SUSE Image Update Advisory: suse-sles-15-sp1-chost-byos-v20201209-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2020:112-1
Image Tags        : suse-sles-15-sp1-chost-byos-v20201209-hvm-ssd-x86_64:20201209
Image Release     : 
Severity          : critical
Type              : security
References        : 1011548 1027519 1027519 1055014 1055186 1058115 1061843 1065600
                        1065600 1065729 1065729 1065729 1066382 1077428 1094244 1100369
                        1104902 1109160 1112178 1112178 1113956 1118367 1118368 1123327
                        1128220 1131277 1133877 1134760 1139775 1140683 1141559 1152930
                        1153943 1153946 1154366 1154935 1155027 1156205 1157051 1158499
                        1158830 1159566 1160158 1161168 1161198 1161203 1161239 1161335
                        1161923 1162896 1163569 1163592 1165281 1165424 1165502 1165534
                        1165786 1166602 1166848 1167030 1167471 1167527 1168468 1168698
                        1169972 1170347 1170415 1170667 1170713 1171313 1171558 1171675
                        1171688 1171740 1171742 1171762 1171806 1172157 1172429 1172538
                        1172688 1172695 1172798 1172846 1172873 1172952 1172958 1173060
                        1173064 1173104 1173115 1173256 1173273 1173307 1173311 1173391
                        1173422 1173432 1173433 1173503 1173529 1173902 1173972 1173983
                        1173994 1174079 1174232 1174240 1174257 1174443 1174444 1174477
                        1174561 1174564 1174593 1174697 1174748 1174748 1174753 1174817
                        1174899 1174918 1174918 1174918 1175110 1175168 1175228 1175306
                        1175342 1175443 1175520 1175568 1175592 1175721 1175749 1175847
                        1175882 1175894 1175989 1176011 1176022 1176038 1176062 1176086
                        1176092 1176123 1176142 1176155 1176173 1176181 1176192 1176192
                        1176235 1176242 1176262 1176262 1176278 1176285 1176316 1176317
                        1176318 1176319 1176320 1176321 1176325 1176339 1176341 1176343
                        1176344 1176345 1176346 1176347 1176348 1176349 1176350 1176354
                        1176381 1176395 1176400 1176410 1176410 1176423 1176435 1176435
                        1176482 1176485 1176507 1176513 1176536 1176544 1176545 1176546
                        1176548 1176549 1176560 1176579 1176625 1176644 1176659 1176670
                        1176671 1176674 1176698 1176699 1176700 1176712 1176712 1176713
                        1176721 1176722 1176723 1176725 1176732 1176740 1176740 1176759
                        1176788 1176789 1176800 1176855 1176869 1176877 1176902 1176902
                        1176907 1176935 1176946 1176950 1176962 1176966 1176983 1176990
                        1177027 1177027 1177030 1177041 1177042 1177043 1177044 1177086
                        1177101 1177121 1177143 1177206 1177238 1177238 1177258 1177271
                        1177281 1177291 1177293 1177294 1177295 1177296 1177340 1177409
                        1177409 1177410 1177411 1177412 1177412 1177413 1177413 1177414
                        1177414 1177458 1177460 1177460 1177470 1177479 1177490 1177510
                        1177511 1177526 1177526 1177533 1177603 1177613 1177685 1177687
                        1177703 1177719 1177724 1177725 1177740 1177749 1177750 1177753
                        1177754 1177755 1177766 1177790 1177819 1177820 1177855 1177856
                        1177858 1177861 1177864 1177913 1177914 1177915 1177939 1177950
                        1177957 1177983 1178003 1178027 1178078 1178123 1178166 1178185
                        1178187 1178188 1178202 1178234 1178278 1178330 1178346 1178346
                        1178350 1178353 1178354 1178376 1178387 1178393 1178466 1178512
                        1178589 1178591 1178591 1178622 1178686 1178727 1178765 1178782
                        1178882 1178882 1178963 1179150 1179151 1179193 1179431 906079
                        927455 935885 935885 998893 CVE-2017-3136 CVE-2018-5741 CVE-2019-20916
                        CVE-2019-20916 CVE-2019-6477 CVE-2020-0404 CVE-2020-0427 CVE-2020-0430
                        CVE-2020-0431 CVE-2020-0432 CVE-2020-12351 CVE-2020-12352 CVE-2020-13844
                        CVE-2020-14318 CVE-2020-14323 CVE-2020-14342 CVE-2020-14351 CVE-2020-14381
                        CVE-2020-14383 CVE-2020-14390 CVE-2020-1472 CVE-2020-15999 CVE-2020-16120
                        CVE-2020-24659 CVE-2020-25212 CVE-2020-25219 CVE-2020-25284 CVE-2020-25285
                        CVE-2020-25595 CVE-2020-25596 CVE-2020-25597 CVE-2020-25598 CVE-2020-25599
                        CVE-2020-25600 CVE-2020-25601 CVE-2020-25602 CVE-2020-25603 CVE-2020-25604
                        CVE-2020-25641 CVE-2020-25643 CVE-2020-25645 CVE-2020-25656 CVE-2020-25668
                        CVE-2020-25692 CVE-2020-25704 CVE-2020-25705 CVE-2020-26088 CVE-2020-26154
                        CVE-2020-27670 CVE-2020-27670 CVE-2020-27671 CVE-2020-27671 CVE-2020-27672
                        CVE-2020-27672 CVE-2020-27673 CVE-2020-27673 CVE-2020-27674 CVE-2020-27675
                        CVE-2020-28196 CVE-2020-28368 CVE-2020-28368 CVE-2020-8027 CVE-2020-8037
                        CVE-2020-8277 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619
                        CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624
                        CVE-2020-8694 
-----------------------------------------------------------------

The container suse-sles-15-sp1-chost-byos-v20201209-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2704-1
Released:    Tue Sep 22 15:06:36 2020
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1174079
This update for krb5 fixes the following issue:

- Fix prefix reported by krb5-config, libraries and headers are not installed under /usr/lib/mit prefix. (bsc#1174079)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2712-1
Released:    Tue Sep 22 17:08:03 2020
Summary:     Security update for openldap2
Type:        security
Severity:    moderate
References:  1175568,CVE-2020-8027
This update for openldap2 fixes the following issues:

- CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2722-1
Released:    Wed Sep 23 11:36:10 2020
Summary:     Security update for samba
Type:        security
Severity:    important
References:  1176579,CVE-2020-1472
This update for samba fixes the following issues:

 - ZeroLogon: An elevation of privilege was possible with some non default configurations when an attacker established
 a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC) 
 (CVE-2020-1472, bsc#1176579).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2729-1
Released:    Wed Sep 23 16:00:48 2020
Summary:     Security update for cifs-utils
Type:        security
Severity:    moderate
References:  1152930,1174477,CVE-2020-14342
This update for cifs-utils fixes the following issues:

- CVE-2020-14342: Fixed a shell command injection vulnerability in mount.cifs (bsc#1174477). 
- Fixed an invalid free in mount.cifs; (bsc#1152930).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2757-1
Released:    Fri Sep 25 19:45:40 2020
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1173104
This update for nfs-utils fixes the following issue:

- Some scripts are requiring Python2 while it is not installed by default and they can work with Python3. (bsc#1173104)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2780-1
Released:    Tue Sep 29 11:27:51 2020
Summary:     Recommended update for rsyslog
Type:        recommended
Severity:    moderate
References:  1173433
This update for rsyslog fixes the following issues:

- Fix the URL for bug reporting. (bsc#1173433)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2790-1
Released:    Tue Sep 29 14:13:29 2020
Summary:     Security update for xen
Type:        security
Severity:    important
References:  1027519,1176339,1176341,1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25598,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25602,CVE-2020-25603,CVE-2020-25604
This update for xen fixes the following issues:

- CVE-2020-25602: Fixed an issue where there was a crash when
  handling guest access to MSR_MISC_ENABLE was thrown (bsc#1176339,XSA-333)
- CVE-2020-25598: Added a missing unlock in XENMEM_acquire_resource error path
  (bsc#1176341,XSA-334)
- CVE-2020-25604: Fixed a race condition when migrating timers between x86 
  HVM vCPU-s (bsc#1176343,XSA-336)
- CVE-2020-25595: Fixed an issue where PCI passthrough code was reading back hardware registers (bsc#1176344,XSA-337)
- CVE-2020-25597: Fixed an issue where a valid event channels may not turn invalid (bsc#1176346,XSA-338)
- CVE-2020-25596: Fixed a potential denial of service in x86 pv guest kernel via SYSENTER (bsc#1176345,XSA-339)
- CVE-2020-25603: Fixed an issue due to  missing barriers when accessing/allocating an event channel (bsc#1176347,XSA-340)
- CVE-2020-25600: Fixed out of bounds event channels available to 32-bit x86 domains (bsc#1176348,XSA-342)
- CVE-2020-25599: Fixed race conditions with evtchn_reset() (bsc#1176349,XSA-343)
- CVE-2020-25601: Fixed an issue due to lack of preemption in evtchn_reset() / evtchn_destroy() (bsc#1176350,XSA-344)	  

- Various bug fixes (bsc#1027519)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2818-1
Released:    Thu Oct  1 10:38:55 2020
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592
This update for libzypp, zypper provides the following fixes:

Changes in libzypp:
- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)
- Support buildnr with commit hash in purge-kernels. This adds special behaviour for when
  a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)
- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)
- Make sure reading from lsof does not block forever. (bsc#1174240)
- Just collect details for the signatures found.

Changes in zypper:
- man: Enhance description of the global package cache. (bsc#1175592)
- man: Point out that plain rpm packages are not downloaded to the global package cache.
  (bsc#1173273)
- Directly list subcommands in 'zypper help'. (bsc#1165424)
- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.
- Point out that plaindir repos do not follow symlinks. (bsc#1174561)
- Fix help command for list-patches.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2825-1
Released:    Fri Oct  2 08:44:28 2020
Summary:     Recommended update for suse-build-key
Type:        recommended
Severity:    moderate
References:  1170347,1176759
This update for suse-build-key fixes the following issues:

- The SUSE Notary Container key is different from the build signing
  key, include this key instead as suse-container-key. (PM-1845 bsc#1170347)

- The SUSE build key for SUSE Linux Enterprise 12 and 15 is extended by 4 more years. (bsc#1176759)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2830-1
Released:    Fri Oct  2 10:34:26 2020
Summary:     Security update for permissions
Type:        security
Severity:    moderate
References:  1161335,1176625
This update for permissions fixes the following issues:

- whitelist WMP (bsc#1161335, bsc#1176625)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2863-1
Released:    Tue Oct  6 09:28:41 2020
Summary:     Recommended update for efivar
Type:        recommended
Severity:    moderate
References:  1175989
This update for efivar fixes the following issues:

- Fixed an issue when segmentation fault are caused on non-EFI systems. (bsc#1175989)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2867-1
Released:    Tue Oct  6 16:12:10 2020
Summary:     Recommended update for multipath-tools
Type:        recommended
Severity:    important
References:  1139775,1161923,1165786,1172157,1172429,1173060,1173064,1176644,1176670
This update for multipath-tools fixes the following issues:

- kpartx: Recognize DASD on loop devices again. (bsc#1139775)
- kpartx.rules: Fix handling of synthetic uevents. (bsc#1161923)
- libmpathpersist: Limit PRIN allocation length to 8192 bytes. (bsc#1165786)
- Fix handling of incompletely initialized udev devices. (bsc#1172157)
- Avoid data corruption caused by duplicate alias in bindings file. (bsc#1172429)
- Improve logging for failure to set dev_loss_tmo. (bsc#1173060, bsc#1173064)
- Fix handling of hardware properties for maps without paths. (bsc#1176644)
- Backported upstream fixes (bsc#1176670):
  * multipath-tools: add HPE MSA 1060/2060 to hwtable.
  * ALUA support for PURE FlashArray.
  * libmultipath: EMC PowerMax NVMe device config.
  * libmultipath: Fix ALUA autodetection when paths are down.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2869-1
Released:    Tue Oct  6 16:13:20 2020
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1011548,1153943,1153946,1161239,1171762
This update for aaa_base fixes the following issues:

- DIR_COLORS (bug#1006973):
  
  - add screen.xterm-256color
  - add TERM rxvt-unicode-256color
  - sort and merge TERM entries in etc/DIR_COLORS
  
- check for Packages.db and use this instead of Packages. (bsc#1171762)
- Rename path() to _path() to avoid using a general name.
- refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)
- etc/profile add some missing ;; in case esac statements
- profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)
- backup-rpmdb: exit if zypper is running (bsc#1161239)
- Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2901-1
Released:    Tue Oct 13 14:22:43 2020
Summary:     Security update for libproxy
Type:        security
Severity:    important
References:  1176410,1177143,CVE-2020-25219,CVE-2020-26154
This update for libproxy fixes the following issues:

- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).
- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2905-1
Released:    Tue Oct 13 15:48:30 2020
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1055186,1065600,1065729,1094244,1112178,1113956,1154366,1167527,1168468,1169972,1171675,1171688,1171742,1173115,1174899,1175228,1175749,1175882,1176011,1176022,1176038,1176235,1176242,1176278,1176316,1176317,1176318,1176319,1176320,1176321,1176381,1176395,1176410,1176423,1176482,1176507,1176536,1176544,1176545,1176546,1176548,1176659,1176698,1176699,1176700,1176721,1176722,1176725,1176732,1176788,1176789,1176869,1176877,1176935,1176950,1176962,1176966,1176990,1177027,1177030,1177041,1177042,1177043,1177044,1177121,1177206,1177258,1177291,1177293,1177294,1177295,1177296,CVE-2020-0404,CVE-2020-0427,CVE-2020-0431,CVE-2020-0432,CVE-2020-14381,CVE-2020-14390,CVE-2020-25212,CVE-2020-25284,CVE-2020-25641,CVE-2020-25643,CVE-2020-26088
The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).
- CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).
- CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).
- CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).
- CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).
- CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).
- CVE-2020-25212: Fixed getxattr kernel panic and memory overflow (bsc#1176381).
- CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).
- CVE-2020-14381: Fixed requeue paths such that filp was valid when dropping the references (bsc#1176011).
- CVE-2019-25643: Fixed an improper input validation in ppp_cp_parse_cr function which could have led to memory corruption and read overflow (bsc#1177206).
- CVE-2020-25641: Fixed ann issue where length bvec was causing softlockups (bsc#1177121).

The following non-security bugs were fixed:

- 9p: Fix memory leak in v9fs_mount (git-fixes).
- ACPI: EC: Reference count query handlers under lock (git-fixes).
- airo: Add missing CAP_NET_ADMIN check in AIROOLDIOCTL/SIOCDEVPRIVATE (git-fixes).
- airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE (git-fixes).
- airo: Fix read overflows sending packets (git-fixes).
- ALSA: asihpi: fix iounmap in error handler (git-fixes).
- ALSA: firewire-digi00x: exclude Avid Adrenaline from detection (git-fixes).
- ALSA; firewire-tascam: exclude Tascam FE-8 from detection (git-fixes).
- ALSA: hda: Fix 2 channel swapping for Tegra (git-fixes).
- ALSA: hda: fix a runtime pm issue in SOF when integrated GPU is disabled (git-fixes).
- ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion NT950XCJ-X716A (git-fixes).
- ALSA: hda/realtek - Improved routing for Thinkpad X1 7th/8th Gen (git-fixes).
- altera-stapl: altera_get_note: prevent write beyond end of 'key' (git-fixes).
- ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter (git-fixes).
- arm64: KVM: Do not generate UNDEF when LORegion feature is present (jsc#SLE-4084).
- arm64: KVM: regmap: Fix unexpected switch fall-through (jsc#SLE-4084).
- asm-generic: fix -Wtype-limits compiler warnings (bsc#1112178).
- ASoC: kirkwood: fix IRQ error handling (git-fixes).
- ASoC: tegra: Fix reference count leaks (git-fixes).
- ath10k: fix array out-of-bounds access (git-fixes).
- ath10k: fix memory leak for tpc_stats_final (git-fixes).
- ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read (git-fixes).
- batman-adv: Add missing include for in_interrupt() (git-fixes).
- batman-adv: Avoid uninitialized chaddr when handling DHCP (git-fixes).
- batman-adv: bla: fix type misuse for backbone_gw hash indexing (git-fixes).
- batman-adv: bla: use netif_rx_ni when not in interrupt context (git-fixes).
- batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh (git-fixes).
- batman-adv: mcast/TT: fix wrongly dropped or rerouted packets (git-fixes).
- bcache: Convert pr_ uses to a more typical style (git fixes (block drivers)).
- bcache: fix overflow in offset_to_stripe() (git fixes (block drivers)).
- bcm63xx_enet: correct clock usage (git-fixes).
- bcm63xx_enet: do not write to random DMA channel on BCM6345 (git-fixes).
- bitfield.h: do not compile-time validate _val in FIELD_FIT (git fixes (bitfield)).
- blktrace: fix debugfs use after free (git fixes (block drivers)).
- block: add docs for gendisk / request_queue refcount helpers (git fixes (block drivers)).
- block: revert back to synchronous request_queue removal (git fixes (block drivers)).
- block: Use non _rcu version of list functions for tag_set_list (git-fixes).
- Bluetooth: Fix refcount use-after-free issue (git-fixes).
- Bluetooth: guard against controllers sending zero'd events (git-fixes).
- Bluetooth: Handle Inquiry Cancel error after Inquiry Complete (git-fixes).
- Bluetooth: L2CAP: handle l2cap config request during open state (git-fixes).
- Bluetooth: prefetch channel before killing sock (git-fixes).
- bnxt_en: Fix completion ring sizing with TPA enabled (networking-stable-20_07_29).
- bonding: use nla_get_u64 to extract the value for IFLA_BOND_AD_ACTOR_SYSTEM (git-fixes).
- btrfs: require only sector size alignment for parent eb bytenr (bsc#1176789).
- btrfs: tree-checker: fix the error message for transid error (bsc#1176788).
- ceph: do not allow setlease on cephfs (bsc#1177041).
- ceph: fix potential mdsc use-after-free crash (bsc#1177042).
- ceph: fix use-after-free for fsc->mdsc (bsc#1177043).
- ceph: handle zero-length feature mask in session messages (bsc#1177044).
- cfg80211: regulatory: reject invalid hints (bsc#1176699).
- cifs: Fix leak when handling lease break for cached root fid (bsc#1176242).
- cifs/smb3: Fix data inconsistent when punch hole (bsc#1176544).
- cifs/smb3: Fix data inconsistent when zero file range (bsc#1176536).
- clk: Add (devm_)clk_get_optional() functions (git-fixes).
- clk: rockchip: Fix initialization of mux_pll_src_4plls_p (git-fixes).
- clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED (git-fixes).
- clk/ti/adpll: allocate room for terminating null (git-fixes).
- clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init() (git-fixes).
- cpufreq: intel_pstate: Fix EPP setting via sysfs in active mode (bsc#1176966).
- dmaengine: at_hdmac: check return value of of_find_device_by_node() in at_dma_xlate() (git-fixes).
- dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling (git-fixes).
- dmaengine: pl330: Fix burst length if burst size is smaller than bus width (git-fixes).
- dmaengine: tegra-apb: Prevent race conditions on channel's freeing (git-fixes).
- dmaengine: zynqmp_dma: fix burst length configuration (git-fixes).
- dm crypt: avoid truncating the logical block size (git fixes (block drivers)).
- dm: fix redundant IO accounting for bios that need splitting (git fixes (block drivers)).
- dm integrity: fix a deadlock due to offloading to an incorrect workqueue (git fixes (block drivers)).
- dm integrity: fix integrity recalculation that is improperly skipped (git fixes (block drivers)).
- dm: report suspended device during destroy (git fixes (block drivers)).
- dm rq: do not call blk_mq_queue_stopped() in dm_stop_queue() (git fixes (block drivers)).
- dm: use noio when sending kobject event (git fixes (block drivers)).
- dm writecache: add cond_resched to loop in persistent_memory_claim() (git fixes (block drivers)).
- dm writecache: correct uncommitted_block when discarding uncommitted entry (git fixes (block drivers)).
- dm zoned: assign max_io_len correctly (git fixes (block drivers)).
- drivers: char: tlclk.c: Avoid data race between init and interrupt handler (git-fixes).
- Drivers: hv: Specify receive buffer size using Hyper-V page size (bsc#1176877).
- Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload (git-fixes).
- drivers/net/wan/x25_asy: Fix to make it work (networking-stable-20_07_29).
- drm/amd/display: dal_ddc_i2c_payloads_create can fail causing panic (git-fixes).
- drm/amd/display: fix ref count leak in amdgpu_drm_ioctl (git-fixes).
- drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails (git-fixes).
- drm/amdgpu: Fix buffer overflow in INFO ioctl (git-fixes).
- drm/amdgpu: Fix bug in reporting voltage for CIK (git-fixes).
- drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms (git-fixes).
- drm/amdgpu: increase atombios cmd timeout (git-fixes).
- drm/amdgpu/powerplay: fix AVFS handling with custom powerplay table (git-fixes).
- drm/amdgpu/powerplay/smu7: fix AVFS handling with custom powerplay table (git-fixes).
- drm/amdkfd: fix a memory leak issue (git-fixes).
- drm/amdkfd: Fix reference count leaks (git-fixes).
- drm/amd/pm: correct Vega10 swctf limit setting (git-fixes).
- drm/amd/pm: correct Vega12 swctf limit setting (git-fixes).
- drm/ast: Initialize DRAM type before posting GPU (bsc#1113956) 	* context changes
- drm/mediatek: Add exception handing in mtk_drm_probe() if component init fail (git-fixes).
- drm/mediatek: Add missing put_device() call in mtk_hdmi_dt_parse_pdata() (git-fixes).
- drm/msm/a5xx: Always set an OPP supported hardware value (git-fixes).
- drm/msm: add shutdown support for display platform_driver (git-fixes).
- drm/msm: Disable preemption on all 5xx targets (git-fixes).
- drm/msm: fix leaks if initialization fails (git-fixes).
- drm/msm/gpu: make ringbuffer readonly (bsc#1112178) 	* context changes
- drm/nouveau/debugfs: fix runtime pm imbalance on error (git-fixes).
- drm/nouveau/dispnv50: fix runtime pm imbalance on error (git-fixes).
- drm/nouveau/drm/noveau: fix reference count leak in nouveau_fbcon_open (git-fixes).
- drm/nouveau: Fix reference count leak in nouveau_connector_detect (git-fixes).
- drm/nouveau: fix reference count leak in nv50_disp_atomic_commit (git-fixes).
- drm/nouveau: fix runtime pm imbalance on error (git-fixes).
- drm/omap: fix possible object reference leak (git-fixes).
- drm/radeon: fix multiple reference count leak (git-fixes).
- drm/radeon: Prefer lower feedback dividers (git-fixes).
- drm/radeon: revert 'Prefer lower feedback dividers' (git-fixes).
- drm/sun4i: Fix dsi dcs long write function (git-fixes).
- drm/sun4i: sun8i-csc: Secondary CSC register correction (git-fixes).
- drm/tve200: Stabilize enable/disable (git-fixes).
- drm/vc4/vc4_hdmi: fill ASoC card owner (git-fixes).
- e1000: Do not perform reset in reset_task if we are already down (git-fixes).
- EDAC: Fix reference count leaks (bsc#1112178).
- fbcon: prevent user font height or width change from causing (bsc#1112178) 	
- Fix error in kabi fix for: NFSv4: Fix OPEN / CLOSE race (bsc#1176950).
- ftrace: Move RCU is watching check after recursion check (git-fixes).
- ftrace: Setup correct FTRACE_FL_REGS flags for module (git-fixes).
- gma/gma500: fix a memory disclosure bug due to uninitialized bytes (git-fixes).
- gpio: tc35894: fix up tc35894 interrupt configuration (git-fixes).
- gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable() (git-fixes).
- gtp: fix Illegal context switch in RCU read-side critical section (git-fixes).
- gtp: fix use-after-free in gtp_newlink() (git-fixes).
- Hide e21a4f3a930c as of its duplication
- HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage() (git-fixes).
- hsr: use netdev_err() instead of WARN_ONCE() (bsc#1176659).
- hv_utils: drain the timesync packets on onchannelcallback (bsc#1176877).
- hv_utils: return error if host timesysnc update is stale (bsc#1176877).
- hwmon: (applesmc) check status earlier (git-fixes).
- i2c: core: Do not fail PRP0001 enumeration when no ID table exist (git-fixes).
- i2c: cpm: Fix i2c_ram structure (git-fixes).
- ibmvnic: add missing parenthesis in do_reset() (bsc#1176700 ltc#188140).
- ieee802154/adf7242: check status of adf7242_read_reg (git-fixes).
- ieee802154: fix one possible memleak in ca8210_dev_com_init (git-fixes).
- iio:accel:bmc150-accel: Fix timestamp alignment and prevent data leak (git-fixes).
- iio: accel: kxsd9: Fix alignment of local buffer (git-fixes).
- iio:accel:mma7455: Fix timestamp alignment and prevent data leak (git-fixes).
- iio:adc:ina2xx Fix timestamp alignment issue (git-fixes).
- iio: adc: mcp3422: fix locking on error path (git-fixes).
- iio: adc: mcp3422: fix locking scope (git-fixes).
- iio:adc:ti-adc081c Fix alignment and data leak issues (git-fixes).
- iio: adc: ti-ads1015: fix conversion when CONFIG_PM is not set (git-fixes).
- iio: improve IIO_CONCENTRATION channel type description (git-fixes).
- iio:light:ltr501 Fix timestamp alignment issue (git-fixes).
- iio:light:max44000 Fix timestamp alignment and prevent data leak (git-fixes).
- iio:magnetometer:ak8975 Fix alignment and data leak issues (git-fixes).
- include: add additional sizes (bsc#1094244 ltc#168122).
- iommu/amd: Fix IOMMU AVIC not properly update the is_run bit in IRTE (bsc#1177293).
- iommu/amd: Fix potential @entry null deref (bsc#1177294).
- iommu/amd: Print extended features in one line to fix divergent log levels (bsc#1176316).
- iommu/amd: Re-factor guest virtual APIC (de-)activation code (bsc#1177291).
- iommu/amd: Restore IRTE.RemapEn bit after programming IRTE (bsc#1176317).
- iommu/amd: Restore IRTE.RemapEn bit for amd_iommu_activate_guest_mode (bsc#1177295).
- iommu/amd: Use cmpxchg_double() when updating 128-bit IRTE (bsc#1176318).
- iommu/exynos: add missing put_device() call in exynos_iommu_of_xlate() (bsc#1177296).
- iommu/omap: Check for failure of a call to omap_iommu_dump_ctx (bsc#1176319).
- iommu/vt-d: Serialize IOMMU GCMD register modifications (bsc#1176320).
- kernel-syms.spec.in: Also use bz compression (boo#1175882).
- KVM: arm64: Change 32-bit handling of VM system registers (jsc#SLE-4084).
- KVM: arm64: Cleanup __activate_traps and __deactive_traps for VHE and non-VHE (jsc#SLE-4084).
- KVM: arm64: Configure c15, PMU, and debug register traps on cpu load/put for VHE (jsc#SLE-4084).
- KVM: arm64: Defer saving/restoring 32-bit sysregs to vcpu load/put (jsc#SLE-4084).
- KVM: arm64: Defer saving/restoring 64-bit sysregs to vcpu load/put on VHE (jsc#SLE-4084).
- KVM: arm64: Directly call VHE and non-VHE FPSIMD enabled functions (jsc#SLE-4084).
- KVM: arm64: Do not deactivate VM on VHE systems (jsc#SLE-4084).
- KVM: arm64: Do not save the host ELR_EL2 and SPSR_EL2 on VHE systems (jsc#SLE-4084).
- KVM: arm64: Factor out fault info population and gic workarounds (jsc#SLE-4084).
- KVM: arm64: Fix order of vcpu_write_sys_reg() arguments (jsc#SLE-4084).
- KVM: arm64: Forbid kprobing of the VHE world-switch code (jsc#SLE-4084).
- KVM: arm64: Improve debug register save/restore flow (jsc#SLE-4084).
- KVM: arm64: Introduce framework for accessing deferred sysregs (jsc#SLE-4084).
- KVM: arm64: Introduce separate VHE/non-VHE sysreg save/restore functions (jsc#SLE-4084).
- KVM: arm64: Introduce VHE-specific kvm_vcpu_run (jsc#SLE-4084).
- KVM: arm64: Move common VHE/non-VHE trap config in separate functions (jsc#SLE-4084).
- KVM: arm64: Move debug dirty flag calculation out of world switch (jsc#SLE-4084).
- KVM: arm64: Move HCR_INT_OVERRIDE to default HCR_EL2 guest flag (jsc#SLE-4084).
- KVM: arm64: Move userspace system registers into separate function (jsc#SLE-4084).
- KVM: arm64: Prepare to handle deferred save/restore of 32-bit registers (jsc#SLE-4084).
- KVM: arm64: Prepare to handle deferred save/restore of ELR_EL1 (jsc#SLE-4084).
- KVM: arm64: Remove kern_hyp_va() use in VHE switch function (jsc#SLE-4084).
- KVM: arm64: Remove noop calls to timer save/restore from VHE switch (jsc#SLE-4084).
- KVM: arm64: Rework hyp_panic for VHE and non-VHE (jsc#SLE-4084).
- KVM: arm64: Rewrite sysreg alternatives to static keys (jsc#SLE-4084).
- KVM: arm64: Rewrite system register accessors to read/write functions (jsc#SLE-4084).
- KVM: arm64: Slightly improve debug save/restore functions (jsc#SLE-4084).
- KVM: arm64: Unify non-VHE host/guest sysreg save and restore functions (jsc#SLE-4084).
- KVM: arm64: Write arch.mdcr_el2 changes since last vcpu_load on VHE (jsc#SLE-4084).
- KVM: arm/arm64: Avoid vcpu_load for other vcpu ioctls than KVM_RUN (jsc#SLE-4084).
- KVM: arm/arm64: Avoid VGICv3 save/restore on VHE with no IRQs (jsc#SLE-4084).
- KVM: arm/arm64: Get rid of vcpu->arch.irq_lines (jsc#SLE-4084).
- KVM: arm/arm64: Handle VGICv3 save/restore from the main VGIC code on VHE (jsc#SLE-4084).
- KVM: arm/arm64: Move vcpu_load call after kvm_vcpu_first_run_init (jsc#SLE-4084).
- KVM: arm/arm64: Move VGIC APR save/restore to vgic put/load (jsc#SLE-4084).
- KVM: arm/arm64: Prepare to handle deferred save/restore of SPSR_EL1 (jsc#SLE-4084).
- KVM: arm/arm64: Remove leftover comment from kvm_vcpu_run_vhe (jsc#SLE-4084).
- KVM: introduce kvm_arch_vcpu_async_ioctl (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_get_fpu (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_get_mpstate (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_get_regs (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_run (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_set_fpu (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_set_guest_debug (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_set_mpstate (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_set_regs (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_set_sregs (jsc#SLE-4084).
- KVM: Move vcpu_load to arch-specific kvm_arch_vcpu_ioctl_translate (jsc#SLE-4084).
- KVM: PPC: Fix compile error that occurs when CONFIG_ALTIVEC=n (jsc#SLE-4084).
- KVM: Prepare for moving vcpu_load/vcpu_put into arch specific code (jsc#SLE-4084).
- KVM: SVM: Add a dedicated INVD intercept routine (bsc#1112178).
- KVM: SVM: Fix disable pause loop exit/pause filtering capability on SVM (bsc#1176321).
- KVM: SVM: fix svn_pin_memory()'s use of get_user_pages_fast() (bsc#1112178).
- KVM: Take vcpu->mutex outside vcpu_load (jsc#SLE-4084).
- libceph: allow setting abort_on_full for rbd (bsc#1169972).
- libnvdimm: cover up nvdimm_security_ops changes (bsc#1171742).
- libnvdimm: cover up struct nvdimm changes (bsc#1171742).
- libnvdimm/security, acpi/nfit: unify zero-key for all security commands (bsc#1171742).
- libnvdimm/security: fix a typo (bsc#1171742 bsc#1167527).
- libnvdimm/security: Introduce a 'frozen' attribute (bsc#1171742).
- lib/raid6: use vdupq_n_u8 to avoid endianness warnings (git fixes (block drivers)).
- mac802154: tx: fix use-after-free (git-fixes).
- md: raid0/linear: fix dereference before null check on pointer mddev (git fixes (block drivers)).
- media: davinci: vpif_capture: fix potential double free (git-fixes).
- media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq() (git-fixes).
- media: smiapp: Fix error handling at NVM reading (git-fixes).
- media: ti-vpe: cal: Restrict DMA to avoid memory corruption (git-fixes).
- mfd: intel-lpss: Add Intel Emmitsburg PCH PCI IDs (git-fixes).
- mfd: mfd-core: Protect against NULL call-back function pointer (git-fixes).
- mm: Avoid calling build_all_zonelists_init under hotplug context (bsc#1154366).
- mmc: cqhci: Add cqhci_deactivate() (git-fixes).
- mmc: sdhci-msm: Add retries when all tuning phases are found valid (git-fixes).
- mmc: sdhci-pci: Fix SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers (git-fixes).
- mmc: sdhci: Workaround broken command queuing on Intel GLK based IRBIS models (git-fixes).
- mm/page_alloc.c: fix a crash in free_pages_prepare() (git fixes (mm/pgalloc)).
- mm/vmalloc.c: move 'area->pages' after if statement (git fixes (mm/vmalloc)).
- mtd: cfi_cmdset_0002: do not free cfi->cfiq in error path of cfi_amdstd_setup() (git-fixes).
- mtd: lpddr: Fix a double free in probe() (git-fixes).
- mtd: phram: fix a double free issue in error path (git-fixes).
- mtd: properly check all write ioctls for permissions (git-fixes).
- net: dsa: b53: Fix sparse warnings in b53_mmap.c (git-fixes).
- net: dsa: b53: Use strlcpy() for ethtool::get_strings (git-fixes).
- net: dsa: mv88e6xxx: fix 6085 frame mode masking (git-fixes).
- net: dsa: mv88e6xxx: Fix interrupt masking on removal (git-fixes).
- net: dsa: mv88e6xxx: Fix name of switch 88E6141 (git-fixes).
- net: dsa: mv88e6xxx: fix shift of FID bits in mv88e6185_g1_vtu_loadpurge() (git-fixes).
- net: dsa: mv88e6xxx: Unregister MDIO bus on error path (git-fixes).
- net: dsa: qca8k: Allow overwriting CPU port setting (git-fixes).
- net: dsa: qca8k: Enable RXMAC when bringing up a port (git-fixes).
- net: dsa: qca8k: Force CPU port to its highest bandwidth (git-fixes).
- net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init() (git-fixes).
- net: fs_enet: do not call phy_stop() in interrupts (git-fixes).
- net: initialize fastreuse on inet_inherit_port (networking-stable-20_08_15).
- net: lan78xx: Bail out if lan78xx_get_endpoints fails (git-fixes).
- net: lan78xx: replace bogus endpoint lookup (networking-stable-20_08_08).
- net: lio_core: fix potential sign-extension overflow on large shift (git-fixes).
- net/mlx5: Add meaningful return codes to status_to_err function (git-fixes).
- net/mlx5: E-Switch, Use correct flags when configuring vlan (git-fixes).
- net/mlx5e: XDP, Avoid checksum complete when XDP prog is loaded (git-fixes).
- net: mvneta: fix mtu change on port without link (git-fixes).
- net-next: ax88796: Do not free IRQ in ax_remove() (already freed in ax_close()) (git-fixes).
- net/nfc/rawsock.c: add CAP_NET_RAW check (networking-stable-20_08_15).
- net: qca_spi: Avoid packet drop during initial sync (git-fixes).
- net: qca_spi: Make sure the QCA7000 reset is triggered (git-fixes).
- net: refactor bind_bucket fastreuse into helper (networking-stable-20_08_15).
- net/smc: fix dmb buffer shortage (git-fixes).
- net/smc: fix restoring of fallback changes (git-fixes).
- net/smc: fix sock refcounting in case of termination (git-fixes).
- net/smc: improve close of terminated socket (git-fixes).
- net/smc: Prevent kernel-infoleak in __smc_diag_dump() (git-fixes).
- net/smc: remove freed buffer from list (git-fixes).
- net/smc: reset sndbuf_desc if freed (git-fixes).
- net/smc: set rx_off for SMCR explicitly (git-fixes).
- net/smc: switch smcd_dev_list spinlock to mutex (git-fixes).
- net/smc: tolerate future SMCD versions (git-fixes).
- net: stmmac: call correct function in stmmac_mac_config_rx_queues_routing() (git-fixes).
- net: stmmac: Disable ACS Feature for GMAC >= 4 (git-fixes).
- net: stmmac: do not stop NAPI processing when dropping a packet (git-fixes).
- net: stmmac: dwmac4: fix flow control issue (git-fixes).
- net: stmmac: dwmac_lib: fix interchanged sleep/timeout values in DMA reset function (git-fixes).
- net: stmmac: dwmac-meson8b: Add missing boundary to RGMII TX clock array (git-fixes).
- net: stmmac: dwmac-meson8b: fix internal RGMII clock configuration (git-fixes).
- net: stmmac: dwmac-meson8b: fix setting the RGMII TX clock on Meson8b (git-fixes).
- net: stmmac: dwmac-meson8b: Fix the RGMII TX delay on Meson8b/8m2 SoCs (git-fixes).
- net: stmmac: dwmac-meson8b: only configure the clocks in RGMII mode (git-fixes).
- net: stmmac: dwmac-meson8b: propagate rate changes to the parent clock (git-fixes).
- net: stmmac: Fix error handling path in 'alloc_dma_rx_desc_resources()' (git-fixes).
- net: stmmac: Fix error handling path in 'alloc_dma_tx_desc_resources()' (git-fixes).
- net: stmmac: rename dwmac4_tx_queue_routing() to match reality (git-fixes).
- net: stmmac: set MSS for each tx DMA channel (git-fixes).
- net: stmmac: Use correct values in TQS/RQS fields (git-fixes).
- net-sysfs: add a newline when printing 'tx_timeout' by sysfs (networking-stable-20_07_29).
- net: systemport: Fix software statistics for SYSTEMPORT Lite (git-fixes).
- net: systemport: Fix sparse warnings in bcm_sysport_insert_tsb() (git-fixes).
- net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE() (git-fixes).
- net: ucc_geth - fix Oops when changing number of buffers in the ring (git-fixes).
- NFSv4: do not mark all open state for recovery when handling recallable state revoked flag (bsc#1176935).
- nvme-fc: set max_segments to lldd max value (bsc#1176038).
- nvme-pci: override the value of the controller's numa node (bsc#1176507).
- ocfs2: give applications more IO opportunities during fstrim (bsc#1175228).
- omapfb: fix multiple reference count leaks due to pm_runtime_get_sync (git-fixes).
- PCI/ASPM: Allow re-enabling Clock PM (git-fixes).
- PCI: Fix pci_create_slot() reference count leak (git-fixes).
- PCI: qcom: Add missing ipq806x clocks in PCIe driver (git-fixes).
- PCI: qcom: Add missing reset for ipq806x (git-fixes).
- PCI: qcom: Add support for tx term offset for rev 2.1.0 (git-fixes).
- PCI: qcom: Define some PARF params needed for ipq8064 SoC (git-fixes).
- PCI: rcar: Fix incorrect programming of OB windows (git-fixes).
- phy: samsung: s5pv210-usb2: Add delay after reset (git-fixes).
- pinctrl: mvebu: Fix i2c sda definition for 98DX3236 (git-fixes).
- powerpc/64s: Blacklist functions invoked on a trap (bsc#1094244 ltc#168122).
- powerpc/64s: Fix HV NMI vs HV interrupt recoverability test (bsc#1094244 ltc#168122).
- powerpc/64s: Fix unrelocated interrupt trampoline address test (bsc#1094244 ltc#168122).
- powerpc/64s: Include  header file to fix a warning (bsc#1094244 ltc#168122).
- powerpc/64s: machine check do not trace real-mode handler (bsc#1094244 ltc#168122).
- powerpc/64s: sreset panic if there is no debugger or crash dump handlers (bsc#1094244 ltc#168122).
- powerpc/64s: system reset interrupt preserve HSRRs (bsc#1094244 ltc#168122).
- powerpc: Add cputime_to_nsecs() (bsc#1065729).
- powerpc/book3s64/radix: Add kernel command line option to disable radix GTSE (bsc#1055186 ltc#153436).
- powerpc/book3s64/radix: Fix boot failure with large amount of guest memory (bsc#1176022 ltc#187208).
- powerpc: Implement ftrace_enabled() helpers (bsc#1094244 ltc#168122).
- powerpc/init: Do not advertise radix during client-architecture-support (bsc#1055186 ltc#153436 ).
- powerpc/kernel: Cleanup machine check function declarations (bsc#1065729).
- powerpc/kernel: Enables memory hot-remove after reboot on pseries guests (bsc#1177030 ltc#187588).
- powerpc/mm: Enable radix GTSE only if supported (bsc#1055186 ltc#153436).
- powerpc/mm: Limit resize_hpt_for_hotplug() call to hash guests only (bsc#1177030 ltc#187588).
- powerpc/mm: Move book3s64 specifics in subdirectory mm/book3s64 (bsc#1176022 ltc#187208).
- powerpc/powernv: Remove real mode access limit for early allocations (bsc#1176022 ltc#187208).
- powerpc/prom: Enable Radix GTSE in cpu pa-features (bsc#1055186 ltc#153436).
- powerpc/pseries/le: Work around a firmware quirk (bsc#1094244 ltc#168122).
- powerpc/pseries: lift RTAS limit for radix (bsc#1176022 ltc#187208).
- powerpc/pseries: Limit machine check stack to 4GB (bsc#1094244 ltc#168122).
- powerpc/pseries: Machine check use rtas_call_unlocked() with args on stack (bsc#1094244 ltc#168122).
- powerpc/pseries: radix is not subject to RMA limit, remove it (bsc#1176022 ltc#187208).
- powerpc/pseries/ras: Avoid calling rtas_token() in NMI paths (bsc#1094244 ltc#168122).
- powerpc/pseries/ras: Fix FWNMI_VALID off by one (bsc#1094244 ltc#168122).
- powerpc/pseries/ras: fwnmi avoid modifying r3 in error case (bsc#1094244 ltc#168122).
- powerpc/pseries/ras: fwnmi sreset should not interlock (bsc#1094244 ltc#168122).
- powerpc/traps: Do not trace system reset (bsc#1094244 ltc#168122).
- powerpc/traps: fix recoverability of machine check handling on book3s/32 (bsc#1094244 ltc#168122).
- powerpc/traps: Make unrecoverable NMIs die instead of panic (bsc#1094244 ltc#168122).
- powerpc/xmon: Use `dcbf` inplace of `dcbi` instruction for 64bit Book3S (bsc#1065729).
- power: supply: max17040: Correct voltage reading (git-fixes).
- rcu: Do RCU GP kthread self-wakeup from softirq and interrupt (git fixes (rcu)).
- regulator: push allocation in set_consumer_device_supply() out of lock (git-fixes).
- rpadlpar_io: Add MODULE_DESCRIPTION entries to kernel modules (bsc#1176869 ltc#188243).
- rpm/constraints.in: recognize also kernel-source-azure (bsc#1176732)
- rpm/kernel-binary.spec.in: Also sign ppc64 kernels (jsc#SLE-15857 jsc#SLE-13618).
- rpm/kernel-cert-subpackage: add CA check on key enrollment (bsc#1173115) To avoid the unnecessary key enrollment, when enrolling the signing key of the kernel package, '--ca-check' is added to mokutil so that mokutil will ignore the request if the CA of the signing key already exists in MokList or UEFI db. Since the macro, %_suse_kernel_module_subpackage, is only defined in a kernel module package (KMP), it's used to determine whether the %post script is running in a kernel package, or a kernel module package.
- rpm/kernel-source.spec.in: Also use bz compression (boo#1175882).
- rpm/macros.kernel-source: pass -c proerly in kernel module package (bsc#1176698) The '-c' option wasn't passed down to %_kernel_module_package so the ueficert subpackage wasn't generated even if the certificate is specified in the spec file.
- rtc: ds1374: fix possible race condition (git-fixes).
- rtlwifi: rtl8192cu: Prevent leaking urb (git-fixes).
- rxrpc: Fix race between recvmsg and sendmsg on immediate call failure (networking-stable-20_08_08).
- rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA (networking-stable-20_07_29).
- s390/mm: fix huge pte soft dirty copying (git-fixes).
- s390/qeth: do not process empty bridge port events (git-fixes).
- s390/qeth: integrate RX refill worker with NAPI (git-fixes).
- s390/qeth: tolerate pre-filled RX buffer (git-fixes).
- scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del() (bsc#1174899).
- scsi: fnic: Do not call 'scsi_done()' for unhandled commands (bsc#1168468, bsc#1171675).
- scsi: ibmvfc: Avoid link down on FS9100 canister reboot (bsc#1176962 ltc#188304).
- scsi: ibmvfc: Use compiler attribute defines instead of __attribute__() (bsc#1176962 ltc#188304).
- scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername() (bsc#1177258).
- scsi: libfc: Fix for double free() (bsc#1174899).
- scsi: libfc: free response frame from GPN_ID (bsc#1174899).
- scsi: libfc: Free skb in fc_disc_gpn_id_resp() for valid cases (bsc#1174899).
- scsi: lpfc: Add dependency on CPU_FREQ (git-fixes).
- scsi: lpfc: Fix setting IRQ affinity with an empty CPU mask (git-fixes).
- scsi: qla2xxx: Fix regression on sparc64 (git-fixes).
- scsi: qla2xxx: Fix the return value (bsc#1171688).
- scsi: qla2xxx: Fix the size used in a 'dma_free_coherent()' call (bsc#1171688).
- scsi: qla2xxx: Fix wrong return value in qla_nvme_register_hba() (bsc#1171688).
- scsi: qla2xxx: Fix wrong return value in qlt_chk_unresolv_exchg() (bsc#1171688).
- scsi: qla2xxx: Handle incorrect entry_type entries (bsc#1171688).
- scsi: qla2xxx: Log calling function name in qla2x00_get_sp_from_handle() (bsc#1171688).
- scsi: qla2xxx: Remove pci-dma-compat wrapper API (bsc#1171688).
- scsi: qla2xxx: Remove redundant variable initialization (bsc#1171688).
- scsi: qla2xxx: Remove superfluous memset() (bsc#1171688).
- scsi: qla2xxx: Simplify return value logic in qla2x00_get_sp_from_handle() (bsc#1171688).
- scsi: qla2xxx: Suppress two recently introduced compiler warnings (git-fixes).
- scsi: qla2xxx: Warn if done() or free() are called on an already freed srb (bsc#1171688).
- sdhci: tegra: Remove SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK for Tegra186 (git-fixes).
- sdhci: tegra: Remove SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK for Tegra210 (git-fixes).
- serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout (git-fixes).
- serial: 8250_omap: Fix sleeping function called from invalid context during probe (git-fixes).
- serial: 8250_port: Do not service RX FIFO if throttled (git-fixes).
- Set CONFIG_HAVE_KVM_VCPU_ASYNC_IOCTL=y (jsc#SLE-4084).
- SMB3: Honor persistent/resilient handle flags for multiuser mounts (bsc#1176546).
- SMB3: Honor 'seal' flag for multiuser mounts (bsc#1176545).
- SMB3: warn on confusing error scenario with sec=krb5 (bsc#1176548).
- stmmac: Do not access tx_q->dirty_tx before netif_tx_lock (git-fixes).
- tcp: apply a floor of 1 for RTT samples from TCP timestamps (networking-stable-20_08_08).
- thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430 (git-fixes).
- tools/power/cpupower: Fix initializer override in hsw_ext_cstates (bsc#1112178).
- USB: core: fix slab-out-of-bounds Read in read_descriptors (git-fixes).
- USB: dwc3: Increase timeout for CmdAct cleared by device controller (git-fixes).
- USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() (git-fixes).
- USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int (git-fixes).
- USB: Fix out of sync data toggle if a configured device is reconfigured (git-fixes).
- USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb() (git-fixes).
- USB: gadget: f_ncm: Fix NDP16 datagram validation (git-fixes).
- USB: gadget: u_f: add overflow checks to VLA macros (git-fixes).
- USB: gadget: u_f: Unbreak offset calculation in VLAs (git-fixes).
- USB: hso: check for return value in hso_serial_common_create() (networking-stable-20_08_08).
- usblp: fix race between disconnect() and read() (git-fixes).
- USB: lvtest: return proper error code in probe (git-fixes).
- usbnet: ipheth: fix potential null pointer dereference in ipheth_carrier_set (git-fixes).
- USB: qmi_wwan: add D-Link DWM-222 A2 device ID (git-fixes).
- USB: quirks: Add no-lpm quirk for another Raydium touchscreen (git-fixes).
- USB: quirks: Add USB_QUIRK_IGNORE_REMOTE_WAKEUP quirk for BYD zhaoxin notebook (git-fixes).
- USB: quirks: Ignore duplicate endpoint on Sound Devices MixPre-D (git-fixes).
- USB: serial: ftdi_sio: add IDs for Xsens Mti USB converter (git-fixes).
- USB: serial: option: add support for SIM7070/SIM7080/SIM7090 modules (git-fixes).
- USB: serial: option: support dynamic Quectel USB compositions (git-fixes).
- USB: sisusbvga: Fix a potential UB casued by left shifting a negative value (git-fixes).
- USB: storage: Add unusual_uas entry for Sony PSZ drives (git-fixes).
- USB: typec: ucsi: acpi: Check the _DEP dependencies (git-fixes).
- USB: uas: Add quirk for PNY Pro Elite (git-fixes).
- USB: UAS: fix disconnect by unplugging a hub (git-fixes).
- USB: yurex: Fix bad gfp argument (git-fixes).
- vgacon: remove software scrollback support (bsc#1176278).
- video: fbdev: fix OOB read in vga_8planes_imageblit() (git-fixes).
- virtio-blk: free vblk-vqs in error path of virtblk_probe() (git fixes (block drivers)).
- vrf: prevent adding upper devices (git-fixes).
- vxge: fix return of a free'd memblock on a failed dma mapping (git-fixes).
- x86/fsgsbase/64: Fix NULL deref in 86_fsgsbase_read_task (bsc#1112178).
- xen: do not reschedule in preemption off sections (bsc#1175749).
- xen/events: do not use chip_data for legacy IRQs (bsc#1065600).
- xen uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (bsc#1065600).
- xhci: Do warm-reset when both CAS and XDEV_RESUME are set (git-fixes).
- yam: fix possible memory leak in yam_init_driver (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2914-1
Released:    Tue Oct 13 17:25:20 2020
Summary:     Security update for bind
Type:        security
Severity:    moderate
References:  1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624
This update for bind fixes the following issues:

BIND was upgraded to version 9.16.6:

Note:

- bind is now more strict in regards to DNSSEC. If queries are not working,
  check for DNSSEC issues. For instance, if bind is used in a namserver
  forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues:

- CVE-2020-8616: Further limit the number of queries that can be triggered from
  a request.  Root and TLD servers are no longer exempt
  from max-recursion-queries.  Fetches for missing name server. (bsc#1171740)
  Address records are limited to 4 for any domain.
- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an
  assertion failure. (bsc#1171740)
- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass 
  the tcp-clients limit (bsc#1157051).
- CVE-2018-5741: Fixed the documentation (bsc#1109160).
- CVE-2020-8618: It was possible to trigger an INSIST when determining
  whether a record would fit into a TCP message buffer (bsc#1172958).
- CVE-2020-8619: It was possible to trigger an INSIST in
  lib/dns/rbtdb.c:new_reference() with a particular zone content
  and query patterns (bsc#1172958).
- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were
  incorrectly treated as 'zonesub' rules, which allowed
  keys used in 'subdomain' rules to update names outside
  of the specified subdomains. The problem was fixed by
  making sure 'subdomain' rules are again processed as
  described in the ARM (bsc#1175443).
- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it
  was possible to trigger an assertion failure in code
  determining the number of bits in the PKCS#11 RSA public
  key with a specially crafted packet (bsc#1175443).
- CVE-2020-8621: named could crash in certain query resolution scenarios
  where QNAME minimization and forwarding were both
  enabled (bsc#1175443).
- CVE-2020-8620: It was possible to trigger an assertion failure by
  sending a specially crafted large TCP DNS message (bsc#1175443).
- CVE-2020-8622: It was possible to trigger an assertion failure when
  verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed:

- Add engine support to OpenSSL EdDSA implementation.
- Add engine support to OpenSSL ECDSA implementation.
- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
- Warn about AXFR streams with inconsistent message IDs.
- Make ISC rwlock implementation the default again.
- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)
- Installed the default files in /var/lib/named and created 
  chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)
- Fixed an issue where bind was not working in FIPS mode (bsc#906079).
- Fixed dependency issues (bsc#1118367 and bsc#1118368).
- GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).
- Fixed an issue with FIPS (bsc#1128220).
- The liblwres library is discontinued upstream and is no longer included.
- Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).
- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.
- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.
- Zone timers are now exported via statistics channel.
- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.
- 'rndc dnstap -roll ' did not limit the number of saved files to .
- Add 'rndc dnssec -status' command.
- Addressed a couple of situations where named could crash.
- Changed /var/lib/named to owner root:named and perms rwxrwxr-t
  so that named, being a/the only member of the 'named' group
  has full r/w access yet cannot change directories owned by root
  in the case of a compromized named.
  [bsc#1173307, bind-chrootenv.conf]
- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).
- Removed '-r /dev/urandom' from all invocations of rndc-confgen
  (init/named system/lwresd.init system/named.init in vendor-files)
  as this option is deprecated and causes rndc-confgen to fail.
  (bsc#1173311, bsc#1176674, bsc#1170713)
- /usr/bin/genDDNSkey: Removing the use of the -r option in the call
  of /usr/sbin/dnssec-keygen as BIND now uses the random number
  functions provided by the crypto library (i.e., OpenSSL or a
  PKCS#11 provider) as a source of randomness rather than /dev/random.
  Therefore the -r command line option no longer has any effect on
  dnssec-keygen. Leaving the option in genDDNSkey as to not break
  compatibility. Patch provided by Stefan Eisenwiener.
  [bsc#1171313]
- Put libns into a separate subpackage to avoid file conflicts
  in the libisc subpackage due to different sonums (bsc#1176092).
- Require /sbin/start_daemon: both init scripts, the one used in
  systemd context as well as legacy sysv, make use of start_daemon.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2947-1
Released:    Fri Oct 16 15:23:07 2020
Summary:     Security update for gcc10, nvptx-tools
Type:        security
Severity:    moderate
References:  1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844
This update for gcc10, nvptx-tools fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by
the gcc10 variants.

The new compiler variants are available with '-10' suffix, you can specify them
via:

	CC=gcc-10
	CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

Changes in nvptx-tools:

- Enable build on aarch64
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2953-1
Released:    Mon Oct 19 06:25:15 2020
Summary:     Recommended update for gettext-runtime
Type:        recommended
Severity:    moderate
References:  1176142
This update for gettext-runtime fixes the following issues:

- Fix for an issue when 'xgettext' crashes during creating a 'POT' file. (bsc#1176142) 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2958-1
Released:    Tue Oct 20 12:24:55 2020
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1158830
This update for procps fixes the following issues:

- Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2972-1
Released:    Tue Oct 20 17:07:51 2020
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    critical
References:  1065729,1140683,1172538,1174748,1175520,1176400,1176946,1177027,1177340,1177511,1177685,1177724,1177725,CVE-2020-12351,CVE-2020-12352,CVE-2020-25645
The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2020-12351: Fixed a type confusion while processing AMP packets aka 'BleedingTooth' aka 'BadKarma' (bsc#1177724).
- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' aka 'BadChoice' (bsc#1177725).
- CVE-2020-25645: Fixed an issue which traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted (bsc#1177511).


The following non-security bugs were fixed:

- drm/sun4i: mixer: Extend regmap max_register (git-fixes).
- i2c: meson: fix clock setting overwrite (git-fixes).
- iommu/vt-d: Correctly calculate agaw in domain_init() (bsc#1176400).
- mac80211: do not allow bigger VHT MPDUs than the hardware supports (git-fixes).
- macsec: avoid use-after-free in macsec_handle_frame() (git-fixes).
- mmc: core: do not set limits.discard_granularity as 0 (git-fixes).
- mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm() (bsc#1177685).
- NFS: On fatal writeback errors, we need to call nfs_inode_remove_request() (bsc#1177340).
- NFS: Revalidate the file mapping on all fatal writeback errors (bsc#1177340).
- nvme: add a Identify Namespace Identification Descriptor list quirk (bsc#1174748). add two previous futile attempts to fix the bug to blacklist.conf
- nvme: Fix ctrl use-after-free during sysfs deletion (bsc#1174748).
- nvme: fix deadlock caused by ANA update wrong locking (bsc#1174748).
- nvme: fix possible io failures when removing multipathed ns (bsc#1174748).
- nvme: make nvme_identify_ns propagate errors back (bsc#1174748). Refresh:  - patches.suse/nvme-flush-scan_work-when-resetting-controller.patch
- nvme: make nvme_report_ns_ids propagate error back (bsc#1174748).
- nvme-multipath: do not reset on unknown status (bsc#1174748).
- nvme: Namepace identification descriptor list is optional (bsc#1174748).
- nvme: pass status to nvme_error_status (bsc#1174748).
- nvme-rdma: Avoid double freeing of async event data (bsc#1174748).
- nvme: return error from nvme_alloc_ns() (bsc#1174748).
- powerpc/dma: Fix dma_map_ops::get_required_mask (bsc#1065729).
- scsi-hisi-kabi-fixes.patch
- scsi-hisi-kabi-fixes.patch
- scsi: hisi_sas: Add debugfs ITCT file and add file operations (bsc#1140683).
- scsi: hisi_sas: Add manual trigger for debugfs dump (bsc#1140683).
- scsi: hisi_sas: Add missing seq_printf() call in hisi_sas_show_row_32() (bsc#1140683).
- scsi: hisi_sas: Change return variable type in phy_up_v3_hw() (bsc#1140683).
- scsi: hisi_sas: Correct memory allocation size for DQ debugfs (bsc#1140683).
- scsi: hisi_sas: Do some more tidy-up (bsc#1140683).
- scsi: hisi_sas: Fix a timeout race of driver internal and SMP IO (bsc#1140683).
- scsi: hisi_sas: Fix type casting and missing static qualifier in debugfs code (bsc#1140683). Refresh:
- scsi-hisi_sas-Issue-internal-abort-on-all-relevant-q.patch
- scsi: hisi_sas: No need to check return value of debugfs_create functions (bsc#1140683). Update:
- scsi: hisi_sas: Some misc tidy-up (bsc#1140683).
- scsi: qla2xxx: Add IOCB resource tracking (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Add rport fields in debugfs (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Add SLER and PI control support (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Allow dev_loss_tmo setting for FC-NVMe devices (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Correct the check for sscanf() return value (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix buffer-buffer credit extraction error (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix crash on session cleanup with unload (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix inconsistent format argument type in qla_dbg.c (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix inconsistent format argument type in qla_os.c (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix inconsistent format argument type in tcm_qla2xxx.c (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix I/O errors during LIP reset tests (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix I/O failures during remote port toggle testing (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix memory size truncation (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix MPI reset needed message (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix point-to-point (N2N) device discovery issue (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Fix reset of MPI firmware (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Honor status qualifier in FCP_RSP per spec (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Make tgt_port_database available in initiator mode (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Performance tweak (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Reduce duplicate code in reporting speed (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Remove unneeded variable 'rval' (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Setup debugfs entries for remote ports (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Update version to 10.02.00.102-k (bsc#1176946 bsc#1175520 bsc#1172538).
- scsi: qla2xxx: Update version to 10.02.00.103-k (bsc#1176946 bsc#1175520 bsc#1172538).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2975-1
Released:    Wed Oct 21 08:16:15 2020
Summary:     Recommended update for kexec-tools
Type:        recommended
Severity:    critical
References:  1133877,1141559,1168698,1172688
This update for kexec-tools fixes the following issues:

- Fixes an issue where XEN fails to start 'kdump' service. (bsc#1133877, bsc#1141559, bsc#1172688)
- Fix for loading kdump kernel with kexec on startup. (bsc#1168698)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2983-1
Released:    Wed Oct 21 15:03:03 2020
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1176123
This update for file fixes the following issues:

- Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)  
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2988-1
Released:    Wed Oct 21 17:35:34 2020
Summary:     Security update for gnutls
Type:        security
Severity:    moderate
References:  1176086,1176181,1176671,CVE-2020-24659
This update for gnutls fixes the following issues:

- Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)
- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)
- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)
- FIPS: Add TLS KDF selftest (bsc#1176671)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:2989-1
Released:    Thu Oct 22 08:53:10 2020
Summary:     Recommended update for chrony
Type:        recommended
Severity:    moderate
References:  1171806
This update for chrony fixes the following issues:

- Integrate three upstream patches to fix an infinite loop in chronyc. (bsc#1171806)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:2995-1
Released:    Thu Oct 22 10:03:09 2020
Summary:     Security update for freetype2
Type:        security
Severity:    important
References:  1177914,CVE-2020-15999
This update for freetype2 fixes the following issues:

- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2020:3048-1
Released:    Tue Oct 27 16:05:17 2020
Summary:     Recommended update for libsolv, libzypp, yaml-cpp, zypper
Type:        recommended
Severity:    moderate
References:  1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885
This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:

libzypp was updated to 17.25.1:

- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)
- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)
  kernel-default-base has new packaging, where the kernel uname -r
  does not reflect the full package version anymore. This patch
  adds additional logic to use the most generic/shortest edition
  each package provides with %{packagename}= to group the
  kernel packages instead of the rpm versions.
  This also changes how the keep-spec for specific versions is
  applied, instead of matching the package versions, each of the
  package name provides will be matched.
- RepoInfo: Return the type of the local metadata cache as
  fallback (bsc#1176435)
- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.
  Enhance API and testcases. (bsc#1174918)
- Update docs regarding 'opensuse' namepace matching.
- Link against libzstd to close libsolvs open references
  (as we link statically)

yaml-cpp:

- The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS
  channels, and the INSTALLER channels, as a new libzypp dependency.

  No source changes were done to yaml-cpp.

zypper was updated to 1.14.40:

- info: Assume descriptions starting with '

' are richtext (bsc#935885) - help: prevent 'whatis' from writing to stderr (bsc#1176712) - wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271) libsolv was updated to 0.7.15 to fix: - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238] - fix deduceq2addedmap clearing bits outside of the map - conda: feature depriorization first - conda: fix startswith implementation - move find_update_seeds() call in cleandeps calculation - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers - new testcase_mangle_repo_names() function - new solv_fmemopen() function ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3051-1 Released: Tue Oct 27 16:08:54 2020 Summary: Security update for xen Type: security Severity: important References: 1177409,1177412,1177413,1177414,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673 This update for xen fixes the following issues: - bsc#1177409 - VUL-0: CVE-2020-27673: xen: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286) - bsc#1177412 - VUL-0: CVE-2020-27672: xen: Race condition in Xen mapping code (XSA-345) - bsc#1177413 - VUL-0: CVE-2020-27671: xen: undue deferral of IOMMU TLB flushes (XSA-346) - bsc#1177414 - VUL-0: CVE-2020-27670: xen: unsafe AMD IOMMU page table updates (XSA-347) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3058-1 Released: Wed Oct 28 06:11:14 2020 Summary: Recommended update for catatonit Type: recommended Severity: moderate References: 1176155 This update for catatonit fixes the following issues: - Fixes an issue when catatonit hangs when process dies in very specific way. (bsc#1176155) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3092-1 Released: Thu Oct 29 16:37:35 2020 Summary: Security update for samba Type: security Severity: important References: 1173902,1173994,1177613,CVE-2020-14318,CVE-2020-14323,CVE-2020-14383 This update for samba fixes the following issues: - CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records (bsc#1177613). - CVE-2020-14323: Unprivileged user can crash winbind (bsc#1173994). - CVE-2020-14318: Missing permissions check in SMB1/2/3 ChangeNotify (bsc#1173902). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3099-1 Released: Thu Oct 29 19:33:41 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: - timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3123-1 Released: Tue Nov 3 09:48:13 2020 Summary: Recommended update for timezone Type: recommended Severity: important References: 1177460,1178346,1178350,1178353 This update for timezone fixes the following issues: - Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353) - Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460) - Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3129-1 Released: Tue Nov 3 12:10:14 2020 Summary: Recommended update for sysconfig Type: recommended Severity: moderate References: 1159566,1173391,1176285,1176325 This update for sysconfig fixes the following issues: - Fix for 'netconfig' to run with a new library including fallback to the previous location. (bsc#1176285) - Fix for changing content of such files like '/etc/resolv.conf' to avoid linked applications re-read them and unnecessarily re-initializes themselves accordingly. (bsc#1176325) - Fix for 'chrony helper' calling in background. (bsc#1173391) - Fix for configuration file by creating a symlink for it to prevent false ownership on the file. (bsc#1159566) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3138-1 Released: Tue Nov 3 12:14:03 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800 This update for systemd fixes the following issues: - seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422) - test-seccomp: log function names - test-seccomp: add log messages when skipping tests - basic/virt: Detect PowerVM hypervisor (bsc#1176800) - fs-util: suppress world-writable warnings if we read /dev/null - udevadm: rename option '--log-priority' into '--log-level' - udev: rename kernel option 'log_priority' into 'log_level' - fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513) - Fix memory protection default (bsc#1167471) - cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935) - Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3198-1 Released: Fri Nov 6 13:00:46 2020 Summary: Recommended update for SUSEConnect Type: recommended Severity: moderate References: 1155027 This update for SUSEConnect fixes the following issues: - Recognize more formats when parsing the '.curlrc' for proxy credentials. (bsc#1155027) - Add 'rpmlintrc' to filter false-positive warning about patch not applied - Extend the YaST API in order to access to the package search functionality. (jsc#SLE-9109) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3234-1 Released: Fri Nov 6 16:01:36 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1177864 This update for ca-certificates-mozilla fixes the following issues: The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864) - Removed CAs: - EE Certification Centre Root CA - Taiwan GRCA - Added CAs: - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3253-1 Released: Mon Nov 9 07:45:04 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1174697,1176173 This update for mozilla-nss fixes the following issues: - Fixes an issue for Mozilla Firefox which has failed in fips mode (bsc#1174697) - FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3270-1 Released: Tue Nov 10 17:53:08 2020 Summary: Recommended update for bind Type: recommended Severity: moderate References: 1175894,1177603,1177790,1177913,1177915,1178078 This update for bind fixes the following issues: - Add '/usr/lib64/named' to the files and directories in bind config to include external plugins for chroot. (bsc#1178078) - Replaced named's dependency on time-sync with a dependency on time-set in 'named.service' to avoid a dependency-loop. (bsc#1177790) - Removed 'dnssec-enable' from named.conf as it has been obsoleted and may break. (bsc#1177915) - Added a comment for reference which should be removed in the future. (bsc#1177603) - Added a comment to the 'dnssec-validation' in named.conf with a reference to forwarders which do not return signed responses. (bsc#1175894) - Replaced an INSIST macro which calls abort with a test and a diagnostic output. (bsc#1177913) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3272-1 Released: Tue Nov 10 19:39:20 2020 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1055014,1061843,1065600,1065729,1066382,1077428,1112178,1131277,1134760,1170415,1171558,1173432,1174748,1176354,1176485,1176560,1176713,1176723,1177086,1177101,1177271,1177281,1177410,1177411,1177470,1177687,1177719,1177740,1177749,1177750,1177753,1177754,1177755,1177766,1177855,1177856,1177861,1178003,1178027,1178166,1178185,1178187,1178188,1178202,1178234,1178330,CVE-2020-0430,CVE-2020-14351,CVE-2020-16120,CVE-2020-25285,CVE-2020-25656,CVE-2020-27673,CVE-2020-27675,CVE-2020-8694 The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bug fixes. The following security bugs were fixed: - CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766). - CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485). - CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723). - CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086). - CVE-2020-16120: Fixed a permissions issue in ovl_path_open() (bsc#1177470). - CVE-2020-8694: Restricted energy meter to root access (bsc#1170415). - CVE-2020-27673: Fixed an issue where rogue guests could have caused denial of service of Dom0 via high frequency events (XSA-332 bsc#1177411) - CVE-2020-27675: Fixed a race condition in event handler which may crash dom0 (XSA-331 bsc#1177410). The following non-security bugs were fixed: - ALSA: bebob: potential info leak in hwdep_read() (git-fixes). - ALSA: compress_offload: remove redundant initialization (git-fixes). - ALSA: core: init: use DECLARE_COMPLETION_ONSTACK() macro (git-fixes). - ALSA: core: pcm: simplify locking for timers (git-fixes). - ALSA: core: timer: clarify operator precedence (git-fixes). - ALSA: core: timer: remove redundant assignment (git-fixes). - ALSA: ctl: Workaround for lockdep warning wrt card->ctl_files_rwlock (git-fixes). - ALSA: hda - Do not register a cb func if it is registered already (git-fixes). - ALSA: hda/realtek - Add mute Led support for HP Elitebook 845 G7 (git-fixes). - ALSA: hda/realtek - The front Mic on a HP machine does not work (git-fixes). - ALSA: hda/realtek: Enable audio jacks of ASUS D700SA with ALC887 (git-fixes). - ALSA: hda: auto_parser: remove shadowed variable declaration (git-fixes). - ALSA: hda: use semicolons rather than commas to separate statements (git-fixes). - ALSA: mixart: Correct comment wrt obsoleted tasklet usage (git-fixes). - ALSA: rawmidi: (cosmetic) align function parameters (git-fixes). - ALSA: seq: oss: Avoid mutex lock for a long-time ioctl (git-fixes). - ALSA: usb-audio: Add mixer support for Pioneer DJ DJM-250MK2 (git-fixes). - ALSA: usb-audio: endpoint.c: fix repeated word 'there' (git-fixes). - ALSA: usb-audio: fix spelling mistake 'Frequence' -> 'Frequency' (git-fixes). - ASoC: qcom: lpass-cpu: fix concurrency issue (git-fixes). - ASoC: qcom: lpass-platform: fix memory leak (git-fixes). - ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() (git-fixes). - ath10k: Fix the size used in a 'dma_free_coherent()' call in an error handling path (git-fixes). - ath10k: provide survey info as accumulated data (git-fixes). - ath6kl: prevent potential array overflow in ath6kl_add_new_sta() (git-fixes). - ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() (git-fixes). - ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() (git-fixes). - backlight: sky81452-backlight: Fix refcount imbalance on error (git-fixes). - blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART (bsc#1177750). - block: ensure bdi->io_pages is always initialized (bsc#1177749). - Bluetooth: MGMT: Fix not checking if BT_HS is enabled (git-fixes). - Bluetooth: Only mark socket zapped after unlocking (git-fixes). - bnxt: do not enable NAPI until rings are ready (networking-stable-20_09_11). - bnxt_en: Check for zero dir entries in NVRAM (networking-stable-20_09_11). - brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach (git-fixes). - brcmfmac: check ndev pointer (git-fixes). - brcmsmac: fix memory leak in wlc_phy_attach_lcnphy (git-fixes). - btrfs: check the right error variable in btrfs_del_dir_entries_in_log (bsc#1177687). - btrfs: do not force read-only after error in drop snapshot (bsc#1176354). - btrfs: do not set the full sync flag on the inode during page release (bsc#1177687). - btrfs: fix incorrect updating of log root tree (bsc#1177687). - btrfs: fix race between page release and a fast fsync (bsc#1177687). - btrfs: only commit delayed items at fsync if we are logging a directory (bsc#1177687). - btrfs: only commit the delayed inode when doing a full fsync (bsc#1177687). - btrfs: qgroup: fix qgroup meta rsv leak for subvolume operations (bsc#1177856). - btrfs: qgroup: fix wrong qgroup metadata reserve for delayed inode (bsc#1177855). - btrfs: reduce contention on log trees when logging checksums (bsc#1177687). - btrfs: release old extent maps during page release (bsc#1177687). - btrfs: remove no longer needed use of log_writers for the log root tree (bsc#1177687). - btrfs: remove root usage from can_overcommit (bsc#1131277). - btrfs: stop incremening log_batch for the log root tree when syncing log (bsc#1177687). - btrfs: take overcommit into account in inc_block_group_ro (bsc#1176560). - btrfs: tree-checker: fix false alert caused by legacy btrfs root item (bsc#1177861). - can: c_can: reg_map_{c,d}_can: mark as __maybe_unused (git-fixes). - can: flexcan: flexcan_chip_stop(): add error handling and propagate error value (git-fixes). - can: softing: softing_card_shutdown(): add braces around empty body in an 'if' statement (git-fixes). - ceph: fix memory leak in ceph_cleanup_snapid_map() (bsc#1178234). - ceph: map snapid to anonymous bdev ID (bsc#1178234). - ceph: promote to unsigned long long before shifting (bsc#1178187). - clk: at91: clk-main: update key before writing AT91_CKGR_MOR (git-fixes). - clk: at91: remove the checking of parent_name (git-fixes). - clk: bcm2835: add missing release if devm_clk_hw_register fails (git-fixes). - clk: imx8mq: Fix usdhc parents order (git-fixes). - coredump: fix crash when umh is disabled (bsc#1177753). - crypto: algif_skcipher - EBUSY on aio should be an error (git-fixes). - crypto: ccp - fix error handling (git-fixes). - crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call (git-fixes). - crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() (git-fixes). - crypto: omap-sham - fix digcnt register handling with export/import (git-fixes). - cxl: Rework error message for incompatible slots (bsc#1055014 git-fixes). - cypto: mediatek - fix leaks in mtk_desc_ring_alloc (git-fixes). - Disable ipa-clones dump for KMP builds (bsc#1178330) The feature is not really useful for KMP, and rather confusing, so let's disable it at building out-of-tree codes - dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status (git-fixes). - drm/amdgpu: prevent double kfree ttm->sg (git-fixes). - drm/gma500: fix error check (git-fixes). - drm/msm: Drop debug print in _dpu_crtc_setup_lm_bounds() (git-fixes). - drm/nouveau/mem: guard against NULL pointer access in mem_del (git-fixes). - EDAC/i5100: Fix error handling order in i5100_init_one() (bsc#1112178). - eeprom: at25: set minimum read/write access stride to 1 (git-fixes). - Fix use after free in get_capset_info callback (git-fixes). - gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY (networking-stable-20_08_24). - gtp: add GTPA_LINK info to msg sent to userspace (networking-stable-20_09_11). - HID: roccat: add bounds checking in kone_sysfs_write_settings() (git-fixes). - HID: wacom: Avoid entering wacom_wac_pen_report for pad / battery (git-fixes). - i2c: imx: Fix external abort on interrupt in exit paths (git-fixes). - ibmveth: Identify ingress large send packets (bsc#1178185 ltc#188897). - ibmveth: Switch order of ibmveth_helper calls (bsc#1061843 git-fixes). - ibmvnic: fix ibmvnic_set_mac (bsc#1066382 ltc#160943 git-fixes). - ibmvnic: save changed mac address to adapter->mac_addr (bsc#1134760 ltc#177449 git-fixes). - iio:accel:bma180: Fix use of true when should be iio_shared_by enum (git-fixes). - iio:adc:max1118 Fix alignment of timestamp and data leak issues (git-fixes). - iio:adc:ti-adc0832 Fix alignment issue with timestamp (git-fixes). - iio:adc:ti-adc12138 Fix alignment issue with timestamp (git-fixes). - iio:dac:ad5592r: Fix use of true for IIO_SHARED_BY_TYPE (git-fixes). - iio:gyro:itg3200: Fix timestamp alignment and prevent data leak (git-fixes). - iio:light:si1145: Fix timestamp alignment and prevent data leak (git-fixes). - iio:magn:hmc5843: Fix passing true where iio_shared_by enum required (git-fixes). - ima: Remove semicolon at the end of ima_get_binary_runtime_size() (git-fixes). - include/linux/swapops.h: correct guards for non_swap_entry() (git-fixes (mm/swap)). - Input: ep93xx_keypad - fix handling of platform_get_irq() error (git-fixes). - Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 (git-fixes). - Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() (git-fixes). - Input: omap4-keypad - fix handling of platform_get_irq() error (git-fixes). - Input: sun4i-ps2 - fix handling of platform_get_irq() error (git-fixes). - Input: twl4030_keypad - fix handling of platform_get_irq() error (git-fixes). - iomap: Make sure iomap_end is called after iomap_begin (bsc#1177754). - ip: fix tos reflection in ack and reset packets (networking-stable-20_09_24). - ipv4: Restore flowi4_oif update before call to xfrm_lookup_route (git-fixes). - iwlwifi: mvm: split a print to avoid a WARNING in ROC (git-fixes). - kbuild: enforce -Werror=return-type (bsc#1177281). - leds: mt6323: move period calculation (git-fixes). - lib/crc32.c: fix trivial typo in preprocessor condition (git-fixes). - libceph: clear con->out_msg on Policy::stateful_server faults (bsc#1178188). - livepatch: Test if -fdump-ipa-clones is really available As of now we add -fdump-ipa-clones unconditionally. It does not cause a trouble if the kernel is build with the supported toolchain. Otherwise it could fail easily. Do the correct thing and test for the availability. - mac80211: handle lack of sband->bitrates in rates (git-fixes). - mailbox: avoid timer start from callback (git-fixes). - media: ati_remote: sanity check for both endpoints (git-fixes). - media: bdisp: Fix runtime PM imbalance on error (git-fixes). - media: exynos4-is: Fix a reference count leak (git-fixes). - media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync (git-fixes). - media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync (git-fixes). - media: firewire: fix memory leak (git-fixes). - media: m5mols: Check function pointer in m5mols_sensor_power (git-fixes). - media: media/pci: prevent memory leak in bttv_probe (git-fixes). - media: omap3isp: Fix memleak in isp_probe (git-fixes). - media: platform: fcp: Fix a reference count leak (git-fixes). - media: platform: s3c-camif: Fix runtime PM imbalance on error (git-fixes). - media: platform: sti: hva: Fix runtime PM imbalance on error (git-fixes). - media: Revert 'media: exynos4-is: Add missed check for pinctrl_lookup_state()' (git-fixes). - media: s5p-mfc: Fix a reference count leak (git-fixes). - media: saa7134: avoid a shift overflow (git-fixes). - media: st-delta: Fix reference count leak in delta_run_work (git-fixes). - media: sti: Fix reference count leaks (git-fixes). - media: tc358743: initialize variable (git-fixes). - media: ti-vpe: Fix a missing check and reference count leak (git-fixes). - media: tuner-simple: fix regression in simple_set_radio_freq (git-fixes). - media: usbtv: Fix refcounting mixup (git-fixes). - media: uvcvideo: Ensure all probed info is returned to v4l2 (git-fixes). - media: vsp1: Fix runtime PM imbalance on error (git-fixes). - memory: fsl-corenet-cf: Fix handling of platform_get_irq() error (git-fixes). - memory: omap-gpmc: Fix a couple off by ones (git-fixes). - mfd: sm501: Fix leaks in probe() (git-fixes). - mic: vop: copy data to kernel space then write to io memory (git-fixes). - misc: mic: scif: Fix error handling path (git-fixes). - misc: rtsx: Fix memory leak in rtsx_pci_probe (git-fixes). - misc: vop: add round_up(x,4) for vring_size to avoid kernel panic (git-fixes). - mlx5 PPC ringsize workaround (bsc#1173432). - mlx5: remove support for ib_get_vector_affinity (bsc#1174748). - mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa (git-fixes (mm/numa)). - mm/huge_memory.c: use head to check huge zero page (git-fixes (mm/thp)). - mm/ksm.c: do not WARN if page is still mapped in remove_stable_node() (git-fixes (mm/hugetlb)). - mm/mempolicy.c: fix out of bounds write in mpol_parse_str() (git-fixes (mm/mempolicy)). - mm/mempolicy.c: use match_string() helper to simplify the code (git-fixes (mm/mempolicy)). - mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() (git-fixes (mm/writeback)). - mm/page-writeback.c: improve arithmetic divisions (git-fixes (mm/writeback)). - mm/page-writeback.c: use div64_ul() for u64-by-unsigned-long divide (git-fixes (mm/writeback)). - mm/page_owner.c: remove drain_all_pages from init_early_allocated_pages (git-fixes (mm/debug)). - mm/rmap: fixup copying of soft dirty and uffd ptes (git-fixes (mm/rmap)). - mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n (git-fixes (mm/zsmalloc)). - mm/zsmalloc.c: fix race condition in zs_destroy_pool (git-fixes (mm/zsmalloc)). - mm/zsmalloc.c: fix the migrated zspage statistics (git-fixes (mm/zsmalloc)). - mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely (git-fixes (mm/zsmalloc)). - mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup() (git-fixes (mm/hugetlb)). - mmc: sdio: Check for CISTPL_VERS_1 buffer size (git-fixes). - Move upstreamed patches into sorted section - mtd: lpddr: fix excessive stack usage with clang (git-fixes). - mtd: mtdoops: Do not write panic data twice (git-fixes). - mwifiex: do not call del_timer_sync() on uninitialized timer (git-fixes). - mwifiex: Do not use GFP_KERNEL in atomic context (git-fixes). - mwifiex: fix double free (git-fixes). - mwifiex: remove function pointer check (git-fixes). - mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO (git-fixes). - net/mlx5e: Take common TIR context settings into a function (bsc#1177740). - net/mlx5e: Turn on HW tunnel offload in all TIRs (bsc#1177740). - net: disable netpoll on fresh napis (networking-stable-20_09_11). - net: fec: Fix PHY init after phy_reset_after_clk_enable() (git-fixes). - net: fec: Fix phy_device lookup for phy_reset_after_clk_enable() (git-fixes). - net: Fix potential wrong skb->protocol in skb_vlan_untag() (networking-stable-20_08_24). - net: hns: Fix memleak in hns_nic_dev_probe (networking-stable-20_09_11). - net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC (networking-stable-20_09_24). - net: phy: Avoid NPD upon phy_detach() when driver is unbound (networking-stable-20_09_24). - net: qrtr: fix usage of idr in port assignment to socket (networking-stable-20_08_24). - net: systemport: Fix memleak in bcm_sysport_probe (networking-stable-20_09_11). - net: usb: dm9601: Add USB ID of Keenetic Plus DSL (networking-stable-20_09_11). - net: usb: qmi_wwan: add Cellient MPL200 card (git-fixes). - net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails (git-fixes). - net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() (git-fixes). - netlabel: fix problems with mapping removal (networking-stable-20_09_11). - nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() (git-fixes). - nl80211: fix non-split wiphy information (git-fixes). - NTB: hw: amd: fix an issue about leak system resources (git-fixes). - nvme-rdma: fix crash due to incorrect cqe (bsc#1174748). - nvme-rdma: fix crash when connect rejected (bsc#1174748). - nvme: do not update disk info for multipathed device (bsc#1171558). - platform/x86: mlx-platform: Remove PSU EEPROM configuration (git-fixes). - powerpc/hwirq: Remove stale forward irq_chip declaration (bsc#1065729). - powerpc/icp-hv: Fix missing of_node_put() in success path (bsc#1065729). - powerpc/irq: Drop forward declaration of struct irqaction (bsc#1065729). - powerpc/perf/hv-gpci: Fix starting index value (bsc#1065729). - powerpc/powernv/dump: Fix race while processing OPAL dump (bsc#1065729). - powerpc/powernv/elog: Fix race while processing OPAL error log event (bsc#1065729). - powerpc/pseries: explicitly reschedule during drmem_lmb list traversal (bsc#1077428 ltc#163882 git-fixes). - powerpc/pseries: Fix missing of_node_put() in rng_init() (bsc#1065729). - powerpc: Fix undetected data corruption with P9N DD2.1 VSX CI load emulation (bsc#1065729). - pty: do tty_flip_buffer_push without port->lock in pty_write (git-fixes). - pwm: lpss: Add range limit check for the base_unit register value (git-fixes). - pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() (git-fixes). - ring-buffer: Return 0 on success from ring_buffer_resize() (git-fixes). - rtl8xxxu: prevent potential memory leak (git-fixes). - scsi: ibmvfc: Fix error return in ibmvfc_probe() (bsc#1065729). - scsi: ibmvscsi: Fix potential race after loss of transport (bsc#1178166 ltc#188226). - sctp: not disable bh in the whole sctp_get_port_local() (networking-stable-20_09_11). - spi: fsl-espi: Only process interrupts for expected events (git-fixes). - tg3: Fix soft lockup when tg3_reset_task() fails (networking-stable-20_09_11). - tipc: fix memory leak caused by tipc_buf_append() (git-fixes). - tipc: fix shutdown() of connection oriented socket (networking-stable-20_09_24). - tipc: fix shutdown() of connectionless socket (networking-stable-20_09_11). - tipc: fix the skb_unshare() in tipc_buf_append() (git-fixes). - tipc: fix uninit skb->data in tipc_nl_compat_dumpit() (networking-stable-20_08_24). - tipc: use skb_unshare() instead in tipc_buf_append() (networking-stable-20_09_24). - tty: ipwireless: fix error handling (git-fixes). - tty: serial: earlycon dependency (git-fixes). - tty: serial: fsl_lpuart: fix lpuart32_poll_get_char (git-fixes). - usb: cdc-acm: add quirk to blacklist ETAS ES58X devices (git-fixes). - usb: cdc-acm: handle broken union descriptors (git-fixes). - usb: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync() (git-fixes). - usb: core: Solve race condition in anchor cleanup functions (git-fixes). - usb: dwc2: Fix INTR OUT transfers in DDMA mode (git-fixes). - usb: dwc2: Fix parameter type in function pointer prototype (git-fixes). - usb: dwc3: core: add phy cleanup for probe error handling (git-fixes). - usb: dwc3: core: do not trigger runtime pm when remove driver (git-fixes). - usb: dwc3: ep0: Fix ZLP for OUT ep0 requests (git-fixes). - usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets (git-fixes). - usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above (git-fixes). - usb: gadget: function: printer: fix use-after-free in __lock_acquire (git-fixes). - usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well (git-fixes). - usb: ohci: Default to per-port over-current protection (git-fixes). - usb: serial: qcserial: fix altsetting probing (git-fixes). - vfs: fix FIGETBSZ ioctl on an overlayfs file (bsc#1178202). - video: fbdev: sis: fix null ptr dereference (git-fixes). - video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error (git-fixes). - VMCI: check return value of get_user_pages_fast() for errors (git-fixes). - w1: mxc_w1: Fix timeout resolution problem leading to bus error (git-fixes). - watchdog: iTCO_wdt: Export vendorsupport (bsc#1177101). - watchdog: iTCO_wdt: Make ICH_RES_IO_SMI optional (bsc#1177101). - wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 (git-fixes). - writeback: Avoid skipping inode writeback (bsc#1177755). - writeback: Fix sync livelock due to b_dirty_time processing (bsc#1177755). - writeback: Protect inode->i_io_list with inode->i_lock (bsc#1177755). - x86, fakenuma: Fix invalid starting node ID (git-fixes (mm/x86/fakenuma)). - x86/apic: Unify duplicated local apic timer clockevent initialization (bsc#1112178). - x86/fpu: Allow multiple bits in clearcpuid= parameter (bsc#1112178). - x86/xen: disable Firmware First mode for correctable memory errors (bsc#1176713). - xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411). - xen/events: add a new 'late EOI' evtchn framework (XSA-332 bsc#1177411). - xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411). - xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410). - xen/events: block rogue events for some time (XSA-332 bsc#1177411). - xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411). - xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600). - xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411). - xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411). - xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411). - xen/gntdev.c: Mark pages as dirty (bsc#1065600). - xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411). - xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411). - xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411). - xen: XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information (XSA-332 bsc#1065600). - xfs: avoid infinite loop when cancelling CoW blocks after writeback failure (bsc#1178027). - xfs: limit entries returned when counting fsmap records (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3285-1 Released: Wed Nov 11 11:22:14 2020 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885 This update for libsolv, libzypp, zypper fixes the following issues: libzypp was updated to version 17.25.1: - Fix bsc#1176902: When kernel-rt has been installed, the purge-kernels service fails during boot. - Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied, instead of matching the package versions, each of the package name provides will be matched. - RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435) - VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918) - Update docs regarding 'opensuse' namepace matching. - New solver testcase format. - Link against libzsd to close libsolvs open references (as we link statically) zypper was updated to version 1.14.40. - info: Assume descriptions starting with '

' are richtext (bsc#935885) - Use new testcase API in libzypp. - BuildRequires: libzypp-devel >= 17.25.0. - help: prevent 'whatis' from writing to stderr (bsc#1176712) - wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271) libsolv was updated to version 0.7.16: - do not ask the namespace callback for splitprovides when writing a testcase - fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes - improve choicerule generation so that package updates are prefered in more cases - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238] - fix deduceq2addedmap clearing bits outside of the map - conda: feature depriorization first - conda: fix startswith implementation - move find_update_seeds() call in cleandeps calculation - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers - new testcase_mangle_repo_names() function - new solv_fmemopen() function ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3287-1 Released: Wed Nov 11 12:24:43 2020 Summary: Recommended update for grub2 Type: recommended Severity: moderate References: 1172952,1176062,1177957,1178278 This update for grub2 fixes the following issues: - Fixed an issue, where the https boot was interrupted by an unrecognized network address error message (bsc#1172952) - Improve the error handling when grub2-install fails with short mbr gap (bsc#1176062) - Fixed an error in grub2-install where it exited with 'failed to get canonical path of `/boot/grub2/i386-pc'.' (bsc#1177957) - Fixed a boot failure issue on blocklist installations (bsc#1178278) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3290-1 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1174232 This update for findutils fixes the following issues: - Do not unconditionally use leaf optimization for NFS. (bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3300-1 Released: Thu Nov 12 13:30:59 2020 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1177939 This update for openssh fixes the following issues: - Ensure that only approved DH parameters are used in FIPS mode, to meet NIST 800-56arev3 restrictions. (bsc#1177939). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1178387,CVE-2020-25692 This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3323-1 Released: Fri Nov 13 15:25:55 2020 Summary: Recommended update for cloud-init Type: recommended Severity: moderate References: 1174443,1174444,1177526 This update for cloud-init contains the following fixes: + Avoid exception if no gateway information is present and warning is triggered for existing routing. (bsc#1177526) Update to version 20.2 (bsc#1174443, bsc#1174444) + doc/format: reference make-mime.py instead of an inline script (#334) + Add docs about creating parent folders (#330) [Adrian Wilkins] + DataSourceNoCloud/OVF: drop claim to support FTP (#333) (LP: #1875470) + schema: ignore spurious pylint error (#332) + schema: add json schema for write_files module (#152) + BSD: find_devs_with_ refactoring (#298) [Goneri Le Bouder] + nocloud: drop work around for Linux 2.6 (#324) [Goneri Le Bouder] + cloudinit: drop dependencies on unittest2 and contextlib2 (#322) + distros: handle a potential mirror filtering error case (#328) + log: remove unnecessary import fallback logic (#327) + .travis.yml: don't run integration test on ubuntu/* branches (#321) + More unit test documentation (#314) + conftest: introduce disable_subp_usage autouse fixture (#304) + YAML align indent sizes for docs readability (#323) [Tak Nishigori] + network_state: add missing space to log message (#325) + tests: add missing mocks for get_interfaces_by_mac (#326) (LP: #1873910) + test_mounts: expand happy path test for both happy paths (#319) + cc_mounts: fix incorrect format specifiers (#316) (LP: #1872836) + swap file 'size' being used before checked if str (#315) [Eduardo Otubo] + HACKING.rst: add pytest version gotchas section (#311) + docs: Add steps to re-run cloud-id and cloud-init (#313) [Joshua Powers] + readme: OpenBSD is now supported (#309) [Goneri Le Bouder] + net: ignore 'renderer' key in netplan config (#306) (LP: #1870421) + Add support for NFS/EFS mounts (#300) [Andrew Beresford] (LP: #1870370) + openbsd: set_passwd should not unlock user (#289) [Goneri Le Bouder] + tools/.github-cla-signers: add beezly as CLA signer (#301) + util: remove unnecessary lru_cache import fallback (#299) + HACKING.rst: reorganise/update CLA signature info (#297) + distros: drop leading/trailing hyphens from mirror URL labels (#296) + HACKING.rst: add note about variable annotations (#295) + CiTestCase: stop using and remove sys_exit helper (#283) + distros: replace invalid characters in mirror URLs with hyphens (#291) (LP: #1868232) + rbxcloud: gracefully handle arping errors (#262) [Adam Dobrawy] + Fix cloud-init ignoring some misdeclared mimetypes in user-data. [Kurt Garloff] + net: ubuntu focal prioritize netplan over eni even if both present (#267) (LP: #1867029) + cloudinit: refactor util.is_ipv4 to net.is_ipv4_address (#292) + net/cmdline: replace type comments with annotations (#294) + HACKING.rst: add Type Annotations design section (#293) + net: introduce is_ip_address function (#288) + CiTestCase: remove now-unneeded parse_and_read helper method (#286) + .travis.yml: allow 30 minutes of inactivity in cloud tests (#287) + sources/tests/test_init: drop use of deprecated inspect.getargspec (#285) + setup.py: drop NIH check_output implementation (#282) + Identify SAP Converged Cloud as OpenStack [Silvio Knizek] + add Openbsd support (#147) [Goneri Le Bouder] + HACKING.rst: add examples of the two test class types (#278) + VMWware: support to update guest info gc status if enabled (#261) [xiaofengw-vmware] + Add lp-to-git mapping for kgarloff (#279) + set_passwords: avoid chpasswd on BSD (#268) [Goneri Le Bouder] + HACKING.rst: add Unit Testing design section (#277) + util: read_cc_from_cmdline handle urlencoded yaml content (#275) + distros/tests/test_init: add tests for _get_package_mirror_info (#272) + HACKING.rst: add links to new Code Review Process doc (#276) + freebsd: ensure package update works (#273) [Goneri Le Bouder] + doc: introduce Code Review Process documentation (#160) + tools: use python3 (#274) + cc_disk_setup: fix RuntimeError (#270) (LP: #1868327) + cc_apt_configure/util: combine search_for_mirror implementations (#271) + bsd: boottime does not depend on the libc soname (#269) [Goneri Le Bouder] + test_oracle,DataSourceOracle: sort imports (#266) + DataSourceOracle: update .network_config docstring (#257) + cloudinit/tests: remove unneeded with_logs configuration (#263) + .travis.yml: drop stale comment (#255) + .gitignore: add more common directories (#258) + ec2: render network on all NICs and add secondary IPs as static (#114) (LP: #1866930) + ec2 json validation: fix the reference to the 'merged_cfg' key (#256) [Paride Legovini] + releases.yaml: quote the Ubuntu version numbers (#254) [Paride Legovini] + cloudinit: remove six from packaging/tooling (#253) + util/netbsd: drop six usage (#252) + workflows: introduce stale pull request workflow (#125) + cc_resolv_conf: introduce tests and stabilise output across Python versions (#251) + fix minor issue with resolv_conf template (#144) [andreaf74] + doc: CloudInit also support NetBSD (#250) [Goneri Le Bouder] + Add Netbsd support (#62) [Goneri Le Bouder] + tox.ini: avoid substition syntax that causes a traceback on xenial (#245) + Add pub_key_ed25519 to cc_phone_home (#237) [Daniel Hensby] + Introduce and use of a list of GitHub usernames that have signed CLA (#244) + workflows/cla.yml: use correct username for CLA check (#243) + tox.ini: use xenial version of jsonpatch in CI (#242) + workflows: CLA validation altered to fail status on pull_request (#164) + tox.ini: bump pyflakes version to 2.1.1 (#239) + cloudinit: move to pytest for running tests (#211) + instance-data: add cloud-init merged_cfg and sys_info keys to json (#214) (LP: #1865969) + ec2: Do not fallback to IMDSv1 on EC2 (#216) + instance-data: write redacted cfg to instance-data.json (#233) (LP: #1865947) + net: support network-config:disabled on the kernel commandline (#232) (LP: #1862702) + ec2: only redact token request headers in logs, avoid altering request (#230) (LP: #1865882) + docs: typo fixed: dta → data [Alexey Vazhnov] + Fixes typo on Amazon Web Services (#217) [Nick Wales] + Fix docs for OpenStack DMI Asset Tag (#228) [Mark T. Voelker] (LP: #1669875) + Add physical network type: cascading to openstack helpers (#200) [sab-systems] + tests: add focal integration tests for ubuntu (#225) - From 20.1 (first vesrion after 19.4) + ec2: Do not log IMDSv2 token values, instead use REDACTED (#219) (LP: #1863943) + utils: use SystemRandom when generating random password. (#204) [Dimitri John Ledkov] + docs: mount_default_files is a list of 6 items, not 7 (#212) + azurecloud: fix issues with instances not starting (#205) (LP: #1861921) + unittest: fix stderr leak in cc_set_password random unittest output. (#208) + cc_disk_setup: add swap filesystem force flag (#207) + import sysvinit patches from freebsd-ports tree (#161) [Igor Galić] + docs: fix typo (#195) [Edwin Kofler] + sysconfig: distro-specific config rendering for BOOTPROTO option (#162) [Robert Schweikert] (LP: #1800854) + cloudinit: replace 'from six import X' imports (except in util.py) (#183) + run-container: use 'test -n' instead of 'test ! -z' (#202) [Paride Legovini] + net/cmdline: correctly handle static ip= config (#201) [Dimitri John Ledkov] (LP: #1861412) + Replace mock library with unittest.mock (#186) + HACKING.rst: update CLA link (#199) + Scaleway: Fix DatasourceScaleway to avoid backtrace (#128) [Louis Bouchard] + cloudinit/cmd/devel/net_convert.py: add missing space (#191) + tools/run-container: drop support for python2 (#192) [Paride Legovini] + Print ssh key fingerprints using sha256 hash (#188) (LP: #1860789) + Make the RPM build use Python 3 (#190) [Paride Legovini] + cc_set_password: increase random pwlength from 9 to 20 (#189) (LP: #1860795) + .travis.yml: use correct Python version for xenial tests (#185) + cloudinit: remove ImportError handling for mock imports (#182) + Do not use fallocate in swap file creation on xfs. (#70) [Eduardo Otubo] (LP: #1781781) + .readthedocs.yaml: install cloud-init when building docs (#181) (LP: #1860450) + Introduce an RTD config file, and pin the Sphinx version to the RTD default (#180) + Drop most of the remaining use of six (#179) + Start removing dependency on six (#178) + Add Rootbox & HyperOne to list of cloud in README (#176) [Adam Dobrawy] + docs: add proposed SRU testing procedure (#167) + util: rename get_architecture to get_dpkg_architecture (#173) + Ensure util.get_architecture() runs only once (#172) + Only use gpart if it is the BSD gpart (#131) [Conrad Hoffmann] + freebsd: remove superflu exception mapping (#166) [Goneri Le Bouder] + ssh_auth_key_fingerprints_disable test: fix capitalization (#165) [Paride Legovini] + util: move uptime's else branch into its own boottime function (#53) [Igor Galić] (LP: #1853160) + workflows: add contributor license agreement checker (#155) + net: fix rendering of 'static6' in network config (#77) (LP: #1850988) + Make tests work with Python 3.8 (#139) [Conrad Hoffmann] + fixed minor bug with mkswap in cc_disk_setup.py (#143) [andreaf74] + freebsd: fix create_group() cmd (#146) [Goneri Le Bouder] + doc: make apt_update example consistent (#154) + doc: add modules page toc with links (#153) (LP: #1852456) + Add support for the amazon variant in cloud.cfg.tmpl (#119) [Frederick Lefebvre] + ci: remove Python 2.7 from CI runs (#137) + modules: drop cc_snap_config config module (#134) + migrate-lp-user-to-github: ensure Launchpad repo exists (#136) + docs: add initial troubleshooting to FAQ (#104) [Joshua Powers] + doc: update cc_set_hostname frequency and descrip (#109) [Joshua Powers] (LP: #1827021) + freebsd: introduce the freebsd renderer (#61) [Goneri Le Bouder] + cc_snappy: remove deprecated module (#127) + HACKING.rst: clarify that everyone needs to do the LP->GH dance (#130) + freebsd: cloudinit service requires devd (#132) [Goneri Le Bouder] + cloud-init: fix capitalisation of SSH (#126) + doc: update cc_ssh clarify host and auth keys [Joshua Powers] (LP: #1827021) + ci: emit names of tests run in Travis (#120) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3358-1 Released: Tue Nov 17 13:17:10 2020 Summary: Security update for tcpdump Type: security Severity: moderate References: 1178466,CVE-2020-8037 This update for tcpdump fixes the following issues: - CVE-2020-8037: Fixed an issue where PPP decapsulator did not allocate the right buffer size (bsc#1178466). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3377-1 Released: Thu Nov 19 09:29:32 2020 Summary: Security update for krb5 Type: security Severity: moderate References: 1178512,CVE-2020-28196 This update for krb5 fixes the following security issue: - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3381-1 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1177458,1177490,1177510 This update for systemd fixes the following issues: - build-sys: optionally disable support of journal over the network (bsc#1177458) - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510) - mount: don't propagate errors from mount_setup_unit() further up - Rely on the new build option --disable-remote for journal_remote This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled. - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package - Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458) These files were incorrectly packaged in the main package when systemd-journal_remote was disabled. - Make use of %{_unitdir} and %{_sysusersdir} - Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3382-1 Released: Thu Nov 19 11:03:01 2020 Summary: Recommended update for dmidecode Type: recommended Severity: moderate References: 1174257 This update for dmidecode fixes the following issues: - Add partial support for SMBIOS 3.4.0. (bsc#1174257) - Skip details of uninstalled memory modules. (bsc#1174257) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3413-1 Released: Thu Nov 19 12:45:18 2020 Summary: Security update for xen Type: security Severity: important References: 1027519,1177950,1178591,CVE-2020-28368 This update for xen fixes the following issues: Security issue fixed: - CVE-2020-28368: Fixed the Intel RAPL sidechannel attack, aka PLATYPUS attack, aka XSA-351 (bsc#1178591). Non-security issues fixed: - Updated to Xen 4.12.4 bug fix release (bsc#1027519). - Fixed a panic during MSI cleanup on AMD hardware (bsc#1027519). - Adjusted help for --max_iters, default is 5 (bsc#1177950). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3419-1 Released: Thu Nov 19 13:40:32 2020 Summary: Recommended update for multipath-tools Type: recommended Severity: moderate References: 1162896,1178354 This update for multipath-tools fixes the following issues: - Avoid reading files extensions other than '.conf' from config dir. (bsc#1162896) - Fix wrong usage of '%service_del_preun -n' macro in spec file. (bsc#1178354) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3461-1 Released: Fri Nov 20 13:09:07 2020 Summary: Recommended update for bind Type: recommended Severity: low References: 1177983 This update for bind fixes the following issue: - Build the 'Administrator Reference Manual' which is built using python3-Sphinx (bsc#1177983) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3462-1 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Type: recommended Severity: moderate References: 1174593,1177858,1178727 This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3478-1 Released: Mon Nov 23 09:33:17 2020 Summary: Security update for c-ares Type: security Severity: moderate References: 1178882,CVE-2020-8277 This update for c-ares fixes the following issues: - Version update to 1.17.0 * CVE-2020-8277: Fixed a Denial of Service through DNS request (bsc#1178882) * For further details see https://c-ares.haxx.se/changelog.html ----------------------------------------------------------------- Advisory ID: SUSE-OU-2020:3481-1 Released: Mon Nov 23 11:17:09 2020 Summary: Optional update for vim Type: optional Severity: low References: 1166602,1173256,1174564,1176549 This update for vim doesn't fix any user visible issues and it is optional to install. - Introduce vim-small package with reduced requirements for small installations (bsc#1166602). - Stop owning /etc/vimrc so the old, distro provided config actually gets removed. - Own some dirs in vim-data-common so installation of vim-small doesn't leave not owned directories. (bsc#1173256) - Add vi as slave to update-alternatives so that every package has a matching 'vi' symlink. (bsc#1174564, bsc#1176549) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3485-1 Released: Mon Nov 23 13:10:36 2020 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1123327,1173503,1175110,998893 This update for lvm2 fixes the following issues: - Fixed an issue when the hot spares in LVM not added automatically. (bsc#1175110) - Fixed an issue when lvm produces a large number of luns with error message 'Too many open files'. (bsc#1173503) - Fixes an issue when LVM initialization failed during reboot. (bsc#998893) - Fixed a misplaced parameter in the lvm configuration. (bsc#1123327) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3507-1 Released: Tue Nov 24 17:16:45 2020 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1058115,1163592,1167030,1172873,1175306,1175721,1176855,1176907,1176983,1177703,1177819,1177820,1178123,1178393,1178589,1178622,1178686,1178765,1178782,927455,CVE-2020-25668,CVE-2020-25704,CVE-2020-25705 The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-25705: A flaw in the way reply ICMP packets are limited in was found that allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782). - CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter() (bsc#1178393). - CVE-2020-25668: Fixed a use-after-free in con_font_op() (bnc#1178123). The following non-security bugs were fixed: - 9P: Cast to loff_t before multiplying (git-fixes). - acpi-cpufreq: Honor _PSD table setting on new AMD CPUs (git-fixes). - ACPI: debug: do not allow debugging when ACPI is disabled (git-fixes). - ACPI: dock: fix enum-conversion warning (git-fixes). - ACPI / extlog: Check for RDMSR failure (git-fixes). - ACPI: NFIT: Fix comparison to '-ENXIO' (git-fixes). - ACPI: video: use ACPI backlight for HP 635 Notebook (git-fixes). - ALSA: hda - Fix the return value if cb func is already registered (git-fixes). - ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() (git-fixes). - ata: sata_rcar: Fix DMA boundary mask (git-fixes). - ath10k: fix VHT NSS calculation when STBC is enabled (git-fixes). - ath10k: start recovery process when payload length exceeds max htc length for sdio (git-fixes). - bus/fsl_mc: Do not rely on caller to provide non NULL mc_io (git-fixes). - can: can_create_echo_skb(): fix echo skb generation: always use skb_clone() (git-fixes). - can: dev: __can_get_echo_skb(): fix real payload length return value for RTR frames (git-fixes). - can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context (git-fixes). - can: peak_canfd: pucan_handle_can_rx(): fix echo management when loopback is on (git-fixes). - can: peak_usb: add range checking in decode operations (git-fixes). - can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping (git-fixes). - can: rx-offload: do not call kfree_skb() from IRQ context (git-fixes). - clk: ti: clockdomain: fix static checker warning (git-fixes). - crypto: bcm - Verify GCM/CCM key length in setkey (git-fixes). - device property: Do not clear secondary pointer for shared primary firmware node (git-fixes). - device property: Keep secondary firmware node secondary by type (git-fixes). - drbd: code cleanup by using sendpage_ok() to check page for kernel_sendpage() (bsc#1172873). - drm/amd/display: Do not invoke kgdb_breakpoint() unconditionally (git-fixes). - drm/amd/display: HDMI remote sink need mode validation for Linux (git-fixes). - drm/amdgpu: do not map BO in reserved region (git-fixes). - drm/bridge/synopsys: dsi: add support for non-continuous HS clock (git-fixes). - drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working correctly (git-fixes). - drm/i915: Break up error capture compression loops with cond_resched() (git-fixes). - drm/i915: Force VT'd workarounds when running as a guest OS (git-fixes). - drm/imx: tve remove extraneous type qualifier (git-fixes). - drm/ttm: fix eviction valuable range check (git-fixes). - drm/vc4: drv: Add error handding for bind (git-fixes). - efivarfs: Replace invalid slashes with exclamation marks in dentries (git-fixes). - ftrace: Fix recursion check for NMI test (git-fixes). - ftrace: Handle tracing when switching between context (git-fixes). - hv_netvsc: Add XDP support (bsc#1177819, bsc#1177820). - hv_netvsc: Fix XDP refcnt for synthetic and VF NICs (bsc#1177819, bsc#1177820). - hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306). - icmp: randomize the global rate limiter (git-fixes). - kthread_worker: prevent queuing delayed work from timer_fn when it is being canceled (git-fixes). - leds: bcm6328, bcm6358: use devres LED registering function (git-fixes). - libceph: use sendpage_ok() in ceph_tcp_sendpage() (bsc#1172873). - media: platform: Improve queue set up flow for bug fixing (git-fixes). - media: tw5864: check status of tw5864_frameinterval_get (git-fixes). - memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event (bsc#1177703). - mmc: sdhci-of-esdhc: Handle pulse width detection erratum for more SoCs (git-fixes). - mmc: sdhci-of-esdhc: set timeout to max before tuning (git-fixes). - mm/memcg: fix refcount error while moving and swapping (bsc#1178686). - Move the upstreamed powercap fix into sorted sectio - mtd: lpddr: Fix bad logic in print_drs_error (git-fixes). - net: add WARN_ONCE in kernel_sendpage() for improper zero-copy send (bsc#1172873). - net: introduce helper sendpage_ok() in include/linux/net.h (bsc#1172873). - net: usb: qmi_wwan: add Telit LE910Cx 0x1230 composition (git-fixes). - nvme-tcp: check page by sendpage_ok() before calling kernel_sendpage() (bsc#1172873). - p54: avoid accessing the data mapped to streaming DMA (git-fixes). - pinctrl: intel: Set default bias in case no particular value given (git-fixes). - powerpc/pseries/cpuidle: add polling idle for shared processor guests (bsc#1178765 ltc#188968). - powerpc/vnic: Extend 'failover pending' window (bsc#1176855 ltc#187293). - power: supply: test_power: add missing newlines when printing parameters by sysfs (git-fixes). - regulator: defer probe when trying to get voltage from unresolved supply (git-fixes). - regulator: resolve supply after creating regulator (git-fixes). - ring-buffer: Fix recursion protection transitions between interrupt context (git-fixes). - rpm/kernel-module-subpackage: make Group tag optional (bsc#1163592) - scsi: libiscsi: use sendpage_ok() in iscsi_tcp_segment_map() (bsc#1172873). - staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice (git-fixes). - staging: octeon: Drop on uncorrectable alignment or FCS error (git-fixes). - staging: octeon: repair 'fixed-link' support (git-fixes). - thunderbolt: Add the missed ida_simple_remove() in ring_request_msix() (git-fixes). - USB: Add NO_LPM quirk for Kingston flash drive (git-fixes). - USB: adutux: fix debugging (git-fixes). - usb: cdc-acm: fix cooldown mechanism (git-fixes). - usb: host: fsl-mph-dr-of: check return of dma_set_mask() (git-fixes). - usb: mtu3: fix panic in mtu3_gadget_stop() (git-fixes). - USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231 (git-fixes). - USB: serial: option: add Quectel EC200T module support (git-fixes). - USB: serial: option: add Telit FN980 composition 0x1055 (git-fixes). - usb: typec: tcpm: During PR_SWAP, source caps should be sent only after tSwapSourceStart (git-fixes). - usb: typec: tcpm: reset hard_reset_count for any disconnect (git-fixes). - video: fbdev: pvr2fb: initialize variables (git-fixes). - video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306). - video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306). - video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306). - vt: Disable KD_FONT_OP_COPY (bsc#1178589). - x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306). - x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1058115 bsc#1176907). - xfs: do not update mtime on COW faults (bsc#1167030). - xfs: fix a missing unlock on error in xfs_fs_map_blocks (git-fixes). - xfs: fix flags argument to rmap lookup when converting shared file rmaps (git-fixes). - xfs: fix rmap key and record comparison functions (git-fixes). - xfs: flush new eof page on truncate to avoid post-eof corruption (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3546-1 Released: Fri Nov 27 11:21:09 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1172695 This update for gnutls fixes the following issue: - Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3560-1 Released: Mon Nov 30 12:21:34 2020 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1158499,1160158,1161198,1161203,1163569,1165281,1165534,1166848,1175847,1177479 This update for openssl-1_1 fixes the following issues: This update backports various bugfixes for FIPS: - Restore private key check in EC_KEY_check_key [bsc#1177479] - Add shared secret KAT to FIPS DH selftest [bsc#1175847] - Include ECDH/DH Requirements from SP800-56Arev3 [bsc#1175847] - Fix locking issue uncovered by python testsuite (bsc#1166848) - Fix the sequence of locking operations in FIPS mode [bsc#1165534] - Fix deadlock in FIPS rand code (bsc#1165281) - Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569) - Fix FIPS DRBG without derivation function (bsc#1161198) - Allow md5_sha1 in FIPS mode to enable TLS 1.0 (bsc#1161203) - Obsolete libopenssl-1_0_0-hmac for a clean upgrade from SLE-12 (bsc#1158499) - Restore the EVP_PBE_scrypt() behavior from before the KDF patch by treating salt=NULL as salt='' (bsc#1160158) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3566-1 Released: Mon Nov 30 16:56:52 2020 Summary: Security update for python-setuptools Type: security Severity: important References: 1176262,CVE-2019-20916 This update for python-setuptools fixes the following issues: - Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3572-1 Released: Mon Nov 30 18:12:34 2020 Summary: Recommended update for lvm2 Type: recommended Severity: important References: 1177533 This update for lvm2 fixes the following issues: - Fixed an issue where /boot logical volume was accidentally unmounted (bsc#1177533) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3579-1 Released: Tue Dec 1 14:24:31 2020 Summary: Recommended update for glib2 Type: recommended Severity: moderate References: 1178346 This update for glib2 fixes the following issues: - Add support for slim format of timezone. (bsc#1178346) - Fix DST incorrect end day when using slim format. (bsc#1178346) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3581-1 Released: Tue Dec 1 14:40:22 2020 Summary: Recommended update for libusb-1_0 Type: recommended Severity: moderate References: 1178376 This update for libusb-1_0 fixes the following issues: - Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3593-1 Released: Wed Dec 2 10:33:49 2020 Summary: Security update for python3 Type: security Severity: important References: 1176262,1179193,CVE-2019-20916 This update for python3 fixes the following issues: Update to 3.6.12 (bsc#1179193), including: - Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3608-1 Released: Wed Dec 2 18:16:12 2020 Summary: Recommended update for cloud-init Type: recommended Severity: important References: 1177526,1179150,1179151 This update for cloud-init contains the following fixes: - Add cloud-init-azure-def-usr-pass.patch (bsc#1179150, bsc#1179151) + Properly set the password for the default user in all circumstances - Patch the full package version into the cloud-init version file - Update cloud-init-write-routes.patch (bsc#1177526) + Fix missing default route when dual stack network setup is used. Once a default route was configured for Ipv6 or IPv4 the default route configuration for the othre protocol was skipped. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3611-1 Released: Thu Dec 3 09:33:54 2020 Summary: Security update for xen Type: security Severity: important References: 1177409,1177412,1177413,1177414,1178591,1178963,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368 This update for xen fixes the following issues: - bsc#1178963 - VUL-0: xen: stack corruption from XSA-346 change (XSA-355) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3616-1 Released: Thu Dec 3 10:56:12 2020 Summary: Recommended update for c-ares Type: recommended Severity: moderate References: 1178882 - Fixed incomplete c-ares-devel dependencies introduced by the privous update (bsc#1178882). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3620-1 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=` ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3703-1 Released: Mon Dec 7 20:17:32 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1179431 This update for aaa_base fixes the following issue: - Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)