX/RX ring statistics (networking-stable-20_04_27). - net: dsa: b53: Fix ARL register definitions (networking-stable-20_04_27). - net: dsa: b53: Rework ARL bin logic (networking-stable-20_04_27). - net: dsa: bcm_sf2: Do not register slave MDIO bus with OF (networking-stable-20_04_09). - net: dsa: bcm_sf2: Ensure correct sub-node is parsed (networking-stable-20_04_09). - net: dsa: bcm_sf2: Fix overflow checks (git-fixes). - net: dsa: Fix duplicate frames flooded by learning (networking-stable-20_03_28). - net: dsa: mv88e6xxx: fix lockup on warm boot (networking-stable-20_03_14). - net: fec: validate the new settings in fec_enet_set_coalesce() (networking-stable-20_03_14). - net: fib_rules: Correctly set table field when table number exceeds 8 bits (networking-stable-20_03_01). - net: fix race condition in __inet_lookup_established() (bsc#1151794). - net: fq: add missing attribute validation for orphan mask (networking-stable-20_03_14). - net, ip_tunnel: fix interface lookup with no key (networking-stable-20_04_02). - net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin (networking-stable-20_04_17). - net: ipv6: do not consider routes via gateways for anycast address check (networking-stable-20_04_17). - netlink: Use netlink header as base to calculate bad attribute offset (networking-stable-20_03_14). - net: macsec: update SCI upon MAC address change (networking-stable-20_03_14). - net: memcg: fix lockdep splat in inet_csk_accept() (networking-stable-20_03_14). - net: memcg: late association of sock to memcg (networking-stable-20_03_14). - net/mlx4_en: avoid indirect call in TX completion (networking-stable-20_04_27). - net/mlx5: Add new fields to Port Type and Speed register (bsc#1171118). - net/mlx5: Add RoCE RX ICRC encapsulated counter (bsc#1171118). - net/mlx5e: Fix ethtool self test: link speed (bsc#1171118). 
- net/mlx5e: Move port speed code from en_ethtool.c to en/port.c (bsc#1171118). - net/mlx5: Expose link speed directly (bsc#1171118). - net/mlx5: Expose port speed when possible (bsc#1171118). - net: mvneta: Fix the case where the last poll did not process all rx (networking-stable-20_03_28). - net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node (networking-stable-20_04_27). - net/packet: tpacket_rcv: do not increment ring index on drop (networking-stable-20_03_14). - net: phy: restore mdio regs in the iproc mdio driver (networking-stable-20_03_01). - net: qmi_wwan: add support for ASKEY WWHC050 (networking-stable-20_03_28). - net: revert default NAPI poll timeout to 2 jiffies (networking-stable-20_04_17). - net_sched: cls_route: remove the right filter from hashtable (networking-stable-20_03_28). - net/x25: Fix x25_neigh refcnt leak when receiving frame (networking-stable-20_04_27). - nfc: add missing attribute validation for SE API (networking-stable-20_03_14). - nfc: add missing attribute validation for vendor subcommand (networking-stable-20_03_14). - nfc: pn544: Fix occasional HW initialization failure (networking-stable-20_03_01). - NFC: st21nfca: add missed kfree_skb() in an error path (bsc#1051510). - nfsd4: fix up replay_matches_cache() (git-fixes). - nfsd: Ensure CLONE persists data and metadata changes to the target file (git-fixes). - nfsd: fix delay timer on 32-bit architectures (git-fixes). - nfsd: fix jiffies/time_t mixup in LRU list (git-fixes). - NFS: Directory page cache pages need to be locked when read (git-fixes). - nfsd: memory corruption in nfsd4_lock() (git-fixes). - NFS: Do not call generic_error_remove_page() while holding locks (bsc#1170457). - NFS: Fix memory leaks and corruption in readdir (git-fixes). - NFS: Fix O_DIRECT accounting of number of bytes read/written (git-fixes). - NFS: Fix potential posix_acl refcnt leak in nfs3_set_acl (git-fixes). - NFS: fix racey wait in nfs_set_open_stateid_locked (bsc#1170592). 
- NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O (git-fixes). - NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes() (git-fixes). - NFS: Revalidate the file size on a fatal write error (git-fixes). - NFSv4.0: nfs4_do_fsinfo() should not do implicit lease renewals (git-fixes). - NFSv4: Do not allow a cached open with a revoked delegation (git-fixes). - NFSv4: Fix leak of clp->cl_acceptor string (git-fixes). - NFSv4/pnfs: Return valid stateids in nfs_layout_find_inode_by_stateid() (git-fixes). - NFSv4: try lease recovery on NFS4ERR_EXPIRED (git-fixes). - NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn (git-fixes). - nl802154: add missing attribute validation for dev_type (networking-stable-20_03_14). - nl802154: add missing attribute validation (networking-stable-20_03_14). - nvme-fc: print proper nvme-fc devloss_tmo value (bsc#1172391). - objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514). - objtool: Fix switch table detection in .text.unlikely (bsc#1169514). - objtool: Make BP scratch register warning more robust (bsc#1169514). - padata: Remove broken queue flushing (git-fixes). - Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()" (git fixes (block drivers)). - pinctrl: baytrail: Enable pin configuration setting for GPIO chip (git-fixes). - pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler (git-fixes). - platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA (bsc#1051510). - pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors (git-fixes). - powerpc: Add attributes for setjmp/longjmp (bsc#1065729). - powerpc/pci/of: Parse unassigned resources (bsc#1065729). - powerpc/setup_64: Set cache-line-size based on cache-block-size (bsc#1065729). - powerpc/sstep: Fix DS operand in ld encoding to appropriate value (bsc#1065729). - qede: Fix race between rdma destroy workqueue and link change event (networking-stable-20_03_01). 
- r8152: check disconnect status after long sleep (networking-stable-20_03_14). - raid6/ppc: Fix build for clang (git fixes (block drivers)). - rcu: locking and unlocking need to always be at least barriers (git fixes (block drivers)). - RDMA/ipoib: Fix use of sizeof() (bsc#1168503). - RDMA/netdev: Fix netlink support in IPoIB (bsc#1168503). - RDMA/netdev: Hoist alloc_netdev_mqs out of the driver (bsc#1168503). - RDMA/netdev: Use priv_destructor for netdev cleanup (bsc#1168503). - Remove 2 git-fixes that cause build issues. (bsc#1171691) - Revert "ALSA: hda/realtek: Fix pop noise on ALC225" (git-fixes). - Revert "drm/panel: simple: Add support for Sharp LQ150X1LG11 panels" (bsc#1114279) * offset changes - Revert "HID: i2c-hid: add Trekstor Primebook C11B to descriptor override" Depends on 9b5c747685982d22efffeafc5ec601bd28f6d78b, which was also reverted. - Revert "HID: i2c-hid: override HID descriptors for certain devices" This broke i2c-hid.ko's build, there is no way around it without a big file rename or renaming the kernel module. - Revert "i2c-hid: properly terminate i2c_hid_dmi_desc_override_table" Fixed 9b5c747685982d22efffeafc5ec601bd28f6d78b, which was also reverted. - Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" (bsc#1172221). - rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() (bsc#1051510). - s390/cio: avoid duplicated 'ADD' uevents (git-fixes). - s390/cio: generate delayed uevent for vfio-ccw subchannels (git-fixes). - s390/cpuinfo: fix wrong output when CPU0 is offline (git-fixes). - s390/diag: fix display of diagnose call statistics (git-fixes). - s390/ftrace: fix potential crashes when switching tracers (git-fixes). - s390/gmap: return proper error code on ksm unsharing (git-fixes). - s390/ism: fix error return code in ism_probe() (git-fixes). - s390/pci: Fix possible deadlock in recover_store() (bsc#1165183 LTC#184103). - s390/pci: Recover handle in clp_set_pci_fn() (bsc#1165183 LTC#184103). 
- s390/qeth: cancel RX reclaim work earlier (git-fixes). - s390/qeth: do not return -ENOTSUPP to userspace (git-fixes). - s390/qeth: do not warn for napi with 0 budget (git-fixes). - s390/qeth: fix off-by-one in RX copybreak check (git-fixes). - s390/qeth: fix promiscuous mode after reset (git-fixes). - s390/qeth: fix qdio teardown after early init error (git-fixes). - s390/qeth: handle error due to unsupported transport mode (git-fixes). - s390/qeth: handle error when backing RX buffer (git-fixes). - s390/qeth: lock the card while changing its hsuid (git-fixes). - s390/qeth: support net namespaces for L3 devices (git-fixes). - s390/time: Fix clk type in get_tod_clock (git-fixes). - scripts/decodecode: fix trapping instruction formatting (bsc#1065729). - scripts/dtc: Remove redundant YYLOC global declaration (bsc#1160388). - scsi: bnx2i: fix potential use after free (bsc#1171600). - scsi: core: Handle drivers which set sg_tablesize to zero (bsc#1171601) This commit also required: > scsi: core: avoid preallocating big SGL for data - scsi: core: save/restore command resid for error handling (bsc#1171602). - scsi: core: scsi_trace: Use get_unaligned_be*() (bsc#1171604). - scsi: core: try to get module before removing device (bsc#1171605). - scsi: csiostor: Adjust indentation in csio_device_reset (bsc#1171606). - scsi: csiostor: Do not enable IRQs too early (bsc#1171607). - scsi: esas2r: unlock on error in esas2r_nvram_read_direct() (bsc#1171608). - scsi: fnic: fix invalid stack access (bsc#1171609). - scsi: fnic: fix msix interrupt allocation (bsc#1171610). - scsi: ibmvscsi: Fix WARN_ON during event pool release (bsc#1170791 ltc#185128). - scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func (bsc#1171611). - scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1171612). - scsi: iscsi: qla4xxx: fix double free in probe (bsc#1171613). - scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences (bsc#1171614). 
- scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1171615). - scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state (bsc#1171616). - scsi: qla2xxx: add ring buffer for tracing debug logs (bsc#1157169). - scsi: qla2xxx: check UNLOADING before posting async work (bsc#1157169). - scsi: qla2xxx: Delete all sessions before unregister local nvme port (bsc#1157169). - scsi: qla2xxx: Do not log message when reading port speed via sysfs (bsc#1157169). - scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV (bsc#1157169). - scsi: qla2xxx: Fix regression warnings (bsc#1157169). - scsi: qla2xxx: Remove non functional code (bsc#1157169). - scsi: qla2xxx: set UNLOADING before waiting for session deletion (bsc#1157169). - scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free (bsc#1171617). - scsi: qla4xxx: fix double free bug (bsc#1171618). - scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI (bsc#1171619). - scsi: sg: add sg_remove_request in sg_common_write (bsc#1171620). - scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) (bsc#1171621). - scsi: ufs: change msleep to usleep_range (bsc#1171622). - scsi: ufs: Clean up ufshcd_scale_clks() and clock scaling error out path (bsc#1171623). - scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic (bsc#1171624). - scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails (bsc#1171625). - scsi: ufs: Recheck bkops level if bkops is disabled (bsc#1171626). - scsi: zfcp: fix missing erp_lock in port recovery trigger for point-to-point (git-fixes). - sctp: fix possibly using a bad saddr with a given dst (networking-stable-20_04_02). - sctp: fix refcount bug in sctp_wfree (networking-stable-20_04_02). - sctp: move the format error check out of __sctp_sf_do_9_1_abort (networking-stable-20_03_01). - seq_file: fix problem when seeking mid-record (bsc#1170125). 
- serial: uartps: Move the spinlock after the read of the tx empty (git-fixes). - sfc: detach from cb_page in efx_copy_channel() (networking-stable-20_03_14). - signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig (bsc#1172185). - slcan: not call free_netdev before rtnl_unlock in slcan_open (networking-stable-20_03_28). - slip: make slhc_compress() more robust against malicious packets (networking-stable-20_03_14). - smb3: Additional compression structures (bsc#1144333). - smb3: Add new compression flags (bsc#1144333). - smb3: change noisy error message to FYI (bsc#1144333). - smb3: enable swap on SMB3 mounts (bsc#1144333). - smb3: Minor cleanup of protocol definitions (bsc#1144333). - smb3: remove overly noisy debug line in signing errors (bsc#1144333). - smb3: smbdirect support can be configured by default (bsc#1144333). - smb3: use SMB2_SIGNATURE_SIZE define (bsc#1144333). - spi: bcm2835: Fix 3-wire mode if DMA is enabled (git-fixes). - spi: bcm63xx-hsspi: Really keep pll clk enabled (bsc#1051510). - spi: bcm-qspi: when tx/rx buffer is NULL set to 0 (bsc#1051510). - spi: dw: Add SPI Rx-done wait method to DMA-based transfer (bsc#1051510). - spi: dw: Add SPI Tx-done wait method to DMA-based transfer (bsc#1051510). - spi: dw: Zero DMA Tx and Rx configurations on stack (bsc#1051510). - spi: fsl: do not map irq during probe (git-fixes). - spi: fsl: use platform_get_irq() instead of of_irq_to_resource() (git-fixes). - spi: pxa2xx: Add CS control clock quirk (bsc#1051510). - spi: qup: call spi_qup_pm_resume_runtime before suspending (bsc#1051510). - spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion (git-fixes). - spi: spi-s3c64xx: Fix system resume support (git-fixes). - spi/zynqmp: remove entry that causes a cs glitch (bsc#1051510). - staging: comedi: dt2815: fix writing hi byte of analog output (bsc#1051510). - staging: comedi: Fix comedi_device refcnt leak in comedi_open (bsc#1051510). 
- staging: iio: ad2s1210: Fix SPI reading (bsc#1051510). - staging: vt6656: Do not set RCR_MULTICAST or RCR_BROADCAST by default (git-fixes). - staging: vt6656: Fix drivers TBTT timing counter (git-fixes). - staging: vt6656: Fix pairwise key entry save (git-fixes). - sunrpc: expiry_time should be seconds not timeval (git-fixes). - SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()' (git-fixes). - supported.conf: Add br_netfilter to base (bsc#1169020). - svcrdma: Fix leak of transport addresses (git-fixes). - taskstats: fix data-race (bsc#1172188). - tcp: cache line align MAX_TCP_HEADER (networking-stable-20_04_27). - tcp: repair: fix TCP_QUEUE_SEQ implementation (networking-stable-20_03_28). - team: add missing attribute validation for array index (networking-stable-20_03_14). - team: add missing attribute validation for port ifindex (networking-stable-20_03_14). - team: fix hang in team_mode_get() (networking-stable-20_04_27). - tools lib traceevent: Remove unneeded qsort and uses memmove instead (git-fixes). - tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() (bsc#1065729). - tpm/tpm_tis: Free IRQ if probing fails (bsc#1082555). - tpm/tpm_tis: Free IRQ if probing fails (git-fixes). - tracing: Add a vmalloc_sync_mappings() for safe measure (git-fixes). - tracing: Disable trace_printk() on post poned tests (git-fixes). - tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation (git-fixes). - tty: rocket, avoid OOB access (git-fixes). - UAS: fix deadlock in error handling and PM flushing work (git-fixes). - UAS: no use logging any details in case of ENODEV (git-fixes). - USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE (git-fixes). - USB: cdc-acm: restore capability check order (git-fixes). - USB: core: Fix misleading driver bug report (bsc#1051510). - USB: dwc3: do not set gadget->is_otg flag (git-fixes). 
- USB: dwc3: gadget: Do link recovery for SS and SSP (git-fixes). - USB: early: Handle AMD's spec-compliant identifiers, too (git-fixes). - USB: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset() (git-fixes). - USB: gadget: audio: Fix a missing error return value in audio_bind() (git-fixes). - USB: gadget: composite: Inform controller driver of self-powered (git-fixes). - USB: gadget: legacy: fix error return code in cdc_bind() (git-fixes). - USB: gadget: legacy: fix error return code in gncm_bind() (git-fixes). - USB: gadget: legacy: fix redundant initialization warnings (bsc#1051510). - USB: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' (git-fixes). - USB: gadget: udc: atmel: Fix vbus disconnect handling (git-fixes). - USB: gadget: udc: atmel: Make some symbols static (git-fixes). - USB: gadget: udc: bdc: Remove unnecessary NULL checks in bdc_req_complete (git-fixes). - USB: host: xhci-plat: keep runtime active when removing host (git-fixes). - USB: hub: Fix handling of connect changes during sleep (git-fixes). - usbnet: silence an unnecessary warning (bsc#1170770). - USB: serial: garmin_gps: add sanity checking for data length (git-fixes). - USB: serial: option: add BroadMobi BM806U (git-fixes). - USB: serial: option: add support for ASKEY WWHC050 (git-fixes). - USB: serial: option: add Wistron Neweb D19Q1 (git-fixes). - USB: serial: qcserial: Add DW5816e support (git-fixes). - USB: sisusbvga: Change port variable from signed to unsigned (git-fixes). - usb-storage: Add unusual_devs entry for JMicron JMS566 (git-fixes). - USB: uas: add quirk for LaCie 2Big Quadra (git-fixes). - USB: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list (git-fixes). - video: fbdev: sis: Remove unnecessary parentheses and commented code (bsc#1114279) - video: fbdev: w100fb: Fix a potential double free (bsc#1051510). - vrf: Check skb for XFRM_TRANSFORMED flag (networking-stable-20_04_27). 
- vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines (git-fixes). - vt: selection, introduce vc_is_sel (git-fixes). - vt: vt_ioctl: fix race in VT_RESIZEX (git-fixes). - vt: vt_ioctl: fix use-after-free in vt_in_use() (git-fixes). - vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console (git-fixes). - vxlan: check return value of gro_cells_init() (networking-stable-20_03_28). - watchdog: reset last_hw_keepalive time at start (git-fixes). - wcn36xx: Fix error handling path in 'wcn36xx_probe()' (bsc#1051510). - wil6210: remove reset file from debugfs (git-fixes). - wimax/i2400m: Fix potential urb refcnt leak (bsc#1051510). - workqueue: do not use wq_select_unbound_cpu() for bound works (bsc#1172130). - x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115). - x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115). - x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115). - x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115). - x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170620). - x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170618). - x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170618). - x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170618). - x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170618). - x86:Hyper-V: report value of misc_features (git-fixes). - x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170618). - x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170618). - x86/kprobes: Avoid kretprobe recursion bug (bsc#1114279). - x86/resctrl: Fix invalid attempt at removing the default resource group (git-fixes). - x86/resctrl: Preserve CDP enable over CPU hotplug (bsc#1114279). - x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115). 
- x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115). - x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115). - x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115). - x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115). - x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115). - x86/xen: fix booting 32-bit pv guest (bsc#1071995). - x86/xen: Make the boot CPU idle task reliable (bsc#1071995). - x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995). - xen/pci: reserve MCFG areas earlier (bsc#1170145). - xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish (networking-stable-20_04_27). - xfs: Correctly invert xfs_buftarg LRU isolation logic (git-fixes). - xfs: do not ever return a stale pointer from __xfs_dir3_free_read (git-fixes). - xprtrdma: Fix completion wait during device removal (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP4: zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1605=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1605=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1605=1 - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-1605=1 - SUSE Linux Enterprise High Availability 12-SP4: zypper in -t patch SUSE-SLE-HA-12-SP4-2020-1605=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64): kernel-default-debuginfo-4.12.14-95.54.1 kernel-default-debugsource-4.12.14-95.54.1 kernel-default-extra-4.12.14-95.54.1 kernel-default-extra-debuginfo-4.12.14-95.54.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.12.14-95.54.1 kernel-obs-build-debugsource-4.12.14-95.54.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch): kernel-docs-4.12.14-95.54.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): kernel-default-4.12.14-95.54.1 kernel-default-base-4.12.14-95.54.1 kernel-default-base-debuginfo-4.12.14-95.54.1 kernel-default-debuginfo-4.12.14-95.54.1 kernel-default-debugsource-4.12.14-95.54.1 kernel-default-devel-4.12.14-95.54.1 kernel-syms-4.12.14-95.54.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): kernel-devel-4.12.14-95.54.1 kernel-macros-4.12.14-95.54.1 kernel-source-4.12.14-95.54.1 - SUSE Linux Enterprise Server 12-SP4 (x86_64): kernel-default-devel-debuginfo-4.12.14-95.54.1 - SUSE Linux Enterprise Server 12-SP4 (s390x): kernel-default-man-4.12.14-95.54.1 - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64): kernel-default-kgraft-4.12.14-95.54.1 kernel-default-kgraft-devel-4.12.14-95.54.1 kgraft-patch-4_12_14-95_54-default-1-6.3.1 - SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64): 
cluster-md-kmp-default-4.12.14-95.54.1 cluster-md-kmp-default-debuginfo-4.12.14-95.54.1 dlm-kmp-default-4.12.14-95.54.1 dlm-kmp-default-debuginfo-4.12.14-95.54.1 gfs2-kmp-default-4.12.14-95.54.1 gfs2-kmp-default-debuginfo-4.12.14-95.54.1 kernel-default-debuginfo-4.12.14-95.54.1 kernel-default-debugsource-4.12.14-95.54.1 ocfs2-kmp-default-4.12.14-95.54.1 ocfs2-kmp-default-debuginfo-4.12.14-95.54.1 References: https://www.suse.com/security/cve/CVE-2018-1000199.html https://www.suse.com/security/cve/CVE-2019-19462.html https://www.suse.com/security/cve/CVE-2019-20806.html https://www.suse.com/security/cve/CVE-2019-20812.html https://www.suse.com/security/cve/CVE-2019-9455.html https://www.suse.com/security/cve/CVE-2020-0543.html https://www.suse.com/security/cve/CVE-2020-10690.html https://www.suse.com/security/cve/CVE-2020-10711.html https://www.suse.com/security/cve/CVE-2020-10720.html https://www.suse.com/security/cve/CVE-2020-10732.html https://www.suse.com/security/cve/CVE-2020-10751.html https://www.suse.com/security/cve/CVE-2020-10757.html https://www.suse.com/security/cve/CVE-2020-12114.html https://www.suse.com/security/cve/CVE-2020-12464.html https://www.suse.com/security/cve/CVE-2020-12652.html https://www.suse.com/security/cve/CVE-2020-12653.html https://www.suse.com/security/cve/CVE-2020-12654.html https://www.suse.com/security/cve/CVE-2020-12655.html https://www.suse.com/security/cve/CVE-2020-12656.html https://www.suse.com/security/cve/CVE-2020-12657.html https://www.suse.com/security/cve/CVE-2020-12768.html https://www.suse.com/security/cve/CVE-2020-12769.html https://www.suse.com/security/cve/CVE-2020-13143.html https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1058115 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1082555 https://bugzilla.suse.com/1089895 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1144333 
https://bugzilla.suse.com/1151794 https://bugzilla.suse.com/1152489 https://bugzilla.suse.com/1154824 https://bugzilla.suse.com/1157169 https://bugzilla.suse.com/1158265 https://bugzilla.suse.com/1160388 https://bugzilla.suse.com/1160947 https://bugzilla.suse.com/1165183 https://bugzilla.suse.com/1165741 https://bugzilla.suse.com/1166969 https://bugzilla.suse.com/1167574 https://bugzilla.suse.com/1167851 https://bugzilla.suse.com/1168503 https://bugzilla.suse.com/1168670 https://bugzilla.suse.com/1169020 https://bugzilla.suse.com/1169514 https://bugzilla.suse.com/1169525 https://bugzilla.suse.com/1170056 https://bugzilla.suse.com/1170125 https://bugzilla.suse.com/1170145 https://bugzilla.suse.com/1170345 https://bugzilla.suse.com/1170457 https://bugzilla.suse.com/1170522 https://bugzilla.suse.com/1170592 https://bugzilla.suse.com/1170618 https://bugzilla.suse.com/1170620 https://bugzilla.suse.com/1170770 https://bugzilla.suse.com/1170778 https://bugzilla.suse.com/1170791 https://bugzilla.suse.com/1170901 https://bugzilla.suse.com/1171078 https://bugzilla.suse.com/1171098 https://bugzilla.suse.com/1171118 https://bugzilla.suse.com/1171189 https://bugzilla.suse.com/1171191 https://bugzilla.suse.com/1171195 https://bugzilla.suse.com/1171202 https://bugzilla.suse.com/1171205 https://bugzilla.suse.com/1171217 https://bugzilla.suse.com/1171218 https://bugzilla.suse.com/1171219 https://bugzilla.suse.com/1171220 https://bugzilla.suse.com/1171293 https://bugzilla.suse.com/1171417 https://bugzilla.suse.com/1171527 https://bugzilla.suse.com/1171599 https://bugzilla.suse.com/1171600 https://bugzilla.suse.com/1171601 https://bugzilla.suse.com/1171602 https://bugzilla.suse.com/1171604 https://bugzilla.suse.com/1171605 https://bugzilla.suse.com/1171606 https://bugzilla.suse.com/1171607 https://bugzilla.suse.com/1171608 https://bugzilla.suse.com/1171609 https://bugzilla.suse.com/1171610 https://bugzilla.suse.com/1171611 https://bugzilla.suse.com/1171612 
https://bugzilla.suse.com/1171613 https://bugzilla.suse.com/1171614 https://bugzilla.suse.com/1171615 https://bugzilla.suse.com/1171616 https://bugzilla.suse.com/1171617 https://bugzilla.suse.com/1171618 https://bugzilla.suse.com/1171619 https://bugzilla.suse.com/1171620 https://bugzilla.suse.com/1171621 https://bugzilla.suse.com/1171622 https://bugzilla.suse.com/1171623 https://bugzilla.suse.com/1171624 https://bugzilla.suse.com/1171625 https://bugzilla.suse.com/1171626 https://bugzilla.suse.com/1171679 https://bugzilla.suse.com/1171691 https://bugzilla.suse.com/1171694 https://bugzilla.suse.com/1171695 https://bugzilla.suse.com/1171736 https://bugzilla.suse.com/1171761 https://bugzilla.suse.com/1171948 https://bugzilla.suse.com/1171949 https://bugzilla.suse.com/1171951 https://bugzilla.suse.com/1171952 https://bugzilla.suse.com/1171982 https://bugzilla.suse.com/1171983 https://bugzilla.suse.com/1172096 https://bugzilla.suse.com/1172097 https://bugzilla.suse.com/1172098 https://bugzilla.suse.com/1172099 https://bugzilla.suse.com/1172101 https://bugzilla.suse.com/1172102 https://bugzilla.suse.com/1172103 https://bugzilla.suse.com/1172104 https://bugzilla.suse.com/1172127 https://bugzilla.suse.com/1172130 https://bugzilla.suse.com/1172185 https://bugzilla.suse.com/1172188 https://bugzilla.suse.com/1172199 https://bugzilla.suse.com/1172221 https://bugzilla.suse.com/1172253 https://bugzilla.suse.com/1172317 https://bugzilla.suse.com/1172342 https://bugzilla.suse.com/1172343 https://bugzilla.suse.com/1172344 https://bugzilla.suse.com/1172366 https://bugzilla.suse.com/1172391 https://bugzilla.suse.com/1172397 https://bugzilla.suse.com/1172453 From sle-updates at lists.suse.com Wed Jun 10 14:10:45 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 10 Jun 2020 22:10:45 +0200 (CEST) Subject: SUSE-SU-2020:1604-1: important: Security update for the Linux Kernel Message-ID: <20200610201045.1A148F749@maintenance.suse.de> SUSE Security Update: 
Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1604-1 Rating: important References: #1051510 #1058115 #1065729 #1082555 #1083647 #1089895 #1103990 #1103991 #1103992 #1104745 #1109837 #1111666 #1112178 #1112374 #1113956 #1114279 #1124278 #1127354 #1127355 #1127371 #1133021 #1142685 #1144333 #1151794 #1152489 #1154824 #1157169 #1158265 #1160388 #1160947 #1164780 #1164871 #1165183 #1165478 #1165741 #1166969 #1166978 #1167574 #1167851 #1167867 #1168332 #1168670 #1168789 #1169020 #1169514 #1169525 #1169762 #1170056 #1170125 #1170145 #1170284 #1170345 #1170457 #1170522 #1170592 #1170617 #1170618 #1170620 #1170621 #1170770 #1170778 #1170791 #1170901 #1171078 #1171098 #1171118 #1171189 #1171191 #1171195 #1171202 #1171205 #1171214 #1171217 #1171218 #1171219 #1171220 #1171244 #1171293 #1171417 #1171527 #1171599 #1171600 #1171601 #1171602 #1171604 #1171605 #1171606 #1171607 #1171608 #1171609 #1171610 #1171611 #1171612 #1171613 #1171614 #1171615 #1171616 #1171617 #1171618 #1171619 #1171620 #1171621 #1171622 #1171623 #1171624 #1171625 #1171626 #1171662 #1171679 #1171691 #1171692 #1171694 #1171695 #1171736 #1171817 #1171948 #1171949 #1171951 #1171952 #1171979 #1171982 #1171983 #1172017 #1172096 #1172097 #1172098 #1172099 #1172101 #1172102 #1172103 #1172104 #1172127 #1172130 #1172185 #1172188 #1172199 #1172201 #1172202 #1172221 #1172249 #1172251 #1172317 #1172342 #1172343 #1172344 #1172366 #1172378 #1172391 #1172397 #1172453 Cross-References: CVE-2018-1000199 CVE-2019-19462 CVE-2019-20806 CVE-2019-20812 CVE-2019-9455 CVE-2020-0543 CVE-2020-10690 CVE-2020-10711 CVE-2020-10720 CVE-2020-10732 CVE-2020-10751 CVE-2020-10757 CVE-2020-12114 CVE-2020-12464 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 CVE-2020-12655 CVE-2020-12656 CVE-2020-12657 CVE-2020-12659 CVE-2020-12768 CVE-2020-12769 CVE-2020-13143 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP1 
______________________________________________________________________________

An update that solves 24 vulnerabilities and has 126 fixes is now available.

Description:

The SUSE Linux Enterprise 15 SP1 azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824).
- CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).
- CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).
- CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).
- CVE-2020-12659: Fixed an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) due to improper headroom validation (bsc#1171214).
- CVE-2020-12657: Fixed a use-after-free in block/bfq-iosched.c (bsc#1171205).
- CVE-2020-12656: Fixed an improper handling of certain domain_release calls which could have led to a memory leak (bsc#1171219).
- CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).
- CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).
- CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).
- CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).
- CVE-2020-10732: Fixed a kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10711: Fixed a null pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).
- CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).
- CVE-2019-20806: Fixed a null pointer dereference which may have led to denial of service (bsc#1172199).
- CVE-2019-19462: Fixed an issue which could have allowed a local user to cause a denial of service (bsc#1158265).
- CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The following non-security bugs were fixed:

- ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe() (bsc#1051510).
- ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() (bsc#1051510).
- acpi/x86: ignore unspecified bit positions in the ACPI global lock field (bsc#1051510).
- Add br_netfilter to kernel-default-base (bsc#1169020) - Add commit for git-fix that's not a fix This commit cleans up debug code but does not fix anything, and it relies on a new kernel function that isn't yet in this version of SLE. - agp/intel: Reinforce the barrier after GTT updates (bsc#1051510). - ALSA: ctxfi: Remove unnecessary cast in kfree (bsc#1051510). - ALSA: doc: Document PC Beep Hidden Register on Realtek ALC256 (bsc#1051510). - ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666). - ALSA: hda: Add driver blacklist (bsc#1051510). - ALSA: hda: Always use jackpoll helper for jack update after resume (bsc#1051510). - ALSA: hda: call runtime_allow() for all hda controllers (bsc#1051510). - ALSA: hda: Do not release card at firmware loading error (bsc#1051510). - ALSA: hda: Explicitly permit using autosuspend if runtime PM is supported (bsc#1051510). - ALSA: hda/hdmi: fix race in monitor detection during probe (bsc#1051510). - ALSA: hda/hdmi: fix without unlocked before return (bsc#1051510). - ALSA: hda: Honor PM disablement in PM freeze and thaw_noirq ops (bsc#1051510). - ALSA: hda: Keep the controller initialization even if no codecs found (bsc#1051510). - ALSA: hda: Match both PCI ID and SSID for driver blacklist (bsc#1111666). - ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround (bsc#1172017). - ALSA: hda/realtek - Add COEF workaround for ASUS ZenBook UX431DA (git-fixes). - ALSA: hda/realtek - Add HP new mute led supported for ALC236 (git-fixes). - ALSA: hda/realtek - Add more fixup entries for Clevo machines (git-fixes). - ALSA: hda/realtek - Add new codec supported for ALC245 (bsc#1051510). - ALSA: hda/realtek - Add new codec supported for ALC287 (git-fixes). - ALSA: hda/realtek: Add quirk for Samsung Notebook (git-fixes). - ALSA: hda/realtek - Add supported new mute Led for HP (git-fixes). - ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295 (git-fixes). 
- ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295 (git-fixes). - ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295 (git-fixes). - ALSA: hda/realtek - Enable the headset mic on Asus FX505DT (bsc#1051510). - ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse (git-fixes). - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme (bsc#1111666). - ALSA: hda/realtek - Fix unexpected init_amp override (bsc#1051510). - ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 (git-fixes bsc#1171293). - ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter (bsc#1051510). - ALSA: hda: Release resources at error in delayed probe (bsc#1051510). - ALSA: hda: Remove ASUS ROG Zenith from the blacklist (bsc#1051510). - ALSA: hda: Skip controller resume if not needed (bsc#1051510). - ALSA: hwdep: fix a left shifting 1 by 31 UB bug (git-fixes). - ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option (git-fixes). - ALSA: opti9xx: shut up gcc-10 range warning (bsc#1051510). - ALSA: pcm: fix incorrect hw_base increase (git-fixes). - ALSA: pcm: oss: Place the plugin buffer overflow checks correctly (bsc#1170522). - ALSA: rawmidi: Fix racy buffer resize under concurrent accesses (git-fixes). - ALSA: usb-audio: Add connector notifier delegation (bsc#1051510). - ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset (git-fixes). - ALSA: usb-audio: add mapping for ASRock TRX40 Creator (git-fixes). - ALSA: usb-audio: Add mixer workaround for TRX40 and co (bsc#1051510). - ALSA: usb-audio: Add quirk for Focusrite Scarlett 2i2 (bsc#1051510). - ALSA: usb-audio: Add static mapping table for ALC1220-VB-based mobos (bsc#1051510). - ALSA: usb-audio: Apply async workaround for Scarlett 2i4 2nd gen (bsc#1051510). - ALSA: usb-audio: Check mapping at creating connector controls, too (bsc#1051510). - ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID (bsc#1051510). 
- ALSA: usb-audio: Do not create jack controls for PCM terminals (bsc#1051510).
- ALSA: usb-audio: Do not override ignore_ctl_error value from the map (bsc#1051510).
- ALSA: usb-audio: Filter error from connector kctl ops, too (bsc#1051510).
- ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif (bsc#1051510).
- ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC (git-fixes).
- ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio (git-fixes).
- ALSA: usx2y: Fix potential NULL dereference (bsc#1051510).
- ASoC: codecs: hdac_hdmi: Fix incorrect use of list_for_each_entry (bsc#1051510).
- ASoC: dapm: connect virtual mux with default value (bsc#1051510).
- ASoC: dapm: fixup dapm kcontrol widget (bsc#1051510).
- ASoC: dpcm: allow start or stop during pause for backend (bsc#1051510).
- ASoC: fix regwmask (bsc#1051510).
- ASoC: msm8916-wcd-digital: Reset RX interpolation path after use (bsc#1051510).
- ASoC: samsung: Prevent clk_get_rate() calls in atomic context (bsc#1111666).
- ASoC: topology: Check return value of pcm_new_ver (bsc#1051510).
- ASoC: topology: use name_prefix for new kcontrol (bsc#1051510).
- b43legacy: Fix case where channel status is corrupted (bsc#1051510).
- batman-adv: fix batadv_nc_random_weight_tq (git-fixes).
- batman-adv: Fix refcnt leak in batadv_show_throughput_override (git-fixes).
- batman-adv: Fix refcnt leak in batadv_store_throughput_override (git-fixes).
- batman-adv: Fix refcnt leak in batadv_v_ogm_process (git-fixes).
- bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (git fixes (block drivers)).
- bcache: fix incorrect data type usage in btree_flush_write() (git fixes (block drivers)).
- bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (git fixes (block drivers)).
- blk-mq: honor IO scheduler for multiqueue devices (bsc#1165478).
- blk-mq: simplify blk_mq_make_request() (bsc#1165478).
- block/drbd: delete invalid function drbd_md_mark_dirty_ (bsc#1171527).
- block: drbd: remove a stray unlock in __drbd_send_protocol() (bsc#1171599).
- block: fix busy device checking in blk_drop_partitions again (bsc#1171948).
- block: fix busy device checking in blk_drop_partitions (bsc#1171948).
- block: fix memleak of bio integrity data (git fixes (block drivers)).
- block: remove the bd_openers checks in blk_drop_partitions (bsc#1171948).
- bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets() (networking-stable-20_03_28).
- bnxt_en: Reduce BNXT_MSIX_VEC_MAX value to supported CQs per PF (bsc#1104745).
- bnxt_en: reinitialize IRQs when MTU is modified (networking-stable-20_03_14).
- bnxt_en: Return error if bnxt_alloc_ctx_mem() fails (bsc#1104745).
- bnxt_en: Return error when allocating zero size context memory (bsc#1104745).
- bonding/alb: make sure arp header is pulled before accessing it (networking-stable-20_03_14).
- bpf: Fix sk_psock refcnt leak when receiving message (bsc#1083647).
- bpf: Forbid XADD on spilled pointers for unprivileged users (bsc#1083647).
- brcmfmac: abort and release host after error (bsc#1051510).
- btrfs: fix deadlock with memory reclaim during scrub (bsc#1172127).
- btrfs: fix log context list corruption after rename whiteout error (bsc#1172342).
- btrfs: fix partial loss of prealloc extent past i_size after fsync (bsc#1172343).
- btrfs: relocation: add error injection points for cancelling balance (bsc#1171417).
- btrfs: relocation: Check cancel request after each data page read (bsc#1171417).
- btrfs: relocation: Check cancel request after each extent found (bsc#1171417).
- btrfs: relocation: Clear the DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417).
- btrfs: relocation: Fix reloc root leakage and the NULL pointer reference caused by the leakage (bsc#1171417).
- btrfs: relocation: Work around dead relocation stage loop (bsc#1171417).
- btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366).
- btrfs: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366).
- btrfs: setup a nofs context for memory allocation at btrfs_create_tree() (bsc#1172127).
- btrfs: setup a nofs context for memory allocation at __btrfs_set_acl (bsc#1172127).
- btrfs: use nofs context when initializing security xattrs to avoid deadlock (bsc#1172127).
- can: add missing attribute validation for termination (networking-stable-20_03_14).
- cdc-acm: close race betrween suspend() and acm_softint (git-fixes).
- cdc-acm: introduce a cool down (git-fixes).
- ceph: check if file lock exists before sending unlock request (bsc#1168789).
- ceph: demote quotarealm lookup warning to a debug message (bsc#1171692).
- ceph: fix double unlock in handle_cap_export() (bsc#1171694).
- ceph: fix endianness bug when handling MDS session feature bits (bsc#1171695).
- cgroup, netclassid: periodically release file_lock on classid updating (networking-stable-20_03_14).
- CIFS: Allocate crypto structures on the fly for calculating signatures of incoming packets (bsc#1144333).
- CIFS: Allocate encryption header through kmalloc (bsc#1144333).
- CIFS: allow unlock flock and OFD lock across fork (bsc#1144333).
- CIFS: check new file size when extending file by fallocate (bsc#1144333).
- CIFS: cifspdu.h: Replace zero-length array with flexible-array member (bsc#1144333).
- CIFS: clear PF_MEMALLOC before exiting demultiplex thread (bsc#1144333).
- CIFS: do not share tcons with DFS (bsc#1144333).
- CIFS: dump the session id and keys also for SMB2 sessions (bsc#1144333).
- CIFS: ensure correct super block for DFS reconnect (bsc#1144333).
- CIFS: Fix bug which the return value by asynchronous read is error (bsc#1144333).
- CIFS: fix uninitialised lease_key in open_shroot() (bsc#1144333).
- CIFS: improve read performance for page size 64KB & cache=strict & vers=2.1+ (bsc#1144333).
- CIFS: Increment num_remote_opens stats counter even in case of smb2_query_dir_first (bsc#1144333).
- CIFS: minor update to comments around the cifs_tcp_ses_lock mutex (bsc#1144333).
- CIFS: protect updating server->dstaddr with a spinlock (bsc#1144333).
- CIFS: smb2pdu.h: Replace zero-length array with flexible-array member (bsc#1144333).
- CIFS: smbd: Calculate the correct maximum packet size for segmented SMBDirect send/receive (bsc#1144333).
- CIFS: smbd: Check and extend sender credits in interrupt context (bsc#1144333).
- CIFS: smbd: Check send queue size before posting a send (bsc#1144333).
- CIFS: smbd: Do not schedule work to send immediate packet on every receive (bsc#1144333).
- CIFS: smbd: Merge code to track pending packets (bsc#1144333).
- CIFS: smbd: Properly process errors on ib_post_send (bsc#1144333).
- CIFS: smbd: Update receive credits before sending and deal with credits roll back on failure before sending (bsc#1144333).
- CIFS: Warn less noisily on default mount (bsc#1144333).
- clk: Add clk_hw_unregister_composite helper function definition (bsc#1051510).
- clk: imx6ull: use OSC clock during AXI rate change (bsc#1051510).
- clk: imx: make mux parent strings const (bsc#1051510).
- clk: mediatek: correct the clocks for MT2701 HDMI PHY module (bsc#1051510).
- clk: sunxi-ng: a64: Fix gate bit of DSI DPHY (bsc#1051510).
- clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620, bsc#1170621).
- clocksource: dw_apb_timer_of: Fix missing clockevent timers (bsc#1051510).
- component: Silence bind error on -EPROBE_DEFER (bsc#1051510).
- coresight: do not use the BIT() macro in the UAPI header (git fixes (block drivers)).
- cpufreq: s3c64xx: Remove pointless NULL check in s3c64xx_cpufreq_driver_init (bsc#1051510).
- crypto: ccp - AES CFB mode is a stream cipher (git-fixes).
- crypto: ccp - Clean up and exit correctly on allocation failure (git-fixes).
- crypto: ccp - Cleanup misc_dev on sev_exit() (bsc#1114279).
- crypto: ccp - Cleanup sp_dev_master in psp_dev_destroy() (bsc#1114279).
- cxgb4: fix MPS index overwrite when setting MAC address (bsc#1127355).
- cxgb4: fix Txq restart check during backpressure (bsc#1127354 bsc#1127371).
- debugfs: Add debugfs_create_xul() for hexadecimal unsigned long (git-fixes).
- debugfs_lookup(): switch to lookup_one_len_unlocked() (bsc#1171979).
- devlink: fix return value after hitting end in region read (bsc#1109837).
- devlink: validate length of param values (bsc#1109837).
- devlink: validate length of region addr/len (bsc#1109837).
- dmaengine: dmatest: Fix iteration non-stop logic (bsc#1051510).
- dm mpath: switch paths in dm_blk_ioctl() code path (bsc#1167574).
- dm-raid1: fix invalid return value from dm_mirror (bsc#1172378).
- dm writecache: fix data corruption when reloading the target (git fixes (block drivers)).
- dm writecache: fix incorrect flush sequence when doing SSD mode commit (git fixes (block drivers)).
- dm writecache: verify watermark during resume (git fixes (block drivers)).
- dm zoned: fix invalid memory access (git fixes (block drivers)).
- dm zoned: reduce overhead of backing device checks (git fixes (block drivers)).
- dm zoned: remove duplicate nr_rnd_zones increase in dmz_init_zone() (git fixes (block drivers)).
- dm zoned: support zone sizes smaller than 128MiB (git fixes (block drivers)).
- dp83640: reverse arguments to list_add_tail (git-fixes).
- drivers: hv: Add a module description line to the hv_vmbus driver (bsc#1172249, bsc#1172251).
- drivers/net/ibmvnic: Update VNIC protocol version reporting (bsc#1065729).
- drivers: w1: add hwmon support structures (jsc#SLE-11048).
- drivers: w1: add hwmon temp support for w1_therm (jsc#SLE-11048).
- drivers: w1: refactor w1_slave_show to make the temp reading functionality separate (jsc#SLE-11048).
- drm: amd/acp: fix broken menu structure (bsc#1114279)
  * context changes
- drm/amdgpu: Correctly initialize thermal controller for GPUs with Powerplay table v0 (e.g Hawaii) (bsc#1111666).
- drm/amdgpu: Fix oops when pp_funcs is unset in ACPI event (bsc#1111666).
- drm/amd/powerplay: force the trim of the mclk dpm_levels if OD is (bsc#1113956)
- drm/atomic: Take the atomic toys away from X (bsc#1112178)
  * context changes
- drm/crc: Actually allow to change the crc source (bsc#1114279)
  * offset changes
- drm/dp_mst: Fix clearing payload state on topology disable (bsc#1051510).
- drm/dp_mst: Reformat drm_dp_check_act_status() a bit (bsc#1051510).
- drm/edid: Fix off-by-one in DispID DTD pixel clock (bsc#1114279)
- drm/etnaviv: fix perfmon domain interation (bsc#1113956)
- drm/etnaviv: rework perfmon query infrastructure (bsc#1112178)
- drm/i915: Apply Wa_1406680159:icl,ehl as an engine workaround (bsc#1112178)
  * rename gt/intel_workarounds.c to intel_workarounds.c
  * context changes
- drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of (bsc#1114279)
- drm/i915: HDCP: fix Ri prime check done during link check (bsc#1112178)
  * rename display/intel_hdmi.c to intel_hdmi.c
  * context changes
- drm/i915: properly sanity check batch_start_offset (bsc#1114279)
  * renamed display/intel_fbc.c -> intel_fb.c
  * renamed gt/intel_rc6.c -> intel_pm.c
  * context changes
- drm/meson: Delete an error message in meson_dw_hdmi_bind() (bsc#1051510).
- drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem (bsc#1114279)
- drm/qxl: qxl_release leak in qxl_draw_dirty_fb() (bsc#1051510).
- drm/qxl: qxl_release leak in qxl_hw_surface_alloc() (bsc#1051510).
- drm/qxl: qxl_release use after free (bsc#1051510).
- drm: Remove PageReserved manipulation from drm_pci_alloc (bsc#1114279)
  * offset changes
- drm/sun4i: dsi: Allow binding the host without a panel (bsc#1113956)
- drm/sun4i: dsi: Avoid hotplug race with DRM driver bind (bsc#1113956)
- drm/sun4i: dsi: Remove incorrect use of runtime PM (bsc#1113956)
  * context changes
- drm/sun4i: dsi: Remove unused drv from driver context (bsc#1113956)
  * context changes
  * keep include of sun4i_drv.h
- dump_stack: avoid the livelock of the dump_lock (git fixes (block drivers)).
- EDAC, sb_edac: Add support for systems with segmented PCI buses (bsc#1169525).
- ext4: do not zeroout extents beyond i_disksize (bsc#1167851).
- ext4: fix extent_status fragmentation for plain files (bsc#1171949).
- ext4: use non-movable memory for superblock readahead (bsc#1171952).
- fanotify: fix merging marks masks with FAN_ONDIR (bsc#1171679).
- fbcon: fix null-ptr-deref in fbcon_switch (bsc#1114279)
  * rename drivers/video/fbdev/core to drivers/video/console
  * context changes
- fib: add missing attribute validation for tun_id (networking-stable-20_03_14).
- firmware: qcom: scm: fix compilation error when disabled (bsc#1051510).
- fs/cifs: fix gcc warning in sid_to_id (bsc#1144333).
- fs/seq_file.c: simplify seq_file iteration code and interface (bsc#1170125).
- gpio: tegra: mask GPIO IRQs during IRQ shutdown (bsc#1051510).
- gre: fix uninit-value in __iptunnel_pull_header (networking-stable-20_03_14).
- HID: hid-input: clear unmapped usages (git-fixes).
- HID: hyperv: Add a module description line (bsc#1172249, bsc#1172251).
- HID: i2c-hid: add Trekstor Primebook C11B to descriptor override (git-fixes).
- HID: i2c-hid: override HID descriptors for certain devices (git-fixes).
- HID: multitouch: add eGalaxTouch P80H84 support (bsc#1051510).
- HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices (git-fixes).
- hrtimer: Annotate lockless access to timer->state (git fixes (block drivers)).
- hsr: add restart routine into hsr_get_node_list() (networking-stable-20_03_28).
- hsr: check protocol version in hsr_newlink() (networking-stable-20_04_17).
- hsr: fix general protection fault in hsr_addr_is_self() (networking-stable-20_03_28).
- hsr: set .netnsok flag (networking-stable-20_03_28).
- hsr: use rcu_read_lock() in hsr_get_node_{list/status}() (networking-stable-20_03_28).
- i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present (git-fixes).
- i2c: acpi: put device when verifying client fails (git-fixes).
- i2c: brcmstb: remove unused struct member (git-fixes).
- i2c: core: Allow empty id_table in ACPI case as well (git-fixes).
- i2c: core: decrease reference count of device node in i2c_unregister_device (git-fixes).
- i2c: dev: Fix the race between the release of i2c_dev and cdev (bsc#1051510).
- i2c: fix missing pm_runtime_put_sync in i2c_device_probe (git-fixes).
- i2c-hid: properly terminate i2c_hid_dmi_desc_override_table array (git-fixes).
- i2c: i801: Do not add ICH_RES_IO_SMI for the iTCO_wdt device (git-fixes).
- i2c: iproc: Stop advertising support of SMBUS quick cmd (git-fixes).
- i2c: isch: Remove unnecessary acpi.h include (git-fixes).
- i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' (bsc#1051510).
- i2c: st: fix missing struct parameter description (bsc#1051510).
- IB/mlx5: Fix missing congestion control debugfs on rep rdma device (bsc#1103991).
- ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239).
- iio:ad7797: Use correct attribute_group (bsc#1051510).
- iio: adc: stm32-adc: fix device used to request dma (bsc#1051510).
- iio: adc: stm32-adc: fix sleep in atomic context (git-fixes).
- iio: adc: stm32-adc: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1051510).
- iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' (bsc#1051510).
- iio: sca3000: Remove an erroneous 'get_device()' (bsc#1051510).
- iio: xilinx-xadc: Fix ADC-B powerdown (bsc#1051510).
- iio: xilinx-xadc: Fix clearing interrupt when enabling trigger (bsc#1051510).
- iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode (bsc#1051510).
- ima: Fix return value of ima_write_policy() (git-fixes).
- Input: evdev - call input_flush_device() on release(), not flush() (bsc#1051510).
- Input: hyperv-keyboard - add module description (bsc#1172249, bsc#1172251).
- Input: i8042 - add Acer Aspire 5738z to nomux list (bsc#1051510).
- Input: i8042 - add ThinkPad S230u to i8042 reset list (bsc#1051510).
- Input: raydium_i2c_ts - use true and false for boolean values (bsc#1051510).
- Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() (bsc#1051510).
- Input: synaptics-rmi4 - really fix attn_data use-after-free (git-fixes).
- Input: usbtouchscreen - add support for BonXeon TP (bsc#1051510).
- Input: xpad - add custom init packet for Xbox One S controllers (bsc#1051510).
- iommu/amd: Call domain_flush_complete() in update_domain() (bsc#1172096).
- iommu/amd: Do not flush Device Table in iommu_map_page() (bsc#1172097).
- iommu/amd: Do not loop forever when trying to increase address space (bsc#1172098).
- iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system (bsc#1172099).
- iommu/amd: Fix over-read of ACPI UID from IVRS table (bsc#1172101).
- iommu/amd: Fix race in increase_address_space()/fetch_pte() (bsc#1172102).
- iommu/amd: Update Device Table in increase_address_space() (bsc#1172103).
- iommu: Fix reference count leak in iommu_group_alloc (bsc#1172397).
- ip6_tunnel: Allow rcv/xmit even if remote address is a local address (bsc#1166978).
- ipv4: fix a RCU-list lock in fib_triestat_seq_show (networking-stable-20_04_02).
- ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface (networking-stable-20_03_14).
- ipv6: do not auto-add link-local address to lag ports (networking-stable-20_04_09).
- ipv6: fix IPV6_ADDRFORM operation logic (bsc#1171662).
- ipv6: fix restrict IPV6_ADDRFORM operation (bsc#1171662).
- ipvlan: add cond_resched_rcu() while processing muticast backlog (networking-stable-20_03_14).
- ipvlan: do not deref eth hdr before checking it's set (networking-stable-20_03_14).
- ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast() (networking-stable-20_03_14).
- iwlwifi: pcie: actually release queue memory in TVQM (bsc#1051510).
- ixgbe: do not check firmware errors (bsc#1170284).
- kabi fix for early XHCI debug (git-fixes).
- kabi for for md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes).
- kabi/severities: Do not track KVM internal symbols.
- kabi/severities: Ingnore get_dev_data()
  The function is internal to the AMD IOMMU driver and must not be called by any third party.
- kabi workaround for snd_rawmidi buffer_ref field addition (git-fixes).
- KEYS: reaching the keys quotas correctly (bsc#1051510).
- KVM: arm64: Change hyp_panic()s dependency on tpidr_el2 (bsc#1133021).
- KVM: arm64: Stop save/restoring host tpidr_el1 on VHE (bsc#1133021).
- KVM: Check validity of resolved slot when searching memslots (bsc#1172104).
- KVM: s390: vsie: Fix delivery of addressing exceptions (git-fixes).
- KVM: SVM: Fix potential memory leak in svm_cpu_init() (bsc#1171736).
- KVM x86: Extend AMD specific guest behavior to Hygon virtual CPUs (bsc#1152489).
- l2tp: Allow management of tunnels and session in user namespace (networking-stable-20_04_17).
- libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() (bsc#1051510).
- libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set (bsc#1051510).
- lib: raid6: fix awk build warnings (git fixes (block drivers)).
- lib/raid6/test: fix build on distros whose /bin/sh is not bash (git fixes (block drivers)).
- lib/stackdepot.c: fix global out-of-bounds in stack_slabs (git fixes (block drivers)).
- locks: print unsigned ino in /proc/locks (bsc#1171951).
- mac80211: add ieee80211_is_any_nullfunc() (bsc#1051510).
- mac80211_hwsim: Use kstrndup() in place of kasprintf() (bsc#1051510).
- mac80211: mesh: fix discovery timer re-arming issue / crash (bsc#1051510).
- macsec: avoid to set wrong mtu (bsc#1051510).
- macsec: restrict to ethernet devices (networking-stable-20_03_28).
- macvlan: add cond_resched() during multicast processing (networking-stable-20_03_14).
- macvlan: fix null dereference in macvlan_device_event() (bsc#1051510).
- md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes).
- md/raid0: Fix an error message in raid0_make_request() (git fixes (block drivers)).
- md/raid10: prevent access of uninitialized resync_pages offset (git-fixes).
- media: dvb: return -EREMOTEIO on i2c transfer failure (bsc#1051510).
- media: platform: fcp: Set appropriate DMA parameters (bsc#1051510).
- media: ti-vpe: cal: fix disable_irqs to only the intended target (git-fixes).
- mei: release me_cl object reference (bsc#1051510).
- mlxsw: Fix some IS_ERR() vs NULL bugs (networking-stable-20_04_27).
- mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE (networking-stable-20_04_09).
- mlxsw: spectrum_mr: Fix list iteration in error path (bsc#1112374).
- mmc: atmel-mci: Fix debugfs on 64-bit platforms (git-fixes).
- mmc: core: Check request type before completing the request (git-fixes).
- mmc: core: Fix recursive locking issue in CQE recovery path (git-fixes).
- mmc: cqhci: Avoid false "cqhci: CQE stuck on" by not open-coding timeout loop (git-fixes).
- mmc: dw_mmc: Fix debugfs on 64-bit platforms (git-fixes).
- mmc: meson-gx: make sure the descriptor is stopped on errors (git-fixes).
- mmc: meson-gx: simplify interrupt handler (git-fixes).
- mmc: renesas_sdhi: limit block count to 16 bit for old revisions (git-fixes).
- mmc: sdhci-esdhc-imx: fix the mask for tuning start point (bsc#1051510).
- mmc: sdhci-msm: Clear tuning done flag while hs400 tuning (bsc#1051510).
- mmc: sdhci-of-at91: fix memleak on clk_get failure (git-fixes).
- mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers (bsc#1051510).
- mmc: sdhci-xenon: fix annoying 1.8V regulator warning (bsc#1051510).
- mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card() (bsc#1051510).
- mmc: tmio: fix access width of Block Count Register (git-fixes).
- mm: limit boost_watermark on small zones (git fixes (mm/pgalloc)).
- mm: thp: handle page cache THP correctly in PageTransCompoundMap (git fixes (block drivers)).
- mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer (bsc#1051510).
- mtd: spi-nor: cadence-quadspi: add a delay in write sequence (git-fixes).
- mtd: spi-nor: enable 4B opcodes for mx66l51235l (git-fixes).
- mtd: spi-nor: fsl-quadspi: Do not let -EINVAL on the bus (git-fixes).
- mwifiex: avoid -Wstringop-overflow warning (bsc#1051510).
- mwifiex: Fix memory corruption in dump_station (bsc#1051510).
- net: bcmgenet: correct per TX/RX ring statistics (networking-stable-20_04_27).
- net: dsa: b53: Fix ARL register definitions (networking-stable-20_04_27).
- net: dsa: b53: Rework ARL bin logic (networking-stable-20_04_27).
- net: dsa: bcm_sf2: Do not register slave MDIO bus with OF (networking-stable-20_04_09).
- net: dsa: bcm_sf2: Ensure correct sub-node is parsed (networking-stable-20_04_09).
- net: dsa: Fix duplicate frames flooded by learning (networking-stable-20_03_28).
- net: dsa: mv88e6xxx: fix lockup on warm boot (networking-stable-20_03_14).
- net/ethernet: add Google GVE driver (jsc#SLE-10538)
- net: fec: add phy_reset_after_clk_enable() support (git-fixes).
- net: fec: validate the new settings in fec_enet_set_coalesce() (networking-stable-20_03_14).
- net: fix race condition in __inet_lookup_established() (bsc#1151794).
- net: fq: add missing attribute validation for orphan mask (networking-stable-20_03_14).
- net: hns3: fix "tc qdisc del" failed issue (bsc#1109837).
- net, ip_tunnel: fix interface lookup with no key (networking-stable-20_04_02).
- net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin (networking-stable-20_04_17).
- net: ipv6: do not consider routes via gateways for anycast address check (networking-stable-20_04_17).
- netlink: Use netlink header as base to calculate bad attribute offset (networking-stable-20_03_14).
- net: macsec: update SCI upon MAC address change (networking-stable-20_03_14).
- net: memcg: fix lockdep splat in inet_csk_accept() (networking-stable-20_03_14).
- net: memcg: late association of sock to memcg (networking-stable-20_03_14).
- net/mlx4_en: avoid indirect call in TX completion (networking-stable-20_04_27).
- net/mlx5: Add new fields to Port Type and Speed register (bsc#1171118).
- net/mlx5: Expose link speed directly (bsc#1171118).
- net/mlx5: Expose port speed when possible (bsc#1171118).
- net/mlx5: Fix failing fw tracer allocation on s390 (bsc#1103990).
- net: mvneta: Fix the case where the last poll did not process all rx (networking-stable-20_03_28).
- net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node (networking-stable-20_04_27).
- net/packet: tpacket_rcv: do not increment ring index on drop (networking-stable-20_03_14).
- net: qmi_wwan: add support for ASKEY WWHC050 (networking-stable-20_03_28).
- net: revert default NAPI poll timeout to 2 jiffies (networking-stable-20_04_17).
- net_sched: cls_route: remove the right filter from hashtable (networking-stable-20_03_28).
- net_sched: sch_skbprio: add message validation to skbprio_change() (bsc#1109837).
- net/x25: Fix x25_neigh refcnt leak when receiving frame (networking-stable-20_04_27).
- nfc: add missing attribute validation for SE API (networking-stable-20_03_14).
- nfc: add missing attribute validation for vendor subcommand (networking-stable-20_03_14).
- nfc: st21nfca: add missed kfree_skb() in an error path (bsc#1051510).
- nfp: abm: fix a memory leak bug (bsc#1109837).
- nfsd4: fix up replay_matches_cache() (git-fixes).
- nfsd: Ensure CLONE persists data and metadata changes to the target file (git-fixes).
- nfsd: fix delay timer on 32-bit architectures (git-fixes).
- nfsd: fix jiffies/time_t mixup in LRU list (git-fixes).
- NFS: Directory page cache pages need to be locked when read (git-fixes).
- nfsd: memory corruption in nfsd4_lock() (git-fixes).
- NFS: Do not call generic_error_remove_page() while holding locks (bsc#1170457).
- NFS: Fix memory leaks and corruption in readdir (git-fixes).
- NFS: Fix O_DIRECT accounting of number of bytes read/written (git-fixes).
- NFS: Fix potential posix_acl refcnt leak in nfs3_set_acl (git-fixes).
- NFS: fix racey wait in nfs_set_open_stateid_locked (bsc#1170592).
- NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O (git-fixes).
- NFS/pnfs: Fix pnfs_generic_prepare_to_resend_writes() (git-fixes).
- NFS: Revalidate the file size on a fatal write error (git-fixes).
- NFSv4.0: nfs4_do_fsinfo() should not do implicit lease renewals (git-fixes).
- NFSv4: Do not allow a cached open with a revoked delegation (git-fixes).
- NFSv4: Fix leak of clp->cl_acceptor string (git-fixes).
- NFSv4/pnfs: Return valid stateids in nfs_layout_find_inode_by_stateid() (git-fixes).
- NFSv4: try lease recovery on NFS4ERR_EXPIRED (git-fixes).
- NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn (git-fixes).
- nl802154: add missing attribute validation for dev_type (networking-stable-20_03_14).
- nl802154: add missing attribute validation (networking-stable-20_03_14).
- nvme-fc: print proper nvme-fc devloss_tmo value (bsc#1172391).
- objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514).
- objtool: Fix switch table detection in .text.unlikely (bsc#1169514).
- objtool: Make BP scratch register warning more robust (bsc#1169514).
- padata: Remove broken queue flushing (git-fixes).
- Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()" (git fixes (block drivers)).
- PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2 (bsc#1172201, bsc#1172202).
- PCI: hv: Decouple the func definition in hv_dr_state from VSP message (bsc#1172201, bsc#1172202).
- pinctrl: baytrail: Enable pin configuration setting for GPIO chip (git-fixes).
- pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler (git-fixes).
- pinctrl: sunrisepoint: Fix PAD lock register offset for SPT-H (git-fixes).
- platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA (bsc#1051510).
- pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors (git-fixes).
- powerpc: Add attributes for setjmp/longjmp (bsc#1065729).
- powerpc/pci/of: Parse unassigned resources (bsc#1065729).
- powerpc/setup_64: Set cache-line-size based on cache-block-size (bsc#1065729).
- powerpc/sstep: Fix DS operand in ld encoding to appropriate value (bsc#1065729).
- r8152: check disconnect status after long sleep (networking-stable-20_03_14).
- raid6/ppc: Fix build for clang (git fixes (block drivers)).
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).
- rcu: locking and unlocking need to always be at least barriers (git fixes (block drivers)).
- Revert "ALSA: hda/realtek: Fix pop noise on ALC225" (git-fixes).
- Revert "drm/panel: simple: Add support for Sharp LQ150X1LG11 panels" (bsc#1114279)
  * offset changes
- Revert "HID: i2c-hid: add Trekstor Primebook C11B to descriptor override"
  Depends on 9b5c747685982d22efffeafc5ec601bd28f6d78b, which was also reverted.
- Revert "HID: i2c-hid: override HID descriptors for certain devices"
  This broke i2c-hid.ko's build, there is no way around it without a big file rename or renaming the kernel module.
- Revert "i2c-hid: properly terminate i2c_hid_dmi_desc_override_table"
  Fixed 9b5c747685982d22efffeafc5ec601bd28f6d78b, which was also reverted.
- Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" (bsc#1172221).
- Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow" (bsc#1103992).
- rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() (bsc#1051510).
- s390/cpum_cf: Add new extended counters for IBM z15 (bsc#1169762 LTC#185291).
- s390/ftrace: fix potential crashes when switching tracers (git-fixes).
- s390/ism: fix error return code in ism_probe() (git-fixes).
- s390/pci: do not set affinity for floating irqs (git-fixes).
- s390/pci: Fix possible deadlock in recover_store() (bsc#1165183 LTC#184103).
- s390/pci: Recover handle in clp_set_pci_fn() (bsc#1165183 LTC#184103).
- scripts/decodecode: fix trapping instruction formatting (bsc#1065729).
- scripts/dtc: Remove redundant YYLOC global declaration (bsc#1160388).
- scsi: bnx2i: fix potential use after free (bsc#1171600).
- scsi: core: Handle drivers which set sg_tablesize to zero (bsc#1171601)
  This commit also required: > scsi: core: avoid preallocating big SGL for data
- scsi: core: save/restore command resid for error handling (bsc#1171602).
- scsi: core: scsi_trace: Use get_unaligned_be*() (bsc#1171604).
- scsi: core: try to get module before removing device (bsc#1171605).
- scsi: csiostor: Adjust indentation in csio_device_reset (bsc#1171606).
- scsi: csiostor: Do not enable IRQs too early (bsc#1171607).
- scsi: esas2r: unlock on error in esas2r_nvram_read_direct() (bsc#1171608).
- scsi: fnic: fix invalid stack access (bsc#1171609).
- scsi: fnic: fix msix interrupt allocation (bsc#1171610).
- scsi: ibmvscsi: Fix WARN_ON during event pool release (bsc#1170791 ltc#185128).
- scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func (bsc#1171611).
- scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1171612).
- scsi: iscsi: qla4xxx: fix double free in probe (bsc#1171613).
- scsi: lpfc: Change default queue allocation for reduced memory consumption (bsc#1164780).
- scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences (bsc#1171614).
- scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1171615).
- scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event (bsc#1164780).
- scsi: lpfc: Fix MDS Diagnostic Enablement definition (bsc#1164780).
- scsi: lpfc: Fix negation of else clause in lpfc_prep_node_fc4type (bsc#1164780).
- scsi: lpfc: Fix noderef and address space warnings (bsc#1164780).
- scsi: lpfc: Maintain atomic consistency of queue_claimed flag (bsc#1164780).
- scsi: lpfc: remove duplicate unloading checks (bsc#1164780).
- scsi: lpfc: Remove re-binding of nvme rport during registration (bsc#1164780).
- scsi: lpfc: Remove redundant initialization to variable rc (bsc#1164780).
- scsi: lpfc: Remove unnecessary lockdep_assert_held calls (bsc#1164780).
- scsi: lpfc: Update lpfc version to 12.8.0.1 (bsc#1164780).
- scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state (bsc#1171616).
- scsi: qla2xxx: add ring buffer for tracing debug logs (bsc#1157169).
- scsi: qla2xxx: check UNLOADING before posting async work (bsc#1157169).
- scsi: qla2xxx: Delete all sessions before unregister local nvme port (bsc#1157169).
- scsi: qla2xxx: Do not log message when reading port speed via sysfs (bsc#1157169).
- scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV (bsc#1157169).
- scsi: qla2xxx: Fix regression warnings (bsc#1157169).
- scsi: qla2xxx: Remove non functional code (bsc#1157169).
- scsi: qla2xxx: set UNLOADING before waiting for session deletion (bsc#1157169).
- scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free (bsc#1171617).
- scsi: qla4xxx: fix double free bug (bsc#1171618).
- scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI (bsc#1171619).
- scsi: sg: add sg_remove_request in sg_common_write (bsc#1171620).
- scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) (bsc#1171621).
- scsi: ufs: change msleep to usleep_range (bsc#1171622). - scsi: ufs: Clean up ufshcd_scale_clks() and clock scaling error out path (bsc#1171623). - scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic (bsc#1171624). - scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails (bsc#1171625). - scsi: ufs: Recheck bkops level if bkops is disabled (bsc#1171626). - sctp: fix possibly using a bad saddr with a given dst (networking-stable-20_04_02). - sctp: fix refcount bug in sctp_wfree (networking-stable-20_04_02). - selftests/powerpc: Fix build errors in powerpc ptrace selftests (boo#1124278). - Separate one more kABI fixup from the functional change: - seq_file: fix problem when seeking mid-record (bsc#1170125). - serial: uartps: Move the spinlock after the read of the tx empty (git-fixes). - sfc: detach from cb_page in efx_copy_channel() (networking-stable-20_03_14). - signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig (bsc#1172185). - slcan: not call free_netdev before rtnl_unlock in slcan_open (networking-stable-20_03_28). - slip: make slhc_compress() more robust against malicious packets (networking-stable-20_03_14). - smb3: Additional compression structures (bsc#1144333). - smb3: Add new compression flags (bsc#1144333). - smb3: change noisy error message to FYI (bsc#1144333). - smb3: enable swap on SMB3 mounts (bsc#1144333). - smb3: Minor cleanup of protocol definitions (bsc#1144333). - smb3: remove overly noisy debug line in signing errors (bsc#1144333). - smb3: smbdirect support can be configured by default (bsc#1144333). - smb3: use SMB2_SIGNATURE_SIZE define (bsc#1144333). - spi: bcm2835: Fix 3-wire mode if DMA is enabled (git-fixes). - spi: bcm63xx-hsspi: Really keep pll clk enabled (bsc#1051510). - spi: bcm-qspi: when tx/rx buffer is NULL set to 0 (bsc#1051510). - spi: dw: Add SPI Rx-done wait method to DMA-based transfer (bsc#1051510). 
- spi: dw: Add SPI Tx-done wait method to DMA-based transfer (bsc#1051510). - spi: dw: Zero DMA Tx and Rx configurations on stack (bsc#1051510). - spi: fsl: do not map irq during probe (git-fixes). - spi: fsl: use platform_get_irq() instead of of_irq_to_resource() (git-fixes). - spi: pxa2xx: Add CS control clock quirk (bsc#1051510). - spi: qup: call spi_qup_pm_resume_runtime before suspending (bsc#1051510). - spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion (git-fixes). - spi: spi-s3c64xx: Fix system resume support (git-fixes). - spi/zynqmp: remove entry that causes a cs glitch (bsc#1051510). - staging: comedi: dt2815: fix writing hi byte of analog output (bsc#1051510). - staging: comedi: Fix comedi_device refcnt leak in comedi_open (bsc#1051510). - staging: iio: ad2s1210: Fix SPI reading (bsc#1051510). - staging: vt6656: Do not set RCR_MULTICAST or RCR_BROADCAST by default (git-fixes). - staging: vt6656: Fix drivers TBTT timing counter (git-fixes). - staging: vt6656: Fix pairwise key entry save (git-fixes). - sunrpc: expiry_time should be seconds not timeval (git-fixes). - SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()' (git-fixes). - supported.conf: Add br_netfilter to base (bsc#1169020). - supported.conf: support w1 core and thermometer support - svcrdma: Fix double svc_rdma_send_ctxt_put() in an error path (bsc#1103992). - svcrdma: Fix leak of transport addresses (git-fixes). - svcrdma: Fix trace point use-after-free race (bsc#1103992 ). - taskstats: fix data-race (bsc#1172188). - tcp: cache line align MAX_TCP_HEADER (networking-stable-20_04_27). - tcp: repair: fix TCP_QUEUE_SEQ implementation (networking-stable-20_03_28). - team: add missing attribute validation for array index (networking-stable-20_03_14). - team: add missing attribute validation for port ifindex (networking-stable-20_03_14). - team: fix hang in team_mode_get() (networking-stable-20_04_27). 
- tools lib traceevent: Remove unneeded qsort and uses memmove instead (git-fixes). - tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() (bsc#1065729). - tpm/tpm_tis: Free IRQ if probing fails (bsc#1082555). - tpm/tpm_tis: Free IRQ if probing fails (git-fixes). - tracing: Add a vmalloc_sync_mappings() for safe measure (git-fixes). - tracing: Disable trace_printk() on post poned tests (git-fixes). - tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation (git-fixes). - tty: rocket, avoid OOB access (git-fixes). - tun: Do not put_page() for all negative return values from XDP program (bsc#1109837). - UAS: fix deadlock in error handling and PM flushing work (git-fixes). - UAS: no use logging any details in case of ENODEV (git-fixes). - Update config files: Build w1 bus on arm64 (jsc#SLE-11048) - USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE (git-fixes). - USB: cdc-acm: restore capability check order (git-fixes). - USB: core: Fix misleading driver bug report (bsc#1051510). - USB: dwc3: do not set gadget->is_otg flag (git-fixes). - USB: dwc3: gadget: Do link recovery for SS and SSP (git-fixes). - USB: early: Handle AMD's spec-compliant identifiers, too (git-fixes). - USB: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset() (git-fixes). - USB: gadget: audio: Fix a missing error return value in audio_bind() (git-fixes). - USB: gadget: composite: Inform controller driver of self-powered (git-fixes). - USB: gadget: legacy: fix error return code in cdc_bind() (git-fixes). - USB: gadget: legacy: fix error return code in gncm_bind() (git-fixes). - USB: gadget: legacy: fix redundant initialization warnings (bsc#1051510). - USB: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' (git-fixes). - USB: gadget: udc: atmel: Fix vbus disconnect handling (git-fixes). - USB: gadget: udc: atmel: Make some symbols static (git-fixes). 
- USB: gadget: udc: bdc: Remove unnecessary NULL checks in bdc_req_complete (git-fixes). - USB: host: xhci-plat: keep runtime active when removing host (git-fixes). - USB: hub: Fix handling of connect changes during sleep (git-fixes). - usbnet: silence an unnecessary warning (bsc#1170770). - USB: serial: garmin_gps: add sanity checking for data length (git-fixes). - USB: serial: option: add BroadMobi BM806U (git-fixes). - USB: serial: option: add support for ASKEY WWHC050 (git-fixes). - USB: serial: option: add Wistron Neweb D19Q1 (git-fixes). - USB: serial: qcserial: Add DW5816e support (git-fixes). - USB: sisusbvga: Change port variable from signed to unsigned (git-fixes). - usb-storage: Add unusual_devs entry for JMicron JMS566 (git-fixes). - USB: uas: add quirk for LaCie 2Big Quadra (git-fixes). - USB: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list (git-fixes). - video: fbdev: sis: Remove unnecessary parentheses and commented code (bsc#1114279) - video: fbdev: w100fb: Fix a potential double free (bsc#1051510). - vrf: Check skb for XFRM_TRANSFORMED flag (networking-stable-20_04_27). - vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines (git-fixes). - vt: selection, introduce vc_is_sel (git-fixes). - vt: vt_ioctl: fix race in VT_RESIZEX (git-fixes). - vt: vt_ioctl: fix use-after-free in vt_in_use() (git-fixes). - vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console (git-fixes). - vxlan: check return value of gro_cells_init() (networking-stable-20_03_28). - w1: Add subsystem kernel public interface (jsc#SLE-11048). - w1: Fix slave count on 1-Wire bus (resend) (jsc#SLE-11048). - w1: keep balance of mutex locks and refcnts (jsc#SLE-11048). - w1: use put_device() if device_register() fail (jsc#SLE-11048). - watchdog: reset last_hw_keepalive time at start (git-fixes). - wcn36xx: Fix error handling path in 'wcn36xx_probe()' (bsc#1051510). - wil6210: remove reset file from debugfs (git-fixes). 
- wimax/i2400m: Fix potential urb refcnt leak (bsc#1051510). - workqueue: do not use wq_select_unbound_cpu() for bound works (bsc#1172130). - x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115). - x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115). - x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115). - x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115). - x86/hyperv: Allow guests to enable InvariantTSC (bsc#1170621, bsc#1170620). - x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170617, bsc#1170618). - x86/Hyper-V: report value of misc_features (git fixes). - x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170617, bsc#1170618). - x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170617, bsc#1170618). - x86/kprobes: Avoid kretprobe recursion bug (bsc#1114279). - x86/resctrl: Fix invalid attempt at removing the default resource group (git-fixes). - x86/resctrl: Preserve CDP enable over CPU hotplug (bsc#1114279). - x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115). - x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115). - x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115). - x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115). - x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115). - x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115). - xen/pci: reserve MCFG areas earlier (bsc#1170145). - xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish (networking-stable-20_04_27). 
- xfs: clear PF_MEMALLOC before exiting xfsaild thread (git-fixes). - xfs: Correctly invert xfs_buftarg LRU isolation logic (git-fixes). - xfs: do not ever return a stale pointer from __xfs_dir3_free_read (git-fixes). - xprtrdma: Fix completion wait during device removal (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15-SP1: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-1604=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (noarch): kernel-devel-azure-4.12.14-8.33.1 kernel-source-azure-4.12.14-8.33.1 - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (x86_64): kernel-azure-4.12.14-8.33.1 kernel-azure-base-4.12.14-8.33.1 kernel-azure-base-debuginfo-4.12.14-8.33.1 kernel-azure-debuginfo-4.12.14-8.33.1 kernel-azure-devel-4.12.14-8.33.1 kernel-syms-azure-4.12.14-8.33.1 References: https://www.suse.com/security/cve/CVE-2018-1000199.html https://www.suse.com/security/cve/CVE-2019-19462.html https://www.suse.com/security/cve/CVE-2019-20806.html https://www.suse.com/security/cve/CVE-2019-20812.html https://www.suse.com/security/cve/CVE-2019-9455.html https://www.suse.com/security/cve/CVE-2020-0543.html https://www.suse.com/security/cve/CVE-2020-10690.html https://www.suse.com/security/cve/CVE-2020-10711.html https://www.suse.com/security/cve/CVE-2020-10720.html https://www.suse.com/security/cve/CVE-2020-10732.html https://www.suse.com/security/cve/CVE-2020-10751.html https://www.suse.com/security/cve/CVE-2020-10757.html https://www.suse.com/security/cve/CVE-2020-12114.html https://www.suse.com/security/cve/CVE-2020-12464.html https://www.suse.com/security/cve/CVE-2020-12652.html 
https://www.suse.com/security/cve/CVE-2020-12653.html https://www.suse.com/security/cve/CVE-2020-12654.html https://www.suse.com/security/cve/CVE-2020-12655.html https://www.suse.com/security/cve/CVE-2020-12656.html https://www.suse.com/security/cve/CVE-2020-12657.html https://www.suse.com/security/cve/CVE-2020-12659.html https://www.suse.com/security/cve/CVE-2020-12768.html https://www.suse.com/security/cve/CVE-2020-12769.html https://www.suse.com/security/cve/CVE-2020-13143.html https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1058115 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1082555 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1089895 https://bugzilla.suse.com/1103990 https://bugzilla.suse.com/1103991 https://bugzilla.suse.com/1103992 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374 https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1124278 https://bugzilla.suse.com/1127354 https://bugzilla.suse.com/1127355 https://bugzilla.suse.com/1127371 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1142685 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1151794 https://bugzilla.suse.com/1152489 https://bugzilla.suse.com/1154824 https://bugzilla.suse.com/1157169 https://bugzilla.suse.com/1158265 https://bugzilla.suse.com/1160388 https://bugzilla.suse.com/1160947 https://bugzilla.suse.com/1164780 https://bugzilla.suse.com/1164871 https://bugzilla.suse.com/1165183 https://bugzilla.suse.com/1165478 https://bugzilla.suse.com/1165741 https://bugzilla.suse.com/1166969 https://bugzilla.suse.com/1166978 https://bugzilla.suse.com/1167574 https://bugzilla.suse.com/1167851 https://bugzilla.suse.com/1167867 https://bugzilla.suse.com/1168332 https://bugzilla.suse.com/1168670 https://bugzilla.suse.com/1168789 https://bugzilla.suse.com/1169020 
https://bugzilla.suse.com/1169514 https://bugzilla.suse.com/1169525 https://bugzilla.suse.com/1169762 https://bugzilla.suse.com/1170056 https://bugzilla.suse.com/1170125 https://bugzilla.suse.com/1170145 https://bugzilla.suse.com/1170284 https://bugzilla.suse.com/1170345 https://bugzilla.suse.com/1170457 https://bugzilla.suse.com/1170522 https://bugzilla.suse.com/1170592 https://bugzilla.suse.com/1170617 https://bugzilla.suse.com/1170618 https://bugzilla.suse.com/1170620 https://bugzilla.suse.com/1170621 https://bugzilla.suse.com/1170770 https://bugzilla.suse.com/1170778 https://bugzilla.suse.com/1170791 https://bugzilla.suse.com/1170901 https://bugzilla.suse.com/1171078 https://bugzilla.suse.com/1171098 https://bugzilla.suse.com/1171118 https://bugzilla.suse.com/1171189 https://bugzilla.suse.com/1171191 https://bugzilla.suse.com/1171195 https://bugzilla.suse.com/1171202 https://bugzilla.suse.com/1171205 https://bugzilla.suse.com/1171214 https://bugzilla.suse.com/1171217 https://bugzilla.suse.com/1171218 https://bugzilla.suse.com/1171219 https://bugzilla.suse.com/1171220 https://bugzilla.suse.com/1171244 https://bugzilla.suse.com/1171293 https://bugzilla.suse.com/1171417 https://bugzilla.suse.com/1171527 https://bugzilla.suse.com/1171599 https://bugzilla.suse.com/1171600 https://bugzilla.suse.com/1171601 https://bugzilla.suse.com/1171602 https://bugzilla.suse.com/1171604 https://bugzilla.suse.com/1171605 https://bugzilla.suse.com/1171606 https://bugzilla.suse.com/1171607 https://bugzilla.suse.com/1171608 https://bugzilla.suse.com/1171609 https://bugzilla.suse.com/1171610 https://bugzilla.suse.com/1171611 https://bugzilla.suse.com/1171612 https://bugzilla.suse.com/1171613 https://bugzilla.suse.com/1171614 https://bugzilla.suse.com/1171615 https://bugzilla.suse.com/1171616 https://bugzilla.suse.com/1171617 https://bugzilla.suse.com/1171618 https://bugzilla.suse.com/1171619 https://bugzilla.suse.com/1171620 https://bugzilla.suse.com/1171621 
https://bugzilla.suse.com/1171622 https://bugzilla.suse.com/1171623 https://bugzilla.suse.com/1171624 https://bugzilla.suse.com/1171625 https://bugzilla.suse.com/1171626 https://bugzilla.suse.com/1171662 https://bugzilla.suse.com/1171679 https://bugzilla.suse.com/1171691 https://bugzilla.suse.com/1171692 https://bugzilla.suse.com/1171694 https://bugzilla.suse.com/1171695 https://bugzilla.suse.com/1171736 https://bugzilla.suse.com/1171817 https://bugzilla.suse.com/1171948 https://bugzilla.suse.com/1171949 https://bugzilla.suse.com/1171951 https://bugzilla.suse.com/1171952 https://bugzilla.suse.com/1171979 https://bugzilla.suse.com/1171982 https://bugzilla.suse.com/1171983 https://bugzilla.suse.com/1172017 https://bugzilla.suse.com/1172096 https://bugzilla.suse.com/1172097 https://bugzilla.suse.com/1172098 https://bugzilla.suse.com/1172099 https://bugzilla.suse.com/1172101 https://bugzilla.suse.com/1172102 https://bugzilla.suse.com/1172103 https://bugzilla.suse.com/1172104 https://bugzilla.suse.com/1172127 https://bugzilla.suse.com/1172130 https://bugzilla.suse.com/1172185 https://bugzilla.suse.com/1172188 https://bugzilla.suse.com/1172199 https://bugzilla.suse.com/1172201 https://bugzilla.suse.com/1172202 https://bugzilla.suse.com/1172221 https://bugzilla.suse.com/1172249 https://bugzilla.suse.com/1172251 https://bugzilla.suse.com/1172317 https://bugzilla.suse.com/1172342 https://bugzilla.suse.com/1172343 https://bugzilla.suse.com/1172344 https://bugzilla.suse.com/1172366 https://bugzilla.suse.com/1172378 https://bugzilla.suse.com/1172391 https://bugzilla.suse.com/1172397 https://bugzilla.suse.com/1172453 From sle-updates at lists.suse.com Wed Jun 10 14:28:05 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 10 Jun 2020 22:28:05 +0200 (CEST) Subject: SUSE-SU-2020:1602-1: important: Security update for the Linux Kernel Message-ID: <20200610202805.1278FF749@maintenance.suse.de> SUSE Security Update: Security update for the Linux 
Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1602-1 Rating: important References: #1051510 #1058115 #1065729 #1071995 #1082555 #1083647 #1089895 #1103990 #1103991 #1103992 #1104745 #1109837 #1111666 #1112178 #1112374 #1113956 #1114279 #1124278 #1127354 #1127355 #1127371 #1133021 #1141558 #1142685 #1144333 #1151794 #1152489 #1154824 #1157169 #1158265 #1160388 #1160947 #1164780 #1164871 #1165183 #1165478 #1165741 #1166969 #1166978 #1167574 #1167851 #1167867 #1168332 #1168503 #1168670 #1168789 #1169005 #1169020 #1169514 #1169525 #1169762 #1170056 #1170125 #1170145 #1170284 #1170345 #1170457 #1170522 #1170592 #1170617 #1170618 #1170620 #1170621 #1170770 #1170778 #1170791 #1170901 #1171078 #1171098 #1171118 #1171189 #1171191 #1171195 #1171202 #1171205 #1171214 #1171217 #1171218 #1171219 #1171220 #1171244 #1171293 #1171417 #1171527 #1171599 #1171600 #1171601 #1171602 #1171604 #1171605 #1171606 #1171607 #1171608 #1171609 #1171610 #1171611 #1171612 #1171613 #1171614 #1171615 #1171616 #1171617 #1171618 #1171619 #1171620 #1171621 #1171622 #1171623 #1171624 #1171625 #1171626 #1171662 #1171679 #1171691 #1171692 #1171694 #1171695 #1171736 #1171761 #1171817 #1171948 #1171949 #1171951 #1171952 #1171979 #1171982 #1171983 #1172017 #1172096 #1172097 #1172098 #1172099 #1172101 #1172102 #1172103 #1172104 #1172127 #1172130 #1172185 #1172188 #1172199 #1172201 #1172202 #1172218 #1172221 #1172249 #1172251 #1172253 #1172317 #1172342 #1172343 #1172344 #1172366 #1172378 #1172391 #1172397 #1172453 Cross-References: CVE-2018-1000199 CVE-2019-19462 CVE-2019-20806 CVE-2019-20812 CVE-2019-9455 CVE-2020-0543 CVE-2020-10690 CVE-2020-10711 CVE-2020-10720 CVE-2020-10732 CVE-2020-10751 CVE-2020-10757 CVE-2020-12114 CVE-2020-12464 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 CVE-2020-12655 CVE-2020-12656 CVE-2020-12657 CVE-2020-12659 CVE-2020-12768 CVE-2020-12769 CVE-2020-13143 Affected Products: SUSE Linux Enterprise Workstation 
Extension 12-SP5
SUSE Linux Enterprise Software Development Kit 12-SP5
SUSE Linux Enterprise Server 12-SP5
SUSE Linux Enterprise Live Patching 12-SP5
SUSE Linux Enterprise High Availability 12-SP5
______________________________________________________________________________

An update that solves 24 vulnerabilities and has 133 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824).
- CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).
- CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).
- CVE-2020-12768: Fixed a memory leak in svm_cpu_uninit in arch/x86/kvm/svm.c (bsc#1171736).
- CVE-2020-12659: Fixed an out-of-bounds write (by a user with the CAP_NET_ADMIN capability) due to improper headroom validation (bsc#1171214).
- CVE-2020-12657: A use-after-free in block/bfq-iosched.c (bsc#1171205).
- CVE-2020-12656: Fixed an improper handling of certain domain_release calls which could have led to a memory leak (bsc#1171219).
- CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).
- CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).
- CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).
- CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).
- CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10711: Fixed a null pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).
- CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).
- CVE-2019-20806: Fixed a null pointer dereference which may have led to denial of service (bsc#1172199).
- CVE-2019-19462: Fixed an issue which could have allowed a local user to cause denial of service (bsc#1158265).
- CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The following non-security bugs were fixed:

- ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe() (bsc#1051510).
- ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() (bsc#1051510). - acpi/x86: ignore unspecified bit positions in the ACPI global lock field (bsc#1051510). - Add br_netfilter to kernel-default-base (bsc#1169020) - Add commit for git-fix that's not a fix This commit cleans up debug code but does not fix anything, and it relies on a new kernel function that isn't yet in this version of SLE. - agp/intel: Reinforce the barrier after GTT updates (bsc#1051510). - ALSA: ctxfi: Remove unnecessary cast in kfree (bsc#1051510). - ALSA: doc: Document PC Beep Hidden Register on Realtek ALC256 (bsc#1051510). - ALSA: dummy: Fix PCM format loop in proc output (bsc#1111666). - ALSA: hda: Add driver blacklist (bsc#1051510). - ALSA: hda: Always use jackpoll helper for jack update after resume (bsc#1051510). - ALSA: hda: call runtime_allow() for all hda controllers (bsc#1051510). - ALSA: hda: Do not release card at firmware loading error (bsc#1051510). - ALSA: hda: Explicitly permit using autosuspend if runtime PM is supported (bsc#1051510). - ALSA: hda/hdmi: fix race in monitor detection during probe (bsc#1051510). - ALSA: hda/hdmi: fix without unlocked before return (bsc#1051510). - ALSA: hda: Honor PM disablement in PM freeze and thaw_noirq ops (bsc#1051510). - ALSA: hda: Keep the controller initialization even if no codecs found (bsc#1051510). - ALSA: hda: Match both PCI ID and SSID for driver blacklist (bsc#1111666). - ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround (bsc#1172017). - ALSA: hda/realtek - Add COEF workaround for ASUS ZenBook UX431DA (git-fixes). - ALSA: hda/realtek - Add HP new mute led supported for ALC236 (git-fixes). - ALSA: hda/realtek - Add more fixup entries for Clevo machines (git-fixes). - ALSA: hda/realtek - Add new codec supported for ALC245 (bsc#1051510). - ALSA: hda/realtek - Add new codec supported for ALC287 (git-fixes). - ALSA: hda/realtek: Add quirk for Samsung Notebook (git-fixes). 
- ALSA: hda/realtek - Add supported new mute Led for HP (git-fixes). - ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295 (git-fixes). - ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295 (git-fixes). - ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295 (git-fixes). - ALSA: hda/realtek - Enable the headset mic on Asus FX505DT (bsc#1051510). - ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse (git-fixes). - ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme (bsc#1111666). - ALSA: hda/realtek - Fix unexpected init_amp override (bsc#1051510). - ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 (git-fixes bsc#1171293). - ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter (bsc#1051510). - ALSA: hda: Release resources at error in delayed probe (bsc#1051510). - ALSA: hda: Remove ASUS ROG Zenith from the blacklist (bsc#1051510). - ALSA: hda: Skip controller resume if not needed (bsc#1051510). - ALSA: hwdep: fix a left shifting 1 by 31 UB bug (git-fixes). - ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option (git-fixes). - ALSA: opti9xx: shut up gcc-10 range warning (bsc#1051510). - ALSA: pcm: fix incorrect hw_base increase (git-fixes). - ALSA: pcm: oss: Place the plugin buffer overflow checks correctly (bsc#1170522). - ALSA: rawmidi: Fix racy buffer resize under concurrent accesses (git-fixes). - ALSA: usb-audio: Add connector notifier delegation (bsc#1051510). - ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset (git-fixes). - ALSA: usb-audio: add mapping for ASRock TRX40 Creator (git-fixes). - ALSA: usb-audio: Add mixer workaround for TRX40 and co (bsc#1051510). - ALSA: usb-audio: Add quirk for Focusrite Scarlett 2i2 (bsc#1051510). - ALSA: usb-audio: Add static mapping table for ALC1220-VB-based mobos (bsc#1051510). - ALSA: usb-audio: Apply async workaround for Scarlett 2i4 2nd gen (bsc#1051510). 
- ALSA: usb-audio: Check mapping at creating connector controls, too (bsc#1051510). - ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID (bsc#1051510). - ALSA: usb-audio: Do not create jack controls for PCM terminals (bsc#1051510). - ALSA: usb-audio: Do not override ignore_ctl_error value from the map (bsc#1051510). - ALSA: usb-audio: Filter error from connector kctl ops, too (bsc#1051510). - ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif (bsc#1051510). - ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC (git-fixes). - ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio (git-fixes). - ALSA: usx2y: Fix potential NULL dereference (bsc#1051510). - ASoC: codecs: hdac_hdmi: Fix incorrect use of list_for_each_entry (bsc#1051510). - ASoC: dapm: connect virtual mux with default value (bsc#1051510). - ASoC: dapm: fixup dapm kcontrol widget (bsc#1051510). - ASoC: dpcm: allow start or stop during pause for backend (bsc#1051510). - ASoC: fix regwmask (bsc#1051510). - ASoC: msm8916-wcd-digital: Reset RX interpolation path after use (bsc#1051510). - ASoC: samsung: Prevent clk_get_rate() calls in atomic context (bsc#1111666). - ASoC: topology: Check return value of pcm_new_ver (bsc#1051510). - ASoC: topology: use name_prefix for new kcontrol (bsc#1051510). - b43legacy: Fix case where channel status is corrupted (bsc#1051510). - batman-adv: fix batadv_nc_random_weight_tq (git-fixes). - batman-adv: Fix refcnt leak in batadv_show_throughput_override (git-fixes). - batman-adv: Fix refcnt leak in batadv_store_throughput_override (git-fixes). - batman-adv: Fix refcnt leak in batadv_v_ogm_process (git-fixes). - bcache: avoid unnecessary btree nodes flushing in btree_flush_write() (git fixes (block drivers)). - bcache: fix incorrect data type usage in btree_flush_write() (git fixes (block drivers)). - bcache: Revert "bcache: shrink btree node cache after bch_btree_check()" (git fixes (block drivers)). 
- blk-mq: honor IO scheduler for multiqueue devices (bsc#1165478). - blk-mq: simplify blk_mq_make_request() (bsc#1165478). - block/drbd: delete invalid function drbd_md_mark_dirty_ (bsc#1171527). - block: drbd: remove a stray unlock in __drbd_send_protocol() (bsc#1171599). - block: fix busy device checking in blk_drop_partitions again (bsc#1171948). - block: fix busy device checking in blk_drop_partitions (bsc#1171948). - block: fix memleak of bio integrity data (git fixes (block drivers)). - block: remove the bd_openers checks in blk_drop_partitions (bsc#1171948). - bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets() (networking-stable-20_03_28). - bnxt_en: Reduce BNXT_MSIX_VEC_MAX value to supported CQs per PF (bsc#1104745). - bnxt_en: reinitialize IRQs when MTU is modified (networking-stable-20_03_14). - bnxt_en: Return error if bnxt_alloc_ctx_mem() fails (bsc#1104745 ). - bnxt_en: Return error when allocating zero size context memory (bsc#1104745). - bonding/alb: make sure arp header is pulled before accessing it (networking-stable-20_03_14). - bpf: Fix sk_psock refcnt leak when receiving message (bsc#1083647). - bpf: Forbid XADD on spilled pointers for unprivileged users (bsc#1083647). - brcmfmac: abort and release host after error (bsc#1051510). - btrfs: fix deadlock with memory reclaim during scrub (bsc#1172127). - btrfs: fix log context list corruption after rename whiteout error (bsc#1172342). - btrfs: fix partial loss of prealloc extent past i_size after fsync (bsc#1172343). - btrfs: move the dio_sem higher up the callchain (bsc#1171761). - btrfs: relocation: add error injection points for cancelling balance (bsc#1171417). - btrfs: relocation: Check cancel request after each data page read (bsc#1171417). - btrfs: relocation: Check cancel request after each extent found (bsc#1171417). - btrfs: relocation: Clear the DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417). 
- btrfs: relocation: Fix reloc root leakage and the NULL pointer reference caused by the leakage (bsc#1171417). - btrfs: relocation: Work around dead relocation stage loop (bsc#1171417). - btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366). - btrfs: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366). - btrfs: setup a nofs context for memory allocation at btrfs_create_tree() (bsc#1172127). - btrfs: setup a nofs context for memory allocation at __btrfs_set_acl (bsc#1172127). - btrfs: use nofs context when initializing security xattrs to avoid deadlock (bsc#1172127). - can: add missing attribute validation for termination (networking-stable-20_03_14). - cdc-acm: close race betrween suspend() and acm_softint (git-fixes). - cdc-acm: introduce a cool down (git-fixes). - ceph: check if file lock exists before sending unlock request (bsc#1168789). - ceph: demote quotarealm lookup warning to a debug message (bsc#1171692). - ceph: fix double unlock in handle_cap_export() (bsc#1171694). - ceph: fix double unlock in handle_cap_export() (bsc#1171694). - ceph: fix endianness bug when handling MDS session feature bits (bsc#1171695). - ceph: fix endianness bug when handling MDS session feature bits (bsc#1171695). - cgroup, netclassid: periodically release file_lock on classid updating (networking-stable-20_03_14). - CIFS: Allocate crypto structures on the fly for calculating signatures of incoming packets (bsc#1144333). - CIFS: Allocate encryption header through kmalloc (bsc#1144333). - CIFS: allow unlock flock and OFD lock across fork (bsc#1144333). - CIFS: check new file size when extending file by fallocate (bsc#1144333). - CIFS: cifspdu.h: Replace zero-length array with flexible-array member (bsc#1144333). - CIFS: clear PF_MEMALLOC before exiting demultiplex thread (bsc#1144333). - CIFS: do not share tcons with DFS (bsc#1144333). 
- CIFS: dump the session id and keys also for SMB2 sessions (bsc#1144333).
- CIFS: ensure correct super block for DFS reconnect (bsc#1144333).
- CIFS: Fix bug which the return value by asynchronous read is error (bsc#1144333).
- CIFS: fix uninitialised lease_key in open_shroot() (bsc#1144333).
- CIFS: improve read performance for page size 64KB & cache=strict & vers=2.1+ (bsc#1144333).
- CIFS: Increment num_remote_opens stats counter even in case of smb2_query_dir_first (bsc#1144333).
- CIFS: minor update to comments around the cifs_tcp_ses_lock mutex (bsc#1144333).
- CIFS: protect updating server->dstaddr with a spinlock (bsc#1144333).
- CIFS: smb2pdu.h: Replace zero-length array with flexible-array member (bsc#1144333).
- CIFS: smbd: Calculate the correct maximum packet size for segmented SMBDirect send/receive (bsc#1144333).
- CIFS: smbd: Check and extend sender credits in interrupt context (bsc#1144333).
- CIFS: smbd: Check send queue size before posting a send (bsc#1144333).
- CIFS: smbd: Do not schedule work to send immediate packet on every receive (bsc#1144333).
- CIFS: smbd: Merge code to track pending packets (bsc#1144333).
- CIFS: smbd: Properly process errors on ib_post_send (bsc#1144333).
- CIFS: smbd: Update receive credits before sending and deal with credits roll back on failure before sending (bsc#1144333).
- CIFS: Warn less noisily on default mount (bsc#1144333).
- clk: Add clk_hw_unregister_composite helper function definition (bsc#1051510).
- clk: imx6ull: use OSC clock during AXI rate change (bsc#1051510).
- clk: imx: make mux parent strings const (bsc#1051510).
- clk: mediatek: correct the clocks for MT2701 HDMI PHY module (bsc#1051510).
- clk: sunxi-ng: a64: Fix gate bit of DSI DPHY (bsc#1051510).
- clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620).
- clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170620, bsc#1170621).
- clocksource: dw_apb_timer_of: Fix missing clockevent timers (bsc#1051510).
- component: Silence bind error on -EPROBE_DEFER (bsc#1051510).
- coresight: do not use the BIT() macro in the UAPI header (git fixes (block drivers)).
- cpufreq: s3c64xx: Remove pointless NULL check in s3c64xx_cpufreq_driver_init (bsc#1051510).
- crypto: ccp - AES CFB mode is a stream cipher (git-fixes).
- crypto: ccp - Change a message to reflect status instead of failure (bsc#1172218).
- crypto: ccp - Clean up and exit correctly on allocation failure (git-fixes).
- crypto: ccp - Cleanup misc_dev on sev_exit() (bsc#1114279).
- crypto: ccp - Cleanup sp_dev_master in psp_dev_destroy() (bsc#1114279).
- cxgb4: fix MPS index overwrite when setting MAC address (bsc#1127355).
- cxgb4: fix Txq restart check during backpressure (bsc#1127354 bsc#1127371).
- debugfs: Add debugfs_create_xul() for hexadecimal unsigned long (git-fixes).
- debugfs_lookup(): switch to lookup_one_len_unlocked() (bsc#1171979).
- devlink: fix return value after hitting end in region read (bsc#1109837).
- devlink: validate length of param values (bsc#1109837).
- devlink: validate length of region addr/len (bsc#1109837).
- dmaengine: dmatest: Fix iteration non-stop logic (bsc#1051510).
- dm mpath: switch paths in dm_blk_ioctl() code path (bsc#1167574).
- dm-raid1: fix invalid return value from dm_mirror (bsc#1172378).
- dm writecache: fix data corruption when reloading the target (git fixes (block drivers)).
- dm writecache: fix incorrect flush sequence when doing SSD mode commit (git fixes (block drivers)).
- dm writecache: verify watermark during resume (git fixes (block drivers)).
- dm zoned: fix invalid memory access (git fixes (block drivers)).
- dm zoned: reduce overhead of backing device checks (git fixes (block drivers)).
- dm zoned: remove duplicate nr_rnd_zones increase in dmz_init_zone() (git fixes (block drivers)).
- dm zoned: support zone sizes smaller than 128MiB (git fixes (block drivers)).
- dp83640: reverse arguments to list_add_tail (git-fixes).
- Drivers: hv: Add a module description line to the hv_vmbus driver (bsc#1172249, bsc#1172251).
- Drivers: hv: Add a module description line to the hv_vmbus driver (bsc#1172253).
- Drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170618).
- Drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170618).
- Drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618).
- Drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170618).
- drivers/net/ibmvnic: Update VNIC protocol version reporting (bsc#1065729).
- Drivers: w1: add hwmon support structures (jsc#SLE-11048).
- Drivers: w1: add hwmon temp support for w1_therm (jsc#SLE-11048).
- Drivers: w1: refactor w1_slave_show to make the temp reading functionality separate (jsc#SLE-11048).
- drm: amd/acp: fix broken menu structure (bsc#1114279)
  * context changes
- drm/amdgpu: Correctly initialize thermal controller for GPUs with Powerplay table v0 (e.g Hawaii) (bsc#1111666).
- drm/amdgpu: Fix oops when pp_funcs is unset in ACPI event (bsc#1111666).
- drm/amd/powerplay: force the trim of the mclk dpm_levels if OD is (bsc#1113956)
- drm/atomic: Take the atomic toys away from X (bsc#1112178)
  * context changes
- drm/crc: Actually allow to change the crc source (bsc#1114279)
  * offset changes
- drm/dp_mst: Fix clearing payload state on topology disable (bsc#1051510).
- drm/dp_mst: Reformat drm_dp_check_act_status() a bit (bsc#1051510).
- drm/edid: Fix off-by-one in DispID DTD pixel clock (bsc#1114279)
- drm/etnaviv: fix perfmon domain interation (bsc#1113956)
- drm/etnaviv: rework perfmon query infrastructure (bsc#1112178)
- drm/i915: Apply Wa_1406680159:icl,ehl as an engine workaround (bsc#1112178)
  * rename gt/intel_workarounds.c to intel_workarounds.c
  * context changes
- drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of (bsc#1114279)
- drm/i915: HDCP: fix Ri prime check done during link check (bsc#1112178)
  * rename display/intel_hdmi.c to intel_hdmi.c
  * context changes
- drm/i915: properly sanity check batch_start_offset (bsc#1114279)
  * renamed display/intel_fbc.c -> intel_fb.c
  * renamed gt/intel_rc6.c -> intel_pm.c
  * context changes
- drm/meson: Delete an error message in meson_dw_hdmi_bind() (bsc#1051510).
- drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem (bsc#1114279)
- drm/qxl: qxl_release leak in qxl_draw_dirty_fb() (bsc#1051510).
- drm/qxl: qxl_release leak in qxl_hw_surface_alloc() (bsc#1051510).
- drm/qxl: qxl_release use after free (bsc#1051510).
- drm: Remove PageReserved manipulation from drm_pci_alloc (bsc#1114279)
  * offset changes
- drm/sun4i: dsi: Allow binding the host without a panel (bsc#1113956)
- drm/sun4i: dsi: Avoid hotplug race with DRM driver bind (bsc#1113956)
- drm/sun4i: dsi: Remove incorrect use of runtime PM (bsc#1113956)
  * context changes
- drm/sun4i: dsi: Remove unused drv from driver context (bsc#1113956)
  * context changes
  * keep include of sun4i_drv.h
- dump_stack: avoid the livelock of the dump_lock (git fixes (block drivers)).
- EDAC/amd64: Add family ops for Family 19h Models 00h-0Fh (jsc#SLE-11833).
- EDAC/amd64: Drop some family checks for newer systems (jsc#SLE-11833).
- EDAC/mce_amd: Always load on SMCA systems (jsc#SLE-11833).
- EDAC/mce_amd: Make fam_ops static global (jsc#SLE-11833).
- EDAC, sb_edac: Add support for systems with segmented PCI buses (bsc#1169525).
- ext4: do not zeroout extents beyond i_disksize (bsc#1167851).
- ext4: fix extent_status fragmentation for plain files (bsc#1171949).
- ext4: use non-movable memory for superblock readahead (bsc#1171952).
- fanotify: fix merging marks masks with FAN_ONDIR (bsc#1171679).
- fbcon: fix null-ptr-deref in fbcon_switch (bsc#1114279)
  * rename drivers/video/fbdev/core to drivers/video/console
  * context changes
- fib: add missing attribute validation for tun_id (networking-stable-20_03_14).
- firmware: qcom: scm: fix compilation error when disabled (bsc#1051510).
- Fix a backport bug, where btrfs_put_root() -> btrfs_put_fs_root() modification is not needed due to missing dependency
- fs/cifs: fix gcc warning in sid_to_id (bsc#1144333).
- fs/seq_file.c: simplify seq_file iteration code and interface (bsc#1170125).
- gpio: tegra: mask GPIO IRQs during IRQ shutdown (bsc#1051510).
- gre: fix uninit-value in __iptunnel_pull_header (networking-stable-20_03_14).
- HID: hid-input: clear unmapped usages (git-fixes).
- HID: hyperv: Add a module description line (bsc#1172249, bsc#1172251).
- HID: hyperv: Add a module description line (bsc#1172253).
- HID: i2c-hid: add Trekstor Primebook C11B to descriptor override (git-fixes).
- HID: i2c-hid: override HID descriptors for certain devices (git-fixes).
- HID: multitouch: add eGalaxTouch P80H84 support (bsc#1051510).
- HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices (git-fixes).
- hrtimer: Annotate lockless access to timer->state (git fixes (block drivers)).
- hsr: add restart routine into hsr_get_node_list() (networking-stable-20_03_28).
- hsr: check protocol version in hsr_newlink() (networking-stable-20_04_17).
- hsr: fix general protection fault in hsr_addr_is_self() (networking-stable-20_03_28).
- hsr: set .netnsok flag (networking-stable-20_03_28).
- hsr: use rcu_read_lock() in hsr_get_node_{list/status}() (networking-stable-20_03_28).
- i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present (git-fixes).
- i2c: acpi: put device when verifying client fails (git-fixes).
- i2c: brcmstb: remove unused struct member (git-fixes).
- i2c: core: Allow empty id_table in ACPI case as well (git-fixes).
- i2c: core: decrease reference count of device node in i2c_unregister_device (git-fixes).
- i2c: dev: Fix the race between the release of i2c_dev and cdev (bsc#1051510).
- i2c: fix missing pm_runtime_put_sync in i2c_device_probe (git-fixes).
- i2c-hid: properly terminate i2c_hid_dmi_desc_override_table array (git-fixes).
- i2c: i801: Do not add ICH_RES_IO_SMI for the iTCO_wdt device (git-fixes).
- i2c: iproc: Stop advertising support of SMBUS quick cmd (git-fixes).
- i2c: isch: Remove unnecessary acpi.h include (git-fixes).
- i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' (bsc#1051510).
- i2c: st: fix missing struct parameter description (bsc#1051510).
- IB/ipoib: Add child to parent list only if device initialized (bsc#1168503).
- IB/ipoib: Consolidate checking of the proposed child interface (bsc#1168503).
- IB/ipoib: Do not remove child devices from within the ndo_uninit (bsc#1168503).
- IB/ipoib: Get rid of IPOIB_FLAG_GOING_DOWN (bsc#1168503).
- IB/ipoib: Get rid of the sysfs_mutex (bsc#1168503).
- IB/ipoib: Maintain the child_intfs list from ndo_init/uninit (bsc#1168503).
- IB/ipoib: Move all uninit code into ndo_uninit (bsc#1168503).
- IB/ipoib: Move init code to ndo_init (bsc#1168503).
- IB/ipoib: Replace printk with pr_warn (bsc#1168503).
- IB/ipoib: Use cancel_delayed_work_sync for neigh-clean task (bsc#1168503).
- IB/ipoib: Warn when one port fails to initialize (bsc#1168503).
- IB/mlx5: Fix missing congestion control debugfs on rep rdma device (bsc#1103991).
- ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239).
- iio:ad7797: Use correct attribute_group (bsc#1051510).
- iio: adc: stm32-adc: fix device used to request dma (bsc#1051510).
- iio: adc: stm32-adc: fix sleep in atomic context (git-fixes).
- iio: adc: stm32-adc: Use dma_request_chan() instead dma_request_slave_channel() (bsc#1051510).
- iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' (bsc#1051510).
- iio: sca3000: Remove an erroneous 'get_device()' (bsc#1051510).
- iio: xilinx-xadc: Fix ADC-B powerdown (bsc#1051510).
- iio: xilinx-xadc: Fix clearing interrupt when enabling trigger (bsc#1051510).
- iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode (bsc#1051510).
- ima: Fix return value of ima_write_policy() (git-fixes).
- Input: evdev - call input_flush_device() on release(), not flush() (bsc#1051510).
- Input: hyperv-keyboard - add module description (bsc#1172249, bsc#1172251).
- Input: hyperv-keyboard - add module description (bsc#1172253).
- Input: i8042 - add Acer Aspire 5738z to nomux list (bsc#1051510).
- Input: i8042 - add ThinkPad S230u to i8042 reset list (bsc#1051510).
- Input: raydium_i2c_ts - use true and false for boolean values (bsc#1051510).
- Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() (bsc#1051510).
- Input: synaptics-rmi4 - really fix attn_data use-after-free (git-fixes).
- Input: usbtouchscreen - add support for BonXeon TP (bsc#1051510).
- Input: xpad - add custom init packet for Xbox One S controllers (bsc#1051510).
- iommu/amd: Call domain_flush_complete() in update_domain() (bsc#1172096).
- iommu/amd: Do not flush Device Table in iommu_map_page() (bsc#1172097).
- iommu/amd: Do not loop forever when trying to increase address space (bsc#1172098).
- iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system (bsc#1172099).
- iommu/amd: Fix over-read of ACPI UID from IVRS table (bsc#1172101).
- iommu/amd: Fix race in increase_address_space()/fetch_pte() (bsc#1172102).
- iommu/amd: Update Device Table in increase_address_space() (bsc#1172103).
- iommu: Fix reference count leak in iommu_group_alloc (bsc#1172397).
- ip6_tunnel: Allow rcv/xmit even if remote address is a local address (bsc#1166978).
- ipmi: fix hung processes in __get_guid() (git-fixes).
- ipv4: fix a RCU-list lock in fib_triestat_seq_show (networking-stable-20_04_02).
- ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface (networking-stable-20_03_14).
- ipv6: do not auto-add link-local address to lag ports (networking-stable-20_04_09).
- ipv6: fix IPV6_ADDRFORM operation logic (bsc#1171662).
- ipv6: Fix nlmsg_flags when splitting a multipath route (networking-stable-20_03_01).
- ipv6: fix restrict IPV6_ADDRFORM operation (bsc#1171662).
- ipv6: Fix route replacement with dev-only route (networking-stable-20_03_01).
- ipvlan: add cond_resched_rcu() while processing muticast backlog (networking-stable-20_03_14).
- ipvlan: do not deref eth hdr before checking it's set (networking-stable-20_03_14).
- ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast() (networking-stable-20_03_14).
- iwlwifi: pcie: actually release queue memory in TVQM (bsc#1051510).
- ixgbe: do not check firmware errors (bsc#1170284).
- kabi fix for early XHCI debug (git-fixes).
- kabi for for md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes).
- kabi, protect struct ib_device (bsc#1168503).
- kabi/severities: Do not track KVM internal symbols.
- kabi/severities: Ingnore get_dev_data() The function is internal to the AMD IOMMU driver and must not be called by any third party.
- kabi workaround for snd_rawmidi buffer_ref field addition (git-fixes).
- KEYS: reaching the keys quotas correctly (bsc#1051510).
- KVM: arm64: Change hyp_panic()s dependency on tpidr_el2 (bsc#1133021).
- KVM: arm64: Stop save/restoring host tpidr_el1 on VHE (bsc#1133021).
- KVM: Check validity of resolved slot when searching memslots (bsc#1172104).
- KVM: s390: vsie: Fix delivery of addressing exceptions (git-fixes).
- KVM: s390: vsie: Fix possible race when shadowing region 3 tables (git-fixes).
- KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks (git-fixes).
- KVM: SVM: Fix potential memory leak in svm_cpu_init() (bsc#1171736).
- KVM x86: Extend AMD specific guest behavior to Hygon virtual CPUs (bsc#1152489).
- l2tp: Allow management of tunnels and session in user namespace (networking-stable-20_04_17).
- libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() (bsc#1051510).
- libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set (bsc#1051510).
- lib: raid6: fix awk build warnings (git fixes (block drivers)).
- lib/raid6/test: fix build on distros whose /bin/sh is not bash (git fixes (block drivers)).
- lib/stackdepot.c: fix global out-of-bounds in stack_slabs (git fixes (block drivers)).
- locks: print unsigned ino in /proc/locks (bsc#1171951).
- mac80211: add ieee80211_is_any_nullfunc() (bsc#1051510).
- mac80211_hwsim: Use kstrndup() in place of kasprintf() (bsc#1051510).
- mac80211: mesh: fix discovery timer re-arming issue / crash (bsc#1051510).
- macsec: avoid to set wrong mtu (bsc#1051510).
- macsec: restrict to ethernet devices (networking-stable-20_03_28).
- macvlan: add cond_resched() during multicast processing (networking-stable-20_03_14).
- macvlan: fix null dereference in macvlan_device_event() (bsc#1051510).
- make some Fujitsu systems run (bsc#1141558).
- md: improve handling of bio with REQ_PREFLUSH in md_flush_request() (git-fixes).
- md/raid0: Fix an error message in raid0_make_request() (git fixes (block drivers)).
- md/raid10: prevent access of uninitialized resync_pages offset (git-fixes).
- media: dvb: return -EREMOTEIO on i2c transfer failure (bsc#1051510).
- media: platform: fcp: Set appropriate DMA parameters (bsc#1051510).
- media: ti-vpe: cal: fix disable_irqs to only the intended target (git-fixes).
- mei: release me_cl object reference (bsc#1051510).
- mlxsw: Fix some IS_ERR() vs NULL bugs (networking-stable-20_04_27).
- mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE (networking-stable-20_04_09).
- mlxsw: spectrum_mr: Fix list iteration in error path (bsc#1112374).
- mmc: atmel-mci: Fix debugfs on 64-bit platforms (git-fixes).
- mmc: core: Check request type before completing the request (git-fixes).
- mmc: core: Fix recursive locking issue in CQE recovery path (git-fixes).
- mmc: cqhci: Avoid false "cqhci: CQE stuck on" by not open-coding timeout loop (git-fixes).
- mmc: dw_mmc: Fix debugfs on 64-bit platforms (git-fixes).
- mmc: meson-gx: make sure the descriptor is stopped on errors (git-fixes).
- mmc: meson-gx: simplify interrupt handler (git-fixes).
- mmc: renesas_sdhi: limit block count to 16 bit for old revisions (git-fixes).
- mmc: sdhci-esdhc-imx: fix the mask for tuning start point (bsc#1051510).
- mmc: sdhci-msm: Clear tuning done flag while hs400 tuning (bsc#1051510).
- mmc: sdhci-of-at91: fix memleak on clk_get failure (git-fixes).
- mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers (bsc#1051510).
- mmc: sdhci-xenon: fix annoying 1.8V regulator warning (bsc#1051510).
- mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card() (bsc#1051510).
- mmc: tmio: fix access width of Block Count Register (git-fixes).
- mm: limit boost_watermark on small zones (git fixes (mm/pgalloc)).
- mm: thp: handle page cache THP correctly in PageTransCompoundMap (git fixes (block drivers)).
- mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer (bsc#1051510).
- mtd: spi-nor: cadence-quadspi: add a delay in write sequence (git-fixes).
- mtd: spi-nor: enable 4B opcodes for mx66l51235l (git-fixes).
- mtd: spi-nor: fsl-quadspi: Do not let -EINVAL on the bus (git-fixes).
- mwifiex: avoid -Wstringop-overflow warning (bsc#1051510).
- mwifiex: Fix memory corruption in dump_station (bsc#1051510).
- net: bcmgenet: correct per TX/RX ring statistics (networking-stable-20_04_27).
- net: dsa: b53: Fix ARL register definitions (networking-stable-20_04_27).
- net: dsa: b53: Rework ARL bin logic (networking-stable-20_04_27).
- net: dsa: bcm_sf2: Do not register slave MDIO bus with OF (networking-stable-20_04_09).
- net: dsa: bcm_sf2: Ensure correct sub-node is parsed (networking-stable-20_04_09).
- net: dsa: bcm_sf2: Fix overflow checks (git-fixes).
- net: dsa: Fix duplicate frames flooded by learning (networking-stable-20_03_28).
- net: dsa: mv88e6xxx: fix lockup on warm boot (networking-stable-20_03_14).
- net/ethernet: add Google GVE driver (jsc#SLE-10538)
- net: fec: add phy_reset_after_clk_enable() support (git-fixes).
- net: fec: validate the new settings in fec_enet_set_coalesce() (networking-stable-20_03_14).
- net: fib_rules: Correctly set table field when table number exceeds 8 bits (networking-stable-20_03_01).
- net: fix race condition in __inet_lookup_established() (bsc#1151794).
- net: fq: add missing attribute validation for orphan mask (networking-stable-20_03_14).
- net: hns3: fix "tc qdisc del" failed issue (bsc#1109837).
- net, ip_tunnel: fix interface lookup with no key (networking-stable-20_04_02).
- net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin (networking-stable-20_04_17).
- net: ipv6: do not consider routes via gateways for anycast address check (networking-stable-20_04_17).
- netlink: Use netlink header as base to calculate bad attribute offset (networking-stable-20_03_14).
- net: macsec: update SCI upon MAC address change (networking-stable-20_03_14).
- net: memcg: fix lockdep splat in inet_csk_accept() (networking-stable-20_03_14).
- net: memcg: late association of sock to memcg (networking-stable-20_03_14).
- net/mlx4_en: avoid indirect call in TX completion (networking-stable-20_04_27).
- net/mlx5: Add new fields to Port Type and Speed register (bsc#1171118).
- net/mlx5: Add new fields to Port Type and Speed register (bsc#1171118).
- net/mlx5: Add RoCE RX ICRC encapsulated counter (bsc#1171118).
- net/mlx5e: Fix ethtool self test: link speed (bsc#1171118).
- net/mlx5e: Move port speed code from en_ethtool.c to en/port.c (bsc#1171118).
- net/mlx5: Expose link speed directly (bsc#1171118).
- net/mlx5: Expose link speed directly (bsc#1171118).
- net/mlx5: Expose port speed when possible (bsc#1171118).
- net/mlx5: Expose port speed when possible (bsc#1171118).
- net/mlx5: Fix failing fw tracer allocation on s390 (bsc#1103990).
- net: mvneta: Fix the case where the last poll did not process all rx (networking-stable-20_03_28).
- net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node (networking-stable-20_04_27).
- net/packet: tpacket_rcv: do not increment ring index on drop (networking-stable-20_03_14).
- net: phy: restore mdio regs in the iproc mdio driver (networking-stable-20_03_01).
- net: qmi_wwan: add support for ASKEY WWHC050 (networking-stable-20_03_28).
- net: revert default NAPI poll timeout to 2 jiffies (networking-stable-20_04_17).
- net_sched: cls_route: remove the right filter from hashtable (networking-stable-20_03_28).
- net_sched: sch_skbprio: add message validation to skbprio_change() (bsc#1109837).
- net/x25: Fix x25_neigh refcnt leak when receiving frame (networking-stable-20_04_27).
- nfc: add missing attribute validation for SE API (networking-stable-20_03_14).
- nfc: add missing attribute validation for vendor subcommand (networking-stable-20_03_14).
- nfc: pn544: Fix occasional HW initialization failure (networking-stable-20_03_01).
- nfc: st21nfca: add missed kfree_skb() in an error path (bsc#1051510).
- nfp: abm: fix a memory leak bug (bsc#1109837).
- nfsd4: fix up replay_matches_cache() (git-fixes).
- nfsd: Ensure CLONE persists data and metadata changes to the target file (git-fixes).
- nfsd: fix delay timer on 32-bit architectures (git-fixes).
- nfsd: fix jiffies/time_t mixup in LRU list (git-fixes).
- nfs: Directory page cache pages need to be locked when read (git-fixes).
- nfsd: memory corruption in nfsd4_lock() (git-fixes).
- nfs: Do not call generic_error_remove_page() while holding locks (bsc#1170457).
- nfs: Fix memory leaks and corruption in readdir (git-fixes).
- nfs: Fix O_DIRECT accounting of number of bytes read/written (git-fixes).
- nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl (git-fixes).
- nfs: fix racey wait in nfs_set_open_stateid_locked (bsc#1170592).
- nfs/flexfiles: Use the correct TCP timeout for flexfiles I/O (git-fixes).
- nfs/pnfs: Fix pnfs_generic_prepare_to_resend_writes() (git-fixes).
- nfs: Revalidate the file size on a fatal write error (git-fixes).
- NFSv4.0: nfs4_do_fsinfo() should not do implicit lease renewals (git-fixes).
- NFSv4: Do not allow a cached open with a revoked delegation (git-fixes).
- NFSv4: Fix leak of clp->cl_acceptor string (git-fixes).
- NFSv4/pnfs: Return valid stateids in nfs_layout_find_inode_by_stateid() (git-fixes).
- NFSv4: try lease recovery on NFS4ERR_EXPIRED (git-fixes).
- NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn (git-fixes).
- nl802154: add missing attribute validation for dev_type (networking-stable-20_03_14).
- nl802154: add missing attribute validation (networking-stable-20_03_14).
- nvme-fc: print proper nvme-fc devloss_tmo value (bsc#1172391).
- objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514).
- objtool: Fix switch table detection in .text.unlikely (bsc#1169514).
- objtool: Make BP scratch register warning more robust (bsc#1169514).
- padata: Remove broken queue flushing (git-fixes).
- Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()" (git fixes (block drivers)).
- PCI: hv: Add support for protocol 1.3 and support PCI_BUS_RELATIONS2 (bsc#1172201, bsc#1172202).
- PCI: hv: Decouple the func definition in hv_dr_state from VSP message (bsc#1172201, bsc#1172202).
- PCI: sanity test on PCI vendor to be sure we do not touch everything (bsc#1141558).
- perf/x86/amd: Add support for Large Increment per Cycle Events (jsc#SLE-11831).
- perf/x86/amd: Constrain Large Increment per Cycle events (jsc#SLE-11831).
- pinctrl: baytrail: Enable pin configuration setting for GPIO chip (git-fixes).
- pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler (git-fixes).
- pinctrl: sunrisepoint: Fix PAD lock register offset for SPT-H (git-fixes).
- platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA (bsc#1051510).
- pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors (git-fixes).
- powerpc: Add attributes for setjmp/longjmp (bsc#1065729).
- powerpc/pci/of: Parse unassigned resources (bsc#1065729).
- powerpc/setup_64: Set cache-line-size based on cache-block-size (bsc#1065729).
- powerpc/sstep: Fix DS operand in ld encoding to appropriate value (bsc#1065729).
- qede: Fix race between rdma destroy workqueue and link change event (networking-stable-20_03_01).
- r8152: check disconnect status after long sleep (networking-stable-20_03_14).
- raid6/ppc: Fix build for clang (git fixes (block drivers)).
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).
- rcu: locking and unlocking need to always be at least barriers (git fixes (block drivers)).
- RDMA/ipoib: Fix use of sizeof() (bsc#1168503).
- RDMA/netdev: Fix netlink support in IPoIB (bsc#1168503).
- RDMA/netdev: Hoist alloc_netdev_mqs out of the driver (bsc#1168503).
- RDMA/netdev: Use priv_destructor for netdev cleanup (bsc#1168503).
- Remove 2 git-fixes that cause build issues. (bsc#1171691)
- Revert "drm/panel: simple: Add support for Sharp LQ150X1LG11 panels" (bsc#1114279)
- Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" (bsc#1172221).
- Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow" (bsc#1103992).
- rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() (bsc#1051510).
- s390/cpum_cf: Add new extended counters for IBM z15 (bsc#1169762 LTC#185291).
- s390/pci: Fix possible deadlock in recover_store() (bsc#1165183 LTC#184103).
- s390/pci: Recover handle in clp_set_pci_fn() (bsc#1165183 LTC#184103).
- scripts/decodecode: fix trapping instruction formatting (bsc#1065729).
- scripts/dtc: Remove redundant YYLOC global declaration (bsc#1160388).
- scsi: bnx2i: fix potential use after free (bsc#1171600).
- scsi: core: Handle drivers which set sg_tablesize to zero (bsc#1171601)
- scsi: core: save/restore command resid for error handling (bsc#1171602).
- scsi: core: scsi_trace: Use get_unaligned_be*() (bsc#1171604).
- scsi: core: try to get module before removing device (bsc#1171605).
- scsi: csiostor: Adjust indentation in csio_device_reset (bsc#1171606).
- scsi: csiostor: Do not enable IRQs too early (bsc#1171607).
- scsi: esas2r: unlock on error in esas2r_nvram_read_direct() (bsc#1171608).
- scsi: fnic: fix invalid stack access (bsc#1171609).
- scsi: fnic: fix msix interrupt allocation (bsc#1171610).
- scsi: ibmvscsi: Fix WARN_ON during event pool release (bsc#1170791 ltc#185128).
- scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func (bsc#1171611).
- scsi: iscsi: Fix a potential deadlock in the timeout handler (bsc#1171612).
- scsi: iscsi: qla4xxx: fix double free in probe (bsc#1171613).
- scsi: lpfc: Change default queue allocation for reduced memory consumption (bsc#1164780).
- scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences (bsc#1171614).
- scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG (bsc#1171615).
- scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event (bsc#1164780).
- scsi: lpfc: Fix MDS Diagnostic Enablement definition (bsc#1164780).
- scsi: lpfc: Fix negation of else clause in lpfc_prep_node_fc4type (bsc#1164780).
- scsi: lpfc: Fix noderef and address space warnings (bsc#1164780).
- scsi: lpfc: Maintain atomic consistency of queue_claimed flag (bsc#1164780).
- scsi: lpfc: remove duplicate unloading checks (bsc#1164780).
- scsi: lpfc: Remove re-binding of nvme rport during registration (bsc#1164780).
- scsi: lpfc: Remove redundant initialization to variable rc (bsc#1164780).
- scsi: lpfc: Remove unnecessary lockdep_assert_held calls (bsc#1164780).
- scsi: lpfc: Update lpfc version to 12.8.0.1 (bsc#1164780).
- scsi: megaraid_sas: Do not initiate OCR if controller is not in ready state (bsc#1171616).
- scsi: qla2xxx: add ring buffer for tracing debug logs (bsc#1157169).
- scsi: qla2xxx: check UNLOADING before posting async work (bsc#1157169).
- scsi: qla2xxx: Delete all sessions before unregister local nvme port (bsc#1157169).
- scsi: qla2xxx: Do not log message when reading port speed via sysfs (bsc#1157169).
- scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV (bsc#1157169).
- scsi: qla2xxx: Fix regression warnings (bsc#1157169).
- scsi: qla2xxx: Remove non functional code (bsc#1157169).
- scsi: qla2xxx: set UNLOADING before waiting for session deletion (bsc#1157169).
- scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free (bsc#1171617).
- scsi: qla4xxx: fix double free bug (bsc#1171618).
- scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI (bsc#1171619).
- scsi: sg: add sg_remove_request in sg_common_write (bsc#1171620).
- scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) (bsc#1171621).
- scsi: ufs: change msleep to usleep_range (bsc#1171622).
- scsi: ufs: Clean up ufshcd_scale_clks() and clock scaling error out path (bsc#1171623).
- scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic (bsc#1171624).
- scsi: ufs: Fix ufshcd_probe_hba() reture value in case ufshcd_scsi_add_wlus() fails (bsc#1171625).
- scsi: ufs: Recheck bkops level if bkops is disabled (bsc#1171626).
- sctp: fix possibly using a bad saddr with a given dst (networking-stable-20_04_02).
- sctp: fix refcount bug in sctp_wfree (networking-stable-20_04_02).
- sctp: move the format error check out of __sctp_sf_do_9_1_abort (networking-stable-20_03_01).
- selftests/powerpc: Fix build errors in powerpc ptrace selftests (boo#1124278).
- seq_file: fix problem when seeking mid-record (bsc#1170125).
- sfc: detach from cb_page in efx_copy_channel() (networking-stable-20_03_14).
- signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig (bsc#1172185).
- slcan: not call free_netdev before rtnl_unlock in slcan_open (networking-stable-20_03_28).
- slip: make slhc_compress() more robust against malicious packets (networking-stable-20_03_14).
- smb3: Additional compression structures (bsc#1144333).
- smb3: Add new compression flags (bsc#1144333).
- smb3: change noisy error message to FYI (bsc#1144333).
- smb3: enable swap on SMB3 mounts (bsc#1144333).
- smb3: Minor cleanup of protocol definitions (bsc#1144333).
- smb3: remove overly noisy debug line in signing errors (bsc#1144333).
- smb3: smbdirect support can be configured by default (bsc#1144333).
- smb3: use SMB2_SIGNATURE_SIZE define (bsc#1144333).
- spi: bcm63xx-hsspi: Really keep pll clk enabled (bsc#1051510).
- spi: bcm-qspi: when tx/rx buffer is NULL set to 0 (bsc#1051510).
- spi: dw: Add SPI Rx-done wait method to DMA-based transfer (bsc#1051510).
- spi: dw: Add SPI Tx-done wait method to DMA-based transfer (bsc#1051510).
- spi: dw: Zero DMA Tx and Rx configurations on stack (bsc#1051510).
- spi: pxa2xx: Add CS control clock quirk (bsc#1051510).
- spi: qup: call spi_qup_pm_resume_runtime before suspending (bsc#1051510).
- spi/zynqmp: remove entry that causes a cs glitch (bsc#1051510).
- staging: comedi: dt2815: fix writing hi byte of analog output (bsc#1051510).
- staging: comedi: Fix comedi_device refcnt leak in comedi_open (bsc#1051510).
- staging: iio: ad2s1210: Fix SPI reading (bsc#1051510).
- supported.conf: Add br_netfilter to base (bsc#1169020).
- supported.conf: support w1 core and thermometer support - svcrdma: Fix double svc_rdma_send_ctxt_put() in an error path (bsc#1103992). - svcrdma: Fix leak of transport addresses (git-fixes). - svcrdma: Fix trace point use-after-free race (bsc#1103992 ). - taskstats: fix data-race (bsc#1172188). - tcp: cache line align MAX_TCP_HEADER (networking-stable-20_04_27). - tcp: repair: fix TCP_QUEUE_SEQ implementation (networking-stable-20_03_28). - team: add missing attribute validation for array index (networking-stable-20_03_14). - team: add missing attribute validation for port ifindex (networking-stable-20_03_14). - team: fix hang in team_mode_get() (networking-stable-20_04_27). - tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() (bsc#1065729). - tpm/tpm_tis: Free IRQ if probing fails (bsc#1082555). - tun: Do not put_page() for all negative return values from XDP program (bsc#1109837). - Update config files: Build w1 bus on arm64 (jsc#SLE-11048) - usb: core: Fix misleading driver bug report (bsc#1051510). - usb: gadget: legacy: fix redundant initialization warnings (bsc#1051510). - usbnet: silence an unnecessary warning (bsc#1170770). - video: fbdev: sis: Remove unnecessary parentheses and commented code (bsc#1114279) - video: fbdev: w100fb: Fix a potential double free (bsc#1051510). - vrf: Check skb for XFRM_TRANSFORMED flag (networking-stable-20_04_27). - vxlan: check return value of gro_cells_init() (networking-stable-20_03_28). - w1: Add subsystem kernel public interface (jsc#SLE-11048). - w1: Fix slave count on 1-Wire bus (resend) (jsc#SLE-11048). - w1: keep balance of mutex locks and refcnts (jsc#SLE-11048). - w1: use put_device() if device_register() fail (jsc#SLE-11048). - wcn36xx: Fix error handling path in 'wcn36xx_probe()' (bsc#1051510). - wimax/i2400m: Fix potential urb refcnt leak (bsc#1051510). - workqueue: do not use wq_select_unbound_cpu() for bound works (bsc#1172130). - x86/amd_nb: Add Family 19h PCI IDs (jsc#SLE-11834). 
- x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115). - x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115). - x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115). - x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115). - x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170620). - x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170621, bsc#1170620). - x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170617, bsc#1170618). - x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170618). - x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170618). - x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170618). - x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170617, bsc#1170618). - x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170618). - x86: Hyper-V: report value of misc_features (git fixes). - x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170617, bsc#1170618). - x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170618). - x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170617, bsc#1170618). - x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170618). - x86/kprobes: Avoid kretprobe recursion bug (bsc#1114279). - x86/MCE/AMD: Add a KABI workaround for enum smca_bank_types (jsc#SLE-11833). - x86/MCE/AMD, EDAC/mce_amd: Add new Load Store unit McaType (jsc#SLE-11833). - x86/microcode/AMD: Increase microcode PATCH_MAX_SIZE (bsc#1169005). - x86/resctrl: Preserve CDP enable over CPU hotplug (bsc#1114279). 
- x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115). - x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115). - x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115). - x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115). - x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115). - x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115). - x86/xen: fix booting 32-bit pv guest (bsc#1071995). - x86/xen: Make the boot CPU idle task reliable (bsc#1071995). - x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995). - xen/pci: reserve MCFG areas earlier (bsc#1170145). - xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish (networking-stable-20_04_27). - xfs: Correctly invert xfs_buftarg LRU isolation logic (git-fixes). - xfs: do not ever return a stale pointer from __xfs_dir3_free_read (git-fixes). - xprtrdma: Fix completion wait during device removal (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1602=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1602=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1602=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-1602=1 - SUSE Linux Enterprise High Availability 12-SP5: zypper in -t patch SUSE-SLE-HA-12-SP5-2020-1602=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): kernel-default-debuginfo-4.12.14-122.23.1 kernel-default-debugsource-4.12.14-122.23.1 kernel-default-extra-4.12.14-122.23.1 kernel-default-extra-debuginfo-4.12.14-122.23.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.12.14-122.23.1 kernel-obs-build-debugsource-4.12.14-122.23.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): kernel-docs-4.12.14-122.23.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): kernel-default-4.12.14-122.23.1 kernel-default-base-4.12.14-122.23.1 kernel-default-base-debuginfo-4.12.14-122.23.1 kernel-default-debuginfo-4.12.14-122.23.1 kernel-default-debugsource-4.12.14-122.23.1 kernel-default-devel-4.12.14-122.23.1 kernel-syms-4.12.14-122.23.1 - SUSE Linux Enterprise Server 12-SP5 (x86_64): kernel-default-devel-debuginfo-4.12.14-122.23.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): kernel-devel-4.12.14-122.23.1 kernel-macros-4.12.14-122.23.1 kernel-source-4.12.14-122.23.1 - SUSE Linux Enterprise Server 12-SP5 (s390x): kernel-default-man-4.12.14-122.23.1 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kernel-default-debuginfo-4.12.14-122.23.1 kernel-default-debugsource-4.12.14-122.23.1 kernel-default-kgraft-4.12.14-122.23.1 kernel-default-kgraft-devel-4.12.14-122.23.1 
kgraft-patch-4_12_14-122_23-default-1-8.3.1 - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64): cluster-md-kmp-default-4.12.14-122.23.1 cluster-md-kmp-default-debuginfo-4.12.14-122.23.1 dlm-kmp-default-4.12.14-122.23.1 dlm-kmp-default-debuginfo-4.12.14-122.23.1 gfs2-kmp-default-4.12.14-122.23.1 gfs2-kmp-default-debuginfo-4.12.14-122.23.1 kernel-default-debuginfo-4.12.14-122.23.1 kernel-default-debugsource-4.12.14-122.23.1 ocfs2-kmp-default-4.12.14-122.23.1 ocfs2-kmp-default-debuginfo-4.12.14-122.23.1 References: https://www.suse.com/security/cve/CVE-2018-1000199.html https://www.suse.com/security/cve/CVE-2019-19462.html https://www.suse.com/security/cve/CVE-2019-20806.html https://www.suse.com/security/cve/CVE-2019-20812.html https://www.suse.com/security/cve/CVE-2019-9455.html https://www.suse.com/security/cve/CVE-2020-0543.html https://www.suse.com/security/cve/CVE-2020-10690.html https://www.suse.com/security/cve/CVE-2020-10711.html https://www.suse.com/security/cve/CVE-2020-10720.html https://www.suse.com/security/cve/CVE-2020-10732.html https://www.suse.com/security/cve/CVE-2020-10751.html https://www.suse.com/security/cve/CVE-2020-10757.html https://www.suse.com/security/cve/CVE-2020-12114.html https://www.suse.com/security/cve/CVE-2020-12464.html https://www.suse.com/security/cve/CVE-2020-12652.html https://www.suse.com/security/cve/CVE-2020-12653.html https://www.suse.com/security/cve/CVE-2020-12654.html https://www.suse.com/security/cve/CVE-2020-12655.html https://www.suse.com/security/cve/CVE-2020-12656.html https://www.suse.com/security/cve/CVE-2020-12657.html https://www.suse.com/security/cve/CVE-2020-12659.html https://www.suse.com/security/cve/CVE-2020-12768.html https://www.suse.com/security/cve/CVE-2020-12769.html https://www.suse.com/security/cve/CVE-2020-13143.html https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1058115 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 
https://bugzilla.suse.com/1082555 https://bugzilla.suse.com/1083647 https://bugzilla.suse.com/1089895 https://bugzilla.suse.com/1103990 https://bugzilla.suse.com/1103991 https://bugzilla.suse.com/1103992 https://bugzilla.suse.com/1104745 https://bugzilla.suse.com/1109837 https://bugzilla.suse.com/1111666 https://bugzilla.suse.com/1112178 https://bugzilla.suse.com/1112374 https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1124278 https://bugzilla.suse.com/1127354 https://bugzilla.suse.com/1127355 https://bugzilla.suse.com/1127371 https://bugzilla.suse.com/1133021 https://bugzilla.suse.com/1141558 https://bugzilla.suse.com/1142685 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1151794 https://bugzilla.suse.com/1152489 https://bugzilla.suse.com/1154824 https://bugzilla.suse.com/1157169 https://bugzilla.suse.com/1158265 https://bugzilla.suse.com/1160388 https://bugzilla.suse.com/1160947 https://bugzilla.suse.com/1164780 https://bugzilla.suse.com/1164871 https://bugzilla.suse.com/1165183 https://bugzilla.suse.com/1165478 https://bugzilla.suse.com/1165741 https://bugzilla.suse.com/1166969 https://bugzilla.suse.com/1166978 https://bugzilla.suse.com/1167574 https://bugzilla.suse.com/1167851 https://bugzilla.suse.com/1167867 https://bugzilla.suse.com/1168332 https://bugzilla.suse.com/1168503 https://bugzilla.suse.com/1168670 https://bugzilla.suse.com/1168789 https://bugzilla.suse.com/1169005 https://bugzilla.suse.com/1169020 https://bugzilla.suse.com/1169514 https://bugzilla.suse.com/1169525 https://bugzilla.suse.com/1169762 https://bugzilla.suse.com/1170056 https://bugzilla.suse.com/1170125 https://bugzilla.suse.com/1170145 https://bugzilla.suse.com/1170284 https://bugzilla.suse.com/1170345 https://bugzilla.suse.com/1170457 https://bugzilla.suse.com/1170522 https://bugzilla.suse.com/1170592 https://bugzilla.suse.com/1170617 https://bugzilla.suse.com/1170618 https://bugzilla.suse.com/1170620 
https://bugzilla.suse.com/1170621 https://bugzilla.suse.com/1170770 https://bugzilla.suse.com/1170778 https://bugzilla.suse.com/1170791 https://bugzilla.suse.com/1170901 https://bugzilla.suse.com/1171078 https://bugzilla.suse.com/1171098 https://bugzilla.suse.com/1171118 https://bugzilla.suse.com/1171189 https://bugzilla.suse.com/1171191 https://bugzilla.suse.com/1171195 https://bugzilla.suse.com/1171202 https://bugzilla.suse.com/1171205 https://bugzilla.suse.com/1171214 https://bugzilla.suse.com/1171217 https://bugzilla.suse.com/1171218 https://bugzilla.suse.com/1171219 https://bugzilla.suse.com/1171220 https://bugzilla.suse.com/1171244 https://bugzilla.suse.com/1171293 https://bugzilla.suse.com/1171417 https://bugzilla.suse.com/1171527 https://bugzilla.suse.com/1171599 https://bugzilla.suse.com/1171600 https://bugzilla.suse.com/1171601 https://bugzilla.suse.com/1171602 https://bugzilla.suse.com/1171604 https://bugzilla.suse.com/1171605 https://bugzilla.suse.com/1171606 https://bugzilla.suse.com/1171607 https://bugzilla.suse.com/1171608 https://bugzilla.suse.com/1171609 https://bugzilla.suse.com/1171610 https://bugzilla.suse.com/1171611 https://bugzilla.suse.com/1171612 https://bugzilla.suse.com/1171613 https://bugzilla.suse.com/1171614 https://bugzilla.suse.com/1171615 https://bugzilla.suse.com/1171616 https://bugzilla.suse.com/1171617 https://bugzilla.suse.com/1171618 https://bugzilla.suse.com/1171619 https://bugzilla.suse.com/1171620 https://bugzilla.suse.com/1171621 https://bugzilla.suse.com/1171622 https://bugzilla.suse.com/1171623 https://bugzilla.suse.com/1171624 https://bugzilla.suse.com/1171625 https://bugzilla.suse.com/1171626 https://bugzilla.suse.com/1171662 https://bugzilla.suse.com/1171679 https://bugzilla.suse.com/1171691 https://bugzilla.suse.com/1171692 https://bugzilla.suse.com/1171694 https://bugzilla.suse.com/1171695 https://bugzilla.suse.com/1171736 https://bugzilla.suse.com/1171761 https://bugzilla.suse.com/1171817 
https://bugzilla.suse.com/1171948 https://bugzilla.suse.com/1171949 https://bugzilla.suse.com/1171951 https://bugzilla.suse.com/1171952 https://bugzilla.suse.com/1171979 https://bugzilla.suse.com/1171982 https://bugzilla.suse.com/1171983 https://bugzilla.suse.com/1172017 https://bugzilla.suse.com/1172096 https://bugzilla.suse.com/1172097 https://bugzilla.suse.com/1172098 https://bugzilla.suse.com/1172099 https://bugzilla.suse.com/1172101 https://bugzilla.suse.com/1172102 https://bugzilla.suse.com/1172103 https://bugzilla.suse.com/1172104 https://bugzilla.suse.com/1172127 https://bugzilla.suse.com/1172130 https://bugzilla.suse.com/1172185 https://bugzilla.suse.com/1172188 https://bugzilla.suse.com/1172199 https://bugzilla.suse.com/1172201 https://bugzilla.suse.com/1172202 https://bugzilla.suse.com/1172218 https://bugzilla.suse.com/1172221 https://bugzilla.suse.com/1172249 https://bugzilla.suse.com/1172251 https://bugzilla.suse.com/1172253 https://bugzilla.suse.com/1172317 https://bugzilla.suse.com/1172342 https://bugzilla.suse.com/1172343 https://bugzilla.suse.com/1172344 https://bugzilla.suse.com/1172366 https://bugzilla.suse.com/1172378 https://bugzilla.suse.com/1172391 https://bugzilla.suse.com/1172397 https://bugzilla.suse.com/1172453 From sle-updates at lists.suse.com Thu Jun 11 07:14:24 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 11 Jun 2020 15:14:24 +0200 (CEST) Subject: SUSE-SU-2020:1606-1: critical: Security update for nodejs12 Message-ID: <20200611131424.2534BF749@maintenance.suse.de> SUSE Security Update: Security update for nodejs12 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1606-1 Rating: critical References: #1166916 #1172441 #1172442 #1172443 #1172728 Cross-References: CVE-2020-11080 CVE-2020-7598 CVE-2020-8172 CVE-2020-8174 Affected Products: SUSE Linux Enterprise Module for Web Scripting 12 
______________________________________________________________________________ An update that solves four vulnerabilities and has one errata is now available. Description: This update for nodejs12 fixes the following issues: nodejs12 was updated to version 12.18.0 - CVE-2020-8174: Fixed multiple memory corruption in napi_get_value_string_*() (bsc#1172443). - CVE-2020-8172: Fixed an issue where TLS session reuse could have led to host certificate verification bypass (bsc#1172441). - CVE-2020-11080: Fixed a potential denial of service when receiving unreasonably large HTTP/2 SETTINGS frames (bsc#1172442). npm was updated to 6.13.6 - CVE-2020-7598: Fixed an issue which could have tricked minimist into adding or modifying properties of Object.prototype (bsc#1166916). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-1606=1 Package List: - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): nodejs12-12.18.0-1.14.1 nodejs12-debuginfo-12.18.0-1.14.1 nodejs12-debugsource-12.18.0-1.14.1 nodejs12-devel-12.18.0-1.14.1 npm12-12.18.0-1.14.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): nodejs12-docs-12.18.0-1.14.1 References: https://www.suse.com/security/cve/CVE-2020-11080.html https://www.suse.com/security/cve/CVE-2020-7598.html https://www.suse.com/security/cve/CVE-2020-8172.html https://www.suse.com/security/cve/CVE-2020-8174.html https://bugzilla.suse.com/1166916 https://bugzilla.suse.com/1172441 https://bugzilla.suse.com/1172442 https://bugzilla.suse.com/1172443 https://bugzilla.suse.com/1172728 From sle-updates at lists.suse.com Thu Jun 11 13:12:19 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 11 Jun 2020 21:12:19 +0200
(CEST) Subject: SUSE-SU-2020:14396-1: moderate: Security update for kvm Message-ID: <20200611191219.0AED8F749@maintenance.suse.de> SUSE Security Update: Security update for kvm ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14396-1 Rating: moderate References: #1123156 #1146873 #1149811 #1161066 #1163018 #1170940 Cross-References: CVE-2019-12068 CVE-2019-15890 CVE-2019-6778 CVE-2020-1983 CVE-2020-7039 CVE-2020-8608 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for kvm fixes the following issues: Security issues fixed: - CVE-2019-12068: Fixed a potential DoS in the LSI SCSI controller emulation (bsc#1146873). - CVE-2020-1983: Fixed a use-after-free in the ip_reass function of slirp (bsc#1170940). - CVE-2020-8608: Fixed a potential OOB access in slirp (bsc#1163018). - CVE-2020-7039: Fixed a potential OOB access in slirp (bsc#1161066). - CVE-2019-15890: Fixed a use-after-free during packet reassembly in slirp (bsc#1149811). - Fixed multiple potential DoS issues in SLIRP, similar to CVE-2019-6778 (bsc#1123156). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-kvm-14396=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 s390x x86_64): kvm-1.4.2-60.31.1 References: https://www.suse.com/security/cve/CVE-2019-12068.html https://www.suse.com/security/cve/CVE-2019-15890.html https://www.suse.com/security/cve/CVE-2019-6778.html https://www.suse.com/security/cve/CVE-2020-1983.html https://www.suse.com/security/cve/CVE-2020-7039.html https://www.suse.com/security/cve/CVE-2020-8608.html https://bugzilla.suse.com/1123156 https://bugzilla.suse.com/1146873 https://bugzilla.suse.com/1149811 https://bugzilla.suse.com/1161066 https://bugzilla.suse.com/1163018 https://bugzilla.suse.com/1170940 From sle-updates at lists.suse.com Thu Jun 11 13:14:49 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 11 Jun 2020 21:14:49 +0200 (CEST) Subject: SUSE-SU-2020:1609-1: important: Security update for xen Message-ID: <20200611191449.AA959F749@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1609-1 Rating: important References: #1027519 #1157490 #1167007 #1172205 Cross-References: CVE-2020-0543 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that solves one vulnerability and has three fixes is now available. Description: This update for xen to version 4.12.3 fixes the following issues: - CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1172205). 
- Added support for new 64bit libxl memory API (bsc#1167007 and bsc#1157490). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1609=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1609=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (x86_64): xen-4.12.3_02-3.18.1 xen-debugsource-4.12.3_02-3.18.1 xen-devel-4.12.3_02-3.18.1 xen-tools-4.12.3_02-3.18.1 xen-tools-debuginfo-4.12.3_02-3.18.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): xen-debugsource-4.12.3_02-3.18.1 xen-libs-4.12.3_02-3.18.1 xen-libs-debuginfo-4.12.3_02-3.18.1 xen-tools-domU-4.12.3_02-3.18.1 xen-tools-domU-debuginfo-4.12.3_02-3.18.1 References: https://www.suse.com/security/cve/CVE-2020-0543.html https://bugzilla.suse.com/1027519 https://bugzilla.suse.com/1157490 https://bugzilla.suse.com/1167007 https://bugzilla.suse.com/1172205 From sle-updates at lists.suse.com Thu Jun 11 13:15:56 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 11 Jun 2020 21:15:56 +0200 (CEST) Subject: SUSE-SU-2020:1608-1: Security update for ed Message-ID: <20200611191556.54D18F749@maintenance.suse.de> SUSE Security Update: Security update for ed ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1608-1 Rating: low References: #1019807 Cross-References: CVE-2017-5357 Affected Products: SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for ed fixes the following security issue: - CVE-2017-5357: An invalid free in the regular expression handling of the "ed" command processing could allow local users to crash ed. (bsc#1019807) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1608=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1608=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): ed-1.9-4.4.5 ed-debuginfo-1.9-4.4.5 ed-debugsource-1.9-4.4.5 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): ed-1.9-4.4.5 ed-debuginfo-1.9-4.4.5 ed-debugsource-1.9-4.4.5 References: https://www.suse.com/security/cve/CVE-2017-5357.html https://bugzilla.suse.com/1019807 From sle-updates at lists.suse.com Fri Jun 12 07:07:21 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 12 Jun 2020 15:07:21 +0200 (CEST) Subject: SUSE-CU-2020:189-1: Recommended update of suse/sles12sp4 Message-ID: <20200612130721.21822F749@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:189-1 Container Tags : suse/sles12sp4:26.194 , suse/sles12sp4:latest Container Release : 26.194 Severity : important Type : recommended References : 1156159 1172295 ----------------------------------------------------------------- The container suse/sles12sp4 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1598-1 Released: Wed Jun 10 10:52:04 2020 Summary: Recommended update for audit Type: recommended Severity: important References: 1156159,1172295 This update for audit fixes the following issues: - Fix hang on startup. (bsc#1156159) - Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295) From sle-updates at lists.suse.com Fri Jun 12 07:11:19 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 12 Jun 2020 15:11:19 +0200 (CEST) Subject: SUSE-CU-2020:190-1: Recommended update of suse/sles12sp5 Message-ID: <20200612131119.26F85F749@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:190-1 Container Tags : suse/sles12sp5:6.5.9 , suse/sles12sp5:latest Container Release : 6.5.9 Severity : important Type : recommended References : 1156159 1172295 ----------------------------------------------------------------- The container suse/sles12sp5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1598-1 Released: Wed Jun 10 10:52:04 2020 Summary: Recommended update for audit Type: recommended Severity: important References: 1156159,1172295 This update for audit fixes the following issues: - Fix hang on startup. (bsc#1156159) - Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. 
(bsc#1172295) From sle-updates at lists.suse.com Fri Jun 12 07:13:23 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 12 Jun 2020 15:13:23 +0200 (CEST) Subject: SUSE-RU-2020:1616-1: moderate: Recommended update for SAPHanaSR-ScaleOut Message-ID: <20200612131323.37F8AF749@maintenance.suse.de> SUSE Recommended Update: Recommended update for SAPHanaSR-ScaleOut ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1616-1 Rating: moderate References: #1156067 #1156150 #1157685 Affected Products: SUSE Linux Enterprise Module for SAP Applications 15-SP1 SUSE Linux Enterprise Module for SAP Applications 15 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update for SAPHanaSR-ScaleOut fixes the following issues: - Restart 'sapstartsrv' service on master nameserver node. (bsc#1156150) - Use a fall-back scoring for the master nameserver nodes, if the current roles of the node(s) got lost. (bsc#1156067) - SAPHanaSR-ScaleOut-doc will no longer be installable when SAPHanaSR-doc is installed (bsc#1157685) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SAP Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-SAP-Applications-15-SP1-2020-1616=1 - SUSE Linux Enterprise Module for SAP Applications 15: zypper in -t patch SUSE-SLE-Module-SAP-Applications-15-2020-1616=1 Package List: - SUSE Linux Enterprise Module for SAP Applications 15-SP1 (noarch): SAPHanaSR-ScaleOut-0.164.0-3.10.2 SAPHanaSR-ScaleOut-doc-0.164.0-3.10.2 - SUSE Linux Enterprise Module for SAP Applications 15 (noarch): SAPHanaSR-ScaleOut-0.164.0-3.10.2 SAPHanaSR-ScaleOut-doc-0.164.0-3.10.2 References: https://bugzilla.suse.com/1156067 https://bugzilla.suse.com/1156150 https://bugzilla.suse.com/1157685 From sle-updates at lists.suse.com Fri Jun 12 07:14:34 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 12 Jun 2020 15:14:34 +0200 (CEST) Subject: SUSE-SU-2020:1612-1: important: Security update for adns Message-ID: <20200612131434.A76EBF749@maintenance.suse.de> SUSE Security Update: Security update for adns ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1612-1 Rating: important References: #1172265 Cross-References: CVE-2017-9103 CVE-2017-9104 CVE-2017-9105 CVE-2017-9106 CVE-2017-9107 CVE-2017-9108 CVE-2017-9109 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An 
update that fixes 7 vulnerabilities is now available. Description: This update for adns fixes the following issues: - CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver which could have led to remote code execution (bsc#1172265). - CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of service (bsc#1172265). - CVE-2017-9107: Fixed an issue when querying domain names which could have led to denial of service (bsc#1172265). - CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1612=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1612=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1612=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1612=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1612=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1612=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1612=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1612=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1612=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1612=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1612=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1612=1 - SUSE Linux Enterprise Server
12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1612=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1612=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1612=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): adns-debuginfo-1.4-103.3.1 adns-debugsource-1.4-103.3.1 libadns1-1.4-103.3.1 libadns1-debuginfo-1.4-103.3.1 - SUSE OpenStack Cloud 8 (x86_64): adns-debuginfo-1.4-103.3.1 adns-debugsource-1.4-103.3.1 libadns1-1.4-103.3.1 libadns1-debuginfo-1.4-103.3.1 - SUSE OpenStack Cloud 7 (s390x x86_64): adns-debuginfo-1.4-103.3.1 adns-debugsource-1.4-103.3.1 libadns1-1.4-103.3.1 libadns1-debuginfo-1.4-103.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): adns-debuginfo-1.4-103.3.1 adns-debugsource-1.4-103.3.1 libadns-devel-1.4-103.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): adns-debuginfo-1.4-103.3.1 adns-debugsource-1.4-103.3.1 libadns-devel-1.4-103.3.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): adns-debuginfo-1.4-103.3.1 adns-debugsource-1.4-103.3.1 libadns1-1.4-103.3.1 libadns1-debuginfo-1.4-103.3.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): adns-debuginfo-1.4-103.3.1 adns-debugsource-1.4-103.3.1 libadns1-1.4-103.3.1 libadns1-debuginfo-1.4-103.3.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): adns-debuginfo-1.4-103.3.1 adns-debugsource-1.4-103.3.1 libadns1-1.4-103.3.1 libadns1-debuginfo-1.4-103.3.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): adns-debuginfo-1.4-103.3.1 adns-debugsource-1.4-103.3.1 libadns1-1.4-103.3.1 libadns1-debuginfo-1.4-103.3.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): adns-debuginfo-1.4-103.3.1 adns-debugsource-1.4-103.3.1 libadns1-1.4-103.3.1 libadns1-debuginfo-1.4-103.3.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): adns-debuginfo-1.4-103.3.1 
adns-debugsource-1.4-103.3.1 libadns1-1.4-103.3.1 libadns1-debuginfo-1.4-103.3.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): adns-debuginfo-1.4-103.3.1 adns-debugsource-1.4-103.3.1 libadns1-1.4-103.3.1 libadns1-debuginfo-1.4-103.3.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): adns-debuginfo-1.4-103.3.1 adns-debugsource-1.4-103.3.1 libadns1-1.4-103.3.1 libadns1-debuginfo-1.4-103.3.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): adns-debuginfo-1.4-103.3.1 adns-debugsource-1.4-103.3.1 libadns1-1.4-103.3.1 libadns1-debuginfo-1.4-103.3.1 - HPE Helion Openstack 8 (x86_64): adns-debuginfo-1.4-103.3.1 adns-debugsource-1.4-103.3.1 libadns1-1.4-103.3.1 libadns1-debuginfo-1.4-103.3.1 References: https://www.suse.com/security/cve/CVE-2017-9103.html https://www.suse.com/security/cve/CVE-2017-9104.html https://www.suse.com/security/cve/CVE-2017-9105.html https://www.suse.com/security/cve/CVE-2017-9106.html https://www.suse.com/security/cve/CVE-2017-9107.html https://www.suse.com/security/cve/CVE-2017-9108.html https://www.suse.com/security/cve/CVE-2017-9109.html https://bugzilla.suse.com/1172265 From sle-updates at lists.suse.com Fri Jun 12 07:15:38 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 12 Jun 2020 15:15:38 +0200 (CEST) Subject: SUSE-RU-2020:1611-1: moderate: Recommended update for libsolv, libzypp, zypper Message-ID: <20200612131538.730C8F749@maintenance.suse.de> SUSE Recommended Update: Recommended update for libsolv, libzypp, zypper ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1611-1 Rating: moderate References: #1130873 #1154803 #1164543 #1165476 #1165573 #1166610 #1167122 #1168990 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 SUSE Linux Enterprise Module for Development 
Tools 15-SP1 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise Installer 15 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that has 8 recommended fixes can now be installed. Description: This update for libsolv, libzypp, zypper fixes the following issues: libsolv was updated to 0.7.13 to fix: - Fix solvable swapping messing up idarrays - fix ruleinfo of complex dependencies returning the wrong origin libzypp was updated to 17.23.4 to fix: - Get retracted patch status from updateinfo data (jsc#SLE-8770) libsolv injects the indicator provides into packages only. - remove 'using namespace std;' (bsc#1166610, fixes #218) - Online doc: add 'Hardware (modalias) dependencies' page (fixes #216) - Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs. - RepoVariables: Add safe guard in case the caller does not own a zypp instance. - Enable c++17. Define libzypp CXX_STANDARD in ZyppCommon.cmake. - Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476) - Log patch status changes to history (jsc#SLE-5116) - Allow to disable all WebServer dependent tests when building. OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement. Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'. - update translations - boost: Fix deprecated auto_unit_test.hpp includes. - Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck. - Fix decision whether to download ZCHUNK files. libzypp and libsolv must both be able to read the format. - yum::Downloader: Prefer zchunk compressed metadata if libsolv supports it. - Selectable: Fix highestAvailableVersionObj if only retracted packages are available. 
Avoid using retracted items as candidate (jsc#SLE-8770) - RpmDb: Become rpmdb backend independent (jsc#SLE-7272) - RpmDb: Close API offering a custom rpmdb path It's actually not needed and for this to work also libsolv needs to support it. You can still use a librpmDb::db_const_iterator to access a database at a custom location (ro). - Remove legacy rpmV3database conversion code. - Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990) - Remove undocumented rug legacy stuff. - Remove 'using namespace std;' (bsc#1166610) - patch table: Add 'Since' column if history data are available (jsc#SLE-5116) zypper was updated to version 1.14.36: - Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770) - Tag 'R'etracted items in search tables status columns (jsc#SLE-8770) - Relax 'Do not allow the abbreviation of cli arguments' in legacy distributions (bsc#1164543) - Correctly detect ambiguous switch abbreviations (bsc#1165573) - zypper-aptitude: don't supplement zypper. supplementing zypper means zypper-aptitude gets installed by default and pulls in perl. Neither is desired on small systems. - Do not allow the abbreviation of cli arguments (bsc#1164543) - accoring to according in all translation files. - Always show exception history if available. - Use default package cache location for temporary repos (bsc#1130873) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-1611=1 - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1611=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1611=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP1-2020-1611=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1611=1 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1611=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1611=1 - SUSE Linux Enterprise Installer 15: zypper in -t patch SUSE-SLE-INSTALLER-15-2020-1611=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1611=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1611=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): PackageKit-debuginfo-1.1.10-12.5.11 PackageKit-debugsource-1.1.10-12.5.11 PackageKit-gstreamer-plugin-1.1.10-12.5.11 PackageKit-gstreamer-plugin-debuginfo-1.1.10-12.5.11 PackageKit-gtk3-module-1.1.10-12.5.11 PackageKit-gtk3-module-debuginfo-1.1.10-12.5.11 - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libsigc++2-debugsource-2.10.0-3.3.1 libsigc++2-devel-2.10.0-3.3.1 libsigc-2_0-0-2.10.0-3.3.1 libsigc-2_0-0-debuginfo-2.10.0-3.3.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libsigc++2-debugsource-2.10.0-3.3.1 libsigc++2-devel-2.10.0-3.3.1 libsigc-2_0-0-2.10.0-3.3.1 libsigc-2_0-0-debuginfo-2.10.0-3.3.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 
15-SP1 (aarch64 ppc64le s390x x86_64): libsolv-debuginfo-0.7.13-3.19.7 libsolv-debugsource-0.7.13-3.19.7 python-solv-0.7.13-3.19.7 python-solv-debuginfo-0.7.13-3.19.7 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): libsolv-debuginfo-0.7.13-3.19.7 libsolv-debugsource-0.7.13-3.19.7 perl-solv-0.7.13-3.19.7 perl-solv-debuginfo-0.7.13-3.19.7 ruby-solv-0.7.13-3.19.7 ruby-solv-debuginfo-0.7.13-3.19.7 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64): PackageKit-1.1.10-12.5.11 PackageKit-backend-zypp-1.1.10-12.5.11 PackageKit-backend-zypp-debuginfo-1.1.10-12.5.11 PackageKit-debuginfo-1.1.10-12.5.11 PackageKit-debugsource-1.1.10-12.5.11 PackageKit-devel-1.1.10-12.5.11 PackageKit-devel-debuginfo-1.1.10-12.5.11 libpackagekit-glib2-18-1.1.10-12.5.11 libpackagekit-glib2-18-debuginfo-1.1.10-12.5.11 libpackagekit-glib2-devel-1.1.10-12.5.11 libsigc++2-debugsource-2.10.0-3.3.1 libsigc++2-devel-2.10.0-3.3.1 libsigc-2_0-0-2.10.0-3.3.1 libsigc-2_0-0-debuginfo-2.10.0-3.3.1 libyui-qt-pkg-debugsource-2.45.28-3.8.9 libyui-qt-pkg-devel-2.45.28-3.8.9 typelib-1_0-PackageKitGlib-1_0-1.1.10-12.5.11 - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (noarch): PackageKit-lang-1.1.10-12.5.11 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libsigc++2-debugsource-2.10.0-3.3.1 libsigc++2-devel-2.10.0-3.3.1 libsigc-2_0-0-2.10.0-3.3.1 libsigc-2_0-0-debuginfo-2.10.0-3.3.1 libsolv-debuginfo-0.7.13-3.19.7 libsolv-debugsource-0.7.13-3.19.7 libsolv-devel-0.7.13-3.19.7 libsolv-devel-debuginfo-0.7.13-3.19.7 libsolv-tools-0.7.13-3.19.7 libsolv-tools-debuginfo-0.7.13-3.19.7 libyui-ncurses-pkg-debugsource-2.48.9-7.5.8 libyui-ncurses-pkg-devel-2.48.9-7.5.8 libyui-ncurses-pkg9-2.48.9-7.5.8 libyui-ncurses-pkg9-debuginfo-2.48.9-7.5.8 libyui-qt-pkg-debugsource-2.45.28-3.8.9 libyui-qt-pkg9-2.45.28-3.8.9 libyui-qt-pkg9-debuginfo-2.45.28-3.8.9 libzypp-17.23.4-3.19.9 
libzypp-debuginfo-17.23.4-3.19.9 libzypp-debugsource-17.23.4-3.19.9 libzypp-devel-17.23.4-3.19.9 python3-solv-0.7.13-3.19.7 python3-solv-debuginfo-0.7.13-3.19.7 yast2-pkg-bindings-4.1.2-3.5.9 yast2-pkg-bindings-debuginfo-4.1.2-3.5.9 yast2-pkg-bindings-debugsource-4.1.2-3.5.9 zypper-1.14.36-3.16.9 zypper-debuginfo-1.14.36-3.16.9 zypper-debugsource-1.14.36-3.16.9 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): libyui-ncurses-pkg-doc-2.48.9-7.5.7 libyui-qt-pkg-doc-2.45.28-3.8.7 zypper-log-1.14.36-3.16.9 zypper-needs-restarting-1.14.36-3.16.9 - SUSE Linux Enterprise Installer 15 (aarch64 ppc64le s390x x86_64): libsigc-2_0-0-2.10.0-3.3.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libsigc++2-debugsource-2.10.0-3.3.1 libsigc++2-devel-2.10.0-3.3.1 libsigc-2_0-0-2.10.0-3.3.1 libsigc-2_0-0-debuginfo-2.10.0-3.3.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libsigc++2-debugsource-2.10.0-3.3.1 libsigc++2-devel-2.10.0-3.3.1 libsigc-2_0-0-2.10.0-3.3.1 libsigc-2_0-0-debuginfo-2.10.0-3.3.1 References: https://bugzilla.suse.com/1130873 https://bugzilla.suse.com/1154803 https://bugzilla.suse.com/1164543 https://bugzilla.suse.com/1165476 https://bugzilla.suse.com/1165573 https://bugzilla.suse.com/1166610 https://bugzilla.suse.com/1167122 https://bugzilla.suse.com/1168990 From sle-updates at lists.suse.com Fri Jun 12 07:17:21 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 12 Jun 2020 15:17:21 +0200 (CEST) Subject: SUSE-RU-2020:1614-1: moderate: Recommended update for gtk3 Message-ID: <20200612131721.0DF6CF749@maintenance.suse.de> SUSE Recommended Update: Recommended update for gtk3 ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1614-1 Rating: moderate References: #1167951 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 
______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for gtk3 fixes the following issue: - GtkMenu under X11 is not able to handle touch events properly. (bsc#1167951) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1614=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): gettext-its-gtk3-3.22.30-4.19.1 gtk3-debugsource-3.22.30-4.19.1 gtk3-devel-3.22.30-4.19.1 gtk3-devel-debuginfo-3.22.30-4.19.1 gtk3-tools-3.22.30-4.19.1 gtk3-tools-debuginfo-3.22.30-4.19.1 libgtk-3-0-3.22.30-4.19.1 libgtk-3-0-debuginfo-3.22.30-4.19.1 typelib-1_0-Gtk-3_0-3.22.30-4.19.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): gtk3-data-3.22.30-4.19.1 gtk3-lang-3.22.30-4.19.1 gtk3-schema-3.22.30-4.19.1 References: https://bugzilla.suse.com/1167951 From sle-updates at lists.suse.com Fri Jun 12 07:18:17 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 12 Jun 2020 15:18:17 +0200 (CEST) Subject: SUSE-SU-2020:1619-1: Security update for audiofile Message-ID: <20200612131817.635BCF749@maintenance.suse.de> SUSE Security Update: Security update for audiofile ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1619-1 Rating: low References: #1100523 Cross-References: CVE-2018-13440 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update 
that fixes one vulnerability is now available. Description: This update for audiofile fixes the following issues: Security issue fixed: - CVE-2018-13440: Return AF_FAIL instead of causing NULL pointer dereferences later (bsc#1100523). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1619=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1619=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1619=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1619=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): audiofile-debuginfo-0.3.6-11.7.8 audiofile-debugsource-0.3.6-11.7.8 audiofile-devel-0.3.6-11.7.8 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): audiofile-debuginfo-0.3.6-11.7.8 audiofile-debugsource-0.3.6-11.7.8 audiofile-devel-0.3.6-11.7.8 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): audiofile-0.3.6-11.7.8 audiofile-debuginfo-0.3.6-11.7.8 audiofile-debugsource-0.3.6-11.7.8 libaudiofile1-0.3.6-11.7.8 libaudiofile1-debuginfo-0.3.6-11.7.8 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libaudiofile1-32bit-0.3.6-11.7.8 libaudiofile1-debuginfo-32bit-0.3.6-11.7.8 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): audiofile-0.3.6-11.7.8 audiofile-debuginfo-0.3.6-11.7.8 audiofile-debugsource-0.3.6-11.7.8 libaudiofile1-0.3.6-11.7.8 libaudiofile1-debuginfo-0.3.6-11.7.8 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libaudiofile1-32bit-0.3.6-11.7.8 libaudiofile1-debuginfo-32bit-0.3.6-11.7.8 References: 
https://www.suse.com/security/cve/CVE-2018-13440.html https://bugzilla.suse.com/1100523 From sle-updates at lists.suse.com Fri Jun 12 07:19:12 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 12 Jun 2020 15:19:12 +0200 (CEST) Subject: SUSE-RU-2020:1615-1: moderate: Recommended update for perf Message-ID: <20200612131912.D0648F749@maintenance.suse.de> SUSE Recommended Update: Recommended update for perf ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1615-1 Rating: moderate References: #1171432 Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for perf fixes the following issue: - Fix assertion error when handling cgroups (bsc#1171432) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1615=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): perf-4.12.14-17.12.1 perf-debuginfo-4.12.14-17.12.1 perf-debugsource-4.12.14-17.12.1 References: https://bugzilla.suse.com/1171432 From sle-updates at lists.suse.com Fri Jun 12 07:21:38 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 12 Jun 2020 15:21:38 +0200 (CEST) Subject: SUSE-CU-2020:191-1: Security update of suse/sle15 Message-ID: <20200612132138.1E8BFF749@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:191-1 Container Tags : suse/sle15:15.0 , suse/sle15:15.0.4.22.220 Container Release : 4.22.220 Severity : important Type : security References : 1156159 1172295 1172461 1172506 CVE-2020-13777 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1579-1 Released: Tue Jun 9 17:05:23 2020 Summary: Recommended update for audit Type: recommended Severity: important References: 1156159,1172295 This update for audit fixes the following issues: - Fix hang on startup. (bsc#1156159) - Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. 
(bsc#1172295) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1584-1 Released: Tue Jun 9 18:39:15 2020 Summary: Security update for gnutls Type: security Severity: important References: 1172461,1172506,CVE-2020-13777 This update for gnutls fixes the following issues: - CVE-2020-13777: Fixed an insecure session ticket key construction which could have made the TLS server to not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing an attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (bsc#1172506). - Fixed an improper handling of certificate chain with cross-signed intermediate CA certificates (bsc#1172461). From sle-updates at lists.suse.com Fri Jun 12 07:28:29 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 12 Jun 2020 15:28:29 +0200 (CEST) Subject: SUSE-CU-2020:192-1: Security update of suse/sle15 Message-ID: <20200612132829.CB5A9F3D7@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:192-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.251 Container Release : 6.2.251 Severity : important Type : security References : 1090047 1103678 1107116 1107121 1111499 1130873 1137001 1139959 1154803 1156159 1164543 1165476 1165573 1166610 1167122 1168990 1172295 1172461 1172506 CVE-2018-16428 CVE-2018-16429 CVE-2019-12450 CVE-2019-13012 CVE-2020-13777 ----------------------------------------------------------------- The container suse/sle15 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2780-1 Released: Mon Nov 26 17:46:10 2018 Summary: Security update for glib2 Type: security Severity: moderate References: 1107116,1107121,1111499,CVE-2018-16428,CVE-2018-16429 This update for glib2 fixes the following issues: Security issues fixed: - CVE-2018-16428: Do not do a NULL pointer dereference (crash). Avoid that, at the cost of introducing a new translatable error message (bsc#1107121). - CVE-2018-16429: Fixed out-of-bounds read vulnerability in g_markup_parse_context_parse() (bsc#1107116). Non-security issue fixed: - various GVariant parsing issues have been resolved (bsc#1111499) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:251-1 Released: Wed Feb 6 11:22:43 2019 Summary: Recommended update for glib2 Type: recommended Severity: moderate References: 1090047 This update for glib2 provides the following fix: - Enable systemtap. (fate#326393, bsc#1090047) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1594-1 Released: Fri Jun 21 10:17:15 2019 Summary: Security update for glib2 Type: security Severity: important References: 1103678,1137001,CVE-2019-12450 This update for glib2 fixes the following issues: Security issue fixed: - CVE-2019-12450: Fixed an improper file permission when copy operation takes place (bsc#1137001). 
Other issue addressed: - glib2 was handling an UNKNOWN connectivity state from NetworkManager as if there was a connection thus giving false positives to PackageKit (bsc#1103678) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1833-1 Released: Fri Jul 12 17:53:51 2019 Summary: Security update for glib2 Type: security Severity: moderate References: 1139959,CVE-2019-13012 This update for glib2 fixes the following issues: Security issue fixed: - CVE-2019-13012: Fixed improper restriction of file permissions when creating directories (bsc#1139959). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1579-1 Released: Tue Jun 9 17:05:23 2020 Summary: Recommended update for audit Type: recommended Severity: important References: 1156159,1172295 This update for audit fixes the following issues: - Fix hang on startup. (bsc#1156159) - Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1584-1 Released: Tue Jun 9 18:39:15 2020 Summary: Security update for gnutls Type: security Severity: important References: 1172461,1172506,CVE-2020-13777 This update for gnutls fixes the following issues: - CVE-2020-13777: Fixed an insecure session ticket key construction which could have made the TLS server to not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing an attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (bsc#1172506). - Fixed an improper handling of certificate chain with cross-signed intermediate CA certificates (bsc#1172461). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1611-1 Released: Fri Jun 12 09:38:03 2020 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990 This update for libsolv, libzypp, zypper fixes the following issues: libsolv was updated to 0.7.13 to fix: - Fix solvable swapping messing up idarrays - fix ruleinfo of complex dependencies returning the wrong origin libzypp was updated to 17.23.4 to fix: - Get retracted patch status from updateinfo data (jsc#SLE-8770) libsolv injects the indicator provides into packages only. - remove 'using namespace std;' (bsc#1166610, fixes #218) - Online doc: add 'Hardware (modalias) dependencies' page (fixes #216) - Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs. - RepoVariables: Add safe guard in case the caller does not own a zypp instance. - Enable c++17. Define libzypp CXX_STANDARD in ZyppCommon.cmake. - Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476) - Log patch status changes to history (jsc#SLE-5116) - Allow to disable all WebServer dependent tests when building. OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement. Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'. - update translations - boost: Fix deprecated auto_unit_test.hpp includes. - Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck. - Fix decision whether to download ZCHUNK files. libzypp and libsolv must both be able to read the format. - yum::Downloader: Prefer zchunk compressed metadata if libsolv supports it. - Selectable: Fix highestAvailableVersionObj if only retracted packages are available. 
Avoid using retracted items as candidate (jsc#SLE-8770) - RpmDb: Become rpmdb backend independent (jsc#SLE-7272) - RpmDb: Close API offering a custom rpmdb path It's actually not needed and for this to work also libsolv needs to support it. You can still use a librpmDb::db_const_iterator to access a database at a custom location (ro). - Remove legacy rpmV3database conversion code. - Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990) - Remove undocumented rug legacy stuff. - Remove 'using namespace std;' (bsc#1166610) - patch table: Add 'Since' column if history data are available (jsc#SLE-5116) zypper was updated to version 1.14.36: - Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770) - Tag 'R'etracted items in search tables status columns (jsc#SLE-8770) - Relax 'Do not allow the abbreviation of cli arguments' in legacy distributions (bsc#1164543) - Correctly detect ambiguous switch abbreviations (bsc#1165573) - zypper-aptitude: don't supplement zypper. supplementing zypper means zypper-aptitude gets installed by default and pulls in perl. Neither is desired on small systems. - Do not allow the abbreviation of cli arguments (bsc#1164543) - accoring to according in all translation files. - Always show exception history if available. - Use default package cache location for temporary repos (bsc#1130873) From meissner at suse.de Fri Jun 12 09:38:05 2020 From: meissner at suse.de (Marcus Meissner) Date: Fri, 12 Jun 2020 17:38:05 +0200 Subject: Announcement: Administrative downtime until June 16th afternoon Message-ID: <20200612153805.GE26094@suse.de> Dear sle-updates subscribers, The sle-updates list will be transitioned from Microfocus to SUSE control in our company carve out activities. This will happen between today and Tuesday June 16th afternoon, when mail delivery will resume. 
We are also currently reviewing email delivery problems with the partner list sle-security-updates, which will also be addressed in this interval. Ciao, Marcus (list admin) From sle-updates at lists.suse.com Fri Jun 12 10:44:46 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 12 Jun 2020 18:44:46 +0200 (CEST) Subject: SUSE-RU-2020:1620-1: important: Recommended update for yast2-ftp-server Message-ID: <20200612164446.0A09FF3D7@maintenance.suse.de> SUSE Recommended Update: Recommended update for yast2-ftp-server ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1620-1 Rating: important References: #1132116 #1149932 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for yast2-ftp-server fixes the following issues: - Add missing dependency of yast2-users. (bsc#1132116) - Fix autoyast client to locate the 'ftp server' module. (bsc#1149932) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1620=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): yast2-ftp-server-4.1.9-9.8.1 References: https://bugzilla.suse.com/1132116 https://bugzilla.suse.com/1149932 From sle-updates at lists.suse.com Sat Jun 13 01:16:33 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 13 Jun 2020 09:16:33 +0200 (CEST) Subject: SUSE-SU-2020:1622-1: important: Security update for libEMF Message-ID: <20200613071633.6D44FF3D7@maintenance.suse.de> SUSE Security Update: Security update for libEMF ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1622-1 Rating: important References: #1171496 #1171497 #1171498 #1171499 Cross-References: CVE-2020-11863 CVE-2020-11864 CVE-2020-11865 CVE-2020-11866 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Workstation Extension 12-SP4 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for libEMF fixes the following issues: - CVE-2020-11863: Fixed an issue which could have led to denial of service (bsc#1171496). - CVE-2020-11864: Fixed an issue which could have led to denial of service (bsc#1171499). - CVE-2020-11865: Fixed an out of bounds memory access (bsc#1171497). - CVE-2020-11866: Fixed a use after free (bsc#1171498). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1622=1 - SUSE Linux Enterprise Workstation Extension 12-SP4: zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1622=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1622=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1622=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): libEMF-debugsource-1.0.7-11.3.1 libEMF1-1.0.7-11.3.1 libEMF1-debuginfo-1.0.7-11.3.1 - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64): libEMF-debugsource-1.0.7-11.3.1 libEMF1-1.0.7-11.3.1 libEMF1-debuginfo-1.0.7-11.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libEMF-debugsource-1.0.7-11.3.1 libEMF-devel-1.0.7-11.3.1 libEMF1-1.0.7-11.3.1 libEMF1-debuginfo-1.0.7-11.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libEMF-debugsource-1.0.7-11.3.1 libEMF-devel-1.0.7-11.3.1 libEMF1-1.0.7-11.3.1 libEMF1-debuginfo-1.0.7-11.3.1 References: https://www.suse.com/security/cve/CVE-2020-11863.html https://www.suse.com/security/cve/CVE-2020-11864.html https://www.suse.com/security/cve/CVE-2020-11865.html https://www.suse.com/security/cve/CVE-2020-11866.html https://bugzilla.suse.com/1171496 https://bugzilla.suse.com/1171497 https://bugzilla.suse.com/1171498 https://bugzilla.suse.com/1171499 From sle-updates at lists.suse.com Sat Jun 13 01:18:19 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 13 Jun 2020 09:18:19 +0200 (CEST) Subject: SUSE-SU-2020:1621-1: important: Security update for libEMF Message-ID: <20200613071819.5BCC1F3D7@maintenance.suse.de> SUSE Security Update: Security update for libEMF ______________________________________________________________________________ Announcement ID: 
SUSE-SU-2020:1621-1 Rating: important References: #1171496 #1171497 #1171498 #1171499 Cross-References: CVE-2020-11863 CVE-2020-11864 CVE-2020-11865 CVE-2020-11866 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for libEMF fixes the following issues: - CVE-2020-11863: Fixed an issue which could have led to denial of service (bsc#1171496). - CVE-2020-11864: Fixed an issue which could have led to denial of service (bsc#1171499). - CVE-2020-11865: Fixed an out of bounds memory access (bsc#1171497). - CVE-2020-11866: Fixed a use after free (bsc#1171498). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-1621=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): libEMF-debuginfo-1.0.7-3.3.1 libEMF-debugsource-1.0.7-3.3.1 libEMF1-1.0.7-3.3.1 libEMF1-debuginfo-1.0.7-3.3.1 References: https://www.suse.com/security/cve/CVE-2020-11863.html https://www.suse.com/security/cve/CVE-2020-11864.html https://www.suse.com/security/cve/CVE-2020-11865.html https://www.suse.com/security/cve/CVE-2020-11866.html https://bugzilla.suse.com/1171496 https://bugzilla.suse.com/1171497 https://bugzilla.suse.com/1171498 https://bugzilla.suse.com/1171499 From sle-updates at lists.suse.com Tue Jun 16 07:35:08 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 15:35:08 +0200 (CEST) Subject: SUSE-SU-2020:1626-1: moderate: Security update for poppler Message-ID: <20200616133508.81B6CF3D7@maintenance.suse.de> SUSE Security Update: Security update for poppler 
______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1626-1 Rating: moderate References: #1059066 #1060220 #1064593 #1074453 #1092105 Cross-References: CVE-2017-1000456 CVE-2017-14517 CVE-2017-14617 CVE-2017-15565 CVE-2018-10768 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for poppler fixes the following issues: These security issues were fixed: - CVE-2017-14617: Fixed a floating point exception in Stream.cc, which may lead to a potential attack when handling malicious PDF files. (bsc#1060220) - CVE-2017-1000456: Validate boundaries in TextPool::addWord to prevent overflows in subsequent calculations (bsc#1074453) - CVE-2017-15565: Prevent NULL Pointer dereference in the GfxImageColorMap::getGrayLine() function via a crafted PDF document (bsc#1064593) - CVE-2018-10768: Prevent NULL pointer dereference in the AnnotPath::getCoordsLength function. A crafted input could have led to a remote denial of service attack (bsc#1092105). This update also fixes an additional segmentation fault that is triggered by the reproducer for CVE-2017-14517 (bsc#1059066). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1626=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1626=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libpoppler44-0.24.4-14.16.6 libpoppler44-debuginfo-0.24.4-14.16.6 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libpoppler44-0.24.4-14.16.6 libpoppler44-debuginfo-0.24.4-14.16.6 References: https://www.suse.com/security/cve/CVE-2017-1000456.html https://www.suse.com/security/cve/CVE-2017-14517.html https://www.suse.com/security/cve/CVE-2017-14617.html https://www.suse.com/security/cve/CVE-2017-15565.html https://www.suse.com/security/cve/CVE-2018-10768.html https://bugzilla.suse.com/1059066 https://bugzilla.suse.com/1060220 https://bugzilla.suse.com/1064593 https://bugzilla.suse.com/1074453 https://bugzilla.suse.com/1092105 From sle-updates at lists.suse.com Tue Jun 16 07:37:08 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 15:37:08 +0200 (CEST) Subject: SUSE-SU-2020:1623-1: critical: Security update for nodejs6 Message-ID: <20200616133708.2CF6EF3D7@maintenance.suse.de> SUSE Security Update: Security update for nodejs6 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1623-1 Rating: critical References: #1166916 #1172443 Cross-References: CVE-2020-7598 CVE-2020-8174 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. 
Description: This update for nodejs6 fixes the following issues: - CVE-2020-8174: Fixed multiple memory corruption in napi_get_value_string_*() (bsc#1172443). - CVE-2020-7598: Fixed an issue which could have tricked minimist into adding or modifying properties of Object.prototype (bsc#1166916). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-1623=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1623=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1623=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-1623=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): nodejs6-6.17.1-11.37.1 nodejs6-debuginfo-6.17.1-11.37.1 nodejs6-debugsource-6.17.1-11.37.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): nodejs6-6.17.1-11.37.1 nodejs6-debuginfo-6.17.1-11.37.1 nodejs6-debugsource-6.17.1-11.37.1 - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64): nodejs6-6.17.1-11.37.1 nodejs6-debuginfo-6.17.1-11.37.1 nodejs6-debugsource-6.17.1-11.37.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): nodejs6-6.17.1-11.37.1 nodejs6-debuginfo-6.17.1-11.37.1 nodejs6-debugsource-6.17.1-11.37.1 nodejs6-devel-6.17.1-11.37.1 npm6-6.17.1-11.37.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): nodejs6-docs-6.17.1-11.37.1 References: https://www.suse.com/security/cve/CVE-2020-7598.html https://www.suse.com/security/cve/CVE-2020-8174.html https://bugzilla.suse.com/1166916 https://bugzilla.suse.com/1172443 From sle-updates at lists.suse.com Tue Jun 16 07:42:54 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 15:42:54 +0200 (CEST) Subject: 
SUSE-OU-2020:1627-1: Optional update for python-keystoneclient and python-keystoneauth1 Message-ID: <20200616134254.E770CF3D7@maintenance.suse.de> SUSE Optional Update: Optional update for python-keystoneclient and python-keystoneauth1 ______________________________________________________________________________ Announcement ID: SUSE-OU-2020:1627-1 Rating: low References: #1172765 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP1 ______________________________________________________________________________ An update that has one optional fix can now be installed. Description: This update for python-keystoneclient and python-keystoneauth1 doesn't fix any user visible issues. Patch Instructions: To install this SUSE Optional Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15-SP1: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-1627=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (noarch): python3-keystoneauth1-3.10.1-4.3.1 python3-keystoneclient-3.17.0-4.3.1 References: https://bugzilla.suse.com/1172765 From sle-updates at lists.suse.com Tue Jun 16 07:50:38 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 15:50:38 +0200 (CEST) Subject: SUSE-SU-2020:1625-1: moderate: Security update for mariadb Message-ID: <20200616135038.BE5CFF749@maintenance.suse.de> SUSE Security Update: Security update for mariadb ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1625-1 Rating: moderate References: #1171550 Cross-References: CVE-2020-2752 CVE-2020-2812 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes two 
vulnerabilities is now available. Description: This update for mariadb fixes the following issues: mariadb was updated to version 10.0.44 (bsc#1171550) - CVE-2020-2752: Fixed an issue which could have resulted in unauthorized ability to cause denial of service. - CVE-2020-2812: Fixed an issue which could have resulted in unauthorized ability to cause denial of service. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1625=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1625=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1625=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): libmysqlclient18-10.0.40.4-29.41.3 libmysqlclient18-debuginfo-10.0.40.4-29.41.3 - SUSE OpenStack Cloud 8 (x86_64): libmysqlclient18-10.0.40.4-29.41.3 libmysqlclient18-debuginfo-10.0.40.4-29.41.3 - HPE Helion Openstack 8 (x86_64): libmysqlclient18-10.0.40.4-29.41.3 libmysqlclient18-debuginfo-10.0.40.4-29.41.3 References: https://www.suse.com/security/cve/CVE-2020-2752.html https://www.suse.com/security/cve/CVE-2020-2812.html https://bugzilla.suse.com/1171550 From sle-updates at lists.suse.com Tue Jun 16 08:53:19 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 16:53:19 +0200 (CEST) Subject: SUSE-CU-2020:193-1: Security update of suse/sles12sp3 Message-ID: <20200616145319.3B0FEF749@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp3 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:193-1 Container Tags : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.164 , suse/sles12sp3:latest Container Release : 24.164 Severity : important Type : security References : 1172265 CVE-2017-9103 
CVE-2017-9104 CVE-2017-9105 CVE-2017-9106 CVE-2017-9107 CVE-2017-9108 CVE-2017-9109 ----------------------------------------------------------------- The container suse/sles12sp3 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1612-1 Released: Fri Jun 12 09:43:17 2020 Summary: Security update for adns Type: security Severity: important References: 1172265,CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9106,CVE-2017-9107,CVE-2017-9108,CVE-2017-9109 This update for adns fixes the following issues: - CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver which could have led to remote code execution (bsc#1172265). - CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of service (bsc#1172265). - CVE-2017-9107: Fixed an issue when querying domain names which could have led to denial of service (bsc#1172265). - CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265). From sle-updates at lists.suse.com Tue Jun 16 09:02:41 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 17:02:41 +0200 (CEST) Subject: SUSE-CU-2020:194-1: Security update of suse/sles12sp4 Message-ID: <20200616150241.12BD1FD07@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:194-1 Container Tags : suse/sles12sp4:26.196 , suse/sles12sp4:latest Container Release : 26.196 Severity : important Type : security References : 1172265 CVE-2017-9103 CVE-2017-9104 CVE-2017-9105 CVE-2017-9106 CVE-2017-9107 CVE-2017-9108 CVE-2017-9109 ----------------------------------------------------------------- The container suse/sles12sp4 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1612-1 Released: Fri Jun 12 09:43:17 2020 Summary: Security update for adns Type: security Severity: important References: 1172265,CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9106,CVE-2017-9107,CVE-2017-9108,CVE-2017-9109 This update for adns fixes the following issues: - CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver which could have led to remote code execution (bsc#1172265). - CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of service (bsc#1172265). - CVE-2017-9107: Fixed an issue when querying domain names which could have led to denial of service (bsc#1172265). - CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265). From sle-updates at lists.suse.com Tue Jun 16 09:06:48 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 17:06:48 +0200 (CEST) Subject: SUSE-CU-2020:195-1: Security update of suse/sles12sp5 Message-ID: <20200616150648.C9A24FD07@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:195-1 Container Tags : suse/sles12sp5:6.5.11 , suse/sles12sp5:latest Container Release : 6.5.11 Severity : important Type : security References : 1172265 CVE-2017-9103 CVE-2017-9104 CVE-2017-9105 CVE-2017-9106 CVE-2017-9107 CVE-2017-9108 CVE-2017-9109 ----------------------------------------------------------------- The container suse/sles12sp5 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1612-1 Released: Fri Jun 12 09:43:17 2020 Summary: Security update for adns Type: security Severity: important References: 1172265,CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9106,CVE-2017-9107,CVE-2017-9108,CVE-2017-9109 This update for adns fixes the following issues: - CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver which could have led to remote code execution (bsc#1172265). - CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of service (bsc#1172265). - CVE-2017-9107: Fixed an issue when querying domain names which could have led to denial of service (bsc#1172265). - CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265). From sle-updates at lists.suse.com Tue Jun 16 10:13:13 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 18:13:13 +0200 (CEST) Subject: SUSE-RU-2020:1628-1: moderate: Initial update for blue-horizon, blue-horizon-config-deploy-cap-aks, python3-cloudinstancecredentials, rubygem-active_link_to, rubygem-addressable, rubygem-cf-uaac, rubygem-erubis, rubygem-haml-rails, rubygem-hamster, rubygem-hcl-checker, rubygem-html2haml, rubygem-jbuilder, rubygem-lino, rubygem-open4, rubygem-public_suffix, rubygem-redcarpet, rubygem-ruby-terraform, rubygem-rubyzip, rubygem-sqlite3, rubygem-temple, terraform-provider-azurerm, terraform-provider-external, terraform-provider-helm, terraform-provider-kubernetes, terraform-provider-local, terraform-provider-null, terraform-provider-random Message-ID: <20200616161313.ECC5FF749@maintenance.suse.de> SUSE Recommended Update: Initial update for blue-horizon, blue-horizon-config-deploy-cap-aks, python3-cloudinstancecredentials, rubygem-active_link_to, rubygem-addressable, rubygem-cf-uaac, 
rubygem-erubis, rubygem-haml-rails, rubygem-hamster, rubygem-hcl-checker, rubygem-html2haml, rubygem-jbuilder, rubygem-lino, rubygem-open4, rubygem-public_suffix, rubygem-redcarpet, rubygem-ruby-terraform, rubygem-rubyzip, rubygem-sqlite3, rubygem-temple, terraform-provider-azurerm, terraform-provider-external, terraform-provider-helm, terraform-provider-kubernetes, terraform-provider-local, terraform-provider-null, terraform-provider-random ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1628-1 Rating: moderate References: #1170721 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for blue-horizon, blue-horizon-config-deploy-cap-aks, python3-cloudinstancecredentials, rubygem-active_link_to, rubygem-addressable, rubygem-cf-uaac, rubygem-erubis, rubygem-haml-rails, rubygem-hamster, rubygem-hcl-checker, rubygem-html2haml, rubygem-jbuilder, rubygem-lino, rubygem-open4, rubygem-public_suffix, rubygem-redcarpet, rubygem-ruby-terraform, rubygem-rubyzip, rubygem-sqlite3, rubygem-temple, terraform-provider-azurerm, terraform-provider-external, terraform-provider-helm, terraform-provider-kubernetes, terraform-provider-local, terraform-provider-null, terraform-provider-random contains the following fixes: Include package dependencies for CAP in Azure Marketplace as part of the ECO-1567. 
(bsc#1170721, jsc#ECO-1567) The following packages were added to the product: - terraform-provider-azurerm - terraform-provider-helm - terraform-provider-kubernetes - terraform-provider-random - terraform-provider-external - terraform-provider-local - terraform-provider-null (codestream-only): - rubygem-redcarpet - rubygem-hamster - rubygem-hcl-checker - rubygem-lino - rubygem-ruby-terraform - rubygem-sqlite3 - rubygem-temple - rubygem-active_link_to - rubygem-addressable - rubygem-erubis - rubygem-haml-rails - rubygem-html2haml - rubygem-jbuilder - rubygem-open4 - rubygem-public_suffix - rubygem-rubyzip - rubygem-cf-uaac - python3-cloudinstancecredentials - blue-horizon - blue-horizon-config-deploy-cap-aks Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15-SP1: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-1628=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (aarch64 ppc64le s390x x86_64): terraform-provider-azurerm-2.7.0-3.3.2 terraform-provider-external-1.2.0-3.3.7 terraform-provider-helm-1.0.0-3.3.2 terraform-provider-kubernetes-1.10.0-3.3.7 terraform-provider-local-1.4.0-3.3.7 terraform-provider-null-2.1.2-3.3.7 terraform-provider-random-2.2.1-3.3.6 References: https://bugzilla.suse.com/1170721 From sle-updates at lists.suse.com Tue Jun 16 11:25:08 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 19:25:08 +0200 (CEST) Subject: SUSE-CU-2020:196-1: Security update of caasp/v4/cert-exporter Message-ID: <20200616172508.75562F749@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/cert-exporter ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:196-1 Container Tags : caasp/v4/cert-exporter:2.3.0 , 
caasp/v4/cert-exporter:2.3.0-rev1 , caasp/v4/cert-exporter:2.3.0-rev1-build1.5.1 Container Release : 1.5.1 Severity : important Type : security ----------------------------------------------------------------- The container caasp/v4/cert-exporter was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1223-1 Released: Tue Jun 26 11:41:00 2018 Summary: Security update for gpg2 Type: security Severity: important References: 1096745,CVE-2018-12020 This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1264-1 Released: Tue Jul 3 10:56:12 2018 Summary: Recommended update for curl Type: recommended Severity: moderate References: 1086367 This update for curl provides the following fix: - Use OPENSSL_config() instead of CONF_modules_load_file() to avoid crashes due to conflicting openssl engines. (bsc#1086367) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1327-1 Released: Tue Jul 17 08:07:24 2018 Summary: Security update for perl Type: security Severity: moderate References: 1096718,CVE-2018-12015 This update for perl fixes the following issues: - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1346-1 Released: Thu Jul 19 09:25:08 2018 Summary: Security update for glibc Type: security Severity: moderate References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 This update for glibc fixes the following security issues: - CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the 
address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150). - CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161). - CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1353-1 Released: Thu Jul 19 09:50:32 2018 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572 This update for e2fsprogs fixes the following issues: Security issues fixed: - CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402). - CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346). Bug fixes: - bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system. - bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system. - bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1362-1 Released: Thu Jul 19 12:47:33 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1100415 ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store. 
(bsc#1100415) Following CAs were removed: * S-TRUST_Universal_Root_CA * TC_TrustCenter_Class_3_CA_II * TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1396-1 Released: Thu Jul 26 16:23:09 2018 Summary: Security update for rpm Type: security Severity: moderate References: 1094735,1095148,943457,CVE-2017-7500 This update for rpm fixes the following issues: This security vulnerability was fixed: - CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1409-1 Released: Fri Jul 27 06:45:10 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569 This update for systemd provides the following fixes: - systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973) - systemctl: Check the existence of all units, not just the first one. - scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099) - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files. - Fix pattern to detect distribution. - install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search for preset files in /run (#7715) - install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851) - install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement. - install: Only consider names in Alias= as 'enabling'. - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - fileio: Support writing atomic files with timestamp. 
- fileio.c: Fix incorrect mtime - Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569) - An update broke booting with encrypted partitions on NVMe (bsc#1095096) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1685-1 Released: Fri Aug 17 18:20:58 2018 Summary: Security update for curl Type: security Severity: moderate References: 1099793,CVE-2018-0500 This update for curl fixes the following issues: Security issue fixed: - CVE-2018-0500: Fix a SMTP send heap buffer overflow (bsc#1099793). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1754-1 Released: Fri Aug 24 16:40:21 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1104780 This update for ca-certificates-mozilla fixes the following issues: Updated to the 2.26 state of the Mozilla NSS Certificate store. 
(bsc#1104780) - removed server auth rights from following CAs: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - removed CA - ComSign CA - new CA added: - GlobalSign ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1760-1 Released: Fri Aug 24 17:14:53 2018 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1072183 This update for libtirpc fixes the following issues: - rpcinfo: send RPC getport call as specified via parameter (bsc#1072183) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1904-1 Released: Fri Sep 14 12:46:39 2018 Summary: Security update for curl Type: security Severity: moderate References: 1086367,1106019,CVE-2018-14618 This update for curl fixes the following issues: This security issue was fixed: - CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019) This non-security issue was fixed: - Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due to openssl engines conflicts (bsc#1086367) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1999-1 Released: Tue Sep 25 08:20:35 2018 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1071321 This update for zlib provides the following fixes: - Speedup zlib on power8. (fate#325307) - Add safeguard against negative values in uInt. (bsc#1071321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2055-1 Released: Thu Sep 27 14:30:14 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. 
(bsc#1089640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2070-1
Released: Fri Sep 28 08:02:02 2018
Summary: Security update for gnutls
Type: security
Severity: moderate
References: 1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846

This update for gnutls fixes the following security issues:
- Improved mitigations against Lucky 13 class of attacks
- CVE-2018-10846: 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (bsc#1105460)
- CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (bsc#1105459)
- CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (bsc#1105437)
- CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (bsc#1047002)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2083-1
Released: Sun Sep 30 14:06:33 2018
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1097158,1101470,CVE-2018-0732

This update for openssl-1_1 to 1.1.0i fixes the following issues:
These security issues were fixed:
- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158)
- Make problematic ECDSA sign addition length-invariant
- Add blinding to ECDSA and DSA signatures to protect against side channel attacks
These non-security issues were fixed:
- When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases.
- Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed.
- Fixed a text canonicalisation bug in CMS
- Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2155-1
Released: Fri Oct 5 14:41:17 2018
Summary: Recommended update for ca-certificates
Type: recommended
Severity: moderate
References: 1101470

This update for ca-certificates fixes the following issues:
- Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2177-1
Released: Tue Oct 9 09:00:13 2018
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1095661,1095670,1100488

This update for bash provides the following fixes:
- Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661)
- Make the generation of bash.html reproducible. (bsc#1100488)
- Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670)
- Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes.
- Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler.
- Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence.
- Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2182-1
Released: Tue Oct 9 11:08:36 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251

This update for libxml2 fixes the following security issues:
- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2370-1
Released: Mon Oct 22 14:02:01 2018
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1102310,1104531

This update for aaa_base provides the following fixes:
- Let bash.bashrc work even for (m)ksh. (bsc#1104531)
- Fix an error at login if java system directory is empty. (bsc#1102310)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2487-1
Released: Fri Oct 26 12:39:07 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1102526

This update for glibc fixes the following issues:
- Fix build on aarch64 with binutils newer than 2.30.
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2539-1
Released: Tue Oct 30 16:17:23 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1113100

This update for rpm fixes the following issues:
- On PowerPC64 fix the superfluous TOC. dependency (bsc#1113100)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2569-1
Released: Fri Nov 2 19:00:18 2018
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1110700

This update for pam fixes the following issues:
- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2578-1
Released: Mon Nov 5 17:55:35 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1112758,1113660,CVE-2018-16839,CVE-2018-16840,CVE-2018-16842

This update for curl fixes the following issues:
- CVE-2018-16839: A SASL password overflow via integer overflow was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16840: A use-after-free in SASL handle close was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2595-1
Released: Wed Nov 7 11:14:42 2018
Summary: Security update for systemd
Type: security
Severity: important
References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688

This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite
heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)
Non security issues fixed:
- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- core: introduce systemd.early_core_pattern= kernel cmdline option
- core: add missing 'continue' statement
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- install: drop left-over debug message (#6913)
- Ship systemd-sysv-install helper via the main package
  This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to
redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SysV init tool.
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908)
- core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944)
- Enable or disable machines.target according to the presets (bsc#1107941)
- cryptsetup: add support for sector-size= option (fate#325697)
- nspawn: always use permission mode 555 for /sys (bsc#1107640)
- Bugfix for a race condition between daemon-reload and other commands (bsc#1105031)
- Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677)
- Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901)
- No longer adjusts qgroups on existing subvolumes (bsc#1093753)
- cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2607-1
Released: Wed Nov 7 15:42:48 2018
Summary: Optional update for gcc8
Type: recommended
Severity: low
References: 1084812,1084842,1087550,1094222,1102564

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several bugs have been fixed, quite a few new warnings have been added, and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2825-1
Released: Mon Dec 3 15:35:02 2018
Summary: Security update for pam
Type: security
Severity: important
References: 1115640,CVE-2018-17953

This update for pam fixes the following issue:
Security issue fixed:
- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2861-1
Released: Thu Dec 6 14:32:01 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1103320,1115929,CVE-2018-19211

This update for ncurses fixes the following issues:
Security issue fixed:
- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).
Non-security issue fixed:
- Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2984-1
Released: Wed Dec 19 11:32:39 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314

This update for perl fixes the following issues:
Security issues fixed:
- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
- CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675).
- CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681).
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2986-1
Released: Wed Dec 19 13:53:22 2018
Summary: Security update for libnettle
Type: security
Severity: moderate
References: 1118086,CVE-2018-16869

This update for libnettle fixes the following issues:
Security issues fixed:
- CVE-2018-16869: Fixed a leaky data conversion exposing a Manger oracle (bsc#1118086)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:23-1
Released: Mon Jan 7 16:30:33 2019
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 1120346,CVE-2018-1000858

This update for gpg2 fixes the following issue:
Security issue fixed:
- CVE-2018-1000858: Fixed a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:44-1
Released: Tue Jan 8 13:07:32 2019
Summary: Recommended update for acl
Type: recommended
Severity: low
References: 953659

This update for acl fixes the following issues:
- test: Add helper library to fake passwd/group files.
- quote: Escape literal backslashes.
(bsc#953659)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:137-1
Released: Mon Jan 21 15:52:45 2019
Summary: Security update for systemd
Type: security
Severity: important
References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954

This update for systemd provides the following fixes:
Security issues fixed:
- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)
Non-security issues fixed:
- pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498)
- systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933)
- systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723)
- Fixed installation issue with /etc/machine-id during update (bsc#1117063)
- btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online.
(bsc#1076696)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:147-1
Released: Wed Jan 23 17:57:31 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1121446

This update for ca-certificates-mozilla fixes the following issues:
The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)
Removed Root CAs:
- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root
Added Root CAs:
- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:189-1
Released: Mon Jan 28 14:14:46 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References:

This update for rpm fixes the following issues:
- Add kmod(module) provides to kernel and KMPs (fate#326579).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:247-1
Released: Wed Feb 6 07:18:45 2019
Summary: Security update for lua53
Type: security
Severity: moderate
References: 1123043,CVE-2019-6706

This update for lua53 fixes the following issues:
Security issue fixed:
- CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:248-1
Released: Wed Feb 6 08:35:20 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823

This update for curl fixes the following issues:
Security issues fixed:
- CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
- CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
- CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:369-1
Released: Wed Feb 13 14:01:42 2019
Summary: Recommended update for itstool
Type: recommended
Severity: moderate
References: 1065270,1111019

This update for itstool and python-libxml2-python fixes the following issues:
Package: itstool
- Updated version to support Python3. (bnc#1111019)
Package: python-libxml2-python
- Fix segfault when parsing invalid data.
(bsc#1065270)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:426-1
Released: Mon Feb 18 17:46:55 2019
Summary: Security update for systemd
Type: security
Severity: important
References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454

This update for systemd fixes the following issues:
- CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352)
- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- logind: fix bad error propagation
- login: log session state 'closing' (as well as New/Removed)
- logind: fix borked r check
- login: don't remove all devices from PID1 when only one was removed
- login: we only allow opening character devices
- login: correct comment in session_device_free()
- login: remember that fds received from PID1 need to be removed eventually
- login: fix FDNAME in call to sd_pid_notify_with_fds()
- logind: fd 0 is a valid fd
- logind: rework sd_eviocrevoke()
- logind: check file is device node before using .st_rdev
- logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153)
- core: add a new sd_notify() message for removing fds from the FD store again
- logind: make sure we don't trip up on half-initialized session devices (bsc#1123727)
- fd-util: accept that kcmp might fail with EPERM/EACCES
- core: Fix use after free case in load_from_path() (bsc#1121563)
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- core: free lines after reading them (bsc#1123892)
- sd-bus: if we receive an invalid dbus message, ignore and proceed
- automount: don't pass non-blocking pipe to kernel.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:571-1
Released: Thu Mar 7 18:13:46 2019
Summary: Security update for file
Type: security
Severity: moderate
References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907

This update for file fixes the following issues:
The following security vulnerabilities were addressed:
- CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:641-1
Released: Tue Mar 19 13:17:28 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1112570,1114984,1114993

This update for glibc provides the following fixes:
- Fix Haswell CPU string flags. (bsc#1114984)
- Fix waiters-after-spinning case. (bsc#1114993)
- Do not relocate absolute symbols. (bsc#1112570)
- Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551)
- Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962)
- Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:664-1
Released: Wed Mar 20 14:54:12 2019
Summary: Recommended update for gpgme
Type: recommended
Severity: low
References: 1121051

This update for gpgme provides the following fix:
- Re-generate keys in Qt tests to not expire.
(bsc#1121051)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:700-1
Released: Thu Mar 21 19:54:00 2019
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1044840

This update for cyrus-sasl provides the following fix:
- Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:713-1
Released: Fri Mar 22 15:55:05 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1063675,1126590

This update for glibc fixes the following issues:
- Add MAP_SYNC from Linux 4.15 (bsc#1126590)
- Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590)
- nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:732-1
Released: Mon Mar 25 14:10:04 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1088524,1118364,1128246

This update for aaa_base fixes the following issues:
- Restore old position of ssh/sudo source of profile (bsc#1118364).
- Update logic for JRE_HOME env variable (bsc#1128246)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:788-1
Released: Thu Mar 28 11:55:06 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1119687,CVE-2018-20346

This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:
- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
Release notes: https://www.sqlite.org/releaselog/3_27_2.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:791-1
Released: Thu Mar 28 12:06:50 2019
Summary: Security update for libnettle
Type: recommended
Severity: moderate
References: 1129598

This update for libnettle to version 3.4.1 fixes the following issues:
Issues addressed and new features:
- Updated to 3.4.1 (fate#327114 and bsc#1129598)
- Fixed missing break statements in the parsing of PEM input files in pkcs1-conv.
- Fixed a link error on the pss-mgf1-test which was affecting builds without public key support.
- All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption.
- Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack, which is why the new function rsa_sec_decrypt is recommended.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:858-1
Released: Wed Apr 3 15:50:37 2019
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1120689,1126096

This update for libtirpc fixes the following issues:
- Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096).
- add an option to enforce connection via protocol version 2 first (bsc#1120689).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:894-1
Released: Fri Apr 5 17:16:23 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1119414,1126327,1129753,SLE-3853,SLE-4117

This update for rpm fixes the following issues:
- This update shortens RPM changelog to after a certain cut off date (bsc#1129753)
- Translate dashes to underscores in kmod provides (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1119414).
- Re-add symset-table from SLE 12 (bsc#1126327).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:903-1
Released: Mon Apr 8 15:41:44 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1100396,1122729,1130045,CVE-2016-10739

This update for glibc fixes the following issues:
Security issue fixed:
- CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729).
Other issue fixed:
- Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list due to missing compiler barriers (bsc#1130045).
- Added new Japanese Era name support (bsc#1100396).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1002-1
Released: Wed Apr 24 10:13:34 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1110304,1129576

This update for zlib fixes the following issues:
- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released: Thu Apr 25 17:09:21 2019
Summary: Security update for samba
Type: security
Severity: important
References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880

This update for samba fixes the following issues:
Security issue fixed:
- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).
ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):
- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb
Non-security issues fixed:
- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide by the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1121-1
Released: Tue Apr 30 18:02:43 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1130681,1130682,CVE-2018-16868,CVE-2019-3829,CVE-2019-3836

This update for gnutls to version 3.6.7 fixes the following issues:
Security issues fixed:
- CVE-2019-3836: Fixed an invalid pointer access via malformed TLS1.3 async messages (bsc#1130682).
- CVE-2019-3829: Fixed a double free vulnerability in the certificate verification API (bsc#1130681).
- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087)
Non-security issue fixed:
- Update gnutls to support TLS 1.3 (fate#327114)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1127-1
Released: Thu May 2 09:39:24 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937

This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:
- CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1206-1
Released: Fri May 10 14:01:55 2019
Summary: Security update for bzip2
Type: security
Severity: low
References: 985657,CVE-2016-3189

This update for bzip2 fixes the following issues:
Security issue fixed:
- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1312-1
Released: Wed May 22 12:19:12 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1096191

This update for aaa_base fixes the following issue:
* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1351-1
Released: Fri May 24 14:41:10 2019
Summary: Security update for gnutls
Type: security
Severity: important
References: 1118087,1134856,CVE-2018-16868

This update for gnutls fixes the following issues:
Security issue fixed:
- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification (bsc#1118087).
Non-security issue fixed:
- Explicitly require libnettle 3.4.1 to prevent missing symbol errors (bsc#1134856).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1357-1
Released: Mon May 27 13:29:15 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1135170,CVE-2019-5436

This update for curl fixes the following issues:
Security issue fixed:
- CVE-2019-5436: Fixed a heap buffer overflow in tftp_receive_packet, which receives data from a TFTP server (bsc#1135170).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1364-1
Released: Tue May 28 10:51:38 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933

This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352).
- CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509).

Non-security issues fixed:

- logind: fix killing of scopes (bsc#1125604)
- namespace: make MountFlags=shared work again (bsc#1124122)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- Do not automatically online memory on s390x (bsc#1127557)
- Removed sg.conf (bsc#1036463)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1368-1
Released: Tue May 28 13:15:38 2019
Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root
Type: security
Severity: important
References: 1134524,CVE-2019-5021

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1372-1
Released: Tue May 28 16:53:28 2019
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1105435,CVE-2018-1000654

This update for libtasn1 fixes the following issues:

Security issue fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1484-1
Released: Thu Jun 13 07:46:46 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1128383

This update for e2fsprogs fixes the following issues:

- Check and fix tails of all bitmap blocks (bsc#1128383)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1486-1
Released: Thu Jun 13 09:40:24 2019
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665

This update for elfutils fixes the following issues:

Security issues fixed:

- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
- CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
- CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090)
- CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
- CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
- CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-18310: Fixed an invalid
address read problem in dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726)
- CVE-2018-18521: Fixed denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1590-1
Released: Thu Jun 20 19:49:57 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1128598

This update for permissions fixes the following issues:

- Added whitelisting for /usr/lib/singularity/bin/starter-suid in the new singularity 3.1 version. (bsc#1128598)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1631-1
Released: Fri Jun 21 11:17:21 2019
Summary: Recommended update for xz
Type: recommended
Severity: low
References: 1135709

This update for xz fixes the following issues:

Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1635-1
Released: Fri Jun 21 12:45:53 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1134217

This update for krb5 provides the following fix:

- Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap.
(bsc#1134217)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1700-1
Released: Tue Jun 25 13:19:21 2019
Summary: Security update for libssh
Type: recommended
Severity: moderate
References: 1134193

This update for libssh fixes the following issue:

Issue addressed:

- Added support for new AES-GCM encryption types (bsc#1134193).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1808-1
Released: Wed Jul 10 13:16:29 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1133808

This update for libgcrypt fixes the following issues:

- Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1846-1
Released: Mon Jul 15 11:36:33 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1853-1
Released: Mon Jul 15 16:03:36 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1107617,1137053

This update for systemd fixes the following issues:

- conf-parse: remove 4K line length limit (bsc#1137053)
- udevd: change the default value of udev.children-max (again) (bsc#1107617)
- meson: stop creating enablement symlinks in /etc during installation (sequel)
- Fixed build for openSUSE Leap 15+
- Make sure we don't ship any static enablement symlinks in /etc
  Those symlinks must only be created by the presets.
  There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1877-1
Released: Thu Jul 18 11:31:46 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169

This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).

Non-security issues fixed:

- No longer compresses debug sections in crt*.o files (bsc#1123710)
- Fixes a concurrency problem in ldconfig (bsc#1117993)
- Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1971-1
Released: Thu Jul 25 14:58:52 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1138939,CVE-2019-12904

This update for libgcrypt fixes the following issues:

Security issue fixed:

- CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1994-1
Released: Fri Jul 26 16:12:05 2019
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1135123

This update for libxml2 fixes the following issues:

- Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files.
(bsc#1135123)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2004-1
Released: Mon Jul 29 13:01:59 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2006-1
Released: Mon Jul 29 13:02:49 2019
Summary: Security update for gpg2
Type: security
Severity: important
References: 1124847,1141093,CVE-2019-13050

This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed denial of service attacks via big keys (bsc#1141093).

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2097-1
Released: Fri Aug 9 09:31:17 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1097073

This update for libgcrypt fixes the following issues:

- Fixed a regression where systems were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2134-1
Released: Wed Aug 14 11:54:56 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1136717,1137624,1141059,SLE-5807

This update for zlib fixes the following issues:

- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements.
(jsc#SLE-5807, bsc#1136717)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2188-1
Released: Wed Aug 21 10:10:29 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1140647

This update for aaa_base fixes the following issues:

- Make systemd detection cgroup oblivious. (bsc#1140647)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2218-1
Released: Mon Aug 26 11:29:57 2019
Summary: Recommended update for pinentry
Type: recommended
Severity: moderate
References: 1141883

This update for pinentry fixes the following issues:

- Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169

This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)

Removed CAs:

- Certinomis - Root CA

Includes new root CAs from the 2.32 version:

- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released: Thu Sep 12 14:18:53 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:

- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released: Wed Sep 18 16:14:29 2019
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563

This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]

* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance.
  (bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132

This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

The following settings have been tightened (and set to 0):

- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168

This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released: Thu Oct 10 17:22:35 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1110797

This update for permissions fixes the following issues:

- Updated permissions for amanda. (bsc#1110797)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094

This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems.
  (bsc#1152101)

Non-security issue fixed:

- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

Following security issues were fixed:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:

- Fix CPU summary showing old data.
  (bsc#1121753)

The update to 3.3.15 contains the following fixes:

* library: Increment to 8:0:1
  No removals, no new functions
  Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert 'Support running with child namespaces'
* library: Increment to 7:0:1
  No changes, no removals
  New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: don't use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch
  for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released: Tue Oct 22 15:40:16 2019
Summary: Recommended update for libzypp, zypper, libsolv and PackageKit
Type: recommended
Severity: important
References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534

This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed in libsolv:

- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:

- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which all packages were not updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives

Issues fixed in libzypp:

- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolvers general attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection. (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:

- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhid 'ps' command in help
- Added option to show more conflict information
- Rephrased `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)

Issues fixed in PackageKit:

- Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script (bsc#1130306).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released: Wed Oct 23 17:21:17 2019
Summary: Security update for lz4
Type: security
Severity: moderate
References: 1153936,CVE-2019-17543

This update for lz4 fixes the following issues:

- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released: Tue Oct 29 14:57:55 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1140631,1145023,1150595,SLE-7687

This update for systemd provides the following fixes:

- Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released: Thu Oct 31 08:09:14 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1051143,1138869,1151023

This update for aaa_base provides the following fixes:

- Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released: Thu Nov 14 11:53:03 2019
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1133773,1143055

This update for bash fixes the following issues:

- Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm'
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released: Thu Nov 14 22:45:33 2019
Summary: Optional update for curl
Type: optional
Severity: low
References: 1154019

This update for curl doesn't address any user visible issues.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595

This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:

- Removed screen.xterm from terminfo database (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3010-1
Released: Tue Nov 19 18:10:58 2019
Summary: Recommended update for zypper and libsolv
Type: recommended
Severity: moderate
References: 1145554,1146415,1149511,1153351,SLE-9171

This update for zypper and libsolv fixes the following issues:

Package: zypper

- Improved the documentation of $releasever and --releasever use cases (bsc#1149511)
- zypper will now ask only once when multiple packages share the same license text (bsc#1145554)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415)
- Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351)
- Added a new --repo option to the 'download' command to allow specifying a repository (jsc#SLE-9171)

Package: libsolv

- Fixes issues when updating too many packages in focusbest mode
- Fixes the handling of disabled and installed packages in distupgrade

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released: Mon Nov 25 17:33:07 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866

This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written in the
  header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Type: security
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536

This update includes the GNU Compiler Collection 9.

A full changelog is provided by the GCC team on:

https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.

To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released: Tue Nov 26 12:39:29 2019
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1152755

This update for gpg2 provides the following fix:

- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail.
(bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect all CVEs that have been fixed over the past. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. 
(bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3181-1 Released: Thu Dec 5 11:43:07 2019 Summary: Security update for permissions Type: security Severity: moderate References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690 This update for permissions fixes the following issues: - CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414). - CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734). - Fixed a regression which caused a segmentation fault (bsc#1157198). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:69-1 Released: Fri Jan 10 12:33:59 2020 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789 This update for openssl-1_1 fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Various FIPS related improvements were done: - FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775). - Port FIPS patches from SLE-12 (bsc#1158101). - Use SHA-2 in the RSA pairwise consistency check (bsc#1155346). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger. 
(bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot 
option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:432-1 Released: Fri Feb 21 14:34:16 2020 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900 This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). - Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). - Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205). 
- Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. 
(bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:726-1 Released: Thu Mar 19 13:23:03 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513 This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184). 
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461). - CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) Bug fixes and enhancements: - Fixed mistake in spec file (bsc#1125689) Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481) * lib: Add nghttp2_check_authority as public API * lib: Fix the bug that stream is closed with wrong error code * lib: Faster huffman encoding and decoding * build: Avoid filename collision of static and dynamic lib * build: Add new flag ENABLE_STATIC_CRT for Windows * build: cmake: Support building nghttpx with systemd * third-party: Update neverbleed to fix memory leak * nghttpx: Fix bug that mruby is incorrectly shared between backends * nghttpx: Reconnect h1 backend if it lost connection before sending headers * nghttpx: Returns 408 if backend timed out before sending headers * nghttpx: Fix request stal - Conditionally remove dependency on jemalloc for SLE-12 - Require correct library from devel package - boo#1125689 Update to version 1.39.2 (bsc#1146184, bsc#1146182): * This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. * Add nghttp2_option_set_max_outbound_ack API function * nghttpx: Fix request stall Update to version 1.39.1: * This release fixes the bug that log-level is not set with cmd-line or configuration file. 
It also fixes FPE with default backend. Changes for version 1.39.0: * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230. * mruby has been upgraded to 2.0.1. * libnghttp2-asio now supports boost-1.70. * http-parser has been replaced with llhttp. * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-↑ - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. 
- core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:42 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added continuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details). 
myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:834-1 Released: Tue Mar 31 17:21:34 2020 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1167163 This update for permissions fixes the following issue: - whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. 
This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. 
(bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to exercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:967-1 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:969-1 Released: Thu Apr 9 11:43:17 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1168364 This update for permissions fixes the following issues: - Fixed spelling of icinga group (bsc#1168364) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:981-1 Released: Mon Apr 13 15:43:44 2020 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1156300 This update for rpm fixes the following issues: - Fix for language package macros to avoid wrong requirement on shared library. 
(bsc#1156300) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1026-1 Released: Fri Apr 17 16:14:43 2020 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1159314 This update for libsolv fixes the following issues: libsolv was updated to version 0.7.11: - fix solv_zchunk decoding error if large chunks are used (bsc#1159314) - treat retracted patches as irrelevant - made add_update_target work with multiversion installs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1047-1 Released: Tue Apr 21 10:33:06 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1168835 This update for gnutls fixes the following issues: - Backport AES XTS support (bsc#1168835) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1063-1 Released: Wed Apr 22 10:46:50 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1165539,1169569 This update for libgcrypt fixes the following issues: - FIPS: Switch the PCT to use the new signature operation (bsc#1165539) - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539) - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates. 
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1108-1 Released: Fri Apr 24 16:31:01 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1169992 This update for gnutls fixes the following issues: - FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1175-1 Released: Tue May 5 08:33:43 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1165011,1168076 This update for systemd fixes the following issues: - Fix check for address to keep interface names stable. (bsc#1168076) - Fix for checking non-normalized WHAT for network FS. (bsc#1165011) - Allow to specify an arbitrary string for when vfs is used. (bsc#1165011) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1214-1 Released: Thu May 7 11:20:34 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1169944 This update for libgcrypt fixes the following issues: - FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1219-1 Released: Thu May 7 17:10:42 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1170771,CVE-2020-12243 This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1226-1 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Type: recommended Severity: moderate References: 1149995,1152590,1167898 This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1271-1 Released: Wed May 13 13:17:59 2020 Summary: Recommended update for permissions Type: recommended Severity: important References: 1171173 This update for permissions fixes the following issues: - Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1290-1 Released: Fri May 15 16:39:59 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1171422 This update for gnutls fixes the following issues: - Add RSA 4096 key generation support in FIPS mode (bsc#1171422) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1294-1 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Type: security Severity: moderate References: 1154661,1169512,CVE-2019-18218 This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1299-1 Released: Mon May 18 07:43:21 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595 This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2019-19956: Fixed a memory leak (bsc#1159928). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1328-1 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1155271 This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1361-1 Released: Thu May 21 09:31:18 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1171872 This update for libgcrypt fixes the following issues: - FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1400-1 Released: Mon May 25 14:09:02 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1162930 This update for glibc fixes the following issues: - nptl: wait for pending setxid request also in detached thread. 
(bsc#1162930) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1404-1 Released: Mon May 25 15:32:34 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1138793,1166260 This update for zlib fixes the following issues: - Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide the DFLTCC instruction, which implements the deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1. - Add SUSE specific fix to solve bsc#1138793. The fix avoids testing whether the app was linked with exactly the same version of zlib as the one present at runtime. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1506-1 Released: Fri May 29 17:22:11 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1087982,1170527 This update for aaa_base fixes the following issues: - Not all XTerm-based emulators have a terminfo entry. (bsc#1087982) - Better support of Midnight Commander. (bsc#1170527) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1532-1 Released: Thu Jun 4 10:16:12 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1172021,CVE-2019-19956 This update for libxml2 fixes the following issues: - CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1573-1 Released: Tue Jun 9 12:07:53 2020 Summary: Add features for Metrics Server, Cert Status Checker, VSphere VCP, and Cilium Envoy Type: security Severity: moderate References: 1041090,1047218,1048688,1086909,1094448,1095603,1102920,1121353,1129568,1138908,1144068,1151876,1156450,1159002,1159003,1159004,1159539,1162651,1167073,1169506,CVE-2019-18801,CVE-2019-18802,CVE-2019-18836,CVE-2019-18838 Metrics Server * Support monitoring of *CPU* and *memory* of a pod or node. Cert Status Checker * Exposes cluster-wide certificate status and uses the monitoring stack (Prometheus and Grafana) to receive alerts through Prometheus Alertmanager and to monitor certificate status on a Grafana dashboard. VSphere VCP * Allow Kubernetes pods to use VMWare vSphere Virtual Machine Disk (VMDK) volumes as persistent storage. Cilium Envoy * Updated Cilium from version 1.5.3 to version 1.6.6 * Provide Envoy-proxy support for Cilium * Envoy and its dependencies packaged for version 1.12.2 * Cilium uses CRD and ConfigMap points on etcd are removed See release notes for installation instructions: https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/ Following CVE entries are relevant for the casp 4.2.1 update: cilium-proxy: CVE-2019-18801: An untrusted remote client might have been able to send HTTP/2 requests via cilium-proxy that could have written to the heap outside of the request buffers when the upstream is HTTP/1.
(bsc#1159002) CVE-2019-18802: A malformed request header may have caused bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) CVE-2019-18838: A malformed HTTP request without the Host header may cause abnormal termination of the Envoy process (bsc#1159004) CVE-2019-18836: Excessive iteration due to listener filter timeout in envoy could lead to DoS (bsc#1156450) kafka: CVE-2018-1288: authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request. (bsc#1102920) From sle-updates at lists.suse.com Tue Jun 16 11:26:36 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 19:26:36 +0200 (CEST) Subject: SUSE-CU-2020:197-1: Security update of caasp/v4/cilium-etcd-operator Message-ID: <20200616172636.95E29F749@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/cilium-etcd-operator ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:197-1 Container Tags : caasp/v4/cilium-etcd-operator:2.0.5 , caasp/v4/cilium-etcd-operator:2.0.5-rev3 , caasp/v4/cilium-etcd-operator:2.0.5-rev3-build3.5.1 Container Release : 3.5.1 Severity : important Type : security References : 1007715 1013125 1049825 1051143 1073313 1081947 1081947 1082293 1084671 1084934 1085196 1087982 1092100 1092920 1093414 1102840 1103320 1106214 1106383 1110797 1111388 1114592 1114845 1116995 1120629 1120630 1120631 1121197 1121753 1122417 1123919 1125689 1125886 1127155 1127608 1127701 1130306 1131113 1131823 1133495 1133773 1134226 1135114 1135254 1135534 1135708 1135749 1137977 1138793 1138869 1139459 1139459 1139795 1139939 1140039 1140631 1141113 1141897 1142649 1142654 1143055 1143194 1143273 1144047 1144169 1145023 1145521 1145554 1145716 1146027 1146182 1146184 1146415 1146415 1146866 1146947 1148517 1148788 1148987 1149145 1149332 1149495 1149496 1149511 1149995 1150003 1150137 1150250 1150595 1150734 1151023 1151023 
1151377 1151582 1152101 1152590 1152692 1152755 1153351 1153557 1153936 1154019 1154036 1154037 1154256 1154295 1154661 1154804 1154805 1154871 1154884 1154887 1155198 1155199 1155205 1155207 1155271 1155298 1155327 1155337 1155338 1155339 1155346 1155574 1155678 1155819 1156158 1156213 1156300 1156482 1157198 1157278 1157292 1157377 1157775 1157794 1157893 1158095 1158095 1158101 1158485 1158763 1158809 1158830 1158921 1158996 1159003 1159314 1159814 1159928 1160039 1160160 1160571 1160594 1160595 1160735 1160764 1160970 1160979 1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161517 1161521 1161779 1161816 1162108 1162108 1162152 1162518 1162930 1163184 1163922 1164505 1164562 1164717 1164950 1164950 1165011 1165539 1165579 1165784 1166106 1166260 1166481 1166510 1166510 1166748 1166881 1167163 1167223 1167631 1167674 1167898 1168076 1168345 1168364 1168699 1168835 1169512 1169569 1169944 1169992 1170527 1170771 1171173 1171422 1171872 1172021 353876 859480 CVE-2017-17740 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2019-12290 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-16168 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-18224 CVE-2019-18802 CVE-2019-18900 CVE-2019-19126 CVE-2019-19956 CVE-2019-19956 CVE-2019-20386 CVE-2019-20388 CVE-2019-3687 CVE-2019-3688 CVE-2019-3690 CVE-2019-5094 CVE-2019-5188 CVE-2019-5481 CVE-2019-5482 CVE-2019-9511 CVE-2019-9513 CVE-2020-10029 CVE-2020-11501 CVE-2020-12243 CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1752 CVE-2020-7595 CVE-2020-8013 SLE-6533 SLE-6536 SLE-7687 SLE-8789 SLE-9132 SLE-9171 ----------------------------------------------------------------- The container caasp/v4/cilium-etcd-operator was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2241-1 Released: Wed Aug 28 14:58:49 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1144169 This update for ca-certificates-mozilla fixes the following issues: ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169) Removed CAs: - Certinomis - Root CA Includes new root CAs from the 2.32 version: - emSign ECC Root CA - C3 (email and server auth) - emSign ECC Root CA - G3 (email and server auth) - emSign Root CA - C1 (email and server auth) - emSign Root CA - G1 (email and server auth) - Hongkong Post Root CA 3 (server auth) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2307-1 Released: Thu Sep 5 14:45:08 2019 Summary: Security update for util-linux and shadow Type: security Severity: moderate References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876 This update for util-linux and shadow fixes the following issues: util-linux: - Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197) - Prevent outdated pam files (bsc#1082293). - De-duplicate fstrim -A properly (bsc#1127701). - Do not trim read-only volumes (bsc#1106214). - Integrate pam_keyinit pam module to login (bsc#1081947). - Perform one-time reset of /etc/default/su (bsc#1121197). - Fix problems in reading of login.defs values (bsc#1121197) - libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417). - raw.service: Add RemainAfterExit=yes (bsc#1135534). 
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886) - libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832) - Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197). shadow: - Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197) - Fix segfault in useradd during setting password inactivity period. (bsc#1141113) - Hardening for su wrappers (bsc#353876) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2361-1 Released: Thu Sep 12 07:54:54 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1081947,1144047 This update for krb5 contains the following fixes: - Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2373-1 Released: Thu Sep 12 14:18:53 2019 Summary: Security update for curl Type: security Severity: important References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482 This update for curl fixes the following issues: Security issues fixed: - CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495). - CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2395-1 Released: Wed Sep 18 08:31:38 2019 Summary: Security update for openldap2 Type: security Severity: moderate References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565 This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194). - CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273). 
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) Non-security issues fixed: - Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845). - Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388) - Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2403-1 Released: Wed Sep 18 16:14:29 2019 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563 This update for openssl-1_1 fixes the following issues: OpenSSL Security Advisory [10 September 2019] * CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003) * CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2423-1 Released: Fri Sep 20 16:41:45 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1146866,SLE-9132 This update for aaa_base fixes the following issues: Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132) Following settings have been tightened (and set to 0): - net.ipv4.conf.all.accept_redirects - net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_source_route - net.ipv6.conf.all.accept_redirects - net.ipv6.conf.default.accept_redirects ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2533-1 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1150137,CVE-2019-16168 
This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2626-1 Released: Thu Oct 10 17:22:35 2019 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1110797 This update for permissions fixes the following issues: - Updated permissions for amanda. (bsc#1110797) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2676-1 Released: Tue Oct 15 21:06:54 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1145716,1152101,CVE-2019-5094 This update for e2fsprogs fixes the following issues: Security issue fixed: - CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2730-1 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. 
Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data. (bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: dont use vm_min_free on non Linux * library: don't 
strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2742-1 Released: Tue Oct 22 15:40:16 2019 Summary: Recommended update for libzypp, zypper, libsolv and PackageKit Type: recommended Severity: important References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534 This update for libzypp, zypper, libsolv and PackageKit fixes the following issues: Security issues fixed 
in libsolv: - CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629). - CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630). - CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631). Other issues addressed in libsolv: - Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749). - Fixed an issue with the package name (bsc#1131823). - repo_add_rpmdb: do not copy bad solvables from the old solv file - Fixed an issue with cleandeps updates in which all packages were not updated - Experimental DISTTYPE_CONDA and REL_CONDA support - Fixed cleandeps jobs when using patterns (bsc#1137977) - Fixed favorq leaking between solver runs if the solver is reused - Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason - Be more correct with multiversion packages that obsolete their own name (bnc#1127155) - Fix repository priority handling for multiversion packages - Make code compatible with swig 4.0, remove obj0 instances - repo2solv: support zchunk compressed data - Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives Issues fixed in libzypp: - Fix empty metalink downloads if filesize is unknown (bsc#1153557) - Recognize riscv64 as architecture - Fix installation of new header file (fixes #185) - zypp.conf: Introduce `solver.focus` to define the resolvers general attitude when resolving jobs. (bsc#1146415) - New container detection algorithm for zypper ps (bsc#1146947) - Fix leaking filedescriptors in MediaCurl. (bsc#1116995) - Run file conflict check on dry-run. (bsc#1140039) - Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795) - Rephrase file conflict check summary. (bsc#1140039) - Fix bash completions option detection. 
(bsc#1049825) - Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521) - Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027) - PublicKey::algoName: supply key algorithm and length Issues fixed in zypper: - Update to version 1.14.30 - Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521) - Dump stacktrace on SIGPIPE (bsc#1145521) - info: The requested info must be shown in QUIET mode (fixes #287) - Fix local/remote url classification. - Rephrase file conflict check summary (bsc#1140039) - Fix bash completions option detection (bsc#1049825) - man: split '--with[out]' like options to ease searching. - Unhided 'ps' command in help - Added option to show more conflict information - Rephrased `zypper ps` hint (bsc#859480) - Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226) - Fixed unknown package handling in zypper install (bsc#1127608) - Re-show progress bar after pressing retry upon install error (bsc#1131113) Issues fixed in PackageKit: - Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script(bsc#1130306). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2757-1 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Type: security Severity: moderate References: 1153936,CVE-2019-17543 This update for lz4 fixes the following issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2812-1 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. - units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks. - units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2870-1 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1051143,1138869,1151023 This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. 
(bsc#1051143) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2418-1 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1133773,1143055 This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm' - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2019:2980-1 Released: Thu Nov 14 22:45:33 2019 Summary: Optional update for curl Type: optional Severity: low References: 1154019 This update for curl doesn't address any user visible issues. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2997-1 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3010-1 Released: Tue Nov 19 18:10:58 2019 Summary: Recommended update for zypper and libsolv Type: recommended Severity: moderate References: 1145554,1146415,1149511,1153351,SLE-9171 This update for zypper and libsolv fixes the following issues: Package: zypper - Improved the documentation of $releasever and --releasever use cases (bsc#1149511) - zypper will now ask only once when multiple packages share the same license text (bsc#1145554) - Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415) - Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351) - Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171) Package: libsolv - Fixes issues when updating too many packages in focusbest mode - Fixes the handling of disabled and installed packages in distupgrade ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3059-1 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3061-1 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 This update includes the GNU Compiler Collection 9. 
A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3070-1 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1152755 This update for gpg2 provides the following fix: - Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed in the past. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3181-1 Released: Thu Dec 5 11:43:07 2019 Summary: Security update for permissions Type: security Severity: moderate References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690 This update for permissions fixes the following issues: - CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414). - CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734).
- Fixed a regression which caused a segmentation fault (bsc#1157198). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:69-1 Released: Fri Jan 10 12:33:59 2020 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789 This update for openssl-1_1 fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Various FIPS related improvements were done: - FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775). - Port FIPS patches from SLE-12 (bsc#1158101). - Use SHA-2 in the RSA pairwise consistency check (bsc#1155346). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. 
(bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger
(bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot 
option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:432-1 Released: Fri Feb 21 14:34:16 2020 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900 This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). - Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). - Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205). 
- Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. 
(bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:726-1 Released: Thu Mar 19 13:23:03 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513 This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461). - CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) Bug fixes and enhancements: - Fixed mistake in spec file (bsc#1125689) Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481) * lib: Add nghttp2_check_authority as public API * lib: Fix the bug that stream is closed with wrong error code * lib: Faster huffman encoding and decoding * build: Avoid filename collision of static and dynamic lib * build: Add new flag ENABLE_STATIC_CRT for Windows * build: cmake: Support building nghttpx with systemd * third-party: Update neverbleed to fix memory leak * nghttpx: Fix bug that mruby is incorrectly shared between backends * nghttpx: Reconnect h1 backend if it lost connection before sending headers * nghttpx: Returns 408 if backend timed out before sending headers * nghttpx: Fix request stal - Conditionally remove dependency on jemalloc for SLE-12 - Require correct library from devel package - boo#1125689 Update to version 1.39.2 (bsc#1146184, bsc#1146182): * This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. * Add nghttp2_option_set_max_outbound_ack API function * nghttpx: Fix request stall Update to version 1.39.1: * This release fixes the bug that log-level is not set with cmd-line or configuration file.
It also fixes FPE with default backend. Changes for version 1.39.0: * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230. * mruby has been upgraded to 2.0.1. * libnghttp2-asio now supports boost-1.70. * http-parser has been replaced with llhttp. * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-??? - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. 
- core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:42 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added continuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details).
myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:834-1 Released: Tue Mar 31 17:21:34 2020 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1167163 This update for permissions fixes the following issue: - whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. 
This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. 
(bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to exercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:967-1 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:969-1 Released: Thu Apr 9 11:43:17 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1168364 This update for permissions fixes the following issues: - Fixed spelling of icinga group (bsc#1168364) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:981-1 Released: Mon Apr 13 15:43:44 2020 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1156300 This update for rpm fixes the following issues: - Fix for language package macros to avoid wrong requirement on shared library.
(bsc#1156300) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1026-1 Released: Fri Apr 17 16:14:43 2020 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1159314 This update for libsolv fixes the following issues: libsolv was updated to version 0.7.11: - fix solv_zchunk decoding error if large chunks are used (bsc#1159314) - treat retracted patches as irrelevant - made add_update_target work with multiversion installs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1047-1 Released: Tue Apr 21 10:33:06 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1168835 This update for gnutls fixes the following issues: - Backport AES XTS support (bsc#1168835) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1063-1 Released: Wed Apr 22 10:46:50 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1165539,1169569 This update for libgcrypt fixes the following issues: - FIPS: Switch the PCT to use the new signature operation (bsc#1165539) - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539) - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1108-1 Released: Fri Apr 24 16:31:01 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1169992 This update for gnutls fixes the following issues: - FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1175-1 Released: Tue May 5 08:33:43 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1165011,1168076 This update for systemd fixes the following issues: - Fix check for address to keep interface names stable. (bsc#1168076) - Fix for checking non-normalized WHAT for network FS. (bsc#1165011) - Allow to specify an arbitrary string for when vfs is used. (bsc#1165011) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1214-1 Released: Thu May 7 11:20:34 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1169944 This update for libgcrypt fixes the following issues: - FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1219-1 Released: Thu May 7 17:10:42 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1170771,CVE-2020-12243 This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1226-1 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Type: recommended Severity: moderate References: 1149995,1152590,1167898 This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1271-1 Released: Wed May 13 13:17:59 2020 Summary: Recommended update for permissions Type: recommended Severity: important References: 1171173 This update for permissions fixes the following issues: - Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1290-1 Released: Fri May 15 16:39:59 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1171422 This update for gnutls fixes the following issues: - Add RSA 4096 key generation support in FIPS mode (bsc#1171422) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1294-1 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Type: security Severity: moderate References: 1154661,1169512,CVE-2019-18218 This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1299-1 Released: Mon May 18 07:43:21 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595 This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2019-19956: Fixed a memory leak (bsc#1159928). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1328-1 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1155271 This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1361-1 Released: Thu May 21 09:31:18 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1171872 This update for libgcrypt fixes the following issues: - FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1400-1 Released: Mon May 25 14:09:02 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1162930 This update for glibc fixes the following issues: - nptl: wait for pending setxid request also in detached thread. 
(bsc#1162930) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1404-1 Released: Mon May 25 15:32:34 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1138793,1166260 This update for zlib fixes the following issues: - Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide the DFLTCC instruction, which implements the deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1. - Add SUSE specific fix to solve bsc#1138793. The fix avoids testing whether the app was linked with exactly the same version of zlib as the one present at runtime. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1506-1 Released: Fri May 29 17:22:11 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1087982,1170527 This update for aaa_base fixes the following issues: - Not all XTerm based emulators have a terminfo entry. (bsc#1087982) - Better support of Midnight Commander. (bsc#1170527) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1532-1 Released: Thu Jun 4 10:16:12 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1172021,CVE-2019-19956 This update for libxml2 fixes the following issues: - CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).
From sle-updates at lists.suse.com Tue Jun 16 11:29:12 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 19:29:12 +0200 (CEST) Subject: SUSE-CU-2020:198-1: Security update of caasp/v4/cilium Message-ID: <20200616172912.21C12F749@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/cilium ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:198-1 Container Tags : caasp/v4/cilium:1.6.6 , caasp/v4/cilium:1.6.6-rev4 , caasp/v4/cilium:1.6.6-rev4-build3.5.1 Container Release : 3.5.1 Severity : important Type : security
----------------------------------------------------------------- The container caasp/v4/cilium was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2241-1 Released: Wed Aug 28 14:58:49 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1144169 This update for ca-certificates-mozilla fixes the following issues: ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169) Removed CAs: - Certinomis - Root CA Includes new root CAs from the 2.32 version: - emSign ECC Root CA - C3 (email and server auth) - emSign ECC Root CA - G3 (email and server auth) - emSign Root CA - C1 (email and server auth) - emSign Root CA - G1 (email and server auth) - Hongkong Post Root CA 3 (server auth) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2307-1 Released: Thu Sep 5 14:45:08 2019 Summary: Security update for util-linux and shadow Type: security Severity: moderate References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876 This update for util-linux and shadow fixes the following issues: util-linux: - Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197) - Prevent outdated pam files (bsc#1082293). - De-duplicate fstrim -A properly (bsc#1127701). - Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947). - Perform one-time reset of /etc/default/su (bsc#1121197). - Fix problems in reading of login.defs values (bsc#1121197) - libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417). - raw.service: Add RemainAfterExit=yes (bsc#1135534). - agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886) - libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832) - Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197). shadow: - Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197) - Fix segfault in useradd during setting password inactivity period. (bsc#1141113) - Hardening for su wrappers (bsc#353876) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2361-1 Released: Thu Sep 12 07:54:54 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1081947,1144047 This update for krb5 contains the following fixes: - Integrate pam_keyinit PAM module, ksu-pam.d.
(bsc#1081947) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2367-1 Released: Thu Sep 12 12:59:37 2019 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1122666,1135984,1137296 This update for lvm2 fixes the following issues: - Fix unknown feature in status message (bsc#1135984) - Fix using device aliases with lvmetad (bsc#1137296) - Fix devices drop open error message (bsc#1122666) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2373-1 Released: Thu Sep 12 14:18:53 2019 Summary: Security update for curl Type: security Severity: important References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482 This update for curl fixes the following issues: Security issues fixed: - CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495). - CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2395-1 Released: Wed Sep 18 08:31:38 2019 Summary: Security update for openldap2 Type: security Severity: moderate References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565 This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194). - CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273). - CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) Non-security issues fixed: - Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845). 
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388) - Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2403-1 Released: Wed Sep 18 16:14:29 2019 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563 This update for openssl-1_1 fixes the following issues: OpenSSL Security Advisory [10 September 2019] * CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003) * CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2423-1 Released: Fri Sep 20 16:41:45 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1146866,SLE-9132 This update for aaa_base fixes the following issues: Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132) Following settings have been tightened (and set to 0): - net.ipv4.conf.all.accept_redirects - net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_source_route - net.ipv6.conf.all.accept_redirects - net.ipv6.conf.default.accept_redirects ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2429-1 Released: Mon Sep 23 09:28:40 2019 Summary: Security update for expat Type: security Severity: moderate References: 1149429,CVE-2019-15903 This update for expat fixes the following issues: Security issues fixed: - CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. 
(bsc#1149429) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2517-1 Released: Wed Oct 2 10:49:20 2019 Summary: Security update for libseccomp Type: security Severity: moderate References: 1082318,1128828,1142614,CVE-2019-9893 This update for libseccomp fixes the following issues: Security issues fixed: - CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828) libseccomp was updated to new upstream release 2.4.1: - Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks. libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893): - Update the syscall table for Linux v5.0-rc5 - Added support for the SCMP_ACT_KILL_PROCESS action - Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute - Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension - Added support for the parisc and parisc64 architectures - Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3) - Return -EDOM on an endian mismatch when adding an architecture to a filter - Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run() - Fix PFC generation when a syscall is prioritized, but no rule exists - Numerous fixes to the seccomp-bpf filter generation code - Switch our internal hashing function to jhash/Lookup3 to MurmurHash3 - Numerous tests added to the included test suite, coverage now at ~92% - Update our Travis CI configuration to use Ubuntu 16.04 - Numerous documentation fixes and updates libseccomp was updated to release 2.3.3: - Updated the syscall table for Linux v4.15-rc7 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2533-1 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Type: security Severity: moderate 
References: 1150137,CVE-2019-16168 This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2626-1 Released: Thu Oct 10 17:22:35 2019 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1110797 This update for permissions fixes the following issues: - Updated permissions for amanda. (bsc#1110797) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2676-1 Released: Tue Oct 15 21:06:54 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1145716,1152101,CVE-2019-5094 This update for e2fsprogs fixes the following issues: Security issue fixed: - CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2681-1 Released: Tue Oct 15 22:01:40 2019 Summary: Recommended update for libdb-4_8 Type: recommended Severity: moderate References: 1148244 This update for libdb-4_8 fixes the following issues: - Add off-page deadlock patch as found and documented by Red Hat. (bsc#1148244) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2702-1 Released: Wed Oct 16 18:41:30 2019 Summary: Security update for gcc7 Type: security Severity: moderate References: 1071995,1141897,1142649,1148517,1149145,CVE-2019-14250,CVE-2019-15847 This update for gcc7 to r275405 fixes the following issues: Security issues fixed: - CVE-2019-14250: Fixed an integer overflow in binutils (bsc#1142649).
- CVE-2019-15847: Fixed an optimization in the POWER9 backend of gcc that could reduce the entropy of the random number generator (bsc#1149145). Non-security issue fixed: - Move Live Patching technology stack from kGraft to upstream klp (bsc#1071995, fate#323487). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2730-1 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data.
(bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: don't use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch
for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2742-1 Released: Tue Oct 22 15:40:16 2019 Summary: Recommended update for libzypp, zypper, libsolv and PackageKit Type: recommended Severity: important References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534 This update for libzypp, zypper, libsolv and PackageKit fixes the following issues: Security issues fixed in libsolv: - CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629). - CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630). - CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631). Other issues addressed in libsolv: - Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749). - Fixed an issue with the package name (bsc#1131823). 
- repo_add_rpmdb: do not copy bad solvables from the old solv file - Fixed an issue with cleandeps updates in which all packages were not updated - Experimental DISTTYPE_CONDA and REL_CONDA support - Fixed cleandeps jobs when using patterns (bsc#1137977) - Fixed favorq leaking between solver runs if the solver is reused - Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason - Be more correct with multiversion packages that obsolete their own name (bnc#1127155) - Fix repository priority handling for multiversion packages - Make code compatible with swig 4.0, remove obj0 instances - repo2solv: support zchunk compressed data - Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives Issues fixed in libzypp: - Fix empty metalink downloads if filesize is unknown (bsc#1153557) - Recognize riscv64 as architecture - Fix installation of new header file (fixes #185) - zypp.conf: Introduce `solver.focus` to define the resolvers general attitude when resolving jobs. (bsc#1146415) - New container detection algorithm for zypper ps (bsc#1146947) - Fix leaking filedescriptors in MediaCurl. (bsc#1116995) - Run file conflict check on dry-run. (bsc#1140039) - Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795) - Rephrase file conflict check summary. (bsc#1140039) - Fix bash completions option detection. (bsc#1049825) - Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521) - Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027) - PublicKey::algoName: supply key algorithm and length Issues fixed in zypper: - Update to version 1.14.30 - Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521) - Dump stacktrace on SIGPIPE (bsc#1145521) - info: The requested info must be shown in QUIET mode (fixes #287) - Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039) - Fix bash completions option detection (bsc#1049825) - man: split '--with[out]' like options to ease searching. - Unhid 'ps' command in help - Added option to show more conflict information - Rephrased `zypper ps` hint (bsc#859480) - Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226) - Fixed unknown package handling in zypper install (bsc#1127608) - Re-show progress bar after pressing retry upon install error (bsc#1131113) Issues fixed in PackageKit: - Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script (bsc#1130306). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2757-1 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Type: security Severity: moderate References: 1153936,CVE-2019-17543 This update for lz4 fixes the following issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2779-1 Released: Thu Oct 24 16:57:42 2019 Summary: Security update for binutils Type: security Severity: moderate References: 1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118644,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,1152590,1154016,1154025,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945,CVE-2019-1010180,ECO-368,SLE-6206 This update for binutils fixes the following issues: binutils was updated to current 2.32 branch [jsc#ECO-368]. Includes following security fixes: - CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412) - CVE-2018-17359: Fixed an invalid memory access in bfd_zalloc in opncls.c (bsc#1109413) - CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414) - CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827) - CVE-2018-18309: Fixed an invalid memory address dereference in read_reloc in reloc.c (bsc#1111996) - CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535) - CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534) - CVE-2018-18605: Fixed a heap-based buffer over-read in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255) - CVE-2018-18606: Fixed a NULL pointer
dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252) - CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247) - CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831) - CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830) - CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035) - CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034) - CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056) - CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640) - CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772) - enable xtensa architecture (Tensilica lc6 and related) - Use -ffat-lto-objects in order to provide assembly for static libs (bsc#1141913). - Fixed some LTO build issues (bsc#1133131 bsc#1133232). - riscv: Don't check ABI flags if no code section - Fixed a segfault in ld when building some versions of pacemaker (bsc#1154025, bsc#1154016). - Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses (bsc#1152590). Update to binutils 2.32: * The binutils now support the C-SKY processor series. * The x86 assembler now supports a -mvexwig=[0|1] option to control encoding of VEX.W-ignored (WIG) VEX instructions. It also has a new -mx86-used-note=[yes|no] option to generate (or not) x86 GNU property notes.
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2), the Loongson EXTensions (EXT) instructions, the Loongson Content Address Memory (CAM) ASE and the Loongson MultiMedia extensions Instructions (MMI) ASE. * The addr2line, c++filt, nm and objdump tools now have a default limit on the maximum amount of recursion that is allowed whilst demangling strings. This limit can be disabled if necessary. * Objdump's --disassemble option can now take a parameter, specifying the starting symbol for disassembly. Disassembly will continue from this symbol up to the next symbol or the end of the function. * The BFD linker will now report property change in linker map file when merging GNU properties. * The BFD linker's -t option now doesn't report members within archives, unless -t is given twice. This makes it more useful when generating a list of files that should be packaged for a linker bug report. * The GOLD linker has improved warning messages for relocations that refer to discarded sections. - Improve relro support on s390 [fate#326356] - Fix broken debug symbols (bsc#1118644) - Handle ELF compressed header alignment correctly. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2811-1 Released: Tue Oct 29 14:57:18 2019 Summary: Recommended update for llvm7 Type: recommended Severity: moderate References: 1138457 This update for llvm7 doesn't address any user visible issues. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2812-1 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. 
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks. - units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2870-1 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1051143,1138869,1151023 This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2933-1 Released: Fri Nov 8 11:46:01 2019 Summary: Recommended update for llvm7 Type: recommended Severity: moderate References: 1139584 This update for llvm7 fixes the following issues: - Enable RTTI (run time type information) by built for LLVM. 
(bsc#1139584) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2418-1 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1133773,1143055 This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm' - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2019:2980-1 Released: Thu Nov 14 22:45:33 2019 Summary: Optional update for curl Type: optional Severity: low References: 1154019 This update for curl doesn't address any user visible issues. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2997-1 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3010-1 Released: Tue Nov 19 18:10:58 2019 Summary: Recommended update for zypper and libsolv Type: recommended Severity: moderate References: 1145554,1146415,1149511,1153351,SLE-9171 This update for zypper and libsolv fixes the following issues: Package: zypper - Improved the documentation of $releasever and --releasever use cases (bsc#1149511) - zypper will now ask only once when multiple packages share the same license text (bsc#1145554) - Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415) - Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351) - Added a new --repo option to the 'download' command to allow specifying a repository (jsc#SLE-9171) Package: libsolv - Fixes issues when updating too many packages in focusbest mode - Fixes the handling of disabled and installed packages in distupgrade ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3040-1 Released: Fri Nov 22 11:59:52 2019 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1145231 This update for lvm2 fixes the following issues: - Adds a fix to detect MD devices by LVM2 with metadata=1.0/0.9 (bsc#1145231) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3059-1 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3061-1 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3070-1 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1152755 This update for gpg2 provides the following fix: - Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). 
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect all CVEs that have been fixed over the past. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. 
(bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3181-1 Released: Thu Dec 5 11:43:07 2019 Summary: Security update for permissions Type: security Severity: moderate References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690 This update for permissions fixes the following issues: - CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414). - CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734). - Fixed a regression which caused a segmentation fault (bsc#1157198). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3343-1 Released: Thu Dec 19 11:05:27 2019 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1155668 This update for lvm2 fixes the following issues: - Fix seeing a 90 Second delay during shutdown and reboot. 
(bsc#1155668) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:10-1 Released: Thu Jan 2 12:35:06 2020 Summary: Recommended update for gcc7 Type: recommended Severity: moderate References: 1146475 This update for gcc7 fixes the following issues: - Fix miscompilation with thread-safe localstatic initialization (gcc#85887). - Fix debug info created for array definitions that complete an earlier declaration (bsc#1146475). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:69-1 Released: Fri Jan 10 12:33:59 2020 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789 This update for openssl-1_1 fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Various FIPS related improvements were done: - FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775). - Port FIPS patches from SLE-12 (bsc#1158101). - Use SHA-2 in the RSA pairwise consistency check (bsc#1155346). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). 
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:277-1 Released: Fri Jan 31 10:43:03 2020 Summary: Security update for bazel-platforms, bazel-rules-swift, bazel-toolchains, bazel2.0, cel-cpp, envoy-build-tools, moonjit, re2, sql-parser, udpa, zipkin-api Type: security Severity: moderate References: CVE-2019-19391 This update for bazel-platforms, bazel-rules-swift, bazel-toolchains, bazel2.0, cel-cpp, envoy-build-tools, moonjit, re2, sql-parser, udpa, zipkin-api fixes the following issues: Changes in bazel-platforms, bazel-rules-swift, bazel-toolchains, bazel2.0, cel-cpp, envoy-build-tools, moonjit, re2, udpa, zipkin-api: These are build dependencies for cilium and envoy. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger 
(bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot 
option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:368-1 Released: Fri Feb 7 13:49:41 2020 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1150021 This update for lvm2 fixes the following issues: - Fix for LVM in KVM: The SCSI persistent reservation scenario can trigger an error during LVM actions. (bsc#1150021) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:395-1 Released: Tue Feb 18 14:16:48 2020 Summary: Recommended update for gcc7 Type: recommended Severity: moderate References: 1160086 This update for gcc7 fixes the following issue: - Fixed a miscompilation in zSeries code (bsc#1160086) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:432-1 Released: Fri Feb 21 14:34:16 2020 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900 This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). 
- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). - Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205). - Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:453-1 Released: Tue Feb 25 10:51:53 2020 Summary: Recommended update for binutils Type: recommended Severity: moderate References: 1160590 This update for binutils fixes the following issues: - Recognize the official name of s390 arch13: 'z15'. 
(bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:521-1 Released: Thu Feb 27 18:08:56 2020 Summary: Recommended update for c-ares Type: recommended Severity: moderate References: 1125306,1159006 This update for c-ares fixes the following issues: c-ares version update to 1.15.0: * Add ares_init_options() configurability for path to resolv.conf file * Ability to exclude building of tools (adig, ahost, acountry) in CMake * Report ARES_ENOTFOUND for .onion domain names as per RFC7686 (bsc#1125306) * Apply the IPv6 server blacklist to all nameserver sources * Prevent changing name servers while queries are outstanding * ares_set_servers_csv() on failure should not leave channel in a bad state * getaddrinfo - avoid infinite loop in case of NXDOMAIN * ares_getenv - return NULL in all cases * implement ares_getaddrinfo - Fixed a regression in DNS results that contain both A and AAAA answers. - Add netcfg as the build requirement and runtime requirement. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:697-1 Released: Mon Mar 16 13:17:10 2020 Summary: Security update for cni, cni-plugins, conmon, fuse-overlayfs, podman Type: security Severity: moderate References: 1155217,1160460,1164390,CVE-2019-18466 This update for cni, cni-plugins, conmon, fuse-overlayfs, podman fixes the following issues: podman was updated to 1.8.0: - CVE-2019-18466: Fixed a bug where podman cp would improperly copy files on the host when copying a symlink in the container that included a glob operator (#3829 bsc#1155217) - The name of the cni-bridge in the default config changed from 'cni0' to 'podman-cni0' with podman-1.6.0. Add a %trigger to rename the bridge in the system to the new default if it exists. The trigger is only executed when updating podman-cni-config from something older than 1.6.0. This is mainly needed for SLE where we're updating from 1.4.4 to 1.8.0 (bsc#1160460). 
Update podman to v1.8.0 (bsc#1160460): * Features - The podman system service command has been added, providing a preview of Podman's new Docker-compatible API. This API is still very new, and not yet ready for production use, but is available for early testing - Rootless Podman now uses Rootlesskit for port forwarding, which should greatly improve performance and capabilities - The podman untag command has been added to remove tags from images without deleting them - The podman inspect command on images now displays previous names they used - The podman generate systemd command now supports a --new option to generate service files that create and run new containers instead of managing existing containers - Support for --log-opt tag= to set logging tags has been added to the journald log driver - Added support for using Seccomp profiles embedded in images for podman run and podman create via the new --seccomp-policy CLI flag - The podman play kube command now honors pull policy * Bugfixes - Fixed a bug where the podman cp command would not copy the contents of directories when paths ending in /. 
    were given
  - Fixed a bug where the podman play kube command did not properly locate Seccomp profiles specified relative to localhost
  - Fixed a bug where the podman info command for remote Podman did not show registry information
  - Fixed a bug where the podman exec command did not support having input piped into it
  - Fixed a bug where the podman cp command with rootless Podman on CGroups v2 systems did not properly determine if the container could be paused while copying
  - Fixed a bug where the podman container prune --force command could possibly remove running containers if they were started while the command was running
  - Fixed a bug where Podman, when run as root, would not properly configure slirp4netns networking when requested
  - Fixed a bug where podman run --userns=keep-id did not work when the user had a UID over 65535
  - Fixed a bug where rootless podman run and podman create with the --userns=keep-id option could change permissions on /run/user/$UID and break KDE
  - Fixed a bug where rootless Podman could not be run in a systemd service on systems using CGroups v2
  - Fixed a bug where podman inspect would show CPUShares as 0, instead of the default (1024), when it was not explicitly set
  - Fixed a bug where podman-remote push would segfault
  - Fixed a bug where image healthchecks were not shown in the output of podman inspect
  - Fixed a bug where named volumes created with containers from pre-1.6.3 releases of Podman would be autoremoved with their containers if the --rm flag was given, even if they were given names
  - Fixed a bug where podman history was not computing image sizes correctly
  - Fixed a bug where Podman would not error on invalid values to the --sort flag to podman images
  - Fixed a bug where providing a name for the image made by podman commit was mandatory, not optional as it should be
  - Fixed a bug where the remote Podman client would append an extra ' to %PATH
  - Fixed a bug where the podman build command would sometimes ignore the -f option and
    build the wrong Containerfile
  - Fixed a bug where the podman ps --filter command would only filter running containers, instead of all containers, if --all was not passed
  - Fixed a bug where the podman load command on compressed images would leave an extra copy on disk
  - Fixed a bug where the podman restart command would not properly clean up the network, causing it to function differently from podman stop; podman start
  - Fixed a bug where setting the --memory-swap flag to podman create and podman run to -1 (to indicate unlimited) was not supported
* Misc
  - Initial work on version 2 of the Podman remote API has been merged, but is still in an alpha state and not ready for use. Read more here
  - Many formatting corrections have been made to the manpages
  - The changes to address (#5009) may cause anonymous volumes created by Podman versions 1.6.3 to 1.7.0 to not be removed when their container is removed
  - Updated vendored Buildah to v1.13.1
  - Updated vendored containers/storage to v1.15.8
  - Updated vendored containers/image to v5.2.0
  - Add apparmor-abstractions as required runtime dependency to have `tunables/global` available.
  - fixed the --force flag for the 'container prune' command.
    (https://github.com/containers/libpod/issues/4844)

Update podman to v1.7.0

* Features
  - Added support for setting a static MAC address for containers
  - Added support for creating macvlan networks with podman network create, allowing Podman containers to be attached directly to networks the host is connected to
  - The podman image prune and podman container prune commands now support the --filter flag to filter what will be pruned, and now prompts for confirmation when run without --force (#4410 and #4411)
  - Podman now creates CGroup namespaces by default on systems using CGroups v2 (#4363)
  - Added the podman system reset command to remove all Podman files and perform a factory reset of the Podman installation
  - Added the --history flag to podman images to display previous names used by images (#4566)
  - Added the --ignore flag to podman rm and podman stop to not error when requested containers no longer exist
  - Added the --cidfile flag to podman rm and podman stop to read the IDs of containers to be removed or stopped from a file
  - The podman play kube command now honors Seccomp annotations (#3111)
  - The podman play kube command now honors RunAsUser, RunAsGroup, and selinuxOptions
  - The output format of the podman version command has been changed to better match docker version when using the --format flag
  - Rootless Podman will no longer initialize containers/storage twice, removing a potential deadlock preventing Podman commands from running while an image was being pulled (#4591)
  - Added tmpcopyup and notmpcopyup options to the --tmpfs and --mount type=tmpfs flags to podman create and podman run to control whether the content of directories are copied into tmpfs filesystems mounted over them
  - Added support for disabling detaching from containers by setting empty detach keys via --detach-keys=''
  - The podman build command now supports the --pull and --pull-never flags to control when images are pulled during a build
  - The podman ps -p command now shows the name of
    the pod as well as its ID (#4703)
  - The podman inspect command on containers will now display the command used to create the container
  - The podman info command now displays information on registry mirrors (#4553)
* Bugfixes
  - Fixed a bug where Podman would use an incorrect runtime directory as root, causing state to be deleted after root logged out and making Podman in systemd services not function properly
  - Fixed a bug where the --change flag to podman import and podman commit was not being parsed properly in many cases
  - Fixed a bug where detach keys specified in libpod.conf were not used by the podman attach and podman exec commands, which always used the global default ctrl-p,ctrl-q key combination (#4556)
  - Fixed a bug where rootless Podman was not able to run podman pod stats even on CGroups v2 enabled systems (#4634)
  - Fixed a bug where rootless Podman would fail on kernels without the renameat2 syscall (#4570)
  - Fixed a bug where containers with chained network namespace dependencies (IE, container A using --net container=B and container B using --net container=C) would not properly mount /etc/hosts and /etc/resolv.conf into the container (#4626)
  - Fixed a bug where podman run with the --rm flag and without -d could, when run in the background, throw a 'container does not exist' error when attempting to remove the container after it exited
  - Fixed a bug where named volume locks were not properly reacquired after a reboot, potentially leading to deadlocks when trying to start containers using the volume (#4605 and #4621)
  - Fixed a bug where Podman could not completely remove containers if sent SIGKILL during removal, leaving the container name unusable without the podman rm --storage command to complete removal (#3906)
  - Fixed a bug where checkpointing containers started with --rm was allowed when --export was not specified (the container, and checkpoint, would be removed after checkpointing was complete by --rm) (#3774)
  - Fixed a bug where the podman pod
    prune command would fail if containers were present in the pods and the --force flag was not passed (#4346)
  - Fixed a bug where containers could not set a static IP or static MAC address if they joined a non-default CNI network (#4500)
  - Fixed a bug where podman system renumber would always throw an error if a container was mounted when it was run
  - Fixed a bug where podman container restore would fail with containers using a user namespace
  - Fixed a bug where rootless Podman would attempt to use the journald events backend even on systems without systemd installed
  - Fixed a bug where podman history would sometimes not properly identify the IDs of layers in an image (#3359)
  - Fixed a bug where containers could not be restarted when Conmon v2.0.3 or later was used
  - Fixed a bug where Podman did not check image OS and Architecture against the host when starting a container
  - Fixed a bug where containers in pods did not function properly with the Kata OCI runtime (#4353)
  - Fixed a bug where `podman info --format '{{ json .
    }}' would not produce JSON output (#4391)
  - Fixed a bug where Podman would not verify if files passed to --authfile existed (#4328)
  - Fixed a bug where podman images --digest would not always print digests when they were available
  - Fixed a bug where rootless podman run could hang due to a race with reading and writing events
  - Fixed a bug where rootless Podman would print warning-level logs despite not being instructed to do so (#4456)
  - Fixed a bug where podman pull would attempt to fetch from remote registries when pulling an unqualified image using the docker-daemon transport (#4434)
  - Fixed a bug where podman cp would not work if STDIN was a pipe
  - Fixed a bug where podman exec could stop accepting input if anything was typed between the command being run and the exec session starting (#4397)
  - Fixed a bug where podman logs --tail 0 would print all lines of a container's logs, instead of no lines (#4396)
  - Fixed a bug where the timeout for slirp4netns was incorrectly set, resulting in an extremely long timeout (#4344)
  - Fixed a bug where the podman stats command would print CPU utilization figures incorrectly (#4409)
  - Fixed a bug where the podman inspect --size command would not print the size of the container's read/write layer if the size was 0 (#4744)
  - Fixed a bug where the podman kill command was not properly validating signals before use (#4746)
  - Fixed a bug where the --quiet and --format flags to podman ps could not be used at the same time
  - Fixed a bug where the podman stop command was not stopping exec sessions when a container was created without a PID namespace (--pid=host)
  - Fixed a bug where the podman pod rm --force command was not removing anonymous volumes for containers that were removed
  - Fixed a bug where the podman checkpoint command would not export all changes to the root filesystem of the container if performed more than once on the same container (#4606)
  - Fixed a bug where containers started with --rm would not be automatically
    removed on being stopped if an exec session was running inside the container (#4666)
* Misc
  - The fixes to runtime directory path as root can cause strange behavior if an upgrade is performed while containers are running
  - Updated vendored Buildah to v1.12.0
  - Updated vendored containers/storage library to v1.15.4
  - Updated vendored containers/image library to v5.1.0
  - Kata Containers runtimes (kata-runtime, kata-qemu, and kata-fc) are now present in the default libpod.conf, but will not be available unless Kata containers is installed on the system
  - Podman previously did not allow the creation of containers with a memory limit lower than 4MB. This restriction has been removed, as the crun runtime can create containers with significantly less memory

Update podman to v1.6.4

  - Remove winsz FIFO on container restart to allow use with Conmon 2.03 and higher
  - Ensure volumes reacquire locks on system restart, preventing deadlocks when starting containers
  - Suppress spurious log messages when running rootless Podman
  - Update vendored containers/storage to v1.13.6
  - Fix a deadlock related to writing events
  - Do not use the journald event logger when it is not available

Update podman to v1.6.2

* Features
  - Added a --runtime flag to podman system migrate to allow the OCI runtime for all containers to be reset, to ease transition to the crun runtime on CGroups V2 systems until runc gains full support
  - The podman rm command can now remove containers in broken states which previously could not be removed
  - The podman info command, when run without root, now shows information on UID and GID mappings in the rootless user namespace
  - Added podman build --squash-all flag, which squashes all layers (including those of the base image) into one layer
  - The --systemd flag to podman run and podman create now accepts a string argument and allows a new value, always, which forces systemd support without checking if the container entrypoint is systemd
* Bugfixes
  - Fixed a bug where
    the podman top command did not work on systems using CGroups V2 (#4192)
  - Fixed a bug where rootless Podman could double-close a file, leading to a panic
  - Fixed a bug where rootless Podman could fail to retrieve some containers while refreshing the state
  - Fixed a bug where podman start --attach --sig-proxy=false would still proxy signals into the container
  - Fixed a bug where Podman would unconditionally use a non-default path for authentication credentials (auth.json), breaking podman login integration with skopeo and other tools using the containers/image library
  - Fixed a bug where podman ps --format=json and podman images --format=json would display null when no results were returned, instead of valid JSON
  - Fixed a bug where podman build --squash was incorrectly squashing all layers into one, instead of only new layers
  - Fixed a bug where rootless Podman would allow volumes with options to be mounted (mounting volumes requires root), creating an inconsistent state where volumes reported as mounted but were not (#4248)
  - Fixed a bug where volumes which failed to unmount could not be removed (#4247)
  - Fixed a bug where Podman incorrectly handled some errors relating to unmounted or missing containers in containers/storage
  - Fixed a bug where podman stats was broken on systems running CGroups V2 when run rootless (#4268)
  - Fixed a bug where the podman start command would print the short container ID, instead of the full ID
  - Fixed a bug where containers created with an OCI runtime that is no longer available (uninstalled or removed from the config file) would not appear in podman ps and could not be removed via podman rm
  - Fixed a bug where containers restored via podman container restore --import would retain the CGroup path of the original container, even if their container ID changed; thus, multiple containers created from the same checkpoint would all share the same CGroup
* Misc
  - The default PID limit for containers is now set to 4096.
    It can be adjusted back to the old default (unlimited) by passing --pids-limit 0 to podman create and podman run
  - The podman start --attach command now automatically attaches STDIN if the container was created with -i
  - The podman network create command now validates network names using the same regular expression as container and pod names
  - The --systemd flag to podman run and podman create will now only enable systemd mode when the binary being run inside the container is /sbin/init, /usr/sbin/init, or ends in systemd (previously detected any path ending in init or systemd)
  - Updated vendored Buildah to 1.11.3
  - Updated vendored containers/storage to 1.13.5
  - Updated vendored containers/image to 4.0.1

Update podman to v1.6.1

* Features
  - The podman network create, podman network rm, podman network inspect, and podman network ls commands have been added to manage CNI networks used by Podman
  - The podman volume create command can now create and mount volumes with options, allowing volumes backed by NFS, tmpfs, and many other filesystems
  - Podman can now run containers without CGroups for better integration with systemd by using the --cgroups=disabled flag with podman create and podman run. This is presently only supported with the crun OCI runtime
  - The podman volume rm and podman volume inspect commands can now refer to volumes by an unambiguous partial name, in addition to full name (e.g. podman volume rm myvol to remove a volume named myvolume) (#3891)
  - The podman run and podman create commands now support the --pull flag to allow forced re-pulling of images (#3734)
  - Mounting volumes into a container using --volume, --mount, and --tmpfs now allows the suid, dev, and exec mount options (the inverse of nosuid, nodev, noexec) (#3819)
  - Mounting volumes into a container using --mount now allows the relabel=Z and relabel=z options to relabel mounts.
  - The podman push command now supports the --digestfile option to save a file containing the pushed digest
  - Pods can now have their hostname set via podman pod create --hostname or providing Pod YAML with a hostname set to podman play kube (#3732)
  - The podman image sign command now supports the --cert-dir flag
  - The podman run and podman create commands now support the --security-opt label=filetype:$LABEL flag to set the SELinux label for container files
  - The remote Podman client now supports healthchecks
* Bugfixes
  - Fixed a bug where remote podman pull would panic if a Varlink connection was not available (#4013)
  - Fixed a bug where podman exec would not properly set terminal size when creating a new exec session (#3903)
  - Fixed a bug where podman exec would not clean up socket symlinks on the host (#3962)
  - Fixed a bug where Podman could not run systemd in containers that created a CGroup namespace
  - Fixed a bug where podman prune -a would attempt to prune images used by Buildah and CRI-O, causing errors (#3983)
  - Fixed a bug where improper permissions on the ~/.config directory could cause rootless Podman to use an incorrect directory for storing some files
  - Fixed a bug where the bash completions for podman import threw errors
  - Fixed a bug where Podman volumes created with podman volume create would not copy the contents of their mountpoint the first time they were mounted into a container (#3945)
  - Fixed a bug where rootless Podman could not run podman exec when the container was not run inside a CGroup owned by the user (#3937)
  - Fixed a bug where podman play kube would panic when given Pod YAML without a securityContext (#3956)
  - Fixed a bug where Podman would place files incorrectly when storage.conf configuration items were set to the empty string (#3952)
  - Fixed a bug where podman build did not correctly inherit Podman's CGroup configuration, causing crashes on CGroups V2 systems (#3938)
  - Fixed a bug where remote podman run --rm would exit before
    the container was completely removed, allowing race conditions when removing container resources (#3870)
  - Fixed a bug where rootless Podman would not properly handle changes to /etc/subuid and /etc/subgid after a container was launched
  - Fixed a bug where rootless Podman could not include some devices in a container using the --device flag (#3905)
  - Fixed a bug where the commit Varlink API would segfault if provided incorrect arguments (#3897)
  - Fixed a bug where temporary files were not properly cleaned up after a build using remote Podman (#3869)
  - Fixed a bug where podman remote cp crashed instead of reporting it was not yet supported (#3861)
  - Fixed a bug where podman exec would run as the wrong user when execing into a container that was started from an image with Dockerfile USER (or a user specified via podman run --user) (#3838)
  - Fixed a bug where images pulled using the oci: transport would be improperly named
  - Fixed a bug where podman varlink would hang when managed by systemd due to SD_NOTIFY support conflicting with Varlink (#3572)
  - Fixed a bug where mounts to the same destination would sometimes not trigger a conflict, causing a race as to which was actually mounted
  - Fixed a bug where podman exec --preserve-fds caused Podman to hang (#4020)
  - Fixed a bug where removing an unmounted container that was unmounted might sometimes not properly clean up the container (#4033)
  - Fixed a bug where the Varlink server would freeze when run in a systemd unit file (#4005)
  - Fixed a bug where Podman would not properly set the $HOME environment variable when the OCI runtime did not set it
  - Fixed a bug where rootless Podman would incorrectly print warning messages when an OCI runtime was not found (#4012)
  - Fixed a bug where named volumes would conflict with, instead of overriding, tmpfs filesystems added by the --read-only-tmpfs flag to podman create and podman run
  - Fixed a bug where podman cp would incorrectly make the target directory when copying to a symlink
    which pointed to a nonexistent directory (#3894)
  - Fixed a bug where remote Podman would incorrectly read STDIN when the -i flag was not set (#4095)
  - Fixed a bug where podman play kube would create an empty pod when given an unsupported YAML type (#4093)
  - Fixed a bug where podman import --change improperly parsed CMD (#4000)
  - Fixed a bug where rootless Podman on systems using CGroups V2 would not function with the cgroupfs CGroups manager
  - Fixed a bug where rootless Podman could not correctly identify the DBus session address, causing containers to fail to start (#4162)
  - Fixed a bug where rootless Podman with slirp4netns networking would fail to start containers due to mount leaks
* Misc
  - Significant changes were made to Podman volumes in this release. If you have pre-existing volumes, it is strongly recommended to run podman system renumber after upgrading.
  - Version 0.8.1 or greater of the CNI Plugins is now required for Podman
  - Version 2.0.1 or greater of Conmon is strongly recommended
  - Updated vendored Buildah to v1.11.2
  - Updated vendored containers/storage library to v1.13.4
  - Improved error messages when trying to create a pod with no name via podman play kube
  - Improved error messages when trying to run podman pause or podman stats on a rootless container on a system without CGroups V2 enabled
  - TMPDIR has been set to /var/tmp by default to better handle large temporary files
  - podman wait has been optimized to detect stopped containers more rapidly
  - Podman containers now include a ContainerManager annotation indicating they were created by libpod
  - The podman info command now includes information about slirp4netns and fuse-overlayfs if they are available
  - Podman no longer sets a default size of 65kb for tmpfs filesystems
  - The default Podman CNI network has been renamed in an attempt to prevent conflicts with CRI-O when both are run on the same system.
    This should only take effect on system restart
  - The output of podman volume inspect has been more closely matched to docker volume inspect
  - Add katacontainers as a recommended package, and include it as an additional OCI runtime in the configuration.

Update podman to v1.5.1

* Features
  - The hostname of pods is now set to the pod's name
* Bugfixes
  - Fixed a bug where podman run and podman create did not honor the --authfile option (#3730)
  - Fixed a bug where containers restored with podman container restore --import would incorrectly duplicate the Conmon PID file of the original container
  - Fixed a bug where podman build ignored the default OCI runtime configured in libpod.conf
  - Fixed a bug where podman run --rm (or force-removing any running container with podman rm --force) were not retrieving the correct exit code (#3795)
  - Fixed a bug where Podman would exit with an error if any configured hooks directory was not present
  - Fixed a bug where podman inspect and podman commit would not use the correct CMD for containers run with podman play kube
  - Fixed a bug created pods when using rootless Podman and CGroups V2 (#3801)
  - Fixed a bug where the podman events command with the --since or --until options could take a very long time to complete
* Misc
  - Rootless Podman will now inherit OCI runtime configuration from the root configuration (#3781)
  - Podman now properly sets a user agent while contacting registries (#3788)
  - Add zsh completion for podman commands

Update podman to v1.5.0

* Features
  - Podman containers can now join the user namespaces of other containers with --userns=container:$ID, or a user namespace at an arbitrary path with --userns=ns:$PATH
  - Rootless Podman can experimentally squash all UIDs and GIDs in an image to a single UID and GID (which does not require use of the newuidmap and newgidmap executables) by passing --storage-opt ignore_chown_errors
  - The podman generate kube command now produces YAML for any bind mounts the container has created
    (#2303)
  - The podman container restore command now features a new flag, --ignore-static-ip, that can be used with --import to import a single container with a static IP multiple times on the same host
  - Added the ability for podman events to output JSON by specifying --format=json
  - If the OCI runtime or conmon binary cannot be found at the paths specified in libpod.conf, Podman will now also search for them in the calling user's path
  - Added the ability to use podman import with URLs (#3609)
  - The podman ps command now supports filtering names using regular expressions (#3394)
  - Rootless Podman containers with --privileged set will now mount in all host devices that the user can access
  - The podman create and podman run commands now support the --env-host flag to forward all environment variables from the host into the container
  - Rootless Podman now supports healthchecks (#3523)
  - The format of the HostConfig portion of the output of podman inspect on containers has been improved and synced with Docker
  - Podman containers now support CGroup namespaces, and can create them by passing --cgroupns=private to podman run or podman create
  - The podman create and podman run commands now support the --ulimit=host flag, which uses any ulimits currently set on the host for the container
  - The podman rm and podman rmi commands now use different exit codes to indicate 'no such container' and 'container is running' errors
  - Support for CGroups V2 through the crun OCI runtime has been greatly improved, allowing resource limits to be set for rootless containers when the CGroups V2 hierarchy is in use
* Bugfixes
  - Fixed a bug where a race condition could cause podman restart to fail to start containers with ports
  - Fixed a bug where containers restored from a checkpoint would not properly report the time they were started at
  - Fixed a bug where podman search would return at most 25 results, even when the maximum number of results was set higher
  - Fixed a bug where podman play
    kube would not honor capabilities set in imported YAML (#3689)
  - Fixed a bug where podman run --env, when passed a single key (to use the value from the host), would set the environment variable in the container even if it was not set on the host (#3648)
  - Fixed a bug where podman commit --changes would not properly set environment variables
  - Fixed a bug where Podman could segfault while working with images with no history
  - Fixed a bug where podman volume rm could remove arbitrary volumes if given an ambiguous name (#3635)
  - Fixed a bug where podman exec invocations leaked memory by not cleaning up files in tmpfs
  - Fixed a bug where the --dns and --net=container flags to podman run and podman create were not mutually exclusive (#3553)
  - Fixed a bug where rootless Podman would be unable to run containers when less than 5 UIDs were available
  - Fixed a bug where containers in pods could not be removed without removing the entire pod (#3556)
  - Fixed a bug where Podman would not properly clean up all CGroup controllers for created cgroups when using the cgroupfs CGroup driver
  - Fixed a bug where Podman containers did not properly clean up files in tmpfs, resulting in a memory leak as containers stopped
  - Fixed a bug where healthchecks from images would not use default settings for interval, retries, timeout, and start period when they were not provided by the image (#3525)
  - Fixed a bug where healthchecks using the HEALTHCHECK CMD format were not properly supported (#3507)
  - Fixed a bug where volume mounts using relative source paths would not be properly resolved (#3504)
  - Fixed a bug where podman run did not use authorization credentials when a custom path was specified (#3524)
  - Fixed a bug where containers checkpointed with podman container checkpoint did not properly set their finished time
  - Fixed a bug where running podman inspect on any container not created with podman run or podman create (for example, pod infra containers) would result in a segfault
    (#3500)
  - Fixed a bug where healthcheck flags for podman create and podman run were incorrectly named (#3455)
  - Fixed a bug where Podman commands would fail to find targets if a partial ID was specified that was ambiguous between a container and pod (#3487)
  - Fixed a bug where restored containers would not have the correct SELinux label
  - Fixed a bug where Varlink endpoints were not working properly if more was not correctly specified
  - Fixed a bug where the Varlink PullImage endpoint would crash if an error occurred (#3715)
  - Fixed a bug where the --mount flag to podman create and podman run did not allow boolean arguments for its ro and rw options (#2980)
  - Fixed a bug where pods did not properly share the UTS namespace, resulting in incorrect behavior from some utilities which rely on hostname (#3547)
  - Fixed a bug where Podman would unconditionally append ENTRYPOINT to CMD during podman commit (and when reporting CMD in podman inspect) (#3708)
  - Fixed a bug where podman events with the journald events backend would incorrectly print 6 previous events when only new events were requested (#3616)
  - Fixed a bug where podman port would exit prematurely when a port number was specified (#3747)
  - Fixed a bug where passing .
    as an argument to the --dns-search flag to podman create and podman run was not properly clearing DNS search domains in the container
* Misc
  - Updated vendored Buildah to v1.10.1
  - Updated vendored containers/image to v3.0.2
  - Updated vendored containers/storage to v1.13.1
  - Podman now requires conmon v2.0.0 or higher
  - The podman info command now displays the events logger being in use
  - The podman inspect command on containers now includes the ID of the pod a container has joined and the PID of the container's conmon process
  - The -v short flag for podman --version has been re-added
  - Error messages from podman pull should be significantly clearer
  - The podman exec command is now available in the remote client
  - The podman-v1.5.0.tar.gz file attached is podman packaged for MacOS. It can be installed using Homebrew.
  - Update libpod.conf to support latest path discovery feature for `runc` and `conmon` binaries.

conmon was included in version 2.0.10. (bsc#1160460, bsc#1164390, jsc#ECO-1048, jsc#SLE-11485, jsc#SLE-11331):

fuse-overlayfs was updated to v0.7.6 (bsc#1160460)

- do not look in lower layers for the ino if there is no origin xattr set
- attempt to use the file path if the operation on the fd fails with ENXIO
- do not expose internal xattrs through listxattr and getxattr
- fix fallocate for deleted files.
- ignore O_DIRECT. It causes issues with libfuse not using an aligned buffer, causing write(2) to fail with EINVAL.
- on copyup, do not copy the opaque xattr.
- fix a wrong lookup for whiteout files, that could happen on a double unlink.
- fix possible segmentation fault in direct_fsync()
- use the data store to create missing whiteouts
- after a rename, force a directory reload
- introduce inodes cache
- correctly read inode for unix sockets
- avoid hash map lookup when possible
- use st_dev for the ino key
- check whether writeback is supported
- set_attrs: don't require write to S_IFREG
- ioctl: do not reuse fi->fh for directories
- fix skip whiteout deletion optimization
- store the new mode after chmod
- support fuse writeback cache and enable it by default
- add option to disable fsync
- add option to disable xattrs
- add option to skip ino number check in lower layers
- fix fd validity check
- fix memory leak
- fix read after free
- fix type for flistxattr return
- fix warnings reported by lgtm.com
- enable parallel dirops

cni was updated to 0.7.1:

- Set correct CNI version for 99-loopback.conf

Update to version 0.7.1 (bsc#1160460):

* Library changes:
  + invoke : ensure custom envs of CNIArgs are prepended to process envs
  + add GetNetworkListCachedResult to CNI interface
  + delegate : allow delegation funcs override CNI_COMMAND env automatically in heritance
* Documentation & Convention changes:
  + Update cnitool documentation for spec v0.4.0
  + Add cni-route-override to CNI plugin list

Update to version 0.7.0:

* Spec changes:
  + Use more RFC2119 style language in specification (must, should...)
  + add notes about ADD/DEL ordering
  + Make the container ID required and unique.
  + remove the version parameter from ADD and DEL commands.
+ Network interface name matters + be explicit about optional and required structure members + add CHECK method + Add a well-known error for 'try again' + SPEC.md: clarify meaning of 'routes' * Library changes: + pkg/types: Makes IPAM concrete type + libcni: return error if Type is empty + skel: VERSION shouldn't block on stdin + non-pointer instances of types.Route now correctly marshal to JSON + libcni: add ValidateNetwork and ValidateNetworkList functions + pkg/skel: return error if JSON config has no network name + skel: add support for plugin version string + libcni: make exec handling an interface for better downstream testing + libcni: api now takes a Context to allow operations to be timed out or cancelled + types/version: add helper to parse PrevResult + skel: only print about message, not errors + skel,invoke,libcni: implementation of CHECK method + cnitool: Honor interface name supplied via CNI_IFNAME environment variable. + cnitool: validate correct number of args + Don't copy gw from IP4.Gateway to Route.GW When converting from 0.2.0 + add PrintTo method to Result interface + Return a better error when the plugin returns none - Install sleep binary into CNI plugin directory cni-plugins was updated to 0.8.4: Update to version 0.8.4 (bsc#1160460): * add support for mips64le * Add missing cniVersion in README example * bump go-iptables module to v0.4.5 * iptables: add idempotent functions * portmap doesn't fail if chain doesn't exist * fix portmap port forward flakiness * Add Bruce Ma and Piotr Skarmuk as owners Update to version 0.8.3: * Enhancements: * static: prioritize the input sources for IPs (#400). * tuning: send gratuitous ARP in case of MAC address update (#403). * bandwidth: use uint64 for Bandwidth value (#389). * ptp: only override DNS conf if DNS settings provided (#388). * loopback: When prevResults are not supplied to loopback plugin, create results to return (#383). * loopback support CNI CHECK and result cache (#374). 
* Better input validation: * vlan: add MTU validation to loadNetConf (#405). * macvlan: add MTU validation to loadNetConf (#404). * bridge: check vlan id when loading net conf (#394). * Bugfixes: * bugfix: defer after err check, or it may panic (#391). * portmap: Fix dual-stack support (#379). * firewall: don't return error in DEL if prevResult is not found (#390). * bump up libcni back to v0.7.1 (#377). * Docs: * contributing doc: revise test script name to run (#396). * contributing doc: describe cnitool installation (#397). Update plugins to v0.8.2 + New features: * Support 'args' in static and tuning * Add Loopback DSR support, allow l2tunnel networks to be used with the l2bridge plugin * host-local: return error if same ADD request is seen twice * bandwidth: fix collisions * Support ips capability in static and mac capability in tuning * pkg/veth: Make host-side veth name configurable + Bug fixes: * Fix: failed to set bridge addr: could not add IP address to 'cni0': file exists * host-device: revert name setting to make retries idempotent (#357). * Vendor update go-iptables. Vendor update go-iptables to obtain commit f1d0510cabcb710d5c5dd284096f81444b9d8d10 * Update go.mod & go.sub * Remove link Down/Up in MAC address change to prevent route flush (#364). 
* pkg/ip unit test: be agnostic of Linux version, on Linux 4.4 the syscall error message is 'invalid argument' not 'file exists' * bump containernetworking/cni to v0.7.1 Updated plugins to v0.8.1: + Bugs: * bridge: fix ipMasq setup to use correct source address * fix compilation error on 386 * bandwidth: get bandwidth interface in host ns through container interface + Improvements: * host-device: add pciBusID property Updated plugins to v0.8.0: + New plugins: * bandwidth - limit incoming and outgoing bandwidth * firewall - add containers to firewall rules * sbr - convert container routes to source-based routes * static - assign a fixed IP address * win-bridge, win-overlay: Windows plugins + Plugin features / changelog: * CHECK Support * macvlan: - Allow to configure empty ipam for macvlan - Make master config optional * bridge: - Add vlan tag to the bridge cni plugin - Allow the user to assign VLAN tag - L2 bridge Implementation. * dhcp: - Include Subnet Mask option parameter in DHCPREQUEST - Add systemd unit file to activate socket with systemd - Add container ifName to the dhcp clientID, making the clientID value * flannel: - Pass through runtimeConfig to delegate * host-local: - host-local: add ifname to file tracking IP address used * host-device: - Support the IPAM in the host-device - Handle empty netns in DEL for loopback and host-device * tuning: - adds 'ip link' command related feature into tuning + Bug fixes & minor changes * Correctly DEL on ipam failure for all plugins * Fix bug on ip revert if cmdAdd fails on macvlan and host-device * host-device: Ensure device is down before rename * Fix -hostprefix option * some DHCP servers expect to request for explicit router options * bridge: release IP in case of error * change source of ipmasq rule from ipn to ip from version v0.7.5: + This release takes a minor change to the portmap plugin: * Portmap: append, rather than prepend, entry rules + This fixes a potential issue where firewall rules may be bypassed 
by port mapping ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:726-1 Released: Thu Mar 19 13:23:03 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513 This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184). - CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461). 
- CVE-2019-18802: Fixed an issue where a malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) Bug fixes and enhancements: - Fixed mistake in spec file (bsc#1125689) Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481) * lib: Add nghttp2_check_authority as public API * lib: Fix the bug that stream is closed with wrong error code * lib: Faster huffman encoding and decoding * build: Avoid filename collision of static and dynamic lib * build: Add new flag ENABLE_STATIC_CRT for Windows * build: cmake: Support building nghttpx with systemd * third-party: Update neverbleed to fix memory leak * nghttpx: Fix bug that mruby is incorrectly shared between backends * nghttpx: Reconnect h1 backend if it lost connection before sending headers * nghttpx: Returns 408 if backend timed out before sending headers * nghttpx: Fix request stal - Conditionally remove dependency on jemalloc for SLE-12 - Require correct library from devel package - boo#1125689 Update to version 1.39.2 (bsc#1146184, bsc#1146182): * This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. * Add nghttp2_option_set_max_outbound_ack API function * nghttpx: Fix request stall Update to version 1.39.1: * This release fixes the bug that log-level is not set with cmd-line or configuration file. It also fixes FPE with default backend. Changes for version 1.39.0: * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230. * mruby has been upgraded to 2.0.1.
* libnghttp2-asio now supports boost-1.70. * http-parser has been replaced with llhttp. * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-??? - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. 
- core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:42 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added continuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details).
myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:834-1 Released: Tue Mar 31 17:21:34 2020 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1167163 This update for permissions fixes the following issue: - whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. 
This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. 
(bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to exercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:967-1 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:969-1 Released: Thu Apr 9 11:43:17 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1168364 This update for permissions fixes the following issues: - Fixed spelling of icinga group (bsc#1168364) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:981-1 Released: Mon Apr 13 15:43:44 2020 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1156300 This update for rpm fixes the following issues: - Fix for language package macros to avoid wrong requirement on shared library.
(bsc#1156300) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1026-1 Released: Fri Apr 17 16:14:43 2020 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1159314 This update for libsolv fixes the following issues: libsolv was updated to version 0.7.11: - fix solv_zchunk decoding error if large chunks are used (bsc#1159314) - treat retracted patches as irrelevant - made add_update_target work with multiversion installs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1047-1 Released: Tue Apr 21 10:33:06 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1168835 This update for gnutls fixes the following issues: - Backport AES XTS support (bsc#1168835) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1063-1 Released: Wed Apr 22 10:46:50 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1165539,1169569 This update for libgcrypt fixes the following issues: - FIPS: Switch the PCT to use the new signature operation (bsc#1165539) - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539) - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1108-1 Released: Fri Apr 24 16:31:01 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1169992 This update for gnutls fixes the following issues: - FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1175-1 Released: Tue May 5 08:33:43 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1165011,1168076 This update for systemd fixes the following issues: - Fix check for address to keep interface names stable. (bsc#1168076) - Fix for checking non-normalized WHAT for network FS. (bsc#1165011) - Allow to specify an arbitrary string for when vfs is used. (bsc#1165011) ----------------------------------------------------------------- Advisory ID: SUSE-feature-2020:1196-1 Released: Wed May 6 13:35:05 2020 Summary: Update to kubernetes 1.17, podman, cri-o and docs Type: feature Severity: moderate References: 1121353,1152334,1157337,1159108,1160460,1162093,1164390,1170173 = Required Actions == Kubernetes 1.17 In order to update to kubernetes 1.17, follow the instructions in the admin guide https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_updating_kubernetes_components . Make sure you look at the Release Notes https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/#_changes_in_4_3_0 for any known bug. == conmon and cri-o Conmon and cri-o will be updated by `skuba-update`. No action is required from your side. For more info see https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_base_os_updates == skuba In order to update skuba, you need to update the admin workstation. 
See detailed instructions at https://documentation.suse.com/suse-caasp/4.1/html/caasp-admin/_cluster_updates.html#_update_management_workstation ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1214-1 Released: Thu May 7 11:20:34 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1169944 This update for libgcrypt fixes the following issues: - FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1219-1 Released: Thu May 7 17:10:42 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1170771,CVE-2020-12243 This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1226-1 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Type: recommended Severity: moderate References: 1149995,1152590,1167898 This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1271-1 Released: Wed May 13 13:17:59 2020 Summary: Recommended update for permissions Type: recommended Severity: important References: 1171173 This update for permissions fixes the following issues: - Remove setuid bit for newgidmap and newuidmap in paranoid profile. 
(bsc#1171173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1290-1 Released: Fri May 15 16:39:59 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1171422 This update for gnutls fixes the following issues: - Add RSA 4096 key generation support in FIPS mode (bsc#1171422) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1294-1 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Type: security Severity: moderate References: 1154661,1169512,CVE-2019-18218 This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1299-1 Released: Mon May 18 07:43:21 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595 This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2019-19956: Fixed a memory leak (bsc#1159928). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1328-1 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1155271 This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1361-1 Released: Thu May 21 09:31:18 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1171872 This update for libgcrypt fixes the following issues: - FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1370-1 Released: Thu May 21 19:06:00 2020 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1171656 This update for systemd-presets-branding-SLE fixes the following issues: Cleanup of outdated autostart services (bsc#1171656): - Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE. - Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this. - Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE which is not foreseeable. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1400-1 Released: Mon May 25 14:09:02 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1162930 This update for glibc fixes the following issues: - nptl: wait for pending setxid request also in detached thread. (bsc#1162930) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1404-1 Released: Mon May 25 15:32:34 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1138793,1166260 This update for zlib fixes the following issues: - Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1. - Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1506-1 Released: Fri May 29 17:22:11 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1087982,1170527 This update for aaa_base fixes the following issues: - Not all XTerm based emulators do have a terminfo entry. (bsc#1087982) - Better support of Midnight Commander. (bsc#1170527) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1532-1 Released: Thu Jun 4 10:16:12 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1172021,CVE-2019-19956 This update for libxml2 fixes the following issues: - CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1560-1 Released: Mon Jun 8 12:08:28 2020 Summary: Recommended update for llvm7 Type: recommended Severity: low References: 1171512 This update for llvm7 fixes the following issues: -Fix for build failures when using 'llvm7' on i586. (bsc#1171512) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1562-1 Released: Mon Jun 8 12:39:15 2020 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1145231,1150021,1158358,1163526,1164126,1164718 This update for lvm2 fixes the following issues: - Fix heap memory leak in lvmetad. (bsc#1164126) - lvmetad uses devices/global_filter but not devices/filter after lvm2 update. (bsc#1163526) This config item global_filter_compat is a SUSE special. The default value is 1, which means the devices/global_filter behaviour is same as before. When the value is 0, user should use global_filter to control system-wide software, e.g. udev and lvmetad global_filter_compat are not opened by LVM. - Avoid creation of mixed-blocksize 'PV' on 'LVM' volume groups (LVM2). (bsc#1149408) - Fix for LVM metadata when an error occurs writing device. (bsc#1150021) - Fix for boot when it takes extremely long time with 400 LUN's. (bsc#1158358) - Fix for LVM metadata to avoid faulty LVM detection. (bsc#1145231) - Enhance block cache code to fix issues with 'lvmtad' and 'lvmcache'. 
(bsc#1164718) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1573-1 Released: Tue Jun 9 12:07:53 2020 Summary: Add features for Metrics Server, Cert Status Checker, VSphere VCP, and Cilium Envoy Type: security Severity: moderate References: 1041090,1047218,1048688,1086909,1094448,1095603,1102920,1121353,1129568,1138908,1144068,1151876,1156450,1159002,1159003,1159004,1159539,1162651,1167073,1169506,CVE-2019-18801,CVE-2019-18802,CVE-2019-18836,CVE-2019-18838 Metrics Server * Support monitoring of *CPU* and *memory* of a pod or node. Cert Status Checker * Exposes cluster-wide certificate status and uses the monitoring stack (Prometheus and Grafana) to receive alerts via Prometheus Alertmanager and to monitor certificate status in a Grafana dashboard. VSphere VCP * Allow Kubernetes pods to use VMWare vSphere Virtual Machine Disk (VMDK) volumes as persistent storage. Cilium Envoy * Updated Cilium from version 1.5.3 to version 1.6.6 * Provide Envoy-proxy support for Cilium * Envoy and its dependencies packaged for version 1.12.2 * Cilium uses CRD and ConfigMap points on etcd are removed See release notes for installation instructions: https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/ The following CVE entries are relevant for the CaaSP 4.2.1 update: cilium-proxy: CVE-2019-18801: An untrusted remote client might have been able to send HTTP/2 requests via cilium-proxy that could have written to the heap outside of the request buffers when the upstream is HTTP/1.
(bsc#1159002) CVE-2019-18802: A malformed request header may have caused bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) CVE-2019-18838: A malformed HTTP request without the Host header may cause abnormal termination of the Envoy process (bsc#1159004) CVE-2019-18836: Excessive iteration due to listener filter timeout in envoy could lead to DoS (bsc#1156450) kafka: CVE-2018-1288: authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request. (bsc#1102920) From sle-updates at lists.suse.com Tue Jun 16 11:30:39 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 19:30:39 +0200 (CEST) Subject: SUSE-CU-2020:199-1: Security update of caasp/v4/cilium-init Message-ID: <20200616173039.4FB60F749@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/cilium-init ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:199-1 Container Tags : caasp/v4/cilium-init:1.5.3 , caasp/v4/cilium-init:1.5.3-rev3 , caasp/v4/cilium-init:1.5.3-rev3-build3.5.1 Container Release : 3.5.1 Severity : important Type : security References : 1007715 1013125 1049825 1051143 1073313 1081947 1081947 1082293 1084671 1084934 1085196 1087982 1092100 1092920 1093414 1102840 1103320 1106214 1106383 1110797 1111388 1114592 1114845 1116995 1120629 1120630 1120631 1121197 1121753 1122417 1123919 1125689 1125886 1127155 1127608 1127701 1130306 1131113 1131823 1133495 1133773 1134226 1135114 1135254 1135534 1135708 1135749 1137977 1138793 1138869 1139459 1139459 1139795 1139939 1140039 1140631 1141113 1141897 1142649 1142654 1143055 1143194 1143273 1144047 1144169 1145023 1145521 1145554 1145716 1146027 1146182 1146184 1146415 1146415 1146866 1146947 1148517 1148788 1148987 1149145 1149332 1149495 1149496 1149511 1149995 1150003 1150137 1150250 1150595 1150734 1151023 1151023 1151377 1151582 1152101 1152590 1152692
1152755 1153351 1153557 1153936 1154019 1154036 1154037 1154256 1154295 1154661 1154804 1154805 1154871 1154884 1154887 1155198 1155199 1155205 1155207 1155271 1155298 1155327 1155337 1155338 1155339 1155346 1155574 1155678 1155819 1156158 1156213 1156300 1156482 1157198 1157278 1157292 1157377 1157775 1157794 1157893 1158095 1158095 1158101 1158485 1158763 1158809 1158830 1158921 1158996 1159003 1159314 1159814 1159928 1160039 1160160 1160571 1160594 1160595 1160735 1160764 1160970 1160979 1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161517 1161521 1161779 1161816 1162108 1162108 1162152 1162518 1162930 1163184 1163922 1164505 1164562 1164717 1164950 1164950 1165011 1165539 1165579 1165784 1166106 1166260 1166481 1166510 1166510 1166748 1166881 1167163 1167223 1167631 1167674 1167898 1168076 1168345 1168364 1168699 1168835 1169512 1169569 1169944 1169992 1170527 1170771 1171173 1171422 1171872 1172021 353876 859480 CVE-2017-17740 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2019-12290 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-16168 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-18224 CVE-2019-18802 CVE-2019-18900 CVE-2019-19126 CVE-2019-19956 CVE-2019-19956 CVE-2019-20386 CVE-2019-20388 CVE-2019-3687 CVE-2019-3688 CVE-2019-3690 CVE-2019-5094 CVE-2019-5188 CVE-2019-5481 CVE-2019-5482 CVE-2019-9511 CVE-2019-9513 CVE-2020-10029 CVE-2020-11501 CVE-2020-12243 CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1752 CVE-2020-7595 CVE-2020-8013 SLE-6533 SLE-6536 SLE-7687 SLE-8789 SLE-9132 SLE-9171 ----------------------------------------------------------------- The container caasp/v4/cilium-init was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169
This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)

Removed CAs:
- Certinomis - Root CA

Includes new root CAs from the 2.32 version:
- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876
This update for util-linux and shadow fixes the following issues:

util-linux:
- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:
- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047
This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released: Thu Sep 12 14:18:53 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482
This update for curl fixes the following issues:

Security issues fixed:
- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565
This update for openldap2 fixes the following issues:

Security issue fixed:
- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:
- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released: Wed Sep 18 16:14:29 2019
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563
This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]
* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132
This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

Following settings have been tightened (and set to 0):
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168
This update for sqlite3 fixes the following issues:

Security issue fixed:
- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released: Thu Oct 10 17:22:35 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1110797
This update for permissions fixes the following issues:

- Updated permissions for amanda. (bsc#1110797)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094
This update for e2fsprogs fixes the following issues:

Security issue fixed:
- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

Non-security issue fixed:
- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126
This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

Following security issues were fixed:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:
- Fix CPU summary showing old data. (bsc#1121753)

The update to 3.3.15 contains the following fixes:
  * library: Increment to 8:0:1
    No removals, no new functions
    Changes: slab and pid structures
  * library: Just check for SIGLOST and don't delete it
  * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
  * library: Use size_t for alloc functions CVE-2018-1126
  * library: Increase comm size to 64
  * pgrep: Fix stack-based buffer overflow CVE-2018-1125
  * pgrep: Remove >15 warning as comm can be longer
  * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
  * ps: Increase command name selection field to 64
  * top: Don't use cwd for location of config CVE-2018-1122
  * update translations
  * library: build on non-glibc systems
  * free: fix scaling on 32-bit systems
  * Revert 'Support running with child namespaces'
  * library: Increment to 7:0:1
    No changes, no removals
    New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
  * doc: Document I idle state in ps.1 and top.1
  * free: fix some of the SI multiples
  * kill: -l space between name parses correctly
  * library: don't use vm_min_free on non Linux
  * library: don't
    strip off wchan prefixes (ps & top)
  * pgrep: warn about 15+ char name only if -f not used
  * pgrep/pkill: only match in same namespace by default
  * pidof: specify separator between pids
  * pkill: Return 0 only if we can kill process
  * pmap: fix duplicate output line under '-x' option
  * ps: avoid eip/esp address truncations
  * ps: recognizes SCHED_DEADLINE as valid CPU scheduler
  * ps: display NUMA node under which a thread ran
  * ps: Add seconds display for cputime and time
  * ps: Add LUID field
  * sysctl: Permit empty string for value
  * sysctl: Don't segv when file not available
  * sysctl: Read and write large buffers
  * top: add config file support for XDG specification
  * top: eliminated minor libnuma memory leak
  * top: show fewer memory decimal places (configurable)
  * top: provide command line switch for memory scaling
  * top: provide command line switch for CPU States
  * top: provides more accurate cpu usage at startup
  * top: display NUMA node under which a thread ran
  * top: fix argument parsing quirk resulting in SEGV
  * top: delay interval accepts non-locale radix point
  * top: address a wishlist man page NLS suggestion
  * top: fix potential distortion in 'Mem' graph display
  * top: provide proper multi-byte string handling
  * top: startup defaults are fully customizable
  * watch: define HOST_NAME_MAX where not defined
  * vmstat: Fix alignment for disk partition format
  * watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released: Tue Oct 22 15:40:16 2019
Summary: Recommended update for libzypp, zypper, libsolv and PackageKit
Type: recommended
Severity: important
References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534
This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed
in libsolv:
- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:
- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which all packages were not updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives

Issues fixed in libzypp:
- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolvers general attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection.
  (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:
- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhid 'ps' command in help
- Added option to show more conflict information
- Rephrased `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)

Issues fixed in PackageKit:
- Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script (bsc#1130306).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released: Wed Oct 23 17:21:17 2019
Summary: Security update for lz4
Type: security
Severity: moderate
References: 1153936,CVE-2019-17543
This update for lz4 fixes the following issues:

- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released: Tue Oct 29 14:57:55 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1140631,1145023,1150595,SLE-7687
This update for systemd provides the following fixes:

- Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released: Thu Oct 31 08:09:14 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1051143,1138869,1151023
This update for aaa_base provides the following fixes:

- Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it.
  (bsc#1051143)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released: Thu Nov 14 11:53:03 2019
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1133773,1143055
This update for bash fixes the following issues:

- Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm'
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released: Thu Nov 14 22:45:33 2019
Summary: Optional update for curl
Type: optional
Severity: low
References: 1154019
This update for curl doesn't address any user visible issues.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595
This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:
- Removed screen.xterm from terminfo database (bsc#1103320).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3010-1
Released: Tue Nov 19 18:10:58 2019
Summary: Recommended update for zypper and libsolv
Type: recommended
Severity: moderate
References: 1145554,1146415,1149511,1153351,SLE-9171
This update for zypper and libsolv fixes the following issues:

Package: zypper
- Improved the documentation of $releasever and --releasever use cases (bsc#1149511)
- zypper will now ask only once when multiple packages share the same license text (bsc#1145554)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415)
- Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351)
- Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171)

Package: libsolv
- Fixes issues when updating too many packages in focusbest mode
- Fixes the handling of disabled and installed packages in distupgrade

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released: Mon Nov 25 17:33:07 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866
This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Type: security
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536
This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:

  https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.

To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released: Tue Nov 26 12:39:29 2019
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1152755
This update for gpg2 provides the following fix:

- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released: Thu Nov 28 10:02:24 2019
Summary: Security update for libidn2
Type: security
Severity: moderate
References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224
This update for libidn2 to version 2.2.0 fixes the following issues:

- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released: Thu Nov 28 10:03:00 2019
Summary: Security update for libxml2
Type: security
Severity: low
References: 1123919
This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed over the past.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released: Fri Nov 29 14:41:35 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1154295
This update for e2fsprogs fixes the following issues:

- Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released: Wed Dec 4 11:24:42 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1007715,1084934,1157278
This update for aaa_base fixes the following issues:

- Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3181-1
Released: Thu Dec 5 11:43:07 2019
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690
This update for permissions fixes the following issues:

- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734).
- Fixed a regression which caused segmentation fault (bsc#1157198).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released: Tue Dec 10 10:40:19 2019
Summary: Recommended update for ca-certificates-mozilla, p11-kit
Type: recommended
Severity: moderate
References: 1154871
This update for ca-certificates-mozilla, p11-kit fixes the following issues:

Changes in ca-certificates-mozilla:
- export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).

Changes in p11-kit:
- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released: Wed Dec 11 11:19:53 2019
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released: Fri Dec 27 13:33:29 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1148987,1155338,1155339,CVE-2019-13627
This update for libgcrypt fixes the following issues:

Security issues fixed:
- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

Bug fixes:
- Added CMAC AES self test (bsc#1155339).
- Added CMAC TDES self test missing (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:69-1
Released: Fri Jan 10 12:33:59 2020
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789
This update for openssl-1_1 fixes the following issues:

Security issue fixed:
- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

Various FIPS related improvements were done:
- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
- Port FIPS patches from SLE-12 (bsc#1158101).
- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released: Mon Jan 20 09:21:13 2020
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released: Fri Jan 24 06:49:07 2020
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1158830
This update for procps fixes the following issues:

- Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:256-1
Released: Wed Jan 29 09:39:17 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1157794,1160970
This update for aaa_base fixes the following issues:

- Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config.
  (bsc#1160970)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:262-1
Released: Thu Jan 30 11:02:42 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126
This update for glibc fixes the following issues:

Security issue fixed:
- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).

Bug fixes:
- Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893).
- Fixed Hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:265-1
Released: Thu Jan 30 14:05:34 2020
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1160571,CVE-2019-5188
This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released: Fri Jan 31 12:01:39 2020
Summary: Recommended update for p11-kit
Type: recommended
Severity: moderate
References: 1013125
This update for p11-kit fixes the following issues:

- Also build documentation (bsc#1013125)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released: Thu Feb 6 11:37:24 2020
Summary: Security update for systemd
Type: security
Severity: important
References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712
This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm trigger???
  (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
  * shell-completion: systemctl: do not list template units in {re,}start
  * shell-completion: systemctl: pass current word to all list_unit*
  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
  * bash-completion: systemctl: use systemctl --no-pager
  * bash-completion: also suggest template unit files
  * bash-completion: systemctl: add missing options and verbs
  * bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot
  option to not use swap at system start (jsc#SLE-7689)
- Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released: Thu Feb 6 13:03:22 2020
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1158921

This update for openldap2 provides the following fix:

- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:432-1
Released: Fri Feb 21 14:34:16 2020
Summary: Security update for libsolv, libzypp, zypper
Type: security
Severity: moderate
References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900

This update for libsolv, libzypp, zypper fixes the following issues:

Security issue fixed:

- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

Bug fixes

- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
- Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678).
- Load only target resolvables for zypper rm (bsc#1157377).
- Fix broken search by filelist (bsc#1135114).
- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
- Do not sort out requested locales which are not available (bsc#1155678).
- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).
- XML add patch issue-date and issue-list (bsc#1154805).
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
- Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released: Tue Feb 25 10:50:35 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1155337,1161215,1161216,1161218,1161219,1161220

This update for libgcrypt fixes the following issues:

- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released: Tue Feb 25 14:23:14 2020
Summary: Recommended update for perl
Type: recommended
Severity: moderate
References: 1102840,1160039

This update for perl fixes the following issues:

- Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released: Tue Feb 25 17:38:22 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1160735

This update for aaa_base fixes the following issues:

- Change 'rp_filter' to increase the default priority to ethernet over the wifi.
  (bsc#1160735)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released: Fri Feb 28 11:49:36 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1164562

This update for pam fixes the following issues:

- Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:547-1
Released: Fri Feb 28 16:26:21 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013

This update for permissions fixes the following issues:

Security issues fixed:

- CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788)
- CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922).

Non-security issues fixed:

- Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594).
- Fixed capability handling when doing multiple permission changes at once (bsc#1161779).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released: Tue Mar 3 13:25:41 2020
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1162518

This update for cyrus-sasl fixes the following issues:

- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released: Tue Mar 3 13:37:28 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1160160

This update for ca-certificates-mozilla to 2.40 fixes the following issues:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released: Thu Mar 5 15:24:09 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950

This update for libgcrypt fixes the following issues:

- FIPS: Run the self-tests from the constructor [bsc#1164950]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released: Tue Mar 10 16:23:08 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1139939,1151023

This update for aaa_base fixes the following issues:

- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released: Thu Mar 19 11:00:46 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1160595

This update for systemd fixes the following issues:

- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:726-1
Released: Thu Mar 19 13:23:03 2020
Summary: Security update for nghttp2
Type: security
Severity: moderate
References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513

This update for nghttp2 fixes the following issues:

Security issues fixed:

- CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461).
- CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003)

Bug fixes and enhancements:

- Fixed mistake in spec file (bsc#1125689)

Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481)

  * lib: Add nghttp2_check_authority as public API
  * lib: Fix the bug that stream is closed with wrong error code
  * lib: Faster huffman encoding and decoding
  * build: Avoid filename collision of static and dynamic lib
  * build: Add new flag ENABLE_STATIC_CRT for Windows
  * build: cmake: Support building nghttpx with systemd
  * third-party: Update neverbleed to fix memory leak
  * nghttpx: Fix bug that mruby is incorrectly shared between backends
  * nghttpx: Reconnect h1 backend if it lost connection before sending headers
  * nghttpx: Returns 408 if backend timed out before sending headers
  * nghttpx: Fix request stal

- Conditionally remove dependency on jemalloc for SLE-12
- Require correct library from devel package - boo#1125689

Update to version 1.39.2 (bsc#1146184, bsc#1146182):

  * This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack.
  * Add nghttp2_option_set_max_outbound_ack API function
  * nghttpx: Fix request stall

Update to version 1.39.1:

  * This release fixes the bug that log-level is not set with cmd-line or configuration file.
    It also fixes FPE with default backend.

Changes for version 1.39.0:

  * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230.
  * mruby has been upgraded to 2.0.1.
  * libnghttp2-asio now supports boost-1.70.
  * http-parser has been replaced with llhttp.
  * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released: Thu Mar 19 14:44:22 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1166106

This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released: Wed Mar 25 15:16:00 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712

This update for systemd fixes the following issues:

- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-↑
- %j/%J unit specifiers

Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).

Added the udev 60-ssd-scheduler.rules:

- This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team.
- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released: Mon Mar 30 16:23:42 2020
Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type: recommended
Severity: moderate
References: 1161816,1162152,1167223

This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):

Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4

- Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816)
- Move the animation library to core package bsc#1162152

xmlsec1 was updated to 1.2.28:

  * Added BoringSSL support (chenbd).
  * Added gnutls-3.6.x support (alonbl).
  * Added DSA and ECDSA key size getter for MSCNG (vmiklos).
  * Added --enable-mans configuration option (alonbl).
  * Added continuous build integration for MacOSX (vmiklos).
  * Several other small fixes (more details).

- Make sure to recommend at least one backend when you install just xmlsec1
- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

  * Added AES-GCM support for OpenSSL and MSCNG (snargit).
  * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
  * Added RSA-OAEP support for MSCNG (vmiklos).
  * Continuous build integration in Travis and Appveyor.
  * Several other small fixes (more details).

myspell-dictionaries was updated to 20191219:

  * Updated the English dictionaries: GB+US+CA+AU
  * Bring shipped Spanish dictionary up to version 2.5

boost was updated to fix:

- add a backport of Boost.Optional::has_value() for LibreOffice

The QR-Code-generator is shipped:

- Initial commit, needed by libreoffice 6.4

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released: Tue Mar 31 13:02:22 2020
Summary: Security update for glibc
Type: security
Severity: important
References: 1167631,CVE-2020-1752

This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:834-1
Released: Tue Mar 31 17:21:34 2020
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1167163

This update for permissions fixes the following issue:

- whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released: Thu Apr 2 07:24:07 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950,1166748,1167674

This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
  * Set up global_init as the constructor function:
  * Relax the entropy requirements on selftest.
    This is especially important for virtual machines to boot properly before the RNG is available:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released: Fri Apr 3 15:02:25 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released: Wed Apr 8 07:44:21 2020
Summary: Security update for gmp, gnutls, libnettle
Type: security
Severity: moderate
References: 1152692,1155327,1166881,1168345,CVE-2020-11501

This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test.
  (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released: Wed Apr 8 13:34:06 2020
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1160979

This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to exercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released: Thu Apr 9 11:41:53 2020
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1168699,CVE-2020-1730

This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:969-1
Released: Thu Apr 9 11:43:17 2020
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1168364

This update for permissions fixes the following issues:

- Fixed spelling of icinga group (bsc#1168364)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:981-1
Released: Mon Apr 13 15:43:44 2020
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1156300

This update for rpm fixes the following issues:

- Fix for language package macros to avoid wrong requirement on shared library.
  (bsc#1156300)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1026-1
Released: Fri Apr 17 16:14:43 2020
Summary: Recommended update for libsolv
Type: recommended
Severity: moderate
References: 1159314

This update for libsolv fixes the following issues:

libsolv was updated to version 0.7.11:

- fix solv_zchunk decoding error if large chunks are used (bsc#1159314)
- treat retracted patches as irrelevant
- made add_update_target work with multiversion installs

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1047-1
Released: Tue Apr 21 10:33:06 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1168835

This update for gnutls fixes the following issues:

- Backport AES XTS support (bsc#1168835)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released: Wed Apr 22 10:46:50 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1165539,1169569

This update for libgcrypt fixes the following issues:

- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1108-1
Released: Fri Apr 24 16:31:01 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1169992

This update for gnutls fixes the following issues:

- FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released: Tue May 5 08:33:43 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1165011,1168076

This update for systemd fixes the following issues:

- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used. (bsc#1165011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1214-1
Released: Thu May 7 11:20:34 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1169944

This update for libgcrypt fixes the following issues:

- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released: Thu May 7 17:10:42 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1170771,CVE-2020-12243

This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1226-1
Released: Fri May 8 10:51:05 2020
Summary: Recommended update for gcc9
Type: recommended
Severity: moderate
References: 1149995,1152590,1167898

This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1271-1
Released: Wed May 13 13:17:59 2020
Summary: Recommended update for permissions
Type: recommended
Severity: important
References: 1171173

This update for permissions fixes the following issues:

- Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1290-1
Released: Fri May 15 16:39:59 2020
Summary: Recommended update for gnutls
Type: recommended
Severity: moderate
References: 1171422

This update for gnutls fixes the following issues:

- Add RSA 4096 key generation support in FIPS mode (bsc#1171422)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1294-1
Released: Mon May 18 07:38:36 2020
Summary: Security update for file
Type: security
Severity: moderate
References: 1154661,1169512,CVE-2019-18218

This update for file fixes the following issues:

Security issues fixed:

- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

Non-security issue fixed:

- Fixed broken '--help' output (bsc#1169512).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1299-1
Released: Mon May 18 07:43:21 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595

This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1328-1
Released: Mon May 18 17:16:04 2020
Summary: Recommended update for grep
Type: recommended
Severity: moderate
References: 1155271

This update for grep fixes the following issues:

- Update testsuite expectations, no functional changes (bsc#1155271)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1361-1
Released: Thu May 21 09:31:18 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1171872

This update for libgcrypt fixes the following issues:

- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1400-1
Released: Mon May 25 14:09:02 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1162930

This update for glibc fixes the following issues:

- nptl: wait for pending setxid request also in detached thread.
  (bsc#1162930)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1404-1
Released: Mon May 25 15:32:34 2020
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1138793,1166260

This update for zlib fixes the following issues:

- Including the latest fixes from IBM (bsc#1166260)
  IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793.
  The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1506-1
Released: Fri May 29 17:22:11 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1087982,1170527

This update for aaa_base fixes the following issues:

- Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander. (bsc#1170527)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1532-1
Released: Thu Jun 4 10:16:12 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1172021,CVE-2019-19956

This update for libxml2 fixes the following issues:

- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).
From sle-updates at lists.suse.com Tue Jun 16 11:32:06 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 19:32:06 +0200 (CEST) Subject: SUSE-CU-2020:200-1: Security update of caasp/v4/cilium-operator Message-ID: <20200616173206.C158AF749@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/cilium-operator ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:200-1 Container Tags : caasp/v4/cilium-operator:1.6.6 , caasp/v4/cilium-operator:1.6.6-rev3 , caasp/v4/cilium-operator:1.6.6-rev3-build3.5.1 Container Release : 3.5.1 Severity : important Type : security References : 1007715 1013125 1041090 1047218 1048688 1049825 1051143 1073313 1081947 1081947 1082293 1084671 1084934 1085196 1086909 1087982 1092100 1092920 1093414 1094448 1095603 1102840 1102920 1103320 1106214 1106383 1110797 1111388 1114592 1114845 1116995 1120629 1120630 1120631 1121197 1121353 1121753 1122417 1123919 1125689 1125886 1127155 1127608 1127701 1129568 1130306 1131113 1131823 1133495 1133773 1134226 1135114 1135254 1135534 1135708 1135749 1137977 1138793 1138869 1138908 1139459 1139459 1139795 1139939 1140039 1140631 1141113 1141897 1142649 1142654 1143055 1143194 1143273 1144047 1144068 1144169 1145023 1145521 1145554 1145716 1146027 1146182 1146184 1146415 1146415 1146866 1146947 1148517 1148788 1148987 1149145 1149332 1149495 1149496 1149511 1149995 1150003 1150137 1150250 1150595 1150734 1151023 1151023 1151377 1151582 1151876 1152101 1152590 1152692 1152755 1153351 1153557 1153936 1154019 1154036 1154037 1154256 1154295 1154661 1154804 1154805 1154871 1154884 1154887 1155198 1155199 1155205 1155207 1155271 1155298 1155327 1155337 1155338 1155339 1155346 1155574 1155678 1155819 1156158 1156213 1156300 1156450 1156482 1157198 1157278 1157292 1157377 1157775 1157794 1157893 1158095 1158095 1158101 1158485 1158763 1158809 1158830 1158921 1158996 1159002 1159003 1159003 1159004 1159314 
1159539 1159814 1159928 1160039 1160160 1160571 1160594 1160595 1160735 1160764 1160970 1160979 1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161517 1161521 1161779 1161816 1162108 1162108 1162152 1162518 1162651 1162930 1163184 1163922 1164505 1164562 1164717 1164950 1164950 1165011 1165539 1165579 1165784 1166106 1166260 1166481 1166510 1166510 1166748 1166881 1167073 1167163 1167223 1167631 1167674 1167898 1168076 1168345 1168364 1168699 1168835 1169506 1169512 1169569 1169944 1169992 1170527 1170771 1171173 1171422 1171872 1172021 353876 859480 CVE-2017-17740 CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2019-12290 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 CVE-2019-16168 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-18224 CVE-2019-18801 CVE-2019-18802 CVE-2019-18802 CVE-2019-18836 CVE-2019-18838 CVE-2019-18900 CVE-2019-19126 CVE-2019-19956 CVE-2019-19956 CVE-2019-20386 CVE-2019-20388 CVE-2019-3687 CVE-2019-3688 CVE-2019-3690 CVE-2019-5094 CVE-2019-5188 CVE-2019-5481 CVE-2019-5482 CVE-2019-9511 CVE-2019-9513 CVE-2020-10029 CVE-2020-11501 CVE-2020-12243 CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1752 CVE-2020-7595 CVE-2020-8013 SLE-6533 SLE-6536 SLE-7687 SLE-8789 SLE-9132 SLE-9171 ----------------------------------------------------------------- The container caasp/v4/cilium-operator was updated. 
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169

This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)

Removed CAs:

- Certinomis - Root CA

Includes new root CAs from the 2.32 version:

- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:
- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

This update for krb5 contains the following fixes:
- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2373-1
Released: Thu Sep 12 14:18:53 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482

This update for curl fixes the following issues:

Security issues fixed:
- CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495).
- CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

This update for openldap2 fixes the following issues:

Security issue fixed:
- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, slapd attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:
- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2403-1
Released: Wed Sep 18 16:14:29 2019
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563

This update for openssl-1_1 fixes the following issues:

OpenSSL Security Advisory [10 September 2019]
* CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. (bsc#1150003)
* CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132

This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

The following settings have been tightened (and set to 0):
- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168
This update for sqlite3 fixes the following issues:

Security issue fixed:
- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2626-1
Released: Thu Oct 10 17:22:35 2019
Summary: Recommended update for permissions
Type: recommended
Severity: moderate
References: 1110797

This update for permissions fixes the following issues:
- Updated permissions for amanda. (bsc#1110797)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094

This update for e2fsprogs fixes the following issues:

Security issue fixed:
- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

Non-security issue fixed:
- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

The following security issues were fixed:
- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow.
  Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:
- Fix CPU summary showing old data. (bsc#1121753)

The update to 3.3.15 contains the following fixes:
* library: Increment to 8:0:1
  No removals, no new functions
  Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert 'Support running with child namespaces'
* library: Increment to 7:0:1
  No changes, no removals
  New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: don't use vm_min_free on non Linux
* library: don't
  strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2742-1
Released: Tue Oct 22 15:40:16 2019
Summary: Recommended update for libzypp, zypper, libsolv and PackageKit
Type: recommended
Severity: important
References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534

This update for libzypp, zypper, libsolv and PackageKit fixes the following issues:

Security issues fixed
in libsolv:
- CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
- CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
- CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Other issues addressed in libsolv:
- Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
- Fixed an issue with the package name (bsc#1131823).
- repo_add_rpmdb: do not copy bad solvables from the old solv file
- Fixed an issue with cleandeps updates in which all packages were not updated
- Experimental DISTTYPE_CONDA and REL_CONDA support
- Fixed cleandeps jobs when using patterns (bsc#1137977)
- Fixed favorq leaking between solver runs if the solver is reused
- Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason
- Be more correct with multiversion packages that obsolete their own name (bnc#1127155)
- Fix repository priority handling for multiversion packages
- Make code compatible with swig 4.0, remove obj0 instances
- repo2solv: support zchunk compressed data
- Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives

Issues fixed in libzypp:
- Fix empty metalink downloads if filesize is unknown (bsc#1153557)
- Recognize riscv64 as architecture
- Fix installation of new header file (fixes #185)
- zypp.conf: Introduce `solver.focus` to define the resolver's general attitude when resolving jobs. (bsc#1146415)
- New container detection algorithm for zypper ps (bsc#1146947)
- Fix leaking filedescriptors in MediaCurl. (bsc#1116995)
- Run file conflict check on dry-run. (bsc#1140039)
- Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795)
- Rephrase file conflict check summary. (bsc#1140039)
- Fix bash completions option detection.
  (bsc#1049825)
- Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521)
- Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027)
- PublicKey::algoName: supply key algorithm and length

Issues fixed in zypper:
- Update to version 1.14.30
- Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521)
- Dump stacktrace on SIGPIPE (bsc#1145521)
- info: The requested info must be shown in QUIET mode (fixes #287)
- Fix local/remote url classification.
- Rephrase file conflict check summary (bsc#1140039)
- Fix bash completions option detection (bsc#1049825)
- man: split '--with[out]' like options to ease searching.
- Unhid 'ps' command in help
- Added option to show more conflict information
- Rephrased `zypper ps` hint (bsc#859480)
- Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226)
- Fixed unknown package handling in zypper install (bsc#1127608)
- Re-show progress bar after pressing retry upon install error (bsc#1131113)

Issues fixed in PackageKit:
- Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script (bsc#1130306).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released: Wed Oct 23 17:21:17 2019
Summary: Security update for lz4
Type: security
Severity: moderate
References: 1153936,CVE-2019-17543

This update for lz4 fixes the following issues:
- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released: Tue Oct 29 14:57:55 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1140631,1145023,1150595,SLE-7687

This update for systemd provides the following fixes:
- Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released: Thu Oct 31 08:09:14 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1051143,1138869,1151023

This update for aaa_base provides the following fixes:
- Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it.
  (bsc#1051143)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released: Thu Nov 14 11:53:03 2019
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1133773,1143055

This update for bash fixes the following issues:
- Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm'
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2980-1
Released: Thu Nov 14 22:45:33 2019
Summary: Optional update for curl
Type: optional
Severity: low
References: 1154019

This update for curl doesn't address any user visible issues.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595

This update for ncurses fixes the following issues:

Security issues fixed:
- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:
- Removed screen.xterm from terminfo database (bsc#1103320).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3010-1
Released: Tue Nov 19 18:10:58 2019
Summary: Recommended update for zypper and libsolv
Type: recommended
Severity: moderate
References: 1145554,1146415,1149511,1153351,SLE-9171

This update for zypper and libsolv fixes the following issues:

Package: zypper
- Improved the documentation of $releasever and --releasever use cases (bsc#1149511)
- zypper will now ask only once when multiple packages share the same license text (bsc#1145554)
- Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415)
- Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351)
- Added a new --repo option to the 'download' command to allow specifying a repository (jsc#SLE-9171)

Package: libsolv
- Fixes issues when updating too many packages in focusbest mode
- Fixes the handling of disabled and installed packages in distupgrade

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released: Mon Nov 25 17:33:07 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866

This update for cpio fixes the following issues:
- CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Type: security
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536

This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.

To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration.

Security issues fixed:
- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:
- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released: Tue Nov 26 12:39:29 2019
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1152755

This update for gpg2 provides the following fix:
- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released: Thu Nov 28 10:02:24 2019
Summary: Security update for libidn2
Type: security
Severity: moderate
References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224

This update for libidn2 to version 2.2.0 fixes the following issues:
- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released: Thu Nov 28 10:03:00 2019
Summary: Security update for libxml2
Type: security
Severity: low
References: 1123919

This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed in the past.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released: Fri Nov 29 14:41:35 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1154295

This update for e2fsprogs fixes the following issues:
- Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released: Wed Dec 4 11:24:42 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1007715,1084934,1157278

This update for aaa_base fixes the following issues:
- Use official key binding functions in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3181-1
Released: Thu Dec 5 11:43:07 2019
Summary: Security update for permissions
Type: security
Severity: moderate
References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690

This update for permissions fixes the following issues:
- CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414).
- CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734).
- Fixed a regression which caused a segmentation fault (bsc#1157198).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released: Tue Dec 10 10:40:19 2019
Summary: Recommended update for ca-certificates-mozilla, p11-kit
Type: recommended
Severity: moderate
References: 1154871

This update for ca-certificates-mozilla, p11-kit fixes the following issues:

Changes in ca-certificates-mozilla:
- export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).

Changes in p11-kit:
- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released: Wed Dec 11 11:19:53 2019
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889

This update for libssh fixes the following issues:
- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released: Fri Dec 27 13:33:29 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1148987,1155338,1155339,CVE-2019-13627

This update for libgcrypt fixes the following issues:

Security issues fixed:
- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

Bug fixes:
- Added CMAC AES self test (bsc#1155339).
- Added missing CMAC TDES self test (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:69-1
Released: Fri Jan 10 12:33:59 2020
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789

This update for openssl-1_1 fixes the following issues:

Security issue fixed:
- CVE-2019-1551: Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).

Various FIPS related improvements were done:
- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).
- Port FIPS patches from SLE-12 (bsc#1158101).
- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released: Mon Jan 20 09:21:13 2020
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889

This update for libssh fixes the following issues:
- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released: Fri Jan 24 06:49:07 2020
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1158830

This update for procps fixes the following issues:
- Fix 'ps -C' so that it again accepts arguments longer than 15 characters. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:256-1
Released: Wed Jan 29 09:39:17 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1157794,1160970

This update for aaa_base fixes the following issues:
- Improves the way the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config.
  (bsc#1160970)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:262-1
Released: Thu Jan 30 11:02:42 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126

This update for glibc fixes the following issues:

Security issue fixed:
- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).

Bug fixes:
- Fixed z15 (s390x) strstr implementation that can return incorrect results if the search string crosses a page boundary (bsc#1157893).
- Fixed Hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:265-1
Released: Thu Jan 30 14:05:34 2020
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1160571,CVE-2019-5188

This update for e2fsprogs fixes the following issues:
- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released: Fri Jan 31 12:01:39 2020
Summary: Recommended update for p11-kit
Type: recommended
Severity: moderate
References: 1013125

This update for p11-kit fixes the following issues:
- Also build documentation (bsc#1013125)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released: Thu Feb 6 11:37:24 2020
Summary: Security update for systemd
Type: security
Severity: important
References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712

This update for systemd fixes the following issues:
- CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm trigger
  (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
  * shell-completion: systemctl: do not list template units in {re,}start
  * shell-completion: systemctl: pass current word to all list_unit*
  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
  * bash-completion: systemctl: use systemctl --no-pager
  * bash-completion: also suggest template unit files
  * bash-completion: systemctl: add missing options and verbs
  * bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot
  option to not use swap at system start (jsc#SLE-7689)
- Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released: Thu Feb 6 13:03:22 2020
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1158921

This update for openldap2 provides the following fix:
- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:432-1
Released: Fri Feb 21 14:34:16 2020
Summary: Security update for libsolv, libzypp, zypper
Type: security
Severity: moderate
References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900

This update for libsolv, libzypp, zypper fixes the following issues:

Security issue fixed:
- CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763).

Bug fixes:
- Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819).
- Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198).
- Do not enforce 'en' being in RequestedLocales. If the user decides to have a system without explicit language support he may do so (bsc#1155678).
- Load only target resolvables for zypper rm (bsc#1157377).
- Fix broken search by filelist (bsc#1135114).
- Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158).
- Do not sort out requested locales which are not available (bsc#1155678).
- Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805).
- XML add patch issue-date and issue-list (bsc#1154805).
- Fix zypper lp --cve/bugzilla/issue options (bsc#1155298).
- Always execute commit when adding/removing locales (fixes bsc#1155205).
- Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. 
(bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:726-1 Released: Thu Mar 19 13:23:03 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513 This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184). 
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461). - CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) Bug fixes and enhancements: - Fixed mistake in spec file (bsc#1125689) Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481) * lib: Add nghttp2_check_authority as public API * lib: Fix the bug that stream is closed with wrong error code * lib: Faster huffman encoding and decoding * build: Avoid filename collision of static and dynamic lib * build: Add new flag ENABLE_STATIC_CRT for Windows * build: cmake: Support building nghttpx with systemd * third-party: Update neverbleed to fix memory leak * nghttpx: Fix bug that mruby is incorrectly shared between backends * nghttpx: Reconnect h1 backend if it lost connection before sending headers * nghttpx: Returns 408 if backend timed out before sending headers * nghttpx: Fix request stal - Conditionally remove dependency on jemalloc for SLE-12 - Require correct library from devel package - boo#1125689 Update to version 1.39.2 (bsc#1146184, bsc#1146182): * This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. * Add nghttp2_option_set_max_outbound_ack API function * nghttpx: Fix request stall Update to version 1.39.1: * This release fixes the bug that log-level is not set with cmd-line or configuration file.
It also fixes FPE with default backend. Changes for version 1.39.0: * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230. * mruby has been upgraded to 2.0.1. * libnghttp2-asio now supports boost-1.70. * http-parser has been replaced with llhttp. * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-??? - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. 
- core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:42 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added coninuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details). 
myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:834-1 Released: Tue Mar 31 17:21:34 2020 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1167163 This update for permissions fixes the following issue: - whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. 
This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. 
(bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to excercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:967-1 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:969-1 Released: Thu Apr 9 11:43:17 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1168364 This update for permissions fixes the following issues: - Fixed spelling of icinga group (bsc#1168364) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:981-1 Released: Mon Apr 13 15:43:44 2020 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1156300 This update for rpm fixes the following issues: - Fix for language package macros to avoid wrong requirement on shared library. 
(bsc#1156300) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1026-1 Released: Fri Apr 17 16:14:43 2020 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1159314 This update for libsolv fixes the following issues: libsolv was updated to version 0.7.11: - fix solv_zchunk decoding error if large chunks are used (bsc#1159314) - treat retracted patches as irrelevant - made add_update_target work with multiversion installs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1047-1 Released: Tue Apr 21 10:33:06 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1168835 This update for gnutls fixes the following issues: - Backport AES XTS support (bsc#1168835) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1063-1 Released: Wed Apr 22 10:46:50 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1165539,1169569 This update for libgcrypt fixes the following issues: - FIPS: Switch the PCT to use the new signature operation (bsc#1165539) - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539) - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1108-1 Released: Fri Apr 24 16:31:01 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1169992 This update for gnutls fixes the following issues: - FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1175-1 Released: Tue May 5 08:33:43 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1165011,1168076 This update for systemd fixes the following issues: - Fix check for address to keep interface names stable. (bsc#1168076) - Fix for checking non-normalized WHAT for network FS. (bsc#1165011) - Allow to specify an arbitrary string for when vfs is used. (bsc#1165011) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1214-1 Released: Thu May 7 11:20:34 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1169944 This update for libgcrypt fixes the following issues: - FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1219-1 Released: Thu May 7 17:10:42 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1170771,CVE-2020-12243 This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1226-1 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Type: recommended Severity: moderate References: 1149995,1152590,1167898 This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1271-1 Released: Wed May 13 13:17:59 2020 Summary: Recommended update for permissions Type: recommended Severity: important References: 1171173 This update for permissions fixes the following issues: - Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1290-1 Released: Fri May 15 16:39:59 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1171422 This update for gnutls fixes the following issues: - Add RSA 4096 key generation support in FIPS mode (bsc#1171422) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1294-1 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Type: security Severity: moderate References: 1154661,1169512,CVE-2019-18218 This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1299-1 Released: Mon May 18 07:43:21 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595 This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2019-19956: Fixed a memory leak (bsc#1159928). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1328-1 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1155271 This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1361-1 Released: Thu May 21 09:31:18 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1171872 This update for libgcrypt fixes the following issues: - FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1400-1 Released: Mon May 25 14:09:02 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1162930 This update for glibc fixes the following issues: - nptl: wait for pending setxid request also in detached thread. 
(bsc#1162930) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1404-1 Released: Mon May 25 15:32:34 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1138793,1166260 This update for zlib fixes the following issues: - Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1. - Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1506-1 Released: Fri May 29 17:22:11 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1087982,1170527 This update for aaa_base fixes the following issues: - Not all XTerm based emulators do have a terminfo entry. (bsc#1087982) - Better support of Midnight Commander. (bsc#1170527) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1532-1 Released: Thu Jun 4 10:16:12 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1172021,CVE-2019-19956 This update for libxml2 fixes the following issues: - CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1573-1 Released: Tue Jun 9 12:07:53 2020 Summary: Add features for Metrics Server, Cert Status Checker, VSphere VCP, and Cilium Envoy Type: security Severity: moderate References: 1041090,1047218,1048688,1086909,1094448,1095603,1102920,1121353,1129568,1138908,1144068,1151876,1156450,1159002,1159003,1159004,1159539,1162651,1167073,1169506,CVE-2019-18801,CVE-2019-18802,CVE-2019-18836,CVE-2019-18838 Metrics Server * Support monitoring of *CPU* and *memory* of a pod or node. Cert Status Checker * Exposes cluster-wide certificates status and use monitoring stack (Prometheus and Grafana) to receives alerts by Prometheus Alertmanager and monitors certificate status by Grafana dashboard. VSphere VCP * Allow Kubernetes pods to use VMWare vSphere Virtual Machine Disk (VMDK) volumes as persistent storage. Cilium Envoy * Updated Cilium from version 1.5.3 to version 1.6.6 * Provide Envoy-proxy support for Cilium * Envoy and its dependencies packaged for version 1.12.2 * Cilium uses CRD and ConfigMap points on etcd are removed See release notes for installation instructions: https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/ Following CVE entries are relevant for the casp 4.2.1 update: cilium-proxy: CVE-2019-18801: An untrusted remote client might have been able to send HTTP/2 requests via cilium-proxyx that could have written to the heap outside of the request buffers when the upstream is HTTP/1. 
(bsc#1159002) CVE-2019-18802: A malformed request header may have caused bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) CVE-2019-18838: A malformed HTTP request without the Host header may cause abnormal termination ofthe Envoy process (bsc#1159004) CVE-2019-18836: Excessive iteration due to listener filter timeout in envoy could lead to DoS (bsc#1156450) kafka: CVE-2018-1288: authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request. (bsc#1102920) From sle-updates at lists.suse.com Tue Jun 16 11:45:25 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 19:45:25 +0200 (CEST) Subject: SUSE-CU-2020:201-1: Security update of caasp/v4/metrics-server Message-ID: <20200616174525.7CB56F749@maintenance.suse.de> SUSE Container Update Advisory: caasp/v4/metrics-server ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:201-1 Container Tags : caasp/v4/metrics-server:0.3.6 , caasp/v4/metrics-server:0.3.6-rev1 , caasp/v4/metrics-server:0.3.6-rev1-build1.5.1 Container Release : 1.5.1 Severity : important Type : security References : 1005023 1007715 1009532 1013125 1033084 1033085 1033086 1033087 1033088 1033089 1033090 1036463 1038194 1039099 1041090 1044840 1045723 1047002 1047218 1048688 1049825 1051143 1063675 1065270 1071321 1072183 1073313 1076696 1080919 1081947 1081947 1082293 1082318 1083158 1084671 1084812 1084842 1084934 1085196 1086367 1086367 1086909 1087550 1087982 1088052 1088279 1088524 1089640 1089761 1090944 1091265 1091677 1092100 1092877 1092920 1093414 1093753 1093753 1093851 1094150 1094154 1094161 1094222 1094448 1094735 1095096 1095148 1095603 1095661 1095670 1095973 1096191 1096718 1096745 1096974 1096984 1097073 1097158 1098569 1099793 1100396 1100415 1100488 1101040 1101470 1101470 1101591 1102046 1102310 1102526 1102564 1102840 1102908 1102920 1103320 
1103320 1104531 1104780 1105031 1105166 1105435 1105437 1105459 1105460 1106019 1106214 1106383 1106390 1107066 1107067 1107617 1107640 1107941 1109197 1109252 1110304 1110445 1110700 1110797 1111019 1111388 1111498 1111973 1112024 1112570 1112723 1112726 1112758 1113083 1113100 1113632 1113660 1113665 1114135 1114407 1114592 1114674 1114675 1114681 1114686 1114845 1114933 1114984 1114993 1115640 1115929 1116995 1117025 1117063 1117993 1118086 1118087 1118087 1118364 1119414 1119687 1119971 1120323 1120346 1120629 1120630 1120631 1120689 1121051 1121197 1121353 1121446 1121563 1121563 1121753 1122000 1122417 1122729 1123043 1123333 1123371 1123377 1123378 1123685 1123710 1123727 1123892 1123919 1124122 1124153 1124223 1124847 1125007 1125352 1125352 1125410 1125604 1125689 1125886 1126056 1126096 1126117 1126118 1126119 1126327 1126377 1126590 1127155 1127223 1127308 1127557 1127608 1127701 1128246 1128383 1128598 1129568 1129576 1129598 1129753 1130045 1130230 1130306 1130325 1130326 1130681 1130682 1131060 1131113 1131330 1131686 1131823 1132348 1132400 1132721 1133495 1133506 1133509 1133773 1133808 1134193 1134217 1134226 1134524 1134856 1135114 1135123 1135170 1135254 1135534 1135708 1135709 1135749 1136717 1137053 1137624 1137977 1138793 1138869 1138908 1138939 1139083 1139083 1139459 1139459 1139795 1139939 1140039 1140631 1140647 1141059 1141093 1141113 1141883 1141897 1142649 1142654 1143055 1143194 1143273 1144047 1144068 1144169 1145023 1145521 1145554 1145716 1146027 1146182 1146184 1146415 1146415 1146866 1146947 1148517 1148788 1148987 1149145 1149332 1149495 1149496 1149511 1149995 1150003 1150137 1150250 1150595 1150734 1151023 1151023 1151377 1151582 1151876 1152101 1152590 1152692 1152755 1153351 1153557 1153936 1154019 1154036 1154037 1154256 1154295 1154661 1154804 1154805 1154871 1154884 1154887 1155198 1155199 1155205 1155207 1155271 1155298 1155327 1155337 1155338 1155339 1155346 1155574 1155678 1155819 1156158 1156213 1156300 1156450 1156482 
1157198 1157278 1157292 1157377 1157775 1157794 1157893 1158095 1158095 1158101 1158485 1158763 1158809 1158830 1158921 1158996 1159002 1159003 1159003 1159004 1159314 1159539 1159814 1159928 1160039 1160160 1160571 1160594 1160595 1160735 1160764 1160970 1160979 1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161517 1161521 1161779 1161816 1162108 1162108 1162152 1162518 1162651 1162930 1163184 1163922 1164505 1164562 1164717 1164950 1164950 1165011 1165539 1165579 1165784 1166106 1166260 1166481 1166510 1166510 1166748 1166881 1167073 1167163 1167223 1167631 1167674 1167898 1168076 1168345 1168364 1168699 1168835 1169506 1169512 1169569 1169944 1169992 1170527 1170771 1171173 1171422 1171872 1172021 353876 859480 915402 918346 943457 953659 960273 985657 991901 CVE-2009-5155 CVE-2015-0247 CVE-2015-1572 CVE-2016-10739 CVE-2016-3189 CVE-2017-10790 CVE-2017-17740 CVE-2017-18269 CVE-2017-7500 CVE-2017-7607 CVE-2017-7608 CVE-2017-7609 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2018-0500 CVE-2018-0732 CVE-2018-1000654 CVE-2018-1000858 CVE-2018-10360 CVE-2018-10844 CVE-2018-10845 CVE-2018-10846 CVE-2018-1122 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-14618 CVE-2018-15686 CVE-2018-15688 CVE-2018-16062 CVE-2018-16402 CVE-2018-16403 CVE-2018-16839 CVE-2018-16840 CVE-2018-16842 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-16868 CVE-2018-16868 CVE-2018-16869 CVE-2018-16890 CVE-2018-17953 CVE-2018-18310 CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 CVE-2018-18520 CVE-2018-18521 CVE-2018-19211 CVE-2018-20346 CVE-2018-20532 CVE-2018-20533 CVE-2018-20534 CVE-2018-6954 CVE-2018-9251 CVE-2019-12290 CVE-2019-12900 CVE-2019-12900 CVE-2019-12904 CVE-2019-13050 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-1547 CVE-2019-1551 CVE-2019-1563 CVE-2019-15847 
-----------------------------------------------------------------
The container caasp/v4/metrics-server was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1223-1
Released: Tue Jun 26 11:41:00 2018
Summary: Security update for gpg2
Type: security
Severity: important
References: 1096745,CVE-2018-12020

This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1264-1
Released: Tue Jul 3 10:56:12 2018
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 1086367

This update for curl provides the following fix:

- Use OPENSSL_config() instead of CONF_modules_load_file() to avoid crashes due to conflicting openssl engines. (bsc#1086367)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1327-1
Released: Tue Jul 17 08:07:24 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1096718,CVE-2018-12015

This update for perl fixes the following issues:

- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1346-1
Released: Thu Jul 19 09:25:08 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237

This update for glibc fixes the following security issues:

- CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150).
- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161).
- CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1353-1
Released: Thu Jul 19 09:50:32 2018
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572

This update for e2fsprogs fixes the following issues:

Security issues fixed:

- CVE-2015-0247: Fixed a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
- CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).

Bug fixes:

- bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
- bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
- bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1362-1
Released: Thu Jul 19 12:47:33 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1100415

ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store.
(bsc#1100415)

Following CAs were removed:

* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1396-1
Released: Thu Jul 26 16:23:09 2018
Summary: Security update for rpm
Type: security
Severity: moderate
References: 1094735,1095148,943457,CVE-2017-7500

This update for rpm fixes the following issues:

This security vulnerability was fixed:

- CVE-2017-7500: Fixed symlink attacks during RPM installation (bsc#943457)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1409-1
Released: Fri Jul 27 06:45:10 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569

This update for systemd provides the following fixes:

- systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973)
- systemctl: Check the existence of all units, not just the first one.
- scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099)
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files.
- Fix pattern to detect distribution.
- install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search for preset files in /run (#7715)
- install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851)
- install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement.
- install: Only consider names in Alias= as 'enabling'.
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- fileio: Support writing atomic files with timestamp.
- fileio.c: Fix incorrect mtime
- Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569)
- An update broke booting with encrypted partitions on NVMe (bsc#1095096)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1685-1
Released: Fri Aug 17 18:20:58 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1099793,CVE-2018-0500

This update for curl fixes the following issues:

Security issue fixed:

- CVE-2018-0500: Fix a SMTP send heap buffer overflow (bsc#1099793).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1754-1
Released: Fri Aug 24 16:40:21 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1104780

This update for ca-certificates-mozilla fixes the following issues:

Updated to the 2.26 state of the Mozilla NSS Certificate store.
(bsc#1104780)

- removed server auth rights from following CAs:
  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3
- removed CA
  - ComSign CA
- new CA added:
  - GlobalSign
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1760-1
Released: Fri Aug 24 17:14:53 2018
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1072183

This update for libtirpc fixes the following issues:

- rpcinfo: send RPC getport call as specified via parameter (bsc#1072183)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1904-1
Released: Fri Sep 14 12:46:39 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1086367,1106019,CVE-2018-14618

This update for curl fixes the following issues:

This security issue was fixed:

- CVE-2018-14618: Prevent integer overflow in the NTLM authentication code (bsc#1106019)

This non-security issue was fixed:

- Use OPENSSL_config instead of CONF_modules_load_file() to avoid crashes due to openssl engines conflicts (bsc#1086367)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1999-1
Released: Tue Sep 25 08:20:35 2018
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1071321

This update for zlib provides the following fixes:

- Speedup zlib on power8. (fate#325307)
- Add safeguard against negative values in uInt. (bsc#1071321)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2055-1
Released: Thu Sep 27 14:30:14 2018
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1089640

This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest.
(bsc#1089640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2070-1
Released: Fri Sep 28 08:02:02 2018
Summary: Security update for gnutls
Type: security
Severity: moderate
References: 1047002,1105437,1105459,1105460,CVE-2017-10790,CVE-2018-10844,CVE-2018-10845,CVE-2018-10846

This update for gnutls fixes the following security issues:

- Improved mitigations against Lucky 13 class of attacks
- CVE-2018-10846: 'Just in Time' PRIME + PROBE cache-based side channel attack can lead to plaintext recovery (bsc#1105460)
- CVE-2018-10845: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant (bsc#1105459)
- CVE-2018-10844: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls (bsc#1105437)
- CVE-2017-10790: The _asn1_check_identifier function in Libtasn1 caused a NULL pointer dereference and crash (bsc#1047002)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2083-1
Released: Sun Sep 30 14:06:33 2018
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1097158,1101470,CVE-2018-0732

This update for openssl-1_1 to 1.1.0i fixes the following issues:

These security issues were fixed:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server could have sent a very large prime value to the client. This caused the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (bsc#1097158)
- Make problematic ECDSA sign addition length-invariant
- Add blinding to ECDSA and DSA signatures to protect against side channel attacks

These non-security issues were fixed:

- When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases.
- Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed.
- Fixed a text canonicalisation bug in CMS
- Add openssl(cli) Provide so the packages that require the openssl binary can require this instead of the new openssl meta package (bsc#1101470)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2155-1
Released: Fri Oct 5 14:41:17 2018
Summary: Recommended update for ca-certificates
Type: recommended
Severity: moderate
References: 1101470

This update for ca-certificates fixes the following issues:

- Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2177-1
Released: Tue Oct 9 09:00:13 2018
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1095661,1095670,1100488

This update for bash provides the following fixes:

- Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661)
- Make the generation of bash.html reproducible. (bsc#1100488)
- Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670)
- Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes.
- Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler.
- Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence.
- Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2182-1
Released: Tue Oct 9 11:08:36 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251

This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2370-1
Released: Mon Oct 22 14:02:01 2018
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1102310,1104531

This update for aaa_base provides the following fixes:

- Let bash.bashrc work even for (m)ksh. (bsc#1104531)
- Fix an error at login if java system directory is empty. (bsc#1102310)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2487-1
Released: Fri Oct 26 12:39:07 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1102526

This update for glibc fixes the following issues:

- Fix build on aarch64 with binutils newer than 2.30.
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2539-1
Released: Tue Oct 30 16:17:23 2018
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References: 1113100

This update for rpm fixes the following issues:

- On PowerPC64 fix the superfluous TOC. dependency (bsc#1113100)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2569-1
Released: Fri Nov 2 19:00:18 2018
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1110700

This update for pam fixes the following issues:

- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2578-1
Released: Mon Nov 5 17:55:35 2018
Summary: Security update for curl
Type: security
Severity: moderate
References: 1112758,1113660,CVE-2018-16839,CVE-2018-16840,CVE-2018-16842

This update for curl fixes the following issues:

- CVE-2018-16839: A SASL password overflow via integer overflow was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16840: A use-after-free in SASL handle close was fixed which could lead to crashes (bsc#1112758)
- CVE-2018-16842: An out-of-bounds read in tool_msgs.c was fixed which could lead to crashes (bsc#1113660)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2595-1
Released: Wed Nov 7 11:14:42 2018
Summary: Security update for systemd
Type: security
Severity: important
References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite
  heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. (bsc#1113665)

Non security issues fixed:

- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- core: introduce systemd.early_core_pattern= kernel cmdline option
- core: add missing 'continue' statement
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- install: drop left-over debug message (#6913)
- Ship systemd-sysv-install helper via the main package
  This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to
  redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SysV init tool.
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. (bsc#1089761)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908)
- core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944)
- Enable or disable machines.target according to the presets (bsc#1107941)
- cryptsetup: add support for sector-size= option (fate#325697)
- nspawn: always use permission mode 555 for /sys (bsc#1107640)
- Bugfix for a race condition between daemon-reload and other commands (bsc#1105031)
- Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677)
- Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901)
- Does no longer adjust qgroups on existing subvolumes (bsc#1093753)
- cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2607-1
Released: Wed Nov 7 15:42:48 2018
Summary: Optional update for gcc8
Type: recommended
Severity: low
References: 1084812,1084842,1087550,1094222,1102564

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.

The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.

Various optimizers have been improved in GCC 8, several bugs fixed, quite a few new warnings added, and the error pin-pointing and fix suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html

Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2825-1
Released: Mon Dec 3 15:35:02 2018
Summary: Security update for pam
Type: security
Severity: important
References: 1115640,CVE-2018-17953

This update for pam fixes the following issue:

Security issue fixed:

- CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2861-1
Released: Thu Dec 6 14:32:01 2018
Summary: Security update for ncurses
Type: security
Severity: important
References: 1103320,1115929,CVE-2018-19211

This update for ncurses fixes the following issues:

Security issue fixed:

- CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

Non-security issue fixed:

- Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2984-1
Released: Wed Dec 19 11:32:39 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314

This update for perl fixes the following issues:

Security issues fixed:

- CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674).
- CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675).
- CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681).
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2986-1
Released: Wed Dec 19 13:53:22 2018
Summary: Security update for libnettle
Type: security
Severity: moderate
References: 1118086,CVE-2018-16869

This update for libnettle fixes the following issues:

Security issues fixed:

- CVE-2018-16869: Fixed a leaky data conversion exposing a Manger oracle (bsc#1118086)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:23-1
Released: Mon Jan 7 16:30:33 2019
Summary: Security update for gpg2
Type: security
Severity: moderate
References: 1120346,CVE-2018-1000858

This update for gpg2 fixes the following issue:

Security issue fixed:

- CVE-2018-1000858: Fixed a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:44-1
Released: Tue Jan 8 13:07:32 2019
Summary: Recommended update for acl
Type: recommended
Severity: low
References: 953659

This update for acl fixes the following issues:

- test: Add helper library to fake passwd/group files.
- quote: Escape literal backslashes.
(bsc#953659)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:137-1
Released: Mon Jan 21 15:52:45 2019
Summary: Security update for systemd
Type: security
Severity: important
References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954

This update for systemd provides the following fixes:

Security issues fixed:

- CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323)
- CVE-2018-16866: Fixed an information leak in journald (bsc#1120323)
- CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919)
- Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971)

Non-security issues fixed:

- pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498)
- systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933)
- systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723)
- Fixed installation issue with /etc/machine-id during update (bsc#1117063)
- btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753)
- logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591)
- udev: Downgrade message when setting inotify watch up fails. (bsc#1005023)
- udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online.
(bsc#1076696)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:147-1
Released: Wed Jan 23 17:57:31 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1121446

This update for ca-certificates-mozilla fixes the following issues:

The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446)

Removed Root CAs:

- AC Raiz Certicamara S.A.
- Certplus Root CA G1
- Certplus Root CA G2
- OpenTrust Root CA G1
- OpenTrust Root CA G2
- OpenTrust Root CA G3
- Visa eCommerce Root

Added Root CAs:

- Certigna Root CA (email and server auth)
- GTS Root R1 (server auth)
- GTS Root R2 (server auth)
- GTS Root R3 (server auth)
- GTS Root R4 (server auth)
- OISTE WISeKey Global Root GC CA (email and server auth)
- UCA Extended Validation Root (server auth)
- UCA Global G2 Root (email and server auth)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:189-1
Released: Mon Jan 28 14:14:46 2019
Summary: Recommended update for rpm
Type: recommended
Severity: moderate
References:

This update for rpm fixes the following issues:

- Add kmod(module) provides to kernel and KMPs (fate#326579).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:247-1
Released: Wed Feb 6 07:18:45 2019
Summary: Security update for lua53
Type: security
Severity: moderate
References: 1123043,CVE-2019-6706

This update for lua53 fixes the following issues:

Security issue fixed:

- CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:248-1
Released: Wed Feb 6 08:35:20 2019
Summary: Security update for curl
Type: security
Severity: important
References: 1123371,1123377,1123378,CVE-2018-16890,CVE-2019-3822,CVE-2019-3823

This update for curl fixes the following issues:

Security issues fixed:

- CVE-2019-3823: Fixed a heap out-of-bounds read in the code handling the end-of-response for SMTP (bsc#1123378).
- CVE-2019-3822: Fixed a stack based buffer overflow in the function creating an outgoing NTLM type-3 message (bsc#1123377).
- CVE-2018-16890: Fixed a heap buffer out-of-bounds read in the function handling incoming NTLM type-2 messages (bsc#1123371).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:369-1
Released: Wed Feb 13 14:01:42 2019
Summary: Recommended update for itstool
Type: recommended
Severity: moderate
References: 1065270,1111019

This update for itstool and python-libxml2-python fixes the following issues:

Package: itstool

- Updated version to support Python3. (bnc#1111019)

Package: python-libxml2-python

- Fix segfault when parsing invalid data.
(bsc#1065270)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:426-1
Released: Mon Feb 18 17:46:55 2019
Summary: Security update for systemd
Type: security
Severity: important
References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454

This update for systemd fixes the following issues:

- CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352)
- units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333)
- logind: fix bad error propagation
- login: log session state 'closing' (as well as New/Removed)
- logind: fix borked r check
- login: don't remove all devices from PID1 when only one was removed
- login: we only allow opening character devices
- login: correct comment in session_device_free()
- login: remember that fds received from PID1 need to be removed eventually
- login: fix FDNAME in call to sd_pid_notify_with_fds()
- logind: fd 0 is a valid fd
- logind: rework sd_eviocrevoke()
- logind: check file is device node before using .st_rdev
- logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153)
- core: add a new sd_notify() message for removing fds from the FD store again
- logind: make sure we don't trip up on half-initialized session devices (bsc#1123727)
- fd-util: accept that kcmp might fail with EPERM/EACCES
- core: Fix use after free case in load_from_path() (bsc#1121563)
- core: include Found state in device dumps
- device: fix serialization and deserialization of DeviceFound
- fix path in btrfs rule (#6844)
- assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025)
- Update systemd-system.conf.xml (bsc#1122000)
- units: inform user that the default target is started after exiting from rescue or emergency mode
- core: free lines after reading them (bsc#1123892)
- sd-bus: if we receive an invalid dbus message, ignore and proceed
- automount: don't pass non-blocking pipe to kernel.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:571-1
Released: Thu Mar 7 18:13:46 2019
Summary: Security update for file
Type: security
Severity: moderate
References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907

This update for file fixes the following issues:

The following security vulnerabilities were addressed:

- CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:641-1
Released: Tue Mar 19 13:17:28 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1112570,1114984,1114993

This update for glibc provides the following fixes:

- Fix Haswell CPU string flags. (bsc#1114984)
- Fix waiters-after-spinning case. (bsc#1114993)
- Do not relocate absolute symbols. (bsc#1112570)
- Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551)
- Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962)
- Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:664-1
Released: Wed Mar 20 14:54:12 2019
Summary: Recommended update for gpgme
Type: recommended
Severity: low
References: 1121051

This update for gpgme provides the following fix:

- Re-generate keys in Qt tests to not expire.
(bsc#1121051) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:700-1 Released: Thu Mar 21 19:54:00 2019 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1044840 This update for cyrus-sasl provides the following fix: - Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:713-1 Released: Fri Mar 22 15:55:05 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1063675,1126590 This update for glibc fixes the following issues: - Add MAP_SYNC from Linux 4.15 (bsc#1126590) - Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590) - nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:732-1 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1088524,1118364,1128246 This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:788-1 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1119687,CVE-2018-20346 This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). 
Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:791-1 Released: Thu Mar 28 12:06:50 2019 Summary: Security update for libnettle Type: recommended Severity: moderate References: 1129598 This update for libnettle to version 3.4.1 fixes the following issues: Issues addressed and new features: - Updated to 3.4.1 (fate#327114 and bsc#1129598) - Fixed missing break statements in the parsing of PEM input files in pkcs1-conv. - Fixed a link error on the pss-mgf1-test which was affecting builds without public key support. - All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. - Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle usable for a Bleichenbacher-style chosen ciphertext attack, which is why the new function rsa_sec_decrypt is recommended. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:858-1 Released: Wed Apr 3 15:50:37 2019 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1120689,1126096 This update for libtirpc fixes the following issues: - Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096). - add an option to enforce connection via protocol version 2 first (bsc#1120689).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:894-1 Released: Fri Apr 5 17:16:23 2019 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1119414,1126327,1129753,SLE-3853,SLE-4117 This update for rpm fixes the following issues: - This update shortens RPM changelog to after a certain cut off date (bsc#1129753) - Translate dashes to underscores in kmod provides (FATE#326579, jsc#SLE-4117, jsc#SLE-3853, bsc#1119414). - Re-add symset-table from SLE 12 (bsc#1126327). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:903-1 Released: Mon Apr 8 15:41:44 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1100396,1122729,1130045,CVE-2016-10739 This update for glibc fixes the following issues: Security issue fixed: - CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729). Other issue fixed: - Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list due to missing compiler barriers (bsc#1130045). - Added new Japanese Era name support (bsc#1100396).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1002-1 Released: Wed Apr 24 10:13:34 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1110304,1129576 This update for zlib fixes the following issues: - Fixes a segmentation fault error (bsc#1110304, bsc#1129576) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1040-1 Released: Thu Apr 25 17:09:21 2019 Summary: Security update for samba Type: security Severity: important References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 This update for samba fixes the following issues: Security issue fixed: - CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060). ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686): - Out of bound read in ldb_wildcard_compare - Hold at most 10 outstanding paged result cookies - Put 'results_store' into a doubly linked list - Refuse to build Samba against a newer minor version of ldb Non-security issues fixed: - Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377). - Abide to the load_printers parameter in smb.conf (bsc#1124223). - Provide the 32bit samba winbind PAM module and its dependent 32bit libraries. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1121-1 Released: Tue Apr 30 18:02:43 2019 Summary: Security update for gnutls Type: security Severity: important References: 1118087,1130681,1130682,CVE-2018-16868,CVE-2019-3829,CVE-2019-3836 This update for gnutls to version 3.6.7 fixes the following issues: Security issues fixed: - CVE-2019-3836: Fixed an invalid pointer access via malformed TLS1.3 async messages (bsc#1130682). - CVE-2019-3829: Fixed a double free vulnerability in the certificate verification API (bsc#1130681).
- CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification and padding oracle verification (bsc#1118087) Non-security issue fixed: - Update gnutls to support TLS 1.3 (fate#327114) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1127-1 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326). - CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1206-1 Released: Fri May 10 14:01:55 2019 Summary: Security update for bzip2 Type: security Severity: low References: 985657,CVE-2016-3189 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1312-1 Released: Wed May 22 12:19:12 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1096191 This update for aaa_base fixes the following issue: * Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1351-1 Released: Fri May 24 14:41:10 2019 Summary: Security update for gnutls Type: security Severity: important References: 1118087,1134856,CVE-2018-16868 This update for gnutls fixes the following issues: Security issue fixed: - CVE-2018-16868: Fixed Bleichenbacher-like side channel leakage in PKCS#1 v1.5 verification (bsc#1118087). Non-security issue fixed: - Explicitly require libnettle 3.4.1 to prevent missing symbol errors (bsc#1134856). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1357-1 Released: Mon May 27 13:29:15 2019 Summary: Security update for curl Type: security Severity: important References: 1135170,CVE-2019-5436 This update for curl fixes the following issues: Security issue fixed: - CVE-2019-5436: Fixed a heap buffer overflow in tftp_receive_packet that receives data from a TFTP server (bsc#1135170). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1364-1 Released: Tue May 28 10:51:38 2019 Summary: Security update for systemd Type: security Severity: moderate References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933 This update for systemd fixes the following issues: Security issues fixed: - CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352). - CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509). Non-security issues fixed: - logind: fix killing of scopes (bsc#1125604) - namespace: make MountFlags=shared work again (bsc#1124122) - rules: load drivers only on 'add' events (bsc#1126056) - sysctl: Don't pass null directive argument to '%s' (bsc#1121563) - systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933) - udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400) - sd-bus: bump message queue size again (bsc#1132721) - Do not automatically online memory on s390x (bsc#1127557) - Removed sg.conf (bsc#1036463) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1368-1 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Type: security Severity: important References: 1134524,CVE-2019-5021 This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1372-1 Released: Tue May 28 16:53:28 2019 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1105435,CVE-2018-1000654 This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1484-1 Released: Thu Jun 13 07:46:46 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1128383 This update for e2fsprogs fixes the following issues: - Check and fix tails of all bitmap blocks (bsc#1128383) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1486-1 Released: Thu Jun 13 09:40:24 2019 Summary: Security update for elfutils Type: security Severity: moderate References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 This update for elfutils fixes the following issues: Security issues fixed: - CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084) - CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085) - CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086) - CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087) - CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088) - CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089) - CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090) - CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390) - CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066) - CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067) - CVE-2018-18310: Fixed an invalid 
address read problem in dwfl_segment_report_module.c (bsc#1111973) - CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726) - CVE-2018-18521: Fixed a denial of service vulnerability in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723) - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685) - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1590-1 Released: Thu Jun 20 19:49:57 2019 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1128598 This update for permissions fixes the following issues: - Added whitelisting for /usr/lib/singularity/bin/starter-suid in the new singularity 3.1 version. (bsc#1128598) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1631-1 Released: Fri Jun 21 11:17:21 2019 Summary: Recommended update for xz Type: recommended Severity: low References: 1135709 This update for xz fixes the following issues: Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1635-1 Released: Fri Jun 21 12:45:53 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1134217 This update for krb5 provides the following fix: - Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap.
(bsc#1134217) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1700-1 Released: Tue Jun 25 13:19:21 2019 Summary: Security update for libssh Type: recommended Severity: moderate References: 1134193 This update for libssh fixes the following issue: Issue addressed: - Added support for new AES-GCM encryption types (bsc#1134193). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1808-1 Released: Wed Jul 10 13:16:29 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1133808 This update for libgcrypt fixes the following issues: - Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1846-1 Released: Mon Jul 15 11:36:33 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1853-1 Released: Mon Jul 15 16:03:36 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1107617,1137053 This update for systemd fixes the following issues: - conf-parse: remove 4K line length limit (bsc#1137053) - udevd: change the default value of udev.children-max (again) (bsc#1107617) - meson: stop creating enablement symlinks in /etc during installation (sequel) - Fixed build for openSUSE Leap 15+ - Make sure we don't ship any static enablement symlinks in /etc Those symlinks must only be created by the presets. 
There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1877-1 Released: Thu Jul 18 11:31:46 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169 This update for glibc fixes the following issues: Security issues fixed: - CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308). - CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223). Non-security issues fixed: - No longer compresses debug sections in crt*.o files (bsc#1123710) - Fixes a concurrency problem in ldconfig (bsc#1117993) - Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1971-1 Released: Thu Jul 25 14:58:52 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1138939,CVE-2019-12904 This update for libgcrypt fixes the following issues: Security issue fixed: - CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1994-1 Released: Fri Jul 26 16:12:05 2019 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1135123 This update for libxml2 fixes the following issues: - Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files.
(bsc#1135123) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2004-1 Released: Mon Jul 29 13:01:59 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: - Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2006-1 Released: Mon Jul 29 13:02:49 2019 Summary: Security update for gpg2 Type: security Severity: important References: 1124847,1141093,CVE-2019-13050 This update for gpg2 fixes the following issues: Security issue fixed: - CVE-2019-13050: Fixed denial of service attacks via big keys (bsc#1141093). Non-security issue fixed: - Allow coredumps in X11 desktop sessions (bsc#1124847) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2097-1 Released: Fri Aug 9 09:31:17 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1097073 This update for libgcrypt fixes the following issues: - Fixed a regression where systems were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2134-1 Released: Wed Aug 14 11:54:56 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1136717,1137624,1141059,SLE-5807 This update for zlib fixes the following issues: - Update the s390 patchset. (bsc#1137624) - Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059) - Use FAT LTO objects in order to provide proper static library. - Do not enable the previous patchset on s390 but just s390x. (bsc#1137624) - Add patchset for s390 improvements.
(jsc#SLE-5807, bsc#1136717) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2188-1 Released: Wed Aug 21 10:10:29 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1140647 This update for aaa_base fixes the following issues: - Make systemd detection cgroup oblivious. (bsc#1140647) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2218-1 Released: Mon Aug 26 11:29:57 2019 Summary: Recommended update for pinentry Type: recommended Severity: moderate References: 1141883 This update for pinentry fixes the following issues: - Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2241-1 Released: Wed Aug 28 14:58:49 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1144169 This update for ca-certificates-mozilla fixes the following issues: ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169) Removed CAs: - Certinomis - Root CA Includes new root CAs from the 2.32 version: - emSign ECC Root CA - C3 (email and server auth) - emSign ECC Root CA - G3 (email and server auth) - emSign Root CA - C1 (email and server auth) - emSign Root CA - G1 (email and server auth) - Hongkong Post Root CA 3 (server auth) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2307-1 Released: Thu Sep 5 14:45:08 2019 Summary: Security update for util-linux and shadow Type: security Severity: moderate References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876 This update for util-linux and shadow fixes the following issues: util-linux: - Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197) - Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701). - Do not trim read-only volumes (bsc#1106214). - Integrate pam_keyinit pam module to login (bsc#1081947). - Perform one-time reset of /etc/default/su (bsc#1121197). - Fix problems in reading of login.defs values (bsc#1121197) - libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417). - raw.service: Add RemainAfterExit=yes (bsc#1135534). - agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886) - libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832) - Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197). shadow: - Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197) - Fix segfault in useradd during setting password inactivity period. (bsc#1141113) - Hardening for su wrappers (bsc#353876) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2361-1 Released: Thu Sep 12 07:54:54 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1081947,1144047 This update for krb5 contains the following fixes: - Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2373-1 Released: Thu Sep 12 14:18:53 2019 Summary: Security update for curl Type: security Severity: important References: 1149495,1149496,CVE-2019-5481,CVE-2019-5482 This update for curl fixes the following issues: Security issues fixed: - CVE-2019-5481: Fixed FTP-KRB double-free during kerberos FTP data transfer (bsc#1149495). - CVE-2019-5482: Fixed TFTP small blocksize heap buffer overflow (bsc#1149496).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2395-1 Released: Wed Sep 18 08:31:38 2019 Summary: Security update for openldap2 Type: security Severity: moderate References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565 This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194). - CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273). - CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) Non-security issues fixed: - Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845). - Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388) - Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2403-1 Released: Wed Sep 18 16:14:29 2019 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1150003,1150250,CVE-2019-1547,CVE-2019-1563 This update for openssl-1_1 fixes the following issues: OpenSSL Security Advisory [10 September 2019] * CVE-2019-1547: Added EC_GROUP_set_generator side channel attack avoidance. 
(bsc#1150003) * CVE-2019-1563: Fixed Bleichenbacher attack against cms/pkcs7 encryption transported key (bsc#1150250) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2423-1 Released: Fri Sep 20 16:41:45 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1146866,SLE-9132 This update for aaa_base fixes the following issues: Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132) Following settings have been tightened (and set to 0): - net.ipv4.conf.all.accept_redirects - net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_source_route - net.ipv6.conf.all.accept_redirects - net.ipv6.conf.default.accept_redirects ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2533-1 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1150137,CVE-2019-16168 This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2626-1 Released: Thu Oct 10 17:22:35 2019 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1110797 This update for permissions fixes the following issues: - Updated permissions for amanda. (bsc#1110797) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2676-1 Released: Tue Oct 15 21:06:54 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1145716,1152101,CVE-2019-5094 This update for e2fsprogs fixes the following issues: Security issue fixed: - CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems.
(bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2730-1 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data.
(bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: don't use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch
for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2742-1 Released: Tue Oct 22 15:40:16 2019 Summary: Recommended update for libzypp, zypper, libsolv and PackageKit Type: recommended Severity: important References: 1049825,1116995,1120629,1120630,1120631,1127155,1127608,1130306,1131113,1131823,1134226,1135749,1137977,1139795,1140039,1145521,1146027,1146415,1146947,1153557,859480,CVE-2018-20532,CVE-2018-20533,CVE-2018-20534 This update for libzypp, zypper, libsolv and PackageKit fixes the following issues: Security issues fixed in libsolv: - CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629). - CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630). - CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631). Other issues addressed in libsolv: - Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749). - Fixed an issue with the package name (bsc#1131823). 
- repo_add_rpmdb: do not copy bad solvables from the old solv file - Fixed an issue with cleandeps updates in which all packages were not updated - Experimental DISTTYPE_CONDA and REL_CONDA support - Fixed cleandeps jobs when using patterns (bsc#1137977) - Fixed favorq leaking between solver runs if the solver is reused - Fixed SOLVER_FLAG_FOCUS_BEST updating packages without reason - Be more correct with multiversion packages that obsolete their own name (bnc#1127155) - Fix repository priority handling for multiversion packages - Make code compatible with swig 4.0, remove obj0 instances - repo2solv: support zchunk compressed data - Remove NO_BRP_STRIP_DEBUG=true as brp-15-strip-debug will not strip debug info for archives Issues fixed in libzypp: - Fix empty metalink downloads if filesize is unknown (bsc#1153557) - Recognize riscv64 as architecture - Fix installation of new header file (fixes #185) - zypp.conf: Introduce `solver.focus` to define the resolvers general attitude when resolving jobs. (bsc#1146415) - New container detection algorithm for zypper ps (bsc#1146947) - Fix leaking filedescriptors in MediaCurl. (bsc#1116995) - Run file conflict check on dry-run. (bsc#1140039) - Do not remove orphan products if the .prod file is owned by a package. (bsc#1139795) - Rephrase file conflict check summary. (bsc#1140039) - Fix bash completions option detection. (bsc#1049825) - Fixes a bug where zypper exited on SIGPIPE when downloading packages (bsc#1145521) - Fixes an issue where zypper exited with a segmentation fault when updating via YaST2 (bsc#1146027) - PublicKey::algoName: supply key algorithm and length Issues fixed in zypper: - Update to version 1.14.30 - Ignore SIGPIPE while STDOUT/STDERR are OK (bsc#1145521) - Dump stacktrace on SIGPIPE (bsc#1145521) - info: The requested info must be shown in QUIET mode (fixes #287) - Fix local/remote url classification. 
- Rephrase file conflict check summary (bsc#1140039) - Fix bash completions option detection (bsc#1049825) - man: split '--with[out]' like options to ease searching. - Unhid 'ps' command in help - Added option to show more conflict information - Rephrased `zypper ps` hint (bsc#859480) - Fixed repo refresh not returning 106-ZYPPER_EXIT_INF_REPOS_SKIPPED if --root is used (bsc#1134226) - Fixed unknown package handling in zypper install (bsc#1127608) - Re-show progress bar after pressing retry upon install error (bsc#1131113) Issues fixed in PackageKit: - Port the cron configuration variables to the systemd timer script, and add -sendwait parameter to mail in the script (bsc#1130306). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2757-1 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Type: security Severity: moderate References: 1153936,CVE-2019-17543 This update for lz4 fixes the following issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2812-1 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. - units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks. 
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2870-1 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1051143,1138869,1151023 This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2418-1 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1133773,1143055 This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm' - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2019:2980-1 Released: Thu Nov 14 22:45:33 2019 Summary: Optional update for curl Type: optional Severity: low References: 1154019 This update for curl doesn't address any user visible issues. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2997-1 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3010-1 Released: Tue Nov 19 18:10:58 2019 Summary: Recommended update for zypper and libsolv Type: recommended Severity: moderate References: 1145554,1146415,1149511,1153351,SLE-9171 This update for zypper and libsolv fixes the following issues: Package: zypper - Improved the documentation of $releasever and --releasever use cases (bsc#1149511) - zypper will now ask only once when multiple packages share the same license text (bsc#1145554) - Added a new 'solver.focus' option for /etc/zypp/zypp.conf to define systemwide focus mode when resolving jobs (bsc#1146415) - Fixes an issue where 'zypper lu' didn't list all available package updates (bsc#1153351) - Added a new --repo option to the 'download' command to allow to specify a repository (jsc#SLE-9171) Package: libsolv - Fixes issues when updating too many packages in focusbest mode - Fixes the handling of disabled and installed packages in distupgrade ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3059-1 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the 
header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3061-1 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3070-1 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1152755 This update for gpg2 provides the following fix: - Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. 
(bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed over the past. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. 
(bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3181-1 Released: Thu Dec 5 11:43:07 2019 Summary: Security update for permissions Type: security Severity: moderate References: 1093414,1150734,1157198,CVE-2019-3688,CVE-2019-3690 This update for permissions fixes the following issues: - CVE-2019-3688: Changed wrong ownership in /usr/sbin/pinger to root:squid which could have allowed a squid user to gain persistence by changing the binary (bsc#1093414). - CVE-2019-3690: Fixed a privilege escalation through untrusted symbolic links (bsc#1150734). - Fixed a regression which caused a segmentation fault (bsc#1157198). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:69-1 Released: Fri Jan 10 12:33:59 2020 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1155346,1157775,1158101,1158809,CVE-2019-1551,SLE-8789 This update for openssl-1_1 fixes the following issues: Security issue fixed: - CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). Various FIPS related improvements were done: - FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775). - Port FIPS patches from SLE-12 (bsc#1158101). - Use SHA-2 in the RSA pairwise consistency check (bsc#1155346). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). - Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. 
(bsc#1154256) - bus_open leak sd_event_source when udevadm trigger 
(bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot 
option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:432-1 Released: Fri Feb 21 14:34:16 2020 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: moderate References: 1135114,1154804,1154805,1155198,1155205,1155298,1155678,1155819,1156158,1157377,1158763,CVE-2019-18900 This update for libsolv, libzypp, zypper fixes the following issues: Security issue fixed: - CVE-2019-18900: Fixed assert cookie file that was world readable (bsc#1158763). Bug fixes - Fixed removing orphaned packages dropped by to-be-installed products (bsc#1155819). - Adds libzypp API to mark all obsolete kernels according to the existing purge-kernel script rules (bsc#1155198). - Do not enforce 'en' being in RequestedLocales If the user decides to have a system without explicit language support he may do so (bsc#1155678). - Load only target resolvables for zypper rm (bsc#1157377). - Fix broken search by filelist (bsc#1135114). - Replace python by a bash script in zypper-log (fixes#304, fixes#306, bsc#1156158). - Do not sort out requested locales which are not available (bsc#1155678). - Prevent listing duplicate matches in tables. XML result is provided within the new list-patches-byissue element (bsc#1154805). - XML add patch issue-date and issue-list (bsc#1154805). - Fix zypper lp --cve/bugzilla/issue options (bsc#1155298). - Always execute commit when adding/removing locales (fixes bsc#1155205). 
- Fix description of --table-style,-s in man page (bsc#1154804). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi. 
(bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:547-1 Released: Fri Feb 28 16:26:21 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1148788,1160594,1160764,1161779,1163922,CVE-2019-3687,CVE-2020-8013 This update for permissions fixes the following issues: Security issues fixed: - CVE-2019-3687: Fixed a privilege escalation which could allow a local user to read network traffic if wireshark is installed (bsc#1148788) - CVE-2020-8013: Fixed an issue where chkstat set unintended setuid/capabilities for mrsh and wodim (bsc#1163922). Non-security issues fixed: - Fixed a regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594). - Fixed capability handling when doing multiple permission changes at once (bsc#1161779). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:726-1 Released: Thu Mar 19 13:23:03 2020 Summary: Security update for nghttp2 Type: security Severity: moderate References: 1125689,1146182,1146184,1159003,1166481,CVE-2019-18802,CVE-2019-9511,CVE-2019-9513 This update for nghttp2 fixes the following issues: Security issues fixed: - CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184). 
- CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#11461). - CVE-2019-18802: Fixed malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) Bug fixes and enhancements: - Fixed mistake in spec file (bsc#1125689) Update to version 1.40.0 to fix CVE-2019-18802 in envoy-proxy and cilium-proxy (bsc#1166481) * lib: Add nghttp2_check_authority as public API * lib: Fix the bug that stream is closed with wrong error code * lib: Faster huffman encoding and decoding * build: Avoid filename collision of static and dynamic lib * build: Add new flag ENABLE_STATIC_CRT for Windows * build: cmake: Support building nghttpx with systemd * third-party: Update neverbleed to fix memory leak * nghttpx: Fix bug that mruby is incorrectly shared between backends * nghttpx: Reconnect h1 backend if it lost connection before sending headers * nghttpx: Returns 408 if backend timed out before sending headers * nghttpx: Fix request stal - Conditionally remove dependency on jemalloc for SLE-12 - Require correct library from devel package - boo#1125689 Update to version 1.39.2 (bsc#1146184, bsc#1146182): * This release fixes CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerability in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by --read-rate and --read-burst options is quite effective against this kind of attack. * Add nghttp2_option_set_max_outbound_ack API function * nghttpx: Fix request stall Update to version 1.39.1: * This release fixes the bug that log-level is not set with cmd-line or configuration file. 
It also fixes FPE with default backend. Changes for version 1.39.0: * libnghttp2 now ignores content-length in 200 response to CONNECT request as per RFC 7230. * mruby has been upgraded to 2.0.1. * libnghttp2-asio now supports boost-1.70. * http-parser has been replaced with llhttp. * nghttpx now ignores Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-??? - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. 
- core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:42 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added continuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details). 
myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:834-1 Released: Tue Mar 31 17:21:34 2020 Summary: Recommended update for permissions Type: recommended Severity: moderate References: 1167163 This update for permissions fixes the following issue: - whitelist s390-tools set group ID (setgid) bit on log directory. (bsc#1167163) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. 
This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. 
(bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to exercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:967-1 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:969-1 Released: Thu Apr 9 11:43:17 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1168364 This update for permissions fixes the following issues: - Fixed spelling of icinga group (bsc#1168364) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:981-1 Released: Mon Apr 13 15:43:44 2020 Summary: Recommended update for rpm Type: recommended Severity: moderate References: 1156300 This update for rpm fixes the following issues: - Fix for language package macros to avoid wrong requirement on shared library. 
(bsc#1156300) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1026-1 Released: Fri Apr 17 16:14:43 2020 Summary: Recommended update for libsolv Type: recommended Severity: moderate References: 1159314 This update for libsolv fixes the following issues: libsolv was updated to version 0.7.11: - fix solv_zchunk decoding error if large chunks are used (bsc#1159314) - treat retracted patches as irrelevant - made add_update_target work with multiversion installs ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1047-1 Released: Tue Apr 21 10:33:06 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1168835 This update for gnutls fixes the following issues: - Backport AES XTS support (bsc#1168835) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1063-1 Released: Wed Apr 22 10:46:50 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1165539,1169569 This update for libgcrypt fixes the following issues: - FIPS: Switch the PCT to use the new signature operation (bsc#1165539) - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539) - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates. 
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1108-1 Released: Fri Apr 24 16:31:01 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1169992 This update for gnutls fixes the following issues: - FIPS: Do not check for /etc/system-fips which we don't have (bsc#1169992) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1175-1 Released: Tue May 5 08:33:43 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1165011,1168076 This update for systemd fixes the following issues: - Fix check for address to keep interface names stable. (bsc#1168076) - Fix for checking non-normalized WHAT for network FS. (bsc#1165011) - Allow to specify an arbitrary string for when vfs is used. (bsc#1165011) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1214-1 Released: Thu May 7 11:20:34 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1169944 This update for libgcrypt fixes the following issues: - FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1219-1 Released: Thu May 7 17:10:42 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1170771,CVE-2020-12243 This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1226-1 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Type: recommended Severity: moderate References: 1149995,1152590,1167898 This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1271-1 Released: Wed May 13 13:17:59 2020 Summary: Recommended update for permissions Type: recommended Severity: important References: 1171173 This update for permissions fixes the following issues: - Remove setuid bit for newgidmap and newuidmap in paranoid profile. (bsc#1171173) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1290-1 Released: Fri May 15 16:39:59 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1171422 This update for gnutls fixes the following issues: - Add RSA 4096 key generation support in FIPS mode (bsc#1171422) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1294-1 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Type: security Severity: moderate References: 1154661,1169512,CVE-2019-18218 This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1299-1 Released: Mon May 18 07:43:21 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595 This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2019-19956: Fixed a memory leak (bsc#1159928). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1328-1 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1155271 This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1361-1 Released: Thu May 21 09:31:18 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1171872 This update for libgcrypt fixes the following issues: - FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1400-1 Released: Mon May 25 14:09:02 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1162930 This update for glibc fixes the following issues: - nptl: wait for pending setxid request also in detached thread. 
(bsc#1162930) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1404-1 Released: Mon May 25 15:32:34 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1138793,1166260 This update for zlib fixes the following issues: - Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1. - Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1506-1 Released: Fri May 29 17:22:11 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1087982,1170527 This update for aaa_base fixes the following issues: - Not all XTerm based emulators do have a terminfo entry. (bsc#1087982) - Better support of Midnight Commander. (bsc#1170527) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1532-1 Released: Thu Jun 4 10:16:12 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1172021,CVE-2019-19956 This update for libxml2 fixes the following issues: - CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1573-1 Released: Tue Jun 9 12:07:53 2020 Summary: Add features for Metrics Server, Cert Status Checker, VSphere VCP, and Cilium Envoy Type: security Severity: moderate References: 1041090,1047218,1048688,1086909,1094448,1095603,1102920,1121353,1129568,1138908,1144068,1151876,1156450,1159002,1159003,1159004,1159539,1162651,1167073,1169506,CVE-2019-18801,CVE-2019-18802,CVE-2019-18836,CVE-2019-18838 Metrics Server * Support monitoring of *CPU* and *memory* of a pod or node. Cert Status Checker * Exposes cluster-wide certificates status and use monitoring stack (Prometheus and Grafana) to receives alerts by Prometheus Alertmanager and monitors certificate status by Grafana dashboard. VSphere VCP * Allow Kubernetes pods to use VMWare vSphere Virtual Machine Disk (VMDK) volumes as persistent storage. Cilium Envoy * Updated Cilium from version 1.5.3 to version 1.6.6 * Provide Envoy-proxy support for Cilium * Envoy and its dependencies packaged for version 1.12.2 * Cilium uses CRD and ConfigMap points on etcd are removed See release notes for installation instructions: https://www.suse.com/releasenotes/x86_64/SUSE-CAASP/4/ Following CVE entries are relevant for the casp 4.2.1 update: cilium-proxy: CVE-2019-18801: An untrusted remote client might have been able to send HTTP/2 requests via cilium-proxyx that could have written to the heap outside of the request buffers when the upstream is HTTP/1. 
(bsc#1159002) CVE-2019-18802: A malformed request header may have caused bypass of route matchers resulting in escalation of privileges or information disclosure (bsc#1159003) CVE-2019-18838: A malformed HTTP request without the Host header may cause abnormal termination of the Envoy process (bsc#1159004) CVE-2019-18836: Excessive iteration due to listener filter timeout in envoy could lead to DoS (bsc#1156450) kafka: CVE-2018-1288: authenticated Kafka users may perform action reserved for the Broker via a manually created fetch request. (bsc#1102920) From sle-updates at lists.suse.com Tue Jun 16 13:12:18 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 21:12:18 +0200 (CEST) Subject: SUSE-SU-2020:1630-1: important: Security update for xen Message-ID: <20200616191218.D4604F749@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1630-1 Rating: important References: #1157888 #1158003 #1158004 #1158005 #1158006 #1158007 #1161181 #1167152 #1168140 #1168142 #1169392 #1172205 Cross-References: CVE-2019-19577 CVE-2019-19578 CVE-2019-19579 CVE-2019-19580 CVE-2019-19581 CVE-2019-19583 CVE-2020-0543 CVE-2020-11739 CVE-2020-11740 CVE-2020-11741 CVE-2020-11742 CVE-2020-7211 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 12 vulnerabilities is now available. Description: This update for xen fixes the following issues: - CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. 
This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1172205). - CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392). - CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140). - CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142). - CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace code to crash the guest, leading to a guest denial of service (bsc#1158004 XSA-308). - CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307). - CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310). - CVE-2019-19579: Fixed a privilege escalation where an untrusted domain with access to a physical device can DMA into host memory (bsc#1157888 XSA-306). - CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309). - CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311). - Xenstored Crashed during VM install (bsc#1167152) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1630=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1630=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1630=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1630=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1630=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1630=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1630=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): xen-4.9.4_06-3.62.1 xen-debugsource-4.9.4_06-3.62.1 xen-doc-html-4.9.4_06-3.62.1 xen-libs-32bit-4.9.4_06-3.62.1 xen-libs-4.9.4_06-3.62.1 xen-libs-debuginfo-32bit-4.9.4_06-3.62.1 xen-libs-debuginfo-4.9.4_06-3.62.1 xen-tools-4.9.4_06-3.62.1 xen-tools-debuginfo-4.9.4_06-3.62.1 xen-tools-domU-4.9.4_06-3.62.1 xen-tools-domU-debuginfo-4.9.4_06-3.62.1 - SUSE OpenStack Cloud 8 (x86_64): xen-4.9.4_06-3.62.1 xen-debugsource-4.9.4_06-3.62.1 xen-doc-html-4.9.4_06-3.62.1 xen-libs-32bit-4.9.4_06-3.62.1 xen-libs-4.9.4_06-3.62.1 xen-libs-debuginfo-32bit-4.9.4_06-3.62.1 xen-libs-debuginfo-4.9.4_06-3.62.1 xen-tools-4.9.4_06-3.62.1 xen-tools-debuginfo-4.9.4_06-3.62.1 xen-tools-domU-4.9.4_06-3.62.1 xen-tools-domU-debuginfo-4.9.4_06-3.62.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): xen-4.9.4_06-3.62.1 xen-debugsource-4.9.4_06-3.62.1 xen-doc-html-4.9.4_06-3.62.1 xen-libs-32bit-4.9.4_06-3.62.1 xen-libs-4.9.4_06-3.62.1 xen-libs-debuginfo-32bit-4.9.4_06-3.62.1 xen-libs-debuginfo-4.9.4_06-3.62.1 xen-tools-4.9.4_06-3.62.1 xen-tools-debuginfo-4.9.4_06-3.62.1 xen-tools-domU-4.9.4_06-3.62.1 xen-tools-domU-debuginfo-4.9.4_06-3.62.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64): xen-4.9.4_06-3.62.1 xen-debugsource-4.9.4_06-3.62.1 
xen-doc-html-4.9.4_06-3.62.1 xen-libs-32bit-4.9.4_06-3.62.1 xen-libs-4.9.4_06-3.62.1 xen-libs-debuginfo-32bit-4.9.4_06-3.62.1 xen-libs-debuginfo-4.9.4_06-3.62.1 xen-tools-4.9.4_06-3.62.1 xen-tools-debuginfo-4.9.4_06-3.62.1 xen-tools-domU-4.9.4_06-3.62.1 xen-tools-domU-debuginfo-4.9.4_06-3.62.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): xen-4.9.4_06-3.62.1 xen-debugsource-4.9.4_06-3.62.1 xen-doc-html-4.9.4_06-3.62.1 xen-libs-32bit-4.9.4_06-3.62.1 xen-libs-4.9.4_06-3.62.1 xen-libs-debuginfo-32bit-4.9.4_06-3.62.1 xen-libs-debuginfo-4.9.4_06-3.62.1 xen-tools-4.9.4_06-3.62.1 xen-tools-debuginfo-4.9.4_06-3.62.1 xen-tools-domU-4.9.4_06-3.62.1 xen-tools-domU-debuginfo-4.9.4_06-3.62.1 - SUSE Enterprise Storage 5 (x86_64): xen-4.9.4_06-3.62.1 xen-debugsource-4.9.4_06-3.62.1 xen-doc-html-4.9.4_06-3.62.1 xen-libs-32bit-4.9.4_06-3.62.1 xen-libs-4.9.4_06-3.62.1 xen-libs-debuginfo-32bit-4.9.4_06-3.62.1 xen-libs-debuginfo-4.9.4_06-3.62.1 xen-tools-4.9.4_06-3.62.1 xen-tools-debuginfo-4.9.4_06-3.62.1 xen-tools-domU-4.9.4_06-3.62.1 xen-tools-domU-debuginfo-4.9.4_06-3.62.1 - HPE Helion Openstack 8 (x86_64): xen-4.9.4_06-3.62.1 xen-debugsource-4.9.4_06-3.62.1 xen-doc-html-4.9.4_06-3.62.1 xen-libs-32bit-4.9.4_06-3.62.1 xen-libs-4.9.4_06-3.62.1 xen-libs-debuginfo-32bit-4.9.4_06-3.62.1 xen-libs-debuginfo-4.9.4_06-3.62.1 xen-tools-4.9.4_06-3.62.1 xen-tools-debuginfo-4.9.4_06-3.62.1 xen-tools-domU-4.9.4_06-3.62.1 xen-tools-domU-debuginfo-4.9.4_06-3.62.1 References: https://www.suse.com/security/cve/CVE-2019-19577.html https://www.suse.com/security/cve/CVE-2019-19578.html https://www.suse.com/security/cve/CVE-2019-19579.html https://www.suse.com/security/cve/CVE-2019-19580.html https://www.suse.com/security/cve/CVE-2019-19581.html https://www.suse.com/security/cve/CVE-2019-19583.html https://www.suse.com/security/cve/CVE-2020-0543.html https://www.suse.com/security/cve/CVE-2020-11739.html https://www.suse.com/security/cve/CVE-2020-11740.html 
https://www.suse.com/security/cve/CVE-2020-11741.html https://www.suse.com/security/cve/CVE-2020-11742.html https://www.suse.com/security/cve/CVE-2020-7211.html https://bugzilla.suse.com/1157888 https://bugzilla.suse.com/1158003 https://bugzilla.suse.com/1158004 https://bugzilla.suse.com/1158005 https://bugzilla.suse.com/1158006 https://bugzilla.suse.com/1158007 https://bugzilla.suse.com/1161181 https://bugzilla.suse.com/1167152 https://bugzilla.suse.com/1168140 https://bugzilla.suse.com/1168142 https://bugzilla.suse.com/1169392 https://bugzilla.suse.com/1172205 From sle-updates at lists.suse.com Tue Jun 16 13:14:23 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 16 Jun 2020 21:14:23 +0200 (CEST) Subject: SUSE-RU-2020:1629-1: moderate: Recommended update for terraform-provider-aws Message-ID: <20200616191423.ADD36FD07@maintenance.suse.de> SUSE Recommended Update: Recommended update for terraform-provider-aws ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1629-1 Rating: moderate References: #1170264 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for terraform-provider-aws fixes the following issues: - Add symlink required by terraform execution - Update to version 2.59.0: (bsc#1170264) * v2.59.0 * add CHANGELOG entry for PR #12935, PR #11657 * update expected ID example for ssm_maintenance_window_target * Update CHANGELOG for #12777, #12775, #12793, #12734, #12867, #12967, #12890, #12936, #12715 * resource/aws_waf_xss_match_set: Add plan-time validation for xss_match_tuples configuration block arguments (#12777) * resource/aws_waf_ipset: Add plan-time validation for ip_set_descriptors configuration block arguments (#12775) * resource/aws_wafregional_web_acl: Add plan-time validation to various arguments (#12793) * add CHANGELOG entry for PR #12933 * resource/aws_rds_cluster: Support aurora-mysql and aurora-postgres Global Clusters (#12867) * provider: Support af-south-1 (Cape Town) in various data sources (#12967) * docs/provider: Fix formatting of code block in Contributing Guide (#12965) * add changelog entry for PR #12929 * add changelog entry for PR #12948 * Update CHANGELOG.md * entry for adding import support network_acl_rule * update import id expected value formatting * add import note * fix tag list + expand test * resource/aws_route: Allow using compressed IPV6 CIDR (#12890) * data-source/aws_launch_template: Prevent type error with network_interfaces associate_public_ip_address (#12936) * docs/resource/aws_acm_certificate_validation: Use explicit zone_id attribute references (#12885) * docs/provider: Change "mapping" to "map" (when referring to the data structure) (#12908) * docs/resource/aws_iam_role_policy: Explicitly call out inline policy (#12905) * updates to add in resource attribute checks * Update module aws/aws-sdk-go to v1.30.12 (#12715) * resource/aws_codepipeline: Add stage action namespace argument (#11910) * docs/provider: Correct ELB, S3 and Elastic Beanstalk links for new AWS regions in Contributing Guide (#12946) * update comments in test * add support 
for importing aws_volume_attachment resource * add support for importing aws_ssm_maintenance_window_target resource * add support for importing aws_ssm_activation resource * code review updates and doc update * run linters * change delimiter and namespace attribute name * add vpc-related example/docs * add support for importing aws_service_discovery_private_dns_namespace * move linux wording * docs/provider: make website-lint-fix * add support for importing aws_default_etwork_acl resources * Fix typo in CHANGELOG * rename example resource * formatting with linter * update documentation for acl_rule importing * Update CHANGELOG for #12884, #11783, #12898, #9461, #10542, #12902, #9391, #9232, #12620, #12452 * resource/aws_appsync_graphql_api: Add `log_config` configuration block `exclude_verbose_content` argument (#12884) * add support for importing aws_network_acl_rule resources * resource/aws_ssm_maintanance_window_target: Add plan-time validation to `resource_type` argument (#11783) * tests/resource/aws_glue_security_configuration: Keep empty string test in TestAccAWSGlueSecurityConfiguration_S3Encryption_S3EncryptionMode_SSES3 * Do not send kms_arn in glue security configuration if mode is SSES3 * resource/aws_iam_user: Ensure `force_destroy` removes signing certificates (#10542) * docs/resource/aws_dms_endpoint: Add missing aurora-postgresql to engine_name valid values (#12899) * resource/aws_lambda_alias: Suppress differences for equivalent function_name name and ARN (#12902) * .github/workflows/issues: Try removing curly braces from JSON to prevent error * r/aws_acm_certificate: Add test sweeper. * r/aws_apigatewayv2_api: Add test sweeper dependency on 'aws_apigatewayv2_domain_name'. * Removes "magic string" error code from error conditionals * Updates ARN test missed by linter * r/aws_apigatewayv2_vpc_link: Move waiter logic into its own package. * Add aws_apigatewayv2_vpc_link resource. * Fix lint warning. * Fix broken documentation links. 
* r/aws_apigatewayv2_api_mapping: Create ACM certificate outside of Terraform configuration. * Renamed resource to 'aws_apigatewayv2_api_mapping'. * Add 'aws_api_gateway_v2_api_mapping' resource. * Cleanup after v2.58.0 release * v2.58.0 * .github/workflows/issues: Remove extra closing parenthesis * .github/workflows/issues: Add curly braces in JSON * .github/workflows/issues: Try using fromJSON() to prevent errors * Update CHANGELOG for #12620 * .github/workflows/issues: Ignore collaborators for needs-triage issue labeling (#12857) * Adds checks for nil results to prevent panics * Removes extraneous API call when updating root EBS volume * Test that route_settings are removed when empty. * Rename resource to 'aws_apigatewayv2_stage'. * tests/service/rds: Remove rds-ca-2015 from CA Certificate Identifier testing (#12855) * Add 'aws_api_gateway2_stage' resource. * service/servicediscovery: Refactor waiter logic into separate package, add test sweepers (#12765) * Update CHANGELOG for #9245 * Change after review. * Update CHANGELOG for #9373 * Update CHANGELOG for #8633 and #11792 * resource/aws_dms_endpoint: Finish initial elasticsearch implementation and refactor schema/testing * Add deployment status waiter. * Rename resource to 'aws_apigatewayv2_deployment'. * Add 'aws_api_gateway2_deployment' resource. * Rename resource to 'aws_apigatewayv2_route_response'. * Add 'aws_api_gateway2_route_response' resource. * resource/aws_dms_endpoint: Minor adjustments to finish kinesis implementation and back out mongodb changes from #8633 * Update CHANGELOG for #8881 * Update CHANGELOG for #7170 * resource/aws_dms_event_subscription: Finish initial implementation * docs/resource/aws_ram_resource_share: Fix typo (#12827) * Rename aws_apigatewayv2_integration_response resource source files to match standard naming convention. * Add note to documentation on inability to import API Gateway managed resources created as part of API quick create. 
* tests/resource/aws_backup_plan: Remove unused testAccCheckAwsBackupPlanRuleAttrSet * Fix and enable tfproviderlint S023 check (#12781) * Update CHANGELOG for #10705 * resource/aws_cognito_identity_provider: Address PR #10705 feedback * Update CHANGELOG for #11923 * resource/aws_backup_plan: Finish initial copy_action implementation * Update CHANGELOG for #12269 * data-source/aws_regions: Finish initial implementation * data-source/aws_regions: Apply suggestions from code review * docs/resource/aws_pinpoint_email_channel: Fix description (#12824) * Update CHANGELOG for #9365 * Update CHANGELOG for #12819 * resource/aws_ec2_client_vpn_endpoint: Allow two `authentication_options` configuration blocks (#12819) * Update CHANGELOG for #12342 * resource/aws_dynamodb_table: Finish up initial Global Table Version 2019.11.21 implementation * deps: Vendor github.com/aws/aws-sdk-go/service/route53domains (#12797) * Fixes tests * fmt updates * Apply suggestions from code review * docs/data-source/aws_route_tables: Update ids attribute type (#12802) * Update CHANGELOG for #12800 * resource/aws_dlm_lifecycle_policy: Ensure plan-time validation for times argument only allows 24 hour format (#12800) * provider: Fix and enable tfproviderlint S024 check: ForceNew is extraneous in data source schema attributes (#12778) * tests(staticcheck): fix failing tests (#12782) * add extra line to indicate issue may exist in linux * add glob to provider pr labeller * tests/resource/aws_ecs_task_definition: Add sweeper (#12760) * Cleanup after v2.57.0 release * v2.57.0 * Update CHANGELOG for #12735 * Update CHANGELOG for #12738 * r/aws_apigatewayv2_route: Add support for JWT authorizers. * Update CHANGELOG for #12401 * resource/aws_rds_global_cluster: Add aurora-postgresql to engine argument plan-time validation (#12401) * 'aws_api_gateway2_route' -> 'aws_apigatewayv2_route'. * Add 'aws_api_gateway_v2_route' resource. 
* 'aws_api_gateway2_integration_response' -> 'aws_apigatewayv2_integration_response'. * Add 'aws_api_gateway_v2_integration_response' resource. * Add message to highlight ulimit option which can prevent issues with AT runs * Fix missing side navigation links. (#12746) * resource/aws_network_acl: Ensure tags are handled on creation * resource/aws_vpc_peering_connection_accepter: Do not overwrite incoming ResourceData on creation * Update CHANGELOG for #8912 * resource/aws_kms_key: Prevent eventual consistency related errors on creation * Update CHANGELOG for #8949 * Update CHANGELOG for #9228 * service/ec2: Switch tagging during resource creation to keyvaluetags.CreateEc2Tags implementation * internal/keyvaluetags: Initial tagging function generator for handling tagging of new resources * Updates AWS Config acceptance tests to use ARN testing check functions * Updates CloudFront acceptance tests to use ARN testing check functions * internal/keyvaluetags: Move all generator customization functions into shared service_generation_customizations.go * Update CHANGELOG for #12712 * service/lambda: Support for .NET Core 3.1 (#12712) * Update CHANGELOG for #11568 * resource/aws_egress_only_internet_gateway: Finish tags implementation and fix errors * Update CHANGELOG for #11683 * resource/aws_cloudhsm_v2_cluster: Support tag-on-create (#11683) * Update CHANGELOG for #12295 * resource/aws_spot_fleet_request: Add tags argument, support more plan-time validations, refactor testing (#12295) * Updates App Autoscaling acceptance tests to use ARN testing check functions * Update CHANGELOG for #12700 * tests/resource/aws_db_instance: Add covering acceptance testing for db_subnet_group_name and replicate_source_db arguments * Updates API Gateway acceptance tests to use ARN testing check functions * Use 'testAccCheckResourceAttrEquivalentJSON'. 
* Updates ECS acceptance tests to use ARN testing check functions * Updates ECR acceptance tests to use ARN testing check functions * 'aws_api_gateway2_model' -> 'aws_apigatewayv2_model'. * Add 'aws_api_gateway_v2_model' resource. * Updates ACM acceptance tests to use ARN testing check functions * Update CHANGELOG for #12586 * provider: Update preview ignore tags handling to configuration block and shared struct type (#12586) * Update module aws/aws-sdk-go to v1.30.5 (#12706) * Update aws/resource_aws_db_instance.go * Update module hashicorp/terraform-plugin-sdk to v1.9.0 (#12531) * Update CHANGELOG for #12650 * Update CHANGELOG for #12650 * resource/aws_docdb_cluster: Add deletion_protection argument (#12650) * Update module aws/aws-sdk-go to v1.30.4 (#12414) * docs/resource/aws_ssm_maintenance_window_task: Fix example value for `notification_type` (#12705) * Update CHANGELOG for #10350 * resource/aws_redshift_snapshot_copy_grant: Finish import implementation * Update CHANGELOG for #4568 * resource/aws_lb_target_group: Ensure unconfigured health checks for Network LB do not trigger recreation and add covering acceptance testing * Adds `device_name` to `data-source/aws_instance` * Adds EBS root volume delete-on-termination modification * resource/aws_lb_target_group: go fmt after fixing merge conflict * Adds EBS root volume type and IOPS modification * Fix for creating an RDS read replica in shared subnets. 
* Update CHANGELOG for #11232 * tests/resource/aws_appautoscaling_policy: Ensure covering acceptance testing for DynamoDB index policy * Update CHANGELOG for #6468 * New Data Source: aws_cloudfront_distribution (#6468) * service/elastictranscoder: Refactor out SetMap usage (#12641) * docs/resource/aws_cloudtrail: Fix broken link to Cloudtrail Data Events (#12687) * docs/resource/aws_launch_template: fix documentation for EBS block kms_key_id property (#12672) * docs/resource/aws_neptune_cluster: Fix attribute name typo deletion_protection (#12649) * enable s20 lint check and fix issues * Adds test for retrieving computed root EBS device values * Cleanup after v2.56.0 release * v2.56.0 * Updates documentation * Stops waiting for volume update when state is `optimizing`, since the volume is useable in that state * Updates root volume resize to work when multiple EBS volumes are attached * Uses AWS SDK provided functions for value dereference * Consolidates EC2 instance retrieval * Update CHANGELOG for #12549 * service/sagemaker: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12462) * resource/aws_s3_bucket: Fix lint error (#12626) * Updates to current framework * Improve code quality and fix tests as requested * resource_aws_instance: Modify root volume size without instance recreation * Update CHANGELOG for #12614 * resource/aws_s3_bucket: Prevent various panics with empty configuration blocks (#12614) * Removes nested resource testing in favour of `ImportStateVerify` and adds missing CodePipeline precheck * Update CHANGELOG for #12389 * resource/aws_elastic_transcoder_preset: Remove stringptr and refactor tests (#12581) * Update CHANGELOG for #12596 * resource/aws_volume_attachment: Do not swallow error when detaching volume (#12596) * Update CHANGELOG for #12575 * resource/aws_elastic_transcoder_preset: Remove `getStringPtr` calls, refactor tests, validate role argument (#12575) * Update CHANGELOG for 
#12560 * resource/aws_kms_grant: Remove resource from Terraform state instead of error if removed outside Terraform (#12560) * tests/resource/aws_codebuild_project: Fix typo in error message testing for buildspec * resource/aws_codebuild_project: Fix typo of buildspec (#12590) * resource/aws_codestarnotifications_notification_rule: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12469) * resource/aws_lb_listener: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12468) * resource/aws_api_gateway_stage: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12467) * resource/aws_lambda_function: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12466) * service/ec2: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12465) * resource/aws_autoscaling_group: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12464) * resource/aws_directory_service_directory: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12463) * service/redshift: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12461) * service/route53resolver: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12460) * service/elb: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12459) * service/docdb: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12457) * Consolidates artifact stores into a single argument * Typo fix * Change naming according to #9950 * Switch to filter for more flexibility * Add data source 
"aws_regions" * Adds tests for converting CodePipeline actions from single- to cross-region * Adds tests for updating cross-region CodePipeline actions * Properly hashes artifact stores * Adds test for changing artifact store location * service/rds: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12477) * Removes "foo" and "bar" * (docs) show AWS recommended EFS volume mount options (#12576) * Update CHANGELOG for #12559 * service/directconnect: Support 2Gbps and 5Gbps values in plan-time validation for bandwidth argument (#12559) * Update CHANGELOG for #11991 * resource/aws_kms_grant: Support resource import (#11991) * Update CHANGELOG for #12492 * service/ec2: Add hibernation_options to aws_launch_template resource and data source (#12492) * Update CHANGELOG for #11885 * resource/aws_codedeploy_deployment_group: Fix blue_green_deployment_config updates for ECS (#11885) * tests/service/rds: Sweeper and randomization of Database Snapshots (#12546) * resource/aws_opsworks_rds_db_instance: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12476) * resource/aws_route53_zone: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12475) * resource/aws_qldb_ledger: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12474) * resource/aws_globalaccelerator_accelerator: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12472) * resource/aws_elasticache_parameter_group: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12471) * resource/aws_licensemanager_license_configuration: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() (#12470) * Handles creation and import of cross-region CodePipeline actions 
* Removes redundant CodePipelineExists test from CodePipeline webhook tests * Fixes rebase errors and adds `depends_on` for IAM policy attachments * Cleanup after v2.55.0 release * v2.55.0 * Update CHANGELOG for #12305 * Update CHANGELOG for #12079 * resource/aws_neptune_cluster_instance: Add missing configuring-log-exports as allowed pending state (#12079) * Update CHANGELOG for #12491 * service/ec2: Support metadata_options in aws_instance and aws_launch_template resources/data sources (#12491) * tests/data-source/aws_vpc_endpoint_service: Fix EC2 policy check (#12544) * provider: Updates to verify hashibot behaviors and increase stale handling per run (#12556) * Removes unneeded test * Applies `terrafmt fmt` * Adds tests for adding and reordering `bootstrap_actions` * Corrects type of `bootstrap_action` from TypeSet to TypeList * resource/aws_ecs_task_definition: Remove pluralization from inference_accelerator configuration block argument * docs/provider: Run make website-lint-fix * resource/aws_ecs_task_definition: Add inference_accelerator configuration block (#11757) * Update CHANGELOG for #12215 * resource/aws_msk_cluster: Add logging_info configuration block (support CloudWatch, Firehose, and S3 logging) (#12215) * docs/resource/aws_api_gateway_deployment: Fixed documentation example (#12486) * Corrects error in destroy check * Fixes and test updates * [WIP] Test for multi region codepipeline.
* Use expandAwsCodePipelineArtifactStore to expand artifactStores * One definition of the artifactStoreSchema * Add support for Codepipeline artifact_stores * Add Codepipeline action region support * Update CHANGELOG for #12483 * resource/aws_flow_log: Add max_aggregation_interval argument (#12483) * Reorders parameters for composed configurations for cleaner formatting * Update CHANGELOG for #12516 * data-source/aws_ec2_transit_gateway_dx_gateway_attachement: Add filter and tags arguments (#12516) * Update CHANGELOG for #12530 * resource/aws_storagegateway_nfs_file_share: Implement path attribute (#12530) * provider: Switch stale handling from hashibot to official GitHub Action (#12542) * Update CHANGELOG for #12415 * data-source/aws_ec2_transit_gateway_vpn_attachment: Add filter and tags arguments (#12415) * Update CHANGELOG for #12404 to account for tags argument * Update CHANGELOG for #12404 * data-source/aws_vpc_endpoint_service: Add filter argument (#12404) * Update CHANGELOG for #12403 * Update CHANGELOG for #12416 * data-source/aws_prefix_list: Add filter argument (#12416) * docs/data-source/aws_launch_template: Add missing tags argument * tests/provider: Bulk update aws_availability_zones data sources in test configurations to exclude Local Zones (#12517) * docs/resource/aws_cognito_user_pool: Update the resource definition (#12529) * Update CHANGELOG for #12447 * plan only test for change revert * resource/aws_db_instance: Use expandStringSet and add testing for snapshot_identifier with db_subnet_group_name * Removes extra attributes. 
* Correcting possible values for encryption_option (#12510) * Update CHANGELOG for #12254 * resource/aws_athena_workgroup: Add force_destroy argument (#12254) * Update CHANGELOG for #11843 * resource/aws_mq_configuration: Remove extraneous call to ListTags during refresh and add ValidateFunc to engine_type (#11843) * Update CHANGELOG for #11992 * resource/aws_cloudwatch_log_metric_filter: Support resource import (#11992) * plan only test for change * Adds fix to filter out Local Zones from list of Availability Zones * Update resource_aws_route53_health_check_test.go * Adds functions to compose acceptance test configurations * Replaces `RandInt()` with `RandomWithPrefix()` * Removes unneeded `bootstrap_action` arguments from tests. Adds check to `TestAccAWSEMRCluster_security_config` to test `security_configuration` * Refactors IAM roles and policies * Fixes linting error * Cleans up some formatting and adds some tests to actually test some cases * Use availability zone filter (https://github.com/terraform-providers/terraform-provider-aws/pull/12400 merged). * Remove 'tls_config' attribute. It doesn't seem to do anything right now. * r/aws_apigatewayv2_integration: Add 'payload_format_version' and 'tls_config' attributes. * r/aws_apigatewayv2_integration: Don't import API Gateway managed integrations. * 'aws_api_gateway2_integration' -> 'aws_apigatewayv2_integration'. * Add 'aws_api_gateway_v2_integration' resource.
* Adds fix to filter out Local Zones from list of Availability Zones * Corrects function name * Terraform formatting fixes * Corrects test for Elastic Beanstalk Platform ARN * Formatting fixes * Consolidates Elastic Beanstalk Environment deletion * Adds option to ignore error events when terminating Elastic Beanstalk Environment * Formatting fixes * Updates Elastic Beanstalk Platform ARN to supported platform version * No longer stops sweepers for Elastic Beanstalk Applications and Environments on the first error * Update launch_template.html.markdown * Update CHANGELOG for #12400 * service/ec2: Initial support for Local Zones (#12400) * Update module bflad/tfproviderlint to v0.14.0 (#12505) * Rename test. * r/aws_apigatewayv2_api: Add CORS configuration and quick start attributes. * Cleanup after v2.54.0 release * v2.54.0 * service/neptune: Remove deprecated (helper/schema.ResourceData).Partial() and (helper/schema.ResourceData).SetPartial() * docs/resource/aws_securityhub_standards_subscription: Add PCI standard examples and docs (#12090) * Update module bflad/tfproviderlint to v0.12.0 (#12456) * Moved VPC SGs from ModifyDB to RestoreDB API Call * Update CHANGELOG for #7252 * resource/aws_vpc_dhcp_options_association: Minor testing and linting fixes * Update CHANGELOG for #6975 * New Resource: aws_securityhub_member (#6975) * Update CHANGELOG for #11604 * resource/aws_cognito_user_pool_client: Add prevent_user_existence_errors argument (#11604) * Update CHANGELOG for #12317 * resource/aws_cognito_user_pool: Add username_configuration configuration block (Support case insensitive usernames) (#12317) * Update CHANGELOG for #11607 * resource/aws_cognito_user_pool: Add email_configuration configuration block from_email_address argument (#11607) * Update CHANGELOG for #11762 * resource/aws_cognito_user_pool_client: Add analytics_configuration configuration block (Support Pinpoint analytics) (#11762) * Moves `replica` to `aws_dynamodb_table`. 
* Update CHANGELOG for #12350 * resource/aws_api_gateway_rest_api: Ignore ordering differences for endpoint_configuration configuration block vpc_endpoint_ids argument (#12350) * tests/resource/aws_launch_template: Add test for network interface ipv4 addresses (#12307) * Update CHANGELOG for #12411 * resource/aws_lambda_function: Add plan-time validation for handler argument (#12411) * Update CHANGELOG for #12418 * resource/aws_s3_bucket: Retry NoSuchBucket error when setting tags during resource creation (#12418) * Update CHANGELOG for #12388 * resource/aws_cognito_user_pool_client: Ignore ordering differences for callback_urls, logout_urls, and supported_identity_providers arguments (#12388) * Update CHANGELOG for #12327 * resource/aws_dlm_lifecycle_policy: Add 1 hour backup interval (#12327) * Update CHANGELOG for #11667 * service/opsworks: Layers tagging support (#11667) * Update CHANGELOG for #11984 * service/opsworks: Add Sensitive flag to private ssh_key properties (#11984) * Update CHANGELOG for #12383 * resource/aws_opsworks_application: Support resource import and add plan-time validations (#12383) * service/docdb: Add length checking to identifier value validation (#10826) * 'aws_api_gateway2_domain_name' -> 'aws_apigatewayv2_domain_name'. * Add 'aws_api_gateway_v2_domain_name' resource. * r/aws_apigatewayv2_authorizer: Add support for JWT. * 'aws_api_gateway2_authorizer' -> 'aws_apigatewayv2_authorizer'. * Add 'aws_api_gateway_v2_authorizer' resource. 
* docs/resource/aws_default_network_acl: Fix terraform 0.12 warning (#12406) * Update CHANGELOG for #12008 * resource/aws_kinesis_stream: Ensure kms_key_id argument in-place updates complete successfully (#12008) * docs/service/ec2: Clarify usage of 'service_name' and 'service' attributes for VPC Endpoints and VPC Endpoint Services (#11842) * Update CHANGELOG for #11170 * resource/aws_lambda_alias: Add ForceNew to function_name attribute (#11170) * remove check * Update launch_template.html.markdown * docs/resource/aws_security_group_rule: restore "required" field in example (#12392) * add filter support - docs * rename tests * rename tests * add support for filtering launch templates * Update CHANGELOG for #12359 * Update module aws/aws-sdk-go to v1.29.24 (#12359) * Update module hashicorp/terraform-plugin-sdk to v1.8.0 (#12357) * Update CHANGELOG for #11257 * service/elbv2: Add drop_invalid_header_fields attributes to aws_lb resource and datasource (#11257) * Update CHANGELOG for #11845 * resource/aws_backup_vault: Remove from state on AccessDeniedException (#11845) * Update CHANGELOG for #10687 * resource/aws_backup_selection: Automatically retry on additional IAM Role eventual consistency error (#10687) * Update CHANGELOG for #12349 * data-source/aws_iam_role: Add tags attribute (#12349) * Update CHANGELOG for #12381 * resource/aws_backup_plan: Support resource import (#12381) * docs/resource/aws_ssm_activation: Update example IAM Policy (#12385) * tests/provider: Add misspell for CHANGELOG.md in docscheck Make target (#12377) * Update CHANGELOG for #12347 * resource/aws_nat_gateway: Support tag-on-create (#12347) * Update CHANGELOG for #12375 * resource/aws_inspector_assessment_template: Add tags argument and support resource import (#12375) * resource/aws_elastic_beanstalk_environment: make fmt (Go 1.14 support) (#12393) * docs/resource/aws_kinesis_video_stream: Fix example HCL formatting * Spelling fixes for CHANGELOG (#12240) * Update CHANGELOG for #8291 * 
New Resource: aws_kinesis_video_stream (#8291) * provider: Consistent service client naming for API Gateway v1 and SES services (#12372) * Update CHANGELOG for #12283 * resource/aws_ebs_snapshot_copy: Return API errors instead of panic if unable to read snapshot (#12283) * Cleanup after v2.53.0 release * v2.53.0 * Update CHANGELOG for #8842 * Tweaks documentation subcategory for API Gateway v2 * Update CHANGELOG for #12358 * resource/aws_cognito_user_pool: Support Software Token MFA Configuration (#12358) * Adds missing comma in hashibot config * provider: Enable automatic terraform formatting enforcement in CI for documentation (#12232) * Rename resource to 'aws_apigatewayv2_api'. * docs/resource/aws_lambda_function: Update to supported nodejs version (#12355) * Lint fixes. * provider: Add AWSClient PartitionHostname() and RegionalHostname() receiver methods and AWSR001 linter (#12189) * Correct the dropdown section title. * Spell check. * Adds rest of Replica schema. * Use resourceAwsDynamoDbTable to drive main schema. * Basic support for HTTP APIs - No new attributes yet. * Changes `region` to `region_name`. * Uses flattenAwsDynamoDbTableResource. * Removes comments. * Uses resourceAwsDynamoDbTableUpdate. * Continue with sweep after any individual API fails deletion and capture all errors. * Uses resourceAwsDynamoDbTableCreate * Rename resource to 'aws_api_gatewayv2'. * Removes comments. * Adds support for DynamoDB v2019.11.21.
* tests/provider: Enable tfproviderlint R002 check (#12033) * provider: Fix and enable tfproviderlint V002, V004, V007, and V008 (#12233) * provider: Fix and enable tfproviderlint S031, S032, and S033 (#12234) * tests/resource/aws_key_pair: Randomize name in test configurations (#11890) * tests/data-source/aws_ssm_parameter: Randomize naming (#12174) * tests/resource/aws_launch_template: Randomize naming in network interface test configurations (#11959) * resource/aws_opsworks_stack: Fixes for tfproviderlint R002 (#12028) * tests/provider: Enable passing tfproviderlint v0.10.0 checks (#12088) * tests/resource/aws_ssm_activation: Remove broken ExpectError testing from TestAccAWSSSMActivation_expirationDate (#12173) * Update CHANGELOG for #11720 * service/ec2: Automatically retry on DetachVpnGateway calls receiving `InvalidParameterValue: This call cannot be completed because there are pending VPNs or Virtual Interfaces` (#11720) * provider: Additional hashibot pull request labeling (#12241) * Updates hashibot config to identify `apigatewayv2` service name * Update index.html.markdown (#12328) * tests/service/storagegateway: Refactor to use aws_ec2_instance_type_offering and aws_ssm_parameter data sources (#12247) * tests/data-source/aws_internet_gateway: Remove hardcoded provider region and ExpectNonEmptyPlan (#12253) * tests/provider: Remove extraneously hardcoded provider configurations in test configurations (#12277) * docs: fix S3 ACL permissions * Correct test check function name. * Clean up function names - https://github.com/terraform-providers/terraform-provider-aws/pull/12299. * Add TestAccAWSAPIGateway2Api_disappears acceptance test. * Fix website documentation errors. * Fix go.mod/go.sum conflicts. * r/aws_api_gateway2_api: Tag-on-create. * Add 'subcategory'. * Replace 'testAccMatchResourceAttrAnonymousRegionalARN' with 'testAccMatchResourceAttrRegionalARNNoAccount'. * Use new internal/keyvaluetags functionality. 
* Add API Gateway v2 list tags code generation. * Terraform Plugin SDK migration. * Add 'execution_arn' attribute to 'aws_api_gateway2_api' resource. * Minor enhancement to error message. * Test API ARN in acceptance tests. * Add test sweeper. * API Gateway v2 API tags. * Better acceptance tests when all attributes are set. * Update resource name in tests. * More anonymous API ID for import example. * Get 'aws_api_gateway_v2_api' acceptance tests passing. * Add 'aws_api_gateway_v2_api' documentation. * Move 'aws_api_gateway_v2_route' to its own PR. * Rename resource methods to match CloudHSM v2 resource method naming. * Rename files to match CloudHSM v2 file naming. * Get tests to compile after rebase. * adding some routes * cleaning out some files * WIP on additional v2 resources * fixing tests * can create and delete * initial addition of v2 definition * Update module aws/aws-sdk-go to v1.29.20 * Update CHANGELOG for #12273 * resource/aws_flow_log: Add tags argument (#12273) * Add AT005 lint rule and fix tests (#12308) * docs/resource/aws_ram_resource_share_accepter: Fixed wrong resource name (#12314) * service/ec2: Finish refactoring to keyvaluetags package (#12289) * Update CHANGELOG for #12309 * resource/aws_globalaccelerator_accelerator: Add tags argument (#12309) * Update CHANGELOG for #12290 * resource/aws_vpc_endpoint_service: Support tag-on-create and add network_load_balancer_arns plan-time validation (#12290) * Update CHANGELOG for #11972 * Update CHANGELOG for #11972 * resource/aws_appsync_graphql_api: Add xray_enabled argument (#11972) * Update CHANGELOG for #12132 * resource/aws_cloud9_environment_ec2: Add tags argument (#12132) * Update CHANGELOG for #12133 * resource/aws_ec2_traffic_mirror_filter: Add tags argument (#12133) * Update CHANGELOG for #12134 * resource/aws_ec2_traffic_mirror_session: Add tags argument (#12134) * Update CHANGELOG for #12135 * resource/aws_ec2_traffic_mirror_target: Add tags argument and network_load_balancer_arn
plan-time validation (#12135) * Update CHANGELOG for #12288 * resource/aws_vpc_endpoint: Support tag-on-create (#12288) * add disappears test case * suppress diff when expanded ipv6 address is the same * Updates naming of HSM v2 functions to match conventions * Corrects resource names in CHANGELOG * Renames documentation subcategory for API Gateway v1 to prepare for v2 * docs/resource/aws_launch_template: Fix typo (#12244) * resource/aws_elasticsearch_domain: Clarify zone_awareness_enabled argument (#12296) * Securityhub is no longer in preview - update docs (#12256) * docs/resource/aws_sns_topic_policy: Update resource name to snake case (#12274) * Update module golangci/golangci-lint to v1.23.8 (#12242) * service/workspaces: Refactor to use keyvaluetags package (#11645) * Cleanup after v2.52.0 release * v2.52.0 * service/ec2: Refactor Security Group data sources and resources to use keyvaluetags package (#11918) * Update CHANGELOG for #12280 * resource/aws_eks_cluster: Add encryption_config configuration block (#12280) * Update module aws/aws-sdk-go to v1.29.18 (#12258) * service/ec2: Refactor aws_internet_gateway data source and resource to use keyvaluetags package (#11907) * Update module bflad/tfproviderlint to v0.11.0 (#12259) * Update CHANGELOG for #3728 * s3 bucket grant implementation: fix fmt * Update module aws/aws-sdk-go to v1.29.16 (#12214) * tests/resource/aws_cloudwatch_metric_alarm: Blacklist usw2-az4 AZ for instance testing * tests/resource/aws_eks_node_group: Update TestAccAWSEksNodeGroup_ReleaseVersion argument value (#12172) * Update CHANGELOG for #12171 * resource/aws_lambda_function_event_invoke_config: Retry on additional IAM eventual consistency error with SNS Topic destinations (#12171) * Update CHANGELOG for #12170 * resource/aws_media_store_container: Prevent ValidationException on creation when no tags are configured (#12170) * Update CHANGELOG for #12139 * New Data Sources: aws_ec2_instance_type_offering and 
aws_ec2_instance_type_offerings (#12139) * docs/resource/aws_msk_cluster: Correct default value for client-broker encryption setting. (#12177) * docs/data-source/aws_pricing_product: Add capacitystatus filter (#12122) * service/elastictranscoder: Fix tfproviderlint R009 check in structure.go (#12137) * default EBS Volume type (#12155) * docs/resource/aws_cloudtrail: Fix spelling typo (#12180) * fixup(cloudwatch_log_group) documentation (#12193) * docs/data-source/aws_subnet_ids: Fixing example resource (#12224) * docs/resource/aws_s3_bucket_notification: Fix race condition in examples (#12228) * Update CHANGELOG for #11141 * resource/aws_lb_target_group: Add `load_balancing_algorithm_type` argument (support Least Outstanding Requests algorithm for Application Load Balancers) (#11141) * provider: Replace local version of schema validators with identical versions from terraform-plugin-sdk helper/validation package (#12207) * internal/keyvaluetags: Support Quicksight service (#12220) * resource/aws_vpc_peering_connection: Refactor to use keyvaluetags package (#11935) * service/ec2: Refactor Spot Instance and Fleet resources to use keyvaluetags package (#11934) * service/ec2: Refactor aws_route_table(s) data sources and resource to use keyvaluetags package (#11915) * service/ec2: Refactor VPC Endpoint (Service) data sources and resource to use keyvaluetags package (#11931) * resource/aws_vpn_connection: Refactor to use keyvaluetags package (#11932) * service/ec2: Refactor Network ACL data source and resources to use keyvaluetags package (#11913) * Update CHANGELOG for #11919 * resource/aws_iam_service_linked_role: Allow aws_service_name validation to accept values in AWS partitions outside AWS Commercial and AWS GovCloud (US) (#11919) * docs/provider: Fix invalid HCL in example configurations (#12209) * Skips CloudFormation StackSets acceptance tests when not supported * Fixes naming of CloudFormation StackSet * Skips CloudFormation StackSet sweepers when not supported 
* add dms elasticsearch target * Update CHANGELOG.md (#12211) * resource/aws_globalaccelerator_accelerator: go fmt * Update CHANGELOG for #11670 * resource/aws_globalaccelerator_accelerator: Add dns_name and hosted_zone_id attributes (#11670) * Update module aws/aws-sdk-go to v1.29.12 (#12128) * Update module golangci/golangci-lint to v1.23.7 (#12205) * Cleanup after v2.51.0 release * v2.51.0 * Update CHANGELOG for #11080 * New Data Source: aws_sfn_activity (#11080) * Update CHANGELOG for #12116 * resource/aws_lambda_function: Support plan-time validation for runtime argument ruby2.7 value (#12116) * Update CHANGELOG for #11415 * service/directconnect: Refactor tagging logic to keyvaluetags package and add 'amazon_side_asn' attribute (#11415) * service/ec2: Refactor aws_network_interface(s) data sources and resource to use keyvaluetags package (#11912) * resource/aws_ec2_client_vpn_endpoint: Refactor to use keyvaluetags package (#11917) * data-source/aws_iam_server_certificate: Fixes for tfproviderlint R002 (#11920) * service/cloudwatchlogs: Fixes for tfproviderlint R002 (#11921) * service/cognito: Fixes for tfproviderlint R002 (#11943) * service/elastictranscoder: Fixes for tfproviderlint R002 (#11944) * resource/aws_elastic_beanstalk_environment: Fixes for tfproviderlint R002 (#11945) * service/ec2: Fixes for tfproviderlint R002 (#11947) * Adds validation on CloudFront distribution georestriction type * Adds `.go-version` file and sets version to 1.13.7 * Fixes Elastic Beanstalk sweeper names to match resource and prevent warnings in sweeper runs * s3 bucket grant implementation: fix docs and tests * tests/resource/aws_s3_access_point: Fix log.Printf linting issue * resource/aws_s3_access_point: Address minor PR #11276 feedback * Update CHANGELOG for #11276 * New Resource: aws_s3_access_point (#11276) * Update CHANGELOG for #11837 * resource/aws_workspaces_directory: Prevent panic and remove resource from Terraform state if removed outside Terraform (#11837) * 
docs/provider: Fix aws_ec2_traffic_mirror_* location in terraform.io sidebar * Fix example of IP ranges usage (#11320) * Update CHANGELOG for #12115 * resource/aws_glue_job: Add notification_property configuration block (#12115) * docs/resource/aws_glue_job: Updating pythonshell details (#12114) * Update CHANGELOG for #11451 * resource/aws_msk_cluster: Support Cluster expansion and Open Monitoring (#11451) * Update CHANGELOG for #11100 * resource/aws_lambda_event_source_mapping: Adding ParallelizationFactor, MaximumRecordAgeInSeconds, BisectBatchOnFunctionError, MaximumRetryAttempts, DestinationConfig (#11100) * Update CHANGELOG for #10932 * New Data Source: aws_sfn_state_machine (#10932) * tests/resource/aws_ec2_traffic_mirror_session: Fix TestAccAWSEc2TrafficMirrorSession_basic * Fix CHANGELOG for #9372 * Update CHANGELOG for #9372 * service/ec2: New Resources for EC2 Traffic Mirroring (#9372) * Update module aws/aws-sdk-go to v1.29.7 (#11893) * resource/aws_glacier_vault: Fixes for tfproviderlint R002 (#11946) * tests/provider: Enable tfproviderlint R006 check (#12048) * tests/service/elasticache: Replace deprecated cache.m1 with cache.t3, refactor data source testing (#11956) * resource/aws_iot_certificate: Fixes for tfproviderlint R002 (#12026) * resource/aws_iam_saml_provider: Fixes for tfproviderlint R002 (#12027) * resource/aws_redshift_security_group: Fixes for tfproviderlint R002 (#12029) * resource/aws_proxy_protocol_policy: Fixes for tfproviderlint R002 (#12030) * resource/aws_route53_record: Fixes for tfproviderlint R002 (#12031) * resource/aws_ses_receipt_rule: Fixes for tfproviderlint R002 (#12032) * Cleanup after v2.50.0 release * v2.50.0 * docs/resource/aws_codestarnotifications_notification_rule: Fixed spacing and spelling (#12109) * resource/aws_transfer_server: Minor adjustments to new host_key handling * Update CHANGELOG for #8913 * resource/aws_transfer_server: Add host_key argument and host_key_fingerprint attribute (#8913) * Update CHANGELOG 
for #11144 * resource/aws_iam_access_key: Add ses_smtp_password_v4 attribute (#11144) * Update CHANGELOG for #11211 * resource/aws_lambda_function: Publish new version on config-only function updates (#11211) * Update CHANGELOG for #10402 * Update CHANGELOG for #9490 * data-source/aws_lambda_alias: Modernization for codebase and testing changes since submission, use name instead of alias_name to match resource * Update default EBS Volume type (#12092) * Make weight in default_capacity_provider_strategy optional. (#12091) * docs/guides/custom-service-endpoints: Use fully HTML list for Terraform Registry compatibility (#12004) * tests/resource/aws_launch_template: Add sweeper (#11962) * tests/resource/aws_organizations_policy: Add missing testAccOrganizationsAccountPreCheck (#12035) * resource/aws_codedeploy_deployment_group: Fixes for tfproviderlint R006 (#12042) * resource/aws_iam_policy_attachment: Fixes for tfproviderlint R006 (#12043) * resource/aws_lambda_permission: Fixes for tfproviderlint R006 (#12044) * resource/aws_redshift_snapshot_copy_grant: Fixes for tfproviderlint R006 (#12045) * resource/aws_ssm_document: Fixes for tfproviderlint R006 (#12046) * service/sfn: Fixes for tfproviderlint R006 (#12047) * Update CHANGELOG for #12052 * internal/naming: New package for shared naming logic (#12052) * Limits directories for sweepers to just `./aws` * Update module bflad/tfproviderlint to v0.10.0 (#12074) * Update module hashicorp/terraform-plugin-sdk to v1.7.0 (#12012) * Update CHANGELOG for #11924 * changes * Fix Doc: InvalidParameterValue: 'MaxAgeRule' and 'MaxCountRule' cannot be enabled simultaneously. 
(#12064) * Be clear about type for aws_subnet_ids (#12020) * Update the syntax of the examples in sns_topic_subscription to terraform (#12068) * update r/aws_globalaccelerator_endpoint_group documentation (#12063) * Update CHANGELOG for #11562 * resource/aws_ram_resource_share_accepter: Minor PR review feedback changes * add acceptance tests * Cleanup after v2.49.0 release * v2.49.0 * Adds `terraform-remote-s3-test` pattern for S3 backend * Compiles regexp once * Converts LB subnets to use splat expressions * Passes correct number of subnets to test * Updates Elastic Transcoder bucket names to match S3 sweeper patterns * Updates Macie S3 association bucket names to match S3 sweeper patterns * Updates Global Accelerator flow log bucket names to match S3 sweeper patterns * Updates Redshift bucket names to match S3 sweeper patterns * Updates Athena database and Athena named query bucket names to match S3 sweeper patterns * Updates ALB and NLB access log bucket names to match S3 sweeper patterns * Updates ELB access log bucket names to match S3 sweeper patterns * Adds default S3 bucket name to S3 sweeper * Update CHANGELOG for #12009 and #9810 * resource/aws_launch_configuration: Allow missing EC2 Image during root block device lookup (#12009) * Update CHANGELOG for #12000 * resource/aws_batch_job_definition: Prevent extraneous differences with container properties missing environment, mount point, ulimits, and volumes configuration (#12000) * Update CHANGELOG for #12001 * resource/aws_cognito_user_pool: Allow admin_create_user_config configuration block unused_account_validity_days to be omitted (#12001) * Update module golangci/golangci-lint to v1.23.6 (#11981) * service/s3: Refactor S3 Bucket Object data source and resource to use keyvaluetags package (#11964) * tests/resource/aws_instance: Refactor TestAccAWSInstance_hibernation to use aws_ami data source and launch with encrypted volume instead of copying AMI * Update CHANGELOG for #6961 * resource/aws_instance: 
Add `hibernation` argument (#6961) * tests/resource/aws_launch_configuration: Refactor TestAccAWSLaunchConfiguration_withInstanceStoreAMI to use Amazon Linux and filter root device by instance-store * Update CHANGELOG for #9810 * resource/aws_launch_configuration: Fix regression from version 2.22.0 with instance store AMIs returning an unexpected error (#9810) * Update CHANGELOG for #6552 * resource/aws_launch_template: Add `cpu_options` configuration block (support disabling multithreading) (#6552) * Update CHANGELOG for #11874 * docs/provider: Fix and enable markdownlint rules MD003, MD018, MD019, MD026, MD030, MD033, and MD046 (#12002) * Removes hardcoded partition checks and uses error values and acceptance pre-check to control test skip * internal/keyvaluetags: Fix CodestarnotificationsUpdateTags generation from old pull request * Update CHANGELOG for #10991 * New Resource: aws_codestarnotifications_notification_rule (#10991) * docs/resource/aws_kinesis_firehose_delivery_stream: Fixed Splunk configuration option description (#11995) * tests/provider: Increase make test timeout for Docker environments (#11996) * Update CHANGELOG for #11953 * data-source/aws_route53_zone: Filter on tags is containment, not exact equality. 
(#11953) * Update CHANGELOG for #11731 * resource/aws_neptune_cluster: Add deletion_protection argument (#11731) * Update CHANGELOG for #8461 * resource/aws_db_instance: Add delete_automated_backups argument (#8461) * docs/data-source/aws_api_gateway_rest_api: Alphabetize attributes and add missing execution_arn attribute * Update CHANGELOG for 10971 * data-source/aws_api_gateway_rest_api: Add attributes (#10971) * Update CHANGELOG for #11472 * resource/aws_db_instance: Enable RDS MSSQL agent log export to CloudWatch (#11472) * Update CHANGELOG for #11790 * resource/aws_rds_global_database: Allow Aurora MySQL 5.7 as a Global Database Engine (#11790) * Update CHANGELOG for #11949 * resource/aws_neptune_cluster: Add enable_cloudwatch_logs_exports argument (support audit logging) (#11949) * Update CHANGELOG for #11895 * aws/resource_aws_route53_record.go: update change record set to use SDK backoff (#11895) * Update CHANGELOG for #11559 * resource/aws_gamelift_fleet: Add tags argument (#11559) * docs/resource/aws_lb_listener_rule: Fix attribute names (#11985) * Adds TEST_COUNT makefile parameter * Add documentation on custom keyvaluetags functions. (#11974) * Update module golangci/golangci-lint to v1.23.4 (#11979) * Fix CHANGELOG entry for #9877 * docs/resource/aws_codebuild_project: Fix documentation example for 'source_version' attribute. (#11975) * docs/data-source/aws_kms_secrets: use identical text string for file and string arguments (#11980) * Update module bflad/tfproviderdocs to v0.5.0 (#11978) * New Service: WorkMail (#11958) * Refactors to use keyvaluetags package * Removes panics adding during debugging * r/_aws_s3_bucket_metric: Refactor to use keyvaluetags package. * Tidy up use of keyvaluetags. * Revert "r/aws_s3_bucket_object: Refactor to use keyvaluetags package." * Replace 'tagsMapToHash' with 'KeyValueTags.Hash' method. * r/aws_s3_bucket_object: Refactor to use keyvaluetags package. 
* Cleanup after v2.48.0 release * Fixes Route 53 resolver endpoint sweeper to return errors. Adds sweepers for Route 53 resolver rules and resolver rule associations * v2.48.0 * Update CHANGELOG for #11407 * tests/resource/aws_batch_job_queue: Revert errant ImportState testing in _disappears test * Update CHANGELOG for #11649 * resource/aws_kinesis_firehose_delivery_stream: Allow processor clearing (#11649) * removing unnecessary nil check * go fmt * update to re-create resoure when lambda policy sid not found * fixing bugs, adding tests, updating docs * Update CHANGELOG for #11617 * resource/aws_cloudwatch_log_stream: Prevent early state removal (#11617) * Update CHANGELOG for #11612 * services/organization: Support TAG_POLICY type in policy and policy attachment resources (#11612) * Update CHANGELOG for #11650 * resource/aws_default_security_group: Ensure description attribute is written into Terraform state (#11650) * Update CHANGELOG for #11544 * resource/aws_network_acl_rule: Fix provider error when missing rule (#11544) * docs/provider: Fixed link and modified sentence in README (#11816) * fix typo in aws_lb_listener_rule doc (#11856) * Update CHANGELOG for #11847 * resource/aws_fsx_lustre_file_system: Lower minimum storage cap to 1200Gb (#11847) * Update CHANGELOG for #11889 * resource/aws_ec2_client_vpn_endpoint: Ensure dns_servers attribute is refreshed in Terraform state (#11889) * deps: Update renovate ignoreDeps to include golang.org/x/tools, remove unused dependencies, and alphabetize list (#11886) * service/ec2: Refactor aws_vpn_gateway data source and resource to use keyvaluetags package (#11909) * service/ec2: Refactor aws_nat_gateway data source and resource to use keyvaluetags package (#11908) * service/ec2: Refactor aws_customer_gateway data source and resource to use keyvaluetags package (#11906) * resource/aws_glacier_vault: Refactor to use keyvaluetags package (#11900) * r/aws_s3_bucket: Refactor to use keyvaluetags package. 
* Update CHANGELOG for #11894 * resource/aws_s3_bucket: Retry read after creation for 404 status code (#11894) * tests/provider: Enable tfproviderlint R004 check (#11499) * Update website/aws.erb * service/ec2: Refactor aws_vpc_dhcp_options data source and resource to use keyvaluetags package (#11904) * internal/keyvaluetags: Use build constraint with custom implementation files, add gencheck Makefile target and add to CI (#11638) * data-source/aws_route53_zone: Refactor to use keyvaluetags package (#11661) * resource/aws_vpc_endpoint: Refactor to use keyvaluetags package (#11730) * Update CHANGELOG for #10381 * New Resource: aws_datasync_location_smb (#10381) * Add missing aws_ in #10017 CHANGELOG entry * Update CHANGELOG for #11488 * resource/aws_batch_job_definition: Properly set container_properties and name into Terraform state and fix basic test (#11488) * docs/provider: Fix markdownlint MD032 failures and enable rule (#11875) * Sets `Force` parameter when deleting CloudWatch event targets and event rules. 
Allows deletion of managed resources * Inlines `tags` field definition * Update CHANGELOG for #11648 * Addresses code review comments * Adds documentation navigation link * Add resource documentation links which is omitted (#11877) * Update module golangci/golangci-lint to v1.23.3 (#11876) * awsproviderlint: Initial implementation with AWSAT001 check (#11532) * deps: Migrate from github.com/kubernetes-sigs/aws-iam-authenticator/pkg/token to internal implementation (#11822) * Update CHANGELOG for #11726 * resource/aws_cloudformation_stack_set: Wait for update operation completion and report any errors (#11726) * tests/service/cloudformation: Add sweepers and export randomization (#11725) * tests/resource/aws_guardduty_detector: Add sweeper (#11722) * tests/provider: Enable new passing tfproviderlint checks (#11873) * docs/provider: Add information for tfproviderdocs, tfproviderlint, and yaml.v2 in Maintaining Guide Dependency Updates section (#11820) * docs/provider: Fix markdownlint MD031 failures and enable rule (#11861) * Adds documentation * Adds `TESTARGS` parameter to `make test` to narrow unit tests * Implements Import operation * Implements flattening and expansion of Storage Class Analytics values * Update CHANGELOG for #9877 * resousrce/aws_codebuild_project: Add source_version argument (#9877) * tests/resource/aws_cloud9_environment_ec2: Remove dependency on Default VPC and blacklist usw2-az4 (#11704) * tests/resource/aws_lb_target_group_attachment: Refactoring for region/partition agnostic and blacklist usw2-az4 (#11714) * tests/resource/aws_elastic_beanstalk_environment: Refactoring and modernization (#11702) * Update module golangci/golangci-lint to v1.23.2 (#11851) * Update module bflad/tfproviderlint to v0.9.0 (#11860) * Update CHANGELOG for #11701 * resource/aws_ecs_cluster: Delay check of ECS Cluster status during creation for ECS eventual consistency (#11701) * Update CHANGELOG for #11693 * resource/aws_appautoscaling_scheduled_action: 
Automatically retry creation on `ValidationException: ECS service doesn't exist` for ECS eventual consistency (#11693) * Update CHANGELOG for #11692 * resource/aws_dynamodb_table: Skip ResourceNotFoundException during deletion (#11692) * tests/resource/aws_ssm_maintenance_window: Add sweeper (#11689) * tests/provider: Add markdownlint to website-lint target (#11838) * initial commit * Update to use keyvaluetags. * Update Changelog for #10017 * resource/elasticache_cluster: Add Computed flag for Port property and set to true (#10017) * Update CHANGELOG for #9486 * New Data Source: aws_ssm_patch_baseline (#9486) * Update CHANGELOG for #11671 * resource/aws_placement_group: Additional handling for creation and deletion eventual consistency (#11671) * Fix broken documentation formatting for ssm_patch_baseline.html.markdown (#11825) * Update CHANGELOG for #10952 * resource/aws_codebuild_project: Implements git_submodules_config block (#10952) * Update CHANGELOG for #11819 * resource/aws_appautoscaling_target: Prevent state removal at creation (#11819) * Adds storage class analysis data export parameters to resource. Adds tests for empty case * Prevents acc tests and sweeper for AWS Glue workflows in GovCloud, since it's not supported * Update module yaml to v2.2.8 (#11740) * Update module aws/aws-sdk-go to v1.28.9 (#11753) * Update module hashicorp/terraform-plugin-sdk to v1.6.0 (#11802) * Update module bflad/tfproviderlint to v0.8.0 (#11815) * Cleanup after v2.47.0 release * Adds test for removing filter * Adds tests for filter with tags and combined prefix and tags * Adds tests for filter with prefix. 
Since the API only has a Put operation, use a single function for Create and Update * Updates test S3 bucket name to match sweeper patterns * Prevents empty filter parameter * Adds tests for basic update with `ForceNew` parameters * Adds wait function for deletes * Adds basic CRD operations for the resource with only required fields * Updates tests for Terraform v0.12 format * Renames test values to remove "foo" and "bar". Some additional reformatting * r/aws_appmesh_route: Add support for HTTP header-based routing and route priorities. * add docs * add tags to acm cert data source * add import step to all tests * add import support refactor errors + tests * Adds `BLUE_GREEN` deployment type as needed to tests. AWS ignores `blue_green_deployment_config` if it is not set * r/aws_egress_only_internet_gateway: Support tagging. * Allows deleting `deployment_style`, and resets to default values * Allows deleting `load_balancer_info` blocks * Remove unneeded argument + fix import still not working * Fix Read operation since invitations are purged after 7 days * formatting fix * Add import support for aws_batch_job_definition * Add import support for aws_batch_job_queue #11207 * Detect and handle DynamoDB resource IDs pointing to an index * Add failing testcase * Various aws_cognito_identity_provider improvements * allow snapshot copy grants to be imported * data/aws_lambda_alias: added docs * data/aws_lambda_alias: added basic test * data/aws_lambda_alias: new data source * fix lint * docs update * aws_dms_endpoint: Add support for Kinesis target endpoint * removed unused validator * fix docs * change grant to schema.HashSet type, re-evaluate grant logic, fix minor comments * Error check on fallback * add tests * add docs * add import functionality * Add dms_event_subscription resource * r/aws_lb_target_group: use diff.ForceNew * Fix diff.GetChange on previous commit * r/lb_target_group health chk proto chg req taint * Implementation of acl grants and update in docs - 
Update to version 2.47.0:
NOTES:
* resource/aws_efs_file_system: Tagging API calls have been refactored to the AWS standardized `TagResource` and `UntagResource` API calls (from `CreateTags` and `DeleteTags` respectively). Restrictive IAM Policies for Terraform execution may require updates. ([#11654](https://github.com/terraform-providers/terraform-provider-aws/issues/11654))
ENHANCEMENTS:
* data-source/aws_api_gateway_vpc_link: Add `description`, `status`, `status_message`, `tags`, and `target_arns` attributes ([#10822](https://github.com/terraform-providers/terraform-provider-aws/issues/10822))
* data-source/aws_dynamodb_table: Add `server_side_encryption` `kms_key_arn` attribute ([#11081](https://github.com/terraform-providers/terraform-provider-aws/issues/11081))
* data-source/aws_efs_file_system: Add `lifecycle_policy`, `provisioned_throughput_in_mibps`, and `throughput_mode` attributes ([#11647](https://github.com/terraform-providers/terraform-provider-aws/issues/11647))
* data-source/aws_kms_key: Add `customer_master_key_spec` attribute ([#11062](https://github.com/terraform-providers/terraform-provider-aws/issues/11062))
* resource/aws_dynamodb_table: Add `server_side_encryption` configuration block `kms_key_arn` argument (support customer managed CMKs for server-side encryption) ([#11081](https://github.com/terraform-providers/terraform-provider-aws/issues/11081))
* resource/aws_dynamodb_table: Support in-place updates for `server_side_encryption` configurations ([#11081](https://github.com/terraform-providers/terraform-provider-aws/issues/11081))
* resource/aws_elasticsearch_domain: Add `domain_endpoint_options` configuration block (support enforcing HTTPS) ([#10430](https://github.com/terraform-providers/terraform-provider-aws/issues/10430))
* resource/aws_gamelift_fleet: Add `fleet_type` argument (support Spot Fleets) ([#8234](https://github.com/terraform-providers/terraform-provider-aws/issues/8234))
* resource/aws_kms_key: Add
`customer_master_key_spec` argument and plan-time validation support for `key_usage` value `SIGN_VERIFY` (support asymmetric keys) ([#11062](https://github.com/terraform-providers/terraform-provider-aws/issues/11062))
* resource/aws_sagemaker_notebook_instance: Add `direct_internet_access` argument ([#8618](https://github.com/terraform-providers/terraform-provider-aws/issues/8618))
* resource/aws_ssm_activation: Add `automation_target_parameter_name` argument ([#11755](https://github.com/terraform-providers/terraform-provider-aws/issues/11755))
* resource/aws_ssm_document: Add `target_type` argument ([#11479](https://github.com/terraform-providers/terraform-provider-aws/issues/11479))
* resource/aws_ssm_maintenance_window: Add `description` argument ([#11478](https://github.com/terraform-providers/terraform-provider-aws/issues/11478))
* resource/aws_storagegateway_gateway: Add `cloudwatch_log_group_arn` argument ([#10939](https://github.com/terraform-providers/terraform-provider-aws/issues/10939))
BUG FIXES:
* data-source/aws_api_gateway_rest_api: Fixes `root_resource_id` not being set on correctly when REST API contains more than 25 resources ([#11705](https://github.com/terraform-providers/terraform-provider-aws/issues/11705))
* resource/aws_cloudwatch_log_subscription_filter: Perform eventual consistency retries on update ([#11739](https://github.com/terraform-providers/terraform-provider-aws/issues/11739))
* resource/aws_cognito_user_pool: Deprecate `unused_account_validity_days` argument and add support for `temporary_password_validity_days` argument ([#10890](https://github.com/terraform-providers/terraform-provider-aws/issues/10890))
* resource/aws_elasticsearch_domain: Automatically retry resource creation on additional error messages relating to eventual consistency ([#11663](https://github.com/terraform-providers/terraform-provider-aws/issues/11663))
* resource/aws_elasticsearch_domain: Ensure in-place version upgrade is fully successful before
returning ([#11793](https://github.com/terraform-providers/terraform-provider-aws/issues/11793))
* resource/aws_emr_instance_group: Wait for `RUNNING` status on creation ([#11688](https://github.com/terraform-providers/terraform-provider-aws/issues/11688))
* resource/aws_ssm_activation: Properly trigger resource recreation when deleted outside Terraform ([#11658](https://github.com/terraform-providers/terraform-provider-aws/issues/11658))
* resource/aws_ssm_parameter: Prevent `KeyId` error when switching `type` value from `SecureString` to `String` ([#10819](https://github.com/terraform-providers/terraform-provider-aws/issues/10819))
* service/efs: Generate proper `dns_name` attribute hostname suffix in AWS China, AWS C2S, and AWS SC2S partitions ([#11746](https://github.com/terraform-providers/terraform-provider-aws/issues/11746))
- For the changes between 2.29.0 and 2.47.0, see CHANGELOG.md included in this package
- Update _service file
- Include CHANGELOG.md in %doc section
- Increase golang API in BuildRequires to > 1.13
Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15-SP1: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-1629=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (aarch64 s390x x86_64): terraform-provider-aws-2.59.0-3.8.1 References: https://bugzilla.suse.com/1170264 From sle-updates at lists.suse.com Wed Jun 17 07:12:53 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 15:12:53 +0200 (CEST) Subject: SUSE-SU-2020:1634-1: important: Security update for xen Message-ID: <20200617131253.F21D9F749@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1634-1 Rating: important References: #1167152 #1168140 #1168142 #1168143 #1169392 #1172205 Cross-References: CVE-2020-0543 CVE-2020-11739 CVE-2020-11740 CVE-2020-11741 CVE-2020-11742 CVE-2020-11743 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes 6 vulnerabilities is now available. Description: This update for xen fixes the following issues: - CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1172205). - CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392). - CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140). - CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142). - CVE-2020-11743: Bad error path in GNTTABOP_map_grant (bsc#1168143). 
- Xenstored Crashed during VM install (bsc#1167152) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1634=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1634=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1634=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (x86_64): xen-4.10.4_10-3.31.1 xen-debugsource-4.10.4_10-3.31.1 xen-devel-4.10.4_10-3.31.1 xen-libs-4.10.4_10-3.31.1 xen-libs-debuginfo-4.10.4_10-3.31.1 xen-tools-4.10.4_10-3.31.1 xen-tools-debuginfo-4.10.4_10-3.31.1 xen-tools-domU-4.10.4_10-3.31.1 xen-tools-domU-debuginfo-4.10.4_10-3.31.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): xen-4.10.4_10-3.31.1 xen-debugsource-4.10.4_10-3.31.1 xen-devel-4.10.4_10-3.31.1 xen-libs-4.10.4_10-3.31.1 xen-libs-debuginfo-4.10.4_10-3.31.1 xen-tools-4.10.4_10-3.31.1 xen-tools-debuginfo-4.10.4_10-3.31.1 xen-tools-domU-4.10.4_10-3.31.1 xen-tools-domU-debuginfo-4.10.4_10-3.31.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): xen-4.10.4_10-3.31.1 xen-debugsource-4.10.4_10-3.31.1 xen-devel-4.10.4_10-3.31.1 xen-libs-4.10.4_10-3.31.1 xen-libs-debuginfo-4.10.4_10-3.31.1 xen-tools-4.10.4_10-3.31.1 xen-tools-debuginfo-4.10.4_10-3.31.1 xen-tools-domU-4.10.4_10-3.31.1 xen-tools-domU-debuginfo-4.10.4_10-3.31.1 References: https://www.suse.com/security/cve/CVE-2020-0543.html https://www.suse.com/security/cve/CVE-2020-11739.html https://www.suse.com/security/cve/CVE-2020-11740.html https://www.suse.com/security/cve/CVE-2020-11741.html https://www.suse.com/security/cve/CVE-2020-11742.html https://www.suse.com/security/cve/CVE-2020-11743.html 
https://bugzilla.suse.com/1167152 https://bugzilla.suse.com/1168140 https://bugzilla.suse.com/1168142 https://bugzilla.suse.com/1168143 https://bugzilla.suse.com/1169392 https://bugzilla.suse.com/1172205 From sle-updates at lists.suse.com Wed Jun 17 07:14:19 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 15:14:19 +0200 (CEST) Subject: SUSE-RU-2020:1631-1: important: Recommended update for fonts-config Message-ID: <20200617131419.395C4F749@maintenance.suse.de> SUSE Recommended Update: Recommended update for fonts-config ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1631-1 Rating: important References: #1049056 #1092737 #1101985 #1106850 #1111791 #1172022 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that has 6 recommended fixes can now be installed. Description: This update for fonts-config fixes the following issues: - Update version from 20160921 to version 20200609+git0.42e2b1b * Check if it's required to use some default settings in /etc/sysconfig/fonts-config. (bsc#1172022) * Add variable to allow fonts-config to update default settings * Fix en-US, en-GB font matching. * Allow non-ASCII letters in font names. (bsc#1049056, bsc#1101985). * Update subpixel rendering config * Fix misspelling in configuration file. (bsc#1111791) * Fix wrong visualization for special characters and numbers. 
(bsc#1092737) * Support color emoji * Modern fonts for symbol * Add configurations for Noto Sans/Serif CJK * No longer create encodings.dir in /usr/share/fonts/encodings/ (bsc#1106850) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1631=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1631=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1631=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1631=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1631=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1631=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (noarch): fonts-config-20200609+git0.42e2b1b-4.7.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): fonts-config-20200609+git0.42e2b1b-4.7.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): fonts-config-20200609+git0.42e2b1b-4.7.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): fonts-config-20200609+git0.42e2b1b-4.7.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): fonts-config-20200609+git0.42e2b1b-4.7.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): fonts-config-20200609+git0.42e2b1b-4.7.1 References: https://bugzilla.suse.com/1049056 https://bugzilla.suse.com/1092737 https://bugzilla.suse.com/1101985 https://bugzilla.suse.com/1106850 https://bugzilla.suse.com/1111791 https://bugzilla.suse.com/1172022 From sle-updates at lists.suse.com Wed Jun 17 07:15:48 2020 From: sle-updates at 
lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 15:15:48 +0200 (CEST) Subject: SUSE-SU-2020:1633-1: important: Security update for xen Message-ID: <20200617131548.AE0ADF749@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1633-1 Rating: important References: #1027519 #1168178 #1172205 Cross-References: CVE-2020-0543 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. Description: This update for xen fixes the following issues: - CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1172205). - Fixed an issue with efi boot when nvidia optimus or newer graphic cards are used (bsc#1168178). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1633=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1633=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 x86_64): xen-debugsource-4.12.3_02-3.14.1 xen-devel-4.12.3_02-3.14.1 - SUSE Linux Enterprise Server 12-SP5 (x86_64): xen-4.12.3_02-3.14.1 xen-debugsource-4.12.3_02-3.14.1 xen-doc-html-4.12.3_02-3.14.1 xen-libs-32bit-4.12.3_02-3.14.1 xen-libs-4.12.3_02-3.14.1 xen-libs-debuginfo-32bit-4.12.3_02-3.14.1 xen-libs-debuginfo-4.12.3_02-3.14.1 xen-tools-4.12.3_02-3.14.1 xen-tools-debuginfo-4.12.3_02-3.14.1 xen-tools-domU-4.12.3_02-3.14.1 xen-tools-domU-debuginfo-4.12.3_02-3.14.1 References: https://www.suse.com/security/cve/CVE-2020-0543.html https://bugzilla.suse.com/1027519 https://bugzilla.suse.com/1168178 https://bugzilla.suse.com/1172205 From sle-updates at lists.suse.com Wed Jun 17 07:16:50 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 15:16:50 +0200 (CEST) Subject: SUSE-SU-2020:1632-1: important: Security update for xen Message-ID: <20200617131650.51FA6F749@maintenance.suse.de> SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1632-1 Rating: important References: #1027519 #1172205 Cross-References: CVE-2020-0543 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. 
Description: This update for xen to version 4.11.4 fixes the following issues: - CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1172205). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1632=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1632=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 x86_64): xen-debugsource-4.11.4_02-2.26.1 xen-devel-4.11.4_02-2.26.1 - SUSE Linux Enterprise Server 12-SP4 (x86_64): xen-4.11.4_02-2.26.1 xen-debugsource-4.11.4_02-2.26.1 xen-doc-html-4.11.4_02-2.26.1 xen-libs-32bit-4.11.4_02-2.26.1 xen-libs-4.11.4_02-2.26.1 xen-libs-debuginfo-32bit-4.11.4_02-2.26.1 xen-libs-debuginfo-4.11.4_02-2.26.1 xen-tools-4.11.4_02-2.26.1 xen-tools-debuginfo-4.11.4_02-2.26.1 xen-tools-domU-4.11.4_02-2.26.1 xen-tools-domU-debuginfo-4.11.4_02-2.26.1 References: https://www.suse.com/security/cve/CVE-2020-0543.html https://bugzilla.suse.com/1027519 https://bugzilla.suse.com/1172205 From sle-updates at lists.suse.com Wed Jun 17 10:13:29 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 18:13:29 +0200 (CEST) Subject: SUSE-RU-2020:1637-1: important: Recommended update for zypper Message-ID: <20200617161329.5AE10F749@maintenance.suse.de> SUSE Recommended Update: Recommended update for zypper ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1637-1 Rating: important References: #1169947 #1172925 Affected Products: SUSE Linux 
Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for zypper fixes the following issues: - Print switch abbrev warning to stderr (bsc#1172925) - Fix typo in man page (bsc#1169947) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1637=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): zypper-1.14.37-3.19.1 zypper-debuginfo-1.14.37-3.19.1 zypper-debugsource-1.14.37-3.19.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): zypper-log-1.14.37-3.19.1 zypper-needs-restarting-1.14.37-3.19.1 References: https://bugzilla.suse.com/1169947 https://bugzilla.suse.com/1172925 From sle-updates at lists.suse.com Wed Jun 17 10:14:27 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 18:14:27 +0200 (CEST) Subject: SUSE-RU-2020:1635-1: important: Recommended update for susemanager-cloud-setup Message-ID: <20200617161427.5DA5CF749@maintenance.suse.de> SUSE Recommended Update: Recommended update for susemanager-cloud-setup ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1635-1 Rating: important References: #1172645 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for susemanager-cloud-setup contains the following fix: - Update to version 1.5: * adapt to new azuremetadata output (bsc#1172645) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15-SP1: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-1635=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (noarch): susemanager-cloud-setup-proxy-1.5-3.9.1 susemanager-cloud-setup-server-1.5-3.9.1 References: https://bugzilla.suse.com/1172645 From sle-updates at lists.suse.com Wed Jun 17 10:15:16 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 18:15:16 +0200 (CEST) Subject: SUSE-RU-2020:1636-1: moderate: Recommended update for google-worksans-fonts Message-ID: <20200617161516.2DA17F749@maintenance.suse.de> SUSE Recommended Update: Recommended update for google-worksans-fonts ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1636-1 Rating: moderate References: #1172154 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for google-worksans-fonts fixes the following issues: - First release 1.6+git145.18037a0 * Fix _service file to include TTF file instead of just overwriting the tarball. * Use fixed revision 18037a0b49722b70379d9bca074fa4503fb136bd instead of master. * Don't install WOFF files, TTF is good enough and in line with other fonts. * Pick TTF format fonts back: the desktop needs ttf to render gui program. 
(jsc#SLE-12421, bsc#1172154) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1636=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (noarch): google-worksans-fonts-1.6+git145.18037a0-8.3.1 References: https://bugzilla.suse.com/1172154 From sle-updates at lists.suse.com Wed Jun 17 11:27:51 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 19:27:51 +0200 (CEST) Subject: SUSE-CU-2020:202-1: Recommended update of Message-ID: <20200617172751.81424FD07@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:202-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Wed Jun 17 11:27:53 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 19:27:53 +0200 (CEST) Subject: SUSE-CU-2020:203-1: Recommended update of Message-ID: <20200617172753.C35F9FD07@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:203-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Wed Jun 17 11:27:55 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 19:27:55 +0200 (CEST) Subject: SUSE-CU-2020:204-1: Recommended update of Message-ID: <20200617172755.EFFC9FD07@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:204-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Wed Jun 17 11:27:58 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 19:27:58 +0200 (CEST) Subject: SUSE-CU-2020:205-1: Recommended update of Message-ID: <20200617172758.55F27FD07@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:205-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Wed Jun 17 11:28:00 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 19:28:00 +0200 (CEST) Subject: SUSE-CU-2020:206-1: Recommended update of Message-ID: <20200617172800.6E428FD07@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:206-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Wed Jun 17 11:28:02 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 19:28:02 +0200 (CEST) Subject: SUSE-CU-2020:207-1: Recommended update of Message-ID: <20200617172802.57FF9FD07@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:207-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Wed Jun 17 11:28:04 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 19:28:04 +0200 (CEST) Subject: SUSE-CU-2020:208-1: Recommended update of Message-ID: <20200617172804.A1025FD07@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:208-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Wed Jun 17 11:28:19 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 19:28:19 +0200 (CEST) Subject: SUSE-CU-2020:209-1: Security update of ses/7/cephcsi/cephcsi Message-ID: <20200617172819.8DC0FFD07@maintenance.suse.de> SUSE Container Update Advisory: ses/7/cephcsi/cephcsi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:209-1 Container Tags : ses/7/cephcsi/cephcsi:2.0.0 , ses/7/cephcsi/cephcsi:2.0.0.0 , ses/7/cephcsi/cephcsi:2.0.0.0.1.1179 , ses/7/cephcsi/cephcsi:latest , ses/7/cephcsi/cephcsi:sle15.2.octopus Container Release : 1.1179 Severity : important Type : security References :
----------------------------------------------------------------- The container ses/7/cephcsi/cephcsi was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1223-1 Released: Tue Jun 26 11:41:00 2018 Summary: Security update for gpg2 Type: security Severity: important References: 1096745,CVE-2018-12020 This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1327-1 Released: Tue Jul 17 08:07:24 2018 Summary: Security update for perl Type: security Severity: moderate References: 1096718,CVE-2018-12015 This update for perl fixes the following issues: - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1332-1 Released: Tue Jul 17 09:01:19 2018 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1073299,1093392 This update for timezone provides the following fixes: - North Korea switches back from +0830 to +09 on 2018-05-05. - Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299) - yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. 
(bsc#1093392) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1346-1 Released: Thu Jul 19 09:25:08 2018 Summary: Security update for glibc Type: security Severity: moderate References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 This update for glibc fixes the following security issues: - CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150). - CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161). - CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1353-1 Released: Thu Jul 19 09:50:32 2018 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572 This update for e2fsprogs fixes the following issues: Security issues fixed: - CVE-2015-0247: Fixed a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402). - CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346). Bug fixes: - bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system. - bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system. - bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1362-1 Released: Thu Jul 19 12:47:33 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1100415 ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store. (bsc#1100415) Following CAs were removed: * S-TRUST_Universal_Root_CA * TC_TrustCenter_Class_3_CA_II * TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1409-1 Released: Fri Jul 27 06:45:10 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569 This update for systemd provides the following fixes: - systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973) - systemctl: Check the existence of all units, not just the first one. - scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099) - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files. - Fix pattern to detect distribution. - install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search for preset files in /run (#7715) - install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851) - install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement. - install: Only consider names in Alias= as 'enabling'. - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - fileio: Support writing atomic files with timestamp. 
- fileio.c: Fix incorrect mtime - Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569) - An update broke booting with encrypted partitions on NVMe (bsc#1095096) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1754-1 Released: Fri Aug 24 16:40:21 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1104780 This update for ca-certificates-mozilla fixes the following issues: Updated to the 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780) - removed server auth rights from following CAs: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - removed CA - ComSign CA - new CA added: - GlobalSign ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1760-1 Released: Fri Aug 24 17:14:53 2018 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1072183 This update for libtirpc fixes the following issues: - rpcinfo: send RPC getport call as specified via parameter (bsc#1072183) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1775-1 Released: Tue Aug 28 12:40:50 2018 Summary: Recommended update for xfsprogs Type: recommended Severity: important References: 1089777,1105396 This update for xfsprogs fixes the following issues: - avoid divide-by-zero when hardware reports optimal i/o size as 0 (bsc#1089777) - repair: shift inode back into place if corrupted by bad log replay (bsc#1105396). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1887-1 Released: Wed Sep 12 12:34:28 2018 Summary: Recommended update for python-websocket-client Type: recommended Severity: moderate References: 1076519 This update for python-websocket-client fixes the following issues: - Use the system's CA bundle file by default. (bsc#1076519) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1999-1 Released: Tue Sep 25 08:20:35 2018 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1071321 This update for zlib provides the following fixes: - Speedup zlib on power8. (fate#325307) - Add safeguard against negative values in uInt. (bsc#1071321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2055-1 Released: Thu Sep 27 14:30:14 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest.
(bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2138-1 Released: Thu Oct 4 15:52:15 2018 Summary: Recommended update for sudo Type: recommended Severity: low References: 1097643 This update for sudo fixes the following issues: - fix permissions for /var/lib/sudo and /var/lib/sudo/ts (bsc#1097643) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2155-1 Released: Fri Oct 5 14:41:17 2018 Summary: Recommended update for ca-certificates Type: recommended Severity: moderate References: 1101470 This update for ca-certificates fixes the following issues: - Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2170-1 Released: Mon Oct 8 10:31:14 2018 Summary: Recommended update for python3 Type: recommended Severity: moderate References: 1107030 This update for python3 fixes the following issues: - Add -fwrapv to OPTS, which is default for python3 for bugs which are caused by avoiding it. (bsc#1107030) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2177-1 Released: Tue Oct 9 09:00:13 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1095661,1095670,1100488 This update for bash provides the following fixes: - Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661) - Make the generation of bash.html reproducible. (bsc#1100488) - Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670) - Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes. - Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler. 
- Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence. - Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2182-1 Released: Tue Oct 9 11:08:36 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279) - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166) - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2340-1 Released: Fri Oct 19 16:05:53 2018 Summary: Security update for fuse Type: security Severity: moderate References: 1101797,CVE-2018-10906 This update for fuse fixes the following issues: - CVE-2018-10906: fusermount was vulnerable to a restriction bypass when SELinux is active. This allowed non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. 
An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects (bsc#1101797) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2346-1 Released: Mon Oct 22 09:40:46 2018 Summary: Recommended update for logrotate Type: recommended Severity: moderate References: 1093617 This update for logrotate provides the following fix: - Ensure the HOME environment variable is set to /root when logrotate is started via systemd. This allows mariadb to rotate its logs when the database has a root password defined. (bsc#1093617) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2370-1 Released: Mon Oct 22 14:02:01 2018 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1102310,1104531 This update for aaa_base provides the following fixes: - Let bash.bashrc work even for (m)ksh. (bsc#1104531) - Fix an error at login if java system directory is empty. (bsc#1102310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2442-1 Released: Wed Oct 24 16:39:09 2018 Summary: Recommended update for python-msrestazure and its dependencies Type: recommended Severity: moderate References: 1109694 This update for python-adal, python-isodate, python-msrest, python-msrestazure fixes the following issues: python-msrestazure: - Update to version 0.5.0 + Features * Implementation is now using ADAL and not request-oauthlib. This allows more AD scenarios (like federated). * Add additionalInfo parsing for CloudError. * Implement new LRO options of Autorest. * Improve MSI for VM token polling algorithm. * MSIAuthentication now uses IMDS endpoint if available. * MSIAuthentication can be used in any environment that defines MSI_ENDPOINT env variable.
* CloudError now includes the 'innererror' attribute to match OData v4. * Introduces ARMPolling implementation of Azure Resource Management LRO. * Add support for WebApp/Functions in MSIAuthentication classes. * Add parse_resource_id(), resource_id(), validate_resource_id() to parse ARM ids. * Retry strategy can now reach 24 seconds (instead of 12 seconds). * Add Managed Service Integrated (MSI) authentication. * Add 'timeout' to ServicePrincipalCredentials and UserPasswordCredentials. * Threads created by AzureOperationPoller have now a name prefixed by 'AzureOperationPoller' to help identify them. * Improve MSIAuthentication to support User Assigned Identity. + Bugfixes * MSIAuthentication regression for KeyVault since IMDS support. * MSIAuthentication should initialize the token attribute on creation. * Fixes refreshToken in UserPassCredentials and AADTokenCredentials. * Fix US government cloud definition. * Reduce max MSI polling time for VM. * IMDS/MSI: Retry on more error codes. * IMDS/MSI: Fix a boundary case on timeout. * Fix parse_resource_id() tool to be case-insensitive to keywords when matching. * Add missing baseclass init call for AdalAuthentication. * Fix LRO result if POST uses AsyncOperation header. * Remove a possible infinite loop with MSIAuthentication. * Fix session obj for cloudmetadata endpoint. * Fix authentication resource node for AzureStack. * Better detection of AppService with MSIAuthentication. * get_cloud_from_metadata_endpoint incorrect on AzureStack. * get_cloud_from_metadata_endpoint certificate issue. * Fix AttributeError if error JSON from ARM does not follow ODatav4 (as it should). * Fix AttributeError if input JSON is not a dict. * Fix AdalError handling in some scenarios. * Update Azure Gov login endpoint. * Update metadata ARM endpoint parser. + Incompatible changes * Remove unused auth_uri, state, client and token_uri attributes in ServicePrincipalCredentials, UserPassCredentials and AADTokenCredentials. 
* Remove token caching based on 'keyring'. Token caching should be implemented using ADAL now. * Remove InteractiveCredentials. This class was deprecated and unusable. Use ADAL device code instead. python-msrest - Update to version 0.5.0 + Require python-enum32 and python-typing. + Features * Support additionalProperties and XML. * Deserialize/from_dict now accepts a content-type parameter to parse XML strings. * Add XML support * Add many type hints, and MyPY testing on CI. * HTTP calls are made through a HTTPDriver API. Only implementation is `requests` for now. This driver API is *not* considered stable and you should pin your msrest version if you want to provide a personal implementation. * msrest is now able to keep the 'requests.Session' alive for performance. * All Authentication classes now define `signed_session` and `refresh_session` with an optional `session` parameter. * Disable HTTP log by default (security), add `enable_http_log` to restore it. * Add TopicCredentials for EventGrid client. * Add LROPoller class. This is a customizable LRO engine. * Model now accept kwargs in constructor for future kwargs models. * Add support for additional_properties. * The interpretation of Swagger 2.0 'discriminator' is now lenient. * Add ApiKeyCredentials class. This can be used to support OpenAPI ApiKey feature. * Add CognitiveServicesAuthentication class. Pre-declared ApiKeyCredentials class for Cognitive Services. * Add Configuration.session_configuration_callback to customize the requests.Session if necessary. * Add a flag to Serializer to disable client-side-validation. * Remove 'import requests' from 'exceptions.py' for apps that require fast loading time. * Input is now more lenient. * Model have a 'validate' method to check content constraints. * Model have now new methods for serialize, as_dict, deserialize and from_dict. 
+ Bugfixes * Fix a serialization issue if additional_properties is declared, and 'automatic model' syntax is used ('automatic model' being the ability to pass a dict to command and have the model auto-created). * Better parse empty node and not string types. * Improve 'object' XML parsing. * Fix some XML serialization subtle scenarios. * Fix some complex XML Swagger definitions. * Lower Accept header overwrite logging message. * Fix 'object' type and XML format. * Incorrect milliseconds serialization for some datetime object. * Improve `SDKClient.__exit__` to take exc_details as optional parameters and not required. * Refresh_session should also use the permanent HTTP session if available. * Fix incorrect date parsing if ms precision is over 6 digits. * Fix minimal dependency of isodate. * Fix serialisation from dict if datetime provided. * Date parsing is now compliant with Autorest / Swagger 2.0 specification (less lenient). * Accept to deserialize enum of different type if content string match. * Stop failing on deserialization if enum string is unknown. Return the string instead. * Do not validate additional_properties. * Improve validation error if expected type is dict, but actual type is not. * Fix additional_properties if Swagger was flatten. * Optional formdata parameters were raising an exception. * 'application/x-www-form-urlencoded' form was sent using 'multipart/form-data'. * Fix regression: accept 'set' as a valid '[str]' * Always log response body. * Improved exception message if error JSON is Odata v4. * Refuse 'str' as a valid '[str]' type. * Better exception handling if input from server is not JSON valid. * Fix regression introduced in msrest 0.4.12 - dict syntax with enum modeled as string and enum used. * Fix regression introduced in msrest 0.4.12 - dict syntax using isodate.Duration. * Better Enum checking. 
+ Internal optimisation * Call that does not return a streamable object are now executed in requests stream mode False (was True whatever the type of the call). This should reduce the number of leaked opened session and allow urllib3 to manage connection pooling more efficiently. Only clients generated with Autorest.Python >= 2.1.31 (not impacted otherwise, fully backward compatible) + Deprecation * Trigger DeprecationWarning for _client.add_header and _client.send_formdata. python-adal - Update to version 1.0.2 python-isodate - Update to version 0.6.0 + Support incomplete month date. + Rely on duck typing when doing duration maths. + Support ':' as separator in fractional time zones. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2454-1 Released: Thu Oct 25 11:19:46 2018 Summary: Recommended update for python-pyOpenSSL Type: recommended Severity: moderate References: 1110435 This update for python-pyOpenSSL fixes the following issues: - Handle duplicate certificate addition using X509_STORE_add_cert so it works after upgrading to openssl 1.1.1. (bsc#1110435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2463-1 Released: Thu Oct 25 14:48:34 2018 Summary: Recommended update for timezone, timezone-java Type: recommended Severity: moderate References: 1104700,1112310 This update for timezone, timezone-java fixes the following issues: The timezone database was updated to 2018f: - Volgograd moves from +03 to +04 on 2018-10-28. - Fiji ends DST 2019-01-13, not 2019-01-20. 
- Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700) - Corrections to past timestamps of DST transitions - Use 'PST' and 'PDT' for Philippine time - minor code changes to zic handling of the TZif format - documentation updates Other bugfixes: - Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2485-1 Released: Fri Oct 26 12:38:01 2018 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1112928 This update for kmod provides the following fixes: - Allow 'modprobe -c' to print the status of 'allow_unsupported_modules' option. (bsc#1112928) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2486-1 Released: Fri Oct 26 12:38:27 2018 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1105068 This update for xfsprogs fixes the following issues: - Explicitly disable systemd unit files for scrub (bsc#1105068). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2487-1 Released: Fri Oct 26 12:39:07 2018 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1102526 This update for glibc fixes the following issues: - Fix build on aarch64 with binutils newer than 2.30. 
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2550-1 Released: Wed Oct 31 16:16:56 2018 Summary: Recommended update for timezone, timezone-java Type: recommended Severity: moderate References: 1113554 This update provides the latest time zone definitions (2018g), including the following change: - Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2569-1 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1110700 This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2595-1 Released: Wed Nov 7 11:14:42 2018 Summary: Security update for systemd Type: security Severity: important References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688 This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. 
(bsc#1113665) Non security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - core: introduce systemd.early_core_pattern= kernel cmdline option - core: add missing 'continue' statement - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - install: drop left-over debug message (#6913) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SysV init tool. - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. 
(bsc#1089761) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908) - core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944) - Enable or disable machines.target according to the presets (bsc#1107941) - cryptsetup: add support for sector-size= option (fate#325697) - nspawn: always use permission mode 555 for /sys (bsc#1107640) - Bugfix for a race condition between daemon-reload and other commands (bsc#1105031) - Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677) - Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901) - No longer adjusts qgroups on existing subvolumes (bsc#1093753) - cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2607-1 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several bugs fixed, quite a few new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. 
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2641-1 Released: Mon Nov 12 20:39:30 2018 Summary: Recommended update for nfsidmap Type: recommended Severity: moderate References: 1098217 This update for nfsidmap fixes the following issues: - Improve support for SAMBA with Active Directory. (bsc#1098217) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2742-1 Released: Thu Nov 22 13:28:36 2018 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 969953 This update for rpcbind fixes the following issues: - Fix tool stack buffer overflow aborting (bsc#969953) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2825-1 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Type: security Severity: important References: 1115640,CVE-2018-17953 This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2861-1 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Type: security Severity: important References: 1103320,1115929,CVE-2018-19211 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove screen.xterm from terminfo database as with this screen uses fallback TERM=screen (bsc#1103320). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2961-1 Released: Mon Dec 17 19:51:40 2018 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: 1098697,1112780 This update for psmisc provides the following fix: - Make the fuser option -m work even with mountinfo. (bsc#1098697) - Support also btrfs entries in mountinfo, that is use stat(2) to determine the device of the mounted subvolume (bsc#1098697, bsc#1112780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2984-1 Released: Wed Dec 19 11:32:39 2018 Summary: Security update for perl Type: security Severity: moderate References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314 This update for perl fixes the following issues: Security issues fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). - CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675). - CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681). - CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2986-1 Released: Wed Dec 19 13:53:22 2018 Summary: Security update for libnettle Type: security Severity: moderate References: 1118086,CVE-2018-16869 This update for libnettle fixes the following issues: Security issues fixed: - CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:23-1 Released: Mon Jan 7 16:30:33 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1120346,CVE-2018-1000858 This update for gpg2 fixes the following issue: Security issue fixed: - CVE-2018-1000858: Fixed a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:44-1 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. (bsc#953659) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:62-1 Released: Thu Jan 10 20:30:58 2019 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1119063 This update for xfsprogs fixes the following issues: - Fix root inode's parent when it's bogus for sf directory (xfs repair). (bsc#1119063) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:102-1 Released: Tue Jan 15 18:02:58 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1120402 This update for timezone fixes the following issues: - Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. 
(bsc#1120402) - Update 2018h: * Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 * New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move * Metlakatla, Alaska observes PST this winter only * Guess Morocco will continue to adjust clocks around Ramadan * Add predictions for Iran from 2038 through 2090 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:137-1 Released: Mon Jan 21 15:52:45 2019 Summary: Security update for systemd Type: security Severity: important References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954 This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498) - systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933) - systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723) - Fixed installation issue with /etc/machine-id during update (bsc#1117063) - btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - udev: Downgrade message when setting inotify watch up fails. (bsc#1005023) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. 
The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online. (bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:147-1 Released: Wed Jan 23 17:57:31 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1121446 This update for ca-certificates-mozilla fixes the following issues: The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446) Removed Root CAs: - AC Raiz Certicamara S.A. - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Visa eCommerce Root Added Root CAs: - Certigna Root CA (email and server auth) - GTS Root R1 (server auth) - GTS Root R2 (server auth) - GTS Root R3 (server auth) - GTS Root R4 (server auth) - OISTE WISeKey Global Root GC CA (email and server auth) - UCA Extended Validation Root (server auth) - UCA Global G2 Root (email and server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:170-1 Released: Fri Jan 25 13:43:29 2019 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1118629 This update for kmod fixes the following issues: - Fixes module dependency file corruption on parallel invocation (bsc#1118629). - Allows 'modprobe -c' to print the status of 'allow_unsupported_modules' option. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:215-1 Released: Thu Jan 31 15:59:57 2019 Summary: Security update for python3 Type: security Severity: important References: 1120644,1122191,CVE-2018-20406,CVE-2019-5010 This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191) - CVE-2018-20406: Fixed an integer overflow via a large LONG_BINPUT (bsc#1120644) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:247-1 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Type: security Severity: moderate References: 1123043,CVE-2019-6706 This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:369-1 Released: Wed Feb 13 14:01:42 2019 Summary: Recommended update for itstool Type: recommended Severity: moderate References: 1065270,1111019 This update for itstool and python-libxml2-python fixes the following issues: Package: itstool - Updated version to support Python3. (bnc#1111019) Package: python-libxml2-python - Fix segfault when parsing invalid data. 
(bsc#1065270) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:426-1 Released: Mon Feb 18 17:46:55 2019 Summary: Security update for systemd Type: security Severity: important References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 This update for systemd fixes the following issues: - CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - logind: fix bad error propagation - login: log session state 'closing' (as well as New/Removed) - logind: fix borked r check - login: don't remove all devices from PID1 when only one was removed - login: we only allow opening character devices - login: correct comment in session_device_free() - login: remember that fds received from PID1 need to be removed eventually - login: fix FDNAME in call to sd_pid_notify_with_fds() - logind: fd 0 is a valid fd - logind: rework sd_eviocrevoke() - logind: check file is device node before using .st_rdev - logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153) - core: add a new sd_notify() message for removing fds from the FD store again - logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) - fd-util: accept that kcmp might fail with EPERM/EACCES - core: Fix use after free case in load_from_path() (bsc#1121563) - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - core: free lines after reading them (bsc#1123892) - sd-bus: if we receive an invalid dbus message, ignore and proceed - automount: don't pass non-blocking pipe to kernel. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:571-1 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:641-1 Released: Tue Mar 19 13:17:28 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1112570,1114984,1114993 This update for glibc provides the following fixes: - Fix Haswell CPU string flags. (bsc#1114984) - Fix waiters-after-spinning case. (bsc#1114993) - Do not relocate absolute symbols. (bsc#1112570) - Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551) - Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962) - Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:700-1 Released: Thu Mar 21 19:54:00 2019 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1044840 This update for cyrus-sasl provides the following fix: - Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. 
By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:713-1 Released: Fri Mar 22 15:55:05 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1063675,1126590 This update for glibc fixes the following issues: - Add MAP_SYNC from Linux 4.15 (bsc#1126590) - Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590) - nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:732-1 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1088524,1118364,1128246 This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:788-1 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1119687,CVE-2018-20346 This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). 
Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:790-1 Released: Thu Mar 28 12:06:17 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1130557 This update for timezone fixes the following issues: timezone was updated 2019a: * Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23 * Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00 * Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25) * zic now has an -r option to limit the time range of output data ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:791-1 Released: Thu Mar 28 12:06:50 2019 Summary: Security update for libnettle Type: recommended Severity: moderate References: 1129598 This update for libnettle to version 3.4.1 fixes the following issues: Issues addressed and new features: - Updated to 3.4.1 (fate#327114 and bsc#1129598) - Fixed missing break statements in the parsing of PEM input files in pkcs1-conv. - Fixed a link error on the pss-mgf1-test which was affecting builds without public key support. - All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. - Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack, which is why the new function rsa_sec_decrypt is recommended. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:858-1 Released: Wed Apr 3 15:50:37 2019 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1120689,1126096 This update for libtirpc fixes the following issues: - Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096). - add an option to enforce connection via protocol version 2 first (bsc#1120689). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:903-1 Released: Mon Apr 8 15:41:44 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1100396,1122729,1130045,CVE-2016-10739 This update for glibc fixes the following issues: Security issue fixed: - CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729). Other issue fixed: - Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list due to missing compiler barriers (bsc#1130045). - Added new Japanese Era name support (bsc#1100396). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:966-1 Released: Wed Apr 17 12:20:13 2019 Summary: Recommended update for python-rpm-macros Type: recommended Severity: moderate References: 1128323 This update for python-rpm-macros fixes the following issues: The Python RPM macros were updated to version 20190408.32abece, fixing bugs (bsc#1128323) * Add missing $ expansion on the pytest call * Rewrite pytest and pytest_arch into Lua macros with multiple arguments. * We should preserve existing PYTHONPATH. * Add --ignore to pytest calls to ignore build directories. * Actually make pytest into function to capture arguments as well * Add pytest definitions. 
* Use upstream-recommended %{_rpmconfigdir}/macros.d directory for the rpm macros.
* Fix an issue with epoch printing having too many \
* add epoch while printing 'Provides:'
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:971-1
Released: Wed Apr 17 14:43:26 2019
Summary: Security update for python3
Type: security
Severity: important
References: 1129346,CVE-2019-9636

This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1002-1
Released: Wed Apr 24 10:13:34 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1110304,1129576

This update for zlib fixes the following issues:

- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released: Thu Apr 25 17:09:21 2019
Summary: Security update for samba
Type: security
Severity: important
References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880

This update for samba fixes the following issues:

Security issue fixed:

- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).

ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):

- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb

Non-security issues fixed:

- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide to the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1127-1
Released: Thu May 2 09:39:24 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937

This update for sqlite3 to version 3.28.0 fixes the following issues:

Security issues fixed:

- CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1156-1
Released: Mon May 6 13:46:07 2019
Summary: Security update for python-Jinja2
Type: security
Severity: important
References: 1125815,1132174,1132323,CVE-2016-10745,CVE-2019-10906,CVE-2019-8341

This update for python-Jinja2 to version 2.10.1 fixes the following issues:

Security issues fixed:

- CVE-2019-8341: Fixed a command injection in from_string() (bsc#1125815).
- CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1206-1
Released: Fri May 10 14:01:55 2019
Summary: Security update for bzip2
Type: security
Severity: low
References: 985657,CVE-2016-3189

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1221-1
Released: Mon May 13 13:28:42 2019
Summary: Security update for libxslt
Type: security
Severity: moderate
References: 1132160,CVE-2019-11068

This update for libxslt fixes the following issues:

Security issue fixed:

- CVE-2019-11068: Fixed a protection mechanism bypass where callers of xsltCheckRead() and xsltCheckWrite() would permit access upon receiving an error (bsc#1132160).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1312-1
Released: Wed May 22 12:19:12 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1096191

This update for aaa_base fixes the following issue:

* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1352-1
Released: Fri May 24 14:41:44 2019
Summary: Security update for python3
Type: security
Severity: moderate
References: 1130840,1133452,CVE-2019-9947

This update for python3 to version 3.6.8 fixes the following issues:

Security issue fixed:

- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840).

Non-security issue fixed:

- Fixed broken debuginfo packages by switching off LTO and PGO optimization (bsc#1133452).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1364-1
Released: Tue May 28 10:51:38 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352).
- CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509).

Non-security issues fixed:

- logind: fix killing of scopes (bsc#1125604)
- namespace: make MountFlags=shared work again (bsc#1124122)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- Do not automatically online memory on s390x (bsc#1127557)
- Removed sg.conf (bsc#1036463)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1368-1
Released: Tue May 28 13:15:38 2019
Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root
Type: security
Severity: important
References: 1134524,CVE-2019-5021

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1372-1
Released: Tue May 28 16:53:28 2019
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1105435,CVE-2018-1000654

This update for libtasn1 fixes the following issues:

Security issue fixed:

- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1484-1
Released: Thu Jun 13 07:46:46 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1128383

This update for e2fsprogs fixes the following issues:

- Check and fix tails of all bitmap blocks (bsc#1128383)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1486-1
Released: Thu Jun 13 09:40:24 2019
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665

This update for elfutils fixes the following issues:

Security issues fixed:

- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
- CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
- CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of
  sections and the number of segments in a crafted ELF file (bsc#1033090)
- CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
- CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
- CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726)
- CVE-2018-18521: Fixed denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1487-1
Released: Thu Jun 13 09:40:56 2019
Summary: Security update for python-requests
Type: security
Severity: moderate
References: 1111622,CVE-2018-18074

This update for python-requests to version 2.20.1 fixes the following issues:

Security issue fixed:

- CVE-2018-18074: Fixed an information disclosure vulnerability of the HTTP Authorization header (bsc#1111622).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1595-1
Released: Fri Jun 21 10:17:44 2019
Summary: Security update for dbus-1
Type: security
Severity: important
References: 1137832,CVE-2019-12749

This update for dbus-1 fixes the following issues:

Security issue fixed:

- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1616-1
Released: Fri Jun 21 11:04:39 2019
Summary: Recommended update for rpcbind
Type: recommended
Severity: moderate
References: 1134659

This update for rpcbind fixes the following issues:

- Change rpcbind locking path from /var/run/rpcbind.lock to /run/rpcbind.lock. (bsc#1134659)
- Change the order of socket/service in the %postun scriptlet to avoid an error from rpcbind.socket when rpcbind is running during package update.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1627-1
Released: Fri Jun 21 11:15:11 2019
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1073421,1122271,1129859

This update for xfsprogs fixes the following issues:

- xfs_repair: will now allow '/' in attribute names (bsc#1122271)
- xfs_repair: will now allow zeroing of corrupt log (bsc#1073421)
- Enabled offline (unmounted) filesystem geometry queries (bsc#1129859)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1631-1
Released: Fri Jun 21 11:17:21 2019
Summary: Recommended update for xz
Type: recommended
Severity: low
References: 1135709

This update for xz fixes the following issues:

Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1635-1
Released: Fri Jun 21 12:45:53 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1134217

This update for krb5 provides the following fix:

- Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap.
  (bsc#1134217)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1700-1
Released: Tue Jun 25 13:19:21 2019
Summary: Security update for libssh
Type: recommended
Severity: moderate
References: 1134193

This update for libssh fixes the following issue:

Issue addressed:

- Added support for new AES-GCM encryption types (bsc#1134193).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1808-1
Released: Wed Jul 10 13:16:29 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1133808

This update for libgcrypt fixes the following issues:

- Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1815-1
Released: Thu Jul 11 07:47:55 2019
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1140016

This update for timezone fixes the following issues:

- Timezone update 2019b. (bsc#1140016):
  - Brazil no longer observes DST.
  - 'zic -b slim' outputs smaller TZif files.
  - Palestine's 2019 spring-forward transition was on 03-29, not 03-30.
  - Add info about the Crimea situation.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1835-1
Released: Fri Jul 12 18:06:31 2019
Summary: Security update for expat
Type: security
Severity: moderate
References: 1139937,CVE-2018-20843

This update for expat fixes the following issues:

Security issue fixed:

- CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large number of colons (bsc#1139937).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1846-1
Released: Mon Jul 15 11:36:33 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

Security issue fixed:

- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1853-1
Released: Mon Jul 15 16:03:36 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1107617,1137053

This update for systemd fixes the following issues:

- conf-parse: remove 4K line length limit (bsc#1137053)
- udevd: change the default value of udev.children-max (again) (bsc#1107617)
- meson: stop creating enablement symlinks in /etc during installation (sequel)
- Fixed build for openSUSE Leap 15+
- Make sure we don't ship any static enablement symlinks in /etc.
  Those symlinks must only be created by the presets. There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1877-1
Released: Thu Jul 18 11:31:46 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169

This update for glibc fixes the following issues:

Security issues fixed:

- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).
Non-security issues fixed:

- No longer compresses debug sections in crt*.o files (bsc#1123710)
- Fixes a concurrency problem in ldconfig (bsc#1117993)
- Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1971-1
Released: Thu Jul 25 14:58:52 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1138939,CVE-2019-12904

This update for libgcrypt fixes the following issues:

Security issue fixed:

- CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1994-1
Released: Fri Jul 26 16:12:05 2019
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1135123

This update for libxml2 fixes the following issues:

- Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2004-1
Released: Mon Jul 29 13:01:59 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:

- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2006-1
Released: Mon Jul 29 13:02:49 2019
Summary: Security update for gpg2
Type: security
Severity: important
References: 1124847,1141093,CVE-2019-13050

This update for gpg2 fixes the following issues:

Security issue fixed:

- CVE-2019-13050: Fixed denial of service attacks via big keys (bsc#1141093).
Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2050-1
Released: Tue Aug 6 09:42:37 2019
Summary: Security update for python3
Type: security
Severity: important
References: 1094814,1138459,1141853,CVE-2018-20852,CVE-2019-10160

This update for python3 fixes the following issues:

Security issues fixed:

- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be sent to the wrong server because of incorrect domain validation (bsc#1141853).

Non-security issue fixed:

- Fixed an issue where the SIGINT signal was ignored or not handled (bsc#1094814).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2097-1
Released: Fri Aug 9 09:31:17 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1097073

This update for libgcrypt fixes the following issues:

- Fixed a regression where systems were unable to boot in fips mode, caused by an incomplete implementation of a previous change (bsc#1097073).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2134-1
Released: Wed Aug 14 11:54:56 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1136717,1137624,1141059,SLE-5807

This update for zlib fixes the following issues:

- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements.
  (jsc#SLE-5807, bsc#1136717)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2188-1
Released: Wed Aug 21 10:10:29 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1140647

This update for aaa_base fixes the following issues:

- Make systemd detection cgroup oblivious. (bsc#1140647)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2218-1
Released: Mon Aug 26 11:29:57 2019
Summary: Recommended update for pinentry
Type: recommended
Severity: moderate
References: 1141883

This update for pinentry fixes the following issues:

- Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169

This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to the 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)

Removed CAs:

- Certinomis - Root CA

Includes new root CAs from the 2.32 version:

- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2306-1
Released: Thu Sep 5 14:39:23 2019
Summary: Recommended update for parted
Type: recommended
Severity: moderate
References: 1082318,1136245

This update for parted fixes the following issues:

- Included several minor bug fixes - for more details please refer to this rpm's changelog (bsc#1136245)
- Installs the license file in the correct directory (bsc#1082318)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2332-1
Released: Mon Sep 9 10:17:16 2019
Summary: Security update for python-urllib3
Type: security
Severity: moderate
References: 1129071,1132663,1132900,CVE-2019-11236,CVE-2019-11324,CVE-2019-9740

This update for python-urllib3 fixes the following issues:

Security issues fixed:

- CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071).
- CVE-2019-11324: Fixed invalid CA certificate verification (bsc#1132900).
- CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2365-1
Released: Thu Sep 12 11:23:31 2019
Summary: Security update for python-Werkzeug
Type: security
Severity: moderate
References: 1145383,CVE-2019-14806

This update for python-Werkzeug fixes the following issues:

Security issue fixed:

- CVE-2019-14806: Fixed the development server in Docker, the debugger security pin is now unique per container (bsc#1145383).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:

- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2422-1
Released: Fri Sep 20 16:36:43 2019
Summary: Recommended update for python-urllib3
Type: recommended
Severity: moderate
References: 1150895

This update for python-urllib3 fixes the following issues:

- Add missing dependency on python-six (bsc#1150895)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132

This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

Following settings have been tightened (and set to 0):

- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2429-1
Released: Mon Sep 23 09:28:40 2019
Summary: Security update for expat
Type: security
Severity: moderate
References: 1149429,CVE-2019-15903

This update for expat fixes the following issues:

Security issues fixed:

- CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2483-1
Released: Fri Sep 27 14:16:23 2019
Summary: Optional update for python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate.
Type: optional
Severity: low
References: 1088358

This update ships python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate for the SUSE Linux Enterprise Public Cloud 15 module.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2517-1
Released: Wed Oct 2 10:49:20 2019
Summary: Security update for libseccomp
Type: security
Severity: moderate
References: 1082318,1128828,1142614,CVE-2019-9893

This update for libseccomp fixes the following issues:

Security issues fixed:

- CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828)

libseccomp was updated to new upstream release 2.4.1:

- Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks.

libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893):

- Update the syscall table for Linux v5.0-rc5
- Added support for the SCMP_ACT_KILL_PROCESS action
- Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
- Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
- Added support for the parisc and parisc64 architectures
- Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
- Return -EDOM on an endian mismatch when adding an architecture to a filter
- Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
- Fix PFC generation when a syscall is prioritized, but no rule exists
- Numerous fixes to the seccomp-bpf filter generation code
- Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
- Numerous tests added to the included test suite, coverage now at ~92%
- Update our Travis CI configuration to use Ubuntu 16.04
- Numerous documentation fixes and updates

libseccomp was updated to release 2.3.3:

- Updated the syscall table for Linux v4.15-rc7
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168

This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2647-1
Released: Fri Oct 11 17:12:06 2019
Summary: Recommended update for python-pyOpenSSL
Type: recommended
Severity: moderate
References: 1149792

This update for python-pyOpenSSL fixes the following issues:

- Adds compatibility for openSSL 1.1.1d (bsc#1149792)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2656-1
Released: Mon Oct 14 17:02:24 2019
Summary: Security update for sudo
Type: security
Severity: important
References: 1153674,CVE-2019-14287

This update for sudo fixes the following issue:

- CVE-2019-14287: Fixed an issue where a user with sudo privileges that allowed them to run commands with an arbitrary uid, could run commands as root, despite being forbidden to do so in sudoers (bsc#1153674).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094

This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

Non-security issue fixed:

- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2693-1
Released: Wed Oct 16 16:43:30 2019
Summary: Recommended update for rpcbind
Type: recommended
Severity: moderate
References: 1142343

This update for rpcbind fixes the following issues:

- Return correct IP address with multiple ip addresses in the same subnet.
  (bsc#1142343)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

Following security issues were fixed:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:

- Fix CPU summary showing old data.
  (bsc#1121753)

The update to 3.3.15 contains the following fixes:

* library: Increment to 8:0:1
  No removals, no new functions
  Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert 'Support running with child namespaces'
* library: Increment to 7:0:1
  No changes, no removals
  New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: don't use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch
  for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released: Wed Oct 23 17:21:17 2019
Summary: Security update for lz4
Type: security
Severity: moderate
References: 1153936,CVE-2019-17543
This update for lz4 fixes the following issues:

- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2762-1
Released: Thu Oct 24 07:08:44 2019
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1150451
This update for timezone fixes the following issues:

- Fiji observes DST from 2019-11-10 to 2020-01-12.
- Norfolk Island starts observing Australian-style DST.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2779-1
Released: Thu Oct 24 16:57:42 2019
Summary: Security update for binutils
Type: security
Severity: moderate
References: 1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118644,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,1152590,1154016,1154025,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945,CVE-2019-1010180,ECO-368,SLE-6206
This update for binutils fixes the following issues:

binutils was updated to current 2.32 branch [jsc#ECO-368].

Includes following security fixes:

- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer
  dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)

- enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs (bsc#1141913).
- Fixed some LTO build issues (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section
- Fixed a segfault in ld when building some versions of pacemaker (bsc#1154025, bsc#1154016).
- Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses (bsc#1152590).

Update to binutils 2.32:

* The binutils now support for the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control encoding of VEX.W-ignored (WIG) VEX instructions. It also has a new -mx86-used-note=[yes|no] option to generate (or not) x86 GNU property notes.
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2), the Loongson EXTensions (EXT) instructions, the Loongson Content Address Memory (CAM) ASE and the Loongson MultiMedia extensions Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default limit on the maximum amount of recursion that is allowed whilst demangling strings. This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter, specifying the starting symbol for disassembly. Disassembly will continue from this symbol up to the next symbol or the end of the function.
* The BFD linker will now report property change in linker map file when merging GNU properties.
* The BFD linker's -t option now doesn't report members within archives, unless -t is given twice. This makes it more useful when generating a list of files that should be packaged for a linker bug report.
* The GOLD linker has improved warning messages for relocations that refer to discarded sections.

- Improve relro support on s390 [fate#326356]
- Fix broken debug symbols (bsc#1118644)
- Handle ELF compressed header alignment correctly.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2782-1
Released: Fri Oct 25 14:27:52 2019
Summary: Security update for nfs-utils
Type: security
Severity: moderate
References: 1150733,CVE-2019-3689
This update for nfs-utils fixes the following issues:

- CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2802-1
Released: Tue Oct 29 11:39:05 2019
Summary: Security update for python3
Type: security
Severity: moderate
References: 1149121,1149792,1149955,1151490,1153238,CVE-2019-16056,CVE-2019-16935,PM-1350,SLE-9426
This update for python3 to 3.6.9 fixes the following issues:

Security issues fixed:

- CVE-2019-16056: Fixed a parser issue in the email module.
  (bsc#1149955)
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).

Non-security issues fixed:

- Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490)
- Improved locale handling by implementing PEP 538.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released: Tue Oct 29 14:57:55 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1140631,1145023,1150595,SLE-7687
This update for systemd provides the following fixes:

- Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit.
  (bsc#1145023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released: Thu Oct 31 08:09:14 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1051143,1138869,1151023
This update for aaa_base provides the following fixes:

- Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2891-1
Released: Mon Nov 4 17:47:10 2019
Summary: Security update for python-ecdsa
Type: security
Severity: moderate
References: 1153165,1154217,CVE-2019-14853,CVE-2019-14859
This update for python-ecdsa to version 0.13.3 fixes the following issues:

Security issues fixed:

- CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165).
- CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2929-1
Released: Thu Nov 7 16:45:13 2019
Summary: Recommended update for python-kubernetes
Type: recommended
Severity: moderate
References: 1151481
This update for python-kubernetes fixes the following issues:

- python-ipaddress is only required for building on Python2 (on Python3 is part of the standard library)
- Backport fix for base64 padding in kubeconfig (bsc#1151481)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released: Thu Nov 14 11:53:03 2019
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1133773,1143055
This update for bash fixes the following issues:

- Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?'
  to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm'
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595
This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:

- Removed screen.xterm from terminfo database (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released: Mon Nov 25 17:33:07 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866
This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Type: security
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536
This update includes the GNU Compiler Collection 9.

A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.

To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released: Tue Nov 26 12:39:29 2019
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1152755
This update for gpg2 provides the following fix:

- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released: Thu Nov 28 10:02:24 2019
Summary: Security update for libidn2
Type: security
Severity: moderate
References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224
This update for libidn2 to version 2.2.0 fixes the following issues:

- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released: Thu Nov 28 10:03:00 2019
Summary: Security update for libxml2
Type: security
Severity: low
References: 1123919
This update for libxml2 doesn't fix any additional security issues, but correct its rpm changelog to reflect all CVEs that have been fixed over the past.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released: Fri Nov 29 14:41:35 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1154295
This update for e2fsprogs fixes the following issues:

- Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released: Wed Dec 4 11:24:42 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1007715,1084934,1157278
This update for aaa_base fixes the following issues:

- Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released: Tue Dec 10 10:40:19 2019
Summary: Recommended update for ca-certificates-mozilla, p11-kit
Type: recommended
Severity: moderate
References: 1154871
This update for ca-certificates-mozilla, p11-kit fixes the following issues:

Changes in ca-certificates-mozilla:

- export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).

Changes in p11-kit:

- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released: Wed Dec 11 11:19:53 2019
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released: Fri Dec 27 13:33:29 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1148987,1155338,1155339,CVE-2019-13627
This update for libgcrypt fixes the following issues:

Security issues fixed:

- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

Bug fixes:

- Added CMAC AES self test (bsc#1155339).
- Added CMAC TDES self test missing (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:9-1
Released: Thu Jan 2 12:33:47 2020
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1157438
This update for xfsprogs fixes the following issues:

- Remove the 'xfs_scrub_all' script from the package, and the corresponding dependency of python. (bsc#1157438)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:36-1
Released: Wed Jan 8 10:26:46 2020
Summary: Recommended update for python-pyOpenSSL
Type: recommended
Severity: low
References: 1159989
This update fixes the build of python-pyOpenSSL in 2020 (bsc#1159989).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:114-1
Released: Thu Jan 16 10:11:52 2020
Summary: Security update for python3
Type: security
Severity: important
References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
This update for python3 to version 3.6.10 fixes the following issues:

- CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507).
- CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955).
- CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:119-1
Released: Thu Jan 16 15:42:39 2020
Summary: Recommended update for python-jsonpatch
Type: recommended
Severity: moderate
References: 1160978
This update for python-jsonpatch fixes the following issues:

- Drop jsondiff binary to avoid conflict with python-jsondiff package.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released: Mon Jan 20 09:21:13 2020
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released: Fri Jan 24 06:49:07 2020
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1158830
This update for procps fixes the following issues:

- Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:256-1
Released: Wed Jan 29 09:39:17 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1157794,1160970
This update for aaa_base fixes the following issues:

- Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:262-1
Released: Thu Jan 30 11:02:42 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126
This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).

Bug fixes:

- Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893).
- Fixed Hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:265-1
Released: Thu Jan 30 14:05:34 2020
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1160571,CVE-2019-5188
This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released: Fri Jan 31 12:01:39 2020
Summary: Recommended update for p11-kit
Type: recommended
Severity: moderate
References: 1013125
This update for p11-kit fixes the following issues:

- Also build documentation (bsc#1013125)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released: Thu Feb 6 11:37:24 2020
Summary: Security update for systemd
Type: security
Severity: important
References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712
This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm trigger???
  (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
  * shell-completion: systemctl: do not list template units in {re,}start
  * shell-completion: systemctl: pass current word to all list_unit*
  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
  * bash-completion: systemctl: use systemctl --no-pager
  * bash-completion: also suggest template unit files
  * bash-completion: systemctl: add missing options and verbs
  * bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot
  option to not use swap at system start (jsc#SLE-7689)
- Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released: Thu Feb 6 13:03:22 2020
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1158921
This update for openldap2 provides the following fix:

- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:340-1
Released: Thu Feb 6 13:03:56 2020
Summary: Recommended update for python-rpm-macros
Type: recommended
Severity: moderate
References: 1161770
This update for python-rpm-macros fixes the following issues:

- Add macros related to the Python dist metadata dependency generator. (bsc#1161770)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:408-1
Released: Wed Feb 19 09:32:46 2020
Summary: Security update for sudo
Type: security
Severity: important
References: 1162202,1162675,CVE-2019-18634
This update for sudo fixes the following issues:

Security issue fixed:

- CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202).

Non-security issue fixed:

- Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released: Tue Feb 25 10:50:35 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1155337,1161215,1161216,1161218,1161219,1161220
This update for libgcrypt fixes the following issues:

- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:453-1
Released: Tue Feb 25 10:51:53 2020
Summary: Recommended update for binutils
Type: recommended
Severity: moderate
References: 1160590
This update for binutils fixes the following issues:

- Recognize the official name of s390 arch13: 'z15'. (bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:462-1
Released: Tue Feb 25 11:49:30 2020
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1158504,1158509,1158630,1158758
This update for xfsprogs fixes the following issues:

- Allow the filesystem utility xfs_io to suffix sizes with k,m,g for kilobytes, megabytes or gigabytes respectively. (bsc#1158630)
- Validate extent size hint parameters through libxfs to avoid output mismatch. (bsc#1158509)
- Fix for 'xfs_repair' not to fail recovery of orphaned shortform directories. (bsc#1158504)
- Fix for 'xfs_quota' to avoid false error reporting of project inheritance flag is not set.
  (bsc#1158758)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:467-1
Released: Tue Feb 25 12:00:39 2020
Summary: Security update for python3
Type: security
Severity: moderate
References: 1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492
This update for python3 fixes the following issues:

Security issues fixed:

- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).

Non-security issue fixed:

- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released: Tue Feb 25 14:23:14 2020
Summary: Recommended update for perl
Type: recommended
Severity: moderate
References: 1102840,1160039
This update for perl fixes the following issues:

- Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released: Tue Feb 25 17:38:22 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1160735
This update for aaa_base fixes the following issues:

- Change 'rp_filter' to increase the default priority to ethernet over the wifi.
(bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:498-1 Released: Wed Feb 26 17:59:44 2020 Summary: Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized Type: recommended Severity: moderate References: 1122669,1136184,1146853,1146854,1159018 This update for aws-cli, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized, python-boto3, python-botocore, python-s3transfer fixes the following issues: python-aws-sam-translator was updated to 1.11.0 (bsc#1159018, jsc#PM-1507): Upgrade to 1.11.0: * Add ReservedConcurrentExecutions to globals * Fix ElasticsearchHttpPostPolicy resource reference * Support using AWS::Region in Ref and Sub * Documentation and examples updates * Add VersionDescription property to Serverless::Function * Update ServerlessRepoReadWriteAccessPolicy * Add additional template validation Upgrade to 1.10.0: * Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy * Add DynamoDBReconfigurePolicy * Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy * Add EKSDescribePolicy * Add SESBulkTemplatedCrudPolicy * Add FilterLogEventsPolicy * Add SSMParameterReadPolicy * Add SESEmailTemplateCrudPolicy * Add s3:PutObjectAcl to S3CrudPolicy * Add allow_credentials CORS option * Add support for AccessLogSetting and CanarySetting Serverless::Api properties * Add support for X-Ray in Serverless::Api * Add support for MinimumCompressionSize in Serverless::Api * Add Auth to Serverless::Api globals * Remove trailing slashes from APIGW permissions * Add SNS FilterPolicy and an example application * Add Enabled property to Serverless::Function event sources * Add support for PermissionsBoundary in Serverless::Function * Fix boto3 client initialization * Add PublicAccessBlockConfiguration property to S3 bucket resource * Make PAY_PER_REQUEST default mode for 
Serverless::SimpleTable * Add limited support for resolving intrinsics in Serverless::LayerVersion * SAM now uses Flake8 * Add example application for S3 Events written in Go * Updated several example applications python-cfn-lint was added in version 0.21.4: - Add upstream patch to fix EOL dates for lambda runtimes - Add upstream patch to fix test_config_expand_paths test - Rename to python-cfn-lint. This package has a python API, which is required by python-moto. Update to version 0.21.4: + Features * Include more resource types in W3037 + CloudFormation Specifications * Add Resource Type `AWS::CDK::Metadata` + Fixes * Uncap requests dependency in setup.py * Check Join functions have lists in the correct sections * Pass a parameter value for AutoPublishAlias when doing a Transform * Show usage examples when displaying the help Update to version 0.21.3 + Fixes * Support dumping strings for datetime objects when doing a Transform Update to version 0.21.2 + CloudFormation Specifications * Update CloudFormation specs to 3.3.0 * Update instance types from pricing API as of 2019.05.23 Update to version 0.21.1 + Features * Add `Info` logging capability and set the default logging to `NotSet` + Fixes * Only do rule logging (start/stop/time) when the rule is going to be called * Update rule E1019 to allow `Fn::Transform` inside a `Fn::Sub` * Update rule W2001 to not break when `Fn::Transform` inside a `Fn::Sub` * Update rule E2503 to allow conditions to be used and to not default to `network` load balancer when an object is used for the Load Balancer type Update to version 0.21.0 + Features * New rule E3038 to check if a Serverless resource includes the appropriate Transform * New rule E2531 to validate a Lambda's runtime against the deprecated dates * New rule W2531 to validate a Lambda's runtime against the EOL dates * Update rule E2541 to include updates to Code Pipeline capabilities * Update rule E2503 to include checking of values for load balancer attributes + 
CloudFormation Specifications * Update CloudFormation specs to 3.2.0 * Update instance types from pricing API as of 2019.05.20 + Fixes * Include setuptools in setup.py requires Update to version 0.20.3 + CloudFormation Specifications * Update instance types from pricing API as of 2019.05.16 + Fixes * Update E7001 to allow float/doubles for mapping values * Update W1020 to check pre-transformed Fn::Sub(s) to determine if a Sub is needed * Pin requests to be below or equal to 2.21.0 to prevent issues with botocore Update to version 0.20.2 + Features * Add support for List Parameter types + CloudFormation Specifications * Add allowed values for AWS::EC2 EIP, FlowLog, CustomerGateway, DHCPOptions, EC2Fleet * Create new property type for Security Group IDs or Names * Add new Lambda runtime environment for NodeJs 10.x * Move AWS::ServiceDiscovery::Service Health checks from Only One to Exclusive * Update Glue Crawler Role to take an ARN or a name * Remove PrimitiveType from MaintenanceWindowTarget Targets * Add Min/Max values for Load Balancer Ports to be between 1-65535 + Fixes * Include License file in the pypi package to help with downstream projects * Filter out dynamic references from rule E3031 and E3030 * Convert Python linting and Code Coverage from Python 3.6 to 3.7 Update to version 0.20.1 + Fixes * Update rule E8003 to support more functions inside a Fn::Equals Update to version 0.20.0 + Features * Allow a rule's exception to be defined in a resource's metadata * Add rule configuration capabilities * Update rule E3012 to allow for non strict property checking * Add rule E8003 to test Fn::Equals structure and syntax * Add rule E8004 to test Fn::And structure and syntax * Add rule E8005 to test Fn::Not structure and syntax * Add rule E8006 to test Fn::Or structure and syntax * Include Path to error in the JSON output * Update documentation to describe how to install cfn-lint from brew + CloudFormation Specifications * Update CloudFormation specs to version 3.0.0 
* Add new region ap-east-1 * Add list min/max and string min/max for CloudWatch Alarm Actions * Add allowed values for EC2::LaunchTemplate * Add allowed values for EC2::Host * Update allowed values for Amazon MQ to include 5.15.9 * Add AWS::Greengrass::ResourceDefinition to GreenGrass supported regions * Add AWS::EC2::VPCEndpointService to all regions * Update AWS::ECS::TaskDefinition ExecutionRoleArn to be a IAM Role ARN * Patch spec files for SSM MaintenanceWindow to look for Target and not Targets * Update ManagedPolicyArns list size to be 20 which is the hard limit. 10 is the soft limit. + Fixes * Fix rule E3033 to check the string size when the string is inside a list * Fix an issue in which AWS::NotificationARNs was not a list * Add AWS::EC2::Volume to rule W3010 * Fix an issue with W2001 where SAM translate would remove the Ref to a parameter causing this error to falsely trigger * Fix rule W3010 to not error when the availability zone is 'all' Update to version 0.19.1 + Fixes * Fix core Condition processing to support direct Condition in another Condition * Fix the W2030 to check numbers against string allowed values Update to version 0.19.0 + Features * Add NS and PTR Route53 record checking to rule E3020 * New rule E3050 to check if a Ref to IAM Role has a Role path of '/' * New rule E3037 to look for duplicates in a list that doesn't support duplicates * New rule I3037 to look for duplicates in a list when duplicates are allowed + CloudFormation Specifications * Add Min/Max values to AWS::ElasticLoadBalancingV2::TargetGroup HealthCheckTimeoutSeconds * Add Max JSON size to AWS::IAM::ManagedPolicy PolicyDocument * Add allowed values for AWS::EC2 SpotFleet, TransitGateway, NetworkAcl NetworkInterface, PlacementGroup, and Volume * Add Min/max values to AWS::Budgets::Budget.Notification Threshold * Update RDS Instance types by database engine and license definitions using the pricing API * Update AWS::CodeBuild::Project ServiceRole to support Role Name or ARN 
* Update AWS::ECS::Service Role to support Role Name or ARN + Fixes * Update E3025 to support the new structure of data in the RDS instance type json * Update E2540 to remove all nested conditions from the object * Update E3030 to not do strict type checking * Update E3020 to support conditions nested in the record sets * Update E3008 to better handle CloudFormation sub stacks with different GetAtt formats Update to version 0.18.1 + CloudFormation Specifications * Update CloudFormation Specs to 2.30.0 * Fix IAM Regex Path to support more character types * Update AWS::Batch::ComputeEnvironment.ComputeResources InstanceRole to reference an InstanceProfile or GetAtt the InstanceProfile Arn * Allow VPC IDs to Ref a Parameter of type String + Fixes * Fix E3502 to check the size of the property instead of the parent object Update to version 0.18.0 + Features * New rule E3032 to check the size of lists * New rule E3502 to check JSON Object Size using definitions in the spec file * New rule E3033 to test the minimum and maximum length of a string * New rule E3034 to validate the min and max of a number * Remove Ebs Iops check from E2504 and use rule E3034 instead * Remove rule E2509 and use rule E3033 instead * Remove rule E2508 as it replaced by E3032 and E3502 * Update rule E2503 to check that there are at least two 2 Subnets or SubnetMappings for ALBs * SAM requirement upped to minimal version of 1.10.0 + CloudFormation Specifications * Extend specs to include: > `ListMin` and `ListMax` for the minimum and maximum size of a list > `JsonMax` to check the max size of a JSON Object > `StringMin` and `StringMax` to check the minimum and maximum length of a String > `NumberMin` and `NumberMax` to check the minimum and maximum value of a Number, Float, Long * Update State and ExecutionRoleArn to be required on AWS::DLM::LifecyclePolicy * Add AllowedValues for PerformanceInsightsRetentionPeriod for AWS::RDS::Instance * Add AllowedValues for the AWS::GuardDuty Resources * Add 
AllowedValues for AWS::EC2 VPC and VPN Resources * Switch IAM Instance Profiles for certain resources to the type that only takes the name * Add regex pattern for IAM Instance Profile when a name (not Arn) is used * Add regex pattern for IAM Paths * Add Regex pattern for IAM Role Arn * Update OnlyOne spec to require at least one of Subnets or SubnetMappings with ELB v2 + Fixes * Fix serverless transform to use DefinitionBody when Auth is in the API definition * Fix rule W2030 to not error when checking SSM or List Parameters Update to version 0.17.1 + Features * Update rule E2503 to make sure NLBs don't have a Security Group configured + CloudFormation Specifications * Add all the allowed values of the `AWS::Glue` Resources * Update OnlyOne check for `AWS::CloudWatch::Alarm` to only `MetricName` or `Metrics` * Update Exclusive check for `AWS::CloudWatch::Alarm` for properties mixed with `Metrics` and `Statistic` * Update CloudFormation specs to 2.29.0 * Fix type with MariaDB in the AllowedValues * Update pricing information for data available on 2018.3.29 + Fixes * Fix rule E1029 to not look for a sub is needed when looking for iot strings in policies * Fix rule E2541 to allow for ActionId Versions of length 1-9 and meets regex `[0-9A-Za-z_-]+` * Fix rule E2532 to allow for `Parameters` inside a `Pass` action * Fix an issue when getting the location of an error in which numbers are causing an attribute error Update to version 0.17.0 + Features * Add new rule E3026 to validate Redis cluster settings including AutomaticFailoverEnabled and NumCacheClusters. Status: Released * Add new rule W3037 to validate IAM resource policies.
Status: Experimental * Add new parameter `-e/--include-experimental` to allow for new rules in that aren't ready to be fully released + CloudFormation Specifications * Update Spec files to 2.28.0 * Add all the allowed values of the AWS::Redshift::* Resources * Add all the allowed values of the AWS::Neptune::* Resources * Patch spec to make AWS::CloudFront::Distribution.LambdaFunctionAssociation.LambdaFunctionARN required * Patch spec to make AWS::DynamoDB::Table AttributeDefinitions required + Fixes * Remove extra blank lines when there is no errors in the output * Add exception to rule E1029 to have exceptions for EMR CloudWatchAlarmDefinition * Update rule E1029 to allow for literals in a Sub * Remove sub checks from rule E3031 as it won't match in all cases of an allowed pattern regex check * Correct typos for errors in rule W1001 * Switch from parsing a template as Yaml to Json when finding an escape character * Fix an issue with SAM related to transforming templates with Serverless Application and Lambda Layers * Fix an issue with rule E2541 when non strings were used for Stage Names Update to version 0.16.0 + Features * Add rule E3031 to look for regex patterns based on the patched spec file * Remove regex checks from rule E2509 * Add parameter `ignore-templates` to allow the ignoring of templates when doing bulk linting + CloudFormation Specifications * Update Spec files to 2.26.0 * Add all the allowed values of the AWS::DirectoryService::* Resources * Add all the allowed values of the AWS::DynamoDB::* Resources * Added AWS::Route53Resolver resources to the Spec Patches of ap-southeast-2 * Patch the spec file with regex patterns * Add all the allowed values of the AWS::DocDb::* Resources + Fixes * Update rule E2504 to have '20000' as the max value * Update rule E1016 to not allow ImportValue inside of Conditions * Update rule E2508 to check conditions when providing limit checks on managed policies * Convert unicode to strings when in Py 3.4/3.5 and updating 
specs * Convert from `awslabs` to `aws-cloudformation` organization * Remove suppression of logging that was removed from samtranslator >1.7.0 and incompatibility with samtranslator 1.10.0 Update to version 0.15.0 + Features * Add scaffolding for arbitrary Match attributes, adding attributes for Type checks * Add rule E3024 to validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST + CloudFormation Specifications * Update Spec files to 2.24.0 * Update OnlyOne spec to have BlockDeviceMapping to include NoDevice with Ebs and VirtualName * Add all the allowed values of the AWS::CloudFront::* Resources * Add all the allowed values of the AWS::DAX::* Resources + Fixes * Update config parsing to use the builtin Yaml decoder * Add condition support for Inclusive E2521, Exclusive E2520, and AtLeastOne E2522 rules * Update rule E1029 to better check Resource strings inside IAM Policies * Improve the line/column information of a Match with array support Update to version 0.14.1 + CloudFormation Specifications * Update CloudFormation Specs to version 2.23.0 * Add allowed values for AWS::Config::* resources * Add allowed values for AWS::ServiceDiscovery::* resources * Fix allowed values for Apache MQ + Fixes * Update rule E3008 to not error when using a list from a custom resource * Support simple types in the CloudFormation spec * Add tests for the formatters Update to version 0.14.0 + Features * Add rule E3035 to check the values of DeletionPolicy * Add rule E3036 to check the values of UpdateReplacePolicy * Add rule E2014 to check that there are no REFs in the Parameter section * Update rule E2503 to support TLS on NLBs + CloudFormation Specifications * Update CloudFormation spec to version 2.22.0 * Add allowed values for AWS::Cognito::* resources + Fixes * Update rule E3002 to allow GetAtts to Custom Resources under a Condition Update to version 0.13.2 + Features * Introducing the cfn-lint logo! 
* Update SAM dependency version + Fixes * Fix CloudWatchAlarmComparisonOperator allowed values. * Fix typo resoruce_type_spec in several files * Better support for nested And, Or, and Not when processing Conditions Update to version 0.13.1 + CloudFormation Specifications * Add allowed values for AWS::CloudTrail::Trail resources * Patch spec to have AWS::CodePipeline::CustomActionType Version included + Fixes * Fix conditions logic to use AllowedValues when REFing a Parameter that has AllowedValues specified Update to version 0.13.0 + Features * New rule W1011 to check if a FindInMap is using the correct map name and keys * New rule W1001 to check if a Ref/GetAtt to a resource that exists when Conditions are used * Removed logic in E1011 and moved it to W1011 for validating keys * Add property relationships for AWS::ApplicationAutoScaling::ScalingPolicy into Inclusive, Exclusive, and AtLeastOne * Update rule E2505 to check the netmask bit * Include the ability to update the CloudFormation Specs using the Pricing API + CloudFormation Specifications * Update to version 2.21.0 * Add allowed values for AWS::Budgets::Budget * Add allowed values for AWS::CertificateManager resources * Add allowed values for AWS::CodePipeline resources * Add allowed values for AWS::CodeCommit resources * Add allowed values for EC2 InstanceTypes from pricing API * Add allowed values for RedShift InstanceTypes from pricing API * Add allowed values for MQ InstanceTypes from pricing API * Add allowed values for RDS InstanceTypes from pricing API + Fixes * Fixed README indentation issue with .pre-commit-config.yaml * Fixed rule E2541 to allow for multiple inputs/outputs in a CodeBuild task * Fixed rule E3020 to allow for a period or no period at the end of a ACM registration record * Update rule E3001 to support UpdateReplacePolicy * Fix a cli issue where `--template` wouldn't be used when a .cfnlintrc was in the same folder * Update rule E3002 and E1024 to support packaging of 
AWS::Lambda::LayerVersion content - Initial build + Version 0.12.1 Update to 0.9.1 * the prof plugin now uses cProfile instead of hotshot for profiling * skipped tests now include the user's reason in junit XML's message field * the prettyassert plugin mishandled multi-line function definitions * Using a plugin's CLI flag when the plugin is already enabled via config no longer errors * nose2.plugins.prettyassert, enabled with --pretty-assert * Cleanup code for EOLed python versions * Dropped support for distutils. * Result reporter respects failure status set by other plugins * JUnit XML plugin now includes the skip reason in its output Upgrade to 0.8.0: - List of changes is too long to show here, see https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst changes between 0.6.5 and 0.8.0 Update to 0.7.0: * Added parameterized_class feature, for parameterizing entire test classes (many thanks to @TobyLL for their suggestions and help testing!) * Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh; https://github.com/wolever/parameterized/issues/67) * Make sure that `setUp` and `tearDown` methods work correctly (#40) * Raise a ValueError when input is empty (thanks @danielbradburn; https://github.com/wolever/parameterized/pull/48) * Fix the order when number of cases exceeds 10 (thanks @ntflc; https://github.com/wolever/parameterized/pull/49) aws-cli was updated to version 1.16.223: For detailed changes see the changes entries: https://github.com/aws/aws-cli/blob/1.16.223/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.189/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.182/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.176/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.103/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.94/CHANGELOG.rst https://github.com/aws/aws-cli/blob/1.16.84/CHANGELOG.rst python-boto3 was updated to 1.9.213, python-botocore was updated to 1.9.188, and python-s3transfer was updated to 
1.12.74, fixing lots of bugs and adding features (bsc#1146853, bsc#1146854)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released: Fri Feb 28 11:49:36 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1164562

This update for pam fixes the following issues:

- Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:556-1
Released: Mon Mar 2 13:32:11 2020
Summary: Recommended update for 389-ds
Type: recommended
Severity: moderate
References: 1155951

This update for 389-ds to version 1.4.2.2 fixes the following issues:

389-ds was updated to 1.4.2.6 (fate#326677, bsc#1155951), bringing many bug and stability fixes.

Issue addressed:

- Enabled python lib389 installer tooling to match upstream and suse documentation.

More information for this release at: https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-2-1.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released: Tue Mar 3 13:25:41 2020
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1162518

This update for cyrus-sasl fixes the following issues:

- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released: Tue Mar 3 13:37:28 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1160160

This update for ca-certificates-mozilla to 2.40 fixes the following issues:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
-
CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released: Thu Mar 5 15:24:09 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950

This update for libgcrypt fixes the following issues:

- FIPS: Run the self-tests from the constructor [bsc#1164950]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released: Tue Mar 10 16:23:08 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1139939,1151023

This update for aaa_base fixes the following issues:

- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again.
It will be published in a different package at a later time. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released: Thu Mar 19 11:00:46 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1160595

This update for systemd fixes the following issues:

- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released: Thu Mar 19 14:44:22 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1166106

This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:777-1
Released: Tue Mar 24 18:07:52 2020
Summary: Recommended update for python3
Type: recommended
Severity: moderate
References: 1165894

This update for python3 fixes the following issue:

- Rename idle icons to idle3 in order to not conflict with python2 variant of the package (bsc#1165894)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released: Wed Mar 25 15:16:00 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712

This update for systemd fixes the following issues:

- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-???
- %j/%J unit specifiers

Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).
Added the udev 60-ssd-scheduler.rules:

- This rules file, which selects the default IO scheduler for SSDs, is being moved out of the git repo since it is not related to systemd or udev at all and is maintained by the kernel team.
- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released: Mon Mar 30 16:23:42 2020
Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type: recommended
Severity: moderate
References: 1161816,1162152,1167223

This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):

Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4

- Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816)
- Move the animation library to core package bsc#1162152

xmlsec1 was updated to 1.2.28:

* Added BoringSSL support (chenbd).
* Added gnutls-3.6.x support (alonbl).
* Added DSA and ECDSA key size getter for MSCNG (vmiklos).
* Added --enable-mans configuration option (alonbl).
* Added continuous build integration for MacOSX (vmiklos).
* Several other small fixes (more details).

- Make sure to recommend at least one backend when you install just xmlsec1
- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

* Added AES-GCM support for OpenSSL and MSCNG (snargit).
* Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
* Added RSA-OAEP support for MSCNG (vmiklos).
* Continuous build integration in Travis and Appveyor.
* Several other small fixes (more details).

myspell-dictionaries was updated to 20191219:

* Updated the English dictionaries: GB+US+CA+AU
* Bring shipped Spanish dictionary up to version 2.5

boost was updated to fix:

- add a backport of Boost.Optional::has_value() for LibreOffice

The QR-Code-generator is shipped:

- Initial commit, needed by libreoffice 6.4

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released: Tue Mar 31 13:02:22 2020
Summary: Security update for glibc
Type: security
Severity: important
References: 1167631,CVE-2020-1752

This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:823-1
Released: Tue Mar 31 13:28:14 2020
Summary: Recommended update for parted
Type: recommended
Severity: moderate
References: 1161783,1164260

This update for parted fixes the following issue:

- Make parted work with pmemXs devices. (bsc#1164260)
- Fix for error when parted output size crashing parted in yast.
(bsc#1161783)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released: Thu Apr 2 07:24:07 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950,1166748,1167674

This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
  * Set up global_init as the constructor function:
  * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG is available:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released: Fri Apr 3 15:02:25 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:935-1
Released: Tue Apr 7 03:46:39 2020
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1158630,1167205,1167206

This update for xfsprogs fixes the following issues:

- xfs_quota: reformat commands in the manpage. (bsc#1167206)
  Reformat commands in the manpage so that fstest can check that each command is actually documented.
- xfs_db: document missing commands. (bsc#1167205)
  Document the commands 'attr_set', 'attr_remove', 'logformat' in the manpage.
- xfs_io: allow size suffixes for the copy_range command.
(bsc#1158630)
  Allow the usage of size suffixes k,m,g for kilobytes, megabytes or gigabytes respectively for the copy_range command

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released: Wed Apr 8 07:44:21 2020
Summary: Security update for gmp, gnutls, libnettle
Type: security
Severity: moderate
References: 1152692,1155327,1166881,1168345,CVE-2020-11501

This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:959-1
Released: Wed Apr 8 12:59:50 2020
Summary: Security update for python-PyYAML
Type: security
Severity: important
References: 1165439,CVE-2020-1747

This update for python-PyYAML fixes the following issues:

- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released: Wed Apr 8 13:34:06 2020
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1160979

This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to exercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released: Thu Apr 9 11:41:53 2020
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1168699,CVE-2020-1730

This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:979-1
Released: Mon Apr 13 15:42:59 2020
Summary: Recommended update for parted
Type: recommended
Severity: moderate
References: 1168756

This update for parted fixes the following issue:

- fix null pointer dereference.
(bsc#1168756) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1000-1 Released: Wed Apr 15 14:18:57 2020 Summary: Recommended update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager Type: recommended Severity: moderate References: 1014478,1054413,1140565,982804,999200 This update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager fixes the following issues: The Azure python modules and client tool stack was updated to the 2020 state. Various other python modules were added and updated. - python-PyYAML was updated to 5.1.2. - python-humanfriendly was updated to 4.16.1. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1037-1 Released: Mon Apr 20 10:49:39 2020 Summary: Recommended update for python-pytest Type: recommended Severity: low References: 1002895,1107105,1138666,1167732 This update fixes the following issues: New python-pytest versions are provided.
In Basesystem: - python3-pexpect: updated to 4.8.0 - python3-py: updated to 1.8.1 - python3-zipp: shipped as dependency in version 0.6.0 In Python2: - python2-pexpect: updated to 4.8.0 - python2-py: updated to 1.8.1 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1063-1 Released: Wed Apr 22 10:46:50 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1165539,1169569 This update for libgcrypt fixes the following issues: - FIPS: Switch the PCT to use the new signature operation (bsc#1165539) - FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539) - Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates. - Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1094-1 Released: Thu Apr 23 16:34:21 2020 Summary: Recommended update for python-google-api-python-client Type: recommended Severity: moderate References: 1088358,1160933 This update for python-google-api-python-client fixes the following issues: - Fix dependencies to use google-auth instead of deprecated oauth2client (bsc#1160933, jsc#ECO-1148) python-cachetools 2.0.1 is shipped to the Public Cloud Module. python-google-auth 1.5.1 is shipped to the Public Cloud Module. python-google-api-python-client was updated to: - Upgrade to 1.7.4: just series of minor bugfixes - Fix check for error text on Python 3.7. (#278) - Use new Auth URIs. (#281) - Add code-of-conduct document.
(#270) - Fix some typos in test_urllib3.py (#268) - Warn when using user credentials from the Cloud SDK (#266) - Add compute engine-based IDTokenCredentials (#236) - Corrected some typos (#265) Update to 1.4.2: - Raise a helpful exception when trying to refresh credentials without a refresh token. (#262) - Fix links to README and CONTRIBUTING in docs/index.rst. (#260) - Fix a typo in credentials.py. (#256) - Use pytest instead of py.test per upstream recommendation, #dropthedot. (#255) - Fix typo on exemple of jwt usage (#245) New upstream release 1.4.1 (bsc#1088358) - Added a check for the cryptography version before attempting to use it. + From version 1.4.0 - Added `cryptography`-based RSA signer and verifier. - Added `google.oauth2.service_account.IDTokenCredentials`. - Improved documentation around ID Tokens + From version 1.3.0 - Added ``google.oauth2.credentials.Credentials.from_authorized_user_file``. - Dropped direct pyasn1 dependency in favor of letting ``pyasn1-modules`` specify the right version. - ``default()`` now checks for the project ID environment var before warning about missing project ID. - Fixed the docstrings for ``has_scopes()`` and ``with_scopes()``. - Fixed example in docstring for ``ReadOnlyScoped``. - Made ``transport.requests`` use timeouts and retries to improve reliability. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1175-1 Released: Tue May 5 08:33:43 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1165011,1168076 This update for systemd fixes the following issues: - Fix check for address to keep interface names stable. (bsc#1168076) - Fix for checking non-normalized WHAT for network FS. (bsc#1165011) - Allow to specify an arbitrary string for when vfs is used. 
(bsc#1165011) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1214-1 Released: Thu May 7 11:20:34 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1169944 This update for libgcrypt fixes the following issues: - FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1219-1 Released: Thu May 7 17:10:42 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1170771,CVE-2020-12243 This update for openldap2 fixes the following issues: - CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1226-1 Released: Fri May 8 10:51:05 2020 Summary: Recommended update for gcc9 Type: recommended Severity: moderate References: 1149995,1152590,1167898 This update for gcc9 fixes the following issues: This update ships the GCC 9.3 release. - Includes a fix for Internal compiler error when building HepMC (bsc#1167898) - Includes fix for binutils version parsing - Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10. - Add gcc9 autodetect -g at lto link (bsc#1149995) - Install go tool buildid for bootstrapping go ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1294-1 Released: Mon May 18 07:38:36 2020 Summary: Security update for file Type: security Severity: moderate References: 1154661,1169512,CVE-2019-18218 This update for file fixes the following issues: Security issues fixed: - CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661). Non-security issue fixed: - Fixed broken '--help' output (bsc#1169512). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1299-1 Released: Mon May 18 07:43:21 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595 This update for libxml2 fixes the following issues: - CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521). - CVE-2019-19956: Fixed a memory leak (bsc#1159928). - CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1303-1 Released: Mon May 18 09:40:36 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1169582 This update for timezone fixes the following issues: - timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1308-1 Released: Mon May 18 10:05:46 2020 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: 1170247 This update for psmisc fixes the following issues: - Allow not unique mounts as well as not unique mountpoint. 
(bsc#1170247) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1328-1 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1155271 This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1342-1 Released: Tue May 19 13:27:31 2020 Summary: Recommended update for python3 Type: recommended Severity: moderate References: 1149955,1165894,CVE-2019-16056 This update for python3 fixes the following issues: - Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1361-1 Released: Thu May 21 09:31:18 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1171872 This update for libgcrypt fixes the following issues: - FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1370-1 Released: Thu May 21 19:06:00 2020 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1171656 This update for systemd-presets-branding-SLE fixes the following issues: Cleanup of outdated autostart services (bsc#1171656): - Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE. - Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this. 
- Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE which is not foreseeable. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1396-1 Released: Mon May 25 12:04:39 2020 Summary: Security update for zstd Type: security Severity: moderate References: 1082318,1133297 This update for zstd fixes the following issues: - Fix for build error caused by wrong static libraries. (bsc#1133297) - Correction in spec file marking the license as documentation. (bsc#1082318) - Add new package for SLE-15. (jsc#ECO-1886) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1400-1 Released: Mon May 25 14:09:02 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1162930 This update for glibc fixes the following issues: - nptl: wait for pending setxid request also in detached thread. (bsc#1162930) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1404-1 Released: Mon May 25 15:32:34 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1138793,1166260 This update for zlib fixes the following issues: - Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1. - Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1409-1 Released: Mon May 25 17:01:33 2020 Summary: Security update for libxslt Type: security Severity: moderate References: 1140095,1140101,1154609,CVE-2019-13117,CVE-2019-13118,CVE-2019-18197 This update for libxslt fixes the following issues: Security issues fixed: - CVE-2019-13118: Fixed a read of uninitialized stack data (bsc#1140101). - CVE-2019-13117: Fixed an uninitialized read which allowed to discern whether a byte on the stack contains certain special characters (bsc#1140095). - CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1492-1 Released: Wed May 27 18:32:41 2020 Summary: Recommended update for python-rpm-macros Type: recommended Severity: moderate References: 1171561 This update for python-rpm-macros fixes the following issue: - Update to version 20200207.5feb6c1 (bsc#1171561) * Do not write .pyc files for tests ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1496-1 Released: Wed May 27 20:30:31 2020 Summary: Recommended update for python-requests Type: recommended Severity: low References: 1170175 This update for python-requests fixes the following issues: - Fix for warnings 'test fails to build' for python http. (bsc#1170175) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1506-1 Released: Fri May 29 17:22:11 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1087982,1170527 This update for aaa_base fixes the following issues: - Not all XTerm based emulators do have a terminfo entry. (bsc#1087982) - Better support of Midnight Commander.
(bsc#1170527) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1532-1 Released: Thu Jun 4 10:16:12 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1172021,CVE-2019-19956 This update for libxml2 fixes the following issues: - CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1542-1 Released: Thu Jun 4 13:24:37 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1172055 This update for timezone fixes the following issue: - zdump --version reported 'unknown' (bsc#1172055) From sle-updates at lists.suse.com Wed Jun 17 11:28:35 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 19:28:35 +0200 (CEST) Subject: SUSE-CU-2020:210-1: Recommended update of ses/7/cephcsi/cephcsi Message-ID: <20200617172835.0AA74FD07@maintenance.suse.de> SUSE Container Update Advisory: ses/7/cephcsi/cephcsi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:210-1 Container Tags : ses/7/cephcsi/cephcsi:2.0.0 , ses/7/cephcsi/cephcsi:2.0.0.0 , ses/7/cephcsi/cephcsi:2.0.0.0.1.1179 , ses/7/cephcsi/cephcsi:latest , ses/7/cephcsi/cephcsi:sle15.2.octopus Container Release : 1.1179 Severity : low Type : recommended References : ----------------------------------------------------------------- The container ses/7/cephcsi/cephcsi was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Wed Jun 17 11:28:53 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 19:28:53 +0200 (CEST) Subject: SUSE-CU-2020:211-1: Recommended update of ses/7/cephcsi/cephcsi Message-ID: <20200617172853.1FD42FD07@maintenance.suse.de> SUSE Container Update Advisory: ses/7/cephcsi/cephcsi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:211-1 Container Tags : ses/7/cephcsi/cephcsi:2.0.0 , ses/7/cephcsi/cephcsi:2.0.0.0 , ses/7/cephcsi/cephcsi:2.0.0.0.1.1179 , ses/7/cephcsi/cephcsi:latest , ses/7/cephcsi/cephcsi:sle15.2.octopus Container Release : 1.1179 Severity : low Type : recommended References : ----------------------------------------------------------------- The container ses/7/cephcsi/cephcsi was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Wed Jun 17 11:29:01 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 19:29:01 +0200 (CEST) Subject: SUSE-CU-2020:212-1: Security update of ses/7/ceph/grafana Message-ID: <20200617172901.764B2FD07@maintenance.suse.de> SUSE Container Update Advisory: ses/7/ceph/grafana ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:212-1 Container Tags : ses/7/ceph/grafana:6.3.5 , ses/7/ceph/grafana:6.3.5.2.740 , ses/7/ceph/grafana:latest , ses/7/ceph/grafana:sle15.2.octopus Container Release : 2.740 Severity : important Type : security References : ----------------------------------------------------------------- The container ses/7/ceph/grafana was
updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1223-1 Released: Tue Jun 26 11:41:00 2018 Summary: Security update for gpg2 Type: security Severity: important References: 1096745,CVE-2018-12020 This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1327-1 Released: Tue Jul 17 08:07:24 2018 Summary: Security update for perl Type: security Severity: moderate References: 1096718,CVE-2018-12015 This update for perl fixes the following issues: - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1346-1 Released: Thu Jul 19 09:25:08 2018 Summary: Security update for glibc Type: security Severity: moderate References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 This update for glibc fixes the following security issues: - CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150).
- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161). - CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1353-1 Released: Thu Jul 19 09:50:32 2018 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572 This update for e2fsprogs fixes the following issues: Security issues fixed: - CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402). - CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346). Bug fixes: - bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system. - bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system. - bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1362-1 Released: Thu Jul 19 12:47:33 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1100415 ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store.
(bsc#1100415) Following CAs were removed: * S-TRUST_Universal_Root_CA * TC_TrustCenter_Class_3_CA_II * TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1409-1 Released: Fri Jul 27 06:45:10 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569 This update for systemd provides the following fixes: - systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973) - systemctl: Check the existence of all units, not just the first one. - scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099) - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files. - Fix pattern to detect distribution. - install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search for preset files in /run (#7715) - install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851) - install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement. - install: Only consider names in Alias= as 'enabling'. - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - fileio: Support writing atomic files with timestamp. - fileio.c: Fix incorrect mtime - Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. 
(bsc#1098569) - An update broke booting with encrypted partitions on NVMe (bsc#1095096) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1754-1 Released: Fri Aug 24 16:40:21 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1104780 This update for ca-certificates-mozilla fixes the following issues: Updated to the 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780) - removed server auth rights from following CAs: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - removed CA - ComSign CA - new CA added: - GlobalSign ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1760-1 Released: Fri Aug 24 17:14:53 2018 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1072183 This update for libtirpc fixes the following issues: - rpcinfo: send RPC getport call as specified via parameter (bsc#1072183) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1999-1 Released: Tue Sep 25 08:20:35 2018 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1071321 This update for zlib provides the following fixes: - Speedup zlib on power8. (fate#325307) - Add safeguard against negative values in uInt. (bsc#1071321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2055-1 Released: Thu Sep 27 14:30:14 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. 
(bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2155-1 Released: Fri Oct 5 14:41:17 2018 Summary: Recommended update for ca-certificates Type: recommended Severity: moderate References: 1101470 This update for ca-certificates fixes the following issues: - Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2177-1 Released: Tue Oct 9 09:00:13 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1095661,1095670,1100488 This update for bash provides the following fixes: - Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661) - Make the generation of bash.html reproducible. (bsc#1100488) - Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670) - Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes. - Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler. - Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence. - Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2182-1 Released: Tue Oct 9 11:08:36 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279) - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166) - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2370-1 Released: Mon Oct 22 14:02:01 2018 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1102310,1104531 This update for aaa_base provides the following fixes: - Let bash.bashrc work even for (m)ksh. (bsc#1104531) - Fix an error at login if java system directory is empty. (bsc#1102310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2485-1 Released: Fri Oct 26 12:38:01 2018 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1112928 This update for kmod provides the following fixes: - Allow 'modprobe -c' print the status of 'allow_unsupported_modules' option. 
(bsc#1112928) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2487-1 Released: Fri Oct 26 12:39:07 2018 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1102526 This update for glibc fixes the following issues: - Fix build on aarch64 with binutils newer than 2.30. - Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2569-1 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1110700 This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2595-1 Released: Wed Nov 7 11:14:42 2018 Summary: Security update for systemd Type: security Severity: important References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688 This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. 
(bsc#1113665) Non-security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - core: introduce systemd.early_core_pattern= kernel cmdline option - core: add missing 'continue' statement - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - install: drop left-over debug message (#6913) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SysV init tool. - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used.
(bsc#1089761) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908) - core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944) - Enable or disable machines.target according to the presets (bsc#1107941) - cryptsetup: add support for sector-size= option (fate#325697) - nspawn: always use permission mode 555 for /sys (bsc#1107640) - Bugfix for a race condition between daemon-reload and other commands (bsc#1105031) - Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677) - Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901) - No longer adjusts qgroups on existing subvolumes (bsc#1093753) - cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2607-1 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several bugs have been fixed, a number of new warnings have been added, and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2825-1 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Type: security Severity: important References: 1115640,CVE-2018-17953 This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2861-1 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Type: security Severity: important References: 1103320,1115929,CVE-2018-19211 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2984-1 Released: Wed Dec 19 11:32:39 2018 Summary: Security update for perl Type: security Severity: moderate References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314 This update for perl fixes the following issues: Security issues fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). - CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675). - CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681).
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2986-1 Released: Wed Dec 19 13:53:22 2018 Summary: Security update for libnettle Type: security Severity: moderate References: 1118086,CVE-2018-16869 This update for libnettle fixes the following issues: Security issues fixed: - CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:23-1 Released: Mon Jan 7 16:30:33 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1120346,CVE-2018-1000858 This update for gpg2 fixes the following issue: Security issue fixed: - CVE-2018-1000858: Fixed a Cross Site Request Forgery(CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:44-1 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. 
(bsc#953659) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:137-1 Released: Mon Jan 21 15:52:45 2019 Summary: Security update for systemd Type: security Severity: important References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954 This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498) - systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933) - systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723) - Fixed installation issue with /etc/machine-id during update (bsc#1117063) - btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - udev: Downgrade message when setting inotify watch up fails. (bsc#1005023) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online.
(bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:147-1 Released: Wed Jan 23 17:57:31 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1121446 This update for ca-certificates-mozilla fixes the following issues: The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446) Removed Root CAs: - AC Raiz Certicamara S.A. - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Visa eCommerce Root Added Root CAs: - Certigna Root CA (email and server auth) - GTS Root R1 (server auth) - GTS Root R2 (server auth) - GTS Root R3 (server auth) - GTS Root R4 (server auth) - OISTE WISeKey Global Root GC CA (email and server auth) - UCA Extended Validation Root (server auth) - UCA Global G2 Root (email and server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:170-1 Released: Fri Jan 25 13:43:29 2019 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1118629 This update for kmod fixes the following issues: - Fixes module dependency file corruption on parallel invocation (bsc#1118629). - Allows 'modprobe -c' to print the status of 'allow_unsupported_modules' option. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:247-1 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Type: security Severity: moderate References: 1123043,CVE-2019-6706 This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:369-1 Released: Wed Feb 13 14:01:42 2019 Summary: Recommended update for itstool Type: recommended Severity: moderate References: 1065270,1111019 This update for itstool and python-libxml2-python fixes the following issues: Package: itstool - Updated version to support Python3. (bnc#1111019) Package: python-libxml2-python - Fix segfault when parsing invalid data. (bsc#1065270) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:426-1 Released: Mon Feb 18 17:46:55 2019 Summary: Security update for systemd Type: security Severity: important References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 This update for systemd fixes the following issues: - CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - logind: fix bad error propagation - login: log session state 'closing' (as well as New/Removed) - logind: fix borked r check - login: don't remove all devices from PID1 when only one was removed - login: we only allow opening character devices - login: correct comment in session_device_free() - login: remember that fds received from PID1 need to be removed eventually - login: fix FDNAME in call to sd_pid_notify_with_fds() - logind: fd 0 is a valid fd - logind: rework sd_eviocrevoke() - logind: check file is device node before using .st_rdev - logind: use the new FDSTOREREMOVE=1 
sd_notify() message (bsc#1124153) - core: add a new sd_notify() message for removing fds from the FD store again - logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) - fd-util: accept that kcmp might fail with EPERM/EACCES - core: Fix use after free case in load_from_path() (bsc#1121563) - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - core: free lines after reading them (bsc#1123892) - sd-bus: if we receive an invalid dbus message, ignore and proceed - automount: don't pass non-blocking pipe to kernel. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:571-1 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:641-1 Released: Tue Mar 19 13:17:28 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1112570,1114984,1114993 This update for glibc provides the following fixes: - Fix Haswell CPU string flags. (bsc#1114984) - Fix waiters-after-spinning case. (bsc#1114993) - Do not relocate absolute symbols. (bsc#1112570) - Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551) - Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962) - Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:700-1 Released: Thu Mar 21 19:54:00 2019 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1044840 This update for cyrus-sasl provides the following fix: - Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs.
(bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:713-1 Released: Fri Mar 22 15:55:05 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1063675,1126590 This update for glibc fixes the following issues: - Add MAP_SYNC from Linux 4.15 (bsc#1126590) - Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590) - nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:732-1 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1088524,1118364,1128246 This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:788-1 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1119687,CVE-2018-20346 This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:791-1 Released: Thu Mar 28 12:06:50 2019 Summary: Security update for libnettle Type: recommended Severity: moderate References: 1129598 This update for libnettle to version 3.4.1 fixes the following issues: Issues addressed and new features: - Updated to 3.4.1 (fate#327114 and bsc#1129598) - Fixed a missing break statements in the parsing of PEM input files in pkcs1-conv. - Fixed a link error on the pss-mgf1-test which was affecting builds without public key support. 
- All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. - Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:858-1 Released: Wed Apr 3 15:50:37 2019 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1120689,1126096 This update for libtirpc fixes the following issues: - Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096). - add an option to enforce connection via protocol version 2 first (bsc#1120689). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:903-1 Released: Mon Apr 8 15:41:44 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1100396,1122729,1130045,CVE-2016-10739 This update for glibc fixes the following issues: Security issue fixed: - CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729). Other issue fixed: - Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintained the robust mutex list due to missing compiler barriers (bsc#1130045). 
- Added new Japanese Era name support (bsc#1100396). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1002-1 Released: Wed Apr 24 10:13:34 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1110304,1129576 This update for zlib fixes the following issues: - Fixes a segmentation fault error (bsc#1110304, bsc#1129576) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1040-1 Released: Thu Apr 25 17:09:21 2019 Summary: Security update for samba Type: security Severity: important References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 This update for samba fixes the following issues: Security issue fixed: - CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060). ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686): - Out of bound read in ldb_wildcard_compare - Hold at most 10 outstanding paged result cookies - Put 'results_store' into a doubly linked list - Refuse to build Samba against a newer minor version of ldb Non-security issues fixed: - Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377). - Abide by the load_printers parameter in smb.conf (bsc#1124223). - Provide the 32bit samba winbind PAM module and its dependent 32bit libraries. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1127-1 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1206-1 Released: Fri May 10 14:01:55 2019 Summary: Security update for bzip2 Type: security Severity: low References: 985657,CVE-2016-3189 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1312-1 Released: Wed May 22 12:19:12 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1096191 This update for aaa_base fixes the following issue: * Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1364-1 Released: Tue May 28 10:51:38 2019 Summary: Security update for systemd Type: security Severity: moderate References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933 This update for systemd fixes the following issues: Security issues fixed: - CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348). - CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352). - CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509). 
Non-security issues fixed: - logind: fix killing of scopes (bsc#1125604) - namespace: make MountFlags=shared work again (bsc#1124122) - rules: load drivers only on 'add' events (bsc#1126056) - sysctl: Don't pass null directive argument to '%s' (bsc#1121563) - systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933) - udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400) - sd-bus: bump message queue size again (bsc#1132721) - Do not automatically online memory on s390x (bsc#1127557) - Removed sg.conf (bsc#1036463) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1368-1 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Type: security Severity: important References: 1134524,CVE-2019-5021 This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1372-1 Released: Tue May 28 16:53:28 2019 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1105435,CVE-2018-1000654 This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1484-1 Released: Thu Jun 13 07:46:46 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1128383 This update for e2fsprogs fixes the following issues: - Check and fix tails of all bitmap blocks (bsc#1128383) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1486-1 Released: Thu Jun 13 09:40:24 2019 Summary: Security update for elfutils Type: security Severity: moderate References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 This update for elfutils fixes the following issues: Security issues fixed: - CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084) - CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085) - CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086) - CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087) - CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088) - CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089) - CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090) - CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390) - CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066) - CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067) - CVE-2018-18310: Fixed an invalid 
address read problem in dwfl_segment_report_module.c (bsc#1111973) - CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726) - CVE-2018-18521: Fixed a denial of service vulnerability in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723) - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685) - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1595-1 Released: Fri Jun 21 10:17:44 2019 Summary: Security update for dbus-1 Type: security Severity: important References: 1137832,CVE-2019-12749 This update for dbus-1 fixes the following issues: Security issue fixed: - CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1631-1 Released: Fri Jun 21 11:17:21 2019 Summary: Recommended update for xz Type: recommended Severity: low References: 1135709 This update for xz fixes the following issues: Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1635-1 Released: Fri Jun 21 12:45:53 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1134217 This update for krb5 provides the following fix: - Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap.
(bsc#1134217) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1700-1 Released: Tue Jun 25 13:19:21 2019 Summary: Security update for libssh Type: recommended Severity: moderate References: 1134193 This update for libssh fixes the following issue: Issue addressed: - Added support for new AES-GCM encryption types (bsc#1134193). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1808-1 Released: Wed Jul 10 13:16:29 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1133808 This update for libgcrypt fixes the following issues: - Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1835-1 Released: Fri Jul 12 18:06:31 2019 Summary: Security update for expat Type: security Severity: moderate References: 1139937,CVE-2018-20843 This update for expat fixes the following issues: Security issue fixed: - CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1846-1 Released: Mon Jul 15 11:36:33 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1853-1 Released: Mon Jul 15 16:03:36 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1107617,1137053 This update for systemd fixes the following issues: - conf-parse: remove 4K line length limit (bsc#1137053) - udevd: change the default value of udev.children-max (again) (bsc#1107617) - meson: stop creating enablement symlinks in /etc during installation (sequel) - Fixed build for openSUSE Leap 15+ - Make sure we don't ship any static enablement symlinks in /etc Those symlinks must only be created by the presets. There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1877-1 Released: Thu Jul 18 11:31:46 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169 This update for glibc fixes the following issues: Security issues fixed: - CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308). - CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223). 
Non-security issues fixed: - No longer compresses debug sections in crt*.o files (bsc#1123710) - Fixes a concurrency problem in ldconfig (bsc#1117993) - Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1971-1 Released: Thu Jul 25 14:58:52 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1138939,CVE-2019-12904 This update for libgcrypt fixes the following issues: Security issue fixed: - CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1994-1 Released: Fri Jul 26 16:12:05 2019 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1135123 This update for libxml2 fixes the following issues: - Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2004-1 Released: Mon Jul 29 13:01:59 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: - Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2006-1 Released: Mon Jul 29 13:02:49 2019 Summary: Security update for gpg2 Type: security Severity: important References: 1124847,1141093,CVE-2019-13050 This update for gpg2 fixes the following issues: Security issue fixed: - CVE-2019-13050: Fixed a denial of service attack via big keys (bsc#1141093).

Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2097-1
Released: Fri Aug 9 09:31:17 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1097073

This update for libgcrypt fixes the following issues:

- Fixed a regression where systems were unable to boot in FIPS mode, caused by an incomplete implementation of a previous change (bsc#1097073).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2134-1
Released: Wed Aug 14 11:54:56 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1136717,1137624,1141059,SLE-5807

This update for zlib fixes the following issues:

- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements. (jsc#SLE-5807, bsc#1136717)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2188-1
Released: Wed Aug 21 10:10:29 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1140647

This update for aaa_base fixes the following issues:

- Make systemd detection cgroup oblivious. (bsc#1140647)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2218-1
Released: Mon Aug 26 11:29:57 2019
Summary: Recommended update for pinentry
Type: recommended
Severity: moderate
References: 1141883

This update for pinentry fixes the following issues:

- Fix a dangling pointer in qt/main.cpp that caused crashes.
  (bsc#1141883)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169

This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)

Removed CAs:

- Certinomis - Root CA

Includes new root CAs from the 2.32 version:

- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

This update for openldap2 fixes the following issues:

Security issues fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, slapd attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:

- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132

This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

Following settings have been tightened (and set to 0):

- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2429-1
Released: Mon Sep 23 09:28:40 2019
Summary: Security update for expat
Type: security
Severity: moderate
References: 1149429,CVE-2019-15903

This update for expat fixes the following issues:

Security issues fixed:

- CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2517-1
Released: Wed Oct 2 10:49:20 2019
Summary: Security update for libseccomp
Type: security
Severity: moderate
References: 1082318,1128828,1142614,CVE-2019-9893

This update for libseccomp fixes the following issues:

Security issues fixed:

- CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828)

libseccomp was updated to new upstream release 2.4.1:

- Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks.

libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893):

- Update the syscall table for Linux v5.0-rc5
- Added support for the SCMP_ACT_KILL_PROCESS action
- Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
- Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
- Added support for the parisc and parisc64 architectures
- Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
- Return -EDOM on an endian mismatch when adding an architecture to a filter
- Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
- Fix PFC generation when a syscall is prioritized, but no rule exists
- Numerous fixes to the seccomp-bpf filter generation code
- Switch our internal hashing function to jhash/Lookup3 to MurmurHash3
- Numerous tests added to the included test suite, coverage now at ~92%
- Update our Travis CI configuration to use Ubuntu 16.04
- Numerous documentation fixes and updates

libseccomp was updated to release 2.3.3:

- Updated the syscall table for Linux v4.15-rc7

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168

This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094

This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

Non-security issue fixed:

- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

Following security issues were fixed:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep.
  This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:

- Fix CPU summary showing old data. (bsc#1121753)

The update to 3.3.15 contains the following fixes:

* library: Increment to 8:0:1
  No removals, no new functions
  Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert 'Support running with child namespaces'
* library: Increment to 7:0:1
  No changes, no removals
  New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: dont use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released: Wed Oct 23 17:21:17 2019
Summary: Security update for lz4
Type: security
Severity: moderate
References: 1153936,CVE-2019-17543

This update for lz4 fixes the following issues:

- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released: Tue Oct 29 14:57:55 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1140631,1145023,1150595,SLE-7687

This update for systemd provides the following fixes:

- Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released: Thu Oct 31 08:09:14 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1051143,1138869,1151023

This update for aaa_base provides the following fixes:

- Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released: Thu Nov 14 11:53:03 2019
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1133773,1143055

This update for bash fixes the following issues:

- Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm'
- Add a backport from bash 5.0 to perform better with large numbers of sub processes.
  (bsc#1133773)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595

This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:

- Removed screen.xterm from terminfo database (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released: Mon Nov 25 17:33:07 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866

This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Type: security
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536

This update includes the GNU Compiler Collection 9.

A full changelog is provided by the GCC team on:

https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.

To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call.
  (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released: Tue Nov 26 12:39:29 2019
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1152755

This update for gpg2 provides the following fix:

- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released: Thu Nov 28 10:02:24 2019
Summary: Security update for libidn2
Type: security
Severity: moderate
References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224

This update for libidn2 to version 2.2.0 fixes the following issues:

- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released: Thu Nov 28 10:03:00 2019
Summary: Security update for libxml2
Type: security
Severity: low
References: 1123919

This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed in the past.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released: Fri Nov 29 14:41:35 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1154295

This update for e2fsprogs fixes the following issues:

- Make minimum size estimates more reliable for mounted filesystem.
  (bsc#1154295)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released: Wed Dec 4 11:24:42 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1007715,1084934,1157278

This update for aaa_base fixes the following issues:

- Use official key binding functions in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3205-1
Released: Mon Dec 9 13:48:28 2019
Summary: Recommended update for insserv-compat
Type: recommended
Severity: moderate
References: 1052837,1133306

This update for insserv-compat fixes the following issues:

- Fix handling of start parameters. (bsc#1133306)
- Remove unnecessary entry from configuration file. (bsc#1052837)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released: Tue Dec 10 10:40:19 2019
Summary: Recommended update for ca-certificates-mozilla, p11-kit
Type: recommended
Severity: moderate
References: 1154871

This update for ca-certificates-mozilla, p11-kit fixes the following issues:

Changes in ca-certificates-mozilla:

- export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).

Changes in p11-kit:

- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released: Wed Dec 11 11:19:53 2019
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889

This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released: Fri Dec 27 13:33:29 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1148987,1155338,1155339,CVE-2019-13627

This update for libgcrypt fixes the following issues:

Security issues fixed:

- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

Bug fixes:

- Added CMAC AES self test (bsc#1155339).
- Added missing CMAC TDES self test (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released: Mon Jan 20 09:21:13 2020
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889

This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released: Fri Jan 24 06:49:07 2020
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1158830

This update for procps fixes the following issues:

- Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore.
  (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:256-1
Released: Wed Jan 29 09:39:17 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1157794,1160970

This update for aaa_base fixes the following issues:

- Improves the way the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:262-1
Released: Thu Jan 30 11:02:42 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).

Bug fixes:

- Fixed z15 (s390x) strstr implementation that can return incorrect results if the search string crosses a page boundary (bsc#1157893).
- Fixed Hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:265-1
Released: Thu Jan 30 14:05:34 2020
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1160571,CVE-2019-5188

This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released: Fri Jan 31 12:01:39 2020
Summary: Recommended update for p11-kit
Type: recommended
Severity: moderate
References: 1013125

This update for p11-kit fixes the following issues:

- Also build documentation (bsc#1013125)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released: Thu Feb 6 11:37:24 2020
Summary: Security update for systemd
Type: security
Severity: important
References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712

This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm trigger??? (bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
  * shell-completion: systemctl: do not list template units in {re,}start
  * shell-completion: systemctl: pass current word to all list_unit*
  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
  * bash-completion: systemctl: use systemctl --no-pager
  * bash-completion: also suggest template unit files
  * bash-completion: systemctl: add missing options and verbs
  * bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot option to not use swap at system start (jsc#SLE-7689)
- Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released: Thu Feb 6 13:03:22 2020
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1158921

This update for openldap2 provides the following fix:

- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released: Tue Feb 25 10:50:35 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1155337,1161215,1161216,1161218,1161219,1161220

This update for libgcrypt fixes the following issues:

- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released: Tue Feb 25 14:23:14 2020
Summary: Recommended update for perl
Type: recommended
Severity: moderate
References: 1102840,1160039

This update for perl fixes the following issues:

- Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digits only instead of four digits.
  (bsc#1102840) (bsc#1160039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released: Tue Feb 25 17:38:22 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1160735

This update for aaa_base fixes the following issues:

- Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released: Fri Feb 28 11:49:36 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1164562

This update for pam fixes the following issues:

- Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released: Tue Mar 3 13:25:41 2020
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1162518

This update for cyrus-sasl fixes the following issues:

- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released: Tue Mar 3 13:37:28 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1160160

This update for ca-certificates-mozilla to 2.40 fixes the following issues:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released: Thu Mar 5 15:24:09 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950

This update for libgcrypt fixes the following issues:

- FIPS: Run the self-tests from the constructor [bsc#1164950]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released: Tue Mar 10 16:23:08 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1139939,1151023

This update for aaa_base fixes the following issues:

- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
- Fixed an issue where pthreads were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time.
(bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-??? - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. 
- core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. 
(bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:948-1 Released: Wed Apr 8 07:44:21 2020 Summary: Security update for gmp, gnutls, libnettle Type: security Severity: moderate References: 1152692,1155327,1166881,1168345,CVE-2020-11501 This update for gmp, gnutls, libnettle fixes the following issues: Security issue fixed: - CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345) FIPS related bugfixes: - FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518) - FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881) - FIPS: Added Diffie Hellman public key verification test. (bsc#1155327) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:961-1 Released: Wed Apr 8 13:34:06 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1160979 This update for e2fsprogs fixes the following issues: - e2fsck: clarify overflow link count error message (bsc#1160979) - ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979) - ext2fs: implement dir entry creation in htree directories (bsc#1160979) - tests: add test to excercise indexed directories with metadata_csum (bsc#1160979) - tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:967-1 Released: Thu Apr 9 11:41:53 2020 Summary: Security update for libssh Type: security Severity: moderate References: 1168699,CVE-2020-1730 This update for libssh fixes the following issues: - CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699). 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released: Wed Apr 22 10:46:50 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1165539,1169569

This update for libgcrypt fixes the following issues:

- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released: Tue May 5 08:33:43 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1165011,1168076

This update for systemd fixes the following issues:

- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used. (bsc#1165011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1214-1
Released: Thu May 7 11:20:34 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1169944

This update for libgcrypt fixes the following issues:

- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released: Thu May 7 17:10:42 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1170771,CVE-2020-12243

This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1226-1
Released: Fri May 8 10:51:05 2020
Summary: Recommended update for gcc9
Type: recommended
Severity: moderate
References: 1149995,1152590,1167898

This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1294-1
Released: Mon May 18 07:38:36 2020
Summary: Security update for file
Type: security
Severity: moderate
References: 1154661,1169512,CVE-2019-18218

This update for file fixes the following issues:

Security issues fixed:

- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

Non-security issue fixed:

- Fixed broken '--help' output (bsc#1169512).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1299-1
Released: Mon May 18 07:43:21 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595

This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1328-1
Released: Mon May 18 17:16:04 2020
Summary: Recommended update for grep
Type: recommended
Severity: moderate
References: 1155271

This update for grep fixes the following issues:

- Update testsuite expectations, no functional changes (bsc#1155271)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1361-1
Released: Thu May 21 09:31:18 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1171872

This update for libgcrypt fixes the following issues:

- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1370-1
Released: Thu May 21 19:06:00 2020
Summary: Recommended update for systemd-presets-branding-SLE
Type: recommended
Severity: moderate
References: 1171656

This update for systemd-presets-branding-SLE fixes the following issues:

Cleanup of outdated autostart services (bsc#1171656):

- Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE.
- Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this.
- Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE which is not foreseeable.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1396-1
Released: Mon May 25 12:04:39 2020
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1082318,1133297

This update for zstd fixes the following issues:

- Fix for build error caused by wrong static libraries. (bsc#1133297)
- Correction in spec file marking the license as documentation. (bsc#1082318)
- Add new package for SLE-15. (jsc#ECO-1886)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1400-1
Released: Mon May 25 14:09:02 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1162930

This update for glibc fixes the following issues:

- nptl: wait for pending setxid request also in detached thread. (bsc#1162930)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1404-1
Released: Mon May 25 15:32:34 2020
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1138793,1166260

This update for zlib fixes the following issues:

- Including the latest fixes from IBM (bsc#1166260)
  IBM Z mainframes starting from version z15 provide the DFLTCC instruction, which implements the deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793. The fix avoids testing whether the app was linked with exactly the same version of zlib as the one that is present at runtime.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1506-1
Released: Fri May 29 17:22:11 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1087982,1170527

This update for aaa_base fixes the following issues:

- Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander. (bsc#1170527)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1532-1
Released: Thu Jun 4 10:16:12 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1172021,CVE-2019-19956

This update for libxml2 fixes the following issues:

- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).

From sle-updates at lists.suse.com Wed Jun 17 11:29:09 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 17 Jun 2020 19:29:09 +0200 (CEST)
Subject: SUSE-CU-2020:213-1: Recommended update of ses/7/ceph/grafana
Message-ID: <20200617172909.BBC59FD07@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/ceph/grafana
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:213-1
Container Tags : ses/7/ceph/grafana:6.3.5 , ses/7/ceph/grafana:6.3.5.2.740 , ses/7/ceph/grafana:latest , ses/7/ceph/grafana:sle15.2.octopus
Container Release : 2.740
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container ses/7/ceph/grafana was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Wed Jun 17 11:29:17 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 17 Jun 2020 19:29:17 +0200 (CEST)
Subject: SUSE-CU-2020:214-1: Recommended update of ses/7/ceph/grafana
Message-ID: <20200617172917.98E6CFD07@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/ceph/grafana
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:214-1
Container Tags : ses/7/ceph/grafana:6.3.5 , ses/7/ceph/grafana:6.3.5.2.740 , ses/7/ceph/grafana:latest , ses/7/ceph/grafana:sle15.2.octopus
Container Release : 2.740
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container ses/7/ceph/grafana was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Wed Jun 17 11:29:32 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 17 Jun 2020 19:29:32 +0200 (CEST)
Subject: SUSE-CU-2020:215-1: Security update of ses/7/ceph/ceph
Message-ID: <20200617172932.C5DD3FD07@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/ceph/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:215-1
Container Tags : ses/7/ceph/ceph:15.2.3.455 , ses/7/ceph/ceph:15.2.3.455.3.373 , ses/7/ceph/ceph:latest , ses/7/ceph/ceph:sle15.2.octopus
Container Release : 3.373
Severity : important
Type : security
-----------------------------------------------------------------

The container ses/7/ceph/ceph was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1223-1
Released: Tue Jun 26 11:41:00 2018
Summary: Security update for gpg2
Type: security
Severity: important
References: 1096745,CVE-2018-12020

This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1327-1
Released: Tue Jul 17 08:07:24 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1096718,CVE-2018-12015

This update for perl fixes the following issues:

- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1332-1
Released: Tue Jul 17 09:01:19 2018
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1073299,1093392

This update for timezone provides the following fixes:

- North Korea switches back from +0830 to +09 on 2018-05-05.
- Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299)
- yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1346-1
Released: Thu Jul 19 09:25:08 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237

This update for glibc fixes the following security issues:

- CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150).
- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161).
- CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1353-1
Released: Thu Jul 19 09:50:32 2018
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572

This update for e2fsprogs fixes the following issues:

Security issues fixed:

- CVE-2015-0247: Fixed a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
- CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).

Bug fixes:

- bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
- bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
- bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1362-1
Released: Thu Jul 19 12:47:33 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1100415

ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store. (bsc#1100415)

The following CAs were removed:

* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1409-1
Released: Fri Jul 27 06:45:10 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569

This update for systemd provides the following fixes:

- systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973)
- systemctl: Check the existence of all units, not just the first one.
- scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099)
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files.
- Fix pattern to detect distribution.
- install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search for preset files in /run (#7715)
- install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851)
- install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement.
- install: Only consider names in Alias= as 'enabling'.
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- fileio: Support writing atomic files with timestamp.
- fileio.c: Fix incorrect mtime
- Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569)
- An update broke booting with encrypted partitions on NVMe (bsc#1095096)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1754-1
Released: Fri Aug 24 16:40:21 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1104780

This update for ca-certificates-mozilla fixes the following issues:

Updated to the 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780)

- removed server auth rights from following CAs:
  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3
- removed CA
  - ComSign CA
- new CA added:
  - GlobalSign

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1760-1
Released: Fri Aug 24 17:14:53 2018
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1072183

This update for libtirpc fixes the following issues:

- rpcinfo: send RPC getport call as specified via parameter (bsc#1072183)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1775-1
Released: Tue Aug 28 12:40:50 2018
Summary: Recommended update for xfsprogs
Type: recommended
Severity: important
References: 1089777,1105396

This update for xfsprogs fixes the following issues:

- avoid divide-by-zero when hardware reports optimal i/o size as 0 (bsc#1089777)
- repair: shift inode back into place if corrupted by bad log replay (bsc#1105396).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1887-1
Released: Wed Sep 12 12:34:28 2018
Summary: Recommended update for python-websocket-client
Type: recommended
Severity: moderate
References: 1076519

This update for python-websocket-client fixes the following issues:

- Use the system's CA bundle file by default. (bsc#1076519)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1999-1
Released: Tue Sep 25 08:20:35 2018
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1071321

This update for zlib provides the following fixes:

- Speedup zlib on power8. (fate#325307)
- Add safeguard against negative values in uInt. (bsc#1071321)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2055-1
Released: Thu Sep 27 14:30:14 2018
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1089640

This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2138-1
Released: Thu Oct 4 15:52:15 2018
Summary: Recommended update for sudo
Type: recommended
Severity: low
References: 1097643

This update for sudo fixes the following issues:

- fix permissions for /var/lib/sudo and /var/lib/sudo/ts (bsc#1097643)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2155-1
Released: Fri Oct 5 14:41:17 2018
Summary: Recommended update for ca-certificates
Type: recommended
Severity: moderate
References: 1101470

This update for ca-certificates fixes the following issues:

- Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2170-1
Released: Mon Oct 8 10:31:14 2018
Summary: Recommended update for python3
Type: recommended
Severity: moderate
References: 1107030

This update for python3 fixes the following issues:

- Add -fwrapv to OPTS, which is default for python3 for bugs which are caused by avoiding it. (bsc#1107030)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2177-1
Released: Tue Oct 9 09:00:13 2018
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1095661,1095670,1100488

This update for bash provides the following fixes:

- Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661)
- Make the generation of bash.html reproducible. (bsc#1100488)
- Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670)
- Fix a problem that could cause the hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes.
- Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler.
- Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence.
- Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2182-1 Released: Tue Oct 9 11:08:36 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279) - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166) - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2340-1 Released: Fri Oct 19 16:05:53 2018 Summary: Security update for fuse Type: security Severity: moderate References: 1101797,CVE-2018-10906 This update for fuse fixes the following issues: - CVE-2018-10906: fusermount was vulnerable to a restriction bypass when SELinux is active. This allowed non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. 
An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects (bsc#1101797) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2346-1 Released: Mon Oct 22 09:40:46 2018 Summary: Recommended update for logrotate Type: recommended Severity: moderate References: 1093617 This update for logrotate provides the following fix: - Ensure the HOME environment variable is set to /root when logrotate is started via systemd. This allows mariadb to rotate its logs when the database has a root password defined. (bsc#1093617) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2370-1 Released: Mon Oct 22 14:02:01 2018 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1102310,1104531 This update for aaa_base provides the following fixes: - Let bash.bashrc work even for (m)ksh. (bsc#1104531) - Fix an error at login if java system directory is empty. (bsc#1102310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2442-1 Released: Wed Oct 24 16:39:09 2018 Summary: Recommended update for python-msrestazure and its dependencies Type: recommended Severity: moderate References: 1109694 This update for python-adal, python-isodate, python-msrest, python-msrestazure fixes the following issues: python-msrestazure: - Update to version 0.5.0 + Features * Implementation is now using ADAL and not request-oauthlib. This allows more AD scenarios (like federated). * Add additionalInfo parsing for CloudError. * Implement new LRO options of Autorest. * Improve MSI for VM token polling algorithm. * MSIAuthentication now uses IMDS endpoint if available. * MSIAuthentication can be used in any environment that defines MSI_ENDPOINT env variable. 
* CloudError now includes the 'innererror' attribute to match OData v4. * Introduces ARMPolling implementation of Azure Resource Management LRO. * Add support for WebApp/Functions in MSIAuthentication classes. * Add parse_resource_id(), resource_id(), validate_resource_id() to parse ARM ids. * Retry strategy now can reach 24 seconds (instead of 12 seconds). * Add Managed Service Integrated (MSI) authentication. * Add 'timeout' to ServicePrincipalCredentials and UserPasswordCredentials. * Threads created by AzureOperationPoller have now a name prefixed by 'AzureOperationPoller' to help identify them. * Improve MSIAuthentication to support User Assigned Identity. + Bugfixes * MSIAuthentication regression for KeyVault since IMDS support. * MSIAuthentication should initialize the token attribute on creation. * Fixes refreshToken in UserPassCredentials and AADTokenCredentials. * Fix US government cloud definition. * Reduce max MSI polling time for VM. * IMDS/MSI: Retry on more error codes. * IMDS/MSI: Fix a boundary case on timeout. * Fix parse_resource_id() tool to be case-insensitive to keywords when matching. * Add missing baseclass init call for AdalAuthentication. * Fix LRO result if POST uses AsyncOperation header. * Remove a possible infinite loop with MSIAuthentication. * Fix session obj for cloudmetadata endpoint. * Fix authentication resource node for AzureStack. * Better detection of AppService with MSIAuthentication. * get_cloud_from_metadata_endpoint incorrect on AzureStack. * get_cloud_from_metadata_endpoint certificate issue. * Fix AttributeError if error JSON from ARM does not follow ODatav4 (as it should). * Fix AttributeError if input JSON is not a dict. * Fix AdalError handling in some scenarios. * Update Azure Gov login endpoint. * Update metadata ARM endpoint parser. + Incompatible changes * Remove unused auth_uri, state, client and token_uri attributes in ServicePrincipalCredentials, UserPassCredentials and AADTokenCredentials. 
* Remove token caching based on 'keyring'. Token caching should be implemented using ADAL now. * Remove InteractiveCredentials. This class was deprecated and unusable. Use ADAL device code instead. python-msrest - Update to version 0.5.0 + Require python-enum32 and python-typing. + Features * Support additionalProperties and XML. * Deserialize/from_dict now accepts a content-type parameter to parse XML strings. * Add XML support * Add many type hints, and MyPY testing on CI. * HTTP calls are made through a HTTPDriver API. Only implementation is `requests` for now. This driver API is *not* considered stable and you should pin your msrest version if you want to provide a personal implementation. * msrest is now able to keep the 'requests.Session' alive for performance. * All Authentication classes now define `signed_session` and `refresh_session` with an optional `session` parameter. * Disable HTTP log by default (security), add `enable_http_log` to restore it. * Add TopicCredentials for EventGrid client. * Add LROPoller class. This is a customizable LRO engine. * Model now accepts kwargs in constructor for future kwargs models. * Add support for additional_properties. * The interpretation of Swagger 2.0 'discriminator' is now lenient. * Add ApiKeyCredentials class. This can be used to support OpenAPI ApiKey feature. * Add CognitiveServicesAuthentication class. Pre-declared ApiKeyCredentials class for Cognitive Services. * Add Configuration.session_configuration_callback to customize the requests.Session if necessary. * Add a flag to Serializer to disable client-side-validation. * Remove 'import requests' from 'exceptions.py' for apps that require fast loading time. * Input is now more lenient. * Model has a 'validate' method to check content constraints. * Model now has new methods for serialize, as_dict, deserialize and from_dict. 
+ Bugfixes * Fix a serialization issue if additional_properties is declared, and 'automatic model' syntax is used ('automatic model' being the ability to pass a dict to command and have the model auto-created). * Better parse empty node and not string types. * Improve 'object' XML parsing. * Fix some XML serialization subtle scenarios. * Fix some complex XML Swagger definitions. * Lower Accept header overwrite logging message. * Fix 'object' type and XML format. * Incorrect milliseconds serialization for some datetime object. * Improve `SDKClient.__exit__` to take exc_details as optional parameters and not required. * Refresh_session should also use the permanent HTTP session if available. * Fix incorrect date parsing if ms precision is over 6 digits. * Fix minimal dependency of isodate. * Fix serialisation from dict if datetime provided. * Date parsing is now compliant with Autorest / Swagger 2.0 specification (less lenient). * Accept to deserialize enum of different type if content string match. * Stop failing on deserialization if enum string is unknown. Return the string instead. * Do not validate additional_properties. * Improve validation error if expected type is dict, but actual type is not. * Fix additional_properties if Swagger was flattened. * Optional formdata parameters were raising an exception. * 'application/x-www-form-urlencoded' form was sent using 'multipart/form-data'. * Fix regression: accept 'set' as a valid '[str]' * Always log response body. * Improved exception message if error JSON is Odata v4. * Refuse 'str' as a valid '[str]' type. * Better exception handling if input from server is not JSON valid. * Fix regression introduced in msrest 0.4.12 - dict syntax with enum modeled as string and enum used. * Fix regression introduced in msrest 0.4.12 - dict syntax using isodate.Duration. * Better Enum checking. 
+ Internal optimisation * Calls that do not return a streamable object are now executed in requests stream mode False (was True whatever the type of the call). This should reduce the number of leaked open sessions and allow urllib3 to manage connection pooling more efficiently. Only clients generated with Autorest.Python >= 2.1.31 (not impacted otherwise, fully backward compatible) + Deprecation * Trigger DeprecationWarning for _client.add_header and _client.send_formdata. python-adal - Update to version 1.0.2 python-isodate - Update to version 0.6.0 + Support incomplete month date. + Rely on duck typing when doing duration maths. + Support ':' as separator in fractional time zones. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2454-1 Released: Thu Oct 25 11:19:46 2018 Summary: Recommended update for python-pyOpenSSL Type: recommended Severity: moderate References: 1110435 This update for python-pyOpenSSL fixes the following issues: - Handle duplicate certificate addition using X509_STORE_add_cert so it works after upgrading to openssl 1.1.1. (bsc#1110435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2463-1 Released: Thu Oct 25 14:48:34 2018 Summary: Recommended update for timezone, timezone-java Type: recommended Severity: moderate References: 1104700,1112310 This update for timezone, timezone-java fixes the following issues: The timezone database was updated to 2018f: - Volgograd moves from +03 to +04 on 2018-10-28. - Fiji ends DST 2019-01-13, not 2019-01-20. 
- Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700) - Corrections to past timestamps of DST transitions - Use 'PST' and 'PDT' for Philippine time - minor code changes to zic handling of the TZif format - documentation updates Other bugfixes: - Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2485-1 Released: Fri Oct 26 12:38:01 2018 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1112928 This update for kmod provides the following fixes: - Allow 'modprobe -c' to print the status of 'allow_unsupported_modules' option. (bsc#1112928) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2486-1 Released: Fri Oct 26 12:38:27 2018 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1105068 This update for xfsprogs fixes the following issues: - Explicitly disable systemd unit files for scrub (bsc#1105068). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2487-1 Released: Fri Oct 26 12:39:07 2018 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1102526 This update for glibc fixes the following issues: - Fix build on aarch64 with binutils newer than 2.30. 
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2550-1 Released: Wed Oct 31 16:16:56 2018 Summary: Recommended update for timezone, timezone-java Type: recommended Severity: moderate References: 1113554 This update provides the latest time zone definitions (2018g), including the following change: - Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2569-1 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1110700 This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2595-1 Released: Wed Nov 7 11:14:42 2018 Summary: Security update for systemd Type: security Severity: important References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688 This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. 
(bsc#1113665) Non security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - core: introduce systemd.early_core_pattern= kernel cmdline option - core: add missing 'continue' statement - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - install: drop left-over debug message (#6913) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SysV init tool. - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. 
(bsc#1089761) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908) - core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944) - Enable or disable machines.target according to the presets (bsc#1107941) - cryptsetup: add support for sector-size= option (fate#325697) - nspawn: always use permission mode 555 for /sys (bsc#1107640) - Bugfix for a race condition between daemon-reload and other commands (bsc#1105031) - Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677) - Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901) - No longer adjusts qgroups on existing subvolumes (bsc#1093753) - cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2607-1 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several bugs have been fixed, quite a few new warnings have been added, and the error pin-pointing and fix-suggestions have been greatly improved. 
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2641-1 Released: Mon Nov 12 20:39:30 2018 Summary: Recommended update for nfsidmap Type: recommended Severity: moderate References: 1098217 This update for nfsidmap fixes the following issues: - Improve support for SAMBA with Active Directory. (bsc#1098217) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2742-1 Released: Thu Nov 22 13:28:36 2018 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 969953 This update for rpcbind fixes the following issues: - Fix tool stack buffer overflow aborting (bsc#969953) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2825-1 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Type: security Severity: important References: 1115640,CVE-2018-17953 This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2861-1 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Type: security Severity: important References: 1103320,1115929,CVE-2018-19211 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove screen.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2961-1 Released: Mon Dec 17 19:51:40 2018 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: 1098697,1112780 This update for psmisc provides the following fix: - Make the fuser option -m work even with mountinfo. (bsc#1098697) - Support also btrFS entries in mountinfo, that is use stat(2) to determine the device of the mounted subvolume (bsc#1098697, bsc#1112780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2984-1 Released: Wed Dec 19 11:32:39 2018 Summary: Security update for perl Type: security Severity: moderate References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314 This update for perl fixes the following issues: Security issues fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). - CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675). - CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681). - CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2986-1 Released: Wed Dec 19 13:53:22 2018 Summary: Security update for libnettle Type: security Severity: moderate References: 1118086,CVE-2018-16869 This update for libnettle fixes the following issues: Security issues fixed: - CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:23-1 Released: Mon Jan 7 16:30:33 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1120346,CVE-2018-1000858 This update for gpg2 fixes the following issue: Security issue fixed: - CVE-2018-1000858: Fixed a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:44-1 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. (bsc#953659) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:62-1 Released: Thu Jan 10 20:30:58 2019 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1119063 This update for xfsprogs fixes the following issues: - Fix root inode's parent when it's bogus for sf directory (xfs repair). (bsc#1119063) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:102-1 Released: Tue Jan 15 18:02:58 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1120402 This update for timezone fixes the following issues: - Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. 
(bsc#1120402) - Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:137-1 Released: Mon Jan 21 15:52:45 2019 Summary: Security update for systemd Type: security Severity: important References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954 This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498) - systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933) - systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723) - Fixed installation issue with /etc/machine-id during update (bsc#1117063) - btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - udev: Downgrade message when setting inotify watch up fails. (bsc#1005023) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. 
The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online. (bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:147-1 Released: Wed Jan 23 17:57:31 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1121446 This update for ca-certificates-mozilla fixes the following issues: The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446) Removed Root CAs: - AC Raiz Certicamara S.A. - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Visa eCommerce Root Added Root CAs: - Certigna Root CA (email and server auth) - GTS Root R1 (server auth) - GTS Root R2 (server auth) - GTS Root R3 (server auth) - GTS Root R4 (server auth) - OISTE WISeKey Global Root GC CA (email and server auth) - UCA Extended Validation Root (server auth) - UCA Global G2 Root (email and server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:170-1 Released: Fri Jan 25 13:43:29 2019 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1118629 This update for kmod fixes the following issues: - Fixes module dependency file corruption on parallel invocation (bsc#1118629). - Allows 'modprobe -c' to print the status of 'allow_unsupported_modules' option. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:215-1 Released: Thu Jan 31 15:59:57 2019 Summary: Security update for python3 Type: security Severity: important References: 1120644,1122191,CVE-2018-20406,CVE-2019-5010 This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191) - CVE-2018-20406: Fixed an integer overflow via a large LONG_BINPUT (bsc#1120644) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:247-1 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Type: security Severity: moderate References: 1123043,CVE-2019-6706 This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:369-1 Released: Wed Feb 13 14:01:42 2019 Summary: Recommended update for itstool Type: recommended Severity: moderate References: 1065270,1111019 This update for itstool and python-libxml2-python fixes the following issues: Package: itstool - Updated version to support Python3. (bnc#1111019) Package: python-libxml2-python - Fix segfault when parsing invalid data. 
(bsc#1065270) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:426-1 Released: Mon Feb 18 17:46:55 2019 Summary: Security update for systemd Type: security Severity: important References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 This update for systemd fixes the following issues: - CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - logind: fix bad error propagation - login: log session state 'closing' (as well as New/Removed) - logind: fix borked r check - login: don't remove all devices from PID1 when only one was removed - login: we only allow opening character devices - login: correct comment in session_device_free() - login: remember that fds received from PID1 need to be removed eventually - login: fix FDNAME in call to sd_pid_notify_with_fds() - logind: fd 0 is a valid fd - logind: rework sd_eviocrevoke() - logind: check file is device node before using .st_rdev - logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153) - core: add a new sd_notify() message for removing fds from the FD store again - logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) - fd-util: accept that kcmp might fail with EPERM/EACCES - core: Fix use after free case in load_from_path() (bsc#1121563) - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - core: free lines after reading them (bsc#1123892) - sd-bus: if we receive an invalid dbus message, ignore and proceed - automount: don't pass non-blocking pipe to kernel. 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:571-1
Released: Thu Mar 7 18:13:46 2019
Summary: Security update for file
Type: security
Severity: moderate
References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907

This update for file fixes the following issues:
The following security vulnerabilities were addressed:
- CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
- CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
- CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119)
- CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:641-1
Released: Tue Mar 19 13:17:28 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1112570,1114984,1114993

This update for glibc provides the following fixes:
- Fix Haswell CPU string flags. (bsc#1114984)
- Fix waiters-after-spinning case. (bsc#1114993)
- Do not relocate absolute symbols. (bsc#1112570)
- Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551)
- Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962)
- Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:700-1
Released: Thu Mar 21 19:54:00 2019
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1044840

This update for cyrus-sasl provides the following fix:
- Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'.
By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:713-1
Released: Fri Mar 22 15:55:05 2019
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1063675,1126590

This update for glibc fixes the following issues:
- Add MAP_SYNC from Linux 4.15 (bsc#1126590)
- Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590)
- nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:732-1
Released: Mon Mar 25 14:10:04 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1088524,1118364,1128246

This update for aaa_base fixes the following issues:
- Restore old position of ssh/sudo source of profile (bsc#1118364).
- Update logic for JRE_HOME env variable (bsc#1128246)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:788-1
Released: Thu Mar 28 11:55:06 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1119687,CVE-2018-20346

This update for sqlite3 to version 3.27.2 fixes the following issue:
Security issue fixed:
- CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687).
Release notes: https://www.sqlite.org/releaselog/3_27_2.html
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:790-1
Released: Thu Mar 28 12:06:17 2019
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1130557

This update for timezone fixes the following issues:
timezone was updated 2019a:
* Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
* Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
* Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
* zic now has an -r option to limit the time range of output data
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:791-1
Released: Thu Mar 28 12:06:50 2019
Summary: Security update for libnettle
Type: recommended
Severity: moderate
References: 1129598

This update for libnettle to version 3.4.1 fixes the following issues:
Issues addressed and new features:
- Updated to 3.4.1 (fate#327114 and bsc#1129598)
- Fixed missing break statements in the parsing of PEM input files in pkcs1-conv.
- Fixed a link error on the pss-mgf1-test which was affecting builds without public key support.
- All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption.
- Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle usable for a Bleichenbacher-style chosen ciphertext attack, which is why the new function rsa_sec_decrypt is recommended.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:858-1
Released: Wed Apr 3 15:50:37 2019
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1120689,1126096

This update for libtirpc fixes the following issues:
- Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096).
- add an option to enforce connection via protocol version 2 first (bsc#1120689).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:903-1
Released: Mon Apr 8 15:41:44 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1100396,1122729,1130045,CVE-2016-10739

This update for glibc fixes the following issues:
Security issue fixed:
- CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729).
Other issue fixed:
- Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list due to missing compiler barriers (bsc#1130045).
- Added new Japanese Era name support (bsc#1100396).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:966-1
Released: Wed Apr 17 12:20:13 2019
Summary: Recommended update for python-rpm-macros
Type: recommended
Severity: moderate
References: 1128323

This update for python-rpm-macros fixes the following issues:
The Python RPM macros were updated to version 20190408.32abece, fixing bugs (bsc#1128323)
* Add missing $ expansion on the pytest call
* Rewrite pytest and pytest_arch into Lua macros with multiple arguments.
* We should preserve existing PYTHONPATH.
* Add --ignore to pytest calls to ignore build directories.
* Actually make pytest into function to capture arguments as well
* Add pytest definitions.
* Use upstream-recommended %{_rpmconfigdir}/macros.d directory for the rpm macros.
* Fix an issue with epoch printing having too many \
* add epoch while printing 'Provides:'
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:971-1
Released: Wed Apr 17 14:43:26 2019
Summary: Security update for python3
Type: security
Severity: important
References: 1129346,CVE-2019-9636

This update for python3 fixes the following issues:
Security issue fixed:
- CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1002-1
Released: Wed Apr 24 10:13:34 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1110304,1129576

This update for zlib fixes the following issues:
- Fixes a segmentation fault error (bsc#1110304, bsc#1129576)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1040-1
Released: Thu Apr 25 17:09:21 2019
Summary: Security update for samba
Type: security
Severity: important
References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880

This update for samba fixes the following issues:
Security issue fixed:
- CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060).
ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686):
- Out of bound read in ldb_wildcard_compare
- Hold at most 10 outstanding paged result cookies
- Put 'results_store' into a doubly linked list
- Refuse to build Samba against a newer minor version of ldb
Non-security issues fixed:
- Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377).
- Abide by the load_printers parameter in smb.conf (bsc#1124223).
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1127-1
Released: Thu May 2 09:39:24 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937

This update for sqlite3 to version 3.28.0 fixes the following issues:
Security issues fixed:
- CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326).
- CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1156-1
Released: Mon May 6 13:46:07 2019
Summary: Security update for python-Jinja2
Type: security
Severity: important
References: 1125815,1132174,1132323,CVE-2016-10745,CVE-2019-10906,CVE-2019-8341

This update for python-Jinja2 to version 2.10.1 fixes the following issues:
Security issues fixed:
- CVE-2019-8341: Fixed a command injection in from_string() (bsc#1125815).
- CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1206-1
Released: Fri May 10 14:01:55 2019
Summary: Security update for bzip2
Type: security
Severity: low
References: 985657,CVE-2016-3189

This update for bzip2 fixes the following issues:
Security issue fixed:
- CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1221-1
Released: Mon May 13 13:28:42 2019
Summary: Security update for libxslt
Type: security
Severity: moderate
References: 1132160,CVE-2019-11068

This update for libxslt fixes the following issues:
Security issue fixed:
- CVE-2019-11068: Fixed a protection mechanism bypass where callers of xsltCheckRead() and xsltCheckWrite() would permit access upon receiving an error (bsc#1132160).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1312-1
Released: Wed May 22 12:19:12 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1096191

This update for aaa_base fixes the following issue:
* Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1352-1
Released: Fri May 24 14:41:44 2019
Summary: Security update for python3
Type: security
Severity: moderate
References: 1130840,1133452,CVE-2019-9947

This update for python3 to version 3.6.8 fixes the following issues:
Security issue fixed:
- CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840).
Non-security issue fixed:
- Fixed broken debuginfo packages by switching off LTO and PGO optimization (bsc#1133452).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1364-1
Released: Tue May 28 10:51:38 2019
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933

This update for systemd fixes the following issues:
Security issues fixed:
- CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348).
- CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352).
- CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509).
Non-security issues fixed:
- logind: fix killing of scopes (bsc#1125604)
- namespace: make MountFlags=shared work again (bsc#1124122)
- rules: load drivers only on 'add' events (bsc#1126056)
- sysctl: Don't pass null directive argument to '%s' (bsc#1121563)
- systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933)
- udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400)
- sd-bus: bump message queue size again (bsc#1132721)
- Do not automatically online memory on s390x (bsc#1127557)
- Removed sg.conf (bsc#1036463)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1368-1
Released: Tue May 28 13:15:38 2019
Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root
Type: security
Severity: important
References: 1134524,CVE-2019-5021

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:
- CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1372-1
Released: Tue May 28 16:53:28 2019
Summary: Security update for libtasn1
Type: security
Severity: moderate
References: 1105435,CVE-2018-1000654

This update for libtasn1 fixes the following issues:
Security issue fixed:
- CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1484-1
Released: Thu Jun 13 07:46:46 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1128383

This update for e2fsprogs fixes the following issues:
- Check and fix tails of all bitmap blocks (bsc#1128383)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1486-1
Released: Thu Jun 13 09:40:24 2019
Summary: Security update for elfutils
Type: security
Severity: moderate
References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665

This update for elfutils fixes the following issues:
Security issues fixed:
- CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084)
- CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085)
- CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086)
- CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087)
- CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088)
- CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089)
- CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of
sections and the number of segments in a crafted ELF file (bsc#1033090)
- CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390)
- CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066)
- CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067)
- CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973)
- CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726)
- CVE-2018-18521: Fixed denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723)
- CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685)
- CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1487-1
Released: Thu Jun 13 09:40:56 2019
Summary: Security update for python-requests
Type: security
Severity: moderate
References: 1111622,CVE-2018-18074

This update for python-requests to version 2.20.1 fixes the following issues:
Security issue fixed:
- CVE-2018-18074: Fixed an information disclosure vulnerability of the HTTP Authorization header (bsc#1111622).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1595-1
Released: Fri Jun 21 10:17:44 2019
Summary: Security update for dbus-1
Type: security
Severity: important
References: 1137832,CVE-2019-12749

This update for dbus-1 fixes the following issues:
Security issue fixed:
- CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1616-1
Released: Fri Jun 21 11:04:39 2019
Summary: Recommended update for rpcbind
Type: recommended
Severity: moderate
References: 1134659

This update for rpcbind fixes the following issues:
- Change rpcbind locking path from /var/run/rpcbind.lock to /run/rpcbind.lock. (bsc#1134659)
- Change the order of socket/service in the %postun scriptlet to avoid an error from rpcbind.socket when rpcbind is running during package update.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1627-1
Released: Fri Jun 21 11:15:11 2019
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1073421,1122271,1129859

This update for xfsprogs fixes the following issues:
- xfs_repair: will now allow '/' in attribute names (bsc#1122271)
- xfs_repair: will now allow zeroing of corrupt log (bsc#1073421)
- enabled offline (unmounted) filesystem geometry queries (bsc#1129859)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1631-1
Released: Fri Jun 21 11:17:21 2019
Summary: Recommended update for xz
Type: recommended
Severity: low
References: 1135709

This update for xz fixes the following issues:
Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1635-1
Released: Fri Jun 21 12:45:53 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1134217

This update for krb5 provides the following fix:
- Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap.
(bsc#1134217)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1700-1
Released: Tue Jun 25 13:19:21 2019
Summary: Security update for libssh
Type: recommended
Severity: moderate
References: 1134193

This update for libssh fixes the following issue:
Issue addressed:
- Added support for new AES-GCM encryption types (bsc#1134193).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1808-1
Released: Wed Jul 10 13:16:29 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1133808

This update for libgcrypt fixes the following issues:
- Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1815-1
Released: Thu Jul 11 07:47:55 2019
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1140016

This update for timezone fixes the following issues:
- Timezone update 2019b. (bsc#1140016):
- Brazil no longer observes DST.
- 'zic -b slim' outputs smaller TZif files.
- Palestine's 2019 spring-forward transition was on 03-29, not 03-30.
- Add info about the Crimea situation.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1835-1
Released: Fri Jul 12 18:06:31 2019
Summary: Security update for expat
Type: security
Severity: moderate
References: 1139937,CVE-2018-20843

This update for expat fixes the following issues:
Security issue fixed:
- CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1846-1
Released: Mon Jul 15 11:36:33 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:
Security issue fixed:
- CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1853-1
Released: Mon Jul 15 16:03:36 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1107617,1137053

This update for systemd fixes the following issues:
- conf-parse: remove 4K line length limit (bsc#1137053)
- udevd: change the default value of udev.children-max (again) (bsc#1107617)
- meson: stop creating enablement symlinks in /etc during installation (sequel)
- Fixed build for openSUSE Leap 15+
- Make sure we don't ship any static enablement symlinks in /etc
  Those symlinks must only be created by the presets. There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1877-1
Released: Thu Jul 18 11:31:46 2019
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169

This update for glibc fixes the following issues:
Security issues fixed:
- CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308).
- CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223).
Non-security issues fixed:
- No longer compresses debug sections in crt*.o files (bsc#1123710)
- Fixes a concurrency problem in ldconfig (bsc#1117993)
- Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:1971-1
Released: Thu Jul 25 14:58:52 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1138939,CVE-2019-12904

This update for libgcrypt fixes the following issues:
Security issue fixed:
- CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:1994-1
Released: Fri Jul 26 16:12:05 2019
Summary: Recommended update for libxml2
Type: recommended
Severity: moderate
References: 1135123

This update for libxml2 fixes the following issues:
- Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2004-1
Released: Mon Jul 29 13:01:59 2019
Summary: Security update for bzip2
Type: security
Severity: important
References: 1139083,CVE-2019-12900

This update for bzip2 fixes the following issues:
- Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2006-1
Released: Mon Jul 29 13:02:49 2019
Summary: Security update for gpg2
Type: security
Severity: important
References: 1124847,1141093,CVE-2019-13050

This update for gpg2 fixes the following issues:
Security issue fixed:
- CVE-2019-13050: Fixed denial of service attacks via big keys (bsc#1141093).
Non-security issue fixed:
- Allow coredumps in X11 desktop sessions (bsc#1124847)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2050-1
Released: Tue Aug 6 09:42:37 2019
Summary: Security update for python3
Type: security
Severity: important
References: 1094814,1138459,1141853,CVE-2018-20852,CVE-2019-10160

This update for python3 fixes the following issues:
Security issue fixed:
- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be sent to the wrong server because of incorrect domain validation (bsc#1141853).
Non-security issue fixed:
- Fixed an issue where the SIGINT signal was ignored or not handled (bsc#1094814).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2097-1
Released: Fri Aug 9 09:31:17 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1097073

This update for libgcrypt fixes the following issues:
- Fixed a regression where systems were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2134-1
Released: Wed Aug 14 11:54:56 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1136717,1137624,1141059,SLE-5807

This update for zlib fixes the following issues:
- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements.
(jsc#SLE-5807, bsc#1136717)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2188-1
Released: Wed Aug 21 10:10:29 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1140647

This update for aaa_base fixes the following issues:
- Make systemd detection cgroup oblivious. (bsc#1140647)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2218-1
Released: Mon Aug 26 11:29:57 2019
Summary: Recommended update for pinentry
Type: recommended
Severity: moderate
References: 1141883

This update for pinentry fixes the following issues:
- Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169

This update for ca-certificates-mozilla fixes the following issues:
ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)
Removed CAs:
- Certinomis - Root CA
Includes new root CAs from the 2.32 version:
- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2306-1
Released: Thu Sep 5 14:39:23 2019
Summary: Recommended update for parted
Type: recommended
Severity: moderate
References: 1082318,1136245

This update for parted fixes the following issues:
- Included several minor bug fixes - for more details please refer to this rpm's changelog (bsc#1136245)
- Installs the license file in the correct directory (bsc#1082318)
-----------------------------------------------------------------
Advisory ID:
SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

This update for util-linux and shadow fixes the following issues:
util-linux:
- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).
shadow:
- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2332-1
Released: Mon Sep 9 10:17:16 2019
Summary: Security update for python-urllib3
Type: security
Severity: moderate
References: 1129071,1132663,1132900,CVE-2019-11236,CVE-2019-11324,CVE-2019-9740

This update for python-urllib3 fixes the following issues:
Security issues fixed:
- CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071).
- CVE-2019-11324: Fixed invalid CA certificate verification (bsc#1132900).
- CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

This update for krb5 contains the following fixes:
- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2365-1
Released: Thu Sep 12 11:23:31 2019
Summary: Security update for python-Werkzeug
Type: security
Severity: moderate
References: 1145383,CVE-2019-14806

This update for python-Werkzeug fixes the following issues:
Security issue fixed:
- CVE-2019-14806: Fixed the development server in Docker, the debugger security pin is now unique per container (bsc#1145383).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

This update for openldap2 fixes the following issues:
Security issue fixed:
- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)
Non-security issues fixed:
- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2422-1 Released: Fri Sep 20 16:36:43 2019 Summary: Recommended update for python-urllib3 Type: recommended Severity: moderate References: 1150895 This update for python-urllib3 fixes the following issues: - Add missing dependency on python-six (bsc#1150895) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2423-1 Released: Fri Sep 20 16:41:45 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1146866,SLE-9132 This update for aaa_base fixes the following issues: Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132) Following settings have been tightened (and set to 0): - net.ipv4.conf.all.accept_redirects - net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_source_route - net.ipv6.conf.all.accept_redirects - net.ipv6.conf.default.accept_redirects ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2429-1 Released: Mon Sep 23 09:28:40 2019 Summary: Security update for expat Type: security Severity: moderate References: 1149429,CVE-2019-15903 This update for expat fixes the following issues: Security issues fixed: - CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2019:2483-1 Released: Fri Sep 27 14:16:23 2019 Summary: Optional update for python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate. Type: optional Severity: low References: 1088358 This update ships python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate for the SUSE Linux Enterprise Public Cloud 15 module. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2517-1 Released: Wed Oct 2 10:49:20 2019 Summary: Security update for libseccomp Type: security Severity: moderate References: 1082318,1128828,1142614,CVE-2019-9893 This update for libseccomp fixes the following issues: Security issues fixed: - CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828) libseccomp was updated to new upstream release 2.4.1: - Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks. libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893): - Update the syscall table for Linux v5.0-rc5 - Added support for the SCMP_ACT_KILL_PROCESS action - Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute - Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension - Added support for the parisc and parisc64 architectures - Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3) - Return -EDOM on an endian mismatch when adding an architecture to a filter - Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run() - Fix PFC generation when a syscall is prioritized, but no rule exists - Numerous fixes to the seccomp-bpf filter generation code - Switch our internal hashing function to jhash/Lookup3 to MurmurHash3 - Numerous tests added to the included test suite, coverage now at ~92% - Update our Travis CI configuration to use Ubuntu 16.04 - Numerous documentation fixes and updates libseccomp was updated to release 2.3.3: - Updated the syscall table for Linux v4.15-rc7 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2533-1 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 
1150137,CVE-2019-16168 This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2647-1 Released: Fri Oct 11 17:12:06 2019 Summary: Recommended update for python-pyOpenSSL Type: recommended Severity: moderate References: 1149792 This update for python-pyOpenSSL fixes the following issues: - Adds compatibility for openSSL 1.1.1d (bsc#1149792) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2656-1 Released: Mon Oct 14 17:02:24 2019 Summary: Security update for sudo Type: security Severity: important References: 1153674,CVE-2019-14287 This update for sudo fixes the following issue: - CVE-2019-14287: Fixed an issue where a user with sudo privileges that allowed them to run commands with an arbitrary uid, could run commands as root, despite being forbidden to do so in sudoers (bsc#1153674). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2676-1 Released: Tue Oct 15 21:06:54 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1145716,1152101,CVE-2019-5094 This update for e2fsprogs fixes the following issues: Security issue fixed: - CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2693-1 Released: Wed Oct 16 16:43:30 2019 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 1142343 This update for rpcbind fixes the following issues: - Return correct IP address with multiple ip addresses in the same subnet.
(bsc#1142343) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2730-1 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data.
(bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: dont use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch 
for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2757-1 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Type: security Severity: moderate References: 1153936,CVE-2019-17543 This update for lz4 fixes the following issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2762-1 Released: Thu Oct 24 07:08:44 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1150451 This update for timezone fixes the following issues: - Fiji observes DST from 2019-11-10 to 2020-01-12. - Norfolk Island starts observing Australian-style DST. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2779-1 Released: Thu Oct 24 16:57:42 2019 Summary: Security update for binutils Type: security Severity: moderate References: 1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118644,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,1152590,1154016,1154025,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945,CVE-2019-1010180,ECO-368,SLE-6206 This update for binutils fixes the following issues: binutils was updated to current 2.32 branch [jsc#ECO-368]. Includes following security fixes: - CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412) - CVE-2018-17359: Fixed invalid memory access exists in bfd_zalloc in opncls.c (bsc#1109413) - CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414) - CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827) - CVE-2018-18309: Fixed an invalid memory address dereference was discovered in read_reloc in reloc.c (bsc#1111996) - CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535) - CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534) - CVE-2018-18605: Fixed a heap-based buffer over-read issue was discovered in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255) - CVE-2018-18606: Fixed a NULL pointer 
dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252) - CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247) - CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831) - CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830) - CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035) - CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034) - CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056) - CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640) - CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772) - enable xtensa architecture (Tensilica lc6 and related) - Use -ffat-lto-objects in order to provide assembly for static libs (bsc#1141913). - Fixed some LTO build issues (bsc#1133131 bsc#1133232). - riscv: Don't check ABI flags if no code section - Fixed a segfault in ld when building some versions of pacemaker (bsc#1154025, bsc#1154016). - Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses (bsc#1152590). Update to binutils 2.32: * The binutils now support for the C-SKY processor series. * The x86 assembler now supports a -mvexwig=[0|1] option to control encoding of VEX.W-ignored (WIG) VEX instructions. It also has a new -mx86-used-note=[yes|no] option to generate (or not) x86 GNU property notes. 
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2), the Loongson EXTensions (EXT) instructions, the Loongson Content Address Memory (CAM) ASE and the Loongson MultiMedia extensions Instructions (MMI) ASE. * The addr2line, c++filt, nm and objdump tools now have a default limit on the maximum amount of recursion that is allowed whilst demangling strings. This limit can be disabled if necessary. * Objdump's --disassemble option can now take a parameter, specifying the starting symbol for disassembly. Disassembly will continue from this symbol up to the next symbol or the end of the function. * The BFD linker will now report property change in linker map file when merging GNU properties. * The BFD linker's -t option now doesn't report members within archives, unless -t is given twice. This makes it more useful when generating a list of files that should be packaged for a linker bug report. * The GOLD linker has improved warning messages for relocations that refer to discarded sections. - Improve relro support on s390 [fate#326356] - Fix broken debug symbols (bsc#1118644) - Handle ELF compressed header alignment correctly. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2782-1 Released: Fri Oct 25 14:27:52 2019 Summary: Security update for nfs-utils Type: security Severity: moderate References: 1150733,CVE-2019-3689 This update for nfs-utils fixes the following issues: - CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2802-1 Released: Tue Oct 29 11:39:05 2019 Summary: Security update for python3 Type: security Severity: moderate References: 1149121,1149792,1149955,1151490,1153238,CVE-2019-16056,CVE-2019-16935,PM-1350,SLE-9426 This update for python3 to 3.6.9 fixes the following issues: Security issues fixed: - CVE-2019-16056: Fixed a parser issue in the email module. 
(bsc#1149955) - CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). Non-security issues fixed: - Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490) - Improved locale handling by implementing PEP 538. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2812-1 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. - units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks. - units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. 
(bsc#1145023) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2870-1 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1051143,1138869,1151023 This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2891-1 Released: Mon Nov 4 17:47:10 2019 Summary: Security update for python-ecdsa Type: security Severity: moderate References: 1153165,1154217,CVE-2019-14853,CVE-2019-14859 This update for python-ecdsa to version 0.13.3 fixes the following issues: Security issues fixed: - CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165). - CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2929-1 Released: Thu Nov 7 16:45:13 2019 Summary: Recommended update for python-kubernetes Type: recommended Severity: moderate References: 1151481 This update for python-kubernetes fixes the following issues: - python-ipaddress is only required for building on Python2 (on Python3 is part of the standard library) - Backport fix for base64 padding in kubeconfig (bsc#1151481) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2418-1 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1133773,1143055 This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' 
to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm' - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2997-1 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3059-1 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3061-1 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. 
Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3070-1 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1152755 This update for gpg2 provides the following fix: - Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed in the past.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:9-1 Released: Thu Jan 2 12:33:47 2020 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1157438 This update for xfsprogs fixes the following issues: - Remove the 'xfs_scrub_all' script from the package, and the corresponding dependency of python. (bsc#1157438) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:36-1 Released: Wed Jan 8 10:26:46 2020 Summary: Recommended update for python-pyOpenSSL Type: recommended Severity: low References: 1159989 This update fixes the build of python-pyOpenSSL in 2020 (bsc#1159989). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:114-1 Released: Thu Jan 16 10:11:52 2020 Summary: Security update for python3 Type: security Severity: important References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947 This update for python3 to version 3.6.10 fixes the following issues: - CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507). - CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955). - CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:119-1 Released: Thu Jan 16 15:42:39 2020 Summary: Recommended update for python-jsonpatch Type: recommended Severity: moderate References: 1160978 This update for python-jsonpatch fixes the following issues: - Drop jsondiff binary to avoid conflict with python-jsondiff package. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). 
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger??? 
(bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot 
option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:340-1 Released: Thu Feb 6 13:03:56 2020 Summary: Recommended update for python-rpm-macros Type: recommended Severity: moderate References: 1161770 This update for python-rpm-macros fixes the following issues: - Add macros related to the Python dist metadata dependency generator. (bsc#1161770) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:408-1 Released: Wed Feb 19 09:32:46 2020 Summary: Security update for sudo Type: security Severity: important References: 1162202,1162675,CVE-2019-18634 This update for sudo fixes the following issues: Security issue fixed: - CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Non-security issue fixed: - Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675). 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released: Tue Feb 25 10:50:35 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1155337,1161215,1161216,1161218,1161219,1161220

This update for libgcrypt fixes the following issues:

- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:453-1
Released: Tue Feb 25 10:51:53 2020
Summary: Recommended update for binutils
Type: recommended
Severity: moderate
References: 1160590

This update for binutils fixes the following issues:

- Recognize the official name of s390 arch13: 'z15'. (bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:462-1
Released: Tue Feb 25 11:49:30 2020
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1158504,1158509,1158630,1158758

This update for xfsprogs fixes the following issues:

- Allow the filesystem utility xfs_io to suffix sizes with k,m,g for kilobytes, megabytes or gigabytes respectively. (bsc#1158630)
- Validate extent size hint parameters through libxfs to avoid output mismatch. (bsc#1158509)
- Fix for 'xfs_repair' not to fail recovery of orphaned shortform directories. (bsc#1158504)
- Fix for 'xfs_quota' to avoid false error reporting of project inheritance flag is not set. (bsc#1158758)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:467-1
Released: Tue Feb 25 12:00:39 2020
Summary: Security update for python3
Type: security
Severity: moderate
References: 1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492

This update for python3 fixes the following issues:

Security issues fixed:

- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).

Non-security issue fixed:

- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released: Tue Feb 25 14:23:14 2020
Summary: Recommended update for perl
Type: recommended
Severity: moderate
References: 1102840,1160039

This update for perl fixes the following issues:

- Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digit only instead of four digits. (bsc#1102840) (bsc#1160039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released: Tue Feb 25 17:38:22 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1160735

This update for aaa_base fixes the following issues:

- Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:498-1
Released: Wed Feb 26 17:59:44 2020
Summary: Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized
Type: recommended
Severity: moderate
References: 1122669,1136184,1146853,1146854,1159018

This update for aws-cli, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized, python-boto3, python-botocore, python-s3transfer fixes the following issues:

python-aws-sam-translator was updated to 1.11.0 (bsc#1159018, jsc#PM-1507):

Upgrade to 1.11.0:
* Add ReservedConcurrentExecutions to globals
* Fix ElasticsearchHttpPostPolicy resource reference
* Support using AWS::Region in Ref and Sub
* Documentation and examples updates
* Add VersionDescription property to Serverless::Function
* Update ServerlessRepoReadWriteAccessPolicy
* Add additional template validation

Upgrade to 1.10.0:
* Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
* Add DynamoDBReconfigurePolicy
* Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
* Add EKSDescribePolicy
* Add SESBulkTemplatedCrudPolicy
* Add FilterLogEventsPolicy
* Add SSMParameterReadPolicy
* Add SESEmailTemplateCrudPolicy
* Add s3:PutObjectAcl to S3CrudPolicy
* Add allow_credentials CORS option
* Add support for AccessLogSetting and CanarySetting Serverless::Api properties
* Add support for X-Ray in Serverless::Api
* Add support for MinimumCompressionSize in Serverless::Api
* Add Auth to Serverless::Api globals
* Remove trailing slashes from APIGW permissions
* Add SNS FilterPolicy and an example application
* Add Enabled property to Serverless::Function event sources
* Add support for PermissionsBoundary in Serverless::Function
* Fix boto3 client initialization
* Add PublicAccessBlockConfiguration property to S3 bucket resource
* Make PAY_PER_REQUEST default mode for Serverless::SimpleTable
* Add limited support for resolving intrinsics in Serverless::LayerVersion
* SAM now uses Flake8
* Add example application for S3 Events written in Go
* Updated several example applications

python-cfn-lint was added in version 0.21.4:

- Add upstream patch to fix EOL dates for lambda runtimes
- Add upstream patch to fix test_config_expand_paths test
- Rename to python-cfn-lint. This package has a python API, which is required by python-moto.

Update to version 0.21.4:
+ Features
  * Include more resource types in W3037
+ CloudFormation Specifications
  * Add Resource Type `AWS::CDK::Metadata`
+ Fixes
  * Uncap requests dependency in setup.py
  * Check Join functions have lists in the correct sections
  * Pass a parameter value for AutoPublishAlias when doing a Transform
  * Show usage examples when displaying the help

Update to version 0.21.3
+ Fixes
  * Support dumping strings for datetime objects when doing a Transform

Update to version 0.21.2
+ CloudFormation Specifications
  * Update CloudFormation specs to 3.3.0
  * Update instance types from pricing API as of 2019.05.23

Update to version 0.21.1
+ Features
  * Add `Info` logging capability and set the default logging to `NotSet`
+ Fixes
  * Only do rule logging (start/stop/time) when the rule is going to be called
  * Update rule E1019 to allow `Fn::Transform` inside a `Fn::Sub`
  * Update rule W2001 to not break when `Fn::Transform` inside a `Fn::Sub`
  * Update rule E2503 to allow conditions to be used and to not default to `network` load balancer when an object is used for the Load Balancer type

Update to version 0.21.0
+ Features
  * New rule E3038 to check if a Serverless resource includes the appropriate Transform
  * New rule E2531 to validate a Lambda's runtime against the deprecated dates
  * New rule W2531 to validate a Lambda's runtime against the EOL dates
  * Update rule E2541 to include updates to Code Pipeline capabilities
  * Update rule E2503 to include checking of values for load balancer attributes
+ CloudFormation Specifications
  * Update CloudFormation specs to 3.2.0
  * Update instance types from pricing API as of 2019.05.20
+ Fixes
  * Include setuptools in setup.py requires

Update to version 0.20.3
+ CloudFormation Specifications
  * Update instance types from pricing API as of 2019.05.16
+ Fixes
  * Update E7001 to allow float/doubles for mapping values
  * Update W1020 to check pre-transformed Fn::Sub(s) to determine if a Sub is needed
  * Pin requests to be below or equal to 2.21.0 to prevent issues with botocore

Update to version 0.20.2
+ Features
  * Add support for List Parameter types
+ CloudFormation Specifications
  * Add allowed values for AWS::EC2 EIP, FlowLog, CustomerGateway, DHCPOptions, EC2Fleet
  * Create new property type for Security Group IDs or Names
  * Add new Lambda runtime environment for NodeJs 10.x
  * Move AWS::ServiceDiscovery::Service Health checks from Only One to Exclusive
  * Update Glue Crawler Role to take an ARN or a name
  * Remove PrimitiveType from MaintenanceWindowTarget Targets
  * Add Min/Max values for Load Balancer Ports to be between 1-65535
+ Fixes
  * Include License file in the pypi package to help with downstream projects
  * Filter out dynamic references from rule E3031 and E3030
  * Convert Python linting and Code Coverage from Python 3.6 to 3.7

Update to version 0.20.1
+ Fixes
  * Update rule E8003 to support more functions inside a Fn::Equals

Update to version 0.20.0
+ Features
  * Allow a rule's exception to be defined in a resource's metadata
  * Add rule configuration capabilities
  * Update rule E3012 to allow for non strict property checking
  * Add rule E8003 to test Fn::Equals structure and syntax
  * Add rule E8004 to test Fn::And structure and syntax
  * Add rule E8005 to test Fn::Not structure and syntax
  * Add rule E8006 to test Fn::Or structure and syntax
  * Include Path to error in the JSON output
  * Update documentation to describe how to install cfn-lint from brew
+ CloudFormation Specifications
  * Update CloudFormation specs to version 3.0.0
  * Add new region ap-east-1
  * Add list min/max and string min/max for CloudWatch Alarm Actions
  * Add allowed values for EC2::LaunchTemplate
  * Add allowed values for EC2::Host
  * Update allowed values for Amazon MQ to include 5.15.9
  * Add AWS::Greengrass::ResourceDefinition to GreenGrass supported regions
  * Add AWS::EC2::VPCEndpointService to all regions
  * Update AWS::ECS::TaskDefinition ExecutionRoleArn to be an IAM Role ARN
  * Patch spec files for SSM MaintenanceWindow to look for Target and not Targets
  * Update ManagedPolicyArns list size to be 20 which is the hard limit. 10 is the soft limit.
+ Fixes
  * Fix rule E3033 to check the string size when the string is inside a list
  * Fix an issue in which AWS::NotificationARNs was not a list
  * Add AWS::EC2::Volume to rule W3010
  * Fix an issue with W2001 where SAM translate would remove the Ref to a parameter causing this error to falsely trigger
  * Fix rule W3010 to not error when the availability zone is 'all'

Update to version 0.19.1
+ Fixes
  * Fix core Condition processing to support direct Condition in another Condition
  * Fix the W2030 to check numbers against string allowed values

Update to version 0.19.0
+ Features
  * Add NS and PTR Route53 record checking to rule E3020
  * New rule E3050 to check if a Ref to IAM Role has a Role path of '/'
  * New rule E3037 to look for duplicates in a list that doesn't support duplicates
  * New rule I3037 to look for duplicates in a list when duplicates are allowed
+ CloudFormation Specifications
  * Add Min/Max values to AWS::ElasticLoadBalancingV2::TargetGroup HealthCheckTimeoutSeconds
  * Add Max JSON size to AWS::IAM::ManagedPolicy PolicyDocument
  * Add allowed values for AWS::EC2 SpotFleet, TransitGateway, NetworkAcl NetworkInterface, PlacementGroup, and Volume
  * Add Min/max values to AWS::Budgets::Budget.Notification Threshold
  * Update RDS Instance types by database engine and license definitions using the pricing API
  * Update AWS::CodeBuild::Project ServiceRole to support Role Name or ARN
  * Update AWS::ECS::Service Role to support Role Name or ARN
+ Fixes
  * Update E3025 to support the new structure of data in the RDS instance type json
  * Update E2540 to remove all nested conditions from the object
  * Update E3030 to not do strict type checking
  * Update E3020 to support conditions nested in the record sets
  * Update E3008 to better handle CloudFormation sub stacks with different GetAtt formats

Update to version 0.18.1
+ CloudFormation Specifications
  * Update CloudFormation Specs to 2.30.0
  * Fix IAM Regex Path to support more character types
  * Update AWS::Batch::ComputeEnvironment.ComputeResources InstanceRole to reference an InstanceProfile or GetAtt the InstanceProfile Arn
  * Allow VPC IDs to Ref a Parameter of type String
+ Fixes
  * Fix E3502 to check the size of the property instead of the parent object

Update to version 0.18.0
+ Features
  * New rule E3032 to check the size of lists
  * New rule E3502 to check JSON Object Size using definitions in the spec file
  * New rule E3033 to test the minimum and maximum length of a string
  * New rule E3034 to validate the min and max of a number
  * Remove Ebs Iops check from E2504 and use rule E3034 instead
  * Remove rule E2509 and use rule E3033 instead
  * Remove rule E2508 as it replaced by E3032 and E3502
  * Update rule E2503 to check that there are at least two Subnets or SubnetMappings for ALBs
  * SAM requirement upped to minimal version of 1.10.0
+ CloudFormation Specifications
  * Extend specs to include:
    > `ListMin` and `ListMax` for the minimum and maximum size of a list
    > `JsonMax` to check the max size of a JSON Object
    > `StringMin` and `StringMax` to check the minimum and maximum length of a String
    > `NumberMin` and `NumberMax` to check the minimum and maximum value of a Number, Float, Long
  * Update State and ExecutionRoleArn to be required on AWS::DLM::LifecyclePolicy
  * Add AllowedValues for PerformanceInsightsRetentionPeriod for AWS::RDS::Instance
  * Add AllowedValues for the AWS::GuardDuty Resources
  * Add AllowedValues for AWS::EC2 VPC and VPN Resources
  * Switch IAM Instance Profiles for certain resources to the type that only takes the name
  * Add regex pattern for IAM Instance Profile when a name (not Arn) is used
  * Add regex pattern for IAM Paths
  * Add Regex pattern for IAM Role Arn
  * Update OnlyOne spec to require at least one of Subnets or SubnetMappings with ELB v2
+ Fixes
  * Fix serverless transform to use DefinitionBody when Auth is in the API definition
  * Fix rule W2030 to not error when checking SSM or List Parameters

Update to version 0.17.1
+ Features
  * Update rule E2503 to make sure NLBs don't have a Security Group configured
+ CloudFormation Specifications
  * Add all the allowed values of the `AWS::Glue` Resources
  * Update OnlyOne check for `AWS::CloudWatch::Alarm` to only `MetricName` or `Metrics`
  * Update Exclusive check for `AWS::CloudWatch::Alarm` for properties mixed with `Metrics` and `Statistic`
  * Update CloudFormation specs to 2.29.0
  * Fix type with MariaDB in the AllowedValues
  * Update pricing information for data available on 2018.3.29
+ Fixes
  * Fix rule E1029 to not look for a sub is needed when looking for iot strings in policies
  * Fix rule E2541 to allow for ActionId Versions of length 1-9 and meets regex `[0-9A-Za-z_-]+`
  * Fix rule E2532 to allow for `Parameters` inside a `Pass` action
  * Fix an issue when getting the location of an error in which numbers are causing an attribute error

Update to version 0.17.0
+ Features
  * Add new rule E3026 to validate Redis cluster settings including AutomaticFailoverEnabled and NumCacheClusters. Status: Released
  * Add new rule W3037 to validate IAM resource policies. Status: Experimental
  * Add new parameter `-e/--include-experimental` to allow for new rules in that aren't ready to be fully released
+ CloudFormation Specifications
  * Update Spec files to 2.28.0
  * Add all the allowed values of the AWS::Redshift::* Resources
  * Add all the allowed values of the AWS::Neptune::* Resources
  * Patch spec to make AWS::CloudFront::Distribution.LambdaFunctionAssociation.LambdaFunctionARN required
  * Patch spec to make AWS::DynamoDB::Table AttributeDefinitions required
+ Fixes
  * Remove extra blank lines when there is no errors in the output
  * Add exception to rule E1029 to have exceptions for EMR CloudWatchAlarmDefinition
  * Update rule E1029 to allow for literals in a Sub
  * Remove sub checks from rule E3031 as it won't match in all cases of an allowed pattern regex check
  * Correct typos for errors in rule W1001
  * Switch from parsing a template as Yaml to Json when finding an escape character
  * Fix an issue with SAM related to transforming templates with Serverless Application and Lambda Layers
  * Fix an issue with rule E2541 when non strings were used for Stage Names

Update to version 0.16.0
+ Features
  * Add rule E3031 to look for regex patterns based on the patched spec file
  * Remove regex checks from rule E2509
  * Add parameter `ignore-templates` to allow the ignoring of templates when doing bulk linting
+ CloudFormation Specifications
  * Update Spec files to 2.26.0
  * Add all the allowed values of the AWS::DirectoryService::* Resources
  * Add all the allowed values of the AWS::DynamoDB::* Resources
  * Added AWS::Route53Resolver resources to the Spec Patches of ap-southeast-2
  * Patch the spec file with regex patterns
  * Add all the allowed values of the AWS::DocDb::* Resources
+ Fixes
  * Update rule E2504 to have '20000' as the max value
  * Update rule E1016 to not allow ImportValue inside of Conditions
  * Update rule E2508 to check conditions when providing limit checks on managed policies
  * Convert unicode to strings when in Py 3.4/3.5 and updating specs
  * Convert from `awslabs` to `aws-cloudformation` organization
  * Remove suppression of logging that was removed from samtranslator >1.7.0 and incompatibility with samtranslator 1.10.0

Update to version 0.15.0
+ Features
  * Add scaffolding for arbitrary Match attributes, adding attributes for Type checks
  * Add rule E3024 to validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST
+ CloudFormation Specifications
  * Update Spec files to 2.24.0
  * Update OnlyOne spec to have BlockDeviceMapping to include NoDevice with Ebs and VirtualName
  * Add all the allowed values of the AWS::CloudFront::* Resources
  * Add all the allowed values of the AWS::DAX::* Resources
+ Fixes
  * Update config parsing to use the builtin Yaml decoder
  * Add condition support for Inclusive E2521, Exclusive E2520, and AtLeastOne E2522 rules
  * Update rule E1029 to better check Resource strings inside IAM Policies
  * Improve the line/column information of a Match with array support

Update to version 0.14.1
+ CloudFormation Specifications
  * Update CloudFormation Specs to version 2.23.0
  * Add allowed values for AWS::Config::* resources
  * Add allowed values for AWS::ServiceDiscovery::* resources
  * Fix allowed values for Apache MQ
+ Fixes
  * Update rule E3008 to not error when using a list from a custom resource
  * Support simple types in the CloudFormation spec
  * Add tests for the formatters

Update to version 0.14.0
+ Features
  * Add rule E3035 to check the values of DeletionPolicy
  * Add rule E3036 to check the values of UpdateReplacePolicy
  * Add rule E2014 to check that there are no REFs in the Parameter section
  * Update rule E2503 to support TLS on NLBs
+ CloudFormation Specifications
  * Update CloudFormation spec to version 2.22.0
  * Add allowed values for AWS::Cognito::* resources
+ Fixes
  * Update rule E3002 to allow GetAtts to Custom Resources under a Condition

Update to version 0.13.2
+ Features
  * Introducing the cfn-lint logo!
  * Update SAM dependency version
+ Fixes
  * Fix CloudWatchAlarmComparisonOperator allowed values.
  * Fix typo resoruce_type_spec in several files
  * Better support for nested And, Or, and Not when processing Conditions

Update to version 0.13.1
+ CloudFormation Specifications
  * Add allowed values for AWS::CloudTrail::Trail resources
  * Patch spec to have AWS::CodePipeline::CustomActionType Version included
+ Fixes
  * Fix conditions logic to use AllowedValues when REFing a Parameter that has AllowedValues specified

Update to version 0.13.0
+ Features
  * New rule W1011 to check if a FindInMap is using the correct map name and keys
  * New rule W1001 to check if a Ref/GetAtt to a resource that exists when Conditions are used
  * Removed logic in E1011 and moved it to W1011 for validating keys
  * Add property relationships for AWS::ApplicationAutoScaling::ScalingPolicy into Inclusive, Exclusive, and AtLeastOne
  * Update rule E2505 to check the netmask bit
  * Include the ability to update the CloudFormation Specs using the Pricing API
+ CloudFormation Specifications
  * Update to version 2.21.0
  * Add allowed values for AWS::Budgets::Budget
  * Add allowed values for AWS::CertificateManager resources
  * Add allowed values for AWS::CodePipeline resources
  * Add allowed values for AWS::CodeCommit resources
  * Add allowed values for EC2 InstanceTypes from pricing API
  * Add allowed values for RedShift InstanceTypes from pricing API
  * Add allowed values for MQ InstanceTypes from pricing API
  * Add allowed values for RDS InstanceTypes from pricing API
+ Fixes
  * Fixed README indentation issue with .pre-commit-config.yaml
  * Fixed rule E2541 to allow for multiple inputs/outputs in a CodeBuild task
  * Fixed rule E3020 to allow for a period or no period at the end of an ACM registration record
  * Update rule E3001 to support UpdateReplacePolicy
  * Fix a cli issue where `--template` wouldn't be used when a .cfnlintrc was in the same folder
  * Update rule E3002 and E1024 to support packaging of AWS::Lambda::LayerVersion content

- Initial build
  + Version 0.12.1

Update to 0.9.1
* the prof plugin now uses cProfile instead of hotshot for profiling
* skipped tests now include the user's reason in junit XML's message field
* the prettyassert plugin mishandled multi-line function definitions
* Using a plugin's CLI flag when the plugin is already enabled via config no longer errors
* nose2.plugins.prettyassert, enabled with --pretty-assert
* Cleanup code for EOLed python versions
* Dropped support for distutils.
* Result reporter respects failure status set by other plugins
* JUnit XML plugin now includes the skip reason in its output

Upgrade to 0.8.0:
- List of changes is too long to show here, see https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst changes between 0.6.5 and 0.8.0

Update to 0.7.0:
* Added parameterized_class feature, for parameterizing entire test classes (many thanks to @TobyLL for their suggestions and help testing!)
* Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh; https://github.com/wolever/parameterized/issues/67)
* Make sure that `setUp` and `tearDown` methods work correctly (#40)
* Raise a ValueError when input is empty (thanks @danielbradburn; https://github.com/wolever/parameterized/pull/48)
* Fix the order when number of cases exceeds 10 (thanks @ntflc; https://github.com/wolever/parameterized/pull/49)

aws-cli was updated to version 1.16.223:

For detailed changes see the changes entries:
https://github.com/aws/aws-cli/blob/1.16.223/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.189/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.182/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.176/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.103/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.94/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.84/CHANGELOG.rst

python-boto3 was updated to 1.9.213, python-botocore was updated to 1.9.188, and python-s3transfer was updated to 1.12.74, fixing lots of bugs and adding features (bsc#1146853, bsc#1146854)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released: Fri Feb 28 11:49:36 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1164562

This update for pam fixes the following issues:

- Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:556-1
Released: Mon Mar 2 13:32:11 2020
Summary: Recommended update for 389-ds
Type: recommended
Severity: moderate
References: 1155951

This update for 389-ds to version 1.4.2.2 fixes the following issues:

389-ds was updated to 1.4.2.6 (fate#326677, bsc#1155951), bringing many bug and stability fixes.

Issue addressed:

- Enabled python lib389 installer tooling to match upstream and suse documentation.

More information for this release at: https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-2-1.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released: Tue Mar 3 13:25:41 2020
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1162518

This update for cyrus-sasl fixes the following issues:

- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released: Tue Mar 3 13:37:28 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1160160

This update for ca-certificates-mozilla to 2.40 fixes the following issues:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released: Thu Mar 5 15:24:09 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950

This update for libgcrypt fixes the following issues:

- FIPS: Run the self-tests from the constructor [bsc#1164950]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released: Tue Mar 10 16:23:08 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1139939,1151023

This update for aaa_base fixes the following issues:

- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released: Thu Mar 19 11:00:46 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1160595

This update for systemd fixes the following issues:

- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released: Thu Mar 19 14:44:22 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1166106

This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:777-1
Released: Tue Mar 24 18:07:52 2020
Summary: Recommended update for python3
Type: recommended
Severity: moderate
References: 1165894

This update for python3 fixes the following issue:

- Rename idle icons to idle3 in order to not conflict with python2 variant of the package (bsc#1165894)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released: Wed Mar 25 15:16:00 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712

This update for systemd fixes the following issues:

- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-???
- %j/%J unit specifiers

Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).
Added the udev 60-ssd-scheduler.rules:

- This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team.
- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released: Mon Mar 30 16:23:42 2020
Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type: recommended
Severity: moderate
References: 1161816,1162152,1167223
This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):

Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4

- Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816)
- Move the animation library to core package bsc#1162152

xmlsec1 was updated to 1.2.28:

* Added BoringSSL support (chenbd).
* Added gnutls-3.6.x support (alonbl).
* Added DSA and ECDSA key size getter for MSCNG (vmiklos).
* Added --enable-mans configuration option (alonbl).
* Added continuous build integration for MacOSX (vmiklos).
* Several other small fixes (more details).

- Make sure to recommend at least one backend when you install just xmlsec1
- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

* Added AES-GCM support for OpenSSL and MSCNG (snargit).
* Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
* Added RSA-OAEP support for MSCNG (vmiklos).
* Continuous build integration in Travis and Appveyor.
* Several other small fixes (more details).

myspell-dictionaries was updated to 20191219:

* Updated the English dictionaries: GB+US+CA+AU
* Bring shipped Spanish dictionary up to version 2.5

boost was updated to fix:

- add a backport of Boost.Optional::has_value() for LibreOffice

The QR-Code-generator is shipped:

- Initial commit, needed by libreoffice 6.4

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released: Tue Mar 31 13:02:22 2020
Summary: Security update for glibc
Type: security
Severity: important
References: 1167631,CVE-2020-1752
This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:823-1
Released: Tue Mar 31 13:28:14 2020
Summary: Recommended update for parted
Type: recommended
Severity: moderate
References: 1161783,1164260
This update for parted fixes the following issue:

- Make parted work with pmemXs devices. (bsc#1164260)
- Fix for error when parted output size crashing parted in yast.
  (bsc#1161783)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released: Thu Apr 2 07:24:07 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950,1166748,1167674
This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
  * Set up global_init as the constructor function:
  * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG is available:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released: Fri Apr 3 15:02:25 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510
This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:935-1
Released: Tue Apr 7 03:46:39 2020
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1158630,1167205,1167206
This update for xfsprogs fixes the following issues:

- xfs_quota: reformat commands in the manpage. (bsc#1167206)
  Reformat commands in the manpage so that fstest can check that each command is actually documented.
- xfs_db: document missing commands. (bsc#1167205)
  Document the commands 'attr_set', 'attr_remove', 'logformat' in the manpage.
- xfs_io: allow size suffixes for the copy_range command.
  (bsc#1158630)
  Allow the usage of size suffixes k,m,g for kilobytes, megabytes or gigabytes respectively for the copy_range command

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released: Wed Apr 8 07:44:21 2020
Summary: Security update for gmp, gnutls, libnettle
Type: security
Severity: moderate
References: 1152692,1155327,1166881,1168345,CVE-2020-11501
This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:959-1
Released: Wed Apr 8 12:59:50 2020
Summary: Security update for python-PyYAML
Type: security
Severity: important
References: 1165439,CVE-2020-1747
This update for python-PyYAML fixes the following issues:

- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released: Wed Apr 8 13:34:06 2020
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1160979
This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to exercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released: Thu Apr 9 11:41:53 2020
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1168699,CVE-2020-1730
This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:979-1
Released: Mon Apr 13 15:42:59 2020
Summary: Recommended update for parted
Type: recommended
Severity: moderate
References: 1168756
This update for parted fixes the following issue:

- fix null pointer dereference.
  (bsc#1168756)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1000-1
Released: Wed Apr 15 14:18:57 2020
Summary: Recommended update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager
Type: recommended
Severity: moderate
References: 1014478,1054413,1140565,982804,999200
This update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager fixes the following issues:

The Azure python modules and client tool stack was updated to the 2020 state.

Various other python modules were added and updated.

- python-PyYAML was updated to 5.1.2.
- python-humanfriendly was updated 4.16.1.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1037-1
Released: Mon Apr 20 10:49:39 2020
Summary: Recommended update for python-pytest
Type: recommended
Severity: low
References: 1002895,1107105,1138666,1167732
This update fixes the following issues:

New python-pytest versions are provided.

In Basesystem:

- python3-pexpect: updated to 4.8.0
- python3-py: updated to 1.8.1
- python3-zipp: shipped as dependency in version 0.6.0

In Python2:

- python2-pexpect: updated to 4.8.0
- python2-py: updated to 1.8.1

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released: Wed Apr 22 10:46:50 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1165539,1169569
This update for libgcrypt fixes the following issues:

- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1094-1
Released: Thu Apr 23 16:34:21 2020
Summary: Recommended update for python-google-api-python-client
Type: recommended
Severity: moderate
References: 1088358,1160933
This update for python-google-api-python-client fixes the following issues:

- Fix dependencies to use google-auth instead of deprecated oauth2client (bsc#1160933, jsc#ECO-1148)

python-cachetools 2.0.1 is shipped to the Public Cloud Module.

python-google-auth 1.5.1 is shipped to the Public Cloud Module.

python-google-api-python-client was updated to:

- Upgrade to 1.7.4: just series of minor bugfixes
- Fix check for error text on Python 3.7. (#278)
- Use new Auth URIs. (#281)
- Add code-of-conduct document.
  (#270)
- Fix some typos in test_urllib3.py (#268)
- Warn when using user credentials from the Cloud SDK (#266)
- Add compute engine-based IDTokenCredentials (#236)
- Corrected some typos (#265)

Update to 1.4.2:

- Raise a helpful exception when trying to refresh credentials without a refresh token. (#262)
- Fix links to README and CONTRIBUTING in docs/index.rst. (#260)
- Fix a typo in credentials.py. (#256)
- Use pytest instead of py.test per upstream recommendation, #dropthedot. (#255)
- Fix typo on example of jwt usage (#245)

New upstream release 1.4.1 (bsc#1088358)

- Added a check for the cryptography version before attempting to use it.

+ From version 1.4.0
  - Added `cryptography`-based RSA signer and verifier.
  - Added `google.oauth2.service_account.IDTokenCredentials`.
  - Improved documentation around ID Tokens
+ From version 1.3.0
  - Added ``google.oauth2.credentials.Credentials.from_authorized_user_file``.
  - Dropped direct pyasn1 dependency in favor of letting ``pyasn1-modules`` specify the right version.
  - ``default()`` now checks for the project ID environment var before warning about missing project ID.
  - Fixed the docstrings for ``has_scopes()`` and ``with_scopes()``.
  - Fixed example in docstring for ``ReadOnlyScoped``.
  - Made ``transport.requests`` use timeouts and retries to improve reliability.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released: Tue May 5 08:33:43 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1165011,1168076
This update for systemd fixes the following issues:

- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used.
  (bsc#1165011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1214-1
Released: Thu May 7 11:20:34 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1169944
This update for libgcrypt fixes the following issues:

- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released: Thu May 7 17:10:42 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1170771,CVE-2020-12243
This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1226-1
Released: Fri May 8 10:51:05 2020
Summary: Recommended update for gcc9
Type: recommended
Severity: moderate
References: 1149995,1152590,1167898
This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1294-1
Released: Mon May 18 07:38:36 2020
Summary: Security update for file
Type: security
Severity: moderate
References: 1154661,1169512,CVE-2019-18218
This update for file fixes the following issues:

Security issues fixed:

- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

Non-security issue fixed:

- Fixed broken '--help' output (bsc#1169512).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1299-1
Released: Mon May 18 07:43:21 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595
This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1303-1
Released: Mon May 18 09:40:36 2020
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1169582
This update for timezone fixes the following issues:

- timezone update 2020a. (bsc#1169582)
  * Morocco springs forward on 2020-05-31, not 2020-05-24.
  * Canada's Yukon advanced to -07 year-round on 2020-03-08.
  * America/Nuuk renamed from America/Godthab.
  * zic now supports expiration dates for leap second lists.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1308-1
Released: Mon May 18 10:05:46 2020
Summary: Recommended update for psmisc
Type: recommended
Severity: moderate
References: 1170247
This update for psmisc fixes the following issues:

- Allow not unique mounts as well as not unique mountpoint.
  (bsc#1170247)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1328-1
Released: Mon May 18 17:16:04 2020
Summary: Recommended update for grep
Type: recommended
Severity: moderate
References: 1155271
This update for grep fixes the following issues:

- Update testsuite expectations, no functional changes (bsc#1155271)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1342-1
Released: Tue May 19 13:27:31 2020
Summary: Recommended update for python3
Type: recommended
Severity: moderate
References: 1149955,1165894,CVE-2019-16056
This update for python3 fixes the following issues:

- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1361-1
Released: Thu May 21 09:31:18 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1171872
This update for libgcrypt fixes the following issues:

- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1370-1
Released: Thu May 21 19:06:00 2020
Summary: Recommended update for systemd-presets-branding-SLE
Type: recommended
Severity: moderate
References: 1171656
This update for systemd-presets-branding-SLE fixes the following issues:

Cleanup of outdated autostart services (bsc#1171656):

- Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE.
- Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this.
- Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE which is not foreseeable.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1396-1
Released: Mon May 25 12:04:39 2020
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1082318,1133297
This update for zstd fixes the following issues:

- Fix for build error caused by wrong static libraries. (bsc#1133297)
- Correction in spec file marking the license as documentation. (bsc#1082318)
- Add new package for SLE-15. (jsc#ECO-1886)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1400-1
Released: Mon May 25 14:09:02 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1162930
This update for glibc fixes the following issues:

- nptl: wait for pending setxid request also in detached thread. (bsc#1162930)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1404-1
Released: Mon May 25 15:32:34 2020
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1138793,1166260
This update for zlib fixes the following issues:

- Including the latest fixes from IBM (bsc#1166260)
  IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1409-1
Released: Mon May 25 17:01:33 2020
Summary: Security update for libxslt
Type: security
Severity: moderate
References: 1140095,1140101,1154609,CVE-2019-13117,CVE-2019-13118,CVE-2019-18197
This update for libxslt fixes the following issues:

Security issues fixed:

- CVE-2019-13118: Fixed a read of uninitialized stack data (bsc#1140101).
- CVE-2019-13117: Fixed an uninitialized read which allowed to discern whether a byte on the stack contains certain special characters (bsc#1140095).
- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1492-1
Released: Wed May 27 18:32:41 2020
Summary: Recommended update for python-rpm-macros
Type: recommended
Severity: moderate
References: 1171561
This update for python-rpm-macros fixes the following issue:

- Update to version 20200207.5feb6c1 (bsc#1171561)
  * Do not write .pyc files for tests

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1496-1
Released: Wed May 27 20:30:31 2020
Summary: Recommended update for python-requests
Type: recommended
Severity: low
References: 1170175
This update for python-requests fixes the following issues:

- Fix for warnings 'test fails to build' for python http. (bsc#1170175)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1506-1
Released: Fri May 29 17:22:11 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1087982,1170527
This update for aaa_base fixes the following issues:

- Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander.
  (bsc#1170527)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1532-1
Released: Thu Jun 4 10:16:12 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1172021,CVE-2019-19956
This update for libxml2 fixes the following issues:

- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1542-1
Released: Thu Jun 4 13:24:37 2020
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1172055
This update for timezone fixes the following issue:

- zdump --version reported 'unknown' (bsc#1172055)

From sle-updates at lists.suse.com Wed Jun 17 11:29:47 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 17 Jun 2020 19:29:47 +0200 (CEST)
Subject: SUSE-CU-2020:216-1: Recommended update of ses/7/ceph/ceph
Message-ID: <20200617172947.BBBC7FD07@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/ceph/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:216-1
Container Tags : ses/7/ceph/ceph:15.2.3.455 , ses/7/ceph/ceph:15.2.3.455.3.373 , ses/7/ceph/ceph:latest , ses/7/ceph/ceph:sle15.2.octopus
Container Release : 3.373
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container ses/7/ceph/ceph was updated.
The following patches have been included in this update:

From sle-updates at lists.suse.com Wed Jun 17 11:30:02 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 17 Jun 2020 19:30:02 +0200 (CEST)
Subject: SUSE-CU-2020:217-1: Recommended update of ses/7/ceph/ceph
Message-ID: <20200617173002.E0541FD07@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/ceph/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:217-1
Container Tags : ses/7/ceph/ceph:15.2.3.455 , ses/7/ceph/ceph:15.2.3.455.3.373 , ses/7/ceph/ceph:latest , ses/7/ceph/ceph:sle15.2.octopus
Container Release : 3.373
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container ses/7/ceph/ceph was updated. The following patches have been included in this update:

From sle-updates at lists.suse.com Wed Jun 17 11:31:11 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 17 Jun 2020 19:31:11 +0200 (CEST)
Subject: SUSE-CU-2020:218-1: Security update of ses/7/rook/ceph
Message-ID: <20200617173111.7BC4DFD07@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:218-1
Container Tags : ses/7/rook/ceph:1.3.4 , ses/7/rook/ceph:1.3.4.0 , ses/7/rook/ceph:1.3.4.0.1.1049 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus
Container Release : 1.1049
Severity : important
Type : security
References :
-----------------------------------------------------------------

The container ses/7/rook/ceph was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1223-1
Released: Tue Jun 26 11:41:00 2018
Summary: Security update for gpg2
Type: security
Severity: important
References: 1096745,CVE-2018-12020
This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1327-1 Released: Tue Jul 17 08:07:24 2018 Summary: Security update for perl Type: security Severity: moderate References: 1096718,CVE-2018-12015 This update for perl fixes the following issues: - CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1332-1 Released: Tue Jul 17 09:01:19 2018 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1073299,1093392 This update for timezone provides the following fixes: - North Korea switches back from +0830 to +09 on 2018-05-05. - Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299) - yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1346-1 Released: Thu Jul 19 09:25:08 2018 Summary: Security update for glibc Type: security Severity: moderate References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237 This update for glibc fixes the following security issues: - CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150).
- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161). - CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1353-1 Released: Thu Jul 19 09:50:32 2018 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572 This update for e2fsprogs fixes the following issues: Security issues fixed: - CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402). - CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346). Bug fixes: - bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system. - bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system. - bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1362-1 Released: Thu Jul 19 12:47:33 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1100415 ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store.
(bsc#1100415) Following CAs were removed: * S-TRUST_Universal_Root_CA * TC_TrustCenter_Class_3_CA_II * TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1409-1 Released: Fri Jul 27 06:45:10 2018 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569 This update for systemd provides the following fixes: - systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973) - systemctl: Check the existence of all units, not just the first one. - scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099) - device: Make sure to always retroactively start device dependencies. (bsc#1088052) - locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files. - Fix pattern to detect distribution. - install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851) - install: Search for preset files in /run (#7715) - install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851) - install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement. - install: Only consider names in Alias= as 'enabling'. - udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158) - man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265) - fileio: Support writing atomic files with timestamp. - fileio.c: Fix incorrect mtime - Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. 
(bsc#1098569) - An update broke booting with encrypted partitions on NVMe (bsc#1095096) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1754-1 Released: Fri Aug 24 16:40:21 2018 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1104780 This update for ca-certificates-mozilla fixes the following issues: Updated to the 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780) - removed server auth rights from following CAs: - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - removed CA - ComSign CA - new CA added: - GlobalSign ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1760-1 Released: Fri Aug 24 17:14:53 2018 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1072183 This update for libtirpc fixes the following issues: - rpcinfo: send RPC getport call as specified via parameter (bsc#1072183) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1775-1 Released: Tue Aug 28 12:40:50 2018 Summary: Recommended update for xfsprogs Type: recommended Severity: important References: 1089777,1105396 This update for xfsprogs fixes the following issues: - avoid divide-by-zero when hardware reports optimal i/o size as 0 (bsc#1089777) - repair: shift inode back into place if corrupted by bad log replay (bsc#1105396). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1887-1 Released: Wed Sep 12 12:34:28 2018 Summary: Recommended update for python-websocket-client Type: recommended Severity: moderate References: 1076519 This update for python-websocket-client fixes the following issues: - Use systems ca bundle file by default. 
(bsc#1076519) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:1999-1 Released: Tue Sep 25 08:20:35 2018 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1071321 This update for zlib provides the following fixes: - Speedup zlib on power8. (fate#325307) - Add safeguard against negative values in uInt. (bsc#1071321) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2055-1 Released: Thu Sep 27 14:30:14 2018 Summary: Recommended update for openldap2 Type: recommended Severity: moderate References: 1089640 This update for openldap2 provides the following fix: - Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2138-1 Released: Thu Oct 4 15:52:15 2018 Summary: Recommended update for sudo Type: recommended Severity: low References: 1097643 This update for sudo fixes the following issues: - fix permissions for /var/lib/sudo and /var/lib/sudo/ts (bsc#1097643) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2155-1 Released: Fri Oct 5 14:41:17 2018 Summary: Recommended update for ca-certificates Type: recommended Severity: moderate References: 1101470 This update for ca-certificates fixes the following issues: - Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2170-1 Released: Mon Oct 8 10:31:14 2018 Summary: Recommended update for python3 Type: recommended Severity: moderate References: 1107030 This update for python3 fixes the following issues: - Add -fwrapv to OPTS, which is default for python3 for bugs which are caused by avoiding it. 
(bsc#1107030) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2177-1 Released: Tue Oct 9 09:00:13 2018 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1095661,1095670,1100488 This update for bash provides the following fixes: - Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661) - Make the generation of bash.html reproducible. (bsc#1100488) - Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670) - Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes. - Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler. - Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence. - Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2182-1 Released: Tue Oct 9 11:08:36 2018 Summary: Security update for libxml2 Type: security Severity: moderate References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251 This update for libxml2 fixes the following security issues: - CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279) - CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166) - CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2340-1 Released: Fri Oct 19 16:05:53 2018 Summary: Security update for fuse Type: security Severity: moderate References: 1101797,CVE-2018-10906 This update for fuse fixes the following issues: - CVE-2018-10906: fusermount was vulnerable to a restriction bypass when SELinux is active. This allowed non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration. 
An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects (bsc#1101797) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2346-1 Released: Mon Oct 22 09:40:46 2018 Summary: Recommended update for logrotate Type: recommended Severity: moderate References: 1093617 This update for logrotate provides the following fix: - Ensure the HOME environment variable is set to /root when logrotate is started via systemd. This allows mariadb to rotate its logs when the database has a root password defined. (bsc#1093617) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2370-1 Released: Mon Oct 22 14:02:01 2018 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1102310,1104531 This update for aaa_base provides the following fixes: - Let bash.bashrc work even for (m)ksh. (bsc#1104531) - Fix an error at login if java system directory is empty. (bsc#1102310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2442-1 Released: Wed Oct 24 16:39:09 2018 Summary: Recommended update for python-msrestazure and its dependencies Type: recommended Severity: moderate References: 1109694 This update for python-adal, python-isodate, python-msrest, python-msrestazure fixes the following issues: python-msrestazure: - Update to version 0.5.0 + Features * Implementation is now using ADAL and not request-oauthlib. This allows more AD scenarios (like federated). * Add additionalInfo parsing for CloudError. * Implement new LRO options of Autorest. * Improve MSI for VM token polling algorithm. * MSIAuthentication now uses IMDS endpoint if available. * MSIAuthentication can be used in any environment that defines MSI_ENDPOINT env variable.
* CloudError now includes the 'innererror' attribute to match OData v4. * Introduces ARMPolling implementation of Azure Resource Management LRO. * Add support for WebApp/Functions in MSIAuthentication classes. * Add parse_resource_id(), resource_id(), validate_resource_id() to parse ARM ids. * Retry strategy now can reach 24 seconds (instead of 12 seconds). * Add Managed Service Integrated (MSI) authentication. * Add 'timeout' to ServicePrincipalCredentials and UserPasswordCredentials. * Threads created by AzureOperationPoller have now a name prefixed by 'AzureOperationPoller' to help identify them. * Improve MSIAuthentication to support User Assigned Identity. + Bugfixes * MSIAuthentication regression for KeyVault since IMDS support. * MSIAuthentication should initialize the token attribute on creation. * Fixes refreshToken in UserPassCredentials and AADTokenCredentials. * Fix US government cloud definition. * Reduce max MSI polling time for VM. * IMDS/MSI: Retry on more error codes. * IMDS/MSI: Fix a boundary case on timeout. * Fix parse_resource_id() tool to be case-insensitive to keywords when matching. * Add missing baseclass init call for AdalAuthentication. * Fix LRO result if POST uses AsyncOperation header. * Remove a possible infinite loop with MSIAuthentication. * Fix session obj for cloudmetadata endpoint. * Fix authentication resource node for AzureStack. * Better detection of AppService with MSIAuthentication. * get_cloud_from_metadata_endpoint incorrect on AzureStack. * get_cloud_from_metadata_endpoint certificate issue. * Fix AttributeError if error JSON from ARM does not follow ODatav4 (as it should). * Fix AttributeError if input JSON is not a dict. * Fix AdalError handling in some scenarios. * Update Azure Gov login endpoint. * Update metadata ARM endpoint parser. + Incompatible changes * Remove unused auth_uri, state, client and token_uri attributes in ServicePrincipalCredentials, UserPassCredentials and AADTokenCredentials.
* Remove token caching based on 'keyring'. Token caching should be implemented using ADAL now. * Remove InteractiveCredentials. This class was deprecated and unusable. Use ADAL device code instead. python-msrest - Update to version 0.5.0 + Require python-enum32 and python-typing. + Features * Support additionalProperties and XML. * Deserialize/from_dict now accepts a content-type parameter to parse XML strings. * Add XML support * Add many type hints, and MyPY testing on CI. * HTTP calls are made through a HTTPDriver API. Only implementation is `requests` for now. This driver API is *not* considered stable and you should pin your msrest version if you want to provide a personal implementation. * msrest is now able to keep the 'requests.Session' alive for performance. * All Authentication classes now define `signed_session` and `refresh_session` with an optional `session` parameter. * Disable HTTP log by default (security), add `enable_http_log` to restore it. * Add TopicCredentials for EventGrid client. * Add LROPoller class. This is a customizable LRO engine. * Model now accept kwargs in constructor for future kwargs models. * Add support for additional_properties. * The interpretation of Swagger 2.0 'discriminator' is now lenient. * Add ApiKeyCredentials class. This can be used to support OpenAPI ApiKey feature. * Add CognitiveServicesAuthentication class. Pre-declared ApiKeyCredentials class for Cognitive Services. * Add Configuration.session_configuration_callback to customize the requests.Session if necessary. * Add a flag to Serializer to disable client-side-validation. * Remove 'import requests' from 'exceptions.py' for apps that require fast loading time. * Input is now more lenient. * Model have a 'validate' method to check content constraints. * Model have now new methods for serialize, as_dict, deserialize and from_dict.
+ Bugfixes * Fix a serialization issue if additional_properties is declared, and 'automatic model' syntax is used ('automatic model' being the ability to pass a dict to command and have the model auto-created). * Better parse empty node and not string types. * Improve 'object' XML parsing. * Fix some XML serialization subtle scenarios. * Fix some complex XML Swagger definitions. * Lower Accept header overwrite logging message. * Fix 'object' type and XML format. * Incorrect milliseconds serialization for some datetime object. * Improve `SDKClient.__exit__` to take exc_details as optional parameters and not required. * Refresh_session should also use the permanent HTTP session if available. * Fix incorrect date parsing if ms precision is over 6 digits. * Fix minimal dependency of isodate. * Fix serialisation from dict if datetime provided. * Date parsing is now compliant with Autorest / Swagger 2.0 specification (less lenient). * Accept to deserialize enum of different type if content string match. * Stop failing on deserialization if enum string is unknown. Return the string instead. * Do not validate additional_properties. * Improve validation error if expected type is dict, but actual type is not. * Fix additional_properties if Swagger was flatten. * Optional formdata parameters were raising an exception. * 'application/x-www-form-urlencoded' form was sent using 'multipart/form-data'. * Fix regression: accept 'set' as a valid '[str]' * Always log response body. * Improved exception message if error JSON is Odata v4. * Refuse 'str' as a valid '[str]' type. * Better exception handling if input from server is not JSON valid. * Fix regression introduced in msrest 0.4.12 - dict syntax with enum modeled as string and enum used. * Fix regression introduced in msrest 0.4.12 - dict syntax using isodate.Duration. * Better Enum checking.
+ Internal optimisation * Call that does not return a streamable object are now executed in requests stream mode False (was True whatever the type of the call). This should reduce the number of leaked opened session and allow urllib3 to manage connection pooling more efficiently. Only clients generated with Autorest.Python >= 2.1.31 (not impacted otherwise, fully backward compatible) + Deprecation * Trigger DeprecationWarning for _client.add_header and _client.send_formdata. python-adal - Update to version 1.0.2 python-isodate - Update to version 0.6.0 + Support incomplete month date. + Rely on duck typing when doing duration maths. + Support ':' as separator in fractional time zones. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2454-1 Released: Thu Oct 25 11:19:46 2018 Summary: Recommended update for python-pyOpenSSL Type: recommended Severity: moderate References: 1110435 This update for python-pyOpenSSL fixes the following issues: - Handle duplicate certificate addition using X509_STORE_add_cert so it works after upgrading to openssl 1.1.1. (bsc#1110435) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2463-1 Released: Thu Oct 25 14:48:34 2018 Summary: Recommended update for timezone, timezone-java Type: recommended Severity: moderate References: 1104700,1112310 This update for timezone, timezone-java fixes the following issues: The timezone database was updated to 2018f: - Volgograd moves from +03 to +04 on 2018-10-28. - Fiji ends DST 2019-01-13, not 2019-01-20. 
- Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700) - Corrections to past timestamps of DST transitions - Use 'PST' and 'PDT' for Philippine time - minor code changes to zic handling of the TZif format - documentation updates Other bugfixes: - Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2485-1 Released: Fri Oct 26 12:38:01 2018 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1112928 This update for kmod provides the following fixes: - Allow 'modprobe -c' print the status of 'allow_unsupported_modules' option. (bsc#1112928) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2486-1 Released: Fri Oct 26 12:38:27 2018 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1105068 This update for xfsprogs fixes the following issues: - Explicitly disable systemd unit files for scrub (bsc#1105068). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2487-1 Released: Fri Oct 26 12:39:07 2018 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1102526 This update for glibc fixes the following issues: - Fix build on aarch64 with binutils newer than 2.30.
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2550-1 Released: Wed Oct 31 16:16:56 2018 Summary: Recommended update for timezone, timezone-java Type: recommended Severity: moderate References: 1113554 This update provides the latest time zone definitions (2018g), including the following change: - Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2569-1 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1110700 This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2595-1 Released: Wed Nov 7 11:14:42 2018 Summary: Security update for systemd Type: security Severity: important References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688 This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. 
(bsc#1113665) Non security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - core: introduce systemd.early_core_pattern= kernel cmdline option - core: add missing 'continue' statement - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - install: drop left-over debug message (#6913) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SysV init tool. - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used.
(bsc#1089761) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908) - core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944) - Enable or disable machines.target according to the presets (bsc#1107941) - cryptsetup: add support for sector-size= option (fate#325697) - nspawn: always use permission mode 555 for /sys (bsc#1107640) - Bugfix for a race condition between daemon-reload and other commands (bsc#1105031) - Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677) - Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901) - Does no longer adjust qgroups on existing subvolumes (bsc#1093753) - cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2607-1 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. 
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2641-1 Released: Mon Nov 12 20:39:30 2018 Summary: Recommended update for nfsidmap Type: recommended Severity: moderate References: 1098217 This update for nfsidmap fixes the following issues: - Improve support for SAMBA with Active Directory. (bsc#1098217) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2742-1 Released: Thu Nov 22 13:28:36 2018 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 969953 This update for rpcbind fixes the following issues: - Fix tool stack buffer overflow aborting (bsc#969953) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2825-1 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Type: security Severity: important References: 1115640,CVE-2018-17953 This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2861-1 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Type: security Severity: important References: 1103320,1115929,CVE-2018-19211 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2961-1 Released: Mon Dec 17 19:51:40 2018 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: 1098697,1112780 This update for psmisc provides the following fix: - Make the fuser option -m work even with mountinfo. (bsc#1098697) - Support also btrFS entries in mountinfo, that is use stat(2) to determine the device of the mounted subvolume (bsc#1098697, bsc#1112780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2984-1 Released: Wed Dec 19 11:32:39 2018 Summary: Security update for perl Type: security Severity: moderate References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314 This update for perl fixes the following issues: Secuirty issues fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). - CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675). - CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681). - CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2986-1 Released: Wed Dec 19 13:53:22 2018 Summary: Security update for libnettle Type: security Severity: moderate References: 1118086,CVE-2018-16869 This update for libnettle fixes the following issues: Security issues fixed: - CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:23-1 Released: Mon Jan 7 16:30:33 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1120346,CVE-2018-1000858 This update for gpg2 fixes the following issue: Security issue fixed: - CVE-2018-1000858: Fixed a Cross Site Request Forgery(CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:44-1 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. (bsc#953659) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:62-1 Released: Thu Jan 10 20:30:58 2019 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1119063 This update for xfsprogs fixes the following issues: - Fix root inode's parent when it's bogus for sf directory (xfs repair). (bsc#1119063) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:102-1 Released: Tue Jan 15 18:02:58 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1120402 This update for timezone fixes the following issues: - Update 2018i: S??o Tom?? and Pr??ncipe switches from +01 to +00 on 2019-01-01. 
(bsc#1120402) - Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:137-1 Released: Mon Jan 21 15:52:45 2019 Summary: Security update for systemd Type: security Severity: important References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954 This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498) - systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933) - systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723) - Fixed installation issue with /etc/machine-id during update (bsc#1117063) - btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - udev: Downgrade message when setting inotify watch up fails. (bsc#1005023) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. 
systemd-detect-virt returns a failure exit code when it detects the _none_ state. That failure exit code prevents the hot-added memory block from being set online. (bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:147-1 Released: Wed Jan 23 17:57:31 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1121446 This update for ca-certificates-mozilla fixes the following issues: The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446) Removed Root CAs: - AC Raiz Certicamara S.A. - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Visa eCommerce Root Added Root CAs: - Certigna Root CA (email and server auth) - GTS Root R1 (server auth) - GTS Root R2 (server auth) - GTS Root R3 (server auth) - GTS Root R4 (server auth) - OISTE WISeKey Global Root GC CA (email and server auth) - UCA Extended Validation Root (server auth) - UCA Global G2 Root (email and server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:170-1 Released: Fri Jan 25 13:43:29 2019 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1118629 This update for kmod fixes the following issues: - Fixes module dependency file corruption on parallel invocation (bsc#1118629). - Allows 'modprobe -c' to print the status of 'allow_unsupported_modules' option. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:215-1 Released: Thu Jan 31 15:59:57 2019 Summary: Security update for python3 Type: security Severity: important References: 1120644,1122191,CVE-2018-20406,CVE-2019-5010 This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191) - CVE-2018-20406: Fixed an integer overflow via a large LONG_BINPUT (bsc#1120644) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:247-1 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Type: security Severity: moderate References: 1123043,CVE-2019-6706 This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:369-1 Released: Wed Feb 13 14:01:42 2019 Summary: Recommended update for itstool Type: recommended Severity: moderate References: 1065270,1111019 This update for itstool and python-libxml2-python fixes the following issues: Package: itstool - Updated version to support Python3. (bnc#1111019) Package: python-libxml2-python - Fix segfault when parsing invalid data. 
(bsc#1065270) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:426-1 Released: Mon Feb 18 17:46:55 2019 Summary: Security update for systemd Type: security Severity: important References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 This update for systemd fixes the following issues: - CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - logind: fix bad error propagation - login: log session state 'closing' (as well as New/Removed) - logind: fix borked r check - login: don't remove all devices from PID1 when only one was removed - login: we only allow opening character devices - login: correct comment in session_device_free() - login: remember that fds received from PID1 need to be removed eventually - login: fix FDNAME in call to sd_pid_notify_with_fds() - logind: fd 0 is a valid fd - logind: rework sd_eviocrevoke() - logind: check file is device node before using .st_rdev - logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153) - core: add a new sd_notify() message for removing fds from the FD store again - logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) - fd-util: accept that kcmp might fail with EPERM/EACCES - core: Fix use after free case in load_from_path() (bsc#1121563) - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - core: free lines after reading them (bsc#1123892) - sd-bus: if we receive an invalid dbus message, ignore and proceed - automount: don't pass non-blocking pipe to kernel. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:571-1 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:641-1 Released: Tue Mar 19 13:17:28 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1112570,1114984,1114993 This update for glibc provides the following fixes: - Fix Haswell CPU string flags. (bsc#1114984) - Fix waiters-after-spinning case. (bsc#1114993) - Do not relocate absolute symbols. (bsc#1112570) - Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551) - Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962) - Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:700-1 Released: Thu Mar 21 19:54:00 2019 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1044840 This update for cyrus-sasl provides the following fix: - Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. 
By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:713-1 Released: Fri Mar 22 15:55:05 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1063675,1126590 This update for glibc fixes the following issues: - Add MAP_SYNC from Linux 4.15 (bsc#1126590) - Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590) - nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:732-1 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1088524,1118364,1128246 This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:788-1 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1119687,CVE-2018-20346 This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). 
Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:790-1 Released: Thu Mar 28 12:06:17 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1130557 This update for timezone fixes the following issues: timezone was updated 2019a: * Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23 * Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00 * Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25) * zic now has an -r option to limit the time range of output data ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:791-1 Released: Thu Mar 28 12:06:50 2019 Summary: Security update for libnettle Type: recommended Severity: moderate References: 1129598 This update for libnettle to version 3.4.1 fixes the following issues: Issues addressed and new features: - Updated to 3.4.1 (fate#327114 and bsc#1129598) - Fixed missing break statements in the parsing of PEM input files in pkcs1-conv. - Fixed a link error on the pss-mgf1-test which was affecting builds without public key support. - All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. - Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack, which is why the new function rsa_sec_decrypt is recommended. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:858-1 Released: Wed Apr 3 15:50:37 2019 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1120689,1126096 This update for libtirpc fixes the following issues: - Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096). - add an option to enforce connection via protocol version 2 first (bsc#1120689). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:903-1 Released: Mon Apr 8 15:41:44 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1100396,1122729,1130045,CVE-2016-10739 This update for glibc fixes the following issues: Security issue fixed: - CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729). Other issue fixed: - Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintaining the robust mutex list due to missing compiler barriers (bsc#1130045). - Added new Japanese Era name support (bsc#1100396). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:966-1 Released: Wed Apr 17 12:20:13 2019 Summary: Recommended update for python-rpm-macros Type: recommended Severity: moderate References: 1128323 This update for python-rpm-macros fixes the following issues: The Python RPM macros were updated to version 20190408.32abece, fixing bugs (bsc#1128323) * Add missing $ expansion on the pytest call * Rewrite pytest and pytest_arch into Lua macros with multiple arguments. * We should preserve existing PYTHONPATH. * Add --ignore to pytest calls to ignore build directories. * Actually make pytest into function to capture arguments as well * Add pytest definitions. 
* Use upstream-recommended %{_rpmconfigdir}/macros.d directory for the rpm macros. * Fix an issue with epoch printing having too many \ * add epoch while printing 'Provides:' ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:971-1 Released: Wed Apr 17 14:43:26 2019 Summary: Security update for python3 Type: security Severity: important References: 1129346,CVE-2019-9636 This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1002-1 Released: Wed Apr 24 10:13:34 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1110304,1129576 This update for zlib fixes the following issues: - Fixes a segmentation fault error (bsc#1110304, bsc#1129576) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1040-1 Released: Thu Apr 25 17:09:21 2019 Summary: Security update for samba Type: security Severity: important References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 This update for samba fixes the following issues: Security issue fixed: - CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060). ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686): - Out of bound read in ldb_wildcard_compare - Hold at most 10 outstanding paged result cookies - Put 'results_store' into a doubly linked list - Refuse to build Samba against a newer minor version of ldb Non-security issues fixed: - Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377). - Abide to the load_printers parameter in smb.conf (bsc#1124223). 
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1127-1 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326). - CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1156-1 Released: Mon May 6 13:46:07 2019 Summary: Security update for python-Jinja2 Type: security Severity: important References: 1125815,1132174,1132323,CVE-2016-10745,CVE-2019-10906,CVE-2019-8341 This update for python-Jinja2 to version 2.10.1 fixes the following issues: Security issues fixed: - CVE-2019-8341: Fixed a command injection in from_string() (bsc#1125815). - CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1206-1 Released: Fri May 10 14:01:55 2019 Summary: Security update for bzip2 Type: security Severity: low References: 985657,CVE-2016-3189 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1221-1 Released: Mon May 13 13:28:42 2019 Summary: Security update for libxslt Type: security Severity: moderate References: 1132160,CVE-2019-11068 This update for libxslt fixes the following issues: Security issue fixed: - CVE-2019-11068: Fixed a protection mechanism bypass where callers of xsltCheckRead() and xsltCheckWrite() would permit access upon receiving an error (bsc#1132160). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1312-1 Released: Wed May 22 12:19:12 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1096191 This update for aaa_base fixes the following issue: * Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1352-1 Released: Fri May 24 14:41:44 2019 Summary: Security update for python3 Type: security Severity: moderate References: 1130840,1133452,CVE-2019-9947 This update for python3 to version 3.6.8 fixes the following issues: Security issue fixed: - CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840). Non-security issue fixed: - Fixed broken debuginfo packages by switching off LTO and PGO optimization (bsc#1133452). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1364-1 Released: Tue May 28 10:51:38 2019 Summary: Security update for systemd Type: security Severity: moderate References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933 This update for systemd fixes the following issues: Security issues fixed: - CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348). - CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352). - CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509). Non-security issues fixed: - logind: fix killing of scopes (bsc#1125604) - namespace: make MountFlags=shared work again (bsc#1124122) - rules: load drivers only on 'add' events (bsc#1126056) - sysctl: Don't pass null directive argument to '%s' (bsc#1121563) - systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933) - udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400) - sd-bus: bump message queue size again (bsc#1132721) - Do not automatically online memory on s390x (bsc#1127557) - Removed sg.conf (bsc#1036463) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1368-1 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Type: security Severity: important References: 1134524,CVE-2019-5021 This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1372-1 Released: Tue May 28 16:53:28 2019 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1105435,CVE-2018-1000654 This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1484-1 Released: Thu Jun 13 07:46:46 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1128383 This update for e2fsprogs fixes the following issues: - Check and fix tails of all bitmap blocks (bsc#1128383) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1486-1 Released: Thu Jun 13 09:40:24 2019 Summary: Security update for elfutils Type: security Severity: moderate References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 This update for elfutils fixes the following issues: Security issues fixed: - CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084) - CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085) - CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086) - CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087) - CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088) - CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089) - CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of 
sections and the number of segments in a crafted ELF file (bsc#1033090) - CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390) - CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066) - CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067) - CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973) - CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726) - CVE-2018-18521: Fixed a denial of service vulnerability in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723) - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685) - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1487-1 Released: Thu Jun 13 09:40:56 2019 Summary: Security update for python-requests Type: security Severity: moderate References: 1111622,CVE-2018-18074 This update for python-requests to version 2.20.1 fixes the following issues: Security issue fixed: - CVE-2018-18074: Fixed an information disclosure vulnerability of the HTTP Authorization header (bsc#1111622). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1595-1 Released: Fri Jun 21 10:17:44 2019 Summary: Security update for dbus-1 Type: security Severity: important References: 1137832,CVE-2019-12749 This update for dbus-1 fixes the following issues: Security issue fixed: - CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1616-1 Released: Fri Jun 21 11:04:39 2019 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 1134659 This update for rpcbind fixes the following issues: - Change rpcbind locking path from /var/run/rpcbind.lock to /run/rpcbind.lock. (bsc#1134659) - Change the order of socket/service in the %postun scriptlet to avoid an error from rpcbind.socket when rpcbind is running during package update. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1627-1 Released: Fri Jun 21 11:15:11 2019 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1073421,1122271,1129859 This update for xfsprogs fixes the following issues: - xfs_repair: will now allow '/' in attribute names (bsc#1122271) - xfs_repair: will now allow zeroing of corrupt log (bsc#1073421) - enabled offline (unmounted) filesystem geometry queries (bsc#1129859) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1631-1 Released: Fri Jun 21 11:17:21 2019 Summary: Recommended update for xz Type: recommended Severity: low References: 1135709 This update for xz fixes the following issues: Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1635-1 Released: Fri Jun 21 12:45:53 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1134217 This update for krb5 provides the following fix: - Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap. 
(bsc#1134217) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1700-1 Released: Tue Jun 25 13:19:21 2019 Summary: Security update for libssh Type: recommended Severity: moderate References: 1134193 This update for libssh fixes the following issue: Issue addressed: - Added support for new AES-GCM encryption types (bsc#1134193). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1808-1 Released: Wed Jul 10 13:16:29 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1133808 This update for libgcrypt fixes the following issues: - Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1815-1 Released: Thu Jul 11 07:47:55 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1140016 This update for timezone fixes the following issues: - Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1835-1 Released: Fri Jul 12 18:06:31 2019 Summary: Security update for expat Type: security Severity: moderate References: 1139937,CVE-2018-20843 This update for expat fixes the following issues: Security issue fixed: - CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1846-1 Released: Mon Jul 15 11:36:33 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1853-1 Released: Mon Jul 15 16:03:36 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1107617,1137053 This update for systemd fixes the following issues: - conf-parse: remove 4K line length limit (bsc#1137053) - udevd: change the default value of udev.children-max (again) (bsc#1107617) - meson: stop creating enablement symlinks in /etc during installation (sequel) - Fixed build for openSUSE Leap 15+ - Make sure we don't ship any static enablement symlinks in /etc Those symlinks must only be created by the presets. There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1877-1 Released: Thu Jul 18 11:31:46 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169 This update for glibc fixes the following issues: Security issues fixed: - CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308). - CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223). 
Non-security issues fixed: - No longer compresses debug sections in crt*.o files (bsc#1123710) - Fixes a concurrency problem in ldconfig (bsc#1117993) - Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1971-1 Released: Thu Jul 25 14:58:52 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1138939,CVE-2019-12904 This update for libgcrypt fixes the following issues: Security issue fixed: - CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1994-1 Released: Fri Jul 26 16:12:05 2019 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1135123 This update for libxml2 fixes the following issues: - Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2004-1 Released: Mon Jul 29 13:01:59 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: - Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2006-1 Released: Mon Jul 29 13:02:49 2019 Summary: Security update for gpg2 Type: security Severity: important References: 1124847,1141093,CVE-2019-13050 This update for gpg2 fixes the following issues: Security issue fixed: - CVE-2019-13050: Fixed denial of service attacks via big keys (bsc#1141093). 
Non-security issue fixed:

- Allow coredumps in X11 desktop sessions (bsc#1124847)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2050-1
Released: Tue Aug 6 09:42:37 2019
Summary: Security update for python3
Type: security
Severity: important
References: 1094814,1138459,1141853,CVE-2018-20852,CVE-2019-10160

This update for python3 fixes the following issues:

Security issue fixed:

- CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459).
- CVE-2018-20852: Fixed an information leak where cookies could be sent to the wrong server because of incorrect domain validation (bsc#1141853).

Non-security issue fixed:

- Fixed an issue where the SIGINT signal was ignored or not handled (bsc#1094814).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2097-1
Released: Fri Aug 9 09:31:17 2019
Summary: Recommended update for libgcrypt
Type: recommended
Severity: important
References: 1097073

This update for libgcrypt fixes the following issues:

- Fixed a regression where systems were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2134-1
Released: Wed Aug 14 11:54:56 2019
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1136717,1137624,1141059,SLE-5807

This update for zlib fixes the following issues:

- Update the s390 patchset. (bsc#1137624)
- Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059)
- Use FAT LTO objects in order to provide proper static library.
- Do not enable the previous patchset on s390 but just s390x. (bsc#1137624)
- Add patchset for s390 improvements.
(jsc#SLE-5807, bsc#1136717)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2188-1
Released: Wed Aug 21 10:10:29 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1140647

This update for aaa_base fixes the following issues:

- Make systemd detection cgroup oblivious. (bsc#1140647)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2218-1
Released: Mon Aug 26 11:29:57 2019
Summary: Recommended update for pinentry
Type: recommended
Severity: moderate
References: 1141883

This update for pinentry fixes the following issues:

- Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2241-1
Released: Wed Aug 28 14:58:49 2019
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1144169

This update for ca-certificates-mozilla fixes the following issues:

ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)

Removed CAs:

- Certinomis - Root CA

Includes new root CAs from the 2.32 version:

- emSign ECC Root CA - C3 (email and server auth)
- emSign ECC Root CA - G3 (email and server auth)
- emSign Root CA - C1 (email and server auth)
- emSign Root CA - G1 (email and server auth)
- Hongkong Post Root CA 3 (server auth)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2306-1
Released: Thu Sep 5 14:39:23 2019
Summary: Recommended update for parted
Type: recommended
Severity: moderate
References: 1082318,1136245

This update for parted fixes the following issues:

- Included several minor bug fixes - for more details please refer to this rpm's changelog (bsc#1136245)
- Installs the license file in the correct directory (bsc#1082318)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2307-1
Released: Thu Sep 5 14:45:08 2019
Summary: Security update for util-linux and shadow
Type: security
Severity: moderate
References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876

This update for util-linux and shadow fixes the following issues:

util-linux:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2332-1
Released: Mon Sep 9 10:17:16 2019
Summary: Security update for python-urllib3
Type: security
Severity: moderate
References: 1129071,1132663,1132900,CVE-2019-11236,CVE-2019-11324,CVE-2019-9740

This update for python-urllib3 fixes the following issues:

Security issues fixed:

- CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071).
- CVE-2019-11324: Fixed invalid CA certificate verification (bsc#1132900).
- CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2365-1
Released: Thu Sep 12 11:23:31 2019
Summary: Security update for python-Werkzeug
Type: security
Severity: moderate
References: 1145383,CVE-2019-14806

This update for python-Werkzeug fixes the following issues:

Security issue fixed:

- CVE-2019-14806: Fixed the development server in Docker, the debugger security pin is now unique per container (bsc#1145383).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:

- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2422-1
Released: Fri Sep 20 16:36:43 2019
Summary: Recommended update for python-urllib3
Type: recommended
Severity: moderate
References: 1150895

This update for python-urllib3 fixes the following issues:

- Add missing dependency on python-six (bsc#1150895)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132

This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

Following settings have been tightened (and set to 0):

- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2429-1
Released: Mon Sep 23 09:28:40 2019
Summary: Security update for expat
Type: security
Severity: moderate
References: 1149429,CVE-2019-15903

This update for expat fixes the following issues:

Security issues fixed:

- CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2019:2483-1
Released: Fri Sep 27 14:16:23 2019
Summary: Optional update for python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate.
Type: optional
Severity: low
References: 1088358

This update ships python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate for the SUSE Linux Enterprise Public Cloud 15 module.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2517-1
Released: Wed Oct 2 10:49:20 2019
Summary: Security update for libseccomp
Type: security
Severity: moderate
References: 1082318,1128828,1142614,CVE-2019-9893

This update for libseccomp fixes the following issues:

Security issues fixed:

- CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828)

libseccomp was updated to new upstream release 2.4.1:

- Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks.

libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893):

- Update the syscall table for Linux v5.0-rc5
- Added support for the SCMP_ACT_KILL_PROCESS action
- Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute
- Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension
- Added support for the parisc and parisc64 architectures
- Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3)
- Return -EDOM on an endian mismatch when adding an architecture to a filter
- Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run()
- Fix PFC generation when a syscall is prioritized, but no rule exists
- Numerous fixes to the seccomp-bpf filter generation code
- Switch our internal hashing function from jhash/Lookup3 to MurmurHash3
- Numerous tests added to the included test suite, coverage now at ~92%
- Update our Travis CI configuration to use Ubuntu 16.04
- Numerous documentation fixes and updates

libseccomp was updated to release 2.3.3:

- Updated the syscall table for Linux v4.15-rc7

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168

This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2647-1
Released: Fri Oct 11 17:12:06 2019
Summary: Recommended update for python-pyOpenSSL
Type: recommended
Severity: moderate
References: 1149792

This update for python-pyOpenSSL fixes the following issues:

- Adds compatibility for openSSL 1.1.1d (bsc#1149792)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2656-1
Released: Mon Oct 14 17:02:24 2019
Summary: Security update for sudo
Type: security
Severity: important
References: 1153674,CVE-2019-14287

This update for sudo fixes the following issue:

- CVE-2019-14287: Fixed an issue where a user with sudo privileges that allowed them to run commands with an arbitrary uid, could run commands as root, despite being forbidden to do so in sudoers (bsc#1153674).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094

This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

Non-security issue fixed:

- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2693-1
Released: Wed Oct 16 16:43:30 2019
Summary: Recommended update for rpcbind
Type: recommended
Severity: moderate
References: 1142343

This update for rpcbind fixes the following issues:

- Return correct IP address with multiple ip addresses in the same subnet.
(bsc#1142343)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

Following security issues were fixed:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:

- Fix CPU summary showing old data.
(bsc#1121753)

The update to 3.3.15 contains the following fixes:

* library: Increment to 8:0:1
  No removals, no new functions
  Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert 'Support running with child namespaces'
* library: Increment to 7:0:1
  No changes, no removals
  New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: don't use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch
for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released: Wed Oct 23 17:21:17 2019
Summary: Security update for lz4
Type: security
Severity: moderate
References: 1153936,CVE-2019-17543

This update for lz4 fixes the following issues:

- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2762-1
Released: Thu Oct 24 07:08:44 2019
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1150451

This update for timezone fixes the following issues:

- Fiji observes DST from 2019-11-10 to 2020-01-12.
- Norfolk Island starts observing Australian-style DST.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2779-1
Released: Thu Oct 24 16:57:42 2019
Summary: Security update for binutils
Type: security
Severity: moderate
References: 1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118644,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,1152590,1154016,1154025,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945,CVE-2019-1010180,ECO-368,SLE-6206

This update for binutils fixes the following issues:

binutils was updated to current 2.32 branch [jsc#ECO-368].

Includes following security fixes:

- CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412)
- CVE-2018-17359: Fixed invalid memory access in bfd_zalloc in opncls.c (bsc#1109413)
- CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414)
- CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827)
- CVE-2018-18309: Fixed an invalid memory address dereference in read_reloc in reloc.c (bsc#1111996)
- CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535)
- CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534)
- CVE-2018-18605: Fixed a heap-based buffer over-read in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255)
- CVE-2018-18606: Fixed a NULL pointer
dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252)
- CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247)
- CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831)
- CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830)
- CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035)
- CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034)
- CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056)
- CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640)
- CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772)
- enable xtensa architecture (Tensilica lc6 and related)
- Use -ffat-lto-objects in order to provide assembly for static libs (bsc#1141913).
- Fixed some LTO build issues (bsc#1133131 bsc#1133232).
- riscv: Don't check ABI flags if no code section
- Fixed a segfault in ld when building some versions of pacemaker (bsc#1154025, bsc#1154016).
- Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses (bsc#1152590).

Update to binutils 2.32:

* The binutils now support the C-SKY processor series.
* The x86 assembler now supports a -mvexwig=[0|1] option to control encoding of VEX.W-ignored (WIG) VEX instructions. It also has a new -mx86-used-note=[yes|no] option to generate (or not) x86 GNU property notes.
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2), the Loongson EXTensions (EXT) instructions, the Loongson Content Address Memory (CAM) ASE and the Loongson MultiMedia extensions Instructions (MMI) ASE.
* The addr2line, c++filt, nm and objdump tools now have a default limit on the maximum amount of recursion that is allowed whilst demangling strings. This limit can be disabled if necessary.
* Objdump's --disassemble option can now take a parameter, specifying the starting symbol for disassembly. Disassembly will continue from this symbol up to the next symbol or the end of the function.
* The BFD linker will now report property change in linker map file when merging GNU properties.
* The BFD linker's -t option now doesn't report members within archives, unless -t is given twice. This makes it more useful when generating a list of files that should be packaged for a linker bug report.
* The GOLD linker has improved warning messages for relocations that refer to discarded sections.

- Improve relro support on s390 [fate#326356]
- Fix broken debug symbols (bsc#1118644)
- Handle ELF compressed header alignment correctly.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2782-1
Released: Fri Oct 25 14:27:52 2019
Summary: Security update for nfs-utils
Type: security
Severity: moderate
References: 1150733,CVE-2019-3689

This update for nfs-utils fixes the following issues:

- CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2802-1
Released: Tue Oct 29 11:39:05 2019
Summary: Security update for python3
Type: security
Severity: moderate
References: 1149121,1149792,1149955,1151490,1153238,CVE-2019-16056,CVE-2019-16935,PM-1350,SLE-9426

This update for python3 to 3.6.9 fixes the following issues:

Security issues fixed:

- CVE-2019-16056: Fixed a parser issue in the email module.
(bsc#1149955)
- CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238).

Non-security issues fixed:

- Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490)
- Improved locale handling by implementing PEP 538.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released: Tue Oct 29 14:57:55 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1140631,1145023,1150595,SLE-7687

This update for systemd provides the following fixes:

- Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit.
(bsc#1145023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released: Thu Oct 31 08:09:14 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1051143,1138869,1151023

This update for aaa_base provides the following fixes:

- Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2891-1
Released: Mon Nov 4 17:47:10 2019
Summary: Security update for python-ecdsa
Type: security
Severity: moderate
References: 1153165,1154217,CVE-2019-14853,CVE-2019-14859

This update for python-ecdsa to version 0.13.3 fixes the following issues:

Security issues fixed:

- CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165).
- CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2929-1
Released: Thu Nov 7 16:45:13 2019
Summary: Recommended update for python-kubernetes
Type: recommended
Severity: moderate
References: 1151481

This update for python-kubernetes fixes the following issues:

- python-ipaddress is only required for building on Python2 (on Python3 is part of the standard library)
- Backport fix for base64 padding in kubeconfig (bsc#1151481)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released: Thu Nov 14 11:53:03 2019
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1133773,1143055

This update for bash fixes the following issues:

- Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?'
to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm'
- Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595

This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:

- Removed screen.xterm from terminfo database (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released: Mon Nov 25 17:33:07 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866

This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Type: security
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536

This update includes the GNU Compiler Collection 9.

A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.

To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.
Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released: Tue Nov 26 12:39:29 2019
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1152755

This update for gpg2 provides the following fix:

- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released: Thu Nov 28 10:02:24 2019
Summary: Security update for libidn2
Type: security
Severity: moderate
References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224

This update for libidn2 to version 2.2.0 fixes the following issues:

- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released: Thu Nov 28 10:03:00 2019
Summary: Security update for libxml2
Type: security
Severity: low
References: 1123919

This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed over the past.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released: Fri Nov 29 14:41:35 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1154295

This update for e2fsprogs fixes the following issues:

- Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released: Wed Dec 4 11:24:42 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1007715,1084934,1157278

This update for aaa_base fixes the following issues:

- Use official key binding functions in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released: Tue Dec 10 10:40:19 2019
Summary: Recommended update for ca-certificates-mozilla, p11-kit
Type: recommended
Severity: moderate
References: 1154871

This update for ca-certificates-mozilla, p11-kit fixes the following issues:

Changes in ca-certificates-mozilla:

- export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).

Changes in p11-kit:

- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released: Wed Dec 11 11:19:53 2019
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889

This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released: Fri Dec 27 13:33:29 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1148987,1155338,1155339,CVE-2019-13627
This update for libgcrypt fixes the following issues:

Security issues fixed:

- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

Bug fixes:

- Added CMAC AES self test (bsc#1155339).
- Added CMAC TDES self test missing (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:9-1
Released: Thu Jan 2 12:33:47 2020
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1157438
This update for xfsprogs fixes the following issues:

- Remove the 'xfs_scrub_all' script from the package, and the corresponding dependency of python. (bsc#1157438)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:36-1
Released: Wed Jan 8 10:26:46 2020
Summary: Recommended update for python-pyOpenSSL
Type: recommended
Severity: low
References: 1159989
This update fixes the build of python-pyOpenSSL in 2020 (bsc#1159989).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:114-1
Released: Thu Jan 16 10:11:52 2020
Summary: Security update for python3
Type: security
Severity: important
References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
This update for python3 to version 3.6.10 fixes the following issues:

- CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507).
- CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955).
- CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:119-1
Released: Thu Jan 16 15:42:39 2020
Summary: Recommended update for python-jsonpatch
Type: recommended
Severity: moderate
References: 1160978
This update for python-jsonpatch fixes the following issues:

- Drop jsondiff binary to avoid conflict with python-jsondiff package.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released: Mon Jan 20 09:21:13 2020
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889
This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released: Fri Jan 24 06:49:07 2020
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1158830
This update for procps fixes the following issues:

- Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:256-1
Released: Wed Jan 29 09:39:17 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1157794,1160970
This update for aaa_base fixes the following issues:

- Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:262-1
Released: Thu Jan 30 11:02:42 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126
This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).

Bug fixes:

- Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893).
- Fixed Hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:265-1
Released: Thu Jan 30 14:05:34 2020
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1160571,CVE-2019-5188
This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released: Fri Jan 31 12:01:39 2020
Summary: Recommended update for p11-kit
Type: recommended
Severity: moderate
References: 1013125
This update for p11-kit fixes the following issues:

- Also build documentation (bsc#1013125)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released: Thu Feb 6 11:37:24 2020
Summary: Security update for systemd
Type: security
Severity: important
References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712
This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm trigger
(bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
  * shell-completion: systemctl: do not list template units in {re,}start
  * shell-completion: systemctl: pass current word to all list_unit*
  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
  * bash-completion: systemctl: use systemctl --no-pager
  * bash-completion: also suggest template unit files
  * bash-completion: systemctl: add missing options and verbs
  * bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot
option to not use swap at system start (jsc#SLE-7689)
- Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released: Thu Feb 6 13:03:22 2020
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1158921
This update for openldap2 provides the following fix:

- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:340-1
Released: Thu Feb 6 13:03:56 2020
Summary: Recommended update for python-rpm-macros
Type: recommended
Severity: moderate
References: 1161770
This update for python-rpm-macros fixes the following issues:

- Add macros related to the Python dist metadata dependency generator. (bsc#1161770)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:408-1
Released: Wed Feb 19 09:32:46 2020
Summary: Security update for sudo
Type: security
Severity: important
References: 1162202,1162675,CVE-2019-18634
This update for sudo fixes the following issues:

Security issue fixed:

- CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202).

Non-security issue fixed:

- Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released: Tue Feb 25 10:50:35 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1155337,1161215,1161216,1161218,1161219,1161220
This update for libgcrypt fixes the following issues:

- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:453-1
Released: Tue Feb 25 10:51:53 2020
Summary: Recommended update for binutils
Type: recommended
Severity: moderate
References: 1160590
This update for binutils fixes the following issues:

- Recognize the official name of s390 arch13: 'z15'. (bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:462-1
Released: Tue Feb 25 11:49:30 2020
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1158504,1158509,1158630,1158758
This update for xfsprogs fixes the following issues:

- Allow the filesystem utility xfs_io to suffix sizes with k,m,g for kilobytes, megabytes or gigabytes respectively. (bsc#1158630)
- Validate extent size hint parameters through libxfs to avoid output mismatch. (bsc#1158509)
- Fix for 'xfs_repair' not to fail recovery of orphaned shortform directories. (bsc#1158504)
- Fix for 'xfs_quota' to avoid false error reporting of project inheritance flag is not set.
(bsc#1158758)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:467-1
Released: Tue Feb 25 12:00:39 2020
Summary: Security update for python3
Type: security
Severity: moderate
References: 1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492
This update for python3 fixes the following issues:

Security issues fixed:

- CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825).
- CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367).

Non-security issue fixed:

- If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released: Tue Feb 25 14:23:14 2020
Summary: Recommended update for perl
Type: recommended
Severity: moderate
References: 1102840,1160039
This update for perl fixes the following issues:

- Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digits only instead of four digits. (bsc#1102840) (bsc#1160039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released: Tue Feb 25 17:38:22 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1160735
This update for aaa_base fixes the following issues:

- Change 'rp_filter' to increase the default priority to ethernet over the wifi.
(bsc#1160735)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:498-1
Released: Wed Feb 26 17:59:44 2020
Summary: Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized
Type: recommended
Severity: moderate
References: 1122669,1136184,1146853,1146854,1159018
This update for aws-cli, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized, python-boto3, python-botocore, python-s3transfer fixes the following issues:

python-aws-sam-translator was updated to 1.11.0 (bsc#1159018, jsc#PM-1507):

Upgrade to 1.11.0:

* Add ReservedConcurrentExecutions to globals
* Fix ElasticsearchHttpPostPolicy resource reference
* Support using AWS::Region in Ref and Sub
* Documentation and examples updates
* Add VersionDescription property to Serverless::Function
* Update ServerlessRepoReadWriteAccessPolicy
* Add additional template validation

Upgrade to 1.10.0:

* Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy
* Add DynamoDBReconfigurePolicy
* Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy
* Add EKSDescribePolicy
* Add SESBulkTemplatedCrudPolicy
* Add FilterLogEventsPolicy
* Add SSMParameterReadPolicy
* Add SESEmailTemplateCrudPolicy
* Add s3:PutObjectAcl to S3CrudPolicy
* Add allow_credentials CORS option
* Add support for AccessLogSetting and CanarySetting Serverless::Api properties
* Add support for X-Ray in Serverless::Api
* Add support for MinimumCompressionSize in Serverless::Api
* Add Auth to Serverless::Api globals
* Remove trailing slashes from APIGW permissions
* Add SNS FilterPolicy and an example application
* Add Enabled property to Serverless::Function event sources
* Add support for PermissionsBoundary in Serverless::Function
* Fix boto3 client initialization
* Add PublicAccessBlockConfiguration property to S3 bucket resource
* Make PAY_PER_REQUEST default mode for
Serverless::SimpleTable
* Add limited support for resolving intrinsics in Serverless::LayerVersion
* SAM now uses Flake8
* Add example application for S3 Events written in Go
* Updated several example applications

python-cfn-lint was added in version 0.21.4:

- Add upstream patch to fix EOL dates for lambda runtimes
- Add upstream patch to fix test_config_expand_paths test
- Rename to python-cfn-lint. This package has a python API, which is required by python-moto.

Update to version 0.21.4:

+ Features
  * Include more resource types in W3037
+ CloudFormation Specifications
  * Add Resource Type `AWS::CDK::Metadata`
+ Fixes
  * Uncap requests dependency in setup.py
  * Check Join functions have lists in the correct sections
  * Pass a parameter value for AutoPublishAlias when doing a Transform
  * Show usage examples when displaying the help

Update to version 0.21.3

+ Fixes
  * Support dumping strings for datetime objects when doing a Transform

Update to version 0.21.2

+ CloudFormation Specifications
  * Update CloudFormation specs to 3.3.0
  * Update instance types from pricing API as of 2019.05.23

Update to version 0.21.1

+ Features
  * Add `Info` logging capability and set the default logging to `NotSet`
+ Fixes
  * Only do rule logging (start/stop/time) when the rule is going to be called
  * Update rule E1019 to allow `Fn::Transform` inside a `Fn::Sub`
  * Update rule W2001 to not break when `Fn::Transform` inside a `Fn::Sub`
  * Update rule E2503 to allow conditions to be used and to not default to `network` load balancer when an object is used for the Load Balancer type

Update to version 0.21.0

+ Features
  * New rule E3038 to check if a Serverless resource includes the appropriate Transform
  * New rule E2531 to validate a Lambda's runtime against the deprecated dates
  * New rule W2531 to validate a Lambda's runtime against the EOL dates
  * Update rule E2541 to include updates to Code Pipeline capabilities
  * Update rule E2503 to include checking of values for load balancer attributes
+
CloudFormation Specifications
  * Update CloudFormation specs to 3.2.0
  * Update instance types from pricing API as of 2019.05.20
+ Fixes
  * Include setuptools in setup.py requires

Update to version 0.20.3

+ CloudFormation Specifications
  * Update instance types from pricing API as of 2019.05.16
+ Fixes
  * Update E7001 to allow float/doubles for mapping values
  * Update W1020 to check pre-transformed Fn::Sub(s) to determine if a Sub is needed
  * Pin requests to be below or equal to 2.21.0 to prevent issues with botocore

Update to version 0.20.2

+ Features
  * Add support for List Parameter types
+ CloudFormation Specifications
  * Add allowed values for AWS::EC2 EIP, FlowLog, CustomerGateway, DHCPOptions, EC2Fleet
  * Create new property type for Security Group IDs or Names
  * Add new Lambda runtime environment for NodeJs 10.x
  * Move AWS::ServiceDiscovery::Service Health checks from Only One to Exclusive
  * Update Glue Crawler Role to take an ARN or a name
  * Remove PrimitiveType from MaintenanceWindowTarget Targets
  * Add Min/Max values for Load Balancer Ports to be between 1-65535
+ Fixes
  * Include License file in the pypi package to help with downstream projects
  * Filter out dynamic references from rule E3031 and E3030
  * Convert Python linting and Code Coverage from Python 3.6 to 3.7

Update to version 0.20.1

+ Fixes
  * Update rule E8003 to support more functions inside a Fn::Equals

Update to version 0.20.0

+ Features
  * Allow a rule's exception to be defined in a resource's metadata
  * Add rule configuration capabilities
  * Update rule E3012 to allow for non strict property checking
  * Add rule E8003 to test Fn::Equals structure and syntax
  * Add rule E8004 to test Fn::And structure and syntax
  * Add rule E8005 to test Fn::Not structure and syntax
  * Add rule E8006 to test Fn::Or structure and syntax
  * Include Path to error in the JSON output
  * Update documentation to describe how to install cfn-lint from brew
+ CloudFormation Specifications
  * Update CloudFormation specs to version 3.0.0
  * Add new region ap-east-1
  * Add list min/max and string min/max for CloudWatch Alarm Actions
  * Add allowed values for EC2::LaunchTemplate
  * Add allowed values for EC2::Host
  * Update allowed values for Amazon MQ to include 5.15.9
  * Add AWS::Greengrass::ResourceDefinition to GreenGrass supported regions
  * Add AWS::EC2::VPCEndpointService to all regions
  * Update AWS::ECS::TaskDefinition ExecutionRoleArn to be a IAM Role ARN
  * Patch spec files for SSM MaintenanceWindow to look for Target and not Targets
  * Update ManagedPolicyArns list size to be 20 which is the hard limit. 10 is the soft limit.
+ Fixes
  * Fix rule E3033 to check the string size when the string is inside a list
  * Fix an issue in which AWS::NotificationARNs was not a list
  * Add AWS::EC2::Volume to rule W3010
  * Fix an issue with W2001 where SAM translate would remove the Ref to a parameter causing this error to falsely trigger
  * Fix rule W3010 to not error when the availability zone is 'all'

Update to version 0.19.1

+ Fixes
  * Fix core Condition processing to support direct Condition in another Condition
  * Fix the W2030 to check numbers against string allowed values

Update to version 0.19.0

+ Features
  * Add NS and PTR Route53 record checking to rule E3020
  * New rule E3050 to check if a Ref to IAM Role has a Role path of '/'
  * New rule E3037 to look for duplicates in a list that doesn't support duplicates
  * New rule I3037 to look for duplicates in a list when duplicates are allowed
+ CloudFormation Specifications
  * Add Min/Max values to AWS::ElasticLoadBalancingV2::TargetGroup HealthCheckTimeoutSeconds
  * Add Max JSON size to AWS::IAM::ManagedPolicy PolicyDocument
  * Add allowed values for AWS::EC2 SpotFleet, TransitGateway, NetworkAcl NetworkInterface, PlacementGroup, and Volume
  * Add Min/max values to AWS::Budgets::Budget.Notification Threshold
  * Update RDS Instance types by database engine and license definitions using the pricing API
  * Update AWS::CodeBuild::Project ServiceRole to support Role Name or ARN
  * Update AWS::ECS::Service Role to support Role Name or ARN
+ Fixes
  * Update E3025 to support the new structure of data in the RDS instance type json
  * Update E2540 to remove all nested conditions from the object
  * Update E3030 to not do strict type checking
  * Update E3020 to support conditions nested in the record sets
  * Update E3008 to better handle CloudFormation sub stacks with different GetAtt formats

Update to version 0.18.1

+ CloudFormation Specifications
  * Update CloudFormation Specs to 2.30.0
  * Fix IAM Regex Path to support more character types
  * Update AWS::Batch::ComputeEnvironment.ComputeResources InstanceRole to reference an InstanceProfile or GetAtt the InstanceProfile Arn
  * Allow VPC IDs to Ref a Parameter of type String
+ Fixes
  * Fix E3502 to check the size of the property instead of the parent object

Update to version 0.18.0

+ Features
  * New rule E3032 to check the size of lists
  * New rule E3502 to check JSON Object Size using definitions in the spec file
  * New rule E3033 to test the minimum and maximum length of a string
  * New rule E3034 to validate the min and max of a number
  * Remove Ebs Iops check from E2504 and use rule E3034 instead
  * Remove rule E2509 and use rule E3033 instead
  * Remove rule E2508 as it replaced by E3032 and E3502
  * Update rule E2503 to check that there are at least two 2 Subnets or SubnetMappings for ALBs
  * SAM requirement upped to minimal version of 1.10.0
+ CloudFormation Specifications
  * Extend specs to include:
    > `ListMin` and `ListMax` for the minimum and maximum size of a list
    > `JsonMax` to check the max size of a JSON Object
    > `StringMin` and `StringMax` to check the minimum and maximum length of a String
    > `NumberMin` and `NumberMax` to check the minimum and maximum value of a Number, Float, Long
  * Update State and ExecutionRoleArn to be required on AWS::DLM::LifecyclePolicy
  * Add AllowedValues for PerformanceInsightsRetentionPeriod for AWS::RDS::Instance
  * Add AllowedValues for the AWS::GuardDuty Resources
  * Add
AllowedValues for AWS::EC2 VPC and VPN Resources
  * Switch IAM Instance Profiles for certain resources to the type that only takes the name
  * Add regex pattern for IAM Instance Profile when a name (not Arn) is used
  * Add regex pattern for IAM Paths
  * Add Regex pattern for IAM Role Arn
  * Update OnlyOne spec to require at least one of Subnets or SubnetMappings with ELB v2
+ Fixes
  * Fix serverless transform to use DefinitionBody when Auth is in the API definition
  * Fix rule W2030 to not error when checking SSM or List Parameters

Update to version 0.17.1

+ Features
  * Update rule E2503 to make sure NLBs don't have a Security Group configured
+ CloudFormation Specifications
  * Add all the allowed values of the `AWS::Glue` Resources
  * Update OnlyOne check for `AWS::CloudWatch::Alarm` to only `MetricName` or `Metrics`
  * Update Exclusive check for `AWS::CloudWatch::Alarm` for properties mixed with `Metrics` and `Statistic`
  * Update CloudFormation specs to 2.29.0
  * Fix type with MariaDB in the AllowedValues
  * Update pricing information for data available on 2018.3.29
+ Fixes
  * Fix rule E1029 to not look for a sub is needed when looking for iot strings in policies
  * Fix rule E2541 to allow for ActionId Versions of length 1-9 and meets regex `[0-9A-Za-z_-]+`
  * Fix rule E2532 to allow for `Parameters` inside a `Pass` action
  * Fix an issue when getting the location of an error in which numbers are causing an attribute error

Update to version 0.17.0

+ Features
  * Add new rule E3026 to validate Redis cluster settings including AutomaticFailoverEnabled and NumCacheClusters. Status: Released
  * Add new rule W3037 to validate IAM resource policies.
Status: Experimental
  * Add new parameter `-e/--include-experimental` to allow for new rules in that aren't ready to be fully released
+ CloudFormation Specifications
  * Update Spec files to 2.28.0
  * Add all the allowed values of the AWS::Redshift::* Resources
  * Add all the allowed values of the AWS::Neptune::* Resources
  * Patch spec to make AWS::CloudFront::Distribution.LambdaFunctionAssociation.LambdaFunctionARN required
  * Patch spec to make AWS::DynamoDB::Table AttributeDefinitions required
+ Fixes
  * Remove extra blank lines when there is no errors in the output
  * Add exception to rule E1029 to have exceptions for EMR CloudWatchAlarmDefinition
  * Update rule E1029 to allow for literals in a Sub
  * Remove sub checks from rule E3031 as it won't match in all cases of an allowed pattern regex check
  * Correct typos for errors in rule W1001
  * Switch from parsing a template as Yaml to Json when finding an escape character
  * Fix an issue with SAM related to transforming templates with Serverless Application and Lambda Layers
  * Fix an issue with rule E2541 when non strings were used for Stage Names

Update to version 0.16.0

+ Features
  * Add rule E3031 to look for regex patterns based on the patched spec file
  * Remove regex checks from rule E2509
  * Add parameter `ignore-templates` to allow the ignoring of templates when doing bulk linting
+ CloudFormation Specifications
  * Update Spec files to 2.26.0
  * Add all the allowed values of the AWS::DirectoryService::* Resources
  * Add all the allowed values of the AWS::DynamoDB::* Resources
  * Added AWS::Route53Resolver resources to the Spec Patches of ap-southeast-2
  * Patch the spec file with regex patterns
  * Add all the allowed values of the AWS::DocDb::* Resources
+ Fixes
  * Update rule E2504 to have '20000' as the max value
  * Update rule E1016 to not allow ImportValue inside of Conditions
  * Update rule E2508 to check conditions when providing limit checks on managed policies
  * Convert unicode to strings when in Py 3.4/3.5 and updating
specs
  * Convert from `awslabs` to `aws-cloudformation` organization
  * Remove suppression of logging that was removed from samtranslator >1.7.0 and incompatibility with samtranslator 1.10.0

Update to version 0.15.0

+ Features
  * Add scaffolding for arbitrary Match attributes, adding attributes for Type checks
  * Add rule E3024 to validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST
+ CloudFormation Specifications
  * Update Spec files to 2.24.0
  * Update OnlyOne spec to have BlockDeviceMapping to include NoDevice with Ebs and VirtualName
  * Add all the allowed values of the AWS::CloudFront::* Resources
  * Add all the allowed values of the AWS::DAX::* Resources
+ Fixes
  * Update config parsing to use the builtin Yaml decoder
  * Add condition support for Inclusive E2521, Exclusive E2520, and AtLeastOne E2522 rules
  * Update rule E1029 to better check Resource strings inside IAM Policies
  * Improve the line/column information of a Match with array support

Update to version 0.14.1

+ CloudFormation Specifications
  * Update CloudFormation Specs to version 2.23.0
  * Add allowed values for AWS::Config::* resources
  * Add allowed values for AWS::ServiceDiscovery::* resources
  * Fix allowed values for Apache MQ
+ Fixes
  * Update rule E3008 to not error when using a list from a custom resource
  * Support simple types in the CloudFormation spec
  * Add tests for the formatters

Update to version 0.14.0

+ Features
  * Add rule E3035 to check the values of DeletionPolicy
  * Add rule E3036 to check the values of UpdateReplacePolicy
  * Add rule E2014 to check that there are no REFs in the Parameter section
  * Update rule E2503 to support TLS on NLBs
+ CloudFormation Specifications
  * Update CloudFormation spec to version 2.22.0
  * Add allowed values for AWS::Cognito::* resources
+ Fixes
  * Update rule E3002 to allow GetAtts to Custom Resources under a Condition

Update to version 0.13.2

+ Features
  * Introducing the cfn-lint logo!
  * Update SAM dependency version
+ Fixes
  * Fix CloudWatchAlarmComparisonOperator allowed values.
  * Fix typo resoruce_type_spec in several files
  * Better support for nested And, Or, and Not when processing Conditions

Update to version 0.13.1

+ CloudFormation Specifications
  * Add allowed values for AWS::CloudTrail::Trail resources
  * Patch spec to have AWS::CodePipeline::CustomActionType Version included
+ Fixes
  * Fix conditions logic to use AllowedValues when REFing a Parameter that has AllowedValues specified

Update to version 0.13.0

+ Features
  * New rule W1011 to check if a FindInMap is using the correct map name and keys
  * New rule W1001 to check if a Ref/GetAtt to a resource that exists when Conditions are used
  * Removed logic in E1011 and moved it to W1011 for validating keys
  * Add property relationships for AWS::ApplicationAutoScaling::ScalingPolicy into Inclusive, Exclusive, and AtLeastOne
  * Update rule E2505 to check the netmask bit
  * Include the ability to update the CloudFormation Specs using the Pricing API
+ CloudFormation Specifications
  * Update to version 2.21.0
  * Add allowed values for AWS::Budgets::Budget
  * Add allowed values for AWS::CertificateManager resources
  * Add allowed values for AWS::CodePipeline resources
  * Add allowed values for AWS::CodeCommit resources
  * Add allowed values for EC2 InstanceTypes from pricing API
  * Add allowed values for RedShift InstanceTypes from pricing API
  * Add allowed values for MQ InstanceTypes from pricing API
  * Add allowed values for RDS InstanceTypes from pricing API
+ Fixes
  * Fixed README indentation issue with .pre-commit-config.yaml
  * Fixed rule E2541 to allow for multiple inputs/outputs in a CodeBuild task
  * Fixed rule E3020 to allow for a period or no period at the end of a ACM registration record
  * Update rule E3001 to support UpdateReplacePolicy
  * Fix a cli issue where `--template` wouldn't be used when a .cfnlintrc was in the same folder
  * Update rule E3002 and E1024 to support packaging of
AWS::Lambda::LayerVersion content

- Initial build
  + Version 0.12.1

Update to 0.9.1

* the prof plugin now uses cProfile instead of hotshot for profiling
* skipped tests now include the user's reason in junit XML's message field
* the prettyassert plugin mishandled multi-line function definitions
* Using a plugin's CLI flag when the plugin is already enabled via config no longer errors
* nose2.plugins.prettyassert, enabled with --pretty-assert
* Cleanup code for EOLed python versions
* Dropped support for distutils.
* Result reporter respects failure status set by other plugins
* JUnit XML plugin now includes the skip reason in its output

Upgrade to 0.8.0:

- List of changes is too long to show here, see https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst changes between 0.6.5 and 0.8.0

Update to 0.7.0:

* Added parameterized_class feature, for parameterizing entire test classes (many thanks to @TobyLL for their suggestions and help testing!)
* Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh; https://github.com/wolever/parameterized/issues/67)
* Make sure that `setUp` and `tearDown` methods work correctly (#40)
* Raise a ValueError when input is empty (thanks @danielbradburn; https://github.com/wolever/parameterized/pull/48)
* Fix the order when number of cases exceeds 10 (thanks @ntflc; https://github.com/wolever/parameterized/pull/49)

aws-cli was updated to version 1.16.223:

For detailed changes see the changes entries:

https://github.com/aws/aws-cli/blob/1.16.223/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.189/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.182/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.176/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.103/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.94/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.84/CHANGELOG.rst

python-boto3 was updated to 1.9.213, python-botocore was updated to 1.9.188, and python-s3transfer was updated to
1.12.74, fixing lots of bugs and adding features (bsc#1146853, bsc#1146854) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:525-1 Released: Fri Feb 28 11:49:36 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1164562 This update for pam fixes the following issues: - Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:556-1 Released: Mon Mar 2 13:32:11 2020 Summary: Recommended update for 389-ds Type: recommended Severity: moderate References: 1155951 This update for 389-ds to version 1.4.2.2 fixes the following issues: 389-ds was updated to 1.4.2.6 (fate#326677, bsc#1155951), bringing many bug and stability fixes. Issue addressed: - Enabled python lib389 installer tooling to match upstream and suse documentation. More information for this release at: https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-2-1.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:572-1 Released: Tue Mar 3 13:25:41 2020 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1162518 This update for cyrus-sasl fixes the following issues: - Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518) - Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:573-1 Released: Tue Mar 3 13:37:28 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1160160 This update for ca-certificates-mozilla to 2.40 fixes the following issues: Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160): Removed certificates: - Certplus Class 2 Primary CA - Deutsche Telekom Root CA 2 - 
CN=Swisscom Root CA 2 - UTN-USERFirst-Client Authentication and Email added certificates: - Entrust Root Certification Authority - G4 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:597-1 Released: Thu Mar 5 15:24:09 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950 This update for libgcrypt fixes the following issues: - FIPS: Run the self-tests from the constructor [bsc#1164950] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:633-1 Released: Tue Mar 10 16:23:08 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1139939,1151023 This update for aaa_base fixes the following issues: - get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939) - added '-h'/'--help' to the command old - change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:668-1 Released: Fri Mar 13 10:48:58 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1163184,1164505,1165784,CVE-2020-10029 This update for glibc fixes the following issues: - CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784). - Fixed an issue where pthread were not always locked correctly (bsc#1164505). - Document mprotect and introduce section on memory protection (bsc#1163184). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:689-1 Released: Fri Mar 13 17:09:01 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for PAM fixes the following issue: - The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. 
It will be published in a different package at a later time. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:475-1 Released: Thu Mar 19 11:00:46 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1160595 This update for systemd fixes the following issues: - Remove TasksMax limit for both user and system slices (jsc#SLE-10123) - Backport IP filtering feature (jsc#SLE-7743 bsc#1160595) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:729-1 Released: Thu Mar 19 14:44:22 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1166106 This update for glibc fixes the following issues: - Allow dlopen of filter object to work (bsc#1166106, BZ #16272) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:777-1 Released: Tue Mar 24 18:07:52 2020 Summary: Recommended update for python3 Type: recommended Severity: moderate References: 1165894 This update for python3 fixes the following issue: - Rename idle icons to idle3 in order to not conflict with python2 variant of the package (bsc#1165894) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:793-1 Released: Wed Mar 25 15:16:00 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712 This update for systemd fixes the following issues: - manager: fix job mode when signalled to shutdown etc (bsc#1161262) - remove fallback for user/exit.target - dbus method Manager.Exit() does not start exit.target - do not install rescue.target for alt-??? - %j/%J unit specifiers Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717). 
Added the udev 60-ssd-scheduler.rules: - This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team. - core: coldplug possible nop_job (bsc#1139459) - Revert 'udev: use 'deadline' IO scheduler for SSD disks' - Fix typo in function name - polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712) - sd-bus: introduce API for re-enqueuing incoming messages - polkit: on async pk requests, re-validate action/details ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:814-1 Released: Mon Mar 30 16:23:42 2020 Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 Type: recommended Severity: moderate References: 1161816,1162152,1167223 This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues: libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223): Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4 - Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816) - Move the animation library to core package bsc#1162152 xmlsec1 was updated to 1.2.28: * Added BoringSSL support (chenbd). * Added gnutls-3.6.x support (alonbl). * Added DSA and ECDSA key size getter for MSCNG (vmiklos). * Added --enable-mans configuration option (alonbl). * Added coninuous build integration for MacOSX (vmiklos). * Several other small fixes (more details). - Make sure to recommend at least one backend when you install just xmlsec1 - Drop the gnutls backend as based on the tests it is quite borked: * We still have nss and openssl backend for people to use Version update to 1.2.27: * Added AES-GCM support for OpenSSL and MSCNG (snargit). 
* Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos). * Added RSA-OAEP support for MSCNG (vmiklos). * Continuous build integration in Travis and Appveyor. * Several other small fixes (more details). myspell-dictionaries was updated to 20191219: * Updated the English dictionaries: GB+US+CA+AU * Bring shipped Spanish dictionary up to version 2.5 boost was updated to fix: - add a backport of Boost.Optional::has_value() for LibreOffice The QR-Code-generator is shipped: - Initial commit, needed by libreoffice 6.4 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:820-1 Released: Tue Mar 31 13:02:22 2020 Summary: Security update for glibc Type: security Severity: important References: 1167631,CVE-2020-1752 This update for glibc fixes the following issues: - CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:823-1 Released: Tue Mar 31 13:28:14 2020 Summary: Recommended update for parted Type: recommended Severity: moderate References: 1161783,1164260 This update for parted fixes the following issue: - Make parted work with pmemXs devices. (bsc#1164260) - Fix for error when parted output size crashing parted in yast. 
(bsc#1161783) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:846-1 Released: Thu Apr 2 07:24:07 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1164950,1166748,1167674 This update for libgcrypt fixes the following issues: - FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950) - FIPS: Fix drbg to be threadsafe (bsc#1167674) - FIPS: Run self-tests from constructor during power-on [bsc#1166748] * Set up global_init as the constructor function: * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG is available: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:917-1 Released: Fri Apr 3 15:02:25 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1166510 This update for pam fixes the following issues: - Moved pam_userdb into a separate package pam-extra. (bsc#1166510) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:935-1 Released: Tue Apr 7 03:46:39 2020 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1158630,1167205,1167206 This update for xfsprogs fixes the following issues: - xfs_quota: reformat commands in the manpage. (bsc#1167206) Reformat commands in the manpage so that fstest can check that each command is actually documented. - xfs_db: document missing commands. (bsc#1167205) Document the commands 'attr_set', 'attr_remove', 'logformat' in the manpage. - xfs_io: allow size suffixes for the copy_range command. 
(bsc#1158630)
  Allow the usage of size suffixes k,m,g for kilobytes, megabytes or gigabytes respectively for the copy_range command

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released: Wed Apr 8 07:44:21 2020
Summary: Security update for gmp, gnutls, libnettle
Type: security
Severity: moderate
References: 1152692,1155327,1166881,1168345,CVE-2020-11501

This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:959-1
Released: Wed Apr 8 12:59:50 2020
Summary: Security update for python-PyYAML
Type: security
Severity: important
References: 1165439,CVE-2020-1747

This update for python-PyYAML fixes the following issues:

- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released: Wed Apr 8 13:34:06 2020
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1160979

This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to excercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released: Thu Apr 9 11:41:53 2020
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1168699,CVE-2020-1730

This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:979-1
Released: Mon Apr 13 15:42:59 2020
Summary: Recommended update for parted
Type: recommended
Severity: moderate
References: 1168756

This update for parted fixes the following issue:

- fix null pointer dereference.
(bsc#1168756) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1000-1 Released: Wed Apr 15 14:18:57 2020 Summary: Recommended update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager Type: recommended Severity: moderate References: 1014478,1054413,1140565,982804,999200 This update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager fixes the following issues: The Azure python modules and client tool stack was updated to the 2020 state. Various other python modules were added and updated. - python-PyYAML was updated to 5.1.2. - python-humanfriendly was updated 4.16.1. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1037-1 Released: Mon Apr 20 10:49:39 2020 Summary: Recommended update for python-pytest Type: recommended Severity: low References: 1002895,1107105,1138666,1167732 This update fixes the following issues: New python-pytest versions are provided. 
In Basesystem:

- python3-pexpect: updated to 4.8.0
- python3-py: updated to 1.8.1
- python3-zipp: shipped as dependency in version 0.6.0

In Python2:

- python2-pexpect: updated to 4.8.0
- python2-py: updated to 1.8.1

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released: Wed Apr 22 10:46:50 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1165539,1169569

This update for libgcrypt fixes the following issues:

- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1094-1
Released: Thu Apr 23 16:34:21 2020
Summary: Recommended update for python-google-api-python-client
Type: recommended
Severity: moderate
References: 1088358,1160933

This update for python-google-api-python-client fixes the following issues:

- Fix dependencies to use google-auth instead of deprecated oauth2client (bsc#1160933, jsc#ECO-1148)

python-cachetools 2.0.1 is shipped to the Public Cloud Module.
python-google-auth 1.5.1 is shipped to the Public Cloud Module.

python-google-api-python-client was updated to:

- Upgrade to 1.7.4: just series of minor bugfixes
- Fix check for error text on Python 3.7. (#278)
- Use new Auth URIs. (#281)
- Add code-of-conduct document.
(#270) - Fix some typos in test_urllib3.py (#268) - Warn when using user credentials from the Cloud SDK (#266) - Add compute engine-based IDTokenCredentials (#236) - Corrected some typos (#265) Update to 1.4.2: - Raise a helpful exception when trying to refresh credentials without a refresh token. (#262) - Fix links to README and CONTRIBUTING in docs/index.rst. (#260) - Fix a typo in credentials.py. (#256) - Use pytest instead of py.test per upstream recommendation, #dropthedot. (#255) - Fix typo on exemple of jwt usage (#245) New upstream release 1.4.1 (bsc#1088358) - Added a check for the cryptography version before attempting to use it. + From version 1.4.0 - Added `cryptography`-based RSA signer and verifier. - Added `google.oauth2.service_account.IDTokenCredentials`. - Improved documentation around ID Tokens + From version 1.3.0 - Added ``google.oauth2.credentials.Credentials.from_authorized_user_file``. - Dropped direct pyasn1 dependency in favor of letting ``pyasn1-modules`` specify the right version. - ``default()`` now checks for the project ID environment var before warning about missing project ID. - Fixed the docstrings for ``has_scopes()`` and ``with_scopes()``. - Fixed example in docstring for ``ReadOnlyScoped``. - Made ``transport.requests`` use timeouts and retries to improve reliability. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1175-1 Released: Tue May 5 08:33:43 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1165011,1168076 This update for systemd fixes the following issues: - Fix check for address to keep interface names stable. (bsc#1168076) - Fix for checking non-normalized WHAT for network FS. (bsc#1165011) - Allow to specify an arbitrary string for when vfs is used. 
(bsc#1165011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1214-1
Released: Thu May 7 11:20:34 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1169944

This update for libgcrypt fixes the following issues:

- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released: Thu May 7 17:10:42 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1170771,CVE-2020-12243

This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1226-1
Released: Fri May 8 10:51:05 2020
Summary: Recommended update for gcc9
Type: recommended
Severity: moderate
References: 1149995,1152590,1167898

This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1294-1
Released: Mon May 18 07:38:36 2020
Summary: Security update for file
Type: security
Severity: moderate
References: 1154661,1169512,CVE-2019-18218

This update for file fixes the following issues:

Security issues fixed:

- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

Non-security issue fixed:

- Fixed broken '--help' output (bsc#1169512).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1299-1
Released: Mon May 18 07:43:21 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595

This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1303-1
Released: Mon May 18 09:40:36 2020
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1169582

This update for timezone fixes the following issues:

- timezone update 2020a. (bsc#1169582)
  * Morocco springs forward on 2020-05-31, not 2020-05-24.
  * Canada's Yukon advanced to -07 year-round on 2020-03-08.
  * America/Nuuk renamed from America/Godthab.
  * zic now supports expiration dates for leap second lists.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1308-1
Released: Mon May 18 10:05:46 2020
Summary: Recommended update for psmisc
Type: recommended
Severity: moderate
References: 1170247

This update for psmisc fixes the following issues:

- Allow not unique mounts as well as not unique mountpoint.
(bsc#1170247) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1328-1 Released: Mon May 18 17:16:04 2020 Summary: Recommended update for grep Type: recommended Severity: moderate References: 1155271 This update for grep fixes the following issues: - Update testsuite expectations, no functional changes (bsc#1155271) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1342-1 Released: Tue May 19 13:27:31 2020 Summary: Recommended update for python3 Type: recommended Severity: moderate References: 1149955,1165894,CVE-2019-16056 This update for python3 fixes the following issues: - Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1361-1 Released: Thu May 21 09:31:18 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1171872 This update for libgcrypt fixes the following issues: - FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1370-1 Released: Thu May 21 19:06:00 2020 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: moderate References: 1171656 This update for systemd-presets-branding-SLE fixes the following issues: Cleanup of outdated autostart services (bsc#1171656): - Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE. - Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this. 
- Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE which is not foreseeable. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1396-1 Released: Mon May 25 12:04:39 2020 Summary: Security update for zstd Type: security Severity: moderate References: 1082318,1133297 This update for zstd fixes the following issues: - Fix for build error caused by wrong static libraries. (bsc#1133297) - Correction in spec file marking the license as documentation. (bsc#1082318) - Add new package for SLE-15. (jsc#ECO-1886) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1400-1 Released: Mon May 25 14:09:02 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1162930 This update for glibc fixes the following issues: - nptl: wait for pending setxid request also in detached thread. (bsc#1162930) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1404-1 Released: Mon May 25 15:32:34 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1138793,1166260 This update for zlib fixes the following issues: - Including the latest fixes from IBM (bsc#1166260) IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1. - Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime. 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1409-1
Released: Mon May 25 17:01:33 2020
Summary: Security update for libxslt
Type: security
Severity: moderate
References: 1140095,1140101,1154609,CVE-2019-13117,CVE-2019-13118,CVE-2019-18197

This update for libxslt fixes the following issues:

Security issues fixed:

- CVE-2019-13118: Fixed a read of uninitialized stack data (bsc#1140101).
- CVE-2019-13117: Fixed an uninitialized read that made it possible to discern whether a byte on the stack contains certain special characters (bsc#1140095).
- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1492-1
Released: Wed May 27 18:32:41 2020
Summary: Recommended update for python-rpm-macros
Type: recommended
Severity: moderate
References: 1171561

This update for python-rpm-macros fixes the following issue:

- Update to version 20200207.5feb6c1 (bsc#1171561)
  * Do not write .pyc files for tests

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1496-1
Released: Wed May 27 20:30:31 2020
Summary: Recommended update for python-requests
Type: recommended
Severity: low
References: 1170175

This update for python-requests fixes the following issues:

- Fix for warnings 'test fails to build' for python http. (bsc#1170175)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1506-1
Released: Fri May 29 17:22:11 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1087982,1170527

This update for aaa_base fixes the following issues:

- Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander.
(bsc#1170527)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1532-1
Released: Thu Jun 4 10:16:12 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1172021,CVE-2019-19956

This update for libxml2 fixes the following issues:

- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1542-1
Released: Thu Jun 4 13:24:37 2020
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1172055

This update for timezone fixes the following issue:

- zdump --version reported 'unknown' (bsc#1172055)

From sle-updates at lists.suse.com Wed Jun 17 11:31:27 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Wed, 17 Jun 2020 19:31:27 +0200 (CEST)
Subject: SUSE-CU-2020:219-1: Recommended update of ses/7/rook/ceph
Message-ID: <20200617173127.0C7CAFD07@maintenance.suse.de>

SUSE Container Update Advisory: ses/7/rook/ceph
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:219-1
Container Tags : ses/7/rook/ceph:1.3.4 , ses/7/rook/ceph:1.3.4.0 , ses/7/rook/ceph:1.3.4.0.1.1049 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus
Container Release : 1.1049
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container ses/7/rook/ceph was updated.
The following patches have been included in this update: From sle-updates at lists.suse.com Wed Jun 17 11:31:43 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 19:31:43 +0200 (CEST) Subject: SUSE-CU-2020:220-1: Recommended update of ses/7/rook/ceph Message-ID: <20200617173143.136F8FD07@maintenance.suse.de> SUSE Container Update Advisory: ses/7/rook/ceph ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:220-1 Container Tags : ses/7/rook/ceph:1.3.4 , ses/7/rook/ceph:1.3.4.0 , ses/7/rook/ceph:1.3.4.0.1.1050 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus Container Release : 1.1050 Severity : low Type : recommended References : ----------------------------------------------------------------- The container ses/7/rook/ceph was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Wed Jun 17 11:32:00 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 19:32:00 +0200 (CEST) Subject: SUSE-CU-2020:221-1: Security update of ses/7/rook/ceph Message-ID: <20200617173200.7A082FD07@maintenance.suse.de> SUSE Container Update Advisory: ses/7/rook/ceph ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:221-1 Container Tags : ses/7/rook/ceph:1.3.4 , ses/7/rook/ceph:1.3.4.0 , ses/7/rook/ceph:1.3.4.0.1.1049 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus Container Release : 1.1049 Severity : important Type : security References : 1002895 1005023 1007715 1009532 1013125 1014478 1027282 1029377 1029902 1033084 1033085 1033086 1033087 1033088 1033089 1033090 1036463 1038194 1039099 1040164 1042670 1044840 1045723 1051143 1054413 1063675 1065270 1070853 1071321 1072183 1073299 1073313 1073421 1076519 1076696 1079761 1080919 1081750 1081947 1081947 1082293 1082318 1082318 1082318 1082318 1083158 1083507 1084671 1084812 1084842 
-----------------------------------------------------------------
The container ses/7/rook/ceph was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1223-1
Released: Tue Jun 26 11:41:00 2018
Summary: Security update for gpg2
Type: security
Severity: important
References: 1096745,CVE-2018-12020

This update for gpg2 fixes the following security issue:

- CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1327-1
Released: Tue Jul 17 08:07:24 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1096718,CVE-2018-12015

This update for perl fixes the following issues:

- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1332-1
Released: Tue Jul 17 09:01:19 2018
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1073299,1093392

This update for timezone provides the following fixes:

- North Korea switches back from +0830 to +09 on 2018-05-05.
- Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299)
- yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1346-1
Released: Thu Jul 19 09:25:08 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237

This update for glibc fixes the following security issues:

- CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150).
- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161).
- CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1353-1
Released: Thu Jul 19 09:50:32 2018
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572

This update for e2fsprogs fixes the following issues:

Security issues fixed:

- CVE-2015-0247: Fixed a couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
- CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).

Bug fixes:

- bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
- bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
- bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1362-1
Released: Thu Jul 19 12:47:33 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1100415

ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store.
(bsc#1100415)

Following CAs were removed:

* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1409-1
Released: Fri Jul 27 06:45:10 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569

This update for systemd provides the following fixes:

- systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973)
- systemctl: Check the existence of all units, not just the first one.
- scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099)
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files.
- Fix pattern to detect distribution.
- install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search for preset files in /run (#7715)
- install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851)
- install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement.
- install: Only consider names in Alias= as 'enabling'.
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- fileio: Support writing atomic files with timestamp.
- fileio.c: Fix incorrect mtime
- Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern.
  (bsc#1098569)
- An update broke booting with encrypted partitions on NVMe (bsc#1095096)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1754-1
Released: Fri Aug 24 16:40:21 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1104780

This update for ca-certificates-mozilla fixes the following issues:

Updated to the 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780)

- removed server auth rights from following CAs:
  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3
- removed CA
  - ComSign CA
- new CA added:
  - GlobalSign
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1760-1
Released: Fri Aug 24 17:14:53 2018
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1072183

This update for libtirpc fixes the following issues:

- rpcinfo: send RPC getport call as specified via parameter (bsc#1072183)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1775-1
Released: Tue Aug 28 12:40:50 2018
Summary: Recommended update for xfsprogs
Type: recommended
Severity: important
References: 1089777,1105396

This update for xfsprogs fixes the following issues:

- avoid divide-by-zero when hardware reports optimal i/o size as 0 (bsc#1089777)
- repair: shift inode back into place if corrupted by bad log replay (bsc#1105396).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1887-1
Released: Wed Sep 12 12:34:28 2018
Summary: Recommended update for python-websocket-client
Type: recommended
Severity: moderate
References: 1076519

This update for python-websocket-client fixes the following issues:

- Use the system's CA bundle file by default.
  (bsc#1076519)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1999-1
Released: Tue Sep 25 08:20:35 2018
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1071321

This update for zlib provides the following fixes:

- Speedup zlib on power8. (fate#325307)
- Add safeguard against negative values in uInt. (bsc#1071321)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2055-1
Released: Thu Sep 27 14:30:14 2018
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1089640

This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2138-1
Released: Thu Oct 4 15:52:15 2018
Summary: Recommended update for sudo
Type: recommended
Severity: low
References: 1097643

This update for sudo fixes the following issues:

- fix permissions for /var/lib/sudo and /var/lib/sudo/ts (bsc#1097643)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2155-1
Released: Fri Oct 5 14:41:17 2018
Summary: Recommended update for ca-certificates
Type: recommended
Severity: moderate
References: 1101470

This update for ca-certificates fixes the following issues:

- Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2170-1
Released: Mon Oct 8 10:31:14 2018
Summary: Recommended update for python3
Type: recommended
Severity: moderate
References: 1107030

This update for python3 fixes the following issues:

- Add -fwrapv to OPTS, which is default for python3 for bugs which are caused by avoiding it.
  (bsc#1107030)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2177-1
Released: Tue Oct 9 09:00:13 2018
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1095661,1095670,1100488

This update for bash provides the following fixes:

- Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661)
- Make the generation of bash.html reproducible. (bsc#1100488)
- Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670)
- Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes.
- Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler.
- Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence.
- Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2182-1
Released: Tue Oct 9 11:08:36 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251

This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2340-1
Released: Fri Oct 19 16:05:53 2018
Summary: Security update for fuse
Type: security
Severity: moderate
References: 1101797,CVE-2018-10906

This update for fuse fixes the following issues:

- CVE-2018-10906: fusermount was vulnerable to a restriction bypass when SELinux is active. This allowed non-root users to mount a FUSE file system with the 'allow_other' mount option regardless of whether 'user_allow_other' is set in the fuse configuration.
  An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects (bsc#1101797)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2346-1
Released: Mon Oct 22 09:40:46 2018
Summary: Recommended update for logrotate
Type: recommended
Severity: moderate
References: 1093617

This update for logrotate provides the following fix:

- Ensure the HOME environment variable is set to /root when logrotate is started via systemd. This allows mariadb to rotate its logs when the database has a root password defined. (bsc#1093617)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2370-1
Released: Mon Oct 22 14:02:01 2018
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1102310,1104531

This update for aaa_base provides the following fixes:

- Let bash.bashrc work even for (m)ksh. (bsc#1104531)
- Fix an error at login if java system directory is empty. (bsc#1102310)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2442-1
Released: Wed Oct 24 16:39:09 2018
Summary: Recommended update for python-msrestazure and its dependencies
Type: recommended
Severity: moderate
References: 1109694

This update for python-adal, python-isodate, python-msrest, python-msrestazure fixes the following issues:

python-msrestazure:

- Update to version 0.5.0
  + Features
    * Implementation is now using ADAL and not request-oauthlib. This allows more AD scenarios (like federated).
    * Add additionalInfo parsing for CloudError.
    * Implement new LRO options of Autorest.
    * Improve MSI for VM token polling algorithm.
    * MSIAuthentication now uses IMDS endpoint if available.
    * MSIAuthentication can be used in any environment that defines MSI_ENDPOINT env variable.
    * CloudError now includes the 'innererror' attribute to match OData v4.
    * Introduces ARMPolling implementation of Azure Resource Management LRO.
    * Add support for WebApp/Functions in MSIAuthentication classes.
    * Add parse_resource_id(), resource_id(), validate_resource_id() to parse ARM ids.
    * Retry strategy now can reach 24 seconds (instead of 12 seconds).
    * Add Managed Service Integrated (MSI) authentication.
    * Add 'timeout' to ServicePrincipalCredentials and UserPasswordCredentials.
    * Threads created by AzureOperationPoller have now a name prefixed by 'AzureOperationPoller' to help identify them.
    * Improve MSIAuthentication to support User Assigned Identity.
  + Bugfixes
    * MSIAuthentication regression for KeyVault since IMDS support.
    * MSIAuthentication should initialize the token attribute on creation.
    * Fixes refreshToken in UserPassCredentials and AADTokenCredentials.
    * Fix US government cloud definition.
    * Reduce max MSI polling time for VM.
    * IMDS/MSI: Retry on more error codes.
    * IMDS/MSI: Fix a boundary case on timeout.
    * Fix parse_resource_id() tool to be case-insensitive to keywords when matching.
    * Add missing baseclass init call for AdalAuthentication.
    * Fix LRO result if POST uses AsyncOperation header.
    * Remove a possible infinite loop with MSIAuthentication.
    * Fix session obj for cloudmetadata endpoint.
    * Fix authentication resource node for AzureStack.
    * Better detection of AppService with MSIAuthentication.
    * get_cloud_from_metadata_endpoint incorrect on AzureStack.
    * get_cloud_from_metadata_endpoint certificate issue.
    * Fix AttributeError if error JSON from ARM does not follow ODatav4 (as it should).
    * Fix AttributeError if input JSON is not a dict.
    * Fix AdalError handling in some scenarios.
    * Update Azure Gov login endpoint.
    * Update metadata ARM endpoint parser.
  + Incompatible changes
    * Remove unused auth_uri, state, client and token_uri attributes in ServicePrincipalCredentials, UserPassCredentials and AADTokenCredentials.
    * Remove token caching based on 'keyring'. Token caching should be implemented using ADAL now.
    * Remove InteractiveCredentials. This class was deprecated and unusable. Use ADAL device code instead.

python-msrest

- Update to version 0.5.0
  + Require python-enum32 and python-typing.
  + Features
    * Support additionalProperties and XML.
    * Deserialize/from_dict now accepts a content-type parameter to parse XML strings.
    * Add XML support
    * Add many type hints, and MyPY testing on CI.
    * HTTP calls are made through a HTTPDriver API. Only implementation is `requests` for now. This driver API is *not* considered stable and you should pin your msrest version if you want to provide a personal implementation.
    * msrest is now able to keep the 'requests.Session' alive for performance.
    * All Authentication classes now define `signed_session` and `refresh_session` with an optional `session` parameter.
    * Disable HTTP log by default (security), add `enable_http_log` to restore it.
    * Add TopicCredentials for EventGrid client.
    * Add LROPoller class. This is a customizable LRO engine.
    * Model now accept kwargs in constructor for future kwargs models.
    * Add support for additional_properties.
    * The interpretation of Swagger 2.0 'discriminator' is now lenient.
    * Add ApiKeyCredentials class. This can be used to support OpenAPI ApiKey feature.
    * Add CognitiveServicesAuthentication class. Pre-declared ApiKeyCredentials class for Cognitive Services.
    * Add Configuration.session_configuration_callback to customize the requests.Session if necessary.
    * Add a flag to Serializer to disable client-side-validation.
    * Remove 'import requests' from 'exceptions.py' for apps that require fast loading time.
    * Input is now more lenient.
    * Model have a 'validate' method to check content constraints.
    * Model have now new methods for serialize, as_dict, deserialize and from_dict.
  + Bugfixes
    * Fix a serialization issue if additional_properties is declared, and 'automatic model' syntax is used ('automatic model' being the ability to pass a dict to command and have the model auto-created).
    * Better parse empty node and not string types.
    * Improve 'object' XML parsing.
    * Fix some XML serialization subtle scenarios.
    * Fix some complex XML Swagger definitions.
    * Lower Accept header overwrite logging message.
    * Fix 'object' type and XML format.
    * Incorrect milliseconds serialization for some datetime object.
    * Improve `SDKClient.__exit__` to take exc_details as optional parameters and not required.
    * Refresh_session should also use the permanent HTTP session if available.
    * Fix incorrect date parsing if ms precision is over 6 digits.
    * Fix minimal dependency of isodate.
    * Fix serialisation from dict if datetime provided.
    * Date parsing is now compliant with Autorest / Swagger 2.0 specification (less lenient).
    * Accept to deserialize enum of different type if content string match.
    * Stop failing on deserialization if enum string is unknown. Return the string instead.
    * Do not validate additional_properties.
    * Improve validation error if expected type is dict, but actual type is not.
    * Fix additional_properties if Swagger was flatten.
    * Optional formdata parameters were raising an exception.
    * 'application/x-www-form-urlencoded' form was sent using 'multipart/form-data'.
    * Fix regression: accept 'set' as a valid '[str]'
    * Always log response body.
    * Improved exception message if error JSON is Odata v4.
    * Refuse 'str' as a valid '[str]' type.
    * Better exception handling if input from server is not JSON valid.
    * Fix regression introduced in msrest 0.4.12 - dict syntax with enum modeled as string and enum used.
    * Fix regression introduced in msrest 0.4.12 - dict syntax using isodate.Duration.
    * Better Enum checking.
  + Internal optimisation
    * Call that does not return a streamable object are now executed in requests stream mode False (was True whatever the type of the call). This should reduce the number of leaked opened session and allow urllib3 to manage connection pooling more efficiently. Only clients generated with Autorest.Python >= 2.1.31 (not impacted otherwise, fully backward compatible)
  + Deprecation
    * Trigger DeprecationWarning for _client.add_header and _client.send_formdata.

python-adal

- Update to version 1.0.2

python-isodate

- Update to version 0.6.0
  + Support incomplete month date.
  + Rely on duck typing when doing duration maths.
  + Support ':' as separator in fractional time zones.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2454-1
Released: Thu Oct 25 11:19:46 2018
Summary: Recommended update for python-pyOpenSSL
Type: recommended
Severity: moderate
References: 1110435

This update for python-pyOpenSSL fixes the following issues:

- Handle duplicate certificate addition using X509_STORE_add_cert so it works after upgrading to openssl 1.1.1. (bsc#1110435)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2463-1
Released: Thu Oct 25 14:48:34 2018
Summary: Recommended update for timezone, timezone-java
Type: recommended
Severity: moderate
References: 1104700,1112310

This update for timezone, timezone-java fixes the following issues:

The timezone database was updated to 2018f:

- Volgograd moves from +03 to +04 on 2018-10-28.
- Fiji ends DST 2019-01-13, not 2019-01-20.
- Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
- Corrections to past timestamps of DST transitions
- Use 'PST' and 'PDT' for Philippine time
- minor code changes to zic handling of the TZif format
- documentation updates

Other bugfixes:

- Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2485-1
Released: Fri Oct 26 12:38:01 2018
Summary: Recommended update for kmod
Type: recommended
Severity: moderate
References: 1112928

This update for kmod provides the following fixes:

- Allow 'modprobe -c' to print the status of the 'allow_unsupported_modules' option. (bsc#1112928)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2486-1
Released: Fri Oct 26 12:38:27 2018
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1105068

This update for xfsprogs fixes the following issues:

- Explicitly disable systemd unit files for scrub (bsc#1105068).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2487-1
Released: Fri Oct 26 12:39:07 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1102526

This update for glibc fixes the following issues:

- Fix build on aarch64 with binutils newer than 2.30.
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2550-1
Released: Wed Oct 31 16:16:56 2018
Summary: Recommended update for timezone, timezone-java
Type: recommended
Severity: moderate
References: 1113554

This update provides the latest time zone definitions (2018g), including the following change:

- Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2569-1
Released: Fri Nov 2 19:00:18 2018
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1110700

This update for pam fixes the following issues:

- Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2595-1
Released: Wed Nov 7 11:14:42 2018
Summary: Security update for systemd
Type: security
Severity: important
References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688

This update for systemd fixes the following issues:

Security issues fixed:

- CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632)
- CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation.
  (bsc#1113665)

Non security issues fixed:

- dhcp6: split assert_return() to be more debuggable when hit
- core: skip unit deserialization and move to the next one when unit_deserialize() fails
- core: properly handle deserialization of unknown unit types (#6476)
- core: don't create Requires for workdir if 'missing ok' (bsc#1113083)
- logind: use manager_get_user_by_pid() where appropriate
- logind: rework manager_get_{user|session}_by_pid() a bit
- login: fix user@.service case, so we don't allow nested sessions (#8051) (bsc#1112024)
- core: be more defensive if we can't determine per-connection socket peer (#7329)
- core: introduce systemd.early_core_pattern= kernel cmdline option
- core: add missing 'continue' statement
- core/mount: fstype may be NULL
- journald: don't ship systemd-journald-audit.socket (bsc#1109252)
- core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445)
- mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076)
- detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197)
- emergency: make sure console password agents don't interfere with the emergency shell
- man: document that 'nofail' also has an effect on ordering
- journald: take leading spaces into account in syslog_parse_identifier
- journal: do not remove multiple spaces after identifier in syslog message
- syslog: fix segfault in syslog_parse_priority()
- journal: fix syslog_parse_identifier()
- install: drop left-over debug message (#6913)
- Ship systemd-sysv-install helper via the main package
  This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SysV init tool.
- Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used.
  (bsc#1089761)
- man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040)
- systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908)
- core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944)
- Enable or disable machines.target according to the presets (bsc#1107941)
- cryptsetup: add support for sector-size= option (fate#325697)
- nspawn: always use permission mode 555 for /sys (bsc#1107640)
- Bugfix for a race condition between daemon-reload and other commands (bsc#1105031)
- Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677)
- Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901)
- Does no longer adjust qgroups on existing subvolumes (bsc#1093753)
- cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2607-1
Released: Wed Nov 7 15:42:48 2018
Summary: Optional update for gcc8
Type: recommended
Severity: low
References: 1084812,1084842,1087550,1094222,1102564

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.

The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.

Various optimizers have been improved in GCC 8, several bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2641-1 Released: Mon Nov 12 20:39:30 2018 Summary: Recommended update for nfsidmap Type: recommended Severity: moderate References: 1098217 This update for nfsidmap fixes the following issues: - Improve support for SAMBA with Active Directory. (bsc#1098217) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2742-1 Released: Thu Nov 22 13:28:36 2018 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 969953 This update for rpcbind fixes the following issues: - Fix tool stack buffer overflow aborting (bsc#969953) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2825-1 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Type: security Severity: important References: 1115640,CVE-2018-17953 This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2861-1 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Type: security Severity: important References: 1103320,1115929,CVE-2018-19211 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2961-1 Released: Mon Dec 17 19:51:40 2018 Summary: Recommended update for psmisc Type: recommended Severity: moderate References: 1098697,1112780 This update for psmisc provides the following fix: - Make the fuser option -m work even with mountinfo. (bsc#1098697) - Support also btrFS entries in mountinfo, that is use stat(2) to determine the device of the mounted subvolume (bsc#1098697, bsc#1112780) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2984-1 Released: Wed Dec 19 11:32:39 2018 Summary: Security update for perl Type: security Severity: moderate References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314 This update for perl fixes the following issues: Security issues fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). - CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675). - CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681). - CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2986-1 Released: Wed Dec 19 13:53:22 2018 Summary: Security update for libnettle Type: security Severity: moderate References: 1118086,CVE-2018-16869 This update for libnettle fixes the following issues: Security issues fixed: - CVE-2018-16869: Fixed a leaky data conversion exposing a Manger oracle (bsc#1118086) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:23-1 Released: Mon Jan 7 16:30:33 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1120346,CVE-2018-1000858 This update for gpg2 fixes the following issue: Security issue fixed: - CVE-2018-1000858: Fixed a Cross Site Request Forgery (CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:44-1 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. (bsc#953659) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:62-1 Released: Thu Jan 10 20:30:58 2019 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1119063 This update for xfsprogs fixes the following issues: - Fix root inode's parent when it's bogus for sf directory (xfs repair). (bsc#1119063) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:102-1 Released: Tue Jan 15 18:02:58 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1120402 This update for timezone fixes the following issues: - Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. 
(bsc#1120402) - Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:137-1 Released: Mon Jan 21 15:52:45 2019 Summary: Security update for systemd Type: security Severity: important References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954 This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498) - systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933) - systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723) - Fixed installation issue with /etc/machine-id during update (bsc#1117063) - btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - udev: Downgrade message when setting inotify watch up fails. (bsc#1005023) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. 
The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online. (bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:147-1 Released: Wed Jan 23 17:57:31 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1121446 This update for ca-certificates-mozilla fixes the following issues: The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446) Removed Root CAs: - AC Raiz Certicamara S.A. - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Visa eCommerce Root Added Root CAs: - Certigna Root CA (email and server auth) - GTS Root R1 (server auth) - GTS Root R2 (server auth) - GTS Root R3 (server auth) - GTS Root R4 (server auth) - OISTE WISeKey Global Root GC CA (email and server auth) - UCA Extended Validation Root (server auth) - UCA Global G2 Root (email and server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:170-1 Released: Fri Jan 25 13:43:29 2019 Summary: Recommended update for kmod Type: recommended Severity: moderate References: 1118629 This update for kmod fixes the following issues: - Fixes module dependency file corruption on parallel invocation (bsc#1118629). - Allows 'modprobe -c' to print the status of 'allow_unsupported_modules' option. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:215-1 Released: Thu Jan 31 15:59:57 2019 Summary: Security update for python3 Type: security Severity: important References: 1120644,1122191,CVE-2018-20406,CVE-2019-5010 This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-5010: Fixed a denial-of-service vulnerability in the X509 certificate parser (bsc#1122191) - CVE-2018-20406: Fixed an integer overflow via a large LONG_BINPUT (bsc#1120644) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:247-1 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Type: security Severity: moderate References: 1123043,CVE-2019-6706 This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:369-1 Released: Wed Feb 13 14:01:42 2019 Summary: Recommended update for itstool Type: recommended Severity: moderate References: 1065270,1111019 This update for itstool and python-libxml2-python fixes the following issues: Package: itstool - Updated version to support Python3. (bnc#1111019) Package: python-libxml2-python - Fix segfault when parsing invalid data. 
(bsc#1065270) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:426-1 Released: Mon Feb 18 17:46:55 2019 Summary: Security update for systemd Type: security Severity: important References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 This update for systemd fixes the following issues: - CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - logind: fix bad error propagation - login: log session state 'closing' (as well as New/Removed) - logind: fix borked r check - login: don't remove all devices from PID1 when only one was removed - login: we only allow opening character devices - login: correct comment in session_device_free() - login: remember that fds received from PID1 need to be removed eventually - login: fix FDNAME in call to sd_pid_notify_with_fds() - logind: fd 0 is a valid fd - logind: rework sd_eviocrevoke() - logind: check file is device node before using .st_rdev - logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153) - core: add a new sd_notify() message for removing fds from the FD store again - logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) - fd-util: accept that kcmp might fail with EPERM/EACCES - core: Fix use after free case in load_from_path() (bsc#1121563) - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - core: free lines after reading them (bsc#1123892) - sd-bus: if we receive an invalid dbus message, ignore and proceed - automount: don't pass non-blocking pipe to kernel. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:571-1 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:641-1 Released: Tue Mar 19 13:17:28 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1112570,1114984,1114993 This update for glibc provides the following fixes: - Fix Haswell CPU string flags. (bsc#1114984) - Fix waiters-after-spinning case. (bsc#1114993) - Do not relocate absolute symbols. (bsc#1112570) - Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551) - Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962) - Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:700-1 Released: Thu Mar 21 19:54:00 2019 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1044840 This update for cyrus-sasl provides the following fix: - Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'. 
By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:713-1 Released: Fri Mar 22 15:55:05 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1063675,1126590 This update for glibc fixes the following issues: - Add MAP_SYNC from Linux 4.15 (bsc#1126590) - Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590) - nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:732-1 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1088524,1118364,1128246 This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:788-1 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1119687,CVE-2018-20346 This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). 
Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:790-1 Released: Thu Mar 28 12:06:17 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1130557 This update for timezone fixes the following issues: timezone was updated 2019a: * Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23 * Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00 * Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25) * zic now has an -r option to limit the time range of output data ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:791-1 Released: Thu Mar 28 12:06:50 2019 Summary: Security update for libnettle Type: recommended Severity: moderate References: 1129598 This update for libnettle to version 3.4.1 fixes the following issues: Issues addressed and new features: - Updated to 3.4.1 (fate#327114 and bsc#1129598) - Fixed a missing break statements in the parsing of PEM input files in pkcs1-conv. - Fixed a link error on the pss-mgf1-test which was affecting builds without public key support. - All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. - Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended. 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:858-1 Released: Wed Apr 3 15:50:37 2019 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1120689,1126096 This update for libtirpc fixes the following issues: - Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096). - add an option to enforce connection via protocol version 2 first (bsc#1120689). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:903-1 Released: Mon Apr 8 15:41:44 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1100396,1122729,1130045,CVE-2016-10739 This update for glibc fixes the following issues: Security issue fixed: - CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729). Other issue fixed: - Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintained the robust mutex list due to missing compiler barriers (bsc#1130045). - Added new Japanese Era name support (bsc#1100396). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:966-1 Released: Wed Apr 17 12:20:13 2019 Summary: Recommended update for python-rpm-macros Type: recommended Severity: moderate References: 1128323 This update for python-rpm-macros fixes the following issues: The Python RPM macros were updated to version 20190408.32abece, fixing bugs (bsc#1128323) * Add missing $ expansion on the pytest call * Rewrite pytest and pytest_arch into Lua macros with multiple arguments. * We should preserve existing PYTHONPATH. * Add --ignore to pytest calls to ignore build directories. * Actually make pytest into function to capture arguments as well * Add pytest definitions. 
* Use upstream-recommended %{_rpmconfigdir}/macros.d directory for the rpm macros. * Fix an issue with epoch printing having too many \ * add epoch while printing 'Provides:' ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:971-1 Released: Wed Apr 17 14:43:26 2019 Summary: Security update for python3 Type: security Severity: important References: 1129346,CVE-2019-9636 This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-9636: Fixed an information disclosure because of incorrect handling of Unicode encoding during NFKC normalization (bsc#1129346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1002-1 Released: Wed Apr 24 10:13:34 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1110304,1129576 This update for zlib fixes the following issues: - Fixes a segmentation fault error (bsc#1110304, bsc#1129576) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1040-1 Released: Thu Apr 25 17:09:21 2019 Summary: Security update for samba Type: security Severity: important References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 This update for samba fixes the following issues: Security issue fixed: - CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060). ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686): - Out of bound read in ldb_wildcard_compare - Hold at most 10 outstanding paged result cookies - Put 'results_store' into a doubly linked list - Refuse to build Samba against a newer minor version of ldb Non-security issues fixed: - Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377). - Abide to the load_printers parameter in smb.conf (bsc#1124223). 
- Provide the 32bit samba winbind PAM module and its dependent 32bit libraries. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1127-1 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326). - CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1156-1 Released: Mon May 6 13:46:07 2019 Summary: Security update for python-Jinja2 Type: security Severity: important References: 1125815,1132174,1132323,CVE-2016-10745,CVE-2019-10906,CVE-2019-8341 This update for python-Jinja2 to version 2.10.1 fixes the following issues: Security issues fixed: - CVE-2019-8341: Fixed a command injection in from_string() (bsc#1125815). - CVE-2019-10906: Fixed a sandbox escape due to information disclosure via str.format (bsc#1132323). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1206-1 Released: Fri May 10 14:01:55 2019 Summary: Security update for bzip2 Type: security Severity: low References: 985657,CVE-2016-3189 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1221-1 Released: Mon May 13 13:28:42 2019 Summary: Security update for libxslt Type: security Severity: moderate References: 1132160,CVE-2019-11068 This update for libxslt fixes the following issues: Security issue fixed: - CVE-2019-11068: Fixed a protection mechanism bypass where callers of xsltCheckRead() and xsltCheckWrite() would permit access upon receiving an error (bsc#1132160). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1312-1 Released: Wed May 22 12:19:12 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1096191 This update for aaa_base fixes the following issue: * Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1352-1 Released: Fri May 24 14:41:44 2019 Summary: Security update for python3 Type: security Severity: moderate References: 1130840,1133452,CVE-2019-9947 This update for python3 to version 3.6.8 fixes the following issues: Security issue fixed: - CVE-2019-9947: Fixed an issue in urllib2 which allowed CRLF injection if the attacker controls a url parameter (bsc#1130840). Non-security issue fixed: - Fixed broken debuginfo packages by switching off LTO and PGO optimization (bsc#1133452). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1364-1 Released: Tue May 28 10:51:38 2019 Summary: Security update for systemd Type: security Severity: moderate References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933 This update for systemd fixes the following issues: Security issues fixed: - CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348). - CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352). - CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509). Non-security issues fixed: - logind: fix killing of scopes (bsc#1125604) - namespace: make MountFlags=shared work again (bsc#1124122) - rules: load drivers only on 'add' events (bsc#1126056) - sysctl: Don't pass null directive argument to '%s' (bsc#1121563) - systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933) - udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400) - sd-bus: bump message queue size again (bsc#1132721) - Do not automatically online memory on s390x (bsc#1127557) - Removed sg.conf (bsc#1036463) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1368-1 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Type: security Severity: important References: 1134524,CVE-2019-5021 This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1372-1 Released: Tue May 28 16:53:28 2019 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1105435,CVE-2018-1000654 This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1484-1 Released: Thu Jun 13 07:46:46 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1128383 This update for e2fsprogs fixes the following issues: - Check and fix tails of all bitmap blocks (bsc#1128383) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1486-1 Released: Thu Jun 13 09:40:24 2019 Summary: Security update for elfutils Type: security Severity: moderate References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 This update for elfutils fixes the following issues: Security issues fixed: - CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084) - CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085) - CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086) - CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087) - CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088) - CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089) - CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of 
sections and the number of segments in a crafted ELF file (bsc#1033090) - CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390) - CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066) - CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067) - CVE-2018-18310: Fixed an invalid address read problem in dwfl_segment_report_module.c (bsc#1111973) - CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726) - CVE-2018-18521: Fixed denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723) - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685) - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1487-1 Released: Thu Jun 13 09:40:56 2019 Summary: Security update for python-requests Type: security Severity: moderate References: 1111622,CVE-2018-18074 This update for python-requests to version 2.20.1 fixes the following issues: Security issue fixed: - CVE-2018-18074: Fixed an information disclosure vulnerability of the HTTP Authorization header (bsc#1111622). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1595-1 Released: Fri Jun 21 10:17:44 2019 Summary: Security update for dbus-1 Type: security Severity: important References: 1137832,CVE-2019-12749 This update for dbus-1 fixes the following issues: Security issue fixed: - CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1616-1 Released: Fri Jun 21 11:04:39 2019 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 1134659 This update for rpcbind fixes the following issues: - Change rpcbind locking path from /var/run/rpcbind.lock to /run/rpcbind.lock. (bsc#1134659) - Change the order of socket/service in the %postun scriptlet to avoid an error from rpcbind.socket when rpcbind is running during package update. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1627-1 Released: Fri Jun 21 11:15:11 2019 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1073421,1122271,1129859 This update for xfsprogs fixes the following issues: - xfs_repair: will now allow '/' in attribute names (bsc#1122271) - xfs_repair: will now allow zeroing of corrupt log (bsc#1073421) - enabled offline (unmounted) filesystem geometry queries (bsc#1129859) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1631-1 Released: Fri Jun 21 11:17:21 2019 Summary: Recommended update for xz Type: recommended Severity: low References: 1135709 This update for xz fixes the following issues: Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1635-1 Released: Fri Jun 21 12:45:53 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1134217 This update for krb5 provides the following fix: - Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap. 
(bsc#1134217) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1700-1 Released: Tue Jun 25 13:19:21 2019 Summary: Security update for libssh Type: recommended Severity: moderate References: 1134193 This update for libssh fixes the following issue: Issue addressed: - Added support for new AES-GCM encryption types (bsc#1134193). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1808-1 Released: Wed Jul 10 13:16:29 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1133808 This update for libgcrypt fixes the following issues: - Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1815-1 Released: Thu Jul 11 07:47:55 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1140016 This update for timezone fixes the following issues: - Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1835-1 Released: Fri Jul 12 18:06:31 2019 Summary: Security update for expat Type: security Severity: moderate References: 1139937,CVE-2018-20843 This update for expat fixes the following issues: Security issue fixed: - CVE-2018-20843: Fixed a denial of service triggered by high resource consumption in the XML parser when XML names contain a large amount of colons (bsc#1139937). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1846-1 Released: Mon Jul 15 11:36:33 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1853-1 Released: Mon Jul 15 16:03:36 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1107617,1137053 This update for systemd fixes the following issues: - conf-parse: remove 4K line length limit (bsc#1137053) - udevd: change the default value of udev.children-max (again) (bsc#1107617) - meson: stop creating enablement symlinks in /etc during installation (sequel) - Fixed build for openSUSE Leap 15+ - Make sure we don't ship any static enablement symlinks in /etc Those symlinks must only be created by the presets. There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1877-1 Released: Thu Jul 18 11:31:46 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169 This update for glibc fixes the following issues: Security issues fixed: - CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308). - CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223). 
Non-security issues fixed: - No longer compresses debug sections in crt*.o files (bsc#1123710) - Fixes a concurrency problem in ldconfig (bsc#1117993) - Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1971-1 Released: Thu Jul 25 14:58:52 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1138939,CVE-2019-12904 This update for libgcrypt fixes the following issues: Security issue fixed: - CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1994-1 Released: Fri Jul 26 16:12:05 2019 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1135123 This update for libxml2 fixes the following issues: - Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. (bsc#1135123) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2004-1 Released: Mon Jul 29 13:01:59 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: - Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2006-1 Released: Mon Jul 29 13:02:49 2019 Summary: Security update for gpg2 Type: security Severity: important References: 1124847,1141093,CVE-2019-13050 This update for gpg2 fixes the following issues: Security issue fixed: - CVE-2019-13050: Fixed denial of service attacks via big keys (bsc#1141093). 
Non-security issue fixed: - Allow coredumps in X11 desktop sessions (bsc#1124847) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2050-1 Released: Tue Aug 6 09:42:37 2019 Summary: Security update for python3 Type: security Severity: important References: 1094814,1138459,1141853,CVE-2018-20852,CVE-2019-10160 This update for python3 fixes the following issues: Security issue fixed: - CVE-2019-10160: Fixed a regression in urlparse() and urlsplit() introduced by the fix for CVE-2019-9636 (bsc#1138459). - CVE-2018-20852: Fixed an information leak where cookies could be sent to the wrong server because of incorrect domain validation (bsc#1141853). Non-security issue fixed: - Fixed an issue where the SIGINT signal was ignored or not handled (bsc#1094814). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2097-1 Released: Fri Aug 9 09:31:17 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1097073 This update for libgcrypt fixes the following issues: - Fixed a regression where systems were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2134-1 Released: Wed Aug 14 11:54:56 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1136717,1137624,1141059,SLE-5807 This update for zlib fixes the following issues: - Update the s390 patchset. (bsc#1137624) - Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059) - Use FAT LTO objects in order to provide proper static library. - Do not enable the previous patchset on s390 but just s390x. (bsc#1137624) - Add patchset for s390 improvements. 
(jsc#SLE-5807, bsc#1136717) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2188-1 Released: Wed Aug 21 10:10:29 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1140647 This update for aaa_base fixes the following issues: - Make systemd detection cgroup oblivious. (bsc#1140647) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2218-1 Released: Mon Aug 26 11:29:57 2019 Summary: Recommended update for pinentry Type: recommended Severity: moderate References: 1141883 This update for pinentry fixes the following issues: - Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2241-1 Released: Wed Aug 28 14:58:49 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1144169 This update for ca-certificates-mozilla fixes the following issues: ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169) Removed CAs: - Certinomis - Root CA Includes new root CAs from the 2.32 version: - emSign ECC Root CA - C3 (email and server auth) - emSign ECC Root CA - G3 (email and server auth) - emSign Root CA - C1 (email and server auth) - emSign Root CA - G1 (email and server auth) - Hongkong Post Root CA 3 (server auth) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2306-1 Released: Thu Sep 5 14:39:23 2019 Summary: Recommended update for parted Type: recommended Severity: moderate References: 1082318,1136245 This update for parted fixes the following issues: - Included several minor bug fixes - for more details please refer to this rpm's changelog (bsc#1136245) - Installs the license file in the correct directory (bsc#1082318) ----------------------------------------------------------------- Advisory ID: 
SUSE-SU-2019:2307-1 Released: Thu Sep 5 14:45:08 2019 Summary: Security update for util-linux and shadow Type: security Severity: moderate References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876 This update for util-linux and shadow fixes the following issues: util-linux: - Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197) - Prevent outdated pam files (bsc#1082293). - De-duplicate fstrim -A properly (bsc#1127701). - Do not trim read-only volumes (bsc#1106214). - Integrate pam_keyinit pam module to login (bsc#1081947). - Perform one-time reset of /etc/default/su (bsc#1121197). - Fix problems in reading of login.defs values (bsc#1121197) - libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417). - raw.service: Add RemainAfterExit=yes (bsc#1135534). - agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886) - libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832) - Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197). shadow: - Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197) - Fix segfault in useradd during setting password inactivity period. (bsc#1141113) - Hardening for su wrappers (bsc#353876) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2332-1 Released: Mon Sep 9 10:17:16 2019 Summary: Security update for python-urllib3 Type: security Severity: moderate References: 1129071,1132663,1132900,CVE-2019-11236,CVE-2019-11324,CVE-2019-9740 This update for python-urllib3 fixes the following issues: Security issues fixed: - CVE-2019-9740: Fixed CRLF injection issue (bsc#1129071). - CVE-2019-11324: Fixed invalid CA certificate verification (bsc#1132900). - CVE-2019-11236: Fixed CRLF injection via request parameter (bsc#1132663). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2361-1 Released: Thu Sep 12 07:54:54 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1081947,1144047 This update for krb5 contains the following fixes: - Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2365-1 Released: Thu Sep 12 11:23:31 2019 Summary: Security update for python-Werkzeug Type: security Severity: moderate References: 1145383,CVE-2019-14806 This update for python-Werkzeug fixes the following issues: Security issue fixed: - CVE-2019-14806: Fixed the development server in Docker, the debugger security pin is now unique per container (bsc#1145383). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2395-1 Released: Wed Sep 18 08:31:38 2019 Summary: Security update for openldap2 Type: security Severity: moderate References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565 This update for openldap2 fixes the following issues: Security issue fixed: - CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194). - CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273). - CVE-2017-17740: When both the nops module and the member of overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313) Non-security issues fixed: - Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845). - Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388) - Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2422-1 Released: Fri Sep 20 16:36:43 2019 Summary: Recommended update for python-urllib3 Type: recommended Severity: moderate References: 1150895 This update for python-urllib3 fixes the following issues: - Add missing dependency on python-six (bsc#1150895) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2423-1 Released: Fri Sep 20 16:41:45 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1146866,SLE-9132 This update for aaa_base fixes the following issues: Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132) Following settings have been tightened (and set to 0): - net.ipv4.conf.all.accept_redirects - net.ipv4.conf.default.accept_redirects - net.ipv4.conf.default.accept_source_route - net.ipv6.conf.all.accept_redirects - net.ipv6.conf.default.accept_redirects ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2429-1 Released: Mon Sep 23 09:28:40 2019 Summary: Security update for expat Type: security Severity: moderate References: 1149429,CVE-2019-15903 This update for expat fixes the following issues: Security issues fixed: - CVE-2019-15903: Fixed heap-based buffer over-read caused by crafted XML input. (bsc#1149429) ----------------------------------------------------------------- Advisory ID: SUSE-OU-2019:2483-1 Released: Fri Sep 27 14:16:23 2019 Summary: Optional update for python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate. Type: optional Severity: low References: 1088358 This update ships python3-google-api-python-client, python3-httplib2, python3-oauth2client, and python3-uritemplate for the SUSE Linux Enterprise Public Cloud 15 module. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2517-1 Released: Wed Oct 2 10:49:20 2019 Summary: Security update for libseccomp Type: security Severity: moderate References: 1082318,1128828,1142614,CVE-2019-9893 This update for libseccomp fixes the following issues: Security issues fixed: - CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed (bsc#1128828) libseccomp was updated to new upstream release 2.4.1: - Fix a BPF generation bug where the optimizer mistakenly identified duplicate BPF code blocks. libseccomp was updated to 2.4.0 (bsc#1128828 CVE-2019-9893): - Update the syscall table for Linux v5.0-rc5 - Added support for the SCMP_ACT_KILL_PROCESS action - Added support for the SCMP_ACT_LOG action and SCMP_FLTATR_CTL_LOG attribute - Added explicit 32-bit (SCMP_AX_32(...)) and 64-bit (SCMP_AX_64(...)) argument comparison macros to help protect against unexpected sign extension - Added support for the parisc and parisc64 architectures - Added the ability to query and set the libseccomp API level via seccomp_api_get(3) and seccomp_api_set(3) - Return -EDOM on an endian mismatch when adding an architecture to a filter - Renumber the pseudo syscall number for subpage_prot() so it no longer conflicts with spu_run() - Fix PFC generation when a syscall is prioritized, but no rule exists - Numerous fixes to the seccomp-bpf filter generation code - Switch our internal hashing function to jhash/Lookup3 to MurmurHash3 - Numerous tests added to the included test suite, coverage now at ~92% - Update our Travis CI configuration to use Ubuntu 16.04 - Numerous documentation fixes and updates libseccomp was updated to release 2.3.3: - Updated the syscall table for Linux v4.15-rc7 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2533-1 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 
1150137,CVE-2019-16168 This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2647-1 Released: Fri Oct 11 17:12:06 2019 Summary: Recommended update for python-pyOpenSSL Type: recommended Severity: moderate References: 1149792 This update for python-pyOpenSSL fixes the following issues: - Adds compatibility for openSSL 1.1.1d (bsc#1149792) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2656-1 Released: Mon Oct 14 17:02:24 2019 Summary: Security update for sudo Type: security Severity: important References: 1153674,CVE-2019-14287 This update for sudo fixes the following issue: - CVE-2019-14287: Fixed an issue where a user with sudo privileges that allowed them to run commands with an arbitrary uid, could run commands as root, despite being forbidden to do so in sudoers (bsc#1153674). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2676-1 Released: Tue Oct 15 21:06:54 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1145716,1152101,CVE-2019-5094 This update for e2fsprogs fixes the following issues: Security issue fixed: - CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101) Non-security issue fixed: - libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2693-1 Released: Wed Oct 16 16:43:30 2019 Summary: Recommended update for rpcbind Type: recommended Severity: moderate References: 1142343 This update for rpcbind fixes the following issues: - Return correct IP address with multiple ip addresses in the same subnet. 
(bsc#1142343) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2730-1 Released: Mon Oct 21 16:04:57 2019 Summary: Security update for procps Type: security Severity: important References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126 This update for procps fixes the following issues: procps was updated to 3.3.15. (bsc#1092100) Following security issues were fixed: - CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100). - CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100). - CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100). - CVE-2018-1125: Prevent stack buffer overflow in pgrep. This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100). - CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100). Also this non-security issue was fixed: - Fix CPU summary showing old data. 
(bsc#1121753) The update to 3.3.15 contains the following fixes: * library: Increment to 8:0:1 No removals, no new functions Changes: slab and pid structures * library: Just check for SIGLOST and don't delete it * library: Fix integer overflow and LPE in file2strvec CVE-2018-1124 * library: Use size_t for alloc functions CVE-2018-1126 * library: Increase comm size to 64 * pgrep: Fix stack-based buffer overflow CVE-2018-1125 * pgrep: Remove >15 warning as comm can be longer * ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123 * ps: Increase command name selection field to 64 * top: Don't use cwd for location of config CVE-2018-1122 * update translations * library: build on non-glibc systems * free: fix scaling on 32-bit systems * Revert 'Support running with child namespaces' * library: Increment to 7:0:1 No changes, no removals New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler * doc: Document I idle state in ps.1 and top.1 * free: fix some of the SI multiples * kill: -l space between name parses correctly * library: don't use vm_min_free on non Linux * library: don't strip off wchan prefixes (ps & top) * pgrep: warn about 15+ char name only if -f not used * pgrep/pkill: only match in same namespace by default * pidof: specify separator between pids * pkill: Return 0 only if we can kill process * pmap: fix duplicate output line under '-x' option * ps: avoid eip/esp address truncations * ps: recognizes SCHED_DEADLINE as valid CPU scheduler * ps: display NUMA node under which a thread ran * ps: Add seconds display for cputime and time * ps: Add LUID field * sysctl: Permit empty string for value * sysctl: Don't segv when file not available * sysctl: Read and write large buffers * top: add config file support for XDG specification * top: eliminated minor libnuma memory leak * top: show fewer memory decimal places (configurable) * top: provide command line switch for memory scaling * top: provide command line switch 
for CPU States * top: provides more accurate cpu usage at startup * top: display NUMA node under which a thread ran * top: fix argument parsing quirk resulting in SEGV * top: delay interval accepts non-locale radix point * top: address a wishlist man page NLS suggestion * top: fix potential distortion in 'Mem' graph display * top: provide proper multi-byte string handling * top: startup defaults are fully customizable * watch: define HOST_NAME_MAX where not defined * vmstat: Fix alignment for disk partition format * watch: Support ANSI 39,49 reset sequences ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2757-1 Released: Wed Oct 23 17:21:17 2019 Summary: Security update for lz4 Type: security Severity: moderate References: 1153936,CVE-2019-17543 This update for lz4 fixes the following issues: - CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2762-1 Released: Thu Oct 24 07:08:44 2019 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1150451 This update for timezone fixes the following issues: - Fiji observes DST from 2019-11-10 to 2020-01-12. - Norfolk Island starts observing Australian-style DST. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2779-1 Released: Thu Oct 24 16:57:42 2019 Summary: Security update for binutils Type: security Severity: moderate References: 1109412,1109413,1109414,1111996,1112534,1112535,1113247,1113252,1113255,1116827,1118644,1118830,1118831,1120640,1121034,1121035,1121056,1133131,1133232,1141913,1142772,1152590,1154016,1154025,CVE-2018-1000876,CVE-2018-17358,CVE-2018-17359,CVE-2018-17360,CVE-2018-17985,CVE-2018-18309,CVE-2018-18483,CVE-2018-18484,CVE-2018-18605,CVE-2018-18606,CVE-2018-18607,CVE-2018-19931,CVE-2018-19932,CVE-2018-20623,CVE-2018-20651,CVE-2018-20671,CVE-2018-6323,CVE-2018-6543,CVE-2018-6759,CVE-2018-6872,CVE-2018-7208,CVE-2018-7568,CVE-2018-7569,CVE-2018-7570,CVE-2018-7642,CVE-2018-7643,CVE-2018-8945,CVE-2019-1010180,ECO-368,SLE-6206 This update for binutils fixes the following issues: binutils was updated to current 2.32 branch [jsc#ECO-368]. Includes following security fixes: - CVE-2018-17358: Fixed invalid memory access in _bfd_stab_section_find_nearest_line in syms.c (bsc#1109412) - CVE-2018-17359: Fixed an invalid memory access in bfd_zalloc in opncls.c (bsc#1109413) - CVE-2018-17360: Fixed heap-based buffer over-read in bfd_getl32 in libbfd.c (bsc#1109414) - CVE-2018-17985: Fixed a stack consumption problem caused by the cplus_demangle_type (bsc#1116827) - CVE-2018-18309: Fixed an invalid memory address dereference in read_reloc in reloc.c (bsc#1111996) - CVE-2018-18483: Fixed get_count function provided by libiberty that allowed attackers to cause a denial of service or other unspecified impact (bsc#1112535) - CVE-2018-18484: Fixed stack exhaustion in the C++ demangling functions provided by libiberty, caused by recursive stack frames (bsc#1112534) - CVE-2018-18605: Fixed a heap-based buffer over-read in the function sec_merge_hash_lookup causing a denial of service (bsc#1113255) - CVE-2018-18606: Fixed a NULL pointer 
dereference in _bfd_add_merge_section when attempting to merge sections with large alignments, causing denial of service (bsc#1113252) - CVE-2018-18607: Fixed a NULL pointer dereference in elf_link_input_bfd when used for finding STT_TLS symbols without any TLS section, causing denial of service (bsc#1113247) - CVE-2018-19931: Fixed a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h (bsc#1118831) - CVE-2018-19932: Fixed an integer overflow and infinite loop caused by the IS_CONTAINED_BY_LMA (bsc#1118830) - CVE-2018-20623: Fixed a use-after-free in the error function in elfcomm.c (bsc#1121035) - CVE-2018-20651: Fixed a denial of service via a NULL pointer dereference in elf_link_add_object_symbols in elflink.c (bsc#1121034) - CVE-2018-20671: Fixed an integer overflow that can trigger a heap-based buffer overflow in load_specific_debug_section in objdump.c (bsc#1121056) - CVE-2018-1000876: Fixed integer overflow in bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc in objdump (bsc#1120640) - CVE-2019-1010180: Fixed an out of bound memory access that could lead to crashes (bsc#1142772) - enable xtensa architecture (Tensilica lc6 and related) - Use -ffat-lto-objects in order to provide assembly for static libs (bsc#1141913). - Fixed some LTO build issues (bsc#1133131 bsc#1133232). - riscv: Don't check ABI flags if no code section - Fixed a segfault in ld when building some versions of pacemaker (bsc#1154025, bsc#1154016). - Add avr, epiphany and rx to target_list so that the common binutils can handle all objects we can create with crosses (bsc#1152590). Update to binutils 2.32: * The binutils now support the C-SKY processor series. * The x86 assembler now supports a -mvexwig=[0|1] option to control encoding of VEX.W-ignored (WIG) VEX instructions. It also has a new -mx86-used-note=[yes|no] option to generate (or not) x86 GNU property notes. 
* The MIPS assembler now supports the Loongson EXTensions R2 (EXT2), the Loongson EXTensions (EXT) instructions, the Loongson Content Address Memory (CAM) ASE and the Loongson MultiMedia extensions Instructions (MMI) ASE. * The addr2line, c++filt, nm and objdump tools now have a default limit on the maximum amount of recursion that is allowed whilst demangling strings. This limit can be disabled if necessary. * Objdump's --disassemble option can now take a parameter, specifying the starting symbol for disassembly. Disassembly will continue from this symbol up to the next symbol or the end of the function. * The BFD linker will now report property change in linker map file when merging GNU properties. * The BFD linker's -t option now doesn't report members within archives, unless -t is given twice. This makes it more useful when generating a list of files that should be packaged for a linker bug report. * The GOLD linker has improved warning messages for relocations that refer to discarded sections. - Improve relro support on s390 [fate#326356] - Fix broken debug symbols (bsc#1118644) - Handle ELF compressed header alignment correctly. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2782-1 Released: Fri Oct 25 14:27:52 2019 Summary: Security update for nfs-utils Type: security Severity: moderate References: 1150733,CVE-2019-3689 This update for nfs-utils fixes the following issues: - CVE-2019-3689: Fixed root-owned files stored in insecure /var/lib/nfs. (bsc#1150733) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2802-1 Released: Tue Oct 29 11:39:05 2019 Summary: Security update for python3 Type: security Severity: moderate References: 1149121,1149792,1149955,1151490,1153238,CVE-2019-16056,CVE-2019-16935,PM-1350,SLE-9426 This update for python3 to 3.6.9 fixes the following issues: Security issues fixed: - CVE-2019-16056: Fixed a parser issue in the email module. 
(bsc#1149955) - CVE-2019-16935: Fixed a reflected XSS in python/Lib/DocXMLRPCServer.py (bsc#1153238). Non-security issues fixed: - Fixed regression of OpenSSL 1.1.1b-1 in EVP_PBE_scrypt() with salt=NULL. (bsc#1151490) - Improved locale handling by implementing PEP 538. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2812-1 Released: Tue Oct 29 14:57:55 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1139459,1140631,1145023,1150595,SLE-7687 This update for systemd provides the following fixes: - Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459) - man: Add a note about _netdev usage. - units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target. - units: Add [Install] section to remote-cryptsetup.target. - cryptsetup: Ignore _netdev, since it is used in generator. - cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687) - cryptsetup-generator: Add a helper utility to create symlinks. - units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target. - man: Add an explicit description of _netdev to systemd.mount(5). - man: Order fields alphabetically in crypttab(5). - man: Make crypttab(5) a bit easier to read. - units: Order cryptsetup-pre.target before cryptsetup.target. - Fix reporting of enabled-runtime units. - sd-bus: Deal with cookie overruns. (bsc#1150595) - rules: Add by-id symlinks for persistent memory. (bsc#1140631) - Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. 
(bsc#1145023) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2870-1 Released: Thu Oct 31 08:09:14 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1051143,1138869,1151023 This update for aaa_base provides the following fixes: - Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869) - Add s390x compressed kernel support. (bsc#1151023) - service: Check if there is a second argument before using it. (bsc#1051143) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2891-1 Released: Mon Nov 4 17:47:10 2019 Summary: Security update for python-ecdsa Type: security Severity: moderate References: 1153165,1154217,CVE-2019-14853,CVE-2019-14859 This update for python-ecdsa to version 0.13.3 fixes the following issues: Security issues fixed: - CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165). - CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2929-1 Released: Thu Nov 7 16:45:13 2019 Summary: Recommended update for python-kubernetes Type: recommended Severity: moderate References: 1151481 This update for python-kubernetes fixes the following issues: - python-ipaddress is only required for building on Python2 (on Python3 is part of the standard library) - Backport fix for base64 padding in kubeconfig (bsc#1151481) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2418-1 Released: Thu Nov 14 11:53:03 2019 Summary: Recommended update for bash Type: recommended Severity: moderate References: 1133773,1143055 This update for bash fixes the following issues: - Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' 
to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm' - Add a backport from bash 5.0 to perform better with large numbers of sub processes. (bsc#1133773) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2997-1 Released: Mon Nov 18 15:16:38 2019 Summary: Security update for ncurses Type: security Severity: moderate References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595 This update for ncurses fixes the following issues: Security issues fixed: - CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036). - CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037). Non-security issue fixed: - Removed screen.xterm from terminfo database (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3059-1 Released: Mon Nov 25 17:33:07 2019 Summary: Security update for cpio Type: security Severity: moderate References: 1155199,CVE-2019-14866 This update for cpio fixes the following issues: - CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3061-1 Released: Mon Nov 25 17:34:22 2019 Summary: Security update for gcc9 Type: security Severity: moderate References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536 This update includes the GNU Compiler Collection 9. A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages. To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it. 
Security issues fixed: - CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145) - CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649) Non-security issues fixed: - Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254) - Fixed miscompilation for vector shift on s390. (bsc#1141897) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3070-1 Released: Tue Nov 26 12:39:29 2019 Summary: Recommended update for gpg2 Type: recommended Severity: low References: 1152755 This update for gpg2 provides the following fix: - Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3086-1 Released: Thu Nov 28 10:02:24 2019 Summary: Security update for libidn2 Type: security Severity: moderate References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224 This update for libidn2 to version 2.2.0 fixes the following issues: - CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884). - CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3087-1 Released: Thu Nov 28 10:03:00 2019 Summary: Security update for libxml2 Type: security Severity: low References: 1123919 This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed in the past.
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3118-1 Released: Fri Nov 29 14:41:35 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1154295 This update for e2fsprogs fixes the following issues: - Make minimum size estimates more reliable for mounted filesystem. (bsc#1154295) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3166-1 Released: Wed Dec 4 11:24:42 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1007715,1084934,1157278 This update for aaa_base fixes the following issues: - Use official key binding functions in inputrc that is replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934) - Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715) - Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:3240-1 Released: Tue Dec 10 10:40:19 2019 Summary: Recommended update for ca-certificates-mozilla, p11-kit Type: recommended Severity: moderate References: 1154871 This update for ca-certificates-mozilla, p11-kit fixes the following issues: Changes in ca-certificates-mozilla: - export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871). Changes in p11-kit: - support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3267-1 Released: Wed Dec 11 11:19:53 2019 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:3392-1 Released: Fri Dec 27 13:33:29 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1148987,1155338,1155339,CVE-2019-13627 This update for libgcrypt fixes the following issues: Security issues fixed: - CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987). Bug fixes: - Added CMAC AES self test (bsc#1155339). - Added CMAC TDES self test missing (bsc#1155338). - Fix test dsa-rfc6979 in FIPS mode. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:9-1 Released: Thu Jan 2 12:33:47 2020 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1157438 This update for xfsprogs fixes the following issues: - Remove the 'xfs_scrub_all' script from the package, and the corresponding dependency of python. (bsc#1157438) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:36-1 Released: Wed Jan 8 10:26:46 2020 Summary: Recommended update for python-pyOpenSSL Type: recommended Severity: low References: 1159989 This update fixes the build of python-pyOpenSSL in 2020 (bsc#1159989). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:114-1 Released: Thu Jan 16 10:11:52 2020 Summary: Security update for python3 Type: security Severity: important References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947 This update for python3 to version 3.6.10 fixes the following issues: - CVE-2017-18207: Fixed a denial of service in Wave_read._read_fmt_chunk() (bsc#1083507). - CVE-2019-16056: Fixed an issue where email parsing could fail for multiple @ (bsc#1149955). - CVE-2019-15903: Fixed a heap-based buffer over-read in libexpat (bsc#1149429). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:119-1 Released: Thu Jan 16 15:42:39 2020 Summary: Recommended update for python-jsonpatch Type: recommended Severity: moderate References: 1160978 This update for python-jsonpatch fixes the following issues: - Drop jsondiff binary to avoid conflict with python-jsondiff package. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:129-1 Released: Mon Jan 20 09:21:13 2020 Summary: Security update for libssh Type: security Severity: important References: 1158095,CVE-2019-14889 This update for libssh fixes the following issues: - CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:225-1 Released: Fri Jan 24 06:49:07 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:256-1 Released: Wed Jan 29 09:39:17 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1157794,1160970 This update for aaa_base fixes the following issues: - Improves the way how the Java path is created to fix an issue with sapjvm. (bsc#1157794) - Drop 'dev.cdrom.autoclose' = 0 from sysctl config. (bsc#1160970) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:262-1 Released: Thu Jan 30 11:02:42 2020 Summary: Security update for glibc Type: security Severity: moderate References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126 This update for glibc fixes the following issues: Security issue fixed: - CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292). Bug fixes: - Fixed z15 (s390x) strstr implementation that can return incorrect results if search string cross page boundary (bsc#1157893). - Fixed Hardware support in toolchain (bsc#1151582). - Fixed syscalls during early process initialization (SLE-8348). 
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996). - Moved to posix_spawn on popen (bsc#1149332). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:265-1 Released: Thu Jan 30 14:05:34 2020 Summary: Security update for e2fsprogs Type: security Severity: moderate References: 1160571,CVE-2019-5188 This update for e2fsprogs fixes the following issues: - CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:279-1 Released: Fri Jan 31 12:01:39 2020 Summary: Recommended update for p11-kit Type: recommended Severity: moderate References: 1013125 This update for p11-kit fixes the following issues: - Also build documentation (bsc#1013125) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:335-1 Released: Thu Feb 6 11:37:24 2020 Summary: Security update for systemd Type: security Severity: important References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712 This update for systemd fixes the following issues: - CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages. - Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683) - libblkid: open device in nonblock mode. (bsc#1084671) - udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256) - bus_open leak sd_event_source when udevadm trigger
(bsc#1161436 CVE-2019-20386) - fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814) - fileio: initialize errno to zero before we do fread() - fileio: try to read one byte too much in read_full_stream() - logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485) - logind: never elect a session that is stopping as display - journal: include kmsg lines from the systemd process which exec()d us (#8078) - udevd: don't use monitor after manager_exit() - udevd: capitalize log messages in on_sigchld() - udevd: merge conditions to decrease indentation - Revert 'udevd: fix crash when workers time out after exit is signal caught' - core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482) - udevd: fix crash when workers time out after exit is signal caught - udevd: wait for workers to finish when exiting (bsc#1106383) - Improve bash completion support (bsc#1155207) * shell-completion: systemctl: do not list template units in {re,}start * shell-completion: systemctl: pass current word to all list_unit* * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207) * bash-completion: systemctl: use systemctl --no-pager * bash-completion: also suggest template unit files * bash-completion: systemctl: add missing options and verbs * bash-completion: use the first argument instead of the global variable (#6457) - networkd: VXLan Make group and remote variable separate (bsc#1156213) - networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213) - fs-util: let's avoid unnecessary strerror() - fs-util: introduce inotify_add_watch_and_warn() helper - ask-password: improve log message when inotify limit is reached (bsc#1155574) - shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377) - man: alias names can't be used with enable command (bsc#1151377) - Add boot 
option to not use swap at system start (jsc#SLE-7689) - Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:339-1 Released: Thu Feb 6 13:03:22 2020 Summary: Recommended update for openldap2 Type: recommended Severity: low References: 1158921 This update for openldap2 provides the following fix: - Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:340-1 Released: Thu Feb 6 13:03:56 2020 Summary: Recommended update for python-rpm-macros Type: recommended Severity: moderate References: 1161770 This update for python-rpm-macros fixes the following issues: - Add macros related to the Python dist metadata dependency generator. (bsc#1161770) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:408-1 Released: Wed Feb 19 09:32:46 2020 Summary: Security update for sudo Type: security Severity: important References: 1162202,1162675,CVE-2019-18634 This update for sudo fixes the following issues: Security issue fixed: - CVE-2019-18634: Fixed a buffer overflow in the passphrase prompt that could occur when pwfeedback was enabled in /etc/sudoers (bsc#1162202). Non-security issue fixed: - Fixed an issue where sudo -l would ask for a password even though `listpw` was set to `never` (bsc#1162675). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:451-1 Released: Tue Feb 25 10:50:35 2020 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1155337,1161215,1161216,1161218,1161219,1161220 This update for libgcrypt fixes the following issues: - ECDSA: Check range of coordinates (bsc#1161216) - FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] - FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] - FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220] - FIPS: keywrap gives incorrect results [bsc#1161218] - FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:453-1 Released: Tue Feb 25 10:51:53 2020 Summary: Recommended update for binutils Type: recommended Severity: moderate References: 1160590 This update for binutils fixes the following issues: - Recognize the official name of s390 arch13: 'z15'. (bsc#1160590, jsc#SLE-7903 aka jsc#SLE-7464) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:462-1 Released: Tue Feb 25 11:49:30 2020 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1158504,1158509,1158630,1158758 This update for xfsprogs fixes the following issues: - Allow the filesystem utility xfs_io to suffix sizes with k,m,g for kilobytes, megabytes or gigabytes respectively. (bsc#1158630) - Validate extent size hint parameters through libxfs to avoid output mismatch. (bsc#1158509) - Fix for 'xfs_repair' not to fail recovery of orphaned shortform directories. (bsc#1158504) - Fix for 'xfs_quota' to avoid false error reporting of project inheritance flag is not set. 
(bsc#1158758) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:467-1 Released: Tue Feb 25 12:00:39 2020 Summary: Security update for python3 Type: security Severity: moderate References: 1162224,1162367,1162423,1162825,CVE-2019-9674,CVE-2020-8492 This update for python3 fixes the following issues: Security issues fixed: - CVE-2019-9674: Improved the documentation to reflect the dangers of zip-bombs (bsc#1162825). - CVE-2020-8492: Fixed a regular expression in urllib that was prone to denial of service via HTTP (bsc#1162367). Non-security issue fixed: - If the locale is 'C', coerce it to C.UTF-8 (bsc#1162423). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:476-1 Released: Tue Feb 25 14:23:14 2020 Summary: Recommended update for perl Type: recommended Severity: moderate References: 1102840,1160039 This update for perl fixes the following issues: - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digits only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:480-1 Released: Tue Feb 25 17:38:22 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1160735 This update for aaa_base fixes the following issues: - Change 'rp_filter' to increase the default priority to ethernet over the wifi.
(bsc#1160735) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:498-1 Released: Wed Feb 26 17:59:44 2020 Summary: Recommended update for aws-cli, python-boto3, python-botocore, python-s3transfer, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized Type: recommended Severity: moderate References: 1122669,1136184,1146853,1146854,1159018 This update for aws-cli, python-aws-sam-translator, python-cfn-lint, python-nose2, python-parameterized, python-boto3, python-botocore, python-s3transfer fixes the following issues: python-aws-sam-translator was updated to 1.11.0 (bsc#1159018, jsc#PM-1507): Upgrade to 1.11.0: * Add ReservedConcurrentExecutions to globals * Fix ElasticsearchHttpPostPolicy resource reference * Support using AWS::Region in Ref and Sub * Documentation and examples updates * Add VersionDescription property to Serverless::Function * Update ServerlessRepoReadWriteAccessPolicy * Add additional template validation Upgrade to 1.10.0: * Add GSIs to DynamoDBReadPolicy and DynamoDBCrudPolicy * Add DynamoDBReconfigurePolicy * Add CostExplorerReadOnlyPolicy and OrganizationsListAccountsPolicy * Add EKSDescribePolicy * Add SESBulkTemplatedCrudPolicy * Add FilterLogEventsPolicy * Add SSMParameterReadPolicy * Add SESEmailTemplateCrudPolicy * Add s3:PutObjectAcl to S3CrudPolicy * Add allow_credentials CORS option * Add support for AccessLogSetting and CanarySetting Serverless::Api properties * Add support for X-Ray in Serverless::Api * Add support for MinimumCompressionSize in Serverless::Api * Add Auth to Serverless::Api globals * Remove trailing slashes from APIGW permissions * Add SNS FilterPolicy and an example application * Add Enabled property to Serverless::Function event sources * Add support for PermissionsBoundary in Serverless::Function * Fix boto3 client initialization * Add PublicAccessBlockConfiguration property to S3 bucket resource * Make PAY_PER_REQUEST default mode for 
Serverless::SimpleTable * Add limited support for resolving intrinsics in Serverless::LayerVersion * SAM now uses Flake8 * Add example application for S3 Events written in Go * Updated several example applications python-cfn-lint was added in version 0.21.4: - Add upstream patch to fix EOL dates for lambda runtimes - Add upstream patch to fix test_config_expand_paths test - Rename to python-cfn-lint. This package has a python API, which is required by python-moto. Update to version 0.21.4: + Features * Include more resource types in W3037 + CloudFormation Specifications * Add Resource Type `AWS::CDK::Metadata` + Fixes * Uncap requests dependency in setup.py * Check Join functions have lists in the correct sections * Pass a parameter value for AutoPublishAlias when doing a Transform * Show usage examples when displaying the help Update to version 0.21.3 + Fixes * Support dumping strings for datetime objects when doing a Transform Update to version 0.21.2 + CloudFormation Specifications * Update CloudFormation specs to 3.3.0 * Update instance types from pricing API as of 2019.05.23 Update to version 0.21.1 + Features * Add `Info` logging capability and set the default logging to `NotSet` + Fixes * Only do rule logging (start/stop/time) when the rule is going to be called * Update rule E1019 to allow `Fn::Transform` inside a `Fn::Sub` * Update rule W2001 to not break when `Fn::Transform` inside a `Fn::Sub` * Update rule E2503 to allow conditions to be used and to not default to `network` load balancer when an object is used for the Load Balancer type Update to version 0.21.0 + Features * New rule E3038 to check if a Serverless resource includes the appropriate Transform * New rule E2531 to validate a Lambda's runtime against the deprecated dates * New rule W2531 to validate a Lambda's runtime against the EOL dates * Update rule E2541 to include updates to Code Pipeline capabilities * Update rule E2503 to include checking of values for load balancer attributes + 
CloudFormation Specifications * Update CloudFormation specs to 3.2.0 * Update instance types from pricing API as of 2019.05.20 + Fixes * Include setuptools in setup.py requires Update to version 0.20.3 + CloudFormation Specifications * Update instance types from pricing API as of 2019.05.16 + Fixes * Update E7001 to allow float/doubles for mapping values * Update W1020 to check pre-transformed Fn::Sub(s) to determine if a Sub is needed * Pin requests to be below or equal to 2.21.0 to prevent issues with botocore Update to version 0.20.2 + Features * Add support for List Parameter types + CloudFormation Specifications * Add allowed values for AWS::EC2 EIP, FlowLog, CustomerGateway, DHCPOptions, EC2Fleet * Create new property type for Security Group IDs or Names * Add new Lambda runtime environment for NodeJs 10.x * Move AWS::ServiceDiscovery::Service Health checks from Only One to Exclusive * Update Glue Crawler Role to take an ARN or a name * Remove PrimitiveType from MaintenanceWindowTarget Targets * Add Min/Max values for Load Balancer Ports to be between 1-65535 + Fixes * Include License file in the pypi package to help with downstream projects * Filter out dynamic references from rule E3031 and E3030 * Convert Python linting and Code Coverage from Python 3.6 to 3.7 Update to version 0.20.1 + Fixes * Update rule E8003 to support more functions inside a Fn::Equals Update to version 0.20.0 + Features * Allow a rule's exception to be defined in a resource's metadata * Add rule configuration capabilities * Update rule E3012 to allow for non strict property checking * Add rule E8003 to test Fn::Equals structure and syntax * Add rule E8004 to test Fn::And structure and syntax * Add rule E8005 to test Fn::Not structure and syntax * Add rule E8006 to test Fn::Or structure and syntax * Include Path to error in the JSON output * Update documentation to describe how to install cfn-lint from brew + CloudFormation Specifications * Update CloudFormation specs to version 3.0.0 
* Add new region ap-east-1 * Add list min/max and string min/max for CloudWatch Alarm Actions * Add allowed values for EC2::LaunchTemplate * Add allowed values for EC2::Host * Update allowed values for Amazon MQ to include 5.15.9 * Add AWS::Greengrass::ResourceDefinition to GreenGrass supported regions * Add AWS::EC2::VPCEndpointService to all regions * Update AWS::ECS::TaskDefinition ExecutionRoleArn to be a IAM Role ARN * Patch spec files for SSM MaintenanceWindow to look for Target and not Targets * Update ManagedPolicyArns list size to be 20 which is the hard limit. 10 is the soft limit. + Fixes * Fix rule E3033 to check the string size when the string is inside a list * Fix an issue in which AWS::NotificationARNs was not a list * Add AWS::EC2::Volume to rule W3010 * Fix an issue with W2001 where SAM translate would remove the Ref to a parameter causing this error to falsely trigger * Fix rule W3010 to not error when the availability zone is 'all' Update to version 0.19.1 + Fixes * Fix core Condition processing to support direct Condition in another Condition * Fix the W2030 to check numbers against string allowed values Update to version 0.19.0 + Features * Add NS and PTR Route53 record checking to rule E3020 * New rule E3050 to check if a Ref to IAM Role has a Role path of '/' * New rule E3037 to look for duplicates in a list that doesn't support duplicates * New rule I3037 to look for duplicates in a list when duplicates are allowed + CloudFormation Specifications * Add Min/Max values to AWS::ElasticLoadBalancingV2::TargetGroup HealthCheckTimeoutSeconds * Add Max JSON size to AWS::IAM::ManagedPolicy PolicyDocument * Add allowed values for AWS::EC2 SpotFleet, TransitGateway, NetworkAcl NetworkInterface, PlacementGroup, and Volume * Add Min/max values to AWS::Budgets::Budget.Notification Threshold * Update RDS Instance types by database engine and license definitions using the pricing API * Update AWS::CodeBuild::Project ServiceRole to support Role Name or ARN 
* Update AWS::ECS::Service Role to support Role Name or ARN + Fixes * Update E3025 to support the new structure of data in the RDS instance type json * Update E2540 to remove all nested conditions from the object * Update E3030 to not do strict type checking * Update E3020 to support conditions nested in the record sets * Update E3008 to better handle CloudFormation sub stacks with different GetAtt formats Update to version 0.18.1 + CloudFormation Specifications * Update CloudFormation Specs to 2.30.0 * Fix IAM Regex Path to support more character types * Update AWS::Batch::ComputeEnvironment.ComputeResources InstanceRole to reference an InstanceProfile or GetAtt the InstanceProfile Arn * Allow VPC IDs to Ref a Parameter of type String + Fixes * Fix E3502 to check the size of the property instead of the parent object Update to version 0.18.0 + Features * New rule E3032 to check the size of lists * New rule E3502 to check JSON Object Size using definitions in the spec file * New rule E3033 to test the minimum and maximum length of a string * New rule E3034 to validate the min and max of a number * Remove Ebs Iops check from E2504 and use rule E3034 instead * Remove rule E2509 and use rule E3033 instead * Remove rule E2508 as it replaced by E3032 and E3502 * Update rule E2503 to check that there are at least two 2 Subnets or SubnetMappings for ALBs * SAM requirement upped to minimal version of 1.10.0 + CloudFormation Specifications * Extend specs to include: > `ListMin` and `ListMax` for the minimum and maximum size of a list > `JsonMax` to check the max size of a JSON Object > `StringMin` and `StringMax` to check the minimum and maximum length of a String > `NumberMin` and `NumberMax` to check the minimum and maximum value of a Number, Float, Long * Update State and ExecutionRoleArn to be required on AWS::DLM::LifecyclePolicy * Add AllowedValues for PerformanceInsightsRetentionPeriod for AWS::RDS::Instance * Add AllowedValues for the AWS::GuardDuty Resources * Add 
AllowedValues for AWS::EC2 VPC and VPN Resources * Switch IAM Instance Profiles for certain resources to the type that only takes the name * Add regex pattern for IAM Instance Profile when a name (not Arn) is used * Add regex pattern for IAM Paths * Add Regex pattern for IAM Role Arn * Update OnlyOne spec to require at least one of Subnets or SubnetMappings with ELB v2 + Fixes * Fix serverless transform to use DefinitionBody when Auth is in the API definition * Fix rule W2030 to not error when checking SSM or List Parameters Update to version 0.17.1 + Features * Update rule E2503 to make sure NLBs don't have a Security Group configured + CloudFormation Specifications * Add all the allowed values of the `AWS::Glue` Resources * Update OnlyOne check for `AWS::CloudWatch::Alarm` to only `MetricName` or `Metrics` * Update Exclusive check for `AWS::CloudWatch::Alarm` for properties mixed with `Metrics` and `Statistic` * Update CloudFormation specs to 2.29.0 * Fix type with MariaDB in the AllowedValues * Update pricing information for data available on 2018.3.29 + Fixes * Fix rule E1029 to not look for a sub is needed when looking for iot strings in policies * Fix rule E2541 to allow for ActionId Versions of length 1-9 and meets regex `[0-9A-Za-z_-]+` * Fix rule E2532 to allow for `Parameters` inside a `Pass` action * Fix an issue when getting the location of an error in which numbers are causing an attribute error Update to version 0.17.0 + Features * Add new rule E3026 to validate Redis cluster settings including AutomaticFailoverEnabled and NumCacheClusters. Status: Released * Add new rule W3037 to validate IAM resource policies.
Status: Experimental * Add new parameter `-e/--include-experimental` to allow for new rules in that aren't ready to be fully released + CloudFormation Specifications * Update Spec files to 2.28.0 * Add all the allowed values of the AWS::Redshift::* Resources * Add all the allowed values of the AWS::Neptune::* Resources * Patch spec to make AWS::CloudFront::Distribution.LambdaFunctionAssociation.LambdaFunctionARN required * Patch spec to make AWS::DynamoDB::Table AttributeDefinitions required + Fixes * Remove extra blank lines when there is no errors in the output * Add exception to rule E1029 to have exceptions for EMR CloudWatchAlarmDefinition * Update rule E1029 to allow for literals in a Sub * Remove sub checks from rule E3031 as it won't match in all cases of an allowed pattern regex check * Correct typos for errors in rule W1001 * Switch from parsing a template as Yaml to Json when finding an escape character * Fix an issue with SAM related to transforming templates with Serverless Application and Lambda Layers * Fix an issue with rule E2541 when non strings were used for Stage Names Update to version 0.16.0 + Features * Add rule E3031 to look for regex patterns based on the patched spec file * Remove regex checks from rule E2509 * Add parameter `ignore-templates` to allow the ignoring of templates when doing bulk linting + CloudFormation Specifications * Update Spec files to 2.26.0 * Add all the allowed values of the AWS::DirectoryService::* Resources * Add all the allowed values of the AWS::DynamoDB::* Resources * Added AWS::Route53Resolver resources to the Spec Patches of ap-southeast-2 * Patch the spec file with regex patterns * Add all the allowed values of the AWS::DocDb::* Resources + Fixes * Update rule E2504 to have '20000' as the max value * Update rule E1016 to not allow ImportValue inside of Conditions * Update rule E2508 to check conditions when providing limit checks on managed policies * Convert unicode to strings when in Py 3.4/3.5 and updating 
      specs
    * Convert from `awslabs` to `aws-cloudformation` organization
    * Remove suppression of logging that was removed from samtranslator >1.7.0 and incompatibility with samtranslator 1.10.0
Update to version 0.15.0
  + Features
    * Add scaffolding for arbitrary Match attributes, adding attributes for Type checks
    * Add rule E3024 to validate that ProvisionedThroughput is not specified with BillingMode PAY_PER_REQUEST
  + CloudFormation Specifications
    * Update Spec files to 2.24.0
    * Update OnlyOne spec to have BlockDeviceMapping to include NoDevice with Ebs and VirtualName
    * Add all the allowed values of the AWS::CloudFront::* Resources
    * Add all the allowed values of the AWS::DAX::* Resources
  + Fixes
    * Update config parsing to use the builtin Yaml decoder
    * Add condition support for Inclusive E2521, Exclusive E2520, and AtLeastOne E2522 rules
    * Update rule E1029 to better check Resource strings inside IAM Policies
    * Improve the line/column information of a Match with array support
Update to version 0.14.1
  + CloudFormation Specifications
    * Update CloudFormation Specs to version 2.23.0
    * Add allowed values for AWS::Config::* resources
    * Add allowed values for AWS::ServiceDiscovery::* resources
    * Fix allowed values for Apache MQ
  + Fixes
    * Update rule E3008 to not error when using a list from a custom resource
    * Support simple types in the CloudFormation spec
    * Add tests for the formatters
Update to version 0.14.0
  + Features
    * Add rule E3035 to check the values of DeletionPolicy
    * Add rule E3036 to check the values of UpdateReplacePolicy
    * Add rule E2014 to check that there are no REFs in the Parameter section
    * Update rule E2503 to support TLS on NLBs
  + CloudFormation Specifications
    * Update CloudFormation spec to version 2.22.0
    * Add allowed values for AWS::Cognito::* resources
  + Fixes
    * Update rule E3002 to allow GetAtts to Custom Resources under a Condition
Update to version 0.13.2
  + Features
    * Introducing the cfn-lint logo!
    * Update SAM dependency version
  + Fixes
    * Fix CloudWatchAlarmComparisonOperator allowed values.
    * Fix typo resoruce_type_spec in several files
    * Better support for nested And, Or, and Not when processing Conditions
Update to version 0.13.1
  + CloudFormation Specifications
    * Add allowed values for AWS::CloudTrail::Trail resources
    * Patch spec to have AWS::CodePipeline::CustomActionType Version included
  + Fixes
    * Fix conditions logic to use AllowedValues when REFing a Parameter that has AllowedValues specified
Update to version 0.13.0
  + Features
    * New rule W1011 to check if a FindInMap is using the correct map name and keys
    * New rule W1001 to check if a Ref/GetAtt to a resource that exists when Conditions are used
    * Removed logic in E1011 and moved it to W1011 for validating keys
    * Add property relationships for AWS::ApplicationAutoScaling::ScalingPolicy into Inclusive, Exclusive, and AtLeastOne
    * Update rule E2505 to check the netmask bit
    * Include the ability to update the CloudFormation Specs using the Pricing API
  + CloudFormation Specifications
    * Update to version 2.21.0
    * Add allowed values for AWS::Budgets::Budget
    * Add allowed values for AWS::CertificateManager resources
    * Add allowed values for AWS::CodePipeline resources
    * Add allowed values for AWS::CodeCommit resources
    * Add allowed values for EC2 InstanceTypes from pricing API
    * Add allowed values for RedShift InstanceTypes from pricing API
    * Add allowed values for MQ InstanceTypes from pricing API
    * Add allowed values for RDS InstanceTypes from pricing API
  + Fixes
    * Fixed README indentation issue with .pre-commit-config.yaml
    * Fixed rule E2541 to allow for multiple inputs/outputs in a CodeBuild task
    * Fixed rule E3020 to allow for a period or no period at the end of a ACM registration record
    * Update rule E3001 to support UpdateReplacePolicy
    * Fix a cli issue where `--template` wouldn't be used when a .cfnlintrc was in the same folder
    * Update rule E3002 and E1024 to support packaging of
      AWS::Lambda::LayerVersion content
- Initial build
  + Version 0.12.1

Update to 0.9.1
  * the prof plugin now uses cProfile instead of hotshot for profiling
  * skipped tests now include the user's reason in junit XML's message field
  * the prettyassert plugin mishandled multi-line function definitions
  * Using a plugin's CLI flag when the plugin is already enabled via config no longer errors
  * nose2.plugins.prettyassert, enabled with --pretty-assert
  * Cleanup code for EOLed python versions
  * Dropped support for distutils.
  * Result reporter respects failure status set by other plugins
  * JUnit XML plugin now includes the skip reason in its output

Upgrade to 0.8.0:
- List of changes is too long to show here, see
  https://github.com/nose-devs/nose2/blob/master/docs/changelog.rst
  changes between 0.6.5 and 0.8.0

Update to 0.7.0:
  * Added parameterized_class feature, for parameterizing entire test classes (many thanks to @TobyLL for their suggestions and help testing!)
  * Fix DeprecationWarning on `inspect.getargs` (thanks @brettdh; https://github.com/wolever/parameterized/issues/67)
  * Make sure that `setUp` and `tearDown` methods work correctly (#40)
  * Raise a ValueError when input is empty (thanks @danielbradburn; https://github.com/wolever/parameterized/pull/48)
  * Fix the order when number of cases exceeds 10 (thanks @ntflc; https://github.com/wolever/parameterized/pull/49)

aws-cli was updated to version 1.16.223:

For detailed changes see the changes entries:
https://github.com/aws/aws-cli/blob/1.16.223/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.189/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.182/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.176/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.103/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.94/CHANGELOG.rst
https://github.com/aws/aws-cli/blob/1.16.84/CHANGELOG.rst

python-boto3 was updated to 1.9.213, python-botocore was updated to 1.9.188, and python-s3transfer was updated to
1.12.74, fixing lots of bugs and adding features (bsc#1146853, bsc#1146854)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released: Fri Feb 28 11:49:36 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1164562

This update for pam fixes the following issues:

- Add libdb as build-time dependency to enable pam_userdb module.
  Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:556-1
Released: Mon Mar 2 13:32:11 2020
Summary: Recommended update for 389-ds
Type: recommended
Severity: moderate
References: 1155951

This update for 389-ds to version 1.4.2.2 fixes the following issues:

389-ds was updated to 1.4.2.6 (fate#326677, bsc#1155951), bringing many bug and stability fixes.

Issue addressed:

- Enabled python lib389 installer tooling to match upstream and suse documentation.

More information for this release at: https://directory.fedoraproject.org/docs/389ds/releases/release-1-4-2-1.html

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released: Tue Mar 3 13:25:41 2020
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1162518

This update for cyrus-sasl fixes the following issues:

- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released: Tue Mar 3 13:37:28 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1160160

This update for ca-certificates-mozilla to 2.40 fixes the following issues:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released: Thu Mar 5 15:24:09 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950

This update for libgcrypt fixes the following issues:

- FIPS: Run the self-tests from the constructor [bsc#1164950]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released: Tue Mar 10 16:23:08 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1139939,1151023

This update for aaa_base fixes the following issues:

- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again.
  It will be published in a different package at a later time. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released: Thu Mar 19 11:00:46 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1160595

This update for systemd fixes the following issues:

- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released: Thu Mar 19 14:44:22 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1166106

This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:777-1
Released: Tue Mar 24 18:07:52 2020
Summary: Recommended update for python3
Type: recommended
Severity: moderate
References: 1165894

This update for python3 fixes the following issue:

- Rename idle icons to idle3 in order to not conflict with python2 variant of the package (bsc#1165894)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released: Wed Mar 25 15:16:00 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712

This update for systemd fixes the following issues:

- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-???
- %j/%J unit specifiers

Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).
Added the udev 60-ssd-scheduler.rules:

- This rules file which select the default IO scheduler for SSDs is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team.
- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:814-1
Released: Mon Mar 30 16:23:42 2020
Summary: Recommended update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1
Type: recommended
Severity: moderate
References: 1161816,1162152,1167223

This update for QR-Code-generator, boost, libreoffice, myspell-dictionaries, xmlsec1 fixes the following issues:

libreoffice was updated to 6.4.2.2 (jsc#SLE-11174 jsc#SLE-11175 jsc#SLE-11176 bsc#1167223):

Full Release Notes can be found on: https://wiki.documentfoundation.org/ReleaseNotes/6.4

- Fixed broken handling of non-ASCII characters in the KDE filedialog (bsc#1161816)
- Move the animation library to core package bsc#1162152

xmlsec1 was updated to 1.2.28:

  * Added BoringSSL support (chenbd).
  * Added gnutls-3.6.x support (alonbl).
  * Added DSA and ECDSA key size getter for MSCNG (vmiklos).
  * Added --enable-mans configuration option (alonbl).
  * Added continuous build integration for MacOSX (vmiklos).
  * Several other small fixes (more details).

- Make sure to recommend at least one backend when you install just xmlsec1
- Drop the gnutls backend as based on the tests it is quite borked:
  * We still have nss and openssl backend for people to use

Version update to 1.2.27:

  * Added AES-GCM support for OpenSSL and MSCNG (snargit).
  * Added DSA-SHA256 and ECDSA-SHA384 support for NSS (vmiklos).
  * Added RSA-OAEP support for MSCNG (vmiklos).
  * Continuous build integration in Travis and Appveyor.
  * Several other small fixes (more details).

myspell-dictionaries was updated to 20191219:

  * Updated the English dictionaries: GB+US+CA+AU
  * Bring shipped Spanish dictionary up to version 2.5

boost was updated to fix:

- add a backport of Boost.Optional::has_value() for LibreOffice

The QR-Code-generator is shipped:

- Initial commit, needed by libreoffice 6.4

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released: Tue Mar 31 13:02:22 2020
Summary: Security update for glibc
Type: security
Severity: important
References: 1167631,CVE-2020-1752

This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:823-1
Released: Tue Mar 31 13:28:14 2020
Summary: Recommended update for parted
Type: recommended
Severity: moderate
References: 1161783,1164260

This update for parted fixes the following issue:

- Make parted work with pmemXs devices. (bsc#1164260)
- Fix for error when parted output size crashing parted in yast.
  (bsc#1161783)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released: Thu Apr 2 07:24:07 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950,1166748,1167674

This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
  * Set up global_init as the constructor function:
  * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG is available:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released: Fri Apr 3 15:02:25 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:935-1
Released: Tue Apr 7 03:46:39 2020
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1158630,1167205,1167206

This update for xfsprogs fixes the following issues:

- xfs_quota: reformat commands in the manpage. (bsc#1167206)
  Reformat commands in the manpage so that fstest can check that each command is actually documented.
- xfs_db: document missing commands. (bsc#1167205)
  Document the commands 'attr_set', 'attr_remove', 'logformat' in the manpage.
- xfs_io: allow size suffixes for the copy_range command.
  (bsc#1158630)
  Allow the usage of size suffixes k,m,g for kilobytes, megabytes or gigabytes respectively for the copy_range command

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released: Wed Apr 8 07:44:21 2020
Summary: Security update for gmp, gnutls, libnettle
Type: security
Severity: moderate
References: 1152692,1155327,1166881,1168345,CVE-2020-11501

This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:959-1
Released: Wed Apr 8 12:59:50 2020
Summary: Security update for python-PyYAML
Type: security
Severity: important
References: 1165439,CVE-2020-1747

This update for python-PyYAML fixes the following issues:

- CVE-2020-1747: Fixed an arbitrary code execution when YAML files are parsed by FullLoader (bsc#1165439).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released: Wed Apr 8 13:34:06 2020
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1160979

This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to exercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released: Thu Apr 9 11:41:53 2020
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1168699,CVE-2020-1730

This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:979-1
Released: Mon Apr 13 15:42:59 2020
Summary: Recommended update for parted
Type: recommended
Severity: moderate
References: 1168756

This update for parted fixes the following issue:

- fix null pointer dereference.
  (bsc#1168756)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1000-1
Released: Wed Apr 15 14:18:57 2020
Summary: Recommended update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager
Type: recommended
Severity: moderate
References: 1014478,1054413,1140565,982804,999200

This update for azure-cli tools, python-adal, python-applicationinsights, python-azure modules, python-msrest, python-msrestazure, python-pydocumentdb, python-uamqp, python-vsts-cd-manager fixes the following issues:

The Azure python modules and client tool stack was updated to the 2020 state.

Various other python modules were added and updated.

- python-PyYAML was updated to 5.1.2.
- python-humanfriendly was updated to 4.16.1.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1037-1
Released: Mon Apr 20 10:49:39 2020
Summary: Recommended update for python-pytest
Type: recommended
Severity: low
References: 1002895,1107105,1138666,1167732

This update fixes the following issues:

New python-pytest versions are provided.

In Basesystem:

- python3-pexpect: updated to 4.8.0
- python3-py: updated to 1.8.1
- python3-zipp: shipped as dependency in version 0.6.0

In Python2:

- python2-pexpect: updated to 4.8.0
- python2-py: updated to 1.8.1

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released: Wed Apr 22 10:46:50 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1165539,1169569

This update for libgcrypt fixes the following issues:

- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1094-1
Released: Thu Apr 23 16:34:21 2020
Summary: Recommended update for python-google-api-python-client
Type: recommended
Severity: moderate
References: 1088358,1160933

This update for python-google-api-python-client fixes the following issues:

- Fix dependencies to use google-auth instead of deprecated oauth2client (bsc#1160933, jsc#ECO-1148)

python-cachetools 2.0.1 is shipped to the Public Cloud Module.

python-google-auth 1.5.1 is shipped to the Public Cloud Module.

python-google-api-python-client was updated to:

- Upgrade to 1.7.4: just series of minor bugfixes
- Fix check for error text on Python 3.7. (#278)
- Use new Auth URIs. (#281)
- Add code-of-conduct document.
  (#270)
- Fix some typos in test_urllib3.py (#268)
- Warn when using user credentials from the Cloud SDK (#266)
- Add compute engine-based IDTokenCredentials (#236)
- Corrected some typos (#265)

Update to 1.4.2:

- Raise a helpful exception when trying to refresh credentials without a refresh token. (#262)
- Fix links to README and CONTRIBUTING in docs/index.rst. (#260)
- Fix a typo in credentials.py. (#256)
- Use pytest instead of py.test per upstream recommendation, #dropthedot. (#255)
- Fix typo on example of jwt usage (#245)

New upstream release 1.4.1 (bsc#1088358)

- Added a check for the cryptography version before attempting to use it.
+ From version 1.4.0
  - Added `cryptography`-based RSA signer and verifier.
  - Added `google.oauth2.service_account.IDTokenCredentials`.
  - Improved documentation around ID Tokens
+ From version 1.3.0
  - Added ``google.oauth2.credentials.Credentials.from_authorized_user_file``.
  - Dropped direct pyasn1 dependency in favor of letting ``pyasn1-modules`` specify the right version.
  - ``default()`` now checks for the project ID environment var before warning about missing project ID.
  - Fixed the docstrings for ``has_scopes()`` and ``with_scopes()``.
  - Fixed example in docstring for ``ReadOnlyScoped``.
  - Made ``transport.requests`` use timeouts and retries to improve reliability.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released: Tue May 5 08:33:43 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1165011,1168076

This update for systemd fixes the following issues:

- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used.
  (bsc#1165011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1214-1
Released: Thu May 7 11:20:34 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1169944

This update for libgcrypt fixes the following issues:

- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released: Thu May 7 17:10:42 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1170771,CVE-2020-12243

This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1226-1
Released: Fri May 8 10:51:05 2020
Summary: Recommended update for gcc9
Type: recommended
Severity: moderate
References: 1149995,1152590,1167898

This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1294-1
Released: Mon May 18 07:38:36 2020
Summary: Security update for file
Type: security
Severity: moderate
References: 1154661,1169512,CVE-2019-18218

This update for file fixes the following issues:

Security issues fixed:

- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

Non-security issue fixed:

- Fixed broken '--help' output (bsc#1169512).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1299-1
Released: Mon May 18 07:43:21 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595

This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1303-1
Released: Mon May 18 09:40:36 2020
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1169582

This update for timezone fixes the following issues:

- timezone update 2020a. (bsc#1169582)
  * Morocco springs forward on 2020-05-31, not 2020-05-24.
  * Canada's Yukon advanced to -07 year-round on 2020-03-08.
  * America/Nuuk renamed from America/Godthab.
  * zic now supports expiration dates for leap second lists.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1308-1
Released: Mon May 18 10:05:46 2020
Summary: Recommended update for psmisc
Type: recommended
Severity: moderate
References: 1170247

This update for psmisc fixes the following issues:

- Allow not unique mounts as well as not unique mountpoint.
  (bsc#1170247)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1328-1
Released: Mon May 18 17:16:04 2020
Summary: Recommended update for grep
Type: recommended
Severity: moderate
References: 1155271

This update for grep fixes the following issues:

- Update testsuite expectations, no functional changes (bsc#1155271)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1342-1
Released: Tue May 19 13:27:31 2020
Summary: Recommended update for python3
Type: recommended
Severity: moderate
References: 1149955,1165894,CVE-2019-16056

This update for python3 fixes the following issues:

- Changed the name of idle3 icons to idle3.png to avoid collision with Python 2 version (bsc#1165894).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1361-1
Released: Thu May 21 09:31:18 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1171872

This update for libgcrypt fixes the following issues:

- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1370-1
Released: Thu May 21 19:06:00 2020
Summary: Recommended update for systemd-presets-branding-SLE
Type: recommended
Severity: moderate
References: 1171656

This update for systemd-presets-branding-SLE fixes the following issues:

Cleanup of outdated autostart services (bsc#1171656):

- Remove acpid.service. acpid is only available on SLE via openSUSE backports. In openSUSE acpid.service is *not* autostarted. I see no reason why it should be on SLE.
- Remove spamassassin.timer. This timer never seems to have existed. Instead spamassassin ships a 'sa-update.timer'. But it is not default-enabled and nobody ever complained about this.
- Remove snapd.apparmor.service: This service was proactively added a year ago, but snapd didn't even make it into openSUSE yet. There's no reason to keep this entry unless snapd actually enters SLE which is not foreseeable.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1396-1
Released: Mon May 25 12:04:39 2020
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1082318,1133297

This update for zstd fixes the following issues:

- Fix for build error caused by wrong static libraries. (bsc#1133297)
- Correction in spec file marking the license as documentation. (bsc#1082318)
- Add new package for SLE-15. (jsc#ECO-1886)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1400-1
Released: Mon May 25 14:09:02 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1162930

This update for glibc fixes the following issues:

- nptl: wait for pending setxid request also in detached thread. (bsc#1162930)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1404-1
Released: Mon May 25 15:32:34 2020
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1138793,1166260

This update for zlib fixes the following issues:

- Including the latest fixes from IBM (bsc#1166260)
  IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793.
  The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1409-1
Released: Mon May 25 17:01:33 2020
Summary: Security update for libxslt
Type: security
Severity: moderate
References: 1140095,1140101,1154609,CVE-2019-13117,CVE-2019-13118,CVE-2019-18197

This update for libxslt fixes the following issues:

Security issues fixed:

- CVE-2019-13118: Fixed a read of uninitialized stack data (bsc#1140101).
- CVE-2019-13117: Fixed an uninitialized read which allowed to discern whether a byte on the stack contains certain special characters (bsc#1140095).
- CVE-2019-18197: Fixed a dangling pointer in xsltCopyText which may have led to information disclosure (bsc#1154609).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1492-1
Released: Wed May 27 18:32:41 2020
Summary: Recommended update for python-rpm-macros
Type: recommended
Severity: moderate
References: 1171561

This update for python-rpm-macros fixes the following issue:

- Update to version 20200207.5feb6c1 (bsc#1171561)
  * Do not write .pyc files for tests

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1496-1
Released: Wed May 27 20:30:31 2020
Summary: Recommended update for python-requests
Type: recommended
Severity: low
References: 1170175

This update for python-requests fixes the following issues:

- Fix for warnings 'test fails to build' for python http. (bsc#1170175)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1506-1
Released: Fri May 29 17:22:11 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1087982,1170527

This update for aaa_base fixes the following issues:

- Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander.
(bsc#1170527) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1532-1 Released: Thu Jun 4 10:16:12 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1172021,CVE-2019-19956 This update for libxml2 fixes the following issues: - CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1542-1 Released: Thu Jun 4 13:24:37 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1172055 This update for timezone fixes the following issue: - zdump --version reported 'unknown' (bsc#1172055) From sle-updates at lists.suse.com Wed Jun 17 11:32:16 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 19:32:16 +0200 (CEST) Subject: SUSE-CU-2020:222-1: Recommended update of ses/7/rook/ceph Message-ID: <20200617173216.65FD0FD07@maintenance.suse.de> SUSE Container Update Advisory: ses/7/rook/ceph ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:222-1 Container Tags : ses/7/rook/ceph:1.3.4 , ses/7/rook/ceph:1.3.4.0 , ses/7/rook/ceph:1.3.4.0.1.1049 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus Container Release : 1.1049 Severity : low Type : recommended References : ----------------------------------------------------------------- The container ses/7/rook/ceph was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Wed Jun 17 11:32:32 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 19:32:32 +0200 (CEST) Subject: SUSE-CU-2020:223-1: Recommended update of ses/7/rook/ceph Message-ID: <20200617173232.ABDD4FD07@maintenance.suse.de> SUSE Container Update Advisory: ses/7/rook/ceph ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:223-1 Container Tags : ses/7/rook/ceph:1.3.4 , ses/7/rook/ceph:1.3.4.0 , ses/7/rook/ceph:1.3.4.0.1.1050 , ses/7/rook/ceph:latest , ses/7/rook/ceph:sle15.2.octopus Container Release : 1.1050 Severity : low Type : recommended References : ----------------------------------------------------------------- The container ses/7/rook/ceph was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Wed Jun 17 13:12:31 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 21:12:31 +0200 (CEST) Subject: SUSE-SU-2020:14398-1: important: Security update for java-1_7_1-ibm Message-ID: <20200617191231.5B329F749@maintenance.suse.de> SUSE Security Update: Security update for java-1_7_1-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14398-1 Rating: important References: #1169511 #1172277 Cross-References: CVE-2020-2654 CVE-2020-2756 CVE-2020-2757 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2830 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS ______________________________________________________________________________ An update that fixes 8 vulnerabilities is now available. 
Description: This update for java-1_7_1-ibm fixes the following issues: java-1_7_1-ibm was updated to Java 7.1 Service Refresh 4 Fix Pack 65 (bsc#1172277 and bsc#1169511) - CVE-2020-2654: Fixed an issue which could have resulted in unauthorized ability to cause a partial denial of service - CVE-2020-2756: Improved mapping of serial ENUMs - CVE-2020-2757: Less Blocking Array Queues - CVE-2020-2781: Improved TLS session handling - CVE-2020-2800: Improved Headings for HTTP Servers - CVE-2020-2803: Enhanced buffering of byte buffers - CVE-2020-2805: Enhanced typing of methods - CVE-2020-2830: Improved Scanner conversions Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-java-1_7_1-ibm-14398=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.65-26.55.1 java-1_7_1-ibm-devel-1.7.1_sr4.65-26.55.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.65-26.55.1 - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.65-26.55.1 java-1_7_1-ibm-plugin-1.7.1_sr4.65-26.55.1 References: https://www.suse.com/security/cve/CVE-2020-2654.html https://www.suse.com/security/cve/CVE-2020-2756.html https://www.suse.com/security/cve/CVE-2020-2757.html https://www.suse.com/security/cve/CVE-2020-2781.html https://www.suse.com/security/cve/CVE-2020-2800.html https://www.suse.com/security/cve/CVE-2020-2803.html https://www.suse.com/security/cve/CVE-2020-2805.html https://www.suse.com/security/cve/CVE-2020-2830.html https://bugzilla.suse.com/1169511 https://bugzilla.suse.com/1172277 From sle-updates at lists.suse.com Wed Jun 17 13:13:21 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 21:13:21 +0200 (CEST) Subject: SUSE-RU-2020:1640-1: important: 
Recommended update for grub2 Message-ID: <20200617191321.488B3F749@maintenance.suse.de> SUSE Recommended Update: Recommended update for grub2 ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1640-1 Rating: important References: #1166409 #1166513 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for grub2 fixes the following issues: - Implement support searching for specific config files for netboot. (bsc#1166409) - Skip zfcpdump kernel from the grub boot menu (bsc#1166513) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1640=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1640=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1640=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1640=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): grub2-2.02-19.41.1 grub2-debuginfo-2.02-19.41.1 - SUSE Linux Enterprise Server for SAP 15 (ppc64le): grub2-powerpc-ieee1275-2.02-19.41.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): grub2-debugsource-2.02-19.41.1 grub2-i386-pc-2.02-19.41.1 grub2-x86_64-efi-2.02-19.41.1 grub2-x86_64-xen-2.02-19.41.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): grub2-snapper-plugin-2.02-19.41.1 grub2-systemd-sleep-plugin-2.02-19.41.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): grub2-2.02-19.41.1 grub2-debuginfo-2.02-19.41.1 grub2-debugsource-2.02-19.41.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64): grub2-arm64-efi-2.02-19.41.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): grub2-snapper-plugin-2.02-19.41.1 grub2-systemd-sleep-plugin-2.02-19.41.1 - SUSE Linux Enterprise Server 15-LTSS (s390x): grub2-s390x-emu-2.02-19.41.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): grub2-2.02-19.41.1 grub2-debuginfo-2.02-19.41.1 grub2-debugsource-2.02-19.41.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64): grub2-arm64-efi-2.02-19.41.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): grub2-snapper-plugin-2.02-19.41.1 grub2-systemd-sleep-plugin-2.02-19.41.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): grub2-i386-pc-2.02-19.41.1 grub2-x86_64-efi-2.02-19.41.1 grub2-x86_64-xen-2.02-19.41.1 - SUSE Linux Enterprise High 
Performance Computing 15-ESPOS (aarch64 x86_64): grub2-2.02-19.41.1 grub2-debuginfo-2.02-19.41.1 grub2-debugsource-2.02-19.41.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64): grub2-arm64-efi-2.02-19.41.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): grub2-snapper-plugin-2.02-19.41.1 grub2-systemd-sleep-plugin-2.02-19.41.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): grub2-i386-pc-2.02-19.41.1 grub2-x86_64-efi-2.02-19.41.1 grub2-x86_64-xen-2.02-19.41.1 References: https://bugzilla.suse.com/1166409 https://bugzilla.suse.com/1166513 From sle-updates at lists.suse.com Wed Jun 17 13:14:14 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 21:14:14 +0200 (CEST) Subject: SUSE-RU-2020:1638-1: moderate: Recommended update for google-worksans-fonts Message-ID: <20200617191414.9A8E2F749@maintenance.suse.de> SUSE Recommended Update: Recommended update for google-worksans-fonts ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1638-1 Rating: moderate References: #1172154 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for google-worksans-fonts fixes the following issues: - First package release 1.6+git145.18037a0 * Fix _service file to include TTF file instead of just overwriting the tarball. * Use fixed revision 18037a0b49722b70379d9bca074fa4503fb136bd instead of master. * Don't install WOFF files, TTF is good enough and in line with other fonts. * Pick TTF format fonts back: the desktop needs ttf to render gui program. (jsc#SLE-12421, bsc#1172154) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1638=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): google-worksans-fonts-1.6+git145.18037a0-3.3.1 References: https://bugzilla.suse.com/1172154 From sle-updates at lists.suse.com Wed Jun 17 13:14:59 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 21:14:59 +0200 (CEST) Subject: SUSE-RU-2020:1639-1: moderate: Recommended update for python3-ec2imgutils Message-ID: <20200617191459.8D65AF749@maintenance.suse.de> SUSE Recommended Update: Recommended update for python3-ec2imgutils ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1639-1 Rating: moderate References: #1171933 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for python3-ec2imgutils contains the following fixes: - Update to version 8.0.0 (bsc#1171933) + Incompatible command line argument change for ec2publishimg. The --allow-copy option is no longer a boolean. It now supports the image and none keywords as well as a comma separated list of AWS account numbers. + Support having the snapshot copy permissions set differently than the image copy permissions. This supports published image aggregation into AWS MP. + ec2uploadimg tags the helper instance Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15-SP1: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-1639=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (noarch): python3-ec2imgutils-8.0.0-3.12.4 References: https://bugzilla.suse.com/1171933 From sle-updates at lists.suse.com Wed Jun 17 13:15:45 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 17 Jun 2020 21:15:45 +0200 (CEST) Subject: SUSE-RU-2020:1641-1: moderate: Recommended update for SAPHanaSR-ScaleOut Message-ID: <20200617191545.01460F749@maintenance.suse.de> SUSE Recommended Update: Recommended update for SAPHanaSR-ScaleOut ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1641-1 Rating: moderate References: #1156067 #1156150 #1157685 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update for SAPHanaSR-ScaleOut fixes the following issues: - Restart 'sapstartsrv' service on master nameserver node. (bsc#1156150) - Use a fall-back scoring for the master nameserver nodes, if the current roles of the node(s) got lost. (bsc#1156067) - SAPHanaSR-ScaleOut-doc will no longer be installable when SAPHanaSR-doc is installed (bsc#1157685) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP5: zypper in -t patch SUSE-SLE-SAP-12-SP5-2020-1641=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-1641=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1641=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1641=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP5 (noarch): SAPHanaSR-ScaleOut-0.164.0-3.14.1 SAPHanaSR-ScaleOut-doc-0.164.0-3.14.1 - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): SAPHanaSR-ScaleOut-0.164.0-3.14.1 SAPHanaSR-ScaleOut-doc-0.164.0-3.14.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): SAPHanaSR-ScaleOut-0.164.0-3.14.1 SAPHanaSR-ScaleOut-doc-0.164.0-3.14.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): SAPHanaSR-ScaleOut-0.164.0-3.14.1 References: https://bugzilla.suse.com/1156067 https://bugzilla.suse.com/1156150 https://bugzilla.suse.com/1157685 From sle-updates at lists.suse.com Wed Jun 17 16:17:36 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 00:17:36 +0200 (CEST) Subject: SUSE-RU-2020:1643-1: moderate: Recommended update for release-notes-susemanager Message-ID: <20200617221736.30EEBFD07@maintenance.suse.de> SUSE Recommended Update: Recommended update for release-notes-susemanager ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1643-1 Rating: moderate References: #1171954 Affected Products: SUSE Manager Server 3.2 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for release-notes-susemanager fixes the following issues: - Fix typo in 3.2.14 version number in the "version history" section. 
(bsc#1171954) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Server 3.2: zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-1643=1 Package List: - SUSE Manager Server 3.2 (ppc64le s390x x86_64): release-notes-susemanager-3.2.14-6.53.1 References: https://bugzilla.suse.com/1171954 From sle-updates at lists.suse.com Thu Jun 18 04:13:13 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 12:13:13 +0200 (CEST) Subject: SUSE-RU-2020:1644-1: moderate: Recommended update for powerpc-utils Message-ID: <20200618101313.C9F3CF749@maintenance.suse.de> SUSE Recommended Update: Recommended update for powerpc-utils ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1644-1 Rating: moderate References: #1160890 #1164068 #1164726 #1171892 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has four recommended fixes can now be installed. Description: This update for powerpc-utils fixes the following issues: - Could not retrieve logical device name for Open Firmware path. (bsc#1164068) - Stop using /sbin/udevadm symlink. (bsc#1160890) - Remove a trailing NUL ('\0') byte from a vendor_id contents. (bsc#1171892) - Reduce the number of searches of /sys by searching directly in /sys/class/block. (bsc#1164726) - Reduce the number of searches of /sys by caching the content of a single search into a file in /tmp. (bsc#1164726) - Fixed one instance where the previous change corrupted the exit status of a command. (bsc#1164068) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1644=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (ppc64le): powerpc-utils-1.3.7.1-3.15.1 powerpc-utils-debuginfo-1.3.7.1-3.15.1 powerpc-utils-debugsource-1.3.7.1-3.15.1 References: https://bugzilla.suse.com/1160890 https://bugzilla.suse.com/1164068 https://bugzilla.suse.com/1164726 https://bugzilla.suse.com/1171892 From sle-updates at lists.suse.com Thu Jun 18 07:12:43 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 15:12:43 +0200 (CEST) Subject: SUSE-SU-2020:1671-1: important: Security update for the Linux Kernel (Live Patch 11 for SLE 15) Message-ID: <20200618131243.B9364F749@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 11 for SLE 15) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1671-1 Rating: important References: #1171746 #1172140 #1172437 Cross-References: CVE-2018-1000199 CVE-2019-15666 CVE-2020-10757 Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Module for Live Patching 15 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-150_22 fixes several issues. The following security issues were fixed: - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437). - CVE-2019-15666: Fixed an out of bounds read in __xfrm_policy_unlink, which could have led to denial of service (bsc#1172140). - CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1171746).
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-1652=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1653=1 - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-1669=1 SUSE-SLE-Module-Live-Patching-15-2020-1670=1 SUSE-SLE-Module-Live-Patching-15-2020-1671=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-197_10-default-8-2.1 kernel-livepatch-4_12_14-197_15-default-8-2.1 - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-150_22-default-9-2.1 kernel-livepatch-4_12_14-150_22-default-debuginfo-9-2.1 kernel-livepatch-4_12_14-150_27-default-8-2.1 kernel-livepatch-4_12_14-150_27-default-debuginfo-8-2.1 kernel-livepatch-4_12_14-150_32-default-8-2.1 kernel-livepatch-4_12_14-150_32-default-debuginfo-8-2.1 References: https://www.suse.com/security/cve/CVE-2018-1000199.html https://www.suse.com/security/cve/CVE-2019-15666.html https://www.suse.com/security/cve/CVE-2020-10757.html https://bugzilla.suse.com/1171746 https://bugzilla.suse.com/1172140 https://bugzilla.suse.com/1172437 From sle-updates at lists.suse.com Thu Jun 18 07:13:38 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 15:13:38 +0200 (CEST) Subject: SUSE-SU-2020:1660-1: moderate: Security update for gnuplot Message-ID: <20200618131338.8E36EF749@maintenance.suse.de> SUSE Security Update: Security update for gnuplot ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1660-1 Rating: moderate References: #1044638 #1117463 #1117464 #1117465 Cross-References: CVE-2017-9670 
CVE-2018-19490 CVE-2018-19491 CVE-2018-19492 Affected Products: SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for gnuplot fixes the following issues: Following security issues were fixed: - CVE-2018-19492: Fixed a buffer overflow in cairotrm_options function (bsc#1117463) - CVE-2018-19491: Fixed a buffer overflow in the PS_options function (bsc#1117464) - CVE-2018-19490: Fixed a heap-based buffer overflow in the df_generate_ascii_array_entry function (bsc#1117465) - CVE-2017-9670: Fixed an uninitialized stack variable vulnerability which could lead to a Denial of Service (bsc#1044638) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1660=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1660=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): gnuplot-4.6.5-3.3.74 gnuplot-debuginfo-4.6.5-3.3.74 gnuplot-debugsource-4.6.5-3.3.74 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): gnuplot-4.6.5-3.3.74 gnuplot-debuginfo-4.6.5-3.3.74 gnuplot-debugsource-4.6.5-3.3.74 References: https://www.suse.com/security/cve/CVE-2017-9670.html https://www.suse.com/security/cve/CVE-2018-19490.html https://www.suse.com/security/cve/CVE-2018-19491.html https://www.suse.com/security/cve/CVE-2018-19492.html https://bugzilla.suse.com/1044638 https://bugzilla.suse.com/1117463 https://bugzilla.suse.com/1117464 https://bugzilla.suse.com/1117465 From sle-updates at lists.suse.com Thu Jun 18 07:14:42 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date:
Thu, 18 Jun 2020 15:14:42 +0200 (CEST) Subject: SUSE-SU-2020:1664-1: moderate: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Message-ID: <20200618131442.A41D2F749@maintenance.suse.de> SUSE Security Update: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1664-1 Rating: moderate References: #1172377 Cross-References: CVE-2020-13401 Affected Products: SUSE Linux Enterprise Module for Containers 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Docker was updated to 19.03.11-ce runc was updated to version 1.0.0-rc10 containerd was updated to version 1.2.13 - CVE-2020-13401: Fixed an issue where an attacker with CAP_NET_RAW capability, could have crafted IPv6 router advertisements, and spoof external IPv6 hosts, resulting in obtaining sensitive information or causing denial of service (bsc#1172377). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Containers 12: zypper in -t patch SUSE-SLE-Module-Containers-12-2020-1664=1 Package List: - SUSE Linux Enterprise Module for Containers 12 (ppc64le s390x x86_64): containerd-1.2.13-16.29.1 docker-19.03.11_ce-98.54.1 docker-debuginfo-19.03.11_ce-98.54.1 docker-libnetwork-0.7.0.1+gitr2902_153d0769a118-31.1 docker-libnetwork-debuginfo-0.7.0.1+gitr2902_153d0769a118-31.1 docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-1.46.1 References: https://www.suse.com/security/cve/CVE-2020-13401.html https://bugzilla.suse.com/1172377 From sle-updates at lists.suse.com Thu Jun 18 07:15:22 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 15:15:22 +0200 (CEST) Subject: SUSE-SU-2020:1658-1: moderate: Security update for gegl Message-ID: <20200618131522.77947F749@maintenance.suse.de> SUSE Security Update: Security update for gegl ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1658-1 Rating: moderate References: #1089731 Cross-References: CVE-2018-10113 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Workstation Extension 12-SP4 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for gegl fixes the following issues: - CVE-2018-10113: The process function in operations/external/ppm-load.c has unbounded memory allocation, leading to a denial of service (application crash) upon allocation failure. (bsc#1089731) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1658=1 - SUSE Linux Enterprise Workstation Extension 12-SP4: zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1658=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1658=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1658=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (noarch): gegl-0_2-lang-0.2.0-15.3.99 - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): gegl-0_2-0.2.0-15.3.99 gegl-0_2-debuginfo-0.2.0-15.3.99 gegl-debuginfo-0.2.0-15.3.99 gegl-debugsource-0.2.0-15.3.99 libgegl-0_2-0-0.2.0-15.3.99 libgegl-0_2-0-debuginfo-0.2.0-15.3.99 - SUSE Linux Enterprise Workstation Extension 12-SP4 (noarch): gegl-0_2-lang-0.2.0-15.3.99 - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64): gegl-0_2-0.2.0-15.3.99 gegl-0_2-debuginfo-0.2.0-15.3.99 gegl-debuginfo-0.2.0-15.3.99 gegl-debugsource-0.2.0-15.3.99 libgegl-0_2-0-0.2.0-15.3.99 libgegl-0_2-0-debuginfo-0.2.0-15.3.99 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): gegl-debuginfo-0.2.0-15.3.99 gegl-debugsource-0.2.0-15.3.99 gegl-devel-0.2.0-15.3.99 libgegl-0_2-0-0.2.0-15.3.99 libgegl-0_2-0-debuginfo-0.2.0-15.3.99 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): gegl-debuginfo-0.2.0-15.3.99 gegl-debugsource-0.2.0-15.3.99 gegl-devel-0.2.0-15.3.99 libgegl-0_2-0-0.2.0-15.3.99 libgegl-0_2-0-debuginfo-0.2.0-15.3.99 References: https://www.suse.com/security/cve/CVE-2018-10113.html https://bugzilla.suse.com/1089731 From sle-updates at lists.suse.com Thu Jun 18 07:16:10 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 15:16:10 +0200 (CEST) Subject: SUSE-SU-2020:1646-1: important: Security update for the Linux 
Kernel (Live Patch 10 for SLE 15 SP1) Message-ID: <20200618131610.134BFF749@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 10 for SLE 15 SP1) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1646-1 Rating: important References: #1171746 #1172437 Cross-References: CVE-2018-1000199 CVE-2020-10757 Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Module for Live Patching 15 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-197_37 fixes several issues. The following security issues were fixed: - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437). - CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1171746). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-1645=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1646=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1647=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1648=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1649=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1650=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1651=1 - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-1665=1 SUSE-SLE-Module-Live-Patching-15-2020-1666=1 SUSE-SLE-Module-Live-Patching-15-2020-1667=1 SUSE-SLE-Module-Live-Patching-15-2020-1668=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-197_18-default-7-2.1 kernel-livepatch-4_12_14-197_21-default-7-2.1 kernel-livepatch-4_12_14-197_26-default-5-2.1 kernel-livepatch-4_12_14-197_29-default-5-2.1 kernel-livepatch-4_12_14-197_34-default-4-2.1 kernel-livepatch-4_12_14-197_37-default-4-2.1 kernel-livepatch-4_12_14-197_40-default-3-2.1 - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-150_35-default-7-2.1 kernel-livepatch-4_12_14-150_35-default-debuginfo-7-2.1 kernel-livepatch-4_12_14-150_38-default-7-2.1 kernel-livepatch-4_12_14-150_38-default-debuginfo-7-2.1 kernel-livepatch-4_12_14-150_41-default-5-2.1 kernel-livepatch-4_12_14-150_41-default-debuginfo-5-2.1 kernel-livepatch-4_12_14-150_47-default-5-2.1 kernel-livepatch-4_12_14-150_47-default-debuginfo-5-2.1 References: https://www.suse.com/security/cve/CVE-2018-1000199.html https://www.suse.com/security/cve/CVE-2020-10757.html https://bugzilla.suse.com/1171746 https://bugzilla.suse.com/1172437 From sle-updates at lists.suse.com Thu Jun 18 07:17:01 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 15:17:01 +0200 (CEST) Subject: 
SUSE-SU-2020:1663-1: important: Security update for the Linux Kernel Message-ID: <20200618131701.A96B8F749@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1663-1 Rating: important References: #1050244 #1051510 #1051858 #1058115 #1061840 #1065600 #1065729 #1071995 #1085030 #1086301 #1086313 #1086314 #1089895 #1109911 #1114279 #1118338 #1120386 #1134973 #1143959 #1144333 #1151910 #1151927 #1153917 #1154243 #1154824 #1156286 #1157155 #1157157 #1157692 #1158013 #1158021 #1158026 #1158265 #1158819 #1159028 #1159198 #1159271 #1159285 #1159394 #1159483 #1159484 #1159569 #1159588 #1159841 #1159908 #1159909 #1159910 #1159911 #1159955 #1160195 #1160210 #1160211 #1160218 #1160433 #1160442 #1160476 #1160560 #1160755 #1160756 #1160784 #1160787 #1160802 #1160803 #1160804 #1160917 #1160966 #1161087 #1161514 #1161518 #1161522 #1161523 #1161549 #1161552 #1161555 #1161674 #1161931 #1161933 #1161934 #1161935 #1161936 #1161937 #1161951 #1162067 #1162109 #1162139 #1162928 #1162929 #1162931 #1163971 #1164051 #1164069 #1164078 #1164705 #1164712 #1164727 #1164728 #1164729 #1164730 #1164731 #1164732 #1164733 #1164734 #1164735 #1164871 #1165111 #1165741 #1165873 #1165881 #1165984 #1165985 #1166969 #1167421 #1167423 #1167629 #1168075 #1168276 #1168295 #1168424 #1168670 #1168829 #1168854 #1169390 #1169514 #1169625 #1170056 #1170345 #1170617 #1170618 #1170621 #1170778 #1170901 #1171098 #1171189 #1171191 #1171195 #1171202 #1171205 #1171217 #1171218 #1171219 #1171220 #1171689 #1171982 #1171983 #1172221 #1172317 #1172453 #1172458 Cross-References: CVE-2018-1000199 CVE-2019-14615 CVE-2019-14896 CVE-2019-14897 CVE-2019-16994 CVE-2019-19036 CVE-2019-19045 CVE-2019-19054 CVE-2019-19318 CVE-2019-19319 CVE-2019-19447 CVE-2019-19462 CVE-2019-19768 CVE-2019-19770 CVE-2019-19965 CVE-2019-19966 CVE-2019-20054 CVE-2019-20095 CVE-2019-20096 CVE-2019-20810 CVE-2019-20812 
CVE-2019-3701 CVE-2019-9455 CVE-2019-9458 CVE-2020-0543 CVE-2020-10690 CVE-2020-10711 CVE-2020-10720 CVE-2020-10732 CVE-2020-10751 CVE-2020-10757 CVE-2020-10942 CVE-2020-11494 CVE-2020-11608 CVE-2020-11609 CVE-2020-11669 CVE-2020-12114 CVE-2020-12464 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 CVE-2020-12655 CVE-2020-12656 CVE-2020-12657 CVE-2020-12769 CVE-2020-13143 CVE-2020-2732 CVE-2020-7053 CVE-2020-8428 CVE-2020-8647 CVE-2020-8648 CVE-2020-8649 CVE-2020-8834 CVE-2020-8992 CVE-2020-9383 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Linux Enterprise High Availability 15 ______________________________________________________________________________ An update that solves 55 vulnerabilities and has 93 fixes is now available. Description: The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824). - CVE-2020-9383: Fixed an out-of-bounds read due to improper error condition check of FDC index (bsc#1165111). - CVE-2020-8992: Fixed an issue which could have allowed attackers to cause a soft lockup via a crafted journal size (bsc#1164069). - CVE-2020-8834: Fixed a stack corruption which could have led to kernel panic (bsc#1168276). - CVE-2020-8649: Fixed a use-after-free in the vgacon_invert_region function in drivers/video/console/vgacon.c (bsc#1162931). - CVE-2020-8648: Fixed a use-after-free in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bsc#1162928). 
- CVE-2020-8647: Fixed a use-after-free in the vc_do_resize function in drivers/tty/vt/vt.c (bsc#1162929). - CVE-2020-8428: Fixed a use-after-free which could have allowed local users to cause a denial of service (bsc#1162109). - CVE-2020-7053: Fixed a use-after-free in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c (bsc#1160966). - CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971). - CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982). - CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983). - CVE-2020-12657: Fixed a use-after-free in block/bfq-iosched.c (bsc#1171205). - CVE-2020-12656: Fixed an improper handling of certain domain_release calls which could have led to a memory leak (bsc#1171219). - CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217). - CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202). - CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195). - CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218). - CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901). - CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098). 
- CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390). - CVE-2020-11609: Fixed a null pointer dereference due to improper handling of descriptors (bsc#1168854). - CVE-2020-11608: Fixed null pointer dereferences via a crafted USB (bsc#1168829). - CVE-2020-11494: Fixed an issue which could have allowed attackers to read uninitialized can_frame data (bsc#1168424). - CVE-2020-10942: Fixed a kernel stack corruption via crafted system calls (bsc#1167629). - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317). - CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189). - CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220). - CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778). - CVE-2020-10711: Fixed a null pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191). - CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056). - CVE-2019-9458: Fixed a use after free due to a race condition which could have led to escalation of privilege (bsc#1168295). - CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345). - CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bsc#1120386). - CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453). - CVE-2019-20810: Fixed a memory leak in due to not calling snd_card_free (bsc#1172458). 
- CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which could have caused denial of service (bsc#1159908). - CVE-2019-20095: Fixed improper error-handling cases that did not free allocated hostcmd memory, which was causing a memory leak (bsc#1159909). - CVE-2019-20054: Fixed a null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bsc#1159910). - CVE-2019-19966: Fixed a use-after-free in cpia2_exit() which could have caused denial of service (bsc#1159841). - CVE-2019-19965: Fixed a null pointer dereference, due to mishandling of port disconnection during discovery (bsc#1159911). - CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198). - CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bsc#1159285). - CVE-2019-19462: Fixed an issue which could have allowed a local user to cause denial of service (bsc#1158265). - CVE-2019-19447: Fixed a use after free via a crafted ext4 filesystem image (bsc#1158819). - CVE-2019-19319: Fixed a use after free when a large old_size value is used in a memset call (bsc#1158021). - CVE-2019-19318: Fixed a use after free via a crafted btrfs image (bsc#1158026). - CVE-2019-19054: Fixed a memory leak in the cx23888_ir_probe() which could have allowed attackers to cause a denial of service (bsc#1161518). - CVE-2019-19045: Fixed a memory leak in which could have allowed attackers to cause a denial of service (bsc#1161522). - CVE-2019-19036: Fixed a null pointer dereference in btrfs_root_node (bsc#1157692). - CVE-2019-16994: Fixed a memory leak which might have caused denial of service (bsc#1161523). - CVE-2019-14897: Fixed a stack overflow in Marvell Wifi Driver (bsc#1157155). - CVE-2019-14896: Fixed a heap overflow in Marvell Wifi Driver (bsc#1157157). - CVE-2019-14615: Fixed an improper control flow in certain data structures which could have led to information disclosure (bsc#1160195). 
- CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895). The following non-security bugs were fixed: - 6pack,mkiss: fix possible deadlock (bsc#1051510). - ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510). - ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510). - ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510). - af_packet: set defaule value for tmo (bsc#1051510). - ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes). - ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes). - ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes). - ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes). - ALSA: hda/ca0132 - Avoid endless loop (git-fixes). - ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes). - ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes). - ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes). - ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes). - ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510). - ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510). - ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510). - ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes). - ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510). - ALSA: sh: Fix compile warning wrt const (git-fixes). - ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510). - ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510). - ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510). - arm64: Revert support for execute-only user mappings (bsc#1160218). - ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510). 
- ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510). - ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510). - ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510). - ASoC: wm8962: fix lambda value (git-fixes). - ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510). - ath9k: fix storage endpoint lookup (git-fixes). - a typo in %kernel_base_conflicts macro name - batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510). - bcma: remove set but not used variable 'sizel' (git-fixes). - blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285). - blktrace: fix dereference after null check (bsc#1159285). - blktrace: fix trace mutex deadlock (bsc#1159285). - bonding: fix active-backup transition after link failure (git-fixes). - bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510). - bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510). - brcmfmac: fix interface sanity check (git-fixes). - brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes). - brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes). - btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936). - btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483). - btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569). - btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067). - btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934). - btrfs: Ensure we trim ranges across block group boundary (bsc#1151910). - btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442). - btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243). - btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804). 
- btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433). - btrfs: fix missing data checksums after replaying a log tree (bsc#1161931). - btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802). - btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803). - btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692). - btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937). - btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973). - btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692). - btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931). - btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692). - btrfs: record all roots for rename exchange on a subvol (bsc#1161933). - btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588). - btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067). - btrfs: send, skip backreference walking for extents with many references (bsc#1162139). - btrfs: skip log replay on orphaned roots (bsc#1161935). - btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692). - btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692). - btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692). - btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692). - btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692). 
- btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692). - btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692). - btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692). - btrfs: tree-checker: Verify dev item (dependency for bsc#1157692). - btrfs: tree-checker: Verify inode item (dependency for bsc#1157692). - btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910). - can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510). - can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510). - can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510). - can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510). - cfg80211: check for set_wiphy_params (bsc#1051510). - cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510). - cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510). - cgroup: pids: use atomic64_t for pids->limit (bsc#1161514). 
- CIFS: add support for flock (bsc#1144333). - CIFS: Close cached root handle only if it had a lease (bsc#1144333). - CIFS: Close open handle after interrupted close (bsc#1144333). - CIFS: close the shared root handle on tree disconnect (bsc#1144333). - CIFS: Do not miss cancelled OPEN responses (bsc#1144333). - CIFS: Fix lookup of root ses in DFS referral cache (bsc#1144333). - CIFS: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333). - CIFS: Fix mount options set in automount (bsc#1144333). - CIFS: Fix NULL pointer dereference in mid callback (bsc#1144333). - CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333). - CIFS: Fix potential softlockups while refreshing DFS cache (bsc#1144333). - CIFS: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333). - CIFS: Fix use-after-free bug in cifs_reconnect() (bsc#1144333). - CIFS: Properly process SMB3 lease breaks (bsc#1144333). - CIFS: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333). - CIFS: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333). - clk: Do not try to enable critical clocks if prepare failed (bsc#1051510). - clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510). - clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510). - clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510). - clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510). - clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510). - clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510). - clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170621). - copy/pasted "Recommends:" instead of "Provides:", "Obsoletes:" and "Conflicts: - crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510). - crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510). - crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510). 
- crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510). - crypto: ccp - fix uninitialized list head (bsc#1051510). - crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510). - crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510). - crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510). - crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix). - debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198). Prerequisite for bsc#1159198. - debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: simplify __debugfs_remove_file() (bsc#1159198). Prerequisite for bsc#1159198. - dmaengine: coh901318: Fix a double-lock bug (bsc#1051510). - dmaengine: coh901318: Remove unused variable (bsc#1051510). - dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510). - dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510). - drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993). 
- drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510). - drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170617). - drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170617). - drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618). - drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170617). - drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510). - drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510). - drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510). - drm: bridge: dw-hdmi: constify copied structure (bsc#1051510). - drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510). - drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510). - drm/i810: Prevent underflow in ioctl (bsc#1114279) - drm/i915: Add missing include file (bsc#1051510). - drm/i915: Fix pid leak with banned clients (bsc#1114279) - drm: limit to INT_MAX in create_blob ioctl (bsc#1051510). - drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510). - drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510). - drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510). 
- drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028) - drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279) - drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510). - drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510). - e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510). - exit: panic before exit_mm() on global init exit (bsc#1161549). - extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510). - firestream: fix memory leaks (bsc#1051510). - fix autofs regression caused by follow_managed() changes (bsc#1159271). - fix dget_parent() fastpath race (bsc#1159271). - Fix partial checked out tree build ... so that bisection does not break. - fjes: fix missed check in fjes_acpi_add (bsc#1051510). - fs: cifs: Fix atime update check vs mtime (bsc#1144333). - fs/namei.c: fix missing barriers when checking positivity (bsc#1159271). - fs/namei.c: pull positivity check into follow_managed() (bsc#1159271). - fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985). - ftrace: Avoid potential division by zero in function profiler (bsc#1160784). - futex: Prevent robust futex exit race (bsc#1161555). - gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510). - HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510). - HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510). - hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510). - HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510). - hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510). - hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510). - hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510). - i2c: imx: do not print error message on probe defer (bsc#1051510). - IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. 
- ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983). - ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611). - iio: adc: max9611: Fix too short conversion time delay (bsc#1051510). - iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510). - inet: protect against too small mtu values (networking-stable-19_12_16). - Input: add safety guards to input_set_keycode() (bsc#1168075). - Input: aiptek - fix endpoint sanity check (bsc#1051510). - Input: cyttsp4_core - fix use after free bug (bsc#1051510). - Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510). - Input: gtco - fix endpoint sanity check (bsc#1051510). - Input: keyspan-remote - fix control-message timeouts (bsc#1051510). - Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510). - Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510). - Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510). - Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510). - Input: sur40 - fix interface sanity checks (bsc#1051510). - Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510). - Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510). - Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510). - iommu: Remove device link to group on failure (bsc#1160755). - iommu/vt-d: Unlink device if failed to add to group (bsc#1160756). - iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes). - iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510). - iwlwifi: mvm: synchronize TID queue removal (bsc#1051510). - kABI: protect struct sctp_ep_common (kabi). - kABI: restore debugfs_remove_recursive() (bsc#1159198). - kABI workaround for can/skb.h inclusion (bsc#1051510). 
- kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787). - KEYS: reaching the keys quotas correctly (bsc#1171689). - KVM: fix spectrev1 gadgets (bsc#1164705). - KVM: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476). - KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734). - KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728). - KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729). - KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712). - KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730). - KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733). - KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731). - KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732). - KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735). - KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705). - KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727). - leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674). - leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674). - lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510). - lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510). - livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995). - livepatch/selftest: Clean up shadow variable names and type (bsc#1071995). - mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510). - macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510). 
- macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510). - md/raid0: Fix buffer overflow at debug print (bsc#1164051). - media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510). - media: cec: report Vendor ID after initialization (bsc#1051510). - media: iguanair: fix endpoint sanity check (bsc#1051510). - media: ov519: add missing endpoint sanity checks (bsc#1168829). - media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510). - media: stkwebcam: Bugfix for wrong return values (bsc#1051510). - media: stv06xx: add missing descriptor sanity checks (bsc#1168854). - media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510). - media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510). - media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510). - missing escaping of backslashes in macro expansions Fixes: f3b74b0ae86b ("rpm/kernel-subpackage-spec: Unify dependency handling.") Fixes: 3fd22e219f77 ("rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)") - mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510). - mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510). - mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510). - mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support" (bsc#1051510). - mmc: tegra: fix SDR50 tuning override (bsc#1051510). - mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993). - mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394). - mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes). - net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16). - net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423). - net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16). 
- netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes). - net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25). - net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25). - net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858). - net: psample: fix skb_over_panic (networking-stable-19_12_03). - net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25). - net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25). - net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03). - net: usb: lan78xx: limit size of local TSO packets (bsc#1051510). - net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18). - new helper: lookup_positive_unlocked() (bsc#1159271). - NFC: pn533: fix bulk-message timeout (bsc#1051510). - NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes). - objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514). - openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03). - openvswitch: remove another BUG_ON() (networking-stable-19_12_03). - openvswitch: support asymmetric conntrack (networking-stable-19_12_16). - orinoco_usb: fix interface sanity check (git-fixes). - PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510). - PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510). - phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510). - pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510). - pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510). - platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510). - platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510). - platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510). 
- powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17). - powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17). - powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729). - powerpc: Fix vDSO clock_getres() (bsc#1065729). - powerpc/irq: fix stack overflow verification (bsc#1065729). - powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729). - powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840). - powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729). - powerpc/powernv: Disable native PCIe port management (bsc#1065729). - powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729). - powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734). - powerpc/tools: Do not quote $objdump in scripts (bsc#1065729). - powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030). - powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030). - powerpc/xmon: do not access ASDR in VMs (bsc#1065729). - ppp: Adjust indentation into ppp_async_input (git-fixes). - prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286). - pstore/ram: Write new dumps to start of recycled zones (bsc#1051510). - qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301 ). - r8152: add missing endpoint sanity check (bsc#1051510). - random: always use batched entropy for get_random_u{32,64} (bsc#1164871). - RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244). - regulator: Fix return value of _set_load() stub (bsc#1051510). - regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510). - regulator: rn5t618: fix module aliases (bsc#1051510). - Revert "Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers" (bsc#1051510). 
- Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" (bsc#1172221). - Revert "mmc: sdhci: Fix incorrect switch to HS mode" (bsc#1051510). - rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510). - rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510). - rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510). - rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510). - rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510). - scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551). - scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). - scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013). - scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013). - scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013). - scsi: qla2xxx: Consolidate fabric scan (bsc#1158013). - scsi: qla2xxx: Correct fcport flags handling (bsc#1158013). - scsi: qla2xxx: Fix fabric scan hang (bsc#1158013). - scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013). - scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013). - scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013). - scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013). - scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013). - scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013). - scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013). - scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013). - scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013). - scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013). - scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013). - sctp: cache netns in sctp_ep_common (networking-stable-19_12_03). 
- serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510). - serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510). - serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510). - serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510). - serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510). - sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25). - sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510). - sh_eth: fix dumping ARSTR (bsc#1051510). - sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510). - sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510). - sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510). - sh_eth: fix TXALCR1 offsets (bsc#1051510). - sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510). - smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333). - smb3: Fix persistent handles reconnect (bsc#1144333). - smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333). - smb3: remove confusing dmesg when mounting with encryption ("seal") (bsc#1144333). - soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510). - spi: tegra114: clear packed bit for unpacked mode (bsc#1051510). - spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510). - spi: tegra114: fix for unpacked mode transfers (bsc#1051510). - spi: tegra114: flush fifos (bsc#1051510). - spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510). - staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510). - Staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510). - staging: rtl8188eu: fix interface sanity check (bsc#1051510). - staging: wlan-ng: ensure error return is actually returned (bsc#1051510). 
- tcp: clear tp->packets_out when purging write queue (bsc#1160560). - tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159). - tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16). - tracing: Have the histogram compare functions convert to u64 first (bsc#1160210). - tracing: xen: Ordered comparison of function pointers (git-fixes). - tty: n_hdlc: fix build on SPARC (bsc#1051510). - tty/serial: atmel: Add is_half_duplex helper (bsc#1051510). - tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510). - tty: vt: keyboard: reject invalid keycodes (bsc#1051510). - USB: Allow USB device to be warm reset in suspended state (bsc#1051510). - USB: atm: ueagle-atm: add missing endpoint check (bsc#1051510). - USB: chipidea: host: Disable port power only if previously enabled (bsc#1051510). - USB: core: hub: Improved device recognition on remote wakeup (bsc#1051510). - USB: core: urb: fix URB structure initialization function (bsc#1051510). - USB: documentation: flags on usb-storage versus UAS (bsc#1051510). - USB: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510). - USB: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510). - USB: dwc3: ep0: Clear started flag on completion (bsc#1051510). - USB: dwc3: turn off VBUS when leaving host mode (bsc#1051510). - USB: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510). - USB: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510). - USB: gadget: pch_udc: fix use after free (bsc#1051510). - USB: gadget: u_serial: add missing port entry locking (bsc#1051510). - USB: gadget: Zero ffs_io_data (bsc#1051510). - USB: host: xhci-hub: fix extra endianness conversion (bsc#1051510). - usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510). - USB: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510). - USB: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510). 
- USB: musb: fix idling for suspend after disconnect interrupt (bsc#1051510). - USB: serial: ch341: handle unbound port at reset_resume (bsc#1051510). - USB: serial: io_edgeport: add missing active-port sanity check (bsc#1051510). - USB: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510). - USB: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510). - USB: serial: ir-usb: add missing endpoint sanity check (bsc#1051510). - USB: serial: ir-usb: fix IrLAP framing (bsc#1051510). - USB: serial: ir-usb: fix link-speed handling (bsc#1051510). - USB: serial: keyspan: handle unbound ports (bsc#1051510). - USB: serial: opticon: fix control-message timeouts (bsc#1051510). - USB: serial: option: Add support for Quectel RM500Q (bsc#1051510). - USB: serial: quatech2: handle unbound ports (bsc#1051510). - USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510). - USB: serial: suppress driver bind attributes (bsc#1051510). - USB: typec: tcpci: mask event interrupts when remove driver (bsc#1051510). - USB: uas: heed CAPACITY_HEURISTICS (bsc#1051510). - USB: uas: honor flag to avoid CAPACITY16 (bsc#1051510). - USB: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510). - workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211). - x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115). - x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115). - x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115). - x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115). - x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170621). - x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170617). - x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170617). - x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170617). 
- x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170617). - x86/Hyper-V: report value of misc_features (git-fixes). - x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170617). - x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170617). - x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279). - x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279). - x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279). - x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279). - x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279). - x86/mm: Split vmalloc_sync_all() (bsc#1165741). - x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279). - x86/resctrl: Fix potential memory leak (bsc#1114279). - x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115). - x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115). - x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115). - x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115). - x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115). - x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115). - x86/xen: fix booting 32-bit pv guest (bsc#1071995). - x86/xen: Make the boot CPU idle task reliable (bsc#1071995). - x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995). - xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600). - xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917). - xfrm: Fix transport mode skb control buffer usage (bsc#1161552). - xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873). - xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984). - xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917). 
- xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510). - xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510). - xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510). - xhci: make sure interrupts are restored to correct state (bsc#1051510). - zd1211rw: fix storage endpoint lookup (git-fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1663=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1663=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1663=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1663=1 - SUSE Linux Enterprise High Availability 15: zypper in -t patch SUSE-SLE-Product-HA-15-2020-1663=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): kernel-default-4.12.14-150.52.1 kernel-default-base-4.12.14-150.52.1 kernel-default-debuginfo-4.12.14-150.52.1 kernel-default-debugsource-4.12.14-150.52.1 kernel-default-devel-4.12.14-150.52.1 kernel-default-devel-debuginfo-4.12.14-150.52.1 kernel-obs-build-4.12.14-150.52.1 kernel-obs-build-debugsource-4.12.14-150.52.1 kernel-syms-4.12.14-150.52.1 kernel-vanilla-base-4.12.14-150.52.1 kernel-vanilla-base-debuginfo-4.12.14-150.52.1 kernel-vanilla-debuginfo-4.12.14-150.52.1 kernel-vanilla-debugsource-4.12.14-150.52.1 reiserfs-kmp-default-4.12.14-150.52.1 reiserfs-kmp-default-debuginfo-4.12.14-150.52.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): kernel-devel-4.12.14-150.52.1 kernel-docs-4.12.14-150.52.1 
kernel-macros-4.12.14-150.52.1 kernel-source-4.12.14-150.52.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): kernel-default-4.12.14-150.52.1 kernel-default-base-4.12.14-150.52.1 kernel-default-debuginfo-4.12.14-150.52.1 kernel-default-debugsource-4.12.14-150.52.1 kernel-default-devel-4.12.14-150.52.1 kernel-default-devel-debuginfo-4.12.14-150.52.1 kernel-obs-build-4.12.14-150.52.1 kernel-obs-build-debugsource-4.12.14-150.52.1 kernel-syms-4.12.14-150.52.1 kernel-vanilla-base-4.12.14-150.52.1 kernel-vanilla-base-debuginfo-4.12.14-150.52.1 kernel-vanilla-debuginfo-4.12.14-150.52.1 kernel-vanilla-debugsource-4.12.14-150.52.1 reiserfs-kmp-default-4.12.14-150.52.1 reiserfs-kmp-default-debuginfo-4.12.14-150.52.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): kernel-devel-4.12.14-150.52.1 kernel-docs-4.12.14-150.52.1 kernel-macros-4.12.14-150.52.1 kernel-source-4.12.14-150.52.1 - SUSE Linux Enterprise Server 15-LTSS (s390x): kernel-default-man-4.12.14-150.52.1 kernel-zfcpdump-debuginfo-4.12.14-150.52.1 kernel-zfcpdump-debugsource-4.12.14-150.52.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): kernel-default-4.12.14-150.52.1 kernel-default-base-4.12.14-150.52.1 kernel-default-debuginfo-4.12.14-150.52.1 kernel-default-debugsource-4.12.14-150.52.1 kernel-default-devel-4.12.14-150.52.1 kernel-default-devel-debuginfo-4.12.14-150.52.1 kernel-obs-build-4.12.14-150.52.1 kernel-obs-build-debugsource-4.12.14-150.52.1 kernel-syms-4.12.14-150.52.1 kernel-vanilla-base-4.12.14-150.52.1 kernel-vanilla-base-debuginfo-4.12.14-150.52.1 kernel-vanilla-debuginfo-4.12.14-150.52.1 kernel-vanilla-debugsource-4.12.14-150.52.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): kernel-devel-4.12.14-150.52.1 kernel-docs-4.12.14-150.52.1 kernel-macros-4.12.14-150.52.1 kernel-source-4.12.14-150.52.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): kernel-default-4.12.14-150.52.1 kernel-default-base-4.12.14-150.52.1 
kernel-default-debuginfo-4.12.14-150.52.1 kernel-default-debugsource-4.12.14-150.52.1 kernel-default-devel-4.12.14-150.52.1 kernel-default-devel-debuginfo-4.12.14-150.52.1 kernel-obs-build-4.12.14-150.52.1 kernel-obs-build-debugsource-4.12.14-150.52.1 kernel-syms-4.12.14-150.52.1 kernel-vanilla-base-4.12.14-150.52.1 kernel-vanilla-base-debuginfo-4.12.14-150.52.1 kernel-vanilla-debuginfo-4.12.14-150.52.1 kernel-vanilla-debugsource-4.12.14-150.52.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): kernel-devel-4.12.14-150.52.1 kernel-docs-4.12.14-150.52.1 kernel-macros-4.12.14-150.52.1 kernel-source-4.12.14-150.52.1 - SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64): cluster-md-kmp-default-4.12.14-150.52.1 cluster-md-kmp-default-debuginfo-4.12.14-150.52.1 dlm-kmp-default-4.12.14-150.52.1 dlm-kmp-default-debuginfo-4.12.14-150.52.1 gfs2-kmp-default-4.12.14-150.52.1 gfs2-kmp-default-debuginfo-4.12.14-150.52.1 kernel-default-debuginfo-4.12.14-150.52.1 kernel-default-debugsource-4.12.14-150.52.1 ocfs2-kmp-default-4.12.14-150.52.1 ocfs2-kmp-default-debuginfo-4.12.14-150.52.1 References: https://www.suse.com/security/cve/CVE-2018-1000199.html https://www.suse.com/security/cve/CVE-2019-14615.html https://www.suse.com/security/cve/CVE-2019-14896.html https://www.suse.com/security/cve/CVE-2019-14897.html https://www.suse.com/security/cve/CVE-2019-16994.html https://www.suse.com/security/cve/CVE-2019-19036.html https://www.suse.com/security/cve/CVE-2019-19045.html https://www.suse.com/security/cve/CVE-2019-19054.html https://www.suse.com/security/cve/CVE-2019-19318.html https://www.suse.com/security/cve/CVE-2019-19319.html https://www.suse.com/security/cve/CVE-2019-19447.html https://www.suse.com/security/cve/CVE-2019-19462.html https://www.suse.com/security/cve/CVE-2019-19768.html https://www.suse.com/security/cve/CVE-2019-19770.html https://www.suse.com/security/cve/CVE-2019-19965.html 
https://www.suse.com/security/cve/CVE-2019-19966.html https://www.suse.com/security/cve/CVE-2019-20054.html https://www.suse.com/security/cve/CVE-2019-20095.html https://www.suse.com/security/cve/CVE-2019-20096.html https://www.suse.com/security/cve/CVE-2019-20810.html https://www.suse.com/security/cve/CVE-2019-20812.html https://www.suse.com/security/cve/CVE-2019-3701.html https://www.suse.com/security/cve/CVE-2019-9455.html https://www.suse.com/security/cve/CVE-2019-9458.html https://www.suse.com/security/cve/CVE-2020-0543.html https://www.suse.com/security/cve/CVE-2020-10690.html https://www.suse.com/security/cve/CVE-2020-10711.html https://www.suse.com/security/cve/CVE-2020-10720.html https://www.suse.com/security/cve/CVE-2020-10732.html https://www.suse.com/security/cve/CVE-2020-10751.html https://www.suse.com/security/cve/CVE-2020-10757.html https://www.suse.com/security/cve/CVE-2020-10942.html https://www.suse.com/security/cve/CVE-2020-11494.html https://www.suse.com/security/cve/CVE-2020-11608.html https://www.suse.com/security/cve/CVE-2020-11609.html https://www.suse.com/security/cve/CVE-2020-11669.html https://www.suse.com/security/cve/CVE-2020-12114.html https://www.suse.com/security/cve/CVE-2020-12464.html https://www.suse.com/security/cve/CVE-2020-12652.html https://www.suse.com/security/cve/CVE-2020-12653.html https://www.suse.com/security/cve/CVE-2020-12654.html https://www.suse.com/security/cve/CVE-2020-12655.html https://www.suse.com/security/cve/CVE-2020-12656.html https://www.suse.com/security/cve/CVE-2020-12657.html https://www.suse.com/security/cve/CVE-2020-12769.html https://www.suse.com/security/cve/CVE-2020-13143.html https://www.suse.com/security/cve/CVE-2020-2732.html https://www.suse.com/security/cve/CVE-2020-7053.html https://www.suse.com/security/cve/CVE-2020-8428.html https://www.suse.com/security/cve/CVE-2020-8647.html https://www.suse.com/security/cve/CVE-2020-8648.html https://www.suse.com/security/cve/CVE-2020-8649.html 
https://www.suse.com/security/cve/CVE-2020-8834.html https://www.suse.com/security/cve/CVE-2020-8992.html https://www.suse.com/security/cve/CVE-2020-9383.html https://bugzilla.suse.com/1050244 https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1051858 https://bugzilla.suse.com/1058115 https://bugzilla.suse.com/1061840 https://bugzilla.suse.com/1065600 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1086301 https://bugzilla.suse.com/1086313 https://bugzilla.suse.com/1086314 https://bugzilla.suse.com/1089895 https://bugzilla.suse.com/1109911 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1118338 https://bugzilla.suse.com/1120386 https://bugzilla.suse.com/1134973 https://bugzilla.suse.com/1143959 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1151910 https://bugzilla.suse.com/1151927 https://bugzilla.suse.com/1153917 https://bugzilla.suse.com/1154243 https://bugzilla.suse.com/1154824 https://bugzilla.suse.com/1156286 https://bugzilla.suse.com/1157155 https://bugzilla.suse.com/1157157 https://bugzilla.suse.com/1157692 https://bugzilla.suse.com/1158013 https://bugzilla.suse.com/1158021 https://bugzilla.suse.com/1158026 https://bugzilla.suse.com/1158265 https://bugzilla.suse.com/1158819 https://bugzilla.suse.com/1159028 https://bugzilla.suse.com/1159198 https://bugzilla.suse.com/1159271 https://bugzilla.suse.com/1159285 https://bugzilla.suse.com/1159394 https://bugzilla.suse.com/1159483 https://bugzilla.suse.com/1159484 https://bugzilla.suse.com/1159569 https://bugzilla.suse.com/1159588 https://bugzilla.suse.com/1159841 https://bugzilla.suse.com/1159908 https://bugzilla.suse.com/1159909 https://bugzilla.suse.com/1159910 https://bugzilla.suse.com/1159911 https://bugzilla.suse.com/1159955 https://bugzilla.suse.com/1160195 https://bugzilla.suse.com/1160210 https://bugzilla.suse.com/1160211 https://bugzilla.suse.com/1160218 https://bugzilla.suse.com/1160433 
https://bugzilla.suse.com/1160442 https://bugzilla.suse.com/1160476 https://bugzilla.suse.com/1160560 https://bugzilla.suse.com/1160755 https://bugzilla.suse.com/1160756 https://bugzilla.suse.com/1160784 https://bugzilla.suse.com/1160787 https://bugzilla.suse.com/1160802 https://bugzilla.suse.com/1160803 https://bugzilla.suse.com/1160804 https://bugzilla.suse.com/1160917 https://bugzilla.suse.com/1160966 https://bugzilla.suse.com/1161087 https://bugzilla.suse.com/1161514 https://bugzilla.suse.com/1161518 https://bugzilla.suse.com/1161522 https://bugzilla.suse.com/1161523 https://bugzilla.suse.com/1161549 https://bugzilla.suse.com/1161552 https://bugzilla.suse.com/1161555 https://bugzilla.suse.com/1161674 https://bugzilla.suse.com/1161931 https://bugzilla.suse.com/1161933 https://bugzilla.suse.com/1161934 https://bugzilla.suse.com/1161935 https://bugzilla.suse.com/1161936 https://bugzilla.suse.com/1161937 https://bugzilla.suse.com/1161951 https://bugzilla.suse.com/1162067 https://bugzilla.suse.com/1162109 https://bugzilla.suse.com/1162139 https://bugzilla.suse.com/1162928 https://bugzilla.suse.com/1162929 https://bugzilla.suse.com/1162931 https://bugzilla.suse.com/1163971 https://bugzilla.suse.com/1164051 https://bugzilla.suse.com/1164069 https://bugzilla.suse.com/1164078 https://bugzilla.suse.com/1164705 https://bugzilla.suse.com/1164712 https://bugzilla.suse.com/1164727 https://bugzilla.suse.com/1164728 https://bugzilla.suse.com/1164729 https://bugzilla.suse.com/1164730 https://bugzilla.suse.com/1164731 https://bugzilla.suse.com/1164732 https://bugzilla.suse.com/1164733 https://bugzilla.suse.com/1164734 https://bugzilla.suse.com/1164735 https://bugzilla.suse.com/1164871 https://bugzilla.suse.com/1165111 https://bugzilla.suse.com/1165741 https://bugzilla.suse.com/1165873 https://bugzilla.suse.com/1165881 https://bugzilla.suse.com/1165984 https://bugzilla.suse.com/1165985 https://bugzilla.suse.com/1166969 https://bugzilla.suse.com/1167421 
https://bugzilla.suse.com/1167423 https://bugzilla.suse.com/1167629 https://bugzilla.suse.com/1168075 https://bugzilla.suse.com/1168276 https://bugzilla.suse.com/1168295 https://bugzilla.suse.com/1168424 https://bugzilla.suse.com/1168670 https://bugzilla.suse.com/1168829 https://bugzilla.suse.com/1168854 https://bugzilla.suse.com/1169390 https://bugzilla.suse.com/1169514 https://bugzilla.suse.com/1169625 https://bugzilla.suse.com/1170056 https://bugzilla.suse.com/1170345 https://bugzilla.suse.com/1170617 https://bugzilla.suse.com/1170618 https://bugzilla.suse.com/1170621 https://bugzilla.suse.com/1170778 https://bugzilla.suse.com/1170901 https://bugzilla.suse.com/1171098 https://bugzilla.suse.com/1171189 https://bugzilla.suse.com/1171191 https://bugzilla.suse.com/1171195 https://bugzilla.suse.com/1171202 https://bugzilla.suse.com/1171205 https://bugzilla.suse.com/1171217 https://bugzilla.suse.com/1171218 https://bugzilla.suse.com/1171219 https://bugzilla.suse.com/1171220 https://bugzilla.suse.com/1171689 https://bugzilla.suse.com/1171982 https://bugzilla.suse.com/1171983 https://bugzilla.suse.com/1172221 https://bugzilla.suse.com/1172317 https://bugzilla.suse.com/1172453 https://bugzilla.suse.com/1172458 From sle-updates at lists.suse.com Thu Jun 18 07:35:04 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 15:35:04 +0200 (CEST) Subject: SUSE-SU-2020:1662-1: important: Security update for perl Message-ID: <20200618133504.EF6F6F749@maintenance.suse.de> SUSE Security Update: Security update for perl ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1662-1 Rating: important References: #1102840 #1160039 #1170601 #1171863 #1171864 #1171866 Cross-References: CVE-2020-10543 CVE-2020-10878 CVE-2020-12723 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise 
Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves three vulnerabilities and has three fixes is now available. Description: This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863). - CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864). - CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed utf8 handling in perldoc by using 'term' instead of 'man' (bsc#1170601). - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digits only instead of four digits. (bsc#1102840) (bsc#1160039) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1662=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1662=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1662=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1662=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1662=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1662=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1662=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1662=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1662=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1662=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1662=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1662=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1662=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): perl-doc-5.18.2-12.23.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): perl-32bit-5.18.2-12.23.1 perl-5.18.2-12.23.1 perl-base-5.18.2-12.23.1 perl-base-debuginfo-5.18.2-12.23.1 perl-debuginfo-32bit-5.18.2-12.23.1 perl-debuginfo-5.18.2-12.23.1 perl-debugsource-5.18.2-12.23.1 - SUSE OpenStack Cloud 8 (noarch): perl-doc-5.18.2-12.23.1 - SUSE OpenStack Cloud 8 (x86_64): perl-32bit-5.18.2-12.23.1 perl-5.18.2-12.23.1 perl-base-5.18.2-12.23.1 perl-base-debuginfo-5.18.2-12.23.1 perl-debuginfo-32bit-5.18.2-12.23.1 perl-debuginfo-5.18.2-12.23.1 perl-debugsource-5.18.2-12.23.1 - SUSE OpenStack Cloud 7 (s390x x86_64): perl-32bit-5.18.2-12.23.1 perl-5.18.2-12.23.1 perl-base-5.18.2-12.23.1 
perl-base-debuginfo-5.18.2-12.23.1 perl-debuginfo-32bit-5.18.2-12.23.1 perl-debuginfo-5.18.2-12.23.1 perl-debugsource-5.18.2-12.23.1 - SUSE OpenStack Cloud 7 (noarch): perl-doc-5.18.2-12.23.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): perl-5.18.2-12.23.1 perl-base-5.18.2-12.23.1 perl-base-debuginfo-5.18.2-12.23.1 perl-debuginfo-5.18.2-12.23.1 perl-debugsource-5.18.2-12.23.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): perl-32bit-5.18.2-12.23.1 perl-debuginfo-32bit-5.18.2-12.23.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): perl-doc-5.18.2-12.23.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): perl-5.18.2-12.23.1 perl-base-5.18.2-12.23.1 perl-base-debuginfo-5.18.2-12.23.1 perl-debuginfo-5.18.2-12.23.1 perl-debugsource-5.18.2-12.23.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): perl-doc-5.18.2-12.23.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): perl-32bit-5.18.2-12.23.1 perl-debuginfo-32bit-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): perl-5.18.2-12.23.1 perl-base-5.18.2-12.23.1 perl-base-debuginfo-5.18.2-12.23.1 perl-debuginfo-5.18.2-12.23.1 perl-debugsource-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): perl-32bit-5.18.2-12.23.1 perl-debuginfo-32bit-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): perl-doc-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): perl-5.18.2-12.23.1 perl-base-5.18.2-12.23.1 perl-base-debuginfo-5.18.2-12.23.1 perl-debuginfo-5.18.2-12.23.1 perl-debugsource-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): perl-32bit-5.18.2-12.23.1 perl-debuginfo-32bit-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): perl-doc-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): perl-5.18.2-12.23.1 perl-base-5.18.2-12.23.1 perl-base-debuginfo-5.18.2-12.23.1 perl-debuginfo-5.18.2-12.23.1 
perl-debugsource-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): perl-32bit-5.18.2-12.23.1 perl-debuginfo-32bit-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): perl-doc-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): perl-doc-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): perl-32bit-5.18.2-12.23.1 perl-5.18.2-12.23.1 perl-base-5.18.2-12.23.1 perl-base-debuginfo-5.18.2-12.23.1 perl-debuginfo-32bit-5.18.2-12.23.1 perl-debuginfo-5.18.2-12.23.1 perl-debugsource-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): perl-5.18.2-12.23.1 perl-base-5.18.2-12.23.1 perl-base-debuginfo-5.18.2-12.23.1 perl-debuginfo-5.18.2-12.23.1 perl-debugsource-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): perl-32bit-5.18.2-12.23.1 perl-debuginfo-32bit-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): perl-doc-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): perl-32bit-5.18.2-12.23.1 perl-5.18.2-12.23.1 perl-base-5.18.2-12.23.1 perl-base-debuginfo-5.18.2-12.23.1 perl-debuginfo-32bit-5.18.2-12.23.1 perl-debuginfo-5.18.2-12.23.1 perl-debugsource-5.18.2-12.23.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): perl-doc-5.18.2-12.23.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): perl-5.18.2-12.23.1 perl-base-5.18.2-12.23.1 perl-base-debuginfo-5.18.2-12.23.1 perl-debuginfo-5.18.2-12.23.1 perl-debugsource-5.18.2-12.23.1 - SUSE Enterprise Storage 5 (x86_64): perl-32bit-5.18.2-12.23.1 perl-debuginfo-32bit-5.18.2-12.23.1 - SUSE Enterprise Storage 5 (noarch): perl-doc-5.18.2-12.23.1 - HPE Helion Openstack 8 (noarch): perl-doc-5.18.2-12.23.1 - HPE Helion Openstack 8 (x86_64): perl-32bit-5.18.2-12.23.1 perl-5.18.2-12.23.1 perl-base-5.18.2-12.23.1 perl-base-debuginfo-5.18.2-12.23.1 perl-debuginfo-32bit-5.18.2-12.23.1 perl-debuginfo-5.18.2-12.23.1 perl-debugsource-5.18.2-12.23.1 References: 
https://www.suse.com/security/cve/CVE-2020-10543.html https://www.suse.com/security/cve/CVE-2020-10878.html https://www.suse.com/security/cve/CVE-2020-12723.html https://bugzilla.suse.com/1102840 https://bugzilla.suse.com/1160039 https://bugzilla.suse.com/1170601 https://bugzilla.suse.com/1171863 https://bugzilla.suse.com/1171864 https://bugzilla.suse.com/1171866 From sle-updates at lists.suse.com Thu Jun 18 07:36:19 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 15:36:19 +0200 (CEST) Subject: SUSE-SU-2020:1659-1: Security update for guile Message-ID: <20200618133619.DC1CFF3D7@maintenance.suse.de> SUSE Security Update: Security update for guile ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1659-1 Rating: low References: #1004221 Cross-References: CVE-2016-8605 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Workstation Extension 12-SP4 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for guile fixes the following issues: - CVE-2016-8605: Fixed thread-unsafe umask modification (bsc#1004221). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1659=1 - SUSE Linux Enterprise Workstation Extension 12-SP4: zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1659=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1659=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1659=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): guile1-1.8.8-16.4.39 guile1-debuginfo-1.8.8-16.4.39 guile1-debugsource-1.8.8-16.4.39 libguile-srfi-srfi-1-v-3-3-1.8.8-16.4.39 libguile-srfi-srfi-1-v-3-3-debuginfo-1.8.8-16.4.39 libguile-srfi-srfi-13-14-v-3-3-1.8.8-16.4.39 libguile-srfi-srfi-13-14-v-3-3-debuginfo-1.8.8-16.4.39 libguile-srfi-srfi-4-v-3-3-1.8.8-16.4.39 libguile-srfi-srfi-4-v-3-3-debuginfo-1.8.8-16.4.39 libguile-srfi-srfi-60-v-2-2-1.8.8-16.4.39 libguile-srfi-srfi-60-v-2-2-debuginfo-1.8.8-16.4.39 libguile17-1.8.8-16.4.39 libguile17-debuginfo-1.8.8-16.4.39 libguilereadline-v-17-17-1.8.8-16.4.39 libguilereadline-v-17-17-debuginfo-1.8.8-16.4.39 - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64): guile1-1.8.8-16.4.39 guile1-debuginfo-1.8.8-16.4.39 guile1-debugsource-1.8.8-16.4.39 libguile-srfi-srfi-1-v-3-3-1.8.8-16.4.39 libguile-srfi-srfi-1-v-3-3-debuginfo-1.8.8-16.4.39 libguile-srfi-srfi-13-14-v-3-3-1.8.8-16.4.39 libguile-srfi-srfi-13-14-v-3-3-debuginfo-1.8.8-16.4.39 libguile-srfi-srfi-4-v-3-3-1.8.8-16.4.39 libguile-srfi-srfi-4-v-3-3-debuginfo-1.8.8-16.4.39 libguile-srfi-srfi-60-v-2-2-1.8.8-16.4.39 libguile-srfi-srfi-60-v-2-2-debuginfo-1.8.8-16.4.39 libguile17-1.8.8-16.4.39 libguile17-debuginfo-1.8.8-16.4.39 libguilereadline-v-17-17-1.8.8-16.4.39 libguilereadline-v-17-17-debuginfo-1.8.8-16.4.39 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): guile1-1.8.8-16.4.39 guile1-debuginfo-1.8.8-16.4.39 
guile1-debugsource-1.8.8-16.4.39 libguile-srfi-srfi-1-v-3-3-1.8.8-16.4.39 libguile-srfi-srfi-1-v-3-3-debuginfo-1.8.8-16.4.39 libguile-srfi-srfi-13-14-v-3-3-1.8.8-16.4.39 libguile-srfi-srfi-13-14-v-3-3-debuginfo-1.8.8-16.4.39 libguile-srfi-srfi-4-v-3-3-1.8.8-16.4.39 libguile-srfi-srfi-4-v-3-3-debuginfo-1.8.8-16.4.39 libguile-srfi-srfi-60-v-2-2-1.8.8-16.4.39 libguile-srfi-srfi-60-v-2-2-debuginfo-1.8.8-16.4.39 libguile1-devel-1.8.8-16.4.39 libguile17-1.8.8-16.4.39 libguile17-debuginfo-1.8.8-16.4.39 libguilereadline-v-17-17-1.8.8-16.4.39 libguilereadline-v-17-17-debuginfo-1.8.8-16.4.39 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): guile1-1.8.8-16.4.39 guile1-debuginfo-1.8.8-16.4.39 guile1-debugsource-1.8.8-16.4.39 libguile-srfi-srfi-1-v-3-3-1.8.8-16.4.39 libguile-srfi-srfi-1-v-3-3-debuginfo-1.8.8-16.4.39 libguile-srfi-srfi-13-14-v-3-3-1.8.8-16.4.39 libguile-srfi-srfi-13-14-v-3-3-debuginfo-1.8.8-16.4.39 libguile-srfi-srfi-4-v-3-3-1.8.8-16.4.39 libguile-srfi-srfi-4-v-3-3-debuginfo-1.8.8-16.4.39 libguile-srfi-srfi-60-v-2-2-1.8.8-16.4.39 libguile-srfi-srfi-60-v-2-2-debuginfo-1.8.8-16.4.39 libguile1-devel-1.8.8-16.4.39 libguile17-1.8.8-16.4.39 libguile17-debuginfo-1.8.8-16.4.39 libguilereadline-v-17-17-1.8.8-16.4.39 libguilereadline-v-17-17-debuginfo-1.8.8-16.4.39 References: https://www.suse.com/security/cve/CVE-2016-8605.html https://bugzilla.suse.com/1004221 From sle-updates at lists.suse.com Thu Jun 18 07:37:09 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 15:37:09 +0200 (CEST) Subject: SUSE-SU-2020:1657-1: moderate: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Message-ID: <20200618133709.52C54F3D7@maintenance.suse.de> SUSE Security Update: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1657-1 
Rating: moderate
References: #1172377
Cross-References: CVE-2020-13401
Affected Products:
  SUSE Linux Enterprise Module for Containers 15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:

Docker was updated to 19.03.11-ce
runc was updated to version 1.0.0-rc10
containerd was updated to version 1.2.13

- CVE-2020-13401: Fixed an issue where an attacker with the CAP_NET_RAW capability could have crafted IPv6 router advertisements and spoofed external IPv6 hosts, resulting in obtaining sensitive information or causing denial of service (bsc#1172377).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Containers 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Containers-15-SP1-2020-1657=1

Package List:

- SUSE Linux Enterprise Module for Containers 15-SP1 (aarch64 ppc64le s390x x86_64):
  containerd-1.2.13-5.22.2
  docker-19.03.11_ce-6.34.2
  docker-debuginfo-19.03.11_ce-6.34.2
  docker-libnetwork-0.7.0.1+gitr2902_153d0769a118-4.21.2
  docker-libnetwork-debuginfo-0.7.0.1+gitr2902_153d0769a118-4.21.2
  docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.38.2
  docker-runc-debuginfo-1.0.0rc10+gitr3981_dc9208a3303f-6.38.2
- SUSE Linux Enterprise Module for Containers 15-SP1 (noarch):
  docker-bash-completion-19.03.11_ce-6.34.2

References:
  https://www.suse.com/security/cve/CVE-2020-13401.html
  https://bugzilla.suse.com/1172377

From sle-updates at lists.suse.com Thu Jun 18 07:37:50 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 18 Jun 2020 15:37:50 +0200 (CEST)
Subject:
SUSE-SU-2020:1663-1: important: Security update for the Linux Kernel Message-ID: <20200618133750.73E19F3D7@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1663-1 Rating: important References: #1050244 #1051510 #1051858 #1058115 #1061840 #1065600 #1065729 #1071995 #1085030 #1086301 #1086313 #1086314 #1089895 #1109911 #1114279 #1118338 #1120386 #1134973 #1143959 #1144333 #1151910 #1151927 #1153917 #1154243 #1154824 #1156286 #1157155 #1157157 #1157692 #1158013 #1158021 #1158026 #1158265 #1158819 #1159028 #1159198 #1159271 #1159285 #1159394 #1159483 #1159484 #1159569 #1159588 #1159841 #1159908 #1159909 #1159910 #1159911 #1159955 #1160195 #1160210 #1160211 #1160218 #1160433 #1160442 #1160476 #1160560 #1160755 #1160756 #1160784 #1160787 #1160802 #1160803 #1160804 #1160917 #1160966 #1161087 #1161514 #1161518 #1161522 #1161523 #1161549 #1161552 #1161555 #1161674 #1161931 #1161933 #1161934 #1161935 #1161936 #1161937 #1161951 #1162067 #1162109 #1162139 #1162928 #1162929 #1162931 #1163971 #1164051 #1164069 #1164078 #1164705 #1164712 #1164727 #1164728 #1164729 #1164730 #1164731 #1164732 #1164733 #1164734 #1164735 #1164871 #1165111 #1165741 #1165873 #1165881 #1165984 #1165985 #1166969 #1167421 #1167423 #1167629 #1168075 #1168276 #1168295 #1168424 #1168670 #1168829 #1168854 #1169390 #1169514 #1169625 #1170056 #1170345 #1170617 #1170618 #1170621 #1170778 #1170901 #1171098 #1171189 #1171191 #1171195 #1171202 #1171205 #1171217 #1171218 #1171219 #1171220 #1171689 #1171982 #1171983 #1172221 #1172317 #1172453 #1172458 Cross-References: CVE-2018-1000199 CVE-2019-14615 CVE-2019-14896 CVE-2019-14897 CVE-2019-16994 CVE-2019-19036 CVE-2019-19045 CVE-2019-19054 CVE-2019-19318 CVE-2019-19319 CVE-2019-19447 CVE-2019-19462 CVE-2019-19768 CVE-2019-19770 CVE-2019-19965 CVE-2019-19966 CVE-2019-20054 CVE-2019-20095 CVE-2019-20096 CVE-2019-20810 CVE-2019-20812 
CVE-2019-3701 CVE-2019-9455 CVE-2019-9458 CVE-2020-0543
CVE-2020-10690 CVE-2020-10711 CVE-2020-10720 CVE-2020-10732
CVE-2020-10751 CVE-2020-10757 CVE-2020-10942 CVE-2020-11494
CVE-2020-11608 CVE-2020-11609 CVE-2020-11669 CVE-2020-12114
CVE-2020-12464 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654
CVE-2020-12655 CVE-2020-12656 CVE-2020-12657 CVE-2020-12769
CVE-2020-13143 CVE-2020-2732 CVE-2020-7053 CVE-2020-8428
CVE-2020-8647 CVE-2020-8648 CVE-2020-8649 CVE-2020-8834
CVE-2020-8992 CVE-2020-9383
Affected Products:
  SUSE Linux Enterprise Server for SAP 15
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise Module for Live Patching 15
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
  SUSE Linux Enterprise High Availability 15
______________________________________________________________________________

An update that solves 55 vulnerabilities and has 93 fixes is now available.

Description:

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or "CrossTalk" (bsc#1154824).
- CVE-2020-9383: Fixed an out-of-bounds read due to improper error condition check of FDC index (bsc#1165111).
- CVE-2020-8992: Fixed an issue which could have allowed attackers to cause a soft lockup via a crafted journal size (bsc#1164069).
- CVE-2020-8834: Fixed a stack corruption which could have led to a kernel panic (bsc#1168276).
- CVE-2020-8649: Fixed a use-after-free in the vgacon_invert_region function in drivers/video/console/vgacon.c (bsc#1162931).
- CVE-2020-8648: Fixed a use-after-free in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bsc#1162928).
- CVE-2020-8647: Fixed a use-after-free in the vc_do_resize function in drivers/tty/vt/vt.c (bsc#1162929).
- CVE-2020-8428: Fixed a use-after-free which could have allowed local users to cause a denial of service (bsc#1162109).
- CVE-2020-7053: Fixed a use-after-free in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c (bsc#1160966).
- CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971).
- CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).
- CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).
- CVE-2020-12657: Fixed a use-after-free in block/bfq-iosched.c (bsc#1171205).
- CVE-2020-12656: Fixed improper handling of certain domain_release calls which could have led to a memory leak (bsc#1171219).
- CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).
- CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).
- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).
- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).
- CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).
- CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).
- CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).
- CVE-2020-11609: Fixed a null pointer dereference due to improper handling of descriptors (bsc#1168854).
- CVE-2020-11608: Fixed a null pointer dereference via a crafted USB (bsc#1168829).
- CVE-2020-11494: Fixed an issue which could have allowed attackers to read uninitialized can_frame data (bsc#1168424).
- CVE-2020-10942: Fixed a kernel stack corruption via crafted system calls (bsc#1167629).
- CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).
- CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).
- CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).
- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).
- CVE-2020-10711: Fixed a null pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).
- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).
- CVE-2019-9458: Fixed a use-after-free due to a race condition which could have led to escalation of privilege (bsc#1168295).
- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).
- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bsc#1120386).
- CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).
- CVE-2019-20810: Fixed a memory leak due to not calling snd_card_free (bsc#1172458).
- CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which could have caused denial of service (bsc#1159908).
- CVE-2019-20095: Fixed improper error-handling cases that did not free allocated hostcmd memory, which was causing a memory leak (bsc#1159909).
- CVE-2019-20054: Fixed a null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bsc#1159910).
- CVE-2019-19966: Fixed a use-after-free in cpia2_exit() which could have caused denial of service (bsc#1159841).
- CVE-2019-19965: Fixed a null pointer dereference, due to mishandling of port disconnection during discovery (bsc#1159911).
- CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).
- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bsc#1159285).
- CVE-2019-19462: Fixed an issue which could have allowed a local user to cause a denial of service (bsc#1158265).
- CVE-2019-19447: Fixed a use-after-free via a crafted ext4 filesystem image (bsc#1158819).
- CVE-2019-19319: Fixed a use-after-free when a large old_size value is used in a memset call (bsc#1158021).
- CVE-2019-19318: Fixed a use-after-free via a crafted btrfs image (bsc#1158026).
- CVE-2019-19054: Fixed a memory leak in the cx23888_ir_probe() which could have allowed attackers to cause a denial of service (bsc#1161518).
- CVE-2019-19045: Fixed a memory leak which could have allowed attackers to cause a denial of service (bsc#1161522).
- CVE-2019-19036: Fixed a null pointer dereference in btrfs_root_node (bsc#1157692).
- CVE-2019-16994: Fixed a memory leak which might have caused denial of service (bsc#1161523).
- CVE-2019-14897: Fixed a stack overflow in Marvell Wifi Driver (bsc#1157155).
- CVE-2019-14896: Fixed a heap overflow in Marvell Wifi Driver (bsc#1157157).
- CVE-2019-14615: Fixed an improper control flow in certain data structures which could have led to information disclosure (bsc#1160195).
- CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895). The following non-security bugs were fixed: - 6pack,mkiss: fix possible deadlock (bsc#1051510). - ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510). - ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510). - ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510). - af_packet: set defaule value for tmo (bsc#1051510). - ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes). - ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes). - ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes). - ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes). - ALSA: hda/ca0132 - Avoid endless loop (git-fixes). - ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes). - ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes). - ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes). - ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes). - ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510). - ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510). - ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510). - ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes). - ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510). - ALSA: sh: Fix compile warning wrt const (git-fixes). - ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510). - ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510). - ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510). - arm64: Revert support for execute-only user mappings (bsc#1160218). - ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510). 
- ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510). - ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510). - ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510). - ASoC: wm8962: fix lambda value (git-fixes). - ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510). - ath9k: fix storage endpoint lookup (git-fixes). - a typo in %kernel_base_conflicts macro name - batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510). - bcma: remove set but not used variable 'sizel' (git-fixes). - blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285). - blktrace: fix dereference after null check (bsc#1159285). - blktrace: fix trace mutex deadlock (bsc#1159285). - bonding: fix active-backup transition after link failure (git-fixes). - bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510). - bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510). - brcmfmac: fix interface sanity check (git-fixes). - brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes). - brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes). - btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936). - btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483). - btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569). - btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067). - btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934). - btrfs: Ensure we trim ranges across block group boundary (bsc#1151910). - btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442). - btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243). - btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804). 
- btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433). - btrfs: fix missing data checksums after replaying a log tree (bsc#1161931). - btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802). - btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803). - btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692). - btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937). - btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973). - btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692). - btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931). - btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692). - btrfs: record all roots for rename exchange on a subvol (bsc#1161933). - btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588). - btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067). - btrfs: send, skip backreference walking for extents with many references (bsc#1162139). - btrfs: skip log replay on orphaned roots (bsc#1161935). - btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692). - btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692). - btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692). - btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692). - btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692). 
- btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692). - btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692). - btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692). - btrfs: tree-checker: Verify dev item (dependency for bsc#1157692). - btrfs: tree-checker: Verify inode item (dependency for bsc#1157692). - btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910). - can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510). - can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510). - can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510). - can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510). - cfg80211: check for set_wiphy_params (bsc#1051510). - cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510). - cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510). - cgroup: pids: use atomic64_t for pids->limit (bsc#1161514). 
- CIFS: add support for flock (bsc#1144333). - CIFS: Close cached root handle only if it had a lease (bsc#1144333). - CIFS: Close open handle after interrupted close (bsc#1144333). - CIFS: close the shared root handle on tree disconnect (bsc#1144333). - CIFS: Do not miss cancelled OPEN responses (bsc#1144333). - CIFS: Fix lookup of root ses in DFS referral cache (bsc#1144333). - CIFS: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333). - CIFS: Fix mount options set in automount (bsc#1144333). - CIFS: Fix NULL pointer dereference in mid callback (bsc#1144333). - CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333). - CIFS: Fix potential softlockups while refreshing DFS cache (bsc#1144333). - CIFS: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333). - CIFS: Fix use-after-free bug in cifs_reconnect() (bsc#1144333). - CIFS: Properly process SMB3 lease breaks (bsc#1144333). - CIFS: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333). - CIFS: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333). - clk: Do not try to enable critical clocks if prepare failed (bsc#1051510). - clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510). - clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510). - clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510). - clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510). - clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510). - clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510). - clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170621). - copy/pasted "Recommends:" instead of "Provides:", "Obsoletes:" and "Conflicts: - crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510). - crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510). - crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510). 
- crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510). - crypto: ccp - fix uninitialized list head (bsc#1051510). - crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510). - crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510). - crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510). - crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix). - debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198). Prerequisite for bsc#1159198. - debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: simplify __debugfs_remove_file() (bsc#1159198). Prerequisite for bsc#1159198. - dmaengine: coh901318: Fix a double-lock bug (bsc#1051510). - dmaengine: coh901318: Remove unused variable (bsc#1051510). - dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510). - dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510). - drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993). 
- drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510). - drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170617). - drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170617). - drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618). - drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170617). - drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510). - drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510). - drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510). - drm: bridge: dw-hdmi: constify copied structure (bsc#1051510). - drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510). - drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510). - drm/i810: Prevent underflow in ioctl (bsc#1114279) - drm/i915: Add missing include file (bsc#1051510). - drm/i915: Fix pid leak with banned clients (bsc#1114279) - drm: limit to INT_MAX in create_blob ioctl (bsc#1051510). - drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510). - drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510). - drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510). 
- drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028) - drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279) - drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510). - drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510). - e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510). - exit: panic before exit_mm() on global init exit (bsc#1161549). - extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510). - firestream: fix memory leaks (bsc#1051510). - fix autofs regression caused by follow_managed() changes (bsc#1159271). - fix dget_parent() fastpath race (bsc#1159271). - Fix partial checked out tree build ... so that bisection does not break. - fjes: fix missed check in fjes_acpi_add (bsc#1051510). - fs: cifs: Fix atime update check vs mtime (bsc#1144333). - fs/namei.c: fix missing barriers when checking positivity (bsc#1159271). - fs/namei.c: pull positivity check into follow_managed() (bsc#1159271). - fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985). - ftrace: Avoid potential division by zero in function profiler (bsc#1160784). - futex: Prevent robust futex exit race (bsc#1161555). - gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510). - HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510). - HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510). - hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510). - HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510). - hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510). - hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510). - hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510). - i2c: imx: do not print error message on probe defer (bsc#1051510). - IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. 
- ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983).
- ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).
- iio: adc: max9611: Fix too short conversion time delay (bsc#1051510).
- iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510).
- inet: protect against too small mtu values (networking-stable-19_12_16).
- Input: add safety guards to input_set_keycode() (bsc#1168075).
- Input: aiptek - fix endpoint sanity check (bsc#1051510).
- Input: cyttsp4_core - fix use after free bug (bsc#1051510).
- Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510).
- Input: gtco - fix endpoint sanity check (bsc#1051510).
- Input: keyspan-remote - fix control-message timeouts (bsc#1051510).
- Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510).
- Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510).
- Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510).
- Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510).
- Input: sur40 - fix interface sanity checks (bsc#1051510).
- Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510).
- Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510).
- Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510).
- iommu: Remove device link to group on failure (bsc#1160755).
- iommu/vt-d: Unlink device if failed to add to group (bsc#1160756).
- iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes).
- iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510).
- iwlwifi: mvm: synchronize TID queue removal (bsc#1051510).
- kABI: protect struct sctp_ep_common (kabi).
- kABI: restore debugfs_remove_recursive() (bsc#1159198).
- kABI workaround for can/skb.h inclusion (bsc#1051510).
- kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787).
- KEYS: reaching the keys quotas correctly (bsc#1171689).
- KVM: fix spectrev1 gadgets (bsc#1164705).
- KVM: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476).
- KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734).
- KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728).
- KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729).
- KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712).
- KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730).
- KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733).
- KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731).
- KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732).
- KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735).
- KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705).
- KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727).
- leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674).
- leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674).
- lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510).
- lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510).
- livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995).
- livepatch/selftest: Clean up shadow variable names and type (bsc#1071995).
- mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510).
- macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510).
- macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510).
- md/raid0: Fix buffer overflow at debug print (bsc#1164051).
- media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510).
- media: cec: report Vendor ID after initialization (bsc#1051510).
- media: iguanair: fix endpoint sanity check (bsc#1051510).
- media: ov519: add missing endpoint sanity checks (bsc#1168829).
- media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510).
- media: stkwebcam: Bugfix for wrong return values (bsc#1051510).
- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).
- media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510).
- media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510).
- media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510).
- missing escaping of backslashes in macro expansions
   Fixes: f3b74b0ae86b ("rpm/kernel-subpackage-spec: Unify dependency handling.")
   Fixes: 3fd22e219f77 ("rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)")
- mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510).
- mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510).
- mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510).
- mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support" (bsc#1051510).
- mmc: tegra: fix SDR50 tuning override (bsc#1051510).
- mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993).
- mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394).
- mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes).
- net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16).
- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).
- net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16).
- netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes).
- net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25).
- net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25).
- net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858).
- net: psample: fix skb_over_panic (networking-stable-19_12_03).
- net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25).
- net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25).
- net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03).
- net: usb: lan78xx: limit size of local TSO packets (bsc#1051510).
- net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18).
- new helper: lookup_positive_unlocked() (bsc#1159271).
- NFC: pn533: fix bulk-message timeout (bsc#1051510).
- NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes).
- objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514).
- openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03).
- openvswitch: remove another BUG_ON() (networking-stable-19_12_03).
- openvswitch: support asymmetric conntrack (networking-stable-19_12_16).
- orinoco_usb: fix interface sanity check (git-fixes).
- PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510).
- PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510).
- phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510).
- pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510).
- pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510).
- platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510).
- platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510).
- platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510).
- powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17).
- powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729).
- powerpc: Fix vDSO clock_getres() (bsc#1065729).
- powerpc/irq: fix stack overflow verification (bsc#1065729).
- powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729).
- powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840).
- powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729).
- powerpc/powernv: Disable native PCIe port management (bsc#1065729).
- powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729).
- powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734).
- powerpc/tools: Do not quote $objdump in scripts (bsc#1065729).
- powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030).
- powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030).
- powerpc/xmon: do not access ASDR in VMs (bsc#1065729).
- ppp: Adjust indentation into ppp_async_input (git-fixes).
- prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286).
- pstore/ram: Write new dumps to start of recycled zones (bsc#1051510).
- qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301).
- r8152: add missing endpoint sanity check (bsc#1051510).
- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).
- RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244).
- regulator: Fix return value of _set_load() stub (bsc#1051510).
- regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510).
- regulator: rn5t618: fix module aliases (bsc#1051510).
- Revert "Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers" (bsc#1051510).
- Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" (bsc#1172221).
- Revert "mmc: sdhci: Fix incorrect switch to HS mode" (bsc#1051510).
- rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510).
- rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510).
- rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510).
- rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510).
- rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510).
- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).
- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).
- scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013).
- scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013).
- scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013).
- scsi: qla2xxx: Consolidate fabric scan (bsc#1158013).
- scsi: qla2xxx: Correct fcport flags handling (bsc#1158013).
- scsi: qla2xxx: Fix fabric scan hang (bsc#1158013).
- scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013).
- scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013).
- scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013).
- scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013).
- scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013).
- scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013).
- scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013).
- scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013).
- scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013).
- scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013).
- scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013).
- sctp: cache netns in sctp_ep_common (networking-stable-19_12_03).
- serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510).
- serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510).
- serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510).
- serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510).
- serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510).
- sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25).
- sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510).
- sh_eth: fix dumping ARSTR (bsc#1051510).
- sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510).
- sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510).
- sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510).
- sh_eth: fix TXALCR1 offsets (bsc#1051510).
- sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510).
- smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333).
- smb3: Fix persistent handles reconnect (bsc#1144333).
- smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333).
- smb3: remove confusing dmesg when mounting with encryption ("seal") (bsc#1144333).
- soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510).
- spi: tegra114: clear packed bit for unpacked mode (bsc#1051510).
- spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510).
- spi: tegra114: fix for unpacked mode transfers (bsc#1051510).
- spi: tegra114: flush fifos (bsc#1051510).
- spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510).
- staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510).
- Staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510).
- staging: rtl8188eu: fix interface sanity check (bsc#1051510).
- staging: wlan-ng: ensure error return is actually returned (bsc#1051510).
- tcp: clear tp->packets_out when purging write queue (bsc#1160560).
- tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159).
- tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16).
- tracing: Have the histogram compare functions convert to u64 first (bsc#1160210).
- tracing: xen: Ordered comparison of function pointers (git-fixes).
- tty: n_hdlc: fix build on SPARC (bsc#1051510).
- tty/serial: atmel: Add is_half_duplex helper (bsc#1051510).
- tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510).
- tty: vt: keyboard: reject invalid keycodes (bsc#1051510).
- USB: Allow USB device to be warm reset in suspended state (bsc#1051510).
- USB: atm: ueagle-atm: add missing endpoint check (bsc#1051510).
- USB: chipidea: host: Disable port power only if previously enabled (bsc#1051510).
- USB: core: hub: Improved device recognition on remote wakeup (bsc#1051510).
- USB: core: urb: fix URB structure initialization function (bsc#1051510).
- USB: documentation: flags on usb-storage versus UAS (bsc#1051510).
- USB: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510).
- USB: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510).
- USB: dwc3: ep0: Clear started flag on completion (bsc#1051510).
- USB: dwc3: turn off VBUS when leaving host mode (bsc#1051510).
- USB: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510).
- USB: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510).
- USB: gadget: pch_udc: fix use after free (bsc#1051510).
- USB: gadget: u_serial: add missing port entry locking (bsc#1051510).
- USB: gadget: Zero ffs_io_data (bsc#1051510).
- USB: host: xhci-hub: fix extra endianness conversion (bsc#1051510).
- usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510).
- USB: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510).
- USB: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510).
- USB: musb: fix idling for suspend after disconnect interrupt (bsc#1051510).
- USB: serial: ch341: handle unbound port at reset_resume (bsc#1051510).
- USB: serial: io_edgeport: add missing active-port sanity check (bsc#1051510).
- USB: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510).
- USB: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510).
- USB: serial: ir-usb: add missing endpoint sanity check (bsc#1051510).
- USB: serial: ir-usb: fix IrLAP framing (bsc#1051510).
- USB: serial: ir-usb: fix link-speed handling (bsc#1051510).
- USB: serial: keyspan: handle unbound ports (bsc#1051510).
- USB: serial: opticon: fix control-message timeouts (bsc#1051510).
- USB: serial: option: Add support for Quectel RM500Q (bsc#1051510).
- USB: serial: quatech2: handle unbound ports (bsc#1051510).
- USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510).
- USB: serial: suppress driver bind attributes (bsc#1051510).
- USB: typec: tcpci: mask event interrupts when remove driver (bsc#1051510).
- USB: uas: heed CAPACITY_HEURISTICS (bsc#1051510).
- USB: uas: honor flag to avoid CAPACITY16 (bsc#1051510).
- USB: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510).
- workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211).
- x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115).
- x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115).
- x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115).
- x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115).
- x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170621).
- x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170617).
- x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170617).
- x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170617).
- x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170617).
- x86/Hyper-V: report value of misc_features (git-fixes).
- x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170617).
- x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170617).
- x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279).
- x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279).
- x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279).
- x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279).
- x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279).
- x86/mm: Split vmalloc_sync_all() (bsc#1165741).
- x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279).
- x86/resctrl: Fix potential memory leak (bsc#1114279).
- x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115).
- x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115).
- x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115).
- x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115).
- x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115).
- x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115).
- x86/xen: fix booting 32-bit pv guest (bsc#1071995).
- x86/xen: Make the boot CPU idle task reliable (bsc#1071995).
- x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995).
- xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600).
- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).
- xfrm: Fix transport mode skb control buffer usage (bsc#1161552).
- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).
- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).
- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917).
- xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510).
- xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510).
- xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510).
- xhci: make sure interrupts are restored to correct state (bsc#1051510).
- zd1211rw: fix storage endpoint lookup (git-fixes).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:

   zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1663=1

- SUSE Linux Enterprise Server 15-LTSS:

   zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1663=1

- SUSE Linux Enterprise Module for Live Patching 15:

   zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-1663=1

- SUSE Linux Enterprise High Performance Computing 15-LTSS:

   zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1663=1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS:

   zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1663=1

- SUSE Linux Enterprise High Availability 15:

   zypper in -t patch SUSE-SLE-Product-HA-15-2020-1663=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):

   kernel-default-4.12.14-150.52.1
   kernel-default-base-4.12.14-150.52.1
   kernel-default-debuginfo-4.12.14-150.52.1
   kernel-default-debugsource-4.12.14-150.52.1
   kernel-default-devel-4.12.14-150.52.1
   kernel-default-devel-debuginfo-4.12.14-150.52.1
   kernel-obs-build-4.12.14-150.52.1
   kernel-obs-build-debugsource-4.12.14-150.52.1
   kernel-syms-4.12.14-150.52.1
   kernel-vanilla-base-4.12.14-150.52.1
   kernel-vanilla-base-debuginfo-4.12.14-150.52.1
   kernel-vanilla-debuginfo-4.12.14-150.52.1
   kernel-vanilla-debugsource-4.12.14-150.52.1
   reiserfs-kmp-default-4.12.14-150.52.1
   reiserfs-kmp-default-debuginfo-4.12.14-150.52.1

- SUSE Linux Enterprise Server for SAP 15 (noarch):

   kernel-devel-4.12.14-150.52.1
   kernel-docs-4.12.14-150.52.1
   kernel-macros-4.12.14-150.52.1
   kernel-source-4.12.14-150.52.1

- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):

   kernel-default-4.12.14-150.52.1
   kernel-default-base-4.12.14-150.52.1
   kernel-default-debuginfo-4.12.14-150.52.1
   kernel-default-debugsource-4.12.14-150.52.1
   kernel-default-devel-4.12.14-150.52.1
   kernel-default-devel-debuginfo-4.12.14-150.52.1
   kernel-obs-build-4.12.14-150.52.1
   kernel-obs-build-debugsource-4.12.14-150.52.1
   kernel-syms-4.12.14-150.52.1
   kernel-vanilla-base-4.12.14-150.52.1
   kernel-vanilla-base-debuginfo-4.12.14-150.52.1
   kernel-vanilla-debuginfo-4.12.14-150.52.1
   kernel-vanilla-debugsource-4.12.14-150.52.1
   reiserfs-kmp-default-4.12.14-150.52.1
   reiserfs-kmp-default-debuginfo-4.12.14-150.52.1

- SUSE Linux Enterprise Server 15-LTSS (noarch):

   kernel-devel-4.12.14-150.52.1
   kernel-docs-4.12.14-150.52.1
   kernel-macros-4.12.14-150.52.1
   kernel-source-4.12.14-150.52.1

- SUSE Linux Enterprise Server 15-LTSS (s390x):

   kernel-default-man-4.12.14-150.52.1
   kernel-zfcpdump-debuginfo-4.12.14-150.52.1
   kernel-zfcpdump-debugsource-4.12.14-150.52.1

- SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64):

   kernel-default-debuginfo-4.12.14-150.52.1
   kernel-default-debugsource-4.12.14-150.52.1
   kernel-default-livepatch-4.12.14-150.52.1
   kernel-livepatch-4_12_14-150_52-default-1-1.5.1
   kernel-livepatch-4_12_14-150_52-default-debuginfo-1-1.5.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):

   kernel-default-4.12.14-150.52.1
   kernel-default-base-4.12.14-150.52.1
   kernel-default-debuginfo-4.12.14-150.52.1
   kernel-default-debugsource-4.12.14-150.52.1
   kernel-default-devel-4.12.14-150.52.1
   kernel-default-devel-debuginfo-4.12.14-150.52.1
   kernel-obs-build-4.12.14-150.52.1
   kernel-obs-build-debugsource-4.12.14-150.52.1
   kernel-syms-4.12.14-150.52.1
   kernel-vanilla-base-4.12.14-150.52.1
   kernel-vanilla-base-debuginfo-4.12.14-150.52.1
   kernel-vanilla-debuginfo-4.12.14-150.52.1
   kernel-vanilla-debugsource-4.12.14-150.52.1

- SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):

   kernel-devel-4.12.14-150.52.1
   kernel-docs-4.12.14-150.52.1
   kernel-macros-4.12.14-150.52.1
   kernel-source-4.12.14-150.52.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):

   kernel-default-4.12.14-150.52.1
   kernel-default-base-4.12.14-150.52.1
   kernel-default-debuginfo-4.12.14-150.52.1
   kernel-default-debugsource-4.12.14-150.52.1
   kernel-default-devel-4.12.14-150.52.1
   kernel-default-devel-debuginfo-4.12.14-150.52.1
   kernel-obs-build-4.12.14-150.52.1
   kernel-obs-build-debugsource-4.12.14-150.52.1
   kernel-syms-4.12.14-150.52.1
   kernel-vanilla-base-4.12.14-150.52.1
   kernel-vanilla-base-debuginfo-4.12.14-150.52.1
   kernel-vanilla-debuginfo-4.12.14-150.52.1
   kernel-vanilla-debugsource-4.12.14-150.52.1

- SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):

   kernel-devel-4.12.14-150.52.1
   kernel-docs-4.12.14-150.52.1
   kernel-macros-4.12.14-150.52.1
   kernel-source-4.12.14-150.52.1

- SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64):

   cluster-md-kmp-default-4.12.14-150.52.1
   cluster-md-kmp-default-debuginfo-4.12.14-150.52.1
   dlm-kmp-default-4.12.14-150.52.1
   dlm-kmp-default-debuginfo-4.12.14-150.52.1
   gfs2-kmp-default-4.12.14-150.52.1
   gfs2-kmp-default-debuginfo-4.12.14-150.52.1
   kernel-default-debuginfo-4.12.14-150.52.1
   kernel-default-debugsource-4.12.14-150.52.1
   ocfs2-kmp-default-4.12.14-150.52.1
   ocfs2-kmp-default-debuginfo-4.12.14-150.52.1

References:

   https://www.suse.com/security/cve/CVE-2018-1000199.html
   https://www.suse.com/security/cve/CVE-2019-14615.html
   https://www.suse.com/security/cve/CVE-2019-14896.html
   https://www.suse.com/security/cve/CVE-2019-14897.html
   https://www.suse.com/security/cve/CVE-2019-16994.html
   https://www.suse.com/security/cve/CVE-2019-19036.html
   https://www.suse.com/security/cve/CVE-2019-19045.html
   https://www.suse.com/security/cve/CVE-2019-19054.html
   https://www.suse.com/security/cve/CVE-2019-19318.html
   https://www.suse.com/security/cve/CVE-2019-19319.html
   https://www.suse.com/security/cve/CVE-2019-19447.html
   https://www.suse.com/security/cve/CVE-2019-19462.html
   https://www.suse.com/security/cve/CVE-2019-19768.html
   https://www.suse.com/security/cve/CVE-2019-19770.html
   https://www.suse.com/security/cve/CVE-2019-19965.html
   https://www.suse.com/security/cve/CVE-2019-19966.html
   https://www.suse.com/security/cve/CVE-2019-20054.html
   https://www.suse.com/security/cve/CVE-2019-20095.html
   https://www.suse.com/security/cve/CVE-2019-20096.html
   https://www.suse.com/security/cve/CVE-2019-20810.html
   https://www.suse.com/security/cve/CVE-2019-20812.html
   https://www.suse.com/security/cve/CVE-2019-3701.html
   https://www.suse.com/security/cve/CVE-2019-9455.html
   https://www.suse.com/security/cve/CVE-2019-9458.html
   https://www.suse.com/security/cve/CVE-2020-0543.html
   https://www.suse.com/security/cve/CVE-2020-10690.html
   https://www.suse.com/security/cve/CVE-2020-10711.html
   https://www.suse.com/security/cve/CVE-2020-10720.html
   https://www.suse.com/security/cve/CVE-2020-10732.html
   https://www.suse.com/security/cve/CVE-2020-10751.html
   https://www.suse.com/security/cve/CVE-2020-10757.html
   https://www.suse.com/security/cve/CVE-2020-10942.html
   https://www.suse.com/security/cve/CVE-2020-11494.html
   https://www.suse.com/security/cve/CVE-2020-11608.html
   https://www.suse.com/security/cve/CVE-2020-11609.html
   https://www.suse.com/security/cve/CVE-2020-11669.html
   https://www.suse.com/security/cve/CVE-2020-12114.html
   https://www.suse.com/security/cve/CVE-2020-12464.html
   https://www.suse.com/security/cve/CVE-2020-12652.html
   https://www.suse.com/security/cve/CVE-2020-12653.html
   https://www.suse.com/security/cve/CVE-2020-12654.html
   https://www.suse.com/security/cve/CVE-2020-12655.html
   https://www.suse.com/security/cve/CVE-2020-12656.html
   https://www.suse.com/security/cve/CVE-2020-12657.html
   https://www.suse.com/security/cve/CVE-2020-12769.html
   https://www.suse.com/security/cve/CVE-2020-13143.html
   https://www.suse.com/security/cve/CVE-2020-2732.html
   https://www.suse.com/security/cve/CVE-2020-7053.html
   https://www.suse.com/security/cve/CVE-2020-8428.html
   https://www.suse.com/security/cve/CVE-2020-8647.html
   https://www.suse.com/security/cve/CVE-2020-8648.html
   https://www.suse.com/security/cve/CVE-2020-8649.html
   https://www.suse.com/security/cve/CVE-2020-8834.html
   https://www.suse.com/security/cve/CVE-2020-8992.html
   https://www.suse.com/security/cve/CVE-2020-9383.html
   https://bugzilla.suse.com/1050244
   https://bugzilla.suse.com/1051510
   https://bugzilla.suse.com/1051858
   https://bugzilla.suse.com/1058115
   https://bugzilla.suse.com/1061840
   https://bugzilla.suse.com/1065600
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1071995
   https://bugzilla.suse.com/1085030
   https://bugzilla.suse.com/1086301
   https://bugzilla.suse.com/1086313
   https://bugzilla.suse.com/1086314
   https://bugzilla.suse.com/1089895
   https://bugzilla.suse.com/1109911
   https://bugzilla.suse.com/1114279
   https://bugzilla.suse.com/1118338
   https://bugzilla.suse.com/1120386
   https://bugzilla.suse.com/1134973
   https://bugzilla.suse.com/1143959
   https://bugzilla.suse.com/1144333
   https://bugzilla.suse.com/1151910
   https://bugzilla.suse.com/1151927
   https://bugzilla.suse.com/1153917
   https://bugzilla.suse.com/1154243
   https://bugzilla.suse.com/1154824
   https://bugzilla.suse.com/1156286
   https://bugzilla.suse.com/1157155
   https://bugzilla.suse.com/1157157
   https://bugzilla.suse.com/1157692
   https://bugzilla.suse.com/1158013
   https://bugzilla.suse.com/1158021
   https://bugzilla.suse.com/1158026
   https://bugzilla.suse.com/1158265
   https://bugzilla.suse.com/1158819
   https://bugzilla.suse.com/1159028
   https://bugzilla.suse.com/1159198
   https://bugzilla.suse.com/1159271
   https://bugzilla.suse.com/1159285
   https://bugzilla.suse.com/1159394
   https://bugzilla.suse.com/1159483
   https://bugzilla.suse.com/1159484
   https://bugzilla.suse.com/1159569
   https://bugzilla.suse.com/1159588
   https://bugzilla.suse.com/1159841
   https://bugzilla.suse.com/1159908
   https://bugzilla.suse.com/1159909
   https://bugzilla.suse.com/1159910
   https://bugzilla.suse.com/1159911
   https://bugzilla.suse.com/1159955
   https://bugzilla.suse.com/1160195
   https://bugzilla.suse.com/1160210
   https://bugzilla.suse.com/1160211
   https://bugzilla.suse.com/1160218
   https://bugzilla.suse.com/1160433
   https://bugzilla.suse.com/1160442
   https://bugzilla.suse.com/1160476
   https://bugzilla.suse.com/1160560
   https://bugzilla.suse.com/1160755
   https://bugzilla.suse.com/1160756
   https://bugzilla.suse.com/1160784
   https://bugzilla.suse.com/1160787
   https://bugzilla.suse.com/1160802
   https://bugzilla.suse.com/1160803
   https://bugzilla.suse.com/1160804
   https://bugzilla.suse.com/1160917
   https://bugzilla.suse.com/1160966
   https://bugzilla.suse.com/1161087
   https://bugzilla.suse.com/1161514
   https://bugzilla.suse.com/1161518
   https://bugzilla.suse.com/1161522
   https://bugzilla.suse.com/1161523
   https://bugzilla.suse.com/1161549
   https://bugzilla.suse.com/1161552
   https://bugzilla.suse.com/1161555
   https://bugzilla.suse.com/1161674
   https://bugzilla.suse.com/1161931
   https://bugzilla.suse.com/1161933
   https://bugzilla.suse.com/1161934
   https://bugzilla.suse.com/1161935
   https://bugzilla.suse.com/1161936
   https://bugzilla.suse.com/1161937
   https://bugzilla.suse.com/1161951
   https://bugzilla.suse.com/1162067
   https://bugzilla.suse.com/1162109
   https://bugzilla.suse.com/1162139
   https://bugzilla.suse.com/1162928
   https://bugzilla.suse.com/1162929
   https://bugzilla.suse.com/1162931
   https://bugzilla.suse.com/1163971
   https://bugzilla.suse.com/1164051
   https://bugzilla.suse.com/1164069
   https://bugzilla.suse.com/1164078
   https://bugzilla.suse.com/1164705
   https://bugzilla.suse.com/1164712
   https://bugzilla.suse.com/1164727
   https://bugzilla.suse.com/1164728
   https://bugzilla.suse.com/1164729
   https://bugzilla.suse.com/1164730
   https://bugzilla.suse.com/1164731
   https://bugzilla.suse.com/1164732
   https://bugzilla.suse.com/1164733
   https://bugzilla.suse.com/1164734
   https://bugzilla.suse.com/1164735
   https://bugzilla.suse.com/1164871
   https://bugzilla.suse.com/1165111
   https://bugzilla.suse.com/1165741
   https://bugzilla.suse.com/1165873
   https://bugzilla.suse.com/1165881
   https://bugzilla.suse.com/1165984
   https://bugzilla.suse.com/1165985
   https://bugzilla.suse.com/1166969
   https://bugzilla.suse.com/1167421
   https://bugzilla.suse.com/1167423
   https://bugzilla.suse.com/1167629
   https://bugzilla.suse.com/1168075
   https://bugzilla.suse.com/1168276
   https://bugzilla.suse.com/1168295
   https://bugzilla.suse.com/1168424
   https://bugzilla.suse.com/1168670
   https://bugzilla.suse.com/1168829
   https://bugzilla.suse.com/1168854
   https://bugzilla.suse.com/1169390
   https://bugzilla.suse.com/1169514
   https://bugzilla.suse.com/1169625
   https://bugzilla.suse.com/1170056
   https://bugzilla.suse.com/1170345
   https://bugzilla.suse.com/1170617
   https://bugzilla.suse.com/1170618
   https://bugzilla.suse.com/1170621
   https://bugzilla.suse.com/1170778
   https://bugzilla.suse.com/1170901
   https://bugzilla.suse.com/1171098
   https://bugzilla.suse.com/1171189
   https://bugzilla.suse.com/1171191
   https://bugzilla.suse.com/1171195
   https://bugzilla.suse.com/1171202
   https://bugzilla.suse.com/1171205
   https://bugzilla.suse.com/1171217
   https://bugzilla.suse.com/1171218
   https://bugzilla.suse.com/1171219
   https://bugzilla.suse.com/1171220
   https://bugzilla.suse.com/1171689
   https://bugzilla.suse.com/1171982
   https://bugzilla.suse.com/1171983
   https://bugzilla.suse.com/1172221
   https://bugzilla.suse.com/1172317
   https://bugzilla.suse.com/1172453
   https://bugzilla.suse.com/1172458

From sle-updates at lists.suse.com Thu Jun 18 07:55:49 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Thu, 18 Jun 2020 15:55:49 +0200 (CEST)
Subject: SUSE-SU-2020:1661-1: moderate: Security update for php7
Message-ID: <20200618135549.5411DF749@maintenance.suse.de>

SUSE Security Update: Security update for php7
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1661-1
Rating: moderate
References: #1171999
Cross-References: CVE-2019-11048
Affected Products:
   SUSE Linux Enterprise Module for Web Scripting 15-SP1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for php7 fixes the following issues:

Security issue fixed:

- CVE-2019-11048: Improved the handling of overly long filenames or field names in HTTP file uploads (bsc#1171999).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Web Scripting 15-SP1:

   zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP1-2020-1661=1

Package List:

- SUSE Linux Enterprise Module for Web Scripting 15-SP1 (aarch64 ppc64le s390x x86_64):

   apache2-mod_php7-7.2.5-4.58.2
   apache2-mod_php7-debuginfo-7.2.5-4.58.2
   php7-7.2.5-4.58.2
   php7-bcmath-7.2.5-4.58.2
   php7-bcmath-debuginfo-7.2.5-4.58.2
   php7-bz2-7.2.5-4.58.2
   php7-bz2-debuginfo-7.2.5-4.58.2
   php7-calendar-7.2.5-4.58.2
   php7-calendar-debuginfo-7.2.5-4.58.2
   php7-ctype-7.2.5-4.58.2
   php7-ctype-debuginfo-7.2.5-4.58.2
   php7-curl-7.2.5-4.58.2
   php7-curl-debuginfo-7.2.5-4.58.2
   php7-dba-7.2.5-4.58.2
   php7-dba-debuginfo-7.2.5-4.58.2
   php7-debuginfo-7.2.5-4.58.2
   php7-debugsource-7.2.5-4.58.2
   php7-devel-7.2.5-4.58.2
   php7-dom-7.2.5-4.58.2
   php7-dom-debuginfo-7.2.5-4.58.2
   php7-enchant-7.2.5-4.58.2
   php7-enchant-debuginfo-7.2.5-4.58.2
   php7-exif-7.2.5-4.58.2
   php7-exif-debuginfo-7.2.5-4.58.2
   php7-fastcgi-7.2.5-4.58.2
   php7-fastcgi-debuginfo-7.2.5-4.58.2
   php7-fileinfo-7.2.5-4.58.2
   php7-fileinfo-debuginfo-7.2.5-4.58.2
   php7-fpm-7.2.5-4.58.2
   php7-fpm-debuginfo-7.2.5-4.58.2
   php7-ftp-7.2.5-4.58.2
   php7-ftp-debuginfo-7.2.5-4.58.2
   php7-gd-7.2.5-4.58.2
   php7-gd-debuginfo-7.2.5-4.58.2
   php7-gettext-7.2.5-4.58.2
   php7-gettext-debuginfo-7.2.5-4.58.2
   php7-gmp-7.2.5-4.58.2
   php7-gmp-debuginfo-7.2.5-4.58.2
   php7-iconv-7.2.5-4.58.2
   php7-iconv-debuginfo-7.2.5-4.58.2
   php7-intl-7.2.5-4.58.2
   php7-intl-debuginfo-7.2.5-4.58.2
   php7-json-7.2.5-4.58.2
   php7-json-debuginfo-7.2.5-4.58.2
   php7-ldap-7.2.5-4.58.2
   php7-ldap-debuginfo-7.2.5-4.58.2
   php7-mbstring-7.2.5-4.58.2
   php7-mbstring-debuginfo-7.2.5-4.58.2
   php7-mysql-7.2.5-4.58.2
   php7-mysql-debuginfo-7.2.5-4.58.2
   php7-odbc-7.2.5-4.58.2
   php7-odbc-debuginfo-7.2.5-4.58.2
   php7-opcache-7.2.5-4.58.2
   php7-opcache-debuginfo-7.2.5-4.58.2
   php7-openssl-7.2.5-4.58.2
   php7-openssl-debuginfo-7.2.5-4.58.2
   php7-pcntl-7.2.5-4.58.2
   php7-pcntl-debuginfo-7.2.5-4.58.2
   php7-pdo-7.2.5-4.58.2
   php7-pdo-debuginfo-7.2.5-4.58.2
   php7-pgsql-7.2.5-4.58.2
   php7-pgsql-debuginfo-7.2.5-4.58.2
   php7-phar-7.2.5-4.58.2
   php7-phar-debuginfo-7.2.5-4.58.2
   php7-posix-7.2.5-4.58.2
   php7-posix-debuginfo-7.2.5-4.58.2
   php7-readline-7.2.5-4.58.2
   php7-readline-debuginfo-7.2.5-4.58.2
   php7-shmop-7.2.5-4.58.2
   php7-shmop-debuginfo-7.2.5-4.58.2
   php7-snmp-7.2.5-4.58.2
   php7-snmp-debuginfo-7.2.5-4.58.2
   php7-soap-7.2.5-4.58.2
   php7-soap-debuginfo-7.2.5-4.58.2
   php7-sockets-7.2.5-4.58.2
   php7-sockets-debuginfo-7.2.5-4.58.2
   php7-sodium-7.2.5-4.58.2
   php7-sodium-debuginfo-7.2.5-4.58.2
   php7-sqlite-7.2.5-4.58.2
   php7-sqlite-debuginfo-7.2.5-4.58.2
   php7-sysvmsg-7.2.5-4.58.2
   php7-sysvmsg-debuginfo-7.2.5-4.58.2
   php7-sysvsem-7.2.5-4.58.2
   php7-sysvsem-debuginfo-7.2.5-4.58.2
   php7-sysvshm-7.2.5-4.58.2
   php7-sysvshm-debuginfo-7.2.5-4.58.2
   php7-tidy-7.2.5-4.58.2
   php7-tidy-debuginfo-7.2.5-4.58.2
   php7-tokenizer-7.2.5-4.58.2
   php7-tokenizer-debuginfo-7.2.5-4.58.2
   php7-wddx-7.2.5-4.58.2
   php7-wddx-debuginfo-7.2.5-4.58.2
   php7-xmlreader-7.2.5-4.58.2
   php7-xmlreader-debuginfo-7.2.5-4.58.2
   php7-xmlrpc-7.2.5-4.58.2
   php7-xmlrpc-debuginfo-7.2.5-4.58.2
   php7-xmlwriter-7.2.5-4.58.2
   php7-xmlwriter-debuginfo-7.2.5-4.58.2
   php7-xsl-7.2.5-4.58.2
   php7-xsl-debuginfo-7.2.5-4.58.2
php7-zip-7.2.5-4.58.2 php7-zip-debuginfo-7.2.5-4.58.2 php7-zlib-7.2.5-4.58.2 php7-zlib-debuginfo-7.2.5-4.58.2 - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (noarch): php7-pear-7.2.5-4.58.2 php7-pear-Archive_Tar-7.2.5-4.58.2 References: https://www.suse.com/security/cve/CVE-2019-11048.html https://bugzilla.suse.com/1171999 From sle-updates at lists.suse.com Thu Jun 18 07:56:35 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 15:56:35 +0200 (CEST) Subject: SUSE-SU-2020:1656-1: important: Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP1) Message-ID: <20200618135635.31325F749@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP1) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1656-1 Rating: important References: #1144502 #1171746 #1172140 #1172437 Cross-References: CVE-2018-1000199 CVE-2019-15666 CVE-2020-10757 CVE-2020-13233 Affected Products: SUSE Linux Enterprise Module for Live Patching 15-SP1 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-197_4 fixes several issues. The following security issues were fixed: - CVE-2019-13233: Fixed a race condition between modify_ldt() and a #BR exception for an MPX bounds violation (bsc#1144502). - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437). - CVE-2019-15666: Fixed an out-of-bounds read in __xfrm_policy_unlink, which could have led to denial of service (bsc#1172140). - CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1171746). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2020-1654=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1655=1 SUSE-SLE-Module-Live-Patching-15-SP1-2020-1656=1 Package List: - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-195-default-12-34.1 kernel-livepatch-4_12_14-197_4-default-11-2.1 kernel-livepatch-4_12_14-197_7-default-10-2.1 References: https://www.suse.com/security/cve/CVE-2018-1000199.html https://www.suse.com/security/cve/CVE-2019-15666.html https://www.suse.com/security/cve/CVE-2020-10757.html https://www.suse.com/security/cve/CVE-2020-13233.html https://bugzilla.suse.com/1144502 https://bugzilla.suse.com/1171746 https://bugzilla.suse.com/1172140 https://bugzilla.suse.com/1172437 From sle-updates at lists.suse.com Thu Jun 18 10:13:10 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 18:13:10 +0200 (CEST) Subject: SUSE-SU-2020:1672-1: important: Security update for dbus-1 Message-ID: <20200618161310.56605F749@maintenance.suse.de> SUSE Security Update: Security update for dbus-1 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1672-1 Rating: important References: #1137832 #1140091 Cross-References: CVE-2019-12749 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for dbus-1 fixes the following issues: - CVE-2019-12749: Fixed an implementation flaw in DBUS_COOKIE_SHA1 which could have allowed local attackers to bypass authentication (bsc#1137832). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1672=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1672=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): dbus-1-debugsource-1.8.22-11.3.1 dbus-1-devel-1.8.22-11.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): dbus-1-devel-doc-1.8.22-11.3.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): dbus-1-1.8.22-11.3.1 dbus-1-debuginfo-1.8.22-11.3.1 dbus-1-debugsource-1.8.22-11.3.1 dbus-1-x11-1.8.22-11.3.1 dbus-1-x11-debuginfo-1.8.22-11.3.1 dbus-1-x11-debugsource-1.8.22-11.3.1 libdbus-1-3-1.8.22-11.3.1 libdbus-1-3-debuginfo-1.8.22-11.3.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libdbus-1-3-32bit-1.8.22-11.3.1 libdbus-1-3-debuginfo-32bit-1.8.22-11.3.1 References: https://www.suse.com/security/cve/CVE-2019-12749.html https://bugzilla.suse.com/1137832 https://bugzilla.suse.com/1140091 From sle-updates at lists.suse.com Thu Jun 18 10:14:11 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 18:14:11 +0200 (CEST) Subject: SUSE-SU-2020:14399-1: important: Security update for adns Message-ID: <20200618161411.62AC6F749@maintenance.suse.de> SUSE Security Update: Security update for adns ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14399-1 Rating: important References: #1172265 Cross-References: CVE-2017-9103 CVE-2017-9104 CVE-2017-9105 CVE-2017-9106 CVE-2017-9107 CVE-2017-9108 CVE-2017-9109 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 
11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. Description: This update for adns fixes the following issues: - CVE-2017-9103,CVE-2017-9104,CVE-2017-9105,CVE-2017-9109: Fixed an issue in local recursive resolver which could have led to remote code execution (bsc#1172265). - CVE-2017-9106: Fixed an issue with upstream DNS data sources which could have led to denial of service (bsc#1172265). - CVE-2017-9107: Fixed an issue when querying domain names which could have led to denial of service (bsc#1172265). - CVE-2017-9108: Fixed an issue which could have led to denial of service (bsc#1172265). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-adns-14399=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-adns-14399=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-adns-14399=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-adns-14399=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): libadns1-1.4-75.3.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): libadns1-1.4-75.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): adns-debuginfo-1.4-75.3.1 adns-debugsource-1.4-75.3.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): adns-debuginfo-1.4-75.3.1 adns-debugsource-1.4-75.3.1 References: https://www.suse.com/security/cve/CVE-2017-9103.html https://www.suse.com/security/cve/CVE-2017-9104.html https://www.suse.com/security/cve/CVE-2017-9105.html https://www.suse.com/security/cve/CVE-2017-9106.html https://www.suse.com/security/cve/CVE-2017-9107.html 
https://www.suse.com/security/cve/CVE-2017-9108.html https://www.suse.com/security/cve/CVE-2017-9109.html https://bugzilla.suse.com/1172265 From sle-updates at lists.suse.com Thu Jun 18 10:15:01 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 18:15:01 +0200 (CEST) Subject: SUSE-OU-2020:1674-1: Optional update for opensaml Message-ID: <20200618161501.8B708F3D7@maintenance.suse.de> SUSE Optional Update: Optional update for opensaml ______________________________________________________________________________ Announcement ID: SUSE-OU-2020:1674-1 Rating: low References: #1172352 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 ______________________________________________________________________________ An update that has one optional fix can now be installed. Description: This update for opensaml doesn't address any user visible bugs. Patch Instructions: To install this SUSE Optional Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1674=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): libsaml-devel-2.6.1-3.3.1 libsaml9-2.6.1-3.3.1 libsaml9-debuginfo-2.6.1-3.3.1 opensaml-debuginfo-2.6.1-3.3.1 opensaml-debugsource-2.6.1-3.3.1 opensaml-schemas-2.6.1-3.3.1 References: https://bugzilla.suse.com/1172352 From sle-updates at lists.suse.com Thu Jun 18 10:15:46 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 18:15:46 +0200 (CEST) Subject: SUSE-OU-2020:1676-1: Optional update for 5 packages related to prometheus Message-ID: <20200618161546.62B5CF749@maintenance.suse.de> SUSE Optional Update: Optional update for 5 packages related to prometheus ______________________________________________________________________________ Announcement ID: SUSE-OU-2020:1676-1 Rating: low References: #1137989 #1164604 #1170717 Affected Products: SUSE Linux Enterprise Module for SAP Applications 15-SP1 SUSE Linux Enterprise Module for SAP Applications 15 ______________________________________________________________________________ An update that has three optional fixes can now be installed. Description: This update adds prometheus-ha_cluster_exporter, prometheus-hanadb_exporter, prometheus-sap_host_exporter, python3-prometheus_client, and python3-shaptools to SUSE Linux Enterprise Server for SAP Applications 15. Patch Instructions: To install this SUSE Optional Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for SAP Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-SAP-Applications-15-SP1-2020-1676=1 - SUSE Linux Enterprise Module for SAP Applications 15: zypper in -t patch SUSE-SLE-Module-SAP-Applications-15-2020-1676=1 Package List: - SUSE Linux Enterprise Module for SAP Applications 15-SP1 (aarch64 ppc64le s390x x86_64): prometheus-ha_cluster_exporter-1.0.1+git.1588608085.3a3faf7-1.3.3 prometheus-sap_host_exporter-0.4.0+git.1587141635.71f3338-1.3.1 - SUSE Linux Enterprise Module for SAP Applications 15-SP1 (noarch): prometheus-hanadb_exporter-0.7.1+git.1589791930.dbf0d1a-1.3.1 python3-prometheus_client-0.8.0-1.3.1 python3-shaptools-0.3.8+git.1591003106.824596b-1.3.1 - SUSE Linux Enterprise Module for SAP Applications 15 (aarch64 ppc64le s390x x86_64): prometheus-ha_cluster_exporter-1.0.1+git.1588608085.3a3faf7-1.3.3 prometheus-sap_host_exporter-0.4.0+git.1587141635.71f3338-1.3.1 - SUSE Linux Enterprise Module for SAP Applications 15 (noarch): prometheus-hanadb_exporter-0.7.1+git.1589791930.dbf0d1a-1.3.1 python3-prometheus_client-0.8.0-1.3.1 python3-shaptools-0.3.8+git.1591003106.824596b-1.3.1 References: https://bugzilla.suse.com/1137989 https://bugzilla.suse.com/1164604 https://bugzilla.suse.com/1170717 From sle-updates at lists.suse.com Thu Jun 18 10:16:43 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 18 Jun 2020 18:16:43 +0200 (CEST) Subject: SUSE-OU-2020:1675-1: Optional update for 5 packages related to prometheus Message-ID: <20200618161643.EAD4BF749@maintenance.suse.de> SUSE Optional Update: Optional update for 5 packages related to prometheus ______________________________________________________________________________ Announcement ID: SUSE-OU-2020:1675-1 Rating: low References: #1170717 #1170843 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE Linux Enterprise 
Server for SAP 12-SP3 ______________________________________________________________________________ An update that has two optional fixes can now be installed. Description: This update adds prometheus-ha_cluster_exporter, prometheus-hanadb_exporter, prometheus-sap_host_exporter, python3-prometheus_client, and python3-shaptools to SUSE Linux Enterprise Server for SAP Applications 12. Patch Instructions: To install this SUSE Optional Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP5: zypper in -t patch SUSE-SLE-SAP-12-SP5-2020-1675=1 - SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-1675=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1675=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP5 (ppc64le x86_64): prometheus-ha_cluster_exporter-1.0.1+git.1588608085.3a3faf7-4.3.3 prometheus-sap_host_exporter-0.4.0+git.1587141635.71f3338-4.3.2 - SUSE Linux Enterprise Server for SAP 12-SP5 (noarch): prometheus-hanadb_exporter-0.7.1+git.1589791930.dbf0d1a-4.3.3 python3-prometheus_client-0.8.0-4.3.4 python3-shaptools-0.3.8+git.1591003106.824596b-4.3.3 - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): prometheus-ha_cluster_exporter-1.0.1+git.1588608085.3a3faf7-4.3.3 prometheus-sap_host_exporter-0.4.0+git.1587141635.71f3338-4.3.2 - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): prometheus-hanadb_exporter-0.7.1+git.1589791930.dbf0d1a-4.3.3 python3-prometheus_client-0.8.0-4.3.4 python3-shaptools-0.3.8+git.1591003106.824596b-4.3.3 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): prometheus-ha_cluster_exporter-1.0.1+git.1588608085.3a3faf7-4.3.3 prometheus-sap_host_exporter-0.4.0+git.1587141635.71f3338-4.3.2 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): 
prometheus-hanadb_exporter-0.7.1+git.1589791930.dbf0d1a-4.3.3 python3-prometheus_client-0.8.0-4.3.4 python3-shaptools-0.3.8+git.1591003106.824596b-4.3.3 References: https://bugzilla.suse.com/1170717 https://bugzilla.suse.com/1170843 From sle-updates at lists.suse.com Thu Jun 18 16:13:39 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 19 Jun 2020 00:13:39 +0200 (CEST) Subject: SUSE-RU-2020:1678-1: moderate: Recommended update for cloud-init Message-ID: <20200618221339.1EC1DFD07@maintenance.suse.de> SUSE Recommended Update: Recommended update for cloud-init ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1678-1 Rating: moderate References: #1170154 #1171546 #1171995 Affected Products: SUSE Linux Enterprise Module for Public Cloud 12 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update for cloud-init contains the following fixes: - rsyslog warning, '~' is deprecated: (bsc#1170154) + replace deprecated syntax '& ~' by '& stop' for more information please see https://www.rsyslog.com/rsyslog-error-2307/. + Explicitly test for netconfig version 1 as well as 2. + Handle netconfig v2 device configurations (bsc#1171546, bsc#1171995) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-1678=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 12 (aarch64 ppc64le s390x x86_64): cloud-init-19.4-37.45.1 cloud-init-config-suse-19.4-37.45.1 References: https://bugzilla.suse.com/1170154 https://bugzilla.suse.com/1171546 https://bugzilla.suse.com/1171995 From sle-updates at lists.suse.com Thu Jun 18 16:17:04 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 19 Jun 2020 00:17:04 +0200 (CEST) Subject: SUSE-SU-2020:1677-1: important: Security update for mozilla-nspr, mozilla-nss Message-ID: <20200618221704.0BD58FD07@maintenance.suse.de> SUSE Security Update: Security update for mozilla-nspr, mozilla-nss ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1677-1 Rating: important References: #1159819 #1169746 #1171978 Cross-References: CVE-2019-17006 CVE-2020-12399 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Server Applications 15-SP2 SUSE Linux Enterprise Module for Server Applications 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53 - CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978). - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). 
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes mozilla-nspr to version 4.25 Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1677=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1677=1 - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2020-1677=1 - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1677=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1677=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1677=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1677=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1677=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libfreebl3-3.53-3.40.1 libfreebl3-debuginfo-3.53-3.40.1 libfreebl3-hmac-3.53-3.40.1 libsoftokn3-3.53-3.40.1 libsoftokn3-debuginfo-3.53-3.40.1 libsoftokn3-hmac-3.53-3.40.1 mozilla-nspr-4.25-3.12.1 mozilla-nspr-debuginfo-4.25-3.12.1 mozilla-nspr-debugsource-4.25-3.12.1 mozilla-nspr-devel-4.25-3.12.1 mozilla-nss-3.53-3.40.1 mozilla-nss-certs-3.53-3.40.1 mozilla-nss-certs-debuginfo-3.53-3.40.1 mozilla-nss-debuginfo-3.53-3.40.1 mozilla-nss-debugsource-3.53-3.40.1 mozilla-nss-devel-3.53-3.40.1 mozilla-nss-sysinit-3.53-3.40.1 mozilla-nss-sysinit-debuginfo-3.53-3.40.1 mozilla-nss-tools-3.53-3.40.1 mozilla-nss-tools-debuginfo-3.53-3.40.1 - SUSE 
Linux Enterprise Server for SAP 15 (x86_64): libfreebl3-32bit-3.53-3.40.1 libfreebl3-32bit-debuginfo-3.53-3.40.1 libfreebl3-hmac-32bit-3.53-3.40.1 libsoftokn3-32bit-3.53-3.40.1 libsoftokn3-32bit-debuginfo-3.53-3.40.1 libsoftokn3-hmac-32bit-3.53-3.40.1 mozilla-nspr-32bit-4.25-3.12.1 mozilla-nspr-32bit-debuginfo-4.25-3.12.1 mozilla-nss-32bit-3.53-3.40.1 mozilla-nss-32bit-debuginfo-3.53-3.40.1 mozilla-nss-certs-32bit-3.53-3.40.1 mozilla-nss-certs-32bit-debuginfo-3.53-3.40.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libfreebl3-3.53-3.40.1 libfreebl3-debuginfo-3.53-3.40.1 libfreebl3-hmac-3.53-3.40.1 libsoftokn3-3.53-3.40.1 libsoftokn3-debuginfo-3.53-3.40.1 libsoftokn3-hmac-3.53-3.40.1 mozilla-nspr-4.25-3.12.1 mozilla-nspr-debuginfo-4.25-3.12.1 mozilla-nspr-debugsource-4.25-3.12.1 mozilla-nspr-devel-4.25-3.12.1 mozilla-nss-3.53-3.40.1 mozilla-nss-certs-3.53-3.40.1 mozilla-nss-certs-debuginfo-3.53-3.40.1 mozilla-nss-debuginfo-3.53-3.40.1 mozilla-nss-debugsource-3.53-3.40.1 mozilla-nss-devel-3.53-3.40.1 mozilla-nss-sysinit-3.53-3.40.1 mozilla-nss-sysinit-debuginfo-3.53-3.40.1 mozilla-nss-tools-3.53-3.40.1 mozilla-nss-tools-debuginfo-3.53-3.40.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 (aarch64 ppc64le s390x x86_64): libfreebl3-hmac-3.53-3.40.1 libsoftokn3-hmac-3.53-3.40.1 mozilla-nss-debuginfo-3.53-3.40.1 mozilla-nss-debugsource-3.53-3.40.1 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): libfreebl3-hmac-3.53-3.40.1 libsoftokn3-hmac-3.53-3.40.1 mozilla-nss-debuginfo-3.53-3.40.1 mozilla-nss-debugsource-3.53-3.40.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libfreebl3-3.53-3.40.1 libfreebl3-debuginfo-3.53-3.40.1 libsoftokn3-3.53-3.40.1 libsoftokn3-debuginfo-3.53-3.40.1 mozilla-nspr-4.25-3.12.1 mozilla-nspr-debuginfo-4.25-3.12.1 mozilla-nspr-debugsource-4.25-3.12.1 mozilla-nspr-devel-4.25-3.12.1 mozilla-nss-3.53-3.40.1 mozilla-nss-certs-3.53-3.40.1 
mozilla-nss-certs-debuginfo-3.53-3.40.1 mozilla-nss-debuginfo-3.53-3.40.1 mozilla-nss-debugsource-3.53-3.40.1 mozilla-nss-devel-3.53-3.40.1 mozilla-nss-sysinit-3.53-3.40.1 mozilla-nss-sysinit-debuginfo-3.53-3.40.1 mozilla-nss-tools-3.53-3.40.1 mozilla-nss-tools-debuginfo-3.53-3.40.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): libfreebl3-32bit-3.53-3.40.1 libfreebl3-32bit-debuginfo-3.53-3.40.1 libsoftokn3-32bit-3.53-3.40.1 libsoftokn3-32bit-debuginfo-3.53-3.40.1 mozilla-nspr-32bit-4.25-3.12.1 mozilla-nspr-32bit-debuginfo-4.25-3.12.1 mozilla-nss-32bit-3.53-3.40.1 mozilla-nss-32bit-debuginfo-3.53-3.40.1 mozilla-nss-certs-32bit-3.53-3.40.1 mozilla-nss-certs-32bit-debuginfo-3.53-3.40.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libfreebl3-3.53-3.40.1 libfreebl3-debuginfo-3.53-3.40.1 libsoftokn3-3.53-3.40.1 libsoftokn3-debuginfo-3.53-3.40.1 mozilla-nspr-4.25-3.12.1 mozilla-nspr-debuginfo-4.25-3.12.1 mozilla-nspr-debugsource-4.25-3.12.1 mozilla-nspr-devel-4.25-3.12.1 mozilla-nss-3.53-3.40.1 mozilla-nss-certs-3.53-3.40.1 mozilla-nss-certs-debuginfo-3.53-3.40.1 mozilla-nss-debuginfo-3.53-3.40.1 mozilla-nss-debugsource-3.53-3.40.1 mozilla-nss-devel-3.53-3.40.1 mozilla-nss-sysinit-3.53-3.40.1 mozilla-nss-sysinit-debuginfo-3.53-3.40.1 mozilla-nss-tools-3.53-3.40.1 mozilla-nss-tools-debuginfo-3.53-3.40.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libfreebl3-32bit-3.53-3.40.1 libfreebl3-32bit-debuginfo-3.53-3.40.1 libsoftokn3-32bit-3.53-3.40.1 libsoftokn3-32bit-debuginfo-3.53-3.40.1 mozilla-nspr-32bit-4.25-3.12.1 mozilla-nspr-32bit-debuginfo-4.25-3.12.1 mozilla-nss-32bit-3.53-3.40.1 mozilla-nss-32bit-debuginfo-3.53-3.40.1 mozilla-nss-certs-32bit-3.53-3.40.1 mozilla-nss-certs-32bit-debuginfo-3.53-3.40.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libfreebl3-3.53-3.40.1 libfreebl3-debuginfo-3.53-3.40.1 libfreebl3-hmac-3.53-3.40.1 libsoftokn3-3.53-3.40.1 
libsoftokn3-debuginfo-3.53-3.40.1 libsoftokn3-hmac-3.53-3.40.1 mozilla-nspr-4.25-3.12.1 mozilla-nspr-debuginfo-4.25-3.12.1 mozilla-nspr-debugsource-4.25-3.12.1 mozilla-nspr-devel-4.25-3.12.1 mozilla-nss-3.53-3.40.1 mozilla-nss-certs-3.53-3.40.1 mozilla-nss-certs-debuginfo-3.53-3.40.1 mozilla-nss-debuginfo-3.53-3.40.1 mozilla-nss-debugsource-3.53-3.40.1 mozilla-nss-devel-3.53-3.40.1 mozilla-nss-sysinit-3.53-3.40.1 mozilla-nss-sysinit-debuginfo-3.53-3.40.1 mozilla-nss-tools-3.53-3.40.1 mozilla-nss-tools-debuginfo-3.53-3.40.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libfreebl3-32bit-3.53-3.40.1 libfreebl3-32bit-debuginfo-3.53-3.40.1 libfreebl3-hmac-32bit-3.53-3.40.1 libsoftokn3-32bit-3.53-3.40.1 libsoftokn3-32bit-debuginfo-3.53-3.40.1 libsoftokn3-hmac-32bit-3.53-3.40.1 mozilla-nspr-32bit-4.25-3.12.1 mozilla-nspr-32bit-debuginfo-4.25-3.12.1 mozilla-nss-32bit-3.53-3.40.1 mozilla-nss-32bit-debuginfo-3.53-3.40.1 mozilla-nss-certs-32bit-3.53-3.40.1 mozilla-nss-certs-32bit-debuginfo-3.53-3.40.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libfreebl3-3.53-3.40.1 libfreebl3-debuginfo-3.53-3.40.1 libfreebl3-hmac-3.53-3.40.1 libsoftokn3-3.53-3.40.1 libsoftokn3-debuginfo-3.53-3.40.1 libsoftokn3-hmac-3.53-3.40.1 mozilla-nspr-4.25-3.12.1 mozilla-nspr-debuginfo-4.25-3.12.1 mozilla-nspr-debugsource-4.25-3.12.1 mozilla-nspr-devel-4.25-3.12.1 mozilla-nss-3.53-3.40.1 mozilla-nss-certs-3.53-3.40.1 mozilla-nss-certs-debuginfo-3.53-3.40.1 mozilla-nss-debuginfo-3.53-3.40.1 mozilla-nss-debugsource-3.53-3.40.1 mozilla-nss-devel-3.53-3.40.1 mozilla-nss-sysinit-3.53-3.40.1 mozilla-nss-sysinit-debuginfo-3.53-3.40.1 mozilla-nss-tools-3.53-3.40.1 mozilla-nss-tools-debuginfo-3.53-3.40.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libfreebl3-32bit-3.53-3.40.1 libfreebl3-32bit-debuginfo-3.53-3.40.1 libfreebl3-hmac-32bit-3.53-3.40.1 libsoftokn3-32bit-3.53-3.40.1 libsoftokn3-32bit-debuginfo-3.53-3.40.1 
libsoftokn3-hmac-32bit-3.53-3.40.1 mozilla-nspr-32bit-4.25-3.12.1 mozilla-nspr-32bit-debuginfo-4.25-3.12.1 mozilla-nss-32bit-3.53-3.40.1 mozilla-nss-32bit-debuginfo-3.53-3.40.1 mozilla-nss-certs-32bit-3.53-3.40.1 mozilla-nss-certs-32bit-debuginfo-3.53-3.40.1 References: https://www.suse.com/security/cve/CVE-2019-17006.html https://www.suse.com/security/cve/CVE-2020-12399.html https://bugzilla.suse.com/1159819 https://bugzilla.suse.com/1169746 https://bugzilla.suse.com/1171978 From sle-updates at lists.suse.com Thu Jun 18 16:18:09 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 19 Jun 2020 00:18:09 +0200 (CEST) Subject: SUSE-RU-2020:1679-1: moderate: Recommended update for cloud-init Message-ID: <20200618221809.CCC4DFD07@maintenance.suse.de> SUSE Recommended Update: Recommended update for cloud-init ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1679-1 Rating: moderate References: #1170154 #1171546 #1171995 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. Description: This update for cloud-init contains the following fixes: - rsyslog warning, '~' is deprecated: (bsc#1170154) + replace deprecated syntax '& ~' by '& stop' for more information please see https://www.rsyslog.com/rsyslog-error-2307/. + Explicitly test for netconfig version 1 as well as 2. + Handle netconfig v2 device configurations (bsc#1171546, bsc#1171995) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2020-1679=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15 (aarch64 ppc64le s390x x86_64): cloud-init-19.4-5.30.3 cloud-init-config-suse-19.4-5.30.3 References: https://bugzilla.suse.com/1170154 https://bugzilla.suse.com/1171546 https://bugzilla.suse.com/1171995 From sle-updates at lists.suse.com Fri Jun 19 04:14:00 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 19 Jun 2020 12:14:00 +0200 (CEST) Subject: SUSE-RU-2020:1680-1: moderate: Recommended update for python-applicationinsights, python-portalocker, python-sshtunnel Message-ID: <20200619101400.46462F749@maintenance.suse.de> SUSE Recommended Update: Recommended update for python-applicationinsights, python-portalocker, python-sshtunnel ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1680-1 Rating: moderate References: #1138748 Affected Products: SUSE Linux Enterprise Module for Public Cloud 12 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for python-applicationinsights, python-portalocker, python-sshtunnel fixes the following issues: python-applicationinsights was updated to 0.11.6: + For detailed information about changes see the CHANGELOG.md file provided with this package python-portalocker was included in version 1.4.0. + The default cache directory has been renamed from .cache to .pytest_cache after community feedback that the name .cache did not make it clear that it was used by pytest. (#3138) + Colorize the levelname column in the live-log output. (#3142) python-sshtunnel was included in version 0.1.5. 
Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-1680=1

Package List:

   - SUSE Linux Enterprise Module for Public Cloud 12 (noarch):

      python-applicationinsights-0.11.6-2.7.1
      python3-applicationinsights-0.11.6-2.7.1
      python3-portalocker-1.4.0-2.3.6
      python3-sshtunnel-0.1.5-2.4.2

References:

   https://bugzilla.suse.com/1138748

From sle-updates at lists.suse.com Fri Jun 19 07:13:14 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 19 Jun 2020 15:13:14 +0200 (CEST)
Subject: SUSE-SU-2020:1684-1: important: Security update for java-1_8_0-ibm
Message-ID: <20200619131314.3E765F749@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_8_0-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1684-1
Rating:             important
References:         #1160968 #1169511 #1171352 #1172277
Cross-References:   CVE-2019-2949 CVE-2020-2654 CVE-2020-2754
                    CVE-2020-2755 CVE-2020-2756 CVE-2020-2757
                    CVE-2020-2781 CVE-2020-2800 CVE-2020-2803
                    CVE-2020-2805 CVE-2020-2830
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Legacy Software 15-SP2
                    SUSE Linux Enterprise Module for Legacy Software 15-SP1
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available.
Description:

   This update for java-1_8_0-ibm fixes the following issues:

   java-1_8_0-ibm was updated to Java 8.0 Service Refresh 6 Fix Pack 10
   (bsc#1172277,bsc#1169511,bsc#1160968)

   - CVE-2020-2654: Fixed an issue which could have resulted in unauthorized
     ability to cause a partial denial of service
   - CVE-2020-2754: Forwarded references to Nashorn
   - CVE-2020-2755: Improved Nashorn matching
   - CVE-2020-2756: Improved mapping of serial ENUMs
   - CVE-2020-2757: Less Blocking Array Queues
   - CVE-2020-2781: Improved TLS session handling
   - CVE-2020-2800: Improved Headings for HTTP Servers
   - CVE-2020-2803: Enhanced buffering of byte buffers
   - CVE-2020-2805: Enhanced typing of methods
   - CVE-2020-2830: Improved Scanner conversions
   - CVE-2019-2949: Fixed an issue which could have resulted in unauthorized
     access to critical data
   - Added RSA PSS SUPPORT TO IBMPKCS11IMPL
   - The pack200 and unpack200 alternatives should be slaves of java
     (bsc#1171352).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1684=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1684=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP2: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP2-2020-1684=1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2020-1684=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): java-1_8_0-ibm-1.8.0_sr6.10-3.38.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-3.38.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr6.10-3.38.1 java-1_8_0-ibm-plugin-1.8.0_sr6.10-3.38.1 - SUSE Linux Enterprise Server 15-LTSS (s390x): java-1_8_0-ibm-1.8.0_sr6.10-3.38.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-3.38.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (ppc64le s390x x86_64): java-1_8_0-ibm-1.8.0_sr6.10-3.38.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-3.38.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP2 (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr6.10-3.38.1 java-1_8_0-ibm-plugin-1.8.0_sr6.10-3.38.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (ppc64le s390x x86_64): java-1_8_0-ibm-1.8.0_sr6.10-3.38.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-3.38.1 - SUSE Linux Enterprise Module for Legacy Software 15-SP1 (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr6.10-3.38.1 java-1_8_0-ibm-plugin-1.8.0_sr6.10-3.38.1 References: https://www.suse.com/security/cve/CVE-2019-2949.html https://www.suse.com/security/cve/CVE-2020-2654.html https://www.suse.com/security/cve/CVE-2020-2754.html https://www.suse.com/security/cve/CVE-2020-2755.html https://www.suse.com/security/cve/CVE-2020-2756.html https://www.suse.com/security/cve/CVE-2020-2757.html https://www.suse.com/security/cve/CVE-2020-2781.html https://www.suse.com/security/cve/CVE-2020-2800.html 
   https://www.suse.com/security/cve/CVE-2020-2803.html
   https://www.suse.com/security/cve/CVE-2020-2805.html
   https://www.suse.com/security/cve/CVE-2020-2830.html
   https://bugzilla.suse.com/1160968
   https://bugzilla.suse.com/1169511
   https://bugzilla.suse.com/1171352
   https://bugzilla.suse.com/1172277

From sle-updates at lists.suse.com Fri Jun 19 07:14:22 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 19 Jun 2020 15:14:22 +0200 (CEST)
Subject: SUSE-RU-2020:1689-1: important: Recommended update for audit
Message-ID: <20200619131422.75D00F749@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for audit
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:1689-1
Rating:             important
References:         #1156159 #1172295
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that has two recommended fixes can now be installed.

Description:

   This update for audit fixes the following issues:

   - Fix specfile to require libauparse0 and libaudit1 after splitting
     audit-libs. (bsc#1172295)
   - Fix hang on startup. (bsc#1156159)

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1689=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1689=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1689=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1689=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1689=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1689=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1689=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): audit-2.8.1-8.8.1 audit-audispd-plugins-2.8.1-8.8.1 audit-debugsource-2.8.1-8.8.1 libaudit1-2.8.1-8.8.1 libaudit1-32bit-2.8.1-8.8.1 libaudit1-debuginfo-2.8.1-8.8.1 libaudit1-debuginfo-32bit-2.8.1-8.8.1 libauparse0-2.8.1-8.8.1 libauparse0-debuginfo-2.8.1-8.8.1 python2-audit-2.8.1-8.8.1 - SUSE OpenStack Cloud 8 (x86_64): audit-2.8.1-8.8.1 audit-audispd-plugins-2.8.1-8.8.1 audit-debugsource-2.8.1-8.8.1 libaudit1-2.8.1-8.8.1 libaudit1-32bit-2.8.1-8.8.1 libaudit1-debuginfo-2.8.1-8.8.1 libaudit1-debuginfo-32bit-2.8.1-8.8.1 libauparse0-2.8.1-8.8.1 libauparse0-debuginfo-2.8.1-8.8.1 python2-audit-2.8.1-8.8.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): audit-2.8.1-8.8.1 audit-audispd-plugins-2.8.1-8.8.1 audit-debugsource-2.8.1-8.8.1 libaudit1-2.8.1-8.8.1 libaudit1-debuginfo-2.8.1-8.8.1 libauparse0-2.8.1-8.8.1 libauparse0-debuginfo-2.8.1-8.8.1 python2-audit-2.8.1-8.8.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libaudit1-32bit-2.8.1-8.8.1 libaudit1-debuginfo-32bit-2.8.1-8.8.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): audit-2.8.1-8.8.1 audit-audispd-plugins-2.8.1-8.8.1 audit-debugsource-2.8.1-8.8.1 libaudit1-2.8.1-8.8.1 libaudit1-debuginfo-2.8.1-8.8.1 libauparse0-2.8.1-8.8.1 
libauparse0-debuginfo-2.8.1-8.8.1 python2-audit-2.8.1-8.8.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libaudit1-32bit-2.8.1-8.8.1 libaudit1-debuginfo-32bit-2.8.1-8.8.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): audit-2.8.1-8.8.1 audit-audispd-plugins-2.8.1-8.8.1 audit-debugsource-2.8.1-8.8.1 libaudit1-2.8.1-8.8.1 libaudit1-32bit-2.8.1-8.8.1 libaudit1-debuginfo-2.8.1-8.8.1 libaudit1-debuginfo-32bit-2.8.1-8.8.1 libauparse0-2.8.1-8.8.1 libauparse0-debuginfo-2.8.1-8.8.1 python2-audit-2.8.1-8.8.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): audit-2.8.1-8.8.1 audit-audispd-plugins-2.8.1-8.8.1 audit-debugsource-2.8.1-8.8.1 libaudit1-2.8.1-8.8.1 libaudit1-debuginfo-2.8.1-8.8.1 libauparse0-2.8.1-8.8.1 libauparse0-debuginfo-2.8.1-8.8.1 python2-audit-2.8.1-8.8.1 - SUSE Enterprise Storage 5 (x86_64): libaudit1-32bit-2.8.1-8.8.1 libaudit1-debuginfo-32bit-2.8.1-8.8.1 - HPE Helion Openstack 8 (x86_64): audit-2.8.1-8.8.1 audit-audispd-plugins-2.8.1-8.8.1 audit-debugsource-2.8.1-8.8.1 libaudit1-2.8.1-8.8.1 libaudit1-32bit-2.8.1-8.8.1 libaudit1-debuginfo-2.8.1-8.8.1 libaudit1-debuginfo-32bit-2.8.1-8.8.1 libauparse0-2.8.1-8.8.1 libauparse0-debuginfo-2.8.1-8.8.1 python2-audit-2.8.1-8.8.1 References: https://bugzilla.suse.com/1156159 https://bugzilla.suse.com/1172295 From sle-updates at lists.suse.com Fri Jun 19 07:15:15 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 19 Jun 2020 15:15:15 +0200 (CEST) Subject: SUSE-SU-2020:1681-1: important: Security update for fwupd Message-ID: <20200619131515.0701FF749@maintenance.suse.de> SUSE Security Update: Security update for fwupd ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1681-1 Rating: important References: #1172643 Cross-References: CVE-2020-10759 Affected Products: SUSE Linux Enterprise Module for Desktop Applications 15-SP1 ______________________________________________________________________________ An update 
   that fixes one vulnerability is now available.

Description:

   This update for fwupd fixes the following issues:

   - CVE-2020-10759: Fixed a potential PGP signature bypass, which could
     have led to installation of unsigned firmware (bsc#1172643)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP1-2020-1681=1

Package List:

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (aarch64 ppc64le s390x x86_64):

      fwupd-1.0.9-6.3.1
      fwupd-debuginfo-1.0.9-6.3.1
      fwupd-debugsource-1.0.9-6.3.1
      fwupd-devel-1.0.9-6.3.1
      libfwupd2-1.0.9-6.3.1
      libfwupd2-debuginfo-1.0.9-6.3.1
      typelib-1_0-Fwupd-2_0-1.0.9-6.3.1

   - SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (noarch):

      fwupd-lang-1.0.9-6.3.1

References:

   https://www.suse.com/security/cve/CVE-2020-10759.html
   https://bugzilla.suse.com/1172643

From sle-updates at lists.suse.com Fri Jun 19 07:16:09 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 19 Jun 2020 15:16:09 +0200 (CEST)
Subject: SUSE-SU-2020:1682-1: important: Security update for perl
Message-ID: <20200619131609.CC9F7F749@maintenance.suse.de>

   SUSE Security Update: Security update for perl
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1682-1
Rating:             important
References:         #1171863 #1171864 #1171866 #1172348
Cross-References:   CVE-2020-10543 CVE-2020-10878 CVE-2020-12723
Affected Products:
                    SUSE Linux Enterprise Server for SAP 15
                    SUSE Linux Enterprise Server 15-LTSS
                    SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2
                    SUSE Linux Enterprise Module for Development Tools 15-SP2
                    SUSE Linux Enterprise Module for Development Tools 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
                    SUSE Linux Enterprise High Performance Computing 15-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-ESPOS
______________________________________________________________________________

   An update that solves three vulnerabilities and has one errata is now
   available.

Description:

   This update for perl fixes the following issues:

   - CVE-2020-10543: Fixed a heap buffer overflow in regular expression
     compiler which could have allowed overwriting of allocated memory with
     attacker's data (bsc#1171863).
   - CVE-2020-10878: Fixed multiple integer overflows which could have
     allowed the insertion of instructions into the compiled form of Perl
     regular expression (bsc#1171864).
   - CVE-2020-12723: Fixed an attacker's corruption of the intermediate
     language state of a compiled regular expression (bsc#1171866).
   - Fixed a bad warning in features.ph (bsc#1172348).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1682=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1682=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2020-1682=1 - SUSE Linux Enterprise Module for Development Tools 15-SP2: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP2-2020-1682=1 - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1682=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1682=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1682=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1682=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1682=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): perl-5.26.1-7.12.1 perl-base-5.26.1-7.12.1 perl-base-debuginfo-5.26.1-7.12.1 perl-debuginfo-5.26.1-7.12.1 perl-debugsource-5.26.1-7.12.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): perl-doc-5.26.1-7.12.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): perl-32bit-debuginfo-5.26.1-7.12.1 perl-base-32bit-5.26.1-7.12.1 perl-base-32bit-debuginfo-5.26.1-7.12.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): perl-5.26.1-7.12.1 perl-base-5.26.1-7.12.1 perl-base-debuginfo-5.26.1-7.12.1 perl-debuginfo-5.26.1-7.12.1 perl-debugsource-5.26.1-7.12.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): perl-doc-5.26.1-7.12.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (x86_64): perl-32bit-5.26.1-7.12.1 perl-32bit-debuginfo-5.26.1-7.12.1 
perl-debugsource-5.26.1-7.12.1 - SUSE Linux Enterprise Module for Development Tools 15-SP2 (noarch): perl-doc-5.26.1-7.12.1 - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch): perl-doc-5.26.1-7.12.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): perl-5.26.1-7.12.1 perl-base-5.26.1-7.12.1 perl-base-debuginfo-5.26.1-7.12.1 perl-debuginfo-5.26.1-7.12.1 perl-debugsource-5.26.1-7.12.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): perl-32bit-debuginfo-5.26.1-7.12.1 perl-base-32bit-5.26.1-7.12.1 perl-base-32bit-debuginfo-5.26.1-7.12.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): perl-5.26.1-7.12.1 perl-base-5.26.1-7.12.1 perl-base-debuginfo-5.26.1-7.12.1 perl-debuginfo-5.26.1-7.12.1 perl-debugsource-5.26.1-7.12.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): perl-32bit-debuginfo-5.26.1-7.12.1 perl-base-32bit-5.26.1-7.12.1 perl-base-32bit-debuginfo-5.26.1-7.12.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): perl-5.26.1-7.12.1 perl-base-5.26.1-7.12.1 perl-base-debuginfo-5.26.1-7.12.1 perl-debuginfo-5.26.1-7.12.1 perl-debugsource-5.26.1-7.12.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): perl-doc-5.26.1-7.12.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): perl-32bit-debuginfo-5.26.1-7.12.1 perl-base-32bit-5.26.1-7.12.1 perl-base-32bit-debuginfo-5.26.1-7.12.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): perl-5.26.1-7.12.1 perl-base-5.26.1-7.12.1 perl-base-debuginfo-5.26.1-7.12.1 perl-debuginfo-5.26.1-7.12.1 perl-debugsource-5.26.1-7.12.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): perl-32bit-debuginfo-5.26.1-7.12.1 perl-base-32bit-5.26.1-7.12.1 perl-base-32bit-debuginfo-5.26.1-7.12.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): perl-doc-5.26.1-7.12.1 References: 
   https://www.suse.com/security/cve/CVE-2020-10543.html
   https://www.suse.com/security/cve/CVE-2020-10878.html
   https://www.suse.com/security/cve/CVE-2020-12723.html
   https://bugzilla.suse.com/1171863
   https://bugzilla.suse.com/1171864
   https://bugzilla.suse.com/1171866
   https://bugzilla.suse.com/1172348

From sle-updates at lists.suse.com Fri Jun 19 07:17:28 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 19 Jun 2020 15:17:28 +0200 (CEST)
Subject: SUSE-SU-2020:1683-1: important: Security update for java-1_7_1-ibm
Message-ID: <20200619131728.2B8DAF749@maintenance.suse.de>

   SUSE Security Update: Security update for java-1_7_1-ibm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1683-1
Rating:             important
References:         #1169511 #1172277
Cross-References:   CVE-2020-2654 CVE-2020-2756 CVE-2020-2757
                    CVE-2020-2781 CVE-2020-2800 CVE-2020-2803
                    CVE-2020-2805 CVE-2020-2830
Affected Products:
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Enterprise Storage 5
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that fixes 8 vulnerabilities is now available.
Description:

   This update for java-1_7_1-ibm fixes the following issues:

   java-1_7_1-ibm was updated to Java 7.1 Service Refresh 4 Fix Pack 65
   (bsc#1172277 and bsc#1169511)

   - CVE-2020-2654: Fixed an issue which could have resulted in unauthorized
     ability to cause a partial denial of service
   - CVE-2020-2756: Improved mapping of serial ENUMs
   - CVE-2020-2757: Less Blocking Array Queues
   - CVE-2020-2781: Improved TLS session handling
   - CVE-2020-2800: Improved Headings for HTTP Servers
   - CVE-2020-2803: Enhanced buffering of byte buffers
   - CVE-2020-2805: Enhanced typing of methods
   - CVE-2020-2830: Improved Scanner conversions

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1683=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1683=1

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1683=1

   - SUSE Linux Enterprise Software Development Kit 12-SP5:

      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1683=1

   - SUSE Linux Enterprise Software Development Kit 12-SP4:

      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1683=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1683=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1683=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1683=1

   - SUSE Linux Enterprise Server 12-SP4:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1683=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1683=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1683=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1683=1

   - SUSE Linux
Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1683=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1683=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1683=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): java-1_7_1-ibm-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1 - SUSE OpenStack Cloud 8 (x86_64): java-1_7_1-ibm-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1 - SUSE OpenStack Cloud 7 (s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1 - SUSE OpenStack Cloud 7 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (ppc64le s390x x86_64): java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (ppc64le s390x x86_64): java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): java-1_7_1-ibm-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): java-1_7_1-ibm-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Server 12-SP5 (ppc64le s390x x86_64): 
java-1_7_1-ibm-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Server 12-SP5 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Server 12-SP4 (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Server 12-SP4 (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): java-1_7_1-ibm-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): java-1_7_1-ibm-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): java-1_7_1-ibm-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1 - SUSE Enterprise Storage 5 (x86_64): java-1_7_1-ibm-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1 - HPE Helion Openstack 8 (x86_64): 
java-1_7_1-ibm-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-alsa-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-devel-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-jdbc-1.7.1_sr4.65-38.53.1 java-1_7_1-ibm-plugin-1.7.1_sr4.65-38.53.1 References: https://www.suse.com/security/cve/CVE-2020-2654.html https://www.suse.com/security/cve/CVE-2020-2756.html https://www.suse.com/security/cve/CVE-2020-2757.html https://www.suse.com/security/cve/CVE-2020-2781.html https://www.suse.com/security/cve/CVE-2020-2800.html https://www.suse.com/security/cve/CVE-2020-2803.html https://www.suse.com/security/cve/CVE-2020-2805.html https://www.suse.com/security/cve/CVE-2020-2830.html https://bugzilla.suse.com/1169511 https://bugzilla.suse.com/1172277 From sle-updates at lists.suse.com Fri Jun 19 07:18:24 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 19 Jun 2020 15:18:24 +0200 (CEST) Subject: SUSE-SU-2020:1685-1: important: Security update for java-1_8_0-ibm Message-ID: <20200619131824.48C38F749@maintenance.suse.de> SUSE Security Update: Security update for java-1_8_0-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1685-1 Rating: important References: #1160968 #1169511 #1171352 #1172277 Cross-References: CVE-2019-2949 CVE-2020-2654 CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2830 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 
8
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available.

Description:

   This update for java-1_8_0-ibm fixes the following issues:

   java-1_8_0-ibm was updated to Java 8.0 Service Refresh 6 Fix Pack 10
   (bsc#1172277,bsc#1169511,bsc#1160968)

   - CVE-2020-2654: Fixed an issue which could have resulted in unauthorized
     ability to cause a partial denial of service
   - CVE-2020-2754: Forwarded references to Nashorn
   - CVE-2020-2755: Improved Nashorn matching
   - CVE-2020-2756: Improved mapping of serial ENUMs
   - CVE-2020-2757: Less Blocking Array Queues
   - CVE-2020-2781: Improved TLS session handling
   - CVE-2020-2800: Improved Headings for HTTP Servers
   - CVE-2020-2803: Enhanced buffering of byte buffers
   - CVE-2020-2805: Enhanced typing of methods
   - CVE-2020-2830: Improved Scanner conversions
   - CVE-2019-2949: Fixed an issue which could have resulted in unauthorized
     access to critical data
   - Added RSA PSS SUPPORT TO IBMPKCS11IMPL
   - The pack200 and unpack200 alternatives should be slaves of java
     (bsc#1171352).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1685=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1685=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1685=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1685=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1685=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1685=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1685=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1685=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1685=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1685=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1685=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1685=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1685=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1685=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1685=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): java-1_8_0-ibm-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1 - SUSE OpenStack Cloud 8 (x86_64): java-1_8_0-ibm-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1 - SUSE OpenStack Cloud 7 (s390x x86_64): java-1_8_0-ibm-1.8.0_sr6.10-30.69.1 
java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1 - SUSE OpenStack Cloud 7 (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (ppc64le s390x x86_64): java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (ppc64le s390x x86_64): java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): java-1_8_0-ibm-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): java-1_8_0-ibm-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Server 12-SP5 (ppc64le s390x x86_64): java-1_8_0-ibm-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Server 12-SP5 (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Server 12-SP4 (ppc64le s390x x86_64): java-1_8_0-ibm-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Server 12-SP4 (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le s390x x86_64): java-1_8_0-ibm-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): java-1_8_0-ibm-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1 
java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): java-1_8_0-ibm-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): java-1_8_0-ibm-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1 - SUSE Enterprise Storage 5 (x86_64): java-1_8_0-ibm-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1 - HPE Helion Openstack 8 (x86_64): java-1_8_0-ibm-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-alsa-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-devel-1.8.0_sr6.10-30.69.1 java-1_8_0-ibm-plugin-1.8.0_sr6.10-30.69.1 References: https://www.suse.com/security/cve/CVE-2019-2949.html https://www.suse.com/security/cve/CVE-2020-2654.html https://www.suse.com/security/cve/CVE-2020-2754.html https://www.suse.com/security/cve/CVE-2020-2755.html https://www.suse.com/security/cve/CVE-2020-2756.html https://www.suse.com/security/cve/CVE-2020-2757.html https://www.suse.com/security/cve/CVE-2020-2781.html https://www.suse.com/security/cve/CVE-2020-2800.html https://www.suse.com/security/cve/CVE-2020-2803.html https://www.suse.com/security/cve/CVE-2020-2805.html https://www.suse.com/security/cve/CVE-2020-2830.html https://bugzilla.suse.com/1160968 https://bugzilla.suse.com/1169511 https://bugzilla.suse.com/1171352 https://bugzilla.suse.com/1172277 From sle-updates at lists.suse.com Fri Jun 19 07:19:39 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 19 Jun 2020 15:19:39 +0200 (CEST) Subject: SUSE-SU-2020:1687-1: moderate: Security update for libgxps Message-ID: <20200619131939.2797FF749@maintenance.suse.de> SUSE Security Update: Security 
update for libgxps ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1687-1 Rating: moderate References: #1092125 Cross-References: CVE-2018-10733 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libgxps fixes the following issues: - CVE-2018-10733: Fixed a heap-based buffer over-read issue in ft_font_face_hash (bsc#1092125). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1687=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1687=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1687=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1687=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libgxps-debugsource-0.2.2-10.3.5 libgxps-devel-0.2.2-10.3.5 typelib-1_0-GXPS-0_1-0.2.2-10.3.5 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libgxps-debugsource-0.2.2-10.3.5 libgxps-devel-0.2.2-10.3.5 typelib-1_0-GXPS-0_1-0.2.2-10.3.5 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libgxps-debugsource-0.2.2-10.3.5 libgxps2-0.2.2-10.3.5 libgxps2-debuginfo-0.2.2-10.3.5 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libgxps-debugsource-0.2.2-10.3.5 libgxps2-0.2.2-10.3.5 
libgxps2-debuginfo-0.2.2-10.3.5 References: https://www.suse.com/security/cve/CVE-2018-10733.html https://bugzilla.suse.com/1092125 From sle-updates at lists.suse.com Fri Jun 19 07:20:26 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 19 Jun 2020 15:20:26 +0200 (CEST) Subject: SUSE-SU-2020:1686-1: important: Security update for java-1_8_0-openjdk Message-ID: <20200619132026.4509BF749@maintenance.suse.de> SUSE Security Update: Security update for java-1_8_0-openjdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1686-1 Rating: important References: #1160398 #1169511 Cross-References: CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2773 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2830 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes 10 vulnerabilities is now available. 
Description: This update for java-1_8_0-openjdk to version jdk8u252 fixes the following issues: - CVE-2020-2754: Forward references to Nashorn (bsc#1169511) - CVE-2020-2755: Improve Nashorn matching (bsc#1169511) - CVE-2020-2756: Better mapping of serial ENUMs (bsc#1169511) - CVE-2020-2757: Less Blocking Array Queues (bsc#1169511) - CVE-2020-2773: Better signatures in XML (bsc#1169511) - CVE-2020-2781: Improve TLS session handling (bsc#1169511) - CVE-2020-2800: Better Headings for HTTP Servers (bsc#1169511) - CVE-2020-2803: Enhance buffering of byte buffers (bsc#1169511) - CVE-2020-2805: Enhance typing of methods (bsc#1169511) - CVE-2020-2830: Better Scanner conversions (bsc#1169511) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1686=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1686=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1686=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1686=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1686=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1686=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1686=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1686=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1686=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1686=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1686=1 - SUSE Enterprise Storage 5: zypper in -t patch 
SUSE-Storage-5-2020-1686=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1686=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): java-1_8_0-openjdk-1.8.0.252-27.45.6 java-1_8_0-openjdk-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-debugsource-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-27.45.6 - SUSE OpenStack Cloud 8 (x86_64): java-1_8_0-openjdk-1.8.0.252-27.45.6 java-1_8_0-openjdk-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-debugsource-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-27.45.6 - SUSE OpenStack Cloud 7 (s390x x86_64): java-1_8_0-openjdk-1.8.0.252-27.45.6 java-1_8_0-openjdk-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-debugsource-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-27.45.6 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): java-1_8_0-openjdk-1.8.0.252-27.45.6 java-1_8_0-openjdk-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-debugsource-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-1.8.0.252-27.45.6 
java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-27.45.6 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): java-1_8_0-openjdk-1.8.0.252-27.45.6 java-1_8_0-openjdk-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-debugsource-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-27.45.6 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.252-27.45.6 java-1_8_0-openjdk-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-debugsource-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-27.45.6 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.252-27.45.6 java-1_8_0-openjdk-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-debugsource-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-27.45.6 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.252-27.45.6 java-1_8_0-openjdk-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-debugsource-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-1.8.0.252-27.45.6 
java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-27.45.6 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): java-1_8_0-openjdk-1.8.0.252-27.45.6 java-1_8_0-openjdk-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-debugsource-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-27.45.6 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.252-27.45.6 java-1_8_0-openjdk-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-debugsource-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-27.45.6 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): java-1_8_0-openjdk-1.8.0.252-27.45.6 java-1_8_0-openjdk-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-debugsource-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-27.45.6 - SUSE Enterprise Storage 5 (aarch64 x86_64): java-1_8_0-openjdk-1.8.0.252-27.45.6 java-1_8_0-openjdk-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-debugsource-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-27.45.6 - HPE Helion Openstack 8 
(x86_64): java-1_8_0-openjdk-1.8.0.252-27.45.6 java-1_8_0-openjdk-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-debugsource-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-1.8.0.252-27.45.6 java-1_8_0-openjdk-demo-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-1.8.0.252-27.45.6 java-1_8_0-openjdk-devel-debuginfo-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-1.8.0.252-27.45.6 java-1_8_0-openjdk-headless-debuginfo-1.8.0.252-27.45.6 References: https://www.suse.com/security/cve/CVE-2020-2754.html https://www.suse.com/security/cve/CVE-2020-2755.html https://www.suse.com/security/cve/CVE-2020-2756.html https://www.suse.com/security/cve/CVE-2020-2757.html https://www.suse.com/security/cve/CVE-2020-2773.html https://www.suse.com/security/cve/CVE-2020-2781.html https://www.suse.com/security/cve/CVE-2020-2800.html https://www.suse.com/security/cve/CVE-2020-2803.html https://www.suse.com/security/cve/CVE-2020-2805.html https://www.suse.com/security/cve/CVE-2020-2830.html https://bugzilla.suse.com/1160398 https://bugzilla.suse.com/1169511 From sle-updates at lists.suse.com Fri Jun 19 07:21:27 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 19 Jun 2020 15:21:27 +0200 (CEST) Subject: SUSE-RU-2020:1690-1: moderate: Recommended update for powerpc-utils Message-ID: <20200619132127.340E7F749@maintenance.suse.de> SUSE Recommended Update: Recommended update for powerpc-utils ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1690-1 Rating: moderate References: #1160890 #1164068 #1164726 #1171892 Affected Products: SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that has four recommended fixes can now be installed. Description: This update for powerpc-utils fixes the following issues: - Could not retrieve logical device name for Open Firmware path. 
(bsc#1164068) - Fixed one instance where the previous change corrupted the exit status of a command. (bsc#1164068) - Stop using /sbin/udevadm symlink. (bsc#1160890) - Remove a trailing NUL ('\0') byte from a vendor_id contents. (bsc#1171892) - Reduce the number of searches of /sys by searching directly in /sys/class/block. (bsc#1164726) - Reduce the number of searches of /sys by caching the content of a single search into a file in /tmp. (bsc#1164726) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1690=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1690=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (ppc64le): powerpc-utils-1.3.7.1-5.14.1 powerpc-utils-debuginfo-1.3.7.1-5.14.1 powerpc-utils-debugsource-1.3.7.1-5.14.1 - SUSE Linux Enterprise Server 12-SP4 (ppc64le): powerpc-utils-1.3.7.1-5.14.1 powerpc-utils-debuginfo-1.3.7.1-5.14.1 powerpc-utils-debugsource-1.3.7.1-5.14.1 References: https://bugzilla.suse.com/1160890 https://bugzilla.suse.com/1164068 https://bugzilla.suse.com/1164726 https://bugzilla.suse.com/1171892 From sle-updates at lists.suse.com Fri Jun 19 07:22:31 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 19 Jun 2020 15:22:31 +0200 (CEST) Subject: SUSE-RU-2020:1688-1: important: Recommended update for dracut Message-ID: <20200619132231.8F8DFF749@maintenance.suse.de> SUSE Recommended Update: Recommended update for dracut ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1688-1 Rating: important References: #1171370 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that has 
one recommended fix can now be installed. Description: This update for dracut fixes the following issue: - modules.d: fix udev rules detection of multipath devices. (bsc#1171370) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1688=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): dracut-044.2-17.12.1 dracut-debuginfo-044.2-17.12.1 dracut-debugsource-044.2-17.12.1 dracut-fips-044.2-17.12.1 References: https://bugzilla.suse.com/1171370 From sle-updates at lists.suse.com Fri Jun 19 10:13:36 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 19 Jun 2020 18:13:36 +0200 (CEST) Subject: SUSE-SU-2020:1695-1: moderate: Security update for osc Message-ID: <20200619161336.7D025F749@maintenance.suse.de> SUSE Security Update: Security update for osc ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1695-1 Rating: moderate References: #1122675 Cross-References: CVE-2019-3681 Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for osc to 0.169.1 fixes the following issues: Security issue fixed: - CVE-2019-3681: Fixed an insufficient validation of network-controlled filesystem paths (bsc#1122675). Non-security issues fixed: - Improved the speed and usability of osc bash completion. - improved some error messages. - osc add: support git@ (private github) or git:// URLs correctly. - Split dependson and whatdependson commands. - Added support for osc build --shell-cmd. - Added pkg-ccache support for osc build. 
- Added --ccache option to osc getbinaries Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1695=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP1 (noarch): osc-0.169.1-3.20.1 References: https://www.suse.com/security/cve/CVE-2019-3681.html https://bugzilla.suse.com/1122675 From sle-updates at lists.suse.com Fri Jun 19 10:14:25 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 19 Jun 2020 18:14:25 +0200 (CEST) Subject: SUSE-SU-2020:1693-1: important: Security update for the Linux Kernel Message-ID: <20200619161425.026A0F749@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1693-1 Rating: important References: #1051510 #1065729 #1071995 #1085030 #1111666 #1113956 #1114279 #1144333 #1148868 #1158983 #1161016 #1162063 #1166985 #1168081 #1169194 #1170592 #1171904 #1172458 #1172472 #1172537 #1172538 #1172759 #1172775 #1172781 #1172782 #1172783 #1172884 Cross-References: CVE-2019-20810 CVE-2020-10766 CVE-2020-10767 CVE-2020-10768 CVE-2020-13974 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise High Availability 12-SP5 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has 22 fixes is now available. Description: The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes. 
The following security bugs were fixed: - CVE-2020-10768: The prctl() function could be used to enable indirect branch speculation even after it has been disabled. (bnc#1172783) - CVE-2020-10766: A bug in the logic handling could allow an attacker with a local account to disable SSBD protection. (bnc#1172781) - CVE-2020-10767: An IBPB would be disabled when STIBP was not available or when Enhanced Indirect Branch Restricted Speculation (IBRS) was available. This unexpected behaviour could leave the system open to a Spectre v2 style attack (bnc#1172782) - CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii was called several times in a row (bnc#1172775) - CVE-2019-20810: go7007_snd_init did not call snd_card_free for a failure path, which caused a memory leak (bnc#1172458) The following non-security bugs were fixed: - ACPI: PM: Avoid using power resources if there are none for D0 (bsc#1051510). - ALSA: es1688: Add the missed snd_card_free() (bsc#1051510). - ALSA: hda/hdmi - enable runtime pm for newer AMD display audio (bsc#1111666). - ALSA: hda/realtek - Add LED class support for micmute LED (bsc#1111666). - ALSA: hda/realtek - Enable micmute LED on and HP system (bsc#1111666). - ALSA: hda/realtek - Fix unused variable warning w/o CONFIG_LEDS_TRIGGER_AUDIO (bsc#1111666). - ALSA: hda/realtek - Introduce polarity for micmute LED GPIO (bsc#1111666). - ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines (bsc#1111666). - ALSA: hda: Add ElkhartLake HDMI codec vid (bsc#1111666). - ALSA: hda: add sienna_cichlid audio asic id for sienna_cichlid up (bsc#1111666). - ALSA: pcm: disallow linking stream to itself (bsc#1111666). - ALSA: usb-audio: Add Pioneer DJ DJM-900NXS2 support (bsc#1111666). - ALSA: usb-audio: Add duplex sound support for USB devices using implicit feedback (bsc#1111666). - ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt Dock (bsc#1111666). 
- ALSA: usb-audio: Clean up quirk entries with macros (bsc#1111666). - ALSA: usb-audio: Fix inconsistent card PM state after resume (bsc#1111666). - ALSA: usb-audio: Fix racy list management in output queue (bsc#1111666). - ALSA: usb-audio: Manage auto-pm of all bundled interfaces (bsc#1111666). - ALSA: usb-audio: Use the new macro for HP Dock rename quirks (bsc#1111666). - CDC-ACM: heed quirk also in error handling (git-fixes). - HID: sony: Fix for broken buttons on DS3 USB dongles (bsc#1051510). - KVM: x86/mmu: Set mmio_value to '0' if reserved #PF can't be generated (bsc#1171904). - KVM: x86: only do L1TF workaround on affected processors (bsc#1171904). - NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid() (bsc#1170592). - NFSv4: Retry CLOSE and DELEGRETURN on NFS4ERR_OLD_STATEID (bsc#1170592). - PCI/PM: Call .bridge_d3() hook only if non-NULL (git-fixes). - PCI/PTM: Inherit Switch Downstream Port PTM settings from Upstream Port (bsc#1051510). - PCI: Allow pci_resize_resource() for devices on root bus (bsc#1051510). - PCI: Fix pci_register_host_bridge() device_register() error handling (bsc#1051510). - PCI: Program MPS for RCiEP devices (bsc#1051510). - RDMA/efa: Fix setting of wrong bit in get/set_feature commands (bsc#1111666) - RDMA/efa: Support remote read access in MR registration (bsc#1111666) - RDMA/efa: Unified getters/setters for device structs bitmask access (bsc#1111666) - USB: gadget: udc: s3c2410_udc: Remove pointless NULL check in s3c2410_udc_nuke (bsc#1051510). - USB: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe() (bsc#1051510). - USB: serial: option: add Telit LE910C1-EUX compositions (bsc#1051510). - USB: serial: qcserial: add DW5816e QDL support (bsc#1051510). - USB: serial: usb_wwan: do not resubmit rx urb on fatal errors (bsc#1051510). - USB: serial: usb_wwan: do not resubmit rx urb on fatal errors (git-fixes). - arm64: map FDT as RW for early_init_dt_scan() (jsc#SLE-12423). 
- bcache: Fix an error code in bch_dump_read() (git fixes (block drivers)). - block: remove QUEUE_FLAG_STACKABLE (git fixes (block drivers)). - block: sed-opal: fix sparse warning: convert __be64 data (git fixes (block drivers)). - brcmfmac: fix wrong location to get firmware feature (bsc#1111666). - btrfs: do not zero f_bavail if we have available space (bsc#1168081). - char/random: Add a newline at the end of the file (jsc#SLE-12423). - cifs: get rid of unused parameter in reconn_setup_dfs_targets() (bsc#1144333). - cifs: handle hostnames that resolve to same ip in failover (bsc#1144333 bsc#1161016). - cifs: set up next DFS target before generic_ip_connect() (bsc#1144333 bsc#1161016). - clk: bcm2835: Fix return type of bcm2835_register_gate (bsc#1051510). - clk: clk-flexgen: fix clock-critical handling (bsc#1051510). - clk: sunxi: Fix incorrect usage of round_down() (bsc#1051510). - compat_ioctl: block: handle BLKREPORTZONE/BLKRESETZONE (git fixes (block drivers)). - compat_ioctl: block: handle Persistent Reservations (git fixes (block drivers)). - copy_{to,from}_user(): consolidate object size checks (git fixes). - crypto: caam - update xts sector size for large input length (bsc#1111666). - crypto: chelsio/chtls: properly set tp->lsndtime (bsc#1111666). - dm btree: increase rebalance threshold in __rebalance2() (git fixes (block drivers)). - dm cache: fix a crash due to incorrect work item cancelling (git fixes (block drivers)). - dm crypt: fix benbi IV constructor crash if used in authenticated mode (git fixes (block drivers)). - dm space map common: fix to ensure new block isn't already in use (git fixes (block drivers)). - dm verity fec: fix hash block number in verity_fec_decode (git fixes (block drivers)). - dm verity fec: fix memory leak in verity_fec_dtr (git fixes (block drivers)). - dm: fix potential for q->make_request_fn NULL pointer (git fixes (block drivers)). 
- dm: various cleanups to md->queue initialization code (git fixes). - dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' (bsc#1111666). - drivers: soc: ti: knav_qmss_queue: Make knav_gp_range_ops static (bsc#1051510). - drm/i915: Whitelist context-local timestamp in the gen9 cmdparser (bsc#1111666). - drm: amd/display: fix Kconfig help text (bsc#1113956) - efi/random: Increase size of firmware supplied randomness (jsc#SLE-12423). - efi/random: Treat EFI_RNG_PROTOCOL output as bootloader randomness (jsc#SLE-12423). - efi: READ_ONCE rng seed size before munmap (jsc#SLE-12423). - efi: Reorder pr_notice() with add_device_randomness() call (jsc#SLE-12423). - evm: Check also if *tfm is an error pointer in init_desc() (bsc#1051510). - evm: Fix a small race in init_desc() (bsc#1051510). - extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' (bsc#1051510). - fdt: Update CRC check for rng-seed (jsc#SLE-12423). - fdt: add support for rng-seed (jsc#SLE-12423). - firmware: imx: scu: Fix corruption of header (git-fixes). - firmware: imx: scu: Fix possible memory leak in imx_scu_probe() (bsc#1111666). - firmware: revert letter case change which broke compatibility with the SAP license generator (bsc#1172472). - fpga: dfl: afu: Corrected error handling levels (git-fixes). - fs/reiserfs: Reenabled reiserfs (bsc#1172884) - gpiolib: Document that GPIO line names are not globally unique (bsc#1051510). - gpu: ipu-v3: pre: do not trigger update if buffer address does not change (bsc#1111666). - iio: buffer: Do not allow buffers without any channels enabled to be activated (bsc#1051510). - iio: pressure: bmp280: Tolerate IRQ before registering (bsc#1051510). - ima: Directly assign the ima_default_policy pointer to ima_rules (bsc#1051510). - ima: Fix ima digest hash table key calculation (bsc#1051510). - include/asm-generic/topology.h: guard cpumask_of_node() macro argument (bsc#1148868). 
- kabi: ppc64le: prevent struct dma_map_ops to become defined (jsc#SLE-12423). - kvm: x86: Fix L1TF mitigation for shadow MMU (bsc#1171904). - livepatch: Apply vmlinux-specific KLP relocations early (bsc#1071995). - livepatch: Disallow vmlinux.ko (bsc#1071995). - livepatch: Make klp_apply_object_relocs static (bsc#1071995). - livepatch: Prevent module-specific KLP rela sections from referencing vmlinux symbols (bsc#1071995). - livepatch: Remove .klp.arch (bsc#1071995). - mac80211: add option for setting control flags (bsc#1111666). - mac80211: set IEEE80211_TX_CTRL_PORT_CTRL_PROTO for nl80211 TX (bsc#1111666). - mailbox: imx: Disable the clock on devm_mbox_controller_register() failure (git-fixes). - md: Avoid namespace collision with bitmap API (git fixes (block drivers)). - md: use memalloc scope APIs in mddev_suspend()/mddev_resume() (bsc#1166985). - md: use memalloc scope APIs in mddev_suspend()/mddev_resume() (git fixes (block drivers)). - mdraid: fix read/write bytes accounting (bsc#1172537). - mmc: block: Fix request completion in the CQE timeout path (bsc#1111666). - mmc: block: Fix use-after-free issue for rpmb (bsc#1111666). - mmc: fix compilation of user API (bsc#1051510). - netfilter: connlabels: prefer static lock initialiser (git-fixes). - netfilter: not mark a spinlock as __read_mostly (git-fixes). - nl80211: fix NL80211_ATTR_CHANNEL_WIDTH attribute type (bsc#1111666). - nvme-fc: Fail transport errors with NVME_SC_HOST_PATH (bsc#1158983 bsc#1172538). - nvme-tcp: fail command with NVME_SC_HOST_PATH_ERROR send failed (bsc#1158983 bsc#1172538). - nvme: fail cancelled commands with NVME_SC_HOST_PATH_ERROR (bsc#1158983 bsc#1172538). - overflow.h: Add arithmetic shift helper (git fixes). - overflow: Fix -Wtype-limits compilation warnings (git fixes). - p54usb: add AirVasT USB stick device-id (bsc#1051510). - pcm_native: result of put_user() needs to be checked (bsc#1111666). 
- perf, pt, coresight: Fix address filters for vmas with non-zero offset (git-fixes). - perf/cgroup: Fix perf cgroup hierarchy support (git-fixes). - perf/core: Add sanity check to deal with pinned event failure (git-fixes). - perf/core: Avoid freeing static PMU contexts when PMU is unregistered (git-fixes). - perf/core: Correct event creation with PERF_FORMAT_GROUP (git-fixes). - perf/core: Do not WARN() for impossible ring-buffer sizes (git-fixes). - perf/core: Fix __perf_read_group_add() locking (git-fixes (dependent patch)). - perf/core: Fix bad use of igrab() (git fixes (dependent patch)). - perf/core: Fix crash when using HW tracing kernel filters (git-fixes). - perf/core: Fix ctx_event_type in ctx_resched() (git-fixes). - perf/core: Fix error handling in perf_event_alloc() (git-fixes). - perf/core: Fix exclusive events' grouping (git-fixes). - perf/core: Fix group scheduling with mixed hw and sw events (git-fixes). - perf/core: Fix impossible ring-buffer sizes warning (git-fixes). - perf/core: Fix lock inversion between perf,trace,cpuhp (git-fixes (dependent patch for 18736eef1213)). 
- perf/core: Fix lock inversion between perf,trace,cpuhp (git-fixes (dependent patch for 18736eef1213)). - perf/core: Fix locking for children siblings group read (git-fixes). - perf/core: Fix locking for children siblings group read (git-fixes). - perf/core: Fix perf_event_read_value() locking (git-fixes). - perf/core: Fix perf_event_read_value() locking (git-fixes). - perf/core: Fix perf_pmu_unregister() locking (git-fixes). - perf/core: Fix perf_pmu_unregister() locking (git-fixes). - perf/core: Fix perf_sample_regs_user() mm check (git-fixes). - perf/core: Fix perf_sample_regs_user() mm check (git-fixes). - perf/core: Fix possible Spectre-v1 indexing for ->aux_pages (git-fixes). - perf/core: Fix possible Spectre-v1 indexing for ->aux_pages (git-fixes). - perf/core: Fix race between close() and fork() (git-fixes). - perf/core: Fix race between close() and fork() (git-fixes). - perf/core: Fix the address filtering fix (git-fixes). - perf/core: Fix the address filtering fix (git-fixes). - perf/core: Fix use-after-free in uprobe_perf_close() (git-fixes). - perf/core: Fix use-after-free in uprobe_perf_close() (git-fixes). - perf/core: Force USER_DS when recording user stack data (git-fixes). - perf/core: Force USER_DS when recording user stack data (git-fixes). - perf/core: Restore mmap record type correctly (git-fixes). - perf/core: Restore mmap record type correctly (git-fixes). - perf/ioctl: Add check for the sample_period value (git-fixes). - perf/ioctl: Add check for the sample_period value (git-fixes). - perf/x86/pt, coresight: Clean up address filter structure (git fixes (dependent patch)). - perf: Allocate context task_ctx_data for child event (git-fixes). - perf: Allocate context task_ctx_data for child event (git-fixes). - perf: Copy parent's address filter offsets on clone (git-fixes). - perf: Copy parent's address filter offsets on clone (git-fixes). - perf: Fix header.size for namespace events (git-fixes). 
- perf: Fix header.size for namespace events (git-fixes). - perf: Return proper values for user stack errors (git-fixes). - perf: Return proper values for user stack errors (git-fixes). - pid: Improve the comment about waiting in zap_pid_ns_processes (git fixes)). - pinctrl: freescale: imx: Fix an error handling path in 'imx_pinctrl_probe()' (bsc#1051510). - pinctrl: imxl: Fix an error handling path in 'imx1_pinctrl_core_probe()' (bsc#1051510). - pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE GPIOs (bsc#1051510). - platform/x86: dell-laptop: do not register micmute LED if there is no token (bsc#1111666). - pnp: Use list_for_each_entry() instead of open coding (git fixes). - power: supply: bq24257_charger: Replace depends on REGMAP_I2C with select (bsc#1051510). - power: supply: lp8788: Fix an error handling path in 'lp8788_charger_probe()' (bsc#1051510). - power: supply: smb347-charger: IRQSTAT_D is volatile (bsc#1051510). - powerpc/64s: Do not let DT CPU features set FSCR_DSCR (bsc#1065729). - powerpc/64s: Save FSCR to init_task.thread.fscr after feature init (bsc#1065729). - powerpc/xive: Clear the page tables for the ESB IO mapping (bsc#1085030). - raid5: remove gfp flags from scribble_alloc() (bsc#1166985). - raid5: remove gfp flags from scribble_alloc() (git fixes (block drivers)). - resolve KABI warning for perf-pt-coresight (git-fixes). - resolve KABI warning for perf-pt-coresight (git-fixes). - s390/bpf: Maintain 8-byte stack alignment (bsc#1169194). - scsi: ibmvscsi: Do not send host info in adapter info MAD after LPM (bsc#1172759 ltc#184814). - spi: dw: use "smp_mb()" to avoid sending spi data error (bsc#1051510). - spi: spi-mem: Fix Dual/Quad modes on Octal-capable devices (bsc#1111666). - staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK (bsc#1051510). - staging: sm750fb: add missing case while setting FB_VISUAL (bsc#1051510). - tty: n_gsm: Fix SOF skipping (bsc#1051510). 
- tty: n_gsm: Fix bogus i++ in gsm_data_kick (bsc#1051510). - tty: n_gsm: Fix waking up upper tty layer when room available (bsc#1051510). - usb: dwc2: gadget: move gadget resume after the core is in L0 state (bsc#1051510). - usb: gadget: lpc32xx_udc: do not dereference ep pointer before null check (bsc#1051510). - usb: musb: Fix runtime PM imbalance on error (bsc#1051510). - usb: musb: start session in resume for host port (bsc#1051510). - virtio-blk: handle block_device_operations callbacks after hot unplug (git fixes (block drivers)). - w1: omap-hdq: cleanup to add missing newline for some dev_dbg (bsc#1051510). - watchdog: sp805: fix restart handler (bsc#1111666). - wil6210: add general initialization/size checks (bsc#1111666). - wil6210: check rx_buff_mgmt before accessing it (bsc#1111666). - wil6210: ignore HALP ICR if already handled (bsc#1111666). - work around mvfs bug (bsc#1162063). - x86/cpu/amd: Make erratum #1054 a legacy erratum (bsc#1114279). - x86: Fix early boot crash on gcc-10, third try (bsc#1114279). - xfrm: fix error in comment (git fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1693=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1693=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1693=1 - SUSE Linux Enterprise High Availability 12-SP5: zypper in -t patch SUSE-SLE-HA-12-SP5-2020-1693=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): kernel-default-debuginfo-4.12.14-122.26.1 kernel-default-debugsource-4.12.14-122.26.1 kernel-default-extra-4.12.14-122.26.1 kernel-default-extra-debuginfo-4.12.14-122.26.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.12.14-122.26.1 kernel-obs-build-debugsource-4.12.14-122.26.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): kernel-docs-4.12.14-122.26.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): kernel-default-4.12.14-122.26.1 kernel-default-base-4.12.14-122.26.1 kernel-default-base-debuginfo-4.12.14-122.26.1 kernel-default-debuginfo-4.12.14-122.26.1 kernel-default-debugsource-4.12.14-122.26.1 kernel-default-devel-4.12.14-122.26.1 kernel-syms-4.12.14-122.26.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): kernel-devel-4.12.14-122.26.1 kernel-macros-4.12.14-122.26.1 kernel-source-4.12.14-122.26.1 - SUSE Linux Enterprise Server 12-SP5 (x86_64): kernel-default-devel-debuginfo-4.12.14-122.26.1 - SUSE Linux Enterprise Server 12-SP5 (s390x): kernel-default-man-4.12.14-122.26.1 - SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64): cluster-md-kmp-default-4.12.14-122.26.1 cluster-md-kmp-default-debuginfo-4.12.14-122.26.1 dlm-kmp-default-4.12.14-122.26.1 dlm-kmp-default-debuginfo-4.12.14-122.26.1 gfs2-kmp-default-4.12.14-122.26.1 gfs2-kmp-default-debuginfo-4.12.14-122.26.1 kernel-default-debuginfo-4.12.14-122.26.1 
  kernel-default-debugsource-4.12.14-122.26.1
  ocfs2-kmp-default-4.12.14-122.26.1
  ocfs2-kmp-default-debuginfo-4.12.14-122.26.1

References:

  https://www.suse.com/security/cve/CVE-2019-20810.html
  https://www.suse.com/security/cve/CVE-2020-10766.html
  https://www.suse.com/security/cve/CVE-2020-10767.html
  https://www.suse.com/security/cve/CVE-2020-10768.html
  https://www.suse.com/security/cve/CVE-2020-13974.html
  https://bugzilla.suse.com/1051510
  https://bugzilla.suse.com/1065729
  https://bugzilla.suse.com/1071995
  https://bugzilla.suse.com/1085030
  https://bugzilla.suse.com/1111666
  https://bugzilla.suse.com/1113956
  https://bugzilla.suse.com/1114279
  https://bugzilla.suse.com/1144333
  https://bugzilla.suse.com/1148868
  https://bugzilla.suse.com/1158983
  https://bugzilla.suse.com/1161016
  https://bugzilla.suse.com/1162063
  https://bugzilla.suse.com/1166985
  https://bugzilla.suse.com/1168081
  https://bugzilla.suse.com/1169194
  https://bugzilla.suse.com/1170592
  https://bugzilla.suse.com/1171904
  https://bugzilla.suse.com/1172458
  https://bugzilla.suse.com/1172472
  https://bugzilla.suse.com/1172537
  https://bugzilla.suse.com/1172538
  https://bugzilla.suse.com/1172759
  https://bugzilla.suse.com/1172775
  https://bugzilla.suse.com/1172781
  https://bugzilla.suse.com/1172782
  https://bugzilla.suse.com/1172783
  https://bugzilla.suse.com/1172884

From sle-updates at lists.suse.com Fri Jun 19 10:18:41 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 19 Jun 2020 18:18:41 +0200 (CEST)
Subject: SUSE-SU-2020:1693-1: important: Security update for the Linux Kernel
Message-ID: <20200619161841.2230DF749@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1693-1
Rating: important
References: #1051510 #1065729 #1071995 #1085030 #1111666 #1113956 #1114279 #1144333 #1148868 #1158983 #1161016 #1162063 #1166985 #1168081 #1169194 #1170592 #1171904 #1172458 #1172472 #1172537 #1172538 #1172759 #1172775 #1172781 #1172782 #1172783 #1172884
Cross-References: CVE-2019-20810 CVE-2020-10766 CVE-2020-10767 CVE-2020-10768 CVE-2020-13974
Affected Products:
  SUSE Linux Enterprise Workstation Extension 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Live Patching 12-SP5
  SUSE Linux Enterprise High Availability 12-SP5
______________________________________________________________________________

An update that solves 5 vulnerabilities and has 22 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2020-10768: The prctl() function could be used to enable indirect branch speculation even after it has been disabled. (bnc#1172783)
- CVE-2020-10766: A bug in the logic handling could allow an attacker with a local account to disable SSBD protection. (bnc#1172781)
- CVE-2020-10767: IBPB would be disabled when STIBP was not available or when Enhanced Indirect Branch Restricted Speculation (IBRS) was available. This unexpected behaviour could leave the system open to a Spectre v2 style attack (bnc#1172782)
- CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii was called several times in a row (bnc#1172775)
- CVE-2019-20810: go7007_snd_init did not call snd_card_free for a failure path, which caused a memory leak (bnc#1172458)

The following non-security bugs were fixed:

- ACPI: PM: Avoid using power resources if there are none for D0 (bsc#1051510).
- ALSA: es1688: Add the missed snd_card_free() (bsc#1051510).
- ALSA: hda/hdmi - enable runtime pm for newer AMD display audio (bsc#1111666).
- ALSA: hda/realtek - Add LED class support for micmute LED (bsc#1111666).
- ALSA: hda/realtek - Enable micmute LED on and HP system (bsc#1111666).
- ALSA: hda/realtek - Fix unused variable warning w/o CONFIG_LEDS_TRIGGER_AUDIO (bsc#1111666). - ALSA: hda/realtek - Introduce polarity for micmute LED GPIO (bsc#1111666). - ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines (bsc#1111666). - ALSA: hda: Add ElkhartLake HDMI codec vid (bsc#1111666). - ALSA: hda: add sienna_cichlid audio asic id for sienna_cichlid up (bsc#1111666). - ALSA: pcm: disallow linking stream to itself (bsc#1111666). - ALSA: usb-audio: Add Pioneer DJ DJM-900NXS2 support (bsc#1111666). - ALSA: usb-audio: Add duplex sound support for USB devices using implicit feedback (bsc#1111666). - ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt Dock (bsc#1111666). - ALSA: usb-audio: Clean up quirk entries with macros (bsc#1111666). - ALSA: usb-audio: Fix inconsistent card PM state after resume (bsc#1111666). - ALSA: usb-audio: Fix racy list management in output queue (bsc#1111666). - ALSA: usb-audio: Manage auto-pm of all bundled interfaces (bsc#1111666). - ALSA: usb-audio: Use the new macro for HP Dock rename quirks (bsc#1111666). - CDC-ACM: heed quirk also in error handling (git-fixes). - HID: sony: Fix for broken buttons on DS3 USB dongles (bsc#1051510). - KVM: x86/mmu: Set mmio_value to '0' if reserved #PF can't be generated (bsc#1171904). - KVM: x86: only do L1TF workaround on affected processors (bsc#1171904). - NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid() (bsc#1170592). - NFSv4: Retry CLOSE and DELEGRETURN on NFS4ERR_OLD_STATEID (bsc#1170592). - PCI/PM: Call .bridge_d3() hook only if non-NULL (git-fixes). - PCI/PTM: Inherit Switch Downstream Port PTM settings from Upstream Port (bsc#1051510). - PCI: Allow pci_resize_resource() for devices on root bus (bsc#1051510). - PCI: Fix pci_register_host_bridge() device_register() error handling (bsc#1051510). - PCI: Program MPS for RCiEP devices (bsc#1051510). 
- RDMA/efa: Fix setting of wrong bit in get/set_feature commands (bsc#1111666) - RDMA/efa: Support remote read access in MR registration (bsc#1111666) - RDMA/efa: Unified getters/setters for device structs bitmask access (bsc#1111666) - USB: gadget: udc: s3c2410_udc: Remove pointless NULL check in s3c2410_udc_nuke (bsc#1051510). - USB: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe() (bsc#1051510). - USB: serial: option: add Telit LE910C1-EUX compositions (bsc#1051510). - USB: serial: qcserial: add DW5816e QDL support (bsc#1051510). - USB: serial: usb_wwan: do not resubmit rx urb on fatal errors (bsc#1051510). - USB: serial: usb_wwan: do not resubmit rx urb on fatal errors (git-fixes). - arm64: map FDT as RW for early_init_dt_scan() (jsc#SLE-12423). - bcache: Fix an error code in bch_dump_read() (git fixes (block drivers)). - block: remove QUEUE_FLAG_STACKABLE (git fixes (block drivers)). - block: sed-opal: fix sparse warning: convert __be64 data (git fixes (block drivers)). - brcmfmac: fix wrong location to get firmware feature (bsc#1111666). - btrfs: do not zero f_bavail if we have available space (bsc#1168081). - btrfs: do not zero f_bavail if we have available space (bsc#1168081). - char/random: Add a newline at the end of the file (jsc#SLE-12423). - cifs: get rid of unused parameter in reconn_setup_dfs_targets() (bsc#1144333). - cifs: handle hostnames that resolve to same ip in failover (bsc#1144333 bsc#1161016). - cifs: set up next DFS target before generic_ip_connect() (bsc#1144333 bsc#1161016). - clk: bcm2835: Fix return type of bcm2835_register_gate (bsc#1051510). - clk: clk-flexgen: fix clock-critical handling (bsc#1051510). - clk: sunxi: Fix incorrect usage of round_down() (bsc#1051510). - compat_ioctl: block: handle BLKREPORTZONE/BLKRESETZONE (git fixes (block drivers)). - compat_ioctl: block: handle Persistent Reservations (git fixes (block drivers)). - copy_{to,from}_user(): consolidate object size checks (git fixes). 
- crypto: caam - update xts sector size for large input length (bsc#1111666). - crypto: chelsio/chtls: properly set tp->lsndtime (bsc#1111666). - dm btree: increase rebalance threshold in __rebalance2() (git fixes (block drivers)). - dm cache: fix a crash due to incorrect work item cancelling (git fixes (block drivers)). - dm crypt: fix benbi IV constructor crash if used in authenticated mode (git fixes (block drivers)). - dm space map common: fix to ensure new block isn't already in use (git fixes (block drivers)). - dm verity fec: fix hash block number in verity_fec_decode (git fixes (block drivers)). - dm verity fec: fix memory leak in verity_fec_dtr (git fixes (block drivers)). - dm: fix potential for q->make_request_fn NULL pointer (git fixes (block drivers)). - dm: various cleanups to md->queue initialization code (git fixes). - dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' (bsc#1111666). - drivers: soc: ti: knav_qmss_queue: Make knav_gp_range_ops static (bsc#1051510). - drm/i915: Whitelist context-local timestamp in the gen9 cmdparser (bsc#1111666). - drm: amd/display: fix Kconfig help text (bsc#1113956) - efi/random: Increase size of firmware supplied randomness (jsc#SLE-12423). - efi/random: Treat EFI_RNG_PROTOCOL output as bootloader randomness (jsc#SLE-12423). - efi: READ_ONCE rng seed size before munmap (jsc#SLE-12423). - efi: Reorder pr_notice() with add_device_randomness() call (jsc#SLE-12423). - evm: Check also if *tfm is an error pointer in init_desc() (bsc#1051510). - evm: Fix a small race in init_desc() (bsc#1051510). - extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' (bsc#1051510). - fdt: Update CRC check for rng-seed (jsc#SLE-12423). - fdt: add support for rng-seed (jsc#SLE-12423). - firmware: imx: scu: Fix corruption of header (git-fixes). - firmware: imx: scu: Fix possible memory leak in imx_scu_probe() (bsc#1111666). 
- firmware: revert letter case change which broke compatibility with the SAP license generator (bsc#1172472). - fpga: dfl: afu: Corrected error handling levels (git-fixes). - fs/reiserfs: Reenabled reiserfs (bsc#1172884) - gpiolib: Document that GPIO line names are not globally unique (bsc#1051510). - gpu: ipu-v3: pre: do not trigger update if buffer address does not change (bsc#1111666). - iio: buffer: Do not allow buffers without any channels enabled to be activated (bsc#1051510). - iio: pressure: bmp280: Tolerate IRQ before registering (bsc#1051510). - ima: Directly assign the ima_default_policy pointer to ima_rules (bsc#1051510). - ima: Fix ima digest hash table key calculation (bsc#1051510). - include/asm-generic/topology.h: guard cpumask_of_node() macro argument (bsc#1148868). - kabi: ppc64le: prevent struct dma_map_ops to become defined (jsc#SLE-12423). - kvm: x86: Fix L1TF mitigation for shadow MMU (bsc#1171904). - livepatch: Apply vmlinux-specific KLP relocations early (bsc#1071995). - livepatch: Disallow vmlinux.ko (bsc#1071995). - livepatch: Make klp_apply_object_relocs static (bsc#1071995). - livepatch: Prevent module-specific KLP rela sections from referencing vmlinux symbols (bsc#1071995). - livepatch: Remove .klp.arch (bsc#1071995). - mac80211: add option for setting control flags (bsc#1111666). - mac80211: set IEEE80211_TX_CTRL_PORT_CTRL_PROTO for nl80211 TX (bsc#1111666). - mailbox: imx: Disable the clock on devm_mbox_controller_register() failure (git-fixes). - md: Avoid namespace collision with bitmap API (git fixes (block drivers)). - md: use memalloc scope APIs in mddev_suspend()/mddev_resume() (bsc#1166985)). - md: use memalloc scope APIs in mddev_suspend()/mddev_resume() (git fixes (block drivers)). - mdraid: fix read/write bytes accounting (bsc#1172537). - mmc: block: Fix request completion in the CQE timeout path (bsc#1111666). - mmc: block: Fix use-after-free issue for rpmb (bsc#1111666). - mmc: fix compilation of user API (bsc#1051510). 
- netfilter: connlabels: prefer static lock initialiser (git-fixes). - netfilter: not mark a spinlock as __read_mostly (git-fixes). - nl80211: fix NL80211_ATTR_CHANNEL_WIDTH attribute type (bsc#1111666). - nvme-fc: Fail transport errors with NVME_SC_HOST_PATH (bsc#1158983 bsc#1172538). - nvme-tcp: fail command with NVME_SC_HOST_PATH_ERROR send failed (bsc#1158983 bsc#1172538). - nvme: fail cancelled commands with NVME_SC_HOST_PATH_ERROR (bsc#1158983 bsc#1172538). - overflow.h: Add arithmetic shift helper (git fixes). - overflow: Fix -Wtype-limits compilation warnings (git fixes). - p54usb: add AirVasT USB stick device-id (bsc#1051510). - pcm_native: result of put_user() needs to be checked (bsc#1111666). - perf, pt, coresight: Fix address filters for vmas with non-zero offset (git-fixes). - perf, pt, coresight: Fix address filters for vmas with non-zero offset (git-fixes). - perf/cgroup: Fix perf cgroup hierarchy support (git-fixes). - perf/cgroup: Fix perf cgroup hierarchy support (git-fixes). - perf/core: Add sanity check to deal with pinned event failure (git-fixes). - perf/core: Add sanity check to deal with pinned event failure (git-fixes). - perf/core: Avoid freeing static PMU contexts when PMU is unregistered (git-fixes). - perf/core: Avoid freeing static PMU contexts when PMU is unregistered (git-fixes). - perf/core: Correct event creation with PERF_FORMAT_GROUP (git-fixes). - perf/core: Correct event creation with PERF_FORMAT_GROUP (git-fixes). - perf/core: Do not WARN() for impossible ring-buffer sizes (git-fixes). - perf/core: Do not WARN() for impossible ring-buffer sizes (git-fixes). - perf/core: Fix __perf_read_group_add() locking (git-fixes (dependent patch)). - perf/core: Fix __perf_read_group_add() locking (git-fixes (dependent patch)). - perf/core: Fix bad use of igrab() (git fixes (dependent patch)). - perf/core: Fix crash when using HW tracing kernel filters (git-fixes). - perf/core: Fix ctx_event_type in ctx_resched() (git-fixes). 
- perf/core: Fix ctx_event_type in ctx_resched() (git-fixes). - perf/core: Fix error handling in perf_event_alloc() (git-fixes). - perf/core: Fix error handling in perf_event_alloc() (git-fixes). - perf/core: Fix exclusive events' grouping (git-fixes). - perf/core: Fix exclusive events' grouping (git-fixes). - perf/core: Fix group scheduling with mixed hw and sw events (git-fixes). - perf/core: Fix group scheduling with mixed hw and sw events (git-fixes). - perf/core: Fix impossible ring-buffer sizes warning (git-fixes). - perf/core: Fix impossible ring-buffer sizes warning (git-fixes). - perf/core: Fix lock inversion between perf,trace,cpuhp (git-fixes (dependent patch for 18736eef1213)). - perf/core: Fix lock inversion between perf,trace,cpuhp (git-fixes (dependent patch for 18736eef1213)). - perf/core: Fix locking for children siblings group read (git-fixes). - perf/core: Fix locking for children siblings group read (git-fixes). - perf/core: Fix perf_event_read_value() locking (git-fixes). - perf/core: Fix perf_event_read_value() locking (git-fixes). - perf/core: Fix perf_pmu_unregister() locking (git-fixes). - perf/core: Fix perf_pmu_unregister() locking (git-fixes). - perf/core: Fix perf_sample_regs_user() mm check (git-fixes). - perf/core: Fix perf_sample_regs_user() mm check (git-fixes). - perf/core: Fix possible Spectre-v1 indexing for ->aux_pages (git-fixes). - perf/core: Fix possible Spectre-v1 indexing for ->aux_pages (git-fixes). - perf/core: Fix race between close() and fork() (git-fixes). - perf/core: Fix race between close() and fork() (git-fixes). - perf/core: Fix the address filtering fix (git-fixes). - perf/core: Fix the address filtering fix (git-fixes). - perf/core: Fix use-after-free in uprobe_perf_close() (git-fixes). - perf/core: Fix use-after-free in uprobe_perf_close() (git-fixes). - perf/core: Force USER_DS when recording user stack data (git-fixes). - perf/core: Force USER_DS when recording user stack data (git-fixes). 
- perf/core: Restore mmap record type correctly (git-fixes). - perf/core: Restore mmap record type correctly (git-fixes). - perf/ioctl: Add check for the sample_period value (git-fixes). - perf/ioctl: Add check for the sample_period value (git-fixes). - perf/x86/pt, coresight: Clean up address filter structure (git fixes (dependent patch)). - perf: Allocate context task_ctx_data for child event (git-fixes). - perf: Allocate context task_ctx_data for child event (git-fixes). - perf: Copy parent's address filter offsets on clone (git-fixes). - perf: Copy parent's address filter offsets on clone (git-fixes). - perf: Fix header.size for namespace events (git-fixes). - perf: Fix header.size for namespace events (git-fixes). - perf: Return proper values for user stack errors (git-fixes). - perf: Return proper values for user stack errors (git-fixes). - pid: Improve the comment about waiting in zap_pid_ns_processes (git fixes)). - pinctrl: freescale: imx: Fix an error handling path in 'imx_pinctrl_probe()' (bsc#1051510). - pinctrl: imxl: Fix an error handling path in 'imx1_pinctrl_core_probe()' (bsc#1051510). - pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE GPIOs (bsc#1051510). - platform/x86: dell-laptop: do not register micmute LED if there is no token (bsc#1111666). - pnp: Use list_for_each_entry() instead of open coding (git fixes). - power: supply: bq24257_charger: Replace depends on REGMAP_I2C with select (bsc#1051510). - power: supply: lp8788: Fix an error handling path in 'lp8788_charger_probe()' (bsc#1051510). - power: supply: smb347-charger: IRQSTAT_D is volatile (bsc#1051510). - powerpc/64s: Do not let DT CPU features set FSCR_DSCR (bsc#1065729). - powerpc/64s: Save FSCR to init_task.thread.fscr after feature init (bsc#1065729). - powerpc/xive: Clear the page tables for the ESB IO mapping (bsc#1085030). - raid5: remove gfp flags from scribble_alloc() (bsc#1166985). - raid5: remove gfp flags from scribble_alloc() (git fixes (block drivers)). 
- resolve KABI warning for perf-pt-coresight (git-fixes). - resolve KABI warning for perf-pt-coresight (git-fixes). - s390/bpf: Maintain 8-byte stack alignment (bsc#1169194). - scsi: ibmvscsi: Do not send host info in adapter info MAD after LPM (bsc#1172759 ltc#184814). - spi: dw: use "smp_mb()" to avoid sending spi data error (bsc#1051510). - spi: spi-mem: Fix Dual/Quad modes on Octal-capable devices (bsc#1111666). - staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK (bsc#1051510). - staging: sm750fb: add missing case while setting FB_VISUAL (bsc#1051510). - tty: n_gsm: Fix SOF skipping (bsc#1051510). - tty: n_gsm: Fix bogus i++ in gsm_data_kick (bsc#1051510). - tty: n_gsm: Fix waking up upper tty layer when room available (bsc#1051510). - usb: dwc2: gadget: move gadget resume after the core is in L0 state (bsc#1051510). - usb: gadget: lpc32xx_udc: do not dereference ep pointer before null check (bsc#1051510). - usb: musb: Fix runtime PM imbalance on error (bsc#1051510). - usb: musb: start session in resume for host port (bsc#1051510). - virtio-blk: handle block_device_operations callbacks after hot unplug (git fixes (block drivers)). - w1: omap-hdq: cleanup to add missing newline for some dev_dbg (bsc#1051510). - watchdog: sp805: fix restart handler (bsc#1111666). - wil6210: add general initialization/size checks (bsc#1111666). - wil6210: check rx_buff_mgmt before accessing it (bsc#1111666). - wil6210: ignore HALP ICR if already handled (bsc#1111666). - work around mvfs bug (bsc#1162063). - x86/cpu/amd: Make erratum #1054 a legacy erratum (bsc#1114279). - x86: Fix early boot crash on gcc-10, third try (bsc#1114279). - xfrm: fix error in comment (git fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1693=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1693=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1693=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-1693=1 - SUSE Linux Enterprise High Availability 12-SP5: zypper in -t patch SUSE-SLE-HA-12-SP5-2020-1693=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): kernel-default-debuginfo-4.12.14-122.26.1 kernel-default-debugsource-4.12.14-122.26.1 kernel-default-extra-4.12.14-122.26.1 kernel-default-extra-debuginfo-4.12.14-122.26.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): kernel-obs-build-4.12.14-122.26.1 kernel-obs-build-debugsource-4.12.14-122.26.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): kernel-docs-4.12.14-122.26.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): kernel-default-4.12.14-122.26.1 kernel-default-base-4.12.14-122.26.1 kernel-default-base-debuginfo-4.12.14-122.26.1 kernel-default-debuginfo-4.12.14-122.26.1 kernel-default-debugsource-4.12.14-122.26.1 kernel-default-devel-4.12.14-122.26.1 kernel-syms-4.12.14-122.26.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): kernel-devel-4.12.14-122.26.1 kernel-macros-4.12.14-122.26.1 kernel-source-4.12.14-122.26.1 - SUSE Linux Enterprise Server 12-SP5 (x86_64): kernel-default-devel-debuginfo-4.12.14-122.26.1 - SUSE Linux Enterprise Server 12-SP5 (s390x): kernel-default-man-4.12.14-122.26.1 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kernel-default-debuginfo-4.12.14-122.26.1 kernel-default-debugsource-4.12.14-122.26.1 kernel-default-kgraft-4.12.14-122.26.1 kernel-default-kgraft-devel-4.12.14-122.26.1 
  kgraft-patch-4_12_14-122_26-default-1-8.3.1

- SUSE Linux Enterprise High Availability 12-SP5 (ppc64le s390x x86_64):
  cluster-md-kmp-default-4.12.14-122.26.1
  cluster-md-kmp-default-debuginfo-4.12.14-122.26.1
  dlm-kmp-default-4.12.14-122.26.1
  dlm-kmp-default-debuginfo-4.12.14-122.26.1
  gfs2-kmp-default-4.12.14-122.26.1
  gfs2-kmp-default-debuginfo-4.12.14-122.26.1
  kernel-default-debuginfo-4.12.14-122.26.1
  kernel-default-debugsource-4.12.14-122.26.1
  ocfs2-kmp-default-4.12.14-122.26.1
  ocfs2-kmp-default-debuginfo-4.12.14-122.26.1

References:

  https://www.suse.com/security/cve/CVE-2019-20810.html
  https://www.suse.com/security/cve/CVE-2020-10766.html
  https://www.suse.com/security/cve/CVE-2020-10767.html
  https://www.suse.com/security/cve/CVE-2020-10768.html
  https://www.suse.com/security/cve/CVE-2020-13974.html
  https://bugzilla.suse.com/1051510
  https://bugzilla.suse.com/1065729
  https://bugzilla.suse.com/1071995
  https://bugzilla.suse.com/1085030
  https://bugzilla.suse.com/1111666
  https://bugzilla.suse.com/1113956
  https://bugzilla.suse.com/1114279
  https://bugzilla.suse.com/1144333
  https://bugzilla.suse.com/1148868
  https://bugzilla.suse.com/1158983
  https://bugzilla.suse.com/1161016
  https://bugzilla.suse.com/1162063
  https://bugzilla.suse.com/1166985
  https://bugzilla.suse.com/1168081
  https://bugzilla.suse.com/1169194
  https://bugzilla.suse.com/1170592
  https://bugzilla.suse.com/1171904
  https://bugzilla.suse.com/1172458
  https://bugzilla.suse.com/1172472
  https://bugzilla.suse.com/1172537
  https://bugzilla.suse.com/1172538
  https://bugzilla.suse.com/1172759
  https://bugzilla.suse.com/1172775
  https://bugzilla.suse.com/1172781
  https://bugzilla.suse.com/1172782
  https://bugzilla.suse.com/1172783
  https://bugzilla.suse.com/1172884

From sle-updates at lists.suse.com Fri Jun 19 10:22:59 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Fri, 19 Jun 2020 18:22:59 +0200 (CEST)
Subject: SUSE-RU-2020:1692-1: moderate: Recommended update for gdm
Message-ID: <20200619162259.5F176F749@maintenance.suse.de>

SUSE Recommended Update: Recommended update for gdm
______________________________________________________________________________

Announcement ID: SUSE-RU-2020:1692-1
Rating: moderate
References: #980337
Affected Products:
  SUSE Linux Enterprise Software Development Kit 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP4
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for gdm fixes the following issue:

- When the file system is read-only, gdm exits immediately. (bsc#980337)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1692=1
- SUSE Linux Enterprise Software Development Kit 12-SP4:
  zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1692=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1692=1
- SUSE Linux Enterprise Server 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1692=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
  gdm-debuginfo-3.10.0.1-54.9.1
  gdm-debugsource-3.10.0.1-54.9.1
  gdm-devel-3.10.0.1-54.9.1

- SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
  gdm-debuginfo-3.10.0.1-54.9.1
  gdm-debugsource-3.10.0.1-54.9.1
  gdm-devel-3.10.0.1-54.9.1

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  gdm-3.10.0.1-54.9.1
  gdm-debuginfo-3.10.0.1-54.9.1
  gdm-debugsource-3.10.0.1-54.9.1
  libgdm1-3.10.0.1-54.9.1
  libgdm1-debuginfo-3.10.0.1-54.9.1
  typelib-1_0-Gdm-1_0-3.10.0.1-54.9.1

- SUSE Linux Enterprise Server 12-SP5 (noarch):
gdm-lang-3.10.0.1-54.9.1 gdmflexiserver-3.10.0.1-54.9.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): gdm-3.10.0.1-54.9.1 gdm-debuginfo-3.10.0.1-54.9.1 gdm-debugsource-3.10.0.1-54.9.1 libgdm1-3.10.0.1-54.9.1 libgdm1-debuginfo-3.10.0.1-54.9.1 typelib-1_0-Gdm-1_0-3.10.0.1-54.9.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): gdm-lang-3.10.0.1-54.9.1 gdmflexiserver-3.10.0.1-54.9.1 References: https://bugzilla.suse.com/980337 From sle-updates at lists.suse.com Fri Jun 19 13:12:48 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 19 Jun 2020 21:12:48 +0200 (CEST) Subject: SUSE-SU-2020:14400-1: important: Security update for bind Message-ID: <20200619191248.B77D0F749@maintenance.suse.de> SUSE Security Update: Security update for bind ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14400-1 Rating: important References: #1033843 #1092283 #1109160 #1171740 #1172220 #1172680 Cross-References: CVE-2018-5741 CVE-2020-8616 CVE-2020-8617 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that solves three vulnerabilities and has three fixes is now available. Description: This update for bind fixes the following issues: - CVE-2020-8616: Fixed the insufficient limit on the number of fetches performed when processing referrals (bsc#1171740). - CVE-2020-8617: Fixed a logic error in code which checks TSIG validity (bsc#1171740). - CVE-2018-5741: Fixed the documentation (bsc#1109160). - Removed rndc.key generation from bind.spec file (bsc#1092283, bsc#1033843) bind should create the key on first boot or if it went missing. 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-bind-14400=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-bind-14400=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-bind-14400=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-bind-14400=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): bind-9.9.6P1-0.51.20.1 bind-chrootenv-9.9.6P1-0.51.20.1 bind-doc-9.9.6P1-0.51.20.1 bind-libs-9.9.6P1-0.51.20.1 bind-utils-9.9.6P1-0.51.20.1 - SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64): bind-libs-32bit-9.9.6P1-0.51.20.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): bind-9.9.6P1-0.51.20.1 bind-chrootenv-9.9.6P1-0.51.20.1 bind-devel-9.9.6P1-0.51.20.1 bind-doc-9.9.6P1-0.51.20.1 bind-libs-9.9.6P1-0.51.20.1 bind-utils-9.9.6P1-0.51.20.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): bind-debuginfo-9.9.6P1-0.51.20.1 bind-debugsource-9.9.6P1-0.51.20.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): bind-debuginfo-9.9.6P1-0.51.20.1 bind-debugsource-9.9.6P1-0.51.20.1 References: https://www.suse.com/security/cve/CVE-2018-5741.html https://www.suse.com/security/cve/CVE-2020-8616.html https://www.suse.com/security/cve/CVE-2020-8617.html https://bugzilla.suse.com/1033843 https://bugzilla.suse.com/1092283 https://bugzilla.suse.com/1109160 https://bugzilla.suse.com/1171740 https://bugzilla.suse.com/1172220 https://bugzilla.suse.com/1172680 From sle-updates at lists.suse.com Fri Jun 19 13:14:15 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 19 Jun 2020 21:14:15 +0200 (CEST) Subject: SUSE-RU-2020:1696-1: moderate: Recommended update for nodejs6 Message-ID: 
<20200619191415.3535EF749@maintenance.suse.de> SUSE Recommended Update: Recommended update for nodejs6 ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1696-1 Rating: moderate References: #1172728 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for nodejs6 fixes the following issues: - Added Require for nodejs6 when installing npm6. (bsc#1172728) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-1696=1 - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1696=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1696=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-1696=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): nodejs6-6.17.1-11.40.1 nodejs6-debuginfo-6.17.1-11.40.1 nodejs6-debugsource-6.17.1-11.40.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): nodejs6-6.17.1-11.40.1 nodejs6-debuginfo-6.17.1-11.40.1 nodejs6-debugsource-6.17.1-11.40.1 - SUSE OpenStack Cloud 7 (aarch64 s390x x86_64): nodejs6-6.17.1-11.40.1 nodejs6-debuginfo-6.17.1-11.40.1 nodejs6-debugsource-6.17.1-11.40.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): nodejs6-6.17.1-11.40.1 nodejs6-debuginfo-6.17.1-11.40.1 nodejs6-debugsource-6.17.1-11.40.1 nodejs6-devel-6.17.1-11.40.1 npm6-6.17.1-11.40.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): 
nodejs6-docs-6.17.1-11.40.1 References: https://bugzilla.suse.com/1172728 From sle-updates at lists.suse.com Sat Jun 20 15:27:23 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:27:23 +0200 (CEST) Subject: SUSE-CU-2020:346-1: Security update of caasp/v5/caasp-dex Message-ID: <20200620212723.E2A0F100E9@maintenance.suse.de> SUSE Container Update Advisory: caasp/v5/caasp-dex ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:346-1 Container Tags : caasp/v5/caasp-dex:2.23.0 , caasp/v5/caasp-dex:2.23.0-rev1 , caasp/v5/caasp-dex:2.23.0-rev1-build2.3 , caasp/v5/caasp-dex:beta Container Release : 2.3 Severity : important Type : security References : 1171863 1171864 1171866 1172348 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723 ----------------------------------------------------------------- The container caasp/v5/caasp-dex was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1682-1 Released: Fri Jun 19 09:44:54 2020 Summary: Security update for perl Type: security Severity: important References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863). - CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864). - CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed a bad warning in features.ph (bsc#1172348). 
From sle-updates at lists.suse.com Sat Jun 20 15:27:16 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:27:16 +0200 (CEST) Subject: SUSE-CU-2020:345-1: Recommended update of caasp/v5/caasp-dex Message-ID: <20200620212716.E6A5A10169@maintenance.suse.de> SUSE Container Update Advisory: caasp/v5/caasp-dex ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:345-1 Container Tags : caasp/v5/caasp-dex:2.23.0 , caasp/v5/caasp-dex:2.23.0-rev1 , caasp/v5/caasp-dex:2.23.0-rev1-build2.2 , caasp/v5/caasp-dex:beta Container Release : 2.2 Severity : low Type : recommended References : ----------------------------------------------------------------- The container caasp/v5/caasp-dex was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:27:10 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:27:10 +0200 (CEST) Subject: SUSE-CU-2020:344-1: Recommended update of caasp/v5/caasp-dex Message-ID: <20200620212710.4A0EC10168@maintenance.suse.de> SUSE Container Update Advisory: caasp/v5/caasp-dex ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:344-1 Container Tags : caasp/v5/caasp-dex:2.23.0 , caasp/v5/caasp-dex:2.23.0-rev1 , caasp/v5/caasp-dex:2.23.0-rev1-build2.2 , caasp/v5/caasp-dex:beta Container Release : 2.2 Severity : low Type : recommended References : ----------------------------------------------------------------- The container caasp/v5/caasp-dex was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:10 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:10 +0200 (CEST) Subject: SUSE-CU-2020:237-1: Recommended update of Message-ID: <20200620211910.68140100FB@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:237-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:54 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:54 +0200 (CEST) Subject: SUSE-CU-2020:284-1: Recommended update of Message-ID: <20200620212054.6C1451012A@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:284-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:52 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:52 +0200 (CEST) Subject: SUSE-CU-2020:283-1: Recommended update of Message-ID: <20200620212052.71CC710129@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:283-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:18:41 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:18:41 +0200 (CEST) Subject: SUSE-CU-2020:225-1: Recommended update of Message-ID: <20200620211841.67686100EC@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:225-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:53 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:53 +0200 (CEST) Subject: SUSE-CU-2020:255-1: Recommended update of Message-ID: <20200620211953.E6F5C1010D@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:255-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:29 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:29 +0200 (CEST) Subject: SUSE-CU-2020:245-1: Recommended update of Message-ID: <20200620211929.7CE9910103@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:245-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:21:13 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:21:13 +0200 (CEST) Subject: SUSE-CU-2020:292-1: Recommended update of Message-ID: <20200620212113.E039310132@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:292-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:46 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:46 +0200 (CEST) Subject: SUSE-CU-2020:252-1: Recommended update of Message-ID: <20200620211946.E77F21010A@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:252-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:24 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:24 +0200 (CEST) Subject: SUSE-CU-2020:243-1: Recommended update of Message-ID: <20200620211924.7E4ED10101@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:243-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:23 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:23 +0200 (CEST) Subject: SUSE-CU-2020:269-1: Recommended update of Message-ID: <20200620212023.7E5D81011B@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:269-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:41 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:41 +0200 (CEST) Subject: SUSE-CU-2020:278-1: Recommended update of Message-ID: <20200620212041.E926210124@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:278-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:51 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:51 +0200 (CEST) Subject: SUSE-CU-2020:254-1: Recommended update of Message-ID: <20200620211951.E8E051010C@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:254-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:45 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:45 +0200 (CEST) Subject: SUSE-CU-2020:280-1: Recommended update of Message-ID: <20200620212045.EF72F10126@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:280-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:21:08 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:21:08 +0200 (CEST) Subject: SUSE-CU-2020:290-1: Recommended update of Message-ID: <20200620212108.EAFF010130@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:290-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:18:55 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:18:55 +0200 (CEST) Subject: SUSE-CU-2020:231-1: Recommended update of Message-ID: <20200620211855.A7714100F4@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:231-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:21:21 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:21:21 +0200 (CEST) Subject: SUSE-CU-2020:295-1: Recommended update of Message-ID: <20200620212121.32A9610135@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:295-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:56 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:56 +0200 (CEST) Subject: SUSE-CU-2020:256-1: Recommended update of Message-ID: <20200620211956.A59051010E@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:256-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:08 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:08 +0200 (CEST) Subject: SUSE-CU-2020:262-1: Recommended update of Message-ID: <20200620212008.E5A7C10114@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:262-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:29 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:29 +0200 (CEST) Subject: SUSE-CU-2020:272-1: Recommended update of Message-ID: <20200620212029.A4A0F1011E@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:272-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:21:04 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:21:04 +0200 (CEST) Subject: SUSE-CU-2020:288-1: Recommended update of Message-ID: <20200620212104.357021012E@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:288-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:18:49 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:18:49 +0200 (CEST) Subject: SUSE-CU-2020:228-1: Recommended update of Message-ID: <20200620211849.06F0D100F1@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:228-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:27 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:27 +0200 (CEST) Subject: SUSE-CU-2020:244-1: Recommended update of Message-ID: <20200620211927.4C34010102@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:244-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:13 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:13 +0200 (CEST) Subject: SUSE-CU-2020:238-1: Recommended update of Message-ID: <20200620211913.369AE100FC@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:238-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:15 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:15 +0200 (CEST) Subject: SUSE-CU-2020:265-1: Recommended update of Message-ID: <20200620212015.0A67A10117@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:265-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:18:44 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:18:44 +0200 (CEST) Subject: SUSE-CU-2020:226-1: Recommended update of Message-ID: <20200620211844.41174100EE@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:226-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:50 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:50 +0200 (CEST) Subject: SUSE-CU-2020:282-1: Recommended update of Message-ID: <20200620212050.4852A10128@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:282-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:48 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:48 +0200 (CEST) Subject: SUSE-CU-2020:281-1: Recommended update of Message-ID: <20200620212048.0D67B10127@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:281-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:21:06 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:21:06 +0200 (CEST) Subject: SUSE-CU-2020:289-1: Recommended update of Message-ID: <20200620212106.431BB1012F@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:289-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:21:43 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:21:43 +0200 (CEST) Subject: SUSE-CU-2020:299-1: Security update of caasp/v5/389-ds Message-ID: <20200620212143.4077B10138@maintenance.suse.de> SUSE Container Update Advisory: caasp/v5/389-ds ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:299-1 Container Tags : caasp/v5/389-ds:1.4.3 Container Release : 1.49 Severity : important Type : security References : 1159819 1169746 1171978 CVE-2019-17006 CVE-2020-12399 ----------------------------------------------------------------- The container caasp/v5/389-ds was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1677-1 Released: Thu Jun 18 18:16:39 2020 Summary: Security update for mozilla-nspr, mozilla-nss Type: security Severity: important References: 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53 - CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978). 
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes mozilla-nspr to version 4.25 From sle-updates at lists.suse.com Sat Jun 20 15:20:11 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:11 +0200 (CEST) Subject: SUSE-CU-2020:263-1: Recommended update of Message-ID: <20200620212011.0500910115@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:263-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:18:46 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:18:46 +0200 (CEST) Subject: SUSE-CU-2020:227-1: Recommended update of Message-ID: <20200620211846.4B47E100EF@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:227-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:49 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:49 +0200 (CEST) Subject: SUSE-CU-2020:253-1: Recommended update of Message-ID: <20200620211949.0AEDB1010B@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:253-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:21:52 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:21:52 +0200 (CEST) Subject: SUSE-CU-2020:300-1: Recommended update of caasp/v5/389-ds Message-ID: <20200620212152.0B3701013A@maintenance.suse.de> SUSE Container Update Advisory: caasp/v5/389-ds ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:300-1 Container Tags : caasp/v5/389-ds:1.4.3 Container Release : 1.49 Severity : low Type : recommended References : ----------------------------------------------------------------- The container caasp/v5/389-ds was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:13 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:13 +0200 (CEST) Subject: SUSE-CU-2020:264-1: Recommended update of Message-ID: <20200620212013.0DCEB10116@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:264-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:44 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:44 +0200 (CEST) Subject: SUSE-CU-2020:279-1: Recommended update of Message-ID: <20200620212044.09BF410125@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:279-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:59 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:59 +0200 (CEST) Subject: SUSE-CU-2020:286-1: Recommended update of Message-ID: <20200620212059.0A1F21012C@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:286-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:18:51 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:18:51 +0200 (CEST) Subject: SUSE-CU-2020:229-1: Recommended update of Message-ID: <20200620211851.0D996100F2@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:229-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:21:11 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:21:11 +0200 (CEST) Subject: SUSE-CU-2020:291-1: Recommended update of Message-ID: <20200620212111.028F810131@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:291-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:21:16 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:21:16 +0200 (CEST) Subject: SUSE-CU-2020:293-1: Recommended update of Message-ID: <20200620212116.0C6F710133@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:293-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:21:19 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:21:19 +0200 (CEST) Subject: SUSE-CU-2020:294-1: Recommended update of Message-ID: <20200620212119.0158910134@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:294-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:15 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:15 +0200 (CEST) Subject: SUSE-CU-2020:239-1: Recommended update of Message-ID: <20200620211915.247E1100FD@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:239-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:19 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:19 +0200 (CEST) Subject: SUSE-CU-2020:267-1: Recommended update of Message-ID: <20200620212019.2974410119@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:267-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:44 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:44 +0200 (CEST) Subject: SUSE-CU-2020:251-1: Recommended update of Message-ID: <20200620211944.2F92810109@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:251-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:17 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:17 +0200 (CEST) Subject: SUSE-CU-2020:266-1: Recommended update of Message-ID: <20200620212017.2273E10118@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:266-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:56 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:56 +0200 (CEST) Subject: SUSE-CU-2020:285-1: Recommended update of Message-ID: <20200620212056.5E9C91012B@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:285-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:21 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:21 +0200 (CEST) Subject: SUSE-CU-2020:268-1: Recommended update of Message-ID: <20200620212021.58F101011A@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:268-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:37 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:37 +0200 (CEST) Subject: SUSE-CU-2020:248-1: Recommended update of Message-ID: <20200620211937.5CBA810106@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:248-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:08 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:08 +0200 (CEST) Subject: SUSE-CU-2020:236-1: Recommended update of Message-ID: <20200620211908.5F835100F9@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:236-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:39 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:39 +0200 (CEST) Subject: SUSE-CU-2020:249-1: Recommended update of Message-ID: <20200620211939.5B84B10107@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:249-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:18:39 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:18:39 +0200 (CEST) Subject: SUSE-CU-2020:224-1: Recommended update of Message-ID: <20200620211839.27C28100EB@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:224-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:21:01 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:21:01 +0200 (CEST) Subject: SUSE-CU-2020:287-1: Recommended update of Message-ID: <20200620212101.1AF641012D@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:287-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:18:58 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:18:58 +0200 (CEST) Subject: SUSE-CU-2020:232-1: Recommended update of Message-ID: <20200620211858.90E54100F5@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:232-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:42 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:42 +0200 (CEST) Subject: SUSE-CU-2020:250-1: Recommended update of Message-ID: <20200620211942.1F92C10108@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:250-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:39 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:39 +0200 (CEST) Subject: SUSE-CU-2020:277-1: Recommended update of Message-ID: <20200620212039.CCDE510123@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:277-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:06 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:06 +0200 (CEST) Subject: SUSE-CU-2020:261-1: Recommended update of Message-ID: <20200620212006.C138810113@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:261-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:27 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:27 +0200 (CEST) Subject: SUSE-CU-2020:271-1: Recommended update of Message-ID: <20200620212027.998EF1011D@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:271-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:04 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:04 +0200 (CEST) Subject: SUSE-CU-2020:260-1: Recommended update of Message-ID: <20200620212004.C760E10112@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:260-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:21:23 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:21:23 +0200 (CEST) Subject: SUSE-CU-2020:296-1: Recommended update of Message-ID: <20200620212123.CFBFE10136@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:296-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:21:25 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:21:25 +0200 (CEST) Subject: SUSE-CU-2020:297-1: Recommended update of Message-ID: <20200620212125.C38DE10137@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:297-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:02 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:02 +0200 (CEST) Subject: SUSE-CU-2020:259-1: Recommended update of Message-ID: <20200620212002.C0A9510111@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:259-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:58 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:58 +0200 (CEST) Subject: SUSE-CU-2020:257-1: Recommended update of Message-ID: <20200620211958.9CD8B1010F@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:257-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:31 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:31 +0200 (CEST) Subject: SUSE-CU-2020:273-1: Recommended update of Message-ID: <20200620212031.BF0971011F@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:273-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:00 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:00 +0200 (CEST) Subject: SUSE-CU-2020:258-1: Recommended update of Message-ID: <20200620212000.9F3C610110@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:258-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:22 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:22 +0200 (CEST) Subject: SUSE-CU-2020:242-1: Recommended update of Message-ID: <20200620211922.8BE0710100@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:242-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:17 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:17 +0200 (CEST) Subject: SUSE-CU-2020:240-1: Recommended update of Message-ID: <20200620211917.DE721100FE@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:240-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:34 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:34 +0200 (CEST) Subject: SUSE-CU-2020:247-1: Recommended update of Message-ID: <20200620211934.B2E7710105@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:247-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:19 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:19 +0200 (CEST) Subject: SUSE-CU-2020:241-1: Recommended update of Message-ID: <20200620211919.D1672100FF@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:241-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:33 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:33 +0200 (CEST) Subject: SUSE-CU-2020:274-1: Recommended update of Message-ID: <20200620212033.D76FB10120@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:274-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:37 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:37 +0200 (CEST) Subject: SUSE-CU-2020:276-1: Recommended update of Message-ID: <20200620212037.D128D10122@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:276-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:25 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:25 +0200 (CEST) Subject: SUSE-CU-2020:270-1: Recommended update of Message-ID: <20200620212025.83AFA1011C@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:270-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:20:35 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:20:35 +0200 (CEST) Subject: SUSE-CU-2020:275-1: Recommended update of Message-ID: <20200620212035.D31E910121@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:275-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:19:32 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:19:32 +0200 (CEST) Subject: SUSE-CU-2020:246-1: Recommended update of Message-ID: <20200620211932.8F8BE10104@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:246-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:25:17 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:25:17 +0200 (CEST) Subject: SUSE-CU-2020:327-1: Recommended update of caasp/v5/configmap-reload Message-ID: <20200620212517.60A4E10157@maintenance.suse.de> SUSE Container Update Advisory: caasp/v5/configmap-reload ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:327-1 Container Tags : caasp/v5/configmap-reload:0.3.0 , caasp/v5/configmap-reload:0.3.0-rev1 , caasp/v5/configmap-reload:0.3.0-rev1-build1.47 , caasp/v5/configmap-reload:beta Container Release : 1.47 Severity : low Type : recommended References : ----------------------------------------------------------------- The container caasp/v5/configmap-reload was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:23:20 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:23:20 +0200 (CEST) Subject: SUSE-CU-2020:312-1: Recommended update of caasp/v5/cilium-etcd-operator Message-ID: <20200620212320.6C68910146@maintenance.suse.de> SUSE Container Update Advisory: caasp/v5/cilium-etcd-operator ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:312-1 Container Tags : caasp/v5/cilium-etcd-operator:2.0.5 , caasp/v5/cilium-etcd-operator:2.0.5-rev1 , caasp/v5/cilium-etcd-operator:2.0.5-rev1-build1.48 , caasp/v5/cilium-etcd-operator:beta Container Release : 1.48 Severity : low Type : recommended References : ----------------------------------------------------------------- The container caasp/v5/cilium-etcd-operator was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:24:52 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:24:52 +0200 (CEST) Subject: SUSE-CU-2020:323-1: Recommended update of Message-ID: <20200620212452.7882B10152@maintenance.suse.de> SUSE Container Update Advisory: ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:323-1 Container Tags : Container Release : Severity : low Type : recommended References : ----------------------------------------------------------------- The container was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:25:45 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:25:45 +0200 (CEST) Subject: SUSE-CU-2020:331-1: Recommended update of caasp/v5/configmap-reload Message-ID: <20200620212545.76C311015B@maintenance.suse.de> SUSE Container Update Advisory: caasp/v5/configmap-reload ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:331-1 Container Tags : caasp/v5/configmap-reload:0.3.0 , caasp/v5/configmap-reload:0.3.0-rev1 , caasp/v5/configmap-reload:0.3.0-rev1-build1.47 , caasp/v5/configmap-reload:beta Container Release : 1.47 Severity : low Type : recommended References : ----------------------------------------------------------------- The container caasp/v5/configmap-reload was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:24:42 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:24:42 +0200 (CEST) Subject: SUSE-CU-2020:321-1: Recommended update of caasp/v5/cilium-operator Message-ID: <20200620212442.7A2271014F@maintenance.suse.de> SUSE Container Update Advisory: caasp/v5/cilium-operator ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:321-1 Container Tags : caasp/v5/cilium-operator:1.6.6 , caasp/v5/cilium-operator:1.6.6-rev1 , caasp/v5/cilium-operator:1.6.6-rev1-build1.59 , caasp/v5/cilium-operator:beta Container Release : 1.59 Severity : low Type : recommended References : ----------------------------------------------------------------- The container caasp/v5/cilium-operator was updated. The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:23:57 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:23:57 +0200 (CEST) Subject: SUSE-CU-2020:316-1: Recommended update of caasp/v5/cilium Message-ID: <20200620212357.AC3651014A@maintenance.suse.de> SUSE Container Update Advisory: caasp/v5/cilium ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:316-1 Container Tags : caasp/v5/cilium:1.6.6 , caasp/v5/cilium:1.6.6-rev1 , caasp/v5/cilium:1.6.6-rev1-build2.2 , caasp/v5/cilium:beta Container Release : 2.2 Severity : low Type : recommended References : ----------------------------------------------------------------- The container caasp/v5/cilium was updated. 
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:25:52 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:25:52 +0200 (CEST) Subject: SUSE-CU-2020:332-1: Security update of caasp/v5/configmap-reload Message-ID: <20200620212552.4D9A41015C@maintenance.suse.de> SUSE Container Update Advisory: caasp/v5/configmap-reload ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:332-1 Container Tags : caasp/v5/configmap-reload:0.3.0 , caasp/v5/configmap-reload:0.3.0-rev1 , caasp/v5/configmap-reload:0.3.0-rev1-build1.48 , caasp/v5/configmap-reload:beta Container Release : 1.48 Severity : important Type : security References : 1171863 1171864 1171866 1172348 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723 ----------------------------------------------------------------- The container caasp/v5/configmap-reload was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1682-1 Released: Fri Jun 19 09:44:54 2020 Summary: Security update for perl Type: security Severity: important References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863). - CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864). - CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed a bad warning in features.ph (bsc#1172348). 
From sle-updates at lists.suse.com Sat Jun 20 15:26:36 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:26:36 +0200 (CEST)
Subject: SUSE-CU-2020:338-1: Recommended update of caasp/v5/curl
Message-ID: <20200620212636.72F1810162@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/curl
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:338-1
Container Tags : caasp/v5/curl:7.66.0 , caasp/v5/curl:7.66.0-rev1 , caasp/v5/curl:7.66.0-rev1-build1.48 , caasp/v5/curl:beta
Container Release : 1.48
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v5/curl was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:23:33 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:23:33 +0200 (CEST)
Subject: SUSE-CU-2020:314-1: Security update of caasp/v5/cilium-etcd-operator
Message-ID: <20200620212333.ED32110148@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/cilium-etcd-operator
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:314-1
Container Tags : caasp/v5/cilium-etcd-operator:2.0.5 , caasp/v5/cilium-etcd-operator:2.0.5-rev1 , caasp/v5/cilium-etcd-operator:2.0.5-rev1-build1.49 , caasp/v5/cilium-etcd-operator:beta
Container Release : 1.49
Severity : important
Type : security
References : 1171863 1171864 1171866 1172348 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723
-----------------------------------------------------------------

The container caasp/v5/cilium-etcd-operator was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released: Fri Jun 19 09:44:54 2020
Summary: Security update for perl
Type: security
Severity: important
References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723

This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).

From sle-updates at lists.suse.com Sat Jun 20 15:26:55 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:26:55 +0200 (CEST)
Subject: SUSE-CU-2020:342-1: Recommended update of
Message-ID: <20200620212655.4D78D10167@maintenance.suse.de>

SUSE Container Update Advisory:
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:342-1
Container Tags :
Container Release :
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container was updated.
The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:22:58 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:22:58 +0200 (CEST)
Subject: SUSE-CU-2020:309-1: Recommended update of caasp/v5/caasp-dex
Message-ID: <20200620212258.ECF9C10143@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/caasp-dex
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:309-1
Container Tags : caasp/v5/caasp-dex:2.23.0 , caasp/v5/caasp-dex:2.23.0-rev1 , caasp/v5/caasp-dex:2.23.0-rev1-build2.2 , caasp/v5/caasp-dex:beta
Container Release : 2.2
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v5/caasp-dex was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:23:27 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:23:27 +0200 (CEST)
Subject: SUSE-CU-2020:313-1: Recommended update of caasp/v5/cilium-etcd-operator
Message-ID: <20200620212327.07A3910147@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/cilium-etcd-operator
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:313-1
Container Tags : caasp/v5/cilium-etcd-operator:2.0.5 , caasp/v5/cilium-etcd-operator:2.0.5-rev1 , caasp/v5/cilium-etcd-operator:2.0.5-rev1-build1.48 , caasp/v5/cilium-etcd-operator:beta
Container Release : 1.48
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v5/cilium-etcd-operator was updated.
The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:26:53 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:26:53 +0200 (CEST)
Subject: SUSE-CU-2020:341-1: Recommended update of
Message-ID: <20200620212653.3E60510166@maintenance.suse.de>

SUSE Container Update Advisory:
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:341-1
Container Tags :
Container Release :
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:26:43 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:26:43 +0200 (CEST)
Subject: SUSE-CU-2020:339-1: Recommended update of caasp/v5/curl
Message-ID: <20200620212643.0F8BF10163@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/curl
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:339-1
Container Tags : caasp/v5/curl:7.66.0 , caasp/v5/curl:7.66.0-rev1 , caasp/v5/curl:7.66.0-rev1-build1.48 , caasp/v5/curl:beta
Container Release : 1.48
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v5/curl was updated.
The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:24:55 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:24:55 +0200 (CEST)
Subject: SUSE-CU-2020:324-1: Recommended update of
Message-ID: <20200620212455.0BA1210153@maintenance.suse.de>

SUSE Container Update Advisory:
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:324-1
Container Tags :
Container Release :
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:26:50 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:26:50 +0200 (CEST)
Subject: SUSE-CU-2020:340-1: Security update of caasp/v5/curl
Message-ID: <20200620212650.2C75110164@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/curl
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:340-1
Container Tags : caasp/v5/curl:7.66.0 , caasp/v5/curl:7.66.0-rev1 , caasp/v5/curl:7.66.0-rev1-build1.49 , caasp/v5/curl:beta
Container Release : 1.49
Severity : important
Type : security
References : 1171863 1171864 1171866 1172348 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723
-----------------------------------------------------------------

The container caasp/v5/curl was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released: Fri Jun 19 09:44:54 2020
Summary: Security update for perl
Type: security
Severity: important
References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723

This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).

From sle-updates at lists.suse.com Sat Jun 20 15:24:20 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:24:20 +0200 (CEST)
Subject: SUSE-CU-2020:318-1: Security update of caasp/v5/cilium
Message-ID: <20200620212420.51B3E1014C@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/cilium
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:318-1
Container Tags : caasp/v5/cilium:1.6.6 , caasp/v5/cilium:1.6.6-rev1 , caasp/v5/cilium:1.6.6-rev1-build2.4 , caasp/v5/cilium:beta
Container Release : 2.4
Severity : important
Type : security
References : 1171863 1171864 1171866 1172348 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723
-----------------------------------------------------------------

The container caasp/v5/cilium was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released: Fri Jun 19 09:44:54 2020
Summary: Security update for perl
Type: security
Severity: important
References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723

This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).

From sle-updates at lists.suse.com Sat Jun 20 15:25:24 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:25:24 +0200 (CEST)
Subject: SUSE-CU-2020:328-1: Security update of caasp/v5/configmap-reload
Message-ID: <20200620212524.9CC0710158@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/configmap-reload
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:328-1
Container Tags : caasp/v5/configmap-reload:0.3.0 , caasp/v5/configmap-reload:0.3.0-rev1 , caasp/v5/configmap-reload:0.3.0-rev1-build1.48 , caasp/v5/configmap-reload:beta
Container Release : 1.48
Severity : important
Type : security
References : 1171863 1171864 1171866 1172348 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723
-----------------------------------------------------------------

The container caasp/v5/configmap-reload was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released: Fri Jun 19 09:44:54 2020
Summary: Security update for perl
Type: security
Severity: important
References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723

This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).

From sle-updates at lists.suse.com Sat Jun 20 15:24:49 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:24:49 +0200 (CEST)
Subject: SUSE-CU-2020:322-1: Security update of caasp/v5/cilium-operator
Message-ID: <20200620212449.98B1210150@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/cilium-operator
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:322-1
Container Tags : caasp/v5/cilium-operator:1.6.6 , caasp/v5/cilium-operator:1.6.6-rev1 , caasp/v5/cilium-operator:1.6.6-rev1-build1.61 , caasp/v5/cilium-operator:beta
Container Release : 1.61
Severity : important
Type : security
References : 1171863 1171864 1171866 1172348 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723
-----------------------------------------------------------------

The container caasp/v5/cilium-operator was updated.
The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released: Fri Jun 19 09:44:54 2020
Summary: Security update for perl
Type: security
Severity: important
References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723

This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).

From sle-updates at lists.suse.com Sat Jun 20 15:25:38 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:25:38 +0200 (CEST)
Subject: SUSE-CU-2020:330-1: Recommended update of caasp/v5/configmap-reload
Message-ID: <20200620212538.D5AE21015A@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/configmap-reload
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:330-1
Container Tags : caasp/v5/configmap-reload:0.3.0 , caasp/v5/configmap-reload:0.3.0-rev1 , caasp/v5/configmap-reload:0.3.0-rev1-build1.47 , caasp/v5/configmap-reload:beta
Container Release : 1.47
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v5/configmap-reload was updated.
The following patches have been included in this update: From sle-updates at lists.suse.com Sat Jun 20 15:25:03 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Sat, 20 Jun 2020 23:25:03 +0200 (CEST) Subject: SUSE-CU-2020:325-1: Security update of caasp/v5/configmap-reload Message-ID: <20200620212503.2DB3110154@maintenance.suse.de> SUSE Container Update Advisory: caasp/v5/configmap-reload ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:325-1 Container Tags : caasp/v5/configmap-reload:0.3.0 , caasp/v5/configmap-reload:0.3.0-rev1 , caasp/v5/configmap-reload:0.3.0-rev1-build1.47 , caasp/v5/configmap-reload:beta Container Release : 1.47 Severity : important Type : security References : 1005023 1007715 1009532 1013125 1033084 1033085 1033086 1033087 1033088 1033089 1033090 1036463 1038194 1039099 1044840 1045723 1051143 1063675 1065270 1071321 1072183 1073313 1076696 1080919 1081947 1081947 1082293 1082318 1082318 1083158 1084671 1084812 1084842 1084934 1085196 1087550 1087982 1088052 1088279 1088524 1089640 1089761 1090944 1091265 1091677 1092100 1092877 1092920 1093753 1093753 1093851 1094150 1094154 1094161 1094222 1095096 1095661 1095670 1095973 1096191 1096718 1096745 1096974 1096984 1097073 1098569 1100396 1100415 1100488 1101040 1101470 1101591 1102046 1102310 1102526 1102564 1102840 1102908 1103320 1103320 1104531 1104780 1105031 1105166 1105435 1106214 1106383 1106390 1107066 1107067 1107617 1107640 1107941 1109197 1109252 1110304 1110445 1110700 1111019 1111388 1111498 1111973 1112024 1112570 1112723 1112726 1113083 1113632 1113665 1114135 1114407 1114592 1114674 1114675 1114681 1114686 1114845 1114933 1114984 1114993 1115640 1115929 1117025 1117063 1117993 1118086 1118364 1119687 1119971 1120323 1120346 1120689 1121197 1121446 1121563 1121563 1121753 1122000 1122417 1122729 1123043 1123333 1123685 1123710 1123727 1123892 1123919 1124122 1124153 1124223 1124847 1125007 1125352 
1125352 1125410 1125604 1125886 1126056 1126096 1126117 1126118 1126119 1126377 1126590 1127223 1127308 1127557 1127701 1128246 1128383 1129576 1129598 1130045 1130230 1130325 1130326 1131060 1131330 1131686 1132348 1132400 1132721 1133297 1133495 1133506 1133509 1133773 1133808 1134193 1134217 1134524 1135123 1135254 1135534 1135708 1135709 1136717 1137053 1137624 1138793 1138869 1138939 1139083 1139083 1139459 1139459 1139939 1140631 1140647 1141059 1141093 1141113 1141883 1141897 1142649 1142654 1143055 1143194 1143273 1144047 1144169 1145023 1145716 1146866 1148517 1148987 1149145 1149332 1149995 1150137 1150595 1151023 1151023 1151377 1151582 1152101 1152590 1152692 1152755 1153936 1154036 1154037 1154256 1154295 1154661 1154871 1154884 1154887 1155199 1155207 1155271 1155327 1155337 1155338 1155339 1155574 1156213 1156482 1157278 1157292 1157794 1157893 1158095 1158095 1158485 1158830 1158921 1158996 1159814 1159928 1160039 1160160 1160571 1160595 1160735 1160970 1160979 1161215 1161216 1161218 1161219 1161220 1161262 1161436 1161517 1161521 1162108 1162108 1162518 1162930 1163184 1164505 1164562 1164717 1164950 1164950 1165011 1165539 1165579 1165784 1166106 1166260 1166510 1166510 1166748 1166881 1167631 1167674 1167898 1168076 1168345 1168699 1169512 1169569 1169944 1170527 1170771 1171872 1172021 353876 915402 918346 953659 960273 985657 991901 CVE-2009-5155 CVE-2015-0247 CVE-2015-1572 CVE-2016-10739 CVE-2016-3189 CVE-2017-17740 CVE-2017-18269 CVE-2017-7607 CVE-2017-7608 CVE-2017-7609 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612 CVE-2017-7613 CVE-2018-1000654 CVE-2018-1000858 CVE-2018-10360 CVE-2018-1122 CVE-2018-1123 CVE-2018-11236 CVE-2018-11237 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126 CVE-2018-12015 CVE-2018-12020 CVE-2018-14404 CVE-2018-14567 CVE-2018-15686 CVE-2018-15688 CVE-2018-16062 CVE-2018-16402 CVE-2018-16403 CVE-2018-16864 CVE-2018-16865 CVE-2018-16866 CVE-2018-16869 CVE-2018-17953 CVE-2018-18310 CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 
CVE-2018-18314 CVE-2018-18520 CVE-2018-18521 CVE-2018-19211 CVE-2018-20346 CVE-2018-6954 CVE-2018-9251 CVE-2019-12290 CVE-2019-12900 CVE-2019-12900 CVE-2019-12904 CVE-2019-13050 CVE-2019-13057 CVE-2019-13565 CVE-2019-13627 CVE-2019-14250 CVE-2019-14866 CVE-2019-14889 CVE-2019-14889 CVE-2019-15847 CVE-2019-16168 CVE-2019-17543 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-18224 CVE-2019-19126 CVE-2019-19956 CVE-2019-19956 CVE-2019-20386 CVE-2019-20388 CVE-2019-3842 CVE-2019-3843 CVE-2019-3844 CVE-2019-3880 CVE-2019-5021 CVE-2019-5094 CVE-2019-5188 CVE-2019-6454 CVE-2019-6454 CVE-2019-6706 CVE-2019-7150 CVE-2019-7665 CVE-2019-8905 CVE-2019-8906 CVE-2019-8907 CVE-2019-9169 CVE-2019-9936 CVE-2019-9937 CVE-2020-10029 CVE-2020-11501 CVE-2020-12243 CVE-2020-1712 CVE-2020-1712 CVE-2020-1730 CVE-2020-1752 CVE-2020-7595 SLE-5807 SLE-5933 SLE-6533 SLE-6536 SLE-7687 SLE-9132 ----------------------------------------------------------------- The container caasp/v5/configmap-reload was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:1223-1 Released: Tue Jun 26 11:41:00 2018 Summary: Security update for gpg2 Type: security Severity: important References: 1096745,CVE-2018-12020 This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2' option (bsc#1096745). 
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1327-1
Released: Tue Jul 17 08:07:24 2018
Summary: Security update for perl
Type: security
Severity: moderate
References: 1096718,CVE-2018-12015

This update for perl fixes the following issues:

- CVE-2018-12015: The Archive::Tar module allowed remote attackers to bypass a directory-traversal protection mechanism and overwrite arbitrary files (bsc#1096718)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1346-1
Released: Thu Jul 19 09:25:08 2018
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1082318,1092877,1094150,1094154,1094161,CVE-2017-18269,CVE-2018-11236,CVE-2018-11237

This update for glibc fixes the following security issues:

- CVE-2017-18269: An SSE2-optimized memmove implementation for i386 did not correctly perform the overlapping memory check if the source memory range spanned the middle of the address space, resulting in corrupt data being produced by the copy operation. This may have disclosed information to context-dependent attackers, resulted in a denial of service or code execution (bsc#1094150).
- CVE-2018-11236: Prevent integer overflow on 32-bit architectures when processing very long pathname arguments to the realpath function, leading to a stack-based buffer overflow (bsc#1094161).
- CVE-2018-11237: An AVX-512-optimized implementation of the mempcpy function may have written data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper (bsc#1092877, bsc#1094154).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:1353-1
Released: Thu Jul 19 09:50:32 2018
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1009532,1038194,915402,918346,960273,CVE-2015-0247,CVE-2015-1572

This update for e2fsprogs fixes the following issues:

Security issues fixed:

- CVE-2015-0247: Fixed couple of heap overflows in e2fsprogs (fsck, dumpe2fs, e2image...) (bsc#915402).
- CVE-2015-1572: Fixed potential buffer overflow in closefs() (bsc#918346).

Bug fixes:

- bsc#1038194: generic/405 test fails with /dev/mapper/thin-vol is inconsistent on ext4 file system.
- bsc#1009532: resize2fs hangs when trying to resize a large ext4 file system.
- bsc#960273: xfsprogs does not call %{?regenerate_initrd_post}.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1362-1
Released: Thu Jul 19 12:47:33 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1100415

ca-certificates-mozilla was updated to the 2.24 state of the Mozilla NSS Certificate store. (bsc#1100415)

Following CAs were removed:

* S-TRUST_Universal_Root_CA
* TC_TrustCenter_Class_3_CA_II
* TUeRKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_H5

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1409-1
Released: Fri Jul 27 06:45:10 2018
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1039099,1083158,1088052,1091265,1093851,1095096,1095973,1098569

This update for systemd provides the following fixes:

- systemctl: Mask always reports the same unit names when different unknown units are passed. (bsc#1095973)
- systemctl: Check the existence of all units, not just the first one.
- scsi_id: Fix the prefix for pre-SPC inquiry reply. (bsc#1039099)
- device: Make sure to always retroactively start device dependencies. (bsc#1088052)
- locale-util: On overlayfs FTW_MOUNT causes nftw(3) to not list *any* files.
- Fix pattern to detect distribution.
- install: The 'user' and 'global' scopes are equivalent for user presets. (bsc#1093851)
- install: Search for preset files in /run (#7715)
- install: Consider globally enabled units as 'enabled' for the user. (bsc#1093851)
- install: Consider non-Alias=/non-DefaultInstance= symlinks as 'indirect' enablement.
- install: Only consider names in Alias= as 'enabling'.
- udev: Whitelist mlx4_core locally-administered MAC addresses in the persistent rule generator. (bsc#1083158)
- man: Updated systemd-analyze blame description for service-units with Type=simple. (bsc#1091265)
- fileio: Support writing atomic files with timestamp.
- fileio.c: Fix incorrect mtime
- Drop runtime dependency on dracut, otherwise systemd pulls in tools to generate the initrd even in container/chroot installations that don't have a kernel. For environments where initrd matters, dracut should be pulled via a pattern. (bsc#1098569)
- An update broke booting with encrypted partitions on NVMe (bsc#1095096)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1754-1
Released: Fri Aug 24 16:40:21 2018
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1104780

This update for ca-certificates-mozilla fixes the following issues:

Updated to the 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780)

- removed server auth rights from following CAs:
  - Certplus Root CA G1
  - Certplus Root CA G2
  - OpenTrust Root CA G1
  - OpenTrust Root CA G2
  - OpenTrust Root CA G3
- removed CA
  - ComSign CA
- new CA added:
  - GlobalSign

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1760-1
Released: Fri Aug 24 17:14:53 2018
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1072183

This update for libtirpc fixes the following issues:

- rpcinfo: send RPC getport call as specified via parameter (bsc#1072183)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:1999-1
Released: Tue Sep 25 08:20:35 2018
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1071321

This update for zlib provides the following fixes:

- Speedup zlib on power8. (fate#325307)
- Add safeguard against negative values in uInt. (bsc#1071321)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2055-1
Released: Thu Sep 27 14:30:14 2018
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1089640

This update for openldap2 provides the following fix:

- Fix slapd segfaults in mdb_env_reader_dest. (bsc#1089640)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2155-1
Released: Fri Oct 5 14:41:17 2018
Summary: Recommended update for ca-certificates
Type: recommended
Severity: moderate
References: 1101470

This update for ca-certificates fixes the following issues:

- Changed 'openssl' requirement to 'openssl(cli)' (bsc#1101470)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2177-1
Released: Tue Oct 9 09:00:13 2018
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1095661,1095670,1100488

This update for bash provides the following fixes:

- Bugfix: Parse settings in inputrc for all screen TERM variables starting with 'screen.' (bsc#1095661)
- Make the generation of bash.html reproducible. (bsc#1100488)
- Use initgroups(3) instead of setgroups(2) to fix the usage of suid programs. (bsc#1095670)
- Fix a problem that could cause hash table bash uses to store exit statuses from asynchronous processes to develop loops in circumstances involving long-running scripts that create and reap many processes.
- Fix a problem that could cause the shell to loop if a SIGINT is received inside of a SIGINT trap handler.
- Fix cases where a failing readline command (e.g., delete-char at the end of a line) can cause a multi-character key sequence to 'back up' and attempt to re-read some of the characters in the sequence.
- Fix a problem when sourcing a file from an interactive shell, that setting the SIGINT handler to the default and typing ^C would cause the shell to exit.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2018:2182-1
Released: Tue Oct 9 11:08:36 2018
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1088279,1102046,1105166,CVE-2018-14404,CVE-2018-14567,CVE-2018-9251

This update for libxml2 fixes the following security issues:

- CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)
- CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)
- CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2370-1
Released: Mon Oct 22 14:02:01 2018
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1102310,1104531

This update for aaa_base provides the following fixes:

- Let bash.bashrc work even for (m)ksh. (bsc#1104531)
- Fix an error at login if java system directory is empty. (bsc#1102310)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2487-1
Released: Fri Oct 26 12:39:07 2018
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1102526

This update for glibc fixes the following issues:

- Fix build on aarch64 with binutils newer than 2.30.
- Fix year 2039 bug for localtime with 64-bit time_t (bsc#1102526) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2569-1 Released: Fri Nov 2 19:00:18 2018 Summary: Recommended update for pam Type: recommended Severity: moderate References: 1110700 This update for pam fixes the following issues: - Remove limits for nproc from /etc/security/limits.conf (bsc#1110700) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2595-1 Released: Wed Nov 7 11:14:42 2018 Summary: Security update for systemd Type: security Severity: important References: 1089761,1090944,1091677,1093753,1101040,1102908,1105031,1107640,1107941,1109197,1109252,1110445,1112024,1113083,1113632,1113665,1114135,991901,CVE-2018-15686,CVE-2018-15688 This update for systemd fixes the following issues: Security issues fixed: - CVE-2018-15688: A buffer overflow vulnerability in the dhcp6 client of systemd allowed a malicious dhcp6 server to overwrite heap memory in systemd-networkd. (bsc#1113632) - CVE-2018-15686: A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. 
(bsc#1113665) Non security issues fixed: - dhcp6: split assert_return() to be more debuggable when hit - core: skip unit deserialization and move to the next one when unit_deserialize() fails - core: properly handle deserialization of unknown unit types (#6476) - core: don't create Requires for workdir if 'missing ok' (bsc#1113083) - logind: use manager_get_user_by_pid() where appropriate - logind: rework manager_get_{user|session}_by_pid() a bit - login: fix user at .service case, so we don't allow nested sessions (#8051) (bsc#1112024) - core: be more defensive if we can't determine per-connection socket peer (#7329) - core: introduce systemd.early_core_pattern= kernel cmdline option - core: add missing 'continue' statement - core/mount: fstype may be NULL - journald: don't ship systemd-journald-audit.socket (bsc#1109252) - core: make 'tmpfs' dependencies on swapfs a 'default' dep, not an 'implicit' (bsc#1110445) - mount: make sure we unmount tmpfs mounts before we deactivate swaps (#7076) - detect-virt: do not try to read all of /proc/cpuinfo (bsc#1109197) - emergency: make sure console password agents don't interfere with the emergency shell - man: document that 'nofail' also has an effect on ordering - journald: take leading spaces into account in syslog_parse_identifier - journal: do not remove multiple spaces after identifier in syslog message - syslog: fix segfault in syslog_parse_priority() - journal: fix syslog_parse_identifier() - install: drop left-over debug message (#6913) - Ship systemd-sysv-install helper via the main package This script was part of systemd-sysvinit sub-package but it was wrong since systemd-sysv-install is a script used to redirect enable/disable operations to chkconfig when the unit targets are sysv init scripts. Therefore it's never been a SySV init tool. - Add udev.no-partlabel-links kernel command-line option. This option can be used to disable the generation of the by-partlabel symlinks regardless of the name used. 
(bsc#1089761) - man: SystemMaxUse= clarification in journald.conf(5). (bsc#1101040) - systemctl: load unit if needed in 'systemctl is-active' (bsc#1102908) - core: don't freeze OnCalendar= timer units when the clock goes back a lot (bsc#1090944) - Enable or disable machines.target according to the presets (bsc#1107941) - cryptsetup: add support for sector-size= option (fate#325697) - nspawn: always use permission mode 555 for /sys (bsc#1107640) - Bugfix for a race condition between daemon-reload and other commands (bsc#1105031) - Fixes an issue where login with root credentials was not possible in init level 5 (bsc#1091677) - Fix an issue where services of type 'notify' harmless DENIED log entries. (bsc#991901) - Does no longer adjust qgroups on existing subvolumes (bsc#1093753) - cryptsetup: add support for sector-size= option (#9936) (fate#325697 bsc#1114135) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2018:2607-1 Released: Wed Nov 7 15:42:48 2018 Summary: Optional update for gcc8 Type: recommended Severity: low References: 1084812,1084842,1087550,1094222,1102564 The GNU Compiler GCC 8 is being added to the Development Tools Module by this update. The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15. Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved. 
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened: https://gcc.gnu.org/gcc-8/changes.html Also changes needed or common pitfalls when porting software are described on: https://gcc.gnu.org/gcc-8/porting_to.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2825-1 Released: Mon Dec 3 15:35:02 2018 Summary: Security update for pam Type: security Severity: important References: 1115640,CVE-2018-17953 This update for pam fixes the following issue: Security issue fixed: - CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2861-1 Released: Thu Dec 6 14:32:01 2018 Summary: Security update for ncurses Type: security Severity: important References: 1103320,1115929,CVE-2018-19211 This update for ncurses fixes the following issues: Security issue fixed: - CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929). Non-security issue fixed: - Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2984-1 Released: Wed Dec 19 11:32:39 2018 Summary: Security update for perl Type: security Severity: moderate References: 1114674,1114675,1114681,1114686,CVE-2018-18311,CVE-2018-18312,CVE-2018-18313,CVE-2018-18314 This update for perl fixes the following issues: Security issues fixed: - CVE-2018-18311: Fixed integer overflow with oversize environment (bsc#1114674). - CVE-2018-18312: Fixed heap-buffer-overflow write / reg_node overrun (bsc#1114675). - CVE-2018-18313: Fixed heap-buffer-overflow read if regex contains \0 chars (bsc#1114681).
- CVE-2018-18314: Fixed heap-buffer-overflow in regex (bsc#1114686). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2018:2986-1 Released: Wed Dec 19 13:53:22 2018 Summary: Security update for libnettle Type: security Severity: moderate References: 1118086,CVE-2018-16869 This update for libnettle fixes the following issues: Security issues fixed: - CVE-2018-16869: Fixed a leaky data conversion exposing a manager oracle (bsc#1118086) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:23-1 Released: Mon Jan 7 16:30:33 2019 Summary: Security update for gpg2 Type: security Severity: moderate References: 1120346,CVE-2018-1000858 This update for gpg2 fixes the following issue: Security issue fixed: - CVE-2018-1000858: Fixed a Cross Site Request Forgery(CSRF) vulnerability in dirmngr that can result in Attacker controlled CSRF (bsc#1120346). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:44-1 Released: Tue Jan 8 13:07:32 2019 Summary: Recommended update for acl Type: recommended Severity: low References: 953659 This update for acl fixes the following issues: - test: Add helper library to fake passwd/group files. - quote: Escape literal backslashes. 
(bsc#953659) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:137-1 Released: Mon Jan 21 15:52:45 2019 Summary: Security update for systemd Type: security Severity: important References: 1005023,1045723,1076696,1080919,1093753,1101591,1111498,1114933,1117063,1119971,1120323,CVE-2018-16864,CVE-2018-16865,CVE-2018-16866,CVE-2018-6954 This update for systemd provides the following fixes: Security issues fixed: - CVE-2018-16864, CVE-2018-16865: Fixed two memory corruptions through attacker-controlled alloca()s (bsc#1120323) - CVE-2018-16866: Fixed an information leak in journald (bsc#1120323) - CVE-2018-6954: Fix mishandling of symlinks present in non-terminal path components (bsc#1080919) - Fixed an issue during system startup in relation to encrypted swap disks (bsc#1119971) Non-security issues fixed: - pam_systemd: Fix 'Cannot create session: Already running in a session' (bsc#1111498) - systemd-vconsole-setup: vconsole setup fails, fonts will not be copied to tty (bsc#1114933) - systemd-tmpfiles-setup: symlinked /tmp to /var/tmp breaking multiple units (bsc#1045723) - Fixed installation issue with /etc/machine-id during update (bsc#1117063) - btrfs: qgroups are assigned to parent qgroups after reboot (bsc#1093753) - logind: Stop managing VT switches if no sessions are registered on that VT. (bsc#1101591) - udev: Downgrade message when setting inotify watch up fails. (bsc#1005023) - udev: Ignore the exit code of systemd-detect-virt for memory hot-add. In SLE-12-SP3, 80-hotplug-cpu-mem.rules has a memory hot-add rule that uses systemd-detect-virt to detect non-zvm environment. The systemd-detect-virt returns exit failure code when it detected _none_ state. The exit failure code causes that the hot-add memory block can not be set to online.
(bsc#1076696) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:147-1 Released: Wed Jan 23 17:57:31 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1121446 This update for ca-certificates-mozilla fixes the following issues: The package was updated to the 2.30 version of the Mozilla NSS Certificate store. (bsc#1121446) Removed Root CAs: - AC Raiz Certicamara S.A. - Certplus Root CA G1 - Certplus Root CA G2 - OpenTrust Root CA G1 - OpenTrust Root CA G2 - OpenTrust Root CA G3 - Visa eCommerce Root Added Root CAs: - Certigna Root CA (email and server auth) - GTS Root R1 (server auth) - GTS Root R2 (server auth) - GTS Root R3 (server auth) - GTS Root R4 (server auth) - OISTE WISeKey Global Root GC CA (email and server auth) - UCA Extended Validation Root (server auth) - UCA Global G2 Root (email and server auth) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:247-1 Released: Wed Feb 6 07:18:45 2019 Summary: Security update for lua53 Type: security Severity: moderate References: 1123043,CVE-2019-6706 This update for lua53 fixes the following issues: Security issue fixed: - CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:369-1 Released: Wed Feb 13 14:01:42 2019 Summary: Recommended update for itstool Type: recommended Severity: moderate References: 1065270,1111019 This update for itstool and python-libxml2-python fixes the following issues: Package: itstool - Updated version to support Python3. (bnc#1111019) Package: python-libxml2-python - Fix segfault when parsing invalid data. 
(bsc#1065270) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:426-1 Released: Mon Feb 18 17:46:55 2019 Summary: Security update for systemd Type: security Severity: important References: 1117025,1121563,1122000,1123333,1123727,1123892,1124153,1125352,CVE-2019-6454 This update for systemd fixes the following issues: - CVE-2019-6454: Overlong DBUS messages could be used to crash systemd (bsc#1125352) - units: make sure initrd-cleanup.service terminates before switching to rootfs (bsc#1123333) - logind: fix bad error propagation - login: log session state 'closing' (as well as New/Removed) - logind: fix borked r check - login: don't remove all devices from PID1 when only one was removed - login: we only allow opening character devices - login: correct comment in session_device_free() - login: remember that fds received from PID1 need to be removed eventually - login: fix FDNAME in call to sd_pid_notify_with_fds() - logind: fd 0 is a valid fd - logind: rework sd_eviocrevoke() - logind: check file is device node before using .st_rdev - logind: use the new FDSTOREREMOVE=1 sd_notify() message (bsc#1124153) - core: add a new sd_notify() message for removing fds from the FD store again - logind: make sure we don't trip up on half-initialized session devices (bsc#1123727) - fd-util: accept that kcmp might fail with EPERM/EACCES - core: Fix use after free case in load_from_path() (bsc#1121563) - core: include Found state in device dumps - device: fix serialization and deserialization of DeviceFound - fix path in btrfs rule (#6844) - assemble multidevice btrfs volumes without external tools (#6607) (bsc#1117025) - Update systemd-system.conf.xml (bsc#1122000) - units: inform user that the default target is started after exiting from rescue or emergency mode - core: free lines after reading them (bsc#1123892) - sd-bus: if we receive an invalid dbus message, ignore and proceed - automount: don't pass non-blocking pipe to kernel.
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:571-1 Released: Thu Mar 7 18:13:46 2019 Summary: Security update for file Type: security Severity: moderate References: 1096974,1096984,1126117,1126118,1126119,CVE-2018-10360,CVE-2019-8905,CVE-2019-8906,CVE-2019-8907 This update for file fixes the following issues: The following security vulnerabilities were addressed: - CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974) - CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118) - CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf.c (bsc#1126119) - CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:641-1 Released: Tue Mar 19 13:17:28 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1112570,1114984,1114993 This update for glibc provides the following fixes: - Fix Haswell CPU string flags. (bsc#1114984) - Fix waiters-after-spinning case. (bsc#1114993) - Do not relocate absolute symbols. (bsc#1112570) - Add glibc-locale-base subpackage containing only C, C.UTF-8 and en_US.UTF-8 locales. (fate#326551) - Add HWCAP_ATOMICS to HWCAP_IMPORTANT (fate#325962) - Remove slow paths from math routines. (fate#325815, fate#325879, fate#325880, fate#325881, fate#325882) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:700-1 Released: Thu Mar 21 19:54:00 2019 Summary: Recommended update for cyrus-sasl Type: recommended Severity: moderate References: 1044840 This update for cyrus-sasl provides the following fix: - Fix a problem that was causing syslog to be polluted with messages 'GSSAPI client step 1'.
By server context the connection will be sent to the log function but the client content does not have log level information, so there is no way to stop DEBUG level logs. (bsc#1044840) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:713-1 Released: Fri Mar 22 15:55:05 2019 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1063675,1126590 This update for glibc fixes the following issues: - Add MAP_SYNC from Linux 4.15 (bsc#1126590) - Add MAP_SHARED_VALIDATE from Linux 4.15 (bsc#1126590) - nptl: Preserve error in setxid thread broadcast in coredumps (bsc#1063675, BZ #22153) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:732-1 Released: Mon Mar 25 14:10:04 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1088524,1118364,1128246 This update for aaa_base fixes the following issues: - Restore old position of ssh/sudo source of profile (bsc#1118364). - Update logic for JRE_HOME env variable (bsc#1128246) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:788-1 Released: Thu Mar 28 11:55:06 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1119687,CVE-2018-20346 This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). 
Release notes: https://www.sqlite.org/releaselog/3_27_2.html ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:791-1 Released: Thu Mar 28 12:06:50 2019 Summary: Security update for libnettle Type: recommended Severity: moderate References: 1129598 This update for libnettle to version 3.4.1 fixes the following issues: Issues addressed and new features: - Updated to 3.4.1 (fate#327114 and bsc#1129598) - Fixed a missing break statements in the parsing of PEM input files in pkcs1-conv. - Fixed a link error on the pss-mgf1-test which was affecting builds without public key support. - All functions using RSA private keys are now side-channel silent. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. - Changes in behavior: The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:858-1 Released: Wed Apr 3 15:50:37 2019 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1120689,1126096 This update for libtirpc fixes the following issues: - Fix a yp_bind_client_create_v3: RPC: Unknown host error (bsc#1126096). - add an option to enforce connection via protocol version 2 first (bsc#1120689). 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:903-1 Released: Mon Apr 8 15:41:44 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1100396,1122729,1130045,CVE-2016-10739 This update for glibc fixes the following issues: Security issue fixed: - CVE-2016-10739: Fixed an improper implementation of getaddrinfo function which could allow applications to incorrectly assume that had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings (bsc#1122729). Other issue fixed: - Fixed an issue where pthread_mutex_trylock did not use a correct order of instructions while maintained the robust mutex list due to missing compiler barriers (bsc#1130045). - Added new Japanese Era name support (bsc#1100396). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1002-1 Released: Wed Apr 24 10:13:34 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1110304,1129576 This update for zlib fixes the following issues: - Fixes a segmentation fault error (bsc#1110304, bsc#1129576) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1040-1 Released: Thu Apr 25 17:09:21 2019 Summary: Security update for samba Type: security Severity: important References: 1114407,1124223,1125410,1126377,1131060,1131686,CVE-2019-3880 This update for samba fixes the following issues: Security issue fixed: - CVE-2019-3880: Fixed a path/symlink traversal vulnerability, which allowed an unprivileged user to save registry files outside a share (bsc#1131060). 
ldb was updated to version 1.2.4 (bsc#1125410 bsc#1131686): - Out of bound read in ldb_wildcard_compare - Hold at most 10 outstanding paged result cookies - Put 'results_store' into a doubly linked list - Refuse to build Samba against a newer minor version of ldb Non-security issues fixed: - Fixed update-apparmor-samba-profile script after apparmor switched to using named profiles (bsc#1126377). - Abide to the load_printers parameter in smb.conf (bsc#1124223). - Provide the 32bit samba winbind PAM module and its dependent 32bit libraries. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1127-1 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326). - CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1206-1 Released: Fri May 10 14:01:55 2019 Summary: Security update for bzip2 Type: security Severity: low References: 985657,CVE-2016-3189 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2016-3189: Fixed a use-after-free in bzip2recover (bsc#985657).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1312-1 Released: Wed May 22 12:19:12 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1096191 This update for aaa_base fixes the following issue: * Shell detection in /etc/profile and /etc/bash.bashrc was broken within AppArmor-confined containers (bsc#1096191) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1364-1 Released: Tue May 28 10:51:38 2019 Summary: Security update for systemd Type: security Severity: moderate References: 1036463,1121563,1124122,1125352,1125604,1126056,1127557,1130230,1132348,1132400,1132721,1133506,1133509,CVE-2019-3842,CVE-2019-3843,CVE-2019-3844,CVE-2019-6454,SLE-5933 This update for systemd fixes the following issues: Security issues fixed: - CVE-2019-3842: Fixed a privilege escalation in pam_systemd which could be exploited by a local user (bsc#1132348). - CVE-2019-6454: Fixed a denial of service via crafted D-Bus message (bsc#1125352). - CVE-2019-3843, CVE-2019-3844: Fixed a privilege escalation where services with DynamicUser could gain new privileges or create SUID/SGID binaries (bsc#1133506, bsc#1133509). 
Non-security issues fixed: - logind: fix killing of scopes (bsc#1125604) - namespace: make MountFlags=shared work again (bsc#1124122) - rules: load drivers only on 'add' events (bsc#1126056) - sysctl: Don't pass null directive argument to '%s' (bsc#1121563) - systemd-coredump: generate a stack trace of all core dumps and log into the journal (jsc#SLE-5933) - udevd: notify when max number value of children is reached only once per batch of events (bsc#1132400) - sd-bus: bump message queue size again (bsc#1132721) - Do not automatically online memory on s390x (bsc#1127557) - Removed sg.conf (bsc#1036463) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1368-1 Released: Tue May 28 13:15:38 2019 Summary: Recommended update for sles12sp3-docker-image, sles12sp4-image, system-user-root Type: security Severity: important References: 1134524,CVE-2019-5021 This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues: - CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1372-1 Released: Tue May 28 16:53:28 2019 Summary: Security update for libtasn1 Type: security Severity: moderate References: 1105435,CVE-2018-1000654 This update for libtasn1 fixes the following issues: Security issue fixed: - CVE-2018-1000654: Fixed a denial of service in the asn1 parser (bsc#1105435).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1484-1 Released: Thu Jun 13 07:46:46 2019 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate References: 1128383 This update for e2fsprogs fixes the following issues: - Check and fix tails of all bitmap blocks (bsc#1128383) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1486-1 Released: Thu Jun 13 09:40:24 2019 Summary: Security update for elfutils Type: security Severity: moderate References: 1033084,1033085,1033086,1033087,1033088,1033089,1033090,1106390,1107066,1107067,1111973,1112723,1112726,1123685,1125007,CVE-2017-7607,CVE-2017-7608,CVE-2017-7609,CVE-2017-7610,CVE-2017-7611,CVE-2017-7612,CVE-2017-7613,CVE-2018-16062,CVE-2018-16402,CVE-2018-16403,CVE-2018-18310,CVE-2018-18520,CVE-2018-18521,CVE-2019-7150,CVE-2019-7665 This update for elfutils fixes the following issues: Security issues fixed: - CVE-2017-7607: Fixed a heap-based buffer overflow in handle_gnu_hash (bsc#1033084) - CVE-2017-7608: Fixed a heap-based buffer overflow in ebl_object_note_type_name() (bsc#1033085) - CVE-2017-7609: Fixed a memory allocation failure in __libelf_decompress (bsc#1033086) - CVE-2017-7610: Fixed a heap-based buffer overflow in check_group (bsc#1033087) - CVE-2017-7611: Fixed a denial of service via a crafted ELF file (bsc#1033088) - CVE-2017-7612: Fixed a denial of service in check_sysv_hash() via a crafted ELF file (bsc#1033089) - CVE-2017-7613: Fixed denial of service caused by the missing validation of the number of sections and the number of segments in a crafted ELF file (bsc#1033090) - CVE-2018-16062: Fixed a heap-buffer overflow in /elfutils/libdw/dwarf_getaranges.c:156 (bsc#1106390) - CVE-2018-16402: Fixed a denial of service/double free on an attempt to decompress the same section twice (bsc#1107066) - CVE-2018-16403: Fixed a heap buffer overflow in readelf (bsc#1107067) - CVE-2018-18310: Fixed an invalid 
address read problem in dwfl_segment_report_module.c (bsc#1111973) - CVE-2018-18520: Fixed bad handling of ar files inside ar files (bsc#1112726) - CVE-2018-18521: Fixed denial of service vulnerabilities in the function arlib_add_symbols() used by eu-ranlib (bsc#1112723) - CVE-2019-7150: dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated (bsc#1123685) - CVE-2019-7665: NT_PLATFORM core file note should be a zero terminated string (bsc#1125007) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1631-1 Released: Fri Jun 21 11:17:21 2019 Summary: Recommended update for xz Type: recommended Severity: low References: 1135709 This update for xz fixes the following issues: Add SUSE-Public-Domain licence as some parts of xz utils (liblzma, xz, xzdec, lzmadec, documentation, translated messages, tests, debug, extra directory) are in public domain licence [bsc#1135709] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1635-1 Released: Fri Jun 21 12:45:53 2019 Summary: Recommended update for krb5 Type: recommended Severity: moderate References: 1134217 This update for krb5 provides the following fix: - Move LDAP schema files from /usr/share/doc/packages/krb5 to /usr/share/kerberos/ldap. (bsc#1134217) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1700-1 Released: Tue Jun 25 13:19:21 2019 Summary: Security update for libssh Type: recommended Severity: moderate References: 1134193 This update for libssh fixes the following issue: Issue addressed: - Added support for new AES-GCM encryption types (bsc#1134193).
----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1808-1 Released: Wed Jul 10 13:16:29 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: moderate References: 1133808 This update for libgcrypt fixes the following issues: - Fixed redundant fips tests in some situations causing sudo to stop working when pam-kwallet is installed. bsc#1133808 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1846-1 Released: Mon Jul 15 11:36:33 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: Security issue fixed: - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1853-1 Released: Mon Jul 15 16:03:36 2019 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1107617,1137053 This update for systemd fixes the following issues: - conf-parse: remove 4K line length limit (bsc#1137053) - udevd: change the default value of udev.children-max (again) (bsc#1107617) - meson: stop creating enablement symlinks in /etc during installation (sequel) - Fixed build for openSUSE Leap 15+ - Make sure we don't ship any static enablement symlinks in /etc Those symlinks must only be created by the presets. There are no changes in practice since systemd/udev doesn't ship such symlinks in /etc but let's make sure no future changes will introduce new ones by mistake. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1877-1 Released: Thu Jul 18 11:31:46 2019 Summary: Security update for glibc Type: security Severity: moderate References: 1117993,1123710,1127223,1127308,1131330,CVE-2009-5155,CVE-2019-9169 This update for glibc fixes the following issues: Security issues fixed: - CVE-2019-9169: Fixed a heap-based buffer over-read via an attempted case-insensitive regular-expression match (bsc#1127308). - CVE-2009-5155: Fixed a denial of service in parse_reg_exp() (bsc#1127223). Non-security issues fixed: - Does no longer compress debug sections in crt*.o files (bsc#1123710) - Fixes a concurrency problem in ldconfig (bsc#1117993) - Fixes a race condition in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP (bsc#1131330) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1971-1 Released: Thu Jul 25 14:58:52 2019 Summary: Security update for libgcrypt Type: security Severity: moderate References: 1138939,CVE-2019-12904 This update for libgcrypt fixes the following issues: Security issue fixed: - CVE-2019-12904: Fixed a flush-and-reload side-channel attack in the AES implementation (bsc#1138939). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:1994-1 Released: Fri Jul 26 16:12:05 2019 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1135123 This update for libxml2 fixes the following issues: - Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit when processing large XML files. 
(bsc#1135123) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2004-1 Released: Mon Jul 29 13:01:59 2019 Summary: Security update for bzip2 Type: security Severity: important References: 1139083,CVE-2019-12900 This update for bzip2 fixes the following issues: - Fixed a regression with the fix for CVE-2019-12900, which caused incompatibilities with files that used many selectors (bsc#1139083). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2006-1 Released: Mon Jul 29 13:02:49 2019 Summary: Security update for gpg2 Type: security Severity: important References: 1124847,1141093,CVE-2019-13050 This update for gpg2 fixes the following issues: Security issue fixed: - CVE-2019-13050: Fixed a denial of service attacks via big keys (bsc#1141093). Non-security issue fixed: - Allow coredumps in X11 desktop sessions (bsc#1124847) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2097-1 Released: Fri Aug 9 09:31:17 2019 Summary: Recommended update for libgcrypt Type: recommended Severity: important References: 1097073 This update for libgcrypt fixes the following issues: - Fixed a regression where system were unable to boot in fips mode, caused by an incomplete implementation of previous change (bsc#1097073). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2134-1 Released: Wed Aug 14 11:54:56 2019 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1136717,1137624,1141059,SLE-5807 This update for zlib fixes the following issues: - Update the s390 patchset. (bsc#1137624) - Tweak zlib-power8 to have type of crc32_vpmsum conform to usage. (bsc#1141059) - Use FAT LTO objects in order to provide proper static library. - Do not enable the previous patchset on s390 but just s390x. (bsc#1137624) - Add patchset for s390 improvements. 
(jsc#SLE-5807, bsc#1136717) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2188-1 Released: Wed Aug 21 10:10:29 2019 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1140647 This update for aaa_base fixes the following issues: - Make systemd detection cgroup oblivious. (bsc#1140647) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2218-1 Released: Mon Aug 26 11:29:57 2019 Summary: Recommended update for pinentry Type: recommended Severity: moderate References: 1141883 This update for pinentry fixes the following issues: - Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2241-1 Released: Wed Aug 28 14:58:49 2019 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1144169 This update for ca-certificates-mozilla fixes the following issues: ca-certificates-mozilla was updated to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169) Removed CAs: - Certinomis - Root CA Includes new root CAs from the 2.32 version: - emSign ECC Root CA - C3 (email and server auth) - emSign ECC Root CA - G3 (email and server auth) - emSign Root CA - C1 (email and server auth) - emSign Root CA - G1 (email and server auth) - Hongkong Post Root CA 3 (server auth) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2307-1 Released: Thu Sep 5 14:45:08 2019 Summary: Security update for util-linux and shadow Type: security Severity: moderate References: 1081947,1082293,1085196,1106214,1121197,1122417,1125886,1127701,1135534,1135708,1141113,353876 This update for util-linux and shadow fixes the following issues: util-linux: - Fixed an issue where PATH settings in /etc/default/su being ignored (bsc#1121197) - Prevent outdated pam files (bsc#1082293).
- De-duplicate fstrim -A properly (bsc#1127701).
- Do not trim read-only volumes (bsc#1106214).
- Integrate pam_keyinit pam module to login (bsc#1081947).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Fix problems in reading of login.defs values (bsc#1121197)
- libmount: To prevent incorrect behavior, recognize more pseudofs and netfs (bsc#1122417).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Return previous response of agetty for special characters (bsc#1085196, bsc#1125886)
- libmount: print a blacklist hint for 'unknown filesystem type' (jsc#SUSE-4085, fate#326832)
- Fix /etc/default/su comments and create /etc/default/runuser (bsc#1121197).

shadow:

- Fixed an issue where PATH settings in /etc/default/su were being ignored (bsc#1121197)
- Fix segfault in useradd during setting password inactivity period. (bsc#1141113)
- Hardening for su wrappers (bsc#353876)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2361-1
Released: Thu Sep 12 07:54:54 2019
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1081947,1144047

This update for krb5 contains the following fixes:

- Integrate pam_keyinit PAM module, ksu-pam.d. (bsc#1081947)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2395-1
Released: Wed Sep 18 08:31:38 2019
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1073313,1111388,1114845,1143194,1143273,CVE-2017-17740,CVE-2019-13057,CVE-2019-13565

This update for openldap2 fixes the following issues:

Security issue fixed:

- CVE-2019-13565: Fixed an authentication bypass when using SASL authentication and session encryption (bsc#1143194).
- CVE-2019-13057: Fixed an issue with delegated database admin privileges (bsc#1143273).
- CVE-2017-17740: When both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. (bsc#1073313)

Non-security issues fixed:

- Fixed broken shebang line in openldap_update_modules_path.sh (bsc#1114845).
- Create files in /var/lib/ldap/ during initial start to allow for transactional updates (bsc#1111388)
- Fixed incorrect post script call causing tmpfiles creation not to be run (bsc#1111388).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2423-1
Released: Fri Sep 20 16:41:45 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1146866,SLE-9132

This update for aaa_base fixes the following issues:

Added sysctl.d/51-network.conf to tighten network security (bsc#1146866) (jira#SLE-9132)

Following settings have been tightened (and set to 0):

- net.ipv4.conf.all.accept_redirects
- net.ipv4.conf.default.accept_redirects
- net.ipv4.conf.default.accept_source_route
- net.ipv6.conf.all.accept_redirects
- net.ipv6.conf.default.accept_redirects

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2533-1
Released: Thu Oct 3 15:02:50 2019
Summary: Security update for sqlite3
Type: security
Severity: moderate
References: 1150137,CVE-2019-16168

This update for sqlite3 fixes the following issues:

Security issue fixed:

- CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2676-1
Released: Tue Oct 15 21:06:54 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1145716,1152101,CVE-2019-5094

This update for e2fsprogs fixes the following issues:

Security issue fixed:

- CVE-2019-5094: Fixed an arbitrary code execution via specially crafted ext4 file systems. (bsc#1152101)

Non-security issue fixed:

- libext2fs: Call fsync(2) to clear stale errors for a new unix I/O channel. (bsc#1145716)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2730-1
Released: Mon Oct 21 16:04:57 2019
Summary: Security update for procps
Type: security
Severity: important
References: 1092100,1121753,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124,CVE-2018-1125,CVE-2018-1126

This update for procps fixes the following issues:

procps was updated to 3.3.15. (bsc#1092100)

Following security issues were fixed:

- CVE-2018-1122: Prevent local privilege escalation in top. If a user ran top with HOME unset in an attacker-controlled directory, the attacker could have achieved privilege escalation by exploiting one of several vulnerabilities in the config_file() function (bsc#1092100).
- CVE-2018-1123: Prevent denial of service in ps via mmap buffer overflow. Inbuilt protection in ps mapped a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service) (bsc#1092100).
- CVE-2018-1124: Prevent multiple integer overflows leading to a heap corruption in file2strvec function. This allowed a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users (bsc#1092100).
- CVE-2018-1125: Prevent stack buffer overflow in pgrep.
This vulnerability was mitigated by FORTIFY limiting the impact to a crash (bsc#1092100).
- CVE-2018-1126: Ensure correct integer size in proc/alloc.* to prevent truncation/integer overflow issues (bsc#1092100).

Also this non-security issue was fixed:

- Fix CPU summary showing old data. (bsc#1121753)

The update to 3.3.15 contains the following fixes:

* library: Increment to 8:0:1
  No removals, no new functions
  Changes: slab and pid structures
* library: Just check for SIGLOST and don't delete it
* library: Fix integer overflow and LPE in file2strvec CVE-2018-1124
* library: Use size_t for alloc functions CVE-2018-1126
* library: Increase comm size to 64
* pgrep: Fix stack-based buffer overflow CVE-2018-1125
* pgrep: Remove >15 warning as comm can be longer
* ps: Fix buffer overflow in output buffer, causing DOS CVE-2018-1123
* ps: Increase command name selection field to 64
* top: Don't use cwd for location of config CVE-2018-1122
* update translations
* library: build on non-glibc systems
* free: fix scaling on 32-bit systems
* Revert 'Support running with child namespaces'
* library: Increment to 7:0:1
  No changes, no removals
  New functions: numa_init, numa_max_node, numa_node_of_cpu, numa_uninit, xalloc_err_handler
* doc: Document I idle state in ps.1 and top.1
* free: fix some of the SI multiples
* kill: -l space between name parses correctly
* library: don't use vm_min_free on non Linux
* library: don't strip off wchan prefixes (ps & top)
* pgrep: warn about 15+ char name only if -f not used
* pgrep/pkill: only match in same namespace by default
* pidof: specify separator between pids
* pkill: Return 0 only if we can kill process
* pmap: fix duplicate output line under '-x' option
* ps: avoid eip/esp address truncations
* ps: recognizes SCHED_DEADLINE as valid CPU scheduler
* ps: display NUMA node under which a thread ran
* ps: Add seconds display for cputime and time
* ps: Add LUID field
* sysctl: Permit empty string for value
* sysctl: Don't segv when file not
available
* sysctl: Read and write large buffers
* top: add config file support for XDG specification
* top: eliminated minor libnuma memory leak
* top: show fewer memory decimal places (configurable)
* top: provide command line switch for memory scaling
* top: provide command line switch for CPU States
* top: provides more accurate cpu usage at startup
* top: display NUMA node under which a thread ran
* top: fix argument parsing quirk resulting in SEGV
* top: delay interval accepts non-locale radix point
* top: address a wishlist man page NLS suggestion
* top: fix potential distortion in 'Mem' graph display
* top: provide proper multi-byte string handling
* top: startup defaults are fully customizable
* watch: define HOST_NAME_MAX where not defined
* vmstat: Fix alignment for disk partition format
* watch: Support ANSI 39,49 reset sequences

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2757-1
Released: Wed Oct 23 17:21:17 2019
Summary: Security update for lz4
Type: security
Severity: moderate
References: 1153936,CVE-2019-17543

This update for lz4 fixes the following issues:

- CVE-2019-17543: Fixed a heap-based buffer overflow in LZ4_write32 (bsc#1153936).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2812-1
Released: Tue Oct 29 14:57:55 2019
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1140631,1145023,1150595,SLE-7687

This update for systemd provides the following fixes:

- Fix a problem that would cause invoking try-restart to an inactive service to hang when a daemon-reload is invoked before the try-restart returned. (bsc#1139459)
- man: Add a note about _netdev usage.
- units: Replace remote-cryptsetup-pre.target with remote-fs-pre.target.
- units: Add [Install] section to remote-cryptsetup.target.
- cryptsetup: Ignore _netdev, since it is used in generator.
- cryptsetup-generator: Use remote-cryptsetup.target when _netdev is present. (jsc#SLE-7687)
- cryptsetup-generator: Add a helper utility to create symlinks.
- units: Add remote-cryptsetup.target and remote-cryptsetup-pre.target.
- man: Add an explicit description of _netdev to systemd.mount(5).
- man: Order fields alphabetically in crypttab(5).
- man: Make crypttab(5) a bit easier to read.
- units: Order cryptsetup-pre.target before cryptsetup.target.
- Fix reporting of enabled-runtime units.
- sd-bus: Deal with cookie overruns. (bsc#1150595)
- rules: Add by-id symlinks for persistent memory. (bsc#1140631)
- Buildrequire polkit so /usr/share/polkit-1/rules.d subdir can be only owned by polkit. (bsc#1145023)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2870-1
Released: Thu Oct 31 08:09:14 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1051143,1138869,1151023

This update for aaa_base provides the following fixes:

- Check if variables can be set before modifying them to avoid warnings on login with a restricted shell. (bsc#1138869)
- Add s390x compressed kernel support. (bsc#1151023)
- service: Check if there is a second argument before using it. (bsc#1051143)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2418-1
Released: Thu Nov 14 11:53:03 2019
Summary: Recommended update for bash
Type: recommended
Severity: moderate
References: 1133773,1143055

This update for bash fixes the following issues:

- Rework patch readline-7.0-screen (bsc#1143055): map all 'screen(-xxx)?.yyy(-zzz)?' to 'screen' as well as map 'konsole(-xxx)?' and 'gnome(-xxx)?' to 'xterm'
- Add a backport from bash 5.0 to perform better with large numbers of sub processes.
(bsc#1133773)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2997-1
Released: Mon Nov 18 15:16:38 2019
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1103320,1154036,1154037,CVE-2019-17594,CVE-2019-17595

This update for ncurses fixes the following issues:

Security issues fixed:

- CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
- CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

Non-security issue fixed:

- Removed screen.xterm from terminfo database (bsc#1103320).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3059-1
Released: Mon Nov 25 17:33:07 2019
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1155199,CVE-2019-14866

This update for cpio fixes the following issues:

- CVE-2019-14866: Fixed an improper validation of the values written in the header of a TAR file through the to_oct() function which could have led to unexpected TAR generation (bsc#1155199).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3061-1
Released: Mon Nov 25 17:34:22 2019
Summary: Security update for gcc9
Type: security
Severity: moderate
References: 1114592,1135254,1141897,1142649,1142654,1148517,1149145,CVE-2019-14250,CVE-2019-15847,SLE-6533,SLE-6536

This update includes the GNU Compiler Collection 9.

A full changelog is provided by the GCC team on: https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.

To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

- CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call.
(bsc#1149145)
- CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

Non-security issues fixed:

- Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
- Fixed miscompilation for vector shift on s390. (bsc#1141897)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3070-1
Released: Tue Nov 26 12:39:29 2019
Summary: Recommended update for gpg2
Type: recommended
Severity: low
References: 1152755

This update for gpg2 provides the following fix:

- Remove a build requirement on self. This is causing Leap 15.2 bootstrap to fail. (bsc#1152755)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3086-1
Released: Thu Nov 28 10:02:24 2019
Summary: Security update for libidn2
Type: security
Severity: moderate
References: 1154884,1154887,CVE-2019-12290,CVE-2019-18224

This update for libidn2 to version 2.2.0 fixes the following issues:

- CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
- CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3087-1
Released: Thu Nov 28 10:03:00 2019
Summary: Security update for libxml2
Type: security
Severity: low
References: 1123919

This update for libxml2 doesn't fix any additional security issues, but corrects its rpm changelog to reflect all CVEs that have been fixed in the past.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3118-1
Released: Fri Nov 29 14:41:35 2019
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1154295

This update for e2fsprogs fixes the following issues:

- Make minimum size estimates more reliable for mounted filesystem.
(bsc#1154295)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3166-1
Released: Wed Dec 4 11:24:42 2019
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1007715,1084934,1157278

This update for aaa_base fixes the following issues:

- Use official key binding functions in inputrc, that is, replace up-history with previous-history, down-history with next-history and backward-delete-word with backward-kill-word. (bsc#1084934)
- Add some missed key escape sequences for urxvt-unicode terminal as well. (bsc#1007715)
- Clear broken ghost entry in patch which breaks 'readline'. (bsc#1157278)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:3240-1
Released: Tue Dec 10 10:40:19 2019
Summary: Recommended update for ca-certificates-mozilla, p11-kit
Type: recommended
Severity: moderate
References: 1154871

This update for ca-certificates-mozilla, p11-kit fixes the following issues:

Changes in ca-certificates-mozilla:

- export correct p11kit trust attributes so Firefox detects built in certificates (bsc#1154871).

Changes in p11-kit:

- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox detects built in certificates (bsc#1154871)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3267-1
Released: Wed Dec 11 11:19:53 2019
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889

This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an arbitrary command execution (bsc#1158095).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:3392-1
Released: Fri Dec 27 13:33:29 2019
Summary: Security update for libgcrypt
Type: security
Severity: moderate
References: 1148987,1155338,1155339,CVE-2019-13627

This update for libgcrypt fixes the following issues:

Security issues fixed:

- CVE-2019-13627: Mitigation against an ECDSA timing attack (bsc#1148987).

Bug fixes:

- Added CMAC AES self test (bsc#1155339).
- Added CMAC TDES self test missing (bsc#1155338).
- Fix test dsa-rfc6979 in FIPS mode.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:129-1
Released: Mon Jan 20 09:21:13 2020
Summary: Security update for libssh
Type: security
Severity: important
References: 1158095,CVE-2019-14889

This update for libssh fixes the following issues:

- CVE-2019-14889: Fixed an unwanted command execution in scp caused by unsanitized location (bsc#1158095).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:225-1
Released: Fri Jan 24 06:49:07 2020
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1158830

This update for procps fixes the following issues:

- Fix for 'ps -C' allowing to accept any arguments longer than 15 characters anymore. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:256-1
Released: Wed Jan 29 09:39:17 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1157794,1160970

This update for aaa_base fixes the following issues:

- Improves the way the Java path is created to fix an issue with sapjvm. (bsc#1157794)
- Drop 'dev.cdrom.autoclose' = 0 from sysctl config.
(bsc#1160970)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:262-1
Released: Thu Jan 30 11:02:42 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1149332,1151582,1157292,1157893,1158996,CVE-2019-19126

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2019-19126: Fixed to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition (bsc#1157292).

Bug fixes:

- Fixed z15 (s390x) strstr implementation that can return incorrect results if the search string crosses a page boundary (bsc#1157893).
- Fixed Hardware support in toolchain (bsc#1151582).
- Fixed syscalls during early process initialization (SLE-8348).
- Fixed an array overflow in backtrace for PowerPC (bsc#1158996).
- Moved to posix_spawn on popen (bsc#1149332).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:265-1
Released: Thu Jan 30 14:05:34 2020
Summary: Security update for e2fsprogs
Type: security
Severity: moderate
References: 1160571,CVE-2019-5188

This update for e2fsprogs fixes the following issues:

- CVE-2019-5188: Fixed a code execution vulnerability in the directory rehashing functionality (bsc#1160571).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:279-1
Released: Fri Jan 31 12:01:39 2020
Summary: Recommended update for p11-kit
Type: recommended
Severity: moderate
References: 1013125

This update for p11-kit fixes the following issues:

- Also build documentation (bsc#1013125)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:335-1
Released: Thu Feb 6 11:37:24 2020
Summary: Security update for systemd
Type: security
Severity: important
References: 1084671,1092920,1106383,1133495,1151377,1154256,1155207,1155574,1156213,1156482,1158485,1159814,1161436,1162108,CVE-2019-20386,CVE-2020-1712

This update for systemd fixes the following issues:

- CVE-2020-1712 (bsc#1162108) Fix a heap use-after-free vulnerability, when asynchronous Polkit queries were performed while handling Dbus messages. A local unprivileged attacker could have abused this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted Dbus messages.
- Use suse.pool.ntp.org server pool on SLE distros (jsc#SLE-7683)
- libblkid: open device in nonblock mode. (bsc#1084671)
- udev/cdrom_id: Do not open CD-rom in exclusive mode. (bsc#1154256)
- bus_open leak sd_event_source when udevadm trigger???
(bsc#1161436 CVE-2019-20386)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (bsc#1133495 bsc#1159814)
- fileio: initialize errno to zero before we do fread()
- fileio: try to read one byte too much in read_full_stream()
- logind: consider 'greeter' sessions suitable as 'display' sessions of a user (bsc#1158485)
- logind: never elect a session that is stopping as display
- journal: include kmsg lines from the systemd process which exec()d us (#8078)
- udevd: don't use monitor after manager_exit()
- udevd: capitalize log messages in on_sigchld()
- udevd: merge conditions to decrease indentation
- Revert 'udevd: fix crash when workers time out after exit is signal caught'
- core: fragments of masked units ought not be considered for NeedDaemonReload (#7060) (bsc#1156482)
- udevd: fix crash when workers time out after exit is signal caught
- udevd: wait for workers to finish when exiting (bsc#1106383)
- Improve bash completion support (bsc#1155207)
  * shell-completion: systemctl: do not list template units in {re,}start
  * shell-completion: systemctl: pass current word to all list_unit*
  * bash-completion: systemctl: pass current partial unit to list-unit* (bsc#1155207)
  * bash-completion: systemctl: use systemctl --no-pager
  * bash-completion: also suggest template unit files
  * bash-completion: systemctl: add missing options and verbs
  * bash-completion: use the first argument instead of the global variable (#6457)
- networkd: VXLan Make group and remote variable separate (bsc#1156213)
- networkd: vxlan require Remote= to be a non multicast address (#8117) (bsc#1156213)
- fs-util: let's avoid unnecessary strerror()
- fs-util: introduce inotify_add_watch_and_warn() helper
- ask-password: improve log message when inotify limit is reached (bsc#1155574)
- shared/install: failing with -ELOOP can be due to the use of an alias in install_error() (bsc#1151377)
- man: alias names can't be used with enable command (bsc#1151377)
- Add boot
option to not use swap at system start (jsc#SLE-7689)
- Allow YaST to select Iranian (Persian, Farsi) keyboard layout (bsc#1092920)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:339-1
Released: Thu Feb 6 13:03:22 2020
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1158921

This update for openldap2 provides the following fix:

- Add libldap-data to the product (as it contains ldap.conf). (bsc#1158921)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:451-1
Released: Tue Feb 25 10:50:35 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1155337,1161215,1161216,1161218,1161219,1161220

This update for libgcrypt fixes the following issues:

- ECDSA: Check range of coordinates (bsc#1161216)
- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219]
- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215]
- FIPS: libgcrypt RSA siggen/keygen: 4k not supported [bsc#1161220]
- FIPS: keywrap gives incorrect results [bsc#1161218]
- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:476-1
Released: Tue Feb 25 14:23:14 2020
Summary: Recommended update for perl
Type: recommended
Severity: moderate
References: 1102840,1160039

This update for perl fixes the following issues:

- Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digits only instead of four digits.
(bsc#1102840) (bsc#1160039)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:480-1
Released: Tue Feb 25 17:38:22 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1160735

This update for aaa_base fixes the following issues:

- Change 'rp_filter' to increase the default priority to ethernet over the wifi. (bsc#1160735)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:525-1
Released: Fri Feb 28 11:49:36 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1164562

This update for pam fixes the following issues:

- Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:572-1
Released: Tue Mar 3 13:25:41 2020
Summary: Recommended update for cyrus-sasl
Type: recommended
Severity: moderate
References: 1162518

This update for cyrus-sasl fixes the following issues:

- Added support for retrieving negotiated SSF in gssapi plugin (bsc#1162518)
- Fixed GSS-SPNEGO to use flags negotiated by GSSAPI for SSF (bsc#1162518)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:573-1
Released: Tue Mar 3 13:37:28 2020
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: moderate
References: 1160160

This update for ca-certificates-mozilla to 2.40 fixes the following issues:

Updated to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160):

Removed certificates:

- Certplus Class 2 Primary CA
- Deutsche Telekom Root CA 2
- CN=Swisscom Root CA 2
- UTN-USERFirst-Client Authentication and Email

Added certificates:

- Entrust Root Certification Authority - G4

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:597-1
Released: Thu Mar 5 15:24:09 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950

This update for libgcrypt fixes the following issues:

- FIPS: Run the self-tests from the constructor [bsc#1164950]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:633-1
Released: Tue Mar 10 16:23:08 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1139939,1151023

This update for aaa_base fixes the following issues:

- get_kernel_version: fix for current kernel on s390x (bsc#1151023, bsc#1139939)
- added '-h'/'--help' to the command old
- change feedback url from http://www.suse.de/feedback to https://github.com/openSUSE/aaa_base/issues

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:668-1
Released: Fri Mar 13 10:48:58 2020
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1163184,1164505,1165784,CVE-2020-10029

This update for glibc fixes the following issues:

- CVE-2020-10029: Fixed a potential overflow in on-stack buffer during range reduction (bsc#1165784).
- Fixed an issue where pthread were not always locked correctly (bsc#1164505).
- Document mprotect and introduce section on memory protection (bsc#1163184).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:689-1
Released: Fri Mar 13 17:09:01 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for PAM fixes the following issue:

- The license of libdb linked against pam_userdb is not always wanted, so we temporarily disabled pam_userdb again. It will be published in a different package at a later time.
(bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:475-1
Released: Thu Mar 19 11:00:46 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1160595

This update for systemd fixes the following issues:

- Remove TasksMax limit for both user and system slices (jsc#SLE-10123)
- Backport IP filtering feature (jsc#SLE-7743 bsc#1160595)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:729-1
Released: Thu Mar 19 14:44:22 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1166106

This update for glibc fixes the following issues:

- Allow dlopen of filter object to work (bsc#1166106, BZ #16272)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:793-1
Released: Wed Mar 25 15:16:00 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1139459,1161262,1162108,1164717,1165579,CVE-2020-1712

This update for systemd fixes the following issues:

- manager: fix job mode when signalled to shutdown etc (bsc#1161262)
- remove fallback for user/exit.target
- dbus method Manager.Exit() does not start exit.target
- do not install rescue.target for alt-???
- %j/%J unit specifiers

Added support for I/O scheduler selection with blk-mq (bsc#1165579, bsc#1164717).

Added the udev 60-ssd-scheduler.rules:

- This rules file, which selects the default IO scheduler for SSDs, is being moved out from the git repo since this is not related to systemd or udev at all and is maintained by the kernel team.
- core: coldplug possible nop_job (bsc#1139459)
- Revert 'udev: use 'deadline' IO scheduler for SSD disks'
- Fix typo in function name
- polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it (bsc#1162108 CVE-2020-1712)
- sd-bus: introduce API for re-enqueuing incoming messages
- polkit: on async pk requests, re-validate action/details

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:820-1
Released: Tue Mar 31 13:02:22 2020
Summary: Security update for glibc
Type: security
Severity: important
References: 1167631,CVE-2020-1752

This update for glibc fixes the following issues:

- CVE-2020-1752: Fixed a use after free in glob which could have allowed a local attacker to create a specially crafted path that, when processed by the glob function, could potentially have led to arbitrary code execution (bsc#1167631).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:846-1
Released: Thu Apr 2 07:24:07 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1164950,1166748,1167674

This update for libgcrypt fixes the following issues:

- FIPS: Remove an unneeded check in _gcry_global_constructor (bsc#1164950)
- FIPS: Fix drbg to be threadsafe (bsc#1167674)
- FIPS: Run self-tests from constructor during power-on [bsc#1166748]
  * Set up global_init as the constructor function:
  * Relax the entropy requirements on selftest. This is especially important for virtual machines to boot properly before the RNG is available:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:917-1
Released: Fri Apr 3 15:02:25 2020
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1166510

This update for pam fixes the following issues:

- Moved pam_userdb into a separate package pam-extra.
(bsc#1166510)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:948-1
Released: Wed Apr 8 07:44:21 2020
Summary: Security update for gmp, gnutls, libnettle
Type: security
Severity: moderate
References: 1152692,1155327,1166881,1168345,CVE-2020-11501
This update for gmp, gnutls, libnettle fixes the following issues:

Security issue fixed:

- CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

FIPS related bugfixes:

- FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
- FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
- FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:961-1
Released: Wed Apr 8 13:34:06 2020
Summary: Recommended update for e2fsprogs
Type: recommended
Severity: moderate
References: 1160979
This update for e2fsprogs fixes the following issues:

- e2fsck: clarify overflow link count error message (bsc#1160979)
- ext2fs: update allocation info earlier in ext2fs_mkdir() (bsc#1160979)
- ext2fs: implement dir entry creation in htree directories (bsc#1160979)
- tests: add test to excercise indexed directories with metadata_csum (bsc#1160979)
- tune2fs: update dir checksums when clearing dir_index feature (bsc#1160979)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:967-1
Released: Thu Apr 9 11:41:53 2020
Summary: Security update for libssh
Type: security
Severity: moderate
References: 1168699,CVE-2020-1730
This update for libssh fixes the following issues:

- CVE-2020-1730: Fixed a possible denial of service when using AES-CTR (bsc#1168699).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1063-1
Released: Wed Apr 22 10:46:50 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1165539,1169569
This update for libgcrypt fixes the following issues:

- FIPS: Switch the PCT to use the new signature operation (bsc#1165539)
- FIPS: Verify that the generated signature and the original input differ in test_keys function for RSA, DSA and ECC (bsc#1165539)
- Add zero-padding when qx and qy have different lengths when assembling the Q point from affine coordinates.
- Ship the FIPS checksum file in the shared library package and create a separate trigger file for the FIPS selftests (bsc#1169569)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1175-1
Released: Tue May 5 08:33:43 2020
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1165011,1168076
This update for systemd fixes the following issues:

- Fix check for address to keep interface names stable. (bsc#1168076)
- Fix for checking non-normalized WHAT for network FS. (bsc#1165011)
- Allow to specify an arbitrary string for when vfs is used.
(bsc#1165011)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1214-1
Released: Thu May 7 11:20:34 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1169944
This update for libgcrypt fixes the following issues:

- FIPS: libgcrypt: Fixed a double free in test_keys() on failed signature verification (bsc#1169944)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1219-1
Released: Thu May 7 17:10:42 2020
Summary: Security update for openldap2
Type: security
Severity: important
References: 1170771,CVE-2020-12243
This update for openldap2 fixes the following issues:

- CVE-2020-12243: Fixed a denial of service related to recursive filters (bsc#1170771).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1226-1
Released: Fri May 8 10:51:05 2020
Summary: Recommended update for gcc9
Type: recommended
Severity: moderate
References: 1149995,1152590,1167898
This update for gcc9 fixes the following issues:

This update ships the GCC 9.3 release.

- Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
- Includes fix for binutils version parsing
- Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
- Add gcc9 autodetect -g at lto link (bsc#1149995)
- Install go tool buildid for bootstrapping go

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1294-1
Released: Mon May 18 07:38:36 2020
Summary: Security update for file
Type: security
Severity: moderate
References: 1154661,1169512,CVE-2019-18218
This update for file fixes the following issues:

Security issues fixed:

- CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

Non-security issue fixed:

- Fixed broken '--help' output (bsc#1169512).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1299-1
Released: Mon May 18 07:43:21 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1159928,1161517,1161521,CVE-2019-19956,CVE-2019-20388,CVE-2020-7595
This update for libxml2 fixes the following issues:

- CVE-2019-20388: Fixed a memory leak in xmlSchemaPreRun (bsc#1161521).
- CVE-2019-19956: Fixed a memory leak (bsc#1159928).
- CVE-2020-7595: Fixed an infinite loop in an EOF situation (bsc#1161517).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1328-1
Released: Mon May 18 17:16:04 2020
Summary: Recommended update for grep
Type: recommended
Severity: moderate
References: 1155271
This update for grep fixes the following issues:

- Update testsuite expectations, no functional changes (bsc#1155271)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1361-1
Released: Thu May 21 09:31:18 2020
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1171872
This update for libgcrypt fixes the following issues:

- FIPS: RSA/DSA/ECC test_keys() print out debug messages only in debug mode (bsc#1171872)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1396-1
Released: Mon May 25 12:04:39 2020
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1082318,1133297
This update for zstd fixes the following issues:

- Fix for build error caused by wrong static libraries. (bsc#1133297)
- Correction in spec file marking the license as documentation. (bsc#1082318)
- Add new package for SLE-15.
(jsc#ECO-1886)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1400-1
Released: Mon May 25 14:09:02 2020
Summary: Recommended update for glibc
Type: recommended
Severity: moderate
References: 1162930
This update for glibc fixes the following issues:

- nptl: wait for pending setxid request also in detached thread. (bsc#1162930)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1404-1
Released: Mon May 25 15:32:34 2020
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1138793,1166260
This update for zlib fixes the following issues:

- Including the latest fixes from IBM (bsc#1166260)
  IBM Z mainframes starting from version z15 provide DFLTCC instruction, which implements deflate algorithm in hardware with estimated compression and decompression performance orders of magnitude faster than the current zlib and ratio comparable with that of level 1.
- Add SUSE specific fix to solve bsc#1138793. The fix will avoid to test if the app was linked with exactly same version of zlib like the one that is present on the runtime.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:1506-1
Released: Fri May 29 17:22:11 2020
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1087982,1170527
This update for aaa_base fixes the following issues:

- Not all XTerm based emulators do have a terminfo entry. (bsc#1087982)
- Better support of Midnight Commander. (bsc#1170527)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1532-1
Released: Thu Jun 4 10:16:12 2020
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1172021,CVE-2019-19956
This update for libxml2 fixes the following issues:

- CVE-2019-19956: Reverted the upstream fix for this memory leak because it introduced other, more severe vulnerabilities (bsc#1172021).

From sle-updates at lists.suse.com Sat Jun 20 15:24:09 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:24:09 +0200 (CEST)
Subject: SUSE-CU-2020:317-1: Recommended update of caasp/v5/cilium
Message-ID: <20200620212409.23DE51014B@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/cilium
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:317-1
Container Tags : caasp/v5/cilium:1.6.6 , caasp/v5/cilium:1.6.6-rev1 , caasp/v5/cilium:1.6.6-rev1-build2.3 , caasp/v5/cilium:beta
Container Release : 2.3
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v5/cilium was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:26:13 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:26:13 +0200 (CEST)
Subject: SUSE-CU-2020:335-1: Recommended update of caasp/v5/coredns
Message-ID: <20200620212613.C5B531015F@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/coredns
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:335-1
Container Tags : caasp/v5/coredns:1.6.7 , caasp/v5/coredns:1.6.7-rev1 , caasp/v5/coredns:1.6.7-rev1-build2.2 , caasp/v5/coredns:beta
Container Release : 2.2
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v5/coredns was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:25:10 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:25:10 +0200 (CEST)
Subject: SUSE-CU-2020:326-1: Recommended update of caasp/v5/configmap-reload
Message-ID: <20200620212510.84DDE10156@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/configmap-reload
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:326-1
Container Tags : caasp/v5/configmap-reload:0.3.0 , caasp/v5/configmap-reload:0.3.0-rev1 , caasp/v5/configmap-reload:0.3.0-rev1-build1.47 , caasp/v5/configmap-reload:beta
Container Release : 1.47
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v5/configmap-reload was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:26:20 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:26:20 +0200 (CEST)
Subject: SUSE-CU-2020:336-1: Security update of caasp/v5/coredns
Message-ID: <20200620212620.9362E10160@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/coredns
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:336-1
Container Tags : caasp/v5/coredns:1.6.7 , caasp/v5/coredns:1.6.7-rev1 , caasp/v5/coredns:1.6.7-rev1-build2.3 , caasp/v5/coredns:beta
Container Release : 2.3
Severity : important
Type : security
References : 1171863 1171864 1171866 1172348 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723
-----------------------------------------------------------------

The container caasp/v5/coredns was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released: Fri Jun 19 09:44:54 2020
Summary: Security update for perl
Type: security
Severity: important
References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).

From sle-updates at lists.suse.com Sat Jun 20 15:24:35 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:24:35 +0200 (CEST)
Subject: SUSE-CU-2020:320-1: Recommended update of caasp/v5/cilium-operator
Message-ID: <20200620212435.BE9F91014E@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/cilium-operator
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:320-1
Container Tags : caasp/v5/cilium-operator:1.6.6 , caasp/v5/cilium-operator:1.6.6-rev1 , caasp/v5/cilium-operator:1.6.6-rev1-build1.57 , caasp/v5/cilium-operator:beta
Container Release : 1.57
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v5/cilium-operator was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:26:06 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:26:06 +0200 (CEST)
Subject: SUSE-CU-2020:334-1: Recommended update of caasp/v5/coredns
Message-ID: <20200620212606.BD57B1015E@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/coredns
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:334-1
Container Tags : caasp/v5/coredns:1.6.7 , caasp/v5/coredns:1.6.7-rev1 , caasp/v5/coredns:1.6.7-rev1-build2.2 , caasp/v5/coredns:beta
Container Release : 2.2
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v5/coredns was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:19:05 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:19:05 +0200 (CEST)
Subject: SUSE-CU-2020:235-1: Recommended update of
Message-ID: <20200620211905.85AB9100F8@maintenance.suse.de>

SUSE Container Update Advisory:
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:235-1
Container Tags :
Container Release :
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:19:03 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:19:03 +0200 (CEST)
Subject: SUSE-CU-2020:234-1: Recommended update of
Message-ID: <20200620211903.89A20100F7@maintenance.suse.de>

SUSE Container Update Advisory:
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:234-1
Container Tags :
Container Release :
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:19:00 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:19:00 +0200 (CEST)
Subject: SUSE-CU-2020:233-1: Recommended update of
Message-ID: <20200620211900.B8C06100F6@maintenance.suse.de>

SUSE Container Update Advisory:
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:233-1
Container Tags :
Container Release :
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:18:53 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:18:53 +0200 (CEST)
Subject: SUSE-CU-2020:230-1: Recommended update of
Message-ID: <20200620211853.BAA4F100F3@maintenance.suse.de>

SUSE Container Update Advisory:
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:230-1
Container Tags :
Container Release :
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:22:37 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:22:37 +0200 (CEST)
Subject: SUSE-CU-2020:306-1: Security update of caasp/v5/busybox
Message-ID: <20200620212237.A8FF210140@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/busybox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:306-1
Container Tags : caasp/v5/busybox:1.26.2 , caasp/v5/busybox:1.26.2-rev1 , caasp/v5/busybox:1.26.2-rev1-build2.3 , caasp/v5/busybox:beta
Container Release : 2.3
Severity : important
Type : security
References : 1171863 1171864 1171866 1172348 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723
-----------------------------------------------------------------

The container caasp/v5/busybox was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released: Fri Jun 19 09:44:54 2020
Summary: Security update for perl
Type: security
Severity: important
References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).

From sle-updates at lists.suse.com Sat Jun 20 15:22:52 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:22:52 +0200 (CEST)
Subject: SUSE-CU-2020:308-1: Recommended update of caasp/v5/caasp-dex
Message-ID: <20200620212252.26CA010142@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/caasp-dex
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:308-1
Container Tags : caasp/v5/caasp-dex:2.23.0 , caasp/v5/caasp-dex:2.23.0-rev1 , caasp/v5/caasp-dex:2.23.0-rev1-build2.2 , caasp/v5/caasp-dex:beta
Container Release : 2.2
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v5/caasp-dex was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:23:05 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:23:05 +0200 (CEST)
Subject: SUSE-CU-2020:310-1: Security update of caasp/v5/caasp-dex
Message-ID: <20200620212305.D53BF10144@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/caasp-dex
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:310-1
Container Tags : caasp/v5/caasp-dex:2.23.0 , caasp/v5/caasp-dex:2.23.0-rev1 , caasp/v5/caasp-dex:2.23.0-rev1-build2.3 , caasp/v5/caasp-dex:beta
Container Release : 2.3
Severity : important
Type : security
References : 1171863 1171864 1171866 1172348 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723
-----------------------------------------------------------------

The container caasp/v5/caasp-dex was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released: Fri Jun 19 09:44:54 2020
Summary: Security update for perl
Type: security
Severity: important
References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).

From sle-updates at lists.suse.com Sat Jun 20 15:22:31 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:22:31 +0200 (CEST)
Subject: SUSE-CU-2020:305-1: Recommended update of caasp/v5/busybox
Message-ID: <20200620212231.2CC331013F@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/busybox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:305-1
Container Tags : caasp/v5/busybox:1.26.2 , caasp/v5/busybox:1.26.2-rev1 , caasp/v5/busybox:1.26.2-rev1-build2.2 , caasp/v5/busybox:beta
Container Release : 2.2
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v5/busybox was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:22:24 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:22:24 +0200 (CEST)
Subject: SUSE-CU-2020:304-1: Recommended update of caasp/v5/busybox
Message-ID: <20200620212224.4CF911013E@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/busybox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:304-1
Container Tags : caasp/v5/busybox:1.26.2 , caasp/v5/busybox:1.26.2-rev1 , caasp/v5/busybox:1.26.2-rev1-build2.2 , caasp/v5/busybox:beta
Container Release : 2.2
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v5/busybox was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Sat Jun 20 15:22:00 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:22:00 +0200 (CEST)
Subject: SUSE-CU-2020:301-1: Security update of caasp/v5/389-ds
Message-ID: <20200620212200.982B31013B@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:301-1
Container Tags : caasp/v5/389-ds:1.4.3 , caasp/v5/389-ds:1.4.3-rev1 , caasp/v5/389-ds:1.4.3-rev1-build2.1 , caasp/v5/389-ds:beta
Container Release : 2.1
Severity : important
Type : security
References : 1171863 1171864 1171866 1172348 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723
-----------------------------------------------------------------

The container caasp/v5/389-ds was updated.

The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:1682-1
Released: Fri Jun 19 09:44:54 2020
Summary: Security update for perl
Type: security
Severity: important
References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723
This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863).
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864).
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866).
- Fixed a bad warning in features.ph (bsc#1172348).

From sle-updates at lists.suse.com Sat Jun 20 15:22:09 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Sat, 20 Jun 2020 23:22:09 +0200 (CEST)
Subject: SUSE-CU-2020:302-1: Recommended update of caasp/v5/389-ds
Message-ID: <20200620212209.B33431013D@maintenance.suse.de>

SUSE Container Update Advisory: caasp/v5/389-ds
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2020:302-1
Container Tags : caasp/v5/389-ds:1.4.3 , caasp/v5/389-ds:1.4.3-rev1 , caasp/v5/389-ds:1.4.3-rev1-build2.1 , caasp/v5/389-ds:beta
Container Release : 2.1
Severity : low
Type : recommended
References :
-----------------------------------------------------------------

The container caasp/v5/389-ds was updated.

The following patches have been included in this update:

From sle-updates at lists.suse.com Mon Jun 22 04:23:01 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 22 Jun 2020 12:23:01 +0200 (CEST)
Subject: SUSE-RU-2020:14401-1: moderate: Recommended update for google-compute-engine
Message-ID: <20200622102301.C56C0F749@maintenance.suse.de>

SUSE Recommended Update: Recommended update for google-compute-engine
______________________________________________________________________________

Announcement ID: SUSE-RU-2020:14401-1
Rating: moderate
References: #1169977
Affected Products: SUSE Linux Enterprise Server 11-PUBCLOUD
______________________________________________________________________________

An update that has one recommended fix can now be installed.

Description:

This update for google-compute-engine fixes the following issues:

- Do not enable google-startup-scripts by default. (bsc#1169977)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-PUBCLOUD:

  zypper in -t patch pubclsp3-google-compute-engine-14401=1

Package List:

- SUSE Linux Enterprise Server 11-PUBCLOUD (i586 ia64 ppc64 s390x x86_64):

  google-compute-engine-init-20180510-18.3
  google-compute-engine-oslogin-20180510-18.3

References:

https://bugzilla.suse.com/1169977

From sle-updates at lists.suse.com Mon Jun 22 07:12:19 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Mon, 22 Jun 2020 15:12:19 +0200 (CEST)
Subject: SUSE-SU-2020:1699-1: important: Security update for the Linux Kernel
Message-ID: <20200622131219.2B8A4F3E2@maintenance.suse.de>

SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:1699-1
Rating: important
References: #1051510 #1065729 #1071995 #1085030 #1111666 #1113956 #1114279 #1144333 #1148868 #1158983 #1161016 #1162063 #1166985 #1168081 #1169194 #1170592 #1171904 #1172458 #1172472 #1172537 #1172538 #1172759 #1172775 #1172781 #1172782 #1172783 #1172884
Cross-References: CVE-2019-20810 CVE-2020-10766 CVE-2020-10767 CVE-2020-10768 CVE-2020-13974
Affected Products: SUSE Linux Enterprise Server 12-SP5
______________________________________________________________________________

An update that solves 5 vulnerabilities and has 22 fixes is now available.

Description:

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-10768: The prctl() function could be used to enable indirect branch speculation even after it has been disabled. (bnc#1172783)
- CVE-2020-10766: A bug in the logic handling could allow an attacker with a local account to disable SSBD protection.
(bnc#1172781)
- CVE-2020-10767: An IBPB would be disabled when STIBP was not available or when Enhanced Indirect Branch Restricted Speculation (IBRS) was available. This unexpected behaviour could leave the system open to a spectre v2 style attack (bnc#1172782)
- CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii was called several times in a row (bnc#1172775)
- CVE-2019-20810: go7007_snd_init did not call snd_card_free for a failure path, which caused a memory leak (bnc#1172458)

The following non-security bugs were fixed:

- ACPI: PM: Avoid using power resources if there are none for D0 (bsc#1051510).
- ALSA: es1688: Add the missed snd_card_free() (bsc#1051510).
- ALSA: hda/hdmi - enable runtime pm for newer AMD display audio (bsc#1111666).
- ALSA: hda/realtek - Add LED class support for micmute LED (bsc#1111666).
- ALSA: hda/realtek - Enable micmute LED on and HP system (bsc#1111666).
- ALSA: hda/realtek - Fix unused variable warning w/o CONFIG_LEDS_TRIGGER_AUDIO (bsc#1111666).
- ALSA: hda/realtek - Introduce polarity for micmute LED GPIO (bsc#1111666).
- ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines (bsc#1111666).
- ALSA: hda: Add ElkhartLake HDMI codec vid (bsc#1111666).
- ALSA: hda: add sienna_cichlid audio asic id for sienna_cichlid up (bsc#1111666).
- ALSA: pcm: disallow linking stream to itself (bsc#1111666).
- ALSA: usb-audio: Add Pioneer DJ DJM-900NXS2 support (bsc#1111666).
- ALSA: usb-audio: Add duplex sound support for USB devices using implicit feedback (bsc#1111666).
- ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt Dock (bsc#1111666).
- ALSA: usb-audio: Clean up quirk entries with macros (bsc#1111666).
- ALSA: usb-audio: Fix inconsistent card PM state after resume (bsc#1111666).
- ALSA: usb-audio: Fix racy list management in output queue (bsc#1111666).
- ALSA: usb-audio: Manage auto-pm of all bundled interfaces (bsc#1111666).
- ALSA: usb-audio: Use the new macro for HP Dock rename quirks (bsc#1111666).
- CDC-ACM: heed quirk also in error handling (git-fixes).
- HID: sony: Fix for broken buttons on DS3 USB dongles (bsc#1051510).
- KVM: x86/mmu: Set mmio_value to '0' if reserved #PF can't be generated (bsc#1171904).
- KVM: x86: only do L1TF workaround on affected processors (bsc#1171904).
- NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid() (bsc#1170592).
- NFSv4: Retry CLOSE and DELEGRETURN on NFS4ERR_OLD_STATEID (bsc#1170592).
- PCI/PM: Call .bridge_d3() hook only if non-NULL (git-fixes).
- PCI/PTM: Inherit Switch Downstream Port PTM settings from Upstream Port (bsc#1051510).
- PCI: Allow pci_resize_resource() for devices on root bus (bsc#1051510).
- PCI: Fix pci_register_host_bridge() device_register() error handling (bsc#1051510).
- PCI: Program MPS for RCiEP devices (bsc#1051510).
- RDMA/efa: Fix setting of wrong bit in get/set_feature commands (bsc#1111666)
- RDMA/efa: Support remote read access in MR registration (bsc#1111666)
- RDMA/efa: Unified getters/setters for device structs bitmask access (bsc#1111666)
- USB: gadget: udc: s3c2410_udc: Remove pointless NULL check in s3c2410_udc_nuke (bsc#1051510).
- USB: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe() (bsc#1051510).
- USB: serial: option: add Telit LE910C1-EUX compositions (bsc#1051510).
- USB: serial: qcserial: add DW5816e QDL support (bsc#1051510).
- USB: serial: usb_wwan: do not resubmit rx urb on fatal errors (bsc#1051510).
- USB: serial: usb_wwan: do not resubmit rx urb on fatal errors (git-fixes).
- arm64: map FDT as RW for early_init_dt_scan() (jsc#SLE-12423).
- bcache: Fix an error code in bch_dump_read() (git fixes (block drivers)).
- block: remove QUEUE_FLAG_STACKABLE (git fixes (block drivers)).
- block: sed-opal: fix sparse warning: convert __be64 data (git fixes (block drivers)).
- brcmfmac: fix wrong location to get firmware feature (bsc#1111666).
- btrfs: do not zero f_bavail if we have available space (bsc#1168081). - btrfs: do not zero f_bavail if we have available space (bsc#1168081). - char/random: Add a newline at the end of the file (jsc#SLE-12423). - cifs: get rid of unused parameter in reconn_setup_dfs_targets() (bsc#1144333). - cifs: handle hostnames that resolve to same ip in failover (bsc#1144333 bsc#1161016). - cifs: set up next DFS target before generic_ip_connect() (bsc#1144333 bsc#1161016). - clk: bcm2835: Fix return type of bcm2835_register_gate (bsc#1051510). - clk: clk-flexgen: fix clock-critical handling (bsc#1051510). - clk: sunxi: Fix incorrect usage of round_down() (bsc#1051510). - compat_ioctl: block: handle BLKREPORTZONE/BLKRESETZONE (git fixes (block drivers)). - compat_ioctl: block: handle Persistent Reservations (git fixes (block drivers)). - copy_{to,from}_user(): consolidate object size checks (git fixes). - crypto: caam - update xts sector size for large input length (bsc#1111666). - crypto: chelsio/chtls: properly set tp->lsndtime (bsc#1111666). - dm btree: increase rebalance threshold in __rebalance2() (git fixes (block drivers)). - dm cache: fix a crash due to incorrect work item cancelling (git fixes (block drivers)). - dm crypt: fix benbi IV constructor crash if used in authenticated mode (git fixes (block drivers)). - dm space map common: fix to ensure new block isn't already in use (git fixes (block drivers)). - dm verity fec: fix hash block number in verity_fec_decode (git fixes (block drivers)). - dm verity fec: fix memory leak in verity_fec_dtr (git fixes (block drivers)). - dm: fix potential for q->make_request_fn NULL pointer (git fixes (block drivers)). - dm: various cleanups to md->queue initialization code (git fixes). - dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' (bsc#1111666). - drivers: soc: ti: knav_qmss_queue: Make knav_gp_range_ops static (bsc#1051510). 
- drm/i915: Whitelist context-local timestamp in the gen9 cmdparser (bsc#1111666). - drm: amd/display: fix Kconfig help text (bsc#1113956) - efi/random: Increase size of firmware supplied randomness (jsc#SLE-12423). - efi/random: Treat EFI_RNG_PROTOCOL output as bootloader randomness (jsc#SLE-12423). - efi: READ_ONCE rng seed size before munmap (jsc#SLE-12423). - efi: Reorder pr_notice() with add_device_randomness() call (jsc#SLE-12423). - evm: Check also if *tfm is an error pointer in init_desc() (bsc#1051510). - evm: Fix a small race in init_desc() (bsc#1051510). - extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' (bsc#1051510). - fdt: Update CRC check for rng-seed (jsc#SLE-12423). - fdt: add support for rng-seed (jsc#SLE-12423). - firmware: imx: scu: Fix corruption of header (git-fixes). - firmware: imx: scu: Fix possible memory leak in imx_scu_probe() (bsc#1111666). - fpga: dfl: afu: Corrected error handling levels (git-fixes). - fs/reiserfs: Reenabled reiserfs (bsc#1172884) - gpiolib: Document that GPIO line names are not globally unique (bsc#1051510). - gpu: ipu-v3: pre: do not trigger update if buffer address does not change (bsc#1111666). - iio: buffer: Do not allow buffers without any channels enabled to be activated (bsc#1051510). - iio: pressure: bmp280: Tolerate IRQ before registering (bsc#1051510). - ima: Directly assign the ima_default_policy pointer to ima_rules (bsc#1051510). - ima: Fix ima digest hash table key calculation (bsc#1051510). - include/asm-generic/topology.h: guard cpumask_of_node() macro argument (bsc#1148868). - kabi: ppc64le: prevent struct dma_map_ops to become defined (jsc#SLE-12423). - kvm: x86: Fix L1TF mitigation for shadow MMU (bsc#1171904). - livepatch: Apply vmlinux-specific KLP relocations early (bsc#1071995). - livepatch: Disallow vmlinux.ko (bsc#1071995). - livepatch: Make klp_apply_object_relocs static (bsc#1071995). 
- livepatch: Prevent module-specific KLP rela sections from referencing vmlinux symbols (bsc#1071995). - livepatch: Remove .klp.arch (bsc#1071995). - mac80211: add option for setting control flags (bsc#1111666). - mac80211: set IEEE80211_TX_CTRL_PORT_CTRL_PROTO for nl80211 TX (bsc#1111666). - mailbox: imx: Disable the clock on devm_mbox_controller_register() failure (git-fixes). - md: Avoid namespace collision with bitmap API (git fixes (block drivers)). - md: use memalloc scope APIs in mddev_suspend()/mddev_resume() (bsc#1166985)). - md: use memalloc scope APIs in mddev_suspend()/mddev_resume() (git fixes (block drivers)). - mdraid: fix read/write bytes accounting (bsc#1172537). - mmc: block: Fix request completion in the CQE timeout path (bsc#1111666). - mmc: block: Fix use-after-free issue for rpmb (bsc#1111666). - mmc: fix compilation of user API (bsc#1051510). - netfilter: connlabels: prefer static lock initialiser (git-fixes). - netfilter: not mark a spinlock as __read_mostly (git-fixes). - nl80211: fix NL80211_ATTR_CHANNEL_WIDTH attribute type (bsc#1111666). - nvme-fc: Fail transport errors with NVME_SC_HOST_PATH (bsc#1158983 bsc#1172538). - nvme-tcp: fail command with NVME_SC_HOST_PATH_ERROR send failed (bsc#1158983 bsc#1172538). - nvme: fail cancelled commands with NVME_SC_HOST_PATH_ERROR (bsc#1158983 bsc#1172538). - overflow.h: Add arithmetic shift helper (git fixes). - overflow: Fix -Wtype-limits compilation warnings (git fixes). - p54usb: add AirVasT USB stick device-id (bsc#1051510). - pcm_native: result of put_user() needs to be checked (bsc#1111666). - perf, pt, coresight: Fix address filters for vmas with non-zero offset (git-fixes). - perf, pt, coresight: Fix address filters for vmas with non-zero offset (git-fixes). - perf/cgroup: Fix perf cgroup hierarchy support (git-fixes). - perf/cgroup: Fix perf cgroup hierarchy support (git-fixes). - perf/core: Add sanity check to deal with pinned event failure (git-fixes). 
- perf/core: Add sanity check to deal with pinned event failure (git-fixes). - perf/core: Avoid freeing static PMU contexts when PMU is unregistered (git-fixes). - perf/core: Avoid freeing static PMU contexts when PMU is unregistered (git-fixes). - perf/core: Correct event creation with PERF_FORMAT_GROUP (git-fixes). - perf/core: Correct event creation with PERF_FORMAT_GROUP (git-fixes). - perf/core: Do not WARN() for impossible ring-buffer sizes (git-fixes). - perf/core: Do not WARN() for impossible ring-buffer sizes (git-fixes). - perf/core: Fix __perf_read_group_add() locking (git-fixes (dependent patch)). - perf/core: Fix __perf_read_group_add() locking (git-fixes (dependent patch)). - perf/core: Fix bad use of igrab() (git fixes (dependent patch)). - perf/core: Fix crash when using HW tracing kernel filters (git-fixes). - perf/core: Fix ctx_event_type in ctx_resched() (git-fixes). - perf/core: Fix ctx_event_type in ctx_resched() (git-fixes). - perf/core: Fix error handling in perf_event_alloc() (git-fixes). - perf/core: Fix error handling in perf_event_alloc() (git-fixes). - perf/core: Fix exclusive events' grouping (git-fixes). - perf/core: Fix exclusive events' grouping (git-fixes). - perf/core: Fix group scheduling with mixed hw and sw events (git-fixes). - perf/core: Fix group scheduling with mixed hw and sw events (git-fixes). - perf/core: Fix impossible ring-buffer sizes warning (git-fixes). - perf/core: Fix impossible ring-buffer sizes warning (git-fixes). - perf/core: Fix lock inversion between perf,trace,cpuhp (git-fixes (dependent patch for 18736eef1213)). - perf/core: Fix lock inversion between perf,trace,cpuhp (git-fixes (dependent patch for 18736eef1213)). - perf/core: Fix locking for children siblings group read (git-fixes). - perf/core: Fix locking for children siblings group read (git-fixes). - perf/core: Fix perf_event_read_value() locking (git-fixes). - perf/core: Fix perf_event_read_value() locking (git-fixes). 
- perf/core: Fix perf_pmu_unregister() locking (git-fixes). - perf/core: Fix perf_pmu_unregister() locking (git-fixes). - perf/core: Fix perf_sample_regs_user() mm check (git-fixes). - perf/core: Fix perf_sample_regs_user() mm check (git-fixes). - perf/core: Fix possible Spectre-v1 indexing for ->aux_pages (git-fixes). - perf/core: Fix possible Spectre-v1 indexing for ->aux_pages (git-fixes). - perf/core: Fix race between close() and fork() (git-fixes). - perf/core: Fix race between close() and fork() (git-fixes). - perf/core: Fix the address filtering fix (git-fixes). - perf/core: Fix the address filtering fix (git-fixes). - perf/core: Fix use-after-free in uprobe_perf_close() (git-fixes). - perf/core: Fix use-after-free in uprobe_perf_close() (git-fixes). - perf/core: Force USER_DS when recording user stack data (git-fixes). - perf/core: Force USER_DS when recording user stack data (git-fixes). - perf/core: Restore mmap record type correctly (git-fixes). - perf/core: Restore mmap record type correctly (git-fixes). - perf/ioctl: Add check for the sample_period value (git-fixes). - perf/ioctl: Add check for the sample_period value (git-fixes). - perf/x86/pt, coresight: Clean up address filter structure (git fixes (dependent patch)). - perf: Allocate context task_ctx_data for child event (git-fixes). - perf: Allocate context task_ctx_data for child event (git-fixes). - perf: Copy parent's address filter offsets on clone (git-fixes). - perf: Copy parent's address filter offsets on clone (git-fixes). - perf: Fix header.size for namespace events (git-fixes). - perf: Fix header.size for namespace events (git-fixes). - perf: Return proper values for user stack errors (git-fixes). - perf: Return proper values for user stack errors (git-fixes). - pid: Improve the comment about waiting in zap_pid_ns_processes (git fixes)). - pinctrl: freescale: imx: Fix an error handling path in 'imx_pinctrl_probe()' (bsc#1051510). 
- pinctrl: imxl: Fix an error handling path in 'imx1_pinctrl_core_probe()' (bsc#1051510). - pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE GPIOs (bsc#1051510). - platform/x86: dell-laptop: do not register micmute LED if there is no token (bsc#1111666). - pnp: Use list_for_each_entry() instead of open coding (git fixes). - power: supply: bq24257_charger: Replace depends on REGMAP_I2C with select (bsc#1051510). - power: supply: lp8788: Fix an error handling path in 'lp8788_charger_probe()' (bsc#1051510). - power: supply: smb347-charger: IRQSTAT_D is volatile (bsc#1051510). - powerpc/64s: Do not let DT CPU features set FSCR_DSCR (bsc#1065729). - powerpc/64s: Save FSCR to init_task.thread.fscr after feature init (bsc#1065729). - powerpc/xive: Clear the page tables for the ESB IO mapping (bsc#1085030). - raid5: remove gfp flags from scribble_alloc() (bsc#1166985). - raid5: remove gfp flags from scribble_alloc() (git fixes (block drivers)). - resolve KABI warning for perf-pt-coresight (git-fixes). - resolve KABI warning for perf-pt-coresight (git-fixes). - s390/bpf: Maintain 8-byte stack alignment (bsc#1169194). - scsi: ibmvscsi: Do not send host info in adapter info MAD after LPM (bsc#1172759 ltc#184814). - spi: dw: use "smp_mb()" to avoid sending spi data error (bsc#1051510). - spi: spi-mem: Fix Dual/Quad modes on Octal-capable devices (bsc#1111666). - staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK (bsc#1051510). - staging: sm750fb: add missing case while setting FB_VISUAL (bsc#1051510). - tty: n_gsm: Fix SOF skipping (bsc#1051510). - tty: n_gsm: Fix bogus i++ in gsm_data_kick (bsc#1051510). - tty: n_gsm: Fix waking up upper tty layer when room available (bsc#1051510). - usb: dwc2: gadget: move gadget resume after the core is in L0 state (bsc#1051510). - usb: gadget: lpc32xx_udc: do not dereference ep pointer before null check (bsc#1051510). - usb: musb: Fix runtime PM imbalance on error (bsc#1051510). 
- usb: musb: start session in resume for host port (bsc#1051510). - virtio-blk: handle block_device_operations callbacks after hot unplug (git fixes (block drivers)). - w1: omap-hdq: cleanup to add missing newline for some dev_dbg (bsc#1051510). - watchdog: sp805: fix restart handler (bsc#1111666). - wil6210: add general initialization/size checks (bsc#1111666). - wil6210: check rx_buff_mgmt before accessing it (bsc#1111666). - wil6210: ignore HALP ICR if already handled (bsc#1111666). - work around mvfs bug (bsc#1162063). - x86/cpu/amd: Make erratum #1054 a legacy erratum (bsc#1114279). - x86: Fix early boot crash on gcc-10, third try (bsc#1114279). - xfrm: fix error in comment (git fixes). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1699=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (x86_64): kernel-azure-4.12.14-16.19.1 kernel-azure-base-4.12.14-16.19.1 kernel-azure-base-debuginfo-4.12.14-16.19.1 kernel-azure-debuginfo-4.12.14-16.19.1 kernel-azure-debugsource-4.12.14-16.19.1 kernel-azure-devel-4.12.14-16.19.1 kernel-syms-azure-4.12.14-16.19.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): kernel-devel-azure-4.12.14-16.19.1 kernel-source-azure-4.12.14-16.19.1 References: https://www.suse.com/security/cve/CVE-2019-20810.html https://www.suse.com/security/cve/CVE-2020-10766.html https://www.suse.com/security/cve/CVE-2020-10767.html https://www.suse.com/security/cve/CVE-2020-10768.html https://www.suse.com/security/cve/CVE-2020-13974.html https://bugzilla.suse.com/1051510 https://bugzilla.suse.com/1065729 https://bugzilla.suse.com/1071995 https://bugzilla.suse.com/1085030 https://bugzilla.suse.com/1111666 
https://bugzilla.suse.com/1113956 https://bugzilla.suse.com/1114279 https://bugzilla.suse.com/1144333 https://bugzilla.suse.com/1148868 https://bugzilla.suse.com/1158983 https://bugzilla.suse.com/1161016 https://bugzilla.suse.com/1162063 https://bugzilla.suse.com/1166985 https://bugzilla.suse.com/1168081 https://bugzilla.suse.com/1169194 https://bugzilla.suse.com/1170592 https://bugzilla.suse.com/1171904 https://bugzilla.suse.com/1172458 https://bugzilla.suse.com/1172472 https://bugzilla.suse.com/1172537 https://bugzilla.suse.com/1172538 https://bugzilla.suse.com/1172759 https://bugzilla.suse.com/1172775 https://bugzilla.suse.com/1172781 https://bugzilla.suse.com/1172782 https://bugzilla.suse.com/1172783 https://bugzilla.suse.com/1172884 From sle-updates at lists.suse.com Mon Jun 22 07:15:59 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 22 Jun 2020 15:15:59 +0200 (CEST) Subject: SUSE-RU-2020:1700-1: moderate: Recommended update for ucode-intel Message-ID: <20200622131559.579B4F3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1700-1 Rating: moderate References: #1172466 #1172856 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. 
Description: This update for ucode-intel fixes the following issues: Updated Intel CPU Microcode to 20200616 official release (bsc#1172856) - revert 06-4e-03 Skylake U/Y, U23e ucode back to 000000d6 release - revert 06-5e-03 Skylake H/S ucode back to 000000d6 release, as both cause stability issues. (bsc#1172856) Updated Intel CPU Microcode to 20200609 official release (bsc#1172466) - no changes to 20200602 prerelease Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1700=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1700=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1700=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1700=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1700=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1700=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1700=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1700=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1700=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1700=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1700=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1700=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): ucode-intel-20200616-13.73.1 ucode-intel-debuginfo-20200616-13.73.1 ucode-intel-debugsource-20200616-13.73.1 - SUSE OpenStack Cloud 8 (x86_64): ucode-intel-20200616-13.73.1 
ucode-intel-debuginfo-20200616-13.73.1 ucode-intel-debugsource-20200616-13.73.1 - SUSE OpenStack Cloud 7 (x86_64): ucode-intel-20200616-13.73.1 ucode-intel-debuginfo-20200616-13.73.1 ucode-intel-debugsource-20200616-13.73.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): ucode-intel-20200616-13.73.1 ucode-intel-debuginfo-20200616-13.73.1 ucode-intel-debugsource-20200616-13.73.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): ucode-intel-20200616-13.73.1 ucode-intel-debuginfo-20200616-13.73.1 ucode-intel-debugsource-20200616-13.73.1 - SUSE Linux Enterprise Server 12-SP4 (x86_64): ucode-intel-20200616-13.73.1 ucode-intel-debuginfo-20200616-13.73.1 ucode-intel-debugsource-20200616-13.73.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (x86_64): ucode-intel-20200616-13.73.1 ucode-intel-debuginfo-20200616-13.73.1 ucode-intel-debugsource-20200616-13.73.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): ucode-intel-20200616-13.73.1 ucode-intel-debuginfo-20200616-13.73.1 ucode-intel-debugsource-20200616-13.73.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64): ucode-intel-20200616-13.73.1 ucode-intel-debuginfo-20200616-13.73.1 ucode-intel-debugsource-20200616-13.73.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): ucode-intel-20200616-13.73.1 ucode-intel-debuginfo-20200616-13.73.1 ucode-intel-debugsource-20200616-13.73.1 - SUSE Enterprise Storage 5 (x86_64): ucode-intel-20200616-13.73.1 ucode-intel-debuginfo-20200616-13.73.1 ucode-intel-debugsource-20200616-13.73.1 - HPE Helion Openstack 8 (x86_64): ucode-intel-20200616-13.73.1 ucode-intel-debuginfo-20200616-13.73.1 ucode-intel-debugsource-20200616-13.73.1 References: https://bugzilla.suse.com/1172466 https://bugzilla.suse.com/1172856 From sle-updates at lists.suse.com Mon Jun 22 07:16:46 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 22 Jun 2020 15:16:46 +0200 (CEST) Subject: SUSE-RU-2020:1701-1: moderate: Recommended update for ucode-intel Message-ID: 
<20200622131646.0277FF3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1701-1 Rating: moderate References: #1172466 #1172856 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for ucode-intel fixes the following issues: Updated Intel CPU Microcode to 20200616 official release (bsc#1172856) - revert 06-4e-03 Skylake U/Y, U23e ucode back to 000000d6 release - revert 06-5e-03 Skylake H/S ucode back to 000000d6 release, as both cause stability issues. (bsc#1172856) Updated Intel CPU Microcode to 20200609 official release (bsc#1172466) - no changes to 20200602 prerelease Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1701=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): ucode-intel-20200616-3.30.1 References: https://bugzilla.suse.com/1172466 https://bugzilla.suse.com/1172856 From sle-updates at lists.suse.com Mon Jun 22 07:17:28 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 22 Jun 2020 15:17:28 +0200 (CEST) Subject: SUSE-RU-2020:1704-1: moderate: Recommended update for susefirewall2-to-firewalld Message-ID: <20200622131728.D9A92F3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for susefirewall2-to-firewalld ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1704-1 Rating: moderate References: #1170461 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for susefirewall2-to-firewalld fixes the following issues: - Fixed "INVALID_PORT" error message with certain SuSEfirewall2 configurations (bsc#1170461). Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1704=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): susefirewall2-to-firewalld-0.0.4-3.9.1 References: https://bugzilla.suse.com/1170461 From sle-updates at lists.suse.com Mon Jun 22 07:18:05 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 22 Jun 2020 15:18:05 +0200 (CEST) Subject: SUSE-RU-2020:1702-1: moderate: Recommended update for ucode-intel Message-ID: <20200622131805.C7D43F3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1702-1 Rating: moderate References: #1172466 #1172856 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for ucode-intel fixes the following issues: Updated Intel CPU Microcode to 20200616 official release (bsc#1172856) - revert 06-4e-03 Skylake U/Y, U23e ucode back to 000000d6 release - revert 06-5e-03 Skylake H/S ucode back to 000000d6 release, as both cause stability issues. (bsc#1172856) Updated Intel CPU Microcode to 20200609 official release (bsc#1172466) - no changes to 20200602 prerelease Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1702=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1702=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1702=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (x86_64): ucode-intel-20200616-3.48.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): ucode-intel-20200616-3.48.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): ucode-intel-20200616-3.48.1 References: https://bugzilla.suse.com/1172466 https://bugzilla.suse.com/1172856 From sle-updates at lists.suse.com Mon Jun 22 07:18:48 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 22 Jun 2020 15:18:48 +0200 (CEST) Subject: SUSE-RU-2020:1703-1: moderate: Recommended update for ucode-intel Message-ID: <20200622131848.C4ACFF3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1703-1 Rating: moderate References: #1172466 #1172856 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for ucode-intel fixes the following issues: Updated Intel CPU Microcode to 20200616 official release (bsc#1172856) - revert 06-4e-03 Skylake U/Y, U23e ucode back to 000000d6 release - revert 06-5e-03 Skylake H/S ucode back to 000000d6 release, as both cause stability issues. 
(bsc#1172856) Updated Intel CPU Microcode to 20200609 official release (bsc#1172466) - no changes to 20200602 prerelease Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1703=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (x86_64): ucode-intel-20200616-3.17.1 ucode-intel-debuginfo-20200616-3.17.1 ucode-intel-debugsource-20200616-3.17.1 References: https://bugzilla.suse.com/1172466 https://bugzilla.suse.com/1172856 From sle-updates at lists.suse.com Mon Jun 22 10:13:03 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 22 Jun 2020 18:13:03 +0200 (CEST) Subject: SUSE-RU-2020:1706-1: important: Recommended update for susemanager-cloud-setup Message-ID: <20200622161303.30F08F3D7@maintenance.suse.de> SUSE Recommended Update: Recommended update for susemanager-cloud-setup ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1706-1 Rating: important References: #1172838 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP2 SUSE Linux Enterprise Module for Public Cloud 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for susemanager-cloud-setup contains the following fix: - Update to version 1.6 * suma-storage: handle /var/spacewalk correctly. (bsc#1172838) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15-SP2: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2020-1706=1 - SUSE Linux Enterprise Module for Public Cloud 15-SP1: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-1706=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15-SP2 (noarch): susemanager-cloud-setup-proxy-1.6-3.12.1 susemanager-cloud-setup-server-1.6-3.12.1 - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (noarch): susemanager-cloud-setup-proxy-1.6-3.12.1 susemanager-cloud-setup-server-1.6-3.12.1 References: https://bugzilla.suse.com/1172838 From sle-updates at lists.suse.com Tue Jun 23 07:12:41 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 15:12:41 +0200 (CEST) Subject: SUSE-SU-2020:1712-1: moderate: Security update for xawtv Message-ID: <20200623131241.74C48F3E2@maintenance.suse.de> SUSE Security Update: Security update for xawtv ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1712-1 Rating: moderate References: #1171655 Cross-References: CVE-2020-13696 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Workstation Extension 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for xawtv fixes the following issues: - CVE-2020-13696: Fixed an issue in a setuid-root program which could have allowed arbitrary file existence tests and open() with O_RDWR (bsc#1171655). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1712=1 - SUSE Linux Enterprise Workstation Extension 12-SP4: zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1712=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): tv-common-3.103-6.3.1 tv-common-debuginfo-3.103-6.3.1 v4l-conf-3.103-6.3.1 v4l-conf-debuginfo-3.103-6.3.1 v4l-tools-3.103-6.3.1 v4l-tools-debuginfo-3.103-6.3.1 xawtv-debuginfo-3.103-6.3.1 xawtv-debugsource-3.103-6.3.1 - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64): tv-common-3.103-6.3.1 tv-common-debuginfo-3.103-6.3.1 v4l-conf-3.103-6.3.1 v4l-conf-debuginfo-3.103-6.3.1 v4l-tools-3.103-6.3.1 v4l-tools-debuginfo-3.103-6.3.1 xawtv-debuginfo-3.103-6.3.1 xawtv-debugsource-3.103-6.3.1 References: https://www.suse.com/security/cve/CVE-2020-13696.html https://bugzilla.suse.com/1171655 From sle-updates at lists.suse.com Tue Jun 23 07:13:22 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 15:13:22 +0200 (CEST) Subject: SUSE-RU-2020:1708-1: moderate: Recommended update for apache2-mod_nss Message-ID: <20200623131322.A1BA4F3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for apache2-mod_nss ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1708-1 Rating: moderate References: #1167322 Affected Products: SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for apache2-mod_nss fixes the following issues: - Update from version 1.0.14 to 1.0.17 (jsc#ECO-1907, bsc#1167322) * Add TLSv1.3 support * Update documentation for TLS 1.3 * Add TLS 1.3 support to the cipher tests * PEP-8 fixups * Change the default certificate database format to SQLite. * Try to auto-detect the NSS database format if not specified * Update nss_pcache.8 man page to drop directory and prefix * When a token is configured in password file only authenticate once * Return an error when NSSPassPhraseDialog is invalid * Move 3DES ciphers down from HIGH to MEDIUM to match OpenSSL 1.0.2k+ * Add -Werror=implicit-function-declaration to CFLAGS * Handle group membership when testing for file permissions * NSS system-wide policy now disables SSLv3, don't use it in tests * Add missing error messages for libssl errors * Fix doc typo in SSL_[SERVER|CLIENT]_SAN_IPaddr env variable name * When including additional test config use specific extension * Fix the TLS Session ID cache * Make an invalid protocol setting fatal * Don't use same NSS db in nss_pcache as mod_nss, use NSS_NoDB_Init() * Add info log message when FIPS is enabled * Add AES-256 and drop DES, CAST128, SKIPJACK as wrapping key types * Fix removal of CR from PEM certificates * Add OCSP caching and timeout tuning knobs * Check the NSS database directory permissions as well as the files inside it for read access on startup. * Add in simple aliases for ciphers to fix those that don't follow the pattern (dhe_rsa_aes_128_sha256, dhe_rsa_aes_256_sha256) and those with typos (camelia_128_sha, camelia_256_sha) * Don't set remote user in fixup hook Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1708=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1708=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): apache2-mod_nss-1.0.17-19.12.1 apache2-mod_nss-debuginfo-1.0.17-19.12.1 apache2-mod_nss-debugsource-1.0.17-19.12.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): apache2-mod_nss-1.0.17-19.12.1 apache2-mod_nss-debuginfo-1.0.17-19.12.1 apache2-mod_nss-debugsource-1.0.17-19.12.1 References: https://bugzilla.suse.com/1167322 From sle-updates at lists.suse.com Tue Jun 23 07:14:04 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 15:14:04 +0200 (CEST) Subject: SUSE-SU-2020:1710-1: moderate: Security update for mariadb Message-ID: <20200623131404.74208F3E2@maintenance.suse.de> SUSE Security Update: Security update for mariadb ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1710-1 Rating: moderate References: #1171550 Cross-References: CVE-2020-13249 CVE-2020-2752 CVE-2020-2760 CVE-2020-2812 CVE-2020-2814 Affected Products: SUSE OpenStack Cloud Crowbar 9 SUSE OpenStack Cloud 9 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for mariadb fixes the following issues: mariadb was updated to version 10.2.32 (bsc#1171550) - CVE-2020-2752: Fixed an issue which could have resulted in unauthorized ability to cause denial of service. - CVE-2020-2812: Fixed an issue which could have resulted in unauthorized ability to cause denial of service. 
- CVE-2020-2814: Fixed an issue which could have resulted in unauthorized ability to cause denial of service. - CVE-2020-2760: Fixed an issue which could have resulted in unauthorized ability to cause denial of service. - CVE-2020-13249: Fixed an improper validation of the content of an OK packet received from a server. Release notes and changelog: - https://mariadb.com/kb/en/library/mariadb-10232-release-notes - https://mariadb.com/kb/en/library/mariadb-10232-changelog - Update to 10.2.32 GA [bsc#1171550] Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-1710=1 - SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2020-1710=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1710=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1710=1 Package List: - SUSE OpenStack Cloud Crowbar 9 (x86_64): mariadb-debuginfo-10.2.32-3.28.2 mariadb-debugsource-10.2.32-3.28.2 mariadb-galera-10.2.32-3.28.2 - SUSE OpenStack Cloud 9 (x86_64): mariadb-debuginfo-10.2.32-3.28.2 mariadb-debugsource-10.2.32-3.28.2 mariadb-galera-10.2.32-3.28.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): mariadb-10.2.32-3.28.2 mariadb-client-10.2.32-3.28.2 mariadb-client-debuginfo-10.2.32-3.28.2 mariadb-debuginfo-10.2.32-3.28.2 mariadb-debugsource-10.2.32-3.28.2 mariadb-tools-10.2.32-3.28.2 mariadb-tools-debuginfo-10.2.32-3.28.2 - SUSE Linux Enterprise Server 12-SP5 (noarch): mariadb-errormessages-10.2.32-3.28.2 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): mariadb-10.2.32-3.28.2 mariadb-client-10.2.32-3.28.2 mariadb-client-debuginfo-10.2.32-3.28.2 mariadb-debuginfo-10.2.32-3.28.2 mariadb-debugsource-10.2.32-3.28.2 
mariadb-tools-10.2.32-3.28.2 mariadb-tools-debuginfo-10.2.32-3.28.2 - SUSE Linux Enterprise Server 12-SP4 (noarch): mariadb-errormessages-10.2.32-3.28.2 References: https://www.suse.com/security/cve/CVE-2020-13249.html https://www.suse.com/security/cve/CVE-2020-2752.html https://www.suse.com/security/cve/CVE-2020-2760.html https://www.suse.com/security/cve/CVE-2020-2812.html https://www.suse.com/security/cve/CVE-2020-2814.html https://bugzilla.suse.com/1171550 From sle-updates at lists.suse.com Tue Jun 23 07:14:46 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 15:14:46 +0200 (CEST) Subject: SUSE-SU-2020:1713-1: important: Security update for the Linux Kernel Message-ID: <20200623131446.4A9AFF3E2@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1713-1 Rating: important References: #1172049 #1172781 #1172782 #1172783 Cross-References: CVE-2020-10766 CVE-2020-10767 CVE-2020-10768 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise High Availability 12-SP3 SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves three vulnerabilities and has one errata is now available. Description: The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-10768: Fixed an issue with the prctl() function which could have allowed indirect branch speculation even after it has been disabled (bsc#1172783). 
- CVE-2020-10767: Fixed an issue where the Indirect Branch Prediction Barrier (IBPB) would have been disabled when STIBP is unavailable or enhanced IBRS is available making the system vulnerable to spectre v2 (bsc#1172782). - CVE-2020-10766: Fixed an issue with Linux scheduler which could have allowed an attacker to turn off the SSBD protection (bsc#1172781). - xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1172049). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1713=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1713=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1713=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1713=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1713=1 - SUSE Linux Enterprise High Availability 12-SP3: zypper in -t patch SUSE-SLE-HA-12-SP3-2020-1713=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1713=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1713=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): kernel-devel-4.4.180-94.124.1 kernel-macros-4.4.180-94.124.1 kernel-source-4.4.180-94.124.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): kernel-default-4.4.180-94.124.1 kernel-default-base-4.4.180-94.124.1 kernel-default-base-debuginfo-4.4.180-94.124.1 kernel-default-debuginfo-4.4.180-94.124.1 kernel-default-debugsource-4.4.180-94.124.1 kernel-default-devel-4.4.180-94.124.1 kernel-default-kgraft-4.4.180-94.124.1 kernel-syms-4.4.180-94.124.1 kgraft-patch-4_4_180-94_124-default-1-4.3.1 
kgraft-patch-4_4_180-94_124-default-debuginfo-1-4.3.1 - SUSE OpenStack Cloud 8 (noarch): kernel-devel-4.4.180-94.124.1 kernel-macros-4.4.180-94.124.1 kernel-source-4.4.180-94.124.1 - SUSE OpenStack Cloud 8 (x86_64): kernel-default-4.4.180-94.124.1 kernel-default-base-4.4.180-94.124.1 kernel-default-base-debuginfo-4.4.180-94.124.1 kernel-default-debuginfo-4.4.180-94.124.1 kernel-default-debugsource-4.4.180-94.124.1 kernel-default-devel-4.4.180-94.124.1 kernel-default-kgraft-4.4.180-94.124.1 kernel-syms-4.4.180-94.124.1 kgraft-patch-4_4_180-94_124-default-1-4.3.1 kgraft-patch-4_4_180-94_124-default-debuginfo-1-4.3.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kernel-default-4.4.180-94.124.1 kernel-default-base-4.4.180-94.124.1 kernel-default-base-debuginfo-4.4.180-94.124.1 kernel-default-debuginfo-4.4.180-94.124.1 kernel-default-debugsource-4.4.180-94.124.1 kernel-default-devel-4.4.180-94.124.1 kernel-default-kgraft-4.4.180-94.124.1 kernel-syms-4.4.180-94.124.1 kgraft-patch-4_4_180-94_124-default-1-4.3.1 kgraft-patch-4_4_180-94_124-default-debuginfo-1-4.3.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): kernel-devel-4.4.180-94.124.1 kernel-macros-4.4.180-94.124.1 kernel-source-4.4.180-94.124.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): kernel-default-4.4.180-94.124.1 kernel-default-base-4.4.180-94.124.1 kernel-default-base-debuginfo-4.4.180-94.124.1 kernel-default-debuginfo-4.4.180-94.124.1 kernel-default-debugsource-4.4.180-94.124.1 kernel-default-devel-4.4.180-94.124.1 kernel-syms-4.4.180-94.124.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kernel-default-kgraft-4.4.180-94.124.1 kgraft-patch-4_4_180-94_124-default-1-4.3.1 kgraft-patch-4_4_180-94_124-default-debuginfo-1-4.3.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): kernel-devel-4.4.180-94.124.1 kernel-macros-4.4.180-94.124.1 kernel-source-4.4.180-94.124.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x): 
kernel-default-man-4.4.180-94.124.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): kernel-devel-4.4.180-94.124.1 kernel-macros-4.4.180-94.124.1 kernel-source-4.4.180-94.124.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): kernel-default-4.4.180-94.124.1 kernel-default-base-4.4.180-94.124.1 kernel-default-base-debuginfo-4.4.180-94.124.1 kernel-default-debuginfo-4.4.180-94.124.1 kernel-default-debugsource-4.4.180-94.124.1 kernel-default-devel-4.4.180-94.124.1 kernel-syms-4.4.180-94.124.1 - SUSE Linux Enterprise High Availability 12-SP3 (ppc64le s390x x86_64): cluster-md-kmp-default-4.4.180-94.124.1 cluster-md-kmp-default-debuginfo-4.4.180-94.124.1 dlm-kmp-default-4.4.180-94.124.1 dlm-kmp-default-debuginfo-4.4.180-94.124.1 gfs2-kmp-default-4.4.180-94.124.1 gfs2-kmp-default-debuginfo-4.4.180-94.124.1 kernel-default-debuginfo-4.4.180-94.124.1 kernel-default-debugsource-4.4.180-94.124.1 ocfs2-kmp-default-4.4.180-94.124.1 ocfs2-kmp-default-debuginfo-4.4.180-94.124.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): kernel-default-4.4.180-94.124.1 kernel-default-base-4.4.180-94.124.1 kernel-default-base-debuginfo-4.4.180-94.124.1 kernel-default-debuginfo-4.4.180-94.124.1 kernel-default-debugsource-4.4.180-94.124.1 kernel-default-devel-4.4.180-94.124.1 kernel-syms-4.4.180-94.124.1 - SUSE Enterprise Storage 5 (noarch): kernel-devel-4.4.180-94.124.1 kernel-macros-4.4.180-94.124.1 kernel-source-4.4.180-94.124.1 - SUSE Enterprise Storage 5 (x86_64): kernel-default-kgraft-4.4.180-94.124.1 kgraft-patch-4_4_180-94_124-default-1-4.3.1 kgraft-patch-4_4_180-94_124-default-debuginfo-1-4.3.1 - HPE Helion Openstack 8 (noarch): kernel-devel-4.4.180-94.124.1 kernel-macros-4.4.180-94.124.1 kernel-source-4.4.180-94.124.1 - HPE Helion Openstack 8 (x86_64): kernel-default-4.4.180-94.124.1 kernel-default-base-4.4.180-94.124.1 kernel-default-base-debuginfo-4.4.180-94.124.1 kernel-default-debuginfo-4.4.180-94.124.1 kernel-default-debugsource-4.4.180-94.124.1 
kernel-default-devel-4.4.180-94.124.1 kernel-default-kgraft-4.4.180-94.124.1 kernel-syms-4.4.180-94.124.1 kgraft-patch-4_4_180-94_124-default-1-4.3.1 kgraft-patch-4_4_180-94_124-default-debuginfo-1-4.3.1 References: https://www.suse.com/security/cve/CVE-2020-10766.html https://www.suse.com/security/cve/CVE-2020-10767.html https://www.suse.com/security/cve/CVE-2020-10768.html https://bugzilla.suse.com/1172049 https://bugzilla.suse.com/1172781 https://bugzilla.suse.com/1172782 https://bugzilla.suse.com/1172783 From sle-updates at lists.suse.com Tue Jun 23 07:15:48 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 15:15:48 +0200 (CEST) Subject: SUSE-RU-2020:1707-1: moderate: Recommended update for gnu-free-fonts Message-ID: <20200623131548.CB0A3F3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for gnu-free-fonts ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1707-1 Rating: moderate References: #1170856 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for gnu-free-fonts fixes the following issue: - Fix building with fontforge 20190801. (bsc#1170856) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1707=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): gnu-free-fonts-0.20120503-4.3.1 References: https://bugzilla.suse.com/1170856 From sle-updates at lists.suse.com Tue Jun 23 07:16:27 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 15:16:27 +0200 (CEST) Subject: SUSE-SU-2020:1709-1: Security update for mercurial Message-ID: <20200623131627.CA15EF3E2@maintenance.suse.de> SUSE Security Update: Security update for mercurial ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1709-1 Rating: low References: #1133035 Cross-References: CVE-2019-3902 Affected Products: SUSE Linux Enterprise Module for Python2 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for mercurial fixes the following issues: Security issue fixed: - CVE-2019-3902: Fixed incorrect patch-checking with symlinks and subrepos (bsc#1133035). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Python2 15-SP1: zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-1709=1 Package List: - SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64): mercurial-4.5.2-3.9.44 mercurial-debuginfo-4.5.2-3.9.44 mercurial-debugsource-4.5.2-3.9.44 References: https://www.suse.com/security/cve/CVE-2019-3902.html https://bugzilla.suse.com/1133035 From sle-updates at lists.suse.com Tue Jun 23 07:17:05 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 15:17:05 +0200 (CEST) Subject: SUSE-SU-2020:1711-1: moderate: Security update for mariadb Message-ID: <20200623131705.E0A17F3E2@maintenance.suse.de> SUSE Security Update: Security update for mariadb ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1711-1 Rating: moderate References: #1171550 Cross-References: CVE-2020-13249 CVE-2020-2752 CVE-2020-2760 CVE-2020-2812 CVE-2020-2814 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for mariadb to version 10.2.32 fixes the following issues: mariadb was updated to version 10.2.32 (bsc#1171550) - CVE-2020-2752: Fixed an issue which could have resulted in unauthorized ability to cause denial of service. - CVE-2020-2812: Fixed an issue which could have resulted in unauthorized ability to cause denial of service. - CVE-2020-2814: Fixed an issue which could have resulted in unauthorized ability to cause denial of service. - CVE-2020-2760: Fixed an issue which could have resulted in unauthorized ability to cause denial of service. - CVE-2020-13249: Fixed an improper validation of the content of an OK packet received from a server. 
Release notes and changelog: - https://mariadb.com/kb/en/library/mariadb-10232-release-notes - https://mariadb.com/kb/en/library/mariadb-10232-changelog Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1711=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): libmysqld-devel-10.2.32-3.29.2 libmysqld19-10.2.32-3.29.2 libmysqld19-debuginfo-10.2.32-3.29.2 mariadb-10.2.32-3.29.2 mariadb-client-10.2.32-3.29.2 mariadb-client-debuginfo-10.2.32-3.29.2 mariadb-debuginfo-10.2.32-3.29.2 mariadb-debugsource-10.2.32-3.29.2 mariadb-tools-10.2.32-3.29.2 mariadb-tools-debuginfo-10.2.32-3.29.2 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (noarch): mariadb-errormessages-10.2.32-3.29.2 References: https://www.suse.com/security/cve/CVE-2020-13249.html https://www.suse.com/security/cve/CVE-2020-2752.html https://www.suse.com/security/cve/CVE-2020-2760.html https://www.suse.com/security/cve/CVE-2020-2812.html https://www.suse.com/security/cve/CVE-2020-2814.html https://bugzilla.suse.com/1171550 From sle-updates at lists.suse.com Tue Jun 23 10:13:07 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 18:13:07 +0200 (CEST) Subject: SUSE-SU-2020:1714-1: moderate: Security update for php5 Message-ID: <20200623161307.B66ABF3E2@maintenance.suse.de> SUSE Security Update: Security update for php5 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1714-1 Rating: moderate References: #1168326 #1168352 #1171999 Cross-References: CVE-2019-11048 CVE-2020-7064 CVE-2020-7066 Affected Products: SUSE Linux Enterprise Software Development Kit 
12-SP4 SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for php5 fixes the following issues: - CVE-2020-7064: Fixed a one byte read of uninitialized memory in exif_read_data() (bsc#1168326). - CVE-2020-7066: Fixed URL truncation get_headers() if the URL contains zero (\0) character (bsc#1168352). - CVE-2019-11048: Improved the handling of overly long filenames or field names in HTTP file uploads (bsc#1171999). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1714=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-1714=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): php5-debuginfo-5.5.14-109.76.1 php5-debugsource-5.5.14-109.76.1 php5-devel-5.5.14-109.76.1 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): apache2-mod_php5-5.5.14-109.76.1 apache2-mod_php5-debuginfo-5.5.14-109.76.1 php5-5.5.14-109.76.1 php5-bcmath-5.5.14-109.76.1 php5-bcmath-debuginfo-5.5.14-109.76.1 php5-bz2-5.5.14-109.76.1 php5-bz2-debuginfo-5.5.14-109.76.1 php5-calendar-5.5.14-109.76.1 php5-calendar-debuginfo-5.5.14-109.76.1 php5-ctype-5.5.14-109.76.1 php5-ctype-debuginfo-5.5.14-109.76.1 php5-curl-5.5.14-109.76.1 php5-curl-debuginfo-5.5.14-109.76.1 php5-dba-5.5.14-109.76.1 php5-dba-debuginfo-5.5.14-109.76.1 php5-debuginfo-5.5.14-109.76.1 php5-debugsource-5.5.14-109.76.1 php5-dom-5.5.14-109.76.1 php5-dom-debuginfo-5.5.14-109.76.1 php5-enchant-5.5.14-109.76.1 php5-enchant-debuginfo-5.5.14-109.76.1 php5-exif-5.5.14-109.76.1 
php5-exif-debuginfo-5.5.14-109.76.1 php5-fastcgi-5.5.14-109.76.1 php5-fastcgi-debuginfo-5.5.14-109.76.1 php5-fileinfo-5.5.14-109.76.1 php5-fileinfo-debuginfo-5.5.14-109.76.1 php5-fpm-5.5.14-109.76.1 php5-fpm-debuginfo-5.5.14-109.76.1 php5-ftp-5.5.14-109.76.1 php5-ftp-debuginfo-5.5.14-109.76.1 php5-gd-5.5.14-109.76.1 php5-gd-debuginfo-5.5.14-109.76.1 php5-gettext-5.5.14-109.76.1 php5-gettext-debuginfo-5.5.14-109.76.1 php5-gmp-5.5.14-109.76.1 php5-gmp-debuginfo-5.5.14-109.76.1 php5-iconv-5.5.14-109.76.1 php5-iconv-debuginfo-5.5.14-109.76.1 php5-imap-5.5.14-109.76.1 php5-imap-debuginfo-5.5.14-109.76.1 php5-intl-5.5.14-109.76.1 php5-intl-debuginfo-5.5.14-109.76.1 php5-json-5.5.14-109.76.1 php5-json-debuginfo-5.5.14-109.76.1 php5-ldap-5.5.14-109.76.1 php5-ldap-debuginfo-5.5.14-109.76.1 php5-mbstring-5.5.14-109.76.1 php5-mbstring-debuginfo-5.5.14-109.76.1 php5-mcrypt-5.5.14-109.76.1 php5-mcrypt-debuginfo-5.5.14-109.76.1 php5-mysql-5.5.14-109.76.1 php5-mysql-debuginfo-5.5.14-109.76.1 php5-odbc-5.5.14-109.76.1 php5-odbc-debuginfo-5.5.14-109.76.1 php5-opcache-5.5.14-109.76.1 php5-opcache-debuginfo-5.5.14-109.76.1 php5-openssl-5.5.14-109.76.1 php5-openssl-debuginfo-5.5.14-109.76.1 php5-pcntl-5.5.14-109.76.1 php5-pcntl-debuginfo-5.5.14-109.76.1 php5-pdo-5.5.14-109.76.1 php5-pdo-debuginfo-5.5.14-109.76.1 php5-pgsql-5.5.14-109.76.1 php5-pgsql-debuginfo-5.5.14-109.76.1 php5-phar-5.5.14-109.76.1 php5-phar-debuginfo-5.5.14-109.76.1 php5-posix-5.5.14-109.76.1 php5-posix-debuginfo-5.5.14-109.76.1 php5-pspell-5.5.14-109.76.1 php5-pspell-debuginfo-5.5.14-109.76.1 php5-shmop-5.5.14-109.76.1 php5-shmop-debuginfo-5.5.14-109.76.1 php5-snmp-5.5.14-109.76.1 php5-snmp-debuginfo-5.5.14-109.76.1 php5-soap-5.5.14-109.76.1 php5-soap-debuginfo-5.5.14-109.76.1 php5-sockets-5.5.14-109.76.1 php5-sockets-debuginfo-5.5.14-109.76.1 php5-sqlite-5.5.14-109.76.1 php5-sqlite-debuginfo-5.5.14-109.76.1 php5-suhosin-5.5.14-109.76.1 php5-suhosin-debuginfo-5.5.14-109.76.1 php5-sysvmsg-5.5.14-109.76.1 
php5-sysvmsg-debuginfo-5.5.14-109.76.1 php5-sysvsem-5.5.14-109.76.1 php5-sysvsem-debuginfo-5.5.14-109.76.1 php5-sysvshm-5.5.14-109.76.1 php5-sysvshm-debuginfo-5.5.14-109.76.1 php5-tokenizer-5.5.14-109.76.1 php5-tokenizer-debuginfo-5.5.14-109.76.1 php5-wddx-5.5.14-109.76.1 php5-wddx-debuginfo-5.5.14-109.76.1 php5-xmlreader-5.5.14-109.76.1 php5-xmlreader-debuginfo-5.5.14-109.76.1 php5-xmlrpc-5.5.14-109.76.1 php5-xmlrpc-debuginfo-5.5.14-109.76.1 php5-xmlwriter-5.5.14-109.76.1 php5-xmlwriter-debuginfo-5.5.14-109.76.1 php5-xsl-5.5.14-109.76.1 php5-xsl-debuginfo-5.5.14-109.76.1 php5-zip-5.5.14-109.76.1 php5-zip-debuginfo-5.5.14-109.76.1 php5-zlib-5.5.14-109.76.1 php5-zlib-debuginfo-5.5.14-109.76.1 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): php5-pear-5.5.14-109.76.1 References: https://www.suse.com/security/cve/CVE-2019-11048.html https://www.suse.com/security/cve/CVE-2020-7064.html https://www.suse.com/security/cve/CVE-2020-7066.html https://bugzilla.suse.com/1168326 https://bugzilla.suse.com/1168352 https://bugzilla.suse.com/1171999 From sle-updates at lists.suse.com Tue Jun 23 10:13:58 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 18:13:58 +0200 (CEST) Subject: SUSE-SU-2020:14404-1: moderate: Security Beta update for SUSE Manager Client Tools Message-ID: <20200623161358.98AB2F3E2@maintenance.suse.de> SUSE Security Update: Security Beta update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14404-1 Rating: moderate References: #1159284 #1165572 #1168340 #1169604 #1169800 #1170104 #1170288 #1170595 #1171687 #1171906 #1172075 #1173072 Cross-References: CVE-2020-11651 CVE-2020-11652 Affected Products: SUSE Manager Ubuntu 16.04-CLIENT-TOOLS-BETA ______________________________________________________________________________ An update that solves two vulnerabilities and has 10 fixes is now available. 
Description: This update fixes the following issues: salt: - Require python3-distro only for TW (bsc#1173072) - Various virt backports from 3000.2 - Avoid traceback on debug logging for swarm module (bsc#1172075) - Add publish_batch to ClearFuncs exposed methods - Zypperpkg: filter patterns that start with dot (bsc#1171906) - Batch mode now also correctly provides return value (bsc#1168340) - Add docker.logout to docker execution module (bsc#1165572) - Testsuite fix - Add option to enable/disable force refresh for zypper - Python3.8 compatibility changes - Prevent spurious "salt-api" stuck processes when managing SSH minions because of logging deadlock (bsc#1159284) - Avoid segfault from "salt-api" under certain conditions of heavy load managing SSH minions (bsc#1169604) - Revert broken changes to slspath made on Salt 3000 (saltstack/salt#56341) (bsc#1170104) - Returns the list of IPs filtered by the optional network list - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595) - Do not require vendored backports-abc (bsc#1170288) - Fix partition.mkpart to work without fstype (bsc#1169800) spacecmd: - Only report real error, not result (bsc#1171687) - Use defined return values for spacecmd methods so scripts can check for failure (bsc#1171687) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Ubuntu 16.04-CLIENT-TOOLS-BETA: zypper in -t patch suse-ubu164ct-client-tools-beta-202006-14404=1 Package List: - SUSE Manager Ubuntu 16.04-CLIENT-TOOLS-BETA (all): salt-common-3000+ds-1+9.17.1 salt-minion-3000+ds-1+9.17.1 spacecmd-4.1.4-2.9.4 References: https://www.suse.com/security/cve/CVE-2020-11651.html https://www.suse.com/security/cve/CVE-2020-11652.html https://bugzilla.suse.com/1159284 https://bugzilla.suse.com/1165572 https://bugzilla.suse.com/1168340 https://bugzilla.suse.com/1169604 https://bugzilla.suse.com/1169800 https://bugzilla.suse.com/1170104 https://bugzilla.suse.com/1170288 https://bugzilla.suse.com/1170595 https://bugzilla.suse.com/1171687 https://bugzilla.suse.com/1171906 https://bugzilla.suse.com/1172075 https://bugzilla.suse.com/1173072 From sle-updates at lists.suse.com Tue Jun 23 10:15:53 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 18:15:53 +0200 (CEST) Subject: SUSE-SU-2020:1718-1: moderate: Security Beta update for SUSE Manager Client Tools and Salt Message-ID: <20200623161553.655E1F3E2@maintenance.suse.de> SUSE Security Update: Security Beta update for SUSE Manager Client Tools and Salt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1718-1 Rating: moderate References: #1134195 #1141661 #1159284 #1165572 #1168310 #1168340 #1169604 #1169800 #1170104 #1170231 #1170288 #1170557 #1170595 #1170684 #1171687 #1171906 #1172075 #1172462 #1173072 Cross-References: CVE-2019-10215 CVE-2019-15043 CVE-2020-11651 CVE-2020-11652 CVE-2020-12245 CVE-2020-13379 Affected Products: SUSE Manager Tools 12-BETA ______________________________________________________________________________ An update that solves 6 vulnerabilities and has 13 fixes is now available. 
Description: This update fixes the following issues: cobbler: - Calculate relative path for kernel and inited when generating grub entry (bsc#1170231) Added: fix-grub2-entry-paths.diff - Fix os-release version detection for SUSE Modified: sles15.patch - Jinja2 template library fix (bsc#1141661) - Removes string replace for textmode fix (bsc#1134195) golang-github-prometheus-prometheus: - Update change log and spec file + Modified spec file: default to golang 1.14 to avoid "have choice" build issues in OBS. + Rebase and update patches for version 2.18.0 + Changed: * 0002-Default-settings.patch Changed - Update to 2.18.0 + Features * Tracing: Added experimental Jaeger support #7148 + Changes * Federation: Only use local TSDB for federation (ignore remote read). #7096 * Rules: `rule_evaluations_total` and `rule_evaluation_failures_total` have a `rule_group` label now. #7094 + Enhancements * TSDB: Significantly reduce WAL size kept around after a block cut. #7098 * Discovery: Add `architecture` meta label for EC2. #7000 + Bug fixes * UI: Fixed wrong MinTime reported by /status. #7182 * React UI: Fixed multiselect legend on OSX. #6880 * Remote Write: Fixed blocked resharding edge case. #7122 * Remote Write: Fixed remote write not updating on relabel configs change. #7073 - Changes from 2.17.2 + Bug fixes * Federation: Register federation metrics #7081 * PromQL: Fix panic in parser error handling #7132 * Rules: Fix reloads hanging when deleting a rule group that is being evaluated #7138 * TSDB: Fix a memory leak when prometheus starts with an empty TSDB WAL #7135 * TSDB: Make isolation more robust to panics in web handlers #7129 #7136 - Changes from 2.17.1 + Bug fixes * TSDB: Fix query performance regression that increased memory and CPU usage #7051 - Changes from 2.17.0 + Features * TSDB: Support isolation #6841 * This release implements isolation in TSDB. API queries and recording rules are guaranteed to only see full scrapes and full recording rules. 
This comes with a certain overhead in resource usage. Depending on the situation, there might be some increase in memory usage, CPU usage, or query latency. + Enhancements * PromQL: Allow more keywords as metric names #6933 * React UI: Add normalization of localhost URLs in targets page #6794 * Remote read: Read from remote storage concurrently #6770 * Rules: Mark deleted rule series as stale after a reload #6745 * Scrape: Log scrape append failures as debug rather than warn #6852 * TSDB: Improve query performance for queries that partially hit the head #6676 * Consul SD: Expose service health as meta label #5313 * EC2 SD: Expose EC2 instance lifecycle as meta label #6914 * Kubernetes SD: Expose service type as meta label for K8s service role #6684 * Kubernetes SD: Expose label_selector and field_selector #6807 * Openstack SD: Expose hypervisor id as meta label #6962 + Bug fixes * PromQL: Do not escape HTML-like chars in query log #6834 #6795 * React UI: Fix data table matrix values #6896 * React UI: Fix new targets page not loading when using non-ASCII characters #6892 * Remote read: Fix duplication of metrics read from remote storage with external labels #6967 #7018 * Remote write: Register WAL watcher and live reader metrics for all remotes, not just the first one #6998 * Scrape: Prevent removal of metric names upon relabeling #6891 * Scrape: Fix 'superfluous response.WriteHeader call' errors when scrape fails under some circumstances #6986 * Scrape: Fix crash when reloads are separated by two scrape intervals #7011 - Changes from 2.16.0 + Features * React UI: Support local timezone on /graph #6692 * PromQL: add absent_over_time query function #6490 * Adding optional logging of queries to their own file #6520 + Enhancements * React UI: Add support for rules page and "Xs ago" duration displays #6503 * React UI: alerts page, replace filtering togglers tabs with checkboxes #6543 * TSDB: Export metric for WAL write errors #6647 * TSDB: Improve query performance for 
queries that only touch the most recent 2h of data. #6651 * PromQL: Refactoring in parser errors to improve error messages #6634 * PromQL: Support trailing commas in grouping opts #6480 * Scrape: Reduce memory usage on reloads by reusing scrape cache #6670 * Scrape: Add metrics to track bytes and entries in the metadata cache #6675 * promtool: Add support for line-column numbers for invalid rules output #6533 * Avoid restarting rule groups when it is unnecessary #6450 + Bug fixes * React UI: Send cookies on fetch() on older browsers #6553 * React UI: adopt grafana flot fix for stacked graphs #6603 * React UI: broken graph page browser history so that back button works as expected #6659 * TSDB: ensure compactionsSkipped metric is registered, and log proper error if one is returned from head.Init #6616 * TSDB: return an error on ingesting series with duplicate labels #6664 * PromQL: Fix unary operator precedence #6579 * PromQL: Respect query.timeout even when we reach query.max-concurrency #6712 * PromQL: Fix string and parentheses handling in engine, which affected React UI #6612 * PromQL: Remove output labels returned by absent() if they are produced by multiple identical label matchers #6493 * Scrape: Validate that OpenMetrics input ends with `# EOF` #6505 * Remote read: return the correct error if configs can't be marshal'd to JSON #6622 * Remote write: Make remote client `Store` use passed context, which can affect shutdown timing #6673 * Remote write: Improve sharding calculation in cases where we would always be consistently behind by tracking pendingSamples #6511 * Ensure prometheus_rule_group metrics are deleted when a rule group is removed #6693 - Changes from 2.15.2 + Bug fixes * TSDB: Fixed support for TSDB blocks built with Prometheus before 2.1.0. #6564 * TSDB: Fixed block compaction issues on Windows. #6547 - Changes from 2.15.1 + Bug fixes * TSDB: Fixed race on concurrent queries against same data. 
#6512 - Changes from 2.15.0 + Features * API: Added new endpoint for exposing per metric metadata `/metadata`. #6420 #6442 + Changes * Discovery: Removed `prometheus_sd_kubernetes_cache_*` metrics. Additionally `prometheus_sd_kubernetes_workqueue_latency_seconds` and `prometheus_sd_kubernetes_workqueue_work_duration_seconds` metrics now show correct values in seconds. #6393 * Remote write: Changed `query` label on `prometheus_remote_storage_*` metrics to `remote_name` and `url`. #6043 + Enhancements * TSDB: Significantly reduced memory footprint of loaded TSDB blocks. #6418 #6461 * TSDB: Significantly optimized what we buffer during compaction which should result in lower memory footprint during compaction. #6422 #6452 #6468 #6475 * TSDB: Improve replay latency. #6230 * TSDB: WAL size is now used for size based retention calculation. #5886 * Remote read: Added query grouping and range hints to the remote read request #6401 * Remote write: Added `prometheus_remote_storage_sent_bytes_total` counter per queue. #6344 * promql: Improved PromQL parser performance. #6356 * React UI: Implemented missing pages like `/targets` #6276, TSDB status page #6281 #6267 and many other fixes and performance improvements. * promql: Prometheus now accepts spaces between time range and square bracket. e.g `[ 5m]` #6065 + Bug fixes * Config: Fixed alertmanager configuration to not miss targets when configurations are similar. #6455 * Remote write: Value of `prometheus_remote_storage_shards_desired` gauge shows raw value of desired shards and it's updated correctly. #6378 * Rules: Prometheus now fails the evaluation of rules and alerts where metric results collide with labels specified in `labels` field. #6469 * API: Targets Metadata API `/targets/metadata` now accepts empty `match_targets` parameter as in the spec. #6303 - Changes from 2.14.0 + Features * API: `/api/v1/status/runtimeinfo` and `/api/v1/status/buildinfo` endpoints added for use by the React UI. 
#6243 * React UI: implement the new experimental React based UI. #5694 and many more * Can be found under `/new`. * Not all pages are implemented yet. * Status: Cardinality statistics added to the Runtime & Build Information page. #6125 + Enhancements * Remote write: fix delays in remote write after a compaction. #6021 * UI: Alerts can be filtered by state. #5758 + Bug fixes * Ensure warnings from the API are escaped. #6279 * API: lifecycle endpoints return 403 when not enabled. #6057 * Build: Fix Solaris build. #6149 * Promtool: Remove false duplicate rule warnings when checking rule files with alerts. #6270 * Remote write: restore use of deduplicating logger in remote write. #6113 * Remote write: do not reshard when unable to send samples. #6111 * Service discovery: errors are no longer logged on context cancellation. #6116, #6133 * UI: handle null response from API properly. #6071 - Changes from 2.13.1 + Bug fixes * Fix panic in ARM builds of Prometheus. #6110 * promql: fix potential panic in the query logger. #6094 * Multiple errors of http: superfluous response.WriteHeader call in the logs. #6145 - Changes from 2.13.0 + Enhancements * Metrics: renamed prometheus_sd_configs_failed_total to prometheus_sd_failed_configs and changed to Gauge #5254 * Include the tsdb tool in builds. #6089 * Service discovery: add new node address types for kubernetes. #5902 * UI: show warnings if query have returned some warnings. #5964 * Remote write: reduce memory usage of the series cache. #5849 * Remote read: use remote read streaming to reduce memory usage. #5703 * Metrics: added metrics for remote write max/min/desired shards to queue manager. #5787 * Promtool: show the warnings during label query. #5924 * Promtool: improve error messages when parsing bad rules. #5965 * Promtool: more promlint rules. #5515 + Bug fixes * UI: Fix a Stored DOM XSS vulnerability with query history [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215). 
#6098 * Promtool: fix recording inconsistency due to duplicate labels. #6026 * UI: fixes service-discovery view when accessed from unhealthy targets. #5915 * Metrics format: OpenMetrics parser crashes on short input. #5939 * UI: avoid truncated Y-axis values. #6014 - Changes from 2.12.0 + Features * Track currently active PromQL queries in a log file. #5794 * Enable and provide binaries for `mips64` / `mips64le` architectures. #5792 + Enhancements * Improve responsiveness of targets web UI and API endpoint. #5740 * Improve remote write desired shards calculation. #5763 * Flush TSDB pages more precisely. tsdb#660 * Add `prometheus_tsdb_retention_limit_bytes` metric. tsdb#667 * Add logging during TSDB WAL replay on startup. tsdb#662 * Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654, tsdb#642, tsdb#627 + Bug fixes * Check for duplicate label names in remote read. #5829 * Mark deleted rules' series as stale on next evaluation. #5759 * Fix JavaScript error when showing warning about out-of-sync server time. #5833 * Fix `promtool test rules` panic when providing empty `exp_labels`. #5774 * Only check last directory when discovering checkpoint number. #5756 * Fix error propagation in WAL watcher helper functions. #5741 * Correctly handle empty labels from alert templates. #5845 - Update Uyuni/SUSE Manager service discovery patch + Modified 0003-Add-Uyuni-service-discovery.patch: + Adapt service discovery to the new Uyuni API endpoints + Modified spec file: force golang 1.12 to fix build issues in SLE15SP2 - Update to Prometheus 2.11.2 grafana: - Update to version 7.0.3 * Features / Enhancements - Stats: include all fields. #24829, @ryantxu - Variables: change VariableEditorList row action Icon to IconButton. #25217, @hshoff * Bug fixes - Cloudwatch: Fix dimensions of DDoSProtection. #25317, @papagian - Configuration: Fix env var override of sections containing hyphen. #25178, @marefr - Dashboard: Get panels in collapsed rows. 
#25079, @peterholmberg - Do not show alerts tab when alerting is disabled. #25285, @dprokop - Jaeger: fixes cascader option label duration value. #25129, @Estrax - Transformations: Fixed Transform tab crash & no update after adding first transform. #25152, @torkelo - Update to version 7.0.2 * Bug fixes - Security: Urgent security patch release to fix CVE-2020-13379 - Update to version 7.0.1 * Features / Enhancements - Datasource/CloudWatch: Makes CloudWatch Logs query history more readable. #24795, @kaydelaney - Download CSV: Add date and time formatting. #24992, @ryantxu - Table: Make last cell value visible when right aligned. #24921, @peterholmberg - TablePanel: Adding sort order persistence. #24705, @torkelo - Transformations: Display correct field name when using reduce transformation. #25068, @peterholmberg - Transformations: Allow custom number input for binary operations. #24752, @ryantxu * Bug fixes - Dashboard/Links: Fixes dashboard links by tags not working. #24773, @KamalGalrani - Dashboard/Links: Fixes open in new window for dashboard link. #24772, @KamalGalrani - Dashboard/Links: Variables are resolved and limits to 100. #25076, @hugohaggmark - DataLinks: Bring back variables interpolation in title. #24970, @dprokop - Datasource/CloudWatch: Field suggestions no longer limited to prefix-only. #24855, @kaydelaney - Explore/Table: Keep existing field types if possible. #24944, @kaydelaney - Explore: Fix wrap lines toggle for results of queries with filter expression. #24915, @ivanahuckova - Explore: fix undo in query editor. #24797, @zoltanbedi - Explore: fix word break in type head info. #25014, @zoltanbedi - Graph: Legend decimals now work as expected. #24931, @torkelo - LoginPage: Fix hover color for service buttons. #25009, @tskarhed - LogsPanel: Fix scrollbar. #24850, @ivanahuckova - MoveDashboard: Fix for moving dashboard caused all variables to be lost. #25005, @torkelo - Organize transformer: Use display name in field order comparer. 
#24984, @dprokop - Panel: shows correct panel menu items in view mode. #24912, @hugohaggmark - PanelEditor Fix missing labels and description if there is only single option in category. #24905, @dprokop - PanelEditor: Overrides name matcher still show all original field names even after Field default display name is specified. #24933, @torkelo - PanelInspector: Makes sure Data display options are visible. #24902, @hugohaggmark - PanelInspector: Hides unsupported data display options for Panel type. #24918, @hugohaggmark - PanelMenu: Make menu disappear on button press. #25015, @tskarhed - Postgres: Fix add button. #25087, @phemmer - Prometheus: Fix recording rules expansion. #24977, @ivanahuckova - Stackdriver: Fix creating Service Level Objectives (SLO) datasource query variable. #25023, @papagian - Update to version 7.0.0 * Breaking changes - Removed PhantomJS: PhantomJS was deprecated in Grafana v6.4 and starting from Grafana v7.0.0, all PhantomJS support has been removed. This means that Grafana no longer ships with a built-in image renderer, and we advise you to install the Grafana Image Renderer plugin. - Dashboard: A global minimum dashboard refresh interval is now enforced and defaults to 5 seconds. - Interval calculation: There is now a new option Max data points that controls the auto interval $__interval calculation. Interval was previously calculated by dividing the panel width by the time range. With the new max data points option it is now easy to set $__interval to a dynamic value that is time range agnostic. For example if you set Max data points to 10 Grafana will dynamically set $__interval by dividing the current time range by 10. - Datasource/Loki: Support for deprecated Loki endpoints has been removed. - Backend plugins: Grafana now requires backend plugins to be signed, otherwise Grafana will not load/start them. This is an additional security measure to make sure backend plugin binaries and files haven't been tampered with. 
Refer to Upgrade Grafana for more information. - @grafana/ui: Forms migration notice, see @grafana/ui changelog - @grafana/ui: Select API change for creating custom values, see @grafana/ui changelog + Deprecation warnings - Scripted dashboards is now deprecated. The feature is not removed but will be in a future release. We hope to address the underlying requirement of dynamic dashboards in a different way. #24059 - The unofficial first version of backend plugins together with usage of grafana/grafana-plugin-model is now deprecated and support for that will be removed in a future release. Please refer to backend plugins documentation for information about the new officially supported backend plugins. * Features / Enhancements - Backend plugins: Log deprecation warning when using the unofficial first version of backend plugins. #24675, @marefr - Editor: New line on Enter, run query on Shift+Enter. #24654, @davkal - Loki: Allow multiple derived fields with the same name. #24437, @aocenas - Orgs: Add future deprecation notice. #24502, @torkelo * Bug Fixes - @grafana/toolkit: Use process.cwd() instead of PWD to get directory. #24677, @zoltanbedi - Admin: Makes long settings values line break in settings page. #24559, @hugohaggmark - Dashboard: Allow editing provisioned dashboard JSON and add confirmation when JSON is copied to dashboard. #24680, @dprokop - Dashboard: Fix for strange "dashboard not found" errors when opening links in dashboard settings. #24416, @torkelo - Dashboard: Fix so default data source is selected when data source can't be found in panel editor. #24526, @mckn - Dashboard: Fixed issue changing a panel from transparent back to normal in panel editor. #24483, @torkelo - Dashboard: Make header names reflect the field name when exporting to CSV file from the panel inspector. #24624, @peterholmberg - Dashboard: Make sure side pane is displayed with tabs by default in panel editor. 
#24636, @dprokop - Data source: Fix query/annotation help content formatting. #24687, @AgnesToulet - Data source: Fixes async mount errors. #24579, @Estrax - Data source: Fixes saving a data source without failure when URL doesn't specify a protocol. #24497, @aknuds1 - Explore/Prometheus: Show results of instant queries only in table. #24508, @ivanahuckova - Explore: Fix rendering of react query editors. #24593, @ivanahuckova - Explore: Fixes loading more logs in logs context view. #24135, @Estrax - Graphite: Fix schema and dedupe strategy in rollup indicators for Metrictank queries. #24685, @torkelo - Graphite: Makes query annotations work again. #24556, @hugohaggmark - Logs: Clicking "Load more" from context overlay doesn't expand log row. #24299, @kaydelaney - Logs: Fix total bytes process calculation. #24691, @davkal - Org/user/team preferences: Fixes so UI Theme can be set back to Default. #24628, @AgnesToulet - Plugins: Fix manifest validation. #24573, @aknuds1 - Provisioning: Use proxy as default access mode in provisioning. #24669, @bergquist - Search: Fix select item when pressing enter and Grafana is served using a sub path. #24634, @tskarhed - Search: Save folder expanded state. #24496, @Clarity-89 - Security: Tag value sanitization fix in OpenTSDB data source. #24539, @rotemreiss - Table: Do not include angular options in options when switching from angular panel. #24684, @torkelo - Table: Fixed persisting column resize for time series fields. #24505, @torkelo - Table: Fixes Cannot read property subRows of null. #24578, @hugohaggmark - Time picker: Fixed so you can enter a relative range in the time picker without being converted to absolute range. #24534, @mckn - Transformations: Make transform dropdowns not cropped. #24615, @dprokop - Transformations: Sort order should be preserved as entered by user when using the reduce transformation. #24494, @hugohaggmark - Units: Adds scale symbol for currencies with suffixed symbol. 
#24678, @hugohaggmark - Variables: Fixes filtering options with more than 1000 entries. #24614, @hugohaggmark - Variables: Fixes so Textbox variables read value from url. #24623, @hugohaggmark - Zipkin: Fix error when span contains remoteEndpoint. #24524, @aocenas - SAML: Switch from email to login for user login attribute mapping (Enterprise) - Update Makefile and spec file * Remove phantomJS patch from Makefile * Fix multiline strings in Makefile * Exclude s390 from SLE12 builds, golang 1.14 is not built for s390 - Add instructions for patching the Grafana javascript frontend. - BuildRequires golang(API) instead of go metapackage version range * BuildRequires: golang(API) >= 1.14 from BuildRequires: ( go >= 1.14 with go < 1.15 ) - Update to version 6.7.3 - This version fixes bsc#1170557 and its corresponding CVE-2020-12245 - Admin: Fix Synced via LDAP message for non-LDAP external users. #23477, @alexanderzobnin - Alerting: Fixes notifications for alerts with empty message in Google Hangouts notifier. #23559, @hugohaggmark - AuthProxy: Fixes bug where long username could not be cached.. #22926, @jcmcken - Dashboard: Fix saving dashboard when editing raw dashboard JSON model. #23314, @peterholmberg - Dashboard: Try to parse 8 and 15 digit numbers as timestamps if parsing of time range as date fails. #21694, @jessetan - DashboardListPanel: Fixed problem with empty panel after going into edit mode (General folder filter being automatically added) . #23426, @torkelo - Data source: Handle datasource withCredentials option properly. #23380, @hvtuananh - Security: Fix annotation popup XSS vulnerability. #23813, @torkelo - Server: Exit Grafana with status code 0 if no error. #23312, @aknuds1 - TablePanel: Fix XSS issue in header column rename (backport). #23814, @torkelo - Variables: Fixes error when setting adhoc variable values. 
#23580, @hugohaggmark - Update to version 6.7.2: (see installed changelog for the full list of changes) - BackendSrv: Adds config to response to fix issue for external plugins that used this property . #23032, @torkelo - Dashboard: Fixed issue with saving new dashboard after changing title . #23104, @dprokop - DataLinks: make sure we use the correct datapoint when dataset contains null value.. #22981, @mckn - Plugins: Fixed issue for plugins that imported dateMath util . #23069, @mckn - Security: Fix for dashboard snapshot original dashboard link could contain XSS vulnerability in url. #23254, @torkelo - Variables: Fixes issue with too many queries being issued for nested template variables after value change. #23220, @torkelo - Plugins: Expose promiseToDigest. #23249, @torkelo - Reporting (Enterprise): Fixes issue updating a report created by someone else - Update to 6.7.1: (see installed changelog for the full list of changes) Bug Fixes - Azure: Fixed dropdowns not showing current value. #22914, @torkelo - BackendSrv: only add content-type on POST, PUT requests. #22910, @hugohaggmark - Panels: Fixed size issue with panel internal size when exiting panel edit mode. #22912, @torkelo - Reporting: fixes migrations compatibility with mysql (Enterprise) - Reporting: Reduce default concurrency limit to 4 (Enterprise) - Update to 6.7.0: (see installed changelog for the full list of changes) Bug Fixes - AngularPanels: Fixed inner height calculation for angular panels . #22796, @torkelo - BackendSrv: makes sure provided headers are correctly recognized and set. #22778, @hugohaggmark - Forms: Fix input suffix position (caret-down in Select) . #22780, @torkelo - Graphite: Fixed issue with query editor and next select metric now showing after selecting metric node . #22856, @torkelo - Rich History: UX adjustments and fixes. 
#22729, @ivanahuckova - Update to 6.7.0-beta1: Breaking changes - Slack: Removed Mention setting and instead introduce Mention Users, Mention Groups, and Mention Channel. The first two settings require user and group IDs, respectively. This change was necessary because the way of mentioning via the Slack API changed and mentions in Slack notifications no longer worked. - Alerting: Reverts the behavior of diff and percent_diff to not always be absolute. Something we introduced by mistake in 6.1.0. Alerting now support diff(), diff_abs(), percent_diff() and percent_diff_abs(). #21338 - Notice about changes in backendSrv for plugin authors In our mission to migrate away from AngularJS to React we have removed all AngularJS dependencies in the core data retrieval service backendSrv. Removing the AngularJS dependencies in backendSrv has the unfortunate side effect of AngularJS digest no longer being triggered for any request made with backendSrv. Because of this, external plugins using backendSrv directly may suffer from strange behaviour in the UI. To remedy this issue, as a plugin author you need to trigger the digest after a direct call to backendSrv. Bug Fixes API: Fix redirect issues. #22285, @papagian Alerting: Don't include image_url field with Slack message if empty. #22372, @aknuds1 Alerting: Fixed bad background color for default notifications in alert tab . #22660, @krvajal Annotations: In table panel when setting transform to annotation, they will now show up right away without a manual refresh. #22323, @krvajal Azure Monitor: Fix app insights source to allow for new __timeFrom and __timeTo. #21879, @ChadNedzlek BackendSrv: Fixes POST body for form data. #21714, @hugohaggmark CloudWatch: Credentials cache invalidation fix. #22473, @sunker CloudWatch: Expand alias variables when query yields no result. #22695, @sunker Dashboard: Fix bug with NaN in alerting. #22053, @a-melnyk Explore: Fix display of multiline logs in log panel and explore. 
#22057, @thomasdraebing Heatmap: Legend color range is incorrect when using custom min/max. #21748, @sv5d Security: Fixed XSS issue in dashboard history diff . #22680, @torkelo StatPanel: Fixes base color is being used for null values . #22646, @torkelo - Update to version 6.6.2: (see installed changelog for the full list of changes) - Update to version 6.6.1: (see installed changelog for the full list of changes) - Update to version 6.6.0: (see installed changelog for the full list of changes) - Update to version 6.5.3: (see installed changelog for the full list of changes) - Update to version 6.5.2: (see installed changelog for the full list of changes) - Update to version 6.5.1: (see installed changelog for the full list of changes) - Update to version 6.5.0 (see installed changelog for the full list of changes) - Update to version 6.4.5: * Create version 6.4.5 * CloudWatch: Fix high CPU load (#20579) - Add obs-service-go_modules to download required modules into vendor.tar.gz - Adjusted spec file to use vendor.tar.gz - Adjusted Makefile to work with new filenames - BuildRequire go1.14 - Update to version 6.4.4: * DataLinks: Fix blur issues. #19883, @aocenas * Docker: Makes it possible to parse timezones in the docker image. #20081, @xlson * LDAP: All LDAP servers should be tried even if one of them returns a connection error. #20077, @jongyllen * LDAP: No longer shows incorrectly matching groups based on role in debug page. #20018, @xlson * Singlestat: Fix no data / null value mapping . #19951, @ryantxu - Revert the spec file and make script - Remove PhantomJS dependency - Update to 6.4.3 * Bug Fixes - Alerting: All notification channels should send even if one fails to send. #19807, @jan25 - AzureMonitor: Fix slate interference with dropdowns. #19799, @aocenas - ContextMenu: make ContextMenu positioning aware of the viewport width. #19699, @krvajal - DataLinks: Fix context menu not showing in singlestat-ish visualisations. 
#19809, @dprokop - DataLinks: Fix url field not releasing focus. #19804, @aocenas - Datasource: Fixes clicking outside of some query editors required 2 clicks. #19822, @aocenas - Panels: Fixes default tab for visualizations without Queries Tab. #19803, @hugohaggmark - Singlestat: Fixed issue with mapping null to text. #19689, @torkelo - @grafana/toolkit: Don't fail plugin creation when git user.name config is not set. #19821, @dprokop - @grafana/toolkit: TSLint line number off by 1. #19782, @fredwangwang - Update to 6.4.2 * Bug Fixes - CloudWatch: Changes incorrect dimension wmlid to wlmid. #19679, @ATTron - Grafana Image Renderer: Fixes plugin page. #19664, @hugohaggmark - Graph: Fixes auto decimals logic for y axis ticks that results in too many decimals for high values. #19618, @torkelo - Graph: Switching to series mode should re-render graph. #19623, @torkelo - Loki: Fix autocomplete on label values. #19579, @aocenas - Loki: Removes live option for logs panel. #19533, @davkal - Profile: Fix issue with user profile not showing more than sessions sessions in some cases. #19578, @huynhsamha - Prometheus: Fixes so results in Panel always are sorted by query order. #19597, @hugohaggmark - ShareQuery: Fixed issue when using -- Dashboard -- datasource (to share query result) when dashboard had rows. #19610, @torkelo - Show SAML login button if SAML is enabled. #19591, @papagian - SingleStat: Fixes postfix/prefix usage. #19687, @hugohaggmark - Table: Proper handling of json data with dataframes. #19596, @marefr - Units: Fixed wrong id for Terabits/sec. #19611, @andreaslangnevyjel - Changes from 6.4.1 * Bug Fixes - Provisioning: Fixed issue where empty nested keys in YAML provisioning caused a server crash, #19547 - ImageRendering: Fixed issue with image rendering in enterprise build (Enterprise) - Reporting: Fixed issue with reporting service when SMTP was disabled (Enterprise). - Changes from 6.4.0 * Features / Enhancements - Build: Upgrade go to 1.12.10. 
#19499, @marefr - DataLinks: Suggestions menu improvements. #19396, @dprokop - Explore: Take root_url setting into account when redirecting from dashboard to explore. #19447, @ivanahuckova - Explore: Update broken link to logql docs. #19510, @ivanahuckova - Logs: Adds Logs Panel as a visualization. #19504, @davkal * Bug Fixes - CLI: Fix version selection for plugin install. #19498, @aocenas - Graph: Fixes minor issue with series override color picker and custom color . #19516, @torkelo - Changes from 6.4.0 Beta 2 * Features / Enhancements - Azure Monitor: Remove support for cross resource queries (#19115)". #19346, @sunker - Docker: Upgrade packages to resolve reported vulnerabilities. #19188, @marefr - Graphite: Time range expansion reduced from 1 minute to 1 second. #19246, @torkelo - grafana/toolkit: Add plugin creation task. #19207, @dprokop * Bug Fixes - Alerting: Prevents creating alerts from unsupported queries. #19250, @hugohaggmark - Alerting: Truncate PagerDuty summary when greater than 1024 characters. #18730, @nvllsvm - Cloudwatch: Fix autocomplete for Gamelift dimensions. #19146, @kevinpz - Dashboard: Fix export for sharing when panels use default data source. #19315, @torkelo - Database: Rewrite system statistics query to perform better. #19178, @papagian - Gauge/BarGauge: Fix issue with [object Object] in titles . #19217, @ryantxu - MSSQL: Revert usage of new connectionstring format introduced by #18384. #19203, @marefr - Multi-LDAP: Do not fail-fast on invalid credentials. #19261, @gotjosh - MySQL, Postgres, MSSQL: Fix validating query with template variables in alert . #19237, @marefr - MySQL, Postgres: Update raw sql when query builder updates. #19209, @marefr - MySQL: Limit datasource error details returned from the backend. #19373, @marefr - Changes from 6.4.0 Beta 1 * Features / Enhancements - API: Readonly datasources should not be created via the API. #19006, @papagian - Alerting: Include configured AlertRuleTags in Webhooks notifier. 
#18233, @dominic-miglar - Annotations: Add annotations support to Loki. #18949, @aocenas - Annotations: Use a single row to represent a region. #17673, @ryantxu - Auth: Allow inviting existing users when login form is disabled. #19048, @548017 - Azure Monitor: Add support for cross resource queries. #19115, @sunker - CLI: Allow installing custom binary plugins. #17551, @aocenas - Dashboard: Adds Logs Panel (alpha) as visualization option for Dashboards. #18641, @hugohaggmark - Dashboard: Reuse query results between panels. #16660, @ryantxu - Dashboard: Set time to 23:59:59 when setting To time using calendar. #18595, @simPod - DataLinks: Add DataLinks support to Gauge, BarGauge and SingleStat2 panel. #18605, @ryantxu - DataLinks: Enable access to labels & field names. #18918, @torkelo - DataLinks: Enable multiple data links per panel. #18434, @dprokop - Docker: switch docker image to alpine base with phantomjs support. #18468, @DanCech - Elasticsearch: allow templating queries to order by doc_count. #18870, @hackery - Explore: Add throttling when doing live queries. #19085, @aocenas - Explore: Adds ability to go back to dashboard, optionally with query changes. #17982, @kaydelaney - Explore: Reduce default time range to last hour. #18212, @davkal - Gauge/BarGauge: Support decimals for min/max. #18368, @ryantxu - Graph: New series override transform constant that renders a single point as a line across the whole graph. #19102, @davkal - Image rendering: Add deprecation warning when PhantomJS is used for rendering images. #18933, @papagian - InfluxDB: Enable interpolation within ad-hoc filter values. #18077, @kvc-code - LDAP: Allow a user to be synchronized against LDAP. #18976, @gotjosh - Ldap: Add ldap debug page. #18759, @peterholmberg - Loki: Remove prefetching of default label values. #18213, @davkal - Metrics: Add failed alert notifications metric. #18089, @koorgoo - OAuth: Support JMES path lookup when retrieving user email. 
#14683, @bobmshannon - OAuth: return GitLab groups as a part of user info (enable team sync). #18388, @alexanderzobnin - Panels: Add unit for electrical charge - ampere-hour. #18950, @anirudh-ramesh - Plugin: AzureMonitor - Reapply MetricNamespace support. #17282, @raphaelquati - Plugins: better warning when plugins fail to load. #18671, @ryantxu - Postgres: Add support for scram sha 256 authentication. #18397, @nonamef - RemoteCache: Support SSL with Redis. #18511, @kylebrandt - SingleStat: The gauge option in now disabled/hidden (unless it's an old panel with it already enabled) . #18610, @ryantxu - Stackdriver: Add extra alignment period options. #18909, @sunker - Units: Add South African Rand (ZAR) to currencies. #18893, @jeteon - Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar * Bug Fixes - Alerting: Notification is sent when state changes from no_data to ok. #18920, @papagian - Alerting: fix duplicate alert states when the alert fails to save to the database. #18216, @kylebrandt - Alerting: fix response popover prompt when add notification channels. #18967, @lzdw - CloudWatch: Fix alerting for queries with Id (using GetMetricData). #17899, @alex-berger - Explore: Fix auto completion on label values for Loki. #18988, @aocenas - Explore: Fixes crash using back button with a zoomed in graph. #19122, @hugohaggmark - Explore: Fixes so queries in Explore are only run if Graph/Table is shown. #19000, @hugohaggmark - MSSQL: Change connectionstring to URL format to fix using passwords with semicolon. #18384, @Russiancold - MSSQL: Fix memory leak when debug enabled. #19049, @briangann - Provisioning: Allow escaping literal '$' with '$$' in configs to avoid interpolation. #18045, @kylebrandt - TimePicker: Fixes hiding time picker dropdown in FireFox. #19154, @hugohaggmark * Breaking changes + Annotations There are some breaking changes in the annotations HTTP API for region annotations. 
Region annotations are now represented using a single event instead of two separate events. Check breaking changes in HTTP API below and HTTP API documentation for more details. + Docker Grafana is now using Alpine 3.10 as docker base image. + HTTP API - GET /api/alert-notifications now requires at least editor access. New /api/alert-notifications/lookup returns less information than /api/alert-notifications and can be accessed by any authenticated user. - GET /api/alert-notifiers now requires at least editor access - GET /api/org/users now requires org admin role. New /api/org/users/lookup returns less information than /api/org/users and can be accessed by users that are org admins, admin in any folder or admin of any team. - GET /api/annotations no longer returns regionId property. - POST /api/annotations no longer supports isRegion property. - PUT /api/annotations/:id no longer supports isRegion property. - PATCH /api/annotations/:id no longer supports isRegion property. - DELETE /api/annotations/region/:id has been removed. * Deprecation notes + PhantomJS - PhantomJS, which is used for rendering images of dashboards and panels, is deprecated and will be removed in a future Grafana release. A deprecation warning will from now on be logged when Grafana starts up if PhantomJS is in use. Please consider migrating from PhantomJS to the Grafana Image Renderer plugin. - Changes from 6.3.6 * Features / Enhancements - Metrics: Adds setting for turning off total stats metrics. #19142, @marefr * Bug Fixes - Database: Rewrite system statistics query to perform better. #19178, @papagian - Explore: Fixes error when switching from prometheus to loki data sources. #18599, @kaydelaney - Rebase package spec. Use mostly from fedora, fix suse specified things and fix some errors. - Add missing directories provisioning/datasources and provisioning/notifiers and sample.yaml as described in packaging/rpm/control from upstream. Missing directories are shown in logfiles. 
- Version 6.3.5 * Upgrades + Build: Upgrade to go 1.12.9. * Bug Fixes + Dashboard: Fixes dashboards init failed loading error for dashboards with panel links that had missing properties. + Editor: Fixes issue where only entire lines were being copied. + Explore: Fixes query field layout in splitted view for Safari browsers. + LDAP: multildap + ldap integration. + Profile/UserAdmin: Fix for user agent parser crashes grafana-server on 32-bit builds. + Prometheus: Prevents panel editor crash when switching to Prometheus datasource. + Prometheus: Changes brace-insertion behavior to be less annoying. - Version 6.3.4 * Security: CVE-2019-15043 - Parts of the HTTP API allow unauthenticated use. - Version 6.3.3 * Bug Fixes + Annotations: Fix failing annotation query when time series query is cancelled. #18532, @dprokop + Auth: Do not set SameSite cookie attribute if cookie_samesite is none. #18462, @papagian + DataLinks: Apply scoped variables to data links correctly. #18454, @dprokop + DataLinks: Respect timezone when displaying datapoint's timestamp in graph context menu. #18461, @dprokop + DataLinks: Use datapoint timestamp correctly when interpolating variables. #18459, @dprokop + Explore: Fix loading error for empty queries. #18488, @davkal + Graph: Fixes legend issue clicking on series line icon and issue with horizontal scrollbar being visible on windows. #18563, @torkelo + Graphite: Avoid glob of single-value array variables. #18420, @gotjosh + Prometheus: Fix queries with label_replace remove the $1 match when loading query editor. #18480, @hugohaggmark + Prometheus: More consistently allows for multi-line queries in editor. #18362, @kaydelaney + TimeSeries: Assume values are all numbers. #18540, @ryantxu - Version 6.3.2 * Bug Fixes + Gauge/BarGauge: Fixes issue with lost thresholds and issue loading Gauge with avg stat. 
#18375 12 - Version 6.3.1 * Bug Fixes + PanelLinks: Fix crash issue Gauge & Bar Gauge for panels with panel links (drill down links). #18430 2 - Version 6.3.0 * Features / Enhancements + OAuth: Do not set SameSite OAuth cookie if cookie_samesite is None. #18392 4, @papagian 3 + Auth Proxy: Include additional headers as part of the cache key. #18298 6, @gotjosh + Build grafana images consistently. #18224 12, @hassanfarid + Docs: SAML. #18069 11, @gotjosh + Permissions: Show plugins in nav for non admin users but hide plugin configuration. #18234 1, @aocenas + TimePicker: Increase max height of quick range dropdown. #18247 2, @torkelo 2 + Alerting: Add tags to alert rules. #10989 13, @Thib17 1 + Alerting: Attempt to send email notifications to all given email addresses. #16881 1, @zhulongcheng + Alerting: Improve alert rule testing. #16286 2, @marefr + Alerting: Support for configuring content field for Discord alert notifier. #17017 2, @jan25 + Alertmanager: Replace illegal chars with underscore in label names. #17002 5, @bergquist 1 + Auth: Allow expiration of API keys. #17678, @papagian 3 + Auth: Return device, os and browser when listing user auth tokens in HTTP API. #17504, @shavonn 1 + Auth: Support list and revoke of user auth tokens in UI. #17434 2, @shavonn 1 + AzureMonitor: change clashing built-in Grafana variables/macro names for Azure Logs. #17140, @shavonn 1 + CloudWatch: Made region visible for AWS Cloudwatch Expressions. #17243 2, @utkarshcmu + Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu + Dashboard: Use timezone dashboard setting when exporting to CSV. #18002 1, @dehrax + Data links. #17267 11, @torkelo 2 + Docker: Switch base image to ubuntu:latest from debian:stretch to avoid security issues... #17066 5, @bergquist 1 + Elasticsearch: Support for visualizing logs in Explore. #17605 7, @marefr + Explore: Adds Live option for supported datasources. #17062 1, @hugohaggmark 3 + Explore: Adds orgId to URL for sharing purposes. 
#17895 1, @kaydelaney 2 + Explore: Adds support for new loki "start" and "end" params for labels endpoint. #17512, @kaydelaney 2 + Explore: Adds support for toggling raw query mode in explore. #17870, @kaydelaney 2 + Explore: Allow switching between metrics and logs. #16959 2, @marefr + Explore: Combines the timestamp and local time columns into one. #17775, @hugohaggmark 3 + Explore: Display log lines context. #17097, @dprokop 1 + Explore: Don't parse log levels if provided by field or label. #17180 1, @marefr + Explore: Improves performance of Logs element by limiting re-rendering. #17685, @kaydelaney 2 + Explore: Support for new LogQL filtering syntax. #16674 4, @davkal + Explore: Use new TimePicker from Grafana/UI. #17793, @hugohaggmark 3 + Explore: handle newlines in LogRow Highlighter. #17425, @rrfeng 1 + Graph: Added new fill gradient option. #17528 3, @torkelo 2 + GraphPanel: Don't sort series when legend table & sort column is not visible. #17095, @shavonn 1 + InfluxDB: Support for visualizing logs in Explore. #17450 9, @hugohaggmark 3 + Logging: Login and Logout actions (#17760). #17883 1, @ATTron + Logging: Move log package to pkg/infra. #17023, @zhulongcheng + Metrics: Expose stats about roles as metrics. #17469 2, @bergquist 1 + MySQL/Postgres/MSSQL: Add parsing for day, weeks and year intervals in macros. #13086 6, @bernardd + MySQL: Add support for periodically reloading client certs. #14892, @tpetr + Plugins: replace dataFormats list with skipDataQuery flag in plugin.json. #16984, @ryantxu + Prometheus: Take timezone into account for step alignment. #17477, @fxmiii + Prometheus: Use overridden panel range for $__range instead of dashboard range. #17352, @patrick246 + Prometheus: added time range filter to series labels query. #16851 3, @FUSAKLA + Provisioning: Support folder that doesn't exist yet in dashboard provisioning. #17407 1, @Nexucis + Refresh picker: Handle empty intervals. 
#17585 1, @dehrax + Singlestat: Add y min/max config to singlestat sparklines. #17527 4, @pitr + Snapshot: use given key and deleteKey. #16876, @zhulongcheng + Templating: Correctly display __text in multi-value variable after page reload. #17840 1, @EduardSergeev + Templating: Support selecting all filtered values of a multi-value variable. #16873 2, @r66ad + Tracing: allow propagation with Zipkin headers. #17009 4, @jrockway + Users: Disable users removed from LDAP. #16820 2, @alexanderzobnin * Bug Fixes + PanelLinks: Fix render issue when there is no panel description. #18408 3, @dehrax + OAuth: Fix "missing saved state" OAuth login failure due to SameSite cookie policy. #18332 1, @papagian 3 + cli: fix for recognizing when in dev mode... #18334, @xlson + DataLinks: Fixes incorrect interpolation of ${__series_name}. #18251 1, @torkelo 2 + Loki: Display live tailed logs in correct order in Explore. #18031 3, @kaydelaney 2 + PhantomJS: Fixes rendering on Debian Buster. #18162 2, @xlson + TimePicker: Fixed style issue for custom range popover. #18244, @torkelo 2 + Timerange: Fixes a bug where custom time ranges didn't respect UTC. #18248 1, @kaydelaney 2 + remote_cache: Fix redis connstr parsing. #18204 1, @mblaschke + AddPanel: Fix issue when removing moved add panel widget. #17659 2, @dehrax + CLI: Fix encrypt-datasource-passwords fails with sql error. #18014, @marefr + Elasticsearch: Fix default max concurrent shard requests. #17770 4, @marefr + Explore: Fix browsing back to dashboard panel. #17061, @jschill + Explore: Fix filter by series level in logs graph. #17798, @marefr + Explore: Fix issues when loading and both graph/table are collapsed. #17113, @marefr + Explore: Fix selection/copy of log lines. #17121, @marefr + Fix: Wrap value of multi variable in array when coming from URL. #16992 1, @aocenas + Frontend: Fix for Json tree component not working. #17608, @srid12 + Graphite: Fix for issue with alias function being moved last. 
#17791, @torkelo 2 + Graphite: Fixes issue with seriesByTag & function with variable param. #17795, @torkelo 2 + Graphite: use POST for /metrics/find requests. #17814 2, @papagian 3 + HTTP Server: Serve Grafana with a custom URL path prefix. #17048 6, @jan25 + InfluxDB: Fixes single quotes are not escaped in label value filters. #17398 1, @Panzki + Prometheus: Correctly escape "|" literals in interpolated PromQL variables. #16932, @Limess + Prometheus: Fix when adding label for metrics which contains colons in Explore. #16760, @tolwi + SinglestatPanel: Remove background color when value turns null. #17552 1, @druggieri - Make phantomjs dependency configurable - Create plugin directory and clean up (create in %install, add to %files) handling of /var/lib/grafana/* and salt: - Require python3-distro only for TW (bsc#1173072) - Various virt backports from 3000.2 - Avoid traceback on debug logging for swarm module (bsc#1172075) - Add publish_batch to ClearFuncs exposed methods - Zypperpkg: filter patterns that start with dot (bsc#1171906) - Batch mode now also correctly provides return value (bsc#1168340) - Add docker.logout to docker execution module (bsc#1165572) - Testsuite fix - Add option to enable/disable force refresh for zypper - Python3.8 compatibility changes - Prevent spurious "salt-api" stuck processes when managing SSH minions because of logging deadlock (bsc#1159284) - Avoid segfault from "salt-api" under certain conditions of heavy load managing SSH minions (bsc#1169604) - Revert broken changes to slspath made on Salt 3000 (saltstack/salt#56341) (bsc#1170104) - Returns the list of IPs filtered by the optional network list - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595) - Do not require vendored backports-abc (bsc#1170288) - Fix partition.mkpart to work without fstype (bsc#1169800) spacecmd: - Only report real error, not result (bsc#1171687) - Use defined return values for spacecmd methods so scripts can check for failure (bsc#1171687) 
spacewalk-client-tools: - Use 'int' instead of 'long' on rhn_check for both Python 2 and 3 suseRegisterInfo: - SuseRegisterInfo only needs perl-base, not full perl (bsc#1168310) uyuni-common-libs: - Uyuni-common-libs obsoletes python3-spacewalk-usix and python3-spacewalk-backend-libs (bsc#1170684) - Reposync speedup fixes zypp-plugin-spacewalk: - Prevent issue with non-ASCII characters in Python 2 systems (bsc#1172462) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Tools 12-BETA: zypper in -t patch SUSE-SLE-Manager-Tools-12-2020-1718=1 Package List: - SUSE Manager Tools 12-BETA (aarch64 ppc64le s390x x86_64): golang-github-prometheus-prometheus-2.18.0-4.6.2 grafana-7.0.3-4.3.2 grafana-debuginfo-7.0.3-4.3.2 python2-salt-3000-49.20.1 python2-uyuni-common-libs-4.1.5-3.12.2 python3-salt-3000-49.20.1 salt-3000-49.20.1 salt-doc-3000-49.20.1 salt-minion-3000-49.20.1 - SUSE Manager Tools 12-BETA (noarch): koan-2.6.6-52.3.2 python2-spacewalk-check-4.1.5-55.15.2 python2-spacewalk-client-setup-4.1.5-55.15.2 python2-spacewalk-client-tools-4.1.5-55.15.2 python2-suseRegisterInfo-4.1.2-28.6.2 python2-zypp-plugin-spacewalk-1.0.7-33.6.1 spacecmd-4.1.4-41.9.2 spacewalk-check-4.1.5-55.15.2 spacewalk-client-setup-4.1.5-55.15.2 spacewalk-client-tools-4.1.5-55.15.2 suseRegisterInfo-4.1.2-28.6.2 zypp-plugin-spacewalk-1.0.7-33.6.1 References: https://www.suse.com/security/cve/CVE-2019-10215.html https://www.suse.com/security/cve/CVE-2019-15043.html https://www.suse.com/security/cve/CVE-2020-11651.html https://www.suse.com/security/cve/CVE-2020-11652.html https://www.suse.com/security/cve/CVE-2020-12245.html https://www.suse.com/security/cve/CVE-2020-13379.html https://bugzilla.suse.com/1134195 https://bugzilla.suse.com/1141661 https://bugzilla.suse.com/1159284 https://bugzilla.suse.com/1165572 
https://bugzilla.suse.com/1168310 https://bugzilla.suse.com/1168340 https://bugzilla.suse.com/1169604 https://bugzilla.suse.com/1169800 https://bugzilla.suse.com/1170104 https://bugzilla.suse.com/1170231 https://bugzilla.suse.com/1170288 https://bugzilla.suse.com/1170557 https://bugzilla.suse.com/1170595 https://bugzilla.suse.com/1170684 https://bugzilla.suse.com/1171687 https://bugzilla.suse.com/1171906 https://bugzilla.suse.com/1172075 https://bugzilla.suse.com/1172462 https://bugzilla.suse.com/1173072 From sle-updates at lists.suse.com Tue Jun 23 10:18:38 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 18:18:38 +0200 (CEST) Subject: SUSE-RU-2020:1726-1: moderate: Recommended update for python-M2Crypto Message-ID: <20200623161838.560EAF3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for python-M2Crypto ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1726-1 Rating: moderate References: #1172226 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Python2 15-SP1 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for python-M2Crypto fixes the following issues: - Release python3-M2crypto to LTSS channels, to allow using salt even when the Server Applications Module is not used. (bsc#1172226) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1726=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1726=1 - SUSE Linux Enterprise Module for Python2 15-SP1: zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-1726=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1726=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1726=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1726=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): python-M2Crypto-debuginfo-0.35.2-3.9.1 python-M2Crypto-debugsource-0.35.2-3.9.1 python2-M2Crypto-0.35.2-3.9.1 python2-M2Crypto-debuginfo-0.35.2-3.9.1 python3-M2Crypto-0.35.2-3.9.1 python3-M2Crypto-debuginfo-0.35.2-3.9.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): python-M2Crypto-debuginfo-0.35.2-3.9.1 python-M2Crypto-debugsource-0.35.2-3.9.1 python2-M2Crypto-0.35.2-3.9.1 python2-M2Crypto-debuginfo-0.35.2-3.9.1 python3-M2Crypto-0.35.2-3.9.1 python3-M2Crypto-debuginfo-0.35.2-3.9.1 - SUSE Linux Enterprise Module for Python2 15-SP1 (aarch64 ppc64le s390x x86_64): python-M2Crypto-debuginfo-0.35.2-3.9.1 python-M2Crypto-debugsource-0.35.2-3.9.1 python2-M2Crypto-0.35.2-3.9.1 python2-M2Crypto-debuginfo-0.35.2-3.9.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): python-M2Crypto-debuginfo-0.35.2-3.9.1 python-M2Crypto-debugsource-0.35.2-3.9.1 python3-M2Crypto-0.35.2-3.9.1 python3-M2Crypto-debuginfo-0.35.2-3.9.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): python-M2Crypto-debuginfo-0.35.2-3.9.1 python-M2Crypto-debugsource-0.35.2-3.9.1 python2-M2Crypto-0.35.2-3.9.1 python2-M2Crypto-debuginfo-0.35.2-3.9.1 
python3-M2Crypto-0.35.2-3.9.1 python3-M2Crypto-debuginfo-0.35.2-3.9.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): python-M2Crypto-debuginfo-0.35.2-3.9.1 python-M2Crypto-debugsource-0.35.2-3.9.1 python2-M2Crypto-0.35.2-3.9.1 python2-M2Crypto-debuginfo-0.35.2-3.9.1 python3-M2Crypto-0.35.2-3.9.1 python3-M2Crypto-debuginfo-0.35.2-3.9.1 References: https://bugzilla.suse.com/1172226 From sle-updates at lists.suse.com Tue Jun 23 10:19:24 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 18:19:24 +0200 (CEST) Subject: SUSE-SU-2020:14402-1: moderate: Security Beta update for SUSE Manager Client Tools Message-ID: <20200623161924.D694CF3E2@maintenance.suse.de> SUSE Security Update: Security Beta update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14402-1 Rating: moderate References: #1002529 #1003449 #1004047 #1004260 #1004723 #1008933 #1011304 #1011800 #1012398 #1012999 #1013876 #1013938 #1015882 #1017078 #1019386 #1020831 #1022562 #1022841 #1023535 #1024406 #1025896 #1027044 #1027240 #1027426 #1027722 #1030009 #1030073 #1032213 #1032452 #1032931 #1035914 #1036125 #1038855 #1039370 #1040886 #1041993 #1042749 #1043111 #1044719 #1050003 #1051948 #1052264 #1053376 #1053955 #1057635 #1059291 #1059758 #1060230 #1061407 #1062462 #1062464 #1063419 #1064520 #1065792 #1068446 #1068566 #1070372 #1071322 #1072599 #1075950 #1076578 #1079048 #1080290 #1081151 #1081592 #1083294 #1085667 #1087055 #1087278 #1087581 #1087891 #1088070 #1088888 #1089112 #1089362 #1089526 #1091371 #1092161 #1092373 #1094055 #1094190 #1095507 #1095651 #1095942 #1096514 #1097174 #1097413 #1098394 #1099323 #1099460 #1099887 #1099945 #1100142 #1100225 #1100697 #1101780 #1101812 #1101880 #1102013 #1102218 #1102265 #1102819 #1103090 #1103530 #1103696 #1104034 #1104154 #1104491 #1106164 #1107333 #1108557 #1108834 #1108969 #1108995 #1109023 
#1109893 #1110938 #1111542 #1112874 #1113698 #1113699 #1113784 #1114029 #1114197 #1114474 #1114824 #1116343 #1116837 #1117995 #1121091 #1121439 #1122663 #1122680 #1123044 #1123512 #1123865 #1124277 #1125015 #1125610 #1125744 #1127389 #1128061 #1128554 #1129079 #1129243 #1130077 #1130588 #1130784 #1131114 #1132076 #1133523 #1133647 #1134860 #1135360 #1135507 #1135567 #1135732 #1135881 #1137642 #1138454 #1139761 #1140193 #1140912 #1143301 #1146192 #1146382 #1148311 #1148714 #1150447 #1151650 #1151947 #1152366 #1153090 #1153277 #1153611 #1154620 #1154940 #1155372 #1157465 #1157479 #1158441 #1159284 #1162327 #1162504 #1163871 #1163981 #1165425 #1165572 #1167437 #1167556 #1168340 #1169604 #1169800 #1170104 #1170288 #1170595 #1171687 #1171906 #1172075 #1173072 #769106 #769108 #776615 #849184 #849204 #849205 #879904 #887879 #889605 #892707 #902494 #908849 #926318 #932288 #945380 #948245 #955373 #958350 #959572 #963322 #965403 #967803 #969320 #970669 #971372 #972311 #972490 #975093 #975303 #975306 #975733 #975757 #976148 #977264 #978150 #978833 #979448 #979676 #980313 #983017 #983512 #985112 #985661 #986019 #987798 #988506 #989193 #989798 #990029 #990439 #990440 #991048 #993039 #993549 #996455 #999852 Cross-References: CVE-2016-1866 CVE-2016-9639 CVE-2017-12791 CVE-2017-14695 CVE-2017-14696 CVE-2018-15750 CVE-2018-15751 CVE-2019-17361 CVE-2019-18897 CVE-2020-11651 CVE-2020-11652 Affected Products: SUSE Manager Ubuntu 20.04-CLIENT-TOOLS-BETA ______________________________________________________________________________ An update that solves 11 vulnerabilities and has 245 fixes is now available. 
Description: This update fixes the following issues: salt: - Require python3-distro only for TW (bsc#1173072) - Various virt backports from 3000.2 - Avoid traceback on debug logging for swarm module (bsc#1172075) - Add publish_batch to ClearFuncs exposed methods - Zypperpkg: filter patterns that start with dot (bsc#1171906) - Batch mode now also correctly provides return value (bsc#1168340) - Add docker.logout to docker execution module (bsc#1165572) - Testsuite fix - Add option to enable/disable force refresh for zypper - Python3.8 compatibility changes - Prevent spurious "salt-api" stuck processes when managing SSH minions because of logging deadlock (bsc#1159284) - Avoid segfault from "salt-api" under certain conditions of heavy load managing SSH minions (bsc#1169604) - Revert broken changes to slspath made on Salt 3000 (saltstack/salt#56341) (bsc#1170104) - Returns the list of IPs filtered by the optional network list - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595) - Do not require vendored backports-abc (bsc#1170288) - Fix partition.mkpart to work without fstype (bsc#1169800) - Do not make file.recurse state to fail when msgpack 0.5.4 (bsc#1167437) - Fixes status attribute issue in aptpkg test - Make setup.py script not to require setuptools greater than 9.1 loop: fix variable names for until_no_eval - Drop conflictive module.run state patch (bsc#1167437) - Update patches after rebase with upstream v3000 tag (bsc#1167437) - Fix some requirements issues depending on Python3 versions - Fix for low rpm_lowpkg unit test - Add python-singledispatch as dependency for python2-salt - Fix for temp folder definition in loader unit test - Make "salt.ext.tornado.gen" to use "salt.ext.backports_abc" on Python 2 - Fix regression in service states with reload argument - Fix integration test failure for test_mod_del_repo_multiline_values - Fix for unless requisite when pip is not installed - Fix errors from unit tests due NO_MOCK and NO_MOCK_REASON deprecation - Fix 
tornado imports and missing _utils after rebasing patches - Removes unresolved merge conflict in yumpkg module - Enable building and installation for Fedora - Sanitize grains loaded from roster_grains.json cache during "state.pkg" - Backport saltutil state module to 2019.2 codebase (bsc#1167556) - Add new custom SUSE capability for saltutil state module - virt._get_domain: don't raise an exception if there is no VM - Adds test for zypper abbreviation fix - Improved storage pool or network handling - Better import cache handling - Requiring python3-distro only for openSUSE/SLE >= 15 - Use full option name instead of undocumented abbreviation for zypper - python-distro is only needed for > Python 3.7. Removing it for Python 2 - Avoid possible user escalation upgrading salt-master (bsc#1157465) (CVE-2019-18897) - Batch Async: Handle exceptions, properly unregister and close instances after running async batching to avoid CPU starvation of the MWorkers (bsc#1162327) - RHEL/CentOS 8 uses platform-python instead of python3 - Enable build for Python 3.8 - Fix 'os_family' grain for Astra Linux Common Edition - Update to Salt version 2019.2.3 (CVE-2019-17361) (bsc#1163981) (bsc#1162504) - Enable passing grains to start event based on 'start_event_grains' configuration parameter - Support for Btrfs and XFS in parted and mkfs added - Adds list_downloaded for apt Module to enable pre-downloading support Adds virt.(pool|network)_get_xml functions Various libvirt updates * Add virt.pool_capabilities function * virt.pool_running improvements * Add virt.pool_deleted state * virt.network_define allow adding IP configuration - virt: adding kernel boot parameters to libvirt xml - Fix virt states to not fail on VMs already stopped - xfs: do not fail if type is not present (bsc#1153611) - Fix errors when running virt.get_hypervisor function - Align virt.full_info fixes with upstream Salt - Let salt-ssh use platform-python on RHEL8 (bsc#1158441) - Fix StreamClosedError issue 
(bsc#1157479) - Limiting M2Crypto to >= SLE15 - Replacing pycrypto with M2Crypto (bsc#1165425) - Fix for log checking in x509 test - Prevent test_mod_del_repo_multiline_values to fail - Remove virt.pool_delete fast parameter (U#54474) - Remove unnecessary yield causing BadYieldError (bsc#1154620) - Prevent 'Already reading' continuous exception message (bsc#1137642) - Fix for aptpkg test with older mock modules - Remove wrong tests for core grain and improve debug logging - Use rich RPM deps to get a compatible version of tornado into the buildroot. - core.py: ignore wrong product_name files zypperpkg: understand product type - Enable usage of downloadonly parameter for apt module - Add missing 'fun' on events coming from salt-ssh wfunc executions (bsc#1151947) - Fix memory consumption problem on BatchAsync (bsc#1137642) - Fix dependencies for RHEL 8 - Prevent systemd-run description issue when running aptpkg (bsc#1152366) - Take checksums arg into account for postgres.datadir_init (bsc#1151650) - Improve batch_async to release consumed memory (bsc#1140912) - Require shadow instead of old pwdutils (bsc#1130588) - Conflict with tornado >= 5; for now we can only cope with Tornado 4.x (bsc#1101780). 
- Fix virt.full_info (bsc#1146382) - virt.volume_infos: silence libvirt error message - virt.volume_infos needs to ignore inactive pools - Fix for various bugs in virt network and pool states - Implement network.fqdns module function (bsc#1134860) - Strip trailing "/" from repo.uri when comparing repos in apktpkg.mod_repo (bsc#1146192) - Make python3 default for RHEL8 - Use python3 to build package Salt for RHEL8 - Fix aptpkg systemd call (bsc#1143301) - Move server_id deprecation warning to reduce log spamming (bsc#1135567) (bsc#1135732) - Fix memory leak produced by batch async find_jobs mechanism (bsc#1140912) - Files in salt-formulas folder can now be read and executed by others (bsc#1150447) - Restore default behaviour of pkg list return (bsc#1148714) - Multiple fixes on cmdmod, chroot, freezer and zypperpkg needed for Yomi cmdmod: fix runas and group in run_chroot chroot: add missing sys directory chroot: change variable name to root chroot: fix bug in safe_kwargs iteration freezer: do not fail in cache dir is present freezer: clean freeze YAML profile on restore zypperpkg: fix pkg.list_pkgs cache - Avoid traceback on http.query when there are errors with the requested URL (bsc#1128554) - Salt python client get_full_returns seems return data from incorrect jid (bsc#1131114) - virt.volume_infos: don't raise an error if there is no VM - Prevent ansiblegate unit tests to fail on Ubuntu - Allow passing kwargs to pkg.list_downloaded for Zypper (bsc#1140193) - Do not make "ansiblegate" module to crash on Python3 minions (bsc#1139761) - Provide the missing features required for Yomi (Yet one more installer) - Fix zypper pkg.list_pkgs test expectation and dpkg mocking - Set 'salt' group for files and directories created by salt-standalone-formulas-configuration package - Fix virt.volume_infos raising an exception when there is only virtual machine on the minion. - Fix virt.purge() on all non-KVM hypervisors. 
For instance on Xen, virt.purge would simply throw an exception about unsupported flag - Building a libvirt pool starts it. When defining a new pool, we need to let build start it or we will get libvirt errors. - Fix handling of Virtual Machines with white space in their name. - avoid batch.py exception when minion does not respond (bsc#1135507) - Preserve already defined DESTRUCTIVE_TESTS and EXPENSIVE_TESTS env variables - Do not break repo files with multiple line values on yumpkg (bsc#1135360) - Fix return status when installing or updating RPM packages with "ppc64le" arch (bsc#1133647) - Add new "salt-standalone-formulas-configuration" package - Switch firewalld state to use change_interface (bsc#1132076) - Fix async-batch to fire a single done event - Do not make Salt CLI to crash when there are IPv6 established connections (bsc#1130784) - Include aliases in FQDNS grain (bsc#1121439) - Fix issue preventing syndic to start - Update to 2019.2.0 release (FATE#327138, bsc#1133523) - Use ThreadPool from multiprocessing.pool to avoid leakings when calculating FQDNs - Do not report patches as installed on RHEL systems when not all the related packages are installed (bsc#1128061) - Incorporate virt.volume_info fixes (PR#131) - Fix for -t parameter in mount module - No longer limiting Python3 version to <3.7 - Add virt.volume_infos and virt.volume_delete functions - Bugfix: properly refresh pillars (bsc#1125015) - Removes version from python3 requirement completely - Adds missing version update to %setup - Add virt.all_capabilities to return all host and domain capabilities at once - Switch to better correct version nomenclature Background: The special character tilde (~) will be available for use in version representing a negative version token. 
- Fix setup to use the right version tag - Add "id_" and "force" to the whitelist of API check - Add metadata to accepted keyword arguments (bsc#1122680) - Add salt-support script to package - Early feature: Salt support-config (salt-support) - Use Adler32 algorithm to compute string checksums (bsc#1102819) - Calculate the "FQDNs" grains in parallel to avoid long blocking (bsc#1129079) - Fix batch/batch-async related issues - Fixes typo in dependency: e2fsprogs - Adds missing dependencies to salt-common: python-concurrent.futures - Fix regression in dynamic pillarenv (bsc#1124277) - add parallel support for orchestrations (bsc#1116343) - Implement asynchronous batching - Let dpkg.info expose package status - Make aptpkg.info return only installed packages - Strip trailing / from repo URI when comparing repos in apktpkg.mod_repo - Include aliases in FQDNS grain - Prevents error when there's no job entry in filesystem cache due to race condition in minion onboarding (bsc#1122663) - Don't call zypper with more than one --no-refresh parameter (bsc#1123865) - Remove zypper-add-root-configuration-parameter patch (bsc#1123512) - Remove MSI Azure cloud module authentication patch (bsc#1123044) - Don't encode response string from role API - Add root parameter to Zypper module - Fix integration tests in state compiler (U#2068) - Fix "pkg.list_pkgs" output when using "attr" to take the arch into account (bsc#1114029) - Fix powerpc null server_id_arch (bsc#1117995) - Fix module 'azure.storage' has no attribute '__version__' (bsc#1121091) - Add supportconfig module and states for minions and SaltSSH - Fix FIPS enabled RES clients (bsc#1099887) - Add hold/unhold functions. Fix Debian repo "signed-by". 
- Strip architecture from debian package names - Fix latin1 encoding problems on file module (bsc#1116837) - Don't error on retcode 0 in libcrypto.OPENSSL_init_crypto - Handle anycast IPv6 addresses on network.routes (bsc#1114474) - Debian info_installed compatibility (U#50453) - Add compatibility with other package modules for "list_repos" function - Crontab module fix: file attributes option missing (bsc#1114824) - Fix git_pillar merging across multiple __env__ repositories (bsc#1112874) - Bugfix: unable to detect os arch when RPM is not installed (bsc#1114197) - Fix LDAP authentication issue when a valid token is generated by the salt-api even when invalid user credentials are passed. (U#48901) - Improved handling of LDAP group id. gid is no longer treated as a string, which could have led to faulty group creations. (bsc#1113784) - Fix remote command execution and incorrect access control when using salt-api. (bsc#1113699, CVE-2018-15751) - Fix Directory traversal vulnerability when using salt-api. (bsc#1113698, CVE-2018-15750) Allows an attacker to determine what files exist on a server when querying /run or /events. 
- Add multi-file support and globbing to the filetree (U#50018) - Bugfix: supportconfig non-root permission issues (U#50095) - Open profiles permissions to everyone for read-only - Preserving signature in "module.run" state (U#50049) - Install default salt-support profiles - Add CPE_NAME for osversion* grain parsing - Get os_family for RPM distros from the RPM macros - Install support profiles - Fix async call to process manager (bsc#1110938) - Salt-based supportconfig implementation (technology preview) - Bugfix: any unicode string of length 16 will raise TypeError - Fix IPv6 scope (bsc#1108557) - Handle zypper ZYPPER_EXIT_NO_REPOS exit code (bsc#1108834, bsc#1109893) - Bugfix for pkg_resources crash (bsc#1104491) - Fix loosen azure sdk dependencies in azurearm cloud driver (bsc#1107333) - Fix broken "resolve_capabilities" on Python 3 (bsc#1108995) - Allow empty service_account_private_key in GCE driver (bsc#1108969) - Properly handle colons in inline dicts with yamlloader (bsc#1095651) - Fix wrong recurse behavior on for linux_acl.present (bsc#1106164) - Add additional x509 fixes - Fix for StringIO import in Python2 - Integration of MSI authentication for azurearm - Fix for Compound list targeting with "not" - Fixes 509x remote signing - Adds fix for SUSE Expanded Support os grain detection - Prepend current directory when path is just filename (bsc#1095942) - Only do reverse DNS lookup on IPs for salt-ssh (bsc#1104154) - Add support for Python 3.7 and Tornado 5.0 - Decode file contents for python2 (bsc#1102013, bsc#1103530) - Fix mine.get not returning data - workaround for #48020 (bsc#1100142) - Check dmidecoder executable on each "smbios" call to avoid race condition (bsc#1101880) - Add API log rotation on SUSE package (bsc#1102218) - Add missing dateutils import (bsc#1099945) - Backport the new libvirt_events engine from upstream - Fix file.blockreplace to avoid throwing IndexError (bsc#1101812) - Fix pkg.upgrade reports when dealing with multiversion 
packages (bsc#1102265) - Fix UnicodeDecodeError using is_binary check (bsc#1100225) - Fix corrupt public key with m2crypto python3 (bsc#1099323) - Prevent payload crash on decoding binary data (bsc#1100697) - Accounting for when files in an archive contain non-ascii characters (bsc#1099460) - Handle packages with multiple version properly with zypper (bsc#1096514) - Fix file.get_diff regression on 2018.3 (bsc#1098394) - Provide python version mismatch solutions (bsc#1072599) - Add custom SUSE capabilities as Grains (bsc#1089526) - Fix file.managed binary file utf8 error (bsc#1098394) - Add environment variable to know if yum is invoked from Salt (bsc#1057635) - Prevent deprecation warning with salt-ssh (bsc#1095507) - Fix for sorting of multi-version packages (bsc#1097174 and bsc#1097413) - Align SUSE salt-master.service 'LimitNOFILES' limit with upstream Salt - Add 'other' attribute to GECOS fields to avoid inconsistencies with chfn - Prevent zypper from parsing repo configuration from not .repo files (bsc#1094055) - Collect all versions of installed packages on SUSE and RHEL systems (bsc#1089526) - Documentation refresh to 2018.3.0 - No more AWS EC2 rate limitations in salt-cloud (bsc#1088888) - MySQL returner now also allows to use Unix sockets (bsc#1091371) - Do not override jid on returners, only sending back to master (bsc#1092373) - Fixes for salt-ssh: - Option --extra-filerefs doesn't add all files to the state archive - Pillar completely overwritten (not merged) when doing module.run + state.apply with pillar in kwargs - remove minion/thin/version if exists to force thin regeneration (bsc#1092161) - Fixed Python 3 issue with CIDR addresses. - Fix minion scheduler to return a 'retcode' attribute (bsc#1089112) - Fix for logging during network interface querying (bsc#1087581) - Fix rhel packages requires both net-tools and iproute (bsc#1087055) - Fix patchinstall on yum module. 
Bad comparison (bsc#1087278)
- Strip trailing commas on Linux user's GECOS fields (bsc#1089362)
- Fallback to PyMySQL (bsc#1087891)
- Improved test for fqdns
- Update SaltSSH patch (use code checksum instead version on thin update)
- Fix for [Errno 0] Resolver Error 0 (no error) (bsc#1087581)
- Add python-2.6 support to salt-ssh
- Add iproute/net-tools dependency
- salt-ssh: require same major version while minor is allowed to be
- Add SaltSSH multi-version support across Python interpreters.
- Fix zypper.info_installed 'ascii' issue
- Update openscap push patch to include the test fixes
- Explore 'module.run' state module output in depth to catch "result" properly
- make it possible to use docker login, pull and push from module.run and detect errors
- Fix logging with FQDNs
- force re-generate a new thin.tgz when an update gets installed
- Fix unicode decode error with salt-ssh
- Fix cp.push empty file (bsc#1075950)
- salt-ssh - move log_file option to changeable defaults
- Fix grains containing trailing "\n"
- Remove salt-minion python2 requirement when python3 is default (bsc#1081592)
- Remove-obsolete-unicode-handling-in-pkg.info_installed
- Restoring-installation-of-packages-for-Rhel-6-7
- Prevent queryformat pattern from expanding (bsc#1079048)
- Fix epoch handling for Rhel 6 and 7 (bsc#1068566)
- Reverting to current API for split_input
- Fix for wrong version processing during yum pkg install (bsc#1068566)
- Feat: add grain for all FQDNs (bsc#1063419)
- Fix RES7: different dependency names for python-PyYAML and python-MarkupSafe
- Build both python2 and python3 binaries together.
- Bugfix: errors in external pillar causes crash instead of report of them (bsc#1068446)
- Fix 'user.present' when 'gid_from_name' is set but group does not exist.
- Fix "No service execution module loaded" issue (bsc#1065792)
- Set SHELL environment variable
- Removed unnecessary logging on shutdown (bsc#1050003)
- Renamed patch that adds grain fqdns
- Add fqdns to grains (bsc#1063419)
- Fixing cherrypy websocket with python3
- Python3 bugfix for cherrypy read()
- Fix for logging on salt-master exit in rare cases (pid-file removal)
- Fix salt-master for old psutil version
- Fix for delete_deployment in Kubernetes module (bsc#1059291)
- Older logrotate need su directive (bsc#1071322)
- Fix bsc#1041993 already included in 2017.7.2
- Fixed beacons failure when pillar-based suppressing config-based. (bsc#1060230)
- Escape the usage of %{VERSION} when calling out to rpm. RPM 4.14 has %{VERSION} defined as 'the main packages version'.
- Fix wrong version reported by Salt (bsc#1061407)
- Fix CVE-2017-14696 (bsc#1062464) already included in 2017.7.2
- Run salt master as dedicated salt user
- Run salt-api as user salt (bsc#1064520)
- Re-added previously removed unit-test for bsc#1050003
- Fixes for CVE-2017-14695 and CVE-2017-14696 (bsc#1062462)
- Add missing follow-up for CVE-2017-12791 (bsc#1053955)
- Fixed salt target-type field returns "String" for existing jids but an empty "Array" for non existing jids.
(issue#1711)
- Fixed minion resource exhaustion when many functions are being executed in parallel (bsc#1059758)
- Remove 'TasksTask' attribute from salt-master.service in older versions of systemd (bsc#985112)
- Fix for delete_deployment in Kubernetes module (bsc#1059291)
- Catching error when PIDfile cannot be deleted (bsc#1050003)
- Use $HOME to get the user home directory instead using '~' char (bsc#1042749)
- Fixed patches for Kubernetes and YUM modules
- Add support for SUSE Manager scalability features (bsc#1052264)
- Introducing the kubernetes module (bsc#1051948)
- Revert "We don't have python-systemd, so notify can't work"
- Notify systemd synchronously via NOTIFY_SOCKET (bsc#1053376)
- Add clean_id function to salt.utils.verify.py (CVE-2017-12791, bsc#1053955)
- Added bugfix when jobs scheduled to run at a future time stay pending for Salt minions (bsc#1036125)
- Adding procps as dependency. This provides "ps" and "pgrep" utils which are called from different Salt modules and also from new salt-minion watchdog.
- Adding a salt-minion watchdog for RHEL6 and SLES11 systems (sysV) to restart salt-minion in case of crashes during upgrade.
- fix format error (bsc#1043111)
- fix ownership for whole master cache directory (bsc#1035914)
- Bugfix: clean up `change` attribute from interface dict (upstream)
- Disable 3rd party runtime packages to be explicitly recommended.
(bsc#1040886)
- Bugfix: orchestrate and batches returns false failed information
- speed-up cherrypy by removing sleep call
- wrong os_family grains on SUSE
- fix unittests (bsc#1038855)
- fix setting the language on SUSE systems (bsc#1038855)
- Documentation refresh to 2016.11.4
  See https://docs.saltstack.com/en/develop/topics/releases/2016.11.4.html
  See https://docs.saltstack.com/en/develop/topics/releases/2016.11.3.html
  See https://docs.saltstack.com/en/develop/topics/releases/2016.11.2.html
  See https://docs.saltstack.com/en/develop/topics/releases/2016.11.1.html for full changelog
- Use SUSE specific salt-api.service (bsc#1039370)
- Bugfix: wrong os_family grains on SUSE (bsc#1038855)
- Bugfix: unable to use hostname for minion ID as '127' (upstream)
- Fix core grains constants for timezone (bsc#1032931)
- Add unit test for a skip false values from preferred IPs upstream patch
- Adding "yum-plugin-security" as required for RHEL 6
- Minor fixes on new pkg.list_downloaded
- Listing all type of advisory patches for Yum module
- Prevents zero length error on Python 2.6
- Fixes zypper test error after backporting
- raet protocol is no longer supported (bsc#1020831)
- Fix: move SSH data to the new home (bsc#1027722)
- Fix: /var/log/salt/minion fails logrotate (bsc#1030009)
- Fix: Result of master_tops extension is mutually overwritten (bsc#1030073)
- Allows to set 'timeout' and 'gather_job_timeout' via kwargs
- Allows to set custom timeouts for 'manage.up' and 'manage.status'
- Use salt's ordereddict for comparison (fixes failing tests)
- add special salt-minion.service file for RES7
- fix scripts for salt-proxy
- define with systemd for fedora and rhel >= 7 (bsc#1027240)
- add openscap module
- file.get_managed regression fix (upstream issues #39762)
- fix translate variable arguments if they contain hidden keywords (bsc#1025896)
- fix service handling for openSUSE
- added unit test for dockerng.sls_build dryrun
- added dryrun to dockerng.sls_build
- update dockerng
minimal version requirements
- fix format error in error parsing
- keep fix for migrating salt home directory (bsc#1022562)
- Fix salt pkg.latest raises exception if package is not available (bsc#1012999)
- Fix timezone: should be always in UTC (bsc#1017078)
- Fix timezone handling for rpm installtime (bsc#1017078)
- Increasing timeouts for running integrations tests
- Add buildargs option to dockerng.build module
- Disable custom rosters for Salt SSH via Salt API (bsc#1011800)
- Fix error when missing ssh-option parameter
- readd yum notify plugin
- all kwargs to dockerng.create to provide all features to sls_build as well
- Bugfix: datetime should be returned always in UTC
- Bugfix: scheduled state may cause crash while deserialising data on infinite recursion. (bsc#1036125)
- Enable yum to handle errata on RHEL 6: require yum-plugin-security
- Minor fixes on new pkg.list_downloaded
- Listing all type of advisory patches for Yum module
- Prevents zero length error on Python 2.6
- Fixes zypper test error after backporting
- Refactoring on Zypper and Yum execution and state modules to allow installation of patches/errata.
- Fix log rotation permission issue (bsc#1030009)
- Use pkg/suse/salt-api.service by this package
- Set SHELL env variable for the salt-api.service needed for salt-ssh ProxyCommand to work properly.
- Fixes 'timeout' and 'gather_job_timeout' kwargs parameters for 'local_batch' client
- Add missing bootstrap script for Salt Cloud (bsc#1032452)
- Fix: add missing /var/cache/salt/cloud directory (bsc#1032213)
- Added test case for race conditions on cache directory creation
- Adding "pkg.install downloadonly=True" support to yum/dnf execution module
- Makes sure "gather_job_timeout" is an Integer
- Adding "pkg.downloaded" state and support for installing patches/erratas
- Fix: merge master_tops output
- Fix: race condition on cache directory creation
- Cleanup salt user environment preparation (bsc#1027722)
- Don't send passwords after shim delimiter is found (bsc#1019386)
- Allows to set 'timeout' and 'gather_job_timeout' via kwargs
- Allows to set custom timeouts for 'manage.up' and 'manage.status'
- define with system for fedora and rhel 7 (bsc#1027240)
- Fix service state returning stacktrace (bsc#1027044)
- Prevents 'OSError' exception in case certain job cache path doesn't exist (bsc#1023535)
- Backport: Fix issue with cp.push (#36136)
- Fix salt-minion update on RHEL (bsc#1022841)
- Adding new functions to Snapper execution module.
- Fix invalid chars allowed for data IDs (bsc#1011304)
- Fix timezone: should be always in UTC (bsc#1017078)
- Fixes wrong "enabled" opts for yumnotify plugin
- ssh-option parameter for salt-ssh command.
- minion should pre-require salt
- do not restart salt-minion in the salt package
- add try-restart to sys-v init scripts
- Adding "Restart=on-failure" for salt-minion systemd service
- Re-introducing "KillMode=process" for salt-minion systemd service
- Successful exit of salt-api child processes when SIGTERM is received
- Fix possible information leak due to revoked keys still being used. (bsc#1012398, CVE-2016-9639)
- Split non-Linux and other external platform modules to 'salt-other' sub-package.
- Switch package group from System/Monitoring to System/Management
- fix exit codes of sysv init script (bsc#999852)
- Including resolution parameters in the Zypper debug-solver call during a dry-run dist-upgrade.
- Fix Salt API crash via salt-ssh on empty roster (bsc#1004723)
- Adding 'dist-upgrade' support to zypper module (FATE#320559)
- Copy .travis.yml from git commit ea63e793567ba777e47dc766a4f88edfb037a02f
- Change travis configuration file to use salt-toaster
- acl.delfacl: fix position of -X option to setfacl (bsc#1004260)
- fix generated shebang in scripts on SLES-ES 7 (bsc#1004047)
- Setting up OS grains for SLES-ES (SLES Expanded Support platform)
- Move salt home directory to /var/lib/salt (bsc#1002529)
- Adjust permissions on home directory
- Adjust pre-install script to correctly move existing salt users' home directory salt user cannot write in his own home directory (/srv/salt) because it is owned by user `root`. This prevents salt from correctly saving ssh known hosts in ~/.ssh/ and breaks salt-ssh bootstrapping.
- Generate Salt Thin with configured extra modules (bsc#990439)
- Unit and integration tests fixes for 2015.8.7
- Prevent pkg.install failure for expired keys (bsc#996455)
- Required D-Bus and generating machine ID
- add a macro to check if the docs should be built or the static tarball should be used
- Helper script for updating documentation tarball.
- Fix python-jinja2 requirements in rhel
- Fix pkg.installed refresh repo failure (bsc#993549) Fix salt.states.pkgrepo.management no change failure (bsc#990440)
- Prevent snapper module crash on load if no DBus is available in the system (bsc#993039)
- Prevent continuous restart, if a dependency wasn't installed (bsc#991048)
- Fix beacon list to include all beacons being processed
- Run salt-api as user salt like the master (bsc#990029)
- Revert patch Minion ID generation (bsc#967803)
- Fix broken inspector due to accidentally missed commit (bsc#989798)
- Set always build salt-doc package.
- Bugfix: lvm.vg_present does not recognize PV with certain LVM filter settings (bsc#988506)
- Backport: Snapper module for Salt.
- Bugfix: pkg.list_products on "registerrelease" and "productline" returns boolean.False if empty (bsc#989193, bsc#986019)
- Rewrite Minion ID generation (bsc#967803)
- Bugfix: Fixed behavior for SUSE OS grains (bsc#970669)
- Bugfix: Salt os_family does not detect SLES for SAP (bsc#983017)
- Move log message from INFO to DEBUG (bsc#985661)
- Fix salt --summary to count not responding minions correctly (bsc#972311)
- Fix memory leak on custom execution module scheduled jobs (bsc#983512)
- fix groupadd module for sles11 systems (bsc#978150)
- Fix pkgrepo.managed gpgkey argument doesn't work (bsc#979448)
- Package checksum validation for zypper pkg.download
- Check if a job has executed and returned successfully
- Remove option -f from startproc (bsc#975733)
- Changed Zypper's plugin. Added Unit test and related to that data (bsc#980313)
- Zypper plugin: alter the generated event name on package set change.
- Fix file ownership on master keys and cache directories during upgrade (handles upgrading from salt 2014, where the daemon ran as root, to 2015 where it runs as the salt user, bsc#979676).
- salt-proxy .service file created (bsc#975306)
- Prevent salt-proxy test.ping crash (bsc#975303)
- Fix shared directories ownership issues.
- Add Zypper plugin to generate an event, once Zypper is used outside the Salt infrastructure demand (bsc#971372).
- Restore boolean values from the repo configuration and fix priority attribute (bsc#978833)
- Unblock-Zypper. (bsc#976148)
- Modify-environment. (bsc#971372)
- Prevent crash if pygit2 package is requesting re-compilation.
- align OS grains from older SLES with current one (bsc#975757)
- Bugfix: salt-key crashes if tries to generate keys to the directory w/o write access (bsc#969320)
- Check if EOL is available in a particular product (bsc#975093)
- fix building with docs on SLE11
- Prevent metadata download when getting installed products
- Add statically built docs.
- fix sorting by latest package
- ensure pkg.info_installed report latest package version (bsc#972490)
- Use SHA256 by default in master, minion and proxy (bsc#955373)
- Fix state structure compilation
- Fix git_pillar race condition
- fix detection of base products in SLE11
- fix rpm info for SLE11
- fix init system detection for SLE11
- Make checksum configurable (upstream still wants md5, we suggest sha256). (bsc#955373)
- Fix the service state / module on SLE11.
- Prevent rebuilds in OBS by not generating a date as a comment in a source file
- Add better checking for zypper exit codes and simplify evaluation of the zypper error messages.
- Adapt unit tests
- Add initial pack of Zypper's Unit tests. Use XML output in list_upgrades. Bugfix: upgrade_available crashes when only one package specified Purge is not using "-u" anymore
- fix argument handling of pkg.download
- unify behavior of zypper refresh in salt
- Fix crash with scheduler and runners
- Call zypper always with --non-interactive
- require rpm-python on SUSE for zypper support
- fix state return code
- add handling of OEM products to pkg.list_products
- improve doc for list_pkgs
- implement pkg.version_cmp in zypper.py
- Booleans should not be strings from XML, add Unix ticks time and format result in a list of maps.
- Stop salt-api daemon faster (bsc#963322)
- Do not crash on salt-key reject/delete consecutive calls.
- Improper handling of clear messages on the minion remote code execution (bsc#965403, CVE-2016-1866)
- Fix latest version available comparison and implement epoch support in Zypper module.
- Fix dependencies to Salt subpackages requiring release along the version.
- Fix pkg.latest crash.
- Fix pkg.latest SLS ID bug, when pkgs empty list is passed, but SLS ID still treated as a package name.
- Fix zypper module info_available on SLE-11
- zypper/pkg: add package attributes filtering
- Remove require on glibc-locale (bsc#959572)
- Add missing return data to scheduled jobs
- Update zypper-utf-8 patch for Python 2.6
- Report epoch and architecture of installed packages
- pkg.info_installed exceeds the maximum event size, reduce the information to what's actually needed
- Filter out bad UTF-8 strings in package data (bsc#958350)
- reimplements pkg.list_products that potentially may be broken in a future releases of SLES.
- fixes a regression introduced in 2015.8.2
- it shouldn't be >= 1110 but just > 1110
- require pmtools on sle11 to get dmidecode
- First step to make the syndic also run as salt user.
- Updated to bugfix release 2015.8.2
- os_grain patch fix the "os" grain on SLES11SP4
- zypper_pkgrepo fix the priority and humanname pkgrepo args for the zypper backend
- Add support for ``spm.d/*.conf`` configuration of SPM (:issue:`27010`)
- Fix ``proxy`` grains breakage for non-proxy minions (:issue:`27039`)
- Fix global key management for git state
- Fix passing http auth to ``util.http`` from ``state.file`` (:issue:`21917`)
- Fix ``multiprocessing: True`` in windows (on by default)
- Add ``pkg.info`` to pkg modules
- Fix name of ``serial`` grain (this was accidentally renamed in 2015.8.0)
- Merge config values from ``master.d``/``minion.d`` conf files (rather than flat update)
- Clean grains cache on grains sync (:issue:`19853`)
- Remove streamed response for fileclient to avoid HTTP redirection problems (:issue:`27093`)
- Fixed incorrect warning about ``osrelease`` grain (:issue:`27065`)
- Fix authentication via Salt-API with tokens (:issue:`27270`)
- Fix winrepo downloads from https locations (:issue:`27081`)
- Fix potential error with salt-call as
non-root user (:issue:`26889`)
- Fix global minion provider overrides (:issue:`27209`)
- Fix backward compatibility issues for pecl modules
- Fix Windows uninstaller to only remove ``./bin``, ``salt*``, ``nssm.exe``, ``uninst.exe`` (:issue:`27383`)
- Fix misc issues with mongo returner.
- Add sudo option to cloud config files (:issue:`27398`)
- Fix regression in RunnerClient argument handling (:issue:`25107`)
- Fix ``dockerng.running`` replacing creation hostconfig with runtime hostconfig (:issue:`27265`)
- Fix dockerng.running replacing creation hostconfig with runtime hostconfig (:issue:`27265`)
- Increased performance on boto asg/elb states due to ``__states__`` integration
- Windows minion no longer requires powershell to restart (:issue:`26629`)
- Fix x509 module to support recent versions of OpenSSL (:issue:`27326`)
- Some issues with proxy minions were corrected.
- guard raet buildrequires with bcond_with raet and comment out the recommends for salt-raet.
- remove pygit2 global recommends, it is only needed in the master
- remove git-core, pygit2 should pull it as a dependency
- Returns detailed information about a package
- ifdef Recommends to build on RHEL based distros
- use _initddir instead of _sysconfdir/init.d as it works on both platforms.
- allow to disable docs in preparation for building on other platforms without all dependencies.
- merge (build)requires/recommends with requirements/*txt and setup.py
- add raet subpackage which will pull all requires for it and provides config snippets to enable it for the minion and master.
- add tmpfiles.d file
- Remove requires on python-ioflo and python-libnacl they will be pulled by python-raet, which is optional.
- python-raet is optional, so make it a Recommends
- update use-forking-daemon: the original intention was to get rid of the python systemd dependency. for this we do not have to daemonize the whole process. just switching to simple mode is enough.
- reenable completions on distros newer than sle11
- do not use _datarootdir, use _datadir instead.
- package all directories in /var/cache/salt and /etc/salt and have permissions set for non root salt master
- never require pygit2 and git. the master can run fine without. always use recommends
- cleanup dependencies:
- remove a lot of unneeded buildrequires
- fdupes not present on SLE10
- python-certifi needed on SLE11
- python-zypp not needed any more
- python-pygit2 is not a global requirement
- convert python-pysqlite to recommends as it is not available on python <=2.7
- sles_version -> suse_version
- Remove python-PyYAML from the dependencies list, as python-yaml is the same
- Build the -completion subpackages in SLE11 as well
- Add salt-proxy
- Create salt user/group only in the -master subpkg
- Fix typo in use-forking-daemon, that prevented daemon loading
- Cleanup requirements
- Updated the files ownership with salt user
- removed m2crypto dependency
- Removed fish dependency for fish completions.
- Added fish completions.
- Support SLE11SP{3,4}, where the M2Crypto package is named python-m2crypto
- Add prereq, for user creation.
- Add creation of salt user in preparation of running the salt-master daemon as non-root user salt.
- Add README.SUSE with explanation and how to.
- only require git-core to not pull in git-web and gitk
- Removed python-pssh dependency not needed anymore.
- The 2015.5.0 feature release of Salt is focused on hardening Salt and mostly on improving existing systems. A few major additions are present, primarily the new Beacon system. Most enhancements have been focused around improving existing features and interfaces. As usual the release notes are not exhaustive and primarily include the most notable additions and improvements. Hundreds of bugs have been fixed and many modules have been substantially updated and added. See especially the warning right on the top regarding python_shell=False.
For all details see http://docs.saltstack.com/en/latest/topics/releases/2015.5.0.html
- Moved the dependencies to main salt package except where they are specific for the package
- Changed python-request dependency, only needed on salt-cloud
- Added python-tornado dependency for http.py
- Fixed zsh_completion in tarball.
- Fixed salt-api requirements to require python-cherrypy
- Fixed salt-cloud requirements to require salt-master
- Fixed a key error bug in salt-cloud
- Updated man pages to better match documentation
- Fixed bug concerning high CPU usage with salt-ssh
- Fixed bugs with remounting cvfs and fuse filesystems
- Fixed bug with allowing requisite tracking of entire sls files
- Fixed bug with aptpkg.mod_repo returning OK even if apt-add-repository fails
- Increased frequency of ssh terminal output checking
- Fixed malformed locale string in localmod module
- Fixed checking of available version of package when accept_keywords were changed
- Fixed bug to make git.latest work with empty repositories
- Added **kwargs to service.mod_watch which removes warnings about enable and __reqs__ not being supported by the function
- Improved state comments to not grow so quickly on failed requisites
- Added force argument to service to trigger force_reload
- Fixed bug to handle pkgrepo keyids that have been converted to int
- Fixed module.portage_config bug with appending accept_keywords
- Fixed bug to correctly report disk usage on windows minion
- Added the ability to specify key prefix for S3 ext_pillar
- Fixed issues with batch mode operating on the incorrect number of minions
- Fixed a bug with the proxmox cloud provider stacktracing on disk definition
- Fixed a bug with the changes dictionary in the file state
- Fixed the TCP keep alive settings to work better with SREQ caching
- Fixed many bugs within the iptables state and module
- Fixed bug with states by adding fun, state, and unless to the state runtime internal keywords listing
- Added ability to eAuth against
Active Directory
- Fixed some salt-ssh issues when running on Fedora 21
- Fixed grains.get_or_set_hash to work with multiple entries under same key
- Added better explanations and more examples of how the Reactor calls functions to docs
- Fixed bug to not pass ex_config_drive to libcloud unless it's explicitly enabled
- Fixed bug with pip.install on windows
- Fixed bug where puppet.run always returns a 0 retcode
- Fixed race condition bug with minion scheduling via pillar
- Made efficiency improvements and bug fixes to the windows installer
- Updated environment variables to fix bug with pygit2 when running salt as non-root user
- Fixed cas behavior on data module -- data.cas was not saving changes
- Fixed GPG rendering error
- Fixed strace error in virt.query
- Fixed stacktrace when running chef-solo command
- Fixed possible bug wherein uncaught exceptions seem to make zmq3 tip over when threading is involved
- Fixed argument passing to the reactor
- Fixed glibc caching to prevent bug where salt-minion getaddrinfo in dns_check() never got updated nameservers
- fix salt-zsh-completion conflicts
- Multi-master minions mode no longer route fileclient operations asymmetrically. This fixes the source of many multi-master bugs where the minion would become unresponsive from one or more masters.
- Fix bug wherein network.iface could produce stack traces.
- net.arp will no longer be made available unless arp is installed on the system.
- Major performance improvements to Saltnado
- Allow KVM module to operate under KVM itself or VMWare Fusion
- Various fixes to the Windows installation scripts
- Fix issue where the syndic would not correctly propagate loads to the master job cache.
- Improve error handling on invalid /etc/network/interfaces file in salt networking modules
- Fix bug where a response status was not checked for in fileclient.get_url
- Enable eauth when running salt in batch mode
- Increase timeout in Boto Route53 module
- Fix bugs with Salt's 'tar' module option parsing
- Fix parsing of NTP servers on Windows
- Fix issue with blockdev tuning not reporting changes correctly
- Update to the latest Salt bootstrap script
- Update Linode salt-cloud driver to use either linode-python or apache-libcloud
- Fix for s3.query function to return correct headers
- Fix for s3.head returning None for files that exist
- Fix the disable function in win_service module so that the service is disabled correctly
- Fix race condition between master and minion when making a directory when both daemons are on the same host
- Fix an issue where file.recurse would fail at the root of an svn repo when the repo has a mountpoint
- Fix an issue where file.recurse would fail at the root of an hgfs repo when the repo has a mountpoint
- Fix an issue where file.recurse would fail at the root of a gitfs repo when the repo has a mountpoint
- Add status.master capability for Windows.
- Various fixes to ssh_known_hosts
- Various fixes to states.network bonding for Debian
- The debian_ip.get_interfaces module no longer removes nameservers.
- Better integration between grains.virtual and systemd-detect-virt and virt-what
- Fix traceback in sysctl.present state output
- Fix for issue where mount.mounted would fail when superopts were not a part of mount.active (extended=True). Also mount.mounted various fixes for Solaris and FreeBSD.
- Fix error where datetimes were not correctly safeguarded before being passed into msgpack.
- Fix file.replace regressions. If the pattern is not found, and if dry run is False, and if `backup` is False, and if a pre-existing file exists with extension `.bak`, then that backup file will be overwritten.
This backup behavior is a result of how `fileinput` works. Fixing it requires either passing through the file twice (the first time only to search for content and set a flag), or rewriting `file.replace` so it doesn't use `fileinput`
- VCS fileserver fixes/optimizations
- Catch fileserver configuration errors on master start
- Raise errors on invalid gitfs configurations
- set_locale when locale file does not exist (Redhat family)
- Fix to correctly count active devices when created mdadm array with spares
- Fix to correctly target minions in batch mode
- Support ssh:// urls using the gitfs dulwich backend
- New fileserver runner
- Fix various bugs with argument parsing to the publish module.
- Fix disk.usage for Synology OS
- Fix issue with tags occurring twice with docker.pulled
- Fix incorrect key error in SMTP returner
- Fix condition which would remount loopback filesystems on every state run
- Remove requisites from listens after they are called in the state system
- Make system implementation of service.running aware of legacy service calls
- Fix issue where publish.publish would not handle duplicate responses gracefully.
- Accept Kali Linux for aptpkg salt execution module
- Fix bug where cmd.which could not handle a dirname as an argument
- Fix issue in ps.pgrep where exceptions were thrown on Windows.
- fix package bug with fdupes.
- keep sle 11 sp3 support.
- Fix erroneous warnings for systemd service enabled check (issue 19606)
- Fix FreeBSD kernel module loading, listing, and persistence kmod (issue 197151, issue 19682)
- Allow case-sensitive npm package names in the npm state. This may break behavior for people expecting the state to lowercase their npm package names for them. The npm module was never affected by mandatory lowercasing. (issue 20329)
- Deprecate the activate parameter for pip.install for both the module and the state.
If bin_env is given and points to a virtualenv, there is no need to activate that virtualenv in a shell for pip to install to the virtualenv.
- Fix a file-locking bug in gitfs (issue 18839)
- Fixed gitfs serving symlinks in file.recurse states (issue 17700)
- Fixed holding of multiple packages (YUM) when combined with version pinning (issue 18468)
- Fixed use of Jinja templates in masterless mode with non-roots fileserver backend (issue 17963)
- Re-enabled pillar and compound matching for mine and publish calls. Note that pillar globbing is still disabled for those modes, for security reasons. (issue 17194)
- Fix for tty: True in salt-ssh (issue 16847)
- Needed to provide zsh completion because of the tarball missing the zsh completion script.
- Added man salt.7.gz to salt-master package
- added python-zipp as dependency
- added recommend python-pygit2, this is the preferred gitfs backend of saltstack
- added zsh-completion package
- SALT SSH ENHANCEMENTS:
  + Support for Fileserver Backends
  + Support for Saltfile
  + Ext Pillar
  + No more sshpass needed
  + Pure Python Shim
  + Custom Module Delivery
  + CP module Support
  + More Thin Directory Options
- Salt State System enhancements:
  + New Imperative State Keyword "Listen"
  + New Mod Aggregate Runtime Manipulator
  + New Requisites: onchanges and onfail
  + New Global onlyif and unless
  + Use names to expand and override values
- Salt Major Features:
  + Improved Scheduler Additions
  + Red Hat 7 Support
  + Fileserver Backends in Salt-call
  + Amazon Execution Modules in salt-cloud
  + LXC Runner Enhancements
  + Next Gen Docker Management
  + Peer System Performance Improvements
  + SDB Encryption at rest for configs
  + GPG Renderer encrypted pillar at rest
  + OpenStack Expansions
  + Queues System external queue systems into Salt events
  + Multi Master Failover Additions
  + Chef Execution Module
- salt-api Project Merge
  + Synchronous and Asynchronous Execution of Runner and Wheel Modules
  + rest_cherrypy Additions
  + Web Hooks
- Fileserver Backend
Enhancements:
  + New gitfs Features
  + Pygit2 and Dulwich support
  + Mountpoints support
  + New hgfs Features
  + mountpoints support
  + New svnfs Features:
  + mountpoints
  + minionfs Featuressupport
  + mountpoints
- New Salt Modules:
  + Oracle
  + Random
  + Redis
  + Amazon Simple Queue Service
  + Block Device Management
  + CoreOS etcd
  + Genesis
  + InfluxDB
  + Server Density
  + Twilio Notifications
  + Varnish
  + ZNC IRC Bouncer
  + SMTP
- NEW RUNNERS:
  + Map/Reduce Style
  + Queue
- NEW EXTERNAL PILLARS:
  + CoreOS etcd
- NEW SALT-CLOUD PROVIDERS:
  + Aliyun ECS Cloud
  + LXC Containers
  + Proxmox (OpenVZ containers & KVM)
- DEPRECATIONS:
  + Salt.modules.virtualenv_mod
- fix module run exit code (issue 16420)
- salt cloud Check the exit status code of scp before assuming it has failed. (issue 16599)
- Fix scp_file always failing (which broke salt-cloud) (issue 16437)
- Fix regression in pillar in masterless (issue 16210, issue 16416, issue 16428)
- Fix for minion_id with byte-order mark (BOM) (issue 12296)
- Fix runas deprecation in at module
- Fix trailing slash behavior for file.makedirs_ (issue 14019)
- Fix chocolatey path (issue 13870)
- Fix git_pillar infinite loop issues (issue 14671)
- Fix json outputter null case
- Fix for minion error if one of multiple masters are down (issue 14099)
- Fix service.py version parsing for SLE 11
- Remove salt-master's hard requirement for git and python-GitPython on SLE 12
- Ensure salt uses systemd for services on SLES
- Version 2014.1.9 contained a regression which caused inaccurate Salt version detection, and thus was never packaged for general release. This version contains the version detection fix, but is otherwise identical to 2014.1.9.
- Version 2014.1.8 contained a regression which caused inaccurate Salt version detection, and thus was never packaged for general release. This version contains the version detection fix, but is otherwise identical to 2014.1.8.
- Ensure salt-ssh will not continue if permissions on a temporary directory are not correct.
- Use the bootstrap script distributed with Salt instead of relying on an external resource - Ensure salt states are placed into the .salt directory in salt-ssh - Use a randomized path for temporary files in a salt-cloud deployment - Clean any stale directories to ensure a fresh copy of salt-ssh during a deployment - Allow salt to correctly detect services provided by init scripts - Move systemd service file fix to patch, add PIDFile parameter (this fix is applicable for all SUSE versions) - Improve systemd service file fix for 12.3 Use forking instead of Simple and daemonize salt-master process - Fixed bug in opensuse 12.3 systemd file systemd 198 doesn't have python-systemd binding. - Disabled testing on SLES - Fix batch mode regression (issue 14046) - Fix extra iptables --help output (Sorry!) (issue 13648, issue 13507, issue 13527, issue 13607) - Fix mount.active for Solaris - Fix support for allow-hotplug statement in debian_ip network module - Add sqlite3 to esky builds - Fix jobs.active output (issue 9526) - Fix the virtual grain for Xen (issue 13534) - Fix eauth for batch mode (issue 9605) - Fix force-related issues with tomcat support (issue 12889) - Fix KeyError when cloud mapping - Fix salt-minion restart loop in Windows (issue 12086) - Fix detection of service virtual module on Fedora minions - Fix traceback with missing ipv4 grain (issue 13838) - Fix issue in roots backend with invalid data in mtime_map (issue 13836) - Fix traceback in jobs.active (issue 11151) - Add function for finding cached job on the minion - Fix for minion caching jobs when master is down - Bump default `syndic_wait` to 5 to fix syndic-related problems (issue 12262) - Fix false positive error in logs for `makeconf` state (issue 9762) - Fix for extra blank lines in `file.blockreplace` (issue 12422) - Use system locale for ports package installations - Fix for `cmd_iter`/`cmd_iter_no_block` blocking issues (issue 12617) - Fix traceback when syncing custom types (issue 12883) - Fix 
cleaning directory symlinks in `file.directory` - Add performance optimizations for `saltutil.sync_all` and `state.highstate` - Fix possible error in `saltutil.running` - Fix for kmod modules with dashes (issue 13239) - Fix possible race condition for Windows minions in state module reloading (issue 12370) - Fix bug with roster for `passwd`s that are loaded as non-string objects (issue 13249) - Keep duplicate version numbers from showing up in `pkg.list_pkgs` output - Fixes for Jinja renderer, timezone :mod:`module`/:mod:`state` (issue 12724) - Fix timedatectl parsing for systemd>=210 (issue 12728) - Removed the deprecated external nodes classifier (originally accessible by setting a value for external_nodes in the master configuration file). Note that this functionality has been marked deprecated for some time and was replaced by the more general :doc:`master tops` system. - More robust escaping of ldap filter strings. - Fix trailing slash in :conf_master:`gitfs_root` causing files not to be available (issue 13185) - added bash completion package - Fix setup.py dependency issue (issue 12031) - Fix handling for IOErrors under certain circumstances (issue 11783 and issue 11853) - Fix fatal exception when `/proc/1/cgroup` is not readable (issue 11619) - Fix os grains for OpenSolaris (issue 11907) - Fix `lvs.zero` module argument pass-through (issue 9001) - Fix bug in `debian_ip` interaction with `network.system` state (issue 11164) - Remove bad binary package verification code (issue 12177) - Fix traceback in solaris package installation (issue 12237) - Fix `file.directory` state symlink handling (issue 12209) - Remove `external_ip` grain - Fix `file.managed` makedirs issues (issue 10446) - Fix hang on non-existent Windows drive letter for `file` module (issue 9880) - Fix salt minion caching all users on the server (issue 9743) - Fix username detection when su'ed to root on FreeBSD (issue 11628) - Fix minionfs backend for file.recurse states - Fix 32-bit packages of
different arches than the CPU arch, on 32-bit RHEL/CentOS (issue 11822) - Fix bug with specifying alternate home dir on user creation (FreeBSD) (issue 11790) - Don't reload site module on module refresh for MacOS - Fix regression with running execution functions in Pillar SLS (issue 11453) - Fix some modules missing from Windows installer - Don't log an error for yum commands that return nonzero exit status on non-failure (issue 11645) - Fix bug in rabbitmq state (issue 8703) - Fix missing ssh config options (issue 10604) - Fix top.sls ordering (issue 10810 and issue 11691) - Fix salt-key --list all (issue 10982) - Fix win_servermanager install/remove function (issue 11038) - Fix interaction with tokens when running commands as root (issue 11223) - Fix overstate bug with find_job and **kwargs (issue 10503) - Fix saltenv for aptpkg.mod_repo from pkgrepo state - Fix environment issue causing file caching problems (issue 11189) - Fix bug in __parse_key in registry state (issue 11408) - Add minion auth retry on rejection (issue 10763) - Fix publish_session updating the encryption key (issue 11493) - Fix for bad AssertionError raised by GitPython (issue 11473) - Fix debian_ip to allow disabling and enabling networking on Ubuntu (issue 11164) - Fix potential memory leak caused by saved (and unused) events (issue 11582) - Fix exception handling in the MySQL module (issue 11616) - Fix environment-related error (issue 11534) - Include psutil on Windows - Add file.replace and file.search to Windows (issue 11471) - Add additional file module helpers to Windows (issue 11235) - Add pid to netstat output on Windows (issue 10782) - Fix Windows not caching new versions of installers in winrepo (issue 10597) - Fix hardcoded md5 hashing - Fix kwargs in salt-ssh (issue 11609) - Fix file backup timestamps (issue 11745) - Fix stacktrace on sys.doc with invalid eauth (issue 11293) - Fix git.latest with test=True (issue 11595) - Fix file.check_perms hardcoded follow_symlinks (issue
11387) - Fix certain pkg states for RHEL5/Cent5 machines (issue 11719) - Features from 2014.1.0 Major Release: - 2014.1.0 is the first release to follow the new date-based release naming system. - Salt Cloud Merged into Salt - Google Compute Engine support is added to salt-cloud. - Salt Virt released - Docker Integration - IPv6 Support for iptables State/Module - GitFS Improvements - MinionFS - saltenv - Grains Caching - Improved Command Logging Control - PagerDuty Support - Virtual Terminal - Proxy Minions - bugfixes: - Fix mount.mounted leaving conflicting entries in fstab (:issue:`7079`) - Fix mysql returner serialization to use json (:issue:`9590`) - Fix ZMQError: Operation cannot be accomplished in current state errors (:issue:`6306`) - Rbenv and ruby improvements - Fix quoting issues with mysql port (:issue:`9568`) - Update mount module/state to support multiple swap partitions (:issue:`9520`) - Fix archive state to work with bsdtar - Clarify logs for minion ID caching - Add numeric revision support to git state (:issue:`9718`) - Update master_uri with master_ip (:issue:`9694`) - Add comment to Debian mod_repo (:issue:`9923`) - Fix potential undefined loop variable in rabbitmq state (:issue:`8703`) - Fix for salt-virt runner to delete key on VM deletion - Fix for salt-run -d to limit results to specific runner or function (:issue:`9975`) - Add tracebacks to jinja renderer when applicable (:issue:`10010`) - Fix parsing in monit module (:issue:`10041`) - Fix highstate output from syndic minions (:issue:`9732`) - Quiet logging when dealing with passwords/hashes (:issue:`10000`) - Fix for multiple remotes in git_pillar (:issue:`9932`) - Fix npm installed command (:issue:`10109`) - Add safeguards for utf8 errors in zcbuildout module - Fix compound commands (:issue:`9746`) - Add systemd notification when master is started - Many doc improvements - Fix some jinja render errors (issue 8418) - Fix file.replace state changing file ownership (issue 8399) - Fix state 
ordering with the PyDSL renderer (issue 8446) - Fix for new npm version (issue 8517) - Fix for pip state requiring name even with requirements file (issue 8519) - Add sane maxrunning defaults for scheduler (issue 8563) - Fix states duplicate key detection (issue 8053) - Fix SUSE patch level reporting (issue 8428) - Fix managed file creation umask (issue 8590) - Fix logstash exception (issue 8635) - Improve argument exception handling for salt command (issue 8016) - Fix pecl success reporting (issue 8750) - Fix launchctl module exceptions (issue 8759) - Fix argument order in pw_user module - Add warnings for failing grains (issue 8690) - Fix hgfs problems caused by connections left open (issue 8811 and issue 8810) - Fix installation of packages with dots in pkg name (issue 8614) - Fix noarch package installation on CentOS 6 (issue 8945) - Fix portage_config.enforce_nice_config (issue 8252) - Fix salt.util.copyfile umask usage (issue 8590) - Fix rescheduling of failed jobs (issue 8941) - Fix conflicting options in postgres module (issue 8717) - Fix ps modules for psutil >= 0.3.0 (issue 7432) - Fix postgres module to return False on failure (issue 8778) - Fix argument passing for args with pound signs (issue 8585) - Fix pid of salt CLi command showing in status.pid output (issue 8720) - Fix rvm to run gem as the correct user (issue 8951) - Fix namespace issue in win_file module (issue 9060) - Fix masterless state paths on windows (issue 9021) - Fix timeout option in master config (issue 9040) - Add ability to delete key with grains.delval (issue 7872) - Fix possible state compiler stack trace (issue 5767) - Fix grains targeting for new grains (issue 5737) - Fix bug with merging in git_pillar (issue 6992) - Fix print_jobs duplicate results - Fix possible KeyError from ext_job_cache missing option - Fix auto_order for - names states (issue 7649) - Fix regression in new gitfs installs (directory not found error) - Fix fileclient in case of master restart (issue 7987) - 
Try to output warning if CLI command malformed (issue 6538) - Fix --out=quiet to actually be quiet (issue 8000) - Fix for state.sls in salt-ssh (issue 7991) - Fix for MySQL grants ordering issue (issue 5817) - Fix traceback for certain missing CLI args (issue 8016) - Add ability to disable lspci queries on master (issue 4906) - Fail if sls defined in topfile does not exist (issue 5998) - Add ability to downgrade MySQL grants (issue 6606) - Fix ssh_auth.absent traceback (issue 8043) - Fix ID-related issues (issue 8052, issue 8050, and others) - Fix for jinja rendering issues (issue 8066 and issue 8079) - Fix argument parsing in salt-ssh (issue 7928) - Fix some GPU detection instances (issue 6945) - Fix bug preventing includes from other environments in SLS files - Fix for kwargs with dashes (issue 8102) - Fix apache.adduser without apachectl (issue 8123) - Fix issue with evaluating test kwarg in states (issue 7788) - Fix regression in salt.client.Caller() (issue 8078) - Fix bug where cmd.script would try to run even if caching failed (issue 7601) - Fix for mine data not being updated (issue 8144) - Fix a Xen detection edge case (issue 7839) - Fix version generation for when it's part of another git repo (issue 8090) - Fix _handle_iorder stacktrace so that the real syntax error is shown (issue 8114 and issue 7905) - Fix git.latest state when a commit SHA is used (issue 8163) - Fix for specifying identify file in git.latest (issue 8094) - Fix for --output-file CLI arg (issue 8205) - Add ability to specify shutdown time for system.shutdown (issue 7833) - Fix for salt version using non-salt git repo info (issue 8266) - Add additional hints at impact of pkgrepo states when test=True (issue 8247) - Fix for salt-ssh files not being owned by root (issue 8216) - Fix retry logic and error handling in fileserver (related to issue 7755) - Fix file.replace with test=True (issue 8279) - Add flag for limiting file traversal in fileserver (issue 6928) - Fix for extra mine processes 
(issue 5729) - Fix for unloading custom modules (issue 7691) - Fix for salt-ssh opts (issue 8005 and issue 8271) - Fix compound matcher for grains (issue 7944) - Add dir_mode to file.managed (issue 7860) - Improve traceroute support for FreeBSD and OS X (issue 4927) - Fix for matching minions under syndics (issue 7671) - Improve exception handling for missing ID (issue 8259) - Add configuration option for minion_id_caching - Fix open mode auth errors (issue 8402) - In preparation of salt Helium all requirements of salt-cloud absorbed in salt - Added salt-doc package with html documentation of salt - Updated requirements python-markupsafe required for salt-ssh - Don't support sysvinit and systemd for the same system; add conditional macros to use systemd only on systems which support it and sysvinit on other systems - Updated to salt 0.17.1 bugfix release (bsc#849205, bsc#849204, bsc#849184): - Fix symbolic links in thin.tgz (:issue:`7482`) - Pass env through to file patch state (:issue:`7452`) - Service provider fixes and reporting improvements (:issue:`7361`) - Add --priv option for specifying salt-ssh private key - Fix salt-thin's salt-call on setuptools installations (:issue:`7516`) - Fix salt-ssh to support passwords with spaces (:issue:`7480`) - Fix regression in wildcard includes (:issue:`7455`) - Fix salt-call outputter regression (:issue:`7456`) - Fix custom returner support for startup states (:issue:`7540`) - Fix value handling in augeas (:issue:`7605`) - Fix regression in apt (:issue:`7624`) - Fix minion ID guessing to use socket.getfqdn() first (:issue:`7558`) - Add minion ID caching (:issue:`7558`) - Fix salt-key race condition (:issue:`7304`) - Add --include-all flag to salt-key (:issue:`7399`) - Fix custom grains in pillar (part of :issue:`5716`, :issue:`6083`) - Fix race condition in salt-key (:issue:`7304`) - Fix regression in minion ID guessing, prioritize socket.getfqdn() (:issue:`7558`) - Cache minion ID on first guess (:issue:`7558`) - Allow
trailing slash in file.directory state - Fix reporting of file_roots in pillar return (:issue:`5449` and :issue:`5951`) - Remove pillar matching for mine.get (:issue:`7197`) - Sanitize args for multiple execution modules - Fix yumpkg mod_repo functions to filter hidden args (:issue:`7656`) - Fix conflicting IDs in state includes (:issue:`7526`) - Fix mysql_grants.absent string formatting issue (:issue:`7827`) - Fix postgres.version so it won't return None (:issue:`7695`) - Fix for trailing slashes in mount.mounted state - Fix rogue AttributeErrors in the outputter system (:issue:`7845`) - Fix for incorrect ssh key encodings resulting in incorrect key added (:issue:`7718`) - Fix for pillar/grains naming regression in python renderer (:issue:`7693`) - Fix args/kwargs handling in the scheduler (:issue:`7422`) - Fix logfile handling for file://, tcp:// and udp:// (:issue:`7754`) - Fix error handling in config file parsing (:issue:`6714`) - Fix RVM using sudo when running as non-root user (:issue:`2193`) - Fix client ACL and underlying logging bugs (:issue:`7706`) - Fix scheduler bug with returner (:issue:`7367`) - Fix user management bug related to default groups (:issue:`7690`) - Fix various salt-ssh bugs (:issue:`7528`) - Many various documentation fixes - Updated init files to be in line with fedora/rhel packaging upstream - activated salt-testing for unit testing salt before releasing rpm - added python-xml as dependency - Major features from Feature Release 0.17.0: - halite (web Gui) - salt ssh (remote execution/states over ssh) with its own package - Rosters (list system targets not known to master) - State Auto Order (state evaluation and execute in order of define) - state.sls Runner (system orchestration from within states via master) - Mercurial Fileserver Backend - External Logging Handlers (sentry and logstash support) - Jenkins Testing - Salt Testing Project (testing libraries for salt) - StormPath External Authentication support - LXC Support (lxc support
for salt-virt) - Package dependencies reordering: * salt-master requires python-pyzmq, and recommends python-halite * salt-minion requires python-pyzmq * salt-ssh requires sshpass * salt-syndic requires salt-master Minor features: - 0.17.0 release will be last release for 0.XX.X numbering system Next release will be .. - Multiple documentation improvements/additions - Added the osfinger and osarch grains - Fix bug in :mod:`hg.latest` state that would erroneously delete directories (:issue:`6661`) - Fix bug related to pid not existing for :mod:`ps.top` (:issue:`6679`) - Fix regression in :mod:`MySQL returner` (:issue:`6695`) - Fix IP addresses grains (ipv4 and ipv6) to include all addresses (:issue:`6656`) - Fix regression preventing authenticated FTP (:issue:`6733`) - Fix :mod:`file.contains` on values YAML parses as non-string (:issue:`6817`) - Fix :mod:`file.get_gid`, :mod:`file.get_uid`, and :mod:`file.chown` for broken symlinks (:issue:`6826`) - Fix comment for service reloads in service state (:issue:`6851`) - Fixed scheduler config in pillar - Fixed default value for file_recv master config option - Fixed missing master configuration file parameters - Fixed regression in binary package installation on 64-bit systems - Fixed stacktrace when commenting a section in top.sls - Fixed state declarations not formed as a list message.
- Fixed infinite loop on minion - Fixed stacktrace in watch when state is 'prereq' - Feature: function filter_by to grains module - Feature: add new "osfinger" grain - Newly installed salt-minion doesn't create /var/cache/salt/minion/proc - gracefully handle lsb_release data when it is enclosed in quotes - fixed pillar load from master config - pillar function pillar.item and pillar.items instead of pillar.data - fixed traceback when pillar sls is malformed - gracefully handle quoted publish commands - publish function publish.item and publish.items instead of publish.data - salt-key usage in minionswarm script fixed - minion random reauth_delay added to stagger re-auth attempts. - improved user and group management - improved file management - improved package management - service management custom initscripts support - module networking hwaddr renamed to be in line with other modules - fixed traceback in bridge.show - fixed ssh known_hosts and auth.present output. - postgresql module Fixes #6352. - returner fixes Fixes issue #5518 - http authentication issues fixed #6356 - warning of deprecation runas in favor of user - Updated init files, rc_status instead of rc status. - Multi-Master capability - Prereq, the new requisite - Peer system improvement - Relative Includes - More state Output Options - Improved Windows Support - Multi Targets for pkg.removed, pkg.purged States - Random Times in cron states - Confirmation Prompt on Key acceptance on master - Updated init files from upstream, so init files are the same for fedora/redhat/centos/debian/suse - Removed salt user and daemon.conf file, so package is in line with upstream packages fedora/centos/debian.
- minor permission fix on salt config files to fix external auth - From the service release 0.15.2 xinetd service name not appended virt-module uses qemu-img publish.publish returns same info as salt-master updated gitfs module - Fixed salt-master config file not readable by user 'salt' - added logrotate on salt log files - fixes suse service check - From salt 0.15.0 Major update: - salt mine function - ipv6 support - copy files from minions to master - better template debugging - state event firing - major syndic updates - peer system updates - minion key revocation - function return codes - functions in overstate - Pillar error reporting - Cached State Data - Monitoring states - improved init files overwrite with /etc/default/salt - Updated init files: - removed probe/reload/force reload this isn't supported - some major fixes for the syndic system, - fixes to file.recurse and external auth and - Updated salt init files with option -d to really daemonize it - From updated to 0.14.0 MAJOR FEATURES: - Salt - As a Cloud Controller - Libvirt State - New get Functions - Fix #3693 (variable ref'ed before assignment) - Fix stack trace introduced with - Updated limit to be escaped like before and after. - Import install command from setuptools if we use them.
- Fix user info not displayed correctly when group doesn't map cleanly - fix bug: Client.cache_dir() - Fix #3717 - Fix #3716 - Fix cmdmod.py daemon error - Updated test to properly determine homebrew user - split syndic from master in separate package spacecmd: - version 4.1.4-1 - only report real error, not result (bsc#1171687) - use defined return values for spacecmd methods so scripts can check for failure (bsc#1171687) - version 4.1.3-1 - disable globbing for api subcommand to allow wildcards in filter settings (bsc#1163871) - version 4.1.2-1 - Bugfix: attempt to purge SSM when it is empty (bsc#1155372) - version 4.1.1-1 - Bump version to 4.1.0 (bsc#1154940) - Prevent error when piping stdout in Python 2 (bsc#1153090) - Java api expects content as encoded string instead of encoded bytes like before (bsc#1153277) - Enable building and installing for Ubuntu 16.04 and Ubuntu 18.04 - Fix building and installing on CentOS8/RES8/RHEL8 - Check that a channel doesn't have clones before deleting it (bsc#1138454) - Add unit test for schedule, errata, user, utils, misc, configchannel and kickstart modules - Multiple minor bugfixes alongside the unit tests - Fix missing runtime dependencies that made spacecmd return old versions of packages in some cases, even if newer ones were available (bsc#1148311) - version 4.0.12-1 - Bugfix: referenced variable before assignment. 
- Add unit test for report, package, org, repo and group - Bugfix: 'dict' object has no attribute 'iteritems' (bsc#1135881) - Add unit tests for custominfo, snippet, scap, ssm, cryptokey and distribution - version 4.0.11-1 - SPEC cleanup - version 4.0.10-1 - add unit tests for spacecmd.api, spacecmd.activationkey and spacecmd.filepreservation - add unit tests for spacecmd.shell - Save SSM list on system delete and update cache (bsc#1130077, bsc#1125744) - add makefile and pylint configuration - version 4.0.9-1 - Add Pylint setup - Replace iteritems with items for python2/3 compat (bsc#1129243) - version 4.0.8-1 - fix python 3 bytes issue when handling config channels - version 4.0.7-1 - Add '--force', '-f' option to regenerateYumCache (bsc#1127389) - version 4.0.6-1 - Prevent spacecmd crashing when piping the output in Python 3 (bsc#1125610) - version 4.0.5-1 - Fix compatibility with Python 3 - version 4.0.4-1 - Fix importing state channels using configchannel_import - Fix getting file info for latest revision (via configchannel_filedetails) - version 4.0.3-1 - Add function to merge errata and packages through spacecmd (bsc#987798) - show group id on group_details (bsc#1111542) - State channels handling: Existing commands configchannel_create and configchannel_import were updated while system_scheduleapplyconfigchannels and configchannel_updateinitsls were added. 
- version 4.0.2-1 - add summary to softwarechannel.clone when calling older API versions (bsc#1109023) - New function/Update old functions to handle state channels as well - version 4.0.1-1 - Bump version to 4.0.0 (bsc#1104034) - Fix copyright for the package specfile (bsc#1103696) - Suggest not to use password option for spacecmd (bsc#1103090) - version 2.8.25.4-1 - add option to set cleanup type for system_delete (bsc#1094190) - version 2.8.25.3-1 - Sync with upstream (bsc#1083294) - version 2.8.25.2-1 - Sync with upstream (bsc#1083294) - 1539878 - add save_cache to do_ssm_intersect - Fix softwarechannel_listsyncschedule - version 2.8.21.2-1 - Disable pylint for python2 and RES < 8 (bsc#1088070) - version 2.8.21.1-1 - Sync with upstream (bsc#1083294) - Connect to API using FQDN instead of hostname to avoid SSL validation problems (bsc#1085667) - version 2.8.20.1-1 - 1536484 - Command spacecmd supports utf8 name of systems - 1484056 - updatefile and addfile are basically same calls - 1484056 - make configchannel_addfile fully non-interactive - 1445725 - display all checksum types, not just MD5 - remove clean section from spec (bsc#1083294) - Added function to update software channel. Moreover, some refactoring has been done (bsc#1076578) - version 2.8.17.2-1 - add more python3 compatibility changes - version 2.8.17.1-1 - Compatibility with Python 3 - Fix typo (bsc#1081151) - Configure gpg_flag via spacecmd creating a channel (bsc#1080290) - version 2.8.15.3-1 - Allow scheduling the change of software channels as an action. The previous channels remain accessible to the registered system until the action is executed.
- version 2.8.15.2-1 - support multiple FQDNs per system (bsc#1063419) - version 2.8.13.2-1 - Fix bsc number for change 'configchannel export binary flag to json' - version 2.8.13.1-1 - add --config option to spacecmd - Added custom JSON encoder in order to parse date fields correctly (bsc#1070372) - version 2.8.10.1-1 - pylint - fix indentation - version 2.8.9.1-1 - fix build with python 3 - show list of arches for channel - allow softwarechannel_setsyncschedule to disable schedule - add softwarechannel_setsyncschedule --latest - in case of system named by id, let id take precedence - Make spacecmd prompt for password when overriding config file user - show less output of common packages in selected channels - adding softwarechannel_listmanageablechannels - version 2.7.8.7-1 - Switched logging from warning to debug - version 2.7.8.6-1 - configchannel export binary flag to json (bsc#1044719) - version 2.7.8.5-1 - spacecmd report_outofdatesystems: avoid one XMLRPC call per system (bsc#1015882) - version 2.7.8.4-1 - Remove debug logging from softwarechannel_sync function - version 2.7.8.3-1 - Remove get_certificateexpiration support in spacecmd (bsc#1013876) - version 2.7.8.2-1 - Adding softwarechannel_listmanageablechannels - version 2.7.8.1-1 - fix syntax error - version 2.7.7.1-1 - make sure to know if we get into default function and exit accordingly - version 2.7.6.1-1 - exit with 1 with incorrect command, wrong server, etc.
- Updated links to github in spec files - print also systemdid with system name - improve output on error for listrepo (bsc#1027426) - print profile_name instead of string we're searching for - Fix: reword spacecmd removal msg (bsc#1024406) - Fix interactive mode - Add a type parameter to repo_create - version 2.7.3.2-1 - Removed obsolete code (bsc#1013938) - version 2.7.3.1-1 - Version 2.7.3-1 - version 2.5.5.3-1 - Make exception class more generic and code fixup (bsc#1003449) - Handle exceptions raised by listChannels (bsc#1003449) - Alert if a non-unique package ID is detected - version 2.5.5.2-1 - make spacecmd createRepo compatible with SUSE Manager 2.1 API (bsc#977264) - version 2.5.5.1-1 - mimetype detection to set the binary flag requires 'file' tool - Text description missing for remote command by Spacecmd - version 2.5.2.1-1 - spacecmd: repo_details show 'None' if repository doesn't have SSL Certificate - spacecmd: Added functions to add/edit SSL certificates for repositories - version 2.5.1.2-1 - build spacecmd noarch only on new systems - version 2.5.1.1-1 - mimetype detection to set the binary flag requires 'file' tool - fix export/cloning: always base64 - Always base64 encode to avoid trim() bugs in the XML-RPC library.
- set binary mode on uploaded files based on content (bsc#948245) - version 2.5.0.1-1 - drop monitoring - replace upstream subscription counting with new subscription matching (FATE#311619) - version 2.1.25.10-1 - Revert "1207606 - do not return one package multiple times" (bsc#945380) - check for existence of device description in spacecmd system_listhardware (bsc#932288) - version 2.1.25.9-1 - do not escape spacecmd command arguments - do not return one package multiple times - add system_setcontactmethod (FATE#314858) - add activationkey_setcontactmethod (FATE#314858) - show contact method with activationkey_details and system_details - clone config files without losing trailing new lines (bsc#926318) - version 2.1.25.8-1 - sanitize data from export - version 2.1.25.7-1 - fix configchannel export - do not create 'contents' key for directories (bsc#908849) - fix patch summary printing - code cleanup - add new function kickstart_getsoftwaredetails - Added feature to get installed packageversion of a system or systems managed by ssm to spacecmd - version 2.1.25.6-1 - call listAutoinstallableChannels() for listing distributions (bsc#887879) - Fix spacecmd schedule listing (bsc#902494) - Teach spacecmd report_errata to process all-errata in the absence of further args - fix call of setCustomOptions() during kickstart_importjson (bsc#879904) - version 2.1.25.5-1 - spacecmd: fix listupgrades [bsc#892707] - version 2.1.25.4-1 - make print_result a static method of SpacewalkShell (bsc#889605) - version 2.1.25.3-1 - Added option to force deployment of a config channel to all subscribed systems - Added last boot message in system_details command - Updated kickstart_import documentation - Added kickstart_import_raw command - version 2.1.25.2-1 - set output encoding when stdout is not a tty - version 2.1.25.1-1 - make file_needs_b64_enc work for both str and unicode inputs - version 2.1.24.1-1 - Updating the copyright years info - version 2.1.22.1-1 - fix spacecmd, so it
does not expect package id within the system.listPackages API call - fix binary file detection - added function package_listdependencies - version 2.1.20.1-1 - don't attempt to write out 'None' - fix system listing when identified by system id - version 2.1.18.1-1 - switch to 2.1 - version 1.7.7.11-1 - fixing spacecmd ssm 'list' has no attribute 'keys' error - version 1.7.7.10-1 - spacecmd errors out when trying to add script to kickstart - Make spacecmd able to specify config channel label - version 1.7.7.9-1 - fix directory export in configchannel_export - use 755 as default permissions for directories in configfile_getinfo - fix directory creation in configchannel_addfile - print the list of systems in system_runscript - print the list of systems in system_reboot - return a unique set from expand_systems - print a clearer error message when duplicate system names are found - standardize the behavior for when a system ID is not returned - add a delay before regenerating the system cache after a delete - handle binary files correctly in configfile_getinfo - print the name in the confirmation message of snippet_create - don't reuse variable names in parse_arguments - print the function's help message when -h in the argument list - print file path in package_details - fixing broken export of configchannels with symlinks - version 1.7.7.8-1 - prevent outputting escape sequences to non-terminals - Fixed small typo in spacecmd/src/lib/kickstart.py - do not quote argument of the help command (bsc#776615) - version 1.7.7.7-1 - Fix kickstart_export with old API versions - command line parameter for "distribution path" was documented wrong in help text (bsc#769106) - "suse" was missing in the helptext of the CLI for distributions (bsc#769108) - version 1.7.7.6-1 - enhancement add configchannel_sync - enhancement add softwarechannel_sync - version 1.7.7.5-1 - fixing chroot option for addscript - version 1.7.7.4-1 - kickstart_getcontents fix character encoding error - 
activationkey_import don't add empty package/group lists - fix activationkey_import when no base-channel specified - Fix reference to non-existent variable - improve configchannel_export operation on old API versions - *diff functions allow python 2.4 compatibility - changed get_string_diff_dicts to better fitting replacement method - remove reference to stage function - add do_SPACEWALKCOMPONENT_diff functions - system_comparewithchannel filter system packagelist - argument validation needed for configchannel_addfile - configchannel_addfile don't display b64 file contents - version 1.7.7.3-1 - enhancement add system_addconfigfile - Fix usage for configchannel_addfile - enhancement Add system_listconfigfiles - add option to allow templating for spacecmd kickstarting - version 1.7.7.2-1 - softwarechannel_clone avoid ISE on duplicate name - softwarechannel_adderrata mergeErrata should be cloneErrataAsOriginal - Add globbing support to distribution_details - Add globbing support to distribution_delete - Cleanup some typos in comments - custominfo_details add support for globbing key names - custominfo_deletekey add support for globbing key names - Add cryptokey_details globbing support - cryptokey_delete add support for globbing - Workaround missing date key in recent spacewalk listErrata - Add validation to softwarechannel_adderrata channel args - softwarechannel_adderrata add --skip mode - Add --quick mode to softwarechannel_adderrata - Allow config-channel export of b64 encoded files - Update the spacecmd copyright years - version 1.7.7.1-1 - Bumping package version - debranding - backport upstream fixes - Initial release of spacecmd Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Manager Ubuntu 20.04-CLIENT-TOOLS-BETA: zypper in -t patch suse-ubu204ct-suse-manager-client-tools-ubuntu2004-202006-14402=1 Package List: - SUSE Manager Ubuntu 20.04-CLIENT-TOOLS-BETA (amd64): libnorm1-1.5.8+dfsg2-2build1 libpgm-5.2-0-5.2.122~dfsg-3ubuntu1 libzmq5-4.3.2-2ubuntu1 prometheus-apache-exporter-0.7.0+ds-1 prometheus-node-exporter-0.18.1+ds-2 prometheus-postgres-exporter-0.8.0+ds-1 python3-zmq-18.1.1-3 - SUSE Manager Ubuntu 20.04-CLIENT-TOOLS-BETA (all): salt-common-3000+ds-1+2.5.1 salt-minion-3000+ds-1+2.5.1 spacecmd-4.1.4-2.3.1 References: https://www.suse.com/security/cve/CVE-2016-1866.html https://www.suse.com/security/cve/CVE-2016-9639.html https://www.suse.com/security/cve/CVE-2017-12791.html https://www.suse.com/security/cve/CVE-2017-14695.html https://www.suse.com/security/cve/CVE-2017-14696.html https://www.suse.com/security/cve/CVE-2018-15750.html https://www.suse.com/security/cve/CVE-2018-15751.html https://www.suse.com/security/cve/CVE-2019-17361.html https://www.suse.com/security/cve/CVE-2019-18897.html https://www.suse.com/security/cve/CVE-2020-11651.html https://www.suse.com/security/cve/CVE-2020-11652.html https://bugzilla.suse.com/1002529 https://bugzilla.suse.com/1003449 https://bugzilla.suse.com/1004047 https://bugzilla.suse.com/1004260 https://bugzilla.suse.com/1004723 https://bugzilla.suse.com/1008933 https://bugzilla.suse.com/1011304 https://bugzilla.suse.com/1011800 https://bugzilla.suse.com/1012398 https://bugzilla.suse.com/1012999 https://bugzilla.suse.com/1013876 https://bugzilla.suse.com/1013938 https://bugzilla.suse.com/1015882 https://bugzilla.suse.com/1017078 https://bugzilla.suse.com/1019386 https://bugzilla.suse.com/1020831 https://bugzilla.suse.com/1022562 https://bugzilla.suse.com/1022841 https://bugzilla.suse.com/1023535 https://bugzilla.suse.com/1024406 https://bugzilla.suse.com/1025896 https://bugzilla.suse.com/1027044 
https://bugzilla.suse.com/1027240 https://bugzilla.suse.com/1027426 https://bugzilla.suse.com/1027722 https://bugzilla.suse.com/1030009 https://bugzilla.suse.com/1030073 https://bugzilla.suse.com/1032213 https://bugzilla.suse.com/1032452 https://bugzilla.suse.com/1032931 https://bugzilla.suse.com/1035914 https://bugzilla.suse.com/1036125 https://bugzilla.suse.com/1038855 https://bugzilla.suse.com/1039370 https://bugzilla.suse.com/1040886 https://bugzilla.suse.com/1041993 https://bugzilla.suse.com/1042749 https://bugzilla.suse.com/1043111 https://bugzilla.suse.com/1044719 https://bugzilla.suse.com/1050003 https://bugzilla.suse.com/1051948 https://bugzilla.suse.com/1052264 https://bugzilla.suse.com/1053376 https://bugzilla.suse.com/1053955 https://bugzilla.suse.com/1057635 https://bugzilla.suse.com/1059291 https://bugzilla.suse.com/1059758 https://bugzilla.suse.com/1060230 https://bugzilla.suse.com/1061407 https://bugzilla.suse.com/1062462 https://bugzilla.suse.com/1062464 https://bugzilla.suse.com/1063419 https://bugzilla.suse.com/1064520 https://bugzilla.suse.com/1065792 https://bugzilla.suse.com/1068446 https://bugzilla.suse.com/1068566 https://bugzilla.suse.com/1070372 https://bugzilla.suse.com/1071322 https://bugzilla.suse.com/1072599 https://bugzilla.suse.com/1075950 https://bugzilla.suse.com/1076578 https://bugzilla.suse.com/1079048 https://bugzilla.suse.com/1080290 https://bugzilla.suse.com/1081151 https://bugzilla.suse.com/1081592 https://bugzilla.suse.com/1083294 https://bugzilla.suse.com/1085667 https://bugzilla.suse.com/1087055 https://bugzilla.suse.com/1087278 https://bugzilla.suse.com/1087581 https://bugzilla.suse.com/1087891 https://bugzilla.suse.com/1088070 https://bugzilla.suse.com/1088888 https://bugzilla.suse.com/1089112 https://bugzilla.suse.com/1089362 https://bugzilla.suse.com/1089526 https://bugzilla.suse.com/1091371 https://bugzilla.suse.com/1092161 https://bugzilla.suse.com/1092373 https://bugzilla.suse.com/1094055 
https://bugzilla.suse.com/1094190 https://bugzilla.suse.com/1095507 https://bugzilla.suse.com/1095651 https://bugzilla.suse.com/1095942 https://bugzilla.suse.com/1096514 https://bugzilla.suse.com/1097174 https://bugzilla.suse.com/1097413 https://bugzilla.suse.com/1098394 https://bugzilla.suse.com/1099323 https://bugzilla.suse.com/1099460 https://bugzilla.suse.com/1099887 https://bugzilla.suse.com/1099945 https://bugzilla.suse.com/1100142 https://bugzilla.suse.com/1100225 https://bugzilla.suse.com/1100697 https://bugzilla.suse.com/1101780 https://bugzilla.suse.com/1101812 https://bugzilla.suse.com/1101880 https://bugzilla.suse.com/1102013 https://bugzilla.suse.com/1102218 https://bugzilla.suse.com/1102265 https://bugzilla.suse.com/1102819 https://bugzilla.suse.com/1103090 https://bugzilla.suse.com/1103530 https://bugzilla.suse.com/1103696 https://bugzilla.suse.com/1104034 https://bugzilla.suse.com/1104154 https://bugzilla.suse.com/1104491 https://bugzilla.suse.com/1106164 https://bugzilla.suse.com/1107333 https://bugzilla.suse.com/1108557 https://bugzilla.suse.com/1108834 https://bugzilla.suse.com/1108969 https://bugzilla.suse.com/1108995 https://bugzilla.suse.com/1109023 https://bugzilla.suse.com/1109893 https://bugzilla.suse.com/1110938 https://bugzilla.suse.com/1111542 https://bugzilla.suse.com/1112874 https://bugzilla.suse.com/1113698 https://bugzilla.suse.com/1113699 https://bugzilla.suse.com/1113784 https://bugzilla.suse.com/1114029 https://bugzilla.suse.com/1114197 https://bugzilla.suse.com/1114474 https://bugzilla.suse.com/1114824 https://bugzilla.suse.com/1116343 https://bugzilla.suse.com/1116837 https://bugzilla.suse.com/1117995 https://bugzilla.suse.com/1121091 https://bugzilla.suse.com/1121439 https://bugzilla.suse.com/1122663 https://bugzilla.suse.com/1122680 https://bugzilla.suse.com/1123044 https://bugzilla.suse.com/1123512 https://bugzilla.suse.com/1123865 https://bugzilla.suse.com/1124277 https://bugzilla.suse.com/1125015 
https://bugzilla.suse.com/1125610 https://bugzilla.suse.com/1125744 https://bugzilla.suse.com/1127389 https://bugzilla.suse.com/1128061 https://bugzilla.suse.com/1128554 https://bugzilla.suse.com/1129079 https://bugzilla.suse.com/1129243 https://bugzilla.suse.com/1130077 https://bugzilla.suse.com/1130588 https://bugzilla.suse.com/1130784 https://bugzilla.suse.com/1131114 https://bugzilla.suse.com/1132076 https://bugzilla.suse.com/1133523 https://bugzilla.suse.com/1133647 https://bugzilla.suse.com/1134860 https://bugzilla.suse.com/1135360 https://bugzilla.suse.com/1135507 https://bugzilla.suse.com/1135567 https://bugzilla.suse.com/1135732 https://bugzilla.suse.com/1135881 https://bugzilla.suse.com/1137642 https://bugzilla.suse.com/1138454 https://bugzilla.suse.com/1139761 https://bugzilla.suse.com/1140193 https://bugzilla.suse.com/1140912 https://bugzilla.suse.com/1143301 https://bugzilla.suse.com/1146192 https://bugzilla.suse.com/1146382 https://bugzilla.suse.com/1148311 https://bugzilla.suse.com/1148714 https://bugzilla.suse.com/1150447 https://bugzilla.suse.com/1151650 https://bugzilla.suse.com/1151947 https://bugzilla.suse.com/1152366 https://bugzilla.suse.com/1153090 https://bugzilla.suse.com/1153277 https://bugzilla.suse.com/1153611 https://bugzilla.suse.com/1154620 https://bugzilla.suse.com/1154940 https://bugzilla.suse.com/1155372 https://bugzilla.suse.com/1157465 https://bugzilla.suse.com/1157479 https://bugzilla.suse.com/1158441 https://bugzilla.suse.com/1159284 https://bugzilla.suse.com/1162327 https://bugzilla.suse.com/1162504 https://bugzilla.suse.com/1163871 https://bugzilla.suse.com/1163981 https://bugzilla.suse.com/1165425 https://bugzilla.suse.com/1165572 https://bugzilla.suse.com/1167437 https://bugzilla.suse.com/1167556 https://bugzilla.suse.com/1168340 https://bugzilla.suse.com/1169604 https://bugzilla.suse.com/1169800 https://bugzilla.suse.com/1170104 https://bugzilla.suse.com/1170288 https://bugzilla.suse.com/1170595 
https://bugzilla.suse.com/1171687 https://bugzilla.suse.com/1171906 https://bugzilla.suse.com/1172075 https://bugzilla.suse.com/1173072 https://bugzilla.suse.com/769106 https://bugzilla.suse.com/769108 https://bugzilla.suse.com/776615 https://bugzilla.suse.com/849184 https://bugzilla.suse.com/849204 https://bugzilla.suse.com/849205 https://bugzilla.suse.com/879904 https://bugzilla.suse.com/887879 https://bugzilla.suse.com/889605 https://bugzilla.suse.com/892707 https://bugzilla.suse.com/902494 https://bugzilla.suse.com/908849 https://bugzilla.suse.com/926318 https://bugzilla.suse.com/932288 https://bugzilla.suse.com/945380 https://bugzilla.suse.com/948245 https://bugzilla.suse.com/955373 https://bugzilla.suse.com/958350 https://bugzilla.suse.com/959572 https://bugzilla.suse.com/963322 https://bugzilla.suse.com/965403 https://bugzilla.suse.com/967803 https://bugzilla.suse.com/969320 https://bugzilla.suse.com/970669 https://bugzilla.suse.com/971372 https://bugzilla.suse.com/972311 https://bugzilla.suse.com/972490 https://bugzilla.suse.com/975093 https://bugzilla.suse.com/975303 https://bugzilla.suse.com/975306 https://bugzilla.suse.com/975733 https://bugzilla.suse.com/975757 https://bugzilla.suse.com/976148 https://bugzilla.suse.com/977264 https://bugzilla.suse.com/978150 https://bugzilla.suse.com/978833 https://bugzilla.suse.com/979448 https://bugzilla.suse.com/979676 https://bugzilla.suse.com/980313 https://bugzilla.suse.com/983017 https://bugzilla.suse.com/983512 https://bugzilla.suse.com/985112 https://bugzilla.suse.com/985661 https://bugzilla.suse.com/986019 https://bugzilla.suse.com/987798 https://bugzilla.suse.com/988506 https://bugzilla.suse.com/989193 https://bugzilla.suse.com/989798 https://bugzilla.suse.com/990029 https://bugzilla.suse.com/990439 https://bugzilla.suse.com/990440 https://bugzilla.suse.com/991048 https://bugzilla.suse.com/993039 https://bugzilla.suse.com/993549 https://bugzilla.suse.com/996455 https://bugzilla.suse.com/999852 From 
sle-updates at lists.suse.com Tue Jun 23 10:48:18 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 18:48:18 +0200 (CEST) Subject: SUSE-SU-2020:14403-1: moderate: Security Beta update for SUSE Manager Client Tools Message-ID: <20200623164818.45780F3E2@maintenance.suse.de> SUSE Security Update: Security Beta update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14403-1 Rating: moderate References: #1159284 #1165572 #1168340 #1169604 #1169800 #1170104 #1170288 #1170595 #1171687 #1171906 #1172075 #1173072 Cross-References: CVE-2020-11651 CVE-2020-11652 Affected Products: SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA ______________________________________________________________________________ An update that solves two vulnerabilities and has 10 fixes is now available. Description: This update fixes the following issues: salt: - Require python3-distro only for TW (bsc#1173072) - Various virt backports from 3000.2 - Avoid traceback on debug logging for swarm module (bsc#1172075) - Add publish_batch to ClearFuncs exposed methods - Zypperpkg: filter patterns that start with dot (bsc#1171906) - Batch mode now also correctly provides return value (bsc#1168340) - Add docker.logout to docker execution module (bsc#1165572) - Testsuite fix - Add option to enable/disable force refresh for zypper - Python3.8 compatibility changes - Prevent spurious "salt-api" stuck processes when managing SSH minions because of logging deadlock (bsc#1159284) - Avoid segfault from "salt-api" under certain conditions of heavy load managing SSH minions (bsc#1169604) - Revert broken changes to slspath made on Salt 3000 (saltstack/salt#56341) (bsc#1170104) - Returns the list of IPs filtered by the optional network list - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595) - Do not require vendored backports-abc (bsc#1170288) - Fix partition.mkpart to work without 
fstype (bsc#1169800) spacecmd: - Only report real error, not result (bsc#1171687) - Use defined return values for spacecmd methods so scripts can check for failure (bsc#1171687) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA: zypper in -t patch suse-ubu184ct-client-tools-beta-202006-14403=1 Package List: - SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA (amd64): python3-systemd-234-2build2 python3-tornado-4.5.3-1ubuntu0.1 python3-zmq-16.0.2-2build2 - SUSE Manager Ubuntu 18.04-CLIENT-TOOLS-BETA (all): salt-common-3000+ds-1+27.20.1 salt-minion-3000+ds-1+27.20.1 spacecmd-4.1.4-2.9.1 References: https://www.suse.com/security/cve/CVE-2020-11651.html https://www.suse.com/security/cve/CVE-2020-11652.html https://bugzilla.suse.com/1159284 https://bugzilla.suse.com/1165572 https://bugzilla.suse.com/1168340 https://bugzilla.suse.com/1169604 https://bugzilla.suse.com/1169800 https://bugzilla.suse.com/1170104 https://bugzilla.suse.com/1170288 https://bugzilla.suse.com/1170595 https://bugzilla.suse.com/1171687 https://bugzilla.suse.com/1171906 https://bugzilla.suse.com/1172075 https://bugzilla.suse.com/1173072 From sle-updates at lists.suse.com Tue Jun 23 10:50:10 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 18:50:10 +0200 (CEST) Subject: SUSE-RU-2020:1728-1: moderate: Recommended update for python3-gcemetadata Message-ID: <20200623165010.7A6DEF3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for python3-gcemetadata ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1728-1 Rating: moderate References: #1045148 #1053687 #1053695 #1097505 #1134510 #1173136 Affected Products: SUSE Linux Enterprise Module for Public Cloud 12 
______________________________________________________________________________ An update that has 6 recommended fixes can now be installed. Description: This update for python3-gcemetadata fixes the following issues: - Add this package to SLE-12. (jsc#PM-1900, jsc#ECO-1918) - Fixed typo, missing "=" for "identity" option in processed command line options causes mis-identification of instance as missing identity data access - Handle the condition where the identity data of the instance may not be accessible from the metadata server and provide proper error messaging. (bsc#1134510) - Support instances with multiple Nics. (bsc#1097505) - Implement new feature to generate license verification token. (bsc#1053695, bsc#1053695) - Fix for the '--identity' argument: it must accept a value and the value is required. (bsc#1053687) - Fix for handling overlapping endpoint names and support writing data to a file and as XML snippets. - Set proper value for dict lookup to avoid traceback. (bsc#1045148) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-1728=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 12 (noarch): python3-gcemetadata-1.0.4-2.5.1 References: https://bugzilla.suse.com/1045148 https://bugzilla.suse.com/1053687 https://bugzilla.suse.com/1053695 https://bugzilla.suse.com/1097505 https://bugzilla.suse.com/1134510 https://bugzilla.suse.com/1173136 From sle-updates at lists.suse.com Tue Jun 23 10:51:21 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 18:51:21 +0200 (CEST) Subject: SUSE-RU-2020:14406-1: moderate: Recommended Beta update for SUSE Manager Client Tools Message-ID: <20200623165121.684A4F3E2@maintenance.suse.de> SUSE Recommended Update: Recommended Beta update for SUSE Manager Client Tools ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:14406-1 Rating: moderate References: #1167556 #1168310 #1170684 #1171687 #1172462 Affected Products: SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA ______________________________________________________________________________ An update that has 5 recommended fixes can now be installed. 
Description: This update fixes the following issues: salt: - Backport saltutil state module to 2016.11 codebase (bsc#1167556) - Add new custom SUSE capability for saltutil state module spacecmd: - Only report real error, not result (bsc#1171687) - Use defined return values for spacecmd methods so scripts can check for failure (bsc#1171687) spacewalk-client-tools: - Use 'int' instead of 'long' on rhn_check for both Python 2 and 3 suseRegisterInfo: - SuseRegisterInfo only needs perl-base, not full perl (bsc#1168310) uyuni-common-libs: - Uyuni-common-libs obsoletes python3-spacewalk-usix and python3-spacewalk-backend-libs (bsc#1170684) - Reposync speedup fixes zypp-plugin-spacewalk: - Prevent issue with non-ASCII characters in Python 2 systems (bsc#1172462) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA: zypper in -t patch slesctsp4-client-tools-beta-202006-14406=1 - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA: zypper in -t patch slesctsp3-client-tools-beta-202006-14406=1 Package List: - SUSE Linux Enterprise Server 11-SP4-CLIENT-TOOLS-BETA (i586 ia64 ppc64 s390x x86_64): koan-2.2.2-0.72.6.1 python2-spacewalk-check-4.1.5-30.15.1 python2-spacewalk-client-setup-4.1.5-30.15.1 python2-spacewalk-client-tools-4.1.5-30.15.1 python2-suseRegisterInfo-4.1.2-9.6.1 python2-uyuni-common-libs-4.1.5-7.12.1 python2-zypp-plugin-spacewalk-1.0.7-30.6.1 salt-2016.11.10-46.9.1 salt-doc-2016.11.10-46.9.1 salt-minion-2016.11.10-46.9.1 spacecmd-4.1.4-21.9.1 spacewalk-check-4.1.5-30.15.1 spacewalk-client-setup-4.1.5-30.15.1 spacewalk-client-tools-4.1.5-30.15.1 suseRegisterInfo-4.1.2-9.6.1 zypp-plugin-spacewalk-1.0.7-30.6.1 - SUSE Linux Enterprise Server 11-SP3-CLIENT-TOOLS-BETA (i586 ia64 ppc64 s390x x86_64): koan-2.2.2-0.72.6.1 python2-spacewalk-check-4.1.5-30.15.1 
python2-spacewalk-client-setup-4.1.5-30.15.1 python2-spacewalk-client-tools-4.1.5-30.15.1 python2-suseRegisterInfo-4.1.2-9.6.1 python2-uyuni-common-libs-4.1.5-7.12.1 python2-zypp-plugin-spacewalk-1.0.7-30.6.1 salt-2016.11.10-46.9.1 salt-doc-2016.11.10-46.9.1 salt-minion-2016.11.10-46.9.1 spacecmd-4.1.4-21.9.1 spacewalk-check-4.1.5-30.15.1 spacewalk-client-setup-4.1.5-30.15.1 spacewalk-client-tools-4.1.5-30.15.1 suseRegisterInfo-4.1.2-9.6.1 zypp-plugin-spacewalk-1.0.7-30.6.1 References: https://bugzilla.suse.com/1167556 https://bugzilla.suse.com/1168310 https://bugzilla.suse.com/1170684 https://bugzilla.suse.com/1171687 https://bugzilla.suse.com/1172462 From sle-updates at lists.suse.com Tue Jun 23 10:52:27 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 18:52:27 +0200 (CEST) Subject: SUSE-RU-2020:1716-1: moderate: Recommended update for SUSE Manager 4.1 RC Release Notes Message-ID: <20200623165227.E6188F3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for SUSE Manager 4.1 RC Release Notes ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1716-1 Rating: moderate References: #1173094 Affected Products: SUSE Manager Server 4.1 SUSE Manager Retail Branch Server 4.1 SUSE Manager Proxy 4.1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for SUSE Manager 4.1 RC Release Notes provides the following additions: - Release notes for SUSE Manager 4.1 RC (bsc#1173094) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Manager Server 4.1: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2020-1716=1 - SUSE Manager Retail Branch Server 4.1: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2020-1716=1 - SUSE Manager Proxy 4.1: zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2020-1716=1 Package List: - SUSE Manager Server 4.1 (ppc64le s390x x86_64): release-notes-susemanager-4.1.0.1-3.3.2 - SUSE Manager Retail Branch Server 4.1 (x86_64): release-notes-susemanager-proxy-4.1.0.1-3.3.2 - SUSE Manager Proxy 4.1 (x86_64): release-notes-susemanager-proxy-4.1.0.1-3.3.2 References: https://bugzilla.suse.com/1173094 From sle-updates at lists.suse.com Tue Jun 23 10:53:05 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 18:53:05 +0200 (CEST) Subject: SUSE-SU-2020:1715-1: moderate: Security Beta update for SUSE Manager Client Tools and Salt Message-ID: <20200623165305.AA6F8F3E2@maintenance.suse.de> SUSE Security Update: Security Beta update for SUSE Manager Client Tools and Salt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1715-1 Rating: moderate References: #1159284 #1165572 #1168310 #1168340 #1169604 #1169800 #1170104 #1170231 #1170288 #1170557 #1170595 #1170684 #1170824 #1171687 #1171906 #1172075 #1172462 #1173072 Cross-References: CVE-2019-10215 CVE-2019-15043 CVE-2020-11651 CVE-2020-11652 CVE-2020-12245 CVE-2020-13379 Affected Products: SUSE Manager Tools 15-BETA ______________________________________________________________________________ An update that solves 6 vulnerabilities and has 12 fixes is now available. 
Description: This update fixes the following issues: dracut-saltboot: - Print a list of available disk devices (bsc#1170824) - Install wipefs to initrd - Force install crypt modules - Add missing terminal naming modifiers as exported variables golang-github-prometheus-prometheus: - Update change log and spec file + Modified spec file: default to golang 1.14 to avoid "have choice" build issues in OBS. + Rebase and update patches for version 2.18.0 + Changed: * 0002-Default-settings.patch Changed - Update to 2.18.0 + Features * Tracing: Added experimental Jaeger support #7148 + Changes * Federation: Only use local TSDB for federation (ignore remote read). #7096 * Rules: `rule_evaluations_total` and `rule_evaluation_failures_total` have a `rule_group` label now. #7094 + Enhancements * TSDB: Significantly reduce WAL size kept around after a block cut. #7098 * Discovery: Add `architecture` meta label for EC2. #7000 + Bug fixes * UI: Fixed wrong MinTime reported by /status. #7182 * React UI: Fixed multiselect legend on OSX. #6880 * Remote Write: Fixed blocked resharding edge case. #7122 * Remote Write: Fixed remote write not updating on relabel configs change. #7073 - Changes from 2.17.2 + Bug fixes * Federation: Register federation metrics #7081 * PromQL: Fix panic in parser error handling #7132 * Rules: Fix reloads hanging when deleting a rule group that is being evaluated #7138 * TSDB: Fix a memory leak when prometheus starts with an empty TSDB WAL #7135 * TSDB: Make isolation more robust to panics in web handlers #7129 #7136 - Changes from 2.17.1 + Bug fixes * TSDB: Fix query performance regression that increased memory and CPU usage #7051 - Changes from 2.17.0 + Features * TSDB: Support isolation #6841 * This release implements isolation in TSDB. API queries and recording rules are guaranteed to only see full scrapes and full recording rules. This comes with a certain overhead in resource usage. 
Depending on the situation, there might be some increase in memory usage, CPU usage, or query latency. + Enhancements * PromQL: Allow more keywords as metric names #6933 * React UI: Add normalization of localhost URLs in targets page #6794 * Remote read: Read from remote storage concurrently #6770 * Rules: Mark deleted rule series as stale after a reload #6745 * Scrape: Log scrape append failures as debug rather than warn #6852 * TSDB: Improve query performance for queries that partially hit the head #6676 * Consul SD: Expose service health as meta label #5313 * EC2 SD: Expose EC2 instance lifecycle as meta label #6914 * Kubernetes SD: Expose service type as meta label for K8s service role #6684 * Kubernetes SD: Expose label_selector and field_selector #6807 * Openstack SD: Expose hypervisor id as meta label #6962 + Bug fixes * PromQL: Do not escape HTML-like chars in query log #6834 #6795 * React UI: Fix data table matrix values #6896 * React UI: Fix new targets page not loading when using non-ASCII characters #6892 * Remote read: Fix duplication of metrics read from remote storage with external labels #6967 #7018 * Remote write: Register WAL watcher and live reader metrics for all remotes, not just the first one #6998 * Scrape: Prevent removal of metric names upon relabeling #6891 * Scrape: Fix 'superfluous response.WriteHeader call' errors when scrape fails under some circumstances #6986 * Scrape: Fix crash when reloads are separated by two scrape intervals #7011 - Changes from 2.16.0 + Features * React UI: Support local timezone on /graph #6692 * PromQL: add absent_over_time query function #6490 * Adding optional logging of queries to their own file #6520 + Enhancements * React UI: Add support for rules page and "Xs ago" duration displays #6503 * React UI: alerts page, replace filtering togglers tabs with checkboxes #6543 * TSDB: Export metric for WAL write errors #6647 * TSDB: Improve query performance for queries that only touch the most recent 2h of data. 
#6651 * PromQL: Refactoring in parser errors to improve error messages #6634 * PromQL: Support trailing commas in grouping opts #6480 * Scrape: Reduce memory usage on reloads by reusing scrape cache #6670 * Scrape: Add metrics to track bytes and entries in the metadata cache #6675 * promtool: Add support for line-column numbers for invalid rules output #6533 * Avoid restarting rule groups when it is unnecessary #6450 + Bug fixes * React UI: Send cookies on fetch() on older browsers #6553 * React UI: adopt grafana flot fix for stacked graphs #6603 * React UI: broken graph page browser history so that back button works as expected #6659 * TSDB: ensure compactionsSkipped metric is registered, and log proper error if one is returned from head.Init #6616 * TSDB: return an error on ingesting series with duplicate labels #6664 * PromQL: Fix unary operator precedence #6579 * PromQL: Respect query.timeout even when we reach query.max-concurrency #6712 * PromQL: Fix string and parentheses handling in engine, which affected React UI #6612 * PromQL: Remove output labels returned by absent() if they are produced by multiple identical label matchers #6493 * Scrape: Validate that OpenMetrics input ends with `# EOF` #6505 * Remote read: return the correct error if configs can't be marshal'd to JSON #6622 * Remote write: Make remote client `Store` use passed context, which can affect shutdown timing #6673 * Remote write: Improve sharding calculation in cases where we would always be consistently behind by tracking pendingSamples #6511 * Ensure prometheus_rule_group metrics are deleted when a rule group is removed #6693 - Changes from 2.15.2 + Bug fixes * TSDB: Fixed support for TSDB blocks built with Prometheus before 2.1.0. #6564 * TSDB: Fixed block compaction issues on Windows. #6547 - Changes from 2.15.1 + Bug fixes * TSDB: Fixed race on concurrent queries against same data. 
#6512 - Changes from 2.15.0 + Features * API: Added new endpoint for exposing per metric metadata `/metadata`. #6420 #6442 + Changes * Discovery: Removed `prometheus_sd_kubernetes_cache_*` metrics. Additionally `prometheus_sd_kubernetes_workqueue_latency_seconds` and `prometheus_sd_kubernetes_workqueue_work_duration_seconds` metrics now show correct values in seconds. #6393 * Remote write: Changed `query` label on `prometheus_remote_storage_*` metrics to `remote_name` and `url`. #6043 + Enhancements * TSDB: Significantly reduced memory footprint of loaded TSDB blocks. #6418 #6461 * TSDB: Significantly optimized what we buffer during compaction which should result in lower memory footprint during compaction. #6422 #6452 #6468 #6475 * TSDB: Improve replay latency. #6230 * TSDB: WAL size is now used for size based retention calculation. #5886 * Remote read: Added query grouping and range hints to the remote read request #6401 * Remote write: Added `prometheus_remote_storage_sent_bytes_total` counter per queue. #6344 * promql: Improved PromQL parser performance. #6356 * React UI: Implemented missing pages like `/targets` #6276, TSDB status page #6281 #6267 and many other fixes and performance improvements. * promql: Prometheus now accepts spaces between time range and square bracket. e.g `[ 5m]` #6065 + Bug fixes * Config: Fixed alertmanager configuration to not miss targets when configurations are similar. #6455 * Remote write: Value of `prometheus_remote_storage_shards_desired` gauge shows raw value of desired shards and it's updated correctly. #6378 * Rules: Prometheus now fails the evaluation of rules and alerts where metric results collide with labels specified in `labels` field. #6469 * API: Targets Metadata API `/targets/metadata` now accepts empty `match_targets` parameter as in the spec. #6303 - Changes from 2.14.0 + Features * API: `/api/v1/status/runtimeinfo` and `/api/v1/status/buildinfo` endpoints added for use by the React UI. 
#6243 * React UI: implement the new experimental React based UI. #5694 and many more * Can be found by under `/new`. * Not all pages are implemented yet. * Status: Cardinality statistics added to the Runtime & Build Information page. #6125 + Enhancements * Remote write: fix delays in remote write after a compaction. #6021 * UI: Alerts can be filtered by state. #5758 + Bug fixes * Ensure warnings from the API are escaped. #6279 * API: lifecycle endpoints return 403 when not enabled. #6057 * Build: Fix Solaris build. #6149 * Promtool: Remove false duplicate rule warnings when checking rule files with alerts. #6270 * Remote write: restore use of deduplicating logger in remote write. #6113 * Remote write: do not reshard when unable to send samples. #6111 * Service discovery: errors are no longer logged on context cancellation. #6116, #6133 * UI: handle null response from API properly. #6071 - Changes from 2.13.1 + Bug fixes * Fix panic in ARM builds of Prometheus. #6110 * promql: fix potential panic in the query logger. #6094 * Multiple errors of http: superfluous response.WriteHeader call in the logs. #6145 - Changes from 2.13.0 + Enhancements * Metrics: renamed prometheus_sd_configs_failed_total to prometheus_sd_failed_configs and changed to Gauge #5254 * Include the tsdb tool in builds. #6089 * Service discovery: add new node address types for kubernetes. #5902 * UI: show warnings if query have returned some warnings. #5964 * Remote write: reduce memory usage of the series cache. #5849 * Remote read: use remote read streaming to reduce memory usage. #5703 * Metrics: added metrics for remote write max/min/desired shards to queue manager. #5787 * Promtool: show the warnings during label query. #5924 * Promtool: improve error messages when parsing bad rules. #5965 * Promtool: more promlint rules. #5515 + Bug fixes * UI: Fix a Stored DOM XSS vulnerability with query history [CVE-2019-10215](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10215). 
#6098 * Promtool: fix recording inconsistency due to duplicate labels. #6026 * UI: fixes service-discovery view when accessed from unhealthy targets. #5915 * Metrics format: OpenMetrics parser crashes on short input. #5939 * UI: avoid truncated Y-axis values. #6014 - Changes from 2.12.0 + Features * Track currently active PromQL queries in a log file. #5794 * Enable and provide binaries for `mips64` / `mips64le` architectures. #5792 + Enhancements * Improve responsiveness of targets web UI and API endpoint. #5740 * Improve remote write desired shards calculation. #5763 * Flush TSDB pages more precisely. tsdb#660 * Add `prometheus_tsdb_retention_limit_bytes` metric. tsdb#667 * Add logging during TSDB WAL replay on startup. tsdb#662 * Improve TSDB memory usage. tsdb#653, tsdb#643, tsdb#654, tsdb#642, tsdb#627 + Bug fixes * Check for duplicate label names in remote read. #5829 * Mark deleted rules' series as stale on next evaluation. #5759 * Fix JavaScript error when showing warning about out-of-sync server time. #5833 * Fix `promtool test rules` panic when providing empty `exp_labels`. #5774 * Only check last directory when discovering checkpoint number. #5756 * Fix error propagation in WAL watcher helper functions. #5741 * Correctly handle empty labels from alert templates. #5845 - Update Uyuni/SUSE Manager service discovery patch + Modified 0003-Add-Uyuni-service-discovery.patch: + Adapt service discovery to the new Uyuni API endpoints + Modified spec file: force golang 1.12 to fix build issues in SLE15SP2 - Update to Prometheus 2.11.2 grafana: - Update to version 7.0.3 * Features / Enhancements - Stats: include all fields. #24829, @ryantxu - Variables: change VariableEditorList row action Icon to IconButton. #25217, @hshoff * Bug fixes - Cloudwatch: Fix dimensions of DDoSProtection. #25317, @papagian - Configuration: Fix env var override of sections containing hyphen. #25178, @marefr - Dashboard: Get panels in collapsed rows. 
#25079, @peterholmberg - Do not show alerts tab when alerting is disabled. #25285, @dprokop - Jaeger: fixes cascader option label duration value. #25129, @Estrax - Transformations: Fixed Transform tab crash & no update after adding first transform. #25152, @torkelo - Update to version 7.0.2 * Bug fixes - Security: Urgent security patch release to fix CVE-2020-13379 - Update to version 7.0.1 * Features / Enhancements - Datasource/CloudWatch: Makes CloudWatch Logs query history more readable. #24795, @kaydelaney - Download CSV: Add date and time formatting. #24992, @ryantxu - Table: Make last cell value visible when right aligned. #24921, @peterholmberg - TablePanel: Adding sort order persistence. #24705, @torkelo - Transformations: Display correct field name when using reduce transformation. #25068, @peterholmberg - Transformations: Allow custom number input for binary operations. #24752, @ryantxu * Bug fixes - Dashboard/Links: Fixes dashboard links by tags not working. #24773, @KamalGalrani - Dashboard/Links: Fixes open in new window for dashboard link. #24772, @KamalGalrani - Dashboard/Links: Variables are resolved and limits to 100. #25076, @hugohaggmark - DataLinks: Bring back variables interpolation in title. #24970, @dprokop - Datasource/CloudWatch: Field suggestions no longer limited to prefix-only. #24855, @kaydelaney - Explore/Table: Keep existing field types if possible. #24944, @kaydelaney - Explore: Fix wrap lines toggle for results of queries with filter expression. #24915, @ivanahuckova - Explore: fix undo in query editor. #24797, @zoltanbedi - Explore: fix word break in type head info. #25014, @zoltanbedi - Graph: Legend decimals now work as expected. #24931, @torkelo - LoginPage: Fix hover color for service buttons. #25009, @tskarhed - LogsPanel: Fix scrollbar. #24850, @ivanahuckova - MoveDashboard: Fix for moving dashboard caused all variables to be lost. #25005, @torkelo - Organize transformer: Use display name in field order comparer.
#24984, @dprokop - Panel: shows correct panel menu items in view mode. #24912, @hugohaggmark - PanelEditor Fix missing labels and description if there is only single option in category. #24905, @dprokop - PanelEditor: Overrides name matcher still show all original field names even after Field default display name is specified. #24933, @torkelo - PanelInspector: Makes sure Data display options are visible. #24902, @hugohaggmark - PanelInspector: Hides unsupported data display options for Panel type. #24918, @hugohaggmark - PanelMenu: Make menu disappear on button press. #25015, @tskarhed - Postgres: Fix add button. #25087, @phemmer - Prometheus: Fix recording rules expansion. #24977, @ivanahuckova - Stackdriver: Fix creating Service Level Objectives (SLO) datasource query variable. #25023, @papagian - Update to version 7.0.0 * Breaking changes - Removed PhantomJS: PhantomJS was deprecated in Grafana v6.4 and starting from Grafana v7.0.0, all PhantomJS support has been removed. This means that Grafana no longer ships with a built-in image renderer, and we advise you to install the Grafana Image Renderer plugin. - Dashboard: A global minimum dashboard refresh interval is now enforced and defaults to 5 seconds. - Interval calculation: There is now a new option Max data points that controls the auto interval $__interval calculation. Interval was previously calculated by dividing the panel width by the time range. With the new max data points option it is now easy to set $__interval to a dynamic value that is time range agnostic. For example if you set Max data points to 10 Grafana will dynamically set $__interval by dividing the current time range by 10. - Datasource/Loki: Support for deprecated Loki endpoints has been removed. - Backend plugins: Grafana now requires backend plugins to be signed, otherwise Grafana will not load/start them. This is an additional security measure to make sure backend plugin binaries and files haven't been tampered with. 
Refer to Upgrade Grafana for more information. - @grafana/ui: Forms migration notice, see @grafana/ui changelog - @grafana/ui: Select API change for creating custom values, see @grafana/ui changelog + Deprecation warnings - Scripted dashboards is now deprecated. The feature is not removed but will be in a future release. We hope to address the underlying requirement of dynamic dashboards in a different way. #24059 - The unofficial first version of backend plugins together with usage of grafana/grafana-plugin-model is now deprecated and support for that will be removed in a future release. Please refer to backend plugins documentation for information about the new officially supported backend plugins. * Features / Enhancements - Backend plugins: Log deprecation warning when using the unofficial first version of backend plugins. #24675, @marefr - Editor: New line on Enter, run query on Shift+Enter. #24654, @davkal - Loki: Allow multiple derived fields with the same name. #24437, @aocenas - Orgs: Add future deprecation notice. #24502, @torkelo * Bug Fixes - @grafana/toolkit: Use process.cwd() instead of PWD to get directory. #24677, @zoltanbedi - Admin: Makes long settings values line break in settings page. #24559, @hugohaggmark - Dashboard: Allow editing provisioned dashboard JSON and add confirmation when JSON is copied to dashboard. #24680, @dprokop - Dashboard: Fix for strange "dashboard not found" errors when opening links in dashboard settings. #24416, @torkelo - Dashboard: Fix so default data source is selected when data source can't be found in panel editor. #24526, @mckn - Dashboard: Fixed issue changing a panel from transparent back to normal in panel editor. #24483, @torkelo - Dashboard: Make header names reflect the field name when exporting to CSV file from the panel inspector. #24624, @peterholmberg - Dashboard: Make sure side pane is displayed with tabs by default in panel editor.
#24636, @dprokop - Data source: Fix query/annotation help content formatting. #24687, @AgnesToulet - Data source: Fixes async mount errors. #24579, @Estrax - Data source: Fixes saving a data source without failure when URL doesn't specify a protocol. #24497, @aknuds1 - Explore/Prometheus: Show results of instant queries only in table. #24508, @ivanahuckova - Explore: Fix rendering of react query editors. #24593, @ivanahuckova - Explore: Fixes loading more logs in logs context view. #24135, @Estrax - Graphite: Fix schema and dedupe strategy in rollup indicators for Metrictank queries. #24685, @torkelo - Graphite: Makes query annotations work again. #24556, @hugohaggmark - Logs: Clicking "Load more" from context overlay doesn't expand log row. #24299, @kaydelaney - Logs: Fix total bytes process calculation. #24691, @davkal - Org/user/team preferences: Fixes so UI Theme can be set back to Default. #24628, @AgnesToulet - Plugins: Fix manifest validation. #24573, @aknuds1 - Provisioning: Use proxy as default access mode in provisioning. #24669, @bergquist - Search: Fix select item when pressing enter and Grafana is served using a sub path. #24634, @tskarhed - Search: Save folder expanded state. #24496, @Clarity-89 - Security: Tag value sanitization fix in OpenTSDB data source. #24539, @rotemreiss - Table: Do not include angular options in options when switching from angular panel. #24684, @torkelo - Table: Fixed persisting column resize for time series fields. #24505, @torkelo - Table: Fixes Cannot read property subRows of null. #24578, @hugohaggmark - Time picker: Fixed so you can enter a relative range in the time picker without being converted to absolute range. #24534, @mckn - Transformations: Make transform dropdowns not cropped. #24615, @dprokop - Transformations: Sort order should be preserved as entered by user when using the reduce transformation. #24494, @hugohaggmark - Units: Adds scale symbol for currencies with suffixed symbol. 
#24678, @hugohaggmark - Variables: Fixes filtering options with more than 1000 entries. #24614, @hugohaggmark - Variables: Fixes so Textbox variables read value from url. #24623, @hugohaggmark - Zipkin: Fix error when span contains remoteEndpoint. #24524, @aocenas - SAML: Switch from email to login for user login attribute mapping (Enterprise) - Update Makefile and spec file * Remove phantomJS patch from Makefile * Fix multiline strings in Makefile * Exclude s390 from SLE12 builds, golang 1.14 is not built for s390 - Add instructions for patching the Grafana javascript frontend. - BuildRequires golang(API) instead of go metapackage version range * BuildRequires: golang(API) >= 1.14 from BuildRequires: ( go >= 1.14 with go < 1.15 ) - Update to version 6.7.3 - This version fixes bsc#1170557 and its corresponding CVE-2020-12245 - Admin: Fix Synced via LDAP message for non-LDAP external users. #23477, @alexanderzobnin - Alerting: Fixes notifications for alerts with empty message in Google Hangouts notifier. #23559, @hugohaggmark - AuthProxy: Fixes bug where long username could not be cached.. #22926, @jcmcken - Dashboard: Fix saving dashboard when editing raw dashboard JSON model. #23314, @peterholmberg - Dashboard: Try to parse 8 and 15 digit numbers as timestamps if parsing of time range as date fails. #21694, @jessetan - DashboardListPanel: Fixed problem with empty panel after going into edit mode (General folder filter being automatically added) . #23426, @torkelo - Data source: Handle datasource withCredentials option properly. #23380, @hvtuananh - Security: Fix annotation popup XSS vulnerability. #23813, @torkelo - Server: Exit Grafana with status code 0 if no error. #23312, @aknuds1 - TablePanel: Fix XSS issue in header column rename (backport). #23814, @torkelo - Variables: Fixes error when setting adhoc variable values. 
#23580, @hugohaggmark - Update to version 6.7.2: (see installed changelog for the full list of changes) - BackendSrv: Adds config to response to fix issue for external plugins that used this property . #23032, @torkelo - Dashboard: Fixed issue with saving new dashboard after changing title . #23104, @dprokop - DataLinks: make sure we use the correct datapoint when dataset contains null value.. #22981, @mckn - Plugins: Fixed issue for plugins that imported dateMath util . #23069, @mckn - Security: Fix for dashboard snapshot original dashboard link could contain XSS vulnerability in url. #23254, @torkelo - Variables: Fixes issue with too many queries being issued for nested template variables after value change. #23220, @torkelo - Plugins: Expose promiseToDigest. #23249, @torkelo - Reporting (Enterprise): Fixes issue updating a report created by someone else - Update to 6.7.1: (see installed changelog for the full list of changes) Bug Fixes - Azure: Fixed dropdowns not showing current value. #22914, @torkelo - BackendSrv: only add content-type on POST, PUT requests. #22910, @hugohaggmark - Panels: Fixed size issue with panel internal size when exiting panel edit mode. #22912, @torkelo - Reporting: fixes migrations compatibility with mysql (Enterprise) - Reporting: Reduce default concurrency limit to 4 (Enterprise) - Update to 6.7.0: (see installed changelog for the full list of changes) Bug Fixes - AngularPanels: Fixed inner height calculation for angular panels . #22796, @torkelo - BackendSrv: makes sure provided headers are correctly recognized and set. #22778, @hugohaggmark - Forms: Fix input suffix position (caret-down in Select) . #22780, @torkelo - Graphite: Fixed issue with query editor and next select metric now showing after selecting metric node . #22856, @torkelo - Rich History: UX adjustments and fixes. 
#22729, @ivanahuckova - Update to 6.7.0-beta1: Breaking changes - Slack: Removed Mention setting and instead introduce Mention Users, Mention Groups, and Mention Channel. The first two settings require user and group IDs, respectively. This change was necessary because the way of mentioning via the Slack API changed and mentions in Slack notifications no longer worked. - Alerting: Reverts the behavior of diff and percent_diff to not always be absolute. Something we introduced by mistake in 6.1.0. Alerting now support diff(), diff_abs(), percent_diff() and percent_diff_abs(). #21338 - Notice about changes in backendSrv for plugin authors In our mission to migrate away from AngularJS to React we have removed all AngularJS dependencies in the core data retrieval service backendSrv. Removing the AngularJS dependencies in backendSrv has the unfortunate side effect of AngularJS digest no longer being triggered for any request made with backendSrv. Because of this, external plugins using backendSrv directly may suffer from strange behaviour in the UI. To remedy this issue, as a plugin author you need to trigger the digest after a direct call to backendSrv. Bug Fixes API: Fix redirect issues. #22285, @papagian Alerting: Don't include image_url field with Slack message if empty. #22372, @aknuds1 Alerting: Fixed bad background color for default notifications in alert tab . #22660, @krvajal Annotations: In table panel when setting transform to annotation, they will now show up right away without a manual refresh. #22323, @krvajal Azure Monitor: Fix app insights source to allow for new __timeFrom and __timeTo. #21879, @ChadNedzlek BackendSrv: Fixes POST body for form data. #21714, @hugohaggmark CloudWatch: Credentials cache invalidation fix. #22473, @sunker CloudWatch: Expand alias variables when query yields no result. #22695, @sunker Dashboard: Fix bug with NaN in alerting. #22053, @a-melnyk Explore: Fix display of multiline logs in log panel and explore. 
#22057, @thomasdraebing Heatmap: Legend color range is incorrect when using custom min/max. #21748, @sv5d Security: Fixed XSS issue in dashboard history diff . #22680, @torkelo StatPanel: Fixes base color is being used for null values . #22646, @torkelo - Update to version 6.6.2: (see installed changelog for the full list of changes) - Update to version 6.6.1: (see installed changelog for the full list of changes) - Update to version 6.6.0: (see installed changelog for the full list of changes) - Update to version 6.5.3: (see installed changelog for the full list of changes) - Update to version 6.5.2: (see installed changelog for the full list of changes) - Update to version 6.5.1: (see installed changelog for the full list of changes) - Update to version 6.5.0 (see installed changelog for the full list of changes) - Update to version 6.4.5: * Create version 6.4.5 * CloudWatch: Fix high CPU load (#20579) - Add obs-service-go_modules to download required modules into vendor.tar.gz - Adjusted spec file to use vendor.tar.gz - Adjusted Makefile to work with new filenames - BuildRequire go1.14 - Update to version 6.4.4: * DataLinks: Fix blur issues. #19883, @aocenas * Docker: Makes it possible to parse timezones in the docker image. #20081, @xlson * LDAP: All LDAP servers should be tried even if one of them returns a connection error. #20077, @jongyllen * LDAP: No longer shows incorrectly matching groups based on role in debug page. #20018, @xlson * Singlestat: Fix no data / null value mapping . #19951, @ryantxu - Revert the spec file and make script - Remove PhantomJS dependency - Update to 6.4.3 * Bug Fixes - Alerting: All notification channels should send even if one fails to send. #19807, @jan25 - AzureMonitor: Fix slate interference with dropdowns. #19799, @aocenas - ContextMenu: make ContextMenu positioning aware of the viewport width. #19699, @krvajal - DataLinks: Fix context menu not showing in singlestat-ish visualisations. 
#19809, @dprokop - DataLinks: Fix url field not releasing focus. #19804, @aocenas - Datasource: Fixes clicking outside of some query editors required 2 clicks. #19822, @aocenas - Panels: Fixes default tab for visualizations without Queries Tab. #19803, @hugohaggmark - Singlestat: Fixed issue with mapping null to text. #19689, @torkelo - @grafana/toolkit: Don't fail plugin creation when git user.name config is not set. #19821, @dprokop - @grafana/toolkit: TSLint line number off by 1. #19782, @fredwangwang - Update to 6.4.2 * Bug Fixes - CloudWatch: Changes incorrect dimension wmlid to wlmid . #19679, @ATTron - Grafana Image Renderer: Fixes plugin page. #19664, @hugohaggmark - Graph: Fixes auto decimals logic for y axis ticks that results in too many decimals for high values. #19618, @torkelo - Graph: Switching to series mode should re-render graph. #19623, @torkelo - Loki: Fix autocomplete on label values. #19579, @aocenas - Loki: Removes live option for logs panel. #19533, @davkal - Profile: Fix issue with user profile not showing more than sessions sessions in some cases. #19578, @huynhsamha - Prometheus: Fixes so results in Panel always are sorted by query order. #19597, @hugohaggmark - ShareQuery: Fixed issue when using -- Dashboard -- datasource (to share query result) when dashboard had rows. #19610, @torkelo - Show SAML login button if SAML is enabled. #19591, @papagian - SingleStat: Fixes postfix/prefix usage. #19687, @hugohaggmark - Table: Proper handling of json data with dataframes. #19596, @marefr - Units: Fixed wrong id for Terabits/sec. #19611, @andreaslangnevyjel - Changes from 6.4.1 * Bug Fixes - Provisioning: Fixed issue where empty nested keys in YAML provisioning caused a server crash, #19547 - ImageRendering: Fixed issue with image rendering in enterprise build (Enterprise) - Reporting: Fixed issue with reporting service when STMP was disabled (Enterprise). - Changes from 6.4.0 * Features / Enhancements - Build: Upgrade go to 1.12.10. 
#19499, @marefr - DataLinks: Suggestions menu improvements. #19396, @dprokop - Explore: Take root_url setting into account when redirecting from dashboard to explore. #19447, @ivanahuckova - Explore: Update broken link to logql docs. #19510, @ivanahuckova - Logs: Adds Logs Panel as a visualization. #19504, @davkal * Bug Fixes - CLI: Fix version selection for plugin install. #19498, @aocenas - Graph: Fixes minor issue with series override color picker and custom color . #19516, @torkelo - Changes from 6.4.0 Beta 2 * Features / Enhancements - Azure Monitor: Remove support for cross resource queries (#19115)". #19346, @sunker - Docker: Upgrade packages to resolve reported vulnerabilities. #19188, @marefr - Graphite: Time range expansion reduced from 1 minute to 1 second. #19246, @torkelo - grafana/toolkit: Add plugin creation task. #19207, @dprokop * Bug Fixes - Alerting: Prevents creating alerts from unsupported queries. #19250, @hugohaggmark - Alerting: Truncate PagerDuty summary when greater than 1024 characters. #18730, @nvllsvm - Cloudwatch: Fix autocomplete for Gamelift dimensions. #19146, @kevinpz - Dashboard: Fix export for sharing when panels use default data source. #19315, @torkelo - Database: Rewrite system statistics query to perform better. #19178, @papagian - Gauge/BarGauge: Fix issue with [object Object] in titles . #19217, @ryantxu - MSSQL: Revert usage of new connectionstring format introduced by #18384. #19203, @marefr - Multi-LDAP: Do not fail-fast on invalid credentials. #19261, @gotjosh - MySQL, Postgres, MSSQL: Fix validating query with template variables in alert . #19237, @marefr - MySQL, Postgres: Update raw sql when query builder updates. #19209, @marefr - MySQL: Limit datasource error details returned from the backend. #19373, @marefr - Changes from 6.4.0 Beta 1 * Features / Enhancements - API: Readonly datasources should not be created via the API. #19006, @papagian - Alerting: Include configured AlertRuleTags in Webhooks notifier. 
#18233, @dominic-miglar - Annotations: Add annotations support to Loki. #18949, @aocenas - Annotations: Use a single row to represent a region. #17673, @ryantxu - Auth: Allow inviting existing users when login form is disabled. #19048, @548017 - Azure Monitor: Add support for cross resource queries. #19115, @sunker - CLI: Allow installing custom binary plugins. #17551, @aocenas - Dashboard: Adds Logs Panel (alpha) as visualization option for Dashboards. #18641, @hugohaggmark - Dashboard: Reuse query results between panels. #16660, @ryantxu - Dashboard: Set time to 23:59:59 when setting To time using calendar. #18595, @simPod - DataLinks: Add DataLinks support to Gauge, BarGauge and SingleStat2 panel. #18605, @ryantxu - DataLinks: Enable access to labels & field names. #18918, @torkelo - DataLinks: Enable multiple data links per panel. #18434, @dprokop - Docker: switch docker image to alpine base with phantomjs support. #18468, @DanCech - Elasticsearch: allow templating queries to order by doc_count. #18870, @hackery - Explore: Add throttling when doing live queries. #19085, @aocenas - Explore: Adds ability to go back to dashboard, optionally with query changes. #17982, @kaydelaney - Explore: Reduce default time range to last hour. #18212, @davkal - Gauge/BarGauge: Support decimals for min/max. #18368, @ryantxu - Graph: New series override transform constant that renders a single point as a line across the whole graph. #19102, @davkal - Image rendering: Add deprecation warning when PhantomJS is used for rendering images. #18933, @papagian - InfluxDB: Enable interpolation within ad-hoc filter values. #18077, @kvc-code - LDAP: Allow a user to be synchronized against LDAP. #18976, @gotjosh - Ldap: Add ldap debug page. #18759, @peterholmberg - Loki: Remove prefetching of default label values. #18213, @davkal - Metrics: Add failed alert notifications metric. #18089, @koorgoo - OAuth: Support JMES path lookup when retrieving user email.
#14683, @bobmshannon - OAuth: return GitLab groups as a part of user info (enable team sync). #18388, @alexanderzobnin - Panels: Add unit for electrical charge - ampere-hour. #18950, @anirudh-ramesh - Plugin: AzureMonitor - Reapply MetricNamespace support. #17282, @raphaelquati - Plugins: better warning when plugins fail to load. #18671, @ryantxu - Postgres: Add support for scram sha 256 authentication. #18397, @nonamef - RemoteCache: Support SSL with Redis. #18511, @kylebrandt - SingleStat: The gauge option in now disabled/hidden (unless it's an old panel with it already enabled) . #18610, @ryantxu - Stackdriver: Add extra alignment period options. #18909, @sunker - Units: Add South African Rand (ZAR) to currencies. #18893, @jeteon - Units: Adding T,P,E,Z,and Y bytes. #18706, @chiqomar * Bug Fixes - Alerting: Notification is sent when state changes from no_data to ok. #18920, @papagian - Alerting: fix duplicate alert states when the alert fails to save to the database. #18216, @kylebrandt - Alerting: fix response popover prompt when add notification channels. #18967, @lzdw - CloudWatch: Fix alerting for queries with Id (using GetMetricData). #17899, @alex-berger - Explore: Fix auto completion on label values for Loki. #18988, @aocenas - Explore: Fixes crash using back button with a zoomed in graph. #19122, @hugohaggmark - Explore: Fixes so queries in Explore are only run if Graph/Table is shown. #19000, @hugohaggmark - MSSQL: Change connectionstring to URL format to fix using passwords with semicolon. #18384, @Russiancold - MSSQL: Fix memory leak when debug enabled. #19049, @briangann - Provisioning: Allow escaping literal '$' with '$$' in configs to avoid interpolation. #18045, @kylebrandt - TimePicker: Fixes hiding time picker dropdown in FireFox. #19154, @hugohaggmark * Breaking changes + Annotations There are some breaking changes in the annotations HTTP API for region annotations. 
Region annotations are now represented using a single event instead of two separate events. Check breaking changes in HTTP API below and HTTP API documentation for more details. + Docker Grafana is now using Alpine 3.10 as docker base image. + HTTP API - GET /api/alert-notifications now requires at least editor access. New /api/alert-notifications/lookup returns less information than /api/alert-notifications and can be accessed by any authenticated user. - GET /api/alert-notifiers now requires at least editor access - GET /api/org/users now requires org admin role. New /api/org/users/lookup returns less information than /api/org/users and can be accessed by users that are org admins, admin in any folder or admin of any team. - GET /api/annotations no longer returns regionId property. - POST /api/annotations no longer supports isRegion property. - PUT /api/annotations/:id no longer supports isRegion property. - PATCH /api/annotations/:id no longer supports isRegion property. - DELETE /api/annotations/region/:id has been removed. * Deprecation notes + PhantomJS - PhantomJS, which is used for rendering images of dashboards and panels, is deprecated and will be removed in a future Grafana release. A deprecation warning will from now on be logged when Grafana starts up if PhantomJS is in use. Please consider migrating from PhantomJS to the Grafana Image Renderer plugin. - Changes from 6.3.6 * Features / Enhancements - Metrics: Adds setting for turning off total stats metrics. #19142, @marefr * Bug Fixes - Database: Rewrite system statistics query to perform better. #19178, @papagian - Explore: Fixes error when switching from prometheus to loki data sources. #18599, @kaydelaney - Rebase package spec. Use mostly from fedora, fix suse specified things and fix some errors. - Add missing directories provisioning/datasources and provisioning/notifiers and sample.yaml as described in packaging/rpm/control from upstream. Missing directories are shown in logfiles.
- Version 6.3.5 * Upgrades + Build: Upgrade to go 1.12.9. * Bug Fixes + Dashboard: Fixes dashboards init failed loading error for dashboards with panel links that had missing properties. + Editor: Fixes issue where only entire lines were being copied. + Explore: Fixes query field layout in splitted view for Safari browsers. + LDAP: multildap + ldap integration. + Profile/UserAdmin: Fix for user agent parser crashes grafana-server on 32-bit builds. + Prometheus: Prevents panel editor crash when switching to Prometheus datasource. + Prometheus: Changes brace-insertion behavior to be less annoying. - Version 6.3.4 * Security: CVE-2019-15043 - Parts of the HTTP API allow unauthenticated use. - Version 6.3.3 * Bug Fixes + Annotations: Fix failing annotation query when time series query is cancelled. #18532, @dprokop + Auth: Do not set SameSite cookie attribute if cookie_samesite is none. #18462, @papagian + DataLinks: Apply scoped variables to data links correctly. #18454, @dprokop + DataLinks: Respect timezone when displaying datapoint's timestamp in graph context menu. #18461, @dprokop + DataLinks: Use datapoint timestamp correctly when interpolating variables. #18459, @dprokop + Explore: Fix loading error for empty queries. #18488, @davkal + Graph: Fixes legend issue clicking on series line icon and issue with horizontal scrollbar being visible on windows. #18563, @torkelo + Graphite: Avoid glob of single-value array variables. #18420, @gotjosh + Prometheus: Fix queries with label_replace remove the $1 match when loading query editor. #18480, @hugohaggmark + Prometheus: More consistently allows for multi-line queries in editor. #18362, @kaydelaney + TimeSeries: Assume values are all numbers. #18540, @ryantxu - Version 6.3.2 * Bug Fixes + Gauge/BarGauge: Fixes issue with lost thresholds and issue loading Gauge with avg stat.
#18375 - Version 6.3.1 * Bug Fixes + PanelLinks: Fix crash issue Gauge & Bar Gauge for panels with panel links (drill down links). #18430 - Version 6.3.0 * Features / Enhancements + OAuth: Do not set SameSite OAuth cookie if cookie_samesite is None. #18392, @papagian + Auth Proxy: Include additional headers as part of the cache key. #18298, @gotjosh + Build grafana images consistently. #18224, @hassanfarid + Docs: SAML. #18069, @gotjosh + Permissions: Show plugins in nav for non admin users but hide plugin configuration. #18234, @aocenas + TimePicker: Increase max height of quick range dropdown. #18247, @torkelo + Alerting: Add tags to alert rules. #10989, @Thib17 + Alerting: Attempt to send email notifications to all given email addresses. #16881, @zhulongcheng + Alerting: Improve alert rule testing. #16286, @marefr + Alerting: Support for configuring content field for Discord alert notifier. #17017, @jan25 + Alertmanager: Replace illegal chars with underscore in label names. #17002, @bergquist + Auth: Allow expiration of API keys. #17678, @papagian + Auth: Return device, os and browser when listing user auth tokens in HTTP API. #17504, @shavonn + Auth: Support list and revoke of user auth tokens in UI. #17434, @shavonn + AzureMonitor: change clashing built-in Grafana variables/macro names for Azure Logs. #17140, @shavonn + CloudWatch: Made region visible for AWS Cloudwatch Expressions. #17243, @utkarshcmu + Cloudwatch: Add AWS DocDB metrics. #17241, @utkarshcmu + Dashboard: Use timezone dashboard setting when exporting to CSV. #18002, @dehrax + Data links. #17267, @torkelo + Docker: Switch base image to ubuntu:latest from debian:stretch to avoid security issues. #17066, @bergquist + Elasticsearch: Support for visualizing logs in Explore. #17605, @marefr + Explore: Adds Live option for supported datasources. #17062, @hugohaggmark + Explore: Adds orgId to URL for sharing purposes.
#17895, @kaydelaney + Explore: Adds support for new loki "start" and "end" params for labels endpoint. #17512, @kaydelaney + Explore: Adds support for toggling raw query mode in explore. #17870, @kaydelaney + Explore: Allow switching between metrics and logs. #16959, @marefr + Explore: Combines the timestamp and local time columns into one. #17775, @hugohaggmark + Explore: Display log lines context. #17097, @dprokop + Explore: Don't parse log levels if provided by field or label. #17180, @marefr + Explore: Improves performance of Logs element by limiting re-rendering. #17685, @kaydelaney + Explore: Support for new LogQL filtering syntax. #16674, @davkal + Explore: Use new TimePicker from Grafana/UI. #17793, @hugohaggmark + Explore: handle newlines in LogRow Highlighter. #17425, @rrfeng + Graph: Added new fill gradient option. #17528, @torkelo + GraphPanel: Don't sort series when legend table & sort column is not visible. #17095, @shavonn + InfluxDB: Support for visualizing logs in Explore. #17450, @hugohaggmark + Logging: Login and Logout actions (#17760). #17883, @ATTron + Logging: Move log package to pkg/infra. #17023, @zhulongcheng + Metrics: Expose stats about roles as metrics. #17469, @bergquist + MySQL/Postgres/MSSQL: Add parsing for day, weeks and year intervals in macros. #13086, @bernardd + MySQL: Add support for periodically reloading client certs. #14892, @tpetr + Plugins: replace dataFormats list with skipDataQuery flag in plugin.json. #16984, @ryantxu + Prometheus: Take timezone into account for step alignment. #17477, @fxmiii + Prometheus: Use overridden panel range for $__range instead of dashboard range. #17352, @patrick246 + Prometheus: added time range filter to series labels query. #16851, @FUSAKLA + Provisioning: Support folder that doesn't exist yet in dashboard provisioning. #17407, @Nexucis + Refresh picker: Handle empty intervals.
#17585, @dehrax + Singlestat: Add y min/max config to singlestat sparklines. #17527, @pitr + Snapshot: use given key and deleteKey. #16876, @zhulongcheng + Templating: Correctly display __text in multi-value variable after page reload. #17840, @EduardSergeev + Templating: Support selecting all filtered values of a multi-value variable. #16873, @r66ad + Tracing: allow propagation with Zipkin headers. #17009, @jrockway + Users: Disable users removed from LDAP. #16820, @alexanderzobnin * Bug Fixes + PanelLinks: Fix render issue when there is no panel description. #18408, @dehrax + OAuth: Fix "missing saved state" OAuth login failure due to SameSite cookie policy. #18332, @papagian + cli: fix for recognizing when in dev mode. #18334, @xlson + DataLinks: Fixes incorrect interpolation of ${__series_name}. #18251, @torkelo + Loki: Display live tailed logs in correct order in Explore. #18031, @kaydelaney + PhantomJS: Fixes rendering on Debian Buster. #18162, @xlson + TimePicker: Fixed style issue for custom range popover. #18244, @torkelo + Timerange: Fixes a bug where custom time ranges didn't respect UTC. #18248, @kaydelaney + remote_cache: Fix redis connstr parsing. #18204, @mblaschke + AddPanel: Fix issue when removing moved add panel widget. #17659, @dehrax + CLI: Fix encrypt-datasource-passwords fails with sql error. #18014, @marefr + Elasticsearch: Fix default max concurrent shard requests. #17770, @marefr + Explore: Fix browsing back to dashboard panel. #17061, @jschill + Explore: Fix filter by series level in logs graph. #17798, @marefr + Explore: Fix issues when loading and both graph/table are collapsed. #17113, @marefr + Explore: Fix selection/copy of log lines. #17121, @marefr + Fix: Wrap value of multi variable in array when coming from URL. #16992, @aocenas + Frontend: Fix for Json tree component not working. #17608, @srid12 + Graphite: Fix for issue with alias function being moved last.
#17791, @torkelo 2 + Graphite: Fixes issue with seriesByTag & function with variable param. #17795, @torkelo 2 + Graphite: use POST for /metrics/find requests. #17814 2, @papagian 3 + HTTP Server: Serve Grafana with a custom URL path prefix. #17048 6, @jan25 + InfluxDB: Fixes single quotes are not escaped in label value filters. #17398 1, @Panzki + Prometheus: Correctly escape '|' literals in interpolated PromQL variables. #16932, @Limess + Prometheus: Fix when adding label for metrics which contains colons in Explore. #16760, @tolwi + SinglestatPanel: Remove background color when value turns null. #17552 1, @druggieri - Make phantomjs dependency configurable - Create plugin directory and clean up (create in %install, add to %files) handling of /var/lib/grafana/* and koan: - Calculate relative path for kernel and inited when generating grub entry (bsc#1170231) Added: fix-grub2-entry-paths.diff - Fix os-release version detection for SUSE Modified: sles15.patch salt: - Require python3-distro only for TW (bsc#1173072) - Various virt backports from 3000.2 - Avoid traceback on debug logging for swarm module (bsc#1172075) - Add publish_batch to ClearFuncs exposed methods - Zypperpkg: filter patterns that start with dot (bsc#1171906) - Batch mode now also correctly provides return value (bsc#1168340) - Add docker.logout to docker execution module (bsc#1165572) - Testsuite fix - Add option to enable/disable force refresh for zypper - Python3.8 compatibility changes - Prevent spurious "salt-api" stuck processes when managing SSH minions because of logging deadlock (bsc#1159284) - Avoid segfault from "salt-api" under certain conditions of heavy load managing SSH minions (bsc#1169604) - Revert broken changes to slspath made on Salt 3000 (saltstack/salt#56341) (bsc#1170104) - Returns the list of IPs filtered by the optional network list - Fix CVE-2020-11651 and CVE-2020-11652 (bsc#1170595) - Do not require vendored backports-abc (bsc#1170288) - Fix partition.mkpart to 
work without fstype (bsc#1169800) spacecmd: - Only report real error, not result (bsc#1171687) - Use defined return values for spacecmd methods so scripts can check for failure (bsc#1171687) spacewalk-client-tools: - Use 'int' instead of 'long' on rhn_check for both Python 2 and 3 suseRegisterInfo: - SuseRegisterInfo only needs perl-base, not full perl (bsc#1168310) uyuni-common-libs: - Uyuni-common-libs obsoletes python3-spacewalk-usix and python3-spacewalk-backend-libs (bsc#1170684) - Reposync speedup fixes zypp-plugin-spacewalk: - Prevent issue with non-ASCII characters in Python 2 systems (bsc#1172462) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Tools 15-BETA: zypper in -t patch SUSE-SLE-Manager-Tools-15-2020-1715=1 Package List: - SUSE Manager Tools 15-BETA (aarch64 ppc64le s390x x86_64): golang-github-prometheus-prometheus-2.18.0-6.6.2 grafana-7.0.3-4.3.2 grafana-debuginfo-7.0.3-4.3.2 python2-salt-3000-8.20.1 python3-salt-3000-8.20.1 python3-uyuni-common-libs-4.1.5-3.12.2 salt-3000-8.20.1 salt-api-3000-8.20.1 salt-cloud-3000-8.20.1 salt-doc-3000-8.20.1 salt-master-3000-8.20.1 salt-minion-3000-8.20.1 salt-proxy-3000-8.20.1 salt-ssh-3000-8.20.1 salt-standalone-formulas-configuration-3000-8.20.1 salt-syndic-3000-8.20.1 - SUSE Manager Tools 15-BETA (noarch): dracut-saltboot-0.1.1590413773.a959db7-3.18.2 koan-2.9.0-7.6.2 python3-spacewalk-check-4.1.5-6.15.2 python3-spacewalk-client-setup-4.1.5-6.15.2 python3-spacewalk-client-tools-4.1.5-6.15.2 python3-suseRegisterInfo-4.1.2-6.6.2 python3-zypp-plugin-spacewalk-1.0.7-6.6.2 salt-bash-completion-3000-8.20.1 salt-fish-completion-3000-8.20.1 salt-zsh-completion-3000-8.20.1 spacecmd-4.1.4-6.9.2 spacewalk-check-4.1.5-6.15.2 spacewalk-client-setup-4.1.5-6.15.2 spacewalk-client-tools-4.1.5-6.15.2 suseRegisterInfo-4.1.2-6.6.2 
zypp-plugin-spacewalk-1.0.7-6.6.2 References: https://www.suse.com/security/cve/CVE-2019-10215.html https://www.suse.com/security/cve/CVE-2019-15043.html https://www.suse.com/security/cve/CVE-2020-11651.html https://www.suse.com/security/cve/CVE-2020-11652.html https://www.suse.com/security/cve/CVE-2020-12245.html https://www.suse.com/security/cve/CVE-2020-13379.html https://bugzilla.suse.com/1159284 https://bugzilla.suse.com/1165572 https://bugzilla.suse.com/1168310 https://bugzilla.suse.com/1168340 https://bugzilla.suse.com/1169604 https://bugzilla.suse.com/1169800 https://bugzilla.suse.com/1170104 https://bugzilla.suse.com/1170231 https://bugzilla.suse.com/1170288 https://bugzilla.suse.com/1170557 https://bugzilla.suse.com/1170595 https://bugzilla.suse.com/1170684 https://bugzilla.suse.com/1170824 https://bugzilla.suse.com/1171687 https://bugzilla.suse.com/1171906 https://bugzilla.suse.com/1172075 https://bugzilla.suse.com/1172462 https://bugzilla.suse.com/1173072 From sle-updates at lists.suse.com Tue Jun 23 10:55:38 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 18:55:38 +0200 (CEST) Subject: SUSE-RU-2020:1727-1: moderate: Recommended update for python3-gcemetadata Message-ID: <20200623165538.B535DF3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for python3-gcemetadata ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1727-1 Rating: moderate References: #1173136 Affected Products: SUSE Linux Enterprise Module for Public Cloud 15-SP2 SUSE Linux Enterprise Module for Public Cloud 15-SP1 SUSE Linux Enterprise Module for Public Cloud 15 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for python3-gcemetadata fixes the following issues: Update to version 1.0.4 (bsc#1173136) - Fixed typo, missing "=" for "identity" option in processed command line options causes mis-identification of instance as missing identity data access Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Public Cloud 15-SP2: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2020-1727=1 - SUSE Linux Enterprise Module for Public Cloud 15-SP1: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-1727=1 - SUSE Linux Enterprise Module for Public Cloud 15: zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2020-1727=1 Package List: - SUSE Linux Enterprise Module for Public Cloud 15-SP2 (noarch): python3-gcemetadata-1.0.4-3.9.1 - SUSE Linux Enterprise Module for Public Cloud 15-SP1 (noarch): python3-gcemetadata-1.0.4-3.9.1 - SUSE Linux Enterprise Module for Public Cloud 15 (noarch): python3-gcemetadata-1.0.4-3.9.1 References: https://bugzilla.suse.com/1173136 From sle-updates at lists.suse.com Tue Jun 23 13:12:34 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 23 Jun 2020 21:12:34 +0200 (CEST) Subject: SUSE-RU-2020:1729-1: moderate: Recommended update for release-notes-caasp Message-ID: <20200623191234.1DF49F3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for release-notes-caasp ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1729-1 Rating: moderate References: #1172270 #1172801 #1172972 Affected Products: SUSE CaaS Platform 4.0 ______________________________________________________________________________ An update that has three recommended fixes can now be installed. 
Description: This update for release-notes-caasp fixes the following issues: - Some links were broken (bsc#1172972) - Remove architecture related links (bsc#1172801) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: - SUSE CaaS Platform 4.0 (noarch): release-notes-caasp-4.2.20200616-4.51.1 References: https://bugzilla.suse.com/1172270 https://bugzilla.suse.com/1172801 https://bugzilla.suse.com/1172972 From sle-updates at lists.suse.com Wed Jun 24 07:12:43 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 24 Jun 2020 15:12:43 +0200 (CEST) Subject: SUSE-SU-2020:1732-1: important: Security update for curl Message-ID: <20200624131243.88058F3E2@maintenance.suse.de> SUSE Security Update: Security update for curl ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1732-1 Rating: important References: #1173027 Cross-References: CVE-2020-8177 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for curl fixes the following issues: - CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1732=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1732=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1732=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1732=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1732=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1732=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1732=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1732=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1732=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1732=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1732=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): curl-7.37.0-37.47.1 curl-debuginfo-7.37.0-37.47.1 curl-debugsource-7.37.0-37.47.1 libcurl4-32bit-7.37.0-37.47.1 libcurl4-7.37.0-37.47.1 libcurl4-debuginfo-32bit-7.37.0-37.47.1 libcurl4-debuginfo-7.37.0-37.47.1 - SUSE OpenStack Cloud 8 (x86_64): curl-7.37.0-37.47.1 curl-debuginfo-7.37.0-37.47.1 curl-debugsource-7.37.0-37.47.1 libcurl4-32bit-7.37.0-37.47.1 libcurl4-7.37.0-37.47.1 libcurl4-debuginfo-32bit-7.37.0-37.47.1 libcurl4-debuginfo-7.37.0-37.47.1 - SUSE OpenStack Cloud 7 (s390x x86_64): 
curl-7.37.0-37.47.1 curl-debuginfo-7.37.0-37.47.1 curl-debugsource-7.37.0-37.47.1 libcurl4-32bit-7.37.0-37.47.1 libcurl4-7.37.0-37.47.1 libcurl4-debuginfo-32bit-7.37.0-37.47.1 libcurl4-debuginfo-7.37.0-37.47.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): curl-7.37.0-37.47.1 curl-debuginfo-7.37.0-37.47.1 curl-debugsource-7.37.0-37.47.1 libcurl4-7.37.0-37.47.1 libcurl4-debuginfo-7.37.0-37.47.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (x86_64): libcurl4-32bit-7.37.0-37.47.1 libcurl4-debuginfo-32bit-7.37.0-37.47.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): curl-7.37.0-37.47.1 curl-debuginfo-7.37.0-37.47.1 curl-debugsource-7.37.0-37.47.1 libcurl4-7.37.0-37.47.1 libcurl4-debuginfo-7.37.0-37.47.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64): libcurl4-32bit-7.37.0-37.47.1 libcurl4-debuginfo-32bit-7.37.0-37.47.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): curl-7.37.0-37.47.1 curl-debuginfo-7.37.0-37.47.1 curl-debugsource-7.37.0-37.47.1 libcurl4-7.37.0-37.47.1 libcurl4-debuginfo-7.37.0-37.47.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (s390x x86_64): libcurl4-32bit-7.37.0-37.47.1 libcurl4-debuginfo-32bit-7.37.0-37.47.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): curl-7.37.0-37.47.1 curl-debuginfo-7.37.0-37.47.1 curl-debugsource-7.37.0-37.47.1 libcurl4-32bit-7.37.0-37.47.1 libcurl4-7.37.0-37.47.1 libcurl4-debuginfo-32bit-7.37.0-37.47.1 libcurl4-debuginfo-7.37.0-37.47.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): curl-7.37.0-37.47.1 curl-debuginfo-7.37.0-37.47.1 curl-debugsource-7.37.0-37.47.1 libcurl4-7.37.0-37.47.1 libcurl4-debuginfo-7.37.0-37.47.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x x86_64): libcurl4-32bit-7.37.0-37.47.1 libcurl4-debuginfo-32bit-7.37.0-37.47.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): curl-7.37.0-37.47.1 curl-debuginfo-7.37.0-37.47.1 curl-debugsource-7.37.0-37.47.1 libcurl4-32bit-7.37.0-37.47.1 libcurl4-7.37.0-37.47.1 
libcurl4-debuginfo-32bit-7.37.0-37.47.1 libcurl4-debuginfo-7.37.0-37.47.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): curl-7.37.0-37.47.1 curl-debuginfo-7.37.0-37.47.1 curl-debugsource-7.37.0-37.47.1 libcurl4-7.37.0-37.47.1 libcurl4-debuginfo-7.37.0-37.47.1 - SUSE Enterprise Storage 5 (x86_64): libcurl4-32bit-7.37.0-37.47.1 libcurl4-debuginfo-32bit-7.37.0-37.47.1 - HPE Helion Openstack 8 (x86_64): curl-7.37.0-37.47.1 curl-debuginfo-7.37.0-37.47.1 curl-debugsource-7.37.0-37.47.1 libcurl4-32bit-7.37.0-37.47.1 libcurl4-7.37.0-37.47.1 libcurl4-debuginfo-32bit-7.37.0-37.47.1 libcurl4-debuginfo-7.37.0-37.47.1 References: https://www.suse.com/security/cve/CVE-2020-8177.html https://bugzilla.suse.com/1173027 From sle-updates at lists.suse.com Wed Jun 24 07:13:27 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 24 Jun 2020 15:13:27 +0200 (CEST) Subject: SUSE-SU-2020:1731-1: moderate: Security update for libreoffice Message-ID: <20200624131327.88C2FF3E2@maintenance.suse.de> SUSE Security Update: Security update for libreoffice ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1731-1 Rating: moderate References: #1160687 #1165870 #1167463 #1171997 Cross-References: CVE-2020-12801 Affected Products: SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Workstation Extension 12-SP4 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 ______________________________________________________________________________ An update that solves one vulnerability and has three fixes is now available. Description: This update for libreoffice to 6.4.4.2 fixes the following issues: Security issue fixed: - CVE-2020-12801: Fixed an issue with encrypted MSOffice documents that could be accidentally saved unencrypted (bsc#1171997). Non-security issues fixed: - Elements on title page mixed up (bsc#1160687). 
- Image shadow that should be invisible shown as extraneous line below (bsc#1165870). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1731=1 - SUSE Linux Enterprise Workstation Extension 12-SP4: zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1731=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1731=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1731=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): libreoffice-6.4.4.2-43.65.5 libreoffice-base-6.4.4.2-43.65.5 libreoffice-base-debuginfo-6.4.4.2-43.65.5 libreoffice-base-drivers-postgresql-6.4.4.2-43.65.5 libreoffice-base-drivers-postgresql-debuginfo-6.4.4.2-43.65.5 libreoffice-calc-6.4.4.2-43.65.5 libreoffice-calc-debuginfo-6.4.4.2-43.65.5 libreoffice-calc-extensions-6.4.4.2-43.65.5 libreoffice-debuginfo-6.4.4.2-43.65.5 libreoffice-debugsource-6.4.4.2-43.65.5 libreoffice-draw-6.4.4.2-43.65.5 libreoffice-draw-debuginfo-6.4.4.2-43.65.5 libreoffice-filters-optional-6.4.4.2-43.65.5 libreoffice-gnome-6.4.4.2-43.65.5 libreoffice-gnome-debuginfo-6.4.4.2-43.65.5 libreoffice-impress-6.4.4.2-43.65.5 libreoffice-impress-debuginfo-6.4.4.2-43.65.5 libreoffice-librelogo-6.4.4.2-43.65.5 libreoffice-mailmerge-6.4.4.2-43.65.5 libreoffice-math-6.4.4.2-43.65.5 libreoffice-math-debuginfo-6.4.4.2-43.65.5 libreoffice-officebean-6.4.4.2-43.65.5 libreoffice-officebean-debuginfo-6.4.4.2-43.65.5 libreoffice-pyuno-6.4.4.2-43.65.5 libreoffice-pyuno-debuginfo-6.4.4.2-43.65.5 libreoffice-writer-6.4.4.2-43.65.5 libreoffice-writer-debuginfo-6.4.4.2-43.65.5 libreoffice-writer-extensions-6.4.4.2-43.65.5 - SUSE Linux Enterprise Workstation Extension 12-SP5 (noarch): 
libreoffice-branding-upstream-6.4.4.2-43.65.5 libreoffice-icon-themes-6.4.4.2-43.65.5 libreoffice-l10n-af-6.4.4.2-43.65.5 libreoffice-l10n-ar-6.4.4.2-43.65.5 libreoffice-l10n-bg-6.4.4.2-43.65.5 libreoffice-l10n-ca-6.4.4.2-43.65.5 libreoffice-l10n-cs-6.4.4.2-43.65.5 libreoffice-l10n-da-6.4.4.2-43.65.5 libreoffice-l10n-de-6.4.4.2-43.65.5 libreoffice-l10n-en-6.4.4.2-43.65.5 libreoffice-l10n-es-6.4.4.2-43.65.5 libreoffice-l10n-fi-6.4.4.2-43.65.5 libreoffice-l10n-fr-6.4.4.2-43.65.5 libreoffice-l10n-gu-6.4.4.2-43.65.5 libreoffice-l10n-hi-6.4.4.2-43.65.5 libreoffice-l10n-hr-6.4.4.2-43.65.5 libreoffice-l10n-hu-6.4.4.2-43.65.5 libreoffice-l10n-it-6.4.4.2-43.65.5 libreoffice-l10n-ja-6.4.4.2-43.65.5 libreoffice-l10n-ko-6.4.4.2-43.65.5 libreoffice-l10n-lt-6.4.4.2-43.65.5 libreoffice-l10n-nb-6.4.4.2-43.65.5 libreoffice-l10n-nl-6.4.4.2-43.65.5 libreoffice-l10n-nn-6.4.4.2-43.65.5 libreoffice-l10n-pl-6.4.4.2-43.65.5 libreoffice-l10n-pt_BR-6.4.4.2-43.65.5 libreoffice-l10n-pt_PT-6.4.4.2-43.65.5 libreoffice-l10n-ro-6.4.4.2-43.65.5 libreoffice-l10n-ru-6.4.4.2-43.65.5 libreoffice-l10n-sk-6.4.4.2-43.65.5 libreoffice-l10n-sv-6.4.4.2-43.65.5 libreoffice-l10n-uk-6.4.4.2-43.65.5 libreoffice-l10n-xh-6.4.4.2-43.65.5 libreoffice-l10n-zh_CN-6.4.4.2-43.65.5 libreoffice-l10n-zh_TW-6.4.4.2-43.65.5 libreoffice-l10n-zu-6.4.4.2-43.65.5 - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64): libreoffice-6.4.4.2-43.65.5 libreoffice-base-6.4.4.2-43.65.5 libreoffice-base-debuginfo-6.4.4.2-43.65.5 libreoffice-base-drivers-postgresql-6.4.4.2-43.65.5 libreoffice-base-drivers-postgresql-debuginfo-6.4.4.2-43.65.5 libreoffice-calc-6.4.4.2-43.65.5 libreoffice-calc-debuginfo-6.4.4.2-43.65.5 libreoffice-calc-extensions-6.4.4.2-43.65.5 libreoffice-debuginfo-6.4.4.2-43.65.5 libreoffice-debugsource-6.4.4.2-43.65.5 libreoffice-draw-6.4.4.2-43.65.5 libreoffice-draw-debuginfo-6.4.4.2-43.65.5 libreoffice-filters-optional-6.4.4.2-43.65.5 libreoffice-gnome-6.4.4.2-43.65.5 libreoffice-gnome-debuginfo-6.4.4.2-43.65.5 
libreoffice-impress-6.4.4.2-43.65.5 libreoffice-impress-debuginfo-6.4.4.2-43.65.5 libreoffice-librelogo-6.4.4.2-43.65.5 libreoffice-mailmerge-6.4.4.2-43.65.5 libreoffice-math-6.4.4.2-43.65.5 libreoffice-math-debuginfo-6.4.4.2-43.65.5 libreoffice-officebean-6.4.4.2-43.65.5 libreoffice-officebean-debuginfo-6.4.4.2-43.65.5 libreoffice-pyuno-6.4.4.2-43.65.5 libreoffice-pyuno-debuginfo-6.4.4.2-43.65.5 libreoffice-writer-6.4.4.2-43.65.5 libreoffice-writer-debuginfo-6.4.4.2-43.65.5 libreoffice-writer-extensions-6.4.4.2-43.65.5 - SUSE Linux Enterprise Workstation Extension 12-SP4 (noarch): libreoffice-branding-upstream-6.4.4.2-43.65.5 libreoffice-icon-themes-6.4.4.2-43.65.5 libreoffice-l10n-af-6.4.4.2-43.65.5 libreoffice-l10n-ar-6.4.4.2-43.65.5 libreoffice-l10n-bg-6.4.4.2-43.65.5 libreoffice-l10n-ca-6.4.4.2-43.65.5 libreoffice-l10n-cs-6.4.4.2-43.65.5 libreoffice-l10n-da-6.4.4.2-43.65.5 libreoffice-l10n-de-6.4.4.2-43.65.5 libreoffice-l10n-en-6.4.4.2-43.65.5 libreoffice-l10n-es-6.4.4.2-43.65.5 libreoffice-l10n-fi-6.4.4.2-43.65.5 libreoffice-l10n-fr-6.4.4.2-43.65.5 libreoffice-l10n-gu-6.4.4.2-43.65.5 libreoffice-l10n-hi-6.4.4.2-43.65.5 libreoffice-l10n-hr-6.4.4.2-43.65.5 libreoffice-l10n-hu-6.4.4.2-43.65.5 libreoffice-l10n-it-6.4.4.2-43.65.5 libreoffice-l10n-ja-6.4.4.2-43.65.5 libreoffice-l10n-ko-6.4.4.2-43.65.5 libreoffice-l10n-lt-6.4.4.2-43.65.5 libreoffice-l10n-nb-6.4.4.2-43.65.5 libreoffice-l10n-nl-6.4.4.2-43.65.5 libreoffice-l10n-nn-6.4.4.2-43.65.5 libreoffice-l10n-pl-6.4.4.2-43.65.5 libreoffice-l10n-pt_BR-6.4.4.2-43.65.5 libreoffice-l10n-pt_PT-6.4.4.2-43.65.5 libreoffice-l10n-ro-6.4.4.2-43.65.5 libreoffice-l10n-ru-6.4.4.2-43.65.5 libreoffice-l10n-sk-6.4.4.2-43.65.5 libreoffice-l10n-sv-6.4.4.2-43.65.5 libreoffice-l10n-uk-6.4.4.2-43.65.5 libreoffice-l10n-xh-6.4.4.2-43.65.5 libreoffice-l10n-zh_CN-6.4.4.2-43.65.5 libreoffice-l10n-zh_TW-6.4.4.2-43.65.5 libreoffice-l10n-zu-6.4.4.2-43.65.5 - SUSE Linux Enterprise Software Development Kit 12-SP5 (x86_64): 
libreoffice-debuginfo-6.4.4.2-43.65.5 libreoffice-debugsource-6.4.4.2-43.65.5 libreoffice-sdk-6.4.4.2-43.65.5 libreoffice-sdk-debuginfo-6.4.4.2-43.65.5 - SUSE Linux Enterprise Software Development Kit 12-SP4 (x86_64): libreoffice-debuginfo-6.4.4.2-43.65.5 libreoffice-debugsource-6.4.4.2-43.65.5 libreoffice-sdk-6.4.4.2-43.65.5 libreoffice-sdk-debuginfo-6.4.4.2-43.65.5 References: https://www.suse.com/security/cve/CVE-2020-12801.html https://bugzilla.suse.com/1160687 https://bugzilla.suse.com/1165870 https://bugzilla.suse.com/1167463 https://bugzilla.suse.com/1171997 From sle-updates at lists.suse.com Wed Jun 24 07:14:26 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 24 Jun 2020 15:14:26 +0200 (CEST) Subject: SUSE-SU-2020:14409-1: important: Security update for curl Message-ID: <20200624131426.9AAACF3E2@maintenance.suse.de> SUSE Security Update: Security update for curl ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14409-1 Rating: important References: #1173027 Cross-References: CVE-2020-8177 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Server 11-SECURITY SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for curl fixes the following issues: - CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-curl-14409=1 - SUSE Linux Enterprise Server 11-SECURITY: zypper in -t patch secsp3-curl-14409=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-curl-14409=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-curl-14409=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-curl-14409=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): curl-7.37.0-70.47.1 libcurl4-7.37.0-70.47.1 - SUSE Linux Enterprise Server 11-SP4-LTSS (ppc64 s390x x86_64): libcurl4-32bit-7.37.0-70.47.1 - SUSE Linux Enterprise Server 11-SECURITY (i586 ia64 ppc64 s390x x86_64): curl-openssl1-7.37.0-70.47.1 libcurl4-openssl1-7.37.0-70.47.1 - SUSE Linux Enterprise Server 11-SECURITY (ppc64 s390x x86_64): libcurl4-openssl1-32bit-7.37.0-70.47.1 - SUSE Linux Enterprise Server 11-SECURITY (ia64): libcurl4-openssl1-x86-7.37.0-70.47.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): curl-7.37.0-70.47.1 libcurl-devel-7.37.0-70.47.1 libcurl4-7.37.0-70.47.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): curl-debuginfo-7.37.0-70.47.1 curl-debugsource-7.37.0-70.47.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): curl-debuginfo-7.37.0-70.47.1 curl-debugsource-7.37.0-70.47.1 References: https://www.suse.com/security/cve/CVE-2020-8177.html https://bugzilla.suse.com/1173027 From sle-updates at lists.suse.com Wed Jun 24 07:15:09 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 24 Jun 2020 15:15:09 +0200 (CEST) Subject: SUSE-SU-2020:1734-1: important: Security update for curl Message-ID: <20200624131509.2F38DF3E2@maintenance.suse.de> SUSE Security Update: Security update for curl ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1734-1 Rating: important 
References: #1173027 Cross-References: CVE-2020-8177 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for curl fixes the following issues: - CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1734=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1734=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): curl-debuginfo-7.60.0-11.3.2 curl-debugsource-7.60.0-11.3.2 libcurl-devel-7.60.0-11.3.2 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): curl-7.60.0-11.3.2 curl-debuginfo-7.60.0-11.3.2 curl-debugsource-7.60.0-11.3.2 libcurl4-7.60.0-11.3.2 libcurl4-debuginfo-7.60.0-11.3.2 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libcurl4-32bit-7.60.0-11.3.2 libcurl4-debuginfo-32bit-7.60.0-11.3.2 References: https://www.suse.com/security/cve/CVE-2020-8177.html https://bugzilla.suse.com/1173027 From sle-updates at lists.suse.com Wed Jun 24 07:16:34 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 24 Jun 2020 15:16:34 +0200 (CEST) Subject: SUSE-RU-2020:1738-1: moderate: Recommended update for nodejs10 Message-ID: <20200624131634.CED7BF3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for nodejs10 ______________________________________________________________________________ Announcement ID: 
SUSE-RU-2020:1738-1 Rating: moderate References: #1172728 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Web Scripting 15-SP2 SUSE Linux Enterprise Module for Web Scripting 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for nodejs10 fixes the following issues: - Added Require for nodejs10 when installing npm10 (bsc#1172728) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1738=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1738=1 - SUSE Linux Enterprise Module for Web Scripting 15-SP2: zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP2-2020-1738=1 - SUSE Linux Enterprise Module for Web Scripting 15-SP1: zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP1-2020-1738=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1738=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1738=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): nodejs10-10.21.0-1.24.1 nodejs10-debuginfo-10.21.0-1.24.1 nodejs10-debugsource-10.21.0-1.24.1 nodejs10-devel-10.21.0-1.24.1 npm10-10.21.0-1.24.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): nodejs10-docs-10.21.0-1.24.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): nodejs10-10.21.0-1.24.1 nodejs10-debuginfo-10.21.0-1.24.1 nodejs10-debugsource-10.21.0-1.24.1 
nodejs10-devel-10.21.0-1.24.1 npm10-10.21.0-1.24.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): nodejs10-docs-10.21.0-1.24.1 - SUSE Linux Enterprise Module for Web Scripting 15-SP2 (aarch64 ppc64le s390x x86_64): nodejs10-10.21.0-1.24.1 nodejs10-debuginfo-10.21.0-1.24.1 nodejs10-debugsource-10.21.0-1.24.1 nodejs10-devel-10.21.0-1.24.1 npm10-10.21.0-1.24.1 - SUSE Linux Enterprise Module for Web Scripting 15-SP2 (noarch): nodejs10-docs-10.21.0-1.24.1 - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (aarch64 ppc64le s390x x86_64): nodejs10-10.21.0-1.24.1 nodejs10-debuginfo-10.21.0-1.24.1 nodejs10-debugsource-10.21.0-1.24.1 nodejs10-devel-10.21.0-1.24.1 npm10-10.21.0-1.24.1 - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (noarch): nodejs10-docs-10.21.0-1.24.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): nodejs10-10.21.0-1.24.1 nodejs10-debuginfo-10.21.0-1.24.1 nodejs10-debugsource-10.21.0-1.24.1 nodejs10-devel-10.21.0-1.24.1 npm10-10.21.0-1.24.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): nodejs10-docs-10.21.0-1.24.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): nodejs10-10.21.0-1.24.1 nodejs10-debuginfo-10.21.0-1.24.1 nodejs10-debugsource-10.21.0-1.24.1 nodejs10-devel-10.21.0-1.24.1 npm10-10.21.0-1.24.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): nodejs10-docs-10.21.0-1.24.1 References: https://bugzilla.suse.com/1172728 From sle-updates at lists.suse.com Wed Jun 24 07:17:58 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 24 Jun 2020 15:17:58 +0200 (CEST) Subject: SUSE-SU-2020:1733-1: important: Security update for curl Message-ID: <20200624131758.442F0F3E2@maintenance.suse.de> SUSE Security Update: Security update for curl ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1733-1 Rating: important References: #1173026 #1173027 Cross-References: 
CVE-2020-8169 CVE-2020-8177 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for curl fixes the following issues: - CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027). - CVE-2020-8169: Fixed an issue that could have led to a partial password leak over DNS on HTTP redirect (bsc#1173026). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1733=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): curl-7.66.0-4.3.1 curl-debuginfo-7.66.0-4.3.1 curl-debugsource-7.66.0-4.3.1 libcurl-devel-7.66.0-4.3.1 libcurl4-7.66.0-4.3.1 libcurl4-debuginfo-7.66.0-4.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): libcurl4-32bit-7.66.0-4.3.1 libcurl4-32bit-debuginfo-7.66.0-4.3.1 References: https://www.suse.com/security/cve/CVE-2020-8169.html https://www.suse.com/security/cve/CVE-2020-8177.html https://bugzilla.suse.com/1173026 https://bugzilla.suse.com/1173027 From sle-updates at lists.suse.com Wed Jun 24 07:18:43 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 24 Jun 2020 15:18:43 +0200 (CEST) Subject: SUSE-SU-2019:2900-2: moderate: Security update for libssh2_org Message-ID: <20200624131843.540CAF3E2@maintenance.suse.de> SUSE Security Update: Security update for libssh2_org ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:2900-2 Rating: moderate References: #1154862 
Cross-References: CVE-2019-17498 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for libssh2_org fixes the following issue: - CVE-2019-17498: Fixed an integer overflow in a bounds check that might have led to the disclosure of sensitive information or a denial of service (bsc#1154862). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1730=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1730=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1730=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1730=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1730=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libssh2-1-1.8.0-4.10.1 libssh2-1-debuginfo-1.8.0-4.10.1 libssh2-devel-1.8.0-4.10.1 libssh2_org-debugsource-1.8.0-4.10.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libssh2-1-32bit-1.8.0-4.10.1 libssh2-1-32bit-debuginfo-1.8.0-4.10.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libssh2-1-1.8.0-4.10.1 libssh2-1-debuginfo-1.8.0-4.10.1 libssh2-devel-1.8.0-4.10.1 libssh2_org-debugsource-1.8.0-4.10.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): 
libssh2-1-1.8.0-4.10.1 libssh2-1-debuginfo-1.8.0-4.10.1 libssh2-devel-1.8.0-4.10.1 libssh2_org-debugsource-1.8.0-4.10.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): libssh2-1-32bit-1.8.0-4.10.1 libssh2-1-32bit-debuginfo-1.8.0-4.10.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libssh2-1-1.8.0-4.10.1 libssh2-1-debuginfo-1.8.0-4.10.1 libssh2-devel-1.8.0-4.10.1 libssh2_org-debugsource-1.8.0-4.10.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libssh2-1-32bit-1.8.0-4.10.1 libssh2-1-32bit-debuginfo-1.8.0-4.10.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libssh2-1-1.8.0-4.10.1 libssh2-1-debuginfo-1.8.0-4.10.1 libssh2-devel-1.8.0-4.10.1 libssh2_org-debugsource-1.8.0-4.10.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libssh2-1-32bit-1.8.0-4.10.1 libssh2-1-32bit-debuginfo-1.8.0-4.10.1 References: https://www.suse.com/security/cve/CVE-2019-17498.html https://bugzilla.suse.com/1154862 From sle-updates at lists.suse.com Wed Jun 24 07:19:24 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 24 Jun 2020 15:19:24 +0200 (CEST) Subject: SUSE-RU-2020:14410-1: moderate: Recommended update for openssl-certs Message-ID: <20200624131924.1AF9CF3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for openssl-certs ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:14410-1 Rating: moderate References: #1172808 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for openssl-certs fixes the following issues: - Removed the expired AddTrust CA, also one Dutch CA. 
This avoids issues with sites still having AddTrust in their returned CA stack to cause certificate validation troubles with openssl. (bsc#1172808) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-openssl-certs-14410=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-openssl-certs-14410=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (noarch): openssl-certs-2.40-0.7.15.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (noarch): openssl-certs-2.40-0.7.15.1 References: https://bugzilla.suse.com/1172808 From sle-updates at lists.suse.com Wed Jun 24 07:20:06 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 24 Jun 2020 15:20:06 +0200 (CEST) Subject: SUSE-RU-2020:1737-1: moderate: Recommended update for nodejs8 Message-ID: <20200624132006.39EEAF3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for nodejs8 ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1737-1 Rating: moderate References: #1172728 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Web Scripting 15-SP2 SUSE Linux Enterprise Module for Web Scripting 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for nodejs8 fixes the following issues: - Added Require for nodejs8 when installing npm8 (bsc#1172728) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1737=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1737=1 - SUSE Linux Enterprise Module for Web Scripting 15-SP2: zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP2-2020-1737=1 - SUSE Linux Enterprise Module for Web Scripting 15-SP1: zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP1-2020-1737=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1737=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1737=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): nodejs8-8.17.0-3.35.1 nodejs8-debuginfo-8.17.0-3.35.1 nodejs8-debugsource-8.17.0-3.35.1 nodejs8-devel-8.17.0-3.35.1 npm8-8.17.0-3.35.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): nodejs8-docs-8.17.0-3.35.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): nodejs8-8.17.0-3.35.1 nodejs8-debuginfo-8.17.0-3.35.1 nodejs8-debugsource-8.17.0-3.35.1 nodejs8-devel-8.17.0-3.35.1 npm8-8.17.0-3.35.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): nodejs8-docs-8.17.0-3.35.1 - SUSE Linux Enterprise Module for Web Scripting 15-SP2 (aarch64 ppc64le s390x x86_64): nodejs8-8.17.0-3.35.1 nodejs8-debuginfo-8.17.0-3.35.1 nodejs8-debugsource-8.17.0-3.35.1 nodejs8-devel-8.17.0-3.35.1 npm8-8.17.0-3.35.1 - SUSE Linux Enterprise Module for Web Scripting 15-SP2 (noarch): nodejs8-docs-8.17.0-3.35.1 - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (aarch64 ppc64le s390x x86_64): nodejs8-8.17.0-3.35.1 
nodejs8-debuginfo-8.17.0-3.35.1 nodejs8-debugsource-8.17.0-3.35.1 nodejs8-devel-8.17.0-3.35.1 npm8-8.17.0-3.35.1 - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (noarch): nodejs8-docs-8.17.0-3.35.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): nodejs8-8.17.0-3.35.1 nodejs8-debuginfo-8.17.0-3.35.1 nodejs8-debugsource-8.17.0-3.35.1 nodejs8-devel-8.17.0-3.35.1 npm8-8.17.0-3.35.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): nodejs8-docs-8.17.0-3.35.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): nodejs8-8.17.0-3.35.1 nodejs8-debuginfo-8.17.0-3.35.1 nodejs8-debugsource-8.17.0-3.35.1 nodejs8-devel-8.17.0-3.35.1 npm8-8.17.0-3.35.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): nodejs8-docs-8.17.0-3.35.1 References: https://bugzilla.suse.com/1172728 From sle-updates at lists.suse.com Wed Jun 24 07:20:47 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 24 Jun 2020 15:20:47 +0200 (CEST) Subject: SUSE-SU-2020:1735-1: important: Security update for curl Message-ID: <20200624132047.611AEF3E2@maintenance.suse.de> SUSE Security Update: Security update for curl ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1735-1 Rating: important References: #1173027 Cross-References: CVE-2020-8177 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for curl fixes the following issues: - CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027). 
Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1735=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1735=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): curl-debuginfo-7.60.0-4.15.2 curl-debugsource-7.60.0-4.15.2 libcurl-devel-7.60.0-4.15.2 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): curl-7.60.0-4.15.2 curl-debuginfo-7.60.0-4.15.2 curl-debugsource-7.60.0-4.15.2 libcurl4-7.60.0-4.15.2 libcurl4-debuginfo-7.60.0-4.15.2 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libcurl4-32bit-7.60.0-4.15.2 libcurl4-debuginfo-32bit-7.60.0-4.15.2 References: https://www.suse.com/security/cve/CVE-2020-8177.html https://bugzilla.suse.com/1173027 From sle-updates at lists.suse.com Wed Jun 24 10:13:10 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 24 Jun 2020 18:13:10 +0200 (CEST) Subject: SUSE-RU-2020:1741-1: moderate: Recommended update for nodejs10 Message-ID: <20200624161310.72C7EF3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for nodejs10 ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1741-1 Rating: moderate References: #1172728 Affected Products: SUSE Linux Enterprise Module for Web Scripting 12 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for nodejs10 fixes the following issues: - Added Require for nodejs10 when installing npm10 (bsc#1172728) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-1741=1 Package List: - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): nodejs10-10.21.0-1.27.2 nodejs10-debuginfo-10.21.0-1.27.2 nodejs10-debugsource-10.21.0-1.27.2 nodejs10-devel-10.21.0-1.27.2 npm10-10.21.0-1.27.2 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): nodejs10-docs-10.21.0-1.27.2 References: https://bugzilla.suse.com/1172728 From sle-updates at lists.suse.com Wed Jun 24 10:14:37 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Wed, 24 Jun 2020 18:14:37 +0200 (CEST) Subject: SUSE-RU-2020:1740-1: moderate: Recommended update for tracker-miners Message-ID: <20200624161437.6D649F3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for tracker-miners ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1740-1 Rating: moderate References: #1171771 Affected Products: SUSE Linux Enterprise Workstation Extension 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for tracker-miners fixes the following issues: - use tracker_resource_set_uri() with rdf:type (bsc#1171771) - use libz to process ps.gz files (bsc#1171771) - fix handling of (atend) in ps files (bsc#1171771) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP1: zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2020-1740=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP1 (noarch): tracker-miners-lang-2.0.4-3.6.1 - SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): tracker-miner-files-2.0.4-3.6.1 tracker-miner-files-debuginfo-2.0.4-3.6.1 tracker-miners-2.0.4-3.6.1 tracker-miners-debuginfo-2.0.4-3.6.1 tracker-miners-debugsource-2.0.4-3.6.1 References: https://bugzilla.suse.com/1171771 From sle-updates at lists.suse.com Thu Jun 25 01:24:18 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 25 Jun 2020 09:24:18 +0200 (CEST) Subject: SUSE-CU-2020:347-1: Security update of suse/sles12sp3 Message-ID: <20200625072418.41989F3D7@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp3 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:347-1 Container Tags : suse/sles12sp3:2.0.2 , suse/sles12sp3:24.167 , suse/sles12sp3:latest Container Release : 24.167 Severity : important Type : security References : 1102840 1156159 1160039 1170601 1171863 1171864 1171866 1172295 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723 ----------------------------------------------------------------- The container suse/sles12sp3 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1662-1 Released: Thu Jun 18 11:13:05 2020 Summary: Security update for perl Type: security Severity: important References: 1102840,1160039,1170601,1171863,1171864,1171866,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863). 
- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864). - CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed utf8 handling in perldoc by using 'term' instead of 'man' (bsc#1170601). - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digits only instead of four digits. (bsc#1102840) (bsc#1160039) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1689-1 Released: Fri Jun 19 11:03:49 2020 Summary: Recommended update for audit Type: recommended Severity: important References: 1156159,1172295 This update for audit fixes the following issues: - Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295) - Fix hang on startup. (bsc#1156159) From sle-updates at lists.suse.com Thu Jun 25 01:32:13 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 25 Jun 2020 09:32:13 +0200 (CEST) Subject: SUSE-CU-2020:348-1: Security update of suse/sles12sp4 Message-ID: <20200625073213.D61C2F3E2@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:348-1 Container Tags : suse/sles12sp4:26.199 , suse/sles12sp4:latest Container Release : 26.199 Severity : important Type : security References : 1102840 1160039 1170601 1171863 1171864 1171866 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723 ----------------------------------------------------------------- The container suse/sles12sp4 was updated. 
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1662-1 Released: Thu Jun 18 11:13:05 2020 Summary: Security update for perl Type: security Severity: important References: 1102840,1160039,1170601,1171863,1171864,1171866,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863). - CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864). - CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed utf8 handling in perldoc by using 'term' instead of 'man' (bsc#1170601). - Some packages make assumptions about the date and time they are built. This update will solve the issues caused by calling the perl function timelocal expressing the year with two digits only instead of four digits. 
(bsc#1102840) (bsc#1160039) From sle-updates at lists.suse.com Thu Jun 25 01:35:41 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 25 Jun 2020 09:35:41 +0200 (CEST) Subject: SUSE-CU-2020:349-1: Security update of suse/sles12sp5 Message-ID: <20200625073541.54323F3D7@maintenance.suse.de> SUSE Container Update Advisory: suse/sles12sp5 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:349-1 Container Tags : suse/sles12sp5:6.5.15 , suse/sles12sp5:latest Container Release : 6.5.15 Severity : important Type : security References : 1102840 1160039 1170601 1171863 1171864 1171866 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723 ----------------------------------------------------------------- The container suse/sles12sp5 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1662-1 Released: Thu Jun 18 11:13:05 2020 Summary: Security update for perl Type: security Severity: important References: 1102840,1160039,1170601,1171863,1171864,1171866,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863). - CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864). - CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed utf8 handling in perldoc by using 'term' instead of 'man' (bsc#1170601). - Some packages make assumptions about the date and time they are built. 
This update will solve the issues caused by calling the perl function timelocal expressing the year with two digits only instead of four digits. (bsc#1102840) (bsc#1160039) From sle-updates at lists.suse.com Thu Jun 25 01:44:05 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 25 Jun 2020 09:44:05 +0200 (CEST) Subject: SUSE-CU-2020:350-1: Security update of suse/sle15 Message-ID: <20200625074405.6B038F3D7@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:350-1 Container Tags : suse/sle15:15.0 , suse/sle15:15.0.4.22.224 Container Release : 4.22.224 Severity : important Type : security References : 1171863 1171864 1171866 1172348 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1682-1 Released: Fri Jun 19 09:44:54 2020 Summary: Security update for perl Type: security Severity: important References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863). - CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864). - CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed a bad warning in features.ph (bsc#1172348). 
From sle-updates at lists.suse.com Thu Jun 25 01:50:14 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 25 Jun 2020 09:50:14 +0200 (CEST) Subject: SUSE-CU-2020:351-1: Security update of suse/sle15 Message-ID: <20200625075014.7487EF3E2@maintenance.suse.de> SUSE Container Update Advisory: suse/sle15 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2020:351-1 Container Tags : suse/sle15:15.1 , suse/sle15:15.1.6.2.256 Container Release : 6.2.256 Severity : important Type : security References : 1169947 1171863 1171864 1171866 1172348 1172925 CVE-2020-10543 CVE-2020-10878 CVE-2020-12723 ----------------------------------------------------------------- The container suse/sle15 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1637-1 Released: Wed Jun 17 15:07:58 2020 Summary: Recommended update for zypper Type: recommended Severity: important References: 1169947,1172925 This update for zypper fixes the following issues: - Print switch abbrev warning to stderr (bsc#1172925) - Fix typo in man page (bsc#1169947) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1682-1 Released: Fri Jun 19 09:44:54 2020 Summary: Security update for perl Type: security Severity: important References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863). - CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864). 
- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed a bad warning in features.ph (bsc#1172348). From sle-updates at lists.suse.com Thu Jun 25 07:13:57 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 25 Jun 2020 15:13:57 +0200 (CEST) Subject: SUSE-RU-2020:1745-1: moderate: Recommended update for suse-module-tools Message-ID: <20200625131357.CC5D4F3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for suse-module-tools ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1745-1 Rating: moderate References: #1132798 #1142152 #1158817 #1166531 #937216 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has 5 recommended fixes can now be installed. Description: This update for suse-module-tools fixes the following issues: - Fixes a dependency issue on ppc64le with papr_scm (bsc#1142152, fate#327775) - Fixes an issue where KVM virtualized machines with libvirt don't come up with an active ethernet connection when the host's bridge device is being used (openSUSE Leap only) (bsc#1158817) - Added new configuration file for s390x: modprobe.conf.s390x (bsc#1132798) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1745=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): suse-module-tools-15.1.22-3.16.1 References: https://bugzilla.suse.com/1132798 https://bugzilla.suse.com/1142152 https://bugzilla.suse.com/1158817 https://bugzilla.suse.com/1166531 https://bugzilla.suse.com/937216 From sle-updates at lists.suse.com Thu Jun 25 10:15:10 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 25 Jun 2020 18:15:10 +0200 (CEST) Subject: SUSE-SU-2020:1748-1: important: Security update for ceph Message-ID: <20200625161510.3273CFC36@maintenance.suse.de> SUSE Security Update: Security update for ceph ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1748-1 Rating: important References: #1126230 #1136082 #1157607 #1161096 #1162553 #1171670 #1171921 #1171960 #1171961 #1171963 Cross-References: CVE-2020-10753 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves one vulnerability and has 9 fixes is now available. Description: This is a version update for ceph to version 12.2.13: Security issue fixed: - CVE-2020-10753: Fixed an HTTP header injection via CORS ExposeHeader tag (bsc#1171921). - Notable changes in this update for ceph: * mgr: telemetry: backported and now available on SES5.5. 
Please consider enabling via "ceph telemetry on" (bsc#1171670) * OSD heartbeat ping time: new health warning, options and admin commands (bsc#1171960) * "osd_calc_pg_upmaps_max_stddev" ceph.conf parameter has been removed; use "upmap_max_deviation" instead (bsc#1171961) * Default maximum concurrent bluestore rocksdb compaction threads raised from 1 to 2 for improved ability to keep up with rgw bucket index workloads (bsc#1171963) - Bug fixes in this ceph update: * mon: Error message displayed when mon_osd_max_split_count would be exceeded is not as user-friendly as it could be (bsc#1126230) * ceph_volume_client: remove ceph mds calls in favor of ceph fs calls (bsc#1136082) * rgw: crypt: permit RGW-AUTO/default with SSE-S3 headers (bsc#1157607) * mon/AuthMonitor: don't validate fs caps on authorize (bsc#1161096) - Additional bug fixes: * ceph-volume: strip _dmcrypt suffix in simple scan json output (bsc#1162553) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1748=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1748=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1748=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1748=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1748=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1748=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1748=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1748=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1748=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1748=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1748=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): ceph-common-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-common-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-debugsource-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-12.2.13+git.1592168685.85110a3e9d-2.50.1 
python-cephfs-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 - SUSE OpenStack Cloud 8 (x86_64): ceph-common-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-common-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-debugsource-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): ceph-debugsource-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs-devel-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados-devel-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados-devel-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 
librbd-devel-12.2.13+git.1592168685.85110a3e9d-2.50.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): ceph-debugsource-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs-devel-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados-devel-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados-devel-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd-devel-12.2.13+git.1592168685.85110a3e9d-2.50.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): ceph-common-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-common-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-debugsource-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): ceph-common-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-common-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-debugsource-12.2.13+git.1592168685.85110a3e9d-2.50.1 
libcephfs2-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): ceph-common-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-common-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-debugsource-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 
python-rados-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): ceph-common-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-common-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-debugsource-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): ceph-common-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-common-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-debugsource-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 
librados2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): ceph-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-base-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-base-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-common-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-common-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-debugsource-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-fuse-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-fuse-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-mds-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-mds-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-mgr-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-mgr-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-mon-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-mon-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-osd-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-osd-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-radosgw-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-radosgw-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 
libcephfs2-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-ceph-compat-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python3-ceph-argparse-12.2.13+git.1592168685.85110a3e9d-2.50.1 python3-cephfs-12.2.13+git.1592168685.85110a3e9d-2.50.1 python3-cephfs-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python3-rados-12.2.13+git.1592168685.85110a3e9d-2.50.1 python3-rados-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python3-rbd-12.2.13+git.1592168685.85110a3e9d-2.50.1 python3-rbd-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python3-rgw-12.2.13+git.1592168685.85110a3e9d-2.50.1 python3-rgw-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 rbd-fuse-12.2.13+git.1592168685.85110a3e9d-2.50.1 rbd-fuse-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 rbd-mirror-12.2.13+git.1592168685.85110a3e9d-2.50.1 rbd-mirror-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 rbd-nbd-12.2.13+git.1592168685.85110a3e9d-2.50.1 rbd-nbd-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 - HPE Helion Openstack 8 (x86_64): 
ceph-common-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-common-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 ceph-debugsource-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-12.2.13+git.1592168685.85110a3e9d-2.50.1 libcephfs2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librados2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-12.2.13+git.1592168685.85110a3e9d-2.50.1 libradosstriper1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-12.2.13+git.1592168685.85110a3e9d-2.50.1 librbd1-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-12.2.13+git.1592168685.85110a3e9d-2.50.1 librgw2-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-cephfs-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rados-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rbd-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-12.2.13+git.1592168685.85110a3e9d-2.50.1 python-rgw-debuginfo-12.2.13+git.1592168685.85110a3e9d-2.50.1 References: https://www.suse.com/security/cve/CVE-2020-10753.html https://bugzilla.suse.com/1126230 https://bugzilla.suse.com/1136082 https://bugzilla.suse.com/1157607 https://bugzilla.suse.com/1161096 https://bugzilla.suse.com/1162553 https://bugzilla.suse.com/1171670 https://bugzilla.suse.com/1171921 https://bugzilla.suse.com/1171960 https://bugzilla.suse.com/1171961 https://bugzilla.suse.com/1171963 From sle-updates at lists.suse.com Thu Jun 25 10:16:53 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Thu, 25 Jun 2020 18:16:53 +0200 (CEST) Subject: SUSE-SU-2020:1747-1: important: Security update for ceph Message-ID: <20200625161653.391D6FC36@maintenance.suse.de> SUSE Security Update: Security update for ceph 
______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1747-1 Rating: important References: #1171921 Cross-References: CVE-2020-10753 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Enterprise Storage 6 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for ceph fixes the following issues: - CVE-2020-10753: Fixed an HTTP header injection via CORS ExposeHeader tag (bsc#1171921). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1747=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2020-1747=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): ceph-common-14.2.9.970+ged84cae0c9-3.41.1 ceph-common-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 ceph-debugsource-14.2.9.970+ged84cae0c9-3.41.1 libcephfs-devel-14.2.9.970+ged84cae0c9-3.41.1 libcephfs2-14.2.9.970+ged84cae0c9-3.41.1 libcephfs2-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 librados-devel-14.2.9.970+ged84cae0c9-3.41.1 librados-devel-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 librados2-14.2.9.970+ged84cae0c9-3.41.1 librados2-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 libradospp-devel-14.2.9.970+ged84cae0c9-3.41.1 librbd-devel-14.2.9.970+ged84cae0c9-3.41.1 librbd1-14.2.9.970+ged84cae0c9-3.41.1 librbd1-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 librgw-devel-14.2.9.970+ged84cae0c9-3.41.1 librgw2-14.2.9.970+ged84cae0c9-3.41.1 librgw2-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 python3-ceph-argparse-14.2.9.970+ged84cae0c9-3.41.1 python3-cephfs-14.2.9.970+ged84cae0c9-3.41.1 python3-cephfs-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 
python3-rados-14.2.9.970+ged84cae0c9-3.41.1 python3-rados-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 python3-rbd-14.2.9.970+ged84cae0c9-3.41.1 python3-rbd-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 python3-rgw-14.2.9.970+ged84cae0c9-3.41.1 python3-rgw-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 rados-objclass-devel-14.2.9.970+ged84cae0c9-3.41.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): ceph-14.2.9.970+ged84cae0c9-3.41.1 ceph-base-14.2.9.970+ged84cae0c9-3.41.1 ceph-base-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 ceph-common-14.2.9.970+ged84cae0c9-3.41.1 ceph-common-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 ceph-debugsource-14.2.9.970+ged84cae0c9-3.41.1 ceph-fuse-14.2.9.970+ged84cae0c9-3.41.1 ceph-fuse-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 ceph-mds-14.2.9.970+ged84cae0c9-3.41.1 ceph-mds-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 ceph-mgr-14.2.9.970+ged84cae0c9-3.41.1 ceph-mgr-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 ceph-mon-14.2.9.970+ged84cae0c9-3.41.1 ceph-mon-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 ceph-osd-14.2.9.970+ged84cae0c9-3.41.1 ceph-osd-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 ceph-radosgw-14.2.9.970+ged84cae0c9-3.41.1 ceph-radosgw-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 cephfs-shell-14.2.9.970+ged84cae0c9-3.41.1 libcephfs2-14.2.9.970+ged84cae0c9-3.41.1 libcephfs2-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 librados2-14.2.9.970+ged84cae0c9-3.41.1 librados2-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 librbd1-14.2.9.970+ged84cae0c9-3.41.1 librbd1-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 librgw2-14.2.9.970+ged84cae0c9-3.41.1 librgw2-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 python3-ceph-argparse-14.2.9.970+ged84cae0c9-3.41.1 python3-cephfs-14.2.9.970+ged84cae0c9-3.41.1 python3-cephfs-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 python3-rados-14.2.9.970+ged84cae0c9-3.41.1 python3-rados-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 python3-rbd-14.2.9.970+ged84cae0c9-3.41.1 python3-rbd-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 python3-rgw-14.2.9.970+ged84cae0c9-3.41.1 
python3-rgw-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 rbd-fuse-14.2.9.970+ged84cae0c9-3.41.1 rbd-fuse-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 rbd-mirror-14.2.9.970+ged84cae0c9-3.41.1 rbd-mirror-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 rbd-nbd-14.2.9.970+ged84cae0c9-3.41.1 rbd-nbd-debuginfo-14.2.9.970+ged84cae0c9-3.41.1 - SUSE Enterprise Storage 6 (noarch): ceph-grafana-dashboards-14.2.9.970+ged84cae0c9-3.41.1 ceph-mgr-dashboard-14.2.9.970+ged84cae0c9-3.41.1 ceph-mgr-diskprediction-local-14.2.9.970+ged84cae0c9-3.41.1 ceph-mgr-rook-14.2.9.970+ged84cae0c9-3.41.1 ceph-prometheus-alerts-14.2.9.970+ged84cae0c9-3.41.1 References: https://www.suse.com/security/cve/CVE-2020-10753.html https://bugzilla.suse.com/1171921 From sle-updates at lists.suse.com Thu Jun 25 16:13:10 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 00:13:10 +0200 (CEST) Subject: SUSE-SU-2020:1758-1: important: Security update for the Linux Kernel (Live Patch 5 for SLE 12 SP4) Message-ID: <20200625221310.ED50FF3E2@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 5 for SLE 12 SP4) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1758-1 Rating: important References: #1171746 #1172140 #1172437 Cross-References: CVE-2018-1000199 CVE-2019-15666 CVE-2020-10757 Affected Products: SUSE Linux Enterprise Live Patching 12-SP4 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-95_19 fixes several issues. The following security issues were fixed: - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437). - CVE-2019-15666: Fixed an out of bounds read in __xfrm_policy_unlink, which could have led to denial of service (bsc#1172140).
- CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1171746). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-1756=1 SUSE-SLE-Live-Patching-12-SP4-2020-1757=1 SUSE-SLE-Live-Patching-12-SP4-2020-1758=1 Package List: - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64): kgraft-patch-4_12_14-95_19-default-9-2.1 kgraft-patch-4_12_14-95_24-default-8-2.1 kgraft-patch-4_12_14-95_29-default-8-2.1 References: https://www.suse.com/security/cve/CVE-2018-1000199.html https://www.suse.com/security/cve/CVE-2019-15666.html https://www.suse.com/security/cve/CVE-2020-10757.html https://bugzilla.suse.com/1171746 https://bugzilla.suse.com/1172140 https://bugzilla.suse.com/1172437 From sle-updates at lists.suse.com Thu Jun 25 16:14:11 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 00:14:11 +0200 (CEST) Subject: SUSE-SU-2020:1764-1: important: Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP2) Message-ID: <20200625221411.76B80F3E2@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1764-1 Rating: important References: #1172437 Cross-References: CVE-2020-10757 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP2-LTSS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.4.121-92_129 fixes one issue. 
The following security issue was fixed: - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1764=1 SUSE-SLE-SAP-12-SP2-2020-1765=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1764=1 SUSE-SLE-SERVER-12-SP2-2020-1765=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): kgraft-patch-4_4_121-92_125-default-6-2.1 kgraft-patch-4_4_121-92_129-default-3-2.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64): kgraft-patch-4_4_121-92_125-default-6-2.1 kgraft-patch-4_4_121-92_129-default-3-2.1 References: https://www.suse.com/security/cve/CVE-2020-10757.html https://bugzilla.suse.com/1172437 From sle-updates at lists.suse.com Thu Jun 25 16:14:58 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 00:14:58 +0200 (CEST) Subject: SUSE-RU-2020:1760-1: moderate: Recommended update for systemd Message-ID: <20200625221458.6A2FDF3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for systemd ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1760-1 Rating: moderate References: #1157315 #1162698 #1164538 #1169488 #1171145 #1172072 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise Installer 15-SP1 ______________________________________________________________________________ An update that has 6 recommended fixes can now be installed.
Description: This update for systemd fixes the following issues: - Merge branch 'SUSE/v234' into SLE15 units: starting suspend.target should not fail when suspend is successful (bsc#1172072) core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488) mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too udev: rename the persistent link for ATA devices (bsc#1164538) shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315) tmpfiles: remove unnecessary assert (bsc#1171145) test-engine: manager_free() was called too early pid1: by default make user units inherit their umask from the user manager (bsc#1162698) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1760=1 - SUSE Linux Enterprise Installer 15-SP1: zypper in -t patch SUSE-SLE-INSTALLER-15-SP1-2020-1760=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libsystemd0-234-24.52.3 libsystemd0-debuginfo-234-24.52.3 libudev-devel-234-24.52.3 libudev1-234-24.52.3 libudev1-debuginfo-234-24.52.3 systemd-234-24.52.3 systemd-container-234-24.52.3 systemd-container-debuginfo-234-24.52.3 systemd-coredump-234-24.52.3 systemd-coredump-debuginfo-234-24.52.3 systemd-debuginfo-234-24.52.3 systemd-debugsource-234-24.52.3 systemd-devel-234-24.52.3 systemd-sysvinit-234-24.52.3 udev-234-24.52.3 udev-debuginfo-234-24.52.3 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libsystemd0-32bit-234-24.52.3 libsystemd0-32bit-debuginfo-234-24.52.3 libudev1-32bit-234-24.52.3 libudev1-32bit-debuginfo-234-24.52.3 
systemd-32bit-234-24.52.3 systemd-32bit-debuginfo-234-24.52.3 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): systemd-bash-completion-234-24.52.3 - SUSE Linux Enterprise Installer 15-SP1 (aarch64 ppc64le s390x x86_64): libudev1-234-24.52.3 systemd-234-24.52.3 systemd-sysvinit-234-24.52.3 udev-234-24.52.3 References: https://bugzilla.suse.com/1157315 https://bugzilla.suse.com/1162698 https://bugzilla.suse.com/1164538 https://bugzilla.suse.com/1169488 https://bugzilla.suse.com/1171145 https://bugzilla.suse.com/1172072 From sle-updates at lists.suse.com Thu Jun 25 16:16:16 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 00:16:16 +0200 (CEST) Subject: SUSE-SU-2020:1754-1: important: Security update for the Linux Kernel (Live Patch 9 for SLE 12 SP4) Message-ID: <20200625221616.D788FFCE6@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 9 for SLE 12 SP4) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1754-1 Rating: important References: #1171746 #1172437 Cross-References: CVE-2018-1000199 CVE-2020-10757 Affected Products: SUSE Linux Enterprise Live Patching 12-SP4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-95_37 fixes several issues. The following security issues were fixed: - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437). - CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1171746). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-1750=1 SUSE-SLE-Live-Patching-12-SP4-2020-1751=1 SUSE-SLE-Live-Patching-12-SP4-2020-1752=1 SUSE-SLE-Live-Patching-12-SP4-2020-1753=1 SUSE-SLE-Live-Patching-12-SP4-2020-1754=1 SUSE-SLE-Live-Patching-12-SP4-2020-1755=1 Package List: - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le x86_64): kgraft-patch-4_12_14-95_32-default-7-2.1 kgraft-patch-4_12_14-95_37-default-6-2.1 kgraft-patch-4_12_14-95_40-default-5-2.1 kgraft-patch-4_12_14-95_45-default-5-2.1 kgraft-patch-4_12_14-95_48-default-4-2.1 kgraft-patch-4_12_14-95_51-default-3-2.1 References: https://www.suse.com/security/cve/CVE-2018-1000199.html https://www.suse.com/security/cve/CVE-2020-10757.html https://bugzilla.suse.com/1171746 https://bugzilla.suse.com/1172437 From sle-updates at lists.suse.com Thu Jun 25 16:17:10 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 00:17:10 +0200 (CEST) Subject: SUSE-SU-2020:1767-1: important: Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP2) Message-ID: <20200625221710.4C85DFCE6@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1767-1 Rating: important References: #1172140 #1172437 Cross-References: CVE-2019-15666 CVE-2020-10757 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP2-LTSS ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for the Linux Kernel 4.4.121-92_117 fixes several issues. 
The following security issues were fixed: - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437). - CVE-2019-15666: Fixed an out of bounds read in __xfrm_policy_unlink, which could have led to denial of service (bsc#1172140). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1766=1 SUSE-SLE-SAP-12-SP2-2020-1767=1 SUSE-SLE-SAP-12-SP2-2020-1768=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1766=1 SUSE-SLE-SERVER-12-SP2-2020-1767=1 SUSE-SLE-SERVER-12-SP2-2020-1768=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): kgraft-patch-4_4_121-92_114-default-10-2.1 kgraft-patch-4_4_121-92_117-default-9-2.1 kgraft-patch-4_4_121-92_120-default-8-2.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64): kgraft-patch-4_4_121-92_114-default-10-2.1 kgraft-patch-4_4_121-92_117-default-9-2.1 kgraft-patch-4_4_121-92_120-default-8-2.1 References: https://www.suse.com/security/cve/CVE-2019-15666.html https://www.suse.com/security/cve/CVE-2020-10757.html https://bugzilla.suse.com/1172140 https://bugzilla.suse.com/1172437 From sle-updates at lists.suse.com Thu Jun 25 16:18:00 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 00:18:00 +0200 (CEST) Subject: SUSE-RU-2020:1759-1: moderate: Recommended update for krb5 Message-ID: <20200625221800.20A2DF3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for krb5 ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1759-1 Rating: moderate References: #1169357 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1
SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for krb5 fixes the following issue: - Call systemd to reload the services instead of init-scripts. (bsc#1169357) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1759=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1759=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): krb5-debuginfo-1.16.3-3.9.1 krb5-debugsource-1.16.3-3.9.1 krb5-plugin-kdb-ldap-1.16.3-3.9.1 krb5-plugin-kdb-ldap-debuginfo-1.16.3-3.9.1 krb5-server-1.16.3-3.9.1 krb5-server-debuginfo-1.16.3-3.9.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): krb5-1.16.3-3.9.1 krb5-client-1.16.3-3.9.1 krb5-client-debuginfo-1.16.3-3.9.1 krb5-debuginfo-1.16.3-3.9.1 krb5-debugsource-1.16.3-3.9.1 krb5-devel-1.16.3-3.9.1 krb5-plugin-preauth-otp-1.16.3-3.9.1 krb5-plugin-preauth-otp-debuginfo-1.16.3-3.9.1 krb5-plugin-preauth-pkinit-1.16.3-3.9.1 krb5-plugin-preauth-pkinit-debuginfo-1.16.3-3.9.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): krb5-32bit-1.16.3-3.9.1 krb5-32bit-debuginfo-1.16.3-3.9.1 References: https://bugzilla.suse.com/1169357 From sle-updates at lists.suse.com Thu Jun 25 16:18:43 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 00:18:43 +0200 (CEST) Subject: SUSE-RU-2020:1763-1: moderate: Recommended update for virt-manager Message-ID: <20200625221843.2F8AFF3E2@maintenance.suse.de> SUSE 
Recommended Update: Recommended update for virt-manager ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1763-1 Rating: moderate References: #1070896 #1126325 #1129176 #1129309 #1129423 #1134426 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that has 6 recommended fixes can now be installed. Description: This update for virt-manager fixes the following issues: - virt-manager IndexError: string index out of range. (bsc#1134426) - In python3 there is effectively no difference between a long and int. (bsc#1070896) - Add support for the 'xenbus' controller and the attribute maxGrantFrames. (bsc#1126325) - s390x guests detect the sclp or virtio console. Disable the warning that might actually break setup. (bsc#1129176) - virt-install: ERROR Couldn't find hvm kernel for SUSE tree. (bsc#1129423) - Missing .treeinfo file on the media for CaaSP. (bsc#1129309) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1763=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1763=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1763=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1763=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (noarch): virt-install-1.5.1-7.12.1 virt-manager-1.5.1-7.12.1 virt-manager-common-1.5.1-7.12.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): virt-install-1.5.1-7.12.1 virt-manager-1.5.1-7.12.1 virt-manager-common-1.5.1-7.12.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): virt-install-1.5.1-7.12.1 virt-manager-1.5.1-7.12.1 virt-manager-common-1.5.1-7.12.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): virt-install-1.5.1-7.12.1 virt-manager-1.5.1-7.12.1 virt-manager-common-1.5.1-7.12.1 References: https://bugzilla.suse.com/1070896 https://bugzilla.suse.com/1126325 https://bugzilla.suse.com/1129176 https://bugzilla.suse.com/1129309 https://bugzilla.suse.com/1129423 https://bugzilla.suse.com/1134426 From sle-updates at lists.suse.com Thu Jun 25 16:19:56 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 00:19:56 +0200 (CEST) Subject: SUSE-RU-2020:1761-1: moderate: Recommended update for 389-ds Message-ID: <20200625221956.84E6DF3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for 389-ds ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1761-1 Rating: moderate References: #1171749 Affected Products: SUSE Linux Enterprise Module for Server Applications 15-SP1 ______________________________________________________________________________ An update that has one 
recommended fix can now be installed. Description: This update for 389-ds fixes the following issues: - Resolve TLS 1.0 recognition issue. (bsc#1171749) - Update from version 1.4.2.12~git0.b11942c36 to version 1.4.2.14~git0.5ac5b02ce: * Allow using uid for replication manager entry * Abort operation if CSN can not be generated * Fix ASAN ODR warnings * RFE - ds-replcheck - make online timeout configurable * Remove unnecessary slapi entry dups * Improve dscreate instance name validation * Ignore pid when it is ourself in protect_db * Fix some npm audit issues * Healthcheck json report fails when mapping tree is deleted * Container pid start and stop issues * Fix return code when it's nothing to free * Abort when a empty valueset is freed * Memory leaks in dbscan and changelog encryption * Prevent unnecessarily duplication of the target entry * Permissions of some shipped directories may change over time * Fix implementation of attr unique * Add nsslapd-enable-upgrade-hash to the schema * Deadlock when updating the schema * Unable to set sslVersionMin to TLS1.0 * Unable to install server where IPv6 is disabled * CLI fix consistency issues with confirmations * React deprecating ComponentWillMount * Fix npm audit issues * Heavy StartTLS connection load can randomly fail with err=1 * Transition between two instances needs improvement * Replace exec() with setattr() * The check for the ds version for the backend config was broken * Refactor passwordUserAttributes's and passwordBadWords's code * slapi_pal.c possible static buffer overflow * Remove dbmon "incr" option from arg parser * Port dbmon.sh to dsconf * Intermittent SSL hang with rhds * SSCA lacks basicConstraint:CA * Database links: get_monitor() takes 1 positional argument but 2 were given * Setting nsslapd-allowed-sasl-mechanisms truncates the value Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1761=1 Package List: - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): 389-ds-1.4.2.14~git0.5ac5b02ce-7.19.2 389-ds-debuginfo-1.4.2.14~git0.5ac5b02ce-7.19.2 389-ds-debugsource-1.4.2.14~git0.5ac5b02ce-7.19.2 389-ds-devel-1.4.2.14~git0.5ac5b02ce-7.19.2 389-ds-snmp-1.4.2.14~git0.5ac5b02ce-7.19.2 389-ds-snmp-debuginfo-1.4.2.14~git0.5ac5b02ce-7.19.2 lib389-1.4.2.14~git0.5ac5b02ce-7.19.2 libsvrcore0-1.4.2.14~git0.5ac5b02ce-7.19.2 libsvrcore0-debuginfo-1.4.2.14~git0.5ac5b02ce-7.19.2 References: https://bugzilla.suse.com/1171749 From sle-updates at lists.suse.com Thu Jun 25 16:20:39 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 00:20:39 +0200 (CEST) Subject: SUSE-RU-2020:1762-1: moderate: Recommended update for yast2-registration Message-ID: <20200625222039.9F123FCE6@maintenance.suse.de> SUSE Recommended Update: Recommended update for yast2-registration ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1762-1 Rating: moderate References: #1169577 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise Installer 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for yast2-registration fixes the following issue: - Update from version 4.1.25 to 4.1.26 Decline/refuse of an add-on license means canceling all add-ons. (bsc#1169577) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1762=1 - SUSE Linux Enterprise Installer 15-SP1: zypper in -t patch SUSE-SLE-INSTALLER-15-SP1-2020-1762=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): yast2-registration-4.1.26-3.12.1 - SUSE Linux Enterprise Installer 15-SP1 (noarch): yast2-registration-4.1.26-3.12.1 References: https://bugzilla.suse.com/1169577 From sle-updates at lists.suse.com Thu Jun 25 16:21:23 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 00:21:23 +0200 (CEST) Subject: SUSE-SU-2020:1749-1: important: Security update for tigervnc Message-ID: <20200625222123.D66C6FCE6@maintenance.suse.de> SUSE Security Update: Security update for tigervnc ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1749-1 Rating: important References: #1159856 #1159858 #1159860 #1160249 #1160250 #1160251 #1160937 #1165680 #1169952 Cross-References: CVE-2019-15691 CVE-2019-15692 CVE-2019-15693 CVE-2019-15694 CVE-2019-15695 Affected Products: SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that solves 5 vulnerabilities and has four fixes is now available. Description: This update for tigervnc fixes the following issues: - CVE-2019-15691: Fixed a use-after-return due to incorrect usage of stack memory in ZRLEDecoder (bsc#1159856). - CVE-2019-15692: Fixed a heap-based buffer overflow in CopyRectDecode (bsc#1160250). - CVE-2019-15693: Fixed a heap-based buffer overflow in TightDecoder::FilterGradient (bsc#1159858). - CVE-2019-15694: Fixed a heap-based buffer overflow, caused by improper error handling in processing MemOutStream (bsc#1160251). 
- CVE-2019-15695: Fixed a stack-based buffer overflow, which could be triggered from CMsgReader::readSetCursor (bsc#1159860). Other bugs fixed: - Fix random connection freezes (bsc#1169952, bsc#1160249, bsc#1165680): Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1749=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1749=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libXvnc1-1.6.0-22.14.1 libXvnc1-debuginfo-1.6.0-22.14.1 tigervnc-1.6.0-22.14.1 tigervnc-debuginfo-1.6.0-22.14.1 tigervnc-debugsource-1.6.0-22.14.1 xorg-x11-Xvnc-1.6.0-22.14.1 xorg-x11-Xvnc-debuginfo-1.6.0-22.14.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libXvnc1-1.6.0-22.14.1 libXvnc1-debuginfo-1.6.0-22.14.1 tigervnc-1.6.0-22.14.1 tigervnc-debuginfo-1.6.0-22.14.1 tigervnc-debugsource-1.6.0-22.14.1 xorg-x11-Xvnc-1.6.0-22.14.1 xorg-x11-Xvnc-debuginfo-1.6.0-22.14.1 References: https://www.suse.com/security/cve/CVE-2019-15691.html https://www.suse.com/security/cve/CVE-2019-15692.html https://www.suse.com/security/cve/CVE-2019-15693.html https://www.suse.com/security/cve/CVE-2019-15694.html https://www.suse.com/security/cve/CVE-2019-15695.html https://bugzilla.suse.com/1159856 https://bugzilla.suse.com/1159858 https://bugzilla.suse.com/1159860 https://bugzilla.suse.com/1160249 https://bugzilla.suse.com/1160250 https://bugzilla.suse.com/1160251 https://bugzilla.suse.com/1160937 https://bugzilla.suse.com/1165680 https://bugzilla.suse.com/1169952 From sle-updates at lists.suse.com Fri Jun 26 04:13:17 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 12:13:17 +0200 (CEST) Subject: SUSE-SU-2020:1775-1: important: 
Security update for the Linux Kernel (Live Patch 3 for SLE 12 SP5) Message-ID: <20200626101317.63C6AF3E2@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 3 for SLE 12 SP5) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1775-1 Rating: important References: #1171746 #1172437 Cross-References: CVE-2018-1000199 CVE-2020-10757 Affected Products: SUSE Linux Enterprise Live Patching 12-SP5 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-122_17 fixes several issues. The following security issues were fixed: - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437). - CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1171746). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2020-1774=1 SUSE-SLE-Live-Patching-12-SP5-2020-1775=1 SUSE-SLE-Live-Patching-12-SP5-2020-1776=1 SUSE-SLE-Live-Patching-12-SP5-2020-1777=1 SUSE-SLE-Live-Patching-12-SP5-2020-1778=1 Package List: - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kgraft-patch-4_12_14-122_17-default-4-2.1 kgraft-patch-4_12_14-122_20-default-3-2.1 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le x86_64): kgraft-patch-4_12_14-120-default-5-12.2 kgraft-patch-4_12_14-120-default-debuginfo-5-12.2 kgraft-patch-4_12_14-122_12-default-5-2.1 kgraft-patch-4_12_14-122_7-default-5-2.1 kgraft-patch-SLE12-SP5_Update_0-debugsource-5-12.2 References: https://www.suse.com/security/cve/CVE-2018-1000199.html https://www.suse.com/security/cve/CVE-2020-10757.html https://bugzilla.suse.com/1171746 https://bugzilla.suse.com/1172437 From sle-updates at lists.suse.com Fri Jun 26 04:14:10 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 12:14:10 +0200 (CEST) Subject: SUSE-SU-2020:1781-1: important: Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) Message-ID: <20200626101410.94A59F3E2@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1781-1 Rating: important References: #1172437 Cross-References: CVE-2020-10757 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.4.180-94_107 fixes one issue. 
The following security issue was fixed: - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1780=1 SUSE-SLE-SAP-12-SP3-2020-1781=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1780=1 SUSE-SLE-SERVER-12-SP3-2020-1781=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_180-94_107-default-6-2.1 kgraft-patch-4_4_180-94_107-default-debuginfo-6-2.1 kgraft-patch-4_4_180-94_113-default-5-2.1 kgraft-patch-4_4_180-94_113-default-debuginfo-5-2.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_180-94_107-default-6-2.1 kgraft-patch-4_4_180-94_107-default-debuginfo-6-2.1 kgraft-patch-4_4_180-94_113-default-5-2.1 kgraft-patch-4_4_180-94_113-default-debuginfo-5-2.1 References: https://www.suse.com/security/cve/CVE-2020-10757.html https://bugzilla.suse.com/1172437 From sle-updates at lists.suse.com Fri Jun 26 04:14:57 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 12:14:57 +0200 (CEST) Subject: SUSE-SU-2020:1769-1: important: Security update for squid Message-ID: <20200626101457.BFF0FF3E2@maintenance.suse.de> SUSE Security Update: Security update for squid ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1769-1 Rating: important References: #1173304 Cross-References: CVE-2020-14059 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Server Applications 15-SP2 SUSE Linux Enterprise Module for Server Applications 
15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for squid fixes the following issues: squid was updated to version 4.12 Security issue fixed: - CVE-2020-14059: Fixed an issue where a client could potentially deny the service of a server during TLS Handshake (bsc#1173304). Other issues addressed: - Reverted to slow search for new SMP shm pages due to a regression - Fixed an issue where negative responses were never cached - Fixed stall if transaction was overwriting a recently active cache entry Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1769=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1769=1 - SUSE Linux Enterprise Module for Server Applications 15-SP2: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP2-2020-1769=1 - SUSE Linux Enterprise Module for Server Applications 15-SP1: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2020-1769=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1769=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1769=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): squid-4.12-5.20.1 squid-debuginfo-4.12-5.20.1 squid-debugsource-4.12-5.20.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): squid-4.12-5.20.1 squid-debuginfo-4.12-5.20.1 squid-debugsource-4.12-5.20.1 - SUSE Linux Enterprise Module for Server Applications 15-SP2 
(aarch64 ppc64le s390x x86_64): squid-4.12-5.20.1 squid-debuginfo-4.12-5.20.1 squid-debugsource-4.12-5.20.1 - SUSE Linux Enterprise Module for Server Applications 15-SP1 (aarch64 ppc64le s390x x86_64): squid-4.12-5.20.1 squid-debuginfo-4.12-5.20.1 squid-debugsource-4.12-5.20.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): squid-4.12-5.20.1 squid-debuginfo-4.12-5.20.1 squid-debugsource-4.12-5.20.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): squid-4.12-5.20.1 squid-debuginfo-4.12-5.20.1 squid-debugsource-4.12-5.20.1 References: https://www.suse.com/security/cve/CVE-2020-14059.html https://bugzilla.suse.com/1173304 From sle-updates at lists.suse.com Fri Jun 26 04:15:41 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 12:15:41 +0200 (CEST) Subject: SUSE-SU-2020:1770-1: important: Security update for squid Message-ID: <20200626101541.01FB5FC36@maintenance.suse.de> SUSE Security Update: Security update for squid ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1770-1 Rating: important References: #1173304 Cross-References: CVE-2020-14059 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for squid fixes the following issues: squid was updated to version 4.12 Security issue fixed: - CVE-2020-14059: Fixed an issue where a client could potentially deny the service of a server during TLS Handshake (bsc#1173304). 
Other issues addressed: - Reverted to slow search for new SMP shm pages due to a regression - Fixed an issue where negative responses were never cached - Fixed stall if transaction was overwriting a recently active cache entry Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1770=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): squid-4.12-4.12.1 squid-debuginfo-4.12-4.12.1 squid-debugsource-4.12-4.12.1 References: https://www.suse.com/security/cve/CVE-2020-14059.html https://bugzilla.suse.com/1173304 From sle-updates at lists.suse.com Fri Jun 26 04:16:19 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 12:16:19 +0200 (CEST) Subject: SUSE-SU-2020:1772-1: important: Security update for unbound Message-ID: <20200626101619.C3F10FC36@maintenance.suse.de> SUSE Security Update: Security update for unbound ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1772-1 Rating: important References: #1157268 #1171889 Cross-References: CVE-2019-18934 CVE-2020-12662 CVE-2020-12663 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for unbound fixes the following issues: - CVE-2020-12662: Fixed an issue where unbound could have been tricked into amplifying an incoming query into a large number of queries directed to a target (bsc#1171889). 
- CVE-2020-12663: Fixed an issue where malformed answers from upstream name servers could have been used to make unbound unresponsive (bsc#1171889). - CVE-2019-18934: Fixed a vulnerability in the IPSec module which could have allowed code execution after receiving a specially crafted answer (bsc#1157268). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1772=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1772=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libunbound2-1.6.8-10.3.1 libunbound2-debuginfo-1.6.8-10.3.1 unbound-anchor-1.6.8-10.3.1 unbound-anchor-debuginfo-1.6.8-10.3.1 unbound-debuginfo-1.6.8-10.3.1 unbound-debugsource-1.6.8-10.3.1 unbound-devel-1.6.8-10.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): libunbound2-1.6.8-10.3.1 libunbound2-debuginfo-1.6.8-10.3.1 unbound-anchor-1.6.8-10.3.1 unbound-anchor-debuginfo-1.6.8-10.3.1 unbound-debuginfo-1.6.8-10.3.1 unbound-debugsource-1.6.8-10.3.1 unbound-devel-1.6.8-10.3.1 References: https://www.suse.com/security/cve/CVE-2019-18934.html https://www.suse.com/security/cve/CVE-2020-12662.html https://www.suse.com/security/cve/CVE-2020-12663.html https://bugzilla.suse.com/1157268 https://bugzilla.suse.com/1171889 From sle-updates at lists.suse.com Fri Jun 26 04:17:08 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 12:17:08 +0200 (CEST) Subject: SUSE-SU-2020:1773-1: important: Security update for curl Message-ID: <20200626101708.342E2F3E2@maintenance.suse.de> SUSE Security Update: Security update for curl 
______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1773-1 Rating: important References: #1173027 Cross-References: CVE-2020-8177 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for curl fixes the following issues: - CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1773=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1773=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1773=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1773=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1773=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): curl-7.60.0-3.29.1 curl-debuginfo-7.60.0-3.29.1 curl-debugsource-7.60.0-3.29.1 libcurl-devel-7.60.0-3.29.1 libcurl4-7.60.0-3.29.1 libcurl4-debuginfo-7.60.0-3.29.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libcurl4-32bit-7.60.0-3.29.1 libcurl4-32bit-debuginfo-7.60.0-3.29.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): curl-7.60.0-3.29.1 
curl-debuginfo-7.60.0-3.29.1 curl-debugsource-7.60.0-3.29.1 libcurl-devel-7.60.0-3.29.1 libcurl4-7.60.0-3.29.1 libcurl4-debuginfo-7.60.0-3.29.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): curl-7.60.0-3.29.1 curl-debuginfo-7.60.0-3.29.1 curl-debugsource-7.60.0-3.29.1 libcurl-devel-7.60.0-3.29.1 libcurl4-7.60.0-3.29.1 libcurl4-debuginfo-7.60.0-3.29.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libcurl4-32bit-7.60.0-3.29.1 libcurl4-32bit-debuginfo-7.60.0-3.29.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): curl-7.60.0-3.29.1 curl-debuginfo-7.60.0-3.29.1 curl-debugsource-7.60.0-3.29.1 libcurl-devel-7.60.0-3.29.1 libcurl4-7.60.0-3.29.1 libcurl4-debuginfo-7.60.0-3.29.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libcurl4-32bit-7.60.0-3.29.1 libcurl4-32bit-debuginfo-7.60.0-3.29.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): curl-7.60.0-3.29.1 curl-debuginfo-7.60.0-3.29.1 curl-debugsource-7.60.0-3.29.1 libcurl-devel-7.60.0-3.29.1 libcurl4-7.60.0-3.29.1 libcurl4-debuginfo-7.60.0-3.29.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libcurl4-32bit-7.60.0-3.29.1 libcurl4-32bit-debuginfo-7.60.0-3.29.1 References: https://www.suse.com/security/cve/CVE-2020-8177.html https://bugzilla.suse.com/1173027 From sle-updates at lists.suse.com Fri Jun 26 04:17:51 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 12:17:51 +0200 (CEST) Subject: SUSE-SU-2020:1771-1: important: Security update for mutt Message-ID: <20200626101751.7D077FC36@maintenance.suse.de> SUSE Security Update: Security update for mutt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1771-1 Rating: important References: #1172906 #1172935 #1173197 Cross-References: CVE-2020-14093 CVE-2020-14154 CVE-2020-14954 Affected Products: SUSE Linux Enterprise 
Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for mutt fixes the following issues: - CVE-2020-14954: Fixed a response injection due to a STARTTLS buffering issue which was affecting IMAP, SMTP, and POP3 (bsc#1173197). - CVE-2020-14093: Fixed a potential IMAP Man-in-the-Middle attack via a PREAUTH response (bsc#1172906, bsc#1172935). - CVE-2020-14154: Fixed an issue where Mutt was ignoring an expired certificate and was proceeding with a connection (bsc#1172906, bsc#1172935). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1771=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1771=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1771=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1771=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1771=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1771=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): mutt-1.10.1-3.8.1 mutt-debuginfo-1.10.1-3.8.1 mutt-debugsource-1.10.1-3.8.1 - SUSE Linux Enterprise Server for SAP 15 (noarch): mutt-doc-1.10.1-3.8.1 mutt-lang-1.10.1-3.8.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): mutt-1.10.1-3.8.1 mutt-debuginfo-1.10.1-3.8.1 mutt-debugsource-1.10.1-3.8.1 - SUSE Linux Enterprise Server 15-LTSS (noarch): mutt-doc-1.10.1-3.8.1 mutt-lang-1.10.1-3.8.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): mutt-1.10.1-3.8.1 mutt-debuginfo-1.10.1-3.8.1 mutt-debugsource-1.10.1-3.8.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): mutt-doc-1.10.1-3.8.1 mutt-lang-1.10.1-3.8.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): mutt-1.10.1-3.8.1 mutt-debuginfo-1.10.1-3.8.1 mutt-debugsource-1.10.1-3.8.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): mutt-doc-1.10.1-3.8.1 mutt-lang-1.10.1-3.8.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): mutt-1.10.1-3.8.1 mutt-debuginfo-1.10.1-3.8.1 mutt-debugsource-1.10.1-3.8.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): mutt-doc-1.10.1-3.8.1 
mutt-lang-1.10.1-3.8.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): mutt-1.10.1-3.8.1 mutt-debuginfo-1.10.1-3.8.1 mutt-debugsource-1.10.1-3.8.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): mutt-doc-1.10.1-3.8.1 mutt-lang-1.10.1-3.8.1 References: https://www.suse.com/security/cve/CVE-2020-14093.html https://www.suse.com/security/cve/CVE-2020-14154.html https://www.suse.com/security/cve/CVE-2020-14954.html https://bugzilla.suse.com/1172906 https://bugzilla.suse.com/1172935 https://bugzilla.suse.com/1173197 From sle-updates at lists.suse.com Fri Jun 26 04:18:46 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 12:18:46 +0200 (CEST) Subject: SUSE-SU-2020:1784-1: important: Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) Message-ID: <20200626101846.7A9F2FC36@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1784-1 Rating: important References: #1172140 #1172437 Cross-References: CVE-2019-15666 CVE-2020-10757 Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for the Linux Kernel 4.4.180-94_100 fixes several issues. The following security issues were fixed: - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437). - CVE-2019-15666: Fixed an out of bounds read in __xfrm_policy_unlink, which could have led to denial of service (bsc#1172140). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1782=1 SUSE-SLE-SAP-12-SP3-2020-1783=1 SUSE-SLE-SAP-12-SP3-2020-1784=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1782=1 SUSE-SLE-SERVER-12-SP3-2020-1783=1 SUSE-SLE-SERVER-12-SP3-2020-1784=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_180-94_100-default-8-2.1 kgraft-patch-4_4_180-94_100-default-debuginfo-8-2.1 kgraft-patch-4_4_180-94_103-default-8-2.1 kgraft-patch-4_4_180-94_103-default-debuginfo-8-2.1 kgraft-patch-4_4_180-94_97-default-10-2.1 kgraft-patch-4_4_180-94_97-default-debuginfo-10-2.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_180-94_100-default-8-2.1 kgraft-patch-4_4_180-94_100-default-debuginfo-8-2.1 kgraft-patch-4_4_180-94_103-default-8-2.1 kgraft-patch-4_4_180-94_103-default-debuginfo-8-2.1 kgraft-patch-4_4_180-94_97-default-10-2.1 kgraft-patch-4_4_180-94_97-default-debuginfo-10-2.1 References: https://www.suse.com/security/cve/CVE-2019-15666.html https://www.suse.com/security/cve/CVE-2020-10757.html https://bugzilla.suse.com/1172140 https://bugzilla.suse.com/1172437 From sle-updates at lists.suse.com Fri Jun 26 04:19:32 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 12:19:32 +0200 (CEST) Subject: SUSE-SU-2020:1779-1: important: Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) Message-ID: <20200626101932.5011FF3E2@maintenance.suse.de> SUSE Security Update: Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1779-1 Rating: important References: #1165631 #1171252 #1171254 #1172437 Cross-References: CVE-2020-10757 CVE-2020-12653 CVE-2020-12654 CVE-2020-1749 Affected Products: SUSE 
Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for the Linux Kernel 4.4.180-94_116 fixes several issues. The following security issues were fixed: - CVE-2020-10757: Fixed an issue where remapping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172437). - CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171254). - CVE-2020-12654: Fixed an issue in the wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171252). - CVE-2020-1749: Fixed an issue where some ipv6 protocols were not encrypted over ipsec tunnel (bsc#1165631). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1779=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1779=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_180-94_116-default-2-2.1 kgraft-patch-4_4_180-94_116-default-debuginfo-2-2.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_180-94_116-default-2-2.1 kgraft-patch-4_4_180-94_116-default-debuginfo-2-2.1 References: https://www.suse.com/security/cve/CVE-2020-10757.html https://www.suse.com/security/cve/CVE-2020-12653.html https://www.suse.com/security/cve/CVE-2020-12654.html https://www.suse.com/security/cve/CVE-2020-1749.html https://bugzilla.suse.com/1165631 https://bugzilla.suse.com/1171252 https://bugzilla.suse.com/1171254 https://bugzilla.suse.com/1172437 From sle-updates at lists.suse.com Fri Jun 26 07:12:43 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 15:12:43 +0200 (CEST) Subject: SUSE-RU-2020:1786-1: moderate: Recommended update for bcc Message-ID: <20200626131243.DB720F3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for bcc ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1786-1 Rating: moderate References: #1172230 Affected Products: SUSE Linux Enterprise Module for Development Tools 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. 
Description: This update for bcc fixes the following issues: - Recommends kernel-default-devel to be installed when kernel-default or kernel-default-base are installed (bsc#1172230) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Development Tools 15-SP1: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP1-2020-1786=1 Package List: - SUSE Linux Enterprise Module for Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64): bcc-debuginfo-0.5.0-15.6.1 bcc-debugsource-0.5.0-15.6.1 bcc-devel-0.5.0-15.6.1 bcc-docs-0.5.0-15.6.1 bcc-examples-0.5.0-15.6.1 bcc-tools-0.5.0-15.6.1 libbcc0-0.5.0-15.6.1 libbcc0-debuginfo-0.5.0-15.6.1 libbpf0-0.5.0-15.6.1 libbpf0-debuginfo-0.5.0-15.6.1 python3-bcc-0.5.0-15.6.1 References: https://bugzilla.suse.com/1172230 From sle-updates at lists.suse.com Fri Jun 26 07:13:24 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 15:13:24 +0200 (CEST) Subject: SUSE-SU-2020:1789-1: important: Security update for tomcat Message-ID: <20200626131324.88C5BF3E2@maintenance.suse.de> SUSE Security Update: Security update for tomcat ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1789-1 Rating: important References: #1172405 Cross-References: CVE-2020-8022 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for tomcat fixes the following issues: - CVE-2020-8022: Fixed a local root exploit due to improper permissions (bsc#1172405) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1789=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1789=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1789=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1789=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (noarch): tomcat-9.0.35-3.57.3 tomcat-admin-webapps-9.0.35-3.57.3 tomcat-el-3_0-api-9.0.35-3.57.3 tomcat-jsp-2_3-api-9.0.35-3.57.3 tomcat-lib-9.0.35-3.57.3 tomcat-servlet-4_0-api-9.0.35-3.57.3 tomcat-webapps-9.0.35-3.57.3 - SUSE Linux Enterprise Server 15-LTSS (noarch): tomcat-9.0.35-3.57.3 tomcat-admin-webapps-9.0.35-3.57.3 tomcat-el-3_0-api-9.0.35-3.57.3 tomcat-jsp-2_3-api-9.0.35-3.57.3 tomcat-lib-9.0.35-3.57.3 tomcat-servlet-4_0-api-9.0.35-3.57.3 tomcat-webapps-9.0.35-3.57.3 - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): tomcat-9.0.35-3.57.3 tomcat-admin-webapps-9.0.35-3.57.3 tomcat-el-3_0-api-9.0.35-3.57.3 tomcat-jsp-2_3-api-9.0.35-3.57.3 tomcat-lib-9.0.35-3.57.3 tomcat-servlet-4_0-api-9.0.35-3.57.3 tomcat-webapps-9.0.35-3.57.3 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): tomcat-9.0.35-3.57.3 tomcat-admin-webapps-9.0.35-3.57.3 tomcat-el-3_0-api-9.0.35-3.57.3 tomcat-jsp-2_3-api-9.0.35-3.57.3 tomcat-lib-9.0.35-3.57.3 tomcat-servlet-4_0-api-9.0.35-3.57.3 tomcat-webapps-9.0.35-3.57.3 References: https://www.suse.com/security/cve/CVE-2020-8022.html https://bugzilla.suse.com/1172405 From 
sle-updates at lists.suse.com Fri Jun 26 07:14:04 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 15:14:04 +0200 (CEST) Subject: SUSE-RU-2020:1785-1: moderate: Recommended update for perl-TimeDate Message-ID: <20200626131404.EACF6F3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for perl-TimeDate ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1785-1 Rating: moderate References: #1172834 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP1 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for perl-TimeDate fixes the following issue: - Parse out the century if specified (strptime). (bsc#1172834) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1785=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1785=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch): perl-TimeDate-2.30-3.9.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch): perl-TimeDate-2.30-3.9.1 References: https://bugzilla.suse.com/1172834 From sle-updates at lists.suse.com Fri Jun 26 07:14:41 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 15:14:41 +0200 (CEST) Subject: SUSE-SU-2020:1788-1: important: Security update for tomcat Message-ID: <20200626131441.A505AF3E2@maintenance.suse.de> SUSE Security Update: Security update for tomcat ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1788-1 Rating: important References: #1172405 Cross-References: CVE-2020-8022 Affected Products: SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for tomcat fixes the following issues: - CVE-2020-8022: Fixed a local root exploit due to improper permissions (bsc#1172405) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1788=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1788=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (noarch): tomcat-9.0.35-3.39.1 tomcat-admin-webapps-9.0.35-3.39.1 tomcat-docs-webapp-9.0.35-3.39.1 tomcat-el-3_0-api-9.0.35-3.39.1 tomcat-javadoc-9.0.35-3.39.1 tomcat-jsp-2_3-api-9.0.35-3.39.1 tomcat-lib-9.0.35-3.39.1 tomcat-servlet-4_0-api-9.0.35-3.39.1 tomcat-webapps-9.0.35-3.39.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): tomcat-9.0.35-3.39.1 tomcat-admin-webapps-9.0.35-3.39.1 tomcat-docs-webapp-9.0.35-3.39.1 tomcat-el-3_0-api-9.0.35-3.39.1 tomcat-javadoc-9.0.35-3.39.1 tomcat-jsp-2_3-api-9.0.35-3.39.1 tomcat-lib-9.0.35-3.39.1 tomcat-servlet-4_0-api-9.0.35-3.39.1 tomcat-webapps-9.0.35-3.39.1 References: https://www.suse.com/security/cve/CVE-2020-8022.html https://bugzilla.suse.com/1172405 From sle-updates at lists.suse.com Fri Jun 26 07:15:21 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 15:15:21 +0200 (CEST) Subject: SUSE-SU-2020:1791-1: important: Security update for tomcat Message-ID: <20200626131521.C0FD4F3E2@maintenance.suse.de> SUSE Security Update: Security update for tomcat ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1791-1 Rating: important References: #1172405 Cross-References: CVE-2020-8022 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 
______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for tomcat fixes the following issues: - CVE-2020-8022: Fixed a local root exploit due to improper permissions (bsc#1172405) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1791=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1791=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1791=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1791=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1791=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1791=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1791=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1791=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1791=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1791=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1791=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): tomcat-8.0.53-29.32.1 tomcat-admin-webapps-8.0.53-29.32.1 tomcat-docs-webapp-8.0.53-29.32.1 tomcat-el-3_0-api-8.0.53-29.32.1 tomcat-javadoc-8.0.53-29.32.1 tomcat-jsp-2_3-api-8.0.53-29.32.1 tomcat-lib-8.0.53-29.32.1 tomcat-servlet-3_1-api-8.0.53-29.32.1 tomcat-webapps-8.0.53-29.32.1 - SUSE OpenStack Cloud 8 (noarch): tomcat-8.0.53-29.32.1 tomcat-admin-webapps-8.0.53-29.32.1 tomcat-docs-webapp-8.0.53-29.32.1 tomcat-el-3_0-api-8.0.53-29.32.1 
tomcat-javadoc-8.0.53-29.32.1 tomcat-jsp-2_3-api-8.0.53-29.32.1 tomcat-lib-8.0.53-29.32.1 tomcat-servlet-3_1-api-8.0.53-29.32.1 tomcat-webapps-8.0.53-29.32.1 - SUSE OpenStack Cloud 7 (noarch): tomcat-8.0.53-29.32.1 tomcat-admin-webapps-8.0.53-29.32.1 tomcat-docs-webapp-8.0.53-29.32.1 tomcat-el-3_0-api-8.0.53-29.32.1 tomcat-javadoc-8.0.53-29.32.1 tomcat-jsp-2_3-api-8.0.53-29.32.1 tomcat-lib-8.0.53-29.32.1 tomcat-servlet-3_1-api-8.0.53-29.32.1 tomcat-webapps-8.0.53-29.32.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): tomcat-8.0.53-29.32.1 tomcat-admin-webapps-8.0.53-29.32.1 tomcat-docs-webapp-8.0.53-29.32.1 tomcat-el-3_0-api-8.0.53-29.32.1 tomcat-javadoc-8.0.53-29.32.1 tomcat-jsp-2_3-api-8.0.53-29.32.1 tomcat-lib-8.0.53-29.32.1 tomcat-servlet-3_1-api-8.0.53-29.32.1 tomcat-webapps-8.0.53-29.32.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): tomcat-8.0.53-29.32.1 tomcat-admin-webapps-8.0.53-29.32.1 tomcat-docs-webapp-8.0.53-29.32.1 tomcat-el-3_0-api-8.0.53-29.32.1 tomcat-javadoc-8.0.53-29.32.1 tomcat-jsp-2_3-api-8.0.53-29.32.1 tomcat-lib-8.0.53-29.32.1 tomcat-servlet-3_1-api-8.0.53-29.32.1 tomcat-webapps-8.0.53-29.32.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): tomcat-8.0.53-29.32.1 tomcat-admin-webapps-8.0.53-29.32.1 tomcat-docs-webapp-8.0.53-29.32.1 tomcat-el-3_0-api-8.0.53-29.32.1 tomcat-javadoc-8.0.53-29.32.1 tomcat-jsp-2_3-api-8.0.53-29.32.1 tomcat-lib-8.0.53-29.32.1 tomcat-servlet-3_1-api-8.0.53-29.32.1 tomcat-webapps-8.0.53-29.32.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): tomcat-8.0.53-29.32.1 tomcat-admin-webapps-8.0.53-29.32.1 tomcat-docs-webapp-8.0.53-29.32.1 tomcat-el-3_0-api-8.0.53-29.32.1 tomcat-javadoc-8.0.53-29.32.1 tomcat-jsp-2_3-api-8.0.53-29.32.1 tomcat-lib-8.0.53-29.32.1 tomcat-servlet-3_1-api-8.0.53-29.32.1 tomcat-webapps-8.0.53-29.32.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): tomcat-8.0.53-29.32.1 tomcat-admin-webapps-8.0.53-29.32.1 tomcat-docs-webapp-8.0.53-29.32.1 
tomcat-el-3_0-api-8.0.53-29.32.1 tomcat-javadoc-8.0.53-29.32.1 tomcat-jsp-2_3-api-8.0.53-29.32.1 tomcat-lib-8.0.53-29.32.1 tomcat-servlet-3_1-api-8.0.53-29.32.1 tomcat-webapps-8.0.53-29.32.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): tomcat-8.0.53-29.32.1 tomcat-admin-webapps-8.0.53-29.32.1 tomcat-docs-webapp-8.0.53-29.32.1 tomcat-el-3_0-api-8.0.53-29.32.1 tomcat-javadoc-8.0.53-29.32.1 tomcat-jsp-2_3-api-8.0.53-29.32.1 tomcat-lib-8.0.53-29.32.1 tomcat-servlet-3_1-api-8.0.53-29.32.1 tomcat-webapps-8.0.53-29.32.1 - SUSE Enterprise Storage 5 (noarch): tomcat-8.0.53-29.32.1 tomcat-admin-webapps-8.0.53-29.32.1 tomcat-docs-webapp-8.0.53-29.32.1 tomcat-el-3_0-api-8.0.53-29.32.1 tomcat-javadoc-8.0.53-29.32.1 tomcat-jsp-2_3-api-8.0.53-29.32.1 tomcat-lib-8.0.53-29.32.1 tomcat-servlet-3_1-api-8.0.53-29.32.1 tomcat-webapps-8.0.53-29.32.1 - HPE Helion Openstack 8 (noarch): tomcat-8.0.53-29.32.1 tomcat-admin-webapps-8.0.53-29.32.1 tomcat-docs-webapp-8.0.53-29.32.1 tomcat-el-3_0-api-8.0.53-29.32.1 tomcat-javadoc-8.0.53-29.32.1 tomcat-jsp-2_3-api-8.0.53-29.32.1 tomcat-lib-8.0.53-29.32.1 tomcat-servlet-3_1-api-8.0.53-29.32.1 tomcat-webapps-8.0.53-29.32.1 References: https://www.suse.com/security/cve/CVE-2020-8022.html https://bugzilla.suse.com/1172405 From sle-updates at lists.suse.com Fri Jun 26 07:16:02 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 15:16:02 +0200 (CEST) Subject: SUSE-OU-2020:1787-1: Recommended update for python-scipy Message-ID: <20200626131602.0B256F3E2@maintenance.suse.de> SUSE Optional Update: Recommended update for python-scipy ______________________________________________________________________________ Announcement ID: SUSE-OU-2020:1787-1 Rating: low References: #1171510 Affected Products: SUSE Linux Enterprise Module for HPC 15-SP1 SUSE Enterprise Storage 6 ______________________________________________________________________________ An update that has one optional fix can now be installed. 
Description: This update for python-scipy doesn't fix any user visible issues, but improves the package building process. Patch Instructions: To install this SUSE Optional Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for HPC 15-SP1: zypper in -t patch SUSE-SLE-Module-HPC-15-SP1-2020-1787=1 - SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2020-1787=1 Package List: - SUSE Linux Enterprise Module for HPC 15-SP1 (aarch64 x86_64): python-scipy_1_2_0-gnu-hpc-debuginfo-1.2.0-4.3.1 python-scipy_1_2_0-gnu-hpc-debugsource-1.2.0-4.3.1 python2-scipy-gnu-hpc-1.2.0-4.3.1 python2-scipy_1_2_0-gnu-hpc-1.2.0-4.3.1 python2-scipy_1_2_0-gnu-hpc-debuginfo-1.2.0-4.3.1 python3-scipy-gnu-hpc-1.2.0-4.3.1 python3-scipy_1_2_0-gnu-hpc-1.2.0-4.3.1 python3-scipy_1_2_0-gnu-hpc-debuginfo-1.2.0-4.3.1 - SUSE Enterprise Storage 6 (aarch64 x86_64): python-scipy-debuginfo-1.2.0-4.3.1 python-scipy-debugsource-1.2.0-4.3.1 python3-scipy-1.2.0-4.3.1 python3-scipy-debuginfo-1.2.0-4.3.1 References: https://bugzilla.suse.com/1171510 From sle-updates at lists.suse.com Fri Jun 26 07:16:39 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 15:16:39 +0200 (CEST) Subject: SUSE-SU-2020:1790-1: important: Security update for tomcat Message-ID: <20200626131639.594DBF3E2@maintenance.suse.de> SUSE Security Update: Security update for tomcat ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1790-1 Rating: important References: #1172405 Cross-References: CVE-2020-8022 Affected Products: SUSE Linux Enterprise Module for Web Scripting 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. 
Description: This update for tomcat fixes the following issues: - CVE-2020-8022: Fixed a local root exploit due to improper permissions (bsc#1172405) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Web Scripting 15-SP1: zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP1-2020-1790=1 Package List: - SUSE Linux Enterprise Module for Web Scripting 15-SP1 (noarch): tomcat-9.0.35-4.35.1 tomcat-admin-webapps-9.0.35-4.35.1 tomcat-el-3_0-api-9.0.35-4.35.1 tomcat-jsp-2_3-api-9.0.35-4.35.1 tomcat-lib-9.0.35-4.35.1 tomcat-servlet-4_0-api-9.0.35-4.35.1 tomcat-webapps-9.0.35-4.35.1 References: https://www.suse.com/security/cve/CVE-2020-8022.html https://bugzilla.suse.com/1172405 From sle-updates at lists.suse.com Fri Jun 26 10:14:10 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Fri, 26 Jun 2020 18:14:10 +0200 (CEST) Subject: SUSE-SU-2020:1792-1: moderate: Security update for python3-requests Message-ID: <20200626161410.2BA37F3D7@maintenance.suse.de> SUSE Security Update: Security update for python3-requests ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1792-1 Rating: moderate References: #1054413 #1073879 #1111622 #1122668 #761500 #922448 #929736 #935252 #945455 #947357 #961596 #967128 Cross-References: CVE-2015-2296 CVE-2018-18074 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Manager Server 3.2 SUSE Manager Proxy 3.2 SUSE Linux Enterprise Workstation Extension 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux 
Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Module for Public Cloud 12 SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that solves two vulnerabilities and has 10 fixes is now available. Description: This update for python3-requests provides the following fix: python-requests was updated to 2.20.1. Update to version 2.20.1: * Fixed bug with unintended Authorization header stripping for redirects using default ports (http/80, https/443). Update to version 2.20.0: * Bugfixes + Content-Type header parsing is now case-insensitive (e.g. charset=utf8 v Charset=utf8). + Fixed exception leak where certain redirect urls would raise uncaught urllib3 exceptions. + Requests removes Authorization header from requests redirected from https to http on the same hostname. (CVE-2018-18074) + should_bypass_proxies now handles URIs without hostnames (e.g. files). Update to version 2.19.1: * Fixed issue where status_codes.py's init function failed trying to append to a __doc__ value of None. Update to version 2.19.0: * Improvements + Warn about possible slowdown with cryptography version < 1.3.4 + Check host in proxy URL, before forwarding request to adapter. + Maintain fragments properly across redirects. (RFC7231 7.1.2) + Removed use of cgi module to expedite library load time. + Added support for SHA-256 and SHA-512 digest auth algorithms. + Minor performance improvement to Request.content. * Bugfixes + Parsing empty Link headers with parse_header_links() no longer returns one bogus entry. + Fixed issue where loading the default certificate bundle from a zip archive would raise an IOError. + Fixed issue with unexpected ImportError on Windows systems which do not support winreg module. + DNS resolution in proxy bypass no longer includes the username and password in the request.
This also fixes the issue of DNS queries failing on macOS. + Properly normalize adapter prefixes for url comparison. + Passing None as a file pointer to the files param no longer raises an exception. + Calling copy on a RequestsCookieJar will now preserve the cookie policy correctly. Update to version 2.18.4: * Improvements + Error messages for invalid headers now include the header name for easier debugging Update to version 2.18.3: * Improvements + Running $ python -m requests.help now includes the installed version of idna. * Bugfixes + Fixed issue where Requests would raise ConnectionError instead of SSLError when encountering SSL problems when using urllib3 v1.22. - Add ca-certificates (and ca-certificates-mozilla) to dependencies, otherwise https connections will fail. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1792=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1792=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1792=1 - SUSE Manager Server 3.2: zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-1792=1 - SUSE Manager Proxy 3.2: zypper in -t patch SUSE-SUSE-Manager-Proxy-3.2-2020-1792=1 - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1792=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1792=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1792=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1792=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1792=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch 
SUSE-SLE-SERVER-12-SP4-2020-1792=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1792=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1792=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1792=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1792=1 - SUSE Linux Enterprise Module for Public Cloud 12: zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2020-1792=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1792=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1792=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE OpenStack Cloud 8 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE OpenStack Cloud 7 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Manager Server 3.2 (noarch): python-certifi-2018.4.16-3.6.1 python-chardet-3.0.4-5.6.1 python-urllib3-1.22-3.20.1 python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Manager Proxy 3.2 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Workstation Extension 12-SP5 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (noarch): 
python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server 12-SP5 (noarch): python-certifi-2018.4.16-3.6.1 python-chardet-3.0.4-5.6.1 python-urllib3-1.22-3.20.1 python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server 12-SP4 (noarch): python-chardet-3.0.4-5.6.1 python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server 12-SP3-BCL (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Server 12-SP2-BCL (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - SUSE Linux Enterprise Module for Public Cloud 12 (noarch): python-certifi-2018.4.16-3.6.1 python-chardet-3.0.4-5.6.1 python-urllib3-1.22-3.20.1 python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-urllib3-1.22-3.20.1 - SUSE Enterprise Storage 5 (noarch): python-urllib3-1.22-3.20.1 python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 - HPE Helion Openstack 8 (noarch): python3-certifi-2018.4.16-3.6.1 python3-chardet-3.0.4-5.6.1 python3-requests-2.20.1-5.2 python3-urllib3-1.22-3.20.1 References: 
https://www.suse.com/security/cve/CVE-2015-2296.html https://www.suse.com/security/cve/CVE-2018-18074.html https://bugzilla.suse.com/1054413 https://bugzilla.suse.com/1073879 https://bugzilla.suse.com/1111622 https://bugzilla.suse.com/1122668 https://bugzilla.suse.com/761500 https://bugzilla.suse.com/922448 https://bugzilla.suse.com/929736 https://bugzilla.suse.com/935252 https://bugzilla.suse.com/945455 https://bugzilla.suse.com/947357 https://bugzilla.suse.com/961596 https://bugzilla.suse.com/967128 From sle-updates at lists.suse.com Mon Jun 29 07:13:01 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 29 Jun 2020 15:13:01 +0200 (CEST) Subject: SUSE-SU-2020:1794-1: important: Security update for mutt Message-ID: <20200629131301.989A9F3E2@maintenance.suse.de> SUSE Security Update: Security update for mutt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1794-1 Rating: important References: #1172906 #1172935 #1173197 Cross-References: CVE-2020-14093 CVE-2020-14154 CVE-2020-14954 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for mutt fixes the following issues: - CVE-2020-14954: Fixed a response injection due to a STARTTLS buffering issue which was affecting IMAP, SMTP, and POP3 (bsc#1173197). 
- CVE-2020-14093: Fixed a potential IMAP Man-in-the-Middle attack via a PREAUTH response (bsc#1172906, bsc#1172935). - CVE-2020-14154: Fixed an issue where Mutt was ignoring an expired certificate and was proceeding with a connection (bsc#1172906, bsc#1172935). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1794=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1794=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1794=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1794=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1794=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1794=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1794=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1794=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1794=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1794=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1794=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1794=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1794=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (x86_64): mutt-1.10.1-55.11.1 mutt-debuginfo-1.10.1-55.11.1 mutt-debugsource-1.10.1-55.11.1 - SUSE OpenStack Cloud 8 (x86_64): mutt-1.10.1-55.11.1 mutt-debuginfo-1.10.1-55.11.1 mutt-debugsource-1.10.1-55.11.1 - SUSE OpenStack Cloud 7 (s390x x86_64): mutt-1.10.1-55.11.1 
mutt-debuginfo-1.10.1-55.11.1 mutt-debugsource-1.10.1-55.11.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): mutt-1.10.1-55.11.1 mutt-debuginfo-1.10.1-55.11.1 mutt-debugsource-1.10.1-55.11.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): mutt-1.10.1-55.11.1 mutt-debuginfo-1.10.1-55.11.1 mutt-debugsource-1.10.1-55.11.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): mutt-1.10.1-55.11.1 mutt-debuginfo-1.10.1-55.11.1 mutt-debugsource-1.10.1-55.11.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): mutt-1.10.1-55.11.1 mutt-debuginfo-1.10.1-55.11.1 mutt-debugsource-1.10.1-55.11.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): mutt-1.10.1-55.11.1 mutt-debuginfo-1.10.1-55.11.1 mutt-debugsource-1.10.1-55.11.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): mutt-1.10.1-55.11.1 mutt-debuginfo-1.10.1-55.11.1 mutt-debugsource-1.10.1-55.11.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): mutt-1.10.1-55.11.1 mutt-debuginfo-1.10.1-55.11.1 mutt-debugsource-1.10.1-55.11.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): mutt-1.10.1-55.11.1 mutt-debuginfo-1.10.1-55.11.1 mutt-debugsource-1.10.1-55.11.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): mutt-1.10.1-55.11.1 mutt-debuginfo-1.10.1-55.11.1 mutt-debugsource-1.10.1-55.11.1 - HPE Helion Openstack 8 (x86_64): mutt-1.10.1-55.11.1 mutt-debuginfo-1.10.1-55.11.1 mutt-debugsource-1.10.1-55.11.1 References: https://www.suse.com/security/cve/CVE-2020-14093.html https://www.suse.com/security/cve/CVE-2020-14154.html https://www.suse.com/security/cve/CVE-2020-14954.html https://bugzilla.suse.com/1172906 https://bugzilla.suse.com/1172935 https://bugzilla.suse.com/1173197 From sle-updates at lists.suse.com Mon Jun 29 07:13:56 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 29 Jun 2020 15:13:56 +0200 (CEST) Subject: SUSE-RU-2020:1795-1: important: Recommended update for lvm2 
Message-ID: <20200629131356.E2A35F3E2@maintenance.suse.de> SUSE Recommended Update: Recommended update for lvm2 ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1795-1 Rating: important References: #1172566 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise High Availability 15-SP2 ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update for lvm2 fixes the following issues: - Fix potential data loss problem with LVM cache (bsc#1172566) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1795=1 - SUSE Linux Enterprise High Availability 15-SP2: zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2020-1795=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): device-mapper-1.02.163-8.3.1 device-mapper-debuginfo-1.02.163-8.3.1 device-mapper-devel-1.02.163-8.3.1 libdevmapper-event1_03-1.02.163-8.3.1 libdevmapper-event1_03-debuginfo-1.02.163-8.3.1 libdevmapper1_03-1.02.163-8.3.1 libdevmapper1_03-debuginfo-1.02.163-8.3.1 liblvm2cmd2_03-2.03.05-8.3.1 liblvm2cmd2_03-debuginfo-2.03.05-8.3.1 lvm2-2.03.05-8.3.1 lvm2-debuginfo-2.03.05-8.3.1 lvm2-debugsource-2.03.05-8.3.1 lvm2-devel-2.03.05-8.3.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): libdevmapper1_03-32bit-1.02.163-8.3.1 libdevmapper1_03-32bit-debuginfo-1.02.163-8.3.1 - SUSE Linux Enterprise High Availability 15-SP2 (aarch64 ppc64le s390x x86_64): lvm2-lockd-2.03.05-8.3.1 lvm2-lockd-debuginfo-2.03.05-8.3.1 lvm2-lvmlockd-debugsource-2.03.05-8.3.1 References: https://bugzilla.suse.com/1172566 
From sle-updates at lists.suse.com Mon Jun 29 10:16:05 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Mon, 29 Jun 2020 18:16:05 +0200 (CEST) Subject: SUSE-SU-2020:1796-1: moderate: Security update for unzip Message-ID: <20200629161605.B00ECFEE0@maintenance.suse.de> SUSE Security Update: Security update for unzip ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1796-1 Rating: moderate References: #1110194 Cross-References: CVE-2018-18384 Affected Products: SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for unzip fixes the following issues: - CVE-2018-18384: Fixed a buffer overflow when listing files (bsc#1110194) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1796=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1796=1 Package List: - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): unzip-6.00-33.13.3 unzip-debuginfo-6.00-33.13.3 unzip-debugsource-6.00-33.13.3 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): unzip-6.00-33.13.3 unzip-debuginfo-6.00-33.13.3 unzip-debugsource-6.00-33.13.3 References: https://www.suse.com/security/cve/CVE-2018-18384.html https://bugzilla.suse.com/1110194 From sle-updates at lists.suse.com Tue Jun 30 07:12:37 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 30 Jun 2020 15:12:37 +0200 (CEST) Subject: SUSE-SU-2020:14414-1: important: Security update for mutt Message-ID: <20200630131237.3FBC5FF0B@maintenance.suse.de> SUSE Security Update: Security update for mutt ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:14414-1 Rating: important References: #1172906 #1172935 #1173197 Cross-References: CVE-2020-14093 CVE-2020-14154 CVE-2020-14954 Affected Products: SUSE Linux Enterprise Server 11-SP4-LTSS SUSE Linux Enterprise Point of Sale 11-SP3 SUSE Linux Enterprise Debuginfo 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP3 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for mutt fixes the following issues: - CVE-2020-14954: Fixed a response injection due to a STARTTLS buffering issue which was affecting IMAP, SMTP, and POP3 (bsc#1173197). - CVE-2020-14093: Fixed a potential IMAP Man-in-the-Middle attack via a PREAUTH response (bsc#1172906, bsc#1172935). 
- CVE-2020-14154: Fixed an issue where Mutt was ignoring an expired certificate and was proceeding with a connection (bsc#1172906, bsc#1172935). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 11-SP4-LTSS: zypper in -t patch slessp4-mutt-14414=1 - SUSE Linux Enterprise Point of Sale 11-SP3: zypper in -t patch sleposp3-mutt-14414=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-mutt-14414=1 - SUSE Linux Enterprise Debuginfo 11-SP3: zypper in -t patch dbgsp3-mutt-14414=1 Package List: - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64): mutt-1.5.17-42.51.1 - SUSE Linux Enterprise Point of Sale 11-SP3 (i586): mutt-1.5.17-42.51.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64): mutt-debuginfo-1.5.17-42.51.1 mutt-debugsource-1.5.17-42.51.1 - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64): mutt-debuginfo-1.5.17-42.51.1 mutt-debugsource-1.5.17-42.51.1 References: https://www.suse.com/security/cve/CVE-2020-14093.html https://www.suse.com/security/cve/CVE-2020-14154.html https://www.suse.com/security/cve/CVE-2020-14954.html https://bugzilla.suse.com/1172906 https://bugzilla.suse.com/1172935 https://bugzilla.suse.com/1173197 From sle-updates at lists.suse.com Tue Jun 30 07:13:33 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 30 Jun 2020 15:13:33 +0200 (CEST) Subject: SUSE-SU-2020:1798-1: moderate: Security update for mariadb-100 Message-ID: <20200630131333.39E5AFF0B@maintenance.suse.de> SUSE Security Update: Security update for mariadb-100 ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1798-1 Rating: moderate References: #1171550 Cross-References: CVE-2020-2752 CVE-2020-2812 Affected Products: SUSE Linux Enterprise 
Workstation Extension 12-SP5 SUSE Linux Enterprise Workstation Extension 12-SP4 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for mariadb-100 fixes the following issues: mariadb-100 was updated to version 10.0.44 (bsc#1171550) - CVE-2020-2752: Fixed an issue which could have resulted in unauthorized ability to cause denial of service. - CVE-2020-2812: Fixed an issue which could have resulted in unauthorized ability to cause denial of service. - Fixed some test failures Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1798=1 - SUSE Linux Enterprise Workstation Extension 12-SP4: zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1798=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1798=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1798=1 - SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1798=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1798=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): libmysqlclient_r18-10.0.40.4-2.20.1 libmysqlclient_r18-32bit-10.0.40.4-2.20.1 mariadb-100-debuginfo-10.0.40.4-2.20.1 mariadb-100-debugsource-10.0.40.4-2.20.1 - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64): libmysqlclient_r18-10.0.40.4-2.20.1 libmysqlclient_r18-32bit-10.0.40.4-2.20.1 
mariadb-100-debuginfo-10.0.40.4-2.20.1 mariadb-100-debugsource-10.0.40.4-2.20.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): libmysqlclient-devel-10.0.40.4-2.20.1 libmysqlclient_r18-10.0.40.4-2.20.1 libmysqld-devel-10.0.40.4-2.20.1 libmysqld18-10.0.40.4-2.20.1 libmysqld18-debuginfo-10.0.40.4-2.20.1 mariadb-100-debuginfo-10.0.40.4-2.20.1 mariadb-100-debugsource-10.0.40.4-2.20.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): libmysqlclient-devel-10.0.40.4-2.20.1 libmysqlclient_r18-10.0.40.4-2.20.1 libmysqld-devel-10.0.40.4-2.20.1 libmysqld18-10.0.40.4-2.20.1 libmysqld18-debuginfo-10.0.40.4-2.20.1 mariadb-100-debuginfo-10.0.40.4-2.20.1 mariadb-100-debugsource-10.0.40.4-2.20.1 - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): libmysqlclient18-10.0.40.4-2.20.1 libmysqlclient18-debuginfo-10.0.40.4-2.20.1 mariadb-100-debuginfo-10.0.40.4-2.20.1 mariadb-100-debugsource-10.0.40.4-2.20.1 mariadb-100-errormessages-10.0.40.4-2.20.1 - SUSE Linux Enterprise Server 12-SP5 (s390x x86_64): libmysqlclient18-32bit-10.0.40.4-2.20.1 libmysqlclient18-debuginfo-32bit-10.0.40.4-2.20.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): libmysqlclient18-10.0.40.4-2.20.1 libmysqlclient18-debuginfo-10.0.40.4-2.20.1 mariadb-100-debuginfo-10.0.40.4-2.20.1 mariadb-100-debugsource-10.0.40.4-2.20.1 mariadb-100-errormessages-10.0.40.4-2.20.1 - SUSE Linux Enterprise Server 12-SP4 (s390x x86_64): libmysqlclient18-32bit-10.0.40.4-2.20.1 libmysqlclient18-debuginfo-32bit-10.0.40.4-2.20.1 References: https://www.suse.com/security/cve/CVE-2020-2752.html https://www.suse.com/security/cve/CVE-2020-2812.html https://bugzilla.suse.com/1171550 From sle-updates at lists.suse.com Tue Jun 30 07:14:16 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 30 Jun 2020 15:14:16 +0200 (CEST) Subject: SUSE-SU-2020:1800-1: moderate: Security update for xmlgraphics-batik 
Message-ID: <20200630131416.C95F9FF0B@maintenance.suse.de> SUSE Security Update: Security update for xmlgraphics-batik ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1800-1 Rating: moderate References: #1172961 Cross-References: CVE-2019-17566 Affected Products: SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for xmlgraphics-batik fixes the following issues: - CVE-2019-17566: Fixed a SSRF which might have allowed the underlying server to make arbitrary GET requests (bsc#1172961). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1800=1 - SUSE Linux Enterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1800=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): xmlgraphics-batik-1.8-3.3.1 - SUSE Linux Enterprise Software Development Kit 12-SP4 (noarch): xmlgraphics-batik-1.8-3.3.1 References: https://www.suse.com/security/cve/CVE-2019-17566.html https://bugzilla.suse.com/1172961 From sle-updates at lists.suse.com Tue Jun 30 10:12:48 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 30 Jun 2020 18:12:48 +0200 (CEST) Subject: SUSE-RU-2020:1802-1: moderate: Recommended update for ucode-intel Message-ID: <20200630161248.CA23EFF0B@maintenance.suse.de> SUSE Recommended Update: Recommended update for ucode-intel ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1802-1 Rating: moderate 
References: #1172466 #1172856 Affected Products: SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that has two recommended fixes can now be installed. Description: This update for ucode-intel fixes the following issues: Updated Intel CPU Microcode to 20200616 official release (bsc#1172856) - revert 06-4e-03 Skylake U/Y, U23e ucode back to 000000d6 release - revert 06-5e-03 Skylake H/S ucode back to 000000d6 release, as both cause stability issues. (bsc#1172856) Updated Intel CPU Microcode to 20200609 official release (bsc#1172466) - no changes to 20200602 prerelease Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1802=1 Package List: - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): ucode-intel-20200616-3.3.1 References: https://bugzilla.suse.com/1172466 https://bugzilla.suse.com/1172856 From sle-updates at lists.suse.com Tue Jun 30 10:13:39 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 30 Jun 2020 18:13:39 +0200 (CEST) Subject: SUSE-RU-2020:1801-1: Recommended update for zeromq Message-ID: <20200630161339.28188FF0B@maintenance.suse.de> SUSE Recommended Update: Recommended update for zeromq ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1801-1 Rating: low References: #1171566 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS 
______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: This update of zeromq fixes the following issue. - the libzmq5-32bit package is shipped on x86_64 platforms. (bsc#1171566) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1801=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1801=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1801=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1801=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1801=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1801=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): libzmq5-4.2.3-3.10.1 libzmq5-debuginfo-4.2.3-3.10.1 zeromq-debugsource-4.2.3-3.10.1 zeromq-devel-4.2.3-3.10.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): libzmq5-32bit-4.2.3-3.10.1 libzmq5-32bit-debuginfo-4.2.3-3.10.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): libzmq5-4.2.3-3.10.1 libzmq5-debuginfo-4.2.3-3.10.1 zeromq-debugsource-4.2.3-3.10.1 zeromq-devel-4.2.3-3.10.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): libzmq5-4.2.3-3.10.1 libzmq5-debuginfo-4.2.3-3.10.1 zeromq-debugsource-4.2.3-3.10.1 zeromq-devel-4.2.3-3.10.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): libzmq5-32bit-4.2.3-3.10.1 libzmq5-32bit-debuginfo-4.2.3-3.10.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 
(aarch64 ppc64le s390x x86_64): libzmq5-4.2.3-3.10.1 libzmq5-debuginfo-4.2.3-3.10.1 zeromq-debugsource-4.2.3-3.10.1 zeromq-devel-4.2.3-3.10.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): libzmq5-32bit-4.2.3-3.10.1 libzmq5-32bit-debuginfo-4.2.3-3.10.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): libzmq5-4.2.3-3.10.1 libzmq5-debuginfo-4.2.3-3.10.1 zeromq-debugsource-4.2.3-3.10.1 zeromq-devel-4.2.3-3.10.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): libzmq5-32bit-4.2.3-3.10.1 libzmq5-32bit-debuginfo-4.2.3-3.10.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): libzmq5-4.2.3-3.10.1 libzmq5-debuginfo-4.2.3-3.10.1 zeromq-debugsource-4.2.3-3.10.1 zeromq-devel-4.2.3-3.10.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): libzmq5-32bit-4.2.3-3.10.1 libzmq5-32bit-debuginfo-4.2.3-3.10.1 References: https://bugzilla.suse.com/1171566 From sle-updates at lists.suse.com Tue Jun 30 10:14:25 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 30 Jun 2020 18:14:25 +0200 (CEST) Subject: SUSE-SU-2020:1803-1: important: Security update for squid Message-ID: <20200630161425.A03ACFF0B@maintenance.suse.de> SUSE Security Update: Security update for squid ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1803-1 Rating: important References: #1167373 #1173304 Cross-References: CVE-2019-18860 CVE-2020-14059 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 
______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for squid fixes the following issues: - CVE-2020-14059: Fixed an issue where a client could potentially deny the service of a server during TLS Handshake (bsc#1173304). - CVE-2019-18860: Fixed handling of invalid domain names in cachemgr.cgi (bsc#1167373). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1803=1 - SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1803=1 - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1803=1 - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1803=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1803=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1803=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1803=1 - SUSE Linux Enterprise Server 12-SP3-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1803=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1803=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1803=1 - SUSE Enterprise Storage 5: zypper in -t patch SUSE-Storage-5-2020-1803=1 - HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2020-1803=1 Package List: - SUSE OpenStack Cloud Crowbar 8 (i586 x86_64): squid-3.5.21-26.26.1 - SUSE OpenStack Cloud Crowbar 8 (x86_64): squid-debuginfo-3.5.21-26.26.1 squid-debugsource-3.5.21-26.26.1 - SUSE OpenStack Cloud 8 (i586 x86_64): squid-3.5.21-26.26.1 - SUSE OpenStack 
Cloud 8 (x86_64): squid-debuginfo-3.5.21-26.26.1 squid-debugsource-3.5.21-26.26.1 - SUSE OpenStack Cloud 7 (i586 s390 s390x x86_64): squid-3.5.21-26.26.1 - SUSE OpenStack Cloud 7 (s390x x86_64): squid-debuginfo-3.5.21-26.26.1 squid-debugsource-3.5.21-26.26.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (i586 ppc64le x86_64): squid-3.5.21-26.26.1 - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): squid-debuginfo-3.5.21-26.26.1 squid-debugsource-3.5.21-26.26.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (i586 ppc64le x86_64): squid-3.5.21-26.26.1 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): squid-debuginfo-3.5.21-26.26.1 squid-debugsource-3.5.21-26.26.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 i586 ppc64le s390 s390x x86_64): squid-3.5.21-26.26.1 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): squid-debuginfo-3.5.21-26.26.1 squid-debugsource-3.5.21-26.26.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 i586 ppc64le s390 s390x x86_64): squid-3.5.21-26.26.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64): squid-debuginfo-3.5.21-26.26.1 squid-debugsource-3.5.21-26.26.1 - SUSE Linux Enterprise Server 12-SP3-BCL (i586 x86_64): squid-3.5.21-26.26.1 - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64): squid-debuginfo-3.5.21-26.26.1 squid-debugsource-3.5.21-26.26.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (i586 ppc64le s390 s390x x86_64): squid-3.5.21-26.26.1 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): squid-debuginfo-3.5.21-26.26.1 squid-debugsource-3.5.21-26.26.1 - SUSE Linux Enterprise Server 12-SP2-BCL (i586 x86_64): squid-3.5.21-26.26.1 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): squid-debuginfo-3.5.21-26.26.1 squid-debugsource-3.5.21-26.26.1 - SUSE Enterprise Storage 5 (aarch64 x86_64): squid-3.5.21-26.26.1 squid-debuginfo-3.5.21-26.26.1 squid-debugsource-3.5.21-26.26.1 - HPE Helion Openstack 8 (i586 x86_64): squid-3.5.21-26.26.1 - HPE Helion 
Openstack 8 (x86_64): squid-debuginfo-3.5.21-26.26.1 squid-debugsource-3.5.21-26.26.1 References: https://www.suse.com/security/cve/CVE-2019-18860.html https://www.suse.com/security/cve/CVE-2020-14059.html https://bugzilla.suse.com/1167373 https://bugzilla.suse.com/1173304 From sle-updates at lists.suse.com Tue Jun 30 13:12:24 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 30 Jun 2020 21:12:24 +0200 (CEST) Subject: SUSE-RU-2020:1808-1: Recommended update for unixODBC Message-ID: <20200630191224.AE6A1FF0B@maintenance.suse.de> SUSE Recommended Update: Recommended update for unixODBC ______________________________________________________________________________ Announcement ID: SUSE-RU-2020:1808-1 Rating: low References: #1171566 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Basesystem 15-SP2 SUSE Linux Enterprise Module for Basesystem 15-SP1 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS ______________________________________________________________________________ An update that has one recommended fix can now be installed. Description: unixODBC was updated to fix the following issue: - ship unixODBC-32bit on x86_64 systems for compatibility (bsc#1171566) Patch Instructions: To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-1808=1 - SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-1808=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-1808=1 - SUSE Linux Enterprise Module for Basesystem 15-SP1: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-1808=1 - SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1808=1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-1808=1 Package List: - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): unixODBC-2.3.6-3.2.1 unixODBC-debuginfo-2.3.6-3.2.1 unixODBC-debugsource-2.3.6-3.2.1 unixODBC-devel-2.3.6-3.2.1 - SUSE Linux Enterprise Server for SAP 15 (x86_64): unixODBC-32bit-2.3.6-3.2.1 unixODBC-32bit-debuginfo-2.3.6-3.2.1 - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): unixODBC-2.3.6-3.2.1 unixODBC-debuginfo-2.3.6-3.2.1 unixODBC-debugsource-2.3.6-3.2.1 unixODBC-devel-2.3.6-3.2.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): unixODBC-2.3.6-3.2.1 unixODBC-debuginfo-2.3.6-3.2.1 unixODBC-debugsource-2.3.6-3.2.1 unixODBC-devel-2.3.6-3.2.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64): unixODBC-32bit-2.3.6-3.2.1 unixODBC-32bit-debuginfo-2.3.6-3.2.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64): unixODBC-2.3.6-3.2.1 unixODBC-debuginfo-2.3.6-3.2.1 unixODBC-debugsource-2.3.6-3.2.1 unixODBC-devel-2.3.6-3.2.1 - SUSE Linux Enterprise Module for Basesystem 15-SP1 (x86_64): unixODBC-32bit-2.3.6-3.2.1 unixODBC-32bit-debuginfo-2.3.6-3.2.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): unixODBC-2.3.6-3.2.1 unixODBC-debuginfo-2.3.6-3.2.1 
unixODBC-debugsource-2.3.6-3.2.1 unixODBC-devel-2.3.6-3.2.1 - SUSE Linux Enterprise High Performance Computing 15-LTSS (x86_64): unixODBC-32bit-2.3.6-3.2.1 unixODBC-32bit-debuginfo-2.3.6-3.2.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): unixODBC-2.3.6-3.2.1 unixODBC-debuginfo-2.3.6-3.2.1 unixODBC-debugsource-2.3.6-3.2.1 unixODBC-devel-2.3.6-3.2.1 - SUSE Linux Enterprise High Performance Computing 15-ESPOS (x86_64): unixODBC-32bit-2.3.6-3.2.1 unixODBC-32bit-debuginfo-2.3.6-3.2.1 References: https://bugzilla.suse.com/1171566 From sle-updates at lists.suse.com Tue Jun 30 13:13:10 2020 From: sle-updates at lists.suse.com (sle-updates at lists.suse.com) Date: Tue, 30 Jun 2020 21:13:10 +0200 (CEST) Subject: SUSE-SU-2020:1805-1: moderate: Security update for ntp Message-ID: <20200630191310.95D8EFF0B@maintenance.suse.de> SUSE Security Update: Security update for ntp ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:1805-1 Rating: moderate References: #1169740 #1171355 #1172651 #1173334 Cross-References: CVE-2018-8956 CVE-2020-11868 CVE-2020-13817 CVE-2020-15025 Affected Products: SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Server 12-SP3-BCL SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Enterprise Storage 5 HPE Helion Openstack 8 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. 
Description:

This update for ntp fixes the following issues:

ntp was updated to 4.2.8p15

- CVE-2020-11868: Fixed an issue in which a server mode packet with a spoofed source address, frequently sent to the client ntpd, could have caused denial of service (bsc#1169740).
- CVE-2018-8956: Fixed an issue which could have allowed remote attackers to prevent a broadcast client from synchronizing its clock with a broadcast NTP server via spoofed mode 3 and mode 5 packets (bsc#1171355).
- CVE-2020-13817: Fixed an issue in which an off-path attacker with the ability to query time from the victim's ntpd instance could have modified the victim's clock by a limited amount (bsc#1172651).
- CVE-2020-15025: Fixed an issue in which a remote attacker could have caused denial of service by consuming the memory when a CMAC key was used and associated with a CMAC algorithm in the ntp.keys (bsc#1173334).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 8:
      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2020-1805=1
   - SUSE OpenStack Cloud 8:
      zypper in -t patch SUSE-OpenStack-Cloud-8-2020-1805=1
   - SUSE OpenStack Cloud 7:
      zypper in -t patch SUSE-OpenStack-Cloud-7-2020-1805=1
   - SUSE Linux Enterprise Server for SAP 12-SP3:
      zypper in -t patch SUSE-SLE-SAP-12-SP3-2020-1805=1
   - SUSE Linux Enterprise Server for SAP 12-SP2:
      zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-1805=1
   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1805=1
   - SUSE Linux Enterprise Server 12-SP4:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1805=1
   - SUSE Linux Enterprise Server 12-SP3-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2020-1805=1
   - SUSE Linux Enterprise Server 12-SP3-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2020-1805=1
   - SUSE Linux Enterprise Server 12-SP2-LTSS:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-1805=1
   - SUSE Linux Enterprise Server 12-SP2-BCL:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-1805=1
   - SUSE Enterprise Storage 5:
      zypper in -t patch SUSE-Storage-5-2020-1805=1
   - HPE Helion Openstack 8:
      zypper in -t patch HPE-Helion-OpenStack-8-2020-1805=1

Package List:

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):
      ntp-4.2.8p15-88.1
      ntp-debuginfo-4.2.8p15-88.1
      ntp-debugsource-4.2.8p15-88.1
      ntp-doc-4.2.8p15-88.1
   - SUSE OpenStack Cloud 8 (x86_64):
      ntp-4.2.8p15-88.1
      ntp-debuginfo-4.2.8p15-88.1
      ntp-debugsource-4.2.8p15-88.1
      ntp-doc-4.2.8p15-88.1
   - SUSE OpenStack Cloud 7 (s390x x86_64):
      ntp-4.2.8p15-88.1
      ntp-debuginfo-4.2.8p15-88.1
      ntp-debugsource-4.2.8p15-88.1
      ntp-doc-4.2.8p15-88.1
   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
      ntp-4.2.8p15-88.1
      ntp-debuginfo-4.2.8p15-88.1
      ntp-debugsource-4.2.8p15-88.1
      ntp-doc-4.2.8p15-88.1
   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
      ntp-4.2.8p15-88.1
      ntp-debuginfo-4.2.8p15-88.1
      ntp-debugsource-4.2.8p15-88.1
      ntp-doc-4.2.8p15-88.1
   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      ntp-4.2.8p15-88.1
      ntp-debuginfo-4.2.8p15-88.1
      ntp-debugsource-4.2.8p15-88.1
      ntp-doc-4.2.8p15-88.1
   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
      ntp-4.2.8p15-88.1
      ntp-debuginfo-4.2.8p15-88.1
      ntp-debugsource-4.2.8p15-88.1
      ntp-doc-4.2.8p15-88.1
   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
      ntp-4.2.8p15-88.1
      ntp-debuginfo-4.2.8p15-88.1
      ntp-debugsource-4.2.8p15-88.1
      ntp-doc-4.2.8p15-88.1
   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
      ntp-4.2.8p15-88.1
      ntp-debuginfo-4.2.8p15-88.1
      ntp-debugsource-4.2.8p15-88.1
      ntp-doc-4.2.8p15-88.1
   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
      ntp-4.2.8p15-88.1
      ntp-debuginfo-4.2.8p15-88.1
      ntp-debugsource-4.2.8p15-88.1
      ntp-doc-4.2.8p15-88.1
   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
      ntp-4.2.8p15-88.1
      ntp-debuginfo-4.2.8p15-88.1
      ntp-debugsource-4.2.8p15-88.1
      ntp-doc-4.2.8p15-88.1
   - SUSE Enterprise Storage 5 (aarch64 x86_64):
      ntp-4.2.8p15-88.1
      ntp-debuginfo-4.2.8p15-88.1
      ntp-debugsource-4.2.8p15-88.1
      ntp-doc-4.2.8p15-88.1
   - HPE Helion Openstack 8 (x86_64):
      ntp-4.2.8p15-88.1
      ntp-debuginfo-4.2.8p15-88.1
      ntp-debugsource-4.2.8p15-88.1
      ntp-doc-4.2.8p15-88.1

References:

   https://www.suse.com/security/cve/CVE-2018-8956.html
   https://www.suse.com/security/cve/CVE-2020-11868.html
   https://www.suse.com/security/cve/CVE-2020-13817.html
   https://www.suse.com/security/cve/CVE-2020-15025.html
   https://bugzilla.suse.com/1169740
   https://bugzilla.suse.com/1171355
   https://bugzilla.suse.com/1172651
   https://bugzilla.suse.com/1173334

From sle-updates at lists.suse.com Tue Jun 30 13:14:11 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 30 Jun 2020 21:14:11 +0200 (CEST)
Subject: SUSE-SU-2020:1807-1: moderate: Security update for openconnect
Message-ID: <20200630191411.DF03FFF0B@maintenance.suse.de>

   SUSE Security Update: Security update for openconnect
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1807-1
Rating:             moderate
References:         #1171862
Cross-References:   CVE-2020-12823
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP5
                    SUSE Linux Enterprise Workstation Extension 12-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for openconnect fixes the following issues:

   - CVE-2020-12823: Fixed a buffer overflow via crafted certificate data which could have led to denial of service (bsc#1171862).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP5:
      zypper in -t patch SUSE-SLE-WE-12-SP5-2020-1807=1
   - SUSE Linux Enterprise Workstation Extension 12-SP4:
      zypper in -t patch SUSE-SLE-WE-12-SP4-2020-1807=1

Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP5 (noarch):
      openconnect-lang-7.08-3.12.1
   - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64):
      openconnect-7.08-3.12.1
      openconnect-debuginfo-7.08-3.12.1
      openconnect-debugsource-7.08-3.12.1
   - SUSE Linux Enterprise Workstation Extension 12-SP4 (x86_64):
      openconnect-7.08-3.12.1
      openconnect-debuginfo-7.08-3.12.1
      openconnect-debugsource-7.08-3.12.1
   - SUSE Linux Enterprise Workstation Extension 12-SP4 (noarch):
      openconnect-lang-7.08-3.12.1

References:

   https://www.suse.com/security/cve/CVE-2020-12823.html
   https://bugzilla.suse.com/1171862

From sle-updates at lists.suse.com Tue Jun 30 13:14:50 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 30 Jun 2020 21:14:50 +0200 (CEST)
Subject: SUSE-SU-2020:1806-1: Security update for transfig
Message-ID: <20200630191450.0413FFF0B@maintenance.suse.de>

   SUSE Security Update: Security update for transfig
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:1806-1
Rating:             low
References:         #1106531 #1143650
Cross-References:   CVE-2018-16140 CVE-2019-14275
Affected Products:
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for transfig fixes the following issues:

   Security issue fixed:

   - CVE-2019-14275: Fixed stack-based buffer overflow in the calc_arrow function (bsc#1143650).
   - CVE-2018-16140: Fixed a buffer underwrite vulnerability in get_line() in read.c, which allowed an attacker to write prior to the beginning of the buffer via specially crafted .fig file (bsc#1106531)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1806=1
   - SUSE Linux Enterprise Server 12-SP4:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1806=1

Package List:

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      transfig-3.2.5e-2.8.2
      transfig-debuginfo-3.2.5e-2.8.2
      transfig-debugsource-3.2.5e-2.8.2
   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
      transfig-3.2.5e-2.8.2
      transfig-debuginfo-3.2.5e-2.8.2
      transfig-debugsource-3.2.5e-2.8.2

References:

   https://www.suse.com/security/cve/CVE-2018-16140.html
   https://www.suse.com/security/cve/CVE-2019-14275.html
   https://bugzilla.suse.com/1106531
   https://bugzilla.suse.com/1143650

From sle-updates at lists.suse.com Tue Jun 30 13:15:37 2020
From: sle-updates at lists.suse.com (sle-updates at lists.suse.com)
Date: Tue, 30 Jun 2020 21:15:37 +0200 (CEST)
Subject: SUSE-RU-2020:1804-1: moderate: Recommended update for php74
Message-ID: <20200630191537.89F23FF0B@maintenance.suse.de>

   SUSE Recommended Update: Recommended update for php74
______________________________________________________________________________

Announcement ID:    SUSE-RU-2020:1804-1
Rating:             moderate
References:         #1172178
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP5
                    SUSE Linux Enterprise Software Development Kit 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Module for Web Scripting 12
                    SUSE Linux Enterprise Module for Advanced Systems Management 12
______________________________________________________________________________

   An update that has one recommended fix can now be installed.

Description:

   This update for php74 fixes the following issues:

   This update supplies PHP 7.4.6 and its modules in parallel to the existing php72 packages. You can switch to it e.g. by using "zypper in php74".

   Please read migration notes from PHP 7.2 to 7.4:

   - https://www.php.net/manual/en/migration73.php
   - https://www.php.net/manual/en/migration74.php

Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP5:
      zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-1804=1
   - SUSE Linux Enterprise Software Development Kit 12-SP4:
      zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-1804=1
   - SUSE Linux Enterprise Server 12-SP5:
      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1804=1
   - SUSE Linux Enterprise Server 12-SP4:
      zypper in -t patch SUSE-SLE-SERVER-12-SP4-2020-1804=1
   - SUSE Linux Enterprise Module for Web Scripting 12:
      zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-1804=1
   - SUSE Linux Enterprise Module for Advanced Systems Management 12:
      zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2020-1804=1

Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
      liblmdb-0_9_11-0.9.11-7.2.1
      liblmdb-0_9_11-debuginfo-0.9.11-7.2.1
      lmdb-debuginfo-0.9.11-7.2.1
      lmdb-debugsource-0.9.11-7.2.1
      oniguruma-debugsource-5.9.2-13.3.1
      oniguruma-devel-5.9.2-13.3.1
      php74-debuginfo-7.4.6-1.5.4
      php74-debugsource-7.4.6-1.5.4
      php74-devel-7.4.6-1.5.4
   - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
      liblmdb-0_9_11-0.9.11-7.2.1
      liblmdb-0_9_11-debuginfo-0.9.11-7.2.1
      lmdb-debuginfo-0.9.11-7.2.1
      lmdb-debugsource-0.9.11-7.2.1
      oniguruma-debugsource-5.9.2-13.3.1
      oniguruma-devel-5.9.2-13.3.1
      php74-debuginfo-7.4.6-1.5.4
      php74-debugsource-7.4.6-1.5.4
      php74-devel-7.4.6-1.5.4
   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
      libonig2-5.9.2-13.3.1
      libonig2-debuginfo-5.9.2-13.3.1
      oniguruma-debugsource-5.9.2-13.3.1
   - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
      libonig2-5.9.2-13.3.1
      libonig2-debuginfo-5.9.2-13.3.1
      oniguruma-debugsource-5.9.2-13.3.1
   - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64):
      apache2-mod_php74-7.4.6-1.5.4
      apache2-mod_php74-debuginfo-7.4.6-1.5.4
      liblmdb-0_9_11-0.9.11-7.2.1
      liblmdb-0_9_11-debuginfo-0.9.11-7.2.1
      php74-7.4.6-1.5.4
      php74-bcmath-7.4.6-1.5.4
      php74-bcmath-debuginfo-7.4.6-1.5.4
      php74-bz2-7.4.6-1.5.4
      php74-bz2-debuginfo-7.4.6-1.5.4
      php74-calendar-7.4.6-1.5.4
      php74-calendar-debuginfo-7.4.6-1.5.4
      php74-ctype-7.4.6-1.5.4
      php74-ctype-debuginfo-7.4.6-1.5.4
      php74-curl-7.4.6-1.5.4
      php74-curl-debuginfo-7.4.6-1.5.4
      php74-dba-7.4.6-1.5.4
      php74-dba-debuginfo-7.4.6-1.5.4
      php74-debuginfo-7.4.6-1.5.4
      php74-debugsource-7.4.6-1.5.4
      php74-dom-7.4.6-1.5.4
      php74-dom-debuginfo-7.4.6-1.5.4
      php74-enchant-7.4.6-1.5.4
      php74-enchant-debuginfo-7.4.6-1.5.4
      php74-exif-7.4.6-1.5.4
      php74-exif-debuginfo-7.4.6-1.5.4
      php74-fastcgi-7.4.6-1.5.4
      php74-fastcgi-debuginfo-7.4.6-1.5.4
      php74-fileinfo-7.4.6-1.5.4
      php74-fileinfo-debuginfo-7.4.6-1.5.4
      php74-fpm-7.4.6-1.5.4
      php74-fpm-debuginfo-7.4.6-1.5.4
      php74-ftp-7.4.6-1.5.4
      php74-ftp-debuginfo-7.4.6-1.5.4
      php74-gd-7.4.6-1.5.4
      php74-gd-debuginfo-7.4.6-1.5.4
      php74-gettext-7.4.6-1.5.4
      php74-gettext-debuginfo-7.4.6-1.5.4
      php74-gmp-7.4.6-1.5.4
      php74-gmp-debuginfo-7.4.6-1.5.4
      php74-iconv-7.4.6-1.5.4
      php74-iconv-debuginfo-7.4.6-1.5.4
      php74-intl-7.4.6-1.5.4
      php74-intl-debuginfo-7.4.6-1.5.4
      php74-json-7.4.6-1.5.4
      php74-json-debuginfo-7.4.6-1.5.4
      php74-ldap-7.4.6-1.5.4
      php74-ldap-debuginfo-7.4.6-1.5.4
      php74-mbstring-7.4.6-1.5.4
      php74-mbstring-debuginfo-7.4.6-1.5.4
      php74-mysql-7.4.6-1.5.4
      php74-mysql-debuginfo-7.4.6-1.5.4
      php74-odbc-7.4.6-1.5.4
      php74-odbc-debuginfo-7.4.6-1.5.4
      php74-opcache-7.4.6-1.5.4
      php74-opcache-debuginfo-7.4.6-1.5.4
      php74-openssl-7.4.6-1.5.4
      php74-openssl-debuginfo-7.4.6-1.5.4
      php74-pcntl-7.4.6-1.5.4
      php74-pcntl-debuginfo-7.4.6-1.5.4
      php74-pdo-7.4.6-1.5.4
      php74-pdo-debuginfo-7.4.6-1.5.4
      php74-pgsql-7.4.6-1.5.4
      php74-pgsql-debuginfo-7.4.6-1.5.4
      php74-phar-7.4.6-1.5.4
      php74-phar-debuginfo-7.4.6-1.5.4
      php74-posix-7.4.6-1.5.4
      php74-posix-debuginfo-7.4.6-1.5.4
      php74-readline-7.4.6-1.5.4
      php74-readline-debuginfo-7.4.6-1.5.4
      php74-shmop-7.4.6-1.5.4
      php74-shmop-debuginfo-7.4.6-1.5.4
      php74-snmp-7.4.6-1.5.4
      php74-snmp-debuginfo-7.4.6-1.5.4
      php74-soap-7.4.6-1.5.4
      php74-soap-debuginfo-7.4.6-1.5.4
      php74-sockets-7.4.6-1.5.4
      php74-sockets-debuginfo-7.4.6-1.5.4
      php74-sodium-7.4.6-1.5.4
      php74-sodium-debuginfo-7.4.6-1.5.4
      php74-sqlite-7.4.6-1.5.4
      php74-sqlite-debuginfo-7.4.6-1.5.4
      php74-sysvmsg-7.4.6-1.5.4
      php74-sysvmsg-debuginfo-7.4.6-1.5.4
      php74-sysvsem-7.4.6-1.5.4
      php74-sysvsem-debuginfo-7.4.6-1.5.4
      php74-sysvshm-7.4.6-1.5.4
      php74-sysvshm-debuginfo-7.4.6-1.5.4
      php74-tidy-7.4.6-1.5.4
      php74-tidy-debuginfo-7.4.6-1.5.4
      php74-tokenizer-7.4.6-1.5.4
      php74-tokenizer-debuginfo-7.4.6-1.5.4
      php74-xmlreader-7.4.6-1.5.4
      php74-xmlreader-debuginfo-7.4.6-1.5.4
      php74-xmlrpc-7.4.6-1.5.4
      php74-xmlrpc-debuginfo-7.4.6-1.5.4
      php74-xmlwriter-7.4.6-1.5.4
      php74-xmlwriter-debuginfo-7.4.6-1.5.4
      php74-xsl-7.4.6-1.5.4
      php74-xsl-debuginfo-7.4.6-1.5.4
      php74-zip-7.4.6-1.5.4
      php74-zip-debuginfo-7.4.6-1.5.4
      php74-zlib-7.4.6-1.5.4
      php74-zlib-debuginfo-7.4.6-1.5.4
   - SUSE Linux Enterprise Module for Web Scripting 12 (noarch):
      php74-pear-1.10.19-1.3.2
      php74-pecl-1.10.19-1.3.2
   - SUSE Linux Enterprise Module for Advanced Systems Management 12 (ppc64le s390x x86_64):
      liblmdb-0_9_11-0.9.11-7.2.1
      liblmdb-0_9_11-debuginfo-0.9.11-7.2.1
      lmdb-debuginfo-0.9.11-7.2.1
      lmdb-debugsource-0.9.11-7.2.1

References:

   https://bugzilla.suse.com/1172178