SUSE-IU-2022:148-1: Security update of suse-sles-15-sp1-chost-byos-v20220127-gen2
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Sat Jan 29 07:28:34 UTC 2022
SUSE Image Update Advisory: suse-sles-15-sp1-chost-byos-v20220127-gen2
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2022:148-1
Image Tags : suse-sles-15-sp1-chost-byos-v20220127-gen2:20220127
Image Release :
Severity : critical
Type : security
References : 1014440 1021918 1027496 1029961 1029961 1029961 1040589 1046305
1046306 1046540 1046542 1046648 1047218 1047233 1050242 1050244
1050536 1050538 1050545 1050625 1056653 1056657 1056787 1064802
1065600 1065729 1066129 1073513 1074220 1075020 1078466 1080040
1083473 1085917 1086282 1086301 1086313 1086314 1089870 1098633
1100416 1102408 1102408 1103990 1103991 1103992 1104270 1104277
1104279 1104353 1104427 1104742 1104745 1106014 1108488 1109837
1110435 1111981 1112178 1112374 1112500 1113013 1113956 1115408
1119113 1122417 1125671 1125886 1126206 1126390 1127354 1127371
1129735 1129770 1129898 1131314 1131553 1133374 1134353 1136348
1136513 1138715 1138746 1140565 1146705 1148868 1149032 1149792
1149813 1149954 1152308 1152489 1153687 1153720 1154353 1154393
1154837 1154935 1157818 1158812 1158958 1158959 1158960 1159491
1159715 1159847 1159850 1159886 1159989 1160309 1160438 1160439
1160452 1160462 1161268 1162581 1162964 1163019 1163617 1164713
1164719 1165198 1165780 1165780 1167471 1167756 1167773 1168481
1168894 1169122 1169348 1170092 1170094 1170442 1170774 1170858
1171257 1171420 1171479 1171962 1172091 1172115 1172234 1172236
1172240 1172308 1172380 1172383 1172384 1172385 1172386 1172442
1172455 1172478 1172505 1172670 1172863 1172863 1172973 1172974
1173485 1173612 1173641 1173746 1173760 1173886 1174016 1174026
1174075 1174206 1174386 1174504 1174514 1174641 1174697 1174978
1175081 1175289 1175441 1175448 1175449 1175519 1175534 1175570
1175821 1175960 1175970 1176201 1176206 1176262 1176293 1176370
1176389 1176473 1176673 1176681 1176682 1176684 1176708 1176711
1176720 1176724 1176784 1176785 1176831 1176846 1176855 1176934
1176940 1177081 1177120 1177125 1177222 1177238 1177275 1177315
1177315 1177371 1177411 1177427 1177460 1177583 1177666 1177789
1177883 1177976 1178036 1178049 1178049 1178168 1178174 1178181
1178219 1178236 1178377 1178379 1178386 1178469 1178490 1178491
1178561 1178565 1178577 1178624 1178675 1178683 1178775 1178801
1178801 1178874 1178900 1178910 1178934 1178935 1178966 1178969
1179082 1179083 1179093 1179142 1179156 1179222 1179264 1179265
1179382 1179428 1179454 1179466 1179467 1179468 1179477 1179484
1179508 1179509 1179563 1179573 1179575 1179610 1179660 1179686
1179694 1179721 1179756 1179805 1179816 1179831 1179847 1179878
1179908 1179909 1180020 1180038 1180058 1180064 1180073 1180077
1180083 1180125 1180130 1180176 1180197 1180243 1180262 1180401
1180401 1180403 1180432 1180433 1180434 1180435 1180478 1180501
1180523 1180596 1180663 1180686 1180721 1180765 1180812 1180827
1180851 1180891 1180912 1180933 1180964 1180995 1181011 1181018
1181108 1181126 1181131 1181158 1181161 1181170 1181173 1181193
1181230 1181231 1181260 1181283 1181283 1181299 1181306 1181309
1181328 1181349 1181351 1181358 1181368 1181371 1181425 1181443
1181504 1181505 1181535 1181536 1181540 1181594 1181610 1181622
1181639 1181641 1181651 1181671 1181677 1181679 1181696 1181730
1181730 1181732 1181732 1181747 1181749 1181753 1181809 1181831
1181843 1181854 1181874 1181911 1181933 1181944 1181960 1181967
1181976 1182011 1182012 1182016 1182047 1182057 1182057 1182057
1182072 1182117 1182130 1182137 1182140 1182168 1182175 1182244
1182246 1182262 1182263 1182279 1182281 1182293 1182309 1182324
1182328 1182331 1182333 1182362 1182372 1182379 1182382 1182408
1182411 1182412 1182413 1182415 1182416 1182417 1182418 1182419
1182420 1182421 1182422 1182425 1182451 1182471 1182476 1182577
1182604 1182629 1182651 1182672 1182715 1182716 1182717 1182791
1182846 1182904 1182917 1182936 1182947 1182950 1182968 1182975
1183012 1183022 1183024 1183063 1183064 1183069 1183070 1183085
1183094 1183194 1183194 1183239 1183268 1183370 1183371 1183374
1183374 1183405 1183421 1183453 1183456 1183457 1183509 1183572
1183572 1183574 1183574 1183589 1183593 1183628 1183646 1183686
1183696 1183732 1183738 1183761 1183775 1183791 1183797 1183800
1183826 1183855 1183858 1183933 1183936 1183939 1183947 1183979
1184085 1184120 1184124 1184124 1184136 1184161 1184167 1184168
1184170 1184192 1184193 1184194 1184196 1184198 1184208 1184211
1184260 1184310 1184326 1184358 1184388 1184391 1184393 1184397
1184399 1184400 1184401 1184435 1184439 1184454 1184505 1184507
1184509 1184511 1184512 1184514 1184521 1184583 1184611 1184614
1184614 1184616 1184644 1184650 1184673 1184675 1184677 1184690
1184758 1184761 1184768 1184804 1184804 1184815 1184829 1184912
1184942 1184962 1184967 1184994 1184994 1184997 1184997 1185016
1185046 1185089 1185092 1185113 1185157 1185163 1185170 1185232
1185232 1185239 1185244 1185261 1185261 1185281 1185302 1185325
1185331 1185345 1185377 1185405 1185405 1185408 1185408 1185409
1185409 1185410 1185410 1185417 1185428 1185438 1185441 1185441
1185464 1185464 1185464 1185464 1185524 1185540 1185562 1185588
1185591 1185611 1185621 1185621 1185642 1185677 1185680 1185698
1185701 1185725 1185726 1185726 1185748 1185758 1185762 1185807
1185859 1185860 1185861 1185862 1185863 1185898 1185899 1185901
1185910 1185938 1185950 1185958 1185961 1185961 1185961 1185973
1185987 1185991 1185993 1186004 1186012 1186015 1186037 1186049
1186060 1186061 1186062 1186078 1186109 1186111 1186114 1186285
1186290 1186347 1186382 1186390 1186390 1186397 1186447 1186463
1186482 1186484 1186484 1186489 1186498 1186503 1186561 1186565
1186602 1186672 1186674 1186687 1186791 1186910 1186975 1186975
1187038 1187050 1187060 1187071 1187105 1187153 1187167 1187196
1187210 1187212 1187215 1187224 1187260 1187260 1187270 1187273
1187292 1187338 1187364 1187365 1187366 1187367 1187386 1187400
1187425 1187452 1187466 1187499 1187512 1187529 1187538 1187539
1187554 1187565 1187595 1187601 1187654 1187668 1187696 1187696
1187704 1187738 1187760 1187911 1187921 1187937 1187993 1188018
1188062 1188062 1188063 1188063 1188063 1188067 1188090 1188116
1188127 1188156 1188160 1188161 1188172 1188179 1188217 1188218
1188219 1188220 1188282 1188282 1188291 1188344 1188401 1188435
1188563 1188571 1188601 1188616 1188623 1188651 1188651 1188713
1188763 1188838 1188868 1188876 1188881 1188891 1188904 1188921
1188983 1188985 1188986 1189031 1189057 1189097 1189145 1189206
1189241 1189262 1189287 1189291 1189297 1189399 1189400 1189465
1189465 1189480 1189521 1189521 1189552 1189683 1189702 1189706
1189743 1189803 1189841 1189841 1189846 1189879 1189884 1189884
1189929 1189938 1189983 1189984 1189996 1190023 1190023 1190025
1190052 1190059 1190062 1190067 1190115 1190115 1190117 1190159
1190159 1190199 1190225 1190234 1190276 1190325 1190349 1190351
1190356 1190358 1190373 1190374 1190375 1190406 1190432 1190440
1190465 1190467 1190479 1190523 1190534 1190534 1190543 1190552
1190576 1190595 1190596 1190598 1190598 1190601 1190620 1190626
1190645 1190670 1190679 1190705 1190712 1190717 1190717 1190739
1190746 1190758 1190784 1190785 1190793 1190815 1190826 1190858
1190915 1190933 1190975 1190984 1191015 1191121 1191172 1191193
1191193 1191200 1191240 1191242 1191252 1191260 1191286 1191292
1191315 1191317 1191324 1191334 1191349 1191355 1191370 1191434
1191457 1191480 1191500 1191563 1191566 1191609 1191628 1191675
1191690 1191790 1191800 1191804 1191888 1191922 1191961 1191987
1192045 1192146 1192161 1192248 1192267 1192284 1192337 1192379
1192400 1192436 1192688 1192717 1192775 1192781 1192790 1192802
1192849 1193170 1193436 1193480 1193481 1193488 1193521 1193845
1194251 1194362 1194474 1194476 1194477 1194478 1194479 1194480
928700 928701 954813 CVE-2015-3414 CVE-2015-3415 CVE-2016-10228
CVE-2016-2124 CVE-2017-9271 CVE-2018-13405 CVE-2018-15750 CVE-2018-15751
CVE-2018-9517 CVE-2019-15890 CVE-2019-16884 CVE-2019-19244 CVE-2019-19317
CVE-2019-19603 CVE-2019-19645 CVE-2019-19646 CVE-2019-19880 CVE-2019-19921
CVE-2019-19923 CVE-2019-19924 CVE-2019-19925 CVE-2019-19926 CVE-2019-19959
CVE-2019-19977 CVE-2019-20218 CVE-2019-20838 CVE-2019-20916 CVE-2019-25013
CVE-2019-3874 CVE-2019-3900 CVE-2020-0429 CVE-2020-0433 CVE-2020-10756
CVE-2020-11080 CVE-2020-11651 CVE-2020-11652 CVE-2020-11947 CVE-2020-12049
CVE-2020-12400 CVE-2020-12401 CVE-2020-12403 CVE-2020-12762 CVE-2020-12770
CVE-2020-12829 CVE-2020-13361 CVE-2020-13362 CVE-2020-13434 CVE-2020-13435
CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 CVE-2020-13659 CVE-2020-13765
CVE-2020-13987 CVE-2020-13988 CVE-2020-14155 CVE-2020-14343 CVE-2020-14364
CVE-2020-14364 CVE-2020-14372 CVE-2020-15257 CVE-2020-15358 CVE-2020-15469
CVE-2020-15863 CVE-2020-16092 CVE-2020-17437 CVE-2020-17438 CVE-2020-24370
CVE-2020-24371 CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-25084
CVE-2020-25085 CVE-2020-25592 CVE-2020-25613 CVE-2020-25624 CVE-2020-25625
CVE-2020-25632 CVE-2020-25639 CVE-2020-25647 CVE-2020-25648 CVE-2020-25659
CVE-2020-25670 CVE-2020-25671 CVE-2020-25672 CVE-2020-25673 CVE-2020-25707
CVE-2020-25717 CVE-2020-25717 CVE-2020-25723 CVE-2020-25723 CVE-2020-26137
CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2020-26558
CVE-2020-27170 CVE-2020-27171 CVE-2020-27617 CVE-2020-27618 CVE-2020-27673
CVE-2020-27749 CVE-2020-27779 CVE-2020-27815 CVE-2020-27821 CVE-2020-27835
CVE-2020-27840 CVE-2020-27840 CVE-2020-28493 CVE-2020-28916 CVE-2020-29129
CVE-2020-29129 CVE-2020-29130 CVE-2020-29130 CVE-2020-29361 CVE-2020-29368
CVE-2020-29374 CVE-2020-29443 CVE-2020-29562 CVE-2020-29568 CVE-2020-29569
CVE-2020-29573 CVE-2020-29651 CVE-2020-35503 CVE-2020-35504 CVE-2020-35505
CVE-2020-35506 CVE-2020-35512 CVE-2020-35519 CVE-2020-36221 CVE-2020-36222
CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227
CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 CVE-2020-36310 CVE-2020-36311
CVE-2020-36312 CVE-2020-36322 CVE-2020-36385 CVE-2020-36386 CVE-2020-3702
CVE-2020-3702 CVE-2020-4788 CVE-2020-6829 CVE-2020-8608 CVE-2020-8625
CVE-2020-9327 CVE-2021-0129 CVE-2021-0342 CVE-2021-0512 CVE-2021-0605
CVE-2021-0941 CVE-2021-20177 CVE-2021-20181 CVE-2021-20193 CVE-2021-20203
CVE-2021-20208 CVE-2021-20219 CVE-2021-20221 CVE-2021-20225 CVE-2021-20231
CVE-2021-20232 CVE-2021-20233 CVE-2021-20254 CVE-2021-20255 CVE-2021-20257
CVE-2021-20257 CVE-2021-20277 CVE-2021-20277 CVE-2021-20305 CVE-2021-20322
CVE-2021-21284 CVE-2021-21284 CVE-2021-21285 CVE-2021-21285 CVE-2021-21334
CVE-2021-22543 CVE-2021-22555 CVE-2021-22876 CVE-2021-22898 CVE-2021-22922
CVE-2021-22923 CVE-2021-22924 CVE-2021-22925 CVE-2021-22946 CVE-2021-22947
CVE-2021-23133 CVE-2021-23134 CVE-2021-23336 CVE-2021-23840 CVE-2021-23841
CVE-2021-24031 CVE-2021-24032 CVE-2021-25214 CVE-2021-25215 CVE-2021-25217
CVE-2021-25219 CVE-2021-25315 CVE-2021-25317 CVE-2021-26720 CVE-2021-26930
CVE-2021-26931 CVE-2021-26932 CVE-2021-27212 CVE-2021-27218 CVE-2021-27219
CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-28038 CVE-2021-28660
CVE-2021-28688 CVE-2021-28950 CVE-2021-28964 CVE-2021-28965 CVE-2021-28971
CVE-2021-28972 CVE-2021-29154 CVE-2021-29155 CVE-2021-29264 CVE-2021-29265
CVE-2021-29647 CVE-2021-29650 CVE-2021-30002 CVE-2021-30465 CVE-2021-30465
CVE-2021-3156 CVE-2021-31607 CVE-2021-3177 CVE-2021-31799 CVE-2021-31810
CVE-2021-31916 CVE-2021-32066 CVE-2021-32399 CVE-2021-32760 CVE-2021-32760
CVE-2021-33033 CVE-2021-33034 CVE-2021-33200 CVE-2021-33200 CVE-2021-3326
CVE-2021-3347 CVE-2021-3348 CVE-2021-33560 CVE-2021-33574 CVE-2021-33624
CVE-2021-33909 CVE-2021-33909 CVE-2021-33910 CVE-2021-33910 CVE-2021-3416
CVE-2021-3419 CVE-2021-3426 CVE-2021-3426 CVE-2021-3428 CVE-2021-3444
CVE-2021-34556 CVE-2021-3468 CVE-2021-34693 CVE-2021-3483 CVE-2021-3491
CVE-2021-34981 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517
CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3527 CVE-2021-3537
CVE-2021-3541 CVE-2021-3542 CVE-2021-35477 CVE-2021-3580 CVE-2021-3582
CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-35942 CVE-2021-3595
CVE-2021-3607 CVE-2021-3608 CVE-2021-3609 CVE-2021-3611 CVE-2021-36222
CVE-2021-3640 CVE-2021-3653 CVE-2021-3655 CVE-2021-3656 CVE-2021-3659
CVE-2021-3669 CVE-2021-3672 CVE-2021-3679 CVE-2021-3682 CVE-2021-3712
CVE-2021-3712 CVE-2021-3713 CVE-2021-3715 CVE-2021-37159 CVE-2021-3732
CVE-2021-3733 CVE-2021-3737 CVE-2021-3744 CVE-2021-3744 CVE-2021-3748
CVE-2021-3752 CVE-2021-3752 CVE-2021-3753 CVE-2021-37576 CVE-2021-3759
CVE-2021-3760 CVE-2021-37600 CVE-2021-3764 CVE-2021-3764 CVE-2021-3772
CVE-2021-37750 CVE-2021-38160 CVE-2021-38185 CVE-2021-38185 CVE-2021-38198
CVE-2021-38204 CVE-2021-39537 CVE-2021-40490 CVE-2021-40490 CVE-2021-41089
CVE-2021-41091 CVE-2021-41092 CVE-2021-41103 CVE-2021-41617 CVE-2021-41864
CVE-2021-42008 CVE-2021-42252 CVE-2021-42739 CVE-2021-43527 CVE-2021-43618
CVE-2021-43784 CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823
CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827
-----------------------------------------------------------------
The container suse-sles-15-sp1-chost-byos-v20220127-gen2 was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2018:2454-1
Released: Thu Oct 25 11:19:46 2018
Summary: Recommended update for python-pyOpenSSL
Type: recommended
Severity: moderate
References: 1110435
This update for python-pyOpenSSL fixes the following issues:
- Handle duplicate certificate addition using X509_STORE_add_cert so
it works after upgrading to openssl 1.1.1. (bsc#1110435)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2019:2647-1
Released: Fri Oct 11 17:12:06 2019
Summary: Recommended update for python-pyOpenSSL
Type: recommended
Severity: moderate
References: 1149792
This update for python-pyOpenSSL fixes the following issues:
- Adds compatibility for openSSL 1.1.1d (bsc#1149792)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2810-1
Released: Tue Oct 29 14:56:44 2019
Summary: Security update for runc
Type: security
Severity: moderate
References: 1131314,1131553,1152308,CVE-2019-16884
This update for runc fixes the following issues:
Security issue fixed:
- CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308)
Non-security issues fixed:
- Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:36-1
Released: Wed Jan 8 10:26:46 2020
Summary: Recommended update for python-pyOpenSSL
Type: recommended
Severity: low
References: 1159989
This update fixes the build of python-pyOpenSSL in 2020 (bsc#1159989).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:944-1
Released: Tue Apr 7 15:49:33 2020
Summary: Security update for runc
Type: security
Severity: moderate
References: 1149954,1160452,CVE-2019-19921
This update for runc fixes the following issues:
runc was updated to v1.0.0~rc10
- CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452).
- Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:305-1
Released: Thu Feb 4 15:00:37 2021
Summary: Recommended update for libprotobuf
Type: recommended
Severity: moderate
References:
libprotobuf was updated to fix:
- ship the libprotobuf-lite15 on the base products. (jsc#ECO-2911)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:435-1
Released: Thu Feb 11 14:47:25 2021
Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork
Type: security
Severity: important
References: 1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732,CVE-2020-15257,CVE-2021-21284,CVE-2021-21285
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:
Security issues fixed:
- CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969).
- CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
- CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730)
Non-security issues fixed:
- Update Docker to 19.03.15-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for
bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).
- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE.
It appears that SLES doesn't like the patch. (bsc#1180401)
- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and
fixes CVE-2020-15257. bsc#1180243
- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce.
bsc#1176708
- Update to Docker 19.03.14-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243
https://github.com/docker/docker-ce/releases/tag/v19.03.14
- Enable fish-completion
- Add a patch which makes Docker compatible with firewalld with
nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
(bsc#1178801, SLE-16460)
- Update to Docker 19.03.13-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Emergency fix: %requires_eq does not work with provide symbols,
only effective package names. Convert back to regular Requires.
- Update to Docker 19.03.12-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md.
- Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of
spurrious errors due to Go returning -EINTR from I/O syscalls much more often
(due to Go 1.14's pre-emptive goroutine support).
- Add BuildRequires for all -git dependencies so that we catch missing
dependencies much more quickly.
- Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce.
bsc#1180243
- Add patch which makes libnetwork compatible with firewalld with
nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
(bsc#1178801, SLE-16460)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:441-1
Released: Thu Feb 11 16:35:04 2021
Summary: Optional update for python3-jsonschema
Type: optional
Severity: low
References: 1180403
This update provides the python3 variant of the jsonschema module to the
SUSE Linux Enterprise 15 SP2 Basesystem module.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:502-1
Released: Thu Feb 18 05:33:06 2021
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1180501
This update for openssh fixes the following issues:
- Fixed a crash which sometimes occured on connection termination, caused
by accessing freed memory (bsc#1180501)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:507-1
Released: Thu Feb 18 09:34:49 2021
Summary: Security update for bind
Type: security
Severity: important
References: 1182246,CVE-2020-8625
This update for bind fixes the following issues:
- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy
negotiation can be targeted by a buffer overflow attack [bsc#1182246]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:516-1
Released: Thu Feb 18 14:42:51 2021
Summary: Recommended update for docker, golang-github-docker-libnetwork
Type: recommended
Severity: moderate
References: 1178801,1180401,1182168
This update for docker, golang-github-docker-libnetwork fixes the following issues:
- A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:526-1
Released: Fri Feb 19 12:46:27 2021
Summary: Recommended update for python-distro
Type: recommended
Severity: moderate
References:
This update for python-distro fixes the following issues:
Upgrade from version 1.2.0 to 1.5.0 (jsc#ECO-3212)
- Backward compatibility:
- Keep output as native string so we can compatible with python2 interface
- Prefer the `VERSION_CODENAME` field of `os-release` to parsing it from `VERSION`
- Bug Fixes:
- Fix detection of RHEL 6 `ComputeNode`
- Fix Oracle 4/5 `lsb_release` id and names
- Ignore `/etc/plesk-release` file while parsing distribution
- Return `_uname_info` from the `uname_info()` method
- Fixed `CloudLinux` id discovery
- Update Oracle matching
- Warn about wrong locale.
- Documentation:
- Distro is the recommended replacement for `platform.linux_distribution`
- Add Ansible reference implementation and fix arch-linux link
- Add facter reference implementation
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released: Fri Feb 19 14:53:47 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177
This update for python3 fixes the following issues:
- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:532-1
Released: Fri Feb 19 17:29:03 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1046305,1046306,1046540,1046542,1046648,1050242,1050244,1050536,1050538,1050545,1056653,1056657,1056787,1064802,1066129,1073513,1074220,1075020,1086282,1086301,1086313,1086314,1098633,1103990,1103991,1103992,1104270,1104277,1104279,1104353,1104427,1104742,1104745,1109837,1111981,1112178,1112374,1113956,1119113,1126206,1126390,1127354,1127371,1129770,1136348,1149032,1174206,1176831,1176846,1178036,1178049,1178900,1179093,1179142,1179508,1179509,1179563,1179573,1179575,1179878,1180130,1180765,1180812,1180891,1180912,1181018,1181170,1181230,1181231,1181260,1181349,1181425,1181504,1181809,CVE-2020-25639,CVE-2020-27835,CVE-2020-29568,CVE-2020-29569,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347,CVE-2021-3348
The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
- CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).
- CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).
- CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required. (bnc#1180812)
- CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).
- CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
- CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).
The following non-security bugs were fixed:
- ACPI: scan: Harden acpi_device_add() against device ID overflows (git-fixes).
- ACPI: scan: Make acpi_bus_get_device() clear return pointer on error (git-fixes).
- ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI (git-fixes).
- ALSA: doc: Fix reference to mixart.rst (git-fixes).
- ALSA: fireface: Fix integer overflow in transmit_midi_msg() (git-fixes).
- ALSA: firewire-tascam: Fix integer overflow in midi_port_work() (git-fixes).
- ALSA: hda/via: Add minimum mute flag (git-fixes).
- ALSA: hda/via: Fix runtime PM for Clevo W35xSS (git-fixes).
- ALSA: pcm: Clear the full allocated memory at hw_params (git-fixes).
- ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info() (git-fixes).
- ASoC: Intel: haswell: Add missing pm_ops (git-fixes).
- ASoC: dapm: remove widget from dirty list on free (git-fixes).
- EDAC/amd64: Fix PCI component registration (bsc#1112178).
- IB/mlx5: Fix DEVX support for MLX5_CMD_OP_INIT2INIT_QP command (bsc#1103991).
- KVM: SVM: Initialize prev_ga_tag before use (bsc#1180912).
- KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages (bsc#1181230).
- NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock (git-fixes).
- NFS: nfs_igrab_and_active must first reference the superblock (git-fixes).
- NFS: switch nfsiod to be an UNBOUND workqueue (git-fixes).
- NFSv4.2: condition READDIR's mask for security label based on LSM state (git-fixes).
- RDMA/addr: Fix race with netevent_callback()/rdma_addr_cancel() (bsc#1103992).
- RDMA/bnxt_re: Do not add user qps to flushlist (bsc#1050244 ).
- RDMA/bnxt_re: Do not report transparent vlan from QP1 (bsc#1104742).
- RDMA/cma: Do not overwrite sgid_attr after device is released (bsc#1103992).
- RDMA/core: Ensure security pkey modify is not lost (bsc#1046306 ).
- RDMA/core: Fix pkey and port assignment in get_new_pps (bsc#1046306).
- RDMA/core: Fix protection fault in get_pkey_idx_qp_list (bsc#1046306).
- RDMA/core: Fix reported speed and width (bsc#1046306 ).
- RDMA/core: Fix return error value in _ib_modify_qp() to negative (bsc#1103992).
- RDMA/core: Fix use of logical OR in get_new_pps (bsc#1046306 ).
- RDMA/hns: Bugfix for memory window mtpt configuration (bsc#1104427).
- RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver (bsc#1104427).
- RDMA/hns: Fix cmdq parameter of querying pf timer resource (bsc#1104427 bsc#1126206).
- RDMA/hns: Fix missing sq_sig_type when querying QP (bsc#1104427 ).
- RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver (bsc#1104427).
- RDMA/iw_cxgb4: Fix incorrect function parameters (bsc#1136348 jsc#SLE-4684).
- RDMA/iw_cxgb4: initiate CLOSE when entering TERM (bsc#1136348 jsc#SLE-4684).
- RDMA/mlx5: Add init2init as a modify command (bsc#1103991 ).
- RDMA/mlx5: Fix typo in enum name (bsc#1103991).
- RDMA/mlx5: Fix wrong free of blue flame register on error (bsc#1103991).
- RDMA/qedr: Fix inline size returned for iWARP (bsc#1050545 ).
- SUNRPC: cache: ignore timestamp written to 'flush' file (bsc#1178036).
- USB: ehci: fix an interrupt calltrace error (git-fixes).
- USB: gadget: legacy: fix return error code in acm_ms_bind() (git-fixes).
- USB: serial: iuu_phoenix: fix DMA from stack (git-fixes).
- USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set (git-fixes).
- USB: yurex: fix control-URB timeout handling (git-fixes).
- __netif_receive_skb_core: pass skb by reference (bsc#1109837).
- arm64: pgtable: Ensure dirty bit is preserved across pte_wrprotect() (bsc#1180130).
- arm64: pgtable: Fix pte_accessible() (bsc#1180130).
- bnxt_en: Do not query FW when netif_running() is false (bsc#1086282).
- bnxt_en: Fix accumulation of bp->net_stats_prev (bsc#1104745 ).
- bnxt_en: Improve stats context resource accounting with RDMA driver loaded (bsc#1104745).
- bnxt_en: Release PCI regions when DMA mask setup fails during probe (git-fixes).
- bnxt_en: Reset rings if ring reservation fails during open() (bsc#1086282).
- bnxt_en: fix HWRM error when querying VF temperature (bsc#1104745).
- bnxt_en: fix error return code in bnxt_init_board() (git-fixes).
- bnxt_en: fix error return code in bnxt_init_one() (bsc#1050242 ).
- bnxt_en: read EEPROM A2h address using page 0 (git-fixes).
- bnxt_en: return proper error codes in bnxt_show_temp (bsc#1104745).
- bonding: set dev->needed_headroom in bond_setup_by_slave() (git-fixes).
- btrfs: add a flag to iterate_inodes_from_logical to find all extent refs for uncompressed extents (bsc#1174206).
- btrfs: add a flags argument to LOGICAL_INO and call it LOGICAL_INO_V2 (bsc#1174206).
- btrfs: increase output size for LOGICAL_INO_V2 ioctl (bsc#1174206).
- btrfs: qgroup: do not try to wait flushing if we're already holding a transaction (bsc#1179575).
- caif: no need to check return value of debugfs_create functions (git-fixes).
- can: c_can: c_can_power_up(): fix error handling (git-fixes).
- can: dev: prevent potential information leak in can_fill_info() (git-fixes).
- can: vxcan: vxcan_xmit: fix use after free bug (git-fixes).
- chelsio/chtls: correct function return and return type (bsc#1104270).
- chelsio/chtls: correct netdevice for vlan interface (bsc#1104270 ).
- chelsio/chtls: fix a double free in chtls_setkey() (bsc#1104270 ).
- chelsio/chtls: fix always leaking ctrl_skb (bsc#1104270 ).
- chelsio/chtls: fix deadlock issue (bsc#1104270).
- chelsio/chtls: fix memory leaks caused by a race (bsc#1104270 ).
- chelsio/chtls: fix memory leaks in CPL handlers (bsc#1104270 ).
- chelsio/chtls: fix panic during unload reload chtls (bsc#1104270 ).
- chelsio/chtls: fix socket lock (bsc#1104270).
- chelsio/chtls: fix tls record info to user (bsc#1104270 ).
- chtls: Added a check to avoid NULL pointer dereference (bsc#1104270).
- chtls: Fix chtls resources release sequence (bsc#1104270 ).
- chtls: Fix hardware tid leak (bsc#1104270).
- chtls: Remove invalid set_tcb call (bsc#1104270).
- chtls: Replace skb_dequeue with skb_peek (bsc#1104270 ).
- cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled (bsc#1109837).
- cxgb3: fix error return code in t3_sge_alloc_qset() (git-fixes).
- cxgb4/cxgb4vf: fix flow control display for auto negotiation (bsc#1046540 bsc#1046542).
- cxgb4: fix SGE queue dump destination buffer context (bsc#1073513).
- cxgb4: fix adapter crash due to wrong MC size (bsc#1073513).
- cxgb4: fix all-mask IP address comparison (bsc#1064802 bsc#1066129).
- cxgb4: fix large delays in PTP synchronization (bsc#1046540 bsc#1046648).
- cxgb4: fix the panic caused by non smac rewrite (bsc#1064802 bsc#1066129).
- cxgb4: fix thermal zone device registration (bsc#1104279 bsc#1104277).
- cxgb4: fix throughput drop during Tx backpressure (bsc#1127354 bsc#1127371).
- cxgb4: move DCB version extern to header file (bsc#1104279 ).
- cxgb4: remove cast when saving IPv4 partial checksum (bsc#1074220).
- cxgb4: set up filter action after rewrites (bsc#1064802 bsc#1066129).
- cxgb4: use correct type for all-mask IP address comparison (bsc#1064802 bsc#1066129).
- cxgb4: use unaligned conversion for fetching timestamp (bsc#1046540 bsc#1046648).
- dm: avoid filesystem lookup in dm_get_dev_t() (bsc#1178049).
- dmaengine: xilinx_dma: check dma_async_device_register return value (git-fixes).
- dmaengine: xilinx_dma: fix mixed_enum_type coverity warning (git-fixes).
- docs: Fix reST markup when linking to sections (git-fixes).
- drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' (git-fixes).
- drm/amd/powerplay: fix a crash when overclocking Vega M (bsc#1113956)
- drm/amdkfd: Put ACPI table after using it (bsc#1129770) Backporting changes: * context changes
- drm/atomic: put state on error path (git-fixes).
- drm/i915: Check for all subplatform bits (git-fixes).
- drm/i915: Clear the repeater bit on HDCP disable (bsc#1112178)
- drm/i915: Fix sha_text population code (bsc#1112178)
- drm/msm: Avoid div-by-zero in dpu_crtc_atomic_check() (bsc#1129770)
- drm/msm: Fix WARN_ON() splat in _free_object() (bsc#1129770)
- drm/msm: Fix use-after-free in msm_gem with carveout (bsc#1129770)
- drm/nouveau/bios: fix issue shadowing expansion ROMs (git-fixes).
- drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields (git-fixes).
- drm/nouveau/privring: ack interrupts the same way as RM (git-fixes).
- drm/tve200: Fix handling of platform_get_irq() error (bsc#1129770)
- drm/vgem: Replace opencoded version of drm_gem_dumb_map_offset() (bsc#1112178)
- drm: sun4i: hdmi: Fix inverted HPD result (bsc#1112178)
- drm: sun4i: hdmi: Remove extra HPD polling (bsc#1112178)
- ehci: fix EHCI host controller initialization sequence (git-fixes).
- ethernet: ucc_geth: fix use-after-free in ucc_geth_remove() (git-fixes).
- floppy: reintroduce O_NDELAY fix (boo#1181018).
- futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#1149032).
- futex: Ensure the correct return value from futex_lock_pi() (bsc#1181349 bsc#1149032).
- futex: Fix incorrect should_fail_futex() handling (bsc#1181349).
- futex: Handle faults correctly for PI futexes (bsc#1181349 bsc#1149032).
- futex: Provide and use pi_state_update_owner() (bsc#1181349 bsc#1149032).
- futex: Replace pointless printk in fixup_owner() (bsc#1181349 bsc#1149032).
- futex: Simplify fixup_pi_state_owner() (bsc#1181349 bsc#1149032).
- futex: Use pi_state_update_owner() in put_pi_state() (bsc#1181349 bsc#1149032).
- i2c: octeon: check correct size of maximum RECV_LEN packet (git-fixes).
- i40e: Fix removing driver while bare-metal VFs pass traffic (git-fixes).
- i40e: avoid premature Rx buffer reuse (bsc#1111981).
- igb: Report speed and duplex as unknown when device is runtime suspended (git-fixes).
- igc: fix link speed advertising (jsc#SLE-4799).
- iio: ad5504: Fix setting power-down state (git-fixes).
- iommu/vt-d: Do not dereference iommu_device if IOMMU_API is not built (bsc#1181260, jsc#ECO-3191).
- iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1181260, jsc#ECO-3191).
- ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K (bsc#1109837).
- ixgbe: avoid premature Rx buffer reuse (bsc#1109837 ).
- kABI: Fix kABI for extended APIC-ID support (bsc#1181260, jsc#ECO-3191).
- kernfs: deal with kernfs_fill_super() failures (bsc#1181809).
- lockd: do not use interval-based rebinding over TCP (git-fixes).
- locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#1149032).
- md/raid10: initialize r10_bio->read_slot before use (git-fixes).
- md: fix a warning caused by a race between concurrent md_ioctl()s (git-fixes).
- media: gp8psk: initialize stats at power control logic (git-fixes).
- misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() (git-fixes).
- misdn: dsp: select CONFIG_BITREVERSE (git-fixes).
- mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() (git-fixes).
- mlxsw: destroy workqueue when trap_register in mlxsw_emad_init (bsc#1112374).
- mlxsw: spectrum: Do not modify cloned SKBs during xmit (git-fixes).
- mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails (bsc#1112374).
- mlxsw: switchx2: Do not modify cloned SKBs during xmit (git-fixes).
- mm, page_alloc: fix core hung in free_pcppages_bulk() (git fixes (mm/hotplug)).
- mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() (git fixes (mm/pgalloc)).
- mm/rmap: map_pte() was not handling private ZONE_DEVICE page properly (git fixes (mm/hmm)).
- mm/slab: use memzero_explicit() in kzfree() (git fixes (mm/slab)).
- mm: do not wake kswapd prematurely when watermark boosting is disabled (git fixes (mm/vmscan)).
- mm: hwpoison: disable memory error handling on 1GB hugepage (git fixes (mm/hwpoison)).
- mmc: sdhci-xenon: fix 1.8v regulator stabilization (git-fixes).
- nbd: Fix memory leak in nbd_add_socket (bsc#1181504).
- net/af_iucv: always register net_device notifier (git-fixes).
- net/af_iucv: fix null pointer dereference on shutdown (bsc#1179563 LTC#190108).
- net/af_iucv: set correct sk_protocol for child sockets (git-fixes).
- net/filter: Permit reading NET in load_bytes_relative when MAC not set (bsc#1109837).
- net/liquidio: Delete driver version assignment (git-fixes).
- net/liquidio: Delete non-working LIQUIDIO_PACKAGE check (git-fixes).
- net/mlx4_en: Avoid scheduling restart task if it is already running (git-fixes).
- net/mlx5: Add handling of port type in rule deletion (bsc#1103991).
- net/mlx5: Fix memory leak on flow table creation error flow (bsc#1046305).
- net/mlx5e: Fix VLAN cleanup flow (git-fixes).
- net/mlx5e: Fix VLAN create flow (git-fixes).
- net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups (git-fixes).
- net/mlx5e: Fix two double free cases (bsc#1046305).
- net/mlx5e: IPoIB, Drop multicast packets that this interface sent (bsc#1075020).
- net/mlx5e: TX, Fix consumer index of error cqe dump (bsc#1103990 ).
- net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq (bsc#1103990).
- net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels (bsc#1109837).
- net/smc: cancel event worker during device removal (git-fixes).
- net/smc: check for valid ib_client_data (git-fixes).
- net/smc: fix sleep bug in smc_pnet_find_roce_resource() (git-fixes).
- net/smc: receive pending data after RCV_SHUTDOWN (git-fixes).
- net/smc: receive returns without data (git-fixes).
- net/sonic: Add mutual exclusion for accessing shared state (git-fixes).
- net: atlantic: fix potential error handling (git-fixes).
- net: atlantic: fix use after free kasan warn (git-fixes).
- net: bcmgenet: keep MAC in reset until PHY is up (git-fixes).
- net: bcmgenet: reapply manual settings to the PHY (git-fixes).
- net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe() (git-fixes).
- net: cbs: Fix software cbs to consider packet sending time (bsc#1109837).
- net: dsa: LAN9303: select REGMAP when LAN9303 enable (git-fixes).
- net: dsa: b53: b53_arl_rw_op() needs to select IVL or SVL (git-fixes).
- net: ena: set initial DMA width to avoid intel iommu issue (git-fixes).
- net: ethernet: mlx4: Avoid assigning a value to ring_cons but not used it anymore in mlx4_en_xmit() (git-fixes).
- net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse() (git-fixes).
- net: freescale: fec: Fix ethtool -d runtime PM (git-fixes).
- net: hns3: add a missing uninit debugfs when unload driver (bsc#1104353).
- net: hns3: add compatible handling for command HCLGE_OPC_PF_RST_DONE (git-fixes).
- net: hns3: add management table after IMP reset (bsc#1104353 ).
- net: hns3: check reset interrupt status when reset fails (git-fixes).
- net: hns3: clear reset interrupt status in hclge_irq_handle() (git-fixes).
- net: hns3: fix a TX timeout issue (bsc#1104353).
- net: hns3: fix a wrong reset interrupt status mask (git-fixes).
- net: hns3: fix error VF index when setting VLAN offload (bsc#1104353).
- net: hns3: fix error handling for desc filling (bsc#1104353 ).
- net: hns3: fix for not calculating TX BD send size correctly (bsc#1126390).
- net: hns3: fix interrupt clearing error for VF (bsc#1104353 ).
- net: hns3: fix mis-counting IRQ vector numbers issue (bsc#1104353).
- net: hns3: fix shaper parameter algorithm (bsc#1104353 ).
- net: hns3: fix the number of queues actually used by ARQ (bsc#1104353).
- net: hns3: fix use-after-free when doing self test (bsc#1104353 ).
- net: hns3: reallocate SSU' buffer size when pfc_en changes (bsc#1104353).
- net: mvpp2: Fix GoP port 3 Networking Complex Control configurations (bsc#1098633).
- net: mvpp2: Fix error return code in mvpp2_open() (bsc#1119113 ).
- net: mvpp2: fix pkt coalescing int-threshold configuration (bsc#1098633).
- net: phy: Allow BCM54616S PHY to setup internal TX/RX clock delay (git-fixes).
- net: phy: broadcom: Fix RGMII delays configuration for BCM54210E (git-fixes).
- net: phy: micrel: Discern KSZ8051 and KSZ8795 PHYs (git-fixes).
- net: phy: micrel: make sure the factory test bit is cleared (git-fixes).
- net: qca_spi: Move reset_count to struct qcaspi (git-fixes).
- net: smc911x: Adjust indentation in smc911x_phy_configure (git-fixes).
- net: stmmac: 16KB buffer must be 16 byte aligned (git-fixes).
- net: stmmac: Do not accept invalid MTU values (git-fixes).
- net: stmmac: Enable 16KB buffer size (git-fixes).
- net: stmmac: RX buffer size must be 16 byte aligned (git-fixes).
- net: stmmac: dwmac-meson8b: Fix signedness bug in probe (git-fixes).
- net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes (git-fixes).
- net: stmmac: fix length of PTP clock's name string (git-fixes).
- net: stmmac: gmac4+: Not all Unicast addresses may be available (git-fixes).
- net: sunrpc: interpret the return value of kstrtou32 correctly (git-fixes).
- net: team: fix memory leak in __team_options_register (git-fixes).
- net: tulip: Adjust indentation in {dmfe, uli526x}_init_module (git-fixes).
- net: usb: lan78xx: Fix error message format specifier (git-fixes).
- net: vlan: avoid leaks on register_vlan_dev() failures (git-fixes).
- net_failover: fixed rollback in net_failover_open() (bsc#1109837).
- net_sched: let qdisc_put() accept NULL pointer (bsc#1056657 bsc#1056653 bsc#1056787).
- nfp: validate the return code from dev_queue_xmit() (git-fixes).
- nfs_common: need lock during iterate through the list (git-fixes).
- nfsd4: readdirplus shouldn't return parent of export (git-fixes).
- nfsd: Fix message level for normal termination (git-fixes).
- pNFS: Mark layout for return if return-on-close was not sent (git-fixes).
- page_frag: Recover from memory pressure (git fixes (mm/pgalloc)).
- powerpc/perf: Add generic compat mode pmu driver (bsc#1178900 ltc#189284).
- powerpc/perf: Fix crashes with generic_compat_pmu & BHRB (bsc#1178900 ltc#189284 git-fixes).
- powerpc/perf: init pmu from core-book3s (bsc#1178900 ltc#189284).
- qed: Fix race condition between scheduling and destroying the slowpath workqueue (bsc#1086314 bsc#1086313 bsc#1086301).
- qed: Fix use after free in qed_chain_free (bsc#1050536 bsc#1050538).
- r8152: Add Lenovo Powered USB-C Travel Hub (git-fixes).
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock() (bsc#1181349 bsc#1149032).
- s390/cio: fix use-after-free in ccw_device_destroy_console (git-fixes).
- s390/dasd: fix list corruption of lcu list (bsc#1181170 LTC#190915).
- s390/dasd: fix list corruption of pavgroup group list (bsc#1181170 LTC#190915).
- s390/dasd: prevent inconsistent LCU device data (bsc#1181170 LTC#190915).
- s390/qeth: delay draining the TX buffers (git-fixes).
- s390/qeth: fix L2 header access in qeth_l3_osa_features_check() (git-fixes).
- s390/qeth: fix deadlock during recovery (git-fixes).
- s390/qeth: fix locking for discipline setup / removal (git-fixes).
- s390/smp: perform initial CPU reset also for SMT siblings (git-fixes).
- sched/fair: Fix enqueue_task_fair warning (bsc#1179093).
- sched/fair: Fix enqueue_task_fair() warning some more (bsc#1179093).
- sched/fair: Fix reordering of enqueue/dequeue_task_fair() (bsc#1179093).
- sched/fair: Fix unthrottle_cfs_rq() for leaf_cfs_rq list (bsc#1179093).
- sched/fair: Reorder enqueue/dequeue_task_fair path (bsc#1179093).
- scsi: core: Fix VPD LUN ID designator priorities (bsc#1178049, git-fixes).
- scsi: ibmvfc: Set default timeout to avoid crash during migration (bsc#1181425 ltc#188252).
- scsi: lpfc: Enhancements to LOG_TRACE_EVENT for better readability (bsc#1180891).
- scsi: lpfc: Fix FW reset action if I/Os are outstanding (bsc#1180891).
- scsi: lpfc: Fix NVMe recovery after mailbox timeout (bsc#1180891).
- scsi: lpfc: Fix PLOGI S_ID of 0 on pt2pt config (bsc#1180891).
- scsi: lpfc: Fix auto sli_mode and its effect on CONFIG_PORT for SLI3 (bsc#1180891).
- scsi: lpfc: Fix crash when a fabric node is released prematurely (bsc#1180891).
- scsi: lpfc: Fix error log messages being logged following SCSI task mgnt (bsc#1180891).
- scsi: lpfc: Fix target reset failing (bsc#1180891).
- scsi: lpfc: Fix vport create logging (bsc#1180891).
- scsi: lpfc: Implement health checking when aborting I/O (bsc#1180891).
- scsi: lpfc: Prevent duplicate requests to unregister with cpuhp framework (bsc#1180891).
- scsi: lpfc: Refresh ndlp when a new PRLI is received in the PRLI issue state (bsc#1180891).
- scsi: lpfc: Simplify bool comparison (bsc#1180891).
- scsi: lpfc: Update lpfc version to 12.8.0.7 (bsc#1180891).
- scsi: lpfc: Use the nvme-fc transport supplied timeout for LS requests (bsc#1180891).
- scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit (bsc#1179142).
- serial: mvebu-uart: fix tx lost characters at power off (git-fixes).
- spi: cadence: cache reference clock rate during probe (git-fixes).
- team: set dev->needed_headroom in team_setup_by_port() (git-fixes).
- tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS (bsc#1109837).
- usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data() (git-fixes).
- usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion (git-fixes).
- usb: gadget: configfs: Preserve function ordering after bind failure (git-fixes).
- usb: gadget: f_uac2: reset wMaxPacketSize (git-fixes).
- usb: gadget: select CONFIG_CRC32 (git-fixes).
- usb: udc: core: Use lock when write to soft_connect (git-fixes).
- veth: Adjust hard_start offset on redirect XDP frames (bsc#1109837).
- vfio iommu: Add dma available capability (bsc#1179573 LTC#190106).
- vfio-pci: Use io_remap_pfn_range() for PCI IO memory (bsc#1181231).
- vhost/vsock: fix vhost vsock cid hashing inconsistent (git-fixes).
- virtio_net: Keep vnet header zeroed if XDP is loaded for small buffer (git-fixes).
- wan: ds26522: select CONFIG_BITREVERSE (git-fixes).
- wil6210: select CONFIG_CRC32 (git-fixes).
- x86/apic: Fix x2apic enablement without interrupt remapping (bsc#1181260, jsc#ECO-3191).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181260, jsc#ECO-3191).
- x86/hyperv: Fix kexec panic/hang issues (bsc#1176831).
- x86/i8259: Use printk_deferred() to prevent deadlock (bsc#1112178).
- x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181260, jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181260, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181260, jsc#ECO-3191).
- x86/mm/numa: Remove uninitialized_var() usage (bsc#1112178).
- x86/mm: Fix leak of pmd ptlock (bsc#1112178).
- x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181260, jsc#ECO-3191).
- x86/mtrr: Correct the range check before performing MTRR type lookups (bsc#1112178).
- x86/resctrl: Do not move a task to the same resource group (bsc#1112178).
- x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR (bsc#1112178).
- xdp: Fix xsk_generic_xmit errno (bsc#1109837).
- xhci: make sure TRB is fully written before giving it to the controller (git-fixes).
- xhci: tegra: Delay for disabling LFPS detector (git-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:551-1
Released: Tue Feb 23 09:31:53 2021
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1180827,CVE-2021-26720
This update for avahi fixes the following issues:
- CVE-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827)
- Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d.
- Add sudo to requires: used to drop privileges.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:556-1
Released: Tue Feb 23 11:17:20 2021
Summary: Recommended update for open-lldp
Type: recommended
Severity: moderate
References: 1175570
This update for open-lldp fixes the following issue:
Update to version v1.0.1+65.f3b70663b55e
- Event interface: only set receive buffer size if too small (bsc#1175570)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:571-1
Released: Tue Feb 23 16:11:33 2021
Summary: Recommended update for cloud-init
Type: recommended
Severity: moderate
References: 1180176
This update for cloud-init contains the following fixes:
- Update cloud-init-write-routes.patch (bsc#1180176)
+ Follow up to previous changes. Fix order of operations
error to make gateway comparison between subnet configuration and
route configuration valuable rather than self-comparing.
- Add cloud-init-sle12-compat.patch (jsc#PM-2335)
- Python 3.4 compatibility in setup.py
- Disable some test for mock version compatibility
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:580-1
Released: Wed Feb 24 11:16:42 2021
Summary: Optional update for python-cffi
Type: optional
Severity: low
References: 1182471
This update for python-cffi fixes the following issues:
- Restored compatibility with Python 2.7 update (bsc#1182471)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released: Fri Feb 26 19:53:43 2021
Summary: Security update for glibc
Type: security
Severity: important
References: 1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:
- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:654-1
Released: Fri Feb 26 20:01:10 2021
Summary: Security update for python-Jinja2
Type: security
Severity: important
References: 1181944,1182244,CVE-2020-28493
This update for python-Jinja2 fixes the following issues:
- CVE-2020-28493: Fixed a ReDOS vulnerability where urlize could have
been called with untrusted user data (bsc#1181944).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:684-1
Released: Tue Mar 2 19:05:30 2021
Summary: Security update for grub2
Type: security
Severity: important
References: 1175970,1176711,1177883,1179264,1179265,1182057,1182262,1182263,CVE-2020-14372,CVE-2020-25632,CVE-2020-25647,CVE-2020-27749,CVE-2020-27779,CVE-2021-20225,CVE-2021-20233
This update for grub2 fixes the following issues:
grub2 now implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)
Following security issues are fixed that can violate secure boot constraints:
- CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:689-1
Released: Tue Mar 2 19:08:40 2021
Summary: Security update for bind
Type: security
Severity: important
References: 1180933
This update for bind fixes the following issues:
- dnssec-keygen can no longer generate HMAC keys. Use tsig-keygen instead. [bsc#1180933]
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released: Mon Mar 8 16:45:27 2021
Summary: Security update for openldap2
Type: security
Severity: important
References: 1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
This update for openldap2 fixes the following issues:
- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
X.509 DN parsing in decode.c ber_next_element, resulting in denial
of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
in the Certificate List Exact Assertion processing, resulting in
denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
Assertion processing, resulting in denial of service (schema_init.c
serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
control handling, resulting in denial of service (double free and
out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
in the issuerAndThisUpdateCheck function via a crafted packet,
resulting in a denial of service (daemon exit) via a short timestamp.
This is related to schema_init.c and checkTime.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:737-1
Released: Tue Mar 9 16:07:48 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1065600,1163617,1170442,1176855,1179082,1179428,1179660,1180058,1180262,1180964,1181671,1181747,1181753,1181843,1181854,1182047,1182130,1182140,1182175,CVE-2020-29368,CVE-2020-29374,CVE-2021-26930,CVE-2021-26931,CVE-2021-26932
The SUSE Linux Enterprise 15 SP1 kernel was updated receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
- CVE-2021-26931: Fixed an issue where Linux kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).
by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).
- CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access
because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).
The following non-security bugs were fixed:
- btrfs: Cleanup try_flush_qgroup (bsc#1182047).
- btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: fix data bytes_may_use underflow with fallocate due to failed quota reserve (bsc#1182130)
- btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: Remove btrfs_inode from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: Simplify code flow in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: Unlock extents in btrfs_zero_range in case of errors (bsc#1182047).
- Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() (git-fixes).
- ibmvnic: fix a race between open and reset (bsc#1176855 ltc#187293).
- kernel-binary.spec: Add back initrd and image symlink ghosts to filelist (bsc#1182140). Fixes: 76a9256314c3 ('rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).')
- libnvdimm/dimm: Avoid race between probe and available_slots_show() (bsc#1170442).
- net: bcmgenet: add support for ethtool rxnfc flows (git-fixes).
- net: bcmgenet: code movement (git-fixes).
- net: bcmgenet: fix mask check in bcmgenet_validate_flow() (git-fixes).
- net: bcmgenet: Fix WoL with password after deep sleep (git-fixes).
- net: bcmgenet: re-remove bcmgenet_hfb_add_filter (git-fixes).
- net: bcmgenet: set Rx mode before starting netif (git-fixes).
- net: bcmgenet: use __be16 for htons(ETH_P_IP) (git-fixes).
- net: bcmgenet: Use correct I/O accessors (git-fixes).
- net: lpc-enet: fix error return code in lpc_mii_init() (git-fixes).
- net/mlx4_en: Handle TX error CQE (bsc#1181854).
- net: moxa: Fix a potential double 'free_irq()' (git-fixes).
- net: sun: fix missing release regions in cas_init_one() (git-fixes).
- nvme-multipath: Early exit if no path is available (bsc#1180964).
- rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058)
- scsi: target: fix unmap_zeroes_data boolean initialisation (bsc#1163617).
- usb: dwc2: Abort transaction after errors with unknown reason (bsc#1180262).
- usb: dwc2: Do not update data length if it is 0 on inbound transfers (bsc#1180262).
- usb: dwc2: Make 'trimming xfer length' a debug message (bsc#1180262).
- vmxnet3: Remove buf_info from device accessible structures (bsc#1181671).
- xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600).
- xen/netback: fix spurious event detection for common event case (bsc#1182175).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:753-1
Released: Tue Mar 9 17:09:57 2021
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1182331,1182333,CVE-2021-23840,CVE-2021-23841
This update for openssl-1_1 fixes the following issues:
- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:784-1
Released: Mon Mar 15 11:19:08 2021
Summary: Recommended update for efivar
Type: recommended
Severity: moderate
References: 1181967
This update for efivar fixes the following issues:
- Fixed an issue with the NVME path parsing (bsc#1181967)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released: Mon Mar 15 11:19:23 2021
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1176201
This update for zlib fixes the following issues:
- Fixed hw compression on z15 (bsc#1176201)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:890-1
Released: Fri Mar 19 15:51:41 2021
Summary: Security update for glib2
Type: security
Severity: important
References: 1182328,1182362,CVE-2021-27218,CVE-2021-27219
This update for glib2 fixes the following issues:
- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)
- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released: Tue Mar 23 10:00:49 2021
Summary: Recommended update for filesystem
Type: recommended
Severity: moderate
References: 1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094
This update for filesystem the following issues:
- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
- Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705)
- Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)
This update for systemd fixes the following issues:
- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:926-1
Released: Tue Mar 23 13:20:24 2021
Summary: Recommended update for systemd-presets-common-SUSE
Type: recommended
Severity: moderate
References: 1083473,1112500,1115408,1165780,1183012
This update for systemd-presets-common-SUSE fixes the following issues:
- Add default user preset containing:
- enable `pulseaudio.socket` (bsc#1083473)
- enable `pipewire.socket` (bsc#1183012)
- enable `pipewire-pulse.socket` (bsc#1183012)
- enable `pipewire-media-session.service` (used with pipewire >= 0.3.23)
- Changes to the default preset:
- enable `btrfsmaintenance-refresh.path`.
- disable `btrfsmaintenance-refresh.service`.
- enable `dnf-makecache.timer`.
- enable `ignition-firstboot-complete.service`.
- enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500)
- enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408)
- remove enable `updatedb.timer`
- Avoid needless refresh on boot. (bsc#1165780)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:931-1
Released: Wed Mar 24 12:10:41 2021
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1172442,1181358,CVE-2020-11080
This update for nghttp2 fixes the following issues:
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:933-1
Released: Wed Mar 24 12:16:14 2021
Summary: Security update for ruby2.5
Type: security
Severity: important
References: 1177125,1177222,CVE-2020-25613
This update for ruby2.5 fixes the following issues:
- CVE-2020-25613: Fixed a potential HTTP Request Smuggling in WEBrick (bsc#1177125).
- Enable optimizations also on ARM64 (bsc#1177222)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:934-1
Released: Wed Mar 24 12:18:21 2021
Summary: Security update for gnutls
Type: security
Severity: important
References: 1183456,1183457,CVE-2021-20231,CVE-2021-20232
This update for gnutls fixes the following issues:
- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:944-1
Released: Wed Mar 24 13:41:45 2021
Summary: Security update for ldb
Type: security
Severity: important
References: 1183572,1183574,CVE-2020-27840,CVE-2021-20277
This update for ldb fixes the following issues:
- CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs (bsc#1183572).
- CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:947-1
Released: Wed Mar 24 14:30:58 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1182379,CVE-2021-23336
This update for python3 fixes the following issues:
- python36 was updated to 3.6.13
- CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released: Wed Mar 24 14:31:34 2021
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1183370,1183371,CVE-2021-24031,CVE-2021-24032
This update for zstd fixes the following issues:
- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:951-1
Released: Thu Mar 25 14:36:20 2021
Summary: Recommended update for rsyslog
Type: recommended
Severity: moderate
References: 1178490
This update for rsyslog fixes the following issues:
- Fix groupname retrieval for large groups. (bsc#1178490)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:956-1
Released: Thu Mar 25 19:19:02 2021
Summary: Security update for libzypp, zypper
Type: security
Severity: moderate
References: 1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629,CVE-2017-9271
This update for libzypp, zypper fixes the following issues:
Update zypper to version 1.14.43:
- doc: give more details about creating versioned package locks
(bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing todo (bsc#1180077)
- Prefer /run over /var/run.
Update libzypp to 17.25.8:
- Try to provide a mounted /proc in --root installs (bsc#1181328)
Some systemd tools require /proc to be mounted and fail if it's
not there.
- Enable release packages to request a releaxed suse/opensuse
vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names (bsc#1179847)
This allows to use the RH and SUSE patch categrory names
synonymously:
(recommended = bugfix) and (optional = feature = enhancement).
- Add missing includes for GCC 11 compatibility.
- Fix %posttrans script execution (fixes #265)
The scripts are execuable. No need to call them through 'sh -c'.
- Commit: Fix rpmdb compat symlink in case rpm got removed.
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location ob the
rpmdatabase to use.
- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm. Still makes sure a compat
symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with with unknown filesize (fixes #277)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:960-1
Released: Mon Mar 29 11:16:28 2021
Summary: Recommended update for cloud-init
Type: recommended
Severity: moderate
References: 1181283
This update for cloud-init fixes the following issues:
- Does no longer include the sudoers.d directory twice (bsc#1181283)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:974-1
Released: Mon Mar 29 19:31:27 2021
Summary: Security update for tar
Type: security
Severity: low
References: 1181131,CVE-2021-20193
This update for tar fixes the following issues:
CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:985-1
Released: Tue Mar 30 14:43:43 2021
Summary: Recommended update for the Azure SDK and CLI
Type: recommended
Severity: moderate
References: 1125671,1140565,1154393,1174514,1175289,1176784,1176785,1178168,CVE-2020-14343,CVE-2020-25659
This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit).
(bsc#1176784, jsc#ECO=3105)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:991-1
Released: Wed Mar 31 13:28:37 2021
Summary: Recommended update for vim
Type: recommended
Severity: moderate
References: 1182324
This update for vim provides the following fixes:
- Install SUSE vimrc in /usr. (bsc#1182324)
- Source correct suse.vimrc file. (bsc#1182324)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1004-1
Released: Thu Apr 1 15:07:09 2021
Summary: Recommended update for libcap
Type: recommended
Severity: moderate
References: 1180073
This update for libcap fixes the following issues:
- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1021-1
Released: Tue Apr 6 14:30:30 2021
Summary: Recommended update for cups
Type: recommended
Severity: moderate
References: 1175960
This update for cups fixes the following issues:
- Fixed the web UI kerberos authentication (bsc#1175960)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1141-1
Released: Mon Apr 12 13:13:36 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: low
References: 1182791
This update for openldap2 fixes the following issues:
- Improved the proxy connection timeout options to prune connections properly (bsc#1182791)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1161-1
Released: Tue Apr 13 11:35:57 2021
Summary: Security update for cifs-utils
Type: security
Severity: moderate
References: 1183239,CVE-2021-20208
This update for cifs-utils fixes the following issues:
- CVE-2021-20208: Fixed a potential kerberos auth leak escaping from container (bsc#1183239)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1164-1
Released: Tue Apr 13 14:01:58 2021
Summary: Security update for open-iscsi
Type: security
Severity: important
References: 1173886,1179908,1183421,CVE-2020-13987,CVE-2020-13988,CVE-2020-17437,CVE-2020-17438
This update for open-iscsi fixes the following issues:
- CVE-2020-17437: uIP Out-of-Bounds Write (bsc#1179908)
- CVE-2020-17438: uIP Out-of-Bounds Write (bsc#1179908)
- CVE-2020-13987: uIP Out-of-Bounds Read (bsc#1179908)
- CVE-2020-13988: uIP Integer Overflow (bsc#1179908)
- Enabled no-wait ('-W') iscsiadm option for iscsi login service (bsc#1173886, bsc#1183421)
- Added the ability to perform async logins (bsc#1173886)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1169-1
Released: Tue Apr 13 15:01:42 2021
Summary: Recommended update for procps
Type: recommended
Severity: low
References: 1181976
This update for procps fixes the following issues:
- Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1245-1
Released: Fri Apr 16 14:46:38 2021
Summary: Security update for qemu
Type: security
Severity: important
References: 1172383,1172384,1172385,1172386,1172478,1173612,1174386,1174641,1175441,1176673,1176682,1176684,1178049,1178174,1178565,1178934,1179466,1179467,1179468,1179686,1180523,1181108,1181639,1181933,1182137,1182425,1182577,1182968,1183979,CVE-2020-11947,CVE-2020-12829,CVE-2020-13361,CVE-2020-13362,CVE-2020-13659,CVE-2020-13765,CVE-2020-14364,CVE-2020-15469,CVE-2020-15863,CVE-2020-16092,CVE-2020-25084,CVE-2020-25624,CVE-2020-25625,CVE-2020-25723,CVE-2020-27617,CVE-2020-27821,CVE-2020-28916,CVE-2020-29129,CVE-2020-29130,CVE-2020-29443,CVE-2021-20181,CVE-2021-20203,CVE-2021-20221,CVE-2021-20257,CVE-2021-3416
This update for qemu fixes the following issues:
- Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)
- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)
- Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
- Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
- Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
- Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
- Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)
- Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)
- Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
- Fix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686)
- Fix null pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)
- Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)
- Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)
- Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)
- Fix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467)
- Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386)
- Fix issue where s390 guest fails to find zipl boot menu index (bsc#1183979)
- Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)
- Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
- Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
- Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
- Apply fixes to qemu scsi passthrough with respect to timeout and error conditions, including using more correct status codes. (bsc#1178049)
- Fix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)
- Tweaks to spec file for better formatting, and remove not needed BuildRequires for e2fsprogs-devel and libpcap-devel
- Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)
- Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)
- Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)
- Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)
- Fix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386)
- Use '%service_del_postun_without_restart' instead of '%service_del_postun' to avoid 'Failed to try-restart qemu-ga at .service' error while updating the qemu-guest-agent. (bsc#1178565)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1270-1
Released: Tue Apr 20 14:04:29 2021
Summary: Recommended update for grub2
Type: recommended
Severity: important
References: 1181696,1182012,1183761
This update for grub2 fixes the following issues:
- Fix error `grub_file_filters not found` in Azure virtual machine. (bsc#1182012)
- Fix a migration issue due to a lower build number in higher service packs. (bsc#1183761)
- Fix executable stack marking in `grub-emu`. (bsc#1181696)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1275-1
Released: Tue Apr 20 14:31:26 2021
Summary: Security update for sudo
Type: security
Severity: important
References: 1183936,CVE-2021-3156
This update for sudo fixes the following issues:
- L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1280-1
Released: Tue Apr 20 14:34:19 2021
Summary: Security update for ruby2.5
Type: security
Severity: moderate
References: 1184644,CVE-2021-28965
This update for ruby2.5 fixes the following issues:
- Update to 2.5.9
- CVE-2021-28965: XML round-trip vulnerability in REXML (bsc#1184644)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1295-1
Released: Wed Apr 21 14:08:19 2021
Summary: Recommended update for systemd-presets-common-SUSE
Type: recommended
Severity: moderate
References: 1184136
This update for systemd-presets-common-SUSE fixes the following issues:
- Enabled hcn-init.service for HNV on POWER (bsc#1184136)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1296-1
Released: Wed Apr 21 14:09:28 2021
Summary: Optional update for e2fsprogs
Type: optional
Severity: low
References: 1183791
This update for e2fsprogs fixes the following issues:
- Fixed an issue when building e2fsprogs (bsc#1183791)
This patch does not fix any user visible issues and is therefore optional to install.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1297-1
Released: Wed Apr 21 14:10:10 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1178219
This update for systemd fixes the following issues:
- Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot
be stopped properly and would leave mount points mounted.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1407-1
Released: Wed Apr 28 15:49:02 2021
Summary: Recommended update for libcap
Type: recommended
Severity: important
References: 1184690
This update for libcap fixes the following issues:
- Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1412-1
Released: Wed Apr 28 17:09:28 2021
Summary: Security update for libnettle
Type: security
Severity: important
References: 1184401,CVE-2021-20305
This update for libnettle fixes the following issues:
- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1425-1
Released: Thu Apr 29 06:23:08 2021
Summary: Optional update for tcpdump
Type: optional
Severity: low
References: 1183800
This update for tcpdump fixes the following issues:
- Disabled five regression tests that fail with libpcap > 1.8.1 (bsc#1183800)
This patch does not fix any user visible issues and is therefore optional to install.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1449-1
Released: Fri Apr 30 08:08:25 2021
Summary: Recommended update for systemd-presets-branding-SLE
Type: recommended
Severity: moderate
References: 1165780
This update for systemd-presets-branding-SLE fixes the following issues:
- Don't enable 'btrfsmaintenance-refresh.service', 'btrfsmaintenance' is managed by systemd-presets-common-SUSE instead. (bsc#1165780)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1451-1
Released: Fri Apr 30 08:08:45 2021
Summary: Recommended update for dhcp
Type: recommended
Severity: moderate
References: 1185157
This update for dhcp fixes the following issues:
- Use '/run' instead of '/var/run' for PIDFile in 'dhcrelay.service'. (bsc#1185157)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1454-1
Released: Fri Apr 30 09:22:26 2021
Summary: Security update for cups
Type: security
Severity: important
References: 1184161,CVE-2021-25317
This update for cups fixes the following issues:
- CVE-2021-25317: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks (bsc#1184161)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1456-1
Released: Fri Apr 30 12:00:01 2021
Summary: Recommended update for cifs-utils
Type: recommended
Severity: important
References: 1184815
This update for cifs-utils fixes the following issues:
- Fixed a bug where it was no longer possible to mount CIFS filesystem after the
last maintenance update (bsc#1184815)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1462-1
Released: Fri Apr 30 14:54:23 2021
Summary: Recommended update for cloud-init
Type: recommended
Severity: moderate
References: 1181283,1184085
This update for cloud-init fixes the following issues:
- Fixed an issue, where the bonding options were wrongly configured in SLE and openSUSE (bsc#1184085)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1471-1
Released: Tue May 4 08:36:57 2021
Summary: Security update for bind
Type: security
Severity: important
References: 1183453,1185345,CVE-2021-25214,CVE-2021-25215
This update for bind fixes the following issues:
- CVE-2021-25214: Fixed a broken inbound incremental zone update (IXFR) which could have caused named to terminate unexpectedly (bsc#1185345).
- CVE-2021-25215: Fixed an assertion check which could have failed while answering queries for DNAME records that required the DNAME to be processed to resolve itself (bsc#1185345).
- make /usr/bin/delv in bind-tools position independent (bsc#1183453).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1493-1
Released: Tue May 4 17:13:34 2021
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1184521,CVE-2021-3468
This update for avahi fixes the following issues:
- CVE-2021-3468: avoid infinite loop by handling HUP event in client_work (bsc#1184521).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1498-1
Released: Tue May 4 17:17:43 2021
Summary: Security update for samba
Type: security
Severity: important
References: 1178469,1179156,1183572,1183574,1184310,1184677,CVE-2020-27840,CVE-2021-20254,CVE-2021-20277
This update for samba fixes the following issues:
- CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574).
- CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
- CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs (bsc#1183572).
- Avoid free'ing our own pointer in memcache when memcache_trim attempts to reduce cache size (bsc#1179156).
- s3-libads: use dns name to open a ldap session (bsc#1184310).
- Adjust smbcacls '--propagate-inheritance' feature to align with upstream (bsc#1178469).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1523-1
Released: Wed May 5 18:24:20 2021
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
This update for libxml2 fixes the following issues:
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1527-1
Released: Thu May 6 08:58:53 2021
Summary: Recommended update for bash
Type: recommended
Severity: important
References: 1183064
This update for bash fixes the following issues:
- Fixed a segmentation fault that used to occur when bash read a history file
that was malformed in a very specific way. (bsc#1183064)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1543-1
Released: Fri May 7 15:16:33 2021
Summary: Recommended update for patterns-microos
Type: recommended
Severity: moderate
References: 1184435
This update for patterns-microos provides the following fix:
- Require the libvirt-daemon-qemu package and include the needed dependencies in the
product. (bsc#1184435)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1549-1
Released: Mon May 10 13:48:00 2021
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1185417
This update for procps fixes the following issues:
- Support up to 2048 CPU as well. (bsc#1185417)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1557-1
Released: Tue May 11 09:50:00 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1183374,CVE-2021-3426
This update for python3 fixes the following issues:
- CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1564-1
Released: Tue May 11 13:29:55 2021
Summary: Security update for shim
Type: security
Severity: important
References: 1177315,1182057,1185464
This update for shim fixes the following issues:
- Update to the unified shim binary for SBAT support (bsc#1182057)
+ Merged EKU codesign check (bsc#1177315)
- shim-install: Always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1565-1
Released: Tue May 11 14:20:04 2021
Summary: Recommended update for krb5
Type: recommended
Severity: moderate
References: 1185163
This update for krb5 fixes the following issues:
- Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163);
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1566-1
Released: Wed May 12 09:39:16 2021
Summary: Recommended update for chrony
Type: recommended
Severity: moderate
References: 1162964,1184400
This update for chrony fixes the following issues:
- Fix build with glibc-2.31 (bsc#1162964)
- Use /run instead of /var/run for PIDFile in chronyd.service (bsc#1184400)
-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1592-1
Released: Wed May 12 13:47:41 2021
Summary: Optional update for sed
Type: optional
Severity: low
References: 1183797
This update for sed fixes the following issues:
- Fixed a building issue with glibc-2.31 (bsc#1183797).
This patch is optional to install.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1602-1
Released: Thu May 13 16:35:19 2021
Summary: Recommended update for libsolv, libzypp
Type: recommended
Severity: moderate
References: 1180851,1181874,1182936,1183628,1184997,1185239
This update for libsolv and libzypp fixes the following issues:
libsolv:
Upgrade from version 0.7.17 to version 0.7.19
- Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned.
- Fix memory leaks in error cases
- Fix error handling in `solv_xfopen_fd()`
- Fix regex code on win32
- fixed memory leak in choice rule generation
- `repo_add_conda`: add a flag to skip version 2 packages.
libzypp:
Upgrade from version 17.25.8 to version 17.25.10
- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1612-1
Released: Fri May 14 17:09:39 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1184614
This update for openldap2 fixes the following issue:
- Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1624-1
Released: Tue May 18 14:14:41 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1047233,1172455,1173485,1176720,1177411,1178181,1179454,1180197,1181960,1182011,1182672,1182715,1182716,1182717,1183022,1183063,1183069,1183509,1183593,1183646,1183686,1183696,1183775,1184120,1184167,1184168,1184170,1184192,1184193,1184194,1184196,1184198,1184208,1184211,1184388,1184391,1184393,1184397,1184509,1184511,1184512,1184514,1184583,1184650,1184942,1185113,1185244,CVE-2020-0433,CVE-2020-25670,CVE-2020-25671,CVE-2020-25672,CVE-2020-25673,CVE-2020-27170,CVE-2020-27171,CVE-2020-27673,CVE-2020-27815,CVE-2020-35519,CVE-2020-36310,CVE-2020-36311,CVE-2020-36312,CVE-2020-36322,CVE-2021-20219,CVE-2021-27363,CVE-2021-27364,CVE-2021-27365,CVE-2021-28038,CVE-2021-28660,CVE-2021-28688,CVE-2021-28950,CVE-2021-28964,CVE-2021-28971,CVE-2021-28972,CVE-2021-29154,CVE-2021-29155,CVE-2021-29264,CVE-2021-29265,CVE-2021-29647,CVE-2021-29650,CVE-2021-30002,CVE-2021-3428,CVE-2021-3444,CVE-2021-3483
The SUSE Linux Enterprise 15 SP1 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).
- CVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
- CVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (bnc#1184942).
- CVE-2020-36310: Fixed an issue in arch/x86/kvm/svm/svm.c that allowed a set_memory_region_test infinite loop for certain nested page faults (bnc#1184512).
- CVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).
- CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).
- CVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).
- CVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).
- CVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).
- CVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).
- CVE-2020-36311: Fixed an issue in arch/x86/kvm/svm/sev.c that allowed attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions) (bnc#1184511).
- CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).
- CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).
- CVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).
- CVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).
- CVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).
- CVE-2021-28964: Fixed a race condition in fs/btrfs/ctree.c that could have caused a denial of service because of a lack of locking on an extent buffer before a cloning operation (bnc#1184193).
- CVE-2021-3444: Fixed the bpf verifier as it did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution (bnc#1184170).
- CVE-2021-28971: Fixed a potential local denial of service in intel_pmu_drain_pebs_nhm where userspace applications can cause a system crash because the PEBS status in a PEBS record is mishandled (bnc#1184196).
- CVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bnc#1183646).
- CVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).
- CVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).
- CVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination (bnc#1184198).
- CVE-2021-29647: Fixed an issue in kernel qrtr_recvmsg in net/qrtr/qrtr.c that allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bnc#1184192).
- CVE-2020-27171: Fixed an issue in kernel/bpf/verifier.c that had an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bnc#1183686, bnc#1183775).
- CVE-2020-27170: Fixed an issue in kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. This affects pointer types that do not define a ptr_limit (bnc#1183686 bnc#1183775).
- CVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).
- CVE-2020-35519: Update patch reference for x25 fix (bsc#1183696).
- CVE-2021-3428: Fixed ext4 integer overflow in ext4_es_cache_extent (bsc#1173485, bsc#1183509).
- CVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened. This could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).
- CVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).
- CVE-2020-27815: Fixed jfs array index bounds check in dbAdjTree (bsc#1179454).
- CVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).
- CVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).
- CVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).
The following non-security bugs were fixed:
- Revert 'rpm/kernel-binary.spec.in: Fix dependency of kernel-*-devel package (bsc#1184514)' This turned out to be a bad idea: the kernel-$flavor-devel package must be usable without kernel-$flavor, e.g. at the build of a KMP. And this change brought superfluous installation of kernel-preempt when a system had kernel-syms (bsc#1185113).
- Xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367).
- bfq: Fix kABI for update internal depth state when queue depth changes (bsc#1172455).
- bfq: update internal depth state when queue depth changes (bsc#1172455).
- bpf: Add sanity check for upper ptr_limit (bsc#1183686 bsc#1183775).
- bpf: Simplify alu_limit masking for pointer arithmetic (bsc#1183686 bsc#1183775).
- handle also the opposite type of race condition
- ibmvnic: Clear failover_pending if unable to schedule (bsc#1181960 ltc#190997).
- ibmvnic: always store valid MAC address (bsc#1182011 ltc#191844).
- ibmvnic: store valid MAC address (bsc#1182011).
- macros.kernel-source: Use spec_install_pre for certificate installation (boo#1182672).
- nvme: return an error if nvme_set_queue_count() fails (bsc#1180197).
- post.sh: Return an error when module update fails (bsc#1047233 bsc#1184388).
- rpm/kernel-obs-build.spec.in: Include essiv with dm-crypt (boo#1183063).
- rpm/macros.kernel-source: fix KMP failure in %install (bsc#1185244)
- rpm/mkspec: Use tilde instead of dot for version string with rc (bsc#1184650)
- xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022, XSA-367).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1643-1
Released: Wed May 19 13:51:48 2021
Summary: Recommended update for pam
Type: recommended
Severity: important
References: 1181443,1184358,1185562
This update for pam fixes the following issues:
- Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to
an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1647-1
Released: Wed May 19 13:59:12 2021
Summary: Security update for lz4
Type: security
Severity: important
References: 1185438,CVE-2021-3520
This update for lz4 fixes the following issues:
- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1654-1
Released: Wed May 19 16:43:36 2021
Summary: Security update for libxml2
Type: security
Severity: important
References: 1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
This update for libxml2 fixes the following issues:
- CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1669-1
Released: Thu May 20 11:10:44 2021
Summary: Recommended update for nfs-utils
Type: recommended
Severity: moderate
References: 1181540,1181651,1183194,1185170
This update for nfs-utils fixes the following issues:
- The '/var/run' is long deprecated - switch all relevant paths to '/run'. (bsc#1185170)
- Improve logging of authentication (bsc#1181540)
- Add man page of the 'nconnect mount'. (bsc#1181651)
- Fixed an issue when HANA crashed due to inaccessible/hanging NFS mount. (bsc#1183194)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1672-1
Released: Thu May 20 13:44:41 2021
Summary: Recommended update for supportutils
Type: recommended
Severity: moderate
References: 1021918,1089870,1168894,1169122,1169348,1170092,1170094,1170858,1176370,1178491,1180478,1181351,1181610,1181679,1181911,1182904,1182950,1183732,1183826,1184829,1184912
This update for supportutils fixes the following issues:
- Collects rotated logs with different compression types (bsc#1180478)
- Captures now IBM Power bootlist (jsc#SLE-15557)
- Fixed some errors with supportutils in combination with the btrfs filesystem (bsc#1168894)
- Fixed an issue with ntp.txt, when it contains large binary data (bsc#1169122)
- Checks package signatures in rpm.txt (bsc#1021918)
- Optimize find (bsc#1184912)
- Using zypper --xmlout (bsc#1181351)
- Error fix for sysfs.txt (bsc#1089870)
- Added list-timers to systemd.txt (bsc#1169348)
- Including nfs4 in search (bsc#1184829)
- [powerpc] Collect dynamic_debug log files for ibmvNIC #98 (bsc#1183826)
- Fixed mismatched taint flags (bsc#1178491)
- Removed redundant fdisk code that can cause timeout issues (bsc#1181679)
- Supportconfig processes -f without hanging (bsc#1182904)
- Collect logs for power specific components (using iprconfig) pr#94 (bsc#1182950)
- [powerpc] Collect logs for power specific components (HNV) pr#88 (bsc#1181911)
- Includes NVMe information with OPTION_NVME=1 in nvme.txt (bsc#1176370, SLE-15932)
- No longer truncates boot log (bsc#1181610)
- Collects rotated logs with different compression types (bsc#1180478)
- Capture IBM Power bootlist (SLE-15557)
- [powerpc] Collect logs for power specific components #72 (bscn#1176895)
- Fixed btrfs errors (bsc#1168894)
- Large ntp.txt with binary data (bsc#1169122)
- Only include hostinfo details in /etc/motd (bsc#1170092)
- Fixed CPU load average calculation (bsc#1170094)
- Understands 3rd party packages on SLES or OpenSUSE (bsc#1170858)
- Implement persistens host information across reboots (bsc#1183732)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1675-1
Released: Thu May 20 15:00:23 2021
Summary: Recommended update for snappy
Type: recommended
Severity: moderate
References: 1080040,1184507
This update for snappy fixes the following issues:
Update from version 1.1.3 to 1.1.8
- Small performance improvements.
- Removed `snappy::string` alias for `std::string`.
- Improved `CMake` configuration.
- Improved packages descriptions.
- Fix RPM groups.
- Aarch64 fixes
- PPC speedups
- PIE improvements
- Fix license install. (bsc#1080040)
- Fix a 1% performance regression when snappy is used in PIE executable.
- Improve compression performance by 5%.
- Improve decompression performance by 20%.
- Use better download URL.
- Fix a build issue for tensorflow2. (bsc#1184507)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1702-1
Released: Tue May 25 09:53:56 2021
Summary: Recommended update for shim
Type: recommended
Severity: moderate
References: 1185464,1185961
This update for shim fixes the following issues:
- shim-install: instead of assuming 'removable' for Azure, remove fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot
to make \EFI\Boot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1773-1
Released: Wed May 26 17:22:21 2021
Summary: Recommended update for python3
Type: recommended
Severity: low
References:
This update for python3 fixes the following issues:
- Make sure to close the import_failed.map file after the exception
has been raised in order to avoid ResourceWarnings when the
failing import is part of a try...except block.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1809-1
Released: Mon May 31 16:24:59 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1177976,1183933,1186114,CVE-2021-22876,CVE-2021-22898
This update for curl fixes the following issues:
- CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976).
- Allow partial chain verification (jsc#SLE-17956).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1841-1
Released: Wed Jun 2 16:30:17 2021
Summary: Security update for dhcp
Type: security
Severity: important
References: 1186382,CVE-2021-25217
This update for dhcp fixes the following issues:
- CVE-2021-25217: A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1846-1
Released: Fri Jun 4 08:46:37 2021
Summary: Recommended update for mozilla-nss
Type: recommended
Severity: moderate
References: 1185910
This update for mozilla-nss fixes the following issue:
- Provide some missing binaries from `mozilla-nss` not added in `SLE-Module-Basesystem_15-SP3`. (bsc#1185910)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1859-1
Released: Fri Jun 4 09:02:38 2021
Summary: Security update for python-py
Type: security
Severity: moderate
References: 1179805,1184505,CVE-2020-29651
This update for python-py fixes the following issues:
- CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1861-1
Released: Fri Jun 4 09:59:40 2021
Summary: Recommended update for gcc10
Type: recommended
Severity: moderate
References: 1029961,1106014,1178577,1178624,1178675,1182016
This update for gcc10 fixes the following issues:
- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1882-1
Released: Tue Jun 8 13:25:36 2021
Summary: Recommended update for shim
Type: recommended
Severity: moderate
References: 1185464,1185961
This update for shim fixes the following issues:
- shim-install: remove the unexpected residual 'removable' label
for Azure (bsc#1185464, bsc#1185961)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1912-1
Released: Wed Jun 9 13:54:20 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1181161,1183405,1183738,1183947,1184611,1184675,1185642,1185680,1185725,1185859,1185860,1185862,1185863,1185898,1185899,1185901,1185938,1185950,1185987,1186060,1186061,1186062,1186111,1186285,1186390,1186484,1186498,CVE-2020-24586,CVE-2020-24587,CVE-2020-26139,CVE-2020-26141,CVE-2020-26145,CVE-2020-26147,CVE-2021-23133,CVE-2021-23134,CVE-2021-32399,CVE-2021-33034,CVE-2021-33200,CVE-2021-3491
The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values. (bsc#1186111)
- CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
- CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
- CVE-2021-23133: Fixed a race condition in SCTP sockets, which could lead to privilege escalation from the context of a network service or an unprivileged process. (bnc#1184675)
- CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
- CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
- CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
- CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)
The following non-security bugs were fixed:
- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725).
- dm: fix redundant IO accounting for bios that need splitting (bsc#1183738).
- ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043).
- ibmvfc: Handle move login failure (bsc#1185938 ltc#192043).
- ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).
- kabi: Fix breakage in NVMe driver (bsc#1181161).
- kabi: Fix nvmet error log definitions (bsc#1181161).
- kabi: nvme: fix fast_io_fail_tmo (bsc#1181161).
- md/raid1: properly indicate failure when ending a failed write request (bsc#1185680).
- net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405)
- netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950).
- netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950).
- netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950).
- netfilter: conntrack: tcp: only close if RST matches exact sequence (bsc#1183947 bsc#1185950).
- nvme-fabrics: allow to queue requests for live queues (bsc#1181161).
- nvme-fabrics: do not check state NVME_CTRL_NEW for request acceptance (bsc#1181161).
- nvme-fabrics: reject I/O to offline device (bsc#1181161).
- nvme-pci: Sync queues on reset (bsc#1181161).
- nvme-rdma: avoid race between time out and tear down (bsc#1181161).
- nvme-rdma: avoid repeated request completion (bsc#1181161).
- nvme-rdma: avoid request double completion for concurrent nvme_rdma_timeout (bsc#1181161).
- nvme-rdma: fix controller reset hang during traffic (bsc#1181161).
- nvme-rdma: fix possible hang when failing to set io queues (bsc#1181161).
- nvme-rdma: fix timeout handler (bsc#1181161).
- nvme-rdma: serialize controller teardown sequences (bsc#1181161).
- nvme-tcp: avoid race between time out and tear down (bsc#1181161).
- nvme-tcp: avoid repeated request completion (bsc#1181161).
- nvme-tcp: avoid request double completion for concurrent nvme_tcp_timeout (bsc#1181161).
- nvme-tcp: fix controller reset hang during traffic (bsc#1181161).
- nvme-tcp: fix possible hang when failing to set io queues (bsc#1181161).
- nvme-tcp: fix timeout handler (bsc#1181161).
- nvme-tcp: serialize controller teardown sequences (bsc#1181161).
- nvme: Restart request timers in resetting state (bsc#1181161).
- nvme: add error log page slot definition (bsc#1181161).
- nvme: include admin_q sync with nvme_sync_queues (bsc#1181161).
- nvme: introduce 'Command Aborted By host' status code (bsc#1181161).
- nvme: introduce nvme_is_fabrics to check fabrics cmd (bsc#1181161).
- nvme: introduce nvme_sync_io_queues (bsc#1181161).
- nvme: make fabrics command run on a separate request queue (bsc#1181161).
- nvme: prevent warning triggered by nvme_stop_keep_alive (bsc#1181161).
- nvme: unlink head after removing last namespace (bsc#1181161).
- nvmet: add error log support for fabrics-cmd (bsc#1181161).
- nvmet: add error-log definitions (bsc#1181161).
- video: hyperv_fb: Add ratelimit on error message (bsc#1185725).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1917-1
Released: Wed Jun 9 14:48:05 2021
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1186015,CVE-2021-3541
This update for libxml2 fixes the following issues:
- CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1918-1
Released: Wed Jun 9 15:20:01 2021
Summary: Security update for qemu
Type: security
Severity: important
References: 1149813,1163019,1172380,1175534,1178683,1178935,1179477,1179484,1182846,1182975,CVE-2019-15890,CVE-2020-10756,CVE-2020-14364,CVE-2020-25707,CVE-2020-25723,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20257,CVE-2021-3419
This update for qemu fixes the following issues:
- CVE-2020-10756: Fix out-of-bounds read information disclosure in icmp6_send_echoreply (bsc#1172380)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1923-1
Released: Thu Jun 10 08:37:00 2021
Summary: Recommended update for nfs-utils
Type: recommended
Severity: important
References: 1183194
This update for nfs-utils fixes the following issues:
- Ensured thread safety when opening files over NFS to prevent a
use-after-free issue (bsc#1183194)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1953-1
Released: Thu Jun 10 16:18:50 2021
Summary: Recommended update for gpg2
Type: recommended
Severity: moderate
References: 1161268,1172308
This update for gpg2 fixes the following issues:
- Fixed an issue where the gpg-agent's ssh-agent does not handle flags
in signing requests properly (bsc#1161268 and bsc#1172308).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1954-1
Released: Fri Jun 11 10:45:09 2021
Summary: Security update for containerd, docker, runc
Type: security
Severity: important
References: 1168481,1175081,1175821,1181594,1181641,1181677,1181730,1181732,1181749,1182451,1182476,1182947,1183024,1183855,1184768,1184962,1185405,CVE-2021-21284,CVE-2021-21285,CVE-2021-21334,CVE-2021-30465
This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594)
* Switch version to use -ce suffix rather than _ce to avoid confusing other
tools (bsc#1182476).
* CVE-2021-21284: Fixed a potential privilege escalation when the root user in
the remapped namespace has access to the host filesystem (bsc#1181732)
* CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest
crashes the dockerd daemon (bsc#1181730).
* btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081)
runc was updated to v1.0.0~rc93 (bsc#1182451, bsc#1175821 bsc#1184962).
* Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).
* Fixed /dev/null is not available (bsc#1168481).
* CVE-2021-30465: Fixed a symlink-exchange attack vulnarability (bsc#1185405).
containerd was updated to v1.4.4
* CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).
* Handle a requirement from docker (bsc#1181594).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1987-1
Released: Wed Jun 16 12:11:50 2021
Summary: Recommended update for samba
Type: recommended
Severity: important
References: 1185089
This update for samba fixes the following issues:
- Fixes a regression changing the computer account password when using net ads(bsc#1185089)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2091-1
Released: Mon Jun 21 10:45:13 2021
Summary: Recommended update for wget
Type: recommended
Severity: moderate
References: 1181173
This update for wget fixes the following issue:
- When running recursively, wget will verify the length of the whole
URL when saving the files. This will make it overwrite files with
truncated names, throwing the following message:
'The name is too long,... trying to shorten'. (bsc#1181173)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2106-1
Released: Mon Jun 21 19:26:19 2021
Summary: Security update for salt
Type: security
Severity: critical
References: 1171257,1176293,1179831,1181368,1182281,1182293,1182382,1185092,1185281,1186674,CVE-2018-15750,CVE-2018-15751,CVE-2020-11651,CVE-2020-11652,CVE-2020-25592,CVE-2021-25315,CVE-2021-31607
This update for salt fixes the following issues:
Update to Salt release version 3002.2 (jsc#ECO-3212, jsc#SLE-18033, jsc#SLE-18028)
- Check if dpkgnotify is executable (bsc#1186674)
- Drop support for Python2. Obsoletes `python2-salt` package (jsc#SLE-18028)
- virt module updates
* network: handle missing ipv4 netmask attribute
* more network support
* PCI/USB host devices passthrough support
- Set distro requirement to oldest supported version in requirements/base.txt
- Bring missing part of async batch implementation back (CVE-2021-25315, bsc#1182382)
- Always require `python3-distro` (bsc#1182293)
- Remove deprecated warning that breaks minion execution when 'server_id_use_crc' opts is missing
- Fix pkg states when DEB package has 'all' arch
- Do not force beacons configuration to be a list.
- Remove msgpack < 1.0.0 from base requirements (bsc#1176293)
- msgpack support for version >= 1.0.0 (bsc#1171257)
- Fix issue parsing errors in ansiblegate state module
- Prevent command injection in the snapper module (bsc#1185281, CVE-2021-31607)
- transactional_update: detect recursion in the executor
- Add subpackage salt-transactional-update (jsc#SLE-18033)
- Improvements on 'ansiblegate' module (bsc#1185092):
* New methods: ansible.targets / ansible.discover_playbooks
- Add support for Alibaba Cloud Linux 2 (Aliyun Linux)
- Regression fix of salt-ssh on processing targets
- Update target fix for salt-ssh and avoiding race condition on salt-ssh event processing (bsc#1179831, bsc#1182281)
- Add notify beacon for Debian/Ubuntu systems
- Fix zmq bug that causes salt-call to freeze (bsc#1181368)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2143-1
Released: Wed Jun 23 16:27:04 2021
Summary: Security update for libnettle
Type: security
Severity: important
References: 1187060,CVE-2021-3580
This update for libnettle fixes the following issues:
- CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2157-1
Released: Thu Jun 24 15:40:14 2021
Summary: Security update for libgcrypt
Type: security
Severity: important
References: 1187212,CVE-2021-33560
This update for libgcrypt fixes the following issues:
- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2171-1
Released: Mon Jun 28 14:06:45 2021
Summary: Recommended update for btrfsmaintenance
Type: recommended
Severity: moderate
References: 1178874
This update for btrfsmaintenance fixes the following issues:
- Remove [Install] section from btrfsmaintenance. (bsc#1178874)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2173-1
Released: Mon Jun 28 14:59:45 2021
Summary: Recommended update for automake
Type: recommended
Severity: moderate
References: 1040589,1047218,1182604,1185540,1186049
This update for automake fixes the following issues:
- Implement generated autoconf makefiles reproducible (bsc#1182604)
- Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
- Avoid bashisms in test-driver script. (bsc#1185540)
This update for pcre fixes the following issues:
- Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)
This update for brp-check-suse fixes the following issues:
- Add fixes to support reproducible builds. (bsc#1186049)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2178-1
Released: Mon Jun 28 15:56:15 2021
Summary: Recommended update for systemd-presets-common-SUSE
Type: recommended
Severity: moderate
References: 1186561
This update for systemd-presets-common-SUSE fixes the following issues:
When installing the systemd-presets-common-SUSE package for the
first time in a new system, it might happen that some services
are installed before systemd so the %systemd_pre/post macros
would not work. This is handled by enabling all preset services
in this package's %posttrans section but it wasn't enabling
user services, just system services. Now it enables also the
user services installed before this package (bsc#1186561)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2179-1
Released: Mon Jun 28 17:36:37 2021
Summary: Recommended update for thin-provisioning-tools
Type: recommended
Severity: moderate
References: 1184124
This update for thin-provisioning-tools fixes the following issues:
- Link as position-independent executable (bsc#1184124)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2191-1
Released: Mon Jun 28 18:38:12 2021
Summary: Recommended update for patterns-microos
Type: recommended
Severity: moderate
References: 1186791
This update for patterns-microos provides the following fix:
- Add zypper-migration-plugin to the default pattern. (bsc#1186791)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2193-1
Released: Mon Jun 28 18:38:43 2021
Summary: Recommended update for tar
Type: recommended
Severity: moderate
References: 1184124
This update for tar fixes the following issues:
- Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2196-1
Released: Tue Jun 29 09:41:39 2021
Summary: Security update for lua53
Type: security
Severity: moderate
References: 1175448,1175449,CVE-2020-24370,CVE-2020-24371
This update for lua53 fixes the following issues:
Update to version 5.3.6:
- CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
- CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
- Long brackets with a huge number of '=' overflow some internal buffer arithmetic.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2205-1
Released: Wed Jun 30 09:17:41 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: important
References: 1187210
This update for openldap2 fixes the following issues:
- Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2222-1
Released: Thu Jul 1 11:51:43 2021
Summary: Recommended update for multipath-tools
Type: recommended
Severity: moderate
References: 1174026,1177081,1177371,1178377,1178379,1182072,1182917,1184260
This update for multipath-tools fixes the following issues:
- Update from version 0.7.9+195+suse.16740c5 to version 0.7.9+207+suse.58b7a57:
* Improve handling of changed WWIDs and temporary failure to obtain WWID.
Option 'disable_changed_wwids' is now ignored. (bsc#1184260)
* enable negated regular expression syntax in conf file (bsc#1182917)
* change default devnode blacklist to `'!^(sd[a-z]|dasd[a-z]|nvme[0-9])'`
* Avoid 'illegal request' errors on non-RDAC storage (bsc#1182072, bsc#1177371)
* fixes for SAS expanders (bsc#1178377, bsc#1178379, bsc#1177081)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2223-1
Released: Thu Jul 1 12:15:26 2021
Summary: Recommended update for chrony
Type: recommended
Severity: moderate
References: 1173760
This update for chrony fixes the following issues:
- Fixed an issue when chrony aborts in FIPS mode due to MD5. (bsc#1173760)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2246-1
Released: Mon Jul 5 15:17:49 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1154935,1167471,1178561,1184761,1184967,1185046,1185331,1185807,1185958,1187292,1187400
This update for systemd fixes the following issues:
cgroup: Parse infinity properly for memory protections. (bsc#1167471)
cgroup: Make empty assignments reset to default. (bsc#1167471)
cgroup: Support 0-value for memory protection directives. (bsc#1167471)
core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935)
bus-unit-util: Add proper 'MemorySwapMax' serialization.
core: Accept MemorySwapMax= properties that are scaled.
execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967)
core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331)
Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046)
rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561)
write_net_rules: Set execute bits. (bsc#1178561)
udev: Rework network device renaming.
Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available''
mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
core: fix output (logging) for mount units (#7603) (bsc#1187400)
udev requires systemd in its %post (bsc#1185958)
cgroup: Parse infinity properly for memory protections (bsc#1167471)
cgroup: Make empty assignments reset to default (bsc#1167471)
cgroup: Support 0-value for memory protection directives (bsc#1167471)
Create /run/lock/subsys again (bsc#1187292)
The creation of this directory was mistakenly dropped when
'filesystem' package took the initialization of the generic paths
over.
Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2286-1
Released: Fri Jul 9 17:38:53 2021
Summary: Recommended update for dosfstools
Type: recommended
Severity: moderate
References: 1172863
This update for dosfstools fixes the following issue:
- Fixed a bug that was causing an installation issue when trying to create
an EFI partition on an NVMe-over-Fabrics device (bsc#1172863)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2292-1
Released: Mon Jul 12 08:25:20 2021
Summary: Security update for dbus-1
Type: security
Severity: important
References: 1187105,CVE-2020-35512
This update for dbus-1 fixes the following issues:
- CVE-2020-35512: Fixed a use-after-free or potential undefined behaviour caused by shared UID's (bsc#1187105)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2320-1
Released: Wed Jul 14 17:01:06 2021
Summary: Security update for sqlite3
Type: security
Severity: important
References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327
This update for sqlite3 fixes the following issues:
- Update to version 3.36.0
- CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener
optimization (bsc#1173641)
- CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in
isAuxiliaryVtabOperator (bsc#1164719)
- CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
- CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
- CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer
dereference (bsc#1160309)
- CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
- CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
- CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715)
- CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference
(bsc#1159491)
- CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with
a shadow table name (bsc#1158960)
- CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated
columns (bsc#1158959)
- CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views
in conjunction with ALTER TABLE statements (bsc#1158958)
- CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column,
which allows attackers to cause a denial of service (bsc#1158812)
- CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a
sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
- CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
- CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
- CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
- CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow
- CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
- CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
- CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2395-1
Released: Mon Jul 19 12:08:34 2021
Summary: Recommended update for efivar
Type: recommended
Severity: moderate
References: 1187386
This update for efivar provides the following fix:
- Fix the eMMC sysfs parsing. (bsc#1187386)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2404-1
Released: Tue Jul 20 14:21:30 2021
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1184994,1188063,CVE-2021-33910
This update for systemd fixes the following issues:
- CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063)
- Skip udev rules if 'elevator=' is used (bsc#1184994)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2412-1
Released: Tue Jul 20 15:25:21 2021
Summary: Security update for containerd
Type: security
Severity: moderate
References: 1188282,CVE-2021-32760
This update for containerd fixes the following issues:
- CVE-2021-32760: Fixed a bug which allows untrusted container images to change permissions in the host's filesystem. (bsc#1188282)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2427-1
Released: Wed Jul 21 11:28:37 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1153720,1174978,1179610,1181193,1185428,1185701,1185861,1186463,1186484,1187038,1187050,1187215,1187452,1187554,1187595,1187601,1188062,1188116,CVE-2020-24588,CVE-2020-26558,CVE-2020-36385,CVE-2020-36386,CVE-2021-0129,CVE-2021-0512,CVE-2021-0605,CVE-2021-22555,CVE-2021-33200,CVE-2021-33624,CVE-2021-33909,CVE-2021-34693,CVE-2021-3609
The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2021-33624: Fixed a bug which allows unprivileged BPF program to leak the contents of arbitrary kernel memory (and therefore, of all physical memory) via a side-channel. (bsc#1187554)
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187601)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187595)
- CVE-2020-26558: Fixed a flaw in the Bluetooth LE and BR/EDR secure pairing that could permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing. (bnc#1179610)
- CVE-2021-34693: Fixed a bug in net/can/bcm.c which could allow local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. (bsc#1187452)
- CVE-2021-0129: Fixed an improper access control in BlueZ that may have allowed an authenticated user to potentially enable information disclosure via adjacent access. (bnc#1186463)
- CVE-2020-36386: Fixed an out-of-bounds read in hci_extended_inquiry_result_evt. (bsc#1187038)
- CVE-2020-24588: Fixed a bug that could allow an adversary to abuse devices that support receiving non-SSP A-MSDU frames to inject arbitrary network packets. (bsc#1185861 bsc#1185863)
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062)
- CVE-2021-3609: Fixed a race condition in the CAN BCM networking protocol which allows for local privilege escalation. (bsc#1187215)
- CVE-2020-36385: Fixed a use-after-free flaw in ucma.c which allows for local privilege escalation. (bsc#1187050)
- CVE-2021-33200: Fix leakage of uninitialized bpf stack under speculation. (bsc#1186484)
The following non-security bugs were fixed:
- af_packet: fix the tx skb protocol in raw sockets with ETH_P_ALL (bsc#1176081).
- kabi: preserve struct header_ops after bsc#1176081 fix (bsc#1176081).
- net: Do not set transport offset to invalid value (bsc#1176081).
- net: Introduce parse_protocol header_ops callback (bsc#1176081).
- net/ethernet: Add parse_protocol header_ops support (bsc#1176081).
- net/mlx5e: Remove the wrong assumption about transport offset (bsc#1176081).
- net/mlx5e: Trust kernel regarding transport offset (bsc#1176081).
- net/packet: Ask driver for protocol if not provided by user (bsc#1176081).
- net/packet: Remove redundant skb->protocol set (bsc#1176081).
- resource: Fix find_next_iomem_res() iteration issue (bsc#1181193).
- scsi: scsi_dh_alua: Retry RTPG on a different path after failure (bsc#1174978 bsc#1185701).
- SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428).
- SUNRPC: More fixes for backlog congestion (bsc#1185428).
- x86/crash: Add e820 reserved ranges to kdump kernel's e820 table (bsc#1181193).
- x86/debug: Extend the lower bound of crash kernel low reservations (bsc#1153720).
- x86/e820, ioport: Add a new I/O resource descriptor IORES_DESC_RESERVED (bsc#1181193).
- x86/mm: Rework ioremap resource mapping determination (bsc#1181193).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2440-1
Released: Wed Jul 21 13:48:24 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925
This update for curl fixes the following issues:
- CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
- CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
- CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
- CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2465-1
Released: Fri Jul 23 14:56:48 2021
Summary: Recommended update for shim
Type: recommended
Severity: moderate
References: 1185232,1185261,1185441,1185621,1187071,1187260,1187696
This update for shim fixes the following issues:
Update to shim to 15.4-4.7.1, Version: 15.4, 'Thu Jul 15 2021'
Update the SLE signatures
Includes fixes for various bugs in MOK handling and booting
(bsc#1187696, bsc#1185261, bsc#1185441, bsc#1187071, bsc#1185621,
bsc#1185261, bsc#1185232, bsc#1185261, bsc#1187260, bsc#1185232)
Remove shim-install because the shim-install is updated in the RPM.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2477-1
Released: Tue Jul 27 13:32:50 2021
Summary: Recommended update for growpart-rootgrow
Type: recommended
Severity: important
References: 1165198,1188179
This update for growpart-rootgrow fixes the following issues:
- Change the logic to determine the partition ID of the root filesystem
(bsc#1188179)
+ Previously the algorithm depended on the order of the output
from lsblk using an index to keep track of the known partitions.
The new implementation is order independent, it depends on the
partition ID being numerical in nature and at the end of the device
string.
- Add coverage config.
Omit version module from coverage check.
- Fix string formatting for flake8 formatting.
- Replace travis testing with GitHub actions.
Add ci testing workflow action.
- Switch implementation to use Popen for Python 3.4 compatibility (bsc#1165198)
- Bump version: 1.0.2 â 1.0.3
- Fixed unit tests and style
This clobbers several fixes into one. Sorry about it but I
started on already made changes done by other people.
This commit includes several pep8 style fixes mostly on
the indentation level. In addition it fixes the unit
tests to really cover all code and to make the exception
tests really effective.
- Switch to use Popen instead of run
The run() fuction in the subprocess module was implemented after
Python 3.4. However, we need to support Python 3.4 for SLES 12
- Bump version: 1.0.1 â 1.0.2
- Package LICENSE file
The LICENSE file is part of the source repo but was not
packaged with the rpm package
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2573-1
Released: Thu Jul 29 14:21:52 2021
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1188127
This update for timezone fixes the following issue:
- From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by
the IANA time zone database package, in addition to 'zone1970.tab', as before. This makes sure time zone aliases are
now correctly supported. This update adds the 'tzdata.zi' file (bsc#1188127).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2591-1
Released: Mon Aug 2 12:56:12 2021
Summary: Security update for qemu
Type: security
Severity: important
References: 1176681,1185591,1186290,1187364,1187365,1187366,1187367,1187499,1187529,1187538,1187539,CVE-2020-25085,CVE-2021-3582,CVE-2021-3592,CVE-2021-3593,CVE-2021-3594,CVE-2021-3595,CVE-2021-3607,CVE-2021-3608,CVE-2021-3611
This update for qemu fixes the following issues:
Security issues fixed:
- CVE-2021-3595: Fixed slirp: invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366)
- CVE-2021-3592: Fix for slirp: invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364)
- CVE-2021-3594: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367)
- CVE-2021-3593: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365)
- CVE-2021-3582: Fix possible mremap overflow in the pvrdma (bsc#1187499)
- CVE-2021-3607: Ensure correct input on ring init (bsc#1187539)
- CVE-2021-3608: Fix the ring init error flow (bsc#1187538)
- CVE-2021-3611: Fix intel-hda segmentation fault due to stack overflow (bsc#1187529)
- CVE-2020-25085: Fix out-of-bounds access issue while doing multi block SDMA (bsc#1176681)
Other issues fixed:
- QEMU BIOS fails to read stage2 loader (on s390x)(bsc#1186290)
- Fix qemu hang while cancelling migrating hugepage vm (bsc#1185591)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2603-1
Released: Wed Aug 4 10:09:08 2021
Summary: Recommended update for sca-appliance-common, supportutils
Type: recommended
Severity: moderate
References: 1185991,1185993,1186347,1186397,1186687
This update for sca-appliance-common, supportutils fixes the following issues:
- Adding ethtool options to the supportconfigt. (jsc#SLE-18239, jsc#SLE-18344)
- Fixed and issue when 'lsof' causes performance problems. (bsc#1186687)
- Exclude 'rhn.conf' from 'etc.txt' to prevent supportconfig capturing passwords in clear text. (bsc#1186347)
- Fix 'analyzevmcore' to supports local directories. (bsc#1186397)
- Fix for 'getappcore' checking for valid compression binary. (bsc#1185991)
- Fixed 'getappcore' to prevent triggering errors with help message. (bsc#1185993)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2681-1
Released: Thu Aug 12 14:59:06 2021
Summary: Recommended update for growpart-rootgrow
Type: recommended
Severity: important
References: 1188868,1188904
This update for growpart-rootgrow fixes the following issues:
- Fix root partition ID lookup. Only consider trailing digits to be part of the paritition ID. (bsc#1188868) (bsc#1188904)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2689-1
Released: Mon Aug 16 10:54:52 2021
Summary: Security update for cpio
Type: security
Severity: important
References: 1189206,CVE-2021-38185
This update for cpio fixes the following issues:
It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2760-1
Released: Tue Aug 17 17:11:14 2021
Summary: Security update for c-ares
Type: security
Severity: important
References: 1188881,CVE-2021-3672
This update for c-ares fixes the following issues:
Version update to git snapshot 1.17.1+20200724:
- CVE-2021-3672: fixed missing input validation on hostnames returned by DNS servers (bsc#1188881)
- If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause crash
- Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS response
- Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing
- Use unbuffered /dev/urandom for random data to prevent early startup performance issues
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2763-1
Released: Tue Aug 17 17:16:22 2021
Summary: Recommended update for cpio
Type: recommended
Severity: critical
References: 1189465
This update for cpio fixes the following issues:
- A regression in last update would cause builds to hang on various architectures(bsc#1189465)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2780-1
Released: Thu Aug 19 16:09:15 2021
Summary: Recommended update for cpio
Type: recommended
Severity: critical
References: 1189465,CVE-2021-38185
This update for cpio fixes the following issues:
- A regression in the previous update could lead to crashes (bsc#1189465)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2800-1
Released: Fri Aug 20 10:43:04 2021
Summary: Security update for krb5
Type: security
Severity: important
References: 1188571,CVE-2021-36222
This update for krb5 fixes the following issues:
- CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2810-1
Released: Mon Aug 23 12:14:30 2021
Summary: Security update for dbus-1
Type: security
Severity: moderate
References: 1172505,CVE-2020-12049
This update for dbus-1 fixes the following issues:
- CVE-2020-12049: truncated messages lead to resource exhaustion. (bsc#1172505)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2817-1
Released: Mon Aug 23 15:05:18 2021
Summary: Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3
Type: security
Severity: moderate
References: 1102408,1138715,1138746,1176389,1177120,1182421,1182422,CVE-2020-26137
This patch updates the Python AWS SDK stack in SLE 15:
General:
# aws-cli
- Version updated to upstream release v1.19.9
For a detailed list of all changes, please refer to the changelog file of this package.
# python-boto3
- Version updated to upstream release 1.17.9
For a detailed list of all changes, please refer to the changelog file of this package.
# python-botocore
- Version updated to upstream release 1.20.9
For a detailed list of all changes, please refer to the changelog file of this package.
# python-urllib3
- Version updated to upstream release 1.25.10
For a detailed list of all changes, please refer to the changelog file of this package.
# python-service_identity
- Added this new package to resolve runtime dependencies for other packages.
Version: 18.1.0
# python-trustme
- Added this new package to resolve runtime dependencies for other packages.
Version: 0.6.0
Security fixes:
# python-urllib3:
- CVE-2020-26137: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated
by inserting CR and LF control characters in the first argument of putrequest() (bsc#1177120)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2831-1
Released: Tue Aug 24 16:20:45 2021
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1189521,CVE-2021-3712
This update for openssl-1_1 fixes the following security issue:
- CVE-2021-3712: a bug in the code for printing certificate details could
lead to a buffer overrun that a malicious actor could exploit to crash
the application, causing a denial-of-service attack. [bsc#1189521]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2871-1
Released: Mon Aug 30 15:46:25 2021
Summary: Recommended update for bind
Type: recommended
Severity: moderate
References: 1187921,1188763
This update for bind fixes the following issues:
- Fix an assertion failure in the 'rehash()' function (bsc#1188763)
When calculating the new hashtable bitsize, there was an off-by-one error
that would allow the new bitsize to be larger than maximum allowed.
- tsig-keygen is now used to generate DDNS keys (bsc#1187921)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2887-1
Released: Tue Aug 31 13:31:19 2021
Summary: Recommended update for cloud-init
Type: recommended
Severity: moderate
References: 1183939,1184758
This update for cloud-init contains the following:
- Change log file creation mode to 640. (bsc#1183939)
- Do not write the generated password to the log file. (bsc#1184758)
- Allow purging cache when Python when version change detected.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2937-1
Released: Fri Sep 3 09:18:45 2021
Summary: Security update for libesmtp
Type: security
Severity: important
References: 1160462,1189097,CVE-2019-19977
This update for libesmtp fixes the following issues:
- CVE-2019-19977: Fixed stack-based buffer over-read in ntlm/ntlmstruct.c (bsc#1160462).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2938-1
Released: Fri Sep 3 09:19:36 2021
Summary: Recommended update for openldap2
Type: recommended
Severity: moderate
References: 1184614
This update for openldap2 fixes the following issue:
- openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2950-1
Released: Fri Sep 3 11:59:19 2021
Summary: Recommended update for pcre2
Type: recommended
Severity: moderate
References: 1187937
This update for pcre2 fixes the following issue:
- Equalizes the result of a function that may have different output on s390x if compared to older (bsc#1187937)
PHP versions.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2962-1
Released: Mon Sep 6 18:23:01 2021
Summary: Recommended update for runc
Type: recommended
Severity: critical
References: 1189743
This update for runc fixes the following issues:
- Fixed an issue when toolbox container fails to start. (bsc#1189743)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2968-1
Released: Tue Sep 7 09:53:00 2021
Summary: Security update for openssl-1_1
Type: security
Severity: low
References: 1189521,CVE-2021-3712
This update for openssl-1_1 fixes the following issues:
- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712.
Read buffer overruns processing ASN.1 strings (bsc#1189521).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2979-1
Released: Wed Sep 8 11:54:54 2021
Summary: Recommended update for SUSEConnect
Type: recommended
Severity: moderate
References: 1185611
This update for SUSEConnect fixes the following issues:
- Disallow registering via SUSEConnect if the system is managed by SUSE Manager.
- Add subscription name to output of 'SUSEConnect --status'.
- send payload of GET requests as part of the url, not in the body (see bsc#1185611)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3001-1
Released: Thu Sep 9 15:08:13 2021
Summary: Recommended update for netcfg
Type: recommended
Severity: moderate
References: 1189683
This update for netcfg fixes the following issues:
- add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3022-1
Released: Mon Sep 13 10:48:16 2021
Summary: Recommended update for c-ares
Type: recommended
Severity: important
References: 1190225
This update for c-ares fixes the following issue:
- Allow '_' as part of DNS response. (bsc#1190225)
- 'c-ares' 1.17.2 introduced response validation to prevent a security issue, however it was not listing '_' as a
valid character for domain name responses which caused issues when a 'CNAME' referenced a 'SRV' record which
contained underscores.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3034-1
Released: Tue Sep 14 13:49:23 2021
Summary: Recommended update for python-pytz
Type: recommended
Severity: moderate
References: 1185748
This update for python-pytz fixes the following issues:
- Add %pyunittest shim for platforms where it is missing.
- Remove real directory of %{python_sitelib}/pytz/zoneinfo when upgrading, before it is replaced by a symlink. (bsc#1185748)
- update to 2021.1:
* update to IANA 2021a timezone release
- update to 2020.5:
* update to IANA 2020e timezone release
- update to 2020.4:
* update to IANA 2020d timezone release
- update to version 2020.1:
* Test against Python 3.8 and Python 3.9
* Bump version numbers to 2020.1/2020a
* use .rst extension name
* Make FixedOffset part of public API
- Update to 2019.3
* IANA 2019c
- Add versioned dependency on timezone database to ensure the correct data is installed
- Add a symlink to the system timezone database
- update to 2019.2
* IANA 2019b
* Defer generating case-insensitive lookups
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3115-1
Released: Thu Sep 16 14:04:26 2021
Summary: Recommended update for mozilla-nspr, mozilla-nss
Type: recommended
Severity: moderate
References: 1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829
This update for mozilla-nspr fixes the following issues:
mozilla-nspr was updated to version 4.32:
* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer
size for DNS queries
* Lock access to PRCallOnceType members in PR_CallOnce* for
thread safety bmo#1686138
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
information about the operating system build version.
Mozilla NSS was updated to version 3.68:
* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.
update to NSS 3.67
* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.
update to NSS 3.66
* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.
update to NSS 3.65
* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
update to NSS 3.64
* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and
disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with
ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector
acceleration.
Fixed in 3.63
* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs
initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv
with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
from NSS.
* bmo#1687822 - Turn off Websites trust bit for the âStaat der
Nederlanden Root CA - G3â root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce
Root - 2008' and 'Global Chambersign Root - 2008â.
* bmo#1694291 - Tracing fixes for ECH.
update to NSS 3.62
* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()
can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07
update to NSS 3.61
* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key
values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled
with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.
Update to NSS 3.60.1:
Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support
has been added, replacing the previous ESNI (draft-ietf-tls-esni-01)
implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated
to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769
for more information.
Update to NSS 3.59.1:
* bmo#1679290 - Fix potential deadlock with certain third-party
PKCS11 modules
Update to NSS 3.59:
Notable changes:
* Exported two existing functions from libnss:
CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
Bugfixes
* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
our CVE-2020-25648 fix that broke purple-discord
(boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming
ASN.1 decoder that affected decoding certain PKCS8
private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
update to NSS 3.58
Bugs fixed:
* bmo#1641480 (CVE-2020-25648)
Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption
(draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
(draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
extensions.
* bmo#1668328 - Handle spaces in the Python path name when using
gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present)
to TrustDomain::CheckRevocation instead of the notBefore value.
update to NSS 3.57
* The following CA certificates were Added:
bmo#1663049 - CN=Trustwave Global Certification Authority
SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
bmo#1651211 - CN=EE Certification Centre Root CA
SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
bmo#1656077 - O=Government Root Certification Authority; C=TW
SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
update to NSS 3.56
Notable changes
* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture
detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to
lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection
fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile
cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default
makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop
commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28
update to NSS 3.55
Notable changes
* P384 and P521 elliptic curve implementations are replaced with
verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot
can be queried with a DER-Encoded certificate, providing performance
and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
Relevant Bugfixes
* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
ChaCha20 (which was not functioning correctly) and more strictly
enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled
with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the
signature_algorithms extension.
update to NSS 3.54
Notable changes
* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available
(bmo#1528113)
* The following CA certificates were Added:
bmo#1645186 - certSIGN Root CA G2.
bmo#1645174 - e-Szigno Root CA 2017.
bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
bmo#1645199 - AddTrust Class 1 CA Root.
bmo#1645199 - AddTrust External CA Root.
bmo#1641718 - LuxTrust Global Root 2.
bmo#1639987 - Staat der Nederlanden Root CA - G2.
bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled.
See bmo#1618402 for a complete list.
Bugs fixed
* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo1621151 - Disable email trust bit for 'O=Government
Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root
certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust
bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting
self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3133-1
Released: Fri Sep 17 16:37:56 2021
Summary: Recommended update for grub2, efibootmgr
Type: recommended
Severity: moderate
References: 1186565,1186975,1187565
This update for grub2, efibootmgr provides the following fixes:
- Ship package grub2-arm64-efi and the required efibootmgr also to ppc64le, s390x and x86_64 (bsc#1186565)
- Fix error gfxterm isn't found with multiple terminals (bsc#1187565)
- Fix ocasional boot failure after kdump procedure when using XFS (bsc#1186975)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3182-1
Released: Tue Sep 21 17:04:26 2021
Summary: Recommended update for file
Type: recommended
Severity: moderate
References: 1189996
This update for file fixes the following issues:
- Fixes exception thrown by memory allocation problem (bsc#1189996)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3224-1
Released: Fri Sep 24 11:34:33 2021
Summary: Recommended update for shim-susesigned
Type: recommended
Severity: moderate
References: 1177315,1177789,1182057,1184454,1185232,1185261,1185441,1185464,1185621,1185961,1187260,1187696
This update for shim-susesigned fixes the following issues:
Sync with Microsoft signed shim to Thu Jul 15 08:13:26 UTC 2021.
This update addresses the 'susesigned' shim component.
shim was updated to 15.4 (bsc#1182057)
- console: Move the countdown function to console.c
- fallback: show a countdown menu before reset
- MOK: Fix the missing vendor cert in MokListRT
- mok: fix the mirroring of RT variables
- Add the license change statement for errlog.c and mok.c
- Remove a couple of incorrect license claims.
- MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid
- Make EFI variable copying fatal only on secureboot enabled systems
- Remove call to TPM2 get_event_log
- tpm: Fix off-by-one error when calculating event size
- tpm: Define EFI_VARIABLE_DATA_TREE as packed
- tpm: Don't log duplicate identical events
- VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
- OpenSSL: always provide OBJ_create() with name strings.
- translate_slashes(): don't write to string literals
- Fix a use of strlen() instead of Strlen()
- shim: Update EFI_LOADED_IMAGE with the second stage loader file path
- tpm: Include information about PE/COFF images in the TPM Event Log
- Fix a broken tpm type
- All newly released openSUSE kernels enable kernel lockdown
and signature verification, so there is no need to add the
prompt anymore.
- Fix the NULL pointer dereference in AuthenticodeVerify()
- Remove the build ID to make the binary reproducible when building with AArch64 container
- Prevent the build id being added to the binary. That can cause issues with the signature
- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel
- Handle ignore_db and user_insecure_mode correctly (bsc#1185441)
- Relax the maximum variable size check for u-boot
- Relax the check for import_mok_state() when Secure Boot is off
- Relax the check for the LoadOptions length
- Fix the size of rela* sections for AArch64
- Disable exporting vendor-dbx to MokListXRT
- Don't call QueryVariableInfo() on EFI 1.10 machines
- Avoid buffer overflow when copying the MOK config table
- Avoid deleting the mirrored RT variables
- Update to 15.3 for SBAT support (bsc#1182057)
- Generate vender-specific SBAT metadata
- Rename the SBAT variable and fix the self-check of SBAT
- Split the keys in vendor-dbx.bin to vendor-dbx-sles and
vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce
the size of MokListXRT (bsc#1185261)
- shim-install: reset def_shim_efi to 'shim.efi' if the given file doesn't exist
- shim-install: instead of assuming 'removable' for Azure, remove
fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot
to make \EFI\Boot bootable and keep the boot option created by
efibootmgr (bsc#1185464, bsc#1185961)
- shim-install: always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464)
- shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (bsc#1177315)
- Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign keys:
+ SLES-UEFI-SIGN-Certificate-2020-07.crt
+ openSUSE-UEFI-SIGN-Certificate-2020-07.crt
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3233-1
Released: Mon Sep 27 15:02:21 2021
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1085917,1181299,1181306,1181309,1181535,1181536,1188651,1189552
This update for xfsprogs fixes the following issues:
- Fixes an issue when 'fstests' with 'xfs' fail. (bsc#1181309, bsc#1181299)
- xfsprogs: Split 'libhandle1' into a separate package, since nothing within xfsprogs dynamically links against it. The shared library is still required by xfsdump as a runtime dependency.
- mkfs.xfs: Fix 'ASSERT' on too-small device with stripe geometry. (bsc#1181536)
- mkfs.xfs: If either 'sunit' or 'swidth' is not zero, the other must be as well. (bsc#1085917, bsc#1181535)
- xfs_growfs: Refactor geometry reporting. (bsc#1181306)
- xfs_growfs: Allow mounted device node as argument. (bsc#1181299)
- xfs_repair: Rebuild directory when non-root leafn blocks claim block 0. (bsc#1181309)
- xfs_repair: Check plausibility of root dir pointer before trashing it. (bsc#1188651)
- xfs_bmap: Remove '-c' from manpage. (bsc#1189552)
- xfs_bmap: Do not reject '-e'. (bsc#1189552)
- Implement 'libhandle1' through ECO. (jsc#SLE-20360)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3245-1
Released: Tue Sep 28 13:54:31 2021
Summary: Recommended update for docker
Type: recommended
Severity: important
References: 1190670
This update for docker fixes the following issues:
- Return ENOSYS for clone3 in the seccomp profile to avoid breaking containers using glibc 2.34.
- Add shell requires for the *-completion subpackages.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3278-1
Released: Mon Oct 4 09:30:10 2021
Summary: Recommended update for ca-certificates-mozilla
Type: recommended
Severity: important
References: 1190858
This update for ca-certificates-mozilla fixes the following issues:
- remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires
September 30th 2021 and openssl certificate chain handling does not handle
this correctly in openssl 1.0.2 and older. (bsc#1190858)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3297-1
Released: Wed Oct 6 16:53:29 2021
Summary: Security update for curl
Type: security
Severity: moderate
References: 1190373,1190374,CVE-2021-22946,CVE-2021-22947
This update for curl fixes the following issues:
- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3318-1
Released: Wed Oct 6 19:31:19 2021
Summary: Recommended update for sudo
Type: recommended
Severity: moderate
References: 1176473,1181371
This update for sudo fixes the following issues:
- Update to sudo 1.8.27 (jsc#SLE-17083).
- Fixed special handling of ipa_hostname (bsc#1181371).
- Restore sudo ldap behavior to ignore expire dates when SUDOERS_TIMED option is not set in /etc/ldap.conf (bsc#1176473).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3348-1
Released: Tue Oct 12 13:08:06 2021
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910
This update for systemd fixes the following issues:
- CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).
- logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
- Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
- Rules weren't applied to dm devices (multipath) (bsc#1188713).
- Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
- Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
- Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3385-1
Released: Tue Oct 12 15:54:31 2021
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1186489,1187911,CVE-2021-33574,CVE-2021-35942
This update for glibc fixes the following issues:
- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3404-1
Released: Wed Oct 13 10:40:17 2021
Summary: Recommended update for kdump
Type: recommended
Severity: moderate
References: 1154837,1164713,1172670,1182309,1183070,1184616,1186037,1188090
This update for kdump fixes the following issues:
- Make sure that the udev runtime directory exists (bsc#1164713).
- Add 'bootdev=' to dracut command line (bsc#1182309).
- Query systemd network.service to find out if wicked is used (bsc#1182309).
- Install /etc/resolv.conf using its resolved path (bsc#1183070).
- Avoid an endless loop when resolving a hostname fails with EAI_AGAIN (bsc#1183070).
- Do not add network-related dracut options if ip= is set explicitly (bsc#1182309, bsc#1188090).
- Fix incorrect exit code checking after 'local' with assignment (bsc#1184616).
- Do not iterate past end of string (bsc#1186037).
- Activate udev rules late during boot (bsc#1154837).
- Make sure that initrd.target.wants directory exists (bsc#1172670).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3410-1
Released: Wed Oct 13 10:41:36 2021
Summary: Recommended update for xkeyboard-config
Type: recommended
Severity: moderate
References: 1191242
This update for xkeyboard-config fixes the following issue:
- Wrong keyboard mapping causing input delays with ABNT2 keyboards. (bsc#1191242)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3447-1
Released: Fri Oct 15 09:05:15 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292,CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490
The SUSE Linux Enterprise 15 SP2 kernel was updated.
The following security bugs were fixed:
- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193)
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
- CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could leat to local priviledge escalation. (bnc#1190159)
- CVE-2021-3744: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1189884)
- CVE-2021-3764: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1190534)
- CVE-2021-3669: Fixed a bug that doesn't allow /proc/sysvipc/shm to scale with large shared memory segment counts which could lead to resource exhaustion and DoS. (bsc#1188986)
The following non-security bugs were fixed:
- ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes).
- apparmor: remove duplicate macro list_entry_is_head() (git-fixes).
- ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes).
- ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes).
- ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes).
- ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes).
- ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes).
- ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes).
- ath9k: fix sleeping in atomic context (git-fixes).
- blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
- blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762).
- blk-mq: mark if one queue map uses managed irq (bsc#1185762).
- Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes).
- bnx2x: fix an error code in bnx2x_nic_load() (git-fixes).
- bnxt_en: Add missing DMA memory barriers (git-fixes).
- bnxt_en: Disable aRFS if running on 212 firmware (git-fixes).
- bnxt_en: Do not enable legacy TX push on older firmware (git-fixes).
- bnxt_en: Store the running firmware version code (git-fixes).
- bnxt: count Tx drops (git-fixes).
- bnxt: disable napi before canceling DIM (git-fixes).
- bnxt: do not lock the tx queue from napi poll (git-fixes).
- bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes).
- btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626).
- clk: at91: clk-generated: Limit the requested rate to our range (git-fixes).
- clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes).
- console: consume APC, DM, DCS (git-fixes).
- cuse: fix broken release (bsc#1190596).
- cxgb4: dont touch blocked freelist bitmap after free (git-fixes).
- debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746).
- devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353).
- dmaengine: ioat: depends on !UML (git-fixes).
- dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes).
- dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes).
- docs: Fix infiniband uverbs minor number (git-fixes).
- drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes).
- drm: avoid blocking in drm_clients_info's rcu section (git-fixes).
- drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes).
- drm/amd/display: Fix timer_per_pixel unit error (git-fixes).
- drm/amdgpu: Fix BUG_ON assert (git-fixes).
- drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes).
- drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes).
- drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes).
- e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100).
- e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes).
- EDAC/i10nm: Fix NVDIMM detection (bsc#1152489).
- EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489).
- erofs: fix up erofs_lookup tracepoint (git-fixes).
- fbmem: do not allow too huge resolutions (git-fixes).
- fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes).
- fpga: machxo2-spi: Return an error on failure (git-fixes).
- fuse: flush extending writes (bsc#1190595).
- fuse: truncate pagecache on atomic_o_trunc (bsc#1190705).
- genirq: add device_has_managed_msi_irq (bsc#1185762).
- gpio: uniphier: Fix void functions to remove return value (git-fixes).
- gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes).
- gve: fix the wrong AdminQ buffer overflow check (bsc#1176940).
- hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
- hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes).
- hwmon: (tmp421) fix rounding for negative values (git-fixes).
- hwmon: (tmp421) report /PVLD condition as fault (git-fixes).
- i40e: Add additional info to PHY type error (git-fixes).
- i40e: Fix firmware LLDP agent related warning (git-fixes).
- i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes).
- i40e: Fix logic of disabling queues (git-fixes).
- i40e: Fix queue-to-TC mapping on Tx (git-fixes).
- iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940).
- iavf: Set RSS LUT and key in reset handle path (git-fixes).
- ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
- ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943).
- ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943).
- ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943).
- ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943).
- ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943).
- ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943).
- ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943).
- ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943).
- ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943).
- ice: Prevent probing virtual functions (git-fixes).
- iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes).
- include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes).
- iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784).
- ionic: cleanly release devlink instance (bsc#1167773).
- ionic: count csum_none when offload enabled (bsc#1167773).
- ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
- ipc/util.c: use binary search for max_idx (bsc#1159886).
- ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467).
- ipvs: avoid expiring many connections from timer (bsc#1190467).
- ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467).
- ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467).
- iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes).
- kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable.
- kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs.
- kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167 bsc#1191240 ltc#194716).
- kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#1190358). The script part for base package case is completely separate from the part for subpackages. Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead.
- libata: fix ata_host_start() (git-fixes).
- mac80211-hwsim: fix late beacon hrtimer handling (git-fixes).
- mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes).
- mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes).
- mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes).
- mac80211: mesh: fix potentially unaligned access (git-fixes).
- media: cedrus: Fix SUNXI tile size calculation (git-fixes).
- media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes).
- media: dib8000: rewrite the init prbs logic (git-fixes).
- media: imx258: Limit the max analogue gain to 480 (git-fixes).
- media: imx258: Rectify mismatch of VTS value (git-fixes).
- media: rc-loopback: return number of emitters rather than error (git-fixes).
- media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes).
- media: uvc: do not do DMA on stack (git-fixes).
- media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes).
- mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes).
- mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
- mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes).
- mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785).
- mmc: core: Return correct emmc response in case of ioctl error (git-fixes).
- mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes).
- mmc: sdhci-of-arasan: Check return value of non-void funtions (git-fixes).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
- net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
- net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
- net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes).
- net/mlx5: Fix flow table chaining (git-fixes).
- net/mlx5: Fix return value from tracer initialization (git-fixes).
- net/mlx5: Unload device upon firmware fatal error (git-fixes).
- net/mlx5e: Avoid creating tunnel headers for local route (git-fixes).
- net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes).
- net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes).
- netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062).
- nfp: update ethtool reporting of pauseframe control (git-fixes).
- NFS: change nfs_access_get_cached to only report the mask (bsc#1190746).
- NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746).
- NFS: pass cred explicitly for access tests (bsc#1190746).
- nvme: avoid race in shutdown namespace removal (bsc#1188067).
- nvme: fix refcounting imbalance when all paths are down (bsc#1188067).
- parport: remove non-zero check on count (git-fixes).
- PCI: aardvark: Fix checking for PIO status (git-fixes).
- PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes).
- PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes).
- PCI: Add ACS quirks for Cavium multi-function devices (git-fixes).
- PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes).
- PCI: Add AMD GPU multi-function power dependencies (git-fixes).
- PCI: ibmphp: Fix double unmap of io_mem (git-fixes).
- PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes).
- PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes).
- PCI: pci-bridge-emul: Fix big-endian support (git-fixes).
- PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes).
- PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes).
- PM: base: power: do not try to use non-existing RTC for storing data (git-fixes).
- PM: EM: Increase energy calculation precision (git-fixes).
- power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes).
- power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes).
- powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289).
- powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
- powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
- powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
- powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
- powerpc/perf: Fix the check for SIAR value (bsc#1065729).
- powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
- powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
- powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
- powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
- powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
- powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
- powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
- pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
- pwm: img: Do not modify HW state in .remove() callback (git-fixes).
- pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes).
- pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes).
- qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
- RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774).
- Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes).
- regmap: fix page selection for noinc reads (git-fixes).
- regmap: fix page selection for noinc writes (git-fixes).
- regmap: fix the offset of register error log (git-fixes).
- Restore kabi after NFS: pass cred explicitly for access tests (bsc#1190746).
- rpm: Abolish scritplet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. This allows fixing bugs in the scriptlets as well as defining initrd regeneration policy independent of the kernel packages.
- rpm/kernel-binary.spec: Use only non-empty certificates.
- rpm/kernel-binary.spec.in: avoid conflicting suse-release suse-release had arbitrary values in staging, we can't use it for dependencies. The filesystem one has to be enough (boo#1184804).
- rtc: rx8010: select REGMAP_I2C (git-fixes).
- rtc: tps65910: Correct driver module alias (git-fixes).
- s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
- sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292).
- scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
- scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
- scsi: fc: Add EDC ELS definition (bsc#1190576).
- scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
- scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
- scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
- scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
- scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
- scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
- scsi: lpfc: Add EDC ELS support (bsc#1190576).
- scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
- scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
- scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
- scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
- scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576).
- scsi: lpfc: Add support for the CM framework (bsc#1190576).
- scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576).
- scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576).
- scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576).
- scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576).
- scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576).
- scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576).
- scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576).
- scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576).
- scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576).
- scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576).
- scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576).
- scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576).
- scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576).
- scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576).
- scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576).
- scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576).
- scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576).
- scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576).
- scsi: lpfc: Remove unneeded variable (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576).
- scsi: lpfc: Use correct scnprintf() limit (bsc#1190576).
- scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576).
- scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576).
- scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576).
- scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297).
- serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes).
- serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes).
- serial: mvebu-uart: fix driver's tx_empty callback (git-fixes).
- serial: sh-sci: fix break handling for sysrq (git-fixes).
- spi: Fix tegra20 build with CONFIG_PM=n (git-fixes).
- staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes).
- staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes).
- staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes).
- thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes).
- time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes).
- tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes).
- tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes).
- tty: synclink_gt, drop unneeded forward declarations (git-fixes).
- usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes).
- usb: core: hcd: Add support for deferring roothub registration (git-fixes).
- usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes).
- usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes).
- usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes).
- usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes).
- usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes).
- usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes).
- usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes).
- usb: host: fotg210: fix the actual_length of an iso packet (git-fixes).
- usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes).
- usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes).
- usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes).
- usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes).
- usb: serial: option: add device id for Foxconn T99W265 (git-fixes).
- usb: serial: option: add Telit LN920 compositions (git-fixes).
- usb: serial: option: remove duplicate USB device ID (git-fixes).
- usbip: give back URBs for unsent unlink requests during cleanup (git-fixes).
- usbip:vhci_hcd USB port can get stuck in the disabled state (git-fixes).
- video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes).
- video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes).
- video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes).
- video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes).
- vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406).
- vmxnet3: add support for ESP IPv6 RSS (bsc#1190406).
- vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406).
- vmxnet3: prepare for version 6 changes (bsc#1190406).
- vmxnet3: remove power of 2 limitation on the queues (bsc#1190406).
- vmxnet3: set correct hash type based on rss information (bsc#1190406).
- vmxnet3: update to version 6 (bsc#1190406).
- watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes).
- x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302).
- x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
- x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289).
- x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489).
- x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489).
- x86/resctrl: Fix default monitoring groups reporting (bsc#1152489).
- xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651).
- xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679).
- xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).
- xhci: Set HCD flag to defer primary roothub registration (git-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3454-1
Released: Mon Oct 18 09:29:26 2021
Summary: Security update for krb5
Type: security
Severity: moderate
References: 1189929,CVE-2021-37750
This update for krb5 fixes the following issues:
- CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3480-1
Released: Wed Oct 20 11:24:08 2021
Summary: Recommended update for yast2-network
Type: recommended
Severity: moderate
References: 1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933
This update for yast2-network fixes the following issues:
- Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
- Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
- Consider aliases sections as case insensitive (bsc#1190739).
- Display user defined device name in the devices overview (bnc#1190645).
- Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
- Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
- Fix desktop file so the control center tooltip is translated (bsc#1187270).
- Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
- Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3490-1
Released: Wed Oct 20 16:31:55 2021
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1190793,CVE-2021-39537
This update for ncurses fixes the following issues:
- CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3494-1
Released: Wed Oct 20 16:48:46 2021
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References: 1190052
This update for pam fixes the following issues:
- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3506-1
Released: Mon Oct 25 10:20:22 2021
Summary: Security update for containerd, docker, runc
Type: security
Severity: important
References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434,CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
This update for containerd, docker, runc fixes the following issues:
Docker was updated to 20.10.9-ce. (bsc#1191355)
See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md.
CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103
container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355
- CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282)
- Install systemd service file as well (bsc#1190826)
Update to runc v1.0.2. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.2
* Fixed a failure to set CPU quota period in some cases on cgroup v1.
* Fixed the inability to start a container with the 'adding seccomp filter
rule for syscall ...' error, caused by redundant seccomp rules (i.e. those
that has action equal to the default one). Such redundant rules are now
skipped.
* Made release builds reproducible from now on.
* Fixed a rare debug log race in runc init, which can result in occasional
harmful 'failed to decode ...' errors from runc run or exec.
* Fixed the check in cgroup v1 systemd manager if a container needs to be
frozen before Set, and add a setting to skip such freeze unconditionally.
The previous fix for that issue, done in runc 1.0.1, was not working.
Update to runc v1.0.1. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.1
* Fixed occasional runc exec/run failure ('interrupted system call') on an
Azure volume.
* Fixed 'unable to find groups ... token too long' error with /etc/group
containing lines longer than 64K characters.
* cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
frozen. This is a regression in 1.0.0, not affecting runc itself but some
of libcontainer users (e.g Kubernetes).
* cgroupv2: bpf: Ignore inaccessible existing programs in case of
permission error when handling replacement of existing bpf cgroup
programs. This fixes a regression in 1.0.0, where some SELinux
policies would block runc from being able to run entirely.
* cgroup/systemd/v2: don't freeze cgroup on Set.
* cgroup/systemd/v1: avoid unnecessary freeze on Set.
- fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704
Update to runc v1.0.0. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.0.0
! The usage of relative paths for mountpoints will now produce a warning
(such configurations are outside of the spec, and in future runc will
produce an error when given such configurations).
* cgroupv2: devices: rework the filter generation to produce consistent
results with cgroupv1, and always clobber any existing eBPF
program(s) to fix runc update and avoid leaking eBPF programs
(resulting in errors when managing containers).
* cgroupv2: correctly convert 'number of IOs' statistics in a
cgroupv1-compatible way.
* cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
* cgroupv2: wait for freeze to finish before returning from the freezing
code, optimize the method for checking whether a cgroup is frozen.
* cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94
* cgroups/systemd: fixed returning 'unit already exists' error from a systemd
cgroup manager (regression in rc94)
+ cgroupv2: support SkipDevices with systemd driver
+ cgroup/systemd: return, not ignore, stop unit error from Destroy
+ Make 'runc --version' output sane even when built with go get or
otherwise outside of our build scripts.
+ cgroups: set SkipDevices during runc update (so we don't modify
cgroups at all during runc update).
+ cgroup1: blkio: support BFQ weights.
+ cgroupv2: set per-device io weights if BFQ IO scheduler is available.
Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95
This release of runc contains a fix for CVE-2021-30465, and users are
strongly recommended to update (especially if you are providing
semi-limited access to spawn containers to untrusted users). (bsc#1185405)
Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94
Breaking Changes:
* cgroupv1: kernel memory limits are now always ignored, as kmemcg has
been effectively deprecated by the kernel. Users should make use of regular
memory cgroup controls.
Regression Fixes:
* seccomp: fix 32-bit compilation errors
* runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
* runc start: fix 'chdir to cwd: permission denied' for some setups
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3510-1
Released: Tue Oct 26 11:22:15 2021
Summary: Recommended update for pam
Type: recommended
Severity: important
References: 1191987
This update for pam fixes the following issues:
- Fixed a bad directive file which resulted in
the 'securetty' file to be installed as 'macros.pam'.
(bsc#1191987)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3523-1
Released: Tue Oct 26 15:40:13 2021
Summary: Security update for util-linux
Type: security
Severity: moderate
References: 1122417,1125886,1178236,1188921,CVE-2021-37600
This update for util-linux fixes the following issues:
Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2:
- CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921).
- agetty: Fix 8-bit processing in get_logname() (bsc#1125886).
- mount: Fix 'mount' output for net file systems (bsc#1122417).
- ipcs: Avoid overflows (bsc#1178236)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3529-1
Released: Wed Oct 27 09:23:32 2021
Summary: Security update for pcre
Type: security
Severity: moderate
References: 1172973,1172974,CVE-2019-20838,CVE-2020-14155
This update for pcre fixes the following issues:
Update pcre to version 8.45:
- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3545-1
Released: Wed Oct 27 14:46:39 2021
Summary: Recommended update for less
Type: recommended
Severity: low
References: 1190552
This update for less fixes the following issues:
- Add missing runtime dependency on package 'which', that is used by
lessopen.sh (bsc#1190552)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3614-1
Released: Thu Nov 4 12:27:09 2021
Summary: Security update for qemu
Type: security
Severity: important
References: 1180432,1180433,1180434,1180435,1182651,1186012,1189145,1189702,1189938,CVE-2020-35503,CVE-2020-35504,CVE-2020-35505,CVE-2020-35506,CVE-2021-20255,CVE-2021-3527,CVE-2021-3682,CVE-2021-3713,CVE-2021-3748
This update for qemu fixes the following issues:
Security issues fixed:
- Fix out-of-bounds write in UAS (USB Attached SCSI) device emulation (bsc#1189702, CVE-2021-3713)
- Fix heap use-after-free in virtio_net_receive_rcu (bsc#1189938, CVE-2021-3748)
- usbredir: free call on invalid pointer in bufp_alloc (bsc#1189145, CVE-2021-3682)
- NULL pointer dereference in ESP (bsc#1180433, CVE-2020-35504) (bsc#1180434, CVE-2020-35505) (bsc#1180435, CVE-2020-35506)
- NULL pointer dereference issue in megasas-gen2 host bus adapter (bsc#1180432, CVE-2020-35503)
- eepro100: stack overflow via infinite recursion (bsc#1182651, CVE-2021-20255)
- usb: unbounded stack allocation in usbredir (bsc#1186012, CVE-2021-3527)
Non-security issues fixed:
- Use max host physical address if -cpu max is used (bsc#1188299)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3626-1
Released: Mon Nov 8 15:46:57 2021
Summary: Recommended update for SUSEConnect
Type: recommended
Severity: important
References:
This update for SUSEConnect contains the following fix:
- Update to 0.3.32:
- Allow --regcode and --instance-data attributes at the same time. (jsc#PCT-164)
- Document that 'debug' can also get set in the config file.
- --status will also print the subscription name.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3674-1
Released: Tue Nov 16 15:15:33 2021
Summary: Security update for samba
Type: security
Severity: important
References: 1014440,1192284,CVE-2016-2124,CVE-2020-25717
This update for samba fixes the following issues:
- CVE-2016-2124: Fixed not to fallback to non spnego authentication if we require kerberos (bsc#1014440).
- CVE-2020-25717: Fixed privilege escalation inside an AD Domain where a user could become root on domain members (bsc#1192284).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3773-1
Released: Tue Nov 23 15:49:30 2021
Summary: Security update for bind
Type: security
Severity: important
References: 1192146,CVE-2021-25219
This update for bind fixes the following issues:
- CVE-2021-25219: Fixed lame cache that could have been abused to severely degrade resolver performance (bsc#1192146).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3781-1
Released: Tue Nov 23 23:48:43 2021
Summary: This update for libzypp, zypper and libsolv fixes the following issues:
Type: recommended
Severity: moderate
References: 1153687,1182372,1183268,1183589,1184326,1184399,1184997,1185325,1186447,1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190356,1190465,1190712,1190815,1191286,1191324,1191370,1191609,1192337,1192436
This update for zypper fixes the following issues:
- Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
- Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
- Protect against strict/relaxed user umask via sudo. (bsc#1183589)
- xml summary: Add solvables repository alias. (bsc#1182372)
- Allow trusted repos to add additional signing keys. (bsc#1184326)
- MediaCurl: Fix logging of redirects.
- Let negative values wait forever for the zypp lock. (bsc#1184399)
- Fix 'purge-kernels' is broken in Leap 15.3. (bsc#1185325)
- Fix service detection with cgroupv2. (bsc#1184997)
- Add hints to 'trust GPG key' prompt.
- Enhance XML output of repo GPG options
- Add optional attributes showing the raw values actually present in the '.repo' file.
- Link all executables with -pie (bsc#1186447)
- Ship an empty '/etc/zypp/needreboot' per default. (jsc#PM-2645)
- Fix solver jobs for PTFs. (bsc#1186503)
- choice rules: treat orphaned packages as newest. (bc#1190465)
- Add need reboot/restart hint to XML install summary. (bsc#1188435)
- Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
- Fix obs:// platform guessing for Leap. (bsc#1187425)
- Fix purge-kernels fails. (bsc#1187738)
- Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
- Prompt: choose exact match if prompt options are not prefix free. (bsc#1188156)
- Do not check of signatures and keys two times(redundant). (bsc#1190059)
- Rephrase vendor conflict message in case 2 packages are involved. (bsc#1187760)
- Show key fpr from signature when signature check fails. (bsc#1187224)
- Make sure to keep states alives while transitioning. (bsc#1190199)
- Fix crashes in logging code when shutting down. (bsc#1189031)
- Manpage: Improve description about patch updates. (bsc#1187466)
- Avoid calling 'su' to detect a too restrictive sudo user umask. (bsc#1186602)
- Consolidate reboot-recommendations across tools and stop using /etc/zypp/needreboot (jsc#-SLE-18858)
- Disable logger in the child after fork (bsc#1192436)
- Check log writer before accessing it (bsc#1192337)
- Allow uname-r format in purge kernels keepspec
- zypper should keep cached files if transaction is aborted (bsc#1190356)
- Require a minimum number of mirrors for multicurl (bsc#1191609)
- Use procfs to detect nr of open fd's if rlimit is too high (bsc#1191324)
- Fix translations (bsc#1191370)
- RepoManager: Don't probe for plaindir repo if URL schema is plugin (bsc#1191286)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3787-1
Released: Wed Nov 24 06:00:10 2021
Summary: Recommended update for xfsprogs
Type: recommended
Severity: moderate
References: 1189983,1189984,1191500,1191566,1191675
This update for xfsprogs fixes the following issues:
- Make libhandle1 an explicit dependency in the xfsprogs-devel package (bsc#1191566)
- Remove deprecated barrier/nobarrier mount options from manual pages section 5 (bsc#1191675)
- xfs_io: include support for label command (bsc#1191500)
- xfs_quota: state command to report all three (-ugp) grace times separately (bsc#1189983)
- xfs_admin: add support for external log devices (bsc#1189984)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3799-1
Released: Wed Nov 24 18:07:54 2021
Summary: Recommended update for gcc11
Type: recommended
Severity: moderate
References: 1187153,1187273,1188623
This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:
- gcc11
- gcc-c++11
- and others with 11 prefix.
to select them for building:
- CC='gcc-11'
- CXX='g++-11'
The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3809-1
Released: Fri Nov 26 00:31:59 2021
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1189803,1190325,1190440,1190984,1191252,1192161
This update for systemd fixes the following issues:
- Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103)
- Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)
- shutdown: Reduce log level of unmounts (bsc#1191252)
- pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803)
- core: rework how we connect to the bus (bsc#1190325)
- mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
- virt: detect Amazon EC2 Nitro instance (bsc#1190440)
- Several fixes for umount
- busctl: use usec granularity for the timestamp printed by the busctl monitor command
- fix unitialized fields in MountPoint in dm_list_get()
- shutdown: explicitly set a log target
- mount-util: add mount_option_mangle()
- dissect: automatically mark partitions read-only that have a read-only file system
- build-sys: require proper libmount version
- systemd-shutdown: use log_set_prohibit_ipc(true)
- rationalize interface for opening/closing logging
- pid1: when we can't log to journal, remember our fallback log target
- log: remove LOG_TARGET_SAFE pseudo log target
- log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console()
- log: add new 'prohibit_ipc' flag to logging system
- log: make log_set_upgrade_syslog_to_journal() take effect immediately
- dbus: split up bus_done() into seperate functions
- machine-id-setup: generate machine-id from DMI product ID on Amazon EC2
- virt: if we detect Xen by DMI, trust that over CPUID
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3825-1
Released: Wed Dec 1 13:39:52 2021
Summary: Recommended update for grub2
Type: recommended
Severity: moderate
References: 1167756,1186975
This update for grub2 fixes the following issues:
- Fix boot failure as journaled data not get drained due to abrupt power off after grub-install (bsc#1167756)
- Fix boot failure after kdump due to the content of grub.cfg to pending modificaton in xfs journal (bsc#1186975)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3830-1
Released: Wed Dec 1 13:45:46 2021
Summary: Security update for glibc
Type: security
Severity: moderate
References: 1027496,1183085,CVE-2016-10228
This update for glibc fixes the following issues:
- libio: do not attempt to free wide buffers of legacy streams (bsc#1183085)
- CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3838-1
Released: Wed Dec 1 16:07:54 2021
Summary: Security update for ruby2.5
Type: security
Severity: important
References: 1188160,1188161,1190375,CVE-2021-31799,CVE-2021-31810,CVE-2021-32066
This update for ruby2.5 fixes the following issues:
- CVE-2021-31799: Fixed Command injection vulnerability in RDoc (bsc#1190375).
- CVE-2021-31810: Fixed trusting FTP PASV responses vulnerability in Net:FTP (bsc#1188161).
- CVE-2021-32066: Fixed StartTLS stripping vulnerability in Net:IMAP (bsc#1188160).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3869-1
Released: Thu Dec 2 07:10:09 2021
Summary: Recommended update for suse-module-tools
Type: recommended
Severity: moderate
References: 1189841,1189879,1190598,1191200,1191260,1191480,1191804,1191922
This update for suse-module-tools fixes the following issues:
- rpm-script: fix bad exit status in OpenQA (bsc#1191922)
- cert-script: Deal with existing $cert.delete file (bsc#1191804)
- cert-script: Ignore kernel keyring for kernel certificates (bsc#1191480)
- cert-script: Only print mokutil output in verbose mode
- inkmp-script(postun): don't pass existing files to weak-modules2 (bsc#1191200)
- kernel-scriptlets: skip cert scriptlet on non-UEFI systems (bsc#1191260)
- rpm-script: link config also into /boot (bsc#1189879)
- Import kernel scriptlets from kernel-source (bsc#1189841, bsc#1190598)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3876-1
Released: Thu Dec 2 08:19:20 2021
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1100416,1108488,1129735,1129898,1133374,1136513,1171420,1176724,1177666,1181158,1184673,1184804,1185377,1185726,1185758,1185973,1186078,1186109,1186390,1186482,1186672,1188062,1188063,1188172,1188563,1188601,1188616,1188838,1188876,1188983,1188985,1189057,1189262,1189291,1189399,1189400,1189706,1189846,1189884,1190023,1190025,1190067,1190115,1190117,1190159,1190276,1190349,1190351,1190479,1190534,1190601,1190717,1191193,1191315,1191317,1191349,1191457,1191628,1191790,1191800,1191888,1191961,1192045,1192267,1192379,1192400,1192775,1192781,1192802,CVE-2018-13405,CVE-2018-9517,CVE-2019-3874,CVE-2019-3900,CVE-2020-0429,CVE-2020-12770,CVE-2020-3702,CVE-2020-4788,CVE-2021-0941,CVE-2021-20322,CVE-2021-22543,CVE-2021-31916,CVE-2021-33033,CVE-2021-33909,CVE-2021-34556,CVE-2021-34981,CVE-2021-3542,CVE-2021-35477,CVE-2021-3640,CVE-2021-3653,CVE-2021-3655,CVE-2021-3656,CVE-2021-3659,CVE-2021-3679,CVE-2021-3715,CVE-2021-37159,CVE-2021-3732,CVE-2021-3744,CVE-2021-3752,CVE-2021-3753,CV
E-2021-37576,CVE-2021-3759,CVE-2021-3760,CVE-2021-3764,CVE-2021-3772,CVE-2021-38160,CVE-2021-38198,CVE-2021-38204,CVE-2021-40490,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739
The SUSE Linux Enterprise 15 SP1 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- Unprivileged BPF has been disabled by default to reduce attack surface as too many security issues have happened in the past (jsc#SLE-22573)
You can reenable via systemctl setting /proc/sys/kernel/unprivileged_bpf_disabled to 0. (kernel.unprivileged_bpf_disabled = 0)
- CVE-2021-0941: In bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1192045).
- CVE-2021-31916: An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel A bound check failure allowed an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability (bnc#1192781).
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
- CVE-2021-34981: Fixed file refcounting in cmtp when cmtp_attach_device fails (bsc#1191961).
- CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free (bnc#1188601).
- CVE-2021-3772: Fixed sctp vtag check in sctp_sf_ootb (bsc#1190351).
- CVE-2021-3655: Missing size validations on inbound SCTP packets may have allowed the kernel to read uninitialized memory (bnc#1188563).
- CVE-2021-33033: The Linux kernel has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value (bnc#1186109 bnc#1186390 bnc#1188876).
- CVE-2021-3760: Fixed a use-after-free vulnerability with the ndev->rf_conn_info object (bsc#1190067).
- CVE-2021-42739: The firewire subsystem in the Linux kernel has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bnc#1184673).
- CVE-2021-3542: Fixed heap buffer overflow in firedtv driver (bsc#1186063).
- CVE-2018-13405: The inode_init_owner function in fs/inode.c in the Linux kernel allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID (bnc#1100416 bnc#1129735).
- CVE-2021-3715: Fixed a use-after-free in route4_change() in net/sched/cls_route.c (bsc#1190349).
- CVE-2021-34556: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack (bnc#1188983).
- CVE-2021-35477: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation did not necessarily occur before a store operation that has an attacker-controlled value (bnc#1188985).
- CVE-2021-42252: An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes (bnc#1190479).
- CVE-2021-41864: prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel allowed unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write (bnc#1191317).
- CVE-2021-42008: The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access (bnc#1191315).
- CVE-2021-3759: Unaccounted ipc objects could have lead to breaking memcg limits and DoS attacks (bsc#1190115).
- CVE-2020-3702: Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic (bnc#1191193).
- CVE-2021-3752: Fixed a use after free vulnerability in the bluetooth module. (bsc#1190023)
- CVE-2021-40490: A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel (bnc#1190159 bnc#1192775)
- CVE-2021-3744: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1189884)
- CVE-2021-3764: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1190534)
- CVE-2020-12770: An issue was discovered in the Linux kernel sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040 (bnc#1171420).
- CVE-2021-3640: Fixed a Use-After-Free vulnerability in function sco_sock_sendmsg() in the bluetooth stack (bsc#1188172).
- CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario (bnc#1133374).
- CVE-2019-3874: The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. (bnc#1129898).
- CVE-2018-9517: In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (bnc#1108488).
- CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117)
- CVE-2021-3753: Fixed race out-of-bounds in virtual terminal handling (bsc#1190025).
- CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
- CVE-2021-3653: A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the 'int_ctl' field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7 (bnc#1189399).
- CVE-2021-3656: Missing validation of the the `virt_ext` VMCB field and allows a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS for the L2 guest (bsc#1189400).
- CVE-2021-38204: drivers/usb/host/max3421-hcd.c allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
- CVE-2021-3679: A lack of CPU resource in the tracing module functionality was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service (bnc#1189057).
- CVE-2020-4788: IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296 (bnc#0 bnc#1177666 bnc#1181158).
- CVE-2021-3659: Fixed a NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (bsc#1188876).
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1176724).
- CVE-2021-37576: arch/powerpc/kvm/book3s_rtas.c on the powerpc platform allowed KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e (bnc#1188838 bnc#1190276).
- CVE-2021-22543: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allowed users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation (bnc#1186482 bnc#1190276).
- CVE-2021-33909: fs/seq_file.c did not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05 (bnc#1188062 bnc#1188063).
The following non-security bugs were fixed:
- Add arch-dependent support markers in supported.conf (bsc#1186672)
- Add the support for kernel-FLAVOR-optional subpackage (jsc#SLE-11796)
- bpf: Add kconfig knob for disabling unpriv bpf by default (jsc#SLE-22913)
- bpf: Disallow unprivileged bpf by default (jsc#SLE-22913).
- ceph: take snap_empty_lock atomically with snaprealm refcount change (bsc#1191888).
- config: disable unprivileged BPF by default (jsc#SLE-22913)
- cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758,bsc#1192400).
- drm: fix spectre issue in vmw_execbuf_ioctl (bsc#1192802).
- ftrace: Fix scripts/recordmcount.pl due to new binutils (bsc#1192267).
- gigaset: fix spectre issue in do_data_b3_req (bsc#1192802).
- hisax: fix spectre issues (bsc#1192802).
- hv: mana: adjust mana_select_queue to old API (jsc#SLE-18779, bsc#1185726).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
- hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726).
- hysdn: fix spectre issue in hycapi_send_message (bsc#1192802).
- infiniband: fix spectre issue in ib_uverbs_write (bsc#1192802).
- infiniband: fix spectre issue in ib_uverbs_write (bsc#1192802).
- ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
- iwlwifi: fix spectre issue in iwl_dbgfs_update_pm (bsc#1192802).
- kernel-binary.spec: Exctract s390 decompression code (jsc#SLE-17042).
- kernel-binary.spec: Fix up usrmerge for non-modular kernels.
- kernel-binary.spec.in: build-id check requires elfutils.
- kernel-binary.spec.in: Regenerate makefile when not using mkmakefile.
- kernel-binary.spec: Only use mkmakefile when it exists Linux 5.13 no longer had a mkmakefile script
- kernel-binary.spec: Remove obsolete and wrong comment mkmakefile is repleced by echo on newer kernel
- kernel-docs.spec.in: Build using an utf-8 locale. Sphinx cannot handle UTF-8 input in non-UTF-8 locale.
- media: dvb_ca_en50221: prevent using slot_info for Spectre attacs (bsc#1192802).
- media: dvb_ca_en50221: sanity check slot number from userspace (bsc#1192802).
- media: wl128x: get rid of a potential spectre issue (bsc#1192802).
- memcg: enable accounting for file lock caches (bsc#1190115).
- mm/memory.c: do_fault: avoid usage of stale vm_area_struct (bsc#1136513).
- mpt3sas: fix spectre issues (bsc#1192802).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
- net: mana: Fix error handling in mana_create_rxq() (git-fixes, bsc#1191800).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
- net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
- net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
- net_sched: cls_route: remove the right filter from hashtable (networking-stable-20_03_28).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() (bsc#1192802).
- NFS: Do uncached readdir when we're seeking a cookie in an empty page cache (bsc#1191628).
- objtool: Do not fail on missing symbol table (bsc#1192379).
- osst: fix spectre issue in osst_verify_frame (bsc#1192802).
- ovl: check whiteout in ovl_create_over_whiteout() (bsc#1189846).
- ovl: filter of trusted xattr results in audit (bsc#1189846).
- ovl: fix dentry leak in ovl_get_redirect (bsc#1189846).
- ovl: initialize error in ovl_copy_xattr (bsc#1189846).
- ovl: relax WARN_ON() on rename to self (bsc#1189846).
- PCI: hv: Use expected affinity when unmasking IRQ (bsc#1185973).
- Revert 'memcg: enable accounting for file lock caches (bsc#1190115).' This reverts commit 912b4421a3e9bb9f0ef1aadc64a436666259bd4d. It's effectively upstream commit 3754707bcc3e190e5dadc978d172b61e809cb3bd applied to kernel-source (to avoid proliferation of patches). Make a note in blacklist.conf too.
- s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (bsc#1190601).
- s390/bpf: Fix branch shortening during codegen pass (bsc#1190601).
- s390/bpf: Fix optimizing out zero-extensions (bsc#1190601).
- s390: bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_* (bsc#1190601).
- s390/bpf: Wrap JIT macro parameter usages in parentheses (bsc#1190601).
- scripts/git_sort/git_sort.py: add bpf git repo
- scripts/git_sort/git_sort.py: Update nvme repositories
- scsi: libfc: Fix array index out of bound exception (bsc#1188616).
- scsi: lpfc: Fix FLOGI failure due to accessing a freed node (bsc#1191349).
- scsi: lpfc: Fix memory overwrite during FC-GS I/O abort handling (bsc#1191349 bsc#1191457).
- scsi: lpfc: Keep NDLP reference until after freeing the IOCB after ELS handling (bsc#1191349 bsc#1191457).
- scsi: target: avoid using lun_tg_pt_gp after unlock (bsc#1186078).
- sctp: check asoc peer.asconf_capable before processing asconf (bsc#1190351).
- sctp: fully initialize v4 addr in some functions (bsc#1188563).
- sysvipc/sem: mitigate semnum index against spectre v1 (bsc#1192802).
- target: core: Fix sense key for invalid XCOPY request (bsc#1186078).
- Update config files: Add CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
- Use /usr/lib/modules as module dir when usermerge is active in the target distro.
- UsrMerge the kernel (boo#1184804)
- x86/CPU: Add more Icelake model numbers (bsc#1185758,bsc#1192400).
- xfrm: xfrm_state_mtu should return at least 1280 for ipv6 (bsc#1185377).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3883-1
Released: Thu Dec 2 11:47:07 2021
Summary: Recommended update for timezone
Type: recommended
Severity: moderate
References: 1177460
This update for timezone fixes the following issues:
Update timezone to 2021e (bsc#1177460)
- Palestine will fall back 10-29 (not 10-30) at 01:00
- Fiji suspends DST for the 2021/2022 season
- 'zic -r' marks unspecified timestamps with '-00'
- Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
- Refresh timezone info for china
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3891-1
Released: Fri Dec 3 10:21:49 2021
Summary: Recommended update for keyutils
Type: recommended
Severity: moderate
References: 1029961,1113013,1187654
This update for keyutils fixes the following issues:
- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)
keyutils was updated to 1.6.3 (jsc#SLE-20016):
* Revert the change notifications that were using /dev/watch_queue.
* Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
* Allow 'keyctl supports' to retrieve raw capability data.
* Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
* Allow 'keyctl new_session' to name the keyring.
* Allow 'keyctl add/padd/etc.' to take hex-encoded data.
* Add 'keyctl watch*' to expose kernel change notifications on keys.
* Add caps for namespacing and notifications.
* Set a default TTL on keys that upcall for name resolution.
* Explicitly clear memory after it's held sensitive information.
* Various manual page fixes.
* Fix C++-related errors.
* Add support for keyctl_move().
* Add support for keyctl_capabilities().
* Make key=val list optional for various public-key ops.
* Fix system call signature for KEYCTL_PKEY_QUERY.
* Fix 'keyctl pkey_query' argument passing.
* Use keyctl_read_alloc() in dump_key_tree_aux().
* Various manual page fixes.
Updated to 1.6:
* Apply various specfile cleanups from Fedora.
* request-key: Provide a command line option to suppress helper execution.
* request-key: Find least-wildcard match rather than first match.
* Remove the dependency on MIT Kerberos.
* Fix some error messages
* keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
* Fix doc and comment typos.
* Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
* Add pkg-config support for finding libkeyutils.
* upstream isn't offering PGP signatures for the source tarballs anymore
Updated to 1.5.11 (bsc#1113013)
* Add keyring restriction support.
* Add KDF support to the Diffie-Helman function.
* DNS: Add support for AFS config files and SRV records
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3899-1
Released: Fri Dec 3 11:27:41 2021
Summary: Security update for aaa_base
Type: security
Severity: moderate
References: 1162581,1174504,1191563,1192248
This update for aaa_base fixes the following issues:
- Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
- Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
- Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
- Support xz compressed kernel (bsc#1162581)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3930-1
Released: Mon Dec 6 11:16:10 2021
Summary: Recommended update for curl
Type: recommended
Severity: moderate
References: 1192790
This update for curl fixes the following issues:
- Fix sftp via proxy failure in curl, by preventing libssh from creating socket (bsc#1192790)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3934-1
Released: Mon Dec 6 13:22:27 2021
Summary: Security update for mozilla-nss
Type: security
Severity: important
References: 1193170,CVE-2021-43527
This update for mozilla-nss fixes the following issues:
Update to version 3.68.1:
- CVE-2021-43527: Fixed a Heap overflow in NSS when verifying DER-encoded DSA or RSA-PSS signatures (bsc#1193170).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3946-1
Released: Mon Dec 6 14:57:42 2021
Summary: Security update for gmp
Type: security
Severity: moderate
References: 1192717,CVE-2021-43618
This update for gmp fixes the following issues:
- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3947-1
Released: Mon Dec 6 14:58:06 2021
Summary: Security update for openssh
Type: security
Severity: important
References: 1190975,CVE-2021-41617
This update for openssh fixes the following issues:
- CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3987-1
Released: Fri Dec 10 06:09:40 2021
Summary: Recommended update for suse-module-tools
Type: recommended
Severity: moderate
References: 1187196
This update for suse-module-tools fixes the following issues:
- Blacklist isst_if_mbox_msr driver because uses hardware information based on
CPU family and model, which is too unspecific. On large systems, this causes
a lot of failing loading attempts for this driver, leading to slow or even
stalled boot (bsc#1187196)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4015-1
Released: Mon Dec 13 17:16:00 2021
Summary: Security update for python3
Type: security
Severity: moderate
References: 1180125,1183374,1183858,1185588,1187338,1187668,1189241,1189287,CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
This update for python3 fixes the following issues:
- CVE-2021-3737: Fixed http client infinite line reading (DoS) after a http 100. (bsc#1189241)
- CVE-2021-3733: Fixed ReDoS in urllib.request. (bsc#1189287)
- CVE-2021-3426: Fixed an information disclosure via pydoc. (bsc#1183374)
- Rebuild to get new headers, avoid building in support for stropts.h (bsc#1187338).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4017-1
Released: Tue Dec 14 07:26:55 2021
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1180995
This update for openssl-1_1 fixes the following issues:
- Add RFC3526 and RFC7919 groups to 'openssl genpkey' so that it can output FIPS-appropriate parameters
consistently with our other codestreams (bsc#1180995)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4117-1
Released: Mon Dec 20 09:13:26 2021
Summary: Recommended update for samba
Type: recommended
Severity: important
References: 1192849,CVE-2020-25717
This update for samba fixes the following issues:
The username map advice from the CVE-2020-25717 advisory
note has undesired side effects for the local nt token. Fallback
to a SID/UID based mapping if the name based lookup fails (bsc#1192849).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4139-1
Released: Tue Dec 21 17:02:44 2021
Summary: Recommended update for systemd
Type: recommended
Severity: critical
References: 1193481,1193521
This update for systemd fixes the following issues:
- Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481)
sleep-config: partitions can't be deleted, only files can
shared/sleep-config: exclude zram devices from hibernation candidates
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4154-1
Released: Wed Dec 22 11:02:38 2021
Summary: Security update for p11-kit
Type: security
Severity: important
References: 1180064,1187993,CVE-2020-29361
This update for p11-kit fixes the following issues:
- CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4171-1
Released: Thu Dec 23 09:55:13 2021
Summary: Security update for runc
Type: security
Severity: moderate
References: 1193436,CVE-2021-43784
This update for runc fixes the following issues:
Update to runc v1.0.3.
* CVE-2021-43784: Fixed a potential vulnerability related to the internal usage
of netlink, which is believed to not be exploitable with any released versions of runc (bsc#1193436)
* Fixed inability to start a container with read-write bind mount of a read-only fuse host mount.
* Fixed inability to start when read-only /dev in set in spec.
* Fixed not removing sub-cgroups upon container delete, when rootless cgroup
v2 is used with older systemd.
* Fixed returning error from GetStats when hugetlb is unsupported (which
causes excessive logging for kubernetes).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4182-1
Released: Thu Dec 23 11:51:51 2021
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1192688
This update for zlib fixes the following issues:
- Fix hardware compression incorrect result on z15 hardware (bsc#1192688)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4-1
Released: Mon Jan 3 08:28:54 2022
Summary: Recommended update for libgcrypt
Type: recommended
Severity: moderate
References: 1193480
This update for libgcrypt fixes the following issues:
- Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:49-1
Released: Tue Jan 11 09:19:15 2022
Summary: Recommended update for apparmor
Type: recommended
Severity: moderate
References: 1191690
This update for apparmor fixes the following issues:
- Fixed an issue when apparmor provides python2 and python3 libraries with the same name. (bsc#1191690)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:57-1
Released: Wed Jan 12 07:10:42 2022
Summary: Recommended update for libzypp
Type: recommended
Severity: moderate
References: 1193488,954813
This update for libzypp fixes the following issues:
- Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)
- Fix wrong encoding of URI compontents of ISO images (bsc#954813)
- When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible
- Introduce zypp-curl as a sublibrary for CURL related code
- zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set
- Save all signatures associated with a public key in its PublicKeyData
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:72-1
Released: Thu Jan 13 16:13:36 2022
Summary: Recommended update for mozilla-nss and MozillaFirefox
Type: recommended
Severity: important
References: 1193845
This update for mozilla-nss and MozillaFirefox fix the following issues:
mozilla-nss:
- Update from version 3.68.1 to 3.68.2 (bsc#1193845)
- Add SHA-2 support to mozilla::pkix's Online Certificate Status Protocol
implementation
MozillaFirefox:
- Firefox Extended Support Release 91.4.1 ESR (bsc#1193845)
- Add SHA-2 support to mozilla::pkix's Online Certificate Status Protocol
implementation to fix frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING
error messages when trying to connect to various microsoft.com domains
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:84-1
Released: Mon Jan 17 04:40:30 2022
Summary: Recommended update for dosfstools
Type: recommended
Severity: moderate
References: 1172863,1188401
This update for dosfstools fixes the following issues:
- To be able to create filesystems compatible with previous
version, add -g command line option to mkfs (bsc#1188401)
- BREAKING CHANGES:
After fixing of bsc#1172863 in the last update, mkfs started to
create different images than before. Applications that depend on
exact FAT file format (e. g. embedded systems) may be broken in
two ways:
* The introduction of the alignment may create smaller images
than before, with a different positions of important image
elements. It can break existing software that expect images in
doststools <= 4.1 style.
To work around these problems, use '-a' command line argument.
* The new image may contain a different geometry values. Geometry
sensitive applications expecting doststools <= 4.1 style images
can fails to accept different geometry values.
There is no direct work around for this problem. But you can
take the old image, use 'file -s $IMAGE', check its
'sectors/track' and 'heads', and use them in the newly
introduced '-g' command line argument.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:178-1
Released: Tue Jan 25 14:16:23 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1194251,1194362,1194474,1194476,1194477,1194478,1194479,1194480,CVE-2021-45960,CVE-2021-46143,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827
This update for expat fixes the following issues:
- CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
- CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
- CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
- CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
- CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
- CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
- CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
- CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:184-1
Released: Tue Jan 25 18:20:56 2022
Summary: Security update for json-c
Type: security
Severity: important
References: 1171479,CVE-2020-12762
This update for json-c fixes the following issues:
- CVE-2020-12762: Fixed integer overflow and out-of-bounds write. (bsc#1171479)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:203-1
Released: Wed Jan 26 14:13:45 2022
Summary: Recommended update for cloud-init
Type: recommended
Severity: important
References: 1186004
This update for cloud-init fixes the following issues:
- Update to version 21.2 (bsc#1186004)
+ Add \r\n check for SSH keys in Azure (#889)
+ Revert 'Add support to resize rootfs if using LVM (#721)' (#887)
(LP: #1922742)
+ Add Vultaire as contributor (#881) [Paul Goins]
+ Azure: adding support for consuming userdata from IMDS (#884) [Anh Vo]
+ test_upgrade: modify test_upgrade_package to run for more sources (#883)
+ Fix chef module run failure when chef_license is set (#868) [Ben Hughes]
+ Azure: Retry net metadata during nic attach for non-timeout errs (#878)
[aswinrajamannar]
+ Azure: Retrieve username and hostname from IMDS (#865) [Thomas Stringer]
+ Azure: eject the provisioning iso before reporting ready (#861) [Anh Vo]
+ Use `partprobe` to re-read partition table if available (#856)
[Nicolas Bock] (LP: #1920939)
+ fix error on upgrade caused by new vendordata2 attributes (#869)
(LP: #1922739)
+ add prefer_fqdn_over_hostname config option (#859)
[hamalq] (LP: #1921004)
+ Emit dots on travis to avoid timeout (#867)
+ doc: Replace remaining references to user-scripts as a config module
(#866) [Ryan Harper]
+ azure: Removing ability to invoke walinuxagent (#799) [Anh Vo]
+ Add Vultr support (#827) [David Dymko]
+ Fix unpickle for source paths missing run_dir (#863)
[lucasmoura] (LP: #1899299)
+ sysconfig: use BONDING_MODULE_OPTS on SUSE (#831) [Jens Sandmann]
+ bringup_static_routes: fix gateway check (#850) [Petr Fedchenkov]
+ add hamalq user (#860) [hamalq]
+ Add support to resize rootfs if using LVM (#721)
[Eduardo Otubo] (LP: #1799953)
+ Fix mis-detecting network configuration in initramfs cmdline (#844)
(LP: #1919188)
+ tools/write-ssh-key-fingerprints: do not display empty header/footer
(#817) [dermotbradley]
+ Azure helper: Ensure Azure http handler sleeps between retries (#842)
[Johnson Shi]
+ Fix chef apt source example (#826) [timothegenzmer]
+ .travis.yml: generate an SSH key before running tests (#848)
+ write passwords only to serial console, lock down cloud-init-output.log
(#847) (LP: #1918303)
+ Fix apt default integration test (#845)
+ integration_tests: bump pycloudlib dependency (#846)
+ Fix stack trace if vendordata_raw contained an array (#837) [eb3095]
+ archlinux: Fix broken locale logic (#841)
[Kristian Klausen] (LP: #1402406)
+ Integration test for #783 (#832)
+ integration_tests: mount more paths IN_PLACE (#838)
+ Fix requiring device-number on EC2 derivatives (#836) (LP: #1917875)
+ Remove the vi comment from the part-handler example (#835)
+ net: exclude OVS internal interfaces in get_interfaces (#829)
(LP: #1912844)
+ tox.ini: pass OS_* environment variables to integration tests (#830)
+ integration_tests: add OpenStack as a platform (#804)
+ Add flexibility to IMDS api-version (#793) [Thomas Stringer]
+ Fix the TestApt tests using apt-key on Xenial and Hirsute (#823)
[Paride Legovini] (LP: #1916629)
+ doc: remove duplicate 'it' from nocloud.rst (#825) [V.I. Wood]
+ archlinux: Use hostnamectl to set the transient hostname (#797)
[Kristian Klausen]
+ cc_keys_to_console.py: Add documentation for recently added config key
(#824) [dermotbradley]
+ Update cc_set_hostname documentation (#818) [Toshi Aoyama]
>From 21.1
+ Azure: Support for VMs without ephemeral resource disks. (#800)
[Johnson Shi] (LP: #1901011)
+ cc_keys_to_console: add option to disable key emission (#811)
[Michael Hudson-Doyle] (LP: #1915460)
+ integration_tests: introduce lxd_use_exec mark (#802)
+ azure: case-insensitive UUID to avoid new IID during kernel upgrade
(#798) (LP: #1835584)
+ stale.yml: don't ask submitters to reopen PRs (#816)
+ integration_tests: fix use of SSH agent within tox (#815)
+ integration_tests: add UPGRADE CloudInitSource (#812)
+ integration_tests: use unique MAC addresses for tests (#813)
+ Update .gitignore (#814)
+ Port apt cloud_tests to integration tests (#808)
+ integration_tests: fix test_gh626 on LXD VMs (#809)
+ Fix attempting to decode binary data in test_seed_random_data test (#806)
+ Remove wait argument from tests with session_cloud calls (#805)
+ Datasource for UpCloud (#743) [Antti Myyrä]
+ test_gh668: fix failure on LXD VMs (#801)
+ openstack: read the dynamic metadata group vendor_data2.json (#777)
[Andrew Bogott] (LP: #1841104)
+ includedir in suoders can be prefixed by 'arroba' (#783)
[Jordi Massaguer Pla]
+ [VMware] change default max wait time to 15s (#774) [xiaofengw-vmware]
+ Revert integration test associated with reverted #586 (#784)
+ Add jordimassaguerpla as contributor (#787) [Jordi Massaguer Pla]
+ Add Rick Harding to CLA signers (#792) [Rick Harding]
+ HACKING.rst: add clarifying note to LP CLA process section (#789)
+ Stop linting cloud_tests (#791)
+ cloud-tests: update cryptography requirement (#790) [Joshua Powers]
+ Remove 'remove-raise-on-failure' calls from integration_tests (#788)
+ Use more cloud defaults in integration tests (#757)
+ Adding self to cla signers (#776) [Andrew Bogott]
+ doc: avoid two warnings (#781) [Dan Kenigsberg]
+ Use proper spelling for Red Hat (#778) [Dan Kenigsberg]
+ Add antonyc to .github-cla-signers (#747) [Anton Chaporgin]
+ integration_tests: log image serial if available (#772)
+ [VMware] Support cloudinit raw data feature (#691) [xiaofengw-vmware]
+ net: Fix static routes to host in eni renderer (#668) [Pavel Abalikhin]
+ .travis.yml: don't run cloud_tests in CI (#756)
+ test_upgrade: add some missing commas (#769)
+ cc_seed_random: update documentation and fix integration test (#771)
(LP: #1911227)
+ Fix test gh-632 test to only run on NoCloud (#770) (LP: #1911230)
+ archlinux: fix package upgrade command handling (#768) [Bao Trinh]
+ integration_tests: add integration test for LP: #1910835 (#761)
+ Fix regression with handling of IMDS ssh keys (#760) [Thomas Stringer]
+ integration_tests: log cloud-init version in SUT (#758)
+ Add ajmyyra as contributor (#742) [Antti Myyrä]
+ net_convert: add some missing help text (#755)
+ Missing IPV6_AUTOCONF=no to render sysconfig dhcp6 stateful on RHEL
(#753) [Eduardo Otubo]
+ doc: document missing IPv6 subnet types (#744) [Antti Myyrä]
+ Add example configuration for datasource `AliYun` (#751) [Xiaoyu Zhong]
+ integration_tests: add SSH key selection settings (#754)
+ fix a typo in man page cloud-init.1 (#752) [Amy Chen]
+ network-config-format-v2.rst: add Netplan Passthrough section (#750)
+ stale: re-enable post holidays (#749)
+ integration_tests: port ca_certs tests from cloud_tests (#732)
+ Azure: Add telemetry for poll IMDS (#741) [Johnson Shi]
+ doc: move testing section from HACKING to its own doc (#739)
+ No longer allow integration test failures on travis (#738)
+ stale: fix error in definition (#740)
+ integration_tests: set log-cli-level to INFO by default (#737)
+ PULL_REQUEST_TEMPLATE.md: use backticks around commit message (#736)
+ stale: disable check for holiday break (#735)
+ integration_tests: log the path we collect logs into (#733)
+ .travis.yml: add (most) supported Python versions to CI (#734)
+ integration_tests: fix IN_PLACE CLOUD_INIT_SOURCE (#731)
+ cc_ca_certs: add RHEL support (#633) [cawamata]
+ Azure: only generate config for NICs with addresses (#709)
[Thomas Stringer]
+ doc: fix CloudStack configuration example (#707) [Olivier Lemasle]
+ integration_tests: restrict test_lxd_bridge appropriately (#730)
+ Add integration tests for CLI functionality (#729)
+ Integration test for gh-626 (#728)
+ Some test_upgrade fixes (#726)
+ Ensure overriding test vars with env vars works for booleans (#727)
+ integration_tests: port lxd_bridge test from cloud_tests (#718)
+ Integration test for gh-632. (#725)
+ Integration test for gh-671 (#724)
+ integration-requirements.txt: bump pycloudlib commit (#723)
+ Drop unnecessary shebang from cmd/main.py (#722) [Eduardo Otubo]
+ Integration test for LP: #1813396 and #669 (#719)
+ integration_tests: include timestamp in log output (#720)
+ integration_tests: add test for LP: #1898997 (#713)
+ Add integration test for power_state_change module (#717)
+ Update documentation for network-config-format-v2 (#701) [ggiesen]
+ sandbox CA Cert tests to not require ca-certificates (#715)
[Eduardo Otubo]
+ Add upgrade integration test (#693)
+ Integration test for 570 (#712)
+ Add ability to keep snapshotted images in integration tests (#711)
+ Integration test for pull #586 (#706)
+ integration_tests: introduce skipping of tests by OS (#702)
+ integration_tests: introduce IntegrationInstance.restart (#708)
+ Add lxd-vm to list of valid integration test platforms (#705)
+ Adding BOOTPROTO = dhcp to render sysconfig dhcp6 stateful on RHEL
(#685) [Eduardo Otubo]
+ Delete image snapshots created for integration tests (#682)
+ Parametrize ssh_keys_provided integration test (#700) [lucasmoura]
+ Drop use_sudo attribute on IntegrationInstance (#694) [lucasmoura]
+ cc_apt_configure: add riscv64 as a ports arch (#687)
[Dimitri John Ledkov]
+ cla: add xnox (#692) [Dimitri John Ledkov]
+ Collect logs from integration test runs (#675)
>From 20.4.1
+ Revert 'ssh_util: handle non-default AuthorizedKeysFile config (#586)'
>From 20.4
+ tox: avoid tox testenv subsvars for xenial support (#684)
+ Ensure proper root permissions in integration tests (#664) [James Falcon]
+ LXD VM support in integration tests (#678) [James Falcon]
+ Integration test for fallocate falling back to dd (#681) [James Falcon]
+ .travis.yml: correctly integration test the built .deb (#683)
+ Ability to hot-attach NICs to preprovisioned VMs before reprovisioning
(#613) [aswinrajamannar]
+ Support configuring SSH host certificates. (#660) [Jonathan Lung]
+ add integration test for LP: #1900837 (#679)
+ cc_resizefs on FreeBSD: Fix _can_skip_ufs_resize (#655)
[Mina GaliÄ] (LP: #1901958, #1901958)
+ DataSourceAzure: push dmesg log to KVP (#670) [Anh Vo]
+ Make mount in place for tests work (#667) [James Falcon]
+ integration_tests: restore emission of settings to log (#657)
+ DataSourceAzure: update password for defuser if exists (#671) [Anh Vo]
+ tox.ini: only select 'ci' marked tests for CI runs (#677)
+ Azure helper: Increase Azure Endpoint HTTP retries (#619) [Johnson Shi]
+ DataSourceAzure: send failure signal on Azure datasource failure (#594)
[Johnson Shi]
+ test_persistence: simplify VersionIsPoppedFromState (#674)
+ only run a subset of integration tests in CI (#672)
+ cli: add + -system param to allow validating system user-data on a
machine (#575)
+ test_persistence: add VersionIsPoppedFromState test (#673)
+ introduce an upgrade framework and related testing (#659)
+ add + -no-tty option to gpg (#669) [Till Riedel] (LP: #1813396)
+ Pin pycloudlib to a working commit (#666) [James Falcon]
+ DataSourceOpenNebula: exclude SRANDOM from context output (#665)
+ cloud_tests: add hirsute release definition (#662)
+ split integration and cloud_tests requirements (#652)
+ faq.rst: add warning to answer that suggests running `clean` (#661)
+ Fix stacktrace in DataSourceRbxCloud if no metadata disk is found (#632)
[Scott Moser]
+ Make wakeonlan Network Config v2 setting actually work (#626)
[dermotbradley]
+ HACKING.md: unify network-refactoring namespace (#658) [Mina GaliÄ]
+ replace usage of dmidecode with kenv on FreeBSD (#621) [Mina GaliÄ]
+ Prevent timeout on travis integration tests. (#651) [James Falcon]
+ azure: enable pushing the log to KVP from the last pushed byte (#614)
[Moustafa Moustafa]
+ Fix launch_kwargs bug in integration tests (#654) [James Falcon]
+ split read_fs_info into linux & freebsd parts (#625) [Mina GaliÄ]
+ PULL_REQUEST_TEMPLATE.md: expand commit message section (#642)
+ Make some language improvements in growpart documentation (#649)
[Shane Frasier]
+ Revert '.travis.yml: use a known-working version of lxd (#643)' (#650)
+ Fix not sourcing default 50-cloud-init ENI file on Debian (#598)
[WebSpider]
+ remove unnecessary reboot from gpart resize (#646) [Mina GaliÄ]
+ cloudinit: move dmi functions out of util (#622) [Scott Moser]
+ integration_tests: various launch improvements (#638)
+ test_lp1886531: don't assume /etc/fstab exists (#639)
+ Remove Ubuntu restriction from PR template (#648) [James Falcon]
+ util: fix mounting of vfat on *BSD (#637) [Mina GaliÄ]
+ conftest: improve docstring for disable_subp_usage (#644)
+ doc: add example query commands to debug Jinja templates (#645)
+ Correct documentation and testcase data for some user-data YAML (#618)
[dermotbradley]
+ Hetzner: Fix instance_id / SMBIOS serial comparison (#640)
[Markus Schade]
+ .travis.yml: use a known-working version of lxd (#643)
+ tools/build-on-freebsd: fix comment explaining purpose of the script
(#635) [Mina GaliÄ]
+ Hetzner: initialize instance_id from system-serial-number (#630)
[Markus Schade] (LP: #1885527)
+ Explicit set IPV6_AUTOCONF and IPV6_FORCE_ACCEPT_RA on static6 (#634)
[Eduardo Otubo]
+ get_interfaces: don't exclude Open vSwitch bridge/bond members (#608)
[Lukas Märdian] (LP: #1898997)
+ Add config modules for controlling IBM PowerVM RMC. (#584)
[Aman306] (LP: #1895979)
+ Update network config docs to clarify MAC address quoting (#623)
[dermotbradley]
+ gentoo: fix hostname rendering when value has a comment (#611)
[Manuel Aguilera]
+ refactor integration testing infrastructure (#610) [James Falcon]
+ stages: don't reset permissions of cloud-init.log every boot (#624)
(LP: #1900837)
+ docs: Add how to use cloud-localds to boot qemu (#617) [Joshua Powers]
+ Drop vestigial update_resolve_conf_file function (#620) [Scott Moser]
+ cc_mounts: correctly fallback to dd if fallocate fails (#585)
(LP: #1897099)
+ .travis.yml: add integration-tests to Travis matrix (#600)
+ ssh_util: handle non-default AuthorizedKeysFile config (#586)
[Eduardo Otubo]
+ Multiple file fix for AuthorizedKeysFile config (#60) [Eduardo Otubo]
+ bddeb: new + -packaging-branch argument to pull packaging from branch
(#576) [Paride Legovini]
+ Add more integration tests (#615) [lucasmoura]
+ DataSourceAzure: write marker file after report ready in preprovisioning
(#590) [Johnson Shi]
+ integration_tests: emit settings to log during setup (#601)
+ integration_tests: implement citest tests run in Travis (#605)
+ Add Azure support to integration test framework (#604) [James Falcon]
+ openstack: consider product_name as valid chassis tag (#580)
[Adrian Vladu] (LP: #1895976)
+ azure: clean up and refactor report_diagnostic_event (#563) [Johnson Shi]
+ net: add the ability to blacklist network interfaces based on driver
during enumeration of physical network devices (#591) [Anh Vo]
+ integration_tests: don't error on cloud-init failure (#596)
+ integration_tests: improve cloud-init.log assertions (#593)
+ conftest.py: remove top-level import of httpretty (#599)
+ tox.ini: add integration-tests testenv definition (#595)
+ PULL_REQUEST_TEMPLATE.md: empty checkboxes need a space (#597)
+ add integration test for LP: #1886531 (#592)
+ Initial implementation of integration testing infrastructure (#581)
[James Falcon]
+ Fix name of ntp and chrony service on CentOS and RHEL. (#589)
[Scott Moser] (LP: #1897915)
+ Adding a PR template (#587) [James Falcon]
+ Azure parse_network_config uses fallback cfg when generate IMDS network
cfg fails (#549) [Johnson Shi]
+ features: refresh docs for easier out-of-context reading (#582)
+ Fix typo in resolv_conf module's description (#578) [WacÅaw Schiller]
+ cc_users_groups: minor doc formatting fix (#577)
+ Fix typo in disk_setup module's description (#579) [WacÅaw Schiller]
+ Add vendor-data support to seedfrom parameter for NoCloud and OVF (#570)
[Johann Queuniet]
+ boot.rst: add First Boot Determination section (#568) (LP: #1888858)
+ opennebula.rst: minor readability improvements (#573) [Mina GaliÄ]
+ cloudinit: remove unused LOG variables (#574)
+ create a shutdown_command method in distro classes (#567)
[Emmanuel Thomé]
+ user_data: remove unused constant (#566)
+ network: Fix type and respect name when rendering vlan in
sysconfig. (#541) [Eduardo Otubo] (LP: #1788915, #1826608)
+ Retrieve SSH keys from IMDS first with OVF as a fallback (#509)
[Thomas Stringer]
+ Add jqueuniet as contributor (#569) [Johann Queuniet]
+ distros: minor typo fix (#562)
+ Bump the integration-requirements versioned dependencies (#565)
[Paride Legovini]
+ network-config-format-v1: fix typo in nameserver example (#564)
[Stanislas]
+ Run cloud-init-local.service after the hv_kvp_daemon (#505)
[Robert Schweikert]
+ Add method type hints for Azure helper (#540) [Johnson Shi]
+ systemd: add Before=shutdown.target when Conflicts=shutdown.target is
used (#546) [Paride Legovini]
+ LXD: detach network from profile before deleting it (#542)
[Paride Legovini] (LP: #1776958)
+ redhat spec: add missing BuildRequires (#552) [Paride Legovini]
+ util: remove debug statement (#556) [Joshua Powers]
+ Fix cloud config on chef example (#551) [lucasmoura]
>From 20.3
+ Azure: Add netplan driver filter when using hv_netvsc driver (#539)
[James Falcon] (LP: #1830740)
+ query: do not handle non-decodable non-gzipped content (#543)
+ DHCP sandboxing failing on noexec mounted /var/tmp (#521) [Eduardo Otubo]
+ Update the list of valid ssh keys. (#487)
[Ole-Martin Bratteng] (LP: #1877869)
+ cmd: cloud-init query to handle compressed userdata (#516) (LP: #1889938)
+ Pushing cloud-init log to the KVP (#529) [Moustafa Moustafa]
+ Add Alpine Linux support. (#535) [dermotbradley]
+ Detect kernel version before swap file creation (#428) [Eduardo Otubo]
+ cli: add devel make-mime subcommand (#518)
+ user-data: only verify mime-types for TYPE_NEEDED and x-shellscript
(#511) (LP: #1888822)
+ DataSourceOracle: retry twice (and document why we retry at all) (#536)
+ Refactor Azure report ready code (#468) [Johnson Shi]
+ tox.ini: pin correct version of httpretty in xenial{,-dev} envs (#531)
+ Support Oracle IMDSv2 API (#528) [James Falcon]
+ .travis.yml: run a doc build during CI (#534)
+ doc/rtd/topics/datasources/ovf.rst: fix doc8 errors (#533)
+ Fix 'Users and Groups' configuration documentation (#530) [sshedi]
+ cloudinit.distros: update docstrings of add_user and create_user (#527)
+ Fix headers for device types in network v2 docs (#532)
[Caleb Xavier Berger]
+ Add AlexBaranowski as contributor (#508) [Aleksander Baranowski]
+ DataSourceOracle: refactor to use only OPC v1 endpoint (#493)
+ .github/workflows/stale.yml: s/Josh/Rick/ (#526)
+ Fix a typo in apt pipelining module (#525) [Xiao Liang]
+ test_util: parametrize devlist tests (#523) [James Falcon]
+ Recognize LABEL_FATBOOT labels (#513) [James Falcon] (LP: #1841466)
+ Handle additional identifier for SLES For HPC (#520) [Robert Schweikert]
+ Revert 'test-requirements.txt: pin pytest to <6 (#512)' (#515)
+ test-requirements.txt: pin pytest to <6 (#512)
+ Add 'tsanghan' as contributor (#504) [tsanghan]
+ fix brpm building (LP: #1886107)
+ Adding eandersson as a contributor (#502) [Erik Olof Gunnar Andersson]
+ azure: disable bouncing hostname when setting hostname fails (#494)
[Anh Vo]
+ VMware: Support parsing DEFAULT-RUN-POST-CUST-SCRIPT (#441)
[xiaofengw-vmware]
+ DataSourceAzure: Use ValueError when JSONDecodeError is not available
(#490) [Anh Vo]
+ cc_ca_certs.py: fix blank line problem when removing CAs and adding
new one (#483) [dermotbradley]
+ freebsd: py37-serial is now py37-pyserial (#492) [Goneri Le Bouder]
+ ssh exit with non-zero status on disabled user (#472)
[Eduardo Otubo] (LP: #1170059)
+ cloudinit: remove global disable of pylint W0107 and fix errors (#489)
+ networking: refactor wait_for_physdevs from cloudinit.net (#466)
(LP: #1884626)
+ HACKING.rst: add pytest.param pytest gotcha (#481)
+ cloudinit: remove global disable of pylint W0105 and fix errors (#480)
+ Fix two minor warnings (#475)
+ test_data: fix faulty patch (#476)
+ cc_mounts: handle missing fstab (#484) (LP: #1886531)
+ LXD cloud_tests: support more lxd image formats (#482) [Paride Legovini]
+ Add update_etc_hosts as default module on *BSD (#479) [Adam Dobrawy]
+ cloudinit: fix tip-pylint failures and bump pinned pylint version (#478)
+ Added BirknerAlex as contributor and sorted the file (#477)
[Alexander Birkner]
+ Update list of types of modules in cli.rst [saurabhvartak1982]
+ tests: use markers to configure disable_subp_usage (#473)
+ Add mention of vendor-data to no-cloud format documentation (#470)
[Landon Kirk]
+ Fix broken link to OpenStack metadata service docs (#467)
[Matt Riedemann]
+ Disable ec2 mirror for non aws instances (#390)
[lucasmoura] (LP: #1456277)
+ cloud_tests: don't pass + -python-version to read-dependencies (#465)
+ networking: refactor is_physical from cloudinit.net (#457) (LP: #1884619)
+ Enable use of the caplog fixture in pytest tests, and add a
cc_final_message test using it (#461)
+ RbxCloud: Add support for FreeBSD (#464) [Adam Dobrawy]
+ Add schema for cc_chef module (#375) [lucasmoura] (LP: #1858888)
+ test_util: add (partial) testing for util.mount_cb (#463)
+ .travis.yml: revert to installing ubuntu-dev-tools (#460)
+ HACKING.rst: add details of net refactor tracking (#456)
+ .travis.yml: rationalise installation of dependencies in host (#449)
+ Add dermotbradley as contributor. (#458) [dermotbradley]
+ net/networking: remove unused functions/methods (#453)
+ distros.networking: initial implementation of layout (#391)
+ cloud-init.service.tmpl: use 'rhel' instead of 'redhat' (#452)
+ Change from redhat to rhel in systemd generator tmpl (#450)
[Eduardo Otubo]
+ Hetzner: support reading user-data that is base64 encoded. (#448)
[Scott Moser] (LP: #1884071)
+ HACKING.rst: add strpath gotcha to testing gotchas section (#446)
+ cc_final_message: don't create directories when writing boot-finished
(#445) (LP: #1883903)
+ .travis.yml: only store new schroot if something has changed (#440)
+ util: add ensure_dir_exists parameter to write_file (#443)
+ printing the error stream of the dhclient process before killing it
(#369) [Moustafa Moustafa]
+ Fix link to the MAAS documentation (#442)
[Paride Legovini] (LP: #1883666)
+ RPM build: disable the dynamic mirror URLs when using a proxy (#437)
[Paride Legovini]
+ util: rename write_file's copy_mode parameter to preserve_mode (#439)
+ .travis.yml: use $TRAVIS_BUILD_DIR for lxd_image caching (#438)
+ cli.rst: alphabetise devel subcommands and add net-convert to list (#430)
+ Default to UTF-8 in /var/log/cloud-init.log (#427) [James Falcon]
+ travis: cache the chroot we use for package builds (#429)
+ test: fix all flake8 E126 errors (#425) [Joshua Powers]
+ Fixes KeyError for bridge with no 'parameters:' setting (#423)
[Brian Candler] (LP: #1879673)
+ When tools.conf does not exist, running cmd 'vmware-toolbox-cmd
config get deployPkg enable-custom-scripts', the return code will
be EX_UNAVAILABLE(69), on this condition, it should not take it as
error. (#413) [chengcheng-chcheng]
+ Document CloudStack data-server well-known hostname (#399) [Gregor Riepl]
+ test: move conftest.py to top-level, to cover tests/ also (#414)
+ Replace cc_chef is_installed with use of subp.is_exe. (#421)
[Scott Moser]
+ Move runparts to subp. (#420) [Scott Moser]
+ Move subp into its own module. (#416) [Scott Moser]
+ readme: point at travis-ci.com (#417) [Joshua Powers]
+ New feature flag functionality and fix includes failing silently (#367)
[James Falcon] (LP: #1734939)
+ Enhance poll imds logging (#365) [Moustafa Moustafa]
+ test: fix all flake8 E121 and E123 errors (#404) [Joshua Powers]
+ test: fix all flake8 E241 (#403) [Joshua Powers]
+ test: ignore flake8 E402 errors in main.py (#402) [Joshua Powers]
+ cc_grub_dpkg: determine idevs in more robust manner with grub-probe
(#358) [Matthew Ruffell] (LP: #1877491)
+ test: fix all flake8 E741 errors (#401) [Joshua Powers]
+ tests: add groovy integration tests for ubuntu (#400)
+ Enable chef_license support for chef infra client (#389) [Bipin Bachhao]
+ testing: use flake8 again (#392) [Joshua Powers]
+ enable Puppet, Chef mcollective in default config (#385)
[Mina GaliÄ (deprecated: Igor GaliÄ)] (LP: #1880279)
+ HACKING.rst: introduce .net + > Networking refactor section (#384)
+ Travis: do not install python3-contextlib2 (dropped dependency) (#388)
[Paride Legovini]
+ HACKING: mention that .github-cla-signers is alpha-sorted (#380)
+ Add bipinbachhao as contributor (#379) [Bipin Bachhao]
+ cc_snap: validate that assertions property values are strings (#370)
+ conftest: implement partial disable_subp_usage (#371)
+ test_resolv_conf: refresh stale comment (#374)
+ cc_snap: apply validation to snap.commands properties (#364)
+ make finding libc platform independent (#366)
[Mina GaliÄ (deprecated: Igor GaliÄ)]
+ doc/rtd/topics/faq: Updates LXD docs links to current site (#368) [TomP]
+ templater: drop Jinja Python 2 compatibility shim (#353)
+ cloudinit: minor pylint fixes (#360)
+ cloudinit: remove unneeded __future__ imports (#362)
+ migrating momousta lp user to Moustafa-Moustafa GitHub user (#361)
[Moustafa Moustafa]
+ cloud_tests: emit dots on Travis while fetching images (#347)
+ Add schema to apt configure config (#357) [lucasmoura] (LP: #1858884)
+ conftest: add docs and tests regarding CiTestCase's subp functionality
(#343)
+ analyze/dump: refactor shared string into variable (#350)
+ doc: update boot.rst with correct timing of runcmd (#351)
+ HACKING.rst: change contact info to Rick Harding (#359) [lucasmoura]
+ HACKING.rst: guide people to add themselves to the CLA file (#349)
+ HACKING.rst: more unit testing documentation (#354)
+ .travis.yml: don't run lintian during integration test package builds
(#352)
+ Add test to ensure docs examples are valid cloud-init configs (#355)
[James Falcon] (LP: #1876414)
+ make suse and sles support 127.0.1.1 (#336) [chengcheng-chcheng]
+ Create tests to validate schema examples (#348)
[lucasmoura] (LP: #1876412)
+ analyze/dump: add support for Amazon Linux 2 log lines (#346)
(LP: #1876323)
+ bsd: upgrade support (#305) [Goneri Le Bouder]
+ Add lucasmoura as contributor (#345) [lucasmoura]
+ Add 'therealfalcon' as contributor (#344) [James Falcon]
+ Adapt the package building scripts to use Python 3 (#231)
[Paride Legovini]
+ DataSourceEc2: use metadata's NIC ordering to determine route-metrics
(#342) (LP: #1876312)
+ .travis.yml: introduce caching (#329)
+ cc_locale: introduce schema (#335)
+ doc/rtd/conf.py: bump copyright year to 2020 (#341)
+ yum_add_repo: Add Centos to the supported distro list (#340)
- Fix unit test fail in TestGetPackageMirrorInfo::test_substitution.
- Add patch from upstream to remove python2 compatibility so
cloud-init builds fine in Tumbleweed with a recent Jinja2
version. This patch is only applied in TW.
The following package changes have been done:
- SUSEConnect-0.3.32-7.25.1 updated
- aaa_base-84.87+git20180409.04c9dae-3.52.1 updated
- apparmor-parser-2.12.3-7.25.3 updated
- bash-4.4-9.14.1 updated
- bind-utils-9.16.6-12.57.1 updated
- btrfsmaintenance-0.4.2-3.3.1 updated
- ca-certificates-mozilla-2.44-4.32.1 updated
- chrony-pool-suse-3.2-9.24.2 updated
- chrony-3.2-9.24.2 updated
- cifs-utils-6.9-5.12.1 updated
- cloud-init-config-suse-21.2-8.51.1 updated
- cloud-init-21.2-8.51.1 updated
- containerd-ctr-1.4.11-56.1 updated
- containerd-1.4.11-56.1 updated
- cpio-2.12-3.9.1 updated
- cups-config-2.2.7-3.26.1 updated
- curl-7.60.0-28.1 updated
- dbus-1-1.12.2-8.11.2 updated
- dhcp-client-4.3.6.P1-6.11.1 updated
- dhcp-4.3.6.P1-6.11.1 updated
- docker-20.10.9_ce-156.1 updated
- dosfstools-4.1-3.6.1 updated
- e2fsprogs-1.43.8-4.26.1 updated
- efibootmgr-14-4.3.2 updated
- file-magic-5.32-7.14.1 updated
- filesystem-15.0-11.3.2 updated
- file-5.32-7.14.1 updated
- glibc-locale-base-2.26-13.62.1 updated
- glibc-locale-2.26-13.62.1 updated
- glibc-2.26-13.62.1 updated
- gpg2-2.2.5-4.19.8 updated
- growpart-rootgrow-1.0.5-1.9.1 updated
- grub2-i386-pc-2.02-123.7.17 updated
- grub2-x86_64-efi-2.02-123.7.17 updated
- grub2-2.02-123.7.17 updated
- kdump-0.9.0-4.9.1 updated
- kernel-default-4.12.14-197.102.2 updated
- keyutils-1.6.3-5.6.1 updated
- kmod-compat-25-6.10.1 updated
- kmod-25-6.10.1 updated
- kpartx-0.7.9+207+suse.58b7a57-3.15.1 updated
- krb5-1.16.3-3.24.1 updated
- less-530-3.3.2 updated
- libapparmor1-2.12.3-7.25.2 updated
- libaugeas0-1.10.1-3.3.1 updated
- libavahi-client3-0.7-3.9.1 updated
- libavahi-common3-0.7-3.9.1 updated
- libbind9-1600-9.16.6-12.57.1 updated
- libblkid1-2.33.2-4.16.1 updated
- libbz2-1-1.0.6-5.11.1 updated
- libcap2-2.26-4.6.1 updated
- libcares2-1.17.1+20200724-3.17.1 updated
- libcom_err2-1.43.8-4.26.1 updated
- libcups2-2.2.7-3.26.1 updated
- libcurl4-7.60.0-28.1 updated
- libdbus-1-3-1.12.2-8.11.2 updated
- libdcerpc-binding0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libdcerpc0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libdns1605-9.16.6-12.57.1 updated
- libefivar1-37-6.12.1 updated
- libesmtp-1.0.6-150.4.1 updated
- libexpat1-2.2.5-3.9.1 updated
- libext2fs2-1.43.8-4.26.1 updated
- libfdisk1-2.33.2-4.16.1 updated
- libfreebl3-3.68.2-3.64.2 updated
- libgcc_s1-11.2.1+git610-1.3.9 updated
- libgcrypt20-1.8.2-8.42.1 updated
- libglib-2_0-0-2.54.3-4.24.1 updated
- libgmodule-2_0-0-2.54.3-4.24.1 updated
- libgmp10-6.1.2-4.9.1 updated
- libgnutls30-3.6.7-6.40.2 updated
- libhogweed4-3.4.1-4.18.1 updated
- libirs1601-9.16.6-12.57.1 updated
- libisc1606-9.16.6-12.57.1 updated
- libisccc1600-9.16.6-12.57.1 updated
- libisccfg1600-9.16.6-12.57.1 updated
- libjson-c3-0.13-3.3.1 updated
- libkeyutils1-1.6.3-5.6.1 updated
- libkmod2-25-6.10.1 updated
- libldap-2_4-2-2.4.46-9.58.1 updated
- libldap-data-2.4.46-9.58.1 updated
- libldb1-1.4.6-3.8.1 updated
- liblldp_clif1-1.0.1+65.f3b70663b55e-3.9.1 updated
- liblua5_3-5-5.3.6-3.6.1 updated
- liblz4-1-1.8.0-3.8.1 updated
- libmagic1-5.32-7.14.1 updated
- libmount1-2.33.2-4.16.1 updated
- libncurses6-6.1-5.9.1 updated
- libndr-krb5pac0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libndr-nbt0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libndr-standard0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libndr0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libnetapi0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libnettle6-3.4.1-4.18.1 updated
- libnghttp2-14-1.40.0-3.11.1 updated
- libns1604-9.16.6-12.57.1 updated
- libopeniscsiusr0_2_0-2.0.876-13.42.1 updated
- libopenssl1_1-1.1.0i-14.24.3 updated
- libp11-kit0-0.23.2-4.13.1 updated
- libpcap1-1.8.1-4.5.1 updated
- libpcre1-8.45-20.10.1 updated
- libpcre2-8-0-10.31-3.3.1 updated
- libprocps7-3.3.15-7.19.1 updated
- libprotobuf-lite15-3.5.0-5.2.1 added
- libpython3_6m1_0-3.6.15-3.91.3 updated
- libreadline7-7.0-9.14.1 updated
- libruby2_5-2_5-2.5.9-4.20.1 updated
- libsamba-credentials0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsamba-errors0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsamba-hostconfig0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsamba-passdb0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsamba-util0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsamdb0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsigc-2_0-0-2.10.0-3.7.1 updated
- libsmartcols1-2.33.2-4.16.1 updated
- libsmbconf0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsmbldap2-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsnappy1-1.1.8-3.3.1 updated
- libsolv-tools-0.7.20-4.3.1 updated
- libsqlite3-0-3.36.0-3.12.1 updated
- libstdc++6-11.2.1+git610-1.3.9 updated
- libsystemd0-234-24.102.1 updated
- libtevent-util0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libudev1-234-24.102.1 updated
- libuuid1-2.33.2-4.16.1 updated
- libwbclient0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libxml2-2-2.9.7-3.37.1 updated
- libz1-1.2.11-3.24.1 updated
- libzstd1-1.4.4-1.6.1 updated
- libzypp-17.29.0-3.64.1 updated
- multipath-tools-0.7.9+207+suse.58b7a57-3.15.1 updated
- ncurses-utils-6.1-5.9.1 updated
- netcfg-11.6-3.3.1 updated
- nfs-client-2.1.1-10.18.1 updated
- open-iscsi-2.0.876-13.42.1 updated
- open-lldp-1.0.1+65.f3b70663b55e-3.9.1 updated
- openssh-7.9p1-6.28.1 updated
- openssl-1_1-1.1.0i-14.24.3 updated
- p11-kit-tools-0.23.2-4.13.1 updated
- p11-kit-0.23.2-4.13.1 updated
- pam-1.3.0-6.50.1 updated
- procps-3.3.15-7.19.1 updated
- python3-Jinja2-2.10.1-3.10.2 updated
- python3-PyJWT-1.7.1-6.4.1 updated
- python3-PyYAML-5.3.1-6.10.1 updated
- python3-asn1crypto-0.24.0-3.2.1 updated
- python3-base-3.6.15-3.91.3 updated
- python3-bind-9.16.6-12.57.1 updated
- python3-blinker-1.4-3.4.1 updated
- python3-cffi-1.11.2-4.6.1 updated
- python3-cryptography-2.8-7.4.1 updated
- python3-distro-1.5.0-3.5.1 updated
- python3-ecdsa-0.13.3-3.7.1 updated
- python3-jsonschema-2.6.0-4.2.2 updated
- python3-oauthlib-2.0.6-3.4.1 updated
- python3-pyOpenSSL-17.5.0-3.9.1 added
- python3-pyasn1-0.4.2-3.2.1 updated
- python3-pycparser-2.17-3.2.1 updated
- python3-pytz-2021.1-6.7.1 updated
- python3-py-1.8.1-5.6.1 updated
- python3-requests-2.24.0-6.10.2 updated
- python3-six-1.14.0-7.3.1 updated
- python3-urllib3-1.25.10-9.14.1 updated
- python3-3.6.15-3.91.4 updated
- qemu-tools-3.1.1.1-80.40.1 updated
- rsyslog-8.33.1-3.34.2 updated
- ruby2.5-stdlib-2.5.9-4.20.1 updated
- ruby2.5-2.5.9-4.20.1 updated
- runc-1.0.3-27.1 added
- samba-libs-python3-4.9.5+git.477.8163dd03413-3.61.1 updated
- samba-libs-4.9.5+git.477.8163dd03413-3.61.1 updated
- sed-4.4-4.3.1 updated
- shim-15.4-3.32.1 updated
- sudo-1.8.27-4.21.4 updated
- supportutils-3.1.17-5.34.1 updated
- suse-build-key-12.0-8.16.1 updated
- suse-module-tools-15.1.24-3.22.1 updated
- systemd-presets-branding-SLE-15.1-20.8.1 updated
- systemd-presets-common-SUSE-15-8.9.1 updated
- systemd-sysvinit-234-24.102.1 updated
- systemd-234-24.102.1 updated
- tar-1.30-3.9.1 updated
- tcpdump-4.9.2-3.15.1 updated
- terminfo-base-6.1-5.9.1 updated
- terminfo-6.1-5.9.1 updated
- thin-provisioning-tools-0.7.5-3.3.1 updated
- timezone-2021e-75.4.1 updated
- udev-234-24.102.1 updated
- util-linux-systemd-2.33.2-4.16.1 updated
- util-linux-2.33.2-4.16.1 updated
- vim-data-common-8.0.1568-5.14.1 updated
- vim-8.0.1568-5.14.1 updated
- wget-1.20.3-3.12.1 updated
- xfsprogs-4.15.0-4.52.1 updated
- xkeyboard-config-2.23.1-3.9.1 updated
- zypper-migration-plugin-0.12.1590748670.86b0749-6.9.1 updated
- zypper-1.14.50-3.46.1 updated
- docker-libnetwork-0.7.0.1+gitr2902_153d0769a118-4.21.2 removed
- docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.38.2 removed
- python-rpm-macros-20200207.5feb6c1-3.11.1 removed
More information about the sle-updates
mailing list